OpenRASP支持InforSuiteAS V10.0代码提交

agent/java/engine/src/main/java/com/baidu/openrasp/detector/InforSuiteDetector.java

@@ -0,0 +1,75 @@
+/*
+ * Copyright 2017-2022 Baidu Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.baidu.openrasp.detector;
+
+import com.baidu.openrasp.tool.Reflection;
+import com.baidu.openrasp.tool.model.ApplicationModel;
+
+import java.lang.reflect.Method;
+import java.security.ProtectionDomain;
+
+/**
+ * Created by inforsuite on 22-2-12.
+ */
+public class InforSuiteDetector extends ServerDetector {
+
+    @Override
+    public boolean isClassMatched(String className) {
+        return "com/cvicse/loong/enterprise/inforsuite/bootstrap/ASMain".equals(className);
+    }
+
+    @Override
+    public boolean handleServerInfo(ClassLoader classLoader, ProtectionDomain domain) {
+        String version = "";
+        try {
+//            if (classLoader == null) {
+//                classLoader = ClassLoader.getSystemClassLoader();
+//            }
+            classLoader = Thread.currentThread().getContextClassLoader();
+            Class clazz = classLoader.loadClass("com.cvicse.loong.appserv.server.util.Version");
+            if (!isJboss(classLoader)) {
+                version = (String) Reflection.invokeMethod(null, clazz, "getFullVersion", new Class[]{});
+            }
+        } catch (Throwable t) {
+            logDetectError("handle inforsuite startup failed", t);
+        }
+        if (!isJboss(classLoader)) {
+            if(version != null){
+                ApplicationModel.setServerInfo("inforsuite", version);
+                return true;
+            }
+            return false;
+        }
+        return false;
+    }
+
+    private boolean isJboss(ClassLoader classLoader) {
+        Package jbossBootPackage = null;
+        try {
+            Method getPackageMethod = ClassLoader.class.getDeclaredMethod("getPackage", String.class);
+            getPackageMethod.setAccessible(true);
+            jbossBootPackage = (Package) getPackageMethod.invoke(classLoader, "org.jboss");
+            if (jbossBootPackage == null) {
+                jbossBootPackage = (Package) getPackageMethod.invoke(classLoader, "org.jboss.modules");
+            }
+        } catch (Throwable e) {
+            // ignore
+        }
+        return jbossBootPackage != null;
+    }
+
+}

agent/java/engine/src/main/java/com/baidu/openrasp/detector/ServerDetector.java

@@ -112,7 +112,10 @@ public synchronized static void checkServerPolicy() {
                 HookHandler.doRealCheckWithoutRequest(CheckParameter.Type.POLICY_SERVER_BES, CheckParameter.EMPTY_MAP);
             } else if ("TongWeb8".equals(serverName)) {
                 HookHandler.doRealCheckWithoutRequest(CheckParameter.Type.POLICY_SERVER_TONGWEB8, CheckParameter.EMPTY_MAP);
+            }else if ("inforsuite".equals(serverName)){
+            	HookHandler.doRealCheckWithoutRequest(CheckParameter.Type.POLICY_SERVER_INFORSUITE,CheckParameter.EMPTY_MAP);
             }
+
         } catch (Throwable t) {
             LogTool.warn(ErrorType.HOOK_ERROR, "failed to do server policy checking: " + t.getMessage(), t);
         }

agent/java/engine/src/main/java/com/baidu/openrasp/detector/ServerDetectorManager.java

@@ -47,7 +47,7 @@ private ServerDetectorManager() {
         detectors.add(new TongWeb7Detector());
         detectors.add(new TongWeb8Detector());
         detectors.add(new BESDetector());
-
+        detectors.add(new InforSuiteDetector());
     }
 
     public static ServerDetectorManager getInstance() {
@@ -61,10 +61,16 @@ public static ServerDetectorManager getInstance() {
      * @param classLoader 该类的加载器
      */
     public void detectServer(String className, ClassLoader classLoader, ProtectionDomain domain) {
-        try {
+    	try {
             for (ServerDetector detector : detectors) {
                 if (detector.isClassMatched(className) && detector.handleServer(className, classLoader, domain)) {
-                    HookHandler.LOGGER.info("detect server class: " + className);
+                    if(className.equals("com/cvicse/loong/enterprise/inforsuite/bootstrap/ASMain")){
+                        detectors.subList(0,13).clear();
+                        HookHandler.LOGGER.info("detect server class: " + className);
+                        break;
+                    }else{    	
+                    	HookHandler.LOGGER.info("detect server class: " + className);
+                    }
                 }
             }
         } catch (Throwable e) {

agent/java/engine/src/main/java/com/baidu/openrasp/hook/server/ServerOutputCloseHook.java

@@ -19,6 +19,7 @@
 import com.baidu.openrasp.HookHandler;
 import com.baidu.openrasp.config.Config;
 import com.baidu.openrasp.hook.AbstractClassHook;
+import com.baidu.openrasp.hook.server.inforsuite.InforSuiteHttpResponseHook;
 import com.baidu.openrasp.hook.server.weblogic.WeblogicHttpOutputHook;
 import com.baidu.openrasp.hook.server.websphere.WebsphereHttpOutputHook;
 import com.baidu.openrasp.messaging.LogTool;
@@ -89,6 +90,8 @@ public static void appendResponseData(Object output) {
                     Object outputStream = Reflection.getField(output, "outputStream");
                     int flag = (Integer) Reflection.getField(outputStream, "state");
                     isClosed = flag == 1;
+                }else if("com/cvicse/inforsuite/grizzly/http/io/OutputBuffer".equals(InforSuiteHttpResponseHook.clazzName)){
+                	isClosed = (Boolean) Reflection.getSuperField(output, "closed");
                 } else {
                     if (serverName.equals("tomcat") && ApplicationModel.getVersion().compareTo("6") < 0) {
                         isClosed = (Boolean) Reflection.getField(output, "closed");

agent/java/engine/src/main/java/com/baidu/openrasp/hook/server/inforsuite/InforSuiteApplicationFilterHook.java

@@ -0,0 +1,57 @@
+/*
+ * Copyright 2017-2022 Baidu Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.baidu.openrasp.hook.server.inforsuite;
+
+import com.baidu.openrasp.hook.server.ServerRequestHook;
+import com.baidu.openrasp.tool.annotation.HookAnnotation;
+import javassist.CannotCompileException;
+import javassist.CtClass;
+import javassist.NotFoundException;
+
+import java.io.IOException;
+
+/**
+ * @description: inforsuite applicationFilter hook
+ * @author: inforsuite
+ * @create: 2022/05/20
+ */
+@HookAnnotation
+public class InforSuiteApplicationFilterHook extends ServerRequestHook {
+
+    /**
+     * (none-javadoc)
+     *
+     * @see com.baidu.openrasp.hook.AbstractClassHook#isClassMatched(String)
+     */
+    @Override
+    public boolean isClassMatched(String className) {
+        return className.endsWith("apache/catalina/core/ApplicationFilterChain");
+    }
+
+    /**
+     * (none-javadoc)
+     *
+     * @see com.baidu.openrasp.hook.AbstractClassHook#hookMethod(CtClass)
+     */
+    @Override
+    protected void hookMethod(CtClass ctClass) throws IOException, CannotCompileException, NotFoundException {
+        String src = getInvokeStaticSrc(ServerRequestHook.class, "checkRequest",
+                "$0,$1,$2", Object.class, Object.class, Object.class);
+        insertBefore(ctClass, "doFilter", null, src);
+    }
+
+}

agent/java/engine/src/main/java/com/baidu/openrasp/hook/server/inforsuite/InforSuiteHttpResponseHook.java

@@ -0,0 +1,32 @@
+package com.baidu.openrasp.hook.server.inforsuite;
+
+import com.baidu.openrasp.hook.server.ServerOutputCloseHook;
+import com.baidu.openrasp.tool.annotation.HookAnnotation;
+import javassist.CannotCompileException;
+import javassist.CtClass;
+import javassist.NotFoundException;
+
+/**
+ * @description: inforsuite output close hook
+ * @author: inforsuite
+ * @create: 2022/05/20
+ */
+@HookAnnotation
+public class InforSuiteHttpResponseHook extends ServerOutputCloseHook {
+
+	public static String clazzName = null;
+    @Override
+    public boolean isClassMatched(String className) {
+        if ("com/cvicse/inforsuite/grizzly/http/io/OutputBuffer".equals(className)) {
+        	clazzName = className;
+            return true;
+        }
+        return false;
+    }
+
+    @Override
+    protected void hookMethod(CtClass ctClass, String src) throws NotFoundException, CannotCompileException {
+        insertBefore(ctClass, "close", "()V", src);
+    }
+
+}

agent/java/engine/src/main/java/com/baidu/openrasp/hook/server/inforsuite/InforSuiteInputBufferHook.java

@@ -0,0 +1,77 @@
+package com.baidu.openrasp.hook.server.inforsuite;
+
+import com.baidu.openrasp.HookHandler;
+import com.baidu.openrasp.hook.server.ServerInputHook;
+import com.baidu.openrasp.messaging.LogTool;
+import com.baidu.openrasp.request.AbstractRequest;
+import com.baidu.openrasp.tool.Reflection;
+import com.baidu.openrasp.tool.annotation.HookAnnotation;
+import com.baidu.openrasp.tool.model.ApplicationModel;
+
+import javassist.CannotCompileException;
+import javassist.CtClass;
+import javassist.NotFoundException;
+
+import java.io.IOException;
+
+/**
+ * @description: inforsuite input buffer hook,将得到的buffer信息在本类中处理
+ * @author: inforsuite
+ * @create: 2022/05/20
+ */
+@HookAnnotation
+public class InforSuiteInputBufferHook extends ServerInputHook {
+
+    /**
+     * (none-javadoc)
+     *
+     * @see com.baidu.openrasp.hook.AbstractClassHook#isClassMatched(String)
+     */
+    @Override
+    public boolean isClassMatched(String className) {
+
+        if ("com/cvicse/inforsuite/grizzly/http/io/InputBuffer".equals(className)){
+            return true;
+        }
+        return false;
+
+    }
+
+    /**
+     * (none-javadoc)
+     *
+     * @see com.baidu.openrasp.hook.AbstractClassHook#hookMethod(CtClass)
+     */
+    @Override
+    protected void hookMethod(CtClass ctClass) throws IOException, CannotCompileException, NotFoundException {
+        String bufferSrc = getInvokeStaticSrc(InforSuiteInputBufferHook.class, "onInputStreamRead",
+                "$_", Object.class);
+        insertAfter(ctClass, "getBuffer",null, bufferSrc);      
+        String readSrc = getInvokeStaticSrc(ServerInputHook.class, "onInputStreamRead",
+                "$_,$0,$1,$2", int.class, Object.class, byte[].class, int.class);
+        insertAfter(ctClass, "read", "([BII)I", readSrc);
+    }
+
+    //handle inputStream
+    public static void onInputStreamRead(Object inputStream) {
+        if (HookHandler.requestCache.get() != null) {
+            AbstractRequest request = HookHandler.requestCache.get();
+
+            if (request.getInputStream() == null) {
+                request.setInputStream(inputStream);
+            }
+            if (request.getInputStream() == inputStream) {
+            	try {
+            		byte[] heap = (byte[])Reflection.getSuperField(inputStream, "heap");
+            		Integer offset = (Integer) Reflection.getSuperField(inputStream, "offset");
+            		Integer cap = (Integer) Reflection.getSuperField(inputStream, "cap");           		
+					request.appendBody(heap, offset, cap);
+				} catch (Exception e) {
+					LogTool.traceHookWarn(ApplicationModel.getServerName() + " get request body failed: " +
+	                        e.getMessage(), e);
+				} 
+            }
+        }
+    }
+   // end
+}

agent/java/engine/src/main/java/com/baidu/openrasp/hook/server/inforsuite/InforSuitePreRequestHook.java

@@ -0,0 +1,37 @@
+package com.baidu.openrasp.hook.server.inforsuite;
+
+import com.baidu.openrasp.hook.server.ServerPreRequestHook;
+import com.baidu.openrasp.tool.annotation.HookAnnotation;
+import javassist.CannotCompileException;
+import javassist.CtClass;
+import javassist.NotFoundException;
+
+/**
+ * @description: inforsuite pre-request hook
+ * @author: inforsuite
+ * @create: 2022/05/20
+ */
+@HookAnnotation
+public class InforSuitePreRequestHook extends ServerPreRequestHook {
+
+    /**
+     * (none-javadoc)
+     *
+     * @see com.baidu.openrasp.hook.AbstractClassHook#isClassMatched(String)
+     */
+    @Override
+    public boolean isClassMatched(String className) {
+        return className.endsWith("org/apache/catalina/connector/CoyoteAdapter");
+    }
+
+    /**
+     * (none-javadoc)
+     *
+     * @see ServerPreRequestHook#hookMethod(CtClass, String)
+     */
+    @Override
+    protected void hookMethod(CtClass ctClass, String src) throws NotFoundException, CannotCompileException {
+        insertBefore(ctClass, "service", null, src);
+    }
+
+}

agent/java/engine/src/main/java/com/baidu/openrasp/hook/server/inforsuite/InforSuiteRequestEndHook.java

@@ -0,0 +1,35 @@
+package com.baidu.openrasp.hook.server.inforsuite;
+
+import com.baidu.openrasp.hook.server.ServerRequestEndHook;
+import com.baidu.openrasp.tool.annotation.HookAnnotation;
+import javassist.CannotCompileException;
+import javassist.CtClass;
+import javassist.NotFoundException;
+
+import java.io.IOException;
+
+/**
+ * @description: inforsuite response end hook
+ * @author: inforsuite
+ * @create: 2022/05/20
+ */
+@HookAnnotation
+public class InforSuiteRequestEndHook extends ServerRequestEndHook {
+
+    /**
+     * (none-javadoc)
+     *
+     * @see com.baidu.openrasp.hook.AbstractClassHook#isClassMatched(String)
+     */
+    @Override
+    public boolean isClassMatched(String className) {    	
+    	return className.endsWith("org/apache/catalina/core/ApplicationFilterChain");
+    }
+
+    @Override
+    protected void hookMethod(CtClass ctClass) throws IOException, CannotCompileException, NotFoundException {
+        String requestEndSrc = getInvokeStaticSrc(ServerRequestEndHook.class, "checkRequestEnd", "");
+        insertAfter(ctClass, "doFilter", null, requestEndSrc, true);
+    }
+
+}