From 9c2874d24a954ed5e99bf12dfa3c3b816517c9fe Mon Sep 17 00:00:00 2001 From: htrgouvea Date: Wed, 21 Feb 2024 16:09:12 -0300 Subject: [PATCH 1/7] return feature to remove blank lines and comments --- lib/Zarn/AST.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/Zarn/AST.pm b/lib/Zarn/AST.pm index f1e37ff..9977624 100644 --- a/lib/Zarn/AST.pm +++ b/lib/Zarn/AST.pm @@ -20,8 +20,8 @@ package Zarn::AST { if ($file && $rules) { my $document = PPI::Document -> new($file); - # $document -> prune("PPI::Token::Pod"); - # $document -> prune("PPI::Token::Comment"); + $document -> prune("PPI::Token::Pod"); + $document -> prune("PPI::Token::Comment"); foreach my $token (@{$document -> find("PPI::Token")}) { foreach my $rule (@{$rules}) { From 7cba4b30a377639367a9e7ece79b953040b0cece Mon Sep 17 00:00:00 2001 From: htrgouvea Date: Fri, 29 Mar 2024 13:32:48 -0300 Subject: [PATCH 2/7] add samples to perform tests --- samples/code-injection.pl | 13 +++++++++++++ samples/false-positive.pl | 13 +++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 samples/code-injection.pl create mode 100644 samples/false-positive.pl diff --git a/samples/code-injection.pl b/samples/code-injection.pl new file mode 100644 index 0000000..129bcf7 --- /dev/null +++ b/samples/code-injection.pl @@ -0,0 +1,13 @@ +#!/usr/bin/perl + +use 5.018; +use strict; +use warnings; + +sub main { + my $name = $ARGV[0]; + + system ("echo Hello World! $name"); +} + +exit main(); \ No newline at end of file diff --git a/samples/false-positive.pl b/samples/false-positive.pl new file mode 100644 index 0000000..18eddd3 --- /dev/null +++ b/samples/false-positive.pl @@ -0,0 +1,13 @@ +#!/usr/bin/perl + +use 5.018; +use strict; +use warnings; + +sub main { + my $name = "Zarn"; + + system ("echo Hello World! $name"); +} + +exit main(); \ No newline at end of file From 5dfc632b229f1ce923b56cf89245677927581e6a Mon Sep 17 00:00:00 2001 
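Review bot: The two prune calls uncommented in the lib/Zarn/AST.pm hunk are the first method calls on `$document`, and nothing checks that `PPI::Document -> new($file)` returned a document; the constructor returns undef for a file it cannot read or parse, so the first prune dies with a generic "Can't call method on an undefined value" instead of naming the file. A guard on the constructor line, `my $document = PPI::Document -> new($file) or die "cannot parse $file: " . PPI::Document -> errstr;`, keeps that failure readable. Separately, pruning POD and comment tokens also drops the newlines those tokens contained, so if token locations are only indexed after this point the line numbers later written to the report may no longer match the source file — worth confirming with a sample that has a POD block above a finding. The enclosing method starts before the hunk.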
From: htrgouvea Date: Fri, 29 Mar 2024 13:33:16 -0300 Subject: [PATCH 3/7] pushing some tools to help during debug tasks --- tools/graph.pl | 21 +++++++++++++++++++++ tools/view-ast.pl | 18 ++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 tools/graph.pl create mode 100644 tools/view-ast.pl diff --git a/tools/graph.pl b/tools/graph.pl new file mode 100644 index 0000000..57aa019 --- /dev/null +++ b/tools/graph.pl @@ -0,0 +1,21 @@ +#!/usr/bin/env perl + +use 5.018; +use strict; +use warnings; +use Devel::Graph; + +sub main { + my $file = $ARGV[0]; + + if ($file) { + my $grapher = Devel::Graph -> new(); + my $decompose = $grapher -> decompose ($file); + + print $decompose -> as_ascii(); + } + + return 0; +} + +exit main(); \ No newline at end of file diff --git a/tools/view-ast.pl b/tools/view-ast.pl new file mode 100644 index 0000000..44efe68 --- /dev/null +++ b/tools/view-ast.pl @@ -0,0 +1,18 @@ +#!/usr/bin/env perl + +use 5.030; +use strict; +use warnings; +use PPI; +use Data::Dumper; + +sub main { + my $file = $ARGV[0]; + + if ($file) { + my $document = PPI::Document -> new($file); + print Dumper($document); + } +} + +main(); \ No newline at end of file From 22367a26be7375a826fcbe81a1b242a920cff38b Mon Sep 17 00:00:00 2001 From: htrgouvea Date: Fri, 29 Mar 2024 13:34:05 -0300 Subject: [PATCH 4/7] skip false positives - draft function --- lib/Zarn/AST.pm | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/Zarn/AST.pm b/lib/Zarn/AST.pm index 4a60203..cc2cc9c 100644 --- a/lib/Zarn/AST.pm +++ b/lib/Zarn/AST.pm @@ -5,7 +5,7 @@ package Zarn::AST { use PPI::Find; use PPI::Document; - our $VERSION = '0.0.2'; + our $VERSION = '0.0.3'; sub new { my ($self, $parameters) = @_; 
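Review bot: In tools/view-ast.pl the result of `PPI::Document -> new($file)` is dumped without being checked; the constructor returns undef for an unreadable or unparsable file, so the tool prints `$VAR1 = undef;` and exits 0, which hides the actual error from whoever is debugging. `my $document = PPI::Document -> new($file) or die "cannot parse $file: " . PPI::Document -> errstr;` reports it instead. Both tools also print nothing when `$ARGV[0]` is missing; a short usage line on STDERR in the else path, and `exit main();` in view-ast.pl to match graph.pl, would make them consistent.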
@@ -41,6 +41,12 @@ package Zarn::AST { ); if ($var_token && $var_token -> can("parent")) { + my @childrens = $var_token -> parent -> children; + + if (grep {$_ -> isa("PPI::Token::Quote::Double")} @childrens) { + next; + } + if (( $var_token -> parent -> isa("PPI::Token::Operator") || $var_token -> parent -> isa("PPI::Statement::Expression") From 4e7dd58a5befcaab4a4638652a6f2dcb88476bdb Mon Sep 17 00:00:00 2001 From: htrgouvea Date: Sat, 30 Mar 2024 18:40:24 -0300 Subject: [PATCH 5/7] improve taint analysis function --- lib/Zarn/AST.pm | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/lib/Zarn/AST.pm b/lib/Zarn/AST.pm index cc2cc9c..9ad6180 100644 --- a/lib/Zarn/AST.pm +++ b/lib/Zarn/AST.pm @@ -5,7 +5,7 @@ package Zarn::AST { use PPI::Find; use PPI::Document; - our $VERSION = '0.0.3'; + our $VERSION = '0.0.4'; sub new { my ($self, $parameters) = @_; @@ -36,14 +36,21 @@ package Zarn::AST { # this is a draft source-to-sink function if (defined $next_element && ref $next_element && $next_element -> content() =~ /[\$\@\%](\w+)/xms) { # perform taint analyis - my $var_token = $document -> find_first ( - sub { $_[1] -> isa("PPI::Token::Symbol") and $_[1] -> content eq "\$$1" } + my $var_token = $document -> find_first ( + sub { + $_[1] -> isa("PPI::Token::Symbol") and + ($_[1] ->content eq "\$$1" or $_[1] -> content eq "\@$1" or $_[1] -> content eq "\%$1") + } ); if ($var_token && $var_token -> can("parent")) { my @childrens = $var_token -> parent -> children; - if (grep {$_ -> isa("PPI::Token::Quote::Double")} @childrens) { + if (grep { # verifyng if the variable is a fixed string or a number + $_ -> isa("PPI::Token::Quote::Double") || + $_ -> isa("PPI::Token::Quote::Single") || + $_ -> isa("PPI::Token::Number") + } @childrens) { next; } From 5c9a01dcd95f94c1edf8b0d23825748c4fa3f67b Mon Sep 17 00:00:00 2001 
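Review bot: The new skip in the `if ($var_token && ...)` block treats the variable as a constant whenever any sibling in its parent statement is a `PPI::Token::Quote::Double`, but double-quoted strings interpolate, so `my $name = "$ARGV[0]";` is classified as a false positive even though it carries the untrusted value; the later "improve taint analysis function" hunk extends the same check to Quote::Single and Number and keeps this hole. Restricting the double-quote branch to literals without interpolation, `$_ -> isa("PPI::Token::Quote::Double") && !$_ -> interpolations`, preserves the intended suppression without it. Note also that `$var_token` comes from `find_first`, so only the first occurrence of the symbol is ever inspected and later reassignments are never seen. The enclosing loop begins before the hunk, so which loop the bare `next` advances is not visible here.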
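Review bot: The callback passed to `find_first` reads `$1` from the regex match in the enclosing `if`; `$1` is dynamically scoped and any successful match executed before the callback runs would silently replace it, which makes the symbol lookup fragile and hard to debug. Capturing it first, `my $name = $1;` directly after the `if`, and comparing against `"\$$name"`, `"\@$name"` and `"\%$name"` removes that dependence. Matching all three sigils by string content still misses element accesses such as `$name[0]`, whose token content is `$name` while the container is `@name`; `PPI::Token::Symbol`'s `symbol` method returns the canonical form and may be the better comparison. Minor: the new comment reads "verifyng".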
From: htrgouvea Date: Wed, 3 Apr 2024 21:36:02 -0300 Subject: [PATCH 6/7] drafting new rules --- rules/prototype.yml | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 rules/prototype.yml diff --git a/rules/prototype.yml b/rules/prototype.yml new file mode 100644 index 0000000..3d6de96 --- /dev/null +++ b/rules/prototype.yml @@ -0,0 +1,8 @@ +--- +rules: + - id: '0001' + category: vuln + name: Cross Site Scripting (XSS) + message: Occur when untrusted data is rendered as HTML without proper escaping, allowing attackers to execute malicious scripts in the context of the victim's browser. + sample: + - render \ No newline at end of file From 55c5ec4e94cc409420ea398dde263d5f57c4f636 Mon Sep 17 00:00:00 2001 From: htrgouvea Date: Wed, 3 Apr 2024 21:42:41 -0300 Subject: [PATCH 7/7] update sarif output with new variables --- lib/Zarn/Sarif.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/Zarn/Sarif.pm b/lib/Zarn/Sarif.pm index 4b02ab2..6d39738 100644 --- a/lib/Zarn/Sarif.pm +++ b/lib/Zarn/Sarif.pm @@ -37,8 +37,8 @@ package Zarn::Sarif { uri => $info -> {file} }, region => { - startLine => $info -> {line}, - startColumn => $info -> {rowchar} + startLine => $info -> {line_sink}, + startColumn => $info -> {rowchar_sink} } } }]
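Review bot: The single `sample` entry `render` in rules/prototype.yml is very broad: if the engine matches it against token content as a substring, any identifier containing it (a `renderer` variable, a `render_json` helper) will be reported as XSS, which is noise the rule then has to earn back. Listing the concrete sink calls the rule is meant to catch would keep it precise; how `sample` entries are matched is not visible in this series, so confirm against the matcher before tightening. The `message` also reads `Occur when untrusted data…`; as a sentence it should be `Occurs when untrusted data is rendered as HTML without proper escaping…`.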
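Review bot: `startLine` and `startColumn` in the lib/Zarn/Sarif.pm hunk now read `$info -> {line_sink}` and `$info -> {rowchar_sink}`, but none of the visible hunks in this series writes those keys — the AST side still appears to populate `line` and `rowchar` — so unless a producer change lands elsewhere both values are undef and the emitted region lacks the integer `startLine` the SARIF format requires. A fallback keeps existing producers working while the new keys roll out: `startLine => $info -> {line_sink} // $info -> {line},` and `startColumn => $info -> {rowchar_sink} // $info -> {rowchar}` (defined-or needs a 5.10+ baseline, which is not visible in this hunk). The enclosing data structure starts and ends outside the hunk.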