Add propagation to StringBuffer substring methods #7992

Merged
merged 2 commits into from
Nov 22, 2024
Merged
Expand Up @@ -481,42 +481,47 @@ class StringModuleTest extends IastModuleImplTestBase {
}

where:
self | beginIndex | endIndex | expected
"==>0123<==" | 0 | 4 | "==>0123<=="
"0123==>456<==78" | 0 | 5 | "0123==>4<=="
"01==>234<==5==>678<==90" | 0 | 8 | "01==>234<==5==>67<=="
"==>0123<==" | 0 | 3 | "==>012<=="
"==>0123<==" | 1 | 4 | "==>123<=="
"==>0123<==" | 1 | 3 | "==>12<=="
"0123==>456<==78" | 1 | 8 | "123==>456<==7"
"0123==>456<==78" | 0 | 4 | "0123"
"0123==>456<==78" | 7 | 9 | "78"
"0123==>456<==78" | 1 | 5 | "123==>4<=="
"0123==>456<==78" | 1 | 6 | "123==>45<=="
"0123==>456<==78" | 4 | 7 | "==>456<=="
"0123==>456<==78" | 6 | 8 | "==>6<==7"
"0123==>456<==78" | 5 | 8 | "==>56<==7"
"0123==>456<==78" | 4 | 6 | "==>45<=="
"01==>234<==5==>678<==90" | 1 | 10 | "1==>234<==5==>678<==9"
"01==>234<==5==>678<==90" | 1 | 2 | "1"
"01==>234<==5==>678<==90" | 5 | 6 | "5"
"01==>234<==5==>678<==90" | 9 | 10 | "9"
"01==>234<==5==>678<==90" | 1 | 4 | "1==>23<=="
"01==>234<==5==>678<==90" | 2 | 4 | "==>23<=="
"01==>234<==5==>678<==90" | 2 | 5 | "==>234<=="
"01==>234<==5==>678<==90" | 1 | 8 | "1==>234<==5==>67<=="
"01==>234<==5==>678<==90" | 2 | 8 | "==>234<==5==>67<=="
"01==>234<==5==>678<==90" | 2 | 9 | "==>234<==5==>678<=="
"01==>234<==5==>678<==90" | 5 | 8 | "5==>67<=="
"01==>234<==5==>678<==90" | 6 | 8 | "==>67<=="
"01==>234<==5==>678<==90" | 6 | 9 | "==>678<=="
"01==>234<==5==>678<==90" | 4 | 9 | "==>4<==5==>678<=="
"01==>234<==5==>678<==90" | 4 | 8 | "==>4<==5==>67<=="
sb("==>0123<==") | 0 | 4 | "==>0123<=="
sb("0123==>456<==78") | 0 | 5 | "0123==>4<=="
sb("01==>234<==5==>678<==90") | 0 | 8 | "01==>234<==5==>67<=="
sb("0123==>456<==78") | 4 | 6 | "==>45<=="
sb("01==>234<==5==>678<==90") | 4 | 8 | "==>4<==5==>67<=="
self | beginIndex | endIndex | expected
"==>0123<==" | 0 | 4 | "==>0123<=="
"0123==>456<==78" | 0 | 5 | "0123==>4<=="
"01==>234<==5==>678<==90" | 0 | 8 | "01==>234<==5==>67<=="
"==>0123<==" | 0 | 3 | "==>012<=="
"==>0123<==" | 1 | 4 | "==>123<=="
"==>0123<==" | 1 | 3 | "==>12<=="
"0123==>456<==78" | 1 | 8 | "123==>456<==7"
"0123==>456<==78" | 0 | 4 | "0123"
"0123==>456<==78" | 7 | 9 | "78"
"0123==>456<==78" | 1 | 5 | "123==>4<=="
"0123==>456<==78" | 1 | 6 | "123==>45<=="
"0123==>456<==78" | 4 | 7 | "==>456<=="
"0123==>456<==78" | 6 | 8 | "==>6<==7"
"0123==>456<==78" | 5 | 8 | "==>56<==7"
"0123==>456<==78" | 4 | 6 | "==>45<=="
"01==>234<==5==>678<==90" | 1 | 10 | "1==>234<==5==>678<==9"
"01==>234<==5==>678<==90" | 1 | 2 | "1"
"01==>234<==5==>678<==90" | 5 | 6 | "5"
"01==>234<==5==>678<==90" | 9 | 10 | "9"
"01==>234<==5==>678<==90" | 1 | 4 | "1==>23<=="
"01==>234<==5==>678<==90" | 2 | 4 | "==>23<=="
"01==>234<==5==>678<==90" | 2 | 5 | "==>234<=="
"01==>234<==5==>678<==90" | 1 | 8 | "1==>234<==5==>67<=="
"01==>234<==5==>678<==90" | 2 | 8 | "==>234<==5==>67<=="
"01==>234<==5==>678<==90" | 2 | 9 | "==>234<==5==>678<=="
"01==>234<==5==>678<==90" | 5 | 8 | "5==>67<=="
"01==>234<==5==>678<==90" | 6 | 8 | "==>67<=="
"01==>234<==5==>678<==90" | 6 | 9 | "==>678<=="
"01==>234<==5==>678<==90" | 4 | 9 | "==>4<==5==>678<=="
"01==>234<==5==>678<==90" | 4 | 8 | "==>4<==5==>67<=="
sb("==>0123<==") | 0 | 4 | "==>0123<=="
sb("0123==>456<==78") | 0 | 5 | "0123==>4<=="
sb("01==>234<==5==>678<==90") | 0 | 8 | "01==>234<==5==>67<=="
sb("0123==>456<==78") | 4 | 6 | "==>45<=="
sb("01==>234<==5==>678<==90") | 4 | 8 | "==>4<==5==>67<=="
sbf("==>0123<==") | 0 | 4 | "==>0123<=="
sbf("0123==>456<==78") | 0 | 5 | "0123==>4<=="
sbf("01==>234<==5==>678<==90") | 0 | 8 | "01==>234<==5==>67<=="
sbf("0123==>456<==78") | 4 | 6 | "==>45<=="
sbf("01==>234<==5==>678<==90") | 4 | 8 | "==>4<==5==>67<=="
}

void 'onStringJoin without null delimiter or elements (#delimiter, #elements)'() {
Expand Down Expand Up @@ -1263,4 +1268,8 @@ class StringModuleTest extends IastModuleImplTestBase {
private static StringBuilder sb(final String string) {
return new StringBuilder(string)
}

private static StringBuffer sbf(final String string) {
return new StringBuffer(string)
}
}
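Review bot: The five new `sbf(...)` rows mirror the five `sb(...)` rows but leave out the case that matters most for a newly propagated receiver, the one where the slice drops the tainted range entirely; the `String` receiver has it at `"0123==>456<==78" | 0 | 4 | "0123"`. Adding `sbf("0123==>456<==78") | 0 | 4 | "0123"` (and the same for `sb`) would catch a regression that keeps or leaks a range when nothing tainted survives the substring on a buffer. The `where:` table's feature method starts above the hunk, so which module method it drives cannot be confirmed from here.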
Expand Up @@ -103,13 +103,18 @@ class TaintUtils {
return resultString
}

static StringBuilder addFromTaintFormat(final TaintedObjects tos, final StringBuilder sb) {
static Appendable addFromTaintFormat(final TaintedObjects tos, final Appendable sb) {
final String s = sb.toString()
final ranges = fromTaintFormat(s)
if (ranges == null || ranges.length == 0) {
return sb
}
final result = new StringBuilder(getStringFromTaintFormat(s))
def result
if (sb instanceof StringBuffer) {
result = new StringBuffer(getStringFromTaintFormat(s))
} else {
result = new StringBuilder(getStringFromTaintFormat(s))
}
tos.taint(result, ranges)
return result
}
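Review bot: Widening `addFromTaintFormat` to `Appendable` promises more than the new branch supports: anything that is not a `StringBuffer` silently becomes a fresh `StringBuilder`, so a caller passing e.g. a `StringWriter` gets back an object of a different type and the taint is attached to that copy rather than to what it passed. Since the helper only has the two buffer types in mind, fail loudly instead of guessing: before the `if`, `if (!(sb instanceof StringBuilder) && !(sb instanceof StringBuffer)) { throw new IllegalArgumentException("unsupported Appendable: " + sb.getClass().name) }`. Typing the local as `Appendable result` rather than `def result` would also keep the two branches' contract visible to the next reader.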
Expand Up @@ -10,6 +10,9 @@
import javax.annotation.Nonnull;
import javax.annotation.Nullable;

/**
* This class provides instrumentation for {@link StringBuilder} and {@link StringBuffer} methods.
*/
@Propagation
@CallSite(spi = IastCallSites.class)
public class StringBuilderCallSite {
Expand Down Expand Up @@ -103,6 +106,7 @@ public static String afterToString(
}

@CallSite.After("java.lang.String java.lang.StringBuilder.substring(int)")
@CallSite.After("java.lang.String java.lang.StringBuffer.substring(int)")
public static String afterSubstring(
@CallSite.This final CharSequence self,
@CallSite.Argument final int beginIndex,
Expand All @@ -119,6 +123,7 @@ public static String afterSubstring(
}

@CallSite.After("java.lang.String java.lang.StringBuilder.substring(int, int)")
@CallSite.After("java.lang.String java.lang.StringBuffer.substring(int, int)")
public static String afterSubstring(
@CallSite.This final CharSequence self,
@CallSite.Argument final int beginIndex,
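Review bot: The new class Javadoc says the class instruments `StringBuffer` methods, but in this section only the two `substring` overloads gain a `java.lang.StringBuffer` call-site binding; if `append`, `toString` and the constructors stay StringBuilder-only, someone auditing IAST taint coverage will over-estimate which `StringBuffer` flows propagate. Suggest stating the scope explicitly, e.g. `* For {@link StringBuffer} only the {@code substring} overloads are currently propagated; other operations are not instrumented.` (adjust if advice not shown here already covers them). Both `afterSubstring` bodies continue outside the hunk, so whether they read the buffer's taint ranges after the synchronized call has returned, where a concurrent append could shift indices, cannot be confirmed from this view; a one-line comment on that assumption would help if they do.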
Expand Up @@ -188,8 +188,9 @@ class StringBuilderCallSiteTest extends AgentTestRunner {
0 * _

where:
param | beginIndex | expected
sb('012345') | 1 | '12345'
param | beginIndex | expected
sb('012345') | 1 | '12345'
sbf('012345') | 1 | '12345'
}

def 'test string builder substring with endIndex call site'() {
Expand All @@ -206,8 +207,9 @@ class StringBuilderCallSiteTest extends AgentTestRunner {
0 * _

where:
param | beginIndex | endIndex | expected
sb('012345') | 1 | 5 | '1234'
param | beginIndex | endIndex | expected
sb('012345') | 1 | 5 | '1234'
sbf('012345') | 1 | 5 | '1234'
}

private static class BrokenToString {
Expand All @@ -226,4 +228,8 @@ class StringBuilderCallSiteTest extends AgentTestRunner {
private static StringBuilder sb(final String string) {
return new StringBuilder(string)
}

private static StringBuffer sbf(final String string) {
return new StringBuffer(string)
}
}
Expand Up @@ -90,4 +90,18 @@ public static String substring(StringBuilder self, int beginIndex) {
LOGGER.debug("After string builder substring {}", result);
return result;
}

public static String substring(StringBuffer self, int beginIndex, int endIndex) {
LOGGER.debug("Before string buffer substring {} from {} to {}", self, beginIndex, endIndex);
final String result = self.substring(beginIndex, endIndex);
LOGGER.debug("After string buffer substring {}", result);
return result;
}

public static String substring(StringBuffer self, int beginIndex) {
LOGGER.debug("Before string buffer substring {} from {}", self, beginIndex);
final String result = self.substring(beginIndex);
LOGGER.debug("After string buffer substring {}", result);
return result;
}
}
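Review bot: The two new `StringBuffer` overloads are byte-for-byte copies of the `StringBuilder` ones apart from the log text, and nothing says why they are not merged into one `CharSequence` overload; the reason is that the advice in `StringBuilderCallSite` binds to the exact `java.lang.StringBuffer.substring(int, int)` / `substring(int)` descriptors, so `self` must be statically a `StringBuffer` for the instrumented call to exist. A comment above the first new overload would stop the next cleanup from merging them and silently losing the test: `// Kept separate from the StringBuilder overloads on purpose: the call-site advice matches the exact StringBuffer.substring descriptor, so self must be statically a StringBuffer here.` The enclosing class starts above the hunk.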