Checkmarx | Unsafe_Reflection

2023-02-17

前言

最近系統被 Checkmarx V9.4.5 掃出有 Unsafe_Reflection 的問題，
程式碼中有透過傳入的 Type Name 及參數值來動態建立物件執行該 Method 。
問題的來源是 Controller Action Method 的參數，
問題的目的地則是 Invoke Method 。

解決

查看 Checkmarx 中的 Search Rule 如下，

CxList inputs = Find_Inputs();
CxList objectCreates = Find_ObjectCreations();
CxList comCreations = objectCreates.FindByTypes(new String[]

{ "CodeSnippetExpression", "CodeEntryPointMethod", "CodeTypeReference", "CodeTypeReference", "CodeObjectCreateExpression", "CodeMethodInvokeExpression", "CodeTypeReferenceExpression", "CodeMethodReturnStatement", "CodeMemberMethod"}
);

CxList unknownList = Find_UnknownReference();
unknownList.Add(Find_Param());
unknownList.Add(Find_TypeRef());

CxList methodExpr = Find_Methods();
CxList ifs = Find_Ifs();

CxList auxInput = inputs.Clone();
auxInput.Add(unknownList.FindAllReferences(auxInput.GetAssignee()));
CxList typeofExpress = Find_TypeOfExpr();
typeofExpress.Add(methodExpr.FindByMemberAccesses(new string[]

{"Type.Get*", "Assembly.GetType", "*Info.Get*", "Assembly.Load*", "Assembly.ReflectionOnly*"}
));

CxList containsMethods = methodExpr.FindByMemberAccess("*.Contains").GetByAncs(ifs);
CxList influenceIfparams = auxInput.GetParameters(containsMethods.FindByParameters(auxInput), 0);
CxList allReferencesOfifParams = auxInput.FindAllReferences(influenceIfparams);

CxList notInfluencedChecks = typeofExpress - typeofExpress.FindByParameters(allReferencesOfifParams);
notInfluencedChecks.Add(All.FindAllReferences(notInfluencedChecks.GetAssignee()));

CxList notInfluencedComCreations = comCreations - comCreations.FindByParameters(allReferencesOfifParams);
CxList objsC = notInfluencedComCreations.FindByParameters(All.GetParameters(notInfluencedComCreations) * auxInput);

result = inputs.DataInfluencingOn(notInfluencedChecks.GetMembersOfTarget().FindByShortName("Invoke*"));
result.Add(inputs.DataInfluencingOn(objsC));

似乎是透過 Method 的參數找相關的 method 是否有 Invoke ，
並且沒透過 if + 白名單 + Contains 去排除，
所以程式碼中包含 invoke 就被認為是有問題。

Checkmarx 建議的解法如下，

public IActionResult MethodInvoker()
{
    var cls = Request.Query["class"];
    var method = Request.Query["method"];
    var val = Request.Query["val"];
    if (allowedClassesList.Contains(cls) && allowedMethodsList.Contains(method) {
        ViewBag.Result = Type.GetType(cls).GetMethod(method).Invoke(null, val);
        return View();
    }
    else{
        //Handle Exception
    }
}

原始程式碼類似如下，

private dynamic CreateReport(string ReportName, string ReportPrintDate, string condition)
{
    // ... codes ...
	string reportDll = WebConfigurationManager.AppSettings["ReportDll"];
	var types = Assembly.Load(reportDll).GetTypes().Where(t => t.Name == ReportName);
	if (types.Count() == 0)
	{
		throw new Exception("無此報表程式");
	}
	Type type = Assembly.Load(reportDll).GetTypes().Where(t => t.Name == ReportName).FirstOrDefault();

	dynamic report = Activator.CreateInstance(type);
	var queryMethod = type.GetMethod("Query");
	List<object> para = new List<object>();
	para.Add(condition);
	//  Unsafe_Reflection
	queryMethod.Invoke(report, para.ToArray());
	return report;
}

雖然上述程式碼中有透過 LINQ 的 Where 判斷，但沒有 if + 白名單 + Contains 所以還是被 Checkmarx 認為有問題。
所以調整程式碼，讓它符合 if + 白名單 + Contains 就可以通過了，如下，

private dynamic CreateReport(string ReportName, string ReportPrintDate, string condition)
{
    // ... codes ...
	string reportDll = WebConfigurationManager.AppSettings["ReportDll"];

	var types = Assembly.Load(reportDll).GetTypes().Where(t => t.Name == ReportName);
	if (types.Count() == 0)
	{
		throw new Exception("無此報表程式");
	}
    var typeNames = Assembly.Load(reportDll).GetTypes().Select(t=>t.Name);
    //要 invoke 的 method 要被包在 if + 白名單 + Contains 之中
    if(typeNames.Contains(ReportName))
    {
        Type type = Assembly.Load(reportDll).GetTypes().Where(t => t.Name == ReportName).FirstOrDefault();
        dynamic report = Activator.CreateInstance(type);
        var queryMethod = type.GetMethod("Query");
        List<object> para = new List<object>();
        para.Add(condition);
        //  Unsafe_Reflection
        queryMethod.Invoke(report, para.ToArray());
        return report;
    }else{return null;}

}

jsonContent: meta: false pages: false posts: title: true date: true path: true text: false raw: false content: false slug: false updated: false comments: false link: false permalink: false excerpt: false categories: false tags: true