diff --git a/iast-java/src/main/java/com/iast/astbenchmark/analyser/bean/consts/CaseTypeEnum.java b/iast-java/src/main/java/com/iast/astbenchmark/analyser/bean/consts/CaseTypeEnum.java index c69e234a..0681fe57 100644 --- a/iast-java/src/main/java/com/iast/astbenchmark/analyser/bean/consts/CaseTypeEnum.java +++ b/iast-java/src/main/java/com/iast/astbenchmark/analyser/bean/consts/CaseTypeEnum.java @@ -1,16 +1,32 @@ package com.iast.astbenchmark.analyser.bean.consts; +import org.apache.commons.lang.StringUtils; + public enum CaseTypeEnum { - T001("污点对象完整度能力检测"), - T002("污点链路完整度能力检测"), - T003("异步跟踪能力检测"), - T004("跨进程跟踪能力检测"), - T005("污点准确度能力检测"); + T001("IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度","污点对象完整度能力检测"), + T002("IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度","污点链路完整度能力检测"), + T003("IAST引擎能力评估体系(JAVA)->完整度->异步跟踪能力","异步跟踪能力检测"), + T004("IAST引擎能力评估体系(JAVA)->完整度->跨进城跟踪能力","跨进程跟踪能力检测"), + T005("IAST引擎能力评估体系(JAVA)->准确度","污点准确度能力检测"); String desc; - CaseTypeEnum(String desc){ + + String tag; + CaseTypeEnum(String tag,String desc){ this.desc=desc; + this.tag=tag; } + public static String getDescByTag(String data) { + if(StringUtils.isEmpty(data)){ + return data; + } + for (CaseTypeEnum caseTypeEnum : values()) { + if (data.contains(caseTypeEnum.getTag())) { + return caseTypeEnum.name(); + } + } + return null; + } public String getDesc() { return desc; @@ -19,4 +35,12 @@ public String getDesc() { public void setDesc(String desc) { this.desc = desc; } + + public String getTag() { + return tag; + } + + public void setTag(String tag) { + this.tag = tag; + } } diff --git a/iast-java/src/main/java/com/iast/astbenchmark/analyser/cache/AnnotationProcessorUtil.java b/iast-java/src/main/java/com/iast/astbenchmark/analyser/cache/AnnotationProcessorUtil.java new file mode 100644 index 00000000..bcac029a --- /dev/null +++ b/iast-java/src/main/java/com/iast/astbenchmark/analyser/cache/AnnotationProcessorUtil.java @@ -0,0 +1,127 @@ +package com.iast.astbenchmark.analyser.cache; + +import com.google.common.collect.Lists; +import com.iast.astbenchmark.analyser.bean.CaseTargetBean; +import com.iast.astbenchmark.analyser.bean.CaseTargetItemBean; +import com.iast.astbenchmark.analyser.bean.consts.CaseTypeEnum; +import org.springframework.util.CollectionUtils; + +import java.lang.reflect.Method; +import java.util.List; + +public final class AnnotationProcessorUtil { + + /** + * 处理类注解 + * test method + * @param clazz 待处理的类 + */ + public static void processAnnotations(Class clazz) { + // 处理方法注解 + + // 处理方法注解 + for (Method method : clazz.getDeclaredMethods()) { + // 判断方法是否有@CaseTag注解 + if (method.isAnnotationPresent(CaseTag.class)) { + // 获取方法上的@CaseTag注解 + CaseTag methodAnnotation = method.getAnnotation(CaseTag.class); + // 打印方法名和注解值 + System.out.println("Method " + method.getName() + " has annotation with value: " + methodAnnotation.caseNo()); + } + } + } + + + /** + * 构建用例映射 + * + * @param clazz 待处理的类 + */ + public static void buildCaseMap(Class clazz) { + // 遍历类中的所有方法 + for (Method method : clazz.getDeclaredMethods()) { + // 判断方法是否被@CaseTag注解标记 + if (method.isAnnotationPresent(CaseTag.class)) { + // 获取@CaseTag注解实例 + CaseTag methodAnnotation = method.getAnnotation(CaseTag.class); + // 获取用例编号 + String caseNo = methodAnnotation.caseNo(); + // 判断用例编号对应的目标对象是否已存在 + if (!CasetargeCache.targetMap.containsKey(caseNo)) { + // 如果不存在,则构建新的目标对象并添加到缓存中 + CasetargeCache.targetMap.put(caseNo, buildTargetBean(methodAnnotation)); + } else { + // 如果已存在,则修改目标对象并替换缓存中的对象 + CaseTargetBean modifyBean = modifyTargetBean(CasetargeCache.targetMap.get(caseNo), methodAnnotation); + CasetargeCache.targetMap.replace(caseNo, modifyBean); + } + } + } + } + + /** + * 构建用例目标 bean + * + * @param methodAnnotation 方法注解 + * @return 用例目标 bean + */ + private static CaseTargetBean buildTargetBean(CaseTag methodAnnotation) { + String caseNo = methodAnnotation.caseNo(); + String caseFullName = methodAnnotation.caseFullName(); + String thisMethodTag = methodAnnotation.thisMethodTag(); + boolean result = methodAnnotation.thisMethodExpectedResult(); + CaseTargetBean targetBean = new CaseTargetBean(); + targetBean.setCaseNo(caseNo); + CaseTargetItemBean itemBean = new CaseTargetItemBean(); + itemBean.setTag(thisMethodTag); + itemBean.setResult(result); + List item = Lists.newArrayList(); + item.add(itemBean); + targetBean.setCaseDesc(caseFullName); + targetBean.setData(item); + targetBean.setCaseType(CaseTypeEnum.getDescByTag(caseFullName)); + targetBean.setWeight(1); + return targetBean; + } + + /** + * 修改用例目标 bean + * + * @param caseTargetBean 原始的用例目标 bean + * @param methodAnnotation 方法注解,包含用例标签和预期结果 + * @return 修改后的用例目标 bean,包含新的用例标签和预期结果 + */ + private static CaseTargetBean modifyTargetBean(CaseTargetBean caseTargetBean, CaseTag methodAnnotation) { + // 获取方法注解中的用例标签和预期结果 + String thisMethodTag = methodAnnotation.thisMethodTag(); + boolean result = methodAnnotation.thisMethodExpectedResult(); + // 创建一个新的用例目标项 bean,设置用例标签和预期结果 + CaseTargetItemBean itemBean = new CaseTargetItemBean(); + itemBean.setTag(thisMethodTag); + itemBean.setResult(result); + // 获取原始用例目标 bean 中的用例目标项列表 + List itemBeans = caseTargetBean.getData(); + // 如果用例目标项列表为空,则直接将新的用例目标项添加到列表中 + if (CollectionUtils.isEmpty(itemBeans)) { + itemBeans.add(itemBean); + } else { + // 如果用例目标项列表不为空,则判断是否已存在相同标签的用例目标项 + boolean itemExist = false; + for (CaseTargetItemBean item : itemBeans) { + if (item.getTag().equalsIgnoreCase(thisMethodTag)) { + itemExist = true; + break; + } + } + // 如果不存在相同标签的用例目标项,则将新的用例目标项添加到列表中 + if (!itemExist) { + itemBeans.add(itemBean); + } + } + + // 将更新后的用例目标项列表设置回用例目标 bean 中,并返回修改后的用例目标 bean + caseTargetBean.setData(itemBeans); + return caseTargetBean; + } + +} diff --git a/iast-java/src/main/java/com/iast/astbenchmark/analyser/cache/CaseStuctCache.java b/iast-java/src/main/java/com/iast/astbenchmark/analyser/cache/CaseStuctCache.java index 2a097bf6..7fd31867 100644 --- a/iast-java/src/main/java/com/iast/astbenchmark/analyser/cache/CaseStuctCache.java +++ b/iast-java/src/main/java/com/iast/astbenchmark/analyser/cache/CaseStuctCache.java @@ -8,12 +8,9 @@ @Slf4j public class CaseStuctCache { - private static CaseNode root; - private static Map leafData ; - static { - root = CaseNodeTreeUtil.initRoot(); - leafData=CaseNodeTreeUtil.leafMap(root); - } + protected static CaseNode root; + protected static Map leafData ; + public static CaseNode getLeafByCaseNo(String caseNo){ try { @@ -31,9 +28,9 @@ public static CaseNode getRoot(){ return root; } - public static void main(String[] args) { - for (CaseNode value : CaseStuctCache.getAllLeaf().values()) { - System.out.println(value.getFullName()); - } - } + //public static void main(String[] args) { + // for (CaseNode value : CaseStuctCache.getAllLeaf().values()) { + // System.out.println(value.getFullName()); + // } + //} } diff --git a/iast-java/src/main/java/com/iast/astbenchmark/analyser/cache/CaseTag.java b/iast-java/src/main/java/com/iast/astbenchmark/analyser/cache/CaseTag.java new file mode 100644 index 00000000..11d97651 --- /dev/null +++ b/iast-java/src/main/java/com/iast/astbenchmark/analyser/cache/CaseTag.java @@ -0,0 +1,39 @@ +package com.iast.astbenchmark.analyser.cache; + +import java.lang.annotation.ElementType; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; +import java.lang.annotation.Target; + +@Target(ElementType.METHOD) // 定义注解可以应用于方法 +@Retention(RetentionPolicy.RUNTIME) // 定义注解在运行时可用 +public @interface CaseTag { + /** + * Case编码 + * + * @return + */ + String caseNo(); + + + /** + * case 全名包括路径 + * + * @return + */ + String caseFullName(); + + /** + * 这个方法期望检出漏洞的结果,true为期待检出,false为不期待检出 + * + * @return + */ + boolean thisMethodExpectedResult(); + + /** + * 这个方法的标识,可以用于日志等检出结果中检索 + * + * @return + */ + String thisMethodTag(); +} \ No newline at end of file diff --git a/iast-java/src/main/java/com/iast/astbenchmark/analyser/cache/CasetargeCache.java b/iast-java/src/main/java/com/iast/astbenchmark/analyser/cache/CasetargeCache.java index 3d1df08e..5bcd20a6 100644 --- a/iast-java/src/main/java/com/iast/astbenchmark/analyser/cache/CasetargeCache.java +++ b/iast-java/src/main/java/com/iast/astbenchmark/analyser/cache/CasetargeCache.java @@ -1,23 +1,37 @@ package com.iast.astbenchmark.analyser.cache; -import cn.hutool.core.io.FileUtil; import cn.hutool.core.io.IoUtil; import cn.hutool.core.io.resource.ClassPathResource; import cn.hutool.json.JSONArray; import cn.hutool.json.JSONUtil; -import com.iast.astbenchmark.analyser.bean.CaseTargetBean; import com.google.common.collect.Maps; +import com.iast.astbenchmark.analyser.bean.CaseTargetBean; +import com.iast.astbenchmark.cases.AstTaintCase001; +import com.iast.astbenchmark.cases.AstTaintCase002; +import com.iast.astbenchmark.cases.AstTaintCase003; +import com.iast.astbenchmark.cases.AstTaintCase004; +import com.iast.astbenchmark.cli.tree.CaseNode; +import com.iast.astbenchmark.cli.tree.CaseNodeTreeUtil; import lombok.extern.slf4j.Slf4j; import org.springframework.stereotype.Component; import javax.annotation.PostConstruct; import java.nio.charset.Charset; +import java.util.Collections; +import java.util.HashSet; +import java.util.List; import java.util.Map; +import java.util.Set; +import java.util.stream.Collectors; + +import static com.iast.astbenchmark.analyser.cache.AnnotationProcessorUtil.buildCaseMap; +import static com.iast.astbenchmark.analyser.cache.CaseStuctCache.leafData; @Component @Slf4j public class CasetargeCache { - private static Map targetMap = Maps.newLinkedHashMap(); + protected static Map targetMap = Maps.newLinkedHashMap(); + protected static Map targetMap2 = Maps.newLinkedHashMap(); @PostConstruct void init() { @@ -28,33 +42,65 @@ public static void initNow() { new CasetargeCache().goinit(); } + //public static void main(String[] args) { + // /** + // * json转注解,两边结果对比 + // * root2,json解析的root + // * leafData2,json解析的所有叶子节点数据 + // */ + // CaseNode root2; + // Map leafData2 ; + // new CasetargeCache().initNow(); + // String target = IoUtil.read(new ClassPathResource("config/case_target_list.json").getStream(), Charset.forName("utf-8")); + // JSONArray array = JSONUtil.parseArray(target); + // array.stream().forEach(e -> { + // CaseTargetBean bean = JSONUtil.toBean(JSONUtil.toJsonStr(e), CaseTargetBean.class); + // targetMap2.put(bean.getCaseNo(), bean); + // }); + // root2=CaseNodeTreeUtil.initRoot2(); + // leafData2=CaseNodeTreeUtil.leafMap(root2); + // System.out.println(leafData.size()+"/"+ leafData2.size()); + // Set keySet= new HashSet<>(); + // keySet.addAll(leafData2.keySet()) ; + // keySet.addAll(leafData.keySet()); + // for (String key : keySet) { + // if(!leafData.containsKey(key)){ + // System.out.println("注解缺少"+key); + // continue; + // } + // if(!leafData2.containsKey(key)){ + // System.out.println("json缺少:"+key); + // continue; + // } + // CaseTargetBean leaf =leafData.get(key).getLeafData(); + // List targetData=leaf.getData().stream().map(e->e.getTag()+e.getResult()).collect(Collectors.toList()); + // CaseTargetBean leaf2 =leafData2.get(key).getLeafData(); + // List targetData2=leaf2.getData().stream().map(e->e.getTag()+e.getResult()).collect(Collectors.toList()); + // Collections.sort(targetData); + // Collections.sort(targetData2); + // if(!targetData.equals(targetData2)){ + // System.out.println(key); + // } + // + // } + // + //} private void goinit() { if (targetMap.isEmpty()) { try { - String target = IoUtil.read(new ClassPathResource("config/case_target_list.json").getStream(),Charset.forName("utf-8")); - //JSONArray array = JSONUtil.readJSONArray(FileUtil.file("case_target_list.json"), Charset.forName("utf-8")); - JSONArray array =JSONUtil.parseArray(target); - array.stream().forEach(e -> { - CaseTargetBean bean = JSONUtil.toBean(JSONUtil.toJsonStr(e), CaseTargetBean.class); - targetMap.put(bean.getCaseNo(), bean); - }); - + buildCaseMap(AstTaintCase001.class); + buildCaseMap(AstTaintCase002.class); + buildCaseMap(AstTaintCase003.class); + buildCaseMap(AstTaintCase004.class); + CaseStuctCache.root = CaseNodeTreeUtil.initRoot(); + CaseStuctCache.leafData=CaseNodeTreeUtil.leafMap(CaseStuctCache.root); } catch (Exception e) { log.error("ERROR : Case加载失败,请检查您的case_target_list.json:{}", e); } } } - //public static void main(String[] args) { - // String target = IoUtil.read(new ClassPathResource("config/case_target_list.json").getStream(),Charset.forName("utf-8")); - // //JSONArray array = JSONUtil.readJSONArray(FileUtil.file("case_target_list.json"), Charset.forName("utf-8")); - // JSONArray array =JSONUtil.parseArray(target); - // array.stream().forEach(e -> { - // CaseTargetBean bean = JSONUtil.toBean(JSONUtil.toJsonStr(e), CaseTargetBean.class); - // targetMap.put(bean.getCaseNo(), bean); - // }); - // targetMap.forEach((k,v)-> System.out.println(k+"____"+v.getCaseDesc())); - //} + public static CaseTargetBean getTargetByCaseKey(String key) { return targetMap.get(key); diff --git a/iast-java/src/main/java/com/iast/astbenchmark/analyser/util/MermindUtil.java b/iast-java/src/main/java/com/iast/astbenchmark/analyser/util/MermindUtil.java new file mode 100644 index 00000000..fe0e4076 --- /dev/null +++ b/iast-java/src/main/java/com/iast/astbenchmark/analyser/util/MermindUtil.java @@ -0,0 +1,82 @@ +package com.iast.astbenchmark.analyser.util; + +import com.iast.astbenchmark.analyser.cache.CaseStuctCache; +import com.iast.astbenchmark.analyser.cache.CasetargeCache; +import com.iast.astbenchmark.cli.tree.CaseNode; +import org.springframework.util.CollectionUtils; +import org.springframework.util.StringUtils; + +import java.util.List; + +public class MermindUtil { + private static String mermindScript = ""; + + public static void main(String[] args) { + CasetargeCache.initNow(); + mermindScript = "```mermind\n"; + getGraph(CaseStuctCache.getRoot()); + //mermind graph脑图 + System.out.println(mermindScript); + //mermind 脑图,这个版本格式有点乱 + //printTree(CaseStuctCache.getRoot(),CaseStuctCache.getRoot().getDeepth()); + //FileUtil.writeUtf8String("JAVA.md", mermindScript); + } + public static void printTree(CaseNode node, int depth) { + if (node == null) { + return; + } + // 创建缩进字符串,每个深度级别增加一个空格 + String indent = new String(new char[depth]).replace('\0', ' '); + + String name =node.getName().replaceAll("\\)","").replace("(","") + .replaceAll("]","").replace("[",""); + // 打印当前节点的名称与缩进 + System.out.println(indent + "\""+name+ "\""); + + // 递归打印每个子节点,深度加一 + List children = node.getChildren(); + if (children != null) { + for (CaseNode child : children) { + printTree(child, depth + 1); + } + } + } + + public static String printMermindScript() { + mermindScript = "```mermind\n"; + getGraph(CaseStuctCache.getRoot()); + return mermindScript; + } + + private static void getGraph(CaseNode node) { + if (node.getDeepth() == 1) { + if (!mermindScript.contains("graph LR")) { + mermindScript = mermindScript + "graph LR\n"; + } + for (CaseNode child : node.getChildren()) { + getGraph(child); + } + return; + } + if (node.getDeepth() > 1) { + String parent = node.getParent().getId() + "[\"" + node.getParent().getName() + "\"]"; + String current = node.getId() + "[\"" + node.getName() + "\"]"; + + if (!StringUtils.isEmpty(node.getName())) { + if (node.getLeafData() != null) { + current = node.getLeafData().getCaseNo() + "[\"" + node.getName() + "\"]"; + } + mermindScript = mermindScript + parent + "==>" + current + "\n"; + } + if (!CollectionUtils.isEmpty(node.getChildren())) { + for (CaseNode child : node.getChildren()) { + getGraph(child); + } + } + + + + } + + } +} diff --git a/iast-java/src/main/java/com/iast/astbenchmark/cases/AstTaintCase001.java b/iast-java/src/main/java/com/iast/astbenchmark/cases/AstTaintCase001.java index 184b7567..344efff5 100644 --- a/iast-java/src/main/java/com/iast/astbenchmark/cases/AstTaintCase001.java +++ b/iast-java/src/main/java/com/iast/astbenchmark/cases/AstTaintCase001.java @@ -3,19 +3,16 @@ import com.iast.astbenchmark.cases.bean.SourceTestObject; import com.iast.astbenchmark.cases.bean.SourceTestWith100Filedsbject; import com.iast.astbenchmark.cases.bean.SourceTestWith10Filedsbject; -import com.iast.astbenchmark.cases.bean.SourceTestWithMPObject; import com.iast.astbenchmark.cases.bean.SoureWithQueueBean; import com.iast.astbenchmark.cases.bean.SoureWithSetBean; import com.iast.astbenchmark.cases.bean.layers.LayerBaseBean2; -import com.iast.astbenchmark.cases.bean.layers.LayerBaseBean3; import com.iast.astbenchmark.cases.bean.layers.LayerBaseBean9; +import com.iast.astbenchmark.analyser.cache.CaseTag; import org.springframework.util.CollectionUtils; import org.springframework.web.bind.annotation.*; import java.io.IOException; -import java.io.PrintWriter; import java.util.*; -import java.util.concurrent.LinkedBlockingQueue; import static com.iast.astbenchmark.common.CommonConsts.ERROR_STR; import static com.iast.astbenchmark.common.CommonConsts.SUCCESS_STR; @@ -31,6 +28,12 @@ public class AstTaintCase001 { * @return */ @PostMapping ("case00901") + @CaseTag( + caseNo = "aTaintCase00901", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->字符串对象->String", + thisMethodTag = "aTaintCase00901", + thisMethodExpectedResult = true + ) public Map aTaintCase00901(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -51,6 +54,12 @@ public Map aTaintCase00901(@RequestParam String cmd) { * @return */ @GetMapping("case001") + @CaseTag( + caseNo = "aTaintCase001", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->基本数据类型及其封装类型->int", + thisMethodTag = "aTaintCase001", + thisMethodExpectedResult = true + ) public Map aTaintCase001(@RequestParam int cmd) { Map modelMap = new HashMap<>(); try { @@ -70,6 +79,12 @@ public Map aTaintCase001(@RequestParam int cmd) { * @return */ @GetMapping("case002") + @CaseTag( + caseNo ="aTaintCase002", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->基本数据类型及其封装类型->char", + thisMethodTag = "aTaintCase002", + thisMethodExpectedResult = true + ) public Map aTaintCase002(@RequestParam char cmd) { Map modelMap = new HashMap<>(); try { @@ -88,6 +103,12 @@ public Map aTaintCase002(@RequestParam char cmd) { * @return */ @GetMapping("case003") + @CaseTag( + caseNo ="aTaintCase003", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->基本数据类型及其封装类型->byte", + thisMethodTag = "aTaintCase003", + thisMethodExpectedResult = true + ) public Map aTaintCase003(@RequestParam byte cmd) { Map modelMap = new HashMap<>(); try { @@ -106,6 +127,12 @@ public Map aTaintCase003(@RequestParam byte cmd) { * @return */ @GetMapping("case004") + @CaseTag( + caseNo ="aTaintCase004", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->基本数据类型及其封装类型->long", + thisMethodTag = "aTaintCase004", + thisMethodExpectedResult = true + ) public Map aTaintCase004(@RequestParam long cmd) { Map modelMap = new HashMap<>(); try { @@ -119,6 +146,12 @@ public Map aTaintCase004(@RequestParam long cmd) { @PostMapping("case005") + @CaseTag( + caseNo ="aTaintCase005", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->集合(集合对象全为污点)->Map元素", + thisMethodTag = "aTaintCase005", + thisMethodExpectedResult = true + ) public Map aTaintCase005(@RequestBody Map cmd) { Map modelMap = new HashMap<>(); if (cmd == null || cmd.isEmpty()) { @@ -141,6 +174,12 @@ public Map aTaintCase005(@RequestBody Map cmd) { * @return */ @PostMapping("case006") + @CaseTag( + caseNo ="aTaintCase006", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->集合(集合对象全为污点)->List元素", + thisMethodTag = "aTaintCase006", + thisMethodExpectedResult = true + ) public Map aTaintCase006(@RequestBody List cmd) { Map modelMap = new HashMap<>(); if (cmd == null || CollectionUtils.isEmpty(cmd)) { @@ -163,6 +202,13 @@ public Map aTaintCase006(@RequestBody List cmd) { * @return */ @PostMapping("case007") + + @CaseTag( + caseNo ="aTaintCase007", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->集合(集合对象全为污点)->Queue元素", + thisMethodTag = "aTaintCase007", + thisMethodExpectedResult = true + ) public Map aTaintCase007(@RequestBody SoureWithQueueBean queueBean) { Map modelMap = new HashMap<>(); try { @@ -181,6 +227,12 @@ public Map aTaintCase007(@RequestBody SoureWithQueueBean queueBe * @return */ @PostMapping("case008") + @CaseTag( + caseNo ="aTaintCase008", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->集合(集合对象全为污点)->Set元素", + thisMethodTag = "aTaintCase008", + thisMethodExpectedResult = true + ) public Map aTaintCase008(@RequestBody SoureWithSetBean setBean) { Map modelMap = new HashMap<>(); try { @@ -201,7 +253,13 @@ public Map aTaintCase008(@RequestBody SoureWithSetBean setBean) * @return */ @PostMapping("case009") - @Deprecated + @CaseTag( + caseNo ="aTaintCase009", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->基本数据类型及其封装类型->Byte", + thisMethodTag = "aTaintCase009", + thisMethodExpectedResult = true + ) + public Map aTaintCase009(@RequestParam Byte cmd) { Map modelMap = new HashMap<>(); if (cmd == null) { @@ -225,7 +283,12 @@ public Map aTaintCase009(@RequestParam Byte cmd) { * @return */ @PostMapping("case0010") - @Deprecated + @CaseTag( + caseNo ="aTaintCase0010", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->基本数据类型及其封装类型->Integer", + thisMethodTag = "aTaintCase0010", + thisMethodExpectedResult = true + ) public Map aTaintCase0010(@RequestParam Integer cmd) { Map modelMap = new HashMap<>(); if (cmd == null) { @@ -249,7 +312,12 @@ public Map aTaintCase0010(@RequestParam Integer cmd) { * @return */ @PostMapping("case0011") - @Deprecated + @CaseTag( + caseNo ="aTaintCase0011", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->基本数据类型及其封装类型->Long", + thisMethodTag = "aTaintCase0011", + thisMethodExpectedResult = true + ) public Map aTaintCase0011(@RequestParam Long cmd) { Map modelMap = new HashMap<>(); if (cmd == null) { @@ -272,7 +340,12 @@ public Map aTaintCase0011(@RequestParam Long cmd) { * @return */ @PostMapping("case0012") - @Deprecated + @CaseTag( + caseNo ="aTaintCase0012", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->基本数据类型及其封装类型->Character", + thisMethodTag = "aTaintCase0012", + thisMethodExpectedResult = true + ) public Map aTaintCase0012(@RequestParam Character cmd) { Map modelMap = new HashMap<>(); if (cmd == null) { @@ -295,6 +368,12 @@ public Map aTaintCase0012(@RequestParam Character cmd) { * @return */ @PostMapping("case0013") + @CaseTag( + caseNo ="aTaintCase0013", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->数组(数组对象全为污点)->数组对象String[]", + thisMethodTag = "aTaintCase0013", + thisMethodExpectedResult = true + ) public Map aTaintCase0013(@RequestBody String[] cmd) { Map modelMap = new HashMap<>(); if (cmd == null || cmd.length < 1) { @@ -317,6 +396,12 @@ public Map aTaintCase0013(@RequestBody String[] cmd) { * @return */ @PostMapping("case0014") + @CaseTag( + caseNo ="aTaintCase0014", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->数组(数组对象全为污点)->数组对象char[]", + thisMethodTag = "aTaintCase0014", + thisMethodExpectedResult = true + ) public Map aTaintCase0014(@RequestParam String cmd) { Map modelMap = new HashMap<>(); // if (cmd == null || cmd.length < 1) { @@ -343,6 +428,13 @@ public Map aTaintCase0014(@RequestParam String cmd) { * @return */ @PostMapping("case0015") + @CaseTag( + caseNo ="aTaintCase0015", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->数组(数组对象全为污点)->数组对象byte[]", + thisMethodTag = "aTaintCase0015", + thisMethodExpectedResult = true + ) + public Map aTaintCase0015(@RequestBody byte[] cmd) { Map modelMap = new HashMap<>(); if (cmd == null || cmd.length < 1) { @@ -365,6 +457,12 @@ public Map aTaintCase0015(@RequestBody byte[] cmd) { * @return */ @PostMapping("case0016") + @CaseTag( + caseNo ="aTaintCase0016", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->数组(数组对象全为污点)->单维数组对象的元素", + thisMethodTag = "aTaintCase0016", + thisMethodExpectedResult = true + ) public Map aTaintCase0016(@RequestBody SourceTestObject[] cmd) { Map modelMap = new HashMap<>(); if (cmd == null || cmd.length < 1) { @@ -380,6 +478,13 @@ public Map aTaintCase0016(@RequestBody SourceTestObject[] cmd) { return modelMap; } @PostMapping("case00926") + @CaseTag( + caseNo ="aTaintCase00926", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->数组(数组对象全为污点)->多维数组对象的元素", + thisMethodTag = "aTaintCase00926", + thisMethodExpectedResult = true + ) + public Map aTaintCase00926(@RequestBody SourceTestObject[][] cmd) { Map modelMap = new HashMap<>(); if (cmd == null || cmd.length < 1) { @@ -398,12 +503,18 @@ public Map aTaintCase00926(@RequestBody SourceTestObject[][] cmd /** - * 对象字段->单层字段(10)@aTaintCase00921 + * 对象字段->单层字段->10@aTaintCase00921 * * @param cmd * @return */ @PostMapping("case00921") + @CaseTag( + caseNo ="aTaintCase00921", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->自定义对象->对象字段->单层字段->10", + thisMethodTag = "aTaintCase00921", + thisMethodExpectedResult = true + ) public Map aTaintCase00921(@RequestBody SourceTestWith10Filedsbject cmd) { Map modelMap = new HashMap<>(); try { @@ -416,6 +527,12 @@ public Map aTaintCase00921(@RequestBody SourceTestWith10Filedsbj } @PostMapping("case00921/2") + @CaseTag( + caseNo ="aTaintCase00921", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->自定义对象->对象字段->单层字段->10", + thisMethodTag = "aTaintCase00921_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00921_2(@RequestBody SourceTestWith10Filedsbject cmd) { Map modelMap = new HashMap<>(); try { @@ -428,6 +545,12 @@ public Map aTaintCase00921_2(@RequestBody SourceTestWith10Fileds } @PostMapping("case00921/3") + @CaseTag( + caseNo ="aTaintCase00921", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->自定义对象->对象字段->单层字段->10", + thisMethodTag = "aTaintCase00921_3", + thisMethodExpectedResult = true + ) public Map aTaintCase00921_3(@RequestBody SourceTestWith10Filedsbject cmd) { Map modelMap = new HashMap<>(); try { @@ -440,12 +563,19 @@ public Map aTaintCase00921_3(@RequestBody SourceTestWith10Fileds } /** - * 对象字段->单层字段(100)@aTaintCase00921 + * 对象字段->单层字段->100@aTaintCase00921 * * @param cmd * @return */ @PostMapping("case00922") + @CaseTag( + caseNo ="aTaintCase00922", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->自定义对象->对象字段->单层字段->100", + thisMethodTag = "aTaintCase00922", + thisMethodExpectedResult = true + ) + public Map aTaintCase00922(@RequestBody SourceTestWith100Filedsbject cmd) { Map modelMap = new HashMap<>(); try { @@ -458,6 +588,12 @@ public Map aTaintCase00922(@RequestBody SourceTestWith100Filedsb } @PostMapping("case00922/2") + @CaseTag( + caseNo ="aTaintCase00922", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->自定义对象->对象字段->单层字段->100", + thisMethodTag = "aTaintCase00922_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00922_2(@RequestBody SourceTestWith100Filedsbject cmd) { Map modelMap = new HashMap<>(); try { @@ -470,6 +606,12 @@ public Map aTaintCase00922_2(@RequestBody SourceTestWith100Filed } @PostMapping("case00922/3") + @CaseTag( + caseNo ="aTaintCase00922", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->自定义对象->对象字段->单层字段->100", + thisMethodTag = "aTaintCase00922_3", + thisMethodExpectedResult = true + ) public Map aTaintCase00922_3(@RequestBody SourceTestWith100Filedsbject cmd) { Map modelMap = new HashMap<>(); try { @@ -481,6 +623,12 @@ public Map aTaintCase00922_3(@RequestBody SourceTestWith100Filed return modelMap; } @PostMapping("case00923") + @CaseTag( + caseNo ="aTaintCase00923", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->自定义对象->对象字段->多层字段->3层", + thisMethodTag = "aTaintCase00923", + thisMethodExpectedResult = true + ) public Map aTaintCase00923(@RequestBody LayerBaseBean2 cmd) { Map modelMap = new HashMap<>(); try { @@ -492,6 +640,12 @@ public Map aTaintCase00923(@RequestBody LayerBaseBean2 cmd) { return modelMap; } @PostMapping("case00923/2") + @CaseTag( + caseNo ="aTaintCase00923", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->自定义对象->对象字段->多层字段->3层", + thisMethodTag = "aTaintCase00923_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00923_2(@RequestBody LayerBaseBean2 cmd) { Map modelMap = new HashMap<>(); try { @@ -503,6 +657,12 @@ public Map aTaintCase00923_2(@RequestBody LayerBaseBean2 cmd) { return modelMap; } @PostMapping("case00923/3") + @CaseTag( + caseNo ="aTaintCase00923", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->自定义对象->对象字段->多层字段->3层", + thisMethodTag = "aTaintCase00923_3", + thisMethodExpectedResult = true + ) public Map aTaintCase00923_3(@RequestBody LayerBaseBean2 cmd) { Map modelMap = new HashMap<>(); try { @@ -515,6 +675,12 @@ public Map aTaintCase00923_3(@RequestBody LayerBaseBean2 cmd) { } @PostMapping("case00924") + @CaseTag( + caseNo ="aTaintCase00924", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->自定义对象->对象字段->多层字段->10层", + thisMethodTag = "aTaintCase00924", + thisMethodExpectedResult = true + ) public Map aTaintCase00924(@RequestBody LayerBaseBean9 cmd) { Map modelMap = new HashMap<>(); try { @@ -526,6 +692,12 @@ public Map aTaintCase00924(@RequestBody LayerBaseBean9 cmd) { return modelMap; } @PostMapping("case00924/2") + @CaseTag( + caseNo ="aTaintCase00924", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->自定义对象->对象字段->多层字段->10层", + thisMethodTag = "aTaintCase00924_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00924_2(@RequestBody LayerBaseBean9 cmd) { Map modelMap = new HashMap<>(); try { @@ -537,6 +709,12 @@ public Map aTaintCase00924_2(@RequestBody LayerBaseBean9 cmd) { return modelMap; } @PostMapping("case00924/3") + @CaseTag( + caseNo ="aTaintCase00924", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->自定义对象->对象字段->多层字段->10层", + thisMethodTag = "aTaintCase00924_3", + thisMethodExpectedResult = true + ) public Map aTaintCase00924_3(@RequestBody LayerBaseBean9 cmd) { Map modelMap = new HashMap<>(); try { @@ -549,6 +727,12 @@ public Map aTaintCase00924_3(@RequestBody LayerBaseBean9 cmd) { } @PostMapping("case00925") + @CaseTag( + caseNo ="aTaintCase00925", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->自定义对象->对象字段->污点为父类字段", + thisMethodTag = "aTaintCase00925", + thisMethodExpectedResult = true + ) public Map aTaintCase00925(@RequestBody LayerBaseBean2 cmd) { Map modelMap = new HashMap<>(); try { @@ -560,6 +744,12 @@ public Map aTaintCase00925(@RequestBody LayerBaseBean2 cmd) { return modelMap; } @PostMapping("case00925/2") + @CaseTag( + caseNo ="aTaintCase00925", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点对象完整度->自定义对象->对象字段->污点为父类字段", + thisMethodTag = "aTaintCase00925_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00925_2(@RequestBody LayerBaseBean2 cmd) { Map modelMap = new HashMap<>(); try { diff --git a/iast-java/src/main/java/com/iast/astbenchmark/cases/AstTaintCase002.java b/iast-java/src/main/java/com/iast/astbenchmark/cases/AstTaintCase002.java index 79da37f0..f26f0cc3 100644 --- a/iast-java/src/main/java/com/iast/astbenchmark/cases/AstTaintCase002.java +++ b/iast-java/src/main/java/com/iast/astbenchmark/cases/AstTaintCase002.java @@ -3,6 +3,7 @@ import cn.hutool.core.util.StrUtil; import com.iast.astbenchmark.cases.bean.SourceTestObject; import com.iast.astbenchmark.cases.bean.xml.TicketRequest; +import com.iast.astbenchmark.analyser.cache.CaseTag; import com.iast.astbenchmark.common.CommonConsts; import com.iast.astbenchmark.common.utils.JDKSerializationUtil; import com.iast.astbenchmark.common.utils.MyCommonTestUtil; @@ -42,6 +43,12 @@ public class AstTaintCase002 { * @return */ @PostMapping("case0022") + @CaseTag( + caseNo ="aTaintCase0022", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->特殊链路跟踪能力->三方包方法跟踪", + thisMethodTag = "aTaintCase0022", + thisMethodExpectedResult = true + ) public Map aTaintCase0022(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -60,6 +67,12 @@ public Map aTaintCase0022(@RequestParam String cmd) { * @return */ @PostMapping("case0023") + @CaseTag( + caseNo ="aTaintCase0023", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->特殊链路跟踪能力->超长链路追踪->100层", + thisMethodTag = "aTaintCase0023", + thisMethodExpectedResult = true + ) public Map aTaintCase0023(@RequestBody String cmd) { Map modelMap = new HashMap<>(); if (cmd == null) { @@ -84,6 +97,13 @@ public Map aTaintCase0023(@RequestBody String cmd) { * @return */ @PostMapping("case00931") + @CaseTag( + caseNo ="aTaintCase00931", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->特殊链路跟踪能力->超长链路追踪->1000层", + thisMethodTag = "aTaintCase00931", + thisMethodExpectedResult = true + ) + public Map aTaintCase00931(@RequestBody String cmd) { Map modelMap = new HashMap<>(); if (cmd == null) { @@ -108,6 +128,13 @@ public Map aTaintCase00931(@RequestBody String cmd) { * @return */ @PostMapping("case0024") + @CaseTag( + caseNo ="aTaintCase0024", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->特殊链路跟踪能力->反射调用方法跟踪", + thisMethodTag = "aTaintCase0024", + thisMethodExpectedResult = true + ) + public Map aTaintCase0024(@RequestParam String cmd) throws NoSuchMethodException, InvocationTargetException, IllegalAccessException { Map modelMap = new HashMap<>(); @@ -135,6 +162,13 @@ public Map aTaintCase0024(@RequestParam String cmd) * @return */ @PostMapping("case0025") + @CaseTag( + caseNo ="aTaintCase0025", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->特殊链路跟踪能力->调用native方法", + thisMethodTag = "aTaintCase0025", + thisMethodExpectedResult = true + ) + public Map aTaintCase0025(@RequestBody String[] cmd) { Map modelMap = new HashMap<>(); if (cmd == null) { @@ -162,6 +196,12 @@ public Map aTaintCase0025(@RequestBody String[] cmd) { * @return */ @PostMapping("case0027") + @CaseTag( + caseNo ="aTaintCase0027", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点来源识别能力(source)->污点来自http getQueryString", + thisMethodTag = "aTaintCase0027", + thisMethodExpectedResult = true + ) public Map aTaintCase0027(HttpServletRequest request, @RequestParam String data) { Map modelMap = new HashMap<>(); try { @@ -280,6 +320,12 @@ public Map aTaintCase0027(HttpServletRequest request, @RequestPa * @return //TODO */ @PostMapping("case0033") + @CaseTag( + caseNo ="aTaintCase0033", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点来源识别能力(source)->污点来自http body->json/RequestBody", + thisMethodTag = "aTaintCase0033", + thisMethodExpectedResult = true + ) public Map aTaintCase0033(@RequestBody Map json) { Map modelMap = new HashMap<>(); try { @@ -299,6 +345,12 @@ public Map aTaintCase0033(@RequestBody Map json) */ @PostMapping(value = "/case0034", consumes = {MediaType.APPLICATION_XML_VALUE}, produces = MediaType.APPLICATION_XML_VALUE) @ResponseBody + @CaseTag( + caseNo ="aTaintCase0034", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点来源识别能力(source)->污点来自http body->xml/getInputStream", + thisMethodTag = "aTaintCase0034", + thisMethodExpectedResult = true + ) public Map aTaintCase0034(@RequestBody TicketRequest ticketRequest) { Map modelMap = new HashMap<>(); try { @@ -317,6 +369,12 @@ public Map aTaintCase0034(@RequestBody TicketRequest ticketReque * @return */ @PostMapping(value = "case0035") + @CaseTag( + caseNo ="aTaintCase0035", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点来源识别能力(source)->污点来自http body->multipart/form-data->getPart", + thisMethodTag = "aTaintCase0035", + thisMethodExpectedResult = true + ) public Map aTaintCase0035(@RequestParam MultipartFile file, HttpServletRequest request) { Map modelMap = new HashMap<>(); try { @@ -338,6 +396,12 @@ public Map aTaintCase0035(@RequestParam MultipartFile file, Http * @return */ @PostMapping(value = "case0036") + @CaseTag( + caseNo ="aTaintCase0036", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点来源识别能力(source)->污点来自http body->multipart/form-data->getParts", + thisMethodTag = "aTaintCase0036", + thisMethodExpectedResult = true + ) public Map aTaintCase0036(@RequestParam MultipartFile file, HttpServletRequest request) { Map modelMap = new HashMap<>(); try { @@ -359,6 +423,13 @@ public Map aTaintCase0036(@RequestParam MultipartFile file, Http * @return */ @PostMapping(value = "case0037") + @CaseTag( + caseNo ="aTaintCase0037", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点来源识别能力(source)->污点来自http body->form/url-encode->getParameter", + thisMethodTag = "aTaintCase0037", + thisMethodExpectedResult = true + ) + public Map aTaintCase0037(@RequestParam("cmd") String cmd, HttpServletRequest request) { Map modelMap = new HashMap<>(); try { @@ -378,6 +449,13 @@ public Map aTaintCase0037(@RequestParam("cmd") String cmd, HttpS * @return */ @PostMapping(value = "case0038") + @CaseTag( + caseNo ="aTaintCase0038", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点来源识别能力(source)->污点来自http body->form/url-encode->getParameterMap", + thisMethodTag = "aTaintCase0038", + thisMethodExpectedResult = true + ) + public Map aTaintCase0038(@RequestParam("cmd") String cmd, HttpServletRequest request) { Map modelMap = new HashMap<>(); try { @@ -397,6 +475,13 @@ public Map aTaintCase0038(@RequestParam("cmd") String cmd, HttpS * @return */ @PostMapping(value = "case0039") + @CaseTag( + caseNo ="aTaintCase0039", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点来源识别能力(source)->污点来自http body->form/url-encode->getParameterValues", + thisMethodTag = "aTaintCase0039", + thisMethodExpectedResult = true + ) + public Map aTaintCase0039(@RequestParam("cmd") String cmd, HttpServletRequest request) { Map modelMap = new HashMap<>(); try { @@ -416,6 +501,12 @@ public Map aTaintCase0039(@RequestParam("cmd") String cmd, HttpS * @return */ @PostMapping(value = "case0040") + @CaseTag( + caseNo ="aTaintCase0040", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点来源识别能力(source)->污点来自http body->form/url-encode->getParameterNames", + thisMethodTag = "aTaintCase0040", + thisMethodExpectedResult = true + ) public Map aTaintCase0040(@RequestParam("cmd") String cmd, HttpServletRequest request) { Map modelMap = new HashMap<>(); try { @@ -436,6 +527,12 @@ public Map aTaintCase0040(@RequestParam("cmd") String cmd, HttpS * @return */ @PostMapping(value = "case0041") + @CaseTag( + caseNo ="aTaintCase0041", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点来源识别能力(source)->污点来自http body->getReader", + thisMethodTag = "aTaintCase0041", + thisMethodExpectedResult = true + ) public Map aTaintCase0041(@RequestBody String[] cmd, HttpServletRequest request) { Map modelMap = new HashMap<>(); try { @@ -499,6 +596,13 @@ public Map aTaintCase0041(@RequestBody String[] cmd, HttpServlet * @return */ @PostMapping(value = "case0044/{cmd}") + @CaseTag( + caseNo ="aTaintCase0044", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点来源识别能力(source)->污点来自http pathVarlables", + thisMethodTag = "aTaintCase0044", + thisMethodExpectedResult = true + ) + public Map aTaintCase0044(@PathVariable String cmd) { Map modelMap = new HashMap<>(); try { @@ -517,6 +621,13 @@ public Map aTaintCase0044(@PathVariable String cmd) { * @return */ @PostMapping(value = "case0045") + @CaseTag( + caseNo ="aTaintCase0045", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点来源识别能力(source)->污点来自http header->getCookies", + thisMethodTag = "aTaintCase0045", + thisMethodExpectedResult = true + ) + public Map aTaintCase0045(HttpServletRequest request) { Map modelMap = new HashMap<>(); try { @@ -536,6 +647,12 @@ public Map aTaintCase0045(HttpServletRequest request) { * @return */ @PostMapping(value = "case0046") + @CaseTag( + caseNo ="aTaintCase0046", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点来源识别能力(source)->污点来自http header->getHeader", + thisMethodTag = "aTaintCase0046", + thisMethodExpectedResult = true + ) public Map aTaintCase0046(HttpServletRequest request) { Map modelMap = new HashMap<>(); try { @@ -555,6 +672,12 @@ public Map aTaintCase0046(HttpServletRequest request) { * @return */ @PostMapping(value = "case0047") + @CaseTag( + caseNo ="aTaintCase0047", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点来源识别能力(source)->污点来自http header->getHeaders", + thisMethodTag = "aTaintCase0047", + thisMethodExpectedResult = true + ) public Map aTaintCase0047(HttpServletRequest request) { Map modelMap = new HashMap<>(); try { @@ -574,6 +697,12 @@ public Map aTaintCase0047(HttpServletRequest request) { * @return */ @PostMapping(value = "case00139") + @CaseTag( + caseNo ="aTaintCase00139", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点来源识别能力(source)->污点来自http header->getHeaderNames", + thisMethodTag = "aTaintCase00139", + thisMethodExpectedResult = true + ) public Map aTaintCase00139(HttpServletRequest request) { Map modelMap = new HashMap<>(); try { @@ -873,6 +1002,13 @@ public Map aTaintCase00139(HttpServletRequest request) { * aTaintCase0062 传播场景->String操作->构造方法 */ @PostMapping(value = "case0062") + @CaseTag( + caseNo ="aTaintCase0062", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->构造方法->String(String original)", + thisMethodTag = "aTaintCase0062", + thisMethodExpectedResult = true + ) + public Map aTaintCase0062(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -886,6 +1022,12 @@ public Map aTaintCase0062(@RequestParam String cmd) { } @PostMapping(value = "case00143") + @CaseTag( + caseNo ="aTaintCase00143", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->构造方法->String(char value[])", + thisMethodTag = "aTaintCase00143", + thisMethodExpectedResult = true + ) public Map aTaintCase00143(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -898,6 +1040,13 @@ public Map aTaintCase00143(@RequestParam String cmd) { } @PostMapping(value = "case00144") + @CaseTag( + caseNo ="aTaintCase00144", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->构造方法->String(char value[], int offset, int count)", + thisMethodTag = "aTaintCase00144", + thisMethodExpectedResult = true + ) + public Map aTaintCase00144(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -914,6 +1063,12 @@ public Map aTaintCase00144(@RequestParam String cmd) { * @return */ @PostMapping(value = "case00145") + @CaseTag( + caseNo ="aTaintCase00145", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->构造方法->String(int[] codePoints, int offset, int count)", + thisMethodTag = "aTaintCase00145", + thisMethodExpectedResult = true + ) public Map aTaintCase00145(@RequestBody int[] codePoints) { Map modelMap = new HashMap<>(); try { @@ -936,6 +1091,12 @@ public Map aTaintCase00145(@RequestBody int[] codePoints) { } @PostMapping(value = "case00146") + @CaseTag( + caseNo ="aTaintCase00146", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->构造方法->String(byte bytes[], int offset, int length, String charsetName)", + thisMethodTag = "aTaintCase00146", + thisMethodExpectedResult = true + ) public Map aTaintCase00146(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -949,6 +1110,12 @@ public Map aTaintCase00146(@RequestParam String cmd) { } @PostMapping(value = "case00147") + @CaseTag( + caseNo ="aTaintCase00147", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->构造方法->String(byte bytes[], int offset, int length, Charset charset)", + thisMethodTag = "aTaintCase00147", + thisMethodExpectedResult = true + ) public Map aTaintCase00147(@RequestBody byte[] bytes) { Map modelMap = new HashMap<>(); try { @@ -962,6 +1129,12 @@ public Map aTaintCase00147(@RequestBody byte[] bytes) { } @PostMapping(value = "case00148") + @CaseTag( + caseNo ="aTaintCase00148", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->构造方法->String(StringBuffer buffer)", + thisMethodTag = "aTaintCase00148", + thisMethodExpectedResult = true + ) public Map aTaintCase00148(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -975,6 +1148,12 @@ public Map aTaintCase00148(@RequestParam String cmd) { } @PostMapping(value = "case00149") + @CaseTag( + caseNo ="aTaintCase00149", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->构造方法->String(StringBuilder builder)", + thisMethodTag = "aTaintCase00149", + thisMethodExpectedResult = true + ) public Map aTaintCase00149(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -991,6 +1170,12 @@ public Map aTaintCase00149(@RequestParam String cmd) { * aTaintCase0063 传播场景->String操作->conact */ @PostMapping(value = "case0063") + @CaseTag( + caseNo ="aTaintCase0063", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->conact", + thisMethodTag = "aTaintCase0063", + thisMethodExpectedResult = true + ) public Map aTaintCase0063(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1007,6 +1192,12 @@ public Map aTaintCase0063(@RequestParam String cmd) { * aTaintCase0064 传播场景->String操作->copyValueOf */ @PostMapping(value = "case0064") + @CaseTag( + caseNo ="aTaintCase0064", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->copyValueOf", + thisMethodTag = "aTaintCase0064", + thisMethodExpectedResult = true + ) public Map aTaintCase0064(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1023,6 +1214,12 @@ public Map aTaintCase0064(@RequestParam String cmd) { * aTaintCase0065 传播场景->String操作->format */ @PostMapping(value = "case0065") + @CaseTag( + caseNo ="aTaintCase0065", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->format", + thisMethodTag = "aTaintCase0065", + thisMethodExpectedResult = true + ) public Map aTaintCase0065(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1040,6 +1237,12 @@ public Map aTaintCase0065(@RequestParam String cmd) { */ @PostMapping(value = "case0066") + @CaseTag( + caseNo ="aTaintCase0066", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->getBytes", + thisMethodTag = "aTaintCase0066", + thisMethodExpectedResult = true + ) public Map aTaintCase0066(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1056,6 +1259,13 @@ public Map aTaintCase0066(@RequestParam String cmd) { * aTaintCase0067 传播场景->String操作->getChars */ @PostMapping(value = "case0067") + @CaseTag( + caseNo ="aTaintCase0067", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->getChars", + thisMethodTag = "aTaintCase0067", + thisMethodExpectedResult = true + ) + public Map aTaintCase0067(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1073,6 +1283,12 @@ public Map aTaintCase0067(@RequestParam String cmd) { * aTaintCase0068 传播场景->String操作->intern */ @PostMapping(value = "case0068") + @CaseTag( + caseNo ="aTaintCase0068", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->intern", + thisMethodTag = "aTaintCase0068", + thisMethodExpectedResult = true + ) public Map aTaintCase0068(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1088,6 +1304,12 @@ public Map aTaintCase0068(@RequestParam String cmd) { * aTaintCase0069 传播场景->String操作->join */ @PostMapping(value = "case0069") + @CaseTag( + caseNo ="aTaintCase0069", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->join", + thisMethodTag = "aTaintCase0069", + thisMethodExpectedResult = true + ) public Map aTaintCase0069(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1123,6 +1345,13 @@ public Map aTaintCase0069(@RequestParam String cmd) { * ls;-la */ @PostMapping(value = "case0071") + @CaseTag( + caseNo ="aTaintCase0071", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->replace", + thisMethodTag = "aTaintCase0071", + thisMethodExpectedResult = true + ) + public Map aTaintCase0071(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1140,6 +1369,13 @@ public Map aTaintCase0071(@RequestParam String cmd) { * alasa */ @PostMapping(value = "case00140") + @CaseTag( + caseNo ="aTaintCase00140", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->replaceAll", + thisMethodTag = "aTaintCase00140", + thisMethodExpectedResult = true + ) + public Map aTaintCase00140(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1156,6 +1392,12 @@ public Map aTaintCase00140(@RequestParam String cmd) { * aTaintCase0072 传播场景->String操作->split */ @PostMapping(value = "case0072") + @CaseTag( + caseNo ="aTaintCase0072", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->split", + thisMethodTag = "aTaintCase0072", + thisMethodExpectedResult = true + ) public Map aTaintCase0072(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1190,6 +1432,13 @@ public Map aTaintCase0072(@RequestParam String cmd) { * aTaintCase0074 传播场景->String操作->subSequence */ @PostMapping(value = "case0074") + @CaseTag( + caseNo ="aTaintCase0074", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->subSequence", + thisMethodTag = "aTaintCase0074", + thisMethodExpectedResult = true + ) + public Map aTaintCase0074(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1206,6 +1455,12 @@ public Map aTaintCase0074(@RequestParam String cmd) { * lsabc */ @PostMapping(value = "case0075") + @CaseTag( + caseNo ="aTaintCase0075", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->substring", + thisMethodTag = "aTaintCase0075", + thisMethodExpectedResult = true + ) public Map aTaintCase0075(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1221,6 +1476,12 @@ public Map aTaintCase0075(@RequestParam String cmd) { * aTaintCase0076 传播场景->String操作->toCharArray */ @PostMapping(value = "case0076") + @CaseTag( + caseNo ="aTaintCase0076", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->toCharArray", + thisMethodTag = "aTaintCase0076", + thisMethodExpectedResult = true + ) public Map aTaintCase0076(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1237,6 +1498,12 @@ public Map aTaintCase0076(@RequestParam String cmd) { * aTaintCase0077 传播场景->String操作->toLowerCase */ @PostMapping(value = "case0077") + @CaseTag( + caseNo ="aTaintCase0077", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->toLowerCase", + thisMethodTag = "aTaintCase0077", + thisMethodExpectedResult = true + ) public Map aTaintCase0077(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1253,6 +1520,12 @@ public Map aTaintCase0077(@RequestParam String cmd) { * aTaintCase0078 传播场景->String操作->toString */ @PostMapping(value = "case0078") + @CaseTag( + caseNo ="aTaintCase0078", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->toString", + thisMethodTag = "aTaintCase0078", + thisMethodExpectedResult = true + ) public Map aTaintCase0078(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1269,6 +1542,12 @@ public Map aTaintCase0078(@RequestParam String cmd) { * aTaintCase0079 传播场景->String操作->toUpperCase */ @PostMapping(value = "case0079") + @CaseTag( + caseNo ="aTaintCase0079", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->toUpperCase", + thisMethodTag = "aTaintCase0079", + thisMethodExpectedResult = true + ) public Map aTaintCase0079(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1286,6 +1565,13 @@ public Map aTaintCase0079(@RequestParam String cmd) { */ @PostMapping(value = "case0080") + + @CaseTag( + caseNo ="aTaintCase0080", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->trim", + thisMethodTag = "aTaintCase0080", + thisMethodExpectedResult = true + ) public Map aTaintCase0080(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1302,6 +1588,12 @@ public Map aTaintCase0080(@RequestParam String cmd) { * aTaintCase0081 传播场景->String操作->valueOf */ @PostMapping(value = "case0081") + @CaseTag( + caseNo ="aTaintCase0081", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->String操作->valueOf", + thisMethodTag = "aTaintCase0081", + thisMethodExpectedResult = true + ) public Map aTaintCase0081(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1318,6 +1610,12 @@ public Map aTaintCase0081(@RequestParam String cmd) { * aTaintCase0082 传播场景->StringBuilder操作->构造方法 */ @PostMapping(value = "case0082") + @CaseTag( + caseNo ="aTaintCase0082", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->StringBuilder操作->构造方法", + thisMethodTag = "aTaintCase0082", + thisMethodExpectedResult = true + ) public Map aTaintCase0082(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1334,6 +1632,12 @@ public Map aTaintCase0082(@RequestParam String cmd) { * aTaintCase0083 传播场景->StringBuilder操作->append */ @PostMapping(value = "case0083") + @CaseTag( + caseNo ="aTaintCase0083", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->StringBuilder操作->append", + thisMethodTag = "aTaintCase0083", + thisMethodExpectedResult = true + ) public Map aTaintCase0083(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1369,6 +1673,12 @@ public Map aTaintCase0083(@RequestParam String cmd) { * aTaintCase0085 传播场景->StringBuilder操作->delete */ @PostMapping(value = "case0085") + @CaseTag( + caseNo ="aTaintCase0085", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->StringBuilder操作->delete", + thisMethodTag = "aTaintCase0085", + thisMethodExpectedResult = true + ) public Map aTaintCase0085(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1387,6 +1697,12 @@ public Map aTaintCase0085(@RequestParam String cmd) { * aTaintCase0086 传播场景->StringBuilder操作->deleteCharAt */ @PostMapping(value = "case0086") + @CaseTag( + caseNo ="aTaintCase0086", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->StringBuilder操作->deleteCharAt", + thisMethodTag = "aTaintCase0086", + thisMethodExpectedResult = true + ) public Map aTaintCase0086(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1405,6 +1721,12 @@ public Map aTaintCase0086(@RequestParam String cmd) { * aTaintCase0087 传播场景->StringBuilder操作->getChars */ @PostMapping(value = "case0087") + @CaseTag( + caseNo ="aTaintCase0087", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->StringBuilder操作->getChars", + thisMethodTag = "aTaintCase0087", + thisMethodExpectedResult = true + ) public Map aTaintCase0087(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1424,6 +1746,12 @@ public Map aTaintCase0087(@RequestParam String cmd) { * aTaintCase0088 传播场景->StringBuilder操作->insert */ @PostMapping(value = "case0088") + @CaseTag( + caseNo ="aTaintCase0088", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->StringBuilder操作->insert", + thisMethodTag = "aTaintCase0088", + thisMethodExpectedResult = true + ) public Map aTaintCase0088(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1441,6 +1769,13 @@ public Map aTaintCase0088(@RequestParam String cmd) { * aTaintCase0089 传播场景->StringBuilder操作->replace */ @PostMapping(value = "case0089") + @CaseTag( + caseNo ="aTaintCase0089", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->StringBuilder操作->replace", + thisMethodTag = "aTaintCase0089", + thisMethodExpectedResult = true + ) + public Map aTaintCase0089(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1458,6 +1793,12 @@ public Map aTaintCase0089(@RequestParam String cmd) { * aTaintCase0090 传播场景->StringBuilder操作->subSequence */ @PostMapping(value = "case0090") + @CaseTag( + caseNo ="aTaintCase0090", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->StringBuilder操作->subSequence", + thisMethodTag = "aTaintCase0090", + thisMethodExpectedResult = true + ) public Map aTaintCase0090(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1476,6 +1817,12 @@ public Map aTaintCase0090(@RequestParam String cmd) { * aTaintCase0091 传播场景->StringBuilder操作->subString */ @PostMapping(value = "case0091") + @CaseTag( + caseNo ="aTaintCase0091", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->StringBuilder操作->subString", + thisMethodTag = "aTaintCase0091", + thisMethodExpectedResult = true + ) public Map aTaintCase0091(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1493,6 +1840,12 @@ public Map aTaintCase0091(@RequestParam String cmd) { * aTaintCase0092 传播场景->StringBuilder操作->toString */ @PostMapping(value = "case0092") + @CaseTag( + caseNo ="aTaintCase0092", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->StringBuilder操作->toString", + thisMethodTag = "aTaintCase0092", + thisMethodExpectedResult = true + ) public Map aTaintCase0092(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1510,6 +1863,13 @@ public Map aTaintCase0092(@RequestParam String cmd) { * aTaintCase0093 传播场景-char[],byte[]操作->copyOf */ @PostMapping(value = "case0093") + + @CaseTag( + caseNo ="aTaintCase0093", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->char[],byte[]操作->copyOf", + thisMethodTag = "aTaintCase0093", + thisMethodExpectedResult = true + ) public Map aTaintCase0093(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1527,6 +1887,12 @@ public Map aTaintCase0093(@RequestParam String cmd) { * aTaintCase0094 传播场景-char[],byte[]操作-->copyOfRange */ @PostMapping(value = "case0094") + @CaseTag( + caseNo ="aTaintCase0094", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->char[],byte[]操作->copyOfRange", + thisMethodTag = "aTaintCase0094", + thisMethodExpectedResult = true + ) public Map aTaintCase0094(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1545,6 +1911,12 @@ public Map aTaintCase0094(@RequestParam String cmd) { * //deepToString 的参数是Object[] *使用Byte[] */ @PostMapping(value = "case0095") + @CaseTag( + caseNo ="aTaintCase0095", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->char[],byte[]操作->deepToString", + thisMethodTag = "aTaintCase0095", + thisMethodExpectedResult = true + ) public Map aTaintCase0095(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1562,6 +1934,12 @@ public Map aTaintCase0095(@RequestParam String cmd) { * aTaintCase0096 传播场景-char[],byte[]操作->toString */ @PostMapping(value = "case0096") + @CaseTag( + caseNo ="aTaintCase0096", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->char[],byte[]操作->toString", + thisMethodTag = "aTaintCase0096", + thisMethodExpectedResult = true + ) public Map aTaintCase0096(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1598,6 +1976,12 @@ public Map aTaintCase0096(@RequestParam String cmd) { * @throws ClassNotFoundException */ @PostMapping(value = "case00932") + @CaseTag( + caseNo ="aTaintCase00932", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点传播跟踪能力->传播场景->JDK序列化与反序列化", + thisMethodTag = "aTaintCase00932", + thisMethodExpectedResult = true + ) public Map aTaintCase00932(@RequestBody SourceTestObject sourceTestObject) throws ClassNotFoundException { Map modelMap = new HashMap<>(); try { @@ -1928,6 +2312,12 @@ public Map aTaintCase00932(@RequestBody SourceTestObject sourceT * @return */ @PostMapping(value = "case00141") + @CaseTag( + caseNo ="aTaintCase00141", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点无害化处理能力(sanitizer)->污点直接赋值为硬编码值", + thisMethodTag = "aTaintCase00141", + thisMethodExpectedResult = false + ) public Map aTaintCase00141(@RequestParam String cmd) { Map modelMap = new HashMap<>(); cmd = "test"; @@ -1937,6 +2327,12 @@ public Map aTaintCase00141(@RequestParam String cmd) { } @PostMapping(value = "case00141/1") + @CaseTag( + caseNo ="aTaintCase00141", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点无害化处理能力(sanitizer)->污点直接赋值为硬编码值", + thisMethodTag = "aTaintCase00141_1", + thisMethodExpectedResult = true + ) public Map aTaintCase00141_1(@RequestParam String cmd) { Map modelMap = new HashMap<>(); TaintMethodUtil.sink(cmd); @@ -1948,6 +2344,12 @@ public Map aTaintCase00141_1(@RequestParam String cmd) { * aTaintCase00103 污点无害化处理能力sanitizer->sanitizer支持区分类型 */ @PostMapping(value = "case00103/2") + @CaseTag( + caseNo ="aTaintCase00103", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点无害化处理能力(sanitizer)->sanitizer支持区分类型", + thisMethodTag = "aTaintCase00103_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00103_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -1961,6 +2363,12 @@ public Map aTaintCase00103_2(@RequestParam String cmd) { } @PostMapping(value = "case00103/1") + @CaseTag( + caseNo ="aTaintCase00103", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点无害化处理能力(sanitizer)->sanitizer支持区分类型", + thisMethodTag = "aTaintCase00103_1", + thisMethodExpectedResult = true + ) public Map aTaintCase00103_1(@RequestParam String cmd) { Map modelMap = new HashMap<>(); TaintMethodUtil.sink(cmd); @@ -1969,6 +2377,12 @@ public Map aTaintCase00103_1(@RequestParam String cmd) { } @PostMapping(value = "case00103") + @CaseTag( + caseNo ="aTaintCase00103", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点无害化处理能力(sanitizer)->sanitizer支持区分类型", + thisMethodTag = "aTaintCase00103", + thisMethodExpectedResult = false + ) public Map aTaintCase00103(@RequestParam String cmd) { Map modelMap = new HashMap<>(); String res = TaintMethodUtil.sanitizer(cmd); @@ -1981,6 +2395,12 @@ public Map aTaintCase00103(@RequestParam String cmd) { * aTaintCase00104 污点无害化处理能力sanitizer->触发sink后再执行sanitizer */ @PostMapping(value = "case00104") + @CaseTag( + caseNo ="aTaintCase00104", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点无害化处理能力(sanitizer)->触发sink后再执行sanitizer", + thisMethodTag = "aTaintCase00104", + thisMethodExpectedResult = true + ) public Map aTaintCase00104(@RequestParam String cmd) { Map modelMap = new HashMap<>(); TaintMethodUtil.sink(cmd); @@ -1990,6 +2410,12 @@ public Map aTaintCase00104(@RequestParam String cmd) { } @PostMapping(value = "case00104/1") + @CaseTag( + caseNo ="aTaintCase00104", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点无害化处理能力(sanitizer)->触发sink后再执行sanitizer", + thisMethodTag = "aTaintCase00104_1", + thisMethodExpectedResult = false + ) public Map aTaintCase00104_1(@RequestParam String cmd) { Map modelMap = new HashMap<>(); String res = TaintMethodUtil.sanitizer(cmd); @@ -1999,6 +2425,12 @@ public Map aTaintCase00104_1(@RequestParam String cmd) { } @PostMapping(value = "case00104/2") + @CaseTag( + caseNo ="aTaintCase00104", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点无害化处理能力(sanitizer)->触发sink后再执行sanitizer", + thisMethodTag = "aTaintCase00104_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00104_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); TaintMethodUtil.sink(cmd); @@ -2011,6 +2443,12 @@ public Map aTaintCase00104_2(@RequestParam String cmd) { * 检出 */ @PostMapping(value = "case00105") + @CaseTag( + caseNo ="aTaintCase00105", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点无害化处理能力(sanitizer)->支持自定义unSanitizer(再次污点化)", + thisMethodTag = "aTaintCase00105", + thisMethodExpectedResult = true + ) public Map aTaintCase00105(@RequestParam String cmd) { Map modelMap = new HashMap<>(); TaintMethodUtil.sink(cmd); @@ -2020,6 +2458,12 @@ public Map aTaintCase00105(@RequestParam String cmd) { // 不检出 @PostMapping(value = "case00105/1") + @CaseTag( + caseNo ="aTaintCase00105", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点无害化处理能力(sanitizer)->支持自定义unSanitizer(再次污点化)", + thisMethodTag = "aTaintCase00105_1", + thisMethodExpectedResult = false + ) public Map aTaintCase00105_1(@RequestParam String cmd) { Map modelMap = new HashMap<>(); cmd = TaintMethodUtil.sanitizer(cmd); @@ -2030,6 +2474,12 @@ public Map aTaintCase00105_1(@RequestParam String cmd) { // 检出 @PostMapping(value = "case00105/2") + @CaseTag( + caseNo ="aTaintCase00105", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->污点无害化处理能力(sanitizer)->支持自定义unSanitizer(再次污点化)", + thisMethodTag = "aTaintCase00105_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00105_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); cmd = TaintMethodUtil.sanitizer(cmd); @@ -2101,13 +2551,19 @@ public Map aTaintCase00105_2(@RequestParam String cmd) { * aTaintCase00109 触发污点跟踪能力(sink)->单污点来源传播至多sink点 */ @PostMapping(value = "case00109") + @CaseTag( + caseNo ="aTaintCase00109", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->触发污点跟踪能力(sink)->单污点来源传播至多sink点", + thisMethodTag = "aTaintCase00109", + thisMethodExpectedResult = true + ) public Map aTaintCase00109(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { Runtime.getRuntime().exec(cmd); cmd = cmd + " -la"; - //TODO 加另一个漏洞 + TaintMethodUtil.sink(cmd); modelMap.put("status", CommonConsts.SUCCESS_STR); } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); @@ -2119,6 +2575,13 @@ public Map aTaintCase00109(@RequestParam String cmd) { * aTaintCase00110 触发污点跟踪能力(sink)->多污点来源传播至单sink点 */ @PostMapping(value = "case00110") + @CaseTag( + caseNo ="aTaintCase00110", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->触发污点跟踪能力(sink)->多污点来源传播至单sink点", + thisMethodTag = "aTaintCase00110", + thisMethodExpectedResult = true + ) + public Map aTaintCase00110(@RequestParam String cmd1, @RequestParam String cmd2) { Map modelMap = new HashMap<>(); try { @@ -2134,24 +2597,36 @@ public Map aTaintCase00110(@RequestParam String cmd1, @RequestPa * aTaintCase00111 触发污点跟踪能力(sink)->sink点中嵌套其他sink点 * 从文件中读取命令,并用命令行执行 */ - @PostMapping(value = "case00111") - @Deprecated - public Map aTaintCase00111(@RequestParam String path) { - Map modelMap = new HashMap<>(); - - try { - Runtime.getRuntime().exec(path + MyCommonTestUtil.readStrFromFile(path)); - modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { - modelMap.put("status", CommonConsts.ERROR_STR); - } - return modelMap; - } + //@PostMapping(value = "case00111") + //@CaseTag( + // caseNo ="aTaintCase00111", + // caseFullName = "#IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->触发污点跟踪能力(sink)->sink点中嵌套其他sink点", + // thisMethodTag = "aTaintCase00111", + // thisMethodExpectedResult = true + //) + //@Deprecated + //public Map aTaintCase00111(@RequestParam String path) { + // Map modelMap = new HashMap<>(); + // + // try { + // Runtime.getRuntime().exec(path + MyCommonTestUtil.readStrFromFile(path)); + // modelMap.put("status", CommonConsts.SUCCESS_STR); + // } catch (IOException e) { + // modelMap.put("status", CommonConsts.ERROR_STR); + // } + // return modelMap; + //} /** * aTaintCase00112 触发污点跟踪能力(sink)->无污点传播过程,污点直接传入sink */ @PostMapping(value = "case00112") + @CaseTag( + caseNo ="aTaintCase00112", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->基础跟踪能力->污点链路完整度->触发污点跟踪能力(sink)->无污点传播过程,污点直接传入sink", + thisMethodTag = "aTaintCase00112", + thisMethodExpectedResult = true + ) public Map aTaintCase00112(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { diff --git a/iast-java/src/main/java/com/iast/astbenchmark/cases/AstTaintCase003.java b/iast-java/src/main/java/com/iast/astbenchmark/cases/AstTaintCase003.java index 8f65347e..713c0e37 100644 --- a/iast-java/src/main/java/com/iast/astbenchmark/cases/AstTaintCase003.java +++ b/iast-java/src/main/java/com/iast/astbenchmark/cases/AstTaintCase003.java @@ -7,6 +7,7 @@ import cn.hutool.db.Db; import cn.hutool.db.Entity; import cn.hutool.http.HttpRequest; +import com.iast.astbenchmark.analyser.cache.CaseTag; import com.iast.astbenchmark.common.CommonConsts; import com.iast.astbenchmark.common.utils.MyCommonTestUtil; import com.iast.astbenchmark.common.utils.SessionUtil; @@ -51,6 +52,12 @@ public Map aTaintCase00113(@RequestParam String cmd) { return modelMap; } @PostMapping(value = "case00113/1") + @CaseTag( + caseNo ="aTaintCase00113", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->异步跟踪能力->存储型异步->污点通过db存储后触发", + thisMethodTag = "aTaintCase00113_1", + thisMethodExpectedResult = true + ) public Map aTaintCase00113_1(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -83,6 +90,12 @@ public Map aTaintCase00114(HttpServletRequest request, @PathVari return modelMap; } @PostMapping(value = "case00114/1") + @CaseTag( + caseNo ="aTaintCase00114", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->异步跟踪能力->存储型异步->污点通过session存储后触发", + thisMethodTag = "aTaintCase00114_1", + thisMethodExpectedResult = true + ) public Map aTaintCase00114_1(HttpServletRequest request) { Map modelMap = new HashMap<>(); try { @@ -106,6 +119,12 @@ public Map aTaintCase00115(@RequestParam String cmd) { return modelMap; } @PostMapping(value = "case00115/1") + @CaseTag( + caseNo ="aTaintCase00115", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->异步跟踪能力->存储型异步->污点通过缓存存储后触发->本地缓存", + thisMethodTag = "aTaintCase00115_1", + thisMethodExpectedResult = true + ) public Map aTaintCase00115_1() { Map modelMap = new HashMap<>(); try { @@ -130,6 +149,12 @@ public Map aTaintCase00138(@RequestParam String cmd) { return modelMap; } @PostMapping(value = "case00138/1") + @CaseTag( + caseNo ="aTaintCase00138", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->异步跟踪能力->存储型异步->污点通过缓存存储后触发->非本地缓存", + thisMethodTag = "aTaintCase00138_1", + thisMethodExpectedResult = true + ) public Map aTaintCase00138_1() { Map modelMap = new HashMap<>(); String key ="cmd_key"; @@ -158,6 +183,12 @@ public Map aTaintCase00116(@RequestParam String cmd) { return modelMap; } @PostMapping(value = "case00116/1") + @CaseTag( + caseNo ="aTaintCase00116", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->异步跟踪能力->存储型异步->污点通过文件存储后触发->本地文件", + thisMethodTag = "aTaintCase00116_1", + thisMethodExpectedResult = true + ) public Map aTaintCase00116_1() { Map modelMap = new HashMap<>(); try { @@ -171,7 +202,7 @@ public Map aTaintCase00116_1() { } /** - * aTaintCase00117 异步跟踪能力->存储行异步->污点通过缓存存储后触发-> OSS + * TODO aTaintCase00117 异步跟踪能力->存储行异步->污点通过缓存存储后触发-> OSS */ /** @@ -181,6 +212,12 @@ public Map aTaintCase00116_1() { * aTaintCase00119 异步跟踪能力->多线程异步->污点的来源和触发在不同线程 */ @PostMapping(value = "case00119") + @CaseTag( + caseNo ="aTaintCase00119", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->异步跟踪能力->多线程异步->污点的来源和触发在不同线程", + thisMethodTag = "aTaintCase00119", + thisMethodExpectedResult = true + ) public Map aTaintCase00119(@RequestParam String cmd) { Map modelMap = new HashMap<>(); Thread thread = new Thread(()->{ @@ -199,6 +236,12 @@ public Map aTaintCase00119(@RequestParam String cmd) { */ ThreadPoolExecutor executorForTest = ThreadUtil.newExecutor(1,1); @PostMapping(value = "case00120") + @CaseTag( + caseNo ="aTaintCase00120", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->异步跟踪能力->多线程异步->污点的来源和触发在不同线程,sink的触发由线程池中的线程触发", + thisMethodTag = "aTaintCase00120", + thisMethodExpectedResult = true + ) public Map aTaintCase00120(@RequestParam String cmd) { Map modelMap = new HashMap<>(); executorForTest.execute(()->{ @@ -212,14 +255,14 @@ public Map aTaintCase00120(@RequestParam String cmd) { } /** - * aTaintCase00121 跨进城跟踪能力->sofa tr(阿里内部)->单次rpc调用触发sink + * aTaintCase00121 跨进程跟踪能力->调用方式->sofa tr(阿里内部)->单次rpc调用触发sink */ /** - * aTaintCase00122 跨进城跟踪能力->sofa tr(阿里内部)->跨多个应用rpc 触发sink + * aTaintCase00122 跨进程跟踪能力->调用方式->sofa tr(阿里内部)->跨多个应用rpc 触发sink */ /** - * aTaintCase00123 跨进城跟踪能力->http->单次http调用触发sink + * aTaintCase00123 跨进程跟踪能力->调用方式->调用方式->http->单次http调用触发sink */ @PostMapping(value = "case00123") public Map aTaintCase00123(@RequestParam String cmd,@RequestParam String auto_check_start_time) { @@ -231,6 +274,12 @@ public Map aTaintCase00123(@RequestParam String cmd,@RequestPara } @PostMapping(value = "case00123/2") + @CaseTag( + caseNo ="aTaintCase00123", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->跨进程跟踪能力->调用方式->http->跨一层进程调用", + thisMethodTag = "aTaintCase00123_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00123_2(@RequestParam String cmd,@RequestParam String auto_check_start_time) { Map modelMap = new HashMap<>(); try { @@ -243,7 +292,7 @@ public Map aTaintCase00123_2(@RequestParam String cmd,@RequestPa } /** - * aTaintCase00124 跨进城跟踪能力->http->跨多个应用http触发sink + * aTaintCase00124 跨进程跟踪能力->调用方式->http->跨多个应用http触发sink */ @PostMapping(value = "case00124") @@ -265,6 +314,12 @@ public Map aTaintCase00124_2(@RequestParam String cmd,@RequestPa } @PostMapping(value = "case00124/3") + @CaseTag( + caseNo ="aTaintCase00124", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->跨进程跟踪能力->调用方式->http->跨多层进程调用", + thisMethodTag = "aTaintCase00124_3", + thisMethodExpectedResult = true + ) public Map aTaintCase00124_3(@RequestParam String cmd,@RequestParam String auto_check_start_time) { Map modelMap = new HashMap<>(); try { @@ -281,4 +336,28 @@ public Map aTaintCase00124_3(@RequestParam String cmd,@RequestPa * TODO 需要多工程之间的调用,暂无case作为单独工程调用验证 */ + + @PostMapping(value = "case001241") + @CaseTag( + caseNo ="aTaintCase001241", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->跨进程跟踪能力->调用方式->rpc(至少支持一种框架:Sofa/SpringCloud/Dubbo/gRpc/HSF)->跨一层进程间调用(暂无实现)", + thisMethodTag = "aTaintCase001241", + thisMethodExpectedResult = true + ) + public Map aTaintCase001241() { + //TODO + return null; + } + @PostMapping(value = "case001242") + @CaseTag( + caseNo ="aTaintCase001242", + caseFullName = "IAST引擎能力评估体系(JAVA)->完整度->跨进程跟踪能力->调用方式->rpc(至少支持一种框架:Sofa/SpringCloud/Dubbo/gRpc/HSF)->跨多层进程间调用(暂无实现)", + thisMethodTag = "aTaintCase001242", + thisMethodExpectedResult = true + ) + public Map aTaintCase001242() { + //TODO + return null; + } + } diff --git a/iast-java/src/main/java/com/iast/astbenchmark/cases/AstTaintCase004.java b/iast-java/src/main/java/com/iast/astbenchmark/cases/AstTaintCase004.java index b869a0a5..91158220 100644 --- a/iast-java/src/main/java/com/iast/astbenchmark/cases/AstTaintCase004.java +++ b/iast-java/src/main/java/com/iast/astbenchmark/cases/AstTaintCase004.java @@ -5,6 +5,7 @@ import com.iast.astbenchmark.cases.bean.SoureWithQueueBean; import com.iast.astbenchmark.cases.bean.SoureWithSetBean; import com.iast.astbenchmark.cases.bean.layers.LayerBaseBean99; +import com.iast.astbenchmark.analyser.cache.CaseTag; import com.iast.astbenchmark.common.CommonConsts; import com.iast.astbenchmark.common.utils.JDKSerializationUtil; import org.springframework.web.bind.annotation.PostMapping; @@ -32,30 +33,61 @@ public class AstTaintCase004 { * aTaintCase00125 污点对象跟踪粒度->变量级别->sink点的值非外部可控,但与某个参数值相同 * 这个case期望不能被检出污点 */ -// 考虑使用这个sink点 -// private PrintWriter pw = new PrintWriter(System.out); -// private void sink(Object obj) throws Exception{ -// pw.println(obj); -// pw.flush(); -// } + // 考虑使用这个sink点 + // private PrintWriter pw = new PrintWriter(System.out); + // private void sink(Object obj) throws Exception{ + // pw.println(obj); + // pw.flush(); + // } @PostMapping(value = "case00125") + @CaseTag( + caseNo = "aTaintCase00125", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->变量级别->sink点的值非外部可控,但与某个参数值相同", + thisMethodTag = "aTaintCase00125", + thisMethodExpectedResult = false + ) public Map aTaintCase00125(@RequestParam String cmd1, @RequestParam(defaultValue = "ls") String cmd2) { Map modelMap = new HashMap<>(); try { String exec = "ls"; Runtime.getRuntime().exec(exec); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { + modelMap.put("status", CommonConsts.ERROR_STR); + } + return modelMap; + } + + @PostMapping(value = "case00125/2") + @CaseTag( + caseNo = "aTaintCase00125", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->变量级别->sink点的值非外部可控,但与某个参数值相同", + thisMethodTag = "aTaintCase00125", + thisMethodExpectedResult = false + ) + public Map aTaintCase00125_2(@RequestParam String cmd1, @RequestParam(defaultValue = "") String cmd2) { + Map modelMap = new HashMap<>(); + try { + String exec = ""; + Runtime.getRuntime().exec(exec); + modelMap.put("status", CommonConsts.SUCCESS_STR); + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } /** - * aTaintCase00126 污点对象跟踪粒度->字段/元素级别->对象字段->单层简单对象部分字段为污点 + * aTaintCase00126 污点对象跟踪粒度->字段/元素级别->部分字段对象为污点->单层简单对象部分字段为污点 * /2为参照组,期望case被检测出,参照组不被检测出 */ @PostMapping(value = "case00126") + @CaseTag( + caseNo = "aTaintCase00126", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分字段对象为污点->单层简单对象部分字段为污点", + thisMethodTag = "aTaintCase00126", + thisMethodExpectedResult = true + ) public Map aTaintCase00126(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -64,13 +96,19 @@ public Map aTaintCase00126(@RequestParam String cmd) { simpleBean.setCmd2("cd /"); Runtime.getRuntime().exec(simpleBean.getCmd()); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00126/2") + @CaseTag( + caseNo = "aTaintCase00126", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分字段对象为污点->单层简单对象部分字段为污点", + thisMethodTag = "aTaintCase00126_2", + thisMethodExpectedResult = false + ) public Map aTaintCase00126_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -79,16 +117,22 @@ public Map aTaintCase00126_2(@RequestParam String cmd) { simpleBean.setCmd2("cd /"); Runtime.getRuntime().exec(simpleBean.getCmd2()); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } /** - * aTaintCase00127 污点对象跟踪粒度->字段/元素级别->对象字段->多层复杂对象部分字段为污点->污点来自父类 + * aTaintCase00127 污点对象跟踪粒度->字段/元素级别->部分字段对象为污点->多层复杂对象部分字段为污点->污点来自父类 */ @PostMapping(value = "case00127") + @CaseTag( + caseNo = "aTaintCase00127", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分字段对象为污点->多层复杂对象部分字段为污点->污点来自父类", + thisMethodTag = "aTaintCase00127", + thisMethodExpectedResult = true + ) public Map aTaintCase00127(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -99,13 +143,19 @@ public Map aTaintCase00127(@RequestParam String cmd) { simpleBean.setCmdb99("cd ~"); Runtime.getRuntime().exec(simpleBean.getCmda0()); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00127/2") + @CaseTag( + caseNo = "aTaintCase00127", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分字段对象为污点->多层复杂对象部分字段为污点->污点来自父类", + thisMethodTag = "aTaintCase00127_2", + thisMethodExpectedResult = false + ) public Map aTaintCase00127_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -116,16 +166,22 @@ public Map aTaintCase00127_2(@RequestParam String cmd) { simpleBean.setCmdb99("cd ~"); Runtime.getRuntime().exec(simpleBean.getCmdb0()); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } /** - * aTaintCase00128 污点对象跟踪粒度->字段/元素级别->对象字段->多层复杂对象部分字段为污点->污点来自子类 + * aTaintCase00128 污点对象跟踪粒度->字段/元素级别->部分字段对象为污点->多层复杂对象部分字段为污点->污点来自子类 */ @PostMapping(value = "case00128") + @CaseTag( + caseNo = "aTaintCase00128", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分字段对象为污点->多层复杂对象部分字段为污点->污点来当前类字段", + thisMethodTag = "aTaintCase00128", + thisMethodExpectedResult = true + ) public Map aTaintCase00128(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -136,13 +192,19 @@ public Map aTaintCase00128(@RequestParam String cmd) { simpleBean.setCmdb99("ls"); Runtime.getRuntime().exec(simpleBean.getCmda99()); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00128/2") + @CaseTag( + caseNo = "aTaintCase00128", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分字段对象为污点->多层复杂对象部分字段为污点->污点来当前类字段", + thisMethodTag = "aTaintCase00128_2", + thisMethodExpectedResult = false + ) public Map aTaintCase00128_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -154,16 +216,23 @@ public Map aTaintCase00128_2(@RequestParam String cmd) { Runtime.getRuntime().exec(simpleBean.getCmdb99()); ; modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } /** - * aTaintCase00129 污点对象跟踪粒度->字段/元素级别->数组元素->单维数组中的部分元素为污点 + * aTaintCase00129 污点对象跟踪粒度->字段/元素级别->部分数据元素为污点->单维数组中的部分元素为污点 */ @PostMapping(value = "case00129") + @CaseTag( + caseNo = "aTaintCase00129", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分数据元素为污点->单维数组中的部分元素为污点", + thisMethodTag = "aTaintCase00129", + thisMethodExpectedResult = true + ) + public Map aTaintCase00129(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -173,13 +242,19 @@ public Map aTaintCase00129(@RequestParam String cmd) { strings[2] = "cd /"; Runtime.getRuntime().exec(strings[1]); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00129/2") + @CaseTag( + caseNo = "aTaintCase00129", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分数据元素为污点->单维数组中的部分元素为污点", + thisMethodTag = "aTaintCase00129", + thisMethodExpectedResult = false + ) public Map aTaintCase00129_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { @@ -194,12 +269,17 @@ public Map aTaintCase00129_2(@RequestParam String cmd) { } return modelMap; } - /** - * aTaintCase00130 污点对象跟踪粒度->字段/元素级别->数组元素->多维数组中的部分元素为污点 + * aTaintCase00130 污点对象跟踪粒度->字段/元素级别->部分数据元素为污点->多维数组中的部分元素为污点 */ @PostMapping(value = "case00130") + @CaseTag( + caseNo = "aTaintCase00130", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分数据元素为污点->多维数组中的部分元素为污点", + thisMethodTag = "aTaintCase00130", + thisMethodExpectedResult = true + ) public Map aTaintCase00130(@RequestBody String[][] strings) { Map modelMap = new HashMap<>(); try { @@ -208,18 +288,24 @@ public Map aTaintCase00130(@RequestBody String[][] strings) { //strings[0][1] = cmd; //strings[1][0] = "cd /"; //strings[1][1] = "cd /home"; - strings[0][0]="ls"; + strings[0][0] = "ls"; strings[1][0] = "cd /"; strings[1][1] = "cd /home"; Runtime.getRuntime().exec(strings[0][1]); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00130/2") + @CaseTag( + caseNo = "aTaintCase00130", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分数据元素为污点->多维数组中的部分元素为污点", + thisMethodTag = "aTaintCase00130_2", + thisMethodExpectedResult = false + ) public Map aTaintCase00130_2(@RequestBody String[][] strings) { Map modelMap = new HashMap<>(); try { @@ -228,17 +314,23 @@ public Map aTaintCase00130_2(@RequestBody String[][] strings) { strings[1][1] = "cd /home"; Runtime.getRuntime().exec(strings[0][0]); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } /** - * aTaintCase00131 污点对象跟踪粒度->字段/元素级别->数组元素->部分元素为污点,序列化后再反序列化 + * aTaintCase00131 污点对象跟踪粒度->字段/元素级别->部分数据元素为污点->部分元素为污点,序列化后再反序列化 */ @PostMapping(value = "case00131") + @CaseTag( + caseNo = "aTaintCase00131", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分数据元素为污点->部分元素为污点,经过JDK序列化后再反序列化", + thisMethodTag = "aTaintCase00131", + thisMethodExpectedResult = true + ) public Map aTaintCase00131(@RequestBody String[][] strings) { Map modelMap = new HashMap<>(); try { @@ -249,7 +341,7 @@ public Map aTaintCase00131(@RequestBody String[][] strings) { String[][] res = JDKSerializationUtil.deSerialize(bytes); Runtime.getRuntime().exec(res[0][1]); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } catch (ClassNotFoundException e) { throw new RuntimeException(e); @@ -258,6 +350,12 @@ public Map aTaintCase00131(@RequestBody String[][] strings) { } @PostMapping(value = "case00131/2") + @CaseTag( + caseNo = "aTaintCase00131", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分数据元素为污点->部分元素为污点,经过JDK序列化后再反序列化", + thisMethodTag = "aTaintCase00131_2", + thisMethodExpectedResult = false + ) public Map aTaintCase00131_2(@RequestBody String[][] strings) { Map modelMap = new HashMap<>(); try { @@ -268,7 +366,7 @@ public Map aTaintCase00131_2(@RequestBody String[][] strings) { String[][] res = JDKSerializationUtil.deSerialize(bytes); Runtime.getRuntime().exec(res[0][0]); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } catch (ClassNotFoundException e) { throw new RuntimeException(e); @@ -277,9 +375,15 @@ public Map aTaintCase00131_2(@RequestBody String[][] strings) { } /** - * aTaintCase00132 污点对象跟踪粒度->字段/元素级别->集合元素->List中部分元素为污点 + * aTaintCase00132 污点对象跟踪粒度->字段/元素级别->部分集合元素为污点->List中部分元素为污点 */ @PostMapping(value = "case00132") + @CaseTag( + caseNo = "aTaintCase00132", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分集合元素为污点->List中部分元素为污点", + thisMethodTag = "aTaintCase00132", + thisMethodExpectedResult = true + ) public Map aTaintCase00132(@RequestBody List stringList) { Map modelMap = new HashMap<>(); try { @@ -287,13 +391,19 @@ public Map aTaintCase00132(@RequestBody List stringList) stringList.add("cd ~"); Runtime.getRuntime().exec(stringList.get(0)); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00132/2") + @CaseTag( + caseNo = "aTaintCase00132", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分集合元素为污点->List中部分元素为污点", + thisMethodTag = "aTaintCase00132_2", + thisMethodExpectedResult = false + ) public Map aTaintCase00132_2(@RequestBody List stringList) { Map modelMap = new HashMap<>(); try { @@ -301,16 +411,22 @@ public Map aTaintCase00132_2(@RequestBody List stringLis stringList.add("cd ~"); Runtime.getRuntime().exec(stringList.get(1)); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } /** - * aTaintCase00133 污点对象跟踪粒度->字段/元素级别->集合元素->Map中部分元素为污点 + * aTaintCase00133 污点对象跟踪粒度->字段/元素级别->部分集合元素为污点->Map中部分元素为污点 */ @PostMapping(value = "case00133") + @CaseTag( + caseNo = "aTaintCase00133", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分集合元素为污点->Map中部分元素为污点", + thisMethodTag = "aTaintCase00133", + thisMethodExpectedResult = true + ) public Map aTaintCase00133(@RequestBody Map map) { Map modelMap = new HashMap<>(); try { @@ -320,13 +436,19 @@ public Map aTaintCase00133(@RequestBody Map map) map.put("3", "cd ~"); Runtime.getRuntime().exec(map.get("1")); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00133/2") + @CaseTag( + caseNo = "aTaintCase00133", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分集合元素为污点->Map中部分元素为污点", + thisMethodTag = "aTaintCase00133_2", + thisMethodExpectedResult = false + ) public Map aTaintCase00133_2(@RequestBody Map map) { Map modelMap = new HashMap<>(); try { @@ -334,16 +456,22 @@ public Map aTaintCase00133_2(@RequestBody Map ma map.put("3", "cd ~"); Runtime.getRuntime().exec(map.get("2")); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } /** - * aTaintCase00134 污点对象跟踪粒度->字段/元素级别->集合元素->Set中部分元素为污点 + * aTaintCase00134 污点对象跟踪粒度->字段/元素级别->部分集合元素为污点->Set中部分元素为污点 */ @PostMapping(value = "case00134") + @CaseTag( + caseNo = "aTaintCase00134", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分集合元素为污点->Set中部分元素为污点", + thisMethodTag = "aTaintCase00134", + thisMethodExpectedResult = true + ) public Map aTaintCase00134(@RequestBody SoureWithSetBean setBean) { Map modelMap = new HashMap<>(); Set set = setBean.getValue(); @@ -363,6 +491,12 @@ public Map aTaintCase00134(@RequestBody SoureWithSetBean setBean } @PostMapping(value = "case00134/2") + @CaseTag( + caseNo = "aTaintCase00134", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分集合元素为污点->Set中部分元素为污点", + thisMethodTag = "aTaintCase00134", + thisMethodExpectedResult = false + ) public Map aTaintCase00134_2(@RequestBody SoureWithSetBean setBean) { Map modelMap = new HashMap<>(); Set set = setBean.getValue(); @@ -382,9 +516,15 @@ public Map aTaintCase00134_2(@RequestBody SoureWithSetBean setBe } /** - * aTaintCase00135 污点对象跟踪粒度->字段/元素级别->集合元素->Queue中部分元素为污点 + * aTaintCase00135 污点对象跟踪粒度->字段/元素级别->部分集合元素为污点->Queue中部分元素为污点 */ @PostMapping(value = "case00135") + @CaseTag( + caseNo = "aTaintCase00135", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分集合元素为污点->Queue中部分元素为污点", + thisMethodTag = "aTaintCase00135", + thisMethodExpectedResult = true + ) public Map aTaintCase00135(@RequestBody SoureWithQueueBean queueBean) { Map modelMap = new HashMap<>(); Queue queue = queueBean.getQueue(); @@ -404,6 +544,12 @@ public Map aTaintCase00135(@RequestBody SoureWithQueueBean queue } @PostMapping(value = "case00135/2") + @CaseTag( + caseNo = "aTaintCase00135", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分集合元素为污点->Queue中部分元素为污点", + thisMethodTag = "aTaintCase00135", + thisMethodExpectedResult = false + ) public Map aTaintCase00135_2(@RequestBody SoureWithQueueBean queueBean) { Map modelMap = new HashMap<>(); Queue queue = queueBean.getQueue(); @@ -423,10 +569,17 @@ public Map aTaintCase00135_2(@RequestBody SoureWithQueueBean que } /** - * aTaintCase00136 污点对象跟踪粒度->字段/元素级别->集合元素->集合中部分元素为污点,序列化后再反序列化 + * aTaintCase00136 污点对象跟踪粒度->字段/元素级别->部分集合元素为污点->集合中部分元素为污点,序列化后再反序列化 */ @PostMapping(value = "case00136") + @CaseTag( + caseNo = "aTaintCase00136", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分集合元素为污点->集合中部分元素为污点,经过JDK序列化后再反序列化", + thisMethodTag = "aTaintCase00136", + thisMethodExpectedResult = true + ) + public Map aTaintCase00136(@RequestBody List list) { Map modelMap = new HashMap<>(); try { @@ -438,7 +591,7 @@ public Map aTaintCase00136(@RequestBody List list) { List strings = JDKSerializationUtil.deSerialize(bytes); Runtime.getRuntime().exec(strings.get(0)); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } catch (ClassNotFoundException e) { throw new RuntimeException(e); @@ -447,6 +600,13 @@ public Map aTaintCase00136(@RequestBody List list) { } @PostMapping(value = "case00136/2") + @CaseTag( + caseNo = "aTaintCase00136", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分集合元素为污点->集合中部分元素为污点,经过JDK序列化后再反序列化", + thisMethodTag = "aTaintCase00136", + thisMethodExpectedResult = false + ) + public Map aTaintCase00136_2(@RequestBody List list) { Map modelMap = new HashMap<>(); try { @@ -458,7 +618,7 @@ public Map aTaintCase00136_2(@RequestBody List list) { List strings = JDKSerializationUtil.deSerialize(bytes); Runtime.getRuntime().exec(strings.get(1)); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } catch (ClassNotFoundException e) { throw new RuntimeException(e); @@ -496,519 +656,772 @@ public Map aTaintCase00136_2(@RequestBody List list) { //} @PostMapping(value = "case00940") + + @CaseTag( + caseNo = "aTaintCase00940", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->String操作->replcace", + thisMethodTag = "aTaintCase00940", + thisMethodExpectedResult = true + ) public Map aTaintCase00940(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc"; String urlfull = hardcode + cmd; - String data=urlfull.replace(hardcode,""); + String data = urlfull.replace(hardcode, ""); Runtime.getRuntime().exec(data); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00940/2") + @CaseTag( + caseNo = "aTaintCase00940", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->String操作->replcace", + thisMethodTag = "aTaintCase00940_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00940_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { Runtime.getRuntime().exec(cmd); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } + @PostMapping(value = "case00940/3") + @CaseTag( + caseNo = "aTaintCase00940", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->String操作->replcace", + thisMethodTag = "aTaintCase00940_3", + thisMethodExpectedResult = false + ) public Map aTaintCase00940_3(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc"; String cmdfull = hardcode + cmd; - String data=cmdfull.replace(cmd,""); + String data = cmdfull.replace(cmd, ""); Runtime.getRuntime().exec(data); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00941") + @CaseTag( + caseNo = "aTaintCase00941", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->String操作->replcaceAll", + thisMethodTag = "aTaintCase00941", + thisMethodExpectedResult = true + ) public Map aTaintCase00941(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc"; - String cmdfull = hardcode + cmd+hardcode; - String data=cmdfull.replaceAll(hardcode,""); + String cmdfull = hardcode + cmd + hardcode; + String data = cmdfull.replaceAll(hardcode, ""); Runtime.getRuntime().exec(data); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00941/2") + @CaseTag( + caseNo = "aTaintCase00941", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->String操作->replcaceAll", + thisMethodTag = "aTaintCase00941_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00941_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { Runtime.getRuntime().exec(cmd); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } + @PostMapping(value = "case00941/3") + @CaseTag( + caseNo = "aTaintCase00941", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->String操作->replcaceAll", + thisMethodTag = "aTaintCase00941_3", + thisMethodExpectedResult = false + ) public Map aTaintCase00941_3(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc"; - String cmdfull = hardcode + cmd+hardcode; - String data=cmdfull.replaceAll(cmd,""); + String cmdfull = hardcode + cmd + hardcode; + String data = cmdfull.replaceAll(cmd, ""); Runtime.getRuntime().exec(data); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00942") + @CaseTag( + caseNo = "aTaintCase00942", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->String操作->split", + thisMethodTag = "aTaintCase00942", + thisMethodExpectedResult = true + ) public Map aTaintCase00942(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc@"; String cmdfull = hardcode + cmd; - String[] data=cmdfull.split("@"); + String[] data = cmdfull.split("@"); Runtime.getRuntime().exec(data[1]); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00942/2") + @CaseTag( + caseNo = "aTaintCase00942", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->String操作->split", + thisMethodTag = "aTaintCase00942_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00942_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { Runtime.getRuntime().exec(cmd); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00942/3") + @CaseTag( + caseNo = "aTaintCase00942", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->String操作->split", + thisMethodTag = "aTaintCase00942_3", + thisMethodExpectedResult = false + ) public Map aTaintCase00942_3(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc@"; String cmdfull = hardcode + cmd; - String[] data=cmdfull.split("@"); + String[] data = cmdfull.split("@"); Runtime.getRuntime().exec(data[0]); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00943") + @CaseTag( + caseNo = "aTaintCase00943", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->String操作->subSequence", + thisMethodTag = "aTaintCase00943", + thisMethodExpectedResult = true + ) public Map aTaintCase00943(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc"; String cmdfull = hardcode + cmd; - CharSequence data=cmdfull.subSequence(hardcode.length(),cmdfull.length()); + CharSequence data = cmdfull.subSequence(hardcode.length(), cmdfull.length()); Runtime.getRuntime().exec(data.toString()); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00943/2") + @CaseTag( + caseNo = "aTaintCase00943", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->String操作->subSequence", + thisMethodTag = "aTaintCase00943_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00943_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { Runtime.getRuntime().exec(cmd); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } + @PostMapping(value = "case00943/3") + @CaseTag( + caseNo = "aTaintCase00943", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->String操作->subSequence", + thisMethodTag = "aTaintCase00943_3", + thisMethodExpectedResult = false + ) public Map aTaintCase00943_3(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc"; String cmdfull = hardcode + cmd; - CharSequence data=cmdfull.subSequence(0,hardcode.length()); + CharSequence data = cmdfull.subSequence(0, hardcode.length()); Runtime.getRuntime().exec(data.toString()); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } - @PostMapping(value = "case00944") + @CaseTag( + caseNo = "aTaintCase00944", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->String操作->substring", + thisMethodTag = "aTaintCase00944", + thisMethodExpectedResult = true + ) + public Map aTaintCase00944(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc"; String cmdfull = hardcode + cmd; - String data=cmdfull.substring(hardcode.length()); + String data = cmdfull.substring(hardcode.length()); Runtime.getRuntime().exec(data); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00944/2") + @CaseTag( + caseNo = "aTaintCase00944", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->String操作->substring", + thisMethodTag = "aTaintCase00944_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00944_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { Runtime.getRuntime().exec(cmd); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00944/3") + @CaseTag( + caseNo = "aTaintCase00944", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->String操作->substring", + thisMethodTag = "aTaintCase00944_3", + thisMethodExpectedResult = false + ) public Map aTaintCase00944_3(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc"; String cmdfull = hardcode + cmd; - String data=cmdfull.substring(0,hardcode.length()); + String data = cmdfull.substring(0, hardcode.length()); Runtime.getRuntime().exec(data); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00945") + @CaseTag( + caseNo = "aTaintCase00945", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->String操作->trim", + thisMethodTag = "aTaintCase00945", + thisMethodExpectedResult = true + ) public Map aTaintCase00945(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = " "; - String cmdfull = hardcode + cmd+hardcode; - String data=cmdfull.trim(); + String cmdfull = hardcode + cmd + hardcode; + String data = cmdfull.trim(); Runtime.getRuntime().exec(data); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00945/2") + @CaseTag( + caseNo = "aTaintCase00945", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->String操作->trim", + thisMethodTag = "aTaintCase00945_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00945_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { Runtime.getRuntime().exec(cmd); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00946") + @CaseTag( + caseNo = "aTaintCase00946", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->StringBuilder操作->delete", + thisMethodTag = "aTaintCase00946", + thisMethodExpectedResult = true + ) public Map aTaintCase00946(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc"; - StringBuilder builder = new StringBuilder(hardcode+cmd); - builder.delete(0,hardcode.length()); + StringBuilder builder = new StringBuilder(hardcode + cmd); + builder.delete(0, hardcode.length()); Runtime.getRuntime().exec(builder.toString()); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } + @PostMapping(value = "case00946/2") + @CaseTag( + caseNo = "aTaintCase00946", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->StringBuilder操作->delete", + thisMethodTag = "aTaintCase00946_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00946_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { Runtime.getRuntime().exec(cmd); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } + @PostMapping(value = "case00946/3") + @CaseTag( + caseNo = "aTaintCase00946", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->StringBuilder操作->delete", + thisMethodTag = "aTaintCase00946_3", + thisMethodExpectedResult = false + ) public Map aTaintCase00946_3(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc"; - StringBuilder builder = new StringBuilder(hardcode+cmd); - builder.delete(hardcode.length(),builder.length()); + StringBuilder builder = new StringBuilder(hardcode + cmd); + builder.delete(hardcode.length(), builder.length()); Runtime.getRuntime().exec(builder.toString()); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } + @PostMapping(value = "case00947") + + @CaseTag( + caseNo = "aTaintCase00947", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->StringBuilder操作->deleteCharAt", + thisMethodTag = "aTaintCase00947", + thisMethodExpectedResult = true + ) public Map aTaintCase00947(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "a"; - StringBuilder builder = new StringBuilder(hardcode+cmd); + StringBuilder builder = new StringBuilder(hardcode + cmd); builder.deleteCharAt(0); Runtime.getRuntime().exec(builder.toString()); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } + @PostMapping(value = "case00947/2") + + @CaseTag( + caseNo = "aTaintCase00947", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->StringBuilder操作->deleteCharAt", + thisMethodTag = "aTaintCase00947_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00947_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { Runtime.getRuntime().exec(cmd); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } + @PostMapping(value = "case00947/3") + @CaseTag( + caseNo = "aTaintCase00947", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->StringBuilder操作->deleteCharAt", + thisMethodTag = "aTaintCase00947_3", + thisMethodExpectedResult = false + ) public Map aTaintCase00947_3(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "a"; - StringBuilder builder = new StringBuilder(hardcode+cmd); + StringBuilder builder = new StringBuilder(hardcode + cmd); builder.deleteCharAt(1); Runtime.getRuntime().exec(builder.toString()); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } - @PostMapping(value = "case00948") + @CaseTag( + caseNo = "aTaintCase00948", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->StringBuilder操作->getChars", + thisMethodTag = "aTaintCase00948", + thisMethodExpectedResult = true + ) public Map aTaintCase00948(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "aa"; - char[] aa=new char[2]; - StringBuilder builder = new StringBuilder(hardcode+cmd); - builder.getChars(2,4,aa,0); + char[] aa = new char[2]; + StringBuilder builder = new StringBuilder(hardcode + cmd); + builder.getChars(2, 4, aa, 0); Runtime.getRuntime().exec(new String(aa)); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00948/2") + @CaseTag( + caseNo = "aTaintCase00948", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->StringBuilder操作->getChars", + thisMethodTag = "aTaintCase00948_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00948_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { Runtime.getRuntime().exec(cmd); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } + @PostMapping(value = "case00948/3") + @CaseTag( + caseNo = "aTaintCase00948", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->StringBuilder操作->getChars", + thisMethodTag = "aTaintCase00948_3", + thisMethodExpectedResult = false + ) public Map aTaintCase00948_3(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "aa"; - char[] aa=new char[2]; - StringBuilder builder = new StringBuilder(hardcode+cmd); - builder.getChars(0,2,aa,0); + char[] aa = new char[2]; + StringBuilder builder = new StringBuilder(hardcode + cmd); + builder.getChars(0, 2, aa, 0); Runtime.getRuntime().exec(new String(aa)); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00949") + @CaseTag( + caseNo = "aTaintCase00949", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->StringBuilder操作->replace", + thisMethodTag = "aTaintCase00949", + thisMethodExpectedResult = false + ) public Map aTaintCase00949(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc"; - StringBuilder builder = new StringBuilder(hardcode+cmd); - builder.replace(0,builder.length(),hardcode); + StringBuilder builder = new StringBuilder(hardcode + cmd); + builder.replace(0, builder.length(), hardcode); Runtime.getRuntime().exec(builder.toString()); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } + @PostMapping(value = "case00949/2") + + @CaseTag( + caseNo = "aTaintCase00949", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->StringBuilder操作->replace", + thisMethodTag = "aTaintCase00949_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00949_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { Runtime.getRuntime().exec(cmd); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } + @PostMapping(value = "case00949/3") + @CaseTag( + caseNo = "aTaintCase00949", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->StringBuilder操作->replace", + thisMethodTag = "aTaintCase00949_3", + thisMethodExpectedResult = true + ) public Map aTaintCase00949_3(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc"; - StringBuilder builder = new StringBuilder(hardcode+cmd); - builder.replace(0,builder.length(),cmd); + StringBuilder builder = new StringBuilder(hardcode + cmd); + builder.replace(0, builder.length(), cmd); Runtime.getRuntime().exec(builder.toString()); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } + @PostMapping(value = "case00950") + @CaseTag( + caseNo = "aTaintCase00950", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->StringBuilder操作->subSequence", + thisMethodTag = "aTaintCase00950", + thisMethodExpectedResult = true + ) public Map aTaintCase00950(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc"; - StringBuilder builder = new StringBuilder(hardcode+cmd); - CharSequence res = builder.subSequence(hardcode.length(),builder.length()); + StringBuilder builder = new StringBuilder(hardcode + cmd); + CharSequence res = builder.subSequence(hardcode.length(), builder.length()); Runtime.getRuntime().exec(res.toString()); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } + @PostMapping(value = "case00950/2") + @CaseTag( + caseNo = "aTaintCase00950", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->StringBuilder操作->subSequence", + thisMethodTag = "aTaintCase00950_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00950_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { Runtime.getRuntime().exec(cmd); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } + @PostMapping(value = "case00950/3") + @CaseTag( + caseNo = "aTaintCase00950", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->StringBuilder操作->subSequence", + thisMethodTag = "aTaintCase00950_3", + thisMethodExpectedResult = false + ) public Map aTaintCase00950_3(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc"; - StringBuilder builder = new StringBuilder(hardcode+cmd); - CharSequence res = builder.subSequence(0,hardcode.length()); + StringBuilder builder = new StringBuilder(hardcode + cmd); + CharSequence res = builder.subSequence(0, hardcode.length()); Runtime.getRuntime().exec(res.toString()); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00951") + @CaseTag( + caseNo = "aTaintCase00951", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->StringBuilder操作->substring", + thisMethodTag = "aTaintCase00951", + thisMethodExpectedResult = true + ) + public Map aTaintCase00951(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc"; - StringBuilder builder = new StringBuilder(hardcode+cmd); + StringBuilder builder = new StringBuilder(hardcode + cmd); String res = builder.substring(hardcode.length()); Runtime.getRuntime().exec(res); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } + @PostMapping(value = "case00951/2") + @CaseTag( + caseNo = "aTaintCase00951", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->StringBuilder操作->substring", + thisMethodTag = "aTaintCase00951_2", + thisMethodExpectedResult = true + ) + public Map aTaintCase00951_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { Runtime.getRuntime().exec(cmd); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } + @PostMapping(value = "case00951/3") + @CaseTag( + caseNo = "aTaintCase00951", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->StringBuilder操作->substring", + thisMethodTag = "aTaintCase00951_3", + thisMethodExpectedResult = true + ) public Map aTaintCase00951_3(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc"; - StringBuilder builder = new StringBuilder(hardcode+cmd); - String res = builder.substring(0,hardcode.length()); + StringBuilder builder = new StringBuilder(hardcode + cmd); + String res = builder.substring(0, hardcode.length()); Runtime.getRuntime().exec(res); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00952") + @CaseTag( + caseNo = "aTaintCase00952", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->char[]/byte[]操作->copyOfRange", + thisMethodTag = "aTaintCase00952", + thisMethodExpectedResult = true + ) public Map aTaintCase00952(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc"; - String aa = hardcode+cmd; - char[] chars = aa.toCharArray(); - char[] data = Arrays.copyOfRange(chars,hardcode.length(),chars.length);; + String aa = hardcode + cmd; + char[] chars = aa.toCharArray(); + char[] data = Arrays.copyOfRange(chars, hardcode.length(), chars.length); + ; Runtime.getRuntime().exec(new String(data)); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } + @PostMapping(value = "case00952/2") + @CaseTag( + caseNo = "aTaintCase00952", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->char[]/byte[]操作->copyOfRange", + thisMethodTag = "aTaintCase00952_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00952_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { Runtime.getRuntime().exec(cmd); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } + @PostMapping(value = "case00952/3") + @CaseTag( + caseNo = "aTaintCase00952", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分->char[]/byte[]操作->copyOfRange", + thisMethodTag = "aTaintCase00952_2", + thisMethodExpectedResult = false + ) public Map aTaintCase00952_3(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "ab"; - String aa = hardcode+cmd; + String aa = hardcode + cmd; char[] chars = aa.toCharArray(); - char[] data = Arrays.copyOfRange(chars,0,hardcode.length());; + char[] data = Arrays.copyOfRange(chars, 0, hardcode.length()); + ; Runtime.getRuntime().exec(new String(data)); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; @@ -1016,153 +1429,220 @@ public Map aTaintCase00952_3(@RequestParam String cmd) { /** * 字符串部分存在污点->截取非污点部分后再拼接污点->String操作->concat@aTaintCase00953 + * * @param cmd * @return */ @PostMapping(value = "case00953") + @CaseTag( + caseNo = "aTaintCase00953", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分后再拼接污点->String操作->concat", + thisMethodTag = "aTaintCase00953", + thisMethodExpectedResult = true + ) + public Map aTaintCase00953(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "ls"; String cmdfull = hardcode + cmd; - String data1=cmdfull.substring(0,hardcode.length()); //截取到非无污点数据 - String dara2=data1.concat(cmd); //再拼接上污点 + String data1 = cmdfull.substring(0, hardcode.length()); //截取到非无污点数据 + String dara2 = data1.concat(cmd); //再拼接上污点 Runtime.getRuntime().exec(dara2); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } + @PostMapping(value = "case00953/1") + @CaseTag( + caseNo = "aTaintCase00953", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分后再拼接污点->String操作->concat", + thisMethodTag = "aTaintCase00953_1", + thisMethodExpectedResult = false + ) public Map aTaintCase00953_1(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "ls"; String cmdfull = hardcode + cmd; - String data1=cmdfull.substring(0,hardcode.length()); - String dara2=data1.concat(hardcode); //再拼接上非污点 + String data1 = cmdfull.substring(0, hardcode.length()); + String dara2 = data1.concat(hardcode); //再拼接上非污点 Runtime.getRuntime().exec(dara2); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00953/2") + @CaseTag( + caseNo = "aTaintCase00953", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分后再拼接污点->String操作->concat", + thisMethodTag = "aTaintCase00953_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00953_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { Runtime.getRuntime().exec(cmd); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } - @PostMapping(value = "case00954") + @CaseTag( + caseNo = "aTaintCase00954", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分后再拼接污点->String操作->join", + thisMethodTag = "aTaintCase00954", + thisMethodExpectedResult = true + ) + public Map aTaintCase00954(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "ls"; String cmdfull = hardcode + cmd; - String data1=cmdfull.substring(0,hardcode.length()); - String dara2=String.join(cmd,data1,hardcode); + String data1 = cmdfull.substring(0, hardcode.length()); + String dara2 = String.join(cmd, data1, hardcode); Runtime.getRuntime().exec(dara2); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } + @PostMapping(value = "case00954/1") + @CaseTag( + caseNo = "aTaintCase00954", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分后再拼接污点->String操作->join", + thisMethodTag = "aTaintCase00954_1", + thisMethodExpectedResult = false + ) + public Map aTaintCase00954_1(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "ls"; String cmdfull = hardcode + cmd; - String data1=cmdfull.substring(0,hardcode.length()); - String dara2=String.join(hardcode,data1,hardcode); + String data1 = cmdfull.substring(0, hardcode.length()); + String dara2 = String.join(hardcode, data1, hardcode); Runtime.getRuntime().exec(dara2); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00954/2") + @CaseTag( + caseNo = "aTaintCase00954", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分后再拼接污点->String操作->join", + thisMethodTag = "aTaintCase00954_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00954_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { Runtime.getRuntime().exec(cmd); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } - /** * 字符串部分存在污点->截取非污点部分后再拼接污点->String操作->replace@aTaintCase00955 + * * @param cmd * @return */ @PostMapping(value = "case00955") + @CaseTag( + caseNo = "aTaintCase00955", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分后再拼接污点->String操作->replace", + thisMethodTag = "aTaintCase00955", + thisMethodExpectedResult = true + ) public Map aTaintCase00955(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc"; String cmdfull = hardcode + cmd; - String data1=cmdfull.replace(cmd,""); //去掉污点 - String dara2=data1+cmd; //拼接污点 + String data1 = cmdfull.replace(cmd, ""); //去掉污点 + String dara2 = data1 + cmd; //拼接污点 Runtime.getRuntime().exec(dara2); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00955/2") + @CaseTag( + caseNo = "aTaintCase00955", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分后再拼接污点->String操作->replace", + thisMethodTag = "aTaintCase00955_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00955_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { Runtime.getRuntime().exec(cmd); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00956") + @CaseTag( + caseNo = "aTaintCase00956", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分后再拼接污点->String操作->replaceAll", + thisMethodTag = "aTaintCase00956", + thisMethodExpectedResult = true + ) + public Map aTaintCase00956(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc"; - String cmdfull = cmd+hardcode + cmd; - String data1=cmdfull.replaceAll(cmd,""); //去掉污点 - String dara2=data1+cmd; //拼接污点 + String cmdfull = cmd + hardcode + cmd; + String data1 = cmdfull.replaceAll(cmd, ""); //去掉污点 + String dara2 = data1 + cmd; //拼接污点 Runtime.getRuntime().exec(dara2); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00956/2") + @CaseTag( + caseNo = "aTaintCase00956", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分后再拼接污点->String操作->replaceAll", + thisMethodTag = "aTaintCase00956_2", + thisMethodExpectedResult = true + ) + public Map aTaintCase00956_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { Runtime.getRuntime().exec(cmd); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; @@ -1170,135 +1650,190 @@ public Map aTaintCase00956_2(@RequestParam String cmd) { /** * cmd = " " + * * @param cmd * @return */ @PostMapping(value = "case00957") + @CaseTag( + caseNo = "aTaintCase00957", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分后再拼接污点->String操作->trim", + thisMethodTag = "aTaintCase00957", + thisMethodExpectedResult = true + ) public Map aTaintCase00957(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "ls"; - String cmdfull = cmd+hardcode + cmd; - String data1=cmdfull.trim(); //去掉污点 - String dara2=data1+cmd; //拼接污点 + String cmdfull = cmd + hardcode + cmd; + String data1 = cmdfull.trim(); //去掉污点 + String dara2 = data1 + cmd; //拼接污点 Runtime.getRuntime().exec(dara2); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00957/2") + @CaseTag( + caseNo = "aTaintCase00957", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分后再拼接污点->String操作->trim", + thisMethodTag = "aTaintCase00957_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00957_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { Runtime.getRuntime().exec(cmd); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } + @PostMapping(value = "case00958") + @CaseTag( + caseNo = "aTaintCase00958", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分后再拼接污点->StringBuilder操作->append", + thisMethodTag = "aTaintCase00958", + thisMethodExpectedResult = true + ) public Map aTaintCase00958(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc"; StringBuilder cmdfull = new StringBuilder(hardcode + cmd); - StringBuilder data1=cmdfull.replace(hardcode.length(),cmdfull.length(),""); + StringBuilder data1 = cmdfull.replace(hardcode.length(), cmdfull.length(), ""); data1.append(cmd); Runtime.getRuntime().exec(data1.toString()); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00958/2") + @CaseTag( + caseNo = "aTaintCase00958", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分后再拼接污点->StringBuilder操作->append", + thisMethodTag = "aTaintCase00958_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00958_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { Runtime.getRuntime().exec(cmd); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00959") + @CaseTag( + caseNo = "aTaintCase00959", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分后再拼接污点->StringBuilder操作->replace", + thisMethodTag = "aTaintCase00959", + thisMethodExpectedResult = true + ) public Map aTaintCase00959(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc"; StringBuilder cmdfull = new StringBuilder(hardcode + cmd); - StringBuilder data1=cmdfull.replace(hardcode.length(),cmdfull.length(),""); + StringBuilder data1 = cmdfull.replace(hardcode.length(), cmdfull.length(), ""); data1.append(cmd); Runtime.getRuntime().exec(data1.toString()); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00959/2") + @CaseTag( + caseNo = "aTaintCase00959", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分后再拼接污点->StringBuilder操作->replace", + thisMethodTag = "aTaintCase00959_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00959_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { Runtime.getRuntime().exec(cmd); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } @PostMapping(value = "case00960") + @CaseTag( + caseNo = "aTaintCase00960", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字符串级别->字符串部分存在污点->截取非污点部分后再拼接污点->char[]/byte[]操作->copyOfRange", + thisMethodTag = "aTaintCase00960", + thisMethodExpectedResult = true + ) public Map aTaintCase00960(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { String hardcode = "abc"; - String aa = hardcode+cmd; + String aa = hardcode + cmd; char[] chars = aa.toCharArray(); - char[] data = Arrays.copyOfRange(chars,0,hardcode.length());//非无污点部分 + char[] data = Arrays.copyOfRange(chars, 0, hardcode.length());//非无污点部分 //char result[] = new char[info.length + data.length]; //System.arraycopy(info, 0, result, 0, info.length); //System.arraycopy(data, 0, result, info.length, data.length); char[] cmdChars = cmd.toCharArray(); - char[] res= new char[data.length+cmd.length()]; //将污点与非污点组合 + char[] res = new char[data.length + cmd.length()]; //将污点与非污点组合 for (int i = 0; i < res.length; i++) { - if(i aTaintCase00960_2(@RequestParam String cmd) { Map modelMap = new HashMap<>(); try { Runtime.getRuntime().exec(cmd); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; } - - @PostMapping(value = "case00142") + @CaseTag( + caseNo = "aTaintCase00142", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分字段对象为污点->对象部分字段为污点,经过JDK序列化后再反序列化", + thisMethodTag = "aTaintCase00142", + thisMethodExpectedResult = true + ) public Map aTaintCase00142(@RequestBody SourceTestObject testObject) { Map modelMap = new HashMap<>(); try { @@ -1308,20 +1843,27 @@ public Map aTaintCase00142(@RequestBody SourceTestObject testObj SourceTestObject object = JDKSerializationUtil.deSerialize(bytes); Runtime.getRuntime().exec(object.getCmd()); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } catch (ClassNotFoundException e) { throw new RuntimeException(e); } return modelMap; } + @PostMapping(value = "case00142/2") + @CaseTag( + caseNo = "aTaintCase00142", + caseFullName = "IAST引擎能力评估体系(JAVA)->准确度->污点对象跟踪粒度->字段/元素级别->部分字段对象为污点->对象部分字段为污点,经过JDK序列化后再反序列化", + thisMethodTag = "aTaintCase00142_2", + thisMethodExpectedResult = true + ) public Map aTaintCase00142_2(@RequestBody SourceTestObject testObject) { Map modelMap = new HashMap<>(); try { Runtime.getRuntime().exec(testObject.getCmd()); modelMap.put("status", CommonConsts.SUCCESS_STR); - } catch (IOException e) { + } catch (IOException e) { modelMap.put("status", CommonConsts.ERROR_STR); } return modelMap; diff --git a/iast-java/src/main/java/com/iast/astbenchmark/cases/AstTaintOtherCasesForxind.java b/iast-java/src/main/java/com/iast/astbenchmark/cases/AstTaintOtherCasesForxind.java new file mode 100644 index 00000000..3184f743 --- /dev/null +++ b/iast-java/src/main/java/com/iast/astbenchmark/cases/AstTaintOtherCasesForxind.java @@ -0,0 +1,5 @@ +package com.iast.astbenchmark.cases; + +public class AstTaintOtherCasesForxind { + +} diff --git a/iast-java/src/main/java/com/iast/astbenchmark/cases/TestController.java b/iast-java/src/main/java/com/iast/astbenchmark/cases/TestController.java index ad397b99..4a263bf8 100644 --- a/iast-java/src/main/java/com/iast/astbenchmark/cases/TestController.java +++ b/iast-java/src/main/java/com/iast/astbenchmark/cases/TestController.java @@ -6,8 +6,7 @@ import com.iast.astbenchmark.analyser.service.DataAnalysisService; import com.iast.astbenchmark.analyser.bean.CaseDataCollectResultBean; import com.iast.astbenchmark.analyser.bean.consts.VendorEnum; -import com.iast.astbenchmark.analyser.factory.stategy.IastCaseDataTransfer; -import com.iast.astbenchmark.analyser.factory.stategy.SeekerCaseDataTransfer; +import com.iast.astbenchmark.analyser.cache.AnnotationProcessorUtil; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.PathVariable; @@ -52,4 +51,9 @@ public void test003(@PathVariable Long id) { } System.out.println(res); } + + @PostMapping(value = "process") + public void test004() { + AnnotationProcessorUtil.processAnnotations(AstTaintCase001.class); + } } diff --git a/iast-java/src/main/java/com/iast/astbenchmark/cli/MyCommands.java b/iast-java/src/main/java/com/iast/astbenchmark/cli/IastBenchmarkCommand.java similarity index 84% rename from iast-java/src/main/java/com/iast/astbenchmark/cli/MyCommands.java rename to iast-java/src/main/java/com/iast/astbenchmark/cli/IastBenchmarkCommand.java index 9c522525..6c54b909 100644 --- a/iast-java/src/main/java/com/iast/astbenchmark/cli/MyCommands.java +++ b/iast-java/src/main/java/com/iast/astbenchmark/cli/IastBenchmarkCommand.java @@ -6,6 +6,7 @@ import com.iast.astbenchmark.analyser.bean.consts.VendorEnum; import com.iast.astbenchmark.analyser.service.ConfigService; import com.iast.astbenchmark.analyser.service.DataAnalysisService; +import com.iast.astbenchmark.analyser.util.MermindUtil; import com.iast.astbenchmark.cli.test.AutoRunTest; import com.iast.astbenchmark.cli.xmind.XmindUtil; import lombok.extern.slf4j.Slf4j; @@ -27,7 +28,7 @@ @ShellComponent @Slf4j -public class MyCommands { +public class IastBenchmarkCommand { @Autowired private DataAnalysisService dataAnalysisService; @@ -42,7 +43,7 @@ public PromptProvider promptProvider() { * 1 run Test ? */ - @ShellMethod("-v :input vendor;-p :input file;-c :input checkFlag;-o :result to file") + @ShellMethod("分析iast软件的跑测结果 -v :input vendor;-p :input file;-c :input checkFlag;-o :result to file") public String analysis(@ShellOption("-v") String vendor , @ShellOption(defaultValue = "", value = "-p") String path, @ShellOption(defaultValue = "", value = "-c") String checkFlag, @ShellOption(defaultValue = "", value = "-o") String resultFile) { @@ -77,7 +78,7 @@ public String analysis(@ShellOption("-v") String vendor } } - @ShellMethod("-i :input reportId;-o :result to file;-l list ;-x export results(xmind,plain txt...)") + @ShellMethod("查询已跑测的结果报告 -i :input reportId;-o :result to file;-l list ;-x export results(xmind,plain txt...)") public String search(@ShellOption(value = {"-i"}, defaultValue = "") String reportId, @ShellOption(defaultValue = "", value = "-o") String resultFile , @ShellOption(defaultValue = "", value = "-l") String listId, @@ -111,7 +112,7 @@ public String search(@ShellOption(value = {"-i"}, defaultValue = "") String repo return "请根据提示输入操作"; } - @ShellMethod("-a :input reportId1;-b: input reportId2;-o:result to file; (compare reportId1 to reportId2)") + @ShellMethod("对比两次跑测报告的差异 -a :input reportId1;-b: input reportId2;-o:result to file; (compare reportId1 to reportId2)") public String compare(@ShellOption(value = "-a") String reportId1, @ShellOption(value = "-b") String reportId2, @ShellOption(defaultValue = "", value = "-o") String resultFile) { try { @@ -134,7 +135,7 @@ public String compare(@ShellOption(value = "-a") String reportId1, @ShellOption( } } - @ShellMethod("-m :input MethodName(Which is CaseTag. eg:aTaintCase001);-i: input benchmark host (eg: http://localhost:39100/)") + @ShellMethod("跑测靶场 -m :input MethodName(Which is CaseTag. eg:aTaintCase001);-i: input benchmark host (eg: http://localhost:39100/)") public String runtest(@ShellOption(value = {"-m"}, defaultValue = "") String methodName, @ShellOption(defaultValue = "", value = "-i") String url) { @@ -150,7 +151,27 @@ public String runtest(@ShellOption(value = {"-m"}, defaultValue = "") String met } } + @ShellMethod("导出评价体系脑图(mermind格式) -o :mermind scripts to md file") + public String mermind(@ShellOption(defaultValue = "", value = "-o") String resultFile) { + + try { + if(StrUtil.isNotEmpty(resultFile)&&resultFile.endsWith(".md")){ + return "ERROR:请输入以md结尾的markdown文档"; + } + String res = MermindUtil.printMermindScript(); + if(StrUtil.isNotEmpty(resultFile)){ + FileUtil.writeString(res, resultFile, Charset.forName("utf-8")); + return "结果已写入文件" + resultFile + "请查看"; + } + return res; + } catch (Exception e) { + log.error("跑测异常:{}", e); + return "ERROR:跑测异常"; + } + } + private String checkParamSearch(String reportId, String resultFile, String vendor, Boolean exportFlag) { + if (StrUtil.isNotEmpty(reportId) && StrUtil.isNotEmpty(vendor)) { return "请选择输入一个操作 -i or -l"; } diff --git a/iast-java/src/main/java/com/iast/astbenchmark/cli/tree/CaseNode.java b/iast-java/src/main/java/com/iast/astbenchmark/cli/tree/CaseNode.java index e3475dbf..05e898d3 100644 --- a/iast-java/src/main/java/com/iast/astbenchmark/cli/tree/CaseNode.java +++ b/iast-java/src/main/java/com/iast/astbenchmark/cli/tree/CaseNode.java @@ -9,15 +9,11 @@ @Data @Builder public class CaseNode { - /** - * 类型 - */ - private CaseNodeType type; /** * 基础数据 */ - private Integer id; + private String id; private String name; private Integer deepth; @@ -27,6 +23,12 @@ public class CaseNode { private CaseNode parent; private List children; + /** + * 类型 + */ + private CaseNodeType type; + + /** * 以上为存储结构 * children 叶子节点数据区 diff --git a/iast-java/src/main/java/com/iast/astbenchmark/cli/tree/CaseNodeTreeUtil.java b/iast-java/src/main/java/com/iast/astbenchmark/cli/tree/CaseNodeTreeUtil.java index 21b5b182..f9e5ea6a 100644 --- a/iast-java/src/main/java/com/iast/astbenchmark/cli/tree/CaseNodeTreeUtil.java +++ b/iast-java/src/main/java/com/iast/astbenchmark/cli/tree/CaseNodeTreeUtil.java @@ -1,41 +1,59 @@ package com.iast.astbenchmark.cli.tree; -import cn.hutool.core.io.FileUtil; -import cn.hutool.core.io.resource.ResourceUtil; import cn.hutool.core.util.StrUtil; -import com.iast.astbenchmark.analyser.bean.CaseTargetBean; -import com.iast.astbenchmark.analyser.cache.CasetargeCache; import com.google.common.collect.Lists; import com.google.common.collect.Maps; +import com.iast.astbenchmark.analyser.bean.CaseTargetBean; +import com.iast.astbenchmark.analyser.cache.CasetargeCache; import lombok.extern.slf4j.Slf4j; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.core.io.ResourceLoader; -import org.springframework.stereotype.Component; import org.springframework.util.CollectionUtils; import java.io.BufferedReader; -import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; -import java.io.Reader; -import java.nio.charset.Charset; import java.util.List; import java.util.Map; +import java.util.stream.Collectors; @Slf4j public class CaseNodeTreeUtil { - public static void main(String[] args) { - System.out.println(CaseNodeTreeUtil.initRoot()); + public static CaseNode initRoot() { + try { + // CasetargeCache.initNow(); + List lines = + CasetargeCache.getAllCases().values().stream() + .map(e -> e.getCaseDesc() + "@" + e.getCaseNo()).collect(Collectors.toList()); + + CaseNode root = CaseNode.builder() + .type(CaseNodeType.ROOT) + .id("ROOT") + .deepth(1) + .name("IAST引擎能力评估体系(JAVA)") + .build(); + + for (int row = 0; row < lines.size(); row++) { + if (StrUtil.isEmpty(lines.get(row)) || lines.get(row).startsWith("#")) { + continue; + } + String[] nodesData = lines.get(row).split("->"); + addTreeNode(root, 0, row + 1, nodesData); + } + return root; + } catch (Exception e) { + log.error("初始化异常:{}", e); + } + return null; + } - public static CaseNode initRoot() { - BufferedReader reader =null; - InputStream inputStream =null; + public static CaseNode initRoot2() { + BufferedReader reader = null; + InputStream inputStream = null; try { inputStream = CaseNodeTreeUtil.class.getClassLoader().getResourceAsStream("config/caseNodeTree.txt"); - reader= new BufferedReader(new InputStreamReader(inputStream)); - List lines =Lists.newArrayList(); + reader = new BufferedReader(new InputStreamReader(inputStream)); + List lines = Lists.newArrayList(); String line; while ((line = reader.readLine()) != null) { lines.add(line); @@ -44,39 +62,39 @@ public static CaseNode initRoot() { CasetargeCache.initNow(); CaseNode root = CaseNode.builder() .type(CaseNodeType.ROOT) - .id(0) + .id("ROOT") .deepth(1) .name("IAST引擎能力评估体系(JAVA)") .build(); for (int row = 0; row < lines.size(); row++) { - if (StrUtil.isEmpty(lines.get(row))||lines.get(row).startsWith("#")) { + if (StrUtil.isEmpty(lines.get(row)) || lines.get(row).startsWith("#")) { continue; } String[] nodesData = lines.get(row).split("->"); addTreeNode(root, 0, row + 1, nodesData); } return root; - }catch (Exception e){ - log.error("初始化异常:{}",e); - }finally { + } catch (Exception e) { + log.error("初始化异常:{}", e); + } finally { try { - if(reader!=null){ + if (reader != null) { reader.close(); } - if(inputStream!=null){ + if (inputStream != null) { inputStream.close(); } - }catch (IOException e){ + } catch (IOException e) { } } - return null; + return null; } public static Map leafMap(CaseNode root) { - Map leafMap =Maps.newLinkedHashMap(); + Map leafMap = Maps.newLinkedHashMap(); findLeaf(leafMap, root); return leafMap; } @@ -84,9 +102,9 @@ public static Map leafMap(CaseNode root) { private static void findLeaf(Map leafMap, CaseNode parent) { if (parent.getType().equals(CaseNodeType.LEAF)) { CaseNode leaf = parent; - if(leaf.getLeafData()!=null&&StrUtil.isNotEmpty(leaf.getLeafData().getCaseNo())&&leaf!=null){ + if (leaf.getLeafData() != null && StrUtil.isNotEmpty(leaf.getLeafData().getCaseNo()) && leaf != null) { leafMap.put(leaf.getLeafData().getCaseNo(), leaf); - }else { + } else { System.out.println(leaf.getName()); } } else { @@ -96,55 +114,45 @@ private static void findLeaf(Map leafMap, CaseNode parent) { } } -// public static void main(String[] args) { -// List lines = FileUtil.readLines("data/caseNodeTree.txt", Charset.forName("utf-8")); -// List linesNew = Lists.newArrayList(); -// for (int i = 0; i <= 46; i++) { -// linesNew.add(lines.get(i)+"@aTaintCase00"+(i+1)); -// } -// linesNew.add(lines.get(47)+"@aTaintCase00139"); -// for (int i = 48; i <= 72; i++) { -// linesNew.add(lines.get(i)+"@aTaintCase00"+(i)); -// } -// linesNew.add(lines.get(73)+"@aTaintCase00140"); -// for (int i = 74; i <= 104; i++) { -// linesNew.add(lines.get(i)+"@aTaintCase00"+(i-1)); -// } -// linesNew.add(lines.get(105)+"@aTaintCase00141"); -// linesNew.add(lines.get(106)+"@aTaintCase00103_2"); -// for (int i = 107; i <= 129; i++) { -// linesNew.add(lines.get(i)+"@aTaintCase00"+(i-2)); -// } -// File file = FileUtil.file("data/caseNodeTree_bak.txt"); -// FileUtil.writeUtf8Lines(linesNew,file); -// -// } - + /** + * 添加树节点 + * + * @param parent 父节点 + * @param deepth 深度 + * @param row 行数 + * @param nodesData 节点数据 + */ private static void addTreeNode(CaseNode parent, Integer deepth, Integer row, String[] nodesData) { deepth = deepth + 1; + // 默认节点类型为NODE CaseNodeType type = CaseNodeType.NODE; - Integer id = Integer.valueOf("" + String.valueOf(row) + String.valueOf(deepth)); - if (nodesData.length <= deepth) { + // 节点id + String id = "L" + deepth +"H"+ row; + // 判断节点类型 + if (nodesData.length <= deepth) { type = CaseNodeType.LEAF; - } - String name = nodesData[deepth-1]; + String name = nodesData[deepth - 1]; + // 获取父节点的子节点列表 List children = parent.getChildren(); + // 如果子节点列表为空,则初始化一个新的子节点列表 if (CollectionUtils.isEmpty(children)) { children = Lists.newArrayList(); parent.setChildren(children); } CaseNode currentNode = nodeExit(children, name); + // 判断子节点是否存在 if (currentNode == null) { currentNode = buildNode(type, id, deepth, name, parent); children.add(currentNode); } + // 递归添加子节点 if (type.equals(CaseNodeType.NODE)) { addTreeNode(currentNode, deepth, row, nodesData); } } - private static CaseNode buildNode(CaseNodeType type, Integer id, Integer deepth, String name, CaseNode parent) { + private static CaseNode buildNode(CaseNodeType type, String id, Integer deepth, String name, CaseNode parent) { CaseNode node = CaseNode.builder() .type(type) .id(id) @@ -173,6 +181,48 @@ private static CaseNode nodeExit(List caseNodes, String name) { } return null; } + + //public static void main(String[] args) { + // BufferedReader reader = null; + // InputStream inputStream = null; + // try { + // inputStream = CaseNodeTreeUtil.class.getClassLoader().getResourceAsStream("config/caseNodeTree.txt"); + // reader = new BufferedReader(new InputStreamReader(inputStream)); + // List lines = Lists.newArrayList(); + // String line; + // while ((line = reader.readLine()) != null) { + // if (StrUtil.isNotEmpty(line) && line.contains("@")) { + // String[] tags = line.split("@"); + // Arrays.asList(tags); + // String caseNo = tags[1]; + // String caseFullName = tags[0]; + // System.out.println(" @CaseTag(\n" + // + " caseNo =\"" + caseNo + "\",\n" + // + " caseFullName = \"" + caseFullName + "\",\n" + // + " thisMethodTag = \"" + caseNo + "\",\n" + // + " thisMethodExpectedResult = true\n" + // + " )"); + // } + // System.out.println(); + // + // } + // + // } catch (Exception e) { + // log.error("初始化异常:{}", e); + // } finally { + // try { + // if (reader != null) { + // reader.close(); + // } + // if (inputStream != null) { + // inputStream.close(); + // } + // } catch (IOException e) { + // + // } + // + // } + //} } diff --git a/iast-java/src/main/resources/doc/JAVA.md b/iast-java/src/main/resources/doc/JAVA.md new file mode 100644 index 00000000..e73df81c --- /dev/null +++ b/iast-java/src/main/resources/doc/JAVA.md @@ -0,0 +1,225 @@ +
Java IAST引擎能力评价体系
+ +```mermaid +graph LR +L1H1["IAST引擎能力评估体系(JAVA)"]==>L2H1["完整度"] +L2H1["完整度"]==>L3H1["基础跟踪能力"] +L3H1["基础跟踪能力"]==>L4H1["污点对象完整度"] +L4H1["污点对象完整度"]==>L5H1["字符串对象"] +L5H1["字符串对象"]==>aTaintCase00901["String"] +L4H1["污点对象完整度"]==>L5H2["基本数据类型及其封装类型"] +L5H2["基本数据类型及其封装类型"]==>aTaintCase001["int"] +L5H2["基本数据类型及其封装类型"]==>aTaintCase002["char"] +L5H2["基本数据类型及其封装类型"]==>aTaintCase003["byte"] +L5H2["基本数据类型及其封装类型"]==>aTaintCase004["long"] +L5H2["基本数据类型及其封装类型"]==>aTaintCase009["Byte"] +L5H2["基本数据类型及其封装类型"]==>aTaintCase0010["Integer"] +L5H2["基本数据类型及其封装类型"]==>aTaintCase0011["Long"] +L5H2["基本数据类型及其封装类型"]==>aTaintCase0012["Character"] +L4H1["污点对象完整度"]==>L5H6["集合(集合对象全为污点)"] +L5H6["集合(集合对象全为污点)"]==>aTaintCase005["Map元素"] +L5H6["集合(集合对象全为污点)"]==>aTaintCase006["List元素"] +L5H6["集合(集合对象全为污点)"]==>aTaintCase007["Queue元素"] +L5H6["集合(集合对象全为污点)"]==>aTaintCase008["Set元素"] +L4H1["污点对象完整度"]==>L5H14["数组(数组对象全为污点)"] +L5H14["数组(数组对象全为污点)"]==>aTaintCase0013["数组对象String[]"] +L5H14["数组(数组对象全为污点)"]==>aTaintCase0014["数组对象char[]"] +L5H14["数组(数组对象全为污点)"]==>aTaintCase0015["数组对象byte[]"] +L5H14["数组(数组对象全为污点)"]==>aTaintCase0016["单维数组对象的元素"] +L5H14["数组(数组对象全为污点)"]==>aTaintCase00926["多维数组对象的元素"] +L4H1["污点对象完整度"]==>L5H19["自定义对象"] +L5H19["自定义对象"]==>L6H19["对象字段"] +L6H19["对象字段"]==>L7H19["单层字段"] +L7H19["单层字段"]==>aTaintCase00921["10"] +L7H19["单层字段"]==>aTaintCase00922["100"] +L6H19["对象字段"]==>L7H21["多层字段"] +L7H21["多层字段"]==>aTaintCase00923["3层"] +L7H21["多层字段"]==>aTaintCase00924["10层"] +L6H19["对象字段"]==>aTaintCase00925["污点为父类字段"] +L3H1["基础跟踪能力"]==>L4H24["污点链路完整度"] +L4H24["污点链路完整度"]==>L5H24["特殊链路跟踪能力"] +L5H24["特殊链路跟踪能力"]==>aTaintCase0022["三方包方法跟踪"] +L5H24["特殊链路跟踪能力"]==>L6H25["超长链路追踪"] +L6H25["超长链路追踪"]==>aTaintCase0023["100层"] +L6H25["超长链路追踪"]==>aTaintCase00931["1000层"] +L5H24["特殊链路跟踪能力"]==>aTaintCase0024["反射调用方法跟踪"] +L5H24["特殊链路跟踪能力"]==>aTaintCase0025["调用native方法"] +L4H24["污点链路完整度"]==>L5H29["污点来源识别能力(source)"] +L5H29["污点来源识别能力(source)"]==>aTaintCase0027["污点来自http getQueryString"] +L5H29["污点来源识别能力(source)"]==>L6H30["污点来自http body"] +L6H30["污点来自http body"]==>aTaintCase0033["json/RequestBody"] +L6H30["污点来自http body"]==>aTaintCase0034["xml/getInputStream"] +L6H30["污点来自http body"]==>L7H32["multipart/form-data"] +L7H32["multipart/form-data"]==>aTaintCase0035["getPart"] +L7H32["multipart/form-data"]==>aTaintCase0036["getParts"] +L6H30["污点来自http body"]==>L7H34["form/url-encode"] +L7H34["form/url-encode"]==>aTaintCase0037["getParameter"] +L7H34["form/url-encode"]==>aTaintCase0038["getParameterMap"] +L7H34["form/url-encode"]==>aTaintCase0039["getParameterValues"] +L7H34["form/url-encode"]==>aTaintCase0040["getParameterNames"] +L6H30["污点来自http body"]==>aTaintCase0041["getReader"] +L5H29["污点来源识别能力(source)"]==>aTaintCase0044["污点来自http pathVarlables"] +L5H29["污点来源识别能力(source)"]==>L6H40["污点来自http header"] +L6H40["污点来自http header"]==>aTaintCase0045["getCookies"] +L6H40["污点来自http header"]==>aTaintCase0046["getHeader"] +L6H40["污点来自http header"]==>aTaintCase00139["getHeaderNames"] +L6H40["污点来自http header"]==>aTaintCase0047["getHeaders"] +L4H24["污点链路完整度"]==>L5H44["污点传播跟踪能力"] +L5H44["污点传播跟踪能力"]==>L6H45["--"] +L6H45["--"]==>L6H46["--"] +L6H46["--"]==>L6H44["传播场景"] +L6H44["传播场景"]==>L7H44["String操作"] +L7H44["String操作"]==>L8H44["构造方法"] +L8H44["构造方法"]==>aTaintCase0062["String(String original)"] +L8H44["构造方法"]==>aTaintCase00143["String(char value[])"] +L8H44["构造方法"]==>aTaintCase00144["String(char value[], int offset, int count)"] +L8H44["构造方法"]==>aTaintCase00145["String(int[] codePoints, int offset, int count)"] +L8H44["构造方法"]==>aTaintCase00146["String(byte bytes[], int offset, int length, String charsetName)"] +L8H44["构造方法"]==>aTaintCase00147["String(byte bytes[], int offset, int length, Charset charset)"] +L8H44["构造方法"]==>aTaintCase00148["String(StringBuffer buffer)"] +L8H44["构造方法"]==>aTaintCase00149["String(StringBuilder builder)"] +L7H44["String操作"]==>aTaintCase0063["conact"] +L7H44["String操作"]==>aTaintCase0064["copyValueOf"] +L7H44["String操作"]==>aTaintCase0065["format"] +L7H44["String操作"]==>aTaintCase0066["getBytes"] +L7H44["String操作"]==>aTaintCase0067["getChars"] +L7H44["String操作"]==>aTaintCase0068["intern"] +L7H44["String操作"]==>aTaintCase0069["join"] +L7H44["String操作"]==>aTaintCase0071["replace"] +L7H44["String操作"]==>aTaintCase00140["replaceAll"] +L7H44["String操作"]==>aTaintCase0072["split"] +L7H44["String操作"]==>aTaintCase0074["subSequence"] +L7H44["String操作"]==>aTaintCase0075["substring"] +L7H44["String操作"]==>aTaintCase0076["toCharArray"] +L7H44["String操作"]==>aTaintCase0078["toString"] +L7H44["String操作"]==>aTaintCase0077["toLowerCase"] +L7H44["String操作"]==>aTaintCase0079["toUpperCase"] +L7H44["String操作"]==>aTaintCase0080["trim"] +L7H44["String操作"]==>aTaintCase0081["valueOf"] +L6H44["传播场景"]==>L7H70["StringBuilder操作"] +L7H70["StringBuilder操作"]==>aTaintCase0082["构造方法"] +L7H70["StringBuilder操作"]==>aTaintCase0083["append"] +L7H70["StringBuilder操作"]==>aTaintCase0086["deleteCharAt"] +L7H70["StringBuilder操作"]==>aTaintCase0085["delete"] +L7H70["StringBuilder操作"]==>aTaintCase0087["getChars"] +L7H70["StringBuilder操作"]==>aTaintCase0088["insert"] +L7H70["StringBuilder操作"]==>aTaintCase0089["replace"] +L7H70["StringBuilder操作"]==>aTaintCase0090["subSequence"] +L7H70["StringBuilder操作"]==>aTaintCase0091["subString"] +L7H70["StringBuilder操作"]==>aTaintCase0092["toString"] +L6H44["传播场景"]==>L7H80["char[],byte[]操作"] +L7H80["char[],byte[]操作"]==>aTaintCase0093["copyOf"] +L7H80["char[],byte[]操作"]==>aTaintCase0094["copyOfRange"] +L7H80["char[],byte[]操作"]==>aTaintCase0095["deepToString"] +L7H80["char[],byte[]操作"]==>aTaintCase0096["toString"] +L6H44["传播场景"]==>aTaintCase00932["JDK序列化与反序列化"] +L4H24["污点链路完整度"]==>L5H85["污点无害化处理能力(sanitizer)"] +L5H85["污点无害化处理能力(sanitizer)"]==>aTaintCase00141["污点直接赋值为硬编码值"] +L5H85["污点无害化处理能力(sanitizer)"]==>aTaintCase00103["sanitizer支持区分类型"] +L5H85["污点无害化处理能力(sanitizer)"]==>aTaintCase00104["触发sink后再执行sanitizer"] +L5H85["污点无害化处理能力(sanitizer)"]==>aTaintCase00105["支持自定义unSanitizer(再次污点化)"] +L4H24["污点链路完整度"]==>L5H89["触发污点跟踪能力(sink)"] +L5H89["触发污点跟踪能力(sink)"]==>aTaintCase00109["单污点来源传播至多sink点"] +L5H89["触发污点跟踪能力(sink)"]==>aTaintCase00110["多污点来源传播至单sink点"] +L5H89["触发污点跟踪能力(sink)"]==>aTaintCase00112["无污点传播过程,污点直接传入sink"] +L2H1["完整度"]==>L3H92["异步跟踪能力"] +L3H92["异步跟踪能力"]==>L4H92["存储型异步"] +L4H92["存储型异步"]==>aTaintCase00113["污点通过db存储后触发"] +L4H92["存储型异步"]==>aTaintCase00114["污点通过session存储后触发"] +L4H92["存储型异步"]==>L5H94["污点通过缓存存储后触发"] +L5H94["污点通过缓存存储后触发"]==>aTaintCase00115["本地缓存"] +L5H94["污点通过缓存存储后触发"]==>aTaintCase00138["非本地缓存"] +L4H92["存储型异步"]==>L5H96["污点通过文件存储后触发"] +L5H96["污点通过文件存储后触发"]==>aTaintCase00116["本地文件"] +L3H92["异步跟踪能力"]==>L4H97["多线程异步"] +L4H97["多线程异步"]==>aTaintCase00119["污点的来源和触发在不同线程"] +L4H97["多线程异步"]==>aTaintCase00120["污点的来源和触发在不同线程,sink的触发由线程池中的线程触发"] +L2H1["完整度"]==>L3H99["跨进程跟踪能力"] +L3H99["跨进程跟踪能力"]==>L4H99["调用方式"] +L4H99["调用方式"]==>L5H99["http"] +L5H99["http"]==>aTaintCase00123["跨一层进程调用"] +L5H99["http"]==>aTaintCase00124["跨多层进程调用"] +L4H99["调用方式"]==>L5H101["rpc(至少支持一种框架:Sofa/SpringCloud/Dubbo/gRpc/HSF)"] +L5H101["rpc(至少支持一种框架:Sofa/SpringCloud/Dubbo/gRpc/HSF)"]==>aTaintCase001241["跨一层进程间调用(暂无实现)"] +L5H101["rpc(至少支持一种框架:Sofa/SpringCloud/Dubbo/gRpc/HSF)"]==>aTaintCase001242["跨多层进程间调用(暂无实现)"] +L1H1["IAST引擎能力评估体系(JAVA)"]==>L2H103["准确度"] +L2H103["准确度"]==>L3H103["污点对象跟踪粒度"] +L3H103["污点对象跟踪粒度"]==>L4H103["变量级别"] +L4H103["变量级别"]==>aTaintCase00125["sink点的值非外部可控,但与某个参数值相同"] +L3H103["污点对象跟踪粒度"]==>L4H104["字段/元素级别"] +L4H104["字段/元素级别"]==>L5H104["部分字段对象为污点"] +L5H104["部分字段对象为污点"]==>aTaintCase00126["单层简单对象部分字段为污点"] +L5H104["部分字段对象为污点"]==>L6H105["多层复杂对象部分字段为污点"] +L6H105["多层复杂对象部分字段为污点"]==>aTaintCase00127["污点来自父类"] +L6H105["多层复杂对象部分字段为污点"]==>aTaintCase00128["污点来当前类字段"] +L5H104["部分字段对象为污点"]==>aTaintCase00142["对象部分字段为污点,经过JDK序列化后再反序列化"] +L4H104["字段/元素级别"]==>L5H107["部分数据元素为污点"] +L5H107["部分数据元素为污点"]==>aTaintCase00129["单维数组中的部分元素为污点"] +L5H107["部分数据元素为污点"]==>aTaintCase00130["多维数组中的部分元素为污点"] +L5H107["部分数据元素为污点"]==>aTaintCase00131["部分元素为污点,经过JDK序列化后再反序列化"] +L4H104["字段/元素级别"]==>L5H110["部分集合元素为污点"] +L5H110["部分集合元素为污点"]==>aTaintCase00132["List中部分元素为污点"] +L5H110["部分集合元素为污点"]==>aTaintCase00133["Map中部分元素为污点"] +L5H110["部分集合元素为污点"]==>aTaintCase00134["Set中部分元素为污点"] +L5H110["部分集合元素为污点"]==>aTaintCase00135["Queue中部分元素为污点"] +L5H110["部分集合元素为污点"]==>aTaintCase00136["集合中部分元素为污点,经过JDK序列化后再反序列化"] +L3H103["污点对象跟踪粒度"]==>L4H115["字符串级别"] +L4H115["字符串级别"]==>L5H115["字符串部分存在污点"] +L5H115["字符串部分存在污点"]==>L6H115["截取非污点部分"] +L6H115["截取非污点部分"]==>L7H115["String操作"] +L7H115["String操作"]==>aTaintCase00940["replcace"] +L7H115["String操作"]==>aTaintCase00941["replcaceAll"] +L7H115["String操作"]==>aTaintCase00942["split"] +L7H115["String操作"]==>aTaintCase00943["subSequence"] +L7H115["String操作"]==>aTaintCase00944["substring"] +L7H115["String操作"]==>aTaintCase00945["trim"] +L6H115["截取非污点部分"]==>L7H121["StringBuilder操作"] +L7H121["StringBuilder操作"]==>aTaintCase00946["delete"] +L7H121["StringBuilder操作"]==>aTaintCase00947["deleteCharAt"] +L7H121["StringBuilder操作"]==>aTaintCase00948["getChars"] +L7H121["StringBuilder操作"]==>aTaintCase00949["replace"] +L7H121["StringBuilder操作"]==>aTaintCase00950["subSequence"] +L7H121["StringBuilder操作"]==>aTaintCase00951["substring"] +L6H115["截取非污点部分"]==>L7H127["char[]/byte[]操作"] +L7H127["char[]/byte[]操作"]==>aTaintCase00952["copyOfRange"] +L5H115["字符串部分存在污点"]==>L6H128["截取非污点部分后再拼接污点"] +L6H128["截取非污点部分后再拼接污点"]==>L7H128["String操作"] +L7H128["String操作"]==>aTaintCase00953["concat"] +L7H128["String操作"]==>aTaintCase00954["join"] +L7H128["String操作"]==>aTaintCase00955["replace"] +L7H128["String操作"]==>aTaintCase00956["replaceAll"] +L7H128["String操作"]==>aTaintCase00957["trim"] +L6H128["截取非污点部分后再拼接污点"]==>L7H133["StringBuilder操作"] +L7H133["StringBuilder操作"]==>aTaintCase00958["append"] +L7H133["StringBuilder操作"]==>aTaintCase00959["replace"] +L6H128["截取非污点部分后再拼接污点"]==>L7H135["char[]/byte[]操作"] +L7H135["char[]/byte[]操作"]==>aTaintCase00960["copyOfRange"] +L1H1["IAST引擎能力评估体系(JAVA)"]==>L2H137["兼容性/JDK兼容性"] +L2H137["兼容性/JDK兼容性"]==>L3H138["Oracle JDK"] +L3H138["Oracle JDK"]==>L4H139["JDK 1.4 以下"] +L3H138["Oracle JDK"]==>L4H141["JDK 1.5"] +L3H138["Oracle JDK"]==>L4H142["JDK 1.6 以上"] +L2H137["兼容性/JDK兼容性"]==>L3H143["OpenJDK"] +L3H143["OpenJDK"]==>L3H144["JDK 1.4 以下"] +L3H143["OpenJDK"]==>L3H145["JDK 1.5"] +L3H143["OpenJDK"]==>L3H146["JDK 1.6 以上"] +L2H137["兼容性/JDK兼容性"]==>L3H147["JRocket"] +L2H137["兼容性/JDK兼容性"]==>L3H148["IBM J9"] +L2H137["兼容性/JDK兼容性"]==>L3H149["AdoptOpen JDK"] +L2H137["兼容性/JDK兼容性"]==>L3H150["Amazon Corretto"] +L2H137["兼容性/JDK兼容性"]==>L3H151["Eclipse OpenJ9"] +L2H137["兼容性/JDK兼容性"]==>L3H152["Red Hat Open JDK"] +L1H1["IAST引擎能力评估体系(JAVA)"]==>L2H153["性能"] +L2H153["性能"]==>L3H154["无漏洞场景"] +L3H154["无漏洞场景"]==>L3H155["内存占用"] +L3H154["无漏洞场景"]==>L3H156["CPU占用"] +L3H154["无漏洞场景"]==>L3H157["RT时长增幅"] +L3H154["无漏洞场景"]==>L3H158["load"] +L2H153["性能"]==>L3H159["有漏洞场景"] +L2H153["性能"]==>L3H160["超长调用链路有漏洞场景"] +L2H153["性能"]==>L3H161["超长调用链路无漏洞场景"] +L2H153["性能"]==>L3H162["大污点对象场景"] +L1H1["IAST引擎能力评估体系(JAVA)"]==>L2H163["接入成本"] +L2H163["接入成本"]==>L3H164["离线插桩-需被测程序使用插桩后的jdk"] +L2H163["接入成本"]==>L3H165["离线插桩-被测程序全部字节码静态插桩后使用"] +L2H163["接入成本"]==>L3H166["动态运行时插桩-需被测程序修改配置"] diff --git a/iast-java/src/test/java/com/iast/astbenchmark/AstbenchmarkApplicationTests.java b/iast-java/src/test/java/com/iast/astbenchmark/AstbenchmarkApplicationTests.java index fca2015b..a47a46d5 100644 --- a/iast-java/src/test/java/com/iast/astbenchmark/AstbenchmarkApplicationTests.java +++ b/iast-java/src/test/java/com/iast/astbenchmark/AstbenchmarkApplicationTests.java @@ -905,6 +905,7 @@ void aTaintCase00124() { @Test void aTaintCase00125() { HttpResponse response = doPost(url_root + "ataint/case00125?cmd1=cd%20/&cmd2=ls"); + HttpResponse response2 = doPost(url_root + "ataint/case00125/2?cmd1=&cmd2="); System.out.println(response.body()); }