
Improve coverage of application vulnerabilities for servlet #6803

Merged
merged 16 commits into from Mar 14, 2024

Conversation

jandro996
Member

What Does This Do

  • Get the realPath from the context when HttpServlet#service or javax.servlet.FilterChain#doFilter is called (this implementation is based on the current tracer instrumentation for servlet)

  • Remove javax.servlet.ServletContext#getRealPath instrumentation

  • Add new IAST instrumentations for:

    servlet2 -> javax.servlet.Servlet
    servlet3 -> javax.servlet.Servlet
    servlet5 -> jakarta.servlet.Servlet

Motivation

We noticed that javax.servlet.ServletContext#getRealPath is not always called, so we need to find a more reliable point to check the vulnerabilities.

Add coverage for servlet 5.

Additional Notes

Jira ticket: [PROJ-IDENT]
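
The approach described above, as an added illustration rather than code from this PR or from dd-trace-java: the tracer itself hooks HttpServlet#service and FilterChain#doFilter with bytecode advice, while this standalone javax.servlet.Filter shows the same idea in plain Java, resolving the real path at the request entry point once per deployed context instead of waiting for the application to call getRealPath. RealPathEntryFilter and the Consumer<String> sink are hypothetical names; it assumes javax.servlet-api 3.x on the classpath (swap the imports to jakarta.servlet.* for the servlet5 case).

```java
import java.io.IOException;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Consumer;
import javax.servlet.*;

public final class RealPathEntryFilter implements Filter {
  // Contexts already checked: several filters/servlets in one app share this set,
  // so the lookup happens once per deployment and per-request overhead stays flat.
  private static final Set<ServletContext> CHECKED = ConcurrentHashMap.newKeySet();
  // Hypothetical sink that receives the real path and inspects the deployment
  // (the IAST application module in dd-trace-java, not shown here).
  private final Consumer<String> applicationChecks;
  private ServletContext context;

  public RealPathEntryFilter(Consumer<String> applicationChecks) {
    this.applicationChecks = applicationChecks;
  }

  @Override
  public void init(FilterConfig config) throws ServletException {
    // FilterConfig#getServletContext exists back to Servlet 2.x, so the same shape
    // serves the servlet2, servlet3 and (with jakarta.* imports) servlet5 cases.
    this.context = config.getServletContext();
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
      throws IOException, ServletException {
    // The first request into this context triggers the lookup; the check no longer
    // depends on the application itself ever calling ServletContext#getRealPath.
    if (context != null && CHECKED.add(context)) {
      // getRealPath("/") is null for a packed (non-exploded) WAR: nothing to scan,
      // but the request must still be served normally.
      String realPath = context.getRealPath("/");
      if (realPath != null) {
        try {
          applicationChecks.accept(realPath);
        } catch (RuntimeException e) {
          // Instrumentation must never fail the request; log this in real code.
        }
      }
    }
    chain.doFilter(req, resp);
  }

  @Override
  public void destroy() {
    // Forget the context so a redeploy of the same application is checked again.
    if (context != null) CHECKED.remove(context);
  }
}
```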

@jandro996 jandro996 marked this pull request as ready for review March 12, 2024 09:40
@jandro996 jandro996 requested review from a team as code owners March 12, 2024 09:40

pr-commenter bot commented Mar 12, 2024

Benchmarks

Startup

Parameters

Parameter              Baseline                     Candidate
baseline_or_candidate  baseline                     candidate
git_branch             master                       alejandro.gonzalez/chang_app_vulns_approach
git_commit_date        1710368126                   1710403160
git_commit_sha         ee9c0f8                      e8d42e8
release_version        1.32.0-SNAPSHOT~ee9c0f803a   1.32.0-SNAPSHOT~e8d42e8f26

Matching parameters (identical for baseline and candidate):
application     insecure-bank
ci_job_date     1710406727
ci_job_id       459469965
ci_pipeline_id  30080943
cpu_model       Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
module          Agent
parent          None
variant         iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 50 metrics, 13 unstable metrics.

Startup time reports for petclinic
[Chart: petclinic - global startup overhead: candidate=1.32.0-SNAPSHOT~e8d42e8f26, baseline=1.32.0-SNAPSHOT~ee9c0f803a. The Agent and Total startup times it plots are listed in the tables below.]
  • baseline results
    Module  Variant    Duration  Δ vs tracing
    Agent   tracing    1.089 s   -
    Agent   appsec     1.2 s     111.588 ms (10.3%)
    Agent   iast       1.206 s   117.397 ms (10.8%)
    Agent   profiling  1.274 s   185.11 ms (17.0%)
    Total   tracing    9.229 s   -
    Total   appsec     9.296 s   66.818 ms (0.7%)
    Total   iast       9.35 s    120.998 ms (1.3%)
    Total   profiling  9.362 s   133.423 ms (1.4%)
  • candidate results
    Module  Variant    Duration  Δ vs tracing
    Agent   tracing    1.081 s   -
    Agent   appsec     1.211 s   130.038 ms (12.0%)
    Agent   iast       1.219 s   138.18 ms (12.8%)
    Agent   profiling  1.276 s   195.117 ms (18.0%)
    Total   tracing    9.188 s   -
    Total   appsec     9.312 s   124.062 ms (1.4%)
    Total   iast       9.459 s   270.986 ms (2.9%)
    Total   profiling  9.404 s   216.033 ms (2.4%)
petclinic - startup time break down per module (candidate=1.32.0-SNAPSHOT~e8d42e8f26, baseline=1.32.0-SNAPSHOT~ee9c0f803a)
    Variant    Module          Baseline    Candidate
    tracing    BytebuddyAgent  702.294 ms  696.704 ms
    tracing    GlobalTracer    293.795 ms  292.843 ms
    tracing    AppSec          49.445 ms   48.879 ms
    tracing    Remote Config   722.439 µs  740.703 µs
    tracing    Telemetry       7.744 ms    7.751 ms
    appsec     BytebuddyAgent  696.493 ms  702.828 ms
    appsec     GlobalTracer    291.197 ms  294.736 ms
    appsec     AppSec          152.886 ms  153.652 ms
    appsec     IAST            17.876 ms   18.039 ms
    appsec     Remote Config   606.518 µs  616.885 µs
    appsec     Telemetry       6.89 ms     6.965 ms
    iast       BytebuddyAgent  802.334 ms  809.913 ms
    iast       GlobalTracer    288.344 ms  292.213 ms
    iast       AppSec          48.575 ms   48.548 ms
    iast       IAST            25.16 ms    26.853 ms
    iast       Remote Config   597.77 µs   616.33 µs
    iast       Telemetry       6.603 ms    6.637 ms
    profiling  BytebuddyAgent  689.23 ms   690.612 ms
    profiling  GlobalTracer    375.785 ms  377.133 ms
    profiling  AppSec          49.668 ms   49.825 ms
    profiling  Remote Config   785.161 µs  780.137 µs
    profiling  Telemetry       7.419 ms    7.47 ms
    profiling  ProfilingAgent  94.614 ms   94.364 ms
    profiling  Profiling       94.638 ms   94.387 ms
Startup time reports for insecure-bank
[Chart: insecure-bank - global startup overhead: candidate=1.32.0-SNAPSHOT~e8d42e8f26, baseline=1.32.0-SNAPSHOT~ee9c0f803a. The Agent and Total startup times it plots are listed in the tables below.]
  • baseline results
    Module  Variant                         Duration  Δ vs tracing
    Agent   tracing                         1.083 s   -
    Agent   iast                            1.205 s   122.598 ms (11.3%)
    Agent   iast_HARDCODED_SECRET_DISABLED  1.214 s   130.802 ms (12.1%)
    Agent   iast_TELEMETRY_OFF              1.198 s   115.593 ms (10.7%)
    Total   tracing                         8.619 s   -
    Total   iast                            9.051 s   431.311 ms (5.0%)
    Total   iast_HARDCODED_SECRET_DISABLED  9.04 s    421.155 ms (4.9%)
    Total   iast_TELEMETRY_OFF              9.075 s   456.064 ms (5.3%)
  • candidate results
    Module  Variant                         Duration  Δ vs tracing
    Agent   tracing                         1.082 s   -
    Agent   iast                            1.221 s   139.04 ms (12.8%)
    Agent   iast_HARDCODED_SECRET_DISABLED  1.213 s   130.245 ms (12.0%)
    Agent   iast_TELEMETRY_OFF              1.201 s   118.688 ms (11.0%)
    Total   tracing                         8.581 s   -
    Total   iast                            9.094 s   513.712 ms (6.0%)
    Total   iast_HARDCODED_SECRET_DISABLED  9.033 s   452.128 ms (5.3%)
    Total   iast_TELEMETRY_OFF              9.047 s   466.138 ms (5.4%)
insecure-bank - startup time break down per module (candidate=1.32.0-SNAPSHOT~e8d42e8f26, baseline=1.32.0-SNAPSHOT~ee9c0f803a)
    Variant                         Module          Baseline    Candidate
    tracing                         BytebuddyAgent  697.307 ms  697.982 ms
    tracing                         GlobalTracer    293.164 ms  292.695 ms
    tracing                         AppSec          49.472 ms   48.677 ms
    tracing                         Remote Config   731.533 µs  733.329 µs
    tracing                         Telemetry       7.718 ms    7.932 ms
    iast                            BytebuddyAgent  801.658 ms  812.007 ms
    iast                            GlobalTracer    288.542 ms  292.637 ms
    iast                            AppSec          49.908 ms   49.76 ms
    iast                            IAST            23.672 ms   24.159 ms
    iast                            Remote Config   620.225 µs  620.629 µs
    iast                            Telemetry       6.591 ms    7.434 ms
    iast_HARDCODED_SECRET_DISABLED  BytebuddyAgent  806.837 ms  805.846 ms
    iast_HARDCODED_SECRET_DISABLED  GlobalTracer    290.711 ms  291.16 ms
    iast_HARDCODED_SECRET_DISABLED  AppSec          51.767 ms   50.298 ms
    iast_HARDCODED_SECRET_DISABLED  IAST            21.59 ms    22.824 ms
    iast_HARDCODED_SECRET_DISABLED  Remote Config   629.408 µs  613.016 µs
    iast_HARDCODED_SECRET_DISABLED  Telemetry       7.383 ms    7.372 ms
    iast_TELEMETRY_OFF              BytebuddyAgent  794.162 ms  794.505 ms
    iast_TELEMETRY_OFF              GlobalTracer    289.188 ms  290.579 ms
    iast_TELEMETRY_OFF              AppSec          51.366 ms   48.849 ms
    iast_TELEMETRY_OFF              IAST            21.557 ms   25.692 ms
    iast_TELEMETRY_OFF              Remote Config   571.741 µs  576.964 µs
    iast_TELEMETRY_OFF              Telemetry       7.217 ms    6.508 ms

Load

Request duration reports for petclinic
[Chart: petclinic - request duration [CI 0.99]: candidate=1.32.0-SNAPSHOT~e8d42e8f26, baseline=1.32.0-SNAPSHOT~ee9c0f803a. The per-variant durations and confidence intervals it plots are listed in the tables below.]
  • baseline results
    Variant    Request duration [CI 0.99]     Δ vs no_agent
    no_agent   1.368 ms [1.349 ms, 1.387 ms]  -
    appsec     1.775 ms [1.752 ms, 1.799 ms]  407.158 µs (29.8%)
    iast       1.524 ms [1.5 ms, 1.549 ms]    156.079 µs (11.4%)
    profiling  1.567 ms [1.542 ms, 1.592 ms]  198.796 µs (14.5%)
    tracing    1.516 ms [1.493 ms, 1.54 ms]   148.017 µs (10.8%)
  • candidate results
    Variant    Request duration [CI 0.99]     Δ vs no_agent
    no_agent   1.358 ms [1.339 ms, 1.377 ms]  -
    appsec     1.788 ms [1.764 ms, 1.812 ms]  429.982 µs (31.7%)
    iast       1.555 ms [1.532 ms, 1.578 ms]  196.953 µs (14.5%)
    profiling  1.526 ms [1.502 ms, 1.55 ms]   167.763 µs (12.4%)
    tracing    1.542 ms [1.52 ms, 1.565 ms]   184.462 µs (13.6%)
Request duration reports for insecure-bank
[Chart: insecure-bank - request duration [CI 0.99]: candidate=1.32.0-SNAPSHOT~e8d42e8f26, baseline=1.32.0-SNAPSHOT~ee9c0f803a. The per-variant durations and confidence intervals it plots are listed in the tables below.]
  • baseline results
    Variant                         Request duration [CI 0.99]           Δ vs no_agent
    no_agent                        365.471 µs [345.745 µs, 385.197 µs]  -
    iast                            478.702 µs [458.101 µs, 499.303 µs]  113.231 µs (31.0%)
    iast_FULL                       539.252 µs [518.861 µs, 559.644 µs]  173.781 µs (47.5%)
    iast_GLOBAL                     502.282 µs [481.014 µs, 523.551 µs]  136.811 µs (37.4%)
    iast_HARDCODED_SECRET_DISABLED  476.122 µs [455.489 µs, 496.755 µs]  110.651 µs (30.3%)
    iast_INACTIVE                   458.52 µs [437.465 µs, 479.575 µs]   93.049 µs (25.5%)
    iast_TELEMETRY_OFF              479.655 µs [458.747 µs, 500.563 µs]  114.184 µs (31.2%)
    tracing                         454.608 µs [433.548 µs, 475.667 µs]  89.136 µs (24.4%)
  • candidate results
    Variant                         Request duration [CI 0.99]           Δ vs no_agent
    no_agent                        373.857 µs [353.591 µs, 394.124 µs]  -
    iast                            480.225 µs [459.65 µs, 500.8 µs]     106.367 µs (28.5%)
    iast_FULL                       555.252 µs [534.786 µs, 575.717 µs]  181.394 µs (48.5%)
    iast_GLOBAL                     508.562 µs [488.166 µs, 528.958 µs]  134.704 µs (36.0%)
    iast_HARDCODED_SECRET_DISABLED  480.232 µs [459.685 µs, 500.779 µs]  106.374 µs (28.5%)
    iast_INACTIVE                   453.421 µs [432.786 µs, 474.056 µs]  79.563 µs (21.3%)
    iast_TELEMETRY_OFF              472.873 µs [452.628 µs, 493.118 µs]  99.015 µs (26.5%)
    tracing                         450.157 µs [429.082 µs, 471.233 µs]  76.3 µs (20.4%)

@smola smola changed the title Change Servlet instrumentation for application vulnerabilities Improve coverage of application vulnerabilities for servlet Mar 12, 2024
@smola smola added type: enhancement comp: asm iast Application Security Management (IAST) labels Mar 12, 2024
@jandro996 jandro996 force-pushed the alejandro.gonzalez/chang_app_vulns_approach branch from ef20ab0 to e790156 Compare March 14, 2024 07:42
@jandro996 jandro996 merged commit f19053f into master Mar 14, 2024
80 checks passed
@jandro996 jandro996 deleted the alejandro.gonzalez/chang_app_vulns_approach branch March 14, 2024 09:17
@github-actions github-actions bot added this to the 1.32.0 milestone Mar 14, 2024