├── .gitignore
├── CHANGELOG.md
├── LICENSE
├── README.md
├── code-inspector-api
    ├── README.md
    ├── pom.xml
    └── src
    │   ├── main
    │       └── java
    │       │   └── code
    │       │       └── inspector
    │       │           └── api
    │       │               ├── CodeInspector.java
    │       │               └── CodeInspectorImpl.java
    │   └── test
    │       └── code
    │           └── inspector
    │               └── api
    │                   └── Test.java
├── code-inspector-build
    ├── README.md
    ├── pom.xml
    └── src
    │   └── main
    │       └── java
    │           └── code
    │               └── inspector
    │                   └── Build.java
├── code-inspector-const
    ├── README.md
    ├── pom.xml
    └── src
    │   └── main
    │       └── java
    │           └── code
    │               └── inspector
    │                   └── core
    │                       ├── Const.java
    │                       └── Taint.java
├── code-inspector-core
    ├── README.md
    ├── pom.xml
    └── src
    │   └── main
    │       └── java
    │           └── code
    │               └── inspector
    │                   ├── core
    │                       ├── Application.java
    │                       ├── Command.java
    │                       ├── asm
    │                       │   ├── DOSClassVisitor.java
    │                       │   ├── DOSMethodAdapter.java
    │                       │   ├── DesClassVisitor.java
    │                       │   ├── DesMethodAdapter.java
    │                       │   ├── RCEClassVisitor.java
    │                       │   ├── RCEMethodAdapter.java
    │                       │   ├── RedirectClassVisitor.java
    │                       │   ├── RedirectMethodAdapter.java
    │                       │   ├── SSRFClassVisitor.java
    │                       │   ├── SSRFMethodAdapter.java
    │                       │   ├── SqlInjectClassVisitor.java
    │                       │   ├── SqlInjectMethodAdapter.java
    │                       │   ├── base
    │                       │   │   ├── BaseClassVisitor.java
    │                       │   │   └── ParamTaintMethodAdapter.java
    │                       │   └── system
    │                       │   │   ├── CallGraphClassVisitor.java
    │                       │   │   ├── CallGraphMethodAdapter.java
    │                       │   │   ├── DiscoveryClassVisitor.java
    │                       │   │   ├── MethodCallClassVisitor.java
    │                       │   │   └── MethodCallMethodAdapter.java
    │                       ├── data
    │                       │   ├── DesCollector.java
    │                       │   ├── DoSCollector.java
    │                       │   ├── RCECollector.java
    │                       │   ├── RedirectCollector.java
    │                       │   ├── SSRFCollector.java
    │                       │   └── SqlCollector.java
    │                       ├── inherit
    │                       │   ├── InheritanceMap.java
    │                       │   └── InheritanceUtil.java
    │                       └── service
    │                       │   ├── DOSService.java
    │                       │   ├── DesService.java
    │                       │   ├── RCEService.java
    │                       │   ├── RedirectService.java
    │                       │   ├── SSRFService.java
    │                       │   ├── SqlInjectService.java
    │                       │   ├── base
    │                       │       └── BaseService.java
    │                       │   └── system
    │                       │       ├── CallGraphService.java
    │                       │       ├── DiscoveryService.java
    │                       │       ├── InheritanceService.java
    │                       │       ├── MethodCallService.java
    │                       │       ├── SortService.java
    │                       │       └── SpringService.java
    │                   ├── data
    │                       ├── Output.java
    │                       └── ResultOutput.java
    │                   ├── form
    │                       ├── AuthorForm.form
    │                       ├── AuthorForm.java
    │                       ├── CodeInspector.form
    │                       ├── CodeInspector.java
    │                       ├── Graphviz.form
    │                       ├── Graphviz.java
    │                       ├── HowThisWork.form
    │                       ├── HowThisWork.java
    │                       └── module
    │                       │   ├── DeserializationModule.form
    │                       │   ├── DeserializationModule.java
    │                       │   ├── DoSModule.form
    │                       │   ├── DoSModule.java
    │                       │   ├── RCEModule.form
    │                       │   ├── RCEModule.java
    │                       │   ├── RedirectModule.form
    │                       │   ├── RedirectModule.java
    │                       │   ├── SQLModule.form
    │                       │   ├── SQLModule.java
    │                       │   ├── SSRFModule.form
    │                       │   └── SSRFModule.java
    │                   └── log
    │                       └── Log.java
├── code-inspector-demo
    ├── README.md
    ├── pom.xml
    └── src
    │   └── main
    │       └── java
    │           └── code
    │               └── inspector
    │                   └── demo
    │                       ├── DemoApplication.java
    │                       ├── dao
    │                           ├── SQLIDao.java
    │                           └── impl
    │                           │   └── SQLIDaoImpl.java
    │                       ├── model
    │                           ├── Message.java
    │                           ├── Obj.java
    │                           └── User.java
    │                       ├── service
    │                           ├── DOSService.java
    │                           ├── DesService.java
    │                           ├── RCEService.java
    │                           ├── SQLIService.java
    │                           ├── SSRFService.java
    │                           └── impl
    │                           │   ├── DOSServiceImpl.java
    │                           │   ├── DesServiceImpl.java
    │                           │   ├── RCEServiceImpl.java
    │                           │   ├── RCEUtil.java
    │                           │   ├── SQLIServiceImpl.java
    │                           │   └── SSRFServiceImpl.java
    │                       └── web
    │                           ├── DOSController.java
    │                           ├── DesController.java
    │                           ├── RCEController.java
    │                           ├── SQLIController.java
    │                           ├── SSRFController.java
    │                           └── URLController.java
├── code-inspector-graphviz
    ├── pom.xml
    └── src
    │   └── main
    │       ├── java
    │           └── code
    │           │   └── inspector
    │           │       └── graphviz
    │           │           └── GraphvizCore.java
    │       └── resources
    │           └── log4j.properties
├── code-inspector-jvm
    ├── README.md
    ├── pom.xml
    └── src
    │   └── main
    │       └── java
    │           └── code
    │               └── inspector
    │                   └── jvm
    │                       ├── CoreMethodAdapter.java
    │                       ├── GotoState.java
    │                       ├── LocalVariables.java
    │                       └── OperandStack.java
├── code-inspector-model
    ├── README.md
    ├── pom.xml
    └── src
    │   └── main
    │       └── java
    │           └── code
    │               └── inspector
    │                   └── model
    │                       ├── CallGraph.java
    │                       ├── ClassFile.java
    │                       ├── ClassReference.java
    │                       ├── MethodReference.java
    │                       └── ResultInfo.java
├── code-inspector-render
    ├── README.md
    ├── pom.xml
    └── src
    │   └── main
    │       ├── java
    │           └── code
    │           │   └── inspector
    │           │       └── render
    │           │           ├── IOUtil.java
    │           │           ├── Render.java
    │           │           └── RenderData.java
    │       └── resources
    │           ├── prefix
    │           └── suffix
├── code-inspector-spring
    ├── README.md
    ├── pom.xml
    └── src
    │   └── main
    │       └── java
    │           └── code
    │               └── inspector
    │                   └── core
    │                       └── spring
    │                           ├── SpringConstant.java
    │                           ├── SpringController.java
    │                           ├── SpringMapping.java
    │                           ├── SpringParam.java
    │                           └── asm
    │                               ├── SpringAnnoAdapter.java
    │                               ├── SpringClassVisitor.java
    │                               ├── SpringMethodAdapter.java
    │                               └── SpringPathAnnoAdapter.java
├── code-inspector-starter
    ├── README.md
    ├── pom.xml
    └── src
    │   └── main
    │       └── java
    │           └── code
    │               └── inspector
    │                   └── start
    │                       └── Application.java
├── code-inspector-util
    ├── README.md
    ├── pom.xml
    └── src
    │   └── main
    │       └── java
    │           └── code
    │               └── inspector
    │                   └── core
    │                       └── util
    │                           ├── ClassUtil.java
    │                           ├── DirUtil.java
    │                           ├── ExecUtil.java
    │                           ├── IOUtil.java
    │                           ├── JarUtil.java
    │                           └── OSUtil.java
├── doc
    ├── ACHIEVE.md
    ├── CHAINS.md
    ├── LABEL.md
    ├── NEW.md
    ├── QUESTIONS.md
    └── TAINT.md
├── images
    ├── 00000.png
    ├── 00001.png
    ├── 00002.png
    ├── 00003.png
    ├── 00004.png
    ├── 00005.png
    ├── 00006.png
    ├── 00007.png
    ├── 00008.png
    ├── 00009.png
    ├── 00010.png
    ├── 00011.png
    ├── 00012.png
    └── 00013.png
├── pom.xml
└── target-list.txt


/.gitignore:
--------------------------------------------------------------------------------
1 | .idea/
2 | target/
3 | *.jar
4 | 


--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
 1 | ## 0.1-beta
 2 | 
 3 | 初始版本
 4 | 
 5 | ## 0.2-beta
 6 | 
 7 | 没有新功能，主要是修复关键BUG，代码优化
 8 | 
 9 | 更新内容：
10 | - [important] [bug] 分支处理的BUG #1
11 | - [bug] debug模式的call graph输出有问题 #5
12 | - [bug] 拼接字符串操作应该加入call graph默认规则 #6
13 | - [improve] SPEL检测逻辑需要加强 #2
14 | - [improve] snakeyaml 规则加强 #7
15 | - [feat] 应该提供对war包的支持 #3
16 | - 提取工具类，新增Maven模块
17 | - 优化代码，小幅提高扫描效率
18 | - 补充README部分
19 | 
20 | ## 0.3-beta
21 | 
22 | 更新内容：
23 | - [feat] 添加Graphviz输出图片 #8


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2023 4ra1n
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # code-inspector
  2 | 
  3 | ![](https://img.shields.io/badge/build-passing-brightgreen)
  4 | ![](https://img.shields.io/badge/ASM-9.4-blue)
  5 | ![](https://img.shields.io/badge/Java-8-red)
  6 | ![](https://img.shields.io/badge/Line-6176-yellow)
  7 | 
  8 | **注意：本项目是一个学习项目，可能不会长期维护，作者精力有限，欢迎大佬们二次开发**
  9 | 
 10 | 一个Java自动代码审计工具，尤其针对SpringBoot框架，也可自行改造以适配其他情况
 11 | 
 12 | 提供一个SpringBoot的Jar包即可进行自动代码审计并生成报告，底层技术基于字节码分析
 13 | 
 14 | ![](images/00000.png)
 15 | 
 16 | 由于没有真正的执行，例如无法识别过滤等操作，所以会存在误报`false positive`
 17 | 
 18 | 注意：漏洞检测并不是简单地检测某个方法内是否包含敏感方法，而是从每个`Controller`的每个`Mapping`的每一个用户可控参数开始分析与追踪，构建出方法调用链，分析这个参数在整个链路的过程
 19 | 
 20 | ## 成果
 21 | 
 22 | [漏洞扫描成果](doc/ACHIEVE.md)
 23 | 
 24 | ## 使用`GUI`启动器
 25 | 
 26 | 选择好你的`Jar`包后点击`Start`即可，默认开启所有配置
 27 | 
 28 | 注意：目标`Jar`是`Java 8`编译的情况下兼容性最佳，高版本`Java`可能优化指令导致与原规则不匹配产生漏报
 29 | 
 30 | 选项：
 31 | - import rt.jar 绝大多数情况请勿勾选
 32 | - analyze all libs 绝大多数情况请勿勾选
 33 | - debug mode 保存一些临时的分析结果到当前目录中
 34 | 
 35 | ![](images/00006.png)
 36 | 
 37 | ### DoS
 38 | 
 39 | 配置`DoS`模块：
 40 | - `for`循环停止条件可控
 41 | - 正则规则和输入同时可控
 42 | - 数组初始化大小可控
 43 | - `ArrayList`初始化大小可控
 44 | 
 45 | ![](images/00007.png)
 46 | 
 47 | ### RCE
 48 | 
 49 | 配置`RCE`模块：
 50 | - `Runtime.exec`直接/拼接执行命令
 51 | - `ProcessBuilder`直接/拼接执行命令
 52 | - `JNDI`注入导致RCE（`lookup`内容可控）
 53 | - `GroovyShell.evaluate`直接/拼接执行命令
 54 | - `Spring EL`直接/拼接执行命令
 55 | 
 56 | ![](images/00008.png)
 57 | 
 58 | ### SSRF
 59 | 
 60 | 配置`SSRF`模块：
 61 | - `HttpUrlConnection`请求
 62 | - `Apache HttpClient`请求
 63 | - `Socket`建立新连接
 64 | - `OKHttp`请求
 65 | 
 66 | ![](images/00009.png)
 67 | 
 68 | ### SQL Injection
 69 | 
 70 | 配置`SQL Injection`模块：
 71 | - `JdbcTemplate.update`存在字符串拼接
 72 | - `JdbcTemplate.execute`存在字符串拼接
 73 | - `JdbcTemplate.queryAny`存在字符串拼接
 74 | - `Statement.executeQuery`存在字符串拼接
 75 | - `Statement.executeUpdate`存在字符串拼接
 76 | - `Statement.execute`存在字符串拼接
 77 | 
 78 | ![](images/00010.png)
 79 | 
 80 | ### Open Redirect
 81 | 
 82 | 配置`Redirect`模块：
 83 | - 使用`HttpServletResponse.sendRedirect`重定向
 84 | - 使用`SpringMVC`直接返回`String`可控
 85 | - 使用`SpringMVC`返回`ModelAndView`可控
 86 | 
 87 | ![](images/00011.png)
 88 | 
 89 | ### Deserialization
 90 | 
 91 | 配置`Deserialization`模块：
 92 | - `Java`原生反序列化
 93 | - `Fastjson`反序列化
 94 | - `SnakeYAML`反序列化
 95 | - `Jackson`反序列化
 96 | - `Hessian2`反序列化
 97 | - `XMLDecoder`反序列化
 98 | 
 99 | ![](images/00012.png)
100 | 
101 | ## 使用`API`
102 | 
103 | 可以使用以下的方式方便地进行扫描，注意三个`boolean`参数绝大多数情况应该设置为`false`
104 | 
105 | ```java
106 | public static void testRCE() {
107 |     CodeInspector inspector = new CodeInspectorImpl();
108 |     List<ResultInfo> results = inspector.analyzeRCE(
109 |             "your/path/to/jar/file",
110 |             false, false, false);
111 |     System.out.println(results.size());
112 | }
113 | ```
114 | 
115 | ## Graphviz
116 | 
117 | 指定`Controller`类名和`Mapping`的方法名，以及分析的参数索引，即可画图
118 | 
119 | ![](images/00013.png)
120 | 
121 | ## 常见问题
122 | 
123 | [常见问题](doc/QUESTIONS.md)
124 | 
125 | ## 如何构建方法调用链
126 | 
127 | [如何构建方法调用链](doc/CHAINS.md)
128 | 
129 | ## 如何处理分支
130 | 
131 | [如何处理分支](doc/LABEL.md)
132 | 
133 | ## 通用污点传递规则
134 | 
135 | [通用污点传递规则](doc/TAINT.md)
136 | 
137 | ## 如何编写新规则
138 | 
139 | [如何编写新规则](doc/NEW.md)


--------------------------------------------------------------------------------
/code-inspector-api/README.md:
--------------------------------------------------------------------------------
1 | # code-inspector-api
2 | 
3 | 该模块提供了通过代码启动扫描的方式


--------------------------------------------------------------------------------
/code-inspector-api/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <parent>
 6 |         <artifactId>code-inspector</artifactId>
 7 |         <groupId>n1ar4</groupId>
 8 |         <version>0.2-beta</version>
 9 |     </parent>
10 |     <modelVersion>4.0.0</modelVersion>
11 | 
12 |     <artifactId>code-inspector-api</artifactId>
13 | 
14 |     <properties>
15 |         <maven.compiler.source>8</maven.compiler.source>
16 |         <maven.compiler.target>8</maven.compiler.target>
17 |         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
18 |     </properties>
19 | 
20 |     <dependencies>
21 |         <dependency>
22 |             <groupId>n1ar4</groupId>
23 |             <artifactId>code-inspector-core</artifactId>
24 |             <scope>compile</scope>
25 |             <version>0.2-beta</version>
26 |         </dependency>
27 |     </dependencies>
28 | 
29 | </project>


--------------------------------------------------------------------------------
/code-inspector-api/src/main/java/code/inspector/api/CodeInspector.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.api;
 2 | 
 3 | import code.inspector.model.ResultInfo;
 4 | 
 5 | import java.util.List;
 6 | 
 7 | public interface CodeInspector {
 8 |     List<ResultInfo> analyzeAll(String jarPath, boolean isDebug, boolean useRt, boolean allLib);
 9 | 
10 |     List<ResultInfo> analyzeRCE(String jarPath, boolean isDebug, boolean useRt, boolean allLib);
11 | 
12 |     List<ResultInfo> analyzeSSRF(String jarPath, boolean isDebug, boolean useRt, boolean allLib);
13 | 
14 |     List<ResultInfo> analyzeRedirect(String jarPath, boolean isDebug, boolean useRt, boolean allLib);
15 | 
16 |     List<ResultInfo> analyzeSQLInjection(String jarPath, boolean isDebug, boolean useRt, boolean allLib);
17 | 
18 |     List<ResultInfo> analyzeDeserialization(String jarPath, boolean isDebug, boolean useRt, boolean allLib);
19 | 
20 |     List<ResultInfo> analyzeDoS(String jarPath, boolean isDebug, boolean useRt, boolean allLib);
21 | }
22 | 
23 | 


--------------------------------------------------------------------------------
/code-inspector-api/src/test/code/inspector/api/Test.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.api;
 2 | 
 3 | import code.inspector.model.ResultInfo;
 4 | 
 5 | import java.util.List;
 6 | 
 7 | @SuppressWarnings("all")
 8 | public class Test {
 9 | 
10 |     public static void testRCE() {
11 |         CodeInspector inspector = new CodeInspectorImpl();
12 |         List<ResultInfo> results = inspector.analyzeRCE(
13 |                 "./bin/code-inspector-demo-0.1-beta.jar",
14 |                 false, false, false);
15 |         for (ResultInfo r : results) {
16 |             System.out.println(r.getType() + ":" + r.getVulName());
17 |         }
18 |     }
19 | 
20 |     public static void testSSRF() {
21 |         CodeInspector inspector = new CodeInspectorImpl();
22 |         List<ResultInfo> results = inspector.analyzeSSRF(
23 |                 "./bin/code-inspector-demo-0.1-beta.jar",
24 |                 false, false, false);
25 |         for (ResultInfo r : results) {
26 |             System.out.println(r.getType() + ":" + r.getVulName());
27 |         }
28 |     }
29 | 
30 |     public static void testDoS() {
31 |         CodeInspector inspector = new CodeInspectorImpl();
32 |         List<ResultInfo> results = inspector.analyzeDoS(
33 |                 "./bin/code-inspector-demo-0.1-beta.jar",
34 |                 false, false, false);
35 |         for (ResultInfo r : results) {
36 |             System.out.println(r.getType() + ":" + r.getVulName());
37 |         }
38 |     }
39 | 
40 |     public static void testDeserialization() {
41 |         CodeInspector inspector = new CodeInspectorImpl();
42 |         List<ResultInfo> results = inspector.analyzeDeserialization(
43 |                 "./bin/code-inspector-demo-0.1-beta.jar",
44 |                 false, false, false);
45 |         for (ResultInfo r : results) {
46 |             System.out.println(r.getType() + ":" + r.getVulName());
47 |         }
48 |     }
49 | 
50 |     public static void testSQLInjection() {
51 |         CodeInspector inspector = new CodeInspectorImpl();
52 |         List<ResultInfo> results = inspector.analyzeSQLInjection(
53 |                 "./bin/code-inspector-demo-0.1-beta.jar",
54 |                 false, false, false);
55 |         for (ResultInfo r : results) {
56 |             System.out.println(r.getType() + ":" + r.getVulName());
57 |         }
58 |     }
59 | 
60 |     public static void testRedirect() {
61 |         CodeInspector inspector = new CodeInspectorImpl();
62 |         List<ResultInfo> results = inspector.analyzeRedirect(
63 |                 "./bin/code-inspector-demo-0.1-beta.jar",
64 |                 false, false, false);
65 |         for (ResultInfo r : results) {
66 |             System.out.println(r.getType() + ":" + r.getVulName());
67 |         }
68 |     }
69 | 
70 |     public static void testAll() {
71 |         CodeInspector inspector = new CodeInspectorImpl();
72 |         List<ResultInfo> results = inspector.analyzeAll(
73 |                 "./bin/code-inspector-demo-0.1-beta.jar",
74 |                 false, false, false);
75 |         for (ResultInfo r : results) {
76 |             System.out.println(r.getType() + ":" + r.getVulName());
77 |         }
78 |     }
79 | 
80 |     public static void testTarget() {
81 |         CodeInspector inspector = new CodeInspectorImpl();
82 |         List<ResultInfo> results = inspector.analyzeRCE(
83 |                 "./bin/code-inspector-demo-0.1-beta.jar",
84 |                 false, false, false);
85 |         for (ResultInfo r : results) {
86 |             System.out.println(r.getType() + ":" + r.getVulName());
87 |         }
88 |     }
89 | 
90 |     public static void main(String[] args) {
91 |         testSSRF();
92 |     }
93 | }
94 | 


--------------------------------------------------------------------------------
/code-inspector-build/README.md:
--------------------------------------------------------------------------------
1 | # code-inspector-build
2 | 
3 | 该模块仅用于build前更新版本


--------------------------------------------------------------------------------
/code-inspector-build/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <parent>
 6 |         <artifactId>code-inspector</artifactId>
 7 |         <groupId>n1ar4</groupId>
 8 |         <version>0.2-beta</version>
 9 |     </parent>
10 |     <modelVersion>4.0.0</modelVersion>
11 | 
12 |     <artifactId>code-inspector-build</artifactId>
13 | 
14 |     <properties>
15 |         <maven.compiler.source>8</maven.compiler.source>
16 |         <maven.compiler.target>8</maven.compiler.target>
17 |         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
18 |     </properties>
19 | 
20 | </project>


--------------------------------------------------------------------------------
/code-inspector-build/src/main/java/code/inspector/Build.java:
--------------------------------------------------------------------------------
 1 | package code.inspector;
 2 | 
 3 | import java.nio.file.Files;
 4 | import java.nio.file.Path;
 5 | import java.nio.file.Paths;
 6 | 
 7 | public class Build {
 8 |     static String oldVersion = "0.2-beta";
 9 |     static String newVersion = "0.3-beta";
10 | 
11 |     public static void main(String[] args) throws Exception {
12 |         Path rootPom = Paths.get("pom.xml");
13 |         Path apiPom = Paths.get("code-inspector-api/pom.xml");
14 |         Path buildPom = Paths.get("code-inspector-build/pom.xml");
15 |         Path constPom = Paths.get("code-inspector-const/pom.xml");
16 |         Path corePom = Paths.get("code-inspector-core/pom.xml");
17 |         Path demoPom = Paths.get("code-inspector-demo/pom.xml");
18 |         Path jvmPom = Paths.get("code-inspector-jvm/pom.xml");
19 |         Path modelPom = Paths.get("code-inspector-model/pom.xml");
20 |         Path renderPom = Paths.get("code-inspector-render/pom.xml");
21 |         Path springPom = Paths.get("code-inspector-spring/pom.xml");
22 |         Path starterPom = Paths.get("code-inspector-starter/pom.xml");
23 |         Path utilPom = Paths.get("code-inspector-util/pom.xml");
24 |         Path starterCode = Paths.get("code-inspector-starter/src/main/java/" +
25 |                 "code/inspector/start/Application.java");
26 | 
27 |         replace(rootPom);
28 |         replace(apiPom);
29 |         replace(buildPom);
30 |         replace(constPom);
31 |         replace(corePom);
32 |         replace(demoPom);
33 |         replace(jvmPom);
34 |         replace(modelPom);
35 |         replace(renderPom);
36 |         replace(springPom);
37 |         replace(starterPom);
38 |         replace(utilPom);
39 |         replace(starterCode);
40 |     }
41 | 
42 |     private static void replace(Path path) throws Exception {
43 |         byte[] data = Files.readAllBytes(path);
44 |         String newData = new String(data).replace(oldVersion, newVersion);
45 |         Files.write(path, newData.getBytes());
46 |     }
47 | }
48 | 


--------------------------------------------------------------------------------
/code-inspector-const/README.md:
--------------------------------------------------------------------------------
1 | # code-inspector-const
2 | 
3 | 该模块是项目用到到常量


--------------------------------------------------------------------------------
/code-inspector-const/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <parent>
 6 |         <artifactId>code-inspector</artifactId>
 7 |         <groupId>n1ar4</groupId>
 8 |         <version>0.2-beta</version>
 9 |     </parent>
10 |     <modelVersion>4.0.0</modelVersion>
11 | 
12 |     <artifactId>code-inspector-const</artifactId>
13 | 
14 |     <properties>
15 |         <maven.compiler.source>8</maven.compiler.source>
16 |         <maven.compiler.target>8</maven.compiler.target>
17 |         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
18 |     </properties>
19 | 
20 | </project>


--------------------------------------------------------------------------------
/code-inspector-const/src/main/java/code/inspector/core/Const.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core;
 2 | 
 3 | public interface Const {
 4 |     // DOS
 5 |     String DOS_MODULE = "DOS_MODULE";
 6 |     String DOS_FOR_TYPE = "DOS_FOR_TYPE";
 7 |     String DOS_ARRAY_TYPE = "DOS_ARRAY_TYPE";
 8 |     String DOS_LIST_TYPE = "DOS_LIST_TYPE";
 9 |     String DOS_REGEX_TYPE = "DOS_REGEX_TYPE";
10 |     // RCE
11 |     String RCE_MODULE = "RCE_MODULE";
12 |     String RCE_RUNTIME_TYPE = "RCE_RUNTIME_TYPE";
13 |     String RCE_PROCESS_TYPE = "RCE_PROCESS_TYPE";
14 |     String RCE_GROOVY_TYPE = "RCE_GROOVY_TYPE";
15 |     String RCE_JNDI_TYPE = "RCE_JNDI_TYPE";
16 |     String RCE_SP_EL_TYPE = "RCE_SP_EL_TYPE";
17 |     // Redirect
18 |     String REDIRECT_MODULE = "REDIRECT_MODULE";
19 |     String REDIRECT_STRING_TYPE = "REDIRECT_STRING_TYPE";
20 |     String REDIRECT_SEND_RESPONSE_TYPE = "REDIRECT_SEND_RESPONSE_TYPE";
21 |     String REDIRECT_MODEL_AND_VIEW_TYPE = "REDIRECT_MODEL_AND_VIEW_TYPE";
22 |     // SQL Injection
23 |     String SQL_MODULE = "SQL_MODULE";
24 |     String SQL_JDBC_TEMPLATE_UPDATE = "SQL_JDBC_TEMPLATE_UPDATE";
25 |     String SQL_JDBC_TEMPLATE_EXECUTE = "SQL_JDBC_TEMPLATE_EXECUTE";
26 |     String SQL_JDBC_TEMPLATE_QUERY_ANY = "SQL_JDBC_TEMPLATE_QUERY_ANY";
27 |     String SQL_EXECUTE_UPDATE = "SQL_EXECUTE_UPDATE";
28 |     String SQL_EXECUTE_QUERY = "SQL_EXECUTE_QUERY";
29 |     String SQL_EXECUTE = "SQL_EXECUTE";
30 |     // SSRF
31 |     String SSRF_MODULE = "SSRF_MODULE";
32 |     String SSRF_JDK_TYPE = "SSRF_JDK_TYPE";
33 |     String SSRF_APACHE_TYPE = "SSRF_APACHE_TYPE";
34 |     String SSRF_OKHTTP_TYPE = "SSRF_OKHTTP_TYPE";
35 |     String SSRF_SOCKET_TYPE = "SSRF_SOCKET_TYPE";
36 |     // Deserialization
37 |     String DESERIALIZATION_MODULE = "DESERIALIZATION_MODULE";
38 |     String DESERIALIZATION_JDK = "DESERIALIZATION_JDK";
39 |     String DESERIALIZATION_FASTJSON = "DESERIALIZATION_FASTJSON";
40 |     String DESERIALIZATION_JACKSON = "DESERIALIZATION_JACKSON";
41 |     String DESERIALIZATION_SNAKEYAML = "DESERIALIZATION_SNAKEYAML";
42 |     String DESERIALIZATION_HESSIAN = "DESERIALIZATION_HESSIAN";
43 |     String DESERIALIZATION_XML_DECODER = "DESERIALIZATION_XML_DECODER";
44 | }
45 | 


--------------------------------------------------------------------------------
/code-inspector-const/src/main/java/code/inspector/core/Taint.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core;
 2 | 
 3 | public interface Taint {
 4 |     String PARAM_TAINT = "PARAM-TAINT";
 5 |     String BUILD_STRING = "BUILD_STRING";
 6 |     String TO_STRING = "TO_STRING";
 7 |     String PROCESS_INIT = "PROCESS_INIT";
 8 |     String MODEL_AND_VIEW = "MODEL_AND_VIEW";
 9 |     String LIST_INIT = "LIST_INIT";
10 |     String SPRING_STANDARD = "SPRING_STANDARD";
11 |     String YAML_INIT = "YAML_INIT";
12 | }
13 | 


--------------------------------------------------------------------------------
/code-inspector-core/README.md:
--------------------------------------------------------------------------------
1 | # code-inspector-core
2 | 
3 | 项目核心模块，其中包含了GUI代码和核心代码


--------------------------------------------------------------------------------
/code-inspector-core/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <parent>
 6 |         <artifactId>code-inspector</artifactId>
 7 |         <groupId>n1ar4</groupId>
 8 |         <version>0.2-beta</version>
 9 |     </parent>
10 |     <modelVersion>4.0.0</modelVersion>
11 | 
12 |     <artifactId>code-inspector-core</artifactId>
13 |     <dependencies>
14 |         <dependency>
15 |             <groupId>n1ar4</groupId>
16 |             <artifactId>code-inspector-const</artifactId>
17 |             <scope>compile</scope>
18 |             <version>0.2-beta</version>
19 |         </dependency>
20 |         <dependency>
21 |             <groupId>n1ar4</groupId>
22 |             <artifactId>code-inspector-util</artifactId>
23 |             <scope>compile</scope>
24 |             <version>0.2-beta</version>
25 |         </dependency>
26 |         <dependency>
27 |             <groupId>n1ar4</groupId>
28 |             <artifactId>code-inspector-render</artifactId>
29 |             <version>0.2-beta</version>
30 |             <scope>compile</scope>
31 |         </dependency>
32 |         <dependency>
33 |             <groupId>n1ar4</groupId>
34 |             <artifactId>code-inspector-jvm</artifactId>
35 |             <scope>compile</scope>
36 |             <version>0.2-beta</version>
37 |         </dependency>
38 |         <dependency>
39 |             <groupId>n1ar4</groupId>
40 |             <artifactId>code-inspector-spring</artifactId>
41 |             <version>0.2-beta</version>
42 |             <scope>compile</scope>
43 |         </dependency>
44 |         <dependency>
45 |             <groupId>n1ar4</groupId>
46 |             <artifactId>code-inspector-graphviz</artifactId>
47 |             <version>0.2-beta</version>
48 |             <scope>compile</scope>
49 |         </dependency>
50 |     </dependencies>
51 | 
52 |     <properties>
53 |         <maven.compiler.source>8</maven.compiler.source>
54 |         <maven.compiler.target>8</maven.compiler.target>
55 |         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
56 |     </properties>
57 | 
58 | </project>


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/Command.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core;
 2 | 
 3 | import java.util.ArrayList;
 4 | import java.util.HashMap;
 5 | import java.util.List;
 6 | 
 7 | public class Command {
 8 |     public List<String> jars;
 9 |     public String module;
10 |     public boolean isDebug;
11 |     public boolean jdk;
12 |     public boolean springBoot;
13 |     public boolean lib;
14 |     public String path;
15 |     public String packageName;
16 |     private HashMap<String,Boolean> options = new HashMap<>();
17 | 
18 |     public void setOptions(HashMap<String, Boolean> options) {
19 |         this.options = options;
20 |     }
21 | 
22 |     public HashMap<String,Boolean>  getOptions(){
23 |         return this.options;
24 |     }
25 |     public Command(){
26 |         this.jars = new ArrayList<>();
27 |         this.module = "";
28 |         this.isDebug = false;
29 |         this.jdk = false;
30 |         this.springBoot = true;
31 |         this.lib = false;
32 |         this.path = "result.html";
33 |         this.packageName = "";
34 |     }
35 | }
36 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/asm/DOSClassVisitor.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.asm;
 2 | 
 3 | 
 4 | import code.inspector.core.asm.base.BaseClassVisitor;
 5 | import code.inspector.model.MethodReference;
 6 | 
 7 | public class DOSClassVisitor extends BaseClassVisitor {
 8 |     public DOSClassVisitor(MethodReference.Handle targetMethod, int targetIndex) {
 9 |         super(targetMethod, targetIndex, DOSMethodAdapter.class);
10 |     }
11 | }
12 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/asm/DOSMethodAdapter.java:
--------------------------------------------------------------------------------
  1 | package code.inspector.core.asm;
  2 | 
  3 | import code.inspector.core.Application;
  4 | import code.inspector.core.Const;
  5 | import code.inspector.core.Taint;
  6 | import code.inspector.core.asm.base.ParamTaintMethodAdapter;
  7 | import org.objectweb.asm.Label;
  8 | import org.objectweb.asm.MethodVisitor;
  9 | import org.objectweb.asm.Opcodes;
 10 | 
 11 | import java.util.ArrayList;
 12 | import java.util.List;
 13 | import java.util.Map;
 14 | 
 15 | public class DOSMethodAdapter extends ParamTaintMethodAdapter {
 16 |     private final Map<String, Boolean> pass;
 17 |     private static List<Boolean> flag = new ArrayList<>();
 18 |     private final List<Label> labelList = new ArrayList<>();
 19 |     private boolean forFlag;
 20 | 
 21 |     private final boolean arrayOption;
 22 |     private final boolean forOption;
 23 |     private final boolean regexOption;
 24 |     private final boolean listOption;
 25 | 
 26 |     public DOSMethodAdapter(int methodArgIndex, Map<String, Boolean> pass, int api, MethodVisitor mv,
 27 |                             String owner, int access, String name, String desc) {
 28 |         super(methodArgIndex, api, mv, owner, access, name, desc);
 29 |         this.pass = pass;
 30 |         this.forOption = Application.globalOptions.getOrDefault(Const.DOS_FOR_TYPE, false);
 31 |         this.arrayOption = Application.globalOptions.getOrDefault(Const.DOS_ARRAY_TYPE, false);
 32 |         this.regexOption = Application.globalOptions.getOrDefault(Const.DOS_REGEX_TYPE, false);
 33 |         this.listOption = Application.globalOptions.getOrDefault(Const.DOS_LIST_TYPE, false);
 34 |     }
 35 | 
 36 |     @Override
 37 |     public void visitLabel(Label label) {
 38 |         this.labelList.add(label);
 39 |         super.visitLabel(label);
 40 |     }
 41 | 
 42 |     @Override
 43 |     public void visitJumpInsn(int opcode, Label label) {
 44 |         if (opcode == Opcodes.GOTO) {
 45 |             if (labelList.contains(label)) {
 46 |                 if (forOption && this.forFlag) {
 47 |                     pass.put(Const.DOS_FOR_TYPE, true);
 48 |                     this.forFlag = false;
 49 |                 }
 50 |             }
 51 |         }
 52 |         if (opcode == Opcodes.IF_ICMPGE) {
 53 |             if (operandStack.get(0).contains(Taint.PARAM_TAINT)) {
 54 |                 this.forFlag = true;
 55 |             }
 56 |         }
 57 |         super.visitJumpInsn(opcode, label);
 58 |     }
 59 | 
 60 |     @Override
 61 |     public void visitIntInsn(int opcode, int operand) {
 62 |         if (opcode == Opcodes.NEWARRAY) {
 63 |             if (arrayOption && operandStack.get(0).contains(Taint.PARAM_TAINT)) {
 64 |                 pass.put(Const.DOS_ARRAY_TYPE, true);
 65 |             }
 66 |         }
 67 |         super.visitIntInsn(opcode, operand);
 68 |     }
 69 | 
 70 |     @Override
 71 |     public void visitTypeInsn(int opcode, String type) {
 72 |         if (opcode == Opcodes.ANEWARRAY) {
 73 |             if (arrayOption && operandStack.get(0).contains(Taint.PARAM_TAINT)) {
 74 |                 pass.put(Const.DOS_ARRAY_TYPE, true);
 75 |             }
 76 |         }
 77 |         super.visitTypeInsn(opcode, type);
 78 |     }
 79 | 
 80 |     @Override
 81 |     public void visitMethodInsn(int opcode, String owner, String name, String desc, boolean itf) {
 82 |         boolean patternMatches = (opcode == Opcodes.INVOKESTATIC) &&
 83 |                 (owner.equals("java/util/regex/Pattern")) &&
 84 |                 (name.equals("matches")) &&
 85 |                 (desc.equals("(Ljava/lang/String;Ljava/lang/CharSequence;)Z"));
 86 | 
 87 |         boolean listInit = (opcode == Opcodes.INVOKESPECIAL) &&
 88 |                 (owner.equals("java/util/ArrayList")) &&
 89 |                 (name.equals("<init>")) &&
 90 |                 (desc.equals("(I)V"));
 91 | 
 92 |         if (regexOption && patternMatches) {
 93 |             if (operandStack.get(0).contains(Taint.PARAM_TAINT)) {
 94 |                 flag.add(true);
 95 |                 super.visitMethodInsn(opcode, owner, name, desc, itf);
 96 |                 return;
 97 |             }
 98 |             if (operandStack.get(1).contains(Taint.PARAM_TAINT)) {
 99 |                 flag.add(true);
100 |                 super.visitMethodInsn(opcode, owner, name, desc, itf);
101 |                 return;
102 |             }
103 |         }
104 | 
105 |         if (regexOption && flag.size() == 2 && !flag.contains(false)) {
106 |             pass.put(Const.DOS_REGEX_TYPE, true);
107 |             flag = new ArrayList<>();
108 |             super.visitMethodInsn(opcode, owner, name, desc, itf);
109 |             return;
110 |         }
111 | 
112 |         if (listOption && listInit) {
113 |             if (operandStack.get(0).contains(Taint.PARAM_TAINT)) {
114 |                 pass.put(Const.DOS_LIST_TYPE, true);
115 |                 super.visitMethodInsn(opcode, owner, name, desc, itf);
116 |                 return;
117 |             }
118 |         }
119 | 
120 |         super.visitMethodInsn(opcode, owner, name, desc, itf);
121 |     }
122 | }
123 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/asm/DesClassVisitor.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.asm;
 2 | 
 3 | 
 4 | import code.inspector.core.asm.base.BaseClassVisitor;
 5 | import code.inspector.model.MethodReference;
 6 | 
 7 | public class DesClassVisitor extends BaseClassVisitor {
 8 |     public DesClassVisitor(MethodReference.Handle targetMethod, int targetIndex) {
 9 |         super(targetMethod, targetIndex, DesMethodAdapter.class);
10 |     }
11 | }
12 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/asm/RCEClassVisitor.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.asm;
 2 | 
 3 | 
 4 | import code.inspector.core.asm.base.BaseClassVisitor;
 5 | import code.inspector.model.MethodReference;
 6 | 
 7 | public class RCEClassVisitor extends BaseClassVisitor {
 8 |     public RCEClassVisitor(MethodReference.Handle targetMethod, int targetIndex) {
 9 |         super(targetMethod, targetIndex, RCEMethodAdapter.class);
10 |     }
11 | }
12 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/asm/RedirectClassVisitor.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.asm;
 2 | 
 3 | import code.inspector.core.asm.base.BaseClassVisitor;
 4 | import code.inspector.model.MethodReference;
 5 | import org.objectweb.asm.MethodVisitor;
 6 | import org.objectweb.asm.Opcodes;
 7 | import org.objectweb.asm.commons.JSRInlinerAdapter;
 8 | 
 9 | import java.util.HashMap;
10 | import java.util.Map;
11 | 
12 | public class RedirectClassVisitor extends BaseClassVisitor {
13 |     private String name;
14 |     private final Map<String, Boolean> pass;
15 |     private final MethodReference methodReference;
16 | 
17 |     public RedirectClassVisitor(MethodReference methodReference) {
18 |         super(null,0,null);
19 |         this.methodReference = methodReference;
20 |         this.pass = new HashMap<>();
21 |     }
22 | 
23 |     public Boolean getPass(String key) {
24 |         return pass.getOrDefault(key,false);
25 |     }
26 | 
27 |     @Override
28 |     public void visit(int version, int access, String name, String signature,
29 |                       String superName, String[] interfaces) {
30 |         super.visit(version, access, name, signature, superName, interfaces);
31 |         this.name = name;
32 |     }
33 | 
34 |     @Override
35 |     public MethodVisitor visitMethod(int access, String name, String descriptor,
36 |                                      String signature, String[] exceptions) {
37 |         MethodVisitor mv = super.visitMethod(access, name, descriptor, signature, exceptions);
38 |         if (methodReference.getName().equals(name)) {
39 |             RedirectMethodAdapter redirectMethodAdapter = new RedirectMethodAdapter(
40 |                     this.pass, Opcodes.ASM6, mv, this.name, access, name, descriptor);
41 |             return new JSRInlinerAdapter(redirectMethodAdapter,
42 |                     access, name, descriptor, signature, exceptions);
43 |         }
44 |         return mv;
45 |     }
46 | }
47 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/asm/SSRFClassVisitor.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.asm;
 2 | 
 3 | 
 4 | import code.inspector.core.asm.base.BaseClassVisitor;
 5 | import code.inspector.model.MethodReference;
 6 | 
 7 | public class SSRFClassVisitor extends BaseClassVisitor {
 8 |     public SSRFClassVisitor(MethodReference.Handle targetMethod, int targetIndex) {
 9 |         super(targetMethod, targetIndex, SSRFMethodAdapter.class);
10 |     }
11 | }
12 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/asm/SqlInjectClassVisitor.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.asm;
 2 | 
 3 | import code.inspector.core.asm.base.BaseClassVisitor;
 4 | import code.inspector.model.MethodReference;
 5 | 
 6 | public class SqlInjectClassVisitor extends BaseClassVisitor {
 7 |     public SqlInjectClassVisitor(MethodReference.Handle targetMethod, int targetIndex) {
 8 |         super(targetMethod, targetIndex, SqlInjectMethodAdapter.class);
 9 |     }
10 | }
11 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/asm/base/BaseClassVisitor.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.asm.base;
 2 | 
 3 | import code.inspector.model.MethodReference;
 4 | import org.objectweb.asm.ClassVisitor;
 5 | import org.objectweb.asm.MethodVisitor;
 6 | import org.objectweb.asm.Opcodes;
 7 | import org.objectweb.asm.commons.JSRInlinerAdapter;
 8 | 
 9 | import java.util.HashMap;
10 | import java.util.Map;
11 | 
12 | public class BaseClassVisitor extends ClassVisitor {
13 |     protected String name;
14 |     private final MethodReference.Handle methodHandle;
15 |     private final int methodArgIndex;
16 |     private final Class<?> targetMethodAdapter;
17 |     private final Map<String, Boolean> pass;
18 | 
19 |     public BaseClassVisitor(MethodReference.Handle targetMethod,
20 |                             int targetIndex,Class<?> targetMethodAdapter) {
21 |         super(Opcodes.ASM6);
22 |         this.methodHandle = targetMethod;
23 |         this.methodArgIndex = targetIndex;
24 |         this.pass = new HashMap<>();
25 |         this.targetMethodAdapter = targetMethodAdapter;
26 |     }
27 | 
28 |     public Boolean getPass(String key) {
29 |         return pass.getOrDefault(key,false);
30 |     }
31 | 
32 |     public int getPassSize(){
33 |         return pass.size();
34 |     }
35 | 
36 |     @Override
37 |     public void visit(int version, int access, String name, String signature,
38 |                       String superName, String[] interfaces) {
39 |         super.visit(version, access, name, signature, superName, interfaces);
40 |         this.name = name;
41 |     }
42 | 
43 |     @Override
44 |     public MethodVisitor visitMethod(int access, String name, String descriptor,
45 |                                      String signature, String[] exceptions) {
46 |         MethodVisitor mv = super.visitMethod(access, name, descriptor, signature, exceptions);
47 |         try {
48 |             if (this.methodHandle!=null && name.equals(this.methodHandle.getName())) {
49 |                 MethodVisitor methodVisitor = (MethodVisitor) targetMethodAdapter
50 |                         .getConstructors()[0].newInstance(this.methodArgIndex, this.pass,
51 |                         Opcodes.ASM6, mv, this.name, access, name, descriptor);
52 |                 return new JSRInlinerAdapter(methodVisitor,
53 |                         access, name, descriptor, signature, exceptions);
54 |             }
55 |         }catch (Exception e){
56 |             e.printStackTrace();
57 |         }
58 |         return mv;
59 |     }
60 | }
61 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/asm/system/CallGraphClassVisitor.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.asm.system;
 2 | 
 3 | import code.inspector.model.CallGraph;
 4 | import org.objectweb.asm.ClassVisitor;
 5 | import org.objectweb.asm.MethodVisitor;
 6 | import org.objectweb.asm.Opcodes;
 7 | import org.objectweb.asm.commons.JSRInlinerAdapter;
 8 | 
 9 | import java.util.Set;
10 | 
11 | 
12 | public class CallGraphClassVisitor extends ClassVisitor {
13 |     private final Set<CallGraph> discoveredCalls;
14 |     private String name;
15 | 
16 |     public CallGraphClassVisitor(Set<CallGraph> discoveredCalls) {
17 |         super(Opcodes.ASM6);
18 |         this.discoveredCalls = discoveredCalls;
19 |     }
20 | 
21 |     @Override
22 |     public void visit(int version, int access, String name, String signature,
23 |                       String superName, String[] interfaces) {
24 |         super.visit(version, access, name, signature, superName, interfaces);
25 |         this.name = name;
26 |     }
27 | 
28 |     @Override
29 |     public MethodVisitor visitMethod(int access, String name, String desc,
30 |                                      String signature, String[] exceptions) {
31 |         MethodVisitor mv = super.visitMethod(access, name, desc, signature, exceptions);
32 |         CallGraphMethodAdapter callGraphMethodVisitor = new CallGraphMethodAdapter(api, discoveredCalls,
33 |                 mv, this.name, access, name, desc);
34 |         return new JSRInlinerAdapter(callGraphMethodVisitor, access, name, desc, signature, exceptions);
35 |     }
36 | 
37 |     @Override
38 |     public void visitEnd() {
39 |         super.visitEnd();
40 |     }
41 | }
42 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/asm/system/DiscoveryClassVisitor.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.asm.system;
 2 | 
 3 | import code.inspector.model.ClassReference;
 4 | import code.inspector.model.MethodReference;
 5 | import org.objectweb.asm.*;
 6 | 
 7 | import java.util.*;
 8 | 
 9 | public class DiscoveryClassVisitor extends ClassVisitor {
10 |     private String name;
11 |     private String superName;
12 |     private String[] interfaces;
13 |     private boolean isInterface;
14 |     private List<ClassReference.Member> members;
15 |     private ClassReference.Handle classHandle;
16 |     private Set<String> annotations;
17 |     private final List<ClassReference> discoveredClasses;
18 |     private final List<MethodReference> discoveredMethods;
19 | 
20 |     public DiscoveryClassVisitor(List<ClassReference> discoveredClasses,
21 |                                  List<MethodReference> discoveredMethods) {
22 |         super(Opcodes.ASM6);
23 |         this.discoveredClasses = discoveredClasses;
24 |         this.discoveredMethods = discoveredMethods;
25 |     }
26 | 
27 |     @Override
28 |     public void visit(int version, int access, String name,
29 |                       String signature, String superName, String[] interfaces) {
30 |         this.name = name;
31 |         this.superName = superName;
32 |         this.interfaces = interfaces;
33 |         this.isInterface = (access & Opcodes.ACC_INTERFACE) != 0;
34 |         this.members = new ArrayList<>();
35 |         this.classHandle = new ClassReference.Handle(name);
36 |         annotations = new HashSet<>();
37 |         super.visit(version, access, name, signature, superName, interfaces);
38 |     }
39 | 
40 |     public String getName(){
41 |         return this.name;
42 |     }
43 | 
44 |     @Override
45 |     public AnnotationVisitor visitAnnotation(String descriptor, boolean visible) {
46 |         annotations.add(descriptor);
47 |         return super.visitAnnotation(descriptor, visible);
48 |     }
49 | 
50 |     public FieldVisitor visitField(int access, String name, String desc,
51 |                                    String signature, Object value) {
52 |         if ((access & Opcodes.ACC_STATIC) == 0) {
53 |             Type type = Type.getType(desc);
54 |             String typeName;
55 |             if (type.getSort() == Type.OBJECT || type.getSort() == Type.ARRAY) {
56 |                 typeName = type.getInternalName();
57 |             } else {
58 |                 typeName = type.getDescriptor();
59 |             }
60 |             members.add(new ClassReference.Member(name, access, new ClassReference.Handle(typeName)));
61 |         }
62 |         return super.visitField(access, name, desc, signature, value);
63 |     }
64 | 
65 |     @Override
66 |     public MethodVisitor visitMethod(int access, String name, String desc,
67 |                                      String signature, String[] exceptions) {
68 |         boolean isStatic = (access & Opcodes.ACC_STATIC) != 0;
69 |         discoveredMethods.add(new MethodReference(
70 |                 classHandle,
71 |                 name,
72 |                 desc,
73 |                 isStatic));
74 |         return super.visitMethod(access, name, desc, signature, exceptions);
75 |     }
76 | 
77 |     @Override
78 |     public void visitEnd() {
79 |         ClassReference classReference = new ClassReference(
80 |                 name,
81 |                 superName,
82 |                 Arrays.asList(interfaces),
83 |                 isInterface,
84 |                 members,
85 |                 annotations);
86 |         discoveredClasses.add(classReference);
87 |         super.visitEnd();
88 |     }
89 | }
90 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/asm/system/MethodCallClassVisitor.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.asm.system;
 2 | 
 3 | import code.inspector.model.MethodReference;
 4 | import org.objectweb.asm.ClassVisitor;
 5 | import org.objectweb.asm.MethodVisitor;
 6 | import org.objectweb.asm.Opcodes;
 7 | import org.objectweb.asm.commons.JSRInlinerAdapter;
 8 | 
 9 | import java.util.Map;
10 | import java.util.Set;
11 | 
12 | 
13 | public class MethodCallClassVisitor extends ClassVisitor {
14 |     private String name = null;
15 |     private final Map<MethodReference.Handle, Set<MethodReference.Handle>> methodCalls;
16 | 
17 |     public MethodCallClassVisitor(Map<MethodReference.Handle, Set<MethodReference.Handle>> methodCalls) {
18 |         super(Opcodes.ASM6);
19 |         this.methodCalls = methodCalls;
20 |     }
21 | 
22 |     @Override
23 |     public void visit(int version, int access, String name, String signature,
24 |                       String superName, String[] interfaces) {
25 |         super.visit(version, access, name, signature, superName, interfaces);
26 |         if (this.name != null) {
27 |             throw new IllegalStateException("ClassVisitor already visited a class!");
28 |         }
29 |         this.name = name;
30 |     }
31 | 
32 |     @Override
33 |     public MethodVisitor visitMethod(int access, String name, String desc,
34 |                                      String signature, String[] exceptions) {
35 |         MethodVisitor mv = super.visitMethod(access, name, desc, signature, exceptions);
36 |         MethodCallMethodAdapter adapter = new MethodCallMethodAdapter(
37 |                 api, this.methodCalls, mv, this.name, name, desc);
38 |         return new JSRInlinerAdapter(adapter, access, name, desc, signature, exceptions);
39 |     }
40 | 
41 |     @Override
42 |     public void visitEnd() {
43 |         super.visitEnd();
44 |     }
45 | }
46 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/asm/system/MethodCallMethodAdapter.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.asm.system;
 2 | 
 3 | import code.inspector.model.ClassReference;
 4 | import code.inspector.model.MethodReference;
 5 | import org.objectweb.asm.MethodVisitor;
 6 | 
 7 | import java.util.HashSet;
 8 | import java.util.Map;
 9 | import java.util.Set;
10 | 
11 | 
12 | public class MethodCallMethodAdapter extends MethodVisitor {
13 |     private final Set<MethodReference.Handle> calledMethods;
14 | 
15 |     public MethodCallMethodAdapter(int api, Map<MethodReference.Handle, Set<MethodReference.Handle>> methodCalls,
16 |                                    final MethodVisitor mv, final String owner, String name, String desc) {
17 |         super(api, mv);
18 |         this.calledMethods = new HashSet<>();
19 |         methodCalls.put(new MethodReference.Handle(new ClassReference.Handle(owner), name, desc), calledMethods);
20 |     }
21 | 
22 |     @Override
23 |     public void visitMethodInsn(int opcode, String owner, String name, String desc, boolean itf) {
24 |         calledMethods.add(new MethodReference.Handle(new ClassReference.Handle(owner), name, desc));
25 |         super.visitMethodInsn(opcode, owner, name, desc, itf);
26 |     }
27 | }
28 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/data/DesCollector.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.data;
 2 | 
 3 | 
 4 | import code.inspector.core.Const;
 5 | import code.inspector.core.asm.base.BaseClassVisitor;
 6 | import code.inspector.log.Log;
 7 | import code.inspector.model.ResultInfo;
 8 | 
 9 | import java.util.List;
10 | 
11 | public class DesCollector {
12 |     private static final String DES = "Deserialization";
13 | 
14 |     public static void collect(BaseClassVisitor cv, List<String> tempChain, List<ResultInfo> results) {
15 |         if (cv.getPass(Const.DESERIALIZATION_JDK)) {
16 |             ResultInfo resultInfo = new ResultInfo();
17 |             resultInfo.setType(DES);
18 |             resultInfo.setVulName("JDK readObject");
19 |             resultInfo.getChains().addAll(tempChain);
20 |             results.add(resultInfo);
21 |             Log.info(resultInfo.toString());
22 |         }
23 |         if (cv.getPass(Const.DESERIALIZATION_FASTJSON)) {
24 |             ResultInfo resultInfo = new ResultInfo();
25 |             resultInfo.setType(DES);
26 |             resultInfo.setVulName("Fastjson");
27 |             resultInfo.getChains().addAll(tempChain);
28 |             results.add(resultInfo);
29 |             Log.info(resultInfo.toString());
30 |         }
31 |         if (cv.getPass(Const.DESERIALIZATION_SNAKEYAML)) {
32 |             ResultInfo resultInfo = new ResultInfo();
33 |             resultInfo.setType(DES);
34 |             resultInfo.setVulName("SnakeYAML load");
35 |             resultInfo.getChains().addAll(tempChain);
36 |             results.add(resultInfo);
37 |             Log.info(resultInfo.toString());
38 |         }
39 |         if (cv.getPass(Const.DESERIALIZATION_JACKSON)) {
40 |             ResultInfo resultInfo = new ResultInfo();
41 |             resultInfo.setType(DES);
42 |             resultInfo.setVulName("Jackson");
43 |             resultInfo.getChains().addAll(tempChain);
44 |             results.add(resultInfo);
45 |             Log.info(resultInfo.toString());
46 |         }
47 |         if (cv.getPass(Const.DESERIALIZATION_HESSIAN)) {
48 |             ResultInfo resultInfo = new ResultInfo();
49 |             resultInfo.setType(DES);
50 |             resultInfo.setVulName("Hessian2 readObject");
51 |             resultInfo.getChains().addAll(tempChain);
52 |             results.add(resultInfo);
53 |             Log.info(resultInfo.toString());
54 |         }
55 |         if (cv.getPass(Const.DESERIALIZATION_XML_DECODER)) {
56 |             ResultInfo resultInfo = new ResultInfo();
57 |             resultInfo.setType(DES);
58 |             resultInfo.setVulName("XMLDecoder readObject");
59 |             resultInfo.getChains().addAll(tempChain);
60 |             results.add(resultInfo);
61 |             Log.info(resultInfo.toString());
62 |         }
63 |     }
64 | }
65 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/data/DoSCollector.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.data;
 2 | 
 3 | 
 4 | import code.inspector.core.Const;
 5 | import code.inspector.core.asm.base.BaseClassVisitor;
 6 | import code.inspector.log.Log;
 7 | import code.inspector.model.ResultInfo;
 8 | 
 9 | import java.util.List;
10 | 
11 | public class DoSCollector {
12 |     private static final String DOS = "Denial of Service";
13 | 
14 |     public static void collect(BaseClassVisitor cv, List<String> tempChain, List<ResultInfo> results) {
15 |         if (cv.getPass(Const.DOS_REGEX_TYPE)) {
16 |             ResultInfo resultInfo = new ResultInfo();
17 |             resultInfo.setType(DOS);
18 |             resultInfo.setVulName("Pattern matches ReDoS");
19 |             resultInfo.getChains().addAll(tempChain);
20 |             results.add(resultInfo);
21 |             Log.info(resultInfo.toString());
22 |         }
23 |         if (cv.getPass(Const.DOS_ARRAY_TYPE)) {
24 |             ResultInfo resultInfo = new ResultInfo();
25 |             resultInfo.setType(DOS);
26 |             resultInfo.setVulName("Array init memory DoS");
27 |             resultInfo.getChains().addAll(tempChain);
28 |             results.add(resultInfo);
29 |             Log.info(resultInfo.toString());
30 |         }
31 |         if (cv.getPass(Const.DOS_FOR_TYPE)) {
32 |             ResultInfo resultInfo = new ResultInfo();
33 |             resultInfo.setType(DOS);
34 |             resultInfo.setVulName("For loop controllable DoS");
35 |             resultInfo.getChains().addAll(tempChain);
36 |             results.add(resultInfo);
37 |             Log.info(resultInfo.toString());
38 |         }
39 |         if ( cv.getPass(Const.DOS_LIST_TYPE)) {
40 |             ResultInfo resultInfo = new ResultInfo();
41 |             resultInfo.setType(DOS);
42 |             resultInfo.setVulName("ArrayList init memory DoS");
43 |             resultInfo.getChains().addAll(tempChain);
44 |             results.add(resultInfo);
45 |             Log.info(resultInfo.toString());
46 |         }
47 |     }
48 | }
49 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/data/RCECollector.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.data;
 2 | 
 3 | import code.inspector.core.Const;
 4 | import code.inspector.core.asm.base.BaseClassVisitor;
 5 | import code.inspector.log.Log;
 6 | import code.inspector.model.ResultInfo;
 7 | 
 8 | import java.util.List;
 9 | 
10 | public class RCECollector {
11 | 
12 |     private static final String RCE = "Remote Code/Command Execute";
13 | 
14 |     public static void collect(BaseClassVisitor cv, List<String> tempChain, List<ResultInfo> results) {
15 |         if (cv.getPass(Const.RCE_RUNTIME_TYPE)) {
16 |             ResultInfo resultInfo = new ResultInfo();
17 |             resultInfo.setType(RCE);
18 |             resultInfo.setVulName("Runtime exec RCE");
19 |             resultInfo.getChains().addAll(tempChain);
20 |             results.add(resultInfo);
21 |             Log.info(resultInfo.toString());
22 |         }
23 |         if (cv.getPass(Const.RCE_PROCESS_TYPE)) {
24 |             ResultInfo resultInfo = new ResultInfo();
25 |             resultInfo.setType(RCE);
26 |             resultInfo.setVulName("ProcessBuilder start RCE");
27 |             resultInfo.getChains().addAll(tempChain);
28 |             results.add(resultInfo);
29 |             Log.info(resultInfo.toString());
30 |         }
31 |         if (cv.getPass(Const.RCE_GROOVY_TYPE)) {
32 |             ResultInfo resultInfo = new ResultInfo();
33 |             resultInfo.setType(RCE);
34 |             resultInfo.setVulName("GroovyShell evaluate RCE");
35 |             resultInfo.getChains().addAll(tempChain);
36 |             results.add(resultInfo);
37 |             Log.info(resultInfo.toString());
38 |         }
39 |         if (cv.getPass(Const.RCE_JNDI_TYPE)) {
40 |             ResultInfo resultInfo = new ResultInfo();
41 |             resultInfo.setType(RCE);
42 |             resultInfo.setVulName("JNDI Injection RCE");
43 |             resultInfo.getChains().addAll(tempChain);
44 |             results.add(resultInfo);
45 |             Log.info(resultInfo.toString());
46 |         }
47 |         if (cv.getPass(Const.RCE_SP_EL_TYPE)) {
48 |             ResultInfo resultInfo = new ResultInfo();
49 |             resultInfo.setType(RCE);
50 |             resultInfo.setVulName("Spring EL RCE");
51 |             resultInfo.getChains().addAll(tempChain);
52 |             results.add(resultInfo);
53 |             Log.info(resultInfo.toString());
54 |         }
55 |     }
56 | }
57 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/data/RedirectCollector.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.data;
 2 | 
 3 | import code.inspector.core.Const;
 4 | import code.inspector.core.asm.base.BaseClassVisitor;
 5 | import code.inspector.core.spring.SpringMapping;
 6 | import code.inspector.log.Log;
 7 | import code.inspector.model.ResultInfo;
 8 | 
 9 | import java.util.List;
10 | 
11 | public class RedirectCollector {
12 |     private static final String REDIRECT = "Open Redirect";
13 |     public static void collect(BaseClassVisitor cv, SpringMapping mapping, List<ResultInfo> results) {
14 |         if (cv.getPass(Const.REDIRECT_SEND_RESPONSE_TYPE)) {
15 |             ResultInfo resultInfo = new ResultInfo();
16 |             resultInfo.setType(REDIRECT);
17 |             resultInfo.setVulName("Servlet sendResponse Redirect");
18 |             resultInfo.getChains().add(mapping.getController().getClassReference().getName() + "."
19 |                     + mapping.getMethodReference().getName());
20 |             results.add(resultInfo);
21 |             Log.info(resultInfo.toString());
22 |         }
23 |         if (cv.getPass(Const.REDIRECT_STRING_TYPE)) {
24 |             ResultInfo resultInfo = new ResultInfo();
25 |             resultInfo.setType(REDIRECT);
26 |             resultInfo.setVulName("Spring String Redirect");
27 |             resultInfo.getChains().add(mapping.getController().getClassReference().getName() + "."
28 |                     + mapping.getMethodReference().getName());
29 |             results.add(resultInfo);
30 |             Log.info(resultInfo.toString());
31 |         }
32 |         if (cv.getPass(Const.REDIRECT_MODEL_AND_VIEW_TYPE)) {
33 |             ResultInfo resultInfo = new ResultInfo();
34 |             resultInfo.setType(REDIRECT);
35 |             resultInfo.setVulName("Spring ModelAndView Redirect");
36 |             resultInfo.getChains().add(mapping.getController().getClassReference().getName() + "."
37 |                     + mapping.getMethodReference().getName());
38 |             results.add(resultInfo);
39 |             Log.info(resultInfo.toString());
40 |         }
41 |     }
42 | }
43 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/data/SSRFCollector.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.data;
 2 | 
 3 | 
 4 | import code.inspector.core.Const;
 5 | import code.inspector.core.asm.base.BaseClassVisitor;
 6 | import code.inspector.log.Log;
 7 | import code.inspector.model.ResultInfo;
 8 | 
 9 | import java.util.List;
10 | 
11 | public class SSRFCollector {
12 |     private static final String SSRF = "Server-Side Request Forgery";
13 | 
14 |     public static void collect(BaseClassVisitor cv, List<String> tempChain, List<ResultInfo> results) {
15 |         if (cv.getPass(Const.SSRF_OKHTTP_TYPE)) {
16 |             ResultInfo resultInfo = new ResultInfo();
17 |             resultInfo.setType(SSRF);
18 |             resultInfo.setVulName("OKHTTP SSRF");
19 |             resultInfo.getChains().addAll(tempChain);
20 |             results.add(resultInfo);
21 |             Log.info(resultInfo.toString());
22 |         }
23 |         if (cv.getPass(Const.SSRF_SOCKET_TYPE)) {
24 |             ResultInfo resultInfo = new ResultInfo();
25 |             resultInfo.setType(SSRF);
26 |             resultInfo.setVulName("Socket SSRF");
27 |             resultInfo.getChains().addAll(tempChain);
28 |             results.add(resultInfo);
29 |             Log.info(resultInfo.toString());
30 |         }
31 |         if (cv.getPass(Const.SSRF_APACHE_TYPE)) {
32 |             ResultInfo resultInfo = new ResultInfo();
33 |             resultInfo.setType(SSRF);
34 |             resultInfo.setVulName("Apache HttpClient SSRF");
35 |             resultInfo.getChains().addAll(tempChain);
36 |             results.add(resultInfo);
37 |             Log.info(resultInfo.toString());
38 |         }
39 |         if (cv.getPass(Const.SSRF_JDK_TYPE)) {
40 |             ResultInfo resultInfo = new ResultInfo();
41 |             resultInfo.setType(SSRF);
42 |             resultInfo.setVulName("HttpUrlConnection SSRF");
43 |             resultInfo.getChains().addAll(tempChain);
44 |             results.add(resultInfo);
45 |             Log.info(resultInfo.toString());
46 |         }
47 |     }
48 | }
49 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/data/SqlCollector.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.data;
 2 | 
 3 | import code.inspector.core.Const;
 4 | import code.inspector.core.asm.base.BaseClassVisitor;
 5 | import code.inspector.log.Log;
 6 | import code.inspector.model.ResultInfo;
 7 | 
 8 | import java.util.List;
 9 | 
10 | public class SqlCollector {
11 |     private static final String SQL = "SQL Injection";
12 |     public static void collect(BaseClassVisitor cv, List<String> tempChain, List<ResultInfo> results) {
13 |         if (cv.getPass(Const.SQL_EXECUTE)) {
14 |             ResultInfo resultInfo = new ResultInfo();
15 |             resultInfo.setType(SQL);
16 |             resultInfo.setVulName("Statement execute");
17 |             resultInfo.getChains().addAll(tempChain);
18 |             results.add(resultInfo);
19 |             Log.info(resultInfo.toString());
20 |         }
21 |         if (cv.getPass(Const.SQL_EXECUTE_UPDATE)) {
22 |             ResultInfo resultInfo = new ResultInfo();
23 |             resultInfo.setType(SQL);
24 |             resultInfo.setVulName("Statement executeUpdate");
25 |             resultInfo.getChains().addAll(tempChain);
26 |             results.add(resultInfo);
27 |             Log.info(resultInfo.toString());
28 |         }
29 |         if (cv.getPass(Const.SQL_EXECUTE_QUERY)) {
30 |             ResultInfo resultInfo = new ResultInfo();
31 |             resultInfo.setType(SQL);
32 |             resultInfo.setVulName("Statement executeQuery");
33 |             resultInfo.getChains().addAll(tempChain);
34 |             results.add(resultInfo);
35 |             Log.info(resultInfo.toString());
36 |         }
37 |         if (cv.getPass(Const.SQL_JDBC_TEMPLATE_EXECUTE)) {
38 |             ResultInfo resultInfo = new ResultInfo();
39 |             resultInfo.setType(SQL);
40 |             resultInfo.setVulName("JdbcTemplate execute");
41 |             resultInfo.getChains().addAll(tempChain);
42 |             results.add(resultInfo);
43 |             Log.info(resultInfo.toString());
44 |         }
45 |         if (cv.getPass(Const.SQL_JDBC_TEMPLATE_UPDATE)) {
46 |             ResultInfo resultInfo = new ResultInfo();
47 |             resultInfo.setType(SQL);
48 |             resultInfo.setVulName("JdbcTemplate update");
49 |             resultInfo.getChains().addAll(tempChain);
50 |             results.add(resultInfo);
51 |             Log.info(resultInfo.toString());
52 |         }
53 |         if (cv.getPass(Const.SQL_JDBC_TEMPLATE_QUERY_ANY)) {
54 |             ResultInfo resultInfo = new ResultInfo();
55 |             resultInfo.setType(SQL);
56 |             resultInfo.setVulName("JdbcTemplate queryAnyMethod");
57 |             resultInfo.getChains().addAll(tempChain);
58 |             results.add(resultInfo);
59 |             Log.info(resultInfo.toString());
60 |         }
61 |     }
62 | }
63 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/inherit/InheritanceMap.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.inherit;
 2 | 
 3 | import code.inspector.model.ClassReference;
 4 | 
 5 | import java.util.*;
 6 | 
 7 | 
 8 | @SuppressWarnings("all")
 9 | public class InheritanceMap {
10 |     /**
11 |      * 子类 -> 所有父类
12 |      */
13 |     private final Map<ClassReference.Handle, Set<ClassReference.Handle>> inheritanceMap;
14 |     /**
15 |      * 父类 -> 所有子类
16 |      */
17 |     private final Map<ClassReference.Handle, Set<ClassReference.Handle>> subClassMap;
18 | 
19 |     public InheritanceMap(Map<ClassReference.Handle, Set<ClassReference.Handle>> inheritanceMap) {
20 |         this.inheritanceMap = inheritanceMap;
21 |         subClassMap = new HashMap<>();
22 |         for (Map.Entry<ClassReference.Handle, Set<ClassReference.Handle>> entry : inheritanceMap.entrySet()) {
23 |             ClassReference.Handle child = entry.getKey();
24 |             for (ClassReference.Handle parent : entry.getValue()) {
25 |                 if (!subClassMap.containsKey(parent)) {
26 |                     Set<ClassReference.Handle> tempSet = new HashSet<>();
27 |                     tempSet.add(child);
28 |                     subClassMap.put(parent, tempSet);
29 |                 } else {
30 |                     subClassMap.get(parent).add(child);
31 |                 }
32 |             }
33 |         }
34 |     }
35 | 
36 |     public Set<Map.Entry<ClassReference.Handle, Set<ClassReference.Handle>>> entrySet() {
37 |         return inheritanceMap.entrySet();
38 |     }
39 | 
40 |     public Set<ClassReference.Handle> getSuperClasses(ClassReference.Handle clazz) {
41 |         Set<ClassReference.Handle> parents = inheritanceMap.get(clazz);
42 |         if (parents == null) {
43 |             return null;
44 |         }
45 |         return Collections.unmodifiableSet(parents);
46 |     }
47 | 
48 |     public boolean isSubclassOf(ClassReference.Handle clazz, ClassReference.Handle superClass) {
49 |         Set<ClassReference.Handle> parents = inheritanceMap.get(clazz);
50 |         if (parents == null) {
51 |             return false;
52 |         }
53 |         return parents.contains(superClass);
54 |     }
55 | 
56 |     public Set<ClassReference.Handle> getSubClasses(ClassReference.Handle clazz) {
57 |         Set<ClassReference.Handle> subClasses = subClassMap.get(clazz);
58 |         if (subClasses == null) {
59 |             return null;
60 |         }
61 |         return Collections.unmodifiableSet(subClasses);
62 |     }
63 | }
64 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/inherit/InheritanceUtil.java:
--------------------------------------------------------------------------------
  1 | package code.inspector.core.inherit;
  2 | 
  3 | import code.inspector.model.ClassReference;
  4 | import code.inspector.model.MethodReference;
  5 | 
  6 | import java.util.HashMap;
  7 | import java.util.HashSet;
  8 | import java.util.Map;
  9 | import java.util.Set;
 10 | 
 11 | 
 12 | public class InheritanceUtil {
 13 |     public static InheritanceMap derive(Map<ClassReference.Handle, ClassReference> classMap) {
 14 |         Map<ClassReference.Handle, Set<ClassReference.Handle>> implicitInheritance = new HashMap<>();
 15 |         for (ClassReference classReference : classMap.values()) {
 16 |             Set<ClassReference.Handle> allParents = new HashSet<>();
 17 |             getAllParents(classReference, classMap, allParents);
 18 |             implicitInheritance.put(classReference.getHandle(), allParents);
 19 |         }
 20 |         return new InheritanceMap(implicitInheritance);
 21 |     }
 22 | 
 23 |     private static void getAllParents(ClassReference classReference,
 24 |                                       Map<ClassReference.Handle, ClassReference> classMap,
 25 |                                       Set<ClassReference.Handle> allParents) {
 26 |         Set<ClassReference.Handle> parents = new HashSet<>();
 27 |         if (classReference.getSuperClass() != null) {
 28 |             parents.add(new ClassReference.Handle(classReference.getSuperClass()));
 29 |         }
 30 |         for (String i : classReference.getInterfaces()) {
 31 |             parents.add(new ClassReference.Handle(i));
 32 |         }
 33 | 
 34 |         for (ClassReference.Handle immediateParent : parents) {
 35 |             ClassReference parentClassReference = classMap.get(immediateParent);
 36 |             if (parentClassReference == null) {
 37 |                 continue;
 38 |             }
 39 |             allParents.add(parentClassReference.getHandle());
 40 |             getAllParents(parentClassReference, classMap, allParents);
 41 |         }
 42 |     }
 43 | 
 44 |     public static Map<MethodReference.Handle, Set<MethodReference.Handle>> getAllMethodImplementations(
 45 |             InheritanceMap inheritanceMap, Map<MethodReference.Handle, MethodReference> methodMap) {
 46 |         Map<ClassReference.Handle, Set<MethodReference.Handle>> methodsByClass = getMethodsByClass(methodMap);
 47 |         Map<ClassReference.Handle, Set<ClassReference.Handle>> subClassMap = new HashMap<>();
 48 |         for (Map.Entry<ClassReference.Handle, Set<ClassReference.Handle>> entry : inheritanceMap.entrySet()) {
 49 |             for (ClassReference.Handle parent : entry.getValue()) {
 50 |                 if (!subClassMap.containsKey(parent)) {
 51 |                     Set<ClassReference.Handle> subClasses = new HashSet<>();
 52 |                     subClasses.add(entry.getKey());
 53 |                     subClassMap.put(parent, subClasses);
 54 |                 } else {
 55 |                     subClassMap.get(parent).add(entry.getKey());
 56 |                 }
 57 |             }
 58 |         }
 59 |         Map<MethodReference.Handle, Set<MethodReference.Handle>> methodImplMap = new HashMap<>();
 60 |         for (MethodReference method : methodMap.values()) {
 61 |             if (method.isStatic()) {
 62 |                 continue;
 63 |             }
 64 |             Set<MethodReference.Handle> overridingMethods = new HashSet<>();
 65 |             Set<ClassReference.Handle> subClasses = subClassMap.get(method.getClassReference());
 66 |             if (subClasses != null) {
 67 |                 for (ClassReference.Handle subClass : subClasses) {
 68 |                     Set<MethodReference.Handle> subClassMethods = methodsByClass.get(subClass);
 69 |                     if (subClassMethods != null) {
 70 |                         for (MethodReference.Handle subClassMethod : subClassMethods) {
 71 |                             if (subClassMethod.getName().equals(method.getName()) &&
 72 |                                     subClassMethod.getDesc().equals(method.getDesc())) {
 73 |                                 overridingMethods.add(subClassMethod);
 74 |                             }
 75 |                         }
 76 |                     }
 77 |                 }
 78 |             }
 79 |             if (overridingMethods.size() > 0) {
 80 |                 methodImplMap.put(method.getHandle(), overridingMethods);
 81 |             }
 82 |         }
 83 |         return methodImplMap;
 84 |     }
 85 | 
 86 |     public static Map<ClassReference.Handle, Set<MethodReference.Handle>> getMethodsByClass(
 87 |             Map<MethodReference.Handle, MethodReference> methodMap) {
 88 |         Map<ClassReference.Handle, Set<MethodReference.Handle>> methodsByClass = new HashMap<>();
 89 |         for (MethodReference.Handle method : methodMap.keySet()) {
 90 |             ClassReference.Handle classReference = method.getClassReference();
 91 |             if (!methodsByClass.containsKey(classReference)) {
 92 |                 Set<MethodReference.Handle> methods = new HashSet<>();
 93 |                 methods.add(method);
 94 |                 methodsByClass.put(classReference, methods);
 95 |             } else {
 96 |                 methodsByClass.get(classReference).add(method);
 97 |             }
 98 |         }
 99 |         return methodsByClass;
100 |     }
101 | }
102 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/service/DOSService.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.service;
 2 | 
 3 | import code.inspector.core.asm.DOSClassVisitor;
 4 | import code.inspector.core.data.DoSCollector;
 5 | import code.inspector.core.service.base.BaseService;
 6 | import code.inspector.core.spring.SpringController;
 7 | import code.inspector.model.CallGraph;
 8 | import code.inspector.model.ClassFile;
 9 | import code.inspector.model.MethodReference;
10 | 
11 | import java.util.List;
12 | import java.util.Map;
13 | import java.util.Set;
14 | 
15 | public class DOSService extends BaseService {
16 |     public static void start(Map<String, ClassFile> classFileByName,
17 |                              List<SpringController> controllers,
18 |                              Map<MethodReference.Handle, Set<CallGraph>> discoveredCalls) {
19 |         start0(classFileByName,controllers,discoveredCalls,
20 |                 DOSClassVisitor.class, DoSCollector.class);
21 | 
22 |     }
23 | }
24 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/service/DesService.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.service;
 2 | 
 3 | import code.inspector.core.asm.DesClassVisitor;
 4 | import code.inspector.core.data.DesCollector;
 5 | import code.inspector.core.service.base.BaseService;
 6 | import code.inspector.core.spring.SpringController;
 7 | import code.inspector.model.CallGraph;
 8 | import code.inspector.model.ClassFile;
 9 | import code.inspector.model.MethodReference;
10 | 
11 | import java.util.List;
12 | import java.util.Map;
13 | import java.util.Set;
14 | 
15 | public class DesService extends BaseService {
16 |     public static void start(Map<String, ClassFile> classFileByName,
17 |                              List<SpringController> controllers,
18 |                              Map<MethodReference.Handle, Set<CallGraph>> discoveredCalls) {
19 |         start0(classFileByName,controllers,discoveredCalls,
20 |                 DesClassVisitor.class, DesCollector.class);
21 | 
22 |     }
23 | }
24 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/service/RCEService.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.service;
 2 | 
 3 | import code.inspector.core.asm.RCEClassVisitor;
 4 | import code.inspector.core.data.RCECollector;
 5 | import code.inspector.core.service.base.BaseService;
 6 | import code.inspector.core.spring.SpringController;
 7 | import code.inspector.model.CallGraph;
 8 | import code.inspector.model.ClassFile;
 9 | import code.inspector.model.MethodReference;
10 | 
11 | import java.util.List;
12 | import java.util.Map;
13 | import java.util.Set;
14 | 
15 | 
16 | public class RCEService extends BaseService {
17 | 
18 |     public static void start(Map<String, ClassFile> classFileByName,
19 |                              List<SpringController> controllers,
20 |                              Map<MethodReference.Handle, Set<CallGraph>> discoveredCalls) {
21 |         start0(classFileByName, controllers, discoveredCalls,
22 |                 RCEClassVisitor.class, RCECollector.class);
23 |     }
24 | }
25 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/service/RedirectService.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.service;
 2 | 
 3 | import code.inspector.core.asm.RedirectClassVisitor;
 4 | import code.inspector.core.data.RedirectCollector;
 5 | import code.inspector.core.spring.SpringController;
 6 | import code.inspector.core.spring.SpringMapping;
 7 | import code.inspector.model.ClassFile;
 8 | import code.inspector.model.MethodReference;
 9 | import code.inspector.model.ResultInfo;
10 | import org.objectweb.asm.ClassReader;
11 | 
12 | import java.util.ArrayList;
13 | import java.util.List;
14 | import java.util.Map;
15 | 
16 | 
17 | public class RedirectService {
18 | 
19 |     private static final List<ResultInfo> results = new ArrayList<>();
20 | 
21 |     public static void start(Map<String, ClassFile> classFileByName,
22 |                              List<SpringController> controllers) {
23 | 
24 |         for (SpringController controller : controllers) {
25 |             for (SpringMapping mapping : controller.getMappings()) {
26 |                 MethodReference methodReference = mapping.getMethodReference();
27 |                 if (methodReference == null) {
28 |                     continue;
29 |                 }
30 |                 ClassFile file = classFileByName.get(mapping.getController().getClassReference().getName());
31 |                 try {
32 |                     if (file == null) {
33 |                         continue;
34 |                     }
35 |                     ClassReader cr = new ClassReader(file.getFile());
36 |                     RedirectClassVisitor cv = new RedirectClassVisitor(mapping.getMethodReference());
37 |                     cr.accept(cv, ClassReader.EXPAND_FRAMES);
38 |                     RedirectCollector.collect(cv, mapping, results);
39 |                 } catch (Exception e) {
40 |                     e.printStackTrace();
41 |                 }
42 |             }
43 |         }
44 |     }
45 | 
46 |     public static List<ResultInfo> getResults() {
47 |         return new ArrayList<>(results);
48 |     }
49 | }
50 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/service/SSRFService.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.service;
 2 | 
 3 | 
 4 | import code.inspector.core.asm.SSRFClassVisitor;
 5 | import code.inspector.core.data.SSRFCollector;
 6 | import code.inspector.core.service.base.BaseService;
 7 | import code.inspector.core.spring.SpringController;
 8 | import code.inspector.model.CallGraph;
 9 | import code.inspector.model.ClassFile;
10 | import code.inspector.model.MethodReference;
11 | 
12 | import java.util.List;
13 | import java.util.Map;
14 | import java.util.Set;
15 | 
16 | public class SSRFService extends BaseService {
17 |     public static void start(Map<String, ClassFile> classFileByName,
18 |                              List<SpringController> controllers,
19 |                              Map<MethodReference.Handle, Set<CallGraph>> discoveredCalls) {
20 |         start0(classFileByName, controllers, discoveredCalls,
21 |                 SSRFClassVisitor.class, SSRFCollector.class);
22 |     }
23 | }
24 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/service/SqlInjectService.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.service;
 2 | 
 3 | import code.inspector.core.asm.SqlInjectClassVisitor;
 4 | import code.inspector.core.data.SqlCollector;
 5 | import code.inspector.core.service.base.BaseService;
 6 | import code.inspector.core.spring.SpringController;
 7 | import code.inspector.model.CallGraph;
 8 | import code.inspector.model.ClassFile;
 9 | import code.inspector.model.MethodReference;
10 | 
11 | import java.util.List;
12 | import java.util.Map;
13 | import java.util.Set;
14 | 
15 | public class SqlInjectService extends BaseService {
16 |     public static void start(Map<String, ClassFile> classFileByName,
17 |                              List<SpringController> controllers,
18 |                              Map<MethodReference.Handle, Set<CallGraph>> discoveredCalls) {
19 |         start0(classFileByName, controllers, discoveredCalls,
20 |                 SqlInjectClassVisitor.class, SqlCollector.class);
21 | 
22 |     }
23 | }


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/service/system/CallGraphService.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.service.system;
 2 | 
 3 | import code.inspector.core.asm.system.CallGraphClassVisitor;
 4 | import code.inspector.model.CallGraph;
 5 | import code.inspector.model.ClassFile;
 6 | import code.inspector.model.ClassReference;
 7 | import code.inspector.model.MethodReference;
 8 | import org.objectweb.asm.ClassReader;
 9 | 
10 | import java.util.*;
11 | 
12 | public class CallGraphService {
13 | 
14 |     public static void start(Set<CallGraph> discoveredCalls,
15 |                              List<MethodReference.Handle> sortedMethods,
16 |                              Map<String, ClassFile> classFileByName,
17 |                              Map<ClassReference.Handle, ClassReference> classMap,
18 |                              Map<MethodReference.Handle, Set<CallGraph>> graphCallMap,
19 |                              Map<MethodReference.Handle, MethodReference> methodMap,
20 |                              Map<MethodReference.Handle, Set<MethodReference.Handle>> methodImplMap) {
21 |         for (MethodReference.Handle method : sortedMethods) {
22 |             ClassFile file = classFileByName.get(method.getClassReference().getName());
23 |             try {
24 |                 ClassReader cr = new ClassReader(file.getFile());
25 |                 CallGraphClassVisitor cv = new CallGraphClassVisitor(discoveredCalls);
26 |                 cr.accept(cv, ClassReader.EXPAND_FRAMES);
27 |             } catch (Exception e) {
28 |                 e.printStackTrace();
29 |             }
30 |         }
31 |         // call graph set -> call graph list
32 |         List<CallGraph> tempList = new ArrayList<>(discoveredCalls);
33 |         // remove unnecessary method
34 |         for (int i = 0; i < tempList.size(); i++) {
35 |             MethodReference.Handle target = tempList.get(i).getTargetMethod();
36 |             if (target.getClassReference().getName().equals("java/lang/Object")) {
37 |                 if (target.getName().equals("<init>") && target.getDesc().equals("()V")) {
38 |                     tempList.remove(tempList.get(i));
39 |                 }
40 |             }
41 |         }
42 |         // resolve interface problem: interface -> impls
43 |         for (int i = 0; i < discoveredCalls.size(); i++) {
44 |             if (i >= tempList.size()) {
45 |                 break;
46 |             }
47 |             MethodReference.Handle targetMethod = tempList.get(i).getTargetMethod();
48 |             ClassReference.Handle handle = targetMethod.getClassReference();
49 |             ClassReference targetClass = classMap.get(handle);
50 |             if (targetClass == null) {
51 |                 continue;
52 |             }
53 |             if (targetClass.isInterface()) {
54 |                 Set<MethodReference.Handle> implSet = methodImplMap.get(targetMethod);
55 |                 if (implSet == null || implSet.size() == 0) {
56 |                     continue;
57 |                 }
58 |                 for (MethodReference.Handle implMethod : implSet) {
59 |                     String callerDesc = methodMap.get(implMethod).getDesc();
60 |                     if (targetMethod.getDesc().equals(callerDesc)) {
61 |                         tempList.add(new CallGraph(
62 |                                 targetMethod,
63 |                                 implMethod,
64 |                                 tempList.get(i).getTargetArgIndex(),
65 |                                 tempList.get(i).getTargetArgIndex()
66 |                         ));
67 |                     }
68 |                 }
69 |             }
70 |         }
71 |         // unique
72 |         discoveredCalls.clear();
73 |         discoveredCalls.addAll(tempList);
74 |         // build call graph map: method -> call graphs
75 |         for (CallGraph graphCall : discoveredCalls) {
76 |             MethodReference.Handle caller = graphCall.getCallerMethod();
77 |             if (!graphCallMap.containsKey(caller)) {
78 |                 Set<CallGraph> graphCalls = new HashSet<>();
79 |                 graphCalls.add(graphCall);
80 |                 graphCallMap.put(caller, graphCalls);
81 |             } else {
82 |                 graphCallMap.get(caller).add(graphCall);
83 |             }
84 |         }
85 |     }
86 | }
87 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/service/system/DiscoveryService.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.service.system;
 2 | 
 3 | import code.inspector.core.asm.system.DiscoveryClassVisitor;
 4 | import code.inspector.model.ClassFile;
 5 | import code.inspector.model.ClassReference;
 6 | import code.inspector.model.MethodReference;
 7 | import org.objectweb.asm.ClassReader;
 8 | 
 9 | import java.util.List;
10 | import java.util.Map;
11 | 
12 | public class DiscoveryService {
13 | 
14 |     public static void start(List<ClassFile> classFileList,
15 |                              List<ClassReference> discoveredClasses,
16 |                              List<MethodReference> discoveredMethods,
17 |                              Map<ClassReference.Handle, ClassReference> classMap,
18 |                              Map<MethodReference.Handle, MethodReference> methodMap,
19 |                              Map<String, ClassFile> classFileByName) {
20 |         for (ClassFile file : classFileList) {
21 |             try {
22 |                 DiscoveryClassVisitor dcv = new DiscoveryClassVisitor(discoveredClasses, discoveredMethods);
23 |                 ClassReader cr = new ClassReader(file.getFile());
24 |                 cr.accept(dcv, ClassReader.EXPAND_FRAMES);
25 |                 classFileByName.put(dcv.getName(), file);
26 |             } catch (Exception e) {
27 |                 e.printStackTrace();
28 |             }
29 |         }
30 |         for (ClassReference clazz : discoveredClasses) {
31 |             classMap.put(clazz.getHandle(), clazz);
32 |         }
33 |         for (MethodReference method : discoveredMethods) {
34 |             methodMap.put(method.getHandle(), method);
35 |         }
36 |     }
37 | }
38 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/service/system/InheritanceService.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.service.system;
 2 | 
 3 | 
 4 | import code.inspector.core.inherit.InheritanceMap;
 5 | import code.inspector.core.inherit.InheritanceUtil;
 6 | import code.inspector.model.ClassReference;
 7 | 
 8 | import java.util.Map;
 9 | 
10 | public class InheritanceService {
11 | 
12 |     public static InheritanceMap start(Map<ClassReference.Handle, ClassReference> classMap) {
13 |         return InheritanceUtil.derive(classMap);
14 |     }
15 | }
16 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/service/system/MethodCallService.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.service.system;
 2 | 
 3 | import code.inspector.core.asm.system.MethodCallClassVisitor;
 4 | import code.inspector.model.ClassFile;
 5 | import code.inspector.model.MethodReference;
 6 | import org.objectweb.asm.ClassReader;
 7 | 
 8 | import java.util.List;
 9 | import java.util.Map;
10 | import java.util.Set;
11 | 
12 | 
13 | public class MethodCallService {
14 | 
15 |     public static void start(List<ClassFile> classFileList,
16 |                              Map<MethodReference.Handle, Set<MethodReference.Handle>> methodCalls) {
17 |         for (ClassFile file : classFileList) {
18 |             try {
19 |                 MethodCallClassVisitor mcv = new MethodCallClassVisitor(methodCalls);
20 |                 ClassReader cr = new ClassReader(file.getFile());
21 |                 cr.accept(mcv, ClassReader.EXPAND_FRAMES);
22 |             } catch (Exception e) {
23 |                 e.printStackTrace();
24 |             }
25 |         }
26 |     }
27 | }
28 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/service/system/SortService.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.service.system;
 2 | 
 3 | 
 4 | import code.inspector.model.MethodReference;
 5 | 
 6 | import java.util.*;
 7 | 
 8 | public class SortService {
 9 |     public static List<MethodReference.Handle> start(
10 |             Map<MethodReference.Handle, Set<MethodReference.Handle>> methodCalls) {
11 |         Map<MethodReference.Handle, Set<MethodReference.Handle>> outgoingReferences = new HashMap<>();
12 |         for (Map.Entry<MethodReference.Handle, Set<MethodReference.Handle>> entry : methodCalls.entrySet()) {
13 |             MethodReference.Handle method = entry.getKey();
14 |             outgoingReferences.put(method, new HashSet<>(entry.getValue()));
15 |         }
16 |         Set<MethodReference.Handle> dfsStack = new HashSet<>();
17 |         Set<MethodReference.Handle> visitedNodes = new HashSet<>();
18 |         List<MethodReference.Handle> sortedMethods = new ArrayList<>(outgoingReferences.size());
19 |         for (MethodReference.Handle root : outgoingReferences.keySet()) {
20 |             dfsSort(outgoingReferences, sortedMethods, visitedNodes, dfsStack, root);
21 |         }
22 |         return sortedMethods;
23 |     }
24 | 
25 |     private static void dfsSort(Map<MethodReference.Handle, Set<MethodReference.Handle>> outgoingReferences,
26 |                                 List<MethodReference.Handle> sortedMethods, Set<MethodReference.Handle> visitedNodes,
27 |                                 Set<MethodReference.Handle> stack, MethodReference.Handle node) {
28 |         if (stack.contains(node)) {
29 |             return;
30 |         }
31 |         if (visitedNodes.contains(node)) {
32 |             return;
33 |         }
34 |         Set<MethodReference.Handle> outgoingRefs = outgoingReferences.get(node);
35 |         if (outgoingRefs == null) {
36 |             return;
37 |         }
38 |         stack.add(node);
39 |         for (MethodReference.Handle child : outgoingRefs) {
40 |             dfsSort(outgoingReferences, sortedMethods, visitedNodes, stack, child);
41 |         }
42 |         stack.remove(node);
43 |         visitedNodes.add(node);
44 |         sortedMethods.add(node);
45 |     }
46 | }
47 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/core/service/system/SpringService.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.service.system;
 2 | 
 3 | import code.inspector.core.spring.SpringController;
 4 | import code.inspector.core.spring.asm.SpringClassVisitor;
 5 | import code.inspector.model.ClassFile;
 6 | import code.inspector.model.ClassReference;
 7 | import code.inspector.model.MethodReference;
 8 | import org.objectweb.asm.ClassReader;
 9 | 
10 | import java.util.List;
11 | import java.util.Map;
12 | 
13 | public class SpringService {
14 |     public static void start(List<ClassFile> classFileList,
15 |                              List<SpringController> controllers,
16 |                              Map<ClassReference.Handle, ClassReference> classMap,
17 |                              Map<MethodReference.Handle, MethodReference> methodMap) {
18 |         for (ClassFile file : classFileList) {
19 |             try {
20 |                 SpringClassVisitor mcv = new SpringClassVisitor(controllers, classMap, methodMap);
21 |                 ClassReader cr = new ClassReader(file.getFile());
22 |                 cr.accept(mcv, ClassReader.EXPAND_FRAMES);
23 |             } catch (Exception e) {
24 |                 e.printStackTrace();
25 |             }
26 |         }
27 |     }
28 | }


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/data/Output.java:
--------------------------------------------------------------------------------
  1 | package code.inspector.data;
  2 | 
  3 | 
  4 | import code.inspector.core.spring.SpringController;
  5 | import code.inspector.core.spring.SpringMapping;
  6 | import code.inspector.core.spring.SpringParam;
  7 | import code.inspector.model.CallGraph;
  8 | import code.inspector.model.MethodReference;
  9 | 
 10 | import java.nio.charset.StandardCharsets;
 11 | import java.nio.file.Files;
 12 | import java.nio.file.Path;
 13 | import java.nio.file.Paths;
 14 | import java.util.List;
 15 | import java.util.Map;
 16 | import java.util.Set;
 17 | 
 18 | public class Output {
 19 | 
 20 |     private static String getCallGraph(Map<MethodReference.Handle, Set<CallGraph>> graphCallMap,
 21 |                                        String packageName) {
 22 |         StringBuilder sb = new StringBuilder();
 23 |         for (Map.Entry<MethodReference.Handle, Set<CallGraph>> item : graphCallMap.entrySet()) {
 24 |             if (item.getKey().getClassReference().getName().startsWith(packageName)) {
 25 |                 for (CallGraph callGraph : item.getValue()) {
 26 |                     sb.append(callGraph.getCallerMethod().getClassReference().getName());
 27 |                     sb.append(".");
 28 |                     sb.append(callGraph.getCallerMethod().getName());
 29 |                     sb.append("#");
 30 |                     sb.append(callGraph.getCallerArgIndex());
 31 |                     sb.append("--->");
 32 |                     sb.append(callGraph.getTargetMethod().getClassReference().getName());
 33 |                     sb.append(".");
 34 |                     sb.append(callGraph.getTargetMethod().getName());
 35 |                     sb.append("#");
 36 |                     sb.append(callGraph.getTargetArgIndex());
 37 |                     sb.append("\n");
 38 |                 }
 39 |             }
 40 |         }
 41 |         return sb.toString();
 42 |     }
 43 | 
 44 |     public static void writeTargetCallGraphs(Map<MethodReference.Handle, Set<CallGraph>> graphCallMap,
 45 |                                              String packageName) {
 46 |         packageName = packageName.replace(".", "/");
 47 |         try {
 48 |             Path callPath = Paths.get("calls.txt");
 49 |             try {
 50 |                 Files.delete(callPath);
 51 |             } catch (Exception ignored) {
 52 |             }
 53 |             Files.write(callPath,
 54 |                     getCallGraph(graphCallMap, packageName).getBytes(StandardCharsets.UTF_8));
 55 |         } catch (Exception e) {
 56 |             e.printStackTrace();
 57 |         }
 58 |     }
 59 | 
 60 |     public static void writeSortedMethod(List<MethodReference.Handle> sortedMethods) {
 61 |         StringBuilder sb = new StringBuilder();
 62 |         for (MethodReference.Handle method : sortedMethods) {
 63 |             sb.append(method.getClassReference().getName());
 64 |             sb.append(".");
 65 |             sb.append(method.getName());
 66 |             sb.append("\n");
 67 |         }
 68 |         try {
 69 |             Path sortedPath = Paths.get("sorted.txt");
 70 |             try {
 71 |                 Files.delete(sortedPath);
 72 |             } catch (Exception ignored) {
 73 |             }
 74 |             Files.write(sortedPath, sb.toString().getBytes(StandardCharsets.UTF_8));
 75 |         } catch (Exception e) {
 76 |             e.printStackTrace();
 77 |         }
 78 |     }
 79 | 
 80 |     public static void writeControllers(List<SpringController> controllers) {
 81 |         StringBuilder sb = new StringBuilder();
 82 |         for (SpringController controller : controllers) {
 83 |             sb.append(controller.getClassReference().getName());
 84 |             sb.append("\n");
 85 |             for (SpringMapping mapping : controller.getMappings()) {
 86 |                 sb.append("\t");
 87 |                 sb.append(mapping.getMethodName().getName());
 88 |                 sb.append("\t");
 89 |                 for (SpringParam param : mapping.getParamMap()) {
 90 |                     sb.append(param.getReqName());
 91 |                     sb.append("->");
 92 |                     sb.append(param.getParamName());
 93 |                     sb.append(" ");
 94 |                     sb.append(param.getParamType());
 95 |                     sb.append(" ");
 96 |                 }
 97 |                 sb.append("\n");
 98 |             }
 99 |             sb.append("\n");
100 |         }
101 |         try {
102 |             Path conPath = Paths.get("controllers.txt");
103 |             try {
104 |                 Files.delete(conPath);
105 |             } catch (Exception ignored) {
106 |             }
107 |             Files.write(conPath, sb.toString().getBytes(StandardCharsets.UTF_8));
108 |         } catch (Exception e) {
109 |             e.printStackTrace();
110 |         }
111 |     }
112 | }
113 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/data/ResultOutput.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.data;
 2 | 
 3 | 
 4 | import code.inspector.log.Log;
 5 | import code.inspector.model.ResultInfo;
 6 | import code.inspector.render.Render;
 7 | import code.inspector.render.RenderData;
 8 | 
 9 | import java.nio.file.Paths;
10 | import java.util.ArrayList;
11 | import java.util.LinkedHashSet;
12 | import java.util.List;
13 | import java.util.Set;
14 | 
15 | public class ResultOutput {
16 |     public static void write(String path, List<ResultInfo> results) {
17 |         try {
18 |             Set<ResultInfo> newResults = new LinkedHashSet<>(results);
19 |             Log.info("total results: " + newResults.size());
20 |             List<RenderData> rd = new ArrayList<>();
21 |             for (ResultInfo r : newResults) {
22 |                 RenderData d = new RenderData();
23 |                 d.setType(r.getType());
24 |                 d.setCategory(r.getVulName());
25 |                 StringBuilder sb = new StringBuilder();
26 |                 for (String c : r.getChains()) {
27 |                     sb.append(c);
28 |                     sb.append("<br>");
29 |                 }
30 |                 String detail = sb.toString();
31 |                 d.setDetails(detail.substring(0, detail.length() - 4));
32 |                 rd.add(d);
33 |             }
34 |             Render.renderHtml(Paths.get(path), rd);
35 |         } catch (Exception ignored) {
36 |         }
37 |     }
38 | }
39 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/form/AuthorForm.form:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <form xmlns="http://www.intellij.com/uidesigner/form/" version="1" bind-to-class="code.inspector.form.AuthorForm">
 3 |   <grid id="27dc6" binding="authorPanel" layout-manager="GridLayoutManager" row-count="2" column-count="2" same-size-horizontally="false" same-size-vertically="false" hgap="-1" vgap="-1">
 4 |     <margin top="0" left="0" bottom="0" right="0"/>
 5 |     <constraints>
 6 |       <xy x="20" y="20" width="278" height="83"/>
 7 |     </constraints>
 8 |     <properties/>
 9 |     <border type="none" title=""/>
10 |     <children>
11 |       <component id="34e67" class="javax.swing.JTextField" binding="github">
12 |         <constraints>
13 |           <grid row="1" column="1" row-span="1" col-span="1" vsize-policy="0" hsize-policy="6" anchor="8" fill="1" indent="1" use-parent-layout="false">
14 |             <minimum-size width="200" height="-1"/>
15 |             <preferred-size width="150" height="-1"/>
16 |           </grid>
17 |         </constraints>
18 |         <properties>
19 |           <editable value="false"/>
20 |           <text value="https://github.com/4ra1n"/>
21 |         </properties>
22 |       </component>
23 |       <component id="91a49" class="javax.swing.JLabel" binding="nameLabel">
24 |         <constraints>
25 |           <grid row="0" column="1" row-span="1" col-span="1" vsize-policy="0" hsize-policy="0" anchor="8" fill="0" indent="1" use-parent-layout="false"/>
26 |         </constraints>
27 |         <properties>
28 |           <text value="4ra1n"/>
29 |         </properties>
30 |       </component>
31 |       <component id="5f616" class="javax.swing.JLabel" binding="name">
32 |         <constraints>
33 |           <grid row="0" column="0" row-span="1" col-span="1" vsize-policy="0" hsize-policy="0" anchor="8" fill="0" indent="1" use-parent-layout="false"/>
34 |         </constraints>
35 |         <properties>
36 |           <text value="Name"/>
37 |         </properties>
38 |       </component>
39 |       <component id="69f1c" class="javax.swing.JLabel" binding="githubLabel">
40 |         <constraints>
41 |           <grid row="1" column="0" row-span="1" col-span="1" vsize-policy="0" hsize-policy="0" anchor="8" fill="0" indent="1" use-parent-layout="false"/>
42 |         </constraints>
43 |         <properties>
44 |           <text value="Github"/>
45 |         </properties>
46 |       </component>
47 |     </children>
48 |   </grid>
49 | </form>
50 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/form/AuthorForm.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.form;
 2 | 
 3 | import com.intellij.uiDesigner.core.GridConstraints;
 4 | import com.intellij.uiDesigner.core.GridLayoutManager;
 5 | 
 6 | import javax.swing.*;
 7 | import javax.swing.border.TitledBorder;
 8 | import java.awt.*;
 9 | 
10 | public class AuthorForm {
11 |     public JPanel authorPanel;
12 |     private JTextField github;
13 |     private JLabel nameLabel;
14 |     private JLabel name;
15 |     private JLabel githubLabel;
16 | 
17 |     {
18 | // GUI initializer generated by IntelliJ IDEA GUI Designer
19 | // >>> IMPORTANT!! <<<
20 | // DO NOT EDIT OR ADD ANY CODE HERE!
21 |         $$$setupUI$$$();
22 |     }
23 | 
24 |     /**
25 |      * Method generated by IntelliJ IDEA GUI Designer
26 |      * >>> IMPORTANT!! <<<
27 |      * DO NOT edit this method OR call it in your code!
28 |      *
29 |      * @noinspection ALL
30 |      */
31 |     private void $$$setupUI$$$() {
32 |         authorPanel = new JPanel();
33 |         authorPanel.setLayout(new GridLayoutManager(2, 2, new Insets(0, 0, 0, 0), -1, -1));
34 |         authorPanel.setBorder(BorderFactory.createTitledBorder(null, "", TitledBorder.DEFAULT_JUSTIFICATION, TitledBorder.DEFAULT_POSITION, null, null));
35 |         github = new JTextField();
36 |         github.setEditable(false);
37 |         github.setText("https://github.com/4ra1n");
38 |         authorPanel.add(github, new GridConstraints(1, 1, 1, 1, GridConstraints.ANCHOR_WEST, GridConstraints.FILL_HORIZONTAL, GridConstraints.SIZEPOLICY_WANT_GROW, GridConstraints.SIZEPOLICY_FIXED, new Dimension(200, -1), new Dimension(150, -1), null, 1, false));
39 |         nameLabel = new JLabel();
40 |         nameLabel.setText("4ra1n");
41 |         authorPanel.add(nameLabel, new GridConstraints(0, 1, 1, 1, GridConstraints.ANCHOR_WEST, GridConstraints.FILL_NONE, GridConstraints.SIZEPOLICY_FIXED, GridConstraints.SIZEPOLICY_FIXED, null, null, null, 1, false));
42 |         name = new JLabel();
43 |         name.setText("Name");
44 |         authorPanel.add(name, new GridConstraints(0, 0, 1, 1, GridConstraints.ANCHOR_WEST, GridConstraints.FILL_NONE, GridConstraints.SIZEPOLICY_FIXED, GridConstraints.SIZEPOLICY_FIXED, null, null, null, 1, false));
45 |         githubLabel = new JLabel();
46 |         githubLabel.setText("Github");
47 |         authorPanel.add(githubLabel, new GridConstraints(1, 0, 1, 1, GridConstraints.ANCHOR_WEST, GridConstraints.FILL_NONE, GridConstraints.SIZEPOLICY_FIXED, GridConstraints.SIZEPOLICY_FIXED, null, null, null, 1, false));
48 |     }
49 | 
50 |     /**
51 |      * @noinspection ALL
52 |      */
53 |     public JComponent $$$getRootComponent$$$() {
54 |         return authorPanel;
55 |     }
56 | 
57 | }
58 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/form/Graphviz.form:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <form xmlns="http://www.intellij.com/uidesigner/form/" version="1" bind-to-class="code.inspector.form.Graphviz">
 3 |   <grid id="27dc6" binding="graphvizPanel" layout-manager="GridLayoutManager" row-count="1" column-count="1" same-size-horizontally="false" same-size-vertically="false" hgap="-1" vgap="-1">
 4 |     <margin top="0" left="0" bottom="0" right="0"/>
 5 |     <constraints>
 6 |       <xy x="20" y="20" width="500" height="400"/>
 7 |     </constraints>
 8 |     <properties/>
 9 |     <border type="none"/>
10 |     <children>
11 |       <component id="2b296" class="javax.swing.JLabel" binding="label">
12 |         <constraints>
13 |           <grid row="0" column="0" row-span="1" col-span="1" vsize-policy="0" hsize-policy="0" anchor="8" fill="0" indent="0" use-parent-layout="false"/>
14 |         </constraints>
15 |         <properties>
16 |           <text value=""/>
17 |         </properties>
18 |       </component>
19 |     </children>
20 |   </grid>
21 | </form>
22 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/form/Graphviz.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.form;
 2 | 
 3 | import com.intellij.uiDesigner.core.GridConstraints;
 4 | import com.intellij.uiDesigner.core.GridLayoutManager;
 5 | 
 6 | import javax.swing.*;
 7 | import java.awt.*;
 8 | import java.awt.image.BufferedImage;
 9 | 
10 | public class Graphviz {
11 |     public JPanel graphvizPanel;
12 |     public JLabel label;
13 | 
14 |     public Graphviz(BufferedImage wPic) {
15 |         label.setIcon(new ImageIcon(wPic));
16 |     }
17 | 
18 |     {
19 | // GUI initializer generated by IntelliJ IDEA GUI Designer
20 | // >>> IMPORTANT!! <<<
21 | // DO NOT EDIT OR ADD ANY CODE HERE!
22 |         $$$setupUI$$$();
23 |     }
24 | 
25 |     /**
26 |      * Method generated by IntelliJ IDEA GUI Designer
27 |      * >>> IMPORTANT!! <<<
28 |      * DO NOT edit this method OR call it in your code!
29 |      *
30 |      * @noinspection ALL
31 |      */
32 |     private void $$$setupUI$$$() {
33 |         graphvizPanel = new JPanel();
34 |         graphvizPanel.setLayout(new GridLayoutManager(1, 1, new Insets(0, 0, 0, 0), -1, -1));
35 |         label = new JLabel();
36 |         label.setText("");
37 |         graphvizPanel.add(label, new GridConstraints(0, 0, 1, 1, GridConstraints.ANCHOR_WEST, GridConstraints.FILL_NONE, GridConstraints.SIZEPOLICY_FIXED, GridConstraints.SIZEPOLICY_FIXED, null, null, null, 0, false));
38 |     }
39 | 
40 |     /**
41 |      * @noinspection ALL
42 |      */
43 |     public JComponent $$$getRootComponent$$$() {
44 |         return graphvizPanel;
45 |     }
46 | 
47 | }
48 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/form/HowThisWork.form:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <form xmlns="http://www.intellij.com/uidesigner/form/" version="1" bind-to-class="code.inspector.form.HowThisWork">
 3 |   <grid id="27dc6" binding="workPanel" layout-manager="GridLayoutManager" row-count="9" column-count="1" same-size-horizontally="false" same-size-vertically="false" hgap="-1" vgap="-1">
 4 |     <margin top="0" left="0" bottom="0" right="0"/>
 5 |     <constraints>
 6 |       <xy x="20" y="20" width="500" height="400"/>
 7 |     </constraints>
 8 |     <properties/>
 9 |     <border type="none" title="steps"/>
10 |     <children>
11 |       <component id="7256f" class="javax.swing.JLabel" binding="firstLabel">
12 |         <constraints>
13 |           <grid row="0" column="0" row-span="1" col-span="1" vsize-policy="0" hsize-policy="0" anchor="8" fill="0" indent="1" use-parent-layout="false"/>
14 |         </constraints>
15 |         <properties>
16 |           <text value="1. unzip jar and parse class files"/>
17 |         </properties>
18 |       </component>
19 |       <component id="8364d" class="javax.swing.JLabel" binding="secondLabel">
20 |         <constraints>
21 |           <grid row="1" column="0" row-span="1" col-span="1" vsize-policy="0" hsize-policy="0" anchor="8" fill="0" indent="1" use-parent-layout="false"/>
22 |         </constraints>
23 |         <properties>
24 |           <text value="2. discover all classes and metdhos"/>
25 |         </properties>
26 |       </component>
27 |       <component id="2a745" class="javax.swing.JLabel" binding="thirdLabel">
28 |         <constraints>
29 |           <grid row="2" column="0" row-span="1" col-span="1" vsize-policy="0" hsize-policy="0" anchor="8" fill="0" indent="1" use-parent-layout="false"/>
30 |         </constraints>
31 |         <properties>
32 |           <text value="3. build inheritance between classes"/>
33 |         </properties>
34 |       </component>
35 |       <component id="9bf4b" class="javax.swing.JLabel" binding="fourthLabel">
36 |         <constraints>
37 |           <grid row="3" column="0" row-span="1" col-span="1" vsize-policy="0" hsize-policy="0" anchor="8" fill="0" indent="1" use-parent-layout="false"/>
38 |         </constraints>
39 |         <properties>
40 |           <text value="4. find all method call in each methods"/>
41 |         </properties>
42 |       </component>
43 |       <component id="a5509" class="javax.swing.JLabel" binding="fifthLabel">
44 |         <constraints>
45 |           <grid row="4" column="0" row-span="1" col-span="1" vsize-policy="0" hsize-policy="0" anchor="8" fill="0" indent="1" use-parent-layout="false"/>
46 |         </constraints>
47 |         <properties>
48 |           <text value="5. topological sort methods"/>
49 |         </properties>
50 |       </component>
51 |       <component id="6e6e1" class="javax.swing.JLabel" binding="sixthLabel">
52 |         <constraints>
53 |           <grid row="5" column="0" row-span="1" col-span="1" vsize-policy="0" hsize-policy="0" anchor="8" fill="0" indent="1" use-parent-layout="false"/>
54 |         </constraints>
55 |         <properties>
56 |           <text value="6. get args taint between method calls"/>
57 |         </properties>
58 |       </component>
59 |       <component id="75a43" class="javax.swing.JLabel" binding="seventhLabel">
60 |         <constraints>
61 |           <grid row="6" column="0" row-span="1" col-span="1" vsize-policy="0" hsize-policy="0" anchor="8" fill="0" indent="1" use-parent-layout="false"/>
62 |         </constraints>
63 |         <properties>
64 |           <text value="7. parse spring mapping and set it to the source   "/>
65 |         </properties>
66 |       </component>
67 |       <component id="c44f4" class="javax.swing.JLabel" binding="eighthLabel">
68 |         <constraints>
69 |           <grid row="7" column="0" row-span="1" col-span="1" vsize-policy="0" hsize-policy="0" anchor="8" fill="0" indent="1" use-parent-layout="false"/>
70 |         </constraints>
71 |         <properties>
72 |           <text value="8. start vulnerability scan (some modules)"/>
73 |         </properties>
74 |       </component>
75 |       <component id="3b09" class="javax.swing.JLabel" binding="ninthLabel">
76 |         <constraints>
77 |           <grid row="8" column="0" row-span="1" col-span="1" vsize-policy="0" hsize-policy="0" anchor="8" fill="0" indent="1" use-parent-layout="false"/>
78 |         </constraints>
79 |         <properties>
80 |           <text value="9. simulate jvm stack frame for taint analysis"/>
81 |         </properties>
82 |       </component>
83 |     </children>
84 |   </grid>
85 | </form>
86 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/form/HowThisWork.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.form;
 2 | 
 3 | import com.intellij.uiDesigner.core.GridConstraints;
 4 | import com.intellij.uiDesigner.core.GridLayoutManager;
 5 | 
 6 | import javax.swing.*;
 7 | import javax.swing.border.TitledBorder;
 8 | import java.awt.*;
 9 | 
10 | public class HowThisWork {
11 |     public JPanel workPanel;
12 |     private JLabel firstLabel;
13 |     private JLabel secondLabel;
14 |     private JLabel thirdLabel;
15 |     private JLabel fourthLabel;
16 |     private JLabel fifthLabel;
17 |     private JLabel sixthLabel;
18 |     private JLabel seventhLabel;
19 |     private JLabel eighthLabel;
20 |     private JLabel ninthLabel;
21 | 
22 |     {
23 | // GUI initializer generated by IntelliJ IDEA GUI Designer
24 | // >>> IMPORTANT!! <<<
25 | // DO NOT EDIT OR ADD ANY CODE HERE!
26 |         $$$setupUI$$$();
27 |     }
28 | 
29 |     /**
30 |      * Method generated by IntelliJ IDEA GUI Designer
31 |      * >>> IMPORTANT!! <<<
32 |      * DO NOT edit this method OR call it in your code!
33 |      *
34 |      * @noinspection ALL
35 |      */
36 |     private void $$$setupUI$$$() {
37 |         workPanel = new JPanel();
38 |         workPanel.setLayout(new GridLayoutManager(9, 1, new Insets(0, 0, 0, 0), -1, -1));
39 |         workPanel.setBorder(BorderFactory.createTitledBorder(null, "steps", TitledBorder.DEFAULT_JUSTIFICATION, TitledBorder.DEFAULT_POSITION, null, null));
40 |         firstLabel = new JLabel();
41 |         firstLabel.setText("1. unzip jar and parse class files");
42 |         workPanel.add(firstLabel, new GridConstraints(0, 0, 1, 1, GridConstraints.ANCHOR_WEST, GridConstraints.FILL_NONE, GridConstraints.SIZEPOLICY_FIXED, GridConstraints.SIZEPOLICY_FIXED, null, null, null, 1, false));
43 |         secondLabel = new JLabel();
44 |         secondLabel.setText("2. discover all classes and metdhos");
45 |         workPanel.add(secondLabel, new GridConstraints(1, 0, 1, 1, GridConstraints.ANCHOR_WEST, GridConstraints.FILL_NONE, GridConstraints.SIZEPOLICY_FIXED, GridConstraints.SIZEPOLICY_FIXED, null, null, null, 1, false));
46 |         thirdLabel = new JLabel();
47 |         thirdLabel.setText("3. build inheritance between classes");
48 |         workPanel.add(thirdLabel, new GridConstraints(2, 0, 1, 1, GridConstraints.ANCHOR_WEST, GridConstraints.FILL_NONE, GridConstraints.SIZEPOLICY_FIXED, GridConstraints.SIZEPOLICY_FIXED, null, null, null, 1, false));
49 |         fourthLabel = new JLabel();
50 |         fourthLabel.setText("4. find all method call in each methods");
51 |         workPanel.add(fourthLabel, new GridConstraints(3, 0, 1, 1, GridConstraints.ANCHOR_WEST, GridConstraints.FILL_NONE, GridConstraints.SIZEPOLICY_FIXED, GridConstraints.SIZEPOLICY_FIXED, null, null, null, 1, false));
52 |         fifthLabel = new JLabel();
53 |         fifthLabel.setText("5. topological sort methods");
54 |         workPanel.add(fifthLabel, new GridConstraints(4, 0, 1, 1, GridConstraints.ANCHOR_WEST, GridConstraints.FILL_NONE, GridConstraints.SIZEPOLICY_FIXED, GridConstraints.SIZEPOLICY_FIXED, null, null, null, 1, false));
55 |         sixthLabel = new JLabel();
56 |         sixthLabel.setText("6. get args taint between method calls");
57 |         workPanel.add(sixthLabel, new GridConstraints(5, 0, 1, 1, GridConstraints.ANCHOR_WEST, GridConstraints.FILL_NONE, GridConstraints.SIZEPOLICY_FIXED, GridConstraints.SIZEPOLICY_FIXED, null, null, null, 1, false));
58 |         seventhLabel = new JLabel();
59 |         seventhLabel.setText("7. parse spring mapping and set it to the source   ");
60 |         workPanel.add(seventhLabel, new GridConstraints(6, 0, 1, 1, GridConstraints.ANCHOR_WEST, GridConstraints.FILL_NONE, GridConstraints.SIZEPOLICY_FIXED, GridConstraints.SIZEPOLICY_FIXED, null, null, null, 1, false));
61 |         eighthLabel = new JLabel();
62 |         eighthLabel.setText("8. start vulnerability scan (some modules)");
63 |         workPanel.add(eighthLabel, new GridConstraints(7, 0, 1, 1, GridConstraints.ANCHOR_WEST, GridConstraints.FILL_NONE, GridConstraints.SIZEPOLICY_FIXED, GridConstraints.SIZEPOLICY_FIXED, null, null, null, 1, false));
64 |         ninthLabel = new JLabel();
65 |         ninthLabel.setText("9. simulate jvm stack frame for taint analysis");
66 |         workPanel.add(ninthLabel, new GridConstraints(8, 0, 1, 1, GridConstraints.ANCHOR_WEST, GridConstraints.FILL_NONE, GridConstraints.SIZEPOLICY_FIXED, GridConstraints.SIZEPOLICY_FIXED, null, null, null, 1, false));
67 |     }
68 | 
69 |     /**
70 |      * @noinspection ALL
71 |      */
72 |     public JComponent $$$getRootComponent$$$() {
73 |         return workPanel;
74 |     }
75 | 
76 | }
77 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/form/module/RedirectModule.form:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <form xmlns="http://www.intellij.com/uidesigner/form/" version="1" bind-to-class="code.inspector.form.module.RedirectModule">
 3 |   <grid id="27dc6" binding="parentPanel" layout-manager="GridLayoutManager" row-count="4" column-count="2" same-size-horizontally="false" same-size-vertically="false" hgap="-1" vgap="-1">
 4 |     <margin top="0" left="0" bottom="0" right="0"/>
 5 |     <constraints>
 6 |       <xy x="20" y="20" width="590" height="400"/>
 7 |     </constraints>
 8 |     <properties/>
 9 |     <border type="none" title="Redirect Module"/>
10 |     <children>
11 |       <component id="28cd6" class="javax.swing.JCheckBox" binding="sendRedirectCheckBox">
12 |         <constraints>
13 |           <grid row="0" column="0" row-span="1" col-span="1" vsize-policy="0" hsize-policy="3" anchor="8" fill="0" indent="1" use-parent-layout="false"/>
14 |         </constraints>
15 |         <properties>
16 |           <text value="servlet send redirect"/>
17 |         </properties>
18 |       </component>
19 |       <component id="92dc7" class="javax.swing.JTextArea" binding="sendRedirectArea">
20 |         <constraints>
21 |           <grid row="0" column="1" row-span="1" col-span="1" vsize-policy="6" hsize-policy="6" anchor="0" fill="3" indent="0" use-parent-layout="false">
22 |             <preferred-size width="150" height="50"/>
23 |           </grid>
24 |         </constraints>
25 |         <properties>
26 |           <editable value="false"/>
27 |           <font name="Consolas" size="12"/>
28 |           <foreground color="-9097"/>
29 |           <text value="@RequestMapping(&quot;/redirect&quot;)&#10;public void redirect1(HttpServletRequest request,&#10;                      HttpServletResponse response) {&#10;    String newUrl = request.getParameter(&quot;input&quot;);&#10;    response.sendRedirect(newUrl);&#10;}&#10;"/>
30 |         </properties>
31 |       </component>
32 |       <component id="6d0b1" class="javax.swing.JCheckBox" binding="stringRedirectCheckBox">
33 |         <constraints>
34 |           <grid row="1" column="0" row-span="1" col-span="1" vsize-policy="0" hsize-policy="3" anchor="8" fill="0" indent="1" use-parent-layout="false"/>
35 |         </constraints>
36 |         <properties>
37 |           <text value="return string redirect"/>
38 |         </properties>
39 |       </component>
40 |       <component id="89ae3" class="javax.swing.JTextArea" binding="returnStringArea">
41 |         <constraints>
42 |           <grid row="1" column="1" row-span="1" col-span="1" vsize-policy="6" hsize-policy="6" anchor="0" fill="3" indent="0" use-parent-layout="false">
43 |             <preferred-size width="150" height="50"/>
44 |           </grid>
45 |         </constraints>
46 |         <properties>
47 |           <editable value="false"/>
48 |           <font name="Consolas" size="12"/>
49 |           <foreground color="-9097"/>
50 |           <text value="@RequestMapping(&quot;/redirect&quot;)&#10;public String redirect(String input) {&#10;    String redirect = &quot;redirect://&quot; + input;&#10;    return redirect;&#10;}"/>
51 |         </properties>
52 |       </component>
53 |       <component id="2a514" class="javax.swing.JCheckBox" binding="mavRedirectCheckBox">
54 |         <constraints>
55 |           <grid row="2" column="0" row-span="1" col-span="1" vsize-policy="0" hsize-policy="3" anchor="8" fill="0" indent="1" use-parent-layout="false"/>
56 |         </constraints>
57 |         <properties>
58 |           <text value="model and view redirect"/>
59 |         </properties>
60 |       </component>
61 |       <component id="afbfb" class="javax.swing.JTextArea" binding="mavArea">
62 |         <constraints>
63 |           <grid row="2" column="1" row-span="1" col-span="1" vsize-policy="6" hsize-policy="6" anchor="0" fill="3" indent="0" use-parent-layout="false">
64 |             <preferred-size width="150" height="50"/>
65 |           </grid>
66 |         </constraints>
67 |         <properties>
68 |           <editable value="false"/>
69 |           <font name="Consolas" size="12"/>
70 |           <foreground color="-9097"/>
71 |           <text value="@RequestMapping(&quot;/redirect&quot;)&#10;public ModelAndView redirect(String input) {&#10;    String redirect = &quot;redirect://&quot; + input;&#10;    return new ModelAndView(redirect);&#10;}"/>
72 |         </properties>
73 |       </component>
74 |       <component id="157ac" class="javax.swing.JButton" binding="saveConfigButton" default-binding="true">
75 |         <constraints>
76 |           <grid row="3" column="0" row-span="1" col-span="2" vsize-policy="0" hsize-policy="3" anchor="0" fill="1" indent="0" use-parent-layout="false"/>
77 |         </constraints>
78 |         <properties>
79 |           <text value="Save Config"/>
80 |         </properties>
81 |       </component>
82 |     </children>
83 |   </grid>
84 | </form>
85 | 


--------------------------------------------------------------------------------
/code-inspector-core/src/main/java/code/inspector/log/Log.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.log;
 2 | 
 3 | import code.inspector.form.CodeInspector;
 4 | 
 5 | import javax.swing.*;
 6 | import java.text.SimpleDateFormat;
 7 | import java.util.Date;
 8 | 
 9 | @SuppressWarnings("unused")
10 | public class Log {
11 |     public static void info(String info) {
12 |         if (CodeInspector.instance == null) {
13 |             return;
14 |         }
15 |         info(CodeInspector.instance.getLogArea(), info);
16 |     }
17 | 
18 |     public static void warn(String info) {
19 |         if (CodeInspector.instance == null) {
20 |             return;
21 |         }
22 |         warn(CodeInspector.instance.getLogArea(), info);
23 |     }
24 | 
25 |     public static void error(String info) {
26 |         if (CodeInspector.instance == null) {
27 |             return;
28 |         }
29 |         info(CodeInspector.instance.getLogArea(), info);
30 |     }
31 | 
32 |     private static String getDate() {
33 |         SimpleDateFormat sdf = new SimpleDateFormat();
34 |         sdf.applyPattern("HH:mm:ss");
35 |         Date date = new Date();
36 |         return sdf.format(date);
37 |     }
38 | 
39 |     private static void info(JTextArea area, String info) {
40 |         if (area == null) {
41 |             return;
42 |         }
43 |         area.append(String.format("[info] [%s] %s\n", getDate(), info));
44 |         area.setCaretPosition(area.getDocument().getLength());
45 |     }
46 | 
47 |     private static void warn(JTextArea area, String info) {
48 |         if (area == null) {
49 |             return;
50 |         }
51 |         area.append(String.format("[warn] [%s] %s\n", getDate(), info));
52 |         area.setCaretPosition(area.getDocument().getLength());
53 |     }
54 | 
55 |     private static void error(JTextArea area, String info) {
56 |         if (area == null) {
57 |             return;
58 |         }
59 |         area.append(String.format("[error] [%s] %s\n", getDate(), info));
60 |         area.setCaretPosition(area.getDocument().getLength());
61 |     }
62 | }


--------------------------------------------------------------------------------
/code-inspector-demo/README.md:
--------------------------------------------------------------------------------
1 | # code-inspector-demo
2 | 
3 | 这是一个由SpringBoot编写的靶机，请不要直接运行，因为各种配置原因只能打包jar用来测试，并不能直接跑起来


--------------------------------------------------------------------------------
/code-inspector-demo/pom.xml:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="UTF-8"?>
  2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
  3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  5 |     <parent>
  6 |         <groupId>org.springframework.boot</groupId>
  7 |         <artifactId>spring-boot-starter-parent</artifactId>
  8 |         <version>2.5.5</version>
  9 |         <relativePath/>
 10 |     </parent>
 11 |     <modelVersion>4.0.0</modelVersion>
 12 | 
 13 |     <groupId>n1ar4</groupId>
 14 |     <artifactId>code-inspector-demo</artifactId>
 15 |     <version>0.2-beta</version>
 16 |     <properties>
 17 |         <java.version>1.8</java.version>
 18 |     </properties>
 19 | 
 20 |     <dependencies>
 21 |         <dependency>
 22 |             <groupId>com.alibaba</groupId>
 23 |             <artifactId>hessian-lite</artifactId>
 24 |             <version>3.2.13</version>
 25 |         </dependency>
 26 |         <dependency>
 27 |             <groupId>org.yaml</groupId>
 28 |             <artifactId>snakeyaml</artifactId>
 29 |             <version>1.33</version>
 30 |         </dependency>
 31 |         <dependency>
 32 |             <groupId>com.alibaba</groupId>
 33 |             <artifactId>fastjson</artifactId>
 34 |             <version>1.2.47</version>
 35 |         </dependency>
 36 |         <dependency>
 37 |             <groupId>mysql</groupId>
 38 |             <artifactId>mysql-connector-java</artifactId>
 39 |         </dependency>
 40 |         <dependency>
 41 |             <groupId>org.springframework.boot</groupId>
 42 |             <artifactId>spring-boot-starter-jdbc</artifactId>
 43 |         </dependency>
 44 |         <dependency>
 45 |             <groupId>org.springframework.boot</groupId>
 46 |             <artifactId>spring-boot-starter-thymeleaf</artifactId>
 47 |         </dependency>
 48 |         <dependency>
 49 |             <groupId>com.squareup.okhttp3</groupId>
 50 |             <artifactId>okhttp</artifactId>
 51 |             <version>4.9.2</version>
 52 |         </dependency>
 53 |         <dependency>
 54 |             <groupId>org.apache.httpcomponents</groupId>
 55 |             <artifactId>httpclient</artifactId>
 56 |             <version>4.5.2</version>
 57 |         </dependency>
 58 |         <dependency>
 59 |             <groupId>commons-httpclient</groupId>
 60 |             <artifactId>commons-httpclient</artifactId>
 61 |             <version>3.1</version>
 62 |         </dependency>
 63 |         <dependency>
 64 |             <groupId>commons-lang</groupId>
 65 |             <artifactId>commons-lang</artifactId>
 66 |             <version>2.6</version>
 67 |         </dependency>
 68 |         <dependency>
 69 |             <groupId>org.springframework.boot</groupId>
 70 |             <artifactId>spring-boot-starter-web</artifactId>
 71 |         </dependency>
 72 |         <dependency>
 73 |             <groupId>org.springframework.boot</groupId>
 74 |             <artifactId>spring-boot-starter-test</artifactId>
 75 |             <scope>test</scope>
 76 |         </dependency>
 77 |         <dependency>
 78 |             <groupId>org.jdom</groupId>
 79 |             <artifactId>jdom2</artifactId>
 80 |             <version>2.0.6</version>
 81 |         </dependency>
 82 |         <dependency>
 83 |             <groupId>org.codehaus.groovy</groupId>
 84 |             <artifactId>groovy</artifactId>
 85 |             <version>3.0.9</version>
 86 |         </dependency>
 87 |     </dependencies>
 88 | 
 89 |     <repositories>
 90 |         <repository>
 91 |             <id>central</id>
 92 |             <name>ali maven</name>
 93 |             <url>https://maven.aliyun.com/repository/public/</url>
 94 |             <layout>default</layout>
 95 |             <releases>
 96 |                 <enabled>true</enabled>
 97 |             </releases>
 98 |             <snapshots>
 99 |                 <enabled>false</enabled>
100 |             </snapshots>
101 |         </repository>
102 |     </repositories>
103 | 
104 |     <build>
105 |         <plugins>
106 |             <plugin>
107 |                 <groupId>org.springframework.boot</groupId>
108 |                 <artifactId>spring-boot-maven-plugin</artifactId>
109 |                 <configuration>
110 |                     <outputDirectory>../bin</outputDirectory>
111 |                 </configuration>
112 |             </plugin>
113 |         </plugins>
114 |     </build>
115 | 
116 | </project>


--------------------------------------------------------------------------------
/code-inspector-demo/src/main/java/code/inspector/demo/DemoApplication.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.demo;
 2 | 
 3 | import org.springframework.boot.SpringApplication;
 4 | import org.springframework.boot.autoconfigure.SpringBootApplication;
 5 | 
 6 | @SpringBootApplication
 7 | public class DemoApplication {
 8 | 
 9 |     public static void main(String[] args) {
10 |         SpringApplication.run(DemoApplication.class, args);
11 |     }
12 | }
13 | 


--------------------------------------------------------------------------------
/code-inspector-demo/src/main/java/code/inspector/demo/dao/SQLIDao.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.demo.dao;
 2 | 
 3 | import code.inspector.demo.model.User;
 4 | 
 5 | import java.util.List;
 6 | 
 7 | public interface SQLIDao {
 8 |     String addUser(String name, int age);
 9 | 
10 |     List<User> selectUser(String name);
11 | }
12 | 


--------------------------------------------------------------------------------
/code-inspector-demo/src/main/java/code/inspector/demo/dao/impl/SQLIDaoImpl.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.demo.dao.impl;
 2 | 
 3 | import code.inspector.demo.dao.SQLIDao;
 4 | import code.inspector.demo.model.User;
 5 | import org.springframework.jdbc.core.BeanPropertyRowMapper;
 6 | import org.springframework.jdbc.core.JdbcTemplate;
 7 | import org.springframework.stereotype.Repository;
 8 | 
 9 | import java.sql.Connection;
10 | import java.sql.DriverManager;
11 | import java.sql.Statement;
12 | import java.util.List;
13 | 
14 | @Repository
15 | public class SQLIDaoImpl implements SQLIDao {
16 |     private final JdbcTemplate jdbcTemplate;
17 | 
18 |     public SQLIDaoImpl(JdbcTemplate jdbcTemplate) {
19 |         this.jdbcTemplate = jdbcTemplate;
20 |     }
21 | 
22 |     @Override
23 |     public String addUser(String name, int age) {
24 |         try {
25 |             Connection conn = DriverManager.getConnection("", "", "");
26 |             Statement stmt = conn.createStatement();
27 |             stmt.executeQuery("select * from t_user where name=\"" + name + "\"");
28 |             stmt.execute("select * from t_user where name=\"" + name + "\"");
29 |             stmt.executeUpdate("select * from t_user where name=\"" + name + "\"");
30 |         } catch (Exception e) {
31 |             e.printStackTrace();
32 |         }
33 |         return "success";
34 |     }
35 | 
36 |     @Override
37 |     public List<User> selectUser(String name) {
38 |         List<User> users = jdbcTemplate.query("select * from t_user where name=\"" + name + "\"",
39 |                 new BeanPropertyRowMapper(User.class));
40 |         return users;
41 |     }
42 | }
43 | 


--------------------------------------------------------------------------------
/code-inspector-demo/src/main/java/code/inspector/demo/model/Message.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.demo.model;
 2 | 
 3 | public class Message {
 4 |     private int id;
 5 |     private String data;
 6 | 
 7 |     public int getId() {
 8 |         return id;
 9 |     }
10 | 
11 |     public void setId(int id) {
12 |         this.id = id;
13 |     }
14 | 
15 |     public String getData() {
16 |         return data;
17 |     }
18 | 
19 |     public void setData(String data) {
20 |         this.data = data;
21 |     }
22 | }
23 | 


--------------------------------------------------------------------------------
/code-inspector-demo/src/main/java/code/inspector/demo/model/Obj.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.demo.model;
 2 | 
 3 | public class Obj {
 4 |     private String cmd;
 5 |     private String data;
 6 | 
 7 |     public String getCmd() {
 8 |         return cmd;
 9 |     }
10 | 
11 |     public void setCmd(String cmd) {
12 |         this.cmd = cmd;
13 |     }
14 | 
15 |     public String getData() {
16 |         return data;
17 |     }
18 | 
19 |     public void setData(String data) {
20 |         this.data = data;
21 |     }
22 | }
23 | 


--------------------------------------------------------------------------------
/code-inspector-demo/src/main/java/code/inspector/demo/model/User.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.demo.model;
 2 | 
 3 | public class User {
 4 |     private int id;
 5 |     private String name;
 6 |     private int age;
 7 | 
 8 |     public int getId() {
 9 |         return id;
10 |     }
11 | 
12 |     public void setId(int id) {
13 |         this.id = id;
14 |     }
15 | 
16 |     public String getName() {
17 |         return name;
18 |     }
19 | 
20 |     public void setName(String name) {
21 |         this.name = name;
22 |     }
23 | 
24 |     public int getAge() {
25 |         return age;
26 |     }
27 | 
28 |     public void setAge(int age) {
29 |         this.age = age;
30 |     }
31 | }
32 | 


--------------------------------------------------------------------------------
/code-inspector-demo/src/main/java/code/inspector/demo/service/DOSService.java:
--------------------------------------------------------------------------------
1 | package code.inspector.demo.service;
2 | 
3 | public interface DOSService {
4 |     String dos1(String a,String b);
5 |     String dos2(int a);
6 |     String dos3(int a);
7 |     String dos4(int a);
8 | }
9 | 


--------------------------------------------------------------------------------
/code-inspector-demo/src/main/java/code/inspector/demo/service/DesService.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.demo.service;
 2 | 
 3 | import code.inspector.demo.model.Obj;
 4 | 
 5 | public interface DesService {
 6 |     String jdk(Obj obj);
 7 |     String fastjson(Obj obj);
 8 |     String yaml(Obj obj);
 9 |     String jackson(Obj obj);
10 |     String hessian(Obj obj);
11 |     String xml(Obj obj);
12 | }
13 | 


--------------------------------------------------------------------------------
/code-inspector-demo/src/main/java/code/inspector/demo/service/RCEService.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.demo.service;
 2 | 
 3 | import code.inspector.demo.model.Obj;
 4 | 
 5 | public interface RCEService {
 6 |     String rce1(String data);
 7 |     String rce2(String data);
 8 |     String rce3(String data);
 9 |     String rce4(Obj obj);
10 |     String rce5(String data);
11 |     String rce6(String data);
12 | }
13 | 


--------------------------------------------------------------------------------
/code-inspector-demo/src/main/java/code/inspector/demo/service/SQLIService.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.demo.service;
 2 | 
 3 | import code.inspector.demo.model.User;
 4 | 
 5 | import java.util.List;
 6 | 
 7 | public interface SQLIService {
 8 |     String addUser(String name,int age);
 9 |     List<User> selectUser(String name);
10 | }
11 | 


--------------------------------------------------------------------------------
/code-inspector-demo/src/main/java/code/inspector/demo/service/SSRFService.java:
--------------------------------------------------------------------------------
1 | package code.inspector.demo.service;
2 | 
3 | public interface SSRFService {
4 |     String ssrf1(String data);
5 |     String ssrf2(String data);
6 |     String ssrf3(String host, int port);
7 |     String ssrf4(String url);
8 | }
9 | 


--------------------------------------------------------------------------------
/code-inspector-demo/src/main/java/code/inspector/demo/service/impl/DOSServiceImpl.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.demo.service.impl;
 2 | 
 3 | import code.inspector.demo.service.DOSService;
 4 | import org.springframework.stereotype.Service;
 5 | 
 6 | import java.util.ArrayList;
 7 | import java.util.HashMap;
 8 | import java.util.List;
 9 | import java.util.Map;
10 | import java.util.regex.Pattern;
11 | 
12 | @Service
13 | public class DOSServiceImpl implements DOSService {
14 |     @Override
15 |     public String dos1(String a, String b) {
16 |         try {
17 |             Pattern.matches(a, b);
18 |         } catch (Exception e) {
19 |             e.printStackTrace();
20 |         }
21 |         return "ok";
22 |     }
23 | 
24 |     @Override
25 |     public String dos2(int a) {
26 |         try {
27 |             byte[] test = new byte[a];
28 |         } catch (Exception e) {
29 |             e.printStackTrace();
30 |         }
31 |         return "ok";
32 |     }
33 | 
34 |     @Override
35 |     public String dos3(int a) {
36 |         try {
37 |             List<Object> list = new ArrayList<>(a);
38 |         } catch (Exception e) {
39 |             e.printStackTrace();
40 |         }
41 |         return "ok";
42 |     }
43 | 
44 |     @Override
45 |     public String dos4(int a) {
46 |         try {
47 |             for (int i = 0; i < a; i++) {
48 |                 System.out.println(a);
49 |             }
50 |         } catch (Exception e) {
51 |             e.printStackTrace();
52 |         }
53 |         return "ok";
54 |     }
55 | 
56 | }
57 | 


--------------------------------------------------------------------------------
/code-inspector-demo/src/main/java/code/inspector/demo/service/impl/DesServiceImpl.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.demo.service.impl;
 2 | 
 3 | import code.inspector.demo.model.Obj;
 4 | import code.inspector.demo.model.User;
 5 | import code.inspector.demo.service.DesService;
 6 | import com.alibaba.com.caucho.hessian.io.Hessian2Input;
 7 | import com.alibaba.fastjson.JSON;
 8 | import com.fasterxml.jackson.databind.ObjectMapper;
 9 | import org.springframework.stereotype.Service;
10 | import org.yaml.snakeyaml.Yaml;
11 | 
12 | import java.beans.XMLDecoder;
13 | import java.io.*;
14 | 
15 | @Service
16 | public class DesServiceImpl implements DesService {
17 |     @Override
18 |     public String jdk(Obj obj) {
19 |         try {
20 |             InputStream is = new ByteArrayInputStream(obj.getData().getBytes());
21 |             ObjectInputStream ois = new ObjectInputStream(is);
22 |             Object o = ois.readObject();
23 |             return o.toString();
24 |         } catch (Exception ex) {
25 |             ex.printStackTrace();
26 |         }
27 |         return "ok";
28 |     }
29 | 
30 |     @Override
31 |     public String fastjson(Obj obj) {
32 |         JSON.parse(obj.getData());
33 |         JSON.parseArray(obj.getData());
34 |         JSON.parseObject(obj.getData());
35 |         return "ok";
36 |     }
37 | 
38 |     @Override
39 |     public String yaml(Obj obj) {
40 |         Yaml yaml = new Yaml();
41 |         yaml.load(obj.getData());
42 |         return "ok";
43 |     }
44 | 
45 |     @Override
46 |     public String jackson(Obj obj) {
47 |         try {
48 |             ObjectMapper mapper = new ObjectMapper();
49 |             mapper.enableDefaultTyping();
50 |             mapper.readValue(obj.getData(), User.class);
51 |         } catch (Exception ex) {
52 |             ex.printStackTrace();
53 |         }
54 |         return "ok";
55 |     }
56 | 
57 |     @Override
58 |     public String hessian(Obj obj) {
59 |         try {
60 |             InputStream is = new ByteArrayInputStream(obj.getData().getBytes());
61 |             Hessian2Input in = new Hessian2Input(is);
62 |             Object o = in.readObject();
63 |             return o.toString();
64 |         } catch (Exception ex) {
65 |             ex.printStackTrace();
66 |         }
67 |         return "ok";
68 |     }
69 | 
70 |     @Override
71 |     public String xml(Obj obj) {
72 |         File file = new File(obj.getData());
73 |         FileInputStream fis = null;
74 |         try {
75 |             fis = new FileInputStream(file);
76 |         } catch (Exception e) {
77 |             e.printStackTrace();
78 |         }
79 |         BufferedInputStream bis = new BufferedInputStream(fis);
80 |         XMLDecoder xmlDecoder = new XMLDecoder(bis);
81 |         xmlDecoder.readObject();
82 |         xmlDecoder.close();
83 |         return "ok";
84 |     }
85 | }
86 | 


--------------------------------------------------------------------------------
/code-inspector-demo/src/main/java/code/inspector/demo/service/impl/RCEServiceImpl.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.demo.service.impl;
 2 | 
 3 | import code.inspector.demo.model.Obj;
 4 | import code.inspector.demo.service.RCEService;
 5 | import groovy.lang.GroovyShell;
 6 | import org.springframework.stereotype.Service;
 7 | 
 8 | import javax.naming.Context;
 9 | import javax.naming.InitialContext;
10 | 
11 | @Service
12 | public class RCEServiceImpl implements RCEService {
13 |     @Override
14 |     public String rce1(String data) {
15 |         try {
16 |             Runtime.getRuntime().exec(data);
17 |         } catch (Exception e) {
18 |             e.printStackTrace();
19 |         }
20 |         return "ok";
21 |     }
22 | 
23 |     @Override
24 |     public String rce2(String data) {
25 |         try {
26 |             new ProcessBuilder(data).start();
27 |         } catch (Exception e) {
28 |             e.printStackTrace();
29 |         }
30 |         return "ok";
31 |     }
32 | 
33 |     @Override
34 |     public String rce3(String data) {
35 |         try {
36 |             GroovyShell shell = new GroovyShell();
37 |             shell.evaluate(data);
38 |         } catch (Exception e) {
39 |             e.printStackTrace();
40 |         }
41 |         return "ok";
42 |     }
43 | 
44 |     @Override
45 |     public String rce4(Obj obj) {
46 |         try {
47 |             Runtime.getRuntime().exec(obj.getCmd());
48 |         } catch (Exception e) {
49 |             e.printStackTrace();
50 |         }
51 |         return "ok";
52 |     }
53 | 
54 |     @Override
55 |     public String rce5(String data) {
56 |         try{
57 |             Context context = new InitialContext();
58 |             context.lookup(data);
59 |         } catch (Exception ex){
60 |             ex.printStackTrace();
61 |         }
62 |         return "ok";
63 |     }
64 | 
65 |     @Override
66 |     public String rce6(String data) {
67 |         try{
68 |             Context context = new InitialContext();
69 |             Runtime runtime;
70 |             runtime = Runtime.getRuntime();
71 |             Process process = null;
72 |             if(runtime.equals("obj")){
73 |                 System.out.println(runtime);
74 |             }
75 |             String finalData = "ping "+data;
76 |             process = RCEUtil.exec(finalData);
77 |         } catch (Exception ex){
78 |             ex.printStackTrace();
79 |         }
80 |         return "ok";
81 |     }
82 | }
83 | 


--------------------------------------------------------------------------------
/code-inspector-demo/src/main/java/code/inspector/demo/service/impl/RCEUtil.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.demo.service.impl;
 2 | 
 3 | import java.io.IOException;
 4 | 
 5 | public class RCEUtil {
 6 |     public static Process  exec(String cmd){
 7 |         try {
 8 |             Runtime.getRuntime().exec(cmd);
 9 |         } catch (IOException e) {
10 |             throw new RuntimeException(e);
11 |         }
12 |         return null;
13 |     }
14 | }
15 | 


--------------------------------------------------------------------------------
/code-inspector-demo/src/main/java/code/inspector/demo/service/impl/SQLIServiceImpl.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.demo.service.impl;
 2 | 
 3 | import code.inspector.demo.dao.SQLIDao;
 4 | import code.inspector.demo.model.User;
 5 | import code.inspector.demo.service.SQLIService;
 6 | import org.springframework.stereotype.Service;
 7 | 
 8 | import java.util.List;
 9 | 
10 | @Service
11 | public class SQLIServiceImpl implements SQLIService {
12 | 
13 |     private final SQLIDao sqliDao;
14 | 
15 |     public SQLIServiceImpl(SQLIDao sqliDao) {
16 |         this.sqliDao = sqliDao;
17 |     }
18 | 
19 |     @Override
20 |     public String addUser(String name, int age) {
21 |         return sqliDao.addUser(name, age);
22 |     }
23 | 
24 |     @Override
25 |     public List<User> selectUser(String name) {
26 |         return sqliDao.selectUser(name);
27 |     }
28 | }
29 | 


--------------------------------------------------------------------------------
/code-inspector-demo/src/main/java/code/inspector/demo/service/impl/SSRFServiceImpl.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.demo.service.impl;
 2 | 
 3 | 
 4 | import code.inspector.demo.service.SSRFService;
 5 | import okhttp3.OkHttpClient;
 6 | import okhttp3.Request;
 7 | import okhttp3.Response;
 8 | import org.apache.http.HttpEntity;
 9 | import org.apache.http.HttpResponse;
10 | import org.apache.http.client.methods.HttpGet;
11 | import org.apache.http.impl.client.CloseableHttpClient;
12 | import org.apache.http.impl.client.HttpClients;
13 | import org.springframework.stereotype.Service;
14 | 
15 | import java.io.BufferedReader;
16 | import java.io.InputStream;
17 | import java.io.InputStreamReader;
18 | import java.net.HttpURLConnection;
19 | import java.net.Socket;
20 | import java.net.URL;
21 | 
22 | @Service
23 | public class SSRFServiceImpl implements SSRFService {
24 |     @Override
25 |     public String ssrf1(String data) {
26 |         StringBuilder response = new StringBuilder();
27 |         try {
28 |             URL url = new URL(data);
29 |             HttpURLConnection con = (HttpURLConnection) url.openConnection();
30 |             con.setRequestMethod("GET");
31 |             con.setRequestProperty("User-Agent", "Mozilla/5.0");
32 |             BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream()));
33 |             String inputLine;
34 |             while ((inputLine = in.readLine()) != null) {
35 |                 response.append(inputLine);
36 |             }
37 |             in.close();
38 |             return String.valueOf(response.length());
39 |         } catch (Exception e) {
40 |             e.printStackTrace();
41 |             return e.getMessage();
42 |         }
43 |     }
44 | 
45 |     @Override
46 |     public String ssrf2(String data) {
47 |         try {
48 |             CloseableHttpClient httpClient = HttpClients.createDefault();
49 |             HttpGet getRequest = new HttpGet(data);
50 |             HttpResponse response = httpClient.execute(getRequest);
51 |             HttpEntity entity = response.getEntity();
52 |             return String.valueOf(entity.getContentLength());
53 |         } catch (Exception e) {
54 |             e.printStackTrace();
55 |             return e.getMessage();
56 |         }
57 |     }
58 | 
59 |     @Override
60 |     public String ssrf3(String host, int port) {
61 |         try {
62 |             Socket socket = new Socket(host, port);
63 |             InputStream in = socket.getInputStream();
64 |             return in.toString();
65 |         } catch (Exception e) {
66 |             e.printStackTrace();
67 |             return e.getMessage();
68 |         }
69 |     }
70 | 
71 |     @Override
72 |     public String ssrf4(String url) {
73 |         try {
74 |             OkHttpClient httpClient = new OkHttpClient();
75 |             Request request = new Request.Builder()
76 |                     .url(url)
77 |                     .build();
78 |             Response response = httpClient.newCall(request).execute();
79 |             return response.toString();
80 |         } catch (Exception e) {
81 |             e.printStackTrace();
82 |             return e.getMessage();
83 |         }
84 |     }
85 | }
86 | 


--------------------------------------------------------------------------------
/code-inspector-demo/src/main/java/code/inspector/demo/web/DOSController.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.demo.web;
 2 | 
 3 | import code.inspector.demo.service.DOSService;
 4 | import org.springframework.stereotype.Controller;
 5 | import org.springframework.web.bind.annotation.RequestMapping;
 6 | 
 7 | @Controller
 8 | @RequestMapping("/dos")
 9 | public class DOSController {
10 | 
11 |     private final DOSService dosService;
12 | 
13 |     public DOSController(DOSService dosService) {
14 |         this.dosService = dosService;
15 |     }
16 | 
17 | 
18 |     @RequestMapping("/dos1")
19 |     public String dos1(String a, String b) {
20 |         return dosService.dos1(a, b);
21 |     }
22 | 
23 |     @RequestMapping("/dos2")
24 |     public String rce2(int a) {
25 |         return dosService.dos2(a);
26 |     }
27 | 
28 |     @RequestMapping("/dos3")
29 |     public String dop3(int a) {
30 |         return dosService.dos3(a);
31 |     }
32 | 
33 |     @RequestMapping("/dos4")
34 |     public String dop4(int a) {
35 |         return dosService.dos4(a);
36 |     }
37 | }
38 | 


--------------------------------------------------------------------------------
/code-inspector-demo/src/main/java/code/inspector/demo/web/DesController.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.demo.web;
 2 | 
 3 | import code.inspector.demo.model.Obj;
 4 | import code.inspector.demo.service.DesService;
 5 | import org.springframework.stereotype.Controller;
 6 | import org.springframework.web.bind.annotation.RequestMapping;
 7 | import org.springframework.web.bind.annotation.ResponseBody;
 8 | 
 9 | @Controller
10 | public class DesController {
11 | 
12 |     private final DesService desService;
13 | 
14 |     public DesController(DesService desService){
15 |         this.desService =desService;
16 |     }
17 | 
18 |     @RequestMapping("/jdk")
19 |     @ResponseBody
20 |     public String jdk(Obj obj) {
21 |         return desService.jdk(obj);
22 |     }
23 | 
24 |     @RequestMapping
25 |     @ResponseBody
26 |     public String fastjson(Obj obj){
27 |         return desService.fastjson(obj);
28 |     }
29 | 
30 |     @RequestMapping
31 |     @ResponseBody
32 |     public String snakeyaml(Obj obj){
33 |         return desService.yaml(obj);
34 |     }
35 | 
36 |     @RequestMapping
37 |     @ResponseBody
38 |     public String jackson(Obj obj){
39 |         return desService.jackson(obj);
40 |     }
41 | 
42 |     @RequestMapping
43 |     @ResponseBody
44 |     public String hessian(Obj obj){
45 |         return desService.hessian(obj);
46 |     }
47 | 
48 |     @RequestMapping
49 |     @ResponseBody
50 |     public String xmlDecoder(Obj obj){
51 |         return desService.xml(obj);
52 |     }
53 | }
54 | 


--------------------------------------------------------------------------------
/code-inspector-demo/src/main/java/code/inspector/demo/web/RCEController.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.demo.web;
 2 | 
 3 | import code.inspector.demo.model.Obj;
 4 | import code.inspector.demo.service.RCEService;
 5 | import org.springframework.expression.EvaluationContext;
 6 | import org.springframework.expression.Expression;
 7 | import org.springframework.expression.ExpressionParser;
 8 | import org.springframework.expression.spel.standard.SpelExpressionParser;
 9 | import org.springframework.expression.spel.support.SimpleEvaluationContext;
10 | import org.springframework.expression.spel.support.StandardEvaluationContext;
11 | import org.springframework.stereotype.Controller;
12 | import org.springframework.web.bind.annotation.RequestMapping;
13 | 
14 | @Controller
15 | @RequestMapping("/rce")
16 | public class RCEController {
17 | 
18 |     private final RCEService rceService;
19 | 
20 |     public RCEController(RCEService rceService) {
21 |         this.rceService = rceService;
22 |     }
23 | 
24 |     @RequestMapping(path = "/")
25 |     public String index(String input) {
26 |         ExpressionParser parser = new SpelExpressionParser();
27 |         EvaluationContext evaluationContext = null;
28 |         Expression expr = null;
29 |         if (input.contains("test")) {
30 |             evaluationContext = new StandardEvaluationContext();
31 |         } else {
32 |             evaluationContext = new SimpleEvaluationContext.Builder().build();
33 |         }
34 |         expr = parser.parseExpression(input);
35 |         expr.getValue(evaluationContext);
36 |         return "ok";
37 |     }
38 | 
39 |     @RequestMapping("/rce1")
40 |     public String rce1(String data) {
41 |         return rceService.rce1(data);
42 |     }
43 | 
44 |     @RequestMapping("/rce2")
45 |     public String rce2(String data) {
46 |         return rceService.rce2(data);
47 |     }
48 | 
49 |     @RequestMapping("/rce3")
50 |     public String rce3(String data) {
51 |         return rceService.rce3(data);
52 |     }
53 | 
54 |     @RequestMapping("/rce4")
55 |     public String rce4(Obj obj) {
56 |         return rceService.rce4(obj);
57 |     }
58 | 
59 |     @RequestMapping("/rce5")
60 |     public String rce5(String str) {
61 |         return rceService.rce5(str);
62 |     }
63 | 
64 |     @RequestMapping("/rce6")
65 |     public String rce6(String str) {
66 |         if(str.contains("cmd")){
67 |             return "error";
68 |         }
69 |         for(int i=0;i<10;i++){
70 |             System.out.println(i);
71 |             System.out.println(str);
72 |         }
73 |         rceService.rce6(str);
74 |         for(int i=0;i<10;i++){
75 |             System.out.println(i);
76 |             if(str.equals("test")){
77 |                 System.out.println(str);
78 |             }
79 |         }
80 |         return "ok";
81 |     }
82 | }
83 | 


--------------------------------------------------------------------------------
/code-inspector-demo/src/main/java/code/inspector/demo/web/SQLIController.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.demo.web;
 2 | 
 3 | import code.inspector.demo.model.User;
 4 | import code.inspector.demo.service.SQLIService;
 5 | import org.springframework.stereotype.Controller;
 6 | import org.springframework.web.bind.annotation.GetMapping;
 7 | import org.springframework.web.bind.annotation.RequestMapping;
 8 | import org.springframework.web.bind.annotation.ResponseBody;
 9 | 
10 | import java.util.List;
11 | 
12 | @Controller
13 | @RequestMapping("/sqli")
14 | public class SQLIController {
15 | 
16 |     private final SQLIService sqliService;
17 | 
18 |     public SQLIController(SQLIService sqliService) {
19 |         this.sqliService = sqliService;
20 |     }
21 | 
22 |     @GetMapping("add")
23 |     @ResponseBody
24 |     public String addUser(String name, int age) {
25 |         return sqliService.addUser(name, age);
26 |     }
27 | 
28 |     @RequestMapping("/select")
29 |     @ResponseBody
30 |     public List<User> select(String name) {
31 |         return sqliService.selectUser(name);
32 |     }
33 | }
34 | 


--------------------------------------------------------------------------------
/code-inspector-demo/src/main/java/code/inspector/demo/web/SSRFController.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.demo.web;
 2 | 
 3 | import code.inspector.demo.service.SSRFService;
 4 | import okhttp3.Call;
 5 | import okhttp3.OkHttpClient;
 6 | import org.apache.http.HttpResponse;
 7 | import org.apache.http.client.methods.HttpGet;
 8 | import org.apache.http.impl.client.DefaultHttpClient;
 9 | import org.springframework.stereotype.Controller;
10 | import org.springframework.web.bind.annotation.RequestMapping;
11 | import org.springframework.web.bind.annotation.RequestParam;
12 | import org.springframework.web.bind.annotation.ResponseBody;
13 | 
14 | import java.io.IOException;
15 | import java.io.InputStream;
16 | import java.net.HttpURLConnection;
17 | import java.net.URL;
18 | 
19 | @Controller
20 | @RequestMapping("/ssrf")
21 | public class SSRFController {
22 |     private final SSRFService ssrfService;
23 | 
24 |     public SSRFController(SSRFService ssrfService) {
25 |         this.ssrfService = ssrfService;
26 |     }
27 | 
28 |     @RequestMapping(path = "/test1")
29 |     @ResponseBody
30 |     public String ssrf1(@RequestParam(name = "url") String data) {
31 |         return ssrfService.ssrf1(data);
32 |     }
33 | 
34 |     @RequestMapping(path = "/test2")
35 |     @ResponseBody
36 |     public String ssrf2(@RequestParam(name = "url") String data) {
37 |         return ssrfService.ssrf2(data);
38 |     }
39 | 
40 |     @RequestMapping(path = "/test3")
41 |     @ResponseBody
42 |     public String ssrf3(@RequestParam(name = "host") String host,
43 |                         @RequestParam(name = "port") int port) {
44 |         return ssrfService.ssrf3(host, port);
45 |     }
46 | 
47 |     @RequestMapping(path = "/test4")
48 |     @ResponseBody
49 |     public String ssrf4(@RequestParam(name = "url") String data) {
50 |         return ssrfService.ssrf4(data);
51 |     }
52 | 
53 |     @RequestMapping(value = "/one")
54 |     public String One(@RequestParam(value = "url") String imageUrl) {
55 |         try {
56 |             URL url = new URL(imageUrl);
57 |             HttpURLConnection connection = (HttpURLConnection) url.openConnection();
58 |             connection.setRequestMethod("GET");
59 |             return connection.getResponseMessage();
60 |         } catch (IOException var3) {
61 |             System.out.println(var3);
62 |             return "Hello";
63 |         }
64 |     }
65 | 
66 |     @RequestMapping(value = "/four")
67 |     public String Four(@RequestParam(value = "url") String imageUrl) {
68 |         try {
69 |             DefaultHttpClient client = new DefaultHttpClient();
70 |             HttpGet get = new HttpGet(imageUrl);
71 |             HttpResponse response = client.execute(get);
72 |             return response.toString();
73 |         } catch (IOException var1) {
74 |             System.out.println(var1);
75 |             return "Hello";
76 |         }
77 |     }
78 | 
79 |     @RequestMapping(value = "five")
80 |     public String Five(@RequestParam(value = "url") String imageUrl) {
81 |         try {
82 |             URL url = new URL(imageUrl);
83 |             InputStream inputStream = url.openStream();
84 |             return String.valueOf(inputStream.read());
85 |         } catch (IOException var1) {
86 |             System.out.println(var1);
87 |             return "Hello";
88 |         }
89 |     }
90 | }
91 | 


--------------------------------------------------------------------------------
/code-inspector-demo/src/main/java/code/inspector/demo/web/URLController.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.demo.web;
 2 | 
 3 | import org.springframework.stereotype.Controller;
 4 | import org.springframework.web.bind.annotation.RequestMapping;
 5 | import org.springframework.web.servlet.ModelAndView;
 6 | 
 7 | import javax.servlet.http.HttpServletRequest;
 8 | import javax.servlet.http.HttpServletResponse;
 9 | 
10 | @Controller
11 | @RequestMapping("/url")
12 | public class URLController {
13 |     @RequestMapping("/redirect1")
14 |     public void redirect1(HttpServletRequest request,
15 |                           HttpServletResponse response) {
16 |         try {
17 |             String newUrl = request.getParameter("url");
18 |             response.sendRedirect(newUrl);
19 |         } catch (Exception e) {
20 |             e.printStackTrace();
21 |         }
22 |     }
23 | 
24 |     @RequestMapping("/redirect2")
25 |     public String redirect2(String url) {
26 |         return "redirect:" + url;
27 |     }
28 | 
29 |     @RequestMapping("/redirect3")
30 |     public ModelAndView redirect3(String url) {
31 |         String redirect = "redirect://" + url;
32 |         return new ModelAndView(redirect);
33 |     }
34 | 
35 | }
36 | 


--------------------------------------------------------------------------------
/code-inspector-graphviz/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <parent>
 6 |         <artifactId>code-inspector</artifactId>
 7 |         <groupId>n1ar4</groupId>
 8 |         <version>0.2-beta</version>
 9 |     </parent>
10 |     <modelVersion>4.0.0</modelVersion>
11 | 
12 |     <artifactId>code-inspector-graphviz</artifactId>
13 | 
14 |     <dependencies>
15 |         <dependency>
16 |             <groupId>n1ar4</groupId>
17 |             <artifactId>code-inspector-model</artifactId>
18 |             <version>0.2-beta</version>
19 |             <scope>compile</scope>
20 |         </dependency>
21 |     </dependencies>
22 | 
23 |     <properties>
24 |         <maven.compiler.source>8</maven.compiler.source>
25 |         <maven.compiler.target>8</maven.compiler.target>
26 |         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
27 |     </properties>
28 | 
29 | </project>


--------------------------------------------------------------------------------
/code-inspector-graphviz/src/main/java/code/inspector/graphviz/GraphvizCore.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.graphviz;
 2 | 
 3 | import code.inspector.model.MethodReference;
 4 | import guru.nidi.graphviz.attribute.Shape;
 5 | import guru.nidi.graphviz.engine.Format;
 6 | import guru.nidi.graphviz.engine.Graphviz;
 7 | import guru.nidi.graphviz.model.MutableGraph;
 8 | import guru.nidi.graphviz.model.MutableNode;
 9 | 
10 | import java.io.File;
11 | import java.nio.file.Files;
12 | import java.nio.file.Path;
13 | import java.nio.file.Paths;
14 | import java.util.List;
15 | 
16 | import static guru.nidi.graphviz.model.Factory.*;
17 | 
18 | public class GraphvizCore {
19 |     @SuppressWarnings("all")
20 |     private static String getOutput(MethodReference mr) {
21 |         StringBuilder sb = new StringBuilder();
22 |         sb.append(mr.getClassReference().getName());
23 |         sb.append("\n");
24 |         sb.append(mr.getName());
25 |         return sb.toString();
26 |     }
27 | 
28 |     @SuppressWarnings("all")
29 |     private static String getFirstOutput(MethodReference mr,int index) {
30 |         StringBuilder sb = new StringBuilder();
31 |         sb.append(mr.getClassReference().getName());
32 |         sb.append("\n");
33 |         sb.append(mr.getName());
34 |         sb.append("\n");
35 |         sb.append("param index: ");
36 |         sb.append(String.valueOf(index));
37 |         return sb.toString();
38 |     }
39 | 
40 |     public static void work(String outputDir, List<MethodReference> mrList,int pIndex) {
41 |         try {
42 |             Path targetDir = Paths.get(outputDir);
43 |             if (Files.notExists(targetDir)) {
44 |                 Files.createDirectories(targetDir);
45 |             }
46 |             String output = String.format("%s%s%s%s", outputDir, File.separator, "test", ".jpg");
47 |             MutableGraph g = mutGraph("code-inspector")
48 |                     .setDirected(true).use((gr, ctx) -> {
49 |                         int index = 0;
50 |                         MutableNode lastMn = null;
51 |                         for (MethodReference mr : mrList) {
52 |                             index++;
53 |                             if (index == 1) {
54 |                                 lastMn = mutNode(getFirstOutput(mr,pIndex)).add(Shape.RECTANGLE);
55 |                                 continue;
56 |                             }
57 |                             MutableNode newMn = mutNode(getOutput(mr)).add(Shape.RECTANGLE);
58 |                             lastMn.addLink(newMn);
59 |                             lastMn = newMn;
60 |                         }
61 |                     });
62 |             Graphviz.fromGraph(g).width(800).render(Format.PNG).toFile(new File(output));
63 |         } catch (Exception ex) {
64 |             ex.printStackTrace();
65 |         }
66 |     }
67 | }
68 | 


--------------------------------------------------------------------------------
/code-inspector-graphviz/src/main/resources/log4j.properties:
--------------------------------------------------------------------------------
1 | log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender


--------------------------------------------------------------------------------
/code-inspector-jvm/README.md:
--------------------------------------------------------------------------------
1 | # code-inspector-jvm
2 | 
3 | 项目核心模块的底层依赖，模拟JVM栈帧进行分析


--------------------------------------------------------------------------------
/code-inspector-jvm/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <parent>
 6 |         <artifactId>code-inspector</artifactId>
 7 |         <groupId>n1ar4</groupId>
 8 |         <version>0.2-beta</version>
 9 |     </parent>
10 |     <modelVersion>4.0.0</modelVersion>
11 | 
12 |     <artifactId>code-inspector-jvm</artifactId>
13 | 
14 |     <properties>
15 |         <maven.compiler.source>8</maven.compiler.source>
16 |         <maven.compiler.target>8</maven.compiler.target>
17 |         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
18 |     </properties>
19 | 
20 | </project>


--------------------------------------------------------------------------------
/code-inspector-jvm/src/main/java/code/inspector/jvm/GotoState.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.jvm;
 2 | 
 3 | 
 4 | public class GotoState<T> {
 5 |     private LocalVariables<T> localVariables;
 6 |     private OperandStack<T> operandStack;
 7 | 
 8 |     public LocalVariables<T> getLocalVariables() {
 9 |         return localVariables;
10 |     }
11 | 
12 |     public void setLocalVariables(LocalVariables<T> localVariables) {
13 |         this.localVariables = localVariables;
14 |     }
15 | 
16 |     public OperandStack<T> getOperandStack() {
17 |         return operandStack;
18 |     }
19 | 
20 |     public void setOperandStack(OperandStack<T> operandStack) {
21 |         this.operandStack = operandStack;
22 |     }
23 | }
24 | 


--------------------------------------------------------------------------------
/code-inspector-jvm/src/main/java/code/inspector/jvm/LocalVariables.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.jvm;
 2 | 
 3 | import java.util.ArrayList;
 4 | import java.util.HashSet;
 5 | import java.util.List;
 6 | import java.util.Set;
 7 | 
 8 | public class LocalVariables<T> {
 9 |     private final ArrayList<Set<T>> array;
10 | 
11 |     public LocalVariables() {
12 |         this.array = new ArrayList<>();
13 |     }
14 | 
15 |     public void clear() {
16 |         this.array.clear();
17 |     }
18 | 
19 |     public void add(Set<T> t) {
20 |         this.array.add(t);
21 |     }
22 | 
23 |     public void set(int index, Set<T> t) {
24 |         array.set(index, t);
25 |     }
26 | 
27 |     public void set(int index, T t) {
28 |         Set<T> set = new HashSet<>();
29 |         set.add(t);
30 |         array.set(index, set);
31 |     }
32 | 
33 |     public Set<T> get(int index) {
34 |         return array.get(index);
35 |     }
36 | 
37 |     public int size() {
38 |         return this.array.size();
39 |     }
40 | 
41 |     public void remove(int index) {
42 |         this.array.remove(index);
43 |     }
44 | 
45 |     public List<Set<T>> getList() {
46 |         return this.array;
47 |     }
48 | }
49 | 


--------------------------------------------------------------------------------
/code-inspector-jvm/src/main/java/code/inspector/jvm/OperandStack.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.jvm;
 2 | 
 3 | import java.util.HashSet;
 4 | import java.util.LinkedList;
 5 | import java.util.List;
 6 | import java.util.Set;
 7 | 
 8 | @SuppressWarnings("all")
 9 | public class OperandStack<T> {
10 |     private final LinkedList<Set<T>> stack;
11 | 
12 |     public OperandStack() {
13 |         this.stack = new LinkedList<>();
14 |     }
15 | 
16 |     public Set<T> pop() {
17 |         return stack.remove(stack.size() - 1);
18 |     }
19 | 
20 |     public void push(T t) {
21 |         Set<T> set = new HashSet<>();
22 |         set.add(t);
23 |         stack.add(set);
24 |     }
25 | 
26 |     public void push() {
27 |         stack.add(new HashSet<>());
28 |     }
29 | 
30 |     public void push(Set<T> t) {
31 |         stack.add(t);
32 |     }
33 | 
34 |     public void clear() {
35 |         stack.clear();
36 |     }
37 | 
38 |     public Set<T> get(int index) {
39 |         return stack.get(stack.size() - index - 1);
40 |     }
41 | 
42 |     public void set(int index, Set<T> t) {
43 |         stack.set(stack.size() - index - 1, t);
44 |     }
45 | 
46 |     public void set(int index, T t) {
47 |         Set<T> set = new HashSet<>();
48 |         set.add(t);
49 |         stack.set(stack.size() - index - 1, set);
50 |     }
51 | 
52 |     public void add(Set<T> t) {
53 |         this.stack.add(t);
54 |     }
55 | 
56 |     public int size() {
57 |         return this.stack.size();
58 |     }
59 | 
60 |     public void remove(int index) {
61 |         this.stack.remove(index);
62 |     }
63 | 
64 |     public List<Set<T>> getList() {
65 |         return this.stack;
66 |     }
67 | }
68 | 


--------------------------------------------------------------------------------
/code-inspector-model/README.md:
--------------------------------------------------------------------------------
1 | # code-inspector-model
2 | 
3 | 项目使用到的一些实体类/包装类


--------------------------------------------------------------------------------
/code-inspector-model/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <parent>
 6 |         <artifactId>code-inspector</artifactId>
 7 |         <groupId>n1ar4</groupId>
 8 |         <version>0.2-beta</version>
 9 |     </parent>
10 |     <modelVersion>4.0.0</modelVersion>
11 | 
12 |     <artifactId>code-inspector-model</artifactId>
13 | 
14 |     <properties>
15 |         <maven.compiler.source>8</maven.compiler.source>
16 |         <maven.compiler.target>8</maven.compiler.target>
17 |         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
18 |     </properties>
19 | 
20 | </project>


--------------------------------------------------------------------------------
/code-inspector-model/src/main/java/code/inspector/model/CallGraph.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.model;
 2 | 
 3 | import java.util.Objects;
 4 | 
 5 | public class CallGraph {
 6 |     private final MethodReference.Handle callerMethod;
 7 |     private final MethodReference.Handle targetMethod;
 8 |     private final int callerArgIndex;
 9 |     private final int targetArgIndex;
10 | 
11 |     public CallGraph(MethodReference.Handle callerMethod, MethodReference.Handle targetMethod,
12 |                      int callerArgIndex, int targetArgIndex) {
13 |         this.callerMethod = callerMethod;
14 |         this.targetMethod = targetMethod;
15 |         this.callerArgIndex = callerArgIndex;
16 |         this.targetArgIndex = targetArgIndex;
17 |     }
18 | 
19 |     public MethodReference.Handle getCallerMethod() {
20 |         return callerMethod;
21 |     }
22 | 
23 |     public MethodReference.Handle getTargetMethod() {
24 |         return targetMethod;
25 |     }
26 | 
27 |     public int getCallerArgIndex() {
28 |         return callerArgIndex;
29 |     }
30 | 
31 |     public int getTargetArgIndex() {
32 |         return targetArgIndex;
33 |     }
34 | 
35 |     @Override
36 |     public boolean equals(Object o) {
37 |         if (this == o) return true;
38 |         if (o == null || getClass() != o.getClass()) {
39 |             return false;
40 |         }
41 | 
42 |         CallGraph CallGraph = (CallGraph) o;
43 | 
44 |         if (callerArgIndex != CallGraph.callerArgIndex) {
45 |             return false;
46 |         }
47 |         if (targetArgIndex != CallGraph.targetArgIndex) {
48 |             return false;
49 |         }
50 |         if (!Objects.equals(callerMethod, CallGraph.callerMethod)) {
51 |             return false;
52 |         }
53 |         return Objects.equals(targetMethod, CallGraph.targetMethod);
54 |     }
55 | 
56 |     @Override
57 |     public int hashCode() {
58 |         int result = callerMethod != null ? callerMethod.hashCode() : 0;
59 |         result = 31 * result + (targetMethod != null ? targetMethod.hashCode() : 0);
60 |         result = 31 * result + callerArgIndex;
61 |         result = 31 * result + targetArgIndex;
62 |         return result;
63 |     }
64 | }
65 | 


--------------------------------------------------------------------------------
/code-inspector-model/src/main/java/code/inspector/model/ClassFile.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.model;
 2 | 
 3 | import java.nio.file.Files;
 4 | import java.nio.file.Path;
 5 | import java.util.Objects;
 6 | 
 7 | public class ClassFile {
 8 |     private final String className;
 9 |     private final Path path;
10 | 
11 |     public ClassFile(String className, Path path) {
12 |         this.className = className;
13 |         this.path = path;
14 |     }
15 | 
16 |     @Override
17 |     public boolean equals(Object o) {
18 |         if (this == o) {
19 |             return true;
20 |         }
21 |         if (o == null || getClass() != o.getClass()) {
22 |             return false;
23 |         }
24 |         ClassFile classFile = (ClassFile) o;
25 |         return Objects.equals(className, classFile.className);
26 |     }
27 | 
28 |     @Override
29 |     public int hashCode() {
30 |         return className != null ? className.hashCode() : 0;
31 |     }
32 | 
33 |     public String getClassName() {
34 |         return className;
35 |     }
36 | 
37 |     public byte[] getFile() {
38 |         try {
39 |             return Files.readAllBytes(this.path);
40 |         } catch (Exception e) {
41 |             e.printStackTrace();
42 |         }
43 |         return null;
44 |     }
45 | }


--------------------------------------------------------------------------------
/code-inspector-model/src/main/java/code/inspector/model/ClassReference.java:
--------------------------------------------------------------------------------
  1 | package code.inspector.model;
  2 | 
  3 | import java.util.List;
  4 | import java.util.Objects;
  5 | import java.util.Set;
  6 | 
  7 | public class ClassReference {
  8 |     private final String name;
  9 |     private final String superClass;
 10 |     private final List<String> interfaces;
 11 |     private final boolean isInterface;
 12 |     private final List<Member> members;
 13 |     private final Set<String> annotations;
 14 | 
 15 |     public static class Member {
 16 |         private final String name;
 17 |         private final int modifiers;
 18 |         private final Handle type;
 19 | 
 20 |         public Member(String name, int modifiers, Handle type) {
 21 |             this.name = name;
 22 |             this.modifiers = modifiers;
 23 |             this.type = type;
 24 |         }
 25 | 
 26 |         public String getName() {
 27 |             return name;
 28 |         }
 29 | 
 30 |         public int getModifiers() {
 31 |             return modifiers;
 32 |         }
 33 | 
 34 |         public Handle getType() {
 35 |             return type;
 36 |         }
 37 |     }
 38 | 
 39 |     public ClassReference(String name, String superClass, List<String> interfaces,
 40 |                           boolean isInterface, List<Member> members, Set<String> annotations) {
 41 |         this.name = name;
 42 |         this.superClass = superClass;
 43 |         this.interfaces = interfaces;
 44 |         this.isInterface = isInterface;
 45 |         this.members = members;
 46 |         this.annotations = annotations;
 47 |     }
 48 | 
 49 |     public String getName() {
 50 |         return name;
 51 |     }
 52 | 
 53 |     public String getSuperClass() {
 54 |         return superClass;
 55 |     }
 56 | 
 57 |     public List<String> getInterfaces() {
 58 |         return interfaces;
 59 |     }
 60 | 
 61 |     public boolean isInterface() {
 62 |         return isInterface;
 63 |     }
 64 | 
 65 |     public List<Member> getMembers() {
 66 |         return members;
 67 |     }
 68 | 
 69 |     public Handle getHandle() {
 70 |         return new Handle(name);
 71 |     }
 72 | 
 73 |     public Set<String> getAnnotations() {
 74 |         return annotations;
 75 |     }
 76 | 
 77 |     public static class Handle {
 78 |         private final String name;
 79 | 
 80 |         public Handle(String name) {
 81 |             this.name = name;
 82 |         }
 83 | 
 84 |         public String getName() {
 85 |             return name;
 86 |         }
 87 | 
 88 |         @Override
 89 |         public boolean equals(Object o) {
 90 |             if (this == o) {
 91 |                 return true;
 92 |             }
 93 |             if (o == null || getClass() != o.getClass()) {
 94 |                 return false;
 95 |             }
 96 |             Handle handle = (Handle) o;
 97 |             return Objects.equals(name, handle.name);
 98 |         }
 99 | 
100 |         @Override
101 |         public int hashCode() {
102 |             return name != null ? name.hashCode() : 0;
103 |         }
104 |     }
105 | }
106 | 


--------------------------------------------------------------------------------
/code-inspector-model/src/main/java/code/inspector/model/MethodReference.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.model;
 2 | 
 3 | import java.util.Objects;
 4 | 
 5 | public class MethodReference {
 6 |     private final ClassReference.Handle classReference;
 7 |     private final String name;
 8 |     private final String desc;
 9 |     private final boolean isStatic;
10 | 
11 |     public MethodReference(ClassReference.Handle classReference,
12 |                            String name, String desc, boolean isStatic) {
13 |         this.classReference = classReference;
14 |         this.name = name;
15 |         this.desc = desc;
16 |         this.isStatic = isStatic;
17 |     }
18 | 
19 |     public ClassReference.Handle getClassReference() {
20 |         return classReference;
21 |     }
22 | 
23 |     public String getName() {
24 |         return name;
25 |     }
26 | 
27 |     public String getDesc() {
28 |         return desc;
29 |     }
30 | 
31 |     public boolean isStatic() {
32 |         return isStatic;
33 |     }
34 | 
35 |     public Handle getHandle() {
36 |         return new Handle(classReference, name, desc);
37 |     }
38 | 
39 |     public static class Handle {
40 |         private final ClassReference.Handle classReference;
41 |         private final String name;
42 |         private final String desc;
43 | 
44 |         public Handle(ClassReference.Handle classReference, String name, String desc) {
45 |             this.classReference = classReference;
46 |             this.name = name;
47 |             this.desc = desc;
48 |         }
49 | 
50 |         public ClassReference.Handle getClassReference() {
51 |             return classReference;
52 |         }
53 | 
54 |         public String getName() {
55 |             return name;
56 |         }
57 | 
58 |         public String getDesc() {
59 |             return desc;
60 |         }
61 | 
62 |         @Override
63 |         public boolean equals(Object o) {
64 |             if (this == o) return true;
65 |             if (o == null || getClass() != o.getClass()) return false;
66 |             Handle handle = (Handle) o;
67 |             if (!Objects.equals(classReference, handle.classReference)) {
68 |                 return false;
69 |             }
70 |             if (!Objects.equals(name, handle.name)) {
71 |                 return false;
72 |             }
73 |             return Objects.equals(desc, handle.desc);
74 |         }
75 | 
76 |         @Override
77 |         public int hashCode() {
78 |             int result = classReference != null ? classReference.hashCode() : 0;
79 |             result = 31 * result + (name != null ? name.hashCode() : 0);
80 |             result = 31 * result + (desc != null ? desc.hashCode() : 0);
81 |             return result;
82 |         }
83 |     }
84 | }
85 | 


--------------------------------------------------------------------------------
/code-inspector-model/src/main/java/code/inspector/model/ResultInfo.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.model;
 2 | 
 3 | import java.util.ArrayList;
 4 | import java.util.List;
 5 | import java.util.Objects;
 6 | 
 7 | public class ResultInfo {
 8 |     private String vulName;
 9 |     private String type;
10 |     private final List<String> chains = new ArrayList<>();
11 | 
12 |     public String getType() {
13 |         return type;
14 |     }
15 | 
16 |     public void setType(String type) {
17 |         this.type = type;
18 |     }
19 | 
20 |     public String getVulName() {
21 |         return vulName;
22 |     }
23 | 
24 |     public void setVulName(String vulName) {
25 |         this.vulName = vulName;
26 |     }
27 | 
28 |     public List<String> getChains() {
29 |         return chains;
30 |     }
31 | 
32 |     @Override
33 |     public String toString() {
34 |         StringBuilder sb = new StringBuilder();
35 |         sb.append(this.vulName);
36 |         sb.append("\n");
37 |         for (String s : chains) {
38 |             sb.append("\t");
39 |             sb.append(s);
40 |             sb.append("\n");
41 |         }
42 |         return sb.toString();
43 |     }
44 | 
45 |     @Override
46 |     public boolean equals(Object o) {
47 |         if (this == o) return true;
48 |         if (o == null || getClass() != o.getClass()) return false;
49 |         ResultInfo that = (ResultInfo) o;
50 |         boolean first = Objects.equals(vulName, that.vulName);
51 |         boolean second = Objects.equals(type, that.type);
52 |         boolean third = true;
53 |         if (chains.size() == that.chains.size()) {
54 |             for (int i = 0; i < chains.size(); i++) {
55 |                 if (!chains.get(i).equals(that.chains.get(i))) {
56 |                     third = false;
57 |                     break;
58 |                 }
59 |             }
60 |             return first & second & third;
61 |         } else {
62 |             return false;
63 |         }
64 |     }
65 | 
66 |     @Override
67 |     public int hashCode() {
68 |         return Objects.hash(vulName, type, chains);
69 |     }
70 | }
71 | 


--------------------------------------------------------------------------------
/code-inspector-render/README.md:
--------------------------------------------------------------------------------
1 | # code-inspector-render
2 | 
3 | 得到扫描结果后渲染到html页面的模块


--------------------------------------------------------------------------------
/code-inspector-render/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <parent>
 6 |         <artifactId>code-inspector</artifactId>
 7 |         <groupId>n1ar4</groupId>
 8 |         <version>0.2-beta</version>
 9 |     </parent>
10 |     <modelVersion>4.0.0</modelVersion>
11 | 
12 |     <artifactId>code-inspector-render</artifactId>
13 | 
14 | </project>


--------------------------------------------------------------------------------
/code-inspector-render/src/main/java/code/inspector/render/IOUtil.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.render;
 2 | 
 3 | import java.io.ByteArrayOutputStream;
 4 | import java.io.InputStream;
 5 | 
 6 | public class IOUtil {
 7 |     public static byte[] readBytesFromIs(InputStream is) {
 8 |         try {
 9 |             ByteArrayOutputStream buffer = new ByteArrayOutputStream();
10 |             int nRead;
11 |             byte[] data = new byte[16384];
12 |             while ((nRead = is.read(data, 0, data.length)) != -1) {
13 |                 buffer.write(data, 0, nRead);
14 |             }
15 |             return buffer.toByteArray();
16 |         } catch (Exception e) {
17 |             e.printStackTrace();
18 |         }
19 |         return null;
20 |     }
21 | }
22 | 


--------------------------------------------------------------------------------
/code-inspector-render/src/main/java/code/inspector/render/Render.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.render;
 2 | 
 3 | import java.io.IOException;
 4 | import java.nio.file.Files;
 5 | import java.nio.file.Path;
 6 | import java.util.List;
 7 | 
 8 | public class Render {
 9 |     public static void renderHtml(Path savePath, List<RenderData> dataList) {
10 |         byte[] prefix = IOUtil.readBytesFromIs(Render.class.getClassLoader().getResourceAsStream("prefix"));
11 |         byte[] suffix = IOUtil.readBytesFromIs(Render.class.getClassLoader().getResourceAsStream("suffix"));
12 |         if (prefix == null || prefix.length == 0 || suffix == null || suffix.length == 0) {
13 |             return;
14 |         }
15 |         StringBuilder sb = new StringBuilder();
16 |         int index = 0;
17 |         if (dataList == null) {
18 |             return;
19 |         }
20 |         for (RenderData renderData : dataList) {
21 |             index++;
22 |             String temp = String.format("<tr>\n" +
23 |                             "<th scope=\"row\">%s</th>\n" +
24 |                             "<td><span class=\"badge badge-danger\">%s</span></td>\n" +
25 |                             "<td><span class=\"badge badge-warning\">%s</span></td>\n" +
26 |                             "<td>%s</td></tr>", index, renderData.getType(),
27 |                     renderData.getCategory(), renderData.getDetails());
28 |             sb.append(temp);
29 |         }
30 |         String data = sb.toString();
31 |         byte[] dataBytes = data.getBytes();
32 |         byte[] total = new byte[prefix.length + suffix.length + dataBytes.length];
33 |         System.arraycopy(prefix, 0, total, 0, prefix.length);
34 |         System.arraycopy(dataBytes, 0, total, prefix.length, dataBytes.length);
35 |         System.arraycopy(suffix, 0, total, prefix.length + dataBytes.length, suffix.length);
36 |         try {
37 |             Files.write(savePath, total);
38 |         } catch (IOException e) {
39 |             e.printStackTrace();
40 |         }
41 |     }
42 | }
43 | 


--------------------------------------------------------------------------------
/code-inspector-render/src/main/java/code/inspector/render/RenderData.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.render;
 2 | 
 3 | public class RenderData {
 4 |     private String type;
 5 |     private String category;
 6 |     private String details;
 7 | 
 8 |     public String getType() {
 9 |         return type;
10 |     }
11 | 
12 |     public void setType(String type) {
13 |         this.type = type;
14 |     }
15 | 
16 |     public String getCategory() {
17 |         return category;
18 |     }
19 | 
20 |     public void setCategory(String category) {
21 |         this.category = category;
22 |     }
23 | 
24 |     public String getDetails() {
25 |         return details;
26 |     }
27 | 
28 |     public void setDetails(String details) {
29 |         this.details = details;
30 |     }
31 | }
32 | 


--------------------------------------------------------------------------------
/code-inspector-render/src/main/resources/suffix:
--------------------------------------------------------------------------------
 1 | </table>
 2 | <footer class="footer py-3 bg-dark text-light">
 3 |     <div class="container">
 4 |                 <div>
 5 |                     <p>Author <span class="badge badge-success">4ra1n</span></p>
 6 |                     <p>Github <a href="https://github.com/4ra1n/code-inspector">
 7 |                         https://github.com/4ra1n/code-inspector</a></p>
 8 |                 </div>
 9 |     </div>
10 | </footer>
11 | </body>
12 | </html>


--------------------------------------------------------------------------------
/code-inspector-spring/README.md:
--------------------------------------------------------------------------------
1 | # code-inspector-spring
2 | 
3 | 分析Spring框架的核心代码


--------------------------------------------------------------------------------
/code-inspector-spring/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <parent>
 6 |         <artifactId>code-inspector</artifactId>
 7 |         <groupId>n1ar4</groupId>
 8 |         <version>0.2-beta</version>
 9 |     </parent>
10 |     <modelVersion>4.0.0</modelVersion>
11 | 
12 |     <artifactId>code-inspector-spring</artifactId>
13 | 
14 |     <dependencies>
15 |         <dependency>
16 |             <groupId>n1ar4</groupId>
17 |             <artifactId>code-inspector-model</artifactId>
18 |             <version>0.2-beta</version>
19 |             <scope>compile</scope>
20 |         </dependency>
21 |     </dependencies>
22 | 
23 |     <properties>
24 |         <maven.compiler.source>8</maven.compiler.source>
25 |         <maven.compiler.target>8</maven.compiler.target>
26 |         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
27 |     </properties>
28 | 
29 | </project>


--------------------------------------------------------------------------------
/code-inspector-spring/src/main/java/code/inspector/core/spring/SpringConstant.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.spring;
 2 | 
 3 | public interface SpringConstant {
 4 |     String ControllerAnno = "Lorg/springframework/stereotype/Controller;";
 5 |     String RestControllerAnno = "Lorg/springframework/web/bind/annotation/RestController;";
 6 |     String RequestMappingAnno = "Lorg/springframework/web/bind/annotation/RequestMapping;";
 7 |     String GetMappingAnno = "Lorg/springframework/web/bind/annotation/GetMapping;";
 8 |     String PostMappingAnno = "Lorg/springframework/web/bind/annotation/PostMapping;";
 9 |     String ResponseBodyAnno = "Lorg/springframework/web/bind/annotation/ResponseBody;";
10 |     String RequestParamAnno = "Lorg/springframework/web/bind/annotation/RequestParam;";
11 | }
12 | 


--------------------------------------------------------------------------------
/code-inspector-spring/src/main/java/code/inspector/core/spring/SpringController.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.spring;
 2 | 
 3 | 
 4 | import code.inspector.model.ClassReference;
 5 | 
 6 | import java.util.ArrayList;
 7 | import java.util.List;
 8 | 
 9 | @SuppressWarnings("all")
10 | public class SpringController {
11 |     private boolean isRest;
12 |     private ClassReference.Handle className;
13 |     private ClassReference classReference;
14 |     private final List<SpringMapping> mappings = new ArrayList<>();
15 | 
16 |     public boolean isRest() {
17 |         return isRest;
18 |     }
19 | 
20 |     public void setRest(boolean rest) {
21 |         isRest = rest;
22 |     }
23 | 
24 |     public ClassReference.Handle getClassName() {
25 |         return className;
26 |     }
27 | 
28 |     public void setClassName(ClassReference.Handle className) {
29 |         this.className = className;
30 |     }
31 | 
32 |     public ClassReference getClassReference() {
33 |         return classReference;
34 |     }
35 | 
36 |     public void setClassReference(ClassReference classReference) {
37 |         this.classReference = classReference;
38 |     }
39 | 
40 |     public List<SpringMapping> getMappings() {
41 |         return mappings;
42 |     }
43 | 
44 |     public void addMapping(SpringMapping mapping) {
45 |         this.mappings.add(mapping);
46 |     }
47 | }
48 | 


--------------------------------------------------------------------------------
/code-inspector-spring/src/main/java/code/inspector/core/spring/SpringMapping.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.spring;
 2 | 
 3 | 
 4 | import code.inspector.model.MethodReference;
 5 | 
 6 | import java.util.ArrayList;
 7 | import java.util.List;
 8 | 
 9 | @SuppressWarnings("all")
10 | public class SpringMapping {
11 |     private boolean isRest;
12 |     private SpringController controller;
13 |     private MethodReference.Handle methodName;
14 |     private MethodReference methodReference;
15 |     private String path;
16 |     private List<SpringParam> paramMap = new ArrayList<>();
17 | 
18 |     public List<SpringParam> getParamMap() {
19 |         return paramMap;
20 |     }
21 | 
22 |     public void setParamMap(List<SpringParam> paramMap) {
23 |         this.paramMap = paramMap;
24 |     }
25 | 
26 |     public boolean isRest() {
27 |         return isRest;
28 |     }
29 | 
30 |     public void setRest(boolean rest) {
31 |         isRest = rest;
32 |     }
33 | 
34 |     public SpringController getController() {
35 |         return controller;
36 |     }
37 | 
38 |     public void setController(SpringController controller) {
39 |         this.controller = controller;
40 |     }
41 | 
42 |     public MethodReference.Handle getMethodName() {
43 |         return methodName;
44 |     }
45 | 
46 |     public void setMethodName(MethodReference.Handle methodName) {
47 |         this.methodName = methodName;
48 |     }
49 | 
50 |     public MethodReference getMethodReference() {
51 |         return methodReference;
52 |     }
53 | 
54 |     public void setMethodReference(MethodReference methodReference) {
55 |         this.methodReference = methodReference;
56 |     }
57 | 
58 |     public String getPath() {
59 |         return path;
60 |     }
61 | 
62 |     public void setPath(String path) {
63 |         this.path = path;
64 |     }
65 | }
66 | 


--------------------------------------------------------------------------------
/code-inspector-spring/src/main/java/code/inspector/core/spring/SpringParam.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.spring;
 2 | 
 3 | @SuppressWarnings("all")
 4 | public class SpringParam {
 5 |     private int paramIndex;
 6 |     private String paramName;
 7 |     private String paramType;
 8 |     private String reqName;
 9 | 
10 |     public int getParamIndex() {
11 |         return paramIndex;
12 |     }
13 | 
14 |     public void setParamIndex(int paramIndex) {
15 |         this.paramIndex = paramIndex;
16 |     }
17 | 
18 |     public String getParamName() {
19 |         return paramName;
20 |     }
21 | 
22 |     public void setParamName(String paramName) {
23 |         this.paramName = paramName;
24 |     }
25 | 
26 |     public String getParamType() {
27 |         return paramType;
28 |     }
29 | 
30 |     public void setParamType(String paramType) {
31 |         this.paramType = paramType;
32 |     }
33 | 
34 |     public String getReqName() {
35 |         return reqName;
36 |     }
37 | 
38 |     public void setReqName(String reqName) {
39 |         this.reqName = reqName;
40 |     }
41 | }
42 | 


--------------------------------------------------------------------------------
/code-inspector-spring/src/main/java/code/inspector/core/spring/asm/SpringAnnoAdapter.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.spring.asm;
 2 | 
 3 | import code.inspector.core.spring.SpringParam;
 4 | import org.objectweb.asm.AnnotationVisitor;
 5 | 
 6 | import java.util.List;
 7 | 
 8 | public class SpringAnnoAdapter extends AnnotationVisitor {
 9 |     private final List<SpringParam> params;
10 |     private final int index;
11 | 
12 |     public SpringAnnoAdapter(int api, AnnotationVisitor annotationVisitor,
13 |                              List<SpringParam> params, int parameter) {
14 |         super(api, annotationVisitor);
15 |         this.index = parameter;
16 |         this.params = params;
17 |     }
18 | 
19 |     @Override
20 |     public void visit(String name, Object value) {
21 |         if (name.equals("name") || name.equals("value")) {
22 |             SpringParam param = this.params.get(this.index);
23 |             param.setReqName(value.toString());
24 |             param.setParamIndex(this.index);
25 |             this.params.set(this.index, param);
26 |         }
27 |         super.visit(name, value);
28 |     }
29 | }
30 | 


--------------------------------------------------------------------------------
/code-inspector-spring/src/main/java/code/inspector/core/spring/asm/SpringClassVisitor.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.spring.asm;
 2 | 
 3 | import code.inspector.core.spring.SpringConstant;
 4 | import code.inspector.core.spring.SpringController;
 5 | import code.inspector.model.ClassReference;
 6 | import code.inspector.model.MethodReference;
 7 | import org.objectweb.asm.ClassVisitor;
 8 | import org.objectweb.asm.MethodVisitor;
 9 | import org.objectweb.asm.Opcodes;
10 | 
11 | import java.util.List;
12 | import java.util.Map;
13 | import java.util.Set;
14 | 
15 | public class SpringClassVisitor extends ClassVisitor {
16 |     private final Map<ClassReference.Handle, ClassReference> classMap;
17 |     private final Map<MethodReference.Handle, MethodReference> methodMap;
18 |     private final List<SpringController> controllers;
19 |     private boolean isSpring;
20 |     private SpringController currentController;
21 |     private String name;
22 | 
23 |     public SpringClassVisitor(List<SpringController> controllers,
24 |                               Map<ClassReference.Handle, ClassReference> classMap,
25 |                               Map<MethodReference.Handle, MethodReference> methodMap) {
26 |         super(Opcodes.ASM6);
27 |         this.methodMap = methodMap;
28 |         this.controllers = controllers;
29 |         this.classMap = classMap;
30 |     }
31 | 
32 |     @Override
33 |     public void visit(int version, int access, String name, String signature,
34 |                       String superName, String[] interfaces) {
35 |         this.name = name;
36 |         Set<String> annotations = classMap.get(new ClassReference.Handle(name)).getAnnotations();
37 |         if (annotations.contains(SpringConstant.ControllerAnno) ||
38 |                 annotations.contains(SpringConstant.RestControllerAnno)) {
39 |             this.isSpring = true;
40 |             currentController = new SpringController();
41 |             currentController.setClassReference(classMap.get(new ClassReference.Handle(name)));
42 |             currentController.setClassName(new ClassReference.Handle(name));
43 |             currentController.setRest(!annotations.contains(SpringConstant.ControllerAnno));
44 |         } else {
45 |             this.isSpring = false;
46 |         }
47 |         super.visit(version, access, name, signature, superName, interfaces);
48 |     }
49 | 
50 |     @Override
51 |     public MethodVisitor visitMethod(int access, String name, String descriptor,
52 |                                      String signature, String[] exceptions) {
53 |         MethodVisitor mv = super.visitMethod(access, name, descriptor, signature, exceptions);
54 |         if (this.isSpring) {
55 |             if (this.name.equals("<init>") || this.name.equals("<clinit>")) {
56 |                 return mv;
57 |             }
58 |             return new SpringMethodAdapter(name, descriptor, this.name, Opcodes.ASM6, mv,
59 |                     currentController, this.methodMap);
60 |         } else {
61 |             return mv;
62 |         }
63 |     }
64 | 
65 |     @Override
66 |     public void visitEnd() {
67 |         if (isSpring) {
68 |             controllers.add(currentController);
69 |         }
70 |         super.visitEnd();
71 |     }
72 | }
73 | 


--------------------------------------------------------------------------------
/code-inspector-spring/src/main/java/code/inspector/core/spring/asm/SpringMethodAdapter.java:
--------------------------------------------------------------------------------
  1 | package code.inspector.core.spring.asm;
  2 | 
  3 | import code.inspector.core.spring.SpringConstant;
  4 | import code.inspector.core.spring.SpringController;
  5 | import code.inspector.core.spring.SpringMapping;
  6 | import code.inspector.core.spring.SpringParam;
  7 | import code.inspector.model.ClassReference;
  8 | import code.inspector.model.MethodReference;
  9 | import org.objectweb.asm.AnnotationVisitor;
 10 | import org.objectweb.asm.MethodVisitor;
 11 | import org.objectweb.asm.Opcodes;
 12 | import org.objectweb.asm.Type;
 13 | 
 14 | import java.util.ArrayList;
 15 | import java.util.List;
 16 | import java.util.Map;
 17 | 
 18 | 
 19 | public class SpringMethodAdapter extends MethodVisitor {
 20 |     private final Map<MethodReference.Handle, MethodReference> methodMap;
 21 |     private final List<SpringParam> requestParam = new ArrayList<>();
 22 |     private final SpringMapping currentMapping;
 23 |     private final SpringController controller;
 24 |     private final String name;
 25 |     private final String owner;
 26 |     private final String desc;
 27 | 
 28 |     private SpringPathAnnoAdapter pathAnnoAdapter;
 29 | 
 30 |     public SpringMethodAdapter(String name, String descriptor, String owner,
 31 |                                int api, MethodVisitor methodVisitor,
 32 |                                SpringController currentController,
 33 |                                Map<MethodReference.Handle, MethodReference> methodMap) {
 34 |         super(api, methodVisitor);
 35 |         this.owner = owner;
 36 |         this.desc = descriptor;
 37 |         this.name = name;
 38 |         this.methodMap = methodMap;
 39 |         this.controller = currentController;
 40 |         this.currentMapping = new SpringMapping();
 41 |     }
 42 | 
 43 |     @Override
 44 |     public AnnotationVisitor visitAnnotation(String descriptor, boolean visible) {
 45 |         AnnotationVisitor av = super.visitAnnotation(descriptor, visible);
 46 |         if (descriptor.equals(SpringConstant.RequestMappingAnno) ||
 47 |                 descriptor.equals(SpringConstant.GetMappingAnno) ||
 48 |                 descriptor.equals(SpringConstant.PostMappingAnno)) {
 49 |             currentMapping.setMethodName(new MethodReference.Handle(
 50 |                     new ClassReference.Handle(this.owner), this.name, this.desc));
 51 |             currentMapping.setController(controller);
 52 |             currentMapping.setMethodReference(methodMap.get(currentMapping.getMethodName()));
 53 |             currentMapping.setParamMap(this.requestParam);
 54 |             pathAnnoAdapter = new SpringPathAnnoAdapter(Opcodes.ASM6, av);
 55 |             av = pathAnnoAdapter;
 56 |         }
 57 |         if (descriptor.equals(SpringConstant.ResponseBodyAnno)) {
 58 |             currentMapping.setRest(true);
 59 |         }
 60 |         return av;
 61 |     }
 62 | 
 63 |     @Override
 64 |     public void visitCode() {
 65 |         if (this.currentMapping != null) {
 66 |             if (pathAnnoAdapter.getResults().size() > 0) {
 67 |                 currentMapping.setPath(pathAnnoAdapter.getResults().get(0));
 68 |             }
 69 |         }
 70 |         Type[] argTypes = Type.getArgumentTypes(this.desc);
 71 |         for (int i = 0; i < argTypes.length; i++) {
 72 |             if (i < this.requestParam.size()) {
 73 |                 this.requestParam.get(i).setParamType(argTypes[i].getClassName());
 74 |                 this.requestParam.get(i).setParamIndex(i);
 75 |             }
 76 |         }
 77 |         super.visitCode();
 78 |     }
 79 | 
 80 |     @Override
 81 |     public AnnotationVisitor visitParameterAnnotation(int parameter, String descriptor, boolean visible) {
 82 |         AnnotationVisitor av = super.visitParameterAnnotation(parameter, descriptor, visible);
 83 |         if (descriptor.equals(SpringConstant.RequestParamAnno)) {
 84 |             return new SpringAnnoAdapter(Opcodes.ASM6, av, requestParam, parameter);
 85 |         }
 86 |         return av;
 87 |     }
 88 | 
 89 | 
 90 |     @Override
 91 |     public void visitParameter(String name, int access) {
 92 |         SpringParam param = new SpringParam();
 93 |         param.setParamName(name);
 94 |         this.requestParam.add(param);
 95 |         super.visitParameter(name, access);
 96 |     }
 97 | 
 98 | 
 99 |     @Override
100 |     public void visitEnd() {
101 |         if (currentMapping != null) {
102 |             this.requestParam.forEach(param -> {
103 |                 if (param.getReqName() == null || param.getReqName().equals("")) {
104 |                     param.setReqName(param.getParamName());
105 |                 }
106 |             });
107 |             controller.addMapping(currentMapping);
108 |         }
109 |         super.visitEnd();
110 |     }
111 | }
112 | 


--------------------------------------------------------------------------------
/code-inspector-spring/src/main/java/code/inspector/core/spring/asm/SpringPathAnnoAdapter.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.spring.asm;
 2 | 
 3 | import org.objectweb.asm.AnnotationVisitor;
 4 | import org.objectweb.asm.Opcodes;
 5 | 
 6 | import java.util.ArrayList;
 7 | import java.util.List;
 8 | 
 9 | public class SpringPathAnnoAdapter extends AnnotationVisitor {
10 |     private final List<String> results = new ArrayList<>();
11 | 
12 |     public SpringPathAnnoAdapter(int api, AnnotationVisitor annotationVisitor) {
13 |         super(api, annotationVisitor);
14 |     }
15 | 
16 |     public List<String> getResults() {
17 |         return results;
18 |     }
19 | 
20 |     @Override
21 |     public AnnotationVisitor visitArray(String name) {
22 |         AnnotationVisitor av = super.visitArray(name);
23 |         return new ArrayVisitor(Opcodes.ASM6, av,results);
24 |     }
25 | 
26 |     static class ArrayVisitor extends AnnotationVisitor {
27 |         private final List<String> results;
28 | 
29 |         public ArrayVisitor(int api, AnnotationVisitor annotationVisitor, List<String> results) {
30 |             super(api, annotationVisitor);
31 |             this.results = results;
32 |         }
33 | 
34 |         @Override
35 |         public void visit(String name, Object value) {
36 |             if (!value.toString().trim().equals("")) {
37 |                 results.add(value.toString());
38 |             }
39 |             super.visit(name, value);
40 |         }
41 |     }
42 | }
43 | 


--------------------------------------------------------------------------------
/code-inspector-starter/README.md:
--------------------------------------------------------------------------------
1 | # code-inspector-starter
2 | 
3 | 项目启动模块（其实只是一个main方法）


--------------------------------------------------------------------------------
/code-inspector-starter/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <parent>
 6 |         <artifactId>code-inspector</artifactId>
 7 |         <groupId>n1ar4</groupId>
 8 |         <version>0.2-beta</version>
 9 |     </parent>
10 |     <modelVersion>4.0.0</modelVersion>
11 | 
12 |     <artifactId>code-inspector-starter</artifactId>
13 |     <dependencies>
14 |         <dependency>
15 |             <groupId>n1ar4</groupId>
16 |             <artifactId>code-inspector-core</artifactId>
17 |             <scope>compile</scope>
18 |             <version>0.2-beta</version>
19 |         </dependency>
20 |     </dependencies>
21 | 
22 |     <properties>
23 |         <maven.compiler.source>8</maven.compiler.source>
24 |         <maven.compiler.target>8</maven.compiler.target>
25 |         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
26 |     </properties>
27 | 
28 | 
29 |     <build>
30 |         <plugins>
31 |             <plugin>
32 |                 <artifactId>maven-assembly-plugin</artifactId>
33 |                 <configuration>
34 |                     <appendAssemblyId>false</appendAssemblyId>
35 |                     <descriptorRefs>
36 |                         <descriptorRef>jar-with-dependencies</descriptorRef>
37 |                     </descriptorRefs>
38 |                     <archive>
39 |                         <manifest>
40 |                             <mainClass>code.inspector.start.Application</mainClass>
41 |                         </manifest>
42 |                     </archive>
43 |                     <outputDirectory>../bin</outputDirectory>
44 |                 </configuration>
45 |                 <executions>
46 |                     <execution>
47 |                         <id>make-assembly</id>
48 |                         <phase>package</phase>
49 |                         <goals>
50 |                             <goal>assembly</goal>
51 |                         </goals>
52 |                     </execution>
53 |                 </executions>
54 |             </plugin>
55 |             <plugin>
56 |                 <groupId>org.apache.maven.plugins</groupId>
57 |                 <artifactId>maven-compiler-plugin</artifactId>
58 |                 <configuration>
59 |                     <source>${maven.compiler.source}</source>
60 |                     <target>${maven.compiler.target}</target>
61 |                 </configuration>
62 |             </plugin>
63 |         </plugins>
64 |     </build>
65 | 
66 | </project>


--------------------------------------------------------------------------------
/code-inspector-starter/src/main/java/code/inspector/start/Application.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.start;
 2 | 
 3 | public class Application {
 4 |     public static void main(String[] args) {
 5 |         String logo = " ___   ___  ________  ________    _____  ________      \n" +
 6 |                 "|\\  \\ |\\  \\|\\   __  \\|\\   __  \\  / __  \\|\\   ___  \\    \n" +
 7 |                 "\\ \\  \\\\_\\  \\ \\  \\|\\  \\ \\  \\|\\  \\|\\/_|\\  \\ \\  \\\\ \\  \\   \n" +
 8 |                 " \\ \\______  \\ \\   _  _\\ \\   __  \\|/ \\ \\  \\ \\  \\\\ \\  \\  \n" +
 9 |                 "  \\|_____|\\  \\ \\  \\\\  \\\\ \\  \\ \\  \\   \\ \\  \\ \\  \\\\ \\  \\ \n" +
10 |                 "         \\ \\__\\ \\__\\\\ _\\\\ \\__\\ \\__\\   \\ \\__\\ \\__\\\\ \\__\\\n" +
11 |                 "          \\|__|\\|__|\\|__|\\|__|\\|__|    \\|__|\\|__| \\|__|\n";
12 |         System.out.println(logo);
13 |         System.out.println("Project: code-inspector");
14 |         System.out.println("Version: 0.2-beta");
15 |         System.out.println("Author : 4ra1n");
16 |         System.out.println("Github : github.com/4ra1n/code-inspector");
17 |         code.inspector.form.CodeInspector.start0();
18 |     }
19 | }
20 | 


--------------------------------------------------------------------------------
/code-inspector-util/README.md:
--------------------------------------------------------------------------------
1 | # code-inspector-util
2 | 
3 | 工具类


--------------------------------------------------------------------------------
/code-inspector-util/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <parent>
 6 |         <artifactId>code-inspector</artifactId>
 7 |         <groupId>n1ar4</groupId>
 8 |         <version>0.2-beta</version>
 9 |     </parent>
10 |     <modelVersion>4.0.0</modelVersion>
11 | 
12 |     <artifactId>code-inspector-util</artifactId>
13 | 
14 |     <properties>
15 |         <maven.compiler.source>8</maven.compiler.source>
16 |         <maven.compiler.target>8</maven.compiler.target>
17 |         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
18 |     </properties>
19 | 
20 |     <dependencies>
21 |         <dependency>
22 |             <groupId>n1ar4</groupId>
23 |             <artifactId>code-inspector-model</artifactId>
24 |             <scope>compile</scope>
25 |             <version>0.2-beta</version>
26 |         </dependency>
27 |     </dependencies>
28 | 
29 | </project>


--------------------------------------------------------------------------------
/code-inspector-util/src/main/java/code/inspector/core/util/ClassUtil.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.util;
 2 | 
 3 | import code.inspector.model.ClassFile;
 4 | 
 5 | import java.io.File;
 6 | import java.nio.file.Files;
 7 | import java.nio.file.Path;
 8 | import java.nio.file.Paths;
 9 | import java.util.ArrayList;
10 | import java.util.HashSet;
11 | import java.util.List;
12 | import java.util.Set;
13 | 
14 | public class ClassUtil {
15 | 
16 |     public static List<ClassFile> getAllClassesFromJars(List<String> jarPathList,
17 |                                                         boolean runtime) {
18 |         Set<ClassFile> classFileSet = new HashSet<>();
19 |         if (runtime) {
20 |             getRuntime(classFileSet);
21 |         }
22 |         for (String jarPath : jarPathList) {
23 |             classFileSet.addAll(JarUtil.resolveNormalJarFile(jarPath));
24 |         }
25 |         return new ArrayList<>(classFileSet);
26 |     }
27 | 
28 |     public static List<ClassFile> getAllClassesFromBoots(List<String> bootPathList,
29 |                                                          boolean runtime,
30 |                                                          boolean useAllLib) {
31 |         Set<ClassFile> classFileSet = new HashSet<>();
32 |         if (runtime) {
33 |             getRuntime(classFileSet);
34 |         }
35 |         for (String jarPath : bootPathList) {
36 |             classFileSet.addAll(JarUtil.resolveSpringBootJarFile(jarPath, useAllLib));
37 |         }
38 |         return new ArrayList<>(classFileSet);
39 |     }
40 | 
41 |     private static void getRuntime(Set<ClassFile> classFileSet) {
42 |         String rtJarPath = System.getenv("JAVA_HOME") +
43 |                 File.separator + "jre" +
44 |                 File.separator + "lib" +
45 |                 File.separator + "rt.jar";
46 |         Path rtPath = Paths.get(rtJarPath);
47 |         if (!Files.exists(rtPath)) {
48 |             throw new RuntimeException("rt.jar not exists");
49 |         }
50 |         classFileSet.addAll(JarUtil.resolveNormalJarFile(rtJarPath));
51 |     }
52 | }
53 | 


--------------------------------------------------------------------------------
/code-inspector-util/src/main/java/code/inspector/core/util/DirUtil.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.util;
 2 | 
 3 | 
 4 | import java.io.File;
 5 | import java.util.ArrayList;
 6 | import java.util.List;
 7 | 
 8 | public class DirUtil {
 9 |     private static final List<String> filenames = new ArrayList<>();
10 | 
11 |     public static List<String> GetFiles(String path) {
12 |         filenames.clear();
13 |         return getFiles(path);
14 |     }
15 | 
16 |     private static List<String> getFiles(String path) {
17 |         File file = new File(path);
18 |         if (file.isDirectory()) {
19 |             File[] files = file.listFiles();
20 |             if (files == null) {
21 |                 return filenames;
22 |             }
23 |             for (File value : files) {
24 |                 if (value.isDirectory()) {
25 |                     getFiles(value.getPath());
26 |                 } else {
27 |                     filenames.add(value.getAbsolutePath());
28 |                 }
29 |             }
30 |         } else {
31 |             filenames.add(file.getAbsolutePath());
32 |         }
33 |         return filenames;
34 |     }
35 | 
36 |     public static boolean removeDir(File dir) {
37 |         if (dir.isDirectory()) {
38 |             String[] children = dir.list();
39 |             if (children != null) {
40 |                 for (String child : children) {
41 |                     boolean success = removeDir(new File(dir, child));
42 |                     if (!success) {
43 |                         return false;
44 |                     }
45 |                 }
46 |             }
47 |         }
48 |         return dir.delete();
49 |     }
50 | }
51 | 


--------------------------------------------------------------------------------
/code-inspector-util/src/main/java/code/inspector/core/util/ExecUtil.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.util;
 2 | 
 3 | public class ExecUtil {
 4 |     public static void exec(String[] cmdArray) {
 5 |         try {
 6 |             new ProcessBuilder(cmdArray).start();
 7 |         } catch (Exception ex) {
 8 |             ex.printStackTrace();
 9 |         }
10 |     }
11 | 
12 |     public static void execOpen(String outputFilePath) {
13 |         if (OSUtil.isWindows()) {
14 |             String cmd = String.format("start %s", outputFilePath);
15 |             String[] xrayCmd = new String[]{"cmd.exe", "/c", String.format("%s", cmd)};
16 |             exec(xrayCmd);
17 |         } else {
18 |             String cmd = String.format("open %s", outputFilePath);
19 |             String[] xrayCmd = new String[]{"/bin/bash", "-c", String.format("%s", cmd)};
20 |             exec(xrayCmd);
21 |         }
22 |     }
23 | }
24 | 


--------------------------------------------------------------------------------
/code-inspector-util/src/main/java/code/inspector/core/util/IOUtil.java:
--------------------------------------------------------------------------------
 1 | package code.inspector.core.util;
 2 | 
 3 | import java.io.InputStream;
 4 | import java.io.OutputStream;
 5 | 
 6 | public class IOUtil {
 7 | 
 8 |     public static void copy(InputStream inputStream, OutputStream outputStream) {
 9 |         try {
10 |             final byte[] buffer = new byte[4096];
11 |             int n;
12 |             while ((n = inputStream.read(buffer)) > 0) {
13 |                 outputStream.write(buffer, 0, n);
14 |             }
15 |         } catch (Exception ignored) {
16 |         }
17 |     }
18 | }
19 | 


--------------------------------------------------------------------------------
/code-inspector-util/src/main/java/code/inspector/core/util/JarUtil.java:
--------------------------------------------------------------------------------
  1 | package code.inspector.core.util;
  2 | 
  3 | import code.inspector.model.ClassFile;
  4 | 
  5 | import java.io.File;
  6 | import java.io.InputStream;
  7 | import java.io.OutputStream;
  8 | import java.nio.file.Files;
  9 | import java.nio.file.Path;
 10 | import java.nio.file.Paths;
 11 | import java.util.ArrayList;
 12 | import java.util.HashSet;
 13 | import java.util.List;
 14 | import java.util.Set;
 15 | import java.util.jar.JarEntry;
 16 | import java.util.jar.JarInputStream;
 17 | import java.util.stream.Stream;
 18 | 
 19 | public class JarUtil {
 20 | 
 21 |     private static final Set<ClassFile> classFileSet = new HashSet<>();
 22 | 
 23 |     public static List<ClassFile> resolveNormalJarFile(String jarPath) {
 24 |         try {
 25 |             final Path tmpDir = Files.createDirectory(Paths.get(
 26 |                     "temp" + File.separator + Paths.get(jarPath).getFileName().toString()));
 27 |             resolve(jarPath, tmpDir);
 28 |             return new ArrayList<>(classFileSet);
 29 |         } catch (Exception ignored) {
 30 |         }
 31 |         return new ArrayList<>();
 32 |     }
 33 | 
 34 |     private static void resolve(String jarPath, Path tmpDir) {
 35 |         try {
 36 |             InputStream is = Files.newInputStream(Paths.get(jarPath));
 37 |             JarInputStream jarInputStream = new JarInputStream(is);
 38 |             JarEntry jarEntry;
 39 |             while ((jarEntry = jarInputStream.getNextJarEntry()) != null) {
 40 |                 Path fullPath = tmpDir.resolve(jarEntry.getName());
 41 |                 if (!jarEntry.isDirectory()) {
 42 |                     if (!jarEntry.getName().endsWith(".class")) {
 43 |                         continue;
 44 |                     }
 45 |                     Path dirName = fullPath.getParent();
 46 |                     if (!Files.exists(dirName)) {
 47 |                         Files.createDirectories(dirName);
 48 |                     }
 49 |                     OutputStream outputStream = Files.newOutputStream(fullPath);
 50 |                     IOUtil.copy(jarInputStream, outputStream);
 51 |                     ClassFile classFile = new ClassFile(jarEntry.getName(), fullPath);
 52 |                     classFileSet.add(classFile);
 53 |                 }
 54 |             }
 55 |         } catch (Exception ignored) {
 56 |         }
 57 |     }
 58 | 
 59 |     public static List<ClassFile> resolveSpringBootJarFile(String jarPath, boolean useAllLib) {
 60 |         try {
 61 |             final Path tmpDir = Files.createDirectory(Paths.get(
 62 |                     "temp" + File.separator + Paths.get(jarPath).getFileName().toString()));
 63 |             resolve(jarPath, tmpDir);
 64 |             if (useAllLib) {
 65 |                 resolveBoot(jarPath, tmpDir);
 66 |                 Stream<Path> paths;
 67 |                 try {
 68 |                     paths = Files.list(tmpDir.resolve("BOOT-INF/lib"));
 69 |                 } catch (Exception ignored) {
 70 |                     paths = Files.list(tmpDir.resolve("WEB-INF/lib"));
 71 |                 }
 72 |                 paths.forEach(p -> resolveNormalJarFile(p.toFile().getAbsolutePath()));
 73 |                 paths.close();
 74 |             }
 75 |             return new ArrayList<>(classFileSet);
 76 |         } catch (Exception ignored) {
 77 |         }
 78 |         return new ArrayList<>();
 79 |     }
 80 | 
 81 |     private static void resolveBoot(String jarPath, Path tmpDir) {
 82 |         try {
 83 |             InputStream is = Files.newInputStream(Paths.get(jarPath));
 84 |             JarInputStream jarInputStream = new JarInputStream(is);
 85 |             JarEntry jarEntry;
 86 |             while ((jarEntry = jarInputStream.getNextJarEntry()) != null) {
 87 |                 Path fullPath = tmpDir.resolve(jarEntry.getName());
 88 |                 if (!jarEntry.isDirectory()) {
 89 |                     if (!jarEntry.getName().endsWith(".jar")) {
 90 |                         continue;
 91 |                     }
 92 |                     Path dirName = fullPath.getParent();
 93 |                     if (!Files.exists(dirName)) {
 94 |                         Files.createDirectories(dirName);
 95 |                     }
 96 |                     OutputStream outputStream = Files.newOutputStream(fullPath);
 97 |                     IOUtil.copy(jarInputStream, outputStream);
 98 |                 }
 99 |             }
100 |         } catch (Exception ignored) {
101 |         }
102 |     }
103 | }


--------------------------------------------------------------------------------
/code-inspector-util/src/main/java/code/inspector/core/util/OSUtil.java:
--------------------------------------------------------------------------------
1 | package code.inspector.core.util;
2 | 
3 | public class OSUtil {
4 |     public static boolean isWindows() {
5 |         String osName = System.getProperty("os.name");
6 |         return osName.toLowerCase().contains("windows");
7 |     }
8 | }
9 | 


--------------------------------------------------------------------------------
/doc/ACHIEVE.md:
--------------------------------------------------------------------------------
 1 | ## 成果
 2 | 
 3 | 以下靶机存在`JDK 8`下编译打包
 4 | 
 5 | ### 靶机一
 6 | 
 7 | 靶机`https://github.com/j3ers3/Hello-Java-Sec`的扫描报告：
 8 | 
 9 | <img src="../images/00001.png">
10 | 
11 | ### 靶机二
12 | 
13 | 靶机`https://github.com/l4yn3/micro_service_seclab`的扫描报告：
14 | 
15 | <img src="../images/00002.png">
16 | 
17 | ### 靶机三
18 | 
19 | 靶机`https://github.com/ffffffff0x/JVWA`的扫描报告：
20 | 
21 | <img src="../images/00003.png">
22 | 
23 | ### 靶机四
24 | 
25 | 靶机`https://github.com/tangxiaofeng7/SecExample`的扫描报告：
26 | 
27 | <img src="../images/00004.png">
28 | 
29 | ### 靶机五
30 | 
31 | 自带靶机`code-inspector-demo`的扫描报告：
32 | 
33 | <img src="../images/00005.png">
34 | 


--------------------------------------------------------------------------------
/doc/CHAINS.md:
--------------------------------------------------------------------------------
 1 | ## 如何构建方法调用链
 2 | 
 3 | 通过`Controller`传递的所有参数都认为是污点（以此为开头进行分析）
 4 | 
 5 | 例如以下`rce1`方法的`data`参数，首先会查找该方法中所有和`data`有关的方法调用，认为是下一步调用链
 6 | 
 7 | 注意：我会记录所有调用方法的污点参数位置，并且在下一个链的方法中设置对应位置参数是污点以继续分析
 8 | 
 9 | ```java
10 | @RequestMapping("/rce1")
11 | public String rce1(String data) {
12 |     return rceService.rce1(data);
13 | }
14 | ```
15 | 
16 | 实际上调用的`Service`是一个接口
17 | 
18 | 我已经做了处理，可以通过接口找到它的实现，并且认为每一个实现都是一个新的方法调用链
19 | 
20 | ```java
21 | public interface RCEService {
22 |     String rce1(String data);
23 | }
24 | ```
25 | 
26 | 由于我记录了污点`data`的参数位置，在`ServiceImpl`类的`rce1`方法中设置对应的参数是污点
27 | 
28 | 注意：并不一定同名，这里命名`data`只是恰好
29 | 
30 | ```java
31 | @Service
32 | public class RCEServiceImpl implements RCEService {
33 |     @Override
34 |     public String rce1(String data) {
35 |         try {
36 |             // 此时污点data被当成参数传入了exec方法
37 |             // 认为这里是漏洞
38 |             Runtime.getRuntime().exec(data);
39 |         } catch (Exception e) {
40 |             e.printStackTrace();
41 |         }
42 |         return "ok";
43 |     }
44 | }
45 | ```
46 | 
47 | 通过扫描可以发现这样一条漏洞链：
48 | 
49 | ```text
50 | [info] [18:40:43] Runtime exec RCE
51 | 	code/inspector/demo/web/RCEController.rce1
52 | 	code/inspector/demo/service/RCEService.rce1
53 | 	code/inspector/demo/service/impl/RCEServiceImpl.rce1
54 | ```


--------------------------------------------------------------------------------
/doc/NEW.md:
--------------------------------------------------------------------------------
  1 | ## 新规则
  2 | 
  3 | 如何自定义并添加新的规则
  4 | 
  5 | （1）新的`ClassVisitor`应该继承自`BaseClassVisitor`
  6 | 
  7 | 除非你明白自己在做什么，否则绝大多数情况代码应该如下
  8 | 
  9 | ```java
 10 | public class NewClassVisitor extends BaseClassVisitor {
 11 |     public NewClassVisitor(MethodReference.Handle targetMethod, int targetIndex) {
 12 |         super(targetMethod, targetIndex, DesMethodAdapter.class);
 13 |     }
 14 | }
 15 | ```
 16 | 
 17 | （2）新的`MethodAdapter`应该继承自`ParamTaintMethodAdapter`
 18 | 
 19 | 除非你明白自己在做什么，否则绝大多数情况代码应该如下
 20 | 
 21 | 在其中编写你需要`Hook`的`JVM`指令，并可以直接通过`operandStack`和`localVariables`拿到栈帧数据进行分析
 22 | 
 23 | ```java
 24 | public class NewMethodAdapter extends ParamTaintMethodAdapter {
 25 |     private final Map<String, Boolean> pass;
 26 |     public NewMethodAdapter(int methodArgIndex, Map<String, Boolean> pass, int api, MethodVisitor mv,
 27 |                             String owner, int access, String name, String desc) {
 28 |         super(methodArgIndex, api, mv, owner, access, name, desc);
 29 |         this.pass = pass;
 30 |     }
 31 |     // 添加你需要Hook的指令以及规则
 32 | }
 33 | ```
 34 | 
 35 | （3）注意在`Const`中添加你的新规则
 36 | 
 37 | 一般新分类应该有`NEW_MODULE`变量来表示是否开启整个模块，其次有一些具体的分类变量，例如以下`RCE`相关
 38 | 
 39 | ```java
 40 | // 表示模块是否开启
 41 | String RCE_MODULE = "RCE_MODULE";
 42 | // 多个分类
 43 | String RCE_RUNTIME_TYPE = "RCE_RUNTIME_TYPE";
 44 | String RCE_PROCESS_TYPE = "RCE_PROCESS_TYPE";
 45 | String RCE_GROOVY_TYPE = "RCE_GROOVY_TYPE";
 46 | String RCE_JNDI_TYPE = "RCE_JNDI_TYPE";
 47 | String RCE_SP_EL_TYPE = "RCE_SP_EL_TYPE";
 48 | ```
 49 | 
 50 | 这个`Const`变量用于保存具体漏洞和收集漏洞信息
 51 | 
 52 | ```java
 53 | // 例如这里的XMLDecoder反序列化漏洞
 54 | if (operandStack.get(0).contains(Taint.PARAM_TAINT)) {
 55 |     super.visitMethodInsn(opcode, owner, name, desc, itf);
 56 |     pass.put(Const.DESERIALIZATION_XML_DECODER, true);
 57 |     return;
 58 | }
 59 | ```
 60 | 
 61 | 例如在`DesCollector`中确认对应的反序列化漏洞信息
 62 | 
 63 | ```java
 64 | // 例如这里的XMLDecoder反序列化漏洞
 65 | if (cv.getPass(Const.DESERIALIZATION_XML_DECODER)) {
 66 |     ResultInfo resultInfo = new ResultInfo();
 67 |     resultInfo.setType(DES);
 68 |     resultInfo.setVulName("XMLDecoder readObject");
 69 |     resultInfo.getChains().addAll(tempChain);
 70 |     results.add(resultInfo);
 71 |     Log.info(resultInfo.toString());
 72 | }
 73 | ```
 74 | 
 75 | （4）新建`collector`类用于收集扫描结果数据
 76 | 
 77 | 注意`collect`方法和参数不变，底层使用反射调用
 78 | 
 79 | ```java
 80 | public class NewCollector {
 81 |     private static final String NEW = "Your New Type";
 82 | 
 83 |     public static void collect(BaseClassVisitor cv, List<String> tempChain, List<ResultInfo> results) {
 84 |         if (cv.getPass(Const.YOUR_NEW_VULN)) {
 85 |             ResultInfo resultInfo = new ResultInfo();
 86 |             resultInfo.setType(NEW);
 87 |             resultInfo.setVulName("Your New Vulnerability");
 88 |             resultInfo.getChains().addAll(tempChain);
 89 |             results.add(resultInfo);
 90 |             Log.info(resultInfo.toString());
 91 |         }
 92 |     }
 93 | }
 94 | ```
 95 | 
 96 | (5) 新建`Service`类继承自`BaseService`用于启动分析
 97 | 
 98 | `BaseService`类是一切分析的核心，除非你真的明白自己在做什么，否则绝大多数情况代码应该如下
 99 | 
100 | ```java
101 | public class NewService extends BaseService {
102 |     public static void start(Map<String, ClassFile> classFileByName,
103 |                              List<SpringController> controllers,
104 |                              Map<MethodReference.Handle, Set<CallGraph>> discoveredCalls) {
105 |         start0(classFileByName,controllers,discoveredCalls,
106 |                 NewClassVisitor.class, NewCollector.class);
107 |     }
108 | }
109 | ```
110 | 
111 | (6) 在`Application`中添加新的`Service`即可成功配置
112 | 
113 | ```java
114 | if (globalOptions.getOrDefault(Const.NEW_MODULE, false)) {
115 |     NewService.start(classFileByName, controllers, graphCallMap);
116 |     resultInfoList.addAll(NewService.getResults());
117 | }
118 | ```
119 | 
120 | 通过以上的配置，可以使用`API`来扫描，通过`GUI`启动扫描任务的还需要对界面进行编辑
121 | 


--------------------------------------------------------------------------------
/doc/QUESTIONS.md:
--------------------------------------------------------------------------------
1 | ## 常见问题 
2 | 
3 | （1）为什么启动或打包时报错
4 | 
5 | 尝试：Preferences -> Editor -> UI Designer -> Generate UI into: Java source code
6 | 
7 | 然后：mvn clean 再 mvn package 即可 


--------------------------------------------------------------------------------
/doc/TAINT.md:
--------------------------------------------------------------------------------
 1 | ## 通用污点传递规则
 2 | 
 3 | （1）数组`AASTORE`指令的处理
 4 | 
 5 | 对数组某个位置赋值的指令一般如下
 6 | 
 7 | ```text
 8 | ANEWARRAY java/lang/String
 9 | DUP
10 | ICONST_0
11 | ALOAD 1
12 | AASTORE
13 | ```
14 | 
15 | 如果设置到数组的新元素是污点，那么执行`AASTORE`指令后栈顶的`array ref`也应设为污点
16 | 
17 | （`AASTORE`指令弹出三个参数，此时栈顶被`DUP`的另一份`array ref`是保存污点元素的数组引用）
18 | 
19 | ```java
20 | @Override
21 | public void visitInsn(int opcode) {
22 |     if (opcode == Opcodes.AASTORE) {
23 |         if (operandStack.get(0).contains(Taint.PARAM_TAINT) ||
24 |                 operandStack.get(0).contains(Taint.TO_STRING)) {
25 |             super.visitInsn(opcode);
26 |             operandStack.set(0, Taint.PARAM_TAINT);
27 |             return;
28 |         }
29 |     }
30 |     super.visitInsn(opcode);
31 | }
32 | ```
33 | 
34 | （2）处理`getter`方法的传递
35 | 
36 | 调用非静态方法且以`get`开头只有一个参数，当栈顶为污点时可以确定是`getter`方法，应该进行污点传递
37 | 
38 | ```text
39 | INVOKEVIRTUAL xxx/Obj.getXxx ()Ljava/lang/String;
40 | ```
41 | 
42 | ```java
43 | if (operandStack.size() > 0 &&
44 |         operandStack.get(0).contains(Taint.PARAM_TAINT) &&
45 |         opcode != Opcodes.INVOKESTATIC) {
46 |     Type[] argTypes = Type.getArgumentTypes(desc);
47 |     Type[] extendedArgTypes = new Type[argTypes.length + 1];
48 |     System.arraycopy(argTypes, 0, extendedArgTypes, 1, argTypes.length);
49 |     extendedArgTypes[0] = Type.getObjectType(owner);
50 |     argTypes = extendedArgTypes;
51 |     super.visitMethodInsn(opcode, owner, name, desc, itf);
52 |     if (operandStack.size() > 0) {
53 |         if (argTypes.length == 1 && name.startsWith("get")) {
54 |             operandStack.set(0, Taint.PARAM_TAINT);
55 |         }
56 |     }
57 |     return;
58 | }
59 | ```
60 | 
61 | （3）一些常见的情况
62 | 当以下方法的参数是污点时，执行后认为返回值也被污染了，根据实际情况应该添加更多
63 | - java/util/Base64$Decoder#decode
64 | - java/lang/String#replace
65 | - java/lang/String#format
66 | - java/io/BufferedInputStream#<init>
67 | - java/io/File#<init>
68 | - java/io/FileInputStream#<init>
69 | 
70 | ref: https://docs.oracle.com/javase/specs/jvms/se8/html/jvms-6.html


--------------------------------------------------------------------------------
/images/00000.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/4ra1n/code-inspector/a6e43e053971a7444bfa321d8998501b4ded047b/images/00000.png


--------------------------------------------------------------------------------
/images/00001.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/4ra1n/code-inspector/a6e43e053971a7444bfa321d8998501b4ded047b/images/00001.png


--------------------------------------------------------------------------------
/images/00002.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/4ra1n/code-inspector/a6e43e053971a7444bfa321d8998501b4ded047b/images/00002.png


--------------------------------------------------------------------------------
/images/00003.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/4ra1n/code-inspector/a6e43e053971a7444bfa321d8998501b4ded047b/images/00003.png


--------------------------------------------------------------------------------
/images/00004.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/4ra1n/code-inspector/a6e43e053971a7444bfa321d8998501b4ded047b/images/00004.png


--------------------------------------------------------------------------------
/images/00005.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/4ra1n/code-inspector/a6e43e053971a7444bfa321d8998501b4ded047b/images/00005.png


--------------------------------------------------------------------------------
/images/00006.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/4ra1n/code-inspector/a6e43e053971a7444bfa321d8998501b4ded047b/images/00006.png


--------------------------------------------------------------------------------
/images/00007.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/4ra1n/code-inspector/a6e43e053971a7444bfa321d8998501b4ded047b/images/00007.png


--------------------------------------------------------------------------------
/images/00008.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/4ra1n/code-inspector/a6e43e053971a7444bfa321d8998501b4ded047b/images/00008.png


--------------------------------------------------------------------------------
/images/00009.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/4ra1n/code-inspector/a6e43e053971a7444bfa321d8998501b4ded047b/images/00009.png


--------------------------------------------------------------------------------
/images/00010.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/4ra1n/code-inspector/a6e43e053971a7444bfa321d8998501b4ded047b/images/00010.png


--------------------------------------------------------------------------------
/images/00011.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/4ra1n/code-inspector/a6e43e053971a7444bfa321d8998501b4ded047b/images/00011.png


--------------------------------------------------------------------------------
/images/00012.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/4ra1n/code-inspector/a6e43e053971a7444bfa321d8998501b4ded047b/images/00012.png


--------------------------------------------------------------------------------
/images/00013.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/4ra1n/code-inspector/a6e43e053971a7444bfa321d8998501b4ded047b/images/00013.png


--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <modelVersion>4.0.0</modelVersion>
 6 | 
 7 |     <groupId>n1ar4</groupId>
 8 |     <artifactId>code-inspector</artifactId>
 9 |     <packaging>pom</packaging>
10 |     <version>0.2-beta</version>
11 | 
12 |     <modules>
13 |         <module>code-inspector-model</module>
14 |         <module>code-inspector-core</module>
15 |         <module>code-inspector-const</module>
16 |         <module>code-inspector-starter</module>
17 |         <module>code-inspector-jvm</module>
18 |         <module>code-inspector-spring</module>
19 |         <module>code-inspector-api</module>
20 |         <module>code-inspector-build</module>
21 |         <module>code-inspector-render</module>
22 |         <module>code-inspector-demo</module>
23 |         <module>code-inspector-util</module>
24 |         <module>code-inspector-graphviz</module>
25 |     </modules>
26 | 
27 |     <properties>
28 |         <maven.compiler.source>8</maven.compiler.source>
29 |         <maven.compiler.target>8</maven.compiler.target>
30 |         <asm.version>9.4</asm.version>
31 |         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
32 |     </properties>
33 | 
34 |     <dependencies>
35 |         <dependency>
36 |             <groupId>guru.nidi</groupId>
37 |             <artifactId>graphviz-java</artifactId>
38 |             <version>0.18.1</version>
39 |         </dependency>
40 |         <dependency>
41 |             <groupId>org.apache.logging.log4j</groupId>
42 |             <artifactId>log4j-core</artifactId>
43 |             <version>2.19.0</version>
44 |         </dependency>
45 |         <dependency>
46 |             <groupId>org.apache.logging.log4j</groupId>
47 |             <artifactId>log4j-slf4j-impl</artifactId>
48 |             <version>2.19.0</version>
49 |         </dependency>
50 |         <dependency>
51 |             <groupId>org.ow2.asm</groupId>
52 |             <artifactId>asm</artifactId>
53 |             <version>${asm.version}</version>
54 |         </dependency>
55 |         <dependency>
56 |             <groupId>org.ow2.asm</groupId>
57 |             <artifactId>asm-commons</artifactId>
58 |             <version>${asm.version}</version>
59 |         </dependency>
60 |         <dependency>
61 |             <groupId>org.ow2.asm</groupId>
62 |             <artifactId>asm-util</artifactId>
63 |             <version>${asm.version}</version>
64 |         </dependency>
65 |         <dependency>
66 |             <groupId>com.formdev</groupId>
67 |             <artifactId>flatlaf</artifactId>
68 |             <version>3.0</version>
69 |         </dependency>
70 |         <dependency>
71 |             <groupId>com.intellij</groupId>
72 |             <artifactId>forms_rt</artifactId>
73 |             <version>7.0.3</version>
74 |         </dependency>
75 |     </dependencies>
76 | </project>


--------------------------------------------------------------------------------
/target-list.txt:
--------------------------------------------------------------------------------
1 | https://github.com/j3ers3/Hello-Java-Sec
2 | https://github.com/l4yn3/micro_service_seclab
3 | https://github.com/ffffffff0x/JVWA
4 | https://github.com/tangxiaofeng7/SecExample
5 | 


--------------------------------------------------------------------------------