Fix BitSet builder in VulnerabilityTypes (#8212)

Mariovido · web-flow · commit 02fa05c31df1 · 2025-01-16T11:38:40.000+01:00
diff --git a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/VulnerabilityType.java b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/VulnerabilityType.java
@@ -25,143 +25,143 @@
 
 public interface VulnerabilityType {
 
-  BitSet DB_EXCLUDED = new BitSet(SourceTypes.SQL_TABLE);
-
   VulnerabilityType WEAK_CIPHER =
-      type(VulnerabilityTypes.WEAK_CIPHER).excludedSources(DB_EXCLUDED).build();
+      type(VulnerabilityTypes.WEAK_CIPHER).excludedSources(Builder.DB_EXCLUDED).build();
   VulnerabilityType WEAK_HASH =
-      type(VulnerabilityTypes.WEAK_HASH).excludedSources(DB_EXCLUDED).build();
+      type(VulnerabilityTypes.WEAK_HASH).excludedSources(Builder.DB_EXCLUDED).build();
   VulnerabilityType INSECURE_COOKIE =
       type(VulnerabilityTypes.INSECURE_COOKIE)
           .hash(VulnerabilityType::evidenceHash)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
   VulnerabilityType NO_HTTPONLY_COOKIE =
       type(VulnerabilityTypes.NO_HTTPONLY_COOKIE)
           .hash(VulnerabilityType::evidenceHash)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
   VulnerabilityType HSTS_HEADER_MISSING =
       type(VulnerabilityTypes.HSTS_HEADER_MISSING)
           .hash(VulnerabilityType::serviceHash)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
   VulnerabilityType XCONTENTTYPE_HEADER_MISSING =
       type(VulnerabilityTypes.XCONTENTTYPE_HEADER_MISSING)
           .hash(VulnerabilityType::serviceHash)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
   VulnerabilityType NO_SAMESITE_COOKIE =
       type(VulnerabilityTypes.NO_SAMESITE_COOKIE)
           .hash(VulnerabilityType::evidenceHash)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
 
   VulnerabilityType SQL_INJECTION =
       type(VulnerabilityTypes.SQL_INJECTION).mark(SQL_INJECTION_MARK).build();
   VulnerabilityType COMMAND_INJECTION =
       type(VulnerabilityTypes.COMMAND_INJECTION)
           .mark(COMMAND_INJECTION_MARK)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
   VulnerabilityType PATH_TRAVERSAL =
       type(VulnerabilityTypes.PATH_TRAVERSAL)
           .separator(File.separatorChar)
           .mark(PATH_TRAVERSAL_MARK)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
   VulnerabilityType LDAP_INJECTION =
       type(VulnerabilityTypes.LDAP_INJECTION)
           .mark(LDAP_INJECTION_MARK)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
   VulnerabilityType SSRF =
-      type(VulnerabilityTypes.SSRF).mark(SSRF_MARK).excludedSources(DB_EXCLUDED).build();
+      type(VulnerabilityTypes.SSRF).mark(SSRF_MARK).excludedSources(Builder.DB_EXCLUDED).build();
   VulnerabilityType UNVALIDATED_REDIRECT =
       type(VulnerabilityTypes.UNVALIDATED_REDIRECT)
           .mark(UNVALIDATED_REDIRECT_MARK)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
   VulnerabilityType WEAK_RANDOMNESS =
-      type(VulnerabilityTypes.WEAK_RANDOMNESS).excludedSources(DB_EXCLUDED).build();
+      type(VulnerabilityTypes.WEAK_RANDOMNESS).excludedSources(Builder.DB_EXCLUDED).build();
 
   VulnerabilityType XPATH_INJECTION =
       type(VulnerabilityTypes.XPATH_INJECTION)
           .mark(XPATH_INJECTION_MARK)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
 
   VulnerabilityType TRUST_BOUNDARY_VIOLATION =
       type(VulnerabilityTypes.TRUST_BOUNDARY_VIOLATION)
           .mark(TRUST_BOUNDARY_VIOLATION_MARK)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
 
   VulnerabilityType XSS = type(VulnerabilityTypes.XSS).mark(XSS_MARK).build();
 
   VulnerabilityType HEADER_INJECTION =
       type(VulnerabilityTypes.HEADER_INJECTION)
           .mark(HEADER_INJECTION_MARK)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
 
   VulnerabilityType STACKTRACE_LEAK =
-      type(VulnerabilityTypes.STACKTRACE_LEAK).excludedSources(DB_EXCLUDED).build();
+      type(VulnerabilityTypes.STACKTRACE_LEAK).excludedSources(Builder.DB_EXCLUDED).build();
 
   VulnerabilityType VERB_TAMPERING =
-      type(VulnerabilityTypes.VERB_TAMPERING).excludedSources(DB_EXCLUDED).build();
+      type(VulnerabilityTypes.VERB_TAMPERING).excludedSources(Builder.DB_EXCLUDED).build();
 
   VulnerabilityType ADMIN_CONSOLE_ACTIVE =
       type(VulnerabilityTypes.ADMIN_CONSOLE_ACTIVE)
           .deduplicable(false)
           .hash(VulnerabilityType::serviceHash)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
 
   VulnerabilityType DEFAULT_HTML_ESCAPE_INVALID =
-      type(VulnerabilityTypes.DEFAULT_HTML_ESCAPE_INVALID).excludedSources(DB_EXCLUDED).build();
+      type(VulnerabilityTypes.DEFAULT_HTML_ESCAPE_INVALID)
+          .excludedSources(Builder.DB_EXCLUDED)
+          .build();
 
   VulnerabilityType SESSION_TIMEOUT =
-      type(VulnerabilityTypes.SESSION_TIMEOUT).excludedSources(DB_EXCLUDED).build();
+      type(VulnerabilityTypes.SESSION_TIMEOUT).excludedSources(Builder.DB_EXCLUDED).build();
 
   VulnerabilityType DIRECTORY_LISTING_LEAK =
-      type(VulnerabilityTypes.DIRECTORY_LISTING_LEAK).excludedSources(DB_EXCLUDED).build();
+      type(VulnerabilityTypes.DIRECTORY_LISTING_LEAK).excludedSources(Builder.DB_EXCLUDED).build();
   VulnerabilityType INSECURE_JSP_LAYOUT =
-      type(VulnerabilityTypes.INSECURE_JSP_LAYOUT).excludedSources(DB_EXCLUDED).build();
+      type(VulnerabilityTypes.INSECURE_JSP_LAYOUT).excludedSources(Builder.DB_EXCLUDED).build();
 
   VulnerabilityType HARDCODED_SECRET =
-      type(VulnerabilityTypes.HARDCODED_SECRET).excludedSources(DB_EXCLUDED).build();
+      type(VulnerabilityTypes.HARDCODED_SECRET).excludedSources(Builder.DB_EXCLUDED).build();
 
   VulnerabilityType INSECURE_AUTH_PROTOCOL =
       type(VulnerabilityTypes.INSECURE_AUTH_PROTOCOL)
           .hash(VulnerabilityType::evidenceHash)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
 
   VulnerabilityType REFLECTION_INJECTION =
       type(VulnerabilityTypes.REFLECTION_INJECTION)
           .mark(REFLECTION_INJECTION_MARK)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
 
   VulnerabilityType SESSION_REWRITING =
       type(VulnerabilityTypes.SESSION_REWRITING)
           .deduplicable(false)
           .hash(VulnerabilityType::serviceHash)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
 
   VulnerabilityType DEFAULT_APP_DEPLOYED =
       type(VulnerabilityTypes.DEFAULT_APP_DEPLOYED)
           .deduplicable(false)
           .hash(VulnerabilityType::serviceHash)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
 
   VulnerabilityType UNTRUSTED_DESERIALIZATION =
       type(VulnerabilityTypes.UNTRUSTED_DESERIALIZATION)
           .mark(UNTRUSTED_DESERIALIZATION_MARK)
-          .excludedSources(DB_EXCLUDED)
+          .excludedSources(Builder.DB_EXCLUDED)
           .build();
 
   /* All vulnerability types that have a mark. Should be updated if new vulnerabilityType with mark is added */
@@ -271,6 +271,13 @@ public String getName() {
   }
 
   class Builder {
+    private static final BitSet DB_EXCLUDED;
+
+    static {
+      DB_EXCLUDED = new BitSet(SourceTypes.STRINGS.length + 1);
+      DB_EXCLUDED.set(SourceTypes.SQL_TABLE);
+    }
+
     private final byte type;
     private char separator = ' ';
     private int mark = NOT_MARKED;
diff --git a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/taint/Ranges.java b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/taint/Ranges.java
@@ -438,7 +438,8 @@ public static Range[] excludeRangesBySource(Range[] ranges, BitSet source) {
     RangeBuilder newRanges = new RangeBuilder(ranges.length);
 
     for (Range range : ranges) {
-      if (!source.get(range.getSource().getOrigin())) {
+      if (range.getSource().getOrigin() == SourceTypes.NONE
+          || !source.get(range.getSource().getOrigin())) {
         newRanges.add(range);
       }
     }

Original file line number	Diff line number	Diff line change
`@@ -438,7 +438,8 @@ public static Range[] excludeRangesBySource(Range[] ranges, BitSet source) {`
`438`	`438`	`RangeBuilder newRanges = new RangeBuilder(ranges.length);`
`439`	`439`
`440`	`440`	`for (Range range : ranges) {`
`441`		`- if (!source.get(range.getSource().getOrigin())) {`
	`441`	`+ if (range.getSource().getOrigin() == SourceTypes.NONE`
	`442`	`+ \|\| !source.get(range.getSource().getOrigin())) {`
`442`	`443`	`newRanges.add(range);`
`443`	`444`	`}`
`444`	`445`	`}`