conikeec · October 10, 2019 23:01
diff --git a/gistfile1.scala b/gistfile1.scala
 // Clone and build the project 

 git clone [email protected]:conikeec/tarpit.git

 cd tarpit

 mvn clean compile 

 // Download trial distribution of Ocular. Install and thereafter fire up the prompt to commence investigation

 ./ocular.sh


 createCpgAndSp("/Users/chetanconikee/demoenv/tarpit/target/servlettarpit.war")
 res0: Option[Cpg] = Some(io.shiftleft.codepropertygraph.Cpg@3a183218)

 workspace
 res5: Workspace =
 __________________________________________________________________________________________
 | name                  | overlays                                                | loaded|
 |=========================================================================================|
 | servlettarpit.war     | semanticcpg(l),dataflow(l),tagging(l),securityprofile(l)| true  |
 
 // CPG is created and loaded to commence investigation

 case class Validation(method: String, params: String*)

 def flowsWithValidations(validations: Validation*) = {
  
  // Mark attacker controlled API endpoints as sources
  val source = cpg.method.fullName(".*doGet.*").parameter
  
  // Mark Document*parse method call as sink
  val sink = cpg.method.name("parse").parameter
  
  var trav = sink.reachableBy(source).flows
  
  validations.foreach { validation => 
    validation.params.toList match {
      case List(feature) => 
        trav = trav.passes(_.isCall.name(validation.method).argument.order(1).code(feature))
      case List(feature1, feature2) => 
        trav = trav.passes(_.isCall.name(validation.method).and(_.argument.order(1).code(feature1), _.argument.order(2).code(feature2)))
    }
  }
  trav.p
 }

 val reachibility = flowsWithValidations(
  Validation("setFeature", "\"http://xml.org/sax/features/external-parameter-entities\"","0"),
  Validation("setFeature","\"http://xml.org/sax/features/external-parameter-entities\"","0"),
  Validation("setFeature","\"http://xml.org/sax/features/external-general-entities\"","0"),
  Validation("setFeature","\"http://apache.org/xml/features/disallow-doctype-decl\"","1"),
  Validation("setFeature","\"http://apache.org/xml/features/nonvalidating/load-external-dtd\"","0"),
  Validation("setXIncludeAware","0"),
  Validation("setExpandEntityReferences","0"))
  
 2019-10-10 15:38:17.411 [main] INFO mainTasksSize: 5, reachedEndNode: 1,
 reachibility: List[String] = List(
  """ _______________________________________________________________________________________________________________________
 | tracked                               | lineNumber| method               | file                                      |
 |======================================================================================================================|
 | request                               | 39        | doGet                | io/shiftleft/tarpit/ServletTarPit.java    |
 | request                               | 49        | doGet                | io/shiftleft/tarpit/ServletTarPit.java    |
 | this                                  | N/A       | getParameter         | javax/servlet/http/HttpServletRequest.java|
 | ret                                   | N/A       | getParameter         | javax/servlet/http/HttpServletRequest.java|
 | request.getParameter("entityDocument")| 49        | doGet                | io/shiftleft/tarpit/ServletTarPit.java    |
 | param1                                | N/A       | <operator>.assignment| N/A                                       |
 | param0                                | N/A       | <operator>.assignment| N/A                                       |
 | xxeDocumentContent                    | 49        | doGet                | io/shiftleft/tarpit/ServletTarPit.java    |
 | xxeDocumentContent                    | 50        | doGet                | io/shiftleft/tarpit/ServletTarPit.java    |
 | content                               | 17        | getDocument          | io/shiftleft/tarpit/DocumentTarpit.java   |
 | content                               | 56        | getDocument          | io/shiftleft/tarpit/DocumentTarpit.java   |
 | this                                  | N/A       | getBytes             | java/lang/String.java                     |
 | ret                                   | N/A       | getBytes             | java/lang/String.java                     |
 | content.getBytes()                    | 56        | getDocument          | io/shiftleft/tarpit/DocumentTarpit.java   |
 | param1                                | N/A       | <operator>.assignment| N/A                                       |
 | param0                                | N/A       | <operator>.assignment| N/A                                       |
 | $r1                                   | 56        | getDocument          | io/shiftleft/tarpit/DocumentTarpit.java   |
 | $r1                                   | 56        | getDocument          | io/shiftleft/tarpit/DocumentTarpit.java   |
 | param0                                | N/A       | <init>               | java/io/ByteArrayInputStream.java         |
 | this                                  | N/A       | <init>               | java/io/ByteArrayInputStream.java         |
 | $r0                                   | 56        | getDocument          | io/shiftleft/tarpit/DocumentTarpit.java   |
 | $r0                                   | 56        | getDocument          | io/shiftleft/tarpit/DocumentTarpit.java   |
 | param0                                | N/A       | parse                | javax/xml/parsers/DocumentBuilder.java    |
 """
 )
	// Clone and build the project

	git clone [email protected]:conikeec/tarpit.git

	cd tarpit

	mvn clean compile

	// Download trial distribution of Ocular. Install and thereafter fire up the prompt to commence investigation

	./ocular.sh


	createCpgAndSp("/Users/chetanconikee/demoenv/tarpit/target/servlettarpit.war")
	res0: Option[Cpg] = Some(io.shiftleft.codepropertygraph.Cpg@3a183218)

	workspace
	res5: Workspace =
	__________________________________________________________________________________________
	\| name \| overlays \| loaded\|
	\|=========================================================================================\|
	\| servlettarpit.war \| semanticcpg(l),dataflow(l),tagging(l),securityprofile(l)\| true \|

	// CPG is created and loaded to commence investigation

	case class Validation(method: String, params: String*)

	def flowsWithValidations(validations: Validation*) = {

	// Mark attacker controlled API endpoints as sources
	val source = cpg.method.fullName(".doGet.").parameter

	// Mark Document*parse method call as sink
	val sink = cpg.method.name("parse").parameter

	var trav = sink.reachableBy(source).flows

	validations.foreach { validation =>
	validation.params.toList match {
	case List(feature) =>
	trav = trav.passes(_.isCall.name(validation.method).argument.order(1).code(feature))
	case List(feature1, feature2) =>
	trav = trav.passes(_.isCall.name(validation.method).and(_.argument.order(1).code(feature1), _.argument.order(2).code(feature2)))
	}
	}
	trav.p
	}

	val reachibility = flowsWithValidations(
	Validation("setFeature", "\"http://xml.org/sax/features/external-parameter-entities\"","0"),
	Validation("setFeature","\"http://xml.org/sax/features/external-parameter-entities\"","0"),
	Validation("setFeature","\"http://xml.org/sax/features/external-general-entities\"","0"),
	Validation("setFeature","\"http://apache.org/xml/features/disallow-doctype-decl\"","1"),
	Validation("setFeature","\"http://apache.org/xml/features/nonvalidating/load-external-dtd\"","0"),
	Validation("setXIncludeAware","0"),
	Validation("setExpandEntityReferences","0"))

	2019-10-10 15:38:17.411 [main] INFO mainTasksSize: 5, reachedEndNode: 1,
	reachibility: List[String] = List(
	""" _______________________________________________________________________________________________________________________
	\| tracked \| lineNumber\| method \| file \|
	\|======================================================================================================================\|
	\| request \| 39 \| doGet \| io/shiftleft/tarpit/ServletTarPit.java \|
	\| request \| 49 \| doGet \| io/shiftleft/tarpit/ServletTarPit.java \|
	\| this \| N/A \| getParameter \| javax/servlet/http/HttpServletRequest.java\|
	\| ret \| N/A \| getParameter \| javax/servlet/http/HttpServletRequest.java\|
	\| request.getParameter("entityDocument")\| 49 \| doGet \| io/shiftleft/tarpit/ServletTarPit.java \|
	\| param1 \| N/A \| <operator>.assignment\| N/A \|
	\| param0 \| N/A \| <operator>.assignment\| N/A \|
	\| xxeDocumentContent \| 49 \| doGet \| io/shiftleft/tarpit/ServletTarPit.java \|
	\| xxeDocumentContent \| 50 \| doGet \| io/shiftleft/tarpit/ServletTarPit.java \|
	\| content \| 17 \| getDocument \| io/shiftleft/tarpit/DocumentTarpit.java \|
	\| content \| 56 \| getDocument \| io/shiftleft/tarpit/DocumentTarpit.java \|
	\| this \| N/A \| getBytes \| java/lang/String.java \|
	\| ret \| N/A \| getBytes \| java/lang/String.java \|
	\| content.getBytes() \| 56 \| getDocument \| io/shiftleft/tarpit/DocumentTarpit.java \|
	\| param1 \| N/A \| <operator>.assignment\| N/A \|
	\| param0 \| N/A \| <operator>.assignment\| N/A \|
	\| $r1 \| 56 \| getDocument \| io/shiftleft/tarpit/DocumentTarpit.java \|
	\| $r1 \| 56 \| getDocument \| io/shiftleft/tarpit/DocumentTarpit.java \|
	\| param0 \| N/A \| <init> \| java/io/ByteArrayInputStream.java \|
	\| this \| N/A \| <init> \| java/io/ByteArrayInputStream.java \|
	\| $r0 \| 56 \| getDocument \| io/shiftleft/tarpit/DocumentTarpit.java \|
	\| $r0 \| 56 \| getDocument \| io/shiftleft/tarpit/DocumentTarpit.java \|
	\| param0 \| N/A \| parse \| javax/xml/parsers/DocumentBuilder.java \|
	"""
	)