
SSRF sink point missing #525

@mdkk

Description


Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.

Version

1.9.1

Installation Type

Official SaaS Service

Service Name

DongTai-agent-java

Describe the details of the bug and the steps to reproduce it

Yesterday I filed the issue that the addSourceType method of SSRFSourceCheck only ever returns false.

Today, reading the code, I have a new question.
In the scan function of DynamicPropagatorScanner:

    boolean serviceCall = false;
    for (ServiceTrace serviceTrace : SERVICE_TRACES) { // HttpService()
        if (serviceTrace.match(event, sinkNode)) {
            serviceCall = true;
            serviceTrace.addTrace(event, sinkNode);
        }
    }
    boolean hit = sinkSourceHitTaintPool(event, sinkNode);
    if (serviceCall || hit) {
        ....
        EngineManager.TRACK_MAP.addTrackMethod(invokeId, event)
    }

Since the addSourceType method of SSRFSourceCheck only ever returns false, and SERVICE_TRACES only has httpService to match,
if the SSRF is not an HTTP request (e.g. FTP or another protocol), TRACK_MAP will not record the methodEvent, and the server side cannot obtain the methodEvent of the sink point.

So I tested it, and found that when location is an ftp URL, the sink point is not matched.

    import java.io.BufferedReader;
    import java.io.InputStreamReader;
    import java.net.URL;
    import java.net.URLConnection;
    import java.util.stream.Collectors;

    // Test method used to trigger the SSRF sink; location is supplied by the caller.
    protected String ssrf(String location) {
        try {
            URL url = new URL(location);
            URLConnection connection = url.openConnection();
            BufferedReader reader = new BufferedReader(new InputStreamReader(connection.getInputStream()));
            System.out.println("ssrf " + location);
            String body = reader.lines().collect(Collectors.joining());
            return location;
        } catch (Exception e) {
            // Errors are ignored on purpose; only the getInputStream sink call matters for this test.
        }
        return location;
    }

When an http link is passed in as location, sinkPolicy hits sun.net.www.protocol.http.HttpURLConnection.getInputStream;
when an ftp link is passed in, sinkPolicy fails to hit sun.net.www.protocol.ftp.FtpURLConnection.getInputStream.


Additional Information

No response

Logs

No response
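The following is an added example, not code from the DongTai project or from the issue author. It reproduces the coverage gap described above in isolation: URL.openConnection() returns a different URLConnection implementation per protocol, so a sink policy that lists only the http class misses the ftp one. The policy here is modelled as a plain set of "class.method" strings (an assumption; the agent's real policy format is not shown in the issue), and the hosts are placeholders that are never contacted, since openConnection() does no network I/O.

```java
import java.net.URL;
import java.net.URLConnection;
import java.util.Set;

public class SsrfSinkCoverage {

    // Sink signature the issue says the current policy hits (http only).
    static final Set<String> HTTP_ONLY_POLICY = Set.of(
            "sun.net.www.protocol.http.HttpURLConnection.getInputStream");

    // Same policy extended with the ftp signature named in the issue.
    static final Set<String> EXTENDED_POLICY = Set.of(
            "sun.net.www.protocol.http.HttpURLConnection.getInputStream",
            "sun.net.www.protocol.ftp.FtpURLConnection.getInputStream");

    /** Resolve which URLConnection class a location would use, without connecting. */
    static String sinkSignatureFor(String location) throws Exception {
        URL url = new URL(location);
        URLConnection connection = url.openConnection(); // no network I/O at this point
        return connection.getClass().getName() + ".getInputStream";
    }

    /** True when the sink that this location would reach is listed in the policy. */
    static boolean policyHits(Set<String> policy, String location) throws Exception {
        return policy.contains(sinkSignatureFor(location));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs; the hosts are placeholders and are never contacted.
        String[] locations = {
                "http://example.invalid/",
                "ftp://example.invalid/pub/file.txt"
        };
        for (String loc : locations) {
            System.out.printf("%-36s -> %s%n", loc, sinkSignatureFor(loc));
            System.out.printf("    http-only policy hit: %b, extended policy hit: %b%n",
                    policyHits(HTTP_ONLY_POLICY, loc), policyHits(EXTENDED_POLICY, loc));
        }
    }
}
```

Running it shows the http location resolving to HttpURLConnection and matching both policies, while the ftp location resolves to FtpURLConnection and matches only the extended policy. For detection coverage the practical check is to enumerate every URLConnection subclass the runtime can return for the protocols the application accepts and confirm each getInputStream is in the sink policy, rather than relying on the http entry alone.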

Metadata

Assignees: No one assigned
Labels: bug (Something isn't working)
Projects: No projects
Milestone: No milestone
Development: No branches or pull requests
