Add evidence.extrainformation & evidence.proofs as available fields

CHANGELOG.md

@@ -1,3 +1,6 @@
+v#.#.# (MMMM YYYY)
+  - Add `evidence.extrainformation` & `evidence.proofs` as available fields
+
 v4.9.0 (June 2023)
   - No changes
 

lib/dradis/plugins/netsparker/gem_version.rb

@@ -9,7 +9,7 @@ def self.gem_version
       module VERSION
         MAJOR = 4
         MINOR = 9
-        TINY = 0
+        TINY = 1
         PRE = nil
 
         STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

lib/netsparker/vulnerability.rb

@@ -43,12 +43,13 @@ def supported_tags
         :classification_owasppc, :classification_pci31, :classification_pci32, :classification_wasc,
 
         # multiple tags
+        :extrainformation, :proofs,
       ]
     end
 
     # This allows external callers (and specs) to check for implemented
     # properties
-    def respond_to?(method, include_private=false)
+    def respond_to?(method, include_private = false)
       return true if supported_tags.include?(method.to_sym)
       super
     end
@@ -60,7 +61,6 @@ def respond_to?(method, include_private=false)
     # attribute, simple descendent or collection that it maps to in the XML
     # tree.
     def method_missing(method, *args)
-
       # We could remove this check and return nil for any non-recognized tag.
       # The problem would be that it would make tricky to debug problems with
       # typos. For instance: <>.potr would return nil instead of raising an
@@ -109,7 +109,11 @@ def method_missing(method, *args)
       tag = xml.at_xpath("./#{method_name}")
       if tag && !tag.text.blank?
         text = tag.text
-        return tags_with_html_content.include?(method) ? cleanup_html(text) : text
+        if tags_with_nested_content.include?(method)
+          return cleanup_nested(text)
+        else
+          return tags_with_html_content.include?(method) ? cleanup_html(text) : text
+        end
       else
         return 'n/a'
       end
@@ -137,34 +141,44 @@ def cleanup_html(source)
       result.gsub!(/<strong>(.*?)<\/strong>/) { "*#{$1}* " }
 
       result.gsub!(/(<br>)|(<br(\s*)\/>)/, "\n")
-      result.gsub!(/(<div>)|(<\/div>)/, "")
+      result.gsub!(/(<div>)|(<\/div>)/, '')
       result.gsub!(/<font.*?>(.*?)<\/font>/m, '\1')
       result.gsub!(/<p (.*?)>(.*?)<\/p>/) { "\n#{$2}\n" }
       result.gsub!(/<span(.*?)>(.*?)<\/span>/, '\2')
-      result.gsub!(/<span(.*?)>|<\/span>/, "")
+      result.gsub!(/<span(.*?)>|<\/span>/, '')
       result.gsub!(/(<p>)|(<\/p>)/, "\n")
       result.gsub!(/\n[a-z]\. /, "\n\* ")
 
       result.gsub!(/<a .*?href=(?:\"|\')(.*?)(?:\"|\').*?>(?:<i.*?<\/i>)?(.*?)<\/a>/i) { "\"#{$2.strip}\":#{$1.strip}" }
 
-      result.gsub!(/<code><pre.*?>(.*?)<\/pre><\/code>/m) {|m| "\n\nbc.. #{$1}\n\np.  \n" }
-      result.gsub!(/<pre.*?>(.*?)<\/pre>/m) {|m| "\n\nbc.. #{$1}\n\np.  \n" }
-      result.gsub!(/<code>(.*?)<\/code>/m) {|m| "\n\nbc.. #{$1}\n\np.  \n" }
+      result.gsub!(/<code><pre.*?>(.*?)<\/pre><\/code>/m) { |m| "\n\nbc.. #{$1}\n\np.  \n" }
+      result.gsub!(/<pre.*?>(.*?)<\/pre>/m) { |m| "\n\nbc.. #{$1}\n\np.  \n" }
+      result.gsub!(/<code>(.*?)<\/code>/m) { |m| "\n\nbc.. #{$1}\n\np.  \n" }
 
       result.gsub!(/(<ul>)|(<\/ul>|(<ol>)|(<\/ol>))/, "\n")
-      result.gsub!(/<li(.*?)>(.*?)<\/li>/m) {"\n* #{$2}\n" }
+      result.gsub!(/<li(.*?)>(.*?)<\/li>/m) { "\n* #{$2}\n" }
       result.gsub!(/<li>/, "\n* ")
       result.gsub!(/<\/li>/, "\n")
 
       result
     end
 
-    # Some of the values have embedded HTML conent that we need to strip
+    def cleanup_nested(source)
+      result = source.dup
+      result.gsub!(/^\s+/, '')
+      result
+    end
+
+    # Some of the values have embedded HTML content that we need to strip
     def tags_with_html_content
       [
         :actions_to_take, :description, :external_references, :extrainformation,
         :impact, :remedy, :remedy_references, :required_skills_for_exploitation
       ]
     end
+
+    def tags_with_nested_content
+      [ :extrainformation, :proofs ]
+    end
   end
 end

templates/evidence.fields

@@ -1,3 +1,5 @@
+evidence.extrainformation
+evidence.proofs
 evidence.rawrequest
 evidence.rawresponse
 evidence.url

templates/evidence.sample

@@ -39,11 +39,18 @@ function openFlyout() {
   });
 }
 ]]></rawresponse>
-  <extrainformation></extrainformation>
-
-  <proofs></proofs>
-
-
+  <extrainformation>
+      <info>
+          <name>Example Name</name>
+          <value><![CDATA[Example Value]]></value>
+      </info>
+  </extrainformation>
+  <proofs>
+      <proof>
+          <key><![CDATA[example key]]></key>
+          <value><![CDATA[example value.]]></value>
+      </proof>
+  </proofs>
   <classification>
     <OWASP2013></OWASP2013>
     <WASC></WASC>