pscan: add max body size to the API

Allow to configure the option max body size through the API.

Fix zaproxy/zaproxy#8974.

Signed-off-by: thc202 <[email protected]>

Author: thc202

addOns/pscan/CHANGELOG.md

@@ -5,7 +5,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## Unreleased
-
+### Added
+- Allow to configure the option max body size through the API (Issue 8974).
 
 ## [0.3.0] - 2025-06-20
 ### Changed

addOns/pscan/src/main/java/org/zaproxy/addon/pscan/PassiveScanApi.java

@@ -53,6 +53,7 @@ public class PassiveScanApi extends ApiImplementor {
     private static final String VIEW_CURRENT_RULE = "currentRule";
     private static final String VIEW_CURRENT_TASKS = "currentTasks";
     private static final String VIEW_MAX_ALERTS_PER_RULE = "maxAlertsPerRule";
+    private static final String VIEW_MAX_BODY_SIZE_IN_BYTES = "maxBodySizeInBytes";
 
     private static final String ACTION_SET_ENABLED = "setEnabled";
     private static final String ACTION_SET_SCAN_ONLY_IN_SCOPE = "setScanOnlyInScope";
@@ -62,6 +63,7 @@ public class PassiveScanApi extends ApiImplementor {
     private static final String ACTION_DISABLE_SCANNERS = "disableScanners";
     private static final String ACTION_SET_SCANNER_ALERT_THRESHOLD = "setScannerAlertThreshold";
     private static final String ACTION_SET_MAX_ALERTS_PER_RULE = "setMaxAlertsPerRule";
+    private static final String ACTION_SET_MAX_BODY_SIZE_IN_BYTES = "setMaxBodySizeInBytes";
     private static final String ACTION_DISABLE_ALL_TAGS = "disableAllTags";
     private static final String ACTION_ENABLE_ALL_TAGS = "enableAllTags";
     private static final String ACTION_CLEAR_QUEUE = "clearQueue";
@@ -72,6 +74,7 @@ public class PassiveScanApi extends ApiImplementor {
     private static final String PARAM_ID = "id";
     private static final String PARAM_ALERT_THRESHOLD = "alertThreshold";
     private static final String PARAM_MAX_ALERTS = "maxAlerts";
+    private static final String PARAM_MAX_SIZE = "maxSize";
 
     private final ExtensionPassiveScan2 extension;
     private final PassiveScannersManager scannersManager;
@@ -97,6 +100,8 @@ public PassiveScanApi(ExtensionPassiveScan2 extension, PassiveScannersManager sc
                         new String[] {PARAM_ID, PARAM_ALERT_THRESHOLD}));
         this.addApiAction(
                 new ApiAction(ACTION_SET_MAX_ALERTS_PER_RULE, new String[] {PARAM_MAX_ALERTS}));
+        this.addApiAction(
+                new ApiAction(ACTION_SET_MAX_BODY_SIZE_IN_BYTES, new String[] {PARAM_MAX_SIZE}));
         this.addApiAction(new ApiAction(ACTION_DISABLE_ALL_TAGS));
         this.addApiAction(new ApiAction(ACTION_ENABLE_ALL_TAGS));
         this.addApiAction(new ApiAction(ACTION_CLEAR_QUEUE));
@@ -113,6 +118,7 @@ public PassiveScanApi(ExtensionPassiveScan2 extension, PassiveScannersManager sc
         this.addApiView(currentRule);
         this.addApiView(new ApiView(VIEW_CURRENT_TASKS));
         this.addApiView(new ApiView(VIEW_MAX_ALERTS_PER_RULE));
+        this.addApiView(new ApiView(VIEW_MAX_BODY_SIZE_IN_BYTES));
     }
 
     @Override
@@ -162,6 +168,11 @@ public ApiResponse handleApiAction(String name, JSONObject params) throws ApiExc
             case ACTION_SET_MAX_ALERTS_PER_RULE:
                 getOptions().setMaxAlertsPerRule(ApiUtils.getIntParam(params, PARAM_MAX_ALERTS));
                 break;
+            case ACTION_SET_MAX_BODY_SIZE_IN_BYTES:
+                getOptions()
+                        .setMaxBodySizeInBytesToScan(
+                                Math.max(0, ApiUtils.getIntParam(params, PARAM_MAX_SIZE)));
+                break;
             case ACTION_DISABLE_ALL_TAGS:
                 getOptions()
                         .getAutoTagScanners()
@@ -325,6 +336,12 @@ public ApiResponse handleApiView(String name, JSONObject params) throws ApiExcep
                                 VIEW_MAX_ALERTS_PER_RULE,
                                 Integer.toString(getOptions().getMaxAlertsPerRule()));
                 break;
+            case VIEW_MAX_BODY_SIZE_IN_BYTES:
+                result =
+                        new ApiResponseElement(
+                                VIEW_MAX_BODY_SIZE_IN_BYTES,
+                                Integer.toString(getOptions().getMaxBodySizeInBytesToScan()));
+                break;
             default:
                 throw new ApiException(ApiException.Type.BAD_VIEW);
         }

addOns/pscan/src/main/javahelp/org/zaproxy/addon/pscan/help/contents/api.html

@@ -49,6 +49,12 @@ <h3>Actions</h3>
 				<li>maxAlerts: The maximum number of alerts.</li>
 			</ul>
 		</li>
+		<li>
+			setMaxBodySizeInBytes (maxSize*): Sets the maximum body size in bytes that the passive scanner will scan.
+			<ul>
+				<li>maxSize: The maximum size in bytes, 0 to unset.</li>
+			</ul>
+		</li>
 		<li>
 			setScanOnlyInScope (onlyInScope*): Sets whether or not the passive scan should be performed only on messages that are in scope.
 			<ul>
@@ -68,6 +74,7 @@ <h3>Views</h3>
 	<ul>
 		<li>currentTasks: Shows information about the passive scan tasks currently being run (if any).</li>
 		<li>maxAlertsPerRule: Gets the maximum number of alerts a passive scan rule should raise.</li>
+		<li>maxBodySizeInBytes: Gets the maximum body size in bytes that the passive scanner will scan.</li>
 		<li>recordsToScan: The number of records the passive scanner still has to scan.</li>
 		<li>scanOnlyInScope: Tells whether or not the passive scan should be performed only on messages that are in scope.</li>
 		<li>scanners: Lists all passive scan rules with their ID, name, enabled state, and alert threshold.</li>

addOns/pscan/src/main/resources/org/zaproxy/addon/pscan/resources/Messages.properties

@@ -11,6 +11,8 @@ pscan.api.action.setEnabled = Sets whether or not the passive scanning is enable
 pscan.api.action.setEnabled.param.enabled = The enabled state, true or false.
 pscan.api.action.setMaxAlertsPerRule = Sets the maximum number of alerts a passive scan rule can raise.
 pscan.api.action.setMaxAlertsPerRule.param.maxAlerts = The maximum number of alerts.
+pscan.api.action.setMaxBodySizeInBytes = Sets the maximum body size in bytes that the passive scanner will scan.
+pscan.api.action.setMaxBodySizeInBytes.param.maxSize = The maximum size in bytes, 0 to unset.
 pscan.api.action.setScanOnlyInScope = Sets whether or not the passive scan should be performed only on messages that are in scope.
 pscan.api.action.setScanOnlyInScope.param.onlyInScope = The scan state, true or false.
 pscan.api.action.setScannerAlertThreshold = Sets the alert threshold of a passive scan rule.
@@ -21,6 +23,7 @@ pscan.api.view.currentRule = Shows information about the passive scan rule curre
 pscan.api.view.currentRule.deprecated = Use the currentTasks view instead.
 pscan.api.view.currentTasks = Shows information about the passive scan tasks currently being run (if any).
 pscan.api.view.maxAlertsPerRule = Gets the maximum number of alerts a passive scan rule should raise.
+pscan.api.view.maxBodySizeInBytes = Gets the maximum body size in bytes that the passive scanner will scan.
 pscan.api.view.recordsToScan = The number of records the passive scanner still has to scan.
 pscan.api.view.scanOnlyInScope = Tells whether or not the passive scan should be performed only on messages that are in scope.
 pscan.api.view.scanners = Lists all passive scan rules with their ID, name, enabled state, and alert threshold.

addOns/pscan/src/test/java/org/zaproxy/addon/pscan/PassiveScanApiUnitTest.java

@@ -79,8 +79,8 @@ void shouldAddApiElements() {
         // Given / When
         pscanApi = new PassiveScanApi(extension, scannersManager);
         // Then
-        assertThat(pscanApi.getApiActions(), hasSize(11));
-        assertThat(pscanApi.getApiViews(), hasSize(6));
+        assertThat(pscanApi.getApiActions(), hasSize(12));
+        assertThat(pscanApi.getApiViews(), hasSize(7));
         assertThat(pscanApi.getApiOthers(), hasSize(0));
     }