feat: add warning if acl right but not calling acl element

ff35ee59 · Fawwaz Anugrah Wiradhika Dharmasatya · 67cf12c0 · ff35ee59 · ff35ee59 · ff35ee59
Commit ff35ee59 authored 10 months ago by Fawwaz Anugrah Wiradhika Dharmasatya
--- a/src/lib/CFGGenerator.py
+++ b/src/lib/CFGGenerator.py
@@ -34,6 +34,19 @@ class CFG():
  def get_dependency_list(self):
      # Dapatkan daftar dependency beserta lokasi barisnya
      deps_list = []
+                # # Cek apakah sudah ada
+          # module_name = {}
+          # dep_idx = -1 
+          # imported_elmts:list[dict] = []
+          # for i in range(len(deps_list)):
+          #   if deps_list[i][1]['original']==parts[0]:
+          #     module_name = deps_list[i][1]
+          #     imported_elmts = deps_list[i][2]
+          #     dep_idx = i
+          #     break
+          # if dep_idx==-1:
+          #   module_name = {"original":parts[0],"rename":None}
+          # Cek apakah sudah ada
      for i,line in enumerate(self.source_code.decode().split("\n")):
        if re.search(r"(from +.+ +import +.+)|(import +.+)",line):
          # Dapetin nama modul

--- a/src/lib/MainMenu.py
+++ b/src/lib/MainMenu.py
@@ -35,8 +35,10 @@ class MainMenu():
      try:
        self.acl_data = ACReader(self.acl_path).read()
        format_log("ACL data acquired.")
+        print(self.acl_data)
        self.project_ctx = FileReader(self.project_path).analyze_project()
        format_log("ACL and routes context gathered...")
+        print(self.project_ctx)
      except FileNotFoundError:
        format_log("File not found. Exiting...",status='error')
      else:

--- a/src/lib/RouteSanitizationAnalyzer.py
+++ b/src/lib/RouteSanitizationAnalyzer.py
@@ -53,6 +53,7 @@ class RouteSanitizationAnalyzer():
    return unsanitized_methods

  def analyze_function(self,route:ElementContext)->bool:
+    print("Route",route)
    var_list = []
    # Cek parent nya untuk menentukaan apakah ada dekorator
    route.cfg.reset()
@@ -66,6 +67,7 @@ class RouteSanitizationAnalyzer():
          else:
            dekorator = dec.children[-1] 
      # Cek apakah ada di fungsi atau library
+          print(dekorator.text.decode().split("(")[0].replace("@","").strip())
          if self.is_in_acl_list(route,dekorator.text.decode().split("(")[0].replace("@","").strip()):
            return True
    # Gak ada dekorator/dekorator gak cocok
@@ -303,6 +305,7 @@ class RouteSanitizationAnalyzer():
    for acl_class in self.project_info.acl_class:
      acl_class.cfg.reset()
      if(acl_class.type=='library' and acl_class.location==route.location):
+        print("acl",acl_class)
        if(acl_class.context):
          # Cek apakah fungsi yang merupakan acl digunakan
          # context berisi daftar fungsi yang merupakan fungsi untuk cek ACL
@@ -310,8 +313,11 @@ class RouteSanitizationAnalyzer():
            acl_node:Node|None = acl_class.cfg.traverse()
            if not acl_node:
              break
+            # acl_node = None
+            # print("asu",acl_class.context,acl_node.text.decode())
            # Handle kasus antara gak ada context fungsi mana yang acl maupun ada
            if(not acl_class.context or  (acl_node.text.decode().split(".")[0] in acl_class.context)):
+              print(name, acl_class.cfg.get_name(acl_node))
              # Cek jika ini fungsi ataupun kelas
              if(name==acl_class.cfg.get_name(acl_node) or name.split(".")[0]==acl_class.cfg.get_name(acl_node)):
              # Cek apakah dia manggil fungsi yang diimport di acl

--- a/src/lib/VulnerabilitReporter.py
+++ b/src/lib/VulnerabilitReporter.py
@@ -13,7 +13,15 @@ class VulnerabilityReporter:
            print("-")
        else:
            for i in range(len(self.element_not_contacting_acl)):
-                print(f"{i+1}. {self.element_not_contacting_acl[i]}")
+                # Untuk kasus memang tidak perlu ada pengecekan
+                extra  = ""
+                try:
+                    key = self.element_not_contacting_acl[i].split("(")[0]
+                    if self.expected_acl_data.route_acl[key]==self.real_acl_data.principal_list:
+                        extra = " | Possibily doesn't need control access?"
+                except KeyError:
+                    pass
+                print(f"{i+1}. {self.element_not_contacting_acl[i]}{extra}")
        print()

    def get_acl_table(self)->None:

--- a/tests/tc1/views.py
+++ b/tests/tc1/views.py
@@ -68,7 +68,7 @@ def get_note():
 @views.route('/logs', methods=['GET'])
 # @login_required
 def get_logs():
-    rolecheck = RoleCheck(1)
+    rolecheck = RoleCheck()
    if (rolecheck.is_admin(current_user)):
        abort(403)
    logs = Log.query.get()