Merge branch 'master' into dougqh/crash-tracking-in-smoke-tests

Author: dougqh

.circleci/config.continue.yml.j2

@@ -36,7 +36,7 @@ instrumentation_modules: &instrumentation_modules "dd-java-agent/instrumentation
 debugger_modules: &debugger_modules "dd-java-agent/agent-debugger|dd-java-agent/agent-bootstrap|dd-java-agent/agent-builder|internal-api|communication|dd-trace-core"
 profiling_modules: &profiling_modules "dd-java-agent/agent-profiling"
 
-default_system_tests_commit: &default_system_tests_commit 53d9b2c43876a39e5c0426f4df4dd5fd79d062e8
+default_system_tests_commit: &default_system_tests_commit 67fe30ac7504997685859d31feae1782f3527f39
 
 parameters:
   nightly:

.github/workflows/check-pull-requests.yaml

@@ -27,7 +27,7 @@ jobs:
             const ignoreReleaseNotes = labels.filter(label => label == 'tag: no release notes').length > 0
             const hasTypeLabel = labels.filter(label => label.startsWith('type:')).length > 0
             const hasComponentLabel = labels.filter(label => label.startsWith('comp:')).length > 0
-            const hasInstrumentationLabel = labels.filter(label => label.startsWith('instr:')).length > 0
+            const hasInstrumentationLabel = labels.filter(label => label.startsWith('inst:')).length > 0
             const labelsCheckFailed = !ignoreReleaseNotes && (!hasTypeLabel || (!hasComponentLabel && !hasInstrumentationLabel));
             if (labelsCheckFailed) {
               core.setFailed('Please add at least one type, and one component or instrumentation label to the pull request.')

.github/workflows/tests/check-pull-requests/payload-pull-request-instrumentation.json

@@ -0,0 +1,15 @@
+{
+    "pull_request": {
+        "number": 7884,
+        "draft": false,
+        "labels": [
+            {
+                "name": "inst: java"
+            },
+            {
+                "name": "type: bug"
+            }
+        ],
+        "title": "Adding some new features"
+    }
+}

.github/workflows/tests/check-pull-requests/test-pull-request.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 source "$(dirname "$0")/../env.sh"
 testworkflow pull_request && \
+testworkflow pull_request instrumentation && \
 testworkflow pull_request draft && \
 testworkflow pull_request no-release-notes && \
 ! testworkflow pull_request missing-label && \

dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/HttpClientDecorator.java

@@ -1,17 +1,24 @@
 package datadog.trace.bootstrap.instrumentation.decorator;
 
 import static datadog.trace.api.cache.RadixTreeCache.UNSET_STATUS;
+import static datadog.trace.api.gateway.Events.EVENTS;
 import static datadog.trace.bootstrap.instrumentation.api.AgentTracer.traceConfig;
 import static datadog.trace.bootstrap.instrumentation.decorator.http.HttpResourceDecorator.HTTP_RESOURCE_DECORATOR;
 
+import datadog.appsec.api.blocking.BlockingException;
 import datadog.trace.api.Config;
 import datadog.trace.api.DDTags;
 import datadog.trace.api.InstrumenterConfig;
 import datadog.trace.api.ProductActivation;
+import datadog.trace.api.gateway.BlockResponseFunction;
+import datadog.trace.api.gateway.Flow;
+import datadog.trace.api.gateway.RequestContext;
+import datadog.trace.api.gateway.RequestContextSlot;
 import datadog.trace.api.iast.InstrumentationBridge;
 import datadog.trace.api.iast.sink.SsrfModule;
 import datadog.trace.api.naming.SpanNaming;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
+import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
 import datadog.trace.bootstrap.instrumentation.api.InternalSpanTypes;
 import datadog.trace.bootstrap.instrumentation.api.Tags;
 import datadog.trace.bootstrap.instrumentation.api.URIUtils;
@@ -21,6 +28,7 @@
 import java.util.BitSet;
 import java.util.LinkedHashMap;
 import java.util.Map;
+import java.util.function.BiFunction;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -42,6 +50,8 @@ public abstract class HttpClientDecorator<REQUEST, RESPONSE> extends UriBasedCli
 
   private static final boolean CLIENT_TAG_HEADERS = Config.get().isHttpClientTagHeaders();
 
+  private static final boolean APPSEC_RASP_ENABLED = Config.get().isAppSecRaspEnabled();
+
   protected abstract String method(REQUEST request);
 
   protected abstract URI url(REQUEST request) throws URISyntaxException;
@@ -68,9 +78,20 @@ protected boolean shouldSetResourceName() {
 
   public AgentSpan onRequest(final AgentSpan span, final REQUEST request) {
     if (request != null) {
+
       String method = method(request);
       span.setTag(Tags.HTTP_METHOD, method);
 
+      if (CLIENT_TAG_HEADERS) {
+        for (Map.Entry<String, String> headerTag :
+            traceConfig(span).getRequestHeaderTags().entrySet()) {
+          String headerValue = getRequestHeader(request, headerTag.getKey());
+          if (null != headerValue) {
+            span.setTag(headerTag.getValue(), headerValue);
+          }
+        }
+      }
+
       // Copy of HttpServerDecorator url handling
       try {
         final URI url = url(request);
@@ -86,24 +107,15 @@ public AgentSpan onRequest(final AgentSpan span, final REQUEST request) {
           if (shouldSetResourceName()) {
             HTTP_RESOURCE_DECORATOR.withClientPath(span, method, url.getPath());
           }
+          // SSRF exploit prevention check
+          onNetworkConnection(url.toString());
         } else if (shouldSetResourceName()) {
           span.setResourceName(DEFAULT_RESOURCE_NAME);
         }
       } catch (final Exception e) {
         log.debug("Error tagging url", e);
       }
-
       ssrfIastCheck(request);
-
-      if (CLIENT_TAG_HEADERS) {
-        for (Map.Entry<String, String> headerTag :
-            traceConfig(span).getRequestHeaderTags().entrySet()) {
-          String headerValue = getRequestHeader(request, headerTag.getKey());
-          if (null != headerValue) {
-            span.setTag(headerTag.getValue(), headerValue);
-          }
-        }
-      }
     }
     return span;
   }
@@ -175,6 +187,48 @@ public long getResponseContentLength(final RESPONSE response) {
     return 0;
   }
 
+  private void onNetworkConnection(final String networkConnection) {
+    if (!APPSEC_RASP_ENABLED) {
+      return;
+    }
+    if (networkConnection == null) {
+      return;
+    }
+    final BiFunction<RequestContext, String, Flow<Void>> networkConnectionCallback =
+        AgentTracer.get()
+            .getCallbackProvider(RequestContextSlot.APPSEC)
+            .getCallback(EVENTS.networkConnection());
+
+    if (networkConnectionCallback == null) {
+      return;
+    }
+
+    final AgentSpan span = AgentTracer.get().activeSpan();
+    if (span == null) {
+      return;
+    }
+
+    final RequestContext ctx = span.getRequestContext();
+    if (ctx == null) {
+      return;
+    }
+
+    Flow<Void> flow = networkConnectionCallback.apply(ctx, networkConnection);
+    Flow.Action action = flow.getAction();
+    if (action instanceof Flow.Action.RequestBlockingAction) {
+      BlockResponseFunction brf = ctx.getBlockResponseFunction();
+      if (brf != null) {
+        Flow.Action.RequestBlockingAction rba = (Flow.Action.RequestBlockingAction) action;
+        brf.tryCommitBlockingResponse(
+            ctx.getTraceSegment(),
+            rba.getStatusCode(),
+            rba.getBlockingContentType(),
+            rba.getExtraHeaders());
+      }
+      throw new BlockingException("Blocked request (for SSRF attempt)");
+    }
+  }
+
   /* This method must be overriden after making the proper propagations to the client before **/
   protected Object sourceUrl(REQUEST request) {
     return null;

dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/decorator/HttpClientDecoratorTest.groovy

@@ -1,6 +1,12 @@
 package datadog.trace.bootstrap.instrumentation.decorator
 
 import datadog.trace.api.DDTags
+import datadog.trace.api.config.AppSecConfig
+import datadog.trace.api.gateway.CallbackProvider
+import static datadog.trace.api.gateway.Events.EVENTS
+import datadog.trace.api.gateway.RequestContext
+import datadog.trace.api.gateway.RequestContextSlot
+import datadog.trace.api.internal.TraceSegment
 import datadog.trace.api.iast.InstrumentationBridge
 import datadog.trace.api.iast.sink.SsrfModule
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan
@@ -12,11 +18,39 @@ import spock.lang.Shared
 import static datadog.trace.api.config.TraceInstrumentationConfig.HTTP_CLIENT_HOST_SPLIT_BY_DOMAIN
 import static datadog.trace.api.config.TraceInstrumentationConfig.HTTP_CLIENT_TAG_QUERY_STRING
 
+import java.util.function.BiFunction
+
 class HttpClientDecoratorTest extends ClientDecoratorTest {
 
   @Shared
   def testUrl = new URI("http://myhost:123/somepath")
 
+  @Shared
+  protected static final ORIGINAL_TRACER = AgentTracer.get()
+
+  protected traceSegment
+  protected reqCtx
+  protected span2
+  protected tracer
+
+  void setup() {
+    traceSegment = Stub(TraceSegment)
+    reqCtx = Stub(RequestContext) {
+      getTraceSegment() >> traceSegment
+    }
+    span2 = Stub(AgentSpan) {
+      getRequestContext() >> reqCtx
+    }
+    tracer = Stub(AgentTracer.TracerAPI) {
+      activeSpan() >> span2
+    }
+    AgentTracer.forceRegister(tracer)
+  }
+
+  void cleanup() {
+    AgentTracer.forceRegister(ORIGINAL_TRACER)
+  }
+
   def span = Mock(AgentSpan)
 
   def "test onRequest"() {
@@ -199,6 +233,26 @@ class HttpClientDecoratorTest extends ClientDecoratorTest {
     'false' | [method: "test-method", url: testUrl, path: '/somepath']
   }
 
+  void "test SSRF Exploit prevention onResponse"(){
+    setup:
+    injectSysConfig(AppSecConfig.APPSEC_ENABLED, 'true')
+    injectSysConfig(AppSecConfig.APPSEC_RASP_ENABLED, 'true')
+
+    final callbackProvider = Mock(CallbackProvider)
+    final listener = Mock(BiFunction)
+    tracer.getCallbackProvider(RequestContextSlot.APPSEC) >> callbackProvider
+
+    final decorator = newDecorator()
+    final req = [method: "GET", url: new URI("http://localhost:1234/somepath")]
+
+    when:
+    decorator.onRequest(span2,  req)
+
+    then:
+    1 * callbackProvider.getCallback(EVENTS.networkConnection()) >> listener
+    1 * listener.apply(reqCtx, _ as String)
+  }
+
   @Override
   def newDecorator(String serviceName = "test-service") {
     return new HttpClientDecorator<Map, Map>() {

dd-java-agent/agent-ci-visibility/src/main/java/datadog/trace/civisibility/git/tree/GitClient.java

@@ -484,7 +484,7 @@ public Path createPackFiles(List<String> objectHashes)
     return executeCommand(
         Command.PACK_OBJECTS,
         () -> {
-          byte[] input = Strings.join("\n", objectHashes).getBytes(Charset.defaultCharset());
+          byte[] input = String.join("\n", objectHashes).getBytes(Charset.defaultCharset());
 
           Path tempDirectory = createTempDirectory();
           String basename = Strings.random(8);

dd-java-agent/agent-ci-visibility/src/main/java/datadog/trace/civisibility/utils/ShellCommandExecutor.java

@@ -5,7 +5,6 @@
 import datadog.trace.context.TraceScope;
 import datadog.trace.util.AgentThreadFactory;
 import datadog.trace.util.AgentThreadFactory.AgentThread;
-import datadog.trace.util.Strings;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
@@ -124,7 +123,7 @@ private <T> T executeCommand(
           throw new ShellCommandFailedException(
               exitValue,
               "Command '"
-                  + Strings.join(" ", command)
+                  + String.join(" ", command)
                   + "' failed with exit code "
                   + exitValue
                   + ": "
@@ -147,7 +146,7 @@ private <T> T executeCommand(
         terminate(p);
         throw new TimeoutException(
             "Timeout while waiting for '"
-                + Strings.join(" ", command)
+                + String.join(" ", command)
                 + "'; "
                 + IOUtils.readFully(errorStreamConsumer.read(), Charset.defaultCharset()));
       }

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/propagation/StringModuleImpl.java

@@ -185,7 +185,7 @@ public void onStringConcatFactory(
   @Override
   @SuppressFBWarnings("ES_COMPARING_PARAMETER_STRING_WITH_EQ")
   public void onStringSubSequence(
-      @Nonnull String self, int beginIndex, int endIndex, @Nullable CharSequence result) {
+      @Nonnull CharSequence self, int beginIndex, int endIndex, @Nullable CharSequence result) {
     if (self == result || !canBeTainted(result)) {
       return;
     }

dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/propagation/StringModuleTest.groovy

@@ -481,37 +481,42 @@ class StringModuleTest extends IastModuleImplTestBase {
     }
 
     where:
-    self                      | beginIndex | endIndex | expected
-    "==>0123<=="              | 0          | 4        | "==>0123<=="
-    "0123==>456<==78"         | 0          | 5        | "0123==>4<=="
-    "01==>234<==5==>678<==90" | 0          | 8        | "01==>234<==5==>67<=="
-    "==>0123<=="              | 0          | 3        | "==>012<=="
-    "==>0123<=="              | 1          | 4        | "==>123<=="
-    "==>0123<=="              | 1          | 3        | "==>12<=="
-    "0123==>456<==78"         | 1          | 8        | "123==>456<==7"
-    "0123==>456<==78"         | 0          | 4        | "0123"
-    "0123==>456<==78"         | 7          | 9        | "78"
-    "0123==>456<==78"         | 1          | 5        | "123==>4<=="
-    "0123==>456<==78"         | 1          | 6        | "123==>45<=="
-    "0123==>456<==78"         | 4          | 7        | "==>456<=="
-    "0123==>456<==78"         | 6          | 8        | "==>6<==7"
-    "0123==>456<==78"         | 5          | 8        | "==>56<==7"
-    "0123==>456<==78"         | 4          | 6        | "==>45<=="
-    "01==>234<==5==>678<==90" | 1          | 10       | "1==>234<==5==>678<==9"
-    "01==>234<==5==>678<==90" | 1          | 2        | "1"
-    "01==>234<==5==>678<==90" | 5          | 6        | "5"
-    "01==>234<==5==>678<==90" | 9          | 10       | "9"
-    "01==>234<==5==>678<==90" | 1          | 4        | "1==>23<=="
-    "01==>234<==5==>678<==90" | 2          | 4        | "==>23<=="
-    "01==>234<==5==>678<==90" | 2          | 5        | "==>234<=="
-    "01==>234<==5==>678<==90" | 1          | 8        | "1==>234<==5==>67<=="
-    "01==>234<==5==>678<==90" | 2          | 8        | "==>234<==5==>67<=="
-    "01==>234<==5==>678<==90" | 2          | 9        | "==>234<==5==>678<=="
-    "01==>234<==5==>678<==90" | 5          | 8        | "5==>67<=="
-    "01==>234<==5==>678<==90" | 6          | 8        | "==>67<=="
-    "01==>234<==5==>678<==90" | 6          | 9        | "==>678<=="
-    "01==>234<==5==>678<==90" | 4          | 9        | "==>4<==5==>678<=="
-    "01==>234<==5==>678<==90" | 4          | 8        | "==>4<==5==>67<=="
+    self                          | beginIndex | endIndex | expected
+    "==>0123<=="                  | 0          | 4        | "==>0123<=="
+    "0123==>456<==78"             | 0          | 5        | "0123==>4<=="
+    "01==>234<==5==>678<==90"     | 0          | 8        | "01==>234<==5==>67<=="
+    "==>0123<=="                  | 0          | 3        | "==>012<=="
+    "==>0123<=="                  | 1          | 4        | "==>123<=="
+    "==>0123<=="                  | 1          | 3        | "==>12<=="
+    "0123==>456<==78"             | 1          | 8        | "123==>456<==7"
+    "0123==>456<==78"             | 0          | 4        | "0123"
+    "0123==>456<==78"             | 7          | 9        | "78"
+    "0123==>456<==78"             | 1          | 5        | "123==>4<=="
+    "0123==>456<==78"             | 1          | 6        | "123==>45<=="
+    "0123==>456<==78"             | 4          | 7        | "==>456<=="
+    "0123==>456<==78"             | 6          | 8        | "==>6<==7"
+    "0123==>456<==78"             | 5          | 8        | "==>56<==7"
+    "0123==>456<==78"             | 4          | 6        | "==>45<=="
+    "01==>234<==5==>678<==90"     | 1          | 10       | "1==>234<==5==>678<==9"
+    "01==>234<==5==>678<==90"     | 1          | 2        | "1"
+    "01==>234<==5==>678<==90"     | 5          | 6        | "5"
+    "01==>234<==5==>678<==90"     | 9          | 10       | "9"
+    "01==>234<==5==>678<==90"     | 1          | 4        | "1==>23<=="
+    "01==>234<==5==>678<==90"     | 2          | 4        | "==>23<=="
+    "01==>234<==5==>678<==90"     | 2          | 5        | "==>234<=="
+    "01==>234<==5==>678<==90"     | 1          | 8        | "1==>234<==5==>67<=="
+    "01==>234<==5==>678<==90"     | 2          | 8        | "==>234<==5==>67<=="
+    "01==>234<==5==>678<==90"     | 2          | 9        | "==>234<==5==>678<=="
+    "01==>234<==5==>678<==90"     | 5          | 8        | "5==>67<=="
+    "01==>234<==5==>678<==90"     | 6          | 8        | "==>67<=="
+    "01==>234<==5==>678<==90"     | 6          | 9        | "==>678<=="
+    "01==>234<==5==>678<==90"     | 4          | 9        | "==>4<==5==>678<=="
+    "01==>234<==5==>678<==90"     | 4          | 8        | "==>4<==5==>67<=="
+    sb("==>0123<==")              | 0          | 4        | "==>0123<=="
+    sb("0123==>456<==78")         | 0          | 5        | "0123==>4<=="
+    sb("01==>234<==5==>678<==90") | 0          | 8        | "01==>234<==5==>67<=="
+    sb("0123==>456<==78")         | 4          | 6        | "==>45<=="
+    sb("01==>234<==5==>678<==90") | 4          | 8        | "==>4<==5==>67<=="
   }
 
   void 'onStringJoin without null delimiter or elements (#delimiter, #elements)'() {