Added the Play 2.5.x SSRF detection - Fixed issue #307

find-sec-bugs · Jun 22, 2017 · ed90fa8 · ed90fa8
1 parent d98a984
commit ed90fa8
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 28 deletions.
diff --git a/plugin/src/main/resources/taint-config/scala.txt b/plugin/src/main/resources/taint-config/scala.txt
@@ -64,4 +64,5 @@ anorm/package$.SqlStringInterpolation(Lscala/StringContext;)Lscala/StringContext
 anorm/package$SqlStringInterpolation$.SQL$extension(Lscala/StringContext;Lscala/collection/Seq;)Lanorm/SimpleSql;:1
 
 - Scala WebService Library
+play/api/libs/ws/WSClient.url(Ljava/lang/String;)Lplay/api/libs/ws/WSRequest;:0
 play/api/libs/ws/WS$.url(Ljava/lang/String;Lplay/api/Application;)Lplay/api/libs/ws/WSRequest;:1
diff --git a/plugin/src/test/java/com/h3xstream/findsecbugs/scala/SSRFDetectorTest.java b/plugin/src/test/java/com/h3xstream/findsecbugs/scala/SSRFDetectorTest.java
@@ -21,14 +21,20 @@
 import com.h3xstream.findbugs.test.EasyBugReporter;
 import com.h3xstream.findsecbugs.FindSecBugsGlobalConfig;
 import org.testng.annotations.Test;
+
+import java.util.HashMap;
+import java.util.Map;
+
 import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.verify;
 
 public class SSRFDetectorTest extends BaseDetectorTest {
 
+    private static final String SCALA_PLAY_SSRF_TYPE = "SCALA_PLAY_SSRF";
+
     @Test
-    public void detectXssInController() throws Exception {
+    public void detectSSRFInController() throws Exception {
         //FindSecBugsGlobalConfig.getInstance().setDebugPrintInstructionVisited(true);
         //FindSecBugsGlobalConfig.getInstance().setDebugPrintInvocationVisited(false);
         //FindSecBugsGlobalConfig.getInstance().setDebugTaintState(true);
@@ -42,48 +48,47 @@ public void detectXssInController() throws Exception {
         EasyBugReporter reporter = spy(new BaseDetectorTest.SecurityReporter());
         analyze(files, reporter);
 
-        // Test the MVC API checks
-        verify(reporter).doReportBug(
-                bugDefinition()
-                        .bugType("SCALA_PLAY_SSRF")
-                        .inClass("SSRFController").inMethod("vulnerableGet").atLine(20)
-                        .build()
-        );
+        //Assertions for bugs
+        Map<String, int[]> methodBugLines = new HashMap<String, int[]>();
+        methodBugLines.put("vulnerableGet", new int[]{24, 33});
+        methodBugLines.put("vulnerablePost", new int[]{44, 48, 53, /**/ 61, 65, 70});
 
-        verify(reporter).doReportBug(
-                bugDefinition()
-                        .bugType("SCALA_PLAY_SSRF")
-                        .inClass("SSRFController").inMethod("vulnerablePost").atLine(28)
-                        .build()
-        );
+        for (Map.Entry<String, int[]> entry : methodBugLines.entrySet()) {
+            // Lets check every line specified above
+            for (int line : entry.getValue()) {
+                verify(reporter).doReportBug(
+                        bugDefinition()
+                                .bugType(SCALA_PLAY_SSRF_TYPE)
+                                .inClass("SSRFController").inMethod(entry.getKey()).atLine(line)
+                                .build()
+                );
+            }
+        }
 
-        verify(reporter).doReportBug(
+        //Assertions for safe calls and false positives
+        verify(reporter, never()).doReportBug(
                 bugDefinition()
-                        .bugType("SCALA_PLAY_SSRF")
-                        .inClass("SSRFController").inMethod("vulnerablePost").atLine(32)
+                        .bugType(SCALA_PLAY_SSRF_TYPE)
+                        .inClass("SSRFController").inMethod("safeGetNotTainted")
                         .build()
         );
-
-        // Test the Twirl template engine checks
-        verify(reporter).doReportBug(
+        verify(reporter, never()).doReportBug(
                 bugDefinition()
-                        .bugType("SCALA_PLAY_SSRF")
-                        .inClass("SSRFController").inMethod("vulnerablePost").atLine(37)
+                        .bugType(SCALA_PLAY_SSRF_TYPE)
+                        .inClass("SSRFController").inMethod("safePostNotTainted")
                         .build()
         );
 
-        //Assertions for safe calls and false positives
-
         verify(reporter, never()).doReportBug(
                 bugDefinition()
-                        .bugType("SCALA_PLAY_SSRF")
-                        .inClass("SSRFController").inMethod("safeGetNotTainted")
+                        .bugType(SCALA_PLAY_SSRF_TYPE)
+                        .inClass("SSRFController").inMethod("safeGetWithWhitelist")
                         .build()
         );
         verify(reporter, never()).doReportBug(
                 bugDefinition()
-                        .bugType("SCALA_PLAY_SSRF")
-                        .inClass("SSRFController").inMethod("safePostNotTainted")
+                        .bugType(SCALA_PLAY_SSRF_TYPE)
+                        .inClass("SSRFController").inMethod("safePostWithWhitelist")
                         .build()
         );
     }

diff --git a/plugin/src/test/resources/bytecode_samples/scala_play_ssrf.jar b/plugin/src/test/resources/bytecode_samples/scala_play_ssrf.jar