Merge remote-tracking branch 'origin/main'
‘niuerzhuang’ committed Sep 9, 2022
2 parents a616dd5 + d9c2c0f commit b376e28
Showing 31 changed files with 2,426 additions and 120 deletions.
@@ -1,21 +1,18 @@
package io.dongtai.iast.core;

import io.dongtai.iast.core.bytecode.enhance.plugin.fallback.FallbackManager;
import io.dongtai.iast.core.bytecode.enhance.plugin.fallback.report.HookPointRateLimitReport;
import io.dongtai.iast.core.bytecode.enhance.plugin.fallback.FallbackSwitch;
import io.dongtai.iast.core.handler.context.ContextManager;
import io.dongtai.iast.core.handler.hookpoint.IastServer;
import io.dongtai.iast.core.handler.hookpoint.models.MethodEvent;
import io.dongtai.iast.core.service.ServerAddressReport;
import io.dongtai.iast.core.utils.config.RemoteConfigUtils;
import io.dongtai.iast.core.utils.threadlocal.*;
import io.dongtai.iast.core.service.ServiceFactory;
import io.dongtai.iast.core.utils.PropertyUtils;
import io.dongtai.iast.core.utils.config.RemoteConfigUtils;
import io.dongtai.iast.core.utils.threadlocal.*;
import io.dongtai.log.DongTaiLog;

import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.*;
import java.util.concurrent.atomic.AtomicInteger;

/**
Expand All @@ -35,6 +32,7 @@ public class EngineManager {
public static final IastTrackMap TRACK_MAP = new IastTrackMap();
public static final IastTaintPool TAINT_POOL = new IastTaintPool();
public static final IastTaintHashCodes TAINT_HASH_CODES = new IastTaintHashCodes();
public static final TaintRangesPool TAINT_RANGES_POOL = new TaintRangesPool();
public static final IastScopeTracker SCOPE_TRACKER = new IastScopeTracker();
private static final IastServerPort LOGIN_LOGIC_WEIGHT = new IastServerPort();
/**
Expand Down Expand Up @@ -138,6 +136,7 @@ public static void cleanThreadState() {
EngineManager.TRACK_MAP.remove();
EngineManager.TAINT_POOL.remove();
EngineManager.TAINT_HASH_CODES.remove();
EngineManager.TAINT_RANGES_POOL.remove();
EngineManager.SCOPE_TRACKER.remove();
FallbackSwitch.clearHeavyHookFallback();
EngineManager.getFallbackManager().getHookRateLimiter().remove();
Expand Up @@ -501,7 +501,7 @@ public boolean collectMethodPool(Object instance, Object[] argumentArray, Object
}
}
} catch (Exception e) {
DongTaiLog.error(e);
DongTaiLog.error("collect method pool failed: " + e.toString(), e);
} finally {
EngineManager.turnOnDongTai();
}
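Review bot: The new message in the catch block concatenates `e.toString()` and also passes `e` as the second argument, so if `DongTaiLog.error(String, Throwable)` prints the throwable (its implementation is not visible here) the exception text is written twice. `DongTaiLog.error("collect method pool failed", e);` keeps the context string and leaves rendering of the exception to the logger. The same pattern is used in both catch blocks of `GetApiThread.run()` in this commit. Because this agent handles values taken from the instrumented application's requests, exception text may include such values, which is another reason not to repeat it in the log line. The enclosing method, `collectMethodPool`, starts and ends outside the hunk.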
Expand Up @@ -2,6 +2,7 @@

import io.dongtai.iast.core.bytecode.enhance.plugin.spring.SpringApplicationImpl;
import io.dongtai.log.DongTaiLog;

import java.lang.reflect.InvocationTargetException;
import java.util.Map;

Expand All @@ -15,14 +16,17 @@ public GetApiThread(Object applicationContext) {

@Override
public void run() {
if (SpringApplicationImpl.getAPI == null) {
return;
}
Map<String, Object> invoke = null;
try {
invoke = (Map<String, Object>) SpringApplicationImpl.getAPI.invoke(null, applicationContext);
ApiReport.sendReport(invoke);
} catch (IllegalAccessException e) {
DongTaiLog.error(e);
DongTaiLog.error("GetApiThread failed: " + e.toString(), e);
} catch (InvocationTargetException e) {
DongTaiLog.error(e);
DongTaiLog.error("GetApiThread failed: " + e.toString(), e);
} finally {
SpringApplicationImpl.isSend = true;
}
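Review bot: The added `getAPI == null` guard at the top of `run()` returns before the `try`, so the `finally` that sets `SpringApplicationImpl.isSend = true` never runs on that path. If callers use `isSend` to decide whether an API report is still pending (not visible in this hunk), a missing `getAPI` would leave the flag false indefinitely and could cause this thread to be started repeatedly. Either move the null check inside the `try`, or set the flag before returning, e.g. `if (SpringApplicationImpl.getAPI == null) { SpringApplicationImpl.isSend = true; return; }`. If leaving `isSend` false is intended, a one-line comment on the guard saying so would prevent the question.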
Expand Up @@ -3,6 +3,7 @@
import io.dongtai.iast.core.EngineManager;
import io.dongtai.iast.core.handler.hookpoint.models.*;
import io.dongtai.iast.core.handler.hookpoint.vulscan.dynamic.TrackUtils;
import io.dongtai.iast.core.handler.hookpoint.vulscan.taintrange.*;
import io.dongtai.iast.core.utils.StackUtils;
import io.dongtai.iast.core.utils.TaintPoolUtils;

Expand Down Expand Up @@ -54,7 +55,7 @@ private static void auxiliaryPropagator(IastPropagatorModel propagator, AtomicIn
return;
}

event.inValue = event.object;
event.setInValue(event.object);
setTarget(propagator, event);
addPropagator(event, invokeIdSequencer);
} else if (sourceString.startsWith(PARAMS_PARAM)) {
Expand All @@ -74,7 +75,7 @@ private static void auxiliaryPropagator(IastPropagatorModel propagator, AtomicIn
inValues.add(tempObj);
}
if (!inValues.isEmpty()) {
event.inValue = inValues.toArray();
event.setInValue(inValues.toArray());
setTarget(propagator, event);
addPropagator(event, invokeIdSequencer);
}
Expand All @@ -95,7 +96,7 @@ private static void auxiliaryPropagator(IastPropagatorModel propagator, AtomicIn
if (event.returnValue == null) {
break;
}
inValues.add(event.returnValue);
event.setInValue(event.returnValue);
} else if (source.startsWith(PARAMS_PARAM)) {
int[] positions = (int[]) propagator.getSourcePosition();
for (int pos : positions) {
Expand All @@ -116,7 +117,7 @@ private static void auxiliaryPropagator(IastPropagatorModel propagator, AtomicIn
}
}
if (condition > 0 && (!andCondition || conditionSources.length == condition)) {
event.inValue = inValues.toArray();
event.setInValue(inValues.toArray());
setTarget(propagator, event);
addPropagator(event, invokeIdSequencer);
}
Expand All @@ -127,21 +128,25 @@ private static void auxiliaryPropagator(IastPropagatorModel propagator, AtomicIn
private static void setTarget(IastPropagatorModel propagator, MethodEvent event) {
String target = propagator.getTarget();
if (PARAMS_OBJECT.equals(target)) {
event.outValue = event.object;
event.setOutValue(event.object);
trackTaintRange(propagator, event);
} else if (PARAMS_RETURN.equals(target)) {
event.outValue = event.returnValue;
event.setOutValue(event.returnValue);
trackTaintRange(propagator, event);
} else if (target.startsWith(PARAMS_PARAM)) {
ArrayList<Object> outValues = new ArrayList<Object>();
Object tempPositions = propagator.getTargetPosition();
int[] positions = (int[]) tempPositions;
if (positions.length == 1) {
event.outValue = event.argumentArray[positions[0]];
event.setOutValue(event.argumentArray[positions[0]]);
trackTaintRange(propagator, event);
} else {
for (int pos : positions) {
outValues.add(event.argumentArray[pos]);
trackTaintRange(propagator, event);
}
if (!outValues.isEmpty()) {
event.outValue = outValues.toArray();
event.setOutValue(outValues.toArray());
}
}
}
Expand All @@ -150,6 +155,95 @@ private static void setTarget(IastPropagatorModel propagator, MethodEvent event)
}
}

private static TaintRanges getTaintRanges(Object obj) {
int hash = System.identityHashCode(obj);
TaintRanges tr = EngineManager.TAINT_RANGES_POOL.get(hash);
if (tr == null) {
tr = new TaintRanges();
} else {
tr = tr.clone();
}
return tr;
}

private static void trackTaintRange(IastPropagatorModel propagator, MethodEvent event) {
TaintCommandRunner r = TaintCommandRunner.getCommandRunner(event.signature);

TaintRanges oldTaintRanges = new TaintRanges();
TaintRanges srcTaintRanges = new TaintRanges();

String srcValue = null;
if (r != null) {
String srcLoc = propagator.getSource();
if (PARAMS_OBJECT.equals(srcLoc)) {
srcTaintRanges = getTaintRanges(event.object);
srcValue = TaintRangesBuilder.obj2String(event.object);
} else if (srcLoc.startsWith("O|P")) {
oldTaintRanges = getTaintRanges(event.object);
int[] positions = (int[]) propagator.getSourcePosition();
if (positions.length == 1 && event.argumentArray.length >= positions[0]) {
srcTaintRanges = getTaintRanges(event.argumentArray[positions[0]]);
srcValue = TaintRangesBuilder.obj2String(event.argumentArray[positions[0]]);
}
} else if (srcLoc.startsWith(PARAMS_PARAM)) {
// invalid policy
if (srcLoc.contains(CONDITION_OR) || srcLoc.contains(CONDITION_AND)) {
return;
}
int[] positions = (int[]) propagator.getSourcePosition();
if (positions.length == 1 && event.argumentArray.length >= positions[0]) {
srcTaintRanges = getTaintRanges(event.argumentArray[positions[0]]);
srcValue = TaintRangesBuilder.obj2String(event.argumentArray[positions[0]]);
}
}
}

int tgtHash;
String tgtValue;
Object tgt;
String tgtLoc = propagator.getTarget();
if (PARAMS_OBJECT.equals(tgtLoc)) {
tgt = event.object;
tgtHash = System.identityHashCode(tgt);
tgtValue = TaintRangesBuilder.obj2String(tgt);
oldTaintRanges = getTaintRanges(tgt);
} else if (PARAMS_RETURN.equals(tgtLoc)) {
tgt = event.returnValue;
tgtHash = System.identityHashCode(tgt);
tgtValue = TaintRangesBuilder.obj2String(tgt);
} else if (tgtLoc.startsWith(PARAMS_PARAM)) {
// invalid policy
if (tgtLoc.contains(CONDITION_OR) || tgtLoc.contains(CONDITION_AND)) {
return;
}
int[] positions = (int[]) propagator.getTargetPosition();
if (positions.length != 1 || event.argumentArray.length < positions[0]) {
// target can only have one parameter
return;
}
tgt = event.argumentArray[positions[0]];
tgtHash = System.identityHashCode(tgt);
tgtValue = TaintRangesBuilder.obj2String(tgt);
oldTaintRanges = getTaintRanges(tgt);
} else {
// invalid policy
return;
}

if (!TaintPoolUtils.isNotEmpty(tgt)) {
return;
}

TaintRanges tr;
if (r != null && srcValue != null) {
tr = r.run(srcValue, tgtValue, event.argumentArray, oldTaintRanges, srcTaintRanges);
} else {
tr = new TaintRanges(new TaintRange(0, TaintRangesBuilder.getLength(tgt)));
}
event.targetRanges.add(new MethodEvent.MethodEventTargetRange(tgtHash, tgtValue, tr));
EngineManager.TAINT_RANGES_POOL.add(tgtHash, tr);
}

private static void autoPropagator(AtomicInteger invokeIdSequence, MethodEvent event) {
// 处理自动传播问题
// 检查污点池,判断是否存在命中的污点
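Review bot: The bounds checks in the new `trackTaintRange` are off by one: `event.argumentArray.length >= positions[0]` (both source branches) and `event.argumentArray.length < positions[0]` (target branch) let `positions[0] == event.argumentArray.length` through, and the following `event.argumentArray[positions[0]]` then throws `ArrayIndexOutOfBoundsException`. An index is valid only when it is strictly below the length, so the source checks should read `positions.length == 1 && positions[0] < event.argumentArray.length` and the target check `positions.length != 1 || positions[0] >= event.argumentArray.length`. The positions come from the propagator policy and this code runs inside the instrumented application's call path, so a policy entry that does not match the hooked method's arity should be skipped rather than raise. Separately, in the multi-position branch of `setTarget` the added `trackTaintRange(propagator, event)` call inside the loop records nothing, because `trackTaintRange` returns early for targets with more than one position.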
Expand Up @@ -2,10 +2,12 @@

import io.dongtai.iast.core.EngineManager;
import io.dongtai.iast.core.handler.hookpoint.models.MethodEvent;
import io.dongtai.iast.core.handler.hookpoint.vulscan.taintrange.*;
import io.dongtai.iast.core.utils.StackUtils;
import io.dongtai.iast.core.utils.TaintPoolUtils;
import io.dongtai.log.DongTaiLog;

import java.lang.reflect.Array;
import java.lang.reflect.Method;
import java.util.*;
import java.util.concurrent.atomic.AtomicInteger;
Expand Down Expand Up @@ -37,14 +39,106 @@ public static void solveSource(MethodEvent event, AtomicInteger invokeIdSequence

int invokeId = invokeIdSequencer.getAndIncrement();
event.setInvokeId(invokeId);
event.inValue = event.argumentArray;
event.outValue = event.returnValue;
event.setInValue(event.argumentArray);
event.setOutValue(event.returnValue);

handlerCustomModel(event);
EngineManager.TRACK_MAP.addTrackMethod(invokeId, event);
EngineManager.TAINT_POOL.addTaintToPool(event.returnValue, event, true);
trackTarget(event);
}

private static void trackTarget(MethodEvent event) {
int length = TaintRangesBuilder.getLength(event.returnValue);
if (length == 0) {
return;
}

trackObject(event, event.returnValue, 0);
// @TODO: hook json serializer for custom model
handlerCustomModel(event);
}

private static void trackObject(MethodEvent event, Object obj, int depth) {
if (depth >= 10 || !TaintPoolUtils.isNotEmpty(obj) || !TaintPoolUtils.isAllowTaintType(obj)) {
return;
}

int hash = System.identityHashCode(obj);
if (EngineManager.TAINT_HASH_CODES.get().contains(hash)) {
return;
}

Class<?> cls = obj.getClass();
if (cls.isArray() && !cls.getComponentType().isPrimitive()) {
trackArray(event, obj, depth);
} else if (obj instanceof Iterator) {
trackIterator(event, (Iterator<?>) obj, depth);
} else if (obj instanceof Map) {
trackMap(event, (Map<?, ?>) obj, depth);
} else if (obj instanceof Map.Entry) {
trackMapEntry(event, (Map.Entry<?, ?>) obj, depth);
} else if (obj instanceof Collection) {
if (obj instanceof List) {
trackList(event, (List<?>) obj, depth);
} else {
trackIterator(event, ((Collection<?>) obj).iterator(), depth);
}
} else if ("java.util.Optional".equals(obj.getClass().getName())) {
trackOptional(event, obj, depth);
} else {
int len = TaintRangesBuilder.getLength(obj);
if (len == 0) {
return;
}

TaintRanges tr = new TaintRanges(new TaintRange(0, len));
event.targetRanges.add(new MethodEvent.MethodEventTargetRange(hash, TaintRangesBuilder.obj2String(obj), tr));
EngineManager.TAINT_HASH_CODES.get().add(hash);
event.addTargetHash(hash);
event.addTargetHashForRpc(obj.hashCode());
EngineManager.TAINT_POOL.get().add(obj);
EngineManager.TAINT_RANGES_POOL.add(hash, tr);
}
}

private static void trackArray(MethodEvent event, Object arr, int depth) {
int length = Array.getLength(arr);
for (int i = 0; i < length; i++) {
trackObject(event, Array.get(arr, i), depth);
}
}

private static void trackIterator(MethodEvent event, Iterator<?> it, int depth) {
while (it.hasNext()) {
trackObject(event, it.next(), depth + 1);
}
}

private static void trackMap(MethodEvent event, Map<?, ?> map, int depth) {
for (Object key : map.keySet()) {
trackObject(event, key, depth);
trackObject(event, map.get(key), depth);
}
}

private static void trackMapEntry(MethodEvent event, Map.Entry<?, ?> entry, int depth) {
trackObject(event, entry.getKey(), depth + 1);
trackObject(event, entry.getValue(), depth + 1);
}

private static void trackList(MethodEvent event, List<?> list, int depth) {
for (Object obj : list) {
trackObject(event, obj, depth);
}
}

private static void trackOptional(MethodEvent event, Object obj, int depth) {
try {
Object v = ((Optional<?>) obj).orElse(null);
trackObject(event, v, depth);
} catch (Exception e) {
DongTaiLog.warn("track optional object failed: " + e.getMessage());
}
}

/**
* todo: 处理过程和结果需要细化
Expand All @@ -55,7 +149,7 @@ public static void handlerCustomModel(MethodEvent event) {
if (!event.getMethodName().equals("getSession")) {
Set<Object> modelValues = parseCustomModel(event.returnValue);
for (Object modelValue : modelValues) {
EngineManager.TAINT_POOL.addTaintToPool(modelValue, event, true);
trackObject(event, modelValue, 0);
}
}
}
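Review bot: The `depth >= 10` limit in the new `trackObject` does not bound recursion through arrays, lists or maps, because `trackArray`, `trackList` and `trackMap` pass `depth` on unchanged; only `trackIterator` and `trackMapEntry` pass `depth + 1`. In the code shown, container objects are never added to `TAINT_HASH_CODES` (only leaf values are), so a deeply nested or self-referencing structure returned by a source method recurses until `StackOverflowError`, which a `catch (Exception e)` handler does not catch. Passing `depth + 1` in those three helpers, e.g. `trackObject(event, Array.get(arr, i), depth + 1);`, makes the limit effective for every container type. Also, when the return value is itself an `Iterator`, `trackIterator` calls `next()` on the application's own iterator, so the caller would receive it already consumed; that case is probably better skipped.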
Expand Up @@ -102,7 +102,7 @@ public static void solveDubbo(MethodEvent event, AtomicInteger invokeIdSequencer
int invokeId = invokeIdSequencer.getAndIncrement();
event.setInvokeId(invokeId);
event.inValue = "";
event.outValue = verifiedArguments;
event.setOutValue(verifiedArguments);

EngineManager.TRACK_MAP.addTrackMethod(invokeId, event);
EngineManager.TAINT_POOL.addTaintToPool(verifiedArguments, event, true);
Expand Down Expand Up @@ -223,7 +223,7 @@ public static void solveClientExit(Object invocation, Object rpcResult) {
EngineManager.TAINT_HASH_CODES.get().add(identityHashCode);
}
}
event.outValue = resModelSet;
event.setOutValue(resModelSet);
}
}
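Review bot: `event.inValue = "";` in `solveDubbo` is still a direct field write, while the line after it was switched to `event.setOutValue(verifiedArguments)` and the other handlers in this commit now call `event.setInValue(...)`. If the setter does more than assign the field (its body is not shown on this page), this path skips that work; `event.setInValue("");` would keep the Dubbo source consistent with the rest. Both `solveDubbo` and `solveClientExit` start and end outside their hunks.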
