check literal length in listener and add tests

DataDog · Jan 12, 2024 · 3d05c93 · 3d05c93
1 parent 2fba634
commit 3d05c93
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 10 deletions.
diff --git a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/HardcodedSecretModuleImpl.java b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/HardcodedSecretModuleImpl.java
@@ -14,8 +14,6 @@
 
 public class HardcodedSecretModuleImpl extends SinkModuleBase implements HardcodedSecretModule {
 
-  private static final int MIN_SECRET_LENGTH = 12;
-
   public HardcodedSecretModuleImpl(final Dependencies dependencies) {
     super(dependencies);
   }
@@ -43,14 +41,12 @@ private void reportVulnerability(
   private Set<Secret> getSecrets(final Set<String> literals, final String clazz) {
     Set<Secret> secrets = null;
     for (String literal : literals) {
-      if (literal.length() >= MIN_SECRET_LENGTH) {
-        for (HardcodedSecretMatcher secretMatcher : HARDCODED_SECRET_MATCHERS) {
-          if (secretMatcher.matches(literal)) {
-            if (secrets == null) {
-              secrets = new HashSet<>();
-            }
-            secrets.add(new Secret(literal, secretMatcher.getRedactedEvidence()));
+      for (HardcodedSecretMatcher secretMatcher : HARDCODED_SECRET_MATCHERS) {
+        if (secretMatcher.matches(literal)) {
+          if (secrets == null) {
+            secrets = new HashSet<>();
           }
+          secrets.add(new Secret(literal, secretMatcher.getRedactedEvidence()));
         }
       }
     }

diff --git a/...main/java/datadog/trace/instrumentation/iastinstrumenter/IastHardcodedSecretListener.java b/...main/java/datadog/trace/instrumentation/iastinstrumenter/IastHardcodedSecretListener.java
@@ -11,6 +11,8 @@
 
 public class IastHardcodedSecretListener implements Advices.Listener {
 
+  private static final int MIN_SECRET_LENGTH = 10;
+
   public static final IastHardcodedSecretListener INSTANCE = new IastHardcodedSecretListener();
 
   @Override
@@ -25,7 +27,9 @@ public void onConstantPool(
         if (pool.getType(index) == ConstantPool.CONSTANT_STRING_TAG) {
           final int literalIndex = pool.readUnsignedShort(pool.getOffset(index));
           final String literal = pool.readUTF8(pool.getOffset(literalIndex));
-          literals.add(literal);
+          if (literal.length() >= MIN_SECRET_LENGTH) {
+            literals.add(literal);
+          }
         }
       }
       if (!literals.isEmpty()) {

diff --git a/.../instrumentation/iast-instrumenter/src/test/groovy/IastHardcodedSecretListenerTest.groovy b/.../instrumentation/iast-instrumenter/src/test/groovy/IastHardcodedSecretListenerTest.groovy
@@ -0,0 +1,54 @@
+import datadog.trace.agent.test.AgentTestRunner
+import datadog.trace.agent.tooling.bytebuddy.csi.ConstantPool
+import datadog.trace.api.iast.InstrumentationBridge
+import datadog.trace.api.iast.sink.HardcodedSecretModule
+import datadog.trace.instrumentation.iastinstrumenter.IastHardcodedSecretListener
+import net.bytebuddy.description.type.TypeDescription
+import org.apache.commons.io.IOUtils
+
+class IastHardcodedSecretListenerTest extends AgentTestRunner{
+
+
+  void 'test'(){
+    given:
+    final module = Mock(HardcodedSecretModule)
+    InstrumentationBridge.registerIastModule(module)
+    final classFile = readClassBytes(clazz)
+    final pool = new ConstantPool(classFile)
+    final type = Mock(TypeDescription)
+    final instance = IastHardcodedSecretListener.INSTANCE
+
+    when:
+    instance.onConstantPool(type, pool, classFile)
+
+    then:
+    expected * module.onStringLiteral(_, _, _)
+
+    where:
+    clazz | expected
+    HardcodedSecretTestClass | 1
+    HardcodedSecretTestClass2 | 0
+  }
+
+  byte [] readClassBytes(Class<?> clazz){
+    final String classResourceName = clazz.getName().replace('.', '/') + ".class"
+    try (InputStream is = clazz.getClassLoader().getResourceAsStream(classResourceName)) {
+      if(is == null) {
+        throw new IllegalStateException("Could not find class resource: " + classResourceName)
+      }
+      return IOUtils.toByteArray(is)
+    }
+  }
+
+  class HardcodedSecretTestClass {
+
+    public static final String FOO = "foo"
+    public static final String LITERAL_LONGER_THAN_10_CHARS = "12345678901"
+  }
+
+  class HardcodedSecretTestClass2 {
+
+    public static final String FOO = "foo"
+  }
+}
+