IAST: support Spring Webflux #4942
.../trace/instrumentation/springwebflux/server/iast/TaintHttpHeadersToSingleValueMapAdvice.java
for (Map.Entry<String, List<String>> e : | ||
((MultiValueMap<String, String>) values).entrySet()) { | ||
String lc = e.getKey().toLowerCase(Locale.ENGLISH); | ||
module.onHeaderName(lc); |
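Review bot: tainting lc on the last line of this hunk does not reach the application, because toLowerCase returns a new String instance while taint is tracked per object reference, so the key the app actually reads from the map is never marked; pass e.getKey() to module.onHeaderName and, if the module needs a lowercased form, normalize case inside it without tainting the copy.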
We taint by reference, so the local variable lc might defeat the purpose of the tainted map; we should only taint the original string instances.
In any case, I think a wrapped Map/MultiValueMap instance that taints on demand is more suitable here (for example, the keys from the dictionary are rarely used by the app, as they are often hard-coded constants). Maybe we can come back to it for the next iteration?
Yes, the tainting of the transformed key makes no sense; I've fixed it.
re: the second point, this advice is precisely for when the user injects a full map (or multimap) of headers, so I think it makes sense to taint it all. If he was interested in only one or two headers, he'd likely inject only those specific ones into string variables.
@@ -96,6 +96,19 @@ public void taint(final byte origin, @Nullable final Object... toTaintArray) { | |||
} | |||
} | |||
|
|||
@Override | |||
public boolean isTainted(@Nullable Object obj) { | |||
final TaintedObjects taintedObjects = getTaintedObjects(); |
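Review bot: obj is declared @Nullable, yet the body goes straight to getTaintedObjects(); add an early `if (obj == null) return false;` before that call so a null argument neither pays for the context lookup nor reaches the registry code, and consider putting the instanceof Taintable fast path at the same spot for the same reason.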
The interface Taintable can be used for non-bootclasspath classes (where we can add fields) and it also marks an object as tainted (maybe we should deal with this abstraction inside the TaintedObjects?)
The current version now checks first if the object is taintable:
@Override
public boolean isTainted(@Nullable Object obj) {
if (obj instanceof Taintable) {
return ((Taintable) obj).$DD$isTainted();
}
// ...
}
I think doing it in TaintedObjects is too late; by then we've already fetched the context and traversed a few pointers, which is not needed.
This is done in https://github.com/DataDog/dd-trace-java/pull/4996/files
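An added illustration (hypothetical, not dd-trace-java's code) of the two points raised in this thread: taint is tracked per object reference, so a lowercased copy of a header name is a distinct, untainted instance, and an object implementing Taintable is answered before any registry lookup. The Taintable interface, the taint/isTainted helpers and the sample header name are assumptions.

```java
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Locale;
import java.util.Set;

// Hypothetical, simplified model of reference-based taint tracking (not dd-trace-java code).
public class TaintByReferenceDemo {
  // Classes outside the bootclasspath can carry their own taint flag (hypothetical interface).
  interface Taintable {
    boolean isTainted();
  }

  // Registry for objects we cannot add fields to (e.g. java.lang.String): keyed by identity,
  // so two equal strings are two separate entries.
  static final Set<Object> TAINTED = Collections.newSetFromMap(new IdentityHashMap<>());

  static void taint(Object o) { if (o != null) TAINTED.add(o); }

  static boolean isTainted(Object o) {
    if (o == null) {
      return false;
    }
    // Fast path: the object knows its own status, no registry or context lookup needed.
    if (o instanceof Taintable) {
      return ((Taintable) o).isTainted();
    }
    return TAINTED.contains(o); // identity comparison, not equals()
  }

  static final class TaintedValue implements Taintable { public boolean isTainted() { return true; } }

  public static void main(String[] args) {
    // Constructed sample header name; the application reads this instance from the map.
    String headerName = new String("X-Forwarded-Host");
    taint(headerName);

    // toLowerCase builds a new String whenever a character changes, so the copy is a
    // different reference and is looked up separately in the identity-keyed registry.
    String lc = headerName.toLowerCase(Locale.ENGLISH);
    System.out.println("original tainted: " + isTainted(headerName));
    System.out.println("lowercase copy tainted: " + isTainted(lc));
    System.out.println("equal but distinct instance tainted: "
        + isTainted(new String("X-Forwarded-Host")));

    // Taintable objects are answered without touching the registry.
    System.out.println("Taintable fast path: " + isTainted(new TaintedValue()));
  }
}
```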
@SuppressWarnings("Duplicates") | ||
@Advice.OnMethodExit(suppress = Throwable.class) | ||
public static void after( | ||
@Advice.Argument(2) ServerWebExchange xchg, @ActiveRequestContext RequestContext reqCtx) { |
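Review bot: with suppress = Throwable.class on the exit advice, a NullPointerException on xchg or reqCtx inside after() is swallowed silently and the advice simply stops doing its work; add an explicit `if (xchg == null || reqCtx == null) return;` at the top of after() so the null case is handled deliberately rather than through exception suppression.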
Can xchg possibly be null? If there's the slightest chance of it, I will check it first and do early return. But I guess it would not be the case for onExit...