Migration to a maintained version of the Apache HTTP Client

[mgmechanics]

Zest contains Apache HTTP Client 3.1 which is unmaintained since long time ago. Is there serious interest to update it to Apache HTTP Client 4 or better?

The company I am working for uses Zest internally. It is doing great but our source scan raises security errors of highest level because of the outdated HTTP client. Thus I already updated the HTTP Client to version 4.5.5. If there serious interest I can ask if I can merge my changes into the public code base.

[thc202]

I'm +1 to the change, but worth noting that it will break binary compatibility (if we completely drop Commons HttpClient).

[psiinon]

+1 as well.
Do we really need binary compatibility?
Zest script compatibility is the important thing to maintain :)

[thc202]

Well, this change will break (ZAP) Zest add-on, but not a problem we can update it easily :)

[mgmechanics]

Zest script compatibility is the important thing to maintain :)

I can run the same Zest scripts than before the change. org.mozilla.zest.core.v1.ZestRequest works with class Cookie from the Apache HTTP Client 4.5.5.

This is possible because JSON from the Class Cookie from HTTP Client 3.1 can be de-serialised in to objects of the class Cookie in the Apache HTTP Client 4.5.5.

Everything else in the package org.mozilla.zest.core.v1 was not changed.

[mgmechanics]

The changes took place in the class org.mozilla.zest.impl.ZestBasicRunner. There are some bigger changes because before migration to HTTP Client 4 I isolated all methods from this class using the HTTP Client 3 in a new class. ZestBasicRunner holds an interface of this class which gets an instance of the new class at runtime. This makes further migrations (Apache HTTP Client 5 is in the beta version) easier.

[mgmechanics]

I ask my boss if I can get a budget for this.

[thc202]

Which version/commit are you basing your work on? Asking because #118 refactored ZestBasicRunner to allow that.

[mgmechanics]

I did the migration on the master branch. I have checked #118. That looks good. You have already done an important part of the work.

A) ZestCookie: Good idea. Makes Zest independent from particular HTTP clients.

B) org.mozilla.zest.impl.CommonsHttpClient implements ZestHttpClient: Almost the same as my approach. I think I can begin. Have to ask for procedure/budget first.

[thc202]

Note that the work should be done in the develop branch (master is being used only for tagging releases).

Cool, let us know how that goes.

[mgmechanics]

Of course, in the develop branch.

[mgmechanics]

I did the work and made the pull request #171

[mgmechanics]

Tests were done successfully by running examples/BodgeIt_Register_XSS.zst against a dummy service so I could check the requests made by the zest runner.

[mgmechanics]

Do you plan to include the new HTTP client for the next release?

[thc202]

Sure, good to get this change in (added to milestone).