问题
有如下测试代码:
java代码:
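@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
    // Taint source: the raw header value is the SQL text handed to prepareCall.
    // This is the intentional CWE-89 sink of benchmark case BenchmarkTest00008,
    // the statement the taint rules on this page are meant to report, so the
    // data flow is kept as-is.
    String param = request.getHeader("BenchmarkTest00008");
    // try-with-resources closes ResultSet, CallableStatement and Connection in
    // reverse declaration order; the original version never closed any of them.
    // Credentials are inline only because this is a benchmark fixture.
    try (java.sql.Connection connection = DriverManager.getConnection("jdbc:mysql://localhost:3306/testdb", "root", "password");
         java.sql.CallableStatement statement = connection.prepareCall(param);
         java.sql.ResultSet rs = statement.executeQuery()) {
        // The result set is deliberately not consumed; only the sink call matters here.
    } catch (java.sql.SQLException e) {
        // Wrap rather than swallow so the container sees the failure with its cause.
        throw new ServletException(e);
    }
}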
污点配置:
[
{
"_": "MethodSource",
"methodInfo": {
"cls": {
"packageMatcher":{"_":"NameIsEqualTo","name":"javax.servlet.http"},
"classNameMatcher":{"_":"NameIsEqualTo","name":"HttpServletRequest"}
},
"functionName": {"_":"NameIsEqualTo","name":"getHeader"},
"parametersMatchers": [],
"returnTypeMatcher": {"_":"AnyTypeMatches"},
"applyToOverrides": true,
"functionLabel": null,
"modifier": -1,
"exclude": []
},
"condition": {"_":"ConstantTrue"},
"actionsAfter": [
{"_":"AssignMark","mark":{"name":"UNTRUSTED"},"position":{"_":"Result"}}
]
},
{
"_": "PassThrough",
"methodInfo": {
"cls": {
"packageMatcher":{"_":"NameIsEqualTo","name":"java.sql"},
"classNameMatcher":{"_":"NameIsEqualTo","name":"Connection"}
},
"functionName": {"_": "NameIsEqualTo","name": "prepareCall"},
"parametersMatchers": [],
"returnTypeMatcher": {"_": "AnyTypeMatches"},
"applyToOverrides": true,
"functionLabel": null,
"modifier": -1,
"exclude": []
},
"condition": {
"_": "Or",
"args": [
{"_":"ContainsMark","mark":{"name":"UNTRUSTED"},"position":{"_":"Argument","number":0}},
{"_":"ContainsMark","mark":{"name":"ENVIRONMENT"},"position":{"_":"Argument","number":0}}
]
},
"actionsAfter": [
{"_":"CopyAllMarks","from":{"_":"Argument","number":0},"to":{"_":"Result"}}
]
},
{
"_": "MethodSink",
"ruleNote": "SQL-Injection",
"cwe": [89],
"methodInfo": {
"cls": {
"packageMatcher": {"_": "NameIsEqualTo","name": "java.sql"},
"classNameMatcher": {"_": "NameMatches","pattern": "CallableStatement"}
},
"functionName": {"_":"NameMatches","pattern":"executeQuery"},
"parametersMatchers": [],
"returnTypeMatcher": {"_":"AnyTypeMatches"},
"applyToOverrides": true,
"functionLabel": null,
"modifier": -1,
"exclude": []
},
"condition": {
"_": "Or",
"args": [
{
"_": "ContainsMark",
"position": {
"_": "This"
},
"mark": {
"name": "UNTRUSTED"
}
}
]
}
}
]
解决过程
测试代码都是按照代码配置的规则,而且规则也比较简单。但是在测试时就是不报问题,检查了很多遍规则都没发现什么问题。加上了new edge的日志输出,内容如下:
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=noop, fact=Zero))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=noop, fact=Zero))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=%0 = request.getHeader("BenchmarkTest00008"), fact=Zero))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=this.doPost(request, response), fact=Zero))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=%2 = java.sql.DriverManager.getConnection("jdbc:mysql://localhost:3306/testdb", "root", "password"), fact=Zero))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=%2 = java.sql.DriverManager.getConnection("jdbc:mysql://localhost:3306/testdb", "root", "password"), fact=Tainted(variable=%0, mark=UNTRUSTED)))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=return, fact=Zero))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=%4 = %2.prepareCall(%0), fact=Zero))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=catch (%9: java.sql.SQLException), fact=Zero))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=%4 = %2.prepareCall(%0), fact=Tainted(variable=%0, mark=UNTRUSTED)))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=catch (%9: java.sql.SQLException), fact=Tainted(variable=%0, mark=UNTRUSTED)))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=%6 = %4.executeQuery(), fact=Zero))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=%11 = new javax.servlet.ServletException, fact=Zero))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=%6 = %4.executeQuery(), fact=Tainted(variable=%0, mark=UNTRUSTED)))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=%6 = %4.executeQuery(), fact=Tainted(variable=%4, mark=UNTRUSTED)))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=catch (%9: java.sql.SQLException), fact=Tainted(variable=%4, mark=UNTRUSTED)))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=%11 = new javax.servlet.ServletException, fact=Tainted(variable=%0, mark=UNTRUSTED)))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=goto JcInstRef(index=9), fact=Zero))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=%11.<init>(%9), fact=Zero))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=goto JcInstRef(index=9), fact=Tainted(variable=%0, mark=UNTRUSTED)))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=goto JcInstRef(index=9), fact=Tainted(variable=%4, mark=UNTRUSTED)))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=%11 = new javax.servlet.ServletException, fact=Tainted(variable=%4, mark=UNTRUSTED)))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=%11.<init>(%9), fact=Tainted(variable=%0, mark=UNTRUSTED)))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=return, fact=Zero))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=throw %11, fact=Zero))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=return, fact=Tainted(variable=%0, mark=UNTRUSTED)))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=return, fact=Tainted(variable=%4, mark=UNTRUSTED)))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=%11.<init>(%9), fact=Tainted(variable=%4, mark=UNTRUSTED)))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=throw %11, fact=Tainted(variable=%0, mark=UNTRUSTED)))
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=throw %11, fact=Tainted(variable=%4, mark=UNTRUSTED)))
从该条edge的处理可以看出,污点已经传播到了%4变量,也就是源码中的statement,而且标记也是“UNTRUSTED”,和MethodSink中配置的一致,只是结果没报问题。
NewEdge=Edge(from=Vertex(statement=noop, fact=Zero), to=Vertex(statement=%6 = %4.executeQuery(), fact=Tainted(variable=%4, mark=UNTRUSTED)))
后面拿源码一步一步debug,发现根据污点配置匹配MethodSink时,源码中statement的类型变成了PreparedStatement,而看代码应该是CallableStatement。
java.sql.CallableStatement statement = connection.prepareCall(param);
java.sql.ResultSet rs = statement.executeQuery();

将MethodSink中的类名匹配改为“PreparedStatement”后,终于报出了问题。
(TaintAnalyzers.kt:76)- Found sink=Vertex(statement=%6 = %4.executeQuery(), fact=Tainted(variable=%4, mark=UNTRUSTED)) in (id:72)org.owasp.benchmark.testcode.BenchmarkTest00008#doPost(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
此处也可以改成Statement,结合applyToOverrides参数设置为true,所有实现了Statement接口的类都可以匹配上了。
MethodSink配置改为
{
"_": "MethodSink",
"ruleNote": "SQL-Injection",
"cwe": [89],
"methodInfo": {
"cls": {
"packageMatcher": {"_": "NameIsEqualTo","name": "java.sql"},
"classNameMatcher": {"_": "NameMatches","pattern": "Statement"}
},
"functionName": {"_":"NameMatches","pattern":"executeQuery"},
"parametersMatchers": [],
"returnTypeMatcher": {"_":"AnyTypeMatches"},
"applyToOverrides": true,
"functionLabel": null,
"modifier": -1,
"exclude": []
},
"condition": {
"_": "Or",
"args": [
{
"_": "ContainsMark",
"position": {
"_": "This"
},
"mark": {
"name": "UNTRUSTED"
}
}
]
}
}
最终原因猜测
Statement 和 PreparedStatement 以及 CallableStatement的关系为:
public interface CallableStatement extends PreparedStatement {
public interface PreparedStatement extends Statement {
三个接口依次继承,后面发现只有PreparedStatement定义了executeQuery()方法,CallableStatement没有重新声明executeQuery方法,Statement中定义的是executeQuery(String sql),这就解释了为什么上面statement的类为PreparedStatement。



所以后续污点配置中需要关注类的层级问题,既可以使配置文件精简一些,也可以避免配置错误。




