
SSRF sink point missing #525

Open
3 tasks done
mdkk opened this issue May 11, 2023 · 1 comment
Labels
bug Something isn't working

Comments

@mdkk

mdkk commented May 11, 2023

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.

Version

1.9.1

Installation Type

Official SaaS Service

Service Name

DongTai-agent-java

Describe the details of the bug and the steps to reproduce it

Yesterday I filed the issue that SSRFSourceCheck's addSourceType method only ever returns false.

Looking at the code today I have a new question.
In the scan function of DynamicPropagatorScanner:
```java
boolean serviceCall = false;
for (ServiceTrace serviceTrace : SERVICE_TRACES) { // HttpService()
    if (serviceTrace.match(event, sinkNode)) {
        serviceCall = true;
        serviceTrace.addTrace(event, sinkNode);
    }
}
boolean hit = sinkSourceHitTaintPool(event, sinkNode);
if (serviceCall || hit) {
    // ...
    EngineManager.TRACK_MAP.addTrackMethod(invokeId, event);
}
```

Because SSRFSourceCheck.addSourceType only ever returns false, and the only entry in SERVICE_TRACES that matches is httpService, if the SSRF is issued as something other than an HTTP request (ftp or another protocol), TRACK_MAP never records the methodEvent, and the server side never receives the methodEvent for the sink point.

So I tested it, and found that when location is an ftp:// URL the sink point is not matched:

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;
import java.util.stream.Collectors;

protected String ssrf(String location) {
    try {
        URL url = new URL(location);
        URLConnection connection = url.openConnection();
        BufferedReader reader = new BufferedReader(new InputStreamReader(connection.getInputStream()));
        System.out.println("ssrf " + location);
        String body = reader.lines().collect(Collectors.joining());
        return location;
    } catch (Exception e) {
        // errors are ignored; the test only checks whether the sink is hooked
    }
    return location;
}
```

When location is an HTTP link, sinkPolicy matches sun.net.www.protocol.http.HttpURLConnection.getInputStream.
When an FTP link is passed in, sinkPolicy cannot match sun.net.www.protocol.ftp.FtpURLConnection.getInputStream.


Additional Information

No response

Logs

No response

@mdkk mdkk added the bug Something isn't working label May 11, 2023
@Bidaya0 Bidaya0 transferred this issue from HXSecurity/DongTai May 16, 2023
@lostsnow
Member

This case requires adding relevant methods like connect or getInputStream in the class sun.net.www.protocol.ftp.FtpURLConnection to the constant io.dongtai.iast.core.handler.hookpoint.service.HttpClient.JAVA_NET_URL_SIGNATURE, and also adding corresponding methods to the custom hook rules on the server side.

We need to perform the fix after completing comprehensive testing. If possible, you can try to modify and validate it yourself first.
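Added illustration of the gap the report describes and of the fix the maintainer outlines (this is example code, not DongTai's own code): `URL.openConnection()` hands back a different concrete `URLConnection` class per scheme, so a sink rule keyed only on the HTTP implementation's `getInputStream` never fires for an ftp:// location. The `HOOKED_SINKS` set is a constructed stand-in for the agent's hook-point signatures, and the URLs are constructed and never contacted.

```java
import java.net.URL;
import java.net.URLConnection;
import java.util.LinkedHashSet;
import java.util.Set;

public class SinkCoverageCheck {

    // Constructed stand-in for the hook-point list: only the signature the
    // report says currently matches is present.
    static final Set<String> HOOKED_SINKS = new LinkedHashSet<>();
    static {
        HOOKED_SINKS.add("sun.net.www.protocol.http.HttpURLConnection.getInputStream");
    }

    // Builds the "class.method" signature a sink hook would have to match for
    // this location. openConnection() performs no network I/O, so this is offline.
    static String sinkSignatureFor(String location) throws Exception {
        URLConnection conn = new URL(location).openConnection();
        return conn.getClass().getName() + ".getInputStream";
    }

    static boolean isCovered(String location) throws Exception {
        return HOOKED_SINKS.contains(sinkSignatureFor(location));
    }

    public static void main(String[] args) throws Exception {
        String[] locations = {
            "http://example.invalid/",  // constructed test URLs, never contacted
            "ftp://example.invalid/x",
        };
        for (String loc : locations) {
            System.out.printf("%-26s -> %s (hooked: %b)%n",
                    loc, sinkSignatureFor(loc), isCovered(loc));
        }

        // The maintainer's proposed fix: also hook the FTP implementation's
        // method so an ftp:// sink is recorded as well.
        HOOKED_SINKS.add("sun.net.www.protocol.ftp.FtpURLConnection.getInputStream");
        System.out.println("after adding FtpURLConnection.getInputStream, ftp hooked: "
                + isCovered("ftp://example.invalid/x"));
    }
}
```

The https:// scheme resolves to yet another implementation class, so the same check is worth repeating for every scheme the sink policy is expected to cover.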
