Add commonly used taint configuration (#136)

Co-authored-by: auroraberry <[email protected]> Co-authored-by: Isla-top <[email protected]>
pascal-lab · Dec 31, 2024 · 36fc4f7 · 36fc4f7
1 parent 10efc00
commit 36fc4f7
Show file tree

Hide file tree

Showing 97 changed files with 2,126 additions and 0 deletions.
diff --git a/docs/en/taint-analysis.adoc b/docs/en/taint-analysis.adoc
@@ -15,6 +15,7 @@ Taint analysis can be enabled in one of two ways, or both approaches together:
 
 * using the programmatic configuration provider.
 
+[[yaml-configuration-file]]
 === YAML Configuration File
 
 In Tai-e, taint analysis is designed and implemented as a plugin of pointer analysis framework.
@@ -513,3 +514,95 @@ then you can open the TFG with your web browser and examine it.
 NOTE: We plan to develop more user-friendly mechanisms for examining taint analysis results in the future.
 
 // TODO: == Troubleshooting
+
+== Pre-prepared Commonly Used Taint Configuration
+
+Manually collecting and writing taint analysis configurations for different vulnerability types can be time-consuming and challenging, especially for developers and security researchers with limited experience.
+To help users streamline this process and improve the efficiency and accuracy of vulnerability detection, we have curated _Commonly Used Taint Configuration_. 
+When creating or modifying your own taint analysis configuration, you can refer to this configuration for guidance in your process.
+
+Commonly Used Taint Configuration is a comprehensive collection of source, sink, and transfer rules tailored for various common vulnerability types.
+ Currently, this collection contains 327 source rules, 920 sink rules, and 138 transfer rules, enabling users to adapt and extend them to detect 13 types of vulnerabilities.
+
+To further enhance the user experience, we have also carefully organized the project structure by packages and vulnerability types to ensure clarity and ease of understanding of the rules, allowing users to quickly locate and apply the relevant rules.
+
+
+=== Organizational structure
+
+The structure of this project is as follows:
+
+[source]
+----
+Tai-e/src/main/resources/commonly-used-taint-config
+├── sink
+│   ├── infoleak              # contains 141 sinks
+│   │   └── java-io
+│   └── injection             # contains 779 sinks
+│       ├── android
+│       │   └── sql-injection
+│       ├── java
+│       │   ├── crlf
+│       │   ├── path-traversal
+│       │   ├── rce
+│       │   └── ...
+│       └── ...
+├── source
+│   ├── infoleak              # contains 158 sources
+│   │   └── java
+│   └── injection             # contains 169 sources
+│       ├── apache-struts2
+│       ├── javax
+│       │   ├── javax-portlet
+│       │   ├── javax-servlet
+│       │   └── javax-swing
+│       └── ...
+└── transfer                  # contains 138 transfers about String
+----
+
+Specifically, this project firstly categorizes the configuration files into three main categories: sink, source, and transfer.
+
+* `sink` category: Contains sinks configurations files related to information leakage and injection vulnerabilities, further subdivided into two subdirectories:
+** `infoleak`: Categorized by package name.
+** `injection`: Categorized by vulnerability type.
+
+* `source` category: Contains sources configurations related to information leakage and injection vulnerabilities, further subdivided into two subdirectories:
+** `infoleak`: Categorized by package name.
+** `injection`: Categorized by package name.
+
+* `transfer` category: Contains transfers.
+
+Additionally, each subdirectory contains a corresponding `README` file that provides a brief overview of the relevant vulnerability types.
+
+=== How to Use it? (An Example)
+
+Users can directly integrate the configuration files from this collection into the <<yaml-configuration-file,Configuration File for the Tai-e taint analysis>>,
+or modify and extend them as needed to better meet specific analysis requirements.
+
+Here is an example of how to use the configuration files from this collection.
+If the user needs to detect an RCE (Remote Code Execution) injection vulnerability in a Java project using the *Jetty software library*, the following steps can be taken to modify the taint configuration file:
+
+1. Add the source rules related to the *Jetty software library* from the file `source/injection/jetty/jetty-http/jetty-http.yml`.
+2. Add the sink rules related to the *RCE type injection vulnerability* from the file `sink/injection/java/rce/command.yml`.
+3. Add the transfer rules related to *String type* from the file `transfer/string-transfers.yml`.
+
+After these steps, the taint configuration file will be as follows:
+
+```YAML
+source:
+  - { kind: call, method: "<org.eclipse.jetty.http.HttpCookie: java.lang.String getName()>", index: result, type: "java.lang.String" }
+  - { kind: call, method: "<org.eclipse.jetty.http.HttpCookie: java.lang.String getValue()>", index: result, type: "java.lang.String" }
+  - { kind: call, method: "<org.eclipse.jetty.http.HttpCookie: java.lang.String asString()>", index: result, type: "java.lang.String" }
+#...
+
+sinks:
+  - { method: "<java.lang.Runtime: java.lang.Process exec(java.lang.String)>", index: 0 }
+  - { method: "<java.lang.Runtime: java.lang.Process exec(java.lang.String[])>", index: 0 }
+  - { method: "<java.lang.Runtime: java.lang.Process exec(java.lang.String, java.lang.String[])>", index: 0 }
+#...
+
+transfer:
+  - { method: "<java.lang.String: java.lang.String substring(int)>", from: base, to: result }
+  - { method: "<java.lang.String: java.lang.String substring(int,int)>", from: base, to: result }
+#...
+```
+
diff --git a/src/main/resources/commonly-used-taint-config/sink/infoleak/java-io/README.adoc b/src/main/resources/commonly-used-taint-config/sink/infoleak/java-io/README.adoc
@@ -0,0 +1,10 @@
+= Description
+
+- **Overview**: 
+    The sinks in this directory are composed of output-related APIs from the Java standard library's `io` package, primarily including the `write` functions in various output component classes.
+
+- **Common Use Cases**:
+    These APIs are commonly used to output data carried by parameters to specified locations, such as files or command lines.
+
+- **Security Risks**:
+    Information Disclosure: Attackers can use these APIs to output sensitive information to a specified location, allowing them to exploit the acquired data for illegal activities such as extortion.
diff --git a/src/main/resources/commonly-used-taint-config/sink/infoleak/java-io/java-io.yml b/src/main/resources/commonly-used-taint-config/sink/infoleak/java-io/java-io.yml
@@ -0,0 +1,172 @@
+sinks:
+  - { method: "<java.io.BufferedOutputStream: void write(byte[],int,int)>", index: 0 }
+  - { method: "<java.io.BufferedOutputStream: void write(int)>", index: 0 }
+
+  - { method: "<java.io.BufferedWriter: void write(char[],int,int)>", index: 0 }
+  - { method: "<java.io.BufferedWriter: void write(int)>", index: 0 }
+  - { method: "<java.io.BufferedWriter: void write(java.lang.String,int,int)>", index: 0 }
+
+  - { method: "<java.io.ByteArrayOutputStream: void write(byte[],int,int)>", index: 0 }
+  - { method: "<java.io.ByteArrayOutputStream: void write(int)>", index: 0 }
+  - { method: "<java.io.ByteArrayOutputStream: void writeTo(java.io.OutputStream)>", index: 0 }
+
+  - { method: "<java.io.CharArrayWriter: void write(char[],int,int)>", index: 0 }
+  - { method: "<java.io.CharArrayWriter: void write(int)>", index: 0 }
+  - { method: "<java.io.CharArrayWriter: void write(java.lang.String,int,int)>", index: 0 }
+  - { method: "<java.io.CharArrayWriter: void writeTo(java.io.Writer)>", index: 0 }
+  - { method: "<java.io.CharArrayWriter: java.lang.CharSequence append(java.lang.CharSequence)>", index: 0 }
+  - { method: "<java.io.CharArrayWriter: java.lang.CharSequence append(java.lang.CharSequence,int,int)>", index: 0 }
+  - { method: "<java.io.CharArrayWriter: java.lang.CharSequence append(char)>", index: 0 }
+
+
+  - { method: "<java.io.DataOutputStream: void write(int)>", index: 0 }
+  - { method: "<java.io.DataOutputStream: void write(byte[],int,int)>", index: 0 }
+  - { method: "<java.io.DataOutputStream: void writeBoolean(boolean)>", index: 0 }
+  - { method: "<java.io.DataOutputStream: void writeByte(int)>", index: 0 }
+  - { method: "<java.io.DataOutputStream: void writeBytes(java.lang.String)>", index: 0 }
+  - { method: "<java.io.DataOutputStream: void writeChar(int)>", index: 0 }
+  - { method: "<java.io.DataOutputStream: void writeChars(java.lang.String)>", index: 0 }
+  - { method: "<java.io.DataOutputStream: void writeDouble(double)>", index: 0 }
+  - { method: "<java.io.DataOutputStream: void writeFloat(float)>", index: 0 }
+  - { method: "<java.io.DataOutputStream: void writeInt(int)>", index: 0 }
+  - { method: "<java.io.DataOutputStream: void writeLong(long)>", index: 0 }
+  - { method: "<java.io.DataOutputStream: void writeShort(int)>", index: 0 }
+  - { method: "<java.io.DataOutputStream: void writeUTF(java.lang.String)>", index: 0 }
+
+  - { method: "<java.io.FileOutputStream: void write(byte[],int,int)>", index: 0 }
+  - { method: "<java.io.FileOutputStream: void write(int)>", index: 0 }
+  - { method: "<java.io.FileOutputStream: void write(byte[])>", index: 0 }
+
+  - { method: "<java.io.FilterOutputStream: void write(byte[])>", index: 0 }
+  - { method: "<java.io.FilterOutputStream: void write(byte[],int,int)>", index: 0 }
+  - { method: "<java.io.FilterOutputStream: void write(int)>", index: 0 }
+
+  - { method: "<java.io.ObjectOutputStream: void write(int)>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream: void write(byte[])>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream: void write(byte[],int,int)>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream: void writeBoolean(boolean)>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream: void writeByte(int)>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream: void writeBytes(java.lang.String)>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream: void writeChar(int)>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream: void writeChars(java.lang.String)>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream: void writeDouble(double)>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream: void writeFloat(float)>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream: void writeInt(int)>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream: void writeLong(long)>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream: void writeObject(java.lang.Object)>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream: void writeShort(int)>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream: void writeUTF(java.lang.String)>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream: void defaultWriteObject()>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream: void writeUnshared(java.lang.Object)>", index: 0 }
+
+  - { method: "<java.io.ObjectOutputStream.PutFiled: void put(java.lang.String,boolean)>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream.PutFiled: void put(java.lang.String,byte)>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream.PutFiled: void put(java.lang.String,char)>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream.PutFiled: void put(java.lang.String,short)>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream.PutFiled: void put(java.lang.String,int)>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream.PutFiled: void put(java.lang.String,long)>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream.PutFiled: void put(java.lang.String,float)>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream.PutFiled: void put(java.lang.String,double)>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream.PutFiled: void put(java.lang.String,java.lang.Object)>", index: 0 }
+  - { method: "<java.io.ObjectOutputStream.PutFiled: void write(java.io.ObjectOutput)>", index: 0 }
+
+  - { method: "<java.io.RandomAccessFile: void write(byte[],int,int)>", index: 0 }
+  - { method: "<java.io.RandomAccessFile: void write(int)>", index: 0 }
+  - { method: "<java.io.RandomAccessFile: void write(byte[])>", index: 0 }
+
+  - { method: "<java.io.OutputStream: void write(byte[],int,int)>", index: 0 }
+  - { method: "<java.io.OutputStream: void write(byte[])>", index: 0 }
+  - { method: "<java.io.OutputStream: void write(int)>", index: 0 }
+
+  - { method: "<java.io.OutputStreamWriter: void write(java.lang.String,int,int)>", index: 0 }
+  - { method: "<java.io.OutputStreamWriter: void write(char[],int,int)>", index: 0 }
+  - { method: "<java.io.OutputStreamWriter: void write(int)>", index: 0 }
+
+  - { method: "<java.io.PipedOutputStream: void write(byte[],int,int)>", index: 0 }
+  - { method: "<java.io.PipedOutputStream: void write(int)>", index: 0 }
+
+  - { method: "<java.io.PipedWriter: void write(char[],int,int)>", index: 0 }
+  - { method: "<java.io.PipedWriter: void write(int)>", index: 0 }
+
+  - { method: "<java.io.PrintStream: void print(boolean)>", index: 0 }
+  - { method: "<java.io.PrintStream: void print(char)>", index: 0 }
+  - { method: "<java.io.PrintStream: void print(int)>", index: 0 }
+  - { method: "<java.io.PrintStream: void print(long)>", index: 0 }
+  - { method: "<java.io.PrintStream: void print(float)>", index: 0 }
+  - { method: "<java.io.PrintStream: void print(double)>", index: 0 }
+  - { method: "<java.io.PrintStream: void print(char[])>", index: 0 }
+  - { method: "<java.io.PrintStream: void print(java.lang.String)>", index: 0 }
+  - { method: "<java.io.PrintStream: void print(java.lang.Object)>", index: 0 }
+
+  - { method: "<java.io.PrintStream: void println(boolean)>", index: 0 }
+  - { method: "<java.io.PrintStream: void println(char)>", index: 0 }
+  - { method: "<java.io.PrintStream: void println(int)>", index: 0 }
+  - { method: "<java.io.PrintStream: void println(long)>", index: 0 }
+  - { method: "<java.io.PrintStream: void println(float)>", index: 0 }
+  - { method: "<java.io.PrintStream: void println(double)>", index: 0 }
+  - { method: "<java.io.PrintStream: void println(char[])>", index: 0 }
+  - { method: "<java.io.PrintStream: void println(java.lang.String)>", index: 0 }
+  - { method: "<java.io.PrintStream: void println(java.lang.Object)>", index: 0 }
+
+  - { method: "<java.io.PrintStream: java.io.PrintStream printf(java.util.Locale,java.lang.String,java.lang.Object[])>", index: 2 }
+  - { method: "<java.io.PrintStream: java.io.PrintStream printf(java.lang.String,java.lang.Object[])>", index: 1 }
+
+  - { method: "<java.io.PrintStream: java.io.PrintStream append(java.lang.CharSequence)>", index: 0 }
+  - { method: "<java.io.PrintStream: java.io.PrintStream append(java.lang.CharSequence,int,int)>", index: 0 }
+  - { method: "<java.io.PrintStream: java.io.PrintStream append(char)>", index: 0 }
+
+  - { method: "<java.io.PrintStream: java.io.PrintStream format(java.lang.String,java.lang.Object[])>", index: 1 }
+  - { method: "<java.io.PrintStream: java.io.PrintStream format(java.util.Locale,java.lang.String,java.lang.Object[])>", index: 2 }
+
+  - { method: "<java.io.PrintStream: void write(int)>", index: 0 }
+  - { method: "<java.io.PrintStream: void write(byte[],int,int)>", index: 0 }
+
+
+  - { method: "<java.io.PrintWriter: void print(boolean)>", index: 0 }
+  - { method: "<java.io.PrintWriter: void print(char)>", index: 0 }
+  - { method: "<java.io.PrintWriter: void print(int)>", index: 0 }
+  - { method: "<java.io.PrintWriter: void print(long)>", index: 0 }
+  - { method: "<java.io.PrintWriter: void print(float)>", index: 0}
+
+  - { method: "<java.io.PrintWriter: void write(char[],int,int)>", index: 0 }
+  - { method: "<java.io.PrintWriter: void write(int)>", index: 0 }
+  - { method: "<java.io.PrintWriter: void write(java.lang.String,int,int)>", index: 0 }
+  - { method: "<java.io.PrintWriter: void write(java.lang.String)>", index: 0 }
+  - { method: "<java.io.PrintWriter: void write(char[])>", index: 0 }
+
+  - { method: "<java.io.PrintWriter: void println(boolean)>", index: 0 }
+  - { method: "<java.io.PrintWriter: void println(char)>", index: 0 }
+  - { method: "<java.io.PrintWriter: void println(char[])>", index: 0 }
+  - { method: "<java.io.PrintWriter: void println(double)>", index: 0 }
+  - { method: "<java.io.PrintWriter: void println(float)>", index: 0 }
+  - { method: "<java.io.PrintWriter: void println(int)>", index: 0 }
+  - { method: "<java.io.PrintWriter: void println(long)>", index: 0 }
+  - { method: "<java.io.PrintWriter: void println(java.lang.Object)>", index: 0 }
+  - { method: "<java.io.PrintWriter: void println(java.lang.String)>", index: 0 }
+
+  - { method: "<java.io.PrintWriter: java.io.PrintWriter append(java.lang.CharSequence)>", index: 0 }
+  - { method: "<java.io.PrintWriter: java.io.PrintWriter append(java.lang.CharSequence,int,int)>", index: 0 }
+  - { method: "<java.io.PrintWriter: java.io.PrintWriter append(char)>", index: 0 }
+
+  - { method: "<java.io.PrintWrite: java.io.PrintWrite printf(java.util.Locale,java.lang.String,java.lang.Object[])>", index: 2 }
+  - { method: "<java.io.PrintWrite: java.io.PrintWrite printf(java.lang.String,java.lang.Object[])>", index: 1 }
+
+  - { method: "<java.io.StringWriter: java.io.StringWriter append(java.lang.CharSequence)>", index: 0 }
+  - { method: "<java.io.StringWriter: java.io.StringWriter append(java.lang.CharSequence,int,int)>", index: 0 }
+  - { method: "<java.io.StringWriter: java.io.StringWriter append(char)>", index: 0 }
+
+  - { method: "<java.io.StringWriter: void write(char[],int,int)>", index: 0 }
+  - { method: "<java.io.StringWriter: void write(int)>", index: 0 }
+  - { method: "<java.io.StringWriter: void write(java.lang.String,int,int)>", index: 0 }
+  - { method: "<java.io.StringWriter: void write(java.lang.String)>", index: 0 }
+  - { method: "<java.io.StringWriter: void write(char[])>", index: 0 }
+
+  - { method: "<java.io.Writer: java.io.Writer append(java.lang.CharSequence)>", index: 0 }
+  - { method: "<java.io.Writer: java.io.Writer append(java.lang.CharSequence,int,int)>", index: 0 }
+  - { method: "<java.io.Writer: java.io.Writer append(char)>", index: 0 }
+
+  - { method: "<java.io.Writer: void write(char[],int,int)>", index: 0 }
+  - { method: "<java.io.Writer: void write(int)>", index: 0 }
+  - { method: "<java.io.Writer: void write(java.lang.String,int,int)>", index: 0 }
+  - { method: "<java.io.Writer: void write(java.lang.String)>", index: 0 }
+  - { method: "<java.io.Writer: void write(char[])>", index: 0 }
diff --git a/...urces/commonly-used-taint-config/sink/injection/android/sql-injection/ContentProvider.yml b/...urces/commonly-used-taint-config/sink/injection/android/sql-injection/ContentProvider.yml
@@ -0,0 +1,5 @@
+sinks:
+  - { method: "<android.content.ContentProvider: android.database.Cursor query(android.net.Uri,java.lang.String[],java.lang.String[],java.lang.String,java.lang.String)>", index: 2 }
+  - { method: "<android.content.ContentProvider: android.database.Cursor query(android.net.Uri,java.lang.String[],java.lang.String[],java.lang.String,java.lang.String,android.os.CancellationSignal)>", index: 3 }
+  - { method: "<android.content.ContentProvider: int delete(android.net.Uri,java.lang.String,java.lang.String[])>", index: 1 }
+  - { method: "<android.content.ContentProvider: int update(android.net.Uri,android.content.ContentValues,java.lang.String,java.lang.String[])>", index: 1 }
diff --git a/...sources/commonly-used-taint-config/sink/injection/android/sql-injection/DatabaseUtils.yml b/...sources/commonly-used-taint-config/sink/injection/android/sql-injection/DatabaseUtils.yml
@@ -0,0 +1,6 @@
+sinks:
+  - { method: "<android.database.DatabaseUtils: long longForQuery(android.database.sqlite.SQLiteDatabase,java.lang.String,java.lang.String[])>", index: 1 }
+  - { method: "<android.database.DatabaseUtils: java.lang.String stringForQuery(android.database.sqlite.SQLiteDatabase,java.lang.String,java.lang.String[])>", index: 1 }
+  - { method: "<android.database.DatabaseUtils: android.os.ParcelFileDescriptor blobFileDescriptorForQuery(android.database.sqlite.SQLiteDatabase,java.lang.String,java.lang.String[])>", index: 1 }
+  - { method: "<android.database.DatabaseUtils: void createDbFromSqlStatements(android.content.Context,java.lang.String,int,java.lang.String)>", index: 0 }
+
diff --git a/...ces/commonly-used-taint-config/sink/injection/android/sql-injection/README.adoc b/...ces/commonly-used-taint-config/sink/injection/android/sql-injection/README.adoc
@@ -0,0 +1,10 @@
+= Description
+
+- **Overview**: 
+    The sinks in this directory consist of Android database SQL-related APIs, including but not limited to `query`, `update`, `delete`, and other methods. Their main functionality is to perform database queries and update operations.
+
+- **Common Use Cases**:
+    These APIs are commonly used for handling user-inputted data for queries, data insertion, data updates, data deletion, and SQL statement execution. Users typically have some level of control over the parameters.
+
+- **Security Risks**:
+    SQL Injection: Attackers can exploit these APIs by constructing malicious input to inject SQL commands, thereby gaining control over the database.