Support spring-boot-devtools reloadable classloader #7320
base: master
Benchmarks: Startup
Summary: Found 1 performance improvement and 0 performance regressions. Performance is the same for 49 metrics, 13 unstable metrics.
Startup time reports for insecure-bank (gantt charts: global startup overhead and break down per module; candidate=1.39.0-SNAPSHOT~f7a71344de, baseline=1.39.0-SNAPSHOT~42eee0817d; sections tracing, iast, iast_HARDCODED_SECRET_DISABLED, iast_TELEMETRY_OFF)
Startup time reports for petclinic (gantt charts: global startup overhead and break down per module; candidate=1.39.0-SNAPSHOT~f7a71344de, baseline=1.39.0-SNAPSHOT~42eee0817d; sections tracing, appsec, iast, profiling)
Benchmarks: Load
Summary: Found 0 performance improvements and 0 performance regressions. Performance is the same for 6 metrics, 22 unstable metrics.
Request duration reports for insecure-bank (gantt chart: request duration [CI 0.99]; candidate=1.39.0-SNAPSHOT~f7a71344de, baseline=1.39.0-SNAPSHOT~42eee0817d; baseline and candidate variants no_agent, iast, iast_FULL, iast_GLOBAL, iast_HARDCODED_SECRET_DISABLED, iast_INACTIVE, iast_TELEMETRY_OFF, tracing)
Request duration reports for petclinic (gantt chart: request duration [CI 0.99]; candidate=1.39.0-SNAPSHOT~f7a71344de, baseline=1.39.0-SNAPSHOT~42eee0817d; baseline and candidate variants no_agent, appsec, appsec_no_iast, iast, profiling, tracing)
Benchmarks: Dacapo
Summary: Found 0 performance improvements and 0 performance regressions. Performance is the same for 11 metrics, 1 unstable metric.
Execution time for tomcat (gantt chart: execution time [CI 0.99]; candidate=1.39.0-SNAPSHOT~f7a71344de, baseline=1.39.0-SNAPSHOT~42eee0817d; baseline and candidate variants no_agent, appsec, iast, iast_GLOBAL, profiling, tracing)
Execution time for biojava (gantt chart: execution time [CI 0.99]; candidate=1.39.0-SNAPSHOT~f7a71344de, baseline=1.39.0-SNAPSHOT~42eee0817d; baseline and candidate variants no_agent, appsec, iast, iast_GLOBAL, profiling, tracing)
Commits compared: 7e51450 to cce2b0d; cce2b0d to ba0bcaf.
    testImplementation group: 'org.springframework.boot', name: 'spring-boot', version: '1.3.0.RELEASE'
    testImplementation group: 'org.springframework.boot', name: 'spring-boot-devtools', version: '1.3.0.RELEASE'
🔴 Library Vulnerability
org.springframework.boot:spring-boot → 1.3.0.RELEASE
Temporary Directory Hijacking to Local Privilege Escalation Vulnerability in org.springframework.boot:spring-boot
spring-boot versions prior to v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method.
The vulnerable method is used to create a work directory for embedded web servers such as Tomcat and Jetty. The directory contains configuration files, JSP/class files, etc. If a local attacker got the permission to write in this directory, they could completely take over the application (i.e. local privilege escalation).
Impact Location
This vulnerability impacted the following source location:
    /**
     * Return the absolute temp dir for given web server.
     * @param prefix server name
     * @return the temp dir for given server.
     */
    protected final File createTempDir(String prefix) {
        try {
            File tempDir = File.createTempFile(prefix + ".", "." + getPort());
            tempDir.delete();
            tempDir.mkdir();
            tempDir.deleteOnExit();
            return tempDir;
        }
        catch (IOException ex) {
            // catch clause omitted from the advisory excerpt; added here so the
            // snippet compiles (Spring Boot rethrows as WebServerException)
            throw new WebServerException("Unable to create tempDir", ex);
        }
    }
This vulnerability exists because File.mkdir returns false when it fails to create a directory; it does not throw an exception. As such, the following race condition exists:
    File tmpDir = File.createTempFile(prefix + ".", "." + getPort()); // Attacker knows the full path of the file that will be generated
    // delete the file that was created
    tmpDir.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Jetty.
    // and make a directory of the same name
    // SECURITY VULNERABILITY: Race Condition! - Attacker beats java code and now owns this directory
    tmpDir.mkdirs(); // This method returns 'false' because it was unable to create the directory. No exception is thrown.
    // Attacker can write any new files to this directory that they wish.
    // Attacker can read any files created by this process.
Prerequisites
This vulnerability impacts Unix-like systems, and very old versions of Mac OSX and Windows, as they all share the system temporary directory between all users.
Patches
This vulnerability was inadvertently fixed as a part of this patch: spring-projects/spring-boot@667ccda
This vulnerability is patched in versions v2.2.11.RELEASE or later.
Workarounds
Setting the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability for all operating systems.
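A hardened form of the createTempDir pattern, added here as an example and not Spring Boot's own patch: Files.createTempDirectory creates the directory in a single step with owner-only permissions, which removes the delete-then-mkdir window, and a check verifies the java.io.tmpdir workaround above. The class name and the port argument standing in for getPort() are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.UserPrincipal;
import java.util.Set;

// Added example (not Spring Boot's code): an atomic replacement for the
// createTempFile/delete/mkdir sequence, plus a check for the java.io.tmpdir
// workaround. 'port' stands in for the getPort() call in the original method.
public class TempDirExample {

    // Files.createTempDirectory creates a fresh, uniquely named directory in one
    // step, throws IOException instead of returning false, and on POSIX file
    // systems creates it with owner-only (rwx------) permissions.
    static File createTempDirAtomic(String prefix, int port) throws IOException {
        File tempDir = Files.createTempDirectory(prefix + "." + port + ".").toFile();
        tempDir.deleteOnExit();
        return tempDir;
    }

    // Check matching the advisory's workaround: java.io.tmpdir should be owned by
    // the executing user and not writable by anyone else. Returns false when
    // ownership cannot be verified (non-POSIX file system).
    static boolean tmpDirIsPrivate() throws IOException {
        Path tmp = Paths.get(System.getProperty("java.io.tmpdir"));
        if (!tmp.getFileSystem().supportedFileAttributeViews().contains("posix")) {
            return false;
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(tmp);
        boolean othersCanWrite = perms.contains(PosixFilePermission.GROUP_WRITE)
                || perms.contains(PosixFilePermission.OTHERS_WRITE);
        UserPrincipal me = tmp.getFileSystem().getUserPrincipalLookupService()
                .lookupPrincipalByName(System.getProperty("user.name"));
        return !othersCanWrite && Files.getOwner(tmp).equals(me);
    }

    public static void main(String[] args) throws IOException {
        System.out.println("java.io.tmpdir private: " + tmpDirIsPrivate());
        System.out.println("created " + createTempDirAtomic("tomcat", 8080));
    }
}
```

On a default /tmp the check reports false (the directory is world-writable, sticky bit or not), which is exactly the shared-directory condition the advisory's workaround tells you to avoid.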
For testing. This message can be ignored
What Does This Do
This PR aims to add support for the Spring reloadable classloader. This kind of classloader is used by spring-boot-devtools and allows re-applying instrumentation on hot-reloaded classes; normally this would not be possible because of internal tracer memoizers.
The simple strategy used here is that we record each creation of this kind of classloader and reset the memoizer state once, at the first class lookup.
Motivation
Additional Notes
Jira ticket: AIDM-152