Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Http3 xx status code based injection vulnerability fix #368

Merged
merged 6 commits into from
Jun 29, 2022
Merged

Http3 xx status code based injection vulnerability fix #368

merged 6 commits into from
Jun 29, 2022

Conversation

ehizman
Copy link
Contributor

@ehizman ehizman commented Jun 4, 2022

used the browser's window location reference to determine redirect URL

preetkaran20
preetkaran20 reviewed Jun 6, 2022
View reviewed changes
...n/java/org/sasanlabs/service/vulnerability/openRedirect/Http3xxStatusCodeBasedInjection.java Outdated
@@ -53,7 +53,7 @@ public class Http3xxStatusCodeBasedInjection {

private static final String LOCATION_HEADER_KEY = "Location";
private static final String RETURN_TO = "returnTo";
private static final Set<String> WHITELISTED_URLS = new HashSet<>(Arrays.asList("/"));
private static final Set<String> WHITELISTED_URLS = new HashSet<>(Arrays.asList("/", "/VulnerableApp/"));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if possible, can you please write a unit test case?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure thing!

@preetkaran20
Copy link
Member

@ehizman can you please execute ./gradlew spotlessApply in your machine and then checkin the change? it is failing due to checkstyle issue.

@ehizman
Copy link
Contributor Author

ehizman commented Jun 20, 2022 via email

@preetkaran20
Copy link
Member

@ehizman there was one error due to newer java google formatter, i removed that and it compiled successfully.

Will be merging the PR, Thank You!!!

@preetkaran20 preetkaran20 merged commit bdcc492 into SasanLabs:master Jun 29, 2022
@ehizman
Copy link
Contributor Author

ehizman commented Jul 2, 2022

Hello @preetkaran20. I noticed that you removed the version number of the googleJavaFormat extension. Why is that? Because whenever I try to run ./gradlew spotlessApply. It returns this:
java.lang.NoSuchFieldError: reader.

Specifying the version of the googleJavaFormat extension fixes it.

@preetkaran20
Copy link
Member

The PR build is failing with that version as we are using older Java version in PR build. So please update that as well with format version.

Also which Java version are you using?

@ehizman
Copy link
Contributor Author

ehizman commented Jul 2, 2022
edited
Loading

I am using java 17 with the following gradle properties as a workaround for some issues with the googleJavaFormat plugin for java 16+

org.gradle.jvmargs=--add-exports jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED \
  --add-exports jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED \
  --add-exports jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED \
  --add-exports jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED \
  --add-exports jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED

The project refuses to build now that I have changed to java 8

@ehizman
Copy link
Contributor Author

ehizman commented Jul 2, 2022

What gradle properties do you use for Java 8 on your machine

@preetkaran20
Copy link
Member

I am using java 17 with the following gradle properties as a workaround for some issues with the googleJavaFormat plugin for java 16+

org.gradle.jvmargs=--add-exports jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED \
  --add-exports jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED \
  --add-exports jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED \
  --add-exports jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED \
  --add-exports jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED

The project refuses to build now that I have changed to java 8

My java version is:
openjdk version "1.8.0_322"
OpenJDK Runtime Environment (build 1.8.0_322-bre_2022_02_28_15_01-b00)
OpenJDK 64-Bit Server VM (build 25.322-b00, mixed mode)

The project PR is build using following github action:
https://github.com/SasanLabs/VulnerableApp/blob/master/.github/workflows/gradle.yml

Please let me know what error are you facing and also please run java -version and send the the output of the command.

@ehizman
Copy link
Contributor Author

ehizman commented Jul 3, 2022

my java version is:

openjdk version "1.8.0_332"
OpenJDK Runtime Environment (Zulu 8.62.0.19-CA-linux64) (build 1.8.0_332-b09)
OpenJDK 64-Bit Server VM (Zulu 8.62.0.19-CA-linux64) (build 25.332-b09, mixed mode)

@ehizman
Copy link
Contributor Author

ehizman commented Jul 3, 2022

Now when I try to apply spotless, I get the following error:

Starting a Gradle Daemon, 1 incompatible Daemon could not be reused, use --status for details
Could not write standard input to Gradle build daemon.
java.io.IOException: Stream closed
        at java.lang.ProcessBuilder$NullOutputStream.write(ProcessBuilder.java:433)
        at java.io.OutputStream.write(OutputStream.java:116)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
        at org.gradle.process.internal.streams.ExecOutputHandleRunner.forwardContent(ExecOutputHandleRunner.java:68)
        at org.gradle.process.internal.streams.ExecOutputHandleRunner.run(ExecOutputHandleRunner.java:53)
        at org.gradle.internal.concurrent.ExecutorPolicy$CatchAndRecordFailures.onExecute(ExecutorPolicy.java:64)
        at org.gradle.internal.concurrent.ManagedExecutorImpl$1.run(ManagedExecutorImpl.java:48)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.gradle.internal.concurrent.ThreadFactoryImpl$ManagedThreadRunnable.run(ThreadFactoryImpl.java:56)
        at java.lang.Thread.run(Thread.java:750)

FAILURE: Build failed with an exception.

* What went wrong:
Unable to start the daemon process.
This problem might be caused by incorrect configuration of the daemon.
For example, an unrecognized jvm option is used.
Please refer to the User Manual chapter on the daemon at https://docs.gradle.org/7.0/userguide/gradle_daemon.html
Process command line: /home/***/.sdkman/candidates/java/8.0.332-zulu/bin/java --add-exports jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED --add-exports jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED --add-exports jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED --add-exports jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED --add-exports jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED -Dfile.encoding=UTF-8 -Duser.country=NG -Duser.language=en -Duser.variant -cp /home/anina/.gradle/wrapper/dists/gradle-7.0-bin/2p9ebqfz6ilrfozi676ogco7n/gradle-7.0/lib/gradle-launcher-7.0.jar org.gradle.launcher.daemon.bootstrap.GradleDaemon 7.0
Please read the following process output to find out more:
-----------------------
Unrecognized option: --add-exports
Error: Could not create the Java Virtual Machine.
Error: A fatal exception has occurred. Program will exit.


* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

I think that it is because of the gradle properties defined in USER_HOME/gradle

@ehizman
Copy link
Contributor Author

ehizman commented Jul 3, 2022

I have removed the gradle properties. When I apply spotless, I get the same error as above.

@preetkaran20
Copy link
Member

I think somehow gradle is still pointing to newer java version. can you please check JAVA_HOME and see if it is pointing to newer versions and also there is no need to modify gradle.properties and instead using gradle wrapper ./gradlew spotlessApply

thanks,
Karan

@preetkaran20
Copy link
Member

preetkaran20 commented Jul 4, 2022
edited
Loading

actually, --add-exports should not be added as JVM option, did you changes something in the project for making it compatible with java 17?

@ehizman
Copy link
Contributor Author

ehizman commented Jul 4, 2022

My project SDK was set to java 17 but I just changed it to Java 8. Also, JAVA_HOME points to java 8. Still, when I run ./gradlew spotlessApply, it still gives the --add-exports error.

@preetkaran20
Copy link
Member

there should be something wrong in your setup for sure. I would suggest to uninstall java17 and any other versions and then try.

@ehizman
Copy link
Contributor Author

ehizman commented Jul 4, 2022

Okay. I was also thinking of deleting my local version and then cloning the project again

@ehizman
Copy link
Contributor Author

ehizman commented Jul 4, 2022

Hey @preetkaran20, I found the error. There was a gradle.properties file in my GRADLE_USER_HOME.
Deleted it and ./gradlew spotlessApply now works

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@preetkaran20 preetkaran20 preetkaran20 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ehizman @preetkaran20