
Add XSS support for Freemarker prior 2.3.24-incubating #7497

Merged (21 commits), Sep 9, 2024

Conversation

Mariovido (Contributor) commented Aug 23, 2024

What Does This Do

Adds support for the detection of XSS in the Freemarker library prior to the 2.3.24-incubating version.

Motivation

Being able to detect XSS in the Freemarker library.

Additional Notes

The PR that adds support for newer versions is this one --> #7532

Contributor Checklist

Jira ticket: APPSEC-11285

@Mariovido Mariovido added the comp: asm iast Application Security Management (IAST) label Aug 23, 2024
@Mariovido Mariovido added this to the 1.39.0 milestone Aug 23, 2024
pr-commenter bot commented Aug 23, 2024

Benchmarks

Startup

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | mario.vidal/xss_freemarker |
| git_commit_date | 1725884741 | 1725884777 |
| git_commit_sha | 5ddb19d | e955dad |
| release_version | 1.40.0-SNAPSHOT~5ddb19db3a | 1.40.0-SNAPSHOT~e955dade54 |

Matching parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1725887254 | 1725887254 |
| ci_job_id | 631809878 | 631809878 |
| ci_pipeline_id | 43846561 | 43846561 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 48 metrics, 15 unstable metrics.

Startup time reports for petclinic
[Chart: petclinic - global startup overhead (candidate=1.40.0-SNAPSHOT~e955dade54, baseline=1.40.0-SNAPSHOT~5ddb19db3a); the plotted Agent/Total durations are the ones listed in the tables below]
Baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.05 s | - |
| Agent | appsec | 1.181 s | 131.751 ms (12.6%) |
| Agent | iast | 1.173 s | 122.928 ms (11.7%) |
| Agent | profiling | 1.246 s | 196.741 ms (18.7%) |
| Total | tracing | 10.385 s | - |
| Total | appsec | 10.565 s | 179.954 ms (1.7%) |
| Total | iast | 10.79 s | 404.311 ms (3.9%) |
| Total | profiling | 10.635 s | 249.381 ms (2.4%) |

Candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.052 s | - |
| Agent | appsec | 1.185 s | 132.597 ms (12.6%) |
| Agent | iast | 1.184 s | 131.591 ms (12.5%) |
| Agent | profiling | 1.246 s | 194.06 ms (18.4%) |
| Total | tracing | 10.365 s | - |
| Total | appsec | 10.589 s | 223.402 ms (2.2%) |
| Total | iast | 10.827 s | 461.939 ms (4.5%) |
| Total | profiling | 10.539 s | 173.328 ms (1.7%) |
Break down per module (petclinic; candidate=1.40.0-SNAPSHOT~e955dade54, baseline=1.40.0-SNAPSHOT~5ddb19db3a)

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 669.919 ms | 670.918 ms |
| tracing | GlobalTracer | 306.793 ms | 307.882 ms |
| tracing | AppSec | 51.256 ms | 51.524 ms |
| tracing | Remote Config | 678.691 µs | 688.121 µs |
| tracing | Telemetry | 7.444 ms | 7.46 ms |
| appsec | BytebuddyAgent | 688.572 ms | 691.46 ms |
| appsec | GlobalTracer | 299.303 ms | 300.843 ms |
| appsec | AppSec | 159.772 ms | 159.525 ms |
| appsec | IAST | 21.338 ms | 20.079 ms |
| appsec | Remote Config | 628.143 µs | 631.665 µs |
| appsec | Telemetry | 8.919 ms | 8.552 ms |
| iast | BytebuddyAgent | 780.211 ms | 787.265 ms |
| iast | GlobalTracer | 295.451 ms | 298.092 ms |
| iast | AppSec | 54.678 ms | 53.751 ms |
| iast | IAST | 20.793 ms | 22.927 ms |
| iast | Remote Config | 600.73 µs | 591.621 µs |
| iast | Telemetry | 7.279 ms | 7.323 ms |
| profiling | BytebuddyAgent | 664.03 ms | 663.752 ms |
| profiling | GlobalTracer | 387.868 ms | 388.739 ms |
| profiling | AppSec | 52.399 ms | 52.04 ms |
| profiling | Remote Config | 692.246 µs | 680.614 µs |
| profiling | Telemetry | 7.394 ms | 7.302 ms |
| profiling | ProfilingAgent | 96.238 ms | 95.9 ms |
| profiling | Profiling | 96.262 ms | 95.923 ms |
Startup time reports for insecure-bank
[Chart: insecure-bank - global startup overhead (candidate=1.40.0-SNAPSHOT~e955dade54, baseline=1.40.0-SNAPSHOT~5ddb19db3a); the plotted Agent/Total durations are the ones listed in the tables below]
Baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.048 s | - |
| Agent | iast | 1.173 s | 124.806 ms (11.9%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.173 s | 124.329 ms (11.9%) |
| Agent | iast_TELEMETRY_OFF | 1.169 s | 120.249 ms (11.5%) |
| Total | tracing | 8.501 s | - |
| Total | iast | 8.958 s | 456.514 ms (5.4%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 8.953 s | 451.459 ms (5.3%) |
| Total | iast_TELEMETRY_OFF | 8.942 s | 440.332 ms (5.2%) |

Candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.05 s | - |
| Agent | iast | 1.183 s | 132.516 ms (12.6%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.174 s | 123.958 ms (11.8%) |
| Agent | iast_TELEMETRY_OFF | 1.18 s | 129.603 ms (12.3%) |
| Total | tracing | 8.493 s | - |
| Total | iast | 8.961 s | 467.859 ms (5.5%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 8.933 s | 440.018 ms (5.2%) |
| Total | iast_TELEMETRY_OFF | 8.973 s | 479.588 ms (5.6%) |
Break down per module (insecure-bank; candidate=1.40.0-SNAPSHOT~e955dade54, baseline=1.40.0-SNAPSHOT~5ddb19db3a)

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 669.3 ms | 669.773 ms |
| tracing | GlobalTracer | 306.176 ms | 307.395 ms |
| tracing | AppSec | 51.255 ms | 51.463 ms |
| tracing | Remote Config | 681.422 µs | 701.304 µs |
| tracing | Telemetry | 7.437 ms | 7.524 ms |
| iast | BytebuddyAgent | 780.451 ms | 787.106 ms |
| iast | GlobalTracer | 295.219 ms | 297.83 ms |
| iast | AppSec | 52.71 ms | 53.021 ms |
| iast | IAST | 23.335 ms | 23.442 ms |
| iast | Remote Config | 620.89 µs | 591.904 µs |
| iast | Telemetry | 7.301 ms | 7.261 ms |
| iast_HARDCODED_SECRET_DISABLED | BytebuddyAgent | 779.63 ms | 780.199 ms |
| iast_HARDCODED_SECRET_DISABLED | GlobalTracer | 295.481 ms | 296.223 ms |
| iast_HARDCODED_SECRET_DISABLED | AppSec | 51.885 ms | 52.176 ms |
| iast_HARDCODED_SECRET_DISABLED | IAST | 23.46 ms | 23.523 ms |
| iast_HARDCODED_SECRET_DISABLED | Remote Config | 599.644 µs | 603.28 µs |
| iast_HARDCODED_SECRET_DISABLED | Telemetry | 8.075 ms | 8.056 ms |
| iast_TELEMETRY_OFF | BytebuddyAgent | 775.921 ms | 784.184 ms |
| iast_TELEMETRY_OFF | GlobalTracer | 295.385 ms | 298.2 ms |
| iast_TELEMETRY_OFF | AppSec | 51.758 ms | 51.873 ms |
| iast_TELEMETRY_OFF | IAST | 23.27 ms | 24.22 ms |
| iast_TELEMETRY_OFF | Remote Config | 599.853 µs | 606.47 µs |
| iast_TELEMETRY_OFF | Telemetry | 8.115 ms | 7.254 ms |

Load

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| end_time | 2024-09-09T12:38:08 | 2024-09-09T12:45:00 |
| git_branch | master | mario.vidal/xss_freemarker |
| git_commit_date | 1725884741 | 1725884777 |
| git_commit_sha | 5ddb19d | e955dad |
| release_version | 1.40.0-SNAPSHOT~5ddb19db3a | 1.40.0-SNAPSHOT~e955dade54 |
| start_time | 2024-09-09T12:37:55 | 2024-09-09T12:44:46 |

Matching parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1725886247 | 1725886247 |
| ci_job_id | 631809879 | 631809879 |
| ci_pipeline_id | 43846561 | 43846561 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | iast | iast |

Summary

Found 1 performance improvements and 0 performance regressions! Performance is the same for 9 metrics, 18 unstable metrics.

| Scenario | Δ mean http_req_duration | Δ mean throughput | Candidate mean http_req_duration | Candidate mean throughput | Baseline mean http_req_duration | Baseline mean throughput |
|---|---|---|---|---|---|---|
| scenario:load:insecure-bank:iast_FULL | better: [-81.127µs; -35.674µs] or [-13.266%; -5.834%] | unstable: [-1308.798op/s; +2191.151op/s] or [-18.541%; +31.041%] | 553.115µs | 7500.000op/s | 611.515µs | 7058.824op/s |
Request duration reports for petclinic
[Chart: petclinic - request duration [CI 0.99] (candidate=1.40.0-SNAPSHOT~e955dade54, baseline=1.40.0-SNAPSHOT~5ddb19db3a); the plotted values and confidence intervals are the ones listed in the tables below]
Baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.338 ms [1.318 ms, 1.358 ms] | - |
| appsec | 1.711 ms [1.688 ms, 1.735 ms] | 373.019 µs (27.9%) |
| appsec_no_iast | 1.73 ms [1.706 ms, 1.755 ms] | 391.976 µs (29.3%) |
| iast | 1.488 ms [1.465 ms, 1.511 ms] | 149.851 µs (11.2%) |
| profiling | 1.489 ms [1.465 ms, 1.512 ms] | 150.241 µs (11.2%) |
| tracing | 1.462 ms [1.438 ms, 1.486 ms] | 123.351 µs (9.2%) |

Candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.351 ms [1.332 ms, 1.37 ms] | - |
| appsec | 1.737 ms [1.714 ms, 1.761 ms] | 386.104 µs (28.6%) |
| appsec_no_iast | 1.73 ms [1.706 ms, 1.754 ms] | 378.458 µs (28.0%) |
| iast | 1.486 ms [1.463 ms, 1.508 ms] | 134.269 µs (9.9%) |
| profiling | 1.522 ms [1.497 ms, 1.547 ms] | 170.78 µs (12.6%) |
| tracing | 1.481 ms [1.457 ms, 1.504 ms] | 129.274 µs (9.6%) |
Request duration reports for insecure-bank
[Chart: insecure-bank - request duration [CI 0.99] (candidate=1.40.0-SNAPSHOT~e955dade54, baseline=1.40.0-SNAPSHOT~5ddb19db3a); the plotted values and confidence intervals are the ones listed in the tables below]
Baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 367.993 µs [348.032 µs, 387.954 µs] | - |
| iast | 483.692 µs [462.05 µs, 505.335 µs] | 115.7 µs (31.4%) |
| iast_FULL | 611.515 µs [590.358 µs, 632.672 µs] | 243.522 µs (66.2%) |
| iast_GLOBAL | 512.739 µs [490.571 µs, 534.906 µs] | 144.746 µs (39.3%) |
| iast_HARDCODED_SECRET_DISABLED | 485.064 µs [463.145 µs, 506.983 µs] | 117.071 µs (31.8%) |
| iast_INACTIVE | 448.708 µs [427.571 µs, 469.844 µs] | 80.715 µs (21.9%) |
| iast_TELEMETRY_OFF | 480.594 µs [457.386 µs, 503.802 µs] | 112.601 µs (30.6%) |
| tracing | 441.431 µs [420.647 µs, 462.215 µs] | 73.438 µs (20.0%) |

Candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 376.455 µs [356.683 µs, 396.227 µs] | - |
| iast | 484.9 µs [463.208 µs, 506.591 µs] | 108.445 µs (28.8%) |
| iast_FULL | 553.115 µs [532.033 µs, 574.197 µs] | 176.66 µs (46.9%) |
| iast_GLOBAL | 525.473 µs [504.472 µs, 546.474 µs] | 149.018 µs (39.6%) |
| iast_HARDCODED_SECRET_DISABLED | 492.66 µs [470.96 µs, 514.361 µs] | 116.205 µs (30.9%) |
| iast_INACTIVE | 446.897 µs [426.078 µs, 467.715 µs] | 70.442 µs (18.7%) |
| iast_TELEMETRY_OFF | 478.536 µs [455.495 µs, 501.578 µs] | 102.081 µs (27.1%) |
| tracing | 448.331 µs [427.585 µs, 469.076 µs] | 71.876 µs (19.1%) |

Dacapo

@Mariovido Mariovido marked this pull request as ready for review August 29, 2024 15:37
@Mariovido Mariovido requested review from a team as code owners August 29, 2024 15:37
@Mariovido Mariovido removed this from the 1.39.0 milestone Aug 29, 2024
@Mariovido Mariovido changed the title from "Add XSS support for Freemarker" to "Add XSS support for Freemarker prior 2.3.24-incubating" Aug 30, 2024
@@ -0,0 +1,11 @@
<#ftl output_format="HTML" auto_esc=false>
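Review bot: the `<#ftl output_format="HTML" auto_esc=false>` header turns auto-escaping off on purpose so that the template exercises the unescaped XSS path, but nothing in the fixture says so; a short `<#-- ... -->` comment stating that this template is intentionally unescaped, plus a sibling fixture that keeps `auto_esc=true` with a test asserting that no vulnerability is reported for it, would make the negative case explicit. Also note that `output_format` and `auto_esc` are header parameters introduced in FreeMarker 2.3.24, while this PR targets versions before 2.3.24, so it is worth confirming this fixture belongs to the 2.3.24 test module rather than the 2.3.9 one.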

Reviewer comment:

Can we add a test with auto_esc=true and validate that we do not trigger the vuln?

Mariovido (Contributor, Author) replied:

Addressed in this PR #7532

@@ -0,0 +1,8 @@
<html>
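Review bot: this fixture starts as plain HTML markup, and on FreeMarker before 2.3.24 an interpolation is escaped only where the template itself applies the `?html` built-in or wraps it in `<#escape x as x?html>`; a companion fixture that renders the same value through one of those constructs, with a test asserting that no XSS is reported for it, would show that the instrumentation distinguishes escaped from unescaped output on these versions rather than flagging every template render.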

Reviewer comment:

There are some directives for escaping in freemarker prior to 2.3.24; it might be interesting to try them.

Mariovido (Contributor, Author) replied:

Same as above #7532
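An added example of the kind of check discussed in the thread above; it is not code from this PR or from dd-trace-java. Before FreeMarker 2.3.24 there is no auto-escaping, so an interpolation is safe only where the template applies `?html` or sits inside `<#escape>`: the snippet renders one untrusted value through an unescaped, a `?html`-escaped and an `<#escape>`-wrapped template on a configuration pinned to `Configuration.VERSION_2_3_23` and reports which output still carries the markup (only the unescaped one does, which is the path an IAST XSS sink should flag). The template names and the class name are assumptions made for this example.

```java
import freemarker.cache.StringTemplateLoader;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import java.io.IOException;
import java.io.StringWriter;
import java.util.Collections;
import java.util.Map;

// Added example, not part of dd-trace-java or of this PR: render one untrusted value through
// three templates on a FreeMarker configuration pinned below 2.3.24 (no auto_esc/output_format)
// and report which of them lets the markup through; that unescaped path is the one an IAST
// XSS sink should flag.
public class PreAutoEscapeRendering {

  // Constructed sample of user-controlled input carrying markup.
  static final String TAINTED = "<b>untrusted</b>";

  static final Configuration CFG = buildConfiguration();

  static Configuration buildConfiguration() {
    // Incompatible-improvements pinned below 2.3.24: no output format, no auto-escaping.
    Configuration cfg = new Configuration(Configuration.VERSION_2_3_23);
    StringTemplateLoader loader = new StringTemplateLoader();
    // Template names are assumptions made for this example.
    loader.putTemplate("unescaped.ftl", "<p>${name}</p>");
    loader.putTemplate("html-builtin.ftl", "<p>${name?html}</p>");
    loader.putTemplate("escape-directive.ftl", "<#escape x as x?html><p>${name}</p></#escape>");
    cfg.setTemplateLoader(loader);
    cfg.setDefaultEncoding("UTF-8");
    return cfg;
  }

  /** Renders one template with the model value "name" bound to the given string. */
  static String render(String templateName, String value) throws IOException, TemplateException {
    Template template = CFG.getTemplate(templateName);
    Map<String, Object> model = Collections.singletonMap("name", value);
    StringWriter out = new StringWriter();
    template.process(model, out);
    return out.toString();
  }

  /** True when the output still contains the input's tag, i.e. the value was not escaped. */
  static boolean keepsRawMarkup(String rendered) {
    return rendered.contains("<b>");
  }

  public static void main(String[] args) throws Exception {
    for (String name : new String[] {"unescaped.ftl", "html-builtin.ftl", "escape-directive.ftl"}) {
      String rendered = render(name, TAINTED);
      System.out.printf("%-20s escaped=%-5s %s%n", name, !keepsRawMarkup(rendered), rendered);
    }
  }
}
```

Running it against a pre-2.3.24 FreeMarker artifact (or a newer one with the pinned incompatible-improvements level) shows `escaped=false` only for `unescaped.ftl`, so a test fixture built on the other two templates is the natural negative case for the instrumentation.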

@@ -226,6 +226,7 @@ include ':dd-java-agent:instrumentation:elasticsearch:transport-7.3'
include ':dd-java-agent:instrumentation:enable-wallclock-profiling'
include ':dd-java-agent:instrumentation:exception-profiling'
include ':dd-java-agent:instrumentation:finatra-2.9'
include ':dd-java-agent:instrumentation:freemarker-2.3.9'
Collaborator:

When multiple versions of the same instrumentation exist we tend to group them under a top folder (i.e. freemarker) (see conventions).

Mariovido (Contributor, Author) replied:

This is being done in the following PR #7579. Once merged, I'll do the change in this one.

@@ -226,6 +226,7 @@ include ':dd-java-agent:instrumentation:elasticsearch:transport-7.3'
include ':dd-java-agent:instrumentation:enable-wallclock-profiling'
include ':dd-java-agent:instrumentation:exception-profiling'
include ':dd-java-agent:instrumentation:finatra-2.9'
include ':dd-java-agent:instrumentation:freemarker-2.3.9'
include ':dd-java-agent:instrumentation:freemarker-2.3.24'
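Review bot: with two modules now instrumenting the same library, their muzzle version ranges must be disjoint (the freemarker-2.3.9 module ending where freemarker-2.3.24 begins), otherwise both advices could be applied to the same template classes and the XSS sink would report twice; a test in the 2.3.24 module that puts the 2.3.9 module on its test classpath and asserts that exactly one instrumentation is applied would catch such an overlap before muzzle does.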
Collaborator:

I would have added the freemarker-2.3.9 module as a test implementation of this one in order to test that only one instrumentation applies as expected. Even if muzzle checks that, adding this is a good practice.

Mariovido (Contributor, Author) replied:

Already added :)

@Mariovido Mariovido merged commit 3fd4174 into master Sep 9, 2024
98 checks passed
@Mariovido Mariovido deleted the mario.vidal/xss_freemarker branch September 9, 2024 13:13
@github-actions github-actions bot added this to the 1.40.0 milestone Sep 9, 2024