Mlflow weak credential tester

[lanced00m]

#412

Hi @maoning
I couldn't test the plugin on a vulnerable target because of this error:

Apr 06, 2024 4:43:41 AM com.google.tsunami.workflow.DefaultScanningWorkflow runAsync
INFO: Staring Tsunami scanning workflow.
Apr 06, 2024 4:43:41 AM com.google.tsunami.workflow.DefaultScanningWorkflow fingerprintNetworkServices
INFO: Port scanning phase done, moving to service fingerprinting phase with '0' fingerprinter(s) selected.
Apr 06, 2024 4:43:41 AM com.google.tsunami.main.cli.TsunamiCli main
SEVERE: Exiting due to workflow execution exceptions.
java.util.concurrent.ExecutionException: com.google.inject.ProvisionException: Unable to provision, see the following errors:

1) Error in custom provider, java.lang.IllegalAccessError: class com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.proto.ServiceDefaultCredentials tried to access method 'com.google.protobuf.LazyStringArrayList com.google.protobuf.LazyStringArrayList.emptyList()' (com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.proto.ServiceDefaultCredentials and com.google.protobuf.LazyStringArrayList are in unnamed module of loader 'app')

  at com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.GenericWeakCredentialDetectorBootstrapModule.providesDefaultCredentialsData(GenericWeakCredentialDetectorBootstrapModule.java:166) (via modules: com.google.tsunami.main.cli.TsunamiCli$TsunamiCliModule -> com.google.tsunami.plugin.PluginLoadingModule -> com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.GenericWeakCredentialDetectorBootstrapModule)
  while locating com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.proto.DefaultCredentialsData
    for the 1st parameter of com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.provider.DefaultCredentials.<init>(DefaultCredentials.java:37)
  while locating com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.provider.DefaultCredentials
  while locating com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.provider.CredentialProvider annotated with @com.google.inject.internal.Element(setName=,uniqueId=11, type=MULTIBINDER, keyType=)
  while locating java.util.Set<com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.provider.CredentialProvider>
    for the 1st parameter of com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.GenericWeakCredentialDetector.<init>(GenericWeakCredentialDetector.java:103)
  while locating com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.GenericWeakCredentialDetector
  while locating com.google.tsunami.plugin.TsunamiPlugin annotated with @com.google.inject.internal.Element(setName=,uniqueId=13, type=MAPBINDER, keyType=com.google.tsunami.plugin.PluginDefinition)

but I'm sure it works because of the Comprehensive test cases I've implemented.

what I'm doing is simply running ./gradlew build in google/detectors/credentials/generic_weak_credential_detector directory and then I copy the Nmap plugin to google/detectors/credentials/generic_weak_credential_detector/build/libs/ because it is needed.
finally, I run this command:

java -cp "tsunami-main-0.0.22-SNAPSHOT-cli.jar:/absolute/path/to/tsunami-security-scanner-plugins/google/detectors/credentials/generic_weak_credential_detector/build/libs/*" com.google.tsunami.main.cli.TsunamiCli --uri-target=http://127.0.0.1:5000

I'm working with openjdk-11.

[pisqu4red]

Thanks for your pull request. Please review the comments.

Regarding failure to build - did you follow instructions for setup in README of the main Tsunami repo? Particularly, what is the - gradle --version? We need 6.5 for building Tsunami.

[pisqu4red]

Don't create a user - the scanner acts on live systems and this will create a user with a username and password that can be found in the code below.

Instead, use the Get User endpoint to check for the existence of the user https://mlflow.org/docs/latest/auth/rest-api.html#get-user

[pisqu4red]

Remove this second check for UserRegistration. See above - just check for a successful response.

[pisqu4red]

Rename or remove this method as discussed above.

[lanced00m]

@pisqu4red The error is because of the tsunami CLI, when I compiled it with the docker command and copied the final tsunami CLI jar file from docker to my environment, everything was normal. the Gradle version was the same from the beginning. Maybe The reason is that I was building the tsunami CLI with OpenJDK 11 and it should be 13 instead.

[pisqu4red]

@lanced00m could you please sync with master branch?

We have upgraded gradle to 7.0 in this commit so this should resolve the last failures.

The reason for asking for the gradle --version command is that it gives other information about the JVM and OS environment as well.

Could you please address my previous comments before doing another round of review. Thanks!

[lanced00m]

@pisqu4red Sorry I didn't understand fully your last comment.
I updated the branch and I tested the compilation now and the ./gradlew compile worked fine.
should I still show you the gradle --version output? because my problem is solved.
I double-checked the first round of reviews and I applied the changes, do you mean that I should mark the comments as resolved in this pull request?
Also, I'm sorry I put all the changes in one commit so from diff, it seems that it is really hard to compare the code, I'll revert the additional spaces now so I hope it gets better.

[lanced00m]

@pisqu4red Now you can compare the initial commit with the last commit easier 0de8e9a581b994cce339d60f1743c17b3e2c8d30.
I'm going to add one more commit to add proper spaces and google format.

[pisqu4red]

Thanks for the changes, small nitpicks from my side before we merge.

[pisqu4red]

Hi @lanced00m,

Your PR has been merged. This usually means a reward will be granted. Google will start the internal QC process and the reward amount will be determined based on the quality of the detector report. Please be patient and allow up to a week for the QC process to finish. You'll be notified once the decision is made.

Thanks!