Merge pull request #540 from Nizernizer/fix/jdk-module

Fix/collection bypass and jdk9+ module inject

Author: lostsnow

dongtai-core/src/main/java/com/secnium/iast/core/AgentEngine.java

@@ -16,8 +16,7 @@
 
 import java.lang.dongtai.SpyDispatcherHandler;
 import java.lang.instrument.Instrumentation;
-import java.util.ArrayList;
-import java.util.ListIterator;
+import java.util.*;
 
 /**
  * @author [email protected]
@@ -71,6 +70,7 @@ public static void install(String mode, String propertiesFilePath, Integer agent
             DongTaiLog.info("DongTai Engine is successfully installed to the JVM, and it takes {} s",
                     stopWatch.getTime() / 1000);
             DongTaiLog.info("DongTai Agent Version: {}, DongTai Server: {}", AgentConstant.VERSION_VALUE, cfg.getBaseUrl());
+            inject(inst);
             new ServiceDirReport().send();
         } catch (Throwable e) {
             DongTaiLog.error(ErrorCode.get("ENGINE_INSTALL_FAILED"), e);
@@ -134,4 +134,37 @@ private void destroy() {
         }
     }
 
+
+    private static void redefineJavaBaseModule(Instrumentation instrumentation) {
+        if (doesSupportModules()) {
+            try {
+                Instrumentation.class.getMethod("redefineModule", Class.forName("java.lang.Module"), Set.class, Map.class, Map.class, Set.class, Map.class).invoke(instrumentation, getModule(Object.class), Collections.emptySet(), Collections.emptyMap(), Collections.singletonMap("java.lang", Collections.singleton(getModule(EngineManager.class))), Collections.emptySet(), Collections.emptyMap());
+            } catch (Exception e) {
+                DongTaiLog.error(ErrorCode.REDEFINE_MODULE_FAILED,e);
+            }
+        }
+    }
+
+    public static boolean doesSupportModules() {
+        try {
+            Class.forName("java.lang.Module");
+            return true;
+        } catch (ClassNotFoundException e) {
+            return false;
+        }
+    }
+
+    private static Object getModule(Class<?> clazz) {
+        try {
+            return Class.class.getMethod("getModule", new Class[0]).invoke(clazz, new Object[0]);
+        } catch (Exception e) {
+            throw new IllegalStateException("There was a problem while getting the module of the class", e);
+        }
+    }
+    public static void inject(Instrumentation inst) {
+        if (doesSupportModules()) {
+            redefineJavaBaseModule(inst);
+        }
+    }
+
 }

dongtai-core/src/main/java/io/dongtai/iast/core/bytecode/enhance/asm/AsmMethods.java

@@ -256,6 +256,20 @@ static Method getAsmMethod(final Class<?> clazz,
             boolean.class
     );
 
+    Method SPY$skipCollect = InnerHelper.getAsmMethod(
+            SpyDispatcher.class,
+            "skipCollect",
+            Object.class,
+            Object[].class,
+            Object.class,
+            String.class,
+            String.class,
+            String.class,
+            String.class,
+            String.class,
+            boolean.class
+    );
+
     Method SPY$traceFeignInvoke = InnerHelper.getAsmMethod(
             SpyDispatcher.class,
             "traceFeignInvoke",
@@ -279,6 +293,18 @@ static Method getAsmMethod(final Class<?> clazz,
             String.class
     );
 
+    Method SPY$isSkipCollectDubbo = InnerHelper.getAsmMethod(
+            SpyDispatcher.class,
+            "isSkipCollectDubbo",
+            Object.class
+    );
+
+    Method SPY$isSkipCollectFeign = InnerHelper.getAsmMethod(
+            SpyDispatcher.class,
+            "isSkipCollectFeign",
+            Object.class
+    );
+
     Method SPY$reportService = InnerHelper.getAsmMethod(
             SpyDispatcher.class,
             "reportService",

dongtai-core/src/main/java/io/dongtai/iast/core/bytecode/enhance/plugin/AbstractAdviceAdapter.java

@@ -174,6 +174,32 @@ public void captureMethodState(
         pop();
     }
 
+    public void skipCollect(
+            final int opcode,
+            final PolicyNode policyNode,
+            final boolean captureRet
+    ) {
+        newLocal(ASM_TYPE_OBJECT);
+        if (captureRet && !isThrow(opcode)) {
+            loadReturn(opcode);
+        } else {
+            pushNull();
+        }
+        storeLocal(this.nextLocal - 1);
+        invokeStatic(ASM_TYPE_SPY_HANDLER, SPY_HANDLER$getDispatcher);
+        loadThisOrPushNullIfIsStatic();
+        loadArgArray();
+        loadLocal(this.nextLocal - 1);
+        push(policyNode.toString());
+        push(this.context.getClassName());
+        push(this.context.getMatchedClassName());
+        push(this.name);
+        push(this.signature);
+        push(Modifier.isStatic(this.access));
+        invokeInterface(ASM_TYPE_SPY_DISPATCHER, SPY$skipCollect);
+        pop();
+    }
+
     /**
      * 是否抛出异常返回(通过字节码判断)
      *

dongtai-core/src/main/java/io/dongtai/iast/core/bytecode/enhance/plugin/core/adapter/SinkAdapter.java

@@ -15,6 +15,9 @@ public void onMethodEnter(MethodAdviceAdapter adapter, MethodVisitor mv, MethodC
             if (!(policyNode instanceof SinkNode)) {
                 continue;
             }
+            if ("ssrf".equals(((SinkNode) policyNode).getVulType())){
+                adapter.skipCollect(-1, policyNode, false);
+            }
 
             enterScope(adapter, policyNode);
 

dongtai-core/src/main/java/io/dongtai/iast/core/bytecode/enhance/plugin/framework/dubbo/DubboSyncHandlerInvokeAdviceAdapter.java

@@ -61,6 +61,7 @@ public void visitMaxs(int maxStack, int maxLocals) {
     }
 
     private void enterMethod() {
+        skipCollect();
         enterScope();
 
         Label elseLabel = new Label();
@@ -113,4 +114,11 @@ private void traceMethod() {
         invokeInterface(ASM_TYPE_SPY_DISPATCHER, SPY$traceDubboInvoke);
         pop();
     }
+
+    private void skipCollect() {
+        invokeStatic(ASM_TYPE_SPY_HANDLER, SPY_HANDLER$getDispatcher);
+        loadArg(0);
+        invokeInterface(ASM_TYPE_SPY_DISPATCHER,SPY$isSkipCollectDubbo);
+        pop();
+    }
 }

dongtai-core/src/main/java/io/dongtai/iast/core/bytecode/enhance/plugin/framework/feign/FeignSyncHandlerInvokeAdviceAdapter.java

@@ -44,6 +44,7 @@ public void visitMaxs(int maxStack, int maxLocals) {
     }
 
     private void enterMethod() {
+        skipCollect();
         enterScope();
 
         Label elseLabel = new Label();
@@ -89,4 +90,11 @@ private void traceMethod() {
         invokeInterface(ASM_TYPE_SPY_DISPATCHER, SPY$traceFeignInvoke);
         pop();
     }
+
+    private void skipCollect() {
+        invokeStatic(ASM_TYPE_SPY_HANDLER, SPY_HANDLER$getDispatcher);
+        loadThisOrPushNullIfIsStatic();
+        invokeInterface(ASM_TYPE_SPY_DISPATCHER,SPY$isSkipCollectFeign);
+        pop();
+    }
 }

dongtai-core/src/main/java/io/dongtai/iast/core/handler/bypass/BlackUrlBypass.java

@@ -0,0 +1,20 @@
+package io.dongtai.iast.core.handler.bypass;
+
+import io.dongtai.iast.core.utils.threadlocal.BooleanThreadLocal;
+
+public class BlackUrlBypass {
+
+    private static BooleanThreadLocal isBlackUrl = new BooleanThreadLocal(false);
+
+    public static Boolean isBlackUrl() {
+        return isBlackUrl.get();
+    }
+
+    public static void setIsBlackUrl(Boolean isBlackUrl) {
+        BlackUrlBypass.isBlackUrl.set(isBlackUrl);
+    }
+
+    public static String getHeaderKey() {
+        return "dt-collect-skip";
+    }
+}

dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/SpyDispatcherImpl.java

@@ -6,6 +6,7 @@
 import io.dongtai.iast.common.scope.Scope;
 import io.dongtai.iast.common.scope.ScopeManager;
 import io.dongtai.iast.core.EngineManager;
+import io.dongtai.iast.core.handler.bypass.BlackUrlBypass;
 import io.dongtai.iast.core.handler.hookpoint.api.DubboApiGatherThread;
 import io.dongtai.iast.core.handler.hookpoint.api.SpringGatherApiThread;
 import io.dongtai.iast.core.handler.hookpoint.controller.HookType;
@@ -15,11 +16,16 @@
 import io.dongtai.iast.core.handler.hookpoint.models.policy.*;
 import io.dongtai.iast.core.handler.hookpoint.service.trace.DubboService;
 import io.dongtai.iast.core.handler.hookpoint.service.trace.FeignService;
+import io.dongtai.iast.core.handler.hookpoint.service.trace.HttpService;
 import io.dongtai.iast.core.utils.StringUtils;
+import io.dongtai.iast.core.utils.matcher.ConfigMatcher;
 import io.dongtai.log.DongTaiLog;
 import io.dongtai.log.ErrorCode;
 
 import java.lang.dongtai.SpyDispatcher;
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
 import java.net.InetSocketAddress;
 import java.util.Collection;
 import java.util.Enumeration;
@@ -185,6 +191,14 @@ public void collectHttpRequest(Object obj, Object req, Object resp, StringBuffer
                 put("headers", headers);
                 put("replay-request", !StringUtils.isEmpty(headers.get("dongtai-replay-id")));
             }};
+            if (ConfigMatcher.getInstance().getBlackUrl(requestMeta)) {
+                BlackUrlBypass.setIsBlackUrl(true);
+                return;
+            }
+            if (null != headers.get(BlackUrlBypass.getHeaderKey()) && headers.get(BlackUrlBypass.getHeaderKey()).equals("true")) {
+                BlackUrlBypass.setIsBlackUrl(true);
+                return;
+            }
             HttpImpl.solveHttpRequest(obj, req, resp, requestMeta);
         } catch (Throwable e) {
             DongTaiLog.warn(ErrorCode.get("SPY_COLLECT_HTTP_FAILED"), "request", e);
@@ -714,6 +728,63 @@ public boolean traceDubboInvoke(Object instance, String url, Object invocation,
         return false;
     }
 
+    @Override
+    public boolean isSkipCollectDubbo(Object invocation) {
+        if (BlackUrlBypass.isBlackUrl()) {
+            Method setAttachmentMethod = null;
+            try {
+                setAttachmentMethod = invocation.getClass().getMethod("setAttachment", String.class, String.class);
+                setAttachmentMethod.setAccessible(true);
+                setAttachmentMethod.invoke(invocation, BlackUrlBypass.getHeaderKey(), BlackUrlBypass.isBlackUrl().toString());
+            } catch (NoSuchMethodException | InvocationTargetException | IllegalAccessException e) {
+                DongTaiLog.error(ErrorCode.get("BYPASS_FAILED_DUBBO"), e);
+            }
+        }
+        return false;
+    }
+
+    @Override
+    public boolean isSkipCollectFeign(Object instance) {
+        if (BlackUrlBypass.isBlackUrl()) {
+            Field metadataField = null;
+            try {
+                metadataField = instance.getClass().getDeclaredField("metadata");
+                metadataField.setAccessible(true);
+                Object metadata = metadataField.get(instance);
+                Method templateMethod = metadata.getClass().getMethod("template");
+                Object template = templateMethod.invoke(metadata);
+
+                Method addHeaderMethod = template.getClass().getDeclaredMethod("header", String.class, String[].class);
+                addHeaderMethod.setAccessible(true);
+                addHeaderMethod.invoke(template, BlackUrlBypass.getHeaderKey(), new String[]{});
+                addHeaderMethod.invoke(template, BlackUrlBypass.getHeaderKey(), new String[]{BlackUrlBypass.isBlackUrl().toString()});
+            } catch (NoSuchFieldException | NoSuchMethodException | InvocationTargetException | IllegalAccessException e) {
+                DongTaiLog.error(ErrorCode.get("BYPASS_FAILED_FEIGN"), e);
+            }
+        }
+        return false;
+    }
+
+    @Override
+    public boolean skipCollect(Object instance, Object[] parameters, Object retObject, String policyKey,
+                               String className, String matchedClassName, String methodName, String signature,
+                               boolean isStatic) {
+        if (BlackUrlBypass.isBlackUrl()) {
+            MethodEvent event = new MethodEvent(className, matchedClassName, methodName,
+                    signature, instance, parameters, retObject);
+            PolicyNode policyNode = getPolicyNode(policyKey);
+            if (policyNode == null) {
+                return false;
+            }
+            HttpService httpService = new HttpService();
+            if (httpService.match(event, policyNode)) {
+                httpService.addBypass(event);
+                return true;
+            }
+        }
+        return false;
+    }
+
     private boolean isCollectAllowed(boolean isEnterEntry) {
         if (!EngineManager.isEngineRunning()) {
             return false;

dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/DubboImpl.java

@@ -4,6 +4,7 @@
 import io.dongtai.iast.common.config.ConfigBuilder;
 import io.dongtai.iast.common.config.ConfigKey;
 import io.dongtai.iast.core.EngineManager;
+import io.dongtai.iast.core.handler.bypass.BlackUrlBypass;
 import io.dongtai.iast.core.handler.context.ContextManager;
 import io.dongtai.iast.core.handler.hookpoint.IastClassLoader;
 import io.dongtai.iast.core.handler.hookpoint.models.MethodEvent;
@@ -94,6 +95,10 @@ public static void collectDubboRequestSource(Object handler, Object invocation,
         if (requestMeta == null) {
             return;
         }
+        if (null != headers.get(BlackUrlBypass.getHeaderKey()) && headers.get(BlackUrlBypass.getHeaderKey()).equals("true")){
+            BlackUrlBypass.setIsBlackUrl(true);
+            return;
+        }
 
         String url = (String) requestMeta.get("requestURL") + "/" + methodName;
         String uri = (String) requestMeta.get("requestURI") + "/" + methodName;

dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/controller/impl/HttpImpl.java

@@ -3,6 +3,7 @@
 import io.dongtai.iast.common.config.*;
 import io.dongtai.iast.common.constants.AgentConstant;
 import io.dongtai.iast.core.EngineManager;
+import io.dongtai.iast.core.handler.bypass.BlackUrlBypass;
 import io.dongtai.iast.core.handler.hookpoint.IastClassLoader;
 import io.dongtai.iast.core.utils.*;
 import io.dongtai.iast.core.utils.matcher.ConfigMatcher;
@@ -60,6 +61,7 @@ public static void solveHttpRequest(Object obj, Object req, Object resp, Map<Str
             String requestURL = ((StringBuffer) requestMeta.get("requestURL")).toString();
             Map<String, String> headers = (Map<String, String>) requestMeta.get("headers");
             if (requestDenyList.match(requestURL, headers)) {
+                BlackUrlBypass.setIsBlackUrl(true);
                 DongTaiLog.trace("HTTP Request {} deny to collect", requestURL);
                 return;
             }
@@ -73,9 +75,6 @@ public static void solveHttpRequest(Object obj, Object req, Object resp, Map<Str
         if (ConfigMatcher.getInstance().disableExtension((String) requestMeta.get("requestURI"))) {
             return;
         }
-        if (ConfigMatcher.getInstance().getBlackUrl(requestMeta)) {
-            return;
-        }
 
         try {
             boolean enableVersionHeader = ConfigBuilder.getInstance().get(ConfigKey.ENABLE_VERSION_HEADER);