Exploit prevention for SQL injection (blocking support) #7231
Merged
22 commits
aa84e51 ValentinZakharov: Introduced SQL-injection blocking
505e376 ValentinZakharov: Fixed re-throwing BlockingException to change execution flow
b031429 ValentinZakharov: Fixed test
736b864 ValentinZakharov: Added debug log message when suppress exception in StatementInstrumen…
6689992 ValentinZakharov: Logger in separated class
2a892b9 ValentinZakharov: No blocking in database onConnection flow
1b94c76 smola: add smoke test for rasp stack trace
149ad7e smola: [wip] smoke test rasp blocking
dbe6c70 ValentinZakharov: Missing return
28e04e9 smola: Fix blocking test
8611f68 smola: Fix test with groovy + jdk 11
37cc42f ValentinZakharov: SQLi RASP in one shot
bcbf96c ValentinZakharov: Forbidden method invocation: java.lang.Class#forName
b8ab2e3 ValentinZakharov: Exclude SQL-injection test code
885fc92 smola: fix appsec.blocked
f6def5f smola: remove debug level in smoke tests (increases flakiness under load)
4e1aba5 smola: add assert
96fe8ab smola: fix tests
a50f162 ValentinZakharov: Fixed suppress exception logic in StatementInstrumentation
a5570c9 ValentinZakharov: Update dd-java-agent/instrumentation/jdbc/src/main/java/datadog/trace…
4ee6e4c ValentinZakharov: Fixed typo in field name
f21cea0 ValentinZakharov: Added RASP info in StatusLogger
...entation/jdbc/src/main/java/datadog/trace/instrumentation/jdbc/InstrumentationLogger.java (11 changes: 11 additions & 0 deletions)
@@ -0,0 +1,11 @@ | ||
package datadog.trace.instrumentation.jdbc; | ||
|
||
import org.slf4j.LoggerFactory; | ||
|
||
public class InstrumentationLogger { | ||
public static void debug( | ||
String instrumentation, final Class<?> target, final Throwable throwable) { | ||
LoggerFactory.getLogger(instrumentation) | ||
.debug("Failed to handle exception in instrumentation for " + target, throwable); | ||
} | ||
} |
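Review bot: the new class and its `debug` method carry no Javadoc saying when they are meant to be called, and this PR's own commits ("Fixed re-throwing BlockingException to change execution flow", "Fixed suppress exception logic in StatementInstrumentation") show that suppressing the wrong exception silently turns a block into a debug line, so the method should state that callers must rethrow BlockingException before handing a throwable to it. Minor: the message is built by string concatenation (`"Failed to handle exception in instrumentation for " + target`) even when debug logging is disabled; SLF4J's parameterized form `.debug("Failed to handle exception in instrumentation for {}", target, throwable)` avoids that and still attaches the throwable as the trailing argument.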
Multiple database calls (with potentially different providers) can coexist in a single request and adding this to the context might trigger race conditions. Since we always have the type in the jdbc decorator (it's saved in a context store linked to the jdbc Connection), can we pass the type as an argument with the sql callback?
As discussed offline, this needs to be addressed at the libddwaf level, since it does not seem clear what the correct way to pass different query/dbtype pairs would be.