Skip to content

Exploit prevention for Shell Injection / Command Injection#7615

Merged
jandro996 merged 25 commits intomasterfrom
alejandro.gonzalez/rasp-command-injection
Dec 19, 2024
Merged

Exploit prevention for Shell Injection / Command Injection#7615
jandro996 merged 25 commits intomasterfrom
alejandro.gonzalez/rasp-command-injection

Conversation

@jandro996
Copy link
Copy Markdown
Member

@jandro996 jandro996 commented Sep 13, 2024
edited
Loading

What Does This Do

  • Added support for Command Injection (CMDI) exploit prevention:

    • Reused existing instrumentation of java.lang.ProcessImpl.

  • Added support for Shell Injection (SHI) exploit prevention:

    • Instrumented java.lang.Runtime#exec(String, String[], File) for detection.
    • Leveraged SHI heuristics as a workaround for cases where the command is a single String, given that WAF heuristics for CMDI only support String[].

  • Enhanced RASP metrics mechanism:

    • Introduced a new rule_variant tag to metrics.
      • For CMDI: exec.
      • For SHI: shell.
    • Both variants are categorized under the ruletype as command_injection.

Motivation

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-52330

@jandro996
Copy link
Copy Markdown
Member Author

jandro996 commented Sep 13, 2024

Blocked!
At this momento WAF shell injection detection rule available has been designed to specifically target functions which are explicitly or implicitly calling a shell such as /bin/sh or otherwise
We also need support for String[] as the best place to call the WAF is reusing ProcessImplInstrumentation instead of the CallSites

@jandro996 jandro996 force-pushed the alejandro.gonzalez/rasp-command-injection branch from 6e8331e to 8a43c76 Compare November 28, 2024 10:31
@pr-commenter
Copy link
Copy Markdown

pr-commenter Bot commented Nov 28, 2024
edited
Loading

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/rasp-command-injection
git_commit_date 1734517793 1734523719
git_commit_sha a19f73a 15ba143
release_version 1.45.0-SNAPSHOT~a19f73a5ea 1.45.0-SNAPSHOT~15ba1436c2
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1734525980 1734525980
ci_job_id 743638578 743638578
ci_pipeline_id 51433873 51433873
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
module Agent Agent
parent None None
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 53 metrics, 10 unstable metrics.

Startup time reports for petclinic 
gantt
    title petclinic - global startup overhead: candidate=1.45.0-SNAPSHOT~15ba1436c2, baseline=1.45.0-SNAPSHOT~a19f73a5ea

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.096 s) : 0, 1096171
Total [baseline] (10.46 s) : 0, 10460193
Agent [candidate] (1.101 s) : 0, 1101353
Total [candidate] (10.436 s) : 0, 10435771
section appsec
Agent [baseline] (1.228 s) : 0, 1228153
Total [baseline] (10.736 s) : 0, 10736482
Agent [candidate] (1.247 s) : 0, 1246633
Total [candidate] (10.757 s) : 0, 10757269
section iast
Agent [baseline] (1.225 s) : 0, 1225104
Total [baseline] (10.974 s) : 0, 10973954
Agent [candidate] (1.235 s) : 0, 1234625
Total [candidate] (11.029 s) : 0, 11029322
section profiling
Agent [baseline] (1.325 s) : 0, 1325413
Total [baseline] (10.899 s) : 0, 10898854
Agent [candidate] (1.33 s) : 0, 1329862
Total [candidate] (10.872 s) : 0, 10872133
Loading
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.096 s -
Agent appsec 1.228 s 131.982 ms (12.0%)
Agent iast 1.225 s 128.933 ms (11.8%)
Agent profiling 1.325 s 229.242 ms (20.9%)
Total tracing 10.46 s -
Total appsec 10.736 s 276.289 ms (2.6%)
Total iast 10.974 s 513.761 ms (4.9%)
Total profiling 10.899 s 438.66 ms (4.2%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.101 s -
Agent appsec 1.247 s 145.28 ms (13.2%)
Agent iast 1.235 s 133.272 ms (12.1%)
Agent profiling 1.33 s 228.509 ms (20.7%)
Total tracing 10.436 s -
Total appsec 10.757 s 321.497 ms (3.1%)
Total iast 11.029 s 593.551 ms (5.7%)
Total profiling 10.872 s 436.362 ms (4.2%) 
gantt
    title petclinic - break down per module: candidate=1.45.0-SNAPSHOT~15ba1436c2, baseline=1.45.0-SNAPSHOT~a19f73a5ea

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (696.496 ms) : 0, 696496
BytebuddyAgent [candidate] (708.467 ms) : 0, 708467
GlobalTracer [baseline] (317.423 ms) : 0, 317423
GlobalTracer [candidate] (315.36 ms) : 0, 315360
AppSec [baseline] (55.045 ms) : 0, 55045
AppSec [candidate] (55.26 ms) : 0, 55260
Remote Config [baseline] (670.863 µs) : 0, 671
Remote Config [candidate] (670.193 µs) : 0, 670
Telemetry [baseline] (12.79 ms) : 0, 12790
Telemetry [candidate] (7.81 ms) : 0, 7810
section appsec
BytebuddyAgent [baseline] (714.575 ms) : 0, 714575
BytebuddyAgent [candidate] (731.562 ms) : 0, 731562
GlobalTracer [baseline] (314.252 ms) : 0, 314252
GlobalTracer [candidate] (314.485 ms) : 0, 314485
AppSec [baseline] (167.215 ms) : 0, 167215
AppSec [candidate] (166.455 ms) : 0, 166455
Remote Config [baseline] (652.937 µs) : 0, 653
Remote Config [candidate] (648.96 µs) : 0, 649
Telemetry [baseline] (7.795 ms) : 0, 7795
Telemetry [candidate] (8.253 ms) : 0, 8253
IAST [baseline] (19.735 ms) : 0, 19735
IAST [candidate] (22.774 ms) : 0, 22774
section iast
BytebuddyAgent [baseline] (816.587 ms) : 0, 816587
BytebuddyAgent [candidate] (828.312 ms) : 0, 828312
GlobalTracer [baseline] (307.237 ms) : 0, 307237
GlobalTracer [candidate] (308.207 ms) : 0, 308207
AppSec [baseline] (57.607 ms) : 0, 57607
AppSec [candidate] (55.385 ms) : 0, 55385
Remote Config [baseline] (623.571 µs) : 0, 624
Remote Config [candidate] (619.071 µs) : 0, 619
Telemetry [baseline] (7.392 ms) : 0, 7392
Telemetry [candidate] (7.406 ms) : 0, 7406
IAST [baseline] (21.869 ms) : 0, 21869
IAST [candidate] (20.904 ms) : 0, 20904
section profiling
BytebuddyAgent [baseline] (692.985 ms) : 0, 692985
BytebuddyAgent [candidate] (701.774 ms) : 0, 701774
GlobalTracer [baseline] (436.077 ms) : 0, 436077
GlobalTracer [candidate] (431.314 ms) : 0, 431314
AppSec [baseline] (53.961 ms) : 0, 53961
AppSec [candidate] (54.427 ms) : 0, 54427
Remote Config [baseline] (670.036 µs) : 0, 670
Remote Config [candidate] (651.029 µs) : 0, 651
Telemetry [baseline] (7.785 ms) : 0, 7785
Telemetry [candidate] (7.779 ms) : 0, 7779
ProfilingAgent [baseline] (94.634 ms) : 0, 94634
ProfilingAgent [candidate] (94.559 ms) : 0, 94559
Profiling [baseline] (94.658 ms) : 0, 94658
Profiling [candidate] (94.584 ms) : 0, 94584
Loading
Startup time reports for insecure-bank 
gantt
    title insecure-bank - global startup overhead: candidate=1.45.0-SNAPSHOT~15ba1436c2, baseline=1.45.0-SNAPSHOT~a19f73a5ea

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.098 s) : 0, 1098435
Total [baseline] (8.677 s) : 0, 8677355
Agent [candidate] (1.102 s) : 0, 1101881
Total [candidate] (8.632 s) : 0, 8631753
section iast
Agent [baseline] (1.224 s) : 0, 1224065
Total [baseline] (9.197 s) : 0, 9197462
Agent [candidate] (1.24 s) : 0, 1240192
Total [candidate] (9.306 s) : 0, 9305851
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.238 s) : 0, 1238173
Total [baseline] (9.179 s) : 0, 9178851
Agent [candidate] (1.24 s) : 0, 1240194
Total [candidate] (9.242 s) : 0, 9242408
section iast_TELEMETRY_OFF
Agent [baseline] (1.22 s) : 0, 1219885
Total [baseline] (9.199 s) : 0, 9198795
Agent [candidate] (1.234 s) : 0, 1233606
Total [candidate] (9.254 s) : 0, 9253664
Loading
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.098 s -
Agent iast 1.224 s 125.63 ms (11.4%)
Agent iast_HARDCODED_SECRET_DISABLED 1.238 s 139.738 ms (12.7%)
Agent iast_TELEMETRY_OFF 1.22 s 121.45 ms (11.1%)
Total tracing 8.677 s -
Total iast 9.197 s 520.106 ms (6.0%)
Total iast_HARDCODED_SECRET_DISABLED 9.179 s 501.496 ms (5.8%)
Total iast_TELEMETRY_OFF 9.199 s 521.44 ms (6.0%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.102 s -
Agent iast 1.24 s 138.311 ms (12.6%)
Agent iast_HARDCODED_SECRET_DISABLED 1.24 s 138.313 ms (12.6%)
Agent iast_TELEMETRY_OFF 1.234 s 131.726 ms (12.0%)
Total tracing 8.632 s -
Total iast 9.306 s 674.098 ms (7.8%)
Total iast_HARDCODED_SECRET_DISABLED 9.242 s 610.656 ms (7.1%)
Total iast_TELEMETRY_OFF 9.254 s 621.911 ms (7.2%) 
gantt
    title insecure-bank - break down per module: candidate=1.45.0-SNAPSHOT~15ba1436c2, baseline=1.45.0-SNAPSHOT~a19f73a5ea

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (698.76 ms) : 0, 698760
BytebuddyAgent [candidate] (709.363 ms) : 0, 709363
GlobalTracer [baseline] (319.208 ms) : 0, 319208
GlobalTracer [candidate] (315.244 ms) : 0, 315244
AppSec [baseline] (55.19 ms) : 0, 55190
AppSec [candidate] (55.004 ms) : 0, 55004
Remote Config [baseline] (673.215 µs) : 0, 673
Remote Config [candidate] (679.014 µs) : 0, 679
Telemetry [baseline] (10.822 ms) : 0, 10822
Telemetry [candidate] (7.814 ms) : 0, 7814
section iast
BytebuddyAgent [baseline] (816.015 ms) : 0, 816015
BytebuddyAgent [candidate] (831.647 ms) : 0, 831647
GlobalTracer [baseline] (306.937 ms) : 0, 306937
GlobalTracer [candidate] (307.953 ms) : 0, 307953
AppSec [baseline] (57.223 ms) : 0, 57223
AppSec [candidate] (57.569 ms) : 0, 57569
IAST [baseline] (22.003 ms) : 0, 22003
IAST [candidate] (21.057 ms) : 0, 21057
Remote Config [baseline] (630.623 µs) : 0, 631
Remote Config [candidate] (620.933 µs) : 0, 621
Telemetry [baseline] (7.513 ms) : 0, 7513
Telemetry [candidate] (7.456 ms) : 0, 7456
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (826.37 ms) : 0, 826370
BytebuddyAgent [candidate] (831.013 ms) : 0, 831013
GlobalTracer [baseline] (309.862 ms) : 0, 309862
GlobalTracer [candidate] (309.999 ms) : 0, 309999
AppSec [baseline] (57.775 ms) : 0, 57775
AppSec [candidate] (56.044 ms) : 0, 56044
IAST [baseline] (22.13 ms) : 0, 22130
IAST [candidate] (21.167 ms) : 0, 21167
Remote Config [baseline] (624.849 µs) : 0, 625
Remote Config [candidate] (643.06 µs) : 0, 643
Telemetry [baseline] (7.486 ms) : 0, 7486
Telemetry [candidate] (7.473 ms) : 0, 7473
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (812.347 ms) : 0, 812347
BytebuddyAgent [candidate] (826.924 ms) : 0, 826924
GlobalTracer [baseline] (306.409 ms) : 0, 306409
GlobalTracer [candidate] (306.342 ms) : 0, 306342
AppSec [baseline] (57.738 ms) : 0, 57738
AppSec [candidate] (56.911 ms) : 0, 56911
IAST [baseline] (21.672 ms) : 0, 21672
IAST [candidate] (21.556 ms) : 0, 21556
Remote Config [baseline] (616.424 µs) : 0, 616
Remote Config [candidate] (620.71 µs) : 0, 621
Telemetry [baseline] (7.364 ms) : 0, 7364
Telemetry [candidate] (7.392 ms) : 0, 7392
Loading

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
end_time 2024-12-18T12:16:23 2024-12-18T12:23:23
git_branch master alejandro.gonzalez/rasp-command-injection
git_commit_date 1734517793 1734523719
git_commit_sha a19f73a 15ba143
release_version 1.45.0-SNAPSHOT~a19f73a5ea 1.45.0-SNAPSHOT~15ba1436c2
start_time 2024-12-18T12:16:09 2024-12-18T12:23:09
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1734524955 1734524955
ci_job_id 743638579 743638579
ci_pipeline_id 51433873 51433873
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant iast iast

Summary

Found 1 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 16 unstable metrics.

scenario Δ mean http_req_duration Δ mean throughput candidate mean http_req_duration candidate mean throughput baseline mean http_req_duration baseline mean throughput
scenario:load:petclinic:profiling better
[-91.162µs; -40.157µs] or [-5.817%; -2.563%]		 unstable
[-443.351op/s; +671.271op/s] or [-14.963%; +22.655%]		 1.501ms 3076.923op/s 1.567ms 2962.963op/s
Request duration reports for insecure-bank 
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.45.0-SNAPSHOT~15ba1436c2, baseline=1.45.0-SNAPSHOT~a19f73a5ea
    dateFormat X
    axisFormat %s
section baseline
no_agent (376.733 µs) : 356, 397
.   : milestone, 377,
iast (493.966 µs) : 472, 516
.   : milestone, 494,
iast_FULL (656.743 µs) : 635, 678
.   : milestone, 657,
iast_GLOBAL (527.998 µs) : 505, 551
.   : milestone, 528,
iast_HARDCODED_SECRET_DISABLED (490.584 µs) : 469, 512
.   : milestone, 491,
iast_INACTIVE (451.004 µs) : 430, 472
.   : milestone, 451,
iast_TELEMETRY_OFF (486.848 µs) : 465, 509
.   : milestone, 487,
tracing (448.668 µs) : 428, 470
.   : milestone, 449,
section candidate
no_agent (376.292 µs) : 357, 396
.   : milestone, 376,
iast (496.882 µs) : 475, 518
.   : milestone, 497,
iast_FULL (653.745 µs) : 632, 675
.   : milestone, 654,
iast_GLOBAL (519.084 µs) : 498, 540
.   : milestone, 519,
iast_HARDCODED_SECRET_DISABLED (488.673 µs) : 468, 510
.   : milestone, 489,
iast_INACTIVE (451.08 µs) : 430, 472
.   : milestone, 451,
iast_TELEMETRY_OFF (480.04 µs) : 459, 501
.   : milestone, 480,
tracing (453.533 µs) : 432, 475
.   : milestone, 454,
Loading
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 376.733 µs [356.311 µs, 397.155 µs] -
iast 493.966 µs [472.267 µs, 515.666 µs] 117.233 µs (31.1%)
iast_FULL 656.743 µs [635.23 µs, 678.256 µs] 280.01 µs (74.3%)
iast_GLOBAL 527.998 µs [505.333 µs, 550.663 µs] 151.265 µs (40.2%)
iast_HARDCODED_SECRET_DISABLED 490.584 µs [469.084 µs, 512.084 µs] 113.85 µs (30.2%)
iast_INACTIVE 451.004 µs [430.026 µs, 471.981 µs] 74.27 µs (19.7%)
iast_TELEMETRY_OFF 486.848 µs [465.078 µs, 508.619 µs] 110.115 µs (29.2%)
tracing 448.668 µs [427.586 µs, 469.749 µs] 71.934 µs (19.1%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 376.292 µs [356.643 µs, 395.942 µs] -
iast 496.882 µs [475.329 µs, 518.435 µs] 120.59 µs (32.0%)
iast_FULL 653.745 µs [632.227 µs, 675.264 µs] 277.453 µs (73.7%)
iast_GLOBAL 519.084 µs [497.894 µs, 540.274 µs] 142.791 µs (37.9%)
iast_HARDCODED_SECRET_DISABLED 488.673 µs [467.526 µs, 509.82 µs] 112.381 µs (29.9%)
iast_INACTIVE 451.08 µs [430.274 µs, 471.886 µs] 74.788 µs (19.9%)
iast_TELEMETRY_OFF 480.04 µs [458.79 µs, 501.291 µs] 103.748 µs (27.6%)
tracing 453.533 µs [431.738 µs, 475.328 µs] 77.24 µs (20.5%)
Request duration reports for petclinic 
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.45.0-SNAPSHOT~15ba1436c2, baseline=1.45.0-SNAPSHOT~a19f73a5ea
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.365 ms) : 1345, 1384
.   : milestone, 1365,
appsec (1.751 ms) : 1728, 1775
.   : milestone, 1751,
appsec_no_iast (1.757 ms) : 1731, 1782
.   : milestone, 1757,
iast (1.492 ms) : 1470, 1514
.   : milestone, 1492,
profiling (1.567 ms) : 1543, 1591
.   : milestone, 1567,
tracing (1.491 ms) : 1467, 1516
.   : milestone, 1491,
section candidate
no_agent (1.368 ms) : 1348, 1387
.   : milestone, 1368,
appsec (1.746 ms) : 1722, 1769
.   : milestone, 1746,
appsec_no_iast (1.758 ms) : 1734, 1781
.   : milestone, 1758,
iast (1.488 ms) : 1465, 1511
.   : milestone, 1488,
profiling (1.501 ms) : 1478, 1525
.   : milestone, 1501,
tracing (1.469 ms) : 1444, 1495
.   : milestone, 1469,
Loading
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.365 ms [1.345 ms, 1.384 ms] -
appsec 1.751 ms [1.728 ms, 1.775 ms] 386.575 µs (28.3%)
appsec_no_iast 1.757 ms [1.731 ms, 1.782 ms] 392.124 µs (28.7%)
iast 1.492 ms [1.47 ms, 1.514 ms] 127.589 µs (9.3%)
profiling 1.567 ms [1.543 ms, 1.591 ms] 202.459 µs (14.8%)
tracing 1.491 ms [1.467 ms, 1.516 ms] 126.579 µs (9.3%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.368 ms [1.348 ms, 1.387 ms] -
appsec 1.746 ms [1.722 ms, 1.769 ms] 377.989 µs (27.6%)
appsec_no_iast 1.758 ms [1.734 ms, 1.781 ms] 389.892 µs (28.5%)
iast 1.488 ms [1.465 ms, 1.511 ms] 119.945 µs (8.8%)
profiling 1.501 ms [1.478 ms, 1.525 ms] 133.782 µs (9.8%)
tracing 1.469 ms [1.444 ms, 1.495 ms] 101.591 µs (7.4%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/rasp-command-injection
git_commit_date 1734517793 1734523719
git_commit_sha a19f73a 15ba143
release_version 1.45.0-SNAPSHOT~a19f73a5ea 1.45.0-SNAPSHOT~15ba1436c2
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1734525639 1734525639
ci_job_id 743638580 743638580
ci_pipeline_id 51433873 51433873
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant appsec appsec

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava 
gantt
    title biojava - execution time [CI 0.99] : candidate=1.45.0-SNAPSHOT~15ba1436c2, baseline=1.45.0-SNAPSHOT~a19f73a5ea
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.004 s) : 15004000, 15004000
.   : milestone, 15004000,
appsec (14.944 s) : 14944000, 14944000
.   : milestone, 14944000,
iast (18.657 s) : 18657000, 18657000
.   : milestone, 18657000,
iast_GLOBAL (18.005 s) : 18005000, 18005000
.   : milestone, 18005000,
profiling (15.215 s) : 15215000, 15215000
.   : milestone, 15215000,
tracing (15.098 s) : 15098000, 15098000
.   : milestone, 15098000,
section candidate
no_agent (15.222 s) : 15222000, 15222000
.   : milestone, 15222000,
appsec (14.885 s) : 14885000, 14885000
.   : milestone, 14885000,
iast (18.779 s) : 18779000, 18779000
.   : milestone, 18779000,
iast_GLOBAL (17.876 s) : 17876000, 17876000
.   : milestone, 17876000,
profiling (15.44 s) : 15440000, 15440000
.   : milestone, 15440000,
tracing (15.198 s) : 15198000, 15198000
.   : milestone, 15198000,
Loading
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.004 s [15.004 s, 15.004 s] -
appsec 14.944 s [14.944 s, 14.944 s] -60.0 ms (-0.4%)
iast 18.657 s [18.657 s, 18.657 s] 3.653 s (24.3%)
iast_GLOBAL 18.005 s [18.005 s, 18.005 s] 3.001 s (20.0%)
profiling 15.215 s [15.215 s, 15.215 s] 211.0 ms (1.4%)
tracing 15.098 s [15.098 s, 15.098 s] 94.0 ms (0.6%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.222 s [15.222 s, 15.222 s] -
appsec 14.885 s [14.885 s, 14.885 s] -337.0 ms (-2.2%)
iast 18.779 s [18.779 s, 18.779 s] 3.557 s (23.4%)
iast_GLOBAL 17.876 s [17.876 s, 17.876 s] 2.654 s (17.4%)
profiling 15.44 s [15.44 s, 15.44 s] 218.0 ms (1.4%)
tracing 15.198 s [15.198 s, 15.198 s] -24.0 ms (-0.2%)
Execution time for tomcat 
gantt
    title tomcat - execution time [CI 0.99] : candidate=1.45.0-SNAPSHOT~15ba1436c2, baseline=1.45.0-SNAPSHOT~a19f73a5ea
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.48 ms) : 1469, 1492
.   : milestone, 1480,
appsec (2.36 ms) : 2319, 2402
.   : milestone, 2360,
iast (2.1 ms) : 2047, 2154
.   : milestone, 2100,
iast_GLOBAL (2.142 ms) : 2088, 2195
.   : milestone, 2142,
profiling (1.979 ms) : 1935, 2023
.   : milestone, 1979,
tracing (1.936 ms) : 1895, 1977
.   : milestone, 1936,
section candidate
no_agent (1.475 ms) : 1463, 1486
.   : milestone, 1475,
appsec (2.365 ms) : 2322, 2407
.   : milestone, 2365,
iast (2.089 ms) : 2036, 2142
.   : milestone, 2089,
iast_GLOBAL (2.137 ms) : 2084, 2190
.   : milestone, 2137,
profiling (1.99 ms) : 1947, 2034
.   : milestone, 1990,
tracing (1.932 ms) : 1891, 1972
.   : milestone, 1932,
Loading
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.48 ms [1.469 ms, 1.492 ms] -
appsec 2.36 ms [2.319 ms, 2.402 ms] 880.128 µs (59.5%)
iast 2.1 ms [2.047 ms, 2.154 ms] 620.246 µs (41.9%)
iast_GLOBAL 2.142 ms [2.088 ms, 2.195 ms] 661.384 µs (44.7%)
profiling 1.979 ms [1.935 ms, 2.023 ms] 498.55 µs (33.7%)
tracing 1.936 ms [1.895 ms, 1.977 ms] 455.814 µs (30.8%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.475 ms [1.463 ms, 1.486 ms] -
appsec 2.365 ms [2.322 ms, 2.407 ms] 890.003 µs (60.4%)
iast 2.089 ms [2.036 ms, 2.142 ms] 614.524 µs (41.7%)
iast_GLOBAL 2.137 ms [2.084 ms, 2.19 ms] 662.587 µs (44.9%)
profiling 1.99 ms [1.947 ms, 2.034 ms] 515.937 µs (35.0%)
tracing 1.932 ms [1.891 ms, 1.972 ms] 456.957 µs (31.0%)

@jandro996 jandro996 force-pushed the alejandro.gonzalez/rasp-command-injection branch from 93385e6 to ff456d8 Compare December 10, 2024 11:45
@jandro996 jandro996 force-pushed the alejandro.gonzalez/rasp-command-injection branch from 4ed9f80 to 69555f3 Compare December 10, 2024 15:58
@jandro996 jandro996 changed the title Add SHI exploit prevention support Add CMDI exploit prevention support Dec 11, 2024
@jandro996 jandro996 force-pushed the alejandro.gonzalez/rasp-command-injection branch from 47d90de to 474257e Compare December 13, 2024 11:19
@jandro996 jandro996 changed the title Add CMDI exploit prevention support Add CMDI/SHI exploit prevention support Dec 13, 2024
@jandro996 jandro996 changed the title Add CMDI/SHI exploit prevention support Exploit prevention for Shell Injection / Command Injection Dec 13, 2024
@jandro996 jandro996 added the comp: asm waf Application Security Management (WAF) label Dec 13, 2024
@jandro996 jandro996 force-pushed the alejandro.gonzalez/rasp-command-injection branch from 7c12922 to cf855f7 Compare December 14, 2024 09:34
@jandro996 jandro996 marked this pull request as ready for review December 16, 2024 11:37
@jandro996 jandro996 requested review from a team as code owners December 16, 2024 11:37
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Dec 16, 2024
edited
Loading

Hi! 👋 Thanks for your pull request! 🎉

To help us review it, please make sure to:

  • Add at least one type, and one component or instrumentation label to the pull request

If you need help, please check our contributing guidelines.

smola
smola reviewed Dec 16, 2024
View reviewed changes
Comment thread ...java-lang/src/main/java/datadog/trace/instrumentation/java/lang/RuntimeExecStringAdvice.java
@@ -0,0 +1,20 @@
package datadog.trace.instrumentation.java.lang;
Copy link
Copy Markdown
Member

@smola smola Dec 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not for this PR, since this just follows the current convention, but we should probably move RASP/APPSEC/IAST code in instrumentations to *.iast packages, to make sure codeowners apply to our team instead of APM IDM.

@jandro996 jandro996 requested a review from smola December 16, 2024 12:49
@jandro996 jandro996 added this to the 1.45.0 milestone Dec 16, 2024
@smola smola added the type: enhancement Enhancements and improvements label Dec 18, 2024
@jandro996 jandro996 merged commit 1a33732 into master Dec 19, 2024
@jandro996 jandro996 deleted the alejandro.gonzalez/rasp-command-injection branch December 19, 2024 06:52
svc-squareup-copybara pushed a commit to cashapp/misk that referenced this pull request Jan 9, 2025
@github-cash-renovate-jvm-2 @svc-squareup-copybara
This PR contains the following updates:
680bca2 
| Package | Type | Package file | Manager | Update | Change |
|---|---|---|---|---|---|
|
[com.google.api.grpc:proto-google-common-protos](https://github.com/googleapis/sdk-platform-java)
| dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.50.0` -> `2.50.1` |
|
[com.google.cloud:google-cloud-core-http](https://github.com/googleapis/sdk-platform-java)
| dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.49.0` -> `2.49.1` |
|
[com.google.cloud:google-cloud-core](https://github.com/googleapis/sdk-platform-java)
| dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.49.0` -> `2.49.1` |
| [com.google.api:gax](https://github.com/googleapis/sdk-platform-java)
| dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.59.0` -> `2.59.1` |
| [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java)
| dependencies | misk/gradle/libs.versions.toml | gradle | minor |
`1.44.1` -> `1.45.0` |
| [com.datadoghq:dd-trace-ot](https://github.com/datadog/dd-trace-java)
| dependencies | misk/gradle/libs.versions.toml | gradle | minor |
`1.44.1` -> `1.45.0` |
| [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.29.47` -> `2.29.48` |
|
[software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava)
| dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.29.47` -> `2.29.48` |
| [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.29.47` -> `2.29.48` |
| [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.29.47` -> `2.29.48` |
| [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.29.47` -> `2.29.48` |
| [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) |
dependencies | misk/gradle/libs.versions.toml | gradle | patch |
`2.29.47` -> `2.29.48` |

---

### Release Notes

<details>
<summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary>

###
[`v1.45.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.45.0):
1.45.0

##### Breaking changes

> \[!WARNING]\
> Support for custom scope manager using OpenTelemetry tracer artifact
(`dd-trace-ot`) is dropped.
> Tracing with OpenTracing API and custom scope manager will continue to
work on 1.44.x releases.

##### Components

##### Application Security Management (IAST)

- ✨ Add propagation to URI#toURL method
([#&#8203;8146](DataDog/dd-trace-java#8146) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Increase IAST propagation to StringBuilder setLength
([#&#8203;8119](DataDog/dd-trace-java#8119) -
[@&#8203;Mariovido](https://github.com/Mariovido))
- ✨ Increase IAST propagation to StringBuffer append
([#&#8203;8082](DataDog/dd-trace-java#8082) -
[@&#8203;Mariovido](https://github.com/Mariovido))
- ✨ Handle IAST security controls custom validation and
sanitization methods
([#&#8203;7997](DataDog/dd-trace-java#7997) -
[@&#8203;jandro996](https://github.com/jandro996))

##### Application Security Management (WAF)

- ✨ Update user lifecycle tracking to V3
([#&#8203;8108](DataDog/dd-trace-java#8108) -
[@&#8203;manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Exploit prevention for Shell Injection / Command Injection
([#&#8203;7615](DataDog/dd-trace-java#7615) -
[@&#8203;jandro996](https://github.com/jandro996))

##### Build & Tooling

- 💡 Support instrumentation of repackaged libraries
([#&#8203;8153](DataDog/dd-trace-java#8153) -
[@&#8203;mcculls](https://github.com/mcculls))
- ✨ Configure native image build setting for JDK-22 based
GraalVM
([#&#8203;8092](DataDog/dd-trace-java#8092) -
[@&#8203;MattAlp](https://github.com/MattAlp))

##### Database Monitoring

- ✨ Add full APM/DBM mode for Oracle
([#&#8203;8090](DataDog/dd-trace-java#8090) -
[@&#8203;nenadnoveljic](https://github.com/nenadnoveljic))

##### Dynamic Instrumentation

- 🐛 make local var hoisting disabled by default
([#&#8203;8158](DataDog/dd-trace-java#8158) -
[@&#8203;jpbempel](https://github.com/jpbempel))
- 🐛 Fix var hoisting issue when no previous store
([#&#8203;8122](DataDog/dd-trace-java#8122) -
[@&#8203;jpbempel](https://github.com/jpbempel))
- ✨ Only decorate spans without code origin information
([#&#8203;8105](DataDog/dd-trace-java#8105) -
[@&#8203;evanchooly](https://github.com/evanchooly))
- 🐛 Fix suspend Kotlin methods instrumentation
([#&#8203;8080](DataDog/dd-trace-java#8080) -
[@&#8203;jpbempel](https://github.com/jpbempel))
- 🐛 Fix class file version detection
([#&#8203;8057](DataDog/dd-trace-java#8057) -
[@&#8203;jpbempel](https://github.com/jpbempel))

##### GraalVM native-image

- ✨ Configure native image build setting for JDK-22 based
GraalVM
([#&#8203;8092](DataDog/dd-trace-java#8092) -
[@&#8203;MattAlp](https://github.com/MattAlp))

##### ML Observability (LLMObs)

- ✨🧪 Add LLMObs configuration
([#&#8203;8076](DataDog/dd-trace-java#8076) -
[@&#8203;gary-huang](https://github.com/gary-huang))

##### Metrics

- Bump integrations-core submodule to 7.60.0
([#&#8203;8098](DataDog/dd-trace-java#8098) -
[@&#8203;mcculls](https://github.com/mcculls))
- Upgrade to java-dogstatsd-client v4.4.3
([#&#8203;8096](DataDog/dd-trace-java#8096) -
[@&#8203;mcculls](https://github.com/mcculls))

##### OpenTracing

- ⚠️🧹 Remove custom scope manager support
([#&#8203;8164](DataDog/dd-trace-java#8164) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))

##### Telemetry

- ✨ Retry telemetry requests if CI Visibility is enabled
([#&#8203;8147](DataDog/dd-trace-java#8147) -
[@&#8203;nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Add configurable Dependency service resolution period
([#&#8203;8079](DataDog/dd-trace-java#8079) -
[@&#8203;jandro996](https://github.com/jandro996))

##### Testing

- 🐛 Remove restriction to not run vertx4 latest tests on java 17
([#&#8203;8133](DataDog/dd-trace-java#8133) -
[@&#8203;vandonr](https://github.com/vandonr))

##### Tracer core

- ✨ Defer remote components to avoid OkHttp class-loading
side-effects
([#&#8203;8131](DataDog/dd-trace-java#8131) -
[@&#8203;mcculls](https://github.com/mcculls))
- ✨ Improve Context API null handling and Javadoc
([#&#8203;8129](DataDog/dd-trace-java#8129) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))
- 🐛⚡ Avoid performing blocking I/O operation on application
thread
([#&#8203;8120](DataDog/dd-trace-java#8120) -
[@&#8203;mcculls](https://github.com/mcculls))
- 💡 Introduce a shared context component, independent of tracing
([#&#8203;8117](DataDog/dd-trace-java#8117) -
[@&#8203;mcculls](https://github.com/mcculls))
- ✨ Improves ServiceNameCollector
([#&#8203;8109](DataDog/dd-trace-java#8109) -
[@&#8203;amarziali](https://github.com/amarziali))
- Upgrade to ASM 9.7.1 (adds new constant for Java 24)
([#&#8203;8097](DataDog/dd-trace-java#8097) -
[@&#8203;mcculls](https://github.com/mcculls))
- 🐛 Dynamically evaluate service name for message consumers
([#&#8203;8088](DataDog/dd-trace-java#8088) -
[@&#8203;amarziali](https://github.com/amarziali))

##### Serverless

- 🐛 Add avoid double instrumenting lambda non-streaming handlers.
([#&#8203;8073](DataDog/dd-trace-java#8073) -
[@&#8203;purple4reina](https://github.com/purple4reina))

##### Instrumentations

##### AWS SDK instrumentation

- 💡 Instrument EMR's relocated AWS SDK
([#&#8203;8157](DataDog/dd-trace-java#8157) -
[@&#8203;mcculls](https://github.com/mcculls))

##### Eclipse Vert.x instrumentation

- 🐛 Remove restriction to not run vertx4 latest tests on java 17
([#&#8203;8133](DataDog/dd-trace-java#8133) -
[@&#8203;vandonr](https://github.com/vandonr))

##### JDBC instrumentation

- ✨ Add full APM/DBM mode for Oracle
([#&#8203;8090](DataDog/dd-trace-java#8090) -
[@&#8203;nenadnoveljic](https://github.com/nenadnoveljic))

##### Jetty instrumentation

- 🐛 Ensure jetty 12 has servlet.path starting with /
([#&#8203;8093](DataDog/dd-trace-java#8093) -
[@&#8203;github-actions](https://github.com/github-actions)\[bot])

##### JMS instrumentation

- 🧹 Re-use `javax` JMS module for `jakarta` namespace
([#&#8203;8155](DataDog/dd-trace-java#8155) -
[@&#8203;mcculls](https://github.com/mcculls))
- 🧹 Group `javax.jms` instrumentations under a single module
([#&#8203;8154](DataDog/dd-trace-java#8154) -
[@&#8203;mcculls](https://github.com/mcculls))

##### Reactor instrumentation

- 🐛 Reactor: early propagate span in context when subscribing
([#&#8203;8166](DataDog/dd-trace-java#8166) -
[@&#8203;amarziali](https://github.com/amarziali))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am
every weekday" in timezone Australia/Melbourne, Automerge - At any time
(no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://github.com/renovatebot/renovate).

GitOrigin-RevId: ba2355aa4e2e39ab1fee27319cc4176238efd90b
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@smola smola smola approved these changes

@ValentinZakharov ValentinZakharov ValentinZakharov approved these changes

@manuel-alvarez-alvarez manuel-alvarez-alvarez Awaiting requested review from manuel-alvarez-alvarez

Assignees

No one assigned

Labels

comp: asm waf Application Security Management (WAF) type: enhancement Enhancements and improvements

Projects

None yet

Milestone

1.45.0

Development

Successfully merging this pull request may close these issues.

3 participants

@jandro996 @smola @ValentinZakharov