-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy pathscan_spring.py
273 lines (233 loc) · 8.8 KB
/
scan_spring.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
import os
import sys
from collections import namedtuple
from enum import Enum, IntEnum
from zipfile import BadZipFile, ZipFile
from tarfile import open as tar_open
from tarfile import CompressionError, ReadError
import zlib
from io import BytesIO
import struct
from jawa.classloader import ClassFile
RED = "\x1b[31m"
GREEN = "\x1b[32m"
YELLOW = "\x1b[33m"
RESET_ALL = "\x1b[0m"
ZIP_EXTENSIONS = {".jar", ".war", ".sar", ".ear", ".par", ".zip", ".apk"}
TAR_EXTENSIONS = {".tar.gz", ".tar"}
ANNOTATION_STRS = {
b"annotation/RequestMapping",
b"annotation/GetMapping",
b"annotation/PostMapping",
b"annotation/PutMapping",
b"annotation/DeleteMapping",
b"annotation/PatchMapping",
}
ANNOTATION_STRSs = {s.decode("utf-8") for s in ANNOTATION_STRS}
ALLOWED_TYPES = {
"java/lang/String",
"boolean",
"long",
"int",
"java/lang/CharSequence",
"java/lang/Number",
"java/time/temporal/Temporal",
"java/time/DateTime",
"java/util/ArrayList",
"java/util/Locale",
"java/net/URI",
"java/net/URL",
"org/springframework/web/context/request/NativeWebRequest",
"org/springframework/web/context/request/WebRequest",
"javax/servlet/http/HttpServletResponse",
"javax/servlet/http/HttpServletRequest",
"javax/servlet/http/HttpSession",
"javax/servlet/http/PushBuilder",
"java/security/Principal",
"org/springframework/http/HttpMethod",
"java/time/TimeZone",
"java/time/ZoneId",
"java/io/InputStream",
"java/io/OutputStream",
"java/io/Reader",
"java/io/Writer",
"java/util/Map",
"org/springframework/ui/Model",
"org/springframework/ui/ModelMap",
} # TO BE UPDATED
CLASSES_EXEMPTLIST = {"org/springframework/boot"}
def get_annotation_constants(c):
for const in c.constants:
if hasattr(const, "value") and isinstance(const.value, str):
if any(
const.value.endswith(substr) or const.value.endswith(substr + ";")
for substr in ANNOTATION_STRSs
):
yield const.index
def check_method_annotations(c, req_constants):
for method in c.methods:
for attr in method.attributes:
if attr.name == "RuntimeVisibleAnnotations":
index = struct.unpack(">H", attr.info[2:4])[0]
if index in req_constants and method.args:
yield (method.name.value, {arg.name for arg in method.args})
def examine_class(rel_path, file_name, content, silent_mode) -> bool:
problem_found = False
try:
cl = ClassFile(BytesIO(content))
except: # IndexError, but I don't trust jawa not to throw someting else
if not silent_mode:
print("Could not open class: %s" % file_name)
return False
annotation_constants = list(get_annotation_constants(cl))
if not annotation_constants:
return False
for method_name, arg_type_names in check_method_annotations(
cl, annotation_constants
):
bad_arg_type_names = [
arg_type_name
for arg_type_name in arg_type_names
if arg_type_name not in ALLOWED_TYPES
]
if bad_arg_type_names:
problem_found = True
print(
"In %s/%s%s%s: endpoint method %s%s%s accepts %s\n\n"
% (
rel_path,
RED,
file_name,
RESET_ALL,
RED,
method_name,
RESET_ALL,
", ".join(bad_arg_type_names),
)
)
return problem_found
def zip_file(file, rel_path: str, silent_mode: bool) -> bool:
problem_found = False
try:
with ZipFile(file) as jarfile:
for file_name in jarfile.namelist():
if acceptable_filename(file_name):
with jarfile.open(file_name, "r") as next_file:
problem_found |= test_file(
next_file, os.path.join(rel_path, file_name), silent_mode
)
continue
if (
file_name.endswith(".class")
and not file_name.endswith("module-info.class")
and not any(
file_name.startswith(exempt_class)
for exempt_class in CLASSES_EXEMPTLIST
)
):
content = jarfile.read(file_name)
if any(substr in content for substr in ANNOTATION_STRS):
problem_found |= examine_class(
rel_path, file_name, content, silent_mode
)
# went over all the files in the current layer; draw conclusions
except (IOError, BadZipFile, UnicodeDecodeError, zlib.error, RuntimeError) as e:
if not silent_mode:
print(rel_path + ": " + str(e))
return problem_found
def tar_file(file, rel_path: str, silent_mode: bool) -> bool:
problem_found = False
try:
with tar_open(fileobj=file) as tarfile:
for item in tarfile.getmembers():
if "../" in item.name:
continue
if item.isfile() and acceptable_filename(item.name):
fileobj = tarfile.extractfile(item)
new_path = rel_path + "/" + item.name
problem_found |= test_file(fileobj, new_path, silent_mode)
except (
IOError,
FileExistsError,
CompressionError,
ReadError,
RuntimeError,
UnicodeDecodeError,
zlib.error,
) as e:
if not silent_mode:
print(rel_path + ": " + str(e))
return False
return problem_found
def test_file(file, rel_path: str, silent_mode: bool) -> bool:
if any(rel_path.endswith(ext) for ext in ZIP_EXTENSIONS):
return zip_file(file, rel_path, silent_mode)
elif any(rel_path.endswith(ext) for ext in TAR_EXTENSIONS):
return tar_file(file, rel_path, silent_mode)
return False
def acceptable_filename(filename: str):
return any(filename.endswith(ext) for ext in ZIP_EXTENSIONS | TAR_EXTENSIONS)
def run_scanner(root_dir: str, exclude_dirs, silent_mode: bool) -> bool:
problem_found = False
if os.path.isdir(root_dir):
for directory, dirs, files in os.walk(root_dir, topdown=True):
[
dirs.remove(excluded_dir)
for excluded_dir in list(dirs)
if os.path.join(directory, excluded_dir) in exclude_dirs
]
for filename in files:
if acceptable_filename(filename):
full_path = os.path.join(directory, filename)
rel_path = os.path.relpath(full_path, root_dir)
try:
with open(full_path, "rb") as file:
problem_found |= test_file(file, rel_path, silent_mode)
except FileNotFoundError as fnf_error:
if not silent_mode:
print(fnf_error)
elif os.path.isfile(root_dir):
if acceptable_filename(root_dir):
with open(root_dir, "rb") as file:
if any(root_dir.endswith(ext) for ext in ZIP_EXTENSIONS):
problem_found = zip_file(file, "", silent_mode)
elif any(root_dir.endswith(ext) for ext in TAR_EXTENSIONS):
problem_found = tar_file(file, "", silent_mode)
return problem_found
def print_usage():
print(
"Usage: "
+ sys.argv[0]
+ " <root_folder> [-quiet] [-exclude <folder1> <folder2> ...]"
)
print("or: " + sys.argv[0] + "<archive_file> [-quiet]")
exit()
def parse_command_line():
if len(sys.argv) < 2:
print_usage()
root_dir = sys.argv[1]
exclude_folders = []
silent = len(sys.argv) > 2 and sys.argv[2] == "-quiet"
exclude_start = 3 if silent else 2
if len(sys.argv) > exclude_start:
if not sys.argv[exclude_start] == "-exclude":
print_usage()
exclude_folders = sys.argv[exclude_start + 1 :]
return root_dir, exclude_folders, silent
if __name__ == "__main__":
root_dir, exclude_dirs, silent_mode = parse_command_line()
for dir_to_check in exclude_dirs:
if not os.path.isdir(dir_to_check):
print(dir_to_check + " is not a directory")
print_usage()
if not os.path.isdir(root_dir) and not (
os.path.isfile(root_dir) and acceptable_filename(root_dir)
):
print(root_dir + " is not a directory or an archive")
print_usage()
print("Scanning " + root_dir)
if exclude_dirs:
print("Excluded: " + ", ".join(exclude_dirs))
problem_found = run_scanner(root_dir, set(exclude_dirs), silent_mode)
if problem_found:
sys.exit(1)