bugfix scrab_lines() returns no result, changes sql_injection rule

.gitignore

@@ -1,3 +1,6 @@
 config.json
+*.json
 output.txt
 **/__pycache__/
+.DS_Store
+

plugin/go/go.py

@@ -23,12 +23,14 @@ def audit(self,audititem):
         '''
         match = self.rules.match(data=audititem.line)
         if match :
+
             vulnerability  = "==============================================\n"
-            vulnerability += "dangerous go function : " + match[0].rule + "\n"
             vulnerability += "filename : " + audititem.filename + "\n"
+            vulnerability += "dangerous go function : " + match[0].rule + "\n"
+            length, variable, m_string = match[0].strings[0]
+            vulnerability += "dangerous matches : "  + str(m_string,'utf-8') + "\n"
             vulnerability += "==============================================\n"
             vulnerability += audititem.lines 
-
             audititem.output.list.append(vulnerability)
 
     def finish(self):

plugin/go/go_danger_functions.rule

@@ -16,26 +16,26 @@ rule sql_injection
         $sql13 ="Having("
         $sql14 = "Exec("   
         $sql15 = "ExecContext(" 
-        $op1 = "%s" 
-        $op2 = "+" 
+        $op1 = /.*%s/ 
+        $op2 = /.*\+/
 
     condition:
         1 of ($sql*) and ( $op1 or $op2 )
 }
 
 rule sql_injection2 
 {
-    strings : 
+   strings : 
+
         $sql1 = "raw" nocase 
         $sql2 = "query" nocase 
         $sql3 = "sql" nocase
-        $op1 = "=" 
-        $op2 = "%s" 
-        $func1 = "Sprintf("  
+        $sql5 = "stmt" nocase 
+        $sql6 = "statement" nocase 
+        $param = /.*=.*%s/ nocase 
 
     condition : 
-        1 of ($sql*) and $op1 and ($func1 and $op2)
-
+       1 of ($sql*) and $param 
 }
 
 rule cmd_excute

plugin/nodejs/nodejs.py

@@ -24,16 +24,14 @@ def audit(self,audititem):
         '''
         match = self.rules.match(data=audititem.line)
         if match :
-            length, variable, m_string = match[0].strings[0]
             vulnerability  = "==============================================\n"
-            vulnerability += "dangerous nodejs function : " + match[0].rule + "\n"
-            vulnerability += "dangerous matches : " + str(m_string,'utf-8') + "\n"
             vulnerability += "filename : " + audititem.filename + "\n"
+            vulnerability += "dangerous nodejs function : " + match[0].rule + "\n"
+            length, variable, m_string = match[0].strings[0]
+            vulnerability += "dangerous matches : "  + str(m_string,'utf-8') + "\n"
             vulnerability += "==============================================\n"
             vulnerability += audititem.lines 
-
-            audititem.output.list.append(vulnerability)
-
+            audititem.output.list.append(vulnerability)        
     def finish(self):
         print("nodejs plugin finish")
 

plugin/nodejs/nodejs_danger_functions.rule

@@ -63,17 +63,17 @@ rule sql_injection1_mongodb
 rule sql_injection2 
 {
     strings : 
+
         $sql1 = "raw" nocase 
         $sql2 = "query" nocase 
         $sql3 = "sql" nocase
         $sql4 = "fmt" nocase 
-        $op1 = "=" 
-        $op2 = "%s" 
-        $func1 = "format("  
-        $func2 = "sprintf(" 
-
+        $sql5 = "stmt" nocase 
+        $sql6 = "statement" nocase 
+        $param = /.*=.*%s/ nocase 
+
     condition : 
-        1 of ($sql*) and $op1 and ( 1 of ($func*) and $op2)
+       1 of ($sql*) and $param 
 }
 
 rule js_excute 
@@ -91,45 +91,47 @@ rule xss
 {
     strings : 
 
+        $eql = /.*=/
         $xss2 = "dangerouslySetInnerHTML"
         $xss3 = "trustAsHtml"
 
 
     condition : 
-        1 of ($xss*) and "="  
+        1 of ($xss*) and $eql 
 }
 
 rule ssl 
 {
     strings : 
+        $true = /.*:.*true/ nocase 
+        $false = /.*:.*false/ nocase 
+        $zero = /.*:.*0/ nocase 
         $ssl1 = "NODE_TLS_REJECT_UNAUTHORIZED"
         $ssl2 = "rejectUnauthorized"
         $ssl3 = "insecure"
         $ssl4 = "strictSSL"
         $ssl5 = "clientPemCrtSignedBySelfSignedRootCaBuffer"
     condition :
-        ( $ssl1 and "0" ) or 
-        ( $ssl2 and "false" ) or 
-        ( $ssl3 and "true" ) or 
-        ( $ssl4 and "false") or 
+        ( $ssl1 and $zero ) or 
+        ( ($ssl2 or $ssl4) and $false ) or 
+        ( $ssl3 and $true ) or 
         ( $ssl5 ) 
 }
 
 rule ssi 
 {
     strings : 
-        $qoute1 = "<%"
-        $qoute2 = "%>" 
+        $qoute1 = /<%.*%>/
     condition : 
-        $qoute1 and $qoute2 
+        $qoute1 
 }
 
 rule cookie 
 {
     strings :
-        $cookie = "document.cookie"
+        $cookie = /document.cookie.*=/
     condition : 
-        $cookie and "=" 
+        $cookie 
 }
 
 rule electron_setting1 
@@ -148,12 +150,15 @@ rule electron_setting1
         $tg3 = "sandbox"
         $tg4 = "webSecurity"
 
-        $pre = "preload" 
+        $pre = /preload.*:/
+
+        $true = /.*:.*true/
+        $false = /.*:.*false/ 
 
     condition: 
-        (1 of ($fg*) and ":" and "true") or 
-        (1 of ($tg*) and ":" and "false") or 
-        ($pre and ":" )
+        (1 of ($fg*) and $true) or 
+        (1 of ($tg*) and $false) or 
+        $pre
 
 }
 

plugin/php/php.py

@@ -24,12 +24,14 @@ def audit(self,audititem):
         '''
         match = self.rules.match(data=audititem.line)
         if match :
+
             vulnerability  = "==============================================\n"
-            vulnerability += "dangerous php function : " + match[0].rule + "\n"
             vulnerability += "filename : " + audititem.filename + "\n"
+            vulnerability += "dangerous php function : " + match[0].rule + "\n"
+            length, variable, m_string = match[0].strings[0]
+            vulnerability += "dangerous matches : "  + str(m_string,'utf-8') + "\n"
             vulnerability += "==============================================\n"
             vulnerability += audititem.lines 
-
             audititem.output.list.append(vulnerability)
 
     def finish(self):

plugin/php/php_danger_functions.rule

@@ -32,16 +32,18 @@ rule sql_injection1
 rule sql_injection2 
 {
     strings : 
+
         $sql1 = "raw" nocase 
         $sql2 = "query" nocase 
         $sql3 = "sql" nocase
-        $op1 = "=" 
-        $sql4 = "sprintf("  
-        $op2 = "%s" 
-
+        $sql4 = "fmt" nocase 
+        $sql5 = "stmt" nocase 
+        $sql6 = "statement" nocase 
+        $param = /.*=.*%s/ nocase 
+
     condition : 
-        ($sql1 or $sql2 or $sql3) and $op1 and ($sql4 and $op2)
-
+       1 of ($sql*) and $param 
+    
 }
 
 rule xss 

plugin/python/python.py

@@ -24,17 +24,17 @@ def audit(self,audititem):
         '''
         match = self.rules.match(data=audititem.line)
         if match :
-            length, variable, m_string = match[0].strings[0]
+
             vulnerability  = "==============================================\n"
+            vulnerability += "filename : " + audititem.filename + "\n"
             vulnerability += "dangerous python function : " + match[0].rule + "\n"
+            length, variable, m_string = match[0].strings[0]
             vulnerability += "dangerous matches : "  + str(m_string,'utf-8') + "\n"
-            vulnerability += "filename : " + audititem.filename + "\n"
-
             vulnerability += "==============================================\n"
             vulnerability += audititem.lines 
-
             audititem.output.list.append(vulnerability)
-
+
+
     def finish(self):
         print("python plugin finish")
 

plugin/python/python_danger_functions.rule

@@ -7,7 +7,7 @@ rule cmd_excute_python3_shellspawn
         $cmd4 = "check_call("
         $cmd5 = "check_output(" 
 
-        $opt1 = "shell=True"
+        $opt1 = "shell=True" nocase 
         $sys1 = "system("
 
     condition:
@@ -98,7 +98,7 @@ rule py_excute
 rule django1 
 {
     strings:
-        $dj = "redirect("
+        $dj1 = "redirect("
     condition:
         all of them 
 
@@ -108,8 +108,9 @@ rule django2
 {
     strings:
         $dj1 = "__setitem__(" 
+        $opt1 = "Content-Type" 
     condition:
-        $dj1 and "Content-Type" 
+        $dj1 and $opt1 
 }
 
 rule flask1 
@@ -149,15 +150,17 @@ rule sql_injection1
 rule sql_injection2 
 {
     strings : 
-        $sql1 = /raw*=*%s/ nocase 
-        $sql2 = /query*=*%s/ nocase 
-        $sql3 = /sql*=*%s/ nocase
-        $sql4 = /fmt*=*%s/ nocase 
-        $sql5 = /stmt*=*%s/ nocase 
-        $sql6 = /statement*=*%s/ nocase 
+
+        $sql1 = "raw" nocase 
+        $sql2 = "query" nocase 
+        $sql3 = "sql" nocase
+        $sql4 = "fmt" nocase 
+        $sql5 = "stmt" nocase 
+        $sql6 = "statement" nocase 
+        $param = /.*=.*%s/ nocase 
 
     condition : 
-       any of ($sql*) 
+       1 of ($sql*) and $param 
 }
 
 

tonbi.py

@@ -209,13 +209,26 @@ def scrap_lines(line, datafile, i):
 	head_n = i-config.head_count
 	tail_n = i+config.tail_count+1
 
-	if ( head_n > 0 and tail_n < len(datafile) ):
+	if head_n > 0 :
+		if tail_n < len(datafile) :
+			j = head_n 
+			for x in datafile[head_n:tail_n] : 
+				lines += str(j) + ": " +  x 
+				j =j +1 
+		else :
+			tail_n = len(datafile)
+			j = head_n 
+			for x in datafile[head_n:tail_n] : 
+				lines += str(j) + ": " +  x 
+				j =j +1
+	else :
+		head_n = 0 
 		j = head_n 
 		for x in datafile[head_n:tail_n] : 
 			lines += str(j) + ": " +  x 
-			j =j +1 
-		else : 
-			lines += str(i) + ": " + line 
+			j =j +1
+		#lines += str(i) + ": " + line 
+
 	return lines