Add Reflection Injection support #6622
Benchmarks

Startup

Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 46 metrics, 8 unstable metrics.

Startup time reports for petclinic

petclinic - global startup overhead: candidate=1.31.0-SNAPSHOT~aa4f5bdee1, baseline=1.31.0-SNAPSHOT~142c8cac77

| Variant   | Agent [baseline] | Agent [candidate] | Total [baseline] | Total [candidate] |
|-----------|------------------|-------------------|------------------|-------------------|
| tracing   | 1.06 s           | 1.069 s           | 9.341 s          | 9.365 s           |
| appsec    | 1.16 s           | 1.159 s           | 9.522 s          | 9.507 s           |
| iast      | 1.197 s          | 1.189 s           | 9.728 s          | 9.708 s           |
| profiling | 1.277 s          | 1.285 s           | 9.591 s          | 9.574 s           |

petclinic - break down per module: candidate=1.31.0-SNAPSHOT~aa4f5bdee1, baseline=1.31.0-SNAPSHOT~142c8cac77

| Variant   | Module         | [baseline] | [candidate] |
|-----------|----------------|------------|-------------|
| tracing   | BytebuddyAgent | 667.38 ms  | 673.004 ms  |
| tracing   | GlobalTracer   | 298.475 ms | 301.099 ms  |
| tracing   | AppSec         | 51.745 ms  | 51.797 ms   |
| tracing   | Remote Config  | 707.496 µs | 706.867 µs  |
| tracing   | Telemetry      | 7.644 ms   | 7.72 ms     |
| appsec    | BytebuddyAgent | 668.082 ms | 667.684 ms  |
| appsec    | GlobalTracer   | 298.76 ms  | 298.395 ms  |
| appsec    | AppSec         | 151.199 ms | 151.191 ms  |
| appsec    | Remote Config  | 635.918 µs | 630.492 µs  |
| appsec    | Telemetry      | 6.846 ms   | 6.828 ms    |
| iast      | BytebuddyAgent | 789.135 ms | 781.422 ms  |
| iast      | GlobalTracer   | 291.139 ms | 290.51 ms   |
| iast      | AppSec         | 55.884 ms  | 53.6 ms     |
| iast      | IAST           | 19.022 ms  | 22.054 ms   |
| iast      | Remote Config  | 603.639 µs | 586.704 µs  |
| iast      | Telemetry      | 6.597 ms   | 6.57 ms     |
| profiling | BytebuddyAgent | 665.925 ms | 669.945 ms  |
| profiling | GlobalTracer   | 381.254 ms | 384.443 ms  |
| profiling | AppSec         | 52.18 ms   | 52.102 ms   |
| profiling | Remote Config  | 656.405 µs | 661.101 µs  |
| profiling | Telemetry      | 13.589 ms  | 12.245 ms   |
| profiling | ProfilingAgent | 109.257 ms | 111.253 ms  |
| profiling | Profiling      | 109.282 ms | 111.277 ms  |
Load

Summary: Found 0 performance improvements and 1 performance regressions! Performance is the same for 9 metrics, 16 unstable metrics.

Request duration reports for petclinic

petclinic - request duration [CI 0.99]: candidate=1.31.0-SNAPSHOT~aa4f5bdee1, baseline=1.31.0-SNAPSHOT~142c8cac77
(mean request duration; the bracketed values are the chart's CI bar bounds, in µs)

| Variant   | baseline              | candidate             |
|-----------|-----------------------|-----------------------|
| no_agent  | 1.341 ms [1322, 1360] | 1.372 ms [1354, 1391] |
| appsec    | 1.742 ms [1717, 1768] | 1.776 ms [1751, 1801] |
| iast      | 1.502 ms [1477, 1527] | 1.513 ms [1488, 1538] |
| profiling | 1.512 ms [1487, 1536] | 1.591 ms [1565, 1618] |
| tracing   | 1.486 ms [1461, 1511] | 1.516 ms [1491, 1541] |

Request duration reports for insecure-bank

insecure-bank - request duration [CI 0.99]: candidate=1.31.0-SNAPSHOT~aa4f5bdee1, baseline=1.31.0-SNAPSHOT~142c8cac77
(mean request duration; the bracketed values are the chart's CI bar bounds, in µs)

| Variant                        | baseline               | candidate              |
|--------------------------------|------------------------|------------------------|
| no_agent                       | 366.869 µs [347, 387]  | 375.574 µs [353, 398]  |
| iast                           | 475.996 µs [455, 497]  | 469.371 µs [449, 490]  |
| iast_FULL                      | 536.08 µs [515, 557]   | 539.407 µs [518, 560]  |
| iast_GLOBAL                    | 496.608 µs [475, 518]  | 496.977 µs [476, 518]  |
| iast_HARDCODED_SECRET_DISABLED | 470.028 µs [449, 491]  | 475.595 µs [454, 497]  |
| iast_INACTIVE                  | 440.291 µs [420, 461]  | 444.175 µs [423, 465]  |
| iast_TELEMETRY_OFF             | 480.481 µs [460, 501]  | 474.069 µs [453, 495]  |
| tracing                        | 440.265 µs [420, 461]  | 440.918 µs [420, 462]  |
2488d17 to ef7e09e
dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/ReflectionInjectionModuleImpl.java
dd-smoke-tests/springboot/src/test/groovy/datadog/smoketest/IastSpringBootSmokeTest.groovy (outdated)
9a213b4 to 5d3ae1b
I'm missing call sites for
internal-api/src/main/java/datadog/trace/api/iast/sink/ReflectionInjectionModule.java (outdated)
      return;
    }
    final IastContext ctx = IastContext.Provider.get();
    if (ctx == null) {
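Review bot: the `ctx == null` form on the last line of this snippet differs from the `null == var` form used by other conditionals in the same change, as the reviewer below points out; settle on one convention before merging. The early exit itself, returning when `IastContext.Provider.get()` yields no context, is the right guard and should stay.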
Some conditionals are var == null and some are null == var.
I don't care either way, but it would be nice to be consistent.
What Does This Do
This is a first version to be able to detect the Reflection Injection vulnerability.
Motivation
Add basic Reflection Injection support
Additional Notes
There are more sink points to cover; we decided to do that in another PR.
Jira ticket: APPSEC-17150