From 924bdf96b1fefeaf4eae2b80cc1180bc695199c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=98niuerzhuang=E2=80=99?= <‘niuerzhuang@huoxian.cn’>
Date: Wed, 12 Jul 2023 17:37:00 +0800
Subject: [PATCH 1/2] fix: Custom model field adds ignore conditions: field.isSynthetic(),field.isEnumConstant(),obj instanceof Enumeration
---
 .../iast/core/utils/TaintPoolUtils.java | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java
index 465496eed..46abaeadd 100644
--- a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java
+++ b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java
@@ -131,7 +131,7 @@ public static boolean isAllowTaintType(Class objType) {
 }
 
 public static boolean isAllowTaintType(Object obj) {
- if (obj == null) {
+ if (obj == null || obj instanceof Enumeration) {
 return false;
 }
 return isAllowTaintType(obj.getClass());
@@ -146,10 +146,10 @@ public static void trackObject(MethodEvent event, PolicyNode policyNode, Object
 long identityHash = 0;
 boolean isSourceNode = policyNode instanceof SourceNode;
 if (isSourceNode) {
- if (obj instanceof String){
+ if (obj instanceof String) {
 identityHash = System.identityHashCode(obj);
- hash = toStringHash(obj.hashCode(),identityHash);
-}else {
+ hash = toStringHash(obj.hashCode(), identityHash);
+ } else {
 hash = System.identityHashCode(obj);
 identityHash = hash;
 }
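Review bot: The added `obj instanceof Enumeration` test makes `isAllowTaintType(Object)` reject a value that the `isAllowTaintType(Class)` overload just above would accept for the same type, so the two overloads no longer agree and any caller that only holds the `Class` gets no exclusion; nothing on the line records why an `Enumeration` must never be tracked. If the exclusion stays, a comment on the new line along the lines of `// Enumeration values are never tracked: <reason, e.g. what the reflective walk would otherwise touch>` is needed. PATCH 2/2 of this series removes this line again and moves the check into customModel's field loop, so the two patches should probably be squashed so this intermediate state never lands in history. Whether `Enumeration` resolves to `java.util.Enumeration` depends on an import outside the hunk.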
@@ -195,7 +195,7 @@ public static void trackObject(MethodEvent event, PolicyNode policyNode, Object
 EngineManager.TAINT_HASH_CODES.add(hash);
 event.addTargetHash(hash);
 EngineManager.TAINT_RANGES_POOL.add(hash, tr);
- TaintPoolUtils.customModel(isMicroservice,obj,cls,event,policyNode,depth);
+ TaintPoolUtils.customModel(isMicroservice, obj, cls, event, policyNode, depth);
 } else {
 hash = getStringHash(obj);
 if (EngineManager.TAINT_HASH_CODES.contains(hash)) {
@@ -205,12 +205,12 @@ public static void trackObject(MethodEvent event, PolicyNode policyNode, Object
 }
 }
 
- private static void customModel(Boolean isMicroservice, Object obj, Class cls, MethodEvent event,PolicyNode policyNode,int depth) {
+ private static void customModel(Boolean isMicroservice, Object obj, Class cls, MethodEvent event, PolicyNode policyNode, int depth) {
 if (isMicroservice && !(obj instanceof String) && !PropertyUtils.isDisabledCustomModel()) {
 try {
 Field[] declaredFields = ReflectUtils.getDeclaredFieldsSecurity(cls);
 for (Field field : declaredFields) {
- if (!Modifier.isStatic(field.getModifiers())) {
+ if (!Modifier.isStatic(field.getModifiers()) && !field.isSynthetic() && !field.isEnumConstant()) {
 trackObject(event, policyNode, field.get(obj), depth + 1, isMicroservice);
 }
 }
@@ -264,15 +264,15 @@ private static void trackOptional(MethodEvent event, PolicyNode policyNode, Obje
 }
 }
 
- public static Long toStringHash(long objectHashCode,long identityHashCode) {
+ public static Long toStringHash(long objectHashCode, long identityHashCode) {
 return (objectHashCode << 32) | (identityHashCode & 0xFFFFFFFFL);
 }
 
 public static Long getStringHash(Object obj) {
 long hash;
- if (obj instanceof String){
- hash = TaintPoolUtils.toStringHash(obj.hashCode(),System.identityHashCode(obj));
-}else {
+ if (obj instanceof String) {
+ hash = TaintPoolUtils.toStringHash(obj.hashCode(), System.identityHashCode(obj));
+ } else {
 hash = System.identityHashCode(obj);
 }
 return hash;
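Review bot: In the customModel hunk (`@@ -205,12 +205,12 @@`) the new `!field.isEnumConstant()` clause is redundant: an enum constant is always a static field, so `!Modifier.isStatic(field.getModifiers())` already excludes it, and the extra clause reads as if it guarded something else. `!field.isSynthetic()` is the clause that does real work here — it keeps compiler-generated fields such as an inner class's reference to its enclosing instance out of the reflective walk — and should carry a comment, e.g. `// skip synthetic fields (e.g. outer-instance refs) so the walk stays inside the model object`. The loop reads every remaining non-static field of an application object through `field.get(obj)`, presumably including non-public ones depending on what `ReflectUtils.getDeclaredFieldsSecurity` does to accessibility, and whether the `depth + 1` recursion terminates on cyclic object graphs depends on depth handling in trackObject that is outside this hunk. customModel's try/catch also continues past the end of the hunk.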
From 07caac7eaf21d31bd502d6f8c9962602417eb62d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=98niuerzhuang=E2=80=99?= <‘niuerzhuang@huoxian.cn’>
Date: Wed, 12 Jul 2023 17:47:42 +0800
Subject: [PATCH 2/2] fix: Custom model field adds ignore conditions: field.isSynthetic(),field.isEnumConstant(),obj instanceof Enumeration
---
 .../main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java
index 46abaeadd..548e93eea 100644
--- a/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java
+++ b/dongtai-core/src/main/java/io/dongtai/iast/core/utils/TaintPoolUtils.java
@@ -131,7 +131,7 @@ public static boolean isAllowTaintType(Class objType) {
 }
 
 public static boolean isAllowTaintType(Object obj) {
- if (obj == null || obj instanceof Enumeration) {
+ if (obj == null) {
 return false;
 }
 return isAllowTaintType(obj.getClass());
@@ -210,7 +210,7 @@ private static void customModel(Boolean isMicroservice, Object obj, Class cls
 try {
 Field[] declaredFields = ReflectUtils.getDeclaredFieldsSecurity(cls);
 for (Field field : declaredFields) {
- if (!Modifier.isStatic(field.getModifiers()) && !field.isSynthetic() && !field.isEnumConstant()) {
+ if (!Modifier.isStatic(field.getModifiers()) && !field.isSynthetic() && !field.isEnumConstant() && !(field.get(obj) instanceof Enumeration)) {
 trackObject(event, policyNode, field.get(obj), depth + 1, isMicroservice);
 }
 }
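Review bot: In the second hunk (`@@ -210,7 +210,7 @@`) the new condition calls `field.get(obj)` and the `trackObject` call on the next line calls it again, so every surviving field is read reflectively twice; read it once into a local and test that. Moving the `Enumeration` exclusion from `isAllowTaintType(Object)` (reverted in the first hunk) down to this field loop also narrows it: an `Enumeration` that reaches trackObject directly rather than as a field value is tracked again, and nothing in the hunk says whether that is intended or whether the goal is only to avoid reflecting into an `Enumeration`'s internals, so a comment stating the intent is needed, e.g. `// do not descend into Enumeration values: <reason>`. customModel's signature, its enclosing `if`, and the catch for `field.get` all lie outside the hunk, so the exception path for the second reflective read is not visible here.
```java
for (Field field : declaredFields) {
    if (Modifier.isStatic(field.getModifiers()) || field.isSynthetic()) {
        continue; // enum constants are static, so they are already skipped here
    }
    Object value = field.get(obj); // single reflective read
    if (!(value instanceof Enumeration)) {
        trackObject(event, policyNode, value, depth + 1, isMicroservice);
    }
}
```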