From ac33750d652e3bcd86f70a177acebad16127ca3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=98niuerzhuang=E2=80=99?= <‘niuerzhuang@huoxian.cn’> Date: Tue, 1 Aug 2023 10:39:39 +0800 Subject: [PATCH 1/8] feature: add validator handler. --- .../common/constants/PropertyConstant.java | 2 +- .../core/bytecode/enhance/asm/AsmMethods.java | 6 ++ .../plugin/core/DispatchClassPlugin.java | 1 + .../plugin/core/adapter/ValidatorAdapter.java | 54 ++++++++++++ .../handler/hookpoint/SpyDispatcherImpl.java | 21 ++++- .../hookpoint/controller/impl/DubboImpl.java | 2 + .../controller/impl/PropagatorImpl.java | 2 + .../hookpoint/controller/impl/SourceImpl.java | 2 + .../controller/impl/ValidatorImpl.java | 86 +++++++++++++++++++ .../hookpoint/graphy/GraphBuilder.java | 9 ++ .../handler/hookpoint/models/MethodEvent.java | 15 ++++ .../hookpoint/models/policy/Policy.java | 6 ++ .../models/policy/PolicyBuilder.java | 25 ++++-- .../models/policy/PolicyNodeType.java | 2 +- .../models/policy/ValidatorNode.java | 59 +++++++++++++ .../models/taint/range/TaintRanges.java | 14 ++- .../hookpoint/models/taint/tag/TaintTag.java | 1 + .../hookpoint/service/trace/DubboService.java | 2 + .../hookpoint/service/trace/FeignService.java | 2 + .../dynamic/DynamicPropagatorScanner.java | 11 ++- .../iast/core/utils/PropertyUtils.java | 8 ++ .../main/java/java/lang/dongtai/NopSpy.java | 8 ++ .../java/java/lang/dongtai/SpyDispatcher.java | 2 + 23 files changed, 325 insertions(+), 15 deletions(-) create mode 100644 dongtai-core/src/main/java/io/dongtai/iast/core/bytecode/enhance/plugin/core/adapter/ValidatorAdapter.java create mode 100644 dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/ValidatorImpl.java create mode 100644 dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/ValidatorNode.java 
diff --git a/dongtai-common/src/main/java/io/dongtai/iast/common/constants/PropertyConstant.java b/dongtai-common/src/main/java/io/dongtai/iast/common/constants/PropertyConstant.java index b7e54b30a..69007e2c7 100644 --- a/dongtai-common/src/main/java/io/dongtai/iast/common/constants/PropertyConstant.java +++ b/dongtai-common/src/main/java/io/dongtai/iast/common/constants/PropertyConstant.java @@ -32,5 +32,5 @@ public class PropertyConstant { public static final String PROPERTY_POLICY_PATH = "dongtai.policy.path"; public static final String PROPERTY_UUID_PATH = "dongtai.uuid.path"; public static final String PROPERTY_DISABLED_PLUGINS = "dongtai.disabled.plugins"; - public static final String PROPERTY_DISABLED_FEATURES = "dongtai.disabled_features"; + public static final String PROPERTY_DISABLED_FEATURES = "dongtai.disabled.features"; } diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/bytecode/enhance/asm/AsmMethods.java b/dongtai-core/src/main/java/io/dongtai/iast/core/bytecode/enhance/asm/AsmMethods.java index 140c3541c..70893d37c 100755 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/bytecode/enhance/asm/AsmMethods.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/bytecode/enhance/asm/AsmMethods.java @@ -219,6 +219,12 @@ static Method getAsmMethod(final Class clazz, SpyDispatcher.class, "isFirstLevelSink" ); + + Method SPY$enterValidator = InnerHelper.getAsmMethod( + SpyDispatcher.class, + "enterValidator" + ); + Method SPY$enterIgnoreInternal = InnerHelper.getAsmMethod( SpyDispatcher.class, "enterIgnoreInternal" diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/bytecode/enhance/plugin/core/DispatchClassPlugin.java b/dongtai-core/src/main/java/io/dongtai/iast/core/bytecode/enhance/plugin/core/DispatchClassPlugin.java index 184573b53..dd8794487 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/bytecode/enhance/plugin/core/DispatchClassPlugin.java 
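Review bot: Changing `PROPERTY_DISABLED_FEATURES` from `dongtai.disabled_features` to `dongtai.disabled.features` silently stops honouring any deployment that still sets the old key, so features an operator had deliberately switched off come back on with no warning; the code that reads the property is not in this diff. If the old spelling ever shipped, keep it as a deprecated fallback (read the new key first, then the old one) or at least log a warning when only the old key is present, and call the rename out in the commit message.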
+++ b/dongtai-core/src/main/java/io/dongtai/iast/core/bytecode/enhance/plugin/core/DispatchClassPlugin.java @@ -54,6 +54,7 @@ public class ClassVisit extends AbstractClassVisitor { new SourceAdapter(), new PropagatorAdapter(), new SinkAdapter(), + new ValidatorAdapter(), }; } diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/bytecode/enhance/plugin/core/adapter/ValidatorAdapter.java b/dongtai-core/src/main/java/io/dongtai/iast/core/bytecode/enhance/plugin/core/adapter/ValidatorAdapter.java new file mode 100644 index 000000000..991028a88 --- /dev/null +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/bytecode/enhance/plugin/core/adapter/ValidatorAdapter.java 
@@ -0,0 +1,54 @@ +package io.dongtai.iast.core.bytecode.enhance.plugin.core.adapter; + +import io.dongtai.iast.core.bytecode.enhance.MethodContext; +import io.dongtai.iast.core.handler.hookpoint.models.policy.PolicyNode; +import io.dongtai.iast.core.handler.hookpoint.models.policy.ValidatorNode; +import org.objectweb.asm.Label; +import org.objectweb.asm.MethodVisitor; +import org.objectweb.asm.Opcodes; + +import java.util.Set; + +public class ValidatorAdapter extends MethodAdapter { + /** + * @param adapter + * @param mv + * @param context + * @param policyNodes + */ + @Override + public void onMethodEnter(MethodAdviceAdapter adapter, MethodVisitor mv, MethodContext context, Set policyNodes) { + } + + /** + * @param adapter + * @param mv + * @param opcode + * @param context + * @param policyNodes + */ + @Override + public void onMethodExit(MethodAdviceAdapter adapter, MethodVisitor mv, int opcode, MethodContext context, Set policyNodes) { + for (PolicyNode policyNode : policyNodes) { + if (!(policyNode instanceof ValidatorNode)) { + continue; + } + + Label elseLabel = new Label(); + Label endLabel = new Label(); + + isEnterScope(adapter); + mv.visitJumpInsn(Opcodes.IFEQ, elseLabel); + + adapter.trackMethod(opcode, policyNode, true); + + adapter.mark(elseLabel); + adapter.mark(endLabel); + } + } + + private void isEnterScope(MethodAdviceAdapter adapter) { + adapter.invokeStatic(ASM_TYPE_SPY_HANDLER, SPY_HANDLER$getDispatcher); + adapter.invokeInterface(ASM_TYPE_SPY_DISPATCHER, SPY$enterValidator); + } +} diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/SpyDispatcherImpl.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/SpyDispatcherImpl.java index 081c97336..40877056a 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/SpyDispatcherImpl.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/SpyDispatcherImpl.java 
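Review bot: `isEnterScope` in the new ValidatorAdapter is misnamed — it enters no scope, it only emits the `SpyDispatcher.enterValidator()` call whose boolean result the following `IFEQ` uses to skip `trackMethod` — and `endLabel` is marked immediately after `elseLabel` with nothing emitted between them, so it is dead. A name such as `emitEnterValidatorCheck` and dropping `endLabel` would make the generated bytecode shape obvious. The Javadoc on both overrides is a list of bare `@param` tags with no text, and the empty `onMethodEnter` has no comment; `// nothing to emit on entry: validators are only observed at method exit` would tell the next reader the empty body is intentional, and the `@param` tags should either describe the arguments or be removed.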
@@ -394,7 +394,8 @@ public void collectDubboResponse(Object result, byte status) { } if (!ScopeManager.SCOPE_TRACKER.getScope(Scope.DUBBO_REQUEST).isFirst() - || !ScopeManager.SCOPE_TRACKER.getScope(Scope.DUBBO_ENTRY).in()) { + || !ScopeManager.SCOPE_TRACKER.getScope(Scope.DUBBO_ENTRY).in() + || ScopeManager.SCOPE_TRACKER.getScope(Scope.HTTP_REQUEST).in()) { return; } @@ -558,6 +559,17 @@ public void leaveSink() { } } + /** + * mark for enter validator entry point + */ + @Override + public boolean enterValidator() { + if (!EngineManager.isEngineRunning()) { + return false; + } + return !ScopeManager.SCOPE_TRACKER.inAgent() && ScopeManager.SCOPE_TRACKER.inEnterEntry(); + } + /** * Determines whether it is a layer 1 Sink entry * @@ -674,6 +686,9 @@ public boolean collectMethod(Object instance, Object[] parameters, Object retObj } else if ((policyNode instanceof SinkNode)) { SinkImpl.solveSink(event, (SinkNode) policyNode); return true; + } else if ((policyNode instanceof ValidatorNode)) { + ValidatorImpl.solveValidator(event,(ValidatorNode)policyNode, INVOKE_ID_SEQUENCER); + return true; } return false; @@ -731,7 +746,7 @@ public boolean traceDubboInvoke(Object instance, String url, Object invocation, @Override public boolean isSkipCollectDubbo(Object invocation) { if (BlackUrlBypass.isBlackUrl()) { - Method setAttachmentMethod = null; + Method setAttachmentMethod; try { setAttachmentMethod = invocation.getClass().getMethod("setAttachment", String.class, String.class); setAttachmentMethod.setAccessible(true); @@ -746,7 +761,7 @@ public boolean isSkipCollectDubbo(Object invocation) { @Override public boolean isSkipCollectFeign(Object instance) { if (BlackUrlBypass.isBlackUrl()) { - Field metadataField = null; + Field metadataField; try { metadataField = instance.getClass().getDeclaredField("metadata"); metadataField.setAccessible(true); 
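Review bot: The added `|| ScopeManager.SCOPE_TRACKER.getScope(Scope.HTTP_REQUEST).in()` guard in `collectDubboResponse` is unrelated to the validator feature this commit adds and carries no explanation of why a Dubbo response observed inside an HTTP request is now skipped; the method begins outside the hunk. A why-comment on the condition, e.g. `// nested inside an HTTP request: leave collection to the HTTP entry` if that is the reason, or a separate commit, would make the change reviewable.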
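Review bot: The Javadoc on the new `enterValidator()` says "mark for enter validator entry point", but the method marks nothing — it is a pure predicate combining `EngineManager.isEngineRunning()`, `!inAgent()` and `inEnterEntry()` — and there is no `leaveValidator` counterpart to the `leaveSink` shown just above it, so the generated code in ValidatorAdapter can only use it as a gate. Suggested Javadoc: `/** Returns whether the validator hook point being exited should be tracked: engine running, not inside agent code, and inside a request entry. No scope is entered. */`.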
diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/DubboImpl.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/DubboImpl.java index b6b6496c7..8c512c239 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/DubboImpl.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/DubboImpl.java @@ -8,6 +8,7 @@ import io.dongtai.iast.core.handler.context.ContextManager; import io.dongtai.iast.core.handler.hookpoint.IastClassLoader; import io.dongtai.iast.core.handler.hookpoint.models.MethodEvent; +import io.dongtai.iast.core.handler.hookpoint.models.policy.PolicyNodeType; import io.dongtai.iast.core.handler.hookpoint.models.policy.SourceNode; import io.dongtai.iast.core.handler.hookpoint.models.policy.TaintPosition; import io.dongtai.iast.core.handler.hookpoint.models.taint.range.TaintRange; @@ -178,6 +179,7 @@ public static void collectDubboRequestSource(Object handler, Object invocation, int invokeId = invokeIdSequencer.getAndIncrement(); event.setInvokeId(invokeId); + event.setPolicyType(PolicyNodeType.SOURCE.getName()); event.source = true; event.setCallStacks(StackUtils.createCallStack(4)); diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/PropagatorImpl.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/PropagatorImpl.java index 33168fe7c..0abf9e8c5 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/PropagatorImpl.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/PropagatorImpl.java 
@@ -2,6 +2,7 @@ import io.dongtai.iast.core.EngineManager; import io.dongtai.iast.core.handler.hookpoint.models.MethodEvent; +import io.dongtai.iast.core.handler.hookpoint.models.policy.PolicyNodeType; import io.dongtai.iast.core.handler.hookpoint.models.policy.PropagatorNode; import io.dongtai.iast.core.handler.hookpoint.models.policy.TaintPosition; import io.dongtai.iast.core.handler.hookpoint.models.taint.range.*; @@ -63,6 +64,7 @@ private static void addPropagator(PropagatorNode propagatorNode, MethodEvent eve event.setCallStacks(StackUtils.createCallStack(6)); int invokeId = invokeIdSequencer.getAndIncrement(); event.setInvokeId(invokeId); + event.setPolicyType(PolicyNodeType.PROPAGATOR.getName()); EngineManager.TRACK_MAP.get().put(invokeId, event); } diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/SourceImpl.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/SourceImpl.java index 60a169aaf..837298265 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/SourceImpl.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/SourceImpl.java @@ -2,6 +2,7 @@ import io.dongtai.iast.core.EngineManager; import io.dongtai.iast.core.handler.hookpoint.models.MethodEvent; +import io.dongtai.iast.core.handler.hookpoint.models.policy.PolicyNodeType; import io.dongtai.iast.core.handler.hookpoint.models.policy.SourceNode; import io.dongtai.iast.core.handler.hookpoint.models.policy.TaintPosition; import io.dongtai.iast.core.handler.hookpoint.models.taint.range.TaintRangesBuilder; @@ -37,6 +38,7 @@ public static void solveSource(MethodEvent event, SourceNode sourceNode, AtomicI int invokeId = invokeIdSequencer.getAndIncrement(); event.setInvokeId(invokeId); + event.setPolicyType(PolicyNodeType.SOURCE.getName()); boolean valid = trackTarget(event, sourceNode); if (!valid) { 
diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/ValidatorImpl.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/ValidatorImpl.java new file mode 100644 index 000000000..c1b045bc7 --- /dev/null +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/ValidatorImpl.java 
@@ -0,0 +1,86 @@ +package io.dongtai.iast.core.handler.hookpoint.controller.impl; + +import io.dongtai.iast.core.EngineManager; +import io.dongtai.iast.core.handler.hookpoint.models.MethodEvent; +import io.dongtai.iast.core.handler.hookpoint.models.policy.PolicyNodeType; +import io.dongtai.iast.core.handler.hookpoint.models.policy.TaintPosition; +import io.dongtai.iast.core.handler.hookpoint.models.policy.ValidatorNode; +import io.dongtai.iast.core.handler.hookpoint.models.taint.range.TaintRange; +import io.dongtai.iast.core.handler.hookpoint.models.taint.range.TaintRanges; +import io.dongtai.iast.core.handler.hookpoint.models.taint.range.TaintRangesBuilder; +import io.dongtai.iast.core.utils.StackUtils; +import io.dongtai.iast.core.utils.TaintPoolUtils; + +import java.util.Set; +import java.util.concurrent.atomic.AtomicInteger; + +import static io.dongtai.iast.core.utils.TaintPoolUtils.getStringHash; + +public class ValidatorImpl { + + /** + * 处理 Validator 点的事件 + * + * @param event Validator 点事件 + */ + public static void solveValidator(MethodEvent event, ValidatorNode validatorNode, AtomicInteger invokeIdSequencer) { + if (EngineManager.TAINT_HASH_CODES.isEmpty()) { + return; + } + Set sources = validatorNode.getSources(); + if (sources.isEmpty()) { + return; + } + + for (TaintPosition position : sources) { + Long hash = null; + Integer len = null; + if (position.isObject()) { + if (TaintPoolUtils.isNotEmpty(event.objectInstance) + && TaintPoolUtils.isAllowTaintType(event.objectInstance) + && TaintPoolUtils.poolContains(event.objectInstance, event)) { + hash = getStringHash(event.objectInstance); + len = TaintRangesBuilder.getLength(event.objectInstance); + } + } else if (position.isParameter()) { + int parameterIndex = position.getParameterIndex(); + if (parameterIndex >= event.parameterInstances.length) { + continue; + } + Object parameter = event.parameterInstances[parameterIndex]; + if (TaintPoolUtils.isNotEmpty(parameter) + && 
TaintPoolUtils.isAllowTaintType(parameter) + && TaintPoolUtils.poolContains(parameter, event)) { + hash = getStringHash(parameter); + len = TaintRangesBuilder.getLength(parameter); + } + } + + if (null != len && null != hash){ + TaintRanges tr = new TaintRanges(new TaintRange("validated", 0, len)); + if (validatorNode.hasTags()) { + String[] tags = validatorNode.getTags(); + for (String tag : tags) { + tr.add(new TaintRange(tag, 0, len)); + } + } + event.sourceRanges.add(new MethodEvent.MethodEventTargetRange(hash, tr)); + TaintRanges taintRanges = EngineManager.TAINT_RANGES_POOL.get().get(hash); + if (null == taintRanges){ + EngineManager.TAINT_RANGES_POOL.add(hash, tr); + }else { + taintRanges.addAll(tr); + } + } + } + + event.source = false; + event.setCallStacks(StackUtils.createCallStack(4)); + + int invokeId = invokeIdSequencer.getAndIncrement(); + event.setInvokeId(invokeId); + event.setPolicyType(PolicyNodeType.VALIDATOR.getName()); + EngineManager.TRACK_MAP.addTrackMethod(invokeId, event); + } + +} diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/graphy/GraphBuilder.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/graphy/GraphBuilder.java index 7d64f461c..391d74b15 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/graphy/GraphBuilder.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/graphy/GraphBuilder.java @@ -110,6 +110,7 @@ public static JSONObject toJson(MethodEvent event) { List targetPositions = new ArrayList(); value.put("invokeId", event.getInvokeId()); + value.put("policyType", event.getPolicyType()); value.put("source", event.isSource()); value.put("originClassName", event.getOriginClassName()); value.put("className", event.getMatchedClassName()); 
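Review bot: `EngineManager.TAINT_RANGES_POOL.add(hash, tr)` stores the very `TaintRanges` instance that was just wrapped into `event.sourceRanges`, so any later `addAll` on the pool entry for that hash also rewrites what this event reports as its source ranges; `TaintRanges.clone()` exists (see the TaintRanges hunk) and `EngineManager.TAINT_RANGES_POOL.add(hash, tr.clone());` would decouple the two. The Javadoc is in Chinese and documents only `event`; it should say in English that the method marks each tainted source position of the event as VALIDATED over its full length in the taint-range pool, records those ranges on the event and registers the event in `TRACK_MAP`, with `@param` entries for `validatorNode` and `invokeIdSequencer`. It is also worth one Javadoc sentence that the VALIDATED range is added alongside the existing taint ranges rather than replacing them, so the data stays tainted and only a sink-side tag check can honour the validation — otherwise readers may assume validation clears taint.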
@@ -167,6 +168,14 @@ public static JSONObject toJson(MethodEvent event) { } } + if (event.sourceRanges.size() > 0) { + JSONArray tr = new JSONArray(); + value.put("sourceRange", tr); + for (MethodEvent.MethodEventTargetRange range : event.sourceRanges) { + tr.add(range.toJson()); + } + } + if (event.sourceTypes != null && event.sourceTypes.size() > 0) { JSONArray st = new JSONArray(); value.put("sourceType", st); diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/MethodEvent.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/MethodEvent.java index 7a3eb43e0..eb8009aab 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/MethodEvent.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/MethodEvent.java @@ -24,6 +24,11 @@ public class MethodEvent { */ private int invokeId; + /** + * policy type + */ + private String policyType; + /** * is source policy node */ @@ -88,6 +93,8 @@ public class MethodEvent { public List targetRanges = new ArrayList(); + public List sourceRanges = new ArrayList(); + public List sourceTypes; private StackTraceElement callStack; @@ -172,6 +179,14 @@ public void setInvokeId(int invokeId) { this.invokeId = invokeId; } + public String getPolicyType() { + return policyType; + } + + public void setPolicyType(String policyType) { + this.policyType = policyType; + } + public boolean isSource() { return source; } diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/Policy.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/Policy.java index a6a753d0e..ffadfc5fa 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/Policy.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/Policy.java 
@@ -8,6 +8,7 @@ public class Policy { private final List sources = new ArrayList(); private final List propagators = new ArrayList(); private final List sinks = new ArrayList(); + private final List validators = new ArrayList(); private final Map policyNodesMap = new HashMap(); private final Set classHooks = new HashSet(); private final Set ancestorClassHooks = new HashSet(); @@ -43,6 +44,11 @@ public void addSink(SinkNode sink) { addPolicyNode(sink); } + public void addValidator(ValidatorNode validator) { + this.validators.add(validator); + addPolicyNode(validator); + } + public PolicyNode getPolicyNode(String policyKey) { return this.policyNodesMap.get(policyKey); } diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/PolicyBuilder.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/PolicyBuilder.java index 6d0f1f7df..ac810cd1a 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/PolicyBuilder.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/PolicyBuilder.java @@ -71,6 +71,7 @@ public static Policy build(JSONArray policyConfig) throws PolicyException { buildSource(policy, nodeType, node); buildPropagator(policy, nodeType, node); buildSink(policy, nodeType, node); + buildValidator(policy, nodeType, node); } catch (PolicyException e) { DongTaiLog.warn(ErrorCode.get("POLICY_CONFIG_INVALID"), e); } 
@@ -132,6 +133,21 @@ public static void buildSink(Policy policy, PolicyNodeType type, JSONObject node policy.addSink(sinkNode); } + public static void buildValidator(Policy policy, PolicyNodeType type, JSONObject node) throws PolicyException { + if (!PolicyNodeType.VALIDATOR.equals(type)) { + return; + } + + Set sources = parseSource(node, type); + MethodMatcher methodMatcher = buildMethodMatcher(node); + ValidatorNode validatorNode = new ValidatorNode(sources, methodMatcher); + setInheritable(node, validatorNode); + List tags = parseTags(node, validatorNode); + validatorNode.setTags(tags.get(0)); + validatorNode.setUntags(tags.get(1)); + policy.addValidator(validatorNode); + } + private static PolicyNodeType parseNodeType(JSONObject node) throws PolicyException { try { int type = node.getInt(KEY_TYPE); @@ -149,11 +165,11 @@ private static Set parseSource(JSONObject node, PolicyNodeType ty try { return TaintPosition.parse(node.getString(KEY_SOURCE)); } catch (JSONException e) { - if (!PolicyNodeType.SOURCE.equals(type) && !PolicyNodeType.FILTER.equals(type)) { + if (!PolicyNodeType.SOURCE.equals(type)) { throw new PolicyException(PolicyException.ERR_POLICY_NODE_SOURCE_INVALID + ": " + node.toString(), e); } } catch (TaintPositionException e) { - if (!PolicyNodeType.SOURCE.equals(type) && !PolicyNodeType.FILTER.equals(type)) { + if (!PolicyNodeType.SOURCE.equals(type)) { throw new PolicyException(PolicyException.ERR_POLICY_NODE_SOURCE_INVALID + ": " + node.toString(), e); } } 
@@ -164,15 +180,10 @@ private static Set parseTarget(JSONObject node, PolicyNodeType ty try { return TaintPosition.parse(node.getString(KEY_TARGET)); } catch (JSONException e) { - if (!PolicyNodeType.FILTER.equals(type)) { throw new PolicyException(PolicyException.ERR_POLICY_NODE_TARGET_INVALID + ": " + node.toString(), e); - } } catch (TaintPositionException e) { - if (!PolicyNodeType.FILTER.equals(type)) { throw new PolicyException(PolicyException.ERR_POLICY_NODE_TARGET_INVALID + ": " + node.toString(), e); - } } - return new HashSet(); } private static void setInheritable(JSONObject node, PolicyNode policyNode) throws PolicyException { diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/PolicyNodeType.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/PolicyNodeType.java index 41f23c503..f6aee387c 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/PolicyNodeType.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/PolicyNodeType.java @@ -3,7 +3,7 @@ public enum PolicyNodeType { SOURCE(2, "source"), PROPAGATOR(1, "propagator"), - FILTER(3, "filter"), + VALIDATOR(3, "validator"), SINK(4, "sink"), ; diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/ValidatorNode.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/ValidatorNode.java new file mode 100644 index 000000000..ee0629801 --- /dev/null +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/ValidatorNode.java 
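Review bot: `VALIDATOR(3, "validator")` reuses the numeric id 3 that `FILTER` had, so a policy file written for the previous version with type-3 filter nodes now parses as validator nodes, and because the validator handler tags matching data as VALIDATED, a stale policy could potentially suppress sink reports instead of failing loudly. If filter nodes are still produced anywhere, a fresh id (with `get()` returning null for 3, the way the updated PolicyNodeTypeTest already treats unknown ids) or an explicit rejection in `PolicyBuilder` would be safer; at minimum note the repurposing in a comment, `// id 3 was FILTER before the validator feature; filter policies are no longer accepted`. The `parseTarget` hunk above now always throws on a missing target, which is consistent since `buildValidator` never calls it.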
@@ -0,0 +1,59 @@ +package io.dongtai.iast.core.handler.hookpoint.models.policy; + +import io.dongtai.iast.core.handler.hookpoint.models.taint.range.TaintCommandRunner; + +import java.util.Set; + +public class ValidatorNode extends PolicyNode { + + private Set sources; + private TaintCommandRunner commandRunner; + private String[] tags; + private String[] untags; + + public ValidatorNode(Set sources, MethodMatcher methodMatcher) { + super(methodMatcher); + this.sources = sources; + } + + @Override + public PolicyNodeType getType() { + return PolicyNodeType.VALIDATOR; + } + + public Set getSources() { + return this.sources; + } + + public void setSources(Set sources) { + this.sources = sources; + } + + public String[] getTags() { + return this.tags; + } + + public boolean hasTags() { + return this.tags != null && this.tags.length > 0; + } + + public void setTags(String[] tags) { + this.tags = tags; + } + + public String[] getUntags() { + return this.untags; + } + + public void setUntags(String[] untags) { + this.untags = untags; + } + + public TaintCommandRunner getCommandRunner() { + return this.commandRunner; + } + + public void setCommandRunner(TaintCommandRunner r) { + this.commandRunner = r; + } +} diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/taint/range/TaintRanges.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/taint/range/TaintRanges.java index 287998967..1f1fcc1e8 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/taint/range/TaintRanges.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/taint/range/TaintRanges.java @@ -17,7 +17,7 @@ public TaintRanges(ArrayList taintRanges) { this.taintRanges = taintRanges; } - public TaintRanges(TaintRange ...taintRanges) { + public TaintRanges(TaintRange... taintRanges) { this.taintRanges = new ArrayList(Arrays.asList(taintRanges)); } 
@@ -87,6 +87,18 @@ public boolean hasDisallowedTaintTags(TaintTag[] tags) { return false; } + public boolean hasValidatedTags(TaintTag[] tags) { + if (tags == null) { + return false; + } + for (TaintTag tag : tags) { + if (tag.equals(TaintTag.VALIDATED.getKey())) { + return true; + } + } + return false; + } + public TaintRanges clone() { TaintRanges taintRanges = new TaintRanges(); int size = this.taintRanges.size(); diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/taint/tag/TaintTag.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/taint/tag/TaintTag.java index 729e88b49..8ede07e7a 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/taint/tag/TaintTag.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/taint/tag/TaintTag.java @@ -34,6 +34,7 @@ public enum TaintTag { VBSCRIPT_ENCODED("vbscript-encoded"), HTTP_TOKEN_LIMITED_CHARS("http-token-limited-chars"), NUMERIC_LIMITED_CHARS("numeric-limited-chars"), + VALIDATED("validated"), ; private final String key; diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/service/trace/DubboService.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/service/trace/DubboService.java index b791c8e45..83e3c0657 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/service/trace/DubboService.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/service/trace/DubboService.java @@ -3,6 +3,7 @@ import io.dongtai.iast.core.EngineManager; import io.dongtai.iast.core.handler.context.ContextManager; import io.dongtai.iast.core.handler.hookpoint.models.MethodEvent; +import io.dongtai.iast.core.handler.hookpoint.models.policy.PolicyNodeType; import io.dongtai.iast.core.utils.StackUtils; import io.dongtai.iast.core.utils.TaintPoolUtils; import io.dongtai.log.DongTaiLog; 
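Review bot: `tag.equals(TaintTag.VALIDATED.getKey())` in the new `hasValidatedTags` compares a `TaintTag` enum constant with a `String`, which is never true, so the method always returns false and the `!tr.hasValidatedTags(disallowed)` check added in DynamicPropagatorScanner can never take effect. The method also never consults `this.taintRanges`; it only reports whether the caller's `tags` array contains VALIDATED, so the name promises more than the body does. If the array check is the intent, `if (tag == TaintTag.VALIDATED) {` is the minimal fix; if the question is whether this range set carries a VALIDATED range, the loop has to walk `this.taintRanges` and compare each range's tag name with `TaintTag.VALIDATED.getKey()` instead, as `hasDisallowedTaintTags` presumably does. Whichever is kept, state it in a Javadoc such as `/** Returns whether {@code tags} names the VALIDATED tag; the ranges themselves are not consulted. */`.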
@@ -44,6 +45,7 @@ public static void solveSyncInvoke(MethodEvent event, Object invocation, String event.setCallStacks(StackUtils.createCallStack(4)); int invokeId = invokeIdSequencer.getAndIncrement(); event.setInvokeId(invokeId); + event.setPolicyType(PolicyNodeType.PROPAGATOR.getName()); EngineManager.TRACK_MAP.get().put(invokeId, event); } catch (NoSuchMethodException ignore) { } catch (Throwable e) { diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/service/trace/FeignService.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/service/trace/FeignService.java index 7a377a8da..e163b66ea 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/service/trace/FeignService.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/service/trace/FeignService.java @@ -3,6 +3,7 @@ import io.dongtai.iast.core.EngineManager; import io.dongtai.iast.core.handler.context.ContextManager; import io.dongtai.iast.core.handler.hookpoint.models.MethodEvent; +import io.dongtai.iast.core.handler.hookpoint.models.policy.PolicyNodeType; import io.dongtai.iast.core.utils.StackUtils; import io.dongtai.iast.core.utils.TaintPoolUtils; import io.dongtai.log.DongTaiLog; @@ -51,6 +52,7 @@ public static void solveSyncInvoke(MethodEvent event, AtomicInteger invokeIdSequ event.setCallStacks(StackUtils.createCallStack(4)); int invokeId = invokeIdSequencer.getAndIncrement(); event.setInvokeId(invokeId); + event.setPolicyType(PolicyNodeType.PROPAGATOR.getName()); EngineManager.TRACK_MAP.get().put(invokeId, event); } catch (NoSuchFieldException ignore) { } catch (NoSuchMethodException ignore) { diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/vulscan/dynamic/DynamicPropagatorScanner.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/vulscan/dynamic/DynamicPropagatorScanner.java index 3104929a2..74d9301a0 100644 
--- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/vulscan/dynamic/DynamicPropagatorScanner.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/vulscan/dynamic/DynamicPropagatorScanner.java @@ -3,6 +3,7 @@ import io.dongtai.iast.core.EngineManager; import io.dongtai.iast.core.handler.hookpoint.SpyDispatcherImpl; import io.dongtai.iast.core.handler.hookpoint.models.MethodEvent; +import io.dongtai.iast.core.handler.hookpoint.models.policy.PolicyNodeType; import io.dongtai.iast.core.handler.hookpoint.models.policy.SinkNode; import io.dongtai.iast.core.handler.hookpoint.models.policy.TaintPosition; import io.dongtai.iast.core.handler.hookpoint.models.taint.range.TaintRanges; @@ -12,6 +13,7 @@ import io.dongtai.iast.core.handler.hookpoint.vulscan.IVulScan; import io.dongtai.iast.core.handler.hookpoint.vulscan.VulnType; import io.dongtai.iast.core.handler.hookpoint.vulscan.dynamic.xxe.XXECheck; +import io.dongtai.iast.core.utils.PropertyUtils; import io.dongtai.iast.core.utils.StackUtils; import io.dongtai.iast.core.utils.TaintPoolUtils; @@ -109,6 +111,7 @@ public void scan(MethodEvent event, SinkNode sinkNode) { event.setCallStacks(stackTraceElements); int invokeId = SpyDispatcherImpl.INVOKE_ID_SEQUENCER.getAndIncrement(); event.setInvokeId(invokeId); + event.setPolicyType(PolicyNodeType.SINK.getName()); event.setTaintPositions(sinkNode.getSources(), null); event.setStacks(stackTraceElements); @@ -175,9 +178,13 @@ private boolean sinkSourceHitTaintPool(MethodEvent event, SinkNode sinkNode) { if (tr == null || tr.isEmpty()) { continue; } + + boolean commonCondition = tr.hasRequiredTaintTags(required) && !tr.hasDisallowedTaintTags(disallowed); - if (tr.hasRequiredTaintTags(required) && !tr.hasDisallowedTaintTags(disallowed)) { - tagsHit = true; + if (PropertyUtils.isDisabledValidated()) { + tagsHit = commonCondition && !tr.hasValidatedTags(disallowed); + } else { + tagsHit = commonCondition; } } if (!tagsHit) { 
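Review bot: `tagsHit` is now assigned on every iteration, whereas the removed code only ever set it to true, so a sink whose last inspected taint range fails the tag conditions clears a hit recorded by an earlier range and the sink is silently not reported; the enclosing loop and `sinkSourceHitTaintPool` begin outside the hunk. Keeping the accumulate-only shape preserves the old behaviour while retaining the new condition: `if (commonCondition && (!PropertyUtils.isDisabledValidated() || !tr.hasValidatedTags(disallowed))) {` / `tagsHit = true;` / `}`. The branch direction also reads inverted — the extra VALIDATED check is applied only when the "validated" feature is disabled — and deserves either a why-comment or a second look. As written in the TaintRanges hunk, `hasValidatedTags` always returns false, so the condition currently has no observable effect either way.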
diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/PropertyUtils.java b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/PropertyUtils.java index 6ee3c2e7a..a258d0e06 100644 --- a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/PropertyUtils.java +++ b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/PropertyUtils.java @@ -223,4 +223,12 @@ public static Boolean isDisabledCustomModel() { } return isDisabledCustomModel; } + + public static Boolean isDisabledValidated() { + if (null == isDisabledCustomModel){ + List disabledFeatures = getDisabledFeatures(); + isDisabledCustomModel = disabledFeatures.contains("validated"); + } + return isDisabledCustomModel; + } } diff --git a/dongtai-spy/src/main/java/java/lang/dongtai/NopSpy.java b/dongtai-spy/src/main/java/java/lang/dongtai/NopSpy.java index 8866b53cb..997374db4 100644 --- a/dongtai-spy/src/main/java/java/lang/dongtai/NopSpy.java +++ b/dongtai-spy/src/main/java/java/lang/dongtai/NopSpy.java @@ -187,6 +187,14 @@ public void leaveSink() { } + /** + * + */ + @Override + public boolean enterValidator() { + return false; + } + /** * Determines whether it is a layer 1 Sink entry * diff --git a/dongtai-spy/src/main/java/java/lang/dongtai/SpyDispatcher.java b/dongtai-spy/src/main/java/java/lang/dongtai/SpyDispatcher.java index 1eb0746ae..b02fbe0ed 100644 --- a/dongtai-spy/src/main/java/java/lang/dongtai/SpyDispatcher.java +++ b/dongtai-spy/src/main/java/java/lang/dongtai/SpyDispatcher.java @@ -123,6 +123,8 @@ void collectDubboRequestSource(Object handler, Object invocation, String methodN */ void leaveSink(); + boolean enterValidator(); + /** * Determines whether it is a layer 1 Sink entry * From 710cfb52f39295832f27a7b8ff427cf3efdb8d85 Mon Sep 17 00:00:00 2001 
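Review bot: `isDisabledValidated()` caches its result in `isDisabledCustomModel`, the same field that `isDisabledCustomModel()` directly above it caches into, so whichever of the two is called first decides the answer of both for the life of the process — once `isDisabledCustomModel()` has run, the "validated" feature can never be reported as disabled, and vice versa. Give it its own cache following the file's convention: `private static Boolean isDisabledValidated;` beside the existing field (outside the hunk), then `if (null == isDisabledValidated) { isDisabledValidated = getDisabledFeatures().contains("validated"); }` / `return isDisabledValidated;`. A Javadoc line such as `/** Whether "validated" is listed in the disabled-features property; the lookup is cached. */` would also help, since the method is now called from the sink-scan loop.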
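Review bot: The new `enterValidator()` in NopSpy carries an empty Javadoc block (`/** */`), and the matching interface method added to SpyDispatcher in the next hunk has no Javadoc at all while its neighbours (`leaveSink`, "Determines whether it is a layer 1 Sink entry") are documented. Suggested text: `/** Returns whether a validator hook point should be tracked; the no-op spy always answers false. */` on NopSpy and `/** Returns whether the validator hook point currently being exited should be tracked. */` on the interface.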
From: =?UTF-8?q?=E2=80=98niuerzhuang=E2=80=99?= <‘niuerzhuang@huoxian.cn’>
Date: Tue, 1 Aug 2023 10:47:55 +0800
Subject: [PATCH 2/8] feature: add validator handler.
---
 .../core/handler/hookpoint/controller/impl/ValidatorImpl.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/ValidatorImpl.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/ValidatorImpl.java
index c1b045bc7..7b55a78a4 100644
--- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/ValidatorImpl.java
+++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/ValidatorImpl.java
@@ -8,6 +8,7 @@
 import io.dongtai.iast.core.handler.hookpoint.models.taint.range.TaintRange;
 import io.dongtai.iast.core.handler.hookpoint.models.taint.range.TaintRanges;
 import io.dongtai.iast.core.handler.hookpoint.models.taint.range.TaintRangesBuilder;
+import io.dongtai.iast.core.handler.hookpoint.models.taint.tag.TaintTag;
 import io.dongtai.iast.core.utils.StackUtils;
 import io.dongtai.iast.core.utils.TaintPoolUtils;
@@ -57,7 +58,7 @@ public static void solveValidator(MethodEvent event, ValidatorNode validatorNode
 }
 if (null != len && null != hash){
- TaintRanges tr = new TaintRanges(new TaintRange("validated", 0, len));
+ TaintRanges tr = new TaintRanges(new TaintRange(TaintTag.VALIDATED.getKey(), 0, len));
 if (validatorNode.hasTags()) {
 String[] tags = validatorNode.getTags();
 for (String tag : tags) {
From 87a3cab9902a09f1d74451bd361b2579e526fd94 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=98niuerzhuang=E2=80=99?= <‘niuerzhuang@huoxian.cn’>
Date: Tue, 1 Aug 2023 10:53:19 +0800
Subject: [PATCH 3/8] feature: add validator handler.
---
 .../handler/hookpoint/models/policy/PolicyNodeTypeTest.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dongtai-core/src/test/java/io/dongtai/iast/core/handler/hookpoint/models/policy/PolicyNodeTypeTest.java b/dongtai-core/src/test/java/io/dongtai/iast/core/handler/hookpoint/models/policy/PolicyNodeTypeTest.java
index fd9316783..b4c4e1a4b 100644
--- a/dongtai-core/src/test/java/io/dongtai/iast/core/handler/hookpoint/models/policy/PolicyNodeTypeTest.java
+++ b/dongtai-core/src/test/java/io/dongtai/iast/core/handler/hookpoint/models/policy/PolicyNodeTypeTest.java
@@ -14,7 +14,7 @@ public void testGet() {
 put(0, null);
 put(1, PolicyNodeType.PROPAGATOR);
 put(2, PolicyNodeType.SOURCE);
- put(3, PolicyNodeType.FILTER);
+ put(3, PolicyNodeType.VALIDATOR);
 put(4, PolicyNodeType.SINK);
 put(5, null);
 }};
From 6f23a4443c3e04b42bc6df6da22102f0a59586fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=98niuerzhuang=E2=80=99?= <‘niuerzhuang@huoxian.cn’>
Date: Tue, 1 Aug 2023 11:21:22 +0800
Subject: [PATCH 4/8] feature: add validator handler.
---
 .../controller/impl/ValidatorImpl.java | 4 ++--
 .../hookpoint/models/policy/PolicyBuilder.java | 3 +--
 .../hookpoint/models/policy/ValidatorNode.java | 18 ------------------
 3 files changed, 3 insertions(+), 22 deletions(-)
diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/ValidatorImpl.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/ValidatorImpl.java
index 7b55a78a4..feb35f6a3 100644
--- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/ValidatorImpl.java
+++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/ValidatorImpl.java
@@ -55,7 +55,7 @@ public static void solveValidator(MethodEvent event, ValidatorNode validatorNode
 hash = getStringHash(parameter);
 len = TaintRangesBuilder.getLength(parameter);
 }
- }
+ } else return;
 if (null != len && null != hash){
 TaintRanges tr = new TaintRanges(new TaintRange(TaintTag.VALIDATED.getKey(), 0, len));
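Review bot: `} else return;` in the `@@ -55,7 +55,7 @@` hunk drops the braces the rest of solveValidator uses, and a brace-less `else return;` on the closing line is easy to misread as part of the inner `if` rather than as leaving the method. The same form appears as `}else return;` in this file's `@@ -72,7 +72,7 @@` hunk. Write both as `} else {` / `    return;` / `}`. The early return also means a validator whose configured position is neither object nor parameter skips the event bookkeeping that follows; if that is intended, say so in a one-line comment. solveValidator begins and ends outside the hunk.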
@@ -72,7 +72,7 @@ public static void solveValidator(MethodEvent event, ValidatorNode validatorNode
 }else {
 taintRanges.addAll(tr);
 }
- }
+ }else return;
 }
 event.source = false;
diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/PolicyBuilder.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/PolicyBuilder.java
index ac810cd1a..dec181946 100644
--- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/PolicyBuilder.java
+++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/PolicyBuilder.java
@@ -144,7 +144,6 @@ public static void buildValidator(Policy policy, PolicyNodeType type, JSONObject
 setInheritable(node, validatorNode);
 List tags = parseTags(node, validatorNode);
 validatorNode.setTags(tags.get(0));
- validatorNode.setUntags(tags.get(1));
 policy.addValidator(validatorNode);
 }
@@ -273,7 +272,7 @@ private static List parseTags(JSONObject node, PolicyNode policyNode)
 }
 try {
- if (node.has(KEY_TAGS)) {
+ if (node.has(KEY_UNTAGS)) {
 JSONArray uts = node.getJSONArray(KEY_UNTAGS);
 for (Object o : uts) {
 String ut = (String) o;
diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/ValidatorNode.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/ValidatorNode.java
index ee0629801..1527576a2 100644
--- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/ValidatorNode.java
+++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/policy/ValidatorNode.java
@@ -7,9 +7,7 @@ public class ValidatorNode extends PolicyNode {
 private Set sources;
- private TaintCommandRunner commandRunner;
 private String[] tags;
- private String[] untags;
 public ValidatorNode(Set sources, MethodMatcher methodMatcher) {
 super(methodMatcher);
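Review bot: buildValidator still calls `parseTags(node, validatorNode)` and now discards `tags.get(1)`, so the untags that the second hunk's `node.has(KEY_UNTAGS)` fix finally parses correctly are computed for validators and thrown away, and with `ValidatorNode.setUntags` removed in this same patch a policy that lists untags on a validator loses them silently. If validators are meant to apply tags only, say so at the call site: `// validators apply tags only; the untags parseTags returns are intentionally ignored`. buildValidator's signature is outside the hunk.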
@@ -40,20 +38,4 @@ public boolean hasTags() {
 public void setTags(String[] tags) {
 this.tags = tags;
 }
-
- public String[] getUntags() {
- return this.untags;
- }
-
- public void setUntags(String[] untags) {
- this.untags = untags;
- }
-
- public TaintCommandRunner getCommandRunner() {
- return this.commandRunner;
- }
-
- public void setCommandRunner(TaintCommandRunner r) {
- this.commandRunner = r;
- }
 }
From 131fefac3346c856a0b08646a4ef99f5aa85e195 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=98niuerzhuang=E2=80=99?= <‘niuerzhuang@huoxian.cn’>
Date: Mon, 7 Aug 2023 16:42:35 +0800
Subject: [PATCH 5/8] feature: add validator handler.
---
 .../java/io/dongtai/iast/common/config/ConfigBuilder.java | 3 +++
 .../main/java/io/dongtai/iast/common/config/ConfigKey.java | 2 ++
 .../handler/hookpoint/controller/impl/ValidatorImpl.java | 2 ++
 .../vulscan/dynamic/DynamicPropagatorScanner.java | 2 +-
 .../java/io/dongtai/iast/core/utils/PropertyUtils.java | 7 ++++---
 5 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/dongtai-common/src/main/java/io/dongtai/iast/common/config/ConfigBuilder.java b/dongtai-common/src/main/java/io/dongtai/iast/common/config/ConfigBuilder.java
index 39a3ff44a..73a81933d 100644
--- a/dongtai-common/src/main/java/io/dongtai/iast/common/config/ConfigBuilder.java
+++ b/dongtai-common/src/main/java/io/dongtai/iast/common/config/ConfigBuilder.java
@@ -24,6 +24,8 @@ private ConfigBuilder() {
 Config.create(ConfigKey.ENABLE_LOGGER));
 this.configMap.put(ConfigKey.LOGGER_LEVEL,
 Config.create(ConfigKey.LOGGER_LEVEL));
+ this.configMap.put(ConfigKey.VALIDATED_SINK,
+ Config.create(ConfigKey.VALIDATED_SINK).setDefaultValue(false));
 }
 public static ConfigBuilder getInstance() {
@@ -62,6 +64,7 @@ public void update(JSONObject config) {
 updateString(config, ConfigKey.JsonKey.JSON_VERSION_HEADER_KEY);
 updateBool(config, ConfigKey.JsonKey.JSON_ENABLE_LOGGER);
 updateString(config, ConfigKey.JsonKey.JSON_LOGGER_LEVEL);
+ updateBool(config, ConfigKey.JsonKey.JSON_VALIDATED_SINK);
 updateRequestDenyList(config);
 }
diff --git a/dongtai-common/src/main/java/io/dongtai/iast/common/config/ConfigKey.java b/dongtai-common/src/main/java/io/dongtai/iast/common/config/ConfigKey.java
index 809f98778..92ffa4626 100644
--- a/dongtai-common/src/main/java/io/dongtai/iast/common/config/ConfigKey.java
+++ b/dongtai-common/src/main/java/io/dongtai/iast/common/config/ConfigKey.java
@@ -8,6 +8,7 @@ public enum ConfigKey {
 VERSION_HEADER_KEY,
 ENABLE_LOGGER,
 LOGGER_LEVEL,
+ VALIDATED_SINK,
 ;
 public enum JsonKey {
@@ -18,6 +19,7 @@ public enum JsonKey {
 JSON_VERSION_HEADER_KEY("version_header_name", VERSION_HEADER_KEY),
 JSON_ENABLE_LOGGER("enable_log", ENABLE_LOGGER),
 JSON_LOGGER_LEVEL("log_level", LOGGER_LEVEL),
+ JSON_VALIDATED_SINK("report_validated_sink", LOGGER_LEVEL),
 ;
 private final String key;
diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/ValidatorImpl.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/ValidatorImpl.java
index feb35f6a3..d42d56ca6 100644
--- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/ValidatorImpl.java
+++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/ValidatorImpl.java
@@ -42,6 +42,7 @@ public static void solveValidator(MethodEvent event, ValidatorNode validatorNode
 && TaintPoolUtils.poolContains(event.objectInstance, event)) {
 hash = getStringHash(event.objectInstance);
 len = TaintRangesBuilder.getLength(event.objectInstance);
+ event.setObjectValue(event.objectInstance, true);
 }
 } else if (position.isParameter()) {
 int parameterIndex = position.getParameterIndex();
@@ -54,6 +55,7 @@ public static void solveValidator(MethodEvent event, ValidatorNode validatorNode
 && TaintPoolUtils.poolContains(parameter, event)) {
 hash = getStringHash(parameter);
 len = TaintRangesBuilder.getLength(parameter);
+ event.addParameterValue(parameterIndex, parameter, true);
 }
 } else return;
diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/vulscan/dynamic/DynamicPropagatorScanner.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/vulscan/dynamic/DynamicPropagatorScanner.java
index 74d9301a0..a5d19e210 100644
--- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/vulscan/dynamic/DynamicPropagatorScanner.java
+++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/vulscan/dynamic/DynamicPropagatorScanner.java
@@ -181,7 +181,7 @@ private boolean sinkSourceHitTaintPool(MethodEvent event, SinkNode sinkNode) {
 boolean commonCondition = tr.hasRequiredTaintTags(required) && !tr.hasDisallowedTaintTags(disallowed);
- if (PropertyUtils.isDisabledValidated()) {
+ if (PropertyUtils.validatedSink()) {
 tagsHit = commonCondition && !tr.hasValidatedTags(disallowed);
 } else {
 tagsHit = commonCondition;
diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/PropertyUtils.java b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/PropertyUtils.java
index a258d0e06..401aa3a6f 100644
--- a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/PropertyUtils.java
+++ b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/PropertyUtils.java
@@ -1,5 +1,7 @@
 package io.dongtai.iast.core.utils;
+import io.dongtai.iast.common.config.ConfigBuilder;
+import io.dongtai.iast.common.config.ConfigKey;
 import io.dongtai.iast.common.constants.PropertyConstant;
 import io.dongtai.log.DongTaiLog;
 import io.dongtai.log.ErrorCode;
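Review bot: The renamed condition reads inverted relative to the key it is wired to: `report_validated_sink` maps to `VALIDATED_SINK` (default `false` in ConfigBuilder), and when it is `true` this hunk excludes ranges carrying the validated tag (`tagsHit = commonCondition && !tr.hasValidatedTags(disallowed)`), so validated sinks are presumably the ones not reported, while `false` ignores the validated tag and reports everything. If the key means "treat validator-covered input as safe" the name misleads, and if it means "report sinks even when validated" the branches are swapped. A comment on the `if` stating what `true` does, e.g. `// true: drop findings whose taint was fully covered by a validator (false-negative risk if the validator policy is too broad)`, would make the intent checkable. `hasValidatedTags(disallowed)` is also handed the disallowed set, which looks unrelated to the validated tag; confirm the parameter's meaning in TaintRanges.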
@@ -224,10 +226,9 @@ public static Boolean isDisabledCustomModel() {
 return isDisabledCustomModel;
 }
- public static Boolean isDisabledValidated() {
+ public static Boolean validatedSink() {
 if (null == isDisabledCustomModel){
- List disabledFeatures = getDisabledFeatures();
- isDisabledCustomModel = disabledFeatures.contains("validated");
+ isDisabledCustomModel = ConfigBuilder.getInstance().get(ConfigKey.VALIDATED_SINK);
 }
 return isDisabledCustomModel;
 }
From fb061cdad7da9329864b1225cbb5b13fbacc1cb9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=98niuerzhuang=E2=80=99?= <‘niuerzhuang@huoxian.cn’>
Date: Mon, 7 Aug 2023 18:50:28 +0800
Subject: [PATCH 6/8] feature: add validator handler.
---
 .../java/io/dongtai/iast/core/utils/PropertyUtils.java | 9 +++------
 .../resources/com.secnium.iast.resources/blacklist.txt | 2 +-
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/PropertyUtils.java b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/PropertyUtils.java
index 401aa3a6f..f2ca1ffea 100644
--- a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/PropertyUtils.java
+++ b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/PropertyUtils.java
@@ -210,7 +210,7 @@ public static List getDisabledPlugins() {
 }
 public static List getDisabledFeatures() {
- if (null == disabledFeatureList){
+ if (null == disabledFeatureList) {
 disabledFeatureList = Optional.ofNullable(System.getProperty("dongtai.disabled.features"))
 .map(s -> Arrays.asList(s.split(",")))
 .orElse(new ArrayList<>());
@@ -219,7 +219,7 @@ public static List getDisabledFeatures() {
 }
 public static Boolean isDisabledCustomModel() {
- if (null == isDisabledCustomModel){
+ if (null == isDisabledCustomModel) {
 List disabledFeatures = getDisabledFeatures();
 isDisabledCustomModel = disabledFeatures.contains("custom-model-collection");
 }
@@ -227,9 +227,6 @@ public static Boolean isDisabledCustomModel() {
 }
 public static Boolean validatedSink() {
- if (null == isDisabledCustomModel){
- isDisabledCustomModel = ConfigBuilder.getInstance().get(ConfigKey.VALIDATED_SINK);
- }
- return isDisabledCustomModel;
+ return ConfigBuilder.getInstance().get(ConfigKey.VALIDATED_SINK);
 }
 }
diff --git a/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt b/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt
index b00d6f18c..07a86e277 100644
--- a/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt
+++ b/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt
@@ -29979,7 +29979,7 @@ org/apache/catalina/connector/CoyoteAdapter$CatalinaAfterServiceListener
 org/apache/catalina/connector/CoyoteAdapter$RecycleRequiredException
 #org/apache/catalina/connector/CoyoteOutputStream
 #org/apache/catalina/connector/CoyoteInputStream
-org/apache/catalina/connector/CoyoteReader
+#org/apache/catalina/connector/CoyoteReader
 org/apache/catalina/connector/InputBuffer
 org/apache/catalina/connector/MapperListener
 #org/apache/catalina/connector/OutputBuffer
From 6818bdd57f78ca28efcd4c3930a5ce905f5fc28d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=98niuerzhuang=E2=80=99?= <‘niuerzhuang@huoxian.cn’>
Date: Tue, 8 Aug 2023 12:13:20 +0800
Subject: [PATCH 7/8] feature: add validator handler.
---
 .../core/handler/hookpoint/controller/impl/ValidatorImpl.java | 1 +
 .../src/main/resources/com.secnium.iast.resources/blacklist.txt | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/ValidatorImpl.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/ValidatorImpl.java
index d42d56ca6..1e76b0aad 100644
--- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/ValidatorImpl.java
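Review bot: Commenting out `org/apache/catalina/connector/CoyoteReader` takes the class off the instrumentation blacklist, so the agent now transforms a Tomcat request-reader class, yet the commit message (`feature: add validator handler.`) does not say why; the same applies to `AbstractJackson2HttpMessageConverter` in patch 7. A one-line reason beside each entry, or in the commit message, would tell a later maintainer whether the class is needed as a taint source for validators. Patch 7 also writes its entry as `# org/...` with a space while every other commented entry here is `#org/...`; confirm the loader treats both as comments, otherwise that line becomes a blacklist entry for a non-existent class name.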
+++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/ValidatorImpl.java
@@ -79,6 +79,7 @@ public static void solveValidator(MethodEvent event, ValidatorNode validatorNode
 event.source = false;
 event.setCallStacks(StackUtils.createCallStack(4));
+ event.setTaintPositions(validatorNode.getSources(), null);
 int invokeId = invokeIdSequencer.getAndIncrement();
 event.setInvokeId(invokeId);
diff --git a/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt b/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt
index 07a86e277..54aaf120e 100644
--- a/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt
+++ b/dongtai-core/src/main/resources/com.secnium.iast.resources/blacklist.txt
@@ -58862,7 +58862,7 @@ org/springframework/http/converter/feed/AbstractWireFeedHttpMessageConverter
 org/springframework/http/converter/feed/AtomFeedHttpMessageConverter
 org/springframework/http/converter/feed/RssChannelHttpMessageConverter
 org/springframework/http/converter/feed/package-info
-org/springframework/http/converter/json/AbstractJackson2HttpMessageConverter
+# org/springframework/http/converter/json/AbstractJackson2HttpMessageConverter
 org/springframework/http/converter/json/Jackson2ObjectMapperBuilder
 org/springframework/http/converter/json/MappingJackson2HttpMessageConverter
 org/springframework/http/converter/json/MappingJacksonHttpMessageConverter
From 2b78daed98c6f5c67ab5db095ecfb2f9437ab327 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=98niuerzhuang=E2=80=99?= <‘niuerzhuang@huoxian.cn’>
Date: Tue, 8 Aug 2023 15:58:43 +0800
Subject: [PATCH 8/8] fix: validated sink.
---
 .../src/main/java/io/dongtai/iast/common/config/ConfigKey.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dongtai-common/src/main/java/io/dongtai/iast/common/config/ConfigKey.java b/dongtai-common/src/main/java/io/dongtai/iast/common/config/ConfigKey.java
index 92ffa4626..020261ef4 100644
--- a/dongtai-common/src/main/java/io/dongtai/iast/common/config/ConfigKey.java
+++ b/dongtai-common/src/main/java/io/dongtai/iast/common/config/ConfigKey.java
@@ -19,7 +19,7 @@ public enum JsonKey {
 JSON_VERSION_HEADER_KEY("version_header_name", VERSION_HEADER_KEY),
 JSON_ENABLE_LOGGER("enable_log", ENABLE_LOGGER),
 JSON_LOGGER_LEVEL("log_level", LOGGER_LEVEL),
- JSON_VALIDATED_SINK("report_validated_sink", LOGGER_LEVEL),
+ JSON_VALIDATED_SINK("report_validated_sink", VALIDATED_SINK),
 ;
 private final String key;