HXSecurity · Nizernizer · Nov 5, 2021 · Nov 5, 2021 · Nov 5, 2021
diff --git a/.github/workflows/code-check.yml b/.github/workflows/code-check.yml
@@ -98,7 +98,7 @@ jobs:
           mysql -uroot -pyuhjnbGYUI -h127.0.0.1 -e 'show DATABASES;'
 
           echo "start catalina and waitting 30s..."
-          export JAVA_TOOL_OPTIONS="-Dproject.create=true"
+          export JAVA_TOOL_OPTIONS="-Dproject.create=true -Dproject.version=${{ github.event_name }}-${{ github.run_number }}"
           ./bin/startup.sh 2>/dev/null
           sleep 30
 

diff --git a/iast-agent/src/main/resources/iast.properties b/iast-agent/src/main/resources/iast.properties
@@ -1,5 +1,4 @@
 iast.name=dongtai-Enterprise 1.0.6
-iast.version=1.0.6
 iast.response.name=dongtai
 iast.response.value=1.0.6
 iast.server.url=http://a28754cd66991441d8d682808caecead-626172336.cn-north-1.elb.amazonaws.com.cn:8000

diff --git a/iast-core/src/main/java/com/secnium/iast/core/PropertyUtils.java b/iast-core/src/main/java/com/secnium/iast/core/PropertyUtils.java
@@ -13,7 +13,6 @@ public class PropertyUtils {
     private static PropertyUtils instance;
     public Properties cfg = null;
     private String iastName;
-    private String iastVersion;
     private String iastResponseName;
     private String iastResponseValue;
     private String iastServerToken;
@@ -78,13 +77,6 @@ public String getIastName() {
         return iastName;
     }
 
-    public String getIastVersion() {
-        if (null == iastVersion) {
-            iastVersion = cfg.getProperty("iast.version");
-        }
-        return iastVersion;
-    }
-
     public String getIastResponseFlagName() {
         if (null == iastResponseName) {
             iastResponseName = cfg.getProperty("iast.response.name");
@@ -109,7 +101,6 @@ public String getIastServerToken() {
     @Override
     public String toString() {
         return "[IastName=" + getIastName() +
-                ", IastVersion=" + getIastVersion() +
                 ", IastResponseName=" + getIastResponseFlagName() +
                 "，IastResponseVersion=" + getIastResponseFlagValue() +
                 "，IastServerUrl=" + getBaseUrl() +

diff --git a/iast-core/src/main/java/com/secnium/iast/core/enhance/plugins/PluginRegister.java b/iast-core/src/main/java/com/secnium/iast/core/enhance/plugins/PluginRegister.java
@@ -2,13 +2,13 @@
 
 import com.secnium.iast.core.enhance.IastContext;
 import com.secnium.iast.core.enhance.plugins.api.spring.DispatchSpringApplication;
+import com.secnium.iast.core.enhance.plugins.autobinding.DispatchSpringAutoBinding;
 import com.secnium.iast.core.enhance.plugins.cookie.DispatchCookie;
 import com.secnium.iast.core.enhance.plugins.core.DispatchClassPlugin;
 import com.secnium.iast.core.enhance.plugins.framework.dubbo.DispatchDubbo;
 import com.secnium.iast.core.enhance.plugins.framework.j2ee.dispatch.DispatchJ2ee;
-import org.objectweb.asm.ClassVisitor;
-
 import java.util.ArrayList;
+import org.objectweb.asm.ClassVisitor;
 
 /**
  * @author dongzhiyong@huoxian.cn

diff --git a/iast-core/src/main/java/com/secnium/iast/core/enhance/plugins/core/DispatchClassPlugin.java b/iast-core/src/main/java/com/secnium/iast/core/enhance/plugins/core/DispatchClassPlugin.java
@@ -14,7 +14,6 @@
 import com.secnium.iast.core.handler.vulscan.VulnType;
 import com.secnium.iast.core.util.AsmUtils;
 import com.secnium.iast.core.util.LogUtils;
-import com.secnium.iast.core.util.SandboxStringUtils;
 import com.secnium.iast.core.util.matcher.ConfigMatcher;
 import com.secnium.iast.core.util.matcher.Method;
 import java.lang.reflect.Modifier;
@@ -35,7 +34,7 @@ public class DispatchClassPlugin implements DispatchPlugin {
     private final Logger logger;
     private final boolean enableAllHook;
     private Set<String> ancestors;
-    private String classname;
+    private String className;
 
     public DispatchClassPlugin() {
         this.enableAllHook = PROPERTIES_UTILS.isEnableAllHook();
@@ -46,18 +45,18 @@ public DispatchClassPlugin() {
     public ClassVisitor dispatch(ClassVisitor classVisitor, IastContext context) {
         ClassVisit modifiedClassVisitor = null;
         ancestors = context.getAncestors();
-        classname = context.getClassName();
-        String matchClassname = isMatch();
+        className = context.getClassName();
+        String matchClassName = isMatch();
 
-        if (null != matchClassname) {
+        if (null != matchClassName) {
             if (logger.isDebugEnabled()) {
-                logger.debug("class {} hit rule {}, class diagrams: {}", classname, matchClassname,
+                logger.debug("class {} hit rule {}, class diagrams: {}", className, matchClassName,
                         Arrays.toString(ancestors.toArray()));
             }
-            context.setMatchClassname(matchClassname);
+            context.setMatchClassname(matchClassName);
             modifiedClassVisitor = new ClassVisit(classVisitor, context);
         } else if (enableAllHook && !context.isBootstrapClassLoader()) {
-            context.setMatchClassname(classname);
+            context.setMatchClassname(className);
             modifiedClassVisitor = new ClassVisit(classVisitor, context);
         }
 
@@ -66,20 +65,16 @@ public ClassVisitor dispatch(ClassVisitor classVisitor, IastContext context) {
 
     @Override
     public String isMatch() {
-        String javaClassname = SandboxStringUtils.toJavaClassName(classname);
-        if (IastHookRuleModel.classIsNeededHookByName(javaClassname)) {
-            return javaClassname;
+        if (IastHookRuleModel.classIsNeededHookByName(className)) {
+            return className;
         }
 
-        boolean supportsSuper = false;
-        for (String superClass : ancestors) {
-            javaClassname = SandboxStringUtils.toJavaClassName(superClass);
-            if (IastHookRuleModel.classIsNeededHookBySuperClassName(javaClassname)) {
-                supportsSuper = true;
-                break;
+        for (String superClassName : ancestors) {
+            if (IastHookRuleModel.classIsNeededHookBySuperClassName(superClassName)) {
+                return superClassName;
             }
         }
-        return supportsSuper ? javaClassname : null;
+        return null;
     }
 
     public class ClassVisit extends AbstractClassVisitor {
@@ -89,8 +84,8 @@ public class ClassVisit extends AbstractClassVisitor {
 
         ClassVisit(ClassVisitor classVisitor, IastContext context) {
             super(classVisitor, context);
-            String classname = context.getClassName();
-            this.isAppClass = ConfigMatcher.isAppClass(classname);
+            String className = context.getClassName();
+            this.isAppClass = ConfigMatcher.isAppClass(className);
         }
 
         @Override
@@ -146,7 +141,7 @@ private MethodVisitor greedyAop(MethodVisitor mv, int access, String name, Strin
             if (null != framework) {
                 mv = new PropagateAdviceAdapter(mv, access, name, desc, context, framework, signature);
             } else if (isAppClass && Method.hook(access, name, desc, signature)) {
-                mv = new PropagateAdviceAdapter(mv, access, name, desc, context, framework, signature);
+                mv = new PropagateAdviceAdapter(mv, access, name, desc, context, null, signature);
             }
             transformed = true;
             return mv;

diff --git a/...rc/main/java/com/secnium/iast/core/enhance/plugins/hardcoded/DispatchHardcodedPlugin.java b/...rc/main/java/com/secnium/iast/core/enhance/plugins/hardcoded/DispatchHardcodedPlugin.java
@@ -3,21 +3,21 @@
 import com.secnium.iast.core.enhance.IastContext;
 import com.secnium.iast.core.enhance.plugins.DispatchPlugin;
 import com.secnium.iast.core.util.AsmUtils;
+import com.secnium.iast.core.util.LogUtils;
 import com.secnium.iast.core.util.commonUtils;
+import java.lang.reflect.Modifier;
+import java.util.regex.Pattern;
 import org.objectweb.asm.ClassVisitor;
 import org.objectweb.asm.FieldVisitor;
 import org.slf4j.Logger;
-import com.secnium.iast.core.util.LogUtils;
-
-import java.lang.reflect.Modifier;
-import java.util.regex.Pattern;
 
 /**
  * 检测字节码中使用硬编码的转换类
  *
  * @author dongzhiyong@huoxian.cn
  */
 public class DispatchHardcodedPlugin implements DispatchPlugin {
+
     private final Logger logger = LogUtils.getLogger(getClass());
 
     @Override
@@ -33,7 +33,6 @@ public String isMatch() {
 
     private class ExtractClassContent extends ClassVisitor {
 
-        // 额外字段
         private String source;
 
         public ExtractClassContent(ClassVisitor classVisitor) {
@@ -46,13 +45,13 @@ public void visitSource(String source, String debug) {
             this.source = source;
         }
 
-        // 查看字段
         @Override
         public FieldVisitor visitField(int access, String name, String desc, String signature, Object value) {
             FieldVisitor fieldVisitor = super.visitField(access, name, desc, signature, value);
             if ("[B".equals(desc) && isKeysField(name)) {
                 logger.trace("Source is {}" + this.source);
-            } else if ("Ljava/lang/String;".equals(desc) && isStaticAndFinal(access) && isPassField(name) && !isWrongPrefix(name) && value instanceof String) {
+            } else if ("Ljava/lang/String;".equals(desc) && isStaticAndFinal(access) && isPassField(name)
+                    && !isWrongPrefix(name) && value instanceof String) {
                 String fieldName = (String) value;
                 if (!commonUtils.isEmpty(fieldName) && !valueMatcher(fieldName)) {
                     logger.trace("Source is " + this.source);
@@ -96,7 +95,8 @@ private boolean valueMatcher(String value) {
 
         private final String[] keyArray = {"key", "aes", "des", "iv", "secret", "blowfish"};
         private final String[] passArray = {"password", "passkey", "passphrase", "secret"};
-        private final String[] notPrefixes = {"date", "forgot", "form", "encode", "pattern", "prefix", "prop", "suffix", "url"};
+        private final String[] notPrefixes = {"date", "forgot", "form", "encode", "pattern", "prefix", "prop", "suffix",
+                "url"};
 
     }
 }
diff --git a/iast-core/src/main/java/com/secnium/iast/core/util/matcher/ConfigMatcher.java b/iast-core/src/main/java/com/secnium/iast/core/util/matcher/ConfigMatcher.java
@@ -3,11 +3,10 @@
 import com.secnium.iast.core.PropertyUtils;
 import com.secnium.iast.core.util.ConfigUtils;
 import com.secnium.iast.core.util.LogUtils;
-import org.apache.commons.lang3.StringUtils;
-import org.slf4j.Logger;
-
 import java.util.HashSet;
 import java.util.Set;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
 
 /**
  * 各种匹配方法（通过配置文件匹配）
@@ -18,18 +17,17 @@ public class ConfigMatcher {
 
     private final static Logger logger = LogUtils.getLogger(ConfigMatcher.class);
 
-    public final static HashSet<String> SOURCES;
-    private final static HashSet<String> BLACKS;
+    public final static Set<String> SOURCES;
+    private final static Set<String> BLACKS;
     private final static String[] START_WITH_BLACKS;
     private final static String[] END_WITH_BLACKS;
     private final static Set<String> BLACKS_SET;
     private final static String[] START_ARRAY;
     private final static String[] END_ARRAY;
-    private final static HashSet<String> internalWhiteList;
-    private final static String[] disableExt;
-    private final static AbstractMatcher internalClass = new InternalClass();
-    private final static AbstractMatcher frameworkClass = new FrameworkClass();
-    private final static AbstractMatcher serverClass = new ServerClass();
+    private final static String[] DISABLE_EXT;
+    private final static AbstractMatcher INTERNAL_CLASS = new InternalClass();
+    private final static AbstractMatcher FRAMEWORK_CLASS = new FrameworkClass();
+    private final static AbstractMatcher SERVER_CLASS = new ServerClass();
 
 
     /**
@@ -42,7 +40,7 @@ public static boolean disableExtension(String uri) {
         if (uri == null || uri.isEmpty()) {
             return false;
         }
-        return StringUtils.endsWithAny(uri, disableExt);
+        return StringUtils.endsWithAny(uri, DISABLE_EXT);
     }
 
     private static boolean inHookBlacklist(String className) {
@@ -62,12 +60,7 @@ public static PropagatorType blackFunc(final String signature) {
     }
 
     /**
-     * 判断当前类是否在hook点黑名单。hook黑名单：
-     * 1.agent自身的类；
-     * 2.已知的框架类、中间件类；
-     * 3.类名为null；
-     * 4.JDK内部类且不在hook点配置白名单中；
-     * 5.接口
+     * 判断当前类是否在hook点黑名单。hook黑名单： 1.agent自身的类； 2.已知的框架类、中间件类； 3.类名为null； 4.JDK内部类且不在hook点配置白名单中； 5.接口
      *
      * @param className jvm内部类名，如：java/lang/Runtime
      * @param loader    当前类的classLoader
@@ -83,17 +76,20 @@ public static boolean isHookPoint(String className, ClassLoader loader) {
                 || className.startsWith("java/lang/iast/")
                 || className.startsWith("cn/huoxian/iast/")
         ) {
-            logger.trace("ignore transform {} in loader={}. Reason: classname is startswith com/secnium/iast/", className, loader);
+            logger.trace("ignore transform {} in loader={}. Reason: classname is startswith com/secnium/iast/",
+                    className, loader);
             return false;
         }
 
         if (className.contains("CGLIB$$")) {
-            logger.trace("ignore transform {} in loader={}. Reason: classname is a aop class by CGLIB", className, loader);
+            logger.trace("ignore transform {} in loader={}. Reason: classname is a aop class by CGLIB", className,
+                    loader);
             return false;
         }
 
         if (className.contains("$$Lambda$")) {
-            logger.trace("ignore transform {} in loader={}. Reason: classname is a aop class by Lambda", className, loader);
+            logger.trace("ignore transform {} in loader={}. Reason: classname is a aop class by Lambda", className,
+                    loader);
             return false;
         }
 
@@ -109,16 +105,15 @@ public static boolean isHookPoint(String className, ClassLoader loader) {
         return true;
     }
 
-    public static boolean isAppClass(String classname) {
-        return !(internalClass.match(classname) || frameworkClass.match(classname) || serverClass.match(classname));
+    public static boolean isAppClass(String className) {
+        return !(INTERNAL_CLASS.match(className) || FRAMEWORK_CLASS.match(className) || SERVER_CLASS.match(className));
     }
 
     static {
         final PropertyUtils cfg = PropertyUtils.getInstance();
         String sourcesFile = cfg.getSourceFilePath();
         String blackListFuncFile = cfg.getBlackFunctionFilePath();
         String blackList = cfg.getBlackClassFilePath();
-        String whiteList = cfg.getWhiteClassFilePath();
         String disableExtList = cfg.getBlackExtFilePath();
 
         SOURCES = ConfigUtils.loadConfigFromFile(sourcesFile)[0];
@@ -133,10 +128,7 @@ public static boolean isAppClass(String classname) {
         END_ARRAY = items[2].toArray(new String[0]);
         BLACKS_SET = items[0];
 
-        items = ConfigUtils.loadConfigFromFile(whiteList);
-        internalWhiteList = items[0];
-
-        disableExt = ConfigUtils.loadExtConfigFromFile(disableExtList);
+        DISABLE_EXT = ConfigUtils.loadExtConfigFromFile(disableExtList);
 
     }