Merge branch '1.2.2'
Aaron Lewis committed Nov 28, 2019
2 parents 4e4dcf1 + a99da4c commit ede28ac
Showing 14 changed files with 299 additions and 86 deletions.
108 changes: 94 additions & 14 deletions agent/java/engine/src/main/java/com/baidu/openrasp/config/Config.java
Expand Up @@ -27,6 +27,7 @@
import com.baidu.openrasp.plugin.checker.local.ConfigurableChecker;
import com.baidu.openrasp.tool.FileUtil;
import com.baidu.openrasp.tool.LRUCache;
import com.baidu.openrasp.tool.Reflection;
import com.baidu.openrasp.tool.cpumonitor.CpuMonitorManager;
import com.baidu.openrasp.tool.filemonitor.FileScanListener;
import com.baidu.openrasp.tool.filemonitor.FileScanMonitor;
Expand Down Expand Up @@ -88,7 +89,9 @@ public enum Item {
CPU_USAGE_PERCENT("cpu.usage.percent", "90"),
CPU_USAGE_ENABLE("cpu.usage.enable", "false"),
CPU_USAGE_INTERVAL("cpu.usage.interval", "5"),
HTTPS_VERIFY_SSL("openrasp.ssl_verifypeer", "false");
HTTPS_VERIFY_SSL("openrasp.ssl_verifypeer", "false"),
LRU_COMPARE_ENABLE("lru.compare_enable", "false"),
LRU_COMPARE_LIMIT("lru.compare_limit", "10240");


Item(String key, String defaultValue) {
Expand Down Expand Up @@ -166,6 +169,8 @@ public String toString() {
private boolean isHttpsVerifyPeer;
private String raspId;
private HashSet<Integer> sqlErrorCodes = new HashSet<Integer>();
private boolean lruCompareEnable;
private int lruCompareLimit;


static {
Expand Down Expand Up @@ -475,7 +480,7 @@ public long getPluginTimeout() {
public synchronized void setPluginTimeout(String pluginTimeout) {
long value = Long.parseLong(pluginTimeout);
if (value <= 0) {
throw new ConfigLoadException(Item.PLUGIN_TIMEOUT_MILLIS.name() + " must be greater than 0");
throw new ConfigLoadException(Item.PLUGIN_TIMEOUT_MILLIS.toString() + " must be greater than 0");
}
this.pluginTimeout = value;
}
Expand Down Expand Up @@ -519,7 +524,7 @@ public int getBodyMaxBytes() {
public synchronized void setBodyMaxBytes(String bodyMaxBytes) {
int value = Integer.parseInt(bodyMaxBytes);
if (value <= 0) {
throw new ConfigLoadException(Item.BODY_MAX_BYTES.name() + " must be greater than 0");
throw new ConfigLoadException(Item.BODY_MAX_BYTES.toString() + " must be greater than 0");
}
this.bodyMaxBytes = value;
}
Expand All @@ -531,7 +536,7 @@ public int getSqlSlowQueryMinCount() {
public synchronized void setSqlSlowQueryMinCount(String sqlSlowQueryMinCount) {
int value = Integer.parseInt(sqlSlowQueryMinCount);
if (value < 0) {
throw new ConfigLoadException(Item.SQL_SLOW_QUERY_MIN_ROWS.name() + " can not be less than 0");
throw new ConfigLoadException(Item.SQL_SLOW_QUERY_MIN_ROWS.toString() + " can not be less than 0");
}
this.sqlSlowQueryMinCount = value;
}
Expand Down Expand Up @@ -571,7 +576,7 @@ public int getPluginMaxStack() {
public synchronized void setPluginMaxStack(String pluginMaxStack) {
int value = Integer.parseInt(pluginMaxStack);
if (value < 0) {
throw new ConfigLoadException(Item.PLUGIN_MAX_STACK.name() + " can not be less than 0");
throw new ConfigLoadException(Item.PLUGIN_MAX_STACK.toString() + " can not be less than 0");
}
this.pluginMaxStack = value;
}
Expand Down Expand Up @@ -647,7 +652,7 @@ public int getOgnlMinLength() {
public synchronized void setOgnlMinLength(String ognlMinLength) {
int value = Integer.parseInt(ognlMinLength);
if (value <= 0) {
throw new ConfigLoadException(Item.OGNL_EXPRESSION_MIN_LENGTH.name() + " must be greater than 0");
throw new ConfigLoadException(Item.OGNL_EXPRESSION_MIN_LENGTH.toString() + " must be greater than 0");
}
this.ognlMinLength = value;
}
Expand All @@ -669,7 +674,7 @@ public int getBlockStatusCode() {
public synchronized void setBlockStatusCode(String blockStatusCode) {
int value = Integer.parseInt(blockStatusCode);
if (value < 100 || value > 999) {
throw new ConfigLoadException(Item.BLOCK_STATUS_CODE.name() + " must be between [100,999]");
throw new ConfigLoadException(Item.BLOCK_STATUS_CODE.toString() + " must be between [100,999]");
}
this.blockStatusCode = value;
}
Expand All @@ -684,6 +689,53 @@ public int getDebugLevel() {
return debugLevel;
}

/**
* 设置 LRU 内容匹配开关
*
* @param lruCompareEnable lru 匹配开关
*/
public synchronized void setLruCompareEnable(String lruCompareEnable) {
boolean value = Boolean.parseBoolean(lruCompareEnable);
if (value != this.lruCompareEnable) {
this.lruCompareEnable = value;
commonLRUCache.clear();
}
}

/**
* 获取 LRU 内容匹配开关
*
* @return LRU 内容匹配开关
*/
public boolean getLruCompareEnable() {
return lruCompareEnable;
}

/**
* 设置 LRU 匹配最长字节
*
* @param lruCompareLimit LRU 匹配最长字节
*/
public synchronized void setLruCompareLimit(String lruCompareLimit) {
int value = Integer.parseInt(lruCompareLimit);
if (value <= 0 || value > 102400) {
throw new ConfigLoadException(Item.LRU_COMPARE_LIMIT.toString() + " must be between [1,102400]");
}
if (value < this.lruCompareLimit) {
commonLRUCache.clear();
}
this.lruCompareLimit = value;
}

/**
* 获取 LRU 匹配最长字节
*
* @return LRU 匹配最长字节
*/
public int getLruCompareLimit() {
return lruCompareLimit;
}

/**
* 是否开启调试
*
Expand Down Expand Up @@ -900,7 +952,7 @@ public int getSqlCacheCapacity() {
public synchronized void setSqlCacheCapacity(String sqlCacheCapacity) {
int value = Integer.parseInt(sqlCacheCapacity);
if (value < 0) {
throw new ConfigLoadException(Item.SQL_CACHE_CAPACITY.name() + " can not be less than 0");
throw new ConfigLoadException(Item.SQL_CACHE_CAPACITY.toString() + " can not be less than 0");
}
this.sqlCacheCapacity = value;
if (Config.commonLRUCache == null || Config.commonLRUCache.maxSize() != this.sqlCacheCapacity) {
Expand Down Expand Up @@ -984,7 +1036,7 @@ public int getSyslogFacility() {
public synchronized void setSyslogFacility(String syslogFacility) {
int value = Integer.parseInt(syslogFacility);
if (!(value >= 0 && value <= 23)) {
throw new ConfigLoadException(Item.SYSLOG_FACILITY.name() + " must be between [0,23]");
throw new ConfigLoadException(Item.SYSLOG_FACILITY.toString() + " must be between [0,23]");
}
this.syslogFacility = value;
}
Expand All @@ -1006,7 +1058,7 @@ public int getSyslogReconnectInterval() {
public synchronized void setSyslogReconnectInterval(String syslogReconnectInterval) {
int value = Integer.parseInt(syslogReconnectInterval);
if (value <= 0) {
throw new ConfigLoadException(Item.SYSLOG_RECONNECT_INTERVAL.name() + " must be greater than 0");
throw new ConfigLoadException(Item.SYSLOG_RECONNECT_INTERVAL.toString() + " must be greater than 0");
}
this.syslogReconnectInterval = value;
}
Expand All @@ -1028,7 +1080,7 @@ public int getLogMaxBurst() {
public synchronized void setLogMaxBurst(String logMaxBurst) {
int value = Integer.parseInt(logMaxBurst);
if (value < 0) {
throw new ConfigLoadException(Item.LOG_MAXBURST.name() + " can not be less than 0");
throw new ConfigLoadException(Item.LOG_MAXBURST.toString() + " can not be less than 0");
}
this.logMaxBurst = value;
}
Expand Down Expand Up @@ -1158,7 +1210,7 @@ public int getHeartbeatInterval() {
public synchronized void setHeartbeatInterval(String heartbeatInterval) {
int value = Integer.parseInt(heartbeatInterval);
if (!(value >= 10 && value <= 1800)) {
throw new ConfigLoadException(Item.HEARTBEAT_INTERVAL.name() + " must be between [10,1800]");
throw new ConfigLoadException(Item.HEARTBEAT_INTERVAL.toString() + " must be between [10,1800]");
}
this.heartbeatInterval = value;
}
Expand Down Expand Up @@ -1196,6 +1248,28 @@ public Map<Object, Object> getResponseHeaders() {
* @param responseHeaders 待设置response header数组
*/
public synchronized void setResponseHeaders(Map<Object, Object> responseHeaders) {
for (Map.Entry<Object, Object> entry : responseHeaders.entrySet()) {
Object k = entry.getKey();
Object v = entry.getValue();
if (k == null || v == null) {
throw new ConfigLoadException("the value of " + Item.RESPONSE_HEADERS.toString() +
"'s key and value can not be null");
}
if (!Reflection.isPrimitiveType(v) && !(v instanceof String)) {
throw new ConfigLoadException("the type of " + Item.RESPONSE_HEADERS.toString() +
"'s value must be primitive type or String, can not be " + v.getClass().getName());
}
String key = v.toString();
String value = v.toString();
if (key.length() == 0 || key.length() > 200) {
throw new ConfigLoadException("the length of " + Item.RESPONSE_HEADERS.toString() +
"'s key must be between [1,200]");
}
if (value.length() == 0 || value.length() > 200) {
throw new ConfigLoadException("the length of " + Item.RESPONSE_HEADERS.toString() +
"'s value must be between [1,200]");
}
}
this.responseHeaders = responseHeaders;
LOGGER.info(RESPONSE_HEADERS + ": " + responseHeaders);
}
Expand All @@ -1222,7 +1296,7 @@ public int getLogMaxBackUp() {
public synchronized void setLogMaxBackUp(String logMaxBackUp) {
int value = Integer.parseInt(logMaxBackUp) + 1;
if (value <= 0) {
throw new ConfigLoadException(Item.LOG_MAX_BACKUP.name() + " can not be less than 0");
throw new ConfigLoadException(Item.LOG_MAX_BACKUP.toString() + " can not be less than 0");
}
this.logMaxBackUp = value;
}
Expand Down Expand Up @@ -1289,7 +1363,7 @@ public int getCpuUsagePercent() {
public void setCpuUsagePercent(String cpuUsagePercent) {
int value = Integer.parseInt(cpuUsagePercent);
if (!(value >= 30 && value <= 100)) {
throw new ConfigLoadException(Item.CPU_USAGE_PERCENT.name() + " must be between [30,100]");
throw new ConfigLoadException(Item.CPU_USAGE_PERCENT.toString() + " must be between [30,100]");
}
this.cpuUsagePercent = value;
}
Expand Down Expand Up @@ -1437,6 +1511,12 @@ public boolean setConfig(String key, String value, boolean isInit) throws Except
} else if (Item.CPU_USAGE_INTERVAL.key.equals(key)) {
setCpuUsageCheckInterval(value);
currentValue = getCpuUsageCheckInterval();
} else if (Item.LRU_COMPARE_ENABLE.key.equals(key)) {
setLruCompareEnable(value);
currentValue = getLruCompareEnable();
} else if (Item.LRU_COMPARE_LIMIT.key.equals(key)) {
setLruCompareLimit(value);
currentValue = getLruCompareLimit();
} else {
isHit = false;
}
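Review bot: In setResponseHeaders the key is never validated: `String key = v.toString();` reads the value instead of the key, so the `[1,200]` key-length check runs against the value (which the next statement checks again) and an empty or over-long header name passes through. The fix is `String key = k.toString();`. Since `k` was only null-checked, this also means the non-primitive/non-String type check is applied to values only; if keys are meant to be constrained the same way, a parallel `Reflection.isPrimitiveType(k)`/`instanceof String` check would be needed. setLruCompareEnable and setLruCompareLimit call `commonLRUCache.clear()` unconditionally, while setSqlCacheCapacity still tests `Config.commonLRUCache == null`; if that null state is reachable during initialisation the new setters would NPE, which is worth confirming against the static initialiser, which is outside these hunks.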
Expand Up @@ -25,6 +25,7 @@
import com.baidu.openrasp.v8.ByteArrayOutputStream;
import com.jsoniter.output.JsonStream;

import java.io.UnsupportedEncodingException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
Expand Down Expand Up @@ -164,7 +165,7 @@ public String getRequestId() {
// TODO: update openrasp-v8, accept string body
public byte[] getBody() {
try {
return request.getStringBody().getBytes("UTF-8");
return escape(request.getStringBody());
} catch (Exception e) {
return null;
}
Expand All @@ -182,6 +183,21 @@ public byte[] getJson() {
}
}

public byte[] escape(String src) throws UnsupportedEncodingException {
char j;
StringBuilder tmp = new StringBuilder();
for (int i = 0; i < src.length(); i++) {
j = src.charAt(i);
if (j < 256)
tmp.append(j);
else {
tmp.append("\\u");
tmp.append(Integer.toString(j, 16));
}
}
return tmp.toString().getBytes("UTF-8");
}

public byte[] getHeader() {
try {
Enumeration<String> headerNames = request.getHeaderNames();
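Review bot: escape() emits a malformed escape for characters in the range 0x100–0xFFF: `Integer.toString(j, 16)` is not zero-padded, so U+0100 becomes `\u100` rather than `\u0100`, and a consumer that reads exactly four hex digits after `\u` will decode a different character and swallow the following one. Replace the append with `tmp.append(String.format("%04x", (int) j));` (or pad manually) so every escape is exactly `\uXXXX`. Separately, `getBytes("UTF-8")` with the checked UnsupportedEncodingException can become `getBytes(StandardCharsets.UTF_8)`, which removes the `throws` clause and the exception path in getBody; the enclosing class starts outside this section.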
Expand Up @@ -106,12 +106,15 @@ public static List<EventInfo> Check(CheckParameter checkParameter) {
ByteArrayOutputStream params = new ByteArrayOutputStream();
JsonStream.serialize(checkParameter.getParams(), params);

int hashcode = 0;
Object hashData = null;
if (type == Type.DIRECTORY || type == Type.READFILE || type == Type.WRITEFILE || type == Type.SQL || type == Type.SSRF) {
hashcode = ByteBuffer.wrap(params.getByteArray()).hashCode();
}
if (hashcode != 0) {
if (Config.commonLRUCache.isContainsKey(hashcode)) {
byte[] paramData = params.getByteArray();
if (!Config.getConfig().getLruCompareEnable()) {
hashData = ByteBuffer.wrap(paramData).hashCode();
} else if (paramData.length <= Config.getConfig().getLruCompareLimit()) {
hashData = ByteBuffer.wrap(paramData);
}
if (Config.commonLRUCache.isContainsKey(hashData)) {
return null;
}
}
Expand All @@ -126,8 +129,8 @@ public static List<EventInfo> Check(CheckParameter checkParameter) {
}

if (results == null) {
if (hashcode != 0 && Config.commonLRUCache.maxSize() != 0) {
Config.commonLRUCache.put(hashcode, null);
if (hashData != null && Config.commonLRUCache.maxSize() != 0) {
Config.commonLRUCache.put(hashData, null);
}
return null;
}
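Review bot: The old `hashcode != 0` guard was dropped, so when compare mode is enabled and `paramData.length` exceeds `getLruCompareLimit()`, `hashData` stays null and `Config.commonLRUCache.isContainsKey(hashData)` is called with a null key; whether that returns false or throws depends on the LRUCache implementation, which is not in this diff. Guard it explicitly: `if (hashData != null && Config.commonLRUCache.isContainsKey(hashData)) {`, mirroring the `hashData != null` check the commit already adds before `put`. It may also be worth a one-line comment above the branch noting that in hash mode the cache key is a 32-bit content hash, so two distinct parameter sets that collide share the cached "no result" verdict — that appears to be the trade-off `lru.compare_enable` exists for, and readers of this code will not otherwise know it. Check() begins and ends outside these hunks.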
Expand Up @@ -125,4 +125,13 @@ public static Object invokeMethod(Object object, Class clazz, String methodName,
return null;
}
}

public static boolean isPrimitiveType(Object object) {
try {
return ((Class<?>) object.getClass().getField("TYPE").get(null)).isPrimitive();
} catch (Exception e) {
return false;
}
}

}
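Review bot: isPrimitiveType decides "is a primitive wrapper" by reflecting on a public static `TYPE` field and catching every Exception, so any class that happens to declare a public static `TYPE` holding a primitive Class object is accepted, a null argument is answered via a swallowed NullPointerException, and `getField` reflection runs on every call. An explicit set of the eight wrapper classes is cheaper, cannot be satisfied by an unrelated class, and documents the intent; the body below keeps the method signature and null-safety unchanged.
```java
// … unchanged: invokeMethod and the rest of the class …

/** The boxed counterparts of the eight Java primitive types. */
private static final Set<Class<?>> WRAPPER_TYPES = new HashSet<Class<?>>(Arrays.asList(
        Boolean.class, Byte.class, Character.class, Short.class,
        Integer.class, Long.class, Float.class, Double.class));

/**
 * Returns true when {@code object} is a boxed primitive (Integer, Boolean, ...);
 * false for null and for every other class.
 */
public static boolean isPrimitiveType(Object object) {
    return object != null && WRAPPER_TYPES.contains(object.getClass());
}
```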
9 changes: 6 additions & 3 deletions agent/php5/openrasp_config_block.cc
Expand Up @@ -114,10 +114,13 @@ void InjectBlock::update(BaseReader *reader)
headers.clear();
for (const auto &key : custom_headers_keys)
{
if (!key.empty())
if (!key.empty() && key.length() <= 200)
{
const auto &value = reader->fetch_string({"inject.custom_headers", key});
headers.emplace_back(key + ": " + value);
const std::string value = reader->fetch_string({"inject.custom_headers", key});
if (!value.empty() && value.length() <= 200)
{
headers.emplace_back(key + ": " + value);
}
}
}
};
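Review bot: The new length checks silently drop a header whose key or value is empty or longer than 200 bytes, so an operator whose configured header disappears gets no diagnostic; logging the skipped key at the point where the `if` fails (using the project's existing logging facility, which is not visible here) would make that visible. The limit `200` appears twice here and again in the Java Config for the same option; a named constant such as `static const size_t kCustomHeaderMaxLen = 200;` keeps the two agents in step. Neither check rejects CR or LF inside `key` or `value`, and `headers.emplace_back(key + ": " + value)` concatenates them into a raw header line, so a value containing a line break would be emitted as an additional header; adding `key.find_first_of("\r\n") == std::string::npos` (and the same for `value`) to the conditions closes that. InjectBlock::update starts outside this hunk.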