Expand SSRF support in IAST to apache-httpclient-5 and apache-httpasyncclient-4 #7920
Merged
Conversation
Benchmarks

Startup

Summary: found 1 performance improvement and 0 performance regressions. Performance is the same for 53 metrics, 9 unstable metrics.

Startup time reports for petclinic (candidate=1.44.0-SNAPSHOT~d7ed872055, baseline=1.44.0-SNAPSHOT~4df0a01668). Global startup overhead, in seconds:

| section | Agent [baseline] | Agent [candidate] | Total [baseline] | Total [candidate] |
|---|---|---|---|---|
| tracing | 1.103 | 1.099 | 10.465 | 10.463 |
| appsec | 1.227 | 1.227 | 10.733 | 10.764 |
| iast | 1.227 | 1.219 | 11.022 | 10.908 |
| profiling | 1.32 | 1.321 | 10.805 | 10.807 |

The per-module break down chart for petclinic (BytebuddyAgent, GlobalTracer, AppSec, Remote Config, Telemetry, IAST and, for the profiling section, ProfilingAgent/Profiling) shows the same candidate and baseline within noise; IAST module init is 18.8 ms vs 19.8 ms (appsec section) and 22.1 ms vs 20.9 ms (iast section), baseline vs candidate.

Startup time reports for insecure-bank (same candidate and baseline). Global startup overhead, in seconds:

| section | Agent [baseline] | Agent [candidate] | Total [baseline] | Total [candidate] |
|---|---|---|---|---|
| tracing | 1.106 | 1.093 | 8.691 | 8.709 |
| iast | 1.223 | 1.22 | 9.241 | 9.233 |
| iast_HARDCODED_SECRET_DISABLED | 1.218 | 1.232 | 9.188 | 9.206 |
| iast_TELEMETRY_OFF | 1.221 | 1.218 | 9.183 | 9.235 |

The per-module break down chart for insecure-bank covers the same modules; IAST module init is 21.8 ms vs 21.8 ms (iast), 21.9 ms vs 22.0 ms (iast_HARDCODED_SECRET_DISABLED) and 20.6 ms vs 20.5 ms (iast_TELEMETRY_OFF), baseline vs candidate.

Load

Summary: found 0 performance improvements and 0 performance regressions. Performance is the same for 12 metrics, 16 unstable metrics.

Request duration reports [CI 0.99], candidate=1.44.0-SNAPSHOT~d7ed872055, baseline=1.44.0-SNAPSHOT~4df0a01668.

insecure-bank, mean request duration in µs:

| variant | baseline | candidate |
|---|---|---|
| no_agent | 377.969 | 374.614 |
| iast | 498.021 | 495.338 |
| iast_FULL | 650.508 | 650.621 |
| iast_GLOBAL | 520.619 | 518.066 |
| iast_HARDCODED_SECRET_DISABLED | 487.286 | 487.847 |
| iast_INACTIVE | 453.632 | 450.834 |
| iast_TELEMETRY_OFF | 484.523 | 480.786 |
| tracing | 439.782 | 447.465 |

petclinic, mean request duration in ms:

| variant | baseline | candidate |
|---|---|---|
| no_agent | 1.338 | 1.352 |
| appsec | 1.741 | 1.738 |
| appsec_no_iast | 1.762 | 1.759 |
| iast | 1.497 | 1.497 |
| profiling | 1.5 | 1.516 |
| tracing | 1.5 | 1.48 |

Dacapo

Summary: found 0 performance improvements and 0 performance regressions. Performance is the same for 12 metrics, 0 unstable metrics.

Execution time [CI 0.99], same candidate and baseline.

biojava, execution time in s:

| variant | baseline | candidate |
|---|---|---|
| no_agent | 14.936 | 15.411 |
| appsec | 15.109 | 15.082 |
| iast | 19.094 | 18.859 |
| iast_GLOBAL | 17.76 | 18.344 |
| profiling | 15.419 | 15.087 |
| tracing | 14.855 | 15.128 |

tomcat, execution time in ms:

| variant | baseline | candidate |
|---|---|---|
| no_agent | 1.466 | 1.465 |
| appsec | 2.337 | 2.344 |
| iast | 2.079 | 2.095 |
| iast_GLOBAL | 2.127 | 2.132 |
| profiling | 1.966 | 1.947 |
| tracing | 1.926 | 1.926 |
Mariovido added the type: enhancement, comp: asm iast (Application Security Management (IAST)) and inst: java (Core Java language instrumentation) labels on Nov 14, 2024.

Mariovido changed the title from "Expand SSRF support in IAST to apache-httpclient5" to "Expand SSRF support in IAST to apache-httpclient-5 and apache-httpasyncclient-4" on Nov 14, 2024.

PerfectSlayer added the inst: apache httpcomponents (Apache HttpComponents) label and removed the inst: java (Core Java language instrumentation) label on Nov 14, 2024.

manuel-alvarez-alvarez approved these changes on Dec 5, 2024.

amarziali reviewed on Dec 5, 2024, with a comment (now outdated and resolved) on ...src/main/java/datadog/trace/instrumentation/apachehttpcore5/IastHttpHostInstrumentation.java.

amarziali approved these changes on Dec 5, 2024.

svc-squareup-copybara pushed a commit to cashapp/misk that referenced this pull request on Dec 16, 2024. Commit message:
| Package | Type | Package file | Manager | Update | Change |
|---|---|---|---|---|---|
| [com.google.api.grpc:proto-google-common-protos](https://github.com/googleapis/sdk-platform-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.49.0` -> `2.50.0` |
| [com.google.cloud:google-cloud-core-http](https://github.com/googleapis/sdk-platform-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.48.0` -> `2.49.0` |
| [com.google.cloud:google-cloud-spanner](https://github.com/googleapis/java-spanner) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `6.82.0` -> `6.83.0` |
| [com.google.cloud:google-cloud-logging](https://github.com/googleapis/java-logging) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `3.20.7` -> `3.21.0` |
| [com.google.cloud:google-cloud-datastore](https://github.com/googleapis/java-datastore) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.24.3` -> `2.25.1` |
| [com.google.cloud:google-cloud-core](https://github.com/googleapis/sdk-platform-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.48.0` -> `2.49.0` |
| [com.google.api:gax](https://github.com/googleapis/sdk-platform-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.58.0` -> `2.59.0` |
| [com.autonomousapps.dependency-analysis](https://github.com/autonomousapps/dependency-analysis-android-gradle-plugin) | plugin | misk/gradle/libs.versions.toml | gradle | patch | `2.6.0` -> `2.6.1` |
| [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.43.0` -> `1.44.1` |
| [com.datadoghq:dd-trace-ot](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.43.0` -> `1.44.1` |
| [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.32` -> `2.29.34` |
| [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.32` -> `2.29.34` |
| [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.32` -> `2.29.34` |
| [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.32` -> `2.29.34` |
| [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.32` -> `2.29.34` |
| [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.29.32` -> `2.29.34` |
| [com.amazonaws:aws-java-sdk-sqs](https://aws.amazon.com/sdkforjava) ([source](https://github.com/aws/aws-sdk-java)) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `1.12.779` -> `1.12.780` |
| [com.amazonaws:aws-java-sdk-s3](https://aws.amazon.com/sdkforjava) ([source](https://github.com/aws/aws-sdk-java)) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `1.12.779` -> `1.12.780` |
| [com.amazonaws:aws-java-sdk-dynamodb](https://aws.amazon.com/sdkforjava) ([source](https://github.com/aws/aws-sdk-java)) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `1.12.779` -> `1.12.780` |
| [com.amazonaws:aws-java-sdk-core](https://aws.amazon.com/sdkforjava) ([source](https://github.com/aws/aws-sdk-java)) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `1.12.779` -> `1.12.780` |

---

### Release Notes

<details>
<summary>googleapis/sdk-platform-java (com.google.api.grpc:proto-google-common-protos)</summary>

### [`v2.50.0`](https://github.com/googleapis/sdk-platform-java/blob/HEAD/CHANGELOG.md#2500-2024-11-14)

##### Features

- Add experimental S2A integration in client libraries grpc transport ([#3326](googleapis/sdk-platform-java#3326)) ([1138ca6](googleapis/sdk-platform-java@1138ca6))
- enable selective generation based on service config include list ([#3323](googleapis/sdk-platform-java#3323)) ([0cddadb](googleapis/sdk-platform-java@0cddadb))
- introduce `java.time` to java-core ([#3330](googleapis/sdk-platform-java#3330)) ([f202c3b](googleapis/sdk-platform-java@f202c3b))
- Update Gapic-Generator to generate libraries using `java.time` methods ([#3321](googleapis/sdk-platform-java#3321)) ([b21c9a4](googleapis/sdk-platform-java@b21c9a4))

##### Bug Fixes

- Fix flaky test ScheduledRetryingExecutorTest.testCancelOuterFutureAfterStart ([#3335](googleapis/sdk-platform-java#3335)) ([e73740d](googleapis/sdk-platform-java@e73740d))
- httpjson callables to trace attempts (started, failed) ([#3300](googleapis/sdk-platform-java#3300)) ([15a64ee](googleapis/sdk-platform-java@15a64ee))
- instantiate GaxProperties at build time to ensure we get the protobuf version ([#3365](googleapis/sdk-platform-java#3365)) ([bb2a3be](googleapis/sdk-platform-java@bb2a3be))
- protobuf version not always getting set in headers ([#3322](googleapis/sdk-platform-java#3322)) ([7f6e470](googleapis/sdk-platform-java@7f6e470))
- use BuildKit instead of legacy builder to build the Hermetic Build images ([#3338](googleapis/sdk-platform-java#3338)) ([222fb45](googleapis/sdk-platform-java@222fb45))

##### Dependencies

- update google auth library dependencies to v1.30.0 ([#3367](googleapis/sdk-platform-java#3367)) ([a31c682](googleapis/sdk-platform-java@a31c682))
- update grpc dependencies to v1.68.1 ([#3240](googleapis/sdk-platform-java#3240)) ([c8e3941](googleapis/sdk-platform-java@c8e3941))

##### Documentation

- fix list num ([#3356](googleapis/sdk-platform-java#3356)) ([b7d6296](googleapis/sdk-platform-java@b7d6296))
- **hermetic-build:** indicate usage of Docker Buildkit in development guide ([#3337](googleapis/sdk-platform-java#3337)) ([01e742d](googleapis/sdk-platform-java@01e742d))
- modify hermetic build docs ([#3331](googleapis/sdk-platform-java#3331)) ([25023af](googleapis/sdk-platform-java@25023af))

</details>

<details>
<summary>googleapis/java-spanner (com.google.cloud:google-cloud-spanner)</summary>

### [`v6.83.0`](https://github.com/googleapis/java-spanner/blob/HEAD/CHANGELOG.md#6830-2024-12-13)

##### Features

- Add Metrics host for built in metrics ([#3519](googleapis/java-spanner#3519)) ([4ed455a](googleapis/java-spanner@4ed455a))
- Add opt-in for using multiplexed sessions for blind writes ([#3540](googleapis/java-spanner#3540)) ([216f53e](googleapis/java-spanner@216f53e))
- Add UUID in Spanner TypeCode enum ([41f83dc](googleapis/java-spanner@41f83dc))
- Introduce java.time variables and methods ([#3495](googleapis/java-spanner#3495)) ([8a7d533](googleapis/java-spanner@8a7d533))
- **spanner:** Support multiplexed session for Partitioned operations ([#3231](googleapis/java-spanner#3231)) ([4501a3e](googleapis/java-spanner@4501a3e))
- Support 'set local' for retry_aborts_internally ([#3532](googleapis/java-spanner#3532)) ([331942f](googleapis/java-spanner@331942f))

##### Bug Fixes

- **deps:** Update the Java code generator (gapic-generator-java) to 2.51.0 ([41f83dc](googleapis/java-spanner@41f83dc))

##### Dependencies

- Update sdk platform java dependencies ([#3549](googleapis/java-spanner#3549)) ([6235f0f](googleapis/java-spanner@6235f0f))

</details>

<details>
<summary>googleapis/java-logging (com.google.cloud:google-cloud-logging)</summary>

### [`v3.21.0`](https://github.com/googleapis/java-logging/blob/HEAD/CHANGELOG.md#3210-2024-12-13)

##### Features

- Introduce `java.time` methods ([#1729](googleapis/java-logging#1729)) ([323eb33](googleapis/java-logging@323eb33))

##### Bug Fixes

- **deps:** Update the Java code generator (gapic-generator-java) to 2.51.0 ([04d8868](googleapis/java-logging@04d8868))

##### Dependencies

- Update dependency io.opentelemetry:opentelemetry-bom to v1.45.0 ([#1638](googleapis/java-logging#1638)) ([7e007d4](googleapis/java-logging@7e007d4))
- Update sdk platform java dependencies ([#1736](googleapis/java-logging#1736)) ([88b4cdf](googleapis/java-logging@88b4cdf))

</details>

<details>
<summary>googleapis/java-datastore (com.google.cloud:google-cloud-datastore)</summary>

### [`v2.25.1`](https://github.com/googleapis/java-datastore/blob/HEAD/CHANGELOG.md#2251-2024-12-13)

##### Bug Fixes

- **deps:** Update the Java code generator (gapic-generator-java) to 2.51.0 ([106ee4d](googleapis/java-datastore@106ee4d))

##### Dependencies

- Update sdk platform java dependencies ([#1685](googleapis/java-datastore#1685)) ([4372350](googleapis/java-datastore@4372350))

### [`v2.25.0`](https://github.com/googleapis/java-datastore/blob/HEAD/CHANGELOG.md#2250-2024-12-11)

##### Features

- Introduce `java.time` methods and variables ([#1671](googleapis/java-datastore#1671)) ([5a78a80](googleapis/java-datastore@5a78a80))

##### Dependencies

- Update dependency com.google.cloud:gapic-libraries-bom to v1.48.0 ([#1605](googleapis/java-datastore#1605)) ([5c6a678](googleapis/java-datastore@5c6a678))

##### Documentation

- Update gapic upgrade installation instructions ([#1677](googleapis/java-datastore#1677)) ([b3fbfcc](googleapis/java-datastore@b3fbfcc))

</details>

<details>
<summary>autonomousapps/dependency-analysis-android-gradle-plugin (com.autonomousapps.dependency-analysis)</summary>

### [`v2.6.1`](https://github.com/autonomousapps/dependency-analysis-android-gradle-plugin/blob/HEAD/CHANGELOG.md#Version-261)

- \[Fix]: `superClassName` can be null (Object has no superclass).

</details>

<details>
<summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary>

### [`v1.44.1`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.44.1): 1.44.1

##### Components

##### Continuous Integration Visibility

- 🐛 Fix tracing JUnit5 tests in Maven projects with multiple forks ([#8089](DataDog/dd-trace-java#8089) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))

### [`v1.44.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.44.0): 1.44.0

##### Known Issues

> \[!WARNING]
> This release contains a known issue that causes failures when using Test Optimization to trace JUnit 5 tests in a Maven project where Maven Surefire is configured with `forkCount` > 1.
> The issue is fixed in v1.44.1

##### Breaking Changes

> \[!WARNING]
> Support for `X-Forwarded` header is dropped from default client IP resolution.
> It can still be re-activated using the `dd.trace.client-ip-header=x-forwarded` system property, or the `DD_TRACE_CLIENT_IP_HEADER=x-forwarded` environment variable. See [#7946](DataDog/dd-trace-java#7946).

##### Components

##### Application Security Management (IAST)

- ✨ Set unexpected IAST exceptions to debug log level ([#8044](DataDog/dd-trace-java#8044) - [@smola](https://github.com/smola))
- ✨ Increase IAST propagation to StringBuffer subSequence ([#8038](DataDog/dd-trace-java#8038) - [@Mariovido](https://github.com/Mariovido))
- ✨ Increase IAST propagation to StringBuilder subSequence ([#8026](DataDog/dd-trace-java#8026) - [@Mariovido](https://github.com/Mariovido))
- ✨ Add IAST propagation to String valueOf ([#8013](DataDog/dd-trace-java#8013) - [@Mariovido](https://github.com/Mariovido))
- ✨ Increase IAST propagation to StringBuilder append ([#8010](DataDog/dd-trace-java#8010) - [@Mariovido](https://github.com/Mariovido))
- ✨ Expand SSRF support in IAST to apache-httpclient-5 and apache-httpasyncclient-4 ([#7920](DataDog/dd-trace-java#7920) - [@Mariovido](https://github.com/Mariovido))

##### Build & Tooling

- ✨ Generate Muzzle classes for Groovy instrumentations ([#8004](DataDog/dd-trace-java#8004) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))

##### Continuous Integration Visibility

- ✨ Support distributed traces in tests ([#8078](DataDog/dd-trace-java#8078) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Implement fail-fast tests ordering for JUnit 5 ([#8055](DataDog/dd-trace-java#8055) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Mark JUnit 5 setup and teardown action spans as failed if there is an error ([#8033](DataDog/dd-trace-java#8033) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Add tracing of setup and teardown actions in JUnit 4 ([#8030](DataDog/dd-trace-java#8030) - [@daniel-mohedano](https://github.com/daniel-mohedano))

##### Crash tracking

- ✨ Improve crash tracking install logging ([#8045](DataDog/dd-trace-java#8045) - [@PerfectSlayer](https://github.com/PerfectSlayer))

##### Data Streams Monitoring

- 🐛 Add Data Streams support in AWS SQS without raw message delivery ([#8071](DataDog/dd-trace-java#8071) - [@piochelepiotr](https://github.com/piochelepiotr))
- ✨ Add new tag for enabled products / features to DSM checkpoints ([#8051](DataDog/dd-trace-java#8051) - [@kr-igor](https://github.com/kr-igor))
- 💡 Instrument self hosted Kafka connectors ([#7959](DataDog/dd-trace-java#7959) - [@piochelepiotr](https://github.com/piochelepiotr))

##### Dynamic Instrumentation

- ✨ Add Micronaut 4 support for code origin for spans ([#8039](DataDog/dd-trace-java#8039) - [@jpbempel](https://github.com/jpbempel))
- ✨ Refactor probe matching for methods ([#8021](DataDog/dd-trace-java#8021) - [@jpbempel](https://github.com/jpbempel))
- ✨ Update the CodeOriginProbe fingerprint to not rely on a stack walk ([#8016](DataDog/dd-trace-java#8016) - [@evanchooly](https://github.com/evanchooly))
- ✨ Implement code origin support for grpc server entry spans ([#7942](DataDog/dd-trace-java#7942) - [@evanchooly](https://github.com/evanchooly))

##### GraalVM native-image

- 🐛 Update Graal build-time instrumentation config for TracePropagationStyle ([#8065](DataDog/dd-trace-java#8065) - [@MattAlp](https://github.com/MattAlp))
- 🐛 Fix NoClassDefFoundError: Could not initialize class DDSpanLink$EncoderHolder in Graal native-image ([#8036](DataDog/dd-trace-java#8036) - [@mcculls](https://github.com/mcculls))
- 🐛🧹 Fix native-image generation of reactive applications ([#8012](DataDog/dd-trace-java#8012) - [@mcculls](https://github.com/mcculls))

##### OpenTracing

- 🧹 Custom ScopeManagers are deprecated and will be removed in a future release of dd-trace-ot ([#8058](DataDog/dd-trace-java#8058) - [@mcculls](https://github.com/mcculls))

##### Tracer core

- ✨🧪 Service naming: split by jee deployment ([#8064](DataDog/dd-trace-java#8064) - [@amarziali](https://github.com/amarziali))
- ✨ Exclude jboss mdb proxies from instrumenting ([#8061](DataDog/dd-trace-java#8061) - [@amarziali](https://github.com/amarziali))
- ✨ Add a built-in trace interceptor for keeping traces depending of their latency ([#8040](DataDog/dd-trace-java#8040) - [@cecile75](https://github.com/cecile75))
- 💡 Introduce marker mechanism for eagerly initializing helpers ([#8028](DataDog/dd-trace-java#8028) - [@mcculls](https://github.com/mcculls))
- 💡 Add JSON component ([#7973](DataDog/dd-trace-java#7973) - [@PerfectSlayer](https://github.com/PerfectSlayer))
- ✨⚠️ Remove support for X-Forwarded in client IP resolution ([#7946](DataDog/dd-trace-java#7946) - [@smola](https://github.com/smola))

##### Instrumentations

##### Apache HttpComponents

- ✨ Expand SSRF support in IAST to apache-httpclient-5 and apache-httpasyncclient-4 ([#7920](DataDog/dd-trace-java#7920) - [@Mariovido](https://github.com/Mariovido))

##### gRPC instrumentation

- 🐛 Use lower priorities for grpc server errors ([#8043](DataDog/dd-trace-java#8043) - [@amarziali](https://github.com/amarziali))

##### JDBC instrumentation

- ✨ Add trace injection for prepared statements in Postgres ([#7940](DataDog/dd-trace-java#7940) - [@nenadnoveljic](https://github.com/nenadnoveljic))

##### JMS instrumentation

- 🐛 Protect mdb from instrumenting multiple time the same event ([#8062](DataDog/dd-trace-java#8062) - [@amarziali](https://github.com/amarziali))

##### Kafka instrumentation

- 💡 Instrument self hosted Kafka connectors ([#7959](DataDog/dd-trace-java#7959) - [@piochelepiotr](https://github.com/piochelepiotr))

##### OpenTelemetry instrumentation

- 🐛 Support using OpenTelemetry Event API inside `@WithSpan` annotated method ([#8019](DataDog/dd-trace-java#8019) - [@mcculls](https://github.com/mcculls))

##### Reactor instrumentation

- 🐛🧹 Fix native-image generation of reactive applications ([#8012](DataDog/dd-trace-java#8012) - [@mcculls](https://github.com/mcculls))

##### Spring instrumentation

- 🐛 Avoid double instrumenting lambdas on latest spring scheduling ([#8005](DataDog/dd-trace-java#8005) - [@amarziali](https://github.com/amarziali))

##### All other instrumentations

- 🐛 Twilio: allow service name flattening ([#8025](DataDog/dd-trace-java#8025) - [@amarziali](https://github.com/amarziali))
- ✨ Instrument Mulesoft 4.5.0+ ([#7981](DataDog/dd-trace-java#7981) - [@amarziali](https://github.com/amarziali))

</details>

<details>
<summary>aws/aws-sdk-java (com.amazonaws:aws-java-sdk-sqs)</summary>

### [`v1.12.780`](https://github.com/aws/aws-sdk-java/blob/HEAD/CHANGELOG.md#112780-2024-12-11)

[Compare Source](aws/aws-sdk-java@1.12.779...1.12.780)

#### **Amazon Simple Storage Service**

##### Bugfixes

- AWS SDK for Java 1.x now includes additional validation for Amazon S3 client APIs to handle scenarios where an empty string ('') is passed as the key argument to the following operations: PutObject, DeleteObject, ListObjects, GetObjectMetaData, ListObjectsV2, SetObjectTagging, GetObjectTagging, SetObjectAcl, GetObjectAcl, SetObjectLegalHold, GetObjectLegalHold, CopyObject, CopyPart, SelectObjectContent, SetObjectRetention, GetObjectRetention, AbortMultipartUpload, CompleteMultipartUpload, InitiateMultipartUpload, ListParts, UploadPart, RestoreObjectV2, and RestoreObject. The SDK will validate the key argument and throw an exception if it is an empty string, ensuring correct and expected behavior.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am every weekday" in timezone Australia/Melbourne, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

GitOrigin-RevId: 69831bc62ea4d80cdcd42cef2aa9bd8eda28ae8c
### What Does This Do

Add support for the `apache-httpclient-5` and `apache-httpasyncclient-4` client libraries to detect SSRF. This is done by detecting the vulnerability using the `HttpClientDecorator`.

The new `HttpClient` (`apache-httpclient-5`) methods that will be supported are:

- `execute(ClassicHttpRequest)`
- `execute(ClassicHttpRequest, HttpClientResponseHandler<? extends T>)`
- `execute(ClassicHttpRequest, HttpContext)`
- `execute(ClassicHttpRequest, HttpContext, HttpClientResponseHandler<? extends T>)`
- `execute(HttpHost, ClassicHttpRequest)`
- `execute(HttpHost, ClassicHttpRequest, HttpClientResponseHandler<? extends T>)`
- `execute(HttpHost, ClassicHttpRequest, HttpContext)`
- `execute(HttpHost, ClassicHttpRequest, HttpContext, HttpClientResponseHandler<? extends T>)`

The new `HttpAsyncClient` (`apache-httpasyncclient-4`) methods that will be supported are:

- `execute(HttpAsyncRequestProducer, HttpAsyncResponseConsumer<T>, FutureCallback<T>)`
- `execute(HttpAsyncRequestProducer, HttpAsyncResponseConsumer<T>, HttpContext, FutureCallback<T>)`
- `execute(HttpHost, HttpRequest)`
- `execute(HttpHost, HttpRequest, HttpContext, FutureCallback<HttpResponse>)`
- `execute(HttpUriRequest, FutureCallback<HttpResponse>)`
- `execute(HttpUriRequest, HttpContext, FutureCallback<HttpResponse>)`
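The overloads above are the sinks at which IAST reports SSRF once a request-controlled value reaches them. The following is an added example, not code from PR #7920 or from dd-trace-java, showing the same call sites from the application side with the mitigation in front of them: an allowlist check on the destination before `HttpClient` 5 `execute(ClassicHttpRequest, handler)`, `execute(HttpHost, ClassicHttpRequest, handler)` and `HttpAsyncClient` 4 `execute(HttpUriRequest, FutureCallback)` are called. It also covers the point that makes the `HttpHost` overloads worth instrumenting separately: the target authority may travel in the `HttpHost` argument rather than in the request URI, so a check that only looks at the request path misses it. The class name `SafeOutboundClient`, the allowlist contents and the sample URLs are assumptions constructed for illustration.

```java
// Added example (not part of PR #7920 or dd-trace-java). Class name, allowlist and sample
// URLs are constructed. Requires httpclient5 and httpasyncclient 4.x on the classpath.
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import java.util.concurrent.Future;

import org.apache.hc.client5.http.classic.methods.HttpGet;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.core5.http.HttpHost;
import org.apache.hc.core5.http.io.HttpClientResponseHandler;
import org.apache.hc.core5.http.io.entity.EntityUtils;
import org.apache.http.HttpResponse;
import org.apache.http.concurrent.FutureCallback;
import org.apache.http.impl.nio.client.CloseableHttpAsyncClient;
import org.apache.http.impl.nio.client.HttpAsyncClients;

public final class SafeOutboundClient {

  /** Constructed allowlist: the only hosts that user-influenced input may select. */
  private static final Set<String> ALLOWED_HOSTS = Set.of("api.example.com", "cdn.example.com");

  /**
   * Accepts only an absolute https URI whose host is allowlisted and that carries no userinfo,
   * so a value such as "https://api.example.com@other.example.net/" cannot change the authority.
   */
  static URI checkDestination(String raw) {
    final URI uri;
    try {
      uri = new URI(raw).normalize();
    } catch (URISyntaxException e) {
      throw new IllegalArgumentException("malformed destination", e);
    }
    String host = uri.getHost();
    if (!"https".equalsIgnoreCase(uri.getScheme())
        || host == null
        || uri.getRawUserInfo() != null
        || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
      throw new IllegalArgumentException("destination not allowed: " + raw);
    }
    return uri;
  }

  /** HttpClient 5, execute(ClassicHttpRequest, handler): the whole URL is user-influenced. */
  static String fetchClassic(String userSuppliedUrl) throws Exception {
    URI target = checkDestination(userSuppliedUrl);
    HttpClientResponseHandler<String> body = response -> EntityUtils.toString(response.getEntity());
    // Redirects are disabled so an allowlisted host cannot forward the request elsewhere unchecked.
    try (CloseableHttpClient client = HttpClients.custom().disableRedirectHandling().build()) {
      return client.execute(new HttpGet(target), body);
    }
  }

  /**
   * HttpClient 5, execute(HttpHost, ClassicHttpRequest, handler): the authority is passed as a
   * separate HttpHost, so the check must be applied to that argument, not only to the path.
   */
  static String fetchWithHost(String userSuppliedHost, String fixedPath) throws Exception {
    URI base = checkDestination("https://" + userSuppliedHost);
    if (!fixedPath.startsWith("/") || fixedPath.startsWith("//")) {
      throw new IllegalArgumentException("path must be origin-relative");
    }
    HttpHost host = new HttpHost(base.getScheme(), base.getHost(), base.getPort());
    HttpClientResponseHandler<String> body = response -> EntityUtils.toString(response.getEntity());
    try (CloseableHttpClient client = HttpClients.custom().disableRedirectHandling().build()) {
      return client.execute(host, new HttpGet(fixedPath), body);
    }
  }

  /** HttpAsyncClient 4, execute(HttpUriRequest, FutureCallback): same check before the sink. */
  static int fetchAsyncStatus(String userSuppliedUrl) throws Exception {
    URI target = checkDestination(userSuppliedUrl);
    try (CloseableHttpAsyncClient client = HttpAsyncClients.createDefault()) {
      client.start();
      Future<HttpResponse> pending = client.execute(
          new org.apache.http.client.methods.HttpGet(target),
          new FutureCallback<HttpResponse>() {
            @Override public void completed(HttpResponse response) { }
            @Override public void failed(Exception cause) { }
            @Override public void cancelled() { }
          });
      return pending.get().getStatusLine().getStatusCode();
    }
  }

  /** Exercises only the check, so it runs without network access. */
  public static void main(String[] args) {
    String[] samples = {
      "https://api.example.com/v1/status",         // accepted
      "http://api.example.com/v1/status",          // rejected: not https
      "https://other.example.net/v1/status",       // rejected: host not allowlisted
      "https://api.example.com@other.example.net/" // rejected: userinfo would change the authority
    };
    for (String s : samples) {
      try {
        System.out.println("accepted " + checkDestination(s));
      } catch (IllegalArgumentException e) {
        System.out.println("rejected " + s + " (" + e.getMessage() + ")");
      }
    }
  }
}
```

The check is deliberately run on the parsed `java.net.URI` rather than on the raw string, and the `HttpHost` variant rebuilds the host from the checked URI instead of trusting the caller's string: with IAST in place, a tainted value that bypassed this check would still be reported at the `execute(...)` sink, while the check itself is what keeps the request from leaving for an unintended host.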
### Motivation

With this change we want to expand the support for SSRF in the different clients supported by the `HttpClientDecorator`.

### Additional Notes

### Contributor Checklist

- [ ] Add the `type:` and (`comp:` or `inst:`) labels in addition to any useful labels
- [ ] Don't use `close`, `fix` or any linking keywords when referencing an issue. Use `solves` instead, and assign the PR milestone to the issue

Jira ticket: APPSEC-55635