From de385bdbce842e890f764c3a3d41c2ae8d8597e2 Mon Sep 17 00:00:00 2001
From: ayala-orca <93713792+ayala-orca@users.noreply.github.com>
Date: Thu, 21 Nov 2024 13:42:54 +0200
Subject: [PATCH 1/2] Create VulnerableTaskHolder.java

---
 java/src/main/VulnerableTaskHolder.java | 76 +++++++++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100644 java/src/main/VulnerableTaskHolder.java

diff --git a/java/src/main/VulnerableTaskHolder.java b/java/src/main/VulnerableTaskHolder.java
new file mode 100644
index 000000000..98c37a64e
--- /dev/null
+++ b/java/src/main/VulnerableTaskHolder.java
@@ -0,0 +1,76 @@
+package org.dummy.insecure.framework;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.ObjectInputStream;
+import java.io.Serializable;
+import java.time.LocalDateTime;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+// TODO move back to lesson
+public class VulnerableTaskHolder implements Serializable {
+
+ private static final long serialVersionUID = 2;
+
+ private String taskName;
+ private String taskAction;
+ private LocalDateTime requestedExecutionTime;
+
+ public VulnerableTaskHolder(String taskName, String taskAction) {
+ super();
+ this.taskName = taskName;
+ this.taskAction = taskAction;
+ this.requestedExecutionTime = LocalDateTime.now();
+ }
+
+ @Override
+ public String toString() {
+ return "VulnerableTaskHolder [taskName="
+ + taskName
+ + ", taskAction="
+ + taskAction
+ + ", requestedExecutionTime="
+ + requestedExecutionTime
+ + "]";
+ }
+
+ /**
+ * Execute a task when de-serializing a saved or received object.
+ *
+ * @author stupid develop
+ */
+ private void readObject(ObjectInputStream stream) throws Exception {
+ // unserialize data so taskName and taskAction are available
+ stream.defaultReadObject();
+
+ // do something with the data
+ log.info("restoring task: {}", taskName);
+ log.info("restoring time: {}", requestedExecutionTime);
+
+ if (requestedExecutionTime != null
+ && (requestedExecutionTime.isBefore(LocalDateTime.now().minusMinutes(10))
+ || requestedExecutionTime.isAfter(LocalDateTime.now()))) {
+ // do nothing is the time is not within 10 minutes after the object has been created
+ log.debug(this.toString());
+ throw new IllegalArgumentException("outdated");
+ }
+
+ // condition is here to prevent you from destroying the goat altogether
+ if ((taskAction.startsWith("sleep") || taskAction.startsWith("ping"))
+ && taskAction.length() < 22) {
+ log.info("about to execute: {}", taskAction);
+ try {
+ Process p = Runtime.getRuntime().exec(taskAction);
+ BufferedReader in = new BufferedReader(new InputStreamReader(p.getInputStream()));
+ String line = null;
+ while ((line = in.readLine()) != null) {
+ log.info(line);
+ }
+ } catch (IOException e) {
+ log.error("IO Exception", e);
+ }
+ }
+ }
+}

From 1f22b009e0ecbf341e4096fdfea51efed4d2fbe9 Mon Sep 17 00:00:00 2001
From: ayala-orca <93713792+ayala-orca@users.noreply.github.com>
Date: Thu, 21 Nov 2024 13:51:17 +0200
Subject: [PATCH 2/2] Create flag.go

---
 flag.go | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 flag.go

diff --git a/flag.go b/flag.go
new file mode 100644
index 000000000..5aadb7f1a
--- /dev/null
+++ b/flag.go
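Review bot: `readObject` passes the deserialized `taskAction` straight to `Runtime.getRuntime().exec`, so anyone who can deliver a serialized `VulnerableTaskHolder` to an `ObjectInputStream` that accepts this class gets OS command execution during deserialization, and the `requestedExecutionTime` window that gates it is itself attacker-supplied. The `startsWith("sleep")`/`startsWith("ping")` plus `length() < 22` test is not an allow-list: everything after the first token is still handed to `exec`, which tokenizes the string on whitespace, so `ping`/`sleep` with arbitrary extra arguments passes. The package `org.dummy.insecure.framework`, the class name and `// TODO move back to lesson` (and the "goat" comment, presumably WebGoat) read as deliberately vulnerable lesson material, yet the commit places the file at `java/src/main/VulnerableTaskHolder.java`, which matches neither its package path nor a lesson module — please confirm it cannot land on a production or default build classpath, and add a header such as `// INTENTIONALLY INSECURE: deserialization-to-RCE gadget for the deserialization lesson; never ship outside the lesson sandbox.` Two smaller points if the method must stay runnable: the `BufferedReader` over the child's stdout is never closed and stderr is never drained, so a chatty process can block the deserializing thread; `ProcessBuilder` with try-with-resources and `redirectErrorStream(true)` is the usual shape.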
@@ -0,0 +1,30 @@
+package validator
+
+import (
+ "fmt"
+ "reflect"
+ "strings"
+
+ "golang.org/x/exp/slices"
+
+ "github.com/orcasecurity/shiftleft-cli/lib/utils"
+)
+
+type FlagDependencyValidator[T any] struct {
+}
+
+func (v FlagDependencyValidator[T]) Validate(cmdOptions T, dependentField string, dependencyField string, allowedValues []string) error {
+ cmd := reflect.ValueOf(cmdOptions)
+ dependentFieldValue := reflect.Indirect(cmd).FieldByName(dependentField)
+ dependencyFieldValue := reflect.Indirect(cmd).FieldByName(dependencyField)
+ if slices.Contains(allowedValues, "") && dependencyFieldValue.IsZero() {
+ return nil
+ }
+ allowedValues = utils.RemoveFromSlice(allowedValues, "")
+ if !dependentFieldValue.IsZero() && !slices.Contains(allowedValues, dependencyFieldValue.String()) {
+ allowedValues := strings.Join(allowedValues, ",")
+ return fmt.Errorf("input error - '%s' option can be used only with %s=%s", dependentField, dependencyField, allowedValues)
+ }
+
+ return nil
+}
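Review bot: `Validate` calls `IsZero()` on the results of `FieldByName(dependentField)` and `FieldByName(dependencyField)` without checking them, and `reflect.Value.IsZero` panics on the invalid `Value` that `FieldByName` returns for a name the struct does not have (a non-struct `cmdOptions` panics one line earlier in `FieldByName` itself), so a mistyped field name in a caller crashes the CLI instead of reporting an error; add `if !dependentFieldValue.IsValid() || !dependencyFieldValue.IsValid() { return fmt.Errorf("input error - unknown field '%s' or '%s'", dependentField, dependencyField) }` before the first `IsZero()`. `dependencyFieldValue.String()` returns the field's content only for string-kinded fields; for any other kind it yields a `"<T Value>"` placeholder that can never be in `allowedValues`, so the allow-list check silently fails for bool or int dependencies — guard on `Kind() == reflect.String` or format via `fmt.Sprint(dependencyFieldValue.Interface())`. The inner `allowedValues := strings.Join(...)` shadows the slice parameter with a string; it is only read on the next line, but a distinct name such as `allowedList` avoids the trap. Separately, this file is added at the repository root as `package validator` importing `github.com/orcasecurity/shiftleft-cli/lib/utils`, while the rest of this series touches a Java tree, so presumably nothing here resolves that import — please confirm the file belongs in this repository at all.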