sarahchen6
Contributor

Backport #9028 to release/v1.50.x

…9028)

What Does This Do
Add truncation to path, class and method if it's necessary for LocationSuppliers to report XSS vulnerabilities

Motivation
incident-39654

In this incident, it was reported that the location.path field of an IAST vulnerability was populated with a large HTML payload, which caused a backend error and prevented the vulnerability from being reported.

This occurred specifically with an XSS vulnerability located in a Thymeleaf template.

Normally, the location.path is extracted from the stacktrace, so this kind of behavior is unusual. However, in cases where vulnerabilities occur in template-based frameworks, we use a different approach to improve precision — specifying the template name instead of the compiled class in the vulnerability location.

In Thymeleaf, the instrumented method getTemplateName may return a full HTML document instead of just the template name, as originally expected.

To guard against these cases, we’ve decided to truncate the values of path, class, and method when they are generated using suppliers rather than stacktrace-based extraction.

(cherry picked from commit b3e2ecd)
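As an added illustration of the approach described in this PR (this is example code, not dd-trace-java's own implementation), the sketch below separates stack-trace-derived locations from supplier-derived ones and applies a length cap only to the latter, so that a supplier returning something unexpected, such as a whole HTML document in place of a template name, cannot produce an oversized `location.path`. The `MAX_FIELD_LENGTH` value, the `Location` shape, the class name and the constructed "bogus template name" are all assumptions made for the example; the PR does not state the real limit.

```java
// Added illustration (not dd-trace-java code): cap the length of location
// fields that come from a supplier, while leaving stack-trace-derived values
// untouched, as the PR description proposes.
import java.util.function.Supplier;

public final class LocationTruncation {

    // Assumed limit for illustration only; the PR does not state the real value.
    static final int MAX_FIELD_LENGTH = 256;

    /** Vulnerability location as it would be reported to the backend. */
    static final class Location {
        final String path;
        final String className;
        final String method;

        Location(String path, String className, String method) {
            this.path = path;
            this.className = className;
            this.method = method;
        }
    }

    /** Cut a supplier-provided value down to MAX_FIELD_LENGTH; null passes through unchanged. */
    static String truncate(String value) {
        if (value == null || value.length() <= MAX_FIELD_LENGTH) {
            return value;
        }
        return value.substring(0, MAX_FIELD_LENGTH);
    }

    /** Stack-trace-derived location: values come from the JVM, not from application data, so no cap is applied. */
    static Location fromStackTrace(StackTraceElement frame) {
        return new Location(frame.getFileName(), frame.getClassName(), frame.getMethodName());
    }

    /**
     * Supplier-based location (template frameworks): every value is capped because
     * the supplier may return something unexpected, e.g. a full HTML document.
     */
    static Location fromSuppliers(Supplier<String> path, Supplier<String> className, Supplier<String> method) {
        return new Location(truncate(path.get()), truncate(className.get()), truncate(method.get()));
    }

    public static void main(String[] args) {
        // Constructed sample: a template-name supplier that misbehaves and returns a large HTML document.
        StringBuilder html = new StringBuilder("<!DOCTYPE html><html><body>");
        for (int i = 0; i < 500; i++) {
            html.append("<p>row ").append(i).append("</p>");
        }
        html.append("</body></html>");
        String bogusTemplateName = html.toString();

        Location loc = fromSuppliers(() -> bogusTemplateName, () -> "home", () -> "render");

        System.out.println("supplied path length: " + bogusTemplateName.length());
        System.out.println("reported path length: " + loc.path.length());
        System.out.println("within limit: " + (loc.path.length() <= MAX_FIELD_LENGTH));

        // A regular stack-trace location is passed through as-is.
        Location fromFrame = fromStackTrace(new Throwable().getStackTrace()[0]);
        System.out.println("stack-trace location: " + fromFrame.className + "." + fromFrame.method);
    }
}
```

The point of keeping the cap on the supplier path only is the one the PR makes: stack-trace values are already well-formed and bounded, whereas a supplier hooks into framework code whose return value the tracer does not control, so that is where an unbounded payload can enter the report.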
@sarahchen6 sarahchen6 added type: bug Bug report and fix comp: asm iast Application Security Management (IAST) labels Jul 24, 2025
@sarahchen6 sarahchen6 requested review from a team as code owners July 24, 2025 16:04
@sarahchen6 sarahchen6 added the type: bug Bug report and fix label Jul 24, 2025
@sarahchen6 sarahchen6 added the comp: asm iast Application Security Management (IAST) label Jul 24, 2025
@sarahchen6 sarahchen6 added this to the 1.50.2 milestone Jul 24, 2025
@pr-commenter

pr-commenter bot commented Jul 24, 2025

Benchmarks

Startup

Load

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | sarah.chen/backport-pr-9028 |
| git_commit_date | 1753372641 | 1753373051 |
| git_commit_sha | 94cd99a | 7581abc |
| release_version | 1.51.1-SNAPSHOT~94cd99adda | 1.51.0-SNAPSHOT~7581abc3f7 |

See matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1753375982 | 1753375982 |
| ci_job_id | 1046274936 | 1046274936 |
| ci_pipeline_id | 71614800 | 71614800 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-zfyrx7zua-project-304-concurrent-1-v8r8j3zg 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux | Linux runner-zfyrx7zua-project-304-concurrent-1-v8r8j3zg 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |

Summary

Found 3 performance improvements and 3 performance regressions! Performance is the same for 6 metrics, 12 unstable metrics.

| scenario | Δ mean http_req_duration | Δ mean throughput | candidate mean http_req_duration | candidate mean throughput | baseline mean http_req_duration | baseline mean throughput |
|---|---|---|---|---|---|---|
| scenario:load:insecure-bank:profiling:high_load | worse [+174.706µs; +471.547µs] or [+2.052%; +5.538%] | unstable [-84.473op/s; +45.285op/s] or [-15.514%; +8.317%] | 8.837ms | 524.906op/s | 8.514ms | 544.500op/s |
| scenario:load:insecure-bank:iast:high_load | better [-781.714µs; -446.676µs] or [-8.047%; -4.598%] | unstable [-26.069op/s; +89.819op/s] or [-5.453%; +18.789%] | 9.100ms | 509.906op/s | 9.714ms | 478.031op/s |
| scenario:load:insecure-bank:no_agent:high_load | better [-524.023µs; -412.568µs] or [-11.077%; -8.721%] | unstable [-6.136op/s; +214.824op/s] or [-0.632%; +22.112%] | 4.262ms | 1075.875op/s | 4.731ms | 971.531op/s |
| scenario:load:insecure-bank:tracing:high_load | worse [+271.036µs; +513.668µs] or [+3.545%; +6.718%] | unstable [-101.321op/s; +42.633op/s] or [-16.727%; +7.038%] | 8.038ms | 576.375op/s | 7.646ms | 605.719op/s |
| scenario:load:petclinic:appsec:high_load | better [-1.944ms; -1.051ms] or [-4.142%; -2.241%] | unstable [-4.027op/s; +10.627op/s] or [-4.038%; +10.657%] | 45.424ms | 103.013op/s | 46.921ms | 99.713op/s |
| scenario:load:petclinic:profiling:high_load | worse [+1.924ms; +3.028ms] or [+3.943%; +6.206%] | unstable [-11.782op/s; +2.457op/s] or [-12.281%; +2.561%] | 51.270ms | 91.275op/s | 48.794ms | 95.938op/s |
Request duration reports for insecure-bank

```mermaid
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.51.0-SNAPSHOT~7581abc3f7, baseline=1.51.1-SNAPSHOT~94cd99adda
    dateFormat X
    axisFormat %s
section baseline
no_agent (4.731 ms) : 4675, 4786
.   : milestone, 4731,
iast (9.714 ms) : 9554, 9874
.   : milestone, 9714,
iast_FULL (13.962 ms) : 13685, 14239
.   : milestone, 13962,
iast_GLOBAL (10.133 ms) : 9956, 10310
.   : milestone, 10133,
profiling (8.514 ms) : 8383, 8645
.   : milestone, 8514,
tracing (7.646 ms) : 7537, 7755
.   : milestone, 7646,
section candidate
no_agent (4.262 ms) : 4214, 4310
.   : milestone, 4262,
iast (9.1 ms) : 8949, 9252
.   : milestone, 9100,
iast_FULL (13.815 ms) : 13537, 14094
.   : milestone, 13815,
iast_GLOBAL (9.951 ms) : 9778, 10124
.   : milestone, 9951,
profiling (8.837 ms) : 8693, 8982
.   : milestone, 8837,
tracing (8.038 ms) : 7922, 8154
.   : milestone, 8038,
```

  • baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 4.731 ms [4.675 ms, 4.786 ms] | - |
| iast | 9.714 ms [9.554 ms, 9.874 ms] | 4.984 ms (105.3%) |
| iast_FULL | 13.962 ms [13.685 ms, 14.239 ms] | 9.231 ms (195.1%) |
| iast_GLOBAL | 10.133 ms [9.956 ms, 10.31 ms] | 5.402 ms (114.2%) |
| profiling | 8.514 ms [8.383 ms, 8.645 ms] | 3.784 ms (80.0%) |
| tracing | 7.646 ms [7.537 ms, 7.755 ms] | 2.915 ms (61.6%) |

  • candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 4.262 ms [4.214 ms, 4.31 ms] | - |
| iast | 9.1 ms [8.949 ms, 9.252 ms] | 4.838 ms (113.5%) |
| iast_FULL | 13.815 ms [13.537 ms, 14.094 ms] | 9.553 ms (224.1%) |
| iast_GLOBAL | 9.951 ms [9.778 ms, 10.124 ms] | 5.689 ms (133.5%) |
| profiling | 8.837 ms [8.693 ms, 8.982 ms] | 4.575 ms (107.3%) |
| tracing | 8.038 ms [7.922 ms, 8.154 ms] | 3.776 ms (88.6%) |
Request duration reports for petclinic

```mermaid
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.51.0-SNAPSHOT~7581abc3f7, baseline=1.51.1-SNAPSHOT~94cd99adda
    dateFormat X
    axisFormat %s
section baseline
no_agent (37.289 ms) : 36991, 37588
.   : milestone, 37289,
appsec (46.921 ms) : 46494, 47349
.   : milestone, 46921,
code_origins (44.301 ms) : 43932, 44670
.   : milestone, 44301,
iast (45.106 ms) : 44726, 45485
.   : milestone, 45106,
profiling (48.794 ms) : 48315, 49273
.   : milestone, 48794,
tracing (44.331 ms) : 43955, 44708
.   : milestone, 44331,
section candidate
no_agent (36.393 ms) : 36096, 36690
.   : milestone, 36393,
appsec (45.424 ms) : 45023, 45825
.   : milestone, 45424,
code_origins (44.454 ms) : 44095, 44812
.   : milestone, 44454,
iast (44.69 ms) : 44317, 45063
.   : milestone, 44690,
profiling (51.27 ms) : 50725, 51815
.   : milestone, 51270,
tracing (43.626 ms) : 43272, 43979
.   : milestone, 43626,
```

  • baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 37.289 ms [36.991 ms, 37.588 ms] | - |
| appsec | 46.921 ms [46.494 ms, 47.349 ms] | 9.632 ms (25.8%) |
| code_origins | 44.301 ms [43.932 ms, 44.67 ms] | 7.012 ms (18.8%) |
| iast | 45.106 ms [44.726 ms, 45.485 ms] | 7.816 ms (21.0%) |
| profiling | 48.794 ms [48.315 ms, 49.273 ms] | 11.505 ms (30.9%) |
| tracing | 44.331 ms [43.955 ms, 44.708 ms] | 7.042 ms (18.9%) |

  • candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 36.393 ms [36.096 ms, 36.69 ms] | - |
| appsec | 45.424 ms [45.023 ms, 45.825 ms] | 9.031 ms (24.8%) |
| code_origins | 44.454 ms [44.095 ms, 44.812 ms] | 8.06 ms (22.1%) |
| iast | 44.69 ms [44.317 ms, 45.063 ms] | 8.297 ms (22.8%) |
| profiling | 51.27 ms [50.725 ms, 51.815 ms] | 14.877 ms (40.9%) |
| tracing | 43.626 ms [43.272 ms, 43.979 ms] | 7.233 ms (19.9%) |

Dacapo

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | sarah.chen/backport-pr-9028 |
| git_commit_date | 1753372641 | 1753373051 |
| git_commit_sha | 94cd99a | 7581abc |
| release_version | 1.51.1-SNAPSHOT~94cd99adda | 1.51.0-SNAPSHOT~7581abc3f7 |

See matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | biojava | biojava |
| ci_job_date | 1753376465 | 1753376465 |
| ci_job_id | 1046274939 | 1046274939 |
| ci_pipeline_id | 71614800 | 71614800 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-zfyrx7zua-project-304-concurrent-2-k9l496mf 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux | Linux runner-zfyrx7zua-project-304-concurrent-2-k9l496mf 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |

Summary

Found 1 performance improvements and 0 performance regressions! Performance is the same for 10 metrics, 1 unstable metrics.

| scenario | Δ mean execution_time | candidate mean execution_time | baseline mean execution_time |
|---|---|---|---|
| scenario:dacapo:tomcat:appsec | better [-1.410ms; -1.071ms] or [-38.825%; -29.505%] | 2.390ms | 3.631ms |
Execution time for biojava

```mermaid
gantt
    title biojava - execution time [CI 0.99] : candidate=1.51.0-SNAPSHOT~7581abc3f7, baseline=1.51.1-SNAPSHOT~94cd99adda
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.53 s) : 15530000, 15530000
.   : milestone, 15530000,
appsec (14.933 s) : 14933000, 14933000
.   : milestone, 14933000,
iast (18.182 s) : 18182000, 18182000
.   : milestone, 18182000,
iast_GLOBAL (17.985 s) : 17985000, 17985000
.   : milestone, 17985000,
profiling (14.959 s) : 14959000, 14959000
.   : milestone, 14959000,
tracing (14.909 s) : 14909000, 14909000
.   : milestone, 14909000,
section candidate
no_agent (15.285 s) : 15285000, 15285000
.   : milestone, 15285000,
appsec (15.141 s) : 15141000, 15141000
.   : milestone, 15141000,
iast (18.388 s) : 18388000, 18388000
.   : milestone, 18388000,
iast_GLOBAL (17.954 s) : 17954000, 17954000
.   : milestone, 17954000,
profiling (15.337 s) : 15337000, 15337000
.   : milestone, 15337000,
tracing (14.889 s) : 14889000, 14889000
.   : milestone, 14889000,
```

  • baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.53 s [15.53 s, 15.53 s] | - |
| appsec | 14.933 s [14.933 s, 14.933 s] | -597.0 ms (-3.8%) |
| iast | 18.182 s [18.182 s, 18.182 s] | 2.652 s (17.1%) |
| iast_GLOBAL | 17.985 s [17.985 s, 17.985 s] | 2.455 s (15.8%) |
| profiling | 14.959 s [14.959 s, 14.959 s] | -571.0 ms (-3.7%) |
| tracing | 14.909 s [14.909 s, 14.909 s] | -621.0 ms (-4.0%) |

  • candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.285 s [15.285 s, 15.285 s] | - |
| appsec | 15.141 s [15.141 s, 15.141 s] | -144.0 ms (-0.9%) |
| iast | 18.388 s [18.388 s, 18.388 s] | 3.103 s (20.3%) |
| iast_GLOBAL | 17.954 s [17.954 s, 17.954 s] | 2.669 s (17.5%) |
| profiling | 15.337 s [15.337 s, 15.337 s] | 52.0 ms (0.3%) |
| tracing | 14.889 s [14.889 s, 14.889 s] | -396.0 ms (-2.6%) |
Execution time for tomcat

```mermaid
gantt
    title tomcat - execution time [CI 0.99] : candidate=1.51.0-SNAPSHOT~7581abc3f7, baseline=1.51.1-SNAPSHOT~94cd99adda
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.47 ms) : 1458, 1481
.   : milestone, 1470,
appsec (3.631 ms) : 3414, 3848
.   : milestone, 3631,
iast (2.191 ms) : 2128, 2253
.   : milestone, 2191,
iast_GLOBAL (2.226 ms) : 2163, 2289
.   : milestone, 2226,
profiling (2.035 ms) : 1985, 2085
.   : milestone, 2035,
tracing (2.015 ms) : 1966, 2064
.   : milestone, 2015,
section candidate
no_agent (1.475 ms) : 1464, 1487
.   : milestone, 1475,
appsec (2.39 ms) : 2341, 2439
.   : milestone, 2390,
iast (2.178 ms) : 2116, 2240
.   : milestone, 2178,
iast_GLOBAL (2.224 ms) : 2162, 2287
.   : milestone, 2224,
profiling (2.481 ms) : 2311, 2652
.   : milestone, 2481,
tracing (1.992 ms) : 1944, 2039
.   : milestone, 1992,
```

  • baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.47 ms [1.458 ms, 1.481 ms] | - |
| appsec | 3.631 ms [3.414 ms, 3.848 ms] | 2.161 ms (147.0%) |
| iast | 2.191 ms [2.128 ms, 2.253 ms] | 720.621 µs (49.0%) |
| iast_GLOBAL | 2.226 ms [2.163 ms, 2.289 ms] | 756.355 µs (51.5%) |
| profiling | 2.035 ms [1.985 ms, 2.085 ms] | 565.055 µs (38.4%) |
| tracing | 2.015 ms [1.966 ms, 2.064 ms] | 544.738 µs (37.1%) |

  • candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.475 ms [1.464 ms, 1.487 ms] | - |
| appsec | 2.39 ms [2.341 ms, 2.439 ms] | 915.034 µs (62.0%) |
| iast | 2.178 ms [2.116 ms, 2.24 ms] | 702.357 µs (47.6%) |
| iast_GLOBAL | 2.224 ms [2.162 ms, 2.287 ms] | 748.973 µs (50.8%) |
| profiling | 2.481 ms [2.311 ms, 2.652 ms] | 1.006 ms (68.2%) |
| tracing | 1.992 ms [1.944 ms, 2.039 ms] | 516.251 µs (35.0%) |

@sarahchen6
Contributor Author

We no longer need to proceed with the 1.50.2 release.

@sarahchen6 sarahchen6 closed this Jul 24, 2025