[asm] IAST security controls #5117
Conversation
Overall package size
Self size: 8.68 MB

Dependency sizes

| name | version | self size | total size |
|------|---------|-----------|------------|
| @datadog/libdatadog | 0.4.0 | 29.44 MB | 29.44 MB |
| @datadog/native-appsec | 8.4.0 | 19.25 MB | 19.26 MB |
| @datadog/native-iast-taint-tracking | 3.3.0 | 13.77 MB | 13.78 MB |
| @datadog/pprof | 5.5.1 | 9.79 MB | 10.17 MB |
| protobufjs | 7.2.5 | 2.77 MB | 5.16 MB |
| @datadog/native-iast-rewriter | 2.8.0 | 2.6 MB | 2.74 MB |
| @opentelemetry/core | 1.14.0 | 872.87 kB | 1.47 MB |
| @datadog/native-metrics | 3.1.0 | 1.06 MB | 1.46 MB |
| @opentelemetry/api | 1.8.0 | 1.21 MB | 1.21 MB |
| import-in-the-middle | 1.11.2 | 112.74 kB | 826.22 kB |
| source-map | 0.7.4 | 226 kB | 226 kB |
| opentracing | 0.14.7 | 194.81 kB | 194.81 kB |
| lru-cache | 7.18.3 | 133.92 kB | 133.92 kB |
| pprof-format | 2.1.0 | 111.69 kB | 111.69 kB |
| @datadog/sketches-js | 2.1.0 | 109.9 kB | 109.9 kB |
| semver | 7.6.3 | 95.82 kB | 95.82 kB |
| lodash.sortby | 4.7.0 | 75.76 kB | 75.76 kB |
| ignore | 5.3.1 | 51.46 kB | 51.46 kB |
| shell-quote | 1.8.1 | 44.96 kB | 44.96 kB |
| istanbul-lib-coverage | 3.2.0 | 29.34 kB | 29.34 kB |
| rfdc | 1.3.1 | 25.21 kB | 25.21 kB |
| @isaacs/ttlcache | 1.4.1 | 25.2 kB | 25.2 kB |
| tlhunter-sorted-set | 0.1.0 | 24.94 kB | 24.94 kB |
| limiter | 1.1.5 | 23.17 kB | 23.17 kB |
| dc-polyfill | 0.1.4 | 23.1 kB | 23.1 kB |
| retry | 0.13.1 | 18.85 kB | 18.85 kB |
| jest-docblock | 29.7.0 | 8.99 kB | 12.76 kB |
| crypto-randomuuid | 1.0.0 | 11.18 kB | 11.18 kB |
| ttl-set | 1.0.0 | 4.61 kB | 9.69 kB |
| path-to-regexp | 0.1.12 | 6.6 kB | 6.6 kB |
| koalas | 1.0.2 | 6.47 kB | 6.47 kB |
| module-details-from-path | 1.0.3 | 4.47 kB | 4.47 kB |

🤖 This report was automatically generated by heaviest-objects-in-the-universe
Benchmarks
Benchmark execution time: 2025-02-05 10:00:14
Comparing candidate commit 6dc2181 in PR branch. Found 0 performance improvements and 0 performance regressions. Performance is the same for 908 metrics, 25 unstable metrics.
Codecov Report
Attention: Patch coverage is

Additional details and impacted files (Coverage Diff):

| | master | #5117 | +/- |
|---|---|---|---|
| Coverage | 81.16% | 81.26% | +0.09% |
| Files | 482 | 487 | +5 |
| Lines | 21527 | 21697 | +170 |
| Hits | 17473 | 17632 | +159 |
| Misses | 4054 | 4065 | +11 |

☔ View full report in Codecov by Sentry.
...sec/iast/security-controls/resources/node_modules/anotherlib/node_modules/sanitizer/index.js
Co-authored-by: Ilyas Shabi <ilyas.shabi@datadoghq.com>
Datadog Report
Branch report: ✅ 0 Failed, 626 Passed, 0 Skipped, 11m 15.13s Total Time

Reviewed lines in the test:

requireAndPublish('./resources/custom_input_validator')
requireAndPublish('./resources/custom_input_validator')
Where are you testing that it is not hooking twice?
oops
packages/dd-trace/test/appsec/iast/security-controls/parser.spec.js
Co-authored-by: Ugaitz Urien <ugaitz.urien@datadoghq.com>
* Security controls parser and secure marks for vulnerabilities
* Use new NOSQL_MONGODB_INJECTION_MARK in nosql-injection-mongodb-analyzer
* Config
* first hooks
* wrap object properties and more tests
* Use dd-trace:moduleLoad(Start|End) channels
* iterate object strings and more tests
* fix parameter index, include createNewTainted flag and do not use PluginManager in the tests
* Fix parameter index and include a test with incorrect index
* Avoid hooking the same module multiple times, and config tests
* sql_injection_mark test
* vulnerable ranges tests
* fix windows paths
* Upgrade taint-tracking to 3.3.0
* Fix
* secure mark
* add createNewTainted flag to addSecureMark
* Use existing _isRangeSecure
* suppressed vulnerabilities metric
* increment suppressed vulnerability metric
* typo
* handle esm default export and filenames starting with file://
* esm integration tests
* clean up
* secure-marks tests
* fix secure-marks generator test
* fix config test
* empty
* check for repeated marks
* Update packages/dd-trace/src/appsec/iast/analyzers/injection-analyzer.js
  Co-authored-by: Ugaitz Urien <ugaitz.urien@datadoghq.com>
* Update packages/dd-trace/src/appsec/iast/security-controls/index.js
  Co-authored-by: Ugaitz Urien <ugaitz.urien@datadoghq.com>
* Update packages/dd-trace/src/appsec/iast/taint-tracking/secure-marks.js
  Co-authored-by: Ugaitz Urien <ugaitz.urien@datadoghq.com>
* some suggestions
* move _isRangeSecure to InjectionAnalyzer
* Add programmatic config option
* index.d.ts
* StoredInjectionAnalyzer
* Update packages/dd-trace/test/appsec/iast/analyzers/command-injection-analyzer.spec.js
  Co-authored-by: ishabi <ilyas.shabi@datadoghq.com>
* store control keys to avoid recreating the array
* check visited before iterating
* test suggestions
* Update packages/dd-trace/src/appsec/iast/security-controls/parser.js
  Co-authored-by: Ilyas Shabi <ilyas.shabi@datadoghq.com>
* lint
* ritm test
* clean up
* Reject security control with non numeric parameters
* fix parameter 0
* Update integration-tests/appsec/iast.esm-security-controls.spec.js
  Co-authored-by: Ugaitz Urien <ugaitz.urien@datadoghq.com>
* suggestions
* use legacy store
* fix test
* fix test
* fix test

---------

Co-authored-by: Ugaitz Urien <ugaitz.urien@datadoghq.com>
Co-authored-by: ishabi <ilyas.shabi@datadoghq.com>
What does this PR do?
IAST security controls implementation
ST DataDog/system-tests#3872
APPSEC-56286