newrelic · lovesh-ap · Oct 11, 2023 · Jul 11, 2023 · Sep 21, 2023 · Oct 9, 2023
diff --git a/instrumentation-security/httpclient-5.0/build.gradle b/instrumentation-security/httpclient-5.0/build.gradle
@@ -0,0 +1,22 @@
+
+dependencies {
+    implementation(project(":newrelic-security-api"))
+    implementation("com.newrelic.agent.java:newrelic-api:${nrAPIVersion}")
+    implementation("com.newrelic.agent.java:newrelic-weaver-api:${nrAPIVersion}")
+    implementation("org.apache.httpcomponents.client5:httpclient5:5.2.1")
+}
+
+jar {
+    manifest { attributes 'Implementation-Title': 'com.newrelic.instrumentation.security.httpclient-5.0' }
+}
+
+verifyInstrumentation {
+    passesOnly ('org.apache.httpcomponents.client5:httpclient5:[5.0,)')
+    excludeRegex '.*alpha.*'
+    excludeRegex '.*beta.*'
+}
+
+site {
+    title 'Apache Httpclient'
+    type 'Messaging'
+}
diff --git a/.../com/newrelic/agent/security/instrumentation/httpclient50/HttpClient_Instrumentation.java b/.../com/newrelic/agent/security/instrumentation/httpclient50/HttpClient_Instrumentation.java
@@ -0,0 +1,218 @@
+/*
+ *
+ *  * Copyright 2023 New Relic Corporation. All rights reserved.
+ *  * SPDX-License-Identifier: Apache-2.0
+ *
+ */
+
+package com.newrelic.agent.security.instrumentation.httpclient50;
+
+import com.newrelic.api.agent.security.instrumentation.helpers.GenericHelper;
+import com.newrelic.api.agent.security.schema.AbstractOperation;
+import com.newrelic.api.agent.weaver.MatchType;
+import com.newrelic.api.agent.weaver.Weave;
+import com.newrelic.api.agent.weaver.Weaver;
+import org.apache.hc.core5.http.ClassicHttpRequest;
+import org.apache.hc.core5.http.ClassicHttpResponse;
+import org.apache.hc.core5.http.HttpHost;
+import org.apache.hc.core5.http.HttpRequest;
+import org.apache.hc.core5.http.HttpResponse;
+import org.apache.hc.core5.http.io.HttpClientResponseHandler;
+import org.apache.hc.core5.http.protocol.HttpContext;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+
+@Weave(type = MatchType.Interface, originalName = "org.apache.hc.client5.http.classic.HttpClient")
+public class HttpClient_Instrumentation {
+
+    public HttpResponse execute(ClassicHttpRequest request) throws Exception {
+        boolean isLockAcquired = acquireLockIfPossible();
+        AbstractOperation operation = null;
+        // Preprocess Phase
+        if (isLockAcquired) {
+            operation = SecurityHelper.preprocessSecurityHook(request, request.getUri().toString(), this.getClass().getName(), SecurityHelper.METHOD_NAME_EXECUTE);
+        }
+        HttpResponse returnObj = null;
+        // Actual Call
+        try {
+            returnObj = Weaver.callOriginal();
+        } finally {
+            if (isLockAcquired) {
+                releaseLock();
+            }
+        }
+        SecurityHelper.registerExitOperation(isLockAcquired, operation);
+        return returnObj;
+    }
+
+    public HttpResponse execute(ClassicHttpRequest request, HttpContext context) throws Exception {
+        boolean isLockAcquired = acquireLockIfPossible();
+        AbstractOperation operation = null;
+        // Preprocess Phase
+        if (isLockAcquired) {
+            operation = SecurityHelper.preprocessSecurityHook(request, request.getUri().toString(), this.getClass().getName(), SecurityHelper.METHOD_NAME_EXECUTE);
+        }
+        HttpResponse returnObj = null;
+        // Actual Call
+        try {
+            returnObj = Weaver.callOriginal();
+        } finally {
+            if (isLockAcquired) {
+                releaseLock();
+            }
+        }
+        SecurityHelper.registerExitOperation(isLockAcquired, operation);
+        return returnObj;
+    }
+
+    public ClassicHttpResponse execute(HttpHost target, ClassicHttpRequest request) throws Exception {
+        boolean isLockAcquired = acquireLockIfPossible();
+        AbstractOperation operation = null;
+        // Preprocess Phase
+        if (isLockAcquired) {
+            String actualURI = getUri(target, request).toString();
+            operation = SecurityHelper.preprocessSecurityHook(request, actualURI, this.getClass().getName(), SecurityHelper.METHOD_NAME_EXECUTE);
+        }
+        ClassicHttpResponse returnObj = null;
+        // Actual Call
+        try {
+            returnObj = Weaver.callOriginal();
+        } finally {
+            if (isLockAcquired) {
+                releaseLock();
+            }
+        }
+        SecurityHelper.registerExitOperation(isLockAcquired, operation);
+        return returnObj;
+    }
+
+    public HttpResponse execute(HttpHost target, ClassicHttpRequest request, HttpContext context) throws Exception {
+        boolean isLockAcquired = acquireLockIfPossible();
+        AbstractOperation operation = null;
+        // Preprocess Phase
+        if (isLockAcquired) {
+            String actualURI = getUri(target, request).toString();
+            operation = SecurityHelper.preprocessSecurityHook(request, actualURI, this.getClass().getName(), SecurityHelper.METHOD_NAME_EXECUTE);
+        }
+        HttpResponse returnObj = null;
+        // Actual Call
+        try {
+            returnObj = Weaver.callOriginal();
+        } finally {
+            if (isLockAcquired) {
+                releaseLock();
+            }
+        }
+        SecurityHelper.registerExitOperation(isLockAcquired, operation);
+        return returnObj;
+    }
+
+    public <T> T execute(ClassicHttpRequest request, HttpClientResponseHandler<? extends T> responseHandler)
+            throws Exception {
+        boolean isLockAcquired = acquireLockIfPossible();
+        AbstractOperation operation = null;
+        // Preprocess Phase
+        if (isLockAcquired) {
+            operation = SecurityHelper.preprocessSecurityHook(request, request.getUri().toString(), this.getClass().getName(), SecurityHelper.METHOD_NAME_EXECUTE);
+        }
+        T returnObj = null;
+        // Actual Call
+        try {
+            returnObj = Weaver.callOriginal();
+        } finally {
+            if (isLockAcquired) {
+                releaseLock();
+            }
+        }
+        SecurityHelper.registerExitOperation(isLockAcquired, operation);
+        return returnObj;
+    }
+
+    public <T> T execute(ClassicHttpRequest request, HttpContext context, HttpClientResponseHandler<? extends T> responseHandler)
+            throws Exception {
+        boolean isLockAcquired = acquireLockIfPossible();
+        AbstractOperation operation = null;
+        // Preprocess Phase
+        if (isLockAcquired) {
+            operation = SecurityHelper.preprocessSecurityHook(request, request.getUri().toString(), this.getClass().getName(), SecurityHelper.METHOD_NAME_EXECUTE);
+        }
+        T returnObj = null;
+        // Actual Call
+        try {
+            returnObj = Weaver.callOriginal();
+        } finally {
+            if (isLockAcquired) {
+                releaseLock();
+            }
+        }
+        SecurityHelper.registerExitOperation(isLockAcquired, operation);
+        return returnObj;
+    }
+
+    public <T> T execute(HttpHost target, ClassicHttpRequest request, HttpClientResponseHandler<? extends T> responseHandler)
+            throws Exception {
+        boolean isLockAcquired = acquireLockIfPossible();
+        AbstractOperation operation = null;
+        // Preprocess Phase
+        if (isLockAcquired) {
+            String actualURI = getUri(target, request).toString();
+            operation = SecurityHelper.preprocessSecurityHook(request, actualURI, this.getClass().getName(), SecurityHelper.METHOD_NAME_EXECUTE);
+        }
+        T returnObj = null;
+        // Actual Call
+        try {
+            returnObj = Weaver.callOriginal();
+        } finally {
+            if (isLockAcquired) {
+                releaseLock();
+            }
+        }
+        SecurityHelper.registerExitOperation(isLockAcquired, operation);
+        return returnObj;
+    }
+
+    public <T> T execute(HttpHost target, ClassicHttpRequest request, HttpContext context,
+            HttpClientResponseHandler<? extends T> responseHandler) throws Exception {
+        boolean isLockAcquired = acquireLockIfPossible();
+        AbstractOperation operation = null;
+        // Preprocess Phase
+        if (isLockAcquired) {
+            String actualURI = getUri(target, request).toString();
+            operation = SecurityHelper.preprocessSecurityHook(request, actualURI, this.getClass().getName(), SecurityHelper.METHOD_NAME_EXECUTE);
+        }
+        T returnObj = null;
+        // Actual Call
+        try {
+            returnObj = Weaver.callOriginal();
+        } finally {
+            if (isLockAcquired) {
+                releaseLock();
+            }
+        }
+        SecurityHelper.registerExitOperation(isLockAcquired, operation);
+        return returnObj;
+    }
+
+    private static URI getUri(HttpHost target, HttpRequest request) throws URISyntaxException {
+        URI requestURI = new URI(request.getRequestUri());
+        String scheme = requestURI.getScheme() == null ? target.getSchemeName() : requestURI.getScheme();
+        return new URI(scheme, null, target.getHostName(), target.getPort(), requestURI.getPath(), null, null);
+    }
+
+    private void releaseLock() {
+        try {
+            GenericHelper.releaseLock(SecurityHelper.NR_SEC_CUSTOM_ATTRIB_NAME, this.hashCode());
+        } catch (Throwable ignored) {
+        }
+    }
+
+    private boolean acquireLockIfPossible() {
+        try {
+            return GenericHelper.acquireLockIfPossible(SecurityHelper.NR_SEC_CUSTOM_ATTRIB_NAME, this.hashCode());
+        } catch (Throwable ignored) {
+        }
+        return false;
+    }
+
+}
diff --git a/...rc/main/java/com/newrelic/agent/security/instrumentation/httpclient50/SecurityHelper.java b/...rc/main/java/com/newrelic/agent/security/instrumentation/httpclient50/SecurityHelper.java
@@ -0,0 +1,72 @@
+package com.newrelic.agent.security.instrumentation.httpclient50;
+
+import com.newrelic.api.agent.security.NewRelicSecurity;
+import com.newrelic.api.agent.security.instrumentation.helpers.GenericHelper;
+import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper;
+import com.newrelic.api.agent.security.schema.AbstractOperation;
+import com.newrelic.api.agent.security.schema.SecurityMetaData;
+import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException;
+import com.newrelic.api.agent.security.schema.operation.SSRFOperation;
+import com.newrelic.api.agent.security.utils.SSRFUtils;
+import org.apache.hc.core5.http.HttpRequest;
+
+public class SecurityHelper {
+
+    public static final String METHOD_NAME_EXECUTE = "execute";
+
+    public static final String NR_SEC_CUSTOM_ATTRIB_NAME = "SSRF_OPERATION_LOCK_APACHE5-";
+
+    public static void registerExitOperation(boolean isProcessingAllowed, AbstractOperation operation) {
+        try {
+            if (operation == null || !isProcessingAllowed || !NewRelicSecurity.isHookProcessingActive() || NewRelicSecurity.getAgent().getSecurityMetaData().getRequest().isEmpty()
+            ) {
+                return;
+            }
+            NewRelicSecurity.getAgent().registerExitEvent(operation);
+        } catch (Throwable ignored) {
+        }
+    }
+
+    public static AbstractOperation preprocessSecurityHook(HttpRequest request, String uri, String className, String methodName) {
+        try {
+            SecurityMetaData securityMetaData = NewRelicSecurity.getAgent().getSecurityMetaData();
+            if (!NewRelicSecurity.isHookProcessingActive() || securityMetaData.getRequest().isEmpty()
+            ) {
+                return null;
+            }
+
+            // Add Security IAST header
+            String iastHeader = NewRelicSecurity.getAgent().getSecurityMetaData().getFuzzRequestIdentifier().getRaw();
+            if (iastHeader != null && !iastHeader.trim().isEmpty()) {
+                request.setHeader(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID, iastHeader);
+            }
+
+            String csecParentId = getParentId();
+            if(csecParentId!= null && !csecParentId.isEmpty()){
+                request.setHeader(GenericHelper.CSEC_PARENT_ID, csecParentId);
+            }
+
+            SSRFOperation operation = new SSRFOperation(uri, className, methodName);
+            try {
+                NewRelicSecurity.getAgent().registerOperation(operation);
+            } finally {
+                if (operation.getApiID() != null && !operation.getApiID().trim().isEmpty() &&
+                        operation.getExecutionId() != null && !operation.getExecutionId().trim().isEmpty()) {
+                    // Add Security distributed tracing header
+                    request.setHeader(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER, SSRFUtils.generateTracingHeaderValue(securityMetaData.getTracingHeaderValue(), operation.getApiID(), operation.getExecutionId(), NewRelicSecurity.getAgent().getAgentUUID()));
+                }
+            }
+            return operation;
+        } catch (Throwable e) {
+            if (e instanceof NewRelicSecurityException) {
+                e.printStackTrace();
+                throw e;
+            }
+        }
+        return null;
+    }
+
+    public static String getParentId(){
+        return NewRelicSecurity.getAgent().getSecurityMetaData().getCustomAttribute(GenericHelper.CSEC_PARENT_ID, String.class);
+    }
+}
diff --git a/settings.gradle b/settings.gradle
@@ -50,6 +50,7 @@ include 'instrumentation:jsp-3'
 include 'instrumentation:urlconnection'
 include 'instrumentation:httpclient-3'
 include 'instrumentation:httpclient-4.0'
+include 'instrumentation:httpclient-5.0'
 include 'instrumentation:httpclient-jdk11'
 include 'instrumentation:jdbc-generic'
 include 'instrumentation:jdbc-db2'