From a1c863eadf5db13a6eab3dcd8667466c95ebc491 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=98niuerzhuang=E2=80=99?=
 <‘niuerzhuang@huoxian.cn’>
Date: Tue, 29 Aug 2023 10:21:34 +0800
Subject: [PATCH 1/2] fix: taint max length.

---
 .../common/constants/PropertyConstant.java    |  1 +
 .../handler/hookpoint/models/MethodEvent.java | 26 ++++++++++++++-----
 .../iast/core/utils/PropertyUtils.java        | 12 +++++++++
 3 files changed, 32 insertions(+), 7 deletions(-)

diff --git a/dongtai-common/src/main/java/io/dongtai/iast/common/constants/PropertyConstant.java b/dongtai-common/src/main/java/io/dongtai/iast/common/constants/PropertyConstant.java
index 281319bed..31b9e1b4a 100644
--- a/dongtai-common/src/main/java/io/dongtai/iast/common/constants/PropertyConstant.java
+++ b/dongtai-common/src/main/java/io/dongtai/iast/common/constants/PropertyConstant.java
@@ -32,4 +32,5 @@ public class PropertyConstant {
     public static final String PROPERTY_UUID_PATH = "dongtai.uuid.path";
     public static final String PROPERTY_DISABLED_PLUGINS = "dongtai.disabled.plugins";
     public static final String PROPERTY_DISABLED_FEATURES = "dongtai.disabled.features";
+    public static final String PROPERTY_TAINT_LENGTH = "dongtai.taint.length";
 }
diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/MethodEvent.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/MethodEvent.java
index eb8009aab..7ee75dd02 100644
--- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/MethodEvent.java
+++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/MethodEvent.java
@@ -3,6 +3,7 @@
 import com.alibaba.fastjson2.JSONObject;
 import io.dongtai.iast.core.handler.hookpoint.models.policy.TaintPosition;
 import io.dongtai.iast.core.handler.hookpoint.models.taint.range.TaintRanges;
+import io.dongtai.iast.core.utils.PropertyUtils;
 import io.dongtai.iast.core.utils.StringUtils;
 
 import java.io.StringWriter;
@@ -286,6 +287,7 @@ public void setCallStack(StackTraceElement callStack) {
     }
 
     public String obj2String(Object value) {
+        int taintValueLength = PropertyUtils.getInstance().getTaintValueLength();
         StringBuilder sb = new StringBuilder();
         if (null == value) {
             return "";
@@ -299,27 +301,37 @@ public String obj2String(Object value) {
                         if (taint.getClass().isArray() && !taint.getClass().getComponentType().isPrimitive()) {
                             Object[] subTaints = (Object[]) taint;
                             for (Object subTaint : subTaints) {
-                                sb.append(subTaint.toString()).append(" ");
+                                appendWithMaxLength(sb, subTaint.toString() + " ", taintValueLength);
                             }
                         } else {
-                            sb.append(taint.toString()).append(" ");
+                            appendWithMaxLength(sb, taint.toString() + " ", taintValueLength);
                         }
                     }
                 }
             } else if (value instanceof StringWriter) {
-                sb.append(((StringWriter) value).getBuffer().toString());
+                appendWithMaxLength(sb, ((StringWriter) value).getBuffer().toString(), taintValueLength);
             } else {
-                sb.append(value.toString());
+                appendWithMaxLength(sb, value.toString(), taintValueLength);
             }
         } catch (Throwable e) {
             // org.jruby.RubyBasicObject.hashCode() may cause NullPointerException when RubyBasicObject.metaClass is null
-            sb.append(value.getClass().getName())
-                    .append("@")
-                    .append(Integer.toHexString(System.identityHashCode(value)));
+            String typeName = value.getClass().getName() + "@" + Integer.toHexString(System.identityHashCode(value));
+            appendWithMaxLength(sb, typeName, taintValueLength);
         }
         return sb.toString();
     }
 
+    private void appendWithMaxLength(StringBuilder sb, String content, int maxLength) {
+        if (sb.length() + content.length() > maxLength) {
+            int remainingSpace = maxLength - sb.length();
+            if (remainingSpace > 0) {
+                sb.append(content, 0, remainingSpace);
+            }
+        } else {
+            sb.append(content);
+        }
+    }
+
     public List<Object> getStacks() {
         return stacks;
     }
diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/PropertyUtils.java b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/PropertyUtils.java
index f2ca1ffea..6527a029d 100644
--- a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/PropertyUtils.java
+++ b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/PropertyUtils.java
@@ -35,6 +35,9 @@ public class PropertyUtils {
 
     private final String propertiesFilePath;
 
+    private int taintValueLength = -1;
+
+
     public static PropertyUtils getInstance(String propertiesFilePath) {
         if (null == instance) {
             instance = new PropertyUtils(propertiesFilePath);
@@ -229,4 +232,13 @@ public static Boolean isDisabledCustomModel() {
     public static Boolean validatedSink() {
         return ConfigBuilder.getInstance().get(ConfigKey.VALIDATED_SINK);
     }
+
+    public int getTaintValueLength() {
+        if (-1 == taintValueLength) {
+            taintValueLength = Integer
+                    .parseInt(System.getProperty(PropertyConstant.PROPERTY_TAINT_LENGTH,
+                            cfg.getProperty(PropertyConstant.PROPERTY_TAINT_LENGTH, "1024")));
+        }
+        return taintValueLength;
+    }
 }

From f06563130e78d271c9a5e328c3252023f8cfb6b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=98niuerzhuang=E2=80=99?=
 <‘niuerzhuang@huoxian.cn’>
Date: Tue, 29 Aug 2023 10:26:21 +0800
Subject: [PATCH 2/2] fix: taint max length.

---
 .../core/handler/hookpoint/models/MethodEvent.java | 14 +++++++-------
 .../io/dongtai/iast/core/utils/PropertyUtils.java  |  9 ---------
 2 files changed, 7 insertions(+), 16 deletions(-)

diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/MethodEvent.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/MethodEvent.java
index 7ee75dd02..08d4be826 100644
--- a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/MethodEvent.java
+++ b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/models/MethodEvent.java
@@ -76,7 +76,7 @@ public class MethodEvent {
     /**
      * method all parameters string value
      */
-    public List<Parameter> parameterValues = new ArrayList<Parameter>();
+    public List<Parameter> parameterValues = new ArrayList<>();
 
     /**
      * method return instance
@@ -88,13 +88,13 @@ public class MethodEvent {
      */
     public String returnValue;
 
-    private final Set<Long> sourceHashes = new HashSet<Long>();
+    private final Set<Long> sourceHashes = new HashSet<>();
 
-    private final Set<Long> targetHashes = new HashSet<Long>();
+    private final Set<Long> targetHashes = new HashSet<>();
 
-    public List<MethodEventTargetRange> targetRanges = new ArrayList<MethodEventTargetRange>();
+    public List<MethodEventTargetRange> targetRanges = new ArrayList<>();
 
-    public List<MethodEventTargetRange> sourceRanges = new ArrayList<MethodEventTargetRange>();
+    public List<MethodEventTargetRange> sourceRanges = new ArrayList<>();
 
     public List<MethodEventSourceType> sourceTypes;
 
@@ -232,7 +232,7 @@ public void addParameterValue(int index, Object param, boolean hasTaint) {
         if (param == null) {
             return;
         }
-        String indexString = "P" + String.valueOf(index + 1);
+        String indexString = "P" + (index + 1);
         Parameter parameter = new Parameter(indexString, formatValue(param, hasTaint));
         this.parameterValues.add(parameter);
     }
@@ -247,7 +247,7 @@ public void setReturnValue(Object ret, boolean hasTaint) {
     private String formatValue(Object val, boolean hasTaint) {
         String str = obj2String(val);
         return "[" + StringUtils.normalize(str, MAX_VALUE_LENGTH) + "]"
-                + (hasTaint ? "*" : "") + String.valueOf(str.length());
+                + (hasTaint ? "*" : "") + str.length();
     }
 
     public Set<Long> getSourceHashes() {
diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/PropertyUtils.java b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/PropertyUtils.java
index 6527a029d..116d2b966 100644
--- a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/PropertyUtils.java
+++ b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/PropertyUtils.java
@@ -23,11 +23,9 @@ public class PropertyUtils {
     private String iastDumpPath;
     private Long heartBeatInterval = -1L;
     private String serverUrl;
-    private String serverMode;
     private String proxyEnableStatus;
     private String proxyHost;
     private int proxyPort = -1;
-    private String debugFlag;
     private Integer responseLength;
     private String policyPath;
     private static List<String> disabledFeatureList;
@@ -183,13 +181,6 @@ public int getProxyPort() {
         return proxyPort;
     }
 
-    private String getDebugFlag() {
-        if (debugFlag == null) {
-            debugFlag = System.getProperty(PropertyConstant.PROPERTY_DEBUG, "false");
-        }
-        return debugFlag;
-    }
-
     public Integer getResponseLength() {
         if (responseLength == null) {
             responseLength = Integer.parseInt(System.getProperty(PropertyConstant.PROPERTY_RESPONSE_LENGTH,