Fix codes for the reviews

Author: frkngksl

Diff for: community/detectors/intel_neural_compressor_cve_2024_22476/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202422476/Cve202422476DetectorBootstrapModule.java

@@ -13,6 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+
 package com.google.tsunami.plugins.detectors.cves.cve202422476;
 
 import com.google.tsunami.plugin.PluginBootstrapModule;

Diff for: community/detectors/intel_neural_compressor_cve_2024_22476/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202422476/Cve202422476VulnDetector.java

@@ -13,6 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+
 package com.google.tsunami.plugins.detectors.cves.cve202422476;
 
 import static com.google.common.base.Preconditions.checkNotNull;
@@ -32,6 +33,7 @@
 import com.google.tsunami.common.data.NetworkServiceUtils;
 import com.google.tsunami.common.net.http.HttpClient;
 import com.google.tsunami.common.net.http.HttpHeaders;
+import com.google.tsunami.common.net.http.HttpRequest;
 import com.google.tsunami.common.net.http.HttpResponse;
 import com.google.tsunami.common.time.UtcClock;
 import com.google.tsunami.plugin.PluginType;
@@ -68,12 +70,12 @@ public final class Cve202422476VulnDetector implements VulnDetector {
   private static final GoogleLogger logger = GoogleLogger.forEnclosingClass();
 
   private final Clock utcClock;
-  private final HttpClient httpClient;
   private final PayloadGenerator payloadGenerator;
 
   private static final String VUL_PATH = "task/submit/";
   private static final int BATCH_REQUEST_WAIT_AFTER_TIMEOUT = 10;
   private final String taskRequestTemplate;
+  private static HttpClient httpClient;
 
   @Inject
   Cve202422476VulnDetector(
@@ -104,10 +106,26 @@ public DetectionReportList detect(
         .build();
   }
 
+  private static boolean checkNeuralSolutionFingerprint(NetworkService networkService) {
+    String targetWebAddress = buildTarget(networkService).toString();
+    var request = HttpRequest.get(targetWebAddress).withEmptyHeaders().build();
+
+    try {
+      HttpResponse response = httpClient.send(request, networkService);
+      return response.status().isSuccess()
+          && response
+              .bodyString()
+              .map(body -> body.contains("{\"message\":\"Welcome to Neural Solution!\"}"))
+              .orElse(false);
+    } catch (IOException e) {
+      logger.atWarning().withCause(e).log("Failed to send request.");
+      return false;
+    }
+  }
+
   private static boolean isWebServiceOrUnknownService(NetworkService networkService) {
-    return networkService.getServiceName().isEmpty()
-        || NetworkServiceUtils.isWebService(networkService)
-        || NetworkServiceUtils.getServiceName(networkService).equals("unknown");
+    return NetworkServiceUtils.isWebService(networkService)
+        && checkNeuralSolutionFingerprint(networkService);
   }
 
   private static StringBuilder buildTarget(NetworkService networkService) {
@@ -124,43 +142,37 @@ private static StringBuilder buildTarget(NetworkService networkService) {
   }
 
   private boolean isServiceVulnerable(NetworkService networkService) {
-    return isRceExecutable(networkService);
-  }
-
-  private boolean isRceExecutable(NetworkService networkService) {
-    if (payloadGenerator.isCallbackServerEnabled()) {
-      String taskRequestBody = taskRequestTemplate;
-      // Check callback server is enabled
-      logger.atInfo().log("Callback server is available!");
-      Payload payload = generateCallbackServerPayload();
-      taskRequestBody =
-          taskRequestBody.replace(
-              "{{CALLBACK_PAYLOAD}}",
-              BaseEncoding.base64().encode(payload.getPayload().getBytes(UTF_8)));
-      String targetVulnerabilityUrl = buildTarget(networkService).append(VUL_PATH).toString();
-      logger.atInfo().log(taskRequestBody);
-      try {
-        HttpResponse httpResponse =
-            httpClient.send(
-                post(targetVulnerabilityUrl)
-                    .setHeaders(
-                        HttpHeaders.builder().addHeader(CONTENT_TYPE, "application/json").build())
-                    .setRequestBody(ByteString.copyFromUtf8(taskRequestBody))
-                    .build(),
-                networkService);
-        logger.atInfo().log(
-            "Callback Server Payload Response: %s", httpResponse.bodyString().get());
-        Uninterruptibles.sleepUninterruptibly(Duration.ofSeconds(BATCH_REQUEST_WAIT_AFTER_TIMEOUT));
-        return payload.checkIfExecuted();
-
-      } catch (IOException e) {
-        logger.atWarning().withCause(e).log("Failed to send request.");
-        return false;
-      }
-    } else {
+    Payload payload = generateCallbackServerPayload();
+    if (!payload.getPayloadAttributes().getUsesCallbackServer()) {
       logger.atInfo().log(
-          "Callback server is not available! This vulnerability cannot be detected without a"
-              + " callback server!");
+          "The Tsunami callback server is not setup for this environment, so we cannot confirm the"
+              + " RCE callback");
+      return false;
+    }
+    String taskRequestBody = taskRequestTemplate;
+    // Check callback server is enabled
+    logger.atInfo().log("Callback server is available!");
+    taskRequestBody =
+        taskRequestBody.replace(
+            "{{CALLBACK_PAYLOAD}}",
+            BaseEncoding.base64().encode(payload.getPayload().getBytes(UTF_8)));
+    String targetVulnerabilityUrl = buildTarget(networkService).append(VUL_PATH).toString();
+    logger.atInfo().log(taskRequestBody);
+    try {
+      HttpResponse httpResponse =
+          httpClient.send(
+              post(targetVulnerabilityUrl)
+                  .setHeaders(
+                      HttpHeaders.builder().addHeader(CONTENT_TYPE, "application/json").build())
+                  .setRequestBody(ByteString.copyFromUtf8(taskRequestBody))
+                  .build(),
+              networkService);
+      logger.atInfo().log("Callback Server Payload Response: %s", httpResponse.bodyString().get());
+      Uninterruptibles.sleepUninterruptibly(Duration.ofSeconds(BATCH_REQUEST_WAIT_AFTER_TIMEOUT));
+      return payload.checkIfExecuted();
+
+    } catch (IOException e) {
+      logger.atWarning().withCause(e).log("Failed to send request.");
       return false;
     }
   }

Diff for: community/detectors/intel_neural_compressor_cve_2024_22476/src/test/java/com/google/tsunami/plugins/detectors/cves/cve202422476/Cve202422476VulnDetectorTest.java

@@ -13,18 +13,17 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+
 package com.google.tsunami.plugins.detectors.cves.cve202422476;
 
 import static com.google.common.truth.Truth.assertThat;
 import static com.google.common.truth.extensions.proto.ProtoTruth.assertThat;
-import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostname;
 import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort;
 
 import com.google.common.collect.ImmutableList;
 import com.google.inject.Guice;
 import com.google.protobuf.util.Timestamps;
 import com.google.tsunami.common.net.http.HttpClientModule;
-import com.google.tsunami.common.net.http.HttpStatus;
 import com.google.tsunami.common.time.testing.FakeUtcClock;
 import com.google.tsunami.common.time.testing.FakeUtcClockModule;
 import com.google.tsunami.plugin.payload.testing.FakePayloadGeneratorModule;
@@ -34,16 +33,16 @@
 import com.google.tsunami.proto.DetectionStatus;
 import com.google.tsunami.proto.NetworkService;
 import com.google.tsunami.proto.Severity;
-import com.google.tsunami.proto.Software;
 import com.google.tsunami.proto.TargetInfo;
-import com.google.tsunami.proto.TransportProtocol;
 import com.google.tsunami.proto.Vulnerability;
 import com.google.tsunami.proto.VulnerabilityId;
 import java.io.IOException;
 import java.time.Instant;
 import javax.inject.Inject;
+import okhttp3.mockwebserver.Dispatcher;
 import okhttp3.mockwebserver.MockResponse;
 import okhttp3.mockwebserver.MockWebServer;
+import okhttp3.mockwebserver.RecordedRequest;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
@@ -57,7 +56,7 @@ public class Cve202422476VulnDetectorTest {
       FakeUtcClock.create().setNow(Instant.parse("2022-05-23T00:00:00.00Z"));
   private MockWebServer mockWebServer;
   private MockWebServer mockCallbackServer;
-  private NetworkService service;
+  private NetworkService targetNetworkService;
   private TargetInfo targetInfo;
 
   @Inject private Cve202422476VulnDetector detector;
@@ -74,20 +73,6 @@ public void setUp() throws IOException {
             FakePayloadGeneratorModule.builder().setCallbackServer(mockCallbackServer).build(),
             new Cve202422476DetectorBootstrapModule())
         .injectMembers(this);
-
-    service =
-        NetworkService.newBuilder()
-            .setNetworkEndpoint(
-                forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort()))
-            .setTransportProtocol(TransportProtocol.TCP)
-            .setSoftware(Software.newBuilder().setName("http"))
-            .setServiceName("http")
-            .build();
-
-    targetInfo =
-        TargetInfo.newBuilder()
-            .addNetworkEndpoints(forHostname(mockWebServer.getHostName()))
-            .build();
   }
 
   @After
@@ -99,21 +84,16 @@ public void tearDown() throws IOException {
   @Test
   public void detect_whenVulnerable_returnsVulnerability() throws IOException {
     // It is a blind RCE, body is not important. This is a part of a valid response.
-    mockWebServer.enqueue(
-        new MockResponse()
-            .setResponseCode(200)
-            .setBody(
-                "{\"status\":\"successfully\",\"task_id\":\"065d95dd70524cb2baa743def3ff7036\",\"msg\":\"Task"
-                    + " submitted successfully\"}"));
-
+    startMockWebServer(true);
     mockCallbackServer.enqueue(PayloadTestHelper.generateMockSuccessfulCallbackResponse());
-    DetectionReportList detectionReports = detector.detect(targetInfo, ImmutableList.of(service));
+    DetectionReportList detectionReports =
+        detector.detect(targetInfo, ImmutableList.of(targetNetworkService));
 
     assertThat(detectionReports.getDetectionReportsList())
         .containsExactly(
             DetectionReport.newBuilder()
                 .setTargetInfo(targetInfo)
-                .setNetworkService(service)
+                .setNetworkService(targetNetworkService)
                 .setDetectionTimestamp(
                     Timestamps.fromMillis(Instant.now(fakeUtcClock).toEpochMilli()))
                 .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED)
@@ -138,17 +118,63 @@ public void detect_whenVulnerable_returnsVulnerability() throws IOException {
                                 + " result, attackers can manipulate this parameter to remotely"
                                 + " execute arbitrary commands."))
                 .build());
-    assertThat(mockWebServer.getRequestCount()).isEqualTo(1);
+    assertThat(mockWebServer.getRequestCount()).isEqualTo(2);
     assertThat(mockCallbackServer.getRequestCount()).isEqualTo(1);
   }
 
   @Test
   public void detect_ifNotVulnerable_doesNotReportVuln() throws IOException {
-    mockWebServer.enqueue(
-        new MockResponse().setResponseCode(HttpStatus.OK.code()).setBody("Hello world!"));
+    startMockWebServer(false);
 
-    DetectionReportList detectionReports = detector.detect(targetInfo, ImmutableList.of(service));
+    DetectionReportList detectionReports =
+        detector.detect(targetInfo, ImmutableList.of(targetNetworkService));
     assertThat(detectionReports.getDetectionReportsList()).isEmpty();
-    assertThat(mockWebServer.getRequestCount()).isEqualTo(1);
+    assertThat(mockWebServer.getRequestCount()).isEqualTo(2);
+  }
+
+  private void startMockWebServer(boolean isVulnerableServer) throws IOException {
+    final Dispatcher dispatcher =
+        new Dispatcher() {
+
+          @Override
+          public MockResponse dispatch(RecordedRequest request) {
+            switch (request.getPath()) {
+              case "/":
+                return new MockResponse()
+                    .setResponseCode(200)
+                    .setBody("{\"message\":\"Welcome to Neural Solution!\"}");
+              case "/task/submit/":
+                if (isVulnerableServer) {
+                  return new MockResponse()
+                      .setResponseCode(200)
+                      .setBody(
+                          "{\"status\":\"successfully\",\"task_id\":\"065d95dd70524cb2baa743def3ff7036\",\"msg\":\"Task"
+                              + " submitted successfully\"}");
+                } else {
+                  return new MockResponse()
+                      .setResponseCode(422)
+                      .setBody("{\"detail\":\"Invalid task\"}");
+                }
+              default:
+                return new MockResponse()
+                    .setResponseCode(404)
+                    .setBody("{\"detail\":\"Not Found\"}");
+            }
+          }
+        };
+    mockWebServer.setDispatcher(dispatcher);
+    mockWebServer.start();
+    mockWebServer.url("/");
+    targetNetworkService =
+        NetworkService.newBuilder()
+            .setNetworkEndpoint(
+                forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort()))
+            .addSupportedHttpMethods("POST")
+            .addSupportedHttpMethods("GET")
+            .build();
+    targetInfo =
+        TargetInfo.newBuilder()
+            .addNetworkEndpoints(targetNetworkService.getNetworkEndpoint())
+            .build();
   }
 }