Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.
Apache License 2.0
NullPointerException in config parser when using the plugin server #122
When the Tsunami scanner is launched with the --remote-plugin-server-* arguments and the default tsunami_tcs.yaml file generated from the quick_start_advanced.sh script, Tsunami crashes with a NullPointerException right after launching it:
INFO: An exception was caught and reported. Message: java.lang.NullPointerException
java.lang.NullPointerException
at com.google.tsunami.main.cli.TsunamiCli$TsunamiCliModule.extractPluginServerArgs(TsunamiCli.java:228)
at com.google.tsunami.main.cli.TsunamiCli$TsunamiCliModule.configure(TsunamiCli.java:183)
at com.google.inject.AbstractModule.configure(AbstractModule.java:64)
at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:426)
at com.google.inject.spi.Elements.getElements(Elements.java:113)
at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:160)
at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:107)
at com.google.inject.internal.InjectorImpl.createChildInjector(InjectorImpl.java:240)
at com.google.inject.internal.InjectorImpl.createChildInjector(InjectorImpl.java:245)
at com.google.tsunami.main.cli.TsunamiCli.main(TsunamiCli.java:300)
Sep 16, 2024 2:40:31 PM com.google.tsunami.main.cli.TsunamiCli main
SEVERE: Exiting due to workflow execution exceptions.
com.google.inject.CreationException: Unable to create injector, see the following errors:
1) An exception was caught and reported. Message: null
at [unknown source]
1 error
at com.google.inject.internal.Errors.throwCreationExceptionIfErrorsExist(Errors.java:589)
at com.google.inject.internal.InternalInjectorCreator.initializeStatically(InternalInjectorCreator.java:163)
at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:110)
at com.google.inject.internal.InjectorImpl.createChildInjector(InjectorImpl.java:240)
at com.google.inject.internal.InjectorImpl.createChildInjector(InjectorImpl.java:245)
at com.google.tsunami.main.cli.TsunamiCli.main(TsunamiCli.java:300)
Caused by: java.lang.NullPointerException
at com.google.tsunami.main.cli.TsunamiCli$TsunamiCliModule.extractPluginServerArgs(TsunamiCli.java:228)
at com.google.tsunami.main.cli.TsunamiCli$TsunamiCliModule.configure(TsunamiCli.java:183)
at com.google.inject.AbstractModule.configure(AbstractModule.java:64)
at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:426)
at com.google.inject.spi.Elements.getElements(Elements.java:113)
at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:160)
at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:107)
... 3 more
The cause seems to be a bug in the extractPluginServerArgs function located in TsunamiCli.java: https://github.com/google/tsunami-security-scanner/blob/4719a5ed3b348612efba5da8bd52071095410178/main/src/main/java/com/google/tsunami/main/cli/TsunamiCli.java#L227-L240
The issue here is that the extractPluginServerArgs function tries to access some nested config values loaded from the yaml config file, without ensuring whether those values actually exist or not; calling .get("key") with a non-present key will return null, and the subsequent get() call on it is what causes the exception. Note that the function returns early when the remote plugin server is not used.
Moreover, the parser code references some config keys which are not present in the default tsunami_tcs.yaml config file.
By looking at the code, we can see that Tsunami needs the following snippet to be in the yaml file (connect timeout value chosen arbitrarily):
To reproduce:
Set Tsunami up using the quick_start_advanced.sh script
Launch Tsunami with the following command (Note: the bug happens really early in the execution, so there's no need to load the plugins or actually launch the Python plugin server)
Adding the required yaml snippet in the tsunami_tcs.yaml config file allows Tsunami to run correctly.
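The failure mode described in this issue, shown as an added example that is not part of the original report and is not Tsunami's code: a chained get() over a parsed YAML tree beside a null-safe walk that names the missing key. The key names (plugin, server, connect_timeout_seconds) and the default value are hypothetical placeholders, not Tsunami's actual config keys.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;

public class NestedConfigLookup {
    // Unsafe pattern: each intermediate get() may return null, so a missing
    // section surfaces as a bare NullPointerException that names no key.
    @SuppressWarnings("unchecked")
    static Object unsafeGet(Map<String, Object> root, String a, String b, String c) {
        return ((Map<String, Object>) ((Map<String, Object>) root.get(a)).get(b)).get(c);
    }

    // Null-safe walk: empty if any path element is missing or is not a map.
    static Optional<Object> lookup(Map<String, Object> root, List<String> path) {
        Object node = root;
        for (String key : path) {
            if (!(node instanceof Map)) {
                return Optional.empty();
            }
            node = ((Map<?, ?>) node).get(key);
        }
        return Optional.ofNullable(node);
    }

    // Required value: fail at startup with the full key path in the message.
    static Object require(Map<String, Object> root, List<String> path) {
        return lookup(root, path).orElseThrow(() ->
            new IllegalArgumentException("Missing config key: " + String.join(".", path)));
    }

    public static void main(String[] args) {
        // Constructed sample: a parsed YAML tree lacking the hypothetical "server" section.
        Map<String, Object> config = Map.of("plugin", Map.of("http_client", Map.of()));
        List<String> path = List.of("plugin", "server", "connect_timeout_seconds");
        try {
            unsafeGet(config, "plugin", "server", "connect_timeout_seconds");
        } catch (NullPointerException e) {
            System.out.println("unsafe lookup: NullPointerException, no key named");
        }
        // Optional setting: fall back to a default (10 is an arbitrary value).
        System.out.println("timeout with default: " + lookup(config, path).orElse(10));
        try {
            require(config, path);
        } catch (IllegalArgumentException e) {
            System.out.println("required lookup: " + e.getMessage());
        }
    }
}
```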