add sink taint tag check

Author: lostsnow

dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/taint/range/TaintRanges.java

@@ -58,6 +58,9 @@ public void untag(String[] untags) {
     }
 
     public boolean hasRequiredTaintTags(TaintTag[] tags) {
+        if (tags == null) {
+            return true;
+        }
         int total = tags.length;
         Map<String, Boolean> found = new HashMap<String, Boolean>();
         for (TaintTag tag : tags) {
@@ -71,6 +74,9 @@ public boolean hasRequiredTaintTags(TaintTag[] tags) {
     }
 
     public boolean hasDisallowedTaintTags(TaintTag[] tags) {
+        if (tags == null) {
+            return false;
+        }
         for (TaintTag tag : tags) {
             for (TaintRange taintRange : this.taintRanges) {
                 if (tag.equals(taintRange.getName())) {

dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/taint/tag/TaintTag.java

@@ -27,9 +27,13 @@ public enum TaintTag {
     FTL_DECODED("ftl-decoded"),
     CSS_ENCODED("css-encoded"),
     XPATH_ENCODED("xpath-encoded"),
+    XPATH_DECODED("xpath-decoded"),
     LDAP_ENCODED("ldap-encoded"),
+    LDAP_DECODED("ldap-decoded"),
     OS_ENCODED("os-encoded"),
     VBSCRIPT_ENCODED("vbscript-encoded"),
+    HTTP_TOKEN_LIMITED_CHARS("http-token-limited-chars"),
+    NUMERIC_LIMITED_CHARS("numeric-limited-chars"),
     ;
 
     private final String key;

dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/vulscan/VulnType.java

@@ -15,6 +15,14 @@ public enum VulnType {
     CRYPTO_BAD_MAC("crypto-bad-mac", "high", false),
     COOKIE_FLAGS_MISSING("cookie-flags-missing", "high", true),
     REFLECTED_XSS("reflected-xss", "medium", true),
+    SQL_INJECTION("sql-injection", "high", true),
+    HQL_INJECTION("hql-injection", "high", true),
+    LDAP_INJECTION("ldap-injection", "high", true),
+    CMD_INJECTION("cmd-injection", "high", true),
+    XPATH_INJECTION("xpath-injection", "high", true),
+    PATH_TRAVERSAL("path-traversal", "high", true),
+    XXE("xxe", "medium", true),
+    UNVALIDATED_REDIRECT("unvalidated-redirect", "low", true),
     ;
 
     public String getName() {

dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/vulscan/dynamic/DynamicPropagatorScanner.java

@@ -36,6 +36,50 @@ public class DynamicPropagatorScanner implements IVulScan {
             new HttpService()
     ));
 
+    // VulnType => List<TAGS, UNTAGS>
+    private static final Map<String, List<TaintTag[]>> TAINT_TAG_CHECKS = new HashMap<String, List<TaintTag[]>>() {{
+        put(VulnType.REFLECTED_XSS.getName(), Arrays.asList(
+                new TaintTag[]{TaintTag.UNTRUSTED, TaintTag.CROSS_SITE},
+                new TaintTag[]{TaintTag.BASE64_ENCODED, TaintTag.HTML_ENCODED, TaintTag.LDAP_ENCODED,
+                        TaintTag.SQL_ENCODED, TaintTag.URL_ENCODED, TaintTag.XML_ENCODED, TaintTag.XPATH_ENCODED,
+                        TaintTag.XSS_ENCODED, TaintTag.HTTP_TOKEN_LIMITED_CHARS, TaintTag.NUMERIC_LIMITED_CHARS}
+        ));
+        put(VulnType.SQL_INJECTION.getName(), Arrays.asList(
+                new TaintTag[]{TaintTag.UNTRUSTED},
+                new TaintTag[]{TaintTag.SQL_ENCODED, TaintTag.HTTP_TOKEN_LIMITED_CHARS, TaintTag.NUMERIC_LIMITED_CHARS}
+        ));
+        put(VulnType.HQL_INJECTION.getName(), Arrays.asList(
+                new TaintTag[]{TaintTag.UNTRUSTED},
+                new TaintTag[]{TaintTag.SQL_ENCODED, TaintTag.HTTP_TOKEN_LIMITED_CHARS, TaintTag.NUMERIC_LIMITED_CHARS}
+        ));
+        put(VulnType.LDAP_INJECTION.getName(), Arrays.asList(
+                new TaintTag[]{TaintTag.UNTRUSTED},
+                new TaintTag[]{TaintTag.BASE64_ENCODED, TaintTag.HTML_ENCODED, TaintTag.LDAP_ENCODED,
+                        TaintTag.SQL_ENCODED, TaintTag.URL_ENCODED, TaintTag.XML_ENCODED, TaintTag.XPATH_ENCODED,
+                        TaintTag.HTTP_TOKEN_LIMITED_CHARS, TaintTag.NUMERIC_LIMITED_CHARS}
+        ));
+        put(VulnType.XPATH_INJECTION.getName(), Arrays.asList(
+                new TaintTag[]{TaintTag.UNTRUSTED},
+                new TaintTag[]{TaintTag.XML_ENCODED, TaintTag.HTTP_TOKEN_LIMITED_CHARS, TaintTag.NUMERIC_LIMITED_CHARS}
+        ));
+        put(VulnType.CMD_INJECTION.getName(), Arrays.asList(
+                new TaintTag[]{TaintTag.UNTRUSTED},
+                new TaintTag[]{TaintTag.BASE64_ENCODED, TaintTag.HTML_ENCODED, TaintTag.LDAP_ENCODED,
+                        TaintTag.SQL_ENCODED, TaintTag.URL_ENCODED, TaintTag.XML_ENCODED, TaintTag.XPATH_ENCODED,
+                        TaintTag.HTTP_TOKEN_LIMITED_CHARS, TaintTag.NUMERIC_LIMITED_CHARS}
+        ));
+        put(VulnType.PATH_TRAVERSAL.getName(), Arrays.asList(
+                new TaintTag[]{TaintTag.UNTRUSTED},
+                new TaintTag[]{TaintTag.BASE64_ENCODED, TaintTag.HTML_ENCODED, TaintTag.LDAP_ENCODED,
+                        TaintTag.URL_ENCODED, TaintTag.XML_ENCODED, TaintTag.XPATH_ENCODED,
+                        TaintTag.HTTP_TOKEN_LIMITED_CHARS, TaintTag.NUMERIC_LIMITED_CHARS}
+        ));
+        put(VulnType.UNVALIDATED_REDIRECT.getName(), Arrays.asList(
+                new TaintTag[]{TaintTag.UNTRUSTED},
+                new TaintTag[]{TaintTag.URL_ENCODED, TaintTag.HTTP_TOKEN_LIMITED_CHARS, TaintTag.NUMERIC_LIMITED_CHARS}
+        ));
+    }};
+
     @Override
     public void scan(MethodEvent event, SinkNode sinkNode) {
         for (SinkSafeChecker chk : SAFE_CHECKERS) {
@@ -118,29 +162,28 @@ private boolean sinkSourceHitTaintPool(MethodEvent event, SinkNode sinkNode) {
         }
 
 
-        // TODO: check taint tags at server
-        if (VulnType.REFLECTED_XSS.equals(sinkNode.getVulType()) && !sourceInstances.isEmpty()) {
-            boolean tagsHit = false;
-            for (Object sourceInstance : sourceInstances) {
-                long hash = TaintPoolUtils.getStringHash(sourceInstance);
-                TaintRanges tr = EngineManager.TAINT_RANGES_POOL.get(hash);
-                if (tr == null || tr.isEmpty()) {
-                    continue;
+        if (!sourceInstances.isEmpty()) {
+            List<TaintTag[]> tagList = TAINT_TAG_CHECKS.get(sinkNode.getVulType());
+            if (tagList != null) {
+                boolean tagsHit = false;
+                TaintTag[] required = tagList.get(0);
+                TaintTag[] disallowed = tagList.get(1);
+
+                for (Object sourceInstance : sourceInstances) {
+                    long hash = TaintPoolUtils.getStringHash(sourceInstance);
+                    TaintRanges tr = EngineManager.TAINT_RANGES_POOL.get(hash);
+                    if (tr == null || tr.isEmpty()) {
+                        continue;
+                    }
+
+                    if (tr.hasRequiredTaintTags(required) && !tr.hasDisallowedTaintTags(disallowed)) {
+                        tagsHit = true;
+                    }
                 }
-                TaintTag[] required = new TaintTag[]{
-                        TaintTag.UNTRUSTED, TaintTag.CROSS_SITE
-                };
-                TaintTag[] disallowed = new TaintTag[]{
-                        TaintTag.XSS_ENCODED, TaintTag.URL_ENCODED,
-                        TaintTag.HTML_ENCODED, TaintTag.BASE64_ENCODED
-                };
-                if (tr.hasRequiredTaintTags(required) && !tr.hasDisallowedTaintTags(disallowed)) {
-                    tagsHit = true;
+                if (!tagsHit) {
+                    return false;
                 }
             }
-            if (!tagsHit) {
-                return false;
-            }
         }
 
         if (hasTaint) {