preview

SpringKill-team · Oct 24, 2024 · c2cccc1 · c2cccc1
1 parent 4833b43
commit c2cccc1
Show file tree

Hide file tree

Showing 214 changed files with 9,885 additions and 3,260 deletions.
diff --git a/.idea/gradle.xml b/.idea/gradle.xml
diff --git a/.idea/misc.xml b/.idea/misc.xml
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -5,19 +5,28 @@ plugins {
 }
 
 group = "com.skgroup"
-version = "1.0-SNAPSHOT"
+version = "1.0"
 
 repositories {
     mavenCentral()
 }
 
+dependencies {
+    implementation("me.gosimple:nbvcxz:1.5.1")
+    // https://mvnrepository.com/artifact/org.jboss.windup.decompiler/decompiler-fernflower
+    implementation("org.jboss.windup.decompiler:decompiler-fernflower:6.3.9.Final")
+    implementation("org.apache.maven:maven-model:3.6.3")
+    implementation("org.apache.maven:maven-model-builder:3.6.3")
+}
+
+
 // Configure Gradle IntelliJ Plugin
 // Read more: https://plugins.jetbrains.com/docs/intellij/tools-gradle-intellij-plugin.html
 intellij {
     version.set("2023.2.6")
     type.set("IC") // Target IDE Platform
 
-    plugins.set(listOf(/* Plugin Dependencies */))
+    plugins.set(listOf("Git4Idea", "java"))
 }
 
 tasks {

diff --git a/src/main/kotlin/org/skgroup/securityinspector/enums/VulnElemType.kt b/src/main/kotlin/org/skgroup/securityinspector/enums/VulnElemType.kt
@@ -1,4 +1,7 @@
 package org.skgroup.securityinspector.enums
 
-class VulnElemType {
+enum class VulnElemType {
+    ASSIGNMENT_EXPRESSION,
+    LOCAL_VARIABLE,
+    CLASS_FIELD
 }
diff --git a/src/main/kotlin/org/skgroup/securityinspector/enums/VulnType.kt b/src/main/kotlin/org/skgroup/securityinspector/enums/VulnType.kt
@@ -1,4 +1,4 @@
-package org.skgroup.securityinspector.utils
+package org.skgroup.securityinspector.enums
 
 enum class VulnType {
 

diff --git a/src/main/kotlin/org/skgroup/securityinspector/enums/XmlFactory.kt b/src/main/kotlin/org/skgroup/securityinspector/enums/XmlFactory.kt
@@ -1,4 +1,14 @@
 package org.skgroup.securityinspector.enums
 
-class XmlFactory {
+enum class XmlFactory {
+    DOCUMENT_BUILDER_FACTORY,
+    SAX_PARSER_FACTORY,
+    SAX_TRANSFORMER_FACTORY,
+    SAX_BUILDER,
+    SAX_READER,
+    XML_READER_FACTORY,
+    SCHEMA_FACTORY,
+    XML_INPUT_FACTORY,
+    TRANSFORMER_FACTORY,
+    VALIDATOR_OF_SCHEMA
 }
diff --git a/src/main/kotlin/org/skgroup/securityinspector/inspectors/BaseLocalInspectionTool.kt b/src/main/kotlin/org/skgroup/securityinspector/inspectors/BaseLocalInspectionTool.kt
@@ -1,10 +1,10 @@
-package com.skgroup.securityinspector.inspectors
+package org.skgroup.securityinspector.inspectors
 
 import com.intellij.codeInspection.AbstractBaseJavaLocalInspectionTool
 import com.intellij.psi.*
-import com.skgroup.securityinspector.utils.SecExpressionUtils
-import com.skgroup.securityinspector.visitors.BaseFixElementWalkingVisitor
 import org.apache.commons.codec.digest.MurmurHash3
+import org.skgroup.securityinspector.utils.SecExpressionUtils
+import org.skgroup.securityinspector.visitors.BaseFixElementWalkingVisitor
 
 abstract class BaseLocalInspectionTool : AbstractBaseJavaLocalInspectionTool() {
 

diff --git a/src/main/kotlin/org/skgroup/securityinspector/inspectors/InspectionTool.kt b/src/main/kotlin/org/skgroup/securityinspector/inspectors/InspectionTool.kt
@@ -1,4 +1,13 @@
 package org.skgroup.securityinspector.inspectors
 
+import com.intellij.codeInspection.ProblemsHolder
+import com.intellij.psi.PsiFile
+
 interface InspectionTool {
+    /**
+     * 针对给定的 PsiFile 运行检查器
+     * @param psiFile 目标 PsiFile
+     * @param problemsHolder 用于收集问题
+     */
+    fun inspectFile(psiFile: PsiFile, problemsHolder: ProblemsHolder)
 }
diff --git a/src/main/kotlin/org/skgroup/securityinspector/rules/dos/NettyResponseSplitting.kt b/src/main/kotlin/org/skgroup/securityinspector/rules/dos/NettyResponseSplitting.kt
@@ -1,32 +1,21 @@
-package com.skgroup.securityinspector.rules.dos
+package org.skgroup.securityinspector.rules.dos
 
-import com.intellij.codeInsight.completion.ml.JavaCompletionFeatures
 import com.intellij.codeInspection.LocalQuickFix
 import com.intellij.codeInspection.ProblemDescriptor
 import com.intellij.codeInspection.ProblemHighlightType
 import com.intellij.codeInspection.ProblemsHolder
 import com.intellij.openapi.project.Project
 import com.intellij.psi.*
-import com.skgroup.securityinspector.inspectors.BaseLocalInspectionTool
-import com.skgroup.securityinspector.utils.InspectionBundle
-import com.skgroup.securityinspector.utils.SecExpressionUtils
-import org.jetbrains.annotations.Nls
+import org.skgroup.securityinspector.inspectors.BaseLocalInspectionTool
+import org.skgroup.securityinspector.utils.InspectionBundle
+import org.skgroup.securityinspector.utils.SecExpressionUtils
+import org.skgroup.securityinspector.inspectors.InspectionTool
 
-/**
- * 1051: Netty响应拆分攻击
- *
- * ref:
- * (1) https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.java
- * (2) http://www.infosecwriters.com/Papers/DCrab_HTTP_Response.pdf
- */
-const val NETTY_RESPONSE_MESSAGE = "netty.response.splitting.msg"
-const val NETTY_RESPONSE_FIX = "netty.response.splitting.fix"
-
-class NettyResponseSplitting : BaseLocalInspectionTool() {
+class NettyResponseSplitting : BaseLocalInspectionTool(), InspectionTool {
 
     companion object {
-        private val MESSAGE = InspectionBundle.message(NETTY_RESPONSE_MESSAGE)
-        private val QUICK_FIX_NAME = InspectionBundle.message(NETTY_RESPONSE_FIX)
+        private val MESSAGE = InspectionBundle.message("vuln.massage.NettyResponseSplittingRisk")
+        private val QUICK_FIX_NAME = InspectionBundle.message("vuln.fix.NettyResponseSplittingRisk")
     }
 
     override fun buildVisitor(holder: ProblemsHolder, isOnTheFly: Boolean): PsiElementVisitor {
@@ -48,9 +37,6 @@ class NettyResponseSplitting : BaseLocalInspectionTool() {
         }
     }
 
-    /**
-     * 通用方法：检查表达式是否有问题，并注册问题
-     */
     private fun checkForProblem(
         expression: PsiNewExpression,
         qualifiedName: String,
@@ -60,7 +46,7 @@ class NettyResponseSplitting : BaseLocalInspectionTool() {
         if (SecExpressionUtils.hasFullQualifiedName(expression, qualifiedName)) {
             expression.argumentList?.expressions?.let { args ->
                 if (args.size > argIndex && args[argIndex] is PsiLiteralExpression &&
-                    JavaCompletionFeatures.JavaKeyword.FALSE == (args[argIndex] as PsiLiteralExpression).value
+                    (args[argIndex] as PsiLiteralExpression).value == false
                 ) {
                     holder.registerProblem(
                         expression,
@@ -73,9 +59,7 @@ class NettyResponseSplitting : BaseLocalInspectionTool() {
         }
     }
 
-    /**
-     * 快速修复类
-     */
+
     class NettyResponseSplittingQuickFix(private val fixArgIndex: Int) : LocalQuickFix {
 
         override fun getFamilyName(): String {
@@ -92,4 +76,8 @@ class NettyResponseSplitting : BaseLocalInspectionTool() {
             }
         }
     }
+
+    override fun inspectFile(psiFile: PsiFile, problemsHolder: ProblemsHolder) {
+        psiFile.accept(buildVisitor(problemsHolder, false))
+    }
 }
diff --git a/src/main/kotlin/org/skgroup/securityinspector/rules/dos/PatternDOS.kt b/src/main/kotlin/org/skgroup/securityinspector/rules/dos/PatternDOS.kt
@@ -1,39 +1,20 @@
-package com.skgroup.securityinspector.rules.dos
+package org.skgroup.securityinspector.rules.dos
 
 import com.intellij.codeInspection.ProblemHighlightType
 import com.intellij.codeInspection.ProblemsHolder
 import com.intellij.psi.*
 import com.siyeh.ig.psiutils.MethodCallUtils
-import com.skgroup.securityinspector.inspectors.BaseLocalInspectionTool
-import com.skgroup.securityinspector.utils.InspectionBundle
-import com.skgroup.securityinspector.utils.SecExpressionUtils
+import org.skgroup.securityinspector.inspectors.BaseLocalInspectionTool
+import org.skgroup.securityinspector.utils.InspectionBundle
+import org.skgroup.securityinspector.utils.SecExpressionUtils
 import org.jetbrains.annotations.NotNull
-import org.jetbrains.annotations.Nullable
 import java.util.regex.Pattern
-/**
- * 1039
- * 正则表达式拒绝服务攻击 (RegexDos)
- *
- * 当编写校验的正则表达式存在缺陷时，攻击者可以构造特殊的字符串来大量消耗服务器的资源，造成服务中断或停止。
- * ref: https://cloud.tencent.com/developer/article/1041326
- *
- * check:
- * java.util.regex.Pattern#compile args:0
- * java.util.regex.Pattern#matches args:0
- *
- * fix:
- * (1) 优化正则表达式
- * (2) 使用 com.google.re2j 库
- *
- * notes:
- * `isExponentialRegex` 方法来源于 CodeQL
- */
-const val PATTERN_DOS_MESSAGE = "pattern.matches.type.msg"
+
 
 class PatternDOS : BaseLocalInspectionTool() {
 
     companion object {
-        private val MESSAGE = InspectionBundle.message(PATTERN_DOS_MESSAGE)
+        private val MESSAGE = InspectionBundle.message("vuln.massage.PatternMatchesDOS")
 
         /**
          * 检查是否为指数型正则表达式
@@ -69,10 +50,6 @@ class PatternDOS : BaseLocalInspectionTool() {
         }
     }
 
-    /**
-     * 提取字面量表达式
-     */
-    @Nullable
     private fun getLiteralExpression(expression: PsiExpression?): PsiLiteralExpression? {
         return when (expression) {
             is PsiReferenceExpression -> {

diff --git a/src/main/kotlin/org/skgroup/securityinspector/rules/dos/SystemDOS.kt b/src/main/kotlin/org/skgroup/securityinspector/rules/dos/SystemDOS.kt
@@ -1,27 +1,22 @@
-package com.skgroup.securityinspector.rules.dos
+package org.skgroup.securityinspector.rules.dos
 
 import com.intellij.codeInspection.ProblemHighlightType
 import com.intellij.codeInspection.ProblemsHolder
 import com.intellij.psi.JavaElementVisitor
 import com.intellij.psi.PsiElementVisitor
 import com.intellij.psi.PsiMethodCallExpression
-import com.skgroup.securityinspector.inspectors.BaseLocalInspectionTool
-import com.skgroup.securityinspector.utils.InspectionBundle
-import com.skgroup.securityinspector.utils.SecExpressionUtils
-
-/**
- * 1038: 检查系统退出方法，防止系统退出导致DOS攻击
- */
-const val SYSTEM_DOS_MESSAGE = "system.exit.type.msg"
+import org.skgroup.securityinspector.inspectors.BaseLocalInspectionTool
+import org.skgroup.securityinspector.utils.InspectionBundle
+import org.skgroup.securityinspector.utils.SecExpressionUtils
 
 class SystemDOS : BaseLocalInspectionTool() {
 
     companion object {
-        private val MESSAGE = InspectionBundle.message(SYSTEM_DOS_MESSAGE)
-        private val EXIT_METHODS = listOf(
-            "java.lang.System" to "exit",
-            "java.lang.Shutdown" to "exit",
-            "java.lang.Runtime" to "exit"
+        private val MESSAGE = InspectionBundle.message("vuln.massage.SystemEXITDOS")
+        private val EXIT_METHODS = mapOf(
+            "java.lang.System" to listOf("exit"),
+            "java.lang.Shutdown" to listOf("exit"),
+            "java.lang.Runtime" to listOf("exit")
         )
     }
 
@@ -39,12 +34,12 @@ class SystemDOS : BaseLocalInspectionTool() {
         }
     }
 
-    /**
-     * 检查方法调用是否是系统退出相关的方法
-     */
     private fun isSystemExitCall(expression: PsiMethodCallExpression): Boolean {
-        return EXIT_METHODS.any { (className, methodName) ->
-            SecExpressionUtils.hasFullQualifiedName(expression, className, methodName)
+        return EXIT_METHODS.any { (className, methodNames) ->
+            methodNames.any { methodName ->
+                SecExpressionUtils.hasFullQualifiedName(expression, className, methodName)
+            }
+
         }
     }
 }
diff --git a/src/main/kotlin/org/skgroup/securityinspector/rules/files/read/ReadFile.kt b/src/main/kotlin/org/skgroup/securityinspector/rules/files/read/ReadFile.kt
@@ -1,4 +1,64 @@
 package org.skgroup.securityinspector.rules.files.read
 
-class ReadFile {
-}
+import com.intellij.codeInspection.ProblemHighlightType
+import com.intellij.codeInspection.ProblemsHolder
+import com.intellij.psi.JavaElementVisitor
+import com.intellij.psi.PsiElementVisitor
+import com.intellij.psi.PsiMethodCallExpression
+import com.intellij.psi.PsiNewExpression
+import org.jetbrains.annotations.NotNull
+import org.skgroup.securityinspector.inspectors.BaseLocalInspectionTool
+import org.skgroup.securityinspector.utils.InspectionBundle
+import org.skgroup.securityinspector.utils.SecExpressionUtils
+
+/**
+ * 检查任意文件读取漏洞
+ */
+class ReadFile : BaseLocalInspectionTool() {
+
+    companion object {
+        private val MESSAGE = InspectionBundle.message("vuln.massage.ReadFile")
+        private val READFILE_METHOD_SINKS: Map<String, List<String>> = mapOf(
+            "java.lang.Class" to listOf("getResourceAsStream"),
+            "org.apache.commons.io.FileUtils" to listOf(
+                "readFileToByteArray",
+                "readFileToString",
+                "readLines"
+            ),
+            "java.nio.file.Files" to listOf(
+                "readAllBytes",
+                "readAllLines"
+            ),
+            "java.io.BufferedReader" to listOf("readLine")
+        )
+    }
+
+    @NotNull
+    override fun buildVisitor(holder: ProblemsHolder, isOnTheFly: Boolean): PsiElementVisitor {
+        return object : JavaElementVisitor() {
+
+            override fun visitMethodCallExpression(expression: PsiMethodCallExpression) {
+                if (SecExpressionUtils.isMethodSink(expression, READFILE_METHOD_SINKS)) {
+                    holder.registerProblem(
+                        expression,
+                        MESSAGE,
+                        ProblemHighlightType.GENERIC_ERROR_OR_WARNING
+                    )
+                }
+            }
+
+            override fun visitNewExpression(expression: PsiNewExpression) {
+                if (SecExpressionUtils.hasFullQualifiedName(expression, "java.io.FileInputStream")
+                    || SecExpressionUtils.hasFullQualifiedName(expression, "java.io.FileReader")
+                ) {
+                    holder.registerProblem(
+                        expression,
+                        MESSAGE,
+                        ProblemHighlightType.GENERIC_ERROR_OR_WARNING
+                    )
+                }
+            }
+        }
+    }
+
+}