Merge pull request diffblue#304 from diffblue/enhancment/add_few_OWASP_benchmarks

SEC-15: Added 5 OWASP benchmarks.

Author: marek-trtik

regression/OWASP/BenchmarkTest00002/.gitignore

@@ -0,0 +1 @@
+target

regression/OWASP/BenchmarkTest00002/pom.xml

@@ -0,0 +1,131 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<groupId>org.owasp</groupId>
+	<artifactId>benchmark</artifactId>
+	<version>1.2</version>
+	<packaging>war</packaging>
+	<name>OWASP Benchmark Project</name>
+	<url>https://www.owasp.org/index.php/Benchmark</url>
+
+	<repositories>
+		<repository>
+			<id>jenkins-releases</id>
+			<url>http://repo.jenkins-ci.org/releases/</url>
+		</repository>
+	</repositories>
+
+	<dependencies>
+		<dependency>
+			<groupId>javax</groupId>
+			<artifactId>javaee-api</artifactId>
+			<version>7.0</version>
+			<scope>provided</scope>
+		</dependency>
+		
+		<dependency>
+			<groupId>javax.servlet</groupId>
+			<artifactId>javax.servlet-api</artifactId>
+			<version>3.1.0</version>
+			<scope>provided</scope>
+		</dependency>
+		
+		<dependency>
+			<groupId>org.owasp.esapi</groupId>
+			<artifactId>esapi</artifactId>
+			<version>2.1.0</version>
+		</dependency>
+
+	</dependencies>
+
+	<build>
+		<finalName>benchmark</finalName>
+		<extensions>
+			<extension>
+				<groupId>co.leantechniques</groupId>
+				<artifactId>maven-buildtime-extension</artifactId>
+				<version>2.0.2</version>
+			</extension>
+		</extensions>
+
+		<resources>
+			<resource>
+				<directory>${basedir}/src/main/resources</directory>
+			</resource>
+		</resources>
+		<plugins>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-compiler-plugin</artifactId>
+				<version>3.3</version>
+				<configuration>
+					<fork>true</fork>
+					<meminitial>1000m</meminitial>
+					<maxmem>2000m</maxmem>
+				</configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.codehaus.mojo</groupId>
+				<artifactId>sonar-maven-plugin</artifactId>
+				<version>2.6</version>
+				<configuration>
+					<fork>true</fork>
+					<meminitial>1024m</meminitial>
+					<maxmem>4000m</maxmem>
+					<compilerArgs>
+						<arg>-XX:MaxPermSize=4000m</arg>
+					</compilerArgs>
+				</configuration>
+			</plugin>
+			<!-- FindBugs Static Analysis -->
+			<plugin>
+				<groupId>org.codehaus.mojo</groupId>
+				<artifactId>findbugs-maven-plugin</artifactId>
+				<version>3.0.1</version>
+				<configuration>
+					<effort>Max</effort>
+					<threshold>Low</threshold>
+					<failOnError>true</failOnError>
+				</configuration>
+			</plugin>
+		</plugins>
+	</build>
+
+	<reporting>
+		<plugins>
+			<plugin>
+				<groupId>org.codehaus.mojo</groupId>
+				<artifactId>findbugs-maven-plugin</artifactId>
+				<version>3.0.1</version>
+				<configuration>
+					<argLine>-debug -maxHeap 2048 -include findbugsfilter.xml</argLine>
+				</configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-jxr-plugin</artifactId>
+				<version>2.3</version>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-pmd-plugin</artifactId>
+				<version>3.8</version>
+				<configuration>
+					<linkXref>true</linkXref>
+					<targetJdk>1.7</targetJdk>
+				</configuration>
+			</plugin>
+		</plugins>
+	</reporting>
+
+	<properties>
+		<maven.compiler.source>1.7</maven.compiler.source>
+		<maven.compiler.target>1.7</maven.compiler.target>
+		<failOnMissingWebXml>false</failOnMissingWebXml>
+		<skipTests>true</skipTests>
+		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+		<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+		<runenv>local</runenv>
+	</properties>
+</project>
+

regression/OWASP/BenchmarkTest00002/rules.json

@@ -0,0 +1,89 @@
+{
+  "namespace": "com.diffblue.security",
+  "rules":
+  [
+    {
+      "comment": "Writing tainted path to a cookie.",
+      "class": "javax.servlet.http.HttpServletRequest",
+      "method": "getRequestURI:()Ljava/lang/String;",
+      "result": {
+        "location": "return_value",
+        "taint": "Tainted string"
+      }
+    },
+    {
+      "comment": "Constructing a cookie with tainted value.",
+      "class": "javax.servlet.http.Cookie",
+      "method": "<init>:(Ljava/lang/String;Ljava/lang/String;)V",
+      "input": {
+        "location": "arg2",
+        "taint": "Tainted string"
+      },
+      "result": {
+        "location": "this",
+        "taint": "Tainted cookie"
+      }
+    },
+    {
+      "comment": "Writing tainted path to a cookie.",
+      "class": "javax.servlet.http.Cookie",
+      "method": "setPath:(Ljava/lang/String;)V",
+      "input": {
+        "location": "arg1",
+        "taint": "Tainted string"
+      },
+      "result": {
+        "location": "this",
+        "taint": "Tainted cookie"
+      }
+    },
+    {
+      "comment": "Writing tainted value to a cookie.",
+      "class": "javax.servlet.http.Cookie",
+      "method": "setValue:(Ljava/lang/String;)V",
+      "input": {
+        "location": "arg1",
+        "taint": "Tainted string"
+      },
+      "result": {
+        "location": "this",
+        "taint": "Tainted cookie"
+      }
+    },
+    {
+      "comment": "Writing tainted domain to a cookie.",
+      "class": "javax.servlet.http.Cookie",
+      "method": "setDomain:(Ljava/lang/String;)V",
+      "input": {
+        "location": "arg1",
+        "taint": "Tainted string"
+      },
+      "result": {
+        "location": "this",
+        "taint": "Tainted cookie"
+      }
+    },
+    {
+      "comment": "Writing tainted comment to a cookie.",
+      "class": "javax.servlet.http.Cookie",
+      "method": "setComment:(Ljava/lang/String;)V",
+      "input": {
+        "location": "arg1",
+        "taint": "Tainted string"
+      },
+      "result": {
+        "location": "this",
+        "taint": "Tainted cookie"
+      }
+    },
+    {
+      "comment": "Writing tainted cookie to a sink.",
+      "class": "javax.servlet.http.HttpServletResponse",
+      "method": "addCookie:(Ljavax.servlet.http.Cookie;)V",
+      "sinkTarget": {
+        "location": "arg1",
+        "vulnerability": "Tainted cookie"
+      }
+    }
+  ]
+}

regression/OWASP/BenchmarkTest00002/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java

@@ -0,0 +1,95 @@
+/**
+* OWASP Benchmark v1.2
+*
+* This file is part of the Open Web Application Security Project (OWASP)
+* Benchmark Project. For details, please see
+* <a href="https://www.owasp.org/index.php/Benchmark">https://www.owasp.org/index.php/Benchmark</a>.
+*
+* The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+* of the GNU General Public License as published by the Free Software Foundation, version 2.
+*
+* The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* @author Dave Wichers <a href="https://www.aspectsecurity.com">Aspect Security</a>
+* @created 2015
+*/
+
+package org.owasp.benchmark.testcode;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@WebServlet(value="/pathtraver-00/BenchmarkTest00002")
+public class BenchmarkTest00002 extends HttpServlet {
+	
+	private static final long serialVersionUID = 1L;
+	
+	@Override
+	public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+		javax.servlet.http.Cookie userCookie = new javax.servlet.http.Cookie("BenchmarkTest00002", "FileName");
+		userCookie.setMaxAge(60*3); //Store cookie for 3 minutes
+		userCookie.setSecure(true);
+		userCookie.setPath(request.getRequestURI());
+		response.addCookie(userCookie);
+		javax.servlet.RequestDispatcher rd = request.getRequestDispatcher("/pathtraver-00/BenchmarkTest00002.html");
+		rd.include(request, response);
+	}
+
+	@Override
+	public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+		// some code
+		response.setContentType("text/html;charset=UTF-8");
+		
+
+		javax.servlet.http.Cookie[] theCookies = request.getCookies();
+		
+		String param = "noCookieValueSupplied";
+		if (theCookies != null) {
+			for (javax.servlet.http.Cookie theCookie : theCookies) {
+				if (theCookie.getName().equals("BenchmarkTest00002")) {
+					param = java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8");
+					break;
+				}
+			}
+		}
+
+		
+		String fileName = null;
+		java.io.FileOutputStream fos = null;
+
+		try {
+			/*<@DIFFBLUE[erase]>*/
+			// fileName = org.owasp.benchmark.helpers.Utils.testfileDir + param;
+			/*</@DIFFBLUE>*/
+			/*<@DIFFBLUE[insert]>*/
+			fileName = param;
+			/*<@DIFFBLUE/>*/
+
+			fos = new java.io.FileOutputStream(fileName, false);
+	        response.getWriter().println(
+			"Now ready to write to file: " + org.owasp.esapi.ESAPI.encoder().encodeForHTML(fileName)
+);
+
+		} catch (Exception e) {
+			System.out.println("Couldn't open FileOutputStream on file: '" + fileName + "'");
+//			System.out.println("File exception caught and swallowed: " + e.getMessage());
+		} finally {
+			if (fos != null) {
+				try {
+					fos.close();
+                    fos = null;
+				} catch (Exception e) {
+					// we tried...
+				}
+			}
+		}
+	}
+	
+}

regression/OWASP/BenchmarkTest00002/test_BenchmarkTest00002.py

@@ -0,0 +1,31 @@
+import regression.end_to_end.driver as pipeline_executor
+import os
+import pytest
+import regression.utils as utils
+
+
+@pytest.mark.xfail(strict=True)
+def test_BenchmarkTest00002():
+    """
+    This (adopted) OWASP test shows a propagation of tainted data into cookies.
+    Security scanner crashes on this test. Here is the log:
+        method: java::org.apache.catalina.tribes.util.StringManager.getManager
+            could not parse signature: (Ljava/lang/Class<*>;)Lorg/apache/catalina/tribes/util/StringManager;
+            Unsupported class signature: wild card generic
+            reverting to descriptor: (Ljava/lang/Class;)Lorg/apache/catalina/tribes/util/StringManager;
+            terminate called after throwing an instance of 'std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >'
+        Aborted (core dumped)
+    """
+    with utils.working_dir(os.path.abspath(os.path.dirname(__file__))):
+        os.system("mvn package")
+    traces = pipeline_executor.run_security_analyser_pipeline(
+        os.path.join("target", "benchmark.war"),
+        "rules.json",
+        os.path.realpath(os.path.dirname(__file__)),
+        ["--use-models-library", "--use-tomcat-library"]
+    )
+    assert traces.count_traces() == 1
+    assert traces.trace_exists(
+        "java::org.owasp.benchmark.testcode.BenchmarkTest00002.doGet:(Ljavax/servlet/http/HttpServletRequest;Ljavax/servlet/http/HttpServletResponse;)V",
+        40
+    )

regression/OWASP/BenchmarkTest00013/.gitignore

@@ -0,0 +1 @@
+target