Fix progagation for Untrusted Deserialization vulnerability (#7374)

This improves the smoke tests and add new instrumentations to ensure the propagation.

Author: Mariovido

dd-java-agent/instrumentation/commons-fileupload/build.gradle

@@ -7,7 +7,11 @@ dependencies {
   testImplementation group: 'org.apache.commons', name: 'commons-fileupload2', version: '2.0.0-M1'
   testImplementation group: 'org.apache.tomcat.embed', name: 'tomcat-embed-core', version: '7.0.0'
 
+  compileOnly group: 'commons-fileupload', name: 'commons-fileupload', version: '1.5'
+  testImplementation group: 'commons-fileupload', name: 'commons-fileupload', version: '1.5'
+  testImplementation group: 'javax.servlet', name: 'javax.servlet-api', version: '3.1.0'
 
   testRuntimeOnly project(':dd-java-agent:instrumentation:iast-instrumenter')
   latestDepTestImplementation group: 'org.apache.commons', name: 'commons-fileupload2', version: '+'
+  latestDepTestImplementation group: 'commons-fileupload', name: 'commons-fileupload', version: '1.+'
 }

dd-java-agent/instrumentation/commons-fileupload/src/main/java/datadog/trace/instrumentation/commons/fileupload/FileItemInstrumenter.java

@@ -0,0 +1,63 @@
+package datadog.trace.instrumentation.commons.fileupload;
+
+import static datadog.trace.agent.tooling.bytebuddy.matcher.HierarchyMatchers.implementsInterface;
+import static datadog.trace.agent.tooling.bytebuddy.matcher.NameMatchers.named;
+import static net.bytebuddy.matcher.ElementMatchers.isPublic;
+import static net.bytebuddy.matcher.ElementMatchers.takesArguments;
+
+import com.google.auto.service.AutoService;
+import datadog.trace.advice.ActiveRequestContext;
+import datadog.trace.advice.RequiresRequestContext;
+import datadog.trace.agent.tooling.Instrumenter;
+import datadog.trace.agent.tooling.InstrumenterModule;
+import datadog.trace.api.gateway.RequestContext;
+import datadog.trace.api.gateway.RequestContextSlot;
+import datadog.trace.api.iast.IastContext;
+import datadog.trace.api.iast.InstrumentationBridge;
+import datadog.trace.api.iast.propagation.PropagationModule;
+import java.io.InputStream;
+import net.bytebuddy.asm.Advice;
+import net.bytebuddy.description.type.TypeDescription;
+import net.bytebuddy.matcher.ElementMatcher;
+import org.apache.commons.fileupload.FileItem;
+
+@AutoService(InstrumenterModule.class)
+public class FileItemInstrumenter extends InstrumenterModule.Iast
+    implements Instrumenter.ForTypeHierarchy {
+
+  public FileItemInstrumenter() {
+    super("commons-fileupload", "fileitem");
+  }
+
+  @Override
+  public String hierarchyMarkerType() {
+    return "org.apache.commons.fileupload.FileItem";
+  }
+
+  @Override
+  public ElementMatcher<TypeDescription> hierarchyMatcher() {
+    return implementsInterface(named(hierarchyMarkerType()));
+  }
+
+  @Override
+  public void methodAdvice(MethodTransformer transformer) {
+    transformer.applyAdvice(
+        named("getInputStream").and(isPublic()).and(takesArguments(0)),
+        getClass().getName() + "$GetInputStreamAdvice");
+  }
+
+  @RequiresRequestContext(RequestContextSlot.IAST)
+  public static class GetInputStreamAdvice {
+    @Advice.OnMethodExit(suppress = Throwable.class)
+    public static void onExit(
+        @Advice.Return final InputStream inputStream,
+        @Advice.This final FileItem self,
+        @ActiveRequestContext RequestContext reqCtx) {
+      final PropagationModule module = InstrumentationBridge.PROPAGATION;
+      if (module != null) {
+        IastContext ctx = reqCtx.getData(RequestContextSlot.IAST);
+        module.taintObjectIfTainted(ctx, inputStream, self);
+      }
+    }
+  }
+}

dd-java-agent/instrumentation/commons-fileupload/src/main/java/datadog/trace/instrumentation/commons/fileupload/FileItemIteratorInstrumenter.java

@@ -0,0 +1,62 @@
+package datadog.trace.instrumentation.commons.fileupload;
+
+import static datadog.trace.agent.tooling.bytebuddy.matcher.HierarchyMatchers.implementsInterface;
+import static datadog.trace.agent.tooling.bytebuddy.matcher.NameMatchers.named;
+import static net.bytebuddy.matcher.ElementMatchers.isPublic;
+import static net.bytebuddy.matcher.ElementMatchers.takesArguments;
+
+import com.google.auto.service.AutoService;
+import datadog.trace.advice.ActiveRequestContext;
+import datadog.trace.advice.RequiresRequestContext;
+import datadog.trace.agent.tooling.Instrumenter;
+import datadog.trace.agent.tooling.InstrumenterModule;
+import datadog.trace.api.gateway.RequestContext;
+import datadog.trace.api.gateway.RequestContextSlot;
+import datadog.trace.api.iast.IastContext;
+import datadog.trace.api.iast.InstrumentationBridge;
+import datadog.trace.api.iast.propagation.PropagationModule;
+import net.bytebuddy.asm.Advice;
+import net.bytebuddy.description.type.TypeDescription;
+import net.bytebuddy.matcher.ElementMatcher;
+import org.apache.commons.fileupload.FileItemIterator;
+import org.apache.commons.fileupload.FileItemStream;
+
+@AutoService(InstrumenterModule.class)
+public class FileItemIteratorInstrumenter extends InstrumenterModule.Iast
+    implements Instrumenter.ForTypeHierarchy {
+
+  public FileItemIteratorInstrumenter() {
+    super("commons-fileupload", "fileitemiterator");
+  }
+
+  @Override
+  public String hierarchyMarkerType() {
+    return "org.apache.commons.fileupload.FileItemIterator";
+  }
+
+  @Override
+  public ElementMatcher<TypeDescription> hierarchyMatcher() {
+    return implementsInterface(named(hierarchyMarkerType()));
+  }
+
+  @Override
+  public void methodAdvice(MethodTransformer transformer) {
+    transformer.applyAdvice(
+        named("next").and(isPublic()).and(takesArguments(0)), getClass().getName() + "$NextAdvice");
+  }
+
+  @RequiresRequestContext(RequestContextSlot.IAST)
+  public static class NextAdvice {
+    @Advice.OnMethodExit(suppress = Throwable.class)
+    public static void onExit(
+        @Advice.Return final FileItemStream fileItemStream,
+        @Advice.This final FileItemIterator self,
+        @ActiveRequestContext RequestContext reqCtx) {
+      final PropagationModule module = InstrumentationBridge.PROPAGATION;
+      if (module != null) {
+        IastContext ctx = reqCtx.getData(RequestContextSlot.IAST);
+        module.taintObjectIfTainted(ctx, fileItemStream, self);
+      }
+    }
+  }
+}

dd-java-agent/instrumentation/commons-fileupload/src/main/java/datadog/trace/instrumentation/commons/fileupload/FileItemStreamInstrumenter.java

@@ -0,0 +1,63 @@
+package datadog.trace.instrumentation.commons.fileupload;
+
+import static datadog.trace.agent.tooling.bytebuddy.matcher.HierarchyMatchers.implementsInterface;
+import static datadog.trace.agent.tooling.bytebuddy.matcher.NameMatchers.named;
+import static net.bytebuddy.matcher.ElementMatchers.isPublic;
+import static net.bytebuddy.matcher.ElementMatchers.takesArguments;
+
+import com.google.auto.service.AutoService;
+import datadog.trace.advice.ActiveRequestContext;
+import datadog.trace.advice.RequiresRequestContext;
+import datadog.trace.agent.tooling.Instrumenter;
+import datadog.trace.agent.tooling.InstrumenterModule;
+import datadog.trace.api.gateway.RequestContext;
+import datadog.trace.api.gateway.RequestContextSlot;
+import datadog.trace.api.iast.IastContext;
+import datadog.trace.api.iast.InstrumentationBridge;
+import datadog.trace.api.iast.propagation.PropagationModule;
+import java.io.InputStream;
+import net.bytebuddy.asm.Advice;
+import net.bytebuddy.description.type.TypeDescription;
+import net.bytebuddy.matcher.ElementMatcher;
+import org.apache.commons.fileupload.FileItemStream;
+
+@AutoService(InstrumenterModule.class)
+public class FileItemStreamInstrumenter extends InstrumenterModule.Iast
+    implements Instrumenter.ForTypeHierarchy {
+
+  public FileItemStreamInstrumenter() {
+    super("commons-fileupload", "fileitemstream");
+  }
+
+  @Override
+  public String hierarchyMarkerType() {
+    return "org.apache.commons.fileupload.FileItemStream";
+  }
+
+  @Override
+  public ElementMatcher<TypeDescription> hierarchyMatcher() {
+    return implementsInterface(named(hierarchyMarkerType()));
+  }
+
+  @Override
+  public void methodAdvice(MethodTransformer transformer) {
+    transformer.applyAdvice(
+        named("openStream").and(isPublic()).and(takesArguments(0)),
+        getClass().getName() + "$OpenStreamAdvice");
+  }
+
+  @RequiresRequestContext(RequestContextSlot.IAST)
+  public static class OpenStreamAdvice {
+    @Advice.OnMethodExit(suppress = Throwable.class)
+    public static void onExit(
+        @Advice.Return final InputStream inputStream,
+        @Advice.This final FileItemStream self,
+        @ActiveRequestContext RequestContext reqCtx) {
+      final PropagationModule module = InstrumentationBridge.PROPAGATION;
+      if (module != null) {
+        IastContext ctx = reqCtx.getData(RequestContextSlot.IAST);
+        module.taintObjectIfTainted(ctx, inputStream, self);
+      }
+    }
+  }
+}

dd-java-agent/instrumentation/commons-fileupload/src/main/java/datadog/trace/instrumentation/commons/fileupload/ServletFileUploadInstrumenter.java

@@ -0,0 +1,107 @@
+package datadog.trace.instrumentation.commons.fileupload;
+
+import static datadog.trace.agent.tooling.bytebuddy.matcher.NameMatchers.named;
+import static net.bytebuddy.matcher.ElementMatchers.isPublic;
+import static net.bytebuddy.matcher.ElementMatchers.takesArgument;
+
+import com.google.auto.service.AutoService;
+import datadog.trace.advice.ActiveRequestContext;
+import datadog.trace.advice.RequiresRequestContext;
+import datadog.trace.agent.tooling.Instrumenter;
+import datadog.trace.agent.tooling.InstrumenterModule;
+import datadog.trace.api.gateway.RequestContext;
+import datadog.trace.api.gateway.RequestContextSlot;
+import datadog.trace.api.iast.IastContext;
+import datadog.trace.api.iast.InstrumentationBridge;
+import datadog.trace.api.iast.Source;
+import datadog.trace.api.iast.SourceTypes;
+import datadog.trace.api.iast.propagation.PropagationModule;
+import java.util.List;
+import java.util.Map;
+import net.bytebuddy.asm.Advice;
+import org.apache.commons.fileupload.FileItem;
+import org.apache.commons.fileupload.FileItemIterator;
+
+@AutoService(InstrumenterModule.class)
+public class ServletFileUploadInstrumenter extends InstrumenterModule.Iast
+    implements Instrumenter.ForSingleType {
+
+  public ServletFileUploadInstrumenter() {
+    super("commons-fileupload", "servlet");
+  }
+
+  @Override
+  public String instrumentedType() {
+    return "org.apache.commons.fileupload.servlet.ServletFileUpload";
+  }
+
+  @Override
+  public void methodAdvice(MethodTransformer transformer) {
+    transformer.applyAdvice(
+        named("parseRequest")
+            .and(isPublic())
+            .and(takesArgument(0, named("javax.servlet.http.HttpServletRequest"))),
+        getClass().getName() + "$ParseRequestAdvice");
+    transformer.applyAdvice(
+        named("parseParameterMap")
+            .and(isPublic())
+            .and(takesArgument(0, named("javax.servlet.http.HttpServletRequest"))),
+        getClass().getName() + "$ParseParameterMapAdvice");
+    transformer.applyAdvice(
+        named("getItemIterator")
+            .and(isPublic())
+            .and(takesArgument(0, named("javax.servlet.http.HttpServletRequest"))),
+        getClass().getName() + "$GetItemIteratorAdvice");
+  }
+
+  @RequiresRequestContext(RequestContextSlot.IAST)
+  public static class ParseRequestAdvice {
+    @Advice.OnMethodExit(suppress = Throwable.class)
+    @Source(SourceTypes.REQUEST_MULTIPART_PARAMETER)
+    public static void onExit(
+        @Advice.Return final List<FileItem> fileItems,
+        @ActiveRequestContext RequestContext reqCtx) {
+      final PropagationModule module = InstrumentationBridge.PROPAGATION;
+      if (module != null) {
+        IastContext ctx = reqCtx.getData(RequestContextSlot.IAST);
+        for (final FileItem fileItem : fileItems) {
+          module.taintObject(ctx, fileItem, SourceTypes.REQUEST_MULTIPART_PARAMETER);
+        }
+      }
+    }
+  }
+
+  @RequiresRequestContext(RequestContextSlot.IAST)
+  public static class ParseParameterMapAdvice {
+    @Advice.OnMethodExit(suppress = Throwable.class)
+    @Source(SourceTypes.REQUEST_MULTIPART_PARAMETER)
+    public static void onExit(
+        @Advice.Return final Map<String, List<FileItem>> parameterMap,
+        @ActiveRequestContext RequestContext reqCtx) {
+      final PropagationModule module = InstrumentationBridge.PROPAGATION;
+      if (module != null) {
+        IastContext ctx = reqCtx.getData(RequestContextSlot.IAST);
+        for (List<FileItem> fileItems : parameterMap.values()) {
+          for (FileItem fileItem : fileItems) {
+            module.taintObject(ctx, fileItem, SourceTypes.REQUEST_MULTIPART_PARAMETER);
+          }
+        }
+      }
+    }
+  }
+
+  @RequiresRequestContext(RequestContextSlot.IAST)
+  public static class GetItemIteratorAdvice {
+    @Advice.OnMethodExit(suppress = Throwable.class)
+    @Source(SourceTypes.REQUEST_MULTIPART_PARAMETER)
+    public static void onExit(
+        @Advice.Return final FileItemIterator fileItemIterator,
+        @ActiveRequestContext RequestContext reqCtx) {
+      final PropagationModule module = InstrumentationBridge.PROPAGATION;
+      if (module != null) {
+        IastContext ctx = reqCtx.getData(RequestContextSlot.IAST);
+        module.taintObject(ctx, fileItemIterator, SourceTypes.REQUEST_MULTIPART_PARAMETER);
+      }
+    }
+  }
+}

dd-java-agent/instrumentation/commons-fileupload/src/test/groovy/FileItemInstrumenterTest.groovy

@@ -0,0 +1,52 @@
+import datadog.trace.agent.test.AgentTestRunner
+import datadog.trace.api.iast.IastContext
+import datadog.trace.api.iast.InstrumentationBridge
+import datadog.trace.api.iast.propagation.PropagationModule
+import datadog.trace.bootstrap.instrumentation.api.AgentTracer
+import datadog.trace.bootstrap.instrumentation.api.TagContext
+import foo.bar.smoketest.MockFileItem
+
+class FileItemInstrumenterTest extends AgentTestRunner {
+
+  private Object iastCtx
+
+  @Override
+  protected void configurePreAgent() {
+    injectSysConfig('dd.iast.enabled', 'true')
+  }
+
+  @Override
+  void setup() {
+    iastCtx = Stub(IastContext)
+  }
+
+  @Override
+  void cleanup() {
+    InstrumentationBridge.clearIastModules()
+  }
+
+  void 'test commons fileupload FileItem getInputStream'() {
+    given:
+    final module = Mock(PropagationModule)
+    InstrumentationBridge.registerIastModule(module)
+    final inputStream = new ByteArrayInputStream('inputStream'.getBytes())
+    final fileItem = new MockFileItem('fileItemName', inputStream)
+
+    when:
+    runUnderIastTrace { fileItem.getInputStream() }
+
+    then:
+    1 * module.taintObjectIfTainted(iastCtx, inputStream, fileItem)
+    0 * _
+  }
+
+  protected <E> E runUnderIastTrace(Closure<E> cl) {
+    final ddctx = new TagContext().withRequestContextDataIast(iastCtx)
+    final span = TEST_TRACER.startSpan("test", "test-iast-span", ddctx)
+    try {
+      return AgentTracer.activateSpan(span).withCloseable(cl)
+    } finally {
+      span.finish()
+    }
+  }
+}