Commit
Merge branch 'google:master' into torchserve_rce_new
lokiuox authored Dec 3, 2024
2 parents 0376fac + 4d33236 commit d801812
Showing 855 changed files with 787,421 additions and 8,760 deletions.
33 changes: 33 additions & 0 deletions .github/workflows/doyensec-build.yml
@@ -0,0 +1,33 @@
name: doyensec-plugins-build

on:
push:
paths:
- 'doyensec/**'
pull_request:
paths:
- 'doyensec/**'

jobs:
build:
strategy:
matrix:
os: [ ubuntu-latest, macos-latest ]
java: [ 11 ]
runs-on: ${{ matrix.os }}
name: 'Build doyensec plugins on ${{ matrix.os }} using Java ${{ matrix.java }}'
steps:
- name: 'Check out repository'
uses: actions/checkout@v2
- name: 'Set up JDK ${{ matrix.java }}'
uses: actions/setup-java@v1
with:
java-version: ${{ matrix.java }}
- name: 'Cache Gradle resources'
uses: actions/cache@v2
with:
path: ~/.gradle/caches
key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
restore-keys: ${{ runner.os }}-gradle
- name: 'Build Doyensec plugins'
run: ./doyensec/build_all.sh
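Review bot: the actions in this workflow are referenced by floating major tags (`actions/checkout@v2`, `actions/setup-java@v1`, `actions/cache@v2`), all of which are superseded majors; pin each to a full commit SHA (with the version in a trailing comment) so a moved tag cannot change what runs in CI, and add a top-level `permissions: contents: read` block so the job's GITHUB_TOKEN is not handed write scope by default. Note also that `setup-java@v1` is the last major that accepts `java-version` alone; newer majors require a `distribution:` input (for example `distribution: 'temurin'`), so budget for that when bumping.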
29 changes: 29 additions & 0 deletions README.md
Expand Up @@ -3,10 +3,39 @@
This project aims to provide a central repository for many useful Tsunami
Security Scanner plugins.

## Tsunami's documentation

To learn more about Tsunami, visit our
[documentation](https://google.github.io/tsunami-security-scanner/).

## Contributing

Read how to [contribute to Tsunami](docs/contributing.md).

## Currently released Tsunami plugins

### Detectors
#### AI Relevant OSS
* [Pytorch Serve Expose API Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/google/detectors/exposedui/pytorch_serve)
* [Ray CVE-2023-48022 Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/google/detectors/rce/ai/cve202348022)
* [Ray CVE-2023-6019 Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/google/detectors/rce/ai/cve20236019)
* [H2O CVE-2023-6018 Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/google/detectors/rce/ai/cve20236018)
* [MLflow CVE-2023-6977 & CVE-2023-1177 & CVE-2023-2780 Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/mlflow_cve_2023_6977)
* [MLflow CVE-2023-6014 Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/mlflow_cve_2023_6014)
* [MLflow Weak Credential Detector](https://github.com/google/tsunami-security-scanner-plugins/blob/master/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/mlflow/MlFlowCredentialTester.java)
* [Argo Workflow Exposed API Detector](https://github.com/google/tsunami-security-scanner-plugins/blob/master/google/detectors/exposedui/argoworkflow/)
* [MinIO Sensitive Info Disclosure Detector](https://github.com/google/tsunami-security-scanner-plugins/blob/master/community/detectors/minio_cve_2023_28432/)
* [Gradio CVE-2023-51449 Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/gradio_cve_2023_51449)
* [Apache Spark CVE-2022-33891 Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/apache_spark_cve_2022_33891)
* [Apache Spark Expose UI Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/apache_spark_exposed_webui)
* [Apache Spark Exposed API Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/rce/apache_spark_exposed_api)
* [Apache Airflow CVE-2020-17526 Auth Bypass RCE](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/apache_airflow_cve_2020_17526)
* [Triton Inference Server RCE](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/triton_inference_server_model_overwrite)
* [Intel Neural Compressor CVE-2024-22476 RCE Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/intel_neural_compressor_cve_2024_22476)
* [ZenML Weak Credential Detector](https://github.com/google/tsunami-security-scanner-plugins/blob/master/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/zenml/ZenMlCredentialTester.java)
* [Argo CD Exposed UI](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/argocd_exposed_ui)
* [Airflow Exposed UI](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/apache_airflow_exposed_ui)

## Source Code Headers

Every file containing source code must include copyright and license
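Review bot: two list entries use "Expose" where the rest of the list uses "Exposed": "Pytorch Serve Expose API Detector" and "Apache Spark Expose UI Detector" should read "PyTorch Serve Exposed API Detector" and "Apache Spark Exposed UI Detector" to match "Argo Workflow Exposed API Detector" and "Apache Spark Exposed API Detector" beside them. The "Detector" suffix is also applied inconsistently (for example "Triton Inference Server RCE", "Argo CD Exposed UI", "Airflow Exposed UI" omit it); pick one form for the whole list.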
18 changes: 15 additions & 3 deletions community/README.md
Expand Up @@ -19,10 +19,22 @@ This directory contains plugins contributed by community members.
* [CVE-2021-29441 Nacos < 1.4.1 Authentication Bypass](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/nacos_cve_2021_29441)

#### Remote Code Execution

* [Apache Druid Pre-Auth RCE vulnerability (CVE-2021-25646) Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/apache_druid_preauth_rce_cve_2021_25646)
* [Forgerock AM/OpenAM RCE (CVE-2021-35464) Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/rce/cve202135464)
* [GitLab CE/EE Unauthenticated RCE using ExifTool and disclosure vulnerability (CVE-2021-29441)](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/gitlab_cve_2021_22205)
* [Unauthenticated RCE in Laravel <= 8.4.2 using Debug Mode (CVE-2021-3129) Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/laravel_cve_2021_3129)
* [CVE-2021-26084 Confluence Server RCE via Pre-Auth OGNL Injection (CVE-2021-26084) Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/confluence_cve_2021_26084)
* [GitLab CE/EE Unauthenticated RCE using ExifTool and disclosure
vulnerability
(CVE-2021-29441)](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/gitlab_cve_2021_22205)
* [Unauthenticated RCE in Laravel <= 8.4.2 using Debug Mode (CVE-2021-3129)
Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/laravel_cve_2021_3129)
* [CVE-2021-26084 Confluence Server RCE via Pre-Auth OGNL Injection
(CVE-2021-26084)
Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/confluence_cve_2021_26084)
* [CVE-2022-22965 Spring Framework RCE (CVE-2022-22965) Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/spring_framework_cve_2022_22965)
* [CVE-2022-36804 Bitbucket Server RCE via command injection](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/bitbucket_cve_2022_36804)
* [Spring Cloud Function CVE-2022-22963 VulnDetector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/spring_cloud_function_cve_2022_22963)
* [Apache Spark Exposed API VulnDetector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/rce/apache_spark_exposed_api)

#### Information Disclosure

* [Apache Sparks exposed Web UI Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/apache_spark_exposed_webui)
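Review bot: the GitLab entry carries the wrong CVE in both the old and the reflowed version: it says "(CVE-2021-29441)" but links to `community/detectors/gitlab_cve_2021_22205`, and CVE-2021-29441 is already used above for the Nacos authentication bypass. Change the label to "(CVE-2021-22205)" so the text matches the detector it points at. While here, the Confluence and Spring Framework entries repeat their CVE twice ("CVE-2021-26084 ... (CVE-2021-26084)", "CVE-2022-22965 ... (CVE-2022-22965)"), and "Apache Sparks exposed Web UI Detector" should be "Apache Spark Exposed Web UI Detector".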
Expand Up @@ -47,7 +47,7 @@ java {
}

ext {
tsunamiVersion = '0.0.14'
tsunamiVersion = 'latest.release'
junitVersion = '4.13'
mockitoVersion = '2.28.2'
truthVersion = '1.0.1'
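Review bot: replacing `tsunamiVersion = '0.0.14'` with `'latest.release'` makes the build non-reproducible and lets whatever is newest in the repository at build time be linked into the plugin, which is a supply-chain exposure as well as a debugging problem when a build later breaks with no change in this tree. If the intent is to track the latest core release, keep an explicit version here and bump it in a reviewed commit (or use a lock file), rather than resolving a dynamic version on every build.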
Expand Up @@ -18,7 +18,6 @@
import static com.google.common.base.Preconditions.checkNotNull;
import static com.google.common.collect.ImmutableList.toImmutableList;
import static com.google.common.net.HttpHeaders.CONTENT_TYPE;
import static com.google.tsunami.common.data.NetworkEndpointUtils.toUriAuthority;
import static com.google.tsunami.common.net.http.HttpRequest.post;

import com.google.common.annotations.VisibleForTesting;
Expand Down Expand Up @@ -82,26 +81,6 @@ public final class Cve202140539VulnDetector implements VulnDetector {
this.utcClock = checkNotNull(utcClock);
}

private static boolean isWebServiceOrUnknownService(NetworkService networkService) {
return networkService.getServiceName().isEmpty()
|| NetworkServiceUtils.isWebService(networkService)
|| NetworkServiceUtils.getServiceName(networkService).equals("sun-answerbook");
}

private static StringBuilder buildTarget(NetworkService networkService) {
StringBuilder targetUrlBuilder = new StringBuilder();
if (NetworkServiceUtils.isWebService(networkService)) {
targetUrlBuilder.append(NetworkServiceUtils.buildWebApplicationRootUrl(networkService));
} else {
targetUrlBuilder
.append("http://")
.append(toUriAuthority(networkService.getNetworkEndpoint()))
.append("/");
}
targetUrlBuilder.append(VUL_PATH);
return targetUrlBuilder;
}

@Override
public DetectionReportList detect(
TargetInfo targetInfo, ImmutableList<NetworkService> matchedServices) {
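Review bot: deleting `isWebServiceOrUnknownService` and `buildTarget` is a behaviour change, not just a cleanup: services with an empty service name and services identified as `sun-answerbook` were previously probed and will now be skipped by the `NetworkServiceUtils::isWebService` filter, so a target whose port is not fingerprinted as HTTP is no longer checked. If that narrowing is intended, say so in the commit message and update the detector's tests to cover the dropped cases; if not, keep the unknown-service branch.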
Expand All @@ -110,15 +89,16 @@ public DetectionReportList detect(
return DetectionReportList.newBuilder()
.addAllDetectionReports(
matchedServices.stream()
.filter(Cve202140539VulnDetector::isWebServiceOrUnknownService)
.filter(NetworkServiceUtils::isWebService)
.filter(this::isServiceVulnerable)
.map(networkService -> buildDetectionReport(targetInfo, networkService))
.collect(toImmutableList()))
.build();
}

private boolean isServiceVulnerable(NetworkService networkService) {
String targetVulnerabilityUrl = buildTarget(networkService).toString();
String targetVulnerabilityUrl =
NetworkServiceUtils.buildWebApplicationRootUrl(networkService) + VUL_PATH;
try {
HttpResponse httpResponse =
httpClient.sendAsIs(
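Review bot: the new `NetworkServiceUtils.buildWebApplicationRootUrl(networkService) + VUL_PATH` join assumes the root URL already ends with `/` (the removed `buildTarget` appended `/` explicitly in its non-web branch before adding `VUL_PATH`). Confirm that `VUL_PATH` has no leading slash and that the root URL has a trailing one, otherwise the request goes to `//path` or to `rootpath` with no separator and the check silently never fires.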
25 changes: 25 additions & 0 deletions community/detectors/anything_llm_cve_2024_3104/README.md
@@ -0,0 +1,25 @@
# Anything-llm CVE-2024-3104 Detector

A remote code execution vulnerability exists in mintplex-labs/anything-llm due
to improper handling of environment variables. Attackers can exploit this
vulnerability by injecting arbitrary environment variables via the POST
/api/system/update-env endpoint, which allows for the execution of arbitrary
code on the host running anything-llm. The vulnerability is present in the
latest version of anything-llm, with the latest commit identified as
fde905aac1812b84066ff72e5f2f90b56d4c3a59. This issue has been fixed in version
1.0.0. Successful exploitation could lead to code execution on the host,
enabling attackers to read and modify data accessible to the user running the
service, potentially leading to a denial of service.

- https://huntr.com/bounties/4f2fcb45-5828-4bec-985a-9d3a0ee00462
- https://vulners.com/nvd/NVD:CVE-2024-3104

## Build jar file for this plugin

Using `gradlew`:

```shell
./gradlew jar
```

Tsunami identifiable jar file is located at `build/libs` directory.
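Review bot: the description contradicts itself: it says the vulnerability "is present in the latest version of anything-llm" and then that it "has been fixed in version 1.0.0". State the affected range as versions before 1.0.0 (keeping the vulnerable commit hash as the reference point) so a reader is not told the current release is exploitable. Also "Tsunami identifiable jar file is located at `build/libs` directory" should read "The Tsunami-identifiable jar file is located in the `build/libs` directory", and the word "Anything-llm" in the title should follow the project's own capitalisation used in the URL list.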
68 changes: 68 additions & 0 deletions community/detectors/anything_llm_cve_2024_3104/build.gradle
@@ -0,0 +1,68 @@
plugins {
id 'java-library'
}

description = 'Tsunami CVE-2024-3104 VulnDetector plugin.'
group 'com.google.tsunami'
version '0.0.1-SNAPSHOT'


repositories {
maven { // The google mirror is less flaky than mavenCentral()
url 'https://maven-central.storage-download.googleapis.com/repos/central/data/'
}
mavenCentral()
mavenLocal()
}

java {
sourceCompatibility = JavaVersion.VERSION_11
targetCompatibility = JavaVersion.VERSION_11

jar.manifest {
attributes('Implementation-Title': name,
'Implementation-Version': version,
'Built-By': System.getProperty('user.name'),
'Built-JDK': System.getProperty('java.version'),
'Source-Compatibility': sourceCompatibility,
'Target-Compatibility': targetCompatibility)
}

javadoc.options {
encoding = 'UTF-8'
use = true
links 'https://docs.oracle.com/javase/8/docs/api/'
}

// Log stacktrace to console when test fails.
test {
testLogging {
exceptionFormat = 'full'
showExceptions true
showCauses true
showStackTraces true
}
maxHeapSize = '1500m'
}
}

ext {
tsunamiVersion = 'latest.release'
junitVersion = '4.13'
mockitoVersion = '2.28.2'
truthVersion = '1.0.1'
okhttpVersion = '3.12.0'
}

dependencies {
implementation "com.google.tsunami:tsunami-common:${tsunamiVersion}"
implementation "com.google.tsunami:tsunami-plugin:${tsunamiVersion}"
implementation "com.google.tsunami:tsunami-proto:${tsunamiVersion}"

testImplementation "junit:junit:${junitVersion}"
testImplementation "org.mockito:mockito-core:${mockitoVersion}"
testImplementation "com.google.truth:truth:${truthVersion}"
testImplementation "com.squareup.okhttp3:mockwebserver:${okhttpVersion}"
testImplementation "com.google.truth.extensions:truth-java8-extension:${truthVersion}"
testImplementation "com.google.truth.extensions:truth-proto-extension:${truthVersion}"
}
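Review bot: the `javadoc.options` block links to `https://docs.oracle.com/javase/8/docs/api/` while `sourceCompatibility` and `targetCompatibility` are `JavaVersion.VERSION_11`; point the link at the Java 11 API docs so javadoc cross-references resolve. The same `tsunamiVersion = 'latest.release'` concern raised on the other build file applies here: pin an explicit version for reproducible, reviewable dependency resolution. `okhttpVersion = '3.12.0'` is also an old line of `mockwebserver`; a current 4.x release is a drop-in for the test scope.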
Binary file not shown.
@@ -1,6 +1,6 @@
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip
distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip
networkTimeout=10000
validateDistributionUrl=true
zipStoreBase=GRADLE_USER_HOME
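Review bot: the `distributionUrl` bump to `gradle-7.0-bin.zip` has no accompanying `distributionSha256Sum=` line, so the wrapper downloads and executes the distribution without an integrity check even though `validateDistributionUrl=true` is set (that only checks the URL shape). Add the published SHA-256 for the 7.0 distribution, and since this change also ships a modified `gradle-wrapper.jar` (shown above as "Binary file not shown"), run `gradle/wrapper-validation-action` in CI so the checked-in wrapper jar is verified against the official checksums.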