Fix progagation for Untrusted Deserialization vulnerability #7374

Mariovido · 2024-07-31T14:18:59Z

What Does This Do

This improves the smoke tests and add new instrumentations to ensure the propagation.

Motivation

Improve the propagation and smoke tests for the Untrusted Deserialization

Additional Notes

Contributor Checklist

Format the title according the contribution guidelines
Assign the type: and (comp: or inst:) labels in addition to any usefull labels
Squash your commits prior merging or merge using GitHub's Squash and merge
Don't use close, fix or any linking keywords when referencing an issue.
Use solves instead, and assign the PR milestone to the issue
Update the public documentation in case of new configuration flag or behavior

Jira ticket: APPSEC-54157

…ttp.Part

pr-commenter · 2024-07-31T14:54:56Z

Benchmarks

Startup

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	mario.vidal/untrusted_deserialization_improvements
git_commit_date	1724310250	1724312651
git_commit_sha	`594a2a4`	`c830d6c`
release_version	1.39.0-SNAPSHOT~594a2a4428	1.39.0-SNAPSHOT~c830d6c73b

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1724314942	1724314942
ci_job_id	613279972	613279972
ci_pipeline_id	42529009	42529009
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
module	Agent	Agent
parent	None	None
variant	iast	iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 47 metrics, 16 unstable metrics.

Startup time reports for petclinic

gantt
    title petclinic - global startup overhead: candidate=1.39.0-SNAPSHOT~c830d6c73b, baseline=1.39.0-SNAPSHOT~594a2a4428

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.055 s) : 0, 1055444
Total [baseline] (10.401 s) : 0, 10400896
Agent [candidate] (1.048 s) : 0, 1048352
Total [candidate] (10.366 s) : 0, 10366407
section appsec
Agent [baseline] (1.174 s) : 0, 1174015
Total [baseline] (10.461 s) : 0, 10461482
Agent [candidate] (1.175 s) : 0, 1175343
Total [candidate] (10.472 s) : 0, 10471691
section iast
Agent [baseline] (1.18 s) : 0, 1180035
Total [baseline] (10.863 s) : 0, 10863477
Agent [candidate] (1.173 s) : 0, 1172716
Total [candidate] (10.855 s) : 0, 10855061
section profiling
Agent [baseline] (1.245 s) : 0, 1244910
Total [baseline] (10.635 s) : 0, 10634931
Agent [candidate] (1.26 s) : 0, 1260380
Total [candidate] (10.678 s) : 0, 10678119

baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.055 s	-
Agent	appsec	1.174 s	118.571 ms (11.2%)
Agent	iast	1.18 s	124.592 ms (11.8%)
Agent	profiling	1.245 s	189.467 ms (18.0%)
Total	tracing	10.401 s	-
Total	appsec	10.461 s	60.586 ms (0.6%)
Total	iast	10.863 s	462.581 ms (4.4%)
Total	profiling	10.635 s	234.036 ms (2.3%)

candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.048 s	-
Agent	appsec	1.175 s	126.99 ms (12.1%)
Agent	iast	1.173 s	124.363 ms (11.9%)
Agent	profiling	1.26 s	212.028 ms (20.2%)
Total	tracing	10.366 s	-
Total	appsec	10.472 s	105.284 ms (1.0%)
Total	iast	10.855 s	488.654 ms (4.7%)
Total	profiling	10.678 s	311.712 ms (3.0%)

gantt
    title petclinic - break down per module: candidate=1.39.0-SNAPSHOT~c830d6c73b, baseline=1.39.0-SNAPSHOT~594a2a4428

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (673.43 ms) : 0, 673430
BytebuddyAgent [candidate] (668.944 ms) : 0, 668944
GlobalTracer [baseline] (308.356 ms) : 0, 308356
GlobalTracer [candidate] (306.292 ms) : 0, 306292
AppSec [baseline] (51.897 ms) : 0, 51897
AppSec [candidate] (51.446 ms) : 0, 51446
Remote Config [baseline] (674.47 µs) : 0, 674
Remote Config [candidate] (657.698 µs) : 0, 658
Telemetry [baseline] (7.573 ms) : 0, 7573
Telemetry [candidate] (7.532 ms) : 0, 7532
section appsec
BytebuddyAgent [baseline] (681.593 ms) : 0, 681593
BytebuddyAgent [candidate] (682.427 ms) : 0, 682427
GlobalTracer [baseline] (301.389 ms) : 0, 301389
GlobalTracer [candidate] (301.06 ms) : 0, 301060
AppSec [baseline] (157.624 ms) : 0, 157624
AppSec [candidate] (157.255 ms) : 0, 157255
Remote Config [baseline] (610.642 µs) : 0, 611
Remote Config [candidate] (612.119 µs) : 0, 612
Telemetry [baseline] (9.078 ms) : 0, 9078
Telemetry [candidate] (9.336 ms) : 0, 9336
IAST [baseline] (20.332 ms) : 0, 20332
IAST [candidate] (22.137 ms) : 0, 22137
section iast
BytebuddyAgent [baseline] (783.763 ms) : 0, 783763
BytebuddyAgent [candidate] (778.427 ms) : 0, 778427
GlobalTracer [baseline] (298.486 ms) : 0, 298486
GlobalTracer [candidate] (295.812 ms) : 0, 295812
AppSec [baseline] (48.858 ms) : 0, 48858
AppSec [candidate] (50.423 ms) : 0, 50423
Remote Config [baseline] (582.242 µs) : 0, 582
Remote Config [candidate] (597.139 µs) : 0, 597
Telemetry [baseline] (8.885 ms) : 0, 8885
Telemetry [candidate] (7.835 ms) : 0, 7835
IAST [baseline] (25.875 ms) : 0, 25875
IAST [candidate] (26.08 ms) : 0, 26080
section profiling
ProfilingAgent [baseline] (94.23 ms) : 0, 94230
ProfilingAgent [candidate] (94.629 ms) : 0, 94629
BytebuddyAgent [baseline] (663.502 ms) : 0, 663502
BytebuddyAgent [candidate] (673.855 ms) : 0, 673855
GlobalTracer [baseline] (389.267 ms) : 0, 389267
GlobalTracer [candidate] (393.291 ms) : 0, 393291
AppSec [baseline] (52.651 ms) : 0, 52651
AppSec [candidate] (52.757 ms) : 0, 52757
Remote Config [baseline] (684.858 µs) : 0, 685
Remote Config [candidate] (688.781 µs) : 0, 689
Telemetry [baseline] (7.37 ms) : 0, 7370
Telemetry [candidate] (7.431 ms) : 0, 7431
Profiling [baseline] (94.255 ms) : 0, 94255
Profiling [candidate] (94.653 ms) : 0, 94653

Startup time reports for insecure-bank

gantt
    title insecure-bank - global startup overhead: candidate=1.39.0-SNAPSHOT~c830d6c73b, baseline=1.39.0-SNAPSHOT~594a2a4428

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.049 s) : 0, 1048675
Total [baseline] (8.511 s) : 0, 8511493
Agent [candidate] (1.049 s) : 0, 1048955
Total [candidate] (8.507 s) : 0, 8506637
section iast
Agent [baseline] (1.181 s) : 0, 1180880
Total [baseline] (9.005 s) : 0, 9005183
Agent [candidate] (1.19 s) : 0, 1190400
Total [candidate] (9.019 s) : 0, 9018908
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.172 s) : 0, 1172262
Total [baseline] (8.944 s) : 0, 8944393
Agent [candidate] (1.173 s) : 0, 1173427
Total [candidate] (8.962 s) : 0, 8961599
section iast_TELEMETRY_OFF
Agent [baseline] (1.168 s) : 0, 1167820
Total [baseline] (9.014 s) : 0, 9013622
Agent [candidate] (1.169 s) : 0, 1169440
Total [candidate] (8.953 s) : 0, 8953497

baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.049 s	-
Agent	iast	1.181 s	132.205 ms (12.6%)
Agent	iast_HARDCODED_SECRET_DISABLED	1.172 s	123.586 ms (11.8%)
Agent	iast_TELEMETRY_OFF	1.168 s	119.145 ms (11.4%)
Total	tracing	8.511 s	-
Total	iast	9.005 s	493.69 ms (5.8%)
Total	iast_HARDCODED_SECRET_DISABLED	8.944 s	432.9 ms (5.1%)
Total	iast_TELEMETRY_OFF	9.014 s	502.129 ms (5.9%)

candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.049 s	-
Agent	iast	1.19 s	141.444 ms (13.5%)
Agent	iast_HARDCODED_SECRET_DISABLED	1.173 s	124.472 ms (11.9%)
Agent	iast_TELEMETRY_OFF	1.169 s	120.484 ms (11.5%)
Total	tracing	8.507 s	-
Total	iast	9.019 s	512.271 ms (6.0%)
Total	iast_HARDCODED_SECRET_DISABLED	8.962 s	454.961 ms (5.3%)
Total	iast_TELEMETRY_OFF	8.953 s	446.86 ms (5.3%)

gantt
    title insecure-bank - break down per module: candidate=1.39.0-SNAPSHOT~c830d6c73b, baseline=1.39.0-SNAPSHOT~594a2a4428

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (668.567 ms) : 0, 668567
BytebuddyAgent [candidate] (669.117 ms) : 0, 669117
GlobalTracer [baseline] (306.699 ms) : 0, 306699
GlobalTracer [candidate] (306.661 ms) : 0, 306661
AppSec [baseline] (51.744 ms) : 0, 51744
AppSec [candidate] (51.568 ms) : 0, 51568
Remote Config [baseline] (679.05 µs) : 0, 679
Remote Config [candidate] (662.102 µs) : 0, 662
Telemetry [baseline] (7.557 ms) : 0, 7557
Telemetry [candidate] (7.476 ms) : 0, 7476
section iast
BytebuddyAgent [baseline] (784.141 ms) : 0, 784141
BytebuddyAgent [candidate] (792.03 ms) : 0, 792030
GlobalTracer [baseline] (298.113 ms) : 0, 298113
GlobalTracer [candidate] (299.88 ms) : 0, 299880
AppSec [baseline] (52.892 ms) : 0, 52892
AppSec [candidate] (50.693 ms) : 0, 50693
IAST [baseline] (23.581 ms) : 0, 23581
IAST [candidate] (25.539 ms) : 0, 25539
Remote Config [baseline] (584.318 µs) : 0, 584
Remote Config [candidate] (597.374 µs) : 0, 597
Telemetry [baseline] (7.999 ms) : 0, 7999
Telemetry [candidate] (7.974 ms) : 0, 7974
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (779.299 ms) : 0, 779299
BytebuddyAgent [candidate] (778.54 ms) : 0, 778540
GlobalTracer [baseline] (296.306 ms) : 0, 296306
GlobalTracer [candidate] (296.781 ms) : 0, 296781
AppSec [baseline] (49.267 ms) : 0, 49267
AppSec [candidate] (49.612 ms) : 0, 49612
IAST [baseline] (22.96 ms) : 0, 22960
IAST [candidate] (25.613 ms) : 0, 25613
Remote Config [baseline] (603.075 µs) : 0, 603
Remote Config [candidate] (594.421 µs) : 0, 594
Telemetry [baseline] (10.357 ms) : 0, 10357
Telemetry [candidate] (8.767 ms) : 0, 8767
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (774.336 ms) : 0, 774336
BytebuddyAgent [candidate] (775.734 ms) : 0, 775734
GlobalTracer [baseline] (296.554 ms) : 0, 296554
GlobalTracer [candidate] (296.107 ms) : 0, 296107
AppSec [baseline] (51.934 ms) : 0, 51934
AppSec [candidate] (53.395 ms) : 0, 53395
IAST [baseline] (23.796 ms) : 0, 23796
IAST [candidate] (21.375 ms) : 0, 21375
Remote Config [baseline] (584.181 µs) : 0, 584
Remote Config [candidate] (580.383 µs) : 0, 580
Telemetry [baseline] (7.143 ms) : 0, 7143
Telemetry [candidate] (8.74 ms) : 0, 8740

Load

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
end_time	2024-08-22T07:53:04	2024-08-22T07:59:54
git_branch	master	mario.vidal/untrusted_deserialization_improvements
git_commit_date	1724310250	1724312651
git_commit_sha	`594a2a4`	`c830d6c`
release_version	1.39.0-SNAPSHOT~594a2a4428	1.39.0-SNAPSHOT~c830d6c73b
start_time	2024-08-22T07:52:51	2024-08-22T07:59:40

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1724313936	1724313936
ci_job_id	613279974	613279974
ci_pipeline_id	42529009	42529009
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant	iast	iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 10 metrics, 18 unstable metrics.

Request duration reports for insecure-bank

gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.39.0-SNAPSHOT~c830d6c73b, baseline=1.39.0-SNAPSHOT~594a2a4428
    dateFormat X
    axisFormat %s
section baseline
no_agent (371.196 µs) : 352, 391
.   : milestone, 371,
iast (479.853 µs) : 458, 502
.   : milestone, 480,
iast_FULL (545.382 µs) : 523, 567
.   : milestone, 545,
iast_GLOBAL (515.173 µs) : 491, 539
.   : milestone, 515,
iast_HARDCODED_SECRET_DISABLED (476.391 µs) : 454, 499
.   : milestone, 476,
iast_INACTIVE (444.707 µs) : 423, 466
.   : milestone, 445,
iast_TELEMETRY_OFF (471.083 µs) : 450, 493
.   : milestone, 471,
tracing (442.972 µs) : 422, 464
.   : milestone, 443,
section candidate
no_agent (375.341 µs) : 353, 397
.   : milestone, 375,
iast (484.466 µs) : 462, 507
.   : milestone, 484,
iast_FULL (548.986 µs) : 528, 570
.   : milestone, 549,
iast_GLOBAL (501.115 µs) : 479, 523
.   : milestone, 501,
iast_HARDCODED_SECRET_DISABLED (473.528 µs) : 451, 496
.   : milestone, 474,
iast_INACTIVE (440.033 µs) : 419, 461
.   : milestone, 440,
iast_TELEMETRY_OFF (461.879 µs) : 441, 483
.   : milestone, 462,
tracing (442.646 µs) : 422, 464
.   : milestone, 443,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	371.196 µs [351.596 µs, 390.796 µs]	-
iast	479.853 µs [457.796 µs, 501.909 µs]	108.656 µs (29.3%)
iast_FULL	545.382 µs [523.452 µs, 567.311 µs]	174.185 µs (46.9%)
iast_GLOBAL	515.173 µs [491.026 µs, 539.321 µs]	143.977 µs (38.8%)
iast_HARDCODED_SECRET_DISABLED	476.391 µs [453.767 µs, 499.015 µs]	105.195 µs (28.3%)
iast_INACTIVE	444.707 µs [423.297 µs, 466.116 µs]	73.51 µs (19.8%)
iast_TELEMETRY_OFF	471.083 µs [449.615 µs, 492.551 µs]	99.887 µs (26.9%)
tracing	442.972 µs [421.872 µs, 464.073 µs]	71.776 µs (19.3%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	375.341 µs [353.397 µs, 397.284 µs]	-
iast	484.466 µs [461.958 µs, 506.975 µs]	109.126 µs (29.1%)
iast_FULL	548.986 µs [527.951 µs, 570.021 µs]	173.645 µs (46.3%)
iast_GLOBAL	501.115 µs [478.736 µs, 523.495 µs]	125.775 µs (33.5%)
iast_HARDCODED_SECRET_DISABLED	473.528 µs [451.25 µs, 495.806 µs]	98.187 µs (26.2%)
iast_INACTIVE	440.033 µs [419.368 µs, 460.699 µs]	64.693 µs (17.2%)
iast_TELEMETRY_OFF	461.879 µs [440.698 µs, 483.06 µs]	86.539 µs (23.1%)
tracing	442.646 µs [421.779 µs, 463.514 µs]	67.306 µs (17.9%)

Request duration reports for petclinic

gantt
    title petclinic - request duration [CI 0.99] : candidate=1.39.0-SNAPSHOT~c830d6c73b, baseline=1.39.0-SNAPSHOT~594a2a4428
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.35 ms) : 1331, 1369
.   : milestone, 1350,
appsec (1.734 ms) : 1710, 1758
.   : milestone, 1734,
appsec_no_iast (1.724 ms) : 1700, 1749
.   : milestone, 1724,
iast (1.462 ms) : 1439, 1484
.   : milestone, 1462,
profiling (1.483 ms) : 1458, 1507
.   : milestone, 1483,
tracing (1.458 ms) : 1433, 1482
.   : milestone, 1458,
section candidate
no_agent (1.325 ms) : 1306, 1345
.   : milestone, 1325,
appsec (1.718 ms) : 1694, 1743
.   : milestone, 1718,
appsec_no_iast (1.714 ms) : 1690, 1739
.   : milestone, 1714,
iast (1.477 ms) : 1455, 1500
.   : milestone, 1477,
profiling (1.486 ms) : 1461, 1511
.   : milestone, 1486,
tracing (1.473 ms) : 1449, 1497
.   : milestone, 1473,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.35 ms [1.331 ms, 1.369 ms]	-
appsec	1.734 ms [1.71 ms, 1.758 ms]	383.573 µs (28.4%)
appsec_no_iast	1.724 ms [1.7 ms, 1.749 ms]	374.276 µs (27.7%)
iast	1.462 ms [1.439 ms, 1.484 ms]	111.715 µs (8.3%)
profiling	1.483 ms [1.458 ms, 1.507 ms]	132.577 µs (9.8%)
tracing	1.458 ms [1.433 ms, 1.482 ms]	107.605 µs (8.0%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.325 ms [1.306 ms, 1.345 ms]	-
appsec	1.718 ms [1.694 ms, 1.743 ms]	392.99 µs (29.6%)
appsec_no_iast	1.714 ms [1.69 ms, 1.739 ms]	388.615 µs (29.3%)
iast	1.477 ms [1.455 ms, 1.5 ms]	151.908 µs (11.5%)
profiling	1.486 ms [1.461 ms, 1.511 ms]	160.482 µs (12.1%)
tracing	1.473 ms [1.449 ms, 1.497 ms]	147.32 µs (11.1%)

Dacapo

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	mario.vidal/untrusted_deserialization_improvements
git_commit_date	1724310250	1724312651
git_commit_sha	`594a2a4`	`c830d6c`
release_version	1.39.0-SNAPSHOT~594a2a4428	1.39.0-SNAPSHOT~c830d6c73b

See matching parameters

	Baseline	Candidate
application	biojava	biojava
ci_job_date	1724314462	1724314462
ci_job_id	613279976	613279976
ci_pipeline_id	42529009	42529009
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant	appsec	appsec

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for tomcat

gantt
    title tomcat - execution time [CI 0.99] : candidate=1.39.0-SNAPSHOT~c830d6c73b, baseline=1.39.0-SNAPSHOT~594a2a4428
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.455 ms) : 1443, 1466
.   : milestone, 1455,
appsec (2.211 ms) : 2176, 2246
.   : milestone, 2211,
iast (1.953 ms) : 1911, 1995
.   : milestone, 1953,
iast_GLOBAL (2.005 ms) : 1962, 2048
.   : milestone, 2005,
profiling (1.861 ms) : 1825, 1896
.   : milestone, 1861,
tracing (1.832 ms) : 1800, 1865
.   : milestone, 1832,
section candidate
no_agent (1.457 ms) : 1446, 1469
.   : milestone, 1457,
appsec (2.21 ms) : 2175, 2245
.   : milestone, 2210,
iast (1.954 ms) : 1912, 1996
.   : milestone, 1954,
iast_GLOBAL (2.018 ms) : 1974, 2062
.   : milestone, 2018,
profiling (1.851 ms) : 1817, 1885
.   : milestone, 1851,
tracing (1.834 ms) : 1801, 1867
.   : milestone, 1834,

baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.455 ms [1.443 ms, 1.466 ms]	-
appsec	2.211 ms [2.176 ms, 2.246 ms]	756.667 µs (52.0%)
iast	1.953 ms [1.911 ms, 1.995 ms]	498.134 µs (34.2%)
iast_GLOBAL	2.005 ms [1.962 ms, 2.048 ms]	550.278 µs (37.8%)
profiling	1.861 ms [1.825 ms, 1.896 ms]	406.136 µs (27.9%)
tracing	1.832 ms [1.8 ms, 1.865 ms]	377.671 µs (26.0%)

candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.457 ms [1.446 ms, 1.469 ms]	-
appsec	2.21 ms [2.175 ms, 2.245 ms]	752.728 µs (51.6%)
iast	1.954 ms [1.912 ms, 1.996 ms]	496.912 µs (34.1%)
iast_GLOBAL	2.018 ms [1.974 ms, 2.062 ms]	560.209 µs (38.4%)
profiling	1.851 ms [1.817 ms, 1.885 ms]	393.53 µs (27.0%)
tracing	1.834 ms [1.801 ms, 1.867 ms]	376.324 µs (25.8%)

Execution time for biojava

gantt
    title biojava - execution time [CI 0.99] : candidate=1.39.0-SNAPSHOT~c830d6c73b, baseline=1.39.0-SNAPSHOT~594a2a4428
    dateFormat X
    axisFormat %s
section baseline
no_agent (14.755 s) : 14755000, 14755000
.   : milestone, 14755000,
appsec (15.329 s) : 15329000, 15329000
.   : milestone, 15329000,
iast (18.731 s) : 18731000, 18731000
.   : milestone, 18731000,
iast_GLOBAL (17.911 s) : 17911000, 17911000
.   : milestone, 17911000,
profiling (15.369 s) : 15369000, 15369000
.   : milestone, 15369000,
tracing (14.964 s) : 14964000, 14964000
.   : milestone, 14964000,
section candidate
no_agent (15.459 s) : 15459000, 15459000
.   : milestone, 15459000,
appsec (15.125 s) : 15125000, 15125000
.   : milestone, 15125000,
iast (18.806 s) : 18806000, 18806000
.   : milestone, 18806000,
iast_GLOBAL (18.068 s) : 18068000, 18068000
.   : milestone, 18068000,
profiling (14.892 s) : 14892000, 14892000
.   : milestone, 14892000,
tracing (15.177 s) : 15177000, 15177000
.   : milestone, 15177000,

baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	14.755 s [14.755 s, 14.755 s]	-
appsec	15.329 s [15.329 s, 15.329 s]	574.0 ms (3.9%)
iast	18.731 s [18.731 s, 18.731 s]	3.976 s (26.9%)
iast_GLOBAL	17.911 s [17.911 s, 17.911 s]	3.156 s (21.4%)
profiling	15.369 s [15.369 s, 15.369 s]	614.0 ms (4.2%)
tracing	14.964 s [14.964 s, 14.964 s]	209.0 ms (1.4%)

candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	15.459 s [15.459 s, 15.459 s]	-
appsec	15.125 s [15.125 s, 15.125 s]	-334.0 ms (-2.2%)
iast	18.806 s [18.806 s, 18.806 s]	3.347 s (21.7%)
iast_GLOBAL	18.068 s [18.068 s, 18.068 s]	2.609 s (16.9%)
profiling	14.892 s [14.892 s, 14.892 s]	-567.0 ms (-3.7%)
tracing	15.177 s [15.177 s, 15.177 s]	-282.0 ms (-1.8%)

…ovements

jandro996

LGTM!

dd-java-agent/instrumentation/commons-fileupload/build.gradle

…ovements

Mariovido added 5 commits July 29, 2024 11:29

Add instrumentation for getInputStream in javax and jakarta servlet.h…

d47974a

…ttp.Part

Add smoke tests for multipartfile

a813838

Add instrumentation for the commons.fileupload

0776735

Add instrumentation for commons.fileupload + add tests

5bc6e83

Added instrumentation + unit tests of the ServletFileUpload

66c504f

Mariovido added the comp: asm iast Application Security Management (IAST) label Jul 31, 2024

Mariovido added this to the 1.38.0 milestone Jul 31, 2024

Mariovido and others added 4 commits August 1, 2024 10:09

Merge branch 'master' into mario.vidal/untrusted_deserialization_impr…

0ddf03a

…ovements

Improve build.gradle from instrumentations

d3c3885

Fix formatting ServletFileUploadInstrumenter

88ca4b7

Add smoke tests for ServletFileUpload

c5910b4

Mariovido marked this pull request as ready for review August 2, 2024 13:33

Mariovido requested review from a team as code owners August 2, 2024 13:33

Mariovido requested review from smola and ValentinZakharov August 2, 2024 13:33

smola changed the title ~~Improve smoke tests and progagation for Untrusted Deserialization vulnerability~~ Fix progagation for Untrusted Deserialization vulnerability Aug 5, 2024

Mariovido and others added 4 commits August 5, 2024 11:26

Add smoke tests for Multipart of SpringBoot

5f8be24

Merge branch 'master' into mario.vidal/untrusted_deserialization_impr…

aac4c5f

…ovements

Merge branch 'master' into mario.vidal/untrusted_deserialization_impr…

86f3ff1

…ovements

Close ObjectInputStream from controller and servlets

8ba71df

Mariovido modified the milestones: 1.38.0, 1.39.0 Aug 5, 2024

jandro996 approved these changes Aug 20, 2024

View reviewed changes

smola added the type: enhancement label Aug 21, 2024

smola requested changes Aug 21, 2024

View reviewed changes

dd-java-agent/instrumentation/commons-fileupload/build.gradle Show resolved Hide resolved

dd-java-agent/instrumentation/commons-fileupload/build.gradle Show resolved Hide resolved

smola mentioned this pull request Aug 21, 2024

Add detection of untrusted deserialization in snakeyaml library #7406

Merged

5 tasks

Mariovido and others added 2 commits August 21, 2024 15:00

Add latestDepTestImplementation to the build.gradle

f847ba6

Merge branch 'master' into mario.vidal/untrusted_deserialization_impr…

483caaa

…ovements

Mariovido added 2 commits August 21, 2024 15:43

Merge branch 'master' into mario.vidal/untrusted_deserialization_impr…

5c1f37a

…ovements

Merge branch 'master' into mario.vidal/untrusted_deserialization_impr…

c830d6c

…ovements

smola approved these changes Aug 22, 2024

View reviewed changes

Mariovido merged commit fd7f750 into master Aug 22, 2024
80 checks passed

Mariovido deleted the mario.vidal/untrusted_deserialization_improvements branch August 22, 2024 08:39

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix progagation for Untrusted Deserialization vulnerability #7374

Fix progagation for Untrusted Deserialization vulnerability #7374

Mariovido commented Jul 31, 2024 •

edited by smola

Loading

pr-commenter bot commented Jul 31, 2024 •

edited

Loading

jandro996 left a comment

Fix progagation for Untrusted Deserialization vulnerability #7374

Fix progagation for Untrusted Deserialization vulnerability #7374

Conversation

Mariovido commented Jul 31, 2024 • edited by smola Loading

What Does This Do

Motivation

Additional Notes

Contributor Checklist

pr-commenter bot commented Jul 31, 2024 • edited Loading

Benchmarks

Startup

Parameters

Summary

Load

Parameters

Summary

Dacapo

Parameters

Summary

jandro996 left a comment

Choose a reason for hiding this comment

Mariovido commented Jul 31, 2024 •

edited by smola

Loading

pr-commenter bot commented Jul 31, 2024 •

edited

Loading