Exploit prevention for Shell Injection / Command Injection #7615
Benchmarks

Startup
Summary
Found 0 performance improvements and 0 performance regressions! Performance is the same for 53 metrics, 10 unstable metrics.
[Gantt charts omitted: startup time reports for petclinic and insecure-bank (global startup overhead, break down per module); candidate=1.45.0-SNAPSHOT~15ba1436c2, baseline=1.45.0-SNAPSHOT~a19f73a5ea]

Load
Summary
Found 1 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 16 unstable metrics.
[Gantt charts omitted: request duration reports for insecure-bank and petclinic [CI 0.99]; candidate=1.45.0-SNAPSHOT~15ba1436c2, baseline=1.45.0-SNAPSHOT~a19f73a5ea]

Dacapo
Summary
Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.
[Gantt charts omitted: execution time for biojava and tomcat [CI 0.99]; candidate=1.45.0-SNAPSHOT~15ba1436c2, baseline=1.45.0-SNAPSHOT~a19f73a5ea]
| @@ -0,0 +1,20 @@ | |||
| package datadog.trace.instrumentation.java.lang; | |||
Not for this PR, since this just follows the current convention, but we should probably move RASP/APPSEC/IAST code in instrumentations to *.iast packages, to make sure codeowners apply to our team instead of APM IDM.
What Does This Do
Added support for Command Injection (CMDI) exploit prevention:
java.lang.ProcessImpl.
Added support for Shell Injection (SHI) exploit prevention:
java.lang.Runtime#exec(String, String[], File) for detection.
String, given that WAF heuristics for CMDI only support String[].
Enhanced RASP metrics mechanism:
rule_variant tag to metrics.
exec.shell.rule type as command_injection.
Motivation
Additional Notes
Contributor Checklist
type: and (comp: or inst:) labels in addition to any useful labels
close, fix or any linking keywords when referencing an issue.
Use solves instead, and assign the PR milestone to the issue
Jira ticket: APPSEC-52330
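The two JDK entry points named in the description, side by side, as an added example (not code from this PR or from dd-trace-java): `Runtime#exec(String, String[], File)` receives the whole command as one `String`, while the array form hands a `String[]` to `ProcessBuilder` and from there to `java.lang.ProcessImpl`. The class and method names, the hostname pattern and the sample inputs are assumptions made for the illustration.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;
import java.util.regex.Pattern;

public class ExecEntryPoints {

    // Assumption for this example: hosts are plain DNS names. The first
    // character must be alphanumeric, so a value can never start with '-'
    // and be read by the child program as an option.
    private static final Pattern HOSTNAME =
        Pattern.compile("[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?");

    // Single-String form: caller input is concatenated into the command and
    // the JDK splits the result on whitespace before starting the process.
    static Process pingUnsafe(String host) throws IOException {
        return Runtime.getRuntime().exec("ping -c 1 " + host, null, null);
    }

    // Array form: the input is validated, then passed as exactly one argv
    // element. Nothing is re-split and no shell is involved.
    static Process pingSafe(String host) throws IOException {
        if (!isValidHost(host)) {
            throw new IllegalArgumentException("rejected host value");
        }
        return new ProcessBuilder("ping", "-c", "1", host).start();
    }

    static boolean isValidHost(String host) {
        return host != null && HOSTNAME.matcher(host).matches();
    }

    // Mirrors the whitespace split that Runtime#exec(String, ...) applies
    // before it builds the String[]; lets us inspect argv without running
    // any process.
    static List<String> tokenizeLikeRuntimeExec(String command) {
        StringTokenizer st = new StringTokenizer(command);
        List<String> argv = new ArrayList<>();
        while (st.hasMoreTokens()) {
            argv.add(st.nextToken());
        }
        return argv;
    }

    public static void main(String[] args) {
        // Constructed inputs, not taken from the PR.
        String benign = "example.com";
        String tampered = "example.com --extra value";

        // With the single-String form the tampered value becomes three
        // separate arguments instead of one.
        System.out.println(tokenizeLikeRuntimeExec("ping -c 1 " + benign));
        System.out.println(tokenizeLikeRuntimeExec("ping -c 1 " + tampered));

        // The array form only ever sees values that pass validation.
        System.out.println("benign accepted:   " + isValidHost(benign));
        System.out.println("tampered accepted: " + isValidHost(tampered));
    }
}
```

`main` starts no process; it only prints the argument vectors and the validation results for the two constructed inputs.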