Merge pull request diffblue#441 from diffblue/feature/citeseerx_script

[SEC-435] Adds in script to download & patch CiteSeerX then run SA on it

Author: JohnDumbell

benchmarks/GENUINE/CiteSeerX.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+if [ $1 ]; then
+    SECURITY_SCANNER_HOME=$1
+fi
+
+if [ -z "$SECURITY_SCANNER_HOME" ]; then
+    echo "Need to set SECURITY_SCANNER_HOME to cmake directory"
+    exit 1
+fi
+
+SCRIPT_WORKING_DIR=$(pwd)
+REPO_DIR=$SCRIPT_WORKING_DIR/CiteSeerX
+
+# Clone repo and check out a commit which builds (head of master)
+cd $REPO_DIR
+git clone https://github.com/SeerLabs/CiteSeerX.git .
+git checkout 8a62545ffc904f2b41b4ecd30ce91900dc7790f4
+
+# There are some example 'template' files that we need to rename to build correctly
+rename 's/\.template//' conf/*.template
+
+# Apply the git patch to remove sanitization of query
+patch -p1 -f < $SCRIPT_WORKING_DIR/CiteSeerX_files/introduce_XXS_vulnerability.patch
+
+# Build
+ant
+
+# Run security-analyser
+cd $SECURITY_SCANNER_HOME
+
+python3 $SCRIPT_WORKING_DIR/../../driver/run.py \
+-C $SCRIPT_WORKING_DIR/CiteSeerXRules.json \
+-I $REPO_DIR \
+-L $REPO_DIR \
+-R $SCRIPT_WORKING_DIR/CiteSeerX.results \
+-T $SCRIPT_WORKING_DIR/CiteSeerX.tmp \
+--name CiteSeerX --verbosity 9 \
+--use-models-library \
+--timeout 10000000 \
+--entry-point edu.psu.citeseerx.web.SearchController.handleRequest \
+--do-not-use-precise-access-paths \
+--dump-html-program \
+--dump-html-summaries \
+--dump-html-statistics \
+--rebuild \

benchmarks/GENUINE/CiteSeerXRules.json

@@ -0,0 +1,126 @@
+{
+  "namespace": "com.diffblue.security",
+  "rules":
+    [
+      {
+        "class": "org.springframework.web.bind.ServletRequestUtils",
+        "method": "getStringParameter:(Ljavax/servlet/ServletRequest;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;",
+        "result": {
+          "location": "returns",
+          "taint": "Tainted string"
+        }
+      },
+      {
+        "class": "java.util.HashMap",
+        "method": "put:(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;",
+        "input": {
+          "location": "arg2",
+          "taint": "Tainted string"
+        },
+        "result": {
+          "location": "this",
+          "taint": "Tainted map"
+        }
+      },
+      {
+        "class": "java.util.HashMap",
+        "method": "get:(Ljava/lang/Object;)Ljava/lang/Object;",
+        "input": {
+          "location": "this",
+          "taint": "Tainted map"
+        },
+        "result": {
+          "location": "returns",
+          "taint": "Tainted string"
+        }
+      },
+      {
+        "class": "org.jsoup.Jsoup",
+        "method": "clean:(Ljava/lang/String;Lorg/jsoup/safety/Whitelist;)Ljava/lang/String;",
+        "sanitizes": {
+          "location": "returns",
+          "taint": "Tainted string"
+        }
+      },
+      {
+        "class": "java.lang.String",
+        "method": "replaceAll:(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;",
+        "input": {
+          "location": "this",
+          "taint": "Tainted string"
+        },
+        "result": {
+          "location": "returns",
+          "taint": "Tainted string"
+        }
+      },
+      {
+        "class": "java.lang.StringBuilder",
+        "method": "append:(Ljava/lang/String;)Ljava/lang/StringBuilder;",
+        "input": {
+          "location": "arg1",
+          "taint": "Tainted string"
+        },
+        "result": {
+          "location": "returns",
+          "taint": "Tainted string builder"
+        }
+      },
+      {
+        "class": "java.lang.StringBuilder",
+        "method": "append:(Ljava/lang/String;)Ljava/lang/StringBuilder;",
+        "input": {
+          "location": "arg1",
+          "taint": "Tainted string"
+        },
+        "result": {
+          "location": "this",
+          "taint": "Tainted string builder"
+        }
+      },  
+      {
+        "class": "java.lang.StringBuilder",
+        "method": "toString:()Ljava/lang/String;",
+        "input": {
+          "location": "this",
+          "taint": "Tainted string builder"
+        },
+        "result": {
+          "location": "returns",
+          "taint": "Tainted string"
+        }
+      }, 
+      {
+        "class": "java.lang.StringBuffer",
+        "method": "<init>:(Ljava/lang/String;)V",
+        "input": {
+          "location": "arg1",
+          "taint": "Tainted string"
+        },
+        "result": {
+          "location": "this",
+          "taint": "Tainted string buffer"
+        }
+      }, 
+      {
+        "class": "java.lang.StringBuffer",
+        "method": "toString:()Ljava/lang/String;",
+        "input": {
+          "location": "this",
+          "taint": "Tainted string buffer"
+        },
+        "result": {
+          "location": "returns",
+          "taint": "Tainted string"
+        }
+      },
+      {
+        "class": "org.springframework.web.servlet.ModelAndView",
+        "method": "<init>:(Ljava/lang/String;Ljava/util/Map;)V",
+        "sinkTarget": {
+          "location": "arg2",
+          "vulnerability": "Tainted map"
+        }
+      }
+    ]
+}

benchmarks/GENUINE/CiteSeerX_files/introduce_XXS_vulnerability.patch

@@ -0,0 +1,24 @@
+Index: CiteSeerX/src/java/edu/psu/citeseerx/web/SearchController.java
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+--- CiteSeerX/src/java/edu/psu/citeseerx/web/SearchController.java	(date 1520977748000)
++++ CiteSeerX/src/java/edu/psu/citeseerx/web/SearchController.java	(date 1528210112000)
+@@ -219,12 +219,11 @@
+         String queststr = null;
+         String quest_organic = ServletRequestUtils.getStringParameter(request,
+                         QUERY_PARAMETER, null);
+-        if (quest_organic != null) {
+-            queststr = Jsoup.clean(quest_organic, Whitelist.none());
+-             
+-        }
++//        if (quest_organic != null) {
++//            queststr = Jsoup.clean(quest_organic, Whitelist.none());
++//        }
+ 
+-        queryParameters.put(QUERY_PARAMETER, queststr);
++        queryParameters.put(QUERY_PARAMETER, quest_organic);
+         queryParameters.put(QUERY_TYPE,
+                 ServletRequestUtils.getStringParameter(request, QUERY_TYPE,
+                         DOCUMENT_QUERY));