
Conversation

@kingthorin
Member

No description provided.

@kingthorin
Member Author

Note I used const in all the changes but didn't change/reduce other use of var. I can; I just wasn't sure if it should be in the same PR.

@psiinon
Member

psiinon commented Dec 12, 2025

Checkmarx One – Scan Summary & Details
52f4454d-29a2-46d3-9bcd-4af0422c5656

New Issues (5)

Checkmarx found the following issues in this Pull Request

Severity  Issue  Source File / Package  Checkmarx Insight

HIGH  Last User Is 'root'  /docker-wrapper: 10
      Leaving the last user as root can cause security risks. Change to another user after running the commands that need privileges
      ID: 48tNdC6UziXyOGUccQZn3tPPzi4%3D

LOW  MAINTAINER Instruction Being Used  /docker-wrapper: 3
     The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you sh...
     ID: nlHBIHIr9RZHoVXOgGxJ9hQCHFA%3D

LOW  Unpinned Actions Full Length Commit SHA  /codeql.yml: 31
     Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help...
     ID: z89ONTXYaYdPcNUEzfFqPVDqGfU%3D

LOW  Unpinned Actions Full Length Commit SHA  /codeql.yml: 34
     Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help...
     ID: wmF9HbZcEd4Px83a0Vg%2BO%2F%2B%2B4BU%3D

LOW  Unpinned Actions Full Length Commit SHA  /codeql.yml: 35
     Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help...
     ID: ivv4LqDvobLaIQBf4po7RJO0z9E%3D

Fixed Issues (2)

Great job! The following issues were fixed in this Pull Request

Severity  Issue  Source File / Package

HIGH  CVE-2025-66418  Python-urllib3-2.5.0
HIGH  CVE-2025-66471  Python-urllib3-2.5.0

Use @Checkmarx to reach out to us for assistance.

Just send a PR comment with @Checkmarx followed by a natural language request.

Examples: @Checkmarx how are you able to help me? @Checkmarx rescan this PR
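The three finding classes in the scan summary above (a Dockerfile whose effective last USER is root, a deprecated MAINTAINER instruction, and workflow `uses:` references not pinned to a full 40-character commit SHA), as an added example that is not part of this PR, of the Checkmarx product, or of the repository's own docker-wrapper or codeql.yml: a small lint run over constructed inputs, with a corrected Dockerfile beside the weak one. The file contents, paths and the commit SHA are made up for illustration.

```javascript
// Added example: reproduces the scan's three finding classes on constructed inputs.
// Neither file below is the repository's real docker-wrapper or codeql.yml.

const WEAK_DOCKERFILE = `FROM ubuntu:24.04
MAINTAINER example@example.org
RUN apt-get update && apt-get install -y openjdk-17-jre
COPY wrapper.sh /usr/local/bin/wrapper.sh
RUN useradd -m zap
ENTRYPOINT ["/usr/local/bin/wrapper.sh"]
`;

// Corrected: LABEL replaces MAINTAINER, and a non-root USER is the last one set,
// after the RUN steps that genuinely need privileges have completed.
const FIXED_DOCKERFILE = `FROM ubuntu:24.04
LABEL org.opencontainers.image.authors="example@example.org"
RUN apt-get update && apt-get install -y openjdk-17-jre
COPY wrapper.sh /usr/local/bin/wrapper.sh
RUN useradd -m zap
USER zap
ENTRYPOINT ["/usr/local/bin/wrapper.sh"]
`;

// Constructed workflow fragment: one pinned step (SHA is made up), two tag-pinned steps,
// and one local action that has nothing to pin.
const WEAK_WORKFLOW = `steps:
  - uses: actions/checkout@v4
  - uses: github/codeql-action/init@0123456789abcdef0123456789abcdef01234567 # v3
  - uses: github/codeql-action/analyze@v3
  - uses: ./.github/actions/local-step
`;

// Dockerfile checks. Docker starts as root, so with no USER instruction the effective
// last user is root; USER may carry "name:group", and only the user part matters.
function lintDockerfile(text) {
  const findings = [];
  let lastUser = "root";
  let lastUserLine = 0;
  let lastLine = 0;
  text.split("\n").forEach((raw, i) => {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) return;
    lastLine = i + 1;
    const m = line.match(/^(\w+)\s+(.*)$/);
    if (!m) return;
    const instr = m[1].toUpperCase();
    if (instr === "MAINTAINER") {
      findings.push({ severity: "LOW", issue: "MAINTAINER Instruction Being Used", line: i + 1 });
    } else if (instr === "USER") {
      lastUser = m[2].trim().split(":")[0];
      lastUserLine = i + 1;
    }
  });
  if (lastUser === "root" || lastUser === "0") {
    // Reported at the last USER line, or at the end of the file when there is none.
    findings.push({ severity: "HIGH", issue: "Last User Is 'root'", line: lastUserLine || lastLine });
  }
  return findings;
}

// Workflow check: every `uses: owner/repo[/path]@ref` must pin ref to a full-length commit
// SHA, since tags and branches are mutable. Local (./) and docker:// actions have no ref to pin.
const FULL_SHA = /^[0-9a-f]{40}$/i;
function lintWorkflow(text) {
  const findings = [];
  text.split("\n").forEach((raw, i) => {
    const m = raw.match(/uses:\s*([^\s#]+)/);
    if (!m) return;
    const target = m[1];
    if (target.startsWith("./") || target.startsWith("docker://")) return;
    const ref = target.includes("@") ? target.slice(target.indexOf("@") + 1) : "";
    if (!FULL_SHA.test(ref)) {
      findings.push({ severity: "LOW", issue: "Unpinned Actions Full Length Commit SHA", line: i + 1 });
    }
  });
  return findings;
}
```

Pinning to a SHA only buys immutability if the SHA is one you reviewed; keep the `# vN` comment beside it so tooling such as Dependabot can still track upstream releases.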

@kingthorin kingthorin force-pushed the adjust-java-type-usage branch from 39d4e87 to 80916f9 Compare December 12, 2025 16:53
@kingthorin kingthorin changed the title Address potential classloader performance issues Address potential classloader performance issues in JS scripts Dec 12, 2025
@kingthorin
Member Author

The CX failure is unrelated to the changes.

*/
function appliesToHistoryType(historyType) {
// For example, to just scan spider messages:
// return historyType == org.parosproxy.paros.model.HistoryReference.TYPE_SPIDER;
Member


This should be updated as well.

Member


I was suggesting doing the same as the other cases: move it to the script declaration, not keep it inside the function.

Member Author


At HistoryReference or SPIDER_TYPE?

Member


Move the HistoryReference.

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>
@kingthorin kingthorin force-pushed the adjust-java-type-usage branch from 80916f9 to f6c4ce7 Compare December 19, 2025 14:31
@kingthorin
Member Author

Think I got all those.

- Active and passive READMEs to include lastest JS script examples.
- Reduce usage of fully qualified objects in loops or main methods to address potential classloader performance issues, in JavaScript scripts (Issue 9187).
- Updated Alert_on_HTTP_Response_Code_Errors.js to work with GraalVM JavaScript engine.

Member

@thc202 thc202 Dec 19, 2025


Can be removed.
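The refactor the review thread above asks for (resolve the Java class once at script declaration instead of inside `appliesToHistoryType`, which is what the changelog entry about classloader performance in JS scripts refers to), as an added example that is not code from this PR or from zaproxy/community-scripts. It assumes GraalVM's `Java.type` host interop, which ZAP's GraalJS engine provides; the `resolveHostClass` wrapper and the `TYPE_SPIDER` value of the stand-in object are constructed so the file also runs under node, where there is no host JVM, and count how many class resolutions each style performs.

```javascript
// Added example (not from the PR): the "before" resolves the fully qualified class on every
// call; the "after" binds it once at script declaration, as the reviewers suggest.

// Counts host-class resolutions when running without a JVM (node).
const resolutions = { count: 0 };

// Under GraalVM/ZAP, `Java` is a global and Java.type(name) resolves the host class.
// Elsewhere, return a constructed stand-in; its TYPE_SPIDER value is made up for illustration.
function resolveHostClass(name) {
  if (typeof Java !== "undefined" && typeof Java.type === "function") {
    return Java.type(name);
  }
  resolutions.count++;
  return { className: name, TYPE_SPIDER: 2 };
}

// Before: one class resolution per invocation, i.e. per history record ZAP hands the script.
function appliesToHistoryTypeBefore(historyType) {
  return historyType === resolveHostClass("org.parosproxy.paros.model.HistoryReference").TYPE_SPIDER;
}

// After: resolved once when the script is loaded; the function only reads a constant.
const HistoryReference = resolveHostClass("org.parosproxy.paros.model.HistoryReference");

function appliesToHistoryTypeAfter(historyType) {
  return historyType === HistoryReference.TYPE_SPIDER;
}

// Invoke a callback n times, the way ZAP calls it for n records, and report how many
// resolutions that triggered (constructed history type values 0..3 cycle through).
function resolutionsFor(fn, n) {
  const start = resolutions.count;
  for (let i = 0; i < n; i++) fn(i % 4);
  return resolutions.count - start;
}
```

In a real ZAP script there is no wrapper: write `const HistoryReference = Java.type("org.parosproxy.paros.model.HistoryReference");` at the top of the file and use `HistoryReference.TYPE_SPIDER` in the function body. The binding is then created once per script load rather than on every `appliesToHistoryType` or `scan` invocation.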

@thc202
Member

thc202 commented Dec 19, 2025

Not all scripts were updated (some still left in the changed scripts), was that on purpose?

@kingthorin
Member Author

I thought I copied the full content from zaproxy/docker will check.

@thc202
Member

thc202 commented Dec 19, 2025

I'm referring to scripts that are just here (e.g. Telerik Using Poor Crypto.js with Base64 and Alert, Capture and Replace Anti CSRF Token.js with ScriptVars).

@kingthorin
Member Author

My search must have missed them, thanks for clarifying.

@kingthorin
Member Author

I just remembered there were a few I left on purpose, like in the extender scripts, because they're only used on install and uninstall or register and unregister, but I guess I should change them all to be consistent.
