UNPKG

@hclsoftware/secagent

Version:

IAST agent

328 lines (301 loc) 16.5 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
//IASTIGNORE /* * **************************************************** * Licensed Materials - Property of HCL. * (c) Copyright HCL Technologies Ltd. 2017, 2025. * Note to U.S. Government Users *Restricted Rights. * **************************************************** */ 'use strict' /* * **************************************************** * Licensed Materials - Property of HCL. * (c) Copyright HCL Technologies Ltd. 2017, 2025. * Note to U.S. Government Users *Restricted Rights. * **************************************************** */ const {SinkTask} = require("./SinkTask") const TaskType = require("./TaskType") const {VulnerabilityContext} = require("./VulnerabilityContext") const ContextType = require("./ContextType") const ContextInfo = require("./ContextInfo") const {ParameterUnderTest} = require("./ParameterUnderTest") const SinkTaskInfo = require("./SinkInfo/SinkTaskInfo") const BASH_OS_COMMANDING_COMMENTS = { "\\" : "\\\\", "`" : "`", "$" : "\\$", "(" : "\\(", ")" : "\\)", "|" : "\\|", "&" : "&", ";" : ";", "#" : "#", "!" : "!", "<" : "<", ">" : ">", "\n" : "\\n" } const SHELL_COMMAND_CHARS = { "`" : "`", "$(" : "\\$\\(", "\\" : "\\\\", } const SHELL_COMMAND_BLACKLIST = { "`" : "`", "$" : "\\$", "(" : "\\(", "\\" : "\\\\", } const DOUBLE_QUOTE_ESCAPE_AS_LIST = { "\"" : "\"", "\\" : "\\\\" } const BRACKETS_ESCAPE_AS_LIST = { "]" : "]", "\\" : "\\\\" } const BRACES_ESCAPE_AS_LIST = { "}" : "}", "\\" : "\\\\" } const WHITESPACE_CHARS_AS_LIST = { " " : " ", "\t": "\\t", "\r": "\\r" } const ctxOpeners = { "'" : ContextType.SINGLE_QUOTE, "\"": ContextType.DOUBLE_QUOTE, "(": ContextType.PARENTHESES, "[": ContextType.BRACKETS, "{": ContextType.BRACES, "`": ContextType.BACK_TICK, "$(": ContextType.DOLLAR_SINGLE_PARENTHESES } // THE BASH OS COMMANDING ALGORITHM : // // 1.single-Quote-other within context does not count // a.if['] must be replaced and ["\\", "`", "$", "(", ")", "|", "&", ";", "#", "!", "<", ">", "\n"] then vuln // // 2. double-Quote-other within context does not count excluding[``,$()]**** // a.if[ `` or $() \]then vuln // b.if[" OR \] and ["\\", "`", "$", "(", ")", "|", "&", ";", "#", "!", "<", ">", "\n"] then vuln // // 3.if["["]-> // a.if[ `` or $() \]then vuln // b.if[']'OR \] and ["\\", "`", "$", "(", ")", "|", "&", ";", "#", "!", "<", ">", "\n"] then vuln // // 4.if["{"]->[}OR \] and ["\\", "`", "$", "(", ")", "|", "&", ";", "#", "!", "<", ">", "\n"] then vuln // // 5.no-Context // ["\\", "`", "$", "(", ")", "|", "&", ";", "#", "!", "<", ">", "\n"] then vuln // // 6.if["("] -> Same as 5 // // 7.ctx-> `Jakrata` then // Same as 5 // // 8.ctx->$(Jakrata)then // Same as 5 // // 9. if [${] - no currently support // 10. if [$'] - no currently support // // // ****in case we are in double context we do not count parenthesis UNLESS we are in nested Backtick context // within doubleQuote context(ex: \"`(INPUT)`\") - then we DO have to follow the parenthesis. // "backTicInDoubleQuoteCtx"is the flag for this case and if we close Backtick context // in case of nested backTick context within doubleQuote(ex: \"`$((INPUT))`\") "backTicInDoubleQuoteCtx" // would be true only when we close the most external backtick(`` in the ex) class BashOsCommandingSinkTask extends SinkTask{ constructor(source, v, stack, parameters, obj) { super(source, v, stack, parameters); this.taskType = TaskType.OS_COMMANDING_SINK this.command = obj == null ? null : obj.toString() } performAction() { // We have a list of verifications and sanitizers that have been run on a string. In order to validate that they actually work, we need // to send through multiple tainted strings and see whether they were validated or not. // return value of source - original param let parameterUnderTest = new ParameterUnderTest(this.taintedObjectFlow.entity.value, this.taintedObjectFlow.taskList) let bashOsCommandingContext = new BashOsCommandingContext(parameterUnderTest, this.command) this.performContextsAnalysis(bashOsCommandingContext, parameterUnderTest) return "" } runContextAwareAnalysis(contextType, parameterUnderTest) { let exploitList let containUnescapeContext = false for (let currentContext of contextType.getContextTypesStackBased()){ if(currentContext === ContextType.SINGLE_QUOTE.contextTypeName){ let processingResult = parameterUnderTest.getMutatedProcessedParam("'") let processedLegitimateExploitForCodePath = processingResult.afterProcessing if(processedLegitimateExploitForCodePath != null){ if(processedLegitimateExploitForCodePath.origStringIncludes("'")) containUnescapeContext = true } } else if(currentContext === ContextType.DOUBLE_QUOTE.contextTypeName || currentContext === ContextType.BRACKETS.contextTypeName){ // in case of ["\"", "[]"] context - first test if ["`", "$(", "\"] are replaced - context does not matter // otherwise continue testing with all other characters AND their context exploitList = Object.keys(SHELL_COMMAND_CHARS) for (let exploit of exploitList){ let processingResult = parameterUnderTest.getMutatedProcessedParam(exploit) let processedLegitimateExploitForCodePath = processingResult.afterProcessing if (processedLegitimateExploitForCodePath != null){ if(SinkTask.containsUnescapedChars(processedLegitimateExploitForCodePath, SHELL_COMMAND_BLACKLIST, false, '\\' )) return new SinkTaskInfo(exploit, [currentContext], exploitList, this.vulnerability) } } if(currentContext === ContextType.DOUBLE_QUOTE.contextTypeName){ //test if double quote is replaced let processingResult = parameterUnderTest.getMutatedProcessedParam("\"") let processedLegitimateExploitForCodePath = processingResult.afterProcessing if(processedLegitimateExploitForCodePath != null){ if(SinkTask.containsUnescapedChars(processedLegitimateExploitForCodePath, DOUBLE_QUOTE_ESCAPE_AS_LIST, false, '\\')) containUnescapeContext = true } } else { // test if bracket ([) is replaced let processingResult = parameterUnderTest.getMutatedProcessedParam("]") let processedLegitimateExploitForCodePath = processingResult.afterProcessing if(processedLegitimateExploitForCodePath != null){ if(SinkTask.containsUnescapedChars(processedLegitimateExploitForCodePath, BRACKETS_ESCAPE_AS_LIST, false, '\\')) containUnescapeContext = true } } } else if (currentContext === ContextType.BRACES.contextTypeName) { // if context is {} //test if braces are replaced {} let processingResult = parameterUnderTest.getMutatedProcessedParam("}") let processedLegitimateExploitForCodePath = processingResult.afterProcessing if(processedLegitimateExploitForCodePath != null){ if(SinkTask.containsUnescapedChars(processedLegitimateExploitForCodePath, BRACES_ESCAPE_AS_LIST, false, '\\')) containUnescapeContext = true } } // TODO add $'___' context support ($' allows singleQuote escaping) AND ${___} context if(currentContext === ContextType.UNQUOTED.contextTypeName || currentContext === ContextType.PARENTHESES.contextTypeName || containUnescapeContext){ exploitList = this.getPayloadsForContextStack(new ContextInfo([currentContext])) for(const exploit of exploitList){ let processingResult = parameterUnderTest.getMutatedProcessedParam(exploit) let processedLegitimateExploitForCodePath = processingResult.afterProcessing if(processedLegitimateExploitForCodePath != null){ if(this.containsBlacklistedChars(processedLegitimateExploitForCodePath,false)){ return new SinkTaskInfo(exploit, [currentContext], exploitList, this.vulnerability) } } } } } } containsBlacklistedChars(possiblySanitizedPayload, checkWhitespaceChars){ return BashOsCommandingSinkTask.containsBlacklistedChars(possiblySanitizedPayload, checkWhitespaceChars) } static containsBlacklistedChars(possiblySanitizaedPayload, checkWhitespaceChars){ // List of escapable chars was modified from: https://stackoverflow.com/questions/15783701/which-characters-need-to-be-escaped-when-using-bash // Further info regarding context sensitive escapable chars can be found here: https://stackoverflow.com/questions/6697753/difference-between-single-and-double-quotes-in-bash let blackListedChars = BASH_OS_COMMANDING_COMMENTS; // Check whitespace chars if (checkWhitespaceChars) { blackListedChars.concat(WHITESPACE_CHARS_AS_LIST); } return SinkTask.containsUnescapedChars(possiblySanitizaedPayload, blackListedChars, false, '\\'); } getCommentChars() { return Object.keys(BASH_OS_COMMANDING_COMMENTS) } } class BashOsCommandingContext extends VulnerabilityContext { constructor(parameter, osCommandingQuery) { super(osCommandingQuery, parameter); } estimateContextStackBased(leftEdge, rightEdge) { let leftCtxStack =[] let rightCtxStack =[] var currentCtx = null let inSingleQuoteCtx = false; let inDoubleQuoteCtx = false; let backTicInDoubleQuoteCtxCounter = 0 ; let dollarParenthesisInDoubleQuoteCtxCounter = 0 for(let i = 0; i < leftEdge.length; i++) { let c if(i > 0) { if(leftEdge.charAt(i-1) === '\\') continue; } c = leftEdge.charAt(i) // check if we are in $() context if(i + 1 < leftEdge.length && leftEdge.charAt(i) === '$' && leftEdge.charAt(i + 1) === '(') { i++ c = "$(" } //Check if we can close the current context if(currentCtx != null && currentCtx.getCtxCloser != null && currentCtx.getCtxCloser === c) { leftCtxStack.pop() // in case we are in double context we do not count parenthesis UNLESS we are in nested Backtick context // within doubleQuote context (ex: \"`(INPUT)`\") - then we DO have to follow the parenthesis. // "backTicInDoubleQuoteCtx" is the flag for this case and if we close Backtick context // we need to set the boolean flag to its actual value // in case of nested backTick context within doubleQuote (ex: \"`$((INPUT))`\") "backTicInDoubleQuoteCtx" // would be true only when we close the most external backtick(`` in the ex) if(inDoubleQuoteCtx){ if(currentCtx === ContextType["BACK_TICK"]) backTicInDoubleQuoteCtxCounter-- else if(currentCtx === ContextType["DOLLAR_SINGLE_PARENTHESES"]) dollarParenthesisInDoubleQuoteCtxCounter-- } currentCtx = !leftCtxStack.length ? null : ContextType[leftCtxStack[leftCtxStack.length -1 ]] } // Check if we are opening a new context // Can only open a new context if we're not in a single quoted context else if (!inSingleQuoteCtx && !inDoubleQuoteCtx && Object.keys(ctxOpeners).origArrayIncludes(c)){ currentCtx = ctxOpeners[c] leftCtxStack.push(currentCtx.contextTypeName) } // can open only backTic context UNLESS backTicInDoubleQuoteCtx is TRUE // in case we are in double context we do not count parenthesis UNLESS we are in nested Backtick context // within doubleQuote context (ex: \"`(INPUT)`\") - then we DO have to follow the parenthesis. // "backTicInDoubleQuoteCtx" is the flag for this case and if we close Backtick context // we need to set the boolean flag to its actual value // in case of nested backTick context within doubleQuote (ex: \"`$((INPUT))`\") "backTicInDoubleQuoteCtx" // would be true only when we close the most external backtick(`` in the ex) else if(inDoubleQuoteCtx){ if((backTicInDoubleQuoteCtxCounter || dollarParenthesisInDoubleQuoteCtxCounter) && Object.keys(ctxOpeners).origArrayIncludes(c) || c === "`" || c === "$("){ currentCtx = ctxOpeners[c] leftCtxStack.push(currentCtx.contextTypeName) } if(c === "$(") dollarParenthesisInDoubleQuoteCtxCounter++ else if(c === "`") backTicInDoubleQuoteCtxCounter++ } inSingleQuoteCtx = currentCtx === ContextType["SINGLE_QUOTE"] inDoubleQuoteCtx = leftCtxStack.origArrayIncludes(ContextType["DOUBLE_QUOTE"].contextTypeName) } // currentCtx is null IFF all the contexts before the user parameter have been closed // This indicates we're in an UNQUOTED context // Furthermore, in most cases (except when in a SINGLE_QUOTE context) , if currentCtx is BACK_TICK we can run commands directly // We can definitively say a BACK_TICK context is unquoted IFF it's not within a SINGLE_QUOTE context if(currentCtx == null || currentCtx === ContextType["BACK_TICK"] || currentCtx === ContextType["DOLLAR_SINGLE_PARENTHESES"]){ return new ContextInfo([ContextType["UNQUOTED"].contextTypeName]) } // At this point, leftCtxStack holds all the unterminated contexts from the left of the user parameter // Scanning the rightEdge we're trying to match each open context with a terminator // Each terminator we find is added to the rightCtxStack for(const c of rightEdge){ if(currentCtx == null || currentCtx.getCtxCloser === c){ rightCtxStack.push(currentCtx.contextTypeName) leftCtxStack.pop() currentCtx = !leftCtxStack.length ? null : ContextType[leftCtxStack[leftCtxStack.length-1]] } if(currentCtx == null || currentCtx === ContextType["BACK_TICK"] || currentCtx === ContextType["DOLLAR_SINGLE_PARENTHESES"]) break; } // When we get to this point, we should have depleted all the unterminated contexts in leftCtxStack // If we did, rightCtxStack holds all the contexts we need to break/escape (in order) // One sub-case relevant specifically to shell style injections is the use of a BACK_TICK context // Simply put, if a context stack contains a BACK_TICK context we have to escape contexts only until we reach the BACK_TICK context // For example: // ls ['(TAINTED_PARAM)'] -> in this case, it's enough to break out of the innermost parentheses to have arbitrary code execution //TODO: is the last line of the comment true for subshells to? Maybe it's enough to break into () or {} contexts if(currentCtx === ContextType["BACK_TICK"] || currentCtx === ContextType["DOLLAR_SINGLE_PARENTHESES"]) return rightCtxStack.length !== 0 ? new ContextInfo(rightCtxStack) : new ContextInfo([ContextType["UNQUOTED"].contextTypeName]) else return leftCtxStack.length === 0 ? new ContextInfo(rightCtxStack) : new ContextInfo([ContextType["UNKNOWN"].contextTypeName]) } } module.exports = BashOsCommandingSinkTask module.exports.BashOsCommandingContext = BashOsCommandingContext