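--- a/common/src/main/java/com/google/tsunami/common/net/FuzzingUtils.java
+++ b/common/src/main/java/com/google/tsunami/common/net/FuzzingUtils.java
@@ -39,7 +39,18 @@
 */
 public static ImmutableList<HttpRequest> fuzzGetParametersWithDefaultParameter(
 HttpRequest request, String payload, String defaultParameter) {
-return fuzzGetParameters(request, payload, Optional.of(defaultParameter));
+return fuzzGetParameters(request, payload, Optional.of(defaultParameter), ImmutableSet.of());
+}
+
+/**
+* Fuzz GET parameters by replacing values with the provided payload. Payloads are expected to
+* represent paths. If encountered, file extesions and path prefixes are kept and provided via
+* additional exploit requests. If no GET parameter is found, return an empty list.
+*/
+public static ImmutableList<HttpRequest> fuzzGetParametersExpectingPathValues(
+HttpRequest request, String payload) {
+return fuzzGetParameters(
+request, payload, Optional.empty(), ImmutableSet.of(FuzzingModifier.FUZZING_PATHS));
 }
 
 /**
@@ -47,11 +58,14 @@
 * found, return an empty list.
 */
 public static ImmutableList<HttpRequest> fuzzGetParameters(HttpRequest request, String payload) {
-return fuzzGetParameters(request, payload, Optional.empty());
+return fuzzGetParameters(request, payload, Optional.empty(), ImmutableSet.of());
 }
 
 private static ImmutableList<HttpRequest> fuzzGetParameters(
-HttpRequest request, String payload, Optional<String> defaultParameter) {
+HttpRequest request,
+String payload,
+Optional<String> defaultParameter,
+ImmutableSet<FuzzingModifier> modifiers) {
 URI parsedUrl = URI.create(request.url());
 ImmutableList<HttpQueryParameter> queryParams = parseQuery(parsedUrl.getQuery());
 if (queryParams.isEmpty() && defaultParameter.isPresent()) {
@@ -63,24 +77,66 @@
 ImmutableList.of(HttpQueryParameter.create(defaultParameter.get(), payload))))
 .build());
 }
-return fuzzParams(queryParams, payload).stream()
+return fuzzParams(queryParams, payload, modifiers).stream()
 .map(fuzzedParams -> assembleUrlWithQueries(parsedUrl, fuzzedParams))
 .map(fuzzedUrl -> request.toBuilder().setUrl(fuzzedUrl).build())
 .collect(toImmutableList());
 }
 
+private static ImmutableList<HttpQueryParameter> setFuzzedParams(
+ImmutableList<HttpQueryParameter> params, int index, String payload) {
+List<HttpQueryParameter> paramsWithPayload = new ArrayList<>(params);
+paramsWithPayload.set(index, HttpQueryParameter.create(params.get(index).name(), payload));
+return ImmutableList.copyOf(paramsWithPayload);
+}
+
+private static void fuzzParamsWithExtendedPathPayloads(
+ImmutableSet.Builder<ImmutableList<HttpQueryParameter>> builder,
+ImmutableList<HttpQueryParameter> params,
+int index,
+String payload) {
+int dotLocation = params.get(index).value().lastIndexOf('.');
+if (dotLocation != -1) {
+builder.add(
+setFuzzedParams(
+params, index, payload + "%00" + params.get(index).value().substring(dotLocation)));
+}
+
+int slashLocation = params.get(index).value().lastIndexOf('/');
+if (slashLocation != -1) {
+builder.add(
+setFuzzedParams(
+params, index, params.get(index).value().substring(0, slashLocation + 1) + payload));
+}
+
+if (dotLocation != -1 && slashLocation != -1 && slashLocation < dotLocation) {
+builder.add(
+setFuzzedParams(
+params,
+index,
+params.get(index).value().substring(0, slashLocation + 1)
++ payload
++ "%00"
++ params.get(index).value().substring(dotLocation)));
+}
+}
+
 private static ImmutableSet<ImmutableList<HttpQueryParameter>> fuzzParams(
-ImmutableList<HttpQueryParameter> params, String payload) {
-ImmutableSet.Builder<ImmutableList<HttpQueryParameter>> fuzzedParamsbuilder =
+ImmutableList<HttpQueryParameter> params,
+String payload,
+ImmutableSet<FuzzingModifier> modifiers) {
+ImmutableSet.Builder<ImmutableList<HttpQueryParameter>> fuzzedParamsBuilder =
 ImmutableSet.builder();
 
 for (int i = 0; i < params.size(); i++) {
-List<HttpQueryParameter> paramsWithPayload = new ArrayList<>(params);
-paramsWithPayload.set(i, HttpQueryParameter.create(params.get(i).name(), payload));
-fuzzedParamsbuilder.add(ImmutableList.copyOf(paramsWithPayload));
+fuzzedParamsBuilder.add(setFuzzedParams(params, i, payload));
+
+if (modifiers.contains(FuzzingModifier.FUZZING_PATHS)) {
+fuzzParamsWithExtendedPathPayloads(fuzzedParamsBuilder, params, i, payload);
+}
 }
 
-return fuzzedParamsbuilder.build();
+return fuzzedParamsBuilder.build();
 }
 
 public static ImmutableList<HttpQueryParameter> parseQuery(String query) {
@@ -134,6 +190,10 @@
 public static HttpQueryParameter create(String name, String value) {
 return new AutoValue_FuzzingUtils_HttpQueryParameter(name, value);
 }
+}
+
+enum FuzzingModifier {
+FUZZING_PATHS;
 }
 
 private FuzzingUtils() {}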
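Review bot: The file-extension branch of fuzzParamsWithExtendedPathPayloads (new lines 98-103) triggers on any dot in the value, including one inside a directory name such as `resources.d/value`, and then emits `<payload>%00.d/value` although the new javadoc only promises to keep file extensions; the combined branch on line 112 already guards this with `slashLocation < dotLocation`, so the first branch should apply the same guard, e.g. compute `slashLocation` first and use `if (dotLocation != -1 && dotLocation > slashLocation) {`. Whether the literal `%00` (presumably meant as a null-byte truncation of the real extension) reaches the target as a single encoded byte depends on how assembleUrlWithQueries, outside this hunk, treats `%` in values — if it percent-encodes it again the request carries `%2500` and the variant is inert, so a test on the assembled URL would settle it. The same applies to values that arrive still percent-encoded from parseQuery, where `%2F` is not found by `lastIndexOf('/')`. Minor: the new javadoc has a typo, `extesions` → `extensions`.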
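--- a/common/src/test/java/com/google/tsunami/common/net/FuzzingUtilsTest.java
+++ b/common/src/test/java/com/google/tsunami/common/net/FuzzingUtilsTest.java
@@ -70,6 +70,65 @@
 }
 
 @Test
+public void
+fuzzGetParametersExpectingPathValues_whenGetParameterValueHasFileExtension_appendsFileExtensionToPayload() {
+HttpRequest requestWithFileExtension =
+HttpRequest.get("https://google.com?key=value.jpg").withEmptyHeaders().build();
+HttpRequest requestWithFuzzedGetParameterWithFileExtension =
+HttpRequest.get("https://google.com?key=<payload>%00.jpg").withEmptyHeaders().build();
+
+assertThat(
+FuzzingUtils.fuzzGetParametersExpectingPathValues(
+requestWithFileExtension, "<payload>"))
+.contains(requestWithFuzzedGetParameterWithFileExtension);
+}
+
+@Test
+public void
+fuzzGetParametersExpectingPathValues_whenGetParameterValueHasPathPrefix_prefixesPayload() {
+HttpRequest requestWithPathPrefix =
+HttpRequest.get("https://google.com?key=resources/value").withEmptyHeaders().build();
+HttpRequest requestWithFuzzedGetParameterWithPathPrefix =
+HttpRequest.get("https://google.com?key=resources/<payload>").withEmptyHeaders().build();
+
+assertThat(
+FuzzingUtils.fuzzGetParametersExpectingPathValues(requestWithPathPrefix, "<payload>"))
+.contains(requestWithFuzzedGetParameterWithPathPrefix);
+}
+
+@Test
+public void
+fuzzGetParametersExpectingPathValues_whenGetParameterValueHasPathPrefixAndFileExtension_prefixesPayloadAndAppendsFileExtension() {
+HttpRequest requestWithPathPrefixAndFileExtension =
+HttpRequest.get("https://google.com?key=resources/value.jpg").withEmptyHeaders().build();
+HttpRequest requestWithFuzzedGetParameterWithPathPrefixAndFileExtension =
+HttpRequest.get("https://google.com?key=resources/<payload>%00.jpg")
+.withEmptyHeaders()
+.build();
+
+assertThat(
+FuzzingUtils.fuzzGetParametersExpectingPathValues(
+requestWithPathPrefixAndFileExtension, "<payload>"))
+.contains(requestWithFuzzedGetParameterWithPathPrefixAndFileExtension);
+}
+
+@Test
+public void
+fuzzGetParametersExpectingPathValues_whenGetParameterValueHasPathPrefixOrFileExtension_prefixesPayloadOrAppendsFileExtension() {
+HttpRequest requestWithPathPrefixOrFileExtension =
+HttpRequest.get("https://google.com?key=resources./value").withEmptyHeaders().build();
+HttpRequest requestWithFuzzedGetParameterWithPathPrefixAndFileExtension =
+HttpRequest.get("https://google.com?key=resources./<payload>%00./value")
+.withEmptyHeaders()
+.build();
+
+assertThat(
+FuzzingUtils.fuzzGetParametersExpectingPathValues(
+requestWithPathPrefixOrFileExtension, "<payload>"))
+.doesNotContain(requestWithFuzzedGetParameterWithPathPrefixAndFileExtension);
+}
+
+@Test
 public void fuzzGetParameters_whenNoGetParameters_returnsEmptyList() {
 assertThat(FuzzingUtils.fuzzGetParameters(REQUEST_WITHOUT_GET_PARAMETERS, "<payload>"))
 .isEmpty();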
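Review bot: The last new test (new lines 115-129) only asserts that the combined prefix-and-extension variant is absent for `resources./value`; it never pins what is produced, and by the extension branch of fuzzParamsWithExtendedPathPayloads the dot inside the directory name also yields `key=<payload>%00./value`, which looks unintended and would pass this test unnoticed. An exact assertion on the returned list would lock the intended set in, e.g. `.containsExactly(plainPayloadRequest, requestWithPathPrefix)` with `key=<payload>` and `key=resources./<payload>` as the two expected URLs, adjusted once the extension branch is guarded. None of the four new tests checks that the plain `key=<payload>` request is still emitted alongside the path variants, nor that a value with neither dot nor slash yields only that request, so one more case covering each would be cheap.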