
Update header injection exclusions (reduce false positives) #7821

Merged


@manuel-alvarez-alvarez manuel-alvarez-alvarez commented Oct 22, 2024

What Does This Do

Adds new exclusions for the header inject module:

  • Transfer-Encoding/Content-Encoding: when sources come from Accept-Encoding
  • Pragma: when sources come from Cache-Control
  • Vary: when sources are coming only from http header names

Motivation

Some customers were reporting false positive issues due to frameworks adding these types of headers.

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-52833
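The three exclusions above, modelled as an added example that is not dd-trace-java's own code (the `SourceType`/`TaintSource` types and `is_excluded` are assumptions, as is requiring every tainted fragment to match an allowed origin): a Content-Encoding value derived from Accept-Encoding is suppressed, while one that also mixes in a request parameter is still reported.

```python
# Added example, not dd-trace-java's own code: a minimal model of the three
# header-injection exclusions the PR describes. Type and function names are
# assumptions; "every source must match" is the conservative reading assumed.
from dataclasses import dataclass
from enum import Enum, auto


class SourceType(Enum):
    REQUEST_HEADER_NAME = auto()   # tainted fragment is a request header *name*
    REQUEST_HEADER_VALUE = auto()  # tainted fragment is a request header *value*
    REQUEST_PARAMETER = auto()     # tainted fragment came from a query/body param


@dataclass(frozen=True)
class TaintSource:
    kind: SourceType
    name: str  # header or parameter name the tainted fragment came from


# Response header -> request headers whose values are a legitimate origin.
_ALLOWED_ORIGINS = {
    "transfer-encoding": {"accept-encoding"},
    "content-encoding": {"accept-encoding"},
    "pragma": {"cache-control"},
}


def is_excluded(header: str, sources: list[TaintSource]) -> bool:
    """True when a header-injection finding for `header` is a known false positive."""
    if not sources:
        return False
    name = header.lower()  # header names are case-insensitive
    if name == "vary":
        # Frameworks build Vary from the *names* of the request headers they read.
        return all(s.kind is SourceType.REQUEST_HEADER_NAME for s in sources)
    allowed = _ALLOWED_ORIGINS.get(name)
    if allowed is None:
        return False
    # Every tainted fragment must come from an allowed request header value; a
    # single stray source (e.g. a request parameter) keeps the finding reportable.
    return all(
        s.kind is SourceType.REQUEST_HEADER_VALUE and s.name.lower() in allowed
        for s in sources
    )
```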

@manuel-alvarez-alvarez manuel-alvarez-alvarez added type: bug comp: asm iast Application Security Management (IAST) labels Oct 22, 2024
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-improve-header-injection branch from e84d372 to 50016c6 Compare October 22, 2024 08:28
@manuel-alvarez-alvarez manuel-alvarez-alvarez marked this pull request as ready for review October 22, 2024 08:34
@manuel-alvarez-alvarez manuel-alvarez-alvarez requested a review from a team as a code owner October 22, 2024 08:34
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-improve-header-injection branch 2 times, most recently from fd21e36 to b42939e Compare October 22, 2024 08:48

@smola smola left a comment


Looks good. One thing about the switch.

@smola smola changed the title Update header injection exclusions Update header injection exclusions (reduce false positives) Oct 22, 2024

pr-commenter bot commented Oct 22, 2024

Benchmarks

Startup

Load

Parameters

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| baseline_or_candidate | baseline | candidate |
| end_time | 2024-10-24T07:31:49 | 2024-10-24T07:38:39 |
| git_branch | master | malvarez/iast-improve-header-injection |
| git_commit_date | 1729717305 | 1729754497 |
| git_commit_sha | 0cf47ed | dd692ba |
| release_version | 1.42.0-SNAPSHOT~0cf47ed20e | 1.42.0-SNAPSHOT~dd692ba060 |
| start_time | 2024-10-24T07:31:36 | 2024-10-24T07:38:26 |

Matching parameters:

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| application | insecure-bank | insecure-bank |
| ci_job_date | 1729755866 | 1729755866 |
| ci_job_id | 682465792 | 682465792 |
| ci_pipeline_id | 47307021 | 47307021 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics.

Request duration reports for insecure-bank
(Chart: insecure-bank - request duration [CI 0.99] : candidate=1.42.0-SNAPSHOT~dd692ba060, baseline=1.42.0-SNAPSHOT~0cf47ed20e; the same figures are tabulated below.)

Baseline results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 367.317 µs [346.072 µs, 388.563 µs] | - |
| iast | 485.343 µs [464.149 µs, 506.537 µs] | 118.025 µs (32.1%) |
| iast_FULL | 557.346 µs [536.015 µs, 578.678 µs] | 190.029 µs (51.7%) |
| iast_GLOBAL | 512.889 µs [491.616 µs, 534.161 µs] | 145.571 µs (39.6%) |
| iast_HARDCODED_SECRET_DISABLED | 486.863 µs [465.385 µs, 508.341 µs] | 119.546 µs (32.5%) |
| iast_INACTIVE | 445.275 µs [424.059 µs, 466.491 µs] | 77.957 µs (21.2%) |
| iast_TELEMETRY_OFF | 476.205 µs [454.509 µs, 497.9 µs] | 108.887 µs (29.6%) |
| tracing | 441.679 µs [420.796 µs, 462.562 µs] | 74.362 µs (20.2%) |

Candidate results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 368.799 µs [348.581 µs, 389.016 µs] | - |
| iast | 482.526 µs [461.141 µs, 503.911 µs] | 113.727 µs (30.8%) |
| iast_FULL | 558.997 µs [537.802 µs, 580.192 µs] | 190.198 µs (51.6%) |
| iast_GLOBAL | 514.68 µs [493.624 µs, 535.736 µs] | 145.881 µs (39.6%) |
| iast_HARDCODED_SECRET_DISABLED | 490.495 µs [468.669 µs, 512.322 µs] | 121.697 µs (33.0%) |
| iast_INACTIVE | 455.003 µs [434.055 µs, 475.952 µs] | 86.205 µs (23.4%) |
| iast_TELEMETRY_OFF | 475.098 µs [453.572 µs, 496.625 µs] | 106.3 µs (28.8%) |
| tracing | 440.041 µs [419.05 µs, 461.032 µs] | 71.242 µs (19.3%) |
Request duration reports for petclinic
(Chart: petclinic - request duration [CI 0.99] : candidate=1.42.0-SNAPSHOT~dd692ba060, baseline=1.42.0-SNAPSHOT~0cf47ed20e; the same figures are tabulated below.)

Baseline results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 1.344 ms [1.324 ms, 1.363 ms] | - |
| appsec | 1.717 ms [1.692 ms, 1.742 ms] | 373.476 µs (27.8%) |
| appsec_no_iast | 1.701 ms [1.677 ms, 1.726 ms] | 357.686 µs (26.6%) |
| iast | 1.473 ms [1.45 ms, 1.495 ms] | 129.043 µs (9.6%) |
| profiling | 1.474 ms [1.451 ms, 1.496 ms] | 130.011 µs (9.7%) |
| tracing | 1.478 ms [1.453 ms, 1.502 ms] | 134.09 µs (10.0%) |

Candidate results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 1.337 ms [1.318 ms, 1.356 ms] | - |
| appsec | 1.747 ms [1.723 ms, 1.772 ms] | 410.331 µs (30.7%) |
| appsec_no_iast | 1.734 ms [1.709 ms, 1.758 ms] | 396.637 µs (29.7%) |
| iast | 1.475 ms [1.452 ms, 1.498 ms] | 138.013 µs (10.3%) |
| profiling | 1.477 ms [1.454 ms, 1.499 ms] | 139.873 µs (10.5%) |
| tracing | 1.473 ms [1.449 ms, 1.498 ms] | 136.273 µs (10.2%) |

Dacapo

Parameters

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| baseline_or_candidate | baseline | candidate |
| git_branch | master | malvarez/iast-improve-header-injection |
| git_commit_date | 1729717305 | 1729754497 |
| git_commit_sha | 0cf47ed | dd692ba |
| release_version | 1.42.0-SNAPSHOT~0cf47ed20e | 1.42.0-SNAPSHOT~dd692ba060 |

Matching parameters:

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| application | biojava | biojava |
| ci_job_date | 1729756547 | 1729756547 |
| ci_job_id | 682465793 | 682465793 |
| ci_pipeline_id | 47307021 | 47307021 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | appsec | appsec |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for tomcat
(Chart: tomcat - execution time [CI 0.99] : candidate=1.42.0-SNAPSHOT~dd692ba060, baseline=1.42.0-SNAPSHOT~0cf47ed20e; the same figures are tabulated below.)

Baseline results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 1.474 ms [1.463 ms, 1.486 ms] | - |
| appsec | 2.332 ms [2.291 ms, 2.374 ms] | 858.214 µs (58.2%) |
| iast | 2.09 ms [2.038 ms, 2.142 ms] | 615.919 µs (41.8%) |
| iast_GLOBAL | 2.133 ms [2.08 ms, 2.186 ms] | 658.852 µs (44.7%) |
| profiling | 1.933 ms [1.892 ms, 1.973 ms] | 458.481 µs (31.1%) |
| tracing | 1.915 ms [1.876 ms, 1.954 ms] | 441.063 µs (29.9%) |

Candidate results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 1.475 ms [1.463 ms, 1.486 ms] | - |
| appsec | 2.332 ms [2.291 ms, 2.374 ms] | 857.688 µs (58.2%) |
| iast | 2.087 ms [2.035 ms, 2.139 ms] | 612.268 µs (41.5%) |
| iast_GLOBAL | 2.13 ms [2.078 ms, 2.182 ms] | 655.063 µs (44.4%) |
| profiling | 1.947 ms [1.904 ms, 1.989 ms] | 471.9 µs (32.0%) |
| tracing | 1.92 ms [1.881 ms, 1.96 ms] | 445.704 µs (30.2%) |
Execution time for biojava
(Chart: biojava - execution time [CI 0.99] : candidate=1.42.0-SNAPSHOT~dd692ba060, baseline=1.42.0-SNAPSHOT~0cf47ed20e; the same figures are tabulated below.)

Baseline results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 15.462 s [15.462 s, 15.462 s] | - |
| appsec | 15.186 s [15.186 s, 15.186 s] | -276.0 ms (-1.8%) |
| iast | 18.734 s [18.734 s, 18.734 s] | 3.272 s (21.2%) |
| iast_GLOBAL | 18.203 s [18.203 s, 18.203 s] | 2.741 s (17.7%) |
| profiling | 15.16 s [15.16 s, 15.16 s] | -302.0 ms (-2.0%) |
| tracing | 15.246 s [15.246 s, 15.246 s] | -216.0 ms (-1.4%) |

Candidate results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 15.374 s [15.374 s, 15.374 s] | - |
| appsec | 15.377 s [15.377 s, 15.377 s] | 3.0 ms (0.0%) |
| iast | 19.137 s [19.137 s, 19.137 s] | 3.763 s (24.5%) |
| iast_GLOBAL | 18.08 s [18.08 s, 18.08 s] | 2.706 s (17.6%) |
| profiling | 15.229 s [15.229 s, 15.229 s] | -145.0 ms (-0.9%) |
| tracing | 15.168 s [15.168 s, 15.168 s] | -206.0 ms (-1.3%) |

@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-improve-header-injection branch from b42939e to 6363a08 Compare October 22, 2024 09:03
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-improve-header-injection branch from 6363a08 to af38f08 Compare October 23, 2024 11:08
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/iast-improve-header-injection branch from af38f08 to dd692ba Compare October 24, 2024 07:21
@manuel-alvarez-alvarez manuel-alvarez-alvarez merged commit 6a54cc2 into master Oct 24, 2024
102 of 103 checks passed
@manuel-alvarez-alvarez manuel-alvarez-alvarez deleted the malvarez/iast-improve-header-injection branch October 24, 2024 08:50
@github-actions github-actions bot added this to the 1.42.0 milestone Oct 24, 2024