
Fix the OWASP ZAP option settings #5129

Merged
merged 4 commits into from
Sep 21, 2021

Conversation

nanasess (Contributor)

Overview (Refs Issue)

  • Changed the OWASP ZAP dynamic scan so that it uses the CSRF token
  • Added the CSRF token to the OWASP ZAP option settings

Policy

Starting with 4.1 the CSRF token changes frequently, and the dynamic scan cannot cover the application adequately unless it uses the CSRF token, so the setting is added.

Implementation notes (Appendix)

`scanner.antiCSFR` is a typo on the OWASP ZAP side:
https://github.com/zaproxy/zaproxy/blob/8ac4b10d3d9d816957985694c2b7cf127d1364d3/zap/src/main/java/org/parosproxy/paros/core/scanner/ScannerParam.java#L77

Test

Confirmed that the dynamic scan with OWASP ZAP runs.

Discussion

Checklist of restrictions for preserving minor-version compatibility

  • Changes to the specification of existing functionality
  • Changes to when hook points are called
  • Removal of hook-point parameters or changes to their data types
  • Removal of parameters passed to twig files or changes to their data types
  • Removal of arguments of public Service-class functions or changes to their data types
  • Changes to the format of input/output files (CSV, etc.)

Reviewer checklist

  • Verified behaviour
  • Code review
  • E2E/unit tests checked (whether tests need to be added or changed)
  • Compatibility preserved
  • No security problems
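To make the point in the PR description concrete, here is an added example (not code from the EC-CUBE PR or from ZAP itself) that builds the ZAP command-line overrides needed for an active scan to pick up and replay an anti-CSRF token. The option key is deliberately spelled `scanner.antiCSFR`, because that is the string ZAP reads in `ScannerParam`; the intuitive spelling `scanner.antiCSRF` is not recognised and is silently ignored, which is the trap the PR notes. The token-name keys `anticsrf.tokens.token(N).name` / `.enabled` are taken from ZAP's AntiCsrfParam, the field name `_token` is assumed (the Symfony default used by EC-CUBE forms), and `https://ec-cube.example/` is a placeholder target; check all three against your own ZAP version and application.

```shell
#!/usr/bin/env bash
# Added example, not part of EC-CUBE or ZAP: emit the "-config key=value"
# overrides that let a ZAP active scan fetch a fresh anti-CSRF token before
# each request. Wrong setting vs. working setting are shown side by side.
set -eu

# The WRONG key: it looks right, but ZAP has no such option, so the scanner
# keeps firing requests with stale tokens and every POST is rejected.
zap_anticsrf_config_broken() {
  printf '%s\n' '-config scanner.antiCSRF=true'
}

# The WORKING key (ZAP's own typo, see ScannerParam linked in the PR) plus one
# token definition per form-field name passed as an argument.
# Index 0 overwrites the first entry of ZAP's built-in token list; this is
# intentional here so the scan only tracks the names you name explicitly.
zap_anticsrf_config() {
  local i=0 name
  printf '%s' '-config scanner.antiCSFR=true'
  for name in "$@"; do
    printf ' -config anticsrf.tokens.token(%d).name=%s' "$i" "$name"
    printf ' -config anticsrf.tokens.token(%d).enabled=true' "$i"
    i=$((i + 1))
  done
  printf '\n'
}

# Full headless invocation (printed, not executed, so the block runs offline).
# -cmd runs without the UI, -quickurl spiders and actively scans the target,
# -quickout writes the report. Replace the target with your own staging host.
zap_quick_scan_cmd() {
  local target="$1" report="$2"
  shift 2
  printf '%s\n' "zap.sh -cmd -quickurl ${target} -quickout ${report} $(zap_anticsrf_config "$@")"
}

# Usage: the token name "_token" is an assumption (Symfony's default CSRF field).
zap_quick_scan_cmd 'https://ec-cube.example/' 'zap-report.html' '_token'
```

Before trusting a scan, confirm in the ZAP log or the Anti-CSRF options panel that the token name is listed and enabled; if the active scan still reports every form as rejected, the most likely cause is that the field name does not match what the application actually renders.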

codecov-commenter commented Aug 31, 2021

Codecov Report

Merging #5129 (b691f7f) into 4.1 (06b3d7c) will increase coverage by 0.08%.
The diff coverage is n/a.


@@            Coverage Diff             @@
##              4.1    #5129      +/-   ##
==========================================
+ Coverage   68.08%   68.16%   +0.08%     
==========================================
  Files         457      457              
  Lines       24972    24988      +16     
==========================================
+ Hits        17001    17032      +31     
+ Misses       7971     7956      -15     
Flag Coverage Δ
tests 68.16% <ø> (+0.08%) ⬆️

Flags with carried-forward coverage are not shown.

Impacted Files Coverage Δ
src/Eccube/Service/PluginApiService.php 33.04% <0.00%> (-6.09%) ⬇️
...ntroller/Admin/Setting/System/MemberController.php 67.96% <0.00%> (-1.38%) ⬇️
src/Eccube/Controller/SitemapController.php 83.78% <0.00%> (ø)
src/Eccube/Service/TwoFactorAuthService.php 26.56% <0.00%> (ø)
src/Eccube/Controller/InstallPluginController.php 0.00% <0.00%> (ø)
src/Eccube/EventListener/TwoFactorAuthListener.php 50.00% <0.00%> (ø)
...rc/Eccube/Controller/Install/InstallController.php 12.50% <0.00%> (ø)
...Eccube/Controller/Admin/Store/PluginController.php 7.82% <0.00%> (ø)
...Eccube/Form/EventListener/HTMLPurifierListener.php 100.00% <0.00%> (ø)
...ccube/Controller/Admin/Content/CacheController.php 0.00% <0.00%> (ø)
... and 12 more


Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 06b3d7c...b691f7f.

nanasess added a commit to nanasess/ec-cube that referenced this pull request Sep 14, 2021
Fix the OWASP ZAP option settings
@kiy0taka kiy0taka merged commit 90d425d into EC-CUBE:4.1 Sep 21, 2021
@nanasess nanasess deleted the fix-zap-properties branch October 3, 2022 07:59
3 participants