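This matches org.dom4j.io.SAXReader#read, including the 8 overloads below, which differ only in their method parameters.
org.dom4j.io.SAXReader#read
Looking at the dom4j source, methods 1-7 all call method 8 (the red box below). The call chain of one of them is shown below (the other 6 also call method 8).
Decompiling the bytecode of the hooked class shows that methods 1-8 are all instrumented:
Since methods 1-7 all call method 8, and the real XML processing logic is in method 8, hooking only method 8 is enough. This reduces the bytecode and avoids the instrumented code being invoked twice. (The figure below shows the code of method 8.)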
```java
@Override
protected void hookMethod(CtClass ctClass) throws IOException, CannotCompileException, NotFoundException {
    // "$0" is Javassist's name for `this`, i.e. the SAXReader instance
    String src = getInvokeStaticSrc(DisableDom4jXxeEntity.class, "setFeature", "$0", Object.class);
    // insertBefore(ctClass, "read", null, src);
    // Match only the specified method
    insertBefore(ctClass, "read", "(Lorg/xml/sax/InputSource;)Lorg/dom4j/Document;", src);
}
```
Source location: DisableDom4jXxeEntity.java#L44
If this is wrong, corrections are welcome.
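
The scope difference described in the issue, as an added example that is not part of the original post or the project's code: it instruments `SAXReader#read` once by name and once by descriptor and reports how many methods were touched and the resulting class size. It assumes javassist and dom4j are on the classpath; the class name `Dom4jHookScope` and the guard body (a constructed stand-in for the project's `DisableDom4jXxeEntity.setFeature`) are assumptions.

```java
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtMethod;

public class Dom4jHookScope {
    static final String TARGET = "org.dom4j.io.SAXReader";
    // Descriptor of read(InputSource), as given in the issue.
    static final String READ_DESC = "(Lorg/xml/sax/InputSource;)Lorg/dom4j/Document;";
    // Constructed guard (assumption, not the project's code): make the
    // underlying parser reject any DOCTYPE before the document is parsed.
    static final String GUARD =
        "{ $0.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true); }";

    /** descriptor == null hooks every read() overload; returns {methods hooked, class file bytes}. */
    static int[] instrument(String descriptor) throws Exception {
        ClassPool pool = new ClassPool(true);   // fresh pool: start from the pristine class each time
        CtClass ct = pool.get(TARGET);
        int hooked = 0;
        for (CtMethod m : ct.getDeclaredMethods("read")) {
            if (descriptor == null || descriptor.equals(m.getSignature())) {
                m.insertBefore(GUARD);
                hooked++;
            }
        }
        return new int[] { hooked, ct.toBytecode().length };
    }

    public static void main(String[] args) throws Exception {
        int[] byName = instrument(null);
        int[] byDesc = instrument(READ_DESC);
        System.out.printf("name only : %d methods hooked, %d bytes%n", byName[0], byName[1]);
        System.out.printf("descriptor: %d methods hooked, %d bytes%n", byDesc[0], byDesc[1]);
        // Fail closed: if a dom4j version lacks this exact descriptor,
        // the narrowed hook would match nothing and protect nothing.
        if (byDesc[0] != 1) {
            throw new IllegalStateException("read(InputSource) not found in " + TARGET);
        }
    }
}
```

The final check matters for any descriptor-based hook: a signature change in the target library turns the hook into a silent no-op, so the match count should be verified at instrumentation time.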
Awesome!
@xl1605368195 Hi, I looked at the dom4j 1.X and 2.X code. Your change should be fine, and you can submit a patch.