pascal-lab/Tai-e

How can I tell if an element in a Map is tainted?

Closed this issue · 7 comments

springkill commented

Description

When I am doing taint analysis, if I set Map.get() as the propagation point, this time what I want to determine is whether the element taken out by get() is tainted or not, but the way provided by Tai-e based on the parameter index or base/result can't achieve this, is there a solution for this please?

springkill commented

Another question, when I don't consider whether the specific object in the Map contains a taint or not, but only the Map object itself, after I put a parameter into the Map and then use get to retrieve it, the taint disappears as well, but when I try to go and add HashMap.put() with HashMap.get() to the propagation point, the put method can't be found, is it a problem with myHaving trouble using it?Is there a problem with the usage?

  ## HashMap.get()
  - { method: "<java.util.HashMap: java.lang.Object get(java.lang.Object)>",from: base, to: result }
  ## HashMap.put()
  - { method: "<java.util.HashMap: java.lang.Object put(java.lang.Object, java.lang.Object)>",from: 0, to: base }
  - { method: "<java.util.HashMap: java.lang.Object put(java.lang.Object, java.lang.Object)>",from: 1, to: base }

image

zhangt2333 commented

When I am doing taint analysis, if I set Map.get() as the propagation point, this time what I want to determine is whether the element taken out by get() is tainted or not, but the way provided by Tai-e based on the parameter index or base/result can't achieve this, is there a solution for this please?

I didn't understand your question clearly. Could you provide more information (Current Behavior/Expected Behavior/Reproducible Case/...)?

Is there a problem with the usage?

Redundant spaces between parameter types should be removed, such as:

-  - { method: "<java.util.HashMap: java.lang.Object put(java.lang.Object, java.lang.Object)>",from: 1, to: base }
+  - { method: "<java.util.HashMap: java.lang.Object put(java.lang.Object,java.lang.Object)>",from: 1, to: base }
springkill commented

Thank you very much, I solved my problem!
After removing the extra spaces my code worked, but my other query is that when I use the request.getParameterMap() method in tomcat, it doesn't seem to pass the taint correctly.
The actual map implementation class that request.getParameterMap() gets is org.apache.catalina.util.ParameterMap which extends HashMap, what should I do?

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(value="/cmdi-00/BenchmarkTest00016")
public class BenchmarkTest00016 extends HttpServlet {
	
	private static final long serialVersionUID = 1L;
	
	@Override
	public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
		doPost(request, response);
	}

	@Override
	public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
		response.setContentType("text/html;charset=UTF-8");

		java.util.Map<String,String[]> map = request.getParameterMap();
		String param = "";
		if (!map.isEmpty()) {
			String[] values = map.get("BenchmarkTest00016");
			if (values != null) param = values[0];
		}
		

		String bar = doSomething(request, param);
		
		String cmd = "";
        String osName = System.getProperty("os.name");
        if (osName.indexOf("Windows") != -1) {
        	cmd = org.owasp.benchmark.helpers.Utils.getOSCommandString("echo");
        }
        
		Runtime r = Runtime.getRuntime();

		try {
			Process p = r.exec(cmd + bar);
			org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response);
		} catch (IOException e) {
			System.out.println("Problem executing cmdi - TestCase");
			response.getWriter().println(
			  org.owasp.esapi.ESAPI.encoder().encodeForHTML(e.getMessage())
			);
			return;
		}
	}  // end doPost
	
		
	private static String doSomething(HttpServletRequest request, String param) throws ServletException, IOException {

		String bar = param;
	
		return bar;	
	}
}

Here's my code, I'm using some testcase to refine the taint propagation points .
And my taint-config is:

  - { method: "<javax.servlet.ServletRequestWrapper: java.util.Map getParameterMap()>", from: base, to: result }
  ## HashMap.get()
  - { method: "<java.util.HashMap: java.lang.Object get(java.lang.Object)>",from: base, to: result }
  ## HashMap.put()
  - { method: "<java.util.HashMap: java.lang.Object put(java.lang.Object,java.lang.Object)>",from: 0, to: base }
  - { method: "<java.util.HashMap: java.lang.Object put(java.lang.Object,java.lang.Object)>",from: 1, to: base }
zhangt2333 commented

Thank you for providing this example code; it's incredibly helpful.

I would suggest examining the Points-to Set of the return value of request.getParameterMap() in the Points-to Result to determine its actual object (and class). Then, consider using its own method signature (if it overrides the method Map::put/Map::get) to write taint-config.yml, e.g.

  - { method: "<org.apache.catalina.util.ParameterMap: java.lang.Object get(java.lang.Object)>", from: base, to: result }
...
springkill commented

When I try to do this, the following problem arises:
image
Even though I have added the directory where the corresponding class is located.
image
image
As far as I can see, ParamaterMap does not override the get method.
image
I tried to add:

  - { method: "<java.util.LinkedHashMap: java.lang.Object get(java.lang.Object)>",from: base, to: result }

Although this get method was added successfully, it still fails to capture the taint.

zhangt2333 commented

Even though I have added the directory where the corresponding class is located.

If the class ParamaterMap is not found in reference analysis beinning from entrypoint (main method), you should use option --input-classes manually to add this class to the analyzed program P.

As far as I can see, ParamaterMap does not override the get method.

It doesn't seem like that: https://github.com/apache/tomcat/blob/510c71b009085f94122bc18501d1981322846540/java/org/apache/catalina/util/ParameterMap.java#L204-L207

springkill commented

尽管我已经添加了对应类所在的目录。

ParamaterMap如果在从入口点(主方法)开始的引用分析中没有找到该类,则应手动使用选项--input-classes将该类添加到分析的程序_P_中。

据我所知,ParamaterMap 不会重写 get 方法。

看起来并非如此:https://github.com/apache/tomcat/blob/510c71b009085f94122bc18501d1981322846540/java/org/apache/catalina/util/ParameterMap.java#L204-L207

Even though I have added the directory where the corresponding class is located.

If the class ParamaterMap is not found in reference analysis beinning from entrypoint (main method), you should use option --input-classes manually to add this class to the analyzed program P.

As far as I can see, ParamaterMap does not override the get method.

It doesn't seem like that: https://github.com/apache/tomcat/blob/510c71b009085f94122bc18501d1981322846540/java/org/apache/catalina/util/ParameterMap.java#L204-L207

Thank you very much, this was solved when I analysed the tomcat9 jar packages together!