Skip to content

规则开发案例讲解

Jump to bottom
铲子科技 edited this page Nov 19, 2024 · 10 revisions
  • 本文以一部分内置规则为例介绍规则开发

命令执行


// 找到source点,铲子对大部分主流rpc框架的请求入参都打上了对应的标签,所以这里只需要根据标签查询对应的节点即可
MATCH
  (sourceNode:DubboServiceArg|ThriftHandlerArg|NettyHandlerArg|JfinalControllerArg|SpringControllerArg|JspServiceArg|WebServletArg|WebXmlServletArg|WebXmlFilterArg|JaxrsArg|HttpHandlerArg)

// 找到sink点,selector主要指方法调用表达式的方法名,命令注入的方法名比如 exec,方法的对象类型Runtime
MATCH
  (sinkNode)
  WHERE
  ('exec' IN  sinkNode.selectors AND 'Runtime' IN  sinkNode.receiverTypes) OR
// new一个对象,构造方法的入参,类型ProcessBuilder
  sinkNode.AllocationClassName = 'ProcessBuilder' OR
// ProcessBuilder 的command方法调用
  ('command' IN sinkNode.selectors AND 'ProcessBuilder' IN sinkNode.receiverTypes)
// 查找 source到sink的路径,只保留最短路径
MATCH
  p = shortestPath((sourceNode)-[*..30]->(sinkNode))
// 返回路径,也就是数据流
RETURN
  p AS path

URL重定向

MATCH
// 同上  (sourceNode:DubboServiceArg|ThriftHandlerArg|NettyHandlerArg|JfinalControllerArg|SpringControllerArg|JspServiceArg|WebServletArg|WebXmlServletArg|WebXmlFilterArg|JaxrsArg|HttpHandlerArg)

// sink点,调用sendRedirect方法时的入参
MATCH
  (sinkNode)
  WHERE
  'sendRedirect' IN sinkNode.selectors OR
  //    return "redirect:" + url;   // Spring MVC写法 302临时重定向 , 加法表达式左边拼接  redirect:
  sinkNode.addLeft = "\"redirect:\"" OR
// 调用 HttpHeaders类的setLocation时的入参
    ('setLocation' IN sinkNode.selectors AND 'HttpHeaders' IN  sinkNode.receiverTypes)
// 查找数据流
MATCH
  p = shortestPath((sourceNode)-[*..30]->(sinkNode))
//返回数据流
RETURN
  p AS path

服务端请求伪造(SSRF)

MATCH
 // source点同上 (sourceNode:DubboServiceArg|ThriftHandlerArg|NettyHandlerArg|JfinalControllerArg|SpringControllerArg|JspServiceArg|WebServletArg|WebXmlServletArg|WebXmlFilterArg|JaxrsArg|HttpHandlerArg)

//sink点,这里包括了各种发起http请求的方式
MATCH
  (sinkNode)
  WHERE  'url' IN sinkNode.selectors OR
  'URL' IN sinkNode.selectors OR
// URL类构造方法的入参
  sinkNode.AllocationClassName = 'URL' OR
  sinkNode.AllocationClassName = 'GetMethod' OR
  sinkNode.AllocationClassName = 'XmlStreamReader' OR
  sinkNode.AllocationClassName = 'HttpGet' OR
  sinkNode.AllocationClassName = 'HttpPost' OR
  sinkNode.AllocationClassName = 'HttpUriRequestBase' OR
  sinkNode.AllocationClassName = 'BasicClassicHttpRequest' OR
  sinkNode.AllocationClassName = 'BasicHttpRequest' OR
  sinkNode.AllocationClassName = 'BasicRequestProducer' OR
  sinkNode.AllocationClassName = 'BasicHttpEntityEnclosingRequest' OR
  'HttpGet' IN sinkNode.selectors OR
  'HttpPost' IN sinkNode.selectors OR
  ('execute' IN sinkNode.selectors AND   'CloseableHttpClient' IN  sinkNode.receiverTypes) OR
  ('execute' IN sinkNode.selectors AND   'CloseableHttpAsyncClient' IN  sinkNode.receiverTypes) OR

// poitl组件中的方法,调用Pictures类的ofUrl
  ('ofUrl' IN sinkNode.selectors AND   'Pictures' IN  sinkNode.receiverTypes) OR
  ('execute' IN sinkNode.selectors AND   'HttpClient' IN  sinkNode.receiverTypes) OR
  ('createPost' IN sinkNode.selectors AND   'HttpUtil' IN  sinkNode.receiverTypes) OR
  ('createRequest' IN sinkNode.selectors AND   'HttpUtil' IN  sinkNode.receiverTypes) OR
  ('createGet' IN sinkNode.selectors AND   'HttpUtil' IN  sinkNode.receiverTypes) OR
  ('connect' IN sinkNode.selectors AND   'Jsoup' IN  sinkNode.receiverTypes) OR
  ('create' IN sinkNode.selectors AND   'URI' IN  sinkNode.receiverTypes) OR
  ('read' IN sinkNode.selectors AND   'ImageIO' IN  sinkNode.receiverTypes) OR
  ('executeMethod' IN sinkNode.selectors AND   'HttpClient' IN  sinkNode.receiverTypes) OR
  ('Get' IN sinkNode.selectors AND   'Request' IN  sinkNode.receiverTypes) OR
  ('Post' IN sinkNode.selectors AND   'Request' IN  sinkNode.receiverTypes) OR
  ('exchange' IN sinkNode.selectors AND   'RestTemplate' IN  sinkNode.receiverTypes) OR
  ('get' IN sinkNode.selectors AND   'HttpUtil' IN  sinkNode.receiverTypes) OR
  ('post' IN sinkNode.selectors AND   'HttpUtil' IN  sinkNode.receiverTypes) OR
  ('downloadString' IN sinkNode.selectors AND   'HttpUtil' IN  sinkNode.receiverTypes) OR
  ('downloadFile' IN sinkNode.selectors AND   'HttpUtil' IN  sinkNode.receiverTypes) OR
  ('downloadFileFromUrl' IN sinkNode.selectors AND   'HttpUtil' IN  sinkNode.receiverTypes) OR
  ('download' IN sinkNode.selectors AND   'HttpUtil' IN  sinkNode.receiverTypes) OR
  ('downloadBytes' IN sinkNode.selectors AND   'HttpUtil' IN  sinkNode.receiverTypes) OR
  ('post' IN sinkNode.selectors AND   'HttpRequest' IN  sinkNode.receiverTypes) OR
  ('get' IN sinkNode.selectors AND   'HttpRequest' IN  sinkNode.receiverTypes) OR
  ('of' IN sinkNode.selectors AND   'HttpRequest' IN  sinkNode.receiverTypes) OR
  ('HikariConfig' IN sinkNode.selectors AND   'HikariConfig' IN  sinkNode.receiverTypes) OR
  ('setQueryString' IN sinkNode.selectors AND   'GetMethod' IN  sinkNode.receiverTypes) OR
  ('copyFile' IN sinkNode.selectors AND   'PathUtils' IN  sinkNode.receiverTypes) OR
  ('copyFileToDirectory' IN sinkNode.selectors AND   'PathUtils' IN  sinkNode.receiverTypes) OR
  ('copyURLToFile' IN sinkNode.selectors AND   'FileUtils' IN  sinkNode.receiverTypes) OR
  ('copy' IN sinkNode.selectors AND   'IOUtils' IN  sinkNode.receiverTypes) OR
  ('toByteArray' IN sinkNode.selectors AND   'IOUtils' IN  sinkNode.receiverTypes) OR
  ('toString' IN sinkNode.selectors AND   'IOUtils' IN  sinkNode.receiverTypes) OR
  ('loadJSONHTML' IN sinkNode.selectors AND   'DownloadService' IN  sinkNode.receiverTypes) OR
  ('loadJSON' IN sinkNode.selectors AND   'DownloadService' IN  sinkNode.receiverTypes) OR
  ('download' IN sinkNode.selectors AND   'UpdateCenterConfiguration' IN  sinkNode.receiverTypes) OR
  ('loadJSONHTML' IN sinkNode.selectors AND   'DownloadService' IN  sinkNode.receiverTypes) OR
  ('newCall' IN sinkNode.selectors AND   'OkHttpClient' IN  sinkNode.receiverTypes) OR
  ('newWebSocket' IN sinkNode.selectors AND   'OkHttpClient' IN  sinkNode.receiverTypes) OR
  ('url' IN sinkNode.selectors AND   'Builder' IN  sinkNode.receiverTypes) OR
  ('create' IN sinkNode.selectors AND   'BasicHttpRequests' IN  sinkNode.receiverTypes) OR
  ('get' IN sinkNode.selectors AND   'BasicHttpRequests' IN  sinkNode.receiverTypes) OR
  ('post' IN sinkNode.selectors AND   'BasicHttpRequests' IN  sinkNode.receiverTypes) OR
  ('create' IN sinkNode.selectors AND   'SimpleHttpRequest' IN  sinkNode.receiverTypes) OR
  ('get' IN sinkNode.selectors AND   'SimpleHttpRequest' IN  sinkNode.receiverTypes) OR
  ('post' IN sinkNode.selectors AND   'SimpleHttpRequest' IN  sinkNode.receiverTypes) OR
  ('create' IN sinkNode.selectors AND   'ClassicHttpRequests' IN  sinkNode.receiverTypes) OR
  ('get' IN sinkNode.selectors AND   'ClassicHttpRequests' IN  sinkNode.receiverTypes) OR
  ('post' IN sinkNode.selectors AND   'ClassicHttpRequests' IN  sinkNode.receiverTypes) OR
  ('create' IN sinkNode.selectors AND   'Request' IN  sinkNode.receiverTypes) OR
  ('get' IN sinkNode.selectors AND   'ClassicRequestBuilder' IN  sinkNode.receiverTypes) OR
  ('post' IN sinkNode.selectors AND   'ClassicRequestBuilder' IN  sinkNode.receiverTypes) OR
  ('connect' IN sinkNode.selectors AND   'HttpAsyncRequester' IN  sinkNode.receiverTypes) OR
  ('get' IN sinkNode.selectors AND   'AsyncRequestBuilder' IN  sinkNode.receiverTypes) OR
  ('post' IN sinkNode.selectors AND   'AsyncRequestBuilder' IN  sinkNode.receiverTypes) OR
  ('setUri' IN sinkNode.selectors AND   'AbstractRequestBuilder' IN  sinkNode.receiverTypes) OR
  ('get' IN sinkNode.selectors AND   'BasicRequestBuilder' IN  sinkNode.receiverTypes) OR
  ('post' IN sinkNode.selectors AND   'BasicRequestBuilder' IN  sinkNode.receiverTypes) OR
  ('setURI' IN sinkNode.selectors AND   'HttpRequestBase' IN  sinkNode.receiverTypes) OR
  ('setURI' IN sinkNode.selectors AND   'HttpRequestWrapper' IN  sinkNode.receiverTypes) OR
  ('setURI' IN sinkNode.selectors AND   'RequestWrapper' IN  sinkNode.receiverTypes) OR
  ('get' IN sinkNode.selectors AND   'RequestBuilder' IN  sinkNode.receiverTypes) OR
  ('post' IN sinkNode.selectors AND   'RequestBuilder' IN  sinkNode.receiverTypes) OR
  ('newHttpRequest' IN sinkNode.selectors AND   'HttpRequestFactory' IN  sinkNode.receiverTypes) OR
  ('newRequest' IN sinkNode.selectors AND   'HttpClient' IN  sinkNode.receiverTypes) OR
  ('open' IN sinkNode.selectors AND   'Jdbi' IN  sinkNode.receiverTypes) OR
  ('doExecute' IN sinkNode.selectors AND   'RestTemplate' IN  sinkNode.receiverTypes) OR
  ('exchange' IN sinkNode.selectors AND   'RestTemplate' IN  sinkNode.receiverTypes) OR
  ('getForEntity' IN sinkNode.selectors AND   'RestTemplate' IN  sinkNode.receiverTypes) OR
  ('getForObject' IN sinkNode.selectors AND   'RestTemplate' IN  sinkNode.receiverTypes) OR
  ('postForEntity' IN sinkNode.selectors AND   'RestTemplate' IN  sinkNode.receiverTypes) OR
  ('postForLocation' IN sinkNode.selectors AND   'RestTemplate' IN  sinkNode.receiverTypes) OR
  ('postForObject' IN sinkNode.selectors AND   'RestTemplate' IN  sinkNode.receiverTypes) OR
  ('create' IN sinkNode.selectors AND   'WebClient' IN  sinkNode.receiverTypes) OR
  ('url' IN sinkNode.selectors AND   'WSClient' IN  sinkNode.receiverTypes) OR
  ('url' IN sinkNode.selectors AND   'StandaloneWSClient' IN  sinkNode.receiverTypes) OR
  ('getConnection' IN sinkNode.selectors AND   'DriverManager' IN  sinkNode.receiverTypes) OR
  (sinkNode.selector = 'getContent' AND sinkNode.type='URL') OR
// 这里数据流流到receiver,而不是方法调用入参,所以不太一样,sink点的类型URL
  (sinkNode.selector = 'openConnection' AND sinkNode.type='URL') OR
  (sinkNode.selector = 'openStream' AND sinkNode.type='URL') OR
  (sinkNode.selector = 'create' AND sinkNode.type='Retrofit')
MATCH
  p = shortestPath((sourceNode)-[*..30]->(sinkNode))

RETURN
  p AS path

XXE

MATCH
  (sourceNode:DubboServiceArg|ThriftHandlerArg|NettyHandlerArg|JfinalControllerArg|SpringControllerArg|JspServiceArg|WebServletArg|WebXmlServletArg|WebXmlFilterArg|JaxrsArg|HttpHandlerArg)

MATCH
  (sinkNode)
  WHERE
  sinkNode.AllocationClassName = 'XSSFWorkbook' OR
  'setByteStream' IN sinkNode.selectors OR
  'createXMLStreamReader' IN sinkNode.selectors OR
  ( 'StreamingReader.builder()' IN sinkNode.receivers AND  'open' IN sinkNode.selectors) OR
  ( 'read' IN sinkNode.selectors AND  'SAXReader' IN sinkNode.receiverTypes) OR
  ( 'parse' IN sinkNode.selectors AND  'XMLReader' IN sinkNode.receiverTypes) OR
  ( 'build' IN sinkNode.selectors AND  'SAXBuilder' IN sinkNode.receiverTypes) OR
  ( 'parse' IN sinkNode.selectors AND  'SAXParser' IN sinkNode.receiverTypes) OR
  ( 'parse' IN sinkNode.selectors AND  'DocumentBuilder' IN sinkNode.receiverTypes) OR
  ( 'parse' IN sinkNode.selectors AND  'Digester' IN sinkNode.receiverTypes) OR
  ( 'parseText' IN sinkNode.selectors AND  'DocumentHelper' IN sinkNode.receiverTypes) OR
  ( 'transform' IN sinkNode.selectors AND  'Transformer' IN sinkNode.receiverTypes) OR
  ( 'read' IN sinkNode.selectors AND  'NodeBuilder' IN sinkNode.receiverTypes) OR
  ( 'format' IN sinkNode.selectors AND  'Formatter' IN sinkNode.receiverTypes) OR
  ( 'newSchema' IN sinkNode.selectors AND  'SchemaFactory' IN sinkNode.receiverTypes) OR
  ( 'evaluate' IN sinkNode.selectors AND  'XPathExpression' IN sinkNode.receiverTypes) OR
  ( 'validate' IN sinkNode.selectors AND  'Persister' IN sinkNode.receiverTypes) OR
  ( 'read' IN sinkNode.selectors AND  'Persister' IN sinkNode.receiverTypes) OR
  ( 'provide' IN sinkNode.selectors AND  'DocumentProvider' IN sinkNode.receiverTypes) OR
  ( 'provide' IN sinkNode.selectors AND  'StreamProvider' IN sinkNode.receiverTypes) OR
  ( 'newTransformer' IN sinkNode.selectors AND  'TransformerFactory' IN sinkNode.receiverTypes) OR
  ( 'newTransformer' IN sinkNode.selectors AND  'SAXTransformerFactory' IN sinkNode.receiverTypes) OR
  ( 'newXMLFilter' IN sinkNode.selectors AND  'SAXTransformerFactory' IN sinkNode.receiverTypes) OR
  ( 'unmarshal' IN sinkNode.selectors AND  'Unmarshaller' IN sinkNode.receiverTypes)
MATCH
  p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN
  p AS path

fastjson反序列化

MATCH
  (sourceNode:DubboServiceArg|ThriftHandlerArg|NettyHandlerArg|JfinalControllerArg|SpringControllerArg|JspServiceArg|WebServletArg|WebXmlServletArg|WebXmlFilterArg|JaxrsArg|HttpHandlerArg)

MATCH
  (sinkNode)
  WHERE
// 找sink点,parseObject的入参,JSON作为receiver,因为是静态方法调用,所以receiver也就是类型,直接用receiver查询也可以
  ('parseObject' IN sinkNode.selectors AND  'JSON' IN sinkNode.receivers)
MATCH
  p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN
  p AS path

弱hash算法

// 这条规则是分两阶段查询数据流的,第一阶段先找到设置了 md5 的 MessageDigest, 作为 mds 变量传给下一个查询
// MessageDigest md = MessageDigest.getInstance("MD5");
MATCH
// 字符串常量类型
  (md5Node:StringLiteral)
  WHERE
//常量值
  (md5Node.name = 'MD5') OR  (md5Node.name = 'SHA-1')
// 常量流到MessageDigest类的对象
MATCH
  (md)
  WHERE
  (md.type = 'MessageDigest')
MATCH
  p = (md5Node)-[*..30]->(md)
WITH collect(md) AS mds

// 请求数据 流向 md5 的 md, 所以sink点是 md, 并且在 mds里
// md.update(msg.getBytes());
MATCH
// source,同上  (sourceNode:DubboServiceArg|ThriftHandlerArg|NettyHandlerArg|JfinalControllerArg|SpringControllerArg|JspServiceArg|WebServletArg|WebXmlServletArg|WebXmlFilterArg|JaxrsArg|HttpHandlerArg)

// sink点,hash计算
MATCH
  (sinkNode)
  WHERE
  (
  (sinkNode.selector = 'update' OR  sinkNode.selector = 'digest') AND
  (sinkNode.type = 'MessageDigest')  AND
// sink点利用之前的结果过滤
  (sinkNode IN mds)
  )
MATCH
  p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN
  p AS path

Java反序列化

MATCH
  (sourceNode:DubboServiceArg|ThriftHandlerArg|NettyHandlerArg|JfinalControllerArg|SpringControllerArg|JspServiceArg|WebServletArg|WebXmlServletArg|WebXmlFilterArg|JaxrsArg|HttpHandlerArg)

MATCH
  (sinkNode)
  WHERE
  ( sinkNode.selector='readObject'  AND  sinkNode.type='ObjectInputStream')
MATCH
  p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN
  p AS path

jdbc sql注入

MATCH
  (sourceNode:DubboServiceArg|ThriftHandlerArg|NettyHandlerArg|JfinalControllerArg|SpringControllerArg|JspServiceArg|WebServletArg|WebXmlServletArg|WebXmlFilterArg|JaxrsArg|HttpHandlerArg)

MATCH
  (sinkNode)
  WHERE
  ('prepareCall' IN  sinkNode.selectors AND 'Connection' IN  sinkNode.receiverTypes) OR
  ('execute' IN  sinkNode.selectors AND 'Statement' IN  sinkNode.receiverTypes) OR
  ('executeUpdate' IN  sinkNode.selectors AND 'Statement' IN  sinkNode.receiverTypes) OR
  ('executeQuery' IN  sinkNode.selectors AND 'Statement' IN  sinkNode.receiverTypes) OR
  ('prepareStatement' IN  sinkNode.selectors AND 'Connection' IN  sinkNode.receiverTypes)
MATCH
  p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN
  p AS path

spel表达式注入

MATCH
  (sourceNode:DubboServiceArg|ThriftHandlerArg|NettyHandlerArg|JfinalControllerArg|SpringControllerArg|JspServiceArg|WebServletArg|WebXmlServletArg|WebXmlFilterArg|JaxrsArg|HttpHandlerArg)

MATCH
  (sinkNode)
  WHERE
  ('parseExpression' IN sinkNode.selectors AND 'SpelExpressionParser' IN sinkNode.receiverTypes) OR
  ('parseExpression' IN sinkNode.selectors AND 'ExpressionParser' IN sinkNode.receiverTypes) OR
  ('parseExpression' IN sinkNode.selectors AND 'TemplateAwareExpressionParser' IN sinkNode.receiverTypes)
MATCH
  p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN
  p AS path

actuator配置不当

MATCH
// 单点规则,不需要查找数据流,查找节点即可,使用yaml prop文件的节点标签过滤节点
  (sinkNode:YmlKeyValue|PropertiesKeyValue)
WHERE
// 采用节点的名称 ,值进行查询
sinkNode.name = 'management.endpoints.web.exposure.include' AND
// *表示开启所有端点
(sinkNode.value = '*' OR
// 开启某一个端点
sinkNode.value  CONTAINS 'heapdump' OR
sinkNode.value  CONTAINS 'beans' OR
sinkNode.value  CONTAINS 'caches' OR
sinkNode.value  CONTAINS 'configprops' OR
sinkNode.value  CONTAINS 'env' OR
sinkNode.value  CONTAINS 'loggers' OR
sinkNode.value  CONTAINS 'restart' OR
sinkNode.value  CONTAINS 'threaddump'  OR
sinkNode.value  CONTAINS 'metrics'  OR
sinkNode.value  CONTAINS 'scheduledtasks'  OR
sinkNode.value  CONTAINS 'mappings'  OR
sinkNode.value  CONTAINS 'prometheus'  OR
sinkNode.value  CONTAINS 'logfile'  OR
sinkNode.value  CONTAINS 'liquibase'  OR
sinkNode.value  CONTAINS 'flyway'  OR
sinkNode.value  CONTAINS 'sessions'  OR
sinkNode.value  CONTAINS 'shutdown'  OR
sinkNode.value  CONTAINS 'httptrace'  OR
sinkNode.value  CONTAINS 'integrationgraph'  OR
sinkNode.value  CONTAINS 'metrics'  OR
sinkNode.value  CONTAINS 'quartz'  OR
sinkNode.value  CONTAINS 'jolokia'  OR
sinkNode.value  CONTAINS 'auditevents')

RETURN
  sinkNode AS path

druid未授权

MATCH
  (sinkNode:YmlKeyValue|PropertiesKeyValue)
WHERE
sinkNode.name = 'spring.datasource.druid.stat-view-servlet.enabled' AND
sinkNode.value = 'true'

RETURN
  sinkNode AS path

硬编码

MATCH
// 通过yaml prop标签过滤,只查找配置文件中的硬编码,java代码中的硬编码是另外的规则
  (sinkNode:YmlKeyValue|PropertiesKeyValue)
WHERE
// 使用 节点 名称进行过滤,同时节点的值不是 ${xxx}
(LOWER(sinkNode.name) ENDS WITH 'password' AND NOT LOWER(sinkNode.value) STARTS WITH '${') OR
(LOWER(sinkNode.name) ENDS WITH 'pass' AND  NOT LOWER(sinkNode.value) STARTS WITH '${') OR
(LOWER(sinkNode.name) ENDS WITH 'passwd' AND  NOT LOWER(sinkNode.value) STARTS WITH '${') OR
(LOWER(sinkNode.name) ENDS WITH 'secretkey' AND  NOT LOWER(sinkNode.value) STARTS WITH '${') OR
(LOWER(sinkNode.name) ENDS WITH 'apikey' AND  NOT LOWER(sinkNode.value) STARTS WITH '${') OR
(LOWER(sinkNode.name) ENDS WITH 'apitoken' AND  NOT LOWER(sinkNode.value) STARTS WITH '${') OR
(LOWER(sinkNode.name) ENDS WITH 'accesstoken' AND  NOT LOWER(sinkNode.value) STARTS WITH '${') OR
(LOWER(sinkNode.name) ENDS WITH 'sessionKey' AND  NOT LOWER(sinkNode.value) STARTS WITH '${') OR
(LOWER(sinkNode.name) ENDS WITH 'encryptionkey' AND  NOT LOWER(sinkNode.value) STARTS WITH '${') OR
(LOWER(sinkNode.name) ENDS WITH 'decryptionkey' AND  NOT LOWER(sinkNode.value) STARTS WITH '${') OR
(LOWER(sinkNode.name) ENDS WITH 'bearertoken' AND  NOT LOWER(sinkNode.value) STARTS WITH '${') OR
(LOWER(sinkNode.name) ENDS WITH 'sshkey' AND  NOT LOWER(sinkNode.value) STARTS WITH '${') OR
(LOWER(sinkNode.name) ENDS WITH 'jwtsecret' AND  NOT LOWER(sinkNode.value) STARTS WITH '${') OR
(LOWER(sinkNode.name) ENDS WITH 'presharedkey' AND  NOT LOWER(sinkNode.value) STARTS WITH '${') OR
(LOWER(sinkNode.name) ENDS WITH 'privatekey' AND  NOT LOWER(sinkNode.value) STARTS WITH '${') OR
(LOWER(sinkNode.name) ENDS WITH 'secret' AND  NOT LOWER(sinkNode.value) STARTS WITH '${')

RETURN
  sinkNode AS path

Cookie 无httponly

// 两阶段查询,先找到设置了 httponly的cookie,后边过滤掉
MATCH
  (filterNode:StringLiteral)
MATCH
  (x)
  WHERE
  (x.selector = 'setHttpOnly')
MATCH
  (filterNode)-[*..30]->(x)
WITH collect(DISTINCT filterNode) AS filterNodes

// 查询设置的敏感cookie,过滤掉设置了 httponly的, 查询语句中强烈不建议用 CONTAINS ,节点多时性能会很差
MATCH
  (sourceNode:StringLiteral)
  WHERE
  (
  (lower(sourceNode.name) ENDS WITH '"ticket"') OR
  (lower(sourceNode.name)  ENDS WITH  'token') OR
  (lower(sourceNode.name)  ENDS WITH  'jwt') OR
  (lower(sourceNode.name)  ENDS WITH  'session') OR
  (lower(sourceNode.name)  ENDS WITH  'sessionid') OR
  (lower(sourceNode.name)  ENDS WITH  'password') OR
  (lower(sourceNode.name)  ENDS WITH  'passwd') OR
  (lower(sourceNode.name)  ENDS WITH  'pass')
  ) AND
  sourceNode.AllocationClassName = 'Cookie' AND (NOT sourceNode IN filterNodes)
MATCH
  (sinkNode)
  WHERE
  ('addCookie' IN sinkNode.selectors) OR
  ('setCookie' IN sinkNode.selectors)
MATCH
  p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN
  p AS path

Java密钥硬编码

// String password = "xxxxxx" ;
MATCH
// source 点,字符串常量
  (sourceNode:StringLiteral)
    WHERE NOT sourceNode:CallArg
MATCH
  (sinkNode)
// sink点,密码密钥相关的变量名
  WHERE
  (LOWER(sinkNode.name) ENDS WITH  'secretkey') OR
  (LOWER(sinkNode.name) ENDS WITH 'accesskey') OR
  (LOWER(sinkNode.name) ENDS WITH 'privatekey') OR
  (LOWER(sinkNode.name) ENDS WITH 'password') OR
  (LOWER(sinkNode.name) ENDS WITH 'pass') OR
  (LOWER(sinkNode.name) ENDS WITH 'passwd')
 MATCH
  p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN
 DISTINCT sourceNode AS path

swagger信息泄露

MATCH
  (sinkNode:Argument)
  WHERE
  ('EnableOpenApi' IN  sinkNode.classAnnotations AND 'Bean' IN sinkNode.methodAnnotations AND sinkNode.name='noArg') OR
  ('EnableSwagger2' IN  sinkNode.classAnnotations AND 'Bean' IN sinkNode.methodAnnotations AND sinkNode.name='noArg') OR
  ('EnableSwagger2' IN  sinkNode.classAnnotations) OR
  ('EnableDubboSwagger' IN  sinkNode.classAnnotations)
RETURN
  sinkNode AS path LIMIT 1

jsp xss

MATCH
// jsp请求入参标签匹配
  (sourceNode:JspServiceArg)

MATCH
  (sinkNode)
  WHERE
  ('format' IN  sinkNode.selectors AND 'PrintWriter' IN  sinkNode.receiverTypes) OR
  ('write' IN  sinkNode.selectors AND 'PrintWriter' IN  sinkNode.receiverTypes) OR
  ('append' IN  sinkNode.selectors AND 'PrintWriter' IN  sinkNode.receiverTypes) OR
  ('format' IN  sinkNode.selectors AND 'response.getWriter()' IN  sinkNode.receivers) OR
  ('printf' IN  sinkNode.selectors AND 'response.getWriter()' IN  sinkNode.receivers) OR
  ('println' IN  sinkNode.selectors AND 'PrintWriter' IN  sinkNode.receiverTypes) OR
  ('print' IN  sinkNode.selectors AND 'ServletOutputStream' IN  sinkNode.receiverTypes) OR
  ('println' IN  sinkNode.selectors AND 'ServletOutputStream' IN  sinkNode.receiverTypes) OR
  ('write' IN  sinkNode.selectors AND 'ServletOutputStream' IN  sinkNode.receiverTypes)

  MATCH
p = shortestPath((sourceNode)- [ * ..30] - >(sinkNode))

RETURN
  p AS path

log4j不安全的版本

// pom 的版本号可能是放在 properties标签里的, dependence标签里使用${xxx.version} 的方式引入
// 所以 sink点的version 是 ${xxx.version} ,而 realVersion才是真实的版本号
MATCH
  (sinkNode:PomDependency)
  WHERE
  sinkNode.groupId = 'org.apache.logging.log4j' AND   sinkNode.artifactId = 'log4j-core' AND   sinkNode.
    realVersion =~ '2\\.(1|2|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17).*'
RETURN
  sinkNode AS path

snakeyaml不安全的版本

// pom 的版本号可能是放在 properties标签里的, dependence标签里使用${xxx.version} 的方式引入
// 所以 sink点的version 是 ${xxx.version} ,而 realVersion才是真实的版本号
MATCH
  (sinkNode:PomDependency)
  WHERE
  sinkNode.groupId = 'org.yaml' AND   sinkNode.artifactId = 'snakeyaml' AND sinkNode.realVersion STARTS WITH '1.'
RETURN
  sinkNode AS path

socket服务命令注入

MATCH
  (sourceNode)
  WHERE
  (sourceNode.type='Socket' AND sourceNode.selector ='getInputStream')

MATCH
  (sinkNode)
  WHERE
  ('exec' IN  sinkNode.selectors AND 'Runtime' IN  sinkNode.receiverTypes) OR
  sinkNode.AllocationClassName = 'ProcessBuilder' OR
  ('command' IN sinkNode.selectors AND 'ProcessBuilder' IN sinkNode.receiverTypes)

MATCH
  p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN
  p AS path

websocket服务反序列化

MATCH
  (sourceNode:Argument)
  WHERE
  (sourceNode.method='onMessage') OR
  (sourceNode.method='handleTextMessage')

MATCH
  (sinkNode)
  WHERE
  ('exec' IN  sinkNode.selectors AND 'Runtime' IN  sinkNode.receiverTypes) OR
  sinkNode.AllocationClassName = 'ProcessBuilder' OR
  ('command' IN sinkNode.selectors AND 'ProcessBuilder' IN sinkNode.receiverTypes)

MATCH
  p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN
  p AS path

velocity模版注入

MATCH
  (sourceNode:DubboServiceArg|ThriftHandlerArg|NettyHandlerArg|JfinalControllerArg|SpringControllerArg|JspServiceArg|WebServletArg|WebXmlServletArg|WebXmlFilterArg|JaxrsArg|HttpHandlerArg)

MATCH
  (sinkNode)
  WHERE
  ('evaluate' IN sinkNode.selectors AND 'Velocity' IN sinkNode.receivers) OR
  ('mergeTemplate' IN sinkNode.selectors AND 'Velocity' IN sinkNode.receivers) OR
  ('evaluate' IN sinkNode.selectors AND 'VelocityEngine' IN sinkNode.receivers) OR
  ('mergeTemplate' IN sinkNode.selectors AND 'VelocityEngine' IN sinkNode.receivers) OR
  ('evaluate' IN sinkNode.selectors AND 'RuntimeServices' IN sinkNode.receivers) OR
  ('parse' IN sinkNode.selectors AND 'RuntimeServices' IN sinkNode.receivers) OR
  ('parse' IN sinkNode.selectors AND 'RuntimeSingleton' IN sinkNode.receivers)

MATCH
  p = shortestPath((sourceNode)-[*..30]->(sinkNode))
RETURN
  p AS path

其他规则参考铲子规则管理

铲子SAST,专注于发现Java代码安全漏洞

Clone this wiki locally