Font file string intepreted as Drupal Hash

[fzx404]

Describe the bug

False Positive:

Requires Passive Scanning Alpha in order to have the "Information Disclosure - Drupal Hash (Passive 100010).
A woff2 font file (and by extent, other files too?) content may contains strings that would trigger the regex

community-scripts/passive/Find Hashes.js

Line 60 in bf5135a

var drupal = /(\$\S\$\S{52})/g;

Here is what triggered this regex in my case : $½$�u°+ºº¥nu÷�{ûJ�0»2�¼ó¬$Ó���ë¾}'�d>æüºJV�õmMd�Ò��öVU<
As far as I know Drupal hashes are alphanumeric only.
Maybe a more restrictive regex like some others in the same file could do the job.

Steps to reproduce the behavior

1. Have ZAP passive scan analyze a response with the content of a woff2 font file.
2. If the file happens to contain a string starting with $ followed by a char, then another $ , and whatever 52 other char then the request is going to be tagged as "Information Disclosure - Drupal Hash".

Expected behavior

As the content of a font file has nothing to do with a Drupal hash, this alert should not be raised.

Software versions

ZAP 2.15.0 Desktop

Screenshots

No response

Errors from the zap.log file

No response

Additional context

Passive Scanner Alpha v42.0.0

Would you like to help fix this issue?

• Yes

[kingthorin]

With some quick research I did find that it always literally starts with $S followed to upper/lower alpha-numeric plus /. 52 char. So the regex could be better, there's probably a number of content/file types that can be ignored or excluded like the core hash rule.