OpenRASP支持InforSuiteAS V10.0代码提交

agent/java/engine/src/main/java/com/baidu/openrasp/detector/InforSuiteDetector.java

@@ -0,0 +1,72 @@
+/*
+ * Copyright 2017-2022 Baidu Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.baidu.openrasp.detector;
+
+import com.baidu.openrasp.tool.Reflection;
+import com.baidu.openrasp.tool.model.ApplicationModel;
+
+import java.lang.reflect.Method;
+import java.security.ProtectionDomain;
+
+/**
+ * Created by inforsuite on 22-2-12.
+ */
+public class InforSuiteDetector extends ServerDetector {
+
+ @Override
+ public boolean isClassMatched(String className) {
+ return "com/cvicse/loong/enterprise/inforsuite/bootstrap/ASMain".equals(className);
+ }
+
+ @Override
+ public boolean handleServerInfo(ClassLoader classLoader, ProtectionDomain domain) {
+ String version = "";
+ try {
+ classLoader = Thread.currentThread().getContextClassLoader();
+ Class clazz = classLoader.loadClass("com.cvicse.loong.appserv.server.util.Version");
+ if (!isJboss(classLoader)) {
+ version = (String) Reflection.invokeMethod(null, clazz, "getFullVersion", new Class[]{});
+ }
+ } catch (Throwable t) {
+ logDetectError("handle inforsuite startup failed", t);
+ }
+ if (!isJboss(classLoader)) {
+ if (version != null) {
+ ApplicationModel.setServerInfo("inforsuite", version);
+ return true;
+ }
+ return false;
+ }
+ return false;
+ }
+
+ private boolean isJboss(ClassLoader classLoader) {
+ Package jbossBootPackage = null;
+ try {
+ Method getPackageMethod = ClassLoader.class.getDeclaredMethod("getPackage", String.class);
+ getPackageMethod.setAccessible(true);
+ jbossBootPackage = (Package) getPackageMethod.invoke(classLoader, "org.jboss");
+ if (jbossBootPackage == null) {
+ jbossBootPackage = (Package) getPackageMethod.invoke(classLoader, "org.jboss.modules");
+ }
+ } catch (Throwable e) {
+ // ignore
+ }
+ return jbossBootPackage != null;
+ }
+
+}

agent/java/engine/src/main/java/com/baidu/openrasp/detector/ServerDetector.java

@@ -112,7 +112,10 @@ public synchronized static void checkServerPolicy() {
  HookHandler.doRealCheckWithoutRequest(CheckParameter.Type.POLICY_SERVER_BES, CheckParameter.EMPTY_MAP);
  } else if ("TongWeb8".equals(serverName)) {
  HookHandler.doRealCheckWithoutRequest(CheckParameter.Type.POLICY_SERVER_TONGWEB8, CheckParameter.EMPTY_MAP);
+ } else if ("inforsuite".equals(serverName)) {
+ HookHandler.doRealCheckWithoutRequest(CheckParameter.Type.POLICY_SERVER_INFORSUITE,CheckParameter.EMPTY_MAP);
  }
+
  } catch (Throwable t) {
  LogTool.warn(ErrorType.HOOK_ERROR, "failed to do server policy checking: " + t.getMessage(), t);
  }

agent/java/engine/src/main/java/com/baidu/openrasp/detector/ServerDetectorManager.java

@@ -47,7 +47,7 @@ private ServerDetectorManager() {
  detectors.add(new TongWeb7Detector());
  detectors.add(new TongWeb8Detector());
  detectors.add(new BESDetector());
-
+ detectors.add(new InforSuiteDetector());
  }
 
  public static ServerDetectorManager getInstance() {
@@ -61,10 +61,16 @@ public static ServerDetectorManager getInstance() {
  * @param classLoader 该类的加载器
  */
  public void detectServer(String className, ClassLoader classLoader, ProtectionDomain domain) {
-  try {
+  try {
  for (ServerDetector detector : detectors) {
  if (detector.isClassMatched(className) && detector.handleServer(className, classLoader, domain)) {
- HookHandler.LOGGER.info("detect server class: " + className);
+ if (className.equals("com/cvicse/loong/enterprise/inforsuite/bootstrap/ASMain")) {
+ detectors.subList(0,detectors.size()-1).clear();
+ HookHandler.LOGGER.info("detect server class: " + className);
+ break;
+ } else { 
+ HookHandler.LOGGER.info("detect server class: " + className);
+ }
  }
  }
  } catch (Throwable e) {

agent/java/engine/src/main/java/com/baidu/openrasp/detector/TomcatDetector.java

@@ -46,7 +46,7 @@ public boolean handleServerInfo(ClassLoader classLoader, ProtectionDomain domain
  } catch (Throwable t) {
  logDetectError("handle tomcat startup failed", t);
  }
- if (!isJboss(classLoader)) {
+ if (!isJboss(classLoader) && version != null) {
  ApplicationModel.setServerInfo("tomcat", version);
  return true;
  }

agent/java/engine/src/main/java/com/baidu/openrasp/hook/server/ServerOutputCloseHook.java

@@ -19,6 +19,7 @@
 import com.baidu.openrasp.HookHandler;
 import com.baidu.openrasp.config.Config;
 import com.baidu.openrasp.hook.AbstractClassHook;
+import com.baidu.openrasp.hook.server.inforsuite.InforSuiteHttpResponseHook;
 import com.baidu.openrasp.hook.server.weblogic.WeblogicHttpOutputHook;
 import com.baidu.openrasp.hook.server.websphere.WebsphereHttpOutputHook;
 import com.baidu.openrasp.messaging.LogTool;
@@ -89,6 +90,8 @@ public static void appendResponseData(Object output) {
  Object outputStream = Reflection.getField(output, "outputStream");
  int flag = (Integer) Reflection.getField(outputStream, "state");
  isClosed = flag == 1;
+ } else if ("com/cvicse/inforsuite/grizzly/http/io/OutputBuffer".equals(InforSuiteHttpResponseHook.clazzName)) {
+ isClosed = (Boolean) Reflection.getSuperField(output, "closed");
  } else {
  if (serverName.equals("tomcat") && ApplicationModel.getVersion().compareTo("6") < 0) {
  isClosed = (Boolean) Reflection.getField(output, "closed");

agent/java/engine/src/main/java/com/baidu/openrasp/hook/server/inforsuite/InforSuiteApplicationFilterHook.java

@@ -0,0 +1,57 @@
+/*
+ * Copyright 2017-2022 Baidu Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.baidu.openrasp.hook.server.inforsuite;
+
+import com.baidu.openrasp.hook.server.ServerRequestHook;
+import com.baidu.openrasp.tool.annotation.HookAnnotation;
+import javassist.CannotCompileException;
+import javassist.CtClass;
+import javassist.NotFoundException;
+
+import java.io.IOException;
+
+/**
+ * @description: inforsuite applicationFilter hook
+ * @author: inforsuite
+ * @create: 2022/05/20
+ */
+@HookAnnotation
+public class InforSuiteApplicationFilterHook extends ServerRequestHook {
+
+ /**
+ * (none-javadoc)
+ *
+ * @see com.baidu.openrasp.hook.AbstractClassHook#isClassMatched(String)
+ */
+ @Override
+ public boolean isClassMatched(String className) {
+ return className.endsWith("apache/catalina/core/ApplicationFilterChain");
+ }
+
+ /**
+ * (none-javadoc)
+ *
+ * @see com.baidu.openrasp.hook.AbstractClassHook#hookMethod(CtClass)
+ */
+ @Override
+ protected void hookMethod(CtClass ctClass) throws IOException, CannotCompileException, NotFoundException {
+ String src = getInvokeStaticSrc(ServerRequestHook.class, "checkRequest",
+ "$0,$1,$2", Object.class, Object.class, Object.class);
+ insertBefore(ctClass, "doFilter", null, src);
+ }
+
+}

agent/java/engine/src/main/java/com/baidu/openrasp/hook/server/inforsuite/InforSuiteHttpResponseHook.java

@@ -0,0 +1,32 @@
+package com.baidu.openrasp.hook.server.inforsuite;
+
+import com.baidu.openrasp.hook.server.ServerOutputCloseHook;
+import com.baidu.openrasp.tool.annotation.HookAnnotation;
+import javassist.CannotCompileException;
+import javassist.CtClass;
+import javassist.NotFoundException;
+
+/**
+ * @description: inforsuite output close hook
+ * @author: inforsuite
+ * @create: 2022/05/20
+ */
+@HookAnnotation
+public class InforSuiteHttpResponseHook extends ServerOutputCloseHook {
+
+ public static String clazzName = null;
+ @Override
+ public boolean isClassMatched(String className) {
+ if ("com/cvicse/inforsuite/grizzly/http/io/OutputBuffer".equals(className)) {
+ clazzName = className;
+ return true;
+ }
+ return false;
+ }
+
+ @Override
+ protected void hookMethod(CtClass ctClass, String src) throws NotFoundException, CannotCompileException {
+ insertBefore(ctClass, "close", "()V", src);
+ }
+
+}

agent/java/engine/src/main/java/com/baidu/openrasp/hook/server/inforsuite/InforSuiteInputBufferHook.java

@@ -0,0 +1,77 @@
+package com.baidu.openrasp.hook.server.inforsuite;
+
+import com.baidu.openrasp.HookHandler;
+import com.baidu.openrasp.hook.server.ServerInputHook;
+import com.baidu.openrasp.messaging.LogTool;
+import com.baidu.openrasp.request.AbstractRequest;
+import com.baidu.openrasp.tool.Reflection;
+import com.baidu.openrasp.tool.annotation.HookAnnotation;
+import com.baidu.openrasp.tool.model.ApplicationModel;
+
+import javassist.CannotCompileException;
+import javassist.CtClass;
+import javassist.NotFoundException;
+
+import java.io.IOException;
+
+/**
+ * @description: inforsuite input buffer hook,将得到的buffer信息在本类中处理
+ * @author: inforsuite
+ * @create: 2022/05/20
+ */
+@HookAnnotation
+public class InforSuiteInputBufferHook extends ServerInputHook {
+
+ /**
+ * (none-javadoc)
+ *
+ * @see com.baidu.openrasp.hook.AbstractClassHook#isClassMatched(String)
+ */
+ @Override
+ public boolean isClassMatched(String className) {
+
+ if ("com/cvicse/inforsuite/grizzly/http/io/InputBuffer".equals(className)){
+ return true;
+ }
+ return false;
+
+ }
+
+ /**
+ * (none-javadoc)
+ *
+ * @see com.baidu.openrasp.hook.AbstractClassHook#hookMethod(CtClass)
+ */
+ @Override
+ protected void hookMethod(CtClass ctClass) throws IOException, CannotCompileException, NotFoundException {
+ String bufferSrc = getInvokeStaticSrc(InforSuiteInputBufferHook.class, "onInputStreamRead",
+ "$_", Object.class);
+ insertAfter(ctClass, "getBuffer",null, bufferSrc); 
+ String readSrc = getInvokeStaticSrc(ServerInputHook.class, "onInputStreamRead",
+ "$_,$0,$1,$2", int.class, Object.class, byte[].class, int.class);
+ insertAfter(ctClass, "read", "([BII)I", readSrc);
+ }
+
+ //handle inputStream
+ public static void onInputStreamRead(Object inputStream) {
+ if (HookHandler.requestCache.get() != null) {
+ AbstractRequest request = HookHandler.requestCache.get();
+
+ if (request.getInputStream() == null) {
+ request.setInputStream(inputStream);
+ }
+ if (request.getInputStream() == inputStream) {
+ try {
+ byte[] heap = (byte[])Reflection.getSuperField(inputStream, "heap");
+ Integer offset = (Integer) Reflection.getSuperField(inputStream, "offset");
+ Integer cap = (Integer) Reflection.getSuperField(inputStream, "cap"); 
+ request.appendBody(heap, offset, cap);
+ } catch (Exception e) {
+ LogTool.traceHookWarn(ApplicationModel.getServerName() + " get request body failed: " +
+ e.getMessage(), e);
+ } 
+ }
+ }
+ }
+ // end
+}

agent/java/engine/src/main/java/com/baidu/openrasp/hook/server/inforsuite/InforSuitePreRequestHook.java

@@ -0,0 +1,37 @@
+package com.baidu.openrasp.hook.server.inforsuite;
+
+import com.baidu.openrasp.hook.server.ServerPreRequestHook;
+import com.baidu.openrasp.tool.annotation.HookAnnotation;
+import javassist.CannotCompileException;
+import javassist.CtClass;
+import javassist.NotFoundException;
+
+/**
+ * @description: inforsuite pre-request hook
+ * @author: inforsuite
+ * @create: 2022/05/20
+ */
+@HookAnnotation
+public class InforSuitePreRequestHook extends ServerPreRequestHook {
+
+ /**
+ * (none-javadoc)
+ *
+ * @see com.baidu.openrasp.hook.AbstractClassHook#isClassMatched(String)
+ */
+ @Override
+ public boolean isClassMatched(String className) {
+ return className.endsWith("org/apache/catalina/connector/CoyoteAdapter");
+ }
+
+ /**
+ * (none-javadoc)
+ *
+ * @see ServerPreRequestHook#hookMethod(CtClass, String)
+ */
+ @Override
+ protected void hookMethod(CtClass ctClass, String src) throws NotFoundException, CannotCompileException {
+ insertBefore(ctClass, "service", null, src);
+ }
+
+}

agent/java/engine/src/main/java/com/baidu/openrasp/hook/server/inforsuite/InforSuiteRequestEndHook.java

@@ -0,0 +1,35 @@
+package com.baidu.openrasp.hook.server.inforsuite;
+
+import com.baidu.openrasp.hook.server.ServerRequestEndHook;
+import com.baidu.openrasp.tool.annotation.HookAnnotation;
+import javassist.CannotCompileException;
+import javassist.CtClass;
+import javassist.NotFoundException;
+
+import java.io.IOException;
+
+/**
+ * @description: inforsuite response end hook
+ * @author: inforsuite
+ * @create: 2022/05/20
+ */
+@HookAnnotation
+public class InforSuiteRequestEndHook extends ServerRequestEndHook {
+
+ /**
+ * (none-javadoc)
+ *
+ * @see com.baidu.openrasp.hook.AbstractClassHook#isClassMatched(String)
+ */
+ @Override
+ public boolean isClassMatched(String className) { 
+ return className.endsWith("org/apache/catalina/core/ApplicationFilterChain");
+ }
+
+ @Override
+ protected void hookMethod(CtClass ctClass) throws IOException, CannotCompileException, NotFoundException {
+ String requestEndSrc = getInvokeStaticSrc(ServerRequestEndHook.class, "checkRequestEnd", "");
+ insertAfter(ctClass, "doFilter", null, requestEndSrc, true);
+ }
+
+}