song-li / odgen
ODGen is a JavaScript Static Analysis tool to detect multiple types of vulnerabilities in Node.js packages.
Hi,
Thanks for your amazingly useful open source. For the past few days, I have been trying to resolve an issue regarding using ODGen, but could not fix it. I would really appreciate it if you could kindly help out on this.
This JS file (link) is what I have been trying to analyze by using ODGen. Basically, my goal is to do taint-tracking for some JavaScript variables in this JS file. So, I tried to generate an object dependency graph for this JS file and then create my own rule for taint-tracking. I ran the following command to generate an object dependency graph of the JS file:
python ./odgen.py web-code.js --max-rep=1 -s -m -a -q -t os_command
However, ODGen's generate_obj_graph() function takes several hours to return. Further, another interesting issue is that if I cut down the JS file's size and create a smaller JS file (link) which contains only lines 1~18387 of the original file (about 40% of the original file size), it takes only a few seconds to complete the whole execution of the ODGen analysis.
I wonder if you could please take a look at this issue to figure out why the generate_obj_graph() function is taking so long to complete, and much more importantly, how to make this function return much faster (losing analysis accuracy to a certain degree is ok, as long as the analysis becomes practically faster).
I really appreciate your kind help in advance.
Hi,
In the specification PDF https://www.usenix.org/system/files/sec22summer_li-song.pdf,
Shouldn't "and then follows the scope chain using s->v" be "and then follows the scope chain using s->s"?
And in Table 3, shouldn't the "PROTOTYPELOOKUP" function be "PROTOTYPE"?
Line 675 in 029d0ee
I was unable to run the code. I got this error:
# python3 ./odgen_test.py
Traceback (most recent call last):
File "./odgen_test.py", line 3, in <module>
from src.core.opgen import OPGen
File "/home/ODGen/src/core/opgen.py", line 8, in <module>
from ..plugins.internal.setup_env import setup_opg
File "/home/ODGen/src/plugins/internal/setup_env.py", line 1, in <module>
from . import modeled_js_builtins
File "/home/ODGen/src/plugins/internal/modeled_js_builtins.py", line 1768, in <module>
def convert_to_python_re(code) -> Tuple[re.Pattern, bool, bool]:
I can add "from Typing import re" to modeled_js_builtins.py, but then I got
ERROR: test_pp (__main__.BasicTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "./odgen_test.py", line 82, in test_pp
self.opgen.test_module(file_loc, vul_type='proto_pollution')
File "/home/ODGen/src/core/opgen.py", line 137, in test_module
test_res = start_from_func(G, module_path, vul_type=vul_type)
File "/home/ODGen/src/core/opgen.py", line 345, in start_from_func
parse_string(G, js_call_templete)
File "/home/ODGen/src/core/helpers.py", line 134, in parse_string
input=source, print_func=loggers.main_logger.info)
File "/home/ODGen/src/core/esprima.py", line 14, in esprima_parse
stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
TypeError: __init__() got an unexpected keyword argument 'text'
======================================================================
FAIL: test_ipt (__main__.BasicTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "./odgen_test.py", line 73, in test_ipt
assert len(self.opgen.graph.detection_res['ipt']) != 0
AssertionError
======================================================================
FAIL: test_os_command (__main__.BasicTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "./odgen_test.py", line 63, in test_os_command
assert len(self.opgen.graph.detection_res['os_command']) != 0
AssertionError
======================================================================
FAIL: test_sqlite (__main__.BasicTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "./odgen_test.py", line 53, in test_sqlite
assert len(self.opgen.graph.detection_res['os_command']) != 0
AssertionError
======================================================================
FAIL: test_typescript (__main__.BasicTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "./odgen_test.py", line 43, in test_typescript
assert len(self.opgen.graph.detection_res['os_command']) != 0
AssertionError
======================================================================
FAIL: test_typescript_path_traversal (__main__.BasicTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "./odgen_test.py", line 29, in test_typescript_path_traversal
assert len(self.opgen.graph.detection_res['path_traversal']) != 0
AssertionError
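The TypeError on the 'text' keyword in the traceback above means the interpreter is older than Python 3.7, which is where subprocess.Popen(text=...) was introduced. The following is an added example, not ODGen's own code: a feature-detected wrapper that runs a stdin/stdout parser child the way esprima_parse does but falls back to universal_newlines=True on older interpreters; echo_upper is a constructed self-check that uses a Python child process in place of the Esprima parser.

```python
import inspect
import subprocess
import sys
from typing import Dict, Tuple


def popen_supports_text() -> bool:
    """Feature-detect the `text=` keyword instead of comparing version numbers.

    `text=` was added to subprocess in Python 3.7; on 3.6 and older, passing it
    raises the same TypeError seen in the traceback above.
    """
    return "text" in inspect.signature(subprocess.Popen).parameters


def text_mode_kwargs() -> Dict[str, object]:
    """Pipe setup for a parser child process that exchanges str, not bytes."""
    kwargs = {"stdin": subprocess.PIPE, "stdout": subprocess.PIPE,
              "stderr": subprocess.PIPE}
    if popen_supports_text():
        kwargs["text"] = True
    else:
        # Older name for the same behaviour; accepted on every Python 3.x.
        kwargs["universal_newlines"] = True
    return kwargs


def run_text_pipe(cmd, source: str) -> Tuple[str, str, int]:
    """Feed `source` to `cmd` on stdin and return (stdout, stderr, exit code)."""
    proc = subprocess.Popen(cmd, **text_mode_kwargs())
    out, err = proc.communicate(input=source)
    return out, err, proc.returncode


def echo_upper(source: str) -> Tuple[str, str, int]:
    """Constructed stand-in for the Esprima call (hypothetical, not ODGen's):
    a Python child that upper-cases its stdin, so the wrapper runs offline."""
    child = [sys.executable, "-c",
             "import sys; sys.stdout.write(sys.stdin.read().upper())"]
    return run_text_pipe(child, source)


if __name__ == "__main__":
    print("text= supported:", popen_supports_text())
    print(echo_upper("var x = 1;"))
```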
Hi,
Thanks a lot for open-sourcing such a great tool. I have looked into the source code and have a few questions. I would really appreciate it if you could answer them.
Q1.
In ODG, what is the role of the attribute "pythonfunc"? These are defined in src/plugins/internal/modeled_js_builtins.py, such as string_p_reverse(). I think these Python functions model the logic of the target JavaScript native functions. If this is so, what is the purpose of modeling them?
Q2.
I ran the following command:
$ python ./odgen.py hello.js -m -a -q --export hello -t os_command
If the file "hello.js" is as follows:
function exploit(string, input, val){
var inner = string + "123";
var link = inner + "123";
eval(link);
}
module.exports = {exploit};
Then I get the following successful output:
|Checker| success: [['18', '37', '44', '51']] color: green
Attack Path:
==========================
$FilePath$/home/skyer/Desktop/ODGen-master/hello.js
Line 3 function exploit(string, input, val){
var inner = string + "123";
var link = inner + "123";
eval(link);
}
$FilePath$/home/skyer/Desktop/ODGen-master/hello.js
Line 4 var inner = string + "123";
$FilePath$/home/skyer/Desktop/ODGen-master/hello.js
Line 5 var link = inner + "123";
$FilePath$/home/skyer/Desktop/ODGen-master/hello.js
Line 6 eval(link);
However, if the file "hello.js" is as follows (module.exports is replaced by export):
function exploit(string, input, val){
var inner = string + "123";
var link = inner + "123";
eval(link);
}
module.exports = {exploit};
Then I get the following problematic output:
os_command not detected. Have you tried the "-ma" argument?
If it's a Node.js package, you can also try the '--nodejs -a' argument.
Is this because the usage of "import" and "export" is currently not supported by ODGen? If so, in order to add the support for this, which function am I supposed to modify?
[???]
If I run the analysis on a (non-module) regular NodeJS file such as the following:
function exploit(string, input, val){
var inner = string + "123";
var link = inner + "123";
eval(link);
}
exploit(1,2,3);
What should be the command?
Hi,
I have a question about ODGen's data flow ability. If the same JS code is as follows:
function exploit(string, input, val){
var inner = string + "123";
var link = inner + "123";
eval(link);
}
exploit(1,2,3);
module.exports = {
exploit};
ODGen successfully tracks the data flow as well as the vulnerability of os_command. However, if the JS code is as follows:
function exploit(string, input, val){
var inner = string + "123";
var link = inner + "123";
eval({hello: link});
}
exploit(1,2,3);
module.exports = {
exploit};
ODGen does not track its data flow. Could you give me a clue on how to track data flows for objects (e.g., {hello: link} )? Thanks.
Would it be possible to add a LICENSE file to the codebase, and mark the license in GitHub project setting as well? Right now this is buried in one of the README files:
https://github.com/Song-Li/ODGen/blob/master/README_for_AE_reviewers.md#artifacts-available
Thanks