Add Untrusted Deserialization vulnerability (#7345)

Mariovido · web-flow · commit e146e2f28a96 · 2024-07-23T12:22:41.000+02:00
* Added instrumentation bridge and vulnerability types + module interface for Untrusted Deserialization

* Added module for UntrustedDeserialization

* Added instrumentation for UntrustedDeserialization

* Added tests of the module for UntrustedDeserialization + improvements in the instrumentation tests

* Added smoke tests
diff --git a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/IastSystem.java b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/IastSystem.java
@@ -25,6 +25,7 @@
 import com.datadog.iast.sink.SsrfModuleImpl;
 import com.datadog.iast.sink.StacktraceLeakModuleImpl;
 import com.datadog.iast.sink.TrustBoundaryViolationModuleImpl;
+import com.datadog.iast.sink.UntrustedDeserializationModuleImpl;
 import com.datadog.iast.sink.UnvalidatedRedirectModuleImpl;
 import com.datadog.iast.sink.WeakCipherModuleImpl;
 import com.datadog.iast.sink.WeakHashModuleImpl;
@@ -147,7 +148,8 @@ private static Stream<IastModule> iastModules(
             ApplicationModuleImpl.class,
             HardcodedSecretModuleImpl.class,
             InsecureAuthProtocolModuleImpl.class,
-            ReflectionInjectionModuleImpl.class);
+            ReflectionInjectionModuleImpl.class,
+            UntrustedDeserializationModuleImpl.class);
     if (iast != FULLY_ENABLED) {
       modules = modules.filter(IastSystem::isOptOut);
     }
diff --git a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/VulnerabilityType.java b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/VulnerabilityType.java
@@ -10,6 +10,7 @@
 import static datadog.trace.api.iast.VulnerabilityMarks.SQL_INJECTION_MARK;
 import static datadog.trace.api.iast.VulnerabilityMarks.SSRF_MARK;
 import static datadog.trace.api.iast.VulnerabilityMarks.TRUST_BOUNDARY_VIOLATION_MARK;
+import static datadog.trace.api.iast.VulnerabilityMarks.UNTRUSTED_DESERIALIZATION_MARK;
 import static datadog.trace.api.iast.VulnerabilityMarks.UNVALIDATED_REDIRECT_MARK;
 import static datadog.trace.api.iast.VulnerabilityMarks.XPATH_INJECTION_MARK;
 import static datadog.trace.api.iast.VulnerabilityMarks.XSS_MARK;
@@ -103,6 +104,11 @@ public interface VulnerabilityType {
           .hash(VulnerabilityType::serviceHash)
           .build();
 
+  VulnerabilityType UNTRUSTED_DESERIALIZATION =
+      type(VulnerabilityTypes.UNTRUSTED_DESERIALIZATION)
+          .mark(UNTRUSTED_DESERIALIZATION_MARK)
+          .build();
+
   String name();
 
   /** A bit flag to ignore tainted ranges for this vulnerability. Set to 0 if none. */
diff --git a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/UntrustedDeserializationModuleImpl.java b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/UntrustedDeserializationModuleImpl.java
@@ -0,0 +1,23 @@
+package com.datadog.iast.sink;
+
+import com.datadog.iast.Dependencies;
+import com.datadog.iast.model.VulnerabilityType;
+import datadog.trace.api.iast.sink.UntrustedDeserializationModule;
+import java.io.InputStream;
+import javax.annotation.Nullable;
+
+public class UntrustedDeserializationModuleImpl extends SinkModuleBase
+    implements UntrustedDeserializationModule {
+
+  public UntrustedDeserializationModuleImpl(final Dependencies dependencies) {
+    super(dependencies);
+  }
+
+  @Override
+  public void onInputStream(@Nullable InputStream is) {
+    if (is == null) {
+      return;
+    }
+    checkInjection(VulnerabilityType.UNTRUSTED_DESERIALIZATION, is);
+  }
+}
diff --git a/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/sink/UntrustedDeserializationModuleTest.groovy b/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/sink/UntrustedDeserializationModuleTest.groovy
@@ -0,0 +1,54 @@
+package com.datadog.iast.sink
+
+import com.datadog.iast.IastModuleImplTestBase
+import com.datadog.iast.Reporter
+import com.datadog.iast.model.Source
+import com.datadog.iast.model.Vulnerability
+import com.datadog.iast.model.VulnerabilityType
+import com.datadog.iast.taint.Ranges
+import datadog.trace.api.iast.SourceTypes
+import datadog.trace.api.iast.sink.UntrustedDeserializationModule
+
+class UntrustedDeserializationModuleTest extends IastModuleImplTestBase {
+
+  private UntrustedDeserializationModule module
+
+  def setup() {
+    module = new UntrustedDeserializationModuleImpl(dependencies)
+  }
+
+  @Override
+  protected Reporter buildReporter() {
+    return Mock(Reporter)
+  }
+
+  void 'test null value'() {
+    when:
+    module.onInputStream(null)
+
+    then:
+    0 * _
+  }
+
+  void 'test untrusted deserialization detection' () {
+    setup:
+    def inputStream = Mock(InputStream)
+
+    when:
+    module.onInputStream(inputStream)
+
+    then: 'without tainted input stream'
+    0 * reporter.report(_, _)
+
+    when:
+    taint(inputStream)
+    module.onInputStream(inputStream)
+
+    then: 'with tainted input stream'
+    1 * reporter.report(_, { Vulnerability vul -> vul.type == VulnerabilityType.UNTRUSTED_DESERIALIZATION})
+  }
+
+  private void taint(final Object value) {
+    ctx.getTaintedObjects().taint(value, Ranges.forObject(new Source(SourceTypes.REQUEST_BODY, 'name', value.toString())))
+  }
+}
diff --git a/dd-java-agent/instrumentation/java-io/src/main/java/datadog/trace/instrumentation/java/lang/ObjectInputStreamCallSite.java b/dd-java-agent/instrumentation/java-io/src/main/java/datadog/trace/instrumentation/java/lang/ObjectInputStreamCallSite.java
@@ -0,0 +1,27 @@
+package datadog.trace.instrumentation.java.lang;
+
+import datadog.trace.agent.tooling.csi.CallSite;
+import datadog.trace.api.iast.IastCallSites;
+import datadog.trace.api.iast.InstrumentationBridge;
+import datadog.trace.api.iast.Sink;
+import datadog.trace.api.iast.VulnerabilityTypes;
+import datadog.trace.api.iast.sink.UntrustedDeserializationModule;
+import java.io.InputStream;
+
+@Sink(VulnerabilityTypes.UNTRUSTED_DESERIALIZATION)
+@CallSite(spi = IastCallSites.class)
+public class ObjectInputStreamCallSite {
+
+  @CallSite.Before("void java.io.ObjectInputStream.<init>(java.io.InputStream)")
+  public static void beforeConstructorUntrusted(@CallSite.Argument(0) final InputStream is) {
+    final UntrustedDeserializationModule module = InstrumentationBridge.UNTRUSTED_DESERIALIZATION;
+
+    if (module != null) {
+      try {
+        module.onInputStream(is);
+      } catch (Throwable e) {
+        module.onUnexpectedException("before constructor untrusted threw", e);
+      }
+    }
+  }
+}
diff --git a/dd-java-agent/instrumentation/java-io/src/test/groovy/datadog/trace/instrumentation/java/io/ObjectInputStreamCallSiteTest.groovy b/dd-java-agent/instrumentation/java-io/src/test/groovy/datadog/trace/instrumentation/java/io/ObjectInputStreamCallSiteTest.groovy
@@ -0,0 +1,28 @@
+package datadog.trace.instrumentation.java.io
+
+import datadog.trace.agent.test.AgentTestRunner
+import datadog.trace.api.iast.InstrumentationBridge
+import datadog.trace.api.iast.sink.UntrustedDeserializationModule
+import foo.bar.TestObjectInputStreamSuite
+
+class ObjectInputStreamCallSiteTest extends AgentTestRunner {
+
+  @Override
+  protected void configurePreAgent() {
+    injectSysConfig('dd.iast.enabled', 'true')
+  }
+
+  void 'test onInputStream'() {
+    setup:
+    final module = Mock(UntrustedDeserializationModule)
+    InstrumentationBridge.registerIastModule(module)
+
+    final InputStream inputStream = new ByteArrayInputStream(new byte[0])
+
+    when:
+    TestObjectInputStreamSuite.init(inputStream)
+
+    then:
+    1 * module.onInputStream(_)
+  }
+}
diff --git a/dd-java-agent/instrumentation/java-io/src/test/java/foo/bar/TestObjectInputStreamSuite.java b/dd-java-agent/instrumentation/java-io/src/test/java/foo/bar/TestObjectInputStreamSuite.java
@@ -0,0 +1,16 @@
+package foo.bar;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectInputStream;
+
+public class TestObjectInputStreamSuite {
+
+  public static void init(final InputStream inputStream) {
+    try {
+      new ObjectInputStream(inputStream);
+    } catch (IOException e) {
+      // Irrelevant
+    }
+  }
+}
diff --git a/dd-smoke-tests/iast-util/src/main/java/datadog/smoketest/springboot/controller/IastWebController.java b/dd-smoke-tests/iast-util/src/main/java/datadog/smoketest/springboot/controller/IastWebController.java
@@ -7,6 +7,7 @@
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import java.io.File;
 import java.io.IOException;
+import java.io.ObjectInputStream;
 import java.io.StringReader;
 import java.io.UnsupportedEncodingException;
 import java.net.HttpCookie;
@@ -394,6 +395,12 @@ public String headerInjectionRedaction(
     return "Ok";
   }
 
+  @GetMapping("/untrusted_deserialization")
+  public String untrustedDeserialization(HttpServletRequest request) throws IOException {
+    ObjectInputStream ois = new ObjectInputStream(request.getInputStream());
+    return "OK";
+  }
+
   private void withProcess(final Operation<Process> op) {
     Process process = null;
     try {
diff --git a/dd-smoke-tests/iast-util/src/testFixtures/groovy/datadog/smoketest/AbstractIastSpringBootTest.groovy b/dd-smoke-tests/iast-util/src/testFixtures/groovy/datadog/smoketest/AbstractIastSpringBootTest.groovy
@@ -1008,5 +1008,17 @@ abstract class AbstractIastSpringBootTest extends AbstractIastServerSmokeTest {
     }
   }
 
+  void 'untrusted deserialization for an input stream'() {
+    setup:
+    final url = "http://localhost:${httpPort}/untrusted_deserialization"
+    final request = new Request.Builder().url(url).get().build()
+
+    when:
+    client.newCall(request).execute()
+
+    then:
+    hasVulnerability { vul -> vul.type == 'UNTRUSTED_DESERIALIZATION' }
+  }
+
 
 }
diff --git a/internal-api/src/main/java/datadog/trace/api/iast/InstrumentationBridge.java b/internal-api/src/main/java/datadog/trace/api/iast/InstrumentationBridge.java
@@ -20,6 +20,7 @@
 import datadog.trace.api.iast.sink.SsrfModule;
 import datadog.trace.api.iast.sink.StacktraceLeakModule;
 import datadog.trace.api.iast.sink.TrustBoundaryViolationModule;
+import datadog.trace.api.iast.sink.UntrustedDeserializationModule;
 import datadog.trace.api.iast.sink.UnvalidatedRedirectModule;
 import datadog.trace.api.iast.sink.WeakCipherModule;
 import datadog.trace.api.iast.sink.WeakHashModule;
@@ -65,6 +66,7 @@ public abstract class InstrumentationBridge {
   public static HardcodedSecretModule HARDCODED_SECRET;
   public static InsecureAuthProtocolModule INSECURE_AUTH_PROTOCOL;
   public static ReflectionInjectionModule REFLECTION_INJECTION;
+  public static UntrustedDeserializationModule UNTRUSTED_DESERIALIZATION;
 
   private static final Map<Class<? extends IastModule>, Field> MODULE_MAP = buildModuleMap();
 
diff --git a/internal-api/src/main/java/datadog/trace/api/iast/VulnerabilityMarks.java b/internal-api/src/main/java/datadog/trace/api/iast/VulnerabilityMarks.java
@@ -19,4 +19,5 @@ private VulnerabilityMarks() {}
   public static final int TRUST_BOUNDARY_VIOLATION_MARK = 1 << 8;
   public static final int HEADER_INJECTION_MARK = 1 << 9;
   public static final int REFLECTION_INJECTION_MARK = 1 << 10;
+  public static final int UNTRUSTED_DESERIALIZATION_MARK = 1 << 11;
 }
diff --git a/internal-api/src/main/java/datadog/trace/api/iast/VulnerabilityTypes.java b/internal-api/src/main/java/datadog/trace/api/iast/VulnerabilityTypes.java
@@ -36,6 +36,7 @@ private VulnerabilityTypes() {}
   public static final byte REFLECTION_INJECTION = 27;
   public static final byte SESSION_REWRITING = 28;
   public static final byte DEFAULT_APP_DEPLOYED = 29;
+  public static final byte UNTRUSTED_DESERIALIZATION = 30;
 
   /**
    * Use for telemetry only, this is a special vulnerability type that is not reported, reported
@@ -114,7 +115,8 @@ private VulnerabilityTypes() {}
     "INSECURE_AUTH_PROTOCOL",
     "REFLECTION_INJECTION",
     "SESSION_REWRITING",
-    "DEFAULT_APP_DEPLOYED"
+    "DEFAULT_APP_DEPLOYED",
+    "UNTRUSTED_DESERIALIZATION"
   };
 
   public static String toString(final byte vulnerability) {
diff --git a/internal-api/src/main/java/datadog/trace/api/iast/sink/UntrustedDeserializationModule.java b/internal-api/src/main/java/datadog/trace/api/iast/sink/UntrustedDeserializationModule.java
@@ -0,0 +1,10 @@
+package datadog.trace.api.iast.sink;
+
+import datadog.trace.api.iast.IastModule;
+import java.io.InputStream;
+import javax.annotation.Nullable;
+
+public interface UntrustedDeserializationModule extends IastModule {
+
+  void onInputStream(@Nullable InputStream is);
+}
diff --git a/internal-api/src/test/groovy/datadog/trace/api/iast/VulnerabilityTypesTest.groovy b/internal-api/src/test/groovy/datadog/trace/api/iast/VulnerabilityTypesTest.groovy
@@ -44,5 +44,6 @@ class VulnerabilityTypesTest extends DDSpecification {
     VulnerabilityTypes.REFLECTION_INJECTION        | 'REFLECTION_INJECTION'
     VulnerabilityTypes.SESSION_REWRITING           | 'SESSION_REWRITING'
     VulnerabilityTypes.DEFAULT_APP_DEPLOYED        | 'DEFAULT_APP_DEPLOYED'
+    VulnerabilityTypes.UNTRUSTED_DESERIALIZATION   | 'UNTRUSTED_DESERIALIZATION'
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -1008,5 +1008,17 @@ abstract class AbstractIastSpringBootTest extends AbstractIastServerSmokeTest {`
`1008`	`1008`	`}`
`1009`	`1009`	`}`
`1010`	`1010`
	`1011`	`+ void 'untrusted deserialization for an input stream'() {`
	`1012`	`+ setup:`
	`1013`	`+ final url = "http://localhost:${httpPort}/untrusted_deserialization"`
	`1014`	`+ final request = new Request.Builder().url(url).get().build()`
	`1015`	`+`
	`1016`	`+ when:`
	`1017`	`+ client.newCall(request).execute()`
	`1018`	`+`
	`1019`	`+ then:`
	`1020`	`+ hasVulnerability { vul -> vul.type == 'UNTRUSTED_DESERIALIZATION' }`
	`1021`	`+ }`
	`1022`	`+`
`1011`	`1023`
`1012`	`1024`	`}`