HXSecurity / DongTai-agent-java

Java Agent is the Java application probe of DongTai IAST; it collects method invocation data at runtime from a Java application through dynamic hooks.
https://dongtai.io
Apache License 2.0

[Agent compatibility]: Reflected XSS cannot be detected in some scenarios #566

Closed ww1024 closed 1 year ago

ww1024 commented 1 year ago

Preflight Checklist

Version

1.12.0

Installation Type

Official Docker Compose

Describe the details of the bug and the steps to reproduce it

  1. Deploy the DongTai service following the official Docker instructions.
  2. Download the agent and start the jar service locally with java -agent -jar.
  3. Verify the reflected XSS vulnerability by passing a value for name; the following problem was found:
    /** The following vulnerability cannot be detected (R is a custom response model) */
    @ResponseBody
    @PostMapping("/post/xss2.do")
    public R postXss2(String name) {
        return R.ok().setData(name);
    }
    /** The following vulnerability can be detected */
    @ResponseBody
    @PostMapping("/post/xss3.do")
    public String postXss3(String name) {
        return name;
    }

Additional Information

No response

Logs

No response

Nizernizer commented 1 year ago

Please add two rules:

Propagation method rule
Map type
java.util.Map.put(java.lang.Object,java.lang.Object)
Taint source: parameter 2
Taint destination: object
Inheritance depth: subclasses
Dangerous method rule
Reflected XSS type
org.springframework.http.converter.json.AbstractJackson2HttpMessageConverter.writeInternal(java.lang.Object,java.lang.reflect.Type,org.springframework.http.HttpOutputMessage)
Taint source: parameter 1
Inheritance depth: current class only

These two rules may lead to performance issues, use with caution.

ww1024 commented 1 year ago

I tried adding the two rules above, but it still is not detected.

Nizernizer commented 1 year ago

Please add the following rule:

Propagation method rule
Map type
org.springframework.http.converter.json.AbstractJackson2HttpMessageConverter.getJavaType(java.lang.reflect.Type,java.lang.Class<?>)
Taint source: parameter 1
Taint destination: object
Inheritance depth: current class
Whitelist ✅


Note: This rule is unrelated to the detection logic and is only meant to add org.springframework.http.converter.json.AbstractJackson2HttpMessageConverter to the whitelist.

ww1024 commented 1 year ago

I tried adding the whitelist rule above as well; the result is still the same.

Nizernizer commented 1 year ago

    @ResponseBody
    @PostMapping(value = "/unsafe/xss_json")
    public R unsafeXssJson(String cmd) {
        return R.ok().setDate(cmd);
    }

package app.iast.common.utils;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.TypeReference;

import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

public class R extends HashMap<String, Object> {
    private static final long serialVersionUID = 1L;

    public Integer getCode() {
        Integer code = (Integer) get("code");
        return code;
    }

    public <T> T getData(String key,TypeReference<T> typeReference) {
        Object data = get(key);
        T t = JSON.parseObject(JSON.toJSONString(data), typeReference);
        return t;
    }

    // generic variant: resolves the target type through TypeReference
    public <T> T getData(TypeReference<T> typeReference) {
        Object data = get("data");
        T t = JSON.parseObject(JSON.toJSONString(data), typeReference);
        return t;
    }
    public R setDate(Object data){
        put("data", data);
        return this;
    }

    public R() {
        put("code", 0);
        put("msg", "success");
    }

    public static R error() {
        return error(202, "未知异常,请联系管理员");
    }

    public static R error(String msg) {
        return error(202, msg);
    }

    public static R error(int code, String msg) {
        R r = new R();
        r.put("code", code);
        r.put("msg", msg);
        return r;
    }

    public static R ok(String msg) {
        R r = new R();
        r.put("msg", msg);
        return r;
    }

    public static R ok(Map<String, Object> map) {
        R r = new R();
        r.putAll(map);
        return r;
    }

    public static R ok() {
        return new R();
    }

    public R put(String key, Object value) {
        super.put(key, value);
        return this;
    }

}


I can achieve vulnerability detection through the above configuration. You can expect version 1.14.0 to be able to detect this vulnerability.

ww1024 commented 1 year ago

Using the response model you gave above, detection works. My local response model is shown below (it cannot be detected); which rules do I need to add?

import java.io.Serializable;

public class R<T> implements Serializable {
    int code;
    String message;
    T data;

    public static R ok() {
        R r = new R();
        r.code = 200;
        r.message = "成功";
        return r;
    }

    public static R ok(String message) {
        R r = new R();
        r.code = 200;
        r.message = message;
        return r;
    }

    public static R error() {
        R r = new R();
        r.code = 500;
        r.message = "未知异常";
        return r;
    }
    public static R error(String message) {
        R r = new R();
        r.code = 500;
        r.message = message;
        return r;
    }

    public static R error(int code, String message) {
        R r = new R();
        r.code = code;
        r.message = message;
        return r;
    }

    public R setData(T data) {
        this.data = data;
        return this;
    }

    public String getMessage() {
        return message;
    }

    public int getCode() {
        return code;
    }

    public R setCode(int code) {
        this.code = code;
        return this;
    }

    public R setMessage(String message) {
        this.message = message;
        return this;
    }

    public T getData() {
        return data;
    }
}

Nizernizer commented 1 year ago

Propagation method rule
Map type
{package}.R.setData(java.lang.Object)
Taint source: parameter 1
Taint destination: object
Inheritance depth: current class

Note: Replace the {package} in the rule with the actual package of your R class.
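To make it concrete why the Map-based R is caught by the first reply's rules while the field-based R<T> needs the extra setData rule, here is a small added model of how a propagation rule ("taint on parameter N flows to the receiver object", with an inheritance depth) and the writeInternal sink rule compose over a call trace. This is illustrative code written for this thread, not DongTai's implementation; the package name app.demo, the class hierarchy table and the replayed call traces are assumed.

```python
# Illustrative model of how DongTai-style propagation and sink rules compose.
# Not DongTai's code; the package "app.demo" and the object ids are assumed.
MAP_PUT = "java.util.Map.put(java.lang.Object,java.lang.Object)"
SET_DATA = "app.demo.R.setData(java.lang.Object)"
SINK = ("org.springframework.http.converter.json.AbstractJackson2HttpMessageConverter."
        "writeInternal(java.lang.Object,java.lang.reflect.Type,"
        "org.springframework.http.HttpOutputMessage)")
SINK_PARAM = 1  # dangerous-method rule: "taint source: parameter 1"

# Propagation rules: signature -> (tainted parameter, inheritance depth); taint on that
# parameter flows to the receiver object ("taint destination: object").
RULES_FIRST_REPLY = {MAP_PUT: (2, "subclass")}
RULES_WITH_SETDATA = {**RULES_FIRST_REPLY, SET_DATA: (1, "current")}
# Assumed hierarchy, consulted for the "subclass" inheritance depth.
SUPERTYPES = {"app.demo.R": {"java.util.HashMap", "java.util.Map"}}

def declaring_class(signature):
    return signature.split("(", 1)[0].rsplit(".", 1)[0]

def rule_applies(signature, depth, runtime_class):
    target = declaring_class(signature)
    if runtime_class == target:
        return True
    return depth == "subclass" and target in SUPERTYPES.get(runtime_class, ())

def detected(trace, rules, tainted=("name",)):
    """Replay (signature, receiver class, receiver id, argument ids) calls; True if a
    tainted id reaches the sink parameter."""
    tainted = set(tainted)
    for signature, runtime_class, receiver, args in trace:
        if signature in rules:
            param, depth = rules[signature]
            if rule_applies(signature, depth, runtime_class) and args[param - 1] in tainted:
                tainted.add(receiver)  # the receiver object now carries the taint
        if signature == SINK and args[SINK_PARAM - 1] in tainted:
            return True
    return False

SINK_CLASS = declaring_class(SINK)
# R extends HashMap (the thread's first model): setData() ends in Map.put("data", name).
MAP_R_TRACE = [(MAP_PUT, "app.demo.R", "r1", ["code", "zero"]),
               (MAP_PUT, "app.demo.R", "r1", ["data", "name"]),
               (SINK, SINK_CLASS, "converter", ["r1", "type", "out"])]
# R<T> with a plain field (the second model): setData() writes this.data, no Map.put.
FIELD_R_TRACE = [(SET_DATA, "app.demo.R", "r2", ["name"]),
                 (SINK, SINK_CLASS, "converter", ["r2", "type", "out"])]
```

The field write `this.data = data` is not a hooked method call, so nothing carries the taint from the parameter to the R object until a propagation rule on setData itself is added.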

ww1024 commented 1 year ago

Solved, thank you 👍🏻