find-sec-bugs

Interface sinks not working?

Open Quiark opened this issue 5 years ago • 0 comments

Environment

| Component   | Version |
|-------------|---------|
| Maven       | n/a     |
| Gradle      | 5.6.4   |
| Java        | 8       |
| SpotBugs    | 4.4.4   |
| FindSecBugs | 1.11    |

Problem

I'm trying to add SSRF sinks for Spring RestTemplate as well as the RestOperations interface (into findsecbugs-plugin/src/main/resources/injection-sinks/scala-play-ssrf.txt). They look like this:

    org/springframework/web/client/RestTemplate.delete(Ljava/net/URI;)V:0
    org/springframework/web/client/RestOperations.delete(Ljava/net/URI;)V:0

...etc...

Calls on the concrete class RestTemplate do get picked up, but the ones on the interface don't.

Test cases:

    fun keraa(arg: URI) {
        val ops: RestOperations = client

        val qhuhu = ops.delete(arg)
    }

    fun direct(arg: URI) {
        val qhuhu = client.delete(arg)
    }

Same code, decompiled:

  public void keraa(java.net.URI);
    Code:
       0: aload_1
       1: ldc           #202                // String arg
       3: invokestatic  #25                 // Method kotlin/jvm/internal/Intrinsics.checkParameterIsNotNull:(Ljava/lang/Object;Ljava/lang/String;)V
       6: aload_0
       7: getfield      #85                 // Field client:Lorg/springframework/web/client/RestTemplate;
      10: checkcast     #87                 // class org/springframework/web/client/RestOperations
      13: astore_2
      14: aload_2
      15: aload_1
      16: invokeinterface #205,  2          // InterfaceMethod org/springframework/web/client/RestOperations.delete:(Ljava/net/URI;)V
      21: getstatic     #211                // Field kotlin/Unit.INSTANCE:Lkotlin/Unit;
      24: astore_3
      25: return

  public void direct(java.net.URI);
    Code:
       0: aload_1
       1: ldc           #202                // String arg
       3: invokestatic  #25                 // Method kotlin/jvm/internal/Intrinsics.checkParameterIsNotNull:(Ljava/lang/Object;Ljava/lang/String;)V
       6: aload_0
       7: getfield      #85                 // Field client:Lorg/springframework/web/client/RestTemplate;
      10: aload_1
      11: invokevirtual #217                // Method org/springframework/web/client/RestTemplate.delete:(Ljava/net/URI;)V
      14: getstatic     #211                // Field kotlin/Unit.INSTANCE:Lkotlin/Unit;
      17: astore_2
      18: return

There seems to be only a small difference between the two. Is something wrong on my side?

Quiark • Oct 21 '20 09:10
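
An added example, not part of the original issue or of FindSecBugs: a Python check that compares sink entries in the format quoted above with the invoke instructions in `javap -c` output, by exact owner, method name and descriptor. The helper names are hypothetical, and the script only verifies the text of the entries; it does not reproduce the analyzer's own matching.

```python
import re

# Sink entry as written on the page: owner.method(descriptor):argument-indexes
SINK_RE = re.compile(r"^([\w/$]+)\.([\w$<>]+)(\([^)]*\)[^:\s]+):(\d+(?:,\d+)*)$")
# javap -c invoke line: "invokeX #n // [Interface]Method owner.name:(descriptor)"
CALL_RE = re.compile(r"(invoke\w+)\s.*//\s*(?:Interface)?Method\s+([\w/$]+)\.([\w$<>]+):(\(\S*\)\S+)")

def parse_sinks(text):
    """Return ({call key: [argument indexes]}, [lines that are not valid entries])."""
    sinks, rejected = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = SINK_RE.match(line)
        if m:
            owner, name, desc, args = m.groups()
            sinks[f"{owner}.{name}{desc}"] = [int(a) for a in args.split(",")]
        else:
            rejected.append(line)
    return sinks, rejected

def call_sites(javap_text):
    """Yield (opcode, call key) for every invoke instruction in javap -c output."""
    for m in CALL_RE.finditer(javap_text):
        op, owner, name, desc = m.groups()
        yield op, f"{owner}.{name}{desc}"

def coverage(sinks_text, javap_text):
    """Map each call key to (opcode, sink argument indexes or None if no entry)."""
    sinks, _ = parse_sinks(sinks_text)
    return {key: (op, sinks.get(key)) for op, key in call_sites(javap_text)}

# The two sink entries from the issue, plus one constructed malformed line
# (dotted class name) to show what gets rejected.
SINKS = """
org/springframework/web/client/RestTemplate.delete(Ljava/net/URI;)V:0
org/springframework/web/client/RestOperations.delete(Ljava/net/URI;)V:0
org.springframework.web.client.RestOperations.delete(Ljava/net/URI;)V:0
"""
# Invoke instructions copied from the javap listing in the issue.
JAVAP = """
 3: invokestatic  #25  // Method kotlin/jvm/internal/Intrinsics.checkParameterIsNotNull:(Ljava/lang/Object;Ljava/lang/String;)V
16: invokeinterface #205,  2  // InterfaceMethod org/springframework/web/client/RestOperations.delete:(Ljava/net/URI;)V
11: invokevirtual #217  // Method org/springframework/web/client/RestTemplate.delete:(Ljava/net/URI;)V
"""

if __name__ == "__main__":
    for key, (op, args) in coverage(SINKS, JAVAP).items():
        print(f"{op:16} {key} -> {'sink args ' + str(args) if args else 'no sink entry'}")
    print("rejected:", parse_sinks(SINKS)[1])
```

For the issue's input, both `delete` call sites have a textually matching entry, so a typo in the two sink lines is ruled out as the difference.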