From 322cad6eb5fe6e53a37723721e87b3815ccd06ef Mon Sep 17 00:00:00 2001 From: Jan Bessai Date: Mon, 8 Feb 2021 06:00:34 +0100 Subject: [PATCH 1/9] Update dependencies --- .gitignore | 2 ++ .scalafmt.conf | 2 ++ build.sbt | 14 +++++++------- project/build.properties | 2 +- project/plugins.sbt | 4 +++- 5 files changed, 15 insertions(+), 9 deletions(-) create mode 100644 .scalafmt.conf diff --git a/.gitignore b/.gitignore index 2da52ba..487ddde 100644 --- a/.gitignore +++ b/.gitignore @@ -213,3 +213,5 @@ tags .idea/ project/metals.sbt + +.bsp/sbt.json diff --git a/.scalafmt.conf b/.scalafmt.conf new file mode 100644 index 0000000..7253c63 --- /dev/null +++ b/.scalafmt.conf @@ -0,0 +1,2 @@ +version = 2.4.2 +rewrite.rules = [ AvoidInfix, SortImports ] diff --git a/build.sbt b/build.sbt index 352142f..8b64203 100644 --- a/build.sbt +++ b/build.sbt @@ -2,7 +2,7 @@ lazy val commonSettings = Seq( version := "1.0.0-SNAPSHOT", organization := "org.combinators", - scalaVersion := "2.12.10", + scalaVersion := "2.12.13", resolvers ++= Seq( Resolver.sonatypeRepo("releases"), @@ -18,13 +18,13 @@ lazy val commonSettings = Seq( libraryDependencies ++= Seq( "org.combinators" %% "templating" % "1.1.0", - "org.scalactic" %% "scalactic" % "3.0.1" % "test", - "org.scalatest" %% "scalatest" % "3.0.1" % "test" + "org.scalactic" %% "scalactic" % "3.2.2" % "test", + "org.scalatest" %% "scalatest" % "3.2.2" % "test" ), headerLicense := Some(HeaderLicense.Custom( """|Websecbench is a suite of web security benchmarks generated by (CL)S. - |Copyright (C) 2020 Jan Bessai and Malte Mues + |Copyright (C) 2021 Jan Bessai and Malte Mues | |This program is free software; you can redistribute it and/or |modify it under the terms of the GNU General Public License 
@@ -40,8 +40,8 @@ lazy val commonSettings = Seq( |along with this program; if not, write to the Free Software |Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |""".stripMargin - )) - + )), + scapegoatVersion in ThisBuild := "1.4.7" ) lazy val root = (Project(id = "websecbench", base = file("."))) @@ -49,7 +49,7 @@ lazy val root = (Project(id = "websecbench", base = file("."))) .settings( moduleName := "websecbench", libraryDependencies ++= Seq( - "org.combinators" %% "cls-scala" % "2.0.0+12-8d994c6b", + "org.combinators" %% "cls-scala" % "3.0.0", "org.scalameta" %% "scalameta" % "3.4.0", "org.scalameta" %% "contrib" % "3.4.0", "org.combinators" %% "jgitserv" % "0.0.1" diff --git a/project/build.properties b/project/build.properties index 059dc1f..d18a12e 100644 --- a/project/build.properties +++ b/project/build.properties @@ -1 +1 @@ -sbt.version = 1.0.4 +sbt.version = 1.4.7 diff --git a/project/plugins.sbt b/project/plugins.sbt index b31e1af..cc5dfb3 100644 --- a/project/plugins.sbt +++ b/project/plugins.sbt @@ -1 +1,3 @@ -addSbtPlugin("de.heikoseeberger" % "sbt-header" % "5.4.0") +addSbtPlugin("de.heikoseeberger" % "sbt-header" % "5.6.0") +addSbtPlugin("com.sksamuel.scapegoat" %% "sbt-scapegoat" % "1.1.0") +addSbtPlugin("org.scalameta" % "sbt-scalafmt" % "2.4.2") From 15db78ac1cc9286ed0f77492676a635bcc2a018f Mon Sep 17 00:00:00 2001 
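Review bot: The new `scapegoatVersion in ThisBuild := "1.4.7"` is placed inside `commonSettings`, a per-project settings `Seq`, so a build-wide key is being set from project scope and is easy to overlook when reading the file top to bottom. With the build now on sbt 1.4.7 the clearer form is a standalone `ThisBuild / scapegoatVersion := "1.4.7"` at the top level of build.sbt, next to the other global settings, leaving `commonSettings` with only the per-project keys it is named for. The `lazy val commonSettings` definition begins outside this hunk.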
From: Jan Bessai Date: Mon, 8 Feb 2021 06:01:03 +0100 Subject: [PATCH 2/9] Update GPL header information --- src/main/resources/org/owasp/benchmark/helpers/Utils.java | 2 +- src/main/scala/org/combinators/websecbench/CodeGenerator.scala | 2 +- src/main/scala/org/combinators/websecbench/ComponentTag.scala | 2 +- .../org/combinators/websecbench/InhabitationController.scala | 2 +- src/main/scala/org/combinators/websecbench/MetaData.scala | 2 +- src/main/scala/org/combinators/websecbench/Repository.scala | 2 +- src/main/scala/org/combinators/websecbench/SemanticTypes.scala | 2 +- .../scala/org/combinators/websecbench/TaggedComponent.scala | 2 +- .../websecbench/databaseinteraction/ReadFromDatabase.scala | 2 +- .../combinators/websecbench/databaseinteraction/package.scala | 2 +- .../websecbench/iointeraction/CloseInputStream.scala | 2 +- .../websecbench/iointeraction/CloseOutputStream.scala | 2 +- .../websecbench/iointeraction/CreateFileInputStream.scala | 2 +- .../websecbench/iointeraction/CreateFileOutputStream.scala | 2 +- .../websecbench/iointeraction/ReadFromInputStream.scala | 2 +- .../org/combinators/websecbench/iointeraction/package.scala | 2 +- .../websecbench/processing/AttachDirectoryName.scala | 2 +- .../combinators/websecbench/processing/CreateSQLQuery1.scala | 2 +- .../processing/ReplaceFilenameWithStaticString.scala | 2 +- .../org/combinators/websecbench/processing/URLDecoder.scala | 2 +- .../scala/org/combinators/websecbench/processing/package.scala | 2 +- .../scala/org/combinators/websecbench/request/GetCookie.scala | 2 +- .../scala/org/combinators/websecbench/request/GetHeader.scala | 2 +- .../org/combinators/websecbench/request/SemanticTypes.scala | 2 +- .../scala/org/combinators/websecbench/request/package.scala | 2 +- 25 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/src/main/resources/org/owasp/benchmark/helpers/Utils.java b/src/main/resources/org/owasp/benchmark/helpers/Utils.java
index 580eaaa..2d63058 100644
--- a/src/main/resources/org/owasp/benchmark/helpers/Utils.java
+++ b/src/main/resources/org/owasp/benchmark/helpers/Utils.java
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/CodeGenerator.scala b/src/main/scala/org/combinators/websecbench/CodeGenerator.scala
index 36d772c..7ec4987 100644
--- a/src/main/scala/org/combinators/websecbench/CodeGenerator.scala
+++ b/src/main/scala/org/combinators/websecbench/CodeGenerator.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/ComponentTag.scala b/src/main/scala/org/combinators/websecbench/ComponentTag.scala
index 835394f..7c98b18 100644
--- a/src/main/scala/org/combinators/websecbench/ComponentTag.scala
+++ b/src/main/scala/org/combinators/websecbench/ComponentTag.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/InhabitationController.scala b/src/main/scala/org/combinators/websecbench/InhabitationController.scala
index f2e9a82..1f68856 100644
--- a/src/main/scala/org/combinators/websecbench/InhabitationController.scala
+++ b/src/main/scala/org/combinators/websecbench/InhabitationController.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/MetaData.scala b/src/main/scala/org/combinators/websecbench/MetaData.scala
index ae8aa96..1dd13ae 100644
--- a/src/main/scala/org/combinators/websecbench/MetaData.scala
+++ b/src/main/scala/org/combinators/websecbench/MetaData.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/Repository.scala b/src/main/scala/org/combinators/websecbench/Repository.scala
index 1b583e1..b9d0554 100644
--- a/src/main/scala/org/combinators/websecbench/Repository.scala
+++ b/src/main/scala/org/combinators/websecbench/Repository.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/SemanticTypes.scala b/src/main/scala/org/combinators/websecbench/SemanticTypes.scala
index 12b38a7..d45fa04 100644
--- a/src/main/scala/org/combinators/websecbench/SemanticTypes.scala
+++ b/src/main/scala/org/combinators/websecbench/SemanticTypes.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/TaggedComponent.scala b/src/main/scala/org/combinators/websecbench/TaggedComponent.scala
index 617bfa5..3f0f9b3 100644
--- a/src/main/scala/org/combinators/websecbench/TaggedComponent.scala
+++ b/src/main/scala/org/combinators/websecbench/TaggedComponent.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/databaseinteraction/ReadFromDatabase.scala b/src/main/scala/org/combinators/websecbench/databaseinteraction/ReadFromDatabase.scala
index eddd50c..e32b339 100644
--- a/src/main/scala/org/combinators/websecbench/databaseinteraction/ReadFromDatabase.scala
+++ b/src/main/scala/org/combinators/websecbench/databaseinteraction/ReadFromDatabase.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/databaseinteraction/package.scala b/src/main/scala/org/combinators/websecbench/databaseinteraction/package.scala
index a41a905..244e273 100644
--- a/src/main/scala/org/combinators/websecbench/databaseinteraction/package.scala
+++ b/src/main/scala/org/combinators/websecbench/databaseinteraction/package.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/iointeraction/CloseInputStream.scala b/src/main/scala/org/combinators/websecbench/iointeraction/CloseInputStream.scala
index ffb8067..ae347e5 100644
--- a/src/main/scala/org/combinators/websecbench/iointeraction/CloseInputStream.scala
+++ b/src/main/scala/org/combinators/websecbench/iointeraction/CloseInputStream.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/iointeraction/CloseOutputStream.scala b/src/main/scala/org/combinators/websecbench/iointeraction/CloseOutputStream.scala
index 4d28a66..be36426 100644
--- a/src/main/scala/org/combinators/websecbench/iointeraction/CloseOutputStream.scala
+++ b/src/main/scala/org/combinators/websecbench/iointeraction/CloseOutputStream.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/iointeraction/CreateFileInputStream.scala b/src/main/scala/org/combinators/websecbench/iointeraction/CreateFileInputStream.scala
index c967a5c..56716a9 100644
--- a/src/main/scala/org/combinators/websecbench/iointeraction/CreateFileInputStream.scala
+++ b/src/main/scala/org/combinators/websecbench/iointeraction/CreateFileInputStream.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/iointeraction/CreateFileOutputStream.scala b/src/main/scala/org/combinators/websecbench/iointeraction/CreateFileOutputStream.scala
index a8cc258..c3c614d 100644
--- a/src/main/scala/org/combinators/websecbench/iointeraction/CreateFileOutputStream.scala
+++ b/src/main/scala/org/combinators/websecbench/iointeraction/CreateFileOutputStream.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/iointeraction/ReadFromInputStream.scala b/src/main/scala/org/combinators/websecbench/iointeraction/ReadFromInputStream.scala
index dd14ba3..d7c51d2 100644
--- a/src/main/scala/org/combinators/websecbench/iointeraction/ReadFromInputStream.scala
+++ b/src/main/scala/org/combinators/websecbench/iointeraction/ReadFromInputStream.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/iointeraction/package.scala b/src/main/scala/org/combinators/websecbench/iointeraction/package.scala
index 7d0a02b..df6ce6c 100644
--- a/src/main/scala/org/combinators/websecbench/iointeraction/package.scala
+++ b/src/main/scala/org/combinators/websecbench/iointeraction/package.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/processing/AttachDirectoryName.scala b/src/main/scala/org/combinators/websecbench/processing/AttachDirectoryName.scala
index 3aa7da7..8a11351 100644
--- a/src/main/scala/org/combinators/websecbench/processing/AttachDirectoryName.scala
+++ b/src/main/scala/org/combinators/websecbench/processing/AttachDirectoryName.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/processing/CreateSQLQuery1.scala b/src/main/scala/org/combinators/websecbench/processing/CreateSQLQuery1.scala
index 109a546..8c90bd2 100644
--- a/src/main/scala/org/combinators/websecbench/processing/CreateSQLQuery1.scala
+++ b/src/main/scala/org/combinators/websecbench/processing/CreateSQLQuery1.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/processing/ReplaceFilenameWithStaticString.scala b/src/main/scala/org/combinators/websecbench/processing/ReplaceFilenameWithStaticString.scala
index 71b5de3..cfd5c12 100644
--- a/src/main/scala/org/combinators/websecbench/processing/ReplaceFilenameWithStaticString.scala
+++ b/src/main/scala/org/combinators/websecbench/processing/ReplaceFilenameWithStaticString.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/processing/URLDecoder.scala b/src/main/scala/org/combinators/websecbench/processing/URLDecoder.scala
index aa7d03b..8981c32 100644
--- a/src/main/scala/org/combinators/websecbench/processing/URLDecoder.scala
+++ b/src/main/scala/org/combinators/websecbench/processing/URLDecoder.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/processing/package.scala b/src/main/scala/org/combinators/websecbench/processing/package.scala
index 3c75bc5..c0f2acc 100644
--- a/src/main/scala/org/combinators/websecbench/processing/package.scala
+++ b/src/main/scala/org/combinators/websecbench/processing/package.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/request/GetCookie.scala b/src/main/scala/org/combinators/websecbench/request/GetCookie.scala
index cb25ce5..2b00979 100644
--- a/src/main/scala/org/combinators/websecbench/request/GetCookie.scala
+++ b/src/main/scala/org/combinators/websecbench/request/GetCookie.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/request/GetHeader.scala b/src/main/scala/org/combinators/websecbench/request/GetHeader.scala
index 62955c1..b5ecc08 100644
--- a/src/main/scala/org/combinators/websecbench/request/GetHeader.scala
+++ b/src/main/scala/org/combinators/websecbench/request/GetHeader.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/request/SemanticTypes.scala b/src/main/scala/org/combinators/websecbench/request/SemanticTypes.scala
index ed928bc..6af63a3 100644
--- a/src/main/scala/org/combinators/websecbench/request/SemanticTypes.scala
+++ b/src/main/scala/org/combinators/websecbench/request/SemanticTypes.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/src/main/scala/org/combinators/websecbench/request/package.scala b/src/main/scala/org/combinators/websecbench/request/package.scala
index 91e4093..ecaa4e2 100644
--- a/src/main/scala/org/combinators/websecbench/request/package.scala
+++ b/src/main/scala/org/combinators/websecbench/request/package.scala
@@ -1,6 +1,6 @@
 /*
  * Websecbench is a suite of web security benchmarks generated by (CL)S.
- * Copyright (C) 2020 Jan Bessai and Malte Mues
+ * Copyright (C) 2021 Jan Bessai and Malte Mues
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
From 973dce486fb82dc92b2180f6974782b75fbb9a2b Mon Sep 17 00:00:00 2001
From: Jan Bessai Date: Mon, 8 Feb 2021 06:06:59 +0100 Subject: [PATCH 3/9] Make formating consistent using scalafmt --- .../websecbench/CodeGenerator.scala | 42 +++--- .../websecbench/InhabitationController.scala | 132 +++++++++++------- .../combinators/websecbench/MetaData.scala | 2 +- .../combinators/websecbench/Repository.scala | 19 ++- .../websecbench/SemanticTypes.scala | 3 +- .../websecbench/TaggedComponent.scala | 4 +- .../ReadFromDatabase.scala | 25 ++-- .../databaseinteraction/package.scala | 2 +- .../iointeraction/CloseInputStream.scala | 42 +++--- .../iointeraction/CloseOutputStream.scala | 35 +++-- .../iointeraction/CreateFileInputStream.scala | 29 ++-- .../CreateFileOutputStream.scala | 31 ++-- .../iointeraction/ReadFromInputStream.scala | 20 ++- .../processing/AttachDirectoryName.scala | 17 ++- .../processing/CreateSQLQuery1.scala | 16 ++- .../ReplaceFilenameWithStaticString.scala | 19 ++- .../websecbench/processing/URLDecoder.scala | 16 ++- .../websecbench/request/GetCookie.scala | 18 ++- .../websecbench/request/GetHeader.scala | 24 +++- 19 files changed, 322 insertions(+), 174 deletions(-)
diff --git a/src/main/scala/org/combinators/websecbench/CodeGenerator.scala b/src/main/scala/org/combinators/websecbench/CodeGenerator.scala
index 7ec4987..489438f 100644
--- a/src/main/scala/org/combinators/websecbench/CodeGenerator.scala
+++ b/src/main/scala/org/combinators/websecbench/CodeGenerator.scala
@@ -29,16 +29,15 @@ import org.combinators.templating.persistable.{JavaPersistable, Persistable} import org.combinators.templating.twirl.Java case class CodeGenerator[NodeType]( - methods: List[MethodDeclaration], - currentNode: NodeType, - toMethodBody: NodeType => Seq[Statement], - unitTests : Seq[CompilationUnit], - metaData: Seq[MetaData], - sourceData: Seq[TaintSource] + methods: List[MethodDeclaration], + currentNode: NodeType, + toMethodBody: NodeType => Seq[Statement], + unitTests: Seq[CompilationUnit], + metaData: Seq[MetaData], + sourceData: Seq[TaintSource] ) { def toCode(benchmarkName: String): CompilationUnit = { - Java( - s""" + Java(s""" |import javax.servlet.http.HttpServlet; |import javax.servlet.http.HttpServletRequest; |import javax.servlet.http.HttpServletResponse; @@ -58,16 +57,17 @@ case class CodeGenerator[NodeType]( } def vulnerabilityReport(benchmarkName: String): String = { - metaData.map(n =>{ - n.getTaintSources.intersect(sourceData).isEmpty match { - case true => n.makeSafe.toReportElement(benchmarkName) - case false => n.toReportElement(benchmarkName) - } - }).mkString("\n") + metaData + .map(n => { + n.getTaintSources.intersect(sourceData).isEmpty match { + case true => n.makeSafe.toReportElement(benchmarkName) + case false => n.toReportElement(benchmarkName) + } + }) + .mkString("\n") } } - object CodeGenerator { def requestExpr: Expression = Java(s"request").expression() @@ -75,9 +75,9 @@ object CodeGenerator { def responseExpr: Expression = Java(s"response").expression() - - - def compilationUnitPersistable[A](benchmarkName: String)(implicit javaPersistable: Persistable.Aux[CompilationUnit]): Persistable.Aux[CodeGenerator[A]] = + def compilationUnitPersistable[A](benchmarkName: String)( + implicit javaPersistable: Persistable.Aux[CompilationUnit] + ): Persistable.Aux[CodeGenerator[A]] = new Persistable { type T = CodeGenerator[A] def rawText(elem: CodeGenerator[A]) = 
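Review bot: `vulnerabilityReport` (second hunk of this file) still chooses between `makeSafe` and the plain report by matching on a `Boolean` (`isEmpty match { case true => ... case false => ... }`), which scalafmt reformats but does not simplify; an `if`/`else` states the same choice directly: `if (n.getTaintSources.intersect(sourceData).isEmpty) n.makeSafe.toReportElement(benchmarkName) else n.toReportElement(benchmarkName)`. The braces around the single-expression lambda `n => { ... }` can go at the same time. The method also deserves a one-line Scaladoc, since the rule is not obvious from the name: `/** One report element per metadata entry; an entry whose taint sources do not overlap `sourceData` is rendered in its safe form. */`. The `case class CodeGenerator` header is inside the first hunk, but its body continues outside it.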
@@ -87,13 +87,15 @@ object CodeGenerator { javaPersistable.path(elem.toCode(benchmarkName)) } - def vulnerabilityReportPersistable[A](benchmarkName: String): Persistable.Aux[CodeGenerator[A]] = + def vulnerabilityReportPersistable[A]( + benchmarkName: String + ): Persistable.Aux[CodeGenerator[A]] = new Persistable { type T = CodeGenerator[A] def rawText(elem: CodeGenerator[A]): Array[Byte] = elem.vulnerabilityReport(benchmarkName).getBytes(StandardCharsets.UTF_8) - def path(elem: CodeGenerator[A]): Path = + def path(elem: CodeGenerator[A]): Path = Paths.get(".", "src", "main", "reports", s"$benchmarkName.xml") } } diff --git a/src/main/scala/org/combinators/websecbench/InhabitationController.scala b/src/main/scala/org/combinators/websecbench/InhabitationController.scala index 1f68856..ac61c74 100644 --- a/src/main/scala/org/combinators/websecbench/InhabitationController.scala +++ b/src/main/scala/org/combinators/websecbench/InhabitationController.scala 
@@ -24,31 +24,47 @@ import cats.effect.{ExitCode, IO, IOApp} import com.github.javaparser.ast.expr.Expression import org.combinators.templating.persistable.JavaPersistable._ import org.combinators.cls.types.Type -import org.combinators.jgitserv.{BranchTransaction, GitService, ResourcePersistable} +import org.combinators.jgitserv.{ + BranchTransaction, + GitService, + ResourcePersistable +} import org.combinators.templating.persistable.BundledResource import org.combinators.websecbench.SemanticTypes.JavaVoid import org.eclipse.jgit.lib.BranchConfig case class BenchmarkSelector( - tags: Set[ComponentTag], - targetType: Type, - maximalNumberOfResults: Int + tags: Set[ComponentTag], + targetType: Type, + maximalNumberOfResults: Int ) class BenchmarkController( - selectedBenchmarks: Set[BenchmarkSelector], - benchmarkName: String, - shuffleSolutions: Boolean = true, - port: Int = 9000) extends IOApp { + selectedBenchmarks: Set[BenchmarkSelector], + benchmarkName: String, + shuffleSolutions: Boolean = true, + port: Int = 9000 +) extends IOApp { lazy val buildDotSbt: BundledResource = BundledResource("/build.sbt", Paths.get("build.sbt"), getClass) lazy val owaspUtils: BundledResource = - BundledResource("/org/owasp/benchmark/helpers/Utils.java", - Paths.get("src", "main", "java", "org", "owasp", "benchmark", "helpers", "Utils.java"), - getClass) + BundledResource( + "/org/owasp/benchmark/helpers/Utils.java", + Paths.get( + "src", + "main", + "java", + "org", + "owasp", + "benchmark", + "helpers", + "Utils.java" + ), + getClass + ) lazy val storeResource = ResourcePersistable.apply - + lazy val emptyBenchmark: BranchTransaction = BranchTransaction .empty(benchmarkName) 
@@ -58,32 +74,39 @@ class BenchmarkController( lazy val numberFormat: String = { val maxBenchmarks = selectedBenchmarks.map(_.maximalNumberOfResults).sum - s"%0${maxBenchmarks.toString.length}d" + s"%0${maxBenchmarks.toString.length}d" } - def transactionFor(benchmarkSelector: BenchmarkSelector): Seq[Int => BranchTransaction] = { + def transactionFor( + benchmarkSelector: BenchmarkSelector + ): Seq[Int => BranchTransaction] = { val Gamma = Repository.repository(benchmarkSelector.tags) - val results = Gamma.inhabit[CodeGenerator[Expression]](benchmarkSelector.targetType) - val toStore = results.size.map(s => - Math.min(benchmarkSelector.maximalNumberOfResults, s.toInt) - ).getOrElse(benchmarkSelector.maximalNumberOfResults) + val results = + Gamma.inhabit[CodeGenerator[Expression]](benchmarkSelector.targetType) + val toStore = results.size + .map(s => Math.min(benchmarkSelector.maximalNumberOfResults, s.toInt)) + .getOrElse(benchmarkSelector.maximalNumberOfResults) - (0 until toStore).foldLeft(Seq.empty[Int => BranchTransaction]) { case (transactions, resultNumber) => - val nextTransaction = (nextNumber : Int) => { - val currentName = s"%s_$numberFormat".format(benchmarkName, nextNumber) - val storeCompilationUnit = CodeGenerator.compilationUnitPersistable[Expression](currentName) - val storeVulnerabilityReport = CodeGenerator.vulnerabilityReportPersistable[Expression](currentName) - val result = results.interpretedTerms.index(BigInt(resultNumber)) - BranchTransaction - .checkout(benchmarkName) - .persist(result)(storeCompilationUnit) - .persist(result)(storeVulnerabilityReport) - .commit(s"Add benchmark ${currentName}") - } - nextTransaction +: transactions + (0 until toStore).foldLeft(Seq.empty[Int => BranchTransaction]) { + case (transactions, resultNumber) => + val nextTransaction = (nextNumber: Int) => { + val currentName = + s"%s_$numberFormat".format(benchmarkName, nextNumber) + val storeCompilationUnit = + 
CodeGenerator.compilationUnitPersistable[Expression](currentName) + val storeVulnerabilityReport = CodeGenerator + .vulnerabilityReportPersistable[Expression](currentName) + val result = results.interpretedTerms.index(BigInt(resultNumber)) + BranchTransaction + .checkout(benchmarkName) + .persist(result)(storeCompilationUnit) + .persist(result)(storeVulnerabilityReport) + .commit(s"Add benchmark ${currentName}") + } + nextTransaction +: transactions } } - + def computeTransactions: Seq[BranchTransaction] = { val transactions = selectedBenchmarks.toSeq.flatMap(transactionFor) @@ -91,37 +114,38 @@ class BenchmarkController( if (shuffleSolutions) scala.util.Random.shuffle(transactions) else transactions emptyBenchmark +: - suffledTransactions - .zipWithIndex - .map { case (transaction, number) => transaction(number) } + suffledTransactions.zipWithIndex + .map { case (transaction, number) => transaction(number) } } def run(args: List[String]): IO[ExitCode] = { for { _ <- IO { println(s"Computing solutions") } transactions = computeTransactions - _ <- IO { println(s"Use: git clone http://127.0.0.1:${port}/$benchmarkName $benchmarkName") } + _ <- IO { + println( + s"Use: git clone http://127.0.0.1:${port}/$benchmarkName $benchmarkName" + ) + } exitCode <- new GitService(transactions, benchmarkName, port).run(args) } yield exitCode } } object Benchmark42 - extends BenchmarkController( - Set( - BenchmarkSelector( - tags = Set( - ComponentTag.FileIO, - ComponentTag.Process, - ComponentTag.ReadFromRequest, - ComponentTag.DatabaseIO - ), - targetType = JavaVoid, - maximalNumberOfResults = 100 - ) - ), - benchmarkName = "benchmark42", - shuffleSolutions = false - ) - - + extends BenchmarkController( + Set( + BenchmarkSelector( + tags = Set( + ComponentTag.FileIO, + ComponentTag.Process, + ComponentTag.ReadFromRequest, + ComponentTag.DatabaseIO + ), + targetType = JavaVoid, + maximalNumberOfResults = 100 + ) + ), + benchmarkName = "benchmark42", + shuffleSolutions = false + ) 
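Review bot: In `transactionFor`, `toStore` is derived from `Math.min(benchmarkSelector.maximalNumberOfResults, s.toInt)`; the result is later indexed with `BigInt(resultNumber)`, so `s` is presumably a `BigInt` as well, and `BigInt.toInt` wraps instead of saturating, which means a large finite result count can make `toStore` negative, `(0 until toStore)` empty, and the selector silently produce no transactions. Narrowing after the comparison avoids that: `.map(s => s.min(BigInt(benchmarkSelector.maximalNumberOfResults)).toInt)`. A short Scaladoc on `transactionFor` would also help, stating that each returned function takes the benchmark's sequence number (used to build `currentName`) rather than the inhabitation index captured in `resultNumber`. The enclosing class begins outside the hunk.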
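Review bot: `run` prints a clone URL fixed to `127.0.0.1`, but the address the server actually binds is decided inside `GitService`, which is not visible in this hunk; if that service listens on all interfaces, the repository of generated benchmark programs (several of which this patch tags as vulnerable, e.g. `SQLInjectionVulnerability(true)`) is reachable from beyond the local machine while the message suggests it is local only. A class-level Scaladoc on `BenchmarkController` should state what is served, on which `port`, and that the printed host is only the suggested client address, so the assumption is at least explicit. Separately, `s"Computing solutions"` interpolates nothing and can be the plain literal `"Computing solutions"`.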
diff --git a/src/main/scala/org/combinators/websecbench/MetaData.scala b/src/main/scala/org/combinators/websecbench/MetaData.scala index 1dd13ae..e6cbc03 100644 --- a/src/main/scala/org/combinators/websecbench/MetaData.scala +++ b/src/main/scala/org/combinators/websecbench/MetaData.scala @@ -23,7 +23,7 @@ trait MetaData { def toReportElement(testNumber: String): String def getTaintSources: Seq[TaintSource] - def makeSafe:MetaData + def makeSafe: MetaData } case class PathTraversalVulnerability(isVulnerable: Boolean) extends MetaData { diff --git a/src/main/scala/org/combinators/websecbench/Repository.scala b/src/main/scala/org/combinators/websecbench/Repository.scala index b9d0554..8fd32a5 100644 --- a/src/main/scala/org/combinators/websecbench/Repository.scala +++ b/src/main/scala/org/combinators/websecbench/Repository.scala @@ -23,7 +23,6 @@ import com.github.javaparser.ast.expr.Expression import org.combinators.cls.interpreter.{InhabitationResult, ReflectedRepository} import org.combinators.cls.types.Type - object Repository { val components: Seq[TaggedComponent] = Seq( @@ -33,11 +32,21 @@ object Repository { databaseinteraction.components ).flatten - def repository(componentTags: Set[ComponentTag]): ReflectedRepository[Repository.type] = { - val selectedComponents = components.filter(comp => comp.tags.intersect(componentTags).nonEmpty) + def repository( + componentTags: Set[ComponentTag] + ): ReflectedRepository[Repository.type] = { + val selectedComponents = + components.filter(comp => comp.tags.intersect(componentTags).nonEmpty) - selectedComponents.foldLeft(ReflectedRepository(this, classLoader = getClass.getClassLoader,substitutionSpace = SemanticTypes.kinding)) { case (repo, component) => - component.addToRepository(repo) + selectedComponents.foldLeft( + ReflectedRepository( + this, + classLoader = getClass.getClassLoader, + substitutionSpace = SemanticTypes.kinding + ) + ) { + case (repo, component) => + component.addToRepository(repo) } } } 
diff --git a/src/main/scala/org/combinators/websecbench/SemanticTypes.scala b/src/main/scala/org/combinators/websecbench/SemanticTypes.scala index d45fa04..0de289c 100644 --- a/src/main/scala/org/combinators/websecbench/SemanticTypes.scala +++ b/src/main/scala/org/combinators/websecbench/SemanticTypes.scala @@ -33,7 +33,6 @@ object SemanticTypes { val Encoded: Type = Constructor("Encoded") val JavaSQL: Type = Constructor("JavaSQL"); - val UsageStatus: Variable= Variable("streamStatus") + val UsageStatus: Variable = Variable("streamStatus") val kinding = Kinding(UsageStatus).addOption(Used).addOption(Unused) } - diff --git a/src/main/scala/org/combinators/websecbench/TaggedComponent.scala b/src/main/scala/org/combinators/websecbench/TaggedComponent.scala index 3f0f9b3..9497bcf 100644 --- a/src/main/scala/org/combinators/websecbench/TaggedComponent.scala +++ b/src/main/scala/org/combinators/websecbench/TaggedComponent.scala @@ -23,5 +23,7 @@ import org.combinators.cls.interpreter.ReflectedRepository trait TaggedComponent { val tags: Set[ComponentTag] - def addToRepository(repository: ReflectedRepository[Repository.type]): ReflectedRepository[Repository.type] + def addToRepository( + repository: ReflectedRepository[Repository.type] + ): ReflectedRepository[Repository.type] } diff --git a/src/main/scala/org/combinators/websecbench/databaseinteraction/ReadFromDatabase.scala b/src/main/scala/org/combinators/websecbench/databaseinteraction/ReadFromDatabase.scala index e32b339..3370115 100644 --- a/src/main/scala/org/combinators/websecbench/databaseinteraction/ReadFromDatabase.scala +++ b/src/main/scala/org/combinators/websecbench/databaseinteraction/ReadFromDatabase.scala 
@@ -23,17 +23,21 @@ import com.github.javaparser.ast.body.MethodDeclaration import com.github.javaparser.ast.expr.Expression import org.combinators.cls.interpreter.ReflectedRepository import org.combinators.templating.twirl.Java -import org.combinators.websecbench.{CodeGenerator, ComponentTag, Repository, SQLInjectionVulnerability, TaggedComponent} +import org.combinators.websecbench.{ + CodeGenerator, + ComponentTag, + Repository, + SQLInjectionVulnerability, + TaggedComponent +} import org.combinators.websecbench.SemanticTypes.{JavaSQL, JavaString, JavaVoid} import org.combinators.cls.types.syntax._ -object ReadFromDatabase extends TaggedComponent{ +object ReadFromDatabase extends TaggedComponent { override val tags: Set[ComponentTag] = Set(ComponentTag.DatabaseIO) - val readFromDatabase: MethodDeclaration = { - Java( - s""" + Java(s""" |private void readFromDatabase(String sql, HttpServletResponse response) { | try { | java.sql.Connection connection = org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection(); @@ -53,12 +57,15 @@ object ReadFromDatabase extends TaggedComponent{ def apply(sql: CodeGenerator[Expression]): CodeGenerator[Expression] = { sql.copy( methods = readFromDatabase +: sql.methods, - currentNode = Java(s"readFromDatabase(${sql.currentNode}, ${CodeGenerator.responseExpr})").expression[Expression](), + currentNode = Java( + s"readFromDatabase(${sql.currentNode}, ${CodeGenerator.responseExpr})" + ).expression[Expression](), metaData = sql.metaData :+ SQLInjectionVulnerability(true) - ) + ) } val semanticType = JavaSQL :&: JavaString =>: JavaVoid - override def addToRepository(repository: ReflectedRepository[Repository.type]) - : ReflectedRepository[Repository.type] = repository.addCombinator(this) + override def addToRepository( + repository: ReflectedRepository[Repository.type] + ): ReflectedRepository[Repository.type] = repository.addCombinator(this) } 
diff --git a/src/main/scala/org/combinators/websecbench/databaseinteraction/package.scala b/src/main/scala/org/combinators/websecbench/databaseinteraction/package.scala index 244e273..623c1a1 100644 --- a/src/main/scala/org/combinators/websecbench/databaseinteraction/package.scala +++ b/src/main/scala/org/combinators/websecbench/databaseinteraction/package.scala @@ -23,5 +23,5 @@ package object databaseinteraction { val components: Seq[TaggedComponent] = Seq( ReadFromDatabase - ) + ) } diff --git a/src/main/scala/org/combinators/websecbench/iointeraction/CloseInputStream.scala b/src/main/scala/org/combinators/websecbench/iointeraction/CloseInputStream.scala index ae347e5..d9907f9 100644 --- a/src/main/scala/org/combinators/websecbench/iointeraction/CloseInputStream.scala +++ b/src/main/scala/org/combinators/websecbench/iointeraction/CloseInputStream.scala @@ -23,17 +23,21 @@ import com.github.javaparser.ast.body.MethodDeclaration import com.github.javaparser.ast.expr.Expression import org.combinators.cls.interpreter.ReflectedRepository import org.combinators.templating.twirl.Java -import org.combinators.websecbench.{CodeGenerator, ComponentTag, Repository, TaggedComponent} +import org.combinators.websecbench.{ + CodeGenerator, + ComponentTag, + Repository, + TaggedComponent +} import org.combinators.websecbench.SemanticTypes.JavaInputStream import org.combinators.websecbench.SemanticTypes.JavaVoid -import org.combinators.websecbench.SemanticTypes.{Used, Unused, UsageStatus} +import org.combinators.websecbench.SemanticTypes.{Unused, UsageStatus, Used} import org.combinators.cls.types.syntax._ object CloseInputStream extends TaggedComponent { - val tags = Set(ComponentTag.FileIO) - val closeInputStream: MethodDeclaration = { - Java( - s""" + val tags = Set(ComponentTag.FileIO) + val closeInputStream: MethodDeclaration = { + Java(s""" |private void closeInputStream(java.io.InputStream is) { | try { | if(is != null) { 
@@ -44,17 +48,23 @@ object CloseInputStream extends TaggedComponent { | } |} |""".stripMargin).methodDeclarations().head - } + } - def apply(inputStreamGenerator: CodeGenerator[Expression]): CodeGenerator[Expression] = { - inputStreamGenerator.copy( - methods = closeInputStream +: inputStreamGenerator.methods, - currentNode = Java(s"closeInputStream(${inputStreamGenerator.currentNode})").expression[Expression]() - ) - } + def apply( + inputStreamGenerator: CodeGenerator[Expression] + ): CodeGenerator[Expression] = { + inputStreamGenerator.copy( + methods = closeInputStream +: inputStreamGenerator.methods, + currentNode = Java( + s"closeInputStream(${inputStreamGenerator.currentNode})" + ).expression[Expression]() + ) + } - val semanticType = JavaInputStream(Used) =>: JavaVoid + val semanticType = JavaInputStream(Used) =>: JavaVoid - def addToRepository(repository: ReflectedRepository[Repository.type]): ReflectedRepository[Repository.type] = - repository.addCombinator(this) + def addToRepository( + repository: ReflectedRepository[Repository.type] + ): ReflectedRepository[Repository.type] = + repository.addCombinator(this) } diff --git a/src/main/scala/org/combinators/websecbench/iointeraction/CloseOutputStream.scala b/src/main/scala/org/combinators/websecbench/iointeraction/CloseOutputStream.scala index 84eedd9..1c02be4 100644 --- a/src/main/scala/org/combinators/websecbench/iointeraction/CloseOutputStream.scala +++ b/src/main/scala/org/combinators/websecbench/iointeraction/CloseOutputStream.scala 
@@ -23,14 +23,23 @@ import com.github.javaparser.ast.expr.Expression import org.combinators.cls.interpreter.ReflectedRepository import org.combinators.cls.types.syntax._ import org.combinators.templating.twirl.Java -import org.combinators.websecbench.{CodeGenerator, ComponentTag, Repository, TaggedComponent} -import org.combinators.websecbench.SemanticTypes.{JavaOutputStream, JavaVoid, Unused, UsageStatus} +import org.combinators.websecbench.{ + CodeGenerator, + ComponentTag, + Repository, + TaggedComponent +} +import org.combinators.websecbench.SemanticTypes.{ + JavaOutputStream, + JavaVoid, + Unused, + UsageStatus +} object CloseOutputStream extends TaggedComponent { val tags = Set(ComponentTag.FileIO) val closeInputStream: MethodDeclaration = { - Java( - s""" + Java(s""" |private void closeOutputStream(java.io.OutputStream os) { | try { | if(os != null) { @@ -43,15 +52,21 @@ object CloseOutputStream extends TaggedComponent { |""".stripMargin).methodDeclarations().head } - def apply(inputStreamGenerator: CodeGenerator[Expression]): CodeGenerator[Expression] = { + def apply( + inputStreamGenerator: CodeGenerator[Expression] + ): CodeGenerator[Expression] = { inputStreamGenerator.copy( methods = closeInputStream +: inputStreamGenerator.methods, - currentNode = Java(s"closeOutputStream(${inputStreamGenerator.currentNode})").expression[Expression]() - ) + currentNode = Java( + s"closeOutputStream(${inputStreamGenerator.currentNode})" + ).expression[Expression]() + ) } - - val semanticType = JavaOutputStream(UsageStatus) =>: JavaVoid - def addToRepository(repository: ReflectedRepository[Repository.type]): ReflectedRepository[Repository.type] = + val semanticType = JavaOutputStream(UsageStatus) =>: JavaVoid + + def addToRepository( + repository: ReflectedRepository[Repository.type] + ): ReflectedRepository[Repository.type] = repository.addCombinator(this) } 
diff --git a/src/main/scala/org/combinators/websecbench/iointeraction/CreateFileInputStream.scala b/src/main/scala/org/combinators/websecbench/iointeraction/CreateFileInputStream.scala index 56716a9..fcefada 100644 --- a/src/main/scala/org/combinators/websecbench/iointeraction/CreateFileInputStream.scala +++ b/src/main/scala/org/combinators/websecbench/iointeraction/CreateFileInputStream.scala @@ -24,15 +24,24 @@ import com.github.javaparser.ast.expr.Expression import org.combinators.cls.interpreter.ReflectedRepository import org.combinators.cls.types.syntax._ import org.combinators.templating.twirl.Java -import org.combinators.websecbench.{CodeGenerator, ComponentTag, PathTraversalVulnerability, Repository, TaggedComponent} -import org.combinators.websecbench.SemanticTypes.{JavaFilename, JavaInputStream, Unused} +import org.combinators.websecbench.{ + CodeGenerator, + ComponentTag, + PathTraversalVulnerability, + Repository, + TaggedComponent +} +import org.combinators.websecbench.SemanticTypes.{ + JavaFilename, + JavaInputStream, + Unused +} object CreateFileInputStream extends TaggedComponent { val tags = Set(ComponentTag.FileIO) val createFileInputStream: MethodDeclaration = { - Java( - s""" + Java(s""" |public java.io.InputStream openFileInputStream(String filename, HttpServletResponse response) throws java.io.IOException { | try { | java.io.FileInputStream fis = null; 
@@ -56,13 +65,17 @@ object CreateFileInputStream extends TaggedComponent { def apply(fileName: CodeGenerator[Expression]): CodeGenerator[Expression] = { fileName.copy( methods = createFileInputStream +: fileName.methods, - currentNode = Java(s"openFileInputStream(${fileName.currentNode}, ${CodeGenerator.responseExpr})").expression[Expression](), - metaData = fileName.metaData :+ PathTraversalVulnerability(true) - ) + currentNode = Java( + s"openFileInputStream(${fileName.currentNode}, ${CodeGenerator.responseExpr})" + ).expression[Expression](), + metaData = fileName.metaData :+ PathTraversalVulnerability(true) + ) } val semanticType = JavaFilename =>: JavaInputStream(Unused) - def addToRepository(repository: ReflectedRepository[Repository.type]): ReflectedRepository[Repository.type] = + def addToRepository( + repository: ReflectedRepository[Repository.type] + ): ReflectedRepository[Repository.type] = repository.addCombinator(this) } diff --git a/src/main/scala/org/combinators/websecbench/iointeraction/CreateFileOutputStream.scala b/src/main/scala/org/combinators/websecbench/iointeraction/CreateFileOutputStream.scala index 8b11275..49adcc3 100644 --- a/src/main/scala/org/combinators/websecbench/iointeraction/CreateFileOutputStream.scala +++ b/src/main/scala/org/combinators/websecbench/iointeraction/CreateFileOutputStream.scala 
@@ -24,15 +24,24 @@ import com.github.javaparser.ast.expr.Expression import org.combinators.cls.interpreter.ReflectedRepository import org.combinators.cls.types.syntax._ import org.combinators.templating.twirl.Java -import org.combinators.websecbench.{CodeGenerator, ComponentTag, PathTraversalVulnerability, Repository, TaggedComponent} -import org.combinators.websecbench.SemanticTypes.{JavaFilename, JavaOutputStream, Unused} +import org.combinators.websecbench.{ + CodeGenerator, + ComponentTag, + PathTraversalVulnerability, + Repository, + TaggedComponent +} +import org.combinators.websecbench.SemanticTypes.{ + JavaFilename, + JavaOutputStream, + Unused +} -object CreateFileOutputStream extends TaggedComponent{ +object CreateFileOutputStream extends TaggedComponent { val tags = Set(ComponentTag.FileIO) val createFileInputStream: MethodDeclaration = { - Java( - s""" + Java(s""" |public java.io.FileOutputStream openFileOutputStream(String fileName, HttpServletResponse response) throws java.io.IOException { | java.io.FileOutputStream fos = null; | try { 
@@ -53,13 +62,17 @@ object CreateFileOutputStream extends TaggedComponent{ def apply(fileName: CodeGenerator[Expression]): CodeGenerator[Expression] = { fileName.copy( methods = createFileInputStream +: fileName.methods, - currentNode = Java(s"openFileOutputStream(${fileName.currentNode}, ${CodeGenerator.responseExpr})").expression[Expression](), - metaData = fileName.metaData :+ PathTraversalVulnerability(true) - ) + currentNode = Java( + s"openFileOutputStream(${fileName.currentNode}, ${CodeGenerator.responseExpr})" + ).expression[Expression](), + metaData = fileName.metaData :+ PathTraversalVulnerability(true) + ) } val semanticType = JavaFilename =>: JavaOutputStream(Unused) - def addToRepository(repository: ReflectedRepository[Repository.type]): ReflectedRepository[Repository.type] = + def addToRepository( + repository: ReflectedRepository[Repository.type] + ): ReflectedRepository[Repository.type] = repository.addCombinator(this) } diff --git a/src/main/scala/org/combinators/websecbench/iointeraction/ReadFromInputStream.scala b/src/main/scala/org/combinators/websecbench/iointeraction/ReadFromInputStream.scala index d7c51d2..0ff1909 100644 --- a/src/main/scala/org/combinators/websecbench/iointeraction/ReadFromInputStream.scala +++ b/src/main/scala/org/combinators/websecbench/iointeraction/ReadFromInputStream.scala 
@@ -24,17 +24,21 @@ import com.github.javaparser.ast.expr.Expression import org.combinators.cls.interpreter.ReflectedRepository import org.combinators.cls.types.Type import org.combinators.templating.twirl.Java -import org.combinators.websecbench.{CodeGenerator, ComponentTag, Repository, TaggedComponent} +import org.combinators.websecbench.{ + CodeGenerator, + ComponentTag, + Repository, + TaggedComponent +} import org.combinators.websecbench.SemanticTypes.JavaInputStream -import org.combinators.websecbench.SemanticTypes.{Used, Unused} +import org.combinators.websecbench.SemanticTypes.{Unused, Used} import org.combinators.cls.types.syntax._ object ReadFromInputStream extends TaggedComponent { val tags = Set(ComponentTag.FileIO) val readFromInputStream: MethodDeclaration = { - Java( - s""" + Java(s""" |private java.io.InputStream readFromInputStream(java.io.InputStream is, HttpServletResponse response) throws java.io.IOException { | try { | byte[] b = new byte[1000]; @@ -61,12 +65,16 @@ object ReadFromInputStream extends TaggedComponent { def apply(fileName: CodeGenerator[Expression]): CodeGenerator[Expression] = { fileName.copy( methods = readFromInputStream +: fileName.methods, - currentNode = Java(s"readFromInputStream(${fileName.currentNode}, ${CodeGenerator.responseExpr})").expression() + currentNode = Java( + s"readFromInputStream(${fileName.currentNode}, ${CodeGenerator.responseExpr})" + ).expression() ) } val semanticType: Type = JavaInputStream(Unused) =>: JavaInputStream(Used) - def addToRepository(repository: ReflectedRepository[Repository.type]): ReflectedRepository[Repository.type] = + def addToRepository( + repository: ReflectedRepository[Repository.type] + ): ReflectedRepository[Repository.type] = repository.addCombinator(this) } diff --git a/src/main/scala/org/combinators/websecbench/processing/AttachDirectoryName.scala b/src/main/scala/org/combinators/websecbench/processing/AttachDirectoryName.scala index 8a11351..c9c6136 100644 
--- a/src/main/scala/org/combinators/websecbench/processing/AttachDirectoryName.scala +++ b/src/main/scala/org/combinators/websecbench/processing/AttachDirectoryName.scala @@ -23,7 +23,12 @@ import com.github.javaparser.ast.body.MethodDeclaration import com.github.javaparser.ast.expr.Expression import org.combinators.cls.interpreter.ReflectedRepository import org.combinators.templating.twirl.Java -import org.combinators.websecbench.{CodeGenerator, ComponentTag, Repository, TaggedComponent} +import org.combinators.websecbench.{ + CodeGenerator, + ComponentTag, + Repository, + TaggedComponent +} import org.combinators.cls.types.syntax._ import org.combinators.websecbench.SemanticTypes._ @@ -31,8 +36,7 @@ object AttachDirectoryName extends TaggedComponent { val tags = Set(ComponentTag.Process) val relativeToBenchmarkDir: MethodDeclaration = { - Java( - s""" + Java(s""" |public String relativeToBenchmarkDir(String filename) { | return org.owasp.benchmark.helpers.Utils.testfileDir + filename; |} @@ -42,12 +46,15 @@ object AttachDirectoryName extends TaggedComponent { def apply(fileName: CodeGenerator[Expression]): CodeGenerator[Expression] = { fileName.copy( methods = relativeToBenchmarkDir +: fileName.methods, - currentNode = Java(s"relativeToBenchmarkDir(${fileName.currentNode})").expression[Expression]() + currentNode = Java(s"relativeToBenchmarkDir(${fileName.currentNode})") + .expression[Expression]() ) } val semanticType = JavaString =>: JavaFilename - def addToRepository(repository: ReflectedRepository[Repository.type]): ReflectedRepository[Repository.type] = + def addToRepository( + repository: ReflectedRepository[Repository.type] + ): ReflectedRepository[Repository.type] = repository.addCombinator(this) } diff --git a/src/main/scala/org/combinators/websecbench/processing/CreateSQLQuery1.scala b/src/main/scala/org/combinators/websecbench/processing/CreateSQLQuery1.scala index 8c90bd2..83d7130 100644 
--- a/src/main/scala/org/combinators/websecbench/processing/CreateSQLQuery1.scala +++ b/src/main/scala/org/combinators/websecbench/processing/CreateSQLQuery1.scala @@ -23,11 +23,17 @@ import com.github.javaparser.ast.body.MethodDeclaration import com.github.javaparser.ast.expr.Expression import org.combinators.cls.interpreter.ReflectedRepository import org.combinators.templating.twirl.Java -import org.combinators.websecbench.{CodeGenerator, ComponentTag, MetaData, PathTraversalVulnerability, Repository, TaggedComponent} +import org.combinators.websecbench.{ + CodeGenerator, + ComponentTag, + MetaData, + PathTraversalVulnerability, + Repository, + TaggedComponent +} import org.combinators.cls.types.syntax._ import org.combinators.websecbench.SemanticTypes._ - object CreateSQLQuery1 extends TaggedComponent { val tags = Set(ComponentTag.Process) @@ -44,13 +50,13 @@ object CreateSQLQuery1 extends TaggedComponent { methods = relativeToBenchmarkDir +: fileName.methods, currentNode = Java(s"createSQLQuery(${fileName.currentNode})") .expression[Expression]() - ) + ) } val semanticType = JavaString :&: Decoded =>: JavaSQL def addToRepository( - repository: ReflectedRepository[Repository.type] - ): ReflectedRepository[Repository.type] = + repository: ReflectedRepository[Repository.type] + ): ReflectedRepository[Repository.type] = repository.addCombinator(this) } diff --git a/src/main/scala/org/combinators/websecbench/processing/ReplaceFilenameWithStaticString.scala b/src/main/scala/org/combinators/websecbench/processing/ReplaceFilenameWithStaticString.scala index cfd5c12..21de8fd 100644 --- a/src/main/scala/org/combinators/websecbench/processing/ReplaceFilenameWithStaticString.scala +++ b/src/main/scala/org/combinators/websecbench/processing/ReplaceFilenameWithStaticString.scala 
@@ -23,11 +23,20 @@ import com.github.javaparser.ast.body.MethodDeclaration import com.github.javaparser.ast.expr.Expression import org.combinators.cls.interpreter.ReflectedRepository import org.combinators.templating.twirl.Java -import org.combinators.websecbench.{CodeGenerator, ComponentTag, MetaData, PathTraversalVulnerability, Repository, StaticString, TaggedComponent, TaintSource, UncheckedString} +import org.combinators.websecbench.{ + CodeGenerator, + ComponentTag, + MetaData, + PathTraversalVulnerability, + Repository, + StaticString, + TaggedComponent, + TaintSource, + UncheckedString +} import org.combinators.cls.types.syntax._ import org.combinators.websecbench.SemanticTypes._ - object ReplaceFilenameWithStaticString extends TaggedComponent { val tags = Set(ComponentTag.Process) @@ -46,9 +55,9 @@ object ReplaceFilenameWithStaticString extends TaggedComponent { methods = relativeToBenchmarkDir +: fileName.methods, currentNode = Java(s"relativeToBenchmarkDir(${fileName.currentNode})") .expression[Expression](), - sourceData = fileName.sourceData.map{ + sourceData = fileName.sourceData.map { case UncheckedString() => StaticString() - case x:TaintSource => x + case x: TaintSource => x } ) } @@ -56,7 +65,7 @@ object ReplaceFilenameWithStaticString extends TaggedComponent { val semanticType = JavaString =>: JavaFilename def addToRepository( - repository: ReflectedRepository[Repository.type] + repository: ReflectedRepository[Repository.type] ): ReflectedRepository[Repository.type] = repository.addCombinator(this) } diff --git a/src/main/scala/org/combinators/websecbench/processing/URLDecoder.scala b/src/main/scala/org/combinators/websecbench/processing/URLDecoder.scala index 8981c32..e3a8ca4 100644 --- a/src/main/scala/org/combinators/websecbench/processing/URLDecoder.scala +++ b/src/main/scala/org/combinators/websecbench/processing/URLDecoder.scala 
@@ -23,11 +23,17 @@ import com.github.javaparser.ast.body.MethodDeclaration import com.github.javaparser.ast.expr.Expression import org.combinators.cls.interpreter.ReflectedRepository import org.combinators.templating.twirl.Java -import org.combinators.websecbench.{CodeGenerator, ComponentTag, MetaData, PathTraversalVulnerability, Repository, TaggedComponent} +import org.combinators.websecbench.{ + CodeGenerator, + ComponentTag, + MetaData, + PathTraversalVulnerability, + Repository, + TaggedComponent +} import org.combinators.cls.types.syntax._ import org.combinators.websecbench.SemanticTypes._ - object URLDecoder extends TaggedComponent { val tags = Set(ComponentTag.Process) @@ -44,13 +50,13 @@ object URLDecoder extends TaggedComponent { methods = relativeToBenchmarkDir +: fileName.methods, currentNode = Java(s"urlDecoding(${fileName.currentNode})") .expression[Expression]() - ) + ) } val semanticType = JavaString :&: Encoded =>: JavaString :&: Decoded def addToRepository( - repository: ReflectedRepository[Repository.type] - ): ReflectedRepository[Repository.type] = + repository: ReflectedRepository[Repository.type] + ): ReflectedRepository[Repository.type] = repository.addCombinator(this) } diff --git a/src/main/scala/org/combinators/websecbench/request/GetCookie.scala b/src/main/scala/org/combinators/websecbench/request/GetCookie.scala index 2b00979..4a0bc19 100644 --- a/src/main/scala/org/combinators/websecbench/request/GetCookie.scala +++ b/src/main/scala/org/combinators/websecbench/request/GetCookie.scala 
@@ -25,7 +25,13 @@ import org.combinators.cls.interpreter.ReflectedRepository import org.combinators.cls.types.Type import org.combinators.cls.types.syntax._ import org.combinators.templating.twirl.Java -import org.combinators.websecbench.{CodeGenerator, ComponentTag, Repository, TaggedComponent, UncheckedString} +import org.combinators.websecbench.{ + CodeGenerator, + ComponentTag, + Repository, + TaggedComponent, + UncheckedString +} import org.combinators.websecbench.SemanticTypes.JavaString import org.combinators.websecbench.request.SemanticTypes._ @@ -33,8 +39,7 @@ object GetCookie extends TaggedComponent { val tags = Set(ComponentTag.ReadFromRequest) val getCookieMethod: MethodDeclaration = { - Java( - s""" + Java(s""" |public String getCookie(HttpServletRequest request) throws IOException { | javax.servlet.http.Cookie[] theCookies = request.getCookies(); | @@ -55,7 +60,8 @@ object GetCookie extends TaggedComponent { def apply(): CodeGenerator[Expression] = { CodeGenerator( methods = List(getCookieMethod), - currentNode = Java(s"getCookie(${CodeGenerator.requestExpr})").expression[Expression](), + currentNode = Java(s"getCookie(${CodeGenerator.requestExpr})") + .expression[Expression](), toMethodBody = expr => Java(s"${expr};").statements(), unitTests = Seq.empty, metaData = Seq.empty, @@ -65,6 +71,8 @@ object GetCookie extends TaggedComponent { val semanticType: Type = RequestContent :&: JavaString - def addToRepository(repository: ReflectedRepository[Repository.type]): ReflectedRepository[Repository.type] = + def addToRepository( + repository: ReflectedRepository[Repository.type] + ): ReflectedRepository[Repository.type] = repository.addCombinator(this) } diff --git a/src/main/scala/org/combinators/websecbench/request/GetHeader.scala b/src/main/scala/org/combinators/websecbench/request/GetHeader.scala index b5ecc08..94cf09a 100644 --- a/src/main/scala/org/combinators/websecbench/request/GetHeader.scala 
+++ b/src/main/scala/org/combinators/websecbench/request/GetHeader.scala @@ -21,7 +21,15 @@ package org.combinators.websecbench.request import com.github.javaparser.ast.expr.Expression import org.combinators.templating.twirl.Java -import org.combinators.websecbench.{CodeGenerator, ComponentTag, PathTraversalVulnerability, Repository, SQLInjectionVulnerability, TaggedComponent, UncheckedString} +import org.combinators.websecbench.{ + CodeGenerator, + ComponentTag, + PathTraversalVulnerability, + Repository, + SQLInjectionVulnerability, + TaggedComponent, + UncheckedString +} import org.combinators.websecbench.SemanticTypes.{Encoded, JavaString} import SemanticTypes._ import com.github.javaparser.ast.body.MethodDeclaration @@ -32,8 +40,7 @@ import org.combinators.cls.types.syntax._ object GetHeader extends TaggedComponent { val tags = Set(ComponentTag.ReadFromRequest) - val getCookieMethod: MethodDeclaration = Java( - s""" + val getCookieMethod: MethodDeclaration = Java(s""" |public String getHeader(HttpServletRequest request) throws IOException { | String param = ""; | if (request.getHeader("BenchmarkTest00008") != null) { @@ -46,16 +53,19 @@ object GetHeader extends TaggedComponent { def apply(): CodeGenerator[Expression] = { CodeGenerator( methods = List(getCookieMethod), - currentNode = Java(s"getHeader(${CodeGenerator.requestExpr})").expression[Expression](), + currentNode = Java(s"getHeader(${CodeGenerator.requestExpr})") + .expression[Expression](), toMethodBody = expr => Java(s"${expr};").statements(), unitTests = Seq.empty, - metaData = Seq.empty, + metaData = Seq.empty, sourceData = Seq(UncheckedString()) - ) + ) } val semanticType: Type = RequestContent :&: JavaString :&: Encoded - def addToRepository(repository: ReflectedRepository[Repository.type]): ReflectedRepository[Repository.type] = + def addToRepository( + repository: ReflectedRepository[Repository.type] + ): ReflectedRepository[Repository.type] = repository.addCombinator(this) } 
From 491c42b1096ea2c2c4335f999df70afb14506c24 Mon Sep 17 00:00:00 2001 From: Jan Bessai Date: Mon, 8 Feb 2021 06:27:13 +0100 Subject: [PATCH 4/9] Improve code using scapegoat suggestions --- build.sbt | 6 +++++- .../combinators/websecbench/CodeGenerator.scala | 2 +- .../websecbench/InhabitationController.scala | 4 ++-- .../org/combinators/websecbench/MetaData.scala | 12 ++++++------ .../ReplaceFilenameWithStaticString.scala | 17 ++++------------- .../websecbench/request/GetCookie.scala | 2 +- .../websecbench/request/GetHeader.scala | 2 +- 7 files changed, 20 insertions(+), 25 deletions(-) diff --git a/build.sbt b/build.sbt index 8b64203..3ae27da 100644 --- a/build.sbt +++ b/build.sbt @@ -41,7 +41,11 @@ lazy val commonSettings = Seq( |Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |""".stripMargin )), - scapegoatVersion in ThisBuild := "1.4.7" + scapegoatVersion in ThisBuild := "1.4.7", + scapegoatDisabledInspections := Seq( + "EmptyInterpolatedString", + "UnsafeTraversableMethods" + ) ) lazy val root = (Project(id = "websecbench", base = file("."))) diff --git a/src/main/scala/org/combinators/websecbench/CodeGenerator.scala b/src/main/scala/org/combinators/websecbench/CodeGenerator.scala index 489438f..cf22c27 100644 --- a/src/main/scala/org/combinators/websecbench/CodeGenerator.scala +++ b/src/main/scala/org/combinators/websecbench/CodeGenerator.scala @@ -28,7 +28,7 @@ import com.github.javaparser.ast.stmt.Statement import org.combinators.templating.persistable.{JavaPersistable, Persistable} import org.combinators.templating.twirl.Java -case class CodeGenerator[NodeType]( +final case class CodeGenerator[NodeType]( methods: List[MethodDeclaration], currentNode: NodeType, toMethodBody: NodeType => Seq[Statement], diff --git a/src/main/scala/org/combinators/websecbench/InhabitationController.scala b/src/main/scala/org/combinators/websecbench/InhabitationController.scala index ac61c74..8ab5b37 100644 
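Review bot: Disabling `UnsafeTraversableMethods` for the whole build silences every `.head`-style call in the project, not just the ones this commit wants to tolerate; the only such sites visible in this series are the `.methodDeclarations().head` calls on the Java templates, and if a template ever fails to parse into a method, that call would presumably surface as a bare `NoSuchElementException` with no hint of which component broke. Prefer keeping the inspection enabled and either annotating those call sites with `@SuppressWarnings(Array("UnsafeTraversableMethods"))` or replacing them with `.methodDeclarations().headOption.getOrElse(sys.error("template produced no method declaration"))` so the failure names its origin. The new `scapegoatDisabledInspections` entry also sits in `commonSettings` while `scapegoatVersion` is scoped `in ThisBuild`; a one-line comment explaining the differing scope would help if that is intentional. The enclosing `commonSettings` sequence starts outside the hunk.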
--- a/src/main/scala/org/combinators/websecbench/InhabitationController.scala +++ b/src/main/scala/org/combinators/websecbench/InhabitationController.scala @@ -33,7 +33,7 @@ import org.combinators.templating.persistable.BundledResource import org.combinators.websecbench.SemanticTypes.JavaVoid import org.eclipse.jgit.lib.BranchConfig -case class BenchmarkSelector( +final case class BenchmarkSelector( tags: Set[ComponentTag], targetType: Type, maximalNumberOfResults: Int @@ -120,7 +120,7 @@ class BenchmarkController( def run(args: List[String]): IO[ExitCode] = { for { - _ <- IO { println(s"Computing solutions") } + _ <- IO { println("Computing solutions") } transactions = computeTransactions _ <- IO { println( diff --git a/src/main/scala/org/combinators/websecbench/MetaData.scala b/src/main/scala/org/combinators/websecbench/MetaData.scala index e6cbc03..cbc0ca4 100644 --- a/src/main/scala/org/combinators/websecbench/MetaData.scala +++ b/src/main/scala/org/combinators/websecbench/MetaData.scala @@ -26,7 +26,7 @@ trait MetaData { def makeSafe: MetaData } -case class PathTraversalVulnerability(isVulnerable: Boolean) extends MetaData { +final case class PathTraversalVulnerability(isVulnerable: Boolean) extends MetaData { def toReportElement(testNumber: String): String = { s""" | @@ -39,12 +39,12 @@ case class PathTraversalVulnerability(isVulnerable: Boolean) extends MetaData { |""".stripMargin } - override def getTaintSources = Seq(UncheckedString()) + override def getTaintSources = Seq(UncheckedString) override def makeSafe: MetaData = PathTraversalVulnerability(false) } -case class SQLInjectionVulnerability(isVulnerable: Boolean) extends MetaData { +final case class SQLInjectionVulnerability(isVulnerable: Boolean) extends MetaData { def toReportElement(testNumber: String): String = { s""" | 
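Review bot: `getTaintSources` on both vulnerability classes is still hard-coded to `Seq(UncheckedString)`, so the reported taint source can never reflect a pipeline in which `ReplaceFilenameWithStaticString` has relabelled the value as `StaticString`; only `isVulnerable` is parametric. If the report is meant to agree with `CodeGenerator.sourceData`, the sources should be derived from it, otherwise the intent should be stated on the override, e.g. `// Sources this sink is sensitive to; actual provenance is tracked in CodeGenerator.sourceData`. The override also lacks the explicit `Seq[TaintSource]` return type that the commit adds elsewhere (`val semanticType: Type`); `override def getTaintSources: Seq[TaintSource] = Seq(UncheckedString)` keeps the public signature visible.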
@@ -57,12 +57,12 @@ case class SQLInjectionVulnerability(isVulnerable: Boolean) extends MetaData { |""".stripMargin } - override def getTaintSources = Seq(UncheckedString()) + override def getTaintSources = Seq(UncheckedString) override def makeSafe: MetaData = SQLInjectionVulnerability(false) } trait TaintSource -case class UncheckedString() extends TaintSource -case class StaticString() extends TaintSource +case object UncheckedString extends TaintSource +case object StaticString extends TaintSource diff --git a/src/main/scala/org/combinators/websecbench/processing/ReplaceFilenameWithStaticString.scala b/src/main/scala/org/combinators/websecbench/processing/ReplaceFilenameWithStaticString.scala index 21de8fd..efa82fb 100644 --- a/src/main/scala/org/combinators/websecbench/processing/ReplaceFilenameWithStaticString.scala +++ b/src/main/scala/org/combinators/websecbench/processing/ReplaceFilenameWithStaticString.scala @@ -22,18 +22,9 @@ package org.combinators.websecbench.processing import com.github.javaparser.ast.body.MethodDeclaration import com.github.javaparser.ast.expr.Expression import org.combinators.cls.interpreter.ReflectedRepository +import org.combinators.cls.types.Type import org.combinators.templating.twirl.Java -import org.combinators.websecbench.{ - CodeGenerator, - ComponentTag, - MetaData, - PathTraversalVulnerability, - Repository, - StaticString, - TaggedComponent, - TaintSource, - UncheckedString -} +import org.combinators.websecbench.{CodeGenerator, ComponentTag, MetaData, PathTraversalVulnerability, Repository, StaticString, TaggedComponent, TaintSource, UncheckedString} import org.combinators.cls.types.syntax._ import org.combinators.websecbench.SemanticTypes._ 
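Review bot: `trait TaintSource` is left unsealed while `UncheckedString` and `StaticString` become case objects, so the match in `ReplaceFilenameWithStaticString` (`case UncheckedString => StaticString` followed by `case x: TaintSource => x`) gets no exhaustiveness checking and any taint source added later is silently passed through unchanged. Change it to `sealed trait TaintSource`; the catch-all can then be written `case other => other` and the compiler will flag a new variant that needs a decision. A short Scaladoc on the trait, such as `/** Provenance of a value reaching a sink: request-derived (UncheckedString) or fixed at generation time (StaticString). */`, would also make the labels' meaning explicit, since they drive the benchmark's true/false-positive reporting.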
@@ -56,13 +47,13 @@ object ReplaceFilenameWithStaticString extends TaggedComponent { currentNode = Java(s"relativeToBenchmarkDir(${fileName.currentNode})") .expression[Expression](), sourceData = fileName.sourceData.map { - case UncheckedString() => StaticString() + case UncheckedString => StaticString case x: TaintSource => x } ) } - val semanticType = JavaString =>: JavaFilename + val semanticType: Type = JavaString =>: JavaFilename def addToRepository( repository: ReflectedRepository[Repository.type] diff --git a/src/main/scala/org/combinators/websecbench/request/GetCookie.scala b/src/main/scala/org/combinators/websecbench/request/GetCookie.scala index 4a0bc19..2e4dd29 100644 --- a/src/main/scala/org/combinators/websecbench/request/GetCookie.scala +++ b/src/main/scala/org/combinators/websecbench/request/GetCookie.scala @@ -65,7 +65,7 @@ object GetCookie extends TaggedComponent { toMethodBody = expr => Java(s"${expr};").statements(), unitTests = Seq.empty, metaData = Seq.empty, - sourceData = Seq(UncheckedString()) + sourceData = Seq(UncheckedString) ) } diff --git a/src/main/scala/org/combinators/websecbench/request/GetHeader.scala b/src/main/scala/org/combinators/websecbench/request/GetHeader.scala index 94cf09a..f18656c 100644 --- a/src/main/scala/org/combinators/websecbench/request/GetHeader.scala +++ b/src/main/scala/org/combinators/websecbench/request/GetHeader.scala @@ -58,7 +58,7 @@ object GetHeader extends TaggedComponent { toMethodBody = expr => Java(s"${expr};").statements(), unitTests = Seq.empty, metaData = Seq.empty, - sourceData = Seq(UncheckedString()) + sourceData = Seq(UncheckedString) ) } From 4fb66a54371415ee1bf4b1ff76a272b7bc4c299c Mon Sep 17 00:00:00 2001 From: Jan Bessai Date: Mon, 8 Feb 2021 07:03:00 +0100 Subject: [PATCH 5/9] More formating adjustments --- .../org/combinators/websecbench/MetaData.scala | 6 ++++-- .../ReplaceFilenameWithStaticString.scala | 14 ++++++++++++-- 2 files changed, 16 insertions(+), 4 deletions(-) 
diff --git a/src/main/scala/org/combinators/websecbench/MetaData.scala b/src/main/scala/org/combinators/websecbench/MetaData.scala index cbc0ca4..ce4361b 100644 --- a/src/main/scala/org/combinators/websecbench/MetaData.scala +++ b/src/main/scala/org/combinators/websecbench/MetaData.scala @@ -26,7 +26,8 @@ trait MetaData { def makeSafe: MetaData } -final case class PathTraversalVulnerability(isVulnerable: Boolean) extends MetaData { +final case class PathTraversalVulnerability(isVulnerable: Boolean) + extends MetaData { def toReportElement(testNumber: String): String = { s""" | @@ -44,7 +45,8 @@ final case class PathTraversalVulnerability(isVulnerable: Boolean) extends MetaD override def makeSafe: MetaData = PathTraversalVulnerability(false) } -final case class SQLInjectionVulnerability(isVulnerable: Boolean) extends MetaData { +final case class SQLInjectionVulnerability(isVulnerable: Boolean) + extends MetaData { def toReportElement(testNumber: String): String = { s""" | diff --git a/src/main/scala/org/combinators/websecbench/processing/ReplaceFilenameWithStaticString.scala b/src/main/scala/org/combinators/websecbench/processing/ReplaceFilenameWithStaticString.scala index efa82fb..1c2b80e 100644 --- a/src/main/scala/org/combinators/websecbench/processing/ReplaceFilenameWithStaticString.scala +++ b/src/main/scala/org/combinators/websecbench/processing/ReplaceFilenameWithStaticString.scala 
@@ -24,7 +24,17 @@ import com.github.javaparser.ast.expr.Expression import org.combinators.cls.interpreter.ReflectedRepository import org.combinators.cls.types.Type import org.combinators.templating.twirl.Java -import org.combinators.websecbench.{CodeGenerator, ComponentTag, MetaData, PathTraversalVulnerability, Repository, StaticString, TaggedComponent, TaintSource, UncheckedString} +import org.combinators.websecbench.{ + CodeGenerator, + ComponentTag, + MetaData, + PathTraversalVulnerability, + Repository, + StaticString, + TaggedComponent, + TaintSource, + UncheckedString +} import org.combinators.cls.types.syntax._ import org.combinators.websecbench.SemanticTypes._ @@ -48,7 +58,7 @@ object ReplaceFilenameWithStaticString extends TaggedComponent { .expression[Expression](), sourceData = fileName.sourceData.map { case UncheckedString => StaticString - case x: TaintSource => x + case x: TaintSource => x } ) } From bb2ca32eb9a7f362fa2df3f90ac4bb7095e16f6f Mon Sep 17 00:00:00 2001 From: Jan Bessai Date: Mon, 8 Feb 2021 07:08:36 +0100 Subject: [PATCH 6/9] Change InhabitationController to write results to disk instead of Git --- build.sbt | 7 ++- .../websecbench/InhabitationController.scala | 51 ++++++++----------- 2 files changed, 25 insertions(+), 33 deletions(-) diff --git a/build.sbt b/build.sbt index 3ae27da..fb27247 100644 --- a/build.sbt +++ b/build.sbt @@ -13,7 +13,8 @@ lazy val commonSettings = Seq( "-unchecked", "-deprecation", "-feature", - "-language:implicitConversions" + "-language:implicitConversions", + "-Ypartial-unification" ), libraryDependencies ++= Seq( @@ -56,7 +57,9 @@ lazy val root = (Project(id = "websecbench", base = file("."))) "org.combinators" %% "cls-scala" % "3.0.0", "org.scalameta" %% "scalameta" % "3.4.0", "org.scalameta" %% "contrib" % "3.4.0", - "org.combinators" %% "jgitserv" % "0.0.1" + "org.combinators" %% "jgitserv" % "0.0.1", + "org.typelevel" %% "cats-core" % "2.3.1", + "org.typelevel" %% "cats-effect" % "2.3.1" ) ) 
diff --git a/src/main/scala/org/combinators/websecbench/InhabitationController.scala b/src/main/scala/org/combinators/websecbench/InhabitationController.scala index 8ab5b37..7b11aa2 100644 --- a/src/main/scala/org/combinators/websecbench/InhabitationController.scala +++ b/src/main/scala/org/combinators/websecbench/InhabitationController.scala @@ -18,20 +18,15 @@ */ package org.combinators.websecbench -import java.nio.file.Paths - +import java.nio.file.{Files, Path, Paths} import cats.effect.{ExitCode, IO, IOApp} +import cats.implicits._ import com.github.javaparser.ast.expr.Expression import org.combinators.templating.persistable.JavaPersistable._ import org.combinators.cls.types.Type -import org.combinators.jgitserv.{ - BranchTransaction, - GitService, - ResourcePersistable -} +import org.combinators.jgitserv.{BranchTransaction, ResourcePersistable} import org.combinators.templating.persistable.BundledResource import org.combinators.websecbench.SemanticTypes.JavaVoid -import org.eclipse.jgit.lib.BranchConfig final case class BenchmarkSelector( tags: Set[ComponentTag], @@ -42,8 +37,8 @@ final case class BenchmarkSelector( class BenchmarkController( selectedBenchmarks: Set[BenchmarkSelector], benchmarkName: String, - shuffleSolutions: Boolean = true, - port: Int = 9000 + targetDirectory: Path, + shuffleSolutions: Boolean = true ) extends IOApp { lazy val buildDotSbt: BundledResource = 
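Review bot: The rewritten import `import org.combinators.jgitserv.{BranchTransaction, ResourcePersistable}` keeps BranchTransaction although the later hunks of this patch replace every `BranchTransaction` type and value in the file with `IO[Unit]`; as far as the hunks show it is now an unused import and a leftover of the Git-based design the commit title says it removes. If no use remains in the parts of the file outside the hunks, trim it to `import org.combinators.jgitserv.ResourcePersistable`.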
@@ -65,12 +60,11 @@ class BenchmarkController( ) lazy val storeResource = ResourcePersistable.apply - lazy val emptyBenchmark: BranchTransaction = - BranchTransaction - .empty(benchmarkName) - .persist(buildDotSbt)(storeResource) - .persist(owaspUtils)(storeResource) - .commit("Add shared resources") + lazy val emptyBenchmark: IO[Unit] = IO { + Files.createDirectories(targetDirectory) + storeResource.persistOverwriting(targetDirectory, buildDotSbt) + storeResource.persistOverwriting(targetDirectory, owaspUtils) + } lazy val numberFormat: String = { val maxBenchmarks = selectedBenchmarks.map(_.maximalNumberOfResults).sum @@ -79,7 +73,7 @@ class BenchmarkController( def transactionFor( benchmarkSelector: BenchmarkSelector - ): Seq[Int => BranchTransaction] = { + ): Seq[Int => IO[Unit]] = { val Gamma = Repository.repository(benchmarkSelector.tags) val results = Gamma.inhabit[CodeGenerator[Expression]](benchmarkSelector.targetType) @@ -87,7 +81,7 @@ class BenchmarkController( .map(s => Math.min(benchmarkSelector.maximalNumberOfResults, s.toInt)) .getOrElse(benchmarkSelector.maximalNumberOfResults) - (0 until toStore).foldLeft(Seq.empty[Int => BranchTransaction]) { + (0 until toStore).foldLeft(Seq.empty[Int => IO[Unit]]) { case (transactions, resultNumber) => val nextTransaction = (nextNumber: Int) => { val currentName = 
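Review bot: `emptyBenchmark` is now the only place that creates `targetDirectory`, yet nothing in the hunks sequences it before the per-benchmark IOs built in `transactionFor`, which write into the same directory with `persistOverwriting`; whether `computeTransactions` (its body lies outside the hunks) prepends it decides whether a fresh checkout works at all. The new version also no longer starts from an empty state: the removed `BranchTransaction.empty(benchmarkName)` began with an empty branch, whereas `Files.createDirectories` is a no-op on an existing directory and `persistOverwriting` only replaces the files it writes, so output from an earlier run with a different selection survives in `target/benchmarks` and is compiled together with the new set. Either clear the directory first or state the contract above the val: `// Creates targetDirectory and writes the shared build.sbt and OWASP utilities. Must run before any benchmark IO; does not remove files left by a previous run.`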
@@ -97,17 +91,16 @@ class BenchmarkController( val storeVulnerabilityReport = CodeGenerator .vulnerabilityReportPersistable[Expression](currentName) val result = results.interpretedTerms.index(BigInt(resultNumber)) - BranchTransaction - .checkout(benchmarkName) - .persist(result)(storeCompilationUnit) - .persist(result)(storeVulnerabilityReport) - .commit(s"Add benchmark ${currentName}") + IO[Unit] { + storeCompilationUnit.persistOverwriting(targetDirectory, result) + storeVulnerabilityReport.persistOverwriting(targetDirectory, result) + } } nextTransaction +: transactions } } - def computeTransactions: Seq[BranchTransaction] = { + def computeTransactions: Seq[IO[Unit]] = { val transactions = selectedBenchmarks.toSeq.flatMap(transactionFor) val suffledTransactions = @@ -122,13 +115,8 @@ class BenchmarkController( for { _ <- IO { println("Computing solutions") } transactions = computeTransactions - _ <- IO { - println( - s"Use: git clone http://127.0.0.1:${port}/$benchmarkName $benchmarkName" - ) - } - exitCode <- new GitService(transactions, benchmarkName, port).run(args) - } yield exitCode + _ <- transactions.toList.sequence + } yield ExitCode.Success } } @@ -147,5 +135,6 @@ object Benchmark42 ) ), benchmarkName = "benchmark42", + targetDirectory = Paths.get("target", "benchmarks"), shuffleSolutions = false ) From 14c26ba4abc054d6f14d65676f8f0da1cd4e146c Mon Sep 17 00:00:00 2001 From: Jan Bessai Date: Mon, 8 Feb 2021 07:12:19 +0100 Subject: [PATCH 7/9] Adjust github workflow to use generated files instead of Git --- .github/workflows/generate-repository.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/generate-repository.yml b/.github/workflows/generate-repository.yml index 412aa32..2965c83 100644 --- a/.github/workflows/generate-repository.yml +++ b/.github/workflows/generate-repository.yml 
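Review bot: The new `for` in `run` sequences `transactions.toList.sequence` and yields `ExitCode.Success` without reporting where anything was written, whereas the removed lines told the user where to fetch the result; the console now only says "Computing solutions" and, because `targetDirectory` is a relative path, the actual location depends on the working directory. One line after the sequence step restores that, e.g. `_ <- IO { println(s"Wrote ${transactions.size} benchmarks to ${targetDirectory.toAbsolutePath}") }`. With `sequence` on `List[IO[Unit]]` the writes run strictly one after another, which is fine for file output, but the name `transactions` no longer describes anything transactional; a name such as `writes` would match the new design, and `IO[Unit] { ... }` in the `transactionFor` hunk above can drop the explicit type argument since the block is already `Unit`.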
@@ -20,10 +20,7 @@ jobs: java-version: 12 - name: compile, run, and test run: | - sbt run && sleep 4m & - sleep 130s - cd /tmp - git clone http://127.0.0.1:9000/benchmark42 benchmark42 - cd /tmp/benchmark42 + sbt run + cd target/benchmarks sbt compile From e75155030d4f39ab8c56d6acd50ed68595b68a81 Mon Sep 17 00:00:00 2001 From: Jan Bessai Date: Mon, 8 Feb 2021 07:17:09 +0100 Subject: [PATCH 8/9] Enable ci for all pull-requests --- .github/workflows/generate-repository.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/generate-repository.yml b/.github/workflows/generate-repository.yml index 2965c83..60a69c0 100644 --- a/.github/workflows/generate-repository.yml +++ b/.github/workflows/generate-repository.yml @@ -4,7 +4,6 @@ on: push: branches: [ master ] pull_request: - branches: [ master ] jobs: build: From e367f1b505b534594240439b5651575c702347bf Mon Sep 17 00:00:00 2001 From: Jan Bessai Date: Mon, 8 Feb 2021 07:21:25 +0100 Subject: [PATCH 9/9] Update JDK in Github workflow --- .github/workflows/generate-repository.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/generate-repository.yml b/.github/workflows/generate-repository.yml index 60a69c0..c472ec5 100644 --- a/.github/workflows/generate-repository.yml +++ b/.github/workflows/generate-repository.yml @@ -13,10 +13,10 @@ jobs: steps: - name: checkout uses: actions/checkout@v2 - - name: Set up JDK 12 - uses: actions/setup-java@v1.3.0 + - name: Set up JDK, Scala, and SBT + uses: olafurpg/setup-scala@v10 with: - java-version: 12 + java-version: adopt@1.15 - name: compile, run, and test run: | sbt run
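Review bot: The new step hard-codes `cd target/benchmarks`, duplicating the `Paths.get("target", "benchmarks")` literal in Benchmark42 from the previous patch; the two can drift apart and the job would then fail at `cd` with no hint why. Declare the location once, e.g. as a workflow `env:` entry like `BENCHMARK_DIR: target/benchmarks` used as `cd "$BENCHMARK_DIR"`, or have the controller print the absolute output path so the log shows where the files went.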
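Review bot: `uses: olafurpg/setup-scala@v10` in the last hunk pins a third-party action to a mutable tag, so whoever controls that tag can change the code this job runs against the repository checkout and with the job's token. Pin it to the full commit SHA of the release and keep the tag as a comment for readability: `uses: olafurpg/setup-scala@<commit-sha-of-v10> # v10`. The same consideration applies to `actions/checkout@v2` on the context line above it.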