From 530ef1b75a9452d25035a196ec09fa200be69884 Mon Sep 17 00:00:00 2001
From: idawda
Date: Fri, 7 Jun 2024 11:58:53 +0530
Subject: [PATCH 01/14] API Endpoint Phase 2: Add Endpoint route in Servlet Framework
---
.../security/instrumentation/jetty11/HttpServletHelper.java | 4 ++++
.../security/instrumentation/jetty9/HttpServletHelper.java | 4 ++++
.../main/java/javax/servlet/FilterChain_Instrumentation.java | 4 ++++
.../src/main/java/javax/servlet/Filter_Instrumentation.java | 4 ++++
.../src/main/java/javax/servlet/Servlet_Instrumentation.java | 4 ++++
.../java/jakarta/servlet/FilterChain_Instrumentation.java | 4 ++++
.../src/main/java/jakarta/servlet/Filter_Instrumentation.java | 4 ++++
.../main/java/jakarta/servlet/Servlet_Instrumentation.java | 4 ++++
.../java/jakarta/servlet/FilterChain_Instrumentation.java | 4 ++++
.../src/main/java/jakarta/servlet/Filter_Instrumentation.java | 4 ++++
.../main/java/jakarta/servlet/Servlet_Instrumentation.java | 4 ++++
11 files changed, 44 insertions(+)
diff --git a/instrumentation-security/jetty-11/src/main/java/com/newrelic/agent/security/instrumentation/jetty11/HttpServletHelper.java b/instrumentation-security/jetty-11/src/main/java/com/newrelic/agent/security/instrumentation/jetty11/HttpServletHelper.java
index 00c729bec..8da9cdf56 100644
--- a/instrumentation-security/jetty-11/src/main/java/com/newrelic/agent/security/instrumentation/jetty11/HttpServletHelper.java
+++ b/instrumentation-security/jetty-11/src/main/java/com/newrelic/agent/security/instrumentation/jetty11/HttpServletHelper.java
@@ -4,6 +4,7 @@ import com.newrelic.api.agent.security.instrumentation.helpers.*; import com.newrelic.api.agent.security.schema.AgentMetaData; import com.newrelic.api.agent.security.schema.ApplicationURLMapping; +import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.SecurityMetaData; import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException; @@ -151,6 +152,9 @@ public static void preprocessSecurityHook(HttpServletRequest httpServletRequest) securityAgentMetaData.getIps().add(securityRequest.getClientIP()); securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } + // route detection + securityAgentMetaData.setFramework(Framework.SERVLET); + securityRequest.setRoute(httpServletRequest.getServletPath()); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); diff --git a/instrumentation-security/jetty-9/src/main/java/com/newrelic/agent/security/instrumentation/jetty9/HttpServletHelper.java b/instrumentation-security/jetty-9/src/main/java/com/newrelic/agent/security/instrumentation/jetty9/HttpServletHelper.java index dd3d81697..2c3ca53bc 100644 --- a/instrumentation-security/jetty-9/src/main/java/com/newrelic/agent/security/instrumentation/jetty9/HttpServletHelper.java +++ b/instrumentation-security/jetty-9/src/main/java/com/newrelic/agent/security/instrumentation/jetty9/HttpServletHelper.java @@ -4,6 +4,7 @@ import com.newrelic.api.agent.security.instrumentation.helpers.*; import com.newrelic.api.agent.security.schema.AgentMetaData; import com.newrelic.api.agent.security.schema.ApplicationURLMapping; +import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.SecurityMetaData; import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException; 
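Review bot: `securityRequest.setRoute(httpServletRequest.getServletPath())` records the path taken from the incoming request rather than the servlet's mapping pattern, so the stored route is client-supplied text: under the Servlet API it is an empty string for a servlet mapped to `/*` and the full request path for the default servlet. Consumers of `getRoute()` should treat it as untrusted, high-cardinality data, and the line deserves a comment such as `// getServletPath() is request-derived ("" for a /* mapping), not a mapping pattern`. The same three added lines recur in the jetty-9, servlet-2.4, servlet-5.0 and servlet-6.0 hunks of this patch; PATCH 02 below replaces them only in jetty-11, servlet-5.0 and servlet-6.0, so the jetty-9 and servlet-2.4 copies keep this behaviour. preprocessSecurityHook's body starts and ends outside the hunk.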
@@ -152,6 +153,9 @@ public static void preprocessSecurityHook(HttpServletRequest httpServletRequest) securityAgentMetaData.getIps().add(securityRequest.getClientIP()); securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } + // route detection + securityAgentMetaData.setFramework(Framework.SERVLET); + securityRequest.setRoute(httpServletRequest.getServletPath()); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); diff --git a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/FilterChain_Instrumentation.java b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/FilterChain_Instrumentation.java index 2e25a599f..fdfa5e45f 100644 --- a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/FilterChain_Instrumentation.java +++ b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/FilterChain_Instrumentation.java @@ -5,6 +5,7 @@ import com.newrelic.api.agent.security.instrumentation.helpers.LowSeverityHelper; import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper; import com.newrelic.api.agent.security.schema.AgentMetaData; +import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.SecurityMetaData; import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException; @@ -64,6 +65,9 @@ private void preprocessSecurityHook(ServletRequest request, ServletResponse resp securityAgentMetaData.getIps().add(securityRequest.getClientIP()); securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } + // route detection + securityAgentMetaData.setFramework(Framework.SERVLET); + securityRequest.setRoute(httpServletRequest.getServletPath()); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); 
diff --git a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Filter_Instrumentation.java b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Filter_Instrumentation.java index 6acac817c..4a8c2a641 100644 --- a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Filter_Instrumentation.java +++ b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Filter_Instrumentation.java @@ -5,6 +5,7 @@ import com.newrelic.api.agent.security.instrumentation.helpers.LowSeverityHelper; import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper; import com.newrelic.api.agent.security.schema.AgentMetaData; +import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.SecurityMetaData; import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException; @@ -66,6 +67,9 @@ private void preprocessSecurityHook(ServletRequest request, ServletResponse resp securityAgentMetaData.getIps().add(securityRequest.getClientIP()); securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } + // route detection + securityAgentMetaData.setFramework(Framework.SERVLET); + securityRequest.setRoute(httpServletRequest.getServletPath()); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); diff --git a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Servlet_Instrumentation.java b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Servlet_Instrumentation.java index 98f957d36..fb06328c3 100644 --- a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Servlet_Instrumentation.java +++ b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Servlet_Instrumentation.java 
@@ -12,6 +12,7 @@ import com.newrelic.api.agent.security.instrumentation.helpers.LowSeverityHelper; import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper; import com.newrelic.api.agent.security.schema.AgentMetaData; +import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.SecurityMetaData; import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException; @@ -70,6 +71,9 @@ private void preprocessSecurityHook(ServletRequest_Instrumentation request, Serv securityAgentMetaData.getIps().add(securityRequest.getClientIP()); securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } + // route detection + securityAgentMetaData.setFramework(Framework.SERVLET); + securityRequest.setRoute(httpServletRequest.getServletPath()); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); diff --git a/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java b/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java index 9893b7ccf..89f1d3119 100644 --- a/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java +++ b/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java @@ -5,6 +5,7 @@ import com.newrelic.api.agent.security.instrumentation.helpers.LowSeverityHelper; import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper; import com.newrelic.api.agent.security.schema.AgentMetaData; +import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.SecurityMetaData; import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException; 
@@ -64,6 +65,9 @@ private void preprocessSecurityHook(ServletRequest request, ServletResponse resp securityAgentMetaData.getIps().add(securityRequest.getClientIP()); securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } + // route detection + securityAgentMetaData.setFramework(Framework.SERVLET); + securityRequest.setRoute(httpServletRequest.getServletPath()); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); diff --git a/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java b/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java index cf4ddbeb9..8d2f0f4b9 100644 --- a/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java +++ b/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java @@ -5,6 +5,7 @@ import com.newrelic.api.agent.security.instrumentation.helpers.LowSeverityHelper; import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper; import com.newrelic.api.agent.security.schema.AgentMetaData; +import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.SecurityMetaData; import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException; @@ -65,6 +66,9 @@ private void preprocessSecurityHook(ServletRequest request, ServletResponse resp securityAgentMetaData.getIps().add(securityRequest.getClientIP()); securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } + // route detection + securityAgentMetaData.setFramework(Framework.SERVLET); + securityRequest.setRoute(httpServletRequest.getServletPath()); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); 
diff --git a/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java b/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java index 01da21d98..cdfacd5a9 100644 --- a/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java +++ b/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java @@ -12,6 +12,7 @@ import com.newrelic.api.agent.security.instrumentation.helpers.LowSeverityHelper; import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper; import com.newrelic.api.agent.security.schema.AgentMetaData; +import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.SecurityMetaData; import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException; @@ -70,6 +71,9 @@ private void preprocessSecurityHook(ServletRequest_Instrumentation request, Serv securityAgentMetaData.getIps().add(securityRequest.getClientIP()); securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } + // route detection + securityAgentMetaData.setFramework(Framework.SERVLET); + securityRequest.setRoute(httpServletRequest.getServletPath()); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); diff --git a/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java b/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java index c7f7a3c45..6527bf1bd 100644 --- a/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java +++ b/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java 
@@ -5,6 +5,7 @@ import com.newrelic.api.agent.security.instrumentation.helpers.LowSeverityHelper; import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper; import com.newrelic.api.agent.security.schema.AgentMetaData; +import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.SecurityMetaData; import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException; @@ -64,6 +65,9 @@ private void preprocessSecurityHook(ServletRequest request, ServletResponse resp securityAgentMetaData.getIps().add(securityRequest.getClientIP()); securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } + // route detection + securityAgentMetaData.setFramework(Framework.SERVLET); + securityRequest.setRoute(httpServletRequest.getServletPath()); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); diff --git a/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java b/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java index d1d36a341..787f30aaf 100644 --- a/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java +++ b/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java @@ -5,6 +5,7 @@ import com.newrelic.api.agent.security.instrumentation.helpers.LowSeverityHelper; import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper; import com.newrelic.api.agent.security.schema.AgentMetaData; +import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.SecurityMetaData; import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException; 
@@ -65,6 +66,9 @@ private void preprocessSecurityHook(ServletRequest request, ServletResponse resp securityAgentMetaData.getIps().add(securityRequest.getClientIP()); securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } + // route detection + securityAgentMetaData.setFramework(Framework.SERVLET); + securityRequest.setRoute(httpServletRequest.getServletPath()); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); diff --git a/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java b/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java index cc01075f3..a474c6277 100644 --- a/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java +++ b/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java @@ -12,6 +12,7 @@ import com.newrelic.api.agent.security.instrumentation.helpers.LowSeverityHelper; import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper; import com.newrelic.api.agent.security.schema.AgentMetaData; +import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.SecurityMetaData; import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException; @@ -70,6 +71,9 @@ private void preprocessSecurityHook(ServletRequest_Instrumentation request, Serv securityAgentMetaData.getIps().add(securityRequest.getClientIP()); securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } + // route detection + securityAgentMetaData.setFramework(Framework.SERVLET); + securityRequest.setRoute(httpServletRequest.getServletPath()); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); From b842390c15ff4c4cdbcb36fafc1862975b41549b Mon Sep 17 00:00:00 2001 
From: idawda Date: Fri, 7 Jun 2024 13:56:49 +0530 Subject: [PATCH 02/14] API Endpoint Phase 2: Add Endpoint route in Servlet Framework --- .../instrumentation/jetty11/HttpServletHelper.java | 14 ++++++++++++-- .../servlet5/HttpServletHelper.java | 13 ++++++++++++- .../servlet/FilterChain_Instrumentation.java | 3 +-- .../jakarta/servlet/Filter_Instrumentation.java | 3 +-- .../jakarta/servlet/Servlet_Instrumentation.java | 3 +-- .../servlet6/HttpServletHelper.java | 13 ++++++++++++- .../servlet/FilterChain_Instrumentation.java | 3 +-- .../jakarta/servlet/Filter_Instrumentation.java | 3 +-- .../jakarta/servlet/Servlet_Instrumentation.java | 3 +-- 9 files changed, 42 insertions(+), 16 deletions(-) diff --git a/instrumentation-security/jetty-11/src/main/java/com/newrelic/agent/security/instrumentation/jetty11/HttpServletHelper.java b/instrumentation-security/jetty-11/src/main/java/com/newrelic/agent/security/instrumentation/jetty11/HttpServletHelper.java index 8da9cdf56..7d314aa58 100644 --- a/instrumentation-security/jetty-11/src/main/java/com/newrelic/agent/security/instrumentation/jetty11/HttpServletHelper.java +++ b/instrumentation-security/jetty-11/src/main/java/com/newrelic/agent/security/instrumentation/jetty11/HttpServletHelper.java @@ -13,8 +13,10 @@ import com.newrelic.api.agent.security.utils.logging.LogLevel; import jakarta.servlet.ServletContext; import jakarta.servlet.ServletRegistration; +import jakarta.servlet.http.HttpServletMapping; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; +import jakarta.servlet.http.MappingMatch; import java.util.Arrays; import java.util.Collection; 
@@ -153,8 +155,7 @@ public static void preprocessSecurityHook(HttpServletRequest httpServletRequest) securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } // route detection - securityAgentMetaData.setFramework(Framework.SERVLET); - securityRequest.setRoute(httpServletRequest.getServletPath()); + HttpServletHelper.setRoute(httpServletRequest, securityRequest, securityAgentMetaData); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); @@ -236,4 +237,13 @@ else if(path.endsWith(".jsp") || path.endsWith(".jspx") || path.endsWith(".JSP") NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_APP_ENDPOINTS, JETTY_11, e.getMessage()), e, HttpServletHelper.class.getName()); } } + public static void setRoute(HttpServletRequest request, HttpRequest securityRequest, AgentMetaData metaData){ + HttpServletMapping mapping = request.getHttpServletMapping(); + if (!mapping.getMappingMatch().equals(MappingMatch.EXTENSION)){ + securityRequest.setRoute(mapping.getPattern()); + } else { + securityRequest.setRoute(request.getServletPath()); + } + metaData.setFramework(Framework.SERVLET); + } } diff --git a/instrumentation-security/servlet-5.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet5/HttpServletHelper.java b/instrumentation-security/servlet-5.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet5/HttpServletHelper.java index 24c53074c..e8583132d 100644 --- a/instrumentation-security/servlet-5.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet5/HttpServletHelper.java +++ b/instrumentation-security/servlet-5.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet5/HttpServletHelper.java 
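Review bot: The new `setRoute` helper dereferences `mapping.getMappingMatch()` without a null check, and the `HttpServletRequest` interface's default `getHttpServletMapping()` returns a mapping whose match is `null`, so a request object that does not override it would throw a NullPointerException inside the security hook. Whether the caller catches that is not visible here (preprocessSecurityHook's body lies outside the hunk), so the helper should guard it and fall back to the servlet path: `MappingMatch match = mapping == null ? null : mapping.getMappingMatch();` followed by `if (match != null && match != MappingMatch.EXTENSION) {`. The identical helper is added to the servlet-5.0 and servlet-6.0 `HttpServletHelper` classes later in this patch and needs the same guard. A short Javadoc stating that non-extension matches report the mapping pattern and extension matches report the request's servlet path would also help.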
@@ -4,16 +4,18 @@ import com.newrelic.api.agent.security.instrumentation.helpers.*; import com.newrelic.api.agent.security.schema.AgentMetaData; import com.newrelic.api.agent.security.schema.ApplicationURLMapping; +import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.policy.AgentPolicy; import com.newrelic.api.agent.security.utils.logging.LogLevel; import jakarta.servlet.ServletContext; import jakarta.servlet.ServletRegistration; +import jakarta.servlet.http.HttpServletMapping; import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.MappingMatch; import java.util.Collection; import java.util.Enumeration; -import java.util.Iterator; import java.util.Map; public class HttpServletHelper { @@ -154,4 +156,13 @@ else if(path.endsWith(".jsp") || path.endsWith(".jspx") || path.endsWith(".JSP") NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_APP_ENDPOINTS, SERVLET_5_0, e.getMessage()), e, HttpServletHelper.class.getName()); } } + public static void setRoute(HttpServletRequest request, HttpRequest securityRequest, AgentMetaData metaData){ + HttpServletMapping mapping = request.getHttpServletMapping(); + if (!mapping.getMappingMatch().equals(MappingMatch.EXTENSION)){ + securityRequest.setRoute(mapping.getPattern()); + } else { + securityRequest.setRoute(request.getServletPath()); + } + metaData.setFramework(Framework.SERVLET); + } } diff --git a/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java b/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java index 89f1d3119..a21d712d8 100644 --- a/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java +++ b/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java 
@@ -66,8 +66,7 @@ private void preprocessSecurityHook(ServletRequest request, ServletResponse resp securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } // route detection - securityAgentMetaData.setFramework(Framework.SERVLET); - securityRequest.setRoute(httpServletRequest.getServletPath()); + HttpServletHelper.setRoute(httpServletRequest, securityRequest, securityAgentMetaData); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); diff --git a/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java b/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java index 8d2f0f4b9..f63ffd9bd 100644 --- a/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java +++ b/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java @@ -67,8 +67,7 @@ private void preprocessSecurityHook(ServletRequest request, ServletResponse resp securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } // route detection - securityAgentMetaData.setFramework(Framework.SERVLET); - securityRequest.setRoute(httpServletRequest.getServletPath()); + HttpServletHelper.setRoute(httpServletRequest, securityRequest, securityAgentMetaData); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); diff --git a/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java b/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java index cdfacd5a9..f85cc380a 100644 --- a/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java +++ b/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java 
@@ -72,8 +72,7 @@ private void preprocessSecurityHook(ServletRequest_Instrumentation request, Serv securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } // route detection - securityAgentMetaData.setFramework(Framework.SERVLET); - securityRequest.setRoute(httpServletRequest.getServletPath()); + HttpServletHelper.setRoute(httpServletRequest, securityRequest, securityAgentMetaData); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); diff --git a/instrumentation-security/servlet-6.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet6/HttpServletHelper.java b/instrumentation-security/servlet-6.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet6/HttpServletHelper.java index 847d8e440..08c11e96b 100644 --- a/instrumentation-security/servlet-6.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet6/HttpServletHelper.java +++ b/instrumentation-security/servlet-6.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet6/HttpServletHelper.java @@ -4,16 +4,18 @@ import com.newrelic.api.agent.security.instrumentation.helpers.*; import com.newrelic.api.agent.security.schema.AgentMetaData; import com.newrelic.api.agent.security.schema.ApplicationURLMapping; +import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.policy.AgentPolicy; import com.newrelic.api.agent.security.utils.logging.LogLevel; import jakarta.servlet.ServletContext; import jakarta.servlet.ServletRegistration; +import jakarta.servlet.http.HttpServletMapping; import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.MappingMatch; import java.util.Collection; import java.util.Enumeration; -import java.util.Iterator; import java.util.Map; public class HttpServletHelper { 
@@ -154,4 +156,13 @@ else if(path.endsWith(".jsp") || path.endsWith(".jspx") || path.endsWith(".JSP") NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_APP_ENDPOINTS, SERVLET_6_0, e.getMessage()), e, HttpServletHelper.class.getName()); } } + public static void setRoute(HttpServletRequest request, HttpRequest securityRequest, AgentMetaData metaData){ + HttpServletMapping mapping = request.getHttpServletMapping(); + if (!mapping.getMappingMatch().equals(MappingMatch.EXTENSION)){ + securityRequest.setRoute(mapping.getPattern()); + } else { + securityRequest.setRoute(request.getServletPath()); + } + metaData.setFramework(Framework.SERVLET); + } } diff --git a/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java b/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java index 6527bf1bd..1ef5fa7ac 100644 --- a/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java +++ b/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java @@ -66,8 +66,7 @@ private void preprocessSecurityHook(ServletRequest request, ServletResponse resp securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } // route detection - securityAgentMetaData.setFramework(Framework.SERVLET); - securityRequest.setRoute(httpServletRequest.getServletPath()); + HttpServletHelper.setRoute(httpServletRequest, securityRequest, securityAgentMetaData); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); diff --git a/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java b/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java index 787f30aaf..c1d7551ce 100644 --- a/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java 
+++ b/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java @@ -67,8 +67,7 @@ private void preprocessSecurityHook(ServletRequest request, ServletResponse resp securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } // route detection - securityAgentMetaData.setFramework(Framework.SERVLET); - securityRequest.setRoute(httpServletRequest.getServletPath()); + HttpServletHelper.setRoute(httpServletRequest, securityRequest, securityAgentMetaData); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); diff --git a/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java b/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java index a474c6277..5f04173d6 100644 --- a/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java +++ b/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java @@ -72,8 +72,7 @@ private void preprocessSecurityHook(ServletRequest_Instrumentation request, Serv securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } // route detection - securityAgentMetaData.setFramework(Framework.SERVLET); - securityRequest.setRoute(httpServletRequest.getServletPath()); + HttpServletHelper.setRoute(httpServletRequest, securityRequest, securityAgentMetaData); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); From 0576b23bab32a2263ae61d47045446b310b8db87 Mon Sep 17 00:00:00 2001 
From: idawda Date: Fri, 7 Jun 2024 14:15:46 +0530 Subject: [PATCH 03/14] Add Unit tests for route detection for Servlet Framework --- .../servlet5/HttpServletTest.java | 10 +++++++++ .../servlet5/HttpSessionTest.java | 4 ++++ .../servlet5/ServletInputStreamTest.java | 3 +++ .../servlet5/ServletOutputStreamTest.java | 22 +++++++++++++++++-- .../servlet5/ServletRequestTest.java | 8 ++++--- .../servlet5/ServletResponseTest.java | 2 ++ .../instrumentation/servlet5/ServletTest.java | 1 + .../servlet5/WebServletTest.java | 1 + .../servlet6/HttpServletTest.java | 5 +++++ .../servlet6/HttpSessionTest.java | 3 +++ .../servlet6/ServletInputStreamTest.java | 3 +++ .../servlet6/ServletOutputStreamTest.java | 16 ++++++++++++++ .../servlet6/ServletRequestTest.java | 9 ++++---- .../servlet6/ServletResponseTest.java | 2 ++ .../instrumentation/servlet6/ServletTest.java | 1 + .../servlet6/WebServletTest.java | 1 + 16 files changed, 82 insertions(+), 9 deletions(-) diff --git a/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/HttpServletTest.java b/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/HttpServletTest.java index f7bbdc6f2..748e02130 100644 --- a/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/HttpServletTest.java +++ b/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/HttpServletTest.java @@ -32,6 +32,8 @@ public void testPost() throws Exception { AgentMetaData metaData = introspector.getSecurityMetaData().getMetaData(); Assert.assertTrue(metaData.isUserLevelServiceMethodEncountered()); Assert.assertNotNull(metaData.getServiceTrace()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); + } @Test public void testDelete() throws Exception { 
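Review bot: Every assertion added here (and in the other HttpServletTest and HttpSessionTest hunks visible below) expects the route `/*`, so only the path-mapping branch of `HttpServletHelper.setRoute` is exercised. The `MappingMatch.EXTENSION` branch that falls back to `getServletPath()`, which is the one that stores request-derived text, has no test in the hunks shown; a case with a servlet registered on an extension pattern such as `*.jsp` and an assertion on the resulting route would cover it. testPost's body starts outside the hunk.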
@@ -41,6 +43,8 @@ public void testDelete() throws Exception { AgentMetaData metaData = introspector.getSecurityMetaData().getMetaData(); Assert.assertTrue(metaData.isUserLevelServiceMethodEncountered()); Assert.assertNotNull(metaData.getServiceTrace()); + + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test public void testPUT() throws Exception { @@ -50,6 +54,8 @@ public void testPUT() throws Exception { AgentMetaData metaData = introspector.getSecurityMetaData().getMetaData(); Assert.assertTrue(metaData.isUserLevelServiceMethodEncountered()); Assert.assertNotNull(metaData.getServiceTrace()); + + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -60,6 +66,8 @@ public void testHEAD() throws Exception { AgentMetaData metaData = introspector.getSecurityMetaData().getMetaData(); Assert.assertTrue(metaData.isUserLevelServiceMethodEncountered()); Assert.assertNotNull(metaData.getServiceTrace()); + + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test public void testGET() throws Exception { @@ -69,6 +77,8 @@ public void testGET() throws Exception { AgentMetaData metaData = introspector.getSecurityMetaData().getMetaData(); Assert.assertTrue(metaData.isUserLevelServiceMethodEncountered()); Assert.assertNotNull(metaData.getServiceTrace()); + + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Trace(dispatcher = true) diff --git a/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/HttpSessionTest.java b/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/HttpSessionTest.java index 95f12ce0f..ae87032a5 100644 
--- a/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/HttpSessionTest.java +++ b/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/HttpSessionTest.java @@ -57,6 +57,7 @@ else if(i==1){ i++; } } + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -79,6 +80,7 @@ public void testSessionPutValue() throws IOException, URISyntaxException { Assert.assertEquals("Wrong key detected", "key1", targetOperation.getKey()); Assert.assertEquals("Wrong value detected", "value1", targetOperation.getValue()); } + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -99,6 +101,7 @@ public void testAddCookie() throws IOException, URISyntaxException { Assert.assertNotNull("No target operation detected", targetOperation); Assert.assertEquals("Wrong case-type detected", VulnerabilityCaseType.SECURE_COOKIE, targetOperation.getCaseType()); Assert.assertEquals("Wrong key detected", "false", targetOperation.getValue()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -119,6 +122,7 @@ public void testAddCookie1() throws IOException, URISyntaxException { Assert.assertNotNull("No target operation detected", targetOperation); Assert.assertEquals("Wrong case-type detected", VulnerabilityCaseType.SECURE_COOKIE, targetOperation.getCaseType()); Assert.assertEquals("Wrong key detected", "true", targetOperation.getValue()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } private void makeRequest( String Method, final String POST_PARAMS, String path) throws URISyntaxException, IOException{ 
diff --git a/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/ServletInputStreamTest.java b/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/ServletInputStreamTest.java index 631656dff..56f4e9cf9 100644 --- a/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/ServletInputStreamTest.java +++ b/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/ServletInputStreamTest.java @@ -47,6 +47,7 @@ public void testRead() throws Exception { Assert.assertEquals("Wrong Content-type detected", "multipart/form-data", targetOperation.getRequest().getContentType()); Assert.assertEquals("Wrong data detected", expected, targetOperation.getRequest().getBody().toString()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @@ -67,6 +68,7 @@ public void testReadLine() throws Exception { Assert.assertEquals("Wrong Content-type detected", "multipart/form-data", targetOperation.getRequest().getContentType()); Assert.assertEquals("Wrong data detected", expected, targetOperation.getRequest().getBody().toString()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -86,6 +88,7 @@ public void testReadLineWithOff() throws Exception { Assert.assertEquals("Wrong Content-type detected", "multipart/form-data", targetOperation.getRequest().getContentType()); Assert.assertEquals("Wrong data detected", expected, targetOperation.getRequest().getBody().toString()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Trace(dispatcher = true) 
diff --git a/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/ServletOutputStreamTest.java b/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/ServletOutputStreamTest.java index 7b9070168..b7f310952 100644 --- a/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/ServletOutputStreamTest.java +++ b/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/ServletOutputStreamTest.java @@ -54,6 +54,7 @@ public void testWrite() throws URISyntaxException, IOException { Assert.assertEquals("Wrong response detected", expected, String.valueOf(targetOperation.getResponse().getResponseBody())); Assert.assertEquals("Wrong Response Content-type detected", "multipart/form-data", targetOperation.getResponse().getResponseContentType()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -76,6 +77,7 @@ public void testPrintString() throws URISyntaxException, IOException { Assert.assertEquals("Wrong response detected", expected, String.valueOf(targetOperation.getResponse().getResponseBody())); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test 
@@ -95,10 +97,11 @@ public void testPrintBoolean() throws URISyntaxException, IOException { Assert.assertEquals("Wrong port detected", servlet.getEndPoint("outputStream/print").getPort(), targetOperation.getRequest().getServerPort()); Assert.assertEquals("Wrong method name detected", "service", targetOperation.getMethodName()); Assert.assertEquals("Wrong Content-type detected", "application/x-www-form-urlencoded", targetOperation.getRequest().getContentType()); - boolean resBody = Boolean.parseBoolean(String.valueOf(targetOperation.getResponse().getResponseBody())); Assert.assertEquals("Wrong response detected", expected, resBody); + + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -118,11 +121,11 @@ public void testPrintChar() throws URISyntaxException, IOException { Assert.assertEquals("Wrong port detected", servlet.getEndPoint("outputStream/print").getPort(), targetOperation.getRequest().getServerPort()); Assert.assertEquals("Wrong method name detected", "service", targetOperation.getMethodName()); Assert.assertEquals("Wrong Content-type detected", "application/x-www-form-urlencoded", targetOperation.getRequest().getContentType()); - char resBody = String.valueOf(targetOperation.getResponse().getResponseBody()).charAt(0); Assert.assertEquals("Wrong response detected", expected, resBody); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -146,6 +149,8 @@ public void testPrintInt() throws URISyntaxException, IOException { int resBody = Integer.parseInt(String.valueOf(targetOperation.getResponse().getResponseBody())); Assert.assertEquals("Wrong response detected", expected, resBody); + + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test 
@@ -169,6 +174,8 @@ public void testPrintLong() throws URISyntaxException, IOException { long resBody = Long.parseLong(String.valueOf(targetOperation.getResponse().getResponseBody())); Assert.assertEquals("Wrong response detected", expected, resBody); + + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -192,6 +199,8 @@ public void testPrintFloat() throws URISyntaxException, IOException { float resBody = Float.parseFloat(String.valueOf(targetOperation.getResponse().getResponseBody())); Assert.assertEquals("Wrong response detected",expected, resBody, 0.0f); + + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -215,6 +224,7 @@ public void testPrintDouble() throws URISyntaxException, IOException { double resBody = Double.parseDouble(String.valueOf(targetOperation.getResponse().getResponseBody())); Assert.assertEquals("Wrong response detected", expected, resBody, 0.0d); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -237,6 +247,7 @@ public void testPrintln() throws URISyntaxException, IOException { Assert.assertEquals("Wrong response detected", expected, String.valueOf(targetOperation.getResponse().getResponseBody())); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -259,6 +270,7 @@ public void testPrintlnString() throws URISyntaxException, IOException { Assert.assertEquals("Wrong response detected", expected, String.valueOf(targetOperation.getResponse().getResponseBody())); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test 
@@ -281,6 +293,7 @@ public void testPrintlnBoolean() throws URISyntaxException, IOException { Assert.assertEquals("Wrong response detected", expected, String.valueOf(targetOperation.getResponse().getResponseBody())); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -303,6 +316,7 @@ public void testPrintlnChar() throws URISyntaxException, IOException { Assert.assertEquals("Wrong response detected", expected, String.valueOf(targetOperation.getResponse().getResponseBody())); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -325,6 +339,7 @@ public void testPrintlnInt() throws URISyntaxException, IOException { Assert.assertEquals("Wrong response detected", expected, String.valueOf(targetOperation.getResponse().getResponseBody())); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -346,6 +361,7 @@ public void testPrintlnLong() throws URISyntaxException, IOException { Assert.assertEquals("Wrong Content-type detected", "application/x-www-form-urlencoded", targetOperation.getRequest().getContentType()); Assert.assertEquals("Wrong response detected", expected, String.valueOf(targetOperation.getResponse().getResponseBody())); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -367,6 +383,7 @@ public void testPrintlnFloat() throws URISyntaxException, IOException { Assert.assertEquals("Wrong Content-type detected", "application/x-www-form-urlencoded", targetOperation.getRequest().getContentType()); Assert.assertEquals("Wrong response detected", expected, String.valueOf(targetOperation.getResponse().getResponseBody())); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test 
@@ -388,6 +405,7 @@ public void testPrintlnDouble() throws URISyntaxException, IOException { Assert.assertEquals("Wrong Content-type detected", "application/x-www-form-urlencoded", targetOperation.getRequest().getContentType()); Assert.assertEquals("Wrong response detected", expected, String.valueOf(targetOperation.getResponse().getResponseBody())); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Trace(dispatcher = true) private String write() throws URISyntaxException, IOException { diff --git a/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/ServletRequestTest.java b/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/ServletRequestTest.java index b3f934cef..2c0c34c7f 100644 --- a/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/ServletRequestTest.java +++ b/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/ServletRequestTest.java @@ -59,6 +59,7 @@ public void testGetInputStream() throws Exception { Assert.assertEquals("Wrong hashcode detected", Collections.singleton(expectedHash), introspector.getRequestInStreamHash()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -80,6 +81,7 @@ public void testGetReader() throws Exception { Assert.assertEquals("Wrong hashcode detected", Collections.singleton(expectedHash), introspector.getRequestReaderHash()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test 
@@ -100,8 +102,8 @@ public void testGetParameter() throws Exception { Assert.assertEquals("Wrong Param detected", expectedParam, new ObjectMapper().writeValueAsString(targetOperation.getRequest().getParameterMap())); Assert.assertEquals("Wrong method name detected", "service", targetOperation.getMethodName()); Assert.assertEquals("Wrong Content-type detected", "application/x-www-form-urlencoded", targetOperation.getRequest().getContentType()); - + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -122,8 +124,8 @@ public void testGetParameterValues() throws Exception { Assert.assertEquals("Wrong Param detected", expectedParam, new ObjectMapper().writeValueAsString(targetOperation.getRequest().getParameterMap())); Assert.assertEquals("Wrong method name detected", "service", targetOperation.getMethodName()); Assert.assertEquals("Wrong Content-type detected", "application/x-www-form-urlencoded", targetOperation.getRequest().getContentType()); - + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -144,8 +146,8 @@ public void testGetParameterMap() throws Exception { Assert.assertEquals("Wrong Param detected", expectedParam, new ObjectMapper().writeValueAsString(targetOperation.getRequest().getParameterMap())); Assert.assertEquals("Wrong method name detected", "service", targetOperation.getMethodName()); Assert.assertEquals("Wrong Content-type detected", "application/x-www-form-urlencoded", targetOperation.getRequest().getContentType()); - + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Trace(dispatcher = true) 
diff --git a/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/ServletResponseTest.java b/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/ServletResponseTest.java index b334a287e..336a6f26f 100644 --- a/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/ServletResponseTest.java +++ b/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/ServletResponseTest.java @@ -51,6 +51,7 @@ public void testGetOutputStream() throws Exception { Assert.assertEquals("Wrong hashcode detected", Collections.singleton(expectedHash), introspector.getResponseOutStreamHash()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -71,6 +72,7 @@ public void testGetWriter() throws Exception { Assert.assertEquals("Wrong Content-type detected", "application/x-www-form-urlencoded", targetOperation.getRequest().getContentType()); Assert.assertEquals("Wrong hashcode detected", Collections.singleton(expectedHash), introspector.getResponseWriterHash()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Trace(dispatcher = true) diff --git a/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/ServletTest.java b/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/ServletTest.java index bd9ed014b..a874de4d6 100644 --- a/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/ServletTest.java +++ b/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/ServletTest.java 
@@ -46,6 +46,7 @@ public void testService() throws Exception { Assert.assertEquals("Wrong port detected", server.getEndPoint("").getPort(), targetOperation.getRequest().getServerPort()); Assert.assertEquals("Wrong method name detected", "service", targetOperation.getMethodName()); Assert.assertEquals("Wrong Content-type detected", "text/plain", targetOperation.getRequest().getContentType()); + Assert.assertEquals("Incorrect route detected", "/test", introspector.getSecurityMetaData().getRequest().getRoute()); } @Trace(dispatcher = true) diff --git a/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/WebServletTest.java b/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/WebServletTest.java index d9ddac7c8..106702b50 100644 --- a/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/WebServletTest.java +++ b/instrumentation-security/servlet-5.0/src/test/java/com/nr/agent/security/instrumentation/servlet5/WebServletTest.java @@ -30,6 +30,7 @@ public void testAnnotation() throws Exception { AgentMetaData metaData = introspector.getSecurityMetaData().getMetaData(); Assert.assertTrue(metaData.isUserLevelServiceMethodEncountered()); Assert.assertNotNull(metaData.getServiceTrace()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Trace(dispatcher = true) diff --git a/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/HttpServletTest.java b/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/HttpServletTest.java index 4b41ca20a..344553238 100644 --- a/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/HttpServletTest.java 
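Review bot: The `"/test"` expectation in testService is the only one in the visible part of this patch that is not the catch-all `"/*"`, so route detection is checked for just two mapping shapes. An extension mapping, the default `/` mapping and a prefix mapping below the root are not covered. No visible test asserts the framework value that the instrumentation sets together with the route either. A wrong route for those mapping types would therefore pass the suite unnoticed. I would add one test per mapping type next to this one, plus an assertion on the framework. testService's body starts outside the hunk.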
+++ b/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/HttpServletTest.java @@ -32,6 +32,7 @@ public void testPost() throws Exception { AgentMetaData metaData = introspector.getSecurityMetaData().getMetaData(); Assert.assertTrue(metaData.isUserLevelServiceMethodEncountered()); Assert.assertNotNull(metaData.getServiceTrace()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test public void testDelete() throws Exception { @@ -41,6 +42,7 @@ public void testDelete() throws Exception { AgentMetaData metaData = introspector.getSecurityMetaData().getMetaData(); Assert.assertTrue(metaData.isUserLevelServiceMethodEncountered()); Assert.assertNotNull(metaData.getServiceTrace()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test public void testPUT() throws Exception { @@ -50,6 +52,7 @@ public void testPUT() throws Exception { AgentMetaData metaData = introspector.getSecurityMetaData().getMetaData(); Assert.assertTrue(metaData.isUserLevelServiceMethodEncountered()); Assert.assertNotNull(metaData.getServiceTrace()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -60,6 +63,7 @@ public void testHEAD() throws Exception { AgentMetaData metaData = introspector.getSecurityMetaData().getMetaData(); Assert.assertTrue(metaData.isUserLevelServiceMethodEncountered()); Assert.assertNotNull(metaData.getServiceTrace()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test public void testGET() throws Exception { 
@@ -69,6 +73,7 @@ public void testGET() throws Exception { AgentMetaData metaData = introspector.getSecurityMetaData().getMetaData(); Assert.assertTrue(metaData.isUserLevelServiceMethodEncountered()); Assert.assertNotNull(metaData.getServiceTrace()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Trace(dispatcher = true) diff --git a/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/HttpSessionTest.java b/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/HttpSessionTest.java index 5cfb1b016..3076d694a 100644 --- a/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/HttpSessionTest.java +++ b/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/HttpSessionTest.java @@ -57,6 +57,7 @@ else if(i==1){ i++; } } + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -77,6 +78,7 @@ public void testAddCookie() throws IOException, URISyntaxException { Assert.assertNotNull("No target operation detected", targetOperation); Assert.assertEquals("Wrong case-type detected", VulnerabilityCaseType.SECURE_COOKIE, targetOperation.getCaseType()); Assert.assertEquals("Wrong key detected", "false", targetOperation.getValue()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test 
@@ -97,6 +99,7 @@ public void testAddCookie1() throws IOException, URISyntaxException { Assert.assertNotNull("No target operation detected", targetOperation); Assert.assertEquals("Wrong case-type detected", VulnerabilityCaseType.SECURE_COOKIE, targetOperation.getCaseType()); Assert.assertEquals("Wrong key detected", "true", targetOperation.getValue()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } private void makeRequest( String Method, final String POST_PARAMS, String path) throws URISyntaxException, IOException{ diff --git a/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/ServletInputStreamTest.java b/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/ServletInputStreamTest.java index d234d30be..c364dcd5a 100644 --- a/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/ServletInputStreamTest.java +++ b/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/ServletInputStreamTest.java @@ -47,6 +47,7 @@ public void testRead() throws Exception { Assert.assertEquals("Wrong Content-type detected", "multipart/form-data", targetOperation.getRequest().getContentType()); Assert.assertEquals("Wrong data detected", expected, targetOperation.getRequest().getBody().toString()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @@ -67,6 +68,7 @@ public void testReadLine() throws Exception { Assert.assertEquals("Wrong Content-type detected", "multipart/form-data", targetOperation.getRequest().getContentType()); Assert.assertEquals("Wrong data detected", expected, targetOperation.getRequest().getBody().toString()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test 
@@ -86,6 +88,7 @@ public void testReadLineWithOff() throws Exception { Assert.assertEquals("Wrong Content-type detected", "multipart/form-data", targetOperation.getRequest().getContentType()); Assert.assertEquals("Wrong data detected", expected, targetOperation.getRequest().getBody().toString()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Trace(dispatcher = true) diff --git a/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/ServletOutputStreamTest.java b/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/ServletOutputStreamTest.java index d417c55b3..77c2b8834 100644 --- a/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/ServletOutputStreamTest.java +++ b/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/ServletOutputStreamTest.java @@ -53,6 +53,7 @@ public void testWrite() throws URISyntaxException, IOException { Assert.assertEquals("Wrong response detected", expected, String.valueOf(targetOperation.getResponse().getResponseBody())); Assert.assertEquals("Wrong Response Content-type detected", "multipart/form-data", targetOperation.getResponse().getResponseContentType()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -75,6 +76,7 @@ public void testPrintString() throws URISyntaxException, IOException { Assert.assertEquals("Wrong response detected", expected, String.valueOf(targetOperation.getResponse().getResponseBody())); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test 
@@ -98,6 +100,7 @@ public void testPrintBoolean() throws URISyntaxException, IOException { boolean resBody = Boolean.parseBoolean(String.valueOf(targetOperation.getResponse().getResponseBody())); Assert.assertEquals("Wrong response detected", expected, resBody); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -122,6 +125,7 @@ public void testPrintChar() throws URISyntaxException, IOException { char resBody = String.valueOf(targetOperation.getResponse().getResponseBody()).charAt(0); Assert.assertEquals("Wrong response detected", expected, resBody); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -145,6 +149,7 @@ public void testPrintInt() throws URISyntaxException, IOException { int resBody = Integer.parseInt(String.valueOf(targetOperation.getResponse().getResponseBody())); Assert.assertEquals("Wrong response detected", expected, resBody); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -168,6 +173,7 @@ public void testPrintLong() throws URISyntaxException, IOException { long resBody = Long.parseLong(String.valueOf(targetOperation.getResponse().getResponseBody())); Assert.assertEquals("Wrong response detected", expected, resBody); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -191,6 +197,7 @@ public void testPrintFloat() throws URISyntaxException, IOException { float resBody = Float.parseFloat(String.valueOf(targetOperation.getResponse().getResponseBody())); Assert.assertEquals("Wrong response detected",expected, resBody, 0.0f); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test 
@@ -214,6 +221,7 @@ public void testPrintDouble() throws URISyntaxException, IOException { double resBody = Double.parseDouble(String.valueOf(targetOperation.getResponse().getResponseBody())); Assert.assertEquals("Wrong response detected", expected, resBody, 0.0d); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -236,6 +244,7 @@ public void testPrintln() throws URISyntaxException, IOException { Assert.assertEquals("Wrong response detected", expected, String.valueOf(targetOperation.getResponse().getResponseBody())); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -258,6 +267,7 @@ public void testPrintlnString() throws URISyntaxException, IOException { Assert.assertEquals("Wrong response detected", expected, String.valueOf(targetOperation.getResponse().getResponseBody())); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -280,6 +290,7 @@ public void testPrintlnBoolean() throws URISyntaxException, IOException { Assert.assertEquals("Wrong response detected", expected, String.valueOf(targetOperation.getResponse().getResponseBody())); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -302,6 +313,7 @@ public void testPrintlnChar() throws URISyntaxException, IOException { Assert.assertEquals("Wrong response detected", expected, String.valueOf(targetOperation.getResponse().getResponseBody())); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test 
@@ -324,6 +336,7 @@ public void testPrintlnInt() throws URISyntaxException, IOException { Assert.assertEquals("Wrong response detected", expected, String.valueOf(targetOperation.getResponse().getResponseBody())); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -345,6 +358,7 @@ public void testPrintlnLong() throws URISyntaxException, IOException { Assert.assertEquals("Wrong Content-type detected", "application/x-www-form-urlencoded", targetOperation.getRequest().getContentType()); Assert.assertEquals("Wrong response detected", expected, String.valueOf(targetOperation.getResponse().getResponseBody())); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -366,6 +380,7 @@ public void testPrintlnFloat() throws URISyntaxException, IOException { Assert.assertEquals("Wrong Content-type detected", "application/x-www-form-urlencoded", targetOperation.getRequest().getContentType()); Assert.assertEquals("Wrong response detected", expected, String.valueOf(targetOperation.getResponse().getResponseBody())); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -387,6 +402,7 @@ public void testPrintlnDouble() throws URISyntaxException, IOException { Assert.assertEquals("Wrong Content-type detected", "application/x-www-form-urlencoded", targetOperation.getRequest().getContentType()); Assert.assertEquals("Wrong response detected", expected, String.valueOf(targetOperation.getResponse().getResponseBody())); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Trace(dispatcher = true) private String write() throws URISyntaxException, IOException { 
diff --git a/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/ServletRequestTest.java b/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/ServletRequestTest.java index 64035182d..c8db4d79c 100644 --- a/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/ServletRequestTest.java +++ b/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/ServletRequestTest.java @@ -59,6 +59,7 @@ public void testGetInputStream() throws Exception { Assert.assertEquals("Wrong hashcode detected", Collections.singleton(expectedHash), introspector.getRequestInStreamHash()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -80,6 +81,7 @@ public void testGetReader() throws Exception { Assert.assertEquals("Wrong hashcode detected", Collections.singleton(expectedHash), introspector.getRequestReaderHash()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -100,8 +102,8 @@ public void testGetParameter() throws Exception { Assert.assertEquals("Wrong Param detected", expectedParam, new ObjectMapper().writeValueAsString(targetOperation.getRequest().getParameterMap())); Assert.assertEquals("Wrong method name detected", "service", targetOperation.getMethodName()); Assert.assertEquals("Wrong Content-type detected", "application/x-www-form-urlencoded", targetOperation.getRequest().getContentType()); - + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test 
@@ -122,8 +124,7 @@ public void testGetParameterValues() throws Exception { Assert.assertEquals("Wrong Param detected", expectedParam, new ObjectMapper().writeValueAsString(targetOperation.getRequest().getParameterMap())); Assert.assertEquals("Wrong method name detected", "service", targetOperation.getMethodName()); Assert.assertEquals("Wrong Content-type detected", "application/x-www-form-urlencoded", targetOperation.getRequest().getContentType()); - - + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -144,8 +145,8 @@ public void testGetParameterMap() throws Exception { Assert.assertEquals("Wrong Param detected", expectedParam, new ObjectMapper().writeValueAsString(targetOperation.getRequest().getParameterMap())); Assert.assertEquals("Wrong method name detected", "service", targetOperation.getMethodName()); Assert.assertEquals("Wrong Content-type detected", "application/x-www-form-urlencoded", targetOperation.getRequest().getContentType()); - + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Trace(dispatcher = true) diff --git a/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/ServletResponseTest.java b/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/ServletResponseTest.java index e069ba5fb..3894819d2 100644 --- a/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/ServletResponseTest.java +++ b/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/ServletResponseTest.java 
@@ -51,6 +51,7 @@ public void testGetOutputStream() throws Exception { Assert.assertEquals("Wrong hashcode detected", Collections.singleton(expectedHash), introspector.getResponseOutStreamHash()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Test @@ -71,6 +72,7 @@ public void testGetWriter() throws Exception { Assert.assertEquals("Wrong Content-type detected", "application/x-www-form-urlencoded", targetOperation.getRequest().getContentType()); Assert.assertEquals("Wrong hashcode detected", Collections.singleton(expectedHash), introspector.getResponseWriterHash()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Trace(dispatcher = true) diff --git a/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/ServletTest.java b/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/ServletTest.java index 8e0124b82..bac5d64c7 100644 --- a/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/ServletTest.java +++ b/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/ServletTest.java @@ -48,6 +48,7 @@ public void testService() throws Exception { Assert.assertEquals("Wrong port detected", server.getEndPoint("").getPort(), targetOperation.getRequest().getServerPort()); Assert.assertEquals("Wrong method name detected", "service", targetOperation.getMethodName()); Assert.assertEquals("Wrong Content-type detected", "text/plain", targetOperation.getRequest().getContentType()); + Assert.assertEquals("Incorrect route detected", "/test", introspector.getSecurityMetaData().getRequest().getRoute()); } @Trace(dispatcher = true) 
diff --git a/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/WebServletTest.java b/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/WebServletTest.java index cab44e521..c6214e032 100644 --- a/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/WebServletTest.java +++ b/instrumentation-security/servlet-6.0/src/test/java/com/nr/agent/security/instrumentation/servlet6/WebServletTest.java @@ -30,6 +30,7 @@ public void testAnnotation() throws Exception { AgentMetaData metaData = introspector.getSecurityMetaData().getMetaData(); Assert.assertTrue(metaData.isUserLevelServiceMethodEncountered()); Assert.assertNotNull(metaData.getServiceTrace()); + Assert.assertEquals("Incorrect route detected", "/*", introspector.getSecurityMetaData().getRequest().getRoute()); } @Trace(dispatcher = true) From b823e8dc01a8e4c9690ab856548b1a8433488bbc Mon Sep 17 00:00:00 2001 From: idawda Date: Fri, 7 Jun 2024 15:12:39 +0530 Subject: [PATCH 04/14] Add Endpoint route in Servlet-3.0 Framework --- .../servlet/FilterChain_Instrumentation.java | 3 --- .../javax/servlet/Filter_Instrumentation.java | 3 --- .../servlet/Servlet_Instrumentation.java | 3 --- .../servlet30/HttpServletHelper.java | 15 +++++++++++++ .../servlet/Servlet_Instrumentation.java | 21 +++++++++++++++++++ 5 files changed, 36 insertions(+), 9 deletions(-) create mode 100644 instrumentation-security/servlet-3.0/src/main/java/javax/servlet/Servlet_Instrumentation.java diff --git a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/FilterChain_Instrumentation.java b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/FilterChain_Instrumentation.java index fdfa5e45f..60989cca0 100644 --- a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/FilterChain_Instrumentation.java 
+++ b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/FilterChain_Instrumentation.java @@ -65,9 +65,6 @@ private void preprocessSecurityHook(ServletRequest request, ServletResponse resp securityAgentMetaData.getIps().add(securityRequest.getClientIP()); securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } - // route detection - securityAgentMetaData.setFramework(Framework.SERVLET); - securityRequest.setRoute(httpServletRequest.getServletPath()); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); diff --git a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Filter_Instrumentation.java b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Filter_Instrumentation.java index 4a8c2a641..69d23f0e5 100644 --- a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Filter_Instrumentation.java +++ b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Filter_Instrumentation.java @@ -67,9 +67,6 @@ private void preprocessSecurityHook(ServletRequest request, ServletResponse resp securityAgentMetaData.getIps().add(securityRequest.getClientIP()); securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } - // route detection - securityAgentMetaData.setFramework(Framework.SERVLET); - securityRequest.setRoute(httpServletRequest.getServletPath()); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); diff --git a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Servlet_Instrumentation.java b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Servlet_Instrumentation.java index fb06328c3..2ad0dab08 100644 --- a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Servlet_Instrumentation.java +++ b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Servlet_Instrumentation.java 
@@ -71,9 +71,6 @@ private void preprocessSecurityHook(ServletRequest_Instrumentation request, Serv securityAgentMetaData.getIps().add(securityRequest.getClientIP()); securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } - // route detection - securityAgentMetaData.setFramework(Framework.SERVLET); - securityRequest.setRoute(httpServletRequest.getServletPath()); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); diff --git a/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java b/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java index 5084a7634..8680fbc6d 100644 --- a/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java +++ b/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java @@ -4,11 +4,17 @@ import com.newrelic.api.agent.security.NewRelicSecurity; import com.newrelic.api.agent.security.instrumentation.helpers.GenericHelper; import com.newrelic.api.agent.security.instrumentation.helpers.URLMappingsHelper; +import com.newrelic.api.agent.security.schema.AgentMetaData; import com.newrelic.api.agent.security.schema.ApplicationURLMapping; +import com.newrelic.api.agent.security.schema.Framework; +import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.utils.logging.LogLevel; import javax.servlet.ServletContext; import javax.servlet.ServletRegistration; +import javax.servlet.http.HttpServletMapping; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.MappingMatch; import java.util.Collection; import java.util.Map; 
@@ -48,4 +54,13 @@ else if(path.endsWith(".jsp") || path.endsWith(".jspx") || path.endsWith(".JSP") NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_APP_ENDPOINTS, SERVLET_3_0, e.getMessage()), e, HttpServletHelper.class.getName()); } } + public static void setRoute(HttpServletRequest request, HttpRequest securityRequest, AgentMetaData metaData){ + HttpServletMapping mapping = request.getHttpServletMapping(); + if (!mapping.getMappingMatch().equals(MappingMatch.EXTENSION)){ + securityRequest.setRoute(mapping.getPattern()); + } else { + securityRequest.setRoute(request.getServletPath()); + } + metaData.setFramework(Framework.SERVLET); + } } diff --git a/instrumentation-security/servlet-3.0/src/main/java/javax/servlet/Servlet_Instrumentation.java b/instrumentation-security/servlet-3.0/src/main/java/javax/servlet/Servlet_Instrumentation.java new file mode 100644 index 000000000..1165e9bc0 --- /dev/null +++ b/instrumentation-security/servlet-3.0/src/main/java/javax/servlet/Servlet_Instrumentation.java @@ -0,0 +1,21 @@ +package javax.servlet; + +import com.newrelic.agent.security.instrumentation.servlet30.HttpServletHelper; +import com.newrelic.api.agent.security.NewRelicSecurity; +import com.newrelic.api.agent.security.schema.SecurityMetaData; +import com.newrelic.api.agent.weaver.MatchType; +import com.newrelic.api.agent.weaver.Weave; +import com.newrelic.api.agent.weaver.Weaver; + +import javax.servlet.http.HttpServletRequest; + +@Weave(type = MatchType.Interface, originalName = "javax.servlet.Servlet") +public class Servlet_Instrumentation { + public void service(ServletRequest req, ServletResponse res){ + if (NewRelicSecurity.isHookProcessingActive() && req instanceof HttpServletRequest){ + SecurityMetaData metaData = NewRelicSecurity.getAgent().getSecurityMetaData(); + HttpServletHelper.setRoute((HttpServletRequest) req, metaData.getRequest(), metaData.getMetaData()); + } + Weaver.callOriginal(); + } +} 
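Review bot: Nothing in the woven `service` contains a failure from `HttpServletHelper.setRoute`, which runs ahead of `Weaver.callOriginal()`, so whatever the helper throws lands in the application's own request handling. In this commit the helper calls `request.getHttpServletMapping()` and dereferences the result without a null check. That accessor is a Servlet 4.0 addition, so against an older API jar the failure would be a linkage `Error`, which a `catch (Exception e)` does not cover. A route-detection fault should cost the route, not the request: wrap the call as `try { HttpServletHelper.setRoute(...); } catch (Throwable t) { /* log at LogLevel.WARNING and continue */ }` so `Weaver.callOriginal()` is always reached. A one-line class comment stating that this hook is best-effort would make the intent clear to the next maintainer.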
From 5f3301b811ac96f75ebd94cbaa886f37ad862f4d Mon Sep 17 00:00:00 2001 From: idawda Date: Fri, 7 Jun 2024 15:26:46 +0530 Subject: [PATCH 05/14] Add Unit tests for route detection for Servlet-3.0 --- .../servlet30/ApiEndpointTest.java | 25 ++++++++++++++++++- .../servlet30/HttpServletServer.java | 7 +++++- 2 files changed, 30 insertions(+), 2 deletions(-) diff --git a/instrumentation-security/servlet-3.0/src/test/java/com/nr/agent/security/instrumentation/servlet30/ApiEndpointTest.java b/instrumentation-security/servlet-3.0/src/test/java/com/nr/agent/security/instrumentation/servlet30/ApiEndpointTest.java index ee2b16e78..f7e586c15 100644 --- a/instrumentation-security/servlet-3.0/src/test/java/com/nr/agent/security/instrumentation/servlet30/ApiEndpointTest.java +++ b/instrumentation-security/servlet-3.0/src/test/java/com/nr/agent/security/instrumentation/servlet30/ApiEndpointTest.java @@ -2,14 +2,20 @@ import com.newrelic.agent.security.introspec.InstrumentationTestConfig; import com.newrelic.agent.security.introspec.SecurityInstrumentationTestRunner; +import com.newrelic.api.agent.Trace; import com.newrelic.api.agent.security.instrumentation.helpers.URLMappingsHelper; import com.newrelic.api.agent.security.schema.ApplicationURLMapping; -import org.apache.catalina.servlets.DefaultServlet; +import com.newrelic.api.agent.security.schema.Framework; +import com.newrelic.api.agent.security.schema.SecurityMetaData; import org.junit.Assert; import org.junit.ClassRule; import org.junit.Test; import org.junit.runner.RunWith; +import java.io.IOException; +import java.net.HttpURLConnection; +import java.net.URISyntaxException; +import java.net.URL; import java.util.Iterator; @RunWith(SecurityInstrumentationTestRunner.class) 
@@ -32,4 +38,21 @@ public void testURLMappings() { ApplicationURLMapping mapping2 = mappings.next(); Assert.assertEquals("URL Mappings", new ApplicationURLMapping(method, "/test", handler), mapping2); } + + @Test + public void testRoute() throws IOException, URISyntaxException { + connect(); + SecurityMetaData metaData = SecurityInstrumentationTestRunner.getIntrospector().getSecurityMetaData(); + Assert.assertEquals( "Incorrect Route Detected","/test", metaData.getRequest().getRoute()); + Assert.assertEquals("Incorrect Framework detected", Framework.SERVLET.name(), metaData.getMetaData().getFramework()); + } + + @Trace(dispatcher = true) + private void connect() throws IOException, URISyntaxException { + URL u = server.getEndPoint().toURL(); + HttpURLConnection conn = (HttpURLConnection) u.openConnection(); + conn.setRequestProperty("content-type", "text/plain; charset=utf-8"); + conn.connect(); + conn.getResponseCode(); + } } diff --git a/instrumentation-security/servlet-3.0/src/test/java/com/nr/agent/security/instrumentation/servlet30/HttpServletServer.java b/instrumentation-security/servlet-3.0/src/test/java/com/nr/agent/security/instrumentation/servlet30/HttpServletServer.java index c577787a3..5a137d4b3 100644 --- a/instrumentation-security/servlet-3.0/src/test/java/com/nr/agent/security/instrumentation/servlet30/HttpServletServer.java +++ b/instrumentation-security/servlet-3.0/src/test/java/com/nr/agent/security/instrumentation/servlet30/HttpServletServer.java @@ -3,7 +3,6 @@ import org.apache.catalina.Context; import org.apache.catalina.LifecycleState; import org.apache.catalina.connector.Connector; -import org.apache.catalina.servlets.DefaultServlet; import org.apache.catalina.startup.Tomcat; import org.apache.catalina.webresources.TomcatURLStreamHandlerFactory; import org.apache.tomcat.util.http.fileupload.FileUtils; 
@@ -19,6 +18,8 @@ import java.io.File; import java.io.IOException; import java.net.ServerSocket; +import java.net.URI; +import java.net.URISyntaxException; import java.util.Collections; import java.util.Set; @@ -91,6 +92,10 @@ private void stop() { } } } + + public URI getEndPoint() throws URISyntaxException { + return new URI("http://localhost:" + port + "/test"); + } } class MyServlet extends HttpServlet { @Override From c40ee48f25f6190bef5266b4ae240d7ab16be0dc Mon Sep 17 00:00:00 2001 From: idawda Date: Thu, 13 Jun 2024 10:52:40 +0530 Subject: [PATCH 06/14] API Endpoint Phase 2: Add Endpoint route in Servlet Framework --- .../instrumentation/servlet24/HttpServletHelper.java | 10 ++++++++++ .../javax/servlet/FilterChain_Instrumentation.java | 2 +- .../java/javax/servlet/Filter_Instrumentation.java | 1 + .../java/javax/servlet/Servlet_Instrumentation.java | 1 + 4 files changed, 13 insertions(+), 1 deletion(-) diff --git a/instrumentation-security/servlet-2.4/src/main/java/com/newrelic/agent/security/instrumentation/servlet24/HttpServletHelper.java b/instrumentation-security/servlet-2.4/src/main/java/com/newrelic/agent/security/instrumentation/servlet24/HttpServletHelper.java index aa6ceacd9..4a3d92bc3 100644 --- a/instrumentation-security/servlet-2.4/src/main/java/com/newrelic/agent/security/instrumentation/servlet24/HttpServletHelper.java +++ b/instrumentation-security/servlet-2.4/src/main/java/com/newrelic/agent/security/instrumentation/servlet24/HttpServletHelper.java 
@@ -4,7 +4,9 @@ import com.newrelic.api.agent.security.instrumentation.helpers.*; import com.newrelic.api.agent.security.schema.AgentMetaData; import com.newrelic.api.agent.security.schema.ApplicationURLMapping; +import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; +import com.newrelic.api.agent.security.schema.StringUtils; import com.newrelic.api.agent.security.schema.policy.AgentPolicy; import com.newrelic.api.agent.security.utils.logging.LogLevel; @@ -154,4 +156,12 @@ else if(path.endsWith(".jsp") || path.endsWith(".jspx") || path.endsWith(".JSP") NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_APP_ENDPOINTS, SERVLET_2_4, e.getMessage()), e, HttpServletHelper.class.getName()); } } + public static void setRoute(HttpServletRequest request, HttpRequest securityRequest, AgentMetaData metaData) { + if (StringUtils.isNotBlank(securityRequest.getRoute())){ + return; + } + // TODO verify if request.getServletPath() present in detected API Endpoints then simply set Route else add /* to ServletPath + securityRequest.setRoute(request.getServletPath()); + metaData.setFramework(Framework.SERVLET); + } } diff --git a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/FilterChain_Instrumentation.java b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/FilterChain_Instrumentation.java index 60989cca0..ec3621cab 100644 --- a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/FilterChain_Instrumentation.java +++ b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/FilterChain_Instrumentation.java 
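Review bot: `setRoute` stores `request.getServletPath()` as the route, which is the request's servlet path rather than the mapping pattern. The Servlet API returns an empty string there for a servlet matched by `/*`, and drops the wildcard for a `/prefix/*` mapping. A blank route also never satisfies the `StringUtils.isNotBlank` guard, so each of the Filter, FilterChain and Servlet hooks that call this helper would set it again. The TODO names the gap; until it is closed, state the limitation at the method, e.g. `// NOTE: route is the servlet path, not the url-pattern; it is "" for a /* mapping`. The same body is added to the jetty-9 and servlet-3.0 helpers in PATCH 07/14; PATCH 08/14 replaces it for servlet-2.4 and servlet-3.0, but the jetty-9 helper is not in that patch's file list, so it may keep this behaviour.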
@@ -67,7 +67,7 @@ private void preprocessSecurityHook(ServletRequest request, ServletResponse resp } HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); - + HttpServletHelper.setRoute(httpServletRequest, securityRequest, securityAgentMetaData); securityMetaData.setTracingHeaderValue(HttpServletHelper.getTraceHeader(securityRequest.getHeaders())); securityRequest.setProtocol(httpServletRequest.getScheme()); diff --git a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Filter_Instrumentation.java b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Filter_Instrumentation.java index 69d23f0e5..22b2cefb1 100644 --- a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Filter_Instrumentation.java +++ b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Filter_Instrumentation.java @@ -69,6 +69,7 @@ private void preprocessSecurityHook(ServletRequest request, ServletResponse resp } HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); + HttpServletHelper.setRoute(httpServletRequest, securityRequest, securityAgentMetaData); securityMetaData.setTracingHeaderValue(HttpServletHelper.getTraceHeader(securityRequest.getHeaders())); diff --git a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Servlet_Instrumentation.java b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Servlet_Instrumentation.java index 2ad0dab08..017022b38 100644 --- a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Servlet_Instrumentation.java +++ b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Servlet_Instrumentation.java 
@@ -73,6 +73,7 @@ private void preprocessSecurityHook(ServletRequest_Instrumentation request, Serv } HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); + HttpServletHelper.setRoute(httpServletRequest, securityRequest, securityAgentMetaData); securityMetaData.setTracingHeaderValue(HttpServletHelper.getTraceHeader(securityRequest.getHeaders())); From 5ca698467c78d74ae10821ed10d1c91766d31234 Mon Sep 17 00:00:00 2001 From: idawda Date: Fri, 14 Jun 2024 09:53:39 +0530 Subject: [PATCH 07/14] Fix for NR-280811 Fix for NoSuchMethodError observed in servlet-3.0 route detection --- .../instrumentation/jetty9/HttpServletHelper.java | 13 +++++++++++-- .../servlet30/HttpServletHelper.java | 14 ++++++-------- 2 files changed, 17 insertions(+), 10 deletions(-) diff --git a/instrumentation-security/jetty-9/src/main/java/com/newrelic/agent/security/instrumentation/jetty9/HttpServletHelper.java b/instrumentation-security/jetty-9/src/main/java/com/newrelic/agent/security/instrumentation/jetty9/HttpServletHelper.java index 2c3ca53bc..652c3bbc0 100644 --- a/instrumentation-security/jetty-9/src/main/java/com/newrelic/agent/security/instrumentation/jetty9/HttpServletHelper.java +++ b/instrumentation-security/jetty-9/src/main/java/com/newrelic/agent/security/instrumentation/jetty9/HttpServletHelper.java @@ -7,6 +7,7 @@ import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.SecurityMetaData; +import com.newrelic.api.agent.security.schema.StringUtils; import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException; import com.newrelic.api.agent.security.schema.operation.RXSSOperation; import com.newrelic.api.agent.security.schema.policy.AgentPolicy; 
@@ -154,8 +155,7 @@ public static void preprocessSecurityHook(HttpServletRequest httpServletRequest) securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } // route detection - securityAgentMetaData.setFramework(Framework.SERVLET); - securityRequest.setRoute(httpServletRequest.getServletPath()); + setRoute(httpServletRequest, securityRequest, securityAgentMetaData); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); @@ -238,4 +238,13 @@ else if(path.endsWith(".jsp") || path.endsWith(".jspx") || path.endsWith(".JSP") NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_APP_ENDPOINTS, JETTY_9, e.getMessage()), e, HttpServletHelper.class.getName()); } } + + private static void setRoute(HttpServletRequest request, HttpRequest securityRequest, AgentMetaData metaData) { + if (StringUtils.isNotBlank(securityRequest.getRoute())){ + return; + } + // TODO verify if request.getServletPath() present in detected API Endpoints then simply set Route else add /* to ServletPath + securityRequest.setRoute(request.getServletPath()); + metaData.setFramework(Framework.SERVLET); + } } diff --git a/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java b/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java index 8680fbc6d..ff5700224 100644 --- a/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java +++ b/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java 
@@ -8,13 +8,12 @@ import com.newrelic.api.agent.security.schema.ApplicationURLMapping; import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; +import com.newrelic.api.agent.security.schema.StringUtils; import com.newrelic.api.agent.security.utils.logging.LogLevel; import javax.servlet.ServletContext; import javax.servlet.ServletRegistration; -import javax.servlet.http.HttpServletMapping; import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.MappingMatch; import java.util.Collection; import java.util.Map; @@ -54,13 +53,12 @@ else if(path.endsWith(".jsp") || path.endsWith(".jspx") || path.endsWith(".JSP") NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_APP_ENDPOINTS, SERVLET_3_0, e.getMessage()), e, HttpServletHelper.class.getName()); } } - public static void setRoute(HttpServletRequest request, HttpRequest securityRequest, AgentMetaData metaData){ - HttpServletMapping mapping = request.getHttpServletMapping(); - if (!mapping.getMappingMatch().equals(MappingMatch.EXTENSION)){ - securityRequest.setRoute(mapping.getPattern()); - } else { - securityRequest.setRoute(request.getServletPath()); + public static void setRoute(HttpServletRequest request, HttpRequest securityRequest, AgentMetaData metaData) { + if (StringUtils.isNotBlank(securityRequest.getRoute())){ + return; } + // TODO verify if request.getServletPath() present in detected API Endpoints then simply set Route else add /* to ServletPath + securityRequest.setRoute(request.getServletPath()); metaData.setFramework(Framework.SERVLET); } } From 7960d89f4392fc06375fcfeae9de15bd54fb5921 Mon Sep 17 00:00:00 2001 
From: idawda Date: Tue, 16 Jul 2024 19:33:45 +0530 Subject: [PATCH 08/14] Consider corner cases for servlet route detection --- .../servlet24/HttpServletHelper.java | 21 ++++++++++++------- .../servlet30/HttpServletHelper.java | 20 ++++++++++++------ .../servlet5/HttpServletHelper.java | 20 ++++++++++++------ .../servlet6/HttpServletHelper.java | 20 ++++++++++++------ 4 files changed, 56 insertions(+), 25 deletions(-) diff --git a/instrumentation-security/servlet-2.4/src/main/java/com/newrelic/agent/security/instrumentation/servlet24/HttpServletHelper.java b/instrumentation-security/servlet-2.4/src/main/java/com/newrelic/agent/security/instrumentation/servlet24/HttpServletHelper.java index 4a3d92bc3..4b8ed9412 100644 --- a/instrumentation-security/servlet-2.4/src/main/java/com/newrelic/agent/security/instrumentation/servlet24/HttpServletHelper.java +++ b/instrumentation-security/servlet-2.4/src/main/java/com/newrelic/agent/security/instrumentation/servlet24/HttpServletHelper.java @@ -6,7 +6,6 @@ import com.newrelic.api.agent.security.schema.ApplicationURLMapping; import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; -import com.newrelic.api.agent.security.schema.StringUtils; import com.newrelic.api.agent.security.schema.policy.AgentPolicy; import com.newrelic.api.agent.security.utils.logging.LogLevel; @@ -15,7 +14,6 @@ import javax.servlet.http.HttpServletRequest; import java.util.Collection; import java.util.Enumeration; -import java.util.Iterator; import java.util.Map; public class HttpServletHelper { 
@@ -156,12 +154,21 @@ else if(path.endsWith(".jsp") || path.endsWith(".jspx") || path.endsWith(".JSP") NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_APP_ENDPOINTS, SERVLET_2_4, e.getMessage()), e, HttpServletHelper.class.getName()); } } + public static void setRoute(HttpServletRequest request, HttpRequest securityRequest, AgentMetaData metaData) { - if (StringUtils.isNotBlank(securityRequest.getRoute())){ - return; + try { + if (URLMappingsHelper.getApplicationURLMappings().isEmpty()){ + return; + } + String route = request.getServletPath(); + if (URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, route))) { + securityRequest.setRoute(route); + } else if (URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, route+URLMappingsHelper.subResourceSegment))) { + securityRequest.setRoute(route + URLMappingsHelper.subResourceSegment); + } + metaData.setFramework(Framework.SERVLET); + } catch (Exception e){ + NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_ROUTE_FOR_INCOMING_REQUEST, SERVLET_2_4, e.getMessage()), e, HttpServletHelper.class.getName()); } - // TODO verify if request.getServletPath() present in detected API Endpoints then simply set Route else add /* to ServletPath - securityRequest.setRoute(request.getServletPath()); - metaData.setFramework(Framework.SERVLET); } } diff --git a/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java b/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java index ff5700224..077aed243 100644 --- a/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java 
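Review bot: The rewritten `setRoute` drops the `StringUtils.isNotBlank(securityRequest.getRoute())` guard, so whichever call runs last decides the route. It also applies `metaData.setFramework(Framework.SERVLET)` even when neither lookup matched. The call sites are outside this hunk, but if the method can run more than once per request (a forward or include dispatch, say) or after a framework-specific hook, the earlier and more specific route is replaced. Consider keeping the guard, which needs the `StringUtils` import this commit removes, and moving the `setFramework` call into the two branches that actually set a route. The servlet-3.0 hunk that follows has the same body.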
+++ b/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java @@ -8,7 +8,6 @@ import com.newrelic.api.agent.security.schema.ApplicationURLMapping; import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; -import com.newrelic.api.agent.security.schema.StringUtils; import com.newrelic.api.agent.security.utils.logging.LogLevel; import javax.servlet.ServletContext; @@ -53,12 +52,21 @@ else if(path.endsWith(".jsp") || path.endsWith(".jspx") || path.endsWith(".JSP") NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_APP_ENDPOINTS, SERVLET_3_0, e.getMessage()), e, HttpServletHelper.class.getName()); } } + public static void setRoute(HttpServletRequest request, HttpRequest securityRequest, AgentMetaData metaData) { - if (StringUtils.isNotBlank(securityRequest.getRoute())){ - return; + try { + if (URLMappingsHelper.getApplicationURLMappings().isEmpty()){ + return; + } + String route = request.getServletPath(); + if (URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, route))) { + securityRequest.setRoute(route); + } else if (URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, route+URLMappingsHelper.subResourceSegment))) { + securityRequest.setRoute(route + URLMappingsHelper.subResourceSegment); + } + metaData.setFramework(Framework.SERVLET); + } catch (Exception e){ + NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_ROUTE_FOR_INCOMING_REQUEST, SERVLET_3_0, e.getMessage()), e, HttpServletHelper.class.getName()); } - // TODO verify if request.getServletPath() present in detected API Endpoints then simply set Route else add /* to ServletPath - securityRequest.setRoute(request.getServletPath()); - metaData.setFramework(Framework.SERVLET); } } 
diff --git a/instrumentation-security/servlet-5.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet5/HttpServletHelper.java b/instrumentation-security/servlet-5.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet5/HttpServletHelper.java index e8583132d..73f3c636b 100644 --- a/instrumentation-security/servlet-5.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet5/HttpServletHelper.java +++ b/instrumentation-security/servlet-5.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet5/HttpServletHelper.java 
@@ -156,13 +156,21 @@ else if(path.endsWith(".jsp") || path.endsWith(".jspx") || path.endsWith(".JSP") NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_APP_ENDPOINTS, SERVLET_5_0, e.getMessage()), e, HttpServletHelper.class.getName()); } } + public static void setRoute(HttpServletRequest request, HttpRequest securityRequest, AgentMetaData metaData){ - HttpServletMapping mapping = request.getHttpServletMapping(); - if (!mapping.getMappingMatch().equals(MappingMatch.EXTENSION)){ - securityRequest.setRoute(mapping.getPattern()); - } else { - securityRequest.setRoute(request.getServletPath()); + try { + if (URLMappingsHelper.getApplicationURLMappings().isEmpty()){ + return; + } + HttpServletMapping mapping = request.getHttpServletMapping(); + if (!mapping.getMappingMatch().equals(MappingMatch.EXTENSION) && URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, mapping.getPattern()))){ + securityRequest.setRoute(mapping.getPattern()); + } else if (URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, mapping.getPattern()))) { + securityRequest.setRoute(request.getServletPath()); + } + metaData.setFramework(Framework.SERVLET); + } catch (Exception e){ + NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_ROUTE_FOR_INCOMING_REQUEST, SERVLET_5_0, e.getMessage()), e, HttpServletHelper.class.getName()); } - metaData.setFramework(Framework.SERVLET); } } diff --git a/instrumentation-security/servlet-6.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet6/HttpServletHelper.java b/instrumentation-security/servlet-6.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet6/HttpServletHelper.java index 08c11e96b..a24ae57bd 100644 
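Review bot: `mapping.getMappingMatch().equals(MappingMatch.EXTENSION)` dereferences a value that can be null: the Servlet API's default `getHttpServletMapping()` returns a mapping whose match type is null. On such a request the first condition throws, the broad `catch (Exception e)` logs a WARNING with the stack trace, and neither route nor framework is set. Read the value once and compare null-safely: `MappingMatch match = mapping.getMappingMatch();` followed by `if (match != null && match != MappingMatch.EXTENSION && ...)`. A null match then falls through to the `else if`, which records `getServletPath()`; confirm that is the wanted fallback. The servlet-6.0 hunk that follows repeats the same lines.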
--- a/instrumentation-security/servlet-6.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet6/HttpServletHelper.java +++ b/instrumentation-security/servlet-6.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet6/HttpServletHelper.java @@ -156,13 +156,21 @@ else if(path.endsWith(".jsp") || path.endsWith(".jspx") || path.endsWith(".JSP") NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_APP_ENDPOINTS, SERVLET_6_0, e.getMessage()), e, HttpServletHelper.class.getName()); } } + public static void setRoute(HttpServletRequest request, HttpRequest securityRequest, AgentMetaData metaData){ - HttpServletMapping mapping = request.getHttpServletMapping(); - if (!mapping.getMappingMatch().equals(MappingMatch.EXTENSION)){ - securityRequest.setRoute(mapping.getPattern()); - } else { - securityRequest.setRoute(request.getServletPath()); + try { + if (URLMappingsHelper.getApplicationURLMappings().isEmpty()){ + return; + } + HttpServletMapping mapping = request.getHttpServletMapping(); + if (!mapping.getMappingMatch().equals(MappingMatch.EXTENSION) && URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, mapping.getPattern()))){ + securityRequest.setRoute(mapping.getPattern()); + } else if (URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, mapping.getPattern()))) { + securityRequest.setRoute(request.getServletPath()); + } + metaData.setFramework(Framework.SERVLET); + } catch (Exception e){ + NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_ROUTE_FOR_INCOMING_REQUEST, SERVLET_6_0, e.getMessage()), e, HttpServletHelper.class.getName()); } - metaData.setFramework(Framework.SERVLET); } } From d1a2e22f3962f405cb9905971d00500e7d196f84 Mon Sep 17 00:00:00 2001 
From: idawda Date: Thu, 25 Jul 2024 12:47:35 +0530 Subject: [PATCH 09/14] Fix for NR-286896, where incorrect route calculated when empty route detected --- .../com/newrelic/api/agent/security/Agent.java | 16 ++++++++++------ .../api/agent/security/schema/HttpRequest.java | 2 +- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/newrelic-security-agent/src/main/java/com/newrelic/api/agent/security/Agent.java b/newrelic-security-agent/src/main/java/com/newrelic/api/agent/security/Agent.java index da910b3dd..10b224ac4 100644 --- a/newrelic-security-agent/src/main/java/com/newrelic/api/agent/security/Agent.java +++ b/newrelic-security-agent/src/main/java/com/newrelic/api/agent/security/Agent.java 
@@ -317,17 +317,21 @@ public void registerOperation(AbstractOperation operation) { processStackTrace(operation); // boolean blockNeeded = checkIfBlockingNeeded(operation.getApiID()); // securityMetaData.getMetaData().setApiBlocked(blockNeeded); - HttpRequest request = securityMetaData.getRequest(); -// if (StringUtils.isEmpty(request.getRoute())){ + + // fallback mechanism for route detection Framework frameWork = Framework.UNKNOWN; - if(!securityMetaData.getFuzzRequestIdentifier().getK2Request() && StringUtils.isNotBlank(securityMetaData.getMetaData().getFramework())) { + if(StringUtils.isNotBlank(securityMetaData.getMetaData().getFramework())) { frameWork = Framework.valueOf(securityMetaData.getMetaData().getFramework()); } + HttpRequest request = securityMetaData.getRequest(); if (!securityMetaData.getFuzzRequestIdentifier().getK2Request() && StringUtils.isEmpty(request.getRoute())){ - request.setRoute(getEndpointRoute(StringUtils.substringBefore(request.getUrl(), "?"), frameWork), true); + String route = getEndpointRoute(StringUtils.substringBefore(request.getUrl(), "?"), frameWork); + if( route != null){ + request.setRoute(route); + } logger.log(LogLevel.FINEST,"Route detection using Application Endpoint", this.getClass().getName()); } -// } + if (needToGenerateEvent(operation.getApiID())) { DispatcherPool.getInstance().dispatchEvent(operation, securityMetaData); if (!firstEventProcessed.get()) { @@ -379,7 +383,7 @@ private String getEndpointRoute(String uri) { } } } - return StringUtils.EMPTY; + return null; } private int jumpRoute(List value, int i1, List uriSegments, int i) { diff --git a/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/HttpRequest.java b/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/HttpRequest.java index 5b65ef0f6..1f41add29 100644 --- a/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/HttpRequest.java 
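Review bot: `Framework.valueOf(...)` now runs for every operation, K2 fuzz requests included, yet in the visible lines `frameWork` is only read inside the `!getK2Request() && StringUtils.isEmpty(request.getRoute())` block. `valueOf` throws `IllegalArgumentException` for any string that is not an exact constant name, so moving the lookup inside that block keeps the previous exposure and skips the work when a route is already set. The FINEST message `Route detection using Application Endpoint` is also logged when `route` is null and nothing was set; it belongs inside the `route != null` branch. `registerOperation` continues outside the hunk, so whether an enclosing try covers these lines is not visible here.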
+++ b/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/HttpRequest.java @@ -216,7 +216,7 @@ public String getRoute() { } public void setRoute(String route){ - this.route = StringUtils.removeEnd(StringUtils.prependIfMissing(route, StringUtils.SEPARATOR), StringUtils.SEPARATOR); + this.route = StringUtils.prependIfMissing(StringUtils.removeEnd(route, StringUtils.SEPARATOR), StringUtils.SEPARATOR); } public void setRoute(String segment, boolean isAlreadyServlet) { From a4bc3ce50da9a6efa09954648c9ba22b26452a6f Mon Sep 17 00:00:00 2001 From: idawda Date: Fri, 20 Sep 2024 13:06:34 +0530 Subject: [PATCH 10/14] Route detection support for servlet framework * Detecting route servlet registration or servlet mapping --- .../jetty11/HttpServletHelper.java | 14 ------- .../jetty9/HttpServletHelper.java | 13 ------ .../servlet24/HttpServletHelper.java | 28 +++++++++---- .../servlet/FilterChain_Instrumentation.java | 4 +- .../javax/servlet/Filter_Instrumentation.java | 4 +- .../servlet/Servlet_Instrumentation.java | 7 +++- .../servlet30/HttpServletHelper.java | 29 +++++++++---- .../servlet/Servlet_Instrumentation.java | 9 ++-- .../servlet5/HttpServletHelper.java | 13 +++--- .../servlet/FilterChain_Instrumentation.java | 6 +-- .../servlet/Filter_Instrumentation.java | 6 +-- .../servlet/Servlet_Instrumentation.java | 6 +-- .../servlet6/HttpServletHelper.java | 12 +++--- .../servlet/FilterChain_Instrumentation.java | 5 ++- .../servlet/Filter_Instrumentation.java | 5 ++- .../servlet/Servlet_Instrumentation.java | 6 +-- .../newrelic/api/agent/security/Agent.java | 42 +++++++++++-------- .../agent/security/schema/HttpRequest.java | 8 +++- 18 files changed, 117 insertions(+), 100 deletions(-) 
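Review bot: `setRoute(String)` normalises its argument without a doc comment, and the reordering changes an edge case. Assuming the helpers behave like their commons-lang namesakes, an empty string now becomes the bare separator, where the old order produced an empty route. `Agent.registerOperation` in this same patch uses `StringUtils.isEmpty(request.getRoute())` to decide whether to run the endpoint fallback, so a caller that passes an empty string now suppresses that fallback. A short Javadoc would make the contract explicit: leading separator added, one trailing separator removed, and what an empty or null argument yields. The null case depends on the project's `StringUtils`, which is not visible here.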
diff --git a/instrumentation-security/jetty-11/src/main/java/com/newrelic/agent/security/instrumentation/jetty11/HttpServletHelper.java b/instrumentation-security/jetty-11/src/main/java/com/newrelic/agent/security/instrumentation/jetty11/HttpServletHelper.java index 700787003..e0528d9e7 100644 --- a/instrumentation-security/jetty-11/src/main/java/com/newrelic/agent/security/instrumentation/jetty11/HttpServletHelper.java +++ b/instrumentation-security/jetty-11/src/main/java/com/newrelic/agent/security/instrumentation/jetty11/HttpServletHelper.java @@ -4,7 +4,6 @@ import com.newrelic.api.agent.security.instrumentation.helpers.*; import com.newrelic.api.agent.security.schema.AgentMetaData; import com.newrelic.api.agent.security.schema.ApplicationURLMapping; -import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.SecurityMetaData; import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException; @@ -13,10 +12,8 @@ import com.newrelic.api.agent.security.utils.logging.LogLevel; import jakarta.servlet.ServletContext; import jakarta.servlet.ServletRegistration; -import jakarta.servlet.http.HttpServletMapping; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; -import jakarta.servlet.http.MappingMatch; import java.util.Arrays; import java.util.Collection; @@ -154,8 +151,6 @@ public static void preprocessSecurityHook(HttpServletRequest httpServletRequest) securityAgentMetaData.getIps().add(securityRequest.getClientIP()); securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } - // route detection - HttpServletHelper.setRoute(httpServletRequest, securityRequest, securityAgentMetaData); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); 
@@ -239,13 +234,4 @@ else if(path.endsWith(".jsp") || path.endsWith(".jspx") || path.endsWith(".JSP") NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_APP_ENDPOINTS, JETTY_11, e.getMessage()), e, HttpServletHelper.class.getName()); } } - public static void setRoute(HttpServletRequest request, HttpRequest securityRequest, AgentMetaData metaData){ - HttpServletMapping mapping = request.getHttpServletMapping(); - if (!mapping.getMappingMatch().equals(MappingMatch.EXTENSION)){ - securityRequest.setRoute(mapping.getPattern()); - } else { - securityRequest.setRoute(request.getServletPath()); - } - metaData.setFramework(Framework.SERVLET); - } } diff --git a/instrumentation-security/jetty-9/src/main/java/com/newrelic/agent/security/instrumentation/jetty9/HttpServletHelper.java b/instrumentation-security/jetty-9/src/main/java/com/newrelic/agent/security/instrumentation/jetty9/HttpServletHelper.java index 0986862d0..07b87e142 100644 --- a/instrumentation-security/jetty-9/src/main/java/com/newrelic/agent/security/instrumentation/jetty9/HttpServletHelper.java +++ b/instrumentation-security/jetty-9/src/main/java/com/newrelic/agent/security/instrumentation/jetty9/HttpServletHelper.java @@ -4,10 +4,8 @@ import com.newrelic.api.agent.security.instrumentation.helpers.*; import com.newrelic.api.agent.security.schema.AgentMetaData; import com.newrelic.api.agent.security.schema.ApplicationURLMapping; -import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.SecurityMetaData; -import com.newrelic.api.agent.security.schema.StringUtils; import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException; import com.newrelic.api.agent.security.schema.operation.RXSSOperation; import com.newrelic.api.agent.security.schema.policy.AgentPolicy; 
@@ -154,8 +152,6 @@ public static void preprocessSecurityHook(HttpServletRequest httpServletRequest) securityAgentMetaData.getIps().add(securityRequest.getClientIP()); securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } - // route detection - setRoute(httpServletRequest, securityRequest, securityAgentMetaData); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); @@ -240,13 +236,4 @@ else if(path.endsWith(".jsp") || path.endsWith(".jspx") || path.endsWith(".JSP") NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_APP_ENDPOINTS, JETTY_9, e.getMessage()), e, HttpServletHelper.class.getName()); } } - - private static void setRoute(HttpServletRequest request, HttpRequest securityRequest, AgentMetaData metaData) { - if (StringUtils.isNotBlank(securityRequest.getRoute())){ - return; - } - // TODO verify if request.getServletPath() present in detected API Endpoints then simply set Route else add /* to ServletPath - securityRequest.setRoute(request.getServletPath()); - metaData.setFramework(Framework.SERVLET); - } } diff --git a/instrumentation-security/servlet-2.4/src/main/java/com/newrelic/agent/security/instrumentation/servlet24/HttpServletHelper.java b/instrumentation-security/servlet-2.4/src/main/java/com/newrelic/agent/security/instrumentation/servlet24/HttpServletHelper.java index 4b8ed9412..3918dd1e6 100644 --- a/instrumentation-security/servlet-2.4/src/main/java/com/newrelic/agent/security/instrumentation/servlet24/HttpServletHelper.java +++ b/instrumentation-security/servlet-2.4/src/main/java/com/newrelic/agent/security/instrumentation/servlet24/HttpServletHelper.java 
@@ -6,15 +6,19 @@ import com.newrelic.api.agent.security.schema.ApplicationURLMapping; import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; +import com.newrelic.api.agent.security.schema.StringUtils; import com.newrelic.api.agent.security.schema.policy.AgentPolicy; import com.newrelic.api.agent.security.utils.logging.LogLevel; +import javax.servlet.ServletConfig; import javax.servlet.ServletContext; import javax.servlet.ServletRegistration; import javax.servlet.http.HttpServletRequest; import java.util.Collection; import java.util.Enumeration; import java.util.Map; +import java.util.regex.Matcher; +import java.util.regex.Pattern; public class HttpServletHelper { 
@@ -155,18 +159,28 @@ else if(path.endsWith(".jsp") || path.endsWith(".jspx") || path.endsWith(".JSP") } } - public static void setRoute(HttpServletRequest request, HttpRequest securityRequest, AgentMetaData metaData) { + public static void setRoute(HttpServletRequest request, HttpRequest securityRequest, ServletConfig servletConfig) { try { if (URLMappingsHelper.getApplicationURLMappings().isEmpty()){ return; } - String route = request.getServletPath(); - if (URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, route))) { - securityRequest.setRoute(route); - } else if (URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, route+URLMappingsHelper.subResourceSegment))) { - securityRequest.setRoute(route + URLMappingsHelper.subResourceSegment); + String servletPath = request.getServletPath(); + if (URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, servletPath))) { + securityRequest.setRoute(servletPath); + } else if (servletConfig != null) { + ServletRegistration registration = servletConfig.getServletContext().getServletRegistration(servletConfig.getServletName()); + if (registration != null && registration.getMappings() != null && !registration.getMappings().isEmpty()) { + for (String mapping : registration.getMappings()) { + Pattern pattern = Pattern.compile(StringUtils.replace(mapping, URLMappingsHelper.WILDCARD, ".*")); + Matcher matcher = pattern.matcher(servletPath); + if (matcher.matches()) { + securityRequest.setRoute(mapping); + break; + } + } + } } - metaData.setFramework(Framework.SERVLET); + NewRelicSecurity.getAgent().getSecurityMetaData().getMetaData().setFramework(Framework.SERVLET); } catch (Exception e){ NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_ROUTE_FOR_INCOMING_REQUEST, SERVLET_2_4, e.getMessage()), e, 
HttpServletHelper.class.getName()); } diff --git a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/FilterChain_Instrumentation.java b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/FilterChain_Instrumentation.java index abe21ef02..40892bb76 100644 --- a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/FilterChain_Instrumentation.java +++ b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/FilterChain_Instrumentation.java @@ -27,6 +27,9 @@ public abstract class FilterChain_Instrumentation { public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException { boolean isServletLockAcquired = acquireServletLockIfPossible(); + if (NewRelicSecurity.isHookProcessingActive() && request instanceof HttpServletRequest){ + HttpServletHelper.setRoute((HttpServletRequest) request, NewRelicSecurity.getAgent().getSecurityMetaData().getRequest(), null); + } if(isServletLockAcquired) { preprocessSecurityHook(request, response); } @@ -69,7 +72,6 @@ private void preprocessSecurityHook(ServletRequest request, ServletResponse resp } HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); - HttpServletHelper.setRoute(httpServletRequest, securityRequest, securityAgentMetaData); securityMetaData.setTracingHeaderValue(HttpServletHelper.getTraceHeader(securityRequest.getHeaders())); securityRequest.setProtocol(httpServletRequest.getScheme()); diff --git a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Filter_Instrumentation.java b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Filter_Instrumentation.java index 5699551ee..e12d0e987 100644 --- a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Filter_Instrumentation.java +++ b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Filter_Instrumentation.java 
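Review bot: The fallback loop in `setRoute` builds a regular expression from each servlet mapping by replacing only the wildcard, so every other character keeps its regex meaning. The `.` in an extension mapping matches any character, a mapping containing `+`, `(` or `[` can mis-match or throw `PatternSyntaxException`, and a `Pattern` is compiled per mapping on every request. The loop also matches against `getServletPath()` alone, which for a path mapping such as `/api/*` is just `/api` and therefore never matches `/api/.*`; the `subResourceSegment` lookup that covered this case is removed. Comparing the patterns literally against servlet path plus path info avoids both problems, as sketched below. The servlet-3.0 `setRoute` hunk later in this patch has the same loop.

```java
// … unchanged: empty-mappings guard and exact servletPath lookup …
} else if (servletConfig != null) {
    // … unchanged: registration lookup …
    if (registration != null && registration.getMappings() != null) {
        // Servlet URL patterns are not regular expressions: compare them literally
        String pathInfo = request.getPathInfo();
        String requestPath = pathInfo == null ? servletPath : servletPath + pathInfo;
        for (String mapping : registration.getMappings()) {
            boolean matched;
            if (mapping.startsWith("*.")) {
                matched = requestPath.endsWith(mapping.substring(1));
            } else if (mapping.endsWith("/*")) {
                String prefix = mapping.substring(0, mapping.length() - 2);
                matched = requestPath.equals(prefix) || requestPath.startsWith(prefix + "/");
            } else {
                matched = mapping.equals(requestPath);
            }
            if (matched) {
                securityRequest.setRoute(mapping);
                break;
            }
        }
    }
}
// … unchanged: setFramework call and catch block …
```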
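Review bot: In `doFilter` the argument `NewRelicSecurity.getAgent().getSecurityMetaData().getRequest()` is evaluated in the woven method itself, outside the try/catch that `setRoute` provides, so a failure in that chain would surface in the application's filter chain instead of being logged by the agent. The call also sits before the `isServletLockAcquired` check, so the endpoint lookup and `setFramework(Framework.SERVLET)` repeat at every filter in the chain. The servlet-5.0 helper in this same patch resolves the metadata inside `setRoute(request)` and returns early when another framework is already recorded; doing the same here would keep the modules consistent. The `Filter_Instrumentation` and `Servlet_Instrumentation` hunks that follow use the same call shape, and in `service` the extra `getServletConfig()` argument is application code evaluated in the same unguarded position. `doFilter` continues outside the hunk.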
@@ -29,6 +29,9 @@ public abstract class Filter_Instrumentation { public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { boolean isServletLockAcquired = acquireServletLockIfPossible(); + if (NewRelicSecurity.isHookProcessingActive() && request instanceof HttpServletRequest){ + HttpServletHelper.setRoute((HttpServletRequest) request, NewRelicSecurity.getAgent().getSecurityMetaData().getRequest(), null); + } if(isServletLockAcquired) { preprocessSecurityHook(request, response); } @@ -71,7 +74,6 @@ private void preprocessSecurityHook(ServletRequest request, ServletResponse resp } HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); - HttpServletHelper.setRoute(httpServletRequest, securityRequest, securityAgentMetaData); securityMetaData.setTracingHeaderValue(HttpServletHelper.getTraceHeader(securityRequest.getHeaders())); diff --git a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Servlet_Instrumentation.java b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Servlet_Instrumentation.java index 3a56eb97a..b8d729783 100644 --- a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Servlet_Instrumentation.java +++ b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Servlet_Instrumentation.java @@ -13,7 +13,6 @@ import com.newrelic.api.agent.security.instrumentation.helpers.LowSeverityHelper; import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper; import com.newrelic.api.agent.security.schema.AgentMetaData; -import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.SecurityMetaData; import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException; 
@@ -33,6 +32,9 @@ public abstract class Servlet_Instrumentation { public void service(ServletRequest_Instrumentation request, ServletResponse_Instrumentation response) { boolean isServletLockAcquired = acquireServletLockIfPossible(); + if (NewRelicSecurity.isHookProcessingActive() && request instanceof HttpServletRequest){ + HttpServletHelper.setRoute((HttpServletRequest) request, NewRelicSecurity.getAgent().getSecurityMetaData().getRequest(), getServletConfig()); + } if(isServletLockAcquired) { preprocessSecurityHook(request, response); } @@ -75,7 +77,6 @@ private void preprocessSecurityHook(ServletRequest_Instrumentation request, Serv } HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); - HttpServletHelper.setRoute(httpServletRequest, securityRequest, securityAgentMetaData); securityMetaData.setTracingHeaderValue(HttpServletHelper.getTraceHeader(securityRequest.getHeaders())); @@ -142,4 +143,6 @@ private void releaseServletLock() { HttpServletHelper.releaseServletLock(); } catch (Throwable e) {} } + + public abstract ServletConfig getServletConfig(); } diff --git a/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java b/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java index 077aed243..d71eb6d56 100644 --- a/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java +++ b/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java 
@@ -4,17 +4,20 @@ import com.newrelic.api.agent.security.NewRelicSecurity; import com.newrelic.api.agent.security.instrumentation.helpers.GenericHelper; import com.newrelic.api.agent.security.instrumentation.helpers.URLMappingsHelper; -import com.newrelic.api.agent.security.schema.AgentMetaData; import com.newrelic.api.agent.security.schema.ApplicationURLMapping; import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; +import com.newrelic.api.agent.security.schema.StringUtils; import com.newrelic.api.agent.security.utils.logging.LogLevel; +import javax.servlet.ServletConfig; import javax.servlet.ServletContext; import javax.servlet.ServletRegistration; import javax.servlet.http.HttpServletRequest; import java.util.Collection; import java.util.Map; +import java.util.regex.Matcher; +import java.util.regex.Pattern; public class HttpServletHelper { private static final String WILDCARD = "*"; 
@@ -53,18 +56,28 @@ else if(path.endsWith(".jsp") || path.endsWith(".jspx") || path.endsWith(".JSP") } } - public static void setRoute(HttpServletRequest request, HttpRequest securityRequest, AgentMetaData metaData) { + public static void setRoute(HttpServletRequest request, HttpRequest securityRequest, ServletConfig servletConfig) { try { if (URLMappingsHelper.getApplicationURLMappings().isEmpty()){ return; } - String route = request.getServletPath(); - if (URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, route))) { - securityRequest.setRoute(route); - } else if (URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, route+URLMappingsHelper.subResourceSegment))) { - securityRequest.setRoute(route + URLMappingsHelper.subResourceSegment); + String servletPath = request.getServletPath(); + if (URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, servletPath))) { + securityRequest.setRoute(servletPath); + } else if (servletConfig != null) { + ServletRegistration registration = servletConfig.getServletContext().getServletRegistration(servletConfig.getServletName()); + if (registration != null && registration.getMappings() != null && !registration.getMappings().isEmpty()) { + for (String mapping : registration.getMappings()) { + Pattern pattern = Pattern.compile(StringUtils.replace(mapping, URLMappingsHelper.WILDCARD, ".*")); + Matcher matcher = pattern.matcher(servletPath); + if (matcher.matches()) { + securityRequest.setRoute(mapping); + break; + } + } + } } - metaData.setFramework(Framework.SERVLET); + NewRelicSecurity.getAgent().getSecurityMetaData().getMetaData().setFramework(Framework.SERVLET); } catch (Exception e){ NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_ROUTE_FOR_INCOMING_REQUEST, SERVLET_3_0, e.getMessage()), e, 
HttpServletHelper.class.getName()); } diff --git a/instrumentation-security/servlet-3.0/src/main/java/javax/servlet/Servlet_Instrumentation.java b/instrumentation-security/servlet-3.0/src/main/java/javax/servlet/Servlet_Instrumentation.java index 1165e9bc0..7397d6960 100644 --- a/instrumentation-security/servlet-3.0/src/main/java/javax/servlet/Servlet_Instrumentation.java +++ b/instrumentation-security/servlet-3.0/src/main/java/javax/servlet/Servlet_Instrumentation.java @@ -10,12 +10,15 @@ import javax.servlet.http.HttpServletRequest; @Weave(type = MatchType.Interface, originalName = "javax.servlet.Servlet") -public class Servlet_Instrumentation { +public abstract class Servlet_Instrumentation { + public void service(ServletRequest req, ServletResponse res){ if (NewRelicSecurity.isHookProcessingActive() && req instanceof HttpServletRequest){ - SecurityMetaData metaData = NewRelicSecurity.getAgent().getSecurityMetaData(); - HttpServletHelper.setRoute((HttpServletRequest) req, metaData.getRequest(), metaData.getMetaData()); + HttpServletHelper.setRoute((HttpServletRequest) req, NewRelicSecurity.getAgent().getSecurityMetaData().getRequest(), getServletConfig()); } Weaver.callOriginal(); } + + public abstract ServletConfig getServletConfig(); + } diff --git a/instrumentation-security/servlet-5.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet5/HttpServletHelper.java b/instrumentation-security/servlet-5.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet5/HttpServletHelper.java index 73f3c636b..a05f32117 100644 --- a/instrumentation-security/servlet-5.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet5/HttpServletHelper.java +++ b/instrumentation-security/servlet-5.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet5/HttpServletHelper.java 
@@ -12,7 +12,6 @@ import jakarta.servlet.ServletRegistration; import jakarta.servlet.http.HttpServletMapping; import jakarta.servlet.http.HttpServletRequest; -import jakarta.servlet.http.MappingMatch; import java.util.Collection; import java.util.Enumeration; @@ -157,18 +156,16 @@ else if(path.endsWith(".jsp") || path.endsWith(".jspx") || path.endsWith(".JSP") } } - public static void setRoute(HttpServletRequest request, HttpRequest securityRequest, AgentMetaData metaData){ + public static void setRoute(HttpServletRequest request){ try { - if (URLMappingsHelper.getApplicationURLMappings().isEmpty()){ + if (!NewRelicSecurity.isHookProcessingActive() || URLMappingsHelper.getApplicationURLMappings().isEmpty() || (!NewRelicSecurity.getAgent().getSecurityMetaData().getMetaData().getFramework().isEmpty() && !NewRelicSecurity.getAgent().getSecurityMetaData().getMetaData().getFramework().equals(Framework.SERVLET.name()))){ return; } HttpServletMapping mapping = request.getHttpServletMapping(); - if (!mapping.getMappingMatch().equals(MappingMatch.EXTENSION) && URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, mapping.getPattern()))){ - securityRequest.setRoute(mapping.getPattern()); - } else if (URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, mapping.getPattern()))) { - securityRequest.setRoute(request.getServletPath()); + if (mapping != null) { + NewRelicSecurity.getAgent().getSecurityMetaData().getRequest().setRoute(mapping.getPattern()); } - metaData.setFramework(Framework.SERVLET); + NewRelicSecurity.getAgent().getSecurityMetaData().getMetaData().setFramework(Framework.SERVLET); } catch (Exception e){ NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_ROUTE_FOR_INCOMING_REQUEST, SERVLET_5_0, e.getMessage()), e, HttpServletHelper.class.getName()); } 
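Review bot: The new guard in `setRoute(HttpServletRequest)` calls `getFramework().isEmpty()` directly, while `Agent.java` on this page tests the same value with `StringUtils.isNotBlank`, which suggests it can be null or blank. If it can be null, the guard throws into the `catch` and logs a WARNING for the request instead of setting a route. Reading the value once, `String framework = NewRelicSecurity.getAgent().getSecurityMetaData().getMetaData().getFramework();`, and testing `framework != null && !framework.isEmpty() && !Framework.SERVLET.name().equals(framework)` removes that path and the four repetitions of the accessor chain. A one-line comment such as `// a route reported by another framework takes precedence over the servlet mapping` would document the intent. The servlet-6.0 `setRoute` hunk further down is identical.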
diff --git a/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java b/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java index 7a4d8bba6..499b41448 100644 --- a/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java +++ b/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java @@ -6,7 +6,6 @@ import com.newrelic.api.agent.security.instrumentation.helpers.LowSeverityHelper; import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper; import com.newrelic.api.agent.security.schema.AgentMetaData; -import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.SecurityMetaData; import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException; @@ -27,6 +26,9 @@ public abstract class FilterChain_Instrumentation { public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException { boolean isServletLockAcquired = acquireServletLockIfPossible(); + if (request instanceof HttpServletRequest) { + HttpServletHelper.setRoute((HttpServletRequest)request); + } if(isServletLockAcquired) { preprocessSecurityHook(request, response); } @@ -67,8 +69,6 @@ private void preprocessSecurityHook(ServletRequest request, ServletResponse resp securityAgentMetaData.getIps().add(securityRequest.getClientIP()); securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } - // route detection - HttpServletHelper.setRoute(httpServletRequest, securityRequest, securityAgentMetaData); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); 
diff --git a/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java b/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java index 85732dd49..ab3335e1a 100644 --- a/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java +++ b/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java @@ -6,7 +6,6 @@ import com.newrelic.api.agent.security.instrumentation.helpers.LowSeverityHelper; import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper; import com.newrelic.api.agent.security.schema.AgentMetaData; -import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.SecurityMetaData; import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException; @@ -28,6 +27,9 @@ public abstract class Filter_Instrumentation { public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { boolean isServletLockAcquired = acquireServletLockIfPossible(); + if (request instanceof HttpServletRequest) { + HttpServletHelper.setRoute((HttpServletRequest)request); + } if(isServletLockAcquired) { preprocessSecurityHook(request, response); } @@ -68,8 +70,6 @@ private void preprocessSecurityHook(ServletRequest request, ServletResponse resp securityAgentMetaData.getIps().add(securityRequest.getClientIP()); securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } - // route detection - HttpServletHelper.setRoute(httpServletRequest, securityRequest, securityAgentMetaData); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); 
diff --git a/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java b/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java index 8d44a5a7b..964b14950 100644 --- a/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java +++ b/instrumentation-security/servlet-5.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java @@ -13,7 +13,6 @@ import com.newrelic.api.agent.security.instrumentation.helpers.LowSeverityHelper; import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper; import com.newrelic.api.agent.security.schema.AgentMetaData; -import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.SecurityMetaData; import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException; @@ -33,6 +32,9 @@ public abstract class Servlet_Instrumentation { public void service(ServletRequest_Instrumentation request, ServletResponse_Instrumentation response) { boolean isServletLockAcquired = acquireServletLockIfPossible(); + if (request instanceof HttpServletRequest) { + HttpServletHelper.setRoute((HttpServletRequest)request); + } if(isServletLockAcquired) { preprocessSecurityHook(request, response); } @@ -73,8 +75,6 @@ private void preprocessSecurityHook(ServletRequest_Instrumentation request, Serv securityAgentMetaData.getIps().add(securityRequest.getClientIP()); securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } - // route detection - HttpServletHelper.setRoute(httpServletRequest, securityRequest, securityAgentMetaData); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); 
diff --git a/instrumentation-security/servlet-6.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet6/HttpServletHelper.java b/instrumentation-security/servlet-6.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet6/HttpServletHelper.java index a24ae57bd..93f57556e 100644 --- a/instrumentation-security/servlet-6.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet6/HttpServletHelper.java +++ b/instrumentation-security/servlet-6.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet6/HttpServletHelper.java 
@@ -157,18 +157,16 @@ else if(path.endsWith(".jsp") || path.endsWith(".jspx") || path.endsWith(".JSP") } } - public static void setRoute(HttpServletRequest request, HttpRequest securityRequest, AgentMetaData metaData){ + public static void setRoute(HttpServletRequest request){ try { - if (URLMappingsHelper.getApplicationURLMappings().isEmpty()){ + if (!NewRelicSecurity.isHookProcessingActive() || URLMappingsHelper.getApplicationURLMappings().isEmpty() || (!NewRelicSecurity.getAgent().getSecurityMetaData().getMetaData().getFramework().isEmpty() && !NewRelicSecurity.getAgent().getSecurityMetaData().getMetaData().getFramework().equals(Framework.SERVLET.name()))){ return; } HttpServletMapping mapping = request.getHttpServletMapping(); - if (!mapping.getMappingMatch().equals(MappingMatch.EXTENSION) && URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, mapping.getPattern()))){ - securityRequest.setRoute(mapping.getPattern()); - } else if (URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, mapping.getPattern()))) { - securityRequest.setRoute(request.getServletPath()); + if (mapping != null) { + NewRelicSecurity.getAgent().getSecurityMetaData().getRequest().setRoute(mapping.getPattern()); } - metaData.setFramework(Framework.SERVLET); + NewRelicSecurity.getAgent().getSecurityMetaData().getMetaData().setFramework(Framework.SERVLET); } catch (Exception e){ NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_ROUTE_FOR_INCOMING_REQUEST, SERVLET_6_0, e.getMessage()), e, HttpServletHelper.class.getName()); } diff --git a/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java b/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java index f5191f89e..78c07636f 100644 
--- a/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java +++ b/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/FilterChain_Instrumentation.java @@ -27,6 +27,9 @@ public abstract class FilterChain_Instrumentation { public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException { boolean isServletLockAcquired = acquireServletLockIfPossible(); + if (request instanceof HttpServletRequest) { + HttpServletHelper.setRoute((HttpServletRequest)request); + } if(isServletLockAcquired) { preprocessSecurityHook(request, response); } @@ -67,8 +70,6 @@ private void preprocessSecurityHook(ServletRequest request, ServletResponse resp securityAgentMetaData.getIps().add(securityRequest.getClientIP()); securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } - // route detection - HttpServletHelper.setRoute(httpServletRequest, securityRequest, securityAgentMetaData); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); diff --git a/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java b/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java index c97bdf03f..f8644b268 100644 --- a/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java +++ b/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Filter_Instrumentation.java @@ -28,6 +28,9 @@ public abstract class Filter_Instrumentation { public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { boolean isServletLockAcquired = acquireServletLockIfPossible(); + if (request instanceof HttpServletRequest) { + HttpServletHelper.setRoute((HttpServletRequest)request); + } if(isServletLockAcquired) { preprocessSecurityHook(request, response); } 
@@ -68,8 +71,6 @@ private void preprocessSecurityHook(ServletRequest request, ServletResponse resp securityAgentMetaData.getIps().add(securityRequest.getClientIP()); securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } - // route detection - HttpServletHelper.setRoute(httpServletRequest, securityRequest, securityAgentMetaData); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); diff --git a/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java b/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java index 71cb189e4..c119c6204 100644 --- a/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java +++ b/instrumentation-security/servlet-6.0/src/main/java/jakarta/servlet/Servlet_Instrumentation.java @@ -13,7 +13,6 @@ import com.newrelic.api.agent.security.instrumentation.helpers.LowSeverityHelper; import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper; import com.newrelic.api.agent.security.schema.AgentMetaData; -import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.SecurityMetaData; import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException; @@ -33,6 +32,9 @@ public abstract class Servlet_Instrumentation { public void service(ServletRequest_Instrumentation request, ServletResponse_Instrumentation response) { boolean isServletLockAcquired = acquireServletLockIfPossible(); + if (request instanceof HttpServletRequest) { + HttpServletHelper.setRoute((HttpServletRequest)request); + } if(isServletLockAcquired) { preprocessSecurityHook(request, response); } 
@@ -73,8 +75,6 @@ private void preprocessSecurityHook(ServletRequest_Instrumentation request, Serv securityAgentMetaData.getIps().add(securityRequest.getClientIP()); securityRequest.setClientPort(String.valueOf(httpServletRequest.getRemotePort())); } - // route detection - HttpServletHelper.setRoute(httpServletRequest, securityRequest, securityAgentMetaData); HttpServletHelper.processHttpRequestHeader(httpServletRequest, securityRequest); diff --git a/newrelic-security-agent/src/main/java/com/newrelic/api/agent/security/Agent.java b/newrelic-security-agent/src/main/java/com/newrelic/api/agent/security/Agent.java index 10b224ac4..81928300e 100644 --- a/newrelic-security-agent/src/main/java/com/newrelic/api/agent/security/Agent.java +++ b/newrelic-security-agent/src/main/java/com/newrelic/api/agent/security/Agent.java @@ -29,8 +29,6 @@ import com.newrelic.api.agent.security.schema.operation.RXSSOperation; import com.newrelic.api.agent.security.schema.policy.AgentPolicy; import org.apache.commons.lang3.StringUtils; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import java.io.File; import java.io.IOException; 
@@ -318,19 +316,7 @@ public void registerOperation(AbstractOperation operation) { // boolean blockNeeded = checkIfBlockingNeeded(operation.getApiID()); // securityMetaData.getMetaData().setApiBlocked(blockNeeded); - // fallback mechanism for route detection - Framework frameWork = Framework.UNKNOWN; - if(StringUtils.isNotBlank(securityMetaData.getMetaData().getFramework())) { - frameWork = Framework.valueOf(securityMetaData.getMetaData().getFramework()); - } - HttpRequest request = securityMetaData.getRequest(); - if (!securityMetaData.getFuzzRequestIdentifier().getK2Request() && StringUtils.isEmpty(request.getRoute())){ - String route = getEndpointRoute(StringUtils.substringBefore(request.getUrl(), "?"), frameWork); - if( route != null){ - request.setRoute(route); - } - logger.log(LogLevel.FINEST,"Route detection using Application Endpoint", this.getClass().getName()); - } + setRouteIfNotPresent(); if (needToGenerateEvent(operation.getApiID())) { DispatcherPool.getInstance().dispatchEvent(operation, securityMetaData); 
@@ -348,9 +334,29 @@ public void registerOperation(AbstractOperation operation) { } } } - private String getEndpointRoute(String uri, Framework framework){ - switch (framework){ - default: return getEndpointRoute(uri); + + // fallback mechanism for route detection + private void setRouteIfNotPresent() { + HttpRequest request = getSecurityMetaData().getRequest(); + if (URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(request.getMethod(), request.getRoute())) || + URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, request.getRoute()))){ + return; + } + request.setRoute("", null); + Framework frameWork = Framework.UNKNOWN; + if(StringUtils.isNotBlank(getSecurityMetaData().getMetaData().getFramework())) { + frameWork = Framework.valueOf(getSecurityMetaData().getMetaData().getFramework()); + } + if (!getSecurityMetaData().getFuzzRequestIdentifier().getK2Request()){ + String route; + switch (frameWork){ + default: route = getEndpointRoute(StringUtils.substringBefore(request.getUrl(), "?")); + } + if(route != null && !route.isEmpty()){ + request.setRoute(route); + getSecurityMetaData().getMetaData().setFramework(Framework.SERVLET); + logger.log(LogLevel.FINEST,"Route detection using Application Endpoint", this.getClass().getName()); + } } } diff --git a/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/HttpRequest.java b/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/HttpRequest.java index 1f41add29..fbd5c8b66 100644 --- a/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/HttpRequest.java +++ b/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/HttpRequest.java 
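Review bot: In `setRouteIfNotPresent`, the `frameWork` local only feeds a `switch` whose sole label is `default`, so `Framework.valueOf(...)` cannot change the outcome but can still throw `IllegalArgumentException` for a framework string that is not an enum constant. By that point `request.setRoute("", null)` has already cleared the route, and whether the caller catches the exception is outside the hunk. Until a second case exists, assigning `String route = getEndpointRoute(StringUtils.substringBefore(request.getUrl(), "?"));` directly and dropping the local removes that failure path. If the switch is kept as a placeholder, a comment such as `// per-framework endpoint lookup goes here` would say so.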
@@ -216,10 +216,14 @@ public String getRoute() { } public void setRoute(String route){ - this.route = StringUtils.prependIfMissing(StringUtils.removeEnd(route, StringUtils.SEPARATOR), StringUtils.SEPARATOR); + setRoute(route, true); } - public void setRoute(String segment, boolean isAlreadyServlet) { + public void setRoute(String segment, Boolean isAlreadyServlet) { + if (isAlreadyServlet == null){ + this.route = StringUtils.EMPTY; + return; + } // remove servlet detected route if another framework detected; if (isAlreadyServlet) { this.route = StringUtils.EMPTY; From b69814ba70829e90714750360823f12f892387b0 Mon Sep 17 00:00:00 2001 From: idawda Date: Fri, 20 Sep 2024 19:21:32 +0530 Subject: [PATCH 11/14] Fix for extension based endpoints present in servlet --- .../instrumentation/servlet5/HttpServletHelper.java | 6 ++++-- .../instrumentation/servlet6/HttpServletHelper.java | 6 ++++-- .../com/newrelic/api/agent/security/schema/HttpRequest.java | 5 +++++ 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/instrumentation-security/servlet-5.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet5/HttpServletHelper.java b/instrumentation-security/servlet-5.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet5/HttpServletHelper.java index bda450aeb..3039e4012 100644 --- a/instrumentation-security/servlet-5.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet5/HttpServletHelper.java +++ b/instrumentation-security/servlet-5.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet5/HttpServletHelper.java 
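Review bot: `setRoute(String segment, Boolean isAlreadyServlet)` now treats a `null` Boolean as a third state meaning "clear the route", which the signature does not convey and which `Agent.setRouteIfNotPresent` depends on through `request.setRoute("", null)`. Changing the parameter from `boolean` to `Boolean` also changes the method descriptor, so any caller compiled against the old signature needs rebuilding; whether such callers exist outside this repository cannot be seen here. A dedicated method, for example `public void clearRoute() { this.route = StringUtils.EMPTY; }`, would keep the two-state overload unchanged and make the intent explicit. The body of the two-argument `setRoute` continues outside the hunk.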
@@ -163,11 +163,13 @@ else if(path.endsWith(".jsp") || path.endsWith(".jspx") || path.endsWith(".JSP") public static void setRoute(HttpServletRequest request){ try { - if (!NewRelicSecurity.isHookProcessingActive() || URLMappingsHelper.getApplicationURLMappings().isEmpty() || (!NewRelicSecurity.getAgent().getSecurityMetaData().getMetaData().getFramework().isEmpty() && !NewRelicSecurity.getAgent().getSecurityMetaData().getMetaData().getFramework().equals(Framework.SERVLET.name()))){ + if (!NewRelicSecurity.isHookProcessingActive() || URLMappingsHelper.getApplicationURLMappings().isEmpty()){ return; } HttpServletMapping mapping = request.getHttpServletMapping(); - if (mapping != null) { + if (URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, request.getServletPath()))) { + NewRelicSecurity.getAgent().getSecurityMetaData().getRequest().setRoute(request.getServletPath()); + } else if (mapping != null) { NewRelicSecurity.getAgent().getSecurityMetaData().getRequest().setRoute(mapping.getPattern()); } NewRelicSecurity.getAgent().getSecurityMetaData().getMetaData().setFramework(Framework.SERVLET); diff --git a/instrumentation-security/servlet-6.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet6/HttpServletHelper.java b/instrumentation-security/servlet-6.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet6/HttpServletHelper.java index f70fab76a..b21aae95f 100644 --- a/instrumentation-security/servlet-6.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet6/HttpServletHelper.java +++ b/instrumentation-security/servlet-6.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet6/HttpServletHelper.java 
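Review bot: With the framework test removed from the guard, `setFramework(Framework.SERVLET)` at the end of `setRoute` now runs on every call, including when another framework has already recorded itself in the metadata. The check this commit adds to `HttpRequest.setRoute(String)` protects only the route; once the framework name has been overwritten with SERVLET, later servlet-level calls pass that check and can replace the other framework's route. This presumably shows up on nested dispatches, where a filter or servlet runs after a framework handler, and should be confirmed against the call order. Assigning only when nothing is recorded yet, `if (metaData.getFramework() == null || metaData.getFramework().isEmpty()) { metaData.setFramework(Framework.SERVLET); }` with `metaData` taken from `getSecurityMetaData().getMetaData()`, keeps the precedence the old guard expressed. The servlet-6.0 hunk that follows makes the same change.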
@@ -164,11 +164,13 @@ else if(path.endsWith(".jsp") || path.endsWith(".jspx") || path.endsWith(".JSP") public static void setRoute(HttpServletRequest request){ try { - if (!NewRelicSecurity.isHookProcessingActive() || URLMappingsHelper.getApplicationURLMappings().isEmpty() || (!NewRelicSecurity.getAgent().getSecurityMetaData().getMetaData().getFramework().isEmpty() && !NewRelicSecurity.getAgent().getSecurityMetaData().getMetaData().getFramework().equals(Framework.SERVLET.name()))){ + if (!NewRelicSecurity.isHookProcessingActive() || URLMappingsHelper.getApplicationURLMappings().isEmpty()){ return; } HttpServletMapping mapping = request.getHttpServletMapping(); - if (mapping != null) { + if (URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, request.getServletPath()))) { + NewRelicSecurity.getAgent().getSecurityMetaData().getRequest().setRoute(request.getServletPath()); + } else if (mapping != null) { NewRelicSecurity.getAgent().getSecurityMetaData().getRequest().setRoute(mapping.getPattern()); } NewRelicSecurity.getAgent().getSecurityMetaData().getMetaData().setFramework(Framework.SERVLET); diff --git a/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/HttpRequest.java b/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/HttpRequest.java index 73fc0b590..70f726689 100644 --- a/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/HttpRequest.java +++ b/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/schema/HttpRequest.java @@ -1,5 +1,6 @@ package com.newrelic.api.agent.security.schema; +import com.newrelic.api.agent.security.NewRelicSecurity; import com.newrelic.api.agent.security.schema.annotations.JsonIgnore; import java.nio.file.Paths; 
@@ -241,6 +242,10 @@ public String getRoute() { } public void setRoute(String route){ + if(!NewRelicSecurity.isHookProcessingActive() || + (!NewRelicSecurity.getAgent().getSecurityMetaData().getMetaData().getFramework().isEmpty() && !NewRelicSecurity.getAgent().getSecurityMetaData().getMetaData().getFramework().equals(Framework.SERVLET.name()))){ + return; + } setRoute(route, true); } From f2b3fb22c8934ef7591efae430d5cf310ad9a2f8 Mon Sep 17 00:00:00 2001 From: idawda Date: Thu, 21 Nov 2024 15:02:40 +0530 Subject: [PATCH 12/14] NR-338563: Fix for NR-282698 where route not detected for diff. mapping patterns --- .../servlet24/HttpServletHelper.java | 64 ------------------- .../servlet/FilterChain_Instrumentation.java | 4 -- .../javax/servlet/Filter_Instrumentation.java | 4 -- .../servlet/Servlet_Instrumentation.java | 35 +++++++++- .../servlet30/HttpServletHelper.java | 50 +++------------ .../servlet/Servlet_Instrumentation.java | 24 ------- 6 files changed, 42 insertions(+), 139 deletions(-) delete mode 100644 instrumentation-security/servlet-3.0/src/main/java/javax/servlet/Servlet_Instrumentation.java diff --git a/instrumentation-security/servlet-2.4/src/main/java/com/newrelic/agent/security/instrumentation/servlet24/HttpServletHelper.java b/instrumentation-security/servlet-2.4/src/main/java/com/newrelic/agent/security/instrumentation/servlet24/HttpServletHelper.java index 98da1d271..7127f2ebf 100644 --- a/instrumentation-security/servlet-2.4/src/main/java/com/newrelic/agent/security/instrumentation/servlet24/HttpServletHelper.java +++ b/instrumentation-security/servlet-2.4/src/main/java/com/newrelic/agent/security/instrumentation/servlet24/HttpServletHelper.java 
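Review bot: The new guard in `setRoute(String)` returns without storing anything when the recorded framework is non-empty and not SERVLET, which also disables the fallback in `Agent.setRouteIfNotPresent` shown earlier on this page. That method calls `request.setRoute(route)` before `setFramework(Framework.SERVLET)`, so for a request attributed to another framework the endpoint-derived route would be dropped and the framework then switched to SERVLET anyway. If `Agent.java` was not changed in between, having the fallback call `request.setRoute(route, true)` or setting the framework first avoids the silent drop. Separately, this schema class's setter now depends on global agent state, so a Javadoc line stating when the call is ignored would help callers.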
@@ -125,68 +125,4 @@ public static void releaseServletLock() { private static String getNrSecCustomAttribName() { return NR_SEC_CUSTOM_ATTRIB_NAME + Thread.currentThread().getId(); } - - public static void gatherURLMappings(ServletContext servletContext) { - try { - Map servletRegistrations = servletContext.getServletRegistrations(); - getJSPMappings(servletContext, SEPARATOR); - - for (ServletRegistration servletRegistration : servletRegistrations.values()) { - for (String s : servletRegistration.getMappings()) { - URLMappingsHelper.addApplicationURLMapping(new ApplicationURLMapping(WILDCARD, s, servletRegistration.getClassName())); - } - } - } catch (Exception e){ - NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_APP_ENDPOINTS, SERVLET_2_4, e.getMessage()), e, HttpServletHelper.class.getName()); - } - } - - public static void getJSPMappings(ServletContext servletContext, String dir) { - try { - if(dir.endsWith(SEPARATOR)){ - Collection resourcePaths = servletContext.getResourcePaths(dir); - for (String path : resourcePaths) { - String entry = StringUtils.removeStart(StringUtils.removeEnd(path, SEPARATOR), StringUtils.SEPARATOR); - if ( StringUtils.equalsAny(entry, "META-INF", "WEB-INF")) { - continue; - } - if(path.endsWith(SEPARATOR)) { - getJSPMappings(servletContext, path); - } - else if(path.endsWith(".jsp") || path.endsWith(".jspx") || path.endsWith(".JSP") || path.endsWith(".JSPX")) { - URLMappingsHelper.addApplicationURLMapping(new ApplicationURLMapping(WILDCARD, path)); - } - } - } - } catch (Exception e){ - NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_APP_ENDPOINTS, SERVLET_2_4, e.getMessage()), e, HttpServletHelper.class.getName()); - } - } - - public static void setRoute(HttpServletRequest request, HttpRequest securityRequest, ServletConfig servletConfig) { - try { - if (URLMappingsHelper.getApplicationURLMappings().isEmpty()){ - return; - } - String 
servletPath = request.getServletPath(); - if (URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, servletPath))) { - securityRequest.setRoute(servletPath); - } else if (servletConfig != null) { - ServletRegistration registration = servletConfig.getServletContext().getServletRegistration(servletConfig.getServletName()); - if (registration != null && registration.getMappings() != null && !registration.getMappings().isEmpty()) { - for (String mapping : registration.getMappings()) { - Pattern pattern = Pattern.compile(StringUtils.replace(mapping, URLMappingsHelper.WILDCARD, ".*")); - Matcher matcher = pattern.matcher(servletPath); - if (matcher.matches()) { - securityRequest.setRoute(mapping); - break; - } - } - } - } - NewRelicSecurity.getAgent().getSecurityMetaData().getMetaData().setFramework(Framework.SERVLET); - } catch (Exception e){ - NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_ROUTE_FOR_INCOMING_REQUEST, SERVLET_2_4, e.getMessage()), e, HttpServletHelper.class.getName()); - } - } } diff --git a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/FilterChain_Instrumentation.java b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/FilterChain_Instrumentation.java index d31e5350b..1f9acc318 100644 --- a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/FilterChain_Instrumentation.java +++ b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/FilterChain_Instrumentation.java 
@@ -6,7 +6,6 @@ import com.newrelic.api.agent.security.instrumentation.helpers.LowSeverityHelper; import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper; import com.newrelic.api.agent.security.schema.AgentMetaData; -import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.SecurityMetaData; import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException; @@ -27,9 +26,6 @@ public abstract class FilterChain_Instrumentation { public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException { boolean isServletLockAcquired = acquireServletLockIfPossible(); - if (NewRelicSecurity.isHookProcessingActive() && request instanceof HttpServletRequest){ - HttpServletHelper.setRoute((HttpServletRequest) request, NewRelicSecurity.getAgent().getSecurityMetaData().getRequest(), null); - } if(isServletLockAcquired) { preprocessSecurityHook(request, response); } diff --git a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Filter_Instrumentation.java b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Filter_Instrumentation.java index a12e5abd9..e4cdc168d 100644 --- a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Filter_Instrumentation.java +++ b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Filter_Instrumentation.java @@ -6,7 +6,6 @@ import com.newrelic.api.agent.security.instrumentation.helpers.LowSeverityHelper; import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper; import com.newrelic.api.agent.security.schema.AgentMetaData; -import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.SecurityMetaData; import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException; 
@@ -29,9 +28,6 @@ public abstract class Filter_Instrumentation { public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { boolean isServletLockAcquired = acquireServletLockIfPossible(); - if (NewRelicSecurity.isHookProcessingActive() && request instanceof HttpServletRequest){ - HttpServletHelper.setRoute((HttpServletRequest) request, NewRelicSecurity.getAgent().getSecurityMetaData().getRequest(), null); - } if(isServletLockAcquired) { preprocessSecurityHook(request, response); } diff --git a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Servlet_Instrumentation.java b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Servlet_Instrumentation.java index f2c14a895..1f60b11a0 100644 --- a/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Servlet_Instrumentation.java +++ b/instrumentation-security/servlet-2.4/src/main/java/javax/servlet/Servlet_Instrumentation.java @@ -12,9 +12,13 @@ import com.newrelic.api.agent.security.instrumentation.helpers.GenericHelper; import com.newrelic.api.agent.security.instrumentation.helpers.LowSeverityHelper; import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper; +import com.newrelic.api.agent.security.instrumentation.helpers.URLMappingsHelper; import com.newrelic.api.agent.security.schema.AgentMetaData; +import com.newrelic.api.agent.security.schema.ApplicationURLMapping; +import com.newrelic.api.agent.security.schema.Framework; import com.newrelic.api.agent.security.schema.HttpRequest; import com.newrelic.api.agent.security.schema.SecurityMetaData; +import com.newrelic.api.agent.security.schema.StringUtils; import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException; import com.newrelic.api.agent.security.schema.operation.RXSSOperation; import com.newrelic.api.agent.security.utils.logging.LogLevel; 
@@ -26,6 +30,8 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.util.Arrays; +import java.util.regex.Matcher; +import java.util.regex.Pattern; @Weave(type = MatchType.Interface, originalName = "javax.servlet.Servlet") public abstract class Servlet_Instrumentation { @@ -33,7 +39,7 @@ public abstract class Servlet_Instrumentation { public void service(ServletRequest_Instrumentation request, ServletResponse_Instrumentation response) { boolean isServletLockAcquired = acquireServletLockIfPossible(); if (NewRelicSecurity.isHookProcessingActive() && request instanceof HttpServletRequest){ - HttpServletHelper.setRoute((HttpServletRequest) request, NewRelicSecurity.getAgent().getSecurityMetaData().getRequest(), getServletConfig()); + setRoute((HttpServletRequest) request, NewRelicSecurity.getAgent().getSecurityMetaData().getRequest(), getServletConfig()); } if(isServletLockAcquired) { preprocessSecurityHook(request, response); 
@@ -148,4 +154,31 @@ private void releaseServletLock() { } public abstract ServletConfig getServletConfig(); + + private void setRoute(HttpServletRequest request, HttpRequest securityRequest, ServletConfig servletConfig) { + try { + if (URLMappingsHelper.getApplicationURLMappings().isEmpty()){ + return; + } + String servletPath = request.getServletPath(); + if (URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, servletPath))) { + securityRequest.setRoute(servletPath); + } else if (servletConfig != null) { + ServletRegistration registration = servletConfig.getServletContext().getServletRegistration(servletConfig.getServletName()); + if (registration != null && registration.getMappings() != null && !registration.getMappings().isEmpty()) { + for (String mapping : registration.getMappings()) { + Pattern pattern = Pattern.compile(StringUtils.replace(mapping, URLMappingsHelper.subResourceSegment, ".*")); + Matcher matcher = pattern.matcher(servletPath); + if (matcher.matches()) { + securityRequest.setRoute(mapping); + break; + } + } + } + } + NewRelicSecurity.getAgent().getSecurityMetaData().getMetaData().setFramework(Framework.SERVLET); + } catch (Exception e){ + NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_ROUTE_FOR_INCOMING_REQUEST, HttpServletHelper.SERVLET_2_4, e.getMessage()), e, this.getClass().getName()); + } + } } diff --git a/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java b/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java index dd52c6e06..0430fe926 100644 --- a/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java 
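Review bot: In the added `setRoute`, each servlet mapping goes to `Pattern.compile` after only the `subResourceSegment` replacement, so every other character of the mapping is read as regex syntax. A `.` in an extension mapping then matches any character, so a request can be attributed to the wrong route. A mapping with an unbalanced metacharacter raises `PatternSyntaxException`, which the broad `catch` turns into a WARNING log entry on every request. Quoting the literal pieces with `Pattern.quote` before joining them with `.*` keeps the match exact, as in the excerpt below; the patterns are also recompiled per request and could be cached per mapping. Separately, `getServletRegistration` is a Servlet 3.0 method called from the servlet-2.4 module, and a linkage error on an older container would not be caught by `catch (Exception e)`, so it is worth confirming the weave cannot apply there.

```java
for (String mapping : registration.getMappings()) {
    // Quote everything except the wildcard segment so '.', '+', '(' etc. match literally.
    // Assumes URLMappingsHelper.subResourceSegment is a String constant.
    String[] literals = mapping.split(Pattern.quote(URLMappingsHelper.subResourceSegment), -1);
    StringBuilder regex = new StringBuilder();
    for (int i = 0; i < literals.length; i++) {
        if (i > 0) {
            regex.append(".*");
        }
        regex.append(Pattern.quote(literals[i]));
    }
    if (Pattern.matches(regex.toString(), servletPath)) {
        // … unchanged: securityRequest.setRoute(mapping); break; …
    }
}
```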
+++ b/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java @@ -6,32 +6,24 @@ import com.newrelic.api.agent.security.instrumentation.helpers.URLMappingsHelper; import com.newrelic.api.agent.security.schema.ApplicationURLMapping; import com.newrelic.api.agent.security.schema.StringUtils; -import com.newrelic.api.agent.security.schema.Framework; -import com.newrelic.api.agent.security.schema.HttpRequest; -import com.newrelic.api.agent.security.schema.StringUtils; import com.newrelic.api.agent.security.utils.logging.LogLevel; -import javax.servlet.ServletConfig; import javax.servlet.ServletContext; import javax.servlet.ServletRegistration; -import javax.servlet.http.HttpServletRequest; import java.util.Collection; import java.util.Map; -import java.util.regex.Matcher; -import java.util.regex.Pattern; public class HttpServletHelper { - private static final String WILDCARD = "*"; - private static final String SEPARATOR = "/"; - public static final String SERVLET_3_0 = "SERVLET-3.0"; + + private static final String SERVLET_3_0 = "SERVLET-3.0"; public static void gatherURLMappings(ServletContext servletContext) { try { Map servletRegistrations = servletContext.getServletRegistrations(); - getJSPMappings(servletContext, SEPARATOR); + getJSPMappings(servletContext, URLMappingsHelper.SEPARATOR); for (ServletRegistration servletRegistration : servletRegistrations.values()) { for (String s : servletRegistration.getMappings()) { - URLMappingsHelper.addApplicationURLMapping(new ApplicationURLMapping(WILDCARD, s, servletRegistration.getClassName())); + URLMappingsHelper.addApplicationURLMapping(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, s, servletRegistration.getClassName())); } } } catch (Exception e){ 
@@ -41,18 +33,18 @@ public static void gatherURLMappings(ServletContext servletContext) { public static void getJSPMappings(ServletContext servletContext, String dir) { try { - if(dir.endsWith(SEPARATOR)){ + if(dir.endsWith(URLMappingsHelper.SEPARATOR)){ Collection resourcePaths = servletContext.getResourcePaths(dir); for (String path : resourcePaths) { - String entry = StringUtils.removeStart(StringUtils.removeEnd(path, SEPARATOR), StringUtils.SEPARATOR); + String entry = StringUtils.removeStart(StringUtils.removeEnd(path, URLMappingsHelper.SEPARATOR), StringUtils.SEPARATOR); if ( StringUtils.equalsAny(entry, "META-INF", "WEB-INF")) { continue; } - if(path.endsWith(SEPARATOR)) { + if(path.endsWith(URLMappingsHelper.SEPARATOR)) { getJSPMappings(servletContext, path); } else if(path.endsWith(".jsp") || path.endsWith(".jspx") || path.endsWith(".JSP") || path.endsWith(".JSPX")) { - URLMappingsHelper.addApplicationURLMapping(new ApplicationURLMapping(WILDCARD, path)); + URLMappingsHelper.addApplicationURLMapping(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, path)); } } } 
@@ -61,30 +53,4 @@ else if(path.endsWith(".jsp") || path.endsWith(".jspx") || path.endsWith(".JSP") } } - public static void setRoute(HttpServletRequest request, HttpRequest securityRequest, ServletConfig servletConfig) { - try { - if (URLMappingsHelper.getApplicationURLMappings().isEmpty()){ - return; - } - String servletPath = request.getServletPath(); - if (URLMappingsHelper.getApplicationURLMappings().contains(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, servletPath))) { - securityRequest.setRoute(servletPath); - } else if (servletConfig != null) { - ServletRegistration registration = servletConfig.getServletContext().getServletRegistration(servletConfig.getServletName()); - if (registration != null && registration.getMappings() != null && !registration.getMappings().isEmpty()) { - for (String mapping : registration.getMappings()) { - Pattern pattern = Pattern.compile(StringUtils.replace(mapping, URLMappingsHelper.WILDCARD, ".*")); - Matcher matcher = pattern.matcher(servletPath); - if (matcher.matches()) { - securityRequest.setRoute(mapping); - break; - } - } - } - } - NewRelicSecurity.getAgent().getSecurityMetaData().getMetaData().setFramework(Framework.SERVLET); - } catch (Exception e){ - NewRelicSecurity.getAgent().log(LogLevel.WARNING, String.format(GenericHelper.ERROR_WHILE_GETTING_ROUTE_FOR_INCOMING_REQUEST, SERVLET_3_0, e.getMessage()), e, HttpServletHelper.class.getName()); - } - } } diff --git a/instrumentation-security/servlet-3.0/src/main/java/javax/servlet/Servlet_Instrumentation.java b/instrumentation-security/servlet-3.0/src/main/java/javax/servlet/Servlet_Instrumentation.java deleted file mode 100644 index 7397d6960..000000000 --- a/instrumentation-security/servlet-3.0/src/main/java/javax/servlet/Servlet_Instrumentation.java +++ /dev/null 
@@ -1,24 +0,0 @@ -package javax.servlet; - -import com.newrelic.agent.security.instrumentation.servlet30.HttpServletHelper; -import com.newrelic.api.agent.security.NewRelicSecurity; -import com.newrelic.api.agent.security.schema.SecurityMetaData; -import com.newrelic.api.agent.weaver.MatchType; -import com.newrelic.api.agent.weaver.Weave; -import com.newrelic.api.agent.weaver.Weaver; - -import javax.servlet.http.HttpServletRequest; - -@Weave(type = MatchType.Interface, originalName = "javax.servlet.Servlet") -public abstract class Servlet_Instrumentation { - - public void service(ServletRequest req, ServletResponse res){ - if (NewRelicSecurity.isHookProcessingActive() && req instanceof HttpServletRequest){ - HttpServletHelper.setRoute((HttpServletRequest) req, NewRelicSecurity.getAgent().getSecurityMetaData().getRequest(), getServletConfig()); - } - Weaver.callOriginal(); - } - - public abstract ServletConfig getServletConfig(); - -} From b6443b76f58e12b24d67ba1a2e7df0f2c2ee59ae Mon Sep 17 00:00:00 2001 From: idawda Date: Fri, 22 Nov 2024 16:36:11 +0530 Subject: [PATCH 13/14] Fix for NR-266822 where false APIs reported for servlet using applications --- .../apache/tomcat7/HttpServletHelper.java | 5 ++++- .../instrumentation/jetty11/HttpServletHelper.java | 4 ++++ .../instrumentation/jetty9/HttpServletHelper.java | 5 ++++- .../instrumentation/servlet30/HttpServletHelper.java | 6 ++++-- .../instrumentation/servlet5/HttpServletHelper.java | 6 ++++-- .../instrumentation/servlet6/HttpServletHelper.java | 6 ++++-- .../instrumentation/helpers/URLMappingsHelper.java | 10 ++++++---- 7 files changed, 30 insertions(+), 12 deletions(-) diff --git a/instrumentation-security/apache-tomcat-7/src/main/java/com/newrelic/agent/security/instrumentation/apache/tomcat7/HttpServletHelper.java b/instrumentation-security/apache-tomcat-7/src/main/java/com/newrelic/agent/security/instrumentation/apache/tomcat7/HttpServletHelper.java index c585c7b6c..21383108e 100644 
--- a/instrumentation-security/apache-tomcat-7/src/main/java/com/newrelic/agent/security/instrumentation/apache/tomcat7/HttpServletHelper.java +++ b/instrumentation-security/apache-tomcat-7/src/main/java/com/newrelic/agent/security/instrumentation/apache/tomcat7/HttpServletHelper.java @@ -20,7 +20,10 @@ public class HttpServletHelper { public static void gatherURLMappings(ServletContext servletContext) { try { Map servletRegistrations = servletContext.getServletRegistrations(); - getJSPMappings(servletContext, SEPARATOR); + String contextPath = StringUtils.removeStart(StringUtils.removeEnd(servletContext.getContextPath(), SEPARATOR), StringUtils.SEPARATOR); + if (!StringUtils.equalsAny(contextPath, "docs", "examples")) { + getJSPMappings(servletContext, SEPARATOR); + } for (ServletRegistration servletRegistration : servletRegistrations.values()) { for (String mapping : servletRegistration.getMappings()) { diff --git a/instrumentation-security/jetty-11/src/main/java/com/newrelic/agent/security/instrumentation/jetty11/HttpServletHelper.java b/instrumentation-security/jetty-11/src/main/java/com/newrelic/agent/security/instrumentation/jetty11/HttpServletHelper.java index bd8ca5aed..288bd5e79 100644 --- a/instrumentation-security/jetty-11/src/main/java/com/newrelic/agent/security/instrumentation/jetty11/HttpServletHelper.java +++ b/instrumentation-security/jetty-11/src/main/java/com/newrelic/agent/security/instrumentation/jetty11/HttpServletHelper.java @@ -207,6 +207,10 @@ public static void postProcessSecurityHook(HttpServletRequest request, HttpServl } public static void gatherURLMappings(ServletContext servletContext) { try { + String contextPath = StringUtils.removeStart(StringUtils.removeEnd(servletContext.getContextPath(), SEPARATOR), StringUtils.SEPARATOR); + if (StringUtils.equalsAny(contextPath, "docs", "examples")) { + return; + } Map servletRegistrations = servletContext.getServletRegistrations(); getJSPMappings(servletContext, SEPARATOR); 
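Review bot: The new guard in the apache-tomcat-7 `gatherURLMappings` skips JSP discovery for any context whose path is `docs` or `examples`, so it identifies the application by deployment name alone. A real application deployed under either path would silently lose its JSP endpoints from the URL-mapping inventory, while a bundled sample app deployed under another name is still reported. The same lines recur in the jetty-9, servlet-3.0, servlet-5.0, servlet-6.0 and apache-tomcat-10 hunks, so one shared helper on `URLMappingsHelper` (suggested name only: `isBundledSampleContext(String contextPath)`) would keep the exclusion list in one place. A comment such as `// Skip the container's bundled docs/examples webapps: their JSPs are not application APIs (NR-266822)` would record the reason. `gatherURLMappings` continues past the end of the hunk.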
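Review bot: Unlike the other modules in this patch, the jetty-11 guard returns from `gatherURLMappings` before the servlet registrations are read, so a `docs` or `examples` context loses its servlet mappings as well as its JSPs. If only JSP discovery is meant to be suppressed, wrap the call as the other modules do: `if (!StringUtils.equalsAny(contextPath, "docs", "examples")) { getJSPMappings(servletContext, SEPARATOR); }`. If the full skip is intended for Jetty, a one-line comment saying so would stop it being aligned with the others by mistake. The function body continues outside the hunk.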
diff --git a/instrumentation-security/jetty-9/src/main/java/com/newrelic/agent/security/instrumentation/jetty9/HttpServletHelper.java b/instrumentation-security/jetty-9/src/main/java/com/newrelic/agent/security/instrumentation/jetty9/HttpServletHelper.java index 685b15fbf..23f72475d 100644 --- a/instrumentation-security/jetty-9/src/main/java/com/newrelic/agent/security/instrumentation/jetty9/HttpServletHelper.java +++ b/instrumentation-security/jetty-9/src/main/java/com/newrelic/agent/security/instrumentation/jetty9/HttpServletHelper.java @@ -210,7 +210,10 @@ public static void postProcessSecurityHook(HttpServletRequest request, HttpServl public static void gatherURLMappings(ServletContext servletContext) { try { Map servletRegistrations = servletContext.getServletRegistrations(); - getJSPMappings(servletContext, SEPARATOR); + String contextPath = StringUtils.removeStart(StringUtils.removeEnd(servletContext.getContextPath(), SEPARATOR), StringUtils.SEPARATOR); + if (!StringUtils.equalsAny(contextPath, "docs", "examples")) { + getJSPMappings(servletContext, SEPARATOR); + } for (ServletRegistration servletReg : servletRegistrations.values()) { for (String mapping : servletReg.getMappings()) { diff --git a/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java b/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java index 0430fe926..f7c118a7c 100644 --- a/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java +++ b/instrumentation-security/servlet-3.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet30/HttpServletHelper.java 
@@ -19,8 +19,10 @@ public class HttpServletHelper { public static void gatherURLMappings(ServletContext servletContext) { try { Map servletRegistrations = servletContext.getServletRegistrations(); - getJSPMappings(servletContext, URLMappingsHelper.SEPARATOR); - + String contextPath = StringUtils.removeStart(StringUtils.removeEnd(servletContext.getContextPath(), URLMappingsHelper.SEPARATOR), StringUtils.SEPARATOR); + if (!StringUtils.equalsAny(contextPath, "docs", "examples")) { + getJSPMappings(servletContext, URLMappingsHelper.SEPARATOR); + } for (ServletRegistration servletRegistration : servletRegistrations.values()) { for (String s : servletRegistration.getMappings()) { URLMappingsHelper.addApplicationURLMapping(new ApplicationURLMapping(URLMappingsHelper.WILDCARD, s, servletRegistration.getClassName())); diff --git a/instrumentation-security/servlet-5.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet5/HttpServletHelper.java b/instrumentation-security/servlet-5.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet5/HttpServletHelper.java index 3039e4012..85fc53606 100644 --- a/instrumentation-security/servlet-5.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet5/HttpServletHelper.java +++ b/instrumentation-security/servlet-5.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet5/HttpServletHelper.java 
@@ -127,8 +127,10 @@ private static String getNrSecCustomAttribName() { public static void gatherURLMappings(ServletContext servletContext) { try { Map servletRegistrations = servletContext.getServletRegistrations(); - getJSPMappings(servletContext, SEPARATOR); - + String contextPath = StringUtils.removeStart(StringUtils.removeEnd(servletContext.getContextPath(), SEPARATOR), StringUtils.SEPARATOR); + if (!StringUtils.equalsAny(contextPath, "docs", "examples")) { + getJSPMappings(servletContext, SEPARATOR); + } for (ServletRegistration servletRegistration : servletRegistrations.values()) { for (String s : servletRegistration.getMappings()) { URLMappingsHelper.addApplicationURLMapping(new ApplicationURLMapping(WILDCARD, s, servletRegistration.getClassName())); diff --git a/instrumentation-security/servlet-6.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet6/HttpServletHelper.java b/instrumentation-security/servlet-6.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet6/HttpServletHelper.java index b21aae95f..a6fa56a9d 100644 --- a/instrumentation-security/servlet-6.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet6/HttpServletHelper.java +++ b/instrumentation-security/servlet-6.0/src/main/java/com/newrelic/agent/security/instrumentation/servlet6/HttpServletHelper.java 
@@ -128,8 +128,10 @@ private static String getNrSecCustomAttribName() { public static void gatherURLMappings(ServletContext servletContext) { try { Map servletRegistrations = servletContext.getServletRegistrations(); - getJSPMappings(servletContext, SEPARATOR); - + String contextPath = StringUtils.removeStart(StringUtils.removeEnd(servletContext.getContextPath(), SEPARATOR), StringUtils.SEPARATOR); + if (!StringUtils.equalsAny(contextPath, "docs", "examples")) { + getJSPMappings(servletContext, SEPARATOR); + } for (ServletRegistration servletRegistration : servletRegistrations.values()) { for (String s : servletRegistration.getMappings()) { URLMappingsHelper.addApplicationURLMapping(new ApplicationURLMapping(WILDCARD, s, servletRegistration.getClassName())); diff --git a/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/instrumentation/helpers/URLMappingsHelper.java b/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/instrumentation/helpers/URLMappingsHelper.java index d38c4c8f7..b470c161b 100644 --- a/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/instrumentation/helpers/URLMappingsHelper.java +++ b/newrelic-security-api/src/main/java/com/newrelic/api/agent/security/instrumentation/helpers/URLMappingsHelper.java @@ -47,6 +47,7 @@ public class URLMappingsHelper { add("org.codehaus.groovy.grails.web.servlet.GrailsDispatcherServlet"); add("org.codehaus.groovy.grails.web.pages.GroovyPagesServlet"); add("org.codehaus.groovy.grails.web.servlet.ErrorHandlingServlet"); + add("org.jboss.resteasy.plugins.server.servlet.HttpServlet30Dispatcher"); }}; public static Set getApplicationURLMappings() { 
@@ -66,11 +67,12 @@ public static Set getRouteSegments() { } public static void addApplicationURLMapping(ApplicationURLMapping mapping) { - if (mapping.getHandler() == null || (mapping.getHandler() != null && !defaultHandlers.contains(mapping.getHandler()))) { - mappings.add(mapping); - generateRouteSegments(mapping.getPath()); + if (mapping.getHandler() != null && defaultHandlers.contains(mapping.getHandler())){ + return; } - if (mapping.getHandler() != null){ + mappings.add(mapping); + generateRouteSegments(mapping.getPath()); + if (mapping.getHandler() != null && StringUtils.isNotBlank(mapping.getHandler())){ handlers.add(mapping.getHandler().hashCode()); } NewRelicSecurity.getAgent().reportURLMapping(); From df473df5c757e37666cc2804422c196f9174c954 Mon Sep 17 00:00:00 2001 From: idawda Date: Fri, 22 Nov 2024 16:36:20 +0530 Subject: [PATCH 14/14] Fix for NR-266822 where false APIs reported for servlet using applications --- .../instrumentation/apache/tomcat10/HttpServletHelper.java | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/instrumentation-security/apache-tomcat-10/src/main/java/com/newrelic/agent/security/instrumentation/apache/tomcat10/HttpServletHelper.java b/instrumentation-security/apache-tomcat-10/src/main/java/com/newrelic/agent/security/instrumentation/apache/tomcat10/HttpServletHelper.java index f27ae5e0c..7f17bf409 100644 --- a/instrumentation-security/apache-tomcat-10/src/main/java/com/newrelic/agent/security/instrumentation/apache/tomcat10/HttpServletHelper.java +++ b/instrumentation-security/apache-tomcat-10/src/main/java/com/newrelic/agent/security/instrumentation/apache/tomcat10/HttpServletHelper.java 
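Review bot: The rewritten `addApplicationURLMapping` now returns before `handlers.add(...)` and `reportURLMapping()` when the handler is a default one, whereas the old code still recorded the handler hash and reported in that case. If anything consults `handlers` to recognise framework dispatchers, those entries are now missing, so it is worth confirming the change is intended. The remaining condition `mapping.getHandler() != null && StringUtils.isNotBlank(mapping.getHandler())` looks redundant, presuming the project's `isNotBlank` is null-safe; `if (StringUtils.isNotBlank(mapping.getHandler())) {` would then suffice. A short comment on the early return, e.g. `// default framework dispatchers are not application endpoints`, would document why these mappings are dropped.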
@@ -21,8 +21,10 @@ public class HttpServletHelper { public static void gatherURLMappings(ServletContext servletContext) { try { Map servletRegistrations = servletContext.getServletRegistrations(); - getJSPMappings(servletContext, SEPARATOR); - + String contextPath = StringUtils.removeStart(StringUtils.removeEnd(servletContext.getContextPath(), SEPARATOR), StringUtils.SEPARATOR); + if (!StringUtils.equalsAny(contextPath, "docs", "examples")) { + getJSPMappings(servletContext, SEPARATOR); + } for (ServletRegistration servletRegistration : servletRegistrations.values()) { for (String mapping : servletRegistration.getMappings()) { URLMappingsHelper.addApplicationURLMapping(new ApplicationURLMapping(WILDCARD, mapping, servletRegistration.getClassName()));