diff --git a/src/lib/ACLAnalyzer.py b/src/lib/ACLAnalyzer.py
index 0a67f3be971fe57cfe33e7b9397600b6cd681b1e..b7968de977684e80c94757f96f3e29ecbe2a5906 100644
--- a/src/lib/ACLAnalyzer.py
+++ b/src/lib/ACLAnalyzer.py
@@ -52,13 +52,13 @@ class ACLAnalyzer(): # start_node = cm ctx = ElementContext(f"{f['parent']}.{f['name']}",'function',route.location,[f"Parent::{f['parent']}"]) # if start_node: - ctx.set_cfg(CFGGenerator().generate(ctx)) + # ctx.set_cfg(CFGGenerator().generate(ctx)) + ctx.set_cfg(CFG(f['ast'],f['ctx'],f['cursor'],route.cfg.source_code_method_list,route.cfg.source_code)) result = self.analyze_function(ctx) class_acls.append([ctx.name,result]) # print("class acl",class_acls) return class_acls - def analyze_function(self,route:ElementContext,is_route=True)->list[str]: # Cek parent nya untuk menentukaan apakah ada dekorator # Inisialisasi principal_list
@@ -413,6 +413,7 @@ class ACLAnalyzer(): route_acls = [] for f in method_lists: if f['type']=='class_method': + #TODO class method ctx = ElementContext(f"{f['parent']}.{f['name']}",'function',route.location,[]) result = self.analyze_function(ctx) route_acls.append([f"{f['parent']}.{ctx.get_base_element_name()}",result])
@@ -459,8 +460,6 @@ class ACLAnalyzer(): for k in acl_class.context: if k.startswith("Parent::"): parent_class = k.split("::")[1] - # print("KLASS",parent_class) - # print("NAMA",name) if acl_class.location==route.location: # Kelas/fungsi lokal # Kali aja ada di module ini
diff --git a/src/lib/RouteSanitizationAnalyzer.py b/src/lib/RouteSanitizationAnalyzer.py
index 82e0140981fe090826e291ef717d12cfd3395c62..b49b9ca527e5d0e79f951f77ce059f9c2e88f928 100644
--- a/src/lib/RouteSanitizationAnalyzer.py
+++ b/src/lib/RouteSanitizationAnalyzer.py 
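Review bot: The replaced call is kept as a commented-out line (`# ctx.set_cfg(CFGGenerator().generate(ctx))`) directly above the new `ctx.set_cfg(CFG(...))`; delete it, or if CFGGenerator is meant to come back, say so in a comment instead of leaving dead code. The new construction `CFG(f['ast'],f['ctx'],f['cursor'],route.cfg.source_code_method_list,route.cfg.source_code)` is duplicated verbatim in the RouteSanitizationAnalyzer hunk at `@@ -48,11 +46,11 @@`; a small shared helper taking the method dict and the route context, e.g. `ctx.set_cfg(method_cfg(f, route))`, would keep the two analyzers from drifting the next time CFG's constructor changes. The enclosing method starts outside the hunk, so whether every `f` in this loop is guaranteed to carry the 'ast', 'ctx' and 'cursor' keys is not visible here.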
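Review bot: The added `#TODO class method` says nothing about what remains to be done, and in this hunk the class_method branch builds `ctx` and passes it straight to `analyze_function` without a `set_cfg` call, unlike the same pattern in the `@@ -52,13 +52,13 @@` hunk of this file. If the TODO refers to that gap, spell it out: `# TODO: attach a CFG to ctx here as the class-ACL path does; analyze_function currently receives ctx without one`. Whether `analyze_function` reads `route.cfg` for a non-route context is not visible in this hunk; if it does, the missing `set_cfg` is a defect rather than a TODO. The enclosing method starts and ends outside the hunk.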
@@ -31,11 +31,9 @@ class RouteSanitizationAnalyzer(): vuln_routes.append(f"{func[1]}() in {route.location}") else: vuln_routes.append(f"{func[2]}.{func[1]}() in {route.location}") - return vuln_routes def analyze_class(self,route:ElementContext)->list[str]: - #TODO CFG method_lists = list(filter(lambda x:x['type']=='class_method' and x['parent']==route.get_base_element_name(),route.cfg.source_code_method_list)) # Remove yang ada di no check list for ctx in route.context:
@@ -48,11 +46,11 @@ class RouteSanitizationAnalyzer(): unsanitized_methods = [] for f in method_lists: ctx = ElementContext(f['name'],'function',route.location,[]) + ctx.set_cfg(CFG(f['ast'],f['ctx'],f['cursor'],route.cfg.source_code_method_list,route.cfg.source_code)) if(not self.analyze_function(ctx)): unsanitized_methods.append(f['name']) return unsanitized_methods - def analyze_function(self,route:ElementContext)->bool: ##print(self.project_info.acl_class) # Cek parent nya untuk menentukaan apakah ada dekorator
diff --git a/src/lib/VulnerabilitReporter.py b/src/lib/VulnerabilitReporter.py
index bfec0a8846ab7642106070b5d01bdd518686c412..71fe53e5fe59c8b2423688973f1f089ebb5bd1e4 100644
--- a/src/lib/VulnerabilitReporter.py
+++ b/src/lib/VulnerabilitReporter.py
@@ -28,7 +28,6 @@ class VulnerabilityReporter: print() print("> Potential Broken ACL:") i = 0 - print("a",self.real_acl_data.route_acl) for key,value in self.real_acl_data.route_acl.items(): try: # print(set(self.expected_acl_data.route_acl[key]))
diff --git a/tests/tc1/acl.txt b/tests/tc1/acl.txt
index 80aafd10dc351842c2809c776cf9408869faf63a..13f3317a55dba6df3437654eba6721f3069574ee 100644
--- a/tests/tc1/acl.txt
+++ b/tests/tc1/acl.txt 
@@ -6,6 +6,11 @@ add_note:admin,user update_note:admin,user get_note:admin,user delete_note:admin,user +Views.class_add_note:admin,user +Views.class_update_note:admin,user +Views.class_delete_note:admin,user +Views.class_get_note:admin,user +Views.class_get_logs: admin =====DETAIL===== var:user::var:role; [admin:admin,user:user,none:guest] lib:flask_login::login_required; admin,user \ No newline at end of file
diff --git a/tests/tc1/class_views.py b/tests/tc1/class_views.py
new file mode 100644
index 0000000000000000000000000000000000000000..67a9fd48d9019569e187bb8e96b2956a39c55b20
--- /dev/null
+++ b/tests/tc1/class_views.py 
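Review bot: The added `Views.class_get_logs: admin` carries a space after the colon while every other entry in the file is written without one (`...:admin,user`); if the reader splits on ':' without stripping, the expected principal for this route becomes ' admin' and will never equal `admin`. Drop the space (`Views.class_get_logs:admin`) or confirm that the parser strips whitespace around principals. The file still ends without a trailing newline, as the diff marks; adding one avoids the `\ No newline` churn in future changes.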
@@ -0,0 +1,73 @@ +from flask import Blueprint, render_template, request, flash, jsonify,abort +# @ACL(login_required) +from flask_login import login_required, current_user +from .models import Note,Log +from .db import db +import json +from lib.RoleCheck import RoleCheck + +views = Blueprint('views', __name__) +# @Routes +class Views(): + # @NoCheck + def __init__(self) -> None: + pass + @views.route('/add', methods=['POST']) + @login_required + def class_add_note(self): + if request.method == 'POST': + note = request.form.get('note') + + if len(note) < 1: + flash('Note is too short!', category='error') + else: + new_note = Note(data=note, user_id=current_user.id) + db.session.add(new_note) + db.session.commit() + flash('Note added!', category='success') + + return render_template("home.html") + + @views.route('/update', methods=['POST']) + @login_required + def class_update_note(self): + if request.method == 'POST': + n = request.form.get('note') + noteId = n['noteId'] + note = Note.query.get(noteId) + + if note.user_id == current_user.id: + if len(n.note) < 1: + flash('Note is too short!', category='error') + else: + db.session.update().where(Note.id==n.id).values(data=n.note) + db.session.commit() + flash('Note updated!', category='success') + + return render_template("home.html") + + @views.route('/delete', methods=['POST']) + @login_required + def class_delete_note(self): + note = json.loads(request.data) + noteId = note['noteId'] + note = Note.query.get(noteId) + if note: + if note.user_id == current_user.id: + db.session.delete(note) + db.session.commit() + return jsonify({}) + + @views.route('/note', methods=['GET']) + # @login_required + def class_get_note(self): + notes = Note.query.filter(Note.user_id==current_user.id) + return jsonify(notes) + + @views.route('/logs', methods=['GET']) + @login_required + def class_get_logs(self): + # if (RoleCheck().is_admin(current_user)): + # abort(403) + logs = Log.query.get() + return jsonify(logs) \ No newline at 
end of file
diff --git a/tests/tc1/views.py b/tests/tc1/views.py
index 4d4ce7c47a8d96769da53af959b0e26de22f299d..0c10a90feb78adfbb7f7bd5180cc124b6a5bf926 100644
--- a/tests/tc1/views.py
+++ b/tests/tc1/views.py
@@ -26,7 +26,7 @@ def add_note(): return render_template("home.html") @views.route('/update', methods=['POST']) -@login_required +# @login_required def update_note(): if request.method == 'POST': n = request.form.get('note')
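Review bot: Several of the new fixture methods cannot run as written: `class_update_note` reads `n = request.form.get('note')` and then indexes it as `n['noteId']` and dereferences `n.note` and `n.id`, `class_get_logs` calls `Log.query.get()` with no key, and every handler takes `self` although `@views.route` registers the bare function, so Flask would call it without an instance. If this file exists only to be parsed by the analyzer, which the matching entries in tests/tc1/acl.txt suggest, a module docstring such as `"""Static-analysis fixture: mirrors views.py as class methods; not meant to be executed."""` would stop a reader from treating it as working Flask code. The commented-out `RoleCheck().is_admin(current_user)` guard in `class_get_logs` and the commented `@login_required` on `class_get_note` look like deliberate negative cases that the acl.txt expectations (`admin` and `admin,user`) are meant to catch; a one-line `# intentionally unprotected: expected to be reported as broken ACL` on each would record that intent.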
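Review bot: Commenting out `@login_required` on `update_note` leaves a state-changing POST route in the test target without authentication while tests/tc1/acl.txt still expects `update_note:admin,user`, so this reads as a deliberate negative case for the analyzer rather than an accidental edit; a comment on the line, `# @login_required  # intentionally removed: expected to be reported as broken ACL`, would make that explicit to the next reader. `update_note`'s body continues outside the hunk.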