
Exploit prevention for SQL injection (blocking support) #7231

Merged: 22 commits merged into master from vzakharov/rasp_sqli_blocking on Jul 5, 2024

Conversation

@ValentinZakharov (Contributor) commented Jun 21, 2024

What Does This Do

Implemented blocking functionality for the SQL-injection Exploit Prevention.

Motivation

Additional Notes

This is part of the Exploit Prevention initiative (RASP).

Jira ticket: APPSEC-46818

@pr-commenter bot commented Jun 21, 2024

Benchmarks

Startup

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | vzakharov/rasp_sqli_blocking |
| git_commit_date | 1719927125 | 1719932001 |
| git_commit_sha | 2c9c668 | d64c021 |
| release_version | 1.37.0-SNAPSHOT~2c9c668c74 | 1.37.0-SNAPSHOT~d64c021824 |

Matching parameters (identical for both runs)

| Parameter | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1719934894 | 1719934894 |
| ci_job_id | 559862251 | 559862251 |
| ci_pipeline_id | 38144011 | 38144011 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 48 metrics, 15 unstable metrics.

Startup time reports for insecure-bank
(Chart omitted: insecure-bank global startup overhead, candidate=1.37.0-SNAPSHOT~d64c021824 vs baseline=1.37.0-SNAPSHOT~2c9c668c74; the plotted values are in the tables below.)
Baseline results

| Module | Variant | Duration | Δ vs tracing |
|---|---|---|---|
| Agent | tracing | 1.065 s | - |
| Agent | iast | 1.172 s | 107.72 ms (10.1%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.171 s | 106.262 ms (10.0%) |
| Agent | iast_TELEMETRY_OFF | 1.169 s | 104.589 ms (9.8%) |
| Total | tracing | 8.534 s | - |
| Total | iast | 9.021 s | 486.722 ms (5.7%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 8.944 s | 410.348 ms (4.8%) |
| Total | iast_TELEMETRY_OFF | 8.993 s | 459.318 ms (5.4%) |

Candidate results

| Module | Variant | Duration | Δ vs tracing |
|---|---|---|---|
| Agent | tracing | 1.071 s | - |
| Agent | iast | 1.169 s | 97.987 ms (9.1%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.178 s | 106.656 ms (10.0%) |
| Agent | iast_TELEMETRY_OFF | 1.174 s | 102.946 ms (9.6%) |
| Total | tracing | 8.545 s | - |
| Total | iast | 8.977 s | 431.555 ms (5.1%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.005 s | 460.196 ms (5.4%) |
| Total | iast_TELEMETRY_OFF | 9.038 s | 493.082 ms (5.8%) |
insecure-bank - break down per module (candidate=1.37.0-SNAPSHOT~d64c021824, baseline=1.37.0-SNAPSHOT~2c9c668c74)

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 666.231 ms | 670.797 ms |
| tracing | GlobalTracer | 305.232 ms | 306.437 ms |
| tracing | AppSec | 50.277 ms | 50.916 ms |
| tracing | Remote Config | 789.443 µs | 674.645 µs |
| tracing | Telemetry | 7.585 ms | 7.67 ms |
| iast | BytebuddyAgent | 781.279 ms | 778.831 ms |
| iast | GlobalTracer | 295.123 ms | 293.971 ms |
| iast | AppSec | 47.379 ms | 47.529 ms |
| iast | IAST | 27.559 ms | 27.948 ms |
| iast | Remote Config | 603.369 µs | 588.152 µs |
| iast | Telemetry | 6.991 ms | 7.004 ms |
| iast_HARDCODED_SECRET_DISABLED | BytebuddyAgent | 779.078 ms | 783.944 ms |
| iast_HARDCODED_SECRET_DISABLED | GlobalTracer | 294.624 ms | 296.575 ms |
| iast_HARDCODED_SECRET_DISABLED | AppSec | 47.283 ms | 48.039 ms |
| iast_HARDCODED_SECRET_DISABLED | IAST | 28.958 ms | 28.211 ms |
| iast_HARDCODED_SECRET_DISABLED | Remote Config | 593.837 µs | 584.066 µs |
| iast_HARDCODED_SECRET_DISABLED | Telemetry | 6.894 ms | 7.056 ms |
| iast_TELEMETRY_OFF | BytebuddyAgent | 779.18 ms | 782.825 ms |
| iast_TELEMETRY_OFF | GlobalTracer | 294.824 ms | 295.895 ms |
| iast_TELEMETRY_OFF | AppSec | 46.982 ms | 47.553 ms |
| iast_TELEMETRY_OFF | IAST | 27.33 ms | 26.111 ms |
| iast_TELEMETRY_OFF | Remote Config | 635.318 µs | 632.472 µs |
| iast_TELEMETRY_OFF | Telemetry | 6.781 ms | 7.656 ms |
Startup time reports for petclinic
(Chart omitted: petclinic global startup overhead, candidate=1.37.0-SNAPSHOT~d64c021824 vs baseline=1.37.0-SNAPSHOT~2c9c668c74; the plotted values are in the tables below.)
Baseline results

| Module | Variant | Duration | Δ vs tracing |
|---|---|---|---|
| Agent | tracing | 1.063 s | - |
| Agent | appsec | 1.181 s | 118.074 ms (11.1%) |
| Agent | iast | 1.178 s | 114.906 ms (10.8%) |
| Agent | profiling | 1.26 s | 197.703 ms (18.6%) |
| Total | tracing | 10.305 s | - |
| Total | appsec | 10.477 s | 172.47 ms (1.7%) |
| Total | iast | 10.73 s | 425.393 ms (4.1%) |
| Total | profiling | 10.669 s | 363.684 ms (3.5%) |

Candidate results

| Module | Variant | Duration | Δ vs tracing |
|---|---|---|---|
| Agent | tracing | 1.064 s | - |
| Agent | appsec | 1.202 s | 137.628 ms (12.9%) |
| Agent | iast | 1.171 s | 107.194 ms (10.1%) |
| Agent | profiling | 1.264 s | 200.039 ms (18.8%) |
| Total | tracing | 10.34 s | - |
| Total | appsec | 10.489 s | 148.657 ms (1.4%) |
| Total | iast | 10.784 s | 443.693 ms (4.3%) |
| Total | profiling | 10.571 s | 230.936 ms (2.2%) |
petclinic - break down per module (candidate=1.37.0-SNAPSHOT~d64c021824, baseline=1.37.0-SNAPSHOT~2c9c668c74)

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 665.299 ms | 665.666 ms |
| tracing | GlobalTracer | 304.339 ms | 305.044 ms |
| tracing | AppSec | 50.172 ms | 50.664 ms |
| tracing | Remote Config | 711.063 µs | 665.066 µs |
| tracing | Telemetry | 7.597 ms | 7.635 ms |
| appsec | BytebuddyAgent | 675.151 ms | 687.234 ms |
| appsec | GlobalTracer | 297.604 ms | 302.219 ms |
| appsec | AppSec | 154.109 ms | 155.953 ms |
| appsec | Remote Config | 630.417 µs | 636.456 µs |
| appsec | Telemetry | 8.308 ms | 10.101 ms |
| appsec | IAST | 20.877 ms | 21.181 ms |
| iast | BytebuddyAgent | 785.678 ms | 779.315 ms |
| iast | GlobalTracer | 296.057 ms | 294.231 ms |
| iast | AppSec | 47.479 ms | 47.855 ms |
| iast | Remote Config | 592.201 µs | 598.742 µs |
| iast | Telemetry | 8.529 ms | 7.071 ms |
| iast | IAST | 25.691 ms | 28.921 ms |
| profiling | ProfilingAgent | 95.543 ms | 95.666 ms |
| profiling | BytebuddyAgent | 661.023 ms | 662.657 ms |
| profiling | GlobalTracer | 387.416 ms | 388.79 ms |
| profiling | AppSec | 51.517 ms | 51.916 ms |
| profiling | Remote Config | 647.929 µs | 651.028 µs |
| profiling | Telemetry | 7.343 ms | 7.407 ms |
| profiling | Profiling | 95.568 ms | 95.691 ms |

Load

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| end_time | 2024-07-02T15:10:36 | 2024-07-02T15:17:24 |
| git_branch | master | vzakharov/rasp_sqli_blocking |
| git_commit_date | 1719927125 | 1719932001 |
| git_commit_sha | 2c9c668 | d64c021 |
| release_version | 1.37.0-SNAPSHOT~2c9c668c74 | 1.37.0-SNAPSHOT~d64c021824 |
| start_time | 2024-07-02T15:10:23 | 2024-07-02T15:17:10 |

Matching parameters (identical for both runs)

| Parameter | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1719933788 | 1719933788 |
| ci_job_id | 559862252 | 559862252 |
| ci_pipeline_id | 38144011 | 38144011 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics.

Request duration reports for petclinic
(Chart omitted: petclinic request duration [CI 0.99], candidate=1.37.0-SNAPSHOT~d64c021824 vs baseline=1.37.0-SNAPSHOT~2c9c668c74; the plotted values are in the tables below.)
Baseline results

| Variant | Request duration [CI 0.99] | Δ vs no_agent |
|---|---|---|
| no_agent | 1.339 ms [1.319 ms, 1.358 ms] | - |
| appsec | 1.707 ms [1.682 ms, 1.731 ms] | 367.998 µs (27.5%) |
| appsec_no_iast | 1.708 ms [1.683 ms, 1.733 ms] | 369.3 µs (27.6%) |
| iast | 1.47 ms [1.447 ms, 1.492 ms] | 130.935 µs (9.8%) |
| profiling | 1.482 ms [1.458 ms, 1.506 ms] | 143.256 µs (10.7%) |
| tracing | 1.455 ms [1.43 ms, 1.479 ms] | 115.966 µs (8.7%) |

Candidate results

| Variant | Request duration [CI 0.99] | Δ vs no_agent |
|---|---|---|
| no_agent | 1.342 ms [1.323 ms, 1.362 ms] | - |
| appsec | 1.73 ms [1.706 ms, 1.753 ms] | 387.478 µs (28.9%) |
| appsec_no_iast | 1.705 ms [1.681 ms, 1.73 ms] | 363.015 µs (27.0%) |
| iast | 1.487 ms [1.465 ms, 1.509 ms] | 144.417 µs (10.8%) |
| profiling | 1.505 ms [1.48 ms, 1.531 ms] | 163.054 µs (12.1%) |
| tracing | 1.464 ms [1.439 ms, 1.49 ms] | 121.786 µs (9.1%) |
Request duration reports for insecure-bank
(Chart omitted: insecure-bank request duration [CI 0.99], candidate=1.37.0-SNAPSHOT~d64c021824 vs baseline=1.37.0-SNAPSHOT~2c9c668c74; the plotted values are in the tables below.)
Baseline results

| Variant | Request duration [CI 0.99] | Δ vs no_agent |
|---|---|---|
| no_agent | 366.333 µs [346.398 µs, 386.267 µs] | - |
| iast | 481.644 µs [460.527 µs, 502.761 µs] | 115.312 µs (31.5%) |
| iast_FULL | 545.652 µs [524.608 µs, 566.696 µs] | 179.319 µs (48.9%) |
| iast_GLOBAL | 507.896 µs [486.231 µs, 529.561 µs] | 141.563 µs (38.6%) |
| iast_HARDCODED_SECRET_DISABLED | 484.155 µs [462.333 µs, 505.978 µs] | 117.823 µs (32.2%) |
| iast_INACTIVE | 449.21 µs [428.131 µs, 470.289 µs] | 82.878 µs (22.6%) |
| iast_TELEMETRY_OFF | 472.529 µs [451.017 µs, 494.04 µs] | 106.196 µs (29.0%) |
| tracing | 439.167 µs [417.988 µs, 460.346 µs] | 72.835 µs (19.9%) |

Candidate results

| Variant | Request duration [CI 0.99] | Δ vs no_agent |
|---|---|---|
| no_agent | 368.46 µs [347.894 µs, 389.026 µs] | - |
| iast | 479.693 µs [457.953 µs, 501.434 µs] | 111.233 µs (30.2%) |
| iast_FULL | 543.324 µs [522.336 µs, 564.311 µs] | 174.864 µs (47.5%) |
| iast_GLOBAL | 496.735 µs [475.84 µs, 517.631 µs] | 128.275 µs (34.8%) |
| iast_HARDCODED_SECRET_DISABLED | 474.354 µs [453.052 µs, 495.656 µs] | 105.894 µs (28.7%) |
| iast_INACTIVE | 449.074 µs [428.097 µs, 470.052 µs] | 80.614 µs (21.9%) |
| iast_TELEMETRY_OFF | 466.729 µs [445.751 µs, 487.707 µs] | 98.269 µs (26.7%) |
| tracing | 434.24 µs [414.126 µs, 454.354 µs] | 65.78 µs (17.9%) |

Dacapo

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | vzakharov/rasp_sqli_blocking |
| git_commit_date | 1719927125 | 1719932001 |
| git_commit_sha | 2c9c668 | d64c021 |
| release_version | 1.37.0-SNAPSHOT~2c9c668c74 | 1.37.0-SNAPSHOT~d64c021824 |

Matching parameters (identical for both runs)

| Parameter | Baseline | Candidate |
|---|---|---|
| application | biojava | biojava |
| ci_job_date | 1719934396 | 1719934396 |
| ci_job_id | 559862253 | 559862253 |
| ci_pipeline_id | 38144011 | 38144011 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | appsec | appsec |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for tomcat
(Chart omitted: tomcat execution time [CI 0.99], candidate=1.37.0-SNAPSHOT~d64c021824 vs baseline=1.37.0-SNAPSHOT~2c9c668c74; the plotted values are in the tables below.)
Baseline results

| Variant | Execution time [CI 0.99] | Δ vs no_agent |
|---|---|---|
| no_agent | 1.453 ms [1.442 ms, 1.465 ms] | - |
| appsec | 2.223 ms [2.186 ms, 2.259 ms] | 769.242 µs (52.9%) |
| iast | 1.981 ms [1.937 ms, 2.024 ms] | 527.063 µs (36.3%) |
| iast_GLOBAL | 2.009 ms [1.966 ms, 2.053 ms] | 555.982 µs (38.3%) |
| profiling | 1.866 ms [1.83 ms, 1.901 ms] | 412.102 µs (28.4%) |
| tracing | 1.846 ms [1.812 ms, 1.88 ms] | 392.462 µs (27.0%) |

Candidate results

| Variant | Execution time [CI 0.99] | Δ vs no_agent |
|---|---|---|
| no_agent | 1.458 ms [1.447 ms, 1.47 ms] | - |
| appsec | 2.238 ms [2.201 ms, 2.275 ms] | 779.423 µs (53.4%) |
| iast | 1.976 ms [1.933 ms, 2.02 ms] | 517.812 µs (35.5%) |
| iast_GLOBAL | 2.011 ms [1.969 ms, 2.054 ms] | 552.869 µs (37.9%) |
| profiling | 1.864 ms [1.829 ms, 1.899 ms] | 405.95 µs (27.8%) |
| tracing | 1.849 ms [1.815 ms, 1.883 ms] | 390.512 µs (26.8%) |
Execution time for biojava
(Chart omitted: biojava execution time [CI 0.99], candidate=1.37.0-SNAPSHOT~d64c021824 vs baseline=1.37.0-SNAPSHOT~2c9c668c74; the plotted values are in the tables below.)
Baseline results

| Variant | Execution time [CI 0.99] | Δ vs no_agent |
|---|---|---|
| no_agent | 14.967 s [14.967 s, 14.967 s] | - |
| appsec | 14.856 s [14.856 s, 14.856 s] | -111.0 ms (-0.7%) |
| iast | 18.726 s [18.726 s, 18.726 s] | 3.759 s (25.1%) |
| iast_GLOBAL | 17.772 s [17.772 s, 17.772 s] | 2.805 s (18.7%) |
| profiling | 15.27 s [15.27 s, 15.27 s] | 303.0 ms (2.0%) |
| tracing | 14.931 s [14.931 s, 14.931 s] | -36.0 ms (-0.2%) |

Candidate results

| Variant | Execution time [CI 0.99] | Δ vs no_agent |
|---|---|---|
| no_agent | 15.347 s [15.347 s, 15.347 s] | - |
| appsec | 15.002 s [15.002 s, 15.002 s] | -345.0 ms (-2.2%) |
| iast | 18.616 s [18.616 s, 18.616 s] | 3.269 s (21.3%) |
| iast_GLOBAL | 18.302 s [18.302 s, 18.302 s] | 2.955 s (19.3%) |
| profiling | 15.328 s [15.328 s, 15.328 s] | -19.0 ms (-0.1%) |
| tracing | 15.076 s [15.076 s, 15.076 s] | -271.0 ms (-1.8%) |

@smola smola added the comp: asm waf Application Security Management (WAF) label Jun 24, 2024
@ValentinZakharov ValentinZakharov self-assigned this Jun 25, 2024
@PerfectSlayer (Contributor) left a comment:

LGTM for internal-api 👍

@amarziali (Collaborator) left a comment:

slf4j classes should never be injected

@smola smola changed the title Introduced SQL-injection blocking Exploit Prevention for SQL injection Jun 26, 2024
@smola smola changed the title Exploit Prevention for SQL injection Exploit prevention for SQL injection Jun 26, 2024
@smola smola changed the title Exploit prevention for SQL injection Exploit prevention for SQL injection (blocking support) Jun 26, 2024
Review thread on the following lines of the diff:

```java
      dbConnectionSubInfo = null;
    }
  }
  ctx.setDbType(dbType);
```
Contributor left a comment:

Multiple database calls (with potentially different providers) can coexist in a single request and adding this to the context might trigger race conditions. Since we always have the type in the jdbc decorator (it's saved in a context store linked to the jdbc Connection), can we pass the type as an argument with the sql callback?

Member replied:

As discussed offline, needs to be addressed at libddwaf-level, since it does not seem clear what would be the correct way to pass different pairs of query/dbtype.
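
Added illustration of the design point raised in this thread; it is not dd-trace-java code, and every class and method name in it is hypothetical. When the DB type lives in a single slot on the shared request context, a second connection of a different dialect overwrites it before the first statement is evaluated, so the blocking decision is taken against the wrong dialect; under concurrent statements the same shared slot is the race the comment describes. Passing the type the JDBC layer already holds for the Connection together with the query removes the shared state. The rule engine stands in for the WAF, and the rule and the two statements are constructed for the demo.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration, not dd-trace-java code: every type and method here is hypothetical.
// It contrasts the two designs discussed in the review thread for getting the DB type
// to the SQL callback that decides whether to block a statement.
public class SqlCallbackDesign {

  /** Thrown to abort the current request once a statement matches a blocking rule. */
  public static final class BlockingException extends RuntimeException {
    BlockingException(String message) { super(message); }
  }

  /** Stand-in for the WAF: a rule evaluated against the (query, dbType) pair. */
  @FunctionalInterface
  interface SqlRuleEngine {
    boolean matches(String query, String dbType);
  }

  /** Design (a): a per-request context with one mutable dbType slot. */
  static final class RequestContext {
    private String dbType;
    void setDbType(String dbType) { this.dbType = dbType; }
    String getDbType() { return dbType; }
  }

  /** Design (a): the callback reads whatever type was stored last on the context. */
  static void onSqlQueryViaContext(RequestContext ctx, String query,
                                   SqlRuleEngine engine, List<String> evaluated) {
    String dbType = ctx.getDbType();
    evaluated.add(dbType + " <- " + query);
    if (engine.matches(query, dbType)) {
      throw new BlockingException("blocked as " + dbType + ": " + query);
    }
  }

  /** Design (b): the JDBC layer passes the type it already holds for the Connection. */
  static void onSqlQuery(String query, String dbType,
                         SqlRuleEngine engine, List<String> evaluated) {
    evaluated.add(dbType + " <- " + query);
    if (engine.matches(query, dbType)) {
      throw new BlockingException("blocked as " + dbType + ": " + query);
    }
  }

  public static void main(String[] args) {
    // Constructed rule: a MySQL-style '#' comment terminator, which is only meaningful
    // for the mysql dialect; in other dialects '#' is ordinary string content.
    SqlRuleEngine engine = (query, dbType) -> "mysql".equals(dbType) && query.contains("#");

    // Constructed request: one PostgreSQL statement and one MySQL statement run in the
    // same request, and each connection registers its dialect before its statement runs.
    String pgQuery = "SELECT id FROM tickets WHERE tag = 'issue #42'";
    String mysqlQuery = "SELECT * FROM users WHERE name = 'x' #' AND active = 1";

    // (a) Both connections write the shared slot. The postgresql type is overwritten by
    // the mysql connection before the postgresql statement is evaluated, so the benign
    // '#42' query is judged as mysql and blocked.
    RequestContext ctx = new RequestContext();
    List<String> viaContext = new ArrayList<>();
    ctx.setDbType("postgresql");
    ctx.setDbType("mysql");
    runAndReport("context/postgresql", () -> onSqlQueryViaContext(ctx, pgQuery, engine, viaContext));
    runAndReport("context/mysql", () -> onSqlQueryViaContext(ctx, mysqlQuery, engine, viaContext));

    // (b) The type travels with the query, so each statement is judged by its own dialect:
    // the postgresql statement passes and only the mysql injection is blocked.
    List<String> viaArgument = new ArrayList<>();
    runAndReport("arg/postgresql", () -> onSqlQuery(pgQuery, "postgresql", engine, viaArgument));
    runAndReport("arg/mysql", () -> onSqlQuery(mysqlQuery, "mysql", engine, viaArgument));

    System.out.println("evaluated via context:  " + viaContext);
    System.out.println("evaluated via argument: " + viaArgument);
  }

  /** Runs one statement callback and reports whether it was allowed or blocked. */
  private static void runAndReport(String label, Runnable statement) {
    try {
      statement.run();
      System.out.println(label + ": allowed");
    } catch (BlockingException e) {
      System.out.println(label + ": " + e.getMessage());
    }
  }
}
```

The `evaluated` lists make the difference visible: in design (a) both statements are recorded with `mysql`, in design (b) each carries the dialect of the connection that issued it. The thread's conclusion, that the query/dbType pairing has to be settled at the libddwaf level, is about how the pair is expressed to the WAF, which this sketch leaves abstract behind `SqlRuleEngine`.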

@ValentinZakharov ValentinZakharov force-pushed the vzakharov/rasp_sqli_blocking branch 3 times, most recently from eeecc33 to f94aaae, June 28, 2024 07:58
@ValentinZakharov ValentinZakharov merged commit 23a8164 into master Jul 5, 2024
78 checks passed
@ValentinZakharov ValentinZakharov deleted the vzakharov/rasp_sqli_blocking branch July 5, 2024 11:25
@github-actions github-actions bot added this to the 1.38.0 milestone Jul 5, 2024
Labels
comp: asm waf Application Security Management (WAF)
5 participants