rm all eval and fix security bug

LoRexxar · Jun 22, 2021 · 41e6099 · 41e6099
1 parent 787e3c1
commit 41e6099
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 18 deletions.
diff --git a/core/console.py b/core/console.py
@@ -11,6 +11,7 @@
 
 import os
 import sys
+import ast
 import glob
 import time
 import codecs
@@ -505,7 +506,7 @@ def show_task(self, count=10):
                 if st:
                     if self.show_index <= index < count:
                         self.show_index += 1
-                        parameter_config = " ".join(eval(st.parameter_config)).replace('\\', '/')
+                        parameter_config = " ".join(ast.literal_eval(st.parameter_config)).replace('\\', '/')
 
                         sts_table.add_row(
                             [st.id, st.task_name, parameter_config, str(st.last_scan_time)[:19], st.is_finished])
@@ -819,7 +820,7 @@ def command_set(self, *args, **kwargs):
                 option_name = param[0]
                 option_value = param[1]
 
-                option_value = eval(option_value) if option_value in ['True', 'False', 'None'] else option_value
+                option_value = ast.literal_eval(option_value) if option_value in ['True', 'False', 'None'] else option_value
 
                 if option_name not in self.configurable_options:
                     logger.warn("[Console] You can't edit option {}.".format(option_name))
@@ -854,7 +855,7 @@ def command_set(self, *args, **kwargs):
                 logger.error("[Console] you can only set option in {}.".format(option_list))
                 return
 
-            option_value = eval(option_value) if option_value in ['True', 'False'] else option_value
+            option_value = ast.literal_eval(option_value) if option_value in ['True', 'False'] else option_value
 
             if option_value in self.result_option_list[option_name]:
                 self.result_options[option_name] = option_value
@@ -882,7 +883,7 @@ def command_set(self, *args, **kwargs):
                 logger.error("[Console] you can only set option in {}.".format(list(self.scan_options)))
                 return
 
-            option_value = eval(option_value) if option_value in ['True', 'False', 'None'] else option_value
+            option_value = ast.literal_eval(option_value) if option_value in ['True', 'False', 'None'] else option_value
 
             if option_value in self.scan_option_list[option_name]:
                 self.scan_options[option_name] = option_value
@@ -1140,7 +1141,7 @@ def command_show(self, *args, **kwargs):
 
                             for t in ts:
                                 if t.tam_type == 'Filter-Function':
-                                    filter_func[t.tam_key] = eval(t.tam_value)
+                                    filter_func[t.tam_key] = ast.literal_eval(t.tam_value)
                                 elif t.tam_type == 'Input-Control':
                                     input_control.append(t.tam_value)
 
@@ -1333,7 +1334,7 @@ def command_config(self, *args, **kwargs):
 
                 for t in ts:
                     if t.tam_type == 'Filter-Function':
-                        self.config_dict['filter_func'][t.tam_key] = eval(t.tam_value)
+                        self.config_dict['filter_func'][t.tam_key] = ast.literal_eval(t.tam_value)
                     elif t.tam_type == 'Input-Control':
                         self.config_dict['input_control'].append(t.tam_value)
 

diff --git a/core/plugins/phpunserializechain/main.py b/core/plugins/phpunserializechain/main.py
@@ -11,6 +11,7 @@
 
 
 import re
+import ast
 import traceback
 
 from utils.log import logger, logger_console
@@ -355,10 +356,10 @@ def get_params_from_sink_node(self, node_name):
             result = [node_name]
 
         elif node_name.startswith('Array-'):
-            result = eval(node_name[5:])
+            result = ast.literal_eval(node_name[5:])
 
         elif node_name[0] == '(' and node_name[0] == ')':
-            result = list(eval(result))
+            result = list(ast.literal_eval(result))
 
         return result
 
@@ -421,7 +422,7 @@ def check_danger_sink(self, node):
                                 }
 
         if node.node_type == 'FunctionCall' and node.source_node in self.danger_function:
-            sink_node = eval(node.sink_node) if node.sink_node.startswith('(') else (node.sink_node)
+            sink_node = ast.literal_eval(node.sink_node) if node.sink_node.startswith('(') else (node.sink_node)
 
             if len(sink_node) >= len(self.danger_function[node.source_node]):
 
@@ -570,7 +571,7 @@ def check_param_controllable(self, param_name, now_node):
                 # 暂时简单的认为这样可控
                 return True
             elif param_name.startswith('Array-'):
-                arraylist = eval(param_name[6:])
+                arraylist = ast.literal_eval(param_name[6:])
 
                 for key in arraylist:
                     if key.startswith('Variable-$this'):
@@ -603,9 +604,9 @@ def check_param_controllable(self, param_name, now_node):
                                                      node_type='Foreach').order_by('-id')
 
         for back_node in back_nodes:
-            if param_name == eval(back_node.sink_node)[-1]:
+            if param_name == ast.literal_eval(back_node.sink_node)[-1]:
                 # 找到参数赋值
-                new_param_name = self.deep_get_node_name(eval(back_node.sink_node)[0])
+                new_param_name = self.deep_get_node_name(ast.literal_eval(back_node.sink_node)[0])
 
                 # 递归继续
                 return self.check_param_controllable(new_param_name, back_node)
@@ -852,7 +853,7 @@ def find_prototype_class(self, now_class, find_method_name, unserchain, define_p
         deepth += 1
 
         if nc:
-            now_class_extend_classs = eval(nc.sink_node)
+            now_class_extend_classs = ast.literal_eval(nc.sink_node)
             if len(now_class_extend_classs) > 0:
                 # len > 0代表当前类存在原型类，所以向上寻找类的方法
 
@@ -900,7 +901,7 @@ def find_prototype_class(self, now_class, find_method_name, unserchain, define_p
         nc2s = self.dataflow_db.objects.filter(node_type='newClass', sink_node__contains=now_class_name)
 
         for nc2 in nc2s:
-            now_class_extend_classs = eval(nc2.sink_node)
+            now_class_extend_classs = ast.literal_eval(nc2.sink_node)
             if len(now_class_extend_classs) > 0 and now_class_name in now_class_extend_classs:
                 child_class = self.deep_get_node_name(nc2.source_node)
                 new_child_class_name = child_class

diff --git a/web/backend/views.py b/web/backend/views.py
@@ -6,6 +6,7 @@
 # @Contact : [email protected]
 
 import os
+import ast
 import codecs
 import json
 from django.contrib.auth.decorators import login_required
@@ -44,7 +45,7 @@ def tasklog(req, task_id):
     ResultFlow = get_resultflow_class(task_id)
     rfs = ResultFlow.objects.all()
 
-    task.parameter_config = " ".join(eval(task.parameter_config)).replace('\\', '/')
+    task.parameter_config = " ".join(ast.literal_eval(task.parameter_config)).replace('\\', '/')
     resultflowdict = {}
 
     for rf in rfs:

diff --git a/web/dashboard/controller/tasks.py b/web/dashboard/controller/tasks.py
@@ -4,6 +4,9 @@
 # @Author  : LoRexxar
 # @File    : tasks.py
 # @Contact : [email protected]
+
+import ast
+
 from django.contrib.auth.decorators import login_required
 from django.http import JsonResponse, HttpResponseNotFound
 from django.views.generic import TemplateView
@@ -29,7 +32,7 @@ def get_context_data(self, **kwargs):
 
         for task in context['tasks']:
             task.is_finished = int(task.is_finished)
-            task.parameter_config = " ".join(eval(task.parameter_config)).replace('\\', '/')
+            task.parameter_config = " ".join(ast.literal_eval(task.parameter_config)).replace('\\', '/')
 
         return context
 
@@ -50,7 +53,7 @@ def get(request, task_id):
         newevilfuncs = NewEvilFunc.objects.filter(scan_task_id=task_id).all()
 
         task.is_finished = int(task.is_finished)
-        task.parameter_config = " ".join(eval(task.parameter_config)).replace('\\', '/')
+        task.parameter_config = " ".join(ast.literal_eval(task.parameter_config)).replace('\\', '/')
 
         for taskresult in taskresults:
             taskresult.is_unconfirm = int(taskresult.is_unconfirm)

diff --git a/web/dashboard/views.py b/web/dashboard/views.py
@@ -5,6 +5,9 @@
 # @File    : views.py
 # @Contact : [email protected]
 
+
+import ast
+
 from django.contrib.auth.decorators import login_required
 from django.shortcuts import render, redirect
 from web.index.models import ScanTask
@@ -16,7 +19,7 @@ def index(req):
     tasks = ScanTask.objects.all().order_by("-id")
     for task in tasks:
         task.is_finished = int(task.is_finished)
-        task.parameter_config = " ".join(eval(task.parameter_config)).replace('\\', '/')
+        task.parameter_config = " ".join(ast.literal_eval(task.parameter_config)).replace('\\', '/')
 
     data = {'tasks': tasks}