Merge branch 'jsvoboda_cve_2022_22963_spring' into 'master'

Detection script for CVE-2022-22963 and CVE-2022-22965 (spring)

See merge request Insights/vulnerability-detection-scripts!41

CVE-2022-22963_spring/approved_rm_blocks.txt

@@ -0,0 +1,47 @@
+    for required_command in readlink file unzip stat sha256sum basename cat grep uname pwd /bin/rm head ; do
+        if ! command -v "$required_command" &> /dev/null; then
+            echo "Error: '$required_command' command is required, but not installed. Exiting."
+            if [[ "$required_command" == "unzip" ]] ; then
+--
+    if [[ -d "$tmp_path/$backtrack/$dir_to_delete" && ! -L "$tmp_path/$backtrack/$dir_to_delete"  ]] ; then
+        if [[ "$dir_to_delete" != *..* && "$dir_to_delete" != */* ]] ; then
+            if [[ "$tmp_path/$backtrack/$dir_to_delete" == "$audit_tmp_path/$backtrack/$dir_to_delete" ]] ; then
+                ( cd -- "${audit_tmp_path:?}" && /bin/rm -rf --one-file-system -- "${backtrack:?}/${dir_to_delete:?}" ; )
+            fi
+        fi
+    fi
+--
+    if [[ -d "$tmp_path/$decompressed/$dir_to_delete" && ! -L "$tmp_path/$decompressed/$dir_to_delete"  ]] ; then
+        if [[ "$dir_to_delete" != *..* && "$dir_to_delete" != */* ]] ; then
+            if [[ "$tmp_path/$decompressed/$dir_to_delete" == "$audit_tmp_path/$decompressed/$dir_to_delete" ]] ; then
+                ( cd -- "${audit_tmp_path:?}" && /bin/rm -rf --one-file-system -- "${decompressed:?}/${dir_to_delete:?}" ; )
+            fi
+        fi
+    fi
+--
+
+
+        if [[ "$tmp_path/$queue" == "$audit_tmp_path/$queue" ]] ; then
+            ( cd -- "${audit_tmp_path:?}" && /bin/rm -rf --one-file-system -- "${queue:?}" ; )
+        fi
+
+        if [[ "$tmp_path/$catalog" == "$audit_tmp_path/$catalog" ]] ; then
+            ( cd -- "${audit_tmp_path:?}" && /bin/rm -rf --one-file-system -- "${catalog:?}" ; )
+        fi
+
+        if [[ "$tmp_path/$decompressed" == "$audit_tmp_path/$decompressed" ]] ; then
+            ( cd -- "${audit_tmp_path:?}" && /bin/rm -rf --one-file-system -- "${decompressed:?}" ; )
+        fi
+
+        if [[ "$tmp_path/$parents" == "$audit_tmp_path/$parents" ]] ; then
+            ( cd -- "${audit_tmp_path:?}" && /bin/rm -rf --one-file-system -- "${parents:?}" ; )
+        fi
+
+        if [[ "$tmp_path/$backtrack" == "$audit_tmp_path/$backtrack" ]] ; then
+            ( cd -- "${audit_tmp_path:?}" && /bin/rm -rf --one-file-system -- "${backtrack:?}" ; )
+        fi
+
+        if [[ "$tmp_path/$detections" == "$audit_tmp_path/$detections" ]] ; then
+            ( cd -- "${audit_tmp_path:?}" && /bin/rm -rf --one-file-system -- "${detections:?}" ; )
+        fi
+

CVE-2022-22963_spring/approved_rm_lines.txt

@@ -0,0 +1,9 @@
+for required_command in readlink file unzip stat sha256sum basename cat grep uname pwd /bin/rm head ; do
+( cd -- "${audit_tmp_path:?}" && /bin/rm -rf --one-file-system -- "${backtrack:?}/${dir_to_delete:?}" ; )
+( cd -- "${audit_tmp_path:?}" && /bin/rm -rf --one-file-system -- "${decompressed:?}/${dir_to_delete:?}" ; )
+( cd -- "${audit_tmp_path:?}" && /bin/rm -rf --one-file-system -- "${queue:?}" ; )
+( cd -- "${audit_tmp_path:?}" && /bin/rm -rf --one-file-system -- "${catalog:?}" ; )
+( cd -- "${audit_tmp_path:?}" && /bin/rm -rf --one-file-system -- "${decompressed:?}" ; )
+( cd -- "${audit_tmp_path:?}" && /bin/rm -rf --one-file-system -- "${parents:?}" ; )
+( cd -- "${audit_tmp_path:?}" && /bin/rm -rf --one-file-system -- "${backtrack:?}" ; )
+( cd -- "${audit_tmp_path:?}" && /bin/rm -rf --one-file-system -- "${detections:?}" ; )

CVE-2022-22963_spring/fake_jars_delete.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+
+rm -rf fake_jars_nonvuln
+rm -rf fake_jars_nonvuln_additional
+rm -rf fake_jars_vuln
+rm -rf fake_jars_vuln_additional
+rm -rf fake_jar_test_battery_smoke_1
+rm -rf fake_jar_test_battery_smoke_2
+rm -rf fake_jar_test_battery_smoke_3
+

CVE-2022-22963_spring/fake_jars_generate.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+
+rm -rf fake_jars_nonvuln
+mkdir fake_jars_nonvuln
+(
+    cd fake_jars_nonvuln && (
+        bash ../gen-fake-jars-fixed-spring-beans.sh
+        bash ../gen-fake-jars-fixed-spring-cloud.sh
+        bash ../gen-fake-jars-fixed-spring-webflux.sh
+        bash ../gen-fake-jars-fixed-spring-webmvc.sh
+    )
+)
+
+
+rm -rf fake_jars_nonvuln_additional
+mkdir fake_jars_nonvuln_additional
+(
+    cd fake_jars_nonvuln_additional && (
+        bash ../gen-fake-jars-fixed-quarkus-beans.sh
+        bash ../gen-fake-jars-fixed-quarkus-beans-rh.sh
+        bash ../gen-fake-jars-fixed-servicemix.sh
+    )
+)
+
+
+rm -rf fake_jars_vuln
+mkdir fake_jars_vuln
+(
+    cd fake_jars_vuln && (
+        bash ../gen-fake-jars-vuln-spring-beans.sh
+        bash ../gen-fake-jars-vuln-spring-cloud.sh
+        bash ../gen-fake-jars-vuln-spring-webflux.sh
+        bash ../gen-fake-jars-vuln-spring-webmvc.sh
+    )
+)
+
+
+rm -rf fake_jars_vuln_additional
+mkdir fake_jars_vuln_additional
+(
+    cd fake_jars_vuln_additional && (
+        bash ../gen-fake-jars-vuln-quarkus-beans.sh
+        bash ../gen-fake-jars-vuln-quarkus-beans-rh.sh
+        bash ../gen-fake-jars-vuln-servicemix.sh
+    )
+)
+
+
+rm -rf fake_jar_test_battery_smoke_1
+mkdir fake_jar_test_battery_smoke_1
+cp fake_jars_vuln/spring-webmvc-5.3.17.jar fake_jar_test_battery_smoke_1/
+cp fake_jars_nonvuln/spring-webmvc-5.3.18.jar fake_jar_test_battery_smoke_1/
+
+
+rm -rf fake_jar_test_battery_smoke_2
+mkdir -p fake_jar_test_battery_smoke_2/subdir
+cp fake_jars_vuln/spring-webmvc-5.3.17.jar fake_jar_test_battery_smoke_2/subdir/
+cp fake_jars_nonvuln/spring-webmvc-5.3.18.jar fake_jar_test_battery_smoke_2/subdir/
+cp fake_jars_nonvuln/spring-webflux-5.2.20.RELEASE.jar fake_jar_test_battery_smoke_2/-X
+cp fake_jars_vuln/spring-webflux-5.2.19.RELEASE.jar fake_jar_test_battery_smoke_2/-i
+cp fake_jars_vuln/spring-cloud-function-context-3.2.2.jar fake_jar_test_battery_smoke_2/-E
+
+rm -rf fake_jar_test_battery_smoke_3
+mkdir fake_jar_test_battery_smoke_3
+cp -R fake_jar_test_battery_smoke_1 fake_jar_test_battery_smoke_3/
+cp -R fake_jar_test_battery_smoke_2 fake_jar_test_battery_smoke_3/
+(
+    cd fake_jar_test_battery_smoke_3 && (
+        zip -0 -r zipped.zip fake_jar_test_battery_smoke_*
+        rm -rf fake_jar_test_battery_smoke_*
+    )
+)
+

CVE-2022-22963_spring/fake_jars_pack.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+rm -rf fake_jars.tar.gz
+tar -czf fake_jars.tar.gz fake_jars_vuln fake_jars_vuln_additional fake_jars_nonvuln fake_jars_nonvuln_additional fake_jar_test_battery_*

CVE-2022-22963_spring/fake_jars_unpack.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+
+rm -rf fake_jars_nonvuln
+rm -rf fake_jars_nonvuln_additional
+rm -rf fake_jars_vuln
+rm -rf fake_jars_vuln_additional
+rm -rf fake_jar_test_battery_smoke_1
+rm -rf fake_jar_test_battery_smoke_2
+rm -rf fake_jar_test_battery_smoke_3
+tar -xf fake_jars.tar.gz
+
+

CVE-2022-22963_spring/gen-fake-jars-fixed-quarkus-beans-rh.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+
+# shellcheck disable=SC2164,SC2035
+
+mkdir tmp
+(
+  cd tmp
+  mkdir -p META-INF/maven/org.apache.camel.quarkus/camel-quarkus-support-spring-beans
+  cat > META-INF/maven/org.apache.camel.quarkus/camel-quarkus-support-spring-beans/pom.xml << 'EOFEOF'
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+         http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <groupId>org.apache.camel.quarkus</groupId>
+        <artifactId>camel-quarkus-support-spring-parent</artifactId>
+        <version>2.2.1.fuse-800015-redhat-00004</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>camel-quarkus-support-spring-beans</artifactId>
+    <name>Camel Quarkus :: Support :: Spring :: Beans</name>
+
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>org.apache.camel.quarkus</groupId>
+                <artifactId>camel-quarkus-bom</artifactId>
+                <version>${project.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+        </dependencies>
+EOFEOF
+  dd if=/dev/zero of=filler bs=32k count=1
+  zip -0 -r ../camel-quarkus-support-spring-beans-2.2.1.fuse-800015-redhat-00004.jar *
+)
+rm -rf tmp
+

CVE-2022-22963_spring/gen-fake-jars-fixed-quarkus-beans.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+
+# shellcheck disable=SC2164,SC2035
+
+mkdir tmp
+(
+  cd tmp
+  mkdir -p META-INF/maven/org.apache.camel.quarkus/camel-quarkus-support-spring-beans
+  cat > META-INF/maven/org.apache.camel.quarkus/camel-quarkus-support-spring-beans/pom.xml << 'EOFEOF'
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+         http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <groupId>org.apache.camel.quarkus</groupId>
+        <artifactId>camel-quarkus-support-spring-parent</artifactId>
+        <version>2.8.0</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>camel-quarkus-support-spring-beans</artifactId>
+    <name>Camel Quarkus :: Support :: Spring :: Beans</name>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.camel.quarkus</groupId>
+            <artifactId>camel-quarkus-support-spring-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-beans</artifactId>
+            <scope>runtime</scope>
+        </dependency>
+EOFEOF
+  dd if=/dev/zero of=filler bs=32k count=1
+  zip -0 -r ../camel-quarkus-support-spring-beans-2.8.0.jar *
+)
+rm -rf tmp
+

CVE-2022-22963_spring/gen-fake-jars-fixed-servicemix.sh

@@ -0,0 +1,106 @@
+#!/bin/bash
+
+# shellcheck disable=SC2164,SC2035
+
+mkdir tmp
+(
+  cd tmp
+  mkdir -p META-INF/maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.spring-webmvc
+  cat > META-INF/maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.spring-webmvc/pom.xml << 'EOFEOF'
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+    <!--
+
+        Licensed to the Apache Software Foundation (ASF) under one or more
+        contributor license agreements.  See the NOTICE file distributed with
+        this work for additional information regarding copyright ownership.
+        The ASF licenses this file to You under the Apache License, Version 2.0
+        (the "License"); you may not use this file except in compliance with
+        the License.  You may obtain a copy of the License at
+
+           http://www.apache.org/licenses/LICENSE-2.0
+
+        Unless required by applicable law or agreed to in writing, software
+        distributed under the License is distributed on an "AS IS" BASIS,
+        WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+        See the License for the specific language governing permissions and
+        limitations under the License.
+    -->
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.apache.servicemix.bundles</groupId>
+        <artifactId>bundles-pom</artifactId>
+        <version>14</version>
+        <relativePath>../bundles-pom/pom.xml</relativePath>
+    </parent>
+
+    <groupId>org.apache.servicemix.bundles</groupId>
+    <artifactId>org.apache.servicemix.bundles.spring-webmvc</artifactId>
+    <version>5.2.20.RELEASE_1</version>
+    <packaging>bundle</packaging>
+    <name>Apache ServiceMix :: Bundles :: ${pkgArtifactId}</name>
+
+    <scm>
+        <connection>scm:git:https://gitbox.apache.org/repos/asf/servicemix-bundles.git</connection>
+        <developerConnection>scm:git:https://gitbox.apache.org/repos/asf/servicemix-bundles.git</developerConnection>
+        <url>https://gitbox.apache.org/repos/asf?p=servicemix-bundles.git</url>
+EOFEOF
+  dd if=/dev/zero of=filler bs=32k count=1
+  zip -0 -r ../org.apache.servicemix.bundles.spring-webmvc-5.2.20.RELEASE_1.jar *
+)
+rm -rf tmp
+
+mkdir tmp
+(
+  cd tmp
+  mkdir -p META-INF/maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.spring-webmvc
+  cat > META-INF/maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.spring-webmvc/pom.xml << 'EOFEOF'
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+    <!--
+
+        Licensed to the Apache Software Foundation (ASF) under one or more
+        contributor license agreements.  See the NOTICE file distributed with
+        this work for additional information regarding copyright ownership.
+        The ASF licenses this file to You under the Apache License, Version 2.0
+        (the "License"); you may not use this file except in compliance with
+        the License.  You may obtain a copy of the License at
+
+           http://www.apache.org/licenses/LICENSE-2.0
+
+        Unless required by applicable law or agreed to in writing, software
+        distributed under the License is distributed on an "AS IS" BASIS,
+        WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+        See the License for the specific language governing permissions and
+        limitations under the License.
+    -->
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.apache.servicemix.bundles</groupId>
+        <artifactId>bundles-pom</artifactId>
+        <version>14</version>
+        <relativePath>../bundles-pom/pom.xml</relativePath>
+    </parent>
+
+    <groupId>org.apache.servicemix.bundles</groupId>
+    <artifactId>org.apache.servicemix.bundles.spring-webmvc</artifactId>
+    <version>5.3.18_1</version>
+    <packaging>bundle</packaging>
+    <name>Apache ServiceMix :: Bundles :: ${pkgArtifactId}</name>
+
+    <scm>
+        <connection>scm:git:https://gitbox.apache.org/repos/asf/servicemix-bundles.git</connection>
+        <developerConnection>scm:git:https://gitbox.apache.org/repos/asf/servicemix-bundles.git</developerConnection>
+        <url>https://gitbox.apache.org/repos/asf?p=servicemix-bundles.git</url>
+EOFEOF
+  dd if=/dev/zero of=filler bs=32k count=1
+  zip -0 -r ../org.apache.servicemix.bundles.spring-webmvc-5.3.18_1.jar *
+)
+rm -rf tmp
+