Improve header injection redaction #6577
Merged: jandro996 merged 7 commits into master from alejandro.gonzalez/improve_header_injection_redaction on Jan 31, 2024
Benchmarks
Startup: Found 0 performance improvements and 0 performance regressions! Performance is the same for 45 metrics, 9 unstable metrics.
[Startup time reports for petclinic, candidate=1.29.0-SNAPSHOT~62ac3565b1, baseline=1.29.0-SNAPSHOT~281e492170: charts "petclinic - global startup overhead" and "petclinic - break down per module", sections tracing, appsec, iast, profiling]
Load: Found 0 performance improvements and 0 performance regressions! Performance is the same for 10 metrics, 16 unstable metrics.
[Request duration reports [CI 0.99] for petclinic and insecure-bank, same candidate and baseline: per-configuration timings for baseline and candidate]
jandro996 force-pushed the alejandro.gonzalez/improve_header_injection_redaction branch from 64c6f59 to 35de295 on January 29, 2024 12:58
smola reviewed Jan 29, 2024: two comments on dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sensitive/HeaderRegexpTokenizer.java (outdated, resolved)
manuel-alvarez-alvarez approved these changes Jan 31, 2024
smola approved these changes Jan 31, 2024
jandro996 deleted the alejandro.gonzalez/improve_header_injection_redaction branch January 31, 2024 12:29
What Does This Do
Headers could store sensitive information; we should redact the whole <header_value> if:
We should redact the sensitive information from the evidence when the tainted range is considered a sensitive value.
Motivation
Additional Notes
Jira ticket: [PROJ-IDENT]
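The whole-value redaction described in the PR summary above, as an added Java illustration that is not part of this PR or of dd-trace-java: it models the evidence as "Name: value" text with tainted ranges and contrasts masking only the tainted characters with masking the entire header value. The `TaintedRange` record, the `****` mask and the sensitive-header-name regexp are assumptions, not the agent's own definitions.

```java
import java.util.List;
import java.util.function.Predicate;
import java.util.regex.Pattern;

// Added illustration, not code from dd-trace-java. Evidence is modelled as the text
// "Name: value" plus tainted ranges [start, start+length) over that text.
public final class HeaderEvidenceRedactor {
    /** Simplified stand-in for a tainted range over the evidence text (assumption). */
    public record TaintedRange(int start, int length) {}

    private static final String MASK = "****"; // placeholder marker, not the agent's own

    /** Assumption: a header is sensitive when its name matches this hypothetical list. */
    public static final Predicate<String> SENSITIVE_NAME =
        Pattern.compile("(?i)^(authorization|cookie|set-cookie|x-api-key)$").asMatchPredicate();

    /** Narrow redaction: mask only the tainted characters; the rest of the value stays visible. */
    public static String redactTaintedOnly(String evidence, List<TaintedRange> ranges) {
        StringBuilder sb = new StringBuilder(evidence);
        // Replace from the last range backwards so earlier offsets stay valid.
        ranges.stream()
            .sorted((a, b) -> Integer.compare(b.start(), a.start()))
            .forEach(r -> sb.replace(r.start(), r.start() + r.length(), MASK));
        return sb.toString();
    }

    /** Whole-value redaction: when a tainted range falls inside a sensitive header's value,
     *  mask the entire value so no fragment of the secret survives in the evidence. */
    public static String redactWholeValue(String evidence, List<TaintedRange> ranges,
                                          Predicate<String> sensitive) {
        int colon = evidence.indexOf(':');
        if (colon < 0) return redactTaintedOnly(evidence, ranges);
        String name = evidence.substring(0, colon).trim();
        int valueStart = colon + 1;
        while (valueStart < evidence.length() && evidence.charAt(valueStart) == ' ') valueStart++;
        final int vs = valueStart;
        boolean valueTainted = ranges.stream().anyMatch(r -> r.start() + r.length() > vs);
        if (valueTainted && sensitive.test(name)) {
            return evidence.substring(0, vs) + MASK;
        }
        return redactTaintedOnly(evidence, ranges);
    }

    public static void main(String[] args) {
        // Constructed sample: only the token part of the value comes from a tainted source.
        String evidence = "Authorization: Bearer secret-token-123";
        List<TaintedRange> ranges = List.of(new TaintedRange(22, 16));
        System.out.println(redactTaintedOnly(evidence, ranges));
        System.out.println(redactWholeValue(evidence, ranges, SENSITIVE_NAME));
    }
}
```

With the narrow strategy the static "Bearer " prefix of the sample still leaks into the evidence; the whole-value strategy masks everything after the header name.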