ascanrules: Address External Redirect False Positives

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

Author: kingthorin

addOns/ascanrules/CHANGELOG.md

@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Changed
+- The External Redirect scan rule has been updated to account for potential false positives involving JavaScript comments.
 
 ## [73] - 2025-09-02
 ### Changed

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java

@@ -20,11 +20,15 @@
 package org.zaproxy.zap.extension.ascanrules;
 
 import java.io.IOException;
+import java.util.ArrayDeque;
 import java.util.ArrayList;
 import java.util.Collections;
+import java.util.Deque;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.UUID;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -477,10 +481,155 @@ private static RedirectType isRedirected(String payload, HttpMessage msg) {
 
     private static boolean isRedirectPresent(Pattern pattern, String value) {
         Matcher matcher = pattern.matcher(value);
+        if (!matcher.find()) {
+            return false;
+        }
+        Set<String> extractedComments = extractJsComments(value);
+        String valueWithoutComments = value;
+        for (String comment : extractedComments) {
+            valueWithoutComments = valueWithoutComments.replace(comment, "");
+        }
+
+        matcher = pattern.matcher(valueWithoutComments);
         return matcher.find()
                 && StringUtils.startsWithIgnoreCase(matcher.group(1), HttpHeader.HTTP);
     }
 
+    private enum State {
+        NORMAL,
+        STRING_DOUBLE,
+        STRING_SINGLE,
+        TEMPLATE,
+        TEMPLATE_EXPR,
+        SLASH,
+        LINE_COMMENT,
+        BLOCK_COMMENT,
+        BLOCK_COMMENT_STAR
+    }
+
+    private static Set<String> extractJsComments(String code) {
+        Set<String> comments = new HashSet<>();
+        StringBuilder currentComment = new StringBuilder();
+
+        State state = State.NORMAL;
+        Deque<State> stack = new ArrayDeque<>();
+        boolean escape = false;
+
+        for (int i = 0; i < code.length(); i++) {
+            char c = code.charAt(i);
+
+            switch (state) {
+                case NORMAL:
+                    if (c == '"') {
+                        state = State.STRING_DOUBLE;
+                    } else if (c == '\'') {
+                        state = State.STRING_SINGLE;
+                    } else if (c == '`') {
+                        state = State.TEMPLATE;
+                    } else if (c == '/') {
+                        state = State.SLASH;
+                    }
+                    break;
+
+                case SLASH:
+                    if (c == '/') {
+                        state = State.LINE_COMMENT;
+                        currentComment.setLength(0);
+                        currentComment.append("//");
+                    } else if (c == '*') {
+                        state = State.BLOCK_COMMENT;
+                        currentComment.setLength(0);
+                        currentComment.append("/*");
+                    } else {
+                        state = State.NORMAL; // not actually a comment
+                    }
+                    break;
+
+                case LINE_COMMENT:
+                    currentComment.append(c);
+                    if (c == '\n' || c == '\r' || c == '\u2028' || c == '\u2029') {
+                        comments.add(currentComment.toString());
+                        state = State.NORMAL;
+                    }
+                    break;
+
+                case BLOCK_COMMENT:
+                    currentComment.append(c);
+                    if (c == '*') {
+                        state = State.BLOCK_COMMENT_STAR;
+                    }
+                    break;
+
+                case BLOCK_COMMENT_STAR:
+                    currentComment.append(c);
+                    if (c == '/') {
+                        comments.add(currentComment.toString());
+                        state = State.NORMAL;
+                    } else {
+                        state = State.BLOCK_COMMENT;
+                    }
+                    break;
+
+                case STRING_DOUBLE:
+                    if (escape) {
+                        escape = false;
+                    } else if (c == '\\') {
+                        escape = true;
+                    } else if (c == '"') {
+                        state = State.NORMAL;
+                    }
+                    break;
+
+                case STRING_SINGLE:
+                    if (escape) {
+                        escape = false;
+                    } else if (c == '\\') {
+                        escape = true;
+                    } else if (c == '\'') {
+                        state = State.NORMAL;
+                    }
+                    break;
+
+                case TEMPLATE:
+                    if (escape) {
+                        escape = false;
+                    } else if (c == '\\') {
+                        escape = true;
+                    } else if (c == '`') {
+                        state = State.NORMAL;
+                    } else if (c == '$' && i + 1 < code.length() && code.charAt(i + 1) == '{') {
+                        stack.push(state);
+                        state = State.TEMPLATE_EXPR;
+                        i++; // skip '{'
+                    }
+                    break;
+
+                case TEMPLATE_EXPR:
+                    if (c == '}') {
+                        state = stack.pop();
+                    } else if (c == '"') {
+                        state = State.STRING_DOUBLE;
+                    } else if (c == '\'') {
+                        state = State.STRING_SINGLE;
+                    } else if (c == '`') {
+                        state = State.TEMPLATE;
+                    } else if (c == '/') {
+                        state = State.SLASH;
+                    }
+                    break;
+            }
+        }
+
+        // Handle unterminated comments at EOF
+        if (state == State.LINE_COMMENT
+                || state == State.BLOCK_COMMENT
+                || state == State.BLOCK_COMMENT_STAR) {
+            comments.add(currentComment.toString());
+        }
+
+        return comments;
+    }
+
     @Override
     public int getRisk() {
         return Alert.RISK_HIGH;

addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRuleUnitTest.java

@@ -531,6 +531,114 @@ void shouldReportRedirectWithJsLocationMethods(String jsMethod) throws Exception
         assertThat(alertsRaised.get(0).getEvidence().startsWith(HttpHeader.HTTP), equalTo(true));
     }
 
+    private static Stream<Arguments> provideCommentStrings() {
+        return Stream.of(
+                // Some need to be double escaped because of Java
+                Arguments.of("Block comment", "/*  window.location.replace('@@@content@@@');\n*/"),
+                Arguments.of("Single line", "// window.location.replace('@@@content@@@');"),
+                Arguments.of(
+                        "Inline block",
+                        "console.log(\"example\"); /* console.log(window.location.replace('@@@content@@@')); */"),
+                Arguments.of(
+                        "Inline incomplete block",
+                        "console.log(\"example\"); /* console.log(window.location.replace('@@@content@@@')); "),
+                Arguments.of(
+                        "Inline single line",
+                        "console.log(\"example\"); // console.log(window.location.replace('@@@content@@@'));"),
+                Arguments.of(
+                        "Inline single line (w/ unicode escape)",
+                        "console.log(\"🔥 example\"); // console.log('\\u1F525 window.location.replace('@@@content@@@')');"),
+                Arguments.of(
+                        "Inline single line (w/ malformed (leading) unicode escape)",
+                        "console.log(\"🔥 example\"); // console.log('\\u 1F525 window.location.replace('@@@content@@@')');"),
+                Arguments.of(
+                        "Inline single line (w/ malformed (mid) unicode escape)",
+                        "console.log(\"🔥 example\"); // console.log('\\u1F 525 window.location.replace('@@@content@@@')');"),
+                Arguments.of(
+                        "Inline single line (surrogate pair unicode escape)",
+                        "console.log(\"example\"); // console.log('\\uD83D\\uDD25 window.location.replace('@@@content@@@')');"),
+                Arguments.of(
+                        "Inline single line (malformed surrogate pair unicode escape)",
+                        "console.log(\"example\"); // console.log('\\uD83D\\uD D25 window.location.replace('@@@content@@@')');"),
+                Arguments.of(
+                        "Inline single line (w/ braced unicode escape)",
+                        "console.log(\"🔥 example\"); // console.log('\\u{1F525} window.location.replace('@@@content@@@')');"),
+                Arguments.of(
+                        "Inline single line (w/ malformed braced unicode escape)",
+                        "console.log(\"🔥 example\"); // console.log('\\u {1F525} window.location.replace('@@@content@@@')');"),
+                Arguments.of(
+                        "Inline single line (octal escape)",
+                        "console.log(\"example\"); // console.log('\\141 window.location.replace('@@@content@@@')');"),
+                Arguments.of(
+                        "Inline single line (malformed octal)",
+                        "console.log(\"example\"); // console.log('\\8 window.location.replace('@@@content@@@')');"),
+                Arguments.of(
+                        "Inline single line (w/ hex escape)",
+                        "console.log(\"example\"); // console.log('\\x41 window.location.replace('@@@content@@@')');"),
+                Arguments.of(
+                        "Inline single line (w/ malformed (leading) hex escape)",
+                        "console.log(\"example\"); // console.log('\\x 41 window.location.replace('@@@content@@@')');"),
+                Arguments.of(
+                        "Inline single line (w/ malformed (mid) hex escape)",
+                        "console.log(\"example\"); // console.log('\\x4 1 window.location.replace('@@@content@@@')');"),
+                Arguments.of(
+                        "Inline single line (w/ single char escapes)",
+                        "console.log(\"example\"); // console.log('\\r\\n\\twindow.location.replace('@@@content@@@')');"),
+                Arguments.of(
+                        "Embedded template expression",
+                        "console.log('value ${1 + 1}'); // comment with window.location.replace('@@@content@@@');"),
+                Arguments.of(
+                        "Template literal with embedded expression",
+                        "console.log(`value ${1 + 1}`); // comment with window.location.replace('@@@content@@@');"),
+                Arguments.of(
+                        "Template literal expression containing //",
+                        "console.log(\"value ${ 'not // a comment' }\"); // real comment window.location.replace('@@@content@@@')"),
+                Arguments.of(
+                        "Template literal with escaped backtick",
+                        "console.log(\"escaped \\` backtick\"); // trailing comment window.location.replace('@@@content@@@')"));
+    }
+
+    @ParameterizedTest(name = "{0}")
+    @MethodSource("provideCommentStrings")
+    void shouldNotReportRedirectIfInsideJsComment(String name, String content) throws Exception {
+        // Given
+        String test = "/";
+        String body =
+                """
+                <!DOCTYPE html>
+                <html>
+                <head>
+                <title>Redirect commented out</title>
+                </head>
+                <body>
+
+                <script>function myRedirectFunction()
+                %s
+                //myRedirectFunction();
+                </script>
+                """
+                        .formatted(content);
+        nano.addHandler(
+                new NanoServerHandler(test) {
+                    @Override
+                    protected NanoHTTPD.Response serve(NanoHTTPD.IHTTPSession session) {
+                        String site = getFirstParamValue(session, "site");
+                        if (site != null && !site.isEmpty()) {
+                            String withPayload = body.replace(CONTENT_TOKEN, site);
+                            return newFixedLengthResponse(
+                                    NanoHTTPD.Response.Status.OK, NanoHTTPD.MIME_HTML, withPayload);
+                        }
+                        return newFixedLengthResponse("<html><body></body></html>");
+                    }
+                });
+        HttpMessage msg = getHttpMessage(test + "?site=xxx");
+        rule.init(msg, parent);
+        // When
+        rule.scan();
+        // Then
+        assertThat(alertsRaised.size(), equalTo(0));
+    }
+
     private static Stream<Arguments> createJsMethodBooleanPairs() {
         return Stream.of(
                 Arguments.of("location.reload", true),