Merge pull request HXSecurity#575 from Nizernizer/fix/taint_max_value

Fix/taint max value
Nizernizer · Aug 29, 2023 · eb6e05e · eb6e05e
2 parents c5c7a47 + f065631
commit eb6e05e
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 23 deletions.
diff --git a/dongtai-common/src/main/java/io/dongtai/iast/common/constants/PropertyConstant.java b/dongtai-common/src/main/java/io/dongtai/iast/common/constants/PropertyConstant.java
@@ -32,4 +32,5 @@ public class PropertyConstant {
     public static final String PROPERTY_UUID_PATH = "dongtai.uuid.path";
     public static final String PROPERTY_DISABLED_PLUGINS = "dongtai.disabled.plugins";
     public static final String PROPERTY_DISABLED_FEATURES = "dongtai.disabled.features";
+    public static final String PROPERTY_TAINT_LENGTH = "dongtai.taint.length";
 }
diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/MethodEvent.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/MethodEvent.java
@@ -3,6 +3,7 @@
 import com.alibaba.fastjson2.JSONObject;
 import io.dongtai.iast.core.handler.hookpoint.models.policy.TaintPosition;
 import io.dongtai.iast.core.handler.hookpoint.models.taint.range.TaintRanges;
+import io.dongtai.iast.core.utils.PropertyUtils;
 import io.dongtai.iast.core.utils.StringUtils;
 
 import java.io.StringWriter;
@@ -75,7 +76,7 @@ public class MethodEvent {
     /**
      * method all parameters string value
      */
-    public List<Parameter> parameterValues = new ArrayList<Parameter>();
+    public List<Parameter> parameterValues = new ArrayList<>();
 
     /**
      * method return instance
@@ -87,13 +88,13 @@ public class MethodEvent {
      */
     public String returnValue;
 
-    private final Set<Long> sourceHashes = new HashSet<Long>();
+    private final Set<Long> sourceHashes = new HashSet<>();
 
-    private final Set<Long> targetHashes = new HashSet<Long>();
+    private final Set<Long> targetHashes = new HashSet<>();
 
-    public List<MethodEventTargetRange> targetRanges = new ArrayList<MethodEventTargetRange>();
+    public List<MethodEventTargetRange> targetRanges = new ArrayList<>();
 
-    public List<MethodEventTargetRange> sourceRanges = new ArrayList<MethodEventTargetRange>();
+    public List<MethodEventTargetRange> sourceRanges = new ArrayList<>();
 
     public List<MethodEventSourceType> sourceTypes;
 
@@ -231,7 +232,7 @@ public void addParameterValue(int index, Object param, boolean hasTaint) {
         if (param == null) {
             return;
         }
-        String indexString = "P" + String.valueOf(index + 1);
+        String indexString = "P" + (index + 1);
         Parameter parameter = new Parameter(indexString, formatValue(param, hasTaint));
         this.parameterValues.add(parameter);
     }
@@ -246,7 +247,7 @@ public void setReturnValue(Object ret, boolean hasTaint) {
     private String formatValue(Object val, boolean hasTaint) {
         String str = obj2String(val);
         return "[" + StringUtils.normalize(str, MAX_VALUE_LENGTH) + "]"
-                + (hasTaint ? "*" : "") + String.valueOf(str.length());
+                + (hasTaint ? "*" : "") + str.length();
     }
 
     public Set<Long> getSourceHashes() {
@@ -286,6 +287,7 @@ public void setCallStack(StackTraceElement callStack) {
     }
 
     public String obj2String(Object value) {
+        int taintValueLength = PropertyUtils.getInstance().getTaintValueLength();
         StringBuilder sb = new StringBuilder();
         if (null == value) {
             return "";
@@ -299,27 +301,37 @@ public String obj2String(Object value) {
                         if (taint.getClass().isArray() && !taint.getClass().getComponentType().isPrimitive()) {
                             Object[] subTaints = (Object[]) taint;
                             for (Object subTaint : subTaints) {
-                                sb.append(subTaint.toString()).append(" ");
+                                appendWithMaxLength(sb, subTaint.toString() + " ", taintValueLength);
                             }
                         } else {
-                            sb.append(taint.toString()).append(" ");
+                            appendWithMaxLength(sb, taint.toString() + " ", taintValueLength);
                         }
                     }
                 }
             } else if (value instanceof StringWriter) {
-                sb.append(((StringWriter) value).getBuffer().toString());
+                appendWithMaxLength(sb, ((StringWriter) value).getBuffer().toString(), taintValueLength);
             } else {
-                sb.append(value.toString());
+                appendWithMaxLength(sb, value.toString(), taintValueLength);
             }
         } catch (Throwable e) {
             // org.jruby.RubyBasicObject.hashCode() may cause NullPointerException when RubyBasicObject.metaClass is null
-            sb.append(value.getClass().getName())
-                    .append("@")
-                    .append(Integer.toHexString(System.identityHashCode(value)));
+            String typeName = value.getClass().getName() + "@" + Integer.toHexString(System.identityHashCode(value));
+            appendWithMaxLength(sb, typeName, taintValueLength);
         }
         return sb.toString();
     }
 
+    private void appendWithMaxLength(StringBuilder sb, String content, int maxLength) {
+        if (sb.length() + content.length() > maxLength) {
+            int remainingSpace = maxLength - sb.length();
+            if (remainingSpace > 0) {
+                sb.append(content, 0, remainingSpace);
+            }
+        } else {
+            sb.append(content);
+        }
+    }
+
     public List<Object> getStacks() {
         return stacks;
     }

diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/PropertyUtils.java b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/PropertyUtils.java
@@ -23,18 +23,19 @@ public class PropertyUtils {
     private String iastDumpPath;
     private Long heartBeatInterval = -1L;
     private String serverUrl;
-    private String serverMode;
     private String proxyEnableStatus;
     private String proxyHost;
     private int proxyPort = -1;
-    private String debugFlag;
     private Integer responseLength;
     private String policyPath;
     private static List<String> disabledFeatureList;
     private static Boolean isDisabledCustomModel;
 
     private final String propertiesFilePath;
 
+    private int taintValueLength = -1;
+
+
     public static PropertyUtils getInstance(String propertiesFilePath) {
         if (null == instance) {
             instance = new PropertyUtils(propertiesFilePath);
@@ -180,13 +181,6 @@ public int getProxyPort() {
         return proxyPort;
     }
 
-    private String getDebugFlag() {
-        if (debugFlag == null) {
-            debugFlag = System.getProperty(PropertyConstant.PROPERTY_DEBUG, "false");
-        }
-        return debugFlag;
-    }
-
     public Integer getResponseLength() {
         if (responseLength == null) {
             responseLength = Integer.parseInt(System.getProperty(PropertyConstant.PROPERTY_RESPONSE_LENGTH,
@@ -229,4 +223,13 @@ public static Boolean isDisabledCustomModel() {
     public static Boolean validatedSink() {
         return ConfigBuilder.getInstance().get(ConfigKey.VALIDATED_SINK);
     }
+
+    public int getTaintValueLength() {
+        if (-1 == taintValueLength) {
+            taintValueLength = Integer
+                    .parseInt(System.getProperty(PropertyConstant.PROPERTY_TAINT_LENGTH,
+                            cfg.getProperty(PropertyConstant.PROPERTY_TAINT_LENGTH, "1024")));
+        }
+        return taintValueLength;
+    }
 }