Skip to content
/ JavaID Public

java source code static code analysis and danger function identify prog

Notifications You must be signed in to change notification settings

Cryin/JavaID

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
 
 
 
 
 
 
 
 

Repository files navigation

JavaID

java source code danger function identify prog

How does it work?

JavaID identify some dangerous functions in java source code by way of regular matching.

For further details, check out the source code on the main site, github.com/Cryin/JavaID.

What does it identify?

XXE:
   "SAXReader",
   "DocumentBuilder",
   "XMLStreamReader",
   "SAXBuilder",
   "SAXParser",
   "XMLReader",
   "SAXSource",
   "TransformerFactory",
   "SAXTransformerFactory",
   "SchemaFactory",
   "Unmarshaller",
   "XPathExpression"

JavaObjectDeserialization:
   "readObject",
   "readUnshared",
   "Yaml.load",
   "fromXML",
   "ObjectMapper.readValue",
   "JSON.parseObject"
SSRF:
   "HttpClient",
   "Socket",
   "URL",
   "ImageIO",
   "HttpURLConnection",
   "OkHttpClient" 
   "SimpleDriverDataSource.getConnection"
   "DriverManager.getConnection"
FILE:
   "MultipartFile",
   "createNewFile",
   "FileInputStream"
SPelInjection:
   "SpelExpressionParser",
   "getValue"
Autobinding:
   "@SessionAttributes",
   "@ModelAttribute"
URL-Redirect:
   "sendRedirect",
   "forward",
   "setHeader"
EXEC:
   "getRuntime.exec",
   "ProcessBuilder.start",
   "GroovyShell.evaluate"

and so on...

Also you can add function id with regexp.xml!

How do I use it?

Usage: python javaid.py -d dir

Questions?

contact me :)

About

java source code static code analysis and danger function identify prog

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages