Merge branch 'master' into andrea.marziali/instrument-spring-boot-application

amarziali · web-flow · commit 77923a824729 · 2024-02-19T20:01:17.000+01:00
diff --git a/dd-java-agent/instrumentation/akka-http-10.0/src/iastTest/groovy/datadog/trace/instrumentation/akkahttp/iast/IastAkkaTest.groovy b/dd-java-agent/instrumentation/akka-http-10.0/src/iastTest/groovy/datadog/trace/instrumentation/akkahttp/iast/IastAkkaTest.groovy
@@ -13,7 +13,6 @@ import spock.lang.Shared
 import java.nio.charset.StandardCharsets
 
 import static org.hamcrest.Matchers.greaterThan
-import static org.hamcrest.Matchers.nullValue
 
 class IastAkkaTest extends IastRequestTestRunner {
   @Shared
@@ -340,7 +339,7 @@ class IastAkkaTest extends IastRequestTestRunner {
     then:
     toc.hasTaintedObject {
       value 'var1=foo&var1=bar&var2=a+b+c'
-      range 0, 28, source(SourceTypes.REQUEST_QUERY, null, null)
+      range 0, 28, source(SourceTypes.REQUEST_QUERY, null, 'var1=foo&var1=bar&var2=a+b+c')
     }
     toc.hasTaintedObject {
       value 'var1'
@@ -486,14 +485,16 @@ class IastAkkaTest extends IastRequestTestRunner {
   }
 
   void 'json request — #variant variant'() {
+    given:
+    final json =  '''{
+        "var1": "foo",
+        "var2": ["foo2", "foo2"]
+      }'''
+
     when:
     String url = buildUrl "iast/$variant"
     def request = new Builder().url(url).post(
-      RequestBody.create(MediaType.get("application/json"), '''{
-        "var1": "foo",
-        "var2": ["foo2", "foo2"]
-      }'''.getBytes(StandardCharsets.US_ASCII))
-      ).build()
+      RequestBody.create(MediaType.get("application/json"), json.getBytes(StandardCharsets.US_ASCII))).build()
     def response = client.newCall(request).execute()
     def respBody = response.body().string()
 
@@ -505,21 +506,22 @@ class IastAkkaTest extends IastRequestTestRunner {
     def toc = finReqTaintedObjects
 
     then:
+    // source values take the value of the full body as it's converted to string at TaintFutureHelper
     toc.hasTaintedObject {
       value 'var1'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var1', nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var1', json)
     }
     toc.hasTaintedObject {
       value 'var2'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', json)
     }
     toc.hasTaintedObject {
       value 'foo'
-      range 0, 3, source(SourceTypes.REQUEST_BODY, 'var1', nullValue())
+      range 0, 3, source(SourceTypes.REQUEST_BODY, 'var1', json)
     }
     toc.hasTaintedObject {
       value 'foo2'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', json)
     }
 
     where:
diff --git a/dd-java-agent/instrumentation/pekko-http-1.0/src/iastTest/groovy/datadog/trace/instrumentation/pekkohttp/iast/IastPekkoTest.groovy b/dd-java-agent/instrumentation/pekko-http-1.0/src/iastTest/groovy/datadog/trace/instrumentation/pekkohttp/iast/IastPekkoTest.groovy
@@ -13,7 +13,6 @@ import spock.lang.Shared
 import java.nio.charset.StandardCharsets
 
 import static org.hamcrest.Matchers.greaterThan
-import static org.hamcrest.Matchers.nullValue
 
 class IastPekkoTest extends IastRequestTestRunner {
   @Shared
@@ -340,7 +339,7 @@ class IastPekkoTest extends IastRequestTestRunner {
     then:
     toc.hasTaintedObject {
       value 'var1=foo&var1=bar&var2=a+b+c'
-      range 0, 28, source(SourceTypes.REQUEST_QUERY, null, null)
+      range 0, 28, source(SourceTypes.REQUEST_QUERY, null, 'var1=foo&var1=bar&var2=a+b+c')
     }
     toc.hasTaintedObject {
       value 'var1'
@@ -486,14 +485,16 @@ class IastPekkoTest extends IastRequestTestRunner {
   }
 
   void 'json request — #variant variant'() {
+    given:
+    final json =  '''{
+        "var1": "foo",
+        "var2": ["foo2", "foo2"]
+      }'''
+
     when:
     String url = buildUrl "iast/$variant"
     def request = new Builder().url(url).post(
-      RequestBody.create(MediaType.get("application/json"), '''{
-        "var1": "foo",
-        "var2": ["foo2", "foo2"]
-      }'''.getBytes(StandardCharsets.US_ASCII))
-      ).build()
+      RequestBody.create(MediaType.get("application/json"), json.getBytes(StandardCharsets.US_ASCII))).build()
     def response = client.newCall(request).execute()
     def respBody = response.body().string()
 
@@ -505,21 +506,22 @@ class IastPekkoTest extends IastRequestTestRunner {
     def toc = finReqTaintedObjects
 
     then:
+    // source values take the value of the full body as it's converted to string at TaintFutureHelper
     toc.hasTaintedObject {
       value 'var1'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var1', nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var1', json)
     }
     toc.hasTaintedObject {
       value 'var2'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', json)
     }
     toc.hasTaintedObject {
       value 'foo'
-      range 0, 3, source(SourceTypes.REQUEST_BODY, 'var1', nullValue())
+      range 0, 3, source(SourceTypes.REQUEST_BODY, 'var1', json)
     }
     toc.hasTaintedObject {
       value 'foo2'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', json)
     }
 
     where:
diff --git a/dd-java-agent/instrumentation/spring-webflux-5/src/iastTest/groovy/datadog/trace/instrumentation/springwebflux/server/IastWebFluxTest.groovy b/dd-java-agent/instrumentation/spring-webflux-5/src/iastTest/groovy/datadog/trace/instrumentation/springwebflux/server/IastWebFluxTest.groovy
@@ -24,7 +24,6 @@ import org.springframework.web.reactive.config.WebFluxConfigurer
 import java.nio.charset.StandardCharsets
 
 import static org.hamcrest.Matchers.equalToIgnoringCase
-import static org.hamcrest.Matchers.nullValue
 
 @SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, classes = [Application])
 class IastWebFluxTest extends IastRequestTestRunner {
@@ -275,21 +274,22 @@ class IastWebFluxTest extends IastRequestTestRunner {
     def toc = finReqTaintedObjects
 
     then:
+    // source values take the value of the current object as the body is never converted to a CharSequence
     toc.hasTaintedObject {
       value 'var1'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var1',  nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var1',  'var1')
     }
     toc.hasTaintedObject {
       value 'var2'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2',  nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2',  'var2')
     }
     toc.hasTaintedObject {
       value 'foo'
-      range 0, 3, source(SourceTypes.REQUEST_BODY, 'var1',  nullValue())
+      range 0, 3, source(SourceTypes.REQUEST_BODY, 'var1',  'foo')
     }
     toc.hasTaintedObject {
       value 'foo2'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2',  nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2',  'foo2')
     }
   }
 }
diff --git a/dd-java-agent/instrumentation/spring-webflux-6/src/iastTest/groovy/datadog/trace/instrumentation/springwebflux6/server/IastWebFluxTest.groovy b/dd-java-agent/instrumentation/spring-webflux-6/src/iastTest/groovy/datadog/trace/instrumentation/springwebflux6/server/IastWebFluxTest.groovy
@@ -25,7 +25,6 @@ import org.springframework.web.reactive.config.WebFluxConfigurer
 import java.nio.charset.StandardCharsets
 
 import static org.hamcrest.Matchers.equalToIgnoringCase
-import static org.hamcrest.Matchers.nullValue
 
 @SpringBootTest(
 properties = "spring.main.web-application-type=reactive",
@@ -278,21 +277,22 @@ class IastWebFluxTest extends IastRequestTestRunner {
     def toc = finReqTaintedObjects
 
     then:
+    // source values take the value of the current object as the body is never converted to a CharSequence
     toc.hasTaintedObject {
       value 'var1'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var1',  nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var1',  'var1')
     }
     toc.hasTaintedObject {
       value 'var2'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2',  nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2',  'var2')
     }
     toc.hasTaintedObject {
       value 'foo'
-      range 0, 3, source(SourceTypes.REQUEST_BODY, 'var1',  nullValue())
+      range 0, 3, source(SourceTypes.REQUEST_BODY, 'var1',  'foo')
     }
     toc.hasTaintedObject {
       value 'foo2'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2',  nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2',  'foo2')
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,6 @@ import org.springframework.web.reactive.config.WebFluxConfigurer`
`24`	`24`	`import java.nio.charset.StandardCharsets`
`25`	`25`
`26`	`26`	`import static org.hamcrest.Matchers.equalToIgnoringCase`
`27`		`-import static org.hamcrest.Matchers.nullValue`
`28`	`27`
`29`	`28`	`@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, classes = [Application])`
`30`	`29`	`class IastWebFluxTest extends IastRequestTestRunner {`
`@@ -275,21 +274,22 @@ class IastWebFluxTest extends IastRequestTestRunner {`
`275`	`274`	`def toc = finReqTaintedObjects`
`276`	`275`
`277`	`276`	`then:`
	`277`	`+ // source values take the value of the current object as the body is never converted to a CharSequence`
`278`	`278`	`toc.hasTaintedObject {`
`279`	`279`	`value 'var1'`
`280`		`- range 0, 4, source(SourceTypes.REQUEST_BODY, 'var1', nullValue())`
	`280`	`+ range 0, 4, source(SourceTypes.REQUEST_BODY, 'var1', 'var1')`
`281`	`281`	`}`
`282`	`282`	`toc.hasTaintedObject {`
`283`	`283`	`value 'var2'`
`284`		`- range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', nullValue())`
	`284`	`+ range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', 'var2')`
`285`	`285`	`}`
`286`	`286`	`toc.hasTaintedObject {`
`287`	`287`	`value 'foo'`
`288`		`- range 0, 3, source(SourceTypes.REQUEST_BODY, 'var1', nullValue())`
	`288`	`+ range 0, 3, source(SourceTypes.REQUEST_BODY, 'var1', 'foo')`
`289`	`289`	`}`
`290`	`290`	`toc.hasTaintedObject {`
`291`	`291`	`value 'foo2'`
`292`		`- range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', nullValue())`
	`292`	`+ range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', 'foo2')`
`293`	`293`	`}`
`294`	`294`	`}`
`295`	`295`	`}`
Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,6 @@ import org.springframework.web.reactive.config.WebFluxConfigurer`
`25`	`25`	`import java.nio.charset.StandardCharsets`
`26`	`26`
`27`	`27`	`import static org.hamcrest.Matchers.equalToIgnoringCase`
`28`		`-import static org.hamcrest.Matchers.nullValue`
`29`	`28`
`30`	`29`	`@SpringBootTest(`
`31`	`30`	`properties = "spring.main.web-application-type=reactive",`
`@@ -278,21 +277,22 @@ class IastWebFluxTest extends IastRequestTestRunner {`
`278`	`277`	`def toc = finReqTaintedObjects`
`279`	`278`
`280`	`279`	`then:`
	`280`	`+ // source values take the value of the current object as the body is never converted to a CharSequence`
`281`	`281`	`toc.hasTaintedObject {`
`282`	`282`	`value 'var1'`
`283`		`- range 0, 4, source(SourceTypes.REQUEST_BODY, 'var1', nullValue())`
	`283`	`+ range 0, 4, source(SourceTypes.REQUEST_BODY, 'var1', 'var1')`
`284`	`284`	`}`
`285`	`285`	`toc.hasTaintedObject {`
`286`	`286`	`value 'var2'`
`287`		`- range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', nullValue())`
	`287`	`+ range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', 'var2')`
`288`	`288`	`}`
`289`	`289`	`toc.hasTaintedObject {`
`290`	`290`	`value 'foo'`
`291`		`- range 0, 3, source(SourceTypes.REQUEST_BODY, 'var1', nullValue())`
	`291`	`+ range 0, 3, source(SourceTypes.REQUEST_BODY, 'var1', 'foo')`
`292`	`292`	`}`
`293`	`293`	`toc.hasTaintedObject {`
`294`	`294`	`value 'foo2'`
`295`		`- range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', nullValue())`
	`295`	`+ range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', 'foo2')`
`296`	`296`	`}`
`297`	`297`	`}`
`298`	`298`	`}`