automation: correctly load numeric passwords

Make the credentials of the expected type to prevent class cast
exceptions.

Signed-off-by: thc202 <[email protected]>

addOns/automation/CHANGELOG.md

@@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Fixed
+- Correctly load numeric user passwords.
 - Address malformed HTML in the help.
 - Correct default value of `threadPerHost` property of the `activeScan-config` job's help.
 

addOns/automation/src/main/java/org/zaproxy/addon/automation/ContextWrapper.java

@@ -198,6 +198,7 @@ public ContextWrapper(
                                                 "automation.error.context.baduser", userObj));
                             } else {
                                 UserData ud = new UserData();
+                                forceCredentialsStringType(userObj);
                                 JobUtils.applyParamsToObject(
                                         (LinkedHashMap<?, ?>) userObj, ud, "users", null, progress);
                                 if (env.getUser(ud.getName()) != null) {
@@ -233,6 +234,21 @@ public ContextWrapper(
         }
     }
 
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    private void forceCredentialsStringType(Object userObj) {
+        Object credentials = ((LinkedHashMap) userObj).get("credentials");
+        if (credentials instanceof LinkedHashMap) {
+            ((LinkedHashMap) credentials)
+                    .replaceAll(
+                            (k, v) -> {
+                                if (v instanceof Number) {
+                                    return v.toString();
+                                }
+                                return v;
+                            });
+        }
+    }
+
     private void validateUrl(String url, AutomationProgress progress) {
         try {
             if (!JobUtils.containsVars(url)) {

addOns/automation/src/test/java/org/zaproxy/addon/automation/ContextWrapperUnitTest.java

@@ -43,6 +43,8 @@
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
 import org.mockito.MockedStatic;
 import org.mockito.Mockito;
 import org.parosproxy.paros.CommandLine;
@@ -741,6 +743,45 @@ void shouldLoadValidUsersInMultipleContextsNewFormat() {
                 is("654321"));
     }
 
+    @ParameterizedTest
+    @ValueSource(strings = {"123456", "'123456'", "\"123456\""})
+    void shouldLoadPasswordsOfDifferentDataType(String password) {
+        // Given
+        String contextStr =
+                """
+                env:
+                  contexts:
+                    - name: context
+                      urls:
+                      - http://www.example.com
+                      users:
+                      - name: user
+                        credentials:
+                          username: user
+                          password: %s
+                """
+                        .formatted(password);
+        Yaml yaml = new Yaml();
+        LinkedHashMap<?, ?> data = yaml.load(contextStr);
+        LinkedHashMap<?, ?> contextData = (LinkedHashMap<?, ?>) data.get("env");
+        AutomationProgress progress = new AutomationProgress();
+
+        // When
+        AutomationEnvironment env = new AutomationEnvironment(contextData, progress);
+
+        // Then
+        assertThat(progress.hasWarnings(), is(equalTo(false)));
+        assertThat(progress.hasErrors(), is(equalTo(false)));
+        assertThat(
+                env.getContextWrappers()
+                        .get(0)
+                        .getData()
+                        .getUsers()
+                        .get(0)
+                        .getCredential(UserData.PASSWORD_CREDENTIAL),
+                is("123456"));
+    }
+
     @Test
     void shouldErrorOnBadAuth() {
         // Given