Merge pull request #472 from lostsnow/fix/xxe-check-reflect-exception-catch

lostsnow · web-flow · commit acd02a79ec99 · 2023-02-23T10:23:00.000+08:00
fixes xxe check reflect exception catch
diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/vulscan/dynamic/xxe/XMLInputFactoryCheck.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/vulscan/dynamic/xxe/XMLInputFactoryCheck.java
@@ -22,9 +22,10 @@ && getParentObjectHasSuffix(normalizeWrapper, ".DisallowDoctypeDeclInputFactoryW
             }
             return Support.ALLOWED;
         }
-        Method isPropertySupportedMethod = ReflectUtils.getDeclaredMethodFromClass(cls, "isPropertySupported", new Class[]{String.class});
-        Method getPropertyMethod = ReflectUtils.getDeclaredMethodFromClass(cls, "getProperty", new Class[]{String.class});
         try {
+            Method isPropertySupportedMethod = ReflectUtils.getDeclaredMethodFromClass(cls, "isPropertySupported", new Class[]{String.class});
+            Method getPropertyMethod = ReflectUtils.getDeclaredMethodFromClass(cls, "getProperty", new Class[]{String.class});
+
             boolean supportDTD = invokeXMLInputFactoryMethod(isPropertySupportedMethod, getPropertyMethod, obj,
                     " javax.xml.stream.supportDTD".substring(1));
             if (!supportDTD) {
diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/vulscan/dynamic/xxe/XMLStreamReaderCheck.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/vulscan/dynamic/xxe/XMLStreamReaderCheck.java
@@ -32,11 +32,13 @@ public Support getSupport(Object obj) {
                 return Support.DISALLOWED;
             }
         }
-        Field fPropertyManagerField = ReflectUtils.getDeclaredFieldFromClassByName(obj.getClass(), "fPropertyManager");
-        if (fPropertyManagerField == null) {
-            return Support.ALLOWED;
-        }
+
         try {
+            Field fPropertyManagerField = ReflectUtils.getDeclaredFieldFromClassByName(obj.getClass(), "fPropertyManager");
+            if (fPropertyManagerField == null) {
+                return Support.ALLOWED;
+            }
+
             return getPropertySupport(fPropertyManagerField.get(obj));
         } catch (IllegalAccessException e) {
             DongTaiLog.debug("Failed to access fPropertyManager {}", e);

Original file line number	Diff line number	Diff line change
`@@ -22,9 +22,10 @@ && getParentObjectHasSuffix(normalizeWrapper, ".DisallowDoctypeDeclInputFactoryW`
`22`	`22`	`}`
`23`	`23`	`return Support.ALLOWED;`
`24`	`24`	`}`
`25`		`- Method isPropertySupportedMethod = ReflectUtils.getDeclaredMethodFromClass(cls, "isPropertySupported", new Class[]{String.class});`
`26`		`- Method getPropertyMethod = ReflectUtils.getDeclaredMethodFromClass(cls, "getProperty", new Class[]{String.class});`
`27`	`25`	`try {`
	`26`	`+ Method isPropertySupportedMethod = ReflectUtils.getDeclaredMethodFromClass(cls, "isPropertySupported", new Class[]{String.class});`
	`27`	`+ Method getPropertyMethod = ReflectUtils.getDeclaredMethodFromClass(cls, "getProperty", new Class[]{String.class});`
	`28`	`+`
`28`	`29`	`boolean supportDTD = invokeXMLInputFactoryMethod(isPropertySupportedMethod, getPropertyMethod, obj,`
`29`	`30`	`" javax.xml.stream.supportDTD".substring(1));`
`30`	`31`	`if (!supportDTD) {`