diff --git a/build.sbt b/build.sbt index a7dfb026..1b5b6538 100644 --- a/build.sbt +++ b/build.sbt @@ -1,6 +1,6 @@ name := "chen" ThisBuild / organization := "io.appthreat" -ThisBuild / version := "0.5.3" +ThisBuild / version := "0.5.4" ThisBuild / scalaVersion := "3.3.1" val cpgVersion = "1.4.22" diff --git a/platform/frontends/x2cpg/src/main/scala/io/appthreat/x2cpg/passes/taggers/CdxPass.scala b/platform/frontends/x2cpg/src/main/scala/io/appthreat/x2cpg/passes/taggers/CdxPass.scala index de7d9e15..f25e4e1b 100644 --- a/platform/frontends/x2cpg/src/main/scala/io/appthreat/x2cpg/passes/taggers/CdxPass.scala +++ b/platform/frontends/x2cpg/src/main/scala/io/appthreat/x2cpg/passes/taggers/CdxPass.scala @@ -42,6 +42,8 @@ class CdxPass(atom: Cpg) extends CpgPass(atom) { "(?s)(?i).*(\\s|\\.)(list|create|upload|delete|execute|command|invoke|submit|send)" ) + private def PY_REQUEST_PATTERNS = Array(".*views.py:.*") + private def containsRegex(str: String) = Pattern.quote(str) == str || str.contains("*") private val BOM_JSON_FILE = ".*(bom|cdx).json" @@ -69,6 +71,10 @@ class CdxPass(atom: Cpg) extends CpgPass(atom) { JS_REQUEST_PATTERNS.foreach(p => atom.call.code(p).newTagNode("framework-input").store()(dstGraph)) JS_RESPONSE_PATTERNS.foreach(p => atom.call.code(p).newTagNode("framework-output").store()(dstGraph)) } + if (language == Languages.PYTHON || language == Languages.PYTHONSRC) { + PY_REQUEST_PATTERNS + .foreach(p => atom.method.fullName(p).parameter.newTagNode("framework-input").store()(dstGraph)) + } components.foreach { comp => val PURL_TYPE = "purl" val compPurl = comp.hcursor.downField(PURL_TYPE).as[String].getOrElse("") @@ -115,6 +121,7 @@ class CdxPass(atom: Cpg) extends CpgPass(atom) { } if (language == Languages.PYTHON || language == Languages.PYTHONSRC) { atom.call.where(_.methodFullName(bpkg)).argument.newTagNode(compPurl).store()(dstGraph) + atom.identifier.typeFullName(bpkg).newTagNode(compPurl).store()(dstGraph) } } if (compType != "library") { 
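Review bot: `PY_REQUEST_PATTERNS` is declared as a `private def`, so the `Array` is rebuilt on every access, while the neighbouring constants such as `BOM_JSON_FILE` two lines below are `private val`s; make it `private val PY_REQUEST_PATTERNS = Array(".*views\\.py:.*")`. The escaped dot is the second point: as written the `.` in `views.py` matches any character, so the pattern also accepts paths such as `views_py`; `BOM_JSON_FILE` has the same unescaped dot, so either fix both or state that the looseness is intended. The only consumer is the second hunk of this file (`atom.method.fullName(p)`), so the rename is local.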
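Review bot: The new Python branch tags every parameter of every method whose full name contains `views.py:` as `framework-input`, which presumably includes `self` and any private helper defined in the same file, so the source set seen by downstream taint queries is over-approximated. If the intent is only the request object of view handlers, either narrow the traversal (for example `.parameter.nameNot("self")`, if the Python frontend emits `self` as a parameter — I cannot confirm that from this hunk) or add a comment such as `// deliberately broad: every parameter of a views.py method is treated as framework input`. The enclosing method starts outside the hunk, as do the definitions of `language` and `components`.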
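Review bot: `atom.identifier.typeFullName(bpkg)` reuses `bpkg` as a regex exactly like `methodFullName(bpkg)` on the line above, so it inherits whatever anchoring `bpkg` has, and `bpkg` is built outside this hunk. If the generated property filters match the whole string rather than searching (which is how the overflowdb-style `name(regex)` filters behave, as far as I know), a bare package name would only tag identifiers whose type is exactly that name and not a nested type such as `pkg.Session`. Worth confirming that `bpkg` ends in `.*`, or adding a one-line comment above the new line stating that assumption.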
diff --git a/platform/frontends/x2cpg/src/main/scala/io/appthreat/x2cpg/passes/taggers/ChennaiTagsPass.scala b/platform/frontends/x2cpg/src/main/scala/io/appthreat/x2cpg/passes/taggers/ChennaiTagsPass.scala index 6e40e9f6..b272de54 100644 --- a/platform/frontends/x2cpg/src/main/scala/io/appthreat/x2cpg/passes/taggers/ChennaiTagsPass.scala +++ b/platform/frontends/x2cpg/src/main/scala/io/appthreat/x2cpg/passes/taggers/ChennaiTagsPass.scala @@ -20,11 +20,12 @@ class ChennaiTagsPass(atom: Cpg) extends CpgPass(atom) { private val FRAMEWORK_OUTPUT = "framework-output" private val PYTHON_ROUTES_CALL_REGEXES = - Array("django/(conf/)?urls.py:.(path|re_path|url).*", ".*(route|web\\.).*") + Array("django/(conf/)?urls.py:.(path|re_path|url).*", ".*(route|web\\.|add_resource).*") private val PYTHON_ROUTES_DECORATORS_REGEXES = Array( - ".*(route|endpoint|_request|require_http_methods|require_GET|require_POST|require_safe|_required)\\(.*" + ".*(route|endpoint|_request|require_http_methods|require_GET|require_POST|require_safe|_required)\\(.*", + ".*def\\s(get|post|put)\\(.*" ) - private val HTTP_METHODS_REGEX = ".*(request|session)\\.(args|get|post|form).*" + private val HTTP_METHODS_REGEX = ".*(request|session)\\.(args|get|post|put|form).*" private def tagPythonRoutes(dstGraph: DiffGraphBuilder): Unit = { PYTHON_ROUTES_CALL_REGEXES.foreach { r => atom.call 
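Review bot: The widened `HTTP_METHODS_REGEX` still misses common request-payload accessors, so inputs read via `request.json`, `request.data`, `request.files` or `request.values` (Flask) and `request.body` or `request.FILES` (Django) are not tagged `framework-input`, which leaves those taint sources invisible to downstream queries. Likewise the new method regex `.*def\\s(get|post|put)\\(.*` omits `delete`, `patch`, `head` and `options` handlers of class-based views. Consider `private val HTTP_METHODS_REGEX = ".*(request|session)\\.(args|get|post|put|form|json|data|files|values|body|FILES).*"` and `".*def\\s(get|post|put|delete|patch|head|options)\\(.*"`. The `def` regex is applied to call code via `_.inCall.code(r)` in the next hunk, which only works if the Python frontend emits the `def` text in an assignment call's code; a short comment on the array saying so would spare the next reader that lookup.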
@@ -33,28 +34,23 @@ class ChennaiTagsPass(atom: Cpg) extends CpgPass(atom) {
 .isLiteral
 .newTagNode(FRAMEWORK_ROUTE)
 .store()(dstGraph)
-
- PYTHON_ROUTES_DECORATORS_REGEXES.foreach { r =>
- def decoratedMethods = atom.methodRef
- .where(_.inCall.code(r).argument)
- ._refOut
- .collectAll[Method]
- decoratedMethods.call.assignment
- .code(HTTP_METHODS_REGEX)
- .argument
- .isIdentifier
- .newTagNode(FRAMEWORK_INPUT)
- .store()(dstGraph)
- decoratedMethods
- .newTagNode(FRAMEWORK_INPUT)
- .store()(dstGraph)
- decoratedMethods.parameter
- .newTagNode(FRAMEWORK_INPUT)
- .store()(dstGraph)
- }
- atom.ret
- .where(_.method.tag.name(FRAMEWORK_INPUT))
- .newTagNode(FRAMEWORK_OUTPUT)
+ }
+ PYTHON_ROUTES_DECORATORS_REGEXES.foreach { r =>
+ def decoratedMethods = atom.methodRef
+ .where(_.inCall.code(r).argument)
+ ._refOut
+ .collectAll[Method]
+ decoratedMethods.call.assignment
+ .code(HTTP_METHODS_REGEX)
+ .argument
+ .isIdentifier
+ .newTagNode(FRAMEWORK_INPUT)
+ .store()(dstGraph)
+ decoratedMethods
+ .newTagNode(FRAMEWORK_INPUT)
+ .store()(dstGraph)
+ decoratedMethods.parameter
+ .newTagNode(FRAMEWORK_INPUT)
 .store()(dstGraph)
 }
 }
diff --git a/project/build.properties b/project/build.properties
index 27430827..e8a1e246 100644
--- a/project/build.properties
+++ b/project/build.properties
@@ -1 +1 @@
-sbt.version=1.9.6
+sbt.version=1.9.7
diff --git a/pyproject.toml b/pyproject.toml
index 3903b196..3e6f54f4 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "appthreat-chen"
-version = "0.5.3"
+version = "0.5.4"
 description = "Code Hierarchy Exploration Net (chen)"
 authors = ["Team AppThreat "]
 license = "Apache-2.0"
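Review bot: The restructured method no longer tags return nodes: the old `atom.ret.where(_.method.tag.name(FRAMEWORK_INPUT)).newTagNode(FRAMEWORK_OUTPUT)` chain is dropped on the new side and nothing replaces it, so `FRAMEWORK_OUTPUT` appears unused in `tagPythonRoutes` and Python route return values lose their sink tag. If that is deliberate — for instance because tags written to `dstGraph` in this pass are not yet visible to the `tag.name` query — add a comment saying so; otherwise reinstate it after the decorators loop as `atom.ret.where(_.method.tag.name(FRAMEWORK_INPUT)).newTagNode(FRAMEWORK_OUTPUT).store()(dstGraph)`. Moving the decorators loop out of the `PYTHON_ROUTES_CALL_REGEXES` loop is the right fix; previously it re-ran once per call regex. `tagPythonRoutes` begins above the hunk.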