Exploit prevention for SSRF (in java.net.URL) (#7373)

Adds support for SSRF protection via RASP to network connections started via java.net.URL:

Extend support of IAST call sites to RASP (usually both IAST and RASP share the same targets as IAST detects the vulnerability and RASP performs the protection)
Add SSRF support to the WAF via the server.io.net.url address

Author: manuel-alvarez-alvarez

buildSrc/call-site-instrumentation-plugin/src/main/java/datadog/trace/plugin/csi/impl/AdviceGeneratorImpl.java

@@ -55,6 +55,7 @@
 import datadog.trace.plugin.csi.util.ErrorCode;
 import datadog.trace.plugin.csi.util.MethodType;
 import java.io.File;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 import java.util.stream.Collectors;
@@ -156,9 +157,11 @@ private static ClassOrInterfaceDeclaration callSitesType(
     type.setModifier(PUBLIC, true);
     type.setName(getClassName(advice));
     type.addImplementedType(CALL_SITES_CLASS);
-    if (!CALL_SITES_FQCN.equals(callSite.getSpi().getClassName())) {
-      javaClass.addImport(callSite.getSpi().getClassName());
-      type.addImplementedType(getClassName(callSite.getSpi(), false));
+    for (final Type spi : callSite.getSpi()) {
+      if (!CALL_SITES_FQCN.equals(spi.getClassName())) {
+        javaClass.addImport(spi.getClassName());
+        type.addImplementedType(getClassName(spi, false));
+      }
     }
     javaClass.addType(type);
     return type;
@@ -168,9 +171,12 @@ private static void addAutoServiceAnnotation(
       final ClassOrInterfaceDeclaration javaClass, final CallSiteSpecification callSite) {
     final NormalAnnotationExpr autoService = new NormalAnnotationExpr();
     autoService.setName(AUTO_SERVICE_FQDN);
-    autoService.addPair(
-        "value",
-        new ClassExpr(new ClassOrInterfaceType().setName(getClassName(callSite.getSpi(), false))));
+    final Type[] spiTypes = callSite.getSpi();
+    final List<Expression> spiExprs = new ArrayList<>(spiTypes.length);
+    for (final Type spi : spiTypes) {
+      spiExprs.add(new ClassExpr(new ClassOrInterfaceType().setName(getClassName(spi, false))));
+    }
+    autoService.addPair("value", new ArrayInitializerExpr().setValues(new NodeList<>(spiExprs)));
     javaClass.addAnnotation(autoService);
   }
 

buildSrc/call-site-instrumentation-plugin/src/main/java/datadog/trace/plugin/csi/impl/AsmSpecificationBuilder.java

@@ -76,7 +76,7 @@ private static class SpecificationVisitor extends ClassVisitor {
     private boolean isCallSite;
     private final List<AdviceSpecification> advices = new ArrayList<>();
     private final Set<Type> helpers = new HashSet<>();
-    private Type spi;
+    private final Set<Type> spi = new HashSet<>();
     private List<String> enabled = new ArrayList<>();
     private CallSiteSpecification result;
 
@@ -101,16 +101,17 @@ public AnnotationVisitor visitAnnotation(final String descriptor, final boolean
       if (isCallSite) {
         helpers.add(clazz);
         return new AnnotationVisitor(ASM_API_VERSION) {
-          @Override
-          public void visit(final String key, final Object value) {
-            if ("spi".equals(key)) {
-              spi = (Type) value;
-            }
-          }
 
           @Override
           public AnnotationVisitor visitArray(final String name) {
-            if ("helpers".equals(name)) {
+            if ("spi".equals(name)) {
+              return new AnnotationVisitor(ASM_API_VERSION) {
+                @Override
+                public void visit(final String name, final Object value) {
+                  spi.add((Type) value);
+                }
+              };
+            } else if ("helpers".equals(name)) {
               return new AnnotationVisitor(ASM_API_VERSION) {
                 @Override
                 public void visit(final String name, final Object value) {

buildSrc/call-site-instrumentation-plugin/src/main/java/datadog/trace/plugin/csi/impl/CallSiteSpecification.java

@@ -32,19 +32,19 @@ public class CallSiteSpecification implements Validatable {
 
   private final Type clazz;
   private final List<AdviceSpecification> advices;
-  private final Type spi;
+  private final Type[] spi;
   private final Enabled enabled;
   private final Type[] helpers;
 
   public CallSiteSpecification(
       @Nonnull final Type clazz,
       @Nonnull final List<AdviceSpecification> advices,
-      @Nonnull final Type spi,
+      @Nonnull final Set<Type> spi,
       @Nonnull final List<String> enabled,
       @Nonnull final Set<Type> helpers) {
     this.clazz = clazz;
     this.advices = advices;
-    this.spi = spi;
+    this.spi = spi.toArray(new Type[0]);
     this.enabled = enabled.isEmpty() ? null : new Enabled(enabled);
     this.helpers = helpers.toArray(new Type[0]);
   }
@@ -53,12 +53,14 @@ public CallSiteSpecification(
   public void validate(@Nonnull final ValidationContext context) {
     final TypeResolver typeResolver = context.getContextProperty(TYPE_RESOLVER);
     try {
-      Class<?> spiClass = typeResolver.resolveType(spi);
-      if (!spiClass.isInterface()) {
-        context.addError(ErrorCode.CALL_SITE_SPI_SHOULD_BE_AN_INTERFACE, spiClass);
-      } else {
-        if (spiClass.getDeclaredMethods().length > 0) {
-          context.addError(ErrorCode.CALL_SITE_SPI_SHOULD_BE_EMPTY, spiClass);
+      for (Type spiType : spi) {
+        Class<?> spiClass = typeResolver.resolveType(spiType);
+        if (!spiClass.isInterface()) {
+          context.addError(ErrorCode.CALL_SITE_SPI_SHOULD_BE_AN_INTERFACE, spiClass);
+        } else {
+          if (spiClass.getDeclaredMethods().length > 0) {
+            context.addError(ErrorCode.CALL_SITE_SPI_SHOULD_BE_EMPTY, spiClass);
+          }
         }
       }
     } catch (ResolutionException e) {
@@ -84,7 +86,7 @@ public Type getClazz() {
     return clazz;
   }
 
-  public Type getSpi() {
+  public Type[] getSpi() {
     return spi;
   }
 

buildSrc/call-site-instrumentation-plugin/src/main/java/datadog/trace/plugin/csi/impl/ext/IastExtension.java

@@ -53,6 +53,7 @@
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 import javax.annotation.Nonnull;
+import org.objectweb.asm.Type;
 
 @SuppressWarnings("OptionalGetWithoutIsPresent")
 public class IastExtension implements Extension {
@@ -79,7 +80,12 @@ public class IastExtension implements Extension {
 
   @Override
   public boolean appliesTo(@Nonnull final CallSiteSpecification spec) {
-    return IAST_CALL_SITES_FQCN.equals(spec.getSpi().getClassName());
+    for (Type spi : spec.getSpi()) {
+      if (IAST_CALL_SITES_FQCN.equals(spi.getClassName())) {
+        return true;
+      }
+    }
+    return false;
   }
 
   @Override

buildSrc/call-site-instrumentation-plugin/src/test/groovy/datadog/trace/plugin/csi/impl/AdviceGeneratorTest.groovy

@@ -6,6 +6,8 @@ import datadog.trace.agent.tooling.csi.CallSites
 import datadog.trace.plugin.csi.AdviceGenerator
 import datadog.trace.plugin.csi.impl.assertion.AssertBuilder
 import datadog.trace.plugin.csi.impl.assertion.CallSiteAssert
+import datadog.trace.plugin.csi.impl.ext.tests.IastCallSites
+import datadog.trace.plugin.csi.impl.ext.tests.RaspCallSites
 import groovy.transform.CompileDynamic
 import spock.lang.Requires
 import spock.lang.TempDir
@@ -448,6 +450,29 @@ final class AdviceGeneratorTest extends BaseCsiPluginTest {
     }
   }
 
+  @CallSite(spi = [IastCallSites, RaspCallSites])
+  class MultipleSpiClassesAdvice {
+    @CallSite.After("void java.lang.StringBuilder.<init>(java.lang.String)")
+    static Object after(@CallSite.AllArguments Object[] args, @CallSite.Return Object result) {
+      return result
+    }
+  }
+
+  void 'test multiple spi classes'() {
+    setup:
+    final spec = buildClassSpecification(MultipleSpiClassesAdvice)
+    final generator = buildAdviceGenerator(buildDir)
+
+    when:
+    final result = generator.generate(spec)
+
+    then:
+    assertNoErrors result
+    assertCallSites(result.file) {
+      spi(IastCallSites, RaspCallSites)
+    }
+  }
+
   private static AdviceGenerator buildAdviceGenerator(final File targetFolder) {
     return new AdviceGeneratorImpl(targetFolder, pointcutParser())
   }

buildSrc/call-site-instrumentation-plugin/src/test/groovy/datadog/trace/plugin/csi/impl/AsmSpecificationBuilderTest.groovy

@@ -49,7 +49,7 @@ final class AsmSpecificationBuilderTest extends BaseCsiPluginTest {
     final result = specificationBuilder.build(advice).orElseThrow(RuntimeException::new)
 
     then:
-    result.spi == Type.getType(WithSpiClass.Spi)
+    result.spi == [Type.getType(WithSpiClass.Spi)] as Type[]
   }
 
   @CallSite(spi = CallSites, helpers = [SampleHelper1.class, SampleHelper2.class])

buildSrc/call-site-instrumentation-plugin/src/test/groovy/datadog/trace/plugin/csi/impl/CallSiteSpecificationTest.groovy

@@ -10,7 +10,7 @@ class CallSiteSpecificationTest extends BaseCsiPluginTest {
   def 'test call site spi should be an interface'() {
     setup:
     final context = mockValidationContext()
-    final spec = new CallSiteSpecification(Type.getType(String), [Mock(AdviceSpecification)], Type.getType(String), [] as List<String>, [] as Set<Type>)
+    final spec = new CallSiteSpecification(Type.getType(String), [Mock(AdviceSpecification)], [Type.getType(String)] as Set<Type>, [] as List<String>, [] as Set<Type>)
 
     when:
     spec.validate(context)
@@ -22,7 +22,7 @@ class CallSiteSpecificationTest extends BaseCsiPluginTest {
   def 'test call site spi should not define any methods'() {
     setup:
     final context = mockValidationContext()
-    final spec = new CallSiteSpecification(Type.getType(String), [Mock(AdviceSpecification)], Type.getType(Comparable), [] as List<String>, [] as Set<Type>)
+    final spec = new CallSiteSpecification(Type.getType(String), [Mock(AdviceSpecification)], [Type.getType(Comparable)] as Set<Type>, [] as List<String>, [] as Set<Type>)
 
     when:
     spec.validate(context)
@@ -34,7 +34,7 @@ class CallSiteSpecificationTest extends BaseCsiPluginTest {
   def 'test call site should have advices'() {
     setup:
     final context = mockValidationContext()
-    final spec = new CallSiteSpecification(Type.getType(String), [], Type.getType(CallSiteAdvice), [] as List<String>, [] as Set<Type>)
+    final spec = new CallSiteSpecification(Type.getType(String), [], [Type.getType(CallSiteAdvice)] as Set<Type>, [] as List<String>, [] as Set<Type>)
 
     when:
     spec.validate(context)

buildSrc/call-site-instrumentation-plugin/src/test/groovy/datadog/trace/plugin/csi/impl/assertion/AssertBuilder.groovy

@@ -31,33 +31,42 @@ class AssertBuilder<C extends CallSiteAssert> {
     def (enabled, enabledArgs) = getEnabledDeclaration(targetType, interfaces)
     return (C) new CallSiteAssert([
       interfaces : getInterfaces(targetType),
+      spi        : getSpi(targetType),
       helpers    : getHelpers(targetType),
       advices    : getAdvices(targetType),
       enabled    : enabled,
       enabledArgs: enabledArgs
     ])
   }
 
-  protected List<Class<?>> getInterfaces(final ClassOrInterfaceDeclaration type) {
+  protected Set<Class<?>> getSpi(final ClassOrInterfaceDeclaration type) {
+    return type.getAnnotationByName('AutoService').get().asNormalAnnotationExpr()
+      .collect { it.pairs.find { it.name.toString() == 'value' }.value.asArrayInitializerExpr() }
+      .collectMany { it.getValues() }
+      .collect { it.asClassExpr().getType().resolve().typeDeclaration.get().clazz }
+      .toSet()
+  }
+
+  protected Set<Class<?>> getInterfaces(final ClassOrInterfaceDeclaration type) {
     return type.asClassOrInterfaceDeclaration().implementedTypes.collect {
       final resolved = it.asClassOrInterfaceType().resolve()
       return resolved.typeDeclaration.get().clazz
-    }
+    }.toSet()
   }
 
-  protected def getEnabledDeclaration(final ClassOrInterfaceDeclaration type, final List<Class<?>> interfaces) {
+  protected def getEnabledDeclaration(final ClassOrInterfaceDeclaration type, final Set<Class<?>> interfaces) {
     if (!interfaces.contains(CallSites.HasEnabledProperty)) {
       return [null, null]
     }
     final isEnabled = type.getMethodsByName('isEnabled').first()
     final returnStatement = isEnabled.body.get().statements.first.get().asReturnStmt()
     final enabledMethodCall = returnStatement.expression.get().asMethodCallExpr()
     final enabled = resolveMethod(enabledMethodCall)
-    final enabledArgs = enabledMethodCall.getArguments().collect { it.asStringLiteralExpr().asString() }
+    final enabledArgs = enabledMethodCall.getArguments().collect { it.asStringLiteralExpr().asString() }.toSet()
     return [enabled, enabledArgs]
   }
 
-  protected List<Class<?>> getHelpers(final ClassOrInterfaceDeclaration type) {
+  protected Set<Class<?>> getHelpers(final ClassOrInterfaceDeclaration type) {
     final acceptMethod = type.getMethodsByName('accept').first()
     final methodCalls = getMethodCalls(acceptMethod)
     return methodCalls.findAll {
@@ -66,15 +75,15 @@ class AssertBuilder<C extends CallSiteAssert> {
       it.arguments
     }.collect {
       typeResolver().resolveType(classNameToType(it.asStringLiteralExpr().asString()))
-    }
+    }.toSet()
   }
 
   protected List<AdviceAssert> getAdvices(final ClassOrInterfaceDeclaration type) {
     final acceptMethod = type.getMethodsByName('accept').first()
     return getMethodCalls(acceptMethod).findAll {
       it.nameAsString == 'addAdvice'
     }.collect {
-      def (owner, method, descriptor) =  it.arguments.subList(0, 3)*.asStringLiteralExpr()*.asString()
+      def (owner, method, descriptor) = it.arguments.subList(0, 3)*.asStringLiteralExpr()*.asString()
       final handlerLambda = it.arguments[3].asLambdaExpr()
       final advice = handlerLambda.body.asBlockStmt().statements*.toString()
       return new AdviceAssert([

buildSrc/call-site-instrumentation-plugin/src/test/groovy/datadog/trace/plugin/csi/impl/assertion/CallSiteAssert.groovy

@@ -2,20 +2,27 @@ package datadog.trace.plugin.csi.impl.assertion
 
 import java.lang.reflect.Method
 
+import static java.util.Arrays.asList
+
 class CallSiteAssert {
 
-  protected Collection<Class<?>> interfaces
-  protected Collection<Class<?>> helpers
+  protected Set<Class<?>> interfaces
+  protected Set<Class<?>> spi
+  protected Set<Class<?>> helpers
   protected Collection<AdviceAssert> advices
   protected Method enabled
-  protected Collection<String> enabledArgs
+  protected Set<String> enabledArgs
 
   void interfaces(Class<?>... values) {
-    assert values.toList() == interfaces
+    assertSameElements(interfaces, values)
   }
 
   void helpers(Class<?>... values) {
-    assert values.toList() == helpers
+    assertSameElements(helpers, values)
+  }
+
+  void spi(Class<?>...values) {
+    assertSameElements(spi, values)
   }
 
   void advices(int index, @DelegatesTo(AdviceAssert) Closure closure) {
@@ -26,6 +33,10 @@ class CallSiteAssert {
 
   void enabled(Method method, String... args) {
     assert method == enabled
-    assert args.toList() == enabledArgs
+    assertSameElements(enabledArgs, args)
+  }
+
+  private static <E> void assertSameElements(final Set<E> expected, final E...received) {
+    assert received.length == expected.size() && expected.containsAll(asList(received))
   }
 }

buildSrc/call-site-instrumentation-plugin/src/test/groovy/datadog/trace/plugin/csi/impl/ext/IastExtensionTest.groovy

@@ -151,6 +151,7 @@ class IastExtensionTest extends BaseCsiPluginTest {
 
     IastExtensionCallSiteAssert(CallSiteAssert base) {
       interfaces = base.interfaces
+      spi = base.spi
       helpers = base.helpers
       advices = base.advices
       enabled = base.enabled