Add XSS support for Freemarker post 2.3.24-incubating #7532
Benchmarks (candidate=1.39.0-SNAPSHOT~bdb2f47318, baseline=1.40.0-SNAPSHOT~7f8886bbc2)

Startup: Found 0 performance improvements and 0 performance regressions! Performance is the same for 49 metrics, 14 unstable metrics.
[Startup time charts for insecure-bank and petclinic: global startup overhead and break down per module]

Load: Found 0 performance improvements and 0 performance regressions! Performance is the same for 10 metrics, 18 unstable metrics.
[Request duration charts for insecure-bank and petclinic, CI 0.99]

Dacapo: Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.
[Execution time charts for tomcat and biojava, CI 0.99]
Review comments (outdated, resolved) on:
...24/src/main/java/datadog/trace/instrumentation/freemarker24/DollarVariableDatadogAdvice.java
dd-smoke-tests/springboot-freemarker/src/main/resources/templates/freemarker-2.3.9.ftlh
dd-smoke-tests/springboot-freemarker/src/main/resources/templates/freemarker-2.3.24.ftlh
LGTM, good job!
What Does This Do
Adds support for the detection of XSS in the Freemarker library from version 2.3.24-incubating onwards.
Motivation
Being able to detect XSS in the Freemarker library.
Additional Notes
The PR that adds support for older versions is this one: #7497
Contributor Checklist
- Add type: and (comp: or inst:) labels in addition to any useful labels.
- Don't use close, fix or any linking keywords when referencing an issue. Use solves instead, and assign the PR milestone to the issue.

Jira ticket: APPSEC-11285