Address potential classloader performance issues in JS scripts by kingthorin · Pull Request #504 · zaproxy/community-scripts

kingthorin · 2025-12-12T16:45:42Z

No description provided.

kingthorin · 2025-12-12T16:46:41Z

Note I used const in all the changes but didn't change/reduce other use of var. I can I just wasn't sure if it should be the same PR.

psiinon · 2025-12-12T16:47:59Z

Checkmarx One – Scan Summary & Details – d5fe9c10-d896-49f1-8201-4caa77808066

New Issues (6)

Checkmarx found the following issues in this Pull Request

#	Issue	Source File / Package	Checkmarx Insight
1	Last User Is 'root'	/docker-wrapper: 10	details Leaving the last user as root can cause security risks. Change to another user after running the commands that need privileges
2	CVE-2026-34479	Maven-org.apache.logging.log4j:log4j-1.2-api-2.24.2	details Recommended version: 2.25.4 Description: The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
3	MAINTAINER Instruction Being Used	/docker-wrapper: 3	details The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you sh...
4	Unpinned Actions Full Length Commit SHA	/codeql.yml: 31	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help...
5	Unpinned Actions Full Length Commit SHA	/codeql.yml: 34	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help...
6	Unpinned Actions Full Length Commit SHA	/codeql.yml: 35	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help...

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

kingthorin · 2025-12-16T12:27:32Z

The CX failure is unrelated to the changes.

kingthorin · 2025-12-19T14:33:41Z

Think I got all those.

thc202 · 2025-12-19T17:02:48Z

Not all scripts were updated (some still left in the changed scripts), was that on purpose?

kingthorin · 2025-12-19T17:06:15Z

I thought I copied the full content from zaproxy/docker will check.

thc202 · 2025-12-19T17:14:05Z

I'm referring to scripts that are just here (e.g. Telerik Using Poor Crypto.js with Base64 and Alert, Capture and Replace Anti CSRF Token.js with ScriptVars).

kingthorin · 2025-12-19T17:26:11Z

My search must have missed them, thanks for clarifying.

kingthorin · 2025-12-19T18:10:24Z

I just remembered there were a few I left on purpose like in the extender scripts cause they're only used on install and uninstall or register and unregister, but I guess I should change them all to be consistent.

kingthorin · 2026-05-26T21:50:01Z

Done & done. (If the var -> const change is too broad let me know and I can roll it back)

thc202 · 2026-05-27T07:11:19Z

It's not an if, it is. How does that address potential classloader performance issues.

kingthorin · 2026-05-27T10:20:06Z

We had agreed to update them as we were switching the fully qualified class usage to Java.types/extends. I was debating if consistency or minimal change was more important.

I'll roll it back.

thc202 · 2026-05-27T10:51:33Z

Minimal changes are more important if the other changes are not done consistently, there are other var that should be const (and we should drop the var as well) throughout (e.g. why in the first script it was not changed LOG_DEBUG_MESSAGES).

kingthorin · 2026-05-27T11:26:47Z

Because my instruction had been to change it with Java.type and Java.extends. It's okay, I'll go back to minimal change, that's probably best for this case. Other stuff can be done in other passes or PRs.

kingthorin · 2026-05-27T12:58:31Z

Should be back on track.

thc202 · 2026-05-27T13:25:21Z

Except the random change, e.g. https://github.com/zaproxy/community-scripts/compare/164e4a965d79e840440f7ce42f48c323b8f0cb2b..1ea2a059c734ca71753ce874da49461a7a69b95c#diff-0d7726c989fbffa009518591a5f03900cc4bc48862a617953c902402a953569aL16-R34

kingthorin · 2026-05-27T13:36:04Z

That was a restoration to the original state (check the change tab, it doesn't show there). Unless it was something we had discussed and I lost track?

Edit: Disregard I was looking at the wrong sender/Alert on*

thc202 · 2026-05-27T13:48:15Z

It can also be squashed (would make diffs easier IMO).

kingthorin · 2026-05-27T14:48:47Z

Removed unrelated changes in httpsender/Alert on * and squashed.

Copilot

Pull request overview

This PR reduces repeated fully qualified Java class access in community JavaScript scripts by hoisting Java classes into top-level Java.type(...) bindings, aligning scripts with existing ZAP scripting conventions and addressing classloader performance concerns.

Changes:

Replaced inline fully qualified Java references with reusable Java.type(...) bindings across active, passive, HTTP sender, targeted, standalone, extender, and session scripts.
Updated static/enum references to use the new bindings.
Added a changelog entry for Issue 9187.

Reviewed changes

Copilot reviewed 42 out of 42 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
`CHANGELOG.md`	Documents the classloader performance cleanup.
`active/OpenModelContextProtocolServer.js`	Hoists Apache URI class binding.
`authentication/DjangoAuthentication.js`	Moves authentication Java class imports to module scope.
`extender/ZAP onEvent Handler.js`	Hoists ZAP event bus class binding.
`extender/arpSyndicateSubdomainDiscovery.js`	Hoists ZAP event bus class binding.
`httpfuzzerprocessor/addCacheBusting.js`	Hoists HTML parameter class/type bindings.
`httpfuzzerprocessor/add_msgs_sites_tree.js`	Hoists history reference and event queue bindings.
`httpsender/Alert on HTTP Response Code Errors.js`	Hoists alert/history/integer bindings and updates evidence handling.
`httpsender/Alert on Unexpected Content Types.js`	Hoists alert/history/integer bindings.
`httpsender/Capture and Replace Anti CSRF Token.js`	Hoists ScriptVars and parameter type bindings.
`httpsender/greenbone-maintain-auth.js`	Hoists HTML parameter type binding.
`httpsender/inject_js_in_html_page.js`	Hoists file/string Java class bindings.
`httpsender/keep-cookies-going.js`	Hoists HTML parameter type binding.
`httpsender/maintain-jwt.js`	Hoists HTML parameter type binding.
`other/af-plans/juiceshop-selenium-auth/JuiceShopAuthentication.js`	Hoists Selenium extension binding.
`other/af-plans/juiceshop-selenium-auth/JuiceShopReset.js`	Hoists user management extension binding.
`other/af-plans/juiceshop-selenium-auth/JuiceShopSession.js`	Hoists HTML parameter type binding.
`passive/Report non static sites.js`	Hoists passive scanner class binding and updates example comment.
`passive/Telerik Using Poor Crypto.js`	Hoists Base64 and Alert bindings.
`passive/f5_bigip_cookie_internal_ip.js`	Hoists integer and address bindings.
`selenium/FillOTPInMFA.js`	Hoists Selenium and thread bindings.
`session/Juice Shop Session Management.js`	Hoists HTML parameter type binding.
`standalone/Active scan rule list.js`	Hoists active scan extension binding.
`standalone/Juice shop authentication by form.js`	Hoists Selenium extension binding.
`standalone/Juice shop authentication by google.js`	Hoists Selenium extension binding.
`standalone/Loop through alerts.js`	Hoists alert extension and alert bindings.
`standalone/Loop through history table.js`	Hoists history extension binding.
`standalone/alertAndPluginDetails.js`	Hoists alert/passive scan/plugin bindings.
`standalone/domainFinder.js`	Hoists InetAddress binding.
`standalone/historySourceTagger.js`	Hoists ScriptVars and history extension bindings.
`standalone/load_function_example.js`	Hoists system property binding.
`standalone/scan_rule_list.js`	Hoists active/passive scan extension bindings.
`targeted/Remove 302s.js`	Hoists purge sites binding.
`targeted/SQLMapCommandGenerator.js`	Hoists clipboard-related bindings.
`targeted/Search www.xssposed.org for known XSS.js`	Hoists DesktopUtils binding.
`targeted/curl_command_generator.js`	Hoists clipboard-related bindings.
`targeted/cve-2021-22214.js`	Hoists Alert binding.
`targeted/cve-2021-41773-apache-path-trav.js`	Hoists Alert binding.
`targeted/json_csrf_poc_generator.js`	Hoists header and clipboard bindings.
`targeted/request_to_xml.js`	Hoists HTTP header binding.
`targeted/search cvedetails using target server header.js`	Hoists DesktopUtils binding.
`variant/CompoundCookies.js`	Hoists HTML parameter type binding.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

thc202 · 2026-05-27T16:58:58Z

Thank you!

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

kingthorin force-pushed the adjust-java-type-usage branch from 39d4e87 to 80916f9 Compare December 12, 2025 16:53

kingthorin changed the title ~~Address potential classloader performance issues~~ Address potential classloader performance issues in JS scripts Dec 12, 2025

thc202 reviewed Dec 17, 2025

View reviewed changes

kingthorin force-pushed the adjust-java-type-usage branch from 80916f9 to f6c4ce7 Compare December 19, 2025 14:31

thc202 reviewed Dec 19, 2025

View reviewed changes

Comment thread CHANGELOG.md Outdated

kingthorin force-pushed the adjust-java-type-usage branch from f6c4ce7 to 4cfd726 Compare May 26, 2026 11:25

thc202 reviewed May 26, 2026

View reviewed changes

Comment thread httpsender/Capture and Replace Anti CSRF Token.js

thc202 reviewed May 26, 2026

View reviewed changes

Comment thread passive/f5_bigip_cookie_internal_ip.js

kingthorin force-pushed the adjust-java-type-usage branch from 4cfd726 to 164e4a9 Compare May 26, 2026 21:48

kingthorin force-pushed the adjust-java-type-usage branch from 164e4a9 to 1ea2a05 Compare May 27, 2026 12:54

kingthorin force-pushed the adjust-java-type-usage branch 2 times, most recently from 97935db to 14dc813 Compare May 27, 2026 14:48

kingthorin force-pushed the adjust-java-type-usage branch from 14dc813 to 4cf6425 Compare May 27, 2026 14:54

thc202 reviewed May 27, 2026

View reviewed changes

Comment thread httpfuzzerprocessor/addCacheBusting.js Outdated

kingthorin force-pushed the adjust-java-type-usage branch 2 times, most recently from a8b939b to b6335c1 Compare May 27, 2026 15:48

thc202 requested a review from Copilot May 27, 2026 16:34

Copilot started reviewing on behalf of thc202 May 27, 2026 16:34 View session

Copilot AI reviewed May 27, 2026

View reviewed changes

Comment thread httpsender/Alert on HTTP Response Code Errors.js

thc202 approved these changes May 27, 2026

View reviewed changes

Address potential classloader performance issues

3a975c8

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

kingthorin force-pushed the adjust-java-type-usage branch from b6335c1 to 3a975c8 Compare May 28, 2026 09:14

thc202 requested a review from psiinon May 28, 2026 09:16

psiinon approved these changes May 28, 2026

View reviewed changes

psiinon merged commit 07d3e63 into zaproxy:main May 28, 2026
9 checks passed

kingthorin deleted the adjust-java-type-usage branch May 28, 2026 09:55

Uh oh!

Conversation

kingthorin commented Dec 12, 2025

Uh oh!

kingthorin commented Dec 12, 2025

Uh oh!

psiinon commented Dec 12, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

kingthorin commented Dec 16, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

kingthorin commented Dec 19, 2025

Uh oh!

Uh oh!

thc202 commented Dec 19, 2025

Uh oh!

kingthorin commented Dec 19, 2025

Uh oh!

thc202 commented Dec 19, 2025

Uh oh!

kingthorin commented Dec 19, 2025

Uh oh!

kingthorin commented Dec 19, 2025

Uh oh!

Uh oh!

Uh oh!

kingthorin commented May 26, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

thc202 commented May 27, 2026

Uh oh!

kingthorin commented May 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

thc202 commented May 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

kingthorin commented May 27, 2026

Uh oh!

kingthorin commented May 27, 2026

Uh oh!

thc202 commented May 27, 2026

Uh oh!

kingthorin commented May 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

thc202 commented May 27, 2026

Uh oh!

kingthorin commented May 27, 2026

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

thc202 commented May 27, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

4 participants

psiinon commented Dec 12, 2025 •

edited

Loading

kingthorin commented May 26, 2026 •

edited

Loading

kingthorin commented May 27, 2026 •

edited

Loading

thc202 commented May 27, 2026 •

edited

Loading

kingthorin commented May 27, 2026 •

edited

Loading