xsser / pmd-security-rules

PMD rules for security. I found there were no security rules for it, so here is a new one!

Using PMD to check for unauthorized-access (missing authorization) vulnerabilities #1

Open qiqingshiwo opened 1 year ago

qiqingshiwo commented 1 year ago

Hi master, I'd like to ask: is it practical to use PMD to check for unauthorized-access vulnerabilities? Also, is the issue-filing / rule-writing activity still running? If so, how would I write a rule that can tell whether an id has gone through the Service layer?
qiqingshiwo commented 1 year ago

Thanks, master.

xsser commented 1 year ago

There are many ways. You could write an expression, for example: source (hasflow to sink1(service.getUserid)) and source hasflow to sink

That is, two data flows joined with an and.

(Replying to qiqingshiwo's message of Fri 10 Feb 2023, 18:06.)

xsser commented 1 year ago

```ql
from RequestMapping rmapping, Method m, ModelAndView mv, Call c,
     UserService us, DataFlow df1, DataFlow df2
where
  rmapping.value = "/testRequest" and
  rmapping.method = RequestMethod.GET and
  rmapping.declaringType = m.declaringType and
  m.hasAnnotation(rmapping) and
  c.target = m and
  c.returnValue = mv and
  df1.to = c and
  df1.from = df2.to and
  df2.fromMethod = us.selectUser and
  df1.from.kind = "PARAMETER" and
  df1.from.name = "id"
select c, "unauthorized query (privilege bypass)"
```

(Replying to my own message of Fri 10 Feb 2023, 18:43.)

qiqingshiwo commented 1 year ago

Thank you for the answer, master. We had already read your article https://mp.weixin.qq.com/s?__biz=MzA4NzA5OTYzNw==&mid=2247484233&idx=1&sn=dec528945d54fe94c6492c3b774b5d81&chksm=903fd2d3a7485bc569a3ea4bc9ea8d2837224389e8c6351c99c0aba815270e2c84f528cfa6ba&mpshare=1&scene=23&srcid=07081Nc37ZXSTAMgk5b7cpG0&sharer_sharetime=1657244441300&sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd but we felt that CodeQL's database build and queries cost too much in performance, and since this isn't ongoing work we have set CodeQL aside for now and substituted the lower-tier PMD. I'll try to see whether PMD's data flow analysis can do the same thing. I've bookmarked your rule; if PMD fails, I'll come back and try CodeQL [grin]

xsser commented 1 year ago

It's been a long time since I used PMD. PMD can only work at the AST level; it can't do complex data-flow detection. Pretty underwhelming.

(Replying to qiqingshiwo's message of Mon 13 Feb 2023, 14:39.)
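The opening post asks how a rule could tell whether an `id` reaches the Service layer unchecked, and the last reply notes that PMD only sees the AST. The ruleset below is an added example, not code from this repository or from anyone in the thread, showing what that AST-only approximation looks like as a PMD 7 XPath rule. Everything it keys on is an assumption: the handler and binding annotation names are Spring MVC's, the parameter name `id` is taken from the question, and the list of "visible ownership check" method names (`getCurrentUser`, `getPrincipal`, `getAuthentication`, `checkOwner`) is a hypothetical placeholder to replace with whatever the target code base actually calls.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from xsser/pmd-security-rules): a PMD 7 XPath rule that
     approximates "request-bound id handed to a service call with no visible
     authorization check". Annotation names follow Spring MVC; the parameter
     name 'id' and the check-method names are assumptions to adapt per code base. -->
<ruleset name="idor-approximation"
         xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">

  <description>AST-only approximation of a missing-authorization (IDOR) check for Spring handlers</description>

  <rule name="RequestIdPassedStraightToService"
        language="java"
        message="Request-bound 'id' is passed to a method call with no visible ownership check in this handler"
        class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
    <description>
      Flags a Spring handler method that binds a request value into a parameter named
      'id' and passes that variable directly as a call argument while the method body
      contains none of the (assumed) ownership-check calls. Purely syntactic: it does
      not follow aliases, helper methods, or checks performed inside the service.
    </description>
    <priority>2</priority>
    <properties>
      <property name="xpath">
        <value><![CDATA[
(: 1. handler methods: carry a Spring request-mapping annotation :)
//MethodDeclaration[ModifierList/Annotation
    [@SimpleName = ('RequestMapping', 'GetMapping', 'PostMapping', 'PutMapping', 'DeleteMapping')]]
(: 2. ... that bind a request value into a parameter called 'id' (assumed name) :)
  [FormalParameters/FormalParameter
    [ModifierList/Annotation[@SimpleName = ('PathVariable', 'RequestParam')]]
    /VariableId[@Name = 'id']]
(: 3. ... whose body never calls one of the assumed ownership-check methods :)
  [not(Block//MethodCall[@MethodName = ('getCurrentUser', 'getPrincipal', 'getAuthentication', 'checkOwner')])]
(: 4. report each call in that body that receives 'id' as a direct argument :)
  /Block//MethodCall[ArgumentList/VariableAccess[@Name = 'id']]
        ]]></value>
      </property>
    </properties>
    <example><![CDATA[
@GetMapping("/testRequest")
public ModelAndView testRequest(@RequestParam("id") Long id) {
    // flagged: 'id' goes straight into userService.selectUser, no check in sight
    return new ModelAndView("user", "user", userService.selectUser(id));
}

@GetMapping("/testRequestChecked")
public ModelAndView testRequestChecked(@RequestParam("id") Long id) {
    // not flagged: a call named checkOwner appears in the same method body
    authz.checkOwner(getCurrentUser(), id);
    return new ModelAndView("user", "user", userService.selectUser(id));
}
    ]]></example>
  </rule>
</ruleset>
```

Save it as `idor-rules.xml` and run `pmd check -d src/main/java -R idor-rules.xml -f text`. The rule is exactly as limited as the thread says: it fires on `userService.selectUser(id)` written in the handler itself, but misses `Long uid = id; ... selectUser(uid)`, an `id` forwarded through a private helper, or a check that lives inside the service, because XPath matches tree shape and never tracks where a value came from. Expressing "the id reaches the service AND never passes through a check" as two joined flows, as suggested earlier in the thread, needs a data-flow engine such as CodeQL.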