diff --git a/.gitignore b/.gitignore
index 73a551e95..979d5f7a1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -32,3 +32,4 @@ celerybeat.pid
 *.o
 *.c
 *.prof
+*.dat
diff --git a/Pipfile b/Pipfile
index ed65d3a55..28a33a7f1 100644
--- a/Pipfile
+++ b/Pipfile
@@ -75,7 +75,7 @@ pillow = "==9.3.0"
 pyrsistent = "==0.19.1"
 pytz = "==2022.6"
 types-pyyaml = ">=6.0.12.2"
-uwsgi = "==2.0.21"
+uwsgi = "==2.0.22"
 marisa-trie = "==0.8.0"
 gunicorn = "==20.1.0"
 celery-singleton = "*"
@@ -89,6 +89,11 @@ networkit = "*"
 flower = "~=2.0.0"
 django-health-check = "==3.17.0"
 django-prometheus = "==2.3.1"
+django-add-default-value = "==0.10.0"
+networkx = {extras = ["all"], version = "*"}
+pandas = "~=2.1.0"
+pydot = "*"
+more-itertools = "*"
 
 [dev-packages]
 
diff --git a/Pipfile.lock b/Pipfile.lock
index 9b2dd31f4..95183592a 100644
--- a/Pipfile.lock
+++ b/Pipfile.lock
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "hash": {
- "sha256": "ea26523ac717832c23ff3c25488c707c515b73495a620c03ffd5ee7d2e2b1205"
+ "sha256": "c9e58f315e908fc3858271e78cc4ee73aa4f703e1320fe97d6ba4c7b02a782e0"
 },
 "pipfile-spec": 6,
 "requires": {
@@ -30,10 +30,10 @@
 },
 "aliyun-python-sdk-kms": {
 "hashes": [
- "sha256:9bc39c693ba83944f5dfb871b118a2925eb8a5ee214dfcce61ee2ea3b6317ef1",
- "sha256:a372737715682014bace68bd40fe83332f4fd925009a3eb110d41bc66f270e7a"
+ "sha256:83166468817a4fbc4c958af43ec22856e1bd80f1363f56acf822206febe6b059",
+ "sha256:f87234a8b64d457ca2338f87650db18a3ce7f7dbc9bfef71efe8f2894aded3d6"
 ],
- "version": "==2.16.1"
+ "version": "==2.16.2"
 },
 "amqp": {
 "hashes": [
@@ -43,14 +43,6 @@
 "markers": "python_version >= '3.6'",
 "version": "==5.1.1"
 },
- "annotated-types": {
- "hashes": [
- "sha256:47cdc3490d9ac1506ce92c7aaa76c579dc3509ff11e098fc867e5130ab7be802",
- "sha256:58da39888f92c276ad970249761ebea80ba544b77acddaa1a4d6cf78287d45fd"
- ],
- "markers": "python_version >= '3.7'",
- "version": "==0.5.0"
- },
 "asgiref": {
 "hashes": [
 "sha256:89b2ef2247e3b562a16eef663bc0e2e703ec6468e2fa8a5cd61cd449786d4f6e",
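Review bot: The new entries `networkx = {extras = ["all"], version = "*"}`, `pydot = "*"` and `more-itertools = "*"` in the second Pipfile hunk are left unpinned, unlike the three entries directly above them that pin an exact version with `==`, so the next `pipenv lock` can silently move them to whatever is current on the index. The lockfile in this same commit resolves them to 3.1, 1.4.2 and 10.1.0, which is what I would write here: `networkx = {extras = ["all"], version = "==3.1"}`, `pydot = "==1.4.2"`, `more-itertools = "==10.1.0"`. Separately, the lock now moves pydantic from 2.1.1 down to 1.10.12 and drops pydantic-core and annotated-types, although no Pipfile line in this diff asks for that; it looks like a transitive constraint from one of the new packages (possibly the `networkx[all]` extras set), and a one-line comment above these entries naming which package forces the pydantic major downgrade would save the next reader from re-deriving it.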
@@ -77,11 +69,11 @@ }, "autopep8": { "hashes": [ - "sha256:86e9303b5e5c8160872b2f5ef611161b2893e9bfe8ccc7e2f76385947d57a2f1", - "sha256:f9849cdd62108cb739dbcdbfb7fdcc9a30d1b63c4cc3e1c1f893b5360941b61c" + "sha256:067959ca4a07b24dbd5345efa8325f5f58da4298dab0dde0443d5ed765de80cb", + "sha256:2913064abd97b3419d1cc83ea71f042cb821f87e45b9c88cad5ad3c4ea87fe0c" ], "markers": "python_version >= '3.6'", - "version": "==2.0.2" + "version": "==2.0.4" }, "billiard": { "hashes": [ @@ -101,11 +93,11 @@ }, "boto3-stubs": { "hashes": [ - "sha256:b140f56315cd99c659a2cbae32dc4ae1ee44073b4250e1ad391d03ecf4b5eb40", - "sha256:bcef1fcbd758de6078e75b036d3632dd95eaef00311e6688554b5b883a194563" + "sha256:489a027b5298e840f889cb3213ecfe44fbbdc16156a648fcd2bf0824156dfe2b", + "sha256:a448163c1ef6e3fb383b0a2b25dcadb2cf8b0571ff4a39db9cf6b83760bad7f0" ], "index": "pypi", - "version": "==1.28.2" + "version": "==1.28.46" }, "botocore": { "hashes": [ @@ -117,11 +109,11 @@ }, "botocore-stubs": { "hashes": [ - "sha256:020de306ca1e18263e5a73b9142ec9901080f36d7c302ca53850483955e894ad", - "sha256:e9b23f54137bffbe7dcc08d9ca072172368cf92723aee34ec1de6e665f767c60" + "sha256:120334397569ec75f17dc0503d438b5d7791c82ea375bfac98d41a4fad0e1fe9", + "sha256:5d19d73de8aabef48ea7d9fe6ffab83bb46d066080d5aed82403fc3478f6b5b9" ], "index": "pypi", - "version": "==1.29.165" + "version": "==1.31.46" }, "celery": { "hashes": [ @@ -219,11 +211,11 @@ }, "chardet": { "hashes": [ - "sha256:0d62712b956bc154f85fb0a266e2a3c5913c2967e00348701b32411d6def31e5", - "sha256:362777fb014af596ad31334fde1e8c327dfdb076e1960d1694662d46a6917ab9" + "sha256:1b3b6ff479a8c414bc3fa2c0852995695c4a026dcd6d0633b2dd092ca39c1cf7", + "sha256:e1cf59446890a00105fe7b7912492ea04b6e6f06d4b742b2c788469e34c82970" ], "index": "pypi", - "version": "==5.1.0" + "version": "==5.2.0" }, "charset-normalizer": { "hashes": [ 
@@ -303,23 +295,23 @@ "sha256:f779d3ad205f108d14e99bb3859aa7dd8e9c68874617c72354d7ecaec2a054ac", "sha256:f87f746ee241d30d6ed93969de31e5ffd09a2961a051e60ae6bddde9ec3583aa" ], - "markers": "python_version >= '3.7'", + "markers": "python_full_version >= '3.7.0'", "version": "==3.2.0" }, "click": { "hashes": [ - "sha256:48ee849951919527a045bfe3bf7baa8a959c423134e1a5b98c05c20ba75a1cbd", - "sha256:fa244bb30b3b5ee2cae3da8f55c9e5e0c0e86093306301fb418eb9dc40fbded5" + "sha256:ae74fb96c20a0277a1d615f1e4d73c8414f5a98db8b799a7931d1582f3390c28", + "sha256:ca9853ad459e787e2192211578cc907e7594e294c7ccc834310722b41b9ca6de" ], "markers": "python_version >= '3.7'", - "version": "==8.1.6" + "version": "==8.1.7" }, "click-didyoumean": { "hashes": [ "sha256:a0713dc7a1de3f06bc0df5a9567ad19ead2d3d5689b434768a6145bff77c0667", "sha256:f184f0d851d96b6d29297354ed981b7dd71df7ff500d82fa6d11f0856bee8035" ], - "markers": "python_version < '4.0' and python_full_version >= '3.6.2'", + "markers": "python_full_version >= '3.6.2' and python_full_version < '4.0.0'", "version": "==0.3.0" }, "click-plugins": { @@ -377,11 +369,11 @@ }, "dataclasses-json": { "hashes": [ - "sha256:1280542631df1c375b7bc92e5b86d39e06c44760d7e3571a537b3b8acabf2f0c", - "sha256:e9ac87b73edc0141aafbce02b44e93553c3123ad574958f0fe52a534b6707e8e" + "sha256:5bcd5c1d946a69ef94d8cbb726d87af1256f7ba0898809c7695d299ab9b45122", + "sha256:77cbc80041007c27db90abad79eeed9ea00d4627324b1208266379a6ebdc81e4" ], "index": "pypi", - "version": "==0.5.9" + "version": "==0.6.0" }, "ddt": { "hashes": [ 
@@ -409,11 +401,19 @@ }, "django": { "hashes": [ - "sha256:a477ab326ae7d8807dc25c186b951ab8c7648a3a23f9497763c37307a2b5ef87", - "sha256:dec2a116787b8e14962014bf78e120bba454135108e1af9e9b91ade7b2964c40" + "sha256:a5de4c484e7b7418e6d3e52a5b8794f0e6b9f9e4ce3c037018cf1c489fa87f3c", + "sha256:d31b06c58aa2cd73998ca5966bc3001243d3c4e77ee2d0c479bced124765fd99" ], "index": "pypi", - "version": "==3.2.20" + "version": "==3.2.21" + }, + "django-add-default-value": { + "hashes": [ + "sha256:514b357f4a5e5c5dd9f02ca42d19d51688ed4a9cac62a7e35d09025f632bba93", + "sha256:a539767f498ab2e3022f98f743aa4473354a24df037859543cd2545f650cadcc" + ], + "index": "pypi", + "version": "==0.10.0" }, "django-celery-beat": { "hashes": [ @@ -516,11 +516,11 @@ }, "django-seriously": { "hashes": [ - "sha256:3143c6d397ac82803a8890247c52466a70863c8dbb59065888ebd2c6d10cec8c", - "sha256:e20e06b33894cfd8d58370aca9a0c8a991080d71186a841454a16dc192b66a53" + "sha256:591a2be6e18c229117e0196d9c8e6bd600f5c52f9eebe868e709c71acb53ef58", + "sha256:771f88a24f6166bdb3a944769fa09e24c317ea1b8f5ee8040d121d30b4395219" ], "index": "pypi", - "version": "==0.4.0" + "version": "==0.4.3" }, "django-silk": { "hashes": [ @@ -599,11 +599,11 @@ }, "djangorestframework-dataclasses": { "hashes": [ - "sha256:4fa8d93a19a3e256487674e9c654b45992bc76de155bd097eced6fe4af4100a2", - "sha256:e4f54a2a21b6dfdb07ba657f91b5a97a41d03c6760203e8a6c3749276d3f129c" + "sha256:ca1aa1ca99b5306af874376f37355593bb3d1ac7d658d54e2790f9b303968065", + "sha256:d3796b5ce3f7266d525493c557ce7df9ffeae4367006250298ea4d94da4106c4" ], "index": "pypi", - "version": "==1.2.0" + "version": "==1.3.1" }, "djangorestframework-stubs": { "extras": [ 
@@ -665,11 +665,11 @@ }, "flower": { "hashes": [ - "sha256:5657785d728a54914256c34fd0551fe2d7152aab08062ebc645bf86b97b8aec5", - "sha256:571f9ed1c57a622e862de35eceb8a4244f023fbcfb7175f53e45ebe679f46d90" + "sha256:5ab717b979530770c16afb48b50d2a98d23c3e9fe39851dcf6bc4d01845a02a0", + "sha256:9db2c621eeefbc844c8dd88be64aef61e84e2deb29b271e02ab2b5b9f01068e2" ], "index": "pypi", - "version": "==2.0.0" + "version": "==2.0.1" }, "gevent": { "hashes": [ @@ -741,6 +741,7 @@ "hashes": [ "sha256:03a8f4f3430c3b3ff8d10a2a86028c660355ab637cee9333d63d66b56f09d52a", "sha256:0bf60faf0bc2468089bdc5edd10555bab6e85152191df713e2ab1fcc86382b5a", + "sha256:1087300cf9700bbf455b1b97e24db18f2f77b55302a68272c56209d5587c12d1", "sha256:18a7f18b82b52ee85322d7a7874e676f34ab319b9f8cce5de06067384aa8ff43", "sha256:18e98fb3de7dba1c0a852731c3070cf022d14f0d68b4c87a19cc1016f3bb8b33", "sha256:1a819eef4b0e0b96bb0d98d797bef17dc1b4a10e8d7446be32d1da33e095dbb8", @@ -766,6 +767,7 @@ "sha256:76ae285c8104046b3a7f06b42f29c7b73f77683df18c49ab5af7983994c2dd91", "sha256:7cafd1208fdbe93b67c7086876f061f660cfddc44f404279c1585bbf3cdc64c5", "sha256:7efde645ca1cc441d6dc4b48c0f7101e8d86b54c8530141b09fd31cef5149ec9", + "sha256:8512a0c38cfd4e66a858ddd1b17705587900dd760c6003998e9472b77b56d417", "sha256:88d9ab96491d38a5ab7c56dd7a3cc37d83336ecc564e4e8816dbed12e5aaefc8", "sha256:8eab883b3b2a38cc1e050819ef06a7e6344d4a990d24d45bc6f2cf959045a45b", "sha256:910841381caba4f744a44bf81bfd573c94e10b3045ee00de0cbf436fe50673a6", 
@@ -789,8 +791,10 @@ "sha256:c9c59a2120b55788e800d82dfa99b9e156ff8f2227f07c5e3012a45a399620b7", "sha256:cd021c754b162c0fb55ad5d6b9d960db667faad0fa2ff25bb6e1301b0b6e6a75", "sha256:d27ec7509b9c18b6d73f2f5ede2622441de812e7b1a80bbd446cb0633bd3d5ae", + "sha256:d4606a527e30548153be1a9f155f4e283d109ffba663a15856089fb55f933e47", "sha256:d5508f0b173e6aa47273bdc0a0b5ba055b59662ba7c7ee5119528f466585526b", "sha256:d75209eed723105f9596807495d58d10b3470fa6732dd6756595e89925ce2470", + "sha256:d967650d3f56af314b72df7089d96cda1083a7fc2da05b375d2bc48c82ab3f3c", "sha256:db1a39669102a1d8d12b57de2bb7e2ec9066a6f2b3da35ae511ff93b01b5d564", "sha256:dbfcfc0218093a19c252ca8eb9aee3d29cfdcb586df21049b9d777fd32c14fd9", "sha256:e0f72c9ddb8cd28532185f54cc1453f2c16fb417a08b53a855c4e6a418edd099", @@ -937,11 +941,11 @@ }, "kombu": { "hashes": [ - "sha256:48ee589e8833126fd01ceaa08f8a2041334e9f5894e5763c8486a550454551e9", - "sha256:fbd7572d92c0bf71c112a6b45163153dea5a7b6a701ec16b568c27d0fd2370f2" + "sha256:0ba213f630a2cb2772728aef56ac6883dc3a2f13435e10048f6e97d48506dbbd", + "sha256:b753c9cfc9b1e976e637a7cbc1a65d446a22e45546cd996ea28f932082b7dc9e" ], "markers": "python_version >= '3.8'", - "version": "==5.3.1" + "version": "==5.3.2" }, "lxml": { "hashes": [ 
@@ -1100,8 +1104,11 @@ "sha256:0a4e4a1aff6c7ac4cd55792abf96c915634c2b97e3cc1c7129578aa68ebd754e", "sha256:10bbfe99883db80bdbaff2dcf681dfc6533a614f700da1287707e8a5d78a8431", "sha256:134da1eca9ec0ae528110ccc9e48041e0828d79f24121a1a146161103c76e686", + "sha256:14ff806850827afd6b07a5f32bd917fb7f45b046ba40c57abdb636674a8b559c", "sha256:1577735524cdad32f9f694208aa75e422adba74f1baee7551620e43a3141f559", "sha256:1b40069d487e7edb2676d3fbdb2b0829ffa2cd63a2ec26c4938b2d34391b4ecc", + "sha256:1b8dd8c3fd14349433c79fa8abeb573a55fc0fdd769133baac1f5e07abf54aeb", + "sha256:1f67c7038d560d92149c060157d623c542173016c4babc0c1913cca0564b9939", "sha256:282c2cb35b5b673bbcadb33a585408104df04f14b2d9b01d4c345a3b92861c2c", "sha256:2c1b19b3aaacc6e57b7e25710ff571c24d6c3613a45e905b1fde04d691b98ee0", "sha256:2ef12179d3a291be237280175b542c07a36e7f60718296278d8593d21ca937d4", @@ -1109,6 +1116,7 @@ "sha256:3c0fae6c3be832a0a0473ac912810b2877c8cb9d76ca48de1ed31e1c68386575", "sha256:3fd4abcb888d15a94f32b75d8fd18ee162ca0c064f35b11134be77050296d6ba", "sha256:42de32b22b6b804f42c5d98be4f7e5e977ecdd9ee9b660fda1a3edf03b11792d", + "sha256:47d4f1c5f80fc62fdd7777d0d40a2e9dda0a05883ab11374334f6c4de38adffd", "sha256:504b320cd4b7eff6f968eddf81127112db685e81f7e36e75f9f84f0df46041c3", "sha256:525808b8019e36eb524b8c68acdd63a37e75714eac50e988180b169d64480a00", "sha256:56d9f2ecac662ca1611d183feb03a3fa4406469dafe241673d521dd5ae92a155", @@ -1117,6 +1125,7 @@ "sha256:68e78619a61ecf91e76aa3e6e8e33fc4894a2bebe93410754bd28fce0a8a4f9f", "sha256:69c0f17e9f5a7afdf2cc9fb2d1ce6aabdb3bafb7f38017c0b77862bcec2bbad8", "sha256:6b2b56950d93e41f33b4223ead100ea0fe11f8e6ee5f641eb753ce4b77a7042b", + "sha256:715d3562f79d540f251b99ebd6d8baa547118974341db04f5ad06d5ea3eb8007", "sha256:787003c0ddb00500e49a10f2844fac87aa6ce977b90b0feaaf9de23c22508b24", "sha256:7ef3cb2ebbf91e330e3bb937efada0edd9003683db6b57bb108c4001f37a02ea", "sha256:8023faf4e01efadfa183e863fefde0046de576c6f14659e8782065bcece22198", 
@@ -1124,9 +1133,12 @@ "sha256:8afafd99945ead6e075b973fefa56379c5b5c53fd8937dad92c662da5d8fd5ee", "sha256:8c41976a29d078bb235fea9b2ecd3da465df42a562910f9022f1a03107bd02be", "sha256:8e254ae696c88d98da6555f5ace2279cf7cd5b3f52be2b5cf97feafe883b58d2", + "sha256:8f9293864fe09b8149f0cc42ce56e3f0e54de883a9de90cd427f191c346eb2e1", "sha256:9402b03f1a1b4dc4c19845e5c749e3ab82d5078d16a2a4c2cd2df62d57bb0707", "sha256:962f82a3086483f5e5f64dbad880d31038b698494799b097bc59c2edf392fce6", + "sha256:9aad3c1755095ce347e26488214ef77e0485a3c34a50c5a5e2471dff60b9dd9c", "sha256:9dcdfd0eaf283af041973bff14a2e143b8bd64e069f4c383416ecd79a81aab58", + "sha256:aa57bd9cf8ae831a362185ee444e15a93ecb2e344c8e52e4d721ea3ab6ef1823", "sha256:aa7bd130efab1c280bed0f45501b7c8795f9fdbeb02e965371bbef3523627779", "sha256:ab4a0df41e7c16a1392727727e7998a467472d0ad65f3ad5e6e765015df08636", "sha256:ad9e82fb8f09ade1c3e1b996a6337afac2b8b9e365f926f5a61aacc71adc5b3c", @@ -1145,7 +1157,9 @@ "sha256:df0be2b576a7abbf737b1575f048c23fb1d769f267ec4358296f31c2479db8f9", "sha256:e09031c87a1e51556fdcb46e5bd4f59dfb743061cf93c4d6831bf894f125eb57", "sha256:e4dd52d80b8c83fdce44e12478ad2e85c64ea965e75d66dbeafb0a3e77308fcc", - "sha256:fec21693218efe39aa7f8599346e90c705afa52c5b31ae019b2e57e8f6542bb2" + "sha256:f698de3fd0c4e6972b92290a45bd9b1536bffe8c6759c62471efaa8acb4c37bc", + "sha256:fec21693218efe39aa7f8599346e90c705afa52c5b31ae019b2e57e8f6542bb2", + "sha256:ffcc3f7c66b5f5b7931a5aa68fc9cecc51e685ef90282f4a82f0f5e9b704ad11" ], "markers": "python_version >= '3.7'", "version": "==2.1.3" @@ -1158,13 +1172,6 @@ "markers": "python_version >= '3.8'", "version": "==3.20.1" }, - "marshmallow-enum": { - "hashes": [ - "sha256:38e697e11f45a8e64b4a1e664000897c659b60aa57bfa18d44e226a9920b6e58", - "sha256:57161ab3dbfde4f57adeb12090f39592e992b9c86d206d02f6bd03ebec60f072" - ], - "version": "==1.5.1" - }, "mock": { "hashes": [ "sha256:18c694e5ae8a208cdb3d2c20a993ca1a7b0efa258c247a1e565150f477f83744", 
@@ -1175,11 +1182,19 @@ }, "model-bakery": { "hashes": [ - "sha256:0f54a4548722ecee0183d82eabe1adf8f74303e6ce08705cfe228a96ef3bb7d9", - "sha256:dba7444c9593261b12dcb21f8f9e1ba668fafc70804f15dfd6aa208b9e3f558f" + "sha256:16178e608e2f414814e3383a9855e39c08810c9dee7b1d8e1354f1fdb7c013bc", + "sha256:c76813d8836ce339df4abd8648d6ed195fd0363f395dd1cb11b8a1898224e4e7" ], - "markers": "python_version >= '3.7'", - "version": "==1.13.0" + "markers": "python_version >= '3'", + "version": "==1.15.0" + }, + "more-itertools": { + "hashes": [ + "sha256:626c369fa0eb37bac0291bce8259b332fd59ac792fa5497b59837309cd5b114a", + "sha256:64e0735fcfdc6f3464ea133afe8ea4483b1c5fe3a3d69852e6503b43a0b222e6" + ], + "index": "pypi", + "version": "==10.1.0" }, "mypy": { "hashes": [ @@ -1256,6 +1271,17 @@ "index": "pypi", "version": "==10.1" }, + "networkx": { + "extras": [ + "all" + ], + "hashes": [ + "sha256:4f33f68cb2afcf86f28a45f43efc27a9386b535d567d2127f8f61d51dec58d36", + "sha256:de346335408f84de0eada6ff9fafafff9bcda11f0a0dfaa931133debb146ab61" + ], + "index": "pypi", + "version": "==3.1" + }, "numpy": { "hashes": [ "sha256:0d60fbae8e0019865fc4784745814cff1c421df5afee233db6d88ab4f14655a2", 
@@ -1317,6 +1343,31 @@ "index": "pypi", "version": "==21.3" }, + "pandas": { + "hashes": [ + "sha256:0164b85937707ec7f70b34a6c3a578dbf0f50787f910f21ca3b26a7fd3363437", + "sha256:28f330845ad21c11db51e02d8d69acc9035edfd1116926ff7245c7215db57957", + "sha256:38f74ef7ebc0ffb43b3d633e23d74882bce7e27bfa09607f3c5d3e03ffd9a4a5", + "sha256:40dd20439ff94f1b2ed55b393ecee9cb6f3b08104c2c40b0cb7186a2f0046242", + "sha256:629124923bcf798965b054a540f9ccdfd60f71361255c81fa1ecd94a904b9dd3", + "sha256:62c24c7fc59e42b775ce0679cfa7b14a5f9bfb7643cfbe708c960699e05fb918", + "sha256:6e6a0fe052cf27ceb29be9429428b4918f3740e37ff185658f40d8702f0b3e09", + "sha256:70cf866af3ab346a10debba8ea78077cf3a8cd14bd5e4bed3d41555a3280041c", + "sha256:86f100b3876b8c6d1a2c66207288ead435dc71041ee4aea789e55ef0e06408cb", + "sha256:9d81e1813191070440d4c7a413cb673052b3b4a984ffd86b8dd468c45742d3cc", + "sha256:b31da36d376d50a1a492efb18097b9101bdbd8b3fbb3f49006e02d4495d4c644", + "sha256:b9a6ccf0963db88f9b12df6720e55f337447aea217f426a22d71f4213a3099a6", + "sha256:cda72cc8c4761c8f1d97b169661f23a86b16fdb240bdc341173aee17e4d6cedd", + "sha256:d4f38e4fedeba580285eaac7ede4f686c6701a9e618d8a857b138a126d067f2f", + "sha256:d53c8c1001f6a192ff1de1efe03b31a423d0eee2e9e855e69d004308e046e694", + "sha256:d8c58b1113892e0c8078f006a167cc210a92bdae23322bb4614f2f0b7a4b510f", + "sha256:d97daeac0db8c993420b10da4f5f5b39b01fc9ca689a17844e07c0a35ac96b4b", + "sha256:d99e678180bc59b0c9443314297bddce4ad35727a1a2656dbe585fd78710b3b9", + "sha256:eb20252720b1cc1b7d0b2879ffc7e0542dd568f24d7c4b2347cb035206936421" + ], + "index": "pypi", + "version": "==2.1.0" + }, "pep8": { "hashes": [ "sha256:b22cfae5db09833bb9bd7c8463b53e1a9c9b39f12e304a8d0bba729c501827ee", 
@@ -1405,7 +1456,7 @@ "sha256:04505ade687dc26dc4284b1ad19a83be2f2afe83e7a828ace0c72f3a1df72aac", "sha256:9dffbe1d8acf91e3de75f3b544e4842382fc06c6babe903ac9acb74dc6e08d88" ], - "markers": "python_version >= '3.7'", + "markers": "python_full_version >= '3.7.0'", "version": "==3.0.39" }, "pycodestyle": { 
@@ -1496,118 +1547,53 @@ }, "pydantic": { "hashes": [ - "sha256:22d63db5ce4831afd16e7c58b3192d3faf8f79154980d9397d9867254310ba4b", - "sha256:43bdbf359d6304c57afda15c2b95797295b702948082d4c23851ce752f21da70" + "sha256:0fe8a415cea8f340e7a9af9c54fc71a649b43e8ca3cc732986116b3cb135d303", + "sha256:1289c180abd4bd4555bb927c42ee42abc3aee02b0fb2d1223fb7c6e5bef87dbe", + "sha256:1eb2085c13bce1612da8537b2d90f549c8cbb05c67e8f22854e201bde5d98a47", + "sha256:2031de0967c279df0d8a1c72b4ffc411ecd06bac607a212892757db7462fc494", + "sha256:2a7bac939fa326db1ab741c9d7f44c565a1d1e80908b3797f7f81a4f86bc8d33", + "sha256:2d5a58feb9a39f481eda4d5ca220aa8b9d4f21a41274760b9bc66bfd72595b86", + "sha256:2f9a6fab5f82ada41d56b0602606a5506aab165ca54e52bc4545028382ef1c5d", + "sha256:2fcfb5296d7877af406ba1547dfde9943b1256d8928732267e2653c26938cd9c", + "sha256:549a8e3d81df0a85226963611950b12d2d334f214436a19537b2efed61b7639a", + "sha256:598da88dfa127b666852bef6d0d796573a8cf5009ffd62104094a4fe39599565", + "sha256:5d1197e462e0364906cbc19681605cb7c036f2475c899b6f296104ad42b9f5fb", + "sha256:69328e15cfda2c392da4e713443c7dbffa1505bc9d566e71e55abe14c97ddc62", + "sha256:6a9dfa722316f4acf4460afdf5d41d5246a80e249c7ff475c43a3a1e9d75cf62", + "sha256:6b30bcb8cbfccfcf02acb8f1a261143fab622831d9c0989707e0e659f77a18e0", + "sha256:6c076be61cd0177a8433c0adcb03475baf4ee91edf5a4e550161ad57fc90f523", + "sha256:771735dc43cf8383959dc9b90aa281f0b6092321ca98677c5fb6125a6f56d58d", + "sha256:795e34e6cc065f8f498c89b894a3c6da294a936ee71e644e4bd44de048af1405", + "sha256:87afda5539d5140cb8ba9e8b8c8865cb5b1463924d38490d73d3ccfd80896b3f", + "sha256:8fb2aa3ab3728d950bcc885a2e9eff6c8fc40bc0b7bb434e555c215491bcf48b", + "sha256:a1fcb59f2f355ec350073af41d927bf83a63b50e640f4dbaa01053a28b7a7718", + "sha256:a5e7add47a5b5a40c49b3036d464e3c7802f8ae0d1e66035ea16aa5b7a3923ed", + "sha256:a73f489aebd0c2121ed974054cb2759af8a9f747de120acd2c3394cf84176ccb", + "sha256:ab26038b8375581dc832a63c948f261ae0aa21f1d34c1293469f135fa92972a5", + 
"sha256:b0d191db0f92dfcb1dec210ca244fdae5cbe918c6050b342d619c09d31eea0cc", + "sha256:b749a43aa51e32839c9d71dc67eb1e4221bb04af1033a32e3923d46f9effa942", + "sha256:b7ccf02d7eb340b216ec33e53a3a629856afe1c6e0ef91d84a4e6f2fb2ca70fe", + "sha256:ba5b2e6fe6ca2b7e013398bc7d7b170e21cce322d266ffcd57cca313e54fb246", + "sha256:ba5c4a8552bff16c61882db58544116d021d0b31ee7c66958d14cf386a5b5350", + "sha256:c79e6a11a07da7374f46970410b41d5e266f7f38f6a17a9c4823db80dadf4303", + "sha256:ca48477862372ac3770969b9d75f1bf66131d386dba79506c46d75e6b48c1e09", + "sha256:dea7adcc33d5d105896401a1f37d56b47d443a2b2605ff8a969a0ed5543f7e33", + "sha256:e0a16d274b588767602b7646fa05af2782576a6cf1022f4ba74cbb4db66f6ca8", + "sha256:e4129b528c6baa99a429f97ce733fff478ec955513630e61b49804b6cf9b224a", + "sha256:e5f805d2d5d0a41633651a73fa4ecdd0b3d7a49de4ec3fadf062fe16501ddbf1", + "sha256:ef6c96b2baa2100ec91a4b428f80d8f28a3c9e53568219b6c298c1125572ebc6", + "sha256:fdbdd1d630195689f325c9ef1a12900524dceb503b00a987663ff4f58669b93d" ], "markers": "python_version >= '3.7'", - "version": "==2.1.1" - }, - "pydantic-core": { - "hashes": [ - "sha256:01947ad728f426fa07fcb26457ebf90ce29320259938414bc0edd1476e75addb", - "sha256:0455876d575a35defc4da7e0a199596d6c773e20d3d42fa1fc29f6aa640369ed", - "sha256:047580388644c473b934d27849f8ed8dbe45df0adb72104e78b543e13bf69762", - "sha256:04922fea7b13cd480586fa106345fe06e43220b8327358873c22d8dfa7a711c7", - "sha256:08f89697625e453421401c7f661b9d1eb4c9e4c0a12fd256eeb55b06994ac6af", - "sha256:0a507d7fa44688bbac76af6521e488b3da93de155b9cba6f2c9b7833ce243d59", - "sha256:0d726108c1c0380b88b6dd4db559f0280e0ceda9e077f46ff90bc85cd4d03e77", - "sha256:12ef6838245569fd60a179fade81ca4b90ae2fa0ef355d616f519f7bb27582db", - "sha256:153a61ac4030fa019b70b31fb7986461119230d3ba0ab661c757cfea652f4332", - "sha256:16468bd074fa4567592d3255bf25528ed41e6b616d69bf07096bdb5b66f947d1", - "sha256:17156abac20a9feed10feec867fddd91a80819a485b0107fe61f09f2117fe5f3", - 
"sha256:1927f0e15d190f11f0b8344373731e28fd774c6d676d8a6cfadc95c77214a48b", - "sha256:1e8a7c62d15a5c4b307271e4252d76ebb981d6251c6ecea4daf203ef0179ea4f", - "sha256:2ad538b7e07343001934417cdc8584623b4d8823c5b8b258e75ec8d327cec969", - "sha256:2ca4687dd996bde7f3c420def450797feeb20dcee2b9687023e3323c73fc14a2", - "sha256:2edef05b63d82568b877002dc4cb5cc18f8929b59077120192df1e03e0c633f8", - "sha256:2f9ea0355f90db2a76af530245fa42f04d98f752a1236ed7c6809ec484560d5b", - "sha256:30527d173e826f2f7651f91c821e337073df1555e3b5a0b7b1e2c39e26e50678", - "sha256:32a1e0352558cd7ccc014ffe818c7d87b15ec6145875e2cc5fa4bb7351a1033d", - "sha256:3534118289e33130ed3f1cc487002e8d09b9f359be48b02e9cd3de58ce58fba9", - "sha256:36ba9e728588588f0196deaf6751b9222492331b5552f865a8ff120869d372e0", - "sha256:382f0baa044d674ad59455a5eff83d7965572b745cc72df35c52c2ce8c731d37", - "sha256:394f12a2671ff8c4dfa2e85be6c08be0651ad85bc1e6aa9c77c21671baaf28cd", - "sha256:3ba2c9c94a9176f6321a879c8b864d7c5b12d34f549a4c216c72ce213d7d953c", - "sha256:3ded19dcaefe2f6706d81e0db787b59095f4ad0fbadce1edffdf092294c8a23f", - "sha256:3fcf529382b282a30b466bd7af05be28e22aa620e016135ac414f14e1ee6b9e1", - "sha256:43a405ce520b45941df9ff55d0cd09762017756a7b413bbad3a6e8178e64a2c2", - "sha256:453862ab268f6326b01f067ed89cb3a527d34dc46f6f4eeec46a15bbc706d0da", - "sha256:4665f7ed345012a8d2eddf4203ef145f5f56a291d010382d235b94e91813f88a", - "sha256:478f5f6d7e32bd4a04d102160efb2d389432ecf095fe87c555c0a6fc4adfc1a4", - "sha256:49db206eb8fdc4b4f30e6e3e410584146d813c151928f94ec0db06c4f2595538", - "sha256:4b262bbc13022f2097c48a21adcc360a81d83dc1d854c11b94953cd46d7d3c07", - "sha256:4cbe929efa77a806e8f1a97793f2dc3ea3475ae21a9ed0f37c21320fe93f6f50", - "sha256:4e562cc63b04636cde361fd47569162f1daa94c759220ff202a8129902229114", - "sha256:546064c55264156b973b5e65e5fafbe5e62390902ce3cf6b4005765505e8ff56", - "sha256:54df7df399b777c1fd144f541c95d351b3aa110535a6810a6a569905d106b6f3", - "sha256:56a85fa0dab1567bd0cac10f0c3837b03e8a0d939e6a8061a3a420acd97e9421", 
- "sha256:57a53a75010c635b3ad6499e7721eaa3b450e03f6862afe2dbef9c8f66e46ec8", - "sha256:584a7a818c84767af16ce8bda5d4f7fedb37d3d231fc89928a192f567e4ef685", - "sha256:5fd905a69ac74eaba5041e21a1e8b1a479dab2b41c93bdcc4c1cede3c12a8d86", - "sha256:61d4e713f467abcdd59b47665d488bb898ad3dd47ce7446522a50e0cbd8e8279", - "sha256:6213b471b68146af97b8551294e59e7392c2117e28ffad9c557c65087f4baee3", - "sha256:63797499a219d8e81eb4e0c42222d0a4c8ec896f5c76751d4258af95de41fdf1", - "sha256:64e8012ad60a5f0da09ed48725e6e923d1be25f2f091a640af6079f874663813", - "sha256:664402ef0c238a7f8a46efb101789d5f2275600fb18114446efec83cfadb5b66", - "sha256:68199ada7c310ddb8c76efbb606a0de656b40899388a7498954f423e03fc38be", - "sha256:69159afc2f2dc43285725f16143bc5df3c853bc1cb7df6021fce7ef1c69e8171", - "sha256:6f855bcc96ed3dd56da7373cfcc9dcbabbc2073cac7f65c185772d08884790ce", - "sha256:6feb4b64d11d5420e517910d60a907d08d846cacaf4e029668725cd21d16743c", - "sha256:72f1216ca8cef7b8adacd4c4c6b89c3b0c4f97503197f5284c80f36d6e4edd30", - "sha256:77dadc764cf7c5405e04866181c5bd94a447372a9763e473abb63d1dfe9b7387", - "sha256:782fced7d61469fd1231b184a80e4f2fa7ad54cd7173834651a453f96f29d673", - "sha256:79262be5a292d1df060f29b9a7cdd66934801f987a817632d7552534a172709a", - "sha256:7aa82d483d5fb867d4fb10a138ffd57b0f1644e99f2f4f336e48790ada9ada5e", - "sha256:853f103e2b9a58832fdd08a587a51de8b552ae90e1a5d167f316b7eabf8d7dde", - "sha256:867d3eea954bea807cabba83cfc939c889a18576d66d197c60025b15269d7cc0", - "sha256:878a5017d93e776c379af4e7b20f173c82594d94fa073059bcc546789ad50bf8", - "sha256:884235507549a6b2d3c4113fb1877ae263109e787d9e0eb25c35982ab28d0399", - "sha256:8c938c96294d983dcf419b54dba2d21056959c22911d41788efbf949a29ae30d", - "sha256:8efc1be43b036c2b6bcfb1451df24ee0ddcf69c31351003daf2699ed93f5687b", - "sha256:8fba0aff4c407d0274e43697e785bcac155ad962be57518d1c711f45e72da70f", - "sha256:90f3785146f701e053bb6b9e8f53acce2c919aca91df88bd4975be0cb926eb41", - 
"sha256:9137289de8fe845c246a8c3482dd0cb40338846ba683756d8f489a4bd8fddcae", - "sha256:9206c14a67c38de7b916e486ae280017cf394fa4b1aa95cfe88621a4e1d79725", - "sha256:94d2b36a74623caab262bf95f0e365c2c058396082bd9d6a9e825657d0c1e7fa", - "sha256:97c6349c81cee2e69ef59eba6e6c08c5936e6b01c2d50b9e4ac152217845ae09", - "sha256:a027f41c5008571314861744d83aff75a34cf3a07022e0be32b214a5bc93f7f1", - "sha256:a08fd490ba36d1fbb2cd5dcdcfb9f3892deb93bd53456724389135712b5fc735", - "sha256:a297c0d6c61963c5c3726840677b798ca5b7dfc71bc9c02b9a4af11d23236008", - "sha256:a4ea23b07f29487a7bef2a869f68c7ee0e05424d81375ce3d3de829314c6b5ec", - "sha256:a8b7acd04896e8f161e1500dc5f218017db05c1d322f054e89cbd089ce5d0071", - "sha256:ac2b680de398f293b68183317432b3d67ab3faeba216aec18de0c395cb5e3060", - "sha256:af24ad4fbaa5e4a2000beae0c3b7fd1c78d7819ab90f9370a1cfd8998e3f8a3c", - "sha256:af788b64e13d52fc3600a68b16d31fa8d8573e3ff2fc9a38f8a60b8d94d1f012", - "sha256:b013c7861a7c7bfcec48fd709513fea6f9f31727e7a0a93ca0dd12e056740717", - "sha256:b2799c2eaf182769889761d4fb4d78b82bc47dae833799fedbf69fc7de306faa", - "sha256:b27f3e67f6e031f6620655741b7d0d6bebea8b25d415924b3e8bfef2dd7bd841", - "sha256:b7206e41e04b443016e930e01685bab7a308113c0b251b3f906942c8d4b48fcb", - "sha256:b85778308bf945e9b33ac604e6793df9b07933108d20bdf53811bc7c2798a4af", - "sha256:bd7d1dde70ff3e09e4bc7a1cbb91a7a538add291bfd5b3e70ef1e7b45192440f", - "sha256:be86c2eb12fb0f846262ace9d8f032dc6978b8cb26a058920ecb723dbcb87d05", - "sha256:bf10963d8aed8bbe0165b41797c9463d4c5c8788ae6a77c68427569be6bead41", - "sha256:c1375025f0bfc9155286ebae8eecc65e33e494c90025cda69e247c3ccd2bab00", - "sha256:c5d8e764b5646623e57575f624f8ebb8f7a9f7fd1fae682ef87869ca5fec8dcf", - "sha256:cba5ad5eef02c86a1f3da00544cbc59a510d596b27566479a7cd4d91c6187a11", - "sha256:cc086ddb6dc654a15deeed1d1f2bcb1cb924ebd70df9dca738af19f64229b06c", - "sha256:d0c2b713464a8e263a243ae7980d81ce2de5ac59a9f798a282e44350b42dc516", - "sha256:d93aedbc4614cc21b9ab0d0c4ccd7143354c1f7cffbbe96ae5216ad21d1b21b5", 
- "sha256:d9610b47b5fe4aacbbba6a9cb5f12cbe864eec99dbfed5710bd32ef5dd8a5d5b", - "sha256:da055a1b0bfa8041bb2ff586b2cb0353ed03944a3472186a02cc44a557a0e661", - "sha256:dd2429f7635ad4857b5881503f9c310be7761dc681c467a9d27787b674d1250a", - "sha256:de39eb3bab93a99ddda1ac1b9aa331b944d8bcc4aa9141148f7fd8ee0299dafc", - "sha256:e40b1e97edd3dc127aa53d8a5e539a3d0c227d71574d3f9ac1af02d58218a122", - "sha256:e412607ca89a0ced10758dfb8f9adcc365ce4c1c377e637c01989a75e9a9ec8a", - "sha256:e953353180bec330c3b830891d260b6f8e576e2d18db3c78d314e56bb2276066", - "sha256:ec3473c9789cc00c7260d840c3db2c16dbfc816ca70ec87a00cddfa3e1a1cdd5", - "sha256:efff8b6761a1f6e45cebd1b7a6406eb2723d2d5710ff0d1b624fe11313693989", - "sha256:f773b39780323a0499b53ebd91a28ad11cde6705605d98d999dfa08624caf064", - "sha256:fa8e48001b39d54d97d7b380a0669fa99fc0feeb972e35a2d677ba59164a9a22", - "sha256:ff246c0111076c8022f9ba325c294f2cb5983403506989253e04dbae565e019b", - "sha256:ffe18407a4d000c568182ce5388bbbedeb099896904e43fc14eee76cfae6dec5" + "version": "==1.10.12" + }, + "pydot": { + "hashes": [ + "sha256:248081a39bcb56784deb018977e428605c1c758f10897a339fce1dd728ff007d", + "sha256:66c98190c65b8d2e2382a441b4c0edfdb4f4c025ef9cb9874de478fb0793a451" ], - "markers": "python_version >= '3.7'", - "version": "==2.4.0" + "index": "pypi", + "version": "==1.4.2" }, "pymysql": { "hashes": [ @@ -1716,7 +1702,9 @@ }, "pyyaml": { "hashes": [ + "sha256:04ac92ad1925b2cff1db0cfebffb6ffc43457495c9b3c39d3fcae417d7125dc5", "sha256:062582fca9fabdd2c8b54a3ef1c978d786e0f6b3a1510e0ac93ef59e0ddae2bc", + "sha256:0d3304d8c0adc42be59c5f8a4d9e3d7379e6955ad754aa9d6ab7a398b59dd1df", "sha256:1635fd110e8d85d55237ab316b5b011de701ea0f29d07611174a1b42f1444741", "sha256:184c5108a2aca3c5b3d3bf9395d50893a7ab82a38004c8f61c258d4428e80206", "sha256:18aeb1bf9a78867dc38b259769503436b7c72f7a1f1f4c93ff9a17de54319b27", 
@@ -1724,7 +1712,10 @@ "sha256:1e2722cc9fbb45d9b87631ac70924c11d3a401b2d7f410cc0e3bbf249f2dca62", "sha256:1fe35611261b29bd1de0070f0b2f47cb6ff71fa6595c077e42bd0c419fa27b98", "sha256:28c119d996beec18c05208a8bd78cbe4007878c6dd15091efb73a30e90539696", + "sha256:326c013efe8048858a6d312ddd31d56e468118ad4cdeda36c719bf5bb6192290", + "sha256:40df9b996c2b73138957fe23a16a4f0ba614f4c0efce1e9406a184b6d07fa3a9", "sha256:42f8152b8dbc4fe7d96729ec2b99c7097d656dc1213a3229ca5383f973a5ed6d", + "sha256:49a183be227561de579b4a36efbb21b3eab9651dd81b1858589f796549873dd6", "sha256:4fb147e7a67ef577a588a0e2c17b6db51dda102c71de36f8549b6816a96e1867", "sha256:50550eb667afee136e9a77d6dc71ae76a44df8b3e51e41b77f6de2932bfe0f47", "sha256:510c9deebc5c0225e8c96813043e62b680ba2f9c50a08d3724c7f28a747d1486", @@ -1732,9 +1723,12 @@ "sha256:596106435fa6ad000c2991a98fa58eeb8656ef2325d7e158344fb33864ed87e3", "sha256:6965a7bc3cf88e5a1c3bd2e0b5c22f8d677dc88a455344035f03399034eb3007", "sha256:69b023b2b4daa7548bcfbd4aa3da05b3a74b772db9e23b982788168117739938", + "sha256:6c22bec3fbe2524cde73d7ada88f6566758a8f7227bfbf93a408a9d86bcc12a0", "sha256:704219a11b772aea0d8ecd7058d0082713c3562b4e271b849ad7dc4a5c90c13c", "sha256:7e07cbde391ba96ab58e532ff4803f79c4129397514e1413a7dc761ccd755735", "sha256:81e0b275a9ecc9c0c0c07b4b90ba548307583c125f54d5b6946cfee6360c733d", + "sha256:855fb52b0dc35af121542a76b9a84f8d1cd886ea97c84703eaa6d88e37a2ad28", + "sha256:8d4e9c88387b0f5c7d5f281e55304de64cf7f9c0021a3525bd3b1c542da3b0e4", "sha256:9046c58c4395dff28dd494285c82ba00b546adfc7ef001486fbf0324bc174fba", "sha256:9eb6caa9a297fc2c2fb8862bc5370d0303ddba53ba97e71f08023b6cd73d16a8", "sha256:a0cd17c15d3bb3fa06978b4e8958dcdc6e0174ccea823003a106c7d4d7899ac5", 
@@ -1749,7 +1743,9 @@ "sha256:bfdf460b1736c775f2ba9f6a92bca30bc2095067b8a9d77876d1fad6cc3b4a43", "sha256:c8098ddcc2a85b61647b2590f825f3db38891662cfc2fc776415143f599bb859", "sha256:d2b04aac4d386b172d5b9692e2d2da8de7bfb6c387fa4f801fbf6fb2e6ba4673", + "sha256:d483d2cdf104e7c9fa60c544d92981f12ad66a457afae824d146093b8c294c54", "sha256:d858aa552c999bc8a8d57426ed01e40bef403cd8ccdd0fc5f6f04a00414cac2a", + "sha256:e7d73685e87afe9f3b36c799222440d6cf362062f78be1013661b00c5c6f678b", "sha256:f003ed9ad21d6a4713f0a9b5a7a0a79e08dd0f221aff4525a2be4c346ee60aab", "sha256:f22ac1c3cac4dbc50079e965eba2c1058622631e526bd9afd45fedd49ba781fa", "sha256:faca3bdcf85b2fc05d06ff3fbc1f83e1391b3e724afa3feba7d13eeab355484c", 
@@ -1794,28 +1790,34 @@ }, "scipy": { "hashes": [ - "sha256:08d957ca82d3535b3b9ba6c8ff355d78fe975271874e2af267cb5add5bd78625", - "sha256:249cfa465c379c9bb2c20123001e151ff5e29b351cbb7f9c91587260602c58d0", - "sha256:366a6a937110d80dca4f63b3f5b00cc89d36f678b2d124a01067b154e692bab1", - "sha256:39154437654260a52871dfde852adf1b93b1d1bc5dc0ffa70068f16ec0be2624", - "sha256:396fae3f8c12ad14c5f3eb40499fd06a6fef8393a6baa352a652ecd51e74e029", - "sha256:3b9963798df1d8a52db41a6fc0e6fa65b1c60e85d73da27ae8bb754de4792481", - "sha256:3e8eb42db36526b130dfbc417609498a6192381abc1975b91e3eb238e0b41c1a", - "sha256:512fdc18c65f76dadaca139348e525646d440220d8d05f6d21965b8d4466bccd", - "sha256:aec8c62fbe52914f9cf28d846cf0401dd80ab80788bbab909434eb336ed07c04", - "sha256:b41a0f322b4eb51b078cb3441e950ad661ede490c3aca66edef66f4b37ab1877", - "sha256:b4bb943010203465ac81efa392e4645265077b4d9e99b66cf3ed33ae12254173", - "sha256:b588311875c58d1acd4ef17c983b9f1ab5391755a47c3d70b6bd503a45bfaf71", - "sha256:ba94eeef3c9caa4cea7b402a35bb02a5714ee1ee77eb98aca1eed4543beb0f4c", - "sha256:be8c962a821957fdde8c4044efdab7a140c13294997a407eaee777acf63cbf0c", - "sha256:cce154372f0ebe88556ed06d7b196e9c2e0c13080ecb58d0f35062dc7cc28b47", - "sha256:d51565560565a0307ed06fa0ec4c6f21ff094947d4844d6068ed04400c72d0c3", - "sha256:e866514bc2d660608447b6ba95c8900d591f2865c07cca0aa4f7ff3c4ca70f30", - "sha256:fb5b492fa035334fd249f0973cc79ecad8b09c604b42a127a677b45a9a3d4289", - "sha256:ffb28e3fa31b9c376d0fb1f74c1f13911c8c154a760312fbee87a21eb21efe31" + "sha256:0f3261f14b767b316d7137c66cc4f33a80ea05841b9c87ad83a726205b901423", + "sha256:10eb6af2f751aa3424762948e5352f707b0dece77288206f227864ddf675aca0", + "sha256:1342ca385c673208f32472830c10110a9dcd053cf0c4b7d4cd7026d0335a6c1d", + "sha256:214cdf04bbae7a54784f8431f976704ed607c4bc69ba0d5d5d6a9df84374df76", + "sha256:2b997a5369e2d30c97995dcb29d638701f8000d04df01b8e947f206e5d0ac788", + "sha256:2c91cf049ffb5575917f2a01da1da082fd24ed48120d08a6e7297dfcac771dcd", + 
"sha256:3aeb87661de987f8ec56fa6950863994cd427209158255a389fc5aea51fa7055", + "sha256:4447ad057d7597476f9862ecbd9285bbf13ba9d73ce25acfa4e4b11c6801b4c9", + "sha256:542a757e2a6ec409e71df3d8fd20127afbbacb1c07990cb23c5870c13953d899", + "sha256:8d9886f44ef8c9e776cb7527fb01455bf4f4a46c455c4682edc2c2cc8cd78562", + "sha256:90d3b1364e751d8214e325c371f0ee0dd38419268bf4888b2ae1040a6b266b2a", + "sha256:95763fbda1206bec41157582bea482f50eb3702c85fffcf6d24394b071c0e87a", + "sha256:ac74b1512d38718fb6a491c439aa7b3605b96b1ed3be6599c17d49d6c60fca18", + "sha256:afdb0d983f6135d50770dd979df50bf1c7f58b5b33e0eb8cf5c73c70600eae1d", + "sha256:b0620240ef445b5ddde52460e6bc3483b7c9c750275369379e5f609a1050911c", + "sha256:b133f237bd8ba73bad51bc12eb4f2d84cbec999753bf25ba58235e9fc2096d80", + "sha256:b29318a5e39bd200ca4381d80b065cdf3076c7d7281c5e36569e99273867f61d", + "sha256:b8425fa963a32936c9773ee3ce44a765d8ff67eed5f4ac81dc1e4a819a238ee9", + "sha256:d2b813bfbe8dec6a75164523de650bad41f4405d35b0fa24c2c28ae07fcefb20", + "sha256:d690e1ca993c8f7ede6d22e5637541217fc6a4d3f78b3672a6fe454dbb7eb9a7", + "sha256:e367904a0fec76433bf3fbf3e85bf60dae8e9e585ffd21898ab1085a29a04d16", + "sha256:ea932570b1c2a30edafca922345854ff2cd20d43cd9123b6dacfdecebfc1a80b", + "sha256:f28f1f6cfeb48339c192efc6275749b2a25a7e49c4d8369a28b6591da02fbc9a", + "sha256:f73102f769ee06041a3aa26b5841359b1a93cc364ce45609657751795e8f4a4a", + "sha256:fa4909c6c20c3d91480533cddbc0e7c6d849e7d9ded692918c76ce5964997898" ], "markers": "python_version < '3.13' and python_version >= '3.9'", - "version": "==1.11.1" + "version": "==1.11.2" }, "setuptools": { "hashes": [ @@ -1880,7 +1882,7 @@ "sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc", "sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f" ], - "markers": "python_version >= '3.7'", + "markers": "python_version < '3.11'", "version": "==2.0.1" }, "tornado": { 
@@ -1902,19 +1904,19 @@ }, "types-awscrt": { "hashes": [ - "sha256:0e31d7ba44e1898af37d224b94d28ffaef19baf89bb18ea2599de9ac0910a07f", - "sha256:eaef60422cf716b4ae216f164b74d679c82b0d9c53db380a37deb29ae5579b1b" + "sha256:61833aa140e724a9098025610f4b8cde3dcf65b842631d7447378f9f5db4e1fd", + "sha256:68fffeb75396e9e7614cd930b2d52295f680230774750907bcafb56f11514043" ], "markers": "python_version >= '3.7' and python_version < '4.0'", - "version": "==0.19.0" + "version": "==0.19.1" }, "types-pymysql": { "hashes": [ - "sha256:cbd0c123a8116f7b99970a7c663399bb3b4bb9d97b8f843909c5cc27abea064f", - "sha256:e350c8920455eb5cb3f8a65fd95a1350340e396f6f1451f0fe1d035240929969" + "sha256:72bdaecb88de4a30bc3e1842e1d4522ceb3c4b2e883a6a2a7a7162775dd27b93", + "sha256:9aec9ee0453314d477ef26e5832b4a992bc4cc3557358d62b0fe4af760a7728f" ], "index": "pypi", - "version": "==1.1.0.0" + "version": "==1.1.0.1" }, "types-pyopenssl": { "hashes": [ @@ -1925,11 +1927,11 @@ }, "types-python-dateutil": { "hashes": [ - "sha256:09a0275f95ee31ce68196710ed2c3d1b9dc42e0b61cc43acc369a42cb939134f", - "sha256:0b0e7c68e7043b0354b26a1e0225cb1baea7abb1b324d02b50e2d08f1221043f" + "sha256:1f4f10ac98bb8b16ade9dbee3518d9ace017821d94b057a425b069f834737f4b", + "sha256:f977b8de27787639986b4e28963263fd0e5158942b3ecef91b9335c130cb1ce9" ], "index": "pypi", - "version": "==2.8.19.13" + "version": "==2.8.19.14" }, "types-pytz": { "hashes": [ 
@@ -1940,27 +1942,27 @@ }, "types-pyyaml": { "hashes": [ - "sha256:662fa444963eff9b68120d70cda1af5a5f2aa57900003c2006d7626450eaae5f", - "sha256:ebab3d0700b946553724ae6ca636ea932c1b0868701d4af121630e78d695fc97" + "sha256:7d340b19ca28cddfdba438ee638cd4084bde213e501a3978738543e27094775b", + "sha256:a461508f3096d1d5810ec5ab95d7eeecb651f3a15b71959999988942063bf01d" ], "index": "pypi", - "version": "==6.0.12.10" + "version": "==6.0.12.11" }, "types-redis": { "hashes": [ - "sha256:a98f3386f44d045057696f3efc8869c53dda0060610e0fe3d8a4d391e2a8916a", - "sha256:d0efcd96f65fd2036437c29d8c12566cfdc549345d73eddacb0488b81aff9f9e" + "sha256:7865a843802937ab2ddca33579c4e255bfe73f87af85824ead7a6729ba92fc52", + "sha256:e0e9dcc530623db3a41ec058ccefdcd5c7582557f02ab5f7aa9a27fe10a78d7e" ], "index": "pypi", - "version": "==4.6.0.2" + "version": "==4.6.0.6" }, "types-requests": { "hashes": [ - "sha256:3de667cffa123ce698591de0ad7db034a5317457a596eb0b4944e5a9d9e8d1ac", - "sha256:afb06ef8f25ba83d59a1d424bd7a5a939082f94b94e90ab5e6116bd2559deaa3" + "sha256:56d181c85b5925cbc59f4489a57e72a8b2166f18273fd8ba7b6fe0c0b986f12a", + "sha256:6aa3f7faf0ea52d728bb18c0a0d1522d9bfd8c72d26ff6f61bfc3d06a411cf40" ], "index": "pypi", - "version": "==2.31.0.1" + "version": "==2.31.0.2" }, "types-s3transfer": { "hashes": [ @@ -1972,11 +1974,11 @@ }, "types-urllib3": { "hashes": [ - "sha256:3300538c9dc11dad32eae4827ac313f5d986b8b21494801f1bf97a1ac6c03ae5", - "sha256:5dbd1d2bef14efee43f5318b5d36d805a489f6600252bb53626d4bfafd95e27c" + "sha256:229b7f577c951b8c1b92c1bc2b2fdb0b49847bd2af6d1cc2a2e3dd340f3bda8f", + "sha256:9683bbb7fb72e32bfe9d2be6e04875fbe1b3eeec3cbb4ea231435aa7fd6b4f0e" ], "index": "pypi", - "version": "==1.26.25.13" + "version": "==1.26.25.14" }, "typing-extensions": { "hashes": [ 
@@ -2019,10 +2021,10 @@ }, "uwsgi": { "hashes": [ - "sha256:35a30d83791329429bc04fe44183ce4ab512fcf6968070a7bfba42fc5a0552a9" + "sha256:4cc4727258671ac5fa17ab422155e9aaef8a2008ebb86e4404b66deaae965db2" ], "index": "pypi", - "version": "==2.0.21" + "version": "==2.0.22" }, "uwsgitop": { "hashes": [ diff --git a/deploy/commands/management/commands/load_hook_strategy.py b/deploy/commands/management/commands/load_hook_strategy.py index 3dd4d6fe6..13180b4a6 100644 --- a/deploy/commands/management/commands/load_hook_strategy.py +++ b/deploy/commands/management/commands/load_hook_strategy.py @@ -3,9 +3,11 @@ from collections import OrderedDict from django.core.management.base import BaseCommand +from django.db.models import Q from dongtai_common.models.hook_strategy import HookStrategy from dongtai_common.models.hook_type import HookType +from dongtai_common.models.sensitive_info import IastSensitiveInfoRule from dongtai_common.models.strategy import IastStrategyModel from dongtai_common.utils.validate import save_hook_stratefile_sha1sum from dongtai_conf.settings import BASE_DIR @@ -23,6 +25,9 @@ def handle(self, *args, **options): POLICY_DIR = os.path.join(BASE_DIR, "static/data/") with open(os.path.join(POLICY_DIR, "vul_strategy.json")) as fp: full_strategies = json.load(fp, object_pairs_hook=OrderedDict) + if os.path.exists(os.path.join(POLICY_DIR, "sensitive_info_strategy.json")): + with open(os.path.exists(os.path.join(POLICY_DIR, "sensitive_info_strategy.json"))) as fp: + full_strategies.extend(json.load(fp, object_pairs_hook=OrderedDict)) strategy_dict = {} for strategy in full_strategies: if IastStrategyModel.objects.filter( 
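Review bot: The inner `open()` in the added block receives the result of `os.path.exists(...)` instead of the path, so when `sensitive_info_strategy.json` is present it tries to open `True` (a bool, i.e. file descriptor 1) rather than the file. The guard on the line above already checks existence; the call should be `with open(os.path.join(POLICY_DIR, "sensitive_info_strategy.json")) as fp:`. Binding the joined path to a local once, as the later `sensitive_info_rule.json` block in this diff does, avoids repeating the join three times. handle() continues outside the hunk.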
@@ -110,7 +115,6 @@ def handle(self, *args, **options): hooktype_obj.save() hooktype_dict[f"{hook_type['value']}-{hook_type['type']}"] = hooktype_obj - HookStrategy.objects.filter(language_id=v, system_type=1).delete() with open(os.path.join(POLICY_DIR, f"{k.lower()}_full_policy.json")) as fp: full_policy = json.load(fp, object_pairs_hook=OrderedDict) for policy in full_policy: @@ -119,6 +123,21 @@ def handle(self, *args, **options): continue policy_strategy = strategy_dict[policy["value"]] for hook_strategy in policy["details"]: + if HookStrategy.objects.filter( + value=hook_strategy["value"], type=hook_strategy["type"], language_id=v, system_type=1 + ).exists(): + # 如果已经存在规则,跳过创建 + continue + if HookStrategy.objects.filter( + value=hook_strategy["value"], type=hook_strategy["type"], language_id=v, system_type=0 + ): + # 如果已经存在用户自定义规则,设置为系统规则,跳过创建 + hook_strategy_obj = HookStrategy.objects.filter( + value=hook_strategy["value"], type=hook_strategy["type"], language_id=v, system_type=0 + ).get() + hook_strategy_obj.system_type = 1 + hook_strategy_obj.save() + continue del hook_strategy["language"] hook_strategy["language_id"] = v HookStrategy.objects.create(strategy=policy_strategy, **hook_strategy) 
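Review bot: In the user-defined-rule branch the queryset is evaluated once for truthiness, then rebuilt and `.get()` is called, which raises `MultipleObjectsReturned` if more than one custom rule shares value/type/language and aborts the whole load on that data. A single `existing = HookStrategy.objects.filter(value=..., type=..., language_id=v, system_type=0).first()` followed by `if existing:` issues one query and tolerates duplicates; the identical block is repeated in the next hunk (the hooktype loop) and could become a small helper. The `HookStrategy.objects.filter(language_id=v, system_type=1).delete()` removed in the first hunk on this line was what pruned stale system rules, so rules dropped from the policy file now stay in the database — possibly intended, but worth a comment at the deletion site. handle() starts and ends outside the hunk.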
@@ -127,8 +146,49 @@ def handle(self, *args, **options): continue policy_hook_type = hooktype_dict[f"{policy['value']}-{policy['type']}"] for hook_strategy in policy["details"]: + if HookStrategy.objects.filter( + value=hook_strategy["value"], type=hook_strategy["type"], language_id=v, system_type=1 + ).exists(): + # 如果已经存在规则,跳过创建 + continue + if HookStrategy.objects.filter( + value=hook_strategy["value"], type=hook_strategy["type"], language_id=v, system_type=0 + ): + # 如果已经存在用户自定义规则,设置为系统规则,跳过创建 + hook_strategy_obj = HookStrategy.objects.filter( + value=hook_strategy["value"], type=hook_strategy["type"], language_id=v, system_type=0 + ).get() + hook_strategy_obj.system_type = 1 + hook_strategy_obj.save() + continue del hook_strategy["language"] hook_strategy["language_id"] = v HookStrategy.objects.create(hooktype=policy_hook_type, **hook_strategy) save_hook_stratefile_sha1sum() + + sensitive_info_rule = [] + if os.path.exists(os.path.join(POLICY_DIR, "sensitive_info_rule.json")): + with open(os.path.join(POLICY_DIR, "sensitive_info_rule.json")) as fp: + sensitive_info_rule = json.load(fp, object_pairs_hook=OrderedDict) + sensitive_info_rule_ids = [] + for rule in sensitive_info_rule: + if rule["strategy"] not in strategy_dict: + continue + strategy = strategy_dict[rule["strategy"]] + exist_rule = IastSensitiveInfoRule.objects.filter( + strategy=strategy, pattern_type_id=rule["pattern_type"], pattern=rule["pattern"], system_type=1 + ).first() + if exist_rule: + sensitive_info_rule_ids.append(exist_rule.pk) + else: + obj = IastSensitiveInfoRule.objects.create( + user_id=1, + strategy=strategy, + pattern_type_id=rule["pattern_type"], + pattern=rule["pattern"], + status=1, + system_type=1, + ) + sensitive_info_rule_ids.append(obj.pk) + IastSensitiveInfoRule.objects.filter(~Q(id__in=sensitive_info_rule_ids), system_type=1).delete() self.stdout.write(self.style.SUCCESS("Successfully load strategy .")) 
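Review bot: The closing `IastSensitiveInfoRule.objects.filter(~Q(id__in=sensitive_info_rule_ids), system_type=1).delete()` runs unconditionally, so when `sensitive_info_rule.json` is absent the id list is empty and every existing system-type sensitive-info rule is deleted; guard the delete with the same existence check used for the read, or skip it when `sensitive_info_rule` is empty. `user_id=1` is hard-coded as the owner of created rules, which assumes that account exists — a named module constant with a comment would make the assumption visible. The duplicated exists/`.get()` block at the top of this hunk has the problem raised on the previous hunk. handle() starts outside the hunk.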
diff --git a/deploy/commands/management/commands/unlock_user.py b/deploy/commands/management/commands/unlock_user.py new file mode 100644 index 000000000..c00ea6c5a --- /dev/null +++ b/deploy/commands/management/commands/unlock_user.py @@ -0,0 +1,16 @@ +from django.core.management.base import BaseCommand + +from dongtai_common.models.user import User + + +class Command(BaseCommand): + help = "scripts to unlock user" + functions = [] + + def add_arguments(self, parser): + parser.add_argument("id", nargs="*", default=[], type=int) + + def handle(self, *args, **options): + users = User.objects.filter(pk__in=options["id"]).all() if options["id"] else User.objects.all() + users.update(failed_login_count=0) + self.stdout.write(self.style.SUCCESS("Successfully Unlock Users")) diff --git a/deploy/kubernetes/helm/templates/_helpers.tpl b/deploy/kubernetes/helm/templates/_helpers.tpl index ab1232419..5ecea3fda 100644 --- a/deploy/kubernetes/helm/templates/_helpers.tpl +++ b/deploy/kubernetes/helm/templates/_helpers.tpl @@ -150,7 +150,7 @@ initContainers: {{- define "deploy.initContainers" -}} initContainers: - - image: {{ .Values.images }}/dongtai-logrotate:{{ .Values.tag }} + - image: {{ .Values.images }}/dongtai-server:{{ .Values.tag }} command: - sh - -c @@ -247,7 +247,7 @@ Create the name of the service account to use [security] csrf_trust_origins ={{.Values.csrfTrustOrigins}} - secret_key ={{.Values.secretKey}} + secret_key ={{ randAlphaNum 50 }} [smtp] server ={{.Values.smtp.server}} 
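Review bot: `handle()` falls back to `User.objects.all()` when no ids are given, so running `unlock_user` with no arguments silently resets `failed_login_count` for every account; requiring an explicit `--all` flag, or at least reporting how many users were updated, would make the mass action deliberate. `failed_login_time` (added in migration 0013 in this diff) is not reset here — fine if only the count gates lockout, but a one-line comment saying so would help. `functions = []` is unused and can go.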
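Review bot: `secret_key ={{ randAlphaNum 50 }}` is evaluated on every template render, so each `helm upgrade` rotates the Django SECRET_KEY and invalidates every session, signed cookie and signed token issued before the upgrade; and if `deploy.config` is included into more than one manifest (the new update job in this diff includes it, and presumably the deployments do too), each inclusion gets a different key within the same release. The usual pattern is to generate the value once into a Secret and reuse it via `lookup`, or keep a `.Values.secretKey` override (removed from values.yaml in this diff) with the random value only as the fallback. Removing the hard-coded default was right; the replacement just needs to be stable across renders.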
@@ -345,6 +345,17 @@ Create the name of the service account to use location /log/ { proxy_pass http://dongtai-logstash-svc:8082/; } + {{- if .Values.max }} + location /dongtai_doc/ { + proxy_pass http://dongtai-doc-svc/; + proxy_set_header X-Scheme $scheme; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-real-ip $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header User-Agent $http_user_agent; + proxy_set_header X-Host $http_x_forwarded_host; + } + {{- end }} location = /50x.html { root /usr/share/nginx/html; } diff --git a/deploy/kubernetes/helm/templates/deployments/dongtai-doc.yaml b/deploy/kubernetes/helm/templates/deployments/dongtai-doc.yaml new file mode 100644 index 000000000..fb31d51c5 --- /dev/null +++ b/deploy/kubernetes/helm/templates/deployments/dongtai-doc.yaml @@ -0,0 +1,43 @@ +{{- if .Values.max }} +--- +# dongtai-doc服务 +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "dongtai.fullname" . }}-doc + namespace: {{.Release.Namespace}} + annotations: + kubesphere.io/description: {{ template "dongtai.fullname" . }}-doc + labels: + app: {{ template "dongtai.fullname" . }}-doc + {{- include "dongtai.labels" . | nindent 4 }} +spec: + replicas: {{.Values.replicaCount}} + selector: + matchLabels: + app: {{ template "dongtai.fullname" . }}-doc + {{- include "dongtai.labels" . | nindent 6 }} + template: + metadata: + annotations: + doc_number: {{.Values.build.server_number}} + labels: + app: {{ template "dongtai.fullname" . }}-doc + {{- include "dongtai.labels" . | nindent 8 }} + spec: +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + containers: + - name: {{ template "dongtai.fullname" . }}-doc-container + image: {{ .Values.images }}/dongtai-doc:{{ .Values.tag }} + imagePullPolicy: Always + resources: + limits: + cpu: 500m + memory: 500Mi + requests: + cpu: 500m + memory: 500Mi +{{- end }} \ No newline at end of file 
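Review bot: The doc container defines no readiness or liveness probe, so the `dongtai-doc-svc` Service added in this diff sends traffic to the pod as soon as it is scheduled and never removes a hung one; an `httpGet` probe on port 80 is enough here. The deployment also reuses `.Values.replicaCount` for a static docs server, which may be more replicas than intended — a dedicated value or a comment would clarify.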
diff --git a/deploy/kubernetes/helm/templates/job/dongtai_update.yaml b/deploy/kubernetes/helm/templates/job/dongtai_update.yaml new file mode 100644 index 000000000..01b94945d --- /dev/null +++ b/deploy/kubernetes/helm/templates/job/dongtai_update.yaml @@ -0,0 +1,38 @@ +{{- if .Values.migrate }} +--- +# dongtai-update服务 +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "dongtai.fullname" . }}-update-{{ randNumeric 10 }} + namespace: {{.Release.Namespace}} + annotations: + {{- if not .Values.develop.dev }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- end }} + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "-5" + kubesphere.io/description: {{ template "dongtai.fullname" . }}-update + labels: + app: {{ template "dongtai.fullname" . }}-update + {{- include "dongtai.labels" . | nindent 4 }} +spec: + template: + metadata: + labels: + app: {{ template "dongtai.fullname" . }}-update + {{- include "dongtai.labels" . | nindent 8 }} + spec: + restartPolicy: Never +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + containers: + - name: {{ template "dongtai.fullname" . }}-update-container + image: {{ .Values.images }}/dongtai-server:{{ .Values.tag }} + command: [ "/bin/sh","/opt/dongtai/deploy/docker/entrypoint.sh" ] + args: [ "migrate" ] + {{- include "deploy.config" . | nindent 10 }} + {{- include "deploy.config.vo" . | nindent 6 }} +{{- end }} \ No newline at end of file diff --git a/deploy/kubernetes/helm/templates/service/dongtai-doc.yaml b/deploy/kubernetes/helm/templates/service/dongtai-doc.yaml new file mode 100644 index 000000000..799890cc9 --- /dev/null +++ b/deploy/kubernetes/helm/templates/service/dongtai-doc.yaml 
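Review bot: The Job name includes `{{ randNumeric 10 }}`, so `"helm.sh/hook-delete-policy": before-hook-creation` can never match the previous run (the name differs every time) and only `hook-succeeded` cleans up; a failed migration Job is left behind on every upgrade and accumulates. Either drop the random suffix (a fixed hook name is what `before-hook-creation` is designed for) or keep it and add `ttlSecondsAfterFinished`. No `backoffLimit` is set, so a failing migrate pod is retried with the Kubernetes default; state the intended retry count explicitly.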
@@ -0,0 +1,17 @@ +{{- if .Values.max }} +--- +apiVersion: v1 +kind: Service +metadata: + name: dongtai-doc-svc + namespace: {{.Release.Namespace}} +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + selector: + app: {{ template "dongtai.fullname" . }}-doc + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/deploy/kubernetes/helm/values.yaml b/deploy/kubernetes/helm/values.yaml index 394967028..aa61d0066 100644 --- a/deploy/kubernetes/helm/values.yaml +++ b/deploy/kubernetes/helm/values.yaml @@ -17,6 +17,7 @@ logging_level: INFO # DEBUG, INFO somaxconn: null #If system max net.core.somaxconn (128) . Example: somaxconn: 4096 healthcheck: true logstash: "true" +migrate: true nodeSelector: kubernetes.io/os: linux @@ -54,7 +55,6 @@ storage: persistentVolumeClaim: iast-agent-pvc # or null(The agent needs to close the reporting log function 'dongtai.log.disable-collector: false') csrfTrustOrigins: .example.com -secretKey: vbjlvbxfvazjfprywuxgyclmvhtmselddsefxxlcixovmqfpgy smtp: server: smtp_server diff --git a/dongtai_common/common/utils/__init__.py b/dongtai_common/common/utils/__init__.py index 78703b80e..78f313491 100644 --- a/dongtai_common/common/utils/__init__.py +++ b/dongtai_common/common/utils/__init__.py 
@@ -159,3 +159,38 @@ def authenticate(self, request): return None token = auth.lower().replace(self.keyword.lower().encode(), b"", 1).decode() return self.auth_decodedenticate_credentials(token) + + +@cached_decorator(random_range=(300, 600), use_celery_update=False) +def get_user_from_project_key(key): + from dongtai_common.models.project import IastProject + from dongtai_common.models.user import User + + project = IastProject.objects.get(token=key) + principal = User.objects.filter(pk=project.user_id).first() + user = principal if principal else User.objects.filter(pk=1).first() + user.using_project = project + return user + + +class ProjectTokenAuthentication(TokenAuthentication): + keyword = "Token PROJECT" + model = None + + def auth_decodedenticate_credentials(self, key): + from rest_framework import exceptions + + from dongtai_common.models.project import IastProject + + try: + user = get_user_from_project_key(key) + except IastProject.DoesNotExist as e: + raise exceptions.AuthenticationFailed(_("Invalid token.")) from e + return (user, key) + + def authenticate(self, request): + auth = get_authorization_header(request) + if not auth or not auth.lower().startswith(self.keyword.lower().encode()): + return None + token = auth[13:].decode() + return self.auth_decodedenticate_credentials(token) diff --git a/dongtai_common/endpoint/__init__.py b/dongtai_common/endpoint/__init__.py index 217b14cf9..253e41ca2 100644 --- a/dongtai_common/endpoint/__init__.py +++ b/dongtai_common/endpoint/__init__.py @@ -6,7 +6,6 @@ from operator import ior from typing import TYPE_CHECKING -from django.contrib.auth import logout from django.core.paginator import EmptyPage, Paginator from django.db.models import Count from django.http import JsonResponse 
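Review bot: `get_user_from_project_key` substitutes `User.objects.filter(pk=1).first()` when the project owner no longer exists, so a project token whose owner was deleted authenticates as user 1 (typically the initial admin) — a silent privilege change; failing authentication, or using a dedicated low-privilege service account, is safer, and `user.using_project = project` raises `AttributeError` if user 1 is also missing. Because the lookup is cached for 300–600 s, a rotated or deleted project token keeps authenticating until the entry expires, and the cached User object (with `using_project` attached) is shared across requests — document the revocation window or invalidate the cache on token changes. In `authenticate`, `auth[13:]` hard-codes `len("Token PROJECT")`; if the header is sent as `Token PROJECT <key>` the slice keeps the leading space, so `auth[len(self.keyword):].strip().decode()` is both robust and self-documenting. Neither path checks `user.is_active`, and the per-request disabled-user check in `EndPoint.dispatch` is removed later in this diff.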
@@ -18,7 +17,10 @@ from rest_framework.exceptions import AuthenticationFailed from rest_framework.views import APIView -from dongtai_common.common.utils import DepartmentTokenAuthentication +from dongtai_common.common.utils import ( + DepartmentTokenAuthentication, + ProjectTokenAuthentication, +) from dongtai_common.models import User from dongtai_common.models.agent import IastAgent from dongtai_common.models.asset import Asset @@ -31,7 +33,6 @@ ) from dongtai_common.utils import const from dongtai_common.utils.init_schema import VIEW_CLASS_TO_SCHEMA -from dongtai_conf import settings if TYPE_CHECKING: from django.core.paginator import _SupportsPagination @@ -96,23 +97,6 @@ def dispatch(self, request, *args, **kwargs): self.request = request self.headers = self.default_response_headers # deprecate? - is_protocol_api = False - try: - if self.request.method is not None: - _path, _path_regex, _schema, filepath = VIEW_CLASS_TO_SCHEMA[self.__class__][self.request.method] - is_protocol_api = "dongtai_protocol" in filepath - except Exception: - pass - - if not is_protocol_api and not request.user.is_active and not request.user.is_anonymous: - logout(request) - request.session.delete() - response = R.failure(msg="用户已经禁用", status_code=403) - request.session.delete() - response.delete_cookie(key=settings.CSRF_COOKIE_NAME, domain=settings.SESSION_COOKIE_DOMAIN) - response.delete_cookie(key="sessionid", domain=settings.SESSION_COOKIE_DOMAIN) - return response - try: self.initial(request, *args, **kwargs) @@ -205,7 +189,7 @@ def parse_args(self, request): @staticmethod def get_paginator( - queryset: "QuerySet | ValuesQuerySet", page: int = 1, page_size: int = 20 + queryset: "QuerySet | ValuesQuerySet", page: int = 1, page_size: int = 20, max_page_size: int = 50 ) -> tuple[dict, "QuerySet | _SupportsPagination"]: """ 根据模型集合、页号、每页大小获取分页数据 
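Review bot: Removing the `is_active` check from `dispatch` means a deactivated user whose session or token still exists is no longer rejected here; unless deactivation now invalidates sessions elsewhere (the `Session` model with a `user` FK added in migration 0012 suggests that direction) or every authentication class checks `is_active` (the new `ProjectTokenAuthentication` does not), disabled accounts keep API access. A short comment at the deletion site naming where that enforcement now lives would let a reviewer confirm it. dispatch() continues outside the hunk.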
@@ -216,7 +200,7 @@ def get_paginator( :param page_size: :return: """ - page_size = min(50, int(page_size)) + page_size = min(max_page_size, int(page_size)) page = int(page) try: page_info = Paginator(queryset, per_page=page_size) @@ -356,7 +340,11 @@ class UserEndPoint(MixinAuthEndPoint): class OpenApiEndPoint(EndPoint): - authentication_classes = (DepartmentTokenAuthentication, TokenAuthentication) + authentication_classes = ( + ProjectTokenAuthentication, + DepartmentTokenAuthentication, + TokenAuthentication, + ) permission_classes = (UserPermission,) diff --git a/dongtai_common/engine/vul_engine.py b/dongtai_common/engine/vul_engine.py index 9b87c6cdd..69ef30ae9 100644 --- a/dongtai_common/engine/vul_engine.py +++ b/dongtai_common/engine/vul_engine.py @@ -1,8 +1,6 @@ #!/usr/bin/env python # datetime: 2021/7/21 下午7:07 -import copy import logging -import sys from collections import defaultdict from django.utils.functional import cached_property @@ -133,7 +131,7 @@ def search(self, method_pool, vul_method_signature, vul_type=None): from functools import reduce from itertools import product - import networkit as nk + import networkx as nk # Gather data source_hash_dict = defaultdict(set) @@ -157,7 +155,7 @@ def search(self, method_pool, vul_method_signature, vul_type=None): ) ] # Build a graph - g = nk.Graph(weighted=True, directed=True) + g = nk.DiGraph(weighted=True, directed=True) for pool in self.method_pool: if "sourceType" in pool: vecs = () 
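Review bot: `nk.DiGraph(weighted=True, directed=True)` — in networkx those keyword arguments are not constructor options, they are stored as graph attributes (`g.graph["weighted"]`), so they suggest configuration that does not exist; `g = nk.DiGraph()` says the same thing, with direction coming from the class and weights from `add_edge(..., weight=...)` in the next hunk. Keeping the alias `nk` now that networkit is gone is confusing; `import networkx as nx` is the conventional name. search() starts and ends outside the hunk.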
@@ -171,20 +169,16 @@ def search(self, method_pool, vul_method_signature, vul_type=None): for s in reduce(lambda x, y: x | y, (target_hash_dict[i] for i in pool["sourceHash"]), set()) ) for source, target in vecs: - g.addEdge(source, target, (source - target) * (source - target), addMissing=True) - # Checkout each pair source/target have a path or not - # It may lost sth when multi paths exists. + # g.addEdge(source, target, (source - target) * (source - target), addMissing=True) + g.add_edge(source, target, weight=(source - target) * (source - target)) final_stack = [] total_path_list = [] for s, t in product(source_methods, vul_methods): - if not g.hasNode(s) or not g.hasNode(t): + if not g.has_node(s) or not g.has_node(t): continue - dij_obj = nk.distance.BidirectionalDijkstra(g, s, t).run() - if dij_obj.getDistance() < sys.float_info.max: - logger.info("find sink here!") - path = dij_obj.getPath() - total_path = [s, *path, t] - # Check taint range exists + if nk.has_path(g, s, t): + path = nk.shortest_path(g, s, t, weight="weight") + total_path = path if ( len(total_path) > 1 and "targetRange" in invokeid_dict[total_path[-2]] @@ -204,7 +198,7 @@ def search(self, method_pool, vul_method_signature, vul_type=None): find_index = None # Merge if path take same node for ind, target_path in enumerate(final_path): - if set(path[1:]) & set(target_path[1:]): + if set(path[1:]) & set(target_path[1:]) and path[-1] == target_path[-1]: find_index = ind break if find_index is not None: @@ -264,7 +258,7 @@ def vul_filter(self): # mark there has a vul # if vul_type has filter, do escape stack_count = len(self.vul_stack) - for index in range(0, stack_count): + for index in range(stack_count): stack = self.vul_stack[index] for item in stack: if item["signature"] == "java.net.URL.": 
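Review bot: `nk.has_path(g, s, t)` followed by `nk.shortest_path(g, s, t, weight="weight")` traverses the graph twice per source/sink pair; wrapping the `shortest_path` call in `try: ... except nk.NetworkXNoPath: continue` does one traversal and is the networkx idiom. The removed comment `# It may lost sth when multi paths exists.` still applies to the new code — only one shortest path per pair is reported — so keep a note to that effect rather than dropping it. search() starts and ends outside the hunk.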
@@ -278,7 +272,7 @@ def vul_filter(self): break vul_source_signature = self.vul_source_signature self.vul_source_signature = None - for index in range(0, stack_count): + for index in range(stack_count): if self.vul_stack[index]: self.vul_source_signature = vul_source_signature else: @@ -286,8 +280,7 @@ def vul_filter(self): @staticmethod def copy_method(method_detail, sink=False, source=False, propagator=False, filter=False): - vul_method_detail = copy.deepcopy(method_detail) - vul_method_detail["originClassName"] = vul_method_detail["originClassName"] + vul_method_detail = method_detail # todo 根据类型进行拼接 if source: vul_method_detail["tag"] = "source" diff --git a/dongtai_common/migrations/0012_session.py b/dongtai_common/migrations/0012_session.py new file mode 100644 index 000000000..552ec17ae --- /dev/null +++ b/dongtai_common/migrations/0012_session.py @@ -0,0 +1,40 @@ +# Generated by Django 3.2.20 on 2023-08-21 17:06 + +import django.db.models.deletion +from django.conf import settings +from django.db import migrations, models + + +class Migration(migrations.Migration): + dependencies = [ + ("dongtai_common", "0011_auto_20230814_1537"), + ] + + operations = [ + migrations.CreateModel( + name="Session", + fields=[ + ( + "session_key", + models.CharField(max_length=40, primary_key=True, serialize=False, verbose_name="session key"), + ), + ("session_data", models.TextField(verbose_name="session data")), + ("expire_date", models.DateTimeField(db_index=True, verbose_name="expire date")), + ( + "user", + models.ForeignKey( + db_constraint=False, + null=True, + on_delete=django.db.models.deletion.DO_NOTHING, + to=settings.AUTH_USER_MODEL, + ), + ), + ], + options={ + "verbose_name": "session", + "verbose_name_plural": "sessions", + "db_table": "iast_session", + "abstract": False, + }, + ), + ] diff --git a/dongtai_common/migrations/0013_auto_20230822_1202.py b/dongtai_common/migrations/0013_auto_20230822_1202.py new file mode 100644 index 000000000..59114450d 
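Review bot: With `vul_method_detail = method_detail` the function no longer copies: the `"tag"` assignments that follow mutate the caller's dict in place, so a method detail that appears in more than one stack, or is passed again with a different flag, carries a stale tag. If the deepcopy was removed for performance, a shallow `dict(method_detail)` keeps the isolation at low cost; otherwise rename the function or document that it mutates its argument. The hunk cuts copy_method's body at both ends.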
--- /dev/null +++ b/dongtai_common/migrations/0013_auto_20230822_1202.py @@ -0,0 +1,23 @@ +# Generated by Django 3.2.20 on 2023-08-22 12:02 + +import django.utils.timezone +from django.db import migrations, models + + +class Migration(migrations.Migration): + dependencies = [ + ("dongtai_common", "0012_session"), + ] + + operations = [ + migrations.AddField( + model_name="user", + name="failed_login_count", + field=models.IntegerField(default=0), + ), + migrations.AddField( + model_name="user", + name="failed_login_time", + field=models.DateTimeField(default=django.utils.timezone.now), + ), + ] diff --git a/dongtai_common/migrations/0014_auto_20230828_1132.py b/dongtai_common/migrations/0014_auto_20230828_1132.py new file mode 100644 index 000000000..254bd63d2 --- /dev/null +++ b/dongtai_common/migrations/0014_auto_20230828_1132.py 
@@ -0,0 +1,72 @@ +# Generated by Django 3.2.20 on 2023-08-28 11:32 + +import django.db.models.deletion +from django.db import migrations, models +from django_add_default_value import AddDefaultValue + + +class Migration(migrations.Migration): + dependencies = [ + ("dongtai_common", "0013_auto_20230822_1202"), + ] + + operations = [ + migrations.CreateModel( + name="VulMethodPool", + fields=[ + ("id", models.BigAutoField(primary_key=True, serialize=False)), + ("method_pool_id", models.IntegerField(default=0)), + ("url", models.CharField(blank=True, max_length=2000)), + ("uri", models.CharField(blank=True, max_length=2000)), + ("http_method", models.CharField(blank=True, max_length=10)), + ("http_scheme", models.CharField(blank=True, max_length=20)), + ("http_protocol", models.CharField(blank=True, max_length=255)), + ("req_header", models.CharField(blank=True, max_length=2000, null=True)), + ("req_params", models.CharField(blank=True, max_length=2000, null=True)), + ("req_data", models.CharField(blank=True, max_length=4000, null=True)), + ("res_header", models.CharField(blank=True, max_length=1000, null=True)), + ("res_body", models.TextField(blank=True, null=True)), + ("req_header_fs", models.TextField(db_column="req_header_for_search")), + ("context_path", models.CharField(blank=True, max_length=255, null=True)), + ("method_pool", models.TextField()), + ("pool_sign", models.CharField(blank=True, max_length=40, unique=True)), + ("clent_ip", models.CharField(blank=True, max_length=255)), + ("create_time", models.IntegerField()), + ("update_time", models.IntegerField()), + ("uri_sha1", models.CharField(blank=True, db_index=True, max_length=40)), + ( + "agent", + models.ForeignKey( + db_constraint=False, + on_delete=django.db.models.deletion.DO_NOTHING, + to="dongtai_common.iastagent", + ), + ), + ( + "vul", + models.ForeignKey( + db_constraint=False, + on_delete=django.db.models.deletion.CASCADE, + to="dongtai_common.iastvulnerabilitymodel", + ), + ), + ], + 
options={ + "db_table": "iast_agent_method_pool_vul", + "managed": True, + }, + ), + migrations.AddIndex( + model_name="vulmethodpool", + index=models.Index(fields=["uri_sha1", "http_method", "agent"], name="iast_agent__uri_sha_c94d8d_idx"), + ), + migrations.AddIndex( + model_name="vulmethodpool", + index=models.Index(fields=["method_pool_id"], name="iast_agent__method__46f7b0_idx"), + ), + migrations.AddIndex( + model_name="vulmethodpool", + index=models.Index(fields=["vul_id", "update_time"], name="iast_agent__vul_id_47b430_idx"), + ), + AddDefaultValue(model_name="vulmethodpool", name="method_pool_id", value=0), + ] diff --git a/dongtai_common/migrations/0015_vul_status.py b/dongtai_common/migrations/0015_vul_status.py new file mode 100644 index 000000000..19f79dba0 --- /dev/null +++ b/dongtai_common/migrations/0015_vul_status.py @@ -0,0 +1,18 @@ +from django.db import migrations + + +def update_vul_status(apps, schema_editor): + # We can't import the Person model directly as it may be a newer + # version than this migration expects. We use the historical version. + IastVulnerabilityStatus = apps.get_model("dongtai_common", "IastVulnerabilityStatus") + IastVulnerabilityStatus(id=7, name="已忽略", name_zh="已忽略", name_en="Ignored").save() + + +class Migration(migrations.Migration): + dependencies = [ + ("dongtai_common", "0014_auto_20230828_1132"), + ] + + operations = [ + migrations.RunPython(update_vul_status), + ] diff --git a/dongtai_common/migrations/0016_auto_20230829_1145.py b/dongtai_common/migrations/0016_auto_20230829_1145.py new file mode 100644 index 000000000..05051936d --- /dev/null +++ b/dongtai_common/migrations/0016_auto_20230829_1145.py 
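Review bot: `migrations.RunPython(update_vul_status)` has no reverse callable, so migrating back past 0015 fails with IrreversibleError; `migrations.RunPython(update_vul_status, migrations.RunPython.noop)` makes the rollback explicit. `IastVulnerabilityStatus(id=7, ...).save()` overwrites whatever row already has id 7, so `update_or_create(id=7, defaults={...})` states the intent and is safe to re-run. The comment `# We can't import the Person model directly` is copied from the Django docs and should name this model.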
@@ -0,0 +1,59 @@ +# Generated by Django 3.2.20 on 2023-08-29 11:45 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + dependencies = [ + ("dongtai_common", "0015_vul_status"), + ] + + operations = [ + migrations.AlterField( + model_name="iastvulnerabilitymodel", + name="bottom_stack", + field=models.CharField(blank=True, default="", max_length=255), + ), + migrations.AlterField( + model_name="iastvulnerabilitymodel", + name="full_stack", + field=models.TextField(blank=True, default=""), + ), + migrations.AlterField( + model_name="iastvulnerabilitymodel", + name="language", + field=models.CharField(blank=True, default="", max_length=10), + ), + migrations.AlterField( + model_name="iastvulnerabilitymodel", + name="param_name", + field=models.CharField(blank=True, default="", max_length=255), + ), + migrations.AlterField( + model_name="iastvulnerabilitymodel", + name="pattern_uri", + field=models.CharField(blank=True, default="", max_length=255), + ), + migrations.AlterField( + model_name="iastvulnerabilitymodel", + name="taint_position", + field=models.CharField(blank=True, default="", max_length=255), + ), + migrations.AlterField( + model_name="iastvulnerabilitymodel", + name="taint_value", + field=models.CharField(blank=True, default="", max_length=4000), + ), + migrations.AlterField( + model_name="iastvulnerabilitymodel", + name="top_stack", + field=models.CharField(blank=True, default="", max_length=255), + ), + migrations.AddIndex( + model_name="iastvulnerabilitymodel", + index=models.Index( + fields=["http_method", "param_name", "pattern_uri", "project_id", "status_id", "strategy_id"], + name="iast_vulner_http_me_f84d4f_idx", + ), + ), + ] diff --git a/dongtai_common/migrations/0017_alter_vulmethodpool_pool_sign.py b/dongtai_common/migrations/0017_alter_vulmethodpool_pool_sign.py new file mode 100644 index 000000000..c817b0a33 --- /dev/null +++ b/dongtai_common/migrations/0017_alter_vulmethodpool_pool_sign.py 
@@ -0,0 +1,17 @@ +# Generated by Django 3.2.20 on 2023-08-29 14:57 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + dependencies = [ + ("dongtai_common", "0016_auto_20230829_1145"), + ] + + operations = [ + migrations.AlterField( + model_name="vulmethodpool", + name="pool_sign", + field=models.CharField(blank=True, max_length=40), + ), + ] diff --git a/dongtai_common/migrations/0018_auto_20230830_1105.py b/dongtai_common/migrations/0018_auto_20230830_1105.py new file mode 100644 index 000000000..c40b6e472 --- /dev/null +++ b/dongtai_common/migrations/0018_auto_20230830_1105.py @@ -0,0 +1,29 @@ +# Generated by Django 3.2.20 on 2023-08-30 11:05 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + dependencies = [ + ("dongtai_common", "0017_alter_vulmethodpool_pool_sign"), + ] + + operations = [ + migrations.CreateModel( + name="IastPackageFocus", + fields=[ + ("id", models.BigAutoField(primary_key=True, serialize=False)), + ("language_id", models.IntegerField()), + ("package_name", models.CharField(max_length=255)), + ("package_version", models.CharField(blank=True, default="", max_length=255)), + ], + options={ + "db_table": "iast_package_focus", + }, + ), + migrations.AddField( + model_name="assetv2global", + name="is_focus", + field=models.BooleanField(default=False), + ), + ] diff --git a/dongtai_common/migrations/0019_assetv2global_iast_asset__is_focu_31e975_idx.py b/dongtai_common/migrations/0019_assetv2global_iast_asset__is_focu_31e975_idx.py new file mode 100644 index 000000000..537e6c12f --- /dev/null +++ b/dongtai_common/migrations/0019_assetv2global_iast_asset__is_focu_31e975_idx.py 
@@ -0,0 +1,18 @@ +# Generated by Django 3.2.20 on 2023-08-30 16:10 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + dependencies = [ + ("dongtai_common", "0018_auto_20230830_1105"), + ] + + operations = [ + migrations.AddIndex( + model_name="assetv2global", + index=models.Index( + fields=["is_focus", "vul_count", "aql", "level", "language_id"], name="iast_asset__is_focu_31e975_idx" + ), + ), + ] diff --git a/dongtai_common/migrations/0020_iastagentrequestchainstopograph_iastagentrequestchainstopographvec_iastagentrequestchainstotalprojec.py b/dongtai_common/migrations/0020_iastagentrequestchainstopograph_iastagentrequestchainstopographvec_iastagentrequestchainstotalprojec.py new file mode 100644 index 000000000..51fa6e73d --- /dev/null +++ b/dongtai_common/migrations/0020_iastagentrequestchainstopograph_iastagentrequestchainstopographvec_iastagentrequestchainstotalprojec.py 
@@ -0,0 +1,180 @@ +# Generated by Django 3.2.20 on 2023-09-01 16:41 + +import django.db.models.deletion +from django.db import migrations, models + + +class Migration(migrations.Migration): + dependencies = [ + ("dongtai_common", "0019_assetv2global_iast_asset__is_focu_31e975_idx"), + ] + + operations = [ + migrations.CreateModel( + name="IastAgentRequestChainsTopoGraph", + fields=[ + ("id", models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name="ID")), + ("graph_hash", models.CharField(blank=True, max_length=255, unique=True)), + ("dot_string", models.TextField()), + ("max_depth", models.IntegerField()), + ( + "start_project", + models.ForeignKey( + blank=True, + db_constraint=False, + default=-1, + on_delete=django.db.models.deletion.DO_NOTHING, + to="dongtai_common.iastproject", + ), + ), + ( + "start_project_version", + models.ForeignKey( + blank=True, + db_constraint=False, + default=-1, + on_delete=django.db.models.deletion.DO_NOTHING, + to="dongtai_common.iastprojectversion", + ), + ), + ], + options={ + "db_table": "iast_request_chains_topo_graph", + "managed": True, + }, + ), + migrations.CreateModel( + name="IastAgentRequestChainsTopoGraphVec", + fields=[ + ("id", models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name="ID")), + ("level_id", models.IntegerField()), + ("source_node_tag", models.CharField(blank=True, max_length=255)), + ("target_node_tag", models.CharField(blank=True, max_length=255)), + ( + "graph_hash", + models.ForeignKey( + blank=True, + db_constraint=False, + max_length=255, + on_delete=django.db.models.deletion.CASCADE, + to="dongtai_common.iastagentrequestchainstopograph", + to_field="graph_hash", + ), + ), + ( + "source_project", + models.ForeignKey( + blank=True, + db_constraint=False, + default=-1, + on_delete=django.db.models.deletion.DO_NOTHING, + related_name="source_project", + to="dongtai_common.iastproject", + ), + ), + ( + "source_project_version", + 
models.ForeignKey( + blank=True, + db_constraint=False, + default=-1, + on_delete=django.db.models.deletion.DO_NOTHING, + related_name="source_project_version", + to="dongtai_common.iastprojectversion", + ), + ), + ( + "target_project", + models.ForeignKey( + blank=True, + db_constraint=False, + default=-1, + on_delete=django.db.models.deletion.DO_NOTHING, + related_name="target_project", + to="dongtai_common.iastproject", + ), + ), + ( + "target_project_version", + models.ForeignKey( + blank=True, + db_constraint=False, + default=-1, + on_delete=django.db.models.deletion.DO_NOTHING, + related_name="target_project_version", + to="dongtai_common.iastprojectversion", + ), + ), + ], + options={ + "db_table": "iast_request_chains_topo_graph_vecs", + "managed": True, + }, + ), + migrations.CreateModel( + name="IastAgentRequestChainsTotalProjectVersionGraphVec", + fields=[ + ("id", models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name="ID")), + ( + "source_project_version", + models.ForeignKey( + blank=True, + db_constraint=False, + default=-1, + on_delete=django.db.models.deletion.DO_NOTHING, + related_name="total_source_project_version", + to="dongtai_common.iastprojectversion", + ), + ), + ( + "target_project_version", + models.ForeignKey( + blank=True, + db_constraint=False, + default=-1, + on_delete=django.db.models.deletion.DO_NOTHING, + related_name="total_target_project_version", + to="dongtai_common.iastprojectversion", + ), + ), + ], + options={ + "db_table": "iast_request_chains_total_project_version_graph_vec", + "managed": True, + "unique_together": {("source_project_version", "target_project_version")}, + }, + ), + migrations.CreateModel( + name="IastAgentRequestChainsTotalProjectGraphVec", + fields=[ + ("id", models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name="ID")), + ( + "source_project", + models.ForeignKey( + blank=True, + db_constraint=False, + default=-1, + 
on_delete=django.db.models.deletion.DO_NOTHING, + related_name="total_source_project", + to="dongtai_common.iastproject", + ), + ), + ( + "target_project", + models.ForeignKey( + blank=True, + db_constraint=False, + default=-1, + on_delete=django.db.models.deletion.DO_NOTHING, + related_name="total_target_project", + to="dongtai_common.iastproject", + ), + ), + ], + options={ + "db_table": "iast_request_chains_total_project_graph_vec", + "managed": True, + "unique_together": {("source_project", "target_project")}, + }, + ), + ] diff --git a/dongtai_common/migrations/0021_iastwebhooklog.py b/dongtai_common/migrations/0021_iastwebhooklog.py new file mode 100644 index 000000000..c8528c0ed --- /dev/null +++ b/dongtai_common/migrations/0021_iastwebhooklog.py @@ -0,0 +1,28 @@ +# Generated by Django 3.2.20 on 2023-09-04 16:12 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + dependencies = [ + ( + "dongtai_common", + "0020_iastagentrequestchainstopograph_iastagentrequestchainstopographvec_iastagentrequestchainstotalprojec", + ), + ] + + operations = [ + migrations.CreateModel( + name="IastWebHookLog", + fields=[ + ("id", models.BigAutoField(primary_key=True, serialize=False)), + ("event_type", models.CharField(max_length=255)), + ("body", models.JSONField()), + ("create_time", models.IntegerField()), + ], + options={ + "db_table": "iast_webhook_log", + "managed": True, + }, + ), + ] diff --git a/dongtai_common/migrations/0022_iastproject_token.py b/dongtai_common/migrations/0022_iastproject_token.py new file mode 100644 index 000000000..20083d2e7 --- /dev/null +++ b/dongtai_common/migrations/0022_iastproject_token.py 
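Review bot: `IastAgentRequestChainsTopoGraphVec.graph_hash` is declared with `max_length=255` on a `ForeignKey`; Django accepts the kwarg on any `Field`, but a FK's column type is copied from the target `graph_hash` CharField, so the argument is dead and should be dropped rather than left to suggest it does something. Every relation in this hunk is `db_constraint=False`, and the `graph_hash` one combines that with `on_delete=CASCADE`, so cascades and referential integrity exist only for deletes that go through the ORM; a raw or bulk `DELETE` on `iast_request_chains_topo_graph` leaves `_vecs` rows keyed to a hash that no longer resolves. If that is the intended trade-off (it matches the `default=-1` sentinel style used on the other FKs), a one-line comment on the model saying so would stop the next reader from adding the constraint back.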
@@ -0,0 +1,36 @@
+# Generated by Django 3.2.20 on 2023-09-11 14:16
+
+import shortuuid.django_fields
+from django.db import migrations
+from shortuuid import ShortUUID
+
+
+def update_exist_project_token(apps, schema_editor):
+ IastProject = apps.get_model("dongtai_common", "IastProject")
+ objs_list = []
+ for project in IastProject.objects.all():
+ project.token = ShortUUID(alphabet="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789").random(
+ length=22
+ )
+ objs_list.append(project)
+ IastProject.objects.bulk_update(objs_list, ["token"])
+
+
+class Migration(migrations.Migration):
+ dependencies = [
+ ("dongtai_common", "0021_iastwebhooklog"),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name="iastproject",
+ name="token",
+ field=shortuuid.django_fields.ShortUUIDField(
+ alphabet="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
+ length=22,
+ max_length=22,
+ prefix="",
+ ),
+ ),
+ migrations.RunPython(update_exist_project_token),
+ ]
diff --git a/dongtai_common/migrations/0023_auto_20230912_1211.py b/dongtai_common/migrations/0023_auto_20230912_1211.py
new file mode 100644
index 000000000..c330dfd3e
--- /dev/null
+++ b/dongtai_common/migrations/0023_auto_20230912_1211.py
@@ -0,0 +1,17 @@
+# Generated by Django 3.2.20 on 2023-09-12 12:11
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+ dependencies = [
+ ("dongtai_common", "0022_iastproject_token"),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name="iastagentrequestchainstopographvec",
+ name="expandable",
+ field=models.BooleanField(default=False),
+ ),
+ ]
diff --git a/dongtai_common/migrations/0024_iastsensitiveinforule_system_type.py b/dongtai_common/migrations/0024_iastsensitiveinforule_system_type.py
new file mode 100644
index 000000000..bc9844991
--- /dev/null
+++ b/dongtai_common/migrations/0024_iastsensitiveinforule_system_type.py
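Review bot: `update_exist_project_token` in 0022 is registered without a reverse callable, so the migration cannot be unapplied even though the `AddField` it follows is reversible; `migrations.RunPython(update_exist_project_token, migrations.RunPython.noop)` fixes that. The loop materialises every `IastProject` row with all columns before one unbounded `bulk_update`; `IastProject.objects.only("id", "token")` and `bulk_update(objs_list, ["token"], batch_size=500)` keep memory and transaction size flat on large installs. The token is 22 base-62 characters (~131 bits), which is ample provided the installed shortuuid's `random()` draws from `secrets`/`SystemRandom` — worth confirming against the pinned version. The hard-coded alphabet literal here and `string.ascii_letters + string.digits` in `models/project.py` are the same sequence today; a comment such as `# must match IastProject.token's alphabet` on the literal would keep them from drifting.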
@@ -0,0 +1,17 @@ +# Generated by Django 3.2.20 on 2023-09-13 18:07 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + dependencies = [ + ("dongtai_common", "0023_auto_20230912_1211"), + ] + + operations = [ + migrations.AddField( + model_name="iastsensitiveinforule", + name="system_type", + field=models.IntegerField(default=0), + ), + ] diff --git a/dongtai_common/migrations/0025_alter_iastagentrequestchainstopographvec_unique_together.py b/dongtai_common/migrations/0025_alter_iastagentrequestchainstopographvec_unique_together.py new file mode 100644 index 000000000..69f3f9473 --- /dev/null +++ b/dongtai_common/migrations/0025_alter_iastagentrequestchainstopographvec_unique_together.py @@ -0,0 +1,16 @@ +# Generated by Django 3.2.20 on 2023-09-14 18:03 + +from django.db import migrations + + +class Migration(migrations.Migration): + dependencies = [ + ("dongtai_common", "0024_iastsensitiveinforule_system_type"), + ] + + operations = [ + migrations.AlterUniqueTogether( + name="iastagentrequestchainstopographvec", + unique_together={("graph_hash", "source_node_tag", "target_node_tag")}, + ), + ] diff --git a/dongtai_common/models/__init__.py b/dongtai_common/models/__init__.py index 44e3d43fc..3a3e5bae4 100644 --- a/dongtai_common/models/__init__.py +++ b/dongtai_common/models/__init__.py 
@@ -1,15 +1,19 @@ #!/usr/bin/env python # datetime:2021/1/25 下午6:43 -from .user import User # noqa: I001, F401 -from . import api_route # noqa: F401 -from .project_group import IastProjectGroup # noqa: F401 -from .project_metadata import IastProjectMetaData # noqa: F401 -from .api_route_v2 import * # noqa: F403 -from .integration import * # noqa: F403 -from .license import * # noqa: F403 -from .request_chains import * # noqa: F403 -from .share_token import * # noqa: F403 +# ruff: noqa: I001, F401, F403 + +from .user import User +from . import api_route +from .project_group import IastProjectGroup +from .project_metadata import IastProjectMetaData +from .api_route_v2 import * +from .integration import * +from .license import * +from .request_chains import * +from .share_token import * +from dongtai_common.utils.db_session_engine import Session +from .notify_log import IastWebHookLog LANGUAGE_DICT = {"JAVA": 1, "PYTHON": 2, "PHP": 3, "GO": 4} diff --git a/dongtai_common/models/agent_method_pool.py b/dongtai_common/models/agent_method_pool.py index bcb7a7763..aa5e24619 100644 --- a/dongtai_common/models/agent_method_pool.py +++ b/dongtai_common/models/agent_method_pool.py @@ -7,6 +7,7 @@ from dongtai_common.models.agent import IastAgent from dongtai_common.models.hook_strategy import HookStrategy +from dongtai_common.models.vulnerablity import IastVulnerabilityModel from dongtai_common.utils.settings import get_managed from dongtai_conf.settings import METHOD_POOL_INDEX 
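Review bot: The new file-level `# ruff: noqa: I001, F401, F403` suppresses unused-import and star-import warnings for the whole module, whereas the previous per-line `# noqa` markers covered only the re-exports that need them; any import added later is silently exempt, which is the wrong default for a file whose purpose is to control what gets registered. `Session` is imported from `dongtai_common.utils.db_session_engine` so that Django registers it as a model of this app, but none of the migrations in this diff (0015–0025) create `iast_session`; if 0014 (referenced but not shown) does not either, `makemigrations` will produce one on the next run. A short comment on that import, e.g. `# imported for app registration; the model lives under utils/ because it needs both User and IastProfile`, would explain the unusual location if that is the reason.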
@@ -48,6 +49,40 @@ class Meta: indexes = [models.Index(fields=["uri_sha1", "http_method", "agent"])] +class VulMethodPool(models.Model): + id = models.BigAutoField(primary_key=True) + method_pool_id = models.IntegerField(default=0) + vul = models.ForeignKey(IastVulnerabilityModel, models.CASCADE, db_constraint=False) + agent = models.ForeignKey(IastAgent, models.DO_NOTHING, db_constraint=False) + url = models.CharField(max_length=2000, blank=True) + uri = models.CharField(max_length=2000, blank=True) + http_method = models.CharField(max_length=10, blank=True) + http_scheme = models.CharField(max_length=20, blank=True) + http_protocol = models.CharField(max_length=255, blank=True) + req_header = models.CharField(max_length=2000, blank=True, null=True) + req_params = models.CharField(max_length=2000, blank=True, null=True) + req_data = models.CharField(max_length=4000, blank=True, null=True) + res_header = models.CharField(max_length=1000, blank=True, null=True) + res_body = models.TextField(blank=True, null=True) + req_header_fs = models.TextField(db_column="req_header_for_search") + context_path = models.CharField(max_length=255, blank=True, null=True) + method_pool = models.TextField() # This field type is a guess. + pool_sign = models.CharField(blank=True, max_length=40) # This field type is a guess. + clent_ip = models.CharField(max_length=255, blank=True) + create_time = models.IntegerField() + update_time = models.IntegerField() + uri_sha1 = models.CharField(max_length=40, blank=True, db_index=True) + + class Meta: + managed = get_managed() + db_table = "iast_agent_method_pool_vul" + indexes = [ + models.Index(fields=["uri_sha1", "http_method", "agent"]), + models.Index(fields=["method_pool_id"]), + models.Index(fields=["vul_id", "update_time"]), + ] + + @registry.register_document class MethodPoolDocument(Document): user_id = fields.IntegerField(attr="agent.user_id") 
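Review bot: `VulMethodPool` carries two `# This field type is a guess.` comments that `inspectdb` emits, yet the class is hand-written alongside a `CreateModel` in this same diff, so the comments mislead and should go. `clent_ip` is misspelled, and because the column name derives from the attribute the typo is now frozen into `iast_agent_method_pool_vul` unless `db_column="client_ip"` is added before the migration ships. `method_pool_id` defaults to `0` here while `IastVulnerabilityModel.method_pool_id` (later in this diff) uses `-1` as its "unset" sentinel; pick one so code that joins the two cannot match a real pool with id 0. `req_header`, `req_data`, `res_header` and `res_body` persist the raw HTTP exchange per vulnerability, which may include `Cookie`/`Authorization` values — I can't see the write path from here, but if nothing redacts them before insert this table should be treated as holding credentials at rest.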
diff --git a/dongtai_common/models/asset_vul_v2.py b/dongtai_common/models/asset_vul_v2.py index f71c31013..d0a11ebfe 100644 --- a/dongtai_common/models/asset_vul_v2.py +++ b/dongtai_common/models/asset_vul_v2.py 
@@ -5,27 +5,24 @@ class IastAssetVulV2(models.Model): - vul_name = models.CharField(max_length=255, blank=True) - vul_name_zh = models.CharField(max_length=255, blank=True) - vul_detail = models.TextField() - vul_detail_zh = models.TextField(blank=True) + vul_name = models.CharField(max_length=255, blank=True, help_text="漏洞名") + vul_name_zh = models.CharField(max_length=255, blank=True, help_text="漏洞名(中文)") + vul_detail = models.TextField(help_text="漏洞详情") + vul_detail_zh = models.TextField(blank=True, help_text="漏洞详情(中文)") # 漏洞类型等级 level = models.IntegerField( - choices=AssetRiskLevel.choices, - blank=True, - db_column="level_id", - default=AssetRiskLevel.LOW, + choices=AssetRiskLevel.choices, blank=True, db_column="level_id", default=AssetRiskLevel.LOW, help_text="漏洞等级" ) - update_time = models.IntegerField() - create_time = models.IntegerField() - references = models.JSONField(default=list) - change_time = models.IntegerField() - published_time = models.IntegerField() - vul_id = models.CharField(max_length=255, unique=True, blank=True) - vul_type = models.JSONField() - vul_codes = models.JSONField() - affected_versions = models.JSONField() - unaffected_versions = models.JSONField() + update_time = models.IntegerField(help_text="更新时间") + create_time = models.IntegerField(help_text="创建时间") + references = models.JSONField(default=list, help_text="引用文章") + change_time = models.IntegerField(help_text="修改时间") + published_time = models.IntegerField(help_text="发布时间") + vul_id = models.CharField(max_length=255, unique=True, blank=True, help_text="漏洞id") + vul_type = models.JSONField(help_text="漏洞类型") + vul_codes = models.JSONField(help_text="漏洞编号") + affected_versions = models.JSONField(help_text="影响版本") + unaffected_versions = models.JSONField(help_text="不影响版本") class Meta: managed = True diff --git a/dongtai_common/models/assetv2.py b/dongtai_common/models/assetv2.py index 84dc22d3b..3e523b212 100644 --- a/dongtai_common/models/assetv2.py 
+++ b/dongtai_common/models/assetv2.py @@ -75,10 +75,12 @@ class AssetV2Global(models.Model): license_list = models.JSONField(blank=True, default=list) language_id = models.IntegerField(default=1, blank=True) aql = models.CharField(max_length=255, blank=True, unique=True) + is_focus = models.BooleanField(default=False) class Meta: managed = get_managed() db_table = "iast_asset_v2_global" + indexes = [models.Index(fields=("is_focus", "vul_count", "aql", "level", "language_id"))] def get_vul_count_groupby_level(self): return [ diff --git a/dongtai_common/models/iast_vul_log.py b/dongtai_common/models/iast_vul_log.py index 1272f7deb..63a73a0f2 100644 --- a/dongtai_common/models/iast_vul_log.py +++ b/dongtai_common/models/iast_vul_log.py @@ -13,6 +13,7 @@ class MessageTypeChoices(IntegerChoices): VUL_RECHECK = 2 PUSH_TO_INTEGRATION = 3 VUL_FOUND = 4 + VUL_REPLAY = 5 class IastVulLog(models.Model): diff --git a/dongtai_common/models/notify_log.py b/dongtai_common/models/notify_log.py new file mode 100644 index 000000000..11ab597ec --- /dev/null +++ b/dongtai_common/models/notify_log.py @@ -0,0 +1,14 @@ +from django.db import models + +from dongtai_common.utils.settings import get_managed + + +class IastWebHookLog(models.Model): + id = models.BigAutoField(primary_key=True) + event_type = models.CharField(max_length=255) + body = models.JSONField() + create_time = models.IntegerField() + + class Meta: + managed = get_managed() + db_table = "iast_webhook_log" diff --git a/dongtai_common/models/package_focus.py b/dongtai_common/models/package_focus.py new file mode 100644 index 000000000..3d6eca256 --- /dev/null +++ b/dongtai_common/models/package_focus.py 
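Review bot: The new composite index `(is_focus, vul_count, aql, level, language_id)` on `AssetV2Global` places the already-`unique=True` column `aql` third, so `level` and `language_id` can never narrow a lookup further — they only make the index covering, at the cost of a 255-character varchar in every entry. If the target query filters on `is_focus`/`language_id`/`level` and sorts by `vul_count`, `(is_focus, language_id, level, vul_count)` is the shape that lets the planner use the index for both; if a covering index for one fixed query is really the intent, a comment above `indexes = [...]` naming that query would justify the column order.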
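Review bot: `IastWebHookLog` stores every outbound webhook payload verbatim in `body = models.JSONField()` with no size bound, and nothing in this diff prunes the table, so it grows without limit and retains whatever the payload carried (I can't see the producer, but vulnerability payloads typically include request data). `create_time` and `event_type` are the natural query keys for a retention job or an audit view, yet neither is indexed; `create_time = models.IntegerField(db_index=True)` is the minimum that keeps a periodic delete cheap. A docstring on the model listing the `event_type` values it expects would also help, since the field is a free-form `CharField(max_length=255)`.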
@@ -0,0 +1,11 @@ +from django.db import models + + +class IastPackageFocus(models.Model): + id = models.BigAutoField(primary_key=True) + language_id = models.IntegerField() + package_name = models.CharField(max_length=255) + package_version = models.CharField(max_length=255, blank=True, default="") + + class Meta: + db_table = "iast_package_focus" diff --git a/dongtai_common/models/project.py b/dongtai_common/models/project.py index b54e4469d..ddfbc87a8 100644 --- a/dongtai_common/models/project.py +++ b/dongtai_common/models/project.py @@ -1,8 +1,10 @@ #!/usr/bin/env python # datetime:2020/11/30 下午5:32 +import string import time from django.db import models +from shortuuid.django_fields import ShortUUIDField from dongtai_common.models import User from dongtai_common.models.department import Department @@ -79,6 +81,7 @@ class IastProject(models.Model): status = models.IntegerField(default=0, choices=ProjectStatus.choices) projectgroups = models.ManyToManyField("IastProjectGroup", through="IastProjectGroupProject") users = models.ManyToManyField("User", through="IastProjectUser", related_name="auth_projects") + token = ShortUUIDField(max_length=22, alphabet=string.ascii_letters + string.digits) class Meta: managed = get_managed() diff --git a/dongtai_common/models/request_chains.py b/dongtai_common/models/request_chains.py index 7b0985d35..3aea01273 100644 --- a/dongtai_common/models/request_chains.py +++ b/dongtai_common/models/request_chains.py @@ -12,6 +12,7 @@ from dongtai_common.models.agent import IastAgent from dongtai_common.models.agent_method_pool import MethodPool from dongtai_common.models.project import IastProject +from dongtai_common.models.project_version import IastProjectVersion from dongtai_common.utils.db import get_timestamp from dongtai_common.utils.settings import get_managed 
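Review bot: `IastPackageFocus` has no uniqueness on `(language_id, package_name, package_version)`, so the same package can be "focused" any number of times and nothing stops duplicate inserts; `constraints = [models.UniqueConstraint(fields=["language_id", "package_name", "package_version"], name="iast_package_focus_uniq")]` in `Meta` enforces it at the database. The class also omits `managed = get_managed()`, which every other model added in this diff sets — acceptable if deliberate, but a comment saying so avoids the question. Lookups are presumably by `language_id`/`package_name`; neither is indexed, and the unique constraint above would double as that index.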
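Review bot: `IastProject.token` is a 22-character random string, which reads like a credential, but the field is neither `unique=True` nor indexed, so a lookup by token is a full scan of `iast_project` and two projects could in principle share one. `token = ShortUUIDField(max_length=22, alphabet=string.ascii_letters + string.digits, unique=True, editable=False)` gives the index and the guarantee, and keeps the value out of any `ModelSerializer`/`ModelForm` that lists all fields; I can't see the consumers from here, so confirm nothing expects to set it from input. `unique=True` has to land in a follow-up migration after 0022's `RunPython`, because adding it in the same `AddField` would collide on the single default value Django applies to existing rows.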
@@ -58,3 +59,137 @@ class IastAgentRequestChainsVulContext(models.Model): class Meta: managed = get_managed() db_table = "iast_request_chains_vul_context" + + +class IastAgentRequestChainsTopoGraph(models.Model): + start_project = models.ForeignKey( + IastProject, + models.DO_NOTHING, + blank=True, + default=-1, + db_constraint=False, + ) + start_project_version = models.ForeignKey( + IastProjectVersion, + models.DO_NOTHING, + blank=True, + default=-1, + db_constraint=False, + ) + graph_hash = models.CharField( + max_length=255, + blank=True, + unique=True, + ) + dot_string = models.TextField() + max_depth = models.IntegerField() + + class Meta: + managed = get_managed() + db_table = "iast_request_chains_topo_graph" + + +class IastAgentRequestChainsTopoGraphVec(models.Model): + graph_hash = models.ForeignKey( + IastAgentRequestChainsTopoGraph, + max_length=255, + blank=True, + to_field="graph_hash", + on_delete=models.CASCADE, + db_constraint=False, + ) + level_id = models.IntegerField() + source_project_version = models.ForeignKey( + IastProjectVersion, + models.DO_NOTHING, + blank=True, + default=-1, + db_constraint=False, + related_name="source_project_version", + ) + target_project_version = models.ForeignKey( + IastProjectVersion, + models.DO_NOTHING, + blank=True, + default=-1, + db_constraint=False, + related_name="target_project_version", + ) + source_project = models.ForeignKey( + IastProject, + models.DO_NOTHING, + blank=True, + default=-1, + db_constraint=False, + related_name="source_project", + ) + target_project = models.ForeignKey( + IastProject, + models.DO_NOTHING, + blank=True, + default=-1, + db_constraint=False, + related_name="target_project", + ) + source_node_tag = models.CharField( + max_length=255, + blank=True, + ) + target_node_tag = models.CharField( + max_length=255, + blank=True, + ) + expandable = models.BooleanField(default=False) + + class Meta: + managed = get_managed() + db_table = "iast_request_chains_topo_graph_vecs" + 
unique_together = (("graph_hash", "source_node_tag", "target_node_tag"),) + + +class IastAgentRequestChainsTotalProjectVersionGraphVec(models.Model): + source_project_version = models.ForeignKey( + IastProjectVersion, + models.DO_NOTHING, + blank=True, + default=-1, + db_constraint=False, + related_name="total_source_project_version", + ) + target_project_version = models.ForeignKey( + IastProjectVersion, + models.DO_NOTHING, + blank=True, + default=-1, + db_constraint=False, + related_name="total_target_project_version", + ) + + class Meta: + managed = get_managed() + db_table = "iast_request_chains_total_project_version_graph_vec" + unique_together = (("source_project_version", "target_project_version"),) + + +class IastAgentRequestChainsTotalProjectGraphVec(models.Model): + source_project = models.ForeignKey( + IastProject, + models.DO_NOTHING, + blank=True, + default=-1, + db_constraint=False, + related_name="total_source_project", + ) + target_project = models.ForeignKey( + IastProject, + models.DO_NOTHING, + blank=True, + default=-1, + db_constraint=False, + related_name="total_target_project", + ) + + class Meta: + managed = get_managed() + db_table = "iast_request_chains_total_project_graph_vec" + unique_together = (("source_project", "target_project"),) diff --git a/dongtai_common/models/sensitive_info.py b/dongtai_common/models/sensitive_info.py index b5364cac2..af6c9f01f 100644 --- a/dongtai_common/models/sensitive_info.py +++ b/dongtai_common/models/sensitive_info.py @@ -30,6 +30,7 @@ class IastSensitiveInfoRule(models.Model): pattern = models.CharField(default=None, max_length=255) status = models.IntegerField(default=None) latest_time = models.IntegerField(default=get_timestamp) + system_type = models.IntegerField(default=0) class Meta: db_table = "iast_sensitive_info_rule" diff --git a/dongtai_common/models/user.py b/dongtai_common/models/user.py index 53eb32e3b..25428255b 100644 --- a/dongtai_common/models/user.py +++ b/dongtai_common/models/user.py 
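Review bot: The `ForeignKey`s that use `default=-1` with `db_constraint=False` and no `null=True` store a sentinel that points at no row, so attribute access such as `graph.start_project` on a default-valued row raises `IastProject.DoesNotExist` rather than returning `None`; callers must test `start_project_id == -1` first, and that contract deserves a comment on the fields, e.g. `# -1 means "no project"; never dereference without checking the _id first`. `IastAgentRequestChainsTopoGraph.graph_hash` is both `blank=True` and `unique=True`, so an empty hash is accepted but only one such row can ever exist — if an empty hash is never valid, drop `blank=True`. `IastAgentRequestChainsTopoGraphVec.graph_hash` passes `max_length=255` to `ForeignKey`, which is accepted but has no effect.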
@@ -4,11 +4,12 @@ from django.contrib.auth.models import AbstractUser, UserManager from django.db import models from django.db.models import Q, QuerySet +from django.utils import timezone from django.utils.translation import gettext_lazy as _ from dongtai_common.models.department import Department from dongtai_common.models.iast_role import IastRoleV2 -from dongtai_conf.patch import patch_point +from dongtai_conf.patch import patch_point, to_patch class PermissionsMixin(models.Model): @@ -65,9 +66,12 @@ class User(AbstractUser, PermissionsMixin): role = models.ForeignKey(IastRoleV2, models.DO_NOTHING, default=1, db_constraint=False) is_global_permission = models.BooleanField(default=False) deleted = models.BooleanField(default=False) + failed_login_count = models.IntegerField(default=0) + failed_login_time = models.DateTimeField(default=timezone.now) objects = SaaSUserManager() using_department = None + using_project = None class Meta(AbstractUser.Meta): db_table = "auth_user" @@ -117,6 +121,7 @@ def get_using_department(self): return self.using_department return self.get_department() + @to_patch def get_projects(self) -> QuerySet: from dongtai_common.models.project import IastProject diff --git a/dongtai_common/models/vulnerablity.py b/dongtai_common/models/vulnerablity.py index 0ecb65e6c..ebfc123f5 100644 --- a/dongtai_common/models/vulnerablity.py +++ b/dongtai_common/models/vulnerablity.py @@ -34,7 +34,7 @@ class IastVulnerabilityModel(models.Model): level = models.ForeignKey(IastVulLevel, models.DO_NOTHING, blank=True) url = models.CharField(max_length=2000, blank=True) uri = models.CharField(max_length=255, blank=True) - pattern_uri = models.CharField(max_length=255, blank=True, null=True) + pattern_uri = models.CharField(max_length=255, blank=True, default="") # 模糊搜索 全文索引 查询 vul_title = models.CharField(max_length=255, blank=True, default="") http_method = models.CharField(max_length=10, blank=True) 
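Review bot: `failed_login_count` and `failed_login_time` are added to `User` (table `auth_user`) but no migration in this diff creates those columns — 0015 through 0025 touch other models only — so unless 0014 (referenced but not shown) adds them, the first query against `auth_user` after deploy fails with an unknown-column error. The lockout logic that uses these fields is not in this hunk; wherever it lands, reset the counter on successful authentication and evaluate the threshold before the password check, otherwise the counter only ever grows. A short comment on the two fields stating the intended contract would also help, e.g. `# consecutive failures since the last successful login; the window starts at failed_login_time`.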
@@ -42,18 +42,16 @@ class IastVulnerabilityModel(models.Model): http_protocol = models.CharField(max_length=255, blank=True) req_header = models.TextField(blank=True) req_params = models.CharField(max_length=2000, blank=True, default="") - req_data = models.TextField( - blank=True, - ) + req_data = models.TextField(blank=True) res_header = models.TextField(blank=True) res_body = models.TextField(blank=True) - full_stack = models.TextField(blank=True, null=True) - top_stack = models.CharField(max_length=255, blank=True, null=True) - bottom_stack = models.CharField(max_length=255, blank=True, null=True) - taint_value = models.CharField(max_length=255, blank=True, null=True) - taint_position = models.CharField(max_length=255, blank=True, null=True) + full_stack = models.TextField(blank=True, default="") + top_stack = models.CharField(max_length=255, blank=True, default="") + bottom_stack = models.CharField(max_length=255, blank=True, default="") + taint_value = models.CharField(max_length=4000, blank=True, default="") + taint_position = models.CharField(max_length=255, blank=True, default="") agent = models.ForeignKey(IastAgent, models.DO_NOTHING, blank=True) - language = models.CharField(max_length=10, blank=True, null=True) + language = models.CharField(max_length=10, blank=True, default="") context_path = models.CharField(max_length=255, blank=True) counts = models.IntegerField(blank=True) first_time = models.IntegerField(blank=True) @@ -61,7 +59,7 @@ class IastVulnerabilityModel(models.Model): latest_time_desc = models.IntegerField(blank=True, default=0) level_id_desc = models.SmallIntegerField(blank=True, default=0) client_ip = models.CharField(max_length=255, blank=True) - param_name = models.CharField(max_length=255, blank=True, null=True) + param_name = models.CharField(max_length=255, blank=True, default="") is_del = models.SmallIntegerField(blank=True, default=0) method_pool_id = models.IntegerField(default=-1, blank=True) strategy = models.ForeignKey( 
@@ -90,6 +88,9 @@ class IastVulnerabilityModel(models.Model): class Meta: managed = get_managed() db_table = "iast_vulnerability" + indexes = [ + models.Index(fields=("http_method", "param_name", "pattern_uri", "project_id", "status_id", "strategy_id")), + ] def save(self, *args, **kwargs): key_works = [ diff --git a/dongtai_common/permissions/__init__.py b/dongtai_common/permissions/__init__.py index 8646fe53e..cdb5c2bb5 100644 --- a/dongtai_common/permissions/__init__.py +++ b/dongtai_common/permissions/__init__.py @@ -3,7 +3,7 @@ from rest_framework import permissions -from dongtai_conf.patch import patch_point +from dongtai_conf.patch import patch_point, to_patch class ScopedPermission(permissions.BasePermission): @@ -44,6 +44,7 @@ class UserPermission(ScopedPermission): 用户权限验证类,验证是否为有效用户 """ + @to_patch def has_permission(self, request, view): user = request.user from dongtai_common.endpoint import OpenApiEndPoint diff --git a/dongtai_common/serializers/assetv2.py b/dongtai_common/serializers/assetv2.py index 4ef704d39..430cd8700 100644 --- a/dongtai_common/serializers/assetv2.py +++ b/dongtai_common/serializers/assetv2.py 
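Review bot: Decorating `UserPermission.has_permission` with `@to_patch` makes the request-level authorization decision replaceable by any module that `init_patch` auto-imports from `dongtai_conf/patch/`, so a stray or malicious file in that package now decides who passes this check; the decorator's body is outside this diff, so I can't see whether it validates or even logs the replacement. At minimum, registration of an override for this method should be logged at startup, and the class docstring should state that the check is patchable, e.g. `Patchable via dongtai_conf.patch; an override replaces the whole permission decision.` `has_permission` continues past the end of this hunk.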
@@ -7,12 +7,12 @@ class PackeageScaAssetDetailSerializer(serializers.ModelSerializer): - affected_versions = serializers.ListField(source="package_fullname.affected_versions") - unaffected_versions = serializers.ListField(source="package_fullname.unaffected_versions") - language = serializers.SerializerMethodField() - level_name = serializers.CharField(source="get_level_display") - level_id = serializers.IntegerField(source="level") - vul_count_groupby_level = serializers.ListField(source="get_vul_count_groupby_level") + affected_versions = serializers.ListField(source="package_fullname.affected_versions", help_text="影响版本") + unaffected_versions = serializers.ListField(source="package_fullname.unaffected_versions", help_text="安全版本") + language = serializers.SerializerMethodField(help_text="语言") + level_name = serializers.CharField(source="get_level_display", help_text="危险等级名") + level_id = serializers.IntegerField(source="level", help_text="危险等级id") + vul_count_groupby_level = serializers.ListField(source="get_vul_count_groupby_level", help_text="漏洞统计") class Meta: model = AssetV2Global diff --git a/dongtai_common/serializers/assetvulv2.py b/dongtai_common/serializers/assetvulv2.py index a642f81f7..5b49bd391 100644 --- a/dongtai_common/serializers/assetvulv2.py +++ b/dongtai_common/serializers/assetvulv2.py 
@@ -5,11 +5,11 @@ class PackageVulSerializer(serializers.ModelSerializer): - vul_name = serializers.SerializerMethodField() - vul_detail = serializers.SerializerMethodField() - references = serializers.SerializerMethodField() - level_name = serializers.CharField(source="get_level_display") - level_id = serializers.IntegerField(source="level") + vul_name = serializers.SerializerMethodField(help_text="漏洞名") + vul_detail = serializers.SerializerMethodField(help_text="漏洞详情") + references = serializers.SerializerMethodField(help_text="引用文章") + level_name = serializers.CharField(source="get_level_display", help_text="等级名") + level_id = serializers.IntegerField(source="level", help_text="等级id") class Meta: model = IastAssetVulV2 diff --git a/dongtai_common/utils/const.py b/dongtai_common/utils/const.py index 834f10819..d553cd10e 100644 --- a/dongtai_common/utils/const.py +++ b/dongtai_common/utils/const.py @@ -84,8 +84,9 @@ VUL_PENDING = 1 VUL_VERIFYING = 2 VUL_CONFIRMED = 3 -VUL_IGNORE = 4 VUL_SOLVED = 5 +VUL_FIXED = 6 +VUL_IGNORE = 7 # API 操作 tag diff --git a/dongtai_common/utils/db_session_engine.py b/dongtai_common/utils/db_session_engine.py new file mode 100644 index 000000000..365045b5c --- /dev/null +++ b/dongtai_common/utils/db_session_engine.py 
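Review bot: Renumbering `VUL_IGNORE` from 4 to 7 changes the meaning of a value that is persisted in `iast_vulnerability.status_id`; migration 0015 inserts the new status row with id 7, but nothing in this diff remaps rows already stored with status 4, so on an upgraded install any vulnerability ignored under the old constant stops matching `VUL_IGNORE`, and id 4 is left with no constant at all. Either keep `VUL_IGNORE = 4` and point the new row at it, or add a `RunPython` step that rewrites `status_id=4` to 7 before the constant changes — I can't see from here whether 4 was ever written, so confirm against production data. A comment next to these constants recording that they are database ids, not an enum that can be reordered, would prevent a repeat.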
@@ -0,0 +1,48 @@
+import json
+
+from django.conf import settings
+from django.contrib.auth import SESSION_KEY
+from django.contrib.sessions.backends.db import SessionStore as DBSessionStore
+from django.contrib.sessions.base_session import AbstractBaseSession
+from django.db import models
+
+from dongtai_common.models.profile import IastProfile
+from dongtai_common.models.user import User
+
+SESSION_EXPIRY_PROFILE_KEY = "session_expiry"
+
+
+class Session(AbstractBaseSession):
+ user = models.ForeignKey(User, models.DO_NOTHING, null=True, db_constraint=False)
+
+ @classmethod
+ def get_session_store_class(cls):
+ return SessionStore
+
+ class Meta(AbstractBaseSession.Meta):
+ db_table = "iast_session"
+
+
+class SessionStore(DBSessionStore):
+ @classmethod
+ def get_model_class(cls):
+ return Session
+
+ def create_model_instance(self, data):
+ """
+ Return a new instance of the session model object, which represents the
+ current session state. Intended to be used for saving the session data
+ to the database.
+ """
+ return self.model(
+ user_id=self.get(SESSION_KEY),
+ session_key=self._get_or_create_session_key(), # type: ignore
+ session_data=self.encode(data),
+ expire_date=self.get_expiry_date(),
+ )
+
+ def get_session_cookie_age(self):
+ profile = IastProfile.objects.filter(key=SESSION_EXPIRY_PROFILE_KEY).values_list("value", flat=True).first()
+ if profile is None:
+ return settings.SESSION_COOKIE_AGE
+ return json.loads(profile)[SESSION_EXPIRY_PROFILE_KEY]
diff --git a/dongtai_conf/celery.py b/dongtai_conf/celery.py
index d1221183c..9924a2326 100644
--- a/dongtai_conf/celery.py
+++ b/dongtai_conf/celery.py
@@ -54,6 +54,11 @@ Exchange("dongtai-es-save-task"), routing_key="dongtai-es-save-task", ),
+ Queue(
+ "dongtai-update-heartbeat",
+ Exchange("dongtai-update-heartbeat"),
+ routing_key="dongtai-update-heartbeat",
+ ), # cronjob Queue( "dongtai-periodic-task",
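Review bot: `get_session_cookie_age` trusts the stored profile value completely: a malformed JSON value, a missing `session_expiry` key or a non-integer value raises inside Django's session machinery on every request, which turns one bad admin setting into a site-wide login outage. Wrap the parse and fall back to `settings.SESSION_COOKIE_AGE`, casting to `int` so Django's `timedelta` arithmetic gets what it expects. Separately, `user = models.ForeignKey(..., db_constraint=False)` together with `user_id=self.get(SESSION_KEY)` means a session row may reference a user id the database never checks, which is presumably intended so sessions can outlive users but deserves a one-line comment. Note also that this query runs every time the expiry is computed, i.e. on each request that saves the session.

```python
    def get_session_cookie_age(self):
        """Session lifetime in seconds: the ``session_expiry`` profile value, else settings.SESSION_COOKIE_AGE."""
        profile = IastProfile.objects.filter(key=SESSION_EXPIRY_PROFILE_KEY).values_list("value", flat=True).first()
        if profile is None:
            return settings.SESSION_COOKIE_AGE
        try:
            return int(json.loads(profile)[SESSION_EXPIRY_PROFILE_KEY])
        except (ValueError, TypeError, KeyError):
            # a bad admin-entered value must not break session handling for every request
            return settings.SESSION_COOKIE_AGE
```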
@@ -118,6 +123,10 @@ "exchange": "dongtai-es-save-task", "routing_key": "dongtai-es-save-task", }, + "dongtai_protocol.report.handler.heartbeat_handler.update_heartbeat": { + "exchange": "dongtai-update-heartbeat", + "routing_key": "dongtai-update-heartbeat", + }, # cronjob "dongtai_engine.tasks.update_agent_status": { "exchange": "dongtai-periodic-task", diff --git a/dongtai_conf/patch/__init__.py b/dongtai_conf/patch/__init__.py index 57fbcd704..e470ce348 100644 --- a/dongtai_conf/patch/__init__.py +++ b/dongtai_conf/patch/__init__.py @@ -1,12 +1,11 @@ import importlib -import inspect import logging import pkgutil from collections import defaultdict from collections.abc import Callable -from dataclasses import dataclass +from contextvars import ContextVar +from functools import wraps from pathlib import Path -from types import CodeType from typing import Any, TypeVar, overload from typing_extensions import TypeVarTuple, Unpack @@ -16,13 +15,11 @@ logger = logging.getLogger("patch") -@dataclass -class PatchConfig: - type_check: bool - - is_init_patch = False -PATCH_HANDLER: dict[CodeType, dict[int, tuple[Callable, PatchConfig]]] = defaultdict(dict) +PATCH_HANDLER: dict[Callable[..., Any], dict[int, Callable[..., Any]]] = defaultdict(dict) + +context_func: ContextVar[Callable[..., Any] | None] = ContextVar("context_func", default=None) +context_count: ContextVar[int] = ContextVar("context_count", default=0) def init_patch() -> None: @@ -33,7 +30,6 @@ def init_patch() -> None: if not module_info.name.startswith("_"): importlib.import_module("dongtai_conf.patch." + module_info.name) is_init_patch = True - print(PATCH_HANDLER) T = TypeVar("T") 
@@ -41,45 +37,22 @@ def init_patch() -> None: @overload -def patch_point(*args: Unpack[tuple[T]], patch_id: int = 0) -> T: +def patch_point(*args: Unpack[tuple[T]]) -> T: ... @overload -def patch_point(*args: Unpack[Ts], patch_id: int = 0) -> tuple[Unpack[Ts]]: +def patch_point(*args: Unpack[Ts]) -> tuple[Unpack[Ts]]: ... -def patch_point(*args: Any, patch_id: int = 0) -> Any: - init_patch() - current_frame = inspect.currentframe() - if current_frame is None: - logger.error("current frame is None, can not patch") - return _return_args(*args) - caller_frame = current_frame.f_back - if caller_frame is None: - logger.error("caller frame is None, can not patch") - return _return_args(*args) - caller_code = caller_frame.f_code - if caller_code in PATCH_HANDLER: - func, patch_config = PATCH_HANDLER[caller_code][patch_id] - func_args, _, _, _, kwonlyargs, _, annotations = inspect.getfullargspec(func) - func_args += kwonlyargs - - patch_func_args = {} - for name in func_args: - if name in caller_frame.f_locals: - local_value = caller_frame.f_locals[name] - if patch_config.type_check: - # 如果启用类型检查,进行类型检查 - type_ = annotations.get(name, None) - if type(type_) is type and not isinstance(local_value, type_): - logger.error(f"type check error, name {name}, expect {type_}, get{type(local_value)}") - patch_func_args[name] = local_value - else: - logger.error(f"can not call patch function, miss local var {name}") - return _return_args(*args) - return_value = func(**patch_func_args) +def patch_point(*args: Any) -> Any: + patch_func = context_func.get() + patch_id = context_count.get() + context_count.set(patch_id + 1) + if patch_func in PATCH_HANDLER: + func = PATCH_HANDLER[patch_func][patch_id] + return_value = func(*args) if return_value is None: return _return_args(*args) if len(args) == 1: 
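Review bot: `func = PATCH_HANDLER[patch_func][patch_id]` raises `KeyError` as soon as a `@to_patch` function contains more `patch_point()` calls than patches registered for it (say only `patch_id=0` is registered but the function calls `patch_point` twice), and because ids are now assigned by dynamic call order the failure depends on which branch runs. Look the id up defensively: `func = PATCH_HANDLER[patch_func].get(patch_id)` followed by `if func is None: return _return_args(*args)`. The tail of `patch_point` continues past this hunk.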
@@ -95,25 +68,33 @@ def patch_point(*args: Any, patch_id: int = 0) -> Any: def _return_args(*args: Unpack[Ts]) -> tuple[Unpack[Ts]] | Any:
- print(args) if len(args) == 1: return args[0] return args
-def patch(patch_func: Callable, type_check: bool = False, patch_id: int = 0):
- def wrapper(func: Callable):
- PATCH_HANDLER[patch_func.__code__][patch_id] = (
- func,
- PatchConfig(type_check=type_check),
- )
- return func
+def to_patch(to_patch_func: Callable[..., Any]):
+ @wraps(to_patch_func)
+ def wrapper(*args: Any, **kwargs: Any):
+ token_func = context_func.set(to_patch_func)
+ token_count = context_count.set(0)
+ try:
+ return to_patch_func(*args, **kwargs)
+ finally:
+ context_func.reset(token_func)
+ context_count.reset(token_count)
+ wrapper.to_patch_func = to_patch_func # type: ignore return wrapper
-def check_patch() -> None:
- for code, func in PATCH_HANDLER.items():
- args, _, _, _, kwonlyargs, _, _ = inspect.getfullargspec(func)
- if not set(args + kwonlyargs).issubset(set(code.co_varnames)):
- logger.error(f"error: expect args {args + kwonlyargs}, varnames {code.co_varnames}")
+def patch(patch_func: Callable[..., Any], patch_id: int = 0):
+ def wrapper(func: Callable[..., Any]):
+ to_patch_func = getattr(patch_func, "to_patch_func", None)
+ if to_patch_func is None:
+ logger.error(f"to patch function {patch_func} must be decorated by @to_patch")
+ else:
+ PATCH_HANDLER[to_patch_func][patch_id] = func
+ return func
+
+ return wrapper
diff --git a/dongtai_conf/settings.py b/dongtai_conf/settings.py
index 63c65efe4..dfaf4d211 100644
--- a/dongtai_conf/settings.py
+++ b/dongtai_conf/settings.py
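Review bot: `to_patch` and `patch` replace frame inspection with a contract that nothing in the code states, so both need a docstring: patch ids are assigned by the dynamic order of `patch_point()` calls within one invocation of the decorated function (a `patch_point` inside a conditional shifts the ids of every later one), and a patch function now receives the positional `args` of the `patch_point` call rather than the caller's locals. Something like `"""Mark a function whose patch_point() calls can be overridden; ids follow call order per invocation."""` on `to_patch`. `patch()` only logs when the target lacks `to_patch_func` and then returns silently, so an outer decorator that replaces the function without `functools.wraps` makes the patch vanish at import time without failing; raising there would surface the misconfiguration. `context_count.set(0)` on entry means a patch function that itself calls a `@to_patch` function gets a fresh counter, which is correct but worth stating.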
@@ -120,6 +120,7 @@ def get_installed_apps(): "DEFAULT_PAGINATION_CLASS": ["django.core.paginator"], "DEFAULT_AUTHENTICATION_CLASSES": [ "rest_framework.authentication.SessionAuthentication", + "dongtai_common.common.utils.ProjectTokenAuthentication", "dongtai_common.common.utils.DepartmentTokenAuthentication", "rest_framework.authentication.TokenAuthentication", ], @@ -482,6 +483,7 @@ def safe_execute(default, exception, function, *args): ENABLE_SSL = config.get("smtp", "ssl") == "True" ADMIN_EMAIL = config.get("smtp", "cc_addr") SESSION_COOKIE_DOMAIN = None +SESSION_ENGINE = "dongtai_common.utils.db_session_engine" CSRF_COOKIE_DOMAIN = None SECURE_BROWSER_XSS_FILTER = True @@ -654,6 +656,30 @@ def safe_execute(default, exception, function, *args): "ldap-decoded", "http-token-limited-chars", "numeric-limited-chars", + "custom-encoded-cmd-injection", + "custom-decoded-cmd-injection", + "custom-encoded-jnd-injection", + "custom-decoded-jnd-injection", + "custom-encoded-hql-injection", + "custom-decoded-hql-injection", + "custom-encoded-nosql-injection", + "custom-decoded-nosql-injection", + "custom-encoded-smtp-injection", + "custom-decoded-smtp-injection", + "custom-encoded-xxe", + "custom-decoded-xxe", + "custom-encoded-el-injection", + "custom-decoded-el-injection", + "custom-encoded-reflection-injection", + "custom-decoded-reflection-injection", + "custom-encoded-ssrf", + "custom-decoded-ssrf", + "custom-encoded-path-traversal", + "custom-decoded-path-traversal", + "custom-encoded-file-write", + "custom-encoded-file-write", + "custom-encoded-redos", + "custom-decoded-redos", ] DEFAULT_TAINT_VALUE_RANGE_COMMANDS = [ "KEEP", diff --git a/dongtai_engine/plugins/strategy_headers.py b/dongtai_engine/plugins/strategy_headers.py index bb174ad2d..308b59c94 100644 --- a/dongtai_engine/plugins/strategy_headers.py +++ b/dongtai_engine/plugins/strategy_headers.py 
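Review bot: Adding `ProjectTokenAuthentication` to `DEFAULT_AUTHENTICATION_CLASSES` makes a project-scoped token acceptable on every DRF view that does not override `authentication_classes`, not only the agent endpoints this diff wires up. I can't see the class here, so if it is meant to authenticate agent-protocol calls only, prefer listing it on those views (as `agent_download.py` does in this same commit) and add a comment at this line stating which user object and permission scope such a token resolves to.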
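Review bot: `"custom-encoded-file-write"` appears twice in the new taint-command list and `"custom-decoded-file-write"` is missing, breaking the encoded/decoded pairing every other entry follows; the second occurrence should read `"custom-decoded-file-write",`. If this list is used to validate tags reported by agents, the decoded file-write variant is silently rejected until this is fixed.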
@@ -121,7 +121,7 @@ def check_response_header(method_pool): ) -def save_vul(vul_type, method_pool, position=None, data=None): +def save_vul(vul_type, method_pool, position="", data=""): if is_strategy_enable(vul_type, method_pool) is False: return vul_strategy = IastStrategyModel.objects.filter( @@ -206,9 +206,9 @@ def save_vul(vul_type, method_pool, position=None, data=None): req_data=method_pool.req_data, res_header=method_pool.res_header, res_body=method_pool.res_body, - full_stack=None, - top_stack=None, - bottom_stack=None, + full_stack="", + top_stack="", + bottom_stack="", taint_value=data, taint_position=position, agent=method_pool.agent, @@ -218,7 +218,7 @@ def save_vul(vul_type, method_pool, position=None, data=None): first_time=method_pool.create_time, latest_time=timestamp, client_ip=method_pool.clent_ip, - param_name=None, + param_name="", method_pool_id=method_pool.id, project_version_id=method_pool.agent.project_version_id, project_id=method_pool.agent.bind_project_id, @@ -232,11 +232,7 @@ def save_vul(vul_type, method_pool, position=None, data=None): vul.id, vul.strategy.vul_name, ) # type: ignore - send_notify.send_robust( - sender=save_vul, - vul_id=vul.id, - department_id=method_pool.agent.department_id, - ) + send_notify.send_robust(sender=save_vul, vul_id=vul.id) cache.delete(cache_key) header_vul = None if not IastHeaderVulnerability.objects.filter( diff --git a/dongtai_engine/signals/handlers/vul_handler.py b/dongtai_engine/signals/handlers/vul_handler.py index c950e1789..7da4e670f 100644 --- a/dongtai_engine/signals/handlers/vul_handler.py +++ b/dongtai_engine/signals/handlers/vul_handler.py @@ -1,5 +1,6 @@ #!/usr/bin/env python # datetime: 2021/4/30 下午3:00 +import base64 import json import time import uuid 
@@ -13,7 +14,8 @@ from django.dispatch import receiver from dongtai_common.engine.compatibility import method_pool_3_to_2 -from dongtai_common.models.agent_method_pool import MethodPool +from dongtai_common.models.agent_method_pool import MethodPool, VulMethodPool +from dongtai_common.models.iast_vul_log import IastVulLog, MessageTypeChoices from dongtai_common.models.profile import IastProfile from dongtai_common.models.project import IastProject, VulValidation from dongtai_common.models.replay_queue import IastReplayQueue @@ -95,7 +97,7 @@ def parse_header(req_header: str, taint_value: str) -> str | None: header_dict = parse_headers_dict_from_bytes(base64.b64decode(req_header)) for k, v in header_dict.items(): - if v == taint_value or k == taint_value: + if taint_value in {v, k}: return k return None @@ -266,6 +268,17 @@ def save_vul(vul_meta, vul_level, strategy_id, vul_stack, top_stack, bottom_stac is_api_cached = uuid_key != cache.get_or_set(cache_key, uuid_key) if is_api_cached: return None + + if IastVulnerabilityModel.objects.filter( + strategy_id=strategy_id, + pattern_uri=pattern_uri, + http_method=vul_meta.http_method, + project_id=vul_meta.agent.bind_project_id, + param_name=param_name, + status_id=const.VUL_IGNORE, + ).exists(): + return None + # 获取 相同项目版本下的数据 vul = ( IastVulnerabilityModel.objects.filter( @@ -283,7 +296,6 @@ def save_vul(vul_meta, vul_level, strategy_id, vul_stack, top_stack, bottom_stac if vul: vul.url = vul_meta.url vul.uri = vul_meta.uri - vul.pattern_uri = pattern_uri vul.req_header = vul_meta.req_header vul.req_params = vul_meta.req_params vul.req_data = vul_meta.req_data @@ -300,9 +312,11 @@ def save_vul(vul_meta, vul_level, strategy_id, vul_stack, top_stack, bottom_stac vul.method_pool_id = vul_meta.id vul.language = vul_meta.agent.language vul.full_stack = json.dumps(vul_stack, ensure_ascii=False) + vul.is_del = 0 vul.save( update_fields=[ "url", + "uri", "req_header", "req_params", "req_data", 
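Review bot: The new `VUL_IGNORE` early return runs after `cache.get_or_set(cache_key, uuid_key)` has claimed `cache_key`, but unlike the normal path it never reaches the `cache.delete(cache_key)` at the end of `save_vul`, so the key lingers until it expires and later reports for the same key are dropped as `is_api_cached` in the meantime, including right after a user un-ignores the vulnerability. Delete the key before returning: `cache.delete(cache_key)` above `return None`. The rest of `save_vul` lies outside this hunk, so I'm inferring the cache TTL is non-trivial.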
@@ -320,6 +334,7 @@ def save_vul(vul_meta, vul_level, strategy_id, vul_stack, top_stack, bottom_stac "latest_time", "latest_time_desc", "language", + "is_del", ] ) else: @@ -368,17 +383,54 @@ def save_vul(vul_meta, vul_level, strategy_id, vul_stack, top_stack, bottom_stac vul.id, vul.strategy.vul_name, ) # type: ignore - send_notify.send_robust( - sender=save_vul, - vul_id=vul.id, - department_id=vul_meta.agent.department_id, - ) + send_notify.send_robust(sender=save_vul, vul_id=vul.id) + + VulMethodPool.objects.update_or_create( + vul_id=vul.id, + defaults={ + "method_pool_id": vul_meta.id, + "vul_id": vul.id, + "agent_id": vul_meta.agent_id, + "url": vul_meta.url, + "uri": vul_meta.uri, + "http_method": vul_meta.http_method, + "http_scheme": vul_meta.http_scheme, + "http_protocol": vul_meta.http_protocol, + "req_header": vul_meta.req_header, + "req_params": vul_meta.req_params, + "req_data": vul_meta.req_data, + "res_header": vul_meta.res_header, + "res_body": vul_meta.res_body, + "req_header_fs": vul_meta.req_header_fs, + "context_path": vul_meta.context_path, + "method_pool": vul_meta.method_pool, + "pool_sign": vul_meta.pool_sign, + "clent_ip": vul_meta.clent_ip, + "create_time": vul_meta.create_time, + "update_time": vul_meta.update_time, + "uri_sha1": vul_meta.uri_sha1, + }, + ) cache.delete(cache_key) # delete if exists more than one departured use redis lock # IastVulnerabilityModel.objects.filter( # ).delete() + # 记录漏洞重放 + for header in base64.b64decode(vul.req_header).decode("utf-8").split("\n"): + if header.startswith("iast-server-replay-uuid:"): + replay_uuid = header.removeprefix("iast-server-replay-uuid:") + msg = f"id为{vul.agent.bind_project.id}的项目{vul.agent.bind_project.name}在UUID为{replay_uuid}的漏洞重放中检测到漏洞{vul.strategy.vul_name}" + IastVulLog.objects.create( + msg_type=MessageTypeChoices.VUL_REPLAY, + msg=msg, + meta_data=kwargs, + vul_id=vul.id, + user_id=vul.agent.user_id, + ) + break + logger.info(f"vul_found {vul.id}") return vul 
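Review bot: The replay-detection loop parses `req_header` by hand and is fragile: header names are matched case-sensitively with `startswith`, `removeprefix` keeps the leading space and any trailing `\r` in `replay_uuid`, and a `b64decode` or `.decode("utf-8")` error on an odd header aborts `save_vul` after the vulnerability row and `VulMethodPool` were already written (the `vul_found` log and `return vul` are skipped). The file already has `parse_headers_dict_from_bytes` (used by `parse_header` earlier in this diff), so reuse it and guard the decode. `replay_uuid` is copied verbatim from an agent-reported request header into `IastVulLog.msg`, so whatever renders that message must treat it as untrusted text, and `meta_data=kwargs` relies on a `kwargs` this hunk does not show. I'm assuming `parse_headers_dict_from_bytes` raises a `ValueError` subclass on bad input and yields str keys/values as `parse_header` treats it; adjust the `except` if not.

```python
    # 记录漏洞重放 — header names are case-insensitive; reuse the parser parse_header() already uses
    try:
        header_dict = parse_headers_dict_from_bytes(base64.b64decode(vul.req_header))
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        logger.warning("vul %s: could not parse req_header for replay uuid", vul.id)
        header_dict = {}
    replay_uuid = next(
        (str(v).strip() for k, v in header_dict.items() if str(k).lower() == "iast-server-replay-uuid"),
        None,
    )
    if replay_uuid is not None:
        msg = f"id为{vul.agent.bind_project.id}的项目{vul.agent.bind_project.name}在UUID为{replay_uuid}的漏洞重放中检测到漏洞{vul.strategy.vul_name}"
        # … unchanged: IastVulLog.objects.create(...) …
```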
diff --git a/dongtai_protocol/report/handler/hardencode_vul_handler.py b/dongtai_protocol/report/handler/hardencode_vul_handler.py
index c05eb8785..359cfd154 100644
--- a/dongtai_protocol/report/handler/hardencode_vul_handler.py
+++ b/dongtai_protocol/report/handler/hardencode_vul_handler.py
@@ -133,8 +133,4 @@ def save(self): iast_vul.id, # type: ignore iast_vul.strategy.vul_name, )
- send_notify.send_robust(
- sender=self.__class__,
- vul_id=iast_vul.id,
- department_id=self.agent.department_id,
- )
+ send_notify.send_robust(sender=self.__class__, vul_id=iast_vul.id)
diff --git a/dongtai_protocol/report/handler/heartbeat_handler.py b/dongtai_protocol/report/handler/heartbeat_handler.py
index af1586bdf..f25cc1f6d 100644
--- a/dongtai_protocol/report/handler/heartbeat_handler.py
+++ b/dongtai_protocol/report/handler/heartbeat_handler.py
@@ -2,7 +2,10 @@ # datetime:2020/10/23 11:56 import logging import time
+from typing import Any
+
+from celery import shared_task
+from celery_singleton import Singleton from django.core.cache import cache from django.db.models import Q, QuerySet from django.utils.translation import gettext_lazy as _
@@ -29,6 +32,12 @@ def check_agent_incache(agent_id): return bool(cache.get(f"heartbeat-{agent_id}"))
+@shared_task(base=Singleton, unique_on=["agent_id"], lock_expiry=20)
+def update_heartbeat(agent_id: int, defaults: dict[str, Any]):
+ IastHeartbeat.objects.update_or_create(agent_id=agent_id, defaults=defaults)
+ IastAgent.objects.update_or_create(pk=agent_id, defaults={"is_running": 1, "online": 1})
+ + @ReportHandler.register(const.REPORT_HEART_BEAT) class HeartBeatHandler(IReportHandler): def __init__(self):
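Review bot: `update_heartbeat` is declared with `base=Singleton, unique_on=["agent_id"], lock_expiry=20`, which (as I understand celery_singleton) drops any second submission for the same agent while the first is still queued or running; with the `check_agent_incache` guard removed from `save_heartbeat` in the next hunk, heartbeats arriving inside that window carry newer `defaults` (queue sizes, cpu, memory) that are silently discarded, so persisted metrics can lag by up to 20s plus queue latency. If that is acceptable, say so in a docstring: `"""Persist the latest heartbeat for an agent; concurrent submissions for one agent_id are collapsed by Singleton (lock_expiry=20s)."""`. `IastAgent.objects.update_or_create(pk=agent_id, ...)` also creates a near-empty agent row for an unknown id now that the worker rather than the request handler runs it unconditionally; `IastAgent.objects.filter(pk=agent_id).update(is_running=1, online=1)` avoids that if creation is not intended.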
@@ -58,9 +67,6 @@ def has_permission(self): def save_heartbeat(self): default_dict = {"dt": int(time.time())} - if not check_agent_incache(self.agent_id): - IastHeartbeat.objects.update_or_create(agent_id=self.agent_id, defaults=default_dict) - IastAgent.objects.update_or_create(pk=self.agent_id, defaults={"is_running": 1, "online": 1}) if self.return_queue == 1: default_dict["req_count"] = self.req_count default_dict["report_queue"] = self.report_queue @@ -72,7 +78,7 @@ def save_heartbeat(self): default_dict["memory"] = self.memory default_dict["cpu"] = self.cpu default_dict["disk"] = self.disk - IastHeartbeat.objects.update_or_create(agent_id=self.agent_id, defaults=default_dict) + update_heartbeat.delay(agent_id=self.agent_id, defaults=default_dict) else: default_dict["memory"] = self.memory default_dict["cpu"] = self.cpu @@ -81,7 +87,7 @@ def save_heartbeat(self): default_dict["method_queue"] = self.method_queue default_dict["replay_queue"] = self.replay_queue default_dict["disk"] = self.disk - IastHeartbeat.objects.update_or_create(agent_id=self.agent_id, defaults=default_dict) + update_heartbeat.delay(agent_id=self.agent_id, defaults=default_dict) update_agent_cache(self.agent_id, default_dict) def get_result(self, msg=None): diff --git a/dongtai_protocol/report/handler/narmal_vul_handler.py b/dongtai_protocol/report/handler/narmal_vul_handler.py index 14b9157c7..a014e75b2 100644 --- a/dongtai_protocol/report/handler/narmal_vul_handler.py +++ b/dongtai_protocol/report/handler/narmal_vul_handler.py @@ -252,11 +252,7 @@ def save(self): iast_vul.id, # type: ignore iast_vul.strategy.vul_name, ) - send_notify.send_robust( - sender=self.__class__, - vul_id=iast_vul.id, - department_id=self.agent.department_id, - ) + send_notify.send_robust(sender=self.__class__, vul_id=iast_vul.id) IastVulnerabilityModel.objects.filter( strategy_id=iast_vul.strategy_id, 
diff --git a/dongtai_protocol/report/handler/saas_method_pool_handler.py b/dongtai_protocol/report/handler/saas_method_pool_handler.py index fdb5047cf..d0203b9e2 100644 --- a/dongtai_protocol/report/handler/saas_method_pool_handler.py +++ b/dongtai_protocol/report/handler/saas_method_pool_handler.py @@ -17,13 +17,11 @@ from dongtai_common.models.agent import IastAgent from dongtai_common.models.agent_method_pool import MethodPool from dongtai_common.models.api_route import ( - FromWhereChoices, - HttpMethod, IastApiMethod, - IastApiMethodHttpMethodRelation, IastApiParameter, IastApiRoute, ) +from dongtai_common.models.api_route_v2 import IastApiRouteV2 from dongtai_common.models.replay_method_pool import IastAgentMethodPoolReplay from dongtai_common.models.replay_queue import IastReplayQueue from dongtai_common.models.res_header import ( @@ -111,6 +109,7 @@ def save(self): ) # update_api_route_deatil(self.agent_id, self.http_uri, self.http_method, # params_dict) + add_new_api_route(self.agent, self.http_uri, self.http_method) if self.http_replay: # 保存数据至重放请求池 replay_id = headers.get("dongtai-replay-id") 
@@ -412,27 +411,9 @@ def add_new_api_route(agent: IastAgent, path, method): logger.info(f"found cache api_route-{agent.id}-{path}-{method} ,skip its insert") return try: - api_method, is_create = IastApiMethod.objects.get_or_create(method=method.upper()) - http_method, _ = HttpMethod.objects.get_or_create(method=method.upper()) - IastApiMethodHttpMethodRelation.objects.get_or_create( - api_method_id=api_method.id, http_method_id=http_method.id - ) - api_route, is_create = IastApiRoute.objects.get_or_create( - from_where=FromWhereChoices.FROM_METHOD_POOL, - method_id=api_method.id, - path=path, - agent_id=agent.id, - project_id=agent.bind_project_id, - project_version_id=agent.project_version_id, - ) - except (IntegrityError, MultipleObjectsReturned) as e: - logger.info(e) - logger.debug(e, exc_info=e) - try: - api_method, is_create = IastApiMethod.objects.get_or_create(method=method.upper()) - IastApiRoute.objects.filter( + IastApiRouteV2.objects.filter( path=path, - method_id=api_method.id, + method=method.lower(), project_id=agent.bind_project_id, project_version_id=agent.project_version_id, ).update(is_cover=1) diff --git a/dongtai_protocol/report/handler/sca_handler.py b/dongtai_protocol/report/handler/sca_handler.py index 84ac29a44..0c591a187 100644 --- a/dongtai_protocol/report/handler/sca_handler.py +++ b/dongtai_protocol/report/handler/sca_handler.py @@ -3,6 +3,7 @@ import json import logging +from celery import group from django.utils.translation import gettext_lazy as _ from dongtai_common.utils import const @@ -77,7 +78,7 @@ def save(self): @ReportHandler.register(const.REPORT_SCA + 1) -class ScaBulkHandler(ScaHandler): +class ScaBulkHandler(IReportHandler): def parse(self): self.packages = self.detail.get("packages") self.package_path = self.detail.get("packagePath") 
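Review bot: After this rewrite `add_new_api_route` no longer creates anything, it only sets `is_cover=1` on existing `IastApiRouteV2` rows, yet the name and the cache-hit log line just above (`skip its insert`) still describe an insert, which will mislead whoever reads the logs. The lookup also switched from `method.upper()` to `method.lower()`; if `IastApiRouteV2.method` is stored lowercase that is right, but a one-line comment such as `# IastApiRouteV2.method is stored lowercase` would settle it. The `try:` opened here has its `except` outside the hunk, so I can't confirm the remaining handler still matches what the body can raise.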
@@ -87,10 +88,45 @@ def parse(self): self.package_version = self.detail.get("packageVersion", "") def save(self): + task_group = [] for package in self.packages: self.package_path = package.get("packagePath", None) self.package_signature = package.get("packageSignature", None) self.package_name = package.get("packageName", None) self.package_algorithm = package.get("packageAlgorithm", None) self.package_version = package.get("packageVersion", "") - super().save() + + try: + logger.info( + f"[+] 处理SCA请求[{self.agent_id}, {self.package_path}, {self.package_signature}, {self.package_name}, {self.package_algorithm} {self.package_version}]正在下发扫描任务" + ) + if self.package_signature: + task_group.append( + new_update_one_sca.s( + self.agent_id, + self.package_path, + self.package_signature, + self.package_name, + self.package_algorithm, + self.package_version, + ) + ) + else: + task_group.append( + update_one_sca.s( + self.agent_id, + self.package_path, + self.package_signature, + self.package_name, + self.package_algorithm, + self.package_version, + ) + ) + logger.info( + f"[+] 处理SCA请求[{self.agent_id}, {self.package_path}, {self.package_signature}, {self.package_name}, {self.package_algorithm} {self.package_version}]任务下发完成" + ) + except Exception as e: + logger.info( + f"[-] Failure: sca package [{self.agent_id} {self.package_path} {self.package_signature} {self.package_name} {self.package_algorithm} {self.package_version}], Error: {e}" + ) + group(*task_group).delay() diff --git a/dongtai_protocol/views/agent_configv2.py b/dongtai_protocol/views/agent_configv2.py index b593c589a..8ac159e66 100644 --- a/dongtai_protocol/views/agent_configv2.py +++ b/dongtai_protocol/views/agent_configv2.py 
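Review bot: The `except Exception as e:` around the task construction logs the failure at `info` level with the traceback lost, so a broken package entry disappears into normal log noise; use `logger.exception(...)` there. `self.packages` comes from `self.detail.get("packages")` in `parse` (previous hunk) and is `None` when the key is absent, which makes `for package in self.packages` raise `TypeError` before anything is logged; `self.packages = self.detail.get("packages") or []` avoids that. `group(*task_group).delay()` is also called when nothing was queued, so guarding it with `if task_group:` keeps empty reports off the broker.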
@@ -8,7 +8,7 @@ from dongtai_common.endpoint import OpenApiEndPoint, R from dongtai_common.models.agent import IastAgent from dongtai_common.models.profile import IastProfile -from dongtai_conf.patch import patch_point +from dongtai_conf.patch import patch_point, to_patch from dongtai_web.utils import extend_schema_with_envcheck @@ -38,6 +38,7 @@ class AgentConfigAllinOneView(OpenApiEndPoint): tags=["Agent服务端交互协议"], methods=["GET"], ) + @to_patch def get(self, request): ser = _AgentConfigArgsSerializer(data=request.GET) try: diff --git a/dongtai_protocol/views/agent_download.py b/dongtai_protocol/views/agent_download.py index e5f8262b6..43e727002 100644 --- a/dongtai_protocol/views/agent_download.py +++ b/dongtai_protocol/views/agent_download.py @@ -16,7 +16,10 @@ from rest_framework.authentication import SessionAuthentication, TokenAuthentication from rest_framework.authtoken.models import Token -from dongtai_common.common.utils import DepartmentTokenAuthentication +from dongtai_common.common.utils import ( + DepartmentTokenAuthentication, + ProjectTokenAuthentication, +) from dongtai_common.endpoint import OpenApiEndPoint, R from dongtai_conf.settings import BUCKET_NAME_BASE_URL, VERSION from dongtai_protocol.api_schema import DongTaiParameter @@ -283,6 +286,7 @@ class AgentDownload(OpenApiEndPoint): name = "download_iast_agent" description = "下载洞态Agent" authentication_classes = ( + ProjectTokenAuthentication, DepartmentTokenAuthentication, TokenAuthentication, SessionAuthentication, @@ -338,6 +342,8 @@ def get(self, request): user_token = request.query_params.get("token", None) if department_token: final_token = department_token + elif request.user.using_project is not None: + final_token = request.user.using_project.token elif not user_token: token, success = Token.objects.get_or_create(user=request.user) final_token = token.key diff --git a/dongtai_protocol/views/agent_register.py b/dongtai_protocol/views/agent_register.py index dcb1a2e71..0e094e8bf 100644 
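Review bot: `request.user.using_project` is read without a guard in the new `elif`, but the view also accepts `DepartmentTokenAuthentication`, `TokenAuthentication` and `SessionAuthentication`; if `using_project` is only attached by `ProjectTokenAuthentication` (I can't see that class here), every other authenticated download raises `AttributeError` at this line. `elif getattr(request.user, "using_project", None) is not None:` is the safe form, and the same pattern appears in `agent_register.py` in the hunk that follows. The enclosing `get` continues beyond the hunk.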
--- a/dongtai_protocol/views/agent_register.py +++ b/dongtai_protocol/views/agent_register.py @@ -3,11 +3,13 @@ import base64 import json import logging +import string import time from django.db import transaction from django.utils.translation import gettext_lazy as _ from drf_spectacular.utils import extend_schema +from shortuuid import ShortUUID from dongtai_common.endpoint import OpenApiEndPoint, R from dongtai_common.models.agent import IastAgent @@ -24,6 +26,10 @@ logger = logging.getLogger("dongtai.openapi") +def generate_shoutuuid() -> str: + return ShortUUID(alphabet=string.ascii_letters + string.digits).random(length=22) + + def get_agent_allow_report(agent_id): return 1 @@ -262,10 +268,12 @@ def post(self, request: Request): "template_id": template.id if template else -1, "user": user, "department_id": 1, + "token": generate_shoutuuid(), } default_params.update(template.to_full_project_args() if template else {}) - + if request.user.using_project is not None: + project_name = request.user.using_project.name with transaction.atomic(): ( obj, diff --git a/dongtai_web/aggr_vul/app_vul_list.py b/dongtai_web/aggr_vul/app_vul_list.py index b0f825434..9dce56a7f 100644 --- a/dongtai_web/aggr_vul/app_vul_list.py +++ b/dongtai_web/aggr_vul/app_vul_list.py 
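Review bot: `generate_shoutuuid` is misspelled (`generate_shortuuid`) and, since its output becomes a project authentication token (`"token": generate_shoutuuid()`), its strength depends entirely on `ShortUUID.random()` drawing from a CSPRNG; confirm the pinned shortuuid version uses `secrets`, otherwise `secrets.token_urlsafe(16)` needs no third-party dependency. A docstring should state that requirement, e.g. `"""Return a 22-char [A-Za-z0-9] project token; must come from a CSPRNG."""`. `project_name = request.user.using_project.name` is assigned here but its use lies outside the hunk, and the `post` method continues past it.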
@@ -6,13 +6,16 @@ from django.core.cache import cache from django.db.models import Count, F from django.utils.translation import gettext_lazy as _ +from drf_spectacular.utils import extend_schema from elasticsearch import Elasticsearch from elasticsearch_dsl import Q +from rest_framework import serializers from rest_framework.serializers import ValidationError from dongtai_common.common.utils import make_hash from dongtai_common.endpoint import R, UserEndPoint from dongtai_common.models import APP_LEVEL_RISK, APP_VUL_ORDER +from dongtai_common.models.agent_method_pool import VulMethodPool from dongtai_common.models.dast_integration import IastDastIntegrationRelation from dongtai_common.models.vulnerablity import ( IastVulnerabilityDocument, 
@@ -22,23 +25,79 @@ from dongtai_common.utils.const import OPERATE_GET from dongtai_common.utils.db import SearchLanguageMode from dongtai_conf import settings -from dongtai_conf.patch import patch_point +from dongtai_conf.patch import patch_point, to_patch from dongtai_conf.settings import ELASTICSEARCH_STATE from dongtai_engine.elatic_search.data_correction import data_correction_interpetor from dongtai_web.aggregation.aggregation_common import turnIntListOfStr from dongtai_web.serializers.aggregation import AggregationArgsSerializer from dongtai_web.serializers.vul import VulSerializer -from dongtai_web.utils import extend_schema_with_envcheck +from dongtai_web.utils import get_response_serializer INT_LIMIT: int = 2**64 - 1 +class AppVulSerializer(serializers.ModelSerializer): + level_name = serializers.CharField() + server_type = serializers.CharField() + is_header_vul = serializers.CharField() + agent__project_name = serializers.CharField() + agent__server__container = serializers.CharField() + agent__language = serializers.CharField() + agent__bind_project_id = serializers.CharField() + header_vul_urls = serializers.ListField() + dastvul__vul_type = serializers.CharField() + dastvul_count = serializers.CharField() + dast_validation_status = serializers.CharField() + strategy__vul_name = serializers.CharField() + project__name = serializers.CharField() + server__container = serializers.CharField() + project_version__version_name = serializers.CharField() + + class Meta: + model = IastVulnerabilityModel + fields = [ + "id", + "uri", + "http_method", + "top_stack", + "bottom_stack", + "level_id", + "taint_position", + "status_id", + "first_time", + "latest_time", + "strategy__vul_name", + "language", + "project__name", + "server__container", + "project_id", + "strategy_id", + "project_version_id", + "project_version__version_name", + "level_name", + "server_type", + "is_header_vul", + "agent__project_name", + "agent__server__container", + "agent__language", + 
"agent__bind_project_id", + "header_vul_urls", + "dastvul__vul_type", + "dastvul_count", + "dast_validation_status", + ] + + +_NewResponseSerializer = get_response_serializer(AppVulSerializer(many=True)) + + class GetAppVulsList(UserEndPoint): - @extend_schema_with_envcheck( + @extend_schema( request=AggregationArgsSerializer, - tags=[_("Vulnerability"), OPERATE_GET], + tags=[_("Vulnerability"), OPERATE_GET, "集成"], summary="应用漏洞列表", ) + @to_patch def post(self, request): """ :param request: @@ -176,6 +235,7 @@ def post(self, request): lambda: 0, {item["iastvul_id"]: item["dastvul_count"] for item in dastvul_rel_count_res}, ) + has_vul_method_pool_set = set(VulMethodPool.objects.filter(vul_id__in=vul_ids).values_list("vul_id", flat=True)) if vul_data: for item in vul_data: item["level_name"] = APP_LEVEL_RISK.get(str(item["level_id"]), "") @@ -189,6 +249,7 @@ def post(self, request): item["dastvul__vul_type"] = dast_vul_types_dict[item["id"]] item["dastvul_count"] = dastvul_rel_count_res_dict[item["id"]] item["dast_validation_status"] = bool(dastvul_rel_count_res_dict[item["id"]]) + item["has_vul_method_pool"] = item["id"] in has_vul_method_pool_set end["data"].append(item) # all Iast Vulnerability Status status = IastVulnerabilityStatus.objects.all() diff --git a/dongtai_web/aggr_vul/app_vul_summary.py b/dongtai_web/aggr_vul/app_vul_summary.py index 6e475120a..fb8420009 100644 --- a/dongtai_web/aggr_vul/app_vul_summary.py +++ b/dongtai_web/aggr_vul/app_vul_summary.py @@ -9,7 +9,7 @@ from dongtai_common.models.project import IastProject from dongtai_common.models.vulnerablity import IastVulnerabilityModel from dongtai_common.utils.const import OPERATE_GET -from dongtai_conf.patch import patch_point +from dongtai_conf.patch import patch_point, to_patch from dongtai_conf.settings import ELASTICSEARCH_STATE from dongtai_web.serializers.aggregation import AggregationArgsSerializer from dongtai_web.utils import dict_transfrom, extend_schema_with_envcheck 
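Review bot: `item["has_vul_method_pool"]` is added to each row of the response but `AppVulSerializer.Meta.fields` does not list it, so the schema this commit introduces is already out of step with the payload; add `has_vul_method_pool = serializers.BooleanField()` and the name to `fields`. `_NewResponseSerializer` is built but the `@extend_schema(...)` call passes no `responses=`, so unless it is referenced further down the file it is unused; `responses=_NewResponseSerializer,` would close that gap. The `post` body continues outside these hunks.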
@@ -25,6 +25,7 @@ def get_annotate_cache_data(projects: QuerySet[IastProject]): return get_annotate_data(projects, 0, 0) +@to_patch def get_annotate_data(projects: QuerySet[IastProject], bind_project_id: int, project_version_id: int) -> dict: cache_q = Q(is_del=0, project_id__gt=0, project__in=projects) @@ -123,6 +124,7 @@ def post(self, request): ) +@to_patch def get_annotate_data_es(projects: QuerySet[IastProject], bind_project_id: int, project_version_id: int): from elasticsearch import Elasticsearch from elasticsearch_dsl import A, Q @@ -154,7 +156,7 @@ def get_annotate_data_es(projects: QuerySet[IastProject], bind_project_id: int, "strategy": A("terms", field="strategy_id", size=2147483647), "status": A("terms", field="status_id", size=2147483647), } - buckets = patch_point(buckets, patch_id=0) + buckets = patch_point(buckets) for k, v in buckets.items(): search.aggs.bucket(k, v) from dongtai_conf import settings @@ -189,6 +191,6 @@ def get_annotate_data_es(projects: QuerySet[IastProject], bind_project_id: int, for i in origin_buckets: i["name"] = level_dic[i["id"]]["name_value"] origin_buckets = sorted(origin_buckets, key=lambda x: x["id"]) - key, origin_buckets = patch_point(key, origin_buckets, patch_id=1) + key, origin_buckets = patch_point(key, origin_buckets) dic[key] = list(origin_buckets) return dict(dic) diff --git a/dongtai_web/dongtai_sca/scan/tasks.py b/dongtai_web/dongtai_sca/scan/tasks.py index bffe4ceea..bde7c7db1 100644 --- a/dongtai_web/dongtai_sca/scan/tasks.py +++ b/dongtai_web/dongtai_sca/scan/tasks.py @@ -7,6 +7,7 @@ from celery import shared_task from django.db import IntegrityError +from django.db.models import Q from dongtai_common.models.agent import IastAgent from dongtai_common.models.asset import Asset 
@@ -18,7 +19,10 @@ IastVulAssetRelation, IastVulLevel, ) +from dongtai_common.models.package_focus import IastPackageFocus from dongtai_conf.settings import SCA_SETUP +from dongtai_engine.signals import send_notify +from dongtai_protocol.views.hook_profiles import LANGUAGE_DICT from dongtai_web.dongtai_sca.common.dataclass import VulInfo from .cwe import get_cwe_name @@ -95,7 +99,7 @@ class PackageVulSummary: unaffected_versions: tuple[str, ...] = () -def sca_scan_asset_v2(aql: str, ecosystem: str, package_name: str, version: str) -> PackageVulSummary: +def sca_scan_asset_v2(aql: str, ecosystem: str, package_name: str, version: str) -> tuple[PackageVulSummary, list[int]]: from dongtai_common.models.asset_vul_v2 import IastAssetVulV2, IastVulAssetRelationV2 vuls, affected_versions, unaffected_versions = get_package_vul_v4( @@ -104,9 +108,10 @@ def sca_scan_asset_v2(aql: str, ecosystem: str, package_name: str, version: str) package_name=package_name, ) vul_asset_rel_list = [] + vul_asset_list = [] for vul in vuls: logger.debug("vul_level %s", get_vul_level_dict()[vul.vul_info.severity.lower()]) - IastAssetVulV2.objects.update_or_create( + obj, _ = IastAssetVulV2.objects.update_or_create( vul_id=vul.vul_info.vul_id, defaults={ "vul_codes": vul.vul_codes.to_dict(), 
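Review bot: The return type of `sca_scan_asset_v2` becomes `tuple[PackageVulSummary, list[int]]` but nothing says what the second element holds; from the body (continued in the next hunk) it is the primary keys of the `IastAssetVulV2` rows touched by `update_or_create`, in `vuls` order, and the caller later feeds them to `send_notify`. A docstring such as `"""Upsert the vulnerabilities of one package and return (summary, asset_vul_pks); asset_vul_pks are the IastAssetVulV2 primary keys created or updated, used by the caller to emit send_notify."""` makes that contract explicit. `obj, _ = IastAssetVulV2.objects.update_or_create(...)` also rebinds `_` inside the function; if `tasks.py` imports gettext as `_` (not visible here) that shadows it, so a name like `_created` is safer. The function body runs past this hunk.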
@@ -132,15 +137,19 @@ def sca_scan_asset_v2(aql: str, ecosystem: str, package_name: str, version: str) asset_vul_id=vul.vul_info.vul_id, asset_id=aql, ) + vul_asset_list.append(obj.pk) vul_asset_rel_list.append(vul_asset_rel) IastVulAssetRelationV2.objects.filter(asset_id=aql).delete() IastVulAssetRelationV2.objects.bulk_create(vul_asset_rel_list, ignore_conflicts=True) package_info_dict = stat_severity_v2([vul.vul_info for vul in vuls]) logger.debug("package_info_dict: %s", package_info_dict) - return PackageVulSummary( - affected_versions=affected_versions, - unaffected_versions=unaffected_versions, - **package_info_dict, + return ( + PackageVulSummary( + affected_versions=affected_versions, + unaffected_versions=unaffected_versions, + **package_info_dict, + ), + vul_asset_list, ) @@ -276,10 +285,15 @@ def new_update_one_sca( else: packages = get_package_v3(aql=package_name) asset_license_list = [] + is_focus = IastPackageFocus.objects.filter( + Q(package_version=package_version) | Q(package_version=""), + language_id=LANGUAGE_DICT.get(agent.language, None), + package_name=package_name, + ).exists() for package in packages: aql = get_package_aql(package.name, package.ecosystem, package.version) license_list = get_license_list_v2(package.license) - package_info = sca_scan_asset_v2(aql, package.ecosystem, package.name, package.version) + package_info, vul_asset_list = sca_scan_asset_v2(aql, package.ecosystem, package.name, package.version) obj, created = IastPackageGAInfo.objects.update_or_create( package_fullname=package.ecosystem + package.name, defaults={ @@ -297,9 +311,10 @@ def new_update_one_sca( "signature_value": package.hash, "version": package.version, "license_list": license_list, + "is_focus": is_focus, }, ) - AssetV2.objects.update_or_create( + asset, _ = AssetV2.objects.update_or_create( aql=assetglobalobj, project_id=agent.bind_project_id, project_version_id=agent.project_version_id, 
@@ -322,6 +337,8 @@ def new_update_one_sca( for i in license_list: license = IastAssetLicense(license_id=i["id"], asset=assetglobalobj) asset_license_list.append(license) + for i in vul_asset_list: + send_notify.send_robust(sender=new_update_one_sca, asset_id=asset.id, asset_vul_id=i) IastAssetLicense.objects.bulk_create(asset_license_list, ignore_conflicts=True) # create license list diff --git a/dongtai_web/dongtai_sca/views/newpackage.py b/dongtai_web/dongtai_sca/views/newpackage.py index dbdf9a47f..ecae1cb81 100644 --- a/dongtai_web/dongtai_sca/views/newpackage.py +++ b/dongtai_web/dongtai_sca/views/newpackage.py 
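Review bot: `send_notify.send_robust(...)` returns a list of `(receiver, result)` pairs in which a receiver that raised contributes its exception, and the loop discards that list, so a failing notification receiver is never surfaced. Capture it and log the failures, e.g. `for receiver, result in send_notify.send_robust(sender=new_update_one_sca, asset_id=asset.id, asset_vul_id=i):` followed by `if isinstance(result, Exception): logger.error("notify %s failed: %s", receiver, result)`. `asset` and `vul_asset_list` are both rebound on every iteration of the `for package in packages` loop from the earlier hunk; indentation is not recoverable here, so confirm this loop sits inside that one, otherwise only the last package's vulnerabilities are notified. `new_update_one_sca` starts and ends outside this hunk.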
@@ -17,14 +17,22 @@ class PackageListArgsSerializer(serializers.Serializer): page_size = serializers.IntegerField(default=20, help_text=_("Number per page")) page = serializers.IntegerField(default=1, help_text=_("Page index")) - language_ids = serializers.ListField(required=False, child=serializers.IntegerField(help_text=_("language"))) - license_ids = serializers.ListField(required=False, child=serializers.IntegerField(help_text=_("license"))) - level_ids = serializers.ListField(required=False, child=serializers.IntegerField(help_text=_("level"))) - project_id = serializers.IntegerField(required=False, help_text=_("Page index")) - project_version_id = serializers.IntegerField(required=False, help_text=_("Page index")) - keyword = serializers.CharField(required=False, help_text=_("search_keyword")) - order_field = serializers.ChoiceField(["vul_count", "level"], default="vul_count") - order = serializers.ChoiceField(["desc", "asc"], default="desc") + language_ids = serializers.ListField( + required=False, + child=serializers.IntegerField(help_text=_("language")), + help_text="筛选语言id: 1 Java 2 Python 3 PHP 4 Go", + ) + license_ids = serializers.ListField( + required=False, child=serializers.IntegerField(help_text=_("license")), help_text="筛选, 许可证id, 该id范围可在组件概况获取" + ) + level_ids = serializers.ListField( + required=False, child=serializers.IntegerField(help_text=_("level")), help_text="筛选, 危险等级id" + ) + project_id = serializers.IntegerField(required=False, help_text="项目id") + project_version_id = serializers.IntegerField(required=False, help_text="项目版本id") + keyword = serializers.CharField(required=False, help_text="搜索关键字") + order_field = serializers.ChoiceField(["vul_count", "level"], default="vul_count", help_text="排序字段") + order = serializers.ChoiceField(["desc", "asc"], default="desc", help_text="排序方式") class PackeageScaAssetSerializer(PackeageScaAssetDetailSerializer): 
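Review bot: The new `help_text` values on `language_ids`, `license_ids`, `level_ids`, `project_id`, `project_version_id`, `keyword`, `order_field` and `order` are bare Chinese literals while the `child=` fields beside them keep `_("language")`, so the schema is half-translated and these strings never reach the gettext catalog. Wrap them the same way, e.g. `help_text=_("筛选语言id: 1 Java 2 Python 3 PHP 4 Go")`, or drop `_()` from the child fields so the serializer is consistent one way or the other. The `aggregation.py` hunks on L84 introduce the same mix.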
@@ -49,6 +57,7 @@ class Meta: "language_id", "aql", "vul_count_groupby_level", + "is_focus", ] @@ -58,7 +67,7 @@ class Meta: class PackageList(UserEndPoint): @extend_schema_with_envcheck_v2( request=PackageListArgsSerializer, - tags=[_("Component"), OPERATE_GET], + tags=[_("Component"), OPERATE_GET, "集成"], summary=_("Component List"), responses={200: _NewResponseSerializer}, ) @@ -84,7 +93,7 @@ def post(self, request): q = q & Q(aql__contains=ser.validated_data["keyword"]) order = ("-" if ser.validated_data["order"] == "desc" else "") + ser.validated_data["order_field"] page_info, data = self.get_paginator( - AssetV2Global.objects.filter(q).order_by(order).all(), + AssetV2Global.objects.filter(q).order_by("-is_focus", order).all(), ser.validated_data["page"], ser.validated_data["page_size"], ) diff --git a/dongtai_web/dongtai_sca/views/newpackagesummary.py b/dongtai_web/dongtai_sca/views/newpackagesummary.py index 251af6c5d..04d572210 100644 --- a/dongtai_web/dongtai_sca/views/newpackagesummary.py +++ b/dongtai_web/dongtai_sca/views/newpackagesummary.py @@ -73,7 +73,7 @@ class Meta: class NewPackageSummary(UserEndPoint): @extend_schema_with_envcheck_v2( parameters=[PackageSummaryArgsSerializer], - tags=[_("Component")], + tags=[_("Component"), "集成"], summary="组件概况", responses={200: FullSummaryResponseSerializer}, ) diff --git a/dongtai_web/dongtai_sca/views/newpackagevuls.py b/dongtai_web/dongtai_sca/views/newpackagevuls.py index cfd5dae5c..034928698 100644 --- a/dongtai_web/dongtai_sca/views/newpackagevuls.py +++ b/dongtai_web/dongtai_sca/views/newpackagevuls.py @@ -23,7 +23,7 @@ class PackageVulsListArgsSerializer(serializers.Serializer): class NewPackageVuls(UserEndPoint): @extend_schema_with_envcheck_v2( - tags=[_("Component")], + tags=[_("Component"), "集成"], summary="组件漏洞列表", parameters=[PackageVulsListArgsSerializer], responses={200: NewPackageVulSResponseSerializer}, 
diff --git a/dongtai_web/serializers/aggregation.py b/dongtai_web/serializers/aggregation.py index 6bd901d93..275020f91 100644 --- a/dongtai_web/serializers/aggregation.py +++ b/dongtai_web/serializers/aggregation.py @@ -16,8 +16,8 @@ class AggregationArgsSerializer(serializers.Serializer): order_type = serializers.IntegerField(default=0, help_text=_("Order by")) order_type_desc = serializers.IntegerField(default=0, help_text=_("Order by desc")) - bind_project_id = serializers.IntegerField(default=0, help_text=_("bind_project_id")) - project_version_id = serializers.IntegerField(default=0, help_text=_("project_version_id")) + bind_project_id = serializers.IntegerField(default=0, help_text="项目id") + project_version_id = serializers.IntegerField(default=0, help_text="项目版本id") uri = serializers.CharField( required=False, max_length=1024, @@ -40,7 +40,7 @@ class AggregationArgsSerializer(serializers.Serializer): required=False, max_length=100, error_messages={"keywords": _("Length limit exceeded")}, - help_text=_("Keywords select"), + help_text="搜索关键字", ) source_type_str = serializers.CharField( diff --git a/dongtai_web/serializers/hook_strategy.py b/dongtai_web/serializers/hook_strategy.py index 4171472c0..0035d45dc 100644 --- a/dongtai_web/serializers/hook_strategy.py +++ b/dongtai_web/serializers/hook_strategy.py @@ -95,6 +95,7 @@ class Meta: "untags", "stack_blacklist", "command", + "system_type", ] def get_rule_type(self, obj): diff --git a/dongtai_web/serializers/hook_type_strategy.py b/dongtai_web/serializers/hook_type_strategy.py index 5a07bceea..50dd05d05 100644 --- a/dongtai_web/serializers/hook_type_strategy.py +++ b/dongtai_web/serializers/hook_type_strategy.py @@ -8,7 +8,7 @@ class HookTypeSerialize(serializers.ModelSerializer): class Meta: model = HookType - fields = ["id", "name"] + fields = ["id", "name", "system_type"] class StrategySerialize(serializers.ModelSerializer): 
@@ -16,7 +16,7 @@ class StrategySerialize(serializers.ModelSerializer): class Meta: model = IastStrategyModel - fields = ["id", "vul_name", "name"] + fields = ["id", "vul_name", "name", "system_type"] def get_name(self, obj): return obj.vul_name diff --git a/dongtai_web/serializers/strategy.py b/dongtai_web/serializers/strategy.py index b52c7d45d..d3239b285 100644 --- a/dongtai_web/serializers/strategy.py +++ b/dongtai_web/serializers/strategy.py @@ -16,4 +16,5 @@ class Meta: "vul_name", "vul_desc", "dt", + "system_type", ] diff --git a/dongtai_web/urls.py b/dongtai_web/urls.py index 03b7cde43..2359b7259 100644 --- a/dongtai_web/urls.py +++ b/dongtai_web/urls.py @@ -74,6 +74,7 @@ from dongtai_web.views.project_engines import ProjectEngines from dongtai_web.views.project_search import ProjectSearch from dongtai_web.views.project_summary import ProjectSummary +from dongtai_web.views.project_token import ProjectToken from dongtai_web.views.project_version_add import ProjectVersionAdd from dongtai_web.views.project_version_current import ProjectVersionCurrent from dongtai_web.views.project_version_delete import ProjectVersionDelete @@ -114,6 +115,7 @@ ) from dongtai_web.views.vul_levels import VulLevelList from dongtai_web.views.vul_list_for_plugin import VulListEndPoint +from dongtai_web.views.vul_method_pool_download import VulMethodPoolDownload from dongtai_web.views.vul_request_replay import RequestReplayEndPoint from dongtai_web.views.vul_status import VulStatus from dongtai_web.views.vul_summary import VulSummary @@ -136,6 +138,7 @@ path("user/password/reset", UserPasswordReset.as_view()), path("captcha/", include("captcha.urls")), path(r"captcha/refresh", CaptchaCreate.as_view()), + path("project//token", ProjectToken.as_view()), path("project/", ProjectDetail.as_view()), path("project/add", ProjectAdd.as_view()), path("project/delete", ProjectDel.as_view()), 
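Review bot: As rendered, the new route reads `path("project//token", ProjectToken.as_view())` and, in the next hunk on L86, `path("vuln//method_pool", VulMethodPoolDownload.as_view())`, with nothing between the slashes, while the views take `pk` and `id` respectively. The angle-bracket converters were most likely stripped by the rendering (the neighbouring `project/` and `vuln/` entries show the same blank), but the pattern must carry a converter whose name matches the view parameter — `<int:pk>` for `ProjectToken.get(self, request, pk)` and `<int:id>` for `VulMethodPoolDownload.get(self, request, id)` — so confirm against the actual file.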
@@ -156,6 +159,7 @@ path("vuln/", VulDetail.as_view()), path("vuln/status", VulStatus.as_view()), path("vuln/delete/", VulDelete.as_view()), + path("vuln//method_pool", VulMethodPoolDownload.as_view()), path("vul/status_list", VulnerabilityStatusView.as_view()), path("plugin/vuln/list", VulListEndPoint.as_view()), path("plugin/vuln/count", VulCountForPluginEndPoint.as_view()), diff --git a/dongtai_web/views/engine_hook_rule_add.py b/dongtai_web/views/engine_hook_rule_add.py index 4333e9ff7..db2c9b275 100644 --- a/dongtai_web/views/engine_hook_rule_add.py +++ b/dongtai_web/views/engine_hook_rule_add.py @@ -28,7 +28,7 @@ class _HookRuleAddBodyargsSerializer(serializers.Serializer): language_id = serializers.IntegerField(help_text=_("The id of language.")) rule_value = serializers.CharField( help_text=_("The value of strategy"), - max_length=255, + max_length=2000, allow_blank=True, ) rule_source = serializers.CharField( @@ -197,18 +197,7 @@ def post(self, request): ignore_blacklist, ignore_internal, ) = self.parse_args(request) - if ( - all( - ( - rule_type, - rule_value, - rule_source, - inherit, - is_track, - ) - ) - is False - ): + if all((rule_type, rule_value, rule_source, inherit, is_track)) is False: return R.failure(msg=_("Incomplete parameter, please check again")) ser = _HookRuleAddBodyargsSerializer(data=request.data) @@ -240,6 +229,12 @@ def post(self, request): if "type" not in ser.validated_data else ser.validated_data["type"] ) + + if HookStrategy.objects.filter( + language_id=ser.validated_data["language_id"], type=type_, value=rule_value + ).exists(): + return R.failure(msg="Already exists same rule") + strategy = self.create_strategy( rule_value, rule_source, diff --git a/dongtai_web/views/engine_hook_rule_modify.py b/dongtai_web/views/engine_hook_rule_modify.py index 5fe9c299d..7a73651eb 100644 --- a/dongtai_web/views/engine_hook_rule_modify.py +++ b/dongtai_web/views/engine_hook_rule_modify.py 
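Review bot: The new duplicate check in `post` (`HookStrategy.objects.filter(language_id=..., type=type_, value=rule_value).exists()` followed by `create_strategy`) is a check-then-act sequence; two concurrent requests carrying the same rule both pass the filter and both insert, so it only prevents duplicates if a database unique constraint on `(language_id, type, value)` backs it. If no such constraint exists, add one and handle `IntegrityError` on create in addition to the pre-check. `"Already exists same rule"` is also the only failure message in this view not wrapped in `_()`; `return R.failure(msg=_("Already exists same rule"))` keeps it translatable. The body of `post` starts and ends outside the hunk.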
@@ -32,7 +32,7 @@ class _EngineHookRuleModifySerializer(serializers.Serializer): rule_type_id = serializers.IntegerField(help_text=_("The id of hook rule type.")) rule_value = serializers.CharField( help_text=_("The value of strategy"), - max_length=255, + max_length=2000, allow_blank=True, ) rule_source = serializers.CharField( @@ -147,6 +147,9 @@ def post(self, request): strategy = HookStrategy.objects.filter(id=rule_id).first() if not strategy: return R.failure(msg=_("No such hookstrategy.")) + if strategy.system_type and rule_value != strategy.value: + return R.failure(msg="Can not modify preset rule") + if strategy.type == 4: hook_type = IastStrategyModel.objects.filter( id=rule_type, @@ -155,20 +158,7 @@ def post(self, request): hook_type = HookType.objects.filter( id=rule_type, ).first() - if ( - all( - ( - rule_id, - rule_type, - rule_value, - rule_source, - inherit, - is_track, - strategy, - ) - ) - is False - ): + if all((rule_id, rule_type, rule_value, rule_source, inherit, is_track, strategy)) is False: return R.failure(msg=_("Incomplete parameter, please check again")) ser = _EngineHookRuleModifySerializer(data=request.data) diff --git a/dongtai_web/views/engine_hook_rule_status.py b/dongtai_web/views/engine_hook_rule_status.py index 9f6c8d454..bea260236 100644 --- a/dongtai_web/views/engine_hook_rule_status.py +++ b/dongtai_web/views/engine_hook_rule_status.py @@ -1,6 +1,7 @@ #!/usr/bin/env python import logging +from django.db.models import Q from django.utils.translation import gettext_lazy as _ from rest_framework import serializers 
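Review bot: The preset-rule guard `if strategy.system_type and rule_value != strategy.value:` only freezes `value`; the other submitted attributes (`rule_source`, `inherit`, `is_track`, `rule_type`) still reach the save path later in `post`, so a system rule can be altered as long as its value is resent unchanged. If preset rules are meant to be read-only, reject the request whenever `strategy.system_type` is set; if only the value is protected, say so next to the check: `# preset rules (system_type != 0) keep their value; other attributes stay editable`. `"Can not modify preset rule"` should be wrapped in `_()` like the surrounding failures. `post` continues outside the hunk.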
@@ -65,16 +66,14 @@ def parse_args(self, request): @staticmethod def set_strategy_status(strategy_id, strategy_ids, enable_status): if strategy_id: - rule = HookStrategy.objects.filter( - id=strategy_id, - ).first() + rule = HookStrategy.objects.filter(Q(system_type=0) if enable_status == -1 else Q(), id=strategy_id).first() if rule: rule.enable = enable_status rule.save() return 1 elif strategy_ids: return HookStrategy.objects.filter( - id__in=strategy_ids, + Q(system_type=0) if enable_status == -1 else Q(), id__in=strategy_ids ).update(enable=enable_status) return 0 @@ -112,7 +111,10 @@ def get(self, request): if op is None: return R.failure(msg=_("Operation type does not exist")) if rule_type is not None and scope == "all": - count = HookStrategy.objects.filter(hooktype__id=rule_type).update(enable=op) + count = HookStrategy.objects.filter( + Q(system_type=0) if op == -1 else Q(), + hooktype__id=rule_type, + ).update(enable=op) logger.info(_("Policy type {} operation success, total of {} Policy types").format(rule_type, count)) status = True if hook_rule_type is not None and language_id is not None and scope == "all": @@ -120,6 +122,7 @@ def get(self, request): HookType.objects.filter(language_id=language_id, type=hook_rule_type).values_list("id", flat=True).all() ) count = HookStrategy.objects.filter( + Q(system_type=0) if op == -1 else Q(), hooktype__id__in=hook_type_ids, ).update(enable=op) logger.info(_("total of {} Policy types").format(count)) diff --git a/dongtai_web/views/project_token.py b/dongtai_web/views/project_token.py new file mode 100644 index 000000000..70baeb4c9 --- /dev/null +++ b/dongtai_web/views/project_token.py 
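Review bot: `Q(system_type=0) if enable_status == -1 else Q()` and its `op == -1` twin are repeated four times across the hunks on this line, and nothing records what `-1` means (elsewhere in this commit `status=-1` is the soft-delete value, so presumably the same here). A small helper keeps the rule and its rationale in one place: `def _system_rule_guard(status):` with the docstring `"""Preset rules (system_type != 0) may be enabled or disabled but never deleted (status -1)."""` and body `return Q(system_type=0) if status == -1 else Q()`, used as `HookStrategy.objects.filter(_system_rule_guard(enable_status), id=strategy_id)`. The helper also documents that the guard deliberately still lets a preset rule be disabled, which is the behaviour these hunks encode.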
@@ -0,0 +1,24 @@
+from django.utils.translation import gettext_lazy as _
+
+from dongtai_common.endpoint import R, UserEndPoint
+from dongtai_web.utils import extend_schema_with_envcheck
+
+
+class ProjectToken(UserEndPoint):
+ @extend_schema_with_envcheck(
+ tags=[_("Project")],
+ summary=_("Projects Token"),
+ description=_(
+ "Get project information by project id, including the current version information of the project."
+ ),
+ )
+ def get(self, request, pk):
+ project = request.user.get_projects().filter(pk=pk).first()
+ if project:
+ return R.success(
+ data={
+ "id": project.id,
+ "token": f"PROJECT{project.token}",
+ }
+ )
+ return R.failure(status=203, msg=_("no permission"))
diff --git a/dongtai_web/views/project_version_list.py b/dongtai_web/views/project_version_list.py
index 68796a941..b8899bc21 100644
--- a/dongtai_web/views/project_version_list.py
+++ b/dongtai_web/views/project_version_list.py
@@ -32,7 +32,7 @@ class ProjectVersionList(UserEndPoint):
description = _("View application version list")
@extend_schema_with_envcheck(
- tags=[_("Project")],
+ tags=[_("Project"), "集成"],
summary=_("Projects Version List"),
description=_("Get the version information list of the item corresponding to the id"),
response_schema=_ProjectVersionListResponseSerializer,
diff --git a/dongtai_web/views/projects.py b/dongtai_web/views/projects.py
index ed8f8968f..3742acca9 100644
--- a/dongtai_web/views/projects.py
+++ b/dongtai_web/views/projects.py
@@ -52,7 +52,7 @@ class Projects(UserEndPoint):
@extend_schema_with_envcheck(
[_ProjectsArgsSerializer],
- tags=[_("Project")],
+ tags=[_("Project"), "集成"],
summary=_("Projects List"),
description=_("Get the item corresponding to the user, support fuzzy search based on name."),
response_schema=_SuccessSerializer,
diff --git a/dongtai_web/views/sensitive_info_rule.py b/dongtai_web/views/sensitive_info_rule.py
index ca953d2ca..5f36d1945 100644
--- a/dongtai_web/views/sensitive_info_rule.py
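Review bot: The `description` on `ProjectToken.get` ("Get project information by project id, including the current version information of the project.") is copied from the project-detail endpoint and does not describe this view, which returns the project's token; replace it with e.g. `description=_("Return the integration token of the project identified by pk; only projects visible to the caller are served.")`. Because the response hands out a credential (`f"PROJECT{project.token}"`), it is worth recording who fetched which project's token, the way other actions in this codebase are written to `IastVulLog`, so token retrieval can be audited.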
+++ b/dongtai_web/views/sensitive_info_rule.py @@ -58,6 +58,7 @@ class Meta: "pattern", "status", "latest_time", + "system_type", ] def get_strategy_name(self, obj): @@ -208,7 +209,7 @@ def update(self, request, pk): except ValidationError as e: return R.failure(data=e.detail) users = self.get_auth_users(request.user) - IastSensitiveInfoRule.objects.filter(pk=pk, user__in=users).update( + IastSensitiveInfoRule.objects.filter(pk=pk, user__in=users, system_type=0).update( **ser.validated_data, latest_time=time.time() ) return R.success(msg=_("update success")) @@ -220,7 +221,7 @@ def update(self, request, pk): ) def destory(self, request, pk): users = self.get_auth_users(request.user) - IastSensitiveInfoRule.objects.filter(pk=pk, user__in=users).update(status=-1) + IastSensitiveInfoRule.objects.filter(pk=pk, user__in=users, system_type=0).update(status=-1) return R.success(msg=_("delete success")) @extend_schema_with_envcheck( diff --git a/dongtai_web/views/strategy_delete.py b/dongtai_web/views/strategy_delete.py index 57d78c567..91ec46c71 100644 --- a/dongtai_web/views/strategy_delete.py +++ b/dongtai_web/views/strategy_delete.py @@ -33,6 +33,8 @@ def delete(self, request, id_: int): strategy = IastStrategyModel.objects.filter(pk=id_).first() if not strategy: return R.failure(msg=_("This strategy does not exist")) + if strategy.system_type == 1: + return R.failure(msg="Can not delete system strategy") hook_types = HookType.objects.filter(vul_strategy=strategy).all() strategy.state = DELETE strategy.save() diff --git a/dongtai_web/views/strategy_modified.py b/dongtai_web/views/strategy_modified.py index 201b08485..c7ca09799 100644 --- a/dongtai_web/views/strategy_modified.py +++ b/dongtai_web/views/strategy_modified.py 
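Review bot: `update` and `destory` now add `system_type=0` to the filter but still ignore the row count returned by `.update()`, so a request against a preset rule (or a row the user does not own) matches nothing and yet answers `R.success(msg=_("update success"))` / `"delete success"`. Check the count: `if not IastSensitiveInfoRule.objects.filter(pk=pk, user__in=users, system_type=0).update(**ser.validated_data, latest_time=time.time()): return R.failure(msg=_("rule not found or is a preset rule"))`, and the equivalent guard around `update(status=-1)` in `destory`. The `"Can not delete system strategy"` message in the `strategy_delete.py` hunk on this line should be wrapped in `_()` like its neighbours. Both methods start outside their hunks.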
@@ -40,18 +40,14 @@ def put(self, request, id_): strategy = IastStrategyModel.objects.filter(pk=id_).first() if not strategy: return R.failure() - _update(strategy, data) + for k, v in data.items(): + if k in {"vul_name", "vul_type"} and strategy.system_type == 1: + continue + setattr(strategy, k, v) + strategy.save() HookType.objects.filter(vul_strategy=strategy, type=4).update(name=data["vul_name"]) HookType.objects.filter(vul_strategy=strategy, type=3).update(name=data["vul_name"]) return R.success(data={"id": id_}) - # hook_type=hook_type.id).first() - # if strategy: - - -def _update(model, dic): - for k, v in dic.items(): - setattr(model, k, v) - model.save() def get_model_field(model, exclude=None, include=None): diff --git a/dongtai_web/views/user_login.py b/dongtai_web/views/user_login.py index 694b5d953..5f5ead513 100644 --- a/dongtai_web/views/user_login.py +++ b/dongtai_web/views/user_login.py @@ -1,14 +1,17 @@ #!/usr/local/env python import logging import time +from datetime import timedelta from captcha.models import CaptchaStore from django.contrib.auth import authenticate, login +from django.utils import timezone from django.utils.translation import gettext_lazy as _ from drf_spectacular.utils import extend_schema from dongtai_common.endpoint import R, UserEndPoint from dongtai_common.models.user import User +from dongtai_common.utils.request_type import Request logger = logging.getLogger("dongtai-webapi") @@ -23,7 +26,7 @@ class UserLogin(UserEndPoint): summary=_("User login"), tags=[_("User")], ) - def post(self, request): + def post(self, request: Request): """{ 'username': "", 'password': "", 
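Review bot: For a system strategy the loop skips `vul_name` and `vul_type` on the model, but the two `HookType.objects.filter(vul_strategy=strategy, ...).update(name=data["vul_name"])` calls that follow still rename its hook types from the submitted `vul_name`, so the strategy keeps its name while its hook types take the caller's. Read the name back from the model instead, `HookType.objects.filter(vul_strategy=strategy, type=4).update(name=strategy.vul_name)` (and the same for `type=3`), which is correct for both system and user strategies. The `setattr` loop writes every key of `data` onto the model; that is only safe if `data` was reduced to the validated field set earlier in `put` (outside the hunk), which is worth confirming. `put` starts outside the hunk.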
@@ -41,8 +44,20 @@ def post(self, request):
if captcha_obj.response == captcha.lower():
username = request.data["username"]
password = request.data["password"]
- user = authenticate(username=username, password=password)
+ user: User | None = authenticate(username=username, password=password) # type: ignore
if user is not None:
+ current_time = timezone.now()
+ delta = current_time - user.failed_login_time
+ if (
+ (user.failed_login_count == 6 and delta < timedelta(minutes=1))
+ or (user.failed_login_count == 7 and delta < timedelta(minutes=5))
+ or (user.failed_login_count == 8 and delta < timedelta(minutes=15))
+ or (user.failed_login_count == 9 and delta < timedelta(minutes=60))
+ or user.failed_login_count >= 10
+ ):
+ return R.failure(status=206, msg="账号已被锁定")
+ user.failed_login_count = 0
+ user.save()
login(request, user)
return R.success(
msg=_("Login successful"),
@@ -51,7 +66,7 @@ def post(self, request):
"is_active": user.is_active,
},
)
- user_login = User.objects.filter(username=username).first()
+ user_login: User | None = User.objects.filter(username=username).first()
if user_login and not user_login.is_active:
return R.failure(
status=205,
@@ -61,6 +76,11 @@ def post(self, request):
"is_active": user_login.is_active,
},
)
+ if user_login is not None:
+ user_login.failed_login_count += 1
+ user_login.failed_login_time = timezone.now()
+ user_login.save()
+ return R.failure(msg="密码错误")
logger.warn(
f"user [{username}] login failure, rease: {'user not exist' if user is None else 'user is disable'}"
)
diff --git a/dongtai_web/views/utils/commonstats.py b/dongtai_web/views/utils/commonstats.py
index 1d629af9e..7ba10d00f 100644
--- a/dongtai_web/views/utils/commonstats.py
+++ b/dongtai_web/views/utils/commonstats.py
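Review bot: In the lockout guard, `user.failed_login_count >= 10` has no time window, and the counter is only cleared (`user.failed_login_count = 0`) after an `authenticate()` that gets past the guard, so an account that reaches ten failures stays locked indefinitely and no expiry or reset path is visible in this change; give the last tier a window like the others, or document where the counter is cleared. Because failures are counted per username before the password is checked, any client can push an account into the locked state, which is the usual trade-off of this scheme but deserves a comment beside the tiers, e.g. `# lockout tiers: 6 failures -> 1 min, 7 -> 5 min, 8 -> 15 min, 9 -> 60 min, 10+ -> no expiry (cleared by <reset path>)`. `delta = current_time - user.failed_login_time` raises if `failed_login_time` is nullable and unset for existing users, so confirm the field has a non-null default. `post` continues outside the hunk.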
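Review bot: The new failure branch returns `R.failure(msg="密码错误")` only when `user_login is not None`, while an unknown username falls through to the `logger.warn` path and whatever generic failure follows it, so the two cases produce different responses and a client can tell which usernames exist. Return the same message for both, e.g. `return R.failure(msg=_("Incorrect username or password"))`, and keep the distinction in the log line only. `"密码错误"` and `"账号已被锁定"` are also not wrapped in `_()` unlike the surrounding messages.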
@@ -95,17 +95,26 @@ def get_summary_by_agent_ids(agent_ids: Iterable): else: day_num_dict[i["day_label"]] = [i] day_num_data = [] - for _, day_label in daylist: - obj = {"day_label": day_label, "day_num": 0} - for i in range(1, 5 + 1): - obj["day_num_level_" + str(i)] = 0 + last_timestamp: int = 0 + for day_label_i in range(len(daylist)): + timestamp, day_label = daylist[day_label_i] if day_label in day_num_dict: + # show this day if this day has data + last_timestamp = timestamp + obj = get_empty_day_num_num(day_label) count = 0 for i in day_num_dict[day_label]: obj["day_num_level_" + str(i["level_id"])] = i["count"] count += i["count"] obj["day_num"] = count - day_num_data.append(obj) + day_num_data.append(obj) + elif day_label_i + 1 < len(daylist) and daylist[day_label_i + 1][1] in day_num_dict: + # show this day if this yesterday has data + last_timestamp = timestamp + day_num_data.append(get_empty_day_num_num(day_label)) + for i in range(1, 8 - len(day_num_data) + 1): + day = time.localtime(last_timestamp + 86400 * i) + day_num_data.append(get_empty_day_num_num(str(day.tm_mon) + "-" + str(day.tm_mday))) data["day_num"] = day_num_data levelInfo = IastVulLevel.objects.all() levelIdArr = {} @@ -178,7 +187,10 @@ def get_summary_by_project(project_id: int, project_version_id: int): timestamp_gt = current_timestamp queryset_list = [] queryset_ = IastVulnerabilityModel.objects.filter( - project_id=project_id, project_version_id=project_version_id, is_del=0 + project_id=project_id, + project_version_id=project_version_id, + is_del=0, + level_id__in=(1, 2, 3, 5), ) for timestamp, _ in daylist: queryset_list.append(geneatre_vul_timerange_count_queryset(queryset_, timestamp_gt, timestamp, wkey)) 
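Review bot: `last_timestamp` starts at 0, so when no day in `daylist` has data the padding loop `time.localtime(last_timestamp + 86400 * i)` labels the eight rows with dates counted from the Unix epoch instead of the requested range; seed it from the range itself (the last entry of `daylist`, if that is the intended anchor) or skip the padding when nothing was emitted. The whole block is duplicated verbatim in `get_summary_by_project` (hunk on L94), so both should call one `_build_day_num_data(daylist, day_num_dict)` helper. `for day_label_i in range(len(daylist))` reads better as `for idx, (timestamp, day_label) in enumerate(daylist)`, and the comment `# show this day if this yesterday has data` describes the next entry of `daylist`, so `# show this day if the following day in daylist has data` is the accurate wording. `get_summary_by_agent_ids` continues outside the hunk.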
@@ -193,19 +205,28 @@ def get_summary_by_project(project_id: int, project_version_id: int): else: day_num_dict[i["day_label"]] = [i] day_num_data = [] - for _, day_label in daylist: - obj = {"day_label": day_label, "day_num": 0} - for i in range(1, 5 + 1): - obj["day_num_level_" + str(i)] = 0 + last_timestamp: int = 0 + for day_label_i in range(len(daylist)): + timestamp, day_label = daylist[day_label_i] if day_label in day_num_dict: + # show this day if this day has data + last_timestamp = timestamp + obj = get_empty_day_num_num(day_label) count = 0 for i in day_num_dict[day_label]: obj["day_num_level_" + str(i["level_id"])] = i["count"] count += i["count"] obj["day_num"] = count - day_num_data.append(obj) + day_num_data.append(obj) + elif day_label_i + 1 < len(daylist) and daylist[day_label_i + 1][1] in day_num_dict: + # show this day if this yesterday has data + last_timestamp = timestamp + day_num_data.append(get_empty_day_num_num(day_label)) + for i in range(1, 8 - len(day_num_data) + 1): + day = time.localtime(last_timestamp + 86400 * i) + day_num_data.append(get_empty_day_num_num(str(day.tm_mon) + "-" + str(day.tm_mday))) data["day_num"] = day_num_data - levelInfo = IastVulLevel.objects.all() + levelInfo = IastVulLevel.objects.filter(pk__in=(1, 2, 3, 5)).all() levelIdArr = {} levelNum = [] if levelInfo: @@ -222,6 +243,13 @@ def get_summary_by_project(project_id: int, project_version_id: int): return data +def get_empty_day_num_num(day_label: str): + obj = {"day_label": day_label, "day_num": 0} + for i in (1, 2, 3, 5): + obj["day_num_level_" + str(i)] = 0 + return obj + + def geneatre_vul_timerange_count_queryset( vul_queryset: QuerySet, time_gt: int, diff --git a/dongtai_web/views/vul_details.py b/dongtai_web/views/vul_details.py index 068c70c5f..2efbf635e 100644 --- a/dongtai_web/views/vul_details.py +++ b/dongtai_web/views/vul_details.py 
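Review bot: `get_empty_day_num_num` has no docstring and hard-codes the level set `(1, 2, 3, 5)` that this commit also writes into `level_id__in=(1, 2, 3, 5)` and `IastVulLevel.objects.filter(pk__in=(1, 2, 3, 5))` in the hunks above; lift it into one module constant, e.g. `SUMMARY_LEVEL_IDS = (1, 2, 3, 5)`, and use it in all three places so a future level change cannot miss one. Suggested docstring: `"""Return an empty per-day row for *day_label*: day_num plus a zeroed day_num_level_<id> counter for each id in SUMMARY_LEVEL_IDS."""`. The doubled `num_num` in the name looks like a typo for `get_empty_day_num`; renaming touches both callers in this file.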
@@ -5,10 +5,10 @@ from django.db.models.base import ObjectDoesNotExist from django.utils.translation import gettext_lazy as _ -from drf_spectacular.utils import extend_schema from rest_framework import serializers from dongtai_common.endpoint import R, UserEndPoint +from dongtai_common.models.agent_method_pool import VulMethodPool from dongtai_common.models.hook_type import HookType from dongtai_common.models.project import IastProject from dongtai_common.models.project_version import IastProjectVersion @@ -116,8 +116,8 @@ def get_server(self): "command": "", } + @staticmethod def parse_graphy( - self, graphy, extend_black_list: list | None = None, extend_white_list: list | None = None, @@ -135,7 +135,7 @@ def parse_graphy( results = [] try: - if graphy is None: + if not graphy: return results method_note_pool = json.loads(graphy)[0] method_counts = len(method_note_pool) @@ -327,6 +327,7 @@ def get_vul(self, projects): "method_pool_id": vul.method_pool_id, "project_id": project_id, "is_need_http_detail": is_need_http_detail(strategy_name), + "has_vul_method_pool": VulMethodPool.objects.filter(vul_id=vul.id).exists(), } def get_strategy(self): 
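Review bot: The `drf_spectacular.utils.extend_schema` import is removed here while the decorator on the detail `get` in the next hunk (L96) switches to `extend_schema_with_envcheck`; its import is not part of this diff, so confirm `vul_details.py` already brings it in or the module fails at import time. The `has_vul_method_pool` entry in `get_vul` issues one `VulMethodPool.objects.filter(vul_id=vul.id).exists()` per call, which is fine for a single-vulnerability detail view; the list view on L77 uses the batched `vul_id__in` form, so keep the two in step if `get_vul` ever serves several rows. `get_vul` starts and ends outside the hunk.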
@@ -454,9 +455,68 @@ def get_graph_and_headers(self, data): ] return res - @extend_schema( + @extend_schema_with_envcheck( + response_bodys=[ + { + "name": _("Get data sample"), + "description": _( + "The aggregation results are programming language, risk level, vulnerability type, project" + ), + "value": { + "status": 201, + "msg": "success", + "data": { + "vul": { + "url": "http://localhost:81/captcha/captchaImage", + "uri": "/captcha/captchaImage", + "agent_name": "Mac OS X-localhost-v1.0.0-d24bf703ca62499ebdd12770708296f5", + "http_method": "GET", + "type": "Weak Random Number Generation", + "taint_position": None, + "first_time": 1631089870, + "latest_time": 1631089961, + "project_name": "demo-4.6.1", + "project_version": "V1.0", + "language": "JAVA", + "level": "LOW", + "level_type": 3, + "counts": 6, + "req_header": 'GET /captcha/captchaImage?type=math HTTP/1.1\nhost:localhost:81\nconnection:keep-alive\nsec-ch-ua:"Google Chrome";v="93", " Not;A Brand";v="99", "Chromium";v="93"\nsec-ch-ua-mobile:?0\nuser-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36\nsec-ch-ua-platform:"macOS"\naccept:image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8\nsec-fetch-site:same-origin\nsec-fetch-mode:no-cors\nsec-fetch-dest:image\nreferer:http://localhost:81/login\naccept-encoding:gzip, deflate, br\naccept-language:zh-CN,zh;q=0.9\ncookie:JSESSIONID=4bada2e5-d848-4218-8e24-3b28f765b986\n', + "response": "None\n\nNone", + "graph": None, + "context_path": "127.0.0.1", + "client_ip": "127.0.0.1", + "status": "Confirmed", + "taint_value": None, + "param_name": {}, + "method_pool_id": None, + "project_id": 69, + }, + "server": { + "name": "server.name", + "hostname": "localhost", + "ip": "localhost", + "port": 81, + "container": "Apache Tomcat/9.0.41", + "server_type": "apache tomcat", + "container_path": "/Users/erzhuangniu/workspace/vul/demo-4.6.1", + "runtime": "OpenJDK Runtime 
Environment", + "environment": "java.runtime.name=OpenJDK Runtime Environment, spring.output.ansi.enabled=always, project.name=demo-4.6.1, sun.boot.library.path=/Users/erzhuangniu/Library/Java/JavaVirtualMachines/corretto-1.8.0_292/Contents/Home/jre/lib, java.vm.version=25.292-b10, gop", + "command": "com.ruoyi.demoApplication", + }, + "strategy": { + "desc": "Verifies that weak sources of entropy are not used.", + "sample_code": "", + "repair_suggestion": None, + }, + }, + }, + } + ], + description=_("Use the corresponding id of the vulnerability to query the details of the vulnerability"), summary="获取漏洞详情", - tags=["Vulnerability"], + tags=["Vulnerability", "集成"], + response_schema=_ResponseSerializer, ) def get( self, diff --git a/dongtai_web/views/vul_method_pool_download.py b/dongtai_web/views/vul_method_pool_download.py new file mode 100644 index 000000000..2e94fa177 --- /dev/null +++ b/dongtai_web/views/vul_method_pool_download.py 
@@ -0,0 +1,57 @@
+import logging
+
+from django.utils.translation import gettext_lazy as _
+from drf_spectacular.utils import extend_schema
+from rest_framework import serializers
+
+from dongtai_common.endpoint import R, UserEndPoint
+from dongtai_common.models.agent_method_pool import VulMethodPool
+from dongtai_common.utils.request_type import Request
+
+logger = logging.getLogger("dongtai-webapi")
+
+
+class VulMethodPoolSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = VulMethodPool
+        fields = [
+            "method_pool_id",
+            "vul_id",
+            "agent_id",
+            "url",
+            "uri",
+            "http_method",
+            "http_scheme",
+            "http_protocol",
+            "req_header",
+            "req_params",
+            "req_data",
+            "res_header",
+            "res_body",
+            "req_header_fs",
+            "context_path",
+            "method_pool",
+            "pool_sign",
+            "clent_ip",
+            "create_time",
+            "update_time",
+            "uri_sha1",
+        ]
+
+
+class VulMethodPoolDownload(UserEndPoint):
+    @extend_schema(
+        summary=_("Vulnerability Method Pool Download"),
+        tags=[_("Vulnerability")],
+        description=_("Get the raw method pool of the corresponding vulnerability by specifying the id"),
+    )
+    def get(self, request: Request, id: int):
+        try:
+            return R.success(
+                data=VulMethodPoolSerializer(
+                    VulMethodPool.objects.filter(vul_id=id).order_by("-update_time").first()
+                ).data
+            )
+        except Exception as e:
+            logger.exception("operation failed", exc_info=e)
+            return R.failure(data="operation failed")
diff --git a/dongtai_web/vul_log/vul_log.py
index e1e6e05ab..3298dfad8 100644
--- a/dongtai_web/vul_log/vul_log.py
+++ b/dongtai_web/vul_log/vul_log.py
@@ -50,7 +50,7 @@ def log_push_to_integration(
     source_vul_type: int,
 ):
     kwargs = locals()
-    msg = f"id为{user_id}的用户{user_name}推送漏洞到{integration_name}"
+    msg = f"推送漏洞到{integration_name}"
     if source_vul_type == 1:
         IastVulLog.objects.create(
             msg_type=MessageTypeChoices.PUSH_TO_INTEGRATION,
diff --git a/pyproject.toml
index b7db3b821..ae0a9afeb 100644
--- a/pyproject.toml
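Review bot: `VulMethodPoolDownload.get` fetches `VulMethodPool.objects.filter(vul_id=id)` with no check that the caller is allowed to see that vulnerability, yet it serializes `req_header`, `req_params`, `req_data`, `res_header`, `res_body` and `method_pool` — the raw captured request and response, which in the sample data elsewhere in this commit carry a `JSESSIONID` cookie. Unless `UserEndPoint` or the model manager already scopes rows to the caller's projects (not visible here), any authenticated user can walk `id` and download another project's traffic, so the lookup should pass the same project/ownership check the vulnerability detail view applies. `.first()` yields `None` for an unknown id and `VulMethodPoolSerializer(None).data` then returns a default-valued dict under a success status instead of a not-found reply. The broad `except Exception` folds that case and genuine DB errors into one `operation failed` string; keep the logging but make the not-found path explicit.
```python
    def get(self, request: Request, id: int):
        try:
            # … authorization: reject ids outside the caller's projects here (same check as the vul detail view) …
            pool = VulMethodPool.objects.filter(vul_id=id).order_by("-update_time").first()
            if pool is None:
                return R.failure(data="not found")
            return R.success(data=VulMethodPoolSerializer(pool).data)
        except Exception as e:
            logger.exception("operation failed", exc_info=e)
            return R.failure(data="operation failed")
```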
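Review bot: The new `msg = f"推送漏洞到{integration_name}"` drops the acting user's id and name from the audit text, so a reader of `IastVulLog` can no longer tell who pushed the vulnerability unless those values are persisted in their own columns. `kwargs = locals()` still captures `user_id` and `user_name`, so if the `IastVulLog.objects.create(` call that continues past this hunk stores them as fields the attribution survives structurally; if it does not, keep the actor in the message, e.g. `msg = f"用户{user_name}推送漏洞到{integration_name}"`. `log_push_to_integration` starts and ends outside the hunk.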
+++ b/pyproject.toml
@@ -30,7 +30,6 @@ select = [
     "SIM", # flake8-simplify
     "TCH", # flake8-type-checking
     "INT", # flake8-gettext
-    "ERA", # eradicate
     "PGH", # pygrep-hooks
     "PL", # Pylint
     "TRY", # tryceratops
diff --git a/requirements.txt
index 93347062e..51269b430 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -2,150 +2,150 @@ aliyun-python-sdk-core==2.13.36 aliyun-python-sdk-core-v3==2.13.33 aliyun-python-sdk-kms==2.16.1 -amqp==5.1.1 ; python_version >= '3.6' -annotated-types==0.5.0 ; python_version >= '3.7' -asgiref==3.7.2 -async-timeout==4.0.2 ; python_version >= '3.6' -attrs==23.1.0 ; python_version >= '3.7' -autopep8==2.0.2 ; python_version >= '3.6' -billiard==4.1.0 ; python_version >= '3.7' -boto3==1.24.59 -boto3-stubs==1.28.2 -botocore==1.27.91 -botocore-stubs==1.29.165 -celery==5.3.0rc1 -celery-singleton==0.3.1 -certifi==2023.7.22 +amqp==5.1.1; python_version >= '3.6' +asgiref==3.7.2; python_version >= '3.7' +async-timeout==4.0.3; python_version >= '3.7' +attrs==23.1.0; python_version >= '3.7' +autopep8==2.0.4; python_version >= '3.6' +billiard==4.1.0; python_version >= '3.7' +boto3==1.24.59; python_version >= '3.7' +boto3-stubs==1.28.40; python_version >= '3.7' +botocore==1.27.91; python_version >= '3.7' +botocore-stubs==1.31.40; python_version >= '3.7' and python_version < '4.0' +celery==5.3.0rc1; python_version >= '3.7' +celery-singleton==0.3.1; python_version >= '3.6' and python_version < '4.0' +certifi==2023.7.22; python_version >= '3.6' cffi==1.15.1 -chardet==5.1.0 -charset-normalizer==3.2.0 ; python_full_version >= '3.7.0' -click==8.1.4 ; python_version >= '3.7' -click-didyoumean==0.3.0 ; python_full_version >= '3.6.2' and python_full_version < '4.0.0' +chardet==5.2.0; python_version >= '3.7' +charset-normalizer==3.2.0; python_full_version >= '3.7.0' +click==8.1.7; python_version >= '3.7' +click-didyoumean==0.3.0; python_full_version >= '3.6.2' and python_full_version < '4.0.0' click-plugins==1.1.1 -click-repl==0.3.0 ; python_version >= '3.6' +click-repl==0.3.0; python_version >= '3.6' crcmod==1.7 -cryptography==41.0.3 -dataclasses-json==0.5.9 +cryptography==41.0.3; python_version >= '3.7' +dataclasses-json==0.5.14; python_version < '3.13' and python_version >= '3.7' ddt==1.6.0 -defusedxml==0.7.1 ; python_version >= '2.7' and python_version not in '3.0, 
3.1, 3.2, 3.3, 3.4' -diff-match-patch==20230430 ; python_version >= '3.7' -django==3.2.20 +defusedxml==0.7.1; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' +diff-match-patch==20230430; python_version >= '3.7' +django==3.2.20; python_version >= '3.6' +django-add-default-value==0.10.0 django-celery-beat==2.2.0 -django-cors-headers==4.2.0 +django-cors-headers==4.2.0; python_version >= '3.8' django-cprofile-middleware==1.0.5 django-elasticsearch-dsl==7.2.2 -django-filter==23.2 -django-health-check==3.17.0 -django-import-export==2.5.0 -django-mock-queries==v2.1.7 +django-filter==23.2; python_version >= '3.7' +django-health-check==3.17.0; python_version >= '3.8' +django-import-export==2.5.0; python_version >= '3.5' +django-mock-queries==2.1.7 django-modeltranslation==0.17.7 django-prometheus==2.3.1 django-ranged-response==0.2.0 -django-redis==5.2.0 +django-redis==5.2.0; python_version >= '3.6' django-rest-framework-proxy==1.6.0 -django-seriously==0.4.0 -django-silk==5.0.3 +django-seriously==0.4.3; python_version >= '3.6' +django-silk==5.0.3; python_version >= '3.7' django-simple-captcha==0.5.18 -django-stubs[compatible-mypy]==1.15.0 -django-stubs-ext==4.2.2 ; python_version >= '3.8' -django-timezone-field==4.2.3 ; python_version >= '3.5' +django-stubs[compatible-mypy]==1.15.0; python_version >= '3.7' +django-stubs-ext==4.2.2; python_version >= '3.8' +django-timezone-field==4.2.3; python_version >= '3.5' django-utils==0.0.2 -django-utils-six==2.0 +django-utils-six==2.0; python_version >= '3.6' and python_version < '4.0' django-xff==1.4.0 -djangorestframework==3.12.4 -djangorestframework-dataclasses==1.2.0 -djangorestframework-stubs[compatible-mypy]==1.9.1 +djangorestframework==3.12.4; python_version >= '3.5' +djangorestframework-dataclasses==1.3.0; python_version >= '3.7' +djangorestframework-stubs[compatible-mypy]==1.9.1; python_version >= '3.7' docxcompose==1.3.4 docxtpl==0.16.0 -drf-spectacular==0.22.1 -elasticsearch==7.17.7 
-elasticsearch-dsl==7.4.1 ; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3' -et-xmlfile==1.1.0 ; python_version >= '3.6' -flower==2.0.0 -gevent==22.10.2 -gprof2dot==2022.7.29 ; python_version >= '2.7' -greenlet==2.0.2 ; platform_python_implementation == 'CPython' -gunicorn==20.1.0 -humanize==4.7.0 ; python_version >= '3.8' -id-validator==1.0.20 -idna==2.10 -inflection==0.5.1 ; python_version >= '3.5' -jinja2==3.1.2 ; python_version >= '3.7' -jmespath==0.10.0 ; python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3' -jq==1.3.0 -jsonlog==4.0.0 -jsonschema==4.17.0 -kombu==5.3.1 ; python_version >= '3.8' -lxml==4.9.1 -marisa-trie==0.8.0 +drf-spectacular==0.22.1; python_version >= '3.6' +elasticsearch==7.17.7; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3' and python_version < '4' +elasticsearch-dsl==7.4.1; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3' +et-xmlfile==1.1.0; python_version >= '3.6' +flower==2.0.1; python_version >= '3.7' +gevent==22.10.2; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5' +gprof2dot==2022.7.29; python_version >= '2.7' +greenlet==2.0.2; platform_python_implementation == 'CPython' +gunicorn==20.1.0; python_version >= '3.5' +humanize==4.8.0; python_version >= '3.8' +id-validator==1.0.20; python_version >= '3' +idna==2.10; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3' +inflection==0.5.1; python_version >= '3.5' +jinja2==3.1.2; python_version >= '3.7' +jmespath==0.10.0; python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3' +jq==1.3.0; python_version >= '3.5' +jsonlog==4.0.0; python_version >= '3.6' and python_version < '4.0' +jsonschema==4.17.0; python_version >= '3.7' +kombu==5.3.2; python_version >= '3.8' +lxml==4.9.1; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' +marisa-trie==0.8.0; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3' 
markuppy==1.14 -markupsafe==2.1.3 ; python_version >= '3.7' -marshmallow==3.19.0 ; python_version >= '3.7' -marshmallow-enum==1.5.1 -mock==5.0.2 ; python_version >= '3.6' -model-bakery==1.12.0 ; python_version >= '3' -mypy==1.0.1 -mypy-extensions==1.0.0 ; python_version >= '3.5' -mysqlclient==2.2.0 +markupsafe==2.1.3; python_version >= '3.7' +marshmallow==3.20.1; python_version >= '3.8' +mock==5.1.0; python_version >= '3.6' +model-bakery==1.15.0; python_version >= '3' +mypy==1.0.1; python_version >= '3.7' +mypy-extensions==1.0.0; python_version >= '3.5' +mysqlclient==2.2.0; python_version >= '3.8' networkit==10.1 -numpy==1.25.1 ; python_version >= '3.9' +networkx[all]==3.1; python_version >= '3.8' +numpy==1.25.2; python_version >= '3.9' odfpy==1.4.1 -openpyxl==3.0.9 +openpyxl==3.0.9; python_version >= '3.6' oss2==2.13.1 -packaging==21.3 +packaging==21.3; python_version >= '3.6' +pandas==2.1.0; python_version >= '3.9' pep8==1.7.1 -pillow==9.3.0 -prometheus-client==0.17.1 ; python_version >= '3.6' -prompt-toolkit==3.0.39 ; python_full_version >= '3.7.0' -pycodestyle==2.10.0 ; python_version >= '3.6' +pillow==9.3.0; python_version >= '3.7' +prometheus-client==0.17.1; python_version >= '3.6' +prompt-toolkit==3.0.39; python_full_version >= '3.7.0' +pycodestyle==2.11.0; python_version >= '3.8' pycparser==2.21 -pycryptodome==3.18.0 ; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' -pycryptodomex==3.14.1 -pydantic==2.0.2 ; python_version >= '3.7' -pydantic-core==2.1.2 ; python_version >= '3.7' -pymysql==1.0.2 -pyparsing==3.1.0 ; python_full_version >= '3.6.8' -pyre2==0.3.6 -pyrsistent==0.19.1 -python-crontab==2.7.1 -python-dateutil==2.8.2 ; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3' +pycryptodome==3.18.0; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' +pycryptodomex==3.14.1; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' +pydantic==1.10.12; python_version >= 
'3.7' +pymysql==1.0.2; python_version >= '3.6' +pyparsing==3.1.1; python_full_version >= '3.6.8' +pyre2==0.3.6; python_version >= '3.6' +pyrsistent==0.19.1; python_version >= '3.7' +python-crontab==3.0.0 +python-dateutil==2.8.2; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3' python-docx==0.8.11 -python-json-logger==2.0.7 +python-json-logger==2.0.7; python_version >= '3.6' pytz==2022.6 -pyyaml==6.0 ; python_version >= '3.6' -redis==4.4.4 -requests==2.31.0 -result==0.8.0 -s3transfer==0.6.1 ; python_version >= '3.7' -scipy==1.11.1 ; python_version < '3.13' and python_version >= '3.9' -setuptools==65.5.1 -shortuuid==1.0.11 +pyyaml==6.0.1; python_version >= '3.6' +redis==4.4.4; python_version >= '3.7' +requests==2.31.0; python_version >= '3.7' +result==0.8.0; python_version >= '3.7' +s3transfer==0.6.2; python_version >= '3.7' +scipy==1.11.2; python_version < '3.13' and python_version >= '3.9' +setuptools==65.5.1; python_version >= '3.7' +shortuuid==1.0.11; python_version >= '3.5' simhash==2.1.2 -six==1.15.0 -sqlparse==0.4.4 ; python_version >= '3.5' -tablib[html,ods,xls,xlsx,yaml]==3.5.0 ; python_version >= '3.8' -tomli==2.0.1 ; python_version < '3.11' -tornado==6.3.3 ; python_version >= '3.8' -types-awscrt==0.16.23 ; python_version >= '3.7' and python_version < '4.0' -types-pymysql==1.1.0.0 -types-pyopenssl==23.2.0.1 -types-python-dateutil==2.8.19.13 -types-pytz==2023.3.0.0 -types-pyyaml==6.0.12.10 -types-redis==4.6.0.2 -types-requests==2.31.0.1 -types-s3transfer==0.6.1 ; python_version >= '3.7' and python_version < '4.0' -types-urllib3==1.26.25.13 -typing-extensions==4.7.1 +six==1.15.0; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3' +sqlparse==0.4.4; python_version >= '3.5' +tablib[html,ods,xls,xlsx,yaml]==3.5.0; python_version >= '3.8' +tomli==2.0.1; python_version < '3.11' +tornado==6.3.3; python_version >= '3.8' +types-awscrt==0.19.1; python_version >= '3.7' and python_version < '4.0' +types-pymysql==1.1.0.1 
+types-pyopenssl==23.2.0.2 +types-python-dateutil==2.8.19.14 +types-pytz==2023.3.0.1 +types-pyyaml==6.0.12.11 +types-redis==4.6.0.5 +types-requests==2.31.0.2 +types-s3transfer==0.6.2; python_version >= '3.7' and python_version < '4.0' +types-urllib3==1.26.25.14 +typing-extensions==4.7.1; python_version >= '3.7' typing-inspect==0.9.0 -tzdata==2023.3 ; python_version >= '2' -uritemplate==4.1.1 ; python_version >= '3.6' -urllib3==1.26.5 -uwsgi==2.0.21 +tzdata==2023.3; python_version >= '2' +uritemplate==4.1.1; python_version >= '3.6' +urllib3==1.26.5; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' and python_version < '4' +uwsgi==2.0.22 uwsgitop==0.11 -vine==5.0.0 ; python_version >= '3.6' +vine==5.0.0; python_version >= '3.6' wcwidth==0.2.6 xlrd==2.0.1 xlwt==1.3.0 -zope.event==5.0 ; python_version >= '3.7' -zope.interface==6.0 ; python_version >= '3.7' +zope.event==5.0; python_version >= '3.7' +zope.interface==6.0; python_version >= '3.7' diff --git a/static/data/java_full_policy.json b/static/data/java_full_policy.json index b467a5bdc..f866c9227 100644 --- a/static/data/java_full_policy.json +++ b/static/data/java_full_policy.json @@ -80,6 +80,24 @@ }, { "details": [ + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "java.nio.ByteBuffer.array()" + }, { "command": "SUBSET(P2,P3)", "created_by": 1, 
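Review bot: Buried among the environment-marker refreshes is a major downgrade, `-pydantic==2.0.2` and `-pydantic-core==2.1.2` replaced by `+pydantic==1.10.12`, with `-annotated-types==0.5.0` removed alongside; pydantic 1.x and 2.x have incompatible APIs, so any module written against v2 (`model_validate`, `field_validator`, `ConfigDict`) fails at runtime rather than at install time. If the downgrade is intentional, say so in the commit message; otherwise re-pin to 2.x. The unchanged context line `aliyun-python-sdk-kms==2.16.1` at the top of the hunk was not touched by the regeneration while nearly every other pin moved, which is worth checking against the lock file before merging.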
@@ -172,32 +190,25 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "all", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", - "track": "", - "type": 1, + "target": "", + "track": "true", + "type": 4, "untags": [], - "value": "java.util.Enumeration.nextElement()" - } - ], - "enable": 1, - "type": 1, - "value": "Enumeration" - }, - { - "details": [ + "value": "jakarta.el.ELProcessor.eval(java.lang.String)" + }, { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "all", "language": 1, "source": "P1", "stack_blacklist": [], @@ -207,36 +218,25 @@ "track": "true", "type": 4, "untags": [], - "value": "org.apache.commons.fileupload.FileItem.write(java.io.File)" - } - ], - "enable": 1, - "type": 4, - "value": "FileWrite" - }, - { - "details": [ + "value": "jakarta.el.ELProcessor.getValue(java.lang.String,java.lang.Class)" + }, { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [ - "html-encoded" - ], - "target": "P4", - "track": "false", - "type": 1, - "untags": [ - "html-decoded" - ], - "value": "org.unbescape.html.HtmlEscapeUtil.escape(char[],int,int,java.io.Writer,org.unbescape.html.HtmlEscapeType,org.unbescape.html.HtmlEscapeLevel)" + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "jakarta.el.ELProcessor.setValue(java.lang.String,java.lang.Object)" }, { "command": "", 
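Review bot: The new EL sink entries (`jakarta.el.ELProcessor.eval(java.lang.String)` here and the `getValue`/`setValue`/`setVariable`/`ExpressionFactory` overloads in the following hunks) use `"inherit": "all"`, a value the pre-existing entries visible in this file never use — they carry only the strings `"true"` and `"false"`; if the agent's policy loader recognises just those two, the whole `EL表达式注入` group is silently dropped, so confirm `all` is accepted before shipping. The parameter positions look right against the signatures: the expression string is P1 for `eval`/`getValue`/`setValue` and P2 for `setVariable` and the `create*Expression` overloads. The removed lines in this hunk are not deletions — `java.util.Enumeration.nextElement()` and `org.apache.commons.fileupload.FileItem.write(java.io.File)` reappear unchanged further down because the file was reordered, which is worth noting in the commit message so reviewers diff the groups rather than the raw hunks.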
@@ -244,21 +244,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P1", + "source": "P2", "stack_blacklist": [], "system_type": 1, - "tags": [ - "html-encoded" - ], - "target": "P2", - "track": "false", - "type": 1, - "untags": [ - "html-decoded" - ], - "value": "org.unbescape.html.HtmlEscapeUtil.escape(java.io.Reader,java.io.Writer,org.unbescape.html.HtmlEscapeType,org.unbescape.html.HtmlEscapeLevel)" + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "jakarta.el.ELProcessor.setVariable(java.lang.String,java.lang.String)" }, { "command": "", @@ -266,21 +262,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P1", + "source": "P2", "stack_blacklist": [], "system_type": 1, - "tags": [ - "html-encoded" - ], - "target": "R", - "track": "false", - "type": 1, - "untags": [ - "html-decoded" - ], - "value": "org.unbescape.html.HtmlEscapeUtil.escape(java.lang.String,org.unbescape.html.HtmlEscapeType,org.unbescape.html.HtmlEscapeLevel)" + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "jakarta.el.ExpressionFactory.createMethodExpression(jakarta.el.ELContext,java.lang.String,java.lang.Class,java.lang.Class[])" }, { "command": "", 
@@ -288,21 +280,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P1", + "source": "P2", "stack_blacklist": [], "system_type": 1, - "tags": [ - "html-encoded" - ], - "target": "P4", - "track": "false", - "type": 1, - "untags": [ - "html-decoded" - ], - "value": "org.unbescape.html.HtmlEscapeUtil.unescape(char[],int,int,java.io.Writer)" + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "jakarta.el.ExpressionFactory.createValueExpression(jakarta.el.ELContext,java.lang.String,java.lang.Class)" }, { "command": "", @@ -310,21 +298,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [ - "html-encoded" - ], - "target": "P2", - "track": "false", - "type": 1, - "untags": [ - "html-decoded" - ], - "value": "org.unbescape.html.HtmlEscapeUtil.unescape(java.io.Reader,java.io.Writer)" + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "jakarta.servlet.jsp.el.ExpressionEvaluator.evaluate(java.lang.String,java.lang.Class,jakarta.servlet.jsp.el.VariableResolver,jakarta.servlet.jsp.el.FunctionMapper)" }, { "command": "", 
@@ -332,99 +316,81 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [ - "html-encoded" - ], - "target": "R", - "track": "false", - "type": 1, - "untags": [ - "html-decoded" - ], - "value": "org.unbescape.html.HtmlEscapeUtil.unescape(java.lang.String)" - } - ], - "enable": 1, - "type": 1, - "value": "Html5EscapeSymbolsInitializer" - }, - { - "details": [ + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "javax.el.ELProcessor.eval(java.lang.String)" + }, { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, - "ignore_internal": true, - "inherit": "false", + "ignore_internal": false, + "inherit": "all", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", - "track": "false", - "type": 1, + "target": "", + "track": "true", + "type": 4, "untags": [], - "value": "com.mysql.jdbc.ResultSetImpl.next()" + "value": "javax.el.ELProcessor.getValue(java.lang.String,java.lang.Class)" }, { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, - "ignore_internal": true, - "inherit": "false", + "ignore_internal": false, + "inherit": "all", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", - "track": "false", - "type": 1, + "target": "", + "track": "true", + "type": 4, "untags": [], - "value": "org.jruby.runtime.load.LibrarySearcher.isAbsolute(java.lang.String)" + "value": "javax.el.ELProcessor.setValue(java.lang.String,java.lang.Object)" }, { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, - "ignore_internal": true, - "inherit": "false", + "ignore_internal": false, + "inherit": "all", "language": 1, - "source": "O", + "source": "P2", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", - "track": "false", - 
"type": 1, + "target": "", + "track": "true", + "type": 4, "untags": [], - "value": "org.thymeleaf.spring5.view.ThymeleafView.render(java.util.Map,javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)" - } - ], - "enable": 1, - "type": 1, - "value": "InvalidPropagator" - }, - { - "details": [ + "value": "javax.el.ELProcessor.setVariable(java.lang.String,java.lang.String)" + }, { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "all", "language": 1, - "source": "P1", + "source": "P2", "stack_blacklist": [], "system_type": 1, "tags": [], @@ -432,7 +398,7 @@ "track": "true", "type": 4, "untags": [], - "value": "jakarta.naming.Context.lookup(java.lang.String)" + "value": "javax.el.ExpressionFactory.createMethodExpression(javax.el.ELContext,java.lang.String,java.lang.Class,java.lang.Class[])" }, { "command": "", @@ -440,7 +406,25 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "all", + "language": 1, + "source": "P2", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "javax.el.ExpressionFactory.createValueExpression(javax.el.ELContext,java.lang.String,java.lang.Class)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", "language": 1, "source": "P1", "stack_blacklist": [], @@ -450,12 +434,12 @@ "track": "true", "type": 4, "untags": [], - "value": "javax.naming.Context.lookup(java.lang.String)" + "value": "javax.servlet.jsp.el.ExpressionEvaluator.evaluate(java.lang.String,java.lang.Class,javax.servlet.jsp.el.VariableResolver,javax.servlet.jsp.el.FunctionMapper)" } ], "enable": 1, "type": 4, - "value": "JNDI\u6ce8\u5165" + "value": "EL\u8868\u8fbe\u5f0f\u6ce8\u5165" }, { "details": [ 
@@ -465,40 +449,47 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "true", "language": 1, "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "R", - "track": "false", + "track": "", "type": 1, "untags": [], - "value": "org.apache.kafka.clients.consumer.ConsumerRecord.value()" - }, + "value": "java.util.Enumeration.nextElement()" + } + ], + "enable": 1, + "type": 1, + "value": "Enumeration" + }, + { + "details": [ { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "true", "language": 1, - "source": "P4,5", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", - "track": "false", - "type": 1, + "target": "", + "track": "true", + "type": 4, "untags": [], - "value": "org.apache.kafka.clients.producer.ProducerRecord.(java.lang.String,java.lang.Integer,java.lang.Long,java.lang.Object,java.lang.Object,java.lang.Iterable)" + "value": "org.apache.commons.fileupload.FileItem.write(java.io.File)" } ], "enable": 1, - "type": 1, - "value": "Kafka\u4f20\u64ad" + "type": 4, + "value": "FileWrite" }, { "details": [ @@ -510,15 +501,19 @@ "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1,2", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], - "target": "R", + "tags": [ + "html-encoded" + ], + "target": "P4", "track": "false", "type": 1, - "untags": [], - "value": "com.baomidou.mybatisplus.core.override.MybatisMapperMethod.execute(org.apache.ibatis.session.SqlSession,java.lang.Object[])" + "untags": [ + "html-decoded" + ], + "value": "org.unbescape.html.HtmlEscapeUtil.escape(char[],int,int,java.io.Writer,org.unbescape.html.HtmlEscapeType,org.unbescape.html.HtmlEscapeLevel)" }, { "command": "", 
@@ -531,45 +526,39 @@ "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], - "target": "R", + "tags": [ + "html-encoded" + ], + "target": "P2", "track": "false", "type": 1, - "untags": [], - "value": "org.apache.ibatis.executor.resultset.DefaultResultSetHandler.handleResultSets(java.sql.Statement)" - } - ], - "enable": 1, - "type": 1, - "value": "Mybatis\u4f20\u64ad" - }, - { - "details": [ + "untags": [ + "html-decoded" + ], + "value": "org.unbescape.html.HtmlEscapeUtil.escape(java.io.Reader,java.io.Writer,org.unbescape.html.HtmlEscapeType,org.unbescape.html.HtmlEscapeLevel)" + }, { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, - "source": "P2", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], - "target": "O", + "tags": [ + "html-encoded" + ], + "target": "R", "track": "false", "type": 1, - "untags": [], - "value": "java.sql.Statement.setString(int,java.lang.String)" - } - ], - "enable": 1, - "type": 1, - "value": "PreparedStatement" - }, - { - "details": [ + "untags": [ + "html-decoded" + ], + "value": "org.unbescape.html.HtmlEscapeUtil.escape(java.lang.String,org.unbescape.html.HtmlEscapeType,org.unbescape.html.HtmlEscapeLevel)" + }, { "command": "", "created_by": 1, 
@@ -581,39 +570,38 @@ "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], - "target": "O", + "tags": [ + "html-encoded" + ], + "target": "P4", "track": "false", "type": 1, - "untags": [], - "value": "com.caucho.hessian.io.HessianInput.init(java.io.InputStream)" - } - ], - "enable": 1, - "type": 1, - "value": "Propagator:Hessian" - }, - { - "details": [ + "untags": [ + "html-decoded" + ], + "value": "org.unbescape.html.HtmlEscapeUtil.unescape(char[],int,int,java.io.Writer)" + }, { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [ - "cross-site" + "html-encoded" ], - "target": "R", - "track": "", + "target": "P2", + "track": "false", "type": 1, - "untags": [], - "value": "javax.servlet.ServletRequest.getParameterNames()" + "untags": [ + "html-decoded" + ], + "value": "org.unbescape.html.HtmlEscapeUtil.unescape(java.io.Reader,java.io.Writer)" }, { "command": "", @@ -621,24 +609,26 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [ - "cross-site" + "html-encoded" ], "target": "R", - "track": "", + "track": "false", "type": 1, - "untags": [], - "value": "javax.servlet.ServletRequest.getParameterValues(java.lang.String)" + "untags": [ + "html-decoded" + ], + "value": "org.unbescape.html.HtmlEscapeUtil.unescape(java.lang.String)" } ], "enable": 1, "type": 1, - "value": "RequestFacade" + "value": "Html5EscapeSymbolsInitializer" }, { "details": [ 
@@ -647,46 +637,46 @@ "created_by": 1, "enable": 1, "ignore_blacklist": false, - "ignore_internal": false, + "ignore_internal": true, "inherit": "false", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", + "target": "R", "track": "false", "type": 1, "untags": [], - "value": "java.util.Scanner.(java.io.InputStream)" + "value": "com.mysql.jdbc.ResultSetImpl.next()" }, { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, - "ignore_internal": false, + "ignore_internal": true, "inherit": "false", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", + "target": "R", "track": "false", "type": 1, "untags": [], - "value": "java.util.Scanner.(java.io.InputStream,java.lang.String)" + "value": "org.jruby.runtime.load.LibrarySearcher.isAbsolute(java.lang.String)" }, { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, - "ignore_internal": false, + "ignore_internal": true, "inherit": "false", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], 
@@ -694,25 +684,32 @@ "track": "false", "type": 1, "untags": [], - "value": "java.util.Scanner.(java.io.InputStream,java.nio.charset.Charset)" - }, + "value": "org.thymeleaf.spring5.view.ThymeleafView.render(java.util.Map,javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)" + } + ], + "enable": 1, + "type": 1, + "value": "InvalidPropagator" + }, + { + "details": [ { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "true", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", - "track": "false", - "type": 1, + "target": "", + "track": "true", + "type": 4, "untags": [], - "value": "java.util.Scanner.(java.lang.Readable,java.util.regex.Pattern)" + "value": "jakarta.naming.Context.lookup(java.lang.String)" }, { "command": "", @@ -720,18 +717,25 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "true", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", - "track": "false", - "type": 1, + "target": "", + "track": "true", + "type": 4, "untags": [], - "value": "java.util.Scanner.(java.lang.String)" - }, + "value": "javax.naming.Context.lookup(java.lang.String)" + } + ], + "enable": 1, + "type": 4, + "value": "JNDI\u6ce8\u5165" + }, + { + "details": [ { "command": "", "created_by": 1, @@ -748,7 +752,7 @@ "track": "false", "type": 1, "untags": [], - "value": "java.util.Scanner.findInLine(java.lang.String)" + "value": "org.apache.kafka.clients.consumer.ConsumerRecord.value()" }, { "command": "", 
@@ -758,16 +762,23 @@ "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P4,5", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", + "target": "O", "track": "false", "type": 1, "untags": [], - "value": "java.util.Scanner.findInLine(java.util.regex.Pattern)" - }, + "value": "org.apache.kafka.clients.producer.ProducerRecord.(java.lang.String,java.lang.Integer,java.lang.Long,java.lang.Object,java.lang.Object,java.lang.Iterable)" + } + ], + "enable": 1, + "type": 1, + "value": "Kafka\u4f20\u64ad" + }, + { + "details": [ { "command": "", "created_by": 1, @@ -776,7 +787,7 @@ "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P1,2", "stack_blacklist": [], "system_type": 1, "tags": [], @@ -784,7 +795,7 @@ "track": "false", "type": 1, "untags": [], - "value": "java.util.Scanner.findWithinHorizon(java.lang.String,int)" + "value": "com.baomidou.mybatisplus.core.override.MybatisMapperMethod.execute(org.apache.ibatis.session.SqlSession,java.lang.Object[])" }, { "command": "", @@ -794,7 +805,7 @@ "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], 
@@ -802,25 +813,32 @@ "track": "false", "type": 1, "untags": [], - "value": "java.util.Scanner.findWithinHorizon(java.util.regex.Pattern,int)" - }, + "value": "org.apache.ibatis.executor.resultset.DefaultResultSetHandler.handleResultSets(java.sql.Statement)" + } + ], + "enable": 1, + "type": 1, + "value": "Mybatis\u4f20\u64ad" + }, + { + "details": [ { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", - "track": "false", - "type": 1, + "target": "", + "track": "true", + "type": 4, "untags": [], - "value": "java.util.Scanner.next()" + "value": "ognl.Ognl.getValue(java.lang.Object,java.lang.Object)" }, { "command": "", 
@@ -828,17 +846,1605 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", - "track": "false", - "type": 1, + "target": "", + "track": "true", + "type": 4, "untags": [], - "value": "java.util.Scanner.next(java.lang.String)" + "value": "ognl.Ognl.getValue(java.lang.Object,java.lang.Object,java.lang.Class)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "ognl.Ognl.getValue(java.lang.Object,java.util.Map,java.lang.Object)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "ognl.Ognl.getValue(java.lang.Object,java.util.Map,java.lang.Object,java.lang.Class)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "ognl.Ognl.getValue(java.lang.String,java.lang.Object)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "ognl.Ognl.getValue(java.lang.String,java.lang.Object,java.lang.Class)" + }, + 
{ + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "ognl.Ognl.getValue(java.lang.String,java.util.Map,java.lang.Object)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "ognl.Ognl.getValue(java.lang.String,java.util.Map,java.lang.Object,java.lang.Class)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "ognl.Ognl.parseExpression(java.lang.String)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "org.apache.commons.ognl.Ognl.parseExpression(java.lang.String)" + } + ], + "enable": 1, + "type": 4, + "value": "Ognl\u8868\u8fbe\u5f0f\u6ce8\u5165" + }, + { + "details": [ + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "language": 1, + "source": "P2", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "false", + "type": 1, + "untags": [], + "value": "java.sql.Statement.setString(int,java.lang.String)" + } + ], + "enable": 1, + "type": 1, + "value": 
"PreparedStatement" + }, + { + "details": [ + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "false", + "type": 1, + "untags": [], + "value": "com.caucho.hessian.io.HessianInput.init(java.io.InputStream)" + } + ], + "enable": 1, + "type": 1, + "value": "Propagator:Hessian" + }, + { + "details": [ + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [ + "cross-site" + ], + "target": "R", + "track": "", + "type": 1, + "untags": [], + "value": "javax.servlet.ServletRequest.getParameterNames()" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [ + "cross-site" + ], + "target": "R", + "track": "", + "type": 1, + "untags": [], + "value": "javax.servlet.ServletRequest.getParameterValues(java.lang.String)" + } + ], + "enable": 1, + "type": 1, + "value": "RequestFacade" + }, + { + "details": [ + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "org.springframework.expression.Expression.getValue()" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], 
+ "value": "org.springframework.expression.Expression.getValue(java.lang.Class)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "org.springframework.expression.Expression.getValue(java.lang.Object)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "org.springframework.expression.Expression.getValue(java.lang.Object,java.lang.Class)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "org.springframework.expression.Expression.getValue(org.springframework.expression.EvaluationContext)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "org.springframework.expression.Expression.getValue(org.springframework.expression.EvaluationContext,java.lang.Class)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": 
"org.springframework.expression.Expression.getValue(org.springframework.expression.EvaluationContext,java.lang.Object)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "org.springframework.expression.Expression.getValue(org.springframework.expression.EvaluationContext,java.lang.Object,java.lang.Class)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "org.springframework.expression.Expression.getValueTypeDescriptor()" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "org.springframework.expression.Expression.getValueTypeDescriptor(java.lang.Object)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "org.springframework.expression.Expression.getValueTypeDescriptor(org.springframework.expression.EvaluationContext)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "", + 
"track": "true", + "type": 4, + "untags": [], + "value": "org.springframework.expression.Expression.getValueTypeDescriptor(org.springframework.expression.EvaluationContext,java.lang.Object)" + } + ], + "enable": 1, + "type": 4, + "value": "SPEL\u8868\u8fbe\u5f0f\u6ce8\u5165" + }, + { + "details": [ + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "false", + "type": 1, + "untags": [], + "value": "java.util.Scanner.(java.io.InputStream)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "false", + "type": 1, + "untags": [], + "value": "java.util.Scanner.(java.io.InputStream,java.lang.String)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "false", + "type": 1, + "untags": [], + "value": "java.util.Scanner.(java.io.InputStream,java.nio.charset.Charset)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "false", + "type": 1, + "untags": [], + "value": "java.util.Scanner.(java.lang.Readable,java.util.regex.Pattern)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": 
[], + "target": "O", + "track": "false", + "type": 1, + "untags": [], + "value": "java.util.Scanner.(java.lang.String)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "java.util.Scanner.findInLine(java.lang.String)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "java.util.Scanner.findInLine(java.util.regex.Pattern)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "java.util.Scanner.findWithinHorizon(java.lang.String,int)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "java.util.Scanner.findWithinHorizon(java.util.regex.Pattern,int)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "java.util.Scanner.next()" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + 
"ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "java.util.Scanner.next(java.lang.String)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "java.util.Scanner.next(java.util.regex.Pattern)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "java.util.Scanner.nextLine()" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "sun.misc.CharacterDecoder.decodeBuffer(java.io.InputStream)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "sun.misc.CharacterDecoder.decodeBuffer(java.lang.String)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + 
"type": 1, + "untags": [], + "value": "sun.misc.CharacterEncoder.encode(byte[])" + } + ], + "enable": 1, + "type": 1, + "value": "Scanner" + }, + { + "details": [ + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "org.apache.solr.common.params.SolrParams.get(java.lang.String)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "org.apache.solr.common.params.SolrParams.getParams(java.lang.String)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "org.apache.solr.servlet.SolrRequestParsers.parseQueryString(java.lang.String)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "P2", + "track": "false", + "type": 1, + "untags": [], + "value": "org.apache.solr.servlet.SolrRequestParsers.parseQueryString(java.lang.String,java.util.Map)" + } + ], + "enable": 1, + "type": 1, + "value": "SolrParamParser" + }, + { + "details": [ + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + 
"system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 2, + "untags": [], + "value": "io.grpc.MethodDescriptor.parseRequest(java.io.InputStream)" + } + ], + "enable": 1, + "type": 2, + "value": "Source:GrpcV1" + }, + { + "details": [ + { + "command": "KEEP()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "false", + "type": 1, + "untags": [], + "value": "java.lang.String.(byte[],byte)" + }, + { + "command": "KEEP()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "", + "type": 1, + "untags": [], + "value": "java.lang.String.(byte[],int,int)" + }, + { + "command": "KEEP()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "", + "type": 1, + "untags": [], + "value": "java.lang.String.(byte[],int,int,int)" + }, + { + "command": "KEEP()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "", + "type": 1, + "untags": [], + "value": "java.lang.String.(byte[],int,int,java.lang.String)" + }, + { + "command": "SUBSET(P2,P3)", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "", + "type": 1, + "untags": [], + "value": 
"java.lang.String.(byte[],int,int,java.nio.charset.Charset)" + }, + { + "command": "KEEP()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "false", + "type": 1, + "untags": [], + "value": "java.lang.String.(byte[],java.nio.charset.Charset)" + }, + { + "command": "KEEP()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "", + "type": 1, + "untags": [], + "value": "java.lang.String.(char[])" + }, + { + "command": "APPEND(P2,P3,0)", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "", + "type": 1, + "untags": [], + "value": "java.lang.String.(char[],int,int)" + }, + { + "command": "APPEND(P2,P3,0)", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "", + "type": 1, + "untags": [], + "value": "java.lang.String.(char[],int,int,boolean)" + }, + { + "command": "KEEP()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "", + "type": 1, + "untags": [], + "value": "java.lang.String.(java.lang.String)" + }, + { + "command": "KEEP()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, 
+ "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "", + "type": 1, + "untags": [], + "value": "java.lang.String.(java.lang.StringBuffer)" + }, + { + "command": "KEEP()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "", + "type": 1, + "untags": [], + "value": "java.lang.String.(java.lang.StringBuilder)" + }, + { + "command": "CONCAT()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O|P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "", + "type": 1, + "untags": [], + "value": "java.lang.String.concat(java.lang.String)" + }, + { + "command": "KEEP()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "", + "type": 1, + "untags": [], + "value": "java.lang.String.getBytes()" + }, + { + "command": "OVERWRITE(P2)", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "P1", + "track": "false", + "type": 1, + "untags": [], + "value": "java.lang.String.getBytes(byte[],int,byte)" + }, + { + "command": "SUBSET(P1,P2,P4)", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "P3", + "track": "", + "type": 1, + "untags": [], + "value": "java.lang.String.getBytes(int,int,byte[],int)" + }, + { + 
"command": "KEEP()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "", + "type": 1, + "untags": [], + "value": "java.lang.String.getBytes(java.lang.String)" + }, + { + "command": "KEEP()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "java.lang.String.getBytes(java.nio.charset.Charset)" + }, + { + "command": "SUBSET(P1,P2,P4)", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "P3", + "track": "", + "type": 1, + "untags": [], + "value": "java.lang.String.getChars(int,int,char[],int)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O|P2", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "java.lang.String.replace(java.lang.CharSequence,java.lang.CharSequence)" + }, + { + "command": "TRIM()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "java.lang.String.strip()" + }, + { + "command": "TRIM_LEFT()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + 
"stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "java.lang.String.stripLeading()" + }, + { + "command": "TRIM_RIGHT()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "java.lang.String.stripTrailing()" + }, + { + "command": "SUBSET(P1)", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "", + "type": 1, + "untags": [], + "value": "java.lang.String.substring(int)" + }, + { + "command": "SUBSET(P1,P2)", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "", + "type": 1, + "untags": [], + "value": "java.lang.String.substring(int,int)" + }, + { + "command": "KEEP()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "", + "type": 1, + "untags": [], + "value": "java.lang.String.toCharArray()" + }, + { + "command": "KEEP()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "", + "type": 1, + "untags": [], + "value": "java.lang.String.toLowerCase(java.util.Locale)" + }, + { + "command": "KEEP()", + "created_by": 1, + "enable": 1, + 
"ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "", + "type": 1, + "untags": [], + "value": "java.lang.String.toUpperCase(java.util.Locale)" + }, + { + "command": "TRIM()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "java.lang.String.trim()" + }, + { + "command": "KEEP()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "java.lang.StringConcatHelper.newString(byte[],int,byte)" + }, + { + "command": "KEEP()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "java.lang.StringConcatHelper.newString(byte[],long)" + }, + { + "command": "SUBSET(P2,P3)", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "false", + "type": 1, + "untags": [], + "value": "java.lang.StringLatin1$LinesSpliterator.(byte[],int,int)" + }, + { + "command": "APPEND(P2,P3,0)", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + 
"tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "java.lang.StringLatin1.newString(byte[],int,int)" + }, + { + "command": "SUBSET(P2,P3)", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "false", + "type": 1, + "untags": [], + "value": "java.lang.StringUTF16$LinesSpliterator.(byte[],int,int)" + }, + { + "command": "APPEND(P2,P3,0)", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "java.lang.StringUTF16.newString(byte[],int,int)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [ + "sql-encoded" + ], + "target": "R", + "track": "false", + "type": 1, + "untags": [ + "sql-decoded" + ], + "value": "java.sql.Statement.enquoteIdentifier(java.lang.String,boolean)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [ + "sql-encoded" + ], + "target": "R", + "track": "false", + "type": 1, + "untags": [ + "sql-decoded" + ], + "value": "java.sql.Statement.enquoteLiteral(java.lang.String)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [ + "sql-encoded" + ], + "target": "R", + "track": "false", + 
"type": 1, + "untags": [ + "sql-decoded" + ], + "value": "java.sql.Statement.enquoteNCharLiteral(java.lang.String)" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [ + "ldap-encoded" + ], + "target": "R", + "track": "false", + "type": 1, + "untags": [ + "ldap-decoded" + ], + "value": "org.owasp.esapi.Encoder.encodeForLDAP(java.lang.String)" }, { "command": "", @@ -848,15 +2454,19 @@ "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], + "tags": [ + "xml-encoded" + ], "target": "R", "track": "false", "type": 1, - "untags": [], - "value": "java.util.Scanner.next(java.util.regex.Pattern)" + "untags": [ + "xml-decoded" + ], + "value": "org.thymeleaf.util.DOMUtils.escapeXml(char[],boolean)" }, { "command": "", 
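Review bot: The new propagator for `org.thymeleaf.util.DOMUtils.escapeXml(char[],boolean)` tags its result `xml-encoded` and untags `xml-decoded` regardless of the boolean second parameter, which, if I recall the Thymeleaf API correctly, controls whether quote characters are escaped; that recollection should be checked against the library. If a `false` P2 leaves quotes unescaped, any sink that treats `xml-encoded` as evidence of sanitisation would stop reporting data that is still unsafe in an attribute context, a false negative rather than a false positive. The same applies to `escapeXml(java.lang.String,boolean)` in the @@ -866 hunk. If the rule format cannot condition a tag on a parameter value, the limitation is worth recording in the policy documentation, since the JSON itself cannot carry a comment.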
@@ -866,36 +2476,65 @@ "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], + "tags": [ + "xml-encoded" + ], "target": "R", "track": "false", "type": 1, + "untags": [ + "xml-decoded" + ], + "value": "org.thymeleaf.util.DOMUtils.escapeXml(java.lang.String,boolean)" + } + ], + "enable": 1, + "type": 1, + "value": "String" + }, + { + "details": [ + { + "command": "KEEP()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "false", + "type": 1, "untags": [], - "value": "java.util.Scanner.nextLine()" + "value": "java.lang.StringBuffer.(java.lang.CharSequence)" }, { - "command": "", + "command": "KEEP()", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "all", + "inherit": "false", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", + "target": "O", "track": "false", "type": 1, "untags": [], - "value": "sun.misc.CharacterDecoder.decodeBuffer(java.io.InputStream)" + "value": "java.lang.StringBuffer.(java.lang.String)" }, { - "command": "", + "command": "APPEND()", "created_by": 1, "enable": 1, "ignore_blacklist": false, 
@@ -906,150 +2545,255 @@ "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", + "target": "O", "track": "false", "type": 1, "untags": [], - "value": "sun.misc.CharacterDecoder.decodeBuffer(java.lang.String)" + "value": "java.lang.StringBuffer.append(char[])" }, { - "command": "", + "command": "APPEND(P2,P3,0)", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "false", + "type": 1, + "untags": [], + "value": "java.lang.StringBuffer.append(char[],int,int)" + }, + { + "command": "APPEND()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "false", + "type": 1, + "untags": [], + "value": "java.lang.StringBuffer.append(java.lang.CharSequence)" + }, + { + "command": "APPEND(P2,P3)", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "false", + "type": 1, + "untags": [], + "value": "java.lang.StringBuffer.append(java.lang.CharSequence,int,int)" + }, + { + "command": "APPEND()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "false", + "type": 1, + "untags": [], + "value": "java.lang.StringBuffer.append(java.lang.String)" + }, + { + "command": "APPEND()", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + 
"system_type": 1, + "tags": [], + "target": "O", + "track": "false", + "type": 1, + "untags": [], + "value": "java.lang.StringBuffer.append(java.lang.StringBuffer)" + }, + { + "command": "REMOVE(P1,P2)", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "false", + "type": 1, + "untags": [], + "value": "java.lang.StringBuffer.delete(int,int)" + }, + { + "command": "REMOVE(P1)", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "O", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "O", + "track": "false", + "type": 1, + "untags": [], + "value": "java.lang.StringBuffer.deleteCharAt(int)" + }, + { + "command": "SUBSET(P1,P2,P4)", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", + "target": "P3", "track": "false", "type": 1, "untags": [], - "value": "sun.misc.CharacterEncoder.encode(byte[])" - } - ], - "enable": 1, - "type": 1, - "value": "Scanner" - }, - { - "details": [ + "value": "java.lang.StringBuffer.getChars(int,int,char[],int)" + }, { - "command": "", + "command": "INSERT(P1)", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, - "source": "O", + "source": "P2", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", + "target": "O", "track": "false", "type": 1, "untags": [], - "value": "org.apache.solr.common.params.SolrParams.get(java.lang.String)" + "value": "java.lang.StringBuffer.insert(int,char)" }, { - "command": "", + "command": "INSERT(P1)", "created_by": 1, "enable": 1, 
"ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, - "source": "O", + "source": "P2", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", + "target": "O", "track": "false", "type": 1, "untags": [], - "value": "org.apache.solr.common.params.SolrParams.getParams(java.lang.String)" + "value": "java.lang.StringBuffer.insert(int,char[])" }, { - "command": "", + "command": "INSERT(P1,P3,P4)", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "P2", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", + "target": "O", "track": "false", "type": 1, "untags": [], - "value": "org.apache.solr.servlet.SolrRequestParsers.parseQueryString(java.lang.String)" + "value": "java.lang.StringBuffer.insert(int,char[],int,int)" }, { - "command": "", + "command": "INSERT(P1)", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "P2", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "P2", + "target": "O", "track": "false", "type": 1, "untags": [], - "value": "org.apache.solr.servlet.SolrRequestParsers.parseQueryString(java.lang.String,java.util.Map)" - } - ], - "enable": 1, - "type": 1, - "value": "SolrParamParser" - }, - { - "details": [ + "value": "java.lang.StringBuffer.insert(int,java.lang.CharSequence)" + }, { - "command": "", + "command": "INSERT(P1,P3,P4)", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "P2", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", + "target": "O", "track": "false", - "type": 2, + "type": 1, "untags": [], - "value": "io.grpc.MethodDescriptor.parseRequest(java.io.InputStream)" - } - ], - "enable": 1, - "type": 2, - "value": "Source:GrpcV1" - 
}, - { - "details": [ + "value": "java.lang.StringBuffer.insert(int,java.lang.CharSequence,int,int)" + }, { - "command": "KEEP()", + "command": "INSERT(P1)", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "P2", "stack_blacklist": [], "system_type": 1, "tags": [], 
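Review bot: The old side of this hunk drops the only type-2 source rule visible in this span, `io.grpc.MethodDescriptor.parseRequest(java.io.InputStream)` (group `Source:GrpcV1`), together with the `Scanner` and `SolrParamParser` propagator groups, and nothing in the new side of this hunk re-declares them. Since the commit reorders the whole file they may simply have moved to a later section I cannot see, but if they were not re-added, gRPC request bodies stop being a taint source and Solr query-string parsing stops propagating, which shows up as silent false negatives rather than as an error. Please confirm those three groups still exist on the new side before merging. The enclosing JSON array starts and ends outside this hunk.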
@@ -1057,79 +2801,79 @@ "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.(byte[],byte)" + "value": "java.lang.StringBuffer.insert(int,java.lang.String)" }, { - "command": "KEEP()", + "command": "REPLACE(P1,P2)", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "O|P3", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "O", - "track": "", + "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.(byte[],int,int)" + "value": "java.lang.StringBuffer.replace(int,int,java.lang.String)" }, { - "command": "KEEP()", + "command": "SUBSET(0,P1)", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "O", - "track": "", + "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.(byte[],int,int,int)" + "value": "java.lang.StringBuffer.setLength(int)" }, { - "command": "KEEP()", + "command": "SUBSET(P1)", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", - "track": "", + "target": "R", + "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.(byte[],int,int,java.lang.String)" + "value": "java.lang.StringBuffer.substring(int)" }, { - "command": "SUBSET(P2,P3)", + "command": "SUBSET(P1,P2)", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", - "track": "", + "target": "R", + "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.(byte[],int,int,java.nio.charset.Charset)" + "value": 
"java.lang.StringBuffer.substring(int,int)" }, { "command": "KEEP()", @@ -1139,18 +2883,25 @@ "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", + "target": "R", "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.(byte[],java.nio.charset.Charset)" - }, + "value": "java.lang.StringBuffer.toString()" + } + ], + "enable": 1, + "type": 1, + "value": "StringBuffer" + }, + { + "details": [ { - "command": "KEEP()", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, 
@@ -1160,228 +2911,236 @@ "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], - "target": "O", - "track": "", + "tags": [ + "html-encoded" + ], + "target": "R", + "track": "false", "type": 1, - "untags": [], - "value": "java.lang.String.(char[])" + "untags": [ + "html-decoded" + ], + "value": "com.bea.jsptools.tree.TreeNode.htmlChars(java.lang.String)" }, { - "command": "APPEND(P2,P3,0)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", - "track": "", + "target": "R", + "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.(char[],int,int)" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(byte[],com.fasterxml.jackson.core.type.TypeReference)" }, { - "command": "APPEND(P2,P3,0)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", - "track": "", + "target": "R", + "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.(char[],int,int,boolean)" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(byte[],com.fasterxml.jackson.databind.JavaType)" }, { - "command": "KEEP()", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", - "track": "", + "target": "R", + "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.(java.lang.String)" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(byte[],int,int,com.fasterxml.jackson.core.type.TypeReference)" }, { - "command": "KEEP()", + "command": "", 
"created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", - "track": "", + "target": "R", + "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.(java.lang.StringBuffer)" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(byte[],int,int,com.fasterxml.jackson.databind.JavaType)" }, { - "command": "KEEP()", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", - "track": "", + "target": "R", + "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.(java.lang.StringBuilder)" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(byte[],java.lang.Class)" }, { - "command": "CONCAT()", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "O|P1", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "R", - "track": "", + "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.concat(java.lang.String)" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.io.InputStream,com.fasterxml.jackson.core.type.TypeReference)" }, { - "command": "KEEP()", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "R", - "track": "", + "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.getBytes()" + "value": 
"com.fasterxml.jackson.databind.ObjectMapper.readValue(java.io.Reader,java.lang.Class)" }, { - "command": "OVERWRITE(P2)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "P1", + "target": "R", "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.getBytes(byte[],int,byte)" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.lang.String,com.fasterxml.jackson.core.type.TypeReference)" }, { - "command": "SUBSET(P1,P2,P4)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "P3", - "track": "", + "target": "R", + "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.getBytes(int,int,byte[],int)" + "value": "com.github.pagehelper.parser.CountSqlParser.getSmartCountSql(java.lang.String,java.lang.String)" }, { - "command": "KEEP()", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], + "tags": [ + "html-encoded" + ], "target": "R", - "track": "", + "track": "false", "type": 1, - "untags": [], - "value": "java.lang.String.getBytes(java.lang.String)" + "untags": [ + "html-decoded" + ], + "value": "com.opensymphony.util.TextUtils.htmlEncode(java.lang.String)" }, { - "command": "KEEP()", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", + "target": "O", "track": "false", "type": 
1, "untags": [], - "value": "java.lang.String.getBytes(java.nio.charset.Charset)" + "value": "java.io.CharArrayWriter.append(java.lang.CharSequence)" }, { - "command": "SUBSET(P1,P2,P4)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "P3", - "track": "", + "target": "O", + "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.getChars(int,int,char[],int)" + "value": "java.io.CharArrayWriter.append(java.lang.CharSequence,int,int)" }, { "command": "", @@ -1391,7 +3150,7 @@ "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O|P2", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], @@ -1399,10 +3158,10 @@ "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.replace(java.lang.CharSequence,java.lang.CharSequence)" + "value": "java.io.CharArrayWriter.toCharArray()" }, { - "command": "TRIM()", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, 
@@ -1417,64 +3176,64 @@ "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.strip()" + "value": "java.io.CharArrayWriter.toString()" }, { - "command": "TRIM_LEFT()", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", + "target": "O", "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.stripLeading()" + "value": "java.io.CharArrayWriter.write(char[],int,int)" }, { - "command": "TRIM_RIGHT()", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", + "target": "O", "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.stripTrailing()" + "value": "java.io.CharArrayWriter.write(java.lang.String,int,int)" }, { - "command": "SUBSET(P1)", + "command": "APPEND()", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", - "track": "", + "target": "O", + "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.substring(int)" + "value": "java.lang.AbstractStringBuilder.append(java.lang.String)" }, { - "command": "SUBSET(P1,P2)", + "command": "SUBSET(P1,P2,P4)", "created_by": 1, "enable": 1, "ignore_blacklist": false, 
@@ -1485,14 +3244,14 @@ "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", - "track": "", + "target": "P3", + "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.substring(int,int)" + "value": "java.lang.AbstractStringBuilder.getChars(int,int,char[],int)" }, { - "command": "KEEP()", + "command": "SUBSET(0,P1)", "created_by": 1, "enable": 1, "ignore_blacklist": false, @@ -1503,14 +3262,14 @@ "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", - "track": "", + "target": "O", + "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.toCharArray()" + "value": "java.lang.AbstractStringBuilder.setLength(int)" }, { - "command": "KEEP()", + "command": "SUBSET(P1)", "created_by": 1, "enable": 1, "ignore_blacklist": false, @@ -1522,13 +3281,13 @@ "system_type": 1, "tags": [], "target": "R", - "track": "", + "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.toLowerCase(java.util.Locale)" + "value": "java.lang.AbstractStringBuilder.substring(int)" }, { - "command": "KEEP()", + "command": "SUBSET(P1,P2)", "created_by": 1, "enable": 1, "ignore_blacklist": false, @@ -1540,28 +3299,28 @@ "system_type": 1, "tags": [], "target": "R", - "track": "", + "track": "false", "type": 1, "untags": [], - "value": "java.lang.String.toUpperCase(java.util.Locale)" + "value": "java.lang.AbstractStringBuilder.substring(int,int)" }, { - "command": "TRIM()", + "command": "KEEP()", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", - "track": "false", + "target": "O", + "track": "", "type": 1, "untags": [], - "value": "java.lang.String.trim()" + "value": "java.lang.StringBuilder.(java.lang.CharSequence)" }, { "command": "KEEP()", 
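Review bot: The `java.lang.StringBuilder.(java.lang.CharSequence)` entry at the end of this hunk sets `"track": ""`, while the StringBuffer entries rewritten in the `@@ -1057` hunk of this same commit were normalised from `""` to `"track": "false"`, and the StringBuilder hunks that follow (`@@ -1575`, `@@ -1593`, `@@ -1612`, `@@ -1629`, `@@ -1648`, `@@ -1665`) end up mixing both spellings across the append/delete overloads. If the loader treats the field as a string and compares it against `"true"`, an empty value is presumably equivalent to `"false"`, but that is an inference from the diff, not something the rule format guarantees. Using `"track": "false"` on every StringBuilder entry, as the StringBuffer group now does, removes the ambiguity and makes the two groups diff cleanly against each other.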
@@ -1575,14 +3334,14 @@ "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", - "track": "false", + "target": "O", + "track": "", "type": 1, "untags": [], - "value": "java.lang.StringConcatHelper.newString(byte[],int,byte)" + "value": "java.lang.StringBuilder.(java.lang.String)" }, { - "command": "KEEP()", + "command": "APPEND(P2,P3,0)", "created_by": 1, "enable": 1, "ignore_blacklist": false, @@ -1593,14 +3352,14 @@ "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", - "track": "false", + "target": "O", + "track": "", "type": 1, "untags": [], - "value": "java.lang.StringConcatHelper.newString(byte[],long)" + "value": "java.lang.StringBuilder.append(char[],int,int)" }, { - "command": "SUBSET(P2,P3)", + "command": "APPEND()", "created_by": 1, "enable": 1, "ignore_blacklist": false, @@ -1612,13 +3371,13 @@ "system_type": 1, "tags": [], "target": "O", - "track": "false", + "track": "", "type": 1, "untags": [], - "value": "java.lang.StringLatin1$LinesSpliterator.(byte[],int,int)" + "value": "java.lang.StringBuilder.append(java.lang.CharSequence)" }, { - "command": "APPEND(P2,P3,0)", + "command": "APPEND(P2,P3)", "created_by": 1, "enable": 1, "ignore_blacklist": false, @@ -1629,14 +3388,14 @@ "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", - "track": "false", + "target": "O", + "track": "", "type": 1, "untags": [], - "value": "java.lang.StringLatin1.newString(byte[],int,int)" + "value": "java.lang.StringBuilder.append(java.lang.CharSequence,int,int)" }, { - "command": "SUBSET(P2,P3)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, 
@@ -1648,13 +3407,13 @@ "system_type": 1, "tags": [], "target": "O", - "track": "false", + "track": "", "type": 1, "untags": [], - "value": "java.lang.StringUTF16$LinesSpliterator.(byte[],int,int)" + "value": "java.lang.StringBuilder.append(java.lang.Object)" }, { - "command": "APPEND(P2,P3,0)", + "command": "APPEND()", "created_by": 1, "enable": 1, "ignore_blacklist": false, 
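Review bot: `java.lang.StringBuilder.append(java.lang.Object)` in this hunk carries `"command": ""` while every other `append` overload in the neighbouring hunks uses `APPEND()` or `APPEND(P2,P3)`. If the empty command is deliberate because the argument goes through `toString()` and no character offsets can be tracked, a one-off deviation like this deserves to be consistent with whatever the file does for the equivalent `StringBuffer` overload; if it is a copy slip, the entry should read `"command": "APPEND()"` like its siblings. The diff alone does not show which, so please confirm.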
@@ -1665,160 +3424,129 @@ "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", - "track": "false", + "target": "O", + "track": "", "type": 1, "untags": [], - "value": "java.lang.StringUTF16.newString(byte[],int,int)" + "value": "java.lang.StringBuilder.append(java.lang.String)" }, { - "command": "", + "command": "APPEND()", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [ - "sql-encoded" - ], - "target": "R", - "track": "false", + "tags": [], + "target": "O", + "track": "", "type": 1, - "untags": [ - "sql-decoded" - ], - "value": "java.sql.Statement.enquoteIdentifier(java.lang.String,boolean)" + "untags": [], + "value": "java.lang.StringBuilder.append(java.lang.StringBuffer)" }, { - "command": "", + "command": "REMOVE(P1,P2)", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, - "tags": [ - "sql-encoded" - ], - "target": "R", + "tags": [], + "target": "O", "track": "false", "type": 1, - "untags": [ - "sql-decoded" - ], - "value": "java.sql.Statement.enquoteLiteral(java.lang.String)" + "untags": [], + "value": "java.lang.StringBuilder.delete(int,int)" }, { - "command": "", + "command": "REMOVE(P1)", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, - "tags": [ - "sql-encoded" - ], - "target": "R", + "tags": [], + "target": "O", "track": "false", "type": 1, - "untags": [ - "sql-decoded" - ], - "value": "java.sql.Statement.enquoteNCharLiteral(java.lang.String)" + "untags": [], + "value": "java.lang.StringBuilder.deleteCharAt(int)" }, { - "command": "", + "command": 
"SUBSET(P1,P2,P4)", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, - "tags": [ - "ldap-encoded" - ], - "target": "R", + "tags": [], + "target": "P3", "track": "false", "type": 1, - "untags": [ - "ldap-decoded" - ], - "value": "org.owasp.esapi.Encoder.encodeForLDAP(java.lang.String)" + "untags": [], + "value": "java.lang.StringBuilder.getChars(int,int,char[],int)" }, { - "command": "", + "command": "INSERT(P1)", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "P2", "stack_blacklist": [], "system_type": 1, - "tags": [ - "xml-encoded" - ], - "target": "R", + "tags": [], + "target": "O", "track": "false", "type": 1, - "untags": [ - "xml-decoded" - ], - "value": "org.thymeleaf.util.DOMUtils.escapeXml(char[],boolean)" + "untags": [], + "value": "java.lang.StringBuilder.insert(int,char)" }, { - "command": "", + "command": "INSERT(P1)", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "P2", "stack_blacklist": [], "system_type": 1, - "tags": [ - "xml-encoded" - ], - "target": "R", + "tags": [], + "target": "O", "track": "false", "type": 1, - "untags": [ - "xml-decoded" - ], - "value": "org.thymeleaf.util.DOMUtils.escapeXml(java.lang.String,boolean)" - } - ], - "enable": 1, - "type": 1, - "value": "String" - }, - { - "details": [ + "untags": [], + "value": "java.lang.StringBuilder.insert(int,char[])" + }, { - "command": "KEEP()", + "command": "INSERT(P1,P3,P4)", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "P2", "stack_blacklist": [], "system_type": 1, "tags": [], 
@@ -1826,17 +3554,17 @@ "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuffer.(java.lang.CharSequence)" + "value": "java.lang.StringBuilder.insert(int,char[],int,int)" }, { - "command": "KEEP()", + "command": "INSERT(P1)", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "P2", "stack_blacklist": [], "system_type": 1, "tags": [], @@ -1844,17 +3572,17 @@ "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuffer.(java.lang.String)" + "value": "java.lang.StringBuilder.insert(int,java.lang.CharSequence)" }, { - "command": "APPEND()", + "command": "INSERT(P1,P3,P4)", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "P2", "stack_blacklist": [], "system_type": 1, "tags": [], @@ -1862,17 +3590,17 @@ "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuffer.append(char[])" + "value": "java.lang.StringBuilder.insert(int,java.lang.CharSequence,int,int)" }, { - "command": "APPEND(P2,P3,0)", + "command": "INSERT(P1)", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "P2", "stack_blacklist": [], "system_type": 1, "tags": [], @@ -1880,17 +3608,17 @@ "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuffer.append(char[],int,int)" + "value": "java.lang.StringBuilder.insert(int,java.lang.String)" }, { - "command": "APPEND()", + "command": "REPLACE(P1,P2)", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "O|P3", "stack_blacklist": [], "system_type": 1, "tags": [], 
@@ -1898,17 +3626,17 @@ "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuffer.append(java.lang.CharSequence)" + "value": "java.lang.StringBuilder.replace(int,int,java.lang.String)" }, { - "command": "APPEND(P2,P3)", + "command": "SUBSET(0,P1)", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], @@ -1916,46 +3644,46 @@ "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuffer.append(java.lang.CharSequence,int,int)" + "value": "java.lang.StringBuilder.setLength(int)" }, { - "command": "APPEND()", + "command": "SUBSET(P1)", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", + "target": "R", "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuffer.append(java.lang.String)" + "value": "java.lang.StringBuilder.substring(int)" }, { - "command": "APPEND()", + "command": "SUBSET(P1,P2)", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", + "target": "R", "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuffer.append(java.lang.StringBuffer)" + "value": "java.lang.StringBuilder.substring(int,int)" }, { - "command": "REMOVE(P1,P2)", + "command": "SUBSET(P1,P2)", "created_by": 1, "enable": 1, "ignore_blacklist": false, 
@@ -1966,14 +3694,14 @@ "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", + "target": "R", "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuffer.delete(int,int)" + "value": "java.lang.StringBuilder.substring(int,int)" }, { - "command": "REMOVE(P1)", + "command": "KEEP()", "created_by": 1, "enable": 1, "ignore_blacklist": false, @@ -1984,14 +3712,14 @@ "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", - "track": "false", + "target": "R", + "track": "", "type": 1, "untags": [], - "value": "java.lang.StringBuffer.deleteCharAt(int)" + "value": "java.lang.StringBuilder.toString()" }, { - "command": "SUBSET(P1,P2,P4)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, 
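Review bot: `java.lang.StringBuilder.substring(int,int)` now appears twice on the new side — once at the end of the preceding `@@ -1916` hunk and again in this hunk — both with `"command": "SUBSET(P1,P2)"` and `"target": "R"`. This looks like a copy slip while mirroring the StringBuffer group, and a duplicate signature is either redundant or, depending on how the loader handles duplicate keys (not visible here), may be rejected or double-applied. Drop the second entry, or if an overload was meant to go there, give it the intended value.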
@@ -2002,129 +3730,129 @@ "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "P3", + "target": "R", "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuffer.getChars(int,int,char[],int)" + "value": "java.lang.StringTokenizer.nextElement()" }, { - "command": "INSERT(P1)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P2", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", + "target": "R", "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuffer.insert(int,char)" + "value": "java.lang.StringTokenizer.nextToken()" }, { - "command": "INSERT(P1)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P2", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", + "target": "R", "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuffer.insert(int,char[])" + "value": "java.net.IDN.toASCII(java.lang.String,int)" }, { - "command": "INSERT(P1,P3,P4)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P2", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", + "target": "R", "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuffer.insert(int,char[],int,int)" + "value": "java.net.IDN.toUnicode(java.lang.String,int)" }, { - "command": "INSERT(P1)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P2", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", + "target": "R", "track": "false", "type": 1, "untags": [], - "value": 
"java.lang.StringBuffer.insert(int,java.lang.CharSequence)" + "value": "java.nio.channels.Channels.newChannel(java.io.InputStream)" }, { - "command": "INSERT(P1,P3,P4)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P2", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", + "target": "P1", "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuffer.insert(int,java.lang.CharSequence,int,int)" + "value": "java.nio.channels.ReadableByteChannel.read(java.nio.ByteBuffer)" }, { - "command": "INSERT(P1)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P2", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", + "target": "P1", "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuffer.insert(int,java.lang.String)" + "value": "java.security.SecureRandom.nextBytes(byte[])" }, { - "command": "REPLACE(P1,P2)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O|P3", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], @@ -2132,17 +3860,17 @@ "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuffer.replace(int,int,java.lang.String)" + "value": "java.util.StringTokenizer.(java.lang.String)" }, { - "command": "SUBSET(0,P1)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], 
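Review bot: The new `java.security.SecureRandom.nextBytes(byte[])` propagator (`"source": "O"`, `"target": "P1"`) would transfer taint from the generator object to the freshly generated random bytes, which are not derived from anything the caller fed in, so any taint that ever reaches a `SecureRandom` instance would spread to output that is by construction attacker-independent. Unless the engine deliberately relies on this (for example to follow seed provenance), I would drop the entry or give it the same non-propagating shape the engine uses elsewhere. The neighbouring `ReadableByteChannel.read(java.nio.ByteBuffer)` rule with `"target": "P1"` is fine, since the buffer really is the output there.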
@@ -2150,43 +3878,43 @@ "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuffer.setLength(int)" + "value": "java.util.StringTokenizer.(java.lang.String,java.lang.String)" }, { - "command": "SUBSET(P1)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", + "target": "O", "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuffer.substring(int)" + "value": "java.util.StringTokenizer.(java.lang.String,java.lang.String,boolean)" }, { - "command": "SUBSET(P1,P2)", + "command": "KEEP()", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P2", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", + "target": "O", "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuffer.substring(int,int)" + "value": "java.util.logging.LogRecord.(java.util.logging.Level,java.lang.String)" }, { "command": "KEEP()", @@ -2204,17 +3932,10 @@ "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuffer.toString()" - } - ], - "enable": 1, - "type": 1, - "value": "StringBuffer" - }, - { - "details": [ + "value": "java.util.logging.LogRecord.getMessage()" + }, { - "command": "", + "command": "KEEP()", "created_by": 1, "enable": 1, "ignore_blacklist": false, @@ -2225,14 +3946,14 @@ "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", + "target": "O", "track": "false", "type": 1, "untags": [], - "value": "com.github.pagehelper.parser.CountSqlParser.getSmartCountSql(java.lang.String,java.lang.String)" + "value": "java.util.logging.LogRecord.setMessage(java.lang.String)" }, { - "command": "APPEND()", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, 
@@ -2242,87 +3963,103 @@ "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], - "target": "O", + "tags": [ + "html-encoded" + ], + "target": "R", "track": "false", "type": 1, - "untags": [], - "value": "java.lang.AbstractStringBuilder.append(java.lang.String)" + "untags": [ + "html-decoded" + ], + "value": "nu.xom.Attribute.escapeText(java.lang.String)" }, { - "command": "SUBSET(P1,P2,P4)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "P3", + "target": "R", "track": "false", "type": 1, "untags": [], - "value": "java.lang.AbstractStringBuilder.getChars(int,int,char[],int)" + "value": "org.apache.catalina.connector.Request.unescape(java.lang.String)" }, { - "command": "SUBSET(0,P1)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], - "target": "O", + "tags": [ + "html-encoded" + ], + "target": "R", "track": "false", "type": 1, - "untags": [], - "value": "java.lang.AbstractStringBuilder.setLength(int)" + "untags": [ + "html-decoded" + ], + "value": "org.apache.commons.lang.StringEscapeUtils.escapeJavaScript(java.lang.String)" }, { - "command": "SUBSET(P1)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], + "tags": [ + "sql-encoded" + ], "target": "R", "track": "false", "type": 1, - "untags": [], - "value": "java.lang.AbstractStringBuilder.substring(int)" + "untags": [ + "sql-decoded" + ], + "value": "org.apache.commons.lang.StringEscapeUtils.escapeSQL(java.lang.String)" }, { - "command": "SUBSET(P1,P2)", + "command": 
"", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], + "tags": [ + "html-decoded" + ], "target": "R", "track": "false", "type": 1, - "untags": [], - "value": "java.lang.AbstractStringBuilder.substring(int,int)" + "untags": [ + "html-encoded" + ], + "value": "org.apache.commons.lang.StringEscapeUtils.unescapeJavaScript(java.lang.String)" }, { - "command": "KEEP()", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, 
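Review bot: `org.apache.commons.lang.StringEscapeUtils.escapeJavaScript(java.lang.String)` is tagged `"html-encoded"` (untagging `"html-decoded"`), but JavaScript string escaping only backslash-escapes quotes and control characters, so a value that went through it is still dangerous in an HTML sink and this tag would make the engine treat it as safe there; the mirrored `unescapeJavaScript` entry carries the same mismatch. The sibling `escapeEcmaScript` rule in the next hunk carries no tag at all, and I would make `escapeJavaScript`/`unescapeJavaScript` consistent with it (`"tags": []`, `"untags": []`) or use a JavaScript-specific tag if the engine defines one. Separately, the `escapeSQL` entry will never match if the commons-lang method is spelled `escapeSql` as I recall (JVM method names are case-sensitive), and that helper only doubles single quotes, so `"sql-encoded"` overstates what it neutralises.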
@@ -2333,84 +4070,105 @@ "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", - "track": "", + "target": "R", + "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuilder.(java.lang.CharSequence)" + "value": "org.apache.commons.lang3.StringEscapeUtils.escapeEcmaScript(java.lang.String)" }, { - "command": "KEEP()", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", - "track": "", + "target": "R", + "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuilder.(java.lang.String)" - }, + "value": "sun.net.www.protocol.http.HttpURLConnection.getInputStream()" + } + ], + "enable": 1, + "type": 1, + "value": "StringBuilder" + }, + { + "details": [ { - "command": "APPEND(P2,P3,0)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "true", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", - "track": "", - "type": 1, + "target": "R", + "track": "false", + "type": 2, "untags": [], - "value": "java.lang.StringBuilder.append(char[],int,int)" - }, + "value": "org.apache.struts2.dispatcher.multipart.MultiPartRequest.getParameterValues(java.lang.String)" + } + ], + "enable": 1, + "type": 2, + "value": "Struts2" + }, + { + "details": [ { - "command": "APPEND()", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", - "track": "", - "type": 1, + "target": "", + "track": "true", + "type": 4, "untags": [], - "value": "java.lang.StringBuilder.append(java.lang.CharSequence)" + "value": 
"org.thymeleaf.standard.expression.Expression.parse(java.lang.String)" }, { - "command": "APPEND(P2,P3)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "true", "language": 1, - "source": "P1", + "source": "P2", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", - "track": "", - "type": 1, + "target": "", + "track": "true", + "type": 4, "untags": [], - "value": "java.lang.StringBuilder.append(java.lang.CharSequence,int,int)" - }, + "value": "org.thymeleaf.standard.expression.IStandardExpressionParser.parseExpression(org.thymeleaf.context.IExpressionContext,java.lang.String)" + } + ], + "enable": 1, + "type": 4, + "value": "Thymeleaf\u6a21\u7248\u6ce8\u5165" + }, + { + "details": [ { "command": "", "created_by": 1, 
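Review bot: The Thymeleaf `Expression.parse(java.lang.String)` sink uses `"inherit": "all"`, whereas every other entry on this page uses the strings `"true"` or `"false"`; if the loader compares against those two values, `"all"` may silently fall through to no inheritance or fail validation, so either normalise it to `"true"` like the `parseExpression` entry that follows or confirm the loader accepts `"all"`. The group that closes at `"value": "StringBuilder"` in this hunk now also holds `StringTokenizer`, `IDN`, `Channels`, `SecureRandom`, `LogRecord`, `HttpURLConnection` and the escape helpers, so the label no longer describes its contents; a neutral name or a split would help whoever maintains these rules. The new group label `Thymeleaf\u6a21\u7248\u6ce8\u5165` is in Chinese while the other labels are English; pick one language for rule names.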
@@ -2424,74 +4182,74 @@ "system_type": 1, "tags": [], "target": "O", - "track": "", + "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuilder.append(java.lang.Object)" + "value": "java.net.URI.(java.lang.String)" }, { - "command": "APPEND()", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "P1,2,3", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "O", - "track": "", + "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuilder.append(java.lang.String)" + "value": "java.net.URI.(java.lang.String,java.lang.String,java.lang.String)" }, { - "command": "APPEND()", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "P1,2,3,5,6,7", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "O", - "track": "", + "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuilder.append(java.lang.StringBuffer)" + "value": "java.net.URI.(java.lang.String,java.lang.String,java.lang.String,int,java.lang.String,java.lang.String,java.lang.String)" }, { - "command": "REMOVE(P1,P2)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P1,2,3,4", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", + "target": "R", "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuilder.delete(int,int)" + "value": "java.net.URI.(java.lang.String,java.lang.String,java.lang.String,java.lang.String)" }, { - "command": "REMOVE(P1)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P1,2,3,4,5", "stack_blacklist": [], "system_type": 1, "tags": 
[], @@ -2499,10 +4257,10 @@ "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuilder.deleteCharAt(int)" + "value": "java.net.URI.(java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String)" }, { - "command": "SUBSET(P1,P2,P4)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, @@ -2513,39 +4271,46 @@ "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "P3", + "target": "R", "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuilder.getChars(int,int,char[],int)" + "value": "java.net.URI.toURL()" }, { - "command": "INSERT(P1)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "true", "language": 1, - "source": "P2", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", + "target": "R", "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuilder.insert(int,char)" - }, + "value": "java.nio.file.spi.FileSystemProvider.getPath(java.net.URI)" + } + ], + "enable": 1, + "type": 1, + "value": "URI" + }, + { + "details": [ { - "command": "INSERT(P1)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P2", + "source": "P1,2,4", "stack_blacklist": [], "system_type": 1, "tags": [], @@ -2553,17 +4318,17 @@ "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuilder.insert(int,char[])" + "value": "java.net.URL.(java.lang.String,java.lang.String,int,java.lang.String,java.net.URLStreamHandler)" }, { - "command": "INSERT(P1,P3,P4)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P2", + "source": "P1,2", "stack_blacklist": [], "system_type": 1, "tags": [], 
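Review bot: The four-argument `java.net.URI` constructor (rendered here as `java.net.URI.(java.lang.String,java.lang.String,java.lang.String,java.lang.String)`, presumably with the `<init>` name lost in display) is given `"target": "R"`, while the one-, three- and seven-argument constructors in the same hunk use `"target": "O"`; a constructor has no return value, so I would expect `R` to leave the new `URI` untainted. Suggest `"target": "O"` for consistency with its siblings. The five-argument constructor's target line falls between hunks and is not visible here, so please check it as well.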
@@ -2571,174 +4336,212 @@ "track": "false", "type": 1, "untags": [], - "value": "java.lang.StringBuilder.insert(int,char[],int,int)" + "value": "java.net.URL.(java.net.URL,java.lang.String,java.net.URLStreamHandler)" }, { - "command": "INSERT(P1)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P2", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], - "target": "O", + "tags": [ + "url-decoded" + ], + "target": "R", "track": "false", "type": 1, - "untags": [], - "value": "java.lang.StringBuilder.insert(int,java.lang.CharSequence)" + "untags": [ + "url-encoded", + "xss-encoded" + ], + "value": "java.net.URLDecoder.decode(java.lang.String,java.lang.String)" }, { - "command": "INSERT(P1,P3,P4)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P2", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], - "target": "O", + "tags": [ + "url-decoded" + ], + "target": "R", "track": "false", "type": 1, - "untags": [], - "value": "java.lang.StringBuilder.insert(int,java.lang.CharSequence,int,int)" + "untags": [ + "url-encoded", + "xss-encoded" + ], + "value": "java.net.URLDecoder.decode(java.lang.String,java.nio.charset.Charset)" }, { - "command": "INSERT(P1)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P2", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], - "target": "O", + "tags": [ + "url-encoded" + ], + "target": "R", "track": "false", "type": 1, - "untags": [], - "value": "java.lang.StringBuilder.insert(int,java.lang.String)" + "untags": [ + "url-decoded" + ], + "value": "java.net.URLEncoder.encode(java.lang.String,java.lang.String)" }, { - "command": "REPLACE(P1,P2)", + "command": "", "created_by": 1, 
"enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O|P3", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], - "target": "O", + "tags": [ + "url-encoded" + ], + "target": "R", "track": "false", "type": 1, - "untags": [], - "value": "java.lang.StringBuilder.replace(int,int,java.lang.String)" + "untags": [ + "url-decoded" + ], + "value": "java.net.URLEncoder.encode(java.lang.String,java.nio.charset.Charset)" }, { - "command": "SUBSET(0,P1)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "true", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], - "target": "O", + "tags": [ + "url-encoded" + ], + "target": "R", "track": "false", "type": 1, - "untags": [], - "value": "java.lang.StringBuilder.setLength(int)" + "untags": [ + "url-decoded" + ], + "value": "javax.servlet.http.HttpServletResponse.encodeRedirectURL(java.lang.String)" }, { - "command": "SUBSET(P1)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "true", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], + "tags": [ + "url-encoded" + ], "target": "R", "track": "false", "type": 1, - "untags": [], - "value": "java.lang.StringBuilder.substring(int)" + "untags": [ + "url-decoded" + ], + "value": "javax.servlet.http.HttpServletResponse.encodeRedirectUrl(java.lang.String)" }, { - "command": "SUBSET(P1,P2)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "true", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], + "tags": [ + "url-encoded" + ], "target": "R", "track": "false", "type": 1, - "untags": [], - "value": 
"java.lang.StringBuilder.substring(int,int)" + "untags": [ + "url-decoded" + ], + "value": "javax.servlet.http.HttpServletResponse.encodeURL(java.lang.String)" }, { - "command": "SUBSET(P1,P2)", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "true", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], + "tags": [ + "url-encoded" + ], "target": "R", "track": "false", "type": 1, - "untags": [], - "value": "java.lang.StringBuilder.substring(int,int)" + "untags": [ + "url-decoded" + ], + "value": "javax.servlet.http.HttpServletResponse.encodeUrl(java.lang.String)" }, { - "command": "KEEP()", + "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], + "tags": [ + "url-encoded" + ], "target": "R", - "track": "", + "track": "false", "type": 1, - "untags": [], - "value": "java.lang.StringBuilder.toString()" + "untags": [ + "url-decoded" + ], + "value": "org.apache.catalina.util.URLEncoder.encode(java.lang.String)" } ], "enable": 1, "type": 1, - "value": "StringBuilder" + "value": "URL" }, { "details": [ 
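Review bot: The four `javax.servlet.http.HttpServletResponse.encodeURL`/`encodeRedirectURL`/`encodeUrl`/`encodeRedirectUrl` entries are tagged `"url-encoded"` and untag `"url-decoded"`, but those Servlet methods perform session-id URL rewriting (appending `;jsessionid=…` when cookies are unavailable), not percent-encoding, so a tainted URL passed through them is still tainted for redirect or header sinks and this tag would suppress the finding. I would keep them as plain propagators, `"tags": []` and `"untags": []`, and reserve `"url-encoded"` for `java.net.URLEncoder.encode` and `org.apache.catalina.util.URLEncoder.encode`, which do encode. The `URLDecoder.decode` rules untagging `"xss-encoded"` alongside `"url-encoded"` look right, since decoding can reintroduce markup.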
@@ -2748,25 +4551,22 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, - "source": "P1", + "source": "P2", "stack_blacklist": [], "system_type": 1, - "tags": [], - "target": "R", + "tags": [ + "html-encoded" + ], + "target": "P1", "track": "false", - "type": 2, - "untags": [], - "value": "org.apache.struts2.dispatcher.multipart.MultiPartRequest.getParameterValues(java.lang.String)" - } - ], - "enable": 1, - "type": 2, - "value": "Struts2" - }, - { - "details": [ + "type": 1, + "untags": [ + "html-decoded" + ], + "value": "org.apache.commons.lang.StringEscapeUtils.escapeHtml(java.io.Writer,java.lang.String)" + }, { "command": "", "created_by": 1, @@ -2778,12 +4578,16 @@ "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], - "target": "O", - "track": "false", + "tags": [ + "html-encoded" + ], + "target": "R", + "track": "", "type": 1, - "untags": [], - "value": "java.net.URI.(java.lang.String)" + "untags": [ + "html-decoded" + ], + "value": "org.apache.commons.lang.StringEscapeUtils.escapeHtml(java.lang.String)" }, { "command": "", @@ -2793,15 +4597,19 @@ "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1,2,3", + "source": "P2", "stack_blacklist": [], "system_type": 1, - "tags": [], - "target": "O", + "tags": [ + "xss-encoded" + ], + "target": "P1", "track": "false", "type": 1, - "untags": [], - "value": "java.net.URI.(java.lang.String,java.lang.String,java.lang.String)" + "untags": [ + "xml-decoded" + ], + "value": "org.apache.commons.lang.StringEscapeUtils.escapeXml(java.io.Writer,java.lang.String)" }, { "command": "", 
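Review bot: `org.apache.commons.lang.StringEscapeUtils.escapeXml(java.io.Writer,java.lang.String)` is tagged `"xss-encoded"` while its `String` overload in the next hunk and the `lang3` `escapeXml*` rules are tagged `"xml-encoded"` (all untag `"xml-decoded"`); the two overloads perform the same escaping, so the Writer one should read `"tags": ["xml-encoded"]` unless `xss-encoded` was chosen deliberately. The `escapeHtml(java.lang.String)` entry also has `"track": ""` where its Writer overload and most rules on the page use `"false"`; normalising it avoids depending on how the loader treats the empty string. The Writer overloads' `"source": "P2"`/`"target": "P1"` mapping (string in, writer out) looks right.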
@@ -2811,15 +4619,19 @@ "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1,2,3,5,6,7", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], - "target": "O", + "tags": [ + "xml-encoded" + ], + "target": "R", "track": "false", "type": 1, - "untags": [], - "value": "java.net.URI.(java.lang.String,java.lang.String,java.lang.String,int,java.lang.String,java.lang.String,java.lang.String)" + "untags": [ + "xml-decoded" + ], + "value": "org.apache.commons.lang.StringEscapeUtils.escapeXml(java.lang.String)" }, { "command": "", @@ -2829,15 +4641,19 @@ "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1,2,3,4,5", + "source": "P2", "stack_blacklist": [], "system_type": 1, - "tags": [], - "target": "O", + "tags": [ + "html-decoded" + ], + "target": "P1", "track": "false", "type": 1, - "untags": [], - "value": "java.net.URI.(java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String)" + "untags": [ + "html-encoded" + ], + "value": "org.apache.commons.lang.StringEscapeUtils.unescapeHtml(java.io.Writer,java.lang.String)" }, { "command": "", @@ -2847,23 +4663,20 @@ "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], + "tags": [ + "html-decoded" + ], "target": "R", "track": "false", "type": 1, - "untags": [], - "value": "java.net.URI.toURL()" - } - ], - "enable": 1, - "type": 1, - "value": "URI" - }, - { - "details": [ + "untags": [ + "html-encoded" + ], + "value": "org.apache.commons.lang.StringEscapeUtils.unescapeHtml(java.lang.String)" + }, { "command": "", "created_by": 1, 
@@ -2872,15 +4685,19 @@ "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1,2,4", + "source": "P2", "stack_blacklist": [], "system_type": 1, - "tags": [], - "target": "O", + "tags": [ + "xml-decoded" + ], + "target": "P1", "track": "false", "type": 1, - "untags": [], - "value": "java.net.URL.(java.lang.String,java.lang.String,int,java.lang.String,java.net.URLStreamHandler)" + "untags": [ + "xml-encoded" + ], + "value": "org.apache.commons.lang.StringEscapeUtils.unescapeXml(java.io.Writer,java.lang.String)" }, { "command": "", @@ -2890,15 +4707,19 @@ "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1,2", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [], - "target": "O", + "tags": [ + "xml-decoded" + ], + "target": "R", "track": "false", "type": 1, - "untags": [], - "value": "java.net.URL.(java.net.URL,java.lang.String,java.net.URLStreamHandler)" + "untags": [ + "xml-encoded" + ], + "value": "org.apache.commons.lang.StringEscapeUtils.unescapeXml(java.lang.String)" }, { "command": "", @@ -2912,16 +4733,15 @@ "stack_blacklist": [], "system_type": 1, "tags": [ - "url-decoded" + "html-encoded" ], "target": "R", "track": "false", "type": 1, "untags": [ - "url-encoded", - "xss-encoded" + "html-decoded" ], - "value": "java.net.URLDecoder.decode(java.lang.String,java.lang.String)" + "value": "org.apache.commons.lang3.StringEscapeUtils.escapeHtml3(java.lang.String)" }, { "command": "", @@ -2935,16 +4755,15 @@ "stack_blacklist": [], "system_type": 1, "tags": [ - "url-decoded" + "html-encoded" ], "target": "R", "track": "false", "type": 1, "untags": [ - "url-encoded", - "xss-encoded" + "html-decoded" ], - "value": "java.net.URLDecoder.decode(java.lang.String,java.nio.charset.Charset)" + "value": "org.apache.commons.lang3.StringEscapeUtils.escapeHtml4(java.lang.String)" }, { "command": "", 
@@ -2958,15 +4777,15 @@ "stack_blacklist": [], "system_type": 1, "tags": [ - "url-encoded" + "xml-encoded" ], "target": "R", "track": "false", "type": 1, "untags": [ - "url-decoded" + "xml-decoded" ], - "value": "java.net.URLEncoder.encode(java.lang.String,java.lang.String)" + "value": "org.apache.commons.lang3.StringEscapeUtils.escapeXml(java.lang.String)" }, { "command": "", @@ -2980,15 +4799,15 @@ "stack_blacklist": [], "system_type": 1, "tags": [ - "url-encoded" + "xml-encoded" ], "target": "R", "track": "false", "type": 1, "untags": [ - "url-decoded" + "xml-decoded" ], - "value": "java.net.URLEncoder.encode(java.lang.String,java.nio.charset.Charset)" + "value": "org.apache.commons.lang3.StringEscapeUtils.escapeXml10(java.lang.String)" }, { "command": "", @@ -2996,21 +4815,21 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [ - "url-encoded" + "xml-encoded" ], "target": "R", "track": "false", "type": 1, "untags": [ - "url-decoded" + "xml-decoded" ], - "value": "javax.servlet.http.HttpServletResponse.encodeRedirectURL(java.lang.String)" + "value": "org.apache.commons.lang3.StringEscapeUtils.escapeXml11(java.lang.String)" }, { "command": "", @@ -3018,21 +4837,21 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [ - "url-encoded" + "html-decoded" ], "target": "R", "track": "false", "type": 1, "untags": [ - "url-decoded" + "html-encoded" ], - "value": "javax.servlet.http.HttpServletResponse.encodeRedirectUrl(java.lang.String)" + "value": "org.apache.commons.lang3.StringEscapeUtils.unescapeHtml3(java.lang.String)" }, { "command": "", 
@@ -3040,21 +4859,21 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [ - "url-encoded" + "html-decoded" ], "target": "R", "track": "false", "type": 1, "untags": [ - "url-decoded" + "html-encoded" ], - "value": "javax.servlet.http.HttpServletResponse.encodeURL(java.lang.String)" + "value": "org.apache.commons.lang3.StringEscapeUtils.unescapeHtml4(java.lang.String)" }, { "command": "", @@ -3062,21 +4881,21 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [ - "url-encoded" + "xml-decoded" ], "target": "R", "track": "false", "type": 1, "untags": [ - "url-decoded" + "xml-encoded" ], - "value": "javax.servlet.http.HttpServletResponse.encodeUrl(java.lang.String)" + "value": "org.apache.commons.lang3.StringEscapeUtils.unescapeXml(java.lang.String)" }, { "command": "", @@ -3090,20 +4909,20 @@ "stack_blacklist": [], "system_type": 1, "tags": [ - "url-encoded" + "xml-encoded" ], "target": "R", "track": "false", "type": 1, "untags": [ - "url-decoded" + "xml-decoded" ], - "value": "org.apache.catalina.util.URLEncoder.encode(java.lang.String)" + "value": "org.apache.taglibs.standard.tag.common.core.Util.escapeXml(java.lang.String)" } ], "enable": 1, "type": 1, - "value": "URL" + "value": "apache-filter" }, { "details": [ 
@@ -3115,19 +4934,15 @@ "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P2", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [ - "html-encoded" - ], - "target": "P1", - "track": "false", + "tags": [], + "target": "R", + "track": "", "type": 1, - "untags": [ - "html-decoded" - ], - "value": "org.apache.commons.lang.StringEscapeUtils.escapeHtml(java.io.Writer,java.lang.String)" + "untags": [], + "value": "java.util.Base64$Decoder.decode(byte[])" }, { "command": "", @@ -3140,16 +4955,30 @@ "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [ - "html-encoded" - ], + "tags": [], + "target": "P2", + "track": "", + "type": 1, + "untags": [], + "value": "java.util.Base64$Decoder.decode(byte[],byte[])" + }, + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], "target": "R", "track": "", "type": 1, - "untags": [ - "html-decoded" - ], - "value": "org.apache.commons.lang.StringEscapeUtils.escapeHtml(java.lang.String)" + "untags": [], + "value": "java.util.Base64$Decoder.decode(java.lang.String)" }, { "command": "", @@ -3159,19 +4988,15 @@ "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P2", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [ - "xss-encoded" - ], - "target": "P1", - "track": "false", + "tags": [], + "target": "R", + "track": "", "type": 1, - "untags": [ - "xml-decoded" - ], - "value": "org.apache.commons.lang.StringEscapeUtils.escapeXml(java.io.Writer,java.lang.String)" + "untags": [], + "value": "java.util.Base64$Decoder.decode(java.nio.ByteBuffer)" }, { "command": "", 
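Review bot: The new `base64-dec` entries all carry `"track": ""`, while this same commit normalises `""` to `"false"` elsewhere (the URI and StringBuilder hunks above), so these look like they missed the normalisation; I would set `"track": "false"` here too rather than rely on the loader treating the empty string as false. None of the decoders untag anything, so a value that arrived tagged `"html-encoded"` or `"url-encoded"` keeps that tag after Base64 decoding even though the decoded bytes are arbitrary; if tags are inherited through propagators (I cannot tell from this file), these rules should untag the encoding tags, e.g. `"untags": ["html-encoded", "url-encoded", "xml-encoded"]`. The `decode(byte[],byte[])` entry's `"target": "P2"` (the output buffer) is correct.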
@@ -3184,16 +5009,12 @@ "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [ - "xml-encoded" - ], + "tags": [], "target": "R", - "track": "false", + "track": "", "type": 1, - "untags": [ - "xml-decoded" - ], - "value": "org.apache.commons.lang.StringEscapeUtils.escapeXml(java.lang.String)" + "untags": [], + "value": "org.apache.commons.codec.binary.Base64.decode(byte[],int,int,org.apache.commons.codec.binary.BaseNCodec$Context)" }, { "command": "", @@ -3203,19 +5024,15 @@ "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P2", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [ - "html-decoded" - ], - "target": "P1", - "track": "false", + "tags": [], + "target": "R", + "track": "", "type": 1, - "untags": [ - "html-encoded" - ], - "value": "org.apache.commons.lang.StringEscapeUtils.unescapeHtml(java.io.Writer,java.lang.String)" + "untags": [], + "value": "org.apache.commons.codec.binary.Base64.decodeBase64(byte[])" }, { "command": "", @@ -3228,16 +5045,12 @@ "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [ - "html-decoded" - ], + "tags": [], "target": "R", - "track": "false", + "track": "", "type": 1, - "untags": [ - "html-encoded" - ], - "value": "org.apache.commons.lang.StringEscapeUtils.unescapeHtml(java.lang.String)" + "untags": [], + "value": "org.apache.commons.codec.binary.Base64.decodeBase64(java.lang.String)" }, { "command": "", @@ -3247,19 +5060,15 @@ "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P2", + "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [ - "xml-decoded" - ], - "target": "P1", - "track": "false", + "tags": [], + "target": "R", + "track": "", "type": 1, - "untags": [ - "xml-encoded" - ], - "value": "org.apache.commons.lang.StringEscapeUtils.unescapeXml(java.io.Writer,java.lang.String)" + "untags": [], + "value": "org.apache.commons.codec.binary.Base64.decodeInteger(byte[])" }, { "command": "", 
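Review bot: `org.apache.commons.codec.binary.Base64.decode(byte[],int,int,org.apache.commons.codec.binary.BaseNCodec$Context)` is given `"target": "R"`, but as far as I recall that overload is the internal `void` hook that writes decoded bytes into the `Context` buffer, so there is no return value to taint and the rule would never propagate. If that is right, the target should be `"P4"` (the context) or the entry dropped in favour of the public `decodeBase64`/`decode(byte[])` rules below, which already cover callers. The other entries in this hunk (`decodeBase64`, `decodeInteger`) return their result, so `"R"` is correct for them.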
@@ -3267,21 +5076,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "true", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [ - "xml-decoded" - ], + "tags": [], "target": "R", - "track": "false", + "track": "", "type": 1, - "untags": [ - "xml-encoded" - ], - "value": "org.apache.commons.lang.StringEscapeUtils.unescapeXml(java.lang.String)" + "untags": [], + "value": "org.apache.commons.codec.binary.BaseNCodec.decode(byte[])" }, { "command": "", @@ -3289,21 +5094,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "true", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [ - "html-encoded" - ], + "tags": [], "target": "R", - "track": "false", + "track": "", "type": 1, - "untags": [ - "html-decoded" - ], - "value": "org.apache.commons.lang3.StringEscapeUtils.escapeHtml3(java.lang.String)" + "untags": [], + "value": "org.apache.commons.codec.binary.BaseNCodec.decode(java.lang.Object)" }, { "command": "", @@ -3311,22 +5112,25 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "true", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [ - "html-encoded" - ], + "tags": [], "target": "R", - "track": "false", + "track": "", "type": 1, - "untags": [ - "html-decoded" - ], - "value": "org.apache.commons.lang3.StringEscapeUtils.escapeHtml4(java.lang.String)" - }, + "untags": [], + "value": "org.apache.commons.codec.binary.BaseNCodec.decode(java.lang.String)" + } + ], + "enable": 1, + "type": 1, + "value": "base64-dec" + }, + { + "details": [ { "command": "", "created_by": 1, 
@@ -3338,16 +5142,12 @@ "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [ - "xml-encoded" - ], + "tags": [], "target": "R", - "track": "false", + "track": "", "type": 1, - "untags": [ - "xml-decoded" - ], - "value": "org.apache.commons.lang3.StringEscapeUtils.escapeXml(java.lang.String)" + "untags": [], + "value": "java.util.Base64$Encoder.encode(byte[])" }, { "command": "", @@ -3360,16 +5160,12 @@ "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [ - "xml-encoded" - ], - "target": "R", - "track": "false", + "tags": [], + "target": "P2", + "track": "", "type": 1, - "untags": [ - "xml-decoded" - ], - "value": "org.apache.commons.lang3.StringEscapeUtils.escapeXml10(java.lang.String)" + "untags": [], + "value": "java.util.Base64$Encoder.encode(byte[],byte[])" }, { "command": "", @@ -3382,16 +5178,12 @@ "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [ - "xml-encoded" - ], + "tags": [], "target": "R", - "track": "false", + "track": "", "type": 1, - "untags": [ - "xml-decoded" - ], - "value": "org.apache.commons.lang3.StringEscapeUtils.escapeXml11(java.lang.String)" + "untags": [], + "value": "java.util.Base64$Encoder.encode(java.nio.ByteBuffer)" }, { "command": "", @@ -3404,16 +5196,12 @@ "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [ - "html-decoded" - ], + "tags": [], "target": "R", - "track": "false", + "track": "", "type": 1, - "untags": [ - "html-encoded" - ], - "value": "org.apache.commons.lang3.StringEscapeUtils.unescapeHtml3(java.lang.String)" + "untags": [], + "value": "java.util.Base64$Encoder.encodeToString(byte[])" }, { "command": "", 
@@ -3426,16 +5214,12 @@ "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [ - "html-decoded" - ], + "tags": [], "target": "R", - "track": "false", + "track": "", "type": 1, - "untags": [ - "html-encoded" - ], - "value": "org.apache.commons.lang3.StringEscapeUtils.unescapeHtml4(java.lang.String)" + "untags": [], + "value": "org.apache.commons.codec.binary.Base64.encodeBase64(byte[])" }, { "command": "", @@ -3448,16 +5232,12 @@ "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [ - "xml-decoded" - ], + "tags": [], "target": "R", - "track": "false", + "track": "", "type": 1, - "untags": [ - "xml-encoded" - ], - "value": "org.apache.commons.lang3.StringEscapeUtils.unescapeXml(java.lang.String)" + "untags": [], + "value": "org.apache.commons.codec.binary.Base64.encodeBase64(byte[],boolean)" }, { "command": "", @@ -3470,24 +5250,13 @@ "source": "P1", "stack_blacklist": [], "system_type": 1, - "tags": [ - "xml-encoded" - ], + "tags": [], "target": "R", - "track": "false", + "track": "", "type": 1, - "untags": [ - "xml-decoded" - ], - "value": "org.apache.taglibs.standard.tag.common.core.Util.escapeXml(java.lang.String)" - } - ], - "enable": 1, - "type": 1, - "value": "apache-filter" - }, - { - "details": [ + "untags": [], + "value": "org.apache.commons.codec.binary.Base64.encodeBase64(byte[],boolean,boolean)" + }, { "command": "", "created_by": 1, @@ -3504,7 +5273,7 @@ "track": "", "type": 1, "untags": [], - "value": "java.util.Base64$Decoder.decode(byte[])" + "value": "org.apache.commons.codec.binary.Base64.encodeBase64(byte[],boolean,boolean,int)" }, { "command": "", 
@@ -3512,17 +5281,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "true", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "P2", + "target": "R", "track": "", "type": 1, "untags": [], - "value": "java.util.Base64$Decoder.decode(byte[],byte[])" + "value": "org.apache.commons.codec.binary.BaseNCodec.encode(byte[])" }, { "command": "", @@ -3530,7 +5299,7 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "true", "language": 1, "source": "P1", "stack_blacklist": [], @@ -3540,7 +5309,7 @@ "track": "", "type": 1, "untags": [], - "value": "java.util.Base64$Decoder.decode(java.lang.String)" + "value": "org.apache.commons.codec.binary.BaseNCodec.encode(byte[],int,int)" }, { "command": "", @@ -3548,7 +5317,7 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "true", "language": 1, "source": "P1", "stack_blacklist": [], @@ -3558,7 +5327,7 @@ "track": "", "type": 1, "untags": [], - "value": "java.util.Base64$Decoder.decode(java.nio.ByteBuffer)" + "value": "org.apache.commons.codec.binary.BaseNCodec.encode(java.lang.Object)" }, { "command": "", @@ -3566,7 +5335,7 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "true", "language": 1, "source": "P1", "stack_blacklist": [], @@ -3576,7 +5345,7 @@ "track": "", "type": 1, "untags": [], - "value": "org.apache.commons.codec.binary.Base64.decode(byte[],int,int,org.apache.commons.codec.binary.BaseNCodec$Context)" + "value": "org.apache.commons.codec.binary.BaseNCodec.encodeAsString(byte[])" }, { "command": "", @@ -3584,7 +5353,7 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "true", "language": 1, "source": "P1", "stack_blacklist": [], 
@@ -3594,7 +5363,32 @@ "track": "", "type": 1, "untags": [], - "value": "org.apache.commons.codec.binary.Base64.decodeBase64(byte[])" + "value": "org.apache.commons.codec.binary.BaseNCodec.encodeToString(byte[])" + } + ], + "enable": 1, + "type": 1, + "value": "base64-enc" + }, + { + "details": [ + { + "command": "", + "created_by": 1, + "enable": 1, + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "language": 1, + "source": "P1", + "stack_blacklist": [], + "system_type": 1, + "tags": [], + "target": "", + "track": "true", + "type": 4, + "untags": [], + "value": "java.awt.Desktop.browse(java.net.URI)" }, { "command": "", @@ -3602,17 +5396,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "true", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", - "track": "", - "type": 1, + "target": "", + "track": "true", + "type": 4, "untags": [], - "value": "org.apache.commons.codec.binary.Base64.decodeBase64(java.lang.String)" + "value": "java.lang.ProcessImpl.start(java.lang.String[],java.util.Map,java.lang.String,boolean)" }, { "command": "", @@ -3622,15 +5416,15 @@ "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "P1,2", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", - "track": "", - "type": 1, + "target": "", + "track": "true", + "type": 4, "untags": [], - "value": "org.apache.commons.codec.binary.Base64.decodeInteger(byte[])" + "value": "java.lang.ProcessImpl.start(java.lang.String[],java.util.Map,java.lang.String,java.lang.ProcessBuilder$Redirect[],boolean)" }, { "command": "", 
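Review bot: The two `java.lang.ProcessImpl.start(...)` sinks in the `cmd-injection` group disagree on which parameters are tracked: the four-argument overload in hunk `@@ -3602,17 +5396,17 @@` has `"source": "P1"`, while the five-argument overload in the next hunk has `"source": "P1,2"`. In both overloads the second parameter is the environment map (the five-argument form only adds the `Redirect[]` array), so a tainted environment reaching the older entry point is not reported. Unless there is a deliberate reason to ignore the environment there, the four-argument entry should read `"source": "P1,2"` as well. The group also mixes `"inherit": "true"` on `ProcessImpl.start` with `"inherit": "false"` on the `Runtime.exec` entries; that is harmless for these final/uninstantiable classes but worth a short comment in the commit message so nobody "fixes" it later.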
@@ -3638,17 +5432,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", - "track": "", - "type": 1, + "target": "", + "track": "true", + "type": 4, "untags": [], - "value": "org.apache.commons.codec.binary.BaseNCodec.decode(byte[])" + "value": "java.lang.Runtime.exec(java.lang.String)" }, { "command": "", @@ -3656,17 +5450,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, - "source": "P1", + "source": "P1,2", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", - "track": "", - "type": 1, + "target": "", + "track": "true", + "type": 4, "untags": [], - "value": "org.apache.commons.codec.binary.BaseNCodec.decode(java.lang.Object)" + "value": "java.lang.Runtime.exec(java.lang.String,java.lang.String[])" }, { "command": "", @@ -3674,25 +5468,18 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, - "source": "P1", + "source": "P1,2", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", - "track": "", - "type": 1, + "target": "", + "track": "true", + "type": 4, "untags": [], - "value": "org.apache.commons.codec.binary.BaseNCodec.decode(java.lang.String)" - } - ], - "enable": 1, - "type": 1, - "value": "base64-dec" - }, - { - "details": [ + "value": "java.lang.Runtime.exec(java.lang.String,java.lang.String[],java.io.File)" + }, { "command": "", "created_by": 1, @@ -3705,11 +5492,11 @@ "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", - "track": "", - "type": 1, + "target": "", + "track": "true", + "type": 4, "untags": [], - "value": "java.util.Base64$Encoder.encode(byte[])" + "value": "java.lang.Runtime.exec(java.lang.String[])" }, { "command": "", 
@@ -3719,15 +5506,15 @@ "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "P1,2", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "P2", - "track": "", - "type": 1, + "target": "", + "track": "true", + "type": 4, "untags": [], - "value": "java.util.Base64$Encoder.encode(byte[],byte[])" + "value": "java.lang.Runtime.exec(java.lang.String[],java.lang.String[])" }, { "command": "", @@ -3737,16 +5524,23 @@ "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1", + "source": "P1,2", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", - "track": "", - "type": 1, + "target": "", + "track": "true", + "type": 4, "untags": [], - "value": "java.util.Base64$Encoder.encode(java.nio.ByteBuffer)" - }, + "value": "java.lang.Runtime.exec(java.lang.String[],java.lang.String[],java.io.File)" + } + ], + "enable": 1, + "type": 4, + "value": "cmd-injection" + }, + { + "details": [ { "command": "", "created_by": 1, @@ -3759,11 +5553,11 @@ "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", - "track": "", + "target": "P2", + "track": "false", "type": 1, "untags": [], - "value": "java.util.Base64$Encoder.encodeToString(byte[])" + "value": "com.alibaba.fastjson.parser.DefaultJSONParser.(java.lang.Object,com.alibaba.fastjson.parser.JSONLexer,com.alibaba.fastjson.parser.ParserConfig)" }, { "command": "", @@ -3777,11 +5571,11 @@ "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", - "track": "", + "target": "O", + "track": "false", "type": 1, "untags": [], - "value": "org.apache.commons.codec.binary.Base64.encodeBase64(byte[])" + "value": "com.alibaba.fastjson.parser.DefaultJSONParser.(java.lang.String,com.alibaba.fastjson.parser.ParserConfig,int)" }, { "command": "", 
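Review bot: The constructor rules at the end of hunk `@@ -3759,11 +5553,11 @@`, `com.alibaba.fastjson.parser.DefaultJSONParser.(java.lang.Object,...)` and `DefaultJSONParser.(java.lang.String,...)`, have an empty method name between the class and the parameter list. If the file really contains `DefaultJSONParser.(` rather than `DefaultJSONParser.<init>(` (a `<init>` token could have been swallowed by HTML rendering of this page, so this may be an artefact), neither rule can match any method and fastjson input would never be tainted at the parser constructor. Please confirm the on-disk value; the same pattern appears for `JsonReader.(java.io.Reader)` and the `NewCookie.(...)` entries later in the diff.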
@@ -3789,17 +5583,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "R", - "track": "", + "track": "false", "type": 1, "untags": [], - "value": "org.apache.commons.codec.binary.Base64.encodeBase64(byte[],boolean)" + "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldBigInteger(char[])" }, { "command": "", @@ -3807,17 +5601,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "R", - "track": "", + "track": "false", "type": 1, "untags": [], - "value": "org.apache.commons.codec.binary.Base64.encodeBase64(byte[],boolean,boolean)" + "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldDate(char[])" }, { "command": "", @@ -3825,17 +5619,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "R", - "track": "", + "track": "false", "type": 1, "untags": [], - "value": "org.apache.commons.codec.binary.Base64.encodeBase64(byte[],boolean,boolean,int)" + "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldDecimal(char[])" }, { "command": "", @@ -3843,17 +5637,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "R", - "track": "", + "track": "false", "type": 1, "untags": [], - "value": "org.apache.commons.codec.binary.BaseNCodec.encode(byte[])" + "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldDouble(char[])" }, { "command": "", 
@@ -3861,17 +5655,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "R", - "track": "", + "track": "false", "type": 1, "untags": [], - "value": "org.apache.commons.codec.binary.BaseNCodec.encode(byte[],int,int)" + "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldFloatArray(char[])" }, { "command": "", @@ -3879,17 +5673,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "R", - "track": "", + "track": "false", "type": 1, "untags": [], - "value": "org.apache.commons.codec.binary.BaseNCodec.encode(java.lang.Object)" + "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldFloatArray2(char[])" }, { "command": "", @@ -3897,17 +5691,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "R", - "track": "", + "track": "false", "type": 1, "untags": [], - "value": "org.apache.commons.codec.binary.BaseNCodec.encodeAsString(byte[])" + "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldInt(char[])" }, { "command": "", 
@@ -3915,42 +5709,35 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "R", - "track": "", + "track": "false", "type": 1, "untags": [], - "value": "org.apache.commons.codec.binary.BaseNCodec.encodeToString(byte[])" - } - ], - "enable": 1, - "type": 1, - "value": "base64-enc" - }, - { - "details": [ + "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldIntArray(char[])" + }, { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "java.awt.Desktop.browse(java.net.URI)" + "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldLong(char[])" }, { "command": "", @@ -3958,17 +5745,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "java.lang.ProcessImpl.start(java.lang.String[],java.util.Map,java.lang.String,boolean)" + "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldString(char[])" }, { "command": "", 
@@ -3976,17 +5763,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P1,2", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "java.lang.ProcessImpl.start(java.lang.String[],java.util.Map,java.lang.String,java.lang.ProcessBuilder$Redirect[],boolean)" + "value": "com.alibaba.fastjson.parser.deserializer.JavaBeanDeserializer.scanFieldFloat(char[])" }, { "command": "", @@ -4000,29 +5787,36 @@ "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "P4", + "track": "false", + "type": 1, "untags": [], - "value": "java.lang.Runtime.exec(java.lang.String)" - }, + "value": "com.alibaba.fastjson.util.IOUtils.decodeUTF8(byte[],int,int,char[])" + } + ], + "enable": 1, + "type": 1, + "value": "com.alibaba.fastjson" + }, + { + "details": [ { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P1,2", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "java.lang.Runtime.exec(java.lang.String,java.lang.String[])" + "value": "com.fasterxml.jackson.core.JsonFactory.createParser(byte[])" }, { "command": "", 
@@ -4030,17 +5824,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P1,2", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "java.lang.Runtime.exec(java.lang.String,java.lang.String[],java.io.File)" + "value": "com.fasterxml.jackson.core.JsonFactory.createParser(byte[],int,int)" }, { "command": "", @@ -4048,17 +5842,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "java.lang.Runtime.exec(java.lang.String[])" + "value": "com.fasterxml.jackson.core.JsonFactory.createParser(java.io.DataInput)" }, { "command": "", @@ -4068,15 +5862,15 @@ "ignore_internal": false, "inherit": "false", "language": 1, - "source": "P1,2", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "java.lang.Runtime.exec(java.lang.String[],java.lang.String[])" + "value": "com.fasterxml.jackson.core.JsonFactory.createParser(java.io.InputStream)" }, { "command": "", 
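Review bot: `com.fasterxml.jackson.core.JsonFactory.createParser(java.io.InputStream)` in hunk `@@ -4068,15 +5862,15 @@` is left with `"inherit": "false"` (unchanged context), while every sibling overload in the same group — `createParser(byte[])`, `createParser(byte[],int,int)`, `createParser(java.io.DataInput)`, `createParser(java.io.Reader)` and `createParser(java.lang.String)` — is set to `"inherit": "all"`. The InputStream overload is the one most commonly reached from an HTTP request body, and subclasses of `JsonFactory` that override it (presumably including the mapping factory `ObjectMapper` uses by default — confirm for the Jackson versions you support) would not be matched, leaving a taint-tracking gap for exactly the untrusted path. Change it to `"inherit": "all"` unless the exception is intentional, in which case a note in the commit message would help.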
@@ -4084,42 +5878,35 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P1,2", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "java.lang.Runtime.exec(java.lang.String[],java.lang.String[],java.io.File)" - } - ], - "enable": 1, - "type": 4, - "value": "cmd-injection" - }, - { - "details": [ + "value": "com.fasterxml.jackson.core.JsonFactory.createParser(java.io.Reader)" + }, { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "P2", + "target": "R", "track": "false", "type": 1, "untags": [], - "value": "com.alibaba.fastjson.parser.DefaultJSONParser.(java.lang.Object,com.alibaba.fastjson.parser.JSONLexer,com.alibaba.fastjson.parser.ParserConfig)" + "value": "com.fasterxml.jackson.core.JsonFactory.createParser(java.lang.String)" }, { "command": "", @@ -4127,17 +5914,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", + "target": "R", "track": "false", "type": 1, "untags": [], - "value": "com.alibaba.fastjson.parser.DefaultJSONParser.(java.lang.String,com.alibaba.fastjson.parser.ParserConfig,int)" + "value": "com.fasterxml.jackson.core.JsonParser.getBinaryValue(com.fasterxml.jackson.core.Base64Variant)" }, { "command": "", @@ -4155,7 +5942,7 @@ "track": "false", "type": 1, "untags": [], - "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldBigInteger(char[])" + "value": "com.fasterxml.jackson.core.JsonParser.getCurrentName()" }, { "command": "", 
@@ -4173,7 +5960,7 @@ "track": "false", "type": 1, "untags": [], - "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldDate(char[])" + "value": "com.fasterxml.jackson.core.JsonParser.getParsingContext()" }, { "command": "", @@ -4191,7 +5978,7 @@ "track": "false", "type": 1, "untags": [], - "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldDecimal(char[])" + "value": "com.fasterxml.jackson.core.JsonParser.getText()" }, { "command": "", @@ -4205,11 +5992,11 @@ "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "R", + "target": "P1", "track": "false", "type": 1, "untags": [], - "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldDouble(char[])" + "value": "com.fasterxml.jackson.core.JsonParser.getText(java.io.Writer)" }, { "command": "", @@ -4227,7 +6014,7 @@ "track": "false", "type": 1, "untags": [], - "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldFloatArray(char[])" + "value": "com.fasterxml.jackson.core.JsonParser.getTextCharacters()" }, { "command": "", @@ -4245,7 +6032,7 @@ "track": "false", "type": 1, "untags": [], - "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldFloatArray2(char[])" + "value": "com.fasterxml.jackson.core.JsonParser.getValueAsString()" }, { "command": "", @@ -4263,7 +6050,7 @@ "track": "false", "type": 1, "untags": [], - "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldInt(char[])" + "value": "com.fasterxml.jackson.core.JsonParser.getValueAsString(java.lang.String)" }, { "command": "", @@ -4281,7 +6068,7 @@ "track": "false", "type": 1, "untags": [], - "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldIntArray(char[])" + "value": "com.fasterxml.jackson.core.JsonParser.nextFieldName()" }, { "command": "", @@ -4299,7 +6086,7 @@ "track": "false", "type": 1, "untags": [], - "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldLong(char[])" + "value": "com.fasterxml.jackson.core.JsonParser.nextTextValue()" }, { "command": "", 
@@ -4317,7 +6104,7 @@ "track": "false", "type": 1, "untags": [], - "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldString(char[])" + "value": "com.fasterxml.jackson.core.JsonStreamContext.getCurrentName()" }, { "command": "", @@ -4327,7 +6114,7 @@ "ignore_internal": false, "inherit": "all", "language": 1, - "source": "O", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], @@ -4335,7 +6122,7 @@ "track": "false", "type": 1, "untags": [], - "value": "com.alibaba.fastjson.parser.deserializer.JavaBeanDeserializer.scanFieldFloat(char[])" + "value": "com.fasterxml.jackson.databind.JsonDeserializer.deserialize(com.fasterxml.jackson.core.JsonParser,com.fasterxml.jackson.databind.DeserializationContext)" }, { "command": "", @@ -4343,34 +6130,27 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "P4", + "target": "R", "track": "false", "type": 1, "untags": [], - "value": "com.alibaba.fastjson.util.IOUtils.decodeUTF8(byte[],int,int,char[])" - } - ], - "enable": 1, - "type": 1, - "value": "com.alibaba.fastjson" - }, - { - "details": [ + "value": "com.fasterxml.jackson.databind.JsonNode.asText()" + }, { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], @@ -4378,7 +6158,7 @@ "track": "false", "type": 1, "untags": [], - "value": "com.fasterxml.jackson.core.JsonFactory.createParser(java.io.InputStream)" + "value": "com.fasterxml.jackson.databind.JsonNode.asToken()" }, { "command": "", @@ -4388,7 +6168,7 @@ "ignore_internal": false, "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], 
@@ -4396,7 +6176,7 @@ "track": "false", "type": 1, "untags": [], - "value": "com.fasterxml.jackson.databind.JsonDeserializer.deserialize(com.fasterxml.jackson.core.JsonParser,com.fasterxml.jackson.databind.DeserializationContext)" + "value": "com.fasterxml.jackson.databind.JsonNode.binaryValue()" }, { "command": "", @@ -4404,9 +6184,9 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], @@ -4414,7 +6194,7 @@ "track": "false", "type": 1, "untags": [], - "value": "com.fasterxml.jackson.databind.ObjectMapper.createDeserializationContext(com.fasterxml.jackson.core.JsonParser,com.fasterxml.jackson.databind.DeserializationConfig)" + "value": "com.fasterxml.jackson.databind.JsonNode.deepCopy()" }, { "command": "", @@ -4422,9 +6202,9 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], @@ -4432,7 +6212,7 @@ "track": "false", "type": 1, "untags": [], - "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.io.InputStream,com.fasterxml.jackson.databind.JavaType)" + "value": "com.fasterxml.jackson.databind.JsonNode.elements()" }, { "command": "", @@ -4442,7 +6222,7 @@ "ignore_internal": false, "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], @@ -4450,7 +6230,7 @@ "track": "false", "type": 1, "untags": [], - "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.io.InputStream,java.lang.Class)" + "value": "com.fasterxml.jackson.databind.JsonNode.fieldNames()" }, { "command": "", @@ -4460,7 +6240,7 @@ "ignore_internal": false, "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], 
@@ -4468,7 +6248,7 @@ "track": "false", "type": 1, "untags": [], - "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.lang.String,com.fasterxml.jackson.databind.JavaType)" + "value": "com.fasterxml.jackson.databind.JsonNode.fields()" }, { "command": "", @@ -4478,7 +6258,7 @@ "ignore_internal": false, "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], @@ -4486,7 +6266,7 @@ "track": "false", "type": 1, "untags": [], - "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.lang.String,java.lang.Class)" + "value": "com.fasterxml.jackson.databind.JsonNode.findPath(java.lang.String)" }, { "command": "", @@ -4496,7 +6276,7 @@ "ignore_internal": false, "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], @@ -4504,24 +6284,17 @@ "track": "false", "type": 1, "untags": [], - "value": "com.fasterxml.jackson.databind.deser.ValueInstantiator.createUsingDefault(com.fasterxml.jackson.databind.DeserializationContext)" - } - ], - "enable": 1, - "type": 1, - "value": "com.fasterxml.jackson" - }, - { - "details": [ + "value": "com.fasterxml.jackson.databind.JsonNode.findValue(java.lang.String)" + }, { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], @@ -4529,7 +6302,7 @@ "track": "false", "type": 1, "untags": [], - "value": "com.google.gson.TypeAdapter.read(com.google.gson.stream.JsonReader)" + "value": "com.fasterxml.jackson.databind.JsonNode.findValues(java.lang.String)" }, { "command": "", 
@@ -4539,23 +6312,16 @@ "ignore_internal": false, "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "O", + "target": "R", "track": "false", "type": 1, "untags": [], - "value": "com.google.gson.stream.JsonReader.(java.io.Reader)" - } - ], - "enable": 1, - "type": 1, - "value": "com.google.gson" - }, - { - "details": [ + "value": "com.fasterxml.jackson.databind.JsonNode.findValues(java.lang.String,java.util.List)" + }, { "command": "", "created_by": 1, @@ -4564,15 +6330,15 @@ "ignore_internal": false, "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "javax.servlet.http.Cookie.setSecure(boolean)" + "value": "com.fasterxml.jackson.databind.JsonNode.findValuesAsText(java.lang.String)" }, { "command": "", @@ -4580,17 +6346,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P9", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", + "target": "R", "track": "false", - "type": 4, + "type": 1, "untags": [], - "value": "javax.ws.rs.core.NewCookie.(java.lang.String,java.lang.String,java.lang.String,java.lang.String,int,java.lang.String,int,java.util.Date,boolean,boolean)" + "value": "com.fasterxml.jackson.databind.JsonNode.findValuesAsText(java.lang.String,java.util.List)" }, { "command": "", 
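Review bot: `com.fasterxml.jackson.databind.JsonNode.findValues(java.lang.String,java.util.List)` in hunk `@@ -4539,23 +6312,16 @@` (and `findValuesAsText(java.lang.String,java.util.List)` two hunks later) is set to `"target": "R"` only. Those overloads append the matches into the caller-supplied list and return that same list, so code that passes a list and then reads it instead of the return value loses the taint. If the `target` field accepts a list the way `source` does (`"P1,2"` is used elsewhere in this diff), `"target": "R,P2"` or an additional rule with `"target": "P2"` would cover both call styles; I could not confirm the accepted syntax from this file alone.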
@@ -4598,17 +6364,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P5", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", + "target": "R", "track": "false", - "type": 4, + "type": 1, "untags": [], - "value": "javax.ws.rs.core.NewCookie.(javax.ws.rs.core.Cookie,java.lang.String,int,java.util.Date,boolean,boolean)" + "value": "com.fasterxml.jackson.databind.JsonNode.get(int)" }, { "command": "", @@ -4616,46 +6382,35 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", + "target": "R", "track": "false", - "type": 4, + "type": 1, "untags": [], - "value": "org.glassfish.grizzly.http.Cookie.setSecure(boolean)" - } - ], - "enable": 0, - "type": 4, - "value": "cookie-flags-missing" - }, - { - "details": [ + "value": "com.fasterxml.jackson.databind.JsonNode.get(java.lang.String)" + }, { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P1", - "stack_blacklist": [ - "com.ibm.ejs.util.am._Alarm.run", - "com.ibm.crypto.provider.PKCS12KeyStore.engineLoad", - "util.StateUtils.encrypt" - ], + "source": "O", + "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "javax.crypto.Cipher.getInstance(java.lang.String)" + "value": "com.fasterxml.jackson.databind.JsonNode.iterator()" }, { "command": "", 
@@ -4663,17 +6418,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P1", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", + "target": "R", "track": "false", - "type": 4, + "type": 1, "untags": [], - "value": "javax.crypto.Cipher.getInstance(java.lang.String,java.lang.String)" + "value": "com.fasterxml.jackson.databind.JsonNode.path(int)" }, { "command": "", 
@@ -4681,77 +6436,35 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P1", - "stack_blacklist": [ - "com.ca.siteminder" - ], + "source": "O", + "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider)" - } - ], - "enable": 0, - "type": 4, - "value": "crypto-bad-ciphers" - }, - { - "details": [ + "value": "com.fasterxml.jackson.databind.JsonNode.path(java.lang.String)" + }, { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P1", - "stack_blacklist": [ - "com.mysql.jdbc", - "org.skife.jdbi.v2.Query", - "com.amazonaws.services.s3.AmazonS3Client.putObject", - "com.ibm.crypto.provider.PKCS12KeyStore.engineLoad", - "com.ibm.ws.security.ltpa.LTPAToken2.getBytes", - "com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake", - "com.jcraft.jsch.Session.connect", - "com.microsoft.sqlserver.jdbc.TDSChannel.enableSS", - "com.newrelic.agent", - "com.compuware.apm.agent", - "asset.pipeline.AssetPipeline.serveUncompiledAsset", - "controllers.AssetsBuilder", - "JITCompiler", - "java.security.SecureRandom", - "java.util.jar.JarVerifier", - "javax.crypto.JarVerifier", - "jakarta.crypto.JarVerifier", - "maybeNotModified", - "oracle.jdbc.driver", - "java.security.Signature.initVerify", - "oracle.jdbc.xa.client.OracleXADataSource.getXAConnection", - "org.eclipse.jetty.io.ssl.SslConnection", - "org.springframework.web.client.RestTemplate", - "org.thymeleaf.spring4.view.ThymeleafView.render", - "play.api.libs.Codecs$", - "play.api.mvc.CookieBaker", - "play.router.RoutesCompiler", - "play.PlaySourceGenerators", - "sbt.compiler", - "sbt.inc.Stamp", - 
"org.jets3t.service.utils.ServiceUtils.signWithHmacSha1", - "org.jboss.resteasy.spi.ResteasyDeployment.start" - ], + "source": "O", + "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "java.security.MessageDigest.getInstance(java.lang.String)" + "value": "com.fasterxml.jackson.databind.JsonNode.textValue()" }, { "command": "", @@ -4759,21 +6472,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P1", - "stack_blacklist": [ - "java.security.SecureRandom", - "java.util.jar.JarVerifier", - "com.microsoft.sqlserver.jdbc.TDSChannel.enableSS" - ], + "source": "O", + "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "java.security.MessageDigest.getInstance(java.lang.String,java.lang.String)" + "value": "com.fasterxml.jackson.databind.JsonNode.toString()" }, { "command": "", 
@@ -4781,45 +6490,35 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P1", - "stack_blacklist": [ - "java.security.SecureRandom", - "java.util.jar.JarVerifier" - ], + "source": "O", + "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider)" - } - ], - "enable": 0, - "type": 4, - "value": "crypto-bad-mac" - }, - { - "details": [ + "value": "com.fasterxml.jackson.databind.JsonNode.traverse()" + }, { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", + "target": "R", "track": "false", - "type": 4, + "type": 1, "untags": [], - "value": "java.lang.Math.random()" + "value": "com.fasterxml.jackson.databind.JsonNode.with(java.lang.String)" }, { "command": "", @@ -4827,17 +6526,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "", + "source": "O", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", + "target": "R", "track": "false", - "type": 4, + "type": 1, "untags": [], - "value": "java.util.Random.nextBoolean()" + "value": "com.fasterxml.jackson.databind.JsonNode.withArray(java.lang.String)" }, { "command": "", 
@@ -4851,11 +6550,11 @@ "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "java.util.Random.nextBytes(byte[])" + "value": "com.fasterxml.jackson.databind.ObjectMapper.createDeserializationContext(com.fasterxml.jackson.core.JsonParser,com.fasterxml.jackson.databind.DeserializationConfig)" }, { "command": "", @@ -4863,17 +6562,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", + "target": "R", "track": "false", - "type": 4, + "type": 1, "untags": [], - "value": "java.util.Random.nextDouble()" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(byte[],int,int,java.lang.Class)" }, { "command": "", @@ -4881,19 +6580,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "O", - "stack_blacklist": [ - "weblogic.work.IncrementAdvisor.run" - ], + "source": "P1", + "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "java.util.Random.nextFloat()" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(com.fasterxml.jackson.core.JsonParser,com.fasterxml.jackson.core.type.TypeReference)" }, { "command": "", 
@@ -4901,17 +6598,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", + "target": "R", "track": "false", - "type": 4, + "type": 1, "untags": [], - "value": "java.util.Random.nextGaussian()" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(com.fasterxml.jackson.core.JsonParser,com.fasterxml.jackson.databind.JavaType)" }, { "command": "", @@ -4919,20 +6616,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "O", - "stack_blacklist": [ - "com.google.gson.JsonObject", - "java.util.Hashtable" - ], + "source": "P1", + "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "java.util.Random.nextInt()" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(com.fasterxml.jackson.core.JsonParser,java.lang.Class)" }, { "command": "", @@ -4942,23 +6636,15 @@ "ignore_internal": false, "inherit": "false", "language": 1, - "source": "O", - "stack_blacklist": [ - "getRandomSample", - "java.util.Hashtable", - "NullSafeConcurrentHashMap", - "org.apache.tomcat.websocket.WsWebSocketContainer.generateWsKeyValue", - "org.quartz.core.QuartzSchedulerThread.getRandomizedIdleWaitTime", - "SelectableConcurrentHashMap", - "net.bytebuddy.utility.RandomString.nextString" - ], + "source": "P1", + "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "java.util.Random.nextInt(int)" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.io.InputStream,com.fasterxml.jackson.databind.JavaType)" }, { "command": "", 
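Review bot: In the hunk `@@ -4942,23 +6636,15 @@` the new `com.fasterxml.jackson.databind.ObjectMapper.readValue(java.io.InputStream,com.fasterxml.jackson.databind.JavaType)` entry keeps the context line `"inherit": "false"`, while every other `readValue` overload in this group (the `java.io.InputStream,java.lang.Class`, `java.io.Reader,…` and `java.lang.String,…` variants in the neighbouring hunks) is switched to `"inherit": "all"`. Presumably `inherit` controls whether the propagator also matches overriding implementations, in which case this one overload would silently drop taint that its siblings carry; if the mismatch is unintended the fix is the one-line change `"inherit": "all",`. The semantics of `inherit` are not visible in this file, so treat this as a question to confirm rather than a proven defect.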
@@ -4966,17 +6652,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", + "target": "R", "track": "false", - "type": 4, + "type": 1, "untags": [], - "value": "java.util.Random.nextLong()" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.io.InputStream,java.lang.Class)" }, { "command": "", @@ -4984,17 +6670,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", + "target": "R", "track": "false", - "type": 4, + "type": 1, "untags": [], - "value": "org.apache.commons.lang.RandomStringUtils.random(int,int,int,boolean,boolean)" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.io.Reader,com.fasterxml.jackson.core.type.TypeReference)" }, { "command": "", @@ -5002,17 +6688,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", + "target": "R", "track": "false", - "type": 4, + "type": 1, "untags": [], - "value": "org.apache.commons.lang.RandomStringUtils.random(int,int,int,boolean,boolean,char[])" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.io.Reader,com.fasterxml.jackson.databind.JavaType)" }, { "command": "", 
@@ -5020,17 +6706,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", + "target": "R", "track": "false", - "type": 4, + "type": 1, "untags": [], - "value": "org.apache.commons.lang.RandomStringUtils.randomAlphabetic(int)" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.lang.String,com.fasterxml.jackson.databind.JavaType)" }, { "command": "", @@ -5038,17 +6724,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", + "target": "R", "track": "false", - "type": 4, + "type": 1, "untags": [], - "value": "org.apache.commons.lang.RandomStringUtils.randomAlphanumeric(int)" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.lang.String,java.lang.Class)" }, { "command": "", @@ -5056,17 +6742,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", + "target": "R", "track": "false", - "type": 4, + "type": 1, "untags": [], - "value": "org.apache.commons.lang.RandomStringUtils.randomAscii(int)" + "value": "com.fasterxml.jackson.databind.deser.ValueInstantiator.createUsingDefault(com.fasterxml.jackson.databind.DeserializationContext)" }, { "command": "", 
@@ -5074,32 +6760,25 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", + "target": "R", "track": "false", - "type": 4, + "type": 1, "untags": [], - "value": "org.apache.commons.lang.RandomStringUtils.randomNumeric(int)" - } - ], - "enable": 0, - "type": 4, - "value": "crypto-weak-randomness" - }, - { - "details": [ + "value": "org.codehaus.jackson.map.ObjectMapper.readValue(byte[],int,int,java.lang.Class)" + }, { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, "source": "P1", "stack_blacklist": [], @@ -5109,32 +6788,25 @@ "track": "false", "type": 1, "untags": [], - "value": "org.iast.springsec.common.DataManager.doManage(java.lang.String)" - } - ], - "enable": 1, - "type": 1, - "value": "custom-encrypt" - }, - { - "details": [ + "value": "org.codehaus.jackson.map.ObjectMapper.readValue(byte[],int,int,org.codehaus.jackson.type.JavaType)" + }, { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P2", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", + "target": "R", "track": "false", - "type": 4, + "type": 1, "untags": [], - "value": "java.lang.ClassLoader.loadLibrary(java.lang.Class,java.lang.String,boolean)" + "value": "org.codehaus.jackson.map.ObjectMapper.readValue(byte[],int,int,org.codehaus.jackson.type.TypeReference)" }, { "command": "", 
@@ -5142,25 +6814,18 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "language": 1, - "source": "P2", + "source": "P1", "stack_blacklist": [], - "system_type": 1, - "tags": [], - "target": "", - "track": "true", - "type": 4, - "untags": [], - "value": "java.lang.Runtime.load0(java.lang.Class,java.lang.String)" - } - ], - "enable": 1, - "type": 4, - "value": "dynamic-library-load" - }, - { - "details": [ + "system_type": 1, + "tags": [], + "target": "R", + "track": "false", + "type": 1, + "untags": [], + "value": "org.codehaus.jackson.map.ObjectMapper.readValue(byte[],java.lang.Class)" + }, { "command": "", "created_by": 1, @@ -5173,11 +6838,11 @@ "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "jakarta.el.ELProcessor.eval(java.lang.String)" + "value": "org.codehaus.jackson.map.ObjectMapper.readValue(byte[],org.codehaus.jackson.type.JavaType)" }, { "command": "", @@ -5191,11 +6856,11 @@ "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "jakarta.el.ELProcessor.getValue(java.lang.String,java.lang.Class)" + "value": "org.codehaus.jackson.map.ObjectMapper.readValue(byte[],org.codehaus.jackson.type.TypeReference)" }, { "command": "", @@ -5209,11 +6874,11 @@ "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "jakarta.el.ELProcessor.setValue(java.lang.String,java.lang.Object)" + "value": "org.codehaus.jackson.map.ObjectMapper.readValue(java.io.InputStream,java.lang.Class)" }, { "command": "", 
@@ -5223,15 +6888,15 @@ "ignore_internal": false, "inherit": "all", "language": 1, - "source": "P2", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "jakarta.el.ELProcessor.setVariable(java.lang.String,java.lang.String)" + "value": "org.codehaus.jackson.map.ObjectMapper.readValue(java.lang.String,java.lang.Class)" }, { "command": "", @@ -5241,15 +6906,15 @@ "ignore_internal": false, "inherit": "all", "language": 1, - "source": "P2", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "jakarta.el.ExpressionFactory.createMethodExpression(jakarta.el.ELContext,java.lang.String,java.lang.Class,java.lang.Class[])" + "value": "org.codehaus.jackson.map.ObjectMapper.readValue(java.lang.String,org.codehaus.jackson.type.JavaType)" }, { "command": "", 
@@ -5259,33 +6924,40 @@ "ignore_internal": false, "inherit": "all", "language": 1, - "source": "P2", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "jakarta.el.ExpressionFactory.createValueExpression(jakarta.el.ELContext,java.lang.String,java.lang.Class)" - }, + "value": "org.codehaus.jackson.map.ObjectMapper.readValue(java.lang.String,org.codehaus.jackson.type.TypeReference)" + } + ], + "enable": 1, + "type": 1, + "value": "com.fasterxml.jackson" + }, + { + "details": [ { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "all", + "inherit": "false", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "jakarta.servlet.jsp.el.ExpressionEvaluator.evaluate(java.lang.String,java.lang.Class,jakarta.servlet.jsp.el.VariableResolver,jakarta.servlet.jsp.el.FunctionMapper)" + "value": "com.google.gson.Gson.fromJson(java.io.Reader,java.lang.Class)" }, { "command": "", @@ -5293,17 +6965,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "all", + "inherit": "false", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "javax.el.ELProcessor.eval(java.lang.String)" + "value": "com.google.gson.Gson.fromJson(java.lang.String,java.lang.Class)" }, { "command": "", 
@@ -5311,17 +6983,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "all", + "inherit": "false", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "R", + "track": "false", + "type": 1, "untags": [], - "value": "javax.el.ELProcessor.getValue(java.lang.String,java.lang.Class)" + "value": "com.google.gson.TypeAdapter.read(com.google.gson.stream.JsonReader)" }, { "command": "", @@ -5335,12 +7007,19 @@ "stack_blacklist": [], "system_type": 1, "tags": [], - "target": "", - "track": "true", - "type": 4, + "target": "O", + "track": "false", + "type": 1, "untags": [], - "value": "javax.el.ELProcessor.setValue(java.lang.String,java.lang.Object)" - }, + "value": "com.google.gson.stream.JsonReader.(java.io.Reader)" + } + ], + "enable": 1, + "type": 1, + "value": "com.google.gson" + }, + { + "details": [ { "command": "", "created_by": 1, @@ -5349,7 +7028,7 @@ "ignore_internal": false, "inherit": "all", "language": 1, - "source": "P2", + "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], @@ -5357,7 +7036,7 @@ "track": "true", "type": 4, "untags": [], - "value": "javax.el.ELProcessor.setVariable(java.lang.String,java.lang.String)" + "value": "javax.servlet.http.Cookie.setSecure(boolean)" }, { "command": "", @@ -5365,17 +7044,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "all", + "inherit": "false", "language": 1, - "source": "P2", + "source": "P9", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "", - "track": "true", + "track": "false", "type": 4, "untags": [], - "value": "javax.el.ExpressionFactory.createMethodExpression(javax.el.ELContext,java.lang.String,java.lang.Class,java.lang.Class[])" + "value": "javax.ws.rs.core.NewCookie.(java.lang.String,java.lang.String,java.lang.String,java.lang.String,int,java.lang.String,int,java.util.Date,boolean,boolean)" }, { "command": "", 
@@ -5383,17 +7062,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "all", + "inherit": "false", "language": 1, - "source": "P2", + "source": "P5", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "", - "track": "true", + "track": "false", "type": 4, "untags": [], - "value": "javax.el.ExpressionFactory.createValueExpression(javax.el.ELContext,java.lang.String,java.lang.Class)" + "value": "javax.ws.rs.core.NewCookie.(javax.ws.rs.core.Cookie,java.lang.String,int,java.util.Date,boolean,boolean)" }, { "command": "", @@ -5401,35 +7080,46 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "all", + "inherit": "false", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "", - "track": "true", + "track": "false", "type": 4, "untags": [], - "value": "javax.servlet.jsp.el.ExpressionEvaluator.evaluate(java.lang.String,java.lang.Class,javax.servlet.jsp.el.VariableResolver,javax.servlet.jsp.el.FunctionMapper)" - }, + "value": "org.glassfish.grizzly.http.Cookie.setSecure(boolean)" + } + ], + "enable": 0, + "type": 4, + "value": "cookie-flags-missing" + }, + { + "details": [ { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "all", + "inherit": "false", "language": 1, "source": "P1", - "stack_blacklist": [], + "stack_blacklist": [ + "com.ibm.ejs.util.am._Alarm.run", + "com.ibm.crypto.provider.PKCS12KeyStore.engineLoad", + "util.StateUtils.encrypt" + ], "system_type": 1, "tags": [], "target": "", "track": "true", "type": 4, "untags": [], - "value": "ognl.Ognl.getValue(java.lang.Object,java.lang.Object)" + "value": "javax.crypto.Cipher.getInstance(java.lang.String)" }, { "command": "", 
@@ -5437,17 +7127,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "all", + "inherit": "false", "language": 1, "source": "P1", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "", - "track": "true", + "track": "false", "type": 4, "untags": [], - "value": "ognl.Ognl.getValue(java.lang.Object,java.lang.Object,java.lang.Class)" + "value": "javax.crypto.Cipher.getInstance(java.lang.String,java.lang.String)" }, { "command": "", 
@@ -5455,35 +7145,77 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "all", + "inherit": "false", "language": 1, "source": "P1", - "stack_blacklist": [], + "stack_blacklist": [ + "com.ca.siteminder" + ], "system_type": 1, "tags": [], "target": "", "track": "true", "type": 4, "untags": [], - "value": "ognl.Ognl.getValue(java.lang.Object,java.util.Map,java.lang.Object)" - }, + "value": "javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider)" + } + ], + "enable": 0, + "type": 4, + "value": "crypto-bad-ciphers" + }, + { + "details": [ { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "all", + "inherit": "false", "language": 1, "source": "P1", - "stack_blacklist": [], + "stack_blacklist": [ + "com.mysql.jdbc", + "org.skife.jdbi.v2.Query", + "com.amazonaws.services.s3.AmazonS3Client.putObject", + "com.ibm.crypto.provider.PKCS12KeyStore.engineLoad", + "com.ibm.ws.security.ltpa.LTPAToken2.getBytes", + "com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake", + "com.jcraft.jsch.Session.connect", + "com.microsoft.sqlserver.jdbc.TDSChannel.enableSS", + "com.newrelic.agent", + "com.compuware.apm.agent", + "asset.pipeline.AssetPipeline.serveUncompiledAsset", + "controllers.AssetsBuilder", + "JITCompiler", + "java.security.SecureRandom", + "java.util.jar.JarVerifier", + "javax.crypto.JarVerifier", + "jakarta.crypto.JarVerifier", + "maybeNotModified", + "oracle.jdbc.driver", + "java.security.Signature.initVerify", + "oracle.jdbc.xa.client.OracleXADataSource.getXAConnection", + "org.eclipse.jetty.io.ssl.SslConnection", + "org.springframework.web.client.RestTemplate", + "org.thymeleaf.spring4.view.ThymeleafView.render", + "play.api.libs.Codecs$", + "play.api.mvc.CookieBaker", + "play.router.RoutesCompiler", + "play.PlaySourceGenerators", + "sbt.compiler", + "sbt.inc.Stamp", + "org.jets3t.service.utils.ServiceUtils.signWithHmacSha1", + 
"org.jboss.resteasy.spi.ResteasyDeployment.start" + ], "system_type": 1, "tags": [], "target": "", "track": "true", "type": 4, "untags": [], - "value": "ognl.Ognl.getValue(java.lang.Object,java.util.Map,java.lang.Object,java.lang.Class)" + "value": "java.security.MessageDigest.getInstance(java.lang.String)" }, { "command": "", @@ -5491,17 +7223,21 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "all", + "inherit": "false", "language": 1, "source": "P1", - "stack_blacklist": [], + "stack_blacklist": [ + "java.security.SecureRandom", + "java.util.jar.JarVerifier", + "com.microsoft.sqlserver.jdbc.TDSChannel.enableSS" + ], "system_type": 1, "tags": [], "target": "", "track": "true", "type": 4, "untags": [], - "value": "ognl.Ognl.getValue(java.lang.String,java.lang.Object)" + "value": "java.security.MessageDigest.getInstance(java.lang.String,java.lang.String)" }, { "command": "", 
@@ -5509,35 +7245,45 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "all", + "inherit": "false", "language": 1, "source": "P1", - "stack_blacklist": [], + "stack_blacklist": [ + "java.security.SecureRandom", + "java.util.jar.JarVerifier" + ], "system_type": 1, "tags": [], "target": "", "track": "true", "type": 4, "untags": [], - "value": "ognl.Ognl.getValue(java.lang.String,java.lang.Object,java.lang.Class)" - }, + "value": "java.security.MessageDigest.getInstance(java.lang.String,java.security.Provider)" + } + ], + "enable": 0, + "type": 4, + "value": "crypto-bad-mac" + }, + { + "details": [ { "command": "", "created_by": 1, "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "all", + "inherit": "false", "language": 1, - "source": "P1", + "source": "", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "", - "track": "true", + "track": "false", "type": 4, "untags": [], - "value": "ognl.Ognl.getValue(java.lang.String,java.util.Map,java.lang.Object)" + "value": "java.lang.Math.random()" }, { "command": "", @@ -5545,17 +7291,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "all", + "inherit": "false", "language": 1, - "source": "P1", + "source": "", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "", - "track": "true", + "track": "false", "type": 4, "untags": [], - "value": "ognl.Ognl.getValue(java.lang.String,java.util.Map,java.lang.Object,java.lang.Class)" + "value": "java.util.Random.nextBoolean()" }, { "command": "", @@ -5563,7 +7309,7 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "all", + "inherit": "false", "language": 1, "source": "P1", "stack_blacklist": [], @@ -5573,7 +7319,7 @@ "track": "true", "type": 4, "untags": [], - "value": "ognl.Ognl.parseExpression(java.lang.String)" + "value": "java.util.Random.nextBytes(byte[])" }, { "command": "", 
@@ -5581,17 +7327,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "all", + "inherit": "false", "language": 1, - "source": "P1", + "source": "", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "", - "track": "true", + "track": "false", "type": 4, "untags": [], - "value": "org.apache.commons.ognl.Ognl.parseExpression(java.lang.String)" + "value": "java.util.Random.nextDouble()" }, { "command": "", @@ -5599,17 +7345,19 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, "source": "O", - "stack_blacklist": [], + "stack_blacklist": [ + "weblogic.work.IncrementAdvisor.run" + ], "system_type": 1, "tags": [], "target": "", "track": "true", "type": 4, "untags": [], - "value": "org.springframework.expression.Expression.getValue()" + "value": "java.util.Random.nextFloat()" }, { "command": "", @@ -5617,17 +7365,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, - "source": "O", + "source": "", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "", - "track": "true", + "track": "false", "type": 4, "untags": [], - "value": "org.springframework.expression.Expression.getValue(java.lang.Class)" + "value": "java.util.Random.nextGaussian()" }, { "command": "", @@ -5635,17 +7383,20 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, "source": "O", - "stack_blacklist": [], + "stack_blacklist": [ + "com.google.gson.JsonObject", + "java.util.Hashtable" + ], "system_type": 1, "tags": [], "target": "", "track": "true", "type": 4, "untags": [], - "value": "org.springframework.expression.Expression.getValue(java.lang.Object)" + "value": "java.util.Random.nextInt()" }, { "command": "", 
@@ -5653,17 +7404,25 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, "source": "O", - "stack_blacklist": [], + "stack_blacklist": [ + "getRandomSample", + "java.util.Hashtable", + "NullSafeConcurrentHashMap", + "org.apache.tomcat.websocket.WsWebSocketContainer.generateWsKeyValue", + "org.quartz.core.QuartzSchedulerThread.getRandomizedIdleWaitTime", + "SelectableConcurrentHashMap", + "net.bytebuddy.utility.RandomString.nextString" + ], "system_type": 1, "tags": [], "target": "", "track": "true", "type": 4, "untags": [], - "value": "org.springframework.expression.Expression.getValue(java.lang.Object,java.lang.Class)" + "value": "java.util.Random.nextInt(int)" }, { "command": "", @@ -5671,17 +7430,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, - "source": "O", + "source": "", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "", - "track": "true", + "track": "false", "type": 4, "untags": [], - "value": "org.springframework.expression.Expression.getValue(org.springframework.expression.EvaluationContext)" + "value": "java.util.Random.nextLong()" }, { "command": "", @@ -5689,17 +7448,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, - "source": "O", + "source": "", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "", - "track": "true", + "track": "false", "type": 4, "untags": [], - "value": "org.springframework.expression.Expression.getValue(org.springframework.expression.EvaluationContext,java.lang.Class)" + "value": "org.apache.commons.lang.RandomStringUtils.random(int,int,int,boolean,boolean)" }, { "command": "", 
@@ -5707,17 +7466,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, - "source": "O", + "source": "", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "", - "track": "true", + "track": "false", "type": 4, "untags": [], - "value": "org.springframework.expression.Expression.getValue(org.springframework.expression.EvaluationContext,java.lang.Object)" + "value": "org.apache.commons.lang.RandomStringUtils.random(int,int,int,boolean,boolean,char[])" }, { "command": "", @@ -5725,17 +7484,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, - "source": "O", + "source": "", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "", - "track": "true", + "track": "false", "type": 4, "untags": [], - "value": "org.springframework.expression.Expression.getValue(org.springframework.expression.EvaluationContext,java.lang.Object,java.lang.Class)" + "value": "org.apache.commons.lang.RandomStringUtils.randomAlphabetic(int)" }, { "command": "", @@ -5743,17 +7502,17 @@ "enable": 1, "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "language": 1, - "source": "O", + "source": "", "stack_blacklist": [], "system_type": 1, "tags": [], "target": "", - "track": "true", + "track": "false", "type": 4, "untags": [], - "value": "org.springframework.expression.Expression.getValueTypeDescriptor()" + "value": "org.apache.commons.lang.RandomStringUtils.randomAlphanumeric(int)" }, { "command": "", 
@@ -5761,17 +7520,17 @@
 "enable": 1,
 "ignore_blacklist": false,
 "ignore_internal": false,
- "inherit": "true",
+ "inherit": "false",
 "language": 1,
- "source": "O",
+ "source": "",
 "stack_blacklist": [],
 "system_type": 1,
 "tags": [],
 "target": "",
- "track": "true",
+ "track": "false",
 "type": 4,
 "untags": [],
- "value": "org.springframework.expression.Expression.getValueTypeDescriptor(java.lang.Object)"
+ "value": "org.apache.commons.lang.RandomStringUtils.randomAscii(int)"
 },
 {
 "command": "",
@@ -5779,53 +7538,67 @@
 "enable": 1,
 "ignore_blacklist": false,
 "ignore_internal": false,
- "inherit": "true",
+ "inherit": "false",
 "language": 1,
- "source": "O",
+ "source": "",
 "stack_blacklist": [],
 "system_type": 1,
 "tags": [],
 "target": "",
- "track": "true",
+ "track": "false",
 "type": 4,
 "untags": [],
- "value": "org.springframework.expression.Expression.getValueTypeDescriptor(org.springframework.expression.EvaluationContext)"
- },
+ "value": "org.apache.commons.lang.RandomStringUtils.randomNumeric(int)"
+ }
+ ],
+ "enable": 0,
+ "type": 4,
+ "value": "crypto-weak-randomness"
+ },
+ {
+ "details": [
 {
 "command": "",
 "created_by": 1,
 "enable": 1,
 "ignore_blacklist": false,
 "ignore_internal": false,
- "inherit": "true",
+ "inherit": "false",
 "language": 1,
- "source": "O",
+ "source": "P1",
 "stack_blacklist": [],
 "system_type": 1,
 "tags": [],
- "target": "",
- "track": "true",
- "type": 4,
+ "target": "R",
+ "track": "false",
+ "type": 1,
 "untags": [],
- "value": "org.springframework.expression.Expression.getValueTypeDescriptor(org.springframework.expression.EvaluationContext,java.lang.Object)"
- },
+ "value": "org.iast.springsec.common.DataManager.doManage(java.lang.String)"
+ }
+ ],
+ "enable": 1,
+ "type": 1,
+ "value": "custom-encrypt"
+ },
+ {
+ "details": [
 {
 "command": "",
 "created_by": 1,
 "enable": 1,
 "ignore_blacklist": false,
 "ignore_internal": false,
- "inherit": "all",
+ "inherit": "false",
 "language": 1,
- "source": "P1",
+ "source": "P2",
 "stack_blacklist": [],
 "system_type": 1,
 "tags": [],
 "target": "",
- "track": "true",
+ "track": "false",
 "type": 4,
 "untags": [],
- "value": "org.thymeleaf.standard.expression.Expression.parse(java.lang.String)"
+ "value": "java.lang.ClassLoader.loadLibrary(java.lang.Class,java.lang.String,boolean)"
 },
 {
 "command": "",
@@ -5833,7 +7606,7 @@
 "enable": 1,
 "ignore_blacklist": false,
 "ignore_internal": false,
- "inherit": "true",
+ "inherit": "false",
 "language": 1,
 "source": "P2",
 "stack_blacklist": [],
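Review bot: `org.iast.springsec.common.DataManager.doManage(java.lang.String)` looks like an application-specific class rather than a library API, yet it ships enabled in the default policy as the sole detail of the new `custom-encrypt` group; for any other application the entry never matches, and nothing in the file says what a type-1 hook with `"source": "P1"` / `"target": "R"` under that name is meant to express. If it is a sample-app hook it belongs in a test fixture, otherwise the group needs a documented purpose. Separately, `java.lang.ClassLoader.loadLibrary(java.lang.Class,java.lang.String,boolean)` is a JDK-internal signature that I believe changed in later JDK releases when native-library loading was refactored, so this sink may silently never fire there while `java.lang.Runtime.load0(java.lang.Class,java.lang.String)` in the next hunk still does; recording which JDK versions each internal signature was verified against would make that visible. Note also that `crypto-weak-randomness` is closed here with `"enable": 0`, so every detail added in the preceding hunks is dormant by default — fine if intended, but worth a changelog line.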
@@ -5843,12 +7616,12 @@
 "track": "true",
 "type": 4,
 "untags": [],
- "value": "org.thymeleaf.standard.expression.IStandardExpressionParser.parseExpression(org.thymeleaf.context.IExpressionContext,java.lang.String)"
+ "value": "java.lang.Runtime.load0(java.lang.Class,java.lang.String)"
 }
 ],
 "enable": 1,
 "type": 4,
- "value": "expression-language-injection"
+ "value": "dynamic-library-load"
 },
 {
 "details": [
@@ -6906,6 +8679,24 @@
 "untags": [],
 "value": "java.io.InputStream.(java.io.InputStream)"
 },
+ {
+ "command": "",
+ "created_by": 1,
+ "enable": 1,
+ "ignore_blacklist": false,
+ "ignore_internal": false,
+ "inherit": "false",
+ "language": 1,
+ "source": "O",
+ "stack_blacklist": [],
+ "system_type": 1,
+ "tags": [],
+ "target": "P1",
+ "track": "false",
+ "type": 1,
+ "untags": [],
+ "value": "java.io.InputStream.read(byte[])"
+ },
 {
 "command": "",
 "created_by": 1,
@@ -6924,6 +8715,24 @@
 "untags": [],
 "value": "java.io.InputStream.read(byte[],int,int)"
 },
+ {
+ "command": "",
+ "created_by": 1,
+ "enable": 1,
+ "ignore_blacklist": false,
+ "ignore_internal": false,
+ "inherit": "false",
+ "language": 1,
+ "source": "O",
+ "stack_blacklist": [],
+ "system_type": 1,
+ "tags": [],
+ "target": "P1",
+ "track": "false",
+ "type": 1,
+ "untags": [],
+ "value": "java.io.InputStream.transferTo(java.io.OutputStream)"
+ },
 {
 "command": "",
 "created_by": 1,
@@ -6942,6 +8751,24 @@
 "untags": [],
 "value": "java.io.InputStreamReader.(java.io.InputStream)"
 },
+ {
+ "command": "",
+ "created_by": 1,
+ "enable": 1,
+ "ignore_blacklist": false,
+ "ignore_internal": false,
+ "inherit": "false",
+ "language": 1,
+ "source": "P1",
+ "stack_blacklist": [],
+ "system_type": 1,
+ "tags": [],
+ "target": "O",
+ "track": "false",
+ "type": 1,
+ "untags": [],
+ "value": "java.io.InputStreamReader.(java.io.InputStream,java.lang.String)"
+ },
 {
 "command": "",
 "created_by": 1,
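Review bot: The two details of `dynamic-library-load` disagree on `track`: `java.lang.Runtime.load0(java.lang.Class,java.lang.String)` keeps `"track": "true"` (the context line at the top of this hunk) while `java.lang.ClassLoader.loadLibrary(...)` in the previous hunk was switched to `"track": "false"`. If `track` decides whether the taint path is recorded for a finding, one of the two sinks will report without a flow and the other with one; set both to the same value, e.g. `"track": "true"`, or note why they differ.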
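Review bot: `java.io.InputStream.read(byte[])` and, in the next hunk, `java.io.InputStream.transferTo(java.io.OutputStream)` are added with `"inherit": "false"`, whereas the parallel `java.io.Reader.transferTo(java.io.Writer)` entry in the following hunk of this file uses `"inherit": "all"`. If `inherit: false` hooks only the body declared on `InputStream`, subclasses that override these methods (e.g. `FilterInputStream.read(byte[])`) would not propagate taint and reads through filtered or buffered streams would silently lose tracking; if the base implementation is hooked regardless, the inconsistency is harmless but confusing. Either align the three entries on one `inherit` value or record the reason for the difference.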
@@ -7014,6 +8841,24 @@
 "untags": [],
 "value": "java.io.PipedInputStream.read(byte[],int,int)"
 },
+ {
+ "command": "",
+ "created_by": 1,
+ "enable": 1,
+ "ignore_blacklist": false,
+ "ignore_internal": false,
+ "inherit": "false",
+ "language": 1,
+ "source": "P1",
+ "stack_blacklist": [],
+ "system_type": 1,
+ "tags": [],
+ "target": "O",
+ "track": "false",
+ "type": 1,
+ "untags": [],
+ "value": "java.io.PipedInputStream.receive(byte[],int,int)"
+ },
 {
 "command": "INSERT(0,P2,P3)",
 "created_by": 1,
@@ -7032,6 +8877,24 @@
 "untags": [],
 "value": "java.io.PipedReader.read(char[],int,int)"
 },
+ {
+ "command": "",
+ "created_by": 1,
+ "enable": 1,
+ "ignore_blacklist": false,
+ "ignore_internal": false,
+ "inherit": "false",
+ "language": 1,
+ "source": "P1",
+ "stack_blacklist": [],
+ "system_type": 1,
+ "tags": [],
+ "target": "O",
+ "track": "false",
+ "type": 1,
+ "untags": [],
+ "value": "java.io.PipedReader.receive(char[],int,int)"
+ },
 {
 "command": "",
 "created_by": 1,
@@ -7086,6 +8949,24 @@
 "untags": [],
 "value": "java.io.Reader.read(char[])"
 },
+ {
+ "command": "",
+ "created_by": 1,
+ "enable": 1,
+ "ignore_blacklist": false,
+ "ignore_internal": false,
+ "inherit": "all",
+ "language": 1,
+ "source": "O",
+ "stack_blacklist": [],
+ "system_type": 1,
+ "tags": [],
+ "target": "P1",
+ "track": "false",
+ "type": 1,
+ "untags": [],
+ "value": "java.io.Reader.transferTo(java.io.Writer)"
+ },
 {
 "command": "",
 "created_by": 1,
diff --git a/static/data/java_policy.json b/static/data/java_policy.json
index b61c13ff0..67ed1a13b 100644
--- a/static/data/java_policy.json
+++ b/static/data/java_policy.json
@@ -60,6 +60,19 @@
 },
 {
 "details": [
+ {
+ "command": "",
+ "ignore_blacklist": false,
+ "ignore_internal": false,
+ "inherit": "false",
+ "source": "O",
+ "stack_blacklist": [],
+ "tags": [],
+ "target": "R",
+ "track": "false",
+ "untags": [],
+ "value": "java.nio.ByteBuffer.array()"
+ },
 {
 "command": "SUBSET(P2,P3)",
 "ignore_blacklist": false,
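Review bot: `java.nio.ByteBuffer.array()` is added with `"source": "O"`, `"target": "R"` and an empty `command`, but `array()` returns the entire backing array, not the `position..limit` window, and for buffers created by `wrap(array, offset, length)` or `slice()` the buffer's content starts at `arrayOffset()`; if ranges on the buffer are carried to the array positionally they will be shifted for such buffers, and a whole-result taint is the safer reading of the empty command. `"inherit": "false"` is fine here since `array()` is, as far as I know, declared final on `ByteBuffer`. The group this detail belongs to (its `type` and `value`) is outside the hunk, so I cannot tell whether it is a propagator or a source.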
@@ -124,6 +137,195 @@ "type": 1, "value": "Cookie" }, + { + "details": [ + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "jakarta.el.ELProcessor.eval(java.lang.String)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "jakarta.el.ELProcessor.getValue(java.lang.String,java.lang.Class)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "jakarta.el.ELProcessor.setValue(java.lang.String,java.lang.Object)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P2", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "jakarta.el.ELProcessor.setVariable(java.lang.String,java.lang.String)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P2", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "jakarta.el.ExpressionFactory.createMethodExpression(jakarta.el.ELContext,java.lang.String,java.lang.Class,java.lang.Class[])" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P2", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "jakarta.el.ExpressionFactory.createValueExpression(jakarta.el.ELContext,java.lang.String,java.lang.Class)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + 
"source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "jakarta.servlet.jsp.el.ExpressionEvaluator.evaluate(java.lang.String,java.lang.Class,jakarta.servlet.jsp.el.VariableResolver,jakarta.servlet.jsp.el.FunctionMapper)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "javax.el.ELProcessor.eval(java.lang.String)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "javax.el.ELProcessor.getValue(java.lang.String,java.lang.Class)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "javax.el.ELProcessor.setValue(java.lang.String,java.lang.Object)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P2", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "javax.el.ELProcessor.setVariable(java.lang.String,java.lang.String)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P2", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "javax.el.ExpressionFactory.createMethodExpression(javax.el.ELContext,java.lang.String,java.lang.Class,java.lang.Class[])" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P2", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": 
"javax.el.ExpressionFactory.createValueExpression(javax.el.ELContext,java.lang.String,java.lang.Class)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "javax.servlet.jsp.el.ExpressionEvaluator.evaluate(java.lang.String,java.lang.Class,javax.servlet.jsp.el.VariableResolver,javax.servlet.jsp.el.FunctionMapper)" + } + ], + "enable": 1, + "type": 4, + "value": "EL\u8868\u8fbe\u5f0f\u6ce8\u5165" + }, { "details": [ { 
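Review bot: The new rule group is keyed by a localized display string, `"value": "EL\u8868\u8fbe\u5f0f\u6ce8\u5165"`, while the other groups in this file use stable identifiers (`Cookie`, `PreparedStatement`, `Scanner`, `Source:GrpcV1`) and the first policy file in this commit keys the equivalent group as `expression-language-injection`. If `value` is what the agent or the UI matches on, a translated name will diverge between the two files and break the moment the text is edited; the same applies to the `Ognl...` and `SPEL...` groups in the later hunks of this file. Suggest a machine-readable identifier such as `"value": "expression-language-injection"` here, with the translation kept in the presentation layer. The per-method `source` choices (`P1` for the `ELProcessor` string APIs, `P2` for `setVariable` and the `ExpressionFactory.create*` overloads) match the parameter positions of those APIs as far as I can tell.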
@@ -424,66 +626,203 @@ "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", - "source": "P2", + "inherit": "all", + "source": "P1", "stack_blacklist": [], "tags": [], - "target": "O", - "track": "false", + "target": "", + "track": "true", "untags": [], - "value": "java.sql.Statement.setString(int,java.lang.String)" - } - ], - "enable": 1, - "type": 1, - "value": "PreparedStatement" - }, - { - "details": [ + "value": "ognl.Ognl.getValue(java.lang.Object,java.lang.Object)" + }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", + "inherit": "all", "source": "P1", "stack_blacklist": [], "tags": [], - "target": "O", - "track": "false", + "target": "", + "track": "true", "untags": [], - "value": "com.caucho.hessian.io.HessianInput.init(java.io.InputStream)" - } - ], - "enable": 1, - "type": 1, - "value": "Propagator:Hessian" - }, - { - "details": [ + "value": "ognl.Ognl.getValue(java.lang.Object,java.lang.Object,java.lang.Class)" + }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", - "source": "O", + "inherit": "all", + "source": "P1", "stack_blacklist": [], - "tags": [ - "cross-site" - ], - "target": "R", - "track": "", + "tags": [], + "target": "", + "track": "true", "untags": [], - "value": "javax.servlet.ServletRequest.getParameterNames()" + "value": "ognl.Ognl.getValue(java.lang.Object,java.util.Map,java.lang.Object)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", - "source": "O", + "inherit": "all", + "source": "P1", "stack_blacklist": [], - "tags": [ - "cross-site" + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "ognl.Ognl.getValue(java.lang.Object,java.util.Map,java.lang.Object,java.lang.Class)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "", + 
"track": "true", + "untags": [], + "value": "ognl.Ognl.getValue(java.lang.String,java.lang.Object)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "ognl.Ognl.getValue(java.lang.String,java.lang.Object,java.lang.Class)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "ognl.Ognl.getValue(java.lang.String,java.util.Map,java.lang.Object)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "ognl.Ognl.getValue(java.lang.String,java.util.Map,java.lang.Object,java.lang.Class)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "ognl.Ognl.parseExpression(java.lang.String)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "org.apache.commons.ognl.Ognl.parseExpression(java.lang.String)" + } + ], + "enable": 1, + "type": 4, + "value": "Ognl\u8868\u8fbe\u5f0f\u6ce8\u5165" + }, + { + "details": [ + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "source": "P2", + "stack_blacklist": [], + "tags": [], + "target": "O", + "track": "false", + "untags": [], + "value": "java.sql.Statement.setString(int,java.lang.String)" + } + ], + "enable": 1, + "type": 1, + "value": "PreparedStatement" 
+ }, + { + "details": [ + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "O", + "track": "false", + "untags": [], + "value": "com.caucho.hessian.io.HessianInput.init(java.io.InputStream)" + } + ], + "enable": 1, + "type": 1, + "value": "Propagator:Hessian" + }, + { + "details": [ + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "source": "O", + "stack_blacklist": [], + "tags": [ + "cross-site" + ], + "target": "R", + "track": "", + "untags": [], + "value": "javax.servlet.ServletRequest.getParameterNames()" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "source": "O", + "stack_blacklist": [], + "tags": [ + "cross-site" ], "target": "R", "track": "", 
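Review bot: For `org.apache.commons.ognl.Ognl` only `parseExpression(java.lang.String)` is listed, whereas for `ognl.Ognl` this hunk lists `parseExpression` plus eight `getValue` overloads with the same `"source": "P1"` settings; if the commons fork keeps the same `getValue(java.lang.String, ...)` overloads and does not route them through the hooked `parseExpression`, those calls will not be reported. Conversely, the `ognl.Ognl.getValue(java.lang.Object, ...)` overloads receive an already-parsed tree as P1, so they only fire if taint survives `parseExpression` into the tree object — worth confirming with a test rather than assuming. The `PreparedStatement`, `Propagator:Hessian` and `getParameterNames` blocks appear to be moved unchanged, so the rename of this group to `Ognl\u8868\u8fbe\u5f0f\u6ce8\u5165` is the only semantic change besides the new entries.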
@@ -498,7 +837,607 @@ { "details": [ { - "command": "", + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "org.springframework.expression.Expression.getValue()" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "org.springframework.expression.Expression.getValue(java.lang.Class)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "org.springframework.expression.Expression.getValue(java.lang.Object)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "org.springframework.expression.Expression.getValue(java.lang.Object,java.lang.Class)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "org.springframework.expression.Expression.getValue(org.springframework.expression.EvaluationContext)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "org.springframework.expression.Expression.getValue(org.springframework.expression.EvaluationContext,java.lang.Class)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "source": 
"O", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "org.springframework.expression.Expression.getValue(org.springframework.expression.EvaluationContext,java.lang.Object)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "org.springframework.expression.Expression.getValue(org.springframework.expression.EvaluationContext,java.lang.Object,java.lang.Class)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "org.springframework.expression.Expression.getValueTypeDescriptor()" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "org.springframework.expression.Expression.getValueTypeDescriptor(java.lang.Object)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "org.springframework.expression.Expression.getValueTypeDescriptor(org.springframework.expression.EvaluationContext)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "", + "track": "true", + "untags": [], + "value": "org.springframework.expression.Expression.getValueTypeDescriptor(org.springframework.expression.EvaluationContext,java.lang.Object)" + } + ], + "enable": 1, + "type": 4, + "value": "SPEL\u8868\u8fbe\u5f0f\u6ce8\u5165" + }, + { + "details": [ + { + 
"command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "O", + "track": "false", + "untags": [], + "value": "java.util.Scanner.(java.io.InputStream)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "O", + "track": "false", + "untags": [], + "value": "java.util.Scanner.(java.io.InputStream,java.lang.String)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "O", + "track": "false", + "untags": [], + "value": "java.util.Scanner.(java.io.InputStream,java.nio.charset.Charset)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "O", + "track": "false", + "untags": [], + "value": "java.util.Scanner.(java.lang.Readable,java.util.regex.Pattern)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "O", + "track": "false", + "untags": [], + "value": "java.util.Scanner.(java.lang.String)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "java.util.Scanner.findInLine(java.lang.String)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "java.util.Scanner.findInLine(java.util.regex.Pattern)" + }, + { + "command": "", + "ignore_blacklist": 
false, + "ignore_internal": false, + "inherit": "false", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "java.util.Scanner.findWithinHorizon(java.lang.String,int)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "java.util.Scanner.findWithinHorizon(java.util.regex.Pattern,int)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "java.util.Scanner.next()" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "java.util.Scanner.next(java.lang.String)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "java.util.Scanner.next(java.util.regex.Pattern)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "java.util.Scanner.nextLine()" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "sun.misc.CharacterDecoder.decodeBuffer(java.io.InputStream)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + 
"stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "sun.misc.CharacterDecoder.decodeBuffer(java.lang.String)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "sun.misc.CharacterEncoder.encode(byte[])" + } + ], + "enable": 1, + "type": 1, + "value": "Scanner" + }, + { + "details": [ + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "org.apache.solr.common.params.SolrParams.get(java.lang.String)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "true", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "org.apache.solr.common.params.SolrParams.getParams(java.lang.String)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "org.apache.solr.servlet.SolrRequestParsers.parseQueryString(java.lang.String)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "P2", + "track": "false", + "untags": [], + "value": "org.apache.solr.servlet.SolrRequestParsers.parseQueryString(java.lang.String,java.util.Map)" + } + ], + "enable": 1, + "type": 1, + "value": "SolrParamParser" + }, + { + "details": [ + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": 
"false", + "untags": [], + "value": "io.grpc.MethodDescriptor.parseRequest(java.io.InputStream)" + } + ], + "enable": 1, + "type": 2, + "value": "Source:GrpcV1" + }, + { + "details": [ + { + "command": "KEEP()", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "O", + "track": "false", + "untags": [], + "value": "java.lang.String.(byte[],byte)" + }, + { + "command": "KEEP()", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "O", + "track": "", + "untags": [], + "value": "java.lang.String.(byte[],int,int)" + }, + { + "command": "KEEP()", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "O", + "track": "", + "untags": [], + "value": "java.lang.String.(byte[],int,int,int)" + }, + { + "command": "KEEP()", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "O", + "track": "", + "untags": [], + "value": "java.lang.String.(byte[],int,int,java.lang.String)" + }, + { + "command": "SUBSET(P2,P3)", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "O", + "track": "", + "untags": [], + "value": "java.lang.String.(byte[],int,int,java.nio.charset.Charset)" + }, + { + "command": "KEEP()", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "O", + "track": "false", + "untags": [], + "value": "java.lang.String.(byte[],java.nio.charset.Charset)" + }, + { + "command": "KEEP()", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + "stack_blacklist": [], + "tags": 
[], + "target": "O", + "track": "", + "untags": [], + "value": "java.lang.String.(char[])" + }, + { + "command": "APPEND(P2,P3,0)", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "O", + "track": "", + "untags": [], + "value": "java.lang.String.(char[],int,int)" + }, + { + "command": "APPEND(P2,P3,0)", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "O", + "track": "", + "untags": [], + "value": "java.lang.String.(char[],int,int,boolean)" + }, + { + "command": "KEEP()", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "O", + "track": "", + "untags": [], + "value": "java.lang.String.(java.lang.String)" + }, + { + "command": "KEEP()", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "O", + "track": "", + "untags": [], + "value": "java.lang.String.(java.lang.StringBuffer)" + }, + { + "command": "KEEP()", "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", 
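Review bot: The `java.lang.String` constructors that take an offset and a length are given three different commands: `java.lang.String.(byte[],int,int)`, `(byte[],int,int,int)` and `(byte[],int,int,java.lang.String)` use `KEEP()`, `(byte[],int,int,java.nio.charset.Charset)` uses `SUBSET(P2,P3)`, and the `char[]` variants use `APPEND(P2,P3,0)`. All of them build the result from `P1[P2 .. P2+P3)`, so if `KEEP()` copies the source ranges positionally the first three will carry ranges that are off by P2 (and possibly beyond the result length) whenever the offset is non-zero; `SUBSET(P2,P3)` looks like the intended command for each of them. The `track` field also alternates between `"false"` (`(byte[],byte)`, `(byte[],java.nio.charset.Charset)`, `Source:GrpcV1`) and `""` within the same group; if the two spellings are not equivalent, one of them is a typo. The String group continues past the end of this hunk.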
@@ -506,64 +1445,64 @@
 "stack_blacklist": [],
 "tags": [],
 "target": "O",
- "track": "false",
+ "track": "",
 "untags": [],
- "value": "java.util.Scanner.(java.io.InputStream)"
+ "value": "java.lang.String.(java.lang.StringBuilder)"
 },
 {
- "command": "",
+ "command": "CONCAT()",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "P1",
+ "source": "O|P1",
 "stack_blacklist": [],
 "tags": [],
- "target": "O",
- "track": "false",
+ "target": "R",
+ "track": "",
 "untags": [],
- "value": "java.util.Scanner.(java.io.InputStream,java.lang.String)"
+ "value": "java.lang.String.concat(java.lang.String)"
 },
 {
- "command": "",
+ "command": "KEEP()",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "P1",
+ "source": "O",
 "stack_blacklist": [],
 "tags": [],
- "target": "O",
- "track": "false",
+ "target": "R",
+ "track": "",
 "untags": [],
- "value": "java.util.Scanner.(java.io.InputStream,java.nio.charset.Charset)"
+ "value": "java.lang.String.getBytes()"
 },
 {
- "command": "",
+ "command": "OVERWRITE(P2)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "P1",
+ "source": "O",
 "stack_blacklist": [],
 "tags": [],
- "target": "O",
+ "target": "P1",
 "track": "false",
 "untags": [],
- "value": "java.util.Scanner.(java.lang.Readable,java.util.regex.Pattern)"
+ "value": "java.lang.String.getBytes(byte[],int,byte)"
 },
 {
- "command": "",
+ "command": "SUBSET(P1,P2,P4)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "P1",
+ "source": "O",
 "stack_blacklist": [],
 "tags": [],
- "target": "O",
- "track": "false",
+ "target": "P3",
+ "track": "",
 "untags": [],
- "value": "java.util.Scanner.(java.lang.String)"
+ "value": "java.lang.String.getBytes(int,int,byte[],int)"
 },
 {
- "command": "",
+ "command": "KEEP()",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
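Review bot: `java.lang.String.getBytes()` is given `KEEP()` with `"target": "R"`, but the method encodes with the platform default charset (UTF-8 from JDK 18 on), and for any multi-byte encoding the byte offsets of text after a non-ASCII character differ from its char offsets; if `KEEP()` transfers ranges positionally, the taint lands on the wrong bytes. The same concern applies to `getBytes(java.lang.String)` and `getBytes(java.nio.charset.Charset)` in the next hunk. A whole-result taint is the conservative choice for the encoding methods, and a test with a non-ASCII input would settle which command is right. `getBytes(byte[],int,byte)` is a JDK-internal signature (the `byte coder` form), so it should be noted which JDK versions it was checked against.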
@@ -571,12 +1510,12 @@
 "stack_blacklist": [],
 "tags": [],
 "target": "R",
- "track": "false",
+ "track": "",
 "untags": [],
- "value": "java.util.Scanner.findInLine(java.lang.String)"
+ "value": "java.lang.String.getBytes(java.lang.String)"
 },
 {
- "command": "",
+ "command": "KEEP()",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
@@ -586,23 +1525,36 @@
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "java.util.Scanner.findInLine(java.util.regex.Pattern)"
+ "value": "java.lang.String.getBytes(java.nio.charset.Charset)"
 },
 {
- "command": "",
+ "command": "SUBSET(P1,P2,P4)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
 "source": "O",
 "stack_blacklist": [],
 "tags": [],
+ "target": "P3",
+ "track": "",
+ "untags": [],
+ "value": "java.lang.String.getChars(int,int,char[],int)"
+ },
+ {
+ "command": "",
+ "ignore_blacklist": false,
+ "ignore_internal": false,
+ "inherit": "false",
+ "source": "O|P2",
+ "stack_blacklist": [],
+ "tags": [],
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "java.util.Scanner.findWithinHorizon(java.lang.String,int)"
+ "value": "java.lang.String.replace(java.lang.CharSequence,java.lang.CharSequence)"
 },
 {
- "command": "",
+ "command": "TRIM()",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
@@ -612,10 +1564,10 @@
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "java.util.Scanner.findWithinHorizon(java.util.regex.Pattern,int)"
+ "value": "java.lang.String.strip()"
 },
 {
- "command": "",
+ "command": "TRIM_LEFT()",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
@@ -625,10 +1577,10 @@
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "java.util.Scanner.next()"
+ "value": "java.lang.String.stripLeading()"
 },
 {
- "command": "",
+ "command": "TRIM_RIGHT()",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
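Review bot: `java.lang.String.replace(java.lang.CharSequence,java.lang.CharSequence)` is the one entry in the second hunk left with an empty `"command": ""` while its neighbours get explicit range commands (`SUBSET(P1,P2,P4)`, `TRIM()`); `replace` changes the string length whenever target and replacement differ in size, so any positional carry-over of ranges from `O` would be misaligned, and the entry lists `"source": "O|P2"` without saying how the two sources combine. If the empty command means "taint the whole result", that is the safe choice here and a short note in the policy documentation would stop the next reader from "fixing" it to `KEEP()`; if it means "no propagation", the entry is dead.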
@@ -638,10 +1590,10 @@
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "java.util.Scanner.next(java.lang.String)"
+ "value": "java.lang.String.stripTrailing()"
 },
 {
- "command": "",
+ "command": "SUBSET(P1)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
@@ -649,12 +1601,12 @@
 "stack_blacklist": [],
 "tags": [],
 "target": "R",
- "track": "false",
+ "track": "",
 "untags": [],
- "value": "java.util.Scanner.next(java.util.regex.Pattern)"
+ "value": "java.lang.String.substring(int)"
 },
 {
- "command": "",
+ "command": "SUBSET(P1,P2)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
@@ -662,84 +1614,77 @@
 "stack_blacklist": [],
 "tags": [],
 "target": "R",
- "track": "false",
+ "track": "",
 "untags": [],
- "value": "java.util.Scanner.nextLine()"
+ "value": "java.lang.String.substring(int,int)"
 },
 {
- "command": "",
+ "command": "KEEP()",
 "ignore_blacklist": false,
 "ignore_internal": false,
- "inherit": "all",
- "source": "P1",
+ "inherit": "false",
+ "source": "O",
 "stack_blacklist": [],
 "tags": [],
 "target": "R",
- "track": "false",
+ "track": "",
 "untags": [],
- "value": "sun.misc.CharacterDecoder.decodeBuffer(java.io.InputStream)"
+ "value": "java.lang.String.toCharArray()"
 },
 {
- "command": "",
+ "command": "KEEP()",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "P1",
+ "source": "O",
 "stack_blacklist": [],
 "tags": [],
 "target": "R",
- "track": "false",
+ "track": "",
 "untags": [],
- "value": "sun.misc.CharacterDecoder.decodeBuffer(java.lang.String)"
+ "value": "java.lang.String.toLowerCase(java.util.Locale)"
 },
 {
- "command": "",
+ "command": "KEEP()",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "P1",
+ "source": "O",
 "stack_blacklist": [],
 "tags": [],
 "target": "R",
- "track": "false",
+ "track": "",
 "untags": [],
- "value": "sun.misc.CharacterEncoder.encode(byte[])"
- }
- ],
- "enable": 1,
- "type": 1,
- "value": "Scanner"
- },
- {
- "details": [
+ "value": "java.lang.String.toUpperCase(java.util.Locale)"
+ },
 {
- "command": "",
+ "command": "TRIM()",
 "ignore_blacklist": false,
 "ignore_internal": false,
- "inherit": "true",
+ "inherit": "false",
 "source": "O",
 "stack_blacklist": [],
 "tags": [],
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "org.apache.solr.common.params.SolrParams.get(java.lang.String)"
+ "value": "java.lang.String.trim()"
 },
 {
- "command": "",
+ "command": "KEEP()",
 "ignore_blacklist": false,
 "ignore_internal": false,
- "inherit": "true",
- "source": "O",
+ "inherit": "false",
+ "source": "P1",
 "stack_blacklist": [],
 "tags": [],
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "org.apache.solr.common.params.SolrParams.getParams(java.lang.String)"
+ "value": "java.lang.StringConcatHelper.newString(byte[],int,byte)"
 },
 {
- "command": "",
+ "command": "KEEP()",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
@@ -749,30 +1694,23 @@
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "org.apache.solr.servlet.SolrRequestParsers.parseQueryString(java.lang.String)"
+ "value": "java.lang.StringConcatHelper.newString(byte[],long)"
 },
 {
- "command": "",
+ "command": "SUBSET(P2,P3)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
 "source": "P1",
 "stack_blacklist": [],
 "tags": [],
- "target": "P2",
+ "target": "O",
 "track": "false",
 "untags": [],
- "value": "org.apache.solr.servlet.SolrRequestParsers.parseQueryString(java.lang.String,java.util.Map)"
- }
- ],
- "enable": 1,
- "type": 1,
- "value": "SolrParamParser"
- },
- {
- "details": [
+ "value": "java.lang.StringLatin1$LinesSpliterator.(byte[],int,int)"
+ },
 {
- "command": "",
+ "command": "APPEND(P2,P3,0)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
@@ -782,17 +1720,10 @@
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "io.grpc.MethodDescriptor.parseRequest(java.io.InputStream)"
- }
- ],
- "enable": 1,
- "type": 2,
- "value": "Source:GrpcV1"
- },
- {
- "details": [
+ "value": "java.lang.StringLatin1.newString(byte[],int,int)"
+ },
 {
- "command": "KEEP()",
+ "command": "SUBSET(P2,P3)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
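Review bot: The removals in this hunk drop the closer of the `Scanner` group (`"value": "Scanner"`) together with the `sun.misc.CharacterDecoder.decodeBuffer(...)` and `sun.misc.CharacterEncoder.encode(byte[])` propagators, and the next two hunks (`@@ -749,30` and `@@ -782,17`) do the same for the `SolrParamParser` group and for the `type: 2` source `Source:GrpcV1` with its single rule `io.grpc.MethodDescriptor.parseRequest(java.io.InputStream)`. The jump in new-side line numbers suggests the file was re-sorted and these entries may simply have moved, but nothing visible re-adds them. If a source definition such as `Source:GrpcV1` is really gone, gRPC request bodies stop being tainted and every downstream finding for those handlers disappears without any error or log line, which is the kind of coverage regression that is hard to notice later. Worth confirming on the full new side (search for `Source:GrpcV1`, `SolrParamParser` and `decodeBuffer`) and, if groups were dropped deliberately, saying so in the commit message.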
@@ -802,49 +1733,132 @@
 "target": "O",
 "track": "false",
 "untags": [],
- "value": "java.lang.String.(byte[],byte)"
+ "value": "java.lang.StringUTF16$LinesSpliterator.(byte[],int,int)"
 },
 {
- "command": "KEEP()",
+ "command": "APPEND(P2,P3,0)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
 "source": "P1",
 "stack_blacklist": [],
 "tags": [],
- "target": "O",
- "track": "",
+ "target": "R",
+ "track": "false",
 "untags": [],
- "value": "java.lang.String.(byte[],int,int)"
+ "value": "java.lang.StringUTF16.newString(byte[],int,int)"
+ },
+ {
+ "command": "",
+ "ignore_blacklist": false,
+ "ignore_internal": false,
+ "inherit": "true",
+ "source": "P1",
+ "stack_blacklist": [],
+ "tags": [
+ "sql-encoded"
+ ],
+ "target": "R",
+ "track": "false",
+ "untags": [
+ "sql-decoded"
+ ],
+ "value": "java.sql.Statement.enquoteIdentifier(java.lang.String,boolean)"
+ },
+ {
+ "command": "",
+ "ignore_blacklist": false,
+ "ignore_internal": false,
+ "inherit": "true",
+ "source": "P1",
+ "stack_blacklist": [],
+ "tags": [
+ "sql-encoded"
+ ],
+ "target": "R",
+ "track": "false",
+ "untags": [
+ "sql-decoded"
+ ],
+ "value": "java.sql.Statement.enquoteLiteral(java.lang.String)"
+ },
+ {
+ "command": "",
+ "ignore_blacklist": false,
+ "ignore_internal": false,
+ "inherit": "true",
+ "source": "P1",
+ "stack_blacklist": [],
+ "tags": [
+ "sql-encoded"
+ ],
+ "target": "R",
+ "track": "false",
+ "untags": [
+ "sql-decoded"
+ ],
+ "value": "java.sql.Statement.enquoteNCharLiteral(java.lang.String)"
+ },
+ {
+ "command": "",
+ "ignore_blacklist": false,
+ "ignore_internal": false,
+ "inherit": "true",
+ "source": "P1",
+ "stack_blacklist": [],
+ "tags": [
+ "ldap-encoded"
+ ],
+ "target": "R",
+ "track": "false",
+ "untags": [
+ "ldap-decoded"
+ ],
+ "value": "org.owasp.esapi.Encoder.encodeForLDAP(java.lang.String)"
 },
 {
- "command": "KEEP()",
+ "command": "",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
 "source": "P1",
 "stack_blacklist": [],
- "tags": [],
- "target": "O",
- "track": "",
- "untags": [],
- "value": "java.lang.String.(byte[],int,int,int)"
+ "tags": [
+ "xml-encoded"
+ ],
+ "target": "R",
+ "track": "false",
+ "untags": [
+ "xml-decoded"
+ ],
+ "value": "org.thymeleaf.util.DOMUtils.escapeXml(char[],boolean)"
 },
 {
- "command": "KEEP()",
+ "command": "",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
 "source": "P1",
 "stack_blacklist": [],
- "tags": [],
- "target": "O",
- "track": "",
- "untags": [],
- "value": "java.lang.String.(byte[],int,int,java.lang.String)"
- },
+ "tags": [
+ "xml-encoded"
+ ],
+ "target": "R",
+ "track": "false",
+ "untags": [
+ "xml-decoded"
+ ],
+ "value": "org.thymeleaf.util.DOMUtils.escapeXml(java.lang.String,boolean)"
+ }
+ ],
+ "enable": 1,
+ "type": 1,
+ "value": "String"
+ },
+ {
+ "details": [
 {
- "command": "SUBSET(P2,P3)",
+ "command": "KEEP()",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
@@ -852,9 +1866,9 @@
 "stack_blacklist": [],
 "tags": [],
 "target": "O",
- "track": "",
+ "track": "false",
 "untags": [],
- "value": "java.lang.String.(byte[],int,int,java.nio.charset.Charset)"
+ "value": "java.lang.StringBuffer.(java.lang.CharSequence)"
 },
 {
 "command": "KEEP()",
@@ -867,10 +1881,10 @@
 "target": "O",
 "track": "false",
 "untags": [],
- "value": "java.lang.String.(byte[],java.nio.charset.Charset)"
+ "value": "java.lang.StringBuffer.(java.lang.String)"
 },
 {
- "command": "KEEP()",
+ "command": "APPEND()",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
@@ -878,9 +1892,9 @@
 "stack_blacklist": [],
 "tags": [],
 "target": "O",
- "track": "",
+ "track": "false",
 "untags": [],
- "value": "java.lang.String.(char[])"
+ "value": "java.lang.StringBuffer.append(char[])"
 },
 {
 "command": "APPEND(P2,P3,0)",
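Review bot: The new `java.sql.Statement.enquoteLiteral(java.lang.String)` and `java.sql.Statement.enquoteNCharLiteral(java.lang.String)` rules in the `@@ -802,49 +1733,132 @@` hunk tag the return value `sql-encoded` and untag `sql-decoded`, which presumably clears the SQL-injection sink for that value wherever it is later used. Those methods only double embedded single quotes and wrap the result in quotes, so the output is neutral inside a string-literal position but not when spliced into an identifier, a numeric position or a keyword position, and `enquoteIdentifier(java.lang.String,boolean)` has the mirror-image restriction (safe only as an identifier). If the engine treats `sql-encoded` as position-independent, these three rules can suppress real findings; if the tag vocabulary allows it, a narrower tag that names the literal/identifier context would be safer, and otherwise the limitation should be recorded wherever the tag names are defined. `"inherit": "true"` is the right choice for these entries, since they are interface default methods that drivers may override.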
@@ -891,12 +1905,12 @@
 "stack_blacklist": [],
 "tags": [],
 "target": "O",
- "track": "",
+ "track": "false",
 "untags": [],
- "value": "java.lang.String.(char[],int,int)"
+ "value": "java.lang.StringBuffer.append(char[],int,int)"
 },
 {
- "command": "APPEND(P2,P3,0)",
+ "command": "APPEND()",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
@@ -904,12 +1918,12 @@
 "stack_blacklist": [],
 "tags": [],
 "target": "O",
- "track": "",
+ "track": "false",
 "untags": [],
- "value": "java.lang.String.(char[],int,int,boolean)"
+ "value": "java.lang.StringBuffer.append(java.lang.CharSequence)"
 },
 {
- "command": "KEEP()",
+ "command": "APPEND(P2,P3)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
@@ -917,12 +1931,12 @@
 "stack_blacklist": [],
 "tags": [],
 "target": "O",
- "track": "",
+ "track": "false",
 "untags": [],
- "value": "java.lang.String.(java.lang.String)"
+ "value": "java.lang.StringBuffer.append(java.lang.CharSequence,int,int)"
 },
 {
- "command": "KEEP()",
+ "command": "APPEND()",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
@@ -930,12 +1944,12 @@
 "stack_blacklist": [],
 "tags": [],
 "target": "O",
- "track": "",
+ "track": "false",
 "untags": [],
- "value": "java.lang.String.(java.lang.StringBuffer)"
+ "value": "java.lang.StringBuffer.append(java.lang.String)"
 },
 {
- "command": "KEEP()",
+ "command": "APPEND()",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
@@ -943,152 +1957,152 @@
 "stack_blacklist": [],
 "tags": [],
 "target": "O",
- "track": "",
+ "track": "false",
 "untags": [],
- "value": "java.lang.String.(java.lang.StringBuilder)"
+ "value": "java.lang.StringBuffer.append(java.lang.StringBuffer)"
 },
 {
- "command": "CONCAT()",
+ "command": "REMOVE(P1,P2)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "O|P1",
+ "source": "O",
 "stack_blacklist": [],
 "tags": [],
- "target": "R",
- "track": "",
+ "target": "O",
+ "track": "false",
 "untags": [],
- "value": "java.lang.String.concat(java.lang.String)"
+ "value": "java.lang.StringBuffer.delete(int,int)"
 },
 {
- "command": "KEEP()",
+ "command": "REMOVE(P1)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
 "source": "O",
 "stack_blacklist": [],
 "tags": [],
- "target": "R",
- "track": "",
+ "target": "O",
+ "track": "false",
 "untags": [],
- "value": "java.lang.String.getBytes()"
+ "value": "java.lang.StringBuffer.deleteCharAt(int)"
 },
 {
- "command": "OVERWRITE(P2)",
+ "command": "SUBSET(P1,P2,P4)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
 "source": "O",
 "stack_blacklist": [],
 "tags": [],
- "target": "P1",
+ "target": "P3",
 "track": "false",
 "untags": [],
- "value": "java.lang.String.getBytes(byte[],int,byte)"
+ "value": "java.lang.StringBuffer.getChars(int,int,char[],int)"
 },
 {
- "command": "SUBSET(P1,P2,P4)",
+ "command": "INSERT(P1)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "O",
+ "source": "P2",
 "stack_blacklist": [],
 "tags": [],
- "target": "P3",
- "track": "",
+ "target": "O",
+ "track": "false",
 "untags": [],
- "value": "java.lang.String.getBytes(int,int,byte[],int)"
+ "value": "java.lang.StringBuffer.insert(int,char)"
 },
 {
- "command": "KEEP()",
+ "command": "INSERT(P1)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "O",
+ "source": "P2",
 "stack_blacklist": [],
 "tags": [],
- "target": "R",
- "track": "",
+ "target": "O",
+ "track": "false",
 "untags": [],
- "value": "java.lang.String.getBytes(java.lang.String)"
+ "value": "java.lang.StringBuffer.insert(int,char[])"
 },
 {
- "command": "KEEP()",
+ "command": "INSERT(P1,P3,P4)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "O",
+ "source": "P2",
 "stack_blacklist": [],
 "tags": [],
- "target": "R",
+ "target": "O",
 "track": "false",
 "untags": [],
- "value": "java.lang.String.getBytes(java.nio.charset.Charset)"
+ "value": "java.lang.StringBuffer.insert(int,char[],int,int)"
 },
 {
- "command": "SUBSET(P1,P2,P4)",
+ "command": "INSERT(P1)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "O",
+ "source": "P2",
 "stack_blacklist": [],
 "tags": [],
- "target": "P3",
- "track": "",
+ "target": "O",
+ "track": "false",
 "untags": [],
- "value": "java.lang.String.getChars(int,int,char[],int)"
+ "value": "java.lang.StringBuffer.insert(int,java.lang.CharSequence)"
 },
 {
- "command": "",
+ "command": "INSERT(P1,P3,P4)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "O|P2",
+ "source": "P2",
 "stack_blacklist": [],
 "tags": [],
- "target": "R",
+ "target": "O",
 "track": "false",
 "untags": [],
- "value": "java.lang.String.replace(java.lang.CharSequence,java.lang.CharSequence)"
+ "value": "java.lang.StringBuffer.insert(int,java.lang.CharSequence,int,int)"
 },
 {
- "command": "TRIM()",
+ "command": "INSERT(P1)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "O",
+ "source": "P2",
 "stack_blacklist": [],
 "tags": [],
- "target": "R",
+ "target": "O",
 "track": "false",
 "untags": [],
- "value": "java.lang.String.strip()"
+ "value": "java.lang.StringBuffer.insert(int,java.lang.String)"
 },
 {
- "command": "TRIM_LEFT()",
+ "command": "REPLACE(P1,P2)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "O",
+ "source": "O|P3",
 "stack_blacklist": [],
 "tags": [],
- "target": "R",
+ "target": "O",
 "track": "false",
 "untags": [],
- "value": "java.lang.String.stripLeading()"
+ "value": "java.lang.StringBuffer.replace(int,int,java.lang.String)"
 },
 {
- "command": "TRIM_RIGHT()",
+ "command": "SUBSET(0,P1)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
 "source": "O",
 "stack_blacklist": [],
 "tags": [],
- "target": "R",
+ "target": "O",
 "track": "false",
 "untags": [],
- "value": "java.lang.String.stripTrailing()"
+ "value": "java.lang.StringBuffer.setLength(int)"
 },
 {
 "command": "SUBSET(P1)",
@@ -1099,9 +2113,9 @@
 "stack_blacklist": [],
 "tags": [],
 "target": "R",
- "track": "",
+ "track": "false",
 "untags": [],
- "value": "java.lang.String.substring(int)"
+ "value": "java.lang.StringBuffer.substring(int)"
 },
 {
 "command": "SUBSET(P1,P2)",
@@ -1112,9 +2126,9 @@
 "stack_blacklist": [],
 "tags": [],
 "target": "R",
- "track": "",
+ "track": "false",
 "untags": [],
- "value": "java.lang.String.substring(int,int)"
+ "value": "java.lang.StringBuffer.substring(int,int)"
 },
 {
 "command": "KEEP()",
@@ -1125,238 +2139,222 @@
 "stack_blacklist": [],
 "tags": [],
 "target": "R",
- "track": "",
+ "track": "false",
 "untags": [],
- "value": "java.lang.String.toCharArray()"
- },
+ "value": "java.lang.StringBuffer.toString()"
+ }
+ ],
+ "enable": 1,
+ "type": 1,
+ "value": "StringBuffer"
+ },
+ {
+ "details": [
 {
- "command": "KEEP()",
+ "command": "",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "O",
+ "source": "P1",
 "stack_blacklist": [],
- "tags": [],
+ "tags": [
+ "html-encoded"
+ ],
 "target": "R",
- "track": "",
- "untags": [],
- "value": "java.lang.String.toLowerCase(java.util.Locale)"
+ "track": "false",
+ "untags": [
+ "html-decoded"
+ ],
+ "value": "com.bea.jsptools.tree.TreeNode.htmlChars(java.lang.String)"
 },
 {
- "command": "KEEP()",
+ "command": "",
 "ignore_blacklist": false,
 "ignore_internal": false,
- "inherit": "false",
- "source": "O",
+ "inherit": "all",
+ "source": "P1",
 "stack_blacklist": [],
 "tags": [],
 "target": "R",
- "track": "",
+ "track": "false",
 "untags": [],
- "value": "java.lang.String.toUpperCase(java.util.Locale)"
+ "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(byte[],com.fasterxml.jackson.core.type.TypeReference)"
 },
 {
- "command": "TRIM()",
+ "command": "",
 "ignore_blacklist": false,
 "ignore_internal": false,
- "inherit": "false",
- "source": "O",
+ "inherit": "all",
+ "source": "P1",
 "stack_blacklist": [],
 "tags": [],
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "java.lang.String.trim()"
+ "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(byte[],com.fasterxml.jackson.databind.JavaType)"
 },
 {
- "command": "KEEP()",
+ "command": "",
 "ignore_blacklist": false,
 "ignore_internal": false,
- "inherit": "false",
+ "inherit": "all",
 "source": "P1",
 "stack_blacklist": [],
 "tags": [],
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "java.lang.StringConcatHelper.newString(byte[],int,byte)"
+ "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(byte[],int,int,com.fasterxml.jackson.core.type.TypeReference)"
 },
 {
- "command": "KEEP()",
+ "command": "",
 "ignore_blacklist": false,
 "ignore_internal": false,
- "inherit": "false",
+ "inherit": "all",
 "source": "P1",
 "stack_blacklist": [],
 "tags": [],
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "java.lang.StringConcatHelper.newString(byte[],long)"
+ "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(byte[],int,int,com.fasterxml.jackson.databind.JavaType)"
 },
 {
- "command": "SUBSET(P2,P3)",
+ "command": "",
 "ignore_blacklist": false,
 "ignore_internal": false,
- "inherit": "false",
+ "inherit": "all",
 "source": "P1",
 "stack_blacklist": [],
 "tags": [],
- "target": "O",
+ "target": "R",
 "track": "false",
 "untags": [],
- "value": "java.lang.StringLatin1$LinesSpliterator.(byte[],int,int)"
+ "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(byte[],java.lang.Class)"
 },
 {
- "command": "APPEND(P2,P3,0)",
+ "command": "",
 "ignore_blacklist": false,
 "ignore_internal": false,
- "inherit": "false",
+ "inherit": "all",
 "source": "P1",
 "stack_blacklist": [],
 "tags": [],
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "java.lang.StringLatin1.newString(byte[],int,int)"
+ "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.io.InputStream,com.fasterxml.jackson.core.type.TypeReference)"
 },
 {
- "command": "SUBSET(P2,P3)",
+ "command": "",
 "ignore_blacklist": false,
 "ignore_internal": false,
- "inherit": "false",
+ "inherit": "all",
 "source": "P1",
 "stack_blacklist": [],
 "tags": [],
- "target": "O",
+ "target": "R",
 "track": "false",
 "untags": [],
- "value": "java.lang.StringUTF16$LinesSpliterator.(byte[],int,int)"
+ "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.io.Reader,java.lang.Class)"
 },
 {
- "command": "APPEND(P2,P3,0)",
+ "command": "",
 "ignore_blacklist": false,
 "ignore_internal": false,
- "inherit": "false",
+ "inherit": "all",
 "source": "P1",
 "stack_blacklist": [],
 "tags": [],
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "java.lang.StringUTF16.newString(byte[],int,int)"
+ "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.lang.String,com.fasterxml.jackson.core.type.TypeReference)"
 },
 {
 "command": "",
 "ignore_blacklist": false,
 "ignore_internal": false,
- "inherit": "true",
+ "inherit": "false",
 "source": "P1",
 "stack_blacklist": [],
- "tags": [
- "sql-encoded"
- ],
+ "tags": [],
 "target": "R",
 "track": "false",
- "untags": [
- "sql-decoded"
- ],
- "value": "java.sql.Statement.enquoteIdentifier(java.lang.String,boolean)"
+ "untags": [],
+ "value": "com.github.pagehelper.parser.CountSqlParser.getSmartCountSql(java.lang.String,java.lang.String)"
 },
 {
 "command": "",
 "ignore_blacklist": false,
 "ignore_internal": false,
- "inherit": "true",
+ "inherit": "false",
 "source": "P1",
 "stack_blacklist": [],
 "tags": [
- "sql-encoded"
+ "html-encoded"
 ],
 "target": "R",
 "track": "false",
 "untags": [
- "sql-decoded"
+ "html-decoded"
 ],
- "value": "java.sql.Statement.enquoteLiteral(java.lang.String)"
+ "value": "com.opensymphony.util.TextUtils.htmlEncode(java.lang.String)"
 },
 {
 "command": "",
 "ignore_blacklist": false,
 "ignore_internal": false,
- "inherit": "true",
+ "inherit": "false",
 "source": "P1",
 "stack_blacklist": [],
- "tags": [
- "sql-encoded"
- ],
- "target": "R",
+ "tags": [],
+ "target": "O",
 "track": "false",
- "untags": [
- "sql-decoded"
- ],
- "value": "java.sql.Statement.enquoteNCharLiteral(java.lang.String)"
+ "untags": [],
+ "value": "java.io.CharArrayWriter.append(java.lang.CharSequence)"
 },
 {
 "command": "",
 "ignore_blacklist": false,
 "ignore_internal": false,
- "inherit": "true",
+ "inherit": "false",
 "source": "P1",
 "stack_blacklist": [],
- "tags": [
- "ldap-encoded"
- ],
- "target": "R",
+ "tags": [],
+ "target": "O",
 "track": "false",
- "untags": [
- "ldap-decoded"
- ],
- "value": "org.owasp.esapi.Encoder.encodeForLDAP(java.lang.String)"
+ "untags": [],
+ "value": "java.io.CharArrayWriter.append(java.lang.CharSequence,int,int)"
 },
 {
 "command": "",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "P1",
+ "source": "O",
 "stack_blacklist": [],
- "tags": [
- "xml-encoded"
- ],
+ "tags": [],
 "target": "R",
 "track": "false",
- "untags": [
- "xml-decoded"
- ],
- "value": "org.thymeleaf.util.DOMUtils.escapeXml(char[],boolean)"
+ "untags": [],
+ "value": "java.io.CharArrayWriter.toCharArray()"
 },
 {
 "command": "",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "P1",
+ "source": "O",
 "stack_blacklist": [],
- "tags": [
- "xml-encoded"
- ],
+ "tags": [],
 "target": "R",
 "track": "false",
- "untags": [
- "xml-decoded"
- ],
- "value": "org.thymeleaf.util.DOMUtils.escapeXml(java.lang.String,boolean)"
- }
- ],
- "enable": 1,
- "type": 1,
- "value": "String"
- },
- {
- "details": [
+ "untags": [],
+ "value": "java.io.CharArrayWriter.toString()"
+ },
 {
- "command": "KEEP()",
+ "command": "",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
@@ -1366,10 +2364,10 @@
 "target": "O",
 "track": "false",
 "untags": [],
- "value": "java.lang.StringBuffer.(java.lang.CharSequence)"
+ "value": "java.io.CharArrayWriter.write(char[],int,int)"
 },
 {
- "command": "KEEP()",
+ "command": "",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
@@ -1379,7 +2377,7 @@
 "target": "O",
 "track": "false",
 "untags": [],
- "value": "java.lang.StringBuffer.(java.lang.String)"
+ "value": "java.io.CharArrayWriter.write(java.lang.String,int,int)"
 },
 {
 "command": "APPEND()",
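Review bot: The `com.fasterxml.jackson.databind.ObjectMapper.readValue(...)` propagators added in the `@@ -1125,238 +2139,222 @@` hunk (source `P1`, target `R`, `"inherit": "all"`) cover eight overloads but omit the most commonly called ones: `readValue(java.lang.String,java.lang.Class)` is absent, as are `readValue(java.lang.String,com.fasterxml.jackson.databind.JavaType)`, `readValue(java.io.InputStream,java.lang.Class)`, `readValue(java.io.InputStream,com.fasterxml.jackson.databind.JavaType)` and `readValue(java.io.Reader,com.fasterxml.jackson.core.type.TypeReference)`. Unless those are defined elsewhere in the file, taint is dropped at the most frequent deserialization call and anything flowing from the parsed object to a sink becomes a silent false negative. The selection looks accidental rather than deliberate (the `byte[]` overloads have all three type-selector variants, while `String` and `InputStream` each get one), so I would add the missing overloads with the same `P1`-to-`R` shape. Separately, `com.github.pagehelper.parser.CountSqlParser.getSmartCountSql(java.lang.String,java.lang.String)` is entered with `"source": "P1"` only; if the second argument can also reach the returned SQL, the `|`-joined source form used elsewhere in this file (`"source": "O|P2"`) is the way to express that.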
@@ -1392,62 +2390,62 @@
 "target": "O",
 "track": "false",
 "untags": [],
- "value": "java.lang.StringBuffer.append(char[])"
+ "value": "java.lang.AbstractStringBuilder.append(java.lang.String)"
 },
 {
- "command": "APPEND(P2,P3,0)",
+ "command": "SUBSET(P1,P2,P4)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "P1",
+ "source": "O",
 "stack_blacklist": [],
 "tags": [],
- "target": "O",
+ "target": "P3",
 "track": "false",
 "untags": [],
- "value": "java.lang.StringBuffer.append(char[],int,int)"
+ "value": "java.lang.AbstractStringBuilder.getChars(int,int,char[],int)"
 },
 {
- "command": "APPEND()",
+ "command": "SUBSET(0,P1)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "P1",
+ "source": "O",
 "stack_blacklist": [],
 "tags": [],
 "target": "O",
 "track": "false",
 "untags": [],
- "value": "java.lang.StringBuffer.append(java.lang.CharSequence)"
+ "value": "java.lang.AbstractStringBuilder.setLength(int)"
 },
 {
- "command": "APPEND(P2,P3)",
+ "command": "SUBSET(P1)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "P1",
+ "source": "O",
 "stack_blacklist": [],
 "tags": [],
- "target": "O",
+ "target": "R",
 "track": "false",
 "untags": [],
- "value": "java.lang.StringBuffer.append(java.lang.CharSequence,int,int)"
+ "value": "java.lang.AbstractStringBuilder.substring(int)"
 },
 {
- "command": "APPEND()",
+ "command": "SUBSET(P1,P2)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "P1",
+ "source": "O",
 "stack_blacklist": [],
 "tags": [],
- "target": "O",
+ "target": "R",
 "track": "false",
 "untags": [],
- "value": "java.lang.StringBuffer.append(java.lang.String)"
+ "value": "java.lang.AbstractStringBuilder.substring(int,int)"
 },
 {
- "command": "APPEND()",
+ "command": "KEEP()",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
@@ -1455,237 +2453,230 @@
 "stack_blacklist": [],
 "tags": [],
 "target": "O",
- "track": "false",
+ "track": "",
 "untags": [],
- "value": "java.lang.StringBuffer.append(java.lang.StringBuffer)"
+ "value": "java.lang.StringBuilder.(java.lang.CharSequence)"
 },
 {
- "command": "REMOVE(P1,P2)",
+ "command": "KEEP()",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "O",
+ "source": "P1",
 "stack_blacklist": [],
 "tags": [],
 "target": "O",
- "track": "false",
+ "track": "",
 "untags": [],
- "value": "java.lang.StringBuffer.delete(int,int)"
+ "value": "java.lang.StringBuilder.(java.lang.String)"
 },
 {
- "command": "REMOVE(P1)",
+ "command": "APPEND(P2,P3,0)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "O",
+ "source": "P1",
 "stack_blacklist": [],
 "tags": [],
 "target": "O",
- "track": "false",
+ "track": "",
 "untags": [],
- "value": "java.lang.StringBuffer.deleteCharAt(int)"
+ "value": "java.lang.StringBuilder.append(char[],int,int)"
 },
 {
- "command": "SUBSET(P1,P2,P4)",
+ "command": "APPEND()",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "O",
+ "source": "P1",
 "stack_blacklist": [],
 "tags": [],
- "target": "P3",
- "track": "false",
+ "target": "O",
+ "track": "",
 "untags": [],
- "value": "java.lang.StringBuffer.getChars(int,int,char[],int)"
+ "value": "java.lang.StringBuilder.append(java.lang.CharSequence)"
 },
 {
- "command": "INSERT(P1)",
+ "command": "APPEND(P2,P3)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "P2",
+ "source": "P1",
 "stack_blacklist": [],
 "tags": [],
 "target": "O",
- "track": "false",
+ "track": "",
 "untags": [],
- "value": "java.lang.StringBuffer.insert(int,char)"
+ "value": "java.lang.StringBuilder.append(java.lang.CharSequence,int,int)"
 },
 {
- "command": "INSERT(P1)",
+ "command": "",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "P2",
+ "source": "P1",
 "stack_blacklist": [],
 "tags": [],
 "target": "O",
- "track": "false",
+ "track": "",
 "untags": [],
- "value": "java.lang.StringBuffer.insert(int,char[])"
+ "value": "java.lang.StringBuilder.append(java.lang.Object)"
 },
 {
- "command": "INSERT(P1,P3,P4)",
+ "command": "APPEND()",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "P2",
+ "source": "P1",
 "stack_blacklist": [],
 "tags": [],
 "target": "O",
- "track": "false",
+ "track": "",
 "untags": [],
- "value": "java.lang.StringBuffer.insert(int,char[],int,int)"
+ "value": "java.lang.StringBuilder.append(java.lang.String)"
 },
 {
- "command": "INSERT(P1)",
+ "command": "APPEND()",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "P2",
+ "source": "P1",
 "stack_blacklist": [],
 "tags": [],
 "target": "O",
- "track": "false",
+ "track": "",
 "untags": [],
- "value": "java.lang.StringBuffer.insert(int,java.lang.CharSequence)"
+ "value": "java.lang.StringBuilder.append(java.lang.StringBuffer)"
 },
 {
- "command": "INSERT(P1,P3,P4)",
+ "command": "REMOVE(P1,P2)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "P2",
+ "source": "O",
 "stack_blacklist": [],
 "tags": [],
 "target": "O",
 "track": "false",
 "untags": [],
- "value": "java.lang.StringBuffer.insert(int,java.lang.CharSequence,int,int)"
+ "value": "java.lang.StringBuilder.delete(int,int)"
 },
 {
- "command": "INSERT(P1)",
+ "command": "REMOVE(P1)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "P2",
+ "source": "O",
 "stack_blacklist": [],
 "tags": [],
 "target": "O",
 "track": "false",
 "untags": [],
- "value": "java.lang.StringBuffer.insert(int,java.lang.String)"
+ "value": "java.lang.StringBuilder.deleteCharAt(int)"
 },
 {
- "command": "REPLACE(P1,P2)",
+ "command": "SUBSET(P1,P2,P4)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "O|P3",
+ "source": "O",
 "stack_blacklist": [],
 "tags": [],
- "target": "O",
+ "target": "P3",
 "track": "false",
 "untags": [],
- "value": "java.lang.StringBuffer.replace(int,int,java.lang.String)"
+ "value": "java.lang.StringBuilder.getChars(int,int,char[],int)"
 },
 {
- "command": "SUBSET(0,P1)",
+ "command": "INSERT(P1)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "O",
+ "source": "P2",
 "stack_blacklist": [],
 "tags": [],
 "target": "O",
 "track": "false",
 "untags": [],
- "value": "java.lang.StringBuffer.setLength(int)"
+ "value": "java.lang.StringBuilder.insert(int,char)"
 },
 {
- "command": "SUBSET(P1)",
+ "command": "INSERT(P1)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "O",
+ "source": "P2",
 "stack_blacklist": [],
 "tags": [],
- "target": "R",
+ "target": "O",
 "track": "false",
 "untags": [],
- "value": "java.lang.StringBuffer.substring(int)"
+ "value": "java.lang.StringBuilder.insert(int,char[])"
 },
 {
- "command": "SUBSET(P1,P2)",
+ "command": "INSERT(P1,P3,P4)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "O",
+ "source": "P2",
 "stack_blacklist": [],
 "tags": [],
- "target": "R",
+ "target": "O",
 "track": "false",
 "untags": [],
- "value": "java.lang.StringBuffer.substring(int,int)"
+ "value": "java.lang.StringBuilder.insert(int,char[],int,int)"
 },
 {
- "command": "KEEP()",
+ "command": "INSERT(P1)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "O",
+ "source": "P2",
 "stack_blacklist": [],
 "tags": [],
- "target": "R",
+ "target": "O",
 "track": "false",
 "untags": [],
- "value": "java.lang.StringBuffer.toString()"
- }
- ],
- "enable": 1,
- "type": 1,
- "value": "StringBuffer"
- },
- {
- "details": [
+ "value": "java.lang.StringBuilder.insert(int,java.lang.CharSequence)"
+ },
 {
- "command": "",
+ "command": "INSERT(P1,P3,P4)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "P1",
+ "source": "P2",
 "stack_blacklist": [],
 "tags": [],
- "target": "R",
+ "target": "O",
 "track": "false",
 "untags": [],
- "value": "com.github.pagehelper.parser.CountSqlParser.getSmartCountSql(java.lang.String,java.lang.String)"
+ "value": "java.lang.StringBuilder.insert(int,java.lang.CharSequence,int,int)"
 },
 {
- "command": "APPEND()",
+ "command": "INSERT(P1)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "P1",
+ "source": "P2",
 "stack_blacklist": [],
 "tags": [],
 "target": "O",
 "track": "false",
 "untags": [],
- "value": "java.lang.AbstractStringBuilder.append(java.lang.String)"
+ "value": "java.lang.StringBuilder.insert(int,java.lang.String)"
 },
 {
- "command": "SUBSET(P1,P2,P4)",
+ "command": "REPLACE(P1,P2)",
 "ignore_blacklist": false,
 "ignore_internal": false,
 "inherit": "false",
- "source": "O",
+ "source": "O|P3",
 "stack_blacklist": [],
 "tags": [],
- "target": "P3",
+ "target": "O",
 "track": "false",
 "untags": [],
- "value": "java.lang.AbstractStringBuilder.getChars(int,int,char[],int)"
+ "value": "java.lang.StringBuilder.replace(int,int,java.lang.String)"
 },
 {
 "command": "SUBSET(0,P1)",
@@ -1698,7 +2689,7 @@
 "target": "O",
 "track": "false",
 "untags": [],
- "value": "java.lang.AbstractStringBuilder.setLength(int)"
+ "value": "java.lang.StringBuilder.setLength(int)"
 },
 {
 "command": "SUBSET(P1)",
@@ -1711,7 +2702,7 @@
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "java.lang.AbstractStringBuilder.substring(int)"
+ "value": "java.lang.StringBuilder.substring(int)"
 },
 {
 "command": "SUBSET(P1,P2)",
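Review bot: `java.lang.StringBuilder.append(java.lang.Object)` is added in the `@@ -1455,237 +2453,230 @@` hunk with `"command": ""` while every sibling `append` there carries `APPEND()`, `APPEND(P2,P3)` or `APPEND(P2,P3,0)`; if an empty command means whole-value propagation without range tracking that may be deliberate for a non-`CharSequence` argument, but if the engine treats it as a no-op the taint of anything appended through the `Object` overload is lost, so the intent should be pinned, either with `"command": "APPEND()"` or with a deliberate, recorded choice. The new `StringBuilder` list also has no `java.lang.StringBuilder.append(char[])`, which the parallel `StringBuffer` group gains in an earlier hunk (`"value": "java.lang.StringBuffer.append(char[])"` with `APPEND()`); the entries appear to be sorted by `value` and this hunk goes straight from the `(java.lang.String)` constructor to `append(char[],int,int)`, so it does not look like it is merely out of view. Separately, the hunk that follows (`@@ -1724,72`) appears to leave two entries for `java.lang.StringBuilder.substring(int,int)` on the new side, one replacing the `AbstractStringBuilder` line and one replacing the `(java.lang.CharSequence)` constructor; a duplicate rule is harmless only if the loader tolerates it, so one of the two should go.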
@@ -1724,72 +2715,59 @@ "target": "R", "track": "false", "untags": [], - "value": "java.lang.AbstractStringBuilder.substring(int,int)" + "value": "java.lang.StringBuilder.substring(int,int)" }, { - "command": "KEEP()", + "command": "SUBSET(P1,P2)", "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", - "source": "P1", + "source": "O", "stack_blacklist": [], "tags": [], - "target": "O", - "track": "", + "target": "R", + "track": "false", "untags": [], - "value": "java.lang.StringBuilder.(java.lang.CharSequence)" + "value": "java.lang.StringBuilder.substring(int,int)" }, { "command": "KEEP()", "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", - "source": "P1", - "stack_blacklist": [], - "tags": [], - "target": "O", - "track": "", - "untags": [], - "value": "java.lang.StringBuilder.(java.lang.String)" - }, - { - "command": "APPEND(P2,P3,0)", - "ignore_blacklist": false, - "ignore_internal": false, - "inherit": "false", - "source": "P1", + "source": "O", "stack_blacklist": [], "tags": [], - "target": "O", + "target": "R", "track": "", "untags": [], - "value": "java.lang.StringBuilder.append(char[],int,int)" + "value": "java.lang.StringBuilder.toString()" }, { - "command": "APPEND()", + "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", - "source": "P1", + "source": "O", "stack_blacklist": [], "tags": [], - "target": "O", - "track": "", + "target": "R", + "track": "false", "untags": [], - "value": "java.lang.StringBuilder.append(java.lang.CharSequence)" + "value": "java.lang.StringTokenizer.nextElement()" }, { - "command": "APPEND(P2,P3)", + "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", - "source": "P1", + "source": "O", "stack_blacklist": [], "tags": [], - "target": "O", - "track": "", + "target": "R", + "track": "false", "untags": [], - "value": "java.lang.StringBuilder.append(java.lang.CharSequence,int,int)" + "value": 
"java.lang.StringTokenizer.nextToken()"
 },
 {
 "command": "",
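Review bot: The two StringTokenizer propagators added at the end of this hunk name a class that does not exist, `java.lang.StringTokenizer.nextElement()` and `java.lang.StringTokenizer.nextToken()`; the class lives in `java.util`, which is how the constructor hooks added later in this same diff spell it (`java.util.StringTokenizer.(java.lang.String)`), so these two entries will never bind and the propagation they are meant to record will not happen. Change them to `"value": "java.util.StringTokenizer.nextElement()"` and `"value": "java.util.StringTokenizer.nextToken()"`. The same hunk also leaves two identical `SUBSET(P1,P2)` entries for `java.lang.StringBuilder.substring(int,int)` in the new file, and the new `java.lang.StringBuilder.toString()` entry keeps `"track": ""` where the neighbouring entries use `"track": "false"`; dropping the duplicate and writing `"track": "false"` keeps the array uniform. The `details` array this hunk edits starts before the hunk.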
@@ -1799,104 +2777,104 @@ "source": "P1", "stack_blacklist": [], "tags": [], - "target": "O", - "track": "", + "target": "R", + "track": "false", "untags": [], - "value": "java.lang.StringBuilder.append(java.lang.Object)" + "value": "java.net.IDN.toASCII(java.lang.String,int)" }, { - "command": "APPEND()", + "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "source": "P1", "stack_blacklist": [], "tags": [], - "target": "O", - "track": "", + "target": "R", + "track": "false", "untags": [], - "value": "java.lang.StringBuilder.append(java.lang.String)" + "value": "java.net.IDN.toUnicode(java.lang.String,int)" }, { - "command": "APPEND()", + "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "source": "P1", "stack_blacklist": [], "tags": [], - "target": "O", - "track": "", + "target": "R", + "track": "false", "untags": [], - "value": "java.lang.StringBuilder.append(java.lang.StringBuffer)" + "value": "java.nio.channels.Channels.newChannel(java.io.InputStream)" }, { - "command": "REMOVE(P1,P2)", + "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "source": "O", "stack_blacklist": [], "tags": [], - "target": "O", + "target": "P1", "track": "false", "untags": [], - "value": "java.lang.StringBuilder.delete(int,int)" + "value": "java.nio.channels.ReadableByteChannel.read(java.nio.ByteBuffer)" }, { - "command": "REMOVE(P1)", + "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", "source": "O", "stack_blacklist": [], "tags": [], - "target": "O", + "target": "P1", "track": "false", "untags": [], - "value": "java.lang.StringBuilder.deleteCharAt(int)" + "value": "java.security.SecureRandom.nextBytes(byte[])" }, { - "command": "SUBSET(P1,P2,P4)", + "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", - "source": "O", + "source": "P1", "stack_blacklist": [], "tags": [], - "target": "P3", + "target": 
"O", "track": "false", "untags": [], - "value": "java.lang.StringBuilder.getChars(int,int,char[],int)" + "value": "java.util.StringTokenizer.(java.lang.String)" }, { - "command": "INSERT(P1)", + "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", - "source": "P2", + "source": "P1", "stack_blacklist": [], "tags": [], "target": "O", "track": "false", "untags": [], - "value": "java.lang.StringBuilder.insert(int,char)" + "value": "java.util.StringTokenizer.(java.lang.String,java.lang.String)" }, { - "command": "INSERT(P1)", + "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", - "source": "P2", + "source": "P1", "stack_blacklist": [], "tags": [], "target": "O", "track": "false", "untags": [], - "value": "java.lang.StringBuilder.insert(int,char[])" + "value": "java.util.StringTokenizer.(java.lang.String,java.lang.String,boolean)" }, { - "command": "INSERT(P1,P3,P4)", + "command": "KEEP()", "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", 
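Review bot: The new `java.nio.channels.ReadableByteChannel.read(java.nio.ByteBuffer)` entry is written with `"inherit": "false"`, but `ReadableByteChannel` is an interface with no code of its own, so if `inherit` gates matching on implementing classes the way the other interface hooks in this diff suggest (`IStandardExpressionParser.parseExpression` uses `"true"`, `JsonDeserializer.deserialize` uses `"all"`), this hook will never fire on a real channel. I would write `"inherit": "all"` here, matching the `JsonDeserializer` entry. I would also double-check the `java.security.SecureRandom.nextBytes(byte[])` propagator (source `O`, target `P1`): it makes the generated bytes inherit the taint of the `SecureRandom` instance, which only makes sense if some seed path can taint the object; if that is not intended it is noise. The `details` array this hunk edits starts before the hunk.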
@@ -1906,114 +2884,130 @@ "target": "O", "track": "false", "untags": [], - "value": "java.lang.StringBuilder.insert(int,char[],int,int)" + "value": "java.util.logging.LogRecord.(java.util.logging.Level,java.lang.String)" }, { - "command": "INSERT(P1)", + "command": "KEEP()", "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", - "source": "P2", + "source": "O", "stack_blacklist": [], "tags": [], - "target": "O", + "target": "R", "track": "false", "untags": [], - "value": "java.lang.StringBuilder.insert(int,java.lang.CharSequence)" + "value": "java.util.logging.LogRecord.getMessage()" }, { - "command": "INSERT(P1,P3,P4)", + "command": "KEEP()", "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", - "source": "P2", + "source": "P1", "stack_blacklist": [], "tags": [], "target": "O", "track": "false", "untags": [], - "value": "java.lang.StringBuilder.insert(int,java.lang.CharSequence,int,int)" + "value": "java.util.logging.LogRecord.setMessage(java.lang.String)" }, { - "command": "INSERT(P1)", + "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", - "source": "P2", + "source": "P1", "stack_blacklist": [], - "tags": [], - "target": "O", + "tags": [ + "html-encoded" + ], + "target": "R", "track": "false", - "untags": [], - "value": "java.lang.StringBuilder.insert(int,java.lang.String)" + "untags": [ + "html-decoded" + ], + "value": "nu.xom.Attribute.escapeText(java.lang.String)" }, { - "command": "REPLACE(P1,P2)", + "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", - "source": "O|P3", + "source": "P1", "stack_blacklist": [], "tags": [], - "target": "O", + "target": "R", "track": "false", "untags": [], - "value": "java.lang.StringBuilder.replace(int,int,java.lang.String)" + "value": "org.apache.catalina.connector.Request.unescape(java.lang.String)" }, { - "command": "SUBSET(0,P1)", + "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": 
"false", - "source": "O", + "source": "P1", "stack_blacklist": [], - "tags": [], - "target": "O", + "tags": [ + "html-encoded" + ], + "target": "R", "track": "false", - "untags": [], - "value": "java.lang.StringBuilder.setLength(int)" + "untags": [ + "html-decoded" + ], + "value": "org.apache.commons.lang.StringEscapeUtils.escapeJavaScript(java.lang.String)" }, { - "command": "SUBSET(P1)", + "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", - "source": "O", + "source": "P1", "stack_blacklist": [], - "tags": [], + "tags": [ + "sql-encoded" + ], "target": "R", "track": "false", - "untags": [], - "value": "java.lang.StringBuilder.substring(int)" + "untags": [ + "sql-decoded" + ], + "value": "org.apache.commons.lang.StringEscapeUtils.escapeSQL(java.lang.String)" }, { - "command": "SUBSET(P1,P2)", + "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", - "source": "O", + "source": "P1", "stack_blacklist": [], - "tags": [], + "tags": [ + "html-decoded" + ], "target": "R", "track": "false", - "untags": [], - "value": "java.lang.StringBuilder.substring(int,int)" + "untags": [ + "html-encoded" + ], + "value": "org.apache.commons.lang.StringEscapeUtils.unescapeJavaScript(java.lang.String)" }, { - "command": "SUBSET(P1,P2)", + "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", - "source": "O", + "source": "P1", "stack_blacklist": [], "tags": [], "target": "R", "track": "false", "untags": [], - "value": "java.lang.StringBuilder.substring(int,int)" + "value": "org.apache.commons.lang3.StringEscapeUtils.escapeEcmaScript(java.lang.String)" }, { - "command": "KEEP()", + "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "false", 
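Review bot: `org.apache.commons.lang.StringEscapeUtils.escapeJavaScript(java.lang.String)` is tagged `html-encoded` (and untags `html-decoded`), but that method performs JavaScript string-literal escaping and does not neutralise `<`/`>` for an HTML body context, so with this tag an XSS finding is silenced wherever a value reaches HTML after passing through it; the sibling `org.apache.commons.lang3.StringEscapeUtils.escapeEcmaScript` added in the same hunk carries no tag at all, so the two equivalents also disagree. Either give both a JavaScript-specific tag, if the policy has one, or leave both untagged with `"tags": [],` / `"untags": [],`. Separately, commons-lang 2.x names the SQL helper `escapeSql`, not `escapeSQL`, so `"value": "org.apache.commons.lang.StringEscapeUtils.escapeSQL(java.lang.String)"` should be checked against the jar; and since that helper only doubles single quotes, tagging it `sql-encoded` will suppress SQL-injection findings for unquoted (numeric or identifier) positions. The `details` array this hunk edits starts before the hunk.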
@@ -2021,9 +3015,9 @@
 "stack_blacklist": [],
 "tags": [],
 "target": "R",
- "track": "",
+ "track": "false",
 "untags": [],
- "value": "java.lang.StringBuilder.toString()"
+ "value": "sun.net.www.protocol.http.HttpURLConnection.getInputStream()"
 }
 ],
 "enable": 1,
@@ -2050,6 +3044,39 @@
 "type": 2,
 "value": "Struts2"
 },
+ {
+ "details": [
+ {
+ "command": "",
+ "ignore_blacklist": false,
+ "ignore_internal": false,
+ "inherit": "all",
+ "source": "P1",
+ "stack_blacklist": [],
+ "tags": [],
+ "target": "",
+ "track": "true",
+ "untags": [],
+ "value": "org.thymeleaf.standard.expression.Expression.parse(java.lang.String)"
+ },
+ {
+ "command": "",
+ "ignore_blacklist": false,
+ "ignore_internal": false,
+ "inherit": "true",
+ "source": "P2",
+ "stack_blacklist": [],
+ "tags": [],
+ "target": "",
+ "track": "true",
+ "untags": [],
+ "value": "org.thymeleaf.standard.expression.IStandardExpressionParser.parseExpression(org.thymeleaf.context.IExpressionContext,java.lang.String)"
+ }
+ ],
+ "enable": 1,
+ "type": 4,
+ "value": "Thymeleaf\u6a21\u7248\u6ce8\u5165"
+ },
 {
 "details": [
 {
@@ -2091,6 +3118,19 @@
 "untags": [],
 "value": "java.net.URI.(java.lang.String,java.lang.String,java.lang.String,int,java.lang.String,java.lang.String,java.lang.String)"
 },
+ {
+ "command": "",
+ "ignore_blacklist": false,
+ "ignore_internal": false,
+ "inherit": "false",
+ "source": "P1,2,3,4",
+ "stack_blacklist": [],
+ "tags": [],
+ "target": "R",
+ "track": "false",
+ "untags": [],
+ "value": "java.net.URI.(java.lang.String,java.lang.String,java.lang.String,java.lang.String)"
+ },
 {
 "command": "",
 "ignore_blacklist": false,
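Review bot: The new policy group's `"value": "Thymeleaf\u6a21\u7248\u6ce8\u5165"` is the only group name in this diff written as a non-ASCII (Chinese) string; the group names visible elsewhere in the diff are plain identifiers such as `Struts2`, `dynamic-library-load` and `custom-encrypt`, so anything that filters or greps policies by name will treat this one differently. Unless the value is a display label rather than a key, `"value": "Thymeleaf-template-injection"` keeps it consistent with its neighbours. The two sink entries also use different `inherit` values, `"all"` for `Expression.parse` and `"true"` for `IStandardExpressionParser.parseExpression`; if the difference is not deliberate, pick one and use it for both.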
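Review bot: The added hook for the four-argument constructor `java.net.URI.(java.lang.String,java.lang.String,java.lang.String,java.lang.String)` sets `"target": "R"`, but a constructor has no return value; the five-argument sibling in the next hunk and the other constructor hooks in this diff (`java.util.StringTokenizer.(...)`, `java.util.logging.LogRecord.(...)`) all use `"target": "O"` so that taint lands on the constructed object. Change it to `"target": "O"`, otherwise a URI assembled from tainted scheme, authority, path or fragment pieces through this overload is not tracked.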
@@ -2099,23 +3139,36 @@
 "source": "P1,2,3,4,5",
 "stack_blacklist": [],
 "tags": [],
- "target": "O",
+ "target": "O",
+ "track": "false",
+ "untags": [],
+ "value": "java.net.URI.(java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String)"
+ },
+ {
+ "command": "",
+ "ignore_blacklist": false,
+ "ignore_internal": false,
+ "inherit": "false",
+ "source": "O",
+ "stack_blacklist": [],
+ "tags": [],
+ "target": "R",
 "track": "false",
 "untags": [],
- "value": "java.net.URI.(java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String)"
+ "value": "java.net.URI.toURL()"
 },
 {
 "command": "",
 "ignore_blacklist": false,
 "ignore_internal": false,
- "inherit": "false",
- "source": "O",
+ "inherit": "true",
+ "source": "P1",
 "stack_blacklist": [],
 "tags": [],
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "java.net.URI.toURL()"
+ "value": "java.nio.file.spi.FileSystemProvider.getPath(java.net.URI)"
 }
 ],
 "enable": 1,
@@ -3079,10 +4132,264 @@ "source": "P1", "stack_blacklist": [], "tags": [], - "target": "O", + "target": "O", + "track": "false", + "untags": [], + "value": "com.alibaba.fastjson.parser.DefaultJSONParser.(java.lang.String,com.alibaba.fastjson.parser.ParserConfig,int)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldBigInteger(char[])" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldDate(char[])" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldDecimal(char[])" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldDouble(char[])" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldFloatArray(char[])" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": 
"com.alibaba.fastjson.parser.JSONLexerBase.scanFieldFloatArray2(char[])" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldInt(char[])" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldIntArray(char[])" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldLong(char[])" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldString(char[])" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "com.alibaba.fastjson.parser.deserializer.JavaBeanDeserializer.scanFieldFloat(char[])" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "P4", + "track": "false", + "untags": [], + "value": "com.alibaba.fastjson.util.IOUtils.decodeUTF8(byte[],int,int,char[])" + } + ], + "enable": 1, + "type": 1, + "value": "com.alibaba.fastjson" + }, + { + "details": [ + { + "command": "", + "ignore_blacklist": false, + 
"ignore_internal": false, + "inherit": "all", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "com.fasterxml.jackson.core.JsonFactory.createParser(byte[])" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "com.fasterxml.jackson.core.JsonFactory.createParser(byte[],int,int)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "com.fasterxml.jackson.core.JsonFactory.createParser(java.io.DataInput)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "com.fasterxml.jackson.core.JsonFactory.createParser(java.io.InputStream)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "com.fasterxml.jackson.core.JsonFactory.createParser(java.io.Reader)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "P1", + "stack_blacklist": [], + "tags": [], + "target": "R", + "track": "false", + "untags": [], + "value": "com.fasterxml.jackson.core.JsonFactory.createParser(java.lang.String)" + }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "all", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "R", "track": "false", "untags": [], - "value": 
"com.alibaba.fastjson.parser.DefaultJSONParser.(java.lang.String,com.alibaba.fastjson.parser.ParserConfig,int)"
+ "value": "com.fasterxml.jackson.core.JsonParser.getBinaryValue(com.fasterxml.jackson.core.Base64Variant)"
 },
 {
 "command": "",
@@ -3095,7 +4402,7 @@
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldBigInteger(char[])"
+ "value": "com.fasterxml.jackson.core.JsonParser.getCurrentName()"
 },
 {
 "command": "",
@@ -3108,7 +4415,7 @@
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldDate(char[])"
+ "value": "com.fasterxml.jackson.core.JsonParser.getParsingContext()"
 },
 {
 "command": "",
@@ -3121,7 +4428,7 @@
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldDecimal(char[])"
+ "value": "com.fasterxml.jackson.core.JsonParser.getText()"
 },
 {
 "command": "",
@@ -3131,10 +4438,10 @@
 "source": "O",
 "stack_blacklist": [],
 "tags": [],
- "target": "R",
+ "target": "P1",
 "track": "false",
 "untags": [],
- "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldDouble(char[])"
+ "value": "com.fasterxml.jackson.core.JsonParser.getText(java.io.Writer)"
 },
 {
 "command": "",
@@ -3147,7 +4454,7 @@
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldFloatArray(char[])"
+ "value": "com.fasterxml.jackson.core.JsonParser.getTextCharacters()"
 },
 {
 "command": "",
@@ -3160,7 +4467,7 @@
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldFloatArray2(char[])"
+ "value": "com.fasterxml.jackson.core.JsonParser.getValueAsString()"
 },
 {
 "command": "",
@@ -3173,7 +4480,7 @@
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldInt(char[])"
+ "value": "com.fasterxml.jackson.core.JsonParser.getValueAsString(java.lang.String)"
 },
 {
 "command": "",
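Review bot: Among the six `com.fasterxml.jackson.core.JsonFactory.createParser(...)` propagators added in this hunk, only the `java.io.InputStream` overload has `"inherit": "false"`; the other five use `"inherit": "all"`. `JsonFactory` is routinely subclassed (Jackson's own `MappingJsonFactory`, for instance), so if the `false` setting restricts the hook to the exact class, a tainted stream fed through a subclass loses tracking on exactly the overload most server code uses; `"inherit": "all"` would match its siblings. I would also confirm that `"target": "P4"` on `com.alibaba.fastjson.util.IOUtils.decodeUTF8(byte[],int,int,char[])` is intended, since it is the only propagator in this hunk that writes taint into an argument rather than the return value. The entry at the top of the hunk starts before it.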
@@ -3186,7 +4493,7 @@
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldIntArray(char[])"
+ "value": "com.fasterxml.jackson.core.JsonParser.nextFieldName()"
 },
 {
 "command": "",
@@ -3199,7 +4506,7 @@
 "target": "R",
 "track": "false",
 "untags": [],
- "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldLong(char[])"
+ "value": "com.fasterxml.jackson.core.JsonParser.nextTextValue()"
 },
 {
 "command": "",
@@ -3212,406 +4519,371 @@ "target": "R", "track": "false", "untags": [], - "value": "com.alibaba.fastjson.parser.JSONLexerBase.scanFieldString(char[])" + "value": "com.fasterxml.jackson.core.JsonStreamContext.getCurrentName()" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "all", - "source": "O", + "source": "P1", "stack_blacklist": [], "tags": [], "target": "R", "track": "false", "untags": [], - "value": "com.alibaba.fastjson.parser.deserializer.JavaBeanDeserializer.scanFieldFloat(char[])" + "value": "com.fasterxml.jackson.databind.JsonDeserializer.deserialize(com.fasterxml.jackson.core.JsonParser,com.fasterxml.jackson.databind.DeserializationContext)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", - "source": "P1", + "inherit": "all", + "source": "O", "stack_blacklist": [], "tags": [], - "target": "P4", + "target": "R", "track": "false", "untags": [], - "value": "com.alibaba.fastjson.util.IOUtils.decodeUTF8(byte[],int,int,char[])" - } - ], - "enable": 1, - "type": 1, - "value": "com.alibaba.fastjson" - }, - { - "details": [ + "value": "com.fasterxml.jackson.databind.JsonNode.asText()" + }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", - "source": "P1", + "inherit": "all", + "source": "O", "stack_blacklist": [], "tags": [], "target": "R", "track": "false", "untags": [], - "value": "com.fasterxml.jackson.core.JsonFactory.createParser(java.io.InputStream)" + "value": "com.fasterxml.jackson.databind.JsonNode.asToken()" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "all", - "source": "P1", + "source": "O", "stack_blacklist": [], "tags": [], "target": "R", "track": "false", "untags": [], - "value": "com.fasterxml.jackson.databind.JsonDeserializer.deserialize(com.fasterxml.jackson.core.JsonParser,com.fasterxml.jackson.databind.DeserializationContext)" + "value": 
"com.fasterxml.jackson.databind.JsonNode.binaryValue()" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", - "source": "P1", + "inherit": "all", + "source": "O", "stack_blacklist": [], "tags": [], "target": "R", "track": "false", "untags": [], - "value": "com.fasterxml.jackson.databind.ObjectMapper.createDeserializationContext(com.fasterxml.jackson.core.JsonParser,com.fasterxml.jackson.databind.DeserializationConfig)" + "value": "com.fasterxml.jackson.databind.JsonNode.deepCopy()" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", - "source": "P1", + "inherit": "all", + "source": "O", "stack_blacklist": [], "tags": [], "target": "R", "track": "false", "untags": [], - "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.io.InputStream,com.fasterxml.jackson.databind.JavaType)" + "value": "com.fasterxml.jackson.databind.JsonNode.elements()" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "all", - "source": "P1", + "source": "O", "stack_blacklist": [], "tags": [], "target": "R", "track": "false", "untags": [], - "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.io.InputStream,java.lang.Class)" + "value": "com.fasterxml.jackson.databind.JsonNode.fieldNames()" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "all", - "source": "P1", + "source": "O", "stack_blacklist": [], "tags": [], "target": "R", "track": "false", "untags": [], - "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.lang.String,com.fasterxml.jackson.databind.JavaType)" + "value": "com.fasterxml.jackson.databind.JsonNode.fields()" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "all", - "source": "P1", + "source": "O", "stack_blacklist": [], "tags": [], "target": "R", "track": "false", "untags": [], - "value": 
"com.fasterxml.jackson.databind.ObjectMapper.readValue(java.lang.String,java.lang.Class)" + "value": "com.fasterxml.jackson.databind.JsonNode.findPath(java.lang.String)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "all", - "source": "P1", + "source": "O", "stack_blacklist": [], "tags": [], "target": "R", "track": "false", "untags": [], - "value": "com.fasterxml.jackson.databind.deser.ValueInstantiator.createUsingDefault(com.fasterxml.jackson.databind.DeserializationContext)" - } - ], - "enable": 1, - "type": 1, - "value": "com.fasterxml.jackson" - }, - { - "details": [ + "value": "com.fasterxml.jackson.databind.JsonNode.findValue(java.lang.String)" + }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", - "source": "P1", + "inherit": "all", + "source": "O", "stack_blacklist": [], "tags": [], "target": "R", "track": "false", "untags": [], - "value": "com.google.gson.TypeAdapter.read(com.google.gson.stream.JsonReader)" + "value": "com.fasterxml.jackson.databind.JsonNode.findValues(java.lang.String)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "all", - "source": "P1", + "source": "O", "stack_blacklist": [], "tags": [], - "target": "O", + "target": "R", "track": "false", "untags": [], - "value": "com.google.gson.stream.JsonReader.(java.io.Reader)" - } - ], - "enable": 1, - "type": 1, - "value": "com.google.gson" - }, - { - "details": [ + "value": "com.fasterxml.jackson.databind.JsonNode.findValues(java.lang.String,java.util.List)" + }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", - "source": "P1", + "inherit": "all", + "source": "O", "stack_blacklist": [], "tags": [], "target": "R", "track": "false", "untags": [], - "value": "org.iast.springsec.common.DataManager.doManage(java.lang.String)" - } - ], - "enable": 1, - "type": 1, - "value": "custom-encrypt" - }, - { - "details": [ + "value": 
"com.fasterxml.jackson.databind.JsonNode.findValuesAsText(java.lang.String)" + }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", - "source": "P2", + "inherit": "all", + "source": "O", "stack_blacklist": [], "tags": [], - "target": "", + "target": "R", "track": "false", "untags": [], - "value": "java.lang.ClassLoader.loadLibrary(java.lang.Class,java.lang.String,boolean)" + "value": "com.fasterxml.jackson.databind.JsonNode.findValuesAsText(java.lang.String,java.util.List)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "false", - "source": "P2", + "inherit": "all", + "source": "O", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "java.lang.Runtime.load0(java.lang.Class,java.lang.String)" - } - ], - "enable": 1, - "type": 4, - "value": "dynamic-library-load" - }, - { - "details": [ + "value": "com.fasterxml.jackson.databind.JsonNode.get(int)" + }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "all", - "source": "P1", + "source": "O", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "jakarta.el.ELProcessor.eval(java.lang.String)" + "value": "com.fasterxml.jackson.databind.JsonNode.get(java.lang.String)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "all", - "source": "P1", + "source": "O", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "jakarta.el.ELProcessor.getValue(java.lang.String,java.lang.Class)" + "value": "com.fasterxml.jackson.databind.JsonNode.iterator()" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "all", - "source": "P1", + "source": "O", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + 
"target": "R", + "track": "false", "untags": [], - "value": "jakarta.el.ELProcessor.setValue(java.lang.String,java.lang.Object)" + "value": "com.fasterxml.jackson.databind.JsonNode.path(int)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "all", - "source": "P2", + "source": "O", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "jakarta.el.ELProcessor.setVariable(java.lang.String,java.lang.String)" + "value": "com.fasterxml.jackson.databind.JsonNode.path(java.lang.String)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "all", - "source": "P2", + "source": "O", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "jakarta.el.ExpressionFactory.createMethodExpression(jakarta.el.ELContext,java.lang.String,java.lang.Class,java.lang.Class[])" + "value": "com.fasterxml.jackson.databind.JsonNode.textValue()" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "all", - "source": "P2", + "source": "O", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "jakarta.el.ExpressionFactory.createValueExpression(jakarta.el.ELContext,java.lang.String,java.lang.Class)" + "value": "com.fasterxml.jackson.databind.JsonNode.toString()" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "all", - "source": "P1", + "source": "O", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "jakarta.servlet.jsp.el.ExpressionEvaluator.evaluate(java.lang.String,java.lang.Class,jakarta.servlet.jsp.el.VariableResolver,jakarta.servlet.jsp.el.FunctionMapper)" + "value": "com.fasterxml.jackson.databind.JsonNode.traverse()" }, { "command": "", 
"ignore_blacklist": false, "ignore_internal": false, "inherit": "all", - "source": "P1", + "source": "O", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "javax.el.ELProcessor.eval(java.lang.String)" + "value": "com.fasterxml.jackson.databind.JsonNode.with(java.lang.String)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "all", - "source": "P1", + "source": "O", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "javax.el.ELProcessor.getValue(java.lang.String,java.lang.Class)" + "value": "com.fasterxml.jackson.databind.JsonNode.withArray(java.lang.String)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "all", + "inherit": "false", "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "javax.el.ELProcessor.setValue(java.lang.String,java.lang.Object)" + "value": "com.fasterxml.jackson.databind.ObjectMapper.createDeserializationContext(com.fasterxml.jackson.core.JsonParser,com.fasterxml.jackson.databind.DeserializationConfig)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "all", - "source": "P2", + "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "javax.el.ELProcessor.setVariable(java.lang.String,java.lang.String)" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(byte[],int,int,java.lang.Class)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "all", - "source": "P2", + "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": 
"javax.el.ExpressionFactory.createMethodExpression(javax.el.ELContext,java.lang.String,java.lang.Class,java.lang.Class[])" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(com.fasterxml.jackson.core.JsonParser,com.fasterxml.jackson.core.type.TypeReference)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, "inherit": "all", - "source": "P2", + "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "javax.el.ExpressionFactory.createValueExpression(javax.el.ELContext,java.lang.String,java.lang.Class)" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(com.fasterxml.jackson.core.JsonParser,com.fasterxml.jackson.databind.JavaType)" }, { "command": "", @@ -3621,23 +4893,23 @@ "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "javax.servlet.jsp.el.ExpressionEvaluator.evaluate(java.lang.String,java.lang.Class,javax.servlet.jsp.el.VariableResolver,javax.servlet.jsp.el.FunctionMapper)" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(com.fasterxml.jackson.core.JsonParser,java.lang.Class)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "all", + "inherit": "false", "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "ognl.Ognl.getValue(java.lang.Object,java.lang.Object)" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.io.InputStream,com.fasterxml.jackson.databind.JavaType)" }, { "command": "", 
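Review bot: `com.fasterxml.jackson.databind.JsonNode.asToken()` is added as an `O` → `R` propagator, but it returns a `JsonToken` enum constant, a shared singleton; marking that return value tainted carries no data and, depending on how the agent stores taint on objects, could tag an instance shared by every request. I would drop that entry and keep the text-returning ones (`asText()`, `textValue()`, `toString()`, `findValuesAsText(...)`) that actually carry the payload. The old side of this hunk also removes the `jakarta.el`/`javax.el`/`ognl` expression-evaluation sinks and the `dynamic-library-load` and `custom-encrypt` groups; the diff pairs them with the Jackson lines because of reordering, so please confirm they still exist elsewhere in the new file rather than being dropped. `createDeserializationContext(...)` is the one `ObjectMapper` entry here with `"inherit": "false"` while the surrounding `readValue(...)` overloads use `"inherit": "all"`; if that is not deliberate, align it. The entry at the top of the hunk starts before it.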
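Review bot: The `com.fasterxml.jackson.databind.ObjectMapper.readValue(java.io.InputStream,com.fasterxml.jackson.databind.JavaType)` entry in this hunk is written with `"inherit": "false"`, while the `readValue(...)` overloads around it in this diff (`byte[]`, `JsonParser`/`TypeReference`, `JsonParser`/`JavaType`) use `"inherit": "all"`. `ObjectMapper` is commonly extended, so a subclass calling this overload on a tainted stream would return an untracked object; unless the difference is deliberate, change it to `"inherit": "all"` to match its siblings. The `inherit` value of the neighbouring `readValue(JsonParser, Class)` entry is outside this hunk and should be checked the same way.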
@@ -3647,10 +4919,10 @@ "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "ognl.Ognl.getValue(java.lang.Object,java.lang.Object,java.lang.Class)" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.io.InputStream,java.lang.Class)" }, { "command": "", @@ -3660,10 +4932,10 @@ "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "ognl.Ognl.getValue(java.lang.Object,java.util.Map,java.lang.Object)" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.io.Reader,com.fasterxml.jackson.core.type.TypeReference)" }, { "command": "", @@ -3673,10 +4945,10 @@ "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "ognl.Ognl.getValue(java.lang.Object,java.util.Map,java.lang.Object,java.lang.Class)" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.io.Reader,com.fasterxml.jackson.databind.JavaType)" }, { "command": "", @@ -3686,10 +4958,10 @@ "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "ognl.Ognl.getValue(java.lang.String,java.lang.Object)" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.lang.String,com.fasterxml.jackson.databind.JavaType)" }, { "command": "", @@ -3699,10 +4971,10 @@ "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "ognl.Ognl.getValue(java.lang.String,java.lang.Object,java.lang.Class)" + "value": "com.fasterxml.jackson.databind.ObjectMapper.readValue(java.lang.String,java.lang.Class)" }, { "command": "", 
@@ -3712,10 +4984,10 @@ "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "ognl.Ognl.getValue(java.lang.String,java.util.Map,java.lang.Object)" + "value": "com.fasterxml.jackson.databind.deser.ValueInstantiator.createUsingDefault(com.fasterxml.jackson.databind.DeserializationContext)" }, { "command": "", @@ -3725,10 +4997,10 @@ "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "ognl.Ognl.getValue(java.lang.String,java.util.Map,java.lang.Object,java.lang.Class)" + "value": "org.codehaus.jackson.map.ObjectMapper.readValue(byte[],int,int,java.lang.Class)" }, { "command": "", @@ -3738,10 +5010,10 @@ "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "ognl.Ognl.parseExpression(java.lang.String)" + "value": "org.codehaus.jackson.map.ObjectMapper.readValue(byte[],int,int,org.codehaus.jackson.type.JavaType)" }, { "command": "", 
@@ -3751,197 +5023,218 @@ "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "org.apache.commons.ognl.Ognl.parseExpression(java.lang.String)" + "value": "org.codehaus.jackson.map.ObjectMapper.readValue(byte[],int,int,org.codehaus.jackson.type.TypeReference)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", - "source": "O", + "inherit": "all", + "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "org.springframework.expression.Expression.getValue()" + "value": "org.codehaus.jackson.map.ObjectMapper.readValue(byte[],java.lang.Class)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", - "source": "O", + "inherit": "all", + "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "org.springframework.expression.Expression.getValue(java.lang.Class)" + "value": "org.codehaus.jackson.map.ObjectMapper.readValue(byte[],org.codehaus.jackson.type.JavaType)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", - "source": "O", + "inherit": "all", + "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "org.springframework.expression.Expression.getValue(java.lang.Object)" + "value": "org.codehaus.jackson.map.ObjectMapper.readValue(byte[],org.codehaus.jackson.type.TypeReference)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", - "source": "O", + "inherit": "all", + "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": 
"org.springframework.expression.Expression.getValue(java.lang.Object,java.lang.Class)" + "value": "org.codehaus.jackson.map.ObjectMapper.readValue(java.io.InputStream,java.lang.Class)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", - "source": "O", + "inherit": "all", + "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "org.springframework.expression.Expression.getValue(org.springframework.expression.EvaluationContext)" + "value": "org.codehaus.jackson.map.ObjectMapper.readValue(java.lang.String,java.lang.Class)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", - "source": "O", + "inherit": "all", + "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "org.springframework.expression.Expression.getValue(org.springframework.expression.EvaluationContext,java.lang.Class)" + "value": "org.codehaus.jackson.map.ObjectMapper.readValue(java.lang.String,org.codehaus.jackson.type.JavaType)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", - "source": "O", + "inherit": "all", + "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "org.springframework.expression.Expression.getValue(org.springframework.expression.EvaluationContext,java.lang.Object)" - }, + "value": "org.codehaus.jackson.map.ObjectMapper.readValue(java.lang.String,org.codehaus.jackson.type.TypeReference)" + } + ], + "enable": 1, + "type": 1, + "value": "com.fasterxml.jackson" + }, + { + "details": [ { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", - "source": "O", + "inherit": "false", + "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - 
"track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "org.springframework.expression.Expression.getValue(org.springframework.expression.EvaluationContext,java.lang.Object,java.lang.Class)" + "value": "com.google.gson.Gson.fromJson(java.io.Reader,java.lang.Class)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", - "source": "O", + "inherit": "false", + "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "org.springframework.expression.Expression.getValueTypeDescriptor()" + "value": "com.google.gson.Gson.fromJson(java.lang.String,java.lang.Class)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", - "source": "O", + "inherit": "false", + "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - "value": "org.springframework.expression.Expression.getValueTypeDescriptor(java.lang.Object)" + "value": "com.google.gson.TypeAdapter.read(com.google.gson.stream.JsonReader)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", - "source": "O", + "inherit": "all", + "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "O", + "track": "false", "untags": [], - "value": "org.springframework.expression.Expression.getValueTypeDescriptor(org.springframework.expression.EvaluationContext)" - }, + "value": "com.google.gson.stream.JsonReader.(java.io.Reader)" + } + ], + "enable": 1, + "type": 1, + "value": "com.google.gson" + }, + { + "details": [ { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", - "source": "O", + "inherit": "false", + "source": "P1", "stack_blacklist": [], "tags": [], - "target": "", - "track": "true", + "target": "R", + "track": "false", "untags": [], - 
"value": "org.springframework.expression.Expression.getValueTypeDescriptor(org.springframework.expression.EvaluationContext,java.lang.Object)" - }, + "value": "org.iast.springsec.common.DataManager.doManage(java.lang.String)" + } + ], + "enable": 1, + "type": 1, + "value": "custom-encrypt" + }, + { + "details": [ { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "all", - "source": "P1", + "inherit": "false", + "source": "P2", "stack_blacklist": [], "tags": [], "target": "", - "track": "true", + "track": "false", "untags": [], - "value": "org.thymeleaf.standard.expression.Expression.parse(java.lang.String)" + "value": "java.lang.ClassLoader.loadLibrary(java.lang.Class,java.lang.String,boolean)" }, { "command": "", "ignore_blacklist": false, "ignore_internal": false, - "inherit": "true", + "inherit": "false", "source": "P2", "stack_blacklist": [], "tags": [], "target": "", "track": "true", "untags": [], - "value": "org.thymeleaf.standard.expression.IStandardExpressionParser.parseExpression(org.thymeleaf.context.IExpressionContext,java.lang.String)" + "value": "java.lang.Runtime.load0(java.lang.Class,java.lang.String)" } ], "enable": 1, "type": 4, - "value": "expression-language-injection" + "value": "dynamic-library-load" }, { "details": [ @@ -4714,6 +6007,19 @@ "untags": [], "value": "java.io.InputStream.(java.io.InputStream)" }, + { + "command": "", + "ignore_blacklist": false, + "ignore_internal": false, + "inherit": "false", + "source": "O", + "stack_blacklist": [], + "tags": [], + "target": "P1", + "track": "false", + "untags": [], + "value": "java.io.InputStream.read(byte[])" + }, { "command": "", "ignore_blacklist": false, 
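Review bot: In the new `dynamic-library-load` rule at the end of this hunk the two entries disagree: `java.lang.ClassLoader.loadLibrary(java.lang.Class,java.lang.String,boolean)` is added with `"track": "false"` while `java.lang.Runtime.load0(java.lang.Class,java.lang.String)` keeps `"track": "true"`, and both carry an empty `"target"`; if `track` decides whether a hit on the hook is recorded, one of the two will silently never report, so please make both explicit and matching. The new `custom-encrypt` group hooks `org.iast.springsec.common.DataManager.doManage(java.lang.String)`, which looks like an application-specific class rather than a library API — confirm it belongs in the shipped default strategy and not in a project-local override. I cannot see the schema for these fields, so the meaning of `track` is inferred from its name; the enclosing JSON array continues outside the hunk.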
@@ -4727,6 +6033,19 @@
 "untags": [],
 "value": "java.io.InputStream.read(byte[],int,int)"
 },
+ {
+ "command": "",
+ "ignore_blacklist": false,
+ "ignore_internal": false,
+ "inherit": "false",
+ "source": "O",
+ "stack_blacklist": [],
+ "tags": [],
+ "target": "P1",
+ "track": "false",
+ "untags": [],
+ "value": "java.io.InputStream.transferTo(java.io.OutputStream)"
+ },
 {
 "command": "",
 "ignore_blacklist": false,
@@ -4740,6 +6059,19 @@
 "untags": [],
 "value": "java.io.InputStreamReader.(java.io.InputStream)"
 },
+ {
+ "command": "",
+ "ignore_blacklist": false,
+ "ignore_internal": false,
+ "inherit": "false",
+ "source": "P1",
+ "stack_blacklist": [],
+ "tags": [],
+ "target": "O",
+ "track": "false",
+ "untags": [],
+ "value": "java.io.InputStreamReader.(java.io.InputStream,java.lang.String)"
+ },
 {
 "command": "",
 "ignore_blacklist": false,
@@ -4792,6 +6124,19 @@
 "untags": [],
 "value": "java.io.PipedInputStream.read(byte[],int,int)"
 },
+ {
+ "command": "",
+ "ignore_blacklist": false,
+ "ignore_internal": false,
+ "inherit": "false",
+ "source": "P1",
+ "stack_blacklist": [],
+ "tags": [],
+ "target": "O",
+ "track": "false",
+ "untags": [],
+ "value": "java.io.PipedInputStream.receive(byte[],int,int)"
+ },
 {
 "command": "INSERT(0,P2,P3)",
 "ignore_blacklist": false,
@@ -4805,6 +6150,19 @@
 "untags": [],
 "value": "java.io.PipedReader.read(char[],int,int)"
 },
+ {
+ "command": "",
+ "ignore_blacklist": false,
+ "ignore_internal": false,
+ "inherit": "false",
+ "source": "P1",
+ "stack_blacklist": [],
+ "tags": [],
+ "target": "O",
+ "track": "false",
+ "untags": [],
+ "value": "java.io.PipedReader.receive(char[],int,int)"
+ },
 {
 "command": "",
 "ignore_blacklist": false,
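Review bot: The new `java.io.InputStream.transferTo(java.io.OutputStream)` entry is added with `"inherit": "false"`, while its counterpart `java.io.Reader.transferTo(java.io.Writer)` in the `@@ -4844` hunk uses `"inherit": "all"`; both are methods of abstract base classes that concrete streams commonly override, so if `inherit` controls whether overriding implementations are hooked, the InputStream rule would miss them and the `O` → `P1` propagation it declares would not fire for overridden streams. The same `"inherit": "false"` is on the new `java.io.InputStream.read(byte[])` entry in the `@@ -4714` hunk. Please confirm which value is intended and align the three entries; the field semantics are inferred from naming since the schema is not visible here.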
@@ -4844,6 +6202,19 @@
 "untags": [],
 "value": "java.io.Reader.read(char[])"
 },
+ {
+ "command": "",
+ "ignore_blacklist": false,
+ "ignore_internal": false,
+ "inherit": "all",
+ "source": "O",
+ "stack_blacklist": [],
+ "tags": [],
+ "target": "P1",
+ "track": "false",
+ "untags": [],
+ "value": "java.io.Reader.transferTo(java.io.Writer)"
+ },
 {
 "command": "",
 "ignore_blacklist": false,
diff --git a/static/data/vul_strategy.json b/static/data/vul_strategy.json
index 3f52604ab..702d3095b 100644
--- a/static/data/vul_strategy.json
+++ b/static/data/vul_strategy.json
@@ -1,4 +1,20 @@ [ + { + "level": 1, + "state": "enable", + "system_type": 1, + "user": 1, + "vul_desc": "CWE-917\uff0c\u8be5\u8f6f\u4ef6\u4f7f\u7528\u6765\u81ea\u4e0a\u6e38\u7ec4\u4ef6\u7684\u5916\u90e8\u5f71\u54cd\u7684\u8f93\u5165\u6765\u6784\u9020Java Server Page\uff08JSP\uff09\u4e2d\u7684\u5168\u90e8\u6216\u90e8\u5206\u8868\u8fbe\u8bed\u8a00\uff08EL\uff09\u8bed\u53e5\uff0c\u4f46\u4e0d\u4f1a\u4e2d\u548c\u6216\u9519\u8bef\u5730\u4e2d\u548c\u4e86\u53ef\u4ee5\u4fee\u6539\u9884\u671f\u7684EL\u8bed\u53e5\u7684\u7279\u6b8a\u5143\u7d20\u3002\u5b83\u88ab\u6267\u884c\u3002\n\nEL\uff08Expression Language\uff09 \u662f\u4e3a\u4e86\u4f7fJSP\u5199\u8d77\u6765\u66f4\u52a0\u7b80\u5355\u3002\u8868\u8fbe\u5f0f\u8bed\u8a00\u7684\u7075\u611f\u6765\u81ea\u4e8e ECMAScript \u548c XPath \u8868\u8fbe\u5f0f\u8bed\u8a00\uff0c\u5b83\u63d0\u4f9b\u4e86\u5728 JSP \u4e2d\u7b80\u5316\u8868\u8fbe\u5f0f\u7684\u65b9\u6cd5\uff0c\u8ba9Jsp\u7684\u4ee3\u7801\u66f4\u52a0\u7b80\u5316\u3002\n\nEL\u8868\u8fbe\u5f0f\u6ce8\u5165\u6f0f\u6d1e\u548cSpEL\u3001OGNL\u7b49\u8868\u8fbe\u5f0f\u6ce8\u5165\u6f0f\u6d1e\u662f\u4e00\u6837\u7684\u6f0f\u6d1e\u539f\u7406\u7684\uff0c\u5373\u8868\u8fbe\u5f0f\u5916\u90e8\u53ef\u63a7\u5bfc\u81f4\u653b\u51fb\u8005\u6ce8\u5165\u6076\u610f\u8868\u8fbe\u5f0f\u5b9e\u73b0\u4efb\u610f\u4ee3\u7801\u6267\u884c\u3002\n\n\u4e00\u822c\u6765\u8bf4\uff0cEL\u8868\u8fbe\u5f0f\u6ce8\u5165\u6f0f\u6d1e\u7684\u5916\u90e8\u53ef\u63a7\u70b9\u5165\u53e3\u90fd\u662f\u5728Java\u7a0b\u5e8f\u4ee3\u7801\u4e2d\uff0c\u5373Java\u7a0b\u5e8f\u4e2d\u7684EL\u8868\u8fbe\u5f0f\u5185\u5bb9\u5168\u90e8\u6216\u90e8\u5206\u662f\u4ece\u5916\u90e8\u83b7\u53d6\u7684\u3002\n\n**\u901a\u7528POC**\n\n```Java\n//\u5bf9\u5e94\u4e8eJSP\u9875\u9762\u4e2d\u7684pageContext\u5bf9\u8c61\uff08\u6ce8\u610f\uff1a\u53d6\u7684\u662fpageContext\u5bf9\u8c61\uff09\n${pageContext}\n\n//\u83b7\u53d6Web\u8def\u5f84\n${pageContext.getSession().getServletContext().getClassLoader().getResource(\"\")}\n\n//\u6587\u4ef6\u5934\u53c2\u6570\n${header
}\n\n//\u83b7\u53d6webRoot\n${applicationScope}\n\n//\u6267\u884c\u547d\u4ee4\n${pageContext.request.getSession().setAttribute(\"a\",pageContext.request.getClass().forName(\"java.lang.Runtime\").getMethod(\"getRuntime\",null).invoke(null,null).exec(\"calc\").getInputStream())}\n```", + "vul_desc_en": null, + "vul_desc_zh": "CWE-917\uff0c\u8be5\u8f6f\u4ef6\u4f7f\u7528\u6765\u81ea\u4e0a\u6e38\u7ec4\u4ef6\u7684\u5916\u90e8\u5f71\u54cd\u7684\u8f93\u5165\u6765\u6784\u9020Java Server Page\uff08JSP\uff09\u4e2d\u7684\u5168\u90e8\u6216\u90e8\u5206\u8868\u8fbe\u8bed\u8a00\uff08EL\uff09\u8bed\u53e5\uff0c\u4f46\u4e0d\u4f1a\u4e2d\u548c\u6216\u9519\u8bef\u5730\u4e2d\u548c\u4e86\u53ef\u4ee5\u4fee\u6539\u9884\u671f\u7684EL\u8bed\u53e5\u7684\u7279\u6b8a\u5143\u7d20\u3002\u5b83\u88ab\u6267\u884c\u3002\n\nEL\uff08Expression Language\uff09 \u662f\u4e3a\u4e86\u4f7fJSP\u5199\u8d77\u6765\u66f4\u52a0\u7b80\u5355\u3002\u8868\u8fbe\u5f0f\u8bed\u8a00\u7684\u7075\u611f\u6765\u81ea\u4e8e ECMAScript \u548c XPath \u8868\u8fbe\u5f0f\u8bed\u8a00\uff0c\u5b83\u63d0\u4f9b\u4e86\u5728 JSP 
\u4e2d\u7b80\u5316\u8868\u8fbe\u5f0f\u7684\u65b9\u6cd5\uff0c\u8ba9Jsp\u7684\u4ee3\u7801\u66f4\u52a0\u7b80\u5316\u3002\n\nEL\u8868\u8fbe\u5f0f\u6ce8\u5165\u6f0f\u6d1e\u548cSpEL\u3001OGNL\u7b49\u8868\u8fbe\u5f0f\u6ce8\u5165\u6f0f\u6d1e\u662f\u4e00\u6837\u7684\u6f0f\u6d1e\u539f\u7406\u7684\uff0c\u5373\u8868\u8fbe\u5f0f\u5916\u90e8\u53ef\u63a7\u5bfc\u81f4\u653b\u51fb\u8005\u6ce8\u5165\u6076\u610f\u8868\u8fbe\u5f0f\u5b9e\u73b0\u4efb\u610f\u4ee3\u7801\u6267\u884c\u3002\n\n\u4e00\u822c\u6765\u8bf4\uff0cEL\u8868\u8fbe\u5f0f\u6ce8\u5165\u6f0f\u6d1e\u7684\u5916\u90e8\u53ef\u63a7\u70b9\u5165\u53e3\u90fd\u662f\u5728Java\u7a0b\u5e8f\u4ee3\u7801\u4e2d\uff0c\u5373Java\u7a0b\u5e8f\u4e2d\u7684EL\u8868\u8fbe\u5f0f\u5185\u5bb9\u5168\u90e8\u6216\u90e8\u5206\u662f\u4ece\u5916\u90e8\u83b7\u53d6\u7684\u3002\n\n**\u901a\u7528POC**\n\n```Java\n//\u5bf9\u5e94\u4e8eJSP\u9875\u9762\u4e2d\u7684pageContext\u5bf9\u8c61\uff08\u6ce8\u610f\uff1a\u53d6\u7684\u662fpageContext\u5bf9\u8c61\uff09\n${pageContext}\n\n//\u83b7\u53d6Web\u8def\u5f84\n${pageContext.getSession().getServletContext().getClassLoader().getResource(\"\")}\n\n//\u6587\u4ef6\u5934\u53c2\u6570\n${header}\n\n//\u83b7\u53d6webRoot\n${applicationScope}\n\n//\u6267\u884c\u547d\u4ee4\n${pageContext.request.getSession().setAttribute(\"a\",pageContext.request.getClass().forName(\"java.lang.Runtime\").getMethod(\"getRuntime\",null).invoke(null,null).exec(\"calc\").getInputStream())}\n```", + "vul_fix": "1", + "vul_fix_en": null, + "vul_fix_zh": "1", + "vul_name": "EL\u8868\u8fbe\u5f0f\u6ce8\u5165", + "vul_name_en": null, + "vul_name_zh": "EL\u8868\u8fbe\u5f0f\u6ce8\u5165", + "vul_type": "EL\u8868\u8fbe\u5f0f\u6ce8\u5165" + }, { "level": 3, "state": "enable", 
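Review bot: The new EL-injection entry ships `"vul_fix": "1"` and `"vul_fix_zh": "1"` — a placeholder rather than remediation guidance — while `vul_desc_en`, `vul_name_en` and `vul_fix_en` are `null`, so an English-locale UI shows this rule with no name, description or fix at all. The same applies to the SPEL entry (`"vul_fix": "1"`) and the Thymeleaf entry (`"vul_fix": ""`) in the `@@ -111` hunk, and the OGNL entry in the `@@ -31` hunk repeats the vulnerability name as its fix. Since `vul_desc` already carries a proof-of-concept block, the part users act on is the fix text; something like `"vul_fix_en": "Never build EL expressions from request-controlled input; if dynamic evaluation is unavoidable, validate the input against an allowlist and evaluate it with the smallest set of resolvable objects and no access to runtime or class-loading APIs."`, with a matching `vul_fix_zh`, would make the entry usable. At minimum `vul_name_en` should be filled so the rule is identifiable in every locale.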
@@ -31,6 +47,22 @@ "vul_name_zh": "JNDI\u6ce8\u5165", "vul_type": "JNDI\u6ce8\u5165" }, + { + "level": 1, + "state": "enable", + "system_type": 1, + "user": 1, + "vul_desc": "\u5168\u79f0Object Graph Navigation Library\nOGNL\u4ee3\u8868\u5bf9\u8c61\u56fe\u5bfc\u822a\u8bed\u8a00\uff1b\u5b83\u662f\u4e00\u79cd\u8868\u8fbe\u8bed\u8a00\uff0c\u7528\u4e8e\u83b7\u53d6\u548c\u8bbe\u7f6eJava\u5bf9\u8c61\u7684\u5c5e\u6027\uff0c\u4ee5\u53ca\u5176\u4ed6\u9644\u52a0\u529f\u80fd\uff0c\u4f8b\u5982\u5217\u8868\u6295\u5f71\u548c\u9009\u62e9\u4ee5\u53calambda\u8868\u8fbe\u5f0f\u3002\u60a8\u53ef\u4ee5\u4f7f\u7528\u76f8\u540c\u7684\u8868\u8fbe\u5f0f\u6765\u83b7\u53d6\u548c\u8bbe\u7f6e\u5c5e\u6027\u503c\u3002", + "vul_desc_en": null, + "vul_desc_zh": "\u5168\u79f0Object Graph Navigation Library\nOGNL\u4ee3\u8868\u5bf9\u8c61\u56fe\u5bfc\u822a\u8bed\u8a00\uff1b\u5b83\u662f\u4e00\u79cd\u8868\u8fbe\u8bed\u8a00\uff0c\u7528\u4e8e\u83b7\u53d6\u548c\u8bbe\u7f6eJava\u5bf9\u8c61\u7684\u5c5e\u6027\uff0c\u4ee5\u53ca\u5176\u4ed6\u9644\u52a0\u529f\u80fd\uff0c\u4f8b\u5982\u5217\u8868\u6295\u5f71\u548c\u9009\u62e9\u4ee5\u53calambda\u8868\u8fbe\u5f0f\u3002\u60a8\u53ef\u4ee5\u4f7f\u7528\u76f8\u540c\u7684\u8868\u8fbe\u5f0f\u6765\u83b7\u53d6\u548c\u8bbe\u7f6e\u5c5e\u6027\u503c\u3002", + "vul_fix": "Ognl\u8868\u8fbe\u5f0f\u6ce8\u5165", + "vul_fix_en": null, + "vul_fix_zh": "Ognl\u8868\u8fbe\u5f0f\u6ce8\u5165", + "vul_name": "Ognl\u8868\u8fbe\u5f0f\u6ce8\u5165", + "vul_name_en": null, + "vul_name_zh": "Ognl\u8868\u8fbe\u5f0f\u6ce8\u5165", + "vul_type": "Ognl\u8868\u8fbe\u5f0f\u6ce8\u5165" + }, { "level": 5, "state": "enable", 
@@ -111,6 +143,38 @@ "vul_name_zh": "Response Without X-Content-Type-Options Header", "vul_type": "Response Without X-Content-Type-Options Header" }, + { + "level": 1, + "state": "enable", + "system_type": 1, + "user": 1, + "vul_desc": "Spring Expression Language\uff08\u7b80\u79f0SpEL\uff09\u662f\u4e00\u79cd\u5f3a\u5927\u7684\u8868\u8fbe\u5f0f\u8bed\u8a00\uff0c\u652f\u6301\u5728\u8fd0\u884c\u65f6\u67e5\u8be2\u548c\u64cd\u4f5c\u5bf9\u8c61\u56fe\u3002\u8bed\u8a00\u8bed\u6cd5\u7c7b\u4f3c\u4e8eUnified EL\uff0c\u4f46\u63d0\u4f9b\u4e86\u989d\u5916\u7684\u529f\u80fd\uff0c\u7279\u522b\u662f\u65b9\u6cd5\u8c03\u7528\u548c\u57fa\u672c\u7684\u5b57\u7b26\u4e32\u6a21\u677f\u529f\u80fd\u3002\u540c\u65f6\u56e0\u4e3aSpEL\u662f\u4ee5API\u63a5\u53e3\u7684\u5f62\u5f0f\u521b\u5efa\u7684\uff0c\u6240\u4ee5\u5141\u8bb8\u5c06\u5176\u96c6\u6210\u5230\u5176\u4ed6\u5e94\u7528\u7a0b\u5e8f\u548c\u6846\u67b6\u4e2d\u3002\n", + "vul_desc_en": null, + "vul_desc_zh": "Spring Expression Language\uff08\u7b80\u79f0SpEL\uff09\u662f\u4e00\u79cd\u5f3a\u5927\u7684\u8868\u8fbe\u5f0f\u8bed\u8a00\uff0c\u652f\u6301\u5728\u8fd0\u884c\u65f6\u67e5\u8be2\u548c\u64cd\u4f5c\u5bf9\u8c61\u56fe\u3002\u8bed\u8a00\u8bed\u6cd5\u7c7b\u4f3c\u4e8eUnified EL\uff0c\u4f46\u63d0\u4f9b\u4e86\u989d\u5916\u7684\u529f\u80fd\uff0c\u7279\u522b\u662f\u65b9\u6cd5\u8c03\u7528\u548c\u57fa\u672c\u7684\u5b57\u7b26\u4e32\u6a21\u677f\u529f\u80fd\u3002\u540c\u65f6\u56e0\u4e3aSpEL\u662f\u4ee5API\u63a5\u53e3\u7684\u5f62\u5f0f\u521b\u5efa\u7684\uff0c\u6240\u4ee5\u5141\u8bb8\u5c06\u5176\u96c6\u6210\u5230\u5176\u4ed6\u5e94\u7528\u7a0b\u5e8f\u548c\u6846\u67b6\u4e2d\u3002\n", + "vul_fix": "1", + "vul_fix_en": null, + "vul_fix_zh": "1", + "vul_name": "SPEL\u8868\u8fbe\u5f0f\u6ce8\u5165", + "vul_name_en": null, + "vul_name_zh": "SPEL\u8868\u8fbe\u5f0f\u6ce8\u5165", + "vul_type": "SPEL\u8868\u8fbe\u5f0f\u6ce8\u5165" + }, + { + "level": 1, + "state": "enable", + "system_type": 1, + "user": 1, + "vul_desc": "Thymeleaf \u662f\u4e0e java 
\u914d\u5408\u4f7f\u7528\u7684\u4e00\u6b3e\u670d\u52a1\u7aef\u6a21\u677f\u5f15\u64ce\uff0c\u4e5f\u662f spring \u5b98\u65b9\u652f\u6301\u7684\u4e00\u6b3e\u670d\u52a1\u7aef\u6a21\u677f\u5f15\u64ce\u3002\u4ed6\u652f\u6301 HTML \u539f\u578b\uff0c\u5728 HTML \u6807\u7b7e\u4e2d\u589e\u52a0\u989d\u5916\u7684\u5c5e\u6027\u6765\u8fbe\u5230\u6a21\u677f + \u6570\u636e\u7684\u5c55\u793a\u65b9\u5f0f\u3002\u9ed8\u8ba4\u524d\u7f00\uff1a/templates/ \uff0c\u9ed8\u8ba4\u540e\u7f00\uff1a.html \n- Thymeleaf\u4f7f\u7528html\u901a\u8fc7\u4e00\u4e9b\u7279\u5b9a\u6807\u7b7e\u8bed\u6cd5\u4ee3\u8868\u5176\u542b\u4e49\uff0c\u4f46\u5e76\u672a\u7834\u574fhtml\u7ed3\u6784\uff0c\u5373\u4f7f\u65e0\u7f51\u7edc\u3001\u4e0d\u901a\u8fc7\u540e\u7aef\u6e32\u67d3\u4e5f\u80fd\u5728\u6d4f\u89c8\u5668\u6210\u529f\u6253\u5f00\uff0c\u5927\u5927\u65b9\u4fbf\u754c\u9762\u7684\u6d4b\u8bd5\u548c\u4fee\u6539\u3002\n- Thymeleaf\u63d0\u4f9b\u6807\u51c6\u548cSpring\u6807\u51c6\u4e24\u79cd\u65b9\u8a00\uff0c\u53ef\u4ee5\u76f4\u63a5\u5957\u7528\u6a21\u677f\u5b9e\u73b0JSTL\u3001 OGNL\u8868\u8fbe\u5f0f\u6548\u679c\uff0c\u907f\u514d\u6bcf\u5929\u5957\u6a21\u677f\u3001\u6539JSTL\u3001\u6539\u6807\u7b7e\u7684\u56f0\u6270\u3002\u540c\u65f6\u5f00\u53d1\u4eba\u5458\u4e5f\u53ef\u4ee5\u6269\u5c55\u548c\u521b\u5efa\u81ea\u5b9a\u4e49\u7684\u65b9\u8a00\u3002\n- Springboot\u5b98\u65b9\u5927\u529b\u63a8\u8350\u548c\u652f\u6301\uff0cSpringboot\u5b98\u65b9\u505a\u4e86\u5f88\u591a\u9ed8\u8ba4\u914d\u7f6e\uff0c\u5f00\u53d1\u8005\u53ea\u9700\u7f16\u5199\u5bf9\u5e94html\u5373\u53ef\uff0c\u5927\u5927\u51cf\u8f7b\u4e86\u4e0a\u624b\u96be\u5ea6\u548c\u914d\u7f6e\u590d\u6742\u5ea6\u3002\n\nThymeleaf\u652f\u6301\u8868\u8fbe\u5f0f\u8bed\u6cd5\uff0c\u5982\u679c\u6a21\u7248\u53c2\u6570\u5916\u90e8\u8def\u7531\u4f20\u5165\uff0c\u7528\u6237\u53ef\u63a7\uff0c\u53ef\u80fd\u4f1a\u5bfc\u81f4\u6076\u610f\u653b\u51fb\u8005\u83b7\u53d6\u670d\u52a1\u5668\u7cfb\u7edf\u6743\u9650\u7b49\u3002\nThymeleaf 
\u63d0\u4f9b\u4e86\u00a0[\u9884\u5904\u7406](https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#preprocessing)\u00a0\u8868\u8fbe\u5f0f\u7684\u529f\u80fd\uff0c\u9884\u5904\u7406\u8868\u8fbe\u5f0f\u4e0e\u666e\u901a\u8868\u8fbe\u5f0f\u5b8c\u5168\u4e00\u6837\uff0c\u4f46\u7531\u53cc\u4e0b\u5212\u7ebf\u7b26\u53f7\u5305\u56f4\uff0c\u5982`__${expression}__`\u00a0\uff0c\u88ab\u9884\u5904\u7406\u7684\u8868\u8fbe\u5f0f\u5c06\u4f1a\u88ab\u63d0\u524d\u6267\u884c\uff0c\u5e76\u4e14\u53ef\u4ee5\u8fd4\u56de\u5f53\u4f5c\u5916\u5c42\u5305\u88f9\u7684\u540e\u7eed\u8868\u8fbe\u5f0f\u7684\u4e00\u90e8\u5206\uff0c\u4f8b\u5982\uff1a`#{selection.__${sel.code}__}`\uff0cThymeleaf \u9996\u5148\u8fdb\u884c\u9884\u5904\u7406`${sel.code}`\u3002\u7136\u540e\uff0c\u5b83\u4f7f\u7528\u7ed3\u679c\uff08\u5728\u672c\u4f8b\u4e2d\u4e3a\u5b58\u50a8\u503c\u00a0_ALL_\u00a0\uff09\u4f5c\u4e3a\u7a0d\u540e\u8ba1\u7b97\u7684\u5b9e\u6570\u8868\u8fbe\u5f0f (\u00a0`#{selection.ALL}`) \u7684\u4e00\u90e8\u5206\u3002\nPayload\u5982\u4e0b\n\u901a\u8fc7${}::.x\u6784\u9020\u8868\u8fbe\u5f0f\u4f1a\u7531Thymeleaf\u53bb\u6267\u884c\n```java\n__$%7bnew%20java.util.Scanner(T(java.lang.Runtime).getRuntime().exec(%22calc%22).getInputStream()).next()%7d__::.x\n```\n", + "vul_desc_en": null, + "vul_desc_zh": "Thymeleaf \u662f\u4e0e java \u914d\u5408\u4f7f\u7528\u7684\u4e00\u6b3e\u670d\u52a1\u7aef\u6a21\u677f\u5f15\u64ce\uff0c\u4e5f\u662f spring \u5b98\u65b9\u652f\u6301\u7684\u4e00\u6b3e\u670d\u52a1\u7aef\u6a21\u677f\u5f15\u64ce\u3002\u4ed6\u652f\u6301 HTML \u539f\u578b\uff0c\u5728 HTML \u6807\u7b7e\u4e2d\u589e\u52a0\u989d\u5916\u7684\u5c5e\u6027\u6765\u8fbe\u5230\u6a21\u677f + \u6570\u636e\u7684\u5c55\u793a\u65b9\u5f0f\u3002\u9ed8\u8ba4\u524d\u7f00\uff1a/templates/ \uff0c\u9ed8\u8ba4\u540e\u7f00\uff1a.html \n- 
Thymeleaf\u4f7f\u7528html\u901a\u8fc7\u4e00\u4e9b\u7279\u5b9a\u6807\u7b7e\u8bed\u6cd5\u4ee3\u8868\u5176\u542b\u4e49\uff0c\u4f46\u5e76\u672a\u7834\u574fhtml\u7ed3\u6784\uff0c\u5373\u4f7f\u65e0\u7f51\u7edc\u3001\u4e0d\u901a\u8fc7\u540e\u7aef\u6e32\u67d3\u4e5f\u80fd\u5728\u6d4f\u89c8\u5668\u6210\u529f\u6253\u5f00\uff0c\u5927\u5927\u65b9\u4fbf\u754c\u9762\u7684\u6d4b\u8bd5\u548c\u4fee\u6539\u3002\n- Thymeleaf\u63d0\u4f9b\u6807\u51c6\u548cSpring\u6807\u51c6\u4e24\u79cd\u65b9\u8a00\uff0c\u53ef\u4ee5\u76f4\u63a5\u5957\u7528\u6a21\u677f\u5b9e\u73b0JSTL\u3001 OGNL\u8868\u8fbe\u5f0f\u6548\u679c\uff0c\u907f\u514d\u6bcf\u5929\u5957\u6a21\u677f\u3001\u6539JSTL\u3001\u6539\u6807\u7b7e\u7684\u56f0\u6270\u3002\u540c\u65f6\u5f00\u53d1\u4eba\u5458\u4e5f\u53ef\u4ee5\u6269\u5c55\u548c\u521b\u5efa\u81ea\u5b9a\u4e49\u7684\u65b9\u8a00\u3002\n- Springboot\u5b98\u65b9\u5927\u529b\u63a8\u8350\u548c\u652f\u6301\uff0cSpringboot\u5b98\u65b9\u505a\u4e86\u5f88\u591a\u9ed8\u8ba4\u914d\u7f6e\uff0c\u5f00\u53d1\u8005\u53ea\u9700\u7f16\u5199\u5bf9\u5e94html\u5373\u53ef\uff0c\u5927\u5927\u51cf\u8f7b\u4e86\u4e0a\u624b\u96be\u5ea6\u548c\u914d\u7f6e\u590d\u6742\u5ea6\u3002\n\nThymeleaf\u652f\u6301\u8868\u8fbe\u5f0f\u8bed\u6cd5\uff0c\u5982\u679c\u6a21\u7248\u53c2\u6570\u5916\u90e8\u8def\u7531\u4f20\u5165\uff0c\u7528\u6237\u53ef\u63a7\uff0c\u53ef\u80fd\u4f1a\u5bfc\u81f4\u6076\u610f\u653b\u51fb\u8005\u83b7\u53d6\u670d\u52a1\u5668\u7cfb\u7edf\u6743\u9650\u7b49\u3002\nThymeleaf 
\u63d0\u4f9b\u4e86\u00a0[\u9884\u5904\u7406](https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#preprocessing)\u00a0\u8868\u8fbe\u5f0f\u7684\u529f\u80fd\uff0c\u9884\u5904\u7406\u8868\u8fbe\u5f0f\u4e0e\u666e\u901a\u8868\u8fbe\u5f0f\u5b8c\u5168\u4e00\u6837\uff0c\u4f46\u7531\u53cc\u4e0b\u5212\u7ebf\u7b26\u53f7\u5305\u56f4\uff0c\u5982`__${expression}__`\u00a0\uff0c\u88ab\u9884\u5904\u7406\u7684\u8868\u8fbe\u5f0f\u5c06\u4f1a\u88ab\u63d0\u524d\u6267\u884c\uff0c\u5e76\u4e14\u53ef\u4ee5\u8fd4\u56de\u5f53\u4f5c\u5916\u5c42\u5305\u88f9\u7684\u540e\u7eed\u8868\u8fbe\u5f0f\u7684\u4e00\u90e8\u5206\uff0c\u4f8b\u5982\uff1a`#{selection.__${sel.code}__}`\uff0cThymeleaf \u9996\u5148\u8fdb\u884c\u9884\u5904\u7406`${sel.code}`\u3002\u7136\u540e\uff0c\u5b83\u4f7f\u7528\u7ed3\u679c\uff08\u5728\u672c\u4f8b\u4e2d\u4e3a\u5b58\u50a8\u503c\u00a0_ALL_\u00a0\uff09\u4f5c\u4e3a\u7a0d\u540e\u8ba1\u7b97\u7684\u5b9e\u6570\u8868\u8fbe\u5f0f (\u00a0`#{selection.ALL}`) \u7684\u4e00\u90e8\u5206\u3002\nPayload\u5982\u4e0b\n\u901a\u8fc7${}::.x\u6784\u9020\u8868\u8fbe\u5f0f\u4f1a\u7531Thymeleaf\u53bb\u6267\u884c\n```java\n__$%7bnew%20java.util.Scanner(T(java.lang.Runtime).getRuntime().exec(%22calc%22).getInputStream()).next()%7d__::.x\n```\n", + "vul_fix": "", + "vul_fix_en": null, + "vul_fix_zh": "", + "vul_name": "Thymeleaf\u6a21\u7248\u6ce8\u5165", + "vul_name_en": null, + "vul_name_zh": "Thymeleaf\u6a21\u7248\u6ce8\u5165", + "vul_type": "Thymeleaf\u6a21\u7248\u6ce8\u5165" + }, { "level": 1, "state": "enable", diff --git a/static/i18n/views/setlang.py b/static/i18n/views/setlang.py index cafb25565..205675f08 100644 --- a/static/i18n/views/setlang.py +++ b/static/i18n/views/setlang.py 
@@ -8,9 +8,8 @@ from django.conf import settings
 from django.http import JsonResponse
-from django.utils.translation import gettext_lazy as _
-from dongtai_common.endpoint import AnonymousAndUserEndPoint, R
+from dongtai_common.endpoint import AnonymousAndUserEndPoint
 from dongtai_conf.settings import LANGUAGES
 from dongtai_web.utils import extend_schema_with_envcheck
@@ -32,9 +31,7 @@ class LanguageSetting(AnonymousAndUserEndPoint):
 summary="切换语言",
 )
 def get(self, request):
- lang_code = request.GET.get(LANGUAGE_QUERY_PARAMETER)
- if lang_code not in ALLOWED_LANG_CODE:
- return R.failure(msg=_("this language not supported now"))
+ lang_code = "zh"
 response = JsonResponse({"status": 201})
 if request.user.is_authenticated:
 user = request.user
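Review bot: `lang_code = "zh"` pins the language regardless of the request, yet the view still advertises `summary="切换语言"` and the import block still pulls in `LANGUAGES`, so the endpoint now promises a switch it does not perform; the rest of `get` continues outside the hunk and presumably applies `lang_code` to the user or cookie. If the pin is intentional, say so at the assignment, e.g. `lang_code = "zh"  # language switching disabled: only zh is served; the query parameter is intentionally ignored`, and adjust the summary to match. If it is a stopgap, keep the allowlist guard instead of dropping it: `lang_code = request.GET.get(LANGUAGE_QUERY_PARAMETER, "zh")` followed by `if lang_code not in ALLOWED_LANG_CODE: lang_code = "zh"`. Either way `LANGUAGE_QUERY_PARAMETER` and `ALLOWED_LANG_CODE` appear to have no remaining reader after this change and should go the same way as the removed `R` and `gettext_lazy` imports, assuming nothing else in the module uses them.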