From 3655ef6df39ad43e8e39174cd0f80bdeb3c8ea34 Mon Sep 17 00:00:00 2001 From: owefsad Date: Sat, 8 Jan 2022 13:44:38 +0800 Subject: [PATCH 1/3] Fix: codeql notify
---
 .../java/cn/huoxian/iast/api/HttpRequest.java | 2 ++
 .../com/secnium/iast/agent/IastClassLoader.java | 15 ++++++++-------
 .../secnium/iast/agent/manager/EngineManager.java | 1 +
 .../iast/agent/util/http/HttpClientUtils.java | 5 ++---
 .../java/com/secnium/iast/core/PropertyUtils.java | 4 +++-
 .../secnium/iast/core/enhance/sca/ScaScanner.java | 5 +++--
 .../vulscan/normal/CryptoBadMacVulScan.java | 2 +-
 .../secnium/iast/core/util/HttpClientUtils.java | 2 ++
 .../com.secnium.iast.resources/blacklist.txt | 1 -
 9 files changed, 22 insertions(+), 15 deletions(-)
diff --git a/dongtai-servlet-api/src/main/java/cn/huoxian/iast/api/HttpRequest.java b/dongtai-servlet-api/src/main/java/cn/huoxian/iast/api/HttpRequest.java
index 34628bacd..853017a37 100644
--- a/dongtai-servlet-api/src/main/java/cn/huoxian/iast/api/HttpRequest.java
+++ b/dongtai-servlet-api/src/main/java/cn/huoxian/iast/api/HttpRequest.java
@@ -71,6 +71,8 @@ private static String getPostBody(HttpServletRequest request) {
 while ((str = reader.readLine()) != null) {
 postBody.append(str);
 }
+ inputStream.close();
+ reader.close();
 return postBody.toString();
 } else {
 request.setCharacterEncoding("UTF-8");
diff --git a/iast-agent/src/main/java/com/secnium/iast/agent/IastClassLoader.java b/iast-agent/src/main/java/com/secnium/iast/agent/IastClassLoader.java
index ed75664c8..7e23d9355 100755
--- a/iast-agent/src/main/java/com/secnium/iast/agent/IastClassLoader.java
+++ b/iast-agent/src/main/java/com/secnium/iast/agent/IastClassLoader.java
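Review bot: The two new `close()` calls sit inside the try body after the read loop, so they are skipped whenever `readLine()` throws, and the stream is leaked on exactly the error path a resource-leak finding is about; the enclosing try and its catch start and end outside the hunk. Move them into a `finally` (or try-with-resources if this module targets Java 7+), and close only the reader — assuming `reader` wraps `inputStream` as the names suggest, `reader.close()` closes the underlying stream itself, so the first added line is redundant and the current order closes the wrapped stream before the wrapper. Separately, `postBody.append(str)` discards every line terminator that `readLine()` strips, so the captured body is not byte-identical to what the application received; if reporting or taint matching depends on the exact body, re-insert a newline between lines or read the stream raw.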
@@ -22,7 +22,7 @@ public class IastClassLoader extends URLClassLoader {
 private final String path;
 public IastClassLoader(final String namespace,
- final String jarFilePath) throws MalformedURLException {
+ final String jarFilePath) throws MalformedURLException {
 super(new URL[]{new URL("file:" + jarFilePath)});
 this.path = jarFilePath;
 this.toString = String.format("IastClassLoader[namespace=%s;path=%s;]", namespace, path);
@@ -55,7 +55,6 @@ protected synchronized Class loadClass(String name, boolean resolve) throws C
 return loadedClass;
 }
-
 try {
 Class aClass = findClass(name);
 if (resolve) {
@@ -75,7 +74,7 @@ public String toString() {
 @SuppressWarnings("unused")
 public void closeIfPossible() {
-
+ // JDK6版本的 URLClassLoader 未继承Closeable接口,无法自动关闭,需要手动释放
 if (this instanceof Closeable) {
 try {
 ((Closeable) this).close();
@@ -84,17 +83,18 @@ public void closeIfPossible() {
 return;
 }
- // 对于JDK6的版本,URLClassLoader要关闭起来就显得有点麻烦,这里弄了一大段代码来稍微处理下
 // 而且还不能保证一定释放干净了,至少释放JAR文件句柄是没有什么问题了
 try {
 final Object sun_misc_URLClassPath = forceGetDeclaredFieldValue(URLClassLoader.class, "ucp", this);
- final Object java_util_Collection = forceGetDeclaredFieldValue(sun_misc_URLClassPath.getClass(), "loaders", sun_misc_URLClassPath);
+ final Object java_util_Collection = forceGetDeclaredFieldValue(sun_misc_URLClassPath.getClass(), "loaders",
+ sun_misc_URLClassPath);
 for (final Object sun_misc_URLClassPath_JarLoader : ((Collection) java_util_Collection).toArray()) {
 try {
- final JarFile java_util_jar_JarFile = forceGetDeclaredFieldValue(sun_misc_URLClassPath_JarLoader.getClass(), "jar", sun_misc_URLClassPath_JarLoader);
+ final JarFile java_util_jar_JarFile = forceGetDeclaredFieldValue(
+ sun_misc_URLClassPath_JarLoader.getClass(), "jar", sun_misc_URLClassPath_JarLoader);
 java_util_jar_JarFile.close();
 } catch (Throwable t) {
 // if we got this far, this is probably not a JAR loader so skip it
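Review bot: The comment kept above `try {` now begins with "而且还不能保证…" ("moreover, it is not guaranteed to release everything"), a continuation of the line this hunk deletes, while the explanation itself was moved up over the `instanceof Closeable` branch — the one path that needs no manual work — so the reflective fallback loses its rationale and the Closeable branch carries a misleading one. Restore a one-line lead-in above `try {`, e.g. `// JDK 6 fallback: URLClassLoader is not Closeable there, so release JAR handles by reflecting into ucp/loaders (best effort, may not free everything)`, and drop or move the comment added in the earlier hunk; writing it in English would also match the `// if we got this far…` line already in this method. The reflective path reads private JDK internals (`ucp`, `loaders`, `jar`) and is only reachable on pre-7 JDKs, which is worth stating in that comment so nobody tries to run it on a modularized JDK. closeIfPossible continues past the end of the hunk.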
@@ -107,7 +107,8 @@ public void closeIfPossible() {
 }
- private T forceGetDeclaredFieldValue(Class clazz, String name, Object target) throws NoSuchFieldException, IllegalAccessException {
+ private T forceGetDeclaredFieldValue(Class clazz, String name, Object target)
+ throws NoSuchFieldException, IllegalAccessException {
 final Field field = clazz.getDeclaredField(name);
 field.setAccessible(true);
 return (T) field.get(target);
diff --git a/iast-agent/src/main/java/com/secnium/iast/agent/manager/EngineManager.java b/iast-agent/src/main/java/com/secnium/iast/agent/manager/EngineManager.java
index d299b5c1b..778dc3f39 100644
--- a/iast-agent/src/main/java/com/secnium/iast/agent/manager/EngineManager.java
+++ b/iast-agent/src/main/java/com/secnium/iast/agent/manager/EngineManager.java
@@ -143,6 +143,7 @@ private boolean downloadJarPackageToCacheFromUrl(String fileUrl, String fileName
 fileOutputStream.write(dataBuffer, 0, bytesRead);
 }
 DongTaiLog.info("The remote file " + fileUrl + " was successfully written to the local cache.");
+ fileOutputStream.close();
 status = true;
 } catch (Exception ignore) {
 DongTaiLog.error("The remote file " + fileUrl + " download failure, please check the iast-token.");
diff --git a/iast-agent/src/main/java/com/secnium/iast/agent/util/http/HttpClientUtils.java b/iast-agent/src/main/java/com/secnium/iast/agent/util/http/HttpClientUtils.java
index 545c71045..4a27b0e1c 100644
--- a/iast-agent/src/main/java/com/secnium/iast/agent/util/http/HttpClientUtils.java
+++ b/iast-agent/src/main/java/com/secnium/iast/agent/util/http/HttpClientUtils.java
@@ -34,7 +34,6 @@ public class HttpClientUtils {
 private final static IastProperties PROPERTIES = IastProperties.getInstance();
 private final static Proxy PROXY = loadProxy();
-// private static final Logger logger = LogUtils.getLogger(HttpClientUtils.class);
 public static StringBuilder sendGet(String uri, String arg, String value) {
 try {
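Review bot: `fileOutputStream.close()` is added inside the try after the success log, so a failure in the write loop skips it and the handle leaks, while a failure in `close()` itself — the point where buffered data is flushed — is logged as "successfully written" before the catch reports a download failure. Close the stream in a `finally` and emit the success log only after `close()` returns; the catch also blames every exception on the token, which hides a disk-full or permission error — pass `ignore` to the logger or rename it. The jar cached here is presumably what `IastClassLoader` later loads into the target JVM, and nothing in this hunk verifies it (checksum or signature) before it lands under its final name; if that check does not happen elsewhere, a truncated or tampered download becomes loadable code. The method's try/catch starts and ends outside the hunk.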
@@ -73,8 +72,8 @@ private static StringBuilder sendRequest(HttpMethods method, String baseUrl, Str
 connection = proxy == null ? (HttpURLConnection) url.openConnection() : (HttpURLConnection) url.openConnection(proxy);
 }
- connection.setReadTimeout(10*1000);
- connection.setConnectTimeout(10*1000);
+ connection.setReadTimeout(10 * 1000);
+ connection.setConnectTimeout(10 * 1000);
 connection.setRequestMethod(method.name());
 if (HttpMethods.POST.equals(method)) {
diff --git a/iast-core/src/main/java/com/secnium/iast/core/PropertyUtils.java b/iast-core/src/main/java/com/secnium/iast/core/PropertyUtils.java
index e259fea1a..1b57d8295 100644
--- a/iast-core/src/main/java/com/secnium/iast/core/PropertyUtils.java
+++ b/iast-core/src/main/java/com/secnium/iast/core/PropertyUtils.java
@@ -57,7 +57,9 @@ private void init() {
 File propertiesFile = new File(propertiesFilePath);
 if (propertiesFile.exists()) {
 cfg = new Properties();
- cfg.load(new FileInputStream(propertiesFile));
+ FileInputStream fis = new FileInputStream(propertiesFile);
+ cfg.load(fis);
+ fis.close();
 }
 } catch (FileNotFoundException e) {
 e.printStackTrace();
diff --git a/iast-core/src/main/java/com/secnium/iast/core/enhance/sca/ScaScanner.java b/iast-core/src/main/java/com/secnium/iast/core/enhance/sca/ScaScanner.java
index e5af5da3e..b25fd695d 100644
--- a/iast-core/src/main/java/com/secnium/iast/core/enhance/sca/ScaScanner.java
+++ b/iast-core/src/main/java/com/secnium/iast/core/enhance/sca/ScaScanner.java
@@ -133,9 +133,9 @@ public InputStream getJarInputStream(String filePath, String name) throws Except
 public void scanClassPath(String packagesPath) {
 String osName = System.getProperty("os.name").toLowerCase();
 String[] packages;
- if (osName.contains("windows")){
+ if (osName.contains("windows")) {
 packages = packagesPath.split(";");
-}else {
+ } else {
 packages = packagesPath.split(":");
 }
 for (String packagePath : packages) {
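Review bot: `fis.close()` only runs when `cfg.load(fis)` returns normally; if `load` throws an `IOException` the descriptor is leaked, which is the same leak shape the commit sets out to fix, just moved one line down. Since the agent still supports JDK 6 (per the comments in IastClassLoader in this same patch), use a plain try/finally: `FileInputStream fis = new FileInputStream(propertiesFile); try { cfg.load(fis); } finally { fis.close(); }`. The `e.printStackTrace()` in the catch should also go through `DongTaiLog` like the rest of the patch, so a missing or unreadable agent config is visible in the same place as other agent errors. The enclosing try/catch of init starts and ends outside the hunk.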
@@ -165,6 +165,7 @@ private void scanJarLib(String packagePath) {
 try {
 JarFile file = new JarFile(packagePath);
 Enumeration entries = file.entries();
+ file.close();
 String entryName;
 while (entries.hasMoreElements()) {
 JarEntry entry = entries.nextElement();
diff --git a/iast-core/src/main/java/com/secnium/iast/core/handler/vulscan/normal/CryptoBadMacVulScan.java b/iast-core/src/main/java/com/secnium/iast/core/handler/vulscan/normal/CryptoBadMacVulScan.java
index 737040899..22b8334e0 100644
--- a/iast-core/src/main/java/com/secnium/iast/core/handler/vulscan/normal/CryptoBadMacVulScan.java
+++ b/iast-core/src/main/java/com/secnium/iast/core/handler/vulscan/normal/CryptoBadMacVulScan.java
@@ -23,7 +23,7 @@ public void scan(IastSinkModel sink, MethodEvent event) {
 Asserts.NOT_NULL("sink.mac.params", arguments);
 Matcher matcher;
- for (Integer pos : taintPos) {
+ for (int pos : taintPos) {
 try {
 matcher = GOOD_MAC_PAT.matcher((CharSequence) arguments[pos]);
 if (matcher.find()) {
diff --git a/iast-core/src/main/java/com/secnium/iast/core/util/HttpClientUtils.java b/iast-core/src/main/java/com/secnium/iast/core/util/HttpClientUtils.java
index 77314fd9c..185908f8f 100644
--- a/iast-core/src/main/java/com/secnium/iast/core/util/HttpClientUtils.java
+++ b/iast-core/src/main/java/com/secnium/iast/core/util/HttpClientUtils.java
@@ -157,6 +157,8 @@ public static void downloadRemoteJar(String fileURI, String fileName) {
 while ((bytesRead = in.read(dataBuffer, 0, 1024)) != -1) {
 fileOutputStream.write(dataBuffer, 0, bytesRead);
 }
+ in.close();
+ fileOutputStream.close();
 DongTaiLog.info("The remote file {} was successfully written to the local cache", fileURI);
 } catch (Exception ignore) {
 DongTaiLog.error("The remote file {} download failure, please check the iast-token", fileURI);
diff --git a/iast-core/src/main/resources/com.secnium.iast.resources/blacklist.txt b/iast-core/src/main/resources/com.secnium.iast.resources/blacklist.txt
index 18c06e88c..47f832035 100644
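Review bot: `file.close()` is now called before the `while (entries.hasMoreElements())` loop that consumes the enumeration returned by `file.entries()`; that enumeration is backed by the open `JarFile`, and after `close()` its `hasMoreElements()`/`nextElement()` throw `IllegalStateException("zip file closed")`, so as far as this hunk shows the SCA scan of every jar on the class path now dies on the first iteration — and because the surrounding `try` has its catch outside the hunk, that may be swallowed silently rather than reported. Replace the added line with `try {` placed after `JarFile file = new JarFile(packagePath);`, and after the loop's closing brace add `} finally { file.close(); }`, so the jar is released whether or not entry processing throws. The loop body and the catch of the enclosing try lie outside the hunk.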
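Review bot: The loop now unboxes `pos` up front, but the check one line down still relies on `matcher.find()` against `GOOD_MAC_PAT`; unless that pattern is anchored with `^…$`, `find()` accepts any MAC algorithm string that merely contains an allowed name as a substring, so a weak algorithm could pass the allow-list by sharing a prefix or suffix with a good one — hedged, since the pattern is declared outside the hunk. If the pattern is a plain alternation of algorithm names, switch to `matcher.matches()` (or anchor the pattern) so the whole argument must be an allowed MAC. The try around the check and the rest of `scan` continue past the end of the hunk.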
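Review bot: Both added `close()` calls are inside the try after the copy loop, so when `in.read` or `write` throws neither stream is closed and the half-written file is left in the cache directory under its final `fileName`; if a later start-up prefers a cached jar to a fresh download, a truncated jar is what gets handed to the class loader. Close both streams in a `finally`, and on the failure path delete the partial file — or write to a temporary name and rename only after a successful `close()` — so the cache never holds an incomplete artifact. The `catch (Exception ignore)` also blames every failure on the token; log the exception so a write error is distinguishable from an auth error. `downloadRemoteJar`'s try/catch starts and ends outside the hunk.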
--- a/iast-core/src/main/resources/com.secnium.iast.resources/blacklist.txt
+++ b/iast-core/src/main/resources/com.secnium.iast.resources/blacklist.txt
@@ -26368,7 +26368,6 @@ javax/naming/CompoundName
 javax/naming/ConfigurationException
 javax/naming/Context
 javax/naming/ContextNotEmptyException
-javax/naming/InitialContext
 javax/naming/InvalidNameException
 javax/naming/LinkException
 javax/naming/LinkRef
From 944bc7f0895ffd71f41ee148c134e3b607f47ea6 Mon Sep 17 00:00:00 2001 From: owefsad Date: Sat, 8 Jan 2022 13:54:07 +0800 Subject: [PATCH 2/3] Fix codeql: Cast from abstract to concrete collection
---
 .../com/secnium/iast/core/enhance/IastClassAncestorQuery.java | 4 ++--
 .../secnium/iast/core/enhance/IastClassFileTransformer.java | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/iast-core/src/main/java/com/secnium/iast/core/enhance/IastClassAncestorQuery.java b/iast-core/src/main/java/com/secnium/iast/core/enhance/IastClassAncestorQuery.java
index ced94e202..4df4e8724 100644
--- a/iast-core/src/main/java/com/secnium/iast/core/enhance/IastClassAncestorQuery.java
+++ b/iast-core/src/main/java/com/secnium/iast/core/enhance/IastClassAncestorQuery.java
@@ -66,8 +66,8 @@ public synchronized void saveAncestors(String className, String superName, Strin
 * @param interfaces 当前类实现的接口列表
 * @return 当前类的类族
 */
- public synchronized HashSet getAncestors(String className, String superClassName, String[] interfaces) {
- HashSet ancestors = (HashSet) this.classAncestorMap.get(className);
+ public synchronized Set getAncestors(String className, String superClassName, String[] interfaces) {
+ Set ancestors = this.classAncestorMap.get(className);
 if (!isNullOrEmpty(superClassName) && !BASE_CLASS.equals(superClassName)) {
 addClassToAncestor(superClassName, ancestors);
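Review bot: Removing `javax/naming/InitialContext` from the transform blacklist is a functional change — the agent will now instrument `InitialContext`, presumably so JNDI lookups can be observed as a sink — but it is bundled into a commit titled "Fix: codeql notify" with no mention in the description, so anyone auditing which JDK classes the agent hooks will not find it. Call it out in the commit message (one line such as "also allow instrumentation of javax.naming.InitialContext for JNDI sink detection"), and make sure the hook that will now land on this class fails open: an exception thrown from the instrumentation must not turn every `InitialContext.lookup()` in the host application into a failure, since that path sits under JNDI-dependent frameworks and data-source lookups. The rest of the blacklist is outside the hunk, so whether related classes such as `javax/naming/Context` subclasses are still excluded cannot be checked from here.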
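Review bot: The new `Set ancestors = this.classAncestorMap.get(className)` still hands callers the live set stored in `classAncestorMap`, so any mutation by a caller happens outside this method's `synchronized` and races with `saveAncestors`; now that the declared return type is the `Set` interface, returning `Collections.unmodifiableSet(ancestors)` (or a copy) would close that gap without affecting read-only callers — worth checking whether `IastContext` mutates it before doing so. The lookup can also return null when `saveAncestors` has not run for `className`, and `addClassToAncestor(superClassName, ancestors)` is then invoked with null; the transformer in this patch calls `saveAncestors` first, but the method is public, so a null guard (`if (ancestors == null) { ancestors = new HashSet(); this.classAncestorMap.put(className, ancestors); }`, or whatever the map's declared value type is) would make it safe for any other caller. The method body continues past the end of the hunk.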
diff --git a/iast-core/src/main/java/com/secnium/iast/core/enhance/IastClassFileTransformer.java b/iast-core/src/main/java/com/secnium/iast/core/enhance/IastClassFileTransformer.java
index 4fad5490d..e21cf0c7e 100755
--- a/iast-core/src/main/java/com/secnium/iast/core/enhance/IastClassFileTransformer.java
+++ b/iast-core/src/main/java/com/secnium/iast/core/enhance/IastClassFileTransformer.java
@@ -23,6 +23,7 @@ import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 import org.apache.commons.lang3.time.StopWatch;
 import org.objectweb.asm.ClassReader;
 import org.objectweb.asm.ClassVisitor;
@@ -102,7 +103,7 @@ public byte[] transform(final ClassLoader loader,
 final String className = cr.getClassName();
 COMMON_UTILS.setLoader(loader);
 COMMON_UTILS.saveAncestors(className, superName, interfaces);
- HashSet ancestors = COMMON_UTILS.getAncestors(className, superName, interfaces);
+ Set ancestors = COMMON_UTILS.getAncestors(className, superName, interfaces);
 final ClassWriter cw = createClassWriter(loader, cr);
 ClassVisitor cv = plugins.initial(cw, IastContext.build(className, ancestors, interfaces,
From d93bc318b3c37f319bdc580cb5a69ea011ecd6d1 Mon Sep 17 00:00:00 2001 From: owefsad Date: Sat, 8 Jan 2022 13:56:19 +0800 Subject: [PATCH 3/3] Fix codeql: Boxed variable is never null
---
 .../core/handler/vulscan/normal/CookieFlagsMissingVulScan.java | 2 +-
 .../core/handler/vulscan/normal/CryptoBacCiphersVulScan.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/iast-core/src/main/java/com/secnium/iast/core/handler/vulscan/normal/CookieFlagsMissingVulScan.java b/iast-core/src/main/java/com/secnium/iast/core/handler/vulscan/normal/CookieFlagsMissingVulScan.java
index aa9d81780..cf8abdcd2 100644
--- a/iast-core/src/main/java/com/secnium/iast/core/handler/vulscan/normal/CookieFlagsMissingVulScan.java
+++ b/iast-core/src/main/java/com/secnium/iast/core/handler/vulscan/normal/CookieFlagsMissingVulScan.java
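Review bot: With the local changed to `Set ancestors`, the `import java.util.HashSet;` kept in the first hunk is likely dead unless `HashSet` is still referenced elsewhere in the file — if it is not, drop it so the import hunk does not leave an unused import behind. A second thing worth noting while this line is touched: `COMMON_UTILS.setLoader(loader)` followed by `saveAncestors`/`getAncestors` on what looks like a shared static helper is executed from `transform`, which the JVM may call concurrently from several class-loading threads, and only the ancestor methods are `synchronized` (per the previous hunk), so the loader set on the shared instance can be overwritten between the two calls; that is pre-existing, but worth a `// NOTE: shared helper, not thread-confined` comment or a per-call argument. `transform` begins before and continues past the hunk.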
@@ -15,7 +15,7 @@ public void scan(IastSinkModel sink, MethodEvent event) {
 Asserts.NOT_NULL("sink.params.position", sink.getPos());
 Asserts.NOT_NULL("sink.params.value", event.argumentArray);
- for (Integer pos : taintPos) {
+ for (int pos : taintPos) {
 try {
 Boolean flag = (Boolean) arguments[pos];
 if (flag) {
diff --git a/iast-core/src/main/java/com/secnium/iast/core/handler/vulscan/normal/CryptoBacCiphersVulScan.java b/iast-core/src/main/java/com/secnium/iast/core/handler/vulscan/normal/CryptoBacCiphersVulScan.java
index e442b3c2d..98ae4e876 100644
--- a/iast-core/src/main/java/com/secnium/iast/core/handler/vulscan/normal/CryptoBacCiphersVulScan.java
+++ b/iast-core/src/main/java/com/secnium/iast/core/handler/vulscan/normal/CryptoBacCiphersVulScan.java
@@ -23,7 +23,7 @@ public void scan(IastSinkModel sink, MethodEvent event) {
 Asserts.NOT_NULL("sink.params.value", arguments);
 Matcher matcher;
- for (Integer pos : taintPos) {
+ for (int pos : taintPos) {
 try {
 matcher = GOOD_CIPHERS.matcher((CharSequence) arguments[pos]);
 if (matcher.find()) {
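Review bot: The CodeQL finding is fixed for `pos`, but the same unboxing hazard remains two lines down: `Boolean flag = (Boolean) arguments[pos]; if (flag)` auto-unboxes `flag`, so if the captured argument can be null (or is not a `Boolean` because the sink is configured on a method with a different signature) the check throws NullPointerException or ClassCastException inside the `try`, whose catch is outside the hunk, and the cookie-flag check for that call is silently skipped rather than reported. `if (Boolean.TRUE.equals(arguments[pos]))` handles both cases without the cast and makes the intent — "the flag was explicitly set to true" — visible. The rest of `scan` continues past the end of the hunk.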
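Review bot: `GOOD_CIPHERS.matcher((CharSequence) arguments[pos])` with `matcher.find()` is a substring match over what is presumably the full transformation string passed to `Cipher.getInstance`, so `"AES/ECB/PKCS5Padding"` satisfies an unanchored allow-list that mentions `AES`, even though ECB is exactly the mode such a check should flag — hedged, since `GOOD_CIPHERS` is declared outside the hunk. If the pattern only lists algorithm names, either anchor it and match the whole `algorithm/mode/padding` triple (e.g. `^AES/(GCM|CBC)/[^/]+$`), or split the argument on `/` and check the mode component separately. The loop's try/catch and the rest of `scan` are outside the hunk.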