author: Dongge Liu <donggeliu@google.com> 2022-06-07 11:50:30 +1000
committer: GitHub <noreply@github.com> 2022-06-07 11:50:30 +1000
commit: 639cc9588e79c8053bc71b3ee7a4cfb8e8843234
tree: 9065375624918720446cc1fa06df079729978645 /infra
parent: 4eb1930dda72f943756a47dfe484bb905b58ef5e
Execsan syntax error (minor fixes) (#7806)
* Removes the `: ` prefix in our previous pattern to capture case ii and reduce false negatives:
  1. Our previous pattern (i.e. `: Syntax error`) is designed to reduce false positives, but it relies on `dash` to print out an error message within one `write` syscall. E.g. `sh: 1: Syntax error: "invalid_command" unexpected`.
  2. In some cases, `dash` breaks the message into multiple `write` syscalls. E.g. it invokes 2 `writes` whose buffers respectively contain `sh: 1:`, ` Syntax error: "invalid_command" unexpected`.
* Fix outdated wording
* A TODO about using more specific patterns of error messages
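The split-write case from the commit message, as an added example that is not part of the commit or of ExecSan: a matcher that carries a short tail between consecutive `write` buffers, so the prefixed pattern `: Syntax error` still matches when the message arrives in two pieces. `WriteStreamMatcher`, `MatchesAnyBuffer` and `MatchesStream` are hypothetical names, and the code assumes all buffers belong to one output stream of one process.

```cpp
#include <algorithm>
#include <string>
#include <utility>
#include <vector>

// Hypothetical helper (not ExecSan's code): matches error patterns against a
// sequence of write() buffers from a single stream, keeping a short tail so a
// pattern split across two consecutive writes is still seen.
class WriteStreamMatcher {
 public:
  explicit WriteStreamMatcher(std::vector<std::string> patterns)
      : patterns_(std::move(patterns)) {
    for (const auto& p : patterns_) max_len_ = std::max(max_len_, p.size());
  }

  // Feed the buffer of one write syscall; returns true if any pattern occurs
  // in the carried-over tail plus this buffer.
  bool Feed(const std::string& buf) {
    std::string window = tail_ + buf;
    bool hit = false;
    for (const auto& p : patterns_)
      if (window.find(p) != std::string::npos) hit = true;
    // Keep max_len_ - 1 bytes: enough to complete any pattern that was cut
    // at the buffer boundary, while bounding memory use.
    std::size_t keep = max_len_ > 0 ? max_len_ - 1 : 0;
    tail_ = window.size() > keep ? window.substr(window.size() - keep) : window;
    return hit;
  }

 private:
  std::vector<std::string> patterns_;
  std::size_t max_len_ = 0;
  std::string tail_;
};

// Baseline: match the pattern inside each write buffer independently.
bool MatchesAnyBuffer(const std::vector<std::string>& writes,
                      const std::string& pattern) {
  for (const auto& w : writes)
    if (w.find(pattern) != std::string::npos) return true;
  return false;
}

// Stream matching over the same sequence of writes.
bool MatchesStream(const std::vector<std::string>& writes,
                   const std::string& pattern) {
  WriteStreamMatcher m(std::vector<std::string>{pattern});
  bool hit = false;
  for (const auto& w : writes) hit = m.Feed(w) || hit;
  return hit;
}
```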
Diffstat (limited to 'infra')
-rw-r--r-- infra/experimental/sanitizers/ExecSan/README.md | 3
-rw-r--r-- infra/experimental/sanitizers/ExecSan/execSan.cpp | 8
-rw-r--r-- infra/experimental/sanitizers/ExecSan/target.cpp | 2
3 files changed, 8 insertions, 5 deletions
diff --git a/infra/experimental/sanitizers/ExecSan/README.md b/infra/experimental/sanitizers/ExecSan/README.md
index 5a96cc1e..a21e2b4f 100644
--- a/infra/experimental/sanitizers/ExecSan/README.md
+++ b/infra/experimental/sanitizers/ExecSan/README.md
@@ -36,4 +36,7 @@ which indicates the detection of executing a syntactic erroneous command.
## TODOs
1. Find real examples of past shell injection vulnerabilities using this.
+2. More specific patterns of error messages (to avoid false postives/negatives)
+ * e.g. cache and concatenate the buffer of consecutive `write` syscalls
+ * e.g. define the RegEx of patterns and pattern-match with buffers
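Review bot: The added TODO item 2 misspells "false postives"; it should read "false positives". The two sub-bullets would also be easier to act on if each named the case it addresses: concatenating consecutive `write` buffers targets the split-message false negatives described in the commit message, while regular expressions target false positives from loose substrings.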
diff --git a/infra/experimental/sanitizers/ExecSan/execSan.cpp b/infra/experimental/sanitizers/ExecSan/execSan.cpp
index 68184d36..1a6db7f2 100644
--- a/infra/experimental/sanitizers/ExecSan/execSan.cpp
+++ b/infra/experimental/sanitizers/ExecSan/execSan.cpp
@@ -101,10 +101,10 @@ const std::map<std::string, std::set<std::string>> kShellSyntaxErrors = {
}},
{"dash",
{
- ": not found", // General
- ": Syntax error", // Unfinished " or ' or ` or if, leading | or ; or &
- ": missing ]", // Unfinished [
- ": No such file", // Leading <
+ "not found", // General
+ "Syntax error", // Unfinished " or ' or ` or if, leading | or ; or &
+ "missing ]", // Unfinished [
+ "No such file", // Leading <
}},
{"zsh",
{
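Review bot: In the `dash` entry, the shortened patterns `"not found"` and `"No such file"` are common phrases, so without the `: ` prefix they can also match output that is not a shell error, and nothing in the code records that this is a deliberate trade-off. Add a comment above the `dash` patterns saying that the prefix is omitted because `dash` may split one message across several `write` syscalls, and point to the README TODO about more specific patterns so the looser matching is revisited.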
diff --git a/infra/experimental/sanitizers/ExecSan/target.cpp b/infra/experimental/sanitizers/ExecSan/target.cpp
index 7e1dad3e..eb1b1dd0 100644
--- a/infra/experimental/sanitizers/ExecSan/target.cpp
+++ b/infra/experimental/sanitizers/ExecSan/target.cpp
@@ -14,7 +14,7 @@
* limitations under the License.
*/
/* A sample target program under test,
- * the sand program will be injected into its shell command */
+ * /tmp/tripwire or other commands will be injected into its shell command */
#include <stdlib.h>
#include <string>
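Review bot: The rewritten header comment in target.cpp names `/tmp/tripwire` without saying what it is, and "or other commands" leaves the reader guessing what the fuzzer is expected to inject. Consider wording such as "a command (e.g. /tmp/tripwire) will be injected into its shell command", with a pointer to where the tripwire path is defined.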