Fix jackson json parser propagation for field names #7606
Review threads (outdated, resolved) on:
.../src/main/java/datadog/trace/instrumentation/jackson/core/Json2_16ParserInstrumentation.java
...6/src/main/java/datadog/trace/instrumentation/jackson/core/Json2_6ParserInstrumentation.java
...re/jackson-core-2.16/src/main/java/com/fasterxml/jackson/core/json/Json2_16ParserHelper.java
...core-2.16/src/main/java/com/fasterxml/jackson/core/sym/ByteQuadsCanonicalizer2_16Helper.java
...core/jackson-core-2.6/src/main/java/com/fasterxml/jackson/core/json/Json2_6ParserHelper.java
...n-core-2.6/src/main/java/com/fasterxml/jackson/core/sym/ByteQuadsCanonicalizer2_6Helper.java
Benchmarks
Startup
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 51 metrics, 12 unstable metrics.
Startup time reports for insecure-bank
gantt
title insecure-bank - global startup overhead: candidate=1.40.0-SNAPSHOT~367dec7ac7, baseline=1.40.0-SNAPSHOT~efa3824d5d
dateFormat X
axisFormat %s
section tracing
Agent [baseline] (1.07 s) : 0, 1070211
Total [baseline] (8.555 s) : 0, 8555470
Agent [candidate] (1.077 s) : 0, 1076805
Total [candidate] (8.598 s) : 0, 8598458
section iast
Agent [baseline] (1.195 s) : 0, 1195109
Total [baseline] (9.028 s) : 0, 9027690
Agent [candidate] (1.209 s) : 0, 1209019
Total [candidate] (9.114 s) : 0, 9113947
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.213 s) : 0, 1212687
Total [baseline] (9.067 s) : 0, 9067370
Agent [candidate] (1.198 s) : 0, 1197962
Total [candidate] (9.081 s) : 0, 9080758
section iast_TELEMETRY_OFF
Agent [baseline] (1.202 s) : 0, 1201549
Total [baseline] (9.088 s) : 0, 9088304
Agent [candidate] (1.194 s) : 0, 1194470
Total [candidate] (9.076 s) : 0, 9075531
gantt
title insecure-bank - break down per module: candidate=1.40.0-SNAPSHOT~367dec7ac7, baseline=1.40.0-SNAPSHOT~efa3824d5d
dateFormat X
axisFormat %s
section tracing
BytebuddyAgent [baseline] (682.713 ms) : 0, 682713
BytebuddyAgent [candidate] (686.959 ms) : 0, 686959
GlobalTracer [baseline] (311.517 ms) : 0, 311517
GlobalTracer [candidate] (313.539 ms) : 0, 313539
AppSec [baseline] (53.873 ms) : 0, 53873
AppSec [candidate] (54.028 ms) : 0, 54028
Remote Config [baseline] (667.334 µs) : 0, 667
Remote Config [candidate] (665.934 µs) : 0, 666
Telemetry [baseline] (7.638 ms) : 0, 7638
Telemetry [candidate] (7.734 ms) : 0, 7734
section iast
BytebuddyAgent [baseline] (794.34 ms) : 0, 794340
BytebuddyAgent [candidate] (805.978 ms) : 0, 805978
GlobalTracer [baseline] (300.41 ms) : 0, 300410
GlobalTracer [candidate] (302.433 ms) : 0, 302433
AppSec [baseline] (53.964 ms) : 0, 53964
AppSec [candidate] (55.845 ms) : 0, 55845
IAST [baseline] (24.821 ms) : 0, 24821
IAST [candidate] (22.962 ms) : 0, 22962
Remote Config [baseline] (630.772 µs) : 0, 631
Remote Config [candidate] (637.856 µs) : 0, 638
Telemetry [baseline] (7.104 ms) : 0, 7104
Telemetry [candidate] (7.152 ms) : 0, 7152
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (807.001 ms) : 0, 807001
BytebuddyAgent [candidate] (796.771 ms) : 0, 796771
GlobalTracer [baseline] (304.65 ms) : 0, 304650
GlobalTracer [candidate] (300.905 ms) : 0, 300905
AppSec [baseline] (58.725 ms) : 0, 58725
AppSec [candidate] (55.468 ms) : 0, 55468
IAST [baseline] (20.452 ms) : 0, 20452
IAST [candidate] (23.133 ms) : 0, 23133
Remote Config [baseline] (613.577 µs) : 0, 614
Remote Config [candidate] (636.468 µs) : 0, 636
Telemetry [baseline] (7.178 ms) : 0, 7178
Telemetry [candidate] (7.143 ms) : 0, 7143
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (797.737 ms) : 0, 797737
BytebuddyAgent [candidate] (793.231 ms) : 0, 793231
GlobalTracer [baseline] (303.063 ms) : 0, 303063
GlobalTracer [candidate] (301.28 ms) : 0, 301280
AppSec [baseline] (57.429 ms) : 0, 57429
AppSec [candidate] (55.96 ms) : 0, 55960
IAST [baseline] (21.813 ms) : 0, 21813
IAST [candidate] (22.531 ms) : 0, 22531
Remote Config [baseline] (638.583 µs) : 0, 639
Remote Config [candidate] (649.611 µs) : 0, 650
Telemetry [baseline] (6.899 ms) : 0, 6899
Telemetry [candidate] (6.928 ms) : 0, 6928
Startup time reports for petclinic
gantt
title petclinic - global startup overhead: candidate=1.40.0-SNAPSHOT~367dec7ac7, baseline=1.40.0-SNAPSHOT~efa3824d5d
dateFormat X
axisFormat %s
section tracing
Agent [baseline] (1.077 s) : 0, 1077187
Total [baseline] (10.38 s) : 0, 10380154
Agent [candidate] (1.078 s) : 0, 1078246
Total [candidate] (10.383 s) : 0, 10382751
section appsec
Agent [baseline] (1.212 s) : 0, 1212122
Total [baseline] (10.666 s) : 0, 10666209
Agent [candidate] (1.212 s) : 0, 1211910
Total [candidate] (10.662 s) : 0, 10661895
section iast
Agent [baseline] (1.203 s) : 0, 1203227
Total [baseline] (10.899 s) : 0, 10898882
Agent [candidate] (1.199 s) : 0, 1198556
Total [candidate] (10.956 s) : 0, 10956253
section profiling
Agent [baseline] (1.266 s) : 0, 1265658
Total [baseline] (10.591 s) : 0, 10591185
Agent [candidate] (1.268 s) : 0, 1268375
Total [candidate] (10.675 s) : 0, 10674534
gantt
title petclinic - break down per module: candidate=1.40.0-SNAPSHOT~367dec7ac7, baseline=1.40.0-SNAPSHOT~efa3824d5d
dateFormat X
axisFormat %s
section tracing
BytebuddyAgent [baseline] (686.536 ms) : 0, 686536
BytebuddyAgent [candidate] (687.781 ms) : 0, 687781
GlobalTracer [baseline] (314.178 ms) : 0, 314178
GlobalTracer [candidate] (313.798 ms) : 0, 313798
AppSec [baseline] (54.187 ms) : 0, 54187
AppSec [candidate] (54.403 ms) : 0, 54403
Remote Config [baseline] (667.151 µs) : 0, 667
Remote Config [candidate] (668.278 µs) : 0, 668
Telemetry [baseline] (7.775 ms) : 0, 7775
Telemetry [candidate] (7.748 ms) : 0, 7748
section appsec
BytebuddyAgent [baseline] (703.949 ms) : 0, 703949
BytebuddyAgent [candidate] (702.986 ms) : 0, 702986
GlobalTracer [baseline] (310.715 ms) : 0, 310715
GlobalTracer [candidate] (310.075 ms) : 0, 310075
AppSec [baseline] (163.268 ms) : 0, 163268
AppSec [candidate] (163.873 ms) : 0, 163873
Remote Config [baseline] (652.315 µs) : 0, 652
Remote Config [candidate] (647.501 µs) : 0, 648
Telemetry [baseline] (8.601 ms) : 0, 8601
Telemetry [candidate] (9.282 ms) : 0, 9282
IAST [baseline] (22.29 ms) : 0, 22290
IAST [candidate] (22.433 ms) : 0, 22433
section iast
BytebuddyAgent [baseline] (800.075 ms) : 0, 800075
BytebuddyAgent [candidate] (797.889 ms) : 0, 797889
GlobalTracer [baseline] (302.412 ms) : 0, 302412
GlobalTracer [candidate] (301.054 ms) : 0, 301054
AppSec [baseline] (55.36 ms) : 0, 55360
AppSec [candidate] (55.808 ms) : 0, 55808
Remote Config [baseline] (641.221 µs) : 0, 641
Remote Config [candidate] (638.886 µs) : 0, 639
Telemetry [baseline] (7.031 ms) : 0, 7031
Telemetry [candidate] (7.109 ms) : 0, 7109
IAST [baseline] (23.826 ms) : 0, 23826
IAST [candidate] (22.216 ms) : 0, 22216
section profiling
ProfilingAgent [baseline] (96.179 ms) : 0, 96179
ProfilingAgent [candidate] (96.934 ms) : 0, 96934
BytebuddyAgent [baseline] (674.072 ms) : 0, 674072
BytebuddyAgent [candidate] (675.193 ms) : 0, 675193
GlobalTracer [baseline] (393.789 ms) : 0, 393789
GlobalTracer [candidate] (394.304 ms) : 0, 394304
AppSec [baseline] (54.672 ms) : 0, 54672
AppSec [candidate] (54.879 ms) : 0, 54879
Remote Config [baseline] (654.062 µs) : 0, 654
Remote Config [candidate] (658.622 µs) : 0, 659
Telemetry [baseline] (7.54 ms) : 0, 7540
Telemetry [candidate] (7.562 ms) : 0, 7562
Profiling [baseline] (96.202 ms) : 0, 96202
Profiling [candidate] (96.958 ms) : 0, 96958
Load
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 16 unstable metrics.
Request duration reports for petclinic
gantt
title petclinic - request duration [CI 0.99] : candidate=1.40.0-SNAPSHOT~367dec7ac7, baseline=1.40.0-SNAPSHOT~efa3824d5d
dateFormat X
axisFormat %s
section baseline
no_agent (1.345 ms) : 1326, 1365
. : milestone, 1345,
appsec (1.732 ms) : 1707, 1757
. : milestone, 1732,
appsec_no_iast (1.733 ms) : 1708, 1757
. : milestone, 1733,
iast (1.475 ms) : 1453, 1498
. : milestone, 1475,
profiling (1.496 ms) : 1474, 1518
. : milestone, 1496,
tracing (1.471 ms) : 1446, 1495
. : milestone, 1471,
section candidate
no_agent (1.36 ms) : 1340, 1380
. : milestone, 1360,
appsec (1.732 ms) : 1709, 1756
. : milestone, 1732,
appsec_no_iast (1.749 ms) : 1725, 1773
. : milestone, 1749,
iast (1.479 ms) : 1456, 1502
. : milestone, 1479,
profiling (1.531 ms) : 1507, 1555
. : milestone, 1531,
tracing (1.471 ms) : 1447, 1495
. : milestone, 1471,
Request duration reports for insecure-bank
gantt
title insecure-bank - request duration [CI 0.99] : candidate=1.40.0-SNAPSHOT~367dec7ac7, baseline=1.40.0-SNAPSHOT~efa3824d5d
dateFormat X
axisFormat %s
section baseline
no_agent (377.954 µs) : 358, 398
. : milestone, 378,
iast (492.017 µs) : 471, 513
. : milestone, 492,
iast_FULL (559.242 µs) : 538, 580
. : milestone, 559,
iast_GLOBAL (517.454 µs) : 496, 539
. : milestone, 517,
iast_HARDCODED_SECRET_DISABLED (491.666 µs) : 470, 513
. : milestone, 492,
iast_INACTIVE (453.506 µs) : 432, 475
. : milestone, 454,
iast_TELEMETRY_OFF (478.994 µs) : 457, 501
. : milestone, 479,
tracing (444.966 µs) : 424, 465
. : milestone, 445,
section candidate
no_agent (374.626 µs) : 355, 394
. : milestone, 375,
iast (491.559 µs) : 470, 513
. : milestone, 492,
iast_FULL (557.605 µs) : 536, 579
. : milestone, 558,
iast_GLOBAL (509.608 µs) : 489, 531
. : milestone, 510,
iast_HARDCODED_SECRET_DISABLED (491.09 µs) : 470, 512
. : milestone, 491,
iast_INACTIVE (449.609 µs) : 429, 470
. : milestone, 450,
iast_TELEMETRY_OFF (484.653 µs) : 463, 506
. : milestone, 485,
tracing (450.844 µs) : 430, 472
. : milestone, 451,
Dacapo
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.
Execution time for tomcat
gantt
title tomcat - execution time [CI 0.99] : candidate=1.40.0-SNAPSHOT~367dec7ac7, baseline=1.40.0-SNAPSHOT~efa3824d5d
dateFormat X
axisFormat %s
section baseline
no_agent (1.463 ms) : 1452, 1475
. : milestone, 1463,
appsec (2.279 ms) : 2240, 2319
. : milestone, 2279,
iast (2.057 ms) : 2008, 2107
. : milestone, 2057,
iast_GLOBAL (2.093 ms) : 2043, 2144
. : milestone, 2093,
profiling (1.921 ms) : 1881, 1962
. : milestone, 1921,
tracing (1.903 ms) : 1865, 1942
. : milestone, 1903,
section candidate
no_agent (1.466 ms) : 1455, 1478
. : milestone, 1466,
appsec (2.304 ms) : 2264, 2344
. : milestone, 2304,
iast (2.057 ms) : 2007, 2108
. : milestone, 2057,
iast_GLOBAL (2.111 ms) : 2060, 2163
. : milestone, 2111,
profiling (2.437 ms) : 2245, 2628
. : milestone, 2437,
tracing (1.915 ms) : 1876, 1954
. : milestone, 1915,
Execution time for biojava
gantt
title biojava - execution time [CI 0.99] : candidate=1.40.0-SNAPSHOT~367dec7ac7, baseline=1.40.0-SNAPSHOT~efa3824d5d
dateFormat X
axisFormat %s
section baseline
no_agent (15.128 s) : 15128000, 15128000
. : milestone, 15128000,
appsec (15.322 s) : 15322000, 15322000
. : milestone, 15322000,
iast (18.915 s) : 18915000, 18915000
. : milestone, 18915000,
iast_GLOBAL (18.047 s) : 18047000, 18047000
. : milestone, 18047000,
profiling (15.076 s) : 15076000, 15076000
. : milestone, 15076000,
tracing (15.369 s) : 15369000, 15369000
. : milestone, 15369000,
section candidate
no_agent (15.321 s) : 15321000, 15321000
. : milestone, 15321000,
appsec (15.121 s) : 15121000, 15121000
. : milestone, 15121000,
iast (18.727 s) : 18727000, 18727000
. : milestone, 18727000,
iast_GLOBAL (18.115 s) : 18115000, 18115000
. : milestone, 18115000,
profiling (15.001 s) : 15001000, 15001000
. : milestone, 15001000,
tracing (15.258 s) : 15258000, 15258000
. : milestone, 15258000,
Kafka / producer-benchmark
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 3 metrics, 0 unstable metrics.
Kafka / consumer-benchmark
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 3 metrics, 0 unstable metrics.
Review threads (outdated, resolved) on:
...8/src/main/java/datadog/trace/instrumentation/jackson/core/Json2_8ParserInstrumentation.java
...n-core-2.8/src/main/java/com/fasterxml/jackson/core/sym/ByteQuadsCanonicalizer2_8Helper.java
...core-2.12/src/main/java/com/fasterxml/jackson/core/sym/ByteQuadsCanonicalizer2_12Helper.java
...re/jackson-core-2.12/src/main/java/com/fasterxml/jackson/core/json/Json2_12ParserHelper.java
...core/jackson-core-2.8/src/main/java/com/fasterxml/jackson/core/json/Json2_8ParserHelper.java
.../src/main/java/datadog/trace/instrumentation/jackson/core/Json2_12ParserInstrumentation.java
.../src/main/java/datadog/trace/instrumentation/jackson/core/Json2_16ParserInstrumentation.java
LGTM
What Does This Do
This fixes the unwanted tainting of field names that are being interned by the parser. This is making us report vulnerabilities that we don't want to report. One example could be SQL Injection, where we are reporting an SQL Injection in the eBean framework due to the fact that we are tainting the name of a field in the request, and this name is interned, so when eBean looks for it, it is tainted.
Motivation
It is motivated by the report of a client using eBean.
Additional Notes
Contributor Checklist
type: and (comp: or inst:) labels in addition to any useful labels
close, fix or any linking keywords when referencing an issue. Use solves instead, and assign the PR milestone to the issue
Jira ticket: APPSEC-54675