Merge pull request #534 from Nizernizer/fix/shade-com-alibaba

lostsnow · web-flow · commit e7ffdf3e0cf3 · 2023-06-12T15:54:30.000+08:00
fix: shade com.alibaba.*
diff --git a/dongtai-agent/src/main/java/io/dongtai/iast/agent/middlewarerecognition/dubbo/DubboService.java b/dongtai-agent/src/main/java/io/dongtai/iast/agent/middlewarerecognition/dubbo/DubboService.java
@@ -13,7 +13,7 @@ public boolean isMatch(RuntimeMXBean paramRuntimeMXBean, ClassLoader loader) {
         } catch (Throwable ignored) {
         }
         try {
-            loader.loadClass("com.alibaba.dubbo.monitor.support.MonitorFilter");
+            loader.loadClass(" com.alibaba.dubbo.monitor.support.MonitorFilter".substring(1));
             return true;
         } catch (Throwable ignored) {
         }
diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/vulscan/dynamic/FastjsonCheck.java b/dongtai-core/src/main/java/io/dongtai/iast/core/handler/hookpoint/vulscan/dynamic/FastjsonCheck.java
@@ -12,9 +12,9 @@
 
 public class FastjsonCheck implements SinkSafeChecker {
     public static List<String> FASTJSON_SINK_METHODS = Arrays.asList(
-            "com.alibaba.fastjson.JSON.parseObject(java.lang.String)",
-            "com.alibaba.fastjson.JSON.parse(java.lang.String,int)",
-            "com.alibaba.fastjson.JSON.parse(java.lang.String)"
+            " com.alibaba.fastjson.JSON.parseObject(java.lang.String)".substring(1),
+            " com.alibaba.fastjson.JSON.parse(java.lang.String,int)".substring(1),
+            " com.alibaba.fastjson.JSON.parse(java.lang.String)".substring(1)
     );
 
     private String policySignature;
@@ -36,9 +36,9 @@ public boolean isSafe(MethodEvent event, SinkNode sinkNode) {
         try {
             Class<?> cls;
             if (JSON_CLASS_LOADER == null) {
-                cls = Class.forName("com.alibaba.fastjson.JSON");
+                cls = Class.forName(" com.alibaba.fastjson.JSON".substring(1));
             } else {
-                cls = Class.forName("com.alibaba.fastjson.JSON", false, JSON_CLASS_LOADER);
+                cls = Class.forName(" com.alibaba.fastjson.JSON".substring(1), false, JSON_CLASS_LOADER);
             }
             Field f = cls.getDeclaredField("VERSION");
             Class<?> t = f.getType();
@@ -61,9 +61,9 @@ public boolean isSafe(MethodEvent event, SinkNode sinkNode) {
             // https://github.com/alibaba/fastjson/wiki/fastjson_safemode
             Class<?> cfgClass;
             if (PARSE_CONFIG_CLASS_LOADER == null) {
-                cfgClass = Class.forName("com.alibaba.fastjson.parser.ParserConfig");
+                cfgClass = Class.forName(" com.alibaba.fastjson.parser.ParserConfig".substring(1));
             } else {
-                cfgClass = Class.forName("com.alibaba.fastjson.parser.ParserConfig", false, PARSE_CONFIG_CLASS_LOADER);
+                cfgClass = Class.forName(" com.alibaba.fastjson.parser.ParserConfig".substring(1), false, PARSE_CONFIG_CLASS_LOADER);
             }
             Object cfg = cfgClass.getMethod("getGlobalInstance").invoke(null);
             Object isSafeMode = cfg.getClass().getMethod("isSafeMode").invoke(cfg);

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ public boolean isMatch(RuntimeMXBean paramRuntimeMXBean, ClassLoader loader) {`
`13`	`13`	`} catch (Throwable ignored) {`
`14`	`14`	`}`
`15`	`15`	`try {`
`16`		`- loader.loadClass("com.alibaba.dubbo.monitor.support.MonitorFilter");`
	`16`	`+ loader.loadClass(" com.alibaba.dubbo.monitor.support.MonitorFilter".substring(1));`
`17`	`17`	`return true;`
`18`	`18`	`} catch (Throwable ignored) {`
`19`	`19`	`}`