odgen's People

Contributors

song-li

odgen's Issues

generate_obj_graph() takes many hours to return

Hi,

Thanks for your amazingly useful open-source project. For the past few days, I have been trying to resolve an issue with using ODGen, but could not fix it. I would really appreciate it if you could kindly help out on this.

This JS file (link) is what I have been trying to analyze by using ODGen. Basically, my goal is to do taint-tracking for some JavaScript variables in this JS file. So, I tried to generate an object dependency graph for this JS file and then create my own rule for taint-tracking. I ran the following command to generate an object dependency graph of the JS file:

python ./odgen.py web-code.js --max-rep=1 -s -m -a -q -t os_command

However, ODGen's generate_obj_graph() function takes several hours to return. Further, another interesting issue is that if I cut down the JS file's size and create a smaller JS file (link) which contains only lines 1~18387 of the original file (about 40% of the original file size), it takes only a few seconds to complete the whole execution of the ODGen analysis.

I wonder if you could please take a look at this issue to figure out why the generate_obj_graph() function is taking too long to complete and, much more importantly, how to make this function return much faster (losing analysis accuracy to a certain degree is OK, as long as the analysis becomes practically faster).

I really appreciate your kind help in advance.

error

I was unable to run the code. I got this error:

# python3 ./odgen_test.py
Traceback (most recent call last):
  File "./odgen_test.py", line 3, in <module>
    from src.core.opgen import OPGen
  File "/home/ODGen/src/core/opgen.py", line 8, in <module>
    from ..plugins.internal.setup_env import setup_opg
  File "/home/ODGen/src/plugins/internal/setup_env.py", line 1, in <module>
    from . import modeled_js_builtins
  File "/home/ODGen/src/plugins/internal/modeled_js_builtins.py", line 1768, in <module>
    def convert_to_python_re(code) -> Tuple[re.Pattern, bool, bool]:

I can add "from Typing import re" to modeled_js_builtins.py, but then I got:

ERROR: test_pp (__main__.BasicTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "./odgen_test.py", line 82, in test_pp
    self.opgen.test_module(file_loc, vul_type='proto_pollution')
  File "/home/ODGen/src/core/opgen.py", line 137, in test_module
    test_res = start_from_func(G, module_path, vul_type=vul_type)
  File "/home/ODGen/src/core/opgen.py", line 345, in start_from_func
    parse_string(G, js_call_templete)
  File "/home/ODGen/src/core/helpers.py", line 134, in parse_string
    input=source, print_func=loggers.main_logger.info)
  File "/home/ODGen/src/core/esprima.py", line 14, in esprima_parse
    stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
TypeError: __init__() got an unexpected keyword argument 'text'

======================================================================
FAIL: test_ipt (__main__.BasicTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "./odgen_test.py", line 73, in test_ipt
    assert len(self.opgen.graph.detection_res['ipt']) != 0
AssertionError

======================================================================
FAIL: test_os_command (__main__.BasicTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "./odgen_test.py", line 63, in test_os_command
    assert len(self.opgen.graph.detection_res['os_command']) != 0
AssertionError

======================================================================
FAIL: test_sqlite (__main__.BasicTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "./odgen_test.py", line 53, in test_sqlite
    assert len(self.opgen.graph.detection_res['os_command']) != 0
AssertionError

======================================================================
FAIL: test_typescript (__main__.BasicTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "./odgen_test.py", line 43, in test_typescript
    assert len(self.opgen.graph.detection_res['os_command']) != 0
AssertionError

======================================================================
FAIL: test_typescript_path_traversal (__main__.BasicTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "./odgen_test.py", line 29, in test_typescript_path_traversal
    assert len(self.opgen.graph.detection_res['path_traversal']) != 0
AssertionError

A few technical questions about the source code

Hi,

Thanks a lot for open-sourcing such a great tool. I have looked into the source code and have a few questions. I would really appreciate it if you could answer them.

Q1.
In ODG, what is the role of the attribute "pythonfunc"? These are defined in src/plugins/internal/modeled_js_builtins.py, such as string_p_reverse(). I think these Python functions model the logic of the target JavaScript native functions. If this is so, what is the purpose of modeling them?

Q2.

I run the following command:

$ python ./odgen.py hello.js -m -a -q --export hello -t os_command

If the file "hello.js" is as follows:

function exploit(string, input, val){
  var inner = string + "123";
    var link = inner + "123";
   eval(link);
}
module.exports = {exploit};

Then I get the following successful output:

|Checker| success: [['18', '37', '44', '51']] color: green
Attack Path: 
==========================
$FilePath$/home/skyer/Desktop/ODGen-master/hello.js
Line 3	function exploit(string, input, val){
  var inner = string + "123";
    var link = inner + "123";
	eval(link);
}
$FilePath$/home/skyer/Desktop/ODGen-master/hello.js
Line 4	  var inner = string + "123";
$FilePath$/home/skyer/Desktop/ODGen-master/hello.js
Line 5	    var link = inner + "123";
$FilePath$/home/skyer/Desktop/ODGen-master/hello.js
Line 6		eval(link);

However, if the file "hello.js" is as follows (module.exports is replaced by export):

function exploit(string, input, val){
  var inner = string + "123";
    var link = inner + "123";
   eval(link);
}
module.exports = {exploit};

Then I get the following problematic output:

os_command not detected. Have you tried the "-ma" argument?
If it's a Node.js package, you can also try the '--nodejs -a' argument.

Is this because the usage of "import" and "export" is currently not supported by ODGen? If so, in order to add the support for this, which function am I supposed to modify?

Q3.

If I run the analysis on a (non-module) regular NodeJS file such as the following:

function exploit(string, input, val){
  var inner = string + "123";
    var link = inner + "123";
   eval(link);
}
exploit(1,2,3);

What should be the command?

Tracking data flows for objects

Hi,

I have a question about ODGen's data flow ability. If the same JS code is as follows:

function exploit(string, input, val){
  var inner = string + "123";
    var link = inner + "123";
   eval(link);
}
exploit(1,2,3);
module.exports = {
  exploit};

ODGen successfully tracks the data flow as well as the vulnerability of os_command. However, if the JS code is as follows:

function exploit(string, input, val){
  var inner = string + "123";
    var link = inner + "123";
   eval({hello: link});
}
exploit(1,2,3);
module.exports = {
  exploit};

ODGen does not track its data flow. Could you give me a clue on how to track data flows for objects (e.g., {hello: link})? Thanks.
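One way a static analysis can carry taint through an object literal such as {hello: link}, shown as an added example that is not part of the issue above and is not ODGen's code. It assumes simplified, hand-built ESTree-style nodes, hypothetical helper names (ident, lit, plus, var, call, obj, sources_of, find_flows), every function parameter as attacker-controlled, eval as the only sink, and field-insensitive tracking (an object is tainted if any property value is).

```python
# Added illustration, not ODGen code. Nodes are simplified, hand-built ESTree-style dicts.
SINKS = {"eval"}  # the sink used in the post's snippets

def ident(name): return {"type": "Identifier", "name": name}
def lit(value): return {"type": "Literal", "value": value}
def plus(left, right): return {"type": "BinaryExpression", "left": left, "right": right}
def var(name, init): return {"type": "VariableDeclarator", "id": ident(name), "init": init}
def call(fn, *args): return {"type": "CallExpression", "callee": ident(fn), "arguments": list(args)}
def obj(**props):
    return {"type": "ObjectExpression",
            "properties": [{"key": ident(k), "value": v} for k, v in props.items()]}

def sources_of(node, env):
    """Return the set of tainted parameter names that can flow into `node`."""
    kind = node["type"]
    if kind == "Identifier":
        return env.get(node["name"], set())
    if kind == "BinaryExpression":
        return sources_of(node["left"], env) | sources_of(node["right"], env)
    if kind == "ObjectExpression":
        # The object depends on each property value, so taint flows up from them.
        found = set()
        for prop in node["properties"]:
            found |= sources_of(prop["value"], env)
        return found
    return set()  # literals and unmodeled node types carry no taint

def find_flows(params, body):
    """Walk statements in order; return (sink, sorted sources) per tainted sink argument."""
    env = {p: {p} for p in params}  # assumption: every parameter is tainted
    flows = []
    for stmt in body:
        if stmt["type"] == "VariableDeclarator":
            env[stmt["id"]["name"]] = sources_of(stmt["init"], env)
        elif stmt["type"] == "CallExpression" and stmt["callee"]["name"] in SINKS:
            for arg in stmt["arguments"]:
                src = sources_of(arg, env)
                if src:
                    flows.append((stmt["callee"]["name"], sorted(src)))
    return flows

PARAMS = ["string", "input", "val"]  # parameters of exploit() in the post
PREFIX = [var("inner", plus(ident("string"), lit("123"))),
          var("link", plus(ident("inner"), lit("123")))]
DIRECT = PREFIX + [call("eval", ident("link"))]               # eval(link)
WRAPPED = PREFIX + [call("eval", obj(hello=ident("link")))]   # eval({hello: link})

if __name__ == "__main__":
    print(find_flows(PARAMS, DIRECT), find_flows(PARAMS, WRAPPED))
```

Both bodies report a flow from the parameter string into eval; removing the ObjectExpression branch makes the wrapped case return no flows, which mirrors the behaviour described in the issue.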
