Merge branch 'master' into evanchooly/DEBUG-2719

DataDog · Sep 9, 2024 · 2de3ffb · 2de3ffb
2 parents 0026f35 + 5699a18
commit 2de3ffb
Show file tree

Hide file tree

Showing 26 changed files with 456 additions and 27 deletions.
diff --git a/.circleci/config.continue.yml.j2 b/.circleci/config.continue.yml.j2
@@ -36,7 +36,7 @@ instrumentation_modules: &instrumentation_modules "dd-java-agent/instrumentation
 debugger_modules: &debugger_modules "dd-java-agent/agent-debugger|dd-java-agent/agent-bootstrap|dd-java-agent/agent-builder|internal-api|communication|dd-trace-core"
 profiling_modules: &profiling_modules "dd-java-agent/agent-profiling"
 
-default_system_tests_commit: &default_system_tests_commit 39bf65e0d94278c60fdd6ff85ba668cb436467f0
+default_system_tests_commit: &default_system_tests_commit c87bd359aad64a29f280fc5c70a879f7c7f4846e
 
 parameters:
   nightly:
@@ -273,13 +273,6 @@ commands:
             git fetch origin << parameters.systemTestsCommit >>
             git reset --hard FETCH_HEAD
 
-      - run:
-          name: Install python 3.12
-          command: |
-            sudo apt-get update
-            sudo apt-get install -y python3.12-full python3.12-dev python3.12-venv
-            echo 'export PATH="$HOME/.local/bin:$PATH"' >>"$BASH_ENV"
-
 jobs:
   build:
     <<: *defaults

diff --git a/...agent-debugger/src/main/java/com/datadog/debugger/exception/DefaultExceptionDebugger.java b/...agent-debugger/src/main/java/com/datadog/debugger/exception/DefaultExceptionDebugger.java
@@ -26,6 +26,8 @@ public class DefaultExceptionDebugger implements DebuggerContext.ExceptionDebugg
   private static final Logger LOGGER = LoggerFactory.getLogger(DefaultExceptionDebugger.class);
   public static final String DD_DEBUG_ERROR_PREFIX = "_dd.debug.error.";
   public static final String DD_DEBUG_ERROR_EXCEPTION_ID = DD_DEBUG_ERROR_PREFIX + "exception_id";
+  public static final String DD_DEBUG_ERROR_EXCEPTION_HASH =
+      DD_DEBUG_ERROR_PREFIX + "exception_hash";
   public static final String ERROR_DEBUG_INFO_CAPTURED = "error.debug_info_captured";
   public static final String SNAPSHOT_ID_TAG_FMT = DD_DEBUG_ERROR_PREFIX + "%d.snapshot_id";
 
@@ -84,7 +86,7 @@ public void handleException(Throwable t, AgentSpan span) {
         LOGGER.debug("Unable to find state for throwable: {}", innerMostException.toString());
         return;
       }
-      processSnapshotsAndSetTags(t, span, state, innerMostException);
+      processSnapshotsAndSetTags(t, span, state, innerMostException, fingerprint);
       exceptionProbeManager.updateLastCapture(fingerprint);
     } else {
       if (exceptionProbeManager.createProbesForException(innerMostException.getStackTrace())) {
@@ -101,7 +103,11 @@ private void applyExceptionConfiguration(String fingerprint) {
   }
 
   private static void processSnapshotsAndSetTags(
-      Throwable t, AgentSpan span, ThrowableState state, Throwable innerMostException) {
+      Throwable t,
+      AgentSpan span,
+      ThrowableState state,
+      Throwable innerMostException,
+      String fingerprint) {
     if (span.getTag(DD_DEBUG_ERROR_EXCEPTION_ID) != null) {
       LOGGER.debug("Clear previous frame tags");
       // already set for this span, clear the frame tags
@@ -141,6 +147,7 @@ private static void processSnapshotsAndSetTags(
           DD_DEBUG_ERROR_EXCEPTION_ID,
           state.getExceptionId());
       span.setTag(ERROR_DEBUG_INFO_CAPTURED, true);
+      span.setTag(DD_DEBUG_ERROR_EXCEPTION_HASH, fingerprint);
     }
   }
 

diff --git a/...a-agent/agent-debugger/src/test/java/com/datadog/debugger/agent/CapturedSnapshotTest.java b/...a-agent/agent-debugger/src/test/java/com/datadog/debugger/agent/CapturedSnapshotTest.java
@@ -99,6 +99,7 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.condition.DisabledIf;
 import org.junit.jupiter.api.condition.EnabledForJreRange;
 import org.junit.jupiter.api.condition.EnabledOnJre;
 import org.junit.jupiter.api.condition.JRE;
@@ -1725,6 +1726,9 @@ public void evaluateAtExitFalse() throws IOException, URISyntaxException {
   }
 
   @Test
+  @DisabledIf(
+      value = "datadog.trace.api.Platform#isJ9",
+      disabledReason = "we cannot get local variable debug info")
   public void uncaughtExceptionConditionLocalVar() throws IOException, URISyntaxException {
     final String CLASS_NAME = "CapturedSnapshot05";
     LogProbe probe =
@@ -1755,6 +1759,9 @@ public void uncaughtExceptionConditionLocalVar() throws IOException, URISyntaxEx
   }
 
   @Test
+  @DisabledIf(
+      value = "datadog.trace.api.Platform#isJ9",
+      disabledReason = "we cannot get local variable debug info")
   public void uncaughtExceptionCaptureLocalVars() throws IOException, URISyntaxException {
     final String CLASS_NAME = "com.datadog.debugger.CapturedSnapshot31";
     LogProbe probe = createProbeAtExit(PROBE_ID, CLASS_NAME, "uncaughtException", null);
@@ -1776,6 +1783,9 @@ public void uncaughtExceptionCaptureLocalVars() throws IOException, URISyntaxExc
   }
 
   @Test
+  @DisabledIf(
+      value = "datadog.trace.api.Platform#isJ9",
+      disabledReason = "we cannot get local variable debug info")
   public void methodProbeLocalVarsLocalScopes() throws IOException, URISyntaxException {
     final String CLASS_NAME = "com.datadog.debugger.CapturedSnapshot31";
     LogProbe probe = createProbeAtExit(PROBE_ID, CLASS_NAME, "localScopes", "(String)");
@@ -1789,6 +1799,9 @@ public void methodProbeLocalVarsLocalScopes() throws IOException, URISyntaxExcep
   }
 
   @Test
+  @DisabledIf(
+      value = "datadog.trace.api.Platform#isJ9",
+      disabledReason = "we cannot get local variable debug info")
   public void methodProbeLocalVarsDeepScopes() throws IOException, URISyntaxException {
     final String CLASS_NAME = "com.datadog.debugger.CapturedSnapshot31";
     LogProbe probe = createProbeAtExit(PROBE_ID, CLASS_NAME, "deepScopes", "(String)");
@@ -1806,6 +1819,9 @@ public void methodProbeLocalVarsDeepScopes() throws IOException, URISyntaxExcept
   }
 
   @Test
+  @DisabledIf(
+      value = "datadog.trace.api.Platform#isJ9",
+      disabledReason = "we cannot get local variable debug info")
   public void methodProbeExceptionLocalVars() throws IOException, URISyntaxException {
     final String CLASS_NAME = "com.datadog.debugger.CapturedSnapshot31";
     LogProbe probe = createProbeAtExit(PROBE_ID, CLASS_NAME, "caughtException", "(String)");

diff --git a/...ugger/src/test/java/com/datadog/debugger/exception/ExceptionProbeInstrumentationTest.java b/...ugger/src/test/java/com/datadog/debugger/exception/ExceptionProbeInstrumentationTest.java
@@ -1,6 +1,7 @@
 package com.datadog.debugger.exception;
 
 import static com.datadog.debugger.agent.ConfigurationAcceptor.Source.REMOTE_CONFIG;
+import static com.datadog.debugger.exception.DefaultExceptionDebugger.DD_DEBUG_ERROR_EXCEPTION_HASH;
 import static com.datadog.debugger.exception.DefaultExceptionDebugger.DD_DEBUG_ERROR_EXCEPTION_ID;
 import static com.datadog.debugger.exception.DefaultExceptionDebugger.ERROR_DEBUG_INFO_CAPTURED;
 import static com.datadog.debugger.exception.DefaultExceptionDebugger.SNAPSHOT_ID_TAG_FMT;
@@ -135,6 +136,7 @@ public void instrumentAndCaptureSnapshots() throws Exception {
         location.getType() + "." + location.getMethod(), snapshot0.getStack().get(0).getFunction());
     MutableSpan span = traceInterceptor.getFirstSpan();
     assertEquals(snapshot0.getExceptionId(), span.getTags().get(DD_DEBUG_ERROR_EXCEPTION_ID));
+    assertEquals(fingerprint, span.getTags().get(DD_DEBUG_ERROR_EXCEPTION_HASH));
     assertEquals(Boolean.TRUE, span.getTags().get(ERROR_DEBUG_INFO_CAPTURED));
     assertEquals(snapshot0.getId(), span.getTags().get(String.format(SNAPSHOT_ID_TAG_FMT, 0)));
     assertEquals(1, probeSampler.getCallCount());

diff --git a/dd-java-agent/instrumentation/freemarker/build.gradle b/dd-java-agent/instrumentation/freemarker/build.gradle
@@ -0,0 +1 @@
+apply from: "$rootDir/gradle/java.gradle"
diff --git a/...umentation/freemarker-2.3.24/build.gradle → ...freemarker/freemarker-2.3.24/build.gradle b/...umentation/freemarker-2.3.24/build.gradle → ...freemarker/freemarker-2.3.24/build.gradle
@@ -17,6 +17,7 @@ dependencies {
   compileOnly group: 'org.freemarker', name: 'freemarker', version: '2.3.24-incubating'
 
   testImplementation group: 'org.freemarker', name: 'freemarker', version: '2.3.24-incubating'
+  testImplementation project(':dd-java-agent:instrumentation:freemarker:freemarker-2.3.9')
 
   testRuntimeOnly project(':dd-java-agent:instrumentation:iast-instrumenter')
 

diff --git a/...ntation/freemarker-2.3.24/gradle.lockfile → ...emarker/freemarker-2.3.24/gradle.lockfile b/...ntation/freemarker-2.3.24/gradle.lockfile → ...emarker/freemarker-2.3.24/gradle.lockfile
diff --git a/...tation/freemarker/StringUtilCallSite.java → ...tation/freemarker/StringUtilCallSite.java b/...tation/freemarker/StringUtilCallSite.java → ...tation/freemarker/StringUtilCallSite.java
diff --git a/...marker24/DollarVariableDatadogAdvice.java → ...marker24/DollarVariableDatadogAdvice.java b/...marker24/DollarVariableDatadogAdvice.java → ...marker24/DollarVariableDatadogAdvice.java
diff --git a/...rker24/DollarVariableInstrumentation.java → ...rker24/DollarVariableInstrumentation.java b/...rker24/DollarVariableInstrumentation.java → ...rker24/DollarVariableInstrumentation.java
diff --git a/...arker24/ObjectWrapperInstrumentation.java → ...arker24/ObjectWrapperInstrumentation.java b/...arker24/ObjectWrapperInstrumentation.java → ...arker24/ObjectWrapperInstrumentation.java
diff --git a/...eemarker/core/DollarVariable24Helper.java → ...eemarker/core/DollarVariable24Helper.java b/...eemarker/core/DollarVariable24Helper.java → ...eemarker/core/DollarVariable24Helper.java
diff --git a/.../freemarker/StringUtilCallSiteTest.groovy → .../freemarker/StringUtilCallSiteTest.groovy b/.../freemarker/StringUtilCallSiteTest.groovy → .../freemarker/StringUtilCallSiteTest.groovy
diff --git a/.../DollarVariableInstrumentationTest.groovy → .../DollarVariableInstrumentationTest.groovy b/.../DollarVariableInstrumentationTest.groovy → .../DollarVariableInstrumentationTest.groovy
diff --git a/...4/ObjectWrapperInstrumentationTest.groovy → ...4/ObjectWrapperInstrumentationTest.groovy b/...4/ObjectWrapperInstrumentationTest.groovy → ...4/ObjectWrapperInstrumentationTest.groovy
diff --git a/...est/java/foo/bar/TestStringUtilSuite.java → ...est/java/foo/bar/TestStringUtilSuite.java b/...est/java/foo/bar/TestStringUtilSuite.java → ...est/java/foo/bar/TestStringUtilSuite.java
diff --git a/dd-java-agent/instrumentation/freemarker/freemarker-2.3.9/build.gradle b/dd-java-agent/instrumentation/freemarker/freemarker-2.3.9/build.gradle
@@ -0,0 +1,23 @@
+muzzle {
+  fail {
+    name = 'freemarker-2.3.9'
+    group = 'org.freemarker'
+    module = 'freemarker'
+    versions = '[2.3.24-incubating,]'
+    assertInverse = true
+  }
+}
+
+apply from: "$rootDir/gradle/java.gradle"
+
+addTestSuiteForDir("version2_3_23Test", "test")
+
+dependencies {
+  compileOnly group: 'org.freemarker', name: 'freemarker', version: '2.3.9'
+
+  testImplementation group: 'org.freemarker', name: 'freemarker', version: '2.3.9'
+
+  testRuntimeOnly project(':dd-java-agent:instrumentation:iast-instrumenter')
+
+  version2_3_23TestImplementation group: 'org.freemarker', name: 'freemarker', version: '2.3.23'
+}
diff --git a/...rc/main/java/datadog/trace/instrumentation/freemarker9/DollarVariableInstrumentation.java b/...rc/main/java/datadog/trace/instrumentation/freemarker9/DollarVariableInstrumentation.java
@@ -0,0 +1,81 @@
+package datadog.trace.instrumentation.freemarker9;
+
+import static datadog.trace.agent.tooling.bytebuddy.matcher.ClassLoaderMatchers.hasClassNamed;
+import static datadog.trace.agent.tooling.bytebuddy.matcher.NameMatchers.named;
+import static net.bytebuddy.matcher.ElementMatchers.isMethod;
+import static net.bytebuddy.matcher.ElementMatchers.not;
+import static net.bytebuddy.matcher.ElementMatchers.takesArgument;
+
+import com.google.auto.service.AutoService;
+import datadog.trace.agent.tooling.Instrumenter;
+import datadog.trace.agent.tooling.InstrumenterModule;
+import datadog.trace.api.iast.InstrumentationBridge;
+import datadog.trace.api.iast.Sink;
+import datadog.trace.api.iast.VulnerabilityTypes;
+import datadog.trace.api.iast.sink.XssModule;
+import freemarker.core.DollarVariable2_3_9Helper;
+import freemarker.core.Environment;
+import net.bytebuddy.asm.Advice;
+import net.bytebuddy.matcher.ElementMatcher;
+
+@AutoService(InstrumenterModule.class)
+public class DollarVariableInstrumentation extends InstrumenterModule.Iast
+    implements Instrumenter.ForSingleType {
+  static final String FREEMARKER_CORE = "freemarker.core";
+
+  public DollarVariableInstrumentation() {
+    super("freemarker");
+  }
+
+  @Override
+  public String muzzleDirective() {
+    return "freemarker-2.3.9";
+  }
+
+  static final ElementMatcher.Junction<ClassLoader> NOT_VERSION_PRIOR_2_3_24 =
+      not(hasClassNamed("freemarker.cache.ByteArrayTemplateLoader"));
+
+  @Override
+  public ElementMatcher.Junction<ClassLoader> classLoaderMatcher() {
+    return NOT_VERSION_PRIOR_2_3_24;
+  }
+
+  @Override
+  public String instrumentedType() {
+    return FREEMARKER_CORE + ".DollarVariable";
+  }
+
+  @Override
+  public String[] helperClassNames() {
+    return new String[] {FREEMARKER_CORE + ".DollarVariable2_3_9Helper"};
+  }
+
+  @Override
+  public void methodAdvice(MethodTransformer transformer) {
+    transformer.applyAdvice(
+        named("accept")
+            .and(isMethod())
+            .and(takesArgument(0, named(FREEMARKER_CORE + ".Environment"))),
+        DollarVariableInstrumentation.class.getName() + "$DollarVariableAdvice");
+  }
+
+  public static class DollarVariableAdvice {
+
+    @Advice.OnMethodEnter(suppress = Throwable.class)
+    @Sink(VulnerabilityTypes.XSS)
+    public static void onEnter(
+        @Advice.Argument(0) final Environment environment, @Advice.This final Object self) {
+      if (environment == null || self == null) {
+        return;
+      }
+      final XssModule xssModule = InstrumentationBridge.XSS;
+      if (xssModule == null) {
+        return;
+      }
+      String charSec = DollarVariable2_3_9Helper.fetchCharSec(self, environment);
+      final String templateName = environment.getTemplate().getName();
+      final int line = DollarVariable2_3_9Helper.fetchBeginLine(self);
+      xssModule.onXss(charSec, templateName, line);
+    }
+  }
+}
diff --git a/.../freemarker/freemarker-2.3.9/src/main/java/freemarker/core/DollarVariable2_3_9Helper.java b/.../freemarker/freemarker-2.3.9/src/main/java/freemarker/core/DollarVariable2_3_9Helper.java
@@ -0,0 +1,59 @@
+package freemarker.core;
+
+import freemarker.template.TemplateModelException;
+import java.lang.reflect.Field;
+import java.lang.reflect.UndeclaredThrowableException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public final class DollarVariable2_3_9Helper {
+  private DollarVariable2_3_9Helper() {}
+
+  private static final Logger log = LoggerFactory.getLogger(DollarVariable2_3_9Helper.class);
+
+  private static final Field ESCAPED_EXPRESSION = prepareEscapedExpression();
+
+  private static Field prepareEscapedExpression() {
+    try {
+      Field autoEscape = DollarVariable.class.getDeclaredField("escapedExpression");
+      autoEscape.setAccessible(true);
+      return autoEscape;
+    } catch (Throwable e) {
+      log.debug("Failed to get DollarVariable escapedExpression", e);
+      return null;
+    }
+  }
+
+  public static Expression fetchEscapeExpression(Object object) {
+    if (ESCAPED_EXPRESSION == null || !(object instanceof DollarVariable)) {
+      return null;
+    }
+    try {
+      return (Expression) ESCAPED_EXPRESSION.get(object);
+    } catch (IllegalAccessException e) {
+      throw new UndeclaredThrowableException(e);
+    }
+  }
+
+  public static String fetchCharSec(Object object, Environment environment) {
+    if (!(object instanceof DollarVariable)) {
+      return null;
+    }
+    final Expression expression = DollarVariable2_3_9Helper.fetchEscapeExpression(object);
+    if (expression instanceof BuiltIn) {
+      return null;
+    }
+    try {
+      return environment.getDataModel().get(expression.toString()).toString();
+    } catch (TemplateModelException e) {
+      throw new UndeclaredThrowableException(e);
+    }
+  }
+
+  public static Integer fetchBeginLine(Object object) {
+    if (!(object instanceof DollarVariable)) {
+      return null;
+    }
+    return ((DollarVariable) object).beginLine;
+  }
+}
diff --git a/...groovy/datadog/trace/instrumentation/freemarker9/DollarVariableInstrumentationTest.groovy b/...groovy/datadog/trace/instrumentation/freemarker9/DollarVariableInstrumentationTest.groovy
@@ -0,0 +1,38 @@
+package datadog.trace.instrumentation.freemarker9
+
+import datadog.trace.agent.test.AgentTestRunner
+import datadog.trace.api.iast.InstrumentationBridge
+import datadog.trace.api.iast.sink.XssModule
+import freemarker.template.Configuration
+import freemarker.template.SimpleHash
+import freemarker.template.Template
+import freemarker.template.TemplateHashModel
+
+class DollarVariableInstrumentationTest extends AgentTestRunner {
+
+  @Override
+  protected void configurePreAgent() {
+    injectSysConfig('dd.iast.enabled', 'true')
+  }
+
+  void 'test freemarker process'() {
+    given:
+    final module = Mock(XssModule)
+    InstrumentationBridge.registerIastModule(module)
+
+    final Configuration cfg = new Configuration()
+    final Template template = new Template("test", new StringReader("test \${$stringExpression}"), cfg)
+    final TemplateHashModel rootDataModel = new SimpleHash(cfg.getObjectWrapper())
+    rootDataModel.put(stringExpression, expression)
+
+    when:
+    template.process(rootDataModel, Mock(FileWriter))
+
+    then:
+    1 * module.onXss(_, _, _)
+
+    where:
+    stringExpression | expression
+    "test"           | "test"
+  }
+}