Merge pull request #218 from exexute/main

Fix: codeql notify

dongtai-servlet-api/src/main/java/cn/huoxian/iast/api/HttpRequest.java

@@ -71,6 +71,8 @@ private static String getPostBody(HttpServletRequest request) {
                     while ((str = reader.readLine()) != null) {
                         postBody.append(str);
                     }
+                    inputStream.close();
+                    reader.close();
                     return postBody.toString();
                 } else {
                     request.setCharacterEncoding("UTF-8");

iast-agent/src/main/java/com/secnium/iast/agent/IastClassLoader.java

@@ -22,7 +22,7 @@ public class IastClassLoader extends URLClassLoader {
     private final String path;
 
     public IastClassLoader(final String namespace,
-                           final String jarFilePath) throws MalformedURLException {
+            final String jarFilePath) throws MalformedURLException {
         super(new URL[]{new URL("file:" + jarFilePath)});
         this.path = jarFilePath;
         this.toString = String.format("IastClassLoader[namespace=%s;path=%s;]", namespace, path);
@@ -55,7 +55,6 @@ protected synchronized Class<?> loadClass(String name, boolean resolve) throws C
             return loadedClass;
         }
 
-
         try {
             Class<?> aClass = findClass(name);
             if (resolve) {
@@ -75,7 +74,7 @@ public String toString() {
 
     @SuppressWarnings("unused")
     public void closeIfPossible() {
-
+        // JDK6版本的 URLClassLoader 未继承Closeable接口，无法自动关闭，需要手动释放
         if (this instanceof Closeable) {
             try {
                 ((Closeable) this).close();
@@ -84,17 +83,18 @@ public void closeIfPossible() {
             return;
         }
 
-
         // 对于JDK6的版本，URLClassLoader要关闭起来就显得有点麻烦，这里弄了一大段代码来稍微处理下
         // 而且还不能保证一定释放干净了，至少释放JAR文件句柄是没有什么问题了
         try {
             final Object sun_misc_URLClassPath = forceGetDeclaredFieldValue(URLClassLoader.class, "ucp", this);
-            final Object java_util_Collection = forceGetDeclaredFieldValue(sun_misc_URLClassPath.getClass(), "loaders", sun_misc_URLClassPath);
+            final Object java_util_Collection = forceGetDeclaredFieldValue(sun_misc_URLClassPath.getClass(), "loaders",
+                    sun_misc_URLClassPath);
 
             for (final Object sun_misc_URLClassPath_JarLoader :
                     ((Collection) java_util_Collection).toArray()) {
                 try {
-                    final JarFile java_util_jar_JarFile = forceGetDeclaredFieldValue(sun_misc_URLClassPath_JarLoader.getClass(), "jar", sun_misc_URLClassPath_JarLoader);
+                    final JarFile java_util_jar_JarFile = forceGetDeclaredFieldValue(
+                            sun_misc_URLClassPath_JarLoader.getClass(), "jar", sun_misc_URLClassPath_JarLoader);
                     java_util_jar_JarFile.close();
                 } catch (Throwable t) {
                     // if we got this far, this is probably not a JAR loader so skip it
@@ -107,7 +107,8 @@ public void closeIfPossible() {
 
     }
 
-    private <T> T forceGetDeclaredFieldValue(Class<?> clazz, String name, Object target) throws NoSuchFieldException, IllegalAccessException {
+    private <T> T forceGetDeclaredFieldValue(Class<?> clazz, String name, Object target)
+            throws NoSuchFieldException, IllegalAccessException {
         final Field field = clazz.getDeclaredField(name);
         field.setAccessible(true);
         return (T) field.get(target);

iast-agent/src/main/java/com/secnium/iast/agent/manager/EngineManager.java

@@ -143,6 +143,7 @@ private boolean downloadJarPackageToCacheFromUrl(String fileUrl, String fileName
                 fileOutputStream.write(dataBuffer, 0, bytesRead);
             }
             DongTaiLog.info("The remote file " + fileUrl + " was successfully written to the local cache.");
+            fileOutputStream.close();
             status = true;
         } catch (Exception ignore) {
             DongTaiLog.error("The remote file " + fileUrl + " download failure, please check the iast-token.");

iast-agent/src/main/java/com/secnium/iast/agent/util/http/HttpClientUtils.java

@@ -34,7 +34,6 @@ public class HttpClientUtils {
     private final static IastProperties PROPERTIES = IastProperties.getInstance();
     private final static Proxy PROXY = loadProxy();
 
-//    private static final Logger logger = LogUtils.getLogger(HttpClientUtils.class);
 
     public static StringBuilder sendGet(String uri, String arg, String value) {
         try {
@@ -73,8 +72,8 @@ private static StringBuilder sendRequest(HttpMethods method, String baseUrl, Str
                 connection = proxy == null ? (HttpURLConnection) url.openConnection()
                         : (HttpURLConnection) url.openConnection(proxy);
             }
-            connection.setReadTimeout(10*1000);
-            connection.setConnectTimeout(10*1000);
+            connection.setReadTimeout(10 * 1000);
+            connection.setConnectTimeout(10 * 1000);
 
             connection.setRequestMethod(method.name());
             if (HttpMethods.POST.equals(method)) {

iast-core/src/main/java/com/secnium/iast/core/PropertyUtils.java

@@ -57,7 +57,9 @@ private void init() {
             File propertiesFile = new File(propertiesFilePath);
             if (propertiesFile.exists()) {
                 cfg = new Properties();
-                cfg.load(new FileInputStream(propertiesFile));
+                FileInputStream fis = new FileInputStream(propertiesFile);
+                cfg.load(fis);
+                fis.close();
             }
         } catch (FileNotFoundException e) {
             e.printStackTrace();

iast-core/src/main/java/com/secnium/iast/core/enhance/IastClassAncestorQuery.java

@@ -66,8 +66,8 @@ public synchronized void saveAncestors(String className, String superName, Strin
      * @param interfaces     当前类实现的接口列表
      * @return 当前类的类族
      */
-    public synchronized HashSet<String> getAncestors(String className, String superClassName, String[] interfaces) {
-        HashSet<String> ancestors = (HashSet<String>) this.classAncestorMap.get(className);
+    public synchronized Set<String> getAncestors(String className, String superClassName, String[] interfaces) {
+        Set<String> ancestors = this.classAncestorMap.get(className);
 
         if (!isNullOrEmpty(superClassName) && !BASE_CLASS.equals(superClassName)) {
             addClassToAncestor(superClassName, ancestors);

iast-core/src/main/java/com/secnium/iast/core/enhance/IastClassFileTransformer.java

@@ -23,6 +23,7 @@
 import java.util.HashSet;
 import java.util.List;
 
+import java.util.Set;
 import org.apache.commons.lang3.time.StopWatch;
 import org.objectweb.asm.ClassReader;
 import org.objectweb.asm.ClassVisitor;
@@ -102,7 +103,7 @@ public byte[] transform(final ClassLoader loader,
                 final String className = cr.getClassName();
                 COMMON_UTILS.setLoader(loader);
                 COMMON_UTILS.saveAncestors(className, superName, interfaces);
-                HashSet<String> ancestors = COMMON_UTILS.getAncestors(className, superName, interfaces);
+                Set<String> ancestors = COMMON_UTILS.getAncestors(className, superName, interfaces);
 
                 final ClassWriter cw = createClassWriter(loader, cr);
                 ClassVisitor cv = plugins.initial(cw, IastContext.build(className, ancestors, interfaces,

iast-core/src/main/java/com/secnium/iast/core/enhance/sca/ScaScanner.java

@@ -133,9 +133,9 @@ public InputStream getJarInputStream(String filePath, String name) throws Except
         public void scanClassPath(String packagesPath) {
             String osName = System.getProperty("os.name").toLowerCase();
             String[] packages;
-            if (osName.contains("windows")){
+            if (osName.contains("windows")) {
                 packages = packagesPath.split(";");
-            }else {
+            } else {
                 packages = packagesPath.split(":");
             }
             for (String packagePath : packages) {
@@ -165,6 +165,7 @@ private void scanJarLib(String packagePath) {
             try {
                 JarFile file = new JarFile(packagePath);
                 Enumeration<JarEntry> entries = file.entries();
+                file.close();
                 String entryName;
                 while (entries.hasMoreElements()) {
                     JarEntry entry = entries.nextElement();

iast-core/src/main/java/com/secnium/iast/core/handler/vulscan/normal/CookieFlagsMissingVulScan.java

@@ -15,7 +15,7 @@ public void scan(IastSinkModel sink, MethodEvent event) {
         Asserts.NOT_NULL("sink.params.position", sink.getPos());
         Asserts.NOT_NULL("sink.params.value", event.argumentArray);
 
-        for (Integer pos : taintPos) {
+        for (int pos : taintPos) {
             try {
                 Boolean flag = (Boolean) arguments[pos];
                 if (flag) {

iast-core/src/main/java/com/secnium/iast/core/handler/vulscan/normal/CryptoBacCiphersVulScan.java

@@ -23,7 +23,7 @@ public void scan(IastSinkModel sink, MethodEvent event) {
         Asserts.NOT_NULL("sink.params.value", arguments);
 
         Matcher matcher;
-        for (Integer pos : taintPos) {
+        for (int pos : taintPos) {
             try {
                 matcher = GOOD_CIPHERS.matcher((CharSequence) arguments[pos]);
                 if (matcher.find()) {

iast-core/src/main/java/com/secnium/iast/core/handler/vulscan/normal/CryptoBadMacVulScan.java

@@ -23,7 +23,7 @@ public void scan(IastSinkModel sink, MethodEvent event) {
         Asserts.NOT_NULL("sink.mac.params", arguments);
 
         Matcher matcher;
-        for (Integer pos : taintPos) {
+        for (int pos : taintPos) {
             try {
                 matcher = GOOD_MAC_PAT.matcher((CharSequence) arguments[pos]);
                 if (matcher.find()) {

iast-core/src/main/java/com/secnium/iast/core/util/HttpClientUtils.java

@@ -157,6 +157,8 @@ public static void downloadRemoteJar(String fileURI, String fileName) {
             while ((bytesRead = in.read(dataBuffer, 0, 1024)) != -1) {
                 fileOutputStream.write(dataBuffer, 0, bytesRead);
             }
+            in.close();
+            fileOutputStream.close();
             DongTaiLog.info("The remote file {} was successfully written to the local cache", fileURI);
         } catch (Exception ignore) {
             DongTaiLog.error("The remote file {} download failure, please check the iast-token", fileURI);

iast-core/src/main/resources/com.secnium.iast.resources/blacklist.txt

@@ -26368,7 +26368,6 @@ javax/naming/CompoundName
 javax/naming/ConfigurationException
 javax/naming/Context
 javax/naming/ContextNotEmptyException
-javax/naming/InitialContext
 javax/naming/InvalidNameException
 javax/naming/LinkException
 javax/naming/LinkRef