Styles changed

doyensec · Sep 5, 2024 · cd4cfcd · cd4cfcd
1 parent 81a7c5a
commit cd4cfcd
Show file tree

Hide file tree

Showing 227 changed files with 35,860 additions and 2,384 deletions.
diff --git a/README.md b/README.md
@@ -3,10 +3,39 @@
 This project aims to provide a central repository for many useful Tsunami
 Security Scanner plugins.
 
+## Tsunami's documentation
+
+To learn more about Tsunami, visit our
+[documentation](https://google.github.io/tsunami-security-scanner/).
+
 ## Contributing
 
 Read how to [contribute to Tsunami](docs/contributing.md).
 
+## Currently released Tsunami plugins
+
+### Detectors
+#### AI Relevant OSS
+* [Pytorch Serve Expose API Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/google/detectors/exposedui/pytorch_serve)
+* [Ray CVE-2023-48022 Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/google/detectors/rce/ai/cve202348022)
+* [Ray CVE-2023-6019 Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/google/detectors/rce/ai/cve20236019)
+* [H2O CVE-2023-6018 Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/google/detectors/rce/ai/cve20236018)
+* [MLflow CVE-2023-6977 & CVE-2023-1177 & CVE-2023-2780 Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/mlflow_cve_2023_6977)
+* [MLflow CVE-2023-6014 Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/mlflow_cve_2023_6014)
+* [MLflow Weak Credential Detector](https://github.com/google/tsunami-security-scanner-plugins/blob/master/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/mlflow/MlFlowCredentialTester.java)
+* [Argo Workflow Exposed API Detector](https://github.com/google/tsunami-security-scanner-plugins/blob/master/google/detectors/exposedui/argoworkflow/)
+* [MinIO Sensitive Info Disclosure Detector](https://github.com/google/tsunami-security-scanner-plugins/blob/master/community/detectors/minio_cve_2023_28432/)
+* [Gradio CVE-2023-51449 Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/gradio_cve_2023_51449)
+* [Apache Spark CVE-2022-33891 Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/apache_spark_cve_2022_33891)
+* [Apache Spark Expose UI Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/apache_spark_exposed_webui)
+* [Apache Spark Exposed API Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/rce/apache_spark_exposed_api)
+* [Apache Airflow CVE-2020-17526 Auth Bypass RCE](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/apache_airflow_cve_2020_17526)
+* [Triton Inference Server RCE](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/triton_inference_server_model_overwrite)
+* [Intel Neural Compressor CVE-2024-22476 RCE Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/intel_neural_compressor_cve_2024_22476)
+* [ZenML Weak Credential Detector](https://github.com/google/tsunami-security-scanner-plugins/blob/master/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/zenml/ZenMlCredentialTester.java)
+* [Argo CD Exposed UI](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/argocd_exposed_ui)
+* [Airflow Exposed UI](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/apache_airflow_exposed_ui)
+
 ## Source Code Headers
 
 Every file containing source code must include copyright and license

diff --git a/community/README.md b/community/README.md
@@ -31,6 +31,7 @@ This directory contains plugins contributed by community members.
     (CVE-2021-26084)
     Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/confluence_cve_2021_26084)
 *   [CVE-2022-22965 Spring Framework RCE (CVE-2022-22965) Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/spring_framework_cve_2022_22965)
+*   [CVE-2022-36804 Bitbucket Server RCE via command injection](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/bitbucket_cve_2022_36804)
 *   [Spring Cloud Function CVE-2022-22963 VulnDetector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/spring_cloud_function_cve_2022_22963)
 *   [Apache Spark Exposed API VulnDetector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/community/detectors/rce/apache_spark_exposed_api)
 

diff --git a/...java/com/google/tsunami/plugins/detectors/cves/cve202140539/Cve202140539VulnDetector.java b/...java/com/google/tsunami/plugins/detectors/cves/cve202140539/Cve202140539VulnDetector.java
@@ -18,7 +18,6 @@
 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.collect.ImmutableList.toImmutableList;
 import static com.google.common.net.HttpHeaders.CONTENT_TYPE;
-import static com.google.tsunami.common.data.NetworkEndpointUtils.toUriAuthority;
 import static com.google.tsunami.common.net.http.HttpRequest.post;
 
 import com.google.common.annotations.VisibleForTesting;
@@ -82,26 +81,6 @@ public final class Cve202140539VulnDetector implements VulnDetector {
     this.utcClock = checkNotNull(utcClock);
   }
 
-  private static boolean isWebServiceOrUnknownService(NetworkService networkService) {
-    return networkService.getServiceName().isEmpty()
-        || NetworkServiceUtils.isWebService(networkService)
-        || NetworkServiceUtils.getServiceName(networkService).equals("sun-answerbook");
-  }
-
-  private static StringBuilder buildTarget(NetworkService networkService) {
-    StringBuilder targetUrlBuilder = new StringBuilder();
-    if (NetworkServiceUtils.isWebService(networkService)) {
-      targetUrlBuilder.append(NetworkServiceUtils.buildWebApplicationRootUrl(networkService));
-    } else {
-      targetUrlBuilder
-          .append("http://")
-          .append(toUriAuthority(networkService.getNetworkEndpoint()))
-          .append("/");
-    }
-    targetUrlBuilder.append(VUL_PATH);
-    return targetUrlBuilder;
-  }
-
   @Override
   public DetectionReportList detect(
       TargetInfo targetInfo, ImmutableList<NetworkService> matchedServices) {
@@ -110,15 +89,16 @@ public DetectionReportList detect(
     return DetectionReportList.newBuilder()
         .addAllDetectionReports(
             matchedServices.stream()
-                .filter(Cve202140539VulnDetector::isWebServiceOrUnknownService)
+                .filter(NetworkServiceUtils::isWebService)
                 .filter(this::isServiceVulnerable)
                 .map(networkService -> buildDetectionReport(targetInfo, networkService))
                 .collect(toImmutableList()))
         .build();
   }
 
   private boolean isServiceVulnerable(NetworkService networkService) {
-    String targetVulnerabilityUrl = buildTarget(networkService).toString();
+    String targetVulnerabilityUrl =
+        NetworkServiceUtils.buildWebApplicationRootUrl(networkService) + VUL_PATH;
     try {
       HttpResponse httpResponse =
           httpClient.sendAsIs(

diff --git a/community/detectors/anything_llm_cve_2024_3104/README.md b/community/detectors/anything_llm_cve_2024_3104/README.md
@@ -0,0 +1,25 @@
+# Anything-llm CVE-2024-3104 Detector
+
+A remote code execution vulnerability exists in mintplex-labs/anything-llm due
+to improper handling of environment variables. Attackers can exploit this
+vulnerability by injecting arbitrary environment variables via the POST
+/api/system/update-env endpoint, which allows for the execution of arbitrary
+code on the host running anything-llm. The vulnerability is present in the
+latest version of anything-llm, with the latest commit identified as
+fde905aac1812b84066ff72e5f2f90b56d4c3a59. This issue has been fixed in version
+1.0.0. Successful exploitation could lead to code execution on the host,
+enabling attackers to read and modify data accessible to the user running the
+service, potentially leading to a denial of service.
+
+-   https://huntr.com/bounties/4f2fcb45-5828-4bec-985a-9d3a0ee00462
+-   https://vulners.com/nvd/NVD:CVE-2024-3104
+
+## Build jar file for this plugin
+
+Using `gradlew`:
+
+```shell
+./gradlew jar
+```
+
+Tsunami identifiable jar file is located at `build/libs` directory.
diff --git a/community/detectors/anything_llm_cve_2024_3104/build.gradle b/community/detectors/anything_llm_cve_2024_3104/build.gradle
@@ -0,0 +1,68 @@
+plugins {
+    id 'java-library'
+}
+
+description = 'Tsunami CVE-2024-3104 VulnDetector plugin.'
+group 'com.google.tsunami'
+version '0.0.1-SNAPSHOT'
+
+
+repositories {
+    maven { // The google mirror is less flaky than mavenCentral()
+        url 'https://maven-central.storage-download.googleapis.com/repos/central/data/'
+    }
+    mavenCentral()
+    mavenLocal()
+}
+
+java {
+    sourceCompatibility = JavaVersion.VERSION_11
+    targetCompatibility = JavaVersion.VERSION_11
+
+    jar.manifest {
+        attributes('Implementation-Title': name,
+                'Implementation-Version': version,
+                'Built-By': System.getProperty('user.name'),
+                'Built-JDK': System.getProperty('java.version'),
+                'Source-Compatibility': sourceCompatibility,
+                'Target-Compatibility': targetCompatibility)
+    }
+
+    javadoc.options {
+        encoding = 'UTF-8'
+        use = true
+        links 'https://docs.oracle.com/javase/8/docs/api/'
+    }
+
+    // Log stacktrace to console when test fails.
+    test {
+        testLogging {
+            exceptionFormat = 'full'
+            showExceptions true
+            showCauses true
+            showStackTraces true
+        }
+        maxHeapSize = '1500m'
+    }
+}
+
+ext {
+    tsunamiVersion = 'latest.release'
+    junitVersion = '4.13'
+    mockitoVersion = '2.28.2'
+    truthVersion = '1.0.1'
+    okhttpVersion = '3.12.0'
+}
+
+dependencies {
+    implementation "com.google.tsunami:tsunami-common:${tsunamiVersion}"
+    implementation "com.google.tsunami:tsunami-plugin:${tsunamiVersion}"
+    implementation "com.google.tsunami:tsunami-proto:${tsunamiVersion}"
+
+    testImplementation "junit:junit:${junitVersion}"
+    testImplementation "org.mockito:mockito-core:${mockitoVersion}"
+    testImplementation "com.google.truth:truth:${truthVersion}"
+    testImplementation "com.squareup.okhttp3:mockwebserver:${okhttpVersion}"
+    testImplementation "com.google.truth.extensions:truth-java8-extension:${truthVersion}"
+    testImplementation "com.google.truth.extensions:truth-proto-extension:${truthVersion}"
+}
diff --git a/community/detectors/anything_llm_cve_2024_3104/gradle/wrapper/gradle-wrapper.jar b/community/detectors/anything_llm_cve_2024_3104/gradle/wrapper/gradle-wrapper.jar
diff --git a/.../gradle/wrapper/gradle-wrapper.properties → .../gradle/wrapper/gradle-wrapper.properties b/.../gradle/wrapper/gradle-wrapper.properties → .../gradle/wrapper/gradle-wrapper.properties