
Add experimental taint propagation to the String replace, replaceFirst, replaceAll methods #7741

Merged: 19 commits merged into master from mario.vidal/taint_propagation_replace on Nov 8, 2024

Conversation

Mariovido
Contributor

@Mariovido Mariovido commented Oct 7, 2024

What Does This Do

This adds the instrumentation to propagate taint values through the String methods replace, replaceFirst and replaceAll.
The approach uses a CallSite.Around to avoid iterating over the whole string to check the tainted values. This adds some overhead to the method, as the algorithm is not as efficient as the original, but it increases efficiency overall, as it will not iterate a second time through the string.

Motivation

Increase propagation of String methods

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-5763

@Mariovido Mariovido added comp: asm iast Application Security Management (IAST) inst: java Core Java language instrumentation labels Oct 7, 2024
@pr-commenter

pr-commenter bot commented Oct 7, 2024

Benchmarks

Startup

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | mario.vidal/taint_propagation_replace |
| git_commit_date | 1730886991 | 1730891623 |
| git_commit_sha | 8233fc5 | 9bd24c3 |
| release_version | 1.43.0-SNAPSHOT~8233fc5ff8 | 1.43.0-SNAPSHOT~9bd24c3774 |

Matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1730894034 | 1730894034 |
| ci_job_id | 697060097 | 697060097 |
| ci_pipeline_id | 48334234 | 48334234 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 55 metrics, 8 unstable metrics.

Startup time reports for petclinic

[Chart: petclinic - global startup overhead: candidate=1.43.0-SNAPSHOT~9bd24c3774, baseline=1.43.0-SNAPSHOT~8233fc5ff8]

Baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.091 s | - |
| Agent | appsec | 1.223 s | 131.677 ms (12.1%) |
| Agent | iast | 1.219 s | 127.339 ms (11.7%) |
| Agent | profiling | 1.279 s | 187.557 ms (17.2%) |
| Total | tracing | 10.382 s | - |
| Total | appsec | 10.706 s | 323.604 ms (3.1%) |
| Total | iast | 10.953 s | 570.538 ms (5.5%) |
| Total | profiling | 10.736 s | 353.332 ms (3.4%) |

Candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.084 s | - |
| Agent | appsec | 1.216 s | 132.613 ms (12.2%) |
| Agent | iast | 1.208 s | 124.887 ms (11.5%) |
| Agent | profiling | 1.279 s | 194.987 ms (18.0%) |
| Total | tracing | 10.368 s | - |
| Total | appsec | 10.699 s | 331.698 ms (3.2%) |
| Total | iast | 10.957 s | 589.733 ms (5.7%) |
| Total | profiling | 10.741 s | 373.232 ms (3.6%) |
Break down per module for petclinic (candidate=1.43.0-SNAPSHOT~9bd24c3774, baseline=1.43.0-SNAPSHOT~8233fc5ff8)

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 693.084 ms | 688.232 ms |
| tracing | GlobalTracer | 318.109 ms | 315.976 ms |
| tracing | AppSec | 54.55 ms | 54.21 ms |
| tracing | Remote Config | 679.131 µs | 669.432 µs |
| tracing | Telemetry | 11.208 ms | 10.716 ms |
| appsec | BytebuddyAgent | 709.466 ms | 705.036 ms |
| appsec | GlobalTracer | 315.14 ms | 312.648 ms |
| appsec | AppSec | 164.852 ms | 166.696 ms |
| appsec | Remote Config | 642.005 µs | 634.522 µs |
| appsec | Telemetry | 8.85 ms | 7.741 ms |
| appsec | IAST | 20.792 ms | 19.357 ms |
| iast | BytebuddyAgent | 810.944 ms | 804.154 ms |
| iast | GlobalTracer | 307.096 ms | 304.571 ms |
| iast | AppSec | 57.148 ms | 57.471 ms |
| iast | Remote Config | 628.952 µs | 600.118 µs |
| iast | Telemetry | 7.502 ms | 7.417 ms |
| iast | IAST | 21.621 ms | 20.469 ms |
| profiling | BytebuddyAgent | 681.98 ms | 681.09 ms |
| profiling | GlobalTracer | 398.401 ms | 397.783 ms |
| profiling | AppSec | 54.544 ms | 54.772 ms |
| profiling | Remote Config | 679.355 µs | 686.03 µs |
| profiling | Telemetry | 10.085 ms | 10.767 ms |
| profiling | ProfilingAgent | 94.298 ms | 94.371 ms |
| profiling | Profiling | 94.321 ms | 94.394 ms |
Startup time reports for insecure-bank

[Chart: insecure-bank - global startup overhead: candidate=1.43.0-SNAPSHOT~9bd24c3774, baseline=1.43.0-SNAPSHOT~8233fc5ff8]

Baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.086 s | - |
| Agent | iast | 1.205 s | 119.501 ms (11.0%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.209 s | 123.179 ms (11.3%) |
| Agent | iast_TELEMETRY_OFF | 1.211 s | 124.706 ms (11.5%) |
| Total | tracing | 8.606 s | - |
| Total | iast | 9.145 s | 538.813 ms (6.3%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.136 s | 529.95 ms (6.2%) |
| Total | iast_TELEMETRY_OFF | 9.142 s | 536.601 ms (6.2%) |

Candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.086 s | - |
| Agent | iast | 1.21 s | 123.919 ms (11.4%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.215 s | 128.837 ms (11.9%) |
| Agent | iast_TELEMETRY_OFF | 1.212 s | 126.025 ms (11.6%) |
| Total | tracing | 8.625 s | - |
| Total | iast | 9.184 s | 559.334 ms (6.5%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.125 s | 500.41 ms (5.8%) |
| Total | iast_TELEMETRY_OFF | 9.168 s | 543.38 ms (6.3%) |
Break down per module for insecure-bank (candidate=1.43.0-SNAPSHOT~9bd24c3774, baseline=1.43.0-SNAPSHOT~8233fc5ff8)

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 690.733 ms | 690.524 ms |
| tracing | GlobalTracer | 316.949 ms | 316.849 ms |
| tracing | AppSec | 54.5 ms | 54.707 ms |
| tracing | Remote Config | 667.71 µs | 667.97 µs |
| tracing | Telemetry | 9.254 ms | 9.31 ms |
| iast | BytebuddyAgent | 801.769 ms | 804.588 ms |
| iast | GlobalTracer | 304.187 ms | 304.989 ms |
| iast | AppSec | 57.07 ms | 57.586 ms |
| iast | Remote Config | 632.094 µs | 607.067 µs |
| iast | Telemetry | 7.5 ms | 7.482 ms |
| iast | IAST | 20.525 ms | 20.674 ms |
| iast_HARDCODED_SECRET_DISABLED | BytebuddyAgent | 804.199 ms | 808.059 ms |
| iast_HARDCODED_SECRET_DISABLED | GlobalTracer | 304.6 ms | 306.253 ms |
| iast_HARDCODED_SECRET_DISABLED | AppSec | 56.83 ms | 57.552 ms |
| iast_HARDCODED_SECRET_DISABLED | Remote Config | 622.837 µs | 626.492 µs |
| iast_HARDCODED_SECRET_DISABLED | Telemetry | 7.511 ms | 7.523 ms |
| iast_HARDCODED_SECRET_DISABLED | IAST | 21.506 ms | 20.799 ms |
| iast_TELEMETRY_OFF | BytebuddyAgent | 804.254 ms | 805.569 ms |
| iast_TELEMETRY_OFF | GlobalTracer | 306.047 ms | 305.963 ms |
| iast_TELEMETRY_OFF | AppSec | 57.943 ms | 57.276 ms |
| iast_TELEMETRY_OFF | Remote Config | 641.134 µs | 617.976 µs |
| iast_TELEMETRY_OFF | Telemetry | 7.461 ms | 7.461 ms |
| iast_TELEMETRY_OFF | IAST | 20.441 ms | 21.142 ms |

Load

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| end_time | 2024-11-06T11:22:10 | 2024-11-06T11:29:04 |
| git_branch | master | mario.vidal/taint_propagation_replace |
| git_commit_date | 1730886991 | 1730891623 |
| git_commit_sha | 8233fc5 | 9bd24c3 |
| release_version | 1.43.0-SNAPSHOT~8233fc5ff8 | 1.43.0-SNAPSHOT~9bd24c3774 |
| start_time | 2024-11-06T11:21:57 | 2024-11-06T11:28:51 |

Matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1730892893 | 1730892893 |
| ci_job_id | 697060098 | 697060098 |
| ci_pipeline_id | 48334234 | 48334234 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 16 unstable metrics.

Request duration reports for insecure-bank

[Chart: insecure-bank - request duration [CI 0.99] : candidate=1.43.0-SNAPSHOT~9bd24c3774, baseline=1.43.0-SNAPSHOT~8233fc5ff8]

Baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 365.523 µs [345.637 µs, 385.41 µs] | - |
| iast | 482.234 µs [460.924 µs, 503.543 µs] | 116.71 µs (31.9%) |
| iast_FULL | 641.638 µs [620.172 µs, 663.104 µs] | 276.115 µs (75.5%) |
| iast_GLOBAL | 517.771 µs [495.237 µs, 540.306 µs] | 152.248 µs (41.7%) |
| iast_HARDCODED_SECRET_DISABLED | 482.578 µs [461.259 µs, 503.897 µs] | 117.055 µs (32.0%) |
| iast_INACTIVE | 456.763 µs [436.017 µs, 477.508 µs] | 91.24 µs (25.0%) |
| iast_TELEMETRY_OFF | 470.624 µs [449.177 µs, 492.071 µs] | 105.101 µs (28.8%) |
| tracing | 438.082 µs [417.985 µs, 458.18 µs] | 72.559 µs (19.9%) |

Candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 367.092 µs [346.549 µs, 387.634 µs] | - |
| iast | 483.284 µs [462.332 µs, 504.236 µs] | 116.192 µs (31.7%) |
| iast_FULL | 639.971 µs [618.416 µs, 661.526 µs] | 272.879 µs (74.3%) |
| iast_GLOBAL | 506.591 µs [485.368 µs, 527.814 µs] | 139.499 µs (38.0%) |
| iast_HARDCODED_SECRET_DISABLED | 486.688 µs [465.588 µs, 507.788 µs] | 119.596 µs (32.6%) |
| iast_INACTIVE | 448.603 µs [427.491 µs, 469.716 µs] | 81.512 µs (22.2%) |
| iast_TELEMETRY_OFF | 468.698 µs [447.798 µs, 489.597 µs] | 101.606 µs (27.7%) |
| tracing | 449.133 µs [428.398 µs, 469.868 µs] | 82.041 µs (22.3%) |
Request duration reports for petclinic

[Chart: petclinic - request duration [CI 0.99] : candidate=1.43.0-SNAPSHOT~9bd24c3774, baseline=1.43.0-SNAPSHOT~8233fc5ff8]

Baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.341 ms [1.322 ms, 1.361 ms] | - |
| appsec | 1.73 ms [1.706 ms, 1.754 ms] | 388.461 µs (29.0%) |
| appsec_no_iast | 1.727 ms [1.703 ms, 1.751 ms] | 385.721 µs (28.8%) |
| iast | 1.461 ms [1.438 ms, 1.484 ms] | 119.921 µs (8.9%) |
| profiling | 1.478 ms [1.455 ms, 1.5 ms] | 136.28 µs (10.2%) |
| tracing | 1.45 ms [1.425 ms, 1.475 ms] | 108.918 µs (8.1%) |

Candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.334 ms [1.315 ms, 1.352 ms] | - |
| appsec | 1.727 ms [1.704 ms, 1.75 ms] | 393.81 µs (29.5%) |
| appsec_no_iast | 1.716 ms [1.692 ms, 1.741 ms] | 382.642 µs (28.7%) |
| iast | 1.481 ms [1.459 ms, 1.503 ms] | 147.564 µs (11.1%) |
| profiling | 1.514 ms [1.49 ms, 1.538 ms] | 180.639 µs (13.5%) |
| tracing | 1.454 ms [1.43 ms, 1.479 ms] | 120.433 µs (9.0%) |

Dacapo

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | mario.vidal/taint_propagation_replace |
| git_commit_date | 1730886991 | 1730891623 |
| git_commit_sha | 8233fc5 | 9bd24c3 |
| release_version | 1.43.0-SNAPSHOT~8233fc5ff8 | 1.43.0-SNAPSHOT~9bd24c3774 |

Matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | biojava | biojava |
| ci_job_date | 1730893530 | 1730893530 |
| ci_job_id | 697060100 | 697060100 |
| ci_pipeline_id | 48334234 | 48334234 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | appsec | appsec |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for tomcat

[Chart: tomcat - execution time [CI 0.99] : candidate=1.43.0-SNAPSHOT~9bd24c3774, baseline=1.43.0-SNAPSHOT~8233fc5ff8]

Baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.462 ms [1.451 ms, 1.474 ms] | - |
| appsec | 2.336 ms [2.294 ms, 2.378 ms] | 873.519 µs (59.7%) |
| iast | 2.075 ms [2.023 ms, 2.127 ms] | 612.643 µs (41.9%) |
| iast_GLOBAL | 2.119 ms [2.067 ms, 2.172 ms] | 656.836 µs (44.9%) |
| profiling | 2.27 ms [2.115 ms, 2.425 ms] | 807.561 µs (55.2%) |
| tracing | 1.919 ms [1.88 ms, 1.959 ms] | 456.816 µs (31.2%) |

Candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.46 ms [1.449 ms, 1.472 ms] | - |
| appsec | 2.333 ms [2.291 ms, 2.374 ms] | 872.525 µs (59.8%) |
| iast | 2.068 ms [2.016 ms, 2.12 ms] | 607.902 µs (41.6%) |
| iast_GLOBAL | 2.111 ms [2.06 ms, 2.163 ms] | 651.087 µs (44.6%) |
| profiling | 1.942 ms [1.9 ms, 1.984 ms] | 481.75 µs (33.0%) |
| tracing | 1.912 ms [1.872 ms, 1.952 ms] | 451.529 µs (30.9%) |
Execution time for biojava

[Chart: biojava - execution time [CI 0.99] : candidate=1.43.0-SNAPSHOT~9bd24c3774, baseline=1.43.0-SNAPSHOT~8233fc5ff8]

Baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.058 s [15.058 s, 15.058 s] | - |
| appsec | 15.365 s [15.365 s, 15.365 s] | 307.0 ms (2.0%) |
| iast | 18.525 s [18.525 s, 18.525 s] | 3.467 s (23.0%) |
| iast_GLOBAL | 18.162 s [18.162 s, 18.162 s] | 3.104 s (20.6%) |
| profiling | 15.155 s [15.155 s, 15.155 s] | 97.0 ms (0.6%) |
| tracing | 15.518 s [15.518 s, 15.518 s] | 460.0 ms (3.1%) |

Candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.072 s [15.072 s, 15.072 s] | - |
| appsec | 15.073 s [15.073 s, 15.073 s] | 1.0 ms (0.0%) |
| iast | 18.425 s [18.425 s, 18.425 s] | 3.353 s (22.2%) |
| iast_GLOBAL | 18.327 s [18.327 s, 18.327 s] | 3.255 s (21.6%) |
| profiling | 15.052 s [15.052 s, 15.052 s] | -20.0 ms (-0.1%) |
| tracing | 15.076 s [15.076 s, 15.076 s] | 4.0 ms (0.0%) |

@Mariovido Mariovido changed the title Add taint propagation to the String replace method Add taint propagation to the String replace, replaceFirst, replaceAll methods Oct 21, 2024
@Mariovido Mariovido marked this pull request as ready for review October 21, 2024 10:49
@Mariovido Mariovido requested review from a team as code owners October 21, 2024 10:49
@manuel-alvarez-alvarez
Member

Rolling out this feature like this really makes me feel nervous, I think we should:

  • Always forward the call to the JDK for the replaced methods (those annotated with @Around) and then compare their result with the one we've computed; if they don't match:
    • Throw away the computed tainted value
    • Return the JDK computed method
    • Generate a telemetry log with all the info we can get (without causing PI issues)
  • Feature gate those instrumentations so customers can disable them in case of issues.

Once we are more confident with the solution we could return it to the most optimal state without having to rely on the JDK.

CC @smola

-4 | " ==>123\r\n 1<==2==>3<==" | "==>123\n1<==2==>3<=="
}

void 'test replace with a single char and make sure IastRequestContext is called'() {

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the replacing methods, did you have a look at Regex.java and LiteralReplace.java? There are many cases, including ones that produce out-of-memory errors, that we should contemplate for this PR.
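As an added illustration (not code from dd-trace-java or from this PR), the following standalone Java model combines the approach of the PR description with the guard proposed in the review above: taint ranges are rebuilt in a single pass alongside the replaced string, the call is still forwarded to the JDK, and on any mismatch the computed ranges are discarded in favour of the JDK result. The Range and Tainted types, the source labels and the sample strings are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.List;

// Standalone model (not dd-trace-java code, needs Java 16+ for records) of taint propagation
// through String.replace(CharSequence, CharSequence). A Range marks the tainted span
// [start, start + length) of a string; the source label is a hypothetical tag.
public class TaintedReplaceDemo {
    record Range(int start, int length, String source) {}
    record Tainted(String value, List<Range> ranges) {}

    /** Rebuilds the string once, shifting and clipping ranges as segments are copied. */
    static Tainted replaceWithRanges(Tainted self, String target, Tainted repl) {
        if (target.isEmpty()) return null; // JDK inserts repl around every char: not modelled, fall back
        String s = self.value();
        StringBuilder out = new StringBuilder();
        List<Range> ranges = new ArrayList<>();
        int from = 0, idx;
        while ((idx = s.indexOf(target, from)) >= 0) {
            copySegment(from, idx, out.length(), self.ranges(), ranges);
            out.append(s, from, idx);
            appendReplacement(repl, out, ranges);
            from = idx + target.length();
        }
        copySegment(from, s.length(), out.length(), self.ranges(), ranges);
        out.append(s, from, s.length());
        return new Tainted(out.toString(), ranges);
    }

    /** Copies the source ranges that fall inside [from, to) to their new offset in the output. */
    static void copySegment(int from, int to, int outPos, List<Range> src, List<Range> dst) {
        for (Range r : src) {
            int start = Math.max(r.start(), from);
            int end = Math.min(r.start() + r.length(), to);
            if (start < end) dst.add(new Range(start - from + outPos, end - start, r.source()));
        }
    }

    /** Appends the replacement text and shifts its own ranges to the current output length. */
    static void appendReplacement(Tainted repl, StringBuilder out, List<Range> dst) {
        int outPos = out.length();
        for (Range r : repl.ranges()) dst.add(new Range(r.start() + outPos, r.length(), r.source()));
        out.append(repl.value());
    }

    /** Models the @Around call site with the guard from the review: always ask the JDK,
     *  and on any mismatch drop the computed ranges and return the JDK result. */
    static Tainted guardedReplace(Tainted self, String target, Tainted repl) {
        String jdk = self.value().replace(target, repl.value());
        Tainted computed = replaceWithRanges(self, target, repl);
        if (computed == null || !computed.value().equals(jdk)) {
            // The real agent would emit a telemetry log here; keep the string contents out of it
            System.err.println("taint propagation mismatch in String.replace, returning untainted JDK result");
            return new Tainted(jdk, List.of());
        }
        return computed;
    }

    public static void main(String[] args) {
        // Constructed sample: "user" was read from a request parameter, the rest is a literal
        Tainted input = new Tainted("hello user, user!",
                List.of(new Range(6, 4, "request.param"), new Range(12, 4, "request.param")));
        Tainted repl = new Tainted("<b>u</b>", List.of(new Range(3, 1, "request.param")));
        System.out.println(guardedReplace(input, "user", repl));
        System.out.println(guardedReplace(input, "", repl));
    }
}
```

With the sample input the first call keeps only the tainted "u" of each replacement, at offsets 9 and 19 of the result; the second call takes the fallback path because the empty target is not modelled, so the JDK string is returned with no ranges.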

@Mariovido Mariovido requested a review from a team as a code owner October 28, 2024 14:30
@Mariovido Mariovido requested a review from dougqh October 28, 2024 14:30
@Mariovido Mariovido changed the title Add taint propagation to the String replace, replaceFirst, replaceAll methods Add experimental taint propagation to the String replace, replaceFirst, replaceAll methods Nov 8, 2024
Contributor

github-actions bot commented Nov 8, 2024

Hi! 👋 Thanks for your pull request! 🎉

To help us review it, please make sure to:

  • Add at least one type, and one component or instrumentation label to the pull request

If you need help, please check our contributing guidelines.

@Mariovido Mariovido merged commit d3151b6 into master Nov 8, 2024
103 of 104 checks passed
@Mariovido Mariovido deleted the mario.vidal/taint_propagation_replace branch November 8, 2024 11:12
@github-actions github-actions bot added this to the 1.43.0 milestone Nov 8, 2024
Labels
comp: asm iast Application Security Management (IAST) inst: java Core Java language instrumentation tag: experimental Experimental changes type: enhancement
3 participants