diff --git a/newrelic-security-agent/src/main/java/com/newrelic/agent/security/instrumentator/dispatcher/Dispatcher.java b/newrelic-security-agent/src/main/java/com/newrelic/agent/security/instrumentator/dispatcher/Dispatcher.java
index 290996f13..f0275b75e 100644
--- a/newrelic-security-agent/src/main/java/com/newrelic/agent/security/instrumentator/dispatcher/Dispatcher.java
+++ b/newrelic-security-agent/src/main/java/com/newrelic/agent/security/instrumentator/dispatcher/Dispatcher.java
@@ -657,7 +657,12 @@ private static JavaAgentEventBean prepareSSRFEvent(JavaAgentEventBean eventBean,
 private static JavaAgentEventBean prepareDeserializationEvent(JavaAgentEventBean eventBean, DeserialisationOperation deserialisationOperation) {
+ DeserializationInfo rootDeserializationInfo = deserialisationOperation.getRootDeserializationInfo();
 JSONArray params = new JSONArray();
+ if(rootDeserializationInfo != null) {
+ eventBean.getMetaData().setDeserializationInfo(rootDeserializationInfo);
+ params.add(GsonUtil.toJson(rootDeserializationInfo.getInstance()));
+ }
 eventBean.setParameters(params);
 return eventBean;
 }
diff --git a/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/AbstractOperation.java b/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/AbstractOperation.java
index c32f7d63e..abf87b4ba 100644
--- a/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/AbstractOperation.java
+++ b/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/AbstractOperation.java
@@ -48,7 +48,7 @@ public AbstractOperation(String className, String methodName){
 NewRelicSecurity.getAgent().getSecurityMetaData().peekDeserializationRoot() != null) {
 this.deserializationInfo = NewRelicSecurity.getAgent().getSecurityMetaData()
 .peekDeserializationRoot();
- this.deserializationInfo.computeObjectMap();
+// this.deserializationInfo.computeObjectMap();
 }
 }
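Review bot: The new `params.add(GsonUtil.toJson(rootDeserializationInfo.getInstance()))` serialises what appears to be the raw deserialised object with no guard, whereas the `computeObjectMap` path it replaces was capped by `MAX_DEPTH_POPULATION` (visible in the DeserializationInfo hunk of this diff). Gson's reflective serialisation of an arbitrary user type can fail — a cyclic graph ends in StackOverflowError, and on newer JVMs inaccessible JDK-internal fields raise a runtime exception — and an unbounded graph makes the event arbitrarily large; either way the failure escapes `prepareDeserializationEvent` and the event for the request being reported is lost unless some caller catches it. I would keep the event and drop only the payload: `try { params.add(GsonUtil.toJson(rootDeserializationInfo.getInstance())); } catch (RuntimeException | StackOverflowError e) { /* log and send the event without the payload */ }`, and consider a size cap on the produced string. A short comment on the `if` stating that `getInstance()` is the deserialised object (assuming that is what it returns) would also help the next reader.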
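Review bot: `// this.deserializationInfo.computeObjectMap();` leaves dead code in the constructor rather than deleting it; the same commented-out blocks appear in the DeserializationInfo copy constructor and in the DeserialisationOperation constructor elsewhere in this diff. If the call is intentionally disabled pending the ObjectMapper rework named in the new TODO, delete the line and say so, e.g. `// object-map population is deferred; the dispatcher serialises the raw root instance instead`, otherwise readers cannot tell whether this is a temporary experiment. Note also that the field now holds the root from `peekDeserializationRoot()` without its map computed, so anything that still reads the map from this object presumably sees it empty. The enclosing constructor starts outside the hunk.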
diff --git a/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/DeserializationInfo.java b/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/DeserializationInfo.java
index c34ecd02f..c70583d45 100644
--- a/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/DeserializationInfo.java
+++ b/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/DeserializationInfo.java
@@ -1,5 +1,7 @@
 package com.newrelic.api.agent.security.schema;
+import com.newrelic.api.agent.security.NewRelicSecurity;
+
 import java.io.Serializable;
 import java.lang.reflect.Field;
 import java.util.*;
@@ -68,10 +70,10 @@ public DeserializationInfo(DeserializationInfo instance) {
 this.value.put(entry.getKey(), new DeserializationInfo(entry.getValue()));
 }
 }
- for(DeserializationInfo value: instance.unlinkedChildren){
- value.computeObjectMap();
- this.unlinkedChildren.add(new DeserializationInfo(value));
- }
+// for(DeserializationInfo value: instance.unlinkedChildren){
+// value.computeObjectMap();
+// this.unlinkedChildren.add(new DeserializationInfo(value));
+// }
 }
 public DeserializationInfo() {
@@ -98,6 +100,7 @@ private Map computeKeyValueMappingOnObject(Object o
 if (depth > MAX_DEPTH_POPULATION){
 return new HashMap<>();
 }
+ // TODO: Update this to ObjectMapper.readObject to parse complete deseriaized object and return json str.
 try {
 Field[] fields = obj.getClass().getFields();
diff --git a/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/operation/DeserialisationOperation.java b/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/operation/DeserialisationOperation.java
index da35c5529..901c48475 100644
--- a/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/operation/DeserialisationOperation.java
+++ b/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/operation/DeserialisationOperation.java
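Review bot: The added `import com.newrelic.api.agent.security.NewRelicSecurity;` is not referenced by any line changed in this file's hunks, so it looks unused; if nothing else in the file uses it, drop it. Beyond the lint warning, it couples a schema value class to the agent entry point, a dependency direction that is hard to undo once other code starts relying on it.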
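Review bot: Commenting out the `unlinkedChildren` loop changes the copy constructor's contract: a copy no longer carries any of the source's unlinked children, while the `value` map just above is still deep-copied, so copies are silently partial. If the intent was only to stop calling `computeObjectMap()` during the copy, keep the copy itself: `for (DeserializationInfo child : instance.unlinkedChildren) { this.unlinkedChildren.add(new DeserializationInfo(child)); }`. If the children are intentionally dropped, delete the block instead of commenting it out and add a one-line comment saying copies are shallow with respect to `unlinkedChildren`. The copy constructor starts outside the hunk.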
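Review bot: The new TODO has a typo (`deseriaized`) and, if it refers to Jackson's `ObjectMapper`, names a method that class does not have — rendering to a JSON string is `writeValueAsString`, while `readObject` is the `ObjectInputStream` method. More importantly, the line directly above it, `if (depth > MAX_DEPTH_POPULATION)`, is the only bound on how much of a user-controlled object graph is walked reflectively; whatever replaces this method should keep an equivalent depth or size limit, and the TODO could say so: `// TODO: replace with a JSON-string rendering of the deserialised object; keep a depth/size cap equivalent to MAX_DEPTH_POPULATION.` The enclosing method continues outside the hunk.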
@@ -12,6 +12,7 @@ public class DeserialisationOperation extends AbstractOperation {
 private String entityName;
 private Map params;
+ private DeserializationInfo rootDeserializationInfo;
 public DeserialisationOperation(String className, String methodName) {
@@ -20,15 +21,17 @@ public DeserialisationOperation(String className, String methodName) {
 NewRelicSecurity.getAgent().getSecurityMetaData().peekDeserializationRoot()!=null) {
 this.entityName = NewRelicSecurity.getAgent().getSecurityMetaData()
 .peekDeserializationRoot().getType();
- this.params = NewRelicSecurity.getAgent().getSecurityMetaData()
- .peekDeserializationRoot().computeObjectMap();
+// this.params = NewRelicSecurity.getAgent().getSecurityMetaData()
+// .peekDeserializationRoot().computeObjectMap();
+ this.rootDeserializationInfo = NewRelicSecurity.getAgent().getSecurityMetaData()
+ .peekDeserializationRoot();
 }
 this.setCaseType(VulnerabilityCaseType.UNSAFE_DESERIALIZATION);
 }
 @Override
 public boolean isEmpty() {
- return this.params==null || this.params.isEmpty() || StringUtils.isEmpty(this.entityName);
+ return this.rootDeserializationInfo==null || StringUtils.isEmpty(this.entityName);
 }
 public String getEntityName() {
@@ -46,4 +49,12 @@ public Map getParams() {
 public void setParams(Map params) {
 this.params = params;
 }
+
+ public DeserializationInfo getRootDeserializationInfo() {
+ return rootDeserializationInfo;
+ }
+
+ public void setRootDeserializationInfo(DeserializationInfo rootDeserializationInfo) {
+ this.rootDeserializationInfo = rootDeserializationInfo;
+ }
 }
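Review bot: `this.rootDeserializationInfo = NewRelicSecurity.getAgent().getSecurityMetaData().peekDeserializationRoot();` stores the same object that the `AbstractOperation` constructor in this diff already stores in `deserializationInfo` under the same null check, so the subclass now carries a duplicate reference to the root; if the superclass field has an accessor, `getRootDeserializationInfo()` could return that and the new field and setter could go. Within this hunk `peekDeserializationRoot()` is called three times on one path (the condition, the `getType()` call and the assignment); reading it once into a local, `DeserializationInfo root = NewRelicSecurity.getAgent().getSecurityMetaData().peekDeserializationRoot();`, and using `root` for the null check, `root.getType()` and the assignment makes the constructor easier to follow and removes any chance that the three peeks disagree. Separately, `params` is no longer populated by the constructor, so `getParams()` returns null until `setParams` is called and `isEmpty()` no longer considers it; if `params` has no remaining consumer, the field and its accessors should be removed as well. The constructor's opening condition starts outside the hunk.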