fix: BlackUrl collect bypass.

Author: ‘niuerzhuang’

dongtai-core/src/main/java/io/dongtai/iast/core/bytecode/enhance/asm/AsmMethods.java

@@ -255,6 +255,20 @@ static Method getAsmMethod(final Class<?> clazz,
             boolean.class
     );
 
+    Method SPY$skipCollect = InnerHelper.getAsmMethod(
+            SpyDispatcher.class,
+            "skipCollect",
+            Object.class,
+            Object[].class,
+            Object.class,
+            String.class,
+            String.class,
+            String.class,
+            String.class,
+            String.class,
+            boolean.class
+    );
+
     Method SPY$traceFeignInvoke = InnerHelper.getAsmMethod(
             SpyDispatcher.class,
             "traceFeignInvoke",

dongtai-core/src/main/java/io/dongtai/iast/core/bytecode/enhance/plugin/AbstractAdviceAdapter.java

@@ -174,6 +174,32 @@ public void captureMethodState(
         pop();
     }
 
+    public void skipCollect(
+            final int opcode,
+            final PolicyNode policyNode,
+            final boolean captureRet
+    ) {
+        newLocal(ASM_TYPE_OBJECT);
+        if (captureRet && !isThrow(opcode)) {
+            loadReturn(opcode);
+        } else {
+            pushNull();
+        }
+        storeLocal(this.nextLocal - 1);
+        invokeStatic(ASM_TYPE_SPY_HANDLER, SPY_HANDLER$getDispatcher);
+        loadThisOrPushNullIfIsStatic();
+        loadArgArray();
+        loadLocal(this.nextLocal - 1);
+        push(policyNode.toString());
+        push(this.context.getClassName());
+        push(this.context.getMatchedClassName());
+        push(this.name);
+        push(this.signature);
+        push(Modifier.isStatic(this.access));
+        invokeInterface(ASM_TYPE_SPY_DISPATCHER, SPY$skipCollect);
+        pop();
+    }
+
     /**
      * 是否抛出异常返回(通过字节码判断)
      *

dongtai-core/src/main/java/io/dongtai/iast/core/bytecode/enhance/plugin/core/adapter/SinkAdapter.java

@@ -15,6 +15,9 @@ public void onMethodEnter(MethodAdviceAdapter adapter, MethodVisitor mv, MethodC
             if (!(policyNode instanceof SinkNode)) {
                 continue;
             }
+            if ("ssrf".equals(((SinkNode) policyNode).getVulType())){
+                adapter.skipCollect(-1, policyNode, false);
+            }
 
             enterScope(adapter, policyNode);
 

dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/SpyDispatcherImpl.java

@@ -8,16 +8,15 @@
 import io.dongtai.iast.core.EngineManager;
 import io.dongtai.iast.core.bytecode.enhance.plugin.spring.SpringApplicationImpl;
 import io.dongtai.iast.core.handler.bypass.BlackUrlBypass;
-import io.dongtai.iast.core.handler.context.ContextManager;
 import io.dongtai.iast.core.handler.hookpoint.controller.HookType;
 import io.dongtai.iast.core.handler.hookpoint.controller.impl.*;
 import io.dongtai.iast.core.handler.hookpoint.graphy.GraphBuilder;
 import io.dongtai.iast.core.handler.hookpoint.models.MethodEvent;
 import io.dongtai.iast.core.handler.hookpoint.models.policy.*;
 import io.dongtai.iast.core.handler.hookpoint.service.trace.DubboService;
 import io.dongtai.iast.core.handler.hookpoint.service.trace.FeignService;
+import io.dongtai.iast.core.handler.hookpoint.service.trace.HttpService;
 import io.dongtai.iast.core.utils.StringUtils;
-import io.dongtai.iast.core.utils.TaintPoolUtils;
 import io.dongtai.iast.core.utils.matcher.ConfigMatcher;
 import io.dongtai.log.DongTaiLog;
 import io.dongtai.log.ErrorCode;
@@ -192,7 +191,7 @@ public void collectHttpRequest(Object obj, Object req, Object resp, StringBuffer
                 BlackUrlBypass.setIsBlackUrl(true);
                 return;
             }
-            if (null != headers.get(BlackUrlBypass.getHeaderKey()) && headers.get(BlackUrlBypass.getHeaderKey()).equals("true")){
+            if (null != headers.get(BlackUrlBypass.getHeaderKey()) && headers.get(BlackUrlBypass.getHeaderKey()).equals("true")) {
                 BlackUrlBypass.setIsBlackUrl(true);
                 return;
             }
@@ -607,6 +606,7 @@ public boolean isNotReplayRequest() {
 
     /**
      * mark for enter Source Entry Point
+     *
      * @since 1.3.1
      */
     @Override
@@ -714,7 +714,7 @@ public boolean traceDubboInvoke(Object instance, String url, Object invocation,
 
     @Override
     public boolean isSkipCollectDubbo(Object invocation) {
-        if (BlackUrlBypass.isBlackUrl()){
+        if (BlackUrlBypass.isBlackUrl()) {
             Method setAttachmentMethod = null;
             try {
                 setAttachmentMethod = invocation.getClass().getMethod("setAttachment", String.class, String.class);
@@ -729,20 +729,42 @@ public boolean isSkipCollectDubbo(Object invocation) {
 
     @Override
     public boolean isSkipCollectFeign(Object instance) {
-        Field metadataField = null;
-        try {
-            metadataField = instance.getClass().getDeclaredField("metadata");
-            metadataField.setAccessible(true);
-            Object metadata = metadataField.get(instance);
-            Method templateMethod = metadata.getClass().getMethod("template");
-            Object template = templateMethod.invoke(metadata);
-
-            Method addHeaderMethod = template.getClass().getDeclaredMethod("header", String.class, String[].class);
-            addHeaderMethod.setAccessible(true);
-            addHeaderMethod.invoke(template, BlackUrlBypass.getHeaderKey(), new String[]{});
-            addHeaderMethod.invoke(template, BlackUrlBypass.getHeaderKey(), new String[]{BlackUrlBypass.isBlackUrl().toString()});
-        } catch (NoSuchFieldException | NoSuchMethodException | InvocationTargetException | IllegalAccessException e) {
-            DongTaiLog.error(ErrorCode.get("BYPASS_FAILED_FEIGN"), e);
+        if (BlackUrlBypass.isBlackUrl()) {
+            Field metadataField = null;
+            try {
+                metadataField = instance.getClass().getDeclaredField("metadata");
+                metadataField.setAccessible(true);
+                Object metadata = metadataField.get(instance);
+                Method templateMethod = metadata.getClass().getMethod("template");
+                Object template = templateMethod.invoke(metadata);
+
+                Method addHeaderMethod = template.getClass().getDeclaredMethod("header", String.class, String[].class);
+                addHeaderMethod.setAccessible(true);
+                addHeaderMethod.invoke(template, BlackUrlBypass.getHeaderKey(), new String[]{});
+                addHeaderMethod.invoke(template, BlackUrlBypass.getHeaderKey(), new String[]{BlackUrlBypass.isBlackUrl().toString()});
+            } catch (NoSuchFieldException | NoSuchMethodException | InvocationTargetException | IllegalAccessException e) {
+                DongTaiLog.error(ErrorCode.get("BYPASS_FAILED_FEIGN"), e);
+            }
+        }
+        return false;
+    }
+
+    @Override
+    public boolean skipCollect(Object instance, Object[] parameters, Object retObject, String policyKey,
+                               String className, String matchedClassName, String methodName, String signature,
+                               boolean isStatic) {
+        if (BlackUrlBypass.isBlackUrl()) {
+            MethodEvent event = new MethodEvent(className, matchedClassName, methodName,
+                    signature, instance, parameters, retObject);
+            PolicyNode policyNode = getPolicyNode(policyKey);
+            if (policyNode == null) {
+                return false;
+            }
+            HttpService httpService = new HttpService();
+            if (httpService.match(event, policyNode)) {
+                httpService.addBypass(event);
+                return true;
+            }
         }
         return false;
     }

dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/HttpImpl.java

@@ -3,6 +3,7 @@
 import io.dongtai.iast.common.config.*;
 import io.dongtai.iast.common.constants.AgentConstant;
 import io.dongtai.iast.core.EngineManager;
+import io.dongtai.iast.core.handler.bypass.BlackUrlBypass;
 import io.dongtai.iast.core.handler.hookpoint.IastClassLoader;
 import io.dongtai.iast.core.utils.*;
 import io.dongtai.iast.core.utils.matcher.ConfigMatcher;
@@ -60,6 +61,7 @@ public static void solveHttpRequest(Object obj, Object req, Object resp, Map<Str
             String requestURL = ((StringBuffer) requestMeta.get("requestURL")).toString();
             Map<String, String> headers = (Map<String, String>) requestMeta.get("headers");
             if (requestDenyList.match(requestURL, headers)) {
+                BlackUrlBypass.setIsBlackUrl(true);
                 DongTaiLog.trace("HTTP Request {} deny to collect", requestURL);
                 return;
             }

dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/service/trace/HttpService.java

@@ -1,6 +1,7 @@
 package io.dongtai.iast.core.handler.hookpoint.service.trace;
 
 import io.dongtai.iast.core.EngineManager;
+import io.dongtai.iast.core.handler.bypass.BlackUrlBypass;
 import io.dongtai.iast.core.handler.context.ContextManager;
 import io.dongtai.iast.core.handler.hookpoint.models.MethodEvent;
 import io.dongtai.iast.core.handler.hookpoint.models.policy.PolicyNode;
@@ -12,6 +13,8 @@
 import java.lang.reflect.Field;
 import java.lang.reflect.Method;
 import java.net.HttpURLConnection;
+import java.util.HashMap;
+import java.util.Map;
 
 public class HttpService implements ServiceTrace {
     private String matchedSignature;
@@ -44,6 +47,21 @@ public void addTrace(MethodEvent event, PolicyNode policyNode) {
         }
     }
 
+    public void addBypass(MethodEvent event) {
+        HashMap<String, String> blackUrlHeaders = new HashMap<>();
+        blackUrlHeaders.put(BlackUrlBypass.getHeaderKey(), String.valueOf(BlackUrlBypass.isBlackUrl()));
+        if (HttpClient.matchJavaNetUrl(this.matchedSignature)) {
+            addHeaderToJavaNetURL(event, blackUrlHeaders);
+        } else if (HttpClient.matchApacheHttp4(this.matchedSignature)
+                || HttpClient.matchApacheHttp5(this.matchedSignature)) {
+            addHeaderToApacheHttpClient(event, blackUrlHeaders);
+        } else if (HttpClient.matchApacheHttp3(this.matchedSignature)) {
+            addHeaderToApacheHttpClientLegacy(event, blackUrlHeaders);
+        } else if (HttpClient.matchOkhttp(this.matchedSignature)) {
+            addHeaderToOkhttp(event, blackUrlHeaders);
+        }
+    }
+
     private String addTraceToJavaNetURL(MethodEvent event) {
         if (event.objectInstance == null) {
             return null;
@@ -65,6 +83,24 @@ private String addTraceToJavaNetURL(MethodEvent event) {
         return null;
     }
 
+    private void addHeaderToJavaNetURL(MethodEvent event, Map<String, String> headers) {
+        if (event.objectInstance == null) {
+            return;
+        }
+        try {
+            if (event.objectInstance instanceof HttpURLConnection) {
+                final HttpURLConnection connection = (HttpURLConnection) event.objectInstance;
+                for (Map.Entry<String, String> header : headers.entrySet()) {
+                    connection.setRequestProperty(header.getKey(), header.getValue());
+                }
+            }
+        } catch (IllegalStateException ignore) {
+        } catch (Throwable e) {
+            DongTaiLog.debug("add header to okhttp client failed: {}, {}",
+                    e.getMessage(), e.getCause() != null ? e.getCause().getMessage() : "");
+        }
+    }
+
     private String addTraceToApacheHttpClient(MethodEvent event) {
         if (event.parameterInstances.length < 2) {
             return null;
@@ -96,6 +132,38 @@ private String addTraceToApacheHttpClient(MethodEvent event) {
         return null;
     }
 
+    private void addHeaderToApacheHttpClient(MethodEvent event, Map<String, String> headers) {
+        if (headers == null) {
+            return;
+        }
+        if (event.parameterInstances.length < 2) {
+            return;
+        }
+        Object obj = event.parameterInstances[1];
+        if (obj == null) {
+            return;
+        }
+        try {
+            Method method;
+            if (HttpClient.matchApacheHttp5(this.matchedSignature)) {
+                method = ReflectUtils.getDeclaredMethodFromSuperClass(obj.getClass(),
+                        "addHeader", new Class[]{String.class, Object.class});
+            } else {
+                method = ReflectUtils.getDeclaredMethodFromSuperClass(obj.getClass(),
+                        "addHeader", new Class[]{String.class, String.class});
+            }
+            if (method == null) {
+                return;
+            }
+            for (Map.Entry<String, String> header : headers.entrySet()) {
+                method.invoke(obj, header.getKey(), header.getValue());
+            }
+        } catch (Throwable e) {
+            DongTaiLog.debug("add header to okhttp client failed: {}, {}",
+                    e.getMessage(), e.getCause() != null ? e.getCause().getMessage() : "");
+        }
+    }
+
     private String addTraceToApacheHttpClientLegacy(MethodEvent event) {
         Object obj = event.objectInstance;
         if (obj == null) {
@@ -118,6 +186,26 @@ private String addTraceToApacheHttpClientLegacy(MethodEvent event) {
         return null;
     }
 
+    private void addHeaderToApacheHttpClientLegacy(MethodEvent event, Map<String, String> headers) {
+        Object obj = event.objectInstance;
+        if (obj == null) {
+            return;
+        }
+        try {
+            Method method = ReflectUtils.getDeclaredMethodFromSuperClass(obj.getClass(),
+                    "setRequestHeader", new Class[]{String.class, String.class});
+            if (method == null) {
+                return;
+            }
+            for (Map.Entry<String, String> header : headers.entrySet()) {
+                method.invoke(obj, header.getKey(), header.getValue());
+            }
+        } catch (Throwable e) {
+            DongTaiLog.debug("add header to okhttp client failed: {}, {}"
+                    , e.getMessage(), e.getCause() != null ? e.getCause().getMessage() : "");
+        }
+    }
+
     private String addTraceToOkhttp(MethodEvent event) {
         Object obj = event.objectInstance;
         if (obj == null) {
@@ -153,6 +241,38 @@ private String addTraceToOkhttp(MethodEvent event) {
         return null;
     }
 
+    private void addHeaderToOkhttp(MethodEvent event, Map<String, String> headers) {
+        Object obj = event.objectInstance;
+        if (obj == null) {
+            return;
+        }
+        try {
+            String className = obj.getClass().getName();
+            if (!HttpClient.matchAllOkhttpCallClass(className)) {
+                return;
+            }
+
+            Field reqField = obj.getClass().getDeclaredField("originalRequest");
+            boolean accessible = reqField.isAccessible();
+            reqField.setAccessible(true);
+            Object req = reqField.get(obj);
+
+            Method methodNewBuilder = req.getClass().getMethod("newBuilder");
+            Object reqBuilder = methodNewBuilder.invoke(req);
+            Method methodAddHeader = reqBuilder.getClass().getMethod("addHeader", String.class, String.class);
+            for (Map.Entry<String, String> header : headers.entrySet()) {
+                methodAddHeader.invoke(reqBuilder, header.getKey(), header.getValue());
+            }
+            Method methodBuild = reqBuilder.getClass().getMethod("build");
+            Object newReq = methodBuild.invoke(reqBuilder);
+            reqField.set(obj, newReq);
+            reqField.setAccessible(accessible);
+        } catch (Throwable e) {
+            DongTaiLog.debug("add header to okhttp client failed: {}, {}",
+                    e.getMessage(), e.getCause() != null ? e.getCause().getMessage() : "");
+        }
+    }
+
     public static boolean validate(MethodEvent event) {
         if (HttpClient.matchJavaNetUrl(event.signature)) {
             return validateURLConnection(event);

dongtai-spy/src/main/java/java/lang/dongtai/NopSpy.java

@@ -272,4 +272,9 @@ public boolean isSkipCollectFeign(Object instance) {
         return false;
     }
 
+    @Override
+    public boolean skipCollect(Object instance, Object[] parameters, Object retObject, String methodMatcher, String className, String matchedClassName, String methodName, String signature, boolean isStatic) {
+        return false;
+    }
+
 }

dongtai-spy/src/main/java/java/lang/dongtai/SpyDispatcher.java

@@ -174,4 +174,8 @@ boolean traceDubboInvoke(Object instance, String url, Object invocation, Object[
     boolean isSkipCollectDubbo(Object invocation);
 
     boolean isSkipCollectFeign(Object instance);
+
+    boolean skipCollect(Object instance, Object[] parameters, Object retObject, String methodMatcher,
+                        String className, String matchedClassName, String methodName, String signature,
+                        boolean isStatic);
 }