Deserialization POC without reflection

newrelic · Jan 15, 2025 · 12559be · 12559be
1 parent 93d10f0
commit 12559be
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 8 deletions.
diff --git a/...agent/src/main/java/com/newrelic/agent/security/instrumentator/dispatcher/Dispatcher.java b/...agent/src/main/java/com/newrelic/agent/security/instrumentator/dispatcher/Dispatcher.java
@@ -657,7 +657,12 @@ private static JavaAgentEventBean prepareSSRFEvent(JavaAgentEventBean eventBean,
 
     private static JavaAgentEventBean prepareDeserializationEvent(JavaAgentEventBean eventBean,
                                                        DeserialisationOperation deserialisationOperation) {
+        DeserializationInfo rootDeserializationInfo = deserialisationOperation.getRootDeserializationInfo();
         JSONArray params = new JSONArray();
+        if(rootDeserializationInfo != null) {
+            eventBean.getMetaData().setDeserializationInfo(rootDeserializationInfo);
+            params.add(GsonUtil.toJson(rootDeserializationInfo.getInstance()));
+        }
         eventBean.setParameters(params);
         return eventBean;
     }

diff --git a/...-security-api/src/main/java/com/newrelic/api/agent/security/schema/AbstractOperation.java b/...-security-api/src/main/java/com/newrelic/api/agent/security/schema/AbstractOperation.java
@@ -48,7 +48,7 @@ public AbstractOperation(String className, String methodName){
                     NewRelicSecurity.getAgent().getSecurityMetaData().peekDeserializationRoot() != null) {
                 this.deserializationInfo = NewRelicSecurity.getAgent().getSecurityMetaData()
                         .peekDeserializationRoot();
-                this.deserializationInfo.computeObjectMap();
+//                this.deserializationInfo.computeObjectMap();
             }
     }
 

diff --git a/...ecurity-api/src/main/java/com/newrelic/api/agent/security/schema/DeserializationInfo.java b/...ecurity-api/src/main/java/com/newrelic/api/agent/security/schema/DeserializationInfo.java
@@ -1,5 +1,7 @@
 package com.newrelic.api.agent.security.schema;
 
+import com.newrelic.api.agent.security.NewRelicSecurity;
+
 import java.io.Serializable;
 import java.lang.reflect.Field;
 import java.util.*;
@@ -68,10 +70,10 @@ public DeserializationInfo(DeserializationInfo instance) {
                 this.value.put(entry.getKey(), new DeserializationInfo(entry.getValue()));
             }
         }
-        for(DeserializationInfo value: instance.unlinkedChildren){
-            value.computeObjectMap();
-            this.unlinkedChildren.add(new DeserializationInfo(value));
-        }
+//        for(DeserializationInfo value: instance.unlinkedChildren){
+//            value.computeObjectMap();
+//            this.unlinkedChildren.add(new DeserializationInfo(value));
+//        }
     }
 
     public DeserializationInfo() {
@@ -98,6 +100,7 @@ private Map<String, DeserializationInfo> computeKeyValueMappingOnObject(Object o
         if (depth > MAX_DEPTH_POPULATION){
             return new HashMap<>();
         }
+
         // TODO: Update this to ObjectMapper.readObject to parse complete deseriaized object and return json str.
         try {
             Field[] fields = obj.getClass().getFields();

diff --git a/.../main/java/com/newrelic/api/agent/security/schema/operation/DeserialisationOperation.java b/.../main/java/com/newrelic/api/agent/security/schema/operation/DeserialisationOperation.java
@@ -12,6 +12,7 @@ public class DeserialisationOperation extends AbstractOperation {
 
     private String entityName;
     private Map<String, DeserializationInfo> params;
+    private DeserializationInfo rootDeserializationInfo;
 
 
     public DeserialisationOperation(String className, String methodName) {
@@ -20,15 +21,17 @@ public DeserialisationOperation(String className, String methodName) {
                 NewRelicSecurity.getAgent().getSecurityMetaData().peekDeserializationRoot()!=null) {
             this.entityName = NewRelicSecurity.getAgent().getSecurityMetaData()
                     .peekDeserializationRoot().getType();
-            this.params = NewRelicSecurity.getAgent().getSecurityMetaData()
-                    .peekDeserializationRoot().computeObjectMap();
+//            this.params = NewRelicSecurity.getAgent().getSecurityMetaData()
+//                    .peekDeserializationRoot().computeObjectMap();
+            this.rootDeserializationInfo = NewRelicSecurity.getAgent().getSecurityMetaData()
+                    .peekDeserializationRoot();
         }
         this.setCaseType(VulnerabilityCaseType.UNSAFE_DESERIALIZATION);
     }
 
     @Override
     public boolean isEmpty() {
-        return this.params==null || this.params.isEmpty() || StringUtils.isEmpty(this.entityName);
+        return this.rootDeserializationInfo==null || StringUtils.isEmpty(this.entityName);
     }
 
     public String getEntityName() {
@@ -46,4 +49,12 @@ public Map<String, DeserializationInfo> getParams() {
     public void setParams(Map<String, DeserializationInfo> params) {
         this.params = params;
     }
+
+    public DeserializationInfo getRootDeserializationInfo() {
+        return rootDeserializationInfo;
+    }
+
+    public void setRootDeserializationInfo(DeserializationInfo rootDeserializationInfo) {
+        this.rootDeserializationInfo = rootDeserializationInfo;
+    }
 }