From 79abb8d7eb9180c1a446f226b02994597d39b0ba Mon Sep 17 00:00:00 2001
From: "rick.parker"
Date: Thu, 6 Apr 2023 14:46:42 +0100
Subject: [PATCH] Fix netty-codec-http
---
 tools/aegis4j/build.gradle | 1 +
 .../net/gredler/aegis4j/CVE_2019_16869.java | 31 +++++++++++++++++++
 .../src/test/resources/netty-mods.properties | 3 ++
 3 files changed, 35 insertions(+)
 create mode 100644 tools/aegis4j/src/test/java/net/gredler/aegis4j/CVE_2019_16869.java
 create mode 100644 tools/aegis4j/src/test/resources/netty-mods.properties
diff --git a/tools/aegis4j/build.gradle b/tools/aegis4j/build.gradle
index 411e4517c8..3159f96a20 100644
--- a/tools/aegis4j/build.gradle
+++ b/tools/aegis4j/build.gradle
@@ -34,6 +34,7 @@ dependencies {
 testImplementation "com.google.guava:guava:$guava_version"
 testImplementation "org.yaml:snakeyaml:1.33"
 testImplementation "org.jetbrains.kotlin:kotlin-stdlib-jdk8:$kotlin_version"
+ testImplementation "io.netty:netty:3.10.5.Final"
 }
 sourceCompatibility = 8
diff --git a/tools/aegis4j/src/test/java/net/gredler/aegis4j/CVE_2019_16869.java b/tools/aegis4j/src/test/java/net/gredler/aegis4j/CVE_2019_16869.java
new file mode 100644
index 0000000000..085af8914c
--- /dev/null
+++ b/tools/aegis4j/src/test/java/net/gredler/aegis4j/CVE_2019_16869.java
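Review bot: The added `testImplementation "io.netty:netty:3.10.5.Final"` line carries no explanation of why an old Netty 3.x release is placed on the test classpath. Judging by the test file added in the same commit, the version appears to be chosen deliberately so that the pre-rename `org.jboss.netty` `HttpMessageDecoder` class exists for the CVE-2019-16869 check; without a note, a dependency scanner finding or an automated upgrade is likely to bump it and break the test. I would add a comment above it such as `// Deliberately old: supplies org.jboss.netty HttpMessageDecoder for the CVE_2019_16869 test; keep in test scope only, do not upgrade`. The `dependencies` block begins above this hunk.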
@@ -0,0 +1,31 @@
+/* Copyright (c) 2022, Daniel Gredler. All rights reserved. */
+
+package net.gredler.aegis4j;
+
+import org.jboss.netty.handler.codec.http.HttpRequestDecoder;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.fail;
+
+/**
+ * Tests netty-codec-http blocking.
+ */
+public class CVE_2019_16869 {
+ @AfterAll
+ public static void uninstallAgent() throws Exception {
+ System.clearProperty("aegis4j.additional.args");
+ }
+
+ @Test
+ public void test() throws Exception {
+ TestUtils.installAgent("path=../resources/test/netty-mods.properties");
+ try {
+ new HttpRequestDecoder();
+ fail("Exception expected");
+ } catch (RuntimeException e) {
+ assertEquals("netty-codec-http HttpMessageDecoder blocked by aegis4j", e.getMessage());
+ }
+ }
+}
diff --git a/tools/aegis4j/src/test/resources/netty-mods.properties b/tools/aegis4j/src/test/resources/netty-mods.properties
new file mode 100644
index 0000000000..d5e6fec452
--- /dev/null
+++ b/tools/aegis4j/src/test/resources/netty-mods.properties
@@ -0,0 +1,3 @@
+# format: ..=
+# CVE-2019-16869 - HttpObjectDecoder was called HttpMessageDecoder back then
+NETTYHTTP.org.jboss.netty.handler.codec.http.HttpMessageDecoder.HttpMessageDecoder=throw new java.lang.RuntimeException("netty-codec-http HttpMessageDecoder blocked by aegis4j");
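Review bot: The try/`fail`/catch block in `test()` is the JUnit 4 idiom, while the file already imports JUnit 5 assertions; `RuntimeException e = assertThrows(RuntimeException.class, HttpRequestDecoder::new);` followed by the existing `assertEquals` on the message says the same thing without the `fail` import. Separately, `uninstallAgent()` only clears the `aegis4j.additional.args` system property, and whether the rewritten `HttpMessageDecoder` is ever restored is not visible in this hunk. If the patch stays loaded for the life of the JVM, the class Javadoc should say that this test leaves Netty's HTTP decoder blocked for any test that runs after it in the same process.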
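Review bot: The comment above the `NETTYHTTP` entry records the class rename but not the effect of the rule. The replacement body throws from the `HttpMessageDecoder` constructor, which, going by the Netty 3 class hierarchy, blocks the response decoder as well as the `HttpRequestDecoder` that the test exercises. I would add a line such as `# Blocks construction of every HttpMessageDecoder subclass; mitigates the CVE-2019-16869 request-smuggling issue by disabling the HTTP codec entirely`. The `# format:` line as shown reads `..=` with no field names, so it is worth checking that its placeholders are present in the committed file.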