Add SWAN plugin directory

Author: oshando

.gitignore

@@ -0,0 +1,106 @@
+# Created by https://www.gitignore.io/api/java,maven,intellij
+
+### Intellij ###
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and Webstorm
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff:
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/dictionaries
+
+# Sensitive or high-churn files:
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.xml
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+
+# Gradle:
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# CMake
+cmake-build-debug/
+
+# Mongo Explorer plugin:
+.idea/**/mongoSettings.xml
+
+## File-based project format:
+*.iws
+
+## Plugin-specific files:
+
+# IntelliJ
+/out/
+/.idea/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# Ruby plugin and RubyMine
+/.rakeTasks
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+### Intellij Patch ###
+# Comment Reason: https://github.com/joeblau/gitignore.io/issues/186#issuecomment-215987721
+
+*.iml
+# modules.xml
+# .idea/misc.xml
+# *.ipr
+
+# Sonarlint plugin
+.idea/sonarlint
+
+### Java ###
+# Compiled class file
+*.class
+
+# Log file
+*.log
+
+# BlueJ files
+*.ctxt
+
+# Mobile Tools for Java (J2ME)
+.mtj.tmp/
+
+# Package Files #
+*.war
+*.ear
+*.zip
+*.tar.gz
+*.rar
+
+# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
+hs_err_pid*
+
+### Maven ###
+target/
+pom.xml.tag
+pom.xml.releaseBackup
+pom.xml.versionsBackup
+pom.xml.next
+release.properties
+dependency-reduced-pom.xml
+buildNumber.properties
+.mvn/timing.properties
+
+# Avoid ignoring Maven wrapper jar file (.jar files are usually ignored)
+!/.mvn/wrapper/maven-wrapper.jar
+
+# End of https://www.gitignore.io/api/java,maven,intellij

swan_assist/LICENSE

@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2018, Fraunhofer IEM
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+* Neither the name of the copyright holder nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

swan_assist/README.md

@@ -0,0 +1,51 @@
+# SWAN_Assist
+IntelliJ IDEA Plug-in for the Security methods for WeAkNess detection (SWAN) tool.
+
+Description: 
+-------------
+SWAN is a machine-learning approach for detection of methods of interest for security in Java libraries. 
+SWAN should be used in combination with other static analyses tools. It helps the users to create a set of relevant methods required as an input for static analyses, e.g. taint- and type-state analysis. 
+SWAN detects four types of methods: source, sink, sanitizer, and authentication method. 
+The found methods are further cathegorized according to relevant vulnerabilities (Common Weakness Enummeration  - CWE). Curretntly SWAN supports the following CWEs: CWE89, CWE79, CWE306, CWE862, and CWE863. 
+
+SWAN_Assist provides a GUI support for SWAN. The user is able to interact with the learning process by giving feedback on the methods of interest. 
+The tool helps users that write static analyses to create list of SWAN for their specific Java libraries. 
+Moreover, users can manually inspect the proper usage of the methods detected by SWAN. 
+
+Contributors:
+* Goran Piskachev (goran.piskachev@iem.fraunhofer.de)
+* Oshando Johnson (oshando@campus.uni-paderborn.de)
+* Lisa Nguyen (lisa.nguyen@uni-paderborn.de)
+
+## Setting Up the Plugin
+
+Import the project using either of the following methods:
+##### Cloning Project from the Repository
+1) Select the *File>Project from Version Control>Git* option, enter the repository’s URL and then select *Clone* to import the project.
+2) Go to *File>Project Structure* to edit the project settings. 
+    3) For the project's SDK, select the *IntelliJ IDEA IU-** option.
+    4) Select *Modules* from the left panel and use the *Add* button to add a new project module. In the window that appears, select *IntelliJ Platform Plugin* from the left panel and select *OK*. Select a name for the module and ensure that the *Content Root* and *Module File Location* point to the project's root folder and select *Finish*. If a default module was generated while importing the project, you can remove it.
+    5) Select Libraries from the left panel, select the *Add* button and select Java. Select the ``/libs`` folder in the window that appears and select *Open*.
+
+##### Downloading and Importing Project
+1) Download the project from Github and then use the *File>Project from Existing Resources* from the menu to import the project. Select the downloaded project's root folder and select *Open*.
+2) Select the option to *Create Project from existing sources* and then proceed.
+3) At the step to select the project's source files, deselect the ``test-project/src`` entry, if it was automatically selected. The project libraries will be automatically detected and a module will also be created.
+4) Validate that the project was imported correctly and the module was correctly created. If there are issues, follow the steps in step 2 in the above section.
+
+## Running the Plugin
+To run the plugin, select the *Run Configuration* drop down menu and select *Edit Configurations*. Ensure that the module that was created previously is selected and press Ok. You should now be able to run the project.
+
+A separate instance of IntelliJ will be launched. Use the open option to select the project found in ``/example-project`` directory. You may need to setup a project SDK for the project if one isn’t automatically configured. You should then be able to run the test project.
+
+Logs for the plugin will appear in the initial instance of IntelliJ.
+
+## Building the Plugin
+To build the plugin, select the  "Prepare Plugin Module '...' For Deployment" option from the Build menu. This will generate the a zip file that contains the plugin's jars and resources in the project's root directory.
+
+## Installing the Plugin
+To install the plugin, go Preferences and select "Plugins" from the sidebar. Select the "Install Plugin from disk" button, locate the plugin file and select it. You will need to restart IntelliJ for the plugin to work. 
+
+Contact: 
+-------------
+Goran Piskachev (Fraunhofer IEM, Zukunftsmeile 1, 33102 Paderborn, Office: 02-13)

swan_assist/docs/Feature List.docx

@@ -0,0 +1,73 @@
+package de.fraunhofer.iem.swan.example;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponseWrapper;
+import com.mysql.jdbc.Connection;
+import com.mysql.jdbc.ResultSet;
+import com.mysql.jdbc.Statement;
+
+
+public class ExampleSQLiOpenRedirect {
+
+    private Connection conn;
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+
+        try {
+            String userId = request.getParameter("userId");
+            userId = encode(userId);
+
+            Statement st = (Statement) conn.createStatement();
+            String query = "SELECT * FROM User WHERE userId=’" + userId + "’;";
+            ResultSet res = (ResultSet) st.executeQuery(query);
+            String url = "https://" + userId + ".company.com";
+            response.sendRedirect(url);
+        } catch (Exception e) {
+        }
+
+    }
+
+    private String encode(String userId) {
+        HttpServletResponseWrapper encoder = new HttpServletResponseWrapper(null);
+        String result = encoder.encodeRedirectURL(userId);
+        return result;
+    }
+}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+

swan_assist/docs/MOIS-Assist SDD.docx

@@ -0,0 +1,34 @@
+package de.fraunhofer.iem.swan.example.api;
+
+import de.fraunhofer.iem.swan.example.api.comm.EmailClient;
+import de.fraunhofer.iem.swan.example.api.data.Customer;
+import de.fraunhofer.iem.swan.example.api.data.TravelOffer;
+import de.fraunhofer.iem.swan.example.api.util.UserManagement;
+
+public class TravelWishlist {
+
+    public static void main(String[] args) {
+
+        //create new customer
+        Customer customer = new Customer("Daniel Bruns", "1454876798761237",  3456.89);
+
+        //set password and email
+        customer.setPassword("password");
+        customer.setEmail("daniel.bruns@gmail.com");
+
+        //send confirmation email
+        EmailClient confirmationEmail = new EmailClient();
+
+        String []addresses = new String[]{customer.getEmail(), "user@verification@travelwishlist.com"};
+        String subject = "Account Confirmation";
+        String emailBody = "Hello " + customer.getName() + ", \nPlease confirm your email and credit card details. " + UserManagement.maskCreditCard(customer.getCreditCard());
+
+        if(confirmationEmail.sendEmail(addresses, subject, emailBody))
+            System.out.println("Account verification e-mail was successfully sent.");
+        else
+            System.out.println("An error occured.");
+
+        TravelOffer offer = new TravelOffer();
+    }
+
+}

swan_assist/docs/MOIS-Assist SDD.pdf

@@ -0,0 +1,9 @@
+package de.fraunhofer.iem.swan.example.api.comm;
+
+public class EmailClient {
+
+    public boolean sendEmail(String [] addresses, String subject, String body){
+
+        return true;
+    }
+}

swan_assist/example-project/src/de/fraunhofer/iem/swan/example/ExampleSQLiOpenRedirect.java

@@ -0,0 +1,63 @@
+package de.fraunhofer.iem.swan.example.api.data;
+
+import de.fraunhofer.iem.swan.example.api.util.UserManagement;
+
+public class Customer {
+
+    private String name;
+    String creditCard;
+    String password;
+    String email;
+    double budget;
+
+
+    public Customer(String customerName, String creditCard, double budget) {
+
+        setName(customerName);
+        setCreditCard(creditCard);
+        setBudget(budget);
+    }
+
+    public String getPassword() {
+        return password;
+    }
+
+    public void setPassword(String password) {
+        this.password = UserManagement.hashPassword(password, "SHA-256");
+    }
+
+    public String getEmail() {
+        return email;
+    }
+
+    public void setEmail(String email) {
+        if (UserManagement.validateEmail(email))
+            this.email = email;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public String getCreditCard() {
+        return creditCard;
+    }
+
+    public void setCreditCard(String creditCard) {
+        this.creditCard = creditCard;
+    }
+
+    public double getBudget() {
+        return budget;
+    }
+
+    public void setBudget(double budget) {
+        this.budget = budget;
+    }
+
+
+}