Merge pull request #212 from LoRexxar/develop

update 2.6.4.2
LoRexxar · Mar 2, 2022 · da516c0 · da516c0
2 parents 06a68cf + bd3ba14
commit da516c0
Show file tree

Hide file tree

Showing 7 changed files with 94 additions and 31 deletions.
diff --git a/core/__version__.py b/core/__version__.py
@@ -7,7 +7,7 @@
 __issue_page__ = 'https://github.com/LoRexxar/Kunlun-M/issues/new'
 __python_version__ = sys.version.split()[0]
 __platform__ = platform.platform()
-__version__ = '2.6.4.1'
+__version__ = '2.6.4.2'
 __author__ = 'LoRexxar'
 __author_email__ = 'LoRexxar@gmail.com'
 __license__ = 'MIT License'

diff --git a/core/core_engine/php/parser.py b/core/core_engine/php/parser.py
@@ -819,8 +819,25 @@ def parameters_back(param, nodes, function_params=None, lineno=0,
                 code = "{}={}?{}:{}".format(param_name, param_ex, terna1, terna2)
                 scan_chain.append(('TernaryOp', code, file_path, node.lineno))
 
-                param = node.expr
-                is_co = 3
+                # 没办法判断这种三元条件的结果
+                # 如果1是可控，则1，如果2是可控则2
+                # 如果1和2中有-1，则选另一个
+                # 否则选1
+
+                is_co, cp = is_controllable(terna1)
+                if is_co == 1:
+                    param = terna1
+                else:
+                    is_co2, cp = is_controllable(terna2)
+
+                    if is_co2 == 1:
+                        param = terna2
+
+                    else:
+                        if is_co == -1:
+                            param = terna2
+                        else:
+                            param = terna1
 
             if param_name == param_node and isinstance(node.expr, php.FunctionCall):  # 当变量来源是函数时，处理函数内容
                 function_name = node.expr.name
@@ -909,6 +926,14 @@ def parameters_back(param, nodes, function_params=None, lineno=0,
                 if param_name in param_expr:
                     logger.debug("[AST] param {} in list {}, continue...".format(param_name, param_expr))
 
+                    # 如果列表中直接就有可控变量，先算作漏洞
+                    for p in param_expr:
+                        is_co, cp = is_controllable(p)
+
+                        if is_co == 1:
+                            param = p
+                            return is_co, cp, expr_lineno
+
                     is_co = 3
                     cp = param
 

diff --git a/core/engine.py b/core/engine.py
@@ -178,7 +178,6 @@ def store(result):
             logger.debug('[SCAN] [STORE] Not found vulnerabilities on this rule!')
 
     async def start_scan(target_directory, rule, files, language, tamper_name):
-
         result = scan_single(target_directory, rule, files, language, tamper_name, is_unconfirm, newcore_function_list)
         store(result)
 
@@ -444,6 +443,7 @@ def origin_results(self):
                 if match:
                     f = FileParseAll(self.files, self.target_directory, language=self.lan)
                     result = f.grep(match)
+
                 else:
                     result = None
             except Exception as e:

diff --git a/core/vendors.py b/core/vendors.py
@@ -87,7 +87,7 @@ def get_project_by_version(vendor_name, vendor_version):
     is_need_version_check = True
     result_project = {}
 
-    if vendor_version == 'latest':
+    if vendor_version == 'unknown':
         is_need_version_check = False
 
     vendor_version = abstract_version(vendor_version)
@@ -100,7 +100,7 @@ def get_project_by_version(vendor_name, vendor_version):
     for pv in pvs:
         # pv_versions = pv.version.split(',')
 
-        if not is_need_version_check or compare_vendor(pv.version, vendor_version):
+        if is_need_version_check and compare_vendor(pv.version, vendor_version):
             pid = pv.project_id
             project = Project.objects.filter(id=pid).first()
 
@@ -210,6 +210,7 @@ def __init__(self, task_id, project_id, target, files):
         # 检查列表
         self.get_vendor_file()
         self.exist_file_list = list(set(self.exist_file_list))
+        self.exist_file_list = sorted(self.exist_file_list, key=lambda i:len(i))
 
         if len(self.exist_file_list):
             self.check_vendor()
@@ -271,6 +272,8 @@ def check_vendor(self):
                 f.seek(0, os.SEEK_SET)
                 savefilepath = filepath.replace(self.target_path, "").replace('\\', '/')
 
+                logger.info("[Vendor] Parse File {}.".format(savefilepath))
+
                 if filename == "requirements.txt":
 
                     for line in f:
@@ -362,9 +365,31 @@ def check_vendor(self):
                         default_xpath_reg = ".//parent"
 
                     parents = root.findall(default_xpath_reg)
-                    default_version = "lastest"
+                    default_version = "unknown"
+                    project_version = "unknown"
                     for parent in parents:
-                        default_version = parent.getchildren()[2].text
+                        project_groupid = parent.getchildren()[0].text
+                        project_artifactId = parent.getchildren()[1].text
+                        project_version = parent.getchildren()[2].text
+
+                        # project version 格式检查
+                        var_reg = "\${([\w\.\_-]+)}"
+                        if re.search(var_reg, project_version, re.I):
+                            p2 = re.compile(var_reg)
+                            matchs = p2.finditer(project_version)
+
+                            for match in matchs:
+                                varname = match.group(1)
+
+                                if varname in self.java_temp_vendor_list:
+                                    project_version = self.java_temp_vendor_list[varname]
+                                    continue
+
+                        # project 依赖版本也可以加入全局表
+                        vendor_name = "{}.{}".format(project_groupid, project_artifactId)
+                        self.java_temp_vendor_list[vendor_name] = project_version
+                        update_and_new_project_vendor(self.project_id, name=vendor_name, version=project_version,
+                                                      language=language, source=savefilepath, ext=ext)
 
                     # 匹配通用配置
                     if pom_ns:
@@ -379,6 +404,12 @@ def check_vendor(self):
                         for btag in btags:
                             self.java_temp_vendor_list[btag.tag.replace("{%s}" % pom_ns, "")] = btag.text
 
+                            # 全局表
+                            vendor_name = btag.tag.replace("{%s}" % pom_ns, "")
+                            self.java_temp_vendor_list[vendor_name] = btag.text
+                            update_and_new_project_vendor(self.project_id, name=vendor_name, version=btag.text,
+                                                          language=language, source=savefilepath, ext=ext)
+
                     # 匹配dependency
                     if pom_ns:
                         xpath_reg = ".//{%s}dependency" % pom_ns
@@ -404,33 +435,35 @@ def check_vendor(self):
 
                                 # 处理内置变量
                                 if varname == "project.version":
-                                    version = default_version
+                                    version = project_version
                                     continue
 
                                 if varname in self.java_temp_vendor_list:
                                     version = self.java_temp_vendor_list[varname]
                                     continue
 
-                                if pom_ns:
-                                    var_xpath_reg = ".//{%s}%s" % (pom_ns, varname)
-                                else:
-                                    var_xpath_reg = ".//%s" % varname
-
-                                varchilds = root.findall(var_xpath_reg)
-
-                                for child in varchilds:
-                                    version = child.text
-                                    ext = varname
-
-                                # 如果没有匹配到，那么需要去数据库查询
-                                if not varchilds:
-                                    pv = ProjectVendors.objects.filter(project_id=self.project_id, ext=varname).first()
-                                    if pv:
-                                        version = pv.version
+                                # if pom_ns:
+                                #     var_xpath_reg = ".//{%s}%s" % (pom_ns, varname)
+                                # else:
+                                #     var_xpath_reg = ".//%s" % varname
+                                #
+                                # varchilds = root.findall(var_xpath_reg)
+
+                                # for child in varchilds:
+                                #     version = child.text
+                                #     ext = varname
+                                #
+                                # # 如果没有匹配到，那么需要去数据库查询
+                                # if not varchilds:
+                                #     pv = ProjectVendors.objects.filter(project_id=self.project_id, ext=varname).first()
+                                #     if pv:
+                                #         version = pv.version
 
                         vendor_name = "{}:{}".format(group_id, artifact_id)
                         vendor_version = version
-                        # ext = "maven"
+                        ext = "mevan"
+
+                        logger.debug("[Vendor][pom.xml] Found Vendor {} vension {} in file {}".format(vendor_name, vendor_version, savefilepath))
 
                         update_and_new_project_vendor(self.project_id, name=vendor_name, version=vendor_version,
                                                       language=language, source=savefilepath, ext=ext)
@@ -487,7 +520,7 @@ def check_vendor(self):
                         ext = "{}.{}".format(node_version, "dependencies")
 
                         update_and_new_project_vendor(self.project_id, name=dependency, version=vendor_version,
-                                                      language=language, ext=savefilepath)
+                                                      language=language, source=savefilepath)
 
                         get_and_save_vendor_vuls(self.task_id, dependency, vendor_version, language, ext)
 
@@ -496,7 +529,7 @@ def check_vendor(self):
                         ext = "{}.{}".format(node_version, "devDependencies")
 
                         update_and_new_project_vendor(self.project_id, name=dependency, version=vendor_version,
-                                                      language=language, ext=savefilepath)
+                                                      language=language, source=savefilepath)
 
                         get_and_save_vendor_vuls(self.task_id, dependency, vendor_version, language, ext)
 

diff --git a/docs/changelog.md b/docs/changelog.md
@@ -294,4 +294,9 @@
     - 为组件数据添加了source字段，标准了组件的来源位置
     - 更新了相应的前端显示
     - 为项目页面做了数据优化，现在不那么烧资源了，并添加了项目搜索功能
-
+- 2022-03-02
+    - KunLun-M 2.6.4.2
+    - 修复了几个PHP的语法支持问题
+    - 修复了组件扫描中关于pom.xml静态扫描的几个语法解析错误
+    - 修改了组件数据储存格式
+    - 从这个版本后不再做小版本的更新，只做bug修复维护，后续会有一个直接更新到3.0的大版本更新
diff --git a/utils/export.py b/utils/export.py
@@ -133,7 +133,7 @@ def write_to_file(target, sid, output_format='', filename=None):
             filename = targetlist[-2]
         else:
             filename = targetlist[-1]
-        filename = DEFAULT_RESULT_PATH + filename + "." + output_format
+        filename = os.path.join(DEFAULT_RESULT_PATH, filename + "." + output_format)
     #     return False
 
     scan_data_file = os.path.join(RUNNING_PATH, '{sid}_data'.format(sid=sid))

diff --git a/web/index/models.py b/web/index/models.py
@@ -111,7 +111,7 @@ def update_and_new_project_vendor(project_id, name, version, language, source=No
         vendor = ProjectVendors.objects.filter(project_id=project_id, hash=hash).first()
 
     if vendor:
-        if vendor.version != version:
+        if vendor.version != version and version != 'unknown':
             logger.debug("[Vendors] Component {} update to version {}".format(name, version))
 
             vendor.version = version