Update README.md
manish-kapur-sonarsource committed Jul 28, 2023
1 parent 82e35ac commit 691db54
Showing 1 changed file with 7 additions and 7 deletions.
14 changes: 7 additions & 7 deletions README.md
@@ -2,22 +2,22 @@

## Storyboard

The goal of this demo is to show the DeepSAST capabilities of the Java engine. We want to highlight that the usage of external libraries can introduce severe security vulnerabilities, which can be detected by Deep SAST.
The goal of this demo is to show the deeper SAST capabilities of the Java engine. We want to highlight that the usage of external libraries can introduce severe security vulnerabilities, which can be detected by Deep SAST.

The demo is a fictive Spring application implementing different functionalities which are vulnerable to security issues detected by our engine. All of these issues contain at least one step where the data flow:

1. originates from a user-controllable source within a library,
2. passes through a library, or
3. ends in a dangerous sink within a library.

Thus these issues are only detected because of the DeepSAST feature of the engine.
Thus these issues are only detected because of the deeper SAST feature of the engine.

There are four issues: two of these are already committed to the main branch of the application. Additionally, there are two pending pull requests (PR), which each introduce another vulnerability. For these issues, the chosen examples aim to demonstrate that the proposed source code in the PR does not look dangerous or security-sensitive and would likely be merged.

### Issue 1 - Session Cookie Handling (main branch)

* Vulnerability Type: Deserialization ([S5135](https://rules.sonarsource.com/java/RSPEC-5135/))
* DeepSAST Dataflow:
* Deeper SAST Dataflow:
* Passthrough: `org.apache.commons.codec.binary.Base64.decodeBase64`

This vulnerability resides within the session cookie handling of the application. A vulnerability is introduced by deserializing user-controllable data from a header (`Session-Auth`), which can be exploited to execute arbitrary code. The data provided in the header is passed through the `decodeBase64` library function before being deserialized.
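Review bot: the rename from "DeepSAST" to "deeper SAST" is incomplete in this hunk: the new first paragraph still ends with "which can be detected by Deep SAST", so one sentence now carries two spellings of the same feature name. Suggest "which can be detected by deeper SAST" so the prose matches the changed bullet `* Deeper SAST Dataflow:` and the later "because of the deeper SAST feature" line. While touching that line, "Thus these issues are only detected because of the deeper SAST feature of the engine" reads more cleanly as "These issues are therefore detected only thanks to the engine's deeper SAST capability".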
@@ -26,7 +26,7 @@ This vulnerability resides within the session cookie handling of the application
### Issue 2 - User Images (main branch)

* Vulnerability Type: Path Injection ([S2083](https://rules.sonarsource.com/java/RSPEC-2083/))
* DeepSAST Dataflow:
* Deeper SAST Dataflow:
* Source: `org.springframework.web.context.request.getRemoteUser`
* Passthrough: `org.apache.tomcat.util.buf.UDecoder.URLDecode`
* Sink: `cn.hutool.cache.file.LRUFileCache.getFileBytes`
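Review bot: the `Source:` entry `org.springframework.web.context.request.getRemoteUser` gives a package and a method but no declaring class, unlike the passthrough (`org.apache.tomcat.util.buf.UDecoder.URLDecode`) and sink (`cn.hutool.cache.file.LRUFileCache.getFileBytes`) entries in the same list. Since these bullets are what a reader uses to locate the library step, please add the class (presumably `WebRequest`, if that is the type the engine flags) so the entry is a resolvable fully qualified name, consistent with the other two.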
@@ -37,15 +37,15 @@ This vulnerability resides within the code responsible for retrieving user image
### Issue 3 - User Migration (PR 1 - Introduce user migration feature)

* Vulnerability Type: SQL Injection ([S3649](https://rules.sonarsource.com/java/RSPEC-3649/))
* DeepSAST Dataflow:
* Deeper SAST Dataflow:
* Sink: `com.mysql.cj.jdbc.ConnectionImpl.setSavepoint`

This PR adds a feature to migrate users from the existing H2 database to MySQL. Although the proposed change does not seem to contain any vulnerabilities, the `setSavepoint` library function is vulnerable to SQL injection if the passed argument is user-controllable. Thus this PR introduces a critical vulnerability due to the usage of the unsafe library function.

### Issue 4 - XML User Import (PR 2 - Allow the import of users)

* Vulnerability Type: Deserialization ([S5135](https://rules.sonarsource.com/java/RSPEC-5135/))
* DeepSAST Dataflow:
* Deeper SAST Dataflow:
* Sink: `ca.odell.glazedlists.impl.io.BeanXMLByteCoder.decode`

This PR adds a new feature to import users from an XML file. Although the code itself does not seem to contain any vulnerabilities, the `decode` library function is vulnerable to deserialization if the passed argument is user-controllable. Thus this PR introduces a critical vulnerability due to the usage of the unsafe library function.
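Review bot: for Issues 3 and 4 the prose never says where the user-controllable input enters before it reaches the listed sink (`setSavepoint`, `decode`), so a reader cannot check the claim that "the passed argument is user-controllable". The dataflow bullets deliberately list only the library steps, which is fine, but one sentence per issue naming the application-side input would close the gap: for Issue 3, which migrated value ends up as the savepoint name; for Issue 4, that the content of the imported XML file is the argument handed to `decode`. Minor wording in the Issue 4 paragraph: "vulnerable to deserialization" should read "vulnerable to insecure deserialization" or "performs unsafe deserialization".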
@@ -72,7 +72,7 @@ The first two issues will be displayed on the `main` branch and the other two is

## Real-World Examples

This table contains examples of DeepSAST findings in real-world projects:
This table contains examples of deeper SAST findings in real-world projects:

| Link | Lang | Project | Issue type | Comment |
| --- | --- | --- | --- | --- |

0 comments on commit 691db54