Add propagation to StringBuilder substring methods (#7980)

Author: Mariovido

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/propagation/StringModuleImpl.java

@@ -185,7 +185,7 @@ public void onStringConcatFactory(
   @Override
   @SuppressFBWarnings("ES_COMPARING_PARAMETER_STRING_WITH_EQ")
   public void onStringSubSequence(
-      @Nonnull String self, int beginIndex, int endIndex, @Nullable CharSequence result) {
+      @Nonnull CharSequence self, int beginIndex, int endIndex, @Nullable CharSequence result) {
     if (self == result || !canBeTainted(result)) {
       return;
     }

dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/propagation/StringModuleTest.groovy

@@ -481,37 +481,42 @@ class StringModuleTest extends IastModuleImplTestBase {
     }
 
     where:
-    self                      | beginIndex | endIndex | expected
-    "==>0123<=="              | 0          | 4        | "==>0123<=="
-    "0123==>456<==78"         | 0          | 5        | "0123==>4<=="
-    "01==>234<==5==>678<==90" | 0          | 8        | "01==>234<==5==>67<=="
-    "==>0123<=="              | 0          | 3        | "==>012<=="
-    "==>0123<=="              | 1          | 4        | "==>123<=="
-    "==>0123<=="              | 1          | 3        | "==>12<=="
-    "0123==>456<==78"         | 1          | 8        | "123==>456<==7"
-    "0123==>456<==78"         | 0          | 4        | "0123"
-    "0123==>456<==78"         | 7          | 9        | "78"
-    "0123==>456<==78"         | 1          | 5        | "123==>4<=="
-    "0123==>456<==78"         | 1          | 6        | "123==>45<=="
-    "0123==>456<==78"         | 4          | 7        | "==>456<=="
-    "0123==>456<==78"         | 6          | 8        | "==>6<==7"
-    "0123==>456<==78"         | 5          | 8        | "==>56<==7"
-    "0123==>456<==78"         | 4          | 6        | "==>45<=="
-    "01==>234<==5==>678<==90" | 1          | 10       | "1==>234<==5==>678<==9"
-    "01==>234<==5==>678<==90" | 1          | 2        | "1"
-    "01==>234<==5==>678<==90" | 5          | 6        | "5"
-    "01==>234<==5==>678<==90" | 9          | 10       | "9"
-    "01==>234<==5==>678<==90" | 1          | 4        | "1==>23<=="
-    "01==>234<==5==>678<==90" | 2          | 4        | "==>23<=="
-    "01==>234<==5==>678<==90" | 2          | 5        | "==>234<=="
-    "01==>234<==5==>678<==90" | 1          | 8        | "1==>234<==5==>67<=="
-    "01==>234<==5==>678<==90" | 2          | 8        | "==>234<==5==>67<=="
-    "01==>234<==5==>678<==90" | 2          | 9        | "==>234<==5==>678<=="
-    "01==>234<==5==>678<==90" | 5          | 8        | "5==>67<=="
-    "01==>234<==5==>678<==90" | 6          | 8        | "==>67<=="
-    "01==>234<==5==>678<==90" | 6          | 9        | "==>678<=="
-    "01==>234<==5==>678<==90" | 4          | 9        | "==>4<==5==>678<=="
-    "01==>234<==5==>678<==90" | 4          | 8        | "==>4<==5==>67<=="
+    self                          | beginIndex | endIndex | expected
+    "==>0123<=="                  | 0          | 4        | "==>0123<=="
+    "0123==>456<==78"             | 0          | 5        | "0123==>4<=="
+    "01==>234<==5==>678<==90"     | 0          | 8        | "01==>234<==5==>67<=="
+    "==>0123<=="                  | 0          | 3        | "==>012<=="
+    "==>0123<=="                  | 1          | 4        | "==>123<=="
+    "==>0123<=="                  | 1          | 3        | "==>12<=="
+    "0123==>456<==78"             | 1          | 8        | "123==>456<==7"
+    "0123==>456<==78"             | 0          | 4        | "0123"
+    "0123==>456<==78"             | 7          | 9        | "78"
+    "0123==>456<==78"             | 1          | 5        | "123==>4<=="
+    "0123==>456<==78"             | 1          | 6        | "123==>45<=="
+    "0123==>456<==78"             | 4          | 7        | "==>456<=="
+    "0123==>456<==78"             | 6          | 8        | "==>6<==7"
+    "0123==>456<==78"             | 5          | 8        | "==>56<==7"
+    "0123==>456<==78"             | 4          | 6        | "==>45<=="
+    "01==>234<==5==>678<==90"     | 1          | 10       | "1==>234<==5==>678<==9"
+    "01==>234<==5==>678<==90"     | 1          | 2        | "1"
+    "01==>234<==5==>678<==90"     | 5          | 6        | "5"
+    "01==>234<==5==>678<==90"     | 9          | 10       | "9"
+    "01==>234<==5==>678<==90"     | 1          | 4        | "1==>23<=="
+    "01==>234<==5==>678<==90"     | 2          | 4        | "==>23<=="
+    "01==>234<==5==>678<==90"     | 2          | 5        | "==>234<=="
+    "01==>234<==5==>678<==90"     | 1          | 8        | "1==>234<==5==>67<=="
+    "01==>234<==5==>678<==90"     | 2          | 8        | "==>234<==5==>67<=="
+    "01==>234<==5==>678<==90"     | 2          | 9        | "==>234<==5==>678<=="
+    "01==>234<==5==>678<==90"     | 5          | 8        | "5==>67<=="
+    "01==>234<==5==>678<==90"     | 6          | 8        | "==>67<=="
+    "01==>234<==5==>678<==90"     | 6          | 9        | "==>678<=="
+    "01==>234<==5==>678<==90"     | 4          | 9        | "==>4<==5==>678<=="
+    "01==>234<==5==>678<==90"     | 4          | 8        | "==>4<==5==>67<=="
+    sb("==>0123<==")              | 0          | 4        | "==>0123<=="
+    sb("0123==>456<==78")         | 0          | 5        | "0123==>4<=="
+    sb("01==>234<==5==>678<==90") | 0          | 8        | "01==>234<==5==>67<=="
+    sb("0123==>456<==78")         | 4          | 6        | "==>45<=="
+    sb("01==>234<==5==>678<==90") | 4          | 8        | "==>4<==5==>67<=="
   }
 
   void 'onStringJoin without null delimiter or elements (#delimiter, #elements)'() {

dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/taint/TaintUtils.groovy

@@ -74,6 +74,13 @@ class TaintUtils {
     new String(s.replace(OPEN_MARK, "").replace(CLOSE_MARK, ""))
   }
 
+  static String getStringFromTaintFormat(final Appendable appendable) {
+    if (appendable == null) {
+      return null
+    }
+    getStringFromTaintFormat(appendable.toString())
+  }
+
   static <E> E taint(final TaintedObjects tos, final E value) {
     if (value instanceof String) {
       return addFromTaintFormat(tos, value as String)

dd-java-agent/instrumentation/java-lang/src/main/java/datadog/trace/instrumentation/java/lang/StringBuilderCallSite.java

@@ -101,4 +101,37 @@ public static String afterToString(
     }
     return result;
   }
+
+  @CallSite.After("java.lang.String java.lang.StringBuilder.substring(int)")
+  public static String afterSubstring(
+      @CallSite.This final CharSequence self,
+      @CallSite.Argument final int beginIndex,
+      @CallSite.Return final String result) {
+    final StringModule module = InstrumentationBridge.STRING;
+    if (module != null) {
+      try {
+        module.onStringSubSequence(self, beginIndex, self.length(), result);
+      } catch (final Throwable e) {
+        module.onUnexpectedException("afterSubstring threw", e);
+      }
+    }
+    return result;
+  }
+
+  @CallSite.After("java.lang.String java.lang.StringBuilder.substring(int, int)")
+  public static String afterSubstring(
+      @CallSite.This final CharSequence self,
+      @CallSite.Argument final int beginIndex,
+      @CallSite.Argument final int endIndex,
+      @CallSite.Return final String result) {
+    final StringModule module = InstrumentationBridge.STRING;
+    if (module != null) {
+      try {
+        module.onStringSubSequence(self, beginIndex, endIndex, result);
+      } catch (final Throwable e) {
+        module.onUnexpectedException("afterSubstring threw", e);
+      }
+    }
+    return result;
+  }
 }

dd-java-agent/instrumentation/java-lang/src/test/groovy/datadog/trace/instrumentation/java/lang/StringBuilderCallSiteTest.groovy

@@ -174,6 +174,42 @@ class StringBuilderCallSiteTest extends AgentTestRunner {
     ex.stackTrace.find { it.className == StringBuilderCallSite.name } == null
   }
 
+  def 'test string builder substring call site'() {
+    setup:
+    final iastModule = Mock(StringModule)
+    InstrumentationBridge.registerIastModule(iastModule)
+
+    when:
+    final result = TestStringBuilderSuite.substring(param, beginIndex)
+
+    then:
+    result == expected
+    1 * iastModule.onStringSubSequence(param, beginIndex, param.length(), expected)
+    0 * _
+
+    where:
+    param        | beginIndex | expected
+    sb('012345') | 1          | '12345'
+  }
+
+  def 'test string builder substring with endIndex call site'() {
+    setup:
+    final iastModule = Mock(StringModule)
+    InstrumentationBridge.registerIastModule(iastModule)
+
+    when:
+    final result = TestStringBuilderSuite.substring(param, beginIndex, endIndex)
+
+    then:
+    result == expected
+    1 * iastModule.onStringSubSequence(param, beginIndex, endIndex, expected)
+    0 * _
+
+    where:
+    param        | beginIndex | endIndex | expected
+    sb('012345') | 1          | 5        | '1234'
+  }
+
   private static class BrokenToString {
     @Override
     String toString() {
@@ -186,4 +222,8 @@ class StringBuilderCallSiteTest extends AgentTestRunner {
       super(message)
     }
   }
+
+  private static StringBuilder sb(final String string) {
+    return new StringBuilder(string)
+  }
 }

dd-java-agent/instrumentation/java-lang/src/test/java/foo/bar/TestStringBuilderSuite.java

@@ -76,4 +76,18 @@ public String plus(final Object... items) {
     LOGGER.debug("After string builder toString {}", result);
     return result;
   }
+
+  public static String substring(StringBuilder self, int beginIndex, int endIndex) {
+    LOGGER.debug("Before string builder substring {} from {} to {}", self, beginIndex, endIndex);
+    final String result = self.substring(beginIndex, endIndex);
+    LOGGER.debug("After string builder substring {}", result);
+    return result;
+  }
+
+  public static String substring(StringBuilder self, int beginIndex) {
+    LOGGER.debug("Before string builder substring {} from {}", self, beginIndex);
+    final String result = self.substring(beginIndex);
+    LOGGER.debug("After string builder substring {}", result);
+    return result;
+  }
 }

internal-api/src/main/java/datadog/trace/api/iast/propagation/StringModule.java

@@ -23,7 +23,7 @@ void onStringConcatFactory(
       @Nonnull int[] recipeOffsets);
 
   void onStringSubSequence(
-      @Nonnull String self, int beginIndex, int endIndex, @Nullable CharSequence result);
+      @Nonnull CharSequence self, int beginIndex, int endIndex, @Nullable CharSequence result);
 
   void onStringJoin(
       @Nullable String result, @Nonnull CharSequence delimiter, @Nonnull CharSequence[] elements);