Merge pull request #5802 from kingthorin/ssti-fix

ascanrules: Address SSTI false positive

addOns/ascanrules/CHANGELOG.md

@@ -14,6 +14,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
   - Server Side Template Injection (Blind)
   - XML External Entity Attack
 
+### Fixed
+- A situation where the Server-Side Template Injection (SSTI) scan rule might result in false positives related to the Go payloads (Issue 8622).
+
 ### Added
 - Standardized Scan Policy related alert tags on the rule.
 

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiScanRule.java

@@ -414,7 +414,9 @@ private void searchForMathsExecution(
                                             + DELIMITER
                                             + "[\\w\\W]*";
 
-                            if (output.contains(renderResult) && output.matches(regex)) {
+                            if (output.contains(renderResult)
+                                    && output.matches(regex)
+                                    && sstiPayload.engineSpecificCheck(regex, output, renderTest)) {
 
                                 String attack = getOtherInfo(sink.getLocation(), output);
 

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ssti/GoTemplateFormat.java

@@ -19,6 +19,9 @@
  */
 package org.zaproxy.zap.extension.ascanrules.ssti;
 
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
 /**
  * This represents the code that is necessary to execute an arithmetic operation in Golang template
  * engine and the expected result of the operation.
@@ -36,4 +39,11 @@ public int getExpectedResult(int number1, int number2) {
         String concatenated = String.format("%d%d", number1, number2);
         return Integer.parseInt(concatenated);
     }
+
+    @Override
+    public boolean engineSpecificCheck(String regex, String output, String renderTest) {
+        Matcher matcher = Pattern.compile(regex).matcher(output);
+        matcher.matches();
+        return !matcher.group(0).contains(renderTest.replaceAll("[^A-Za-z0-9]+", ""));
+    }
 }

addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ssti/TemplateFormat.java

@@ -84,4 +84,8 @@ public List<String> getRenderTestAndResult() {
 
         return values;
     }
+
+    public boolean engineSpecificCheck(String regex, String output, String renderTest) {
+        return true;
+    }
 }

addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/SstiScanRuleUnitTest.java

@@ -237,6 +237,37 @@ protected Response serve(IHTTPSession session) {
         assertThat(alertsRaised.get(0).getConfidence(), equalTo(Alert.CONFIDENCE_HIGH));
     }
 
+    @Test
+    void shouldReportGoBasedSsti() throws NullPointerException, IOException {
+        String test = "/shouldReportGoBasedSsti/";
+        // Given
+        nano.addHandler(createGoHandler(test, true));
+        HttpMessage msg = getHttpMessage(test + "?name=test");
+        rule.setConfig(new ZapXmlConfiguration());
+        rule.init(msg, parent);
+        // When
+        rule.scan();
+        // Then
+        assertThat(alertsRaised.size(), equalTo(1));
+        assertThat(alertsRaised.get(0).getRisk(), equalTo(Alert.RISK_HIGH));
+        assertThat(alertsRaised.get(0).getConfidence(), equalTo(Alert.CONFIDENCE_HIGH));
+    }
+
+    @Test
+    void shouldNotReportGoBasedSstiWhenDirectiveEchoed() throws NullPointerException, IOException {
+        String test = "/shouldNotReportGoBasedSstiWhenDirectiveEchoed/";
+        // Given
+        nano.addHandler(createGoHandler(test, false));
+        HttpMessage msg = getHttpMessage(test + "?name=test");
+        rule.setConfig(new ZapXmlConfiguration());
+        rule.setAttackStrength(Plugin.AttackStrength.MEDIUM);
+        rule.init(msg, parent);
+        // When
+        rule.scan();
+        // Then
+        assertThat(alertsRaised.size(), equalTo(0));
+    }
+
     @Test
     void shouldReturnExpectedMappings() {
         // Given / When
@@ -328,4 +359,35 @@ private static String getSimpleArithmeticResult(String expression)
             throw new IllegalArgumentException("invalid template code");
         }
     }
+
+    private NanoServerHandler createGoHandler(String path, boolean stripPrint) {
+        return new NanoServerHandler(path) {
+            @Override
+            protected Response serve(IHTTPSession session) {
+                String name = getFirstParamValue(session, "name");
+                String response;
+                if (name != null) {
+                    if (!name.contains("print")) {
+                        return newFixedLengthResponse(getHtml("sstiscanrule/NoInput.html"));
+                    }
+                    try {
+                        if (name.contains("print")) {
+                            name = name.replaceAll("[^A-Za-z0-9]+", "");
+                            name = stripPrint ? name.replace("print", "") : name;
+                        }
+                        name = templateRenderMock("{", "}", name);
+                        response =
+                                getHtml(
+                                        "sstiscanrule/Rendered.html",
+                                        new String[][] {{"name", name}});
+                    } catch (IllegalArgumentException e) {
+                        response = getHtml("sstiscanrule/ErrorPage.html");
+                    }
+                } else {
+                    response = getHtml("sstiscanrule/NoInput.html");
+                }
+                return newFixedLengthResponse(response);
+            }
+        };
+    }
 }