Merge pull request #16 from austimkelly/log4j

add in a supply chain example that also uses CodeQL autobuild for java
austimkelly · Jan 10, 2024 · d5d53cc · d5d53cc
2 parents 9a29236 + 4c07af6
commit d5d53cc
Show file tree

Hide file tree

Showing 10 changed files with 228 additions and 14 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -38,7 +38,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'python', 'javascript-typescript' ]
+        language: [ 'python', 'javascript-typescript', 'java-kotlin' ]
         # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
         # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both
         # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
@@ -63,8 +63,11 @@ jobs:
 
     # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
     # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+    # - name: Autobuild
+    #   uses: github/codeql-action/autobuild@v2
+    - if: matrix.language == 'java-kotlin'
+      name: Build Java
+      run: mvn -f ./supply-chain/vulnerable-application/pom.xml clean install -DskipTests
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun

diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,10 @@
 ._
 .DS_Store
 
+# Java build files
+*.class
+.idea
+
 # Byte-compiled / optimized / DLL files
 __pycache__/
 *.py[cod]

diff --git a/README.md b/README.md
@@ -8,19 +8,21 @@
 
 # Purpose
 
-The code samples here hserve several purposes:
+The code samples here here several purposes:
 
-1. For application security and training developers, it's easier to see an exploitable vulnerabity in code that you can actually reproduce. Too many times vulnerabities are too abstract, not reproducible, or reachable thus making alerts largely ignored _en masse_. Capture the Flag (CTF) exercieses great and get developers into the offensive mind-set, but they don't fully help developers understand the coding errors thus improving code review quality on PRs.
-2. Static Applicaiton Security Testing (SAST) - SAST tools are notoriously noisy, don't demonstrate reachabliity, and can't find more complex interactions. SAST tools definitley have their place, but should only be used as a backstop after good desing, threat modeling, and peer code reviews. This repository runs Github Advanced Security CodeQL scanner to see how well they do with finding what should be very simple OWASP Top 10 vulnerabities.
-3. AI Assistants, such as Github's CoPilot - Most developers have problably used some kind of LLM (ChatGPT, CoPilot) by this point to generate code. I've also used these examples to have CoPilot do a security analysis of simple programs with simple prompts:
-    * What security concers are there in this script?
-    * How would you recommend fixing vulnerabity X?
-4. Will ChatGPT generate insecure code and testing techinques which is may deem unethical?
+1. For application security and training developers, it's easier to see an exploitable vulnerability in code that you can actually reproduce. Too many times vulnerabilities are too abstract, not reproducible, or reachable thus making alerts largely ignored _en masse_. Capture the Flag (CTF) exercises great and get developers into the offensive mind-set, but they don't fully help developers understand the coding errors thus improving code review quality on PRs.
+2. Static Application Security Testing (SAST) - SAST tools are notoriously noisy, don't demonstrate reachability, and can't find more complex interactions. SAST tools have their place, but should only be used as a backstop after good design, threat modeling, and peer code reviews. This repository runs Github Advanced Security CodeQL scanner to see how well they do with finding what should be very simple OWASP Top 10 vulnerabilities.
+3. AI Assistants, such as Github's CoPilot - Most developers have likely used some kind of LLM (ChatGPT, CoPilot) by this point to generate code. I've also used these examples to have CoPilot do a security analysis of simple programs with simple prompts:
+    * What security concerns are there in this script?
+    * How would you recommend fixing vulnerability X?
+4. Will ChatGPT generate insecure code and testing techniques which is may deem unethical?
 
 # Code Authors
 
 Unless otherwise sited in the code, the scripts herein are generated by a combination of Tim Kelly (human) and AI coding assistants (ChatGPT, Github Copilot).  
 
+* The supply-chain example is based on source from https://github.com/kozmer/log4j-shell-poc
+
 # Installation Guide
 
 Follow these steps to install the necessary dependencies for the project:
@@ -37,9 +39,7 @@ Follow these steps to install the necessary dependencies for the project:
 
 `pip3 install -r requirements.txt`
 
-4. Navigate to the directory for the demo you want to run and run the python file there (e.g. `python3 idor.py`):
-
-    * This source code example also demonstrates sensitive data exposure where passwords are stored in code. See [OWASP Secrets Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html).
+4. Navigate to the directory for the demo you want to run and run the python file there (e.g. `$cd idor` then `$python3 idor.py`): 
 
 # Demo Listing & References
 
@@ -48,4 +48,5 @@ Follow these steps to install the necessary dependencies for the project:
 * [sqli](./sqli/) - Demonstrates standard SQL Injection being able to dump a database from a form field. See also [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection).
 * [ssrf](./ssrf/) - Demonstrate a server-side request forgery tricking the app to making an HTTP request to a not-allowed 3rd party domain. See also [OWASP Server Side Request Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery).
 * [xss](./xss/) - Demonstrates executing arbitrary javascript inside the application. See also [OWASP Cross Site Scripting](https://owasp.org/www-community/attacks/xss/)
-* [secrets](./secrets/) - An example of leaking a secrets file or environment variable configuration. These should all be caught by [Github Secrets Push Protection](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations).
+* [secrets](./secrets/) - An example of leaking a secrets file or environment variable configuration. These should all be caught by [Github Secrets Push Protection](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations). See also [OWASP Secrets Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html).
+* [supply-chain](./supply-chain/) - An example of a supply chain vulnerability in log4j. This one is to demonstrate dependency vulnerabilities and a security advisory. There are several OWASP Top 10 here: security misconfiguration, using components with known vulnerabilities, insufficient logging and monitoring. See also [OWASP Supply Chain Vulnerabilities](https://owasp.org/www-project-kubernetes-top-ten/2022/en/src/K02-supply-chain-vulnerabilities).
diff --git a/supply-chain/vulnerable-application/.gitignore b/supply-chain/vulnerable-application/.gitignore
@@ -0,0 +1 @@
+target/*
diff --git a/supply-chain/vulnerable-application/log4shell.iml b/supply-chain/vulnerable-application/log4shell.iml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module org.jetbrains.idea.maven.project.MavenProjectsManager.isMavenModule="true" type="JAVA_MODULE" version="4">
+  <component name="FacetManager">
+    <facet type="web" name="Web">
+      <configuration>
+        <descriptors>
+          <deploymentDescriptor name="web.xml" url="file://$MODULE_DIR$/src/main/webapp/WEB-INF/web.xml" />
+        </descriptors>
+        <webroots>
+          <root url="file://$MODULE_DIR$/src/main/webapp" relative="/" />
+        </webroots>
+        <sourceRoots>
+          <root url="file://$MODULE_DIR$/src/main/java" />
+          <root url="file://$MODULE_DIR$/src/main/resources" />
+        </sourceRoots>
+      </configuration>
+    </facet>
+  </component>
+  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_8">
+    <output url="file://$MODULE_DIR$/target/classes" />
+    <output-test url="file://$MODULE_DIR$/target/test-classes" />
+    <content url="file://$MODULE_DIR$">
+      <sourceFolder url="file://$MODULE_DIR$/src/main/java" isTestSource="false" />
+      <sourceFolder url="file://$MODULE_DIR$/src/main/resources" type="java-resource" />
+      <sourceFolder url="file://$MODULE_DIR$/src/test/java" isTestSource="true" />
+      <sourceFolder url="file://$MODULE_DIR$/src/test/resources" type="java-test-resource" />
+      <excludeFolder url="file://$MODULE_DIR$/target" />
+    </content>
+    <orderEntry type="inheritedJdk" />
+    <orderEntry type="sourceFolder" forTests="false" />
+    <orderEntry type="library" scope="PROVIDED" name="Maven: javax.servlet:javax.servlet-api:4.0.1" level="project" />
+    <orderEntry type="library" scope="TEST" name="Maven: org.junit.jupiter:junit-jupiter-api:5.7.1" level="project" />
+    <orderEntry type="library" scope="TEST" name="Maven: org.apiguardian:apiguardian-api:1.1.0" level="project" />
+    <orderEntry type="library" scope="TEST" name="Maven: org.opentest4j:opentest4j:1.2.0" level="project" />
+    <orderEntry type="library" scope="TEST" name="Maven: org.junit.platform:junit-platform-commons:1.7.1" level="project" />
+    <orderEntry type="library" scope="TEST" name="Maven: org.junit.jupiter:junit-jupiter-engine:5.7.1" level="project" />
+    <orderEntry type="library" scope="TEST" name="Maven: org.junit.platform:junit-platform-engine:1.7.1" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.logging.log4j:log4j-core:2.14.1" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.logging.log4j:log4j-api:2.14.1" level="project" />
+  </component>
+</module>
diff --git a/supply-chain/vulnerable-application/pom.xml b/supply-chain/vulnerable-application/pom.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.example</groupId>
+    <artifactId>log4shell</artifactId>
+    <version>1.0-SNAPSHOT</version>
+    <name>log4shell</name>
+    <packaging>war</packaging>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <maven.compiler.target>1.8</maven.compiler.target>
+        <maven.compiler.source>1.8</maven.compiler.source>
+        <junit.version>5.7.1</junit.version>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>javax.servlet-api</artifactId>
+            <version>4.0.1</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-api</artifactId>
+            <version>${junit.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-engine</artifactId>
+            <version>${junit.version}</version>
+            <scope>test</scope>
+         </dependency>
+         <!-- <dependency>
+                 <groupId>com.sun.deploy.net</groupId>
+                <artifactId>HttpRequest</artifactId>
+                <version>1.8</version>
+         </dependency> -->
+        <!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core -->
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-core</artifactId>
+            <version>2.14.1</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api -->
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-api</artifactId>
+            <version>2.14.1</version>
+        </dependency>
+    </dependencies>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-war-plugin</artifactId>
+                <version>3.3.1</version>
+            </plugin>
+        </plugins>
+    </build>
+
+
+</project>
diff --git a/supply-chain/vulnerable-application/src/main/java/com/example/log4shell/LoginServlet.java b/supply-chain/vulnerable-application/src/main/java/com/example/log4shell/LoginServlet.java
@@ -0,0 +1,41 @@
+package com.example.log4shell;
+
+import java.io.*;
+import javax.servlet.ServletException;
+import javax.servlet.http.*;
+import javax.servlet.annotation.*;
+
+//import com.sun.deploy.net.HttpRequest;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+
+@WebServlet(name = "loginServlet", value = "/login")
+public class LoginServlet extends HttpServlet {
+
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+
+        String userName = req.getParameter("uname");
+        String password = req.getParameter("password");
+
+        resp.setContentType("text/html");
+        PrintWriter out = resp.getWriter();
+        out.println("<html><body>");
+
+        if(userName.equals("admin") && password.equals("password")){
+            out.println("Welcome Back Admin");
+        }
+        else{
+
+            // vulnerable code
+            Logger logger = LogManager.getLogger(com.example.log4shell.log4j.class);
+            logger.error(userName);
+
+            out.println("<code> the password you entered was invalid, <u> we will log your information </u> </code>");
+        }
+    }
+
+    public void destroy() {
+    }
+}
diff --git a/supply-chain/vulnerable-application/src/main/java/com/example/log4shell/log4j.java b/supply-chain/vulnerable-application/src/main/java/com/example/log4shell/log4j.java
@@ -0,0 +1,9 @@
+package com.example.log4shell;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+public class log4j {
+    private static final Logger logger = LogManager.getLogger(log4j.class);
+
+}
diff --git a/supply-chain/vulnerable-application/src/main/webapp/WEB-INF/web.xml b/supply-chain/vulnerable-application/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
+         version="4.0">
+</web-app>
diff --git a/supply-chain/vulnerable-application/src/main/webapp/index.jsp b/supply-chain/vulnerable-application/src/main/webapp/index.jsp
@@ -0,0 +1,40 @@
+<!doctype html>
+<html lang="en">
+<head>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <link href="https://unpkg.com/tailwindcss@2.2.4/dist/tailwind.min.css" rel="stylesheet">
+</head>
+<body>
+<div class="h-screen flex">
+    <div class="flex w-1/2 bg-gradient-to-tr from-blue-800 to-purple-700 i justify-around items-center">
+        <div>
+            <h1 class="text-white font-bold text-4xl font-sans">GoFinance</h1>
+            <p class="text-white mt-1">The most popular peer to peer lending at SEA</p>
+            <button type="submit" class="block w-28 bg-white text-indigo-800 mt-4 py-2 rounded-2xl font-bold mb-2">Read More</button>
+        </div>
+    </div>
+    <div class="flex w-1/2 justify-center items-center bg-white">
+        <form class="bg-white" method="POST" action="/login">
+            <h1 class="text-gray-800 font-bold text-2xl mb-1">Hello Again!</h1>
+            <p class="text-sm font-normal text-gray-600 mb-7">Welcome Back</p>
+            <div class="flex items-center border-2 py-2 px-3 rounded-2xl mb-4">
+                <svg xmlns="http://www.w3.org/2000/svg" class="h-5 w-5 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M16 12a4 4 0 10-8 0 4 4 0 008 0zm0 0v1.5a2.5 2.5 0 005 0V12a9 9 0 10-9 9m4.5-1.206a8.959 8.959 0 01-4.5 1.207" />
+                </svg>
+                <input class="pl-2 outline-none border-none" type="text" name="uname" placeholder="Username" />
+            </div>
+            <div class="flex items-center border-2 py-2 px-3 rounded-2xl">
+                <svg xmlns="http://www.w3.org/2000/svg" class="h-5 w-5 text-gray-400" viewBox="0 0 20 20" fill="currentColor">
+                    <path fill-rule="evenodd" d="M5 9V7a5 5 0 0110 0v2a2 2 0 012 2v5a2 2 0 01-2 2H5a2 2 0 01-2-2v-5a2 2 0 012-2zm8-2v2H7V7a3 3 0 016 0z" clip-rule="evenodd" />
+                </svg>
+                <input class="pl-2 outline-none border-none" type="text" name="password" placeholder="Password" />
+            </div>
+            <button type="submit" class="block w-full bg-indigo-600 mt-4 py-2 rounded-2xl text-white font-semibold mb-2">Login</button>
+            <span class="text-sm ml-2 hover:text-blue-500 cursor-pointer">Forgot Password ?</span>
+        </form>
+    </div>
+</div>
+</body>
+</html>