Add taint propagation to the String indent method (#7707)

Author: Mariovido

buildSrc/call-site-instrumentation-plugin/build.gradle.kts

@@ -34,8 +34,8 @@ dependencies {
   compileOnly("com.google.code.findbugs", "jsr305", "3.0.2")
 
   implementation("org.freemarker", "freemarker", "2.3.30")
-  implementation("org.ow2.asm", "asm", "9.0")
-  implementation("org.ow2.asm", "asm-tree", "9.0")
+  implementation("org.ow2.asm", "asm", "9.7")
+  implementation("org.ow2.asm", "asm-tree", "9.7")
   implementation("com.github.javaparser", "javaparser-symbol-solver-core", "3.24.4")
 
   testImplementation("net.bytebuddy", "byte-buddy", "1.14.18")

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/propagation/StringModuleImpl.java

@@ -604,6 +604,33 @@ public void onStringStrip(@Nonnull String self, @Nonnull String result, boolean
     }
   }
 
+  @Override
+  @SuppressFBWarnings("ES_COMPARING_PARAMETER_STRING_WITH_EQ")
+  public void onIndent(@Nonnull String self, int indentation, @Nonnull String result) {
+    if (self == result || !canBeTainted(self)) {
+      return;
+    }
+    final IastContext ctx = IastContext.Provider.get();
+    if (ctx == null) {
+      return;
+    }
+    final TaintedObjects taintedObjects = ctx.getTaintedObjects();
+    final TaintedObject taintedSelf = taintedObjects.get(self);
+    if (taintedSelf == null) {
+      return;
+    }
+
+    final Range[] rangesSelf = taintedSelf.getRanges();
+    if (rangesSelf.length == 0) {
+      return;
+    }
+
+    final Range[] newRanges = Ranges.forIndentation(self, indentation, rangesSelf);
+    if (newRanges != null) {
+      taintedObjects.taint(result, newRanges);
+    }
+  }
+
   /**
    * Adds the tainted ranges belonging to the current parameter added via placeholder taking care of
    * an optional tainted placeholder.

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/taint/Ranges.java

@@ -8,6 +8,7 @@
 import com.datadog.iast.util.HttpHeader;
 import com.datadog.iast.util.RangeBuilder;
 import com.datadog.iast.util.Ranged;
+import com.datadog.iast.util.StringUtils;
 import datadog.trace.api.iast.SourceTypes;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
@@ -304,4 +305,125 @@ public static Range[] getNotMarkedRanges(@Nullable final Range[] ranges, final i
   public static Range copyWithPosition(final Range range, final int offset, final int length) {
     return new Range(offset, length, range.getSource(), range.getMarks());
   }
+
+  /** Returns a new array of ranges with the indentation applied to each line */
+  public static Range[] forIndentation(
+      String input, int indentation, final @Nonnull Range[] ranges) {
+    final Range[] newRanges = new Range[ranges.length];
+    int delimitersCount = 0;
+    int offset = 0;
+    int rangeStart = 0;
+    int currentIndex = 0;
+    int totalWhiteSpaces = 0;
+    while (rangeStart < ranges.length || currentIndex < input.length() - 1) {
+      final int[] delimiterIndex = getNextDelimiterIndex(input, currentIndex, currentIndex + 1);
+      final int lineOffset = delimiterIndex[1] == 2 ? 1 : 0;
+      int currentIndentation;
+      // In case indentation is negative we need to check if it will take more than the first
+      // non-white space character
+      if (indentation < 0) {
+        final int whiteSpaces =
+            StringUtils.leadingWhitespaces(input, currentIndex, delimiterIndex[0]);
+        currentIndentation = Math.max(indentation, -whiteSpaces) - totalWhiteSpaces;
+        totalWhiteSpaces += whiteSpaces;
+      } else {
+        currentIndentation = indentation * ++delimitersCount;
+      }
+      currentIndentation -= offset;
+      rangeStart =
+          updateRangesWithIndentation(
+              currentIndex,
+              delimiterIndex[0] - 1,
+              indentation,
+              rangeStart,
+              ranges,
+              newRanges,
+              currentIndentation,
+              lineOffset);
+      offset += lineOffset;
+      currentIndex = delimiterIndex[0];
+    }
+
+    return newRanges;
+  }
+
+  /**
+   * Returns two numbers in an array:
+   *
+   * <p>1. The index of the next delimiter (his last character)
+   *
+   * <p>2. The length of the delimiter ({@code 1} or {@code 2})
+   *
+   * <p>In case there is no delimiter, it will return the last index of the string and {@code 1}
+   *
+   * @param original is the original string
+   * @param start is the start index of the substring
+   * @param offset is to take into account the previous lines
+   */
+  private static int[] getNextDelimiterIndex(
+      @Nonnull final String original, final int start, final int offset) {
+    for (int i = start; i < original.length(); i++) {
+      final char c = original.charAt(i);
+      if (c == '\n') {
+        return new int[] {i + offset, 1};
+      } else if (c == '\r') {
+        if (i + 1 < original.length() && original.charAt(i + 1) == '\n') {
+          return new int[] {i + 1 + offset, 2};
+        }
+        return new int[] {i + offset, 1};
+      }
+    }
+
+    return new int[] {original.length() - 1 + offset - start, 1};
+  }
+
+  /**
+   * Updates the {@code newRanges} array between the {@code start} index and the {@code end} index
+   * and taking into account the {@code indentation}
+   *
+   * <p>The {@code rangeStart} is the index of the first range that will be checked
+   *
+   * <p>The {@code ranges} is the current ranges array
+   *
+   * <p>The {@code offset} is to take into account the normalization of the indent method
+   *
+   * <p>The {@code lineOffset} is to know if the line is being normalized
+   *
+   * @return the index of the first range that will be checked
+   */
+  private static int updateRangesWithIndentation(
+      int start,
+      int end,
+      int indentation,
+      int rangeStart,
+      final @Nonnull Range[] ranges,
+      final @Nonnull Range[] newRanges,
+      int offset,
+      int lineOffset) {
+    int i = rangeStart;
+    while (i < ranges.length && ranges[i].getStart() <= end) {
+      Range range = ranges[i];
+      if (range.getStart() >= start) {
+        final int newStart = range.getStart() + offset;
+        int newLength = range.getLength();
+        if (range.getStart() + range.getLength() > end) {
+          newLength -= lineOffset;
+        }
+        newRanges[i] = new Range(newStart, newLength, range.getSource(), range.getMarks());
+      } else if (range.getStart() + range.getLength() >= start) {
+        final Range newRange = newRanges[i];
+        final int newLength = newRange.getLength() + indentation;
+        newRanges[i] =
+            new Range(newRange.getStart(), newLength, newRange.getSource(), newRange.getMarks());
+      }
+
+      if (range.getStart() + range.getLength() - 1 <= end) {
+        rangeStart++;
+      }
+
+      i++;
+    }
+
+    return rangeStart;
+  }
 }

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/util/StringUtils.java

@@ -38,4 +38,14 @@ public static String substringTrim(@Nonnull final String value, int start, int e
     }
     return start >= end ? "" : value.substring(start, end);
   }
+
+  /** Returns how many leading whitespaces are between the start and the end of the string */
+  @Nonnull
+  public static int leadingWhitespaces(@Nonnull final String value, int start, int end) {
+    int whitespaces = start;
+    while (whitespaces < end && Character.isWhitespace(value.charAt(whitespaces))) {
+      whitespaces++;
+    }
+    return whitespaces;
+  }
 }

dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/propagation/StringModuleTest.groovy

@@ -1056,6 +1056,46 @@ class StringModuleTest extends IastModuleImplTestBase {
     true     | ""                      | ""
   }
 
+  void 'test indent and make sure IastRequestContext is called'() {
+    given:
+    final taintedObjects = ctx.getTaintedObjects()
+    def self = addFromTaintFormat(taintedObjects, testString)
+    objectHolder.add(self)
+
+    and:
+    final result = getStringFromTaintFormat(expected)
+    objectHolder.add(expected)
+    final shouldBeTainted = fromTaintFormat(expected) != null
+
+    when:
+    module.onIndent(self, indentation, result)
+
+    then:
+    1 * tracer.activeSpan() >> span
+    def to = ctx.getTaintedObjects().get(result)
+    if (shouldBeTainted) {
+      assert to != null
+      assert to.get() == result
+      assert taintFormat(to.get() as String, to.getRanges()) == expected
+    } else {
+      assert to == null
+    }
+    where:
+    indentation | testString                                                      | expected
+    4           | "==>123<==\n12==>3<=="                                          | "    ==>123<==\n    12==>3<=="
+    4           | "==>123<==\r\n12==>3<=="                                        | "    ==>123<==\n    12==>3<=="
+    4           | "==>123\n1<==2==>3<=="                                          | "    ==>123\n    1<==2==>3<=="
+    4           | "==>123\r\n1<==2==>3<=="                                        | "    ==>123\n    1<==2==>3<=="
+    0           | "==>123<==\r\n==>123<=="                                        | "==>123<==\n==>123<=="
+    0           | "==>123\r\n<====>123<=="                                        | "==>123\n<====>123<=="
+    0           | "==>123<==\r==>123<=="                                          | "==>123<==\n==>123<=="
+    0           | "==>123\r<====>123<=="                                          | "==>123\n<====>123<=="
+    -4          | "    ==>123<==\n    12==>3<=="                                  | "==>123<==\n12==>3<=="
+    -4          | "    ==>123<==\r\n    12==>3<=="                                | "==>123<==\n12==>3<=="
+    -4          | "    ==>123\n    1<==2==>3<=="                                  | "==>123\n1<==2==>3<=="
+    -4          | "    ==>123\r\n    1<==2==>3<=="                                | "==>123\n1<==2==>3<=="
+  }
+
   private static Date date(final String pattern, final String value) {
     return new SimpleDateFormat(pattern).parse(value)
   }

dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/taint/RangesTest.groovy

@@ -289,7 +289,7 @@ class RangesTest extends DDSpecification {
     [REFERER] | [
       rangeWithSource(REQUEST_HEADER_VALUE, REFERER.name),
       rangeWithSource(REQUEST_HEADER_VALUE, LOCATION.name)
-    ] | true
+    ]                                                                                             | true
   }
 
   void 'test intersection of ranges'() {
@@ -332,6 +332,30 @@ class RangesTest extends DDSpecification {
     [range(2, 2), range(6, 2)] | [range(0, 2), range(4, 2)] | [range(0, 2), range(2, 2), range(4, 2), range(6, 2)]
   }
 
+  void 'test forIndentation method'() {
+    when:
+    final result = Ranges.forIndentation(input, indentation, ranges as Range[])
+
+    then:
+    final expectedArray = expected as Range[]
+    result == expectedArray
+
+    where:
+    input                | indentation | ranges                                                                                            | expected
+    //    "123\n123"           | 4           | [rangeWithSource(0, 3, (byte) 1, null, "123"), rangeWithSource(6, 1, (byte) 2, null, "3")]        | [rangeWithSource(4, 3, (byte) 1, null, "123"), rangeWithSource(14, 1, (byte) 2, null, "3")]
+    //    "123\r\n123"         | 4           | [rangeWithSource(0, 3, (byte) 1, null, "123"), rangeWithSource(7, 1, (byte) 2, null, "3")]        | [rangeWithSource(4, 3, (byte) 1, null, "123"), rangeWithSource(14, 1, (byte) 2, null, "3")]
+    "123\n123"           | 4           | [rangeWithSource(0, 5, (byte) 1, null, "123\n1"), rangeWithSource(6, 1, (byte) 2, null, "3")]     | [rangeWithSource(4, 9, (byte) 1, null, "123\n1"), rangeWithSource(14, 1, (byte) 2, null, "3")]
+    //    "123\r\n123"         | 4           | [rangeWithSource(0, 6, (byte) 1, null, "123\r\n1"), rangeWithSource(7, 1, (byte) 2, null, "3")]   | [rangeWithSource(4, 9, (byte) 1, null, "123\r\n1"), rangeWithSource(14, 1, (byte) 2, null, "3")]
+    //    "123\n123"           | 0           | [rangeWithSource(0, 3, (byte) 1, null, "123"), rangeWithSource(6, 1, (byte) 2, null, "3")]        | [rangeWithSource(0, 3, (byte) 1, null, "123"), rangeWithSource(6, 1, (byte) 2, null, "3")]
+    //    "123\r\n123"         | 0           | [rangeWithSource(0, 3, (byte) 1, null, "123"), rangeWithSource(7, 1, (byte) 2, null, "3")]        | [rangeWithSource(0, 3, (byte) 1, null, "123"), rangeWithSource(6, 1, (byte) 2, null, "3")]
+    //    "123\n123"           | 0           | [rangeWithSource(0, 5, (byte) 1, null, "123\n1"), rangeWithSource(6, 1, (byte) 2, null, "3")]     | [rangeWithSource(0, 5, (byte) 1, null, "123\n1"), rangeWithSource(6, 1, (byte) 2, null, "3")]
+    //    "123\r\n123"         | 0           | [rangeWithSource(0, 6, (byte) 1, null, "123\r\n1"), rangeWithSource(7, 1, (byte) 2, null, "3")]   | [rangeWithSource(0, 5, (byte) 1, null, "123\r\n1"), rangeWithSource(6, 1, (byte) 2, null, "3")]
+    //    "    123\n    123"   | -4          | [rangeWithSource(4, 3, (byte) 1, null, "123"), rangeWithSource(14, 1, (byte) 2, null, "3")]       | [rangeWithSource(0, 3, (byte) 1, null, "123"), rangeWithSource(6, 1, (byte) 2, null, "3")]
+    //    "    123\r\n    123" | -4          | [rangeWithSource(4, 3, (byte) 1, null, "123"), rangeWithSource(15, 1, (byte) 2, null, "3")]       | [rangeWithSource(0, 3, (byte) 1, null, "123"), rangeWithSource(6, 1, (byte) 2, null, "3")]
+    //    "    123\n    123"   | -4          | [rangeWithSource(4, 9, (byte) 1, null, "123\n1"), rangeWithSource(14, 1, (byte) 2, null, "3")]    | [rangeWithSource(0, 5, (byte) 1, null, "123\n1"), rangeWithSource(6, 1, (byte) 2, null, "3")]
+    //    "    123\r\n    123" | -4          | [rangeWithSource(4, 10, (byte) 1, null, "123\r\n1"), rangeWithSource(15, 1, (byte) 2, null, "3")] | [rangeWithSource(0, 5, (byte) 1, null, "123\r\n1"), rangeWithSource(6, 1, (byte) 2, null, "3")]
+  }
+
 
   Range[] rangesFromSpec(List<List<Object>> spec) {
     def ranges = new Range[spec.size()]
@@ -368,4 +392,8 @@ class RangesTest extends DDSpecification {
   Range range(final int start, final int length) {
     return new Range(start, length, new Source(REQUEST_HEADER_NAME, 'a', 'b'), NOT_MARKED)
   }
+
+  Range rangeWithSource(final int start, final int length, final byte source, final String name = 'name', final String value = 'value') {
+    return new Range(start, length, new Source(source, name, value), NOT_MARKED)
+  }
 }

dd-java-agent/instrumentation/java-lang/java-lang-17/build.gradle

@@ -0,0 +1,43 @@
+plugins {
+  id 'idea'
+}
+
+ext {
+  minJavaVersionForTests = JavaVersion.VERSION_17
+}
+
+apply from: "$rootDir/gradle/java.gradle"
+apply plugin: 'call-site-instrumentation'
+
+muzzle {
+  pass {
+    coreJdk()
+  }
+}
+
+idea {
+  module {
+    jdkName = '17'
+  }
+}
+
+csi {
+  javaVersion = JavaLanguageVersion.of(17)
+}
+
+addTestSuiteForDir('latestDepTest', 'test')
+
+dependencies {
+  testRuntimeOnly project(':dd-java-agent:instrumentation:iast-instrumenter')
+}
+
+project.tasks.withType(AbstractCompile).configureEach {
+  setJavaVersion(it, 17)
+  if (it.name != 'compileCsiJava') {
+    sourceCompatibility = JavaVersion.VERSION_17
+    targetCompatibility = JavaVersion.VERSION_17
+    if (it instanceof JavaCompile) {
+      it.options.release.set(17)
+    }
+  }
+}

dd-java-agent/instrumentation/java-lang/java-lang-17/src/main/java/datadog/trace/instrumentation/java/lang/jdk17/StringCallSite.java

@@ -0,0 +1,29 @@
+package datadog.trace.instrumentation.java.lang.jdk17;
+
+import datadog.trace.agent.tooling.csi.CallSite;
+import datadog.trace.api.iast.IastCallSites;
+import datadog.trace.api.iast.InstrumentationBridge;
+import datadog.trace.api.iast.Propagation;
+import datadog.trace.api.iast.propagation.StringModule;
+
+@Propagation
+@CallSite(
+    spi = IastCallSites.class,
+    enabled = {"datadog.trace.api.iast.IastEnabledChecks", "isMajorJavaVersionAtLeast", "17"})
+public class StringCallSite {
+  @CallSite.After("java.lang.String java.lang.String.indent(int)")
+  public static String afterIndent(
+      @CallSite.This final String self,
+      @CallSite.Argument final int indentation,
+      @CallSite.Return final String result) {
+    final StringModule module = InstrumentationBridge.STRING;
+    try {
+      if (module != null) {
+        module.onIndent(self, indentation, result);
+      }
+    } catch (final Throwable e) {
+      module.onUnexpectedException("afterIndent threw", e);
+    }
+    return result;
+  }
+}

dd-java-agent/instrumentation/java-lang/java-lang-17/src/test/groovy/datadog/trace/instrumentation/java/lang/jdk17/StringCallSiteTest.groovy

@@ -0,0 +1,35 @@
+package datadog.trace.instrumentation.java.lang.jdk17
+
+import datadog.trace.agent.test.AgentTestRunner
+import datadog.trace.api.iast.InstrumentationBridge
+import datadog.trace.api.iast.propagation.StringModule
+import foo.bar.TestStringJDK17Suite
+import spock.lang.Requires
+
+@Requires({
+  jvm.java17Compatible
+})
+class StringCallSiteTest extends AgentTestRunner {
+
+  @Override
+  protected void configurePreAgent() {
+    injectSysConfig("dd.iast.enabled", "true")
+  }
+
+  def 'test string indent call site'() {
+    setup:
+    final iastModule = Mock(StringModule)
+    InstrumentationBridge.registerIastModule(iastModule)
+
+    when:
+    final result = TestStringJDK17Suite.stringIndent(input, indentation)
+
+    then:
+    result == output
+    1 * iastModule.onIndent(input, indentation, output)
+
+    where:
+    input                   | indentation | output
+    'Hello\nThis is a line' | 3           | '   Hello\n   This is a line\n'
+  }
+}