
Improve header injection redaction #6577

Merged

Conversation

jandro996 (Member) commented Jan 29, 2024

What Does This Do

Headers could store sensitive information; we should redact the whole <header_value> if:

  • <header_name> matches the configured sensitive name pattern
  • <header_value> matches the configured sensitive value pattern

We should redact the sensitive information from the evidence when the tainted range is considered a sensitive value.

Motivation

Additional Notes

Jira ticket: [PROJ-IDENT]
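The three rules in the description, worked through as an added example that is not dd-trace-java's own code. The sensitive name and value patterns, the `[REDACTED]` marker, and the `Range` model carrying the source name and source value a tainted slice came from are assumptions made for this illustration; the real agent reads its patterns from configuration and has its own evidence model.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example (not dd-trace-java code): applies the redaction rules from the PR
 * description to a header-injection evidence line rendered as "<header_name>: <header_value>".
 */
public class HeaderEvidenceRedaction {

    /** Marker written in place of redacted text (assumed for this example). */
    static final String REDACTED = "[REDACTED]";

    // Example patterns only; the agent's configured patterns may differ.
    static final Pattern SENSITIVE_NAME = Pattern.compile(
            "(?i)^(authorization|proxy-authorization|cookie|set-cookie|x-api-key"
            + "|.*(token|secret|password|passwd|pwd).*)$");
    static final Pattern SENSITIVE_VALUE = Pattern.compile(
            "(?i)bearer\\s+\\S+|\\beyJ[a-z0-9_-]+\\.[a-z0-9_-]+\\.[a-z0-9_-]+\\b|\\b[a-f0-9]{32,}\\b");

    /** A tainted slice [start, start + length) of the header value and the source it came from. */
    static final class Range {
        final int start;
        final int length;
        final String sourceName;   // e.g. the request parameter name; may be null
        final String sourceValue;  // the value originally read from the request; may be null

        Range(int start, int length, String sourceName, String sourceValue) {
            this.start = start;
            this.length = length;
            this.sourceName = sourceName;
            this.sourceValue = sourceValue;
        }

        /** A range is a sensitive value when its source name or source value matches a pattern. */
        boolean isSensitive() {
            return (sourceName != null && SENSITIVE_NAME.matcher(sourceName).matches())
                    || (sourceValue != null && SENSITIVE_VALUE.matcher(sourceValue).find());
        }
    }

    static String redact(String name, String value, List<Range> taintedRanges) {
        // Rules 1 and 2: a sensitive header name, or a value that looks like a credential,
        // drops the whole value. The header name is kept so the finding stays locatable.
        if (SENSITIVE_NAME.matcher(name).matches() || SENSITIVE_VALUE.matcher(value).find()) {
            return name + ": " + REDACTED;
        }
        // Rule 3: only tainted ranges fed by a sensitive source are redacted; other tainted
        // text stays visible so the evidence still shows where the injection happened.
        List<Range> sorted = new ArrayList<>(taintedRanges);
        sorted.sort((a, b) -> Integer.compare(a.start, b.start));
        StringBuilder out = new StringBuilder();
        int cursor = 0;
        for (Range r : sorted) {
            int end = Math.min(r.start + r.length, value.length());
            if (r.start < cursor || r.start >= end) {
                continue; // overlapping or empty range: skip it rather than corrupt the output
            }
            out.append(value, cursor, r.start);
            String tainted = value.substring(r.start, end);
            out.append(r.isSensitive() ? REDACTED : tainted);
            cursor = end;
        }
        out.append(value, cursor, value.length());
        return name + ": " + out;
    }

    public static void main(String[] args) {
        List<Range> none = new ArrayList<>();

        // Rule 1: sensitive header name, so the whole value goes.
        System.out.println(redact("Authorization", "Basic YWxpY2U6aHVudGVyMg==", none));

        // Rule 2: harmless header name, but the value itself matches the value pattern.
        System.out.println(redact("X-Debug", "Bearer abc.def.ghi", none));

        // Rule 3: constructed evidence with two tainted ranges. "alice" came from the
        // "user" parameter (not sensitive); "deadbeef" came from the "token" parameter,
        // so only that range is replaced and the rest of the value remains readable.
        String loc = "/home?user=alice&token=deadbeef";
        List<Range> ranges = new ArrayList<>();
        ranges.add(new Range(loc.indexOf("alice"), 5, "user", "alice"));
        ranges.add(new Range(loc.indexOf("deadbeef"), 8, "token", "deadbeef"));
        System.out.println(redact("Location", loc, ranges));
    }
}
```

Whole-value redaction is deliberately the stronger rule: a credential-shaped value is dropped even under an innocuous header name, whereas a tainted range from a sensitive source is blanked in place so the surrounding text still shows the injection point.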

@jandro996 added the "comp: asm iast Application Security Management (IAST)" label Jan 29, 2024

pr-commenter bot commented Jan 29, 2024

Benchmarks

Startup

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| git_branch | master | alejandro.gonzalez/improve_header_injection_redaction |
| git_commit_date | 1706562398 | 1706601487 |
| git_commit_sha | 281e492 | 62ac356 |
| release_version | 1.29.0-SNAPSHOT~281e492170 | 1.29.0-SNAPSHOT~62ac3565b1 |

Matching parameters (identical for baseline and candidate): application insecure-bank, ci_job_date 1706604410, ci_job_id 421351144, ci_pipeline_id 27381520, cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz, module Agent, parent None, variant iast.

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 45 metrics, 9 unstable metrics.

Startup time reports for petclinic

[Gantt chart: petclinic - global startup overhead: candidate=1.29.0-SNAPSHOT~62ac3565b1, baseline=1.29.0-SNAPSHOT~281e492170. Same values as the table below.]

| Module | Variant | Baseline duration | Δ tracing (baseline) | Candidate duration | Δ tracing (candidate) |
|---|---|---|---|---|---|
| Agent | tracing | 1.064 s | - | 1.057 s | - |
| Agent | appsec | 1.157 s | 92.541 ms (8.7%) | 1.159 s | 101.96 ms (9.6%) |
| Agent | iast | 1.187 s | 122.4 ms (11.5%) | 1.183 s | 125.894 ms (11.9%) |
| Agent | profiling | 1.285 s | 221.147 ms (20.8%) | 1.291 s | 233.573 ms (22.1%) |
| Total | tracing | 9.368 s | - | 9.332 s | - |
| Total | appsec | 9.451 s | 82.248 ms (0.9%) | 9.439 s | 107.72 ms (1.2%) |
| Total | iast | 9.674 s | 305.52 ms (3.3%) | 9.699 s | 367.46 ms (3.9%) |
| Total | profiling | 9.589 s | 220.206 ms (2.4%) | 9.557 s | 225.022 ms (2.4%) |
[Gantt chart: petclinic - break down per module: candidate=1.29.0-SNAPSHOT~62ac3565b1, baseline=1.29.0-SNAPSHOT~281e492170. Values reconstructed below.]

| Variant | Component | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 670.246 ms | 666.421 ms |
| tracing | GlobalTracer | 298.6 ms | 296.398 ms |
| tracing | AppSec | 52.667 ms | 51.927 ms |
| tracing | Remote Config | 690.627 µs | 683.913 µs |
| tracing | Telemetry | 7.552 ms | 7.496 ms |
| appsec | BytebuddyAgent | 667.64 ms | 669.737 ms |
| appsec | GlobalTracer | 297.421 ms | 297.044 ms |
| appsec | AppSec | 149.879 ms | 150.487 ms |
| appsec | Remote Config | 651.266 µs | 648.954 µs |
| appsec | Telemetry | 6.756 ms | 6.718 ms |
| iast | BytebuddyAgent | 780.78 ms | 777.728 ms |
| iast | GlobalTracer | 288.542 ms | 288.181 ms |
| iast | AppSec | 52.069 ms | 54.393 ms |
| iast | Remote Config | 621.8 µs | 622.918 µs |
| iast | Telemetry | 6.608 ms | 6.633 ms |
| iast | IAST | 23.649 ms | 21.127 ms |
| profiling | BytebuddyAgent | 664.154 ms | 666.85 ms |
| profiling | GlobalTracer | 380.453 ms | 382.104 ms |
| profiling | AppSec | 52.479 ms | 53.021 ms |
| profiling | Remote Config | 664.207 µs | 678.608 µs |
| profiling | Telemetry | 8.721 ms | 7.575 ms |
| profiling | ProfilingAgent | 124.361 ms | 125.973 ms |
| profiling | Profiling | 124.386 ms | 125.998 ms |

Load

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| start_time | 2024-01-30T08:22:46 | 2024-01-30T08:41:37 |
| end_time | 2024-01-30T08:22:58 | 2024-01-30T08:41:50 |
| git_branch | master | alejandro.gonzalez/improve_header_injection_redaction |
| git_commit_date | 1706562398 | 1706601487 |
| git_commit_sha | 281e492 | 62ac356 |
| release_version | 1.29.0-SNAPSHOT~281e492170 | 1.29.0-SNAPSHOT~62ac3565b1 |

Matching parameters (identical for baseline and candidate): application insecure-bank, ci_job_date 1706604410, ci_job_id 421351144, ci_pipeline_id 27381520, cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz, variant iast.

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 10 metrics, 16 unstable metrics.

Request duration reports for petclinic

[Gantt chart: petclinic - request duration [CI 0.99]: candidate=1.29.0-SNAPSHOT~62ac3565b1, baseline=1.29.0-SNAPSHOT~281e492170. Same values as the table below.]

| Variant | Baseline request duration [CI 0.99] | Δ no_agent (baseline) | Candidate request duration [CI 0.99] | Δ no_agent (candidate) |
|---|---|---|---|---|
| no_agent | 1.351 ms [1.332 ms, 1.37 ms] | - | 1.356 ms [1.337 ms, 1.375 ms] | - |
| appsec | 1.744 ms [1.719 ms, 1.77 ms] | 393.501 µs (29.1%) | 1.764 ms [1.739 ms, 1.79 ms] | 408.174 µs (30.1%) |
| iast | 1.524 ms [1.5 ms, 1.548 ms] | 173.407 µs (12.8%) | 1.502 ms [1.477 ms, 1.526 ms] | 145.326 µs (10.7%) |
| profiling | 1.525 ms [1.501 ms, 1.549 ms] | 174.038 µs (12.9%) | 1.518 ms [1.492 ms, 1.544 ms] | 161.718 µs (11.9%) |
| tracing | 1.501 ms [1.476 ms, 1.527 ms] | 150.412 µs (11.1%) | 1.487 ms [1.462 ms, 1.512 ms] | 130.591 µs (9.6%) |
Request duration reports for insecure-bank

[Gantt chart: insecure-bank - request duration [CI 0.99]: candidate=1.29.0-SNAPSHOT~62ac3565b1, baseline=1.29.0-SNAPSHOT~281e492170. Same values as the table below.]

| Variant | Baseline request duration [CI 0.99] | Δ no_agent (baseline) | Candidate request duration [CI 0.99] | Δ no_agent (candidate) |
|---|---|---|---|---|
| no_agent | 362.752 µs [342.832 µs, 382.671 µs] | - | 366.355 µs [345.151 µs, 387.558 µs] | - |
| iast | 464.778 µs [444.295 µs, 485.261 µs] | 102.026 µs (28.1%) | 468.991 µs [447.761 µs, 490.221 µs] | 102.636 µs (28.0%) |
| iast_FULL | 527.145 µs [506.681 µs, 547.61 µs] | 164.393 µs (45.3%) | 531.96 µs [511.299 µs, 552.621 µs] | 165.605 µs (45.2%) |
| iast_GLOBAL | 494.053 µs [473.801 µs, 514.304 µs] | 131.301 µs (36.2%) | 488.295 µs [467.566 µs, 509.024 µs] | 121.94 µs (33.3%) |
| iast_HARDCODED_SECRET_DISABLED | 469.105 µs [448.121 µs, 490.09 µs] | 106.353 µs (29.3%) | 470.551 µs [449.728 µs, 491.373 µs] | 104.196 µs (28.4%) |
| iast_INACTIVE | 441.689 µs [420.744 µs, 462.635 µs] | 78.938 µs (21.8%) | 442.033 µs [420.487 µs, 463.579 µs] | 75.678 µs (20.7%) |
| iast_TELEMETRY_OFF | 468.945 µs [448.095 µs, 489.796 µs] | 106.194 µs (29.3%) | 462.137 µs [441.359 µs, 482.914 µs] | 95.782 µs (26.1%) |
| tracing | 434.041 µs [413.834 µs, 454.248 µs] | 71.289 µs (19.7%) | 435.957 µs [415.057 µs, 456.857 µs] | 69.602 µs (19.0%) |

@jandro996 force-pushed the alejandro.gonzalez/improve_header_injection_redaction branch from 64c6f59 to 35de295 on January 29, 2024 12:58
@jandro996 jandro996 marked this pull request as ready for review January 29, 2024 17:13
@jandro996 jandro996 requested a review from a team as a code owner January 29, 2024 17:13
@jandro996 jandro996 requested a review from smola January 30, 2024 08:05
@jandro996 jandro996 merged commit cc073db into master Jan 31, 2024
80 checks passed
@jandro996 jandro996 deleted the alejandro.gonzalez/improve_header_injection_redaction branch January 31, 2024 12:29
@github-actions github-actions bot added this to the 1.29.0 milestone Jan 31, 2024
Labels
comp: asm iast Application Security Management (IAST)

3 participants