gmu-swe / phosphor

Phosphor: Dynamic Taint Tracking for the JVM
MIT License

Error occurred when running with springboot #214

Closed RacerZ-fighting closed 2 months ago

RacerZ-fighting commented 2 months ago

I attempted to conduct a taint analysis test on a Spring Boot web demo (version 2.3.1). However, I encountered difficulty when trying to instrument the JAR with Phosphor.

java -Xmx8g -jar /path/to/Phosphor.jar -forceUnboxAcmpEq -withEnumsByValue demo.jar inst/inst-demo.jar

Some exceptions were thrown as below:

[image: screenshot of the exceptions thrown during instrumentation]

And when I ran the instrumented demo jar with the Phosphor agent:

/inst-jre/bin/java -Xbootclasspath/a:./Phosphor-0.0.5-SNAPSHOT.jar -javaagent:./Phosphor-0.0.5-SNAPSHOT.jar=taintSources=./config/taint-sources,taintSinks=.config/taint-sinks -jar ./inst-example/springdemo.jar

The error was like this (openjdk 8u192 instrumented):

[image: screenshot of the error output on openjdk 8u192]

Or like this (openjdk 8u311 instrumented):

[image: screenshot of the error output on openjdk 8u311]

I wonder if there's any solution to fix it? Thanks.

jon-bell commented 2 months ago

I can take some time to look at this and attempt to reproduce and debug it - it should be fixable on Java 8u192, at least. Could you please share:

  1. The demo.jar file
  2. The exact version of Phosphor that you are using (Git SHA)?

Thanks!

RacerZ-fighting commented 2 months ago

> I can take some time to look at this and attempt to reproduce and debug it - it should be fixable on Java 8u192, at least. Could you please share:
>
>   1. The demo.jar file
>   2. The exact version of Phosphor that you are using (Git SHA)?
>
> Thanks!

Alright, the specific version of Phosphor I tested is branch phosphor-0.0.5-dev (i.e. SHA: abced3f3059b82482c26216b66e7b84175fb6416). demo.jar is attached below. Thanks!

Attachment: AuthDemo.zip

jon-bell commented 2 months ago

I had the same error when running on Phosphor 0.0.5. However, when I tried to run this using the most recent revision of the master branch, it succeeded. I used OpenJDK 1.8.0_102, and did not pre-instrument the Spring Boot app.

To get an instrumented Java 8 JDK on the master branch, the approach that I use is:

Then, I ran the non-instrumented app with:

../integration-tests/target/phosphor/data/java/bin/java -Xbootclasspath/a:../Phosphor/target/Phosphor-0.1.0-SNAPSHOT.jar -javaagent:../Phosphor/target/Phosphor-0.1.0-SNAPSHOT.jar=enum,acmpeq -jar springdemo/target/springdemo-1.0-SNAPSHOT.jar

I did not know what sources or sinks you were using, so was unable to test it with them. However, the servlet ran, and when I requested /api/index I got a (perhaps expected because there were no sources set) message: "Expected non-null taint "

RacerZ-fighting commented 2 months ago

Thank you for helping to reproduce the issue. I will try again later. In my configuration, the 'sources' specified are APIs within Spring Boot, e.g. HTTPServletRequest.getRequestURI. If we do not pre-instrument the app, will it still detect calls to 'sources' during runtime?

jon-bell commented 2 months ago

> If we do not pre-instrument the app, will it still detect calls to 'sources' during runtime?

The JavaAgent adds all of the instrumentation at runtime (including for detecting calls to sources). The "pre-instrumentation" is necessary for the JDK itself (because otherwise there are circular dependencies). For applications that have complex nested archives in archives (as with Spring boot apps, which can be a jar with a zip inside of it with a jar inside of that zip, and similar kinds of structures) it is easier to let the JVM load the classes itself, and then we instrument them.

Adding the source javax/servlet/http/HttpServletRequest.getRequestURI()Ljava/lang/String; resulted in the following output when running your example:

AutoTaintLabel [source=javax/servlet/http/HttpServletRequest.getRequestURI()Ljava/lang/String;, trace=[
    java.base/edu.columbia.cs.psl.phosphor.runtime.TaintSourceWrapper.autoTaint(TaintSourceWrapper.java:102),
    org.apache.catalina.connector.RequestFacade.getRequestURI(RequestFacade.java:868),
    org.example.UserController.index(UserController.java:20),
    java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method),
    java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java),
    java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:78),
    java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43),
    java.base/java.lang.reflect.Method.invoke(Method.java:567),
    org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190),
    org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138),
    org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:105),
    org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:879),
    org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:793),
    org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87),
    org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040),
    org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943),
    org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006),
    org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898),
    javax.servlet.http.HttpServlet.service(HttpServlet.java:634),
    org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883),
    javax.servlet.http.HttpServlet.service(HttpServlet.java:741),
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231),
    org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166),
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53),
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193),
    org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166),
    org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100),
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119),
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193),
    org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166),
    org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93),
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119),
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193),
    org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166),
    org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201),
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119),
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193),
    org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166),
    org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202),
    org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96),
    org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541),
    org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139),
    org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92),
    org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74),
    org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343),
    org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373),
    org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65),
    org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868),
    org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590),
    org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49),
    java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130),
    java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630),
    org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61),
    java.base/java.lang.Thread.run(Thread.java:831),
    java.base/java.lang.Thread.run(Thread.java)]]
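
The source entry above is written in the JVM's internal method-descriptor form (owner/Class.method(argument descriptors)return descriptor), which is what the agent matches against at instrumentation time, so a dotted Java name or an omitted return type in a taint-sources or taint-sinks file will silently match nothing. The following Python helper is an added example for this thread, not code from Phosphor or from either participant; it derives descriptors in that form from readable Java-style signatures and checks existing entries. It assumes the taint-sources/taint-sinks files hold one descriptor per line, and the sample sources and sink it lists are constructed for illustration.

```python
"""Build and check Phosphor-style taint source/sink descriptors.

Added example; not Phosphor project code. Phosphor names a source or sink by
the JVM internal form "owner/Class.method(args)ret", e.g.

    javax/servlet/http/HttpServletRequest.getRequestURI()Ljava/lang/String;

Assumption: the taint-sources / taint-sinks files passed to the agent hold
one such descriptor per line.
"""
import re

PRIMITIVES = {
    "boolean": "Z", "byte": "B", "char": "C", "short": "S",
    "int": "I", "long": "J", "float": "F", "double": "D", "void": "V",
}

# java.lang types commonly written unqualified in Java source.
JAVA_LANG = {"String", "Object", "CharSequence", "StringBuilder", "Integer",
             "Long", "Boolean", "Throwable", "Class"}

# Shape of a finished descriptor: owner/Class.name(arg descriptors)return
DESCRIPTOR_RE = re.compile(
    r"^[\w$/]+\.[\w$]+\("
    r"(?:\[*(?:[ZBCSIJFD]|L[\w$/]+;))*"
    r"\)\[*(?:[ZBCSIJFDV]|L[\w$/]+;)$"
)

# Readable input form: "<return type> <owner class>#<method>(<param types>)"
SIG_RE = re.compile(r"^\s*(\S+)\s+([\w.$]+)#([\w$]+)\s*\((.*)\)\s*$")


def strip_generics(text: str) -> str:
    """Erase <...> type arguments; JVM descriptors carry the erasure only."""
    while "<" in text:
        text, n = re.subn(r"<[^<>]*>", "", text)
        if n == 0:  # unbalanced '<'; give up rather than loop forever
            break
    return text


def type_descriptor(java_type: str) -> str:
    """'int' -> 'I', 'String[]' -> '[Ljava/lang/String;', 'java.util.Map' -> 'Ljava/util/Map;'."""
    java_type = strip_generics(java_type).strip()
    dims = 0
    while java_type.endswith("[]"):
        java_type = java_type[:-2].rstrip()
        dims += 1
    if java_type in PRIMITIVES:
        base = PRIMITIVES[java_type]
    else:
        if "." not in java_type:
            if java_type not in JAVA_LANG:
                raise ValueError(f"unqualified type not in java.lang shortlist: {java_type}")
            java_type = "java.lang." + java_type
        base = "L" + java_type.replace(".", "/") + ";"
    return "[" * dims + base


def method_descriptor(signature: str) -> str:
    """'String javax.servlet.http.HttpServletRequest#getRequestURI()' ->
    'javax/servlet/http/HttpServletRequest.getRequestURI()Ljava/lang/String;'"""
    m = SIG_RE.match(strip_generics(signature))
    if not m:
        raise ValueError(f"cannot parse signature: {signature!r}")
    ret, owner, name, params = m.groups()
    args = "".join(type_descriptor(p) for p in params.split(",") if p.strip())
    return f"{owner.replace('.', '/')}.{name}({args}){type_descriptor(ret)}"


def is_descriptor(entry: str) -> bool:
    """True if a config line is already in the JVM form; rejects the common
    mistake of dotted names (java.lang.String) or a missing return type."""
    return DESCRIPTOR_RE.match(entry.strip()) is not None


def render_taint_file(signatures) -> str:
    """File body for the agent (assumed format: one descriptor per line)."""
    return "\n".join(method_descriptor(s) for s in signatures) + "\n"


if __name__ == "__main__":
    # Constructed sample: servlet request data as sources, Runtime.exec as sink.
    sources = [
        "String javax.servlet.http.HttpServletRequest#getRequestURI()",
        "String javax.servlet.ServletRequest#getParameter(String)",
        "String[] javax.servlet.ServletRequest#getParameterValues(String)",
    ]
    sinks = ["java.lang.Process java.lang.Runtime#exec(String[])"]
    print("taint-sources:\n" + render_taint_file(sources))
    print("taint-sinks:\n" + render_taint_file(sinks))
```

Run it to generate the two files, then pass them to the agent as taintSources=... and taintSinks=... as in the command lines earlier in this thread; is_descriptor can be run over an existing file to flag entries that would never match.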

RacerZ-fighting commented 2 months ago

OK, I get it. Thanks!