Merge pull request #586 from Nizernizer/feature/costom-tag-config

Feature/costom tag config

Author: Nizernizer

dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/taint/tag/TaintTag.java

@@ -34,12 +34,36 @@ public enum TaintTag {
     VBSCRIPT_ENCODED("vbscript-encoded"),
     HTTP_TOKEN_LIMITED_CHARS("http-token-limited-chars"),
     NUMERIC_LIMITED_CHARS("numeric-limited-chars"),
+    CUSTOM_ENCODED_CMD_INJECTION("custom-encoded-cmd-injection"),
+    CUSTOM_DECODED_CMD_INJECTION("custom-decoded-cmd-injection"),
+    CUSTOM_ENCODED_JNDI_INJECTION("custom-encoded-jndi-injection"),
+    CUSTOM_DECODED_JNDI_INJECTION("custom-decoded-jndi-injection"),
+    CUSTOM_ENCODED_HQL_INJECTION("custom-encoded-hql-injection"),
+    CUSTOM_DECODED_HQL_INJECTION("custom-decoded-hql-injection"),
+    CUSTOM_ENCODED_NOSQL_INJECTION("custom-encoded-nosql-injection"),
+    CUSTOM_DECODED_NOSQL_INJECTION("custom-decoded-nosql-injection"),
+    CUSTOM_ENCODED_SMTP_INJECTION("custom-encoded-smtp-injection"),
+    CUSTOM_DECODED_SMTP_INJECTION("custom-decoded-smtp-injection"),
+    CUSTOM_ENCODED_XXE("custom-encoded-xxe"),
+    CUSTOM_DECODED_XXE("custom-decoded-xxe"),
+    CUSTOM_ENCODED_EL_INJECTION("custom-encoded-el-injection"),
+    CUSTOM_DECODED_EL_INJECTION("custom-decoded-el-injection"),
+    CUSTOM_ENCODED_REFLECTION_INJECTION("custom-encoded-reflection-injection"),
+    CUSTOM_DECODED_("custom-decoded-reflection-injection"),
+    CUSTOM_ENCODED_SSRF("custom-encoded-ssrf"),
+    CUSTOM_DECODED_SSRF("custom-decoded-ssrf"),
+    CUSTOM_ENCODED_PATH_TRAVERSAL("custom-encoded-path-traversal"),
+    CUSTOM_DECODED_PATH_TRAVERSAL("custom-decoded-path-traversal"),
+    CUSTOM_ENCODED_FILE_WRITE("custom-encoded-file-write"),
+    CUSTOM_DECODED_FILE_WRITE("custom-encoded-file-write"),
+    CUSTOM_ENCODED_REDOS("custom-encoded-redos"),
+    CUSTOM_DECODED_REDOS("custom-decoded-redos"),
     VALIDATED("validated"),
     ;
 
     private final String key;
 
-    private static final Map<String, TaintTag> LOOKUP = new HashMap<String, TaintTag>();
+    private static final Map<String, TaintTag> LOOKUP = new HashMap<>();
 
     static {
         for (TaintTag t : TaintTag.values()) {

dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/vulscan/VulnType.java

@@ -7,7 +7,7 @@
 public enum VulnType {
 
     /**
-     * 漏洞
+     * 漏洞类型
      */
     SQL_OVER_POWER("sql-over-power", "info", false),
     CRYPTO_WEAK_RANDOMNESS("crypto-weak-randomness", "low", false),
@@ -22,6 +22,14 @@ public enum VulnType {
     XPATH_INJECTION("xpath-injection", "high", true),
     PATH_TRAVERSAL("path-traversal", "high", true),
     XXE("xxe", "medium", true),
+    JNDI_INJECTION("jndi-injection", "high", true),
+    NOSQL_INJECTION("nosql-injection", "high", true),
+    SMTP_INJECTION("smtp-injection", "high", true),
+    EL_INJECTION("el-injection", "high", true),
+    REFLECTION_INJECTION("reflection-injection", "high", true),
+    SSRF("ssrf", "high", true),
+    FILE_WRITE("file-write", "medium", true),
+    REDOS("redos", "low", true),
     UNVALIDATED_REDIRECT("unvalidated-redirect", "low", true),
     ;
 
@@ -32,9 +40,9 @@ public String getName() {
     /**
      * 漏洞类型 值
      */
-    String name;
-    String weight;
-    boolean tracked;
+    final String name;
+    final String weight;
+    final boolean tracked;
 
     VulnType(String name, String weight, boolean tracked) {
         this.name = name;
@@ -46,13 +54,4 @@ public String getName() {
     public boolean equals(String name) {
         return this.name.equals(name);
     }
-
-    public static VulnType getTypeByName(String name) {
-        for (VulnType vType : VulnType.values()) {
-            if (vType.equals(name)) {
-                return vType;
-            }
-        }
-        return null;
-    }
 }

dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/vulscan/dynamic/DynamicPropagatorScanner.java

@@ -23,18 +23,18 @@
  * @author [email protected]
  */
 public class DynamicPropagatorScanner implements IVulScan {
-    private final static Set<SinkSafeChecker> SAFE_CHECKERS = new HashSet<SinkSafeChecker>(Arrays.asList(
+    private final static Set<SinkSafeChecker> SAFE_CHECKERS = new HashSet<>(Arrays.asList(
             new FastjsonCheck(),
             new XXECheck()
     ));
 
-    private final static Set<SinkSourceChecker> SOURCE_CHECKERS = new HashSet<SinkSourceChecker>(Arrays.asList(
+    private final static Set<SinkSourceChecker> SOURCE_CHECKERS = new HashSet<>(Arrays.asList(
             new PathTraversalCheck(),
             new SSRFSourceCheck(),
             new UnvalidatedRedirectCheck()
     ));
 
-    private static final Set<ServiceTrace> SERVICE_TRACES = new HashSet<ServiceTrace>(Collections.singletonList(
+    private static final Set<ServiceTrace> SERVICE_TRACES = new HashSet<>(Collections.singletonList(
             new HttpService()
     ));
 
@@ -52,7 +52,8 @@ public class DynamicPropagatorScanner implements IVulScan {
         ));
         put(VulnType.HQL_INJECTION.getName(), Arrays.asList(
                 new TaintTag[]{TaintTag.UNTRUSTED},
-                new TaintTag[]{TaintTag.SQL_ENCODED, TaintTag.HTTP_TOKEN_LIMITED_CHARS, TaintTag.NUMERIC_LIMITED_CHARS}
+                new TaintTag[]{TaintTag.SQL_ENCODED, TaintTag.CUSTOM_ENCODED_HQL_INJECTION,
+                        TaintTag.HTTP_TOKEN_LIMITED_CHARS, TaintTag.NUMERIC_LIMITED_CHARS}
         ));
         put(VulnType.LDAP_INJECTION.getName(), Arrays.asList(
                 new TaintTag[]{TaintTag.UNTRUSTED},
@@ -68,7 +69,7 @@ public class DynamicPropagatorScanner implements IVulScan {
                 new TaintTag[]{TaintTag.UNTRUSTED},
                 new TaintTag[]{TaintTag.BASE64_ENCODED, TaintTag.HTML_ENCODED, TaintTag.LDAP_ENCODED,
                         TaintTag.SQL_ENCODED, TaintTag.URL_ENCODED, TaintTag.XML_ENCODED, TaintTag.XPATH_ENCODED,
-                        TaintTag.HTTP_TOKEN_LIMITED_CHARS, TaintTag.NUMERIC_LIMITED_CHARS}
+                        TaintTag.CUSTOM_ENCODED_CMD_INJECTION,TaintTag.HTTP_TOKEN_LIMITED_CHARS, TaintTag.NUMERIC_LIMITED_CHARS}
         ));
         put(VulnType.PATH_TRAVERSAL.getName(), Arrays.asList(
                 new TaintTag[]{TaintTag.UNTRUSTED},
@@ -80,6 +81,42 @@ public class DynamicPropagatorScanner implements IVulScan {
                 new TaintTag[]{TaintTag.UNTRUSTED},
                 new TaintTag[]{TaintTag.URL_ENCODED, TaintTag.HTTP_TOKEN_LIMITED_CHARS, TaintTag.NUMERIC_LIMITED_CHARS}
         ));
+        put(VulnType.XXE.getName(),Arrays.asList(
+                new TaintTag[]{TaintTag.UNTRUSTED},
+                new TaintTag[]{TaintTag.CUSTOM_ENCODED_XXE, TaintTag.HTTP_TOKEN_LIMITED_CHARS, TaintTag.NUMERIC_LIMITED_CHARS}
+        ));
+        put(VulnType.JNDI_INJECTION.getName(),Arrays.asList(
+                new TaintTag[]{TaintTag.UNTRUSTED},
+                new TaintTag[]{TaintTag.CUSTOM_ENCODED_JNDI_INJECTION, TaintTag.HTTP_TOKEN_LIMITED_CHARS, TaintTag.NUMERIC_LIMITED_CHARS}
+        ));
+        put(VulnType.NOSQL_INJECTION.getName(),Arrays.asList(
+                new TaintTag[]{TaintTag.UNTRUSTED},
+                new TaintTag[]{TaintTag.CUSTOM_ENCODED_NOSQL_INJECTION, TaintTag.HTTP_TOKEN_LIMITED_CHARS, TaintTag.NUMERIC_LIMITED_CHARS}
+        ));
+        put(VulnType.SMTP_INJECTION.getName(),Arrays.asList(
+                new TaintTag[]{TaintTag.UNTRUSTED},
+                new TaintTag[]{TaintTag.CUSTOM_ENCODED_SMTP_INJECTION, TaintTag.HTTP_TOKEN_LIMITED_CHARS, TaintTag.NUMERIC_LIMITED_CHARS}
+        ));
+        put(VulnType.EL_INJECTION.getName(),Arrays.asList(
+                new TaintTag[]{TaintTag.UNTRUSTED},
+                new TaintTag[]{TaintTag.CUSTOM_ENCODED_EL_INJECTION, TaintTag.HTTP_TOKEN_LIMITED_CHARS, TaintTag.NUMERIC_LIMITED_CHARS}
+        ));
+        put(VulnType.REFLECTION_INJECTION.getName(),Arrays.asList(
+                new TaintTag[]{TaintTag.UNTRUSTED},
+                new TaintTag[]{TaintTag.CUSTOM_ENCODED_REFLECTION_INJECTION, TaintTag.HTTP_TOKEN_LIMITED_CHARS, TaintTag.NUMERIC_LIMITED_CHARS}
+        ));
+        put(VulnType.SSRF.getName(),Arrays.asList(
+                new TaintTag[]{TaintTag.UNTRUSTED},
+                new TaintTag[]{TaintTag.CUSTOM_ENCODED_XXE, TaintTag.HTTP_TOKEN_LIMITED_CHARS, TaintTag.NUMERIC_LIMITED_CHARS}
+        ));
+        put(VulnType.FILE_WRITE.getName(),Arrays.asList(
+                new TaintTag[]{TaintTag.UNTRUSTED},
+                new TaintTag[]{TaintTag.CUSTOM_ENCODED_FILE_WRITE, TaintTag.HTTP_TOKEN_LIMITED_CHARS, TaintTag.NUMERIC_LIMITED_CHARS}
+        ));
+        put(VulnType.REDOS.getName(),Arrays.asList(
+                new TaintTag[]{TaintTag.UNTRUSTED},
+                new TaintTag[]{TaintTag.CUSTOM_ENCODED_REDOS, TaintTag.HTTP_TOKEN_LIMITED_CHARS, TaintTag.NUMERIC_LIMITED_CHARS}
+        ));
     }};
 
     @Override
@@ -133,7 +170,7 @@ private boolean sinkSourceHitTaintPool(MethodEvent event, SinkNode sinkNode) {
             }
         }
 
-        List<Object> sourceInstances = new ArrayList<Object>();
+        List<Object> sourceInstances = new ArrayList<>();
         boolean hasTaint = false;
         boolean objHasTaint = false;
         Set<TaintPosition> sources = sinkNode.getSources();