ascanrules: Address External Redirect False Positives

[kingthorin]

Overview

The External Redirect scan rules has been updated to account for potential false positives involving JavaScript comments.

[psiinon]

Checkmarx One – Scan Summary & Details – 2b9816e5-290f-41f3-89fa-e369ec35e7d3

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	Heap_Inspection	/addOns/authhelper/src/test/java/org/zaproxy/addon/authhelper/AuthUtilsUnitTest.java: 1346

---

Use @Checkmarx to reach out to us for assistance.

Just send a PR comment with @Checkmarx followed by a natural language request.

Examples: @Checkmarx how are you able to help me? @Checkmarx rescan this PR

[kingthorin]

Deconflicted

[Copilot]

Pull Request Overview

The External Redirect scan rule has been updated to reduce false positives by excluding JavaScript code that appears within comments from triggering redirect vulnerability alerts.

• Added JavaScript comment parsing logic to filter out commented code before pattern matching
• Enhanced test coverage with comprehensive comment scenarios including various escape sequences and edge cases
• Updated changelog to document the false positive improvement

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
ExternalRedirectScanRule.java	Added JavaScript comment extraction logic and state machine parser to filter out commented code
ExternalRedirectScanRuleUnitTest.java	Added comprehensive test cases covering various JavaScript comment scenarios and edge cases
CHANGELOG.md	Documented the false positive fix for JavaScript comments

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[kingthorin]

Got all those I believe

[kingthorin]

I think this is ready for review now. I believe I've addressed everything discussed.

[kingthorin]

Maybe this is a preferable solution (using Rhino), it handles all the existing test cases added here except "Inline incomplete block", which is kind of understandable. I doubt that browsers would be able to handle JavaScript in that case either.

https://github.com/zaproxy/zap-extensions/compare/main...kingthorin:zap-extensions:redir-wavsep-fps-rhino?expand=1

Let me know what you think, not a full review just a gutt feel: "Ya that's better" "naw let's stick with the state machine" kinda thing.

[thc202]

As said before any proven parser is preferable to manual parsing, the question is more which one. I don't have a preference as long it's being actively maintained (though using the engine we already bundle by default would be even better but that assumes it's possible).

[kingthorin]

Okay I've switched this over. Mainly I wanted to make sure that people were okay with using Rhino. It's maintained, its JS feature support is a bit behind but for the purpose here it should be totally fine.

[kingthorin]

Checking the failure.

[kingthorin]

Fixed

[thc202]

Thank you!

[Copilot]

Pull Request Overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[kingthorin]

This can be seen by leveraging debugPrint() on the ast or comment, the length of the comment is always reported one character short 😞

[kingthorin]

Reported upstream: mozilla/rhino#2151

[kingthorin]

Without a doubt when others read this on Monday you'll wonder why this wasn't relevant before. But you can see from the simple example in the linked issue that it is a Rhino issue. I'm not sure, I didn't get to dig into that yet.

I can but I don't want it to derail this. Let me know if you prefer that I roll back to the previous state.