-
Notifications
You must be signed in to change notification settings - Fork 292
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix String subsequence taint tracking bug #7778
Fix String subsequence taint tracking bug #7778
Conversation
… the intersection method
BenchmarksStartupParameters
See matching parameters
SummaryFound 0 performance improvements and 0 performance regressions! Performance is the same for 54 metrics, 9 unstable metrics. Startup time reports for petclinicgantt
title petclinic - global startup overhead: candidate=1.41.0-SNAPSHOT~da1f033f90, baseline=1.41.0-SNAPSHOT~b53b6dc565
dateFormat X
axisFormat %s
section tracing
Agent [baseline] (1.07 s) : 0, 1069610
Total [baseline] (10.371 s) : 0, 10371152
Agent [candidate] (1.068 s) : 0, 1068293
Total [candidate] (10.381 s) : 0, 10381422
section appsec
Agent [baseline] (1.202 s) : 0, 1202262
Total [baseline] (10.594 s) : 0, 10593667
Agent [candidate] (1.21 s) : 0, 1210381
Total [candidate] (10.558 s) : 0, 10558276
section iast
Agent [baseline] (1.2 s) : 0, 1199599
Total [baseline] (10.812 s) : 0, 10811930
Agent [candidate] (1.196 s) : 0, 1195799
Total [candidate] (10.838 s) : 0, 10838362
section profiling
Agent [baseline] (1.266 s) : 0, 1265828
Total [baseline] (10.576 s) : 0, 10576327
Agent [candidate] (1.282 s) : 0, 1281935
Total [candidate] (10.641 s) : 0, 10640839
gantt
title petclinic - break down per module: candidate=1.41.0-SNAPSHOT~da1f033f90, baseline=1.41.0-SNAPSHOT~b53b6dc565
dateFormat X
axisFormat %s
section tracing
BytebuddyAgent [baseline] (682.637 ms) : 0, 682637
BytebuddyAgent [candidate] (681.225 ms) : 0, 681225
GlobalTracer [baseline] (311.398 ms) : 0, 311398
GlobalTracer [candidate] (311.644 ms) : 0, 311644
AppSec [baseline] (53.84 ms) : 0, 53840
AppSec [candidate] (53.689 ms) : 0, 53689
Remote Config [baseline] (673.202 µs) : 0, 673
Remote Config [candidate] (656.94 µs) : 0, 657
Telemetry [baseline] (7.425 ms) : 0, 7425
Telemetry [candidate] (7.479 ms) : 0, 7479
section appsec
BytebuddyAgent [baseline] (698.681 ms) : 0, 698681
BytebuddyAgent [candidate] (703.063 ms) : 0, 703063
GlobalTracer [baseline] (308.428 ms) : 0, 308428
GlobalTracer [candidate] (310.456 ms) : 0, 310456
AppSec [baseline] (163.587 ms) : 0, 163587
AppSec [candidate] (163.943 ms) : 0, 163943
Remote Config [baseline] (632.019 µs) : 0, 632
Remote Config [candidate] (631.723 µs) : 0, 632
Telemetry [baseline] (8.123 ms) : 0, 8123
Telemetry [candidate] (8.791 ms) : 0, 8791
IAST [baseline] (18.465 ms) : 0, 18465
IAST [candidate] (19.538 ms) : 0, 19538
section iast
BytebuddyAgent [baseline] (798.68 ms) : 0, 798680
BytebuddyAgent [candidate] (795.924 ms) : 0, 795924
GlobalTracer [baseline] (301.291 ms) : 0, 301291
GlobalTracer [candidate] (300.537 ms) : 0, 300537
AppSec [baseline] (55.416 ms) : 0, 55416
AppSec [candidate] (56.949 ms) : 0, 56949
Remote Config [baseline] (656.322 µs) : 0, 656
Remote Config [candidate] (599.139 µs) : 0, 599
Telemetry [baseline] (6.997 ms) : 0, 6997
Telemetry [candidate] (7.002 ms) : 0, 7002
IAST [baseline] (22.906 ms) : 0, 22906
IAST [candidate] (21.179 ms) : 0, 21179
section profiling
ProfilingAgent [baseline] (95.824 ms) : 0, 95824
ProfilingAgent [candidate] (97.279 ms) : 0, 97279
BytebuddyAgent [baseline] (675.361 ms) : 0, 675361
BytebuddyAgent [candidate] (685.133 ms) : 0, 685133
GlobalTracer [baseline] (393.901 ms) : 0, 393901
GlobalTracer [candidate] (397.154 ms) : 0, 397154
AppSec [baseline] (54.261 ms) : 0, 54261
AppSec [candidate] (55.04 ms) : 0, 55040
Remote Config [baseline] (638.42 µs) : 0, 638
Remote Config [candidate] (656.908 µs) : 0, 657
Telemetry [baseline] (7.385 ms) : 0, 7385
Telemetry [candidate] (7.515 ms) : 0, 7515
Profiling [baseline] (95.847 ms) : 0, 95847
Profiling [candidate] (97.303 ms) : 0, 97303
Startup time reports for insecure-bankgantt
title insecure-bank - global startup overhead: candidate=1.41.0-SNAPSHOT~da1f033f90, baseline=1.41.0-SNAPSHOT~b53b6dc565
dateFormat X
axisFormat %s
section tracing
Agent [baseline] (1.073 s) : 0, 1072621
Total [baseline] (8.584 s) : 0, 8584059
Agent [candidate] (1.069 s) : 0, 1069359
Total [candidate] (8.542 s) : 0, 8541882
section iast
Agent [baseline] (1.203 s) : 0, 1202735
Total [baseline] (9.095 s) : 0, 9094884
Agent [candidate] (1.204 s) : 0, 1203748
Total [candidate] (9.128 s) : 0, 9127825
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.204 s) : 0, 1204261
Total [baseline] (9.05 s) : 0, 9049973
Agent [candidate] (1.206 s) : 0, 1206102
Total [candidate] (9.107 s) : 0, 9107152
section iast_TELEMETRY_OFF
Agent [baseline] (1.201 s) : 0, 1201330
Total [baseline] (9.059 s) : 0, 9058696
Agent [candidate] (1.194 s) : 0, 1194496
Total [candidate] (9.086 s) : 0, 9085895
gantt
title insecure-bank - break down per module: candidate=1.41.0-SNAPSHOT~da1f033f90, baseline=1.41.0-SNAPSHOT~b53b6dc565
dateFormat X
axisFormat %s
section tracing
BytebuddyAgent [baseline] (684.643 ms) : 0, 684643
BytebuddyAgent [candidate] (681.87 ms) : 0, 681870
GlobalTracer [baseline] (312.416 ms) : 0, 312416
GlobalTracer [candidate] (312.023 ms) : 0, 312023
AppSec [baseline] (53.855 ms) : 0, 53855
AppSec [candidate] (53.645 ms) : 0, 53645
Remote Config [baseline] (670.562 µs) : 0, 671
Remote Config [candidate] (668.275 µs) : 0, 668
Telemetry [baseline] (7.437 ms) : 0, 7437
Telemetry [candidate] (7.508 ms) : 0, 7508
section iast
BytebuddyAgent [baseline] (802.708 ms) : 0, 802708
BytebuddyAgent [candidate] (801.853 ms) : 0, 801853
GlobalTracer [baseline] (301.071 ms) : 0, 301071
GlobalTracer [candidate] (302.031 ms) : 0, 302031
AppSec [baseline] (56.304 ms) : 0, 56304
AppSec [candidate] (54.752 ms) : 0, 54752
IAST [baseline] (21.25 ms) : 0, 21250
IAST [candidate] (23.692 ms) : 0, 23692
Remote Config [baseline] (601.532 µs) : 0, 602
Remote Config [candidate] (622.261 µs) : 0, 622
Telemetry [baseline] (7.083 ms) : 0, 7083
Telemetry [candidate] (7.052 ms) : 0, 7052
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (802.542 ms) : 0, 802542
BytebuddyAgent [candidate] (802.681 ms) : 0, 802681
GlobalTracer [baseline] (302.196 ms) : 0, 302196
GlobalTracer [candidate] (303.32 ms) : 0, 303320
AppSec [baseline] (55.37 ms) : 0, 55370
AppSec [candidate] (57.868 ms) : 0, 57868
IAST [baseline] (22.821 ms) : 0, 22821
IAST [candidate] (20.724 ms) : 0, 20724
Remote Config [baseline] (597.421 µs) : 0, 597
Remote Config [candidate] (605.333 µs) : 0, 605
Telemetry [baseline] (7.035 ms) : 0, 7035
Telemetry [candidate] (7.124 ms) : 0, 7124
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (800.178 ms) : 0, 800178
BytebuddyAgent [candidate] (794.248 ms) : 0, 794248
GlobalTracer [baseline] (302.18 ms) : 0, 302180
GlobalTracer [candidate] (301.242 ms) : 0, 301242
AppSec [baseline] (56.243 ms) : 0, 56243
AppSec [candidate] (55.426 ms) : 0, 55426
IAST [baseline] (21.509 ms) : 0, 21509
IAST [candidate] (22.293 ms) : 0, 22293
Remote Config [baseline] (580.898 µs) : 0, 581
Remote Config [candidate] (604.61 µs) : 0, 605
Telemetry [baseline] (6.915 ms) : 0, 6915
Telemetry [candidate] (6.973 ms) : 0, 6973
LoadParameters
See matching parameters
SummaryFound 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 16 unstable metrics. Request duration reports for insecure-bankgantt
title insecure-bank - request duration [CI 0.99] : candidate=1.41.0-SNAPSHOT~da1f033f90, baseline=1.41.0-SNAPSHOT~b53b6dc565
dateFormat X
axisFormat %s
section baseline
no_agent (370.49 µs) : 351, 390
. : milestone, 370,
iast (484.374 µs) : 463, 505
. : milestone, 484,
iast_FULL (554.036 µs) : 533, 575
. : milestone, 554,
iast_GLOBAL (521.497 µs) : 498, 545
. : milestone, 521,
iast_HARDCODED_SECRET_DISABLED (484.019 µs) : 463, 505
. : milestone, 484,
iast_INACTIVE (455.962 µs) : 435, 477
. : milestone, 456,
iast_TELEMETRY_OFF (474.591 µs) : 453, 496
. : milestone, 475,
tracing (451.621 µs) : 431, 472
. : milestone, 452,
section candidate
no_agent (378.7 µs) : 359, 398
. : milestone, 379,
iast (486.908 µs) : 465, 509
. : milestone, 487,
iast_FULL (558.952 µs) : 538, 580
. : milestone, 559,
iast_GLOBAL (513.113 µs) : 491, 535
. : milestone, 513,
iast_HARDCODED_SECRET_DISABLED (491.433 µs) : 470, 513
. : milestone, 491,
iast_INACTIVE (457.901 µs) : 436, 480
. : milestone, 458,
iast_TELEMETRY_OFF (476.996 µs) : 455, 499
. : milestone, 477,
tracing (449.764 µs) : 429, 471
. : milestone, 450,
Request duration reports for petclinicgantt
title petclinic - request duration [CI 0.99] : candidate=1.41.0-SNAPSHOT~da1f033f90, baseline=1.41.0-SNAPSHOT~b53b6dc565
dateFormat X
axisFormat %s
section baseline
no_agent (1.355 ms) : 1336, 1375
. : milestone, 1355,
appsec (1.705 ms) : 1680, 1730
. : milestone, 1705,
appsec_no_iast (1.722 ms) : 1698, 1746
. : milestone, 1722,
iast (1.484 ms) : 1461, 1507
. : milestone, 1484,
profiling (1.548 ms) : 1523, 1572
. : milestone, 1548,
tracing (1.485 ms) : 1461, 1510
. : milestone, 1485,
section candidate
no_agent (1.333 ms) : 1313, 1353
. : milestone, 1333,
appsec (1.705 ms) : 1681, 1728
. : milestone, 1705,
appsec_no_iast (1.709 ms) : 1685, 1734
. : milestone, 1709,
iast (1.503 ms) : 1481, 1526
. : milestone, 1503,
profiling (1.531 ms) : 1507, 1555
. : milestone, 1531,
tracing (1.484 ms) : 1458, 1509
. : milestone, 1484,
DacapoParameters
See matching parameters
SummaryFound 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics. Execution time for tomcatgantt
title tomcat - execution time [CI 0.99] : candidate=1.41.0-SNAPSHOT~da1f033f90, baseline=1.41.0-SNAPSHOT~b53b6dc565
dateFormat X
axisFormat %s
section baseline
no_agent (1.46 ms) : 1449, 1472
. : milestone, 1460,
appsec (2.318 ms) : 2276, 2359
. : milestone, 2318,
iast (2.055 ms) : 2003, 2107
. : milestone, 2055,
iast_GLOBAL (2.089 ms) : 2038, 2141
. : milestone, 2089,
profiling (1.936 ms) : 1894, 1978
. : milestone, 1936,
tracing (1.909 ms) : 1869, 1948
. : milestone, 1909,
section candidate
no_agent (1.457 ms) : 1446, 1469
. : milestone, 1457,
appsec (2.309 ms) : 2268, 2350
. : milestone, 2309,
iast (2.072 ms) : 2020, 2124
. : milestone, 2072,
iast_GLOBAL (2.105 ms) : 2053, 2157
. : milestone, 2105,
profiling (1.924 ms) : 1883, 1965
. : milestone, 1924,
tracing (1.903 ms) : 1863, 1942
. : milestone, 1903,
Execution time for biojavagantt
title biojava - execution time [CI 0.99] : candidate=1.41.0-SNAPSHOT~da1f033f90, baseline=1.41.0-SNAPSHOT~b53b6dc565
dateFormat X
axisFormat %s
section baseline
no_agent (15.786 s) : 15786000, 15786000
. : milestone, 15786000,
appsec (15.329 s) : 15329000, 15329000
. : milestone, 15329000,
iast (18.577 s) : 18577000, 18577000
. : milestone, 18577000,
iast_GLOBAL (18.093 s) : 18093000, 18093000
. : milestone, 18093000,
profiling (14.83 s) : 14830000, 14830000
. : milestone, 14830000,
tracing (15.149 s) : 15149000, 15149000
. : milestone, 15149000,
section candidate
no_agent (15.784 s) : 15784000, 15784000
. : milestone, 15784000,
appsec (14.939 s) : 14939000, 14939000
. : milestone, 14939000,
iast (18.689 s) : 18689000, 18689000
. : milestone, 18689000,
iast_GLOBAL (17.943 s) : 17943000, 17943000
. : milestone, 17943000,
profiling (15.402 s) : 15402000, 15402000
. : milestone, 15402000,
tracing (15.011 s) : 15011000, 15011000
. : milestone, 15011000,
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
What Does This Do
Change old bugged forSubstring implementation for a new one that uses the intersection method
Motivation
Fix
Error tainting object, it won't be tainted java.lang.IllegalArgumentException: found null range in [null] at com.datadog.iast.taint.TaintedObject.validateRanges(TaintedObject.java:78) at com.datadog.iast.taint.TaintedObject.<init>(TaintedObject.java:29) at com.datadog.iast.taint.TaintedObjects$TaintedObjectsImpl.taint(TaintedObjects.java:50) at com.datadog.iast.telemetry.taint.TaintedObjectsWithTelemetry.taint(TaintedObjectsWithTelemetry.java:41) at com.datadog.iast.propagation.StringModuleImpl.onStringSubSequence(StringModuleImpl.java:205) at datadog.trace.instrumentation.java.lang.StringCallSite.afterSubstring(StringCallSite.java:44) at (redacted: 13 frames) at javax.servlet.http.HttpServlet.service(HttpServlet.java:555) at javax.servlet.http.HttpServlet.service(HttpServlet.java:623) at (redacted: 40 frames) at java.base/java.lang.Thread.run(Thread.java:829)
Additional Notes
Contributor Checklist
type:
and (comp:
orinst:
) labels in addition to any usefull labelsclose
,fix
or any linking keywords when referencing an issue.Use
solves
instead, and assign the PR milestone to the issueJira ticket: APPSEC-55303