Release notes:
https://www.zaproxy.org/blog/2022-10-27-zap-2-12-0-the-ten-thousand-star-release/

JVM 11+ is now a requirement. log4j was updated from 2.15.0[!] to
2.19.0. An HTML injection vulnerability is patched in this release.

Builds and runs OK for the most part. zaproxy.sh was a bit broken, so I
changed some things around. Brief summary:

- Tilde expansion doesn't happen inside quotes, so `[ -f ${JVMPROPS} ]`
  would always fail. Fixed ${JVMPROPS} to use ${HOME} instead.
- The provided path for ${JVMPROPS} isn't the one used on OpenBSD[1] so I
  fixed that as well.
- Quoted variables to avoid unexpected word splitting and globbing.
- Consistency and readability improvements.
- The last line now uses `-dir "${HOME}/OWASP ZAP"`.

I wasn't sure whether to try adding a do-build target with
BUILD_DEPENDS=java/gradle so NO_BUILD can get removed. I don't have much
experience with that stuff, but if upstream makes a change in the future
that warrants downstream patches, it seems like it'd be easier to fix if
that shift has already happened.

Thoughts/feedback? :)
  
[1]: https://github.com/zaproxy/zaproxy/blob/v2.12.0/zap/src/main/java/org/parosproxy/paros/Constant.java#L408
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/zaproxy/Makefile,v
retrieving revision 1.13
diff -u -p -r1.13 Makefile
--- Makefile    11 Mar 2022 19:54:10 -0000      1.13
+++ Makefile    23 May 2023 18:32:54 -0000
@@ -1,6 +1,6 @@
 COMMENT =              web application security tool
 
-VERSION =              2.11.1
+VERSION =              2.12.0
 DISTNAME =             ZAP_${VERSION}_Linux
 PKGNAME =              zaproxy-${VERSION}
 
@@ -14,7 +14,7 @@ PERMIT_PACKAGE =      Yes
 MASTER_SITES =         
https://github.com/zaproxy/zaproxy/releases/download/v${VERSION}/
 
 MODULES =               java
-MODJAVA_VER =           1.8+
+MODJAVA_VER =           11+
 
 RUN_DEPENDS =          java/javaPathHelper
 
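Review bot: The MASTER_SITES context line in this hunk has been wrapped by the mail client (the URL sits on its own line with no leading space), so the diff will not apply as sent; the exec lines at the end of the files/zaproxy.sh hunk are wrapped the same way. Please resend as an attachment or with line wrapping turned off.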
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/zaproxy/distinfo,v
retrieving revision 1.6
diff -u -p -r1.6 distinfo
--- distinfo    11 Dec 2021 10:09:54 -0000      1.6
+++ distinfo    23 May 2023 18:32:54 -0000
@@ -1,2 +1,2 @@
-SHA256 (ZAP_2.11.1_Linux.tar.gz) = X4Nmblhj9PlOrFg5QvHE4V+cx7cwfQW8bOZUUmXGOCw=
-SIZE (ZAP_2.11.1_Linux.tar.gz) = 194801121
+SHA256 (ZAP_2.12.0_Linux.tar.gz) = nESTyZHLk0cGOGTSQ2o3lc87aXYGJeez20Ac00LT/FU=
+SIZE (ZAP_2.12.0_Linux.tar.gz) = 248228711
Index: files/zaproxy.sh
===================================================================
RCS file: /cvs/ports/security/zaproxy/files/zaproxy.sh,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 zaproxy.sh
--- files/zaproxy.sh    7 Dec 2015 06:32:09 -0000       1.1.1.1
+++ files/zaproxy.sh    23 May 2023 18:32:54 -0000
@@ -1,41 +1,36 @@
 #!/bin/sh
 
-DIRBASEZAP=${TRUEPREFIX}/share/zaproxy/
-ZAP=${DIRBASEZAP}zap-${VERSION}.jar
+DIRBASEZAP="${TRUEPREFIX}/share/zaproxy/"
+ZAP="${DIRBASEZAP}zap-${VERSION}.jar"
 
-JAVA_CMD=$(javaPathHelper -c zaproxy)
+JAVA_CMD="$(javaPathHelper -c zaproxy)"
 
-JVMPROPS="~/.ZAP/.ZAP_JVM.properties" 
-if [ -f $JVMPROPS ]; then
+JVMPROPS="${HOME}/OWASP ZAP/.ZAP_JVM.properties" 
+if [ -f "${JVMPROPS}" ]; then
   # Local jvm properties file present
-  JMEM=$(head -1 $JVMPROPS)
+  JMEM="$(head -1 "${JVMPROPS}")"
 else
-  MEM=$(($(ulimit -m )/1024 ))
+  MEM="$(( $(ulimit -m) / 1024 ))"
 fi
 
-if [ ! -z $JMEM ]; then
-  echo "Using jvm memory setting from " ~/.ZAP_JVM.properties
-elif [ -z $MEM ]; then
-  echo "Failed to obtain current memory, using jvm default memory settings"
-else
-  echo "Available memory: " $MEM "MB"
-  if [ $MEM -gt 1500 ]; then
+if [ -n "${JMEM}" ]; then
+  echo "Using jvm memory setting from ${JVMPROPS}"
+elif [ -n "${MEM}" ]; then
+  echo "Available memory: ${MEM} MB"
+  if [ "${MEM}" -gt 1500 ]; then
     JMEM="-Xmx512m"
-  else
-    if [ $MEM -gt 900 ] ; then
-      JMEM="-Xmx256m"
-    else
-      if [ $MEM -gt 512 ] ; then
-        JMEM="-Xmx128m"
-      fi
-    fi
+  elif [ "${MEM}" -gt 900 ]; then
+    JMEM="-Xmx256m"
+  elif [ "${MEM}" -gt 512 ]; then
+    JMEM="-Xmx128m"
   fi
+else
+  echo "Failed to obtain current memory, using jvm default memory settings"
 fi
 
-if [ -n "$JMEM" ]
-then
-  echo "Setting jvm heap size: $JMEM"
+if [ -n "${JMEM}" ]; then
+  echo "Setting jvm heap size: ${JMEM}"
 fi
 
-cd ${DIRBASEZAP}
-exec ${JAVA_CMD} ${JMEM} -jar "${ZAP}" -dir ~/.ZAP/ -installdir ${DIRBASEZAP} 
"$@"
+cd "${DIRBASEZAP}" || exit
+exec "${JAVA_CMD}" "${JMEM}" -jar "${ZAP}" -dir "${HOME}/OWASP ZAP/" 
-installdir "${DIRBASEZAP}" "$@"
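Review bot: In the new exec line, "${JMEM}" is quoted, so whenever JMEM is empty (MEM of 512 or less, or the "Failed to obtain current memory" branch) java is handed an empty string as its first argument, where the old unquoted ${JMEM} expanded to nothing. Suggest ${JMEM:+"${JMEM}"} in that position. Separately, -dir moves from ~/.ZAP/ to "${HOME}/OWASP ZAP/", so it is worth stating what happens to an existing ~/.ZAP directory when the package is upgraded.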
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/zaproxy/pkg/PLIST,v
retrieving revision 1.7
diff -u -p -r1.7 PLIST
--- pkg/PLIST   11 Mar 2022 19:54:10 -0000      1.7
+++ pkg/PLIST   23 May 2023 18:32:54 -0000
@@ -53,6 +53,7 @@ share/zaproxy/lang/Messages_ur_PK.proper
 share/zaproxy/lang/Messages_vi_VN.properties
 share/zaproxy/lang/Messages_yo_NG.properties
 share/zaproxy/lang/Messages_zh_CN.properties
+share/zaproxy/lang/Messages_zh_TW.properties
 share/zaproxy/lang/vulnerabilities.xml
 share/zaproxy/lang/vulnerabilities_ar_SA.xml
 share/zaproxy/lang/vulnerabilities_az_AZ.xml
@@ -97,29 +98,23 @@ share/zaproxy/lang/vulnerabilities_ur_PK
 share/zaproxy/lang/vulnerabilities_vi_VN.xml
 share/zaproxy/lang/vulnerabilities_yo_NG.xml
 share/zaproxy/lang/vulnerabilities_zh_CN.xml
+share/zaproxy/lang/vulnerabilities_zh_TW.xml
 share/zaproxy/lib/
-share/zaproxy/lib/bcmail-jdk15on-1.68.jar
-share/zaproxy/lib/bcpkix-jdk15on-1.68.jar
-share/zaproxy/lib/bcprov-jdk15on-1.68.jar
 share/zaproxy/lib/commons-beanutils-1.9.4.jar
 share/zaproxy/lib/commons-codec-1.15.jar
 share/zaproxy/lib/commons-collections-3.2.2.jar
 share/zaproxy/lib/commons-configuration-1.10.jar
-share/zaproxy/lib/commons-csv-1.8.jar
-share/zaproxy/lib/commons-digester-2.1.jar
+share/zaproxy/lib/commons-csv-1.9.0.jar
 share/zaproxy/lib/commons-httpclient-3.1.jar
 share/zaproxy/lib/commons-io-2.11.0.jar
-share/zaproxy/lib/commons-jxpath-1.3.jar
 share/zaproxy/lib/commons-lang-2.6.jar
 share/zaproxy/lib/commons-lang3-3.12.0.jar
 share/zaproxy/lib/commons-logging-1.2.jar
-share/zaproxy/lib/commons-text-1.9.jar
-share/zaproxy/lib/commons-validator-1.7.jar
+share/zaproxy/lib/commons-text-1.10.0.jar
 share/zaproxy/lib/ezmorph-1.0.6.jar
-share/zaproxy/lib/flatlaf-1.6.jar
+share/zaproxy/lib/flatlaf-2.6.jar
 share/zaproxy/lib/harlib-1.1.3.jar
-share/zaproxy/lib/hsqldb-2.5.2.jar
-share/zaproxy/lib/ice4j-3.0-24-g34c2ce5.jar
+share/zaproxy/lib/hsqldb-2.7.1.jar
 share/zaproxy/lib/jackson-core-asl-1.9.13.jar
 share/zaproxy/lib/java-semver-0.9.0.jar
 share/zaproxy/lib/javahelp-2.0.05.jar
@@ -127,13 +122,12 @@ share/zaproxy/lib/jericho-html-3.4.jar
 share/zaproxy/lib/jfreechart-1.5.3.jar
 share/zaproxy/lib/jgrapht-core-0.9.0.jar
 share/zaproxy/lib/json-lib-2.4-jdk15.jar
-share/zaproxy/lib/log4j-1.2-api-2.15.0.jar
-share/zaproxy/lib/log4j-api-2.15.0.jar
-share/zaproxy/lib/log4j-core-2.15.0.jar
-share/zaproxy/lib/rsyntaxtextarea-3.1.3.jar
-share/zaproxy/lib/sqlite-jdbc-3.36.0.1.jar
+share/zaproxy/lib/log4j-1.2-api-2.19.0.jar
+share/zaproxy/lib/log4j-api-2.19.0.jar
+share/zaproxy/lib/log4j-core-2.19.0.jar
+share/zaproxy/lib/rsyntaxtextarea-3.3.0.jar
 share/zaproxy/lib/swingx-all-1.6.5-1.jar
-share/zaproxy/lib/xom-1.3.7.jar
+share/zaproxy/lib/xom-1.3.8.jar
 share/zaproxy/license/
 share/zaproxy/license/ApacheLicense-2.0.txt
 share/zaproxy/license/COPYING
@@ -147,46 +141,47 @@ share/zaproxy/license/hypersonic_lic.txt
 share/zaproxy/license/lgpl-3.0.txt
 share/zaproxy/plugin/
 share/zaproxy/plugin/Readme.txt
-share/zaproxy/plugin/alertFilters-release-13.zap
-share/zaproxy/plugin/ascanrules-release-43.zap
-share/zaproxy/plugin/automation-alpha-0.9.0.zap
-share/zaproxy/plugin/bruteforce-beta-11.zap
-share/zaproxy/plugin/callhome-alpha-0.0.3.zap
-share/zaproxy/plugin/commonlib-release-1.6.0.zap
-share/zaproxy/plugin/diff-beta-11.zap
+share/zaproxy/plugin/alertFilters-release-14.zap
+share/zaproxy/plugin/ascanrules-release-49.zap
+share/zaproxy/plugin/automation-beta-0.19.0.zap
+share/zaproxy/plugin/bruteforce-beta-12.zap
+share/zaproxy/plugin/callhome-release-0.5.0.zap
+share/zaproxy/plugin/commonlib-release-1.11.0.zap
+share/zaproxy/plugin/database-alpha-0.1.0.zap
+share/zaproxy/plugin/diff-beta-12.zap
 share/zaproxy/plugin/directorylistv1-release-5.zap
-share/zaproxy/plugin/domxss-beta-12.zap
-share/zaproxy/plugin/encoder-beta-0.6.0.zap
-share/zaproxy/plugin/formhandler-beta-4.zap
-share/zaproxy/plugin/fuzz-beta-13.5.0.zap
-share/zaproxy/plugin/gettingStarted-release-13.zap
-share/zaproxy/plugin/graaljs-alpha-0.2.0.zap
-share/zaproxy/plugin/graphql-alpha-0.7.0.zap
-share/zaproxy/plugin/help-release-14.zap
-share/zaproxy/plugin/hud-beta-0.13.0.zap
-share/zaproxy/plugin/importurls-beta-8.zap
-share/zaproxy/plugin/invoke-beta-11.zap
-share/zaproxy/plugin/network-alpha-0.0.1.zap
-share/zaproxy/plugin/oast-alpha-0.6.0.zap
-share/zaproxy/plugin/onlineMenu-release-9.zap
-share/zaproxy/plugin/openapi-beta-24.zap
-share/zaproxy/plugin/pscanrules-release-37.zap
-share/zaproxy/plugin/quickstart-release-32.zap
-share/zaproxy/plugin/replacer-beta-9.zap
-share/zaproxy/plugin/reports-release-0.10.0.zap
-share/zaproxy/plugin/retest-alpha-0.2.0.zap
-share/zaproxy/plugin/retire-release-0.9.0.zap
-share/zaproxy/plugin/reveal-release-4.zap
-share/zaproxy/plugin/saverawmessage-release-6.zap
-share/zaproxy/plugin/savexmlmessage-alpha-0.2.0.zap
-share/zaproxy/plugin/scripts-beta-29.zap
-share/zaproxy/plugin/selenium-release-15.5.1.zap
-share/zaproxy/plugin/soap-alpha-12.zap
-share/zaproxy/plugin/spiderAjax-release-23.7.0.zap
-share/zaproxy/plugin/tips-beta-9.zap
-share/zaproxy/plugin/webdriverlinux-release-33.zap
-share/zaproxy/plugin/websocket-release-24.zap
-share/zaproxy/plugin/zest-beta-35.zap
+share/zaproxy/plugin/domxss-release-14.zap
+share/zaproxy/plugin/encoder-beta-0.7.0.zap
+share/zaproxy/plugin/exim-beta-0.3.0.zap
+share/zaproxy/plugin/formhandler-beta-6.1.0.zap
+share/zaproxy/plugin/fuzz-beta-13.8.0.zap
+share/zaproxy/plugin/gettingStarted-release-14.zap
+share/zaproxy/plugin/graaljs-alpha-0.3.0.zap
+share/zaproxy/plugin/graphql-alpha-0.11.0.zap
+share/zaproxy/plugin/help-release-15.zap
+share/zaproxy/plugin/hud-beta-0.15.0.zap
+share/zaproxy/plugin/invoke-beta-12.zap
+share/zaproxy/plugin/network-beta-0.3.0.zap
+share/zaproxy/plugin/oast-beta-0.13.0.zap
+share/zaproxy/plugin/onlineMenu-release-10.zap
+share/zaproxy/plugin/openapi-beta-29.zap
+share/zaproxy/plugin/pscanrules-release-44.zap
+share/zaproxy/plugin/quickstart-release-35.zap
+share/zaproxy/plugin/replacer-release-11.zap
+share/zaproxy/plugin/reports-release-0.16.0.zap
+share/zaproxy/plugin/requester-beta-7.0.0.zap
+share/zaproxy/plugin/retest-alpha-0.4.0.zap
+share/zaproxy/plugin/retire-release-0.16.0.zap
+share/zaproxy/plugin/reveal-release-5.zap
+share/zaproxy/plugin/scripts-release-33.zap
+share/zaproxy/plugin/selenium-release-15.11.0.zap
+share/zaproxy/plugin/soap-beta-15.zap
+share/zaproxy/plugin/spider-release-0.1.0.zap
+share/zaproxy/plugin/spiderAjax-release-23.10.0.zap
+share/zaproxy/plugin/tips-beta-10.zap
+share/zaproxy/plugin/webdriverlinux-release-46.zap
+share/zaproxy/plugin/websocket-release-27.zap
+share/zaproxy/plugin/zest-beta-37.zap
 share/zaproxy/scripts/
 share/zaproxy/scripts/templates/
 share/zaproxy/scripts/templates/active/
@@ -217,10 +212,8 @@ share/zaproxy/scripts/templates/variant/
 share/zaproxy/scripts/templates/variant/Input Vector default template.js
 share/zaproxy/scripts/templates/variant/Site modifying JSON example.js
 share/zaproxy/xml/
-share/zaproxy/xml/common-user-agents.txt
 share/zaproxy/xml/config.xml
 share/zaproxy/xml/drivers.dtd
-share/zaproxy/xml/drivers.xml
 share/zaproxy/xml/reportCompare.xsl
 share/zaproxy/zap-${VERSION}.jar
 share/zaproxy/zap.bat
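
Added example, not part of the original mail or the port: a POSIX sh sketch of the quoting points in the summary at the top (quoted tilde, `${HOME}`, word splitting on the space in `OWASP ZAP`), plus the side effect that a quoted empty variable is still passed as an empty argument. The sandbox directory and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; sandbox path and function names are constructed.

# Throwaway HOME holding the properties file under a directory with a space.
make_sandbox() {
  sandbox=$(mktemp -d) || return 1
  mkdir -p "${sandbox}/OWASP ZAP"
  printf '%s\n' '-Xmx256m' > "${sandbox}/OWASP ZAP/.ZAP_JVM.properties"
  printf '%s\n' "${sandbox}"
}

# Prints how many arguments a command would receive.
count_args() { echo "$#"; }

# A quoted "~" is not expanded: the test looks for a directory literally named "~".
quoted_tilde_found() (
  HOME=$1; cd "${HOME}" || exit 2
  p="~/OWASP ZAP/.ZAP_JVM.properties"
  [ -f "${p}" ]
)

# ${HOME} is expanded inside double quotes, and the quotes keep the space intact.
home_var_found() (
  HOME=$1
  p="${HOME}/OWASP ZAP/.ZAP_JVM.properties"
  [ -f "${p}" ]
)

# Unquoted, the same path is split at the space into two words.
unquoted_words() (
  p="$1/OWASP ZAP/.ZAP_JVM.properties"
  count_args ${p}
)

# Side effect of quoting: an empty variable still becomes one (empty) argument,
# while ${var:+"${var}"} expands to nothing when the variable is empty.
quoted_empty_words() ( JMEM=""; count_args java "${JMEM}" -jar zap.jar )
guarded_empty_words() ( JMEM=""; count_args java ${JMEM:+"${JMEM}"} -jar zap.jar )

sb=$(make_sandbox) || exit 1
if quoted_tilde_found "${sb}"; then echo "quoted ~: found"; else echo "quoted ~: not found"; fi
if home_var_found "${sb}"; then echo "\${HOME}: found"; else echo "\${HOME}: not found"; fi
echo "unquoted path words: $(unquoted_words "${sb}")"
echo "quoted empty JMEM argc: $(quoted_empty_words), guarded: $(guarded_empty_words)"
rm -rf "${sb}"
```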
