Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
Z
Zipr Toolchain
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Wiki
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Container Registry
Model registry
Operate
Environments
Monitor
Incidents
Service Desk
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
Open Source Software
Zipr Toolchain
Commits
04135f6c
Commit
04135f6c
authored
11 years ago
by
an7s
Browse files
Options
Downloads
Patches
Plain Diff
fixed bugs in matching partial critical tokens
Former-commit-id: af7a0ad2bbc02d7c3d6d99b53ff54d2518635aa3
parent
9d6c7451
No related branches found
No related tags found
No related merge requests found
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
appfw/src/appfw.cpp
+57
-22
57 additions, 22 deletions
appfw/src/appfw.cpp
with
57 additions
and
22 deletions
appfw/src/appfw.cpp
+
57
−
22
View file @
04135f6c
...
...
@@ -518,52 +518,84 @@ int fix_violations(char* taint, int value, int start, int len)
return
count
;
}
// SELECT * FROM users WHERE userid=3
// vvvvvv---wwww-------vvvvv-------w-
// 7
//
// sig: * FROM users WH
// sig: * FROM users WHERE
// bbbb
//
//
// mark critical tokens as blessed if wholly contained in the signature
// (implement same-fragment-origin-policy)
//
int
fix_violations_sfop
(
char
*
taint
,
int
value
,
int
start
,
const
char
*
sig
)
{
int
verbose
=
getenv
(
"APPFW_VERBOSE"
)
?
TRUE
:
FALSE
;
int
count
=
0
;
int
siglen
=
strlen
(
sig
);
int
lastpos
=
start
+
siglen
-
1
;
int
beforefirstpos
=
start
-
1
;
int
i
;
char
v
;
int
beg
,
end
;
if
(
!
is_security_violation
(
taint
[
lastpos
]))
if
(
!
is_security_violation
(
taint
[
lastpos
])
&&
!
is_security_violation
(
taint
[
start
]))
{
// last character covered by fragment is not a keyword/security violation
// first & last character covered by fragment is not a
// keyword/security violation
// therefore we know we don't have any partial matches
// use the old code to mark critical tokens as blessed
return
fix_violations
(
taint
,
value
,
start
,
siglen
);
}
else
if
(
taint
[
lastpos
]
!=
taint
[
lastpos
+
1
])
else
if
(
taint
[
lastpos
]
!=
taint
[
lastpos
+
1
]
&&
beforefirstpos
>=
0
&&
taint
[
start
]
!=
taint
[
beforefirstpos
])
{
// last character covered by fragment is a security violation
// if next character is a different critical keyword, or
//
first or
last character covered by fragment is a security violation
// if
prev/
next character is a different critical keyword, or
// not event a critical keyword, then we do don't have any partial
// matches
return
fix_violations
(
taint
,
value
,
start
,
siglen
);
}
else
if
(
is_security_violation
(
taint
[
lastpos
+
1
])
&&
beforefirstpos
>=
0
&&
is_security_violation
(
taint
[
beforefirstpos
]))
{
// security violation both before and after
// e.g.: query: SELECT * FROM
// sig: ELE
return
0
;
}
// we know we have a partial match
// find the starting position of the partial match
int
start_last_keyword
=
start
;
for
(
i
=
lastpos
,
v
=
taint
[
lastpos
];
i
>=
0
;
i
--
)
end
=
lastpos
;
if
(
taint
[
lastpos
]
==
taint
[
lastpos
+
1
])
{
if
(
taint
[
i
]
!=
v
)
// partial match on last critical token
end
=
start
-
1
;
for
(
i
=
lastpos
,
v
=
taint
[
lastpos
];
i
>=
0
;
i
--
)
{
start_last_keyword
=
i
+
1
;
break
;
if
(
taint
[
i
]
!=
v
)
{
end
=
i
+
1
;
break
;
}
}
}
beg
=
start
;
if
(
beforefirstpos
>=
0
&&
taint
[
start
]
==
taint
[
beforefirstpos
])
{
// partial match on first critical token
beg
=
end
+
1
;
// set past the end on purpose
for
(
i
=
start
+
1
,
v
=
taint
[
start
];
i
<=
lastpos
;
++
i
)
{
if
(
taint
[
i
]
!=
v
)
{
beg
=
i
+
1
;
break
;
}
}
}
// only bless those critical tokens that are fully
// contained in the signature
for
(
i
=
start
;
i
<
start_last_keyword
;
i
++
)
if
(
verbose
)
fprintf
(
stderr
,
"sig[%s] orig[%d..%d] effective[%d..%d]
\n
"
,
sig
,
start
,
lastpos
,
beg
,
end
);
for
(
i
=
beg
;
i
<=
end
;
i
++
)
{
if
(
is_security_violation
(
taint
[
i
]))
{
...
...
@@ -571,6 +603,7 @@ int fix_violations_sfop(char *taint, int value, int start, const char *sig)
taint
[
i
]
=
value
;
}
}
return
count
;
}
...
...
@@ -779,8 +812,10 @@ extern "C" int appfw_establish_taint_fast2(const char *command, char *taint, int
++
next
;
int
length_signature
=
strlen
(
sig
);
pos
=
0
;
/*
if(length_signature==1 && isalpha(*sig))
continue;
*/
while
(
pos
<
commandLength
)
{
if
(((
case_sensitive
&&
strncmp
(
&
command
[
pos
],
sig
,
length_signature
)
==
0
))
||
...
...
@@ -794,7 +829,7 @@ extern "C" int appfw_establish_taint_fast2(const char *command, char *taint, int
{
if
(
verbose
)
{
fprintf
(
stderr
,
"fixed %d violations at %d
\n
"
,
fixed_violations
,
pos
);
fprintf
(
stderr
,
"fixed %d violations at %d
sig[%s]
\n
"
,
fixed_violations
,
pos
,
sig
);
fflush
(
stderr
);
}
/* move to front */
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
