
Analyzing a Spring vulnerability scenario: no findings reported #93

@sf197

Description

When testing against the vulnerable target application https://github.com/tangxiaofeng7/SecExample, nothing was detected. According to the console output, the Source and Sink configuration rules were clearly loaded correctly. Looking at callgraph.json, I also found that a call edge to the corresponding sink exists.

Output

./yasa-engine-linux-x64 --sourcePath /opt/app/SecExample/ --checkerPackIds taint-flow-java-default --ruleConfigFile ./example-rule-config/rule_config_java.json --language java --report /tmp/xxx/ --dumpAllCG
main file:/snapshot/YASA-Engine/dist/main.js
Specific checkerPackIds: [ 'taint-flow-java-default' ]
Rule config file:  /root/flaaaaag/pyinstxtractor/semgrep-rules/java/example-rule-config/rule_config_java.json
source path: /opt/app/SecExample/
Report directory: /tmp/xxx/
Analyze Language: java
Analyze Analyer: SpringAnalyzer

=======================  Register rules  =======================
resolveCheckerPath projectRoot : /snapshot/YASA-Engine
Resolved checker path :/snapshot/YASA-Engine/dist/checker/callgraph/callgraph-checker.js
rules-basic-handler [CONFIG] Loaded from: /snapshot/YASA-Engine/dist/config.js
resolveCheckerPath projectRoot : /snapshot/YASA-Engine
Resolved checker path :/snapshot/YASA-Engine/dist/checker/taint/java/java-default-taint-checker.js
rules-basic-handler [CONFIG] Loaded from: /snapshot/YASA-Engine/dist/config.js
resolveCheckerPath projectRoot : /snapshot/YASA-Engine
Resolved checker path :/snapshot/YASA-Engine/dist/checker/sanitizer/sanitizer-checker.js
rules-basic-handler [CONFIG] Loaded from: /snapshot/YASA-Engine/dist/config.js
load checkers: [ 'callgraph', 'taint_flow_java_input', 'sanitizer' ]
================================================================

[YASA] Begin execution
[YASA] Executing preProcess
[YASA][preProcess] Executing parseCode
[YASA][preProcess] Executing preload
[YASA][preProcess] Completed preload, cost: 3ms
[YASA][preProcess] Completed parseCode, cost: 419ms
[YASA][preProcess] Executing processModule
[YASA][preProcess] Completed processModule, cost: 36ms
[YASA] Completed preProcess, cost: 483ms
[YASA] Executing startAnalyze
rules-basic-handler [CONFIG] Loaded from: /snapshot/YASA-Engine/dist/config.js
makeAllCG-start
        makeAllCG-10%
        makeAllCG-30%
        makeAllCG-70%
        makeAllCG-100%
YASA will collect Entrypoint and Source
rules-basic-handler [CONFIG] Loaded from: /snapshot/YASA-Engine/dist/config.js
makeAllCG-start
        makeAllCG-10%
        makeAllCG-30%
        makeAllCG-70%
        makeAllCG-100%
[YASA] Completed startAnalyze, cost: 95ms
[YASA] Executing symbolInterpret
EntryPoint [/src/main/java/com/suyu/secexample/SecexampleApplication.main] is executing
EntryPoint [/src/main/java/com/suyu/secexample/cors/controller/corscontroller.vuln1] is executing
EntryPoint [/src/main/java/com/suyu/secexample/cors/controller/corscontroller.vuln2] is executing
EntryPoint [/src/main/java/com/suyu/secexample/csrf/controller/csrfcontroller.input] is executing
EntryPoint [/src/main/java/com/suyu/secexample/csrf/controller/csrfcontroller.addUser] is executing
EntryPoint [/src/main/java/com/suyu/secexample/fastjson/controller/fastjsoncontroller.input] is executing
EntryPoint [/src/main/java/com/suyu/secexample/fastjson/controller/fastjsoncontroller.fastjson1] is executing
EntryPoint [/src/main/java/com/suyu/secexample/fastjson/controller/fastjsoncontroller.fastjson2] is executing
EntryPoint [/src/main/java/com/suyu/secexample/messageecho/controller/messagecontroller.index] is executing
EntryPoint [/src/main/java/com/suyu/secexample/messageecho/controller/messagecontroller.getcode] is executing
EntryPoint [/src/main/java/com/suyu/secexample/messageecho/controller/messagecontroller.testcode] is executing
EntryPoint [/src/main/java/com/suyu/secexample/rce/controller/rcecontroller.input] is executing
EntryPoint [/src/main/java/com/suyu/secexample/rce/controller/rcecontroller.index] is executing
EntryPoint [/src/main/java/com/suyu/secexample/sql/controller/sqlcontroller.index] is executing
EntryPoint [/src/main/java/com/suyu/secexample/sql/controller/sqlcontroller.listUserByName] is executing
EntryPoint [/src/main/java/com/suyu/secexample/ssrf/controller/ssrfcontroller.index] is executing
EntryPoint [/src/main/java/com/suyu/secexample/xss/controller/xsscontroller.index] is executing
EntryPoint [/src/main/java/com/suyu/secexample/xss/controller/xsscontroller.input] is executing
EntryPoint [/src/main/java/com/suyu/secexample/xss/controller/xsscontroller.outputmessage] is executing
EntryPoint [/src/main/java/com/suyu/secexample/xxe/controller/xxecontroller.input] is executing
EntryPoint [/src/main/java/com/suyu/secexample/SecexampleApplication.main] is executing
EntryPoint [/src/main/java/com/suyu/secexample/cors/controller/corscontroller.vuln1] is executing
EntryPoint [/src/main/java/com/suyu/secexample/cors/controller/corscontroller.vuln2] is executing
EntryPoint [/src/main/java/com/suyu/secexample/csrf/service/UsernameService.addUser] is executing
EntryPoint [/src/main/java/com/suyu/secexample/csrf/controller/csrfcontroller.input] is executing
EntryPoint [/src/main/java/com/suyu/secexample/csrf/controller/csrfcontroller.addUser] is executing
EntryPoint [/src/main/java/com/suyu/secexample/csrf/mapper/UsernameMapper.addUser] is executing
EntryPoint [/src/main/java/com/suyu/secexample/fastjson/controller/fastjsoncontroller.input] is executing
EntryPoint [/src/main/java/com/suyu/secexample/fastjson/controller/fastjsoncontroller.fastjson1] is executing
EntryPoint [/src/main/java/com/suyu/secexample/fastjson/controller/fastjsoncontroller.fastjson2] is executing
EntryPoint [/src/main/java/com/suyu/secexample/messageecho/controller/messagecontroller.index] is executing
EntryPoint [/src/main/java/com/suyu/secexample/messageecho/controller/messagecontroller.getcode] is executing
EntryPoint [/src/main/java/com/suyu/secexample/messageecho/controller/messagecontroller.testcode] is executing
EntryPoint [/src/main/java/com/suyu/secexample/rce/controller/rcecontroller.input] is executing
EntryPoint [/src/main/java/com/suyu/secexample/rce/controller/rcecontroller.index] is executing
EntryPoint [/src/main/java/com/suyu/secexample/sql/service/UserService.listUser] is executing
EntryPoint [/src/main/java/com/suyu/secexample/sql/service/UserService.listUserByName] is executing
EntryPoint [/src/main/java/com/suyu/secexample/sql/controller/sqlcontroller.index] is executing
EntryPoint [/src/main/java/com/suyu/secexample/sql/controller/sqlcontroller.listUserByName] is executing
EntryPoint [/src/main/java/com/suyu/secexample/sql/mapper/UserMapper.listUser] is executing
EntryPoint [/src/main/java/com/suyu/secexample/sql/mapper/UserMapper.listUserByName] is executing
EntryPoint [/src/main/java/com/suyu/secexample/ssrf/controller/ssrfcontroller.index] is executing
EntryPoint [/src/main/java/com/suyu/secexample/ssrf/utils/HttpTool.getHttpReuest] is executing
EntryPoint [/src/main/java/com/suyu/secexample/xss/controller/xsscontroller.index] is executing
EntryPoint [/src/main/java/com/suyu/secexample/xss/controller/xsscontroller.input] is executing
EntryPoint [/src/main/java/com/suyu/secexample/xss/controller/xsscontroller.outputmessage] is executing
EntryPoint [/src/main/java/com/suyu/secexample/xxe/controller/xxecontroller.input] is executing
EntryPoint [/src/main/java/com/suyu/secexample/csrf/service/impl/UsernameServiceImpl.addUser] is executing
EntryPoint [/src/main/java/com/suyu/secexample/sql/service/impl/UserServiceImpl.listUser] is executing
EntryPoint [/src/main/java/com/suyu/secexample/sql/service/impl/UserServiceImpl.listUserByName] is executing
[YASA] Completed symbolInterpret, cost: 108ms
[YASA] Execution completed, cost: 687ms

======================  Analysis Overview  =====================
Language                           : java
Files analyzed                     : 23
Lines of code                      : 541
Total time                         : 687ms
Total instruction                  : 809
Executed instruction               : 809
Execution count                    : 1708
Sources configured                 : 23
Sinks configured                   : 10
Valid entrypoints                  : 50
Avg execution time per instruction : 0.00ms
Avg instruction execution count    : 2.11
Execution time 70%/99%/100%        : 0.00ms/0.00ms/0.00ms
Execution times 70%/99%/100%       : 3.00/6.00/31.00
================================================================


===================  Performance Statistics  ===================
total cost: 687ms
preProcess cost: 483ms
  parseCode cost: 419ms
    parse cost: 414ms
    other cost: 5ms
  preload cost: 3ms
  processModule cost: 36ms
  other cost: 25ms
startAnalyze cost: 95ms
symbolInterpret cost: 108ms
other cost: 1ms
================================================================

Found 3 potential output strategy files
Registered strategy: callgraph from callgraph-output-strategy.js
Registered strategy: interactive from interactive-output-strategy.js
Registered strategy: taintflow from taint-output-strategy.js
Successfully registered 3 output strategies

=======================  outputFindings  =======================
start dump CG to /tmp/xxx/callgraph.json
CG info is write to /tmp/xxx/callgraph.json
================================================================

analyze done

The call edges in callgraph.json:

"rcecontroller :: index \\n[rcecontroller.java : 24_49]->Runtime.getRuntime": {
      "id": "rcecontroller :: index \\n[rcecontroller.java : 24_49]->Runtime.getRuntime",
      "sourceNodeId": "rcecontroller :: index \\n[rcecontroller.java : 24_49]",
      "targetNodeId": "Runtime.getRuntime",
      "callSite": {
          "loc": {
              "start": {
                  "line": 32,
                  "column": 17
              },
              "end": {
                  "line": 32,
                  "column": 36
              },
              "sourcefile": "/opt/app/SecExample/src/main/java/com/suyu/secexample/rce/controller/rcecontroller.java"
          }
      }
  },
  "rcecontroller :: index \\n[rcecontroller.java : 24_49]->Runtime.getRuntime().exec": {
      "id": "rcecontroller :: index \\n[rcecontroller.java : 24_49]->Runtime.getRuntime().exec",
      "sourceNodeId": "rcecontroller :: index \\n[rcecontroller.java : 24_49]",
      "targetNodeId": "Runtime.getRuntime().exec",
      "callSite": {
          "loc": {
              "start": {
                  "line": 32,
                  "column": 17
              },
              "end": {
                  "line": 32,
                  "column": 50
              },
              "sourcefile": "/opt/app/SecExample/src/main/java/com/suyu/secexample/rce/controller/rcecontroller.java"
          }
      }
  },

And the default rule_config_java.json also contains the sink Runtime.getRuntime.exec():

[
  {
    "checkerIds": [
      "taint_flow_java_input",
      "taint_flow_spring_input"
    ],
    "sources": {},
    "sinks": {
      "FuncCallTaintSink": [
        {
          "args": [
            "0"
          ],
          "attribute": "JavaCommandExec",    
          "calleeType": "",
          "fsig": "Runtime.getRuntime().exec"
        },
        {
          "args": [
            "0"
          ],
          "attribute": "JavaCommandExec",
          "calleeType": "",
          "fsig": "SinkUtil.sink"
        },
        {
          "args": [
            "0"
          ],
          "attribute": "JavaCommandExec",
          "calleeType": "Runtime.getRuntime()",
          "fsig": "exec"
        },
        {
          "args": [
            "0"
          ],
          "attribute": "JavaCommandExec",
          "calleeType": "Runtime",
          "fsig": "exec"
        },
....

But when the final output is produced, no findings are reported at all.
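To make the cross-check the report does by hand repeatable, here is a small triage script (added for this writeup; it is not part of YASA-Engine and does not reproduce the engine's own sink-matching logic). It flattens every FuncCallTaintSink in the rule config into a callee string, then walks the call-graph edges and lists the call sites whose targetNodeId matches a configured sink, plus the sinks that no edge reaches. Two assumptions are not shown on the page and are flagged in the code: that callgraph.json is a JSON object keyed by edge id (only the entries are quoted above), and that a rule with an empty calleeType names the callee by fsig alone while a non-empty calleeType is joined as `calleeType.fsig`. The embedded sample data is constructed from the two edges and four sink rules quoted in the issue.

```python
"""Cross-check a YASA-Engine call-graph dump against configured sinks.

Added triage helper, not YASA's own code.  Answers: which call-graph
edges target a configured FuncCallTaintSink, and which sinks are never
reached?  A sink that is reached in the CG but produces no finding
narrows the problem to source/taint propagation rather than sink matching.
"""
import json
import sys

# Constructed sample: the two edges quoted from /tmp/xxx/callgraph.json.
# Assumption: callgraph.json is a JSON object keyed by edge id (the page
# only shows the entries, not the surrounding container).
CALLGRAPH_JSON = r'''{
  "rcecontroller :: index \\n[rcecontroller.java : 24_49]->Runtime.getRuntime": {
    "sourceNodeId": "rcecontroller :: index \\n[rcecontroller.java : 24_49]",
    "targetNodeId": "Runtime.getRuntime",
    "callSite": {"loc": {"start": {"line": 32, "column": 17},
                         "end": {"line": 32, "column": 36},
                         "sourcefile": "/opt/app/SecExample/src/main/java/com/suyu/secexample/rce/controller/rcecontroller.java"}}
  },
  "rcecontroller :: index \\n[rcecontroller.java : 24_49]->Runtime.getRuntime().exec": {
    "sourceNodeId": "rcecontroller :: index \\n[rcecontroller.java : 24_49]",
    "targetNodeId": "Runtime.getRuntime().exec",
    "callSite": {"loc": {"start": {"line": 32, "column": 17},
                         "end": {"line": 32, "column": 50},
                         "sourcefile": "/opt/app/SecExample/src/main/java/com/suyu/secexample/rce/controller/rcecontroller.java"}}
  }
}'''

# Constructed sample: the four sink rules quoted from rule_config_java.json.
RULE_CONFIG_JSON = r'''[{
  "checkerIds": ["taint_flow_java_input", "taint_flow_spring_input"],
  "sources": {},
  "sinks": {"FuncCallTaintSink": [
    {"args": ["0"], "attribute": "JavaCommandExec", "calleeType": "", "fsig": "Runtime.getRuntime().exec"},
    {"args": ["0"], "attribute": "JavaCommandExec", "calleeType": "", "fsig": "SinkUtil.sink"},
    {"args": ["0"], "attribute": "JavaCommandExec", "calleeType": "Runtime.getRuntime()", "fsig": "exec"},
    {"args": ["0"], "attribute": "JavaCommandExec", "calleeType": "Runtime", "fsig": "exec"}
  ]}
}]'''


def sink_signatures(rule_config):
    """Map each configured callee string to the sink rules that describe it.

    Assumption (not documented on the page): an empty calleeType means the
    callee is fsig alone; otherwise the callee is '<calleeType>.<fsig>'.
    """
    sigs = {}
    for pack in rule_config:
        for rule in pack.get("sinks", {}).get("FuncCallTaintSink", []):
            callee = rule["fsig"] if not rule["calleeType"] else f'{rule["calleeType"]}.{rule["fsig"]}'
            sigs.setdefault(callee, []).append(rule)
    return sigs


def sink_edges(cg_edges, sigs):
    """Return one hit per (edge, matching rule) with the call-site location."""
    hits = []
    for edge in cg_edges.values():
        rules = sigs.get(edge["targetNodeId"])
        if not rules:
            continue
        loc = edge["callSite"]["loc"]
        for rule in rules:
            hits.append({
                "caller": edge["sourceNodeId"],
                "callee": edge["targetNodeId"],
                "attribute": rule["attribute"],
                "tainted_args": rule["args"],
                "file": loc["sourcefile"],
                "line": loc["start"]["line"],
            })
    return hits


def cross_check(cg_json_text, rule_json_text):
    """Parse both dumps; return (sink call sites found in the CG, sinks never reached)."""
    sigs = sink_signatures(json.loads(rule_json_text))
    hits = sink_edges(json.loads(cg_json_text), sigs)
    unreached = set(sigs) - {h["callee"] for h in hits}
    return hits, unreached


if __name__ == "__main__":
    # Usage: python cg_sink_check.py /tmp/xxx/callgraph.json rule_config_java.json
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as cg, open(sys.argv[2]) as rc:
            found, missing = cross_check(cg.read(), rc.read())
    else:
        found, missing = cross_check(CALLGRAPH_JSON, RULE_CONFIG_JSON)
    for h in found:
        print(f'{h["file"]}:{h["line"]}  {h["caller"]} -> {h["callee"]}  [{h["attribute"]} args={h["tainted_args"]}]')
    print("configured sinks with no CG edge:", sorted(missing))
```

On the sample data the script reports the rcecontroller.java:32 call to Runtime.getRuntime().exec twice (it matches both the fsig-only rule and the calleeType "Runtime.getRuntime()" rule), and lists SinkUtil.sink and Runtime.exec as never reached. That is consistent with the report: the sink is present in the call graph, so the missing finding is not explained by the sink rule failing to match the edge.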
