Merge pull request #91 from AikidoSec/AIK-4059-3

AIK-4059 Add Javalin support

Author: willem-delbare

.github/workflows/end2end.yml

@@ -42,6 +42,7 @@ jobs:
           - { name: SpringWebfluxSampleApp, test_file: end2end/spring_webflux_postgres.py }
           - { name: SpringMVCPostgresKotlin, test_file: end2end/spring_mvc_postgres_kotlin.py }
           - { name: SpringMVCPostgresGroovy, test_file: end2end/spring_mvc_postgres_groovy.py }
+          - { name: JavalinPostgres, test_file: end2end/javalin_postgres.py }
         java-version: [17, 18, 19, 20, 21]
     steps:
       - name: Download build artifacts

agent/build.gradle

@@ -9,6 +9,7 @@ dependencies {
     // Compile only for interface types :
     compileOnly 'jakarta.servlet:jakarta.servlet-api:6.1.0' // For Context object (Spring Boot)
     compileOnly 'io.projectreactor.netty:reactor-netty-http:1.2.1' // For Spring Webflux
+    compileOnly 'io.javalin:javalin:6.4.0'
 }
 
 shadowJar {

agent/src/main/java/dev/aikido/agent/Wrappers.java

@@ -1,6 +1,7 @@
 package dev.aikido.agent;
 
 import dev.aikido.agent.wrappers.*;
+import dev.aikido.agent.wrappers.javalin.*;
 import dev.aikido.agent.wrappers.jdbc.MSSQLWrapper;
 import dev.aikido.agent.wrappers.jdbc.MariaDBWrapper;
 import dev.aikido.agent.wrappers.jdbc.MysqlCJWrapper;
@@ -30,6 +31,9 @@ private Wrappers() {}
             new ApacheHttpClientWrapper(),
             new PathWrapper(),
             new PathsWrapper(),
-            new NettyWrapper()
+            new NettyWrapper(),
+            new JavalinWrapper(),
+            new JavalinDataWrapper(),
+            new JavalinContextClearWrapper()
     );
 }

agent/src/main/java/dev/aikido/agent/wrappers/javalin/JavalinContextClearWrapper.java

@@ -0,0 +1,34 @@
+package dev.aikido.agent.wrappers.javalin;
+
+import dev.aikido.agent.wrappers.Wrapper;
+import dev.aikido.agent_api.context.Context;
+import net.bytebuddy.asm.Advice;
+import net.bytebuddy.description.method.MethodDescription;
+import net.bytebuddy.description.type.TypeDescription;
+import net.bytebuddy.matcher.ElementMatcher;
+import static net.bytebuddy.matcher.ElementMatchers.*;
+
+public class JavalinContextClearWrapper implements Wrapper {
+
+    @Override
+    public String getName() {
+        return JavalinContextClearAdvice.class.getName();
+    }
+
+    @Override
+    public ElementMatcher<? super MethodDescription> getMatcher() {
+        return isDeclaredBy(getTypeMatcher()).and(named("service"));
+    }
+
+    @Override
+    public ElementMatcher<? super TypeDescription> getTypeMatcher() {
+        return nameContains("io.javalin.jetty.JavalinJettyServlet");
+    }
+
+    public static class JavalinContextClearAdvice {
+        @Advice.OnMethodEnter
+        public static void before() {
+            Context.reset();
+        }
+    }
+}

agent/src/main/java/dev/aikido/agent/wrappers/javalin/JavalinDataWrapper.java

@@ -0,0 +1,79 @@
+package dev.aikido.agent.wrappers.javalin;
+
+import dev.aikido.agent.wrappers.Wrapper;
+import dev.aikido.agent_api.context.Context;
+import dev.aikido.agent_api.context.JavalinContextObject;
+import net.bytebuddy.asm.Advice;
+import net.bytebuddy.description.method.MethodDescription;
+import net.bytebuddy.description.type.TypeDescription;
+import net.bytebuddy.matcher.ElementMatcher;
+
+import java.lang.reflect.Executable;
+
+import static net.bytebuddy.matcher.ElementMatchers.*;
+
+/** JavalinDataWrapper
+ * Wraps multiple functions for both body, form & path variable data.
+ * https://github.com/javalin/javalin/blob/8b1dc1a55c28618df7f9f044aad4949d30a8cca8/javalin/src/main/java/io/javalin/http/Context.kt#L158
+ */
+public class JavalinDataWrapper implements Wrapper {
+    @Override
+    public String getName() {
+        return JavalinDataAdvice.class.getName();
+    }
+
+    @Override
+    public ElementMatcher<? super MethodDescription> getMatcher() {
+        return isDeclaredBy(getTypeMatcher()).and(namedOneOf(
+                // parse-able bodies :
+                "bodyAsClass",
+                // Form parameters :
+                "formParam", "formParamAsClass", "formParams", "formParamMap",
+                // Path parameters :
+                "pathParamMap", "pathParam", "pathParamAsClass"
+        ));
+    }
+
+    @Override
+    public ElementMatcher<? super TypeDescription> getTypeMatcher() {
+        return hasSuperType(nameContains("io.javalin.http.Context"));
+    }
+
+    public class JavalinDataAdvice {
+        @Advice.OnMethodExit(suppress = Throwable.class, onThrowable = Throwable.class)
+        public static void after(
+                @Advice.This io.javalin.http.Context ctx,
+                @Advice.Return Object data,
+                @Advice.Origin Executable method
+        ) {
+            String methodName = method.getName();
+            if (Context.get() instanceof JavalinContextObject context) {
+                if(methodName == "bodyAsClass") {
+                    // Body data via bodyAsClass, this overrides everything and is our preferred object :
+                    context.setBody(data);
+                }
+
+                if (methodName == "formParamMap") {
+                    // Form data, this can only override body if body does not yet exist :
+                    if (context.getBody() == null) {
+                        context.setBody(data);
+                    }
+                } else if(methodName.startsWith("form")) {
+                    // form functions that might not have used formParamMap, so we execute it here :
+                    ctx.formParamMap(); // This will fall through to the if-clause above.
+                }
+
+                if (methodName == "pathParamMap") {
+                    // We will now store the path parameters :
+                    context.setParams(data);
+                } else if(methodName.startsWith("path")) {
+                    // path functions that might not have used pathParamMap, so we execute pathParamMap here :
+                    ctx.pathParamMap(); // This will fall through to the if-clause above.
+                }
+
+                // Store changes :
+                Context.set(context);
+            }
+        }
+    }
+}

agent/src/main/java/dev/aikido/agent/wrappers/javalin/JavalinWrapper.java

@@ -0,0 +1,70 @@
+package dev.aikido.agent.wrappers.javalin;
+
+import dev.aikido.agent.wrappers.Wrapper;
+import dev.aikido.agent_api.collectors.WebRequestCollector;
+import dev.aikido.agent_api.collectors.WebResponseCollector;
+import dev.aikido.agent_api.context.Context;
+import dev.aikido.agent_api.context.ContextObject;
+import dev.aikido.agent_api.context.JavalinContextObject;
+import io.javalin.http.servlet.JavalinServletContext;
+import jakarta.servlet.http.HttpServletResponse;
+import net.bytebuddy.asm.Advice;
+import net.bytebuddy.description.method.MethodDescription;
+import net.bytebuddy.description.type.TypeDescription;
+import net.bytebuddy.matcher.*;
+
+import java.lang.reflect.Executable;
+
+import static net.bytebuddy.implementation.bytecode.assign.Assigner.Typing.DYNAMIC;
+import static net.bytebuddy.matcher.ElementMatchers.*;
+
+/** JavalinWrapper
+ * We're wrapping io.javalin.router.ParsedEndpoint's handle(JavalinServletContext, ...) function.
+ * See here: https://github.com/javalin/javalin/blob/8b1dc1a55c28618df7f9f044aad4949d30a8cca8/javalin/src/main/java/io/javalin/router/ParsedEndpoint.kt#L14
+ */
+public class JavalinWrapper implements Wrapper {
+    public String getName() {
+        return JavalinAdvice.class.getName();
+    }
+    public ElementMatcher<? super MethodDescription> getMatcher() {
+        return isDeclaredBy(getTypeMatcher()).and(named("handle"));
+    }
+    @Override
+    public ElementMatcher<? super TypeDescription> getTypeMatcher() {
+        return nameContains("io.javalin.router.ParsedEndpoint");
+    }
+    public class JavalinAdvice {
+        @Advice.OnMethodEnter(suppress = Throwable.class)
+        public static JavalinServletContext before(
+                @Advice.This(typing = DYNAMIC, optional = true) Object target,
+                @Advice.Origin Executable method,
+                @Advice.Argument(value = 0, typing = DYNAMIC, optional = true) JavalinServletContext ctx
+                ) {
+            if (Context.get() != null) {
+                return ctx; // Do not extract if context already exists.
+            }
+            // Create a context object :
+            ContextObject context = new JavalinContextObject(
+                    ctx.method().name(), ctx.url(), ctx.ip(),
+                    ctx.queryParamMap(), ctx.cookieMap(), ctx.headerMap()
+            );
+            WebRequestCollector.Res response = WebRequestCollector.report(context);
+
+            // Write a response if necessary :
+            if (response != null) {
+                ctx.result(response.msg());
+                ctx.status(response.status());
+                ctx.skipRemainingHandlers();
+            }
+
+            return ctx;
+        }
+        @Advice.OnMethodExit(suppress = Throwable.class, onThrowable = Throwable.class)
+        public static void after(
+                @Advice.Enter(typing = DYNAMIC) JavalinServletContext ctx
+        ) {
+            WebResponseCollector.report(ctx.statusCode());
+        }
+    }
+
+}

agent_api/src/main/java/dev/aikido/agent_api/context/JavalinContextObject.java

@@ -0,0 +1,51 @@
+package dev.aikido.agent_api.context;
+
+import java.util.*;
+
+import static dev.aikido.agent_api.helpers.net.ProxyForwardedParser.getIpFromRequest;
+import static dev.aikido.agent_api.helpers.url.BuildRouteFromUrl.buildRouteFromUrl;
+
+public class JavalinContextObject extends ContextObject {
+    // We use this map for when @RequestBody does not get used :
+    protected transient Map<String, Object> bodyMap = new HashMap<>();
+    public JavalinContextObject(
+            String method, String url, String rawIp, Map<String, List<String>> queryParams,
+            Map<String, String> cookies, Map<String, String> headers
+    ) {
+        this.method = method;
+        if (url != null) {
+            this.url = url.toString();
+        }
+        this.query = new HashMap<>(queryParams);
+        this.cookies = extractCookies(cookies);
+        this.headers = extractHeaders(headers);
+        this.route = buildRouteFromUrl(this.url);
+        this.remoteAddress = getIpFromRequest(rawIp, this.headers);
+        this.source = "Javalin";
+        this.redirectStartNodes = new ArrayList<>();
+
+        // We don't have access yet to the route parameters, will add once we have access.
+        this.params = null;
+    }
+    public void setParams(Object params) {
+        this.params = params;
+        this.cache.remove("routeParams"); // Reset cache
+    }
+
+    private static HashMap<String, List<String>> extractCookies(Map<String, String> cookieMap) {
+        HashMap<String, List<String>> cookies = new HashMap<>();
+
+        for (Map.Entry<String, String> entry : cookieMap.entrySet()) {
+            cookies.put(entry.getKey(), List.of(entry.getValue()));
+        }
+        return cookies;
+    }
+    private static HashMap<String, String> extractHeaders(Map<String, String> rawHeaders) {
+        HashMap<String, String> headers = new HashMap<>();
+        for (Map.Entry<String, String> entry: rawHeaders.entrySet()) {
+            // Lower-case keys :
+            headers.put(entry.getKey().toLowerCase(), entry.getValue());
+        }
+        return headers;
+    }
+}

agent_api/src/test/java/context/JavalinContextObjectTest.java

@@ -0,0 +1,112 @@
+package context;
+
+import dev.aikido.agent_api.context.JavalinContextObject;
+import dev.aikido.agent_api.context.RouteMetadata;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+import java.util.*;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+class JavalinContextObjectTest {
+
+    private JavalinContextObject contextObject;
+
+    @BeforeEach
+    void setUp() {
+        String method = "GET";
+        String url = "http://example.com/api/resource";
+        String rawIp = "192.168.1.1";
+        Map<String, List<String>> queryParams = new HashMap<>();
+        queryParams.put("param1", List.of("value1"));
+        Map<String, String> cookies = new HashMap<>();
+        cookies.put("sessionId", "abc123");
+        Map<String, String> headers = new HashMap<>();
+        headers.put("Content-Type", "application/json");
+
+        contextObject = new JavalinContextObject(method, url, rawIp, queryParams, cookies, headers);
+    }
+
+    @Test
+    void testConstructor() {
+        assertEquals("GET", contextObject.getMethod());
+        assertEquals("http://example.com/api/resource", contextObject.getUrl());
+        assertEquals("192.168.1.1", contextObject.getRemoteAddress());
+        assertEquals("application/json", contextObject.getHeaders().get("content-type"));
+        assertEquals(1, contextObject.getQuery().size());
+        assertEquals("value1", contextObject.getQuery().get("param1").get(0));
+        assertEquals(1, contextObject.getCookies().size());
+        assertEquals("abc123", contextObject.getCookies().get("sessionId").get(0));
+    }
+
+    @Test
+    void testSetParams() {
+        Object params = new HashMap<String, String>() {{
+            put("key", "value");
+        }};
+        contextObject.setParams(params);
+        assertEquals(params, contextObject.getParams());
+    }
+
+    @Test
+    void testSetBody() {
+        Object body = new HashMap<String, String>() {{
+            put("field", "data");
+        }};
+        contextObject.setBody(body);
+        assertEquals(body, contextObject.getBody());
+    }
+
+    @Test
+    void testSetExecutedMiddleware() {
+        contextObject.setExecutedMiddleware(true);
+        assertTrue(contextObject.middlewareExecuted());
+    }
+
+    @Test
+    void testToJson() {
+        String json = contextObject.toJson();
+        assertNotNull(json);
+        assertTrue(json.contains("GET"));
+        assertTrue(json.contains("http://example.com/api/resource"));
+    }
+
+    @Test
+    void testGetRouteMetadata() {
+        RouteMetadata metadata = contextObject.getRouteMetadata();
+        assertNotNull(metadata);
+        assertEquals(contextObject.getRoute(), metadata.route());
+        assertEquals(contextObject.getUrl(), metadata.url());
+        assertEquals(contextObject.getMethod(), metadata.method());
+    }
+
+    @Test
+    void testHeadersExtraction() {
+        // Test headers extraction through the constructor
+        assertEquals("application/json", contextObject.getHeaders().get("content-type"));
+        assertEquals(1, contextObject.getHeaders().size());
+        assertTrue(contextObject.getHeaders().containsKey("content-type"));
+    }
+
+    @Test
+    void testCookiesExtraction() {
+        // Test cookies extraction through the constructor
+        assertEquals(1, contextObject.getCookies().size());
+        assertTrue(contextObject.getCookies().containsKey("sessionId"));
+        assertEquals("abc123", contextObject.getCookies().get("sessionId").get(0));
+    }
+
+    @Test
+    void testMultipleCookiesExtraction() {
+        // Test with multiple cookies
+        Map<String, String> cookies = new HashMap<>();
+        cookies.put("sessionId", "abc123");
+        cookies.put("userId", "user456");
+        contextObject = new JavalinContextObject("GET", "http://example.com", "192.168.1.1", new HashMap<>(), cookies, new HashMap<>());
+
+        assertEquals("abc123", contextObject.getCookies().get("sessionId").get(0));
+        assertEquals("user456", contextObject.getCookies().get("userId").get(0));
+        assertEquals(2, contextObject.getCookies().size());
+    }
+}