
Add LFI exploit prevention support #7487

Merged (20 commits), Sep 16, 2024
Conversation

@jandro996 jandro996 (Member) commented Aug 22, 2024

What Does This Do

  • Gives support to LFI exploit prevention by updating IAST Path traversal callsites

Motivation

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-46822
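An added example, not code from the dd-trace-java project or from this PR: a simplified RASP-style LFI check of the kind a path-traversal call site (a `java.io.File` or `java.nio.file.Path` constructor instrumented by IAST) would consult before letting the open proceed. The class name `LfiGuard`, the `Verdict` enum, the `check(...)` signature and the sample requests in `main` are all assumptions; the project's own CallSite and Gateway plumbing is not modelled.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

// Hypothetical LFI guard: decides, at a file-open call site, whether the path
// being opened is an attacker-driven local file inclusion. Not dd-trace-java code.
public final class LfiGuard {

    /** Outcome the (hypothetical) call-site advice would act on. */
    public enum Verdict { ALLOW, BLOCK }

    private final Path allowedRoot;

    public LfiGuard(Path allowedRoot) {
        // Canonicalise once so startsWith() below compares like with like.
        this.allowedRoot = allowedRoot.toAbsolutePath().normalize();
    }

    /**
     * Decide whether opening {@code candidate} should be allowed, given the
     * request-derived strings (query, body and header values) seen for this
     * request. Two signals are combined so that legitimate server-side reads
     * outside the root are not blocked:
     *   1. the normalised path escapes the allowed root, and
     *   2. a request-derived value that carries traversal or an absolute path
     *      actually appears in the path being opened.
     */
    public Verdict check(String candidate, List<String> requestValues) {
        Path resolved = Paths.get(candidate).toAbsolutePath().normalize();
        boolean escapesRoot = !resolved.startsWith(allowedRoot);
        boolean attackerControlled = requestValues.stream()
                .anyMatch(v -> looksLikeTraversal(v) && influences(v, candidate));
        return (escapesRoot && attackerControlled) ? Verdict.BLOCK : Verdict.ALLOW;
    }

    /** Heuristic on the raw request value: "../", a bare "..", or an absolute path. */
    static boolean looksLikeTraversal(String value) {
        String v = value.replace('\\', '/');
        return v.contains("../") || v.equals("..") || v.startsWith("/");
    }

    /** Did this request value end up (verbatim) inside the path being opened? */
    static boolean influences(String value, String candidate) {
        return !value.isEmpty()
                && candidate.replace('\\', '/').contains(value.replace('\\', '/'));
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("uploads");
        LfiGuard guard = new LfiGuard(root);

        // Constructed sample requests (not captured traffic).
        String benign = root.resolve("report.txt").toString();
        String traversal = root.resolve("../../etc/passwd").toString();

        // Request value stays inside the root: allowed.
        System.out.println("benign:    " + guard.check(benign, List.of("report.txt")));
        // Request value "../../etc/passwd" drives the path out of the root: blocked.
        System.out.println("traversal: " + guard.check(traversal, List.of("../../etc/passwd")));
        // Escapes the root, but no request value caused it (server-side read): allowed.
        System.out.println("internal:  " + guard.check("/etc/hosts", List.of("report.txt")));
    }
}
```

The point of requiring both signals is the one a RASP check at a call site has to get right: blocking on "path outside the web root" alone would break every configuration or log read the application does on its own behalf, while blocking on "request value contains ../" alone fires on parameters that never reach the filesystem. Tying the decision to the request value actually reaching the instrumented call keeps the false-positive surface to paths the attacker demonstrably shaped.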

@pr-commenter pr-commenter bot commented Aug 22, 2024

Benchmarks

Startup

Parameters

parameter         baseline                     candidate
git_branch        master                       alejandro.gonzalez/rasp-fli
git_commit_date   1726472049                   1726472074
git_commit_sha    afdbcba                      b26c58d
release_version   1.40.0-SNAPSHOT~afdbcba335   1.40.0-SNAPSHOT~b26c58d0bb

Matching parameters (identical for baseline and candidate):
application      insecure-bank
ci_job_date      1726474355
ci_job_id        640047674
ci_pipeline_id   44385414
cpu_model        Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
module           Agent
parent           None
variant          iast
Summary

Found 3 performance improvements and 0 performance regressions. Performance is the same for 47 metrics; 13 metrics are unstable.

scenario                                                verdict   Δ mean execution_time                              candidate mean   baseline mean
scenario:startup:insecure-bank:tracing:Remote Config    better    [-99.374µs; -46.546µs] or [-13.529%; -6.337%]      661.558µs        734.517µs
scenario:startup:petclinic:profiling:Remote Config      better    [-58.151µs; -21.765µs] or [-8.173%; -3.059%]       671.535µs        711.493µs
scenario:startup:petclinic:tracing:Remote Config        better    [-65.954µs; -17.627µs] or [-9.104%; -2.433%]       682.628µs        724.418µs
Startup time reports for insecure-bank

(Gantt chart "insecure-bank - global startup overhead: candidate=1.40.0-SNAPSHOT~b26c58d0bb, baseline=1.40.0-SNAPSHOT~afdbcba335"; the Agent and Total durations per variant that it plots are the ones listed in the tables below.)
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.074 s -
Agent iast 1.2 s 125.681 ms (11.7%)
Agent iast_HARDCODED_SECRET_DISABLED 1.19 s 115.977 ms (10.8%)
Agent iast_TELEMETRY_OFF 1.199 s 125.193 ms (11.7%)
Total tracing 8.601 s -
Total iast 8.992 s 390.708 ms (4.5%)
Total iast_HARDCODED_SECRET_DISABLED 8.976 s 375.082 ms (4.4%)
Total iast_TELEMETRY_OFF 8.994 s 392.553 ms (4.6%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.072 s -
Agent iast 1.192 s 120.038 ms (11.2%)
Agent iast_HARDCODED_SECRET_DISABLED 1.199 s 127.713 ms (11.9%)
Agent iast_TELEMETRY_OFF 1.187 s 115.329 ms (10.8%)
Total tracing 8.561 s -
Total iast 8.989 s 427.922 ms (5.0%)
Total iast_HARDCODED_SECRET_DISABLED 8.985 s 423.905 ms (5.0%)
Total iast_TELEMETRY_OFF 8.963 s 401.639 ms (4.7%)
Break down per module (insecure-bank; candidate=1.40.0-SNAPSHOT~b26c58d0bb, baseline=1.40.0-SNAPSHOT~afdbcba335):

variant: tracing
module           baseline      candidate
BytebuddyAgent   686.344 ms    684.263 ms
GlobalTracer     312.853 ms    313.02 ms
AppSec           52.612 ms     52.377 ms
Remote Config    734.517 µs    661.558 µs
Telemetry        7.715 ms      7.634 ms

variant: iast
module           baseline      candidate
BytebuddyAgent   799.195 ms    793.522 ms
GlobalTracer     301.809 ms    300.418 ms
AppSec           53.21 ms      53.141 ms
Remote Config    682.656 µs    632.266 µs
Telemetry        7.374 ms      7.437 ms
IAST             23.613 ms     22.879 ms

variant: iast_HARDCODED_SECRET_DISABLED
module           baseline      candidate
BytebuddyAgent   791.856 ms    797.616 ms
GlobalTracer     299.502 ms    302.176 ms
AppSec           54.148 ms     54.702 ms
Remote Config    613.811 µs    608.712 µs
Telemetry        7.395 ms      8.294 ms
IAST             22.774 ms     22.214 ms

variant: iast_TELEMETRY_OFF
module           baseline      candidate
BytebuddyAgent   797.423 ms    788.702 ms
GlobalTracer     302.328 ms    299.989 ms
AppSec           52.126 ms     52.527 ms
Remote Config    624.624 µs    605.79 µs
Telemetry        8.161 ms      8.108 ms
IAST             24.645 ms     23.406 ms
Startup time reports for petclinic

(Gantt chart "petclinic - global startup overhead: candidate=1.40.0-SNAPSHOT~b26c58d0bb, baseline=1.40.0-SNAPSHOT~afdbcba335"; the Agent and Total durations per variant that it plots are the ones listed in the tables below.)
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.068 s -
Agent appsec 1.202 s 134.249 ms (12.6%)
Agent iast 1.201 s 133.133 ms (12.5%)
Agent profiling 1.266 s 198.372 ms (18.6%)
Total tracing 10.36 s -
Total appsec 10.627 s 267.169 ms (2.6%)
Total iast 10.846 s 486.573 ms (4.7%)
Total profiling 10.588 s 228.899 ms (2.2%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.068 s -
Agent appsec 1.205 s 137.546 ms (12.9%)
Agent iast 1.202 s 134.404 ms (12.6%)
Agent profiling 1.269 s 201.622 ms (18.9%)
Total tracing 10.415 s -
Total appsec 10.621 s 206.543 ms (2.0%)
Total iast 10.879 s 464.655 ms (4.5%)
Total profiling 10.601 s 186.47 ms (1.8%)
Break down per module (petclinic; candidate=1.40.0-SNAPSHOT~b26c58d0bb, baseline=1.40.0-SNAPSHOT~afdbcba335):

variant: tracing
module           baseline      candidate
BytebuddyAgent   682.063 ms    681.545 ms
GlobalTracer     311.742 ms    311.551 ms
AppSec           51.798 ms     52.581 ms
Remote Config    724.418 µs    682.628 µs
Telemetry        7.547 ms      7.615 ms

variant: appsec
module           baseline      candidate
BytebuddyAgent   702.33 ms     705.777 ms
GlobalTracer     304.396 ms    305.053 ms
AppSec           162.779 ms    161.499 ms
Remote Config    641.966 µs    647.739 µs
Telemetry        8.282 ms      8.832 ms
IAST             19.406 ms     19.395 ms

variant: iast
module           baseline      candidate
BytebuddyAgent   798.71 ms     798.616 ms
GlobalTracer     302.395 ms    303.448 ms
AppSec           52.163 ms     54.045 ms
Remote Config    614.296 µs    622.536 µs
Telemetry        7.341 ms      7.483 ms
IAST             25.669 ms     24.048 ms

variant: profiling
module           baseline      candidate
BytebuddyAgent   675.833 ms    677.016 ms
GlobalTracer     394.806 ms    395.746 ms
AppSec           52.575 ms     52.966 ms
Remote Config    711.493 µs    671.535 µs
Telemetry        7.491 ms      7.463 ms
ProfilingAgent   96.369 ms     97.159 ms
Profiling        96.392 ms     97.182 ms

Load

Parameters

parameter         baseline                     candidate
end_time          2024-09-16T07:43:18          2024-09-16T07:50:09
git_branch        master                       alejandro.gonzalez/rasp-fli
git_commit_date   1726472049                   1726472074
git_commit_sha    afdbcba                      b26c58d
release_version   1.40.0-SNAPSHOT~afdbcba335   1.40.0-SNAPSHOT~b26c58d0bb
start_time        2024-09-16T07:43:05          2024-09-16T07:49:55

Matching parameters (identical for baseline and candidate):
application      insecure-bank
ci_job_date      1726473352
ci_job_id        640047675
ci_pipeline_id   44385414
cpu_model        Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant          iast

Summary

Found 1 performance improvement and 0 performance regressions. Performance is the same for 9 metrics; 18 metrics are unstable.

scenario: scenario:load:petclinic:profiling
  http_req_duration: better; Δ mean [-97.133µs; -46.322µs] or [-6.332%; -3.020%]; candidate mean 1.462ms, baseline mean 1.534ms
  throughput: unstable; Δ mean [-346.511op/s; +820.585op/s] or [-11.695%; +27.695%]; candidate mean 3200.000op/s, baseline mean 2962.963op/s
Request duration reports for petclinic

(Gantt chart "petclinic - request duration [CI 0.99]: candidate=1.40.0-SNAPSHOT~b26c58d0bb, baseline=1.40.0-SNAPSHOT~afdbcba335"; the per-variant request durations and confidence intervals it plots are the ones listed in the tables below.)
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.351 ms [1.332 ms, 1.371 ms] -
appsec 1.726 ms [1.701 ms, 1.75 ms] 374.464 µs (27.7%)
appsec_no_iast 1.7 ms [1.675 ms, 1.725 ms] 348.448 µs (25.8%)
iast 1.476 ms [1.454 ms, 1.499 ms] 125.061 µs (9.3%)
profiling 1.534 ms [1.51 ms, 1.558 ms] 182.77 µs (13.5%)
tracing 1.466 ms [1.442 ms, 1.491 ms] 114.932 µs (8.5%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.342 ms [1.323 ms, 1.361 ms] -
appsec 1.693 ms [1.67 ms, 1.717 ms] 351.334 µs (26.2%)
appsec_no_iast 1.725 ms [1.701 ms, 1.749 ms] 382.935 µs (28.5%)
iast 1.459 ms [1.436 ms, 1.481 ms] 116.54 µs (8.7%)
profiling 1.462 ms [1.439 ms, 1.485 ms] 120.169 µs (9.0%)
tracing 1.45 ms [1.425 ms, 1.475 ms] 107.891 µs (8.0%)
Request duration reports for insecure-bank

(Gantt chart "insecure-bank - request duration [CI 0.99]: candidate=1.40.0-SNAPSHOT~b26c58d0bb, baseline=1.40.0-SNAPSHOT~afdbcba335"; the per-variant request durations and confidence intervals it plots are the ones listed in the tables below.)
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 374.004 µs [354.528 µs, 393.479 µs] -
iast 487.262 µs [464.737 µs, 509.788 µs] 113.259 µs (30.3%)
iast_FULL 553.547 µs [532.251 µs, 574.843 µs] 179.543 µs (48.0%)
iast_GLOBAL 515.243 µs [492.995 µs, 537.491 µs] 141.239 µs (37.8%)
iast_HARDCODED_SECRET_DISABLED 485.391 µs [463.449 µs, 507.334 µs] 111.388 µs (29.8%)
iast_INACTIVE 442.074 µs [421.296 µs, 462.852 µs] 68.07 µs (18.2%)
iast_TELEMETRY_OFF 477.732 µs [454.311 µs, 501.152 µs] 103.728 µs (27.7%)
tracing 454.675 µs [433.93 µs, 475.42 µs] 80.672 µs (21.6%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 372.674 µs [352.242 µs, 393.106 µs] -
iast 480.848 µs [459.042 µs, 502.653 µs] 108.173 µs (29.0%)
iast_FULL 558.826 µs [537.673 µs, 579.979 µs] 186.152 µs (50.0%)
iast_GLOBAL 498.568 µs [477.533 µs, 519.603 µs] 125.894 µs (33.8%)
iast_HARDCODED_SECRET_DISABLED 486.226 µs [464.08 µs, 508.372 µs] 113.552 µs (30.5%)
iast_INACTIVE 453.697 µs [432.464 µs, 474.929 µs] 81.023 µs (21.7%)
iast_TELEMETRY_OFF 475.492 µs [452.58 µs, 498.404 µs] 102.818 µs (27.6%)
tracing 444.107 µs [421.786 µs, 466.428 µs] 71.433 µs (19.2%)

Dacapo

Parameters

parameter         baseline                     candidate
git_branch        master                       alejandro.gonzalez/rasp-fli
git_commit_date   1726472049                   1726472074
git_commit_sha    afdbcba                      b26c58d
release_version   1.40.0-SNAPSHOT~afdbcba335   1.40.0-SNAPSHOT~b26c58d0bb

Matching parameters (identical for baseline and candidate):
application      biojava
ci_job_date      1726473847
ci_job_id        640047676
ci_pipeline_id   44385414
cpu_model        Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant          appsec

Summary

Found 0 performance improvements and 0 performance regressions. Performance is the same for 12 metrics; 0 metrics are unstable.
Execution time for biojava

(Gantt chart "biojava - execution time [CI 0.99]: candidate=1.40.0-SNAPSHOT~b26c58d0bb, baseline=1.40.0-SNAPSHOT~afdbcba335"; the per-variant execution times it plots are the ones listed in the tables below.)
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.663 s [15.663 s, 15.663 s] -
appsec 15.063 s [15.063 s, 15.063 s] -600.0 ms (-3.8%)
iast 19.038 s [19.038 s, 19.038 s] 3.375 s (21.5%)
iast_GLOBAL 18.032 s [18.032 s, 18.032 s] 2.369 s (15.1%)
profiling 15.678 s [15.678 s, 15.678 s] 15.0 ms (0.1%)
tracing 15.153 s [15.153 s, 15.153 s] -510.0 ms (-3.3%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.074 s [15.074 s, 15.074 s] -
appsec 15.212 s [15.212 s, 15.212 s] 138.0 ms (0.9%)
iast 18.947 s [18.947 s, 18.947 s] 3.873 s (25.7%)
iast_GLOBAL 18.115 s [18.115 s, 18.115 s] 3.041 s (20.2%)
profiling 15.088 s [15.088 s, 15.088 s] 14.0 ms (0.1%)
tracing 15.165 s [15.165 s, 15.165 s] 91.0 ms (0.6%)
Execution time for tomcat

(Gantt chart "tomcat - execution time [CI 0.99]: candidate=1.40.0-SNAPSHOT~b26c58d0bb, baseline=1.40.0-SNAPSHOT~afdbcba335"; the per-variant execution times and confidence intervals it plots are the ones listed in the tables below.)
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.469 ms [1.457 ms, 1.48 ms] -
appsec 2.292 ms [2.251 ms, 2.333 ms] 823.747 µs (56.1%)
iast 2.042 ms [1.993 ms, 2.09 ms] 573.299 µs (39.0%)
iast_GLOBAL 2.092 ms [2.042 ms, 2.142 ms] 623.275 µs (42.4%)
profiling 1.922 ms [1.881 ms, 1.964 ms] 453.629 µs (30.9%)
tracing 1.908 ms [1.87 ms, 1.947 ms] 439.75 µs (29.9%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.465 ms [1.454 ms, 1.477 ms] -
appsec 2.285 ms [2.244 ms, 2.325 ms] 819.508 µs (55.9%)
iast 2.059 ms [2.009 ms, 2.11 ms] 594.086 µs (40.5%)
iast_GLOBAL 2.104 ms [2.054 ms, 2.154 ms] 638.867 µs (43.6%)
profiling 1.955 ms [1.913 ms, 1.997 ms] 489.801 µs (33.4%)
tracing 1.914 ms [1.876 ms, 1.953 ms] 449.29 µs (30.7%)

@smola smola added the "comp: asm waf" (Application Security Management (WAF)) label, Aug 22, 2024
@jandro996 jandro996 changed the title from "Add LFI exploit prevention support - Smoke test not working" to "Add LFI exploit prevention support", Aug 22, 2024
@jandro996 jandro996 force-pushed the alejandro.gonzalez/rasp-okhttp-ssrf branch from afe802c to 5b03afd, August 26, 2024 12:09
@jandro996 jandro996 force-pushed the alejandro.gonzalez/rasp-fli branch 2 times, most recently from c01fdaf to d6c3191, August 28, 2024 07:15
@jandro996 jandro996 changed the base branch from alejandro.gonzalez/rasp-okhttp-ssrf to malvarez/blocking-exception-handler, August 28, 2024 07:17
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/blocking-exception-handler branch 2 times, most recently from d10aca5 to fe72611, August 28, 2024 11:39
@jandro996 jandro996 changed the base branch from malvarez/blocking-exception-handler to malvarez/rasp-call-sites-appsec-enabled, August 28, 2024 13:22
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/rasp-call-sites-appsec-enabled branch from e4f07a8 to ee21476, August 28, 2024 14:36
Base automatically changed from malvarez/rasp-call-sites-appsec-enabled to master, August 28, 2024 17:56
@jandro996 jandro996 marked this pull request as ready for review, August 30, 2024 14:38
@jandro996 jandro996 requested review from a team as code owners, August 30, 2024 14:38
@smola smola (Member) left a comment:

Needs to announce RC capability.

@smola smola self-requested a review September 11, 2024 08:49
@@ -1,7 +1,7 @@
package datadog.trace.api.telemetry;

public enum RuleType {
LIF("lfi"),
LFI("lfi"),
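Review bot: the rename from `LIF("lfi")` to `LFI("lfi")` changes only the Java constant name; the string value `"lfi"` that reaches telemetry is unchanged, so no reported metric key moves. Every call site that referenced `RuleType.LIF` has to be updated in the same change, since the old constant no longer exists and the build would otherwise fail.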


😆

@@ -248,6 +248,17 @@ public EventType<BiFunction<RequestContext, String, Flow<Void>>> networkConnecti
return (EventType<BiFunction<RequestContext, String, Flow<Void>>>) NETWORK_CONNECTION;
}

static final int FILE_LOADED_ID = 20;
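Review bot: `FILE_LOADED_ID = 20` is a hand-assigned id in the same numeric sequence as the other event ids in this file (the `NETWORK_CONNECTION` event type just above it is one of them). Two branches that each take the next free number will merge without a textual conflict and still end up with duplicate ids at runtime. Consider a unit test asserting that all `*_ID` constants in the class are distinct, or allocating the ids from a single counter so the sequence cannot fork.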


We might have some conflicts here with my PR

jandro996 and others added 3 commits September 11, 2024 13:23
…GatewayBridge.java

Co-authored-by: Manuel Álvarez Álvarez <[email protected]>
…y/GatewayBridgeSpecification.groovy

Co-authored-by: Manuel Álvarez Álvarez <[email protected]>
@jandro996 jandro996 merged commit 57d9846 into master Sep 16, 2024
98 checks passed
@jandro996 jandro996 deleted the alejandro.gonzalez/rasp-fli branch September 16, 2024 08:23
@github-actions github-actions bot added this to the 1.40.0 milestone Sep 16, 2024
Labels
comp: asm waf Application Security Management (WAF)