
CN116881930B - Analysis method and device for SQL injection vulnerabilities based on an ORM framework - Google Patents


Info

Publication number: CN116881930B
Authority: CN (China)
Prior art keywords: sql, data, vulnerability, analysis, mapping file
Legal status: Active
Application number: CN202311146704.5A
Other languages: Chinese (zh)
Other versions: CN116881930A
Inventors: 王宏, 孟鹤
Current assignee: Sikeyun Beijing Software Technology Co ltd
Original assignee: Sikeyun Beijing Software Technology Co ltd
Events: application filed by Sikeyun Beijing Software Technology Co ltd; priority to CN202311146704.5A; publication of CN116881930A; application granted; publication of CN116881930B

Classifications

    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577: Assessing vulnerabilities and evaluating computer system security
    • G06F 2221/033: Indexing scheme relating to G06F 21/50; test or assess software
    • G06F 2221/034: Indexing scheme relating to G06F 21/50; test or assess a computer or a system
    • Y02D 10/00: Energy efficient computing, e.g. low power processors, power management or thermal management


Abstract

The application relates to a method and device for analysing SQL injection vulnerabilities in applications built on an ORM framework. The method comprises: obtaining, from a persistence-layer mapping file of the ORM framework, the SQL mapping tags that bind external data sources, together with the root tag of the mapping file; associating the SQL mapping tags with the root tag and, from the attribute parameters read through that association, building a data-flow Sink rule for the mapping file; running a data-flow analysis for SQL injection against the Sink rule to obtain the SQL injection vulnerability data of the rule; and associating that vulnerability data across layers with the persistence-layer mapping file, then tracing the result to obtain the vulnerability analysis data of the mapping file. The method improves the accuracy with which SQL injection vulnerabilities are identified.

Description

Analysis method and device for SQL injection vulnerabilities based on an ORM framework
Technical Field
The application relates to the technical field of ORM frameworks, and in particular to a method and device for analysing SQL injection vulnerabilities based on an ORM framework.
Background
SQL injection remains one of the most common security vulnerabilities in application systems: an attacker uses it to read and tamper with the database without authorisation. Potential SQL injection vulnerabilities therefore need to be identified accurately during development or before a system goes live, which is also one of the important tasks in a DevSecOps development model.
Existing detection usually runs a static application security testing (SAST) tool over the system source code within the DevSecOps pipeline. Such tools analyse each layer of a layered development framework separately; no cross-layer analysis is performed between different detection algorithms or between different layers. Database operations are now commonly packaged into a persistence layer by an ORM framework, and the way SQL statements are built and executed in that layer is left to the developer, so vulnerabilities can be introduced when the SQL is configured. A static analysis tool that simply marks every SQL configuration in the framework where an injection could exist does not consider whether the data source is trusted or whether an attacker can actually control it, and therefore produces false positives.
The prior art described above has the following drawback: the static analysis tool risks false positives because it marks every SQL configuration in the development architecture where an SQL injection vulnerability might exist.
Disclosure of Invention
To improve the accuracy of SQL injection vulnerability identification, the application provides a method and a device for analysing SQL injection vulnerabilities based on an ORM framework.
In a first aspect, the above object of the present application is achieved by the following technical solutions:
a method for analysing SQL injection vulnerabilities based on an ORM framework comprises the following steps:
obtaining the SQL mapping tags that bind external data sources in a persistence-layer mapping file of the ORM framework, together with the root tag of the persistence-layer mapping file;
associating the SQL mapping tags with the root tag, reading the attribute parameters through the tag association result, and building a data-flow Sink rule of the persistence-layer mapping file from those attribute parameters;
performing a data-flow analysis for SQL injection vulnerabilities on the data-flow Sink rule to obtain the SQL injection vulnerability data of the Sink rule; and
associating the SQL injection vulnerability data across layers with the persistence-layer mapping file, and tracing vulnerabilities according to the cross-layer association result to obtain the vulnerability analysis data of the persistence-layer mapping file.
With this solution, two analysis algorithms are combined to perform a cross-layer analysis of SQL injection vulnerabilities in an ORM framework. This addresses two problems: a data-flow analysis algorithm cannot know the Sink rules of the persistence layer in advance and therefore produces false negatives, and an XML analysis algorithm cannot tell whether a data source is trusted and therefore produces false positives. Associating the SQL mapping tags that bind external data sources with the root tag of the persistence-layer mapping file strengthens the data relationship between the SQL mapping file and the root file; building data-flow Sink rules from the mapping file automates the vulnerability analysis of that file and supplies the Sink rules that the data-flow algorithm cannot preset; running the data-flow algorithm against those Sink rules yields a complete trace of each SQL injection vulnerability in the mapping file; and associating the vulnerability data across layers with the mapping file and tracing the result removes the false negatives caused by the data-flow algorithm's inability to analyse across layers. The accuracy of the combined analysis of SQL injection vulnerabilities is thereby improved.
In a preferred example, the step of building the data-flow Sink rule of the persistence-layer mapping file from the attribute parameters read through the tag association result specifically comprises:
obtaining and parsing the SQL mapping file corresponding to the SQL mapping tag to obtain the tree-structure node information of the SQL mapping file within the persistence-layer mapping file;
obtaining the Mapper interface parameters of the SQL mapping file in the persistence-layer mapping file, and looking up, among the Mapper interface parameters, the target SQL statement corresponding to the tree-structure node information;
judging whether external data-source parameters are injected into the target SQL statement, and obtaining the parameter mapping data of those external data-source parameters according to the judgment result; and
inputting the parameter mapping data and the Mapper interface parameters into a preset rule template to associate the attribute parameters, and building the data-flow Sink rule of the persistence-layer mapping file from the associated attribute parameters.
With this solution, the SQL mapping file is located through its SQL mapping tag and parsed into the tree-structure node information of the persistence-layer mapping file, so that its parameters are read accurately. The namespace attribute of the SQL mapping file is obtained exactly through the fully-qualified name of its Mapper interface, the tree-structure nodes are traversed, and the target SQL statement corresponding to each node is looked up among the Mapper interface parameters, which helps identify precisely those SQL statements that can have an SQL injection problem. Whether external data-source parameters are injected into the target SQL statement is then judged and their parameter mapping data obtained, which filters the parameters used to build the rule. Associating the parameter mapping data with the Mapper interface parameters through the preset rule template strengthens the relationship between the attribute parameters, and the data-flow Sink rule built from them further narrows down the possible vulnerabilities in the SQL mapping file.
In a preferred example, after traversing the tree-structure node information to search the Mapper interface parameters and obtaining the target SQL statement corresponding to the tree-structure node information, the method further comprises:
obtaining the statement tag parameters of the target SQL statement and marking them as Sink points for the data-flow analysis; and
performing injection data-flow analysis on the Sink points to obtain the complete construction path of the target SQL statement in the persistence-layer mapping file.
With this solution, the statement tag parameters of the target SQL statement are obtained and marked as Sink points, so that the data-flow analysis algorithm can be invoked on the target SQL statement; the injection data-flow analysis performed on the Sink points yields the complete construction path of the target SQL statement in the persistence-layer mapping file and improves the accuracy of that path analysis.
In a preferred example, before obtaining and parsing the SQL mapping file corresponding to the SQL mapping tag to obtain the tree-structure node information, the method further comprises:
obtaining the target persistence-layer mapping files of a given project, and analysing whether specific naming parameters are present in each target persistence-layer mapping file to obtain a parameter analysis result;
judging, according to the parameter analysis result, whether the target persistence-layer mapping file is an SQL mapping file, and collecting all SQL mapping files among the target persistence-layer mapping files according to the judgment result;
parsing all the SQL mapping files, obtaining the element attributes of each SQL mapping file from the parsing result, and taking the element attributes as the tree-structure nodes corresponding to that SQL mapping file; and
constructing the association between all SQL mapping files and the target persistence-layer mapping files, and generating the tree-structure framework of the given project by combining the tree-structure nodes of each SQL mapping file.
With this solution, the target persistence-layer mapping files of the given project are screened by analysing whether they contain the specific naming parameters and analysing the attributes of the specific namespace, and the SQL mapping files among them are identified and collected in full, which improves the comprehensiveness of the analysis. Parsing all SQL mapping files and using their element attributes as tree-structure nodes makes the useful information in each file accessible through its nodes; the association between the SQL mapping files and the target persistence-layer mapping files, combined with the corresponding tree-structure nodes, forms a tree-structure framework through which the useful information of the given project is accessed quickly.
In a preferred example, performing the data-flow analysis for SQL injection vulnerabilities on the data-flow Sink rule to obtain the SQL injection vulnerability data of the Sink rule specifically comprises:
performing data-flow analysis on the data-flow Sink rule to obtain the function tag parameters corresponding to the Sink rule;
performing SQL injection vulnerability detection on the function tag parameters, and obtaining the complete call link of the SQL injection vulnerability according to the detection result;
judging, according to the complete call link, whether the persistence-layer mapping file corresponding to the data-flow Sink rule is at risk of SQL injection; and
if so, collecting the complete call link of the SQL injection vulnerability and the corresponding SQL injection analysis record into the same result set, generating SQL injection vulnerability data that contains the tracking process of the vulnerability.
With this solution, the data-flow analysis of the Sink rule yields the function tag parameters corresponding to it, so that each SQL injection vulnerability can be analysed individually; the detection performed on the function tag parameters yields the complete call link of the vulnerability, which makes the path analysis complete; judging from that call link whether the persistence-layer mapping file corresponding to the Sink rule is at risk of SQL injection means analysing whether the data source of the Sink rule is trusted, which confirms whether an SQL injection risk actually exists and improves detection accuracy; and collecting the complete call link and the corresponding SQL injection analysis record into the same result set makes the related data of the vulnerability easy to trace, further improving identification accuracy.
In a preferred example, associating the SQL injection vulnerability data across layers with the persistence-layer mapping file and tracing vulnerabilities according to the cross-layer association result to obtain the vulnerability analysis data of the persistence-layer mapping file specifically comprises:
obtaining the SQL mapping path and the SQL mapping line number of the persistence-layer mapping file;
associating the SQL injection vulnerability data across layers with the SQL mapping path and with the SQL mapping line number, respectively, to obtain the cross-layer association result of the SQL injection vulnerability;
analysing the construction path of the SQL injection vulnerability according to the cross-layer association result to obtain the vulnerability injection analysis result; and
tracing the path of the SQL injection vulnerability according to the vulnerability injection analysis result to obtain the vulnerability analysis data of the persistence-layer mapping file.
With this solution, the SQL mapping path and corresponding line number of the persistence-layer mapping file are obtained so that the SQL injection vulnerability data can be combined accurately across lines; associating the vulnerability data with the mapping path and the line number yields the cross-layer association result and relates the several line numbers involved in one SQL injection vulnerability; analysing the construction path of the vulnerability from that result yields the vulnerability injection analysis result, that is, the complete call path of the vulnerability within the persistence-layer mapping file, which improves the accuracy of the cross-layer analysis; and tracing the vulnerability path from the vulnerability injection analysis result yields the vulnerability analysis data of the persistence-layer mapping file.
In a preferred example, tracing the path of the SQL injection vulnerability according to the vulnerability injection analysis result to obtain the vulnerability analysis data of the persistence-layer mapping file specifically comprises:
obtaining, according to the vulnerability injection analysis result, the SQL call information of the target SQL statement corresponding to the SQL injection vulnerability;
splicing the line numbers of all SQL call information of the persistence-layer mapping file with the SQL injection vulnerability data to obtain the injection vulnerability construction path of the SQL injection vulnerability in the persistence-layer mapping file; and
performing cross-layer analysis of all SQL injection vulnerabilities of the persistence-layer mapping file according to the injection vulnerability construction path to obtain the vulnerability analysis data of the persistence-layer mapping file.
With this solution, the target SQL statement corresponding to the SQL injection vulnerability is obtained from the vulnerability injection analysis result and its SQL call information is collected, so that the SQL statements at risk of injection are analysed specifically. The line numbers of all SQL call information in the persistence-layer mapping file are spliced with the SQL injection vulnerability data, the line number in the vulnerability data being appended to the SQL call information as the last point of the vulnerability tracking path; this gives the injection vulnerability construction path of the vulnerability in the persistence-layer mapping file and improves the accuracy of the cross-layer splice. Cross-layer analysis of all SQL injection vulnerabilities in the persistence-layer mapping file according to the construction path then yields the vulnerability analysis data of the file.
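As an added illustration of the data-flow side of the method (the analysis against the Sink rules, the collection of the complete call link, and the cross-layer splice that appends the mapping-file line number as the last point of the path), the following Python example is written for this page and is not the patent's code. It models a small Java application as a constructed intermediate representation: a controller with two request parameters, a service layer and a MyBatis Mapper interface, all with hypothetical names, plus two constructed Sink rules of the kind derived from a mapper XML (interface method, "${...}" parameter name, XML path and line). A forward taint propagation follows the request parameters through assignments and calls down to the Mapper interface; where a tainted value reaches a parameter named in a Sink rule, the Java call link is spliced with the XML path and line of the offending statement. A value that passes through the hypothetical validator SortWhitelist.check is treated as trusted, so only the unvalidated path is reported, which is the false-positive reduction the text describes. Return values of in-project calls are deliberately not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of the Java layers (hypothetical names, not real project code).
@dataclass
class Call:                 # dst = target(args); dst is None for a statement call
    line: int
    target: str
    args: List[str]
    dst: Optional[str] = None

@dataclass
class Assign:               # dst = src
    line: int
    dst: str
    src: str

@dataclass
class Method:
    fqn: str
    file: str
    params: List[str]
    body: list = field(default_factory=list)

@dataclass
class MapperSink:           # one Sink rule derived from a ${...} binding in a mapper XML
    method: str             # Mapper interface FQN + method name (the statement id)
    parameter: str          # name inside ${...}
    xml_path: str
    xml_line: int

PROGRAM: Dict[str, Method] = {m.fqn: m for m in [
    Method("com.example.web.UserController.list", "UserController.java", ["sort", "q"], [
        Call(20, "com.example.util.SortWhitelist.check", ["sort"], dst="safeSort"),
        Call(21, "com.example.service.UserService.listSorted", ["safeSort"]),
        Call(22, "com.example.service.UserService.search", ["q"]),
    ]),
    Method("com.example.service.UserService.listSorted", "UserService.java", ["orderBy"],
           [Call(30, "com.example.dao.UserMapper.listSorted", ["orderBy"])]),
    Method("com.example.service.UserService.search", "UserService.java", ["keyword"],
           [Assign(35, "kw", "keyword"),
            Call(36, "com.example.dao.UserMapper.search", ["kw"])]),
    Method("com.example.dao.UserMapper.listSorted", "UserMapper.java", ["orderBy"]),
    Method("com.example.dao.UserMapper.search", "UserMapper.java", ["keyword"]),
]}
# Sources: the controller's request parameters. Sanitizers: methods whose result is
# treated as validated (here a hypothetical ORDER BY column whitelist).
SOURCES = [("com.example.web.UserController.list", "sort"),
           ("com.example.web.UserController.list", "q")]
SANITIZERS = {"com.example.util.SortWhitelist.check"}
SINK_RULES = [MapperSink("com.example.dao.UserMapper.listSorted", "orderBy", "mapper/UserMapper.xml", 10),
              MapperSink("com.example.dao.UserMapper.search", "keyword", "mapper/UserMapper.xml", 13)]

Step = Tuple[str, int, str]  # (file, line, what is reached there)

@dataclass
class Finding:
    source: str
    chain: List[Step]        # Java call link, then the XML statement as the last point

    def render(self) -> str:
        return " -> ".join([self.source] + [f"{f}:{ln} {d}" for f, ln, d in self.chain])


def trace(program, sources, sanitizers, rules) -> List[Finding]:
    """Forward taint propagation from sources to Sink rules across the Java layers,
    splicing the mapper XML path and line onto each hit. Unknown library calls pass
    taint through to their result; a call to a sanitizer kills it."""
    sink_index = {(r.method, r.parameter): r for r in rules}
    findings, seen = [], set()
    work = [(m, v, f"{m}({v})", []) for m, v in sources]
    while work:
        m, var, src, path = work.pop()
        if (m, var) in seen:
            continue
        seen.add((m, var))
        for st in program[m].body:
            if isinstance(st, Assign) and st.src == var:
                work.append((m, st.dst, src, path))
            elif isinstance(st, Call) and var in st.args:
                if st.target in sanitizers:
                    continue                         # validated value: taint is killed
                if st.target not in program:
                    if st.dst:
                        work.append((m, st.dst, src, path))
                    continue
                for i, a in enumerate(st.args):
                    if a != var:
                        continue
                    param = program[st.target].params[i]
                    step = (program[m].file, st.line, f"{st.target}({param})")
                    rule = sink_index.get((st.target, param))
                    if rule:                         # cross-layer splice: XML line is the last point
                        findings.append(Finding(src, path + [step, (rule.xml_path, rule.xml_line,
                                                                    f"${{{rule.parameter}}}")]))
                    else:
                        work.append((st.target, param, src, path + [step]))
    return findings


if __name__ == "__main__":
    for finding in trace(PROGRAM, SOURCES, SANITIZERS, SINK_RULES):
        print(finding.render())
```

Run stand-alone, the block prints a single line for the unvalidated keyword path, from UserController.java:22 through UserService.java:36 to mapper/UserMapper.xml:13; the ORDER BY rule is present in SINK_RULES but produces no finding because the only value reaching it has been through the whitelist.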
In a second aspect, the above object of the present application is achieved by the following technical solution:
a device for analysing SQL injection vulnerabilities based on an ORM framework, comprising:
a data acquisition module, for obtaining the SQL mapping tags that bind external data sources in a persistence-layer mapping file of the ORM framework and the root tag of the persistence-layer mapping file;
a data association module, for associating the SQL mapping tags with the root tag, reading the attribute parameters through the tag association result and building the data-flow Sink rule of the persistence-layer mapping file from them;
a data analysis module, for performing the data-flow analysis for SQL injection vulnerabilities on the data-flow Sink rule to obtain the SQL injection vulnerability data of the Sink rule; and
a data tracking module, for associating the SQL injection vulnerability data across layers with the persistence-layer mapping file and tracing vulnerabilities according to the cross-layer association result to obtain the vulnerability analysis data of the persistence-layer mapping file.
With this solution, the device combines the same two analysis algorithms as the method of the first aspect: the XML analysis of the persistence-layer mapping file, which supplies the data-flow Sink rules, and the data-flow analysis, which checks whether the data source reaching each rule is trusted. It performs the same cross-layer association and tracing, and therefore removes both the false negatives of a data-flow algorithm without preset Sink rules and the false positives of an XML analysis that does not judge the data source, improving the accuracy of the combined analysis of SQL injection vulnerabilities.
In a third aspect, the above object of the present application is achieved by the following technical solution:
a computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the steps of the above method for analysing SQL injection vulnerabilities based on an ORM framework.
In a fourth aspect, the above object of the present application is achieved by the following technical solution:
a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the above method for analysing SQL injection vulnerabilities based on an ORM framework.
In summary, the present application provides at least one of the following beneficial technical effects:
1. For application systems built on the MyBatis framework, it addresses the inability of a single data-flow analysis algorithm or a single XML analysis algorithm to identify SQL injection vulnerabilities accurately in a layered system based on an ORM framework, and overcomes the inability to perform data-flow analysis across the boundary between the Java code layer and the ORM persistence layer. This improves the static identification capability and accuracy for SQL injection vulnerabilities, removes the false negatives that arise because the data-flow algorithm cannot analyse across layers in an application whose persistence layer is an ORM framework, and removes the false positives that arise because the XML analysis algorithm does not judge whether the data source is safe and trusted.
2. The method analyses the metadata of the ORM framework in advance and automatically generates from it the Sink rules needed by the data-flow analysis algorithm, then analyses in the business code layer whether an untrusted or unvalidated data source reaches the persistence-layer mapping file and causes an SQL injection vulnerability there. Specifically, the SQL mapping files (mappers) defined in MyBatis are parsed to identify configurations that bind data with "$" (the "${}" string-substitution syntax, as opposed to the "#{}" bind-parameter syntax); the primary information of the bound data source, such as parameters, conditions and outputs, is extracted; the Sink rules required for SQL injection are built from this information; and the data call link of each Sink rule is followed in the business code layer to determine whether an untrusted or unvalidated data source enters the mapping file, which establishes whether an SQL injection risk exists. The file, line number and call link produced in the Java code layer are recorded together with the vulnerability identified in the corresponding XML mapping file of the ORM framework, so that the vulnerability is tracked across layers and is easy for developers to analyse and fix.
3. The configuration items of the persistence layer in which SQL injection vulnerabilities may exist are generated automatically from the mapping files of the ORM framework and used as the Sink points of the data-flow analysis algorithm, which overcomes the algorithm's inability to preset rules. Through cross-layer and cross-language data analysis, the propagation of external input data and the method call link are tracked and recorded up to the dynamic SQL construction statement of the persistence-layer mapping file, and all of it is collected in the same result set, so that developers can identify potential SQL injection vulnerabilities conveniently.
Drawings
FIG. 1 is a flowchart of the method for analysing SQL injection vulnerabilities based on an ORM framework.
FIG. 2 is a flowchart of step S20 of the method.
FIG. 3 is a flowchart of the construction of the tree-structure framework in the method.
FIG. 4 is a flowchart of file parsing in the method.
FIG. 5 is a flowchart of the data-flow analysis in the method.
FIG. 6 is a flowchart of step S30 of the method.
FIG. 7 is a flowchart of step S40 of the method.
FIG. 8 is a flowchart of step S404 of the method.
FIG. 9 is a block diagram of the device for analysing SQL injection vulnerabilities based on an ORM framework.
FIG. 10 is a schematic diagram of the internal structure of a computer device implementing the method.
Detailed Description
The present application will be described in further detail with reference to the accompanying drawings.
In one embodiment, as shown in FIG. 1, the application discloses an analysis method for SQL injection vulnerabilities based on an ORM framework, which comprises the following steps:
S10: Acquire the SQL mapping tags of all bound external data sources in the persistence layer mapping file of the ORM framework, together with the root tag of the persistence layer mapping file.
Specifically, an XML analysis algorithm parses the persistence layer mapping file of the ORM framework, obtains the root tag of the mapping file, and searches the file for all SQL mapping tags that dynamically bind an external data source with "$".
S20: Associate the SQL mapping tags with the root tag, and call the associated attribute parameters according to the tag association result to build the data-flow Sink rule of the persistence layer mapping file.
Specifically, the "namespace" attribute data of the persistence layer mapping file is obtained from the located SQL mapping tags and the root tag of the mapping file, and the data-flow Sink rule is generated automatically, as shown in FIG. 2, which specifically comprises:
S201: Acquire and parse the SQL mapping file corresponding to the SQL mapping tag to obtain the tree structure node information of the SQL mapping file within the persistence layer mapping file.
Specifically, all SQL mapping files in the project-specific folder are screened according to the SQL mapping tags, the screened files are parsed with a DOM parser, and the tree structure node information of each SQL mapping file in the persistence layer mapping file is obtained from the parse result, so that node information can be looked up during the subsequent analysis.
In one embodiment, before the SQL mapping file corresponding to the SQL mapping tag is acquired and parsed to obtain its tree structure node information in the persistence layer mapping file, the method further comprises, as shown in FIG. 3:
S2011: Acquire the target persistence layer mapping files of the given project, and analyze whether specific naming parameters exist in each target persistence layer mapping file to obtain its parameter analysis result.
Specifically, the target persistence layer mapping files of the given project are screened by the XML analysis algorithm: all XML files in the specified folder of the project are collected, and each is checked for the MyBatis-specific naming parameters, namely the specific namespace and the corresponding namespace attribute parameters such as the fully qualified name of the interface class; the outcome is the parameter analysis result of the target persistence layer mapping file.
S2012: Judge, according to the parameter analysis result, whether each target persistence layer mapping file is an SQL mapping file, and acquire all SQL mapping files among the target persistence layer mapping files according to the judgment result.
Specifically, whether each XML file is an SQL mapping file is judged from the specific naming parameters in the parameter analysis result. An SQL mapping file usually needs a specific DTD definition and a MyBatis namespace declaration, and the fully qualified name of the interface class is usually assigned to the MyBatis namespace attribute value; when these specific naming parameters are present in an XML file, the target persistence layer file is an SQL mapping file. All target persistence layer mapping files of the given project are traversed, and all SQL mapping files among those carrying the specific naming parameters are collected.
S2013: Parse all the SQL mapping files, obtain the element attributes of each SQL mapping file from the parse result, and use the element attributes as the tree structure nodes corresponding to that SQL mapping file.
Specifically, all SQL mapping files are parsed with a document object model parser such as a DOM parser; the elements and attribute parameters of each file are identified during parsing, and the identified element attribute parameters are converted into nodes of a tree structure so that they can be used when the tree structure is built later.
In this embodiment, the SQL mapping file is parsed by the DOM parser. A mapping file generally contains SQL statements, parameter mappings, result mappings and the like; the XML analysis algorithm processes the relevant content selectively and generates the data-flow Sink rule automatically. The parsing process, shown in FIG. 4, mainly comprises: loading a Mapper file; parsing it with the DOM parser to obtain the tree structure node information in the Mapper file; obtaining the fully qualified name of the JAVA interface class; parsing the node information of the tree structure nodes; and judging from the parse result whether the Mapper file contains injected parameters. If it does, the corresponding vulnerability information, such as the method name and parameter mapping information, is recorded, the line number where "$" is located is obtained, and a rule file is generated; if it does not, nothing is recorded for that file.
In one embodiment, invoking the data-flow analysis engine to execute JAVA code analysis is shown in FIG. 5 and mainly comprises: loading the rule file into the engine; the data-flow analysis engine parses the Sink rule file and reads the JAVA class, method, security vulnerability detection analysis statement and the like corresponding to each Sink rule; the analysis results are matched against the mapping file integration link; SQL injection vulnerabilities are detected and searched for according to the Sink rule content, and the complete call link of each SQL injection vulnerability is obtained; it is then judged whether the mapping file integration link meets the "$" injection condition. If it does, the corresponding integration link data is recorded and associated with the corresponding JAVA class and XML file; if not, the analysis result is not recorded.
S2014: and constructing association relations between all SQL mapping files and target persistent layer mapping files, and generating a tree structure framework of a given item by combining tree structure nodes of each SQL mapping file.
Specifically, according to the attribution relation of each SQL mapping file in the target persistent layer mapping file, the association relation between all SQL mapping files and the target persistent layer mapping file is constructed, the tree structure node of each SQL mapping file is combined, the tree structure frame of a given item is built through a DOM parser, and the corresponding attribute effective information is acquired through accessing the tree structure node of the tree structure frame.
S202: and acquiring the Mapper interface parameters of the SQL mapping file in the persistent layer mapping file, and searching a target SQL statement corresponding to the tree structure node information in the Mapper interface parameters.
Specifically, the 'NameSpace' attribute value of the SQL mapping file is read, the Mapper interface parameter of the SQL mapping file in the persistence layer mapping file, such as the full-limit name of the Mapper interface, is obtained, the tree structure node information of the persistence layer mapping file is traversed, and the SQL statement related to the full-limit name of the Mapper interface in the tree structure node information is searched to obtain the target SQL statement.
In an embodiment, after traversing the tree structure node information to search the Mapper interface parameter, obtaining a target SQL statement corresponding to the tree structure node information in the Mapper interface parameter, the method further includes:
s2021: and acquiring statement label parameters of the target SQL statement, and marking the statement label parameters as Sink points convenient for data stream analysis.
Specifically, the tag attribute of the target SQL statement in step S202 is obtained, and one SQL statement tag usually has "id" (unique identifier of the target SQL statement), "paramettype" (parameter type accepted by the target SQL statement may be entity class, basic data type, etc.), and "resultatttype" (type of returned result of the target SQL statement may be entity class, basic data type, etc.), etc. The method comprises the steps of obtaining the value of an 'id' attribute, namely a method name in a corresponding JAVA class, obtaining the value of a 'parameter type' attribute, namely an entry type, marking sentence label parameters such as the method name, the entry type, a return result type and the like into Sink points in advance, and supplying the Sink points to a data stream analysis algorithm for SQL injection vulnerability analysis.
S2022: and carrying out injection data flow analysis on Sink points to obtain a complete construction path of the target SQL statement in the persistent layer mapping file.
Specifically, the Sink point is subjected to injection data flow analysis through an XML analysis algorithm, and according to the calling sequence of the target SQL statement corresponding to the Sink point in the persistent layer mapping file, the data calling condition of the Sink point in the persistent layer mapping file is subjected to data tracking, so that a complete construction path of the target SQL statement in the persistent layer mapping file is generated.
S203: judging whether external data source parameters are injected into the target SQL statement, and acquiring parameter mapping data of the external data source parameters according to a judging result.
Specifically, in this embodiment, the external data source parameters are dynamically bound by "$", so in this embodiment, whether the external data source parameters are injected into the target SQL statement is determined by determining whether the data parameters of "$" are included in the SQL statement, if the "$" symbol is carried in the SQL statement, it is indicated that the external data source parameters are dynamically bound into the target SQL statement, if the "$" symbol is not included in the SQL statement, it is indicated that the external data source parameters are not included in the target SQL statement, and if the "$" symbol is not included in the target SQL statement, the parameter mapping label of the external data source parameters of the target SQL statement in which the "$" symbol is injected is marked according to the determination result, so as to obtain the parameter mapping data corresponding to the external data source parameters.
It should be noted that, SQL statements are generally defined by tags such as < select >, < insert >, < update >, and < delete >, where < SQL > also requires the retrieval of all definition tags referencing the < SQL > tag. Reusable SQL fragments are typically defined using < SQL > tags, for example, when a < select > tag contains a < include > tag, the "redirect" attribute value therein is obtained, and the obtained attribute value is the "id" attribute value of the < SQL > tag. Judging whether the parameters of "$" injection exist in the tags such as < select >, < insert >, < update >, and < delete >, or whether the parameters of "$" injection exist in the SQL statement referenced by the < include > tag, and if so, judging that the SQL injection risk exists in the corresponding tag.
S204: inputting the parameter mapping data and the interface full-limit name into a preset rule template to perform attribute parameter association, and building a data stream Sink rule of the persistent layer mapping file according to the associated attribute parameters.
Specifically, basic information such as a vulnerability name, a type, a risk degree and the like is preset in a preset rule template, corresponding function labels including names, methods, types and the like are created, parameter mapping data including data such as full-limit names, method names, parameter entering types and the like of JAVA classes are associated with the interface full-limit names of the corresponding JAVA interface classes and the corresponding methods and the like to perform attribute parameter association, such as the interface full-limit names are associated with the parameters such as the corresponding method names, parameter types and the like, and a data stream Sink rule of the persistent layer mapping file is built according to the association relation of the attribute parameters.
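As an added illustration of steps S201 to S204 (example code written for this page, not the applicant's implementation): a line-aware scanner that parses a constructed MyBatis mapper file with Python's expat bindings, checks that the root <mapper> tag carries a namespace, resolves <include refid> references to <sql id> fragments, and emits one Sink rule per "$" substitution with the statement id, parameterType, resultType, parameter name and line number. The sample mapper, the interface name com.example.dao.UserMapper, the file layout and the rule dictionary shape are assumptions; the statement's own text is scanned before any included fragment, so rule order follows the statement body first.

```python
"""Line-aware extraction of ${} Sink rules from a MyBatis mapper file (steps S201-S204)."""
import re
from xml.parsers import expat

# Constructed sample mapper (hypothetical project, not from the patent).
# Line 5 carries ${sortColumn} inside a reusable <sql> fragment, line 9 carries ${orderBy}.
MAPPER_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
  "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.example.dao.UserMapper">
  <sql id="userColumns">id, name, ${sortColumn}</sql>
  <select id="findByName" parameterType="string" resultType="com.example.User">
    SELECT <include refid="userColumns"/> FROM users
    WHERE name = #{name}
    ORDER BY ${orderBy}
  </select>
  <update id="touch" parameterType="int">
    UPDATE users SET last_seen = NOW() WHERE id = #{id}
  </update>
</mapper>
"""

STATEMENT_TAGS = {"select", "insert", "update", "delete"}
DOLLAR_PARAM = re.compile(r"\$\{\s*([^}]+?)\s*\}")


class MapperScanner:
    """Expat-driven walk of one mapper file that keeps the line of every text chunk."""

    def __init__(self):
        self.namespace = None   # <mapper namespace="...">: fully qualified interface name
        self.fragments = {}     # <sql id> -> node dict
        self.statements = []    # <select|insert|update|delete> node dicts in document order
        self._current = None    # node whose text is being collected
        self._parser = expat.ParserCreate()
        self._parser.StartElementHandler = self._start
        self._parser.EndElementHandler = self._end
        self._parser.CharacterDataHandler = self._text

    @staticmethod
    def _node(tag, attrs):
        return {"tag": tag, "id": attrs.get("id"),
                "parameterType": attrs.get("parameterType"),
                "resultType": attrs.get("resultType"),
                "segments": [],   # (start line, text) pairs
                "includes": []}   # refids resolved after parsing

    def _start(self, tag, attrs):
        if tag == "mapper":
            self.namespace = attrs.get("namespace")
        elif tag == "sql":
            self._current = self.fragments[attrs.get("id")] = self._node(tag, attrs)
        elif tag in STATEMENT_TAGS:
            self._current = self._node(tag, attrs)
            self.statements.append(self._current)
        elif tag == "include" and self._current is not None and attrs.get("refid"):
            # Deferred: the referenced <sql> may be declared later in the file.
            self._current["includes"].append(attrs["refid"])

    def _end(self, tag):
        if tag == "sql" or tag in STATEMENT_TAGS:
            self._current = None

    def _text(self, data):
        if self._current is not None:
            # CurrentLineNumber is the line where this chunk starts; newline offsets are added later.
            self._current["segments"].append((self._parser.CurrentLineNumber, data))

    def parse(self, xml_text):
        self._parser.Parse(xml_text, True)
        return self

    def _resolved_segments(self, node, seen=()):
        segments = list(node["segments"])
        for refid in node["includes"]:
            if refid in seen or refid not in self.fragments:
                continue  # unknown or cyclic include: skip instead of looping
            segments.extend(self._resolved_segments(self.fragments[refid], seen + (refid,)))
        return segments

    def sink_rules(self):
        """One rule per ${} substitution, in the shape the rule template of S204 needs."""
        rules = []
        for stmt in self.statements:
            for line, text in self._resolved_segments(stmt):
                for match in DOLLAR_PARAM.finditer(text):
                    rules.append({"namespace": self.namespace, "method": stmt["id"],
                                  "tag": stmt["tag"], "parameterType": stmt["parameterType"],
                                  "resultType": stmt["resultType"], "param": match.group(1),
                                  "line": line + text[: match.start()].count("\n")})
        return rules


def is_sql_mapping_file(xml_text):
    """S2011/S2012: a mapping file has a <mapper> root carrying a namespace attribute."""
    try:
        return MapperScanner().parse(xml_text).namespace is not None
    except expat.ExpatError:
        return False


def extract_sink_rules(xml_text):
    return MapperScanner().parse(xml_text).sink_rules()


if __name__ == "__main__":
    for rule in extract_sink_rules(MAPPER_XML):
        print(f"{rule['namespace']}.{rule['method']} line {rule['line']}: ${{{rule['param']}}}")
```

Running it on the sample reports findByName twice: once for ${orderBy} on line 9 and once for ${sortColumn} on line 5, reached only through the <include> of the userColumns fragment; the update statement, which uses #{id} alone, yields no rule.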
S30: and carrying out data flow analysis of SQL injection holes on the data flow Sink rule to obtain SQL injection hole data of the data flow Sink rule.
Specifically, as shown in fig. 6, step S30 specifically includes the following steps:
s301: and carrying out data flow analysis on the data flow Sink rule to obtain the function tag parameters corresponding to the data flow Sink rule.
Specifically, adding a data stream Sink rule into a data stream analysis algorithm of the SAST tool, for example, loading the data stream Sink rule into a scanning engine of the SAST tool, scanning submitted project source codes and the added data stream Sink rule through the data stream analysis algorithm, carrying out data analysis on the data stream Sink rule according to a scanning result, and reading corresponding JAVA categories, methods, security vulnerability detection analysis sentences and other contents in the Sink rule, thereby obtaining function tag parameters corresponding to the data stream Sink rule.
S302: and performing SQL injection vulnerability detection processing on the function tag parameters, and acquiring a complete call link of the SQL injection vulnerability according to the vulnerability detection result.
Specifically, SQL injection vulnerability detection is performed on the function tag parameters according to an XML analysis algorithm, SQL injection vulnerabilities in the data stream Sink rules are searched, and a calling process of the SQL injection vulnerabilities in the Sink rules is obtained according to a vulnerability detection result, so that a complete calling link of the SQL injection vulnerabilities is obtained.
S303: judging whether SQL injection vulnerability risks exist in the persistent layer mapping file corresponding to the data stream Sink rule according to the complete call link.
Specifically, according to the complete call link of the SQL injection vulnerability, judging whether the SQL injection vulnerability risk exists in the persistent layer mapping file corresponding to the data stream Sink rule, if so, whether the parameter of the external data source injection is bound with $', and if so, judging whether the external data source is an unverified external input parameter, and if so, judging that the SQL injection vulnerability risk exists in the corresponding call link.
S304: if yes, summarizing the complete call link of the SQL injection vulnerability and the corresponding SQL injection vulnerability analysis record to the same result set, and generating SQL injection vulnerability data containing the SQL injection vulnerability tracking process.
Specifically, when the SQL injection vulnerability risk exists in the persistent layer mapping file, the complete calling link of the SQL injection vulnerability and the corresponding SQL injection vulnerability analysis record are summarized under the same storage path to obtain an SQL injection vulnerability analysis result set, wherein the injection vulnerability analysis result set comprises information such as a vulnerability name, a file name, a key code, a key position and the like, and SQL injection vulnerability tracking is performed according to all SQL injection vulnerability analysis result sets of the persistent layer mapping file to obtain SQL injection vulnerability data comprising an SQL injection vulnerability tracking process.
S40: and performing cross-layer data association on the SQL injection vulnerability data and the persistent layer mapping file, and performing vulnerability tracking processing according to a cross-layer data association result to obtain vulnerability analysis data of the persistent layer mapping file.
Specifically, as shown in fig. 7, step S40 specifically includes the following steps:
s401: and acquiring the SQL mapping path and the SQL mapping line number of the persistent layer mapping file.
Specifically, the MyBatis mapping file is analyzed through an XML analysis algorithm, and the SQL mapping path and the SQL mapping line number of the persistent layer mapping file are obtained according to the analysis result.
S402: and respectively carrying out cross-layer data association on the SQL injection vulnerability data and the SQL mapping path and the SQL mapping line number to obtain a cross-layer data association result of the SQL injection vulnerability.
Specifically, the SQL injection vulnerability data are respectively associated with the SQL mapping path and the SQL mapping line number, for example, the SQL injection vulnerability data are associated with the SQL mapping path, the complete mapping path of the SQL injection vulnerability in the persistent layer mapping file is obtained, and the complete mapping line number of the SQL injection vulnerability in the persistent layer file is obtained according to the SQL injection vulnerability data associated with the SQL mapping line number, so that cross-layer data association of the SQL injection vulnerability is carried out according to the interrelation relationship among the SQL injection vulnerability data, the SQL mapping path and the SQL mapping line number, and cross-layer data association results of the SQL injection vulnerability in the persistent layer mapping file are obtained.
S403: and performing vulnerability construction path analysis on the SQL injection vulnerability according to the cross-layer data association result to obtain a vulnerability injection analysis result.
Specifically, performing vulnerability construction path analysis on the SQL injection vulnerability according to the cross-layer data association result, for example, analyzing the complete mapping paths of SQL sentences corresponding to the SQL injection vulnerability in a plurality of mapping line numbers according to the mapping paths and the mapping line numbers of the SQL injection vulnerability, and analyzing the mapping line numbers corresponding to the SQL injection vulnerability, thereby obtaining a vulnerability injection analysis result of the SQL sentences corresponding to the SQL injection vulnerability.
S404: and carrying out path tracking processing on the SQL injection loopholes according to the loophole injection analysis result to obtain loophole analysis data of the persistent layer mapping file.
Specifically, as shown in fig. 8, step S404 specifically includes the following steps:
s4041: and acquiring SQL call information of a target SQL statement corresponding to the SQL injection vulnerability according to the vulnerability injection analysis result.
Specifically, according to the analysis result of the vulnerability injection, a target SQL statement corresponding to the SQL injection vulnerability is obtained, and according to whether an external data source parameter is bound in the target SQL statement through "$", the method name, parameter mapping information, the number of lines where "$" is located and other SQL call information of the target SQL statement are obtained.
S4042: and performing row number splicing on all SQL call information of the persistent layer mapping file and SQL injection vulnerability data to obtain an injection vulnerability construction path of the SQL injection vulnerability in the persistent layer mapping file.
Specifically, all SQL call information of the persistent layer mapping file is respectively spliced with SQL injection vulnerability data in a row number mode, the row number recorded in the SQL injection vulnerability data is used as the last point of a vulnerability tracking path, the SQL call information is spliced, and an injection vulnerability construction path of the SQL injection vulnerability in the persistent layer mapping file is obtained according to a splicing result.
S4043: and performing cross-layer analysis on all SQL injection vulnerabilities of the persistent layer mapping file according to the injection vulnerability construction path to obtain vulnerability analysis data of the persistent layer mapping file.
Specifically, cross-layer analysis is performed on all SQL injection vulnerabilities in the persistent layer mapping file according to the injection vulnerability construction path, related parameters are searched for on SQL call information of the SQL injection vulnerabilities in each row number, cross-layer analysis is performed on the SQL injection vulnerabilities among a plurality of row numbers according to the searched related parameters, and cross-layer vulnerability analysis data of the SQL injection vulnerabilities in the persistent layer mapping file is obtained.
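Steps S303 to S4043, as an added example (written for this page, not the patent's code): constructed Java-side data-flow findings are joined to the mapper Sink rules by (namespace, method, parameter), a finding is rated as a risk only when no hop on its call chain validates the externally supplied value, and the mapper path and line number are spliced on as the last point of the vulnerability construction path, with results grouped per mapper file. All file names, class names, line numbers and the "validated" flag on a call-chain hop are assumptions; the Sink rule records mirror what the mapper scan of S20 would produce for a file with "$" substitutions on lines 5 and 9.

```python
"""Cross-layer association of data-flow findings with mapper Sink rules (steps S303-S4043)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SinkRule:
    """One Sink rule from the mapper XML: where a ${} substitution lives."""
    mapper_path: str
    namespace: str
    method: str
    param: str
    line: int


@dataclass(frozen=True)
class Frame:
    """One hop on the Java-side call chain reported by the data-flow engine."""
    location: str            # "Class.method(File.java:line)"
    validated: bool = False  # True when this hop allow-lists or otherwise validates the value


@dataclass(frozen=True)
class Finding:
    """Data-flow engine output: external input reaching a mapper method parameter."""
    source: str
    frames: tuple
    sink_namespace: str
    sink_method: str
    sink_param: str


# Constructed sample data (hypothetical project, not from the patent).
MAPPER = "src/main/resources/mapper/UserMapper.xml"
SINK_RULES = (
    SinkRule(MAPPER, "com.example.dao.UserMapper", "findByName", "orderBy", 9),
    SinkRule(MAPPER, "com.example.dao.UserMapper", "findByName", "sortColumn", 5),
)
FINDINGS = (
    # HTTP parameter flows unchecked into the ORDER BY substitution.
    Finding("HTTP param 'sort' in UserController.list(UserController.java:42)",
            (Frame("UserService.listUsers(UserService.java:27)"),
             Frame("UserMapper.findByName(UserMapper.java:12)")),
            "com.example.dao.UserMapper", "findByName", "orderBy"),
    # Same statement, but a service hop allow-lists the column name first.
    Finding("HTTP param 'column' in UserController.list(UserController.java:43)",
            (Frame("UserService.pickColumn(UserService.java:35)", validated=True),
             Frame("UserMapper.findByName(UserMapper.java:12)")),
            "com.example.dao.UserMapper", "findByName", "sortColumn"),
    # No Sink rule for this method (it uses #{} only): dropped at association time.
    Finding("HTTP param 'id' in UserController.touch(UserController.java:58)",
            (Frame("UserMapper.touch(UserMapper.java:20)"),),
            "com.example.dao.UserMapper", "touch", "id"),
)


def associate(finding, rules):
    """S402: join a Java-side finding to its XML Sink rule by (namespace, method, param)."""
    key = (finding.sink_namespace, finding.sink_method, finding.sink_param)
    for rule in rules:
        if (rule.namespace, rule.method, rule.param) == key:
            return rule
    return None


def has_injection_risk(finding):
    """S303: risk exists when the "$"-bound value is external input that no hop validates."""
    return not any(frame.validated for frame in finding.frames)


def construction_path(finding, rule):
    """S4042: splice the call chain with the mapper line as the last point of the path."""
    path = [finding.source] + [frame.location for frame in finding.frames]
    path.append(f"{rule.mapper_path}:{rule.line} ${{{rule.param}}}")
    return path


def analyze(findings, rules):
    """S304/S4043: per-file result set of tracked SQL injection vulnerabilities."""
    by_file = defaultdict(list)
    for finding in findings:
        rule = associate(finding, rules)
        if rule is None:
            continue
        by_file[rule.mapper_path].append({
            "vulnerability": "SQL injection via ${} substitution",
            "method": f"{rule.namespace}.{rule.method}",
            "line": rule.line,
            "risk": has_injection_risk(finding),
            "path": construction_path(finding, rule),
        })
    return dict(by_file)


if __name__ == "__main__":
    for path, records in analyze(FINDINGS, SINK_RULES).items():
        print(path)
        for rec in records:
            print(f"  line {rec['line']} risk={rec['risk']}: " + " -> ".join(rec["path"]))
```

The first finding is reported as a risk ending at UserMapper.xml line 9; the second keeps its construction path but is rated risk-free because a validated hop precedes the sink; the third never reaches the result set because no Sink rule matches it.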
It should be understood that the sequence number of each step in the foregoing embodiment does not mean that the execution sequence of each process should be determined by the function and the internal logic, and should not limit the implementation process of the embodiment of the present application.
In one embodiment, an analysis device for SQL injection vulnerabilities based on an ORM framework is provided, which corresponds one-to-one with the analysis method for SQL injection vulnerabilities based on an ORM framework of the above embodiment. As shown in FIG. 9, the device comprises a data acquisition module, a data association module, a data analysis module and a data tracking module, described in detail as follows:
The data acquisition module is configured to acquire the SQL mapping tags of all bound external data sources in the persistence layer mapping file of the ORM framework, together with the root tag of the persistence layer mapping file.
The data association module is configured to associate the SQL mapping tags with the root tag, and to build the data-flow Sink rule of the persistence layer mapping file from the attribute parameters called according to the tag association result.
The data analysis module is configured to perform SQL injection vulnerability data-flow analysis on the data-flow Sink rule to obtain the SQL injection vulnerability data of the data-flow Sink rule.
The data tracking module is configured to perform cross-layer data association between the SQL injection vulnerability data and the persistence layer mapping file, and to perform vulnerability tracking according to the cross-layer data association result to obtain the vulnerability analysis data of the persistence layer mapping file.
Preferably, the data association module specifically comprises:
a node information acquisition sub-module, configured to acquire and parse the SQL mapping file corresponding to the SQL mapping tag to obtain the tree structure node information of the SQL mapping file in the persistence layer mapping file;
an interface parameter acquisition sub-module, configured to acquire the Mapper interface parameters of the SQL mapping file in the persistence layer mapping file and to search the tree structure node information for the target SQL statement corresponding to those Mapper interface parameters;
a vulnerability judging sub-module, configured to judge whether external data source parameters are injected into the target SQL statement and to acquire the parameter mapping data of the external data source parameters according to the judgment result; and
a rule generation sub-module, configured to input the parameter mapping data and the fully qualified interface name into a preset rule template for attribute parameter association and to build the data-flow Sink rule of the persistence layer mapping file from the associated attribute parameters.
Preferably, after the tree structure node information has been traversed for the Mapper interface parameters and the target SQL statement corresponding to them has been obtained, the method further comprises:
a parameter marking sub-module, configured to acquire the statement tag parameters of the target SQL statement and to mark them as Sink points for data-flow analysis; and
a path construction sub-module, configured to perform injection data-flow analysis on the Sink points to obtain the complete construction path of the target SQL statement in the persistence layer mapping file.
Preferably, before the SQL mapping file corresponding to the SQL mapping tag is acquired and parsed to obtain its tree structure node information in the persistence layer mapping file, the method further comprises:
a parameter analysis sub-module, configured to acquire the target persistence layer mapping files of the given project and to analyze whether specific naming parameters exist in them, obtaining the parameter analysis result of the target persistence layer mapping file;
a parameter judging sub-module, configured to judge, according to the parameter analysis result, whether the target persistence layer mapping file is an SQL mapping file and to acquire all SQL mapping files among the target persistence layer mapping files according to the judgment result;
a data parsing sub-module, configured to parse all the SQL mapping files, obtain the element attributes of each SQL mapping file from the parse result, and use the element attributes as the tree structure nodes corresponding to that SQL mapping file; and
a framework construction sub-module, configured to construct the association between all SQL mapping files and the target persistence layer mapping files and to generate the tree structure framework of the given project by combining the tree structure nodes of each SQL mapping file.
Preferably, the data analysis module specifically comprises:
a data analysis sub-module, configured to perform data-flow analysis on the data-flow Sink rule to obtain the function tag parameters corresponding to it;
a vulnerability detection sub-module, configured to perform SQL injection vulnerability detection on the function tag parameters and to acquire the complete call link of the SQL injection vulnerability according to the detection result;
a risk analysis sub-module, configured to judge, according to the complete call link, whether an SQL injection vulnerability risk exists in the persistence layer mapping file corresponding to the data-flow Sink rule; and
a data summarizing sub-module, configured, if so, to summarize the complete call link of the SQL injection vulnerability and the corresponding SQL injection vulnerability analysis record into the same result set and to generate SQL injection vulnerability data containing the SQL injection vulnerability tracking process.
Preferably, the data tracking module specifically comprises:
a mapping parameter acquisition sub-module, configured to acquire the SQL mapping path and the SQL mapping line number of the persistence layer mapping file;
a data association sub-module, configured to perform cross-layer data association of the SQL injection vulnerability data with the SQL mapping path and with the SQL mapping line number respectively, obtaining the cross-layer data association result of the SQL injection vulnerability;
a path analysis sub-module, configured to perform vulnerability construction path analysis on the SQL injection vulnerability according to the cross-layer data association result to obtain the vulnerability injection analysis result; and
a path tracking sub-module, configured to perform path tracking on the SQL injection vulnerability according to the vulnerability injection analysis result to obtain the vulnerability analysis data of the persistence layer mapping file.
Preferably, the path tracking sub-module specifically comprises:
a call information acquisition unit, configured to acquire, according to the vulnerability injection analysis result, the SQL call information of the target SQL statement corresponding to the SQL injection vulnerability;
a data splicing unit, configured to splice all SQL call information of the persistence layer mapping file with the SQL injection vulnerability data by line number to obtain the injection vulnerability construction path of the SQL injection vulnerability in the persistence layer mapping file; and
a vulnerability analysis unit, configured to perform cross-layer analysis of all SQL injection vulnerabilities of the persistence layer mapping file according to the injection vulnerability construction path to obtain the vulnerability analysis data of the persistence layer mapping file.
For specific limitations of the analysis device for SQL injection vulnerabilities based on an ORM framework, reference may be made to the limitations of the analysis method above, which are not repeated here. The modules of the analysis device may be implemented wholly or partly in software, in hardware, or in a combination of the two. The modules may be embedded in hardware, be independent of the processor of the computer device, or be stored as software in the memory of the computer device so that the processor can call and execute the operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server and whose internal structure may be as shown in FIG. 10. The computer device comprises a processor, a memory, a network interface and a database connected by a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device comprises a non-volatile storage medium and an internal memory; the non-volatile storage medium stores an operating system, computer programs and a database, and the internal memory provides the environment in which the operating system and computer programs in the non-volatile storage medium run. The database of the computer device stores the analysis data of SQL injection vulnerabilities of the ORM framework. The network interface of the computer device communicates with external terminals over a network connection. The computer program, when executed by the processor, implements the analysis method for SQL injection vulnerabilities based on an ORM framework.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor, implements the steps of the above method for analyzing SQL injection vulnerabilities based on an ORM framework.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in embodiments provided herein may include non-volatile and/or volatile memory. The nonvolatile memory can include Read Only Memory (ROM), programmable ROM (PROM), electrically Programmable ROM (EPROM), electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double Data Rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous Link DRAM (SLDRAM), memory bus direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM), among others.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional units and modules is illustrated, and in practical application, the above-described functional distribution may be performed by different functional units and modules according to needs, i.e. the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-described functions.
The above embodiments are only for illustrating the technical solution of the present application, and not for limiting it; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that the technical solutions described in the foregoing embodiments can be modified, or some of their technical features can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.

Claims (8)

1. An analysis method of SQL injection vulnerabilities based on an ORM framework, characterized by comprising the following steps: acquiring the SQL mapping labels of all bound external data sources in a persistent layer mapping file of the ORM framework, and the root label of the persistent layer mapping file; performing label association on the SQL mapping labels and the root label, and building a data flow Sink rule of the persistent layer mapping file from the associated attribute parameters retrieved according to the label association result; performing data flow analysis of SQL injection vulnerabilities on the data flow Sink rule to obtain SQL injection vulnerability data of the data flow Sink rule; performing cross-layer data association on the SQL injection vulnerability data and the persistent layer mapping file, and performing vulnerability tracking processing according to the cross-layer data association result to obtain vulnerability analysis data of the persistent layer mapping file;
wherein performing cross-layer data association on the SQL injection vulnerability data and the persistent layer mapping file, and performing vulnerability tracking processing according to the cross-layer data association result to obtain vulnerability analysis data of the persistent layer mapping file, specifically comprises: acquiring the SQL mapping path and the SQL mapping line number of the persistent layer mapping file; performing cross-layer data association of the SQL injection vulnerability data with the SQL mapping path and with the SQL mapping line number respectively, to obtain the cross-layer data association result of the SQL injection vulnerability; performing vulnerability construction path analysis on the SQL injection vulnerability according to the cross-layer data association result to obtain a vulnerability injection analysis result; and performing path tracking processing on the SQL injection vulnerability according to the vulnerability injection analysis result to obtain the vulnerability analysis data of the persistent layer mapping file;
and wherein performing path tracking processing on the SQL injection vulnerability according to the vulnerability injection analysis result to obtain the vulnerability analysis data of the persistent layer mapping file specifically comprises: acquiring, according to the vulnerability injection analysis result, the SQL call information of the target SQL statement corresponding to the SQL injection vulnerability; performing line number splicing on all SQL call information of the persistent layer mapping file and the SQL injection vulnerability data to obtain the injection vulnerability construction path of the SQL injection vulnerability in the persistent layer mapping file; and performing cross-layer analysis on all SQL injection vulnerabilities of the persistent layer mapping file according to the injection vulnerability construction path to obtain the vulnerability analysis data of the persistent layer mapping file.
2. The analysis method of SQL injection vulnerabilities based on the ORM framework according to claim 1, wherein building the data flow Sink rule of the persistent layer mapping file from the associated attribute parameters retrieved according to the label association result comprises: acquiring and parsing the SQL mapping file corresponding to the SQL mapping label to obtain tree structure node information of the SQL mapping file in the persistent layer mapping file; obtaining the Mapper interface parameters of the SQL mapping file in the persistent layer mapping file, and searching the Mapper interface parameters for the target SQL statement corresponding to the tree structure node information; judging whether an external data source parameter is injected into the target SQL statement, and acquiring parameter mapping data of the external data source parameter according to the judgment result; and inputting the parameter mapping data and the fully qualified interface name into a preset rule template to perform attribute parameter association, and building the data flow Sink rule of the persistent layer mapping file from the associated attribute parameters.
3. The analysis method of SQL injection vulnerabilities based on the ORM framework according to claim 2, wherein, after traversing the tree structure node information to search the Mapper interface parameters and obtaining the target SQL statement corresponding to the tree structure node information in the Mapper interface parameters, the method further comprises: acquiring the statement label parameters of the target SQL statement, and marking the statement label parameters as Sink points for data flow analysis; and performing injection data flow analysis on the Sink points to obtain the complete construction path of the target SQL statement in the persistent layer mapping file.
4. The analysis method of SQL injection vulnerabilities based on the ORM framework according to claim 2, wherein, before acquiring and parsing the SQL mapping file corresponding to the SQL mapping label to obtain the tree structure node information of the SQL mapping file in the persistent layer mapping file, the method further comprises: obtaining the target persistent layer mapping files of a given project, and analyzing whether specific naming parameters exist in the target persistent layer mapping files to obtain a parameter analysis result of the target persistent layer mapping files; judging, according to the parameter analysis result, whether a target persistent layer mapping file is an SQL mapping file, and acquiring all SQL mapping files among the target persistent layer mapping files according to the judgment result; parsing all the SQL mapping files, acquiring the element attributes of the SQL mapping files according to the parsing results, and taking the element attributes as the tree structure nodes corresponding to the SQL mapping files; and constructing association relations between all the SQL mapping files and the target persistent layer mapping files, and generating the tree structure framework of the given project by combining the tree structure nodes of each SQL mapping file.
5. The analysis method of SQL injection vulnerabilities based on the ORM framework according to claim 1, wherein performing data flow analysis of SQL injection vulnerabilities on the data flow Sink rule to obtain the SQL injection vulnerability data of the data flow Sink rule specifically comprises: performing data flow analysis on the data flow Sink rule to obtain the function label parameters corresponding to the data flow Sink rule; performing SQL injection vulnerability detection processing on the function label parameters, and acquiring the complete call link of the SQL injection vulnerability according to the vulnerability detection result; judging, according to the complete call link, whether an SQL injection vulnerability risk exists in the persistent layer mapping file corresponding to the data flow Sink rule; and if so, collecting the complete call link of the SQL injection vulnerability and the corresponding SQL injection vulnerability analysis record into the same result set, and generating SQL injection vulnerability data that contains the SQL injection vulnerability tracking process.
6. An analysis device for SQL injection vulnerabilities based on an ORM framework, comprising: a data acquisition module, configured to acquire the SQL mapping labels of all bound external data sources in a persistent layer mapping file of the ORM framework, and the root label of the persistent layer mapping file; a data association module, configured to perform label association on the SQL mapping labels and the root label, and to build a data flow Sink rule of the persistent layer mapping file from the associated attribute parameters retrieved according to the label association result; a data analysis module, configured to perform data flow analysis of SQL injection vulnerabilities on the data flow Sink rule to obtain SQL injection vulnerability data of the data flow Sink rule; and a data tracking module, configured to perform cross-layer data association on the SQL injection vulnerability data and the persistent layer mapping file, and to perform vulnerability tracking processing according to the cross-layer data association result to obtain vulnerability analysis data of the persistent layer mapping file;
wherein performing cross-layer data association on the SQL injection vulnerability data and the persistent layer mapping file, and performing vulnerability tracking processing according to the cross-layer data association result to obtain vulnerability analysis data of the persistent layer mapping file, specifically comprises: acquiring the SQL mapping path and the SQL mapping line number of the persistent layer mapping file; performing cross-layer data association of the SQL injection vulnerability data with the SQL mapping path and with the SQL mapping line number respectively, to obtain the cross-layer data association result of the SQL injection vulnerability; performing vulnerability construction path analysis on the SQL injection vulnerability according to the cross-layer data association result to obtain a vulnerability injection analysis result; and performing path tracking processing on the SQL injection vulnerability according to the vulnerability injection analysis result to obtain the vulnerability analysis data of the persistent layer mapping file;
and wherein performing path tracking processing on the SQL injection vulnerability according to the vulnerability injection analysis result to obtain the vulnerability analysis data of the persistent layer mapping file specifically comprises: acquiring, according to the vulnerability injection analysis result, the SQL call information of the target SQL statement corresponding to the SQL injection vulnerability; performing line number splicing on all SQL call information of the persistent layer mapping file and the SQL injection vulnerability data to obtain the injection vulnerability construction path of the SQL injection vulnerability in the persistent layer mapping file; and performing cross-layer analysis on all SQL injection vulnerabilities of the persistent layer mapping file according to the injection vulnerability construction path to obtain the vulnerability analysis data of the persistent layer mapping file.
7. A computer device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the ORM framework-based SQL injection vulnerability analysis method according to any one of claims 1 to 6.
8. A computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the steps of the ORM framework-based SQL injection vulnerability analysis method of any one of claims 1 to 6.
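As an added example (not the patent's own code), the core of claims 1 to 4 run over a constructed MyBatis-style mapper file: the root tag's namespace supplies the fully qualified interface name, each statement tag is a candidate Sink, and the rule is spliced with the mapping path and line number as the path-tracking step describes. Treating a `${...}` substitution as the "external data source parameter injected into the target SQL statement" is an assumption, since the claims do not name the placeholder syntax.

```python
import re
from xml.parsers import expat

# Constructed MyBatis-style mapper file (sample input, not from the patent).
SAMPLE_MAPPER = """<mapper namespace="com.example.dao.UserMapper">
  <select id="findById" parameterType="long" resultType="User">
    SELECT * FROM users WHERE id = #{id}
  </select>
  <select id="findByName" parameterType="string" resultType="User">
    SELECT * FROM users WHERE name LIKE '%${name}%'
  </select>
  <select id="listSorted" resultType="User">
    SELECT * FROM users
    <if test="orderBy != null">ORDER BY ${orderBy}</if>
  </select>
</mapper>
"""
STATEMENT_TAGS = {"select", "insert", "update", "delete"}
# Assumption: a ${...} placeholder (string substitution into the SQL text) is
# the "external data source parameter injected into the target SQL statement";
# #{...} is bound as a prepared-statement parameter and is not made a Sink.
SUBST = re.compile(r"\$\{\s*([A-Za-z_][\w.]*)\s*\}")

def build_sink_rules(xml_text, mapping_path):
    """One Sink rule per statement tag whose SQL substitutes a parameter."""
    rules, state = [], {"namespace": None, "cur": None}
    parser = expat.ParserCreate()

    def start(name, attrs):
        if name == "mapper":                      # root tag: interface FQN
            state["namespace"] = attrs.get("namespace")
        elif name in STATEMENT_TAGS and state["cur"] is None:
            state["cur"] = {"tag": name, "id": attrs.get("id"),
                            "param_type": attrs.get("parameterType"),
                            "line": parser.CurrentLineNumber, "sql": []}

    def chars(data):                              # statement text, including
        if state["cur"] is not None:              # text of nested <if> etc.
            state["cur"]["sql"].append(data)

    def end(name):
        cur = state["cur"]
        if cur is not None and name == cur["tag"]:
            params = SUBST.findall("".join(cur["sql"]))
            if params:                            # only substituted params
                rules.append({"method": f'{state["namespace"]}.{cur["id"]}',
                              "param_type": cur["param_type"], "params": params,
                              "path": mapping_path, "line": cur["line"]})
            state["cur"] = None

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(xml_text, True)
    return rules

def construction_path(rule):
    # Line number splicing: mapping path, line, method and substituted params.
    params = ",".join(rule["params"])
    return f"{rule['path']}:{rule['line']} {rule['method']} ${{{params}}}"
```

Running `build_sink_rules(SAMPLE_MAPPER, "UserMapper.xml")` yields rules for `findByName` and `listSorted` only; `findById` uses a bound parameter and produces no Sink.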
CN202311146704.5A 2023-09-07 2023-09-07 Analysis method and device for SQL injection loopholes based on ORM framework Active CN116881930B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311146704.5A CN116881930B (en) 2023-09-07 2023-09-07 Analysis method and device for SQL injection loopholes based on ORM framework

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311146704.5A CN116881930B (en) 2023-09-07 2023-09-07 Analysis method and device for SQL injection loopholes based on ORM framework

Publications (2)

Publication Number Publication Date
CN116881930A CN116881930A (en) 2023-10-13
CN116881930B true CN116881930B (en) 2023-11-21

Family

ID=88255433

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311146704.5A Active CN116881930B (en) 2023-09-07 2023-09-07 Analysis method and device for SQL injection loopholes based on ORM framework

Country Status (1)

Country Link
CN (1) CN116881930B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114021130A (en) * 2021-10-12 2022-02-08 深圳开源互联网安全技术有限公司 Compiling-independent vulnerability scanning method and device and storage medium
CN114282221A (en) * 2021-12-09 2022-04-05 苏州浪潮智能科技有限公司 Injection vulnerability detection method, system, terminal and storage medium
CN115269427A (en) * 2022-08-03 2022-11-01 沈阳航空航天大学 Intermediate language representation method and system for WEB injection vulnerability
CN115809290A (en) * 2022-09-15 2023-03-17 平安付科技服务有限公司 Generate data persistence layer input method, device, equipment and medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7860842B2 (en) * 2005-03-16 2010-12-28 Oracle International Corporation Mechanism to detect and analyze SQL injection threats

Also Published As

Publication number Publication date
CN116881930A (en) 2023-10-13

Similar Documents

Publication Publication Date Title
US8782609B2 (en) Test failure bucketing
CN112131882A (en) Multi-source heterogeneous network security knowledge graph construction method and device
CN110059006B (en) Code auditing method and device
Alhuzali et al. Chainsaw: Chained automated workflow-based exploit generation
US20120158625A1 (en) Creating and Processing a Data Rule
KR101696694B1 (en) Method And Apparatus For Analysing Source Code Vulnerability By Using TraceBack
CN108459954B (en) Application program vulnerability detection method and device
CN116383833A (en) Method and device for testing software program code, electronic equipment and storage medium
Tsuchiya et al. Recovering traceability links between requirements and source code in the same series of software products
CN110134397A (en) Code segment translation method, device, computer equipment and storage medium
CN116578980A (en) Code analysis method and device based on neural network and electronic equipment
CN111026663B (en) Software defect detection method, device, computer equipment and storage medium
CN113961930B (en) SQL injection vulnerability detection method, device and electronic device
CN111709026B (en) Static security detection method, device, computer equipment and storage medium
CN113778852A (en) Code analysis method based on regular expression
Jaeger et al. Normalizing security events with a hierarchical knowledge base
CN116881930B (en) Analysis method and device for SQL injection loopholes based on ORM framework
Cheng et al. Revisiting knowledge-based inference of python runtime environments: A realistic and adaptive approach
Gladkikh et al. Approach to Forming Vulnerability Datasets for Fine-Tuning AI Agents
CN118585544A (en) A method and device for querying blood relationship data
CN120744942B (en) Automatic vulnerability detection method based on public vulnerability data
Knežev et al. Identifying Security Issues in Elixir Web Applications
CN113033149B (en) User story document quality inspection method, device, equipment and storage medium
Liu et al. PTV: Scalable Version Detection of Web Libraries and its Security Application
CN121009550A (en) Automatic code auditing method, device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant