From 8874d32a986a021740f44718a15dc3565ac44d50 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=98niuerzhuang=E2=80=99?= <‘niuerzhuang@huoxian.cn’> Date: Fri, 12 May 2023 14:42:35 +0800 Subject: [PATCH 1/9] fix: custom model --- .../hookpoint/controller/impl/SourceImpl.java | 16 --- .../iast/core/utils/TaintPoolUtils.java | 39 ------ .../com.secnium.iast.resources/blacklist.txt | 128 ++++++++++-------- 3 files changed, 70 insertions(+), 113 deletions(-) diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/SourceImpl.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/SourceImpl.java index 33ace410e..34d6d215b 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/SourceImpl.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/SourceImpl.java @@ -82,25 +82,9 @@ private static boolean trackTarget(MethodEvent event, SourceNode sourceNode) { } TaintPoolUtils.trackObject(event, sourceNode, event.returnInstance, 0); - // @TODO: hook json serializer for custom model - handlerCustomModel(event, sourceNode); return true; } - /** - * todo: 处理过程和结果需要细化 - * - * @param event MethodEvent - */ - public static void handlerCustomModel(MethodEvent event, SourceNode sourceNode) { - if (!"getSession".equals(event.getMethodName())) { - Set modelValues = TaintPoolUtils.parseCustomModel(event.returnInstance); - for (Object modelValue : modelValues) { - TaintPoolUtils.trackObject(event, sourceNode, modelValue, 0); - } - } - } - private static boolean allowCall(MethodEvent event) { boolean allowed = true; if (METHOD_OF_GETATTRIBUTE.equals(event.getMethodName())) { diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java index 1561283b4..fc72e25a8 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java 
+++ b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java @@ -146,38 +146,6 @@ public static boolean isAllowTaintType(Object obj) { return isAllowTaintType(obj.getClass()); } - public static Set parseCustomModel(Object model) { - Set modelValues = new HashSet(); - try { - if (!TaintPoolUtils.isAllowTaintGetterModel(model)) { - return modelValues; - } - - // getter methods - Method[] methods = model.getClass().getMethods(); - Object itemValue = null; - for (Method method : methods) { - if (!TaintPoolUtils.isAllowTaintGetterMethod(method)) { - continue; - } - - try { - method.setAccessible(true); - itemValue = method.invoke(model); - if (!TaintPoolUtils.isNotEmpty(itemValue) || !TaintPoolUtils.isAllowTaintType(itemValue)) { - continue; - } - modelValues.add(itemValue); - } catch (Throwable e) { - DongTaiLog.error(ErrorCode.get("UTIL_TAINT_PARSE_CUSTOM_MODEL_FAILED"), - model.getClass().getName(), method.getName(), e); - } - } - } catch (Throwable ignore) { - } - return modelValues; - } - public static boolean isAllowTaintGetterModel(Object model) { if (!TaintPoolUtils.isNotEmpty(model)) { return false; @@ -309,13 +277,6 @@ public static void trackObject(MethodEvent event, PolicyNode policyNode, Object event.addTargetHash(hash); EngineManager.TAINT_RANGES_POOL.add(hash, tr); } else { - if (!(obj instanceof String)) { - Set modelValues = TaintPoolUtils.parseCustomModel(obj); - for (Object modelValue : modelValues) { - trackObject(event, policyNode, modelValue, depth + 1); - } - } - hash = System.identityHashCode(obj); if (EngineManager.TAINT_HASH_CODES.contains(hash)) { event.addSourceHash(hash); diff --git a/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt b/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt index 0cc7049b6..cdc7cd650 100644 --- a/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt +++ b/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt 
@@ -3583,6 +3583,7 @@ com/bea/security/xacml/target/TargetEvaluatorRegistry com/bea/sslplus/CerticomSSLContext com/bea/staxb/buildtime/internal/bts/BaseBindingLoader com/bea/staxb/buildtime/internal/bts/BindingFile +com/bea/staxb/buildtime/internal/bts.BindingFileInputStream com/bea/staxb/buildtime/internal/bts/BindingLoader com/bea/staxb/buildtime/internal/bts/BindingMappingFile com/bea/staxb/buildtime/internal/bts/BindingProperty @@ -4649,7 +4650,7 @@ com/fasterxml/jackson/databind/DeserializationContext com/fasterxml/jackson/databind/DeserializationFeature com/fasterxml/jackson/databind/InjectableValues com/fasterxml/jackson/databind/JavaType -com/fasterxml/jackson/databind/JsonDeserializer +# com/fasterxml/jackson/databind/JsonDeserializer com/fasterxml/jackson/databind/JsonMappingException com/fasterxml/jackson/databind/JsonSerializable com/fasterxml/jackson/databind/JsonSerializable$Base 
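Review bot: The added entry `com/bea/staxb/buildtime/internal/bts.BindingFileInputStream` uses a dot before the simple class name where every neighbouring entry uses `/`, so if the loader matches slash-separated internal class names this line will never match and the class stays instrumented despite the intent to exclude it; it should read `com/bea/staxb/buildtime/internal/bts/BindingFileInputStream`. The same slip is in the `@@ -27852` hunk, where `javelin.jsp.JspTagLibraryFeature$UncloseableInputStream` should be `javelin/jsp/JspTagLibraryFeature$UncloseableInputStream`. A check at load time that logs any non-comment entry containing a `.` would catch this kind of typo before it silently widens the hooked surface.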
@@ -4734,61 +4735,61 @@ com/fasterxml/jackson/databind/deser/impl/PropertyBasedCreator$CaseInsensitiveMa com/fasterxml/jackson/databind/deser/impl/PropertyBasedObjectIdGenerator com/fasterxml/jackson/databind/deser/impl/SetterlessProperty com/fasterxml/jackson/databind/deser/impl/TypeWrappedDeserializer -com/fasterxml/jackson/databind/deser/std/ArrayBlockingQueueDeserializer -com/fasterxml/jackson/databind/deser/std/AtomicBooleanDeserializer -com/fasterxml/jackson/databind/deser/std/AtomicReferenceDeserializer -com/fasterxml/jackson/databind/deser/std/BaseNodeDeserializer -com/fasterxml/jackson/databind/deser/std/BaseNodeDeserializer$1 -com/fasterxml/jackson/databind/deser/std/ByteBufferDeserializer -com/fasterxml/jackson/databind/deser/std/CollectionDeserializer -com/fasterxml/jackson/databind/deser/std/ContainerDeserializerBase -com/fasterxml/jackson/databind/deser/std/EnumDeserializer -com/fasterxml/jackson/databind/deser/std/EnumMapDeserializer -com/fasterxml/jackson/databind/deser/std/EnumSetDeserializer -com/fasterxml/jackson/databind/deser/std/FromStringDeserializer -com/fasterxml/jackson/databind/deser/std/FromStringDeserializer$Std -com/fasterxml/jackson/databind/deser/std/JavaTypeDeserializer -com/fasterxml/jackson/databind/deser/std/JdkDeserializers -com/fasterxml/jackson/databind/deser/std/JsonLocationInstantiator -com/fasterxml/jackson/databind/deser/std/JsonNodeDeserializer -com/fasterxml/jackson/databind/deser/std/JsonNodeDeserializer$1 -com/fasterxml/jackson/databind/deser/std/JsonNodeDeserializer$ArrayDeserializer -com/fasterxml/jackson/databind/deser/std/JsonNodeDeserializer$ObjectDeserializer -com/fasterxml/jackson/databind/deser/std/MapDeserializer -com/fasterxml/jackson/databind/deser/std/MapEntryDeserializer -com/fasterxml/jackson/databind/deser/std/NullifyingDeserializer -com/fasterxml/jackson/databind/deser/std/ObjectArrayDeserializer -com/fasterxml/jackson/databind/deser/std/StackTraceElementDeserializer 
-com/fasterxml/jackson/databind/deser/std/StdDelegatingDeserializer -com/fasterxml/jackson/databind/deser/std/StdDeserializer -com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer -com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$BoolKD -com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$ByteKD -com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$CalendarKD -com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$CharKD -com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$DateKD -com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$DelegatingKD -com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$DoubleKD -com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$EnumKD -com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$FloatKD -com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$IntKD -com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$LocaleKD -com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$LongKD -com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$ShortKD -com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$StringCtorKeyDeserializer -com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$StringFactoryKeyDeserializer -com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$StringKD -com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$UuidKD -com/fasterxml/jackson/databind/deser/std/StdKeyDeserializers -com/fasterxml/jackson/databind/deser/std/StdScalarDeserializer -com/fasterxml/jackson/databind/deser/std/StdValueInstantiator -com/fasterxml/jackson/databind/deser/std/StringArrayDeserializer -com/fasterxml/jackson/databind/deser/std/StringCollectionDeserializer -com/fasterxml/jackson/databind/deser/std/StringDeserializer -com/fasterxml/jackson/databind/deser/std/ThrowableDeserializer -com/fasterxml/jackson/databind/deser/std/TokenBufferDeserializer -com/fasterxml/jackson/databind/deser/std/UUIDDeserializer 
-com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer +# com/fasterxml/jackson/databind/deser/std/ArrayBlockingQueueDeserializer +# com/fasterxml/jackson/databind/deser/std/AtomicBooleanDeserializer +# com/fasterxml/jackson/databind/deser/std/AtomicReferenceDeserializer +# com/fasterxml/jackson/databind/deser/std/BaseNodeDeserializer +# com/fasterxml/jackson/databind/deser/std/BaseNodeDeserializer$1 +# com/fasterxml/jackson/databind/deser/std/ByteBufferDeserializer +# com/fasterxml/jackson/databind/deser/std/CollectionDeserializer +# com/fasterxml/jackson/databind/deser/std/ContainerDeserializerBase +# com/fasterxml/jackson/databind/deser/std/EnumDeserializer +# com/fasterxml/jackson/databind/deser/std/EnumMapDeserializer +# com/fasterxml/jackson/databind/deser/std/EnumSetDeserializer +# com/fasterxml/jackson/databind/deser/std/FromStringDeserializer +# com/fasterxml/jackson/databind/deser/std/FromStringDeserializer$Std +# com/fasterxml/jackson/databind/deser/std/JavaTypeDeserializer +# com/fasterxml/jackson/databind/deser/std/JdkDeserializers +# com/fasterxml/jackson/databind/deser/std/JsonLocationInstantiator +# com/fasterxml/jackson/databind/deser/std/JsonNodeDeserializer +# com/fasterxml/jackson/databind/deser/std/JsonNodeDeserializer$1 +# com/fasterxml/jackson/databind/deser/std/JsonNodeDeserializer$ArrayDeserializer +# com/fasterxml/jackson/databind/deser/std/JsonNodeDeserializer$ObjectDeserializer +# com/fasterxml/jackson/databind/deser/std/MapDeserializer +# com/fasterxml/jackson/databind/deser/std/MapEntryDeserializer +# com/fasterxml/jackson/databind/deser/std/NullifyingDeserializer +# com/fasterxml/jackson/databind/deser/std/ObjectArrayDeserializer +# com/fasterxml/jackson/databind/deser/std/StackTraceElementDeserializer +# com/fasterxml/jackson/databind/deser/std/StdDelegatingDeserializer +# com/fasterxml/jackson/databind/deser/std/StdDeserializer +# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer +# 
com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$BoolKD +# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$ByteKD +# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$CalendarKD +# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$CharKD +# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$DateKD +# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$DelegatingKD +# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$DoubleKD +# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$EnumKD +# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$FloatKD +# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$IntKD +# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$LocaleKD +# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$LongKD +# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$ShortKD +# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$StringCtorKeyDeserializer +# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$StringFactoryKeyDeserializer +# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$StringKD +# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$UuidKD +# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializers +# com/fasterxml/jackson/databind/deser/std/StdScalarDeserializer +# com/fasterxml/jackson/databind/deser/std/StdValueInstantiator +# com/fasterxml/jackson/databind/deser/std/StringArrayDeserializer +# com/fasterxml/jackson/databind/deser/std/StringCollectionDeserializer +# com/fasterxml/jackson/databind/deser/std/StringDeserializer +# com/fasterxml/jackson/databind/deser/std/ThrowableDeserializer +# com/fasterxml/jackson/databind/deser/std/TokenBufferDeserializer +# com/fasterxml/jackson/databind/deser/std/UUIDDeserializer +# com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer com/fasterxml/jackson/databind/exc/IgnoredPropertyException 
com/fasterxml/jackson/databind/exc/InvalidFormatException com/fasterxml/jackson/databind/exc/PropertyBindingException @@ -23724,7 +23725,7 @@ java/io/OutputStream java/io/OutputStreamWriter java/io/PipedOutputStream java/io/PrintStream -java/io/PushbackInputStream +# java/io/PushbackInputStream java/io/PushbackReader java/io/RandomAccessFile java/io/RandomAccessFile$1 @@ -24894,6 +24895,7 @@ java/util/StringTokenizer # java/util/stream/IntStream # java/util/stream/Stream java/util/zip/* +java/util/zip/CheckedInputStream javassist/ByteArrayClassPath javassist/CannotCompileException javassist/ClassClassPath @@ -27852,6 +27854,7 @@ javelin/jsp/JspTagLibraryFeature$1 javelin/jsp/JspTagLibraryFeature$2 javelin/jsp/JspTagLibraryFeature$TagLibraryContext javelin/jsp/JspTagLibraryFeature$TldChangeListener +javelin.jsp.JspTagLibraryFeature$UncloseableInputStream javelin/jsp/JspTagLibraryFeature$WebXmlChangeListener javelin/jsp/JspTagLibraryParser javelin/jsp/JspTagLibraryParser$JSPEntityResolver @@ -38053,6 +38056,7 @@ org/apache/xerces/impl/XMLEntityManager$EncodingInfo org/apache/xerces/impl/XMLEntityManager$Entity org/apache/xerces/impl/XMLEntityManager$ExternalEntity org/apache/xerces/impl/XMLEntityManager$InternalEntity +org/apache/xerces/impl/XMLEntityManager$RewindableInputStream org/apache/xerces/impl/XMLEntityManager$ScannedEntity org/apache/xerces/impl/XMLEntityScanner org/apache/xerces/impl/XMLEntityScanner$1 @@ -59960,7 +59964,7 @@ org/springframework/util/SerializationUtils org/springframework/util/StopWatch org/springframework/util/StopWatch$TaskInfo org/springframework/util/StreamUtils$NonClosingOutputStream -org/springframework/util/StringUtils +# org/springframework/util/StringUtils org/springframework/util/StringValueResolver org/springframework/util/SystemPropertyUtils org/springframework/util/SystemPropertyUtils$SystemPropertyPlaceholderResolver 
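Review bot: Commenting out the whole `deser/std` block (and `JsonDeserializer` in the `@@ -4649` hunk) re-enables instrumentation of every Jackson deserializer with no record in the file of why, and the same pattern appears for `java/io/PushbackInputStream` (`@@ -23724`), `org/springframework/util/StringUtils` (`@@ -59960`) and the Gson entries in the second patch. Fifty-odd `# ` lines inside a list this size cannot be told apart from entries disabled for unrelated reasons, so either delete them or head the block with a one-line comment such as `# un-blacklisted so custom-model values produced by JSON deserialization are visible to taint tracking`. Presumably that is the purpose behind "fix: custom model"; if so, the extra per-call overhead of hooking these hot classes in the host application is worth a sentence in the commit message.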
@@ -64568,6 +64572,7 @@ weblogic/common/internal/VersionInfoFactory$PEER_INFO_FOR_WIRE_SINGLETON weblogic/common/internal/VersionInfoFactory$PEER_INFO_SINGLETON weblogic/common/internal/VersionInfoFactory$VERSION_INFO_SINGLETON weblogic/common/internal/VersioningError +weblogic/common/internal/WLObjectInputStream weblogic/common/internal/WLObjectOutputStream weblogic/common/resourcepool/IPooledResourceLinkedList weblogic/common/resourcepool/ObjectLifeCycle @@ -65955,6 +65960,7 @@ weblogic/iiop/EndPointFactory weblogic/iiop/IDLUtils weblogic/iiop/IIOPClient weblogic/iiop/IIOPClientService +weblogic/iiop/IIOPInputStream weblogic/iiop/IIOPLogger weblogic/iiop/IIOPLogger$MessageLoggerInitializer weblogic/iiop/IIOPOutputStream @@ -70018,6 +70024,7 @@ weblogic/net/http/HttpsClient weblogic/net/http/HttpsURLConnection weblogic/net/http/KeepAliveCache weblogic/net/http/KeepAliveKey +weblogic/net/http/KeepAliveStream weblogic/net/http/MessageHeader weblogic/net/http/NETEnvironment weblogic/net/http/SOAPHttpURLConnection @@ -72305,6 +72312,7 @@ weblogic/utils/enumerations/LIFO_FileContainer weblogic/utils/expressions/ExpressionEvaluationException weblogic/utils/expressions/ExpressionMap weblogic/utils/http/BytesToString +weblogic/utils/http/HttpChunkInputStream weblogic/utils/http/HttpChunkOutputStream weblogic/utils/http/HttpConstants weblogic/utils/http/HttpParsing @@ -72318,6 +72326,7 @@ weblogic/utils/http/MaxRequestParameterExceedException weblogic/utils/io/ByteBufferDataInputStream weblogic/utils/io/ByteBufferDataOutputStream weblogic/utils/io/ByteBufferObjectInputStream +weblogic/utils/io/ByteBufferObjectInputStream$ContextObjectInputStream weblogic/utils/io/ByteBufferObjectOutputStream weblogic/utils/io/ByteBufferOutputStream weblogic/utils/io/Chunk 
@@ -72325,6 +72334,7 @@ weblogic/utils/io/ChunkInput weblogic/utils/io/ChunkInputStreamAccess weblogic/utils/io/ChunkOutput weblogic/utils/io/ChunkedDataOutputStream +weblogic/utils/io/ChunkedInputStream weblogic/utils/io/ChunkedObjectOutputStream weblogic/utils/io/ChunkedObjectOutputStream$NestedObjectOutputStream weblogic/utils/io/ChunkedOutputStream @@ -73559,6 +73569,7 @@ weblogic/xml/stream/events/SpaceEvent weblogic/xml/stream/events/StartDocumentEvent weblogic/xml/stream/events/StartElementEvent weblogic/xml/stream/util/RecyclingFactory +weblogic/xml/util/CachedInputStream weblogic/xml/util/Debug weblogic/xml/util/Debug$DebugFacility weblogic/xml/util/Debug$DebugFacility$DebugListener @@ -73628,6 +73639,7 @@ workshop/util/encoding/EncodingManager$EncodingProxy workshop/util/encoding/EncodingReader workshop/util/encoding/impl/PropertiesEncoding workshop/util/encoding/impl/TextEncoding +workshop/util/filesystem/util/InputStreamWrapper com/alibaba/druid/filter/logging/Log4jFilter # disable alibaba sandbox's class dongtai-001 com/alibaba/jvm/sandbox/* From 625f54208a4f0aa4bfa4c57f95a7469dd4497760 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=98niuerzhuang=E2=80=99?= <‘niuerzhuang@huoxian.cn’> Date: Mon, 15 May 2023 17:52:36 +0800 Subject: [PATCH 2/9] fix: custom model --- .../main/resources/com.secnium.iast.resources/blacklist.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt b/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt index cdc7cd650..593c3646c 100644 --- a/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt +++ b/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt 
@@ -5513,7 +5513,7 @@ com/google/common/util/concurrent/ThreadFactoryBuilder$1 com/google/common/util/concurrent/UncheckedExecutionException com/google/common/util/concurrent/Uninterruptibles com/google/gson/FieldNamingPolicy* -com/google/gson/Gson* +# com/google/gson/Gson* com/google/gson/JsonArray com/google/gson/JsonElement com/google/gson/JsonIOException @@ -5523,7 +5523,7 @@ com/google/gson/JsonParseException com/google/gson/JsonPrimitive com/google/gson/JsonSyntaxException com/google/gson/LongSerializationPolicy* -com/google/gson/TypeAdapter* +# com/google/gson/TypeAdapter* com/google/gson/internal/* com/google/gson/reflect/TypeToken com/google/gson/stream/JsonReader From fa88990234ad468903817f04b86ae9914d8c9e7d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=98niuerzhuang=E2=80=99?= <‘niuerzhuang@huoxian.cn’> Date: Thu, 18 May 2023 15:26:29 +0800 Subject: [PATCH 3/9] fix: custom model --- .../hookpoint/controller/impl/DubboImpl.java | 5 +- .../hookpoint/controller/impl/SourceImpl.java | 2 +- .../hookpoint/service/trace/DubboService.java | 4 +- .../hookpoint/service/trace/FeignService.java | 2 +- .../dongtai/iast/core/utils/ReflectUtils.java | 53 ++++++- .../iast/core/utils/TaintPoolUtils.java | 147 ++++-------------- 6 files changed, 85 insertions(+), 128 deletions(-) diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/DubboImpl.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/DubboImpl.java index 5160b9fbf..a29d68022 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/DubboImpl.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/DubboImpl.java 
@@ -43,7 +43,6 @@ public static void solveDubboRequest(Object handler, Object channel, Object requ } - public static void collectDubboRequestSource(Object handler, Object invocation, String methodName, Object[] arguments, Map headers, String hookClass, String hookMethod, String hookSign, @@ -51,7 +50,7 @@ public static void collectDubboRequestSource(Object handler, Object invocation, if (arguments == null || arguments.length == 0) { return; } - Map requestMeta = EngineManager.REQUEST_CONTEXT.get(); + Map requestMeta = EngineManager.REQUEST_CONTEXT.get(); if (requestMeta == null) { return; } @@ -70,7 +69,7 @@ public static void collectDubboRequestSource(Object handler, Object invocation, tgt.add(new TaintPosition("P1")); SourceNode sourceNode = new SourceNode(src, tgt, null); - TaintPoolUtils.trackObject(event, sourceNode, arguments, 0); + TaintPoolUtils.trackObject(event, sourceNode, arguments, 0, true); Map sHeaders = new HashMap(); if (headers != null) { diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/SourceImpl.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/SourceImpl.java index 34d6d215b..60a169aaf 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/SourceImpl.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/SourceImpl.java @@ -81,7 +81,7 @@ private static boolean trackTarget(MethodEvent event, SourceNode sourceNode) { return false; } - TaintPoolUtils.trackObject(event, sourceNode, event.returnInstance, 0); + TaintPoolUtils.trackObject(event, sourceNode, event.returnInstance, 0, false); return true; } diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/service/trace/DubboService.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/service/trace/DubboService.java index 4bc4926b2..b791c8e45 100644 
--- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/service/trace/DubboService.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/service/trace/DubboService.java @@ -15,7 +15,7 @@ public class DubboService { public static void solveSyncInvoke(MethodEvent event, Object invocation, String url, Map headers, AtomicInteger invokeIdSequencer) { try { - TaintPoolUtils.trackObject(event, null, event.parameterInstances, 0); + TaintPoolUtils.trackObject(event, null, event.parameterInstances, 0, false); boolean hasTaint = false; int sourceLen = 0; if (!event.getSourceHashes().isEmpty()) { @@ -26,7 +26,7 @@ public static void solveSyncInvoke(MethodEvent event, Object invocation, String if (headers != null && headers.size() > 0) { hasTaint = false; - TaintPoolUtils.trackObject(event, null, headers, 0); + TaintPoolUtils.trackObject(event, null, headers, 0, false); if (event.getSourceHashes().size() > sourceLen) { hasTaint = true; } diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/service/trace/FeignService.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/service/trace/FeignService.java index 2d9e3e002..7a377a8da 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/service/trace/FeignService.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/service/trace/FeignService.java @@ -27,7 +27,7 @@ public static void solveSyncInvoke(MethodEvent event, AtomicInteger invokeIdSequ // get args Object args = event.parameterInstances[0]; - TaintPoolUtils.trackObject(event, null, args, 0); + TaintPoolUtils.trackObject(event, null, args, 0, true); boolean hasTaint = false; if (!event.getSourceHashes().isEmpty()) { diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/ReflectUtils.java b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/ReflectUtils.java index 5eb69a1dc..710147886 100644 
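Review bot: `DubboService.solveSyncInvoke` passes `false` for the new `isMicroservice` argument on both calls, while `FeignService.solveSyncInvoke` in the next hunk passes `true` for its outgoing-call arguments, so the field walk added to `trackObject` runs for Feign request bodies but not for Dubbo invocation parameters. If that asymmetry is deliberate it deserves a comment at the call; otherwise the first call should probably be `TaintPoolUtils.trackObject(event, null, event.parameterInstances, 0, true);`. A bare `true`/`false` at four call sites also says nothing about what it enables; a named constant (e.g. one describing "walk model fields") would make the intent readable without opening `TaintPoolUtils`.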
--- a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/ReflectUtils.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/ReflectUtils.java @@ -2,6 +2,8 @@ import java.lang.reflect.Field; import java.lang.reflect.Method; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.*; /** @@ -55,8 +57,18 @@ public static Method getPublicMethodFromClass(Class cls, String method) throw public static Method getPublicMethodFromClass(Class cls, String methodName, Class[] parameterTypes) throws NoSuchMethodException { Method method = cls.getMethod(methodName, parameterTypes); - method.setAccessible(true); - return method; + return getSecurityPublicMethod(method); + } + + public static Method getSecurityPublicMethod(Method method) throws NoSuchMethodException { + if (hasNotSecurityManager()) { + method.setAccessible(true); + return method; + } + return AccessController.doPrivileged((PrivilegedAction) () -> { + method.setAccessible(true); + return method; + }); } public static Method getDeclaredMethodFromClass(Class cls, String methodName, Class[] parameterTypes) { @@ -66,8 +78,11 @@ public static Method getDeclaredMethodFromClass(Class cls, String methodName, } for (Method method : methods) { if (methodName.equals(method.getName()) && Arrays.equals(parameterTypes, method.getParameterTypes())) { - method.setAccessible(true); - return method; + try { + return getSecurityPublicMethod(method); + } catch (NoSuchMethodException e) { + e.printStackTrace(); + } } } return null; 
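Review bot: `getSecurityPublicMethod` declares `throws NoSuchMethodException` but nothing in its body can throw it; `setAccessible` fails with unchecked `SecurityException` (or `InaccessibleObjectException` on JDK 9+), which the declaration does not cover, so the only effect is the dead `catch` added in the `@@ -66` hunk, whose `e.printStackTrace()` would write to the host application's stderr instead of `DongTaiLog`. Drop the clause, `public static Method getSecurityPublicMethod(Method method) {`, and call it directly from `getDeclaredMethodFromClass` without the try/catch. The raw `PrivilegedAction` cast also discards the return type; `return AccessController.doPrivileged((PrivilegedAction<Method>) () -> {` keeps the code warning-free without changing behaviour.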
@@ -137,13 +152,35 @@ public static List> getAllInterfaces(Class cls) { private static void getAllInterfaces(Class cls, List> interfaceList) { while (cls != null) { Class[] interfaces = cls.getInterfaces(); - for (int i = 0; i < interfaces.length; i++) { - if (!interfaceList.contains(interfaces[i])) { - interfaceList.add(interfaces[i]); - getAllInterfaces(interfaces[i], interfaceList); + for (Class anInterface : interfaces) { + if (!interfaceList.contains(anInterface)) { + interfaceList.add(anInterface); + getAllInterfaces(anInterface, interfaceList); } } cls = cls.getSuperclass(); } } + + public static Field[] getDeclaredFieldsSecurity(Class cls) { + Objects.requireNonNull(cls); + if (hasNotSecurityManager()) { + return getDeclaredFields(cls); + } + return (Field[]) AccessController.doPrivileged((PrivilegedAction) () -> { + return getDeclaredFields(cls); + }); + } + + private static Field[] getDeclaredFields(Class cls) { + Field[] declaredFields = cls.getDeclaredFields(); + for (Field field : declaredFields) { + field.setAccessible(true); + } + return declaredFields; + } + + private static boolean hasNotSecurityManager() { + return System.getSecurityManager() == null; + } } diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java index fc72e25a8..de240d0cc 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java @@ -6,10 +6,9 @@ import io.dongtai.iast.core.handler.hookpoint.models.policy.SourceNode; import io.dongtai.iast.core.handler.hookpoint.models.taint.range.*; import io.dongtai.log.DongTaiLog; -import io.dongtai.log.ErrorCode; import java.lang.reflect.Array; -import java.lang.reflect.Method; +import java.lang.reflect.Field; import java.math.BigDecimal; import java.util.*; 
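Review bot: In `getDeclaredFields` a single `setAccessible(true)` failure aborts the whole method, so one field of a JDK-internal or non-open module class (`InaccessibleObjectException` on JDK 9+, `SecurityException` under a security manager) loses every other field of that class, and the caller in `TaintPoolUtils.trackObject` then logs at debug and tracks nothing. Making the accessibility step per-field and skipping only the entries that fail keeps the rest of the model visible. `getDeclaredFieldsSecurity` also casts a raw `PrivilegedAction` result; `AccessController.doPrivileged((PrivilegedAction<Field[]>) () -> getDeclaredFields(cls))` drops both the cast and the unchecked warning.
```java
private static Field[] getDeclaredFields(Class cls) {
    Field[] declaredFields = cls.getDeclaredFields();
    List<Field> accessible = new ArrayList<Field>(declaredFields.length);
    for (Field field : declaredFields) {
        try {
            field.setAccessible(true);
            accessible.add(field);
        } catch (RuntimeException ignored) {
            // InaccessibleObjectException (JDK 9+) or SecurityException: skip this field, keep the others
        }
    }
    return accessible.toArray(new Field[0]);
}
```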
@@ -24,16 +23,6 @@ public class TaintPoolUtils { private static final String VALUES_ENUMERATOR = " org.apache.tomcat.util.http.ValuesEnumerator".substring(1); private static final String SPRING_OBJECT = " org.springframework.".substring(1); - /** - * 判断 obj 对象是否为 java 的内置数据类型,包括:string、array、list、map、enum 等 - * - * @param obj Object - * @return boolean - */ - public static boolean isJdkType(Object obj) { - return obj instanceof String || obj instanceof Map || obj instanceof List; - } - public static boolean poolContains(Object obj, MethodEvent event) { if (obj == null) { return false; 
@@ -146,86 +135,7 @@ public static boolean isAllowTaintType(Object obj) { return isAllowTaintType(obj.getClass()); } - public static boolean isAllowTaintGetterModel(Object model) { - if (!TaintPoolUtils.isNotEmpty(model)) { - return false; - } - Class sourceClass = model.getClass(); - if (sourceClass.getClassLoader() == null) { - return false; - } - if (!TaintPoolUtils.isAllowTaintGetterClass(sourceClass)) { - return false; - } - return true; - } - - public static boolean isAllowTaintGetterClass(Class clazz) { - String className = clazz.getName(); - if (className.startsWith("cn.huoxian.iast.api.") || - className.startsWith("io.dongtai.api.") || - className.startsWith(" org.apache.tomcat".substring(1)) || - className.startsWith(" org.apache.catalina".substring(1)) || - className.startsWith(" org.apache.shiro.web.servlet".substring(1)) || - className.startsWith(" org.eclipse.jetty".substring(1)) || - VALUES_ENUMERATOR.equals(className) || - className.startsWith(SPRING_OBJECT) || - className.contains("RequestWrapper") || - className.contains("ResponseWrapper") - - ) { - return false; - } - - List> interfaces = ReflectUtils.getAllInterfaces(clazz); - for (Class inter : interfaces) { - if (inter.getName().endsWith(".servlet.ServletRequest") - || inter.getName().endsWith(".servlet.ServletResponse")) { - return false; - } - } - - return true; - } - - public static boolean isAllowTaintGetterMethod(Method method) { - String methodName = method.getName(); - if (!methodName.startsWith("get") - || "getClass".equals(methodName) - || "getParserForType".equals(methodName) - || "getDefaultInstance".equals(methodName) - || "getDefaultInstanceForType".equals(methodName) - || "getDescriptor".equals(methodName) - || "getDescriptorForType".equals(methodName) - || "getAllFields".equals(methodName) - || "getInitializationErrorString".equals(methodName) - || "getUnknownFields".equals(methodName) - || "getDetailOrBuilderList".equals(methodName) - || "getAllFieldsMutable".equals(methodName) 
- || "getAllFieldsRaw".equals(methodName) - || "getOneofFieldDescriptor".equals(methodName) - || "getField".equals(methodName) - || "getFieldRaw".equals(methodName) - || "getRepeatedFieldCount".equals(methodName) - || "getRepeatedField".equals(methodName) - || "getSerializedSize".equals(methodName) - || "getMethodOrDie".equals(methodName) - || "getReader".equals(methodName) - || "getInputStream".equals(methodName) - || "getWriter".equals(methodName) - || "getOutputStream".equals(methodName) - || "getParameterNames".equals(methodName) - || "getParameterMap".equals(methodName) - || "getHeaderNames".equals(methodName) - || methodName.endsWith("Bytes") - || method.getParameterCount() != 0) { - return false; - } - - return isAllowTaintType(method.getReturnType()); - } - - public static void trackObject(MethodEvent event, PolicyNode policyNode, Object obj, int depth) { + public static void trackObject(MethodEvent event, PolicyNode policyNode, Object obj, int depth, Boolean isMicroservice) { if (depth >= 10 || !TaintPoolUtils.isNotEmpty(obj) || !TaintPoolUtils.isAllowTaintType(obj)) { return; } 
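Review bot: The new `isMicroservice` parameter is declared as boxed `Boolean` on this public method (and on the private helpers in the `@@ -285` hunk), yet the `@@ -276` hunk unboxes it in `if (isMicroservice && !(obj instanceof String))`, so a caller passing `null` gets a `NullPointerException` from inside the taint tracker instead of a no-op. All four callers in this patch pass literals, so `boolean` is a drop-in change: `public static void trackObject(MethodEvent event, PolicyNode policyNode, Object obj, int depth, boolean isMicroservice) {`. A Javadoc line such as `@param isMicroservice also walk the declared fields of non-String source objects (RPC payloads)` would help, since the name alone does not say that. The deleted `isAllowTaintGetterClass`/`isAllowTaintGetterMethod` filters (Tomcat, Spring, servlet request/response wrappers, stream getters) have no counterpart in the new field walk beyond `isAllowTaintType`, which this chunk does not show, so it is worth confirming that the walk still stays out of framework objects. `trackObject`'s body continues outside this hunk.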
@@ -241,21 +151,21 @@ public static void trackObject(MethodEvent event, PolicyNode policyNode, Object Class cls = obj.getClass(); if (cls.isArray() && !cls.getComponentType().isPrimitive()) { - trackArray(event, policyNode, obj, depth); + trackArray(event, policyNode, obj, depth, isMicroservice); } else if (obj instanceof Iterator && !(obj instanceof Enumeration)) { - trackIterator(event, policyNode, (Iterator) obj, depth); + trackIterator(event, policyNode, (Iterator) obj, depth, isMicroservice); } else if (obj instanceof Map) { - trackMap(event, policyNode, (Map) obj, depth); + trackMap(event, policyNode, (Map) obj, depth, isMicroservice); } else if (obj instanceof Map.Entry) { - trackMapEntry(event, policyNode, (Map.Entry) obj, depth); + trackMapEntry(event, policyNode, (Map.Entry) obj, depth, isMicroservice); } else if (obj instanceof Collection && !(obj instanceof Enumeration)) { if (obj instanceof List) { - trackList(event, policyNode, (List) obj, depth); + trackList(event, policyNode, (List) obj, depth, isMicroservice); } else { - trackIterator(event, policyNode, ((Collection) obj).iterator(), depth); + trackIterator(event, policyNode, ((Collection) obj).iterator(), depth, isMicroservice); } } else if ("java.util.Optional".equals(obj.getClass().getName())) { - trackOptional(event, policyNode, obj, depth); + trackOptional(event, policyNode, obj, depth, isMicroservice); } else { if (isSourceNode) { int len = TaintRangesBuilder.getLength(obj); 
@@ -276,6 +186,17 @@ public static void trackObject(MethodEvent event, PolicyNode policyNode, Object
 EngineManager.TAINT_HASH_CODES.add(hash);
 event.addTargetHash(hash);
 EngineManager.TAINT_RANGES_POOL.add(hash, tr);
+ if (isMicroservice && !(obj instanceof String)) {
+ try {
+ Field[] declaredFields = ReflectUtils.getDeclaredFieldsSecurity(cls);
+ for (Field field : declaredFields) {
+ trackObject(event, policyNode, field.get(obj), depth + 1, isMicroservice);
+ }
+ } catch (Throwable e) {
+ DongTaiLog.debug("solve model failed: {}, {}",
+ e.getMessage(), e.getCause() != null ? e.getCause().getMessage() : "");
+ }
+ }
 } else {
 hash = System.identityHashCode(obj);
 if (EngineManager.TAINT_HASH_CODES.contains(hash)) {
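Review bot: A single unreadable field aborts the walk for every remaining field, because the `catch (Throwable e)` wraps the whole `for` loop around `field.get(obj)`; an inner try/catch per field keeps one bad field from hiding the rest of the model. `getDeclaredFieldsSecurity(cls)` is backed by `cls.getDeclaredFields()` (visible in the ReflectUtils hunks of the next patch), so fields inherited from a superclass are never visited — if models are meant to be covered transitively, the walk also has to climb `cls.getSuperclass()`. The parameter is a boxed `Boolean`, so a caller passing `null` throws NullPointerException at `if (isMicroservice && ...)`; a primitive `boolean` here and in the helper signatures of the next hunk would rule that out. trackObject starts and ends outside this hunk.
```java
if (isMicroservice && !(obj instanceof String)) {
    try {
        Field[] declaredFields = ReflectUtils.getDeclaredFieldsSecurity(cls);
        for (Field field : declaredFields) {
            try {
                trackObject(event, policyNode, field.get(obj), depth + 1, isMicroservice);
            } catch (Throwable e) {
                // one unreadable field must not stop the remaining fields from being tracked
                DongTaiLog.debug("solve model field failed: {}", e.getMessage());
            }
        }
    } catch (Throwable e) {
        // … unchanged: "solve model failed" debug log …
    }
}
```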
@@ -285,41 +206,41 @@ public static void trackObject(MethodEvent event, PolicyNode policyNode, Object } } - private static void trackArray(MethodEvent event, PolicyNode policyNode, Object arr, int depth) { + private static void trackArray(MethodEvent event, PolicyNode policyNode, Object arr, int depth, Boolean isMicroservice) { int length = Array.getLength(arr); for (int i = 0; i < length; i++) { - trackObject(event, policyNode, Array.get(arr, i), depth + 1); + trackObject(event, policyNode, Array.get(arr, i), depth + 1, isMicroservice); } } - private static void trackIterator(MethodEvent event, PolicyNode policyNode, Iterator it, int depth) { + private static void trackIterator(MethodEvent event, PolicyNode policyNode, Iterator it, int depth, Boolean isMicroservice) { while (it.hasNext()) { - trackObject(event, policyNode, it.next(), depth + 1); + trackObject(event, policyNode, it.next(), depth + 1, isMicroservice); } } - private static void trackMap(MethodEvent event, PolicyNode policyNode, Map map, int depth) { + private static void trackMap(MethodEvent event, PolicyNode policyNode, Map map, int depth, Boolean isMicroservice) { for (Object key : map.keySet()) { - trackObject(event, policyNode, key, depth + 1); - trackObject(event, policyNode, map.get(key), depth + 1); + trackObject(event, policyNode, key, depth + 1, isMicroservice); + trackObject(event, policyNode, map.get(key), depth + 1, isMicroservice); } } - private static void trackMapEntry(MethodEvent event, PolicyNode policyNode, Map.Entry entry, int depth) { - trackObject(event, policyNode, entry.getKey(), depth + 1); - trackObject(event, policyNode, entry.getValue(), depth + 1); + private static void trackMapEntry(MethodEvent event, PolicyNode policyNode, Map.Entry entry, int depth, Boolean isMicroservice) { + trackObject(event, policyNode, entry.getKey(), depth + 1, isMicroservice); + trackObject(event, policyNode, entry.getValue(), depth + 1, isMicroservice); } - private static void 
trackList(MethodEvent event, PolicyNode policyNode, List list, int depth) { + private static void trackList(MethodEvent event, PolicyNode policyNode, List list, int depth, Boolean isMicroservice) { for (Object obj : list) { - trackObject(event, policyNode, obj, depth + 1); + trackObject(event, policyNode, obj, depth + 1, isMicroservice); } } - private static void trackOptional(MethodEvent event, PolicyNode policyNode, Object obj, int depth) { + private static void trackOptional(MethodEvent event, PolicyNode policyNode, Object obj, int depth, Boolean isMicroservice) { try { Object v = ((Optional) obj).orElse(null); - trackObject(event, policyNode, v, depth + 1); + trackObject(event, policyNode, v, depth + 1, isMicroservice); } catch (Throwable ignore) { } } From 899c214197f93758cfc61224fc114869567c82f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=98niuerzhuang=E2=80=99?= <‘niuerzhuang@huoxian.cn’> Date: Thu, 18 May 2023 18:05:42 +0800 Subject: [PATCH 4/9] fix: Doesn't work in Java 9+. --- .../dongtai/iast/core/utils/ReflectUtils.java | 24 +++++++++++++++---- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/ReflectUtils.java b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/ReflectUtils.java index 710147886..a47cf3779 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/ReflectUtils.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/ReflectUtils.java @@ -1,5 +1,8 @@ package io.dongtai.iast.core.utils; +import io.dongtai.log.DongTaiLog; + +import java.lang.reflect.AccessibleObject; import java.lang.reflect.Field; import java.lang.reflect.Method; import java.security.AccessController; @@ -13,7 +16,7 @@ public class ReflectUtils { public static Field getFieldFromClass(Class cls, String fieldName) throws NoSuchFieldException { Field field = cls.getDeclaredField(fieldName); - field.setAccessible(true); + setAccessible(field); return field; } 
@@ -21,7 +24,7 @@ public static Field getDeclaredFieldFromClassByName(Class cls, String fieldNa Field[] declaredFields = cls.getDeclaredFields(); for (Field field : declaredFields) { if (fieldName.equals(field.getName())) { - field.setAccessible(true); + setAccessible(field); return field; } } @@ -62,11 +65,11 @@ public static Method getPublicMethodFromClass(Class cls, String methodName, C public static Method getSecurityPublicMethod(Method method) throws NoSuchMethodException { if (hasNotSecurityManager()) { - method.setAccessible(true); + setAccessible(method); return method; } return AccessController.doPrivileged((PrivilegedAction) () -> { - method.setAccessible(true); + setAccessible(method); return method; }); } @@ -175,7 +178,7 @@ public static Field[] getDeclaredFieldsSecurity(Class cls) { private static Field[] getDeclaredFields(Class cls) { Field[] declaredFields = cls.getDeclaredFields(); for (Field field : declaredFields) { - field.setAccessible(true); + setAccessible(field); } return declaredFields; } @@ -183,4 +186,15 @@ private static Field[] getDeclaredFields(Class cls) { private static boolean hasNotSecurityManager() { return System.getSecurityManager() == null; } + + private static void setAccessible(AccessibleObject accessibleObject) { + try{ + if (!accessibleObject.isAccessible()) { + accessibleObject.setAccessible(true); + } + } catch (Throwable e){ + DongTaiLog.debug(e.getMessage()); + } + + } } From 80b1c799b050e3c9326ad8a47caac2f0127e84b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=98niuerzhuang=E2=80=99?= <‘niuerzhuang@huoxian.cn’> Date: Thu, 18 May 2023 18:24:00 +0800 Subject: [PATCH 5/9] fix: Doesn't work in Java 9+. --- .../src/main/java/io/dongtai/iast/core/utils/ReflectUtils.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/ReflectUtils.java b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/ReflectUtils.java index a47cf3779..dc5ac369d 100644 
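Review bot: `setAccessible` swallows the failure at debug level and returns nothing, so `getFieldFromClass`, `getDeclaredFields` and `getSecurityPublicMethod` (the earlier hunks of this patch) now hand back a `Field` or `Method` that could not be opened, and the failure resurfaces later as an `IllegalAccessException` at `field.get`/`method.invoke` in whichever caller uses it first. Returning the outcome, `private static boolean setAccessible(AccessibleObject accessibleObject)` with `return true;` after the flag is set and `return false;` in the catch, would let `getDeclaredFields` drop the members it could not open instead of passing them on. `catch (Throwable e)` also hides `Error`s; on Java 9+ the expected failure is the `RuntimeException` subtype `InaccessibleObjectException` (and `SecurityException` under a security manager), so `catch (RuntimeException e)` is the narrowest type that covers both. `isAccessible()` is deprecated since Java 9, so if it stays for Java 8 compatibility a one-line why-comment on that call would save the next reader from replacing it.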
--- a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/ReflectUtils.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/ReflectUtils.java @@ -193,7 +193,8 @@ private static void setAccessible(AccessibleObject accessibleObject) { accessibleObject.setAccessible(true); } } catch (Throwable e){ - DongTaiLog.debug(e.getMessage()); + DongTaiLog.debug("setAccessible failed: {}, {}", + e.getMessage(), e.getCause() != null ? e.getCause().getMessage() : ""); } } From 88a98397a084688ab5512c7ef670c0120dd9f809 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=98niuerzhuang=E2=80=99?= <‘niuerzhuang@huoxian.cn’> Date: Fri, 19 May 2023 11:36:00 +0800 Subject: [PATCH 6/9] fix: method dubbo --- .../iast/core/handler/hookpoint/controller/impl/DubboImpl.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/DubboImpl.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/DubboImpl.java index a29d68022..09160c649 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/DubboImpl.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/DubboImpl.java @@ -27,7 +27,7 @@ public static void solveDubboRequest(Object handler, Object channel, Object requ put("requestURL", u.getScheme() + "://" + u.getAuthority() + u.getPath()); put("requestURI", u.getPath()); put("queryString", ""); - put("method", "DUBOO"); + put("method", "DUBBO"); put("protocol", "DUBBO"); put("scheme", u.getScheme()); put("contextPath", ""); From daacb1e80533ecc4c8d22abe5c8d0a5792a07525 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=98niuerzhuang=E2=80=99?= <‘niuerzhuang@huoxian.cn’> Date: Fri, 19 May 2023 14:25:10 +0800 Subject: [PATCH 7/9] fix: Exclude static fields. --- .../main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java index de240d0cc..1d8998a6a 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java @@ -9,6 +9,7 @@ import java.lang.reflect.Array; import java.lang.reflect.Field; +import java.lang.reflect.Modifier; import java.math.BigDecimal; import java.util.*; @@ -190,7 +191,9 @@ public static void trackObject(MethodEvent event, PolicyNode policyNode, Object try { Field[] declaredFields = ReflectUtils.getDeclaredFieldsSecurity(cls); for (Field field : declaredFields) { - trackObject(event, policyNode, field.get(obj), depth + 1, isMicroservice); + if (!Modifier.isStatic(field.getModifiers())) { + trackObject(event, policyNode, field.get(obj), depth + 1, isMicroservice); + } } } catch (Throwable e) { DongTaiLog.debug("solve model failed: {}, {}", From 074954e0e757be4dcefc5adb3ca819d6b493bafd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=98niuerzhuang=E2=80=99?= <‘niuerzhuang@huoxian.cn’> Date: Fri, 19 May 2023 18:09:08 +0800 Subject: [PATCH 8/9] fix: update blacklist.txt --- .../com.secnium.iast.resources/blacklist.txt | 106 +++++++++--------- 1 file changed, 53 insertions(+), 53 deletions(-) diff --git a/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt b/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt index 593c3646c..21c940be6 100644 --- a/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt +++ b/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt 
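Review bot: Synthetic fields still pass the new filter, so for a model that is a non-static inner class the walk follows its `this$0` reference into the enclosing instance and tracks that object graph as well, up to the depth limit; `if (!Modifier.isStatic(field.getModifiers()) && !field.isSynthetic()) {` keeps the walk on the model's own state. Whether such models occur in practice cannot be seen from the hunk. trackObject starts and ends outside this hunk.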
@@ -4735,61 +4735,61 @@ com/fasterxml/jackson/databind/deser/impl/PropertyBasedCreator$CaseInsensitiveMa
 com/fasterxml/jackson/databind/deser/impl/PropertyBasedObjectIdGenerator
 com/fasterxml/jackson/databind/deser/impl/SetterlessProperty
 com/fasterxml/jackson/databind/deser/impl/TypeWrappedDeserializer
-# com/fasterxml/jackson/databind/deser/std/ArrayBlockingQueueDeserializer
-# com/fasterxml/jackson/databind/deser/std/AtomicBooleanDeserializer
-# com/fasterxml/jackson/databind/deser/std/AtomicReferenceDeserializer
-# com/fasterxml/jackson/databind/deser/std/BaseNodeDeserializer
-# com/fasterxml/jackson/databind/deser/std/BaseNodeDeserializer$1
-# com/fasterxml/jackson/databind/deser/std/ByteBufferDeserializer
-# com/fasterxml/jackson/databind/deser/std/CollectionDeserializer
-# com/fasterxml/jackson/databind/deser/std/ContainerDeserializerBase
-# com/fasterxml/jackson/databind/deser/std/EnumDeserializer
-# com/fasterxml/jackson/databind/deser/std/EnumMapDeserializer
-# com/fasterxml/jackson/databind/deser/std/EnumSetDeserializer
-# com/fasterxml/jackson/databind/deser/std/FromStringDeserializer
-# com/fasterxml/jackson/databind/deser/std/FromStringDeserializer$Std
-# com/fasterxml/jackson/databind/deser/std/JavaTypeDeserializer
-# com/fasterxml/jackson/databind/deser/std/JdkDeserializers
-# com/fasterxml/jackson/databind/deser/std/JsonLocationInstantiator
-# com/fasterxml/jackson/databind/deser/std/JsonNodeDeserializer
-# com/fasterxml/jackson/databind/deser/std/JsonNodeDeserializer$1
-# com/fasterxml/jackson/databind/deser/std/JsonNodeDeserializer$ArrayDeserializer
-# com/fasterxml/jackson/databind/deser/std/JsonNodeDeserializer$ObjectDeserializer
-# com/fasterxml/jackson/databind/deser/std/MapDeserializer
-# com/fasterxml/jackson/databind/deser/std/MapEntryDeserializer
-# com/fasterxml/jackson/databind/deser/std/NullifyingDeserializer
-# com/fasterxml/jackson/databind/deser/std/ObjectArrayDeserializer
-# com/fasterxml/jackson/databind/deser/std/StackTraceElementDeserializer
-# com/fasterxml/jackson/databind/deser/std/StdDelegatingDeserializer
-# com/fasterxml/jackson/databind/deser/std/StdDeserializer
-# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer
-# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$BoolKD
-# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$ByteKD
-# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$CalendarKD
-# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$CharKD
-# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$DateKD
-# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$DelegatingKD
-# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$DoubleKD
-# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$EnumKD
-# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$FloatKD
-# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$IntKD
-# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$LocaleKD
-# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$LongKD
-# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$ShortKD
-# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$StringCtorKeyDeserializer
-# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$StringFactoryKeyDeserializer
+com/fasterxml/jackson/databind/deser/std/ArrayBlockingQueueDeserializer
+com/fasterxml/jackson/databind/deser/std/AtomicBooleanDeserializer
+com/fasterxml/jackson/databind/deser/std/AtomicReferenceDeserializer
+com/fasterxml/jackson/databind/deser/std/BaseNodeDeserializer
+com/fasterxml/jackson/databind/deser/std/BaseNodeDeserializer$1
+com/fasterxml/jackson/databind/deser/std/ByteBufferDeserializer
+com/fasterxml/jackson/databind/deser/std/CollectionDeserializer
+com/fasterxml/jackson/databind/deser/std/ContainerDeserializerBase
+com/fasterxml/jackson/databind/deser/std/EnumDeserializer
+com/fasterxml/jackson/databind/deser/std/EnumMapDeserializer
+com/fasterxml/jackson/databind/deser/std/EnumSetDeserializer
+com/fasterxml/jackson/databind/deser/std/FromStringDeserializer
+com/fasterxml/jackson/databind/deser/std/FromStringDeserializer$Std
+com/fasterxml/jackson/databind/deser/std/JavaTypeDeserializer
+com/fasterxml/jackson/databind/deser/std/JdkDeserializers
+com/fasterxml/jackson/databind/deser/std/JsonLocationInstantiator
+com/fasterxml/jackson/databind/deser/std/JsonNodeDeserializer
+com/fasterxml/jackson/databind/deser/std/JsonNodeDeserializer$1
+com/fasterxml/jackson/databind/deser/std/JsonNodeDeserializer$ArrayDeserializer
+com/fasterxml/jackson/databind/deser/std/JsonNodeDeserializer$ObjectDeserializer
+com/fasterxml/jackson/databind/deser/std/MapDeserializer
+com/fasterxml/jackson/databind/deser/std/MapEntryDeserializer
+com/fasterxml/jackson/databind/deser/std/NullifyingDeserializer
+com/fasterxml/jackson/databind/deser/std/ObjectArrayDeserializer
+com/fasterxml/jackson/databind/deser/std/StackTraceElementDeserializer
+com/fasterxml/jackson/databind/deser/std/StdDelegatingDeserializer
+com/fasterxml/jackson/databind/deser/std/StdDeserializer
+com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer
+com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$BoolKD
+com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$ByteKD
+com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$CalendarKD
+com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$CharKD
+com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$DateKD
+com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$DelegatingKD
+com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$DoubleKD
+com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$EnumKD
+com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$FloatKD
+com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$IntKD
+com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$LocaleKD
+com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$LongKD
+com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$ShortKD
+com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$StringCtorKeyDeserializer
+com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$StringFactoryKeyDeserializer
 # com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$StringKD
-# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$UuidKD
-# com/fasterxml/jackson/databind/deser/std/StdKeyDeserializers
-# com/fasterxml/jackson/databind/deser/std/StdScalarDeserializer
-# com/fasterxml/jackson/databind/deser/std/StdValueInstantiator
-# com/fasterxml/jackson/databind/deser/std/StringArrayDeserializer
-# com/fasterxml/jackson/databind/deser/std/StringCollectionDeserializer
+com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer$UuidKD
+com/fasterxml/jackson/databind/deser/std/StdKeyDeserializers
+com/fasterxml/jackson/databind/deser/std/StdScalarDeserializer
+com/fasterxml/jackson/databind/deser/std/StdValueInstantiator
+com/fasterxml/jackson/databind/deser/std/StringArrayDeserializer
+com/fasterxml/jackson/databind/deser/std/StringCollectionDeserializer
 # com/fasterxml/jackson/databind/deser/std/StringDeserializer
-# com/fasterxml/jackson/databind/deser/std/ThrowableDeserializer
-# com/fasterxml/jackson/databind/deser/std/TokenBufferDeserializer
-# com/fasterxml/jackson/databind/deser/std/UUIDDeserializer
-# com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer
+com/fasterxml/jackson/databind/deser/std/ThrowableDeserializer
+com/fasterxml/jackson/databind/deser/std/TokenBufferDeserializer
+com/fasterxml/jackson/databind/deser/std/UUIDDeserializer
+com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer
 com/fasterxml/jackson/databind/exc/IgnoredPropertyException
 com/fasterxml/jackson/databind/exc/InvalidFormatException
com/fasterxml/jackson/databind/exc/PropertyBindingException From 67a115dd2ae5ff48df61bd654149decd9baed0b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=98niuerzhuang=E2=80=99?= <‘niuerzhuang@huoxian.cn’> Date: Fri, 19 May 2023 18:57:25 +0800 Subject: [PATCH 9/9] fix: custom model addSourceHash. --- .../main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java | 4 ++++ .../main/resources/com.secnium.iast.resources/blacklist.txt | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java index 1d8998a6a..d6e1a6062 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java @@ -195,6 +195,10 @@ public static void trackObject(MethodEvent event, PolicyNode policyNode, Object trackObject(event, policyNode, field.get(obj), depth + 1, isMicroservice); } } + hash = System.identityHashCode(obj); + if (EngineManager.TAINT_HASH_CODES.contains(hash)) { + event.addSourceHash(hash); + } } catch (Throwable e) { DongTaiLog.debug("solve model failed: {}, {}", e.getMessage(), e.getCause() != null ? e.getCause().getMessage() : ""); diff --git a/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt b/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt index 21c940be6..d2641b091 100644 --- a/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt +++ b/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt 
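Review bot: Fifty-three Jackson deserializer entries switch from commented-out to active in one hunk while `StdKeyDeserializer$StringKD` and `StringDeserializer` stay commented, and nothing in the file records why the split exists; since the blacklist accepts `#` lines, a comment above the block such as `# <reason these deserializers are not instrumented> -- StringDeserializer and StdKeyDeserializer$StringKD stay hookable on purpose` would stop a later edit from undoing it. That the two remaining entries are deliberate exceptions is inferred from the pattern, not stated by the commit.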
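Review bot: The added `event.addSourceHash(hash)` sits inside the `try`, so when reflection on any field throws, the `catch` skips it and the model loses its source hash although its target hash was already recorded a few lines above; the three added lines belong after the `catch` block (or before the loop). If `hash` was already `System.identityHashCode(obj)` when `EngineManager.TAINT_HASH_CODES.add(hash)` ran earlier in this branch (that assignment is outside the hunk) and the set does not evict, the `contains(hash)` guard is always true here and the recomputation is redundant, so the addition reduces to `event.addSourceHash(hash);`. trackObject starts and ends outside this hunk.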
@@ -4696,7 +4696,7 @@ com/fasterxml/jackson/databind/cfg/MapperConfigBase
 com/fasterxml/jackson/databind/cfg/SerializerFactoryConfig
 com/fasterxml/jackson/databind/deser/AbstractDeserializer
 com/fasterxml/jackson/databind/deser/BasicDeserializerFactory
-com/fasterxml/jackson/databind/deser/BeanDeserializer
+# com/fasterxml/jackson/databind/deser/BeanDeserializer
 com/fasterxml/jackson/databind/deser/BeanDeserializerBase
 com/fasterxml/jackson/databind/deser/BeanDeserializerBuilder
 com/fasterxml/jackson/databind/deser/BeanDeserializerModifier