-
Notifications
You must be signed in to change notification settings - Fork 291
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IAST security controls: handling custom validation and sanitization methods #7997
Conversation
internal-api/src/main/java/datadog/trace/api/iast/securitycontrol/SecurityControl.java
Show resolved
Hide resolved
BenchmarksStartupParameters
See matching parameters
SummaryFound 0 performance improvements and 0 performance regressions! Performance is the same for 58 metrics, 5 unstable metrics. Startup time reports for insecure-bankgantt
title insecure-bank - global startup overhead: candidate=1.45.0-SNAPSHOT~de8c19855d, baseline=1.45.0-SNAPSHOT~ab205f6a56
dateFormat X
axisFormat %s
section tracing
Agent [baseline] (1.111 s) : 0, 1110839
Total [baseline] (8.655 s) : 0, 8654912
Agent [candidate] (1.111 s) : 0, 1111440
Total [candidate] (8.684 s) : 0, 8684007
section iast
Agent [baseline] (1.25 s) : 0, 1250128
Total [baseline] (9.338 s) : 0, 9338329
Agent [candidate] (1.242 s) : 0, 1241781
Total [candidate] (9.27 s) : 0, 9269601
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.249 s) : 0, 1248897
Total [baseline] (9.23 s) : 0, 9230333
Agent [candidate] (1.238 s) : 0, 1238278
Total [candidate] (9.225 s) : 0, 9225454
section iast_TELEMETRY_OFF
Agent [baseline] (1.238 s) : 0, 1237847
Total [baseline] (9.248 s) : 0, 9247518
Agent [candidate] (1.238 s) : 0, 1238461
Total [candidate] (9.215 s) : 0, 9215340
gantt
title insecure-bank - break down per module: candidate=1.45.0-SNAPSHOT~de8c19855d, baseline=1.45.0-SNAPSHOT~ab205f6a56
dateFormat X
axisFormat %s
section tracing
BytebuddyAgent [baseline] (712.338 ms) : 0, 712338
BytebuddyAgent [candidate] (712.721 ms) : 0, 712721
GlobalTracer [baseline] (318.887 ms) : 0, 318887
GlobalTracer [candidate] (318.964 ms) : 0, 318964
AppSec [baseline] (55.122 ms) : 0, 55122
AppSec [candidate] (55.255 ms) : 0, 55255
Remote Config [baseline] (664.925 µs) : 0, 665
Remote Config [candidate] (663.514 µs) : 0, 664
Telemetry [baseline] (8.887 ms) : 0, 8887
Telemetry [candidate] (8.891 ms) : 0, 8891
section iast
BytebuddyAgent [baseline] (836.198 ms) : 0, 836198
BytebuddyAgent [candidate] (830.355 ms) : 0, 830355
GlobalTracer [baseline] (313.276 ms) : 0, 313276
GlobalTracer [candidate] (310.798 ms) : 0, 310798
AppSec [baseline] (55.611 ms) : 0, 55611
AppSec [candidate] (56.083 ms) : 0, 56083
IAST [baseline] (21.134 ms) : 0, 21134
IAST [candidate] (20.771 ms) : 0, 20771
Remote Config [baseline] (595.904 µs) : 0, 596
Remote Config [candidate] (599.334 µs) : 0, 599
Telemetry [baseline] (8.312 ms) : 0, 8312
Telemetry [candidate] (8.23 ms) : 0, 8230
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (834.593 ms) : 0, 834593
BytebuddyAgent [candidate] (826.871 ms) : 0, 826871
GlobalTracer [baseline] (311.437 ms) : 0, 311437
GlobalTracer [candidate] (309.676 ms) : 0, 309676
AppSec [baseline] (57.901 ms) : 0, 57901
AppSec [candidate] (56.708 ms) : 0, 56708
IAST [baseline] (21.113 ms) : 0, 21113
IAST [candidate] (21.193 ms) : 0, 21193
Remote Config [baseline] (631.23 µs) : 0, 631
Remote Config [candidate] (618.467 µs) : 0, 618
Telemetry [baseline] (8.25 ms) : 0, 8250
Telemetry [candidate] (8.323 ms) : 0, 8323
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (827.574 ms) : 0, 827574
BytebuddyAgent [candidate] (826.755 ms) : 0, 826755
GlobalTracer [baseline] (307.922 ms) : 0, 307922
GlobalTracer [candidate] (309.195 ms) : 0, 309195
AppSec [baseline] (58.206 ms) : 0, 58206
AppSec [candidate] (58.192 ms) : 0, 58192
IAST [baseline] (20.583 ms) : 0, 20583
IAST [candidate] (20.638 ms) : 0, 20638
Remote Config [baseline] (581.448 µs) : 0, 581
Remote Config [candidate] (589.082 µs) : 0, 589
Telemetry [baseline] (8.081 ms) : 0, 8081
Telemetry [candidate] (8.136 ms) : 0, 8136
Startup time reports for petclinicgantt
title petclinic - global startup overhead: candidate=1.45.0-SNAPSHOT~de8c19855d, baseline=1.45.0-SNAPSHOT~ab205f6a56
dateFormat X
axisFormat %s
section tracing
Agent [baseline] (1.109 s) : 0, 1109242
Total [baseline] (10.453 s) : 0, 10452953
Agent [candidate] (1.113 s) : 0, 1113073
Total [candidate] (10.55 s) : 0, 10550310
section appsec
Agent [baseline] (1.25 s) : 0, 1249572
Total [baseline] (10.806 s) : 0, 10806251
Agent [candidate] (1.25 s) : 0, 1249828
Total [candidate] (10.7 s) : 0, 10699851
section iast
Agent [baseline] (1.248 s) : 0, 1247750
Total [baseline] (10.971 s) : 0, 10970573
Agent [candidate] (1.256 s) : 0, 1256252
Total [candidate] (10.995 s) : 0, 10995337
section profiling
Agent [baseline] (1.34 s) : 0, 1339790
Total [baseline] (10.859 s) : 0, 10859108
Agent [candidate] (1.341 s) : 0, 1341475
Total [candidate] (10.89 s) : 0, 10889741
gantt
title petclinic - break down per module: candidate=1.45.0-SNAPSHOT~de8c19855d, baseline=1.45.0-SNAPSHOT~ab205f6a56
dateFormat X
axisFormat %s
section tracing
BytebuddyAgent [baseline] (711.919 ms) : 0, 711919
BytebuddyAgent [candidate] (713.789 ms) : 0, 713789
GlobalTracer [baseline] (317.77 ms) : 0, 317770
GlobalTracer [candidate] (319.329 ms) : 0, 319329
AppSec [baseline] (55.127 ms) : 0, 55127
AppSec [candidate] (55.288 ms) : 0, 55288
Remote Config [baseline] (676.434 µs) : 0, 676
Remote Config [candidate] (695.855 µs) : 0, 696
Telemetry [baseline] (8.849 ms) : 0, 8849
Telemetry [candidate] (8.928 ms) : 0, 8928
section appsec
BytebuddyAgent [baseline] (730.408 ms) : 0, 730408
BytebuddyAgent [candidate] (730.438 ms) : 0, 730438
GlobalTracer [baseline] (316.158 ms) : 0, 316158
GlobalTracer [candidate] (316.701 ms) : 0, 316701
AppSec [baseline] (168.85 ms) : 0, 168850
AppSec [candidate] (168.843 ms) : 0, 168843
Remote Config [baseline] (645.18 µs) : 0, 645
Remote Config [candidate] (644.629 µs) : 0, 645
Telemetry [baseline] (8.253 ms) : 0, 8253
Telemetry [candidate] (7.95 ms) : 0, 7950
IAST [baseline] (20.571 ms) : 0, 20571
IAST [candidate] (20.566 ms) : 0, 20566
section iast
BytebuddyAgent [baseline] (834.605 ms) : 0, 834605
BytebuddyAgent [candidate] (840.515 ms) : 0, 840515
GlobalTracer [baseline] (310.292 ms) : 0, 310292
GlobalTracer [candidate] (312.044 ms) : 0, 312044
AppSec [baseline] (58.255 ms) : 0, 58255
AppSec [candidate] (58.759 ms) : 0, 58759
Remote Config [baseline] (601.245 µs) : 0, 601
Remote Config [candidate] (611.089 µs) : 0, 611
Telemetry [baseline] (8.189 ms) : 0, 8189
Telemetry [candidate] (8.238 ms) : 0, 8238
IAST [baseline] (20.819 ms) : 0, 20819
IAST [candidate] (20.977 ms) : 0, 20977
section profiling
ProfilingAgent [baseline] (94.885 ms) : 0, 94885
ProfilingAgent [candidate] (94.68 ms) : 0, 94680
BytebuddyAgent [baseline] (701.89 ms) : 0, 701890
BytebuddyAgent [candidate] (701.625 ms) : 0, 701625
GlobalTracer [baseline] (439.013 ms) : 0, 439013
GlobalTracer [candidate] (440.791 ms) : 0, 440791
AppSec [baseline] (53.827 ms) : 0, 53827
AppSec [candidate] (54.207 ms) : 0, 54207
Remote Config [baseline] (643.443 µs) : 0, 643
Remote Config [candidate] (660.882 µs) : 0, 661
Telemetry [baseline] (7.889 ms) : 0, 7889
Telemetry [candidate] (7.826 ms) : 0, 7826
Profiling [baseline] (94.911 ms) : 0, 94911
Profiling [candidate] (94.706 ms) : 0, 94706
LoadParameters
See matching parameters
SummaryFound 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 16 unstable metrics. Request duration reports for petclinicgantt
title petclinic - request duration [CI 0.99] : candidate=1.45.0-SNAPSHOT~de8c19855d, baseline=1.45.0-SNAPSHOT~ab205f6a56
dateFormat X
axisFormat %s
section baseline
no_agent (1.354 ms) : 1334, 1374
. : milestone, 1354,
appsec (1.745 ms) : 1721, 1769
. : milestone, 1745,
appsec_no_iast (1.736 ms) : 1711, 1761
. : milestone, 1736,
iast (1.502 ms) : 1479, 1525
. : milestone, 1502,
profiling (1.555 ms) : 1529, 1580
. : milestone, 1555,
tracing (1.47 ms) : 1445, 1495
. : milestone, 1470,
section candidate
no_agent (1.353 ms) : 1332, 1374
. : milestone, 1353,
appsec (1.727 ms) : 1703, 1751
. : milestone, 1727,
appsec_no_iast (1.769 ms) : 1745, 1794
. : milestone, 1769,
iast (1.506 ms) : 1483, 1529
. : milestone, 1506,
profiling (1.52 ms) : 1496, 1544
. : milestone, 1520,
tracing (1.501 ms) : 1477, 1525
. : milestone, 1501,
Request duration reports for insecure-bankgantt
title insecure-bank - request duration [CI 0.99] : candidate=1.45.0-SNAPSHOT~de8c19855d, baseline=1.45.0-SNAPSHOT~ab205f6a56
dateFormat X
axisFormat %s
section baseline
no_agent (378.209 µs) : 357, 399
. : milestone, 378,
iast (497.351 µs) : 476, 519
. : milestone, 497,
iast_FULL (653.514 µs) : 632, 675
. : milestone, 654,
iast_GLOBAL (521.306 µs) : 499, 544
. : milestone, 521,
iast_HARDCODED_SECRET_DISABLED (490.862 µs) : 470, 512
. : milestone, 491,
iast_INACTIVE (451.53 µs) : 431, 473
. : milestone, 452,
iast_TELEMETRY_OFF (479.095 µs) : 458, 500
. : milestone, 479,
tracing (449.77 µs) : 429, 471
. : milestone, 450,
section candidate
no_agent (374.988 µs) : 355, 395
. : milestone, 375,
iast (494.859 µs) : 473, 517
. : milestone, 495,
iast_FULL (651.524 µs) : 630, 673
. : milestone, 652,
iast_GLOBAL (523.028 µs) : 500, 546
. : milestone, 523,
iast_HARDCODED_SECRET_DISABLED (496.307 µs) : 475, 518
. : milestone, 496,
iast_INACTIVE (453.791 µs) : 432, 475
. : milestone, 454,
iast_TELEMETRY_OFF (485.861 µs) : 464, 508
. : milestone, 486,
tracing (452.306 µs) : 431, 473
. : milestone, 452,
DacapoParameters
See matching parameters
SummaryFound 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics. Execution time for tomcatgantt
title tomcat - execution time [CI 0.99] : candidate=1.45.0-SNAPSHOT~de8c19855d, baseline=1.45.0-SNAPSHOT~ab205f6a56
dateFormat X
axisFormat %s
section baseline
no_agent (1.472 ms) : 1460, 1483
. : milestone, 1472,
appsec (2.339 ms) : 2297, 2381
. : milestone, 2339,
iast (2.09 ms) : 2037, 2143
. : milestone, 2090,
iast_GLOBAL (2.133 ms) : 2079, 2186
. : milestone, 2133,
profiling (1.969 ms) : 1925, 2013
. : milestone, 1969,
tracing (1.94 ms) : 1899, 1981
. : milestone, 1940,
section candidate
no_agent (1.47 ms) : 1459, 1482
. : milestone, 1470,
appsec (2.341 ms) : 2299, 2382
. : milestone, 2341,
iast (2.092 ms) : 2039, 2145
. : milestone, 2092,
iast_GLOBAL (2.137 ms) : 2083, 2190
. : milestone, 2137,
profiling (2.426 ms) : 2184, 2667
. : milestone, 2426,
tracing (1.936 ms) : 1896, 1977
. : milestone, 1936,
Execution time for biojavagantt
title biojava - execution time [CI 0.99] : candidate=1.45.0-SNAPSHOT~de8c19855d, baseline=1.45.0-SNAPSHOT~ab205f6a56
dateFormat X
axisFormat %s
section baseline
no_agent (14.885 s) : 14885000, 14885000
. : milestone, 14885000,
appsec (15.001 s) : 15001000, 15001000
. : milestone, 15001000,
iast (18.812 s) : 18812000, 18812000
. : milestone, 18812000,
iast_GLOBAL (17.834 s) : 17834000, 17834000
. : milestone, 17834000,
profiling (14.903 s) : 14903000, 14903000
. : milestone, 14903000,
tracing (14.94 s) : 14940000, 14940000
. : milestone, 14940000,
section candidate
no_agent (14.926 s) : 14926000, 14926000
. : milestone, 14926000,
appsec (15.077 s) : 15077000, 15077000
. : milestone, 15077000,
iast (18.43 s) : 18430000, 18430000
. : milestone, 18430000,
iast_GLOBAL (17.886 s) : 17886000, 17886000
. : milestone, 17886000,
profiling (15.069 s) : 15069000, 15069000
. : milestone, 15069000,
tracing (15.14 s) : 15140000, 15140000
. : milestone, 15140000,
|
43c6e55
to
7362963
Compare
|
||
public SecurityControlMethodAdapter( | ||
final MethodVisitor mv, final SecurityControl securityControl, final String desc) { | ||
super(Opcodes.ASM8, mv); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is possibly not valid if the method uses newer Java?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i've updated it to ASM9, that is the most higher version that our library version supports (there is an experimental ASM10). I think that this cover new bytecode introduced until java 17
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, Santi, my previous comment wasn’t accurate. Let me provide some additional context with this response.
First of all, when we instantiate a new org.objectweb.asm.ClassReader
, it internally checks whether the class version is supported by the ASM version. If it isn’t, an IllegalArgumentException
is thrown. To handle this, I’ve added a safeguard to log that exception and avoid breaking the code.
Secondly, my earlier explanation about the opcode was incorrect. In this case, the opcode represents the ASM API version and, for the MethodVisitor
, it determines the functionalities available for that specific API version.
To confirm, the entire tracer uses ASM version 9.7, which can be verified in the libs.versions.toml
file.
dd-java-agent/agent-iast/src/test/java/foo/bar/securitycontrol/SecurityControlTestSuite.java
Outdated
Show resolved
Hide resolved
...-tests/iast-util/src/testFixtures/groovy/datadog/smoketest/AbstractIastSpringBootTest.groovy
Outdated
Show resolved
Hide resolved
...oke-tests/iast-util/src/main/java/datadog/smoketest/springboot/controller/XssController.java
Show resolved
Hide resolved
.../agent-iast/src/main/java/com/datadog/iast/securitycontrol/SecurityControlMethodAdapter.java
Outdated
Show resolved
Hide resolved
Hi! 👋 Thanks for your pull request! 🎉 To help us review it, please make sure to:
If you need help, please check our contributing guidelines. |
.../java-lang/src/main/java/datadog/trace/instrumentation/java/lang/RuntimeInstrumentation.java
Outdated
Show resolved
Hide resolved
ee746f9
to
dee1faf
Compare
...gent-iast/src/main/java/com/datadog/iast/securitycontrol/IastSecurityControlTransformer.java
Outdated
Show resolved
Hide resolved
...gent-iast/src/main/java/com/datadog/iast/securitycontrol/IastSecurityControlTransformer.java
Outdated
Show resolved
Hide resolved
internal-api/src/main/java/datadog/trace/api/iast/securitycontrol/SecurityControl.java
Outdated
Show resolved
Hide resolved
.../agent-iast/src/main/java/com/datadog/iast/securitycontrol/SecurityControlMethodAdapter.java
Outdated
Show resolved
Hide resolved
.../agent-iast/src/main/java/com/datadog/iast/securitycontrol/SecurityControlMethodAdapter.java
Outdated
Show resolved
Hide resolved
dd-java-agent/agent-iast/src/test/java/foo/bar/securitycontrol/SecurityControlTestSuite.java
Outdated
Show resolved
Hide resolved
Hey @manuel-alvarez-alvarez thanks a lot for your review of the SecurtyControl instrumentation, I've made all your suggested changes and added more tests. you can check them in my last commit. |
...gent-iast/src/main/java/com/datadog/iast/securitycontrol/IastSecurityControlTransformer.java
Outdated
Show resolved
Hide resolved
...t-iast/src/main/java/com/datadog/iast/securitycontrol/SecurityControlMethodClassVisitor.java
Outdated
Show resolved
Hide resolved
…tycontrol/SecurityControlMethodClassVisitor.java Co-authored-by: Manuel Álvarez Álvarez <[email protected]>
What Does This Do
Add secure marks to custom input validators and sanitisers via env variable
RFC (Milestone 0)
Motivation
IAST frequently identifies vulnerabilities that are reported despite the fact that the application executes custom validation mechanisms before reaching those points, effectively preventing any exploitation. As a result, security teams receive unnecessary alerts about potential vulnerabilities that are not actually exploitable.
There is a need for a mechanism to recognise when these custom validation methods are in place, to avoid false positives.
Additional Notes
Security Control Configuration Format
To configure a list of security controls, follow the format and field specifications below. This format uses specific separators to structure each security control entry.
Field Specifications:
Security Control Type: Defines the type of control
Accepted values: INPUT_VALIDATOR or SANITIZER
Secure Marks: List of vulnerability types to apply. Possible values are defined in vulnerability_schema. Optionally, use * to indicate applicability to all types.
Class/File: Fully qualified class or file implementing the security control.
Method: Name of the method implementing the security control.
Parameters(Optional): Fully qualified class parameters. Is used to discern between overloaded methods. If it’s not used and we have overloading security control will be applied to all the methods
Parameters to Validate (Optional): Zero-based list of parameter positions to validate, where the first parameter is position 0. This field applies only to INPUT_VALIDATOR types and is used when not all parameters require validation.
Separators:
; (Semicolon) - Separates each security control.
: (Colon) - Separates each field within a security control.
, (Comma) - Separates items within a field that accepts a list.
Note: Each security control is separated by ;, each field within a security control is separated by :, and items in lists (e.g., Secure Marks or Parameters to Validate) are separated by ,.
Contributor Checklist
type:
and (comp:
orinst:
) labels in addition to any usefull labelsclose
,fix
or any linking keywords when referencing an issue.Use
solves
instead, and assign the PR milestone to the issueJira ticket: APPSEC-55329