Add Untrusted Deserialization vulnerability #7345
Merged
Benchmarks
Startup
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 52 metrics, 11 unstable metrics.
Startup time reports for insecure-bank
gantt
title insecure-bank - global startup overhead: candidate=1.38.0-SNAPSHOT~dd5da0a21b, baseline=1.38.0-SNAPSHOT~2e9ba7a643
dateFormat X
axisFormat %s
section tracing
Agent [baseline] (1.072 s) : 0, 1072377
Total [baseline] (8.566 s) : 0, 8565661
Agent [candidate] (1.064 s) : 0, 1063596
Total [candidate] (8.522 s) : 0, 8522270
section iast
Agent [baseline] (1.167 s) : 0, 1166710
Total [baseline] (8.963 s) : 0, 8962628
Agent [candidate] (1.174 s) : 0, 1173828
Total [candidate] (8.998 s) : 0, 8998092
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.184 s) : 0, 1183664
Total [baseline] (8.974 s) : 0, 8973913
Agent [candidate] (1.173 s) : 0, 1172644
Total [candidate] (8.968 s) : 0, 8967673
section iast_TELEMETRY_OFF
Agent [baseline] (1.179 s) : 0, 1179308
Total [baseline] (9.021 s) : 0, 9021317
Agent [candidate] (1.166 s) : 0, 1165511
Total [candidate] (8.979 s) : 0, 8978699
gantt
title insecure-bank - break down per module: candidate=1.38.0-SNAPSHOT~dd5da0a21b, baseline=1.38.0-SNAPSHOT~2e9ba7a643
dateFormat X
axisFormat %s
section tracing
BytebuddyAgent [baseline] (671.623 ms) : 0, 671623
BytebuddyAgent [candidate] (665.218 ms) : 0, 665218
GlobalTracer [baseline] (307.018 ms) : 0, 307018
GlobalTracer [candidate] (305.488 ms) : 0, 305488
AppSec [baseline] (50.509 ms) : 0, 50509
AppSec [candidate] (49.927 ms) : 0, 49927
Remote Config [baseline] (687.898 µs) : 0, 688
Remote Config [candidate] (676.498 µs) : 0, 676
Telemetry [baseline] (7.688 ms) : 0, 7688
Telemetry [candidate] (7.631 ms) : 0, 7631
section iast
BytebuddyAgent [baseline] (777.833 ms) : 0, 777833
BytebuddyAgent [candidate] (780.643 ms) : 0, 780643
GlobalTracer [baseline] (294.701 ms) : 0, 294701
GlobalTracer [candidate] (295.727 ms) : 0, 295727
AppSec [baseline] (49.857 ms) : 0, 49857
AppSec [candidate] (49.694 ms) : 0, 49694
Remote Config [baseline] (588.985 µs) : 0, 589
Remote Config [candidate] (585.144 µs) : 0, 585
Telemetry [baseline] (7.01 ms) : 0, 7010
Telemetry [candidate] (7.726 ms) : 0, 7726
IAST [baseline] (23.249 ms) : 0, 23249
IAST [candidate] (25.923 ms) : 0, 25923
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (787.917 ms) : 0, 787917
BytebuddyAgent [candidate] (780.45 ms) : 0, 780450
GlobalTracer [baseline] (297.94 ms) : 0, 297940
GlobalTracer [candidate] (295.096 ms) : 0, 295096
AppSec [baseline] (50.193 ms) : 0, 50193
AppSec [candidate] (48.903 ms) : 0, 48903
Remote Config [baseline] (575.038 µs) : 0, 575
Remote Config [candidate] (604.145 µs) : 0, 604
Telemetry [baseline] (6.968 ms) : 0, 6968
Telemetry [candidate] (7.864 ms) : 0, 7864
IAST [baseline] (26.386 ms) : 0, 26386
IAST [candidate] (26.152 ms) : 0, 26152
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (784.563 ms) : 0, 784563
BytebuddyAgent [candidate] (776.719 ms) : 0, 776719
GlobalTracer [baseline] (297.579 ms) : 0, 297579
GlobalTracer [candidate] (294.766 ms) : 0, 294766
AppSec [baseline] (47.859 ms) : 0, 47859
AppSec [candidate] (47.4 ms) : 0, 47400
Remote Config [baseline] (587.035 µs) : 0, 587
Remote Config [candidate] (596.641 µs) : 0, 597
Telemetry [baseline] (6.873 ms) : 0, 6873
Telemetry [candidate] (7.764 ms) : 0, 7764
IAST [baseline] (28.192 ms) : 0, 28192
IAST [candidate] (24.774 ms) : 0, 24774
Startup time reports for petclinic
gantt
title petclinic - global startup overhead: candidate=1.38.0-SNAPSHOT~dd5da0a21b, baseline=1.38.0-SNAPSHOT~2e9ba7a643
dateFormat X
axisFormat %s
section tracing
Agent [baseline] (1.064 s) : 0, 1064233
Total [baseline] (10.383 s) : 0, 10383393
Agent [candidate] (1.065 s) : 0, 1064546
Total [candidate] (10.339 s) : 0, 10339109
section appsec
Agent [baseline] (1.186 s) : 0, 1185567
Total [baseline] (10.557 s) : 0, 10556702
Agent [candidate] (1.183 s) : 0, 1183137
Total [candidate] (10.551 s) : 0, 10551336
section iast
Agent [baseline] (1.17 s) : 0, 1170176
Total [baseline] (10.845 s) : 0, 10844998
Agent [candidate] (1.173 s) : 0, 1172808
Total [candidate] (10.799 s) : 0, 10798966
section profiling
Agent [baseline] (1.285 s) : 0, 1285107
Total [baseline] (10.683 s) : 0, 10682972
Agent [candidate] (1.264 s) : 0, 1263718
Total [candidate] (10.601 s) : 0, 10600974
gantt
title petclinic - break down per module: candidate=1.38.0-SNAPSHOT~dd5da0a21b, baseline=1.38.0-SNAPSHOT~2e9ba7a643
dateFormat X
axisFormat %s
section tracing
BytebuddyAgent [baseline] (665.727 ms) : 0, 665727
BytebuddyAgent [candidate] (666.14 ms) : 0, 666140
GlobalTracer [baseline] (305.684 ms) : 0, 305684
GlobalTracer [candidate] (305.406 ms) : 0, 305406
AppSec [baseline] (49.985 ms) : 0, 49985
AppSec [candidate] (50.052 ms) : 0, 50052
Remote Config [baseline] (665.373 µs) : 0, 665
Remote Config [candidate] (669.015 µs) : 0, 669
Telemetry [baseline] (7.559 ms) : 0, 7559
Telemetry [candidate] (7.642 ms) : 0, 7642
section appsec
BytebuddyAgent [baseline] (677.614 ms) : 0, 677614
BytebuddyAgent [candidate] (676.185 ms) : 0, 676185
GlobalTracer [baseline] (299.857 ms) : 0, 299857
GlobalTracer [candidate] (298.965 ms) : 0, 298965
AppSec [baseline] (154.015 ms) : 0, 154015
AppSec [candidate] (153.879 ms) : 0, 153879
Remote Config [baseline] (626.066 µs) : 0, 626
Remote Config [candidate] (619.443 µs) : 0, 619
Telemetry [baseline] (8.578 ms) : 0, 8578
Telemetry [candidate] (7.949 ms) : 0, 7949
IAST [baseline] (20.321 ms) : 0, 20321
IAST [candidate] (21.664 ms) : 0, 21664
section iast
BytebuddyAgent [baseline] (778.887 ms) : 0, 778887
BytebuddyAgent [candidate] (781.778 ms) : 0, 781778
GlobalTracer [baseline] (295.345 ms) : 0, 295345
GlobalTracer [candidate] (296.17 ms) : 0, 296170
AppSec [baseline] (48.219 ms) : 0, 48219
AppSec [candidate] (47.36 ms) : 0, 47360
Remote Config [baseline] (599.348 µs) : 0, 599
Remote Config [candidate] (595.55 µs) : 0, 596
Telemetry [baseline] (7.027 ms) : 0, 7027
Telemetry [candidate] (7.085 ms) : 0, 7085
IAST [baseline] (26.601 ms) : 0, 26601
IAST [candidate] (26.196 ms) : 0, 26196
section profiling
BytebuddyAgent [baseline] (676.06 ms) : 0, 676060
BytebuddyAgent [candidate] (662.798 ms) : 0, 662798
GlobalTracer [baseline] (392.459 ms) : 0, 392459
GlobalTracer [candidate] (388.121 ms) : 0, 388121
AppSec [baseline] (52.226 ms) : 0, 52226
AppSec [candidate] (51.615 ms) : 0, 51615
Remote Config [baseline] (656.874 µs) : 0, 657
Remote Config [candidate] (662.312 µs) : 0, 662
Telemetry [baseline] (7.506 ms) : 0, 7506
Telemetry [candidate] (7.442 ms) : 0, 7442
ProfilingAgent [baseline] (97.761 ms) : 0, 97761
ProfilingAgent [candidate] (95.873 ms) : 0, 95873
Profiling [baseline] (97.786 ms) : 0, 97786
Profiling [candidate] (95.897 ms) : 0, 95897
Load
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics.
Request duration reports for insecure-bank
gantt
title insecure-bank - request duration [CI 0.99] : candidate=1.38.0-SNAPSHOT~dd5da0a21b, baseline=1.38.0-SNAPSHOT~2e9ba7a643
dateFormat X
axisFormat %s
section baseline
no_agent (371.953 µs) : 353, 391
. : milestone, 372,
iast (489.142 µs) : 467, 511
. : milestone, 489,
iast_FULL (552.926 µs) : 532, 574
. : milestone, 553,
iast_GLOBAL (504.69 µs) : 484, 526
. : milestone, 505,
iast_HARDCODED_SECRET_DISABLED (487.969 µs) : 466, 510
. : milestone, 488,
iast_INACTIVE (451.473 µs) : 430, 473
. : milestone, 451,
iast_TELEMETRY_OFF (470.594 µs) : 450, 492
. : milestone, 471,
tracing (437.105 µs) : 417, 457
. : milestone, 437,
section candidate
no_agent (370.74 µs) : 349, 392
. : milestone, 371,
iast (482.247 µs) : 460, 504
. : milestone, 482,
iast_FULL (555.686 µs) : 532, 579
. : milestone, 556,
iast_GLOBAL (507.617 µs) : 485, 530
. : milestone, 508,
iast_HARDCODED_SECRET_DISABLED (476.857 µs) : 456, 498
. : milestone, 477,
iast_INACTIVE (453.417 µs) : 432, 475
. : milestone, 453,
iast_TELEMETRY_OFF (468.431 µs) : 447, 490
. : milestone, 468,
tracing (446.127 µs) : 425, 467
. : milestone, 446,
Request duration reports for petclinic
gantt
title petclinic - request duration [CI 0.99] : candidate=1.38.0-SNAPSHOT~dd5da0a21b, baseline=1.38.0-SNAPSHOT~2e9ba7a643
dateFormat X
axisFormat %s
section baseline
no_agent (1.337 ms) : 1318, 1356
. : milestone, 1337,
appsec (1.739 ms) : 1716, 1763
. : milestone, 1739,
appsec_no_iast (1.705 ms) : 1680, 1729
. : milestone, 1705,
iast (1.458 ms) : 1436, 1480
. : milestone, 1458,
profiling (1.543 ms) : 1516, 1569
. : milestone, 1543,
tracing (1.459 ms) : 1435, 1484
. : milestone, 1459,
section candidate
no_agent (1.364 ms) : 1343, 1384
. : milestone, 1364,
appsec (1.717 ms) : 1693, 1740
. : milestone, 1717,
appsec_no_iast (1.736 ms) : 1713, 1760
. : milestone, 1736,
iast (1.491 ms) : 1469, 1512
. : milestone, 1491,
profiling (1.485 ms) : 1460, 1510
. : milestone, 1485,
tracing (1.463 ms) : 1438, 1488
. : milestone, 1463,
Dacapo
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.
Execution time for biojava
gantt
title biojava - execution time [CI 0.99] : candidate=1.38.0-SNAPSHOT~dd5da0a21b, baseline=1.38.0-SNAPSHOT~2e9ba7a643
dateFormat X
axisFormat %s
section baseline
no_agent (15.381 s) : 15381000, 15381000
. : milestone, 15381000,
appsec (15.127 s) : 15127000, 15127000
. : milestone, 15127000,
iast (18.738 s) : 18738000, 18738000
. : milestone, 18738000,
iast_GLOBAL (17.952 s) : 17952000, 17952000
. : milestone, 17952000,
profiling (15.316 s) : 15316000, 15316000
. : milestone, 15316000,
tracing (15.101 s) : 15101000, 15101000
. : milestone, 15101000,
section candidate
no_agent (15.566 s) : 15566000, 15566000
. : milestone, 15566000,
appsec (15.144 s) : 15144000, 15144000
. : milestone, 15144000,
iast (19.177 s) : 19177000, 19177000
. : milestone, 19177000,
iast_GLOBAL (18.001 s) : 18001000, 18001000
. : milestone, 18001000,
profiling (16.029 s) : 16029000, 16029000
. : milestone, 16029000,
tracing (14.824 s) : 14824000, 14824000
. : milestone, 14824000,
Execution time for tomcat
gantt
title tomcat - execution time [CI 0.99] : candidate=1.38.0-SNAPSHOT~dd5da0a21b, baseline=1.38.0-SNAPSHOT~2e9ba7a643
dateFormat X
axisFormat %s
section baseline
no_agent (1.464 ms) : 1453, 1476
. : milestone, 1464,
appsec (2.237 ms) : 2201, 2273
. : milestone, 2237,
iast (1.977 ms) : 1935, 2019
. : milestone, 1977,
iast_GLOBAL (2.027 ms) : 1983, 2070
. : milestone, 2027,
profiling (1.863 ms) : 1830, 1897
. : milestone, 1863,
tracing (1.844 ms) : 1811, 1877
. : milestone, 1844,
section candidate
no_agent (1.46 ms) : 1449, 1471
. : milestone, 1460,
appsec (2.228 ms) : 2193, 2264
. : milestone, 2228,
iast (1.975 ms) : 1933, 2017
. : milestone, 1975,
iast_GLOBAL (2.021 ms) : 1977, 2064
. : milestone, 2021,
profiling (1.865 ms) : 1831, 1899
. : milestone, 1865,
tracing (1.848 ms) : 1816, 1881
. : milestone, 1848,
manuel-alvarez-alvarez (Member) approved these changes on Jul 18, 2024 and left a comment:
LGTM
I think we can expand the smoke testing in a separate PR to ensure we are not losing propagation in different scenarios:
- Other smoke tests than spring boot as we might be losing propagation of the body (e.g. vertx, jetty, ...)
- Multipart uploads with multiple binaries (using servlet or other APIs like commons file upload)
They are not directly related to untrusted deserialization but they really influence the rule 😓
PS: Nice first PR!
What Does This Do
Add Untrusted Deserialization vulnerability
Motivation
Add a new vulnerability
Additional Notes
Jira ticket: APPSEC-17165