
Upgrade addons

Craig Smith requested to merge update_addons_280767 into master

What does this MR do?

Upgraded ZAP add-on Active scanner rules to 37.0.0

Changed

  • Maintenance changes.

Fixed

  • Terminology.

Added

  • The following scan rules were promoted to Beta: ELMAH Information Leak, .htaccess Information Leak (Issue 6211).

Upgraded ZAP add-on Active scanner rules (beta) to 32.0.0

Changed

  • XML External Entity Attack scan rule changed to parse response body irrespective of the HTTP response status code. (Issue 6203)
  • XML External Entity Attack scan rule changed to skip only Remote File Inclusion Attack when Callback extension is not available.
  • Maintenance changes.
  • The Relative Path Confusion scan rule no longer treats 'href="#"' as a problematic use.

Fixed

  • Terminology.
  • Correct reason shown when the XML External Entity Attack scan rule is skipped.
  • SocketTimeoutException in the Proxy Disclosure scan rule.

Added

  • The following scan rules were promoted to Beta: Cloud Meta Data, .env File, Hidden Files, XSLT Injection (Issue 6211).

Removed

  • The following scan rules were removed and promoted to Release: ELMAH Information Leak, .htaccess Information Leak (Issue 6211).

Upgraded ZAP add-on Passive scanner rules to 30.0.0

Changed

  • The CSP scan rule now checks if the form-action directive allows wildcards.
  • The CSP scan rule now includes further information in the description of allowed wildcard directives alerts when the impacted directive is one (or more) which doesn't fall back to default-src.
  • Maintenance changes.
  • Changed ViewState and XFrameOption rules to return example alerts for the docs.
  • Handle an IllegalArgumentException that could occur in the CSP scan rule if multiple CSP headers were present and one (or more) had a report-uri directive when trying to merge them.
  • Allow cookies to be ignored in the same site and loosely scoped scan rules.
  • The Application Error scan rule will not alert on WebAssembly responses.

Upgraded ZAP add-on Passive scanner rules (beta) to 23.0.0

Changed

  • Update the RE2/J library to the latest version (1.5).
  • Maintenance changes.
  • Content Security Policy header missing scan rule changed to Medium risk in order to align with other CSP findings, and confidence to High (Issue 6301).

Upgraded ZAP add-on Ajax Spider to 23.2.0

Added

  • Allow specifying allowed resources (Issue 3236). The allowed resources are always fetched even if out of scope, allowing necessary resources (e.g. scripts) from 3rd parties to be included. By default it allows files with the extensions .js and .css.

Changed

  • Update minimum ZAP version to 2.9.0.
  • Maintenance changes.

Fixed

  • Unregister the event publisher when the add-on is uninstalled.
  • Persist the state of "Remove Without Confirmation" of non-default elements to click.

Upgraded ZAP add-on Linux WebDrivers to 23.0.0

Changed

  • Update ChromeDriver to 87.0.4280.20.

Upgraded ZAP add-on MacOS WebDrivers to 22.0.0

Changed

  • Update ChromeDriver to 87.0.4280.20.

Upgraded ZAP add-on Windows WebDrivers to 23.0.0

Changed

  • Update ChromeDriver to 87.0.4280.20.

Upgraded ZAP add-on Zest - Graphical Security Scripting Language to 33.0.0

Added

  • Allow a screenshot to be created from the browser, using the context menu Add Zest Client > Screenshot.

Changed

  • Update minimum ZAP version to 2.9.0.
  • Update Zest library to 0.15.0:
    • Do not follow redirects when disabled;
    • Reduce the changes done to the requests sent.
  • Maintenance changes.

Fixed

  • Make sure the header fields are separated with CRLF when edited in the UI.
  • Handle client requests when authenticating (Issue 5940).

What are the relevant issue numbers?

This MR relates to gitlab-org/gitlab#280767 (closed)

Does this MR meet the acceptance criteria?

Edited by Craig Smith
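The Passive scanner rules entries above mention two CSP behaviours worth seeing concretely: a form-action directive that allows wildcards, and directives that do not fall back to default-src (so a strict default-src does not protect them). The following Python script is an added example written for this page; it is not code from this MR, from ZAP or from the passive scanner rules add-on, and it does not reproduce ZAP's exact wildcard classification. The fallback chains in FALLBACK_CHAIN follow CSP Level 3, the definition of a "wildcard source" in is_wildcard_source is this example's own, and SAMPLE_HEADERS is a constructed header, not output from any real site.

```python
"""Added example (not part of this MR or of ZAP's passive scan rules):
a minimal CSP wildcard checker showing that form-action can be left open
by a wildcard, and that form-action, frame-ancestors and base-uri never
fall back to default-src. Sample headers are constructed."""

from typing import Dict, List, Optional, Tuple

# Fallback chain per source-list directive (assumption: CSP Level 3 semantics).
# An empty chain means the directive does not fall back to default-src.
FALLBACK_CHAIN: Dict[str, List[str]] = {
    "child-src": ["default-src"],
    "connect-src": ["default-src"],
    "font-src": ["default-src"],
    "img-src": ["default-src"],
    "manifest-src": ["default-src"],
    "media-src": ["default-src"],
    "object-src": ["default-src"],
    "script-src": ["default-src"],
    "style-src": ["default-src"],
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "style-src-elem": ["style-src", "default-src"],
    "style-src-attr": ["style-src", "default-src"],
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
    # Navigation and embedding directives: no fallback at all.
    "form-action": [],
    "frame-ancestors": [],
    "base-uri": [],
}


def parse_policy(header: str) -> Dict[str, List[str]]:
    """Parse one CSP header value into {directive: [source expressions]}.
    Directive names are case-insensitive; a repeated directive is ignored
    after its first occurrence, as the spec requires."""
    policy: Dict[str, List[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in policy:
            policy[name] = parts[1:]
    return policy


def is_wildcard_source(src: str) -> bool:
    """This example's definition of a wildcard source: a bare '*', a bare
    scheme such as https: or data: (any host under that scheme), or a
    host-source whose host starts with '*' (https://*, *.example.com)."""
    s = src.lower()
    if s == "*":
        return True
    if s.endswith(":") and "/" not in s:
        return True
    host = s.split("://", 1)[-1]
    return host.startswith("*")


def governing_sources(policy: Dict[str, List[str]], directive: str) -> Tuple[Optional[str], List[str]]:
    """Walk the directive and its fallback chain; return the first directive
    present in the policy and its sources, or (None, []) if nothing governs."""
    for name in [directive, *FALLBACK_CHAIN[directive]]:
        if name in policy:
            return name, policy[name]
    return None, []


def directive_is_open(policy: Dict[str, List[str]], directive: str) -> Tuple[bool, str]:
    """Decide whether one policy leaves `directive` unrestricted or wildcarded."""
    governing, sources = governing_sources(policy, directive)
    if governing is None:
        if FALLBACK_CHAIN[directive]:
            return True, "absent and no fallback directive (default-src) is set"
        return True, "absent; this directive does not fall back to default-src"
    wild = [s for s in sources if is_wildcard_source(s)]
    if wild:
        via = "" if governing == directive else f" (inherited from {governing})"
        return True, f"wildcard source(s) {' '.join(wild)}{via}"
    return False, ""


def evaluate(headers: List[str]) -> Dict[str, Dict[str, object]]:
    """Evaluate one or more CSP header values from a single response.
    Browsers enforce every policy independently and block a load that any
    policy blocks, so a directive is effectively open only when it is open
    in all of them. Returns {directive: {"falls_back": bool, "reasons": [...]}}."""
    policies = [parse_policy(h) for h in headers]
    findings: Dict[str, Dict[str, object]] = {}
    for directive in FALLBACK_CHAIN:
        reasons: List[str] = []
        for policy in policies:
            is_open, reason = directive_is_open(policy, directive)
            if not is_open:
                break
            reasons.append(reason)
        else:
            findings[directive] = {
                "falls_back": bool(FALLBACK_CHAIN[directive]),
                "reasons": reasons,
            }
    return findings


# Constructed sample: default-src is tight, but form-action is wildcarded and
# frame-ancestors / base-uri are missing, which default-src cannot cover.
SAMPLE_HEADERS = [
    "default-src 'self'; script-src 'self' https://cdn.example.com; "
    "form-action *; report-uri /csp-report"
]

if __name__ == "__main__":
    for name, info in evaluate(SAMPLE_HEADERS).items():
        note = "" if info["falls_back"] else " [no default-src fallback]"
        print(f"{name}{note}: {'; '.join(info['reasons'])}")
```

Run against SAMPLE_HEADERS the checker reports only form-action (explicit wildcard), frame-ancestors and base-uri (absent, and default-src cannot cover them); script-src and everything that inherits from default-src is quiet. When a response carries more than one CSP header, each value is evaluated as its own policy and only directives open in every policy are reported, which matches how browsers enforce multiple policies and avoids merging policies into one, which is where the report-uri merge problem noted in the changelog above arose.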
