diff --git a/dongtai_agent_python/policy/tracking.py b/dongtai_agent_python/policy/tracking.py index 9e28e64..50592dd 100644 --- a/dongtai_agent_python/policy/tracking.py +++ b/dongtai_agent_python/policy/tracking.py @@ -90,8 +90,15 @@ def apply(self, args, kwargs, target): source_ids = recurse_tracking(source, self.node_type) if self.node_type != const.NODE_TYPE_SOURCE: - # if len([item for item in source_ids if item in self.context.taint_ids]) == 0: - if len(list(set(self.context.taint_ids) & set(source_ids))) == 0: + if self.signature in const.CRYPTO_BAD_CIPHER_NEW: + pass + elif (self.signature.startswith('Crypto.Cipher._mode_') or + self.signature.startswith('Cryptodome.Cipher._mode_')) and \ + self.signature.endswith('Mode.encrypt'): + for sid in source_ids: + if sid not in self.context.taint_ids: + return + elif len(list(set(self.context.taint_ids) & set(source_ids))) == 0: return self.get_caller(-4) 
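Review bot: In the new `Mode.encrypt` branch of `apply`, an empty `source_ids` runs the `for` loop zero times and falls through, so the call is recorded with nothing tainted behind it, while the generic `elif` below returns on an empty intersection. Whether `recurse_tracking` can return an empty result for these signatures is not visible here, but the guard is cheap: `if not source_ids or any(sid not in self.context.taint_ids for sid in source_ids):` followed by `return`. The branch also demands that every id is tainted where the generic path needs only one, and the `pass` branch skips the taint check altogether for the `CRYPTO_BAD_CIPHER_NEW` constructors; if that is the design, say so in comments, e.g. `# weak-cipher constructors always propagate` and `# report only when cipher object and plaintext are both tracked`. `apply` starts and ends outside the hunk.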
@@ -148,6 +155,20 @@ def processing_invoke_args(signature=None, come_args=None, come_kwargs=None):
 'pymongo.collection.Collection.find': {'args': [1], 'kwargs': ['filter']},
 'ldap3.core.connection.Connection.search': {'args': [2], 'kwargs': ['search_filter']},
 'ldap.ldapobject.SimpleLDAPObject.search_ext': {'args': [3], 'kwargs': ['filterstr']},
+ 'Crypto.Cipher._mode_cbc.CbcMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+ 'Crypto.Cipher._mode_cfb.CfbMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+ 'Crypto.Cipher._mode_ctr.CtrMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+ 'Crypto.Cipher._mode_eax.EaxMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+ 'Crypto.Cipher._mode_ecb.EcbMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+ 'Crypto.Cipher._mode_ofb.OfbMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+ 'Crypto.Cipher._mode_openpgp.OpenPgpMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+ 'Cryptodome.Cipher._mode_cbc.CbcMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+ 'Cryptodome.Cipher._mode_cfb.CfbMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+ 'Cryptodome.Cipher._mode_ctr.CtrMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+ 'Cryptodome.Cipher._mode_eax.EaxMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+ 'Cryptodome.Cipher._mode_ecb.EcbMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+ 'Cryptodome.Cipher._mode_ofb.OfbMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
+ 'Cryptodome.Cipher._mode_openpgp.OpenPgpMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
 }
 context = CONTEXT_TRACKER.current()
diff --git a/dongtai_agent_python/policy_api.json b/dongtai_agent_python/policy_api.json
index 4ae7292..c8b9f63 100644
--- a/dongtai_agent_python/policy_api.json
+++ b/dongtai_agent_python/policy_api.json
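Review bot: The fourteen new entries in the table inside `processing_invoke_args` use `'args': [0, 1]` with no explanation, and judging by the neighbouring `Collection.find` entry (`[1]` for `filter`) index 0 is the bound cipher object rather than data. A comment such as `# encrypt: index 0 is the cipher object (self), index 1 the plaintext` would make clear why the receiver is tracked and how this lines up with `P1,2,plaintext` in `policy_api.json`. The same signatures are now spelled out in this table, in the policy file and as a prefix/suffix test in `apply`, so a mode added in one place can silently miss the others. The function body continues outside the hunk.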
@@ -296,6 +296,111 @@
 }
 ]
 },
+ {
+ "type": 4,
+ "enable": 1,
+ "value": "crypto-bad-cipher",
+ "details": [
+ {
+ "source": "P1,2,plaintext",
+ "track": "true",
+ "target": "",
+ "value": "Crypto.Cipher._mode_cbc.CbcMode.encrypt",
+ "inherit": "false"
+ },
+ {
+ "source": "P1,2,plaintext",
+ "track": "true",
+ "target": "",
+ "value": "Crypto.Cipher._mode_cfb.CfbMode.encrypt",
+ "inherit": "false"
+ },
+ {
+ "source": "P1,2,plaintext",
+ "track": "true",
+ "target": "",
+ "value": "Crypto.Cipher._mode_ctr.CtrMode.encrypt",
+ "inherit": "false"
+ },
+ {
+ "source": "P1,2,plaintext",
+ "track": "true",
+ "target": "",
+ "value": "Crypto.Cipher._mode_eax.EaxMode.encrypt",
+ "inherit": "false"
+ },
+ {
+ "source": "P1,2,plaintext",
+ "track": "true",
+ "target": "",
+ "value": "Crypto.Cipher._mode_ecb.EcbMode.encrypt",
+ "inherit": "false"
+ },
+ {
+ "source": "P1,2,plaintext",
+ "track": "true",
+ "target": "",
+ "value": "Crypto.Cipher._mode_ofb.OfbMode.encrypt",
+ "inherit": "false"
+ },
+ {
+ "source": "P1,2,plaintext",
+ "track": "true",
+ "target": "",
+ "value": "Crypto.Cipher._mode_openpgp.OpenPgpMode.encrypt",
+ "inherit": "false"
+ },
+ {
+ "source": "P1,2,plaintext",
+ "track": "true",
+ "target": "",
+ "value": "Cryptodome.Cipher._mode_cbc.CbcMode.encrypt",
+ "inherit": "false"
+ },
+ {
+ "source": "P1,2,plaintext",
+ "track": "true",
+ "target": "",
+ "value": "Cryptodome.Cipher._mode_cfb.CfbMode.encrypt",
+ "inherit": "false"
+ },
+ {
+ "source": "P1,2,plaintext",
+ "track": "true",
+ "target": "",
+ "value": "Cryptodome.Cipher._mode_ctr.CtrMode.encrypt",
+ "inherit": "false"
+ },
+ {
+ "source": "P1,2,plaintext",
+ "track": "true",
+ "target": "",
+ "value": "Cryptodome.Cipher._mode_eax.EaxMode.encrypt",
+ "inherit": "false"
+ },
+ {
+ "source": "P1,2,plaintext",
+ "track": "true",
+ "target": "",
+ "value": "Cryptodome.Cipher._mode_ecb.EcbMode.encrypt",
+ "inherit": "false"
+ },
+ {
+ "source": "P1,2,plaintext",
+ "track": "true",
+ "target": "",
+ "value": "Cryptodome.Cipher._mode_ofb.OfbMode.encrypt",
+ "inherit": "false"
+ },
+ {
+ "source": "P1,2,plaintext",
+ "track": "true",
+ "target": "",
+ "value": "Cryptodome.Cipher._mode_openpgp.OpenPgpMode.encrypt",
+ "inherit": "false"
+ }
+ ]
+ },
 {
 "type": 2,
 "enable": 1,
@@ -713,6 +818,34 @@
 "target": "R",
 "value": "django.template.base.render_value_in_context",
 "inherit": "false"
+ },
+ {
+ "source": "P",
+ "track": "true",
+ "target": "R",
+ "value": "Crypto.Cipher.Blowfish.new",
+ "inherit": "false"
+ },
+ {
+ "source": "P",
+ "track": "true",
+ "target": "R",
+ "value": "Crypto.Cipher.DES.new",
+ "inherit": "false"
+ },
+ {
+ "source": "P",
+ "track": "true",
+ "target": "R",
+ "value": "Cryptodome.Cipher.Blowfish.new",
+ "inherit": "false"
+ },
+ {
+ "source": "P",
+ "track": "true",
+ "target": "R",
+ "value": "Cryptodome.Cipher.DES.new",
+ "inherit": "false"
 }
 ]
 },
diff --git a/dongtai_agent_python/setting/const.py b/dongtai_agent_python/setting/const.py
index a9ca9ba..7d68ce7 100644
--- a/dongtai_agent_python/setting/const.py
+++ b/dongtai_agent_python/setting/const.py
@@ -31,6 +31,13 @@
 'builtins.bytearray.__init__',
 ]
+CRYPTO_BAD_CIPHER_NEW = [
+ 'Crypto.Cipher.Blowfish.new',
+ 'Crypto.Cipher.DES.new',
+ 'Cryptodome.Cipher.Blowfish.new',
+ 'Cryptodome.Cipher.DES.new',
+]
+
 RESPONSE_SIGNATURES = [
 'django.http.response.HttpResponse.__init__',
 ]
diff --git a/dongtai_agent_python/tests/vul-test.sh b/dongtai_agent_python/tests/vul-test.sh
index a83d544..a41f716 100755
--- a/dongtai_agent_python/tests/vul-test.sh
+++ b/dongtai_agent_python/tests/vul-test.sh
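Review bot: `CRYPTO_BAD_CIPHER_NEW` in `const.py` lists only the Blowfish and DES constructors, so other legacy ciphers shipped in the same packages, for example `Crypto.Cipher.ARC2.new` and `Crypto.Cipher.ARC4.new`, are not reported by the crypto-bad-cipher rule. If that scope is deliberate, a comment would record it, e.g. `# weak ciphers reported by crypto-bad-cipher; keep in sync with policy_api.json`; extending it would also need matching propagator and sink entries in the policy file. Since `apply` tests membership with `in` on every non-source node, a `frozenset` fits better than a list here.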
@@ -120,3 +120,12 @@ if [[ "x${FRAMEWORK}" == "xflask" ]]; then
 api_get "demo/ldap3_search" "username=*&password=*"
 api_get "demo/ldap3_safe_search" "username=*&password=*"
 fi
+
+headline "crypto-bad-cipher"
+if [[ "x${FRAMEWORK}" == "xflask" ]]; then
+ api_get "demo/crypto/aes" "text=content"
+ api_get "demo/crypto/blowfish" "text=content"
+ api_get "demo/crypto/des" "text=content"
+ api_get "demo/cryptox/blowfish" "text=content"
+ api_get "demo/cryptox/des" "text=content"
+fi