Description
Preflight Checklist
- I agree to follow the Code of Conduct that this project adheres to.
- I have searched the issue tracker for an issue that matches the one I want to file, without success.
- I am not looking for support or already pursued the available support channels without success.
Version
1.9.1
Installation Type
Official SaaS Service
Service Name
DongTai-agent-java
Describe the details of the bug and the steps to reproduce it
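Yesterday I filed an issue about the addSourceType method of SSRFSourceCheck only ever returning false.
Reading the code today, I have a new question.
In the scan function of DynamicPropagatorScanner: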
```java
boolean serviceCall = false;
for (ServiceTrace serviceTrace : SERVICE_TRACES) { // HttpService()
    if (serviceTrace.match(event, sinkNode)) {
        serviceCall = true;
        serviceTrace.addTrace(event, sinkNode);
    }
}
boolean hit = sinkSourceHitTaintPool(event, sinkNode);
if (serviceCall || hit) {
    ....
    EngineManager.TRACK_MAP.addTrackMethod(invokeId, event);
}
```
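Because the addSourceType method of SSRFSourceCheck only returns false, and only HttpService in SERVICE_TRACES matches,
if the SSRF issues a non-HTTP request (such as FTP or some other request), TRACK_MAP will not record the methodEvent, and the server side cannot get the methodEvent of the sink point.
So I ran a test, but found that when location is an ftp-protocol URL, the sink point is not matched at all: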
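```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;
import java.util.stream.Collectors;

// Test endpoint: fetches whatever URL the caller supplies in `location`.
protected String ssrf(String location) {
    try {
        URL url = new URL(location);
        // The concrete URLConnection subclass depends on the URL's protocol.
        URLConnection connection = url.openConnection();
        BufferedReader reader = new BufferedReader(new InputStreamReader(connection.getInputStream()));
        System.out.println("ssrf " + location);
        String body = reader.lines().collect(Collectors.joining());
        return location;
    } catch (Exception e) {
        // Errors are ignored in this test case.
    }
    return location;
}
```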
When an http link is passed as location, the sinkPolicy hits sun.net.www.protocol.http.HttpURLConnection.getInputStream.
When an ftp link is passed, the sinkPolicy fails to hit sun.net.www.protocol.ftp.FtpURLConnection.getInputStream.
Additional Information
No response
Logs
No response
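
The class mismatch reported above can be observed without any network traffic, because `URL.openConnection()` only selects the protocol handler and does not connect. This is an added example, not code from the issue author or the DongTai project; the class name `SinkCoverageCheck`, the one-entry `SINK_POLICY` set and the superclass-walk matching are assumptions for illustration and do not describe how the agent itself matches sinks.

```java
import java.net.URL;
import java.net.URLConnection;
import java.util.List;
import java.util.Set;

public class SinkCoverageCheck {
    // Constructed sample policy: only the sink signature the issue reports as hitting.
    static final Set<String> SINK_POLICY = Set.of(
        "sun.net.www.protocol.http.HttpURLConnection.getInputStream");

    /** Concrete class returned by openConnection(); no connection is opened here. */
    static Class<?> connectionClass(String location) throws Exception {
        URLConnection connection = new URL(location).openConnection();
        return connection.getClass();
    }

    /** Walk the superclass chain; return the first policy entry that names one of them, or null. */
    static String coveringRule(Class<?> cls, String method) {
        for (Class<?> k = cls; k != null; k = k.getSuperclass()) {
            String signature = k.getName() + "." + method;
            if (SINK_POLICY.contains(signature)) {
                return signature;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs; example.invalid is never contacted.
        List<String> locations = List.of(
            "http://example.invalid/resource",
            "ftp://example.invalid/resource");
        for (String location : locations) {
            Class<?> cls = connectionClass(location);
            // Class that actually declares the method an instrumentation rule would have to name.
            String declaring = cls.getMethod("getInputStream").getDeclaringClass().getName();
            String rule = coveringRule(cls, "getInputStream");
            System.out.println(location);
            System.out.println("  connection class : " + cls.getName());
            System.out.println("  getInputStream in: " + declaring);
            System.out.println("  policy coverage  : " + (rule == null ? "NOT COVERED" : rule));
        }
    }
}
```

Adding further signatures to `SINK_POLICY` and rerunning shows which entries would be needed for each protocol handler to be covered under this simplified matching model.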
