From ff988b43fc017e8130e414e284ab122e074647ac Mon Sep 17 00:00:00 2001 From: springkill Date: Sun, 3 Nov 2024 23:00:16 +0800 Subject: [PATCH] feat: Add injection filter detection rules Find possible injection filters by looking for keywords (SQLFilter,XSSFilter, ClearXSS, etc.). --- .../rules/filters/InjectionFilter.kt | 76 ++++++++++++++++++- .../rules/jndi/JNDIInjection.kt | 1 - .../utils/SecExpressionUtils.kt | 18 +++-- .../resources/InspectionBundle.properties | 3 + .../resources/InspectionBundle_zh.properties | 2 +- src/main/resources/META-INF/plugin.xml | 6 ++ .../InjectionFilter.html | 51 +++++++++++++ .../InjectionFilter.html | 51 +++++++++++++ 8 files changed, 200 insertions(+), 8 deletions(-) create mode 100644 src/main/resources/inspectionDescriptions/InjectionFilter.html create mode 100644 src/main/resources/inspectionDescriptions_en/InjectionFilter.html diff --git a/src/main/kotlin/org/skgroup/securityinspector/rules/filters/InjectionFilter.kt b/src/main/kotlin/org/skgroup/securityinspector/rules/filters/InjectionFilter.kt index 9d23dbc..736dec4 100644 --- a/src/main/kotlin/org/skgroup/securityinspector/rules/filters/InjectionFilter.kt +++ b/src/main/kotlin/org/skgroup/securityinspector/rules/filters/InjectionFilter.kt 
@@ -1,5 +1,79 @@ package org.skgroup.securityinspector.rules.filters -class InjectionFilter { +import com.intellij.codeInspection.ProblemHighlightType +import com.intellij.codeInspection.ProblemsHolder +import com.intellij.psi.JavaElementVisitor +import com.intellij.psi.PsiClass +import com.intellij.psi.PsiElementVisitor +import com.intellij.psi.PsiMethod +import com.intellij.psi.PsiMethodCallExpression +import org.skgroup.securityinspector.inspectors.BaseLocalInspectionTool +import org.skgroup.securityinspector.utils.InspectionBundle +import org.skgroup.securityinspector.utils.SecExpressionUtils +class InjectionFilter : BaseLocalInspectionTool() { + + companion object { + private val SQLFILTER_MESSAGE = InspectionBundle.message("vuln.massage.SQLFilter") + private val XSSFILTER_MESSAGE = InspectionBundle.message("vuln.massage.XSSFilter") + private val MAYBE_SQL_FILTER_NAME = listOf( + "SQLFilter", "SQLInjectionFilter", "SQLInjection" + ) + private val MAYBE_XSS_FILTER_NAME = listOf( + "XSSFilter", "XSSClear", "ClearXSS" + ) + private val MAYBE_SQL_FILTER_METHODS = listOf( + "ClearSQL", "SQLClear" + ) + private val MAYBE_XSS_FILTER_METHODS = listOf( + "ClearXSS", "XSSClear" + ) + } + + override fun buildVisitor(holder: ProblemsHolder, isOnTheFly: Boolean): PsiElementVisitor { + return object : JavaElementVisitor() { + override fun visitClass(aClass: PsiClass) { + MAYBE_SQL_FILTER_NAME.forEach { + if (SecExpressionUtils.matchesClassName(aClass, it)) { + holder.registerProblem( + aClass, + SQLFILTER_MESSAGE, + ProblemHighlightType.GENERIC_ERROR_OR_WARNING + ) + } + } + MAYBE_XSS_FILTER_NAME.forEach { + if (SecExpressionUtils.matchesClassName(aClass, it)) { + holder.registerProblem( + aClass, + XSSFILTER_MESSAGE, + ProblemHighlightType.GENERIC_ERROR_OR_WARNING + ) + } + } + } + + //需要检查的是定义点而不是调用点,直接用methodName防止warning位置不对 + override fun visitMethod(methodName: PsiMethod) { + MAYBE_SQL_FILTER_METHODS.forEach { + if (SecExpressionUtils.matchesMethodName(methodName, 
it)) { + holder.registerProblem( + methodName, + SQLFILTER_MESSAGE, + ProblemHighlightType.GENERIC_ERROR_OR_WARNING + ) + } + } + MAYBE_XSS_FILTER_METHODS.forEach { + if (SecExpressionUtils.matchesMethodName(methodName, it)) { + holder.registerProblem( + methodName, + XSSFILTER_MESSAGE, + ProblemHighlightType.GENERIC_ERROR_OR_WARNING + ) + } + } + } + } + } } \ No newline at end of file diff --git a/src/main/kotlin/org/skgroup/securityinspector/rules/jndi/JNDIInjection.kt b/src/main/kotlin/org/skgroup/securityinspector/rules/jndi/JNDIInjection.kt index 0f10b45..0ac4239 100644 --- a/src/main/kotlin/org/skgroup/securityinspector/rules/jndi/JNDIInjection.kt +++ b/src/main/kotlin/org/skgroup/securityinspector/rules/jndi/JNDIInjection.kt @@ -13,7 +13,6 @@ class JNDIInjection : BaseLocalInspectionTool() { private val MESSAGE = InspectionBundle.message("vuln.massage.JNDIInjection") private val JNDIINJECTION_METHOS_SINKS = mapOf( - "javax.management.remote.JMXServiceURL" to emptyList(), "java.rmi.registry.Registry" to listOf("lookup"), "javax.naming.Context" to listOf("lookup", "list", "listBindings", "lookupLink", "rename"), "javax.naming.InitialContext" to listOf("doLookup", "lookup", "rename", "list", "listBindings"), diff --git a/src/main/kotlin/org/skgroup/securityinspector/utils/SecExpressionUtils.kt b/src/main/kotlin/org/skgroup/securityinspector/utils/SecExpressionUtils.kt index 82066c5..f9dbbd9 100644 --- a/src/main/kotlin/org/skgroup/securityinspector/utils/SecExpressionUtils.kt +++ b/src/main/kotlin/org/skgroup/securityinspector/utils/SecExpressionUtils.kt 
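Review bot: A class whose name matches more than one entry of a pattern list is reported more than once, because each `forEach` body in `visitClass` calls `holder.registerProblem` independently and `matchesClassName` is a substring test — a class named `SQLInjectionFilter` contains both `"SQLInjectionFilter"` and `"SQLInjection"` and so gets two identical warnings on the same element. Collapse each list to one check, e.g. `if (MAYBE_SQL_FILTER_NAME.any { SecExpressionUtils.matchesClassName(aClass, it) }) { holder.registerProblem(aClass, SQLFILTER_MESSAGE, ProblemHighlightType.GENERIC_ERROR_OR_WARNING) }`, and use the same shape for the XSS list and for both loops in `visitMethod`. `SQLFILTER_MESSAGE` and `XSSFILTER_MESSAGE` are defined in the InspectionBundle.properties hunk as `Maybe SQL filter class` / `Maybe XSS filter class`, yet `visitMethod` attaches them to methods, so the bundle wording should not say "class" (or methods should get their own keys). The `com.intellij.psi.PsiMethodCallExpression` import is unused, and since `visitMethod`'s parameter is a `PsiMethod` rather than a string, `method` would be a less misleading name than `methodName`. The Chinese comment above `visitMethod` would be clearer to the rest of the code base in English, e.g. `// Report at the definition site, not the call site, so the warning is placed on the method itself`.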
@@ -14,13 +14,13 @@ object SecExpressionUtils { private val SQLiCareTypeStr = mutableSetOf("java.lang.String", "java.lang.StringBuilder", "java.lang.StringBuffer") - fun resolveField( expression: PsiExpression?): PsiField? { + fun resolveField(expression: PsiExpression?): PsiField? { var expression = PsiUtil.skipParenthesizedExprDown(expression) val referenceExpression = ObjectUtils.tryCast(expression, PsiReferenceExpression::class.java) return referenceExpression?.let { ObjectUtils.tryCast(it.resolve(), PsiField::class.java) } } - fun getLiteralInnerText( expression: PsiExpression?): String? { + fun getLiteralInnerText(expression: PsiExpression?): String? { val literal = ExpressionUtils.getLiteral(expression) return literal?.value?.toString() } @@ -29,7 +29,7 @@ object SecExpressionUtils { return getText(expression, false) } - fun getText( expression: PsiExpression?, force: Boolean): String? { + fun getText(expression: PsiExpression?, force: Boolean): String? { if (expression == null) return null var value = getLiteralInnerText(expression) @@ -69,7 +69,7 @@ object SecExpressionUtils { return value } - fun isText( expression: PsiExpression): Boolean { + fun isText(expression: PsiExpression): Boolean { return getText(expression) != null } @@ -359,10 +359,18 @@ object SecExpressionUtils { } } - fun isNewExpressionSink(expression: PsiNewExpression,newExpressionSinks:List): Boolean { + fun isNewExpressionSink(expression: PsiNewExpression, newExpressionSinks: List): Boolean { return newExpressionSinks.any { className -> hasFullQualifiedName(expression, className) } } + fun matchesClassName(psiClass: PsiClass, pattern: String): Boolean { + return psiClass.name?.contains(pattern, true) == true + } + + fun matchesMethodName(psiMethod: PsiMethod, pattern: String): Boolean { + return psiMethod.name.contains(pattern, true) + } + } diff --git a/src/main/resources/InspectionBundle.properties b/src/main/resources/InspectionBundle.properties index 613513b..2e3c267 100644 
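Review bot: `matchesClassName` and `matchesMethodName`, added at the end of the last hunk, perform a case-insensitive substring test (`contains(pattern, true)`), so a pattern such as `"SQLInjection"` also matches names like `SqlInjectionTest` or `sqlinjectionhelper`; if that breadth is intended for a heuristic it should be stated, otherwise a case-sensitive or word-boundary match would cut false positives. Neither helper has KDoc; suggested: `/** True when [psiClass]'s simple name contains [pattern], ignoring case; an anonymous class (null name) never matches. */` and `/** True when [psiMethod]'s name contains [pattern], ignoring case. */`. The reformatted `isNewExpressionSink` signature shows `newExpressionSinks: List` with no type argument — that is presumably `List<String>` lost in rendering rather than a raw type in the source, but worth confirming. The enclosing `object SecExpressionUtils` begins outside the hunk; only its closing brace is visible as the final context line.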
--- a/src/main/resources/InspectionBundle.properties +++ b/src/main/resources/InspectionBundle.properties @@ -5,6 +5,7 @@ vuln.name.SystemEXITDOS=System EXIT DOS Risk vuln.name.ReadFile=Arbitrary File Read Risk vuln.name.CommonIOFileWrite=CommonIO File Write Risk vuln.name.IOFilesWrite=Arbitrary File Write Risk +vuln.name.InjectionFilter=Maybe injection filter class vuln.name.JDBCAttack=JDBC Attack Risk vuln.name.JNDIInjection=JNDI Injection Risk vuln.name.LDAPUnserialize=LDAP Unserialize Risk @@ -73,6 +74,8 @@ vuln.massage.SystemEXITDOS=Please check for System EXIT DOS Risk vuln.massage.ReadFile=Please check for Arbitrary File Read Risk vuln.massage.CommonIOFileWrite=Please check for CommonIO File Write Risk vuln.massage.IOFilesWrite=Please check for Arbitrary File Write Risk +vuln.massage.SQLFilter=Maybe SQL filter class +vuln.massage.XSSFilter=Maybe XSS filter class vuln.massage.JDBCAttack=Please check for JDBC Attack Risk vuln.massage.JNDIInjection=Please check for JNDI Injection Risk vuln.massage.LDAPUnserialize=Please check for LDAP Unserialize Risk diff --git a/src/main/resources/InspectionBundle_zh.properties b/src/main/resources/InspectionBundle_zh.properties index 2a9f490..f727349 100644 --- a/src/main/resources/InspectionBundle_zh.properties +++ b/src/main/resources/InspectionBundle_zh.properties 
@@ -1 +1 @@ -# ????? vuln.name.NettyResponseSplittingRisk=Netty \u54cd\u5e94\u62c6\u5206\u98ce\u9669 vuln.name.PatternMatchesDOS=\u6a21\u5f0f\u5339\u914d DOS \u98ce\u9669 vuln.name.SystemEXITDOS=\u7cfb\u7edf EXIT DOS \u98ce\u9669 vuln.name.ReadFile=\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u98ce\u9669 vuln.name.CommonIOFileWrite=CommonIO \u6587\u4ef6\u5199\u5165\u98ce\u9669 vuln.name.IOFilesWrite=\u4efb\u610f\u6587\u4ef6\u5199\u5165\u98ce\u9669 vuln.name.JDBCAttack=JDBC \u653b\u51fb\u98ce\u9669 vuln.name.JNDIInjection=JNDI \u6ce8\u5165\u98ce\u9669 vuln.name.LDAPUnserialize=LDAP \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.BroadCORSAllowOrigin=\u5bbd\u677e\u7684 CORS \u5141\u8bb8\u6e90\u98ce\u9669 vuln.name.HardCodedCredential=\u786c\u7f16\u7801\u51ed\u636e\u98ce\u9669 vuln.name.OpenSAML2IgnoreComments=OpenSAML2 \u5ffd\u7565\u6ce8\u91ca\u98ce\u9669 vuln.name.BSHRCE=BSH \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.BurlapUnserialize=Burlap \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.CastorUnserialize=Castor \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.CompilableRCE=\u53ef\u7f16\u8bd1\u7684\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.ELRCE=EL \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.ExpressionRCE=\u8868\u8fbe\u5f0f\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.FastjsonAutoType=Fastjson AutoType \u98ce\u9669 vuln.name.FastjsonUnserialize=Fastjson \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.GroovyRCE=Groovy \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.HessianUnserialize=Hessian \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.JacksonDatabindDefaultTyping=Jackson Databind \u9ed8\u8ba4\u7c7b\u578b\u98ce\u9669 vuln.name.JEXLRCE=JEXL \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.JSchOSRCE=JSch \u64cd\u4f5c\u7cfb\u7edf\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.JsonIOUnserialize=JsonIO \u53cd\u5e8f\u5217\u5316\u98ce\u9669 
vuln.name.JYamlUnserialize=JYaml \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.JythonRCE=Jython \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.KryoUnserialize=Kryo \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.MVELRCE=MVEL \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.NashornScriptEngineRCE=Nashorn \u811a\u672c\u5f15\u64ce\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.ObjectInputStreamUnserialize=ObjectInputStream \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.OGNLInjectionRCE=OGNL \u6ce8\u5165\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.RhinoRCE=Rhino \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.RuntimeRCE=Runtime \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.ScriptEngineRCE=\u811a\u672c\u5f15\u64ce\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.SnakeYamlUnserialize=SnakeYaml \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.SPELRCE=SPEL \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.XMLDecoderUnserialize=XMLDecoder \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.XSLTRCE=XSLT \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.XStreamUnserialize=XStream \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.YamlBeansUnserialize=YamlBeans \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.JakartaRedirect=Jakarta \u91cd\u5b9a\u5411\u98ce\u9669 vuln.name.JavaxRedirect=Javax \u91cd\u5b9a\u5411\u98ce\u9669 vuln.name.Reflect=\u53cd\u5c04\u98ce\u9669 vuln.name.MybatisAnnotationSQLi=Mybatis \u6ce8\u89e3 SQL \u6ce8\u5165\u98ce\u9669 vuln.name.MybatisXmlSQLi=Mybatis XML SQL \u6ce8\u5165\u98ce\u9669 vuln.name.PlaceholderStringSQLi=\u5360\u4f4d\u7b26\u5b57\u7b26\u4e32 SQL \u6ce8\u5165\u98ce\u9669 vuln.name.PolyadicExpressionSQLi=\u591a\u9879\u8868\u8fbe\u5f0f SQL \u6ce8\u5165\u98ce\u9669 vuln.name.SQLi=SQL \u6ce8\u5165\u98ce\u9669 vuln.name.ApacheSSRF=Apache SSRF \u98ce\u9669 vuln.name.GoogleIOSSRF=Google IO SSRF 
\u98ce\u9669 vuln.name.JavaURLSSRF=Java URL SSRF \u98ce\u9669 vuln.name.JsoupSSRF=Jsoup SSRF \u98ce\u9669 vuln.name.OkhttpSSRF=Okhttp SSRF \u98ce\u9669 vuln.name.SpringSSRF=Spring SSRF \u98ce\u9669 vuln.name.URLConnectionSSRF=URL \u8fde\u63a5 SSRF \u98ce\u9669 vuln.name.BeetlSSTI=Beetl \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.name.FreemarkeraSSTI=Freemarker \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.name.JinjavaSSTI=Jinjava \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.name.PebbleSSTI=Pebble \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.name.ThymeleafSSTI=Thymeleaf \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.name.ValidationSSTI=Validation \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.name.VelocitySSTI=Velocity \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.name.XXE=XML \u5916\u90e8\u5b9e\u4f53 (XXE) \u98ce\u9669 # ??????? 
vuln.massage.NettyResponseSplittingRisk=\u8bf7\u68c0\u67e5 Netty \u54cd\u5e94\u62c6\u5206\u98ce\u9669 vuln.massage.PatternMatchesDOS=\u8bf7\u68c0\u67e5\u6a21\u5f0f\u5339\u914d DOS \u98ce\u9669 vuln.massage.SystemEXITDOS=\u8bf7\u68c0\u67e5\u7cfb\u7edf EXIT DOS \u98ce\u9669 vuln.massage.ReadFile=\u8bf7\u68c0\u67e5\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u98ce\u9669 vuln.massage.CommonIOFileWrite=\u8bf7\u68c0\u67e5 CommonIO \u6587\u4ef6\u5199\u5165\u98ce\u9669 vuln.massage.IOFilesWrite=\u8bf7\u68c0\u67e5\u4efb\u610f\u6587\u4ef6\u5199\u5165\u98ce\u9669 vuln.massage.JDBCAttack=\u8bf7\u68c0\u67e5 JDBC \u653b\u51fb\u98ce\u9669 vuln.massage.JNDIInjection=\u8bf7\u68c0\u67e5 JNDI \u6ce8\u5165\u98ce\u9669 vuln.massage.LDAPUnserialize=\u8bf7\u68c0\u67e5 LDAP \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.BroadCORSAllowOrigin=\u8bf7\u68c0\u67e5\u5bbd\u677e\u7684 CORS \u5141\u8bb8\u6e90\u98ce\u9669 vuln.massage.HardCodedCredential=\u8bf7\u68c0\u67e5\u786c\u7f16\u7801\u51ed\u636e\u98ce\u9669 vuln.massage.OpenSAML2IgnoreComments=\u8bf7\u68c0\u67e5 OpenSAML2 \u5ffd\u7565\u6ce8\u91ca\u98ce\u9669 vuln.massage.BSHRCE=\u8bf7\u68c0\u67e5 BSH \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.BurlapUnserialize=\u8bf7\u68c0\u67e5 Burlap \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.CastorUnserialize=\u8bf7\u68c0\u67e5 Castor \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.CompilableRCE=\u8bf7\u68c0\u67e5\u53ef\u7f16\u8bd1\u7684\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.ELRCE=\u8bf7\u68c0\u67e5 EL \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.ExpressionRCE=\u8bf7\u68c0\u67e5\u8868\u8fbe\u5f0f\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.FastjsonAutoType=\u8bf7\u68c0\u67e5 Fastjson AutoType \u98ce\u9669 vuln.massage.FastjsonUnserialize=\u8bf7\u68c0\u67e5 Fastjson \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.GroovyRCE=\u8bf7\u68c0\u67e5 Groovy \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) 
\u98ce\u9669 vuln.massage.HessianUnserialize=\u8bf7\u68c0\u67e5 Hessian \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.JacksonDatabindDefaultTyping=\u8bf7\u68c0\u67e5 Jackson Databind \u9ed8\u8ba4\u7c7b\u578b\u98ce\u9669 vuln.massage.JEXLRCE=\u8bf7\u68c0\u67e5 JEXL \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.JSchOSRCE=\u8bf7\u68c0\u67e5 JSch \u64cd\u4f5c\u7cfb\u7edf\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.JsonIOUnserialize=\u8bf7\u68c0\u67e5 JsonIO \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.JYamlUnserialize=\u8bf7\u68c0\u67e5 JYaml \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.JythonRCE=\u8bf7\u68c0\u67e5 Jython \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.KryoUnserialize=\u8bf7\u68c0\u67e5 Kryo \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.MVELRCE=\u8bf7\u68c0\u67e5 MVEL \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.NashornScriptEngineRCE=\u8bf7\u68c0\u67e5 Nashorn \u811a\u672c\u5f15\u64ce\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.ObjectInputStreamUnserialize=\u8bf7\u68c0\u67e5 ObjectInputStream \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.OGNLInjectionRCE=\u8bf7\u68c0\u67e5 OGNL \u6ce8\u5165\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.RhinoRCE=\u8bf7\u68c0\u67e5 Rhino \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.RuntimeRCE=\u8bf7\u68c0\u67e5 Runtime \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.ScriptEngineRCE=\u8bf7\u68c0\u67e5\u811a\u672c\u5f15\u64ce\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.SnakeYamlUnserialize=\u8bf7\u68c0\u67e5 SnakeYaml \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.SPELRCE=\u8bf7\u68c0\u67e5 SPEL \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.XMLDecoderUnserialize=\u8bf7\u68c0\u67e5 XMLDecoder \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.XSLTRCE=\u8bf7\u68c0\u67e5 XSLT 
\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.XStreamUnserialize=\u8bf7\u68c0\u67e5 XStream \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.YamlBeansUnserialize=\u8bf7\u68c0\u67e5 YamlBeans \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.JakartaRedirect=\u8bf7\u68c0\u67e5 Jakarta \u91cd\u5b9a\u5411\u98ce\u9669 vuln.massage.JavaxRedirect=\u8bf7\u68c0\u67e5 Javax \u91cd\u5b9a\u5411\u98ce\u9669 vuln.massage.Reflect=\u8bf7\u68c0\u67e5\u53cd\u5c04\u98ce\u9669 vuln.massage.MybatisAnnotationSQLi=\u8bf7\u68c0\u67e5 Mybatis \u6ce8\u89e3 SQL \u6ce8\u5165\u98ce\u9669 vuln.massage.MybatisXmlSQLi=\u8bf7\u68c0\u67e5 Mybatis XML SQL \u6ce8\u5165\u98ce\u9669 vuln.massage.PlaceholderStringSQLi=\u8bf7\u68c0\u67e5\u5360\u4f4d\u7b26\u5b57\u7b26\u4e32 SQL \u6ce8\u5165\u98ce\u9669 vuln.massage.PolyadicExpressionSQLi=\u8bf7\u68c0\u67e5\u591a\u9879\u8868\u8fbe\u5f0f SQL \u6ce8\u5165\u98ce\u9669 vuln.massage.SQLi=\u8bf7\u68c0\u67e5 SQL \u6ce8\u5165\u98ce\u9669 vuln.massage.ApacheSSRF=\u8bf7\u68c0\u67e5 Apache SSRF \u98ce\u9669 vuln.massage.GoogleIOSSRF=\u8bf7\u68c0\u67e5 Google IO SSRF \u98ce\u9669 vuln.massage.JavaURLSSRF=\u8bf7\u68c0\u67e5 Java URL SSRF \u98ce\u9669 vuln.massage.JsoupSSRF=\u8bf7\u68c0\u67e5 Jsoup SSRF \u98ce\u9669 vuln.massage.OkhttpSSRF=\u8bf7\u68c0\u67e5 Okhttp SSRF \u98ce\u9669 vuln.massage.SpringSSRF=\u8bf7\u68c0\u67e5 Spring SSRF \u98ce\u9669 vuln.massage.URLConnectionSSRF=\u8bf7\u68c0\u67e5 URL \u5bfc\u81f4\u7684 SSRF \u98ce\u9669 vuln.massage.BeetlSSTI=\u8bf7\u68c0\u67e5 Beetl \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.massage.FreemarkerSSTI=\u8bf7\u68c0\u67e5 Freemarker \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.massage.JinjavaSSTI=\u8bf7\u68c0\u67e5 Jinjava \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.massage.PebbleSSTI=\u8bf7\u68c0\u67e5 Pebble \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 
vuln.massage.ThymeleafSSTI=\u8bf7\u68c0\u67e5 Thymeleaf \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.massage.ValidationSSTI=\u8bf7\u68c0\u67e5 Validation \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.massage.VelocitySSTI=\u8bf7\u68c0\u67e5 Velocity \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.massage.XXE=\u8bf7\u68c0\u67e5 XML \u5916\u90e8\u5b9e\u4f53 (XXE) \u98ce\u9669 # ??????? vuln.fix.NettyResponseSplittingRisk = \u5728 HttpServerCodec \u4e2d\u542f\u7528 validateHeaders \u5c5e\u6027 vuln.fix.LDAPUnserialize = \u5728 LDAP \u8fde\u63a5\u4e2d\u5c06 returnObject \u53c2\u6570\u8bbe\u7f6e\u4e3a false vuln.fix.OpenSAML2IgnoreComments = \u5c06 org.opensaml.xml.parse.ParserPool.ignoreComments \u5c5e\u6027\u8bbe\u7f6e\u4e3a true vuln.fix.FastjsonAutoType = \u79fb\u9664 Fastjson AutoType \u529f\u80fd vuln.fix.JacksonDatabindDefaultTypingAnnotation = \u4f7f\u7528 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, property = "class") \u6ce8\u89e3 vuln.fix.JacksonDatabindDefaultTypingDefault = \u4f7f\u7528 ObjectMapper.enableDefaultTyping() \u65b9\u6cd5 vuln.fix.MybatisAnnotationSQLi = \u5728 Mybatis \u6ce8\u89e3\u4e2d\u4f7f\u7528 #{xxx} \u4ee3\u66ff ${xxx} vuln.fix.MybatisXmlSQLi = \u5728 Mybatis XML \u4e2d\u4f7f\u7528 #{xxx} \u4ee3\u66ff ${xxx} vuln.fix.XXE = \u7981\u7528 XML \u5916\u90e8\u5b9e\u4f53\u5904\u7406 \ No newline at end of file +# ????? 
vuln.name.NettyResponseSplittingRisk=Netty \u54cd\u5e94\u62c6\u5206\u98ce\u9669 vuln.name.PatternMatchesDOS=\u6a21\u5f0f\u5339\u914d DOS \u98ce\u9669 vuln.name.SystemEXITDOS=\u7cfb\u7edf EXIT DOS \u98ce\u9669 vuln.name.ReadFile=\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u98ce\u9669 vuln.name.CommonIOFileWrite=CommonIO \u6587\u4ef6\u5199\u5165\u98ce\u9669 vuln.name.IOFilesWrite=\u4efb\u610f\u6587\u4ef6\u5199\u5165\u98ce\u9669 vuln.name.InjectionFilter=\u53ef\u80fd\u7684\u6ce8\u5165\u8fc7\u6ee4\u5668\u7c7b vuln.name.JDBCAttack=JDBC \u653b\u51fb\u98ce\u9669 vuln.name.JNDIInjection=JNDI \u6ce8\u5165\u98ce\u9669 vuln.name.LDAPUnserialize=LDAP \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.BroadCORSAllowOrigin=\u5bbd\u677e\u7684 CORS \u5141\u8bb8\u6e90\u98ce\u9669 vuln.name.HardCodedCredential=\u786c\u7f16\u7801\u51ed\u636e\u98ce\u9669 vuln.name.OpenSAML2IgnoreComments=OpenSAML2 \u5ffd\u7565\u6ce8\u91ca\u98ce\u9669 vuln.name.BSHRCE=BSH \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.BurlapUnserialize=Burlap \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.CastorUnserialize=Castor \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.CompilableRCE=\u53ef\u7f16\u8bd1\u7684\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.ELRCE=EL \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.ExpressionRCE=\u8868\u8fbe\u5f0f\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.FastjsonAutoType=Fastjson AutoType \u98ce\u9669 vuln.name.FastjsonUnserialize=Fastjson \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.GroovyRCE=Groovy \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.HessianUnserialize=Hessian \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.JacksonDatabindDefaultTyping=Jackson Databind \u9ed8\u8ba4\u7c7b\u578b\u98ce\u9669 vuln.name.JEXLRCE=JEXL \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.JSchOSRCE=JSch \u64cd\u4f5c\u7cfb\u7edf\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 
vuln.name.JsonIOUnserialize=JsonIO \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.JYamlUnserialize=JYaml \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.JythonRCE=Jython \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.KryoUnserialize=Kryo \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.MVELRCE=MVEL \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.NashornScriptEngineRCE=Nashorn \u811a\u672c\u5f15\u64ce\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.ObjectInputStreamUnserialize=ObjectInputStream \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.OGNLInjectionRCE=OGNL \u6ce8\u5165\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.RhinoRCE=Rhino \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.RuntimeRCE=Runtime \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.ScriptEngineRCE=\u811a\u672c\u5f15\u64ce\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.SnakeYamlUnserialize=SnakeYaml \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.SPELRCE=SPEL \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.XMLDecoderUnserialize=XMLDecoder \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.XSLTRCE=XSLT \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.name.XStreamUnserialize=XStream \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.YamlBeansUnserialize=YamlBeans \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.name.JakartaRedirect=Jakarta \u91cd\u5b9a\u5411\u98ce\u9669 vuln.name.JavaxRedirect=Javax \u91cd\u5b9a\u5411\u98ce\u9669 vuln.name.Reflect=\u53cd\u5c04\u98ce\u9669 vuln.name.MybatisAnnotationSQLi=Mybatis \u6ce8\u89e3 SQL \u6ce8\u5165\u98ce\u9669 vuln.name.MybatisXmlSQLi=Mybatis XML SQL \u6ce8\u5165\u98ce\u9669 vuln.name.PlaceholderStringSQLi=\u5360\u4f4d\u7b26\u5b57\u7b26\u4e32 SQL \u6ce8\u5165\u98ce\u9669 vuln.name.PolyadicExpressionSQLi=\u591a\u9879\u8868\u8fbe\u5f0f SQL \u6ce8\u5165\u98ce\u9669 vuln.name.SQLi=SQL \u6ce8\u5165\u98ce\u9669 
vuln.name.ApacheSSRF=Apache SSRF \u98ce\u9669 vuln.name.GoogleIOSSRF=Google IO SSRF \u98ce\u9669 vuln.name.JavaURLSSRF=Java URL SSRF \u98ce\u9669 vuln.name.JsoupSSRF=Jsoup SSRF \u98ce\u9669 vuln.name.OkhttpSSRF=Okhttp SSRF \u98ce\u9669 vuln.name.SpringSSRF=Spring SSRF \u98ce\u9669 vuln.name.URLConnectionSSRF=URL \u8fde\u63a5 SSRF \u98ce\u9669 vuln.name.BeetlSSTI=Beetl \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.name.FreemarkeraSSTI=Freemarker \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.name.JinjavaSSTI=Jinjava \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.name.PebbleSSTI=Pebble \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.name.ThymeleafSSTI=Thymeleaf \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.name.ValidationSSTI=Validation \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.name.VelocitySSTI=Velocity \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.name.XXE=XML \u5916\u90e8\u5b9e\u4f53 (XXE) \u98ce\u9669 # ??????? 
vuln.massage.NettyResponseSplittingRisk=\u8bf7\u68c0\u67e5 Netty \u54cd\u5e94\u62c6\u5206\u98ce\u9669 vuln.massage.PatternMatchesDOS=\u8bf7\u68c0\u67e5\u6a21\u5f0f\u5339\u914d DOS \u98ce\u9669 vuln.massage.SystemEXITDOS=\u8bf7\u68c0\u67e5\u7cfb\u7edf EXIT DOS \u98ce\u9669 vuln.massage.ReadFile=\u8bf7\u68c0\u67e5\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u98ce\u9669 vuln.massage.CommonIOFileWrite=\u8bf7\u68c0\u67e5 CommonIO \u6587\u4ef6\u5199\u5165\u98ce\u9669 vuln.massage.IOFilesWrite=\u8bf7\u68c0\u67e5\u4efb\u610f\u6587\u4ef6\u5199\u5165\u98ce\u9669 vuln.massage.SQLFilter=\u53d1\u73b0\u53ef\u80fd\u7684 SQL\u6ce8\u5165 \u8fc7\u6ee4\u5668 vuln.massage.XSSFilter=\u53d1\u73b0\u53ef\u80fd\u7684 XSS \u8fc7\u6ee4\u5668 vuln.massage.JDBCAttack=\u8bf7\u68c0\u67e5 JDBC \u653b\u51fb\u98ce\u9669 vuln.massage.JNDIInjection=\u8bf7\u68c0\u67e5 JNDI \u6ce8\u5165\u98ce\u9669 vuln.massage.LDAPUnserialize=\u8bf7\u68c0\u67e5 LDAP \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.BroadCORSAllowOrigin=\u8bf7\u68c0\u67e5\u5bbd\u677e\u7684 CORS \u5141\u8bb8\u6e90\u98ce\u9669 vuln.massage.HardCodedCredential=\u8bf7\u68c0\u67e5\u786c\u7f16\u7801\u51ed\u636e\u98ce\u9669 vuln.massage.OpenSAML2IgnoreComments=\u8bf7\u68c0\u67e5 OpenSAML2 \u5ffd\u7565\u6ce8\u91ca\u98ce\u9669 vuln.massage.BSHRCE=\u8bf7\u68c0\u67e5 BSH \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.BurlapUnserialize=\u8bf7\u68c0\u67e5 Burlap \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.CastorUnserialize=\u8bf7\u68c0\u67e5 Castor \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.CompilableRCE=\u8bf7\u68c0\u67e5\u53ef\u7f16\u8bd1\u7684\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.ELRCE=\u8bf7\u68c0\u67e5 EL \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.ExpressionRCE=\u8bf7\u68c0\u67e5\u8868\u8fbe\u5f0f\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.FastjsonAutoType=\u8bf7\u68c0\u67e5 Fastjson AutoType \u98ce\u9669 
vuln.massage.FastjsonUnserialize=\u8bf7\u68c0\u67e5 Fastjson \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.GroovyRCE=\u8bf7\u68c0\u67e5 Groovy \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.HessianUnserialize=\u8bf7\u68c0\u67e5 Hessian \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.JacksonDatabindDefaultTyping=\u8bf7\u68c0\u67e5 Jackson Databind \u9ed8\u8ba4\u7c7b\u578b\u98ce\u9669 vuln.massage.JEXLRCE=\u8bf7\u68c0\u67e5 JEXL \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.JSchOSRCE=\u8bf7\u68c0\u67e5 JSch \u64cd\u4f5c\u7cfb\u7edf\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.JsonIOUnserialize=\u8bf7\u68c0\u67e5 JsonIO \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.JYamlUnserialize=\u8bf7\u68c0\u67e5 JYaml \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.JythonRCE=\u8bf7\u68c0\u67e5 Jython \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.KryoUnserialize=\u8bf7\u68c0\u67e5 Kryo \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.MVELRCE=\u8bf7\u68c0\u67e5 MVEL \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.NashornScriptEngineRCE=\u8bf7\u68c0\u67e5 Nashorn \u811a\u672c\u5f15\u64ce\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.ObjectInputStreamUnserialize=\u8bf7\u68c0\u67e5 ObjectInputStream \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.OGNLInjectionRCE=\u8bf7\u68c0\u67e5 OGNL \u6ce8\u5165\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.RhinoRCE=\u8bf7\u68c0\u67e5 Rhino \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.RuntimeRCE=\u8bf7\u68c0\u67e5 Runtime \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.ScriptEngineRCE=\u8bf7\u68c0\u67e5\u811a\u672c\u5f15\u64ce\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.SnakeYamlUnserialize=\u8bf7\u68c0\u67e5 SnakeYaml \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.SPELRCE=\u8bf7\u68c0\u67e5 SPEL 
\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.XMLDecoderUnserialize=\u8bf7\u68c0\u67e5 XMLDecoder \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.XSLTRCE=\u8bf7\u68c0\u67e5 XSLT \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE) \u98ce\u9669 vuln.massage.XStreamUnserialize=\u8bf7\u68c0\u67e5 XStream \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.YamlBeansUnserialize=\u8bf7\u68c0\u67e5 YamlBeans \u53cd\u5e8f\u5217\u5316\u98ce\u9669 vuln.massage.JakartaRedirect=\u8bf7\u68c0\u67e5 Jakarta \u91cd\u5b9a\u5411\u98ce\u9669 vuln.massage.JavaxRedirect=\u8bf7\u68c0\u67e5 Javax \u91cd\u5b9a\u5411\u98ce\u9669 vuln.massage.Reflect=\u8bf7\u68c0\u67e5\u53cd\u5c04\u98ce\u9669 vuln.massage.MybatisAnnotationSQLi=\u8bf7\u68c0\u67e5 Mybatis \u6ce8\u89e3 SQL \u6ce8\u5165\u98ce\u9669 vuln.massage.MybatisXmlSQLi=\u8bf7\u68c0\u67e5 Mybatis XML SQL \u6ce8\u5165\u98ce\u9669 vuln.massage.PlaceholderStringSQLi=\u8bf7\u68c0\u67e5\u5360\u4f4d\u7b26\u5b57\u7b26\u4e32 SQL \u6ce8\u5165\u98ce\u9669 vuln.massage.PolyadicExpressionSQLi=\u8bf7\u68c0\u67e5\u591a\u9879\u8868\u8fbe\u5f0f SQL \u6ce8\u5165\u98ce\u9669 vuln.massage.SQLi=\u8bf7\u68c0\u67e5 SQL \u6ce8\u5165\u98ce\u9669 vuln.massage.ApacheSSRF=\u8bf7\u68c0\u67e5 Apache SSRF \u98ce\u9669 vuln.massage.GoogleIOSSRF=\u8bf7\u68c0\u67e5 Google IO SSRF \u98ce\u9669 vuln.massage.JavaURLSSRF=\u8bf7\u68c0\u67e5 Java URL SSRF \u98ce\u9669 vuln.massage.JsoupSSRF=\u8bf7\u68c0\u67e5 Jsoup SSRF \u98ce\u9669 vuln.massage.OkhttpSSRF=\u8bf7\u68c0\u67e5 Okhttp SSRF \u98ce\u9669 vuln.massage.SpringSSRF=\u8bf7\u68c0\u67e5 Spring SSRF \u98ce\u9669 vuln.massage.URLConnectionSSRF=\u8bf7\u68c0\u67e5 URL \u5bfc\u81f4\u7684 SSRF \u98ce\u9669 vuln.massage.BeetlSSTI=\u8bf7\u68c0\u67e5 Beetl \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.massage.FreemarkerSSTI=\u8bf7\u68c0\u67e5 Freemarker \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.massage.JinjavaSSTI=\u8bf7\u68c0\u67e5 Jinjava 
\u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.massage.PebbleSSTI=\u8bf7\u68c0\u67e5 Pebble \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.massage.ThymeleafSSTI=\u8bf7\u68c0\u67e5 Thymeleaf \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.massage.ValidationSSTI=\u8bf7\u68c0\u67e5 Validation \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.massage.VelocitySSTI=\u8bf7\u68c0\u67e5 Velocity \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 (SSTI) \u98ce\u9669 vuln.massage.XXE=\u8bf7\u68c0\u67e5 XML \u5916\u90e8\u5b9e\u4f53 (XXE) \u98ce\u9669 # ??????? vuln.fix.NettyResponseSplittingRisk = \u5728 HttpServerCodec \u4e2d\u542f\u7528 validateHeaders \u5c5e\u6027 vuln.fix.LDAPUnserialize = \u5728 LDAP \u8fde\u63a5\u4e2d\u5c06 returnObject \u53c2\u6570\u8bbe\u7f6e\u4e3a false vuln.fix.OpenSAML2IgnoreComments = \u5c06 org.opensaml.xml.parse.ParserPool.ignoreComments \u5c5e\u6027\u8bbe\u7f6e\u4e3a true vuln.fix.FastjsonAutoType = \u79fb\u9664 Fastjson AutoType \u529f\u80fd vuln.fix.JacksonDatabindDefaultTypingAnnotation = \u4f7f\u7528 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, property = "class") \u6ce8\u89e3 vuln.fix.JacksonDatabindDefaultTypingDefault = \u4f7f\u7528 ObjectMapper.enableDefaultTyping() \u65b9\u6cd5 vuln.fix.MybatisAnnotationSQLi = \u5728 Mybatis \u6ce8\u89e3\u4e2d\u4f7f\u7528 #{xxx} \u4ee3\u66ff ${xxx} vuln.fix.MybatisXmlSQLi = \u5728 Mybatis XML \u4e2d\u4f7f\u7528 #{xxx} \u4ee3\u66ff ${xxx} vuln.fix.XXE = \u7981\u7528 XML \u5916\u90e8\u5b9e\u4f53\u5904\u7406 \ No newline at end of file diff --git a/src/main/resources/META-INF/plugin.xml b/src/main/resources/META-INF/plugin.xml index df85971..0e09d28 100644 --- a/src/main/resources/META-INF/plugin.xml +++ b/src/main/resources/META-INF/plugin.xml 
@@ -79,6 +79,12 @@ bundle="InspectionBundle" key="vuln.name.IOFilesWrite" implementationClass="org.skgroup.securityinspector.rules.files.write.IOFiles" /> + + + 注入过滤器检查项 + + +

注入过滤器检查项

+

漏洞类型

+

+ SQL 注入跨站脚本(XSS)注入是常见的安全漏洞。SQL 注入会导致攻击者可以操控 SQL 查询,进而访问、修改或删除数据库数据。而 XSS 注入则允许攻击者在页面中插入恶意脚本,从而窃取用户信息或劫持会话。 +

+

检查了什么内容

+

+ 该条目检查了类名和方法名中是否存在可能被误认为是 SQL 或 XSS 过滤器的定义。某些命名(例如 SQLFilterClearXSS)可能误导开发人员,给人以过滤功能的假象,但实际上这些方法或类可能并不具备有效的安全过滤功能,从而产生安全风险。 +

+

检查逻辑

+
    +
  • 如果类名与 SQLFilterSQLInjectionFilterSQLInjection 等模式匹配,则认为该类可能不安全,显示相应的 SQL 注入警告。
  • +
  • 如果类名包含 XSSFilterXSSClearClearXSS,则会提示可能存在 XSS 安全风险。
  • +
  • 同样地,如果方法名匹配 ClearSQLSQLClearClearXSSXSSClear,则认为该方法可能涉及不安全的过滤操作,显示相应的警告。
  • +
+

修复建议

+

+ 对于 SQL 和 XSS 过滤器,建议确保过滤器功能实际有效,并避免在命名上造成误导。推荐使用成熟的防注入框架或库(例如使用正则表达式、编码函数等),以确保数据的输入有效过滤,防止攻击者进行注入攻击。 +

+

快速修复

+

+ 该条目会提醒开发者检查这些类和方法的实现,确保它们具备真正的 SQL 或 XSS 防护能力,而不是仅具备误导性的命名。 +

+

相关示例

+

+ 例如,代码中有以下不安全的类或方法命名: +

+
+
+class SQLFilter { ... }  // 可能不安全
+void ClearXSS(String input) { ... }  // 可能不安全
+
+    
+

+ 建议确保这些类或方法实现真正的过滤功能,或者使用更具描述性的命名。 +

+

参考资料

+

+ 了解更多关于 SQL 和 XSS 注入的风险和修复方法,可以参考以下资源: +

+

+ +
diff --git a/src/main/resources/inspectionDescriptions_en/InjectionFilter.html b/src/main/resources/inspectionDescriptions_en/InjectionFilter.html
new file mode 100644
index 0000000..4ec8234
--- /dev/null
+++ b/src/main/resources/inspectionDescriptions_en/InjectionFilter.html
@@ -0,0 +1,51 @@
+ + + Injection Filter Inspection Item + + +

Injection Filter Inspection Item

+

Vulnerability Type

+

+ SQL Injection and Cross-Site Scripting (XSS) Injection are common security vulnerabilities. SQL injection can allow attackers to manipulate SQL queries, potentially giving them access to or control over database data. XSS injection allows attackers to insert malicious scripts, which may steal user information or hijack sessions. +

+

What This Item Checks

+

+ This item checks for class and method names that may be misleadingly perceived as SQL or XSS filters. Certain names, such as SQLFilter or ClearXSS, may give a false sense of filtering security, while these methods or classes may lack actual filtering functionality, creating potential security risks. +

+

Inspection Logic

+
    +
  • If a class name matches patterns like SQLFilter, SQLInjectionFilter, or SQLInjection, it flags the class as potentially unsafe and displays a warning for SQL injection risk.
  • +
  • If a class name contains XSSFilter, XSSClear, or ClearXSS, it indicates potential XSS security risks.
  • +
  • Similarly, if a method name matches ClearSQL, SQLClear, ClearXSS, or XSSClear, it considers the method potentially unsafe and highlights it accordingly.
  • +
+

Fix Recommendation

+

+ For SQL and XSS filters, it is recommended to ensure that the filtering functionality is genuinely effective and avoids misleading naming. Consider using established anti-injection frameworks or libraries (e.g., regular expressions, encoding functions) to properly validate data inputs and prevent injection attacks. +

+

Quick Fix

+

+ This item reminds developers to review the implementations of these classes and methods to ensure they have real SQL or XSS protection capabilities rather than merely misleading names. +

+

Example

+

+ For example, the following code includes potentially unsafe class or method names: +

+
+
+class SQLFilter { ... }  // Potentially unsafe
+void ClearXSS(String input) { ... }  // Potentially unsafe
+
+    
+

+ It is recommended to ensure these classes or methods perform real filtering functions or to use more descriptive names. +

+

References

+

+ To learn more about SQL and XSS injection risks and how to address them, you can refer to the following resources: +

+

+ +