
Custom rules

Chanzi-keji edited this page Oct 2, 2024 · 20 revisions

Overview

  • Custom rules are written in the Cypher query language; for Cypher syntax, refer to Neo4j's official Cypher manual.

How to write rules

  • 铲子SAST rules are queries against the graph database. A rule can match either a single node or a data flow (a path from a source to a sink) and report the result as a vulnerability.
  • Data-flow queries
  • The following built-in data-flow rule identifies SSRF vulnerabilities. It matches entry-point arguments as sources, a set of HTTP/URL-handling calls as sinks, and returns every path of at most 30 hops between them:

```cypher
MATCH (sourceNode:DubboServiceArg|ThriftHandlerArg|SpringControllerArg|JspServiceArg|WebServletArg|WebXmlServletArg|WebXmlFilterArg|JaxrsArg|HttpHandlerArg)
MATCH (sinkNode)
WHERE 'url' IN sinkNode.selectors
   OR 'URL' IN sinkNode.selectors
   OR sinkNode.AllocationClassName = 'URL'
   OR sinkNode.AllocationClassName = 'GetMethod'
   OR 'HttpGet' IN sinkNode.selectors
   OR ('execute' IN sinkNode.selectors AND 'CloseableHttpClient' IN sinkNode.receiverTypes)
   OR ('execute' IN sinkNode.selectors AND 'CloseableHttpAsyncClient' IN sinkNode.receiverTypes)
   OR ('connect' IN sinkNode.selectors AND 'Jsoup' IN sinkNode.receiverTypes)
   OR ('create' IN sinkNode.selectors AND 'URI' IN sinkNode.receiverTypes)
   OR ('read' IN sinkNode.selectors AND 'ImageIO' IN sinkNode.receiverTypes)
   OR ('executeMethod' IN sinkNode.selectors AND 'HttpClient' IN sinkNode.receiverTypes)
   OR ('Get' IN sinkNode.selectors AND 'Request' IN sinkNode.receiverTypes)
   OR ('Post' IN sinkNode.selectors AND 'Request' IN sinkNode.receiverTypes)
   OR ('exchange' IN sinkNode.selectors AND 'RestTemplate' IN sinkNode.receiverTypes)
   OR ('get' IN sinkNode.selectors AND 'HttpUtil' IN sinkNode.receiverTypes)
   OR ('post' IN sinkNode.selectors AND 'HttpUtil' IN sinkNode.receiverTypes)
   OR 'openConnection' IN sinkNode.receivers
MATCH p = (sourceNode)-[*..30]->(sinkNode)
RETURN p AS path
```

  • Single-node queries
  • The following single-node rule identifies a misconfigured Spring Boot Actuator exposure: it matches YAML or properties entries whose key is `management.endpoints.web.exposure.include` and whose value is `*` or contains `heapdump`:

```cypher
MATCH (sinkNode:YmlKeyValue|PropertiesKeyValue)
WHERE sinkNode.name = 'management.endpoints.web.exposure.include'
  AND (sinkNode.value = '*' OR sinkNode.value CONTAINS 'heapdump')
RETURN sinkNode AS path
```
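As an added example of writing your own data-flow rule (this is not a built-in 铲子SAST rule), the query below follows the same source/sink/path pattern to flag OS command injection. It assumes the graph uses the node labels and properties seen in the built-in SSRF rule (`selectors`, `receiverTypes`, `AllocationClassName`), that `receiverTypes` holds the simple class name of a call's receiver, and that `ShellEscape` is a hypothetical sanitizer class to be replaced with the project's own.

```cypher
// Added example, not a built-in rule. Assumes the same schema as the built-in SSRF rule.

// 1. Sources: the same entry-point argument labels the built-in rule uses.
MATCH (sourceNode:SpringControllerArg|WebServletArg|JaxrsArg|DubboServiceArg)

// 2. Sinks: calls that hand a string to the operating system.
//    Assumption: receiverTypes holds the simple class name of the receiver.
MATCH (sinkNode)
WHERE ('exec' IN sinkNode.selectors AND 'Runtime' IN sinkNode.receiverTypes)
   OR ('start' IN sinkNode.selectors AND 'ProcessBuilder' IN sinkNode.receiverTypes)
   OR ('command' IN sinkNode.selectors AND 'ProcessBuilder' IN sinkNode.receiverTypes)
   OR sinkNode.AllocationClassName = 'ProcessBuilder'

// 3. Bounded data-flow path from source to sink. Keep the bound: an unbounded
//    variable-length match on a large code graph can run for a very long time.
MATCH p = (sourceNode)-[*..30]->(sinkNode)

// 4. Drop paths that pass through a sanitizer. 'ShellEscape' is a hypothetical
//    helper name; substitute the project's own sanitizer class. The null check
//    matters: 'x' IN null evaluates to null, and a null inside NONE() would make
//    the whole predicate null and silently discard the path instead of keeping it.
WHERE NONE(n IN nodes(p)
           WHERE n.receiverTypes IS NOT NULL AND 'ShellEscape' IN n.receiverTypes)

RETURN p AS path
```

Run it in the same way as a built-in rule; each returned `path` is one source-to-sink flow with no sanitizer node on it.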