├── .gitmodules ├── README.md ├── spring-boot-1 ├── SpringBootHandler.java ├── options.yml └── taint-config.yml ├── spring-boot-2 ├── DependencyInjectionHandler.java ├── options.yml ├── spring-web-6.1.4.jar └── taint-config.yml └── spring-boot-3 ├── AddMybatisSinkHandler.java ├── ExtractApi.java ├── options.yml ├── pojo ├── MethodRouter.java └── Router.java └── taint-config.yml /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "spring-boot-1/java-benchmarks"] 2 | path = spring-boot-1/java-benchmarks 3 | url = https://github.com/pascal-lab/java-benchmarks 4 | [submodule "spring-boot-2/java-benchmarks"] 5 | path = spring-boot-2/java-benchmarks 6 | url = https://github.com/pascal-lab/java-benchmarks 7 | [submodule "spring-boot-3/java-benchmarks"] 8 | path = spring-boot-3/java-benchmarks 9 | url = https://github.com/pascal-lab/java-benchmarks 10 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Tai-e-demo 2 | 用来将Tai-e改造为开箱即用的静态代码安全分析框架的一些demo. 
3 | 在写完分模块的内容后会有一个支持springboot的tai-e扫描框架,添加sink点即可使用。 4 | 5 | 6 | 公众号 7 | 公众号用来更新一些其他内容比如tai-e实验的课程代码、后续sca的原理分析等 8 | 9 | ![image](https://github.com/lcark/Tai-e-demo/assets/45418164/9f416059-7a6a-4c7a-8499-7916a5e142ff) 10 | -------------------------------------------------------------------------------- /spring-boot-1/SpringBootHandler.java: -------------------------------------------------------------------------------- 1 | package pascal.taie.analysis.pta.plugin.taint; 2 | 3 | import pascal.taie.analysis.pta.core.cs.context.Context; 4 | import pascal.taie.analysis.pta.core.cs.element.CSMethod; 5 | import pascal.taie.analysis.pta.core.heap.Obj; 6 | import pascal.taie.analysis.pta.core.solver.EmptyParamProvider; 7 | import pascal.taie.analysis.pta.core.solver.EntryPoint; 8 | import pascal.taie.analysis.pta.core.solver.Solver; 9 | import pascal.taie.analysis.pta.plugin.Plugin; 10 | import pascal.taie.ir.IR; 11 | import pascal.taie.ir.exp.Var; 12 | import pascal.taie.language.annotation.Annotation; 13 | import pascal.taie.language.classes.JClass; 14 | import pascal.taie.language.classes.JMethod; 15 | 16 | import java.util.List; 17 | 18 | public class SpringBootHandler implements Plugin { 19 | private Solver solver; 20 | private TaintManager manager; 21 | 22 | 23 | @Override 24 | public void setSolver(Solver solver) { 25 | this.solver = solver; 26 | manager = new TaintManager(solver.getHeapModel()); 27 | } 28 | 29 | @Override 30 | public void onStart() { 31 | //add all hsd mapping annotation methods to entrypoint 32 | List list = solver.getHierarchy().applicationClasses().toList(); 33 | for (JClass jClass : list) { 34 | jClass.getDeclaredMethods().forEach(jMethod->{ 35 | if (!jMethod.getAnnotations().stream().filter( 36 | annotation -> annotation.getType().matches("org.springframework.web.bind.annotation.\\w+Mapping") 37 | ).toList().isEmpty()) { 38 | solver.addEntryPoint(new EntryPoint(jMethod, EmptyParamProvider.get())); 39 | } 40 | }); 41 | 42 | 43 | } 44 | } 45 
| 46 | @Override 47 | public void onNewCSMethod(CSMethod csMethod) { 48 | JMethod method = csMethod.getMethod(); 49 | Context context = csMethod.getContext(); 50 | boolean isMappingMethod = !method.getAnnotations() 51 | .stream().filter( 52 | annotation -> annotation.getType().matches("org.springframework.web.bind.annotation.\\w+Mapping") 53 | ).toList().isEmpty(); 54 | if(!isMappingMethod){ 55 | return; 56 | } 57 | IR ir = method.getIR(); 58 | for (int i = 0; i < ir.getParams().size(); i++) { 59 | Var param = ir.getParam(i); 60 | SourcePoint sourcePoint = new ParamSourcePoint(method, new IndexRef(IndexRef.Kind.VAR, i, null)); 61 | Obj taint = manager.makeTaint(sourcePoint, param.getType()); 62 | solver.addVarPointsTo(context, param, taint); 63 | } 64 | } 65 | } 66 | -------------------------------------------------------------------------------- /spring-boot-1/options.yml: -------------------------------------------------------------------------------- 1 | optionsFile: null 2 | printHelp: false 3 | classPath: [] 4 | appClassPath: 5 | - ../../java-sec-code/target/classes 6 | mainClass: 7 | inputClasses: [] 8 | javaVersion: 8 9 | prependJVM: false 10 | allowPhantom: true 11 | worldBuilderClass: pascal.taie.frontend.soot.SootWorldBuilder 12 | outputDir: output 13 | preBuildIR: false 14 | worldCacheMode: true 15 | scope: REACHABLE 16 | nativeModel: true 17 | planFile: null 18 | analyses: 19 | # ir-dumper: ; 20 | pta: cs:ci;plugins:[pascal.taie.analysis.pta.plugin.taint.SpringBootHandler];implicit-entries:true;distinguish-string-constants:null;reflection-inference:solar;merge-string-objects:false;merge-string-builders:false;merge-exception-objects:false;taint-config:taint-config.yml; 21 | onlyGenPlan: false 22 | keepResult: 23 | - $KEEP-ALL 24 | 25 | -------------------------------------------------------------------------------- /spring-boot-1/taint-config.yml: -------------------------------------------------------------------------------- 1 | sources: 2 | # - { 
kind: param, method: "", index: 0} 3 | - { kind: param, method: "", index: 0} 4 | # - { kind: param, method: "", index: 0} 5 | # - {kind: param, method: "",index: 0} 6 | sinks: 7 | ## SQLI 8 | - { vuln: "SQL Injection", level: 4, method: "", index: 0 } 9 | - { vuln: "SQL Injection", level: 4, method: "", index: 0 } 10 | transfers: 11 | - { method: "", from: base, to: result } 12 | - { method: "", from: 0, to: result } 13 | - { method: "", from: base, to: result } 14 | - { method: "(char[])>", from: 0, to: base } 15 | - { method: "", from: base, to: 2 } 16 | - { method: "", from: "1[*]", to: result } 17 | - { method: "(java.lang.String)>", from: 0, to: base } 18 | - { method: "", from: 0, to: base } 19 | - { method: "", from: 0, to: result } 20 | - { method: "", from: base, to: result } 21 | - { method: "", from: base, to: result } 22 | - { method: "(java.lang.String)>", from: 0, to: base } 23 | - { method: "", from: 0, to: base } 24 | - { method: "", from: 0, to: result } 25 | - { method: "", from: base, to: result } 26 | - { method: "", from: base, to: result } 27 | 28 | call-site-mode: true 29 | 30 | -------------------------------------------------------------------------------- /spring-boot-2/DependencyInjectionHandler.java: -------------------------------------------------------------------------------- 1 | package pascal.taie.analysis.pta.plugin.taint; 2 | 3 | import pascal.taie.World; 4 | import pascal.taie.analysis.pta.core.cs.context.Context; 5 | import pascal.taie.analysis.pta.core.cs.element.CSMethod; 6 | import pascal.taie.analysis.pta.core.solver.Solver; 7 | import pascal.taie.analysis.pta.plugin.Plugin; 8 | import pascal.taie.ir.exp.InvokeInstanceExp; 9 | import pascal.taie.ir.exp.Var; 10 | import pascal.taie.ir.stmt.AssignStmt; 11 | import pascal.taie.ir.stmt.Invoke; 12 | import pascal.taie.ir.stmt.LoadField; 13 | import pascal.taie.language.classes.JClass; 14 | import pascal.taie.language.classes.JField; 15 | 16 | import java.util.ArrayList; 17 | 
import java.util.Collection; 18 | import java.util.List; 19 | import java.util.Set; 20 | import java.util.stream.Collectors; 21 | 22 | public class DependencyInjectionHandler implements Plugin { 23 | private Solver solver; 24 | private boolean isCalled; 25 | 26 | public DependencyInjectionHandler(){ 27 | isCalled = false; 28 | } 29 | 30 | @Override 31 | public void setSolver(Solver solver) { 32 | this.solver = solver; 33 | } 34 | 35 | // @Override 36 | // public void onPhaseFinish() { 37 | // if(isCalled){ 38 | // return; 39 | // } 40 | // isCalled = true; 41 | // 42 | // List injectedFields = new ArrayList<>(); 43 | // World.get().getClassHierarchy().allClasses() 44 | // .map(JClass::getDeclaredFields) 45 | // .flatMap(Collection::stream) 46 | // .forEach(field -> { 47 | // boolean isInjectedField = field.hasAnnotation("javax.annotation.Resource") || 48 | // field.hasAnnotation("org.springframework.beans.factory.annotation.Autowired") || 49 | // field.hasAnnotation("javax.inject.Inject"); 50 | // if(isInjectedField){ 51 | // injectedFields.add(field); 52 | // } 53 | // }); 54 | // 55 | // List implementationClasses = new ArrayList<>(); 56 | // implementationClasses.addAll( 57 | // World.get().getClassHierarchy().allClasses() 58 | // .filter(cls -> cls.hasAnnotation("org.springframework.stereotype.Service") || 59 | // cls.hasAnnotation("org.springframework.stereotype.Component")).collect(Collectors.toSet()) 60 | // ); 61 | // 62 | // injectedFields.stream().forEach(field -> { 63 | // JClass jClass = field.getDeclaringClass(); 64 | // 65 | // Collection subClasses = World.get().getClassHierarchy().getAllSubclassesOf( 66 | // World.get().getClassHierarchy().getClass(field.getType().getName()) 67 | // ); 68 | // List implementors = new ArrayList<>(subClasses); 69 | // implementors.retainAll(implementationClasses); 70 | // System.out.printf("%s %s\n", field, implementors); 71 | // 72 | // Set csMethodSet = solver.getCallGraph().reachableMethods() 73 | // 
.filter(csMethod -> csMethod.getMethod().getDeclaringClass().equals(jClass)) 74 | // .collect(Collectors.toSet()); 75 | // csMethodSet.forEach( 76 | // csMethod -> { 77 | // List vars = csMethod.getMethod().getIR().getStmts().stream() 78 | // .filter(stmt -> stmt instanceof LoadField loadField && 79 | // loadField.getFieldAccess().getFieldRef().resolve().equals(field)) 80 | // .map(stmt -> (LoadField) stmt) 81 | // .map(AssignStmt::getLValue) 82 | // .toList(); 83 | // implementors.forEach( 84 | // implementor -> { 85 | // vars.forEach( 86 | // var -> { 87 | // solver.addPointsTo(solver.getCSManager().getCSVar(csMethod.getContext(), var), 88 | // solver.getHeapModel().getMockObj(() -> "DEPENDENCY_INJECTION", implementor.getName(), implementor.getType())); 89 | // } 90 | // ); 91 | // } 92 | // ); 93 | // } 94 | // ); 95 | // }); 96 | // } 97 | 98 | @Override 99 | public void onPhaseFinish() { 100 | if(isCalled){ 101 | return; 102 | } 103 | isCalled = true; 104 | solver.getCallGraph().reachableMethods().forEach( 105 | csMethod -> { 106 | if (csMethod.getMethod().getDeclaringClass().getName().matches("^(java\\.|sun\\.|javax\\.|com\\.sun\\.).+$")){ 107 | return; 108 | } 109 | csMethod.getMethod().getIR().getStmts().forEach( 110 | stmt -> { 111 | if(stmt instanceof Invoke invoke && 112 | (invoke.isVirtual() || invoke.isInterface()) && 113 | invoke.getRValue() instanceof InvokeInstanceExp invokeInstanceExp){ 114 | Var var = invokeInstanceExp.getBase(); 115 | Context context = csMethod.getContext(); 116 | if(solver.getCSManager().getCSVar(context, var).getPointsToSet() != null && 117 | !solver.getCSManager().getCSVar(context, var).getPointsToSet().isEmpty()) { 118 | return; 119 | } 120 | JClass jClass = World.get().getClassHierarchy().getClass(var.getType().getName()); 121 | Collection implementors = new ArrayList<>(); 122 | if(invoke.isInterface()){ 123 | implementors.addAll(World.get().getClassHierarchy().getDirectImplementorsOf(jClass)); 124 | }else{ 125 | 
implementors.add(jClass); 126 | implementors.addAll(World.get().getClassHierarchy().getDirectSubclassesOf(jClass)); 127 | } 128 | if(invoke.toString().contains("RequestHttp")){ 129 | System.out.printf("%s %s %s\n", var, jClass, implementors); 130 | } 131 | if(implementors.size() <= 3) { 132 | implementors.forEach( 133 | implementor -> { 134 | solver.addPointsTo(solver.getCSManager().getCSVar(csMethod.getContext(), var), 135 | solver.getHeapModel().getMockObj(() -> "DEPENDENCY_INJECTION", implementor.getName(), implementor.getType())); 136 | } 137 | ); 138 | } 139 | } 140 | }); 141 | }); 142 | } 143 | } 144 | -------------------------------------------------------------------------------- /spring-boot-2/options.yml: -------------------------------------------------------------------------------- 1 | optionsFile: null 2 | printHelp: false 3 | classPath: 4 | - ./spring-web-6.1.4.jar 5 | appClassPath: 6 | - ../../java-sec-code/target/classes 7 | mainClass: 8 | inputClasses: [] 9 | javaVersion: 8 10 | prependJVM: false 11 | allowPhantom: true 12 | worldBuilderClass: pascal.taie.frontend.soot.SootWorldBuilder 13 | outputDir: output 14 | preBuildIR: false 15 | worldCacheMode: true 16 | scope: REACHABLE 17 | nativeModel: true 18 | planFile: null 19 | analyses: 20 | # ir-dumper: ; 21 | pta: cs:ci;plugins:[pascal.taie.analysis.pta.plugin.taint.SpringBootHandler,pascal.taie.analysis.pta.plugin.taint.DependencyInjectionHandler];implicit-entries:true;distinguish-string-constants:null;reflection-inference:solar;merge-string-objects:false;merge-string-builders:false;merge-exception-objects:false;taint-config:taint-config.yml; 22 | onlyGenPlan: false 23 | keepResult: 24 | - $KEEP-ALL 25 | 26 | -------------------------------------------------------------------------------- /spring-boot-2/spring-web-6.1.4.jar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/lcark/Tai-e-demo/1a307f1782b1bc4bbdf17d97d72efea5f10153cf/spring-boot-2/spring-web-6.1.4.jar -------------------------------------------------------------------------------- /spring-boot-2/taint-config.yml: -------------------------------------------------------------------------------- 1 | sources: 2 | # - { kind: param, method: "", index: 0} 3 | - { kind: param, method: "", index: 0} 4 | sinks: 5 | ## SQLI 6 | - { vuln: "SQL Injection", level: 4, method: "", index: 0 } 7 | - { vuln: "SQL Injection", level: 4, method: "", index: 0 } 8 | - { vuln: "Server-side request forgery", level: 3, method: "", index: 0 } 9 | 10 | transfers: 11 | - { method: "", from: base, to: result } 12 | - { method: "", from: 0, to: result } 13 | - { method: "", from: base, to: result } 14 | - { method: "(char[])>", from: 0, to: base } 15 | - { method: "", from: base, to: 2 } 16 | - { method: "", from: "1[*]", to: result } 17 | - { method: "(java.lang.String)>", from: 0, to: base } 18 | - { method: "", from: 0, to: base } 19 | - { method: "", from: 0, to: result } 20 | - { method: "", from: base, to: result } 21 | - { method: "", from: base, to: result } 22 | - { method: "(java.lang.String)>", from: 0, to: base } 23 | - { method: "", from: 0, to: base } 24 | - { method: "", from: 0, to: result } 25 | - { method: "", from: base, to: result } 26 | - { method: "", from: base, to: result } 27 | 28 | call-site-mode: true 29 | 30 | -------------------------------------------------------------------------------- /spring-boot-3/AddMybatisSinkHandler.java: -------------------------------------------------------------------------------- 1 | package pascal.taie.analysis.pta.plugin.taint; 2 | 3 | import pascal.taie.World; 4 | import pascal.taie.analysis.pta.core.solver.EmptyParamProvider; 5 | import pascal.taie.analysis.pta.core.solver.EntryPoint; 6 | import pascal.taie.analysis.pta.core.solver.Solver; 7 | import pascal.taie.analysis.pta.plugin.Plugin; 8 | import 
pascal.taie.ir.exp.Var; 9 | import pascal.taie.language.annotation.Annotation; 10 | import pascal.taie.language.classes.JClass; 11 | 12 | import java.util.ArrayList; 13 | import java.util.Collection; 14 | import java.util.List; 15 | import java.util.Objects; 16 | import java.util.regex.Matcher; 17 | import java.util.regex.Pattern; 18 | 19 | public class AddMybatisSinkHandler { 20 | 21 | 22 | public static List AddMybatisSink() { 23 | List sinkList = new ArrayList<>(); 24 | 25 | List list = World.get().getClassHierarchy().applicationClasses().toList(); 26 | for (JClass jClass : list) { 27 | if (!jClass.getAnnotations().stream().filter( 28 | annotation -> annotation.getType().matches("org.apache.ibatis.annotations.Mapper") 29 | ).toList().isEmpty()) { 30 | // System.out.println(jClass); 31 | jClass.getDeclaredMethods().forEach(jMethod -> { 32 | if (!jMethod.getAnnotations().stream().filter(annotation -> annotation.getType().matches("org.apache.ibatis.annotations.Select")).toList().isEmpty()){ 33 | String valueFromAnnotation = getValueFromAnnotation(jMethod.getAnnotations()); 34 | if (valueFromAnnotation!=null){ 35 | if (valueFromAnnotation.contains("$")){ 36 | // System.out.println(jMethod); 37 | Pattern pattern = Pattern.compile("\\$\\{([^}]+)\\}"); 38 | Matcher matcher = pattern.matcher(valueFromAnnotation); 39 | 40 | while (matcher.find()) { 41 | String sink = matcher.group(1); 42 | int paramCount = jMethod.getParamCount(); 43 | for (int i = 0 ; i< paramCount;i++){ 44 | String paramValue = getValueFromAnnotation(jMethod.getParamAnnotations(i)); 45 | if (paramValue.contains(sink)){ 46 | Sink sink1 = new Sink(jMethod, new IndexRef(IndexRef.Kind.VAR, i,null)); 47 | sinkList.add(sink1); 48 | } 49 | } 50 | } 51 | } 52 | } 53 | }else { 54 | //dela with xml format 55 | } 56 | }); 57 | } 58 | 59 | } 60 | return sinkList; 61 | } 62 | public static String getValueFromAnnotation(Collection annotations) { 63 | ArrayList value = new ArrayList<>(); 64 | annotations.stream() 65 
| .filter(annotation -> annotation.getType().matches("org.apache.ibatis.annotations..*")) 66 | .forEach(annotation -> value.add(Objects.requireNonNull(annotation.getElement("value")).toString())); 67 | return value.size() == 1 ? value.get(0) : null; 68 | } 69 | } 70 | -------------------------------------------------------------------------------- /spring-boot-3/ExtractApi.java: -------------------------------------------------------------------------------- 1 | package pascal.taie.analysis.extractapi; 2 | 3 | import pascal.taie.World; 4 | import pascal.taie.analysis.ProgramAnalysis; 5 | import pascal.taie.analysis.extractapi.pojo.MethodRouter; 6 | import pascal.taie.analysis.extractapi.pojo.Router; 7 | import pascal.taie.config.AnalysisConfig; 8 | import pascal.taie.language.annotation.Annotation; 9 | 10 | import java.util.ArrayList; 11 | import java.util.Collection; 12 | import java.util.List; 13 | import java.util.Objects; 14 | import java.util.concurrent.atomic.AtomicReference; 15 | import java.util.regex.Matcher; 16 | import java.util.regex.Pattern; 17 | 18 | public class ExtractApi extends ProgramAnalysis { 19 | 20 | public static final String ID = "extractApi"; 21 | public List routers = new ArrayList<>(); 22 | public ExtractApi(AnalysisConfig config) { 23 | super(config); 24 | } 25 | 26 | @Override 27 | public Object analyze() { 28 | World.get().getClassHierarchy().applicationClasses().forEach(jClass -> { 29 | AtomicReference flag = new AtomicReference<>(false); 30 | ArrayList methodRouters = new ArrayList<>(); 31 | jClass.getDeclaredMethods().forEach(jMethod -> { 32 | //判断method是否有Mapping注解 33 | if (!jMethod.getAnnotations().stream().filter( 34 | annotation -> annotation.getType().matches("org.springframework.web.bind.annotation.\\w+Mapping") 35 | ).toList().isEmpty()) { 36 | flag.set(true); 37 | //获取method的注解内容并添加进methodRouter类 38 | MethodRouter methodRouter = new MethodRouter(jMethod.getName(), 
formatMappedPath(getPathFromAnnotation(jMethod.getAnnotations()))); 39 | methodRouters.add(methodRouter); 40 | } 41 | }); 42 | if (flag.get()) { 43 | //获得class的注解并加入router里 44 | Router router = new Router(jClass.getName(), formatMappedPath(getPathFromAnnotation(jClass.getAnnotations())),methodRouters); 45 | routers.add(router); 46 | } 47 | }); 48 | //将内容打印出来 49 | printPathFromRouters(); 50 | return null; 51 | } 52 | 53 | public String getPathFromAnnotation(Collection annotations) { 54 | ArrayList path = new ArrayList<>(); 55 | annotations.stream() 56 | .filter(annotation -> annotation.getType().matches("org.springframework.web.bind.annotation.\\w+Mapping")) 57 | .forEach(annotation -> path.add(Objects.requireNonNull(annotation.getElement("value")).toString())); 58 | return path.size() == 1 ? path.get(0) : null; 59 | } 60 | public void printPathFromRouters(){ 61 | routers.forEach(router -> { 62 | // System.out.println("class name:"+router.getClassName()); 63 | List completePathFromRouter = getCompletePathFromRouter(router); 64 | for (String path :completePathFromRouter){ 65 | System.out.println(path); 66 | } 67 | }); 68 | } 69 | public List getCompletePathFromRouter(Router router){ 70 | ArrayList routerList = new ArrayList<>(); 71 | String classPath = router.classPath(); 72 | 73 | router.methodRouters().forEach(methodRouter -> { 74 | String pathMethod = methodRouter.path(); 75 | routerList.add(classPath+pathMethod); 76 | }); 77 | return routerList; 78 | } 79 | public String formatMappedPath(String originPath){ 80 | String path=null; 81 | if (originPath==null){ 82 | return ""; 83 | } 84 | Pattern pattern = Pattern.compile("\\{\"(.*?)\"\\}"); 85 | Matcher matcher = pattern.matcher(originPath); 86 | if (matcher.find()) { 87 | path = matcher.group(1); // Extract the text between curly braces 88 | } 89 | if(path ==null){ 90 | return ""; 91 | } 92 | // /path/ => /path 93 | if (path.matches("/.*")&&path.matches(".*/")){ 94 | return path.substring(0,path.length()-1); 95 | } 
96 | // path/ => /path 97 | if (path.matches(".*/")&& !path.matches("/.*")){ 98 | return "/"+path.substring(0,path.length()-1); 99 | } 100 | // path => /path 101 | if (!path.matches("/.*")&&!path.matches(".*/")){ 102 | return "/"+path; 103 | } 104 | // /path => /path 105 | return path; 106 | } 107 | } 108 | -------------------------------------------------------------------------------- /spring-boot-3/options.yml: -------------------------------------------------------------------------------- 1 | optionsFile: null 2 | printHelp: false 3 | classPath: [] 4 | appClassPath: 5 | - ../../java-sec-code/target/classes 6 | mainClass: 7 | inputClasses: [] 8 | javaVersion: 8 9 | prependJVM: false 10 | allowPhantom: true 11 | worldBuilderClass: pascal.taie.frontend.soot.SootWorldBuilder 12 | outputDir: output 13 | preBuildIR: false 14 | worldCacheMode: true 15 | scope: REACHABLE 16 | nativeModel: true 17 | planFile: null 18 | analyses: 19 | # ir-dumper: ; 20 | pta: cs:1-obj;implicit-entries:false;taint-config:taint-config.yml; 21 | extractApi: ; 22 | # testmethodanalysis: ; 23 | # process-result: analyses:[ir-dumper]; 24 | onlyGenPlan: false 25 | keepResult: 26 | - $KEEP-ALL 27 | -------------------------------------------------------------------------------- /spring-boot-3/pojo/MethodRouter.java: -------------------------------------------------------------------------------- 1 | package pascal.taie.analysis.extractapi.pojo; 2 | 3 | import java.util.HashMap; 4 | import java.util.LinkedHashMap; 5 | 6 | public record MethodRouter(String methodName,String path) { 7 | 8 | 9 | } 10 | -------------------------------------------------------------------------------- /spring-boot-3/pojo/Router.java: -------------------------------------------------------------------------------- 1 | package pascal.taie.analysis.extractapi.pojo; 2 | 3 | import java.util.List; 4 | 5 | public record Router(String className,String classPath,List methodRouters){ 6 | 7 | @Override 8 | public String 
toString() { 9 | return "Router{" + 10 | "className='" + className + '\'' + 11 | ", classPath='" + classPath + '\'' + 12 | ", methodRouters=" + methodRouters + 13 | '}'; 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /spring-boot-3/taint-config.yml: -------------------------------------------------------------------------------- 1 | sources: 2 | - { kind: param, method: "", index: 0} 3 | - { kind: param, method: "", index: 0} 4 | - {kind: param, method: "",index: 0} 5 | - {kind: param, method: "",index: 0} 6 | sinks: 7 | ## SQLI 8 | - { vuln: "SQL Injection", level: 4, method: "", index: 0 } 9 | - { vuln: "SQL Injection", level: 4, method: "", index: 0 } 10 | - { vuln: "SQL Injection", level: 4, method: "", index: 0 } 11 | - { vuln: "SQL Injection", level: 4, method: "", index: 0 } 12 | transfers: 13 | - { method: "", from: base, to: result } 14 | - { method: "", from: 0, to: result } 15 | - { method: "", from: base, to: result } 16 | - { method: "(char[])>", from: 0, to: base } 17 | - { method: "", from: base, to: 2 } 18 | - { method: "", from: "1[*]", to: result } 19 | - { method: "(java.lang.String)>", from: 0, to: base } 20 | - { method: "", from: 0, to: base } 21 | - { method: "", from: 0, to: result } 22 | - { method: "", from: base, to: result } 23 | - { method: "", from: base, to: result } 24 | - { method: "(java.lang.String)>", from: 0, to: base } 25 | - { method: "", from: 0, to: base } 26 | - { method: "", from: 0, to: result } 27 | - { method: "", from: base, to: result } 28 | - { method: "", from: base, to: result } 29 | call-site-mode: true 30 | # 31 | --------------------------------------------------------------------------------