Merge pull request diffblue#548 from diffblue/add_support_of_XXE_models_lib_to_Python_driver_script

owen-jones-diffblue · web-flow · commit ebf716c922fa · 2018-08-17T17:51:52.000+01:00
SEC-633: Updated Python driver script to support XXE models library.
diff --git a/driver/mkbench.py b/driver/mkbench.py
@@ -102,9 +102,22 @@ def collect_java_binaries(cmdline):
         else:
             java_libraries.classpath_jar_files.append(path)
 
+    modelled_library_directories = []
+    modelled_java_libraries = CollectedJavaBinaries()
+    for path in cmdline.modelled_libraries:
+        if os.path.isdir(path):
+            _find_java_binaries(path, modelled_java_libraries)
+            modelled_library_directories.append(path)
+        else:
+            modelled_java_libraries.classpath_jar_files.append(path)
+
     prof["num_classes"] = len(java_binaries.class_files)
-    prof["num_classpath_jar_files"] = len(java_binaries.classpath_jar_files) + len(java_libraries.classpath_jar_files)
-    prof["num_classpath_directories"] = len(library_directories)
+    prof["num_classpath_jar_files"] = (
+            len(java_binaries.classpath_jar_files) +
+            len(java_libraries.classpath_jar_files) +
+            len(modelled_java_libraries.classpath_jar_files)
+    )
+    prof["num_classpath_directories"] = len(library_directories) + len(modelled_library_directories)
 
     # First we read packages of all collected class files.
     classes_info, java_class_info_call_duration = _read_info_of_class_files(
@@ -151,7 +164,11 @@ def collect_java_binaries(cmdline):
     copied_command_line = {key.replace("_", "-"): val for key, val in vars(cmdline).items()}
 
     # Loop over all our detected entry points and create a folder for each.
-    class_paths = [p for p in java_binaries.classpath_jar_files + java_libraries.classpath_jar_files + library_directories]
+    class_paths = (modelled_java_libraries.classpath_jar_files +
+                   modelled_library_directories +
+                   java_binaries.classpath_jar_files +
+                   java_libraries.classpath_jar_files +
+                   library_directories)
     for ep_data in ep_config["entryPoints"]:
 
         method_data = ep_data["method"]
diff --git a/driver/run.py b/driver/run.py
@@ -69,11 +69,24 @@ def get_spring_framework_props():
             props["spring_framework"]["error"] = "Cannot access Spring Framework's directory " + directory
         return props
 
+    def get_javax_xxe_library_props():
+        props = {"javax_xxe_library": {
+            "paths": [
+                os.path.join(get_benchmark_library_dir(), "javax_xxe_library", "target", "javax_xxe_models.jar")
+                ],
+            "error": None
+        }}
+        for jar in props["javax_xxe_library"]["paths"]:
+            if not os.path.isfile(jar):
+                props["javax_xxe_library"]["error"] = "Cannot find '" + os.path.basename(jar) + "' in the directory " + os.path.dirname(jar)
+        return props
+
     result = {}
     result.update(get_diffblue_models_library_props())
     result.update(get_java_runtime_library())
     result.update(get_apache_tomcat_props())
     result.update(get_spring_framework_props())
+    result.update(get_javax_xxe_library_props())
     return result
 
 
@@ -92,6 +105,11 @@ def create_parser():
     parser.add_argument("-L", "--libraries", nargs='+', default=[],
                         help="A list of disk paths to libraries you want to include into class path. A path "
                              "can either be a path-name of a JAR file, or a directory.")
+    parser.add_argument("-M", "--modelled-libraries", nargs='+', default=[],
+                        help="A list of disk paths to models of libraries you want to include into class path. A path "
+                             "can either be a path-name of a JAR file, or a directory. The paths will be put to the "
+                             "classpath BEFORE JAR files of the analysed web application and also libraries passed "
+                             "via the option --libraries.")
     parser.add_argument("-E", "--entry-point", "--entry-points", nargs='+', default=[],
                         help="Allows you to specify a list of Java functions which will be considered by the analyser as an "
                              "entry point. Typically, a function of a class implementing javax.servlet.http.HttpServlet "
@@ -139,7 +157,8 @@ def create_parser():
                              "option the GOTO binary won't be produced and taint analysis is applied directly to "
                              "the loaded Java program (translated to GOTO in the memory).")
     parser.add_argument("--use-models-library", action="store_true",
-                        help="Add the Diffblue Models Library's JAR file to the classpath of the security-scanner.")
+                        help="Add the Diffblue Models Library's JAR file to the classpath of the security-scanner. "
+                             "It will be put in front of the JARs of the analysed web application.")
     parser.add_argument("--use-java-runtime-library", action="store_true",
                         help="Add the Java standard library to the classpath. First, there will be attempt to add "
                              "OpenJDK version of the library. If it is not found (e.g. not installed), then the "
@@ -148,6 +167,9 @@ def create_parser():
                         help="Add the Apache Tomcat's JAR files to the classpath of the security-scanner.")
     parser.add_argument("--use-spring-framework", action="store_true",
                         help="Add the Spring Framework's JAR files to the classpath of the security-scanner.")
+    parser.add_argument("--use-xxe-models-library", action="store_true",
+                        help="Add the Diffblue XXE Models Library's JAR file to the classpath of the security-scanner. "
+                             "It will be put in front of the JARs of the analysed web application.")
     parser.add_argument("--data-flow-insensitive-instrumentation", action="store_true",
                         help="If specified, then the tool 'security-analyser' will use the data-flow insensitive "
                              "instrumentation of the checked properties into the output GOTO programs. In that case"
@@ -402,7 +424,7 @@ def __main():
             print("ERROR: " + common_libraries["diffblue_models_library"]["error"])
             return
         else:
-            cmdline.libraries += common_libraries["diffblue_models_library"]["paths"]
+            cmdline.modelled_libraries += common_libraries["diffblue_models_library"]["paths"]
 
     if cmdline.use_java_runtime_library:
         if common_libraries["java_runtime_library"]["error"] is not None:
@@ -425,6 +447,13 @@ def __main():
         else:
             cmdline.libraries += common_libraries["spring_framework"]["paths"]
 
+    if cmdline.use_xxe_models_library:
+        if common_libraries["javax_xxe_library"]["error"] is not None:
+            print("ERROR: " + common_libraries["javax_xxe_library"]["error"])
+            return
+        else:
+            cmdline.modelled_libraries += common_libraries["javax_xxe_library"]["paths"]
+
     cmdline.config = os.path.abspath(cmdline.config)
     cmdline.input_path = os.path.abspath(cmdline.input_path)
     cmdline.results_dir = os.path.abspath(cmdline.results_dir)
