Expand SSRF support in IAST to java.net.http.HttpClient #7877
Benchmarks (candidate=1.42.0-SNAPSHOT~b92685dc0b, baseline=1.43.0-SNAPSHOT~318e5c8bcf; figures below are baseline → candidate)

Startup
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 55 metrics, 8 unstable metrics.
petclinic, global startup overhead (Agent / Total):
- tracing: 1.09 s / 10.416 s → 1.084 s / 10.486 s
- appsec: 1.224 s / 10.803 s → 1.217 s / 10.715 s
- iast: 1.223 s / 10.987 s → 1.21 s / 11.043 s
- profiling: 1.293 s / 10.831 s → 1.28 s / 10.78 s
petclinic, IAST module start time (from the per-module breakdown): appsec 19.417 ms → 20.068 ms; iast 23.39 ms → 21.126 ms
insecure-bank, global startup overhead (Agent / Total):
- tracing: 1.087 s / 8.625 s → 1.081 s / 8.604 s
- iast: 1.209 s / 9.151 s → 1.211 s / 9.19 s
- iast_HARDCODED_SECRET_DISABLED: 1.215 s / 9.18 s → 1.217 s / 9.184 s
- iast_TELEMETRY_OFF: 1.208 s / 9.168 s → 1.207 s / 9.148 s
insecure-bank, IAST module start time (from the per-module breakdown): iast 21.979 ms → 20.59 ms; iast_HARDCODED_SECRET_DISABLED 21.582 ms → 21.496 ms; iast_TELEMETRY_OFF 20.222 ms → 20.361 ms

Load
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics.
petclinic, request duration [CI 0.99] (ms):
- no_agent 1.363 → 1.333; appsec 1.734 → 1.716; appsec_no_iast 1.729 → 1.723; iast 1.49 → 1.482; profiling 1.496 → 1.515; tracing 1.481 → 1.479
insecure-bank, request duration [CI 0.99] (µs):
- no_agent 373.54 → 372.764; iast 492.671 → 491.304; iast_FULL 648.661 → 651.095; iast_GLOBAL 520.965 → 518.041; iast_HARDCODED_SECRET_DISABLED 487.687 → 492.706; iast_INACTIVE 455.429 → 453.182; iast_TELEMETRY_OFF 476.582 → 472.591; tracing 448.183 → 452.54

Dacapo
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.
biojava, execution time [CI 0.99] (s):
- no_agent 15.388 → 15.075; appsec 15.021 → 15.251; iast 18.411 → 19.122; iast_GLOBAL 17.872 → 18.223; profiling 15.291 → 15.316; tracing 15.146 → 15.215
tomcat, execution time [CI 0.99] (ms):
- no_agent 1.465 → 1.46; appsec 2.326 → 2.323; iast 2.073 → 2.08; iast_GLOBAL 2.119 → 2.103; profiling 1.923 → 1.949; tracing 1.91 → 1.914
Review comments (resolved) on:
- ...-tests/iast-util/src/testFixtures/groovy/datadog/smoketest/AbstractIastSpringBootTest.groovy
- ...l/iast-util-11/src/testFixtures/groovy/datadog/smoketest/AbstractIast11SpringBootTest.groovy

Reviewer: LGTM!

Further review comments (resolved) on:
- ...sts/springboot-java-11/src/main/java/datadog/smoketest/springboot/SpringbootApplication.java
- ...l/iast-util-11/src/testFixtures/groovy/datadog/smoketest/AbstractIast11SpringBootTest.groovy
What Does This Do
Add support for the java-net client library to detect SSRF. The vulnerability is detected through the HttpClientDecorator. The java.net.http.HttpClient methods that will be supported are:
- send(HttpRequest, HttpResponse.BodyHandler<T>)
- sendAsync(HttpRequest, HttpResponse.BodyHandler<T>)
- sendAsync(HttpRequest, HttpResponse.BodyHandler<T>, HttpResponse.PushPromiseHandler<T>)

Motivation
With this change we want to expand the support for SSRF in the different clients supported by the HttpClientDecorator.

Additional Notes
Apart from detecting the vulnerability, a new smoke test, which uses Java 11, has been created.
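To make concrete what the three instrumented methods look like from the application side, here is an added example; it is not code from this PR, from dd-trace-java, or from the new smoke test. It shows an SSRF-prone call where an untrusted URL reaches HttpClient.send directly, next to a hardened variant that validates the target before sendAsync is reached. The class name, the ALLOWED_HOSTS allowlist and the sample inputs are assumptions made for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.List;
import java.util.Set;
import java.util.concurrent.CompletableFuture;

// Added example (not code from the PR): the two shapes of an outbound call
// through java.net.http.HttpClient, one SSRF-prone and one validated first.
public class HttpClientSsrfExample {

    // Hypothetical allowlist of hosts this service may call; in a real
    // service the value would come from configuration, not a constant.
    private static final Set<String> ALLOWED_HOSTS = Set.of("api.example.com");

    // Redirects are disabled explicitly so that a validated host cannot bounce
    // the client to an unvalidated one (Redirect.NEVER is also the default).
    private static final HttpClient CLIENT = HttpClient.newBuilder()
            .followRedirects(HttpClient.Redirect.NEVER)
            .build();

    // SSRF-prone: the URI is built from untrusted input and handed straight to
    // send(HttpRequest, BodyHandler), one of the sinks this PR instruments.
    // With IAST active, a tainted URI reaching this call is what gets reported.
    static String fetchUnchecked(String untrustedUrl) throws Exception {
        HttpRequest request = HttpRequest.newBuilder(URI.create(untrustedUrl)).GET().build();
        HttpResponse<String> response = CLIENT.send(request, HttpResponse.BodyHandlers.ofString());
        return response.body();
    }

    // Hardened: reject anything that is not an absolute https URL to an
    // allowlisted host before a request object is even built.
    static URI validateTarget(String untrustedUrl) {
        URI uri;
        try {
            uri = new URI(untrustedUrl);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL", e);
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("scheme not allowed: " + uri.getScheme());
        }
        // "https://allowed-host@other-host/" parses with allowed-host as
        // userinfo and other-host as the real target, so userinfo is refused.
        if (uri.getUserInfo() != null) {
            throw new IllegalArgumentException("userinfo in URL is not allowed");
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            throw new IllegalArgumentException("host not allowed: " + host);
        }
        return uri;
    }

    // Same sink family, async variant: sendAsync(HttpRequest, BodyHandler).
    // Only a validated URI can reach it.
    static CompletableFuture<String> fetchChecked(String untrustedUrl) {
        HttpRequest request = HttpRequest.newBuilder(validateTarget(untrustedUrl)).GET().build();
        return CLIENT.sendAsync(request, HttpResponse.BodyHandlers.ofString())
                .thenApply(HttpResponse::body);
    }

    // Offline demo: only the validation step runs, no request is sent.
    public static void main(String[] args) {
        // Constructed sample inputs, as a request parameter might carry them.
        List<String> samples = List.of(
                "https://api.example.com/v1/users",
                "http://api.example.com/v1/users",
                "https://api.example.com@internal.example.test/",
                "https://internal.example.test/admin",
                "not a url at all");
        for (String sample : samples) {
            try {
                System.out.println("accepted: " + validateTarget(sample));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + sample + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running main prints one accepted line for the first sample and a rejected line for each of the other four (wrong scheme, userinfo present, host not allowlisted, malformed). The point for reviewers of the instrumentation is that both fetchUnchecked and fetchChecked hit the same HttpClientDecorator sink; what separates a true SSRF finding from noise is whether the URI that arrives there still carries taint from the request.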
Contributor Checklist
- Add type: and (comp: or inst:) labels in addition to any useful labels
- Avoid using close, fix or any linking keywords when referencing an issue. Use solves instead, and assign the PR milestone to the issue
Jira ticket: APPSEC-55633