Add XSS support for Velocity #7546
Conversation

Benchmarks (bot comment; mermaid gantt chart data omitted, headline results kept). Candidate=1.40.0-SNAPSHOT~d0a640a504, baseline=1.40.0-SNAPSHOT~d2ff624132 for all runs.

Startup: found 0 performance improvements and 0 performance regressions. Performance is the same for 49 metrics, 14 unstable metrics. Charts: petclinic global startup overhead and break down per module (sections tracing, appsec, iast, profiling); insecure-bank global startup overhead and break down per module (sections tracing, iast, iast_HARDCODED_SECRET_DISABLED, iast_TELEMETRY_OFF).

Load: found 0 performance improvements and 0 performance regressions. Performance is the same for 10 metrics, 18 unstable metrics. Charts: petclinic request duration [CI 0.99] (no_agent, appsec, appsec_no_iast, iast, profiling, tracing); insecure-bank request duration [CI 0.99] (no_agent, iast, iast_FULL, iast_GLOBAL, iast_HARDCODED_SECRET_DISABLED, iast_INACTIVE, iast_TELEMETRY_OFF, tracing).

Dacapo: found 0 performance improvements and 0 performance regressions. Performance is the same for 12 metrics, 0 unstable metrics. Charts: tomcat execution time [CI 0.99] and biojava execution time [CI 0.99] (no_agent, appsec, iast, iast_GLOBAL, profiling, tracing).
Review comment on ...rc/test/groovy/datadog/trace/instrumentation/velocity/ASTReferenceInstrumentationTest.groovy (outdated, resolved):
LGTM!
What Does This Do
Adds support for the detection of XSS in the Velocity library.
Motivation
Being able to detect XSS in the Velocity library.
Additional Notes
Contributor Checklist
- Assign the `type:` and (`comp:` or `inst:`) labels in addition to any useful labels
- Avoid `close`, `fix` or any linking keywords when referencing an issue. Use `solves` instead, and assign the PR milestone to the issue
Jira ticket: APPSEC-53841