基于CodeQL的NewBee-Mall漏洞挖掘技术文档<\/h1>

一、项目背景<\/h2>
NewBee-Mall是一个拥有11.4k star的开源商城项目（GitHub地址：https:\/\/github.com\/newbee-ltd\/newbee-mall）。本文重点介绍如何使用CodeQL自动化挖掘其ABAC权限漏洞。<\/p>

二、垂直权限管理分析<\/h2>

2.1 配置机制<\/h3>

项目采用SpringMVC拦截器实现垂直权限管理，核心配置位于：<\/p>

public<\/span> void<\/span> addInterceptors<\/span>(<\/span>InterceptorRegistry registry)<\/span> {<\/span>
<\/span><\/span>    registry.<\/span>addInterceptor<\/span>(<\/span>adminLoginInterceptor)<\/span>
<\/span><\/span>            .<\/span>addPathPatterns<\/span>(<\/span>"\/admin\/**"<\/span>)<\/span>
<\/span><\/span>            .<\/span>excludePathPatterns<\/span>(<\/span>"\/admin\/login"<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.2 历史漏洞CVE-2020-23448<\/h3>
漏洞成因<\/strong>：<\/p>

原始代码使用uri.startsWith("\/admin")<\/code>进行路径匹配<\/li>
可通过\/\/admin<\/code>进行路径解析绕过（利用HTTP解析特性）<\/li>
<\/ul>
修复方案<\/strong>：<\/p>
\/\/ 修复前：存在绕过风险
<\/span><\/span><\/span><\/span>uri.<\/span>startsWith<\/span>(<\/span>"\/admin"<\/span>)<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 修复后：使用servlet路径判断
<\/span><\/span><\/span><\/span>request.<\/span>getServletPath<\/span>().<\/span>startsWith<\/span>(<\/span>"\/admin"<\/span>)<\/span>
<\/span><\/span><\/code><\/pre>三、水平权限管理分析<\/h2>
3.1 鉴权机制特征<\/h3>
典型水平权限判断代码模式：<\/p>
\/\/ 从session获取用户身份
<\/span><\/span><\/span><\/span>Long userId =<\/span> (<\/span>Long)<\/span> httpSession.<\/span>getAttribute<\/span>(<\/span>Constants.<\/span>MALL_USER_SESSION_KEY<\/span>);<\/span>
<\/span><\/span>\/\/ 传入服务层进行ABAC比较
<\/span><\/span><\/span><\/span>newBeeMallShoppingCartService.<\/span>updateNewBeeMallCartItem<\/span>(<\/span>cartItem,<\/span> userId);<\/span>
<\/span><\/span><\/code><\/pre>3.2 CodeQL检测策略<\/h3>
3.2.1 核心检测逻辑<\/h4>
\/\/ 检测调用httpSession.getAttribute的方法
predicate callsHttpSessionGetAttribute(Method m) {
    exists(MethodAccess call |
        call.getMethod().getName() = "getAttribute" and
        call.getQualifier().getType().getName() = "HttpSession" and
        call.getEnclosingCallable() = m
    )
}

\/\/ 判断是否为控制器方法
predicate isController(Method m) {
    exists(Annotation a | 
        a.getType().getName() = "RequestMapping" and
        m.getAnAnnotation() = a
    )
}
<\/code><\/pre>
3.2.2 过滤规则<\/h4>
需要排除以下情况：<\/p>

Admin控制器：类包含@RequestMapping("\/admin")<\/code>注解<\/li>
VO层方法：仅负责渲染，不处理业务逻辑<\/li>
GET请求路由：渲染模板的方法<\/li>
<\/ol>
3.2.3 完整QL查询<\/h4>
from Method m
where 
    isController(m) and
    not callsHttpSessionGetAttribute(m) and
    not m.getDeclaringType().getAnAnnotation().getType().getName() = "RequestMapping" and
    not m.getName().matches("%GET%")
select m
<\/code><\/pre>
四、漏洞实例分析<\/h2>
4.1 支付漏洞+水平越权（paySuccess方法）<\/h3>
漏洞位置<\/strong>：MallOrderController.paySuccess<\/code><\/p>
@PostMapping<\/span>(<\/span>value =<\/span> "\/paySuccess"<\/span>)<\/span>
<\/span><\/span>public<\/span> Result paySuccess<\/span>(<\/span>@RequestBody<\/span> PaySuccessVO paySuccessVO,<\/span> HttpSession httpSession)<\/span> {<\/span>
<\/span><\/span>    \/\/ 缺失用户身份验证
<\/span><\/span><\/span><\/span>    String payResult =<\/span> newBeeMallOrderService.<\/span>paySuccess<\/span>(<\/span>paySuccessVO);<\/span>
<\/span><\/span>    return<\/span> ResultGenerator.<\/span>genSuccessResult<\/span>(<\/span>payResult);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>服务层代码<\/strong>：<\/p>
public<\/span> String paySuccess<\/span>(<\/span>PaySuccessVO paySuccessVO)<\/span> {<\/span>
<\/span><\/span>    NewBeeMallOrder order =<\/span> newBeeMallOrderMapper.<\/span>selectByOrderNo<\/span>(<\/span>paySuccessVO.<\/span>getOrderNo<\/span>());<\/span>
<\/span><\/span>    \/\/ 直接修改订单状态，无用户权限校验
<\/span><\/span><\/span><\/span>    order.<\/span>setOrderStatus<\/span>((<\/span>byte<\/span>)<\/span> 1<\/span>);<\/span>
<\/span><\/span>    newBeeMallOrderMapper.<\/span>updateByPrimaryKey<\/span>(<\/span>order);<\/span>
<\/span><\/span>    return<\/span> "success"<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>利用方式<\/strong>：<\/p>

任意用户可通过传入他人订单号修改订单状态为"已支付"<\/li>
数据库验证确认漏洞存在<\/li>
<\/ul>
4.2 用户信息修改漏洞（CVE-2023-30216）<\/h3>
漏洞位置<\/strong>：updateInfo<\/code>方法<\/p>
@PostMapping<\/span>(<\/span>"\/updateInfo"<\/span>)<\/span>
<\/span><\/span>public<\/span> Result updateInfo<\/span>(<\/span>@RequestBody<\/span> MallUserVO mallUserVO,<\/span> HttpSession httpSession)<\/span> {<\/span>
<\/span><\/span>    \/\/ 缺失用户身份验证
<\/span><\/span><\/span><\/span>    String updateResult =<\/span> newBeeMallUserService.<\/span>updateUserInfo<\/span>(<\/span>mallUserVO);<\/span>
<\/span><\/span>    return<\/span> ResultGenerator.<\/span>genSuccessResult<\/span>(<\/span>updateResult);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>服务层代码<\/strong>：<\/p>
public<\/span> String updateUserInfo<\/span>(<\/span>MallUserVO mallUserVO)<\/span> {<\/span>
<\/span><\/span>    NewBeeMallUser user =<\/span> new<\/span> NewBeeMallUser();<\/span>
<\/span><\/span>    \/\/ 直接根据传入JSON中的ID修改用户信息
<\/span><\/span><\/span><\/span>    user.<\/span>setUserId<\/span>(<\/span>mallUserVO.<\/span>getUserId<\/span>());<\/span>
<\/span><\/span>    user.<\/span>setNickName<\/span>(<\/span>mallUserVO.<\/span>getNickName<\/span>());<\/span>
<\/span><\/span>    newBeeMallUserMapper.<\/span>updateByPrimaryKeySelective<\/span>(<\/span>user);<\/span>
<\/span><\/span>    return<\/span> "success"<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞影响<\/strong>：<\/p>

可通过修改JSON中的userId参数任意修改用户信息<\/li>
已获得CVE-2023-30216编号<\/li>
<\/ul>
4.3 验证码爆破漏洞<\/h3>
漏洞机理<\/strong>：<\/p>
@GetMapping<\/span>(<\/span>"\/kaptcha"<\/span>)<\/span>
<\/span><\/span>public<\/span> void<\/span> defaultKaptcha<\/span>(<\/span>HttpSession httpSession)<\/span> {<\/span>
<\/span><\/span>    \/\/ 生成验证码存入session
<\/span><\/span><\/span><\/span>    String verifyCode =<\/span> producer.<\/span>createText<\/span>();<\/span>
<\/span><\/span>    BufferedImage image =<\/span> producer.<\/span>createImage<\/span>(<\/span>verifyCode);<\/span>
<\/span><\/span>    httpSession.<\/span>setAttribute<\/span>(<\/span>"verifyCode"<\/span>,<\/span> verifyCode);<\/span>
<\/span><\/span>    \/\/ 但验证码更换依赖前端访问此路由
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞特征<\/strong>：<\/p>

验证码生成后存储于Session<\/li>
但验证码更换需要前端主动访问\/kaptcha<\/code>路由<\/li>
攻击者可重复使用同一验证码进行爆破<\/li>
<\/ul>
五、CodeQL实战技巧<\/h2>
5.1 精确方法过滤<\/h3>
\/\/ 排除Admin控制器
not m.getDeclaringType().getAnAnnotation().getType().getName() = "RequestMapping"

\/\/ 排除GET方法
not m.getName().matches("%GET%")

\/\/ 排除VO层方法
not m.getDeclaringType().getName().matches("%VO%")
<\/code><\/pre>
5.2 结果优化策略<\/h3>

初始检测55个结果，经过滤后聚焦关键漏洞点<\/li>
需结合业务逻辑理解排除误报<\/li>
<\/ul>
六、总结与建议<\/h2>
6.1 漏洞挖掘经验<\/h3>

不同项目权限实现方式各异，需定制化分析<\/li>
CodeQL可显著降低人工审计复杂度<\/li>
需结合业务逻辑理解优化检测规则<\/li>
<\/ol>
6.2 修复建议<\/h3>

所有操作需进行用户身份验证<\/li>
验证码应设置有效期和强制更新机制<\/li>
建议采用统一的权限校验框架<\/li>
<\/ol>
6.3 参考资源<\/h3>

https:\/\/github.com\/newbee-ltd\/newbee-mall\/issues\/100<\/li>
https:\/\/github.com\/newbee-ltd\/newbee-mall\/issues\/101<\/li>
<\/ol>

本文档基于实际漏洞挖掘经验整理，所有漏洞均已提交至VulDB。希望为业务安全漏洞挖掘提供有效技术参考。<\/em><\/p>

基于CodeQL的NewBee-Mall漏洞挖掘技术文档<\/h1>

一、项目背景<\/h2> NewBee-Mall是一个拥有11.4k star的开源商城项目（GitHub地址：https:\/\/github.com\/newbee-ltd\/newbee-mall）。本文重点介绍如何使用CodeQL自动化挖掘其ABAC权限漏洞。<\/p>

二、垂直权限管理分析<\/h2>

三、水平权限管理分析<\/h2>

3.2 CodeQL检测策略<\/h3>

四、漏洞实例分析<\/h2>

五、CodeQL实战技巧<\/h2>

六、总结与建议<\/h2>

一、项目背景<\/h2>
NewBee-Mall是一个拥有11.4k star的开源商城项目（GitHub地址：https:\/\/github.com\/newbee-ltd\/newbee-mall）。本文重点介绍如何使用CodeQL自动化挖掘其ABAC权限漏洞。<\/p>