Script Issues in ZAP v2.15.0


Hector Luna

Jun 7, 2024, 12:44:10 PM
to ZAP User Group
So I did mention in a different thread that I am having issues with loading scripts into ZEST scripts. Namely, where I have a ZEST script that attempts to load a nashorn script via "script action."

This used to work really well in all the builds prior to v2.15.0 and now that the latest version is out I keep getting the following error:

javax.script.ScriptException: org.graalvm.polyglot.PolyglotException: ReferenceError: java is not defined

Action: failed: javax.script.ScriptException: org.graalvm.polyglot.PolyglotException: ReferenceError: java is not defined

Note that I am using ghcr.io/zaproxy/zaproxy:weekly as the image to run my tests and to make sure that it isn't an issue with my own image.

My questions are as follows:

  • Is nashorn deprecated in v2.15.0?
  • Isn't graalvm already included in the image?
  • How do I make this work?

I am currently forced to use ZAP images that are older than v2.15.0 as I have several scripts that I load via "script action" in ZEST. What am I doing wrong?

Thank you in advance.


Hector Luna

Jun 7, 2024, 12:45:16 PM
to ZAP User Group
This is the thread where I originally mentioned this issue, but I do not want to continue there, as that is a thread to announce the release of v2.15.0:
https://groups.google.com/g/zaproxy-users/c/4VIpjbW88hE/m/ieeWVtHvAQAJ

thc...@gmail.com

Jun 7, 2024, 1:56:35 PM
to zaprox...@googlegroups.com
Hi,

It was already answered why that error happens in the previous thread.


As for the other questions:
- No, but Nashorn will go away when ZAP starts targeting newer Java
versions.
- Yes, but the error is not caused by the missing engine (see previous
thread).
- Remove the GraalVM JavaScript add-on.


You are not doing anything wrong; it is just that the assumption that
you can use ZAP classes/Java from the script is not correct for Graal,
as Zest does not configure the engine to allow that (as mentioned in
the previous thread).

Best regards.

On 07/06/2024 17:44, Hector Luna wrote:
> So I did mention in a different thread that I am having issues with loading
> scripts into ZEST scripts. Namely, where I have a ZEST script that attempts
> to load a nashorn script via "script action."
>
> This used to work really well in all the builds prior to v2.15.0 and now
> that the latest version is out I keep getting the following error:
>
> *javax.script.ScriptException: org.graalvm.polyglot.PolyglotException:
> ReferenceError: java is not defined*
>
> *Action: failed: javax.script.ScriptException:
> org.graalvm.polyglot.PolyglotException: ReferenceError: java is not defined*
>
> Note that I am using *ghcr.io/zaproxy/zaproxy:weekly* as the image to run
> my tests and to make sure that it isn't an issue with my own image.
>
> My questions are as follows:
>
> - Is nashorn deprecated in v2.15.0?
> - Isn't graalvm already included in the image?
> - How do I make this work?

Hector Luna

Jun 7, 2024, 2:47:56 PM
to ZAP User Group
Thank you very much! I will make the necessary changes and report back :)

Hector Luna

Jun 21, 2024, 3:37:35 PM
to ZAP User Group
I followed the suggestions and attempted to remove the graaljs addon as follows:

# Download and expand the ZAP version we are interested in
RUN curl -s https://raw.githubusercontent.com/zaproxy/zap-admin/master/ZapVersions.xml | xmlstarlet sel -t -v //url | grep -i ${ZAPVersion} | wget --content-disposition -i - \
&& unzip *.zip \
&& rm *.zip \
&& cp -R ZAP*/* . \
&& rm -R ZAP*

# Update add-ons and copy them to installation directory
RUN ./zap.sh -cmd -silent \
-addonupdate \
-addoninstall custompayloads \
-addoninstall wappalyzer
RUN ./zap.sh -cmd -silent -addonuninstall graaljs
RUN cp /root/.ZAP_D/plugin/*.zap plugin/ || :

Where ZAPVersion is usually set to weekly

Running any script that gets called from ZEST results in this:

javax.script.ScriptException: org.graalvm.polyglot.PolyglotException: ReferenceError: java is not defined

Action: failed: javax.script.ScriptException: org.graalvm.polyglot.PolyglotException: ReferenceError: java is not defined


This was not the case with builds prior to 2.15.0.
Also, there is no D-2024-04-29 anymore and that was the last version of ZAP that worked for me. I am at a loss because our CI/CD pipelines are dead now that we can't build the Docker containers with a ZAP binary that works.

Any help would be much appreciated.

thc...@gmail.com

Jun 21, 2024, 4:43:13 PM
to zaprox...@googlegroups.com
If you are still getting that error it means the add-on is still
installed. But best to check the zap.log which would confirm if that's
the case.

Have you checked the add-ons that are in the plugin directories (both
home and installation)?
It's possible that ZAP was not able to uninstall or remove the add-on.
You can always delete the file to be sure.


We are only keeping x old weekly/stable releases.

Best regards.

On 21/06/2024 20:37, Hector Luna wrote:
> I followed the suggestions and attempted to remove the graaljs addon as
> follows:
>
> # Download and expand the ZAP version we are interested in
> RUN curl -s
> https://raw.githubusercontent.com/zaproxy/zap-admin/master/ZapVersions.xml |
> xmlstarlet sel -t -v //url | grep -i ${ZAPVersion} | wget
> --content-disposition -i - \
> && unzip *.zip \
> && rm *.zip \
> && cp -R ZAP*/* . \
> && rm -R ZAP*
>
> # Update add-ons and copy them to installation directory
> RUN ./zap.sh -cmd -silent \
> -addonupdate \
> -addoninstall custompayloads \
> -addoninstall wappalyzer
> RUN ./zap.sh -cmd -silent -addonuninstall graaljs
> RUN cp /root/.ZAP_D/plugin/*.zap plugin/ || :
>
> Where ZAPVersion is usually set to *weekly*
>
> Running any script that gets called from ZEST results in this:
>

Hector Luna

Jun 21, 2024, 7:51:57 PM
to ZAP User Group
Thank you very much sir!
I added RUN rm -rf plugin/graal*.zap to my Dockerfile right after doing the addon step and things are back to normal.

Thank you for your suggestions and your help.
I am back in business!!!
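
The check suggested above (look in both the home and installation plugin directories, and delete the file to be sure), written as a build step. This is an added example and not part of any post in this thread; the function names are hypothetical, and the `graal*.zap` glob and the two directories in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): fail the image build if a GraalVM
# JavaScript add-on file is still present in any ZAP plugin directory.
# Function names are hypothetical; the graal*.zap glob is the one used in the thread.

# Print every graal*.zap file directly inside the given plugin directories.
list_graal_addons() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue          # a missing directory holds no add-ons
        find "$dir" -maxdepth 1 -type f -name 'graal*.zap' -print
    done
}

# Delete those files, then re-scan; return 1 if any survived.
purge_graal_addons() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 1 -type f -name 'graal*.zap' -exec rm -f -- {} +
    done
    remaining=$(list_graal_addons "$@")
    if [ -n "$remaining" ]; then
        printf 'add-on file still present:\n%s\n' "$remaining" >&2
        return 1
    fi
    return 0
}

# When run with directory arguments, e.g. from a Dockerfile RUN step:
#   sh purge-graal.sh plugin /root/.ZAP_D/plugin
if [ "$#" -gt 0 ]; then
    purge_graal_addons "$@" || exit 1
fi
```

Run it after the last step that writes to the plugin directories, since the `cp /root/.ZAP_D/plugin/*.zap plugin/` step copies whatever is left in the home directory into the installation.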

thc...@gmail.com

Jul 1, 2024, 7:22:34 AM
to zaprox...@googlegroups.com
Can you try again with latest ZAP without removing GraalJS? The Zest
add-on was updated to use the same scripting configurations as when
running directly from ZAP and the scripts are now able to access ZAP
classes.

Best regards.

On 22/06/2024 00:51, Hector Luna wrote:
> Thank you very much sir!
> I added *RUN rm -rf plugin/graal*.zap *to my Dockerfile right after doing

Hector Luna

Jul 1, 2024, 2:17:39 PM
to ZAP User Group
I will try that right away. I also saw that you guys are migrating to Java 17.
I will try enabling the addon and seeing how that goes.

Thank you!

Hector Luna

Jul 1, 2024, 5:44:23 PM
to ZAP User Group
I tried it and all my tests work as expected without removing the addon.
Would this be a good time to start looking at Nashorn alternatives, as I am assuming that it will be deprecated in the near future?

Thank you very much!