Merge pull request #502 from HXSecurity/beta

release v1.9.2-beta2

Author: lostsnow

dongtai-agent/src/main/java/io/dongtai/iast/agent/monitor/impl/AgentStateMonitor.java

@@ -43,6 +43,8 @@ public void check() {
             }
 
             if (this.engineManager.getAgentState().isUninstalledByCli()) {
+                HttpClientUtils.sendPost(ApiPath.ACTUAL_ACTION,
+                        HeartBeatReport.generateAgentActualActionMsg(this.engineManager.getAgentState()));
                 return;
             }
 

dongtai-agent/src/main/java/io/dongtai/iast/agent/monitor/impl/ConfigMonitor.java

@@ -6,6 +6,7 @@
 import io.dongtai.iast.agent.util.HttpClientUtils;
 import io.dongtai.iast.agent.util.ThreadUtils;
 import io.dongtai.iast.common.config.ConfigBuilder;
+import io.dongtai.iast.common.config.ConfigKey;
 import io.dongtai.iast.common.constants.AgentConstant;
 import io.dongtai.iast.common.constants.ApiPath;
 import io.dongtai.log.DongTaiLog;
@@ -30,11 +31,25 @@ public void check() {
 
             StringBuilder response = HttpClientUtils.sendGet(ApiPath.AGENT_CONFIG, parameters);
             ConfigBuilder.getInstance().updateFromRemote(response.toString());
+
+            updateConfig();
         } catch (Throwable t) {
             DongTaiLog.warn(ErrorCode.AGENT_MONITOR_THREAD_CHECK_FAILED, t);
         }
     }
 
+    private void updateConfig() {
+        Boolean enableLog = ConfigBuilder.getInstance().get(ConfigKey.ENABLE_LOGGER);
+        if (enableLog != null) {
+            DongTaiLog.ENABLED = enableLog;
+        }
+
+        String logLevel = ConfigBuilder.getInstance().get(ConfigKey.LOGGER_LEVEL);
+        if (logLevel != null) {
+            DongTaiLog.setLevel(DongTaiLog.parseLevel(logLevel));
+        }
+    }
+
     @Override
     public void run() {
         try {

dongtai-common/src/main/java/io/dongtai/iast/common/config/ConfigBuilder.java

@@ -15,11 +15,15 @@ private ConfigBuilder() {
         this.configMap.put(ConfigKey.REPORT_RESPONSE_BODY,
                 Config.<Boolean>create(ConfigKey.REPORT_RESPONSE_BODY).setDefaultValue(true));
         this.configMap.put(ConfigKey.REQUEST_DENY_LIST,
-                Config.<RequestDenyList>create(ConfigKey.REQUEST_DENY_LIST).setDefaultValue(null));
+                Config.<RequestDenyList>create(ConfigKey.REQUEST_DENY_LIST));
         this.configMap.put(ConfigKey.ENABLE_VERSION_HEADER,
                 Config.<Boolean>create(ConfigKey.VERSION_HEADER_KEY).setDefaultValue(true));
         this.configMap.put(ConfigKey.VERSION_HEADER_KEY,
                 Config.<String>create(ConfigKey.VERSION_HEADER_KEY).setDefaultValue("DongTai"));
+        this.configMap.put(ConfigKey.ENABLE_LOGGER,
+                Config.<Boolean>create(ConfigKey.ENABLE_LOGGER));
+        this.configMap.put(ConfigKey.LOGGER_LEVEL,
+                Config.<String>create(ConfigKey.LOGGER_LEVEL));
     }
 
     public static ConfigBuilder getInstance() {
@@ -56,9 +60,20 @@ public void update(JSONObject config) {
         updateInt(config, ConfigKey.JsonKey.JSON_REPORT_MAX_METHOD_POOL_SIZE);
         updateBool(config, ConfigKey.JsonKey.JSON_ENABLE_VERSION_HEADER);
         updateString(config, ConfigKey.JsonKey.JSON_VERSION_HEADER_KEY);
+        updateBool(config, ConfigKey.JsonKey.JSON_ENABLE_LOGGER);
+        updateString(config, ConfigKey.JsonKey.JSON_LOGGER_LEVEL);
         updateRequestDenyList(config);
     }
 
+    @SuppressWarnings("unchecked")
+    public <T> T get(ConfigKey key) {
+        try {
+            return ((Config<T>) getConfig(key)).get();
+        } catch (Throwable ignore) {
+            return null;
+        }
+    }
+
     @SuppressWarnings("unchecked")
     private void updateBool(JSONObject config, ConfigKey.JsonKey jsonKey) {
         try {
@@ -89,7 +104,7 @@ private void updateString(JSONObject config, ConfigKey.JsonKey jsonKey) {
             Config<String> conf = (Config<String>) getConfig(jsonKey.getConfigKey());
             if (conf != null) {
                 String value = config.getString(jsonKey.getKey());
-                if (value != null || !value.isEmpty()) {
+                if (value != null && !value.isEmpty()) {
                     conf.setValue(value);
                 }
             }

dongtai-common/src/main/java/io/dongtai/iast/common/config/ConfigKey.java

@@ -6,6 +6,8 @@ public enum ConfigKey {
     REQUEST_DENY_LIST,
     ENABLE_VERSION_HEADER,
     VERSION_HEADER_KEY,
+    ENABLE_LOGGER,
+    LOGGER_LEVEL,
     ;
 
     public enum JsonKey {
@@ -14,6 +16,8 @@ public enum JsonKey {
         JSON_REQUEST_DENY_LIST("blacklist_rules", REQUEST_DENY_LIST),
         JSON_ENABLE_VERSION_HEADER("enable_version_header", ENABLE_VERSION_HEADER),
         JSON_VERSION_HEADER_KEY("version_header_name", VERSION_HEADER_KEY),
+        JSON_ENABLE_LOGGER("enable_log", ENABLE_LOGGER),
+        JSON_LOGGER_LEVEL("log_level", LOGGER_LEVEL),
         ;
 
         private final String key;

dongtai-common/src/main/java/io/dongtai/iast/common/constants/AgentConstant.java

@@ -1,7 +1,7 @@
 package io.dongtai.iast.common.constants;
 
 public class AgentConstant {
-    public static final String VERSION_VALUE = "v1.9.0-beta1";
+    public static final String VERSION_VALUE = "v1.9.0-beta2";
     public static final String LANGUAGE = "JAVA";
     public static final String THREAD_NAME_PREFIX = "DongTai-IAST-";
     public static final String THREAD_NAME_PREFIX_CORE = "DongTai-IAST-Core-";

dongtai-common/src/main/java/io/dongtai/iast/common/scope/PolicyScope.java

@@ -6,6 +6,7 @@ public class PolicyScope {
     private int propagatorLevel;
     private int propagatorSkipDepth;
     private int sinkLevel;
+    private int ignoreInternalLevel;
     /**
      * over max method pool size
      */
@@ -29,7 +30,8 @@ public void enterSource() {
     }
 
     public boolean isValidSource() {
-        return this.agentLevel == 0 && !this.overCapacity
+        return this.agentLevel == 0
+                && this.ignoreInternalLevel == 0 && !this.overCapacity
                 && this.sourceLevel == 1;
     }
 
@@ -45,7 +47,8 @@ public void enterPropagator(boolean skipScope) {
     }
 
     public boolean isValidPropagator() {
-        return this.agentLevel == 0 && !this.overCapacity && this.sourceLevel == 0
+        return this.agentLevel == 0
+                && this.ignoreInternalLevel == 0 && !this.overCapacity && this.sourceLevel == 0
                 && (this.propagatorLevel == 1 || this.propagatorSkipDepth > 0);
     }
 
@@ -61,14 +64,23 @@ public void enterSink() {
     }
 
     public boolean isValidSink() {
-        return this.agentLevel == 0 && !this.overCapacity && this.sourceLevel == 0
+        return this.agentLevel == 0
+                && this.ignoreInternalLevel == 0 && !this.overCapacity && this.sourceLevel == 0
                 && this.sinkLevel == 1;
     }
 
     public void leaveSink() {
         this.sinkLevel = decrement(this.sinkLevel);
     }
 
+    public void enterIgnoreInternal() {
+        this.ignoreInternalLevel++;
+    }
+
+    public void leaveIgnoreInternal() {
+        this.ignoreInternalLevel = decrement(this.ignoreInternalLevel);
+    }
+
     public boolean isOverCapacity() {
         return this.overCapacity;
     }

dongtai-common/src/test/java/io/dongtai/iast/common/config/ConfigBuilderTest.java

@@ -13,16 +13,19 @@ public void testGetConfigAndUpdate() {
         JSONObject configJson;
         String configString;
         ConfigBuilder builder = ConfigBuilder.getInstance();
-        boolean reportResponseBody;
-        int reportMaxMethodPoolSize;
+        Boolean reportResponseBody;
+        Integer reportMaxMethodPoolSize;
+        String versionHeaderKey;
         RequestDenyList requestDenyList;
 
         // default
-        reportResponseBody = ((Config<Boolean>)builder.getConfig(ConfigKey.REPORT_RESPONSE_BODY)).get();
+        reportResponseBody = builder.get(ConfigKey.REPORT_RESPONSE_BODY);
         Assert.assertTrue("REPORT_RESPONSE_BODY default", reportResponseBody);
-        reportMaxMethodPoolSize = ((Config<Integer>)builder.getConfig(ConfigKey.REPORT_MAX_METHOD_POOL_SIZE)).get();
-        Assert.assertEquals("REPORT_MAX_METHOD_POOL_SIZE default", 5000, reportMaxMethodPoolSize);
-        requestDenyList = ((Config<RequestDenyList>)builder.getConfig(ConfigKey.REQUEST_DENY_LIST)).get();
+        reportMaxMethodPoolSize = builder.get(ConfigKey.REPORT_MAX_METHOD_POOL_SIZE);
+        Assert.assertEquals("REPORT_MAX_METHOD_POOL_SIZE default", new Integer(5000), reportMaxMethodPoolSize);
+        versionHeaderKey = builder.get(ConfigKey.VERSION_HEADER_KEY);
+        Assert.assertEquals("VERSION_HEADER_KEY default", "DongTai", versionHeaderKey);
+        requestDenyList = builder.get(ConfigKey.REQUEST_DENY_LIST);
         Assert.assertNull("REQUEST_DENY_LIST default", requestDenyList);
 
         // update
@@ -41,11 +44,11 @@ public void testGetConfigAndUpdate() {
                 RequestDeny.Operator.EXISTS, "key1");
         expectRequestDenyList.addRule(Collections.singletonList(headerKeyMatch));
 
-        reportResponseBody = ((Config<Boolean>)builder.getConfig(ConfigKey.REPORT_RESPONSE_BODY)).get();
+        reportResponseBody = builder.get(ConfigKey.REPORT_RESPONSE_BODY);
         Assert.assertFalse("REPORT_RESPONSE_BODY updated", reportResponseBody);
-        reportMaxMethodPoolSize = ((Config<Integer>)builder.getConfig(ConfigKey.REPORT_MAX_METHOD_POOL_SIZE)).get();
-        Assert.assertEquals("REPORT_MAX_METHOD_POOL_SIZE updated", 1000, reportMaxMethodPoolSize);
-        requestDenyList = ((Config<RequestDenyList>)builder.getConfig(ConfigKey.REQUEST_DENY_LIST)).get();
+        reportMaxMethodPoolSize = builder.get(ConfigKey.REPORT_MAX_METHOD_POOL_SIZE);
+        Assert.assertEquals("REPORT_MAX_METHOD_POOL_SIZE updated", new Integer(1000), reportMaxMethodPoolSize);
+        requestDenyList = builder.get(ConfigKey.REQUEST_DENY_LIST);
         Assert.assertEquals("REQUEST_DENY_LIST updated", expectRequestDenyList, requestDenyList);
 
         // update invalid
@@ -62,11 +65,11 @@ public void testGetConfigAndUpdate() {
         configJson = new JSONObject(configString);
         builder.update(configJson);
 
-        reportResponseBody = ((Config<Boolean>)builder.getConfig(ConfigKey.REPORT_RESPONSE_BODY)).get();
+        reportResponseBody = builder.get(ConfigKey.REPORT_RESPONSE_BODY);
         Assert.assertFalse("REPORT_RESPONSE_BODY not updated", reportResponseBody);
-        reportMaxMethodPoolSize = ((Config<Integer>)builder.getConfig(ConfigKey.REPORT_MAX_METHOD_POOL_SIZE)).get();
-        Assert.assertEquals("REPORT_MAX_METHOD_POOL_SIZE not updated", 1000, reportMaxMethodPoolSize);
-        requestDenyList = ((Config<RequestDenyList>)builder.getConfig(ConfigKey.REQUEST_DENY_LIST)).get();
+        reportMaxMethodPoolSize = builder.get(ConfigKey.REPORT_MAX_METHOD_POOL_SIZE);
+        Assert.assertEquals("REPORT_MAX_METHOD_POOL_SIZE not updated", new Integer(1000), reportMaxMethodPoolSize);
+        requestDenyList = builder.get(ConfigKey.REQUEST_DENY_LIST);
         Assert.assertEquals("REQUEST_DENY_LIST not updated", expectRequestDenyList, requestDenyList);
 
         ConfigBuilder.clear();

dongtai-core/src/main/java/io/dongtai/iast/core/bytecode/IastClassFileTransformer.java

@@ -9,6 +9,7 @@
 import io.dongtai.iast.core.bytecode.sca.ScaScanner;
 import io.dongtai.iast.core.handler.hookpoint.SpyDispatcherImpl;
 import io.dongtai.iast.core.handler.hookpoint.models.policy.PolicyManager;
+import io.dongtai.iast.core.handler.hookpoint.vulscan.dynamic.FastjsonCheck;
 import io.dongtai.iast.core.utils.AsmUtils;
 import io.dongtai.iast.core.utils.PropertyUtils;
 import io.dongtai.iast.core.utils.matcher.ConfigMatcher;
@@ -122,6 +123,12 @@ public byte[] transform(final ClassLoader loader,
                 return null;
             }
 
+            if (" com/alibaba/fastjson/JSON".substring(1).equals(internalClassName)) {
+                FastjsonCheck.setJsonClassLoader(loader);
+            } else if (" com/alibaba/fastjson/parser/ParserConfig".substring(1).equals(internalClassName)) {
+                FastjsonCheck.setParseConfigClassLoader(loader);
+            }
+
             if (null != loader && loader.toString().toLowerCase().contains("rasp")) {
                 return null;
             }
@@ -137,45 +144,47 @@ public byte[] transform(final ClassLoader loader,
                 }
             }
 
-            if (null != classBeingRedefined || configMatcher.canHook(internalClassName)) {
-                byte[] sourceCodeBak = new byte[srcByteCodeArray.length];
-                System.arraycopy(srcByteCodeArray, 0, sourceCodeBak, 0, srcByteCodeArray.length);
-                final ClassReader cr = new ClassReader(sourceCodeBak);
+            if (null == classBeingRedefined && !configMatcher.canHook(internalClassName, this.policyManager)) {
+                return null;
+            }
 
-                ClassContext classContext = new ClassContext(cr, loader);
-                if (Modifier.isInterface(classContext.getModifier())) {
-                    sourceCodeBak = null;
-                    return null;
-                }
-                final String className = classContext.getClassName();
-
-                Set<String> ancestors = classDiagram.getDiagram(className);
-                if (ancestors == null) {
-                    classDiagram.setLoader(loader);
-                    classDiagram.saveAncestors(className, classContext.getSuperClassName(), classContext.getInterfaces());
-                    ancestors = classDiagram.getAncestors(className, classContext.getSuperClassName(),
-                            classContext.getInterfaces());
-                }
-                classContext.setAncestors(ancestors);
-
-                final ClassWriter cw = createClassWriter(loader, cr);
-                ClassVisitor cv = plugins.initial(cw, classContext, policyManager);
-
-                if (cv instanceof AbstractClassVisitor) {
-                    cr.accept(cv, ClassReader.EXPAND_FRAMES);
-                    AbstractClassVisitor dumpClassVisitor = (AbstractClassVisitor) cv;
-                    if (dumpClassVisitor.hasTransformed()) {
-                        if (null == classBeingRedefined) {
-                            transformMap.put(className, srcByteCodeArray);
-                        } else {
-                            transformMap.put(classBeingRedefined, srcByteCodeArray);
-                        }
-                        transformCount++;
-                        return dumpClassIfNecessary(cr.getClassName(), cw.toByteArray(), srcByteCodeArray);
+            byte[] sourceCodeBak = new byte[srcByteCodeArray.length];
+            System.arraycopy(srcByteCodeArray, 0, sourceCodeBak, 0, srcByteCodeArray.length);
+            final ClassReader cr = new ClassReader(sourceCodeBak);
+
+            ClassContext classContext = new ClassContext(cr, loader);
+            if (Modifier.isInterface(classContext.getModifier())) {
+                sourceCodeBak = null;
+                return null;
+            }
+            final String className = classContext.getClassName();
+
+            Set<String> ancestors = classDiagram.getDiagram(className);
+            if (ancestors == null) {
+                classDiagram.setLoader(loader);
+                classDiagram.saveAncestors(className, classContext.getSuperClassName(), classContext.getInterfaces());
+                ancestors = classDiagram.getAncestors(className, classContext.getSuperClassName(),
+                        classContext.getInterfaces());
+            }
+            classContext.setAncestors(ancestors);
+
+            final ClassWriter cw = createClassWriter(loader, cr);
+            ClassVisitor cv = plugins.initial(cw, classContext, policyManager);
+
+            if (cv instanceof AbstractClassVisitor) {
+                cr.accept(cv, ClassReader.EXPAND_FRAMES);
+                AbstractClassVisitor dumpClassVisitor = (AbstractClassVisitor) cv;
+                if (dumpClassVisitor.hasTransformed()) {
+                    if (null == classBeingRedefined) {
+                        transformMap.put(className, srcByteCodeArray);
+                    } else {
+                        transformMap.put(classBeingRedefined, srcByteCodeArray);
                     }
+                    transformCount++;
+                    return dumpClassIfNecessary(cr.getClassName(), cw.toByteArray(), srcByteCodeArray);
                 }
-                sourceCodeBak = null;
             }
+            sourceCodeBak = null;
         } catch (Throwable throwable) {
             DongTaiLog.warn(ErrorCode.TRANSFORM_CLASS_FAILED, internalClassName, throwable);
         } finally {
@@ -264,7 +273,7 @@ public Class<?>[] findForRetransform() {
                 continue;
             }
             try {
-                if (!configMatcher.canHook(clazz)) {
+                if (!configMatcher.canHook(clazz, this.policyManager)) {
                     continue;
                 }
                 String className = clazz.getName();
@@ -288,7 +297,7 @@ public Class<?>[] findForRetransform() {
                     classDiagram.setDiagram(className, diagram);
                 }
                 for (String clazzName : diagram) {
-                    if (PolicyManager.isHookClass(clazzName) ||
+                    if (this.policyManager.isHookClass(clazzName) ||
                             (this.policyManager.getPolicy() != null && this.policyManager.getPolicy().isMatchClass(clazzName))) {
                         enhanceClasses[enhanceClassSize++] = clazz;
                         break;

dongtai-core/src/main/java/io/dongtai/iast/core/bytecode/enhance/asm/AsmMethods.java

@@ -218,6 +218,14 @@ static Method getAsmMethod(final Class<?> clazz,
             SpyDispatcher.class,
             "isFirstLevelSink"
     );
+    Method SPY$enterIgnoreInternal = InnerHelper.getAsmMethod(
+            SpyDispatcher.class,
+            "enterIgnoreInternal"
+    );
+    Method SPY$leaveIgnoreInternal = InnerHelper.getAsmMethod(
+            SpyDispatcher.class,
+            "leaveIgnoreInternal"
+    );
     Method SPY$collectMethodPool = InnerHelper.getAsmMethod(
             SpyDispatcher.class,
             "collectMethodPool",