Merge pull request HXSecurity#526 from HXSecurity/beta

bump version to v1.10.0

Author: lostsnow

.github/workflows/codeql-analysis.yml

@@ -61,7 +61,7 @@ jobs:
         uses: actions/checkout@v2
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
+        uses: github/codeql-action/init@v2
         with:
           languages: ${{ matrix.language }}
 
@@ -76,7 +76,7 @@ jobs:
           maven-version: 3.2.5
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v1
+        uses: github/codeql-action/autobuild@v2
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
+        uses: github/codeql-action/analyze@v2

dongtai-agent/pom.xml

@@ -84,6 +84,11 @@
             <artifactId>gson</artifactId>
             <version>${gson.version}</version>
         </dependency>
+        <dependency>
+            <groupId>com.alibaba.fastjson2</groupId>
+            <artifactId>fastjson2</artifactId>
+            <version>${fastjson2.version}</version>
+        </dependency>
     </dependencies>
 
     <build>
@@ -176,6 +181,10 @@
                                     <pattern>com.google</pattern>
                                     <shadedPattern>${shade-prefix}.com.google</shadedPattern>
                                 </relocation>
+                                <relocation>
+                                    <pattern>com.alibaba</pattern>
+                                    <shadedPattern>${shade-prefix}.com.alibaba</shadedPattern>
+                                </relocation>
                             </relocations>
                         </configuration>
                     </execution>

dongtai-agent/src/main/java/io/dongtai/iast/agent/Agent.java

@@ -38,6 +38,7 @@ private static String[] parseAgentArgs(String[] args) throws ParseException {
         attachOptions.addOption(build("log_level", "log_level", "optional: DongTai agent log print level."));
         attachOptions.addOption(build("log_path", "log_path", "optional: DongTai agent log print path."));
         attachOptions.addOption(build("log_disable_collector", "log_disable_collector", "optional: DongTai agent disable log collector."));
+        attachOptions.addOption(build("disabled_plugins", "disabled_plugins", "optional: DongTai agent disable plugins."));
 
         CommandLineParser parser = new DefaultParser();
         HelpFormatter formatter = new HelpFormatter();

dongtai-agent/src/main/java/io/dongtai/iast/agent/AgentLauncher.java

@@ -2,7 +2,6 @@
 
 import io.dongtai.iast.agent.manager.EngineManager;
 import io.dongtai.iast.agent.monitor.MonitorDaemonThread;
-import io.dongtai.iast.agent.monitor.impl.AgentStateMonitor;
 import io.dongtai.iast.agent.report.AgentRegisterReport;
 import io.dongtai.iast.common.constants.AgentConstant;
 import io.dongtai.iast.common.scope.ScopeManager;
@@ -164,13 +163,6 @@ private static void install(final Instrumentation inst) {
         if (send) {
             LogCollector.extractFluent();
             DongTaiLog.info("Agent registered successfully.");
-            Boolean agentStat = AgentRegisterReport.agentStat();
-            if (!agentStat) {
-                AgentStateMonitor.isCoreRegisterStart = false;
-                DongTaiLog.info("Detection engine not started, agent waiting to be audited.");
-            } else {
-                AgentStateMonitor.isCoreRegisterStart = true;
-            }
             shutdownHook = new ShutdownThread();
             Runtime.getRuntime().addShutdownHook(shutdownHook);
             loadEngine(inst);
@@ -187,7 +179,7 @@ private static void install(final Instrumentation inst) {
     private static void loadEngine(final Instrumentation inst) {
         EngineManager engineManager = EngineManager.getInstance(inst, LAUNCH_MODE, EngineManager.getPID(), AGENT_STATE);
         MonitorDaemonThread daemonThread = MonitorDaemonThread.getInstance(engineManager);
-        if (MonitorDaemonThread.delayTime <= 0 && AgentStateMonitor.isCoreRegisterStart) {
+        if (MonitorDaemonThread.delayTime <= 0) {
             daemonThread.startEngine();
         }
 

dongtai-agent/src/main/java/io/dongtai/iast/agent/IastProperties.java

@@ -33,6 +33,7 @@ public class IastProperties {
         put("log_path", PropertyConstant.PROPERTY_LOG_PATH);
         put("log_disable_collector", PropertyConstant.PROPERTY_LOG_DISABLE_COLLECTOR);
         put("uuid_path", PropertyConstant.PROPERTY_UUID_PATH);
+        put("disabled_plugins", PropertyConstant.PROPERTY_DISABLED_PLUGINS);
     }};
 
     private static IastProperties instance;
@@ -223,7 +224,7 @@ public String getServerToken() {
     public String getIsDownloadPackage() {
         if (null == isDownloadPackage) {
             isDownloadPackage = System.getProperty(PropertyConstant.PROPERTY_SERVER_PACKAGE,
-                    cfg.getProperty(PropertyConstant.PROPERTY_SERVER_PACKAGE, "true"));
+                    cfg.getProperty(PropertyConstant.PROPERTY_SERVER_PACKAGE, "false"));
         }
         return isDownloadPackage;
     }

dongtai-agent/src/main/java/io/dongtai/iast/agent/fallback/FallbackConfig.java

@@ -1,5 +1,6 @@
 package io.dongtai.iast.agent.fallback;
 
+import com.alibaba.fastjson2.JSONObject;
 import com.google.gson.reflect.TypeToken;
 import io.dongtai.iast.agent.IastProperties;
 import io.dongtai.iast.agent.fallback.entity.*;
@@ -15,7 +16,7 @@
 import io.dongtai.iast.common.state.State;
 import io.dongtai.log.DongTaiLog;
 import io.dongtai.log.ErrorCode;
-import org.json.JSONObject;
+
 
 import java.lang.reflect.Field;
 import java.util.*;
@@ -111,7 +112,7 @@ private static FallbackConfigEntity parseRemoteConfigResponseV2(String remoteRes
         try {
             // 默认响应标识调用失败
             if (REMOTE_CONFIG_DEFAULT_META.equals(remoteResponse)
-                    || REMOTE_CONFIG_DEFAULT_META.equals(new JSONObject(remoteResponse).get("data").toString())) {
+                    || REMOTE_CONFIG_DEFAULT_META.equals(JSONObject.parseObject(remoteResponse).get("data").toString())) {
                 FallbackConfig.enableAutoFallback = false;
                 if (AgentState.getInstance().isFallback()) {
                     DongTaiLog.info("fallback remote config empty, auto fallback closed, starting agent");

dongtai-agent/src/main/java/io/dongtai/iast/agent/manager/EngineManager.java

@@ -2,6 +2,7 @@
 
 import io.dongtai.iast.agent.*;
 import io.dongtai.iast.agent.fallback.FallbackManager;
+import io.dongtai.iast.agent.monitor.MonitorDaemonThread;
 import io.dongtai.iast.agent.report.AgentRegisterReport;
 import io.dongtai.iast.agent.util.*;
 import io.dongtai.iast.common.state.AgentState;
@@ -36,7 +37,7 @@ public class EngineManager {
     private final IastProperties properties;
     private final String launchMode;
     private Class<?> classOfEngine;
-    private FallbackManager fallbackManager;
+    private final FallbackManager fallbackManager;
     private final AgentState agentState;
 
     /**

dongtai-agent/src/main/java/io/dongtai/iast/agent/monitor/MonitorDaemonThread.java

@@ -55,10 +55,8 @@ public void run() {
         if (MonitorDaemonThread.delayTime > 0) {
             try {
                 Thread.sleep(delayTime);
-            } catch (InterruptedException ignore) {
-            }
-            if (AgentStateMonitor.isCoreRegisterStart) {
                 startEngine();
+            } catch (InterruptedException ignore) {
             }
         }
         // 引擎启动成功后，创建子线程执行monitor任务
@@ -81,7 +79,6 @@ public void startEngine() {
             // jdk8以上
             status = engineManager.extractPackage();
             status = status && engineManager.install();
-            status = status && engineManager.start();
         }
         if (!status) {
             DongTaiLog.info("DongTai IAST started failure");

dongtai-agent/src/main/java/io/dongtai/iast/agent/monitor/impl/AgentStateMonitor.java

@@ -1,5 +1,7 @@
 package io.dongtai.iast.agent.monitor.impl;
 
+import com.alibaba.fastjson2.JSON;
+import com.alibaba.fastjson2.JSONObject;
 import io.dongtai.iast.agent.manager.EngineManager;
 import io.dongtai.iast.agent.monitor.IMonitor;
 import io.dongtai.iast.agent.monitor.MonitorDaemonThread;
@@ -9,11 +11,11 @@
 import io.dongtai.iast.agent.util.ThreadUtils;
 import io.dongtai.iast.common.constants.AgentConstant;
 import io.dongtai.iast.common.constants.ApiPath;
+import io.dongtai.iast.common.state.AgentState;
 import io.dongtai.iast.common.state.State;
 import io.dongtai.iast.common.state.StateCause;
 import io.dongtai.log.DongTaiLog;
 import io.dongtai.log.ErrorCode;
-import org.json.JSONObject;
 
 import java.util.HashMap;
 import java.util.Map;
@@ -23,7 +25,6 @@
  */
 public class AgentStateMonitor implements IMonitor {
     private final EngineManager engineManager;
-    public static Boolean isCoreRegisterStart = false;
     private static final String NAME = "AgentStateMonitor";
 
     public AgentStateMonitor(EngineManager engineManager) {
@@ -37,50 +38,73 @@ public String getName() {
 
     @Override
     public void check() {
+        AgentState agentState = this.engineManager.getAgentState();
         try {
-            if (this.engineManager.getAgentState().getState() == null) {
+            if (agentState.getState() == null) {
                 return;
             }
 
-            if (this.engineManager.getAgentState().isUninstalledByCli()) {
+            if (agentState.isUninstalledByCli()) {
                 HttpClientUtils.sendPost(ApiPath.ACTUAL_ACTION,
-                        HeartBeatReport.generateAgentActualActionMsg(this.engineManager.getAgentState()));
+                        HeartBeatReport.generateAgentActualActionMsg(agentState));
                 return;
             }
 
-            if (!this.engineManager.getAgentState().isFallback() && !this.engineManager.getAgentState().isException()) {
-                String expectState = checkExpectState();
-                if (State.RUNNING.equals(expectState) && this.engineManager.getAgentState().isPaused()) {
+            Map<String, Object> stringStringMap = checkExpectState();
+            // 默认值
+            String expectState = "other";
+            boolean allowReport = true;
+
+            if (stringStringMap != null) {
+                expectState = stringStringMap.get("exceptRunningStatus").toString();
+                if (null != stringStringMap.get("allowReport")) {
+                    allowReport = !"0".equals(stringStringMap.get("allowReport").toString());
+                }
+            }
+
+            if (allowReport && !agentState.isAllowReport()) {
+                DongTaiLog.info("engine is allowed to report data");
+                agentState.setAllowReport(allowReport);
+            } else if (!allowReport && agentState.isAllowReport()) {
+                DongTaiLog.info("engine is not allowed to report data");
+                agentState.setAllowReport(allowReport);
+            }
+
+            if (!agentState.isFallback() && !agentState.isException() && agentState.isAllowReport() && agentState.isAllowReport()) {
+                if (State.RUNNING.equals(expectState) && agentState.isPaused()) {
                     DongTaiLog.info("engine start by server expect state");
                     engineManager.start();
-                    engineManager.getAgentState().setState(State.RUNNING).setCause(StateCause.RUNNING_BY_SERVER);
-                } else if (State.PAUSED.equals(expectState) && this.engineManager.getAgentState().isRunning()) {
+                    agentState.setState(State.RUNNING).setCause(StateCause.RUNNING_BY_SERVER);
+                } else if (State.PAUSED.equals(expectState) && agentState.isRunning()) {
                     DongTaiLog.info("engine stop by server expect state");
                     engineManager.stop();
-                    engineManager.getAgentState().setState(State.PAUSED).setCause(StateCause.PAUSE_BY_SERVER);
+                    agentState.setState(State.PAUSED).setCause(StateCause.PAUSE_BY_SERVER);
                 }
             }
             HttpClientUtils.sendPost(ApiPath.ACTUAL_ACTION,
-                    HeartBeatReport.generateAgentActualActionMsg(this.engineManager.getAgentState()));
+                    HeartBeatReport.generateAgentActualActionMsg(agentState));
         } catch (Throwable t) {
             DongTaiLog.warn(ErrorCode.AGENT_MONITOR_THREAD_CHECK_FAILED, getName(), t);
         }
     }
 
-    private String checkExpectState() {
+    private Map<String, Object> checkExpectState() {
         try {
-            Map<String, String> parameters = new HashMap<String, String>();
+            Map<String, String> parameters = new HashMap<>();
             parameters.put("agentId", String.valueOf(AgentRegisterReport.getAgentId()));
             String respRaw = HttpClientUtils.sendGet(ApiPath.EXCEPT_ACTION, parameters).toString();
             if (!respRaw.isEmpty()) {
-                JSONObject resp = new JSONObject(respRaw);
+                JSONObject resp = JSON.parseObject(respRaw);
                 JSONObject data = (JSONObject) resp.get("data");
-                return data.get("exceptRunningStatus").toString();
+                Map<String, Object> objectObjectHashMap = new HashMap<>(2);
+                String s = data.toJSONString();
+                objectObjectHashMap = JSON.parseObject(s, Map.class);
+                return objectObjectHashMap;
             }
         } catch (Throwable e) {
-            return "other";
+            return null;
         }
-        return "other";
+        return null;
     }
 
     @Override

dongtai-agent/src/main/java/io/dongtai/iast/agent/report/AgentRegisterReport.java

@@ -1,5 +1,8 @@
 package io.dongtai.iast.agent.report;
 
+import com.alibaba.fastjson2.JSON;
+import com.alibaba.fastjson2.JSONArray;
+import com.alibaba.fastjson2.JSONObject;
 import io.dongtai.iast.agent.IastProperties;
 import io.dongtai.iast.agent.manager.EngineManager;
 import io.dongtai.iast.agent.middlewarerecognition.IServer;
@@ -10,8 +13,7 @@
 import io.dongtai.iast.common.utils.base64.Base64Encoder;
 import io.dongtai.log.DongTaiLog;
 import io.dongtai.log.ErrorCode;
-import org.json.JSONArray;
-import org.json.JSONObject;
+
 
 import java.io.*;
 import java.net.*;
@@ -27,7 +29,6 @@ public class AgentRegisterReport {
     public static AgentRegisterReport INSTANCE;
     private String projectName = null;
     private static Integer agentId = -1;
-    private static Integer coreRegisterStart = 1;
     final IServer server = ServerDetect.getWebserver();
     private static String AGENT_NAME = null;
     private static String HOST_NAME = null;
@@ -211,7 +212,7 @@ private String readIpInfo() {
                     } else {
                         jsonObject.put("isAddress", "0");
                     }
-                    network.put(jsonObject);
+                    network.add(jsonObject);
                 }
             }
             return network.toString();
@@ -258,12 +259,11 @@ public static Boolean send() {
      */
     private void setAgentData(StringBuilder responseRaw) {
         try {
-            JSONObject responseObj = new JSONObject(responseRaw.toString());
+            JSONObject responseObj = JSON.parseObject(responseRaw.toString());
             Integer status = (Integer) responseObj.get("status");
             if (status == 201) {
                 JSONObject data = (JSONObject) responseObj.get("data");
                 agentId = (Integer) data.get("id");
-                coreRegisterStart = (Integer) data.get("coreAutoStart");
             } else {
                 DongTaiLog.error(ErrorCode.AGENT_REGISTER_RESPONSE_CODE_INVALID, responseRaw);
             }
@@ -273,10 +273,6 @@ private void setAgentData(StringBuilder responseRaw) {
         }
     }
 
-    public static Boolean agentStat() {
-        return coreRegisterStart == 1;
-    }
-
     private static String generateUUID() {
         String uuidPath = IastProperties.getInstance().getUUIDPath();
         if (uuidPath == null || uuidPath.isEmpty()) {