GraphQL handleDetectedEngine exception when Technology Detection is not installed #8890

alexanderrtaylor opened this issue Mar 18, 2025 · 1 comment · May be fixed by zaproxy/zap-extensions#6284
Labels: add-on, bug, in:graphql (Issues pertaining to GraphQL Support add-on.)


alexanderrtaylor commented Mar 18, 2025

Describe the bug:

When trying to run ZAP against our GraphQL API, it throws a null pointer error when trying to initialize. The addon appears to be correctly installed, but when it starts trying to hit the endpoints we get this stacktrace:

16405 [ZAP-IO-Server-1-1] WARN  org.zaproxy.addon.graphql.GraphQlFingerprinter - Failed to fingerprint GraphQL engine: apollo
java.lang.NullPointerException: Cannot invoke "java.util.List.iterator()" because "org.zaproxy.addon.graphql.GraphQlFingerprinter.handlers" is null
	at org.zaproxy.addon.graphql.GraphQlFingerprinter.handleDetectedEngine(GraphQlFingerprinter.java:121) ~[?:?]
	at org.zaproxy.addon.graphql.GraphQlFingerprinter.fingerprint(GraphQlFingerprinter.java:109) ~[?:?]
	at org.zaproxy.addon.graphql.GraphQlParser.fingerprint(GraphQlParser.java:181) ~[?:?]
	at org.zaproxy.addon.graphql.GraphQlParser.parse(GraphQlParser.java:159) ~[?:?]
	at org.zaproxy.addon.graphql.GraphQlParser.importFile(GraphQlParser.java:136) ~[?:?]
	at org.zaproxy.addon.graphql.GraphQlApi.importFile(GraphQlApi.java:90) ~[?:?]
	at org.zaproxy.addon.graphql.GraphQlApi.handleApiAction(GraphQlApi.java:71) ~[?:?]
	at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:538) ~[zap-2.16.0.jar:2.16.0]
	at org.zaproxy.addon.network.internal.server.http.handlers.ZapApiHandler.handleApiRequest(ZapApiHandler.java:111) ~[?:?]
	at org.zaproxy.addon.network.internal.server.http.handlers.ZapApiHandler.handleRequest(ZapApiHandler.java:85) ~[?:?]
	at org.zaproxy.addon.network.internal.server.http.handlers.ZapApiHandler.handleMessage(ZapApiHandler.java:70) ~[?:?]
	at org.zaproxy.addon.network.internal.server.http.MainServerHandler.notifyMessageHandlers(MainServerHandler.java:151) ~[?:?]
	at org.zaproxy.addon.network.internal.server.http.MainServerHandler.processMessage(MainServerHandler.java:131) ~[?:?]
	at org.zaproxy.addon.network.internal.server.http.LocalServerHandler.processMessage(LocalServerHandler.java:67) ~[?:?]
	at org.zaproxy.addon.network.internal.server.http.MainServerHandler.process(MainServerHandler.java:94) ~[?:?]
	at org.zaproxy.addon.network.internal.server.http.MainServerHandler.lambda$channelRead0$0(MainServerHandler.java:82) ~[?:?]
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [network-beta-0.21.0.zap:?]
	at java.base/java.lang.Thread.run(Thread.java:840) [?:?]

Steps to reproduce the behavior:

Sorry I am not SUPER experienced with zap so the steps to reproduce may not properly capture all the needed steps but this is what I am currently doing:

  1. pull the latest zapdock docker
  2. run zapdock in daemon mode with the graphql add in
  3. use a python script to import a .gql file and run a graphql scan

Expected behavior:

I would expect either it to work in the scan, add a new handler, re-check for a graphql engine, or fail with a better error message. Seems like this function:
https://github.com/zaproxy/zap-extensions/blob/main/addOns/graphql/src/main/java/org/zaproxy/addon/graphql/GraphQlFingerprinter.java#L642C24-L642C40

should probably have a null check in there or run:
https://github.com/zaproxy/zap-extensions/blob/main/addOns/graphql/src/main/java/org/zaproxy/addon/graphql/GraphQlFingerprinter.java#L642

Software versions:

zaproxy/zap-stable:2.16.0

Screenshots:

No response

Errors from the zap.log file:

No response

Additional context:

No response

Would you like to help fix this issue?

  • Yes
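
The failure mode in the stack trace and the null-safe alternative the report asks for, as an added Java example that is not part of the original issue and is not the add-on's source. It assumes the handler list is only populated when an optional component registers; the class names `Unguarded` and `Guarded` and the method `addEngineHandler` are hypothetical.

```java
import java.util.List;
import java.util.Objects;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.function.Consumer;

// Constructed model of the failure mode; not the GraphQL add-on's source.
public class OptionalHandlersDemo {
    // Before: the list is assigned only when an optional component registers.
    static class Unguarded {
        static List<Consumer<String>> handlers; // stays null if nothing registers

        static void handleDetectedEngine(String engine) {
            for (Consumer<String> handler : handlers) { // NPE when handlers is null
                handler.accept(engine);
            }
        }
    }

    // After: the list always exists; no optional component means zero handlers.
    static class Guarded {
        private static final List<Consumer<String>> HANDLERS = new CopyOnWriteArrayList<>();

        static void addEngineHandler(Consumer<String> handler) {
            HANDLERS.add(Objects.requireNonNull(handler));
        }
        // Returns how many handlers were notified without error.
        static int handleDetectedEngine(String engine) {
            int notified = 0;
            for (Consumer<String> handler : HANDLERS) {
                try {
                    handler.accept(engine);
                    notified++;
                } catch (RuntimeException e) { // one failing handler must not stop the rest
                    System.err.println("handler failed for " + engine + ": " + e);
                }
            }
            return notified;
        }
    }

    public static void main(String[] args) {
        try {
            Unguarded.handleDetectedEngine("apollo");
        } catch (NullPointerException e) {
            System.out.println("unguarded: " + e.getMessage());
        }
        System.out.println("guarded, none registered: " + Guarded.handleDetectedEngine("apollo"));
        Guarded.addEngineHandler(engine -> System.out.println("detected " + engine));
        System.out.println("guarded, one registered: " + Guarded.handleDetectedEngine("apollo"));
    }
}
```
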
@kingthorin kingthorin added add-on in:graphql Issues pertaining to GraphQL Support add-on. labels Mar 18, 2025
@kingthorin kingthorin self-assigned this Mar 18, 2025
@kingthorin
Member

Thanks for the report, I'll look into this.

@thc202 thc202 changed the title GraphQL handleDetectedEngine throws null when it cant find a handler GraphQL handleDetectedEngine exception when Technology Detection is not installed Mar 18, 2025