Add name in sources for vertx 4 header names and param values

DataDog · Oct 30, 2023 · c4efc31 · c4efc31
1 parent cbff199
commit c4efc31
Show file tree

Hide file tree

Showing 7 changed files with 91 additions and 5 deletions.
diff --git a/...0/src/main/java/datadog/trace/instrumentation/vertx_4_0/core/MultiMapInstrumentation.java b/...0/src/main/java/datadog/trace/instrumentation/vertx_4_0/core/MultiMapInstrumentation.java
@@ -120,7 +120,7 @@ public static void afterEntries(
             final String name = entry.getKey();
             final String value = entry.getValue();
             if (keys.add(name)) {
-              propagation.taint(ctx, name, nameOrigin);
+              propagation.taint(ctx, name, nameOrigin, name);
             }
             propagation.taint(ctx, value, source.getOrigin(), name);
           }
@@ -141,7 +141,7 @@ public static void afterNames(
           final IastContext ctx = IastContext.Provider.get();
           final byte nameOrigin = namedSource(source.getOrigin());
           for (final String name : result) {
-            propagation.taint(ctx, name, nameOrigin);
+            propagation.taint(ctx, name, nameOrigin, name);
           }
         }
       }

diff --git a/...ent/instrumentation/vertx-web-4.0/src/test/groovy/core/MultiMapInstrumentationTest.groovy b/...ent/instrumentation/vertx-web-4.0/src/test/groovy/core/MultiMapInstrumentationTest.groovy
@@ -95,7 +95,7 @@ class MultiMapInstrumentationTest extends AgentTestRunner {
 
     then:
     1 * module.findSource(instance) >> { mockedSource(origin) }
-    1 * module.taint(_, 'key', namedSource(origin))
+    1 * module.taint(_, 'key', namedSource(origin), 'key')
 
     where:
     instance << multiMaps()
@@ -122,7 +122,7 @@ class MultiMapInstrumentationTest extends AgentTestRunner {
 
     then:
     1 * module.findSource(instance) >> { mockedSource(origin) }
-    1 * module.taint(_, 'key', namedSource(origin))
+    1 * module.taint(_, 'key', namedSource(origin), 'key')
     1 * module.taint(_, 'value1', origin, 'key')
     1 * module.taint(_, 'value2', origin, 'key')
 

diff --git a/...sts/iast-util/src/testFixtures/groovy/datadog/smoketest/AbstractIastVertxSmokeTest.groovy b/...sts/iast-util/src/testFixtures/groovy/datadog/smoketest/AbstractIastVertxSmokeTest.groovy
@@ -11,6 +11,8 @@ import spock.lang.IgnoreIf
 @CompileDynamic
 abstract class AbstractIastVertxSmokeTest extends AbstractIastServerSmokeTest {
 
+  private static final MediaType FORM = MediaType.get('application/x-www-form-urlencoded')
+
   void 'test header source'() {
     setup:
     final url = "http://localhost:${httpPort}/header"
@@ -43,6 +45,23 @@ abstract class AbstractIastVertxSmokeTest extends AbstractIastServerSmokeTest {
     }
   }
 
+  void 'test header names list source'() {
+    setup:
+    final url = "http://localhost:${httpPort}/headernames"
+    final request = new Request.Builder().url(url).header('header', 'headerValues').get().build()
+
+    when:
+    client.newCall(request).execute()
+
+    then:
+    hasTainted { tainted ->
+      tainted.value == 'header' &&
+        tainted.ranges[0].source.name == 'header' &&
+        tainted.ranges[0].source.value == 'header' &&
+        tainted.ranges[0].source.origin == 'http.request.header.name'
+    }
+  }
+
   void 'test parameter source'() {
     setup:
     final url = "http://localhost:${httpPort}/param?param=paramValue"
@@ -75,6 +94,28 @@ abstract class AbstractIastVertxSmokeTest extends AbstractIastServerSmokeTest {
     }
   }
 
+  void 'test parameter names list source'() {
+    setup:
+    final request = builder.call("http://localhost:${httpPort}/paramnames")
+    final name = params.split('=')[0]
+
+    when:
+    client.newCall(request).execute()
+
+    then:
+    hasTainted { tainted ->
+      tainted.value == name &&
+        tainted.ranges[0].source.name == name &&
+        tainted.ranges[0].source.value == name &&
+        tainted.ranges[0].source.origin == 'http.request.parameter.name'
+    }
+
+    where:
+    params            | builder
+    'postparam=value' | { String url -> new Request.Builder().url(url).post(RequestBody.create(FORM, params)).build() }
+    'getparam=value'  | { String url -> new Request.Builder().url("$url?$params").get().build() }
+  }
+
   void 'test form source'() {
     setup:
     final url = "http://localhost:${httpPort}/form_attribute"

diff --git a/...ke-tests/vertx-3.4/application/src/main/java/datadog/smoketest/vertx_3_4/IastHandler.java b/...ke-tests/vertx-3.4/application/src/main/java/datadog/smoketest/vertx_3_4/IastHandler.java
@@ -8,6 +8,7 @@
 import io.vertx.ext.web.Cookie;
 import io.vertx.ext.web.RoutingContext;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Optional;
 import java.util.Vector;
 
@@ -26,6 +27,13 @@ public void handle(final RoutingContext rc) {
       rc.response().end("Received " + value.get("header"));
     }
   },
+  HEADER_NAMES("/headernames") {
+    @Override
+    public void handle(final RoutingContext rc) {
+      final Collection<String> names = rc.request().headers().names();
+      rc.response().end("Received " + String.join(",", names));
+    }
+  },
   PARAM("/param") {
     @Override
     public void handle(final RoutingContext rc) {
@@ -40,6 +48,13 @@ public void handle(final RoutingContext rc) {
       rc.response().end("Received " + value.get("param"));
     }
   },
+  PARAM_NAMES("/paramnames") {
+    @Override
+    public void handle(final RoutingContext rc) {
+      final Collection<String> names = rc.request().params().names();
+      rc.response().end("Received " + String.join(",", names));
+    }
+  },
   FORM_ATTRIBUTE("/form_attribute") {
     @Override
     public void handle(final RoutingContext rc) {

diff --git a/...ke-tests/vertx-3.9/application/src/main/java/datadog/smoketest/vertx_3_9/IastHandler.java b/...ke-tests/vertx-3.9/application/src/main/java/datadog/smoketest/vertx_3_9/IastHandler.java
@@ -8,6 +8,7 @@
 import io.vertx.core.json.JsonObject;
 import io.vertx.ext.web.RoutingContext;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Optional;
 import java.util.Vector;
 
@@ -27,6 +28,13 @@ public void handle(final RoutingContext rc) {
       rc.response().end("Received " + value.get("header"));
     }
   },
+  HEADER_NAMES("/headernames") {
+    @Override
+    public void handle(final RoutingContext rc) {
+      final Collection<String> names = rc.request().headers().names();
+      rc.response().end("Received " + String.join(",", names));
+    }
+  },
   PARAM("/param") {
     @Override
     public void handle(final RoutingContext rc) {
@@ -41,6 +49,13 @@ public void handle(final RoutingContext rc) {
       rc.response().end("Received " + value.get("param"));
     }
   },
+  PARAM_NAMES("/paramnames") {
+    @Override
+    public void handle(final RoutingContext rc) {
+      final Collection<String> names = rc.request().params().names();
+      rc.response().end("Received " + String.join(",", names));
+    }
+  },
   FORM_ATTRIBUTE("/form_attribute") {
     @Override
     public void handle(final RoutingContext rc) {

diff --git a/...ke-tests/vertx-4.2/application/src/main/java/datadog/smoketest/vertx_4_2/IastHandler.java b/...ke-tests/vertx-4.2/application/src/main/java/datadog/smoketest/vertx_4_2/IastHandler.java
@@ -9,6 +9,7 @@
 import io.vertx.core.json.JsonObject;
 import io.vertx.ext.web.RoutingContext;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Optional;
 import java.util.Vector;
 
@@ -28,6 +29,13 @@ public void handle(final RoutingContext rc) {
       rc.response().end("Received " + value.get("header"));
     }
   },
+  HEADER_NAMES("/headernames") {
+    @Override
+    public void handle(final RoutingContext rc) {
+      final Collection<String> names = rc.request().headers().names();
+      rc.response().end("Received " + String.join(",", names));
+    }
+  },
   PARAM("/param") {
     @Override
     public void handle(final RoutingContext rc) {
@@ -42,6 +50,13 @@ public void handle(final RoutingContext rc) {
       rc.response().end("Received " + value.get("param"));
     }
   },
+  PARAM_NAMES("/paramnames") {
+    @Override
+    public void handle(final RoutingContext rc) {
+      final Collection<String> names = rc.request().params().names();
+      rc.response().end("Received " + String.join(",", names));
+    }
+  },
   FORM_ATTRIBUTE("/form_attribute") {
     @Override
     public void handle(final RoutingContext rc) {

diff --git a/dd-smoke-tests/vertx-4.2/src/test/groovy/IastVertxSmokeTest.groovy b/dd-smoke-tests/vertx-4.2/src/test/groovy/IastVertxSmokeTest.groovy
@@ -44,7 +44,7 @@ class IastVertxSmokeTest extends AbstractIastVertxSmokeTest {
     command.add(javaPath())
     command.addAll(defaultJavaProperties)
     command.addAll((String[]) [
-      //'-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=5005',
+      '-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=5005',
       withSystemProperty(IAST_ENABLED, true),
       withSystemProperty(IAST_DETECTION_MODE, 'FULL'),
       withSystemProperty(IAST_DEBUG_ENABLED, true),