@manuel-alvarez-alvarez manuel-alvarez-alvarez commented Feb 12, 2024

What Does This Do

The first time a tainted object is propagated where the original value comes from an object (e.g. the input stream of the body of a request), a new source is generated using the new char sequence as value.

Motivation

When tainting a non char sequence object (e.g. the InputStream of the body of a request), we set null as the value in the source; this null gets propagated with every taint operation, resulting in evidence with a null source value. This PR prevents the null from being propagated.

Additional Notes

Jira ticket: [PROJ-IDENT]
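The behaviour described above, as an added example that is not dd-trace-java's own code: a toy taint registry keyed by object identity, where a non char sequence object (the request body `InputStream`) is tainted with a null source value, and the first propagation to a char sequence either carries that null forward (pre-fix behaviour) or mints a new source whose value is the char sequence just produced (the fix). The `Source`, `TaintedObjects`, `propagate` and `evidenceValue` names, the `http.request.body` origin label and the sample body are assumptions made for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.IdentityHashMap;
import java.util.Map;

// Hypothetical model of the behaviour described in the PR; the class and method
// names here are assumptions, not dd-trace-java's own API.
public class TaintPropagationExample {

    /** A taint source: where the data came from and, when known, its value. */
    static final class Source {
        final String origin;
        final CharSequence value; // null when the tainted object is not a char sequence

        Source(String origin, CharSequence value) {
            this.origin = origin;
            this.value = value;
        }
    }

    /** Registry of tainted objects keyed by identity, as a taint map would be. */
    static final class TaintedObjects {
        private final Map<Object, Source> taints = new IdentityHashMap<>();
        private final boolean fixEnabled;

        TaintedObjects(boolean fixEnabled) {
            this.fixEnabled = fixEnabled;
        }

        /** Taint a non char sequence object (e.g. the request body stream): no value is available. */
        void taintObject(Object obj, String origin) {
            taints.put(obj, new Source(origin, null));
        }

        /** Propagate taint from {@code from} to a char sequence derived from it. */
        void propagate(Object from, CharSequence to) {
            Source src = taints.get(from);
            if (src == null) {
                return; // nothing to propagate
            }
            if (fixEnabled && src.value == null) {
                // First propagation from an object source: mint a new source whose value
                // is the char sequence we now have, instead of carrying null forward.
                src = new Source(src.origin, to);
            }
            taints.put(to, src);
        }

        /** Source value that would be reported as evidence for {@code obj}, or null. */
        CharSequence evidenceValue(Object obj) {
            Source src = taints.get(obj);
            return src == null ? null : src.value;
        }
    }

    /** Simulates a request body read from a tainted stream and then processed as text. */
    static CharSequence run(boolean fixEnabled) throws IOException {
        TaintedObjects taints = new TaintedObjects(fixEnabled);
        // Constructed sample body; in a real server this would be the request's InputStream.
        InputStream body = new ByteArrayInputStream("user=alice".getBytes(StandardCharsets.UTF_8));
        taints.taintObject(body, "http.request.body");

        // Reading the stream into a String is the first propagation: object -> char sequence.
        String raw = new String(body.readAllBytes(), StandardCharsets.UTF_8);
        taints.propagate(body, raw);

        // Further string operations propagate char sequence -> char sequence.
        String message = "body=" + raw;
        taints.propagate(raw, message);

        return taints.evidenceValue(message);
    }

    public static void main(String[] args) throws IOException {
        System.out.println("before fix: " + run(false));
        System.out.println("after fix:  " + run(true));
    }
}
```

Running `main` prints the evidence value for the final string in both modes: with `fixEnabled` false the null from the stream's source is what every downstream string inherits, so the evidence has no source value; with it true the source minted at the first object-to-string propagation is reused by later propagations, so the evidence carries the body text.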

pr-commenter bot commented Feb 12, 2024

Benchmarks

Startup

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | malvarez/iast-taint-propagation-object |
| git_commit_date | 1708197723 | 1708330578 |
| git_commit_sha | 1c33411 | 2222bf1 |
| release_version | 1.31.0-SNAPSHOT~1c33411256 | 1.31.0-SNAPSHOT~2222bf1dfa |

Matching parameters:

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1708333382 | 1708333382 |
| ci_job_id | 436974549 | 436974549 |
| ci_pipeline_id | 28495998 | 28495998 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 47 metrics, 7 unstable metrics.

Startup time reports for petclinic
gantt
    title petclinic - global startup overhead: candidate=1.31.0-SNAPSHOT~2222bf1dfa, baseline=1.31.0-SNAPSHOT~1c33411256

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.087 s) : 0, 1086833
Total [baseline] (9.267 s) : 0, 9266937
Agent [candidate] (1.082 s) : 0, 1081728
Total [candidate] (9.209 s) : 0, 9209029
section appsec
Agent [baseline] (1.175 s) : 0, 1175336
Total [baseline] (9.307 s) : 0, 9307136
Agent [candidate] (1.181 s) : 0, 1181081
Total [candidate] (9.328 s) : 0, 9328447
section iast
Agent [baseline] (1.211 s) : 0, 1211078
Total [baseline] (9.409 s) : 0, 9409011
Agent [candidate] (1.215 s) : 0, 1215311
Total [candidate] (9.414 s) : 0, 9413657
section profiling
Agent [baseline] (1.306 s) : 0, 1305645
Total [baseline] (9.484 s) : 0, 9484090
Agent [candidate] (1.308 s) : 0, 1308296
Total [candidate] (9.391 s) : 0, 9390994
  • baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.087 s | - |
| Agent | appsec | 1.175 s | 88.504 ms (8.1%) |
| Agent | iast | 1.211 s | 124.245 ms (11.4%) |
| Agent | profiling | 1.306 s | 218.812 ms (20.1%) |
| Total | tracing | 9.267 s | - |
| Total | appsec | 9.307 s | 40.199 ms (0.4%) |
| Total | iast | 9.409 s | 142.073 ms (1.5%) |
| Total | profiling | 9.484 s | 217.153 ms (2.3%) |

  • candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.082 s | - |
| Agent | appsec | 1.181 s | 99.353 ms (9.2%) |
| Agent | iast | 1.215 s | 133.583 ms (12.3%) |
| Agent | profiling | 1.308 s | 226.568 ms (20.9%) |
| Total | tracing | 9.209 s | - |
| Total | appsec | 9.328 s | 119.418 ms (1.3%) |
| Total | iast | 9.414 s | 204.628 ms (2.2%) |
| Total | profiling | 9.391 s | 181.966 ms (2.0%) |
gantt
    title petclinic - break down per module: candidate=1.31.0-SNAPSHOT~2222bf1dfa, baseline=1.31.0-SNAPSHOT~1c33411256

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (692.009 ms) : 0, 692009
BytebuddyAgent [candidate] (688.116 ms) : 0, 688116
GlobalTracer [baseline] (299.89 ms) : 0, 299890
GlobalTracer [candidate] (299.196 ms) : 0, 299196
AppSec [baseline] (51.852 ms) : 0, 51852
AppSec [candidate] (51.479 ms) : 0, 51479
Remote Config [baseline] (709.46 µs) : 0, 709
Remote Config [candidate] (704.06 µs) : 0, 704
Telemetry [baseline] (7.838 ms) : 0, 7838
Telemetry [candidate] (7.809 ms) : 0, 7809
section appsec
BytebuddyAgent [baseline] (685.164 ms) : 0, 685164
BytebuddyAgent [candidate] (688.57 ms) : 0, 688570
GlobalTracer [baseline] (296.898 ms) : 0, 296898
GlobalTracer [candidate] (298.85 ms) : 0, 298850
AppSec [baseline] (151.538 ms) : 0, 151538
AppSec [candidate] (151.731 ms) : 0, 151731
Remote Config [baseline] (632.19 µs) : 0, 632
Remote Config [candidate] (638.917 µs) : 0, 639
Telemetry [baseline] (6.899 ms) : 0, 6899
Telemetry [candidate] (6.932 ms) : 0, 6932
section iast
BytebuddyAgent [baseline] (802.098 ms) : 0, 802098
BytebuddyAgent [candidate] (805.1 ms) : 0, 805100
GlobalTracer [baseline] (290.108 ms) : 0, 290108
GlobalTracer [candidate] (291.254 ms) : 0, 291254
AppSec [baseline] (55.553 ms) : 0, 55553
AppSec [candidate] (57.789 ms) : 0, 57789
Remote Config [baseline] (622.212 µs) : 0, 622
Remote Config [candidate] (617.6 µs) : 0, 618
Telemetry [baseline] (6.585 ms) : 0, 6585
Telemetry [candidate] (6.614 ms) : 0, 6614
IAST [baseline] (21.479 ms) : 0, 21479
IAST [candidate] (19.349 ms) : 0, 19349
section profiling
BytebuddyAgent [baseline] (686.462 ms) : 0, 686462
BytebuddyAgent [candidate] (688.491 ms) : 0, 688491
GlobalTracer [baseline] (383.678 ms) : 0, 383678
GlobalTracer [candidate] (385.668 ms) : 0, 385668
AppSec [baseline] (53.48 ms) : 0, 53480
AppSec [candidate] (53.188 ms) : 0, 53188
Remote Config [baseline] (813.34 µs) : 0, 813
Remote Config [candidate] (744.253 µs) : 0, 744
Telemetry [baseline] (7.741 ms) : 0, 7741
Telemetry [candidate] (9.134 ms) : 0, 9134
ProfilingAgent [baseline] (116.786 ms) : 0, 116786
ProfilingAgent [candidate] (114.442 ms) : 0, 114442
Profiling [baseline] (116.81 ms) : 0, 116810
Profiling [candidate] (114.467 ms) : 0, 114467

Load

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| end_time | 2024-02-19T08:39:21 | 2024-02-19T08:58:00 |
| git_branch | master | malvarez/iast-taint-propagation-object |
| git_commit_date | 1708197723 | 1708330578 |
| git_commit_sha | 1c33411 | 2222bf1 |
| release_version | 1.31.0-SNAPSHOT~1c33411256 | 1.31.0-SNAPSHOT~2222bf1dfa |
| start_time | 2024-02-19T08:39:08 | 2024-02-19T08:57:46 |

Matching parameters:

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1708333382 | 1708333382 |
| ci_job_id | 436974549 | 436974549 |
| ci_pipeline_id | 28495998 | 28495998 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 14 unstable metrics.

Request duration reports for petclinic
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.31.0-SNAPSHOT~2222bf1dfa, baseline=1.31.0-SNAPSHOT~1c33411256
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.368 ms) : 1349, 1387
.   : milestone, 1368,
appsec (1.795 ms) : 1772, 1819
.   : milestone, 1795,
iast (1.555 ms) : 1531, 1578
.   : milestone, 1555,
profiling (1.531 ms) : 1507, 1555
.   : milestone, 1531,
tracing (1.495 ms) : 1472, 1518
.   : milestone, 1495,
section candidate
no_agent (1.35 ms) : 1332, 1369
.   : milestone, 1350,
appsec (1.804 ms) : 1781, 1828
.   : milestone, 1804,
iast (1.539 ms) : 1515, 1562
.   : milestone, 1539,
profiling (1.539 ms) : 1516, 1563
.   : milestone, 1539,
tracing (1.527 ms) : 1503, 1552
.   : milestone, 1527,
  • baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.368 ms [1.349 ms, 1.387 ms] | - |
| appsec | 1.795 ms [1.772 ms, 1.819 ms] | 427.313 µs (31.2%) |
| iast | 1.555 ms [1.531 ms, 1.578 ms] | 186.853 µs (13.7%) |
| profiling | 1.531 ms [1.507 ms, 1.555 ms] | 163.279 µs (11.9%) |
| tracing | 1.495 ms [1.472 ms, 1.518 ms] | 127.126 µs (9.3%) |

  • candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.35 ms [1.332 ms, 1.369 ms] | - |
| appsec | 1.804 ms [1.781 ms, 1.828 ms] | 453.953 µs (33.6%) |
| iast | 1.539 ms [1.515 ms, 1.562 ms] | 188.02 µs (13.9%) |
| profiling | 1.539 ms [1.516 ms, 1.563 ms] | 188.968 µs (14.0%) |
| tracing | 1.527 ms [1.503 ms, 1.552 ms] | 176.911 µs (13.1%) |
Request duration reports for insecure-bank
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.31.0-SNAPSHOT~2222bf1dfa, baseline=1.31.0-SNAPSHOT~1c33411256
    dateFormat X
    axisFormat %s
section baseline
no_agent (376.214 µs) : 355, 398
.   : milestone, 376,
iast (480.938 µs) : 461, 501
.   : milestone, 481,
iast_FULL (540.9 µs) : 521, 561
.   : milestone, 541,
iast_GLOBAL (514.812 µs) : 493, 537
.   : milestone, 515,
iast_HARDCODED_SECRET_DISABLED (482.996 µs) : 463, 503
.   : milestone, 483,
iast_INACTIVE (454.337 µs) : 433, 476
.   : milestone, 454,
iast_TELEMETRY_OFF (480.509 µs) : 460, 501
.   : milestone, 481,
tracing (453.895 µs) : 433, 475
.   : milestone, 454,
section candidate
no_agent (370.347 µs) : 350, 391
.   : milestone, 370,
iast (478.793 µs) : 458, 499
.   : milestone, 479,
iast_FULL (545.023 µs) : 525, 566
.   : milestone, 545,
iast_GLOBAL (508.928 µs) : 487, 530
.   : milestone, 509,
iast_HARDCODED_SECRET_DISABLED (483.419 µs) : 462, 504
.   : milestone, 483,
iast_INACTIVE (452.961 µs) : 432, 473
.   : milestone, 453,
iast_TELEMETRY_OFF (482.748 µs) : 461, 504
.   : milestone, 483,
tracing (446.794 µs) : 426, 467
.   : milestone, 447,
  • baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 376.214 µs [354.683 µs, 397.745 µs] | - |
| iast | 480.938 µs [460.529 µs, 501.348 µs] | 104.724 µs (27.8%) |
| iast_FULL | 540.9 µs [520.674 µs, 561.125 µs] | 164.685 µs (43.8%) |
| iast_GLOBAL | 514.812 µs [492.966 µs, 536.659 µs] | 138.598 µs (36.8%) |
| iast_HARDCODED_SECRET_DISABLED | 482.996 µs [462.532 µs, 503.46 µs] | 106.781 µs (28.4%) |
| iast_INACTIVE | 454.337 µs [433.163 µs, 475.512 µs] | 78.123 µs (20.8%) |
| iast_TELEMETRY_OFF | 480.509 µs [459.609 µs, 501.408 µs] | 104.294 µs (27.7%) |
| tracing | 453.895 µs [433.148 µs, 474.641 µs] | 77.68 µs (20.6%) |

  • candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 370.347 µs [350.151 µs, 390.544 µs] | - |
| iast | 478.793 µs [458.49 µs, 499.095 µs] | 108.445 µs (29.3%) |
| iast_FULL | 545.023 µs [524.519 µs, 565.528 µs] | 174.676 µs (47.2%) |
| iast_GLOBAL | 508.928 µs [487.426 µs, 530.43 µs] | 138.581 µs (37.4%) |
| iast_HARDCODED_SECRET_DISABLED | 483.419 µs [462.436 µs, 504.402 µs] | 113.072 µs (30.5%) |
| iast_INACTIVE | 452.961 µs [432.429 µs, 473.493 µs] | 82.614 µs (22.3%) |
| iast_TELEMETRY_OFF | 482.748 µs [461.206 µs, 504.29 µs] | 112.401 µs (30.4%) |
| tracing | 446.794 µs [426.244 µs, 467.343 µs] | 76.446 µs (20.6%) |

@manuel-alvarez-alvarez manuel-alvarez-alvarez added the comp: asm iast Application Security Management (IAST) label Feb 12, 2024
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-taint-propagation-object branch from fd02c60 to 11d6e36 Compare February 14, 2024 08:49
@manuel-alvarez-alvarez manuel-alvarez-alvarez marked this pull request as ready for review February 14, 2024 20:11
@manuel-alvarez-alvarez manuel-alvarez-alvarez requested a review from a team as a code owner February 14, 2024 20:11
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-taint-propagation-object branch from 11d6e36 to 5acecd5 Compare February 16, 2024 08:44