Merge pull request #107 from AikidoSec/AIK-4370

AIK-4370: Add general high level path variable wrapper

Author: willem-delbare

agent/src/main/java/dev/aikido/agent/Wrappers.java

@@ -14,9 +14,8 @@ public final class Wrappers {
     private Wrappers() {}
     public static final List<Wrapper> WRAPPERS = Arrays.asList(
             new PostgresWrapper(),
-            new SpringFrameworkWrapper(),
-            new SpringFrameworkBodyWrapper(),
-            new SpringFrameworkInvokeWrapper(),
+            new SpringMVCWrapper(),
+            new SpringControllerWrapper(),
             new FileWrapper(),
             new URLConnectionWrapper(),
             new InetAddressWrapper(),

agent/src/main/java/dev/aikido/agent/wrappers/SpringFrameworkBodyWrapper.java renamed to agent/src/main/java/dev/aikido/agent/wrappers/SpringControllerWrapper.java

@@ -1,6 +1,6 @@
 package dev.aikido.agent.wrappers;
 
-import dev.aikido.agent_api.collectors.RequestBodyCollector;
+import dev.aikido.agent_api.collectors.SpringAnnotationCollector;
 import net.bytebuddy.asm.Advice;
 import net.bytebuddy.description.method.MethodDescription;
 import net.bytebuddy.description.type.TypeDescription;
@@ -15,13 +15,12 @@
 import static net.bytebuddy.matcher.ElementMatchers.*;
 
 /* We wrap the controller functions annotated with an @RequestMapping
- * We check the input for @RequestBody and @RequestParam
- * @RequestPart currently not supported.
+ * We check the input for @RequestBody, @RequestParam, @PathVariable, ...
  */
-public class SpringFrameworkBodyWrapper implements Wrapper {
+public class SpringControllerWrapper implements Wrapper {
     @Override
     public String getName() {
-        return SpringFrameworkBodyWrapperAdvice.class.getName();
+        return SpringAnnotationWrapperAdvice.class.getName();
     }
 
     @Override
@@ -43,35 +42,17 @@ public ElementMatcher<? super TypeDescription> getTypeMatcher() {
         return hasSuperType(declaresMethod(getMatcher()));
     }
 
-    private static class SpringFrameworkBodyWrapperAdvice {
+    private static class SpringAnnotationWrapperAdvice {
         /* We intercept the call to the controller, arguments given to it contain user input
-         * We check if it's annotated by @RequestBody, ... and add it as a key to our body.
+         * We check if it's annotated by @RequestBody, @PathVariable, ... and add it as a key to our body.
          */
         @Advice.OnMethodEnter(suppress = Throwable.class)
         public static void before(
                 @Advice.Origin Executable method,
                 @Advice.AllArguments(readOnly = false, typing = DYNAMIC) Object[] args
-        ) {
+        ) throws Exception {
             Parameter[] parameters = method.getParameters();
-            for (int i = 0; i < parameters.length; i++) {
-                Parameter parameter = parameters[i];
-                for (Annotation annotation: parameter.getDeclaredAnnotations()) {
-                    String annotStr = annotation.toString();
-                    if (annotStr.contains("org.springframework.web.bind.annotation.RequestBody")) {
-                        // RequestBody includes all data so we report everything as one block:
-                        // Also important for API Discovery that we get the exact overview
-                        RequestBodyCollector.report(args[i]);
-                        return; // You can safely return here without missing more data
-                    }
-                    if (annotStr.contains("org.springframework.web.bind.annotation.RequestParam") ||
-                            annotStr.contains("org.springframework.web.bind.annotation.RequestPart")) {
-                        // RequestPart and RequestParam both contain partial data.
-                        String identifier = parameter.getName();
-                        RequestBodyCollector.report(identifier, args[i]);
-                        break; // You can safely exit for-loop, but we still want to scan other arguments.
-                    }
-                }
-            }
+            SpringAnnotationCollector.report(parameters, args);
         }
     }
 }

agent/src/main/java/dev/aikido/agent/wrappers/SpringFrameworkInvokeWrapper.java

@@ -3,7 +3,7 @@
 import dev.aikido.agent_api.collectors.WebRequestCollector;
 import dev.aikido.agent_api.collectors.WebResponseCollector;
 import dev.aikido.agent_api.context.ContextObject;
-import dev.aikido.agent_api.context.SpringContextObject;
+import dev.aikido.agent_api.context.SpringMVCContextObject;
 import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletResponse;
 import net.bytebuddy.asm.Advice;
@@ -23,16 +23,16 @@
 import static net.bytebuddy.implementation.bytecode.assign.Assigner.Typing.DYNAMIC;
 import static net.bytebuddy.matcher.ElementMatchers.nameContains;
 
-public class SpringFrameworkWrapper implements Wrapper {
-    public static final Logger logger = LogManager.getLogger(SpringFrameworkWrapper.class);
+public class SpringMVCWrapper implements Wrapper {
+    public static final Logger logger = LogManager.getLogger(SpringMVCWrapper.class);
 
     @Override
     public String getName() {
         // We wrap the function doFilterInternal which gets called with
         // HttpServletRequest request, HttpServletResponse response
         // And is part of org.springframework.web.filter.RequestContextFilter
         // See: https://github.com/spring-projects/spring-framework/blob/4749d810db0261ce16ae5f32da6d375bb8087430/spring-web/src/main/java/org/springframework/web/filter/RequestContextFilter.java#L92
-        return SpringFrameworkAdvice.class.getName();
+        return SpringMVCAdvice.class.getName();
     }
     @Override
     public ElementMatcher<? super MethodDescription> getMatcher() {
@@ -44,7 +44,7 @@ public ElementMatcher<? super TypeDescription> getTypeMatcher() {
         return nameContains("org.springframework.web.filter.RequestContextFilter");
     }
 
-    public static class SpringFrameworkAdvice {
+    public static class SpringMVCAdvice {
         // Wrapper to skip if it's inside this wrapper (i.e. our own response : )
         public record SkipOnWrapper(HttpServletResponse response) {};
         /**
@@ -76,7 +76,7 @@ public static Object interceptOnEnter(
                 }
             }
 
-            ContextObject contextObject = new SpringContextObject(
+            ContextObject contextObject = new SpringMVCContextObject(
                     request.getMethod(), request.getRequestURL(), request.getRemoteAddr(),
                     request.getParameterMap(), cookiesMap, headersMap
             );

agent/src/main/java/dev/aikido/agent/wrappers/SpringFrameworkWrapper.java renamed to agent/src/main/java/dev/aikido/agent/wrappers/SpringMVCWrapper.java

@@ -0,0 +1,73 @@
+package dev.aikido.agent_api.collectors;
+
+import dev.aikido.agent_api.context.Context;
+import dev.aikido.agent_api.context.NettyContext;
+import dev.aikido.agent_api.context.SpringContextObject;
+import dev.aikido.agent_api.context.SpringMVCContextObject;
+
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Parameter;
+import java.util.Map;
+import java.util.Optional;
+
+public final class SpringAnnotationCollector {
+    private SpringAnnotationCollector() {}
+    private static String REQUEST_BODY = "org.springframework.web.bind.annotation.RequestBody";
+    private static String REQUEST_PARAM = "org.springframework.web.bind.annotation.RequestParam";
+    private static String REQUEST_PART = "org.springframework.web.bind.annotation.RequestPart";
+    private static String PATH_VARIABLE = "org.springframework.web.bind.annotation.PathVariable";
+
+    /** report(...)
+     * Handles Springs parameters, can include @PathVariable, @RequestBody, ...
+     */
+    public static void report(Parameter[] parameters, Object[] values) throws Exception {
+        if (parameters.length != values.length) {
+            // This exception gets caught by Byte Buddy.
+            throw new Exception("Length of parameters and values should match!");
+        }
+        for (int i = 0; i < parameters.length; i++) {
+            report(parameters[i], values[i]);
+        }
+    }
+
+    public static void report(Parameter parameter, Object value) {
+        SpringContextObject context = (SpringContextObject) Context.get();
+        if (context == null) {
+            return;
+        }
+
+        for (Annotation annotation: parameter.getDeclaredAnnotations()) {
+            String annotStr = annotation.annotationType().getName();
+            if (annotStr.contains(REQUEST_BODY)) {
+                // RequestBody includes all data so we report everything as one block:
+                // Also important for API Discovery that we get the exact overview
+                context.setBody(value);
+                break;
+            } else if (annotStr.equals(REQUEST_PARAM) || annotStr.equals(REQUEST_PART)) {
+                // RequestPart and RequestParam both contain partial data.
+                String identifier = parameter.getName();
+                context.setBodyElement(identifier, value);
+                break;
+            } else if(annotStr.equals(PATH_VARIABLE)) {
+                String identifier = parameter.getName();
+                if (value instanceof Map<?, ?> paramsMap) {
+                    for (Map.Entry<?, ?> entry: paramsMap.entrySet()) {
+                        if (entry.getKey() instanceof String key && entry.getValue() instanceof String valueStr) {
+                            context.setParameter(key, valueStr);
+                        }
+                    }
+                } else if (value instanceof String valueStr) {
+                    context.setParameter(identifier, valueStr);
+                } else if (value instanceof Optional<?> valueOpt) {
+                    if(valueOpt.isPresent()) {
+                        if (valueOpt.get() instanceof String valueStr) {
+                            context.setParameter(identifier, valueStr);
+                        }
+                    }
+                }
+                break;
+            }
+        }
+        Context.set(context); // Store context.
+    }
+}

agent_api/src/main/java/dev/aikido/agent_api/collectors/RequestBodyCollector.java

@@ -9,7 +9,7 @@
 import static dev.aikido.agent_api.helpers.net.ProxyForwardedParser.getIpFromRequest;
 import static dev.aikido.agent_api.helpers.url.BuildRouteFromUrl.buildRouteFromUrl;
 
-public class NettyContext extends ContextObject {
+public class NettyContext extends SpringContextObject {
     public NettyContext(
             String method, String uri, InetSocketAddress rawIp,
             HashMap<String, List<String>> cookies,
@@ -27,9 +27,6 @@ public NettyContext(
         this.remoteAddress = getIpFromRequest(rawIp.getAddress().getHostAddress(), this.headers);
         this.source = "ReactorNetty";
         this.redirectStartNodes = new ArrayList<>();
-
-        // We don't have access yet to the route parameters.
-        this.params = null;
     }
 
     private static HashMap<String, String> extractHeaders(List<Map.Entry<String, String>> entries) {

agent_api/src/main/java/dev/aikido/agent_api/collectors/SpringAnnotationCollector.java

@@ -1,58 +1,29 @@
 package dev.aikido.agent_api.context;
 
-import java.util.*;
-
-import static dev.aikido.agent_api.helpers.net.ProxyForwardedParser.getIpFromRequest;
-import static dev.aikido.agent_api.helpers.url.BuildRouteFromUrl.buildRouteFromUrl;
+import java.util.HashMap;
+import java.util.Map;
 
 public class SpringContextObject extends ContextObject {
     // We use this map for when @RequestBody does not get used :
     protected transient Map<String, Object> bodyMap = new HashMap<>();
-    public SpringContextObject(
-            String method, StringBuffer url, String rawIp, Map<String, String[]> queryParams,
-            HashMap<String, List<String>> cookies, HashMap<String, String> headers
-    ) {
-        this.method = method;
-        if (url != null) {
-            this.url = url.toString();
-        }
-        this.query = extractQueryParameters(queryParams);
-        this.cookies = cookies;
-        this.headers = headers;
-        this.route = buildRouteFromUrl(this.url);
-        this.remoteAddress = getIpFromRequest(rawIp, this.headers);
-        this.source = "SpringFramework";
-        this.redirectStartNodes = new ArrayList<>();
 
-        // We don't have access yet to the route parameters: doFilter() is called before the Controller
-        // So the parameters will be set later.
-        this.params = null;
+    // We don't have access yet to the route parameters: doFilter() is called before the Controller
+    // So the parameters will be set later.
+    protected transient Map<String, String> params = new HashMap<>();
+
+    public void setParameter(String key, String value) {
+        this.params.put(key, value);
+        this.cache.remove("routeParams"); // Reset cache
     }
+
     @Override
-    public Object getBody() {
-        if (this.body != null) {
-            // @RequestBody was used, all data is available :
-            return this.body;
-        }
-        return this.bodyMap; // Use the selected fields that were extracted.
+    public Map<String, String> getParams() {
+        return params;
     }
+
     public void setBodyElement(String key, Object value) {
         bodyMap.put(key, value);
         cache.remove("body"); // Reset body cache.
     }
-    public void setParams(Object params) {
-        this.params = params;
-        this.cache.remove("routeParams"); // Reset cache
-    }
-
-    private static HashMap<String, List<String>> extractQueryParameters(Map<String, String[]> parameterMap) {
-        HashMap<String, List<String>> query = new HashMap<>();
-
-        for (Map.Entry<String, String[]> entry : parameterMap.entrySet()) {
-            // Convert String[] to List<String>
-            List<String> list = Arrays.asList(entry.getValue());
-            query.put(entry.getKey(), list);
-        }
-        return query;
-    }
 }
+