
[ASM] iast: Tainting of DefaultInterpolatedStringHandler #6340

Merged: 16 commits from flavien/iast/interpolatedstring into master, Nov 28, 2024

Conversation

@e-n-0 (Member) commented Nov 22, 2024

Summary of changes

This PR introduces support for DefaultInterpolatedStringHandler in IAST.
The resulting strings of DefaultInterpolatedStringHandler will now be tainted.

Reason for change

Since the release of .NET Core 6, interpolated strings got a performance optimisation and now use DefaultInterpolatedStringHandler to build strings.

Some vulnerabilities couldn't be detected because strings built with DefaultInterpolatedStringHandler weren't tainted.

Implementation details

As DefaultInterpolatedStringHandler is a ref struct, we call some IL to get its own stack pointer value and taint it.
We need to get that pointer value to track it and its tainted sources.

Test coverage

  • New unit tests were added:
    • testing all aspects with an explicit call to the DefaultInterpolatedStringHandler ref struct
    • testing implicit interpolated strings ($"") in various complex cases
  • Aspects tests added for IastInstrumentationUnitTests

Other details

This PR doesn't handle the correct values for start and length of tainted Sources.

@datadog-ddstaging bot commented Nov 22, 2024

Datadog Report

Branch report: flavien/iast/interpolatedstring
Commit report: bfdfd64
Test service: dd-trace-dotnet

✅ 0 Failed, 465025 Passed, 3606 Skipped, 33h 42m 41.34s Total Time
❄️ 1 New Flaky

New Flaky Tests (1)

  • SlowSenderTest - Datadog.Trace.ClrProfiler.IntegrationTests.CI.Agent.CiVisibilityProtocolWriterTests - Last Failure

    Assert.Equal() Failure
    Expected: 3
    Actual:   4

@andrewlock (Member) commented Nov 22, 2024

Execution-Time Benchmarks Report ⏱️

Execution-time results for samples comparing the following branches/commits:

Execution-time benchmarks measure the whole time it takes to execute a program and are intended to measure the one-off costs. Cases where the execution-time results for the PR are worse than the latest master results are shown in red. The following thresholds were used for comparing the execution times:

  • Welch test with a 5% significance level
  • Only results indicating a difference greater than 5% and 5 ms are considered.

Note that these results are based on a single point-in-time result for each branch. For full results, see the dashboard.

Graphs show the p99 interval based on the mean and StdDev of the test run, as well as the mean value of the run (shown as a diamond below the graph).

gantt
    title Execution time (ms) FakeDbCommand (.NET Framework 4.6.2) 
    dateFormat  X
    axisFormat %s
    todayMarker off
    section Baseline
    This PR (6340) - mean (69ms)  : 66, 72
     .   : milestone, 69,
    master - mean (69ms)  : 67, 71
     .   : milestone, 69,

    section CallTarget+Inlining+NGEN
    This PR (6340) - mean (980ms)  : 954, 1006
     .   : milestone, 980,
    master - mean (982ms)  : 953, 1010
     .   : milestone, 982,

gantt
    title Execution time (ms) FakeDbCommand (.NET Core 3.1) 
    dateFormat  X
    axisFormat %s
    todayMarker off
    section Baseline
    This PR (6340) - mean (108ms)  : 106, 110
     .   : milestone, 108,
    master - mean (108ms)  : 106, 111
     .   : milestone, 108,

    section CallTarget+Inlining+NGEN
    This PR (6340) - mean (676ms)  : 660, 692
     .   : milestone, 676,
    master - mean (677ms)  : 663, 691
     .   : milestone, 677,

gantt
    title Execution time (ms) FakeDbCommand (.NET 6) 
    dateFormat  X
    axisFormat %s
    todayMarker off
    section Baseline
    This PR (6340) - mean (91ms)  : 89, 93
     .   : milestone, 91,
    master - mean (91ms)  : 89, 93
     .   : milestone, 91,

    section CallTarget+Inlining+NGEN
    This PR (6340) - mean (627ms)  : 613, 640
     .   : milestone, 627,
    master - mean (635ms)  : 617, 653
     .   : milestone, 635,

gantt
    title Execution time (ms) HttpMessageHandler (.NET Framework 4.6.2) 
    dateFormat  X
    axisFormat %s
    todayMarker off
    section Baseline
    This PR (6340) - mean (190ms)  : 186, 194
     .   : milestone, 190,
    master - mean (191ms)  : 186, 196
     .   : milestone, 191,

    section CallTarget+Inlining+NGEN
    This PR (6340) - mean (1,095ms)  : 1062, 1127
     .   : milestone, 1095,
    master - mean (1,091ms)  : 1059, 1122
     .   : milestone, 1091,

gantt
    title Execution time (ms) HttpMessageHandler (.NET Core 3.1) 
    dateFormat  X
    axisFormat %s
    todayMarker off
    section Baseline
    This PR (6340) - mean (275ms)  : 272, 279
     .   : milestone, 275,
    master - mean (276ms)  : 271, 282
     .   : milestone, 276,

    section CallTarget+Inlining+NGEN
    This PR (6340) - mean (870ms)  : 843, 896
     .   : milestone, 870,
    master - mean (871ms)  : 839, 903
     .   : milestone, 871,

gantt
    title Execution time (ms) HttpMessageHandler (.NET 6) 
    dateFormat  X
    axisFormat %s
    todayMarker off
    section Baseline
    This PR (6340) - mean (266ms)  : 262, 270
     .   : milestone, 266,
    master - mean (265ms)  : 261, 269
     .   : milestone, 265,

    section CallTarget+Inlining+NGEN
    This PR (6340) - mean (852ms)  : 818, 886
     .   : milestone, 852,
    master - mean (851ms)  : 820, 881
     .   : milestone, 851,


@andrewlock (Member) commented Nov 22, 2024

Benchmarks Report for tracer 🐌

Benchmarks for #6340 compared to master:

  • All benchmarks have the same speed
  • All benchmarks have the same allocations

The following thresholds were used for comparing the benchmark speeds:

  • Mann–Whitney U test with a 5% significance level
  • Only results indicating a difference greater than 10% and 0.3 ns are considered.

Allocation changes below 0.5% are ignored.

Benchmark details

Benchmarks.Trace.ActivityBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch Method Toolchain Mean StdError StdDev Gen 0 Gen 1 Gen 2 Allocated
master StartStopWithChild net6.0 8.1μs 45ns 302ns 0.0162 0.00812 0 5.61 KB
master StartStopWithChild netcoreapp3.1 10.2μs 55.7ns 315ns 0.0206 0.0103 0 5.79 KB
master StartStopWithChild net472 16.4μs 36.8ns 138ns 1.04 0.313 0.0989 6.21 KB
#6340 StartStopWithChild net6.0 8.01μs 44.6ns 302ns 0.0193 0.00774 0 5.61 KB
#6340 StartStopWithChild netcoreapp3.1 9.94μs 54.9ns 315ns 0.0249 0.00997 0 5.8 KB
#6340 StartStopWithChild net472 16.5μs 39.8ns 154ns 1.04 0.288 0.0905 6.21 KB
Benchmarks.Trace.AgentWriterBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch Method Toolchain Mean StdError StdDev Gen 0 Gen 1 Gen 2 Allocated
master WriteAndFlushEnrichedTraces net6.0 492μs 441ns 1.65μs 0 0 0 2.7 KB
master WriteAndFlushEnrichedTraces netcoreapp3.1 651μs 186ns 720ns 0 0 0 2.7 KB
master WriteAndFlushEnrichedTraces net472 838μs 293ns 1.1μs 0.419 0 0 3.3 KB
#6340 WriteAndFlushEnrichedTraces net6.0 507μs 452ns 1.69μs 0 0 0 2.7 KB
#6340 WriteAndFlushEnrichedTraces netcoreapp3.1 644μs 595ns 2.3μs 0 0 0 2.7 KB
#6340 WriteAndFlushEnrichedTraces net472 841μs 775ns 3μs 0.422 0 0 3.3 KB
Benchmarks.Trace.AspNetCoreBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch Method Toolchain Mean StdError StdDev Gen 0 Gen 1 Gen 2 Allocated
master SendRequest net6.0 150μs 975ns 9.55μs 0.15 0 0 14.47 KB
master SendRequest netcoreapp3.1 168μs 947ns 8.31μs 0.161 0 0 17.27 KB
master SendRequest net472 0.00249ns 0.00101ns 0.00392ns 0 0 0 0 b
#6340 SendRequest net6.0 144μs 829ns 6.32μs 0.136 0 0 14.47 KB
#6340 SendRequest netcoreapp3.1 167μs 1.15μs 11.2μs 0.169 0 0 17.27 KB
#6340 SendRequest net472 0.000189ns 0.000142ns 0.000493ns 0 0 0 0 b
Benchmarks.Trace.CIVisibilityProtocolWriterBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch Method Toolchain Mean StdError StdDev Gen 0 Gen 1 Gen 2 Allocated
master WriteAndFlushEnrichedTraces net6.0 579μs 3.11μs 17.9μs 0.568 0 0 41.71 KB
master WriteAndFlushEnrichedTraces netcoreapp3.1 706μs 4.01μs 27.5μs 0.353 0 0 41.74 KB
master WriteAndFlushEnrichedTraces net472 867μs 2.79μs 10.1μs 8.36 2.64 0.44 53.3 KB
#6340 WriteAndFlushEnrichedTraces net6.0 578μs 3.22μs 20.4μs 0.548 0 0 41.52 KB
#6340 WriteAndFlushEnrichedTraces netcoreapp3.1 696μs 3.55μs 24.9μs 0.347 0 0 41.79 KB
#6340 WriteAndFlushEnrichedTraces net472 896μs 2.64μs 10.2μs 8.54 2.25 0.45 53.33 KB
Benchmarks.Trace.DbCommandBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch Method Toolchain Mean StdError StdDev Gen 0 Gen 1 Gen 2 Allocated
master ExecuteNonQuery net6.0 1.31μs 1.6ns 5.97ns 0.0143 0 0 1.02 KB
master ExecuteNonQuery netcoreapp3.1 1.82μs 1.7ns 6.34ns 0.0135 0 0 1.02 KB
master ExecuteNonQuery net472 2.11μs 1.79ns 6.95ns 0.156 0.00105 0 987 B
#6340 ExecuteNonQuery net6.0 1.24μs 1.21ns 4.52ns 0.0142 0 0 1.02 KB
#6340 ExecuteNonQuery netcoreapp3.1 1.81μs 1.33ns 5.13ns 0.0134 0 0 1.02 KB
#6340 ExecuteNonQuery net472 2.13μs 3.11ns 12ns 0.157 0.00107 0 987 B
Benchmarks.Trace.ElasticsearchBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch Method Toolchain Mean StdError StdDev Gen 0 Gen 1 Gen 2 Allocated
master CallElasticsearch net6.0 1.22μs 0.793ns 2.97ns 0.0138 0 0 976 B
master CallElasticsearch netcoreapp3.1 1.53μs 0.963ns 3.73ns 0.0134 0 0 976 B
master CallElasticsearch net472 2.48μs 2.68ns 10.4ns 0.157 0 0 995 B
master CallElasticsearchAsync net6.0 1.26μs 0.662ns 2.56ns 0.0131 0 0 952 B
master CallElasticsearchAsync netcoreapp3.1 1.69μs 1.93ns 7.46ns 0.0133 0 0 1.02 KB
master CallElasticsearchAsync net472 2.6μs 1.63ns 5.88ns 0.166 0 0 1.05 KB
#6340 CallElasticsearch net6.0 1.17μs 0.551ns 2.06ns 0.0136 0 0 976 B
#6340 CallElasticsearch netcoreapp3.1 1.55μs 0.648ns 2.51ns 0.0132 0 0 976 B
#6340 CallElasticsearch net472 2.52μs 1.83ns 7.09ns 0.157 0 0 995 B
#6340 CallElasticsearchAsync net6.0 1.3μs 0.904ns 3.38ns 0.0137 0 0 952 B
#6340 CallElasticsearchAsync netcoreapp3.1 1.69μs 1.15ns 4.3ns 0.0135 0 0 1.02 KB
#6340 CallElasticsearchAsync net472 2.8μs 1ns 3.88ns 0.166 0 0 1.05 KB
Benchmarks.Trace.GraphQLBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch Method Toolchain Mean StdError StdDev Gen 0 Gen 1 Gen 2 Allocated
master ExecuteAsync net6.0 1.28μs 0.388ns 1.45ns 0.0132 0 0 952 B
master ExecuteAsync netcoreapp3.1 1.6μs 0.609ns 2.2ns 0.0128 0 0 952 B
master ExecuteAsync net472 1.88μs 0.658ns 2.46ns 0.145 0 0 915 B
#6340 ExecuteAsync net6.0 1.28μs 1.84ns 6.87ns 0.0133 0 0 952 B
#6340 ExecuteAsync netcoreapp3.1 1.6μs 0.808ns 3.13ns 0.0128 0 0 952 B
#6340 ExecuteAsync net472 1.83μs 0.541ns 2.02ns 0.145 0 0 915 B
Benchmarks.Trace.HttpClientBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch Method Toolchain Mean StdError StdDev Gen 0 Gen 1 Gen 2 Allocated
master SendAsync net6.0 4.47μs 9.96ns 38.6ns 0.031 0 0 2.31 KB
master SendAsync netcoreapp3.1 5.28μs 5.49ns 21.3ns 0.037 0 0 2.85 KB
master SendAsync net472 7.37μs 1.81ns 7.02ns 0.493 0 0 3.12 KB
#6340 SendAsync net6.0 4.4μs 2.34ns 9.04ns 0.0308 0 0 2.31 KB
#6340 SendAsync netcoreapp3.1 5.25μs 1.5ns 5.62ns 0.0368 0 0 2.85 KB
#6340 SendAsync net472 7.31μs 3.14ns 12.2ns 0.493 0 0 3.12 KB
Benchmarks.Trace.ILoggerBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch Method Toolchain Mean StdError StdDev Gen 0 Gen 1 Gen 2 Allocated
master EnrichedLog net6.0 1.54μs 1.01ns 3.78ns 0.023 0 0 1.64 KB
master EnrichedLog netcoreapp3.1 2.3μs 0.696ns 2.6ns 0.0228 0 0 1.64 KB
master EnrichedLog net472 2.54μs 0.824ns 2.97ns 0.25 0 0 1.57 KB
#6340 EnrichedLog net6.0 1.56μs 0.651ns 2.44ns 0.0233 0 0 1.64 KB
#6340 EnrichedLog netcoreapp3.1 2.22μs 1.28ns 4.96ns 0.0222 0 0 1.64 KB
#6340 EnrichedLog net472 2.57μs 0.949ns 3.42ns 0.25 0 0 1.57 KB
Benchmarks.Trace.Log4netBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch Method Toolchain Mean StdError StdDev Gen 0 Gen 1 Gen 2 Allocated
master EnrichedLog net6.0 120μs 125ns 485ns 0.06 0 0 4.28 KB
master EnrichedLog netcoreapp3.1 125μs 100ns 362ns 0 0 0 4.28 KB
master EnrichedLog net472 151μs 208ns 806ns 0.681 0.227 0 4.46 KB
#6340 EnrichedLog net6.0 119μs 88.2ns 330ns 0 0 0 4.28 KB
#6340 EnrichedLog netcoreapp3.1 124μs 144ns 559ns 0.0627 0 0 4.28 KB
#6340 EnrichedLog net472 151μs 49ns 177ns 0.679 0.226 0 4.46 KB
Benchmarks.Trace.NLogBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch Method Toolchain Mean StdError StdDev Gen 0 Gen 1 Gen 2 Allocated
master EnrichedLog net6.0 3.05μs 0.844ns 3.27ns 0.0302 0 0 2.2 KB
master EnrichedLog netcoreapp3.1 4.14μs 4.86ns 18.8ns 0.0293 0 0 2.2 KB
master EnrichedLog net472 4.86μs 1.25ns 4.68ns 0.32 0 0 2.02 KB
#6340 EnrichedLog net6.0 3.09μs 1.21ns 4.7ns 0.0311 0 0 2.2 KB
#6340 EnrichedLog netcoreapp3.1 4.24μs 1.93ns 7.49ns 0.0295 0 0 2.2 KB
#6340 EnrichedLog net472 4.86μs 1.28ns 4.94ns 0.319 0 0 2.02 KB
Benchmarks.Trace.RedisBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch Method Toolchain Mean StdError StdDev Gen 0 Gen 1 Gen 2 Allocated
master SendReceive net6.0 1.38μs 0.811ns 3.14ns 0.0158 0 0 1.14 KB
master SendReceive netcoreapp3.1 1.75μs 1.04ns 3.74ns 0.0149 0 0 1.14 KB
master SendReceive net472 2.11μs 2.8ns 10.8ns 0.183 0 0 1.16 KB
#6340 SendReceive net6.0 1.46μs 0.821ns 3.18ns 0.0159 0 0 1.14 KB
#6340 SendReceive netcoreapp3.1 1.68μs 1.12ns 4.18ns 0.0152 0 0 1.14 KB
#6340 SendReceive net472 2.06μs 2.11ns 8.17ns 0.183 0 0 1.16 KB
Benchmarks.Trace.SerilogBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch Method Toolchain Mean StdError StdDev Gen 0 Gen 1 Gen 2 Allocated
master EnrichedLog net6.0 2.81μs 1.38ns 5.35ns 0.0225 0 0 1.6 KB
master EnrichedLog netcoreapp3.1 3.73μs 1.28ns 4.96ns 0.0224 0 0 1.65 KB
master EnrichedLog net472 4.49μs 3.58ns 13.9ns 0.322 0 0 2.04 KB
#6340 EnrichedLog net6.0 2.79μs 0.783ns 3.03ns 0.0223 0 0 1.6 KB
#6340 EnrichedLog netcoreapp3.1 3.92μs 1.6ns 5.98ns 0.0216 0 0 1.65 KB
#6340 EnrichedLog net472 4.47μs 2.34ns 9.07ns 0.322 0 0 2.04 KB
Benchmarks.Trace.SpanBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch Method Toolchain Mean StdError StdDev Gen 0 Gen 1 Gen 2 Allocated
master StartFinishSpan net6.0 408ns 0.135ns 0.487ns 0.00799 0 0 576 B
master StartFinishSpan netcoreapp3.1 565ns 1.49ns 5.78ns 0.00779 0 0 576 B
master StartFinishSpan net472 676ns 0.404ns 1.56ns 0.0915 0 0 578 B
master StartFinishScope net6.0 487ns 0.241ns 0.934ns 0.00965 0 0 696 B
master StartFinishScope netcoreapp3.1 676ns 0.274ns 0.986ns 0.00934 0 0 696 B
master StartFinishScope net472 880ns 0.46ns 1.78ns 0.104 0 0 658 B
#6340 StartFinishSpan net6.0 408ns 0.338ns 1.31ns 0.00817 0 0 576 B
#6340 StartFinishSpan netcoreapp3.1 559ns 0.319ns 1.24ns 0.00781 0 0 576 B
#6340 StartFinishSpan net472 724ns 0.307ns 1.19ns 0.0917 0 0 578 B
#6340 StartFinishScope net6.0 498ns 0.217ns 0.842ns 0.00962 0 0 696 B
#6340 StartFinishScope netcoreapp3.1 713ns 0.321ns 1.24ns 0.00928 0 0 696 B
#6340 StartFinishScope net472 856ns 0.817ns 3.16ns 0.105 0 0 658 B
Benchmarks.Trace.TraceAnnotationsBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch Method Toolchain Mean StdError StdDev Gen 0 Gen 1 Gen 2 Allocated
master RunOnMethodBegin net6.0 686ns 0.519ns 2.01ns 0.00971 0 0 696 B
master RunOnMethodBegin netcoreapp3.1 931ns 1.24ns 4.79ns 0.00901 0 0 696 B
master RunOnMethodBegin net472 1.13μs 0.561ns 2.17ns 0.105 0 0 658 B
#6340 RunOnMethodBegin net6.0 716ns 0.325ns 1.26ns 0.00969 0 0 696 B
#6340 RunOnMethodBegin netcoreapp3.1 973ns 0.687ns 2.66ns 0.00951 0 0 696 B
#6340 RunOnMethodBegin net472 1.18μs 0.297ns 1.11ns 0.104 0 0 658 B

@andrewlock (Member) commented Nov 22, 2024

Benchmarks Report for appsec 🐌

Benchmarks for #6340 compared to master:

  • All benchmarks have the same speed
  • 2 benchmarks have fewer allocations
  • 1 benchmark has more allocations

The following thresholds were used for comparing the benchmark speeds:

  • Mann–Whitney U test with a 5% significance level
  • Only results indicating a difference greater than 10% and 0.3 ns are considered.

Allocation changes below 0.5% are ignored.

Benchmark details

Benchmarks.Trace.Asm.AppSecBodyBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch Method Toolchain Mean StdError StdDev Gen 0 Gen 1 Gen 2 Allocated
master AllCycleSimpleBody net6.0 214μs 77.1ns 278ns 2.46 0.107 0 176.82 KB
master AllCycleSimpleBody netcoreapp3.1 317μs 240ns 930ns 2.56 0 0 184.26 KB
master AllCycleSimpleBody net472 278μs 142ns 551ns 33.3 2.49 0 210.04 KB
master AllCycleMoreComplexBody net6.0 223μs 101ns 363ns 2.57 0 0 180.33 KB
master AllCycleMoreComplexBody netcoreapp3.1 322μs 160ns 577ns 2.6 0 0 187.68 KB
master AllCycleMoreComplexBody net472 287μs 161ns 602ns 33.8 2.58 0 213.56 KB
master ObjectExtractorSimpleBody net6.0 147ns 0.106ns 0.41ns 0.004 0 0 280 B
master ObjectExtractorSimpleBody netcoreapp3.1 214ns 0.203ns 0.731ns 0.00376 0 0 272 B
master ObjectExtractorSimpleBody net472 212ns 0.0824ns 0.297ns 0.0446 0 0 281 B
master ObjectExtractorMoreComplexBody net6.0 3.04μs 2.18ns 7.86ns 0.0531 0 0 3.78 KB
master ObjectExtractorMoreComplexBody netcoreapp3.1 3.87μs 1.71ns 6.16ns 0.0488 0 0 3.69 KB
master ObjectExtractorMoreComplexBody net472 4.69μs 7.58ns 29.4ns 0.602 0.0047 0 3.8 KB
#6340 AllCycleSimpleBody net6.0 220μs 271ns 1.05μs 2.42 0 0 176.82 KB
#6340 AllCycleSimpleBody netcoreapp3.1 325μs 230ns 891ns 2.44 0 0 184.27 KB
#6340 AllCycleSimpleBody net472 290μs 508ns 1.9μs 33.3 2.45 0 210.04 KB
#6340 AllCycleMoreComplexBody net6.0 221μs 165ns 618ns 2.52 0 0 180.33 KB
#6340 AllCycleMoreComplexBody netcoreapp3.1 334μs 442ns 1.71μs 2.49 0 0 187.68 KB
#6340 AllCycleMoreComplexBody net472 291μs 270ns 974ns 33.8 2.62 0 213.56 KB
#6340 ObjectExtractorSimpleBody net6.0 144ns 0.222ns 0.829ns 0.00391 0 0 280 B
#6340 ObjectExtractorSimpleBody netcoreapp3.1 201ns 0.176ns 0.683ns 0.00371 0 0 272 B
#6340 ObjectExtractorSimpleBody net472 220ns 0.209ns 0.781ns 0.0446 0 0 281 B
#6340 ObjectExtractorMoreComplexBody net6.0 3.08μs 1.87ns 6.99ns 0.0524 0 0 3.78 KB
#6340 ObjectExtractorMoreComplexBody netcoreapp3.1 3.91μs 1.87ns 6.76ns 0.0508 0 0 3.69 KB
#6340 ObjectExtractorMoreComplexBody net472 4.58μs 7.51ns 29.1ns 0.603 0.00682 0 3.8 KB
Benchmarks.Trace.Asm.AppSecEncoderBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch Method Toolchain Mean StdError StdDev Gen 0 Gen 1 Gen 2 Allocated
master EncodeArgs net6.0 36.4μs 26.3ns 102ns 0.451 0 0 32.4 KB
master EncodeArgs netcoreapp3.1 54.5μs 23ns 89.2ns 0.433 0 0 32.4 KB
master EncodeArgs net472 66.8μs 16.1ns 62.4ns 5.15 0.0669 0 32.5 KB
master EncodeLegacyArgs net6.0 72.7μs 14.5ns 54.1ns 0.0359 0 0 2.14 KB
master EncodeLegacyArgs netcoreapp3.1 105μs 387ns 1.5μs 0 0 0 2.14 KB
master EncodeLegacyArgs net472 157μs 68.2ns 264ns 0.314 0 0 2.15 KB
#6340 EncodeArgs net6.0 37.6μs 12.5ns 46.9ns 0.448 0 0 32.4 KB
#6340 EncodeArgs netcoreapp3.1 54.3μs 31.4ns 122ns 0.43 0 0 32.4 KB
#6340 EncodeArgs net472 69.5μs 66.6ns 258ns 5.16 0.0688 0 32.5 KB
#6340 EncodeLegacyArgs net6.0 73.7μs 138ns 533ns 0 0 0 2.14 KB
#6340 EncodeLegacyArgs netcoreapp3.1 106μs 138ns 517ns 0 0 0 2.14 KB
#6340 EncodeLegacyArgs net472 157μs 84.8ns 317ns 0.316 0 0 2.15 KB
Benchmarks.Trace.Asm.AppSecWafBenchmark - Same speed ✔️ Same allocations ✔️

Raw results

Branch Method Toolchain Mean StdError StdDev Gen 0 Gen 1 Gen 2 Allocated
master RunWafRealisticBenchmark net6.0 185μs 197ns 737ns 0 0 0 2.44 KB
master RunWafRealisticBenchmark netcoreapp3.1 195μs 273ns 1.06μs 0 0 0 2.39 KB
master RunWafRealisticBenchmark net472 208μs 112ns 418ns 0.311 0 0 2.46 KB
master RunWafRealisticBenchmarkWithAttack net6.0 123μs 127ns 492ns 0 0 0 1.47 KB
master RunWafRealisticBenchmarkWithAttack netcoreapp3.1 131μs 141ns 528ns 0 0 0 1.46 KB
master RunWafRealisticBenchmarkWithAttack net472 141μs 48.6ns 188ns 0.21 0 0 1.49 KB
#6340 RunWafRealisticBenchmark net6.0 185μs 91.7ns 355ns 0 0 0 2.44 KB
#6340 RunWafRealisticBenchmark netcoreapp3.1 195μs 207ns 776ns 0 0 0 2.39 KB
#6340 RunWafRealisticBenchmark net472 211μs 152ns 587ns 0.315 0 0 2.46 KB
#6340 RunWafRealisticBenchmarkWithAttack net6.0 122μs 66.6ns 240ns 0 0 0 1.47 KB
#6340 RunWafRealisticBenchmarkWithAttack netcoreapp3.1 132μs 159ns 594ns 0 0 0 1.46 KB
#6340 RunWafRealisticBenchmarkWithAttack net472 140μs 57.5ns 223ns 0.209 0 0 1.49 KB
Benchmarks.Trace.Iast.StringAspectsBenchmark - Same speed ✔️ More allocations ⚠️

More allocations ⚠️ in #6340

Benchmark Base Allocated Diff Allocated Change Change %
Benchmarks.Trace.Iast.StringAspectsBenchmark.StringConcatAspectBenchmark‑net6.0 255.27 KB 256.74 KB 1.46 KB 0.57%

Fewer allocations 🎉 in #6340

Benchmark Base Allocated Diff Allocated Change Change %
Benchmarks.Trace.Iast.StringAspectsBenchmark.StringConcatAspectBenchmark‑net472 278.53 KB 276.15 KB -2.38 KB -0.85%
Benchmarks.Trace.Iast.StringAspectsBenchmark.StringConcatBenchmark‑net472 62.06 KB 57.34 KB -4.71 KB -7.59%

Raw results

Branch Method Toolchain Mean StdError StdDev Gen 0 Gen 1 Gen 2 Allocated
master StringConcatBenchmark net6.0 59.3μs 856ns 8.56μs 0 0 0 43.44 KB
master StringConcatBenchmark netcoreapp3.1 60.2μs 834ns 8.08μs 0 0 0 42.64 KB
master StringConcatBenchmark net472 37.5μs 110ns 411ns 0 0 0 62.06 KB
master StringConcatAspectBenchmark net6.0 317μs 1.68μs 11.9μs 0 0 0 255.27 KB
master StringConcatAspectBenchmark netcoreapp3.1 339μs 1.93μs 14.2μs 0 0 0 252.96 KB
master StringConcatAspectBenchmark net472 287μs 6.12μs 59.7μs 0 0 0 278.53 KB
#6340 StringConcatBenchmark net6.0 52.5μs 276ns 1.43μs 0 0 0 43.44 KB
#6340 StringConcatBenchmark netcoreapp3.1 54.6μs 297ns 1.6μs 0 0 0 42.64 KB
#6340 StringConcatBenchmark net472 38μs 145ns 544ns 0 0 0 57.34 KB
#6340 StringConcatAspectBenchmark net6.0 314μs 5.2μs 49.9μs 0 0 0 256.74 KB
#6340 StringConcatAspectBenchmark netcoreapp3.1 344μs 1.88μs 12.3μs 0 0 0 253.94 KB
#6340 StringConcatAspectBenchmark net472 259μs 1.05μs 3.65μs 0 0 0 276.15 KB

@e-n-0 force-pushed the flavien/iast/interpolatedstring branch from 7758970 to e09b3ff on November 24, 2024 18:25
@e-n-0 force-pushed the flavien/iast/interpolatedstring branch from e09b3ff to 8b65a31 on November 24, 2024 18:30
@e-n-0 marked this pull request as ready for review November 24, 2024 18:48
@e-n-0 requested review from a team as code owners November 24, 2024 18:48
@e-n-0 self-assigned this Nov 24, 2024
@daniel-romano-DD (Contributor) left a comment

Nice. Thanks a lot

@andrewlock (Member) commented Nov 25, 2024

Throughput/Crank Report ⚡

Throughput results for AspNetCoreSimpleController comparing the following branches/commits:

Cases where throughput results for the PR are worse than latest master (a 5% drop or greater) are shown in red.

Note that these results are based on a single point-in-time result for each branch. For full results, see one of the many, many dashboards!

gantt
    title Throughput Linux x64 (Total requests) 
    dateFormat  X
    axisFormat %s
    section Baseline
    This PR (6340) (11.179M)   : 0, 11179393
    master (11.171M)   : 0, 11171321
    benchmarks/2.9.0 (11.033M)   : 0, 11032866

    section Automatic
    This PR (6340) (7.339M)   : 0, 7338549
    master (7.220M)   : 0, 7220293
    benchmarks/2.9.0 (7.786M)   : 0, 7785853

    section Trace stats
    master (7.672M)   : 0, 7672287

    section Manual
    master (11.297M)   : 0, 11297089

    section Manual + Automatic
    This PR (6340) (6.791M)   : 0, 6791397
    master (6.666M)   : 0, 6665729

    section DD_TRACE_ENABLED=0
    master (10.155M)   : 0, 10155271

gantt
    title Throughput Linux arm64 (Total requests) 
    dateFormat  X
    axisFormat %s
    section Baseline
    This PR (6340) (9.480M)   : 0, 9479788
    master (9.792M)   : 0, 9792239
    benchmarks/2.9.0 (9.495M)   : 0, 9494821

    section Automatic
    This PR (6340) (6.446M)   : 0, 6446414
    master (6.460M)   : 0, 6460434

    section Trace stats
    master (6.580M)   : 0, 6580287

    section Manual
    master (9.509M)   : 0, 9508789

    section Manual + Automatic
    This PR (6340) (6.031M)   : 0, 6030977
    master (5.968M)   : 0, 5968264

    section DD_TRACE_ENABLED=0
    master (8.863M)   : 0, 8863124

gantt
    title Throughput Windows x64 (Total requests) 
    dateFormat  X
    axisFormat %s
    section Baseline
    This PR (6340) (10.658M)   : 0, 10657560
    master (9.925M)   : 0, 9924990
    benchmarks/2.9.0 (10.020M)   : 0, 10019592

    section Automatic
    This PR (6340) (6.925M)   : 0, 6924546
    master (6.383M)   : 0, 6383332
    benchmarks/2.9.0 (7.255M)   : 0, 7255257

    section Trace stats
    master (7.050M)   : 0, 7050172

    section Manual
    master (9.974M)   : 0, 9974221

    section Manual + Automatic
    This PR (6340) (6.442M)   : 0, 6442129
    master (5.768M)   : 0, 5768402

    section DD_TRACE_ENABLED=0
    master (9.135M)   : 0, 9134686


/// <param name="target"> the ref DefaultInterpolatedStringHandler </param>
/// <param name="value"> the string value </param>
[AspectMethodReplace("System.Runtime.CompilerServices.DefaultInterpolatedStringHandler::AppendFormatted(System.String)")]
public static void AppendFormatted1(ref DefaultInterpolatedStringHandler target, string value)
Contributor

You might also consider adding these overloads:

AppendFormatted(Object, Int32, String)
AppendFormatted(T, String)
AppendFormatted(T, Int32, String)

Actually, you could add unit tests in IastInstrumentationUnitTests.TestMethodsAspectCover and TestAllAspectsHaveACorrespondingMethod to make sure that you cover every method that you want to cover for every framework and that you don't have useless aspects for some frameworks.

Contributor

We should cover relevant string related overloads, those used by the compiler when generating code for interpolated strings

Contributor

But if a string is declared as an object, we could potentially miss it. For instance, this test would fail:

[Fact]
public void GivenImplicitInterpolatedString_WhenAddingTaintedValuesComplex_GetString_Vulnerable()
{
    var interpolatedString = $"""
                              Hello "{((object)TaintedValue)}".
                              .
                              """;
    AssertTainted(interpolatedString);
}

Contributor

Also, adding these unit tests could detect if we are not covering a new string method in the DefaultInterpolatedStringHandler class that could be included in future versions of .NET.

Member Author

😄

  • I added support for this test case in new commits
  • I also added the tests in the IastInstrumentationUnitTests class for the aspects checks

Contributor

Nice! Thank you!

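The PR description explains the mechanism (taint the ref struct handler by its stack address while it is alive, then hand the accumulated sources to the string returned by ToStringAndClear), and the review thread above explains why an aspect on AppendFormatted(string) alone is not enough: $"{(object)value}" binds the generic AppendFormatted<T> overload. The following is an added example, not code from dd-trace-dotnet, that models both points in plain C#. It hand-writes the handler calls the compiler emits for $"..." on .NET 6+, routes the two interesting calls through stand-in aspects, and keys the taint on the handler's address. TaintRegistry, HandlerAspects, Demo, the source label and the sample input are invented for the example. It assumes .NET 9, where Unsafe.AsPointer accepts a ref struct type argument; the PR emits IL for that step because earlier runtimes reject ref structs as generic arguments and C# forbids pointers to structs with managed fields. Compile with AllowUnsafeBlocks enabled.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.CompilerServices;

// Example-only taint model (not the dd-trace-dotnet implementation).
public static class TaintRegistry
{
    // Tainted string instances -> source label. ConditionalWeakTable keys on reference
    // identity, so the new string returned by ToStringAndClear() must be registered itself.
    private static readonly ConditionalWeakTable<string, string> Strings = new ConditionalWeakTable<string, string>();

    // Live handlers keyed by stack address. A stack address is only unique within one
    // thread, so the map is thread-local; the entry must be dropped when the handler is
    // finished, otherwise the next handler placed at the same address inherits its taint.
    [ThreadStatic] private static Dictionary<IntPtr, List<string>>? handlers;
    private static Dictionary<IntPtr, List<string>> Handlers =>
        handlers ??= new Dictionary<IntPtr, List<string>>();

    public static string MarkSource(string value, string label)
    {
        Strings.AddOrUpdate(value, label);
        return value;
    }

    public static bool IsTainted(string? value) =>
        value != null && Strings.TryGetValue(value, out _);

    internal static void Propagate(IntPtr handler, string? value)
    {
        if (value == null || !Strings.TryGetValue(value, out var label)) return;
        if (!Handlers.TryGetValue(handler, out var sources))
            Handlers[handler] = sources = new List<string>();
        sources.Add(label);
    }

    internal static string Finish(IntPtr handler, string result)
    {
        // Remove first: a stale entry would taint an unrelated string built later in the
        // same stack slot (a false positive rather than a missed vulnerability).
        if (Handlers.Remove(handler, out var sources) && sources.Count > 0)
            Strings.AddOrUpdate(result, string.Join("+", sources));
        return result;
    }
}

// Stand-ins for the aspects that replace the handler's own methods in an instrumented build.
public static class HandlerAspects
{
    // Replaces DefaultInterpolatedStringHandler.AppendFormatted(string): do the real append,
    // then carry the value's taint onto the handler.
    public static void AppendFormatted(ref DefaultInterpolatedStringHandler h, string? value)
    {
        h.AppendFormatted(value);
        TaintRegistry.Propagate(Key(ref h), value);
    }

    // The compiler binds AppendFormatted<T>(T), not the string overload, for $"{(object)s}"
    // and for values typed as T; a string-only aspect would miss a boxed tainted string.
    public static void AppendFormatted<T>(ref DefaultInterpolatedStringHandler h, T value)
    {
        h.AppendFormatted(value);
        TaintRegistry.Propagate(Key(ref h), value is string s ? s : null);
    }

    public static string ToStringAndClear(ref DefaultInterpolatedStringHandler h)
    {
        IntPtr key = Key(ref h); // take the address before the struct is cleared
        return TaintRegistry.Finish(key, h.ToStringAndClear());
    }

    // ASSUMPTION: .NET 9, where Unsafe.AsPointer allows a ref struct type argument.
    private static unsafe IntPtr Key(ref DefaultInterpolatedStringHandler h) =>
        (IntPtr)Unsafe.AsPointer(ref h);
}

public static class Demo
{
    // Hand-written form of:  $"SELECT * FROM users WHERE name = '{name}'"
    public static string BuildQuery(string name)
    {
        var h = new DefaultInterpolatedStringHandler(literalLength: 35, formattedCount: 1);
        h.AppendLiteral("SELECT * FROM users WHERE name = '");
        HandlerAspects.AppendFormatted(ref h, name);
        h.AppendLiteral("'");
        return HandlerAspects.ToStringAndClear(ref h);
    }

    // Same query written as $"... '{(object)name}'": the generic overload is bound.
    public static string BuildQueryBoxed(string name)
    {
        var h = new DefaultInterpolatedStringHandler(literalLength: 35, formattedCount: 1);
        h.AppendLiteral("SELECT * FROM users WHERE name = '");
        HandlerAspects.AppendFormatted<object>(ref h, name);
        h.AppendLiteral("'");
        return HandlerAspects.ToStringAndClear(ref h);
    }

    public static void Main()
    {
        // Constructed input standing in for a request parameter read by the web framework.
        string name = TaintRegistry.MarkSource("' OR 1=1 --", "http.request.parameter");

        string sql = BuildQuery(name);
        Console.WriteLine(sql + "  tainted=" + TaintRegistry.IsTainted(sql));

        string boxed = BuildQueryBoxed(name);
        Console.WriteLine("boxed tainted=" + TaintRegistry.IsTainted(boxed));

        // A later handler in this frame reuses the stack slot; because Finish() removed the
        // entry, a string built from clean input must not be reported.
        string clean = BuildQuery("alice");
        Console.WriteLine("clean tainted=" + TaintRegistry.IsTainted(clean));
    }
}
```

Both the string and the boxed variants come out tainted, and the query built from clean input does not, which is the property the reviewer's `(object)TaintedValue` test checks. The example also shows the two checks a practitioner should keep in mind with address-keyed tracking: the map must be per-thread (stack addresses from different threads can collide) and the entry must be removed when the handler is consumed, because the runtime will place the next handler at the same address.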

internal static class DefaultInterpolatedStringHandlerModuleImpl
{
public static unsafe void Append(IntPtr target, string? value)
Contributor

We could consider adding some logic to keep the ranges in some methods such as append without format (like we do with strings). Anyway, this could be done in a separate PR and we should evaluate also the performance cost, so maybe it's not worth it.

Member Author

Do you mean like keeping correct start and length of tainted data in the ranges?
Currently it's difficult to know the current length before appending the new data to the DefaultInterpolatedStringHandler. The _pos int of the struct is private. 😞
We could get the value by knowing the exact offset in the struct but that would be unsafe (and not done for this PR atm).

@e-n-0 force-pushed the flavien/iast/interpolatedstring branch from f848ba5 to c7ffef0 on November 26, 2024 17:17
@daniel-romano-DD requested a review from a team as a code owner November 27, 2024 00:01
@e-n-0 force-pushed the flavien/iast/interpolatedstring branch from 64cced2 to 8e6d1c9 on November 27, 2024 12:37
@e-n-0 force-pushed the flavien/iast/interpolatedstring branch from 8e6d1c9 to bfdfd64 on November 27, 2024 13:46
@NachoEchevarria (Contributor) left a comment

Nice!

@e-n-0 e-n-0 merged commit b677deb into master Nov 28, 2024
83 checks passed
@e-n-0 e-n-0 deleted the flavien/iast/interpolatedstring branch November 28, 2024 00:07
@github-actions github-actions bot added this to the vNext-v3 milestone Nov 28, 2024
veerbia pushed a commit that referenced this pull request Dec 16, 2024
Co-authored-by: Daniel Romano <108014683+daniel-romano-DD@users.noreply.github.com>