Extract interface for tainted objects

Author: manuel-alvarez-alvarez

dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/iast/NamedContext.java

@@ -2,8 +2,9 @@
 
 import datadog.trace.api.iast.IastContext;
 import datadog.trace.api.iast.InstrumentationBridge;
-import datadog.trace.api.iast.Taintable.Source;
 import datadog.trace.api.iast.propagation.PropagationModule;
+import datadog.trace.api.iast.taint.Source;
+import datadog.trace.api.iast.taint.TaintedObjects;
 import datadog.trace.bootstrap.ContextStore;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import javax.annotation.Nonnull;
@@ -30,7 +31,8 @@ public static <E> NamedContext getOrCreate(
     }
     final PropagationModule module = InstrumentationBridge.PROPAGATION;
     if (module != null) {
-      final Source source = module.findSource(target);
+      final TaintedObjects to = IastContext.Provider.taintedObjects();
+      final Source source = module.findSource(to, target);
       if (source != null) {
         result = new NamedContextImpl(module, source);
       }
@@ -60,7 +62,7 @@ private static class NamedContextImpl extends NamedContext {
     @Nullable private String currentName;
 
     private boolean fetched;
-    @Nullable private IastContext context;
+    @Nullable private TaintedObjects to;
 
     public NamedContextImpl(@Nonnull final PropagationModule module, @Nonnull final Source source) {
       this.module = module;
@@ -69,7 +71,7 @@ public NamedContextImpl(@Nonnull final PropagationModule module, @Nonnull final
 
     @Override
     public void taintValue(@Nullable final String value) {
-      module.taintString(iastCtx(), value, source.getOrigin(), currentName, source.getValue());
+      module.taintObject(to(), value, source.getOrigin(), currentName, source.getValue());
     }
 
     @Override
@@ -79,7 +81,7 @@ public void taintName(@Nullable final String name) {
       // prevent tainting the same name more than once
       if (currentName != name) {
         currentName = name;
-        module.taintString(iastCtx(), name, source.getOrigin(), name, source.getValue());
+        module.taintObject(to(), name, source.getOrigin(), name, source.getValue());
       }
     }
 
@@ -88,12 +90,12 @@ public void setCurrentName(@Nullable final String name) {
       currentName = name;
     }
 
-    private IastContext iastCtx() {
+    private TaintedObjects to() {
       if (!fetched) {
         fetched = true;
-        context = IastContext.Provider.get();
+        to = IastContext.Provider.taintedObjects();
       }
-      return context;
+      return to;
     }
   }
 }

dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/iast/NamedContextTest.groovy

@@ -3,8 +3,8 @@ package datadog.trace.bootstrap.instrumentation.iast
 
 import datadog.trace.api.iast.InstrumentationBridge
 import datadog.trace.api.iast.SourceTypes
-import datadog.trace.api.iast.Taintable.Source
 import datadog.trace.api.iast.propagation.PropagationModule
+import datadog.trace.api.iast.taint.Source
 import datadog.trace.bootstrap.ContextStore
 import datadog.trace.test.util.DDSpecification
 
@@ -38,7 +38,7 @@ class NamedContextTest extends DDSpecification {
     context.taintName(name)
 
     then:
-    1 * module.taintString(_, name, source.origin, name, source.value)
+    1 * module.taintObject(_, name, source.origin, name, source.value)
 
     when:
     context.taintName(name)
@@ -50,7 +50,7 @@ class NamedContextTest extends DDSpecification {
     context.taintValue(value)
 
     then:
-    1 * module.taintString(_, value, source.origin, name, source.value)
+    1 * module.taintObject(_, value, source.origin, name, source.value)
     0 * _
   }
 
@@ -82,5 +82,20 @@ class NamedContextTest extends DDSpecification {
     byte origin
     String name
     String value
+
+    @Override
+    Source attachValue(Object newValue) {
+      return new SourceImpl(origin: origin, name: name, value: newValue as String)
+    }
+
+    @Override
+    boolean isReference() {
+      return false
+    }
+
+    @Override
+    Object getRawValue() {
+      return value
+    }
   }
 }

dd-java-agent/agent-builder/src/main/java/datadog/trace/agent/tooling/AgentInstaller.java

@@ -6,7 +6,6 @@
 import static net.bytebuddy.matcher.ElementMatchers.isDefaultFinalizer;
 
 import datadog.trace.agent.tooling.bytebuddy.SharedTypePools;
-import datadog.trace.agent.tooling.bytebuddy.iast.TaintableRedefinitionStrategyListener;
 import datadog.trace.agent.tooling.bytebuddy.matcher.DDElementMatchers;
 import datadog.trace.agent.tooling.bytebuddy.memoize.MemoizedMatchers;
 import datadog.trace.agent.tooling.bytebuddy.outline.TypePoolFacade;
@@ -146,7 +145,6 @@ public static ClassFileTransformer installBytebuddyAgent(
             .with(AgentStrategies.transformerDecorator())
             .with(AgentBuilder.RedefinitionStrategy.RETRANSFORMATION)
             .with(AgentStrategies.rediscoveryStrategy())
-            .with(redefinitionStrategyListener(enabledSystems))
             .with(AgentStrategies.locationStrategy())
             .with(AgentStrategies.poolStrategy())
             .with(AgentBuilder.DescriptionStrategy.Default.POOL_ONLY)
@@ -163,7 +161,6 @@ public static ClassFileTransformer installBytebuddyAgent(
           agentBuilder
               .with(AgentBuilder.RedefinitionStrategy.RETRANSFORMATION)
               .with(AgentStrategies.rediscoveryStrategy())
-              .with(redefinitionStrategyListener(enabledSystems))
               .with(new RedefinitionLoggingListener())
               .with(new TransformLoggingListener());
     }
@@ -331,15 +328,6 @@ private static void addByteBuddyRawSetting() {
     }
   }
 
-  private static AgentBuilder.RedefinitionStrategy.Listener redefinitionStrategyListener(
-      final Set<InstrumenterModule.TargetSystem> enabledSystems) {
-    if (enabledSystems.contains(InstrumenterModule.TargetSystem.IAST)) {
-      return TaintableRedefinitionStrategyListener.INSTANCE;
-    } else {
-      return AgentBuilder.RedefinitionStrategy.Listener.NoOp.INSTANCE;
-    }
-  }
-
   static class RedefinitionLoggingListener implements AgentBuilder.RedefinitionStrategy.Listener {
 
     private static final Logger log = LoggerFactory.getLogger(RedefinitionLoggingListener.class);

dd-java-agent/agent-iast/src/jmh/java/com/datadog/iast/propagation/AbstractBenchmark.java

@@ -3,14 +3,15 @@
 import static java.util.concurrent.TimeUnit.NANOSECONDS;
 
 import com.datadog.iast.IastSystem;
-import com.datadog.iast.model.Range;
-import com.datadog.iast.model.Source;
-import com.datadog.iast.taint.TaintedObjects;
+import com.datadog.iast.model.SourceImpl;
 import datadog.trace.api.Config;
 import datadog.trace.api.ProductActivation;
 import datadog.trace.api.gateway.InstrumentationGateway;
 import datadog.trace.api.gateway.RequestContextSlot;
 import datadog.trace.api.iast.IastContext;
+import datadog.trace.api.iast.taint.Range;
+import datadog.trace.api.iast.taint.Source;
+import datadog.trace.api.iast.taint.TaintedObjects;
 import datadog.trace.bootstrap.instrumentation.api.AgentScope;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
 import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
@@ -95,7 +96,7 @@ protected <E> E notTainted(final E value) {
   }
 
   protected Source source() {
-    return new Source((byte) 0, "key", "value");
+    return new SourceImpl((byte) 0, "key", "value");
   }
 
   private static long computeHash(final Object value) {

dd-java-agent/agent-iast/src/jmh/java/com/datadog/iast/propagation/StringBuilderAppendBenchmark.java

@@ -3,7 +3,7 @@
 import static datadog.trace.api.iast.VulnerabilityMarks.NOT_MARKED;
 
 import com.datadog.iast.IastRequestContext;
-import com.datadog.iast.model.Range;
+import com.datadog.iast.model.RangeImpl;
 import datadog.trace.api.iast.IastContext;
 import datadog.trace.instrumentation.java.lang.StringBuilderCallSite;
 import org.openjdk.jmh.annotations.Benchmark;
@@ -17,14 +17,14 @@ protected Context initializeContext() {
     final IastRequestContext context = new IastRequestContext();
     final String notTainted = notTainted("I am not a tainted string");
     final String tainted =
-        tainted(context, "I am a tainted string", new Range(5, 6, source(), NOT_MARKED));
+        tainted(context, "I am a tainted string", new RangeImpl(5, 6, source(), NOT_MARKED));
     final StringBuilder notTaintedBuilder =
         notTainted(new StringBuilder("I am not a tainted string builder"));
     final StringBuilder taintedBuilder =
         tainted(
             context,
             new StringBuilder("I am a tainted string builder"),
-            new Range(5, 6, source(), NOT_MARKED));
+            new RangeImpl(5, 6, source(), NOT_MARKED));
     return new Context(context, notTainted, tainted, notTaintedBuilder, taintedBuilder);
   }
 

dd-java-agent/agent-iast/src/jmh/java/com/datadog/iast/propagation/StringBuilderBatchBenchmark.java

@@ -4,7 +4,7 @@
 import static java.util.concurrent.TimeUnit.MICROSECONDS;
 
 import com.datadog.iast.IastRequestContext;
-import com.datadog.iast.model.Range;
+import com.datadog.iast.model.RangeImpl;
 import datadog.trace.api.iast.IastContext;
 import datadog.trace.instrumentation.java.lang.StringBuilderCallSite;
 import java.util.ArrayList;
@@ -36,7 +36,8 @@ protected StringBuilderBatchBenchmark.Context initializeContext() {
       final String value;
       if (current < limit) {
         value =
-            tainted(context, UUID.randomUUID().toString(), new Range(3, 6, source(), NOT_MARKED));
+            tainted(
+                context, UUID.randomUUID().toString(), new RangeImpl(3, 6, source(), NOT_MARKED));
       } else {
         value = notTainted(UUID.randomUUID().toString());
       }

dd-java-agent/agent-iast/src/jmh/java/com/datadog/iast/propagation/StringBuilderInitBenchmark.java

@@ -3,7 +3,7 @@
 import static datadog.trace.api.iast.VulnerabilityMarks.NOT_MARKED;
 
 import com.datadog.iast.IastRequestContext;
-import com.datadog.iast.model.Range;
+import com.datadog.iast.model.RangeImpl;
 import datadog.trace.api.iast.IastContext;
 import datadog.trace.instrumentation.java.lang.StringBuilderCallSite;
 import org.openjdk.jmh.annotations.Benchmark;
@@ -17,7 +17,7 @@ protected Context initializeContext() {
     final IastRequestContext context = new IastRequestContext();
     final String notTainted = notTainted("I am not a tainted string");
     final String tainted =
-        tainted(context, "I am a tainted string", new Range(3, 6, source(), NOT_MARKED));
+        tainted(context, "I am a tainted string", new RangeImpl(3, 6, source(), NOT_MARKED));
     return new Context(context, notTainted, tainted);
   }
 

dd-java-agent/agent-iast/src/jmh/java/com/datadog/iast/propagation/StringBuilderToStringBenchmark.java

@@ -3,7 +3,7 @@
 import static datadog.trace.api.iast.VulnerabilityMarks.NOT_MARKED;
 
 import com.datadog.iast.IastRequestContext;
-import com.datadog.iast.model.Range;
+import com.datadog.iast.model.RangeImpl;
 import datadog.trace.api.iast.IastContext;
 import datadog.trace.instrumentation.java.lang.StringBuilderCallSite;
 import org.openjdk.jmh.annotations.Benchmark;
@@ -21,7 +21,7 @@ protected Context initializeContext() {
         tainted(
             context,
             new StringBuilder("I am a tainted string builder"),
-            new Range(5, 7, source(), NOT_MARKED));
+            new RangeImpl(5, 7, source(), NOT_MARKED));
     return new Context(context, notTaintedBuilder, taintedBuilder);
   }
 

dd-java-agent/agent-iast/src/jmh/java/com/datadog/iast/propagation/StringConcatBenchmark.java

@@ -3,7 +3,7 @@
 import static datadog.trace.api.iast.VulnerabilityMarks.NOT_MARKED;
 
 import com.datadog.iast.IastRequestContext;
-import com.datadog.iast.model.Range;
+import com.datadog.iast.model.RangeImpl;
 import datadog.trace.api.iast.IastContext;
 import datadog.trace.instrumentation.java.lang.StringCallSite;
 import org.openjdk.jmh.annotations.Benchmark;
@@ -16,7 +16,7 @@ protected StringConcatBenchmark.Context initializeContext() {
     final IastRequestContext context = new IastRequestContext();
     final String notTainted = notTainted("I am not a tainted string");
     final String tainted =
-        tainted(context, "I am a tainted string", new Range(3, 5, source(), NOT_MARKED));
+        tainted(context, "I am a tainted string", new RangeImpl(3, 5, source(), NOT_MARKED));
     return new StringConcatBenchmark.Context(context, notTainted, tainted);
   }
 

dd-java-agent/agent-iast/src/jmh/java/com/datadog/iast/propagation/StringConcatFactoryBatchBenchmark.java

@@ -4,7 +4,7 @@
 import static java.util.concurrent.TimeUnit.MICROSECONDS;
 
 import com.datadog.iast.IastRequestContext;
-import com.datadog.iast.model.Range;
+import com.datadog.iast.model.RangeImpl;
 import datadog.trace.api.iast.IastContext;
 import datadog.trace.api.iast.InstrumentationBridge;
 import java.lang.invoke.MethodHandle;
@@ -56,7 +56,7 @@ protected StringConcatFactoryBatchBenchmark.Context initializeContext() {
       double current = i / (double) stringCount;
       final String value;
       if (current < limit) {
-        value = tainted(context, "Yep, tainted", new Range(3, 5, source(), NOT_MARKED));
+        value = tainted(context, "Yep, tainted", new RangeImpl(3, 5, source(), NOT_MARKED));
       } else {
         value = notTainted("Nop, tainted");
       }