Merge branch 'master' into andrea.marziali/jetty-http-client

Author: amarziali

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sensitive/HeaderRegexpTokenizer.java

@@ -0,0 +1,62 @@
+package com.datadog.iast.sensitive;
+
+import com.datadog.iast.model.Evidence;
+import com.datadog.iast.util.Ranged;
+import java.util.NoSuchElementException;
+import java.util.regex.Pattern;
+import javax.annotation.Nullable;
+
+public class HeaderRegexpTokenizer implements SensitiveHandler.Tokenizer {
+
+  @Nullable private Ranged current;
+
+  private boolean checked = false;
+
+  private String evidenceValue;
+
+  private Pattern namePattern;
+
+  private Pattern valuePattern;
+
+  public HeaderRegexpTokenizer(final Evidence evidence, Pattern namePattern, Pattern valuePattern) {
+    this.evidenceValue = evidence.getValue();
+    this.namePattern = namePattern;
+    this.valuePattern = valuePattern;
+  }
+
+  @Override
+  public boolean next() {
+    current = buildNext();
+    return current != null;
+  }
+
+  @Override
+  public Ranged current() {
+    if (current == null) {
+      throw new NoSuchElementException();
+    }
+    return current;
+  }
+
+  @Nullable
+  private Ranged buildNext() {
+    if (!checked) {
+      checked = true;
+      // Header evidence format is <headerName>: <headerValue>
+      int separatorIndex = evidenceValue.indexOf(":");
+      if (separatorIndex < 1) {
+        return null; // Wrong evidence format: there is no separator or <headerName>
+      }
+      int headerValueIndex = separatorIndex + 2; // there is a white space after :
+      if (evidenceValue.length() <= headerValueIndex) {
+        return null; // Wrong evidence format: there is no <headerValue>
+      }
+      String name = evidenceValue.substring(0, separatorIndex);
+      String value = evidenceValue.substring(headerValueIndex);
+      if (namePattern.matcher(name).find() || valuePattern.matcher(value).find()) {
+        return Ranged.build(name.length() + 2, value.length());
+      }
+    }
+    return null;
+  }
+}

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sensitive/SensitiveHandlerImpl.java

@@ -46,7 +46,9 @@ public SensitiveHandlerImpl() {
     tokenizers.put(VulnerabilityType.SSRF, UrlRegexpTokenizer::new);
     tokenizers.put(VulnerabilityType.UNVALIDATED_REDIRECT, UrlRegexpTokenizer::new);
     tokenizers.put(VulnerabilityType.XSS, TaintedRangeBasedTokenizer::new);
-    tokenizers.put(VulnerabilityType.HEADER_INJECTION, TaintedRangeBasedTokenizer::new);
+    tokenizers.put(
+        VulnerabilityType.HEADER_INJECTION,
+        evidence -> new HeaderRegexpTokenizer(evidence, namePattern, valuePattern));
   }
 
   @Override

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/util/CookieSecurityParser.java

@@ -61,15 +61,16 @@ public static List<Cookie> parse(final HttpHeader headerName, String headerValue
         }
         boolean addCookie = false;
         boolean eof = i == headerValue.length() - 1;
-        if (eof || next == ',' || next == '=' || next == ';') {
+        boolean separator = next == ',' || next == '=' || next == ';';
+        if (eof || separator) {
           if (next == ',') {
             if (quoteCount % 2 == 0 && version == 1) {
               addCookie = true; // multiple cookie separator
             } else {
               continue;
             }
           }
-          final int end = eof ? i + 1 : i;
+          final int end = separator ? i : i + 1;
           switch (state) {
             case COOKIE_NAME:
               cookieName = headerValue.substring(start, end).trim();

dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/util/CookieSecurityParserTest.groovy

@@ -30,6 +30,7 @@ class CookieSecurityParserTest extends Specification {
 
     where:
     header                                                                                                                                                       | cookieName | isSecure | isHttpOnly | sameSite
+    "Set-Cookie: user-id="                                                                                                                                       | "user-id"  | false    | false      | null
     "Set-Cookie: user-id=7"                                                                                                                                      | "user-id"  | false    | false      | null
     'Set-Cookie: user-id="7"'                                                                                                                                    | "user-id"  | false    | false      | null
     "Set-Cookie: user-id=7;Secure"                                                                                                                               | "user-id"  | true     | false      | null

dd-java-agent/agent-iast/src/test/resources/redaction/evidence-redaction-suite.yml

@@ -2023,43 +2023,222 @@ suite:
         ]
       }
   - type: 'VULNERABILITIES'
-    description: 'Testing header injection redaction'
+    description: 'Header injection without sensitive data'
     input: >
       [
         {
           "type": "HEADER_INJECTION",
           "evidence": {
-            "value": "Authorization: bearer 12345644",
+            "value": "custom: text",
             "ranges": [
-              { "start" : 0, "length" : 30, "source": { "origin": "http.request.header", "name": "X-Test-Header", "value": "Authorization: bearer 12345644" }}
+              { "start" : 8, "length" : 4, "source": { "origin": "http.request.parameter", "name": "param", "value": "text" } }
             ]
           }
         }
       ]
     expected: >
-     {
-         "vulnerabilities": [
-             {
-                "type": "HEADER_INJECTION",
-                 "evidence": {
-                     "valueParts": [
-                         {
-                             "source": 0,
-                             "redacted": true,
-                             "pattern": "abcdefghijklmnopqrstuvwxyzABCD"
-                         }
-                     ]
-                 },
-                 "hash": 0,
-                 "type": "HEADER_INJECTION"
-             }
-         ],
-         "sources": [
-             {
-                 "origin": "http.request.header",
-                 "name": "X-Test-Header",
-                 "redacted": true,
-                 "pattern": "abcdefghijklmnopqrstuvwxyzABCD"
-             }
-         ]
-     }
+      {
+        "sources": [
+          { "origin": "http.request.parameter", "name": "param", "value": "text" }
+        ],
+        "vulnerabilities": [
+          {
+            "type": "HEADER_INJECTION",
+            "evidence": {
+              "valueParts": [
+                { "value": "custom: " },
+                { "source": 0, "value": "text" }
+              ]
+            }
+          }
+        ]
+      }
+  - type: 'VULNERABILITIES'
+    description: 'Header injection with only sensitive data from tainted'
+    input: >
+      [
+        {
+          "type": "HEADER_INJECTION",
+          "evidence": {
+            "value": "custom: pass",
+            "ranges": [
+              { "start" : 8, "length" : 4, "source": { "origin": "http.request.parameter", "name": "password", "value": "pass" } }
+            ]
+          }
+        }
+      ]
+    expected: >
+      {
+        "sources": [
+          { "origin": "http.request.parameter", "name": "password", "redacted": true, "pattern": "abcd" }
+        ],
+        "vulnerabilities": [
+          {
+            "type": "HEADER_INJECTION",
+            "evidence": {
+              "valueParts": [
+                { "value": "custom: " },
+                { "source": 0, "redacted": true, "pattern": "abcd" }
+              ]
+            }
+          }
+        ]
+      }
+  - type: 'VULNERABILITIES'
+    description: 'Header injection with partial sensitive data from tainted'
+    input: >
+      [
+        {
+          "type": "HEADER_INJECTION",
+          "evidence": {
+            "value": "custom: this is pass",
+            "ranges": [
+              { "start" : 16, "length" : 4, "source": { "origin": "http.request.parameter", "name": "password", "value": "pass" } }
+            ]
+          }
+        }
+      ]
+    expected: >
+      {
+        "sources": [
+          { "origin": "http.request.parameter", "name": "password", "redacted": true, "pattern": "abcd" }
+        ],
+        "vulnerabilities": [
+          {
+            "type": "HEADER_INJECTION",
+            "evidence": {
+              "valueParts": [
+                { "value": "custom: this is " },
+                { "source": 0, "redacted": true, "pattern": "abcd" }
+              ]
+            }
+          }
+        ]
+      }
+  - type: 'VULNERABILITIES'
+    description: 'Header injection with sensitive data from header name'
+    input: >
+      [
+        {
+          "type": "HEADER_INJECTION",
+          "evidence": {
+            "value": "password: text",
+            "ranges": [
+              { "start" : 10, "length" : 4, "source": { "origin": "http.request.parameter", "name": "param", "value": "text" } }
+            ]
+          }
+        }
+      ]
+    expected: >
+      {
+        "sources": [
+          { "origin": "http.request.parameter", "name": "param", "redacted": true, "pattern": "abcd" }
+        ],
+        "vulnerabilities": [
+          {
+            "type": "HEADER_INJECTION",
+            "evidence": {
+              "valueParts": [
+                { "value": "password: " },
+                { "source": 0, "redacted": true, "pattern": "abcd" }
+              ]
+            }
+          }
+        ]
+      }
+  - type: 'VULNERABILITIES'
+    description: 'Header injection with sensitive data from header value'
+    input: >
+      [
+        {
+          "type": "HEADER_INJECTION",
+          "evidence": {
+            "value": "custom: bearer 1234123",
+            "ranges": [
+              { "start" : 15, "length" : 7, "source": { "origin": "http.request.parameter", "name": "param", "value": "1234123" } }
+            ]
+          }
+        }
+      ]
+    expected: >
+      {
+        "sources": [
+          { "origin": "http.request.parameter", "name": "param", "redacted": true, "pattern": "abcdefg" }
+        ],
+        "vulnerabilities": [
+          {
+            "type": "HEADER_INJECTION",
+            "evidence": {
+              "valueParts": [
+                { "value": "custom: " },
+                { "redacted": true },
+                { "source": 0, "redacted": true, "pattern": "abcdefg" }
+              ]
+            }
+          }
+        ]
+      }
+  - type: 'VULNERABILITIES'
+    description: 'Header injection with sensitive data from header and tainted'
+    input: >
+      [
+        {
+          "type": "HEADER_INJECTION",
+          "evidence": {
+            "value": "password: this is pass",
+            "ranges": [
+              { "start" : 18, "length" : 4, "source": { "origin": "http.request.parameter", "name": "password", "value": "pass" } }
+            ]
+          }
+        }
+      ]
+    expected: >
+      {
+        "sources": [
+          { "origin": "http.request.parameter", "name": "password", "redacted": true, "pattern": "abcd" }
+        ],
+        "vulnerabilities": [
+          {
+            "type": "HEADER_INJECTION",
+            "evidence": {
+              "valueParts": [
+                { "value": "password: " },
+                { "redacted": true },
+                { "source": 0, "redacted": true, "pattern": "abcd" }
+              ]
+            }
+          }
+        ]
+      }
+  - type: 'VULNERABILITIES'
+    description: 'Header injection with sensitive data from header and tainted (source does not match)'
+    input: >
+      [
+        {
+          "type": "HEADER_INJECTION",
+          "evidence": {
+            "value": "password: this is key word",
+            "ranges": [
+              { "start" : 18, "length" : 8, "source": { "origin": "http.request.parameter", "name": "password", "value": "key%20word" } }
+            ]
+          }
+        }
+      ]
+    expected: >
+      {
+        "sources": [
+          { "origin": "http.request.parameter", "name": "password", "redacted": true, "pattern": "abcdefghij" }
+        ],
+        "vulnerabilities": [
+          {
+            "type": "HEADER_INJECTION",
+            "evidence": {
+              "valueParts": [
+                { "value": "password: " },
+                { "redacted": true },
+                { "source": 0, "redacted": true, "pattern": "********" }
+              ]
+            }
+          }
+        ]
+      }

dd-java-agent/instrumentation/iast-instrumenter/src/main/resources/datadog/trace/instrumentation/iastinstrumenter/iast_exclusion.trie

@@ -193,6 +193,9 @@
 0 org.apache.http.client.methods.*
 # apache compiled jsps
 0 org.apache.jsp.*
+# Need for kafka propagation
+2 org.apache.kafka.common.serialization.ByteBufferDeserializer
+2 org.apache.kafka.common.serialization.StringDeserializer
 1 org.apiguardian.*
 1 org.aspectj.*
 1 org.attoparser.*

dd-java-agent/instrumentation/jackson-core/src/main/java/datadog/trace/instrumentation/jackson/core/Json2FactoryInstrumentation.java

@@ -34,7 +34,8 @@ public void methodAdvice(MethodTransformer transformer) {
                         takesArguments(String.class)
                             .or(takesArguments(InputStream.class))
                             .or(takesArguments(Reader.class))
-                            .or(takesArguments(URL.class)))),
+                            .or(takesArguments(URL.class))
+                            .or(takesArguments(byte[].class)))),
         Json2FactoryInstrumentation.class.getName() + "$InstrumenterAdvice");
   }
 

dd-java-agent/instrumentation/jackson-core/src/test/groovy/Json2FactoryInstrumentationTest.groovy

@@ -80,6 +80,22 @@ class Json2FactoryInstrumentationTest extends AgentTestRunner {
     0 * _
   }
 
+  void 'test createParser(byte[])'() {
+    setup:
+    final propagationModule = Mock(PropagationModule)
+    InstrumentationBridge.registerIastModule(propagationModule)
+    final bytes = '{}'.bytes
+
+    when:
+    final result = new JsonFactory().createParser(bytes)
+
+
+    then:
+    result != null
+    1 * propagationModule.taintIfTainted(_ as JsonParser, bytes)
+    0 * _
+  }
+
   void 'test createParser(URL)'() {
     setup:
     final propagationModule = Mock(PropagationModule)