From a1f3fa7104328f043c8ac209d228f20afd35c537 Mon Sep 17 00:00:00 2001
From: LoRexxar
Date: Wed, 5 Jan 2022 16:33:01 +0800
Subject: [PATCH 1/6] fix bug for ternaryop bug
---
 core/core_engine/php/parser.py | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/core/core_engine/php/parser.py b/core/core_engine/php/parser.py
index 576be089..b16cbf70 100644
--- a/core/core_engine/php/parser.py
+++ b/core/core_engine/php/parser.py
@@ -819,8 +819,25 @@ def parameters_back(param, nodes, function_params=None, lineno=0,
 code = "{}={}?{}:{}".format(param_name, param_ex, terna1, terna2) scan_chain.append(('TernaryOp', code, file_path, node.lineno))
- param = node.expr
- is_co = 3
+ # 没办法判断这种三元条件的结果
+ # 如果1是可控,则1,如果2是可控则2
+ # 如果1和2中有-1,则选另一个
+ # 否则选1
+
+ is_co, cp = is_controllable(terna1)
+ if is_co == 1:
+ param = terna1
+ else:
+ is_co2, cp = is_controllable(terna2)
+
+ if is_co2 == 1:
+ param = terna2
+
+ else:
+ if is_co == -1:
+ param = terna2
+ else:
+ param = terna1
 if param_name == param_node and isinstance(node.expr, php.FunctionCall): # 当变量来源是函数时,处理函数内容 function_name = node.expr.name
From 9d2d207b4ffc6cfc9a3a544bda6d078bab6ea631 Mon Sep 17 00:00:00 2001
From: LoRexxar
Date: Wed, 5 Jan 2022 18:20:55 +0800
Subject: [PATCH 2/6] fix bug for param from list
---
 core/core_engine/php/parser.py | 8 ++++++++
 core/engine.py | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/core/core_engine/php/parser.py b/core/core_engine/php/parser.py
index b16cbf70..3fcc0460 100644
--- a/core/core_engine/php/parser.py
+++ b/core/core_engine/php/parser.py
@@ -926,6 +926,14 @@ def parameters_back(param, nodes, function_params=None, lineno=0,
 if param_name in param_expr: logger.debug("[AST] param {} in list {}, continue...".format(param_name, param_expr))
+ # 如果列表中直接就有可控变量,先算作漏洞
+ for p in param_expr:
+ is_co, cp = is_controllable(p)
+
+ if is_co == 1:
+ param = p
+ return is_co, cp, expr_lineno
+
 is_co = 3 cp = param
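Review bot: In the new ternary handling `cp` and `is_co` can disagree with the `param` that is finally chosen: once `is_co2, cp = is_controllable(terna2)` has run, `cp` describes terna2, yet the innermost `else` selects `param = terna1`, and in every branch that selects terna2 `is_co` still holds terna1's result. Whatever the code after this block does with the `(is_co, cp)` pair (the rest of `parameters_back` is outside the hunk) will then attribute a control point to the wrong branch of the ternary. Keeping the triple together per branch fixes it, e.g. `param, is_co = terna2, is_co2` where terna2 wins, and `is_co, cp = is_controllable(terna1)` in the final `else` so `cp` matches terna1 again. The removed `is_co = 3` used to mean "keep tracing"; if later code still tests for 3, a one-line comment stating which ternary branch is followed and what `is_co` now carries would make that change of contract visible.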
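Review bot: The early `return is_co, cp, expr_lineno` inside `for p in param_expr` reports a list element as the source without recording that step in `scan_chain`, whereas the ternary branch earlier in the same function appends a `('TernaryOp', ...)` entry, so a consumer of the chain sees the taint jump from `param_name` to `p` with no intermediate node. Appending an entry before the return, along the lines of `scan_chain.append(('List', "{} in {}".format(param_name, param_expr), file_path, node.lineno))`, keeps the trace complete — assuming `file_path` and `node` are the same names in scope at this point (the function starts outside the hunk). The `param = p` assignment just before the `return` is dead, since `param` is not part of the returned tuple.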
diff --git a/core/engine.py b/core/engine.py
index 8640826b..aa01061e 100644
--- a/core/engine.py
+++ b/core/engine.py
@@ -178,7 +178,6 @@ def store(result):
 logger.debug('[SCAN] [STORE] Not found vulnerabilities on this rule!') async def start_scan(target_directory, rule, files, language, tamper_name):
-
 result = scan_single(target_directory, rule, files, language, tamper_name, is_unconfirm, newcore_function_list) store(result)
@@ -444,6 +443,7 @@ def origin_results(self):
 if match: f = FileParseAll(self.files, self.target_directory, language=self.lan) result = f.grep(match)
+
 else: result = None except Exception as e:
From 520782598002989ac8977c16064702ae495dd6a9 Mon Sep 17 00:00:00 2001
From: LoRexxar
Date: Thu, 13 Jan 2022 10:09:54 +0800
Subject: [PATCH 3/6] fix result path error
---
 utils/export.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utils/export.py b/utils/export.py
index c565dabf..0a93b0ea 100644
--- a/utils/export.py
+++ b/utils/export.py
@@ -133,7 +133,7 @@ def write_to_file(target, sid, output_format='', filename=None):
 filename = targetlist[-2] else: filename = targetlist[-1]
- filename = DEFAULT_RESULT_PATH + filename + "." + output_format
+ filename = os.path.join(DEFAULT_RESULT_PATH, filename + "." + output_format)
 # return False scan_data_file = os.path.join(RUNNING_PATH, '{sid}_data'.format(sid=sid))
From 96bf022b1ccafac58b8723da50f8dffd59b87ad8 Mon Sep 17 00:00:00 2001
From: LoRexxar
Date: Mon, 24 Jan 2022 18:02:54 +0800
Subject: [PATCH 4/6] try bug for java mevan
---
 core/vendors.py | 51 +++++++++++++++++++++++++------------------------
 1 file changed, 26 insertions(+), 25 deletions(-)
diff --git a/core/vendors.py b/core/vendors.py
index 856e69c0..05c093cb 100644
--- a/core/vendors.py
+++ b/core/vendors.py
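Review bot: The `os.path.join` in `write_to_file` fixes the missing separator, but the component it joins still comes straight from the target path (`targetlist[-2]` / `targetlist[-1]` in the context lines above), so an empty component, `.`, `..`, or one containing a separator would put the result file outside `DEFAULT_RESULT_PATH`, and `os.path.join` discards the base entirely if the component happens to be absolute. A guard before the join such as `if not filename or filename in ('.', '..') or os.sep in filename: raise ValueError("unsafe result filename: %r" % filename)` keeps output under the result directory. Whether `target` can be user-supplied is not visible in this hunk, so how strict the check must be depends on the callers.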
@@ -87,7 +87,7 @@ def get_project_by_version(vendor_name, vendor_version):
 is_need_version_check = True result_project = {}
- if vendor_version == 'latest':
+ if vendor_version == 'unknown':
 is_need_version_check = False vendor_version = abstract_version(vendor_version)
@@ -100,7 +100,7 @@ def get_project_by_version(vendor_name, vendor_version):
 for pv in pvs: # pv_versions = pv.version.split(',')
- if not is_need_version_check or compare_vendor(pv.version, vendor_version):
+ if is_need_version_check and compare_vendor(pv.version, vendor_version):
 pid = pv.project_id project = Project.objects.filter(id=pid).first()
@@ -362,9 +362,10 @@ def check_vendor(self):
 default_xpath_reg = ".//parent" parents = root.findall(default_xpath_reg)
- default_version = "lastest"
+ default_version = "unknown"
+ project_version = "unknown"
 for parent in parents:
- default_version = parent.getchildren()[2].text
+ project_version = parent.getchildren()[2].text
 # 匹配通用配置 if pom_ns:
@@ -395,7 +396,7 @@ def check_vendor(self):
 version = default_version var_reg = "\${([\w\.\_-]+)}"
- if re.search(var_reg, version, re.I):
+ if re.search(var_reg, version, re.I) and version == default_version:
 p2 = re.compile(var_reg) matchs = p2.finditer(version)
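Review bot: With the condition rewritten as `is_need_version_check and compare_vendor(...)`, the `is_need_version_check = False` branch that the hunk at line 87 sets for `'unknown'` versions makes the loop body unreachable, so `get_project_by_version` now returns no project at all for a component whose version could not be determined, and the `abstract_version(vendor_version)` call on `'unknown'` runs for nothing. If that is the intended policy (no vulnerability match without a concrete version), an early `if not is_need_version_check: return result_project` with a comment saying unknown versions are deliberately not matched would make it explicit; if unknown versions were meant to match every known version, the old `not is_need_version_check or` form was the correct one. How `result_project` is consumed is outside the hunk, so I cannot tell which reading the caller expects.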
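Review bot: `project_version = parent.getchildren()[2].text` assumes the `<parent>` element's children are exactly groupId, artifactId, version in that order; a pom with `<relativePath>` placed first, a comment node, or reordered children reads the wrong value or raises `IndexError`. If `root` comes from `xml.etree.ElementTree`, `Element.getchildren()` was also removed in Python 3.9, so this line raises `AttributeError` on current interpreters. Looking the child up by tag avoids both: `v = parent.find("{%s}version" % pom_ns if pom_ns else "version")` followed by `project_version = v.text if v is not None else "unknown"` (`pom_ns` is already in scope here, as the context line below shows).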
@@ -404,33 +405,33 @@ def check_vendor(self):
 # 处理内置变量 if varname == "project.version":
- version = default_version
+ version = project_version
 continue if varname in self.java_temp_vendor_list: version = self.java_temp_vendor_list[varname] continue
- if pom_ns:
- var_xpath_reg = ".//{%s}%s" % (pom_ns, varname)
- else:
- var_xpath_reg = ".//%s" % varname
-
- varchilds = root.findall(var_xpath_reg)
-
- for child in varchilds:
- version = child.text
- ext = varname
-
- # 如果没有匹配到,那么需要去数据库查询
- if not varchilds:
- pv = ProjectVendors.objects.filter(project_id=self.project_id, ext=varname).first()
- if pv:
- version = pv.version
+ # if pom_ns:
+ # var_xpath_reg = ".//{%s}%s" % (pom_ns, varname)
+ # else:
+ # var_xpath_reg = ".//%s" % varname
+ #
+ # varchilds = root.findall(var_xpath_reg)
+
+ # for child in varchilds:
+ # version = child.text
+ # ext = varname
+ #
+ # # 如果没有匹配到,那么需要去数据库查询
+ # if not varchilds:
+ # pv = ProjectVendors.objects.filter(project_id=self.project_id, ext=varname).first()
+ # if pv:
+ # version = pv.version
 vendor_name = "{}:{}".format(group_id, artifact_id) vendor_version = version
- # ext = "maven"
+ ext = "mevan"
 update_and_new_project_vendor(self.project_id, name=vendor_name, version=vendor_version, language=language, source=savefilepath, ext=ext)
@@ -487,7 +488,7 @@ def check_vendor(self):
 ext = "{}.{}".format(node_version, "dependencies") update_and_new_project_vendor(self.project_id, name=dependency, version=vendor_version,
- language=language, ext=savefilepath)
+ language=language, source=savefilepath)
 get_and_save_vendor_vuls(self.task_id, dependency, vendor_version, language, ext)
@@ -496,7 +497,7 @@ def check_vendor(self):
 ext = "{}.{}".format(node_version, "devDependencies") update_and_new_project_vendor(self.project_id, name=dependency, version=vendor_version,
- language=language, ext=savefilepath)
+ language=language, source=savefilepath)
 get_and_save_vendor_vuls(self.task_id, dependency, vendor_version, language, ext)
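Review bot: `ext = "mevan"` replaces the commented-out `# ext = "maven"`, so every component stored by the `update_and_new_project_vendor(...)` call that follows is tagged with a misspelt ecosystem name; if `ext` is used as a lookup key anywhere else, those rows will never match a `maven` query, and the spelling is persisted in the database rather than just in code. Unless the name is deliberate, `ext = "maven"` is the intended value. The sixteen lines of property/database lookup turned into comments would be better deleted than kept: version control preserves them, and as comments they hide that a `${...}` variable absent from `self.java_temp_vendor_list` now falls through unresolved into `vendor_version`, which deserves at least a `logger.debug` noting the unresolved placeholder.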
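Review bot: The `ext=savefilepath` → `source=savefilepath` rename is the right fix, but the `update_and_new_project_vendor(...)` call in this hunk (and the identical devDependencies call in the hunk at line 496) still does not pass the `ext` value computed two lines earlier, while the pom.xml branch above passes `ext=ext`; the stored npm component therefore has no ecosystem tag even though `get_and_save_vendor_vuls(...)` receives one. Changing both calls to `language=language, source=savefilepath, ext=ext)` keeps the two stores consistent. What `update_and_new_project_vendor` does when `ext` is omitted is not visible here — its signature only appears truncated in a later hunk header.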
From fd53f472095aceab0961b49f4fe6e7db72de2d5e Mon Sep 17 00:00:00 2001
From: LoRexxar
Date: Wed, 2 Mar 2022 11:20:59 +0800
Subject: [PATCH 5/6] update vendor scan
---
 core/vendors.py | 34 +++++++++++++++++++++++++++++++++-
 web/index/models.py | 2 +-
 2 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/core/vendors.py b/core/vendors.py
index 05c093cb..7b2d1b21 100644
--- a/core/vendors.py
+++ b/core/vendors.py
@@ -210,6 +210,7 @@ def __init__(self, task_id, project_id, target, files):
 # 检查列表 self.get_vendor_file() self.exist_file_list = list(set(self.exist_file_list))
+ self.exist_file_list = sorted(self.exist_file_list, key=lambda i:len(i))
 if len(self.exist_file_list): self.check_vendor()
@@ -271,6 +272,8 @@ def check_vendor(self):
 f.seek(0, os.SEEK_SET) savefilepath = filepath.replace(self.target_path, "").replace('\\', '/')
+ logger.info("[Vendor] Parse File {}.".format(savefilepath))
+
 if filename == "requirements.txt": for line in f:
@@ -365,8 +368,29 @@ def check_vendor(self):
 default_version = "unknown" project_version = "unknown" for parent in parents:
+ project_groupid = parent.getchildren()[0].text
+ project_artifactId = parent.getchildren()[1].text
 project_version = parent.getchildren()[2].text
+ # project version 格式检查
+ var_reg = "\${([\w\.\_-]+)}"
+ if re.search(var_reg, project_version, re.I):
+ p2 = re.compile(var_reg)
+ matchs = p2.finditer(project_version)
+
+ for match in matchs:
+ varname = match.group(1)
+
+ if varname in self.java_temp_vendor_list:
+ project_version = self.java_temp_vendor_list[varname]
+ continue
+
+ # project 依赖版本也可以加入全局表
+ vendor_name = "{}.{}".format(project_groupid, project_artifactId)
+ self.java_temp_vendor_list[vendor_name] = project_version
+ update_and_new_project_vendor(self.project_id, name=vendor_name, version=project_version,
+ language=language, source=savefilepath, ext=ext)
+
 # 匹配通用配置 if pom_ns: java_base_xpath_reg = ".//{%s}properties" % pom_ns
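Review bot: `key=lambda i:len(i)` is just `key=len`; `self.exist_file_list = sorted(self.exist_file_list, key=len)` reads more directly and drops a Python-level call per element. The sort itself is unexplained — presumably shorter paths go first so a top-level pom.xml fills `self.java_temp_vendor_list` before nested modules that reference its properties are parsed, but that is an inference; a one-line comment stating the reason (e.g. `# parse parent/top-level manifests before nested ones so shared properties are known`) would save the next reader the guess.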
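Review bot: The new `<parent>` block calls `update_and_new_project_vendor(..., language=language, source=savefilepath, ext=ext)`, but in this file `ext = "mevan"` is only assigned inside the later dependency loop (hunk at line 404 of the previous commit), so on the first pom.xml parsed `ext` may be unbound (`NameError`) or, for a later file, stale from the previous iteration — unless `check_vendor`, which starts outside the hunk, sets it earlier. Assigning the ecosystem tag once before this block removes the dependence on loop order. Two smaller points: the parent is keyed as `"{}.{}".format(project_groupid, project_artifactId)` while dependencies below use `"{}:{}".format(group_id, artifact_id)`, so the same artifact gets two different names in the component table; and `getchildren()[0..2]` is positional and, for `xml.etree`, removed in Python 3.9 — `parent.find(...)` by tag with a `None` check is safer for all three reads.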
@@ -380,6 +404,12 @@ def check_vendor(self):
 for btag in btags: self.java_temp_vendor_list[btag.tag.replace("{%s}" % pom_ns, "")] = btag.text
+ # 全局表
+ vendor_name = btag.tag.replace("{%s}" % pom_ns, "")
+ self.java_temp_vendor_list[vendor_name] = btag.text
+ update_and_new_project_vendor(self.project_id, name=vendor_name, version=btag.text,
+ language=language, source=savefilepath, ext=ext)
+
 # 匹配dependency if pom_ns: xpath_reg = ".//{%s}dependency" % pom_ns
@@ -396,7 +426,7 @@ def check_vendor(self):
 version = default_version var_reg = "\${([\w\.\_-]+)}"
- if re.search(var_reg, version, re.I) and version == default_version:
+ if re.search(var_reg, version, re.I):
 p2 = re.compile(var_reg) matchs = p2.finditer(version)
@@ -433,6 +463,8 @@ def check_vendor(self):
 vendor_version = version ext = "mevan"
+ logger.debug("[Vendor][pom.xml] Found Vendor {} vension {} in file {}".format(vendor_name, vendor_version, savefilepath))
+
 update_and_new_project_vendor(self.project_id, name=vendor_name, version=vendor_version, language=language, source=savefilepath, ext=ext)
diff --git a/web/index/models.py b/web/index/models.py
index e3f94db2..75ec5870 100644
--- a/web/index/models.py
+++ b/web/index/models.py
@@ -111,7 +111,7 @@ def update_and_new_project_vendor(project_id, name, version, language, source=No
 vendor = ProjectVendors.objects.filter(project_id=project_id, hash=hash).first() if vendor:
- if vendor.version != version:
+ if vendor.version != version and version != 'unknown':
 logger.debug("[Vendors] Component {} update to version {}".format(name, version)) vendor.version = version
From bd3ba14b490b8d9864cd85c5742f45e4efa1601c Mon Sep 17 00:00:00 2001
From: LoRexxar
Date: Wed, 2 Mar 2022 11:25:19 +0800
Subject: [PATCH 6/6] update 2.6.4.2
---
 core/__version__.py | 2 +-
 docs/changelog.md | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/core/__version__.py b/core/__version__.py
index 20a5ec11..c370e1e1 100644
--- a/core/__version__.py
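Review bot: The added lines inside `for btag in btags` call `update_and_new_project_vendor(...)` once per `<properties>` child, so every pom property — build encodings, compiler levels, plugin versions and the like — is stored as a component named after the property with its text as the version, which pollutes the component table and whatever vulnerability matching reads it. The unchanged line above already writes the same key to `self.java_temp_vendor_list`, so the new `self.java_temp_vendor_list[vendor_name] = btag.text` is a duplicate and only the store call is new. If the intent is to capture version-bearing properties as pseudo-components, narrow it — for example `if btag.text is None or not vendor_name.endswith(".version"): continue` before the store — and the `None` check also avoids passing an empty element's text as `version`.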
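Review bot: The new debug line reads `vension` where `version` is meant; functionally harmless, but anyone filtering logs on the word "version" will miss these entries, so the string should be `"[Vendor][pom.xml] Found Vendor {} version {} in file {}"`. Since `ext` is set to the ecosystem tag on the line just above, including it in the message would also make multi-ecosystem logs easier to read.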
+++ b/core/__version__.py
@@ -7,7 +7,7 @@ __issue_page__ = 'https://github.com/LoRexxar/Kunlun-M/issues/new' __python_version__ = sys.version.split()[0] __platform__ = platform.platform()
-__version__ = '2.6.4.1'
+__version__ = '2.6.4.2'
 __author__ = 'LoRexxar' __author_email__ = 'LoRexxar@gmail.com' __license__ = 'MIT License'
diff --git a/docs/changelog.md b/docs/changelog.md
index 08fd9a06..18a0232d 100644
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -294,4 +294,9 @@
 - 为组件数据添加了source字段,标准了组件的来源位置
 - 更新了相应的前端显示
 - 为项目页面做了数据优化,现在不那么烧资源了,并添加了项目搜索功能
-
\ No newline at end of file
+- 2022-03-02
+ - KunLun-M 2.6.4.2
+ - 修复了几个PHP的语法支持问题
+ - 修复了组件扫描中关于pom.xml静态扫描的几个语法解析错误
+ - 修改了组件数据储存格式
+ - 从这个版本后不再做小版本的更新,只做bug修复维护,后续会有一个直接更新到3.0的大版本更新
\ No newline at end of file