Support SSRF in Apache HttpClient V4 #6112
Conversation
ae66378 to 0cc36ee
Benchmarks

Startup: Found 0 performance improvements and 0 performance regressions! Performance is the same for 49 metrics, 5 unstable metrics. Startup time charts (global startup overhead and break down per module) for petclinic and insecure-bank; candidate=1.27.0-SNAPSHOT~ff2b409800, baseline=1.27.0-SNAPSHOT~030073d069.

Load: Found 0 performance improvements and 0 performance regressions! Performance is the same for 9 metrics, 13 unstable metrics. Request duration charts [CI 0.99] for petclinic and insecure-bank; same candidate and baseline.
9f59593 to 7808112
Resolved (outdated) review threads on ...client-4/src/main/java/datadog/trace/instrumentation/apachehttpclient/IastHelperMethods.java and ...java/datadog/trace/instrumentation/apachehttpclient/IastApacheHttpClientInstrumentation.java
4f54b87 to c5a4757
c8bc4dd to 1a62cf3
…rumentation module
Resolved (outdated) review threads on dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/SsrfModuleImpl.java and .../src/main/java/datadog/trace/instrumentation/apachehttpcore/IastHttpHostInstrumentation.java
@@ -189,6 +189,8 @@ | |||
1 org.aopalliance.* | |||
1 org.antlr.* | |||
1 org.apache.* | |||
#apache httpClient needs URI propagation | |||
0 org.apache.http.client.methods.* |
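Review bot: the new comment line `#apache httpClient needs URI propagation` says why the entry exists but not why it is package-wide: `0 org.apache.http.client.methods.*` re-enables instrumentation for every class under that package, so a later reader cannot tell whether a few request classes or the whole package was meant. Suggest extending the comment to name the intent (the HTTP verb request classes whose URI creation needs propagation, as explained in the thread) and why they are not listed individually (the set differs between library versions), so the widening reads as deliberate.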
We are not instrumenting all of the classes in that package. My understanding is that the policy is to make explicit the classes that are instrumented:
0 org.apache.http.client.methods.HttpUriRequest
The change in the exclusion list is not necessary for HttpUriRequest; it aims to instrument the call to URI#create in all the HTTP verb classes, like:
- HttpTrace
- HttpPut
- HttpPost
- HttpOptions
- HttpHead
- HttpGet
- HttpDelete
This list changes between versions, so I decided to exclude the whole package.
Let me know if this is a valid approach or whether we need to invest in looking for each class in all versions.
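To make the trade-off discussed above concrete, here is an added Python model of the list format shown in the hunk; it is not dd-trace-java's own matcher and assumes flag 1 = do not instrument, flag 0 = instrument, a trailing `.*` covers every class under the package, and the longest matching pattern wins. It compares the PR's package-wide entry with the reviewer's explicit-class alternative on a constructed set of class names.

```python
# Added example, not dd-trace-java's own matcher: a toy model of the ignore
# list format in the hunk ("<flag> <pattern>", '#' comments). Assumed
# semantics: 1 = do not instrument, 0 = instrument, a trailing ".*" covers
# every class under the package, and the longest matching pattern wins.
SAMPLE_CLASSES = [  # constructed: two verb classes, the interface, an outsider
    "org.apache.http.client.methods.HttpGet",
    "org.apache.http.client.methods.HttpPost",
    "org.apache.http.client.methods.HttpUriRequest",
    "org.apache.http.impl.client.DefaultHttpClient",
]
# The PR's entry: re-enable the whole verb package under the org.apache.* ignore.
PACKAGE_WIDE = """1 org.apache.*
#apache httpClient needs URI propagation
0 org.apache.http.client.methods.*"""
# The reviewer's alternative: name one class explicitly.
EXPLICIT_CLASS = """1 org.apache.*
0 org.apache.http.client.methods.HttpUriRequest"""

def parse_ignore_list(text):
    """Return [(flag, pattern)] for non-empty, non-comment lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            flag, pattern = line.split(None, 1)
            rules.append((int(flag), pattern))
    return rules

def is_ignored(class_name, rules):
    """Longest matching pattern decides; an exact class name beats its package."""
    best = None  # (specificity, flag)
    for flag, pattern in rules:
        if pattern.endswith(".*"):
            prefix = pattern[:-1]  # keep the dot: "org.apache.http.client.methods."
            if not class_name.startswith(prefix):
                continue
            specificity = len(prefix)
        elif pattern == class_name:
            specificity = len(pattern) + 1  # exact match outranks any prefix
        else:
            continue
        if best is None or specificity > best[0]:
            best = (specificity, flag)
    return best is not None and best[1] == 1

def instrumented(text, class_names=SAMPLE_CLASSES):
    """Short names of the classes the agent would instrument under this list."""
    rules = parse_ignore_list(text)
    return [c.rsplit(".", 1)[1] for c in class_names if not is_ignored(c, rules)]
```

With the package-wide entry every verb class (and anything else later added to that package) is instrumented, while the explicit entry only reaches HttpUriRequest and leaves HttpGet and HttpPost ignored.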
What Does This Do

Add new IAST instrumentation for org.apache.http.client.HttpClient.

Motivation

Add SSRF support for Apache HttpClient V4.

Additional Notes

As org.apache.http.client.HttpClient is currently instrumented for tracing (ApacheHttpClientInstrumentation) implementing Instrumenter.CanShortcutTypeMatching, we will keep the same approach.

Jira ticket: APPSEC-11925