Merge pull request #107 from lostsnow/feature/crypto-bad-cipher

add crypto-bad-cipher detection

dongtai_agent_python/policy/tracking.py

@@ -90,8 +90,15 @@ def apply(self, args, kwargs, target):
         source_ids = recurse_tracking(source, self.node_type)
 
         if self.node_type != const.NODE_TYPE_SOURCE:
-            # if len([item for item in source_ids if item in self.context.taint_ids]) == 0:
-            if len(list(set(self.context.taint_ids) & set(source_ids))) == 0:
+            if self.signature in const.CRYPTO_BAD_CIPHER_NEW:
+                pass
+            elif (self.signature.startswith('Crypto.Cipher._mode_') or
+                  self.signature.startswith('Cryptodome.Cipher._mode_')) and \
+                    self.signature.endswith('Mode.encrypt'):
+                for sid in source_ids:
+                    if sid not in self.context.taint_ids:
+                        return
+            elif len(list(set(self.context.taint_ids) & set(source_ids))) == 0:
                 return
 
         self.get_caller(-4)
@@ -148,6 +155,20 @@ def processing_invoke_args(signature=None, come_args=None, come_kwargs=None):
         'pymongo.collection.Collection.find': {'args': [1], 'kwargs': ['filter']},
         'ldap3.core.connection.Connection.search': {'args': [2], 'kwargs': ['search_filter']},
         'ldap.ldapobject.SimpleLDAPObject.search_ext': {'args': [3], 'kwargs': ['filterstr']},
+        'Crypto.Cipher._mode_cbc.CbcMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+        'Crypto.Cipher._mode_cfb.CfbMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+        'Crypto.Cipher._mode_ctr.CtrMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+        'Crypto.Cipher._mode_eax.EaxMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+        'Crypto.Cipher._mode_ecb.EcbMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+        'Crypto.Cipher._mode_ofb.OfbMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+        'Crypto.Cipher._mode_openpgp.OpenPgpMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+        'Cryptodome.Cipher._mode_cbc.CbcMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+        'Cryptodome.Cipher._mode_cfb.CfbMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+        'Cryptodome.Cipher._mode_ctr.CtrMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+        'Cryptodome.Cipher._mode_eax.EaxMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+        'Cryptodome.Cipher._mode_ecb.EcbMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+        'Cryptodome.Cipher._mode_ofb.OfbMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+        'Cryptodome.Cipher._mode_openpgp.OpenPgpMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
     }
 
     context = CONTEXT_TRACKER.current()

dongtai_agent_python/policy_api.json

@@ -296,6 +296,111 @@
         }
       ]
     },
+    {
+      "type": 4,
+      "enable": 1,
+      "value": "crypto-bad-cipher",
+      "details": [
+        {
+          "source": "P1,2,plaintext",
+          "track": "true",
+          "target": "",
+          "value": "Crypto.Cipher._mode_cbc.CbcMode.encrypt",
+          "inherit": "false"
+        },
+        {
+          "source": "P1,2,plaintext",
+          "track": "true",
+          "target": "",
+          "value": "Crypto.Cipher._mode_cfb.CfbMode.encrypt",
+          "inherit": "false"
+        },
+        {
+          "source": "P1,2,plaintext",
+          "track": "true",
+          "target": "",
+          "value": "Crypto.Cipher._mode_ctr.CtrMode.encrypt",
+          "inherit": "false"
+        },
+        {
+          "source": "P1,2,plaintext",
+          "track": "true",
+          "target": "",
+          "value": "Crypto.Cipher._mode_eax.EaxMode.encrypt",
+          "inherit": "false"
+        },
+        {
+          "source": "P1,2,plaintext",
+          "track": "true",
+          "target": "",
+          "value": "Crypto.Cipher._mode_ecb.EcbMode.encrypt",
+          "inherit": "false"
+        },
+        {
+          "source": "P1,2,plaintext",
+          "track": "true",
+          "target": "",
+          "value": "Crypto.Cipher._mode_ofb.OfbMode.encrypt",
+          "inherit": "false"
+        },
+        {
+          "source": "P1,2,plaintext",
+          "track": "true",
+          "target": "",
+          "value": "Crypto.Cipher._mode_openpgp.OpenPgpMode.encrypt",
+          "inherit": "false"
+        },
+        {
+          "source": "P1,2,plaintext",
+          "track": "true",
+          "target": "",
+          "value": "Cryptodome.Cipher._mode_cbc.CbcMode.encrypt",
+          "inherit": "false"
+        },
+        {
+          "source": "P1,2,plaintext",
+          "track": "true",
+          "target": "",
+          "value": "Cryptodome.Cipher._mode_cfb.CfbMode.encrypt",
+          "inherit": "false"
+        },
+        {
+          "source": "P1,2,plaintext",
+          "track": "true",
+          "target": "",
+          "value": "Cryptodome.Cipher._mode_ctr.CtrMode.encrypt",
+          "inherit": "false"
+        },
+        {
+          "source": "P1,2,plaintext",
+          "track": "true",
+          "target": "",
+          "value": "Cryptodome.Cipher._mode_eax.EaxMode.encrypt",
+          "inherit": "false"
+        },
+        {
+          "source": "P1,2,plaintext",
+          "track": "true",
+          "target": "",
+          "value": "Cryptodome.Cipher._mode_ecb.EcbMode.encrypt",
+          "inherit": "false"
+        },
+        {
+          "source": "P1,2,plaintext",
+          "track": "true",
+          "target": "",
+          "value": "Cryptodome.Cipher._mode_ofb.OfbMode.encrypt",
+          "inherit": "false"
+        },
+        {
+          "source": "P1,2,plaintext",
+          "track": "true",
+          "target": "",
+          "value": "Cryptodome.Cipher._mode_openpgp.OpenPgpMode.encrypt",
+          "inherit": "false"
+        }
+      ]
+    },
     {
       "type": 2,
       "enable": 1,
@@ -713,6 +818,34 @@
           "target": "R",
           "value": "django.template.base.render_value_in_context",
           "inherit": "false"
+        },
+        {
+          "source": "P",
+          "track": "true",
+          "target": "R",
+          "value": "Crypto.Cipher.Blowfish.new",
+          "inherit": "false"
+        },
+        {
+          "source": "P",
+          "track": "true",
+          "target": "R",
+          "value": "Crypto.Cipher.DES.new",
+          "inherit": "false"
+        },
+        {
+          "source": "P",
+          "track": "true",
+          "target": "R",
+          "value": "Cryptodome.Cipher.Blowfish.new",
+          "inherit": "false"
+        },
+        {
+          "source": "P",
+          "track": "true",
+          "target": "R",
+          "value": "Cryptodome.Cipher.DES.new",
+          "inherit": "false"
         }
       ]
     },

dongtai_agent_python/setting/const.py

@@ -31,6 +31,13 @@
     'builtins.bytearray.__init__',
 ]
 
+CRYPTO_BAD_CIPHER_NEW = [
+    'Crypto.Cipher.Blowfish.new',
+    'Crypto.Cipher.DES.new',
+    'Cryptodome.Cipher.Blowfish.new',
+    'Cryptodome.Cipher.DES.new',
+]
+
 RESPONSE_SIGNATURES = [
     'django.http.response.HttpResponse.__init__',
 ]

dongtai_agent_python/tests/vul-test.sh

@@ -120,3 +120,12 @@ if [[ "x${FRAMEWORK}" == "xflask" ]]; then
   api_get "demo/ldap3_search" "username=*&password=*"
   api_get "demo/ldap3_safe_search" "username=*&password=*"
 fi
+
+headline "crypto-bad-cipher"
+if [[ "x${FRAMEWORK}" == "xflask" ]]; then
+  api_get "demo/crypto/aes" "text=content"
+  api_get "demo/crypto/blowfish" "text=content"
+  api_get "demo/crypto/des" "text=content"
+  api_get "demo/cryptox/blowfish" "text=content"
+  api_get "demo/cryptox/des" "text=content"
+fi