zaproxy · kingthorin · Oct 9, 2024
diff --git a/addOns/ascanrules/CHANGELOG.md b/addOns/ascanrules/CHANGELOG.md
@@ -9,6 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ### Fixed
 - Added more checks for valid .htaccess files to reduce false positives (Issue 7632).
+- A situation where the Server-Side Template Injection (SSTI) scan rule might result in false positives related to the Go payloads (Issue 8622).
 
 ## [68] - 2024-09-24
 ### Changed

diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiScanRule.java
@@ -25,6 +25,8 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 import org.apache.commons.lang3.RandomStringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -396,8 +398,11 @@ private void searchForMathsExecution(
                                             + ".*"
                                             + DELIMITER
                                             + "[\\w\\W]*";
+                            Matcher matcher = Pattern.compile(regex).matcher(output);
 
-                            if (output.contains(renderResult) && output.matches(regex)) {
+                            if (output.contains(renderResult)
+                                    && matcher.matches()
+                                    && not(matcher.group(0), renderTest)) {
 
                                 String attack = getOtherInfo(sink.getLocation(), output);
 
@@ -424,6 +429,10 @@ private void searchForMathsExecution(
         }
     }
 
+    private static boolean not(String group0, String renderTest) {
+        return !group0.contains(renderTest.replaceAll("[^A-Za-z0-9]+", ""));
+    }
+
     private AlertBuilder createAlert(String url, String param, String attack, String otherInfo) {
         return newAlert()
                 .setConfidence(Alert.CONFIDENCE_HIGH)

diff --git a/...s/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SstiScanRuleUnitTest.java b/...s/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SstiScanRuleUnitTest.java
@@ -236,6 +236,37 @@ protected Response serve(IHTTPSession session) {
         assertThat(alertsRaised.get(0).getConfidence(), equalTo(Alert.CONFIDENCE_HIGH));
     }
 
+    @Test
+    void shouldReportGoBasedSsti() throws NullPointerException, IOException {
+        String test = "/shouldReportGoBasedSsti/";
+        // Given
+        nano.addHandler(createGoHandler(test, true));
+        HttpMessage msg = getHttpMessage(test + "?name=test");
+        rule.setConfig(new ZapXmlConfiguration());
+        rule.init(msg, parent);
+        // When
+        rule.scan();
+        // Then
+        assertThat(alertsRaised.size(), equalTo(1));
+        assertThat(alertsRaised.get(0).getRisk(), equalTo(Alert.RISK_HIGH));
+        assertThat(alertsRaised.get(0).getConfidence(), equalTo(Alert.CONFIDENCE_HIGH));
+    }
+
+    @Test
+    void shouldNotReportGoBasedSstiWhenDirectiveEchoed() throws NullPointerException, IOException {
+        String test = "/shouldNotReportGoBasedSstiWhenDirectiveEchoed/";
+        // Given
+        nano.addHandler(createGoHandler(test, false));
+        HttpMessage msg = getHttpMessage(test + "?name=test");
+        rule.setConfig(new ZapXmlConfiguration());
+        rule.setAttackStrength(Plugin.AttackStrength.MEDIUM);
+        rule.init(msg, parent);
+        // When
+        rule.scan();
+        // Then
+        assertThat(alertsRaised.size(), equalTo(0));
+    }
+
     @Test
     void shouldReturnExpectedMappings() {
         // Given / When
@@ -321,4 +352,35 @@ private static String getSimpleArithmeticResult(String expression)
             throw new IllegalArgumentException("invalid template code");
         }
     }
+
+    private NanoServerHandler createGoHandler(String path, boolean stripPrint) {
+        return new NanoServerHandler(path) {
+            @Override
+            protected Response serve(IHTTPSession session) {
+                String name = getFirstParamValue(session, "name");
+                String response;
+                if (name != null) {
+                    if (!name.contains("print")) {
+                        return newFixedLengthResponse(getHtml("sstiscanrule/NoInput.html"));
+                    }
+                    try {
+                        if (name.contains("print")) {
+                            name = name.replaceAll("[^A-Za-z0-9]+", "");
+                            name = stripPrint ? name.replace("print", "") : name;
+                        }
+                        name = templateRenderMock("{", "}", name);
+                        response =
+                                getHtml(
+                                        "sstiscanrule/Rendered.html",
+                                        new String[][] {{"name", name}});
+                    } catch (IllegalArgumentException e) {
+                        response = getHtml("sstiscanrule/ErrorPage.html");
+                    }
+                } else {
+                    response = getHtml("sstiscanrule/NoInput.html");
+                }
+                return newFixedLengthResponse(response);
+            }
+        };
+    }
 }