Home Original page

GitHub - Cryin/JavaID: java source code static code analysis and danger function identify prog

JavaID identify some dangerous functions in java source code by way of regular matching.

For further details, check out the source code on the main site, github.com/Cryin/JavaID.

XXE:
   "SAXReader",
   "DocumentBuilder",
   "XMLStreamReader",
   "SAXBuilder",
   "SAXParser",
   "XMLReader",
   "SAXSource",
   "TransformerFactory",
   "SAXTransformerFactory",
   "SchemaFactory",
   "Unmarshaller",
   "XPathExpression"

JavaObjectDeserialization:
   "readObject",
   "readUnshared",
   "Yaml.load",
   "fromXML",
   "ObjectMapper.readValue",
   "JSON.parseObject"
SSRF:
   "HttpClient",
   "Socket",
   "URL",
   "ImageIO",
   "HttpURLConnection",
   "OkHttpClient" 
   "SimpleDriverDataSource.getConnection"
   "DriverManager.getConnection"
FILE:
   "MultipartFile",
   "createNewFile",
   "FileInputStream"
SPelInjection:
   "SpelExpressionParser",
   "getValue"
Autobinding:
   "@SessionAttributes",
   "@ModelAttribute"
URL-Redirect:
   "sendRedirect",
   "forward",
   "setHeader"
EXEC:
   "getRuntime.exec",
   "ProcessBuilder.start",
   "GroovyShell.evaluate"

and so on...