IAST support for akka-http #5019
Conversation
cataphract
force-pushed
the
glopes/iast-akka-http
branch
3 times, most recently
from
dc4e34f
to
a92763d
Compare
cataphract
force-pushed
the
glopes/iast-akka-http
branch
from
a92763d
to
b049496
Compare
cataphract
force-pushed
the
glopes/iast-spring-webflux
branch
2 times, most recently
from
ddb1169
to
2bb1cce
Compare
cataphract
force-pushed
the
glopes/iast-spring-webflux
branch
from
2bb1cce
to
fb93b2a
Compare
cataphract
force-pushed
the
glopes/iast-akka-http
branch
from
b049496
to
55cc1b9
Compare
cataphract
force-pushed
the
glopes/iast-spring-webflux
branch
from
fb93b2a
to
4125a56
Compare
cataphract
force-pushed
the
glopes/iast-akka-http
branch
from
55cc1b9
to
d091da6
Compare
cataphract
force-pushed
the
glopes/iast-akka-http
branch
from
d091da6
to
f301ff0
Compare
| @@ -73,6 +84,15 @@ muzzle { | |||
|
|
|||
| configurations { | |||
| testArtifacts | |||
|
|
|||
| iastTestImplemnentation.extendsFrom(baseTestImplementation) | |||
There was a problem hiding this comment.
Nice!, I did struggle with something similar in vert.x 3 and this solution is quite clean
|
|
||
| static class TaintQueryStringAdvice { | ||
| @Advice.OnMethodExit(suppress = Throwable.class) | ||
| static void after(@Advice.This Uri uri, @Advice.Return scala.Option<String> ret) { |
There was a problem hiding this comment.
Why do you use the actual Uri type here and on TaintQueryAdvice it's an Object? I always got the impression that if you want to use the actual instrumented type you should extract the advice class to a separate one (but it might be wrong)
There was a problem hiding this comment.
The explanation is in the comment for TaintQueryAdvice. I reuse the advice for a method in another class that also returns a Uri$Query. We only care if this is tainted. We can bind the arguments to the advice to a reference of any supertype of the formal type of the method argument/this. We can even do a downcast with typing = DYNAMIC
There was a problem hiding this comment.
I wasn't aware about the dynamic typing, thanks!
cataphract
force-pushed
the
glopes/iast-akka-http
branch
from
f301ff0
to
5e428a8
Compare
| @@ -33,6 +33,8 @@ public interface WebModule extends IastModule { | |||
|
|
|||
| void onQueryString(@Nullable String queryString); | |||
|
|
|||
| void onCookieNames(@Nullable Iterable<String> cookieNames); | |||
There was a problem hiding this comment.
So far I tried to use interfaces like Collection that are more explicit about the capability of being iterated more than once. But this is ok as long as the places where we call this are checked for types that are capable of multiple iterations.
There was a problem hiding this comment.
I did this to avoid having to some scala objects
No description provided.