IAST: support webflux

Author: cataphract

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/Range.java

@@ -2,6 +2,7 @@
 
 import com.datadog.iast.model.json.SourceIndex;
 import java.util.Objects;
+import java.util.StringJoiner;
 import javax.annotation.Nonnegative;
 import javax.annotation.Nonnull;
 
@@ -36,6 +37,15 @@ public boolean equals(Object o) {
     return start == range.start && length == range.length && Objects.equals(source, range.source);
   }
 
+  @Override
+  public String toString() {
+    return new StringJoiner(", ", Range.class.getSimpleName() + "[", "]")
+        .add("start=" + start)
+        .add("length=" + length)
+        .add("source=" + source)
+        .toString();
+  }
+
   @Override
   public int hashCode() {
     return Objects.hash(start, length, source);

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/Source.java

@@ -1,8 +1,10 @@
 package com.datadog.iast.model;
 
 import com.datadog.iast.model.json.SourceTypeString;
+import datadog.trace.api.iast.SourceTypes;
 import datadog.trace.api.iast.Taintable;
 import java.util.Objects;
+import java.util.StringJoiner;
 
 public final class Source implements Taintable.Source {
   private final @SourceTypeString byte origin;
@@ -30,6 +32,15 @@ public String getValue() {
     return value;
   }
 
+  @Override
+  public String toString() {
+    return new StringJoiner(", ", Source.class.getSimpleName() + "[", "]")
+        .add("origin=" + SourceTypes.toString(origin))
+        .add("name='" + name + "'")
+        .add("value='" + value + "'")
+        .toString();
+  }
+
   @Override
   public boolean equals(Object o) {
     if (this == o) return true;

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/propagation/PropagationModuleImpl.java

@@ -96,6 +96,19 @@ public void taint(final byte origin, @Nullable final Object... toTaintArray) {
     }
   }
 
+  @Override
+  public boolean isTainted(@Nullable Object obj) {
+    final TaintedObjects taintedObjects = getTaintedObjects();
+    if (obj == null) {
+      return false;
+    }
+
+    if (taintedObjects == null) {
+      return false;
+    }
+    return taintedObjects.get(obj) != null;
+  }
+
   private static Source getFirstSource(final TaintedObjects taintedObjects, final Object object) {
     if (object instanceof Taintable) {
       return (Source) ((Taintable) object).$$DD$getSource();

dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/sink/SqlInjectionModuleTest.groovy

@@ -9,7 +9,7 @@ import datadog.trace.api.gateway.RequestContextSlot
 import datadog.trace.api.iast.sink.SqlInjectionModule
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan
 
-import static com.datadog.iast.IastAgentTestRunner.EMPTY_SOURCE
+import static com.datadog.iast.test.IastAgentTestRunner.EMPTY_SOURCE
 
 class SqlInjectionModuleTest extends IastModuleImplTestBase {
 

…/datadog/iast/IastAgentTestRunner.groovy …dog/iast/test/IastAgentTestRunner.groovydd-java-agent/agent-iast/src/testFixtures/groovy/com/datadog/iast/IastAgentTestRunner.groovy renamed to dd-java-agent/agent-iast/src/testFixtures/groovy/com/datadog/iast/test/IastAgentTestRunner.groovy dd-java-agent/agent-iast/src/testFixtures/groovy/com/datadog/iast/IastAgentTestRunner.groovy renamed to dd-java-agent/agent-iast/src/testFixtures/groovy/com/datadog/iast/test/IastAgentTestRunner.groovy

@@ -1,14 +1,13 @@
-package com.datadog.iast
+package com.datadog.iast.test
 
+import com.datadog.iast.IastRequestContext
 import com.datadog.iast.model.Source
 import com.datadog.iast.taint.TaintedObjects
-import com.datadog.iast.telemetry.NoOpTelemetry
 import datadog.trace.agent.test.AgentTestRunner
 import datadog.trace.api.gateway.CallbackProvider
 import datadog.trace.api.gateway.Events
 import datadog.trace.api.gateway.Flow
 import datadog.trace.api.gateway.RequestContextSlot
-import datadog.trace.api.iast.InstrumentationBridge
 import datadog.trace.api.iast.SourceTypes
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan
 import datadog.trace.bootstrap.instrumentation.api.AgentTracer
@@ -17,31 +16,32 @@ import datadog.trace.core.DDSpan
 
 import java.util.function.Supplier
 
-import static datadog.trace.bootstrap.instrumentation.api.AgentTracer.get
-
-class IastAgentTestRunner extends AgentTestRunner {
+class IastAgentTestRunner extends AgentTestRunner implements IastRequestContextPreparationTrait {
   public static final EMPTY_SOURCE = new Source(SourceTypes.NONE, '', '')
 
   void configurePreAgent() {
     super.configurePreAgent()
     injectSysConfig('dd.iast.enabled', 'true')
   }
 
+  protected Closure getRequestEndAction() { }
+
   void setupSpec() {
-    // Register the Instrumentation Gateway callbacks
-    def ss = AgentTracer.get().getSubscriptionService(RequestContextSlot.IAST)
-    IastSystem.start(ss, new NoopOverheadController(), new NoOpTelemetry())
+    iastSystemSetup(requestEndAction)
   }
 
   void cleanupSpec() {
-    get().getSubscriptionService(RequestContextSlot.IAST).reset()
-    InstrumentationBridge.clearIastModules()
+    iastSystemCleanup()
   }
 
-  protected TaintedObjects getTaintedObjects() {
+  protected TaintedObjects getLocalTaintedObjects() {
     IastRequestContext.get().taintedObjects
   }
 
+  protected TaintedObjectCollection getLocalTaintedObjectCollection() {
+    new TaintedObjectCollection(localTaintedObjects)
+  }
+
   protected DDSpan runUnderIastTrace(Closure cl) {
     CallbackProvider iastCbp = TEST_TRACER.getCallbackProvider(RequestContextSlot.IAST)
     Supplier<Flow<Object>> reqStartCb = iastCbp.getCallback(Events.EVENTS.requestStarted())

dd-java-agent/agent-iast/src/testFixtures/groovy/com/datadog/iast/test/IastRequestContextPreparationTrait.groovy

@@ -0,0 +1,102 @@
+package com.datadog.iast.test
+
+import com.datadog.iast.IastRequestContext
+import com.datadog.iast.IastSystem
+import com.datadog.iast.model.Range
+import com.datadog.iast.model.Source
+import com.datadog.iast.taint.TaintedMap
+import com.datadog.iast.taint.TaintedObject
+import com.datadog.iast.taint.TaintedObjects
+import com.datadog.iast.telemetry.NoOpTelemetry
+import datadog.trace.api.gateway.CallbackProvider
+import datadog.trace.api.gateway.EventType
+import datadog.trace.api.gateway.Events
+import datadog.trace.api.gateway.Flow
+import datadog.trace.api.gateway.IGSpanInfo
+import datadog.trace.api.gateway.RequestContext
+import datadog.trace.api.gateway.RequestContextSlot
+import datadog.trace.api.iast.InstrumentationBridge
+import datadog.trace.bootstrap.instrumentation.api.AgentTracer
+
+import java.util.function.BiFunction
+import java.util.function.Supplier
+
+import static datadog.trace.bootstrap.instrumentation.api.AgentTracer.get
+
+trait IastRequestContextPreparationTrait {
+
+  static void iastSystemSetup(Closure reqEndAction = null) {
+    def ss = AgentTracer.get().getSubscriptionService(RequestContextSlot.IAST)
+    IastSystem.start(ss, new NoopOverheadController(), new NoOpTelemetry())
+
+    EventType<Supplier<Flow<Object>>> requestStarted = Events.get().requestStarted()
+    EventType<BiFunction<RequestContext, IGSpanInfo, Flow<Void>>> requestEnded =
+      Events.get().requestEnded()
+
+    // get original callbacks
+    CallbackProvider provider = AgentTracer.get().getCallbackProvider(RequestContextSlot.IAST)
+    def origRequestStarted = provider.getCallback(requestStarted)
+    def origRequestEnded = provider.getCallback(requestEnded)
+
+    // wrap the original IG callbacks
+    ss.reset()
+    ss.registerCallback(requestStarted, new TaintedMapSaveStrongRefsRequestStarted(orig: origRequestStarted))
+    if (reqEndAction != null) {
+      ss.registerCallback(requestEnded, new TaintedMapSavingRequestEnded(
+        original: origRequestEnded, beforeAction: reqEndAction))
+    }
+  }
+
+  static void iastSystemCleanup() {
+    get().getSubscriptionService(RequestContextSlot.IAST).reset()
+    InstrumentationBridge.clearIastModules()
+  }
+
+  static class TaintedMapSaveStrongRefsRequestStarted implements Supplier<Flow<Object>> {
+    Supplier<Flow<Object>> orig
+
+    @Override
+    Flow<Object> get() {
+      IastRequestContext reqCtx = orig.get().result
+      def taintedObjectWrapper = new TaintedObjectSaveStrongReference(delegate: reqCtx.taintedObjects)
+      new Flow.ResultFlow<>(new IastRequestContext(taintedObjectWrapper))
+    }
+
+    static class TaintedObjectSaveStrongReference implements TaintedObjects {
+      @Delegate
+      TaintedObjects delegate
+
+      List<Object> objects = []
+
+      TaintedMap getTaintedMap() {
+        delegate.map
+      }
+
+      TaintedObject taintInputString(String obj, Source source) {
+        objects << obj
+        this.delegate.taintInputString(obj, source)
+      }
+
+      TaintedObject taintInputObject(Object obj, Source source) {
+        objects << obj
+        this.delegate.taintInputObject(obj, source)
+      }
+
+      TaintedObject taint(Object obj, Range[] ranges) {
+        objects << obj
+        this.delegate.taintInputString(obj, ranges)
+      }
+    }
+  }
+
+  static class TaintedMapSavingRequestEnded implements BiFunction<RequestContext, IGSpanInfo, Flow<Void>> {
+    BiFunction<RequestContext, IGSpanInfo, Flow<Void>> original
+    Closure beforeAction
+
+    @Override
+    Flow<Void> apply(RequestContext requestContext, IGSpanInfo igSpanInfo) {
+      beforeAction.call(requestContext, igSpanInfo)
+      original.apply(requestContext, igSpanInfo)
+    }
+  }
+}

dd-java-agent/agent-iast/src/testFixtures/groovy/com/datadog/iast/test/IastRequestTestRunner.groovy

@@ -0,0 +1,34 @@
+package com.datadog.iast.test
+
+import com.datadog.iast.IastRequestContext
+import com.datadog.iast.taint.TaintedObjects
+import datadog.trace.api.gateway.IGSpanInfo
+import datadog.trace.api.gateway.RequestContext
+
+import java.util.concurrent.LinkedBlockingQueue
+import java.util.concurrent.TimeUnit
+
+class IastRequestTestRunner extends IastAgentTestRunner implements IastRequestContextPreparationTrait {
+
+  private static final LinkedBlockingQueue<TaintedObjectCollection> TAINTED_OBJECTS = new LinkedBlockingQueue<>()
+
+  @Override
+  protected Closure getRequestEndAction() {
+    { RequestContext requestContext, IGSpanInfo igSpanInfo ->
+      // request end action
+      IastRequestContext iastRequestContext = IastRequestContext.get(requestContext)
+      if (iastRequestContext) {
+        TaintedObjects taintedObjects = iastRequestContext.getTaintedObjects()
+        TAINTED_OBJECTS.offer(new TaintedObjectCollection(taintedObjects))
+      }
+    }
+  }
+
+  void cleanup() {
+    TAINTED_OBJECTS.clear()
+  }
+
+  protected TaintedObjectCollection getFinReqTaintedObjects() {
+    TAINTED_OBJECTS.poll(15, TimeUnit.SECONDS)
+  }
+}

…tadog/iast/NoopOverheadController.groovy …/iast/test/NoopOverheadController.groovydd-java-agent/agent-iast/src/testFixtures/groovy/com/datadog/iast/NoopOverheadController.groovy renamed to dd-java-agent/agent-iast/src/testFixtures/groovy/com/datadog/iast/test/NoopOverheadController.groovy dd-java-agent/agent-iast/src/testFixtures/groovy/com/datadog/iast/NoopOverheadController.groovy renamed to dd-java-agent/agent-iast/src/testFixtures/groovy/com/datadog/iast/test/NoopOverheadController.groovy

@@ -1,4 +1,4 @@
-package com.datadog.iast
+package com.datadog.iast.test
 
 import com.datadog.iast.overhead.Operation
 import com.datadog.iast.overhead.OverheadController