update beta3

update beta3

README.md

@@ -14,7 +14,7 @@
 | |/ / _   _ _ __ | |    _   _ _ __       | .  . |
 |    \| | | | '_ \| |   | | | | '_ \ _____| |\/| |
 | |\  \ |_| | | | | |___| |_| | | | |_____| |  | |
-\_| \_/\__,_|_| |_\_____/\__,_|_| |_|     \_|  |_/  -v2.0 beta1
+\_| \_/\__,_|_| |_\_____/\__,_|_| |_|     \_|  |_/  -v2.0
 
 GitHub: https://github.com/LoRexxar/Kunlun-M
 

core/__version__.py

@@ -7,7 +7,7 @@
 __issue_page__ = 'https://github.com/LoRexxar/Kunlun-M/issues/new'
 __python_version__ = sys.version.split()[0]
 __platform__ = platform.platform()
-__version__ = '2.0 beta2'
+__version__ = '2.0 beta3'
 __author__ = 'LoRexxar'
 __author_email__ = 'LoRexxar@gmail.com'
 __license__ = 'MIT License'

core/core_engine/javascript/engine.py

@@ -29,7 +29,7 @@ def init_match_rule(data):
         type = data[1]
         match = ""
 
-        if data[2]:
+        if len(data) > 2 and data[2]:
             origin_func_name = data[2]
         else:
             origin_func_name = ""

core/core_engine/javascript/parser.py

@@ -68,7 +68,7 @@ def get_member_data(node, check=False, isparam=False, isclean_prototype=False, i
         if type == "Literal":  # 数组位移
             value = node.value
             if check:
-                value = 1
+                value = "1"
 
             if isreverse:
                 value = node.value[::-1]
@@ -116,11 +116,11 @@ def get_member_data(node, check=False, isparam=False, isclean_prototype=False, i
                 data_left = get_member_data(node.left, check=True, isclean_prototype=isclean_prototype)
                 data_right = get_member_data(node.right, check=True, isclean_prototype=isclean_prototype)
 
-                if data_left != 1:
+                if data_left != "1":
                     value = data_left
-                if data_right != 1 and value:
+                if data_right != "1" and value:
                     value = str(value) + " + " + str(data_right)
-                if data_right != 1 and not value:
+                if data_right != "1" and not value:
                     value = data_right
 
         elif type == "NewExpression":
@@ -267,7 +267,7 @@ def is_memberexp(node):
 
 
 def is_thisexp(node):
-    if hasattr(node, "type"):
+    if hasattr(node.object, "type"):
         # member的this
         if node.object.type == "ThisExpression":
             return True
@@ -387,10 +387,10 @@ def function_back(function_node, function_params, back_nodes=None, file_path=Non
 
     logger.debug("[AST] Sounds like found a new function define {}".format(function_name))
 
-    for node in function_body[::-1]:
+    param = vul_function
+    nodes = function_body
 
-        param = vul_function
-        nodes = function_body
+    for node in function_body[::-1]:
 
         if hasattr(node, "type") and node.type == "ReturnStatement":
             param = node.argument
@@ -900,7 +900,7 @@ def parameters_back(param, nodes, function_params=None, lineno=0,
                 # 获取右值
                 param_expr = node.init
                 param_expr_name = get_member_data(param_expr)
-                expr_lineno = node.init.loc.start.line
+                expr_lineno = node.init.loc.start.line if param_expr else 0
 
                 # log
                 logger.debug(
@@ -1135,7 +1135,7 @@ def parameters_back(param, nodes, function_params=None, lineno=0,
                 callee_name = get_member_data(expression.callee)
                 expr_lineno = expression.loc.start.line
 
-                if callee_name == vul_function or callee_name == "this." + vul_function.split(".")[-1]:
+                if callee_name and callee_name == vul_function or callee_name == "this." + vul_function.split(".")[-1]:
                     callee_params = expression.arguments
                     param_name = get_member_data(callee_params)
 
@@ -1155,7 +1155,7 @@ def parameters_back(param, nodes, function_params=None, lineno=0,
                                                                  isback=True, method_name=method_name)
                         return is_co, cp, expr_lineno
 
-                elif expression.callee.type == "FunctionExpression":
+                elif expression.callee and expression.callee.type == "FunctionExpression":
                     # 这个分支代表处理在js中特有的一种常见语义结构
                     # (function(a){return a})(c)
                     # 闭包
@@ -1405,7 +1405,10 @@ def analysis_params(expression, back_node, vul_function, vul_lineno, file_path,
         scan_chain = ['start']
         param_list = [check_param(expression, vul_lineno=vul_lineno)]
 
-        back_node = ast_object.get_nodes(file_path, vul_lineno=vul_lineno, lan='javascript').body
+        if type(ast_object.get_nodes(file_path, vul_lineno=vul_lineno, lan='javascript')) is list:
+            back_node = ast_object.get_nodes(file_path, vul_lineno=vul_lineno, lan='javascript')
+        else:
+            back_node = ast_object.get_nodes(file_path, vul_lineno=vul_lineno, lan='javascript').body
 
     elif is_function:
         param_list = [check_param(expression, vul_lineno=vul_lineno)]

core/core_engine/php/parser.py

@@ -495,6 +495,9 @@ def array_back(param, nodes, vul_function=None, file_path=None, isback=None):  #
     param_name = param.node.name
     param_expr = param.expr
 
+    # print(param_name)
+    # print(param_expr)
+
     is_co = 3
     cp = param
     expr_lineno = param.lineno
@@ -676,9 +679,13 @@ def parameters_back(param, nodes, function_params=None, lineno=0,
         return is_co, cp, expr_lineno
 
     if isinstance(param, php.ArrayOffset):  # 当污点为数组时，递归进入寻找数组声明或赋值
-        logger.debug("[AST] AST analysis for ArrayOffset  in line {}".format(param.lineno))
-        is_co, cp, expr_lineno = array_back(param, nodes, file_path=file_path, isback=isback)
-        return is_co, cp, expr_lineno
+        logger.debug("[AST] AST analysis for ArrayOffset in line {}".format(param.lineno))
+        # is_co, cp, expr_lineno = array_back(param, nodes, file_path=file_path, isback=isback)
+
+        param = param.node
+        param_name = param.name
+
+        is_co, cp = is_controllable(param)
 
     if isinstance(param, php.New) or (
                 hasattr(param, "name") and isinstance(param.name, php.New)):  # 当污点为新建类事，进入类中tostring函数分析

core/pretreatment.py

@@ -414,7 +414,7 @@ async def pre_ast(self):
                         logger.warning('[AST] [ERROR] Invalid regular expression in {}...'.format(filepath))
 
                     except KeyboardInterrupt:
-                        logger.log('[AST] stop...')
+                        logger.stop('[AST] stop...')
                         exit()
 
                     except:
@@ -436,7 +436,7 @@ def get_nodes(self, filepath, vul_lineno=None, lan=None):
                 if lan == 'javascript':
                     backnodes = lambda: None
                     backnodes.body = []
-                    allnodes = self.pre_result[filepath]['ast_nodes'].body
+                    allnodes = self.pre_result[filepath]['ast_nodes'].body if self.pre_result[filepath]['ast_nodes'] else []
 
                     for node in allnodes:
                         if node.loc.start.line <= int(vul_lineno):

docs/changelog.md

@@ -193,4 +193,10 @@
     - 更新了部分PHP的rule和1个Solidity rule样例
     - 更新了部分模板tamper
     - 修复了一个mac下的bug
-    - 添加了演示视频在文档中
+    - 添加了演示视频在文档中
+- 2020-09-22
+    - KunLun-M 2.0.0 beta3
+    - 在扫描文件时添加了限制，现在只扫描目标文件
+    - 修复了PHP扫描中有关数组变量传递的问题 #85
+    - 修复了mac下console模式的bug #82
+    - 修复了一部分bug

tests/test_directory.py

@@ -24,13 +24,13 @@
 from utils.file import Directory
 
 def test_file():
-    absolute_path = os.path.join(PROJECT_DIRECTORY, 'kunlun.py')
+    absolute_path = os.path.join(PROJECT_DIRECTORY, 'tests', 'vulnerabilities')
     files, file_sum, time_consume = Directory(absolute_path).collect_files()
     ext, ext_info = files[0]
-    assert '.py' == ext
-    assert 1 == ext_info['count']
-    assert 'kunlun.py' in ext_info['list']
-    assert 1 == file_sum
+    assert '.php' == ext
+    assert 2 == ext_info['count']
+    assert '/v.php' in ext_info['list']
+    assert 2 == file_sum
     assert time_consume < 1
 
 

utils/file.py

@@ -424,12 +424,22 @@ def keyword_object_parse(self, keywords, object, index=0):
 
 
 class Directory(object):
-    def __init__(self, absolute_path, black_path_list=[]):
+    def __init__(self, absolute_path, black_path_list=[], lans=None):
         self.absolute_path = absolute_path
         self.black_path_list = default_black_list
 
         self.black_path_list.extend(black_path_list)
 
+        self.ext_list = []
+
+        if lans and lans in ext_dict:
+            for lan in lans:
+                self.ext_list.extend(ext_dict[lan])
+
+        else:
+            for lan in ext_dict:
+                self.ext_list.extend(ext_dict[lan])
+
     file_sum = 0
     type_nums = {}
     result = {}
@@ -502,11 +512,15 @@ def files(self, absolute_path, level=1):
     def file_info(self, path, filename):
         # Statistic File Type Count
         file_name, file_extension = os.path.splitext(path)
-        self.type_nums.setdefault(file_extension.lower(), []).append(filename)
 
-        path = path.replace(self.absolute_path, '')
-        self.file.append(path)
-        self.file_sum += 1
+        # 当设定了lan时加入检查
+        if file_extension.lower() in self.ext_list:
+
+            self.type_nums.setdefault(file_extension.lower(), []).append(filename)
+
+            path = path.replace(self.absolute_path, '')
+            self.file.append(path)
+            self.file_sum += 1
 
 
 class File(object):