feature API
‘niuerzhuang’ committed Aug 24, 2021
1 parent f0954b7 commit c286031
Showing 14 changed files with 257 additions and 4,013 deletions.
32 changes: 32 additions & 0 deletions iast-core/dependency-reduced-pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -137,6 +137,38 @@
<version>0.6.1</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>5.2.8.RELEASE</version>
<scope>provided</scope>
<exclusions>
<exclusion>
<artifactId>spring-aop</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-beans</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-context</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-core</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-expression</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-web</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
<properties>
<jdk.version.level>2</jdk.version.level>
7 changes: 7 additions & 0 deletions iast-core/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -203,6 +203,13 @@
<artifactId>json</artifactId>
<version>${json.version}</version>
</dependency>

<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>5.2.8.RELEASE</version>
<scope>provided</scope>
</dependency>
</dependencies>

</project>
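Review bot: The new spring-webmvc dependency pins `5.2.8.RELEASE` inline, while the neighbouring `json` dependency reads its version from a property (`${json.version}`); a property such as `${spring.version}` would keep this pom and the reduced pom from drifting apart. Because the scope is `provided`, the agent compiles against 5.2.8 but runs against whatever Spring version the instrumented application ships, so the code that uses this dependency should stay on APIs that are stable across the 5.x line — as far as I recall `RequestMappingInfo.getPatternsCondition()` becomes nullable in later 5.3 releases, which is worth a comment where it is called.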
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,10 @@ public byte[] transform(final ClassLoader loader,
EngineManager.turnOffLingzhi();
}

if (internalClassName.equals("org/springframework/web/servlet/DispatcherServlet")){
System.out.println("a");
}

StopWatch clock = null;
if (logger.isDebugEnabled()) {
clock = new StopWatch();
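Review bot: The branch added for `org/springframework/web/servlet/DispatcherServlet` does nothing except `System.out.println("a")`, a leftover debug probe that writes to the instrumented application's stdout; it should be removed, or, if tracing that match is useful, replaced by a debug message through the `logger` that the following `isDebugEnabled()` guard already uses. The `transform` method starts before this hunk and continues after it.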
Original file line number Diff line number Diff line change
Expand Up @@ -33,13 +33,13 @@ public ClassVisitor initial(ClassVisitor classVisitor, IastContext context) {

static {
PLUGINS = new ArrayList<DispatchPlugin>();
PLUGINS.add(new DispatchSpringApplication());
//PLUGINS.add(new DispatchTechnologyPlugin());
PLUGINS.add(new DispatchJ2ee());
//PLUGINS.add(new DispatchJsp());
PLUGINS.add(new DispatchCookie());
//PLUGINS.add(new DispatchSpringAutoBinding());
PLUGINS.add(new DispatchClassPlugin());
//PLUGINS.add()
PLUGINS.add(new DispatchSpringApplication());
}
}
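Review bot: Moving `PLUGINS.add(new DispatchSpringApplication())` from the head of the list to the tail changes the order in which the plugins wrap the `ClassVisitor`, and nothing in the hunk says why; if the position matters, a one-line comment above it such as `// must stay last: <reason>` (with the real reason filled in) records the constraint, otherwise the move is noise. The commented-out `PLUGINS.add(...)` lines are dead code that belongs in version history rather than in the static initializer.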
Original file line number Diff line number Diff line change
Expand Up @@ -6,13 +6,13 @@

public class DispatchSpringApplication implements DispatchPlugin {

static String autoBindClassname = " org.springframework.boot.SpringApplication".substring(1);
static String autoBindClassname = " org.springframework.web.servlet.FrameworkServlet".substring(1);

private String classname;

@Override
public ClassVisitor dispatch(ClassVisitor classVisitor, IastContext context) {
classname = context.getClassName();

System.out.println(classname);
if (autoBindClassname.equals(classname)) {
classVisitor = new SpringApplicationAdapter(classVisitor, context);
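Review bot: `System.out.println(classname);` runs for every class that reaches `dispatch`, so once the agent is attached it prints the name of every class it sees to the host application's stdout; drop it or route it through the agent's debug logging. The `" org.springframework.web.servlet.FrameworkServlet".substring(1)` construction presumably exists so that package relocation during shading does not rewrite the literal — if so, a comment saying `// leading space + substring(1): keep the shade plugin from relocating this literal` would stop the next reader from simplifying it away. `dispatch` continues past the end of this hunk.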
Original file line number Diff line number Diff line change
@@ -1,13 +1,9 @@
package com.secnium.iast.core.enhance.plugins.api;

import com.secnium.iast.core.enhance.IastContext;
import com.secnium.iast.core.enhance.plugins.AbstractAdviceAdapter;
import com.secnium.iast.core.enhance.plugins.AbstractClassVisitor;
import com.secnium.iast.core.enhance.plugins.core.adapter.PropagateAdviceAdapter;
import com.secnium.iast.core.handler.controller.HookType;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Type;

public class SpringApplicationAdapter extends AbstractClassVisitor {

Expand All @@ -28,16 +24,8 @@ public MethodVisitor visitMethod(int access, String name, String descriptor, Str
descriptor,
signature,
exceptions);
if ("run".equals(name) && Type.getArgumentTypes(descriptor).length == 1) {
System.out.println(context.getClassName());
// methodVisitor = new SpringApplicationAdviceAdapter(methodVisitor,
// access,
// name,
// descriptor,
// context,
// "spring",
// "signature"
// );
if ("getWebApplicationContext".equals(name)) {
// System.out.println(context.getClassName());
methodVisitor = new SpringApplicationAdviceAdapter(
methodVisitor,
access,
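Review bot: The new condition matches `getWebApplicationContext` by name alone, whereas the line it replaces also checked the descriptor (`Type.getArgumentTypes(descriptor).length == 1`); FrameworkServlet declares one no-arg method of that name today, but any overload introduced by another Spring version would be instrumented too, so keeping a descriptor check — `"()Lorg/springframework/web/context/WebApplicationContext;".equals(descriptor)`, which needs no `Type` import — makes the hook precise. The commented-out `System.out.println` on the next line is dead code. `visitMethod` begins before this hunk and ends after it.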
Original file line number Diff line number Diff line change
@@ -0,0 +1,140 @@
package com.secnium.iast.core.enhance.plugins.api;

import com.secnium.iast.core.handler.models.ApiDataModel;
import com.secnium.iast.core.handler.models.MethodEvent;
import org.springframework.aop.support.AopUtils;
import org.springframework.context.ApplicationContext;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.mvc.condition.PatternsRequestCondition;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.lang.reflect.Parameter;
import java.util.*;
import java.util.concurrent.atomic.AtomicInteger;

import static com.secnium.iast.core.report.ApiReport.sendReport;

/**
* [email protected]
*/
public class SpringApplicationImpl {

public static boolean isSend;

public static void getWebApplicationContext(MethodEvent event, AtomicInteger invokeIdSequencer) {
ApplicationContext applicationContext = (ApplicationContext) event.returnValue;
if(!isSend) {
List<ApiDataModel> api = getAPI(applicationContext);
sendReport(api);
isSend = true;
}
}

public static List<ApiDataModel> getAPI(ApplicationContext applicationContext) {
RequestMappingHandlerMapping mapping = applicationContext.getBean(RequestMappingHandlerMapping.class);
Map<RequestMappingInfo, HandlerMethod> methodMap = mapping.getHandlerMethods();
List<ApiDataModel> apiList = new ArrayList<>();
for (RequestMappingInfo info : methodMap.keySet()) {
ApiDataModel apiDataModel = new ApiDataModel();
HandlerMethod handlerMethod = methodMap.get(info);
String clazz = handlerMethod.getBeanType().toString().substring(6);
apiDataModel.setClazz(clazz);
String method = info.getMethodsCondition().toString().replace("[", "").replace("]", "");
String[] methods;
if ("".equals(method)) {
methods = new String[2];
methods[0] = "GET";
methods[1] = "POST";
}else {
methods = new String[1];
methods[0] = method;
}
apiDataModel.setMethod(methods);
Method declaredMethod = null;
try {
HandlerMethod handlerMethodData = methodMap.get(info);
String beanType = handlerMethodData.getBeanType().toString().substring(6);
apiDataModel.setController(beanType);
Method methodData = handlerMethodData.getMethod();
String methodName = methodData.getName();
Parameter[] parameters = methodData.getParameters();
List<Class<?>> parameterList = new ArrayList<>();
for (Parameter parameter : parameters
) {
parameterList.add(parameter.getType());
}
int parameterListSize = parameterList.size();
Class<?>[] classes = new Class[parameterListSize];
for (int i = 0; i < parameterListSize; i++) {
classes[i] = parameterList.get(i);
}
declaredMethod = AopUtils.getTargetClass(applicationContext.getBean(handlerMethod.getBean().toString())).getDeclaredMethod(methodName, classes);
parameters = declaredMethod.getParameters();
List<Map<String, String>> parameterMaps = new ArrayList<>();
for (Parameter parameter : parameters
) {
Map<String, String> parameterMap = new HashMap<>();
String className = parameter.getName();
String classType = parameter.getType().toString();
if (classType.contains(" ")) {
classType = classType.substring(classType.indexOf(" ") + 1);
}
Annotation[] declaredAnnotations = parameter.getDeclaredAnnotations();
StringBuilder annos = new StringBuilder();
for (Annotation annotation : declaredAnnotations
) {
String anno = annotation.annotationType().toString();
anno = anno.substring(anno.lastIndexOf(".")+1);
if ("PathVariable".equals(anno)){
anno = "restful访问参数";
}else if ("RequestHeader".equals(anno)){
anno = "Header参数";
}else if ("CookieValue".equals(anno)){
anno = "Cookie参数";
}else if ("RequestParam".equals(anno)){
anno = "GET请求参数";
}else if ("RequestBody".equals(anno)){
anno = "POST请求的body参数";
}else if ("Validated".equals(anno)){
anno = "GET请求参数对象";
}
annos.append(anno);
}
parameterMap.put("name", className);
parameterMap.put("type", classType);
parameterMap.put("annotation", String.valueOf(annos));
parameterMaps.add(parameterMap);
}
apiDataModel.setParameters(parameterMaps);
String returnType = declaredMethod.getReturnType().toString();
if (returnType.contains("class ")) {
returnType = declaredMethod.getReturnType().toString().substring(6);
}
apiDataModel.setReturnType(returnType);
} catch (NoSuchMethodException ignore) {
}


PatternsRequestCondition patternsCondition = info.getPatternsCondition();
Set<String> patterns = patternsCondition.getPatterns();
if (patterns.size()>1){
for (String s:patterns
) {
String uri = s.replace("[", "").replace("]", "");
apiDataModel.setUrl(uri);
apiList.add(apiDataModel);
}
}else {
String uri = info.getPatternsCondition().toString().replace("[", "").replace("]", "");
apiDataModel.setUrl(uri);
apiList.add(apiDataModel);
}
}
return apiList;
}


}
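Review bot: In the multi-pattern branch of `getAPI` (the `patterns.size()>1` loop) `setUrl` is called on the same `ApiDataModel` instance that is then added to `apiList` once per pattern, so every entry for that handler ends up carrying the last pattern's URL. Building one model per pattern fixes it, and the cleanest shape is to move the existing per-handler body into a helper that takes the URI and drive it from the pattern set, as sketched below. `isSend` is a plain static check-then-set, so two threads that reach `getWebApplicationContext` before either has finished `sendReport` will both send; `private static final AtomicBoolean SENT = new AtomicBoolean(); if (SENT.compareAndSet(false, true)) { ... }` closes that window. `event.returnValue` also needs a null guard before the cast, because `FrameworkServlet.getWebApplicationContext()` returns null until the servlet has been initialised. The `toString().substring(6)` prefix stripping assumes the `"class "` prefix and would mangle an interface type; `getBeanType().getName()` yields the same string for classes without that assumption.
```java
    public static List<ApiDataModel> getAPI(ApplicationContext applicationContext) {
        RequestMappingHandlerMapping mapping = applicationContext.getBean(RequestMappingHandlerMapping.class);
        List<ApiDataModel> apiList = new ArrayList<>();
        for (Map.Entry<RequestMappingInfo, HandlerMethod> entry : mapping.getHandlerMethods().entrySet()) {
            RequestMappingInfo info = entry.getKey();
            Set<String> patterns = info.getPatternsCondition().getPatterns();
            // one entry per pattern, each its own object; an empty pattern set still reports one entry
            // with an empty URI, as the old toString()-based branch did
            for (String pattern : patterns.isEmpty() ? Collections.singleton("") : patterns) {
                apiList.add(buildApiDataModel(applicationContext, info, entry.getValue(), pattern));
            }
        }
        return apiList;
    }

    // … unchanged: the old per-handler body (bean type, methods, parameters, return type) moves here,
    //    ending with apiDataModel.setUrl(pattern); return apiDataModel; …
    private static ApiDataModel buildApiDataModel(ApplicationContext applicationContext, RequestMappingInfo info,
                                                  HandlerMethod handlerMethod, String pattern) {
```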
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package com.secnium.iast.core.handler;

import com.secnium.iast.core.EngineManager;
import com.secnium.iast.core.enhance.plugins.api.SpringApplicationImpl;
import com.secnium.iast.core.handler.controller.HookType;
import com.secnium.iast.core.handler.controller.impl.HttpImpl;
import com.secnium.iast.core.handler.controller.impl.PropagatorImpl;
Expand Down Expand Up @@ -61,7 +62,7 @@ public static void onBefore(final String framework,
SinkImpl.solveSink(event, INVOKE_ID_SEQUENCER);
} else if (HookType.SPRINGAPPLICATION.equals(hookType)) {
// todo
System.out.println("a");
SpringApplicationImpl.getWebApplicationContext(event,INVOKE_ID_SEQUENCER);
}
}
}
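Review bot: `SpringApplicationImpl.getWebApplicationContext(event, INVOKE_ID_SEQUENCER)` is called on the instrumented application's own thread with no containment, so anything it throws — a missing `RequestMappingHandlerMapping` bean, a `ClassCastException` when `returnValue` is not an `ApplicationContext`, or a `NoClassDefFoundError` for the Spring types it imports when the host lacks them — propagates into the host's `getWebApplicationContext` call and breaks the application the agent is supposed to observe. Unless the start of `onBefore` (outside this hunk) already wraps every branch, the call should be guarded: `try { SpringApplicationImpl.getWebApplicationContext(event, INVOKE_ID_SEQUENCER); } catch (Exception | LinkageError e) { /* API discovery must never break the host; log at debug */ }`. The `// todo` comment above it is now stale and should go.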
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
package com.secnium.iast.core.handler.models;

import java.util.List;
import java.util.Map;

/**
Expand All @@ -10,25 +11,37 @@
public class ApiDataModel {

private String url;
private String method;
private String[] method;
private String clazz;
private Map<String,String>[] parameters;
List<Map<String, String>> parameters;
private String returnType;
private String file;
private String controller;
private String description;

public ApiDataModel() {
}


public ApiDataModel(String url, String method, String clazz, Map<String, String>[] parameters, String returnType, String file, String controller) {
public ApiDataModel(String url, String[] method, String clazz, List<Map<String, String>> parameters, String returnType, String file, String controller, String description) {
this.url = url;
this.method = method;
this.clazz = clazz;
this.parameters = parameters;
this.returnType = returnType;
this.file = file;
this.controller = controller;
this.description = description;
}

public String getDescription() {
if (description == null) {
description = "";
}
return description;
}

public void setDescription(String description) {
this.description = description;
}

public String getClazz() {
Expand All @@ -47,19 +60,19 @@ public void setUrl(String url) {
this.url = url;
}

public String getMethod() {
public String[] getMethod() {
return method;
}

public void setMethod(String method) {
public void setMethod(String[] method) {
this.method = method;
}

public Map<String, String>[] getParameters() {
public List<Map<String, String>> getParameters() {
return parameters;
}

public void setParameters(Map<String, String>[] parameters) {
public void setParameters(List<Map<String, String>> parameters) {
this.parameters = parameters;
}

Expand All @@ -72,6 +85,9 @@ public void setReturnType(String returnType) {
}

public String getFile() {
if (file == null) {
file = "";
}
return file;
}

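Review bot: `List<Map<String, String>> parameters;` is the only field without an access modifier, leaving it package-private while every sibling is `private`; write `private List<Map<String, String>> parameters;`. `getDescription()` and the new guard in `getFile()` assign a default from inside a getter, so a read mutates the object; initialising the fields (`private String description = "";`) and keeping the getters pure is the more conventional shape, with the same null-to-empty guard moved into the constructor if callers pass null. The constructor also grows from seven arguments to eight, so any caller of the old signature outside this commit, if one exists, will no longer compile.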
Original file line number Diff line number Diff line change
Expand Up @@ -92,10 +92,12 @@ public class ReportConstant {
public static final String API_DATA_URI = "uri";
public static final String API_DATA_METHOD = "method";
public static final String API_DATA_CLASS = "class";
public static final String API_DATA_PARAMETERS = "parameters";
public static final String API_DATA_PARAMETER_NAME = "name";
public static final String API_DATA_PARAMETER_TYPE = "type";
public static final String API_DATA_PARAMETER_ANNOTATION = "annotation";
public static final String API_DATA_RETURN = "return_type";
public static final String API_DATA_FILE = "file";
public static final String API_DATA_CONTROLLER = "controller";
public static final String API_DATA_DESCRIPTION = "description";
}
