Merge pull request #283 from AikidoSec/dangerous-bodies-update

draft: add DangerousBodyException

Author: bitterpanda63

agent_api/src/main/java/dev/aikido/agent_api/helpers/extraction/StringExtractor.java

@@ -1,6 +1,7 @@
 package dev.aikido.agent_api.helpers.extraction;
 
 import dev.aikido.agent_api.helpers.patterns.LooksLikeJWT;
+import dev.aikido.agent_api.vulnerabilities.DangerousBodyException;
 import java.lang.reflect.Field;
 import java.lang.reflect.Modifier;
 import java.util.*;
@@ -9,31 +10,35 @@
 import static dev.aikido.agent_api.helpers.patterns.PrimitiveType.isPrimitiveType;
 
 public class StringExtractor {
+    private static final int MAX_DEPTH = 1024;
     // Ensures that we don't get recursion :
     Set<Object> scanned = new HashSet<>();
     public static Map<String, String> extractStringsFromObject(Object obj) {
-        return new StringExtractor().extractStringsRecursive(obj, new ArrayList<>());
+        return new StringExtractor().extractStringsRecursive(obj, new ArrayList<>(), 0);
     }
-    private Map<String, String> extractStringsRecursive(Object target, ArrayList<PathBuilder.PathPart> pathToPayload) {
+    private Map<String, String> extractStringsRecursive(Object target, ArrayList<PathBuilder.PathPart> pathToPayload, int depth) {
+        if (depth > MAX_DEPTH) {
+            throw DangerousBodyException.bodyTooDeep();
+        }
         HashMap<String, String> result = new HashMap<>();
         if (target == null || scanned.contains(target)) {
             return Map.of(); // Do not rescan objects, because this might lead to recursion.
         }
         scanned.add(target);
 
         if (target instanceof String targetString) {
-            result.putAll(extractStringsFromString(targetString, pathToPayload));
+            result.putAll(extractStringsFromString(targetString, pathToPayload, depth));
         } else if (target instanceof Collection<?> || target.getClass().isArray()) {
-            result.putAll(extractStringsFromArray(target, pathToPayload));
+            result.putAll(extractStringsFromArray(target, pathToPayload, depth));
         } else if (target instanceof Map<?, ?> targetMap) {
-            result.putAll(extractStringsFromMap(targetMap, pathToPayload));
+            result.putAll(extractStringsFromMap(targetMap, pathToPayload, depth));
         } else if (!isPrimitiveType(target)) { // Stop algorithm if it's a primitive type.
-            result.putAll(extractStringsFromStructure(target, pathToPayload));
+            result.putAll(extractStringsFromStructure(target, pathToPayload, depth));
         }
         return result;
     }
 
-    private Map<String, String> extractStringsFromString(String target, ArrayList<PathBuilder.PathPart> pathToPayload) {
+    private Map<String, String> extractStringsFromString(String target, ArrayList<PathBuilder.PathPart> pathToPayload, int depth) {
         HashMap<String, String> result = new HashMap<>();
         result.put(target, buildPathToPayload(pathToPayload));
 
@@ -42,7 +47,7 @@ private Map<String, String> extractStringsFromString(String target, ArrayList<Pa
         if (jwtResult.success()) {
             ArrayList<PathBuilder.PathPart> newPathToPayload = new ArrayList<>(pathToPayload);
             newPathToPayload.add(new PathBuilder.PathPart("jwt"));
-            Map<String, String> resultsFromJWT = extractStringsRecursive(jwtResult.payload(), newPathToPayload);
+            Map<String, String> resultsFromJWT = extractStringsRecursive(jwtResult.payload(), newPathToPayload, depth + 1);
             for (Map.Entry<String, String> entry : resultsFromJWT.entrySet()) {
                 String key = entry.getKey();
                 String value = entry.getValue();
@@ -57,27 +62,27 @@ private Map<String, String> extractStringsFromString(String target, ArrayList<Pa
         return result;
     }
 
-    private Map<String, String> extractStringsFromArray(Object target, ArrayList<PathBuilder.PathPart> pathToPayload) {
+    private Map<String, String> extractStringsFromArray(Object target, ArrayList<PathBuilder.PathPart> pathToPayload, int depth) {
         HashMap<String, String> result = new HashMap<>();
         if (target instanceof Collection<?> targetCollection) {
             int index = 0;
             for (Object element : (Collection<?>) targetCollection) {
                 ArrayList<PathBuilder.PathPart> newPathToPayload = new ArrayList<>(pathToPayload);
                 newPathToPayload.add(new PathBuilder.PathPart("array", index));
-                result.putAll(extractStringsRecursive(element, newPathToPayload));
+                result.putAll(extractStringsRecursive(element, newPathToPayload, depth + 1));
                 index++;
             }
         } else if (target instanceof Object[] targetArray) {
             for (int i = 0; i < targetArray.length; i++) {
                 ArrayList<PathBuilder.PathPart> newPathToPayload = new ArrayList<>(pathToPayload);
                 newPathToPayload.add(new PathBuilder.PathPart("array", i));
-                result.putAll(extractStringsRecursive(targetArray[i], newPathToPayload));
+                result.putAll(extractStringsRecursive(targetArray[i], newPathToPayload, depth + 1));
             }
         }
         return result;
     }
 
-    private Map<String, String> extractStringsFromMap(Map<?, ?> target, ArrayList<PathBuilder.PathPart> pathToPayload) {
+    private Map<String, String> extractStringsFromMap(Map<?, ?> target, ArrayList<PathBuilder.PathPart> pathToPayload, int depth) {
         HashMap<String, String> result = new HashMap<>();
         for (Object key : target.keySet()) {
             if (key instanceof String stringKey) {
@@ -89,12 +94,12 @@ private Map<String, String> extractStringsFromMap(Map<?, ?> target, ArrayList<Pa
             } else {
                 newPathToPayload.add(new PathBuilder.PathPart("object", key.toString()));
             }
-            result.putAll(extractStringsRecursive(target.get(key), newPathToPayload));
+            result.putAll(extractStringsRecursive(target.get(key), newPathToPayload, depth + 1));
         }
         return result;
     }
 
-    private Map<String, String> extractStringsFromStructure(Object target, ArrayList<PathBuilder.PathPart> pathToPayload) {
+    private Map<String, String> extractStringsFromStructure(Object target, ArrayList<PathBuilder.PathPart> pathToPayload, int depth) {
         HashMap<String, String> result = new HashMap<>();
         Field[] fields = target.getClass().getDeclaredFields();
         for (Field field : fields) {
@@ -106,7 +111,9 @@ private Map<String, String> extractStringsFromStructure(Object target, ArrayList
                 Object fieldValue = field.get(target);
                 ArrayList<PathBuilder.PathPart> newPathToPayload = new ArrayList<>(pathToPayload);
                 newPathToPayload.add(new PathBuilder.PathPart("object", field.getName()));
-                result.putAll(extractStringsRecursive(fieldValue, newPathToPayload));
+                result.putAll(extractStringsRecursive(fieldValue, newPathToPayload, depth + 1));
+            } catch (DangerousBodyException e) {
+                throw e;
             } catch (IllegalAccessException | RuntimeException e) {
                 // pass-through
             }

agent_api/src/main/java/dev/aikido/agent_api/helpers/patterns/LooksLikeJWT.java

@@ -4,12 +4,16 @@
 import com.google.gson.Gson;
 import com.google.gson.reflect.TypeToken;
 
+import dev.aikido.agent_api.vulnerabilities.DangerousBodyException;
+
 import java.util.Map;
 import java.util.Objects;
 
 public final class LooksLikeJWT {
     private LooksLikeJWT() {}
 
+    public static final int MAX_JWT_PAYLOAD_BYTES = 8 * 1024;
+
     public static Result tryDecodeAsJwt(String jwt) {
         // Check if the JWT contains the required parts
         if (jwt == null || !jwt.contains(".")) {
@@ -23,14 +27,24 @@ public static Result tryDecodeAsJwt(String jwt) {
             return new Result(false, null);
         }
 
+        byte[] decoded;
         try {
-            // Decode the middle part (payload) of the JWT
-            String payload = new String(Base64.getUrlDecoder().decode(parts[1]));
+            decoded = Base64.getUrlDecoder().decode(parts[1]);
+        } catch (IllegalArgumentException ignored) {
+            return new Result(false, null);
+        }
 
+        if (decoded.length > MAX_JWT_PAYLOAD_BYTES) {
+            throw DangerousBodyException.jwtTooLarge();
+        }
+
+        String payload = new String(decoded);
+        try {
             Gson gson = new Gson();
             Map<String, Object> jwtPayload = gson.fromJson(payload, new TypeToken<Map<String, Object>>(){}.getType());
-
             return new Result(true, jwtPayload);
+        } catch (StackOverflowError soe) {
+            throw DangerousBodyException.jwtTooLarge();
         } catch (Exception ignored) {
             return new Result(false, null);
         }

agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/DangerousBodyException.java

@@ -0,0 +1,15 @@
+package dev.aikido.agent_api.vulnerabilities;
+
+public class DangerousBodyException extends AikidoException {
+    public DangerousBodyException(String reason) {
+        super(generateDefaultMessage("Dangerous Body") + ": " + reason);
+    }
+
+    public static DangerousBodyException jwtTooLarge() {
+        return new DangerousBodyException("JWT payload too large");
+    }
+
+    public static DangerousBodyException bodyTooDeep() {
+        return new DangerousBodyException("Body is too deeply nested to scan");
+    }
+}

agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/Scanner.java

@@ -50,6 +50,8 @@ public static void scanForGivenVulnerability(Vulnerabilities.Vulnerability vulne
                     break;
                 }
             }
+        } catch (AikidoException ae) {
+            exception = Optional.of(ae);
         } catch (Throwable e) {
             logger.debug(e);
         }

agent_api/src/test/java/helpers/LooksLikeJWTTest.java

@@ -1,12 +1,15 @@
 package helpers;
 
 import dev.aikido.agent_api.helpers.patterns.LooksLikeJWT;
+import dev.aikido.agent_api.vulnerabilities.DangerousBodyException;
 import org.junit.jupiter.api.Test;
 
+import java.util.Base64;
 import java.util.HashMap;
 import java.util.Map;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 public class LooksLikeJWTTest {
 
@@ -52,4 +55,35 @@ void testReturnsDecodedJwtForValidJwtWithBearerPrefix() {
         expectedPayload.put("iat", 1.516239022E9);
         assertEquals(new LooksLikeJWT.Result(true, expectedPayload), LooksLikeJWT.tryDecodeAsJwt(validJwtWithBearer));
     }
+
+    private static String buildJwt(String payloadJson) {
+        String payloadB64 = Base64.getUrlEncoder().withoutPadding()
+                .encodeToString(payloadJson.getBytes());
+        return "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." + payloadB64 + ".sig";
+    }
+
+    @Test
+    void testThrowsDangerousBodyExceptionForOversizedPayload() {
+        StringBuilder sb = new StringBuilder("{\"k\":\"");
+        for (int i = 0; i < LooksLikeJWT.MAX_JWT_PAYLOAD_BYTES + 10; i++) {
+            sb.append('a');
+        }
+        sb.append("\"}");
+        String jwt = buildJwt(sb.toString());
+        assertThrows(DangerousBodyException.class, () -> LooksLikeJWT.tryDecodeAsJwt(jwt));
+    }
+
+    @Test
+    void testThrowsDangerousBodyExceptionForDeeplyNestedPayload() {
+        int depth = 7000;
+        StringBuilder open = new StringBuilder();
+        StringBuilder close = new StringBuilder();
+        for (int i = 0; i < depth; i++) {
+            open.append("{\"a\":");
+            close.append("}");
+        }
+        String payload = open.toString() + "1" + close.toString();
+        String jwt = buildJwt(payload);
+        assertThrows(DangerousBodyException.class, () -> LooksLikeJWT.tryDecodeAsJwt(jwt));
+    }
 }

agent_api/src/test/java/helpers/StringExtractorTest.java

@@ -4,6 +4,7 @@
 import dev.aikido.agent_api.api_discovery.DataSchemaGenerator;
 import dev.aikido.agent_api.api_discovery.DataSchemaItem;
 import dev.aikido.agent_api.api_discovery.DataSchemaType;
+import dev.aikido.agent_api.vulnerabilities.DangerousBodyException;
 import org.junit.jupiter.api.Test;
 
 import static dev.aikido.agent_api.helpers.extraction.StringExtractor.extractStringsFromObject;
@@ -407,6 +408,42 @@ public void testItChecksScannedClasses() {
         assertEquals(".important_record.a", result.get("Hello World"));
     }
 
+    @Test
+    public void testThrowsDangerousBodyExceptionForTooDeepNesting() {
+        Map<String, Object> root = new HashMap<>();
+        Map<String, Object> current = root;
+        for (int i = 0; i < 1100; i++) {
+            Map<String, Object> next = new HashMap<>();
+            current.put("a", next);
+            current = next;
+        }
+        current.put("leaf", "x");
+        assertThrows(DangerousBodyException.class, () -> extractStringsFromObject(root));
+    }
+
+    @Test
+    public void testDoesNotThrowForModestNesting() {
+        Map<String, Object> root = new HashMap<>();
+        Map<String, Object> current = root;
+        for (int i = 0; i < 500; i++) {
+            Map<String, Object> next = new HashMap<>();
+            current.put("a", next);
+            current = next;
+        }
+        current.put("leaf", "x");
+        Map<String, String> result = extractStringsFromObject(root);
+        assertEquals("x", findKeyEndingWithLeafValue(result));
+    }
+
+    private static String findKeyEndingWithLeafValue(Map<String, String> result) {
+        for (Map.Entry<String, String> e : result.entrySet()) {
+            if ("x".equals(e.getKey())) {
+                return e.getKey();
+            }
+        }
+        return null;
+    }
+
     @Test
     public void testItChecksScannedObjects() {
         Map<String, Object> input = new HashMap<>();