[asm] IAST security controls #5117
Conversation
Overall package sizeSelf size: 8.57 MB Dependency sizes| name | version | self size | total size | |------|---------|-----------|------------| | @datadog/libdatadog | 0.4.0 | 29.44 MB | 29.44 MB | | @datadog/native-appsec | 8.4.0 | 19.25 MB | 19.26 MB | | @datadog/native-iast-taint-tracking | 3.3.0 | 13.77 MB | 13.78 MB | | @datadog/pprof | 5.4.1 | 9.76 MB | 10.13 MB | | protobufjs | 7.2.5 | 2.77 MB | 5.16 MB | | @datadog/native-iast-rewriter | 2.6.1 | 2.59 MB | 2.73 MB | | @opentelemetry/core | 1.14.0 | 872.87 kB | 1.47 MB | | @datadog/native-metrics | 3.1.0 | 1.06 MB | 1.46 MB | | @opentelemetry/api | 1.8.0 | 1.21 MB | 1.21 MB | | import-in-the-middle | 1.11.2 | 112.74 kB | 826.22 kB | | source-map | 0.7.4 | 226 kB | 226 kB | | opentracing | 0.14.7 | 194.81 kB | 194.81 kB | | lru-cache | 7.18.3 | 133.92 kB | 133.92 kB | | pprof-format | 2.1.0 | 111.69 kB | 111.69 kB | | @datadog/sketches-js | 2.1.0 | 109.9 kB | 109.9 kB | | semver | 7.6.3 | 95.82 kB | 95.82 kB | | lodash.sortby | 4.7.0 | 75.76 kB | 75.76 kB | | ignore | 5.3.1 | 51.46 kB | 51.46 kB | | shell-quote | 1.8.1 | 44.96 kB | 44.96 kB | | istanbul-lib-coverage | 3.2.0 | 29.34 kB | 29.34 kB | | rfdc | 1.3.1 | 25.21 kB | 25.21 kB | | @isaacs/ttlcache | 1.4.1 | 25.2 kB | 25.2 kB | | tlhunter-sorted-set | 0.1.0 | 24.94 kB | 24.94 kB | | limiter | 1.1.5 | 23.17 kB | 23.17 kB | | dc-polyfill | 0.1.4 | 23.1 kB | 23.1 kB | | retry | 0.13.1 | 18.85 kB | 18.85 kB | | jest-docblock | 29.7.0 | 8.99 kB | 12.76 kB | | crypto-randomuuid | 1.0.0 | 11.18 kB | 11.18 kB | | ttl-set | 1.0.0 | 4.61 kB | 9.69 kB | | path-to-regexp | 0.1.12 | 6.6 kB | 6.6 kB | | koalas | 1.0.2 | 6.47 kB | 6.47 kB | | module-details-from-path | 1.0.3 | 4.47 kB | 4.47 kB |🤖 This report was automatically generated by heaviest-objects-in-the-universe |
BenchmarksBenchmark execution time: 2025-01-24 09:45:58 Comparing candidate commit 3f57dea in PR branch Found 0 performance improvements and 0 performance regressions! Performance is the same for 908 metrics, 25 unstable metrics. |
…ginManager in the tests
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #5117 +/- ##
==========================================
- Coverage 71.53% 70.28% -1.26%
==========================================
Files 299 162 -137
Lines 13753 5387 -8366
==========================================
- Hits 9838 3786 -6052
+ Misses 3915 1601 -2314 ☔ View full report in Codecov by Sentry. |
| @@ -25,6 +28,11 @@ class Analyzer extends SinkIastPlugin { | |||
| return false | |||
| } | |||
|
|
|||
| _isRangeSecure (range) { | |||
There was a problem hiding this comment.
Does checking the secure marks out of injection-analizer make sense?
| ranges = this._filterSecureRanges(ranges) | ||
| if (!ranges?.length) { | ||
| this._incrementSuppressedMetric(iastContext) | ||
| } |
| @@ -83,8 +83,8 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer { | |||
| } | |||
| } | |||
|
|
|||
| _areRangesVulnerable () { | |||
| return true | |||
| _areRangesVulnerable (ranges) { | |||
There was a problem hiding this comment.
we have this method implemented in more analyzers, like code injection analyzer. I think that this change is necessary for all of them.
|
|
||
| controls = parse(iastConfig.securityControlsConfiguration) | ||
| if (controls?.size > 0) { | ||
| hooks = new Set() |
There was a problem hiding this comment.
If a module is required for one use and is not used anymore, we don't want to be who are blocking the GC to delete it.
| hooks = new Set() | |
| hooks = new WeakSet() |
| const fields = control.split(SECURITY_CONTROL_FIELD_DELIMITER) | ||
|
|
||
| if (fields.length < 3 || fields.length > 5) { | ||
| // TODO: do we want telemetry log for these cases? |
There was a problem hiding this comment.
I don't think so, but we could log an error rather than warn to be aware when the customer is using it incorrectly.
| function parse (securityControlsConfiguration) { | ||
| const controls = new Map() | ||
|
|
||
| securityControlsConfiguration?.replace(/\s/g, '') |
There was a problem hiding this comment.
too simple regex I think, what if a directory in the list has an space?
|
|
||
| parameters = getParameters(parameters) | ||
|
|
||
| // TODO: check if file is a valid path? |
There was a problem hiding this comment.
unnecessary fs access I think.
| @@ -3,7 +3,7 @@ | |||
| let next = 0 | |||
|
|
|||
| function getNextSecureMark () { | |||
| return 1 << next++ | |||
| return (1 << next++) >>> 0 | |||
| @@ -788,6 +790,7 @@ class Config { | |||
| this._setValue(env, 'iast.requestSampling', iastRequestSampling) | |||
| } | |||
| this._envUnprocessed['iast.requestSampling'] = DD_IAST_REQUEST_SAMPLING | |||
| this._setString(env, 'iast.securityControlsConfiguration', DD_IAST_SECURITY_CONTROLS_CONFIGURATION) | |||
There was a problem hiding this comment.
you are not giving an option to configure it programatically, intentionally or you just forgot it?
| let [asterisk, ...rest] = Object.values(marks) | ||
| rest.forEach(mark => { asterisk |= mark }) |
There was a problem hiding this comment.
I should have to read this code multiple times to understand it...
Here suggestions that I think are more readable.
| let [asterisk, ...rest] = Object.values(marks) | |
| rest.forEach(mark => { asterisk |= mark }) | |
| let asterisk = 0x0 | |
| Object.values(marks).forEach(mark => { asterisk |= mark }) |
Or
| let [asterisk, ...rest] = Object.values(marks) | |
| rest.forEach(mark => { asterisk |= mark }) | |
| const asterisk = Object.values(marks).reduce((total, current) => total | current, 0x0) |
What does this PR do?
IAST security controls implementation
ST DataDog/system-tests#3872
Motivation
Plugin Checklist
Additional Notes