@appland/scanner 1.67.0 → 1.69.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +28 -0
- package/built/cli/scan/breakpoint.js +65 -0
- package/built/cli/scan/command.js +28 -18
- package/built/cli/scan/interactiveScan.js +34 -0
- package/built/cli/scan/singleScan.js +6 -14
- package/built/cli/scan/ui/interactiveProgess.js +147 -0
- package/built/cli/scan/ui/scanContext.js +67 -0
- package/built/cli/scan/ui/state/addBreakpoint.js +120 -0
- package/built/cli/scan/ui/state/eval.js +41 -0
- package/built/cli/scan/ui/state/hint.js +23 -0
- package/built/cli/scan/ui/state/hitBreakpoint.js +68 -0
- package/built/cli/scan/ui/state/initial.js +58 -0
- package/built/cli/scan/ui/state/scan.js +33 -0
- package/built/cli/scan/ui/state.js +2 -0
- package/built/cli/scan/ui/userInteraction.js +97 -0
- package/built/progressReporter.js +2 -0
- package/built/ruleChecker.js +22 -10
- package/built/rules/deserializationOfUntrustedData.js +52 -35
- package/built/rules/lib/analyzeDataFlow.js +80 -0
- package/built/rules/lib/parseRuleDescription.js +4 -1
- package/built/rules/lib/util.js +32 -2
- package/doc/rules/deserialization-of-untrusted-data.md +28 -8
- package/doc/rules/http-500.md +1 -1
- package/package.json +3 -1
|
@@ -10,18 +10,35 @@ labels:
|
|
|
10
10
|
- deserialize.unsafe
|
|
11
11
|
- deserialize.safe
|
|
12
12
|
- deserialize.sanitize
|
|
13
|
+
scope: http_server_request
|
|
13
14
|
---
|
|
14
15
|
|
|
15
16
|
Finds occurrances of deserialization in which the mechanism employed is known to be unsafe, and the
|
|
16
|
-
data
|
|
17
|
+
data comes from an untrusted source and hasn't passed through a sanitization mechanism.
|
|
17
18
|
|
|
18
19
|
### Rule logic
|
|
19
20
|
|
|
20
|
-
Finds all events labeled `deserialize.unsafe
|
|
21
|
-
|
|
21
|
+
Finds all events labeled `deserialize.unsafe` that receive tainted data (as
|
|
22
|
+
determined by object identity or string value) as an input.
|
|
22
23
|
|
|
23
|
-
|
|
24
|
-
|
|
24
|
+
For each of these events; checks if all the inputs have been sanitized.
|
|
25
|
+
|
|
26
|
+
Data that has been passed to a function labeled `deserialize.sanitize` is
|
|
27
|
+
assumed to be sanitized from this point onwards. Such a function could either
|
|
28
|
+
check the value is sanitized (note no verification is currently done to ensure
|
|
29
|
+
this result is checked) or return the transformed value after any necessary sanitization.
|
|
30
|
+
|
|
31
|
+
Data passed to a function labeled `deserialized.safe` is considered in all
|
|
32
|
+
functions called by it (down the callstack). Functions that first sanitize data
|
|
33
|
+
and then use an unsafe deserialization function should carry this label.
|
|
34
|
+
|
|
35
|
+
The set of tracked tainted data initially includes the HTTP message parameters
|
|
36
|
+
and is expanded to include any non-primitive (ie. longer than 5 characters)
|
|
37
|
+
observed outputs of functions that consume tainted data.
|
|
38
|
+
|
|
39
|
+
The reliability of this rule now depends on completeness of the AppMap.
|
|
40
|
+
If there is a data transformation that is not captured it's invisible to the
|
|
41
|
+
rule and will result in failure to associate it with the tracked untrusted data.
|
|
25
42
|
|
|
26
43
|
### Notes
|
|
27
44
|
|
|
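Review bot: `deserialized.safe` in the Rule logic paragraph ("Data passed to a function labeled `deserialized.safe` is considered in all functions called by it") does not match the label declared in the front matter, `deserialize.safe`; labels are matched by exact name, so a reader who copies the documented spelling gets no suppression at all. Fix the spelling. Two caveats in the same paragraph deserve sharper wording: a `deserialize.sanitize` function whose boolean result is never checked still marks its input as sanitized ("no verification is currently done to ensure this result is checked"), so a validator whose return value the caller ignores silences the finding; and "non-primitive (ie. longer than 5 characters)" is a length heuristic, not a type test, so tainted values of five characters or fewer (short IDs, flags) drop out of tracking while any longer observed output of a function that merely received tainted data is tracked as tainted. Write "i.e." and say plainly that it is a heuristic. With `scope: http_server_request` added and the taint seed limited to "the HTTP message parameters", unsafe deserialization reached from other entry points (background jobs, queue consumers) is outside this rule, yet the intro still promises "data comes from an untrusted source"; name the HTTP-only scope there. Minor: "For each of these events; checks" wants a comma, and the unchanged context line "occurrances" is misspelled.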
@@ -30,9 +47,12 @@ that executes code shortly after deserialization.
|
|
|
30
47
|
|
|
31
48
|
### Resolution
|
|
32
49
|
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
50
|
+
Consider if the library you're using offers a safe deserialization function variant that you can
|
|
51
|
+
use instead. Using unsafe functions is only rarely needed and typically requires a good reason.
|
|
52
|
+
|
|
53
|
+
If you need to use the unsafe function, make sure you're able to handle unexpected input safely.
|
|
54
|
+
Sanitize the data thoroughly first; label the sanitization function with `deserialize.sanitize` label
|
|
55
|
+
or wrap the whole sanitization and deserialization logic in a function labeled `deserialize.safe`.
|
|
36
56
|
|
|
37
57
|
If you need to deserialize untrusted data, JSON is often a good choice as it is only capable of
|
|
38
58
|
returning ‘primitive’ types such as strings, arrays, hashes, numbers and nil. If you need to
|
package/doc/rules/http-500.md
CHANGED
|
@@ -8,7 +8,7 @@ impactDomain: Stability
|
|
|
8
8
|
scope: http_server_request
|
|
9
9
|
---
|
|
10
10
|
|
|
11
|
-
Identifies when an HTTP server
|
|
11
|
+
Identifies when an HTTP server request has returned a 500 status code. HTTP 500 status code
|
|
12
12
|
generally indicate an unanticipated problem in the backend that is not handled in a predictable way.
|
|
13
13
|
500 status codes are also hard for client code to handle, because they don't indicate any particular
|
|
14
14
|
problem or suggest a solution.
|
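Review bot: The added line ends with "HTTP 500 status code" but the unchanged next line continues "generally indicate an unanticipated problem", so the sentence now reads "HTTP 500 status code generally indicate"; make the subject plural ("HTTP 500 status codes") so it agrees with the existing verb and with "500 status codes are also hard" two lines later.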
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@appland/scanner",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.69.1",
|
|
4
4
|
"description": "",
|
|
5
5
|
"bin": "built/cli.js",
|
|
6
6
|
"files": [
|
|
@@ -63,12 +63,14 @@
|
|
|
63
63
|
"ajv": "^8.8.2",
|
|
64
64
|
"applicationinsights": "^2.1.4",
|
|
65
65
|
"async": "^3.2.3",
|
|
66
|
+
"boxen": "^5.0.1",
|
|
66
67
|
"chalk": "^4.1.2",
|
|
67
68
|
"chokidar": "applandinc/chokidar#fix/new-file-new-directory-race-on-linux",
|
|
68
69
|
"cli-progress": "^3.11.0",
|
|
69
70
|
"conf": "^10.0.2",
|
|
70
71
|
"form-data": "^4.0.0",
|
|
71
72
|
"glob": "7.2.3",
|
|
73
|
+
"inquirer": "^8.1.2",
|
|
72
74
|
"js-yaml": "^4.1.0",
|
|
73
75
|
"lru-cache": "^6.0.0",
|
|
74
76
|
"minimatch": "^3.0.4",
|
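Review bot: `boxen` and `inquirer` are added as runtime `dependencies`, so every install of the scanner pulls them and their transitive trees even for non-interactive use such as CI; if they are needed only by the new interactive scan UI under `built/cli/scan/ui/`, consider lazy-requiring them there or at least calling out the added dependency surface in the CHANGELOG, and the changed-file list shows no lockfile update alongside them. While in this block: `chokidar` still resolves to a git branch (`applandinc/chokidar#fix/new-file-new-directory-race-on-linux`) rather than a commit SHA or a published version, so installs are not reproducible and a force-push to that branch changes what users run; pin it. `glob` is the only exact pin (`"7.2.3"`) among caret ranges, which is fine if intentional but worth a comment.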