DataDog · daniel-romano-DD · Sep 25, 2024 · Sep 20, 2024 · Sep 20, 2024 · Sep 20, 2024
@@ -101,6 +101,7 @@ AspectsDefinitions.g.cs 				@DataDog/asm-dotnet
 /tracer/src/Datadog.Trace/ClrProfiler/AutoInstrumentation/HashAlgorithm/  @DataDog/asm-dotnet
 /tracer/src/Datadog.Trace/ClrProfiler/AutoInstrumentation/Process/  @DataDog/asm-dotnet
 /tracer/src/Datadog.Trace/ClrProfiler/AutoInstrumentation/StackTraceLeak/  @DataDog/asm-dotnet
+/tracer/src/Datadog.Trace/ClrProfiler/AutoInstrumentation/RestSharp/  @DataDog/asm-dotnet
 /tracer/test/test-applications/integrations/Samples.ProcessStart  @DataDog/asm-dotnet
 
 # Profiler

@@ -576,6 +576,13 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "RuntimeMetricsShutdown", "t
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Samples.Debugger.AspNetCore5", "tracer\test\test-applications\debugger\Samples.Debugger.AspNetCore5\Samples.Debugger.AspNetCore5.csproj", "{3978A7D5-7B6E-4152-9C3A-5852F1F6E223}"
 EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Generated", "Generated", "{E1B0F72C-991A-409D-9266-DE5ED1BD940E}"
+	ProjectSection(SolutionItems) = preProject
+		tracer\build\PackageVersionsLatestMajors.g.props = tracer\build\PackageVersionsLatestMajors.g.props
+		tracer\build\PackageVersionsLatestMinors.g.props = tracer\build\PackageVersionsLatestMinors.g.props
+		tracer\build\PackageVersionsLatestSpecific.g.props = tracer\build\PackageVersionsLatestSpecific.g.props
+	EndProjectSection
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -1609,6 +1616,7 @@ Global
 		{0D996EEE-7C04-4888-AF48-9C1E2F261A00} = {BAF8F246-3645-42AD-B1D0-0F7EAFBAB34A}
 		{C4ABF344-3263-45D5-A074-03FB206FF309} = {498A300E-D036-49B7-A43D-821D1CAF11A5}
 		{3978A7D5-7B6E-4152-9C3A-5852F1F6E223} = {16427BFB-B4C6-46A9-A290-8EA51FF73FEA}
+		{E1B0F72C-991A-409D-9266-DE5ED1BD940E} = {A0C5FBBB-CFB2-4FB9-B8F0-55676E9DCF06}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {160A1D00-1F5B-40F8-A155-621B4459D78F}
@@ -1661,7 +1669,6 @@ Global
 		tracer\test\test-applications\Samples.Shared\Samples.Shared.projitems*{536f1d82-d40c-4e33-b7fa-76a0f17bf672}*SharedItemsImports = 5
 		tracer\test\test-applications\Samples.Shared\Samples.Shared.projitems*{560e1104-9a6e-41e7-ab3d-85ba2740a0f7}*SharedItemsImports = 5
 		tracer\test\test-applications\Samples.Shared\Samples.Shared.projitems*{56de0d44-e9e5-48da-baea-2934b1e28d4e}*SharedItemsImports = 5
-		tracer\test\test-applications\Samples.Shared\Samples.Shared.projitems*{5a806f4b-39e7-4f38-b36f-f5cfc4f8760a}*SharedItemsImports = 13
 		tracer\test\test-applications\Samples.Shared\Samples.Shared.projitems*{5c2829c2-ed0d-414c-b5a0-2bfdca07b493}*SharedItemsImports = 5
 		tracer\test\test-applications\Samples.Shared\Samples.Shared.projitems*{5e290fa1-e87b-4782-b977-eb5fa6c96efe}*SharedItemsImports = 5
 		tracer\test\test-applications\Samples.Shared\Samples.Shared.projitems*{5ee6b6eb-b768-47ec-882b-8dcaca2b1360}*SharedItemsImports = 5

@@ -110,6 +110,7 @@ static IntegrationMap()
             NugetPackages.Add("Microsoft.AspNetCore.Session", new [] { "Microsoft.AspNetCore.Session" });
             NugetPackages.Add("Microsoft.TestPlatform.PlatformAbstractions", Array.Empty<string>());
             NugetPackages.Add("Microsoft.VisualStudio.TraceDataCollector", Array.Empty<string>());
+            NugetPackages.Add("RestSharp", Array.Empty<string>());
 
             // Manual instrumentation
             NugetPackages.Add("Datadog.Trace.Manual", new string[] { });

@@ -1141,6 +1141,13 @@
       }
     ]
   },
+  {
+    "integrationName": "Ssrf",
+    "assemblyName": "RestSharp",
+    "minAssemblyVersionInclusive": "104.0.0",
+    "maxAssemblyVersionInclusive": "112.65535.65535",
+    "packages": []
+  },
   {
     "integrationName": "StackExchangeRedis",
     "assemblyName": "StackExchange.Redis",
@@ -1284,4 +1291,4 @@
       }
     ]
   }
-]
+]
@@ -120,6 +120,7 @@
    <assembly fullname="Oracle.DataAccess" />
    <assembly fullname="Oracle.ManagedDataAccess" />
    <assembly fullname="RabbitMQ.Client" />
+   <assembly fullname="RestSharp" />
    <assembly fullname="Serilog" />
    <assembly fullname="ServiceStack.Redis" />
    <assembly fullname="StackExchange.Redis" />

@@ -0,0 +1,82 @@
+// <copyright file="UrlEncode2Integration.cs" company="Datadog">
+// Unless explicitly stated otherwise all files in this repository are licensed under the Apache 2 License.
+// This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2017 Datadog, Inc.
+// </copyright>
+
+#nullable enable
+
+using System;
+using System.ComponentModel;
+using Datadog.Trace.ClrProfiler.CallTarget;
+using Datadog.Trace.Iast;
+using Datadog.Trace.Vendors.Serilog;
+
+namespace Datadog.Trace.ClrProfiler.AutoInstrumentation.RestSharp;
+
+/// <summary>
+/// System.Security.Cryptography.HashAlgorithm instrumentation
+/// </summary>
+[InstrumentMethod(
+    AssemblyName = "RestSharp",
+    TypeName = "RestSharp.Extensions.StringExtensions",
+    MethodName = "UrlEncode",
+    ReturnTypeName = ClrNames.String,
+    ParameterTypeNames = new[] { ClrNames.String, "System.Text.Encoding" },
+    MinimumVersion = "104.0.0",
+    MaximumVersion = "112.*.*",
+    InstrumentationCategory = InstrumentationCategory.Iast,
+    IntegrationName = nameof(Configuration.IntegrationId.Ssrf))]
+[Browsable(false)]
+[EditorBrowsable(EditorBrowsableState.Never)]
+public class UrlEncode2Integration
+{
+    private static bool errorLogged = false;
+
+    /// <summary>
+    /// OnMethodBegin callback
+    /// </summary>
+    /// <param name="value">String being escaped.</param>
+    /// <param name="encoding">Encoding being used.</param>
+    /// <returns>Calltarget state value</returns>
+    internal static CallTargetState OnMethodBegin<TTarget>(string value, System.Text.Encoding encoding)
+    {
+        return new CallTargetState(null, value);
+    }
+
+    /// <summary>
+    /// OnMethodEnd callback
+    /// </summary>
+    /// <typeparam name="TTarget">Type of the target</typeparam>
+    /// <typeparam name="TReturn">Type of the return value</typeparam>
+    /// <param name="returnValue">Return value.</param>
+    /// <param name="exception">Exception instance in case the original code threw an exception.</param>
+    /// <param name="state">Calltarget state value</param>
+    /// <returns>CallTargetReturn</returns>
+    internal static CallTargetReturn<TReturn> OnMethodEnd<TTarget, TReturn>(TReturn returnValue, Exception exception, CallTargetState state)
+    {
+        try
+        {
+            if (exception is null && returnValue is string value)
+            {
+                if (state.State is string input)
+                {
+                    var newValue = IastModule.OnSsrfEscape(input, value);
+                    if (newValue is not null)
+                    {
+                        returnValue = (TReturn)(object)newValue;
+                    }
+                }
+            }
+        }
+        catch (Exception e)
+        {
+            if (!errorLogged)
+            {
+                Log.Error(e, "Error escaping Url with encoding");
+                errorLogged = true;
+            }
+        }
+
+        return new CallTargetReturn<TReturn>(returnValue);
+    }
+}
@@ -0,0 +1,81 @@
+// <copyright file="UrlEncodeIntegration.cs" company="Datadog">
+// Unless explicitly stated otherwise all files in this repository are licensed under the Apache 2 License.
+// This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2017 Datadog, Inc.
+// </copyright>
+
+#nullable enable
+
+using System;
+using System.ComponentModel;
+using Datadog.Trace.ClrProfiler.CallTarget;
+using Datadog.Trace.Iast;
+using Datadog.Trace.Vendors.Serilog;
+
+namespace Datadog.Trace.ClrProfiler.AutoInstrumentation.RestSharp;
+
+/// <summary>
+/// System.Security.Cryptography.HashAlgorithm instrumentation
+/// </summary>
+[InstrumentMethod(
+    AssemblyName = "RestSharp",
+    TypeName = "RestSharp.Extensions.StringExtensions",
+    MethodName = "UrlEncode",
+    ReturnTypeName = ClrNames.String,
+    ParameterTypeNames = new[] { ClrNames.String },
+    MinimumVersion = "104.0.0",
+    MaximumVersion = "112.*.*",
+    InstrumentationCategory = InstrumentationCategory.Iast,
+    IntegrationName = nameof(Configuration.IntegrationId.Ssrf))]
+[Browsable(false)]
+[EditorBrowsable(EditorBrowsableState.Never)]
+public class UrlEncodeIntegration
+{
+    private static bool errorLogged = false;
+
+    /// <summary>
+    /// OnMethodBegin callback
+    /// </summary>
+    /// <param name="value">String being escaped.</param>
+    /// <returns>Calltarget state value</returns>
+    internal static CallTargetState OnMethodBegin<TTarget>(string value)
+    {
+        return new CallTargetState(null, value);
+    }
+
+    /// <summary>
+    /// OnMethodEnd callback
+    /// </summary>
+    /// <typeparam name="TTarget">Type of the target</typeparam>
+    /// <typeparam name="TReturn">Type of the return value</typeparam>
+    /// <param name="returnValue">Return value.</param>
+    /// <param name="exception">Exception instance in case the original code threw an exception.</param>
+    /// <param name="state">Calltarget state value</param>
+    /// <returns>CallTargetReturn</returns>
+    internal static CallTargetReturn<TReturn> OnMethodEnd<TTarget, TReturn>(TReturn returnValue, Exception exception, CallTargetState state)
+    {
+        try
+        {
+            if (exception is null && returnValue is string value)
+            {
+                if (state.State is string input)
+                {
+                    var newValue = IastModule.OnSsrfEscape(input, value);
+                    if (newValue is not null)
+                    {
+                        returnValue = (TReturn)(object)newValue;
+                    }
+                }
+            }
+        }
+        catch (Exception e)
+        {
+            if (!errorLogged)
+            {
+                Log.Error(e, "Error escaping Url");
+                errorLogged = true;
+            }
+        }
+
+        return new CallTargetReturn<TReturn>(returnValue);
+    }
+}
@@ -237,7 +237,8 @@ internal static partial class AspectDefinitions
 "  [AspectMethodInsertBefore(\"System.Net.WebClient::UploadValuesTaskAsync(System.Uri,System.Collections.Specialized.NameValueCollection)\",\"\",[1],[False],[None],Default,[])] ReviewUri(System.Uri)",
 "  [AspectMethodInsertBefore(\"System.Net.WebClient::UploadValuesTaskAsync(System.Uri,System.String,System.Collections.Specialized.NameValueCollection)\",\"\",[2],[False],[None],Default,[])] ReviewUri(System.Uri)",
 "[AspectClass(\"System.Private.Corelib;System.Runtime\",[None],Sink,[Ssrf])] Datadog.Trace.Iast.Aspects.System.Net.WebUtilityAspect",
-"  [AspectMethodReplace(\"System.Net.WebUtility::HtmlEncode(System.String)\",\"\",[0],[False],[None],Default,[])] Review(System.String)",
+"  [AspectMethodReplace(\"System.Net.WebUtility::HtmlEncode(System.String)\",\"\",[0],[False],[None],Default,[])] XssEscape(System.String)",
+"  [AspectMethodReplace(\"System.Net.WebUtility::UrlEncode(System.String)\",\"\",[0],[False],[None],Default,[])] SsrfEscape(System.String)",
 "[AspectClass(\"System.Web\",[None],Propagation,[])] Datadog.Trace.Iast.Aspects.System.Web.HttpCookieAspect",
 "  [AspectMethodReplace(\"System.Web.HttpCookie::get_Value()\",\"\",[0],[False],[None],Default,[])] GetValue(System.Web.HttpCookie)",
 "[AspectClass(\"System.Web\",[None],Sink,[TrustBoundaryViolation])] Datadog.Trace.Iast.Aspects.System.Web.SessionState.HttpSessionStateBaseAspect",
@@ -256,7 +257,9 @@ internal static partial class AspectDefinitions
 "  [AspectMethodInsertBefore(\"System.Web.Mvc.Controller::Redirect(System.String)\",\"\",[0],[False],[None],Default,[])] Redirect(System.String)",
 "  [AspectMethodInsertBefore(\"System.Web.Mvc.Controller::RedirectPermanent(System.String)\",\"\",[0],[False],[None],Default,[])] Redirect(System.String)",
 "[AspectClass(\"System.Web;System.Runtime.Extensions;System.Web.HttpUtility\",[None],Sink,[Ssrf])] Datadog.Trace.Iast.Aspects.System.Net.HttpUtilityAspect",
-"  [AspectMethodReplace(\"System.Web.HttpUtility::HtmlEncode(System.String)\",\"\",[0],[False],[None],Default,[])] Review(System.String)",
+"  [AspectMethodReplace(\"System.Web.HttpUtility::HtmlEncode(System.String)\",\"\",[0],[False],[None],Default,[])] XssEscape(System.String)",
+"  [AspectMethodReplace(\"System.Web.HttpUtility::UrlEncode(System.String)\",\"\",[0],[False],[None],Default,[])] SsrfEscape(System.String)",
+"  [AspectMethodReplace(\"System.Web.HttpUtility::UrlEncode(System.String,System.Text.Encoding)\",\"\",[0],[False],[None],Default,[])] SsrfEscape(System.String,System.Text.Encoding)",
 "[AspectClass(\"System.Xml,System.Xml.ReaderWriter,System.Xml.XPath.XDocument\",[None],Sink,[XPathInjection])] Datadog.Trace.Iast.Aspects.SystemXmlAspect",
 "  [AspectMethodInsertBefore(\"System.Xml.XmlNode::SelectNodes(System.String)\",\"\",[0],[False],[None],Default,[])] ReviewPath(System.String)",
 "  [AspectMethodInsertBefore(\"System.Xml.XmlNode::SelectNodes(System.String,System.Xml.XmlNamespaceManager)\",\"\",[1],[False],[None],Default,[])] ReviewPath(System.String)",

@@ -602,6 +602,10 @@ static InstrumentationDefinitions()
                 new (NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("System.Data.SQLite"), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("System.Data.SQLite.SQLiteCommand"), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("ExecuteScalar"), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16StringArray("System.Object"), 1, 1, 0, 0, 2, 65535, 65535, NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String(assemblyFullName), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("Datadog.Trace.ClrProfiler.AutoInstrumentation.AdoNet.CommandExecuteScalarIntegration"), 0, 1),
                 new (NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("System.Data.SQLite"), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("System.Data.SQLite.SQLiteCommand"), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("ExecuteScalar"), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16StringArray("System.Object", "System.Data.CommandBehavior"), 2, 1, 0, 0, 2, 65535, 65535, NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String(assemblyFullName), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("Datadog.Trace.ClrProfiler.AutoInstrumentation.AdoNet.CommandExecuteScalarWithBehaviorIntegration"), 0, 1),
 
+                // Ssrf
+                new (NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("RestSharp"), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("RestSharp.Extensions.StringExtensions"), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("UrlEncode"), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16StringArray("System.String", "System.String", "System.Text.Encoding"), 3, 104, 0, 0, 112, 65535, 65535, NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String(assemblyFullName), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("Datadog.Trace.ClrProfiler.AutoInstrumentation.RestSharp.UrlEncode2Integration"), 0, 4),
+                new (NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("RestSharp"), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("RestSharp.Extensions.StringExtensions"), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("UrlEncode"), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16StringArray("System.String", "System.String"), 2, 104, 0, 0, 112, 65535, 65535, NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String(assemblyFullName), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("Datadog.Trace.ClrProfiler.AutoInstrumentation.RestSharp.UrlEncodeIntegration"), 0, 4),
+
                 // StackExchangeRedis
                 new (NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("StackExchange.Redis"), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("StackExchange.Redis.ConnectionMultiplexer"), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("ExecuteAsyncImpl"), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16StringArray("System.Threading.Tasks.Task`1[!!0]", "StackExchange.Redis.Message", "StackExchange.Redis.ResultProcessor`1[!!0]", "System.Object", "StackExchange.Redis.ServerEndPoint"), 5, 1, 0, 0, 2, 65535, 65535, NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String(assemblyFullName), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("Datadog.Trace.ClrProfiler.AutoInstrumentation.Redis.StackExchange.ConnectionMultiplexerExecuteAsyncImplIntegration"), 0, 1),
                 new (NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("StackExchange.Redis"), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("StackExchange.Redis.ConnectionMultiplexer"), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("ExecuteAsyncImpl"), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16StringArray("System.Threading.Tasks.Task`1[!!0]", "StackExchange.Redis.Message", "StackExchange.Redis.ResultProcessor`1[!!0]", "System.Object", "StackExchange.Redis.ServerEndPoint", "!!0"), 6, 2, 0, 0, 2, 65535, 65535, NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String(assemblyFullName), NativeCallTargetUnmanagedMemoryHelper.AllocateAndWriteUtf16String("Datadog.Trace.ClrProfiler.AutoInstrumentation.Redis.StackExchange.ConnectionMultiplexerExecuteAsyncImplIntegration_2_6_45"), 0, 1),
@@ -705,6 +709,7 @@ internal static bool IsInstrumentedAssembly(string assemblyName)
             || assemblyName.StartsWith("Oracle.DataAccess,", StringComparison.Ordinal)
             || assemblyName.StartsWith("Oracle.ManagedDataAccess,", StringComparison.Ordinal)
             || assemblyName.StartsWith("RabbitMQ.Client,", StringComparison.Ordinal)
+            || assemblyName.StartsWith("RestSharp,", StringComparison.Ordinal)
             || assemblyName.StartsWith("Serilog,", StringComparison.Ordinal)
             || assemblyName.StartsWith("ServiceStack.Redis,", StringComparison.Ordinal)
             || assemblyName.StartsWith("StackExchange.Redis,", StringComparison.Ordinal)
@@ -1091,6 +1096,9 @@ internal static bool IsInstrumentedAssembly(string assemblyName)
                 "Datadog.Trace.ClrProfiler.AutoInstrumentation.Redis.ServiceStack.RedisNativeClientSendReceiveIntegration"
                     or "Datadog.Trace.ClrProfiler.AutoInstrumentation.Redis.ServiceStack.RedisNativeClientSendReceiveIntegration_6_2_0"
                     => Datadog.Trace.Configuration.IntegrationId.ServiceStackRedis,
+                "Datadog.Trace.ClrProfiler.AutoInstrumentation.RestSharp.UrlEncode2Integration"
+                    or "Datadog.Trace.ClrProfiler.AutoInstrumentation.RestSharp.UrlEncodeIntegration"
+                    => Datadog.Trace.Configuration.IntegrationId.Ssrf,
                 "Datadog.Trace.ClrProfiler.AutoInstrumentation.Redis.StackExchange.ConnectionMultiplexerExecuteAsyncImplIntegration"
                     or "Datadog.Trace.ClrProfiler.AutoInstrumentation.Redis.StackExchange.ConnectionMultiplexerExecuteAsyncImplIntegration_2_6_45"
                     or "Datadog.Trace.ClrProfiler.AutoInstrumentation.Redis.StackExchange.ConnectionMultiplexerExecuteSyncImplIntegration"