HXSecurity · Nizernizer · Jan 7, 2022 · Jan 7, 2022 · Jan 7, 2022 · Jan 7, 2022
diff --git a/dongtai-jakarta-api/src/main/java/cn/huoxian/iast/api/HttpRequest.java b/dongtai-jakarta-api/src/main/java/cn/huoxian/iast/api/HttpRequest.java
@@ -17,11 +17,7 @@ public class HttpRequest {
 
     public static Map<String, Object> getRequest(Object req) {
         HttpServletRequest request = (HttpServletRequest) req;
-        try {
-            request.setCharacterEncoding("UTF-8");
-        } catch (Throwable ignored) {
 
-        }
         Map<String, Object> requestMeta = new HashMap<String, Object>(16);
         requestMeta.put("contextPath", request.getContextPath());
         requestMeta.put("servletPath", request.getServletPath());
@@ -44,7 +40,7 @@ public static Map<String, Object> getRequest(Object req) {
 
     private static Map<String, String> getHeaders(HttpServletRequest request) {
         Enumeration<?> headerNames = request.getHeaderNames();
-        Map<String, String> headers = new HashMap<>();
+        Map<String, String> headers = new HashMap<>(32);
         while (headerNames.hasMoreElements()) {
             String name = (String) headerNames.nextElement();
             String value = request.getHeader(name);
@@ -78,6 +74,8 @@ private static String getPostBody(HttpServletRequest request) {
                     }
                     return postBody.toString();
                 } else {
+                    // fixme: 此处导致中文乱码
+                    request.setCharacterEncoding("UTF-8");
                     Enumeration<?> parameterNames = request.getParameterNames();
                     String param;
                     boolean first = true;

diff --git a/dongtai-jakarta-api/src/main/java/cn/huoxian/iast/api/HttpResponse.java b/dongtai-jakarta-api/src/main/java/cn/huoxian/iast/api/HttpResponse.java
@@ -18,7 +18,7 @@ public static Map<String, Object> getResponse(Object res) {
         HttpServletResponse response = (HttpServletResponse) res;
         Map<String, Object> responseMeta = new HashMap<String, Object>(2);
         responseMeta.put("headers", getHeaders(response));
-        responseMeta.put("body", getBody(response));
+        responseMeta.put("body", getResponseData(response));
         return responseMeta;
     }
 
@@ -48,6 +48,25 @@ private static String getHeaders(HttpServletResponse response) {
         return header.toString();
     }
 
+    private static byte[] getResponseData(HttpServletResponse response) {
+        if (response instanceof ResponseWrapper) {
+            try {
+                byte[] responseData = ((ResponseWrapper) response).getResponseData();
+                if (responseBodyLength == null || responseBodyLength > responseData.length) {
+                    return responseData;
+                }
+
+                byte[] copiedData = new byte[responseBodyLength];
+                System.arraycopy(responseData, 0, copiedData, 0, responseBodyLength);
+                return copiedData;
+            } catch (Exception ignored) {
+
+            }
+        }
+        return new byte[0];
+    }
+
+
     /**
      * 获取响应体
      *
@@ -70,20 +89,21 @@ private static String getBody(HttpServletResponse response) {
                     }
                 }
                 try {
-                    if (responseBodyLength == null){
+                    if (responseBodyLength == null) {
                         responseStr = new String(responseData, charSet);
-                    }else {
+                    } else {
                         responseStr = new String(responseData, 0, responseBodyLength, charSet);
                     }
                 } catch (UnsupportedEncodingException e) {
-                    if (responseBodyLength == null){
+                    if (responseBodyLength == null) {
                         responseStr = new String(responseData);
-                    }else {
+                    } else {
                         responseStr = new String(responseData, 0, responseBodyLength);
                     }
                 }
 
-            } catch (Exception ignored) {}
+            } catch (Exception ignored) {
+            }
 
         }
         return responseStr;

diff --git a/dongtai-servlet-api/src/main/java/cn/huoxian/iast/api/HttpRequest.java b/dongtai-servlet-api/src/main/java/cn/huoxian/iast/api/HttpRequest.java
@@ -17,11 +17,6 @@ public class HttpRequest {
 
     public static Map<String, Object> getRequest(Object req) {
         HttpServletRequest request = (HttpServletRequest) req;
-        try {
-            request.setCharacterEncoding("UTF-8");
-        } catch (Throwable ignored) {
-
-        }
         Map<String, Object> requestMeta = new HashMap<String, Object>(16);
         requestMeta.put("contextPath", request.getContextPath());
         requestMeta.put("servletPath", request.getServletPath());
@@ -78,6 +73,7 @@ private static String getPostBody(HttpServletRequest request) {
                     }
                     return postBody.toString();
                 } else {
+                    request.setCharacterEncoding("UTF-8");
                     Enumeration<?> parameterNames = request.getParameterNames();
                     String param;
                     boolean first = true;

diff --git a/dongtai-servlet-api/src/main/java/cn/huoxian/iast/api/HttpResponse.java b/dongtai-servlet-api/src/main/java/cn/huoxian/iast/api/HttpResponse.java
@@ -18,7 +18,7 @@ public static Map<String, Object> getResponse(Object res) {
         HttpServletResponse response = (HttpServletResponse) res;
         Map<String, Object> responseMeta = new HashMap<String, Object>(2);
         responseMeta.put("headers", getHeaders(response));
-        responseMeta.put("body", getBody(response));
+        responseMeta.put("body", getResponseData(response));
         return responseMeta;
     }
 
@@ -48,6 +48,24 @@ private static String getHeaders(HttpServletResponse response) {
         return header.toString();
     }
 
+    private static byte[] getResponseData(HttpServletResponse response) {
+        if (response instanceof ResponseWrapper) {
+            try {
+                byte[] responseData = ((ResponseWrapper) response).getResponseData();
+                if (responseBodyLength == null || responseBodyLength > responseData.length) {
+                    return responseData;
+                }
+
+                byte[] copiedData = new byte[responseBodyLength];
+                System.arraycopy(responseData, 0, copiedData, 0, responseBodyLength);
+                return copiedData;
+            } catch (Exception ignored) {
+
+            }
+        }
+        return new byte[0];
+    }
+
     /**
      * 获取响应体
      *
@@ -70,20 +88,21 @@ private static String getBody(HttpServletResponse response) {
                     }
                 }
                 try {
-                    if (responseBodyLength == null){
+                    if (responseBodyLength == null) {
                         responseStr = new String(responseData, charSet);
-                    }else {
+                    } else {
                         responseStr = new String(responseData, 0, responseBodyLength, charSet);
                     }
                 } catch (UnsupportedEncodingException e) {
-                    if (responseBodyLength == null){
+                    if (responseBodyLength == null) {
                         responseStr = new String(responseData);
-                    }else {
+                    } else {
                         responseStr = new String(responseData, 0, responseBodyLength);
                     }
                 }
 
-            } catch (Exception ignored) {}
+            } catch (Exception ignored) {
+            }
 
         }
         return responseStr;

diff --git a/iast-agent/src/main/java/com/secnium/iast/agent/IastProperties.java b/iast-agent/src/main/java/com/secnium/iast/agent/IastProperties.java
@@ -100,15 +100,15 @@ public String getPropertiesFilePath() {
 
     public String getIastServerToken() {
         if (null == iastServerToken) {
-            iastServerToken = cfg.getProperty("iast.server.token");
+            iastServerToken = System.getProperty("dongtai.server.token", cfg.getProperty("iast.server.token"));
         }
         return iastServerToken;
     }
 
 
     public String getBaseUrl() {
         if (null == serverUrl) {
-            serverUrl = System.getProperty("iast.server.url", cfg.getProperty("iast.server.url"));
+            serverUrl = System.getProperty("dongtai.server.url", cfg.getProperty("iast.server.url"));
         }
         return serverUrl;
     }
@@ -123,16 +123,21 @@ public String getEngineName() {
     public String getProjectName() {
         if (null == projectName) {
             projectName = System.getProperty(
-                    "project.name",
+                    "dongtai.app.name",
                     System.getProperty(
                             "mse.appName",
                             System.getProperty(
                                     "arms.appName",
                                     System.getProperty(
                                             "service.name",
-                                            cfg.getProperty("project.name", "Demo Project")
+                                            System.getProperty("app.name",
+                                                    System.getProperty("projgect.name",
+                                                            cfg.getProperty("project.name", "Demo Project"))
+                                            )
+
                                     )
-                            ))
+                            )
+                    )
             );
         }
         return projectName;

diff --git a/iast-core/src/main/java/com/secnium/iast/core/EngineManager.java b/iast-core/src/main/java/com/secnium/iast/core/EngineManager.java
@@ -13,7 +13,6 @@
 import com.secnium.iast.core.threadlocalpool.RequestContext;
 import com.secnium.iast.core.util.LogUtils;
 import java.io.File;
-import java.lang.instrument.Instrumentation;
 import java.lang.reflect.Method;
 import java.net.URL;
 import java.util.HashMap;
@@ -29,14 +28,12 @@
  */
 public class EngineManager {
 
-    private static final Logger logger = LogUtils.getLogger(EngineManager.class);
     private static EngineManager instance;
     private final PropertyUtils cfg;
     public static Integer AGENT_ID;
     public static String AGENT_PATH;
 
     private static final BooleanThreadLocal AGENT_STATUS = new BooleanThreadLocal(false);
-    private static final BooleanThreadLocal TRANSFORM_STATE = new BooleanThreadLocal(false);
     private static final BooleanThreadLocal ENTER_HTTP_ENTRYPOINT = new BooleanThreadLocal(false);
     public static final RequestContext REQUEST_CONTEXT = new RequestContext();
     public static final IastTrackMap TRACK_MAP = new IastTrackMap();
@@ -58,14 +55,6 @@ public static void agentStarted() {
         AGENT_STATUS.set(true);
     }
 
-    public static void enterTransform() {
-        TRANSFORM_STATE.set(true);
-    }
-
-    public static void leaveTransform() {
-        TRANSFORM_STATE.set(false);
-    }
-
     public static void turnOnLingzhi() {
         LINGZHI_RUNNING.set(true);
     }
@@ -88,12 +77,12 @@ public static EngineManager getInstance() {
         return instance;
     }
 
-    public static EngineManager getInstance(PropertyUtils cfg, Instrumentation inst) {
+    public static EngineManager getInstance(PropertyUtils cfg) {
         if (instance == null) {
-            if (cfg == null || inst == null) {
+            if (cfg == null) {
                 return null;
             }
-            instance = new EngineManager(cfg, inst);
+            instance = new EngineManager(cfg);
         }
         return instance;
     }
@@ -102,8 +91,7 @@ public static void setInstance() {
         instance = null;
     }
 
-    private EngineManager(final PropertyUtils cfg,
-            final Instrumentation inst) {
+    private EngineManager(final PropertyUtils cfg) {
         this.cfg = cfg;
     }
 

diff --git a/iast-core/src/main/java/com/secnium/iast/core/PropertyUtils.java b/iast-core/src/main/java/com/secnium/iast/core/PropertyUtils.java
@@ -94,7 +94,7 @@ public String getIastResponseFlagValue() {
 
     public String getIastServerToken() {
         if (null == iastServerToken) {
-            iastServerToken = cfg.getProperty("iast.server.token");
+            iastServerToken = System.getProperty("dongtai.server.token", cfg.getProperty("dongtai.server.token"));
         }
         return iastServerToken;
     }
@@ -202,7 +202,7 @@ public long getHeartBeatInterval() {
      */
     public String getBaseUrl() {
         if (null == serverUrl) {
-            serverUrl = System.getProperty("iast.server.url", cfg.getProperty("iast.server.url"));
+            serverUrl = System.getProperty("dongtai.server.url", cfg.getProperty("dongtai.server.url"));
         }
         return serverUrl;
     }

diff --git a/iast-core/src/main/java/com/secnium/iast/core/engines/impl/SandboxEngine.java b/iast-core/src/main/java/com/secnium/iast/core/engines/impl/SandboxEngine.java
@@ -3,31 +3,29 @@
 import com.secnium.iast.core.EngineManager;
 import com.secnium.iast.core.PropertyUtils;
 import com.secnium.iast.core.engines.IEngine;
-import org.slf4j.Logger;
 import com.secnium.iast.core.util.LogUtils;
-
 import java.lang.instrument.Instrumentation;
+import org.slf4j.Logger;
 
 /**
  * @author dongzhiyong@huoxian.cn
  */
 public class SandboxEngine implements IEngine {
+
     private final Logger logger = LogUtils.getLogger(getClass());
-    private Instrumentation inst;
     private PropertyUtils cfg;
 
     @Override
     public void init(PropertyUtils cfg, Instrumentation inst) {
         this.cfg = cfg;
-        this.inst = inst;
     }
 
     @Override
     public void start() {
         if (logger.isDebugEnabled()) {
             logger.debug("initing global control instance");
         }
-        EngineManager.getInstance(cfg, inst);
+        EngineManager.getInstance(cfg);
         if (logger.isDebugEnabled()) {
             logger.debug("inited global control instance");
         }

diff --git a/iast-core/src/main/java/com/secnium/iast/core/enhance/IastClassFileTransformer.java b/iast-core/src/main/java/com/secnium/iast/core/enhance/IastClassFileTransformer.java
@@ -17,6 +17,7 @@
 import java.io.IOException;
 import java.lang.instrument.ClassFileTransformer;
 import java.lang.instrument.Instrumentation;
+import java.net.URL;
 import java.security.CodeSource;
 import java.security.ProtectionDomain;
 import java.util.HashSet;
@@ -67,7 +68,11 @@ public byte[] transform(final ClassLoader loader,
             final Class<?> classBeingRedefined,
             final ProtectionDomain protectionDomain,
             final byte[] srcByteCodeArray) {
-        EngineManager.enterTransform();
+        // if className is null, then, skip
+        if (internalClassName == null) {
+            return null;
+        }
+
         boolean isRunning = EngineManager.isLingzhiRunning();
         if (isRunning) {
             EngineManager.turnOffLingzhi();
@@ -80,10 +85,11 @@ public byte[] transform(final ClassLoader loader,
         }
 
         try {
-            if (loader != null) {
-                final CodeSource codeSource = (protectionDomain != null) ? protectionDomain.getCodeSource() : null;
-                if (codeSource != null && codeSource.getLocation() != null) {
-                    ScaScanner.scanForSCA(codeSource.getLocation().getFile(), internalClassName);
+            if (loader != null && protectionDomain != null) {
+                final CodeSource codeSource = protectionDomain.getCodeSource();
+                URL location = codeSource.getLocation();
+                if (location != null) {
+                    ScaScanner.scanForSCA(location.getFile(), internalClassName);
                 }
             }
 
@@ -129,10 +135,9 @@ public byte[] transform(final ClassLoader loader,
             if (isRunning) {
                 EngineManager.turnOnLingzhi();
             }
-            EngineManager.leaveTransform();
         }
 
-        return srcByteCodeArray;
+        return null;
     }
 
     /**