Update header injection exclusions (reduce false positives) #7821
Review comment on dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/HeaderInjectionModuleImpl.java:

Looks good. One thing about the switch.
Benchmarks

Startup / Load

Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics.

insecure-bank - request duration [CI 0.99]: candidate=1.42.0-SNAPSHOT~dd692ba060, baseline=1.42.0-SNAPSHOT~0cf47ed20e

| Variant | Baseline mean (µs) | Baseline CI (µs) | Candidate mean (µs) | Candidate CI (µs) |
|---|---|---|---|---|
| no_agent | 367.317 | [346, 389] | 368.799 | [349, 389] |
| iast | 485.343 | [464, 507] | 482.526 | [461, 504] |
| iast_FULL | 557.346 | [536, 579] | 558.997 | [538, 580] |
| iast_GLOBAL | 512.889 | [492, 534] | 514.68 | [494, 536] |
| iast_HARDCODED_SECRET_DISABLED | 486.863 | [465, 508] | 490.495 | [469, 512] |
| iast_INACTIVE | 445.275 | [424, 466] | 455.003 | [434, 476] |
| iast_TELEMETRY_OFF | 476.205 | [455, 498] | 475.098 | [454, 497] |
| tracing | 441.679 | [421, 463] | 440.041 | [419, 461] |

petclinic - request duration [CI 0.99]: candidate=1.42.0-SNAPSHOT~dd692ba060, baseline=1.42.0-SNAPSHOT~0cf47ed20e

| Variant | Baseline mean (ms) | Baseline CI (µs) | Candidate mean (ms) | Candidate CI (µs) |
|---|---|---|---|---|
| no_agent | 1.344 | [1324, 1363] | 1.337 | [1318, 1356] |
| appsec | 1.717 | [1692, 1742] | 1.747 | [1723, 1772] |
| appsec_no_iast | 1.701 | [1677, 1726] | 1.734 | [1709, 1758] |
| iast | 1.473 | [1450, 1495] | 1.475 | [1452, 1498] |
| profiling | 1.474 | [1451, 1496] | 1.477 | [1454, 1499] |
| tracing | 1.478 | [1453, 1502] | 1.473 | [1449, 1498] |

Dacapo

Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

tomcat - execution time [CI 0.99]: candidate=1.42.0-SNAPSHOT~dd692ba060, baseline=1.42.0-SNAPSHOT~0cf47ed20e

| Variant | Baseline mean (ms) | Baseline CI (µs) | Candidate mean (ms) | Candidate CI (µs) |
|---|---|---|---|---|
| no_agent | 1.474 | [1463, 1486] | 1.475 | [1463, 1486] |
| appsec | 2.332 | [2291, 2374] | 2.332 | [2291, 2374] |
| iast | 2.09 | [2038, 2142] | 2.087 | [2035, 2139] |
| iast_GLOBAL | 2.133 | [2080, 2186] | 2.13 | [2078, 2182] |
| profiling | 1.933 | [1892, 1973] | 1.947 | [1904, 1989] |
| tracing | 1.915 | [1876, 1954] | 1.92 | [1881, 1960] |

biojava - execution time [CI 0.99]: candidate=1.42.0-SNAPSHOT~dd692ba060, baseline=1.42.0-SNAPSHOT~0cf47ed20e

| Variant | Baseline mean (s) | Baseline CI (µs) | Candidate mean (s) | Candidate CI (µs) |
|---|---|---|---|---|
| no_agent | 15.462 | [15462000, 15462000] | 15.374 | [15374000, 15374000] |
| appsec | 15.186 | [15186000, 15186000] | 15.377 | [15377000, 15377000] |
| iast | 18.734 | [18734000, 18734000] | 19.137 | [19137000, 19137000] |
| iast_GLOBAL | 18.203 | [18203000, 18203000] | 18.08 | [18080000, 18080000] |
| profiling | 15.16 | [15160000, 15160000] | 15.229 | [15229000, 15229000] |
| tracing | 15.246 | [15246000, 15246000] | 15.168 | [15168000, 15168000] |
What Does This Do

Adds new exclusions for the header injection module:

- Transfer-Encoding / Content-Encoding: when sources come from Accept-Encoding
- Pragma: when sources come from Cache-Control
- Vary: when sources are coming only from http header names

Motivation

Some customers were reporting false positive issues due to frameworks adding these types of headers
Additional Notes

Contributor Checklist

- Add the type: and (comp: or inst:) labels in addition to any useful labels
- Do not use close, fix or any linking keywords when referencing an issue. Use solves instead, and assign the PR milestone to the issue

Jira ticket: APPSEC-52833
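The three exclusions described in the PR text, written out as a standalone policy check. This is an added illustration, not code from dd-trace-java or from HeaderInjectionModuleImpl: the `Origin` taxonomy, the `Source` record and the function names are assumptions made here, and "sources come from Accept-Encoding" / "Cache-Control" is interpreted as "every tainted range is the value of that request header". The idea it demonstrates is the defender's trade-off the PR is making: a framework that derives Content-Encoding from the client's Accept-Encoding, mirrors Cache-Control into Pragma, or builds Vary from request header names produces tainted response headers that cannot be controlled in a harmful way, so a sink that reports them only generates noise. Anything else that is tainted (for instance a redirect target built from a query parameter) is still reported.

```python
"""Exclusion policy for a header-injection sink (illustrative, not the project's code).

Assumed model: when the application sets a response header from a tainted value,
the sink receives the response header name and the list of Source records that
describe where each tainted range of the value came from.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Iterable, Optional


class Origin(Enum):
    """Where a tainted range originated (constructed taxonomy for this example)."""
    REQUEST_HEADER_VALUE = auto()     # value of an incoming request header
    REQUEST_HEADER_NAME = auto()      # name of an incoming request header
    REQUEST_PARAMETER_VALUE = auto()  # query / form parameter value
    REQUEST_PATH = auto()             # part of the request path


@dataclass(frozen=True)
class Source:
    origin: Origin
    name: Optional[str] = None  # header or parameter name the range came from, if any


def _norm(header: str) -> str:
    # Header names are case-insensitive (RFC 9110), so compare them normalised.
    return header.strip().lower()


def _all_from_header_value(sources: Iterable[Source], header_name: str) -> bool:
    """True when every source is the *value* of the named request header."""
    sources = list(sources)
    return bool(sources) and all(
        s.origin is Origin.REQUEST_HEADER_VALUE
        and s.name is not None
        and _norm(s.name) == _norm(header_name)
        for s in sources
    )


def is_excluded(response_header: str, sources: Iterable[Source]) -> bool:
    """Apply the exclusions from the PR description; True means 'do not report'."""
    sources = list(sources)
    name = _norm(response_header)
    if name in ("transfer-encoding", "content-encoding"):
        # Frameworks pick the response coding from the client's Accept-Encoding.
        return _all_from_header_value(sources, "Accept-Encoding")
    if name == "pragma":
        # Pragma is commonly mirrored from Cache-Control for HTTP/1.0 clients.
        return _all_from_header_value(sources, "Cache-Control")
    if name == "vary":
        # Vary lists request header *names*; a header name cannot carry a CRLF
        # into the response the way a header *value* could.
        return all(s.origin is Origin.REQUEST_HEADER_NAME for s in sources) and bool(sources)
    return False


def should_report(response_header: str, sources: Iterable[Source]) -> bool:
    """Report a header-injection finding only for tainted values no exclusion covers."""
    sources = list(sources)
    if not sources:
        return False  # untainted value: nothing to report
    return not is_excluded(response_header, sources)


if __name__ == "__main__":
    # Constructed scenarios: framework-derived headers versus user-controlled ones.
    scenarios = [
        ("Content-Encoding", [Source(Origin.REQUEST_HEADER_VALUE, "Accept-Encoding")]),
        ("Content-Encoding", [Source(Origin.REQUEST_PARAMETER_VALUE, "enc")]),
        ("Pragma", [Source(Origin.REQUEST_HEADER_VALUE, "Cache-Control")]),
        ("Vary", [Source(Origin.REQUEST_HEADER_NAME, "Accept"),
                  Source(Origin.REQUEST_HEADER_NAME, "User-Agent")]),
        ("Vary", [Source(Origin.REQUEST_HEADER_VALUE, "Accept")]),
        ("Location", [Source(Origin.REQUEST_PARAMETER_VALUE, "next")]),
    ]
    for header, srcs in scenarios:
        verdict = "REPORT" if should_report(header, srcs) else "excluded"
        print(f"{header:<17} {verdict:<9} sources={[ (s.origin.name, s.name) for s in srcs ]}")
```

Note that a mixed value (part of it copied from Accept-Encoding, part from a query parameter) is still reported, because the exclusion requires every tainted range to come from the excluded source; that is the behaviour a sink should keep, since it is the user-controlled range that matters.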