
feat: vulnerability detection - when detecting QLExpress expression injection, also check whether the secure configuration is enabled #596

Merged: 4 commits, Nov 7, 2023

Conversation

UzJu (Member)

@UzJu UzJu commented Oct 24, 2023

No description provided.

@CC11001100 CC11001100 requested a review from a team October 24, 2023 08:57
Contributor:

On uninstall, set QLExpressCheck.setQLClassLoader to null; if the loader is still referenced, that reference stays alive and the class cannot be unloaded.

Member Author (UzJu):

If we don't use setQLClassLoader and just call Class.forName directly, does this situation still occur?
I see FastJSONCheck doesn't do any of this handling either.

Contributor:

If we don't use setQLClassLoader and just call Class.forName directly, does this situation still occur? I see FastJSONCheck doesn't do any of this handling either.

The underlying principle: class member variables should avoid referencing objects of the instrumented program; where a reference is unavoidable, it must be set to null on uninstall to release it. A class member variable is created together with its object and disappears with it, living in the heap memory where the object resides, so if it is not set to null, unloading the iastclassloader alone cannot release that reference.

Class.forName also depends on the case: if there is a reference to the instrumented application, this situation will occur.

FastJSONCheck also needs to be set to null.
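An added illustration of the unload pattern the comment above describes (hypothetical code, not DongTai's own QLExpressCheck or FastJSONCheck): a static field holding the instrumented application's ClassLoader is a GC root for that loader and every class it defined, so the check class must clear it on the agent's uninstall path. The class name ExpressionCheck, the config class and method names passed in, and the uninstall() hook are all assumptions for this example.

```java
import java.lang.reflect.Method;

// Hypothetical detection helper modelled on the pattern discussed in the review;
// not the project's QLExpressCheck.
public final class ExpressionCheck {

    // Static reference to the instrumented application's class loader.
    // While this is non-null, the loader (and all classes it defined) stay reachable,
    // so unloading the agent's own class loader alone will not free them.
    private static volatile ClassLoader targetLoader;

    private ExpressionCheck() {}

    /** Registered by the agent once the application loader is known. */
    public static void setTargetLoader(ClassLoader loader) {
        targetLoader = loader;
    }

    /**
     * Returns true when the expression library's security-config class is loadable
     * through the application loader and its static flag method reports the secure
     * mode as enabled. configClassName and flagMethod are caller-supplied assumptions.
     */
    public static boolean isSecureConfigEnabled(String configClassName, String flagMethod) {
        ClassLoader loader = targetLoader; // read once; may be nulled concurrently by uninstall()
        if (loader == null) {
            return false; // loader never registered, or agent already uninstalled
        }
        try {
            // Resolve through the application's loader, not the agent's, so the
            // class seen here is the one the application actually uses.
            Class<?> cfg = Class.forName(configClassName, true, loader);
            Method flag = cfg.getMethod(flagMethod);
            Object result = flag.invoke(null);
            return Boolean.TRUE.equals(result);
        } catch (Throwable e) {
            // Missing class or method means the library is absent or not configured;
            // treat as "secure mode not enabled" rather than failing the check.
            return false;
        }
    }

    /**
     * Called from the agent's uninstall path. Dropping the reference is what lets
     * the application loader become collectable; without this line the static
     * field keeps it pinned for the lifetime of ExpressionCheck itself.
     */
    public static void uninstall() {
        targetLoader = null;
    }
}
```

The same reasoning applies to any other static cache of application objects (a resolved Class, a Method handle, a config instance): each one needs the equivalent of uninstall(), or should be held through a java.lang.ref.WeakReference so it never becomes a strong root in the first place.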

@15911075183ma 15911075183ma requested a review from a team November 2, 2023 06:22
            return true;
        }
    } catch (Throwable e) {
        DongTaiLog.debug("Beim Abrufen der Felder der QLExpress-Komponente ist ein Fehler aufgetreten.: {}, {}",
Contributor:

Bro, that's German, not English @UzJu

Member Author (UzJu):

... fixed in a later commit


Member Author (UzJu):

:)


This cracked me up

@15911075183ma 15911075183ma merged commit 4917fba into HXSecurity:beta Nov 7, 2023
6 checks passed