Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Outdated extensions and open pull requests

Nicolas | Last updated: Jan 15, 2020 06:28PM UTC

Hello, some extensions (like "Add Custom Header") don't have their latest version available in the BAppStore, and that lasts for a few months (and I hate having to maintain private versions) First, I wonder how the process used to update existing extensions works. AFAIK, it isn't explicitly documented. In a previous ticket, I was told that it "is the responsibility of the BApp author to inform us of new versions so that we can then initiate the process to update the version hosted in our BApp store". How should the author inform PortSwigger? Email? Github pull requests? The second point is that, if notifications are based on pull requests (that's my current understanding), then a few month-old ones exist (here two related to "Add Custom Header) https://github.com/PortSwigger/add-custom-header/pulls Is there an official way to get them examined? Nicolas

Hannah, PortSwigger Agent | Last updated: Jan 16, 2020 08:12AM UTC

Hi Nicolas Our current procedure is: - The author creates a pull request against the PortSwigger branch of their repository - The author emails support@portswigger.net to inform us that they've opened a pull request - Changes are reviewed and merged into the PortSwigger branch - The extension is tested for loading errors - The updated version is published to the BApp Store Currently, when a new submission is approved, the author is informed of the update procedure. However, that isn't too helpful if they forget, or if it's an older BApp needing an update. We will look into providing a more detailed explanation for Authors to update their BApps.

Hannah, PortSwigger Agent | Last updated: Jan 16, 2020 09:45AM UTC

At present, unless the original user is completely uncontactable and inactive, we only allow the original author to make changes to their BApp. If the original author gets in contact and requests for someone else to take over the maintenance of their BApp, then we can make allowances for that. Pull requests can be opened on the original authors GitHub repository, for the original author to merge in changes and then create a pull request to the PortSwigger branch, which allows for community contributions.

Burp User | Last updated: Jan 16, 2020 11:14AM UTC

Thanks for the detailed answer! However, pull requests may be opened by other people than the original author (example at https://github.com/PortSwigger/add-custom-header/pull/1, also common with older and possibly unmaintained extensions). For this reason, the update procedure should imo be public (i.e. not being shared only with authors), ideally as an integral part of the documentation. Currently, I can't find any reference to the update process, and only one to the submission process (at https://portswigger.net/bappstore) I'll ping support@ ASAP regarding the open pull requests...

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.