Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The -quickout option should not attempt to write to the directory where ZAP is installed #7580

Open
1 task
trevor-vaughan opened this issue Nov 4, 2022 · 7 comments · May be fixed by #7781
Open
1 task

The -quickout option should not attempt to write to the directory where ZAP is installed #7580

trevor-vaughan opened this issue Nov 4, 2022 · 7 comments · May be fixed by #7781
Labels
add-on bug

Comments

@trevor-vaughan
Copy link
Contributor

Describe the bug

Running zap.sh with -quickout will attempt to write the output file to the directory where ZAP is installed instead of the current directory.

Steps to reproduce the behavior

  1. Install ZAP
  2. Run zap.sh -cmd -quickurl <whatever> -quickout zapout.json

Results

Writing results to /home/user/Apps/ZAP/zapout.json
The directory of given '-quickout' file is not writable:

Expected behavior

The file would be created in my current working directory.

Software versions

ZAP 2.12.0

Screenshots

No response

Errors from the zap.log file

No response

Additional context

No response

Would you like to help fix this issue?

  • Yes
@thc202 thc202 added the add-on label Nov 4, 2022
@cloudbuilderspa
Copy link

use ./zapout.json

@psiinon
Copy link
Member

psiinon commented Feb 24, 2023

Or use an absolute path 😁

@trevor-vaughan
Copy link
Contributor Author

I mean, yes, but this is a horrible default experience (and potentially leaves sensitive data somewhere mysterious).

@psiinon
Copy link
Member

psiinon commented Feb 24, 2023

I have to say I agree 😉
Part of the problem is the the zap.sh script performs a cd.
However one possible solution would be to save the cwd ZAP was launched from in an envvar (on all platforms) and for the code to be changed to use this for relative paths by default if its available..

@trevor-vaughan
Copy link
Contributor Author

I'd even take an error message of "hey, you have to specify a path, try ./<whatever>" or the like.

@trevor-vaughan
Copy link
Contributor Author

🤔 I haven't looked at the script code, but could you cd in a subshell to solve the issue?

@psiinon
Copy link
Member

psiinon commented Feb 24, 2023

It would require some restructuring :/ https://github.com/zaproxy/zaproxy/blob/main/zap/src/main/dist/zap.sh

trevor-vaughan added a commit to trevor-vaughan/zaproxy that referenced this issue Mar 11, 2023
@trevor-vaughan
Do not change directory when running zap
d43ebcd 
Prevent the startup script from changing directory.

This ensures that any artifacts created by `zap`, such as the output of
`-quickout` will land in the current directory instead of the ZAP
installation directory.

Closes zaproxy#7580
@trevor-vaughan trevor-vaughan linked a pull request Mar 11, 2023 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
add-on bug
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Do not change directory when running zap trevor-vaughan/zaproxy
4 participants
@psiinon @thc202 @trevor-vaughan @cloudbuilderspa