Limit the collections that the iast visitor can handle #7764
Conversation
@@ -66,7 +66,6 @@ class GrpcRequestMessageHandlerTest extends IastModuleImplTestBase { | |||
given: | |||
final visitor = Mock(ObjectVisitor.Visitor) { | |||
visit(_ as String, _ as Object) >> { | |||
println 'feo' |
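Review bot: dropping the leftover `println 'feo'` from the `visit` mock closure is the right call; a stray debug print inside a Spock mock body only pollutes the test output, and the hunk header's 7-to-6 line count shows that this line is the only change in the hunk.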
Unrelated print of ferrous oxide 😄
LGTM
Benchmarks (candidate=1.41.0-SNAPSHOT~ab66ad0c5b, baseline=1.41.0-SNAPSHOT~79648faf82)
Startup: Found 0 performance improvements and 0 performance regressions! Performance is the same for 53 metrics, 10 unstable metrics. [Startup time charts for petclinic and insecure-bank (global startup overhead and break down per module) omitted]
Load: Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 16 unstable metrics. [Request duration charts (CI 0.99) for insecure-bank and petclinic omitted]
Dacapo: Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics. [Execution time charts (CI 0.99) for tomcat and biojava omitted]
@@ -74,6 +70,29 @@ class ObjectVisitorTest extends Specification { | |||
0 * _ | |||
} | |||
|
|||
void 'test visiting ignored collection'() { |
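Review bot: the new `test visiting ignored collection` feature needs an explicit negative assertion; the visible context closes the previous feature with `0 * _` (no interactions on the mock visitor), and the new test should end with the same `0 * _` (or an equivalent check that the number of element accesses is zero), otherwise a visitor that does iterate the ignored collection would not make the test fail.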
It's not clear to me what we're asserting in this test... I understand that we're not supposed to access the list, so shouldn't we throw an exception in the get, for instance? Or count accesses and make sure it's == 0?
Yes, we could throw an exception, but in the end we are asserting that there are no mock invocations of the visitor with 0 * _, which is equivalent.
OK, thanks, I wasn't familiar with that notation.
What Does This Do
Limits the types of collections that the IAST object visitor can handle to:
Motivation
When a Hibernate persistent collection is added to the session scope, we will try to visit its elements in order to detect trust boundary violation vulnerabilities, and we might trigger issues further down the line due to lazy loading in ORMs.
Additional Notes
Contributor Checklist
Add type: and (comp: or inst:) labels in addition to any useful labels
Avoid close, fix or any linking keywords when referencing an issue. Use solves instead, and assign the PR milestone to the issue
Jira ticket: SCRS-1113
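As an added example (not code from dd-trace-java or from this PR), a Java sketch of the idea the motivation describes: a visitor that only descends into an explicit allow-list of collection classes and leaves any other Collection or Map untouched, together with the access-count check the review thread discusses. The class name, the allow-list and the LazyList stand-in for an ORM persistent collection are assumptions; the PR's real list of supported collections is not shown on the page.

```java
import java.util.*;
import java.util.function.BiConsumer;

public final class SafeObjectVisitor {
  // Assumed allow-list for this example; the PR's real list is not on the page.
  private static final Set<Class<?>> ALLOWED = new HashSet<>(Arrays.asList(
      ArrayList.class, HashSet.class, HashMap.class, LinkedHashMap.class));

  /** Walks root, calling visitor for each leaf; returns how many collections were skipped. */
  public static int visit(Object root, BiConsumer<String, Object> visitor) {
    return walk("$", root, visitor, 0);
  }

  private static int walk(String path, Object v, BiConsumer<String, Object> visitor, int skipped) {
    if (v == null) return skipped;
    // Unknown Collection/Map implementations (e.g. an ORM's lazy persistent collection) are
    // never touched: not even size() or iterator(), since either can trigger a lazy load.
    if (v instanceof Collection || v instanceof Map) {
      if (!ALLOWED.contains(v.getClass())) return skipped + 1;
      if (v instanceof Map) {
        for (Map.Entry<?, ?> e : ((Map<?, ?>) v).entrySet())
          skipped = walk(path + "." + e.getKey(), e.getValue(), visitor, skipped);
      } else {
        int i = 0;
        for (Object item : (Collection<?>) v) skipped = walk(path + "[" + i++ + "]", item, visitor, skipped);
      }
      return skipped;
    }
    visitor.accept(path, v);
    return skipped;
  }

  /** Stand-in for a lazy ORM collection: any element or size access counts as a DB load. */
  static final class LazyList extends AbstractList<Object> {
    int loads;
    @Override public Object get(int i) { loads++; throw new IllegalStateException("lazy load triggered"); }
    @Override public int size() { loads++; throw new IllegalStateException("lazy load triggered"); }
  }

  public static void main(String[] args) {
    LazyList orders = new LazyList();
    Map<String, Object> session = new HashMap<>(); // constructed sample session scope
    session.put("user", new ArrayList<>(Arrays.asList("alice", "admin")));
    session.put("orders", orders);
    int skipped = visit(session, (path, leaf) -> System.out.println(path + " = " + leaf));
    // The check the reviewer asked for: the ignored collection was never accessed.
    if (skipped != 1 || orders.loads != 0) throw new AssertionError("lazy collection was touched");
    System.out.println("skipped collections: " + skipped + ", lazy loads: " + orders.loads);
  }
}
```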