Merge branches '1.1' and '1.1' of github.com:baidu/openrasp into 1.1

agent/php5/openrasp_log.cc

@@ -204,8 +204,7 @@ static void migrate_hash_values(zval *dest, const zval *src, std::vector<keys_fi
     {
         char *tmp_clientip_header = estrdup(OPENRASP_CONFIG(clientip.header).c_str());
         char *uch = php_strtoupper(tmp_clientip_header, strlen(tmp_clientip_header));
-        const char *server_global_hey = ("HTTP_" + std::string(uch)).c_str();
-        total_filters.push_back({server_global_hey, "client_ip", nullptr});
+        total_filters.push_back({("HTTP_" + std::string(uch)), "client_ip", nullptr});
         efree(tmp_clientip_header);
     }
     zval **origin_zv;

agent/php7/openrasp_log.cc

@@ -206,8 +206,7 @@ static void migrate_hash_values(zval *dest, const zval *src, std::vector<keys_fi
     {
         char *tmp_clientip_header = estrdup(OPENRASP_CONFIG(clientip.header).c_str());
         char *uch = php_strtoupper(tmp_clientip_header, strlen(tmp_clientip_header));
-        const char *server_global_hey = ("HTTP_" + std::string(uch)).c_str();
-        total_filters.push_back({server_global_hey, "client_ip", nullptr});
+        total_filters.push_back({("HTTP_" + std::string(uch)), "client_ip", nullptr});
         efree(tmp_clientip_header);
     }
     zval *origin_zv;

plugins/official/plugin.js

@@ -226,7 +226,7 @@ var algorithmConfig = {
     // 写文件操作 - 脚本文件
     // https://rasp.baidu.com/doc/dev/official.html#case-file-write
     writeFile_script: {
-        name:      '算法2 - 拦截所有 php/jsp 等脚本文件的写入操作',
+        name:      '算法2 - 拦截 php/jsp 等脚本文件的写入操作',
         reference: 'https://rasp.baidu.com/doc/dev/official.html#case-file-write',
         action:    'ignore'
     },
@@ -293,7 +293,7 @@ var algorithmConfig = {
 
     // XXE - 代码安全开关，通过调用相关函数直接禁止外部实体
     xxe_disable_entity: {
-        name:   '算法1 - 代码安全开关，开启后直接禁止外部实体',
+        name:   '算法1 - 禁止外部实体加载（记录日志等同于完全忽略）',
         action: 'ignore',
         clazz:  {
             // com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderFactoryImpl
@@ -527,6 +527,12 @@ if (! RASP.is_unittest)
    if (algorithmConfig.meta.all_log)
    {
         Object.keys(algorithmConfig).forEach(function (name) {
+            // XXE 外部实体开关不受影响
+            if (name == 'xxe_disable_entity')
+            {
+                continue
+            }
+
             if (algorithmConfig[name].action == 'block') 
             {
                algorithmConfig[name].action = 'log'

rasp-vue/src/components/pages/baseline_params.vue

@@ -74,7 +74,7 @@
                 </p>
             </div>
 
-            <div  v-if="data.policy_params.hostname && data.policy_params.port">
+            <div v-if="data.policy_params.hostname && data.policy_params.port">
                 <div class="h6">
                     服务器信息
                 </div>
@@ -98,7 +98,7 @@
             <p>
                 {{ data.policy_params.username }}:{{ data.policy_params.password }}
             </p>
-            
+
             <div class="h6">
                 问题描述
             </div>
@@ -240,6 +240,11 @@ export default {
     methods: {
         setData: function (data) {
             this.data = data
+
+            // v1.0 版本，weblogic 忘记增加 policy_params 字段，简单修复
+            if (! data['policy_params']) {
+                data['policy_params'] = {}
+            }
         }
     }
 }

rasp-vue/src/components/pages/settings/algorithm.vue

@@ -26,7 +26,7 @@
             >
             <span class="custom-switch-indicator" />
             <span class="custom-switch-description">
-              将所有算法设置为「记录日志」模式
+              将所有算法设置为「记录日志」模式（"XXE 禁止外部实体加载" 算法除外）
             </span>
           </label>
           <br>