fix fastjson class fetch by class loader

Author: lostsnow

dongtai-core/src/main/java/io/dongtai/iast/core/bytecode/IastClassFileTransformer.java

@@ -9,6 +9,7 @@
 import io.dongtai.iast.core.bytecode.sca.ScaScanner;
 import io.dongtai.iast.core.handler.hookpoint.SpyDispatcherImpl;
 import io.dongtai.iast.core.handler.hookpoint.models.policy.PolicyManager;
+import io.dongtai.iast.core.handler.hookpoint.vulscan.dynamic.FastjsonCheck;
 import io.dongtai.iast.core.utils.AsmUtils;
 import io.dongtai.iast.core.utils.PropertyUtils;
 import io.dongtai.iast.core.utils.matcher.ConfigMatcher;
@@ -122,6 +123,12 @@ public byte[] transform(final ClassLoader loader,
                 return null;
             }
 
+            if (" com/alibaba/fastjson/JSON".substring(1).equals(internalClassName)) {
+                FastjsonCheck.setJsonClassLoader(loader);
+            } else if (" com/alibaba/fastjson/parser/ParserConfig".substring(1).equals(internalClassName)) {
+                FastjsonCheck.setParseConfigClassLoader(loader);
+            }
+
             if (null != loader && loader.toString().toLowerCase().contains("rasp")) {
                 return null;
             }

dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/vulscan/dynamic/FastjsonCheck.java

@@ -19,6 +19,9 @@ public class FastjsonCheck implements SinkSafeChecker {
 
     private String policySignature;
 
+    private static ClassLoader JSON_CLASS_LOADER;
+    private static ClassLoader PARSE_CONFIG_CLASS_LOADER;
+
     @Override
     public boolean match(MethodEvent event, SinkNode sinkNode) {
         if (sinkNode.getMethodMatcher() instanceof SignatureMethodMatcher) {
@@ -31,7 +34,12 @@ public boolean match(MethodEvent event, SinkNode sinkNode) {
     @Override
     public boolean isSafe(MethodEvent event, SinkNode sinkNode) {
         try {
-            Class<?> cls = Class.forName("com.alibaba.fastjson.JSON");
+            Class<?> cls;
+            if (JSON_CLASS_LOADER == null) {
+                cls = Class.forName("com.alibaba.fastjson.JSON");
+            } else {
+                cls = Class.forName("com.alibaba.fastjson.JSON", false, JSON_CLASS_LOADER);
+            }
             Field f = cls.getDeclaredField("VERSION");
             Class<?> t = f.getType();
             if (t != String.class) {
@@ -51,14 +59,28 @@ public boolean isSafe(MethodEvent event, SinkNode sinkNode) {
             }
 
             // https://github.com/alibaba/fastjson/wiki/fastjson_safemode
-            Class<?> cfgClass = Class.forName("com.alibaba.fastjson.parser.ParserConfig");
+            Class<?> cfgClass;
+            if (PARSE_CONFIG_CLASS_LOADER == null) {
+                cfgClass = Class.forName("com.alibaba.fastjson.parser.ParserConfig");
+            } else {
+                cfgClass = Class.forName("com.alibaba.fastjson.parser.ParserConfig", false, PARSE_CONFIG_CLASS_LOADER);
+            }
             Object cfg = cfgClass.getMethod("getGlobalInstance").invoke(null);
             Object isSafeMode = cfg.getClass().getMethod("isSafeMode").invoke(cfg);
             return isSafeMode != null && (Boolean) isSafeMode;
         } catch (Throwable e) {
             DongTaiLog.debug("fastjson version and safe mode check failed: {}, {}",
-                    e.getMessage(), e.getCause() != null ? e.getCause().getMessage() : "");
+                    e.getClass().getName() + ": " + e.getMessage(),
+                    e.getCause() != null ? e.getCause().getMessage() : "");
             return true;
         }
     }
+
+    public static void setJsonClassLoader(ClassLoader jsonClassLoader) {
+        JSON_CLASS_LOADER = jsonClassLoader;
+    }
+
+    public static void setParseConfigClassLoader(ClassLoader parseConfigClassLoader) {
+        PARSE_CONFIG_CLASS_LOADER = parseConfigClassLoader;
+    }
 }