do not convert byte array and char array to string for taints #361

Merged
merged 1 commit into from
Sep 22, 2022
Expand Up @@ -193,18 +193,18 @@ private static void trackTaintRange(IastPropagatorModel propagator, MethodEvent
TaintRanges oldTaintRanges = new TaintRanges();
TaintRanges srcTaintRanges = new TaintRanges();

String srcValue = null;
Object src = null;
if (r != null) {
String srcLoc = propagator.getSource();
if (PARAMS_OBJECT.equals(srcLoc)) {
srcTaintRanges = getTaintRanges(event.object);
srcValue = TaintRangesBuilder.obj2String(event.object);
src = event.object;
srcTaintRanges = getTaintRanges(src);
} else if (srcLoc.startsWith("O|P")) {
oldTaintRanges = getTaintRanges(event.object);
int[] positions = (int[]) propagator.getSourcePosition();
if (positions.length == 1 && event.argumentArray.length >= positions[0]) {
srcTaintRanges = getTaintRanges(event.argumentArray[positions[0]]);
srcValue = TaintRangesBuilder.obj2String(event.argumentArray[positions[0]]);
src = event.argumentArray[positions[0]];
srcTaintRanges = getTaintRanges(src);
}
} else if (srcLoc.startsWith(PARAMS_PARAM)) {
// invalid policy
Expand All @@ -213,25 +213,22 @@ private static void trackTaintRange(IastPropagatorModel propagator, MethodEvent
}
int[] positions = (int[]) propagator.getSourcePosition();
if (positions.length == 1 && event.argumentArray.length >= positions[0]) {
srcTaintRanges = getTaintRanges(event.argumentArray[positions[0]]);
srcValue = TaintRangesBuilder.obj2String(event.argumentArray[positions[0]]);
src = event.argumentArray[positions[0]];
srcTaintRanges = getTaintRanges(src);
}
}
}

int tgtHash;
String tgtValue;
Object tgt;
String tgtLoc = propagator.getTarget();
if (PARAMS_OBJECT.equals(tgtLoc)) {
tgt = event.object;
tgtHash = System.identityHashCode(tgt);
tgtValue = TaintRangesBuilder.obj2String(tgt);
oldTaintRanges = getTaintRanges(tgt);
} else if (PARAMS_RETURN.equals(tgtLoc)) {
tgt = event.returnValue;
tgtHash = System.identityHashCode(tgt);
tgtValue = TaintRangesBuilder.obj2String(tgt);
} else if (tgtLoc.startsWith(PARAMS_PARAM)) {
// invalid policy
if (tgtLoc.contains(CONDITION_OR) || tgtLoc.contains(CONDITION_AND)) {
Expand All @@ -244,7 +241,6 @@ private static void trackTaintRange(IastPropagatorModel propagator, MethodEvent
}
tgt = event.argumentArray[positions[0]];
tgtHash = System.identityHashCode(tgt);
tgtValue = TaintRangesBuilder.obj2String(tgt);
oldTaintRanges = getTaintRanges(tgt);
} else {
// invalid policy
Expand All @@ -256,12 +252,12 @@ private static void trackTaintRange(IastPropagatorModel propagator, MethodEvent
}

TaintRanges tr;
if (r != null && srcValue != null) {
tr = r.run(srcValue, tgtValue, event.argumentArray, oldTaintRanges, srcTaintRanges);
if (r != null && src != null) {
tr = r.run(src, tgt, event.argumentArray, oldTaintRanges, srcTaintRanges);
} else {
tr = new TaintRanges(new TaintRange(0, TaintRangesBuilder.getLength(tgt)));
}
event.targetRanges.add(new MethodEvent.MethodEventTargetRange(tgtHash, tgtValue, tr));
event.targetRanges.add(new MethodEvent.MethodEventTargetRange(tgtHash, tr));
EngineManager.TAINT_RANGES_POOL.add(tgtHash, tr);
}

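Review bot: The new assignments `src = event.argumentArray[positions[0]];` in the `O|P` branch and in the `PARAMS_PARAM` branch of the second hunk sit under the guard `event.argumentArray.length >= positions[0]`, which still admits `positions[0] == argumentArray.length` and then indexes one past the end; unless positions are validated as strictly below the argument count before this point, the guard should read `event.argumentArray.length > positions[0]`. The target lookup `tgt = event.argumentArray[positions[0]]` in the third hunk presumably sits under the same guard, whose line is outside the visible hunk. Separately, changing the condition to `if (r != null && src != null)` alters the fallback: obj2String mapped a null source to `""` so `r.run` was still invoked, whereas a null `src` now takes the full-range `else` branch, which deserves a one-line comment above the condition stating that a null source deliberately taints the whole target. trackTaintRange begins before the first hunk and its hunks are separated by collapsed context.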
Expand Up @@ -92,7 +92,7 @@ private static void trackObject(MethodEvent event, Object obj, int depth) {
}

TaintRanges tr = new TaintRanges(new TaintRange(0, len));
event.targetRanges.add(new MethodEvent.MethodEventTargetRange(hash, TaintRangesBuilder.obj2String(obj), tr));
event.targetRanges.add(new MethodEvent.MethodEventTargetRange(hash, tr));
EngineManager.TAINT_HASH_CODES.add(hash);
event.addTargetHash(hash);
EngineManager.TAINT_RANGES_POOL.add(hash, tr);
@@ -1,11 +1,11 @@
package io.dongtai.iast.core.handler.hookpoint.models;

import io.dongtai.iast.core.handler.hookpoint.vulscan.taintrange.TaintRanges;
import io.dongtai.iast.core.handler.hookpoint.vulscan.taintrange.TaintRangesBuilder;
import io.dongtai.iast.core.utils.PropertyUtils;
import io.dongtai.log.DongTaiLog;
import org.json.JSONObject;

import java.io.StringWriter;
import java.util.*;

/**
Expand Down Expand Up @@ -228,19 +228,16 @@ public JSONObject toJson() {

public static class MethodEventTargetRange {
private final Integer hash;
private final String value;
private final TaintRanges ranges;

public MethodEventTargetRange(Integer hash, String value, TaintRanges ranges) {
public MethodEventTargetRange(Integer hash, TaintRanges ranges) {
this.hash = hash;
this.value = value;
this.ranges = ranges;
}

public JSONObject toJson() {
JSONObject json = new JSONObject();
json.put("hash", this.hash);
json.put("value", this.value);
json.put("ranges", this.ranges.toJson());
return json;
}
Expand Down Expand Up @@ -324,11 +321,7 @@ public String obj2String(Object value) {
return "";
}
try {
if (value instanceof byte[]) {
return TaintRangesBuilder.trimRight((byte[]) value);
} else if (value instanceof char[]) {
return TaintRangesBuilder.trimRight((char[]) value);
} else if (value.getClass().isArray() && !value.getClass().getComponentType().isPrimitive()) {
if (value.getClass().isArray() && !value.getClass().getComponentType().isPrimitive()) {
// 判断是否是基本类型的数组,基本类型的数组无法类型转换为Object[],导致java.lang.ClassCastException异常
Object[] taints = (Object[]) value;
for (Object taint : taints) {
Expand All @@ -343,6 +336,8 @@ public String obj2String(Object value) {
}
}
}
} else if (value instanceof StringWriter) {
sb.append(((StringWriter) value).getBuffer().toString());
} else {
sb.append(value.toString());
}
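Review bot: With the `byte[]` and `char[]` branches removed from `obj2String`, those values now fall through to the final `else` and are rendered by `Object.toString()` as `[B@<identity hash>` / `[C@<identity hash>`, which carries no content and differs between runs. If that fallback is intended it should be stated, e.g. `// byte[]/char[] are deliberately not rendered as text; they fall through to Object.toString()` above the `if (value.getClass().isArray() ...)` line; otherwise a stable summary such as the array type and length would be more useful in reports. In the `MethodEventTargetRange` hunk the `value` key is dropped from `toJson()`, so the emitted report schema changes; a Javadoc sentence on the class noting that only the target's identity hash and ranges are serialised would save a consumer-side surprise. The enclosing obj2String method starts before and ends after the visible hunk.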
Expand Up @@ -163,28 +163,6 @@ public void trim(TaintCommand command, TaintRanges taintRanges, Object source, T
}
}

public static String obj2String(Object obj) {
if (obj == null) {
return "";
}

if (obj instanceof CharSequence) {
return ((CharSequence) obj).toString();
} else if (obj instanceof StringWriter) {
return ((StringWriter) obj).getBuffer().toString();
} else if (obj instanceof ByteArrayOutputStream) {
return ((ByteArrayOutputStream) obj).toString();
} else if (obj instanceof Character) {
return ((Character) obj).toString();
} else if (obj instanceof byte[]) {
return trimRight((byte[]) obj);
} else if (obj instanceof char[]) {
return trimRight((char[]) obj);
} else {
return (obj.getClass().getName() + "@" + Integer.toHexString(obj.hashCode()));
}
}

public static int getLength(Object obj) {
if (obj == null) {
return 0;