Limit the visiting of objects for Trust Boundary Violation #7847
Force-pushed from 824f49e to d394f9f
Benchmarks
Startup
Parameters: see matching parameters
Summary: Found 1 performance improvements and 0 performance regressions! Performance is the same for 52 metrics, 10 unstable metrics.
Startup time reports for insecure-bank
gantt
title insecure-bank - global startup overhead: candidate=1.42.0-SNAPSHOT~b3d6675e1f, baseline=1.42.0-SNAPSHOT~104a441d0a
dateFormat X
axisFormat %s
section tracing
Agent [baseline] (1.076 s) : 0, 1076038
Total [baseline] (8.547 s) : 0, 8547433
Agent [candidate] (1.08 s) : 0, 1079824
Total [candidate] (8.54 s) : 0, 8539545
section iast
Agent [baseline] (1.204 s) : 0, 1203658
Total [baseline] (9.131 s) : 0, 9131377
Agent [candidate] (1.203 s) : 0, 1202956
Total [candidate] (9.08 s) : 0, 9079773
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.213 s) : 0, 1212731
Total [baseline] (9.08 s) : 0, 9080436
Agent [candidate] (1.228 s) : 0, 1227808
Total [candidate] (9.084 s) : 0, 9083686
section iast_TELEMETRY_OFF
Agent [baseline] (1.21 s) : 0, 1209504
Total [baseline] (9.125 s) : 0, 9124884
Agent [candidate] (1.204 s) : 0, 1204135
Total [candidate] (9.128 s) : 0, 9127902
gantt
title insecure-bank - break down per module: candidate=1.42.0-SNAPSHOT~b3d6675e1f, baseline=1.42.0-SNAPSHOT~104a441d0a
dateFormat X
axisFormat %s
section tracing
BytebuddyAgent [baseline] (685.315 ms) : 0, 685315
BytebuddyAgent [candidate] (686.116 ms) : 0, 686116
GlobalTracer [baseline] (313.998 ms) : 0, 313998
GlobalTracer [candidate] (314.253 ms) : 0, 314253
AppSec [baseline] (54.1 ms) : 0, 54100
AppSec [candidate] (53.959 ms) : 0, 53959
Remote Config [baseline] (664.689 µs) : 0, 665
Remote Config [candidate] (659.491 µs) : 0, 659
Telemetry [baseline] (8.36 ms) : 0, 8360
Telemetry [candidate] (11.175 ms) : 0, 11175
section iast
BytebuddyAgent [baseline] (802.061 ms) : 0, 802061
BytebuddyAgent [candidate] (800.849 ms) : 0, 800849
GlobalTracer [baseline] (302.354 ms) : 0, 302354
GlobalTracer [candidate] (302.721 ms) : 0, 302721
AppSec [baseline] (57.559 ms) : 0, 57559
AppSec [candidate] (56.491 ms) : 0, 56491
Remote Config [baseline] (615.935 µs) : 0, 616
Remote Config [candidate] (601.839 µs) : 0, 602
Telemetry [baseline] (7.46 ms) : 0, 7460
Telemetry [candidate] (7.405 ms) : 0, 7405
IAST [baseline] (19.974 ms) : 0, 19974
IAST [candidate] (21.266 ms) : 0, 21266
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (809.687 ms) : 0, 809687
BytebuddyAgent [candidate] (818.374 ms) : 0, 818374
GlobalTracer [baseline] (303.956 ms) : 0, 303956
GlobalTracer [candidate] (308.583 ms) : 0, 308583
AppSec [baseline] (56.634 ms) : 0, 56634
AppSec [candidate] (57.168 ms) : 0, 57168
Remote Config [baseline] (616.615 µs) : 0, 617
Remote Config [candidate] (624.335 µs) : 0, 624
Telemetry [baseline] (7.378 ms) : 0, 7378
Telemetry [candidate] (7.495 ms) : 0, 7495
IAST [baseline] (20.693 ms) : 0, 20693
IAST [candidate] (21.64 ms) : 0, 21640
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (805.019 ms) : 0, 805019
BytebuddyAgent [candidate] (800.704 ms) : 0, 800704
GlobalTracer [baseline] (305.368 ms) : 0, 305368
GlobalTracer [candidate] (303.549 ms) : 0, 303549
AppSec [baseline] (56.296 ms) : 0, 56296
AppSec [candidate] (57.145 ms) : 0, 57145
Remote Config [baseline] (604.054 µs) : 0, 604
Remote Config [candidate] (606.118 µs) : 0, 606
Telemetry [baseline] (7.299 ms) : 0, 7299
Telemetry [candidate] (7.386 ms) : 0, 7386
IAST [baseline] (21.181 ms) : 0, 21181
IAST [candidate] (21.03 ms) : 0, 21030
Startup time reports for petclinic
gantt
title petclinic - global startup overhead: candidate=1.42.0-SNAPSHOT~b3d6675e1f, baseline=1.42.0-SNAPSHOT~104a441d0a
dateFormat X
axisFormat %s
section tracing
Agent [baseline] (1.076 s) : 0, 1076334
Total [baseline] (10.511 s) : 0, 10510909
Agent [candidate] (1.081 s) : 0, 1081408
Total [candidate] (10.422 s) : 0, 10422448
section appsec
Agent [baseline] (1.211 s) : 0, 1210583
Total [baseline] (10.611 s) : 0, 10611421
Agent [candidate] (1.215 s) : 0, 1215334
Total [candidate] (10.707 s) : 0, 10707055
section iast
Agent [baseline] (1.229 s) : 0, 1228686
Total [baseline] (11.012 s) : 0, 11011766
Agent [candidate] (1.204 s) : 0, 1204419
Total [candidate] (10.882 s) : 0, 10882472
section profiling
Agent [baseline] (1.285 s) : 0, 1284616
Total [baseline] (10.808 s) : 0, 10807772
Agent [candidate] (1.272 s) : 0, 1271866
Total [candidate] (10.629 s) : 0, 10629419
gantt
title petclinic - break down per module: candidate=1.42.0-SNAPSHOT~b3d6675e1f, baseline=1.42.0-SNAPSHOT~104a441d0a
dateFormat X
axisFormat %s
section tracing
BytebuddyAgent [baseline] (684.906 ms) : 0, 684906
BytebuddyAgent [candidate] (687.488 ms) : 0, 687488
GlobalTracer [baseline] (313.631 ms) : 0, 313631
GlobalTracer [candidate] (315.712 ms) : 0, 315712
AppSec [baseline] (53.802 ms) : 0, 53802
AppSec [candidate] (54.062 ms) : 0, 54062
Remote Config [baseline] (660.62 µs) : 0, 661
Remote Config [candidate] (664.417 µs) : 0, 664
Telemetry [baseline] (9.713 ms) : 0, 9713
Telemetry [candidate] (9.829 ms) : 0, 9829
section appsec
BytebuddyAgent [baseline] (701.851 ms) : 0, 701851
BytebuddyAgent [candidate] (705.161 ms) : 0, 705161
GlobalTracer [baseline] (311.65 ms) : 0, 311650
GlobalTracer [candidate] (312.387 ms) : 0, 312387
AppSec [baseline] (165.169 ms) : 0, 165169
AppSec [candidate] (165.826 ms) : 0, 165826
Remote Config [baseline] (641.824 µs) : 0, 642
Remote Config [candidate] (637.072 µs) : 0, 637
Telemetry [baseline] (8.411 ms) : 0, 8411
Telemetry [candidate] (8.051 ms) : 0, 8051
IAST [baseline] (18.546 ms) : 0, 18546
IAST [candidate] (19.282 ms) : 0, 19282
section iast
BytebuddyAgent [baseline] (819.906 ms) : 0, 819906
BytebuddyAgent [candidate] (802.537 ms) : 0, 802537
GlobalTracer [baseline] (307.596 ms) : 0, 307596
GlobalTracer [candidate] (302.814 ms) : 0, 302814
AppSec [baseline] (58.431 ms) : 0, 58431
AppSec [candidate] (57.022 ms) : 0, 57022
Remote Config [baseline] (632.619 µs) : 0, 633
Remote Config [candidate] (592.109 µs) : 0, 592
Telemetry [baseline] (7.608 ms) : 0, 7608
Telemetry [candidate] (7.377 ms) : 0, 7377
IAST [baseline] (20.576 ms) : 0, 20576
IAST [candidate] (20.407 ms) : 0, 20407
section profiling
BytebuddyAgent [baseline] (685.513 ms) : 0, 685513
BytebuddyAgent [candidate] (678.9 ms) : 0, 678900
GlobalTracer [baseline] (399.542 ms) : 0, 399542
GlobalTracer [candidate] (396.222 ms) : 0, 396222
AppSec [baseline] (54.689 ms) : 0, 54689
AppSec [candidate] (54.101 ms) : 0, 54101
Remote Config [baseline] (661.803 µs) : 0, 662
Remote Config [candidate] (659.561 µs) : 0, 660
Telemetry [baseline] (14.266 ms) : 0, 14266
Telemetry [candidate] (13.355 ms) : 0, 13355
ProfilingAgent [baseline] (90.826 ms) : 0, 90826
ProfilingAgent [candidate] (89.942 ms) : 0, 89942
Profiling [baseline] (90.85 ms) : 0, 90850
Profiling [candidate] (89.965 ms) : 0, 89965
Load
Parameters: see matching parameters
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 7 metrics, 21 unstable metrics.
Request duration reports for insecure-bank
gantt
title insecure-bank - request duration [CI 0.99] : candidate=1.42.0-SNAPSHOT~b3d6675e1f, baseline=1.42.0-SNAPSHOT~104a441d0a
dateFormat X
axisFormat %s
section baseline
no_agent (454.495 µs) : 426, 483
. : milestone, 454,
iast (580.933 µs) : 549, 613
. : milestone, 581,
iast_FULL (835.454 µs) : 803, 868
. : milestone, 835,
iast_GLOBAL (618.825 µs) : 587, 650
. : milestone, 619,
iast_HARDCODED_SECRET_DISABLED (590.598 µs) : 558, 623
. : milestone, 591,
iast_INACTIVE (542.273 µs) : 511, 573
. : milestone, 542,
iast_TELEMETRY_OFF (580.386 µs) : 548, 613
. : milestone, 580,
tracing (538.34 µs) : 509, 568
. : milestone, 538,
section candidate
no_agent (453.237 µs) : 425, 482
. : milestone, 453,
iast (591.982 µs) : 559, 625
. : milestone, 592,
iast_FULL (838.267 µs) : 805, 871
. : milestone, 838,
iast_GLOBAL (615.364 µs) : 582, 649
. : milestone, 615,
iast_HARDCODED_SECRET_DISABLED (584.413 µs) : 553, 616
. : milestone, 584,
iast_INACTIVE (544.98 µs) : 514, 576
. : milestone, 545,
iast_TELEMETRY_OFF (578.24 µs) : 545, 611
. : milestone, 578,
tracing (542.682 µs) : 511, 574
. : milestone, 543,
Request duration reports for petclinic
gantt
title petclinic - request duration [CI 0.99] : candidate=1.42.0-SNAPSHOT~b3d6675e1f, baseline=1.42.0-SNAPSHOT~104a441d0a
dateFormat X
axisFormat %s
section baseline
no_agent (1.734 ms) : 1708, 1759
. : milestone, 1734,
appsec (2.15 ms) : 2118, 2182
. : milestone, 2150,
appsec_no_iast (2.189 ms) : 2157, 2221
. : milestone, 2189,
iast (1.893 ms) : 1863, 1923
. : milestone, 1893,
profiling (1.916 ms) : 1882, 1949
. : milestone, 1916,
tracing (1.859 ms) : 1827, 1891
. : milestone, 1859,
section candidate
no_agent (1.714 ms) : 1688, 1740
. : milestone, 1714,
appsec (2.202 ms) : 2170, 2234
. : milestone, 2202,
appsec_no_iast (2.185 ms) : 2154, 2216
. : milestone, 2185,
iast (1.881 ms) : 1851, 1910
. : milestone, 1881,
profiling (1.934 ms) : 1900, 1968
. : milestone, 1934,
tracing (1.88 ms) : 1848, 1911
. : milestone, 1880,
Dacapo
Parameters: see matching parameters
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.
Execution time for biojava
gantt
title biojava - execution time [CI 0.99] : candidate=1.42.0-SNAPSHOT~b3d6675e1f, baseline=1.42.0-SNAPSHOT~104a441d0a
dateFormat X
axisFormat %s
section baseline
no_agent (20.649 s) : 20649000, 20649000
. : milestone, 20649000,
appsec (21.528 s) : 21528000, 21528000
. : milestone, 21528000,
iast (24.021 s) : 24021000, 24021000
. : milestone, 24021000,
iast_GLOBAL (25.513 s) : 25513000, 25513000
. : milestone, 25513000,
profiling (20.668 s) : 20668000, 20668000
. : milestone, 20668000,
tracing (20.949 s) : 20949000, 20949000
. : milestone, 20949000,
section candidate
no_agent (20.46 s) : 20460000, 20460000
. : milestone, 20460000,
appsec (20.777 s) : 20777000, 20777000
. : milestone, 20777000,
iast (24.788 s) : 24788000, 24788000
. : milestone, 24788000,
iast_GLOBAL (25.468 s) : 25468000, 25468000
. : milestone, 25468000,
profiling (21.84 s) : 21840000, 21840000
. : milestone, 21840000,
tracing (20.94 s) : 20940000, 20940000
. : milestone, 20940000,
Execution time for tomcat
gantt
title tomcat - execution time [CI 0.99] : candidate=1.42.0-SNAPSHOT~b3d6675e1f, baseline=1.42.0-SNAPSHOT~104a441d0a
dateFormat X
axisFormat %s
section baseline
no_agent (1.55 ms) : 1537, 1563
. : milestone, 1550,
appsec (2.865 ms) : 2794, 2936
. : milestone, 2865,
iast (2.516 ms) : 2427, 2605
. : milestone, 2516,
iast_GLOBAL (2.584 ms) : 2493, 2675
. : milestone, 2584,
profiling (2.332 ms) : 2256, 2407
. : milestone, 2332,
tracing (2.315 ms) : 2244, 2387
. : milestone, 2315,
section candidate
no_agent (1.545 ms) : 1532, 1558
. : milestone, 1545,
appsec (2.894 ms) : 2822, 2967
. : milestone, 2894,
iast (2.523 ms) : 2433, 2612
. : milestone, 2523,
iast_GLOBAL (2.577 ms) : 2487, 2667
. : milestone, 2577,
profiling (2.351 ms) : 2275, 2427
. : milestone, 2351,
tracing (2.311 ms) : 2239, 2382
. : milestone, 2311,
Force-pushed from d394f9f to 0ce3551
Nice!
What Does This Do
Limits the types that can be visited by IAST in the context of Trust Boundary Violation to just JDK types.
Motivation
Since any arbitrary object can be added to the session, we have to be extra careful in order not to trigger unwanted state modifications (e.g. loading of lazy objects coming from ORMs).
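The following is an added illustration of the restriction described above; it is not code from this PR or from dd-trace-java. It assumes a session modelled as a plain Map, an illustrative package-prefix test for "JDK type", and a constructed LazyAccountEntity standing in for an ORM entity whose methods would trigger a lazy load. The walker inspects strings reachable through JDK containers and records, without touching, any value whose class is not a JDK type.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.IdentityHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Illustrative session-value walker: descends only into JDK types and never calls a
 * method on an application object, so lazily loaded entities are left untouched.
 */
public final class SessionValueVisitor {

  /** Strings that were inspected and the non-JDK class names that were skipped. */
  public static final class Report {
    public final List<String> inspected = new ArrayList<>();
    public final List<String> skippedTypes = new ArrayList<>();
  }

  private static final int MAX_DEPTH = 8; // assumed bound for the demo, not a project setting

  // Identity set: avoids calling hashCode()/equals() on the visited objects.
  private final Set<Object> seen = Collections.newSetFromMap(new IdentityHashMap<>());
  private final Report report = new Report();

  public static Report visit(final Map<String, Object> session) {
    final SessionValueVisitor v = new SessionValueVisitor();
    for (final Map.Entry<String, Object> e : session.entrySet()) {
      v.walk(e.getValue(), 0);
    }
    return v.report;
  }

  /** Assumed definition of "JDK type": primitives plus the java.*, javax.* and jdk.* packages. */
  static boolean isJdkType(final Class<?> clazz) {
    if (clazz.isPrimitive()) {
      return true;
    }
    if (clazz.isArray()) {
      return isJdkType(clazz.getComponentType());
    }
    final String name = clazz.getName();
    return name.startsWith("java.") || name.startsWith("javax.") || name.startsWith("jdk.");
  }

  private void walk(final Object value, final int depth) {
    if (value == null || depth > MAX_DEPTH || !seen.add(value)) {
      return;
    }
    final Class<?> clazz = value.getClass();
    if (!isJdkType(clazz)) {
      // Record and stop: invoking anything on an ORM proxy here could hit the database.
      report.skippedTypes.add(clazz.getName());
      return;
    }
    if (value instanceof CharSequence) {
      report.inspected.add(value.toString()); // where a taint check would run
    } else if (value instanceof Map) {
      for (final Map.Entry<?, ?> e : ((Map<?, ?>) value).entrySet()) {
        walk(e.getKey(), depth + 1);
        walk(e.getValue(), depth + 1);
      }
    } else if (value instanceof Collection) {
      for (final Object o : (Collection<?>) value) {
        walk(o, depth + 1);
      }
    } else if (value instanceof Object[]) {
      for (final Object o : (Object[]) value) {
        walk(o, depth + 1);
      }
    }
    // Other JDK values (Integer, UUID, ...) carry no nested user data to descend into.
  }

  /** Constructed stand-in for an ORM entity: any getter would trigger a lazy load. */
  static final class LazyAccountEntity {
    String loadBalance() {
      throw new IllegalStateException("lazy load attempted");
    }
  }

  public static void main(final String[] args) {
    final Map<String, Object> session = new HashMap<>(); // constructed sample session
    session.put("username", "alice");
    session.put("roles", List.of("user", "admin"));
    session.put("account", new LazyAccountEntity());
    final Report r = visit(session);
    System.out.println("inspected: " + r.inspected);
    System.out.println("skipped: " + r.skippedTypes);
  }
}
```

Running main prints the three strings as inspected and the single LazyAccountEntity class name as skipped; loadBalance() is never invoked, which is the whole point of stopping at the type check rather than reflecting into application objects.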
Additional Notes
Contributor Checklist
- Assign the `type:` and (`comp:` or `inst:`) labels in addition to any useful labels
- Don't use `close`, `fix` or any linking keywords when referencing an issue. Use `solves` instead, and assign the PR milestone to the issue
- Jira ticket: [PROJ-IDENT]