Fix session rewriting false positives #7323
Benchmarks

Startup
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 50 metrics, 13 unstable metrics.
[Chart: insecure-bank - global startup overhead and break down per module (tracing, iast, iast_HARDCODED_SECRET_DISABLED, iast_TELEMETRY_OFF); candidate=1.38.0-SNAPSHOT~3727c44e6a, baseline=1.38.0-SNAPSHOT~e146e2f28a; chart data omitted]
[Chart: petclinic - global startup overhead and break down per module (tracing, appsec, iast, profiling); same candidate and baseline; chart data omitted]

Load
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 17 unstable metrics.
[Chart: insecure-bank - request duration [CI 0.99], baseline vs candidate for no_agent, iast, iast_FULL, iast_GLOBAL, iast_HARDCODED_SECRET_DISABLED, iast_INACTIVE, iast_TELEMETRY_OFF, tracing; chart data omitted]
[Chart: petclinic - request duration [CI 0.99], baseline vs candidate for no_agent, appsec, appsec_no_iast, iast, profiling, tracing; chart data omitted]

Dacapo
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.
[Chart: tomcat - execution time [CI 0.99], baseline vs candidate for no_agent, appsec, iast, iast_GLOBAL, profiling, tracing; chart data omitted]
[Chart: biojava - execution time [CI 0.99], baseline vs candidate for the same variants; chart data omitted]
...main/java/datadog/trace/instrumentation/servlet3/IastHttpServletRequest3Instrumentation.java
}

@Override
protected boolean isOptOutEnabled() {
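Review bot: the isOptOutEnabled() override is the only thing visible here that distinguishes this class from the IAST HttpServletRequest instrumentation that already exists, and the thread explains that a second instrumentation is needed solely because session rewriting is an opt-out feature; that rationale belongs in a comment on the override itself, not only in the PR conversation. The method body is cut off in this view, so the value it returns cannot be checked from here.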
Although we already have a JakartaHttpServletRequestInstrumentation for IAST, we need another one because session rewriting is an opt-out feature.
What Does This Do
Solved for javax and jakarta implementations
Motivation
The current implementation for detecting Session Rewriting is causing false positives because it only considers the servlet configuration. This may be insecure, but if the session is not being used, a Session Rewriting should not be reported.
Additional Notes
Jira ticket: APPSEC-53722
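The false positive described in the Motivation, shown as an added example that is not dd-trace-java code: a configuration-only check fires whenever the container permits URL session tracking, while a session-aware check only fires when the request actually uses a session. The two check methods are this illustration's own (the PR's exact detection logic is not on the page), and the example assumes javax.servlet-api 3.x or later on the classpath; the request and context objects are constructed fakes built with dynamic proxies so it runs without a container.

```java
import java.lang.reflect.Proxy;
import java.util.EnumSet;
import java.util.Set;
import javax.servlet.ServletContext;
import javax.servlet.SessionTrackingMode;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Illustration (not dd-trace-java code) of a configuration-only session rewriting
 * check beside a session-aware one. Assumes javax.servlet-api 3.x+ on the classpath.
 */
public class SessionRewritingCheck {

  /**
   * Configuration-only check, modelled on the behaviour the PR description calls out:
   * it fires as soon as the container permits URL session tracking, whether or not
   * the application ever creates a session.
   */
  static boolean configOnlyCheck(ServletContext ctx) {
    Set<SessionTrackingMode> modes = ctx.getEffectiveSessionTrackingModes();
    return modes != null && modes.contains(SessionTrackingMode.URL);
  }

  /**
   * Session-aware check (assumed approach, not the PR's exact logic): URL tracking
   * must be enabled AND the request must actually be using a session. getSession(false)
   * is used so the check itself never creates one.
   */
  static boolean sessionAwareCheck(HttpServletRequest req) {
    if (!configOnlyCheck(req.getServletContext())) {
      return false;
    }
    HttpSession session = req.getSession(false);
    return session != null || req.isRequestedSessionIdFromURL();
  }

  /** Constructed fake request and context; only the methods the checks call are answered. */
  static HttpServletRequest fakeRequest(Set<SessionTrackingMode> modes, boolean hasSession, boolean sessionIdInUrl) {
    ClassLoader cl = SessionRewritingCheck.class.getClassLoader();
    ServletContext ctx = (ServletContext) Proxy.newProxyInstance(cl, new Class<?>[] {ServletContext.class},
        (proxy, method, args) -> "getEffectiveSessionTrackingModes".equals(method.getName())
            ? modes : defaultValue(method.getReturnType()));
    HttpSession session = hasSession
        ? (HttpSession) Proxy.newProxyInstance(cl, new Class<?>[] {HttpSession.class},
            (proxy, method, args) -> defaultValue(method.getReturnType()))
        : null;
    return (HttpServletRequest) Proxy.newProxyInstance(cl, new Class<?>[] {HttpServletRequest.class},
        (proxy, method, args) -> {
          switch (method.getName()) {
            case "getServletContext": return ctx;
            case "getSession": return session; // null when the app never used a session
            case "isRequestedSessionIdFromURL": return sessionIdInUrl;
            default: return defaultValue(method.getReturnType());
          }
        });
  }

  /** Primitive return types need a real value, otherwise unboxing in the proxy throws. */
  private static Object defaultValue(Class<?> type) {
    if (type == boolean.class) return Boolean.FALSE;
    if (type == int.class) return 0;
    if (type == long.class) return 0L;
    return null;
  }

  public static void main(String[] args) {
    // Container configured to allow URL session tracking alongside cookies.
    Set<SessionTrackingMode> urlAllowed = EnumSet.of(SessionTrackingMode.COOKIE, SessionTrackingMode.URL);
    HttpServletRequest statelessRequest = fakeRequest(urlAllowed, false, false);
    HttpServletRequest sessionRequest = fakeRequest(urlAllowed, true, false);
    HttpServletRequest rewrittenUrlRequest = fakeRequest(urlAllowed, false, true);

    System.out.println("config-only, stateless request:   " + configOnlyCheck(statelessRequest.getServletContext()));
    System.out.println("session-aware, stateless request: " + sessionAwareCheck(statelessRequest));
    System.out.println("session-aware, session in use:    " + sessionAwareCheck(sessionRequest));
    System.out.println("session-aware, jsessionid in URL: " + sessionAwareCheck(rewrittenUrlRequest));
  }
}
```

Compile and run with the servlet API jar on the classpath (for example `javac -cp javax.servlet-api-4.0.1.jar SessionRewritingCheck.java` and the same `-cp` plus `.` for `java`). The stateless request is the false positive the PR targets: the container allows URL tracking, so the configuration-only check reports it, but the application never touched a session, so the session-aware check stays quiet; it still reports once a session exists or the session id arrived in the URL.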