change format for sf rule

yaklang · Aug 19, 2024 · b37bed3 · b37bed3
1 parent 562617f
commit b37bed3
Show file tree

Hide file tree

Showing 7 changed files with 237 additions and 28 deletions.
diff --git a/java-command-exec/java-command-exec.sf b/java-command-exec/java-command-exec.sf
@@ -1,5 +1,6 @@
 desc(
-    title: "Find Runtime.getRuntime().exec Point",
+    title: "Find Runtime.getRuntime().exec Sink Point",
+    title_zh: "查找 Runtime.getRuntime().exec 参数位置",
     lib: 'runtime-exec',
     type: audit,
 )

diff --git a/java-freemarker/java-freemaker-basic.sf b/java-freemarker/java-freemaker-basic.sf
@@ -1,15 +1,51 @@
 desc(
-  title: 'checking [freemaker.Template.Process directly]',
-  type: audit
+  title: 'checking [freemaker.Template.Process directly] audit prompt',
+  type: audit,
+  level: warning,
 )
+getTemplate(,*?{!opcode: const} as $sink).process(,* as $params,);
+check $params;
+$params.put(,,* as $sink);
+check $sink then "Found Freemaker Process Using" else "No Freemaker Process Simple";
+alert $sink;
+
+desc(
+    lang: java,
+    'file://basic.java': <<<BASIC
+import freemarker.template.*;
 
-// write your SyntaxFlow Rule, like:
-//     DocumentBuilderFactory.newInstance()...parse(* #-> * as $source) as $sink; // find some call chain for parse
-//     check $sink then 'find sink point' else 'No Found' // if not found sink, the rule will stop here and report error
-//     alert $source // record $source
+import java.io.*;
+import java.util.*;
 
-getTemplate().process() as $sink;
+public class FreemarkerExample {
+    public static void main(String[] args) {
+        // 配置 Freemarker
+        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
+        try {
+            cfg.setDirectoryForTemplateLoading(new File("src/main/resources/templates"));
+            cfg.setDefaultEncoding("UTF-8");
+            cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
+            cfg.setLogTemplateExceptions(false);
+            cfg.setWrapUncheckedExceptions(true);
 
-check $sink then "Found Freemaker Process Using" else "No Freemaker Process Simple";
+            // 加载模板
+            Template template = cfg.getTemplate("welcome.ftl");
+
+            // 数据模型
+            Map<String, Object> templateData = new HashMap<>();
+            templateData.put("user", "John Doe");
+
+            // 渲染模板
+            Writer out = new StringWriter();
+            template.process(templateData, out);
+
+            // 输出渲染后的文本
+            System.out.println(out.toString());
 
-// the template is generate by yak.ssa.syntaxflow command line
+        } catch (IOException | TemplateException e) {
+            e.printStackTrace();
+        }
+    }
+}
+BASIC
+)
diff --git a/java-freemarker/java-freemaker-create-process-env.sf b/java-freemarker/java-freemaker-create-process-env.sf
@@ -1,18 +1,12 @@
 desc(
-  title: 'checking [freemaker.Template.CreateProcessingEnvironment]',
-  type: audit
+  title: 'checking [freemaker.Template.CreateProcessingEnvironment] use point',
+  type: audit,
+  level: warning,
 )
 
-// write your SyntaxFlow Rule, like:
-//     DocumentBuilderFactory.newInstance()...parse(* #-> * as $source) as $sink; // find some call chain for parse
-//     check $sink then 'find sink point' else 'No Found' // if not found sink, the rule will stop here and report error
-//     alert $source // record $source
-
 getTemplate().createProcessingEnvironment() as $env;
 $env.process() as $sink;
 $env.invoke() as $sink;
 
 check $sink then "Found Freemaker CreateProcessingEnvironment invoke or process";
 alert $env;
-
-// the template is generate by yak.ssa.syntaxflow command line
diff --git a/java-jdbc/java-jdbc-execute.sf b/java-jdbc/java-jdbc-execute.sf
@@ -1,11 +1,56 @@
 desc(
     title: "JDBC getConnection.createStatement.executeQuery SQL",
     title_zh: "JDBC getConnection.createStatement.executeQuery SQL 执行语句",
-    is_vuln: "false",
+    type: audit,
+    level: 'low',
+    lib: 'jdbc-raw-execute-sink',
 )
 
 DriverManager.getConnection().createStatement() as $stmt;
 $stmt?{!.set*()} as $checkedStmt;
-$checkedStmt.executeQuery() as $sink;
+$checkedStmt.executeQuery(*<slice(start=1)> as $sink);
+check $sink;
 
-check $sink;
+$sink as $output;
+alert $output;
+
+desc(
+    lang: java,
+"file:///unsafe.java": <<<UNSAFE
+import java.sql.*;
+
+public class JdbcExample {
+    public static void main(String[] args) {
+        String url = "jdbc:mysql://localhost:3306/exampledb";
+        String username = "root";
+        String password = "password";
+
+        try {
+            // 加载和注册 JDBC 驱动
+            Class.forName("com.mysql.cj.jdbc.Driver");
+
+            // 建立连接
+            Connection conn = DriverManager.getConnection(url, username, password);
+
+            // 创建 Statement
+            Statement stmt = conn.createStatement();
+
+            // 执行查询
+            ResultSet rs = stmt.executeQuery("SELECT * FROM users");
+
+            // 处理 ResultSet
+            while (rs.next()) {
+                System.out.println(rs.getString("username"));
+            }
+
+            // 关闭连接
+            rs.close();
+            stmt.close();
+            conn.close();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}
+UNSAFE
+)
diff --git a/java-jdbc/java-jdbc-prepare-stmt.sf b/java-jdbc/java-jdbc-prepare-stmt.sf
@@ -1,11 +1,51 @@
 desc(
     title: "JDBC getConnection.prepareStatement.executeQuery SQL",
     title_zh: "JDBC getConnection.prepareStatement.executeQuery SQL 执行语句",
-    is_vuln: "false",
+    type: audit,
+    level: low,
+    lib: 'jdbc-prepared-execute-sink'
 )
 
 DriverManager.getConnection() as $conn;
-$conn.prepareStatement() as $stmt;
-$stmt.executeQuery() as $sink;
+$conn.prepareStatement(*<slice(start=1)> as $output) as $stmt;
+$stmt.executeQuery() as $call;
+check $call;
+check $output;
+alert $output;
 
-// check $sink then "Prepared Statement SQL ExecuteQuery" then "Not Found Prepare Statement SQL ExecuteQuery";
+desc(
+    lang: java,
+"file://a.java": <<<CODE
+import java.sql.*;
+
+public class PreparedStatementExample {
+    public static void main(String[] args) {
+        String url = "jdbc:mysql://localhost:3306/exampledb";
+        String username = "root";
+        String password = "password";
+        String userId = "1"; // 假设这是用户输入
+
+        try {
+            Connection conn = DriverManager.getConnection(url, username, password);
+
+            // 使用 PreparedStatement
+            String sql = "SELECT * FROM users WHERE id = ?";
+            PreparedStatement pstmt = conn.prepareStatement(sql);
+            pstmt.setString(1, userId);  // 设置占位符的值
+
+            ResultSet rs = pstmt.executeQuery();
+
+            while (rs.next()) {
+                System.out.println(rs.getString("username"));
+            }
+
+            rs.close();
+            pstmt.close();
+            conn.close();
+        } catch (SQLException e) {
+            e.printStackTrace();
+        }
+    }
+}
+CODE
+)
diff --git a/java-security-config/java-spring-websecurity-disable-csrf.sf b/java-security-config/java-spring-websecurity-disable-csrf.sf
@@ -1,5 +1,65 @@
+desc(
+    title: "Unsafe Config for CSRF Protection '.csrf().disable()'",
+    title_zh: "关闭 CSRF 保护",
+    type: vuln,
+    level: low,
+)
+
 configure(* as $configEntry);
+check $configEntry;
 
 $configEntry ... csrf().disable() as $disableCSRF;
-
 check $disableCSRF;
+alert $disableCSRF;
+
+desc(
+    lang: java,
+    'safefile://config2.java': <<<SAFE
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+
+@EnableWebSecurity
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+            .csrf().enable().and() // 开启 CSRF 保护，默认使用
+                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())  // 使用 Cookie 存储 CSRF 令牌
+                .and()
+            .headers()
+                .contentSecurityPolicy("script-src 'self'; report-uri /csp-report-endpoint/");  // 添加 CSP 策略
+    }
+}
+SAFE,
+    'file://config.java': <<<CONFIG
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+
+@EnableWebSecurity
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+            .csrf().disable().and() // 开启 CSRF 保护，默认使用
+                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())  // 使用 Cookie 存储 CSRF 令牌
+                .and()
+            .headers()
+                .contentSecurityPolicy("script-src 'self'; report-uri /csp-report-endpoint/");  // 添加 CSP 策略
+    }
+}
+CONFIG
+)
diff --git a/java-security-config/java-string-replaced-xss-clear.sf b/java-security-config/java-string-replaced-xss-clear.sf
@@ -1,9 +1,42 @@
+desc(
+    title: "Find XSS Filter Call Existed, Please Checking Bypass tactics",
+    title_zh: "XSS 过滤器被使用，请排查是否可绕过",
+    type: audit,
+    level: low,
+)
+
 /(?i).*xss.*((clear)|(filter)|(escape)).*/ as $entryCall;
 /(?i)((clear)|(filter)|(escape)).*xss.*/ as $entryCall;
 
 $entryCall(* as $paramEntry);
 $paramEntry.../(?i)replace(all)?/() as $replacers;
 
 check $entryCall then "Find XSS Escaper" else "No XSS Escaper";
-alert $replacers;
+alert $entryCall;
+
+desc(
+    lang: java,
+    "file:///unsafe.java": <<<UNSAFE
+@ApiIgnore
+@Controller("dynamicPageAction")
+@RequestMapping("/demo/clearXSS")
+public class MCmsAction extends net.demo.cms.action.BaseAction {
+    private String clearXss(String value) {
+
+        if (value == null || "".equals(value)) {
+            return value;
+        }
+
+        value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
+        value = value.replaceAll("\\(", "&#40;").replace("\\)", "&#41;");
+        value = value.replaceAll("'", "&#39;");
+        value = value.replaceAll("eval\\((.*)\\)", "");
+        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']",
+                "\"\"");
+        value = value.replace("script", "");
 
+        return value;
+    }
+}
+UNSAFE
+)