CN112965749B - Request path acquisition method, apparatus, computer device and storage medium - Google Patents


Info

Publication number
CN112965749B
Authority
CN
China
Prior art keywords
request
annotation
file
identified
name
Legal status
Active
Application number
CN202110142093.1A
Other languages
Chinese (zh)
Other versions
CN112965749A (en)
Inventor
金成强
范渊
吴卓群
王欣
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Application filed by DBAPPSecurity Co Ltd
Priority to CN202110142093.1A
Publication of CN112965749A
Application granted
Publication of CN112965749B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/70 Software maintenance or management
    • G06F8/75 Structural analysis for program understanding
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/70 Software maintenance or management
    • G06F8/74 Reverse engineering; Extracting design information from source code
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Stored Programmes (AREA)

Abstract

The application relates to a request path acquisition method, a device, a computer device and a storage medium, wherein the request path acquisition method comprises the following steps: obtaining a target annotation name, wherein the target annotation name at least comprises a controller class annotation name, and the controller class annotation name is the identification of a request interface class file; acquiring an original file and reading an annotation name to be identified in the original file; comparing the annotation name to be identified in the original file with the target annotation name, and marking the original file as a target file if at least one same annotation name exists in the annotation name to be identified and the target annotation name; and reading annotation content in the target file, and acquiring a request path according to the annotation content. By the method and the device, the problem of low accuracy in acquiring the request path is solved, and the technical effect of accurately acquiring the request path is achieved.

Description

Request path acquisition method, apparatus, computer device and storage medium
Technical Field
The present invention relates to the field of Java code auditing, and in particular to a request path acquisition method, a device, a computer device, and a storage medium.
Background
Web applications are an important form of internet application and are the preferred portal applications of key social information systems such as finance, telecom operators, government departments and education departments. With the disclosure of security incidents and highly damaging vulnerabilities, people are paying more attention to the security of web applications, and the demand for vulnerability detection in web applications keeps growing. Java Web development has a history of roughly 20 years, starting in 1999; frameworks built around business logic or databases such as Spring, Struts, Hibernate and iBatis have been proposed, and many of them include features that protect Java Web applications from application-layer vulnerabilities. However, because of weak security awareness among developers, high developer turnover and defects in the Java Web frameworks themselves, vulnerabilities such as SQL injection, command injection, file upload or business-logic flaws are still frequently produced by tainted parameters. There are many static scanning tools for Java Web, such as the commercial tool Fortify or the open source tool FindBugs, but none of them achieves a high degree of inspection coverage. Because an auditing tool generally relies on an automatic crawler and manual clicking, it can only scan the request addresses already present on the interaction pages, and request addresses hidden in the Java package of the underlying structure are difficult to obtain.
In the related art, the source code of a Java file is read with a FileReader, a specified character segment in the Java file is obtained by regular-expression matching, and the request path is obtained from it. However, because the character segment is specified by the auditor, its accuracy depends on the auditor's skill level, so the accuracy of acquiring request paths by regular matching is low and the request paths contain false positives.
At present, no effective solution has been proposed for the technical problem that request paths acquired in the related art have low accuracy.
Disclosure of Invention
The embodiment of the application provides a request path acquisition method, a request path acquisition device, computer equipment and a storage medium, which are used for at least solving the technical problem of low accuracy of a request path acquired in the related technology.
In a first aspect, an embodiment of the present application provides a request path acquisition method, including:
obtaining a target annotation name, wherein the target annotation name at least comprises a controller class annotation name, and the controller class annotation name is the identification of a request interface class file;
acquiring an original file and reading an annotation name to be identified in the original file;
comparing the annotation name to be identified in the original file with the target annotation name, and marking the original file as a target file if at least one same annotation name exists in the annotation name to be identified and the target annotation name;
and reading annotation content in the target file, and acquiring a request path according to the annotation content.
In one embodiment, obtaining the original file includes: acquiring a preset directory structure, where the preset directory structure comprises the file directory structure of the Spring Boot framework; acquiring an initial file and reading the directory structure to be identified in the initial file; and comparing the directory structure to be identified with the preset directory structure, and taking the initial file as the original file if the two are consistent.
In one embodiment, the reading the name of the annotation to be identified in the original file includes: based on a parent delegation mechanism, loading the resource library data in the original file into a virtual machine through a class loader, so that the virtual machine reads a source code file in the original file according to the resource library data and a reflection mechanism to obtain the annotation name to be identified; and receiving the annotation name to be identified, which is sent by the virtual machine.
In one embodiment, the acquiring the request path according to the annotation content includes: acquiring a request mode and request parameters, wherein the request parameters comprise assignment parameters and non-assignment parameters, and the assignment parameters comprise basic type parameters and determined object parameters; and if the request parameters are non-assignment parameters, generating request information according to the request path and the request mode and sending the request information.
In one embodiment, the acquiring the request mode and the request parameters further includes: if the request parameter is an assigned parameter, judging whether the request parameter is a basic type parameter or not; if the request parameters are basic type parameters, assigning values to the request parameters according to the annotation content; and generating and sending request information based on the request path, the request mode and the assigned request parameters.
In one embodiment, the acquiring the request mode and the request parameters further includes: if the request parameter is an assignment parameter, judging whether the request parameter is a determination object parameter, and if the request parameter is a determination object parameter, analyzing the determination object parameter into a basic type parameter; assigning a value to the basic type parameter according to the annotation content; and generating request information and sending the request information based on the request path, the request mode and the assigned basic type parameter.
In one embodiment, the controller class annotation names include at least @Controller and @RestController.
In a second aspect, an embodiment of the present application provides a request path obtaining apparatus, including:
a target acquisition module, configured to obtain a target annotation name, where the target annotation name at least comprises a controller class annotation name, and the controller class annotation name is the identifier of a request interface class file;
an annotation acquisition module, configured to obtain an original file and read the annotation name to be identified in the original file;
an identification module, configured to compare the annotation name to be identified in the original file with the target annotation name, and to mark the original file as a target file if at least one annotation name is shared by the annotation name to be identified and the target annotation name;
and a path acquisition module, configured to read the annotation content in the target file and acquire a request path according to the annotation content.
In a third aspect, an embodiment of the present application provides a computer device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the request path acquisition method according to the first aspect described above when executing the computer program.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a request path acquisition method as described in the first aspect above.
Compared with the related art, the method, the device, the computer equipment and the storage medium for acquiring the request path are provided, and the target annotation name at least comprises a controller class annotation name which is the identification of the request interface class file; acquiring an original file and reading an annotation name to be identified in the original file; comparing the annotation name to be identified in the original file with the target annotation name, and marking the original file as a target file if at least one same annotation name exists in the annotation name to be identified and the target annotation name; and reading annotation content in the target file, and acquiring a request path according to the annotation content. Whether the file is the request interface type file is judged based on the annotation information in the original file, and the request path is acquired based on the annotation information in the interface type file, so that the problem of low accuracy in acquiring the request path is solved, and the technical effect of accurately acquiring the request path is realized.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the other features, objects, and advantages of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
FIG. 1 is a flow chart of a request path acquisition method according to an embodiment of the present application;
FIG. 2 is a flow chart of a request path acquisition method according to another embodiment of the present application;
FIG. 3 is a block diagram of a request path acquisition device according to an embodiment of the present application;
fig. 4 is a schematic diagram of a hardware structure of a computer device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described and illustrated below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden on the person of ordinary skill in the art based on the embodiments provided herein, are intended to be within the scope of the present application.
It is apparent that the drawings in the following description are only some examples or embodiments of the present application, and those of ordinary skill in the art can apply the present application to other similar situations according to these drawings without inventive effort. Moreover, it should be appreciated that while such a development effort might be complex and lengthy, it would nevertheless be a routine undertaking of design, fabrication, or manufacture for those of ordinary skill having the benefit of this disclosure.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is to be expressly and implicitly understood by those of ordinary skill in the art that the embodiments described herein can be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms used herein should be given the ordinary meaning as understood by one of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar terms herein do not denote a limitation of quantity, but rather denote the singular or plural. The terms "comprising," "including," "having," and any variations thereof, are intended to cover a non-exclusive inclusion; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to only those steps or elements but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. The terms "connected," "coupled," and the like in this application are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as used herein refers to two or more. "and/or" describes an association relationship of an association object, meaning that there may be three relationships, e.g., "a and/or B" may mean: a exists alone, A and B exist together, and B exists alone. The character "/" generally indicates that the context-dependent object is an "or" relationship. The terms "first," "second," "third," and the like, as used herein, are merely distinguishing between similar objects and not representing a particular ordering of objects.
Because of weak security awareness among developers, high developer turnover and defects in the Java Web frameworks themselves, various Web security vulnerabilities are often produced by tainted parameters, so Web application security is a serious concern. As the component technologies and supporting means of Web applications keep changing, the security problems that Web applications expose on the internet are also multiplying. By exploiting a vulnerability in a Web application or server that is exposed on the public network or reachable in an unauthorized intranet environment, an attacker can obtain the privileges of the Web application's back-end administrator or of the server system hosting it: on the one hand, sensitive files and sensitive data on the Web application or server can be read directly; on the other hand, the server can be used as a springboard to penetrate the intranet segment it belongs to, attack other servers or devices in that segment, collect large amounts of sensitive intranet information and take over those servers. When white-box auditing is performed on Web application source code, the auditing tools cannot achieve a high code coverage rate, because many interface addresses are not necessarily displayed on a page or opened directly to users; the tools generally use an automatic crawler and manual clicking to scan the links present on the interactive interface, whereas an audit needs to traverse all request addresses, including the many hidden interface addresses and those that users cannot interact with.
In addition, when an analysis tool is used for auditing, the generated analysis result may contain false positives or misses. In another solution, security personnel manually collect all request addresses during the source code audit, which requires great labor and time cost and greatly reduces audit efficiency. Therefore, there is a need to acquire request paths accurately in order to solve the problem of insufficient code coverage in white-box auditing.
The embodiment also provides a request path acquisition method. Fig. 1 is a flowchart of a request path acquisition method according to an embodiment of the present application, and as shown in the figure, the flowchart includes the following steps:
step S101, a target annotation name is obtained, wherein the target annotation name at least comprises a controller class annotation name, and the controller class annotation name is the identification of a request interface class file.
Specifically, the target annotation names are controller class annotation names, including but not limited to @Controller and @RestController. A file carrying a controller class annotation name belongs to the request interface class; based on the characteristics of the Spring Boot framework, a file with such an annotation has a request interface address and can be analyzed by the program, whereas files without such annotations have no request interface address and cannot be parsed. Annotations, also called metadata, are code-level descriptions that sit at the same level as classes, interfaces and enumerations. Annotations may be placed in front of packages, classes, fields, methods, local variables, method parameters and so on, to describe and annotate these elements. The roles of annotations include: writing documentation, i.e. generating documents from the metadata identified in the code; code analysis, i.e. analyzing the code through the metadata identified in the code; and compilation checks, i.e. enabling the compiler to perform basic checks by means of the metadata identified in the code.
In one embodiment, obtaining the original file includes: acquiring a preset directory structure, where the preset directory structure comprises the file directory structure of the Spring Boot framework; acquiring an initial file and reading the directory structure to be identified in the initial file; and comparing the directory structure to be identified with the preset directory structure, and taking the initial file as the original file if the two are consistent. Specifically, a file in the specified jar format, i.e. a Java file package, is read according to its file format. This Java package is the initial file. The Java package is read to identify whether its file structure conforms to the packaging structure of the Spring Boot framework; if it does, the Java package is taken as the original file. The packaging file structure is the preset directory. In one embodiment, the preset directory is:
|--BOOT-INF
|  |--classes
|  |--lib
|--META-INF
step S102, an original file is obtained, and the name of the annotation to be identified in the original file is read.
In one embodiment, reading the name of the annotation to be identified in the original file includes: based on the parent delegation mechanism, loading the resource library data in the original file into a virtual machine through a class loader, so that the virtual machine reads the source code files in the original file according to the resource library data and the reflection mechanism to obtain the annotation names to be identified; and receiving the annotation names to be identified sent by the virtual machine. Specifically, the parent delegation mechanism is an underlying mechanism of the Java language: when a class loader receives a class loading request, it first delegates the request to its parent class loader, and this holds for every class loader. The child loader attempts to load the class itself only if the parent loader cannot find the specified class within its search scope. The Java reflection mechanism is a feature of Java itself: while the program is running, an object of any class can be constructed, the class to which any object belongs can be determined, the member variables and methods of any class can be enumerated, and the attributes and methods of any object can be called. This ability to dynamically obtain program information and dynamically call objects is called the reflection mechanism of the Java language, and reflection is considered the key to dynamic languages. Reflection can be performed through a function such as getAnnotation. When the annotation names in the Java package are read, all jars under the lib directory of the Java package are read and loaded into the JVM (the Java virtual machine) through a class loader. A jar here refers to a Java resource library referenced by the Java package.
When a Java program runs, both the main program code and the externally referenced Java resource libraries must be obtained; the main program code is the source code, and the externally referenced Java resource libraries are stored under the lib directory in the form of jar packages when the Java software is released. The virtual machine reads all source code files through the reflection mechanism and obtains the annotation names in those source code files.
Step S103, comparing the annotation name to be identified in the original file with the target annotation name, and marking the original file as the target file if at least one same annotation name exists in the annotation name to be identified and the target annotation name.
In one embodiment, it is identified whether the source code file includes at least one controller class annotation, and if so, the source code file is marked as a target file. Preferably, all source code files are read through the reflection mechanism, and every file carrying a controller class annotation name is marked as a target file.
And step S104, reading annotation content in the target file, and acquiring a request path according to the annotation content.
Specifically, annotation contents such as @RequestMapping, @GetMapping and @PostMapping in the target file are read, and a URL path is obtained from that annotation content. The URL is the request path, but the URL path does not include the request parameters. A URL is a uniform resource locator, the standard address of a resource on the internet; each file on the internet has a unique URL that indicates where the file is located and how the browser should handle it. A basic URL contains: protocol, IP address, path, and filename.
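An added example of steps S101 to S104 (not code from the patent): it assumes the Spring Boot jar has already been unzipped into a hypothetical directory, that spring-context and spring-web are on the scanner's classpath, and it loads BOOT-INF/classes plus every jar in BOOT-INF/lib through a URLClassLoader, then reports the request paths of every class carrying @Controller or @RestController.

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;

import java.io.File;
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.*;
import java.util.*;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/** Lists the request paths of an unpacked Spring Boot jar by loading its classes and reading their annotations. */
public class RoutePathScanner {

    /** Step S101: the target annotation names; a class carrying one of them is a request-interface class file. */
    static final List<Class<? extends Annotation>> CONTROLLER_ANNOTATIONS =
            List.of(Controller.class, RestController.class);

    public static void main(String[] args) throws Exception {
        // Assumption: the jar has already been unzipped into this directory (hypothetical path).
        Path root = Paths.get(args.length > 0 ? args[0] : "unpacked-app");
        Path classes = root.resolve("BOOT-INF/classes");
        Path lib = root.resolve("BOOT-INF/lib");
        // Directory-structure check: only a Spring Boot package layout is scanned.
        if (!Files.isDirectory(classes) || !Files.isDirectory(lib) || !Files.isDirectory(root.resolve("META-INF"))) {
            System.err.println("not a Spring Boot package layout: " + root);
            return;
        }
        // Step S102: load classes/ plus every jar under lib/. URLClassLoader asks its parent first (parent
        // delegation), so the scanner's own Spring annotation classes win over the copy in lib/ and the
        // annotation identity checked below matches.
        List<URL> urls = new ArrayList<>();
        urls.add(classes.toUri().toURL());
        try (Stream<Path> jars = Files.list(lib)) {
            for (Path jar : jars.filter(p -> p.toString().endsWith(".jar")).collect(Collectors.toList())) {
                urls.add(jar.toUri().toURL());
            }
        }
        try (URLClassLoader loader = new URLClassLoader(urls.toArray(new URL[0]), RoutePathScanner.class.getClassLoader());
             Stream<Path> files = Files.walk(classes)) {
            for (Path cf : files.filter(p -> p.toString().endsWith(".class")).collect(Collectors.toList())) {
                String name = classes.relativize(cf).toString().replace(File.separatorChar, '.').replaceAll("\\.class$", "");
                Class<?> cls;
                try {
                    cls = Class.forName(name, false, loader);   // initialize=false: no static initialisers of the audited app run
                } catch (Throwable t) {                         // e.g. an optional dependency is absent: skip the class
                    continue;
                }
                if (!isController(cls)) continue;               // Step S103: not a target file
                for (String route : routesOf(cls)) System.out.println(route);   // Step S104
            }
        }
    }

    /** Step S103: true if at least one target annotation name is present on the class. */
    static boolean isController(Class<?> cls) {
        for (Class<? extends Annotation> a : CONTROLLER_ANNOTATIONS) {
            if (cls.isAnnotationPresent(a)) return true;
        }
        return false;
    }

    /** Step S104: reads the mapping annotation content, joining the class-level prefix with each handler's path. */
    static List<String> routesOf(Class<?> cls) {
        String[] prefixes = {""};
        RequestMapping classMapping = cls.getAnnotation(RequestMapping.class);
        if (classMapping != null && classMapping.value().length > 0) prefixes = classMapping.value();
        List<String> routes = new ArrayList<>();
        for (Method m : cls.getDeclaredMethods()) {
            String verb;
            String[] paths;
            if (m.isAnnotationPresent(GetMapping.class)) {
                verb = "GET";
                paths = m.getAnnotation(GetMapping.class).value();
            } else if (m.isAnnotationPresent(PostMapping.class)) {
                verb = "POST";
                paths = m.getAnnotation(PostMapping.class).value();
            } else if (m.isAnnotationPresent(RequestMapping.class)) {
                RequestMapping rm = m.getAnnotation(RequestMapping.class);
                verb = rm.method().length > 0 ? rm.method()[0].name() : "ANY";
                paths = rm.value();
            } else {
                continue;                                       // not a request handler
            }
            if (paths.length == 0) paths = new String[] {""};
            for (String prefix : prefixes) {
                for (String p : paths) routes.add(verb + " " + join(prefix, p));
            }
        }
        return routes;
    }

    /** Joins two path segments, collapsing duplicate slashes; an empty prefix and path become "/". */
    static String join(String prefix, String p) {
        String full = (prefix + "/" + p).replaceAll("/+", "/");
        return full.length() > 1 && full.endsWith("/") ? full.substring(0, full.length() - 1) : full;
    }
}
```

Because isAnnotationPresent does not follow meta-annotations, @RestController is checked explicitly rather than relying on the @Controller it is composed of, which is why the patent lists both names.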
The acquiring the request path according to the annotation content comprises the following steps: acquiring a request mode and request parameters, wherein the request parameters comprise assignment parameters and non-assignment parameters, and the assignment parameters comprise basic type parameters and determined object parameters; and if the request parameters are non-assignment parameters, generating request information according to the request path and the request mode and sending the request information. Specifically, a request mode, such as a post mode, a get mode, and the like, can be obtained by analyzing Java codes in the target file. In addition, the request parameters can be obtained by analyzing the functions in the Java code, and the parameter types can be obtained according to the request parameters. If the parameter type is HttpServletRequest or HttpServletPesponse, the corresponding request parameter is a non-assignment parameter, which indicates that the request does not need to assign a value to the request parameter. And generating a corresponding http request according to the request path and the request parameters which are acquired before. The corresponding http request is sent via httprequest.
In one embodiment, the acquiring the request mode and the request parameters further includes: if the request parameter is an assigned parameter, judging whether the request parameter is a basic type parameter or not; if the request parameters are basic type parameters, assigning values to the request parameters according to the annotation content; and generating and sending request information based on the request path, the request mode and the assigned request parameters. Specifically, if the parameter type of the request parameter is String, int, integeter, long, long, date, string [ ] and the basic parameter type in Java programming such as bootan, the request parameter is assigned according to the annotation content, and a corresponding http request is generated according to the request path, the request mode and the assigned request parameter. The corresponding http request is sent via httprequest. For example, in the following program code:
in the above code, @ GetMapping is the annotation name, (value= "/{ id }) is the annotation content, where value is the value to be given to the parameter id. As known from getCpe (@ PathVariable int id, string token), both int and String are basic parameters, and the value of value is assigned to id, i.e. the assignment of the parameter id is completed, for example, value=0001, and according to the above procedure, the result after the assignment is parameter id=0001.
In one embodiment, the acquiring the request mode and the request parameters further includes: if the request parameter is an assignment parameter, judging whether the request parameter is a determination object parameter, and if the request parameter is a determination object parameter, analyzing the determination object parameter into a basic type parameter; assigning a value to the basic type parameter according to the annotation content; and generating request information and sending the request information based on the request path, the request mode and the assigned basic type parameter. Specifically, if the parameter type of the request parameter is the determination object parameter, the determination object parameter is continuously analyzed until the parameter types of all the request parameters are String, int, integeter, long, long, date, string [ ] and basic parameter types in Java programming such as bootean. Wherein determining the Object parameter indicates that the class in the source code file inherits from the Object class. For example: the determining object parameter a includes determining object parameters A1 and A2 and further includes a plurality of basic type parameters B1 and B2 … Bn, and then the analyzing of the parameters A1 and A2 is continued until all the parameters are basic type parameters and the parameter types of all the parameters are basic type parameters.
In one embodiment, the Controller class annotation names include at least @Controller and @RestController.
In one embodiment, fig. 2 is a flowchart of a request path obtaining method according to another embodiment of the present application. As shown in fig. 2, an original file is first obtained, where the original file is a Java package in jar format. It is judged whether the file directory structure of the original file package conforms to the file directory structure of the SpringBoot framework. If so, all jar packages under the lib directory of the original file are loaded through a class loader; if loading succeeds, the jar packages are read, the annotation information in the original file is obtained through the reflection mechanism, and every source file in the original file that carries @Controller or @RestController is marked as a route file, the route file being the target file. The request path of the route file is then obtained from the annotation content, and the request mode and request parameters are obtained by reading the source file. The request parameters are analysed, and whether to assign values to them is decided according to their parameter types. Finally, an HTTP request is generated from the request path, the request mode and the request parameters, and the request is sent using httprequest. This embodiment can traverse the request paths of all Web programs developed on the SpringBoot framework, and can also configure corresponding parameters in httprequest to achieve forwarding and proxying. Preferably, the request acquisition method of this embodiment can be combined with various scanning attacks, improving the working efficiency of security testers and the coverage of code testing.
Through these steps, the content of the jar package is loaded by a class loader based on the parent delegation mechanism, the class objects are obtained directly through the Java reflection mechanism and analysed further, and the source file does not need to be decompiled. Because the annotation information in the source file is obtained directly by reflection and the request path is obtained directly by parsing the parameters in the annotation content, the request path can be acquired more accurately than by the regular-expression matching used in the related art. In addition, if an acquired request parameter is a known object, it is analysed recursively, and finally HTTP requests with or without parameters are generated from the request paths, request modes and request parameters and sent directly, which assists an audit tool in white box auditing and greatly improves the code coverage and efficiency of the white box audit.
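As an added illustration, not code from the patent or its applicant, the following Java sketch carries out the controller filtering, path derivation and parameter flattening described above by reflection over a constructed sample controller instead of a loaded jar. It assumes spring-web is on the classpath; the controller, query classes and method names are hypothetical, and the parent-delegating URLClassLoader over the jar's lib directory is replaced by the application class loader.

```java
import java.lang.annotation.Annotation;
import java.lang.reflect.*;
import java.util.*;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;

public class RoutePathExtractor {
    // Parameter types the page treats as "basic": assigned straight from annotation content.
    private static final Set<Class<?>> BASIC = new HashSet<>(Arrays.asList(
            String.class, int.class, Integer.class, long.class, Long.class,
            boolean.class, Boolean.class, Date.class, String[].class));

    // Constructed sample (hypothetical): the kind of route file the scanner marks as a target.
    @RestController
    @RequestMapping("/cpe")
    public static class CpeController {
        @GetMapping(value = "/{id}")
        public String getCpe(@PathVariable int id, String token) { return "cpe-" + id; }
        @PostMapping("/search")
        public String search(@RequestBody CpeQuery query) { return "ok"; }
    }
    // A "determined object parameter" holding a nested object and a self-reference (constructed).
    public static class CpeQuery { public String vendor; public Range range; public CpeQuery next; }
    public static class Range { public int from; public int to; }

    // Keep only classes carrying a controller class annotation. The real tool would pass a
    // URLClassLoader built over the jar's lib directory; the sample uses the application loader.
    public static List<Class<?>> controllerClasses(ClassLoader loader, List<String> names)
            throws ClassNotFoundException {
        List<Class<?>> hits = new ArrayList<>();
        for (String name : names) {
            Class<?> c = Class.forName(name, false, loader);   // no static initialisers during a scan
            if (c.isAnnotationPresent(Controller.class) || c.isAnnotationPresent(RestController.class))
                hits.add(c);
        }
        return hits;
    }

    // One "VERB path params=[...]" line per mapped handler method, class-level prefix included.
    public static List<String> routes(Class<?> controller) throws Exception {
        RequestMapping cls = controller.getAnnotation(RequestMapping.class);
        String base = (cls != null && cls.value().length > 0) ? cls.value()[0] : "";
        List<String> out = new ArrayList<>();
        for (Method m : controller.getDeclaredMethods()) {
            for (Annotation a : m.getAnnotations()) {
                // @GetMapping, @PostMapping, ... are meta-annotated with @RequestMapping(method = ...)
                RequestMapping meta = a.annotationType().getAnnotation(RequestMapping.class);
                if (!(a instanceof RequestMapping) && meta == null) continue;
                RequestMethod[] verbs = (a instanceof RequestMapping) ? ((RequestMapping) a).method() : meta.method();
                String[] paths = (String[]) a.annotationType().getMethod("value").invoke(a);
                String path = base + (paths.length > 0 ? paths[0] : "");
                out.add((verbs.length > 0 ? verbs[0].name() : "ANY") + " " + path + " params=" + flattenParams(m));
            }
        }
        Collections.sort(out);   // getDeclaredMethods() order is unspecified
        return out;
    }

    // Basic parameters are listed as-is; object parameters are recursed until only basic fields remain.
    static List<String> flattenParams(Method m) {
        List<String> out = new ArrayList<>();
        for (Parameter p : m.getParameters()) {
            String tag = p.isAnnotationPresent(PathVariable.class) ? "@PathVariable " : "";
            flatten(tag + p.getName(), p.getType(), out, new HashSet<>());
        }
        return out;
    }

    static void flatten(String name, Class<?> type, List<String> out, Set<Class<?>> seen) {
        if (BASIC.contains(type)) { out.add(name + ":" + type.getSimpleName()); return; }
        if (!seen.add(type)) { out.add(name + ":<cycle>"); return; }   // stop on self-referential objects
        for (Field f : type.getDeclaredFields()) {
            if (Modifier.isStatic(f.getModifiers())) continue;
            flatten(name + "." + f.getName(), f.getType(), out, seen);
        }
        seen.remove(type);
    }

    public static void main(String[] args) throws Exception {
        List<String> names = Collections.singletonList(CpeController.class.getName());
        for (Class<?> c : controllerClasses(RoutePathExtractor.class.getClassLoader(), names))
            for (String r : routes(c)) System.out.println(r);
    }
}
```

Compile with `javac -parameters` so that reflection reports `id` and `token` rather than `arg0` and `arg1`; the cycle guard is what keeps the recursive parse of a self-referencing object parameter from looping forever.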
It should be noted that the steps illustrated in the above-described flow or flow diagrams of the figures may be performed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flow diagrams, in some cases, the steps illustrated or described may be performed in an order other than that illustrated herein.
The embodiment also provides a request path obtaining device for implementing the foregoing embodiments and preferred embodiments; what has already been described is not repeated here. As used below, the terms "module," "unit," "sub-unit," and the like may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 3 is a block diagram of a request path acquisition apparatus according to an embodiment of the present application, as shown in fig. 3, the apparatus includes:
Target acquisition module 10: used to acquire a target annotation name, where the target annotation name at least comprises a controller class annotation name, and the controller class annotation name is the identification of the request interface class file.
Annotation acquisition module 20: used to acquire the original file and read the annotation name to be identified in the original file.
Identification module 30: used to compare the annotation name to be identified in the original file with the target annotation name, and to mark the original file as the target file if at least one annotation name is common to the annotation name to be identified and the target annotation name.
Path acquisition module 40: used to read the annotation content in the target file and acquire a request path according to the annotation content.
The target obtaining module 10 is further configured to obtain a preset directory structure, where the preset directory structure includes the file directory structure of the SpringBoot framework; to acquire an initial file and read the directory structure to be identified in the initial file; and to compare the directory structure to be identified with the preset directory structure, taking the initial file as the original file if the two are consistent.
The annotation obtaining module 20 is further configured to load, based on a parent delegation mechanism, the resource library data in the original file into a virtual machine through a class loader, so that the virtual machine reads a source code file in the original file according to the resource library data and a reflection mechanism, and obtains the annotation name to be identified; and receiving the annotation name to be identified, which is sent by the virtual machine.
The path obtaining module 40 is further configured to obtain a request mode and a request parameter, where the request parameter includes an assignment parameter and a non-assignment parameter, and the assignment parameter includes a basic type parameter and a determined object parameter; and if the request parameters are non-assignment parameters, generating request information according to the request path and the request mode and sending the request information.
The path obtaining module 40 is further configured to determine whether the request parameter is a basic type parameter if the request parameter is an assigned parameter; if the request parameters are basic type parameters, assigning values to the request parameters according to the annotation content; and generating and sending request information based on the request path, the request mode and the assigned request parameters.
The path obtaining module 40 is further configured to determine whether the request parameter is a determination object parameter if the request parameter is an assignment parameter, and if the request parameter is a determination object parameter, parse the determination object parameter into a basic type parameter; assigning a value to the basic type parameter according to the annotation content; and generating request information and sending the request information based on the request path, the request mode and the assigned basic type parameter.
The target obtaining module 10 is further configured to obtain a Controller class annotation name, where the Controller class annotation name at least includes @Controller and @RestController.
The above-described respective modules may be functional modules or program modules, and may be implemented by software or hardware. For modules implemented in hardware, the various modules described above may be located in the same processor; or the above modules may be located in different processors in any combination.
In addition, the request path acquisition method of the embodiment of the present application described in connection with fig. 1 may be implemented by a computer device. Fig. 4 is a schematic hardware structure of a computer device according to an embodiment of the present application.
The computer device may include a processor 51 and a memory 52 storing computer program instructions.
In particular, the processor 51 may include a Central Processing Unit (CPU) or an Application Specific Integrated Circuit (ASIC), or may be one or more integrated circuits configured to implement embodiments of the present application.
Memory 52 may include, among other things, mass storage for data or instructions. By way of example, and not limitation, memory 52 may comprise a Hard Disk Drive (HDD), floppy disk drive, Solid State Drive (SSD), flash memory, optical disk, magneto-optical disk, tape, or Universal Serial Bus (USB) drive, or a combination of two or more of the foregoing. Memory 52 may include removable or non-removable (or fixed) media, where appropriate. The memory 52 may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, the memory 52 is a non-volatile memory. In particular embodiments, memory 52 includes Read-Only Memory (ROM) and Random Access Memory (RAM). Where appropriate, the ROM may be a mask-programmed ROM, a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), an Electrically Alterable ROM (EAROM), or a flash memory (FLASH), or a combination of two or more of these. The RAM may be Static Random-Access Memory (SRAM) or Dynamic Random-Access Memory (DRAM), where the DRAM may be Fast Page Mode DRAM (FPMDRAM), Extended Data Out DRAM (EDODRAM), Synchronous DRAM (SDRAM), or the like, as appropriate.
Memory 52 may be used to store or cache various data files that need to be processed and/or communicated, as well as possible computer program instructions for execution by processor 51.
The processor 51 implements any one of the request path acquisition methods of the above-described embodiments by reading and executing the computer program instructions stored in the memory 52.
In some of these embodiments, the computer device may also include a communication interface 53 and a bus 50. As shown in fig. 4, the processor 51, the memory 52, and the communication interface 53 are connected to each other through the bus 50 and perform communication with each other.
The communication interface 53 is used to implement communication between modules, devices, units, and/or sub-units in the embodiments of the present application. The communication interface 53 may also enable data communication with other components, such as external equipment, image/data acquisition equipment, a database, external storage, an image/data processing workstation, and the like.
Bus 50 includes hardware, software, or both, that couple the components of the computer device to one another. Bus 50 includes, but is not limited to, at least one of: a data bus, an address bus, a control bus, an expansion bus, and a local bus. By way of example, and not limitation, bus 50 may include an Accelerated Graphics Port (AGP) or other graphics bus, an Extended Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association Local Bus (VLB), or another suitable bus, or a combination of two or more of the foregoing. Bus 50 may include one or more buses, where appropriate. Although embodiments of the present application describe and illustrate a particular bus, the present application contemplates any suitable bus or interconnect.
The computer device may execute the request path acquisition method in the embodiment of the present application based on the acquired computer program instructions, thereby implementing the request path acquisition method described in connection with fig. 1.
In addition, in combination with the request path acquisition method in the above embodiment, the embodiment of the application may be implemented by providing a computer readable storage medium. The computer readable storage medium has stored thereon computer program instructions; the computer program instructions, when executed by a processor, implement any of the request path acquisition methods of the embodiments described above.
The technical features of the above-described embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above-described embodiments are described; however, as long as there is no contradiction between the combined technical features, the combination should be considered within the scope of this description.
The above examples merely represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the invention. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application is to be determined by the claims appended hereto.

Claims (8)

1. A request path acquisition method, comprising:
obtaining a target annotation name, wherein the target annotation name at least comprises a controller class annotation name, and the controller class annotation name is the identification of a request interface class file;
acquiring an original file and reading an annotation name to be identified in the original file;
comparing the annotation name to be identified in the original file with the target annotation name, and marking the original file as a target file if at least one same annotation name exists in the annotation name to be identified and the target annotation name;
reading annotation content in the target file, and acquiring a request path according to the annotation content;
the obtaining the original file comprises the following steps:
acquiring a preset directory structure, wherein the preset directory structure comprises a file directory structure of a SpringBoot framework;
acquiring an initial file and reading a directory structure to be identified in the initial file;
comparing the directory structure to be identified with the preset directory structure, and taking the initial file as an original file if the directory structure to be identified is consistent with the preset directory structure;
the reading of the annotation name to be identified in the original file comprises the following steps:
based on a parent delegation mechanism, loading the resource library data in the original file into a virtual machine through a class loader, so that the virtual machine reads a source code file in the original file according to the resource library data and a reflection mechanism to obtain the annotation name to be identified;
and receiving the annotation name to be identified, which is sent by the virtual machine.
2. The request path acquisition method according to claim 1, wherein the acquiring the request path from the annotation content, after that, comprises:
acquiring a request mode and request parameters, wherein the request parameters comprise assignment parameters and non-assignment parameters, and the assignment parameters comprise basic type parameters and determined object parameters;
and if the request parameters are non-assignment parameters, generating request information according to the request path and the request mode and sending the request information.
3. The request path acquisition method according to claim 2, wherein the acquiring the request mode and the request parameters further comprises:
if the request parameter is an assigned parameter, judging whether the request parameter is a basic type parameter or not;
if the request parameters are basic type parameters, assigning values to the request parameters according to the annotation content;
and generating and sending request information based on the request path, the request mode and the assigned request parameters.
4. The request path acquisition method according to claim 2, wherein the acquiring the request mode and the request parameters further comprises:
if the request parameter is an assigned parameter, judging whether the request parameter is a determined object parameter,
if the request parameter is a determined object parameter, analyzing the determined object parameter into a basic type parameter;
assigning a value to the basic type parameter according to the annotation content;
and generating request information and sending the request information based on the request path, the request mode and the assigned basic type parameter.
5. The request path acquisition method according to claim 1, wherein the Controller class annotation names include at least @Controller and @RestController.
6. A request path acquisition apparatus, comprising:
a target acquisition module, configured to obtain a target annotation name, wherein the target annotation name at least comprises a controller class annotation name, and the controller class annotation name is an identifier of a request interface class file;
an annotation acquisition module, configured to obtain an original file and read an annotation name to be identified in the original file;
an identification module, configured to compare the annotation name to be identified in the original file with the target annotation name, and to mark the original file as a target file if at least one same annotation name exists in the annotation name to be identified and the target annotation name;
a path acquisition module, configured to read annotation content in the target file and acquire a request path according to the annotation content;
the annotation acquisition module being further configured to acquire a preset directory structure, wherein the preset directory structure comprises a file directory structure of a SpringBoot framework; to acquire an initial file and read a directory structure to be identified in the initial file; and to compare the directory structure to be identified with the preset directory structure, taking the initial file as the original file if the directory structure to be identified is consistent with the preset directory structure;
the annotation acquisition module being further configured to load, based on a parent delegation mechanism, the resource library data in the original file into a virtual machine through a class loader, so that the virtual machine reads the source code file in the original file according to the resource library data and a reflection mechanism to obtain the annotation name to be identified; and to receive the annotation name to be identified sent by the virtual machine.
7. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the request path acquisition method according to any one of claims 1 to 5 when executing the computer program.
8. A computer-readable storage medium, on which a computer program is stored, characterized in that the program, when executed by a processor, implements the request path acquisition method according to any one of claims 1 to 5.
CN202110142093.1A 2021-02-02 2021-02-02 Request path acquisition method, apparatus, computer device and storage medium Active CN112965749B (en)
Publications (2)

Publication Number Publication Date
CN112965749A CN112965749A (en) 2021-06-15
CN112965749B true CN112965749B (en) 2024-03-19
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant