Add CVE-2022-26148 Detector Plugin #581
base: master
Conversation
Hello @just-hms, thank you for your contribution!
Overall, the plugin is well designed and works as intended. I added some suggestions to clean up the description and some improvements on the supplied unit tests.
Let me know if you have any questions.
doyensec/detectors/grafana_zabbix_credential_disclosure/README.md
```java
}

@Test
public void detect_whenVulnerable_reportsVulnerability()
```
The test is currently performing 4 consecutive requests and verifying that the report contains the scanned target. This presents multiple issues:

1. If any of the mocked requests is not vulnerable, the test will still pass, resulting in a false positive. This can be verified by simply changing one of the mocked requests to:

```java
mockGrafanaService.enqueue(
    new MockResponse()
        .setResponseCode(HttpStatus.OK.code())
        .setBody(secureGrafanaLoginResponse));
```

2. The test mocks 4 requests in an attempt to verify that all vulnerable endpoints are covered. However, it does not verify that the detector actually invoked them. The mocks are generic and will be returned for any URL.

With regards to 1), I'd recommend verifying that the number of instances of the target service in the report is equal to the number of mocked requests. This will ensure that all mocked requests were in fact vulnerable.

Regarding 2), consider adding a custom `Dispatcher`, such as the one defined here, that will return a request only for the expected endpoints. Then you can verify the number of expected requests with:

```java
assertThat(mockWebServer.getRequestCount()).isEqualTo(<EXPECTED_COUNT>);
```

This applies to both tests.
Replying to 1.
Apologies for not being clear earlier. The paths listed here represent possible locations where Zabbix credentials might be exposed. The plugin should return a positive result if the credentials are exposed on any of these paths.
Still, a better approach than mine could be to implement a matrix test to validate that the vulnerability is detected on each path individually.
Replying to 2.
Agreed, that’s a better approach. I’ll add it once we’ve addressed point 1.
Hey @just-hms! Apologies for the late reply.
I gave it some thought, and I might have a simpler solution. My suggestion is this: what about defining the set of vulnerable paths as a constant that can be used by both the plugin and the test? The test can then mock and execute based on that list. And finally, the verification can just be updated with the second suggestion, i.e. checking if the report contains the expected path.
This would ensure that any future updates of the path are also picked up by the test. If any detection fails, the count check should be sufficient to catch the bug.
Does that make sense? What do you think?
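The test shape the two reviewer comments above converge on (a shared constant of vulnerable paths, a `Dispatcher` that only answers the expected endpoints, and count checks on both the findings and `getRequestCount()`), written out as an added example. This is not code from the PR or from the Tsunami project: `VulnerablePaths`, `CredentialProbe`, `countLeakingPaths` and the `/example/...` paths are hypothetical stand-ins (the real detector's paths and response format are not shown on this page), and the leaking body is a constructed sample. It uses OkHttp's `MockWebServer`, JUnit 4 and Truth, which the thread itself references.

```java
import static com.google.common.truth.Truth.assertThat;

import java.io.IOException;
import java.util.List;
import java.util.Objects;
import okhttp3.HttpUrl;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.mockwebserver.Dispatcher;
import okhttp3.mockwebserver.MockResponse;
import okhttp3.mockwebserver.MockWebServer;
import okhttp3.mockwebserver.RecordedRequest;
import org.junit.Test;

/** Single source of truth shared by the detector and its test (hypothetical placeholder paths). */
final class VulnerablePaths {
  static final List<String> VULNERABLE_PATHS =
      List.of("/example/path-a", "/example/path-b", "/example/path-c");

  private VulnerablePaths() {}
}

/** Hypothetical stand-in for the detector's probing logic. */
final class CredentialProbe {
  private final OkHttpClient client = new OkHttpClient();

  /** Requests every path in VULNERABLE_PATHS and counts responses that expose a password field. */
  int countLeakingPaths(HttpUrl base) throws IOException {
    int leaks = 0;
    for (String path : VulnerablePaths.VULNERABLE_PATHS) {
      HttpUrl url = Objects.requireNonNull(base.resolve(path));
      try (Response resp = client.newCall(new Request.Builder().url(url).build()).execute()) {
        String body = resp.body() != null ? resp.body().string() : "";
        if (resp.code() == 200 && body.contains("\"password\"")) {
          leaks++;
        }
      }
    }
    return leaks;
  }
}

public final class CredentialProbeTest {
  // Constructed sample bodies; the real Grafana/Zabbix response format is not reproduced here.
  private static final String LEAKING_BODY = "{\"password\":\"constructed-sample-secret\"}";
  private static final String SECURE_BODY = "{\"password\":null}".replace("\"password\"", "\"redacted\"");

  /** Serves the leaking body on every known path and 404 on anything else, optionally securing one path. */
  private static Dispatcher dispatcherSecuring(String securedPath) {
    return new Dispatcher() {
      @Override
      public MockResponse dispatch(RecordedRequest request) {
        String path = request.getPath();
        if (!VulnerablePaths.VULNERABLE_PATHS.contains(path)) {
          // A request outside the list means the detector probes something the test did not intend.
          return new MockResponse().setResponseCode(404);
        }
        String body = path.equals(securedPath) ? SECURE_BODY : LEAKING_BODY;
        return new MockResponse().setResponseCode(200).setBody(body);
      }
    };
  }

  @Test
  public void detect_whenVulnerable_reportsEveryPath() throws IOException {
    MockWebServer server = new MockWebServer();
    server.setDispatcher(dispatcherSecuring(null));
    server.start();
    try {
      int expected = VulnerablePaths.VULNERABLE_PATHS.size();
      // Both counts must match the shared constant: findings AND requests actually made.
      assertThat(new CredentialProbe().countLeakingPaths(server.url("/"))).isEqualTo(expected);
      assertThat(server.getRequestCount()).isEqualTo(expected);
    } finally {
      server.shutdown();
    }
  }

  @Test
  public void detect_whenOnePathIsSecure_countDropsByOne() throws IOException {
    MockWebServer server = new MockWebServer();
    server.setDispatcher(dispatcherSecuring(VulnerablePaths.VULNERABLE_PATHS.get(0)));
    server.start();
    try {
      int expected = VulnerablePaths.VULNERABLE_PATHS.size();
      // The count check is what catches the false positive the first comment describes.
      assertThat(new CredentialProbe().countLeakingPaths(server.url("/"))).isEqualTo(expected - 1);
      assertThat(server.getRequestCount()).isEqualTo(expected);
    } finally {
      server.shutdown();
    }
  }
}
```

Because the dispatcher answers 404 for any path outside the constant and the test asserts on `getRequestCount()`, adding or renaming a path in `VULNERABLE_PATHS` is picked up by the test without touching the test body, and a detector that silently skips a path fails the first test rather than passing on the strength of the others.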
Hi @v1ktor0t, thanks for your suggestions. I've updated the README as recommended and left a comment on the unit test #581 (comment); let me know your thoughts.
Hello,
This PR contains the implementation for the CVE-2022-26148 detector.
Below it is possible to find the necessary information for review:
Thank you.