Merge pull request #32 from psiinon/main

Dont report dup storage objects
zaproxy · Jan 4, 2023 · 4f0d41a · 4f0d41a
2 parents 3c6a122 + f456857
commit 4f0d41a
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 3 deletions.
diff --git a/source/Background/index.ts b/source/Background/index.ts
@@ -19,9 +19,15 @@
  */
 import 'emoji-log';
 import {browser, Runtime} from 'webextension-polyfill-ts';
+import {ReportedStorage} from '../ContentScript/index';
 
 console.log('ZAP Service Worker 👋');
 
+/*
+  We check the storage on every page, so need to record which storage events we have reported to ZAP here so that we dont keep sending the same events.
+*/
+const reportedStorage = new Set<string>();
+
 /*
   A callback URL will only be available if the browser has been launched from ZAP, otherwise call the individual endpoints
 */
@@ -53,7 +59,20 @@ function handleMessage(
   console.log(encodeURIComponent(zapkey));
   console.log(`Type: ${request.type}`);
   console.log(`Data: ${request.data}`);
+
   if (request.type === 'reportObject') {
+    const repObj = JSON.parse(request.data);
+    if (repObj.type === 'localStorage' || repObj.type === 'sessionStorage') {
+      // Check to see if we have already reported this storage object
+      const repStorage = new ReportedStorage('', '', '', '', '');
+      Object.assign(repStorage, repObj);
+      const repStorStr: string = repStorage.toShortString();
+      if (reportedStorage.has(repStorStr)) {
+        // Already reported
+        return true;
+      }
+      reportedStorage.add(repStorStr);
+    }
     const body = `objectJson=${encodeURIComponent(
       request.data
     )}&apikey=${encodeURIComponent(zapkey)}`;

diff --git a/source/ContentScript/index.ts b/source/ContentScript/index.ts
@@ -82,8 +82,8 @@ class ReportedObject {
 class ReportedStorage extends ReportedObject {
   public toShortString(): string {
     return JSON.stringify(this, function replacer(k: string, v: string) {
-      if (k === 'xpath' || k === 'url' || k === 'href') {
-        // Storage events are not URL specific
+      if (k === 'xpath' || k === 'url' || k === 'href' || k === 'timestamp') {
+        // Storage events are not time or URL specific
         return undefined;
       }
       return v;
@@ -303,8 +303,9 @@ observer.observe(document, {
 reportPageLoaded(document, reportObject);
 
 export {
-  ReportedObject,
   ReportedElement,
+  ReportedObject,
+  ReportedStorage,
   reportPageLinks,
   reportPageLoaded,
   reportPageForms,