Exploit prevention for SSRF (in java.net.URL)#7373

Merged: jandro996 merged 7 commits into master from malvarez/rasp-ssrf-with-url on Aug 22, 2024

Conversation

@manuel-alvarez-alvarez manuel-alvarez-alvarez (Member) commented Jul 31, 2024

What Does This Do

Adds support for SSRF protection via RASP to network connections started via java.net.URL:

  1. Extend support of IAST call sites to RASP (usually both IAST and RASP share the same targets as IAST detects the vulnerability and RASP performs the protection)
  2. Add SSRF support to the WAF via the server.io.net.url address

Motivation

Additional Notes

Since java.net.URL is a JVM class and having it instrumented with byte-buddy might hurt performance, we have decided to use call sites to be able to skip internal URL calls.

Contributor Checklist

Jira ticket: APPSEC-46823
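To make the call-site approach described above concrete, here is an added illustration (not code from this PR or from dd-trace-java): the shape of a call-site advice for `URL.openConnection()`. The instrumenter rewrites the application's own call to point at a static helper; the helper publishes the URL under the `server.io.net.url` address, asks the WAF whether to block, and only then performs the original call. Because only application bytecode is rewritten, the JDK's internal uses of `java.net.URL` never pass through the helper, which is the performance point the PR makes. The class name `UrlCallSiteAdvice`, the `Waf` interface, `BlockingException` and the host-prefix deny policy are hypothetical stand-ins for the real WAF evaluation.

```java
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;
import java.util.Collections;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Illustrative stand-in for a RASP call-site advice around URL.openConnection().
 * Hypothetical example: none of these names come from dd-trace-java.
 */
public final class UrlCallSiteAdvice {

    /** Thrown to abort the request when the in-app WAF decides to block. */
    public static final class BlockingException extends RuntimeException {
        BlockingException(String message) { super(message); }
    }

    /** Minimal stand-in for the WAF: evaluates a map of addresses and answers block / don't block. */
    interface Waf {
        boolean shouldBlock(Map<String, Object> addresses);
    }

    /** The address the PR adds to the WAF for outgoing URL connections. */
    static final String URL_ADDRESS = "server.io.net.url";

    // Constructed deny policy for the demo: loopback, unspecified and RFC1918/link-local hosts.
    // A real WAF rule set is data-driven; this is only here so the example is self-contained.
    private static final Set<String> DENIED_HOSTS = Set.of("localhost", "127.0.0.1", "[::1]", "0.0.0.0");
    private static final Set<String> DENIED_PREFIXES = Set.of("127.", "10.", "192.168.", "169.254.");

    static Waf waf = addresses -> {
        Object raw = addresses.get(URL_ADDRESS);
        if (!(raw instanceof String)) {
            return false;
        }
        URL url;
        try {
            url = new URL((String) raw);
        } catch (MalformedURLException e) {
            return false; // unparseable input is left to the original call to reject
        }
        String host = url.getHost().toLowerCase(Locale.ROOT);
        if (DENIED_HOSTS.contains(host)) {
            return true;
        }
        for (String prefix : DENIED_PREFIXES) {
            if (host.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    };

    /**
     * Replacement target for an application call site {@code url.openConnection()}.
     * The instrumenter rewrites the caller's bytecode to invoke this method instead, so
     * JDK-internal callers of URL are untouched and never pay for the check.
     */
    public static URLConnection openConnection(URL url) throws IOException {
        Map<String, Object> addresses = Collections.singletonMap(URL_ADDRESS, url.toString());
        if (waf.shouldBlock(addresses)) {
            throw new BlockingException("SSRF blocked by RASP for " + url);
        }
        return url.openConnection(); // the original call, unchanged
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs. openConnection() does not open a socket until connect()
        // is called, so this runs offline.
        URLConnection allowed = openConnection(new URL("https://example.com/api/items"));
        System.out.println("allowed: " + allowed.getURL());
        try {
            openConnection(new URL("http://127.0.0.1:8080/internal/admin"));
        } catch (BlockingException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The helper keeps the same signature as the original call (same argument, same return type, same checked exception) so that the bytecode rewrite is a drop-in replacement; the only behavioural difference is the early exit when the WAF answers "block".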

@manuel-alvarez-alvarez manuel-alvarez-alvarez added the comp: asm waf Application Security Management (WAF) label Jul 31, 2024
@pr-commenter pr-commenter Bot commented Jul 31, 2024

Benchmarks

Startup

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | malvarez/rasp-ssrf-with-url |
| git_commit_date | 1724168948 | 1724226033 |
| git_commit_sha | 63ccd4c | 4d8ccf9 |
| release_version | 1.39.0-SNAPSHOT~63ccd4c8fc | 1.39.0-SNAPSHOT~4d8ccf9360 |

Matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1724228397 | 1724228397 |
| ci_job_id | 611608642 | 611608642 |
| ci_pipeline_id | 42379958 | 42379958 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 1 performance improvements and 0 performance regressions! Performance is the same for 46 metrics, 16 unstable metrics.

| scenario | Δ mean execution_time | candidate mean execution_time | baseline mean execution_time |
|---|---|---|---|
| scenario:startup:insecure-bank:tracing:Remote Config | better: [-52.283µs; -21.300µs] or [-7.562%; -3.081%] | 654.562µs | 691.354µs |
Startup time reports for petclinic

```mermaid
gantt
    title petclinic - global startup overhead: candidate=1.39.0-SNAPSHOT~4d8ccf9360, baseline=1.39.0-SNAPSHOT~63ccd4c8fc

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.058 s) : 0, 1057671
Total [baseline] (10.325 s) : 0, 10324598
Agent [candidate] (1.052 s) : 0, 1051731
Total [candidate] (10.474 s) : 0, 10473986
section appsec
Agent [baseline] (1.173 s) : 0, 1172773
Total [baseline] (10.481 s) : 0, 10481108
Agent [candidate] (1.178 s) : 0, 1178328
Total [candidate] (10.509 s) : 0, 10509124
section iast
Agent [baseline] (1.184 s) : 0, 1184259
Total [baseline] (10.923 s) : 0, 10923449
Agent [candidate] (1.17 s) : 0, 1170417
Total [candidate] (10.797 s) : 0, 10796950
section profiling
Agent [baseline] (1.245 s) : 0, 1245155
Total [baseline] (10.655 s) : 0, 10654708
Agent [candidate] (1.243 s) : 0, 1243401
Total [candidate] (10.619 s) : 0, 10619333
```

Baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.058 s | - |
| Agent | appsec | 1.173 s | 115.102 ms (10.9%) |
| Agent | iast | 1.184 s | 126.589 ms (12.0%) |
| Agent | profiling | 1.245 s | 187.484 ms (17.7%) |
| Total | tracing | 10.325 s | - |
| Total | appsec | 10.481 s | 156.51 ms (1.5%) |
| Total | iast | 10.923 s | 598.85 ms (5.8%) |
| Total | profiling | 10.655 s | 330.11 ms (3.2%) |

Candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.052 s | - |
| Agent | appsec | 1.178 s | 126.596 ms (12.0%) |
| Agent | iast | 1.17 s | 118.685 ms (11.3%) |
| Agent | profiling | 1.243 s | 191.669 ms (18.2%) |
| Total | tracing | 10.474 s | - |
| Total | appsec | 10.509 s | 35.138 ms (0.3%) |
| Total | iast | 10.797 s | 322.964 ms (3.1%) |
| Total | profiling | 10.619 s | 145.347 ms (1.4%) |

```mermaid
gantt
    title petclinic - break down per module: candidate=1.39.0-SNAPSHOT~4d8ccf9360, baseline=1.39.0-SNAPSHOT~63ccd4c8fc

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (676.722 ms) : 0, 676722
BytebuddyAgent [candidate] (672.379 ms) : 0, 672379
GlobalTracer [baseline] (308.097 ms) : 0, 308097
GlobalTracer [candidate] (306.461 ms) : 0, 306461
AppSec [baseline] (51.092 ms) : 0, 51092
AppSec [candidate] (51.169 ms) : 0, 51169
Remote Config [baseline] (686.39 µs) : 0, 686
Remote Config [candidate] (662.887 µs) : 0, 663
Telemetry [baseline] (7.527 ms) : 0, 7527
Telemetry [candidate] (7.538 ms) : 0, 7538
section appsec
BytebuddyAgent [baseline] (680.145 ms) : 0, 680145
BytebuddyAgent [candidate] (683.443 ms) : 0, 683443
GlobalTracer [baseline] (300.803 ms) : 0, 300803
GlobalTracer [candidate] (302.557 ms) : 0, 302557
AppSec [baseline] (157.644 ms) : 0, 157644
AppSec [candidate] (158.17 ms) : 0, 158170
IAST [baseline] (21.449 ms) : 0, 21449
IAST [candidate] (19.798 ms) : 0, 19798
Remote Config [baseline] (596.055 µs) : 0, 596
Remote Config [candidate] (617.946 µs) : 0, 618
Telemetry [baseline] (9.338 ms) : 0, 9338
Telemetry [candidate] (10.062 ms) : 0, 10062
section iast
BytebuddyAgent [baseline] (787.955 ms) : 0, 787955
BytebuddyAgent [candidate] (777.304 ms) : 0, 777304
GlobalTracer [baseline] (298.101 ms) : 0, 298101
GlobalTracer [candidate] (296.117 ms) : 0, 296117
AppSec [baseline] (51.082 ms) : 0, 51082
AppSec [candidate] (50.051 ms) : 0, 50051
IAST [baseline] (24.997 ms) : 0, 24997
IAST [candidate] (23.281 ms) : 0, 23281
Remote Config [baseline] (576.79 µs) : 0, 577
Remote Config [candidate] (601.397 µs) : 0, 601
Telemetry [baseline] (8.003 ms) : 0, 8003
Telemetry [candidate] (9.58 ms) : 0, 9580
section profiling
BytebuddyAgent [baseline] (663.602 ms) : 0, 663602
BytebuddyAgent [candidate] (662.622 ms) : 0, 662622
GlobalTracer [baseline] (389.762 ms) : 0, 389762
GlobalTracer [candidate] (388.579 ms) : 0, 388579
AppSec [baseline] (52.164 ms) : 0, 52164
AppSec [candidate] (52.348 ms) : 0, 52348
Remote Config [baseline] (688.565 µs) : 0, 689
Remote Config [candidate] (688.398 µs) : 0, 688
Telemetry [baseline] (7.407 ms) : 0, 7407
Telemetry [candidate] (7.356 ms) : 0, 7356
ProfilingAgent [baseline] (94.458 ms) : 0, 94458
ProfilingAgent [candidate] (94.657 ms) : 0, 94657
Profiling [baseline] (94.482 ms) : 0, 94482
Profiling [candidate] (94.681 ms) : 0, 94681
```
Startup time reports for insecure-bank

```mermaid
gantt
    title insecure-bank - global startup overhead: candidate=1.39.0-SNAPSHOT~4d8ccf9360, baseline=1.39.0-SNAPSHOT~63ccd4c8fc

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.05 s) : 0, 1050024
Total [baseline] (8.508 s) : 0, 8508098
Agent [candidate] (1.055 s) : 0, 1055045
Total [candidate] (8.514 s) : 0, 8514002
section iast
Agent [baseline] (1.174 s) : 0, 1174487
Total [baseline] (8.987 s) : 0, 8987493
Agent [candidate] (1.171 s) : 0, 1170934
Total [candidate] (8.966 s) : 0, 8965782
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.184 s) : 0, 1183829
Total [baseline] (8.981 s) : 0, 8981291
Agent [candidate] (1.178 s) : 0, 1178061
Total [candidate] (8.976 s) : 0, 8975807
section iast_TELEMETRY_OFF
Agent [baseline] (1.175 s) : 0, 1175341
Total [baseline] (8.989 s) : 0, 8988607
Agent [candidate] (1.164 s) : 0, 1164358
Total [candidate] (9.003 s) : 0, 9003086
```

Baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.05 s | - |
| Agent | iast | 1.174 s | 124.463 ms (11.9%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.184 s | 133.805 ms (12.7%) |
| Agent | iast_TELEMETRY_OFF | 1.175 s | 125.317 ms (11.9%) |
| Total | tracing | 8.508 s | - |
| Total | iast | 8.987 s | 479.395 ms (5.6%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 8.981 s | 473.193 ms (5.6%) |
| Total | iast_TELEMETRY_OFF | 8.989 s | 480.51 ms (5.6%) |

Candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.055 s | - |
| Agent | iast | 1.171 s | 115.889 ms (11.0%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.178 s | 123.016 ms (11.7%) |
| Agent | iast_TELEMETRY_OFF | 1.164 s | 109.313 ms (10.4%) |
| Total | tracing | 8.514 s | - |
| Total | iast | 8.966 s | 451.78 ms (5.3%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 8.976 s | 461.805 ms (5.4%) |
| Total | iast_TELEMETRY_OFF | 9.003 s | 489.084 ms (5.7%) |

```mermaid
gantt
    title insecure-bank - break down per module: candidate=1.39.0-SNAPSHOT~4d8ccf9360, baseline=1.39.0-SNAPSHOT~63ccd4c8fc

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (668.475 ms) : 0, 668475
BytebuddyAgent [candidate] (673.273 ms) : 0, 673273
GlobalTracer [baseline] (308.477 ms) : 0, 308477
GlobalTracer [candidate] (308.665 ms) : 0, 308665
AppSec [baseline] (51.333 ms) : 0, 51333
AppSec [candidate] (51.477 ms) : 0, 51477
Remote Config [baseline] (691.354 µs) : 0, 691
Remote Config [candidate] (654.562 µs) : 0, 655
Telemetry [baseline] (7.59 ms) : 0, 7590
Telemetry [candidate] (7.45 ms) : 0, 7450
section iast
BytebuddyAgent [baseline] (781.752 ms) : 0, 781752
BytebuddyAgent [candidate] (777.651 ms) : 0, 777651
GlobalTracer [baseline] (295.731 ms) : 0, 295731
GlobalTracer [candidate] (296.368 ms) : 0, 296368
AppSec [baseline] (54.575 ms) : 0, 54575
AppSec [candidate] (50.915 ms) : 0, 50915
IAST [baseline] (21.335 ms) : 0, 21335
IAST [candidate] (22.404 ms) : 0, 22404
Remote Config [baseline] (597.673 µs) : 0, 598
Remote Config [candidate] (584.184 µs) : 0, 584
Telemetry [baseline] (7.053 ms) : 0, 7053
Telemetry [candidate] (9.53 ms) : 0, 9530
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (787.032 ms) : 0, 787032
BytebuddyAgent [candidate] (782.617 ms) : 0, 782617
GlobalTracer [baseline] (298.651 ms) : 0, 298651
GlobalTracer [candidate] (298.084 ms) : 0, 298084
AppSec [baseline] (48.922 ms) : 0, 48922
AppSec [candidate] (48.725 ms) : 0, 48725
IAST [baseline] (25.362 ms) : 0, 25362
IAST [candidate] (23.16 ms) : 0, 23160
Remote Config [baseline] (589.282 µs) : 0, 589
Remote Config [candidate] (609.385 µs) : 0, 609
Telemetry [baseline] (9.656 ms) : 0, 9656
Telemetry [candidate] (11.314 ms) : 0, 11314
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (781.594 ms) : 0, 781594
BytebuddyAgent [candidate] (774.364 ms) : 0, 774364
GlobalTracer [baseline] (296.76 ms) : 0, 296760
GlobalTracer [candidate] (296.202 ms) : 0, 296202
AppSec [baseline] (52.855 ms) : 0, 52855
AppSec [candidate] (49.386 ms) : 0, 49386
IAST [baseline] (22.953 ms) : 0, 22953
IAST [candidate] (23.155 ms) : 0, 23155
Remote Config [baseline] (603.846 µs) : 0, 604
Remote Config [candidate] (600.004 µs) : 0, 600
Telemetry [baseline] (7.079 ms) : 0, 7079
Telemetry [candidate] (7.181 ms) : 0, 7181
```

Load

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| end_time | 2024-08-21T07:50:32 | 2024-08-21T07:57:22 |
| git_branch | master | malvarez/rasp-ssrf-with-url |
| git_commit_date | 1724168948 | 1724226033 |
| git_commit_sha | 63ccd4c | 4d8ccf9 |
| release_version | 1.39.0-SNAPSHOT~63ccd4c8fc | 1.39.0-SNAPSHOT~4d8ccf9360 |
| start_time | 2024-08-21T07:50:18 | 2024-08-21T07:57:09 |

Matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1724227388 | 1724227388 |
| ci_job_id | 611608643 | 611608643 |
| ci_pipeline_id | 42379958 | 42379958 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 16 unstable metrics.

Request duration reports for petclinic

```mermaid
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.39.0-SNAPSHOT~4d8ccf9360, baseline=1.39.0-SNAPSHOT~63ccd4c8fc
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.362 ms) : 1343, 1382
.   : milestone, 1362,
appsec (1.739 ms) : 1717, 1762
.   : milestone, 1739,
appsec_no_iast (1.734 ms) : 1710, 1759
.   : milestone, 1734,
iast (1.498 ms) : 1475, 1521
.   : milestone, 1498,
profiling (1.494 ms) : 1469, 1518
.   : milestone, 1494,
tracing (1.459 ms) : 1435, 1484
.   : milestone, 1459,
section candidate
no_agent (1.33 ms) : 1311, 1349
.   : milestone, 1330,
appsec (1.759 ms) : 1735, 1782
.   : milestone, 1759,
appsec_no_iast (1.731 ms) : 1708, 1755
.   : milestone, 1731,
iast (1.489 ms) : 1467, 1512
.   : milestone, 1489,
profiling (1.481 ms) : 1457, 1506
.   : milestone, 1481,
tracing (1.487 ms) : 1462, 1512
.   : milestone, 1487,
```

Baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.362 ms [1.343 ms, 1.382 ms] | - |
| appsec | 1.739 ms [1.717 ms, 1.762 ms] | 376.873 µs (27.7%) |
| appsec_no_iast | 1.734 ms [1.71 ms, 1.759 ms] | 372.092 µs (27.3%) |
| iast | 1.498 ms [1.475 ms, 1.521 ms] | 136.118 µs (10.0%) |
| profiling | 1.494 ms [1.469 ms, 1.518 ms] | 131.452 µs (9.6%) |
| tracing | 1.459 ms [1.435 ms, 1.484 ms] | 97.217 µs (7.1%) |

Candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.33 ms [1.311 ms, 1.349 ms] | - |
| appsec | 1.759 ms [1.735 ms, 1.782 ms] | 428.34 µs (32.2%) |
| appsec_no_iast | 1.731 ms [1.708 ms, 1.755 ms] | 401.063 µs (30.1%) |
| iast | 1.489 ms [1.467 ms, 1.512 ms] | 158.692 µs (11.9%) |
| profiling | 1.481 ms [1.457 ms, 1.506 ms] | 150.896 µs (11.3%) |
| tracing | 1.487 ms [1.462 ms, 1.512 ms] | 156.852 µs (11.8%) |
Request duration reports for insecure-bank

```mermaid
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.39.0-SNAPSHOT~4d8ccf9360, baseline=1.39.0-SNAPSHOT~63ccd4c8fc
    dateFormat X
    axisFormat %s
section baseline
no_agent (367.235 µs) : 348, 386
.   : milestone, 367,
iast (485.639 µs) : 464, 507
.   : milestone, 486,
iast_FULL (551.696 µs) : 529, 574
.   : milestone, 552,
iast_GLOBAL (505.825 µs) : 483, 528
.   : milestone, 506,
iast_HARDCODED_SECRET_DISABLED (480.01 µs) : 459, 501
.   : milestone, 480,
iast_INACTIVE (460.08 µs) : 437, 483
.   : milestone, 460,
iast_TELEMETRY_OFF (481.216 µs) : 460, 503
.   : milestone, 481,
tracing (443.618 µs) : 423, 464
.   : milestone, 444,
section candidate
no_agent (369.407 µs) : 350, 389
.   : milestone, 369,
iast (479.224 µs) : 457, 501
.   : milestone, 479,
iast_FULL (559.675 µs) : 539, 581
.   : milestone, 560,
iast_GLOBAL (503.886 µs) : 482, 526
.   : milestone, 504,
iast_HARDCODED_SECRET_DISABLED (485.616 µs) : 464, 508
.   : milestone, 486,
iast_INACTIVE (449.146 µs) : 428, 470
.   : milestone, 449,
iast_TELEMETRY_OFF (476.213 µs) : 454, 498
.   : milestone, 476,
tracing (443.588 µs) : 423, 464
.   : milestone, 444,
```

Baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 367.235 µs [348.025 µs, 386.445 µs] | - |
| iast | 485.639 µs [464.042 µs, 507.236 µs] | 118.404 µs (32.2%) |
| iast_FULL | 551.696 µs [529.22 µs, 574.172 µs] | 184.46 µs (50.2%) |
| iast_GLOBAL | 505.825 µs [483.284 µs, 528.366 µs] | 138.589 µs (37.7%) |
| iast_HARDCODED_SECRET_DISABLED | 480.01 µs [458.652 µs, 501.367 µs] | 112.774 µs (30.7%) |
| iast_INACTIVE | 460.08 µs [437.01 µs, 483.15 µs] | 92.845 µs (25.3%) |
| iast_TELEMETRY_OFF | 481.216 µs [459.502 µs, 502.93 µs] | 113.981 µs (31.0%) |
| tracing | 443.618 µs [423.327 µs, 463.908 µs] | 76.382 µs (20.8%) |

Candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 369.407 µs [349.665 µs, 389.149 µs] | - |
| iast | 479.224 µs [457.045 µs, 501.403 µs] | 109.817 µs (29.7%) |
| iast_FULL | 559.675 µs [538.641 µs, 580.709 µs] | 190.268 µs (51.5%) |
| iast_GLOBAL | 503.886 µs [481.805 µs, 525.966 µs] | 134.479 µs (36.4%) |
| iast_HARDCODED_SECRET_DISABLED | 485.616 µs [463.518 µs, 507.714 µs] | 116.209 µs (31.5%) |
| iast_INACTIVE | 449.146 µs [428.108 µs, 470.183 µs] | 79.739 µs (21.6%) |
| iast_TELEMETRY_OFF | 476.213 µs [454.293 µs, 498.134 µs] | 106.807 µs (28.9%) |
| tracing | 443.588 µs [422.975 µs, 464.201 µs] | 74.181 µs (20.1%) |

Dacapo

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | malvarez/rasp-ssrf-with-url |
| git_commit_date | 1724168948 | 1724226033 |
| git_commit_sha | 63ccd4c | 4d8ccf9 |
| release_version | 1.39.0-SNAPSHOT~63ccd4c8fc | 1.39.0-SNAPSHOT~4d8ccf9360 |

Matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | biojava | biojava |
| ci_job_date | 1724227904 | 1724227904 |
| ci_job_id | 611608644 | 611608644 |
| ci_pipeline_id | 42379958 | 42379958 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | appsec | appsec |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava

```mermaid
gantt
    title biojava - execution time [CI 0.99] : candidate=1.39.0-SNAPSHOT~4d8ccf9360, baseline=1.39.0-SNAPSHOT~63ccd4c8fc
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.164 s) : 15164000, 15164000
.   : milestone, 15164000,
appsec (15.276 s) : 15276000, 15276000
.   : milestone, 15276000,
iast (18.973 s) : 18973000, 18973000
.   : milestone, 18973000,
iast_GLOBAL (17.671 s) : 17671000, 17671000
.   : milestone, 17671000,
profiling (16.009 s) : 16009000, 16009000
.   : milestone, 16009000,
tracing (15.115 s) : 15115000, 15115000
.   : milestone, 15115000,
section candidate
no_agent (14.879 s) : 14879000, 14879000
.   : milestone, 14879000,
appsec (15.198 s) : 15198000, 15198000
.   : milestone, 15198000,
iast (18.564 s) : 18564000, 18564000
.   : milestone, 18564000,
iast_GLOBAL (17.879 s) : 17879000, 17879000
.   : milestone, 17879000,
profiling (15.903 s) : 15903000, 15903000
.   : milestone, 15903000,
tracing (15.24 s) : 15240000, 15240000
.   : milestone, 15240000,
```

Baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.164 s [15.164 s, 15.164 s] | - |
| appsec | 15.276 s [15.276 s, 15.276 s] | 112.0 ms (0.7%) |
| iast | 18.973 s [18.973 s, 18.973 s] | 3.809 s (25.1%) |
| iast_GLOBAL | 17.671 s [17.671 s, 17.671 s] | 2.507 s (16.5%) |
| profiling | 16.009 s [16.009 s, 16.009 s] | 845.0 ms (5.6%) |
| tracing | 15.115 s [15.115 s, 15.115 s] | -49.0 ms (-0.3%) |

Candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 14.879 s [14.879 s, 14.879 s] | - |
| appsec | 15.198 s [15.198 s, 15.198 s] | 319.0 ms (2.1%) |
| iast | 18.564 s [18.564 s, 18.564 s] | 3.685 s (24.8%) |
| iast_GLOBAL | 17.879 s [17.879 s, 17.879 s] | 3.0 s (20.2%) |
| profiling | 15.903 s [15.903 s, 15.903 s] | 1.024 s (6.9%) |
| tracing | 15.24 s [15.24 s, 15.24 s] | 361.0 ms (2.4%) |
Execution time for tomcat

```mermaid
gantt
    title tomcat - execution time [CI 0.99] : candidate=1.39.0-SNAPSHOT~4d8ccf9360, baseline=1.39.0-SNAPSHOT~63ccd4c8fc
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.459 ms) : 1448, 1470
.   : milestone, 1459,
appsec (2.232 ms) : 2198, 2267
.   : milestone, 2232,
iast (1.966 ms) : 1925, 2008
.   : milestone, 1966,
iast_GLOBAL (2.015 ms) : 1973, 2058
.   : milestone, 2015,
profiling (1.867 ms) : 1833, 1901
.   : milestone, 1867,
tracing (1.847 ms) : 1814, 1879
.   : milestone, 1847,
section candidate
no_agent (1.462 ms) : 1450, 1473
.   : milestone, 1462,
appsec (2.22 ms) : 2185, 2254
.   : milestone, 2220,
iast (1.959 ms) : 1917, 2000
.   : milestone, 1959,
iast_GLOBAL (2.031 ms) : 1987, 2075
.   : milestone, 2031,
profiling (1.875 ms) : 1839, 1911
.   : milestone, 1875,
tracing (1.838 ms) : 1806, 1870
.   : milestone, 1838,
```

Baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.459 ms [1.448 ms, 1.47 ms] | - |
| appsec | 2.232 ms [2.198 ms, 2.267 ms] | 773.362 µs (53.0%) |
| iast | 1.966 ms [1.925 ms, 2.008 ms] | 507.349 µs (34.8%) |
| iast_GLOBAL | 2.015 ms [1.973 ms, 2.058 ms] | 556.297 µs (38.1%) |
| profiling | 1.867 ms [1.833 ms, 1.901 ms] | 408.0 µs (28.0%) |
| tracing | 1.847 ms [1.814 ms, 1.879 ms] | 387.678 µs (26.6%) |

Candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.462 ms [1.45 ms, 1.473 ms] | - |
| appsec | 2.22 ms [2.185 ms, 2.254 ms] | 758.229 µs (51.9%) |
| iast | 1.959 ms [1.917 ms, 2.0 ms] | 496.839 µs (34.0%) |
| iast_GLOBAL | 2.031 ms [1.987 ms, 2.075 ms] | 569.532 µs (39.0%) |
| profiling | 1.875 ms [1.839 ms, 1.911 ms] | 412.943 µs (28.3%) |
| tracing | 1.838 ms [1.806 ms, 1.87 ms] | 376.166 µs (25.7%) |

@manuel-alvarez-alvarez manuel-alvarez-alvarez changed the title Add support for RASP SSRF callbacks using URL connections Exploit prevention for SSRF (in java.net.URL) Jul 31, 2024
@jandro996 jandro996 (Member) left a comment

LGTM
Great job! I've added a minor comment related to naming.

@manuel-alvarez-alvarez manuel-alvarez-alvarez marked this pull request as ready for review July 31, 2024 12:36
@manuel-alvarez-alvarez manuel-alvarez-alvarez requested review from a team as code owners July 31, 2024 12:36
Contributor:

So this is a Set comparison? Why not use Sets?

Member Author:

Yep, changed! Thanks for the input.

Contributor:

Size the ArrayList.

Member Author:

Done! Thanks.

Contributor:

It seems questionable to let this exception propagate.
Why not return an empty List.

Member Author:

In case of failure fetching the call sites for the instrumenter, it makes no sense to continue, and it's better to let the AgentInstaller take care of the error:

```text
[dd.trace 2024-08-07 11:16:20:637 +0200] [main] ERROR datadog.trace.agent.tooling.AgentInstaller - Failed to load - instrumentation.class=datadog.trace.instrumentation.iastinstrumenter.IastInstrumentation
java.io.UncheckedIOException: Problem loading call sites
```

@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/rasp-ssrf-with-url branch from 6c3abd6 to 83336f3 Compare August 2, 2024 07:59
@smola smola (Member) left a comment


LGTM, provided that previous comments are addressed.

@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/rasp-ssrf-with-url branch 2 times, most recently from 4e135cd to 60b804f Compare August 7, 2024 09:33
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/rasp-ssrf-with-url branch 4 times, most recently from 9920b1c to 16a7bf8 Compare August 14, 2024 08:49
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/rasp-ssrf-with-url branch 3 times, most recently from a67ca4e to be799c5 Compare August 16, 2024 09:30
@manuel-alvarez-alvarez manuel-alvarez-alvarez changed the base branch from master to malvarez/increase-size-agent-jar-check August 16, 2024 09:45
Base automatically changed from malvarez/increase-size-agent-jar-check to master August 16, 2024 11:47
@manuel-alvarez-alvarez manuel-alvarez-alvarez force-pushed the malvarez/rasp-ssrf-with-url branch from be799c5 to 9dc7948 Compare August 16, 2024 11:49
@jandro996 jandro996 merged commit 594a2a4 into master Aug 22, 2024
@jandro996 jandro996 deleted the malvarez/rasp-ssrf-with-url branch August 22, 2024 07:04
@github-actions github-actions Bot added this to the 1.39.0 milestone Aug 22, 2024