Fix location for SSRF with Kong Unirest by smola · Pull Request #8407 · DataDog/dd-trace-java · GitHub

Fix location for SSRF with Kong Unirest #8407


Merged
merged 3 commits into from
Feb 18, 2025

@smola smola commented Feb 17, 2025

What Does This Do

Fix SSRF vuln location when using Kong Unirest.

Motivation

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-56800

@smola smola added type: enhancement comp: asm iast Application Security Management (IAST) labels Feb 17, 2025
@smola smola requested a review from a team as a code owner February 17, 2025 18:34
@pr-commenter
pr-commenter bot commented Feb 17, 2025

Benchmarks

Startup

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | smola/exclude-kong-unirest |
| git_commit_date | 1739876417 | 1739882505 |
| git_commit_sha | e0242cf | 9a6673c |
| release_version | 1.47.0-SNAPSHOT~e0242cfadc | 1.47.0-SNAPSHOT~9a6673c29e |

See matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1739884825 | 1739884825 |
| ci_job_id | 811797894 | 811797894 |
| ci_pipeline_id | 56144302 | 56144302 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-pf96l-bk-project-304-concurrent-0-dfvcvuzm 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux | Linux runner-pf96l-bk-project-304-concurrent-0-dfvcvuzm 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 59 metrics, 4 unstable metrics.

Startup time reports for insecure-bank
[Gantt chart: insecure-bank - global startup overhead: candidate=1.47.0-SNAPSHOT~9a6673c29e, baseline=1.47.0-SNAPSHOT~e0242cfadc]

  • baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.043 s | - |
| Agent | iast | 1.169 s | 126.459 ms (12.1%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.178 s | 135.187 ms (13.0%) |
| Agent | iast_TELEMETRY_OFF | 1.167 s | 123.717 ms (11.9%) |
| Total | tracing | 8.632 s | - |
| Total | iast | 9.261 s | 629.018 ms (7.3%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.233 s | 600.911 ms (7.0%) |
| Total | iast_TELEMETRY_OFF | 9.22 s | 587.473 ms (6.8%) |

  • candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.04 s | - |
| Agent | iast | 1.171 s | 130.58 ms (12.6%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.175 s | 134.612 ms (12.9%) |
| Agent | iast_TELEMETRY_OFF | 1.167 s | 126.784 ms (12.2%) |
| Total | tracing | 8.678 s | - |
| Total | iast | 9.235 s | 557.843 ms (6.4%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.269 s | 591.674 ms (6.8%) |
| Total | iast_TELEMETRY_OFF | 9.259 s | 581.011 ms (6.7%) |

gantt
    title insecure-bank - break down per module: candidate=1.47.0-SNAPSHOT~9a6673c29e, baseline=1.47.0-SNAPSHOT~e0242cfadc

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (718.616 ms) : 0, 718616
BytebuddyAgent [candidate] (717.139 ms) : 0, 717139
GlobalTracer [baseline] (239.354 ms) : 0, 239354
GlobalTracer [candidate] (240.072 ms) : 0, 240072
AppSec [baseline] (55.374 ms) : 0, 55374
AppSec [candidate] (55.704 ms) : 0, 55704
Remote Config [baseline] (702.531 µs) : 0, 703
Remote Config [candidate] (702.874 µs) : 0, 703
Telemetry [baseline] (13.516 ms) : 0, 13516
Telemetry [candidate] (11.454 ms) : 0, 11454
section iast
BytebuddyAgent [baseline] (835.007 ms) : 0, 835007
BytebuddyAgent [candidate] (836.394 ms) : 0, 836394
GlobalTracer [baseline] (230.691 ms) : 0, 230691
GlobalTracer [candidate] (230.416 ms) : 0, 230416
IAST [baseline] (22.623 ms) : 0, 22623
IAST [candidate] (22.528 ms) : 0, 22528
AppSec [baseline] (56.544 ms) : 0, 56544
AppSec [candidate] (56.963 ms) : 0, 56963
Remote Config [baseline] (610.501 µs) : 0, 611
Remote Config [candidate] (598.499 µs) : 0, 598
Telemetry [baseline] (8.628 ms) : 0, 8628
Telemetry [candidate] (8.635 ms) : 0, 8635
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (841.21 ms) : 0, 841210
BytebuddyAgent [candidate] (838.384 ms) : 0, 838384
GlobalTracer [baseline] (231.637 ms) : 0, 231637
GlobalTracer [candidate] (231.798 ms) : 0, 231798
IAST [baseline] (22.966 ms) : 0, 22966
IAST [candidate] (22.899 ms) : 0, 22899
AppSec [baseline] (57.434 ms) : 0, 57434
AppSec [candidate] (57.145 ms) : 0, 57145
Remote Config [baseline] (605.663 µs) : 0, 606
Remote Config [candidate] (600.148 µs) : 0, 600
Telemetry [baseline] (8.794 ms) : 0, 8794
Telemetry [candidate] (8.706 ms) : 0, 8706
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (832.932 ms) : 0, 832932
BytebuddyAgent [candidate] (833.007 ms) : 0, 833007
GlobalTracer [baseline] (230.685 ms) : 0, 230685
GlobalTracer [candidate] (230.594 ms) : 0, 230594
IAST [baseline] (27.2 ms) : 0, 27200
IAST [candidate] (24.268 ms) : 0, 24268
AppSec [baseline] (51.386 ms) : 0, 51386
AppSec [candidate] (54.72 ms) : 0, 54720
Remote Config [baseline] (611.592 µs) : 0, 612
Remote Config [candidate] (608.961 µs) : 0, 609
Telemetry [baseline] (8.479 ms) : 0, 8479
Telemetry [candidate] (8.5 ms) : 0, 8500
Startup time reports for petclinic
[Gantt chart: petclinic - global startup overhead: candidate=1.47.0-SNAPSHOT~9a6673c29e, baseline=1.47.0-SNAPSHOT~e0242cfadc]

  • baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.057 s | - |
| Agent | appsec | 1.189 s | 131.649 ms (12.5%) |
| Agent | iast | 1.171 s | 114.433 ms (10.8%) |
| Agent | profiling | 1.261 s | 204.342 ms (19.3%) |
| Total | tracing | 10.528 s | - |
| Total | appsec | 10.767 s | 239.098 ms (2.3%) |
| Total | iast | 11.022 s | 493.717 ms (4.7%) |
| Total | profiling | 10.881 s | 352.714 ms (3.4%) |

  • candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.047 s | - |
| Agent | appsec | 1.186 s | 139.119 ms (13.3%) |
| Agent | iast | 1.179 s | 132.277 ms (12.6%) |
| Agent | profiling | 1.262 s | 215.812 ms (20.6%) |
| Total | tracing | 10.498 s | - |
| Total | appsec | 10.719 s | 220.888 ms (2.1%) |
| Total | iast | 10.964 s | 465.759 ms (4.4%) |
| Total | profiling | 10.865 s | 367.608 ms (3.5%) |

gantt
    title petclinic - break down per module: candidate=1.47.0-SNAPSHOT~9a6673c29e, baseline=1.47.0-SNAPSHOT~e0242cfadc

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (728.349 ms) : 0, 728349
BytebuddyAgent [candidate] (722.011 ms) : 0, 722011
GlobalTracer [baseline] (243.181 ms) : 0, 243181
GlobalTracer [candidate] (241.015 ms) : 0, 241015
AppSec [baseline] (56.146 ms) : 0, 56146
AppSec [candidate] (55.646 ms) : 0, 55646
Remote Config [baseline] (712.087 µs) : 0, 712
Remote Config [candidate] (692.304 µs) : 0, 692
Telemetry [baseline] (13.14 ms) : 0, 13140
Telemetry [candidate] (11.868 ms) : 0, 11868
section appsec
BytebuddyAgent [baseline] (737.742 ms) : 0, 737742
BytebuddyAgent [candidate] (736.37 ms) : 0, 736370
GlobalTracer [baseline] (237.819 ms) : 0, 237819
GlobalTracer [candidate] (237.465 ms) : 0, 237465
IAST [baseline] (21.851 ms) : 0, 21851
IAST [candidate] (21.425 ms) : 0, 21425
AppSec [baseline] (177.853 ms) : 0, 177853
AppSec [candidate] (176.978 ms) : 0, 176978
Remote Config [baseline] (674.235 µs) : 0, 674
Remote Config [candidate] (663.755 µs) : 0, 664
Telemetry [baseline] (8.308 ms) : 0, 8308
Telemetry [candidate] (8.295 ms) : 0, 8295
section iast
BytebuddyAgent [baseline] (835.866 ms) : 0, 835866
BytebuddyAgent [candidate] (841.273 ms) : 0, 841273
GlobalTracer [baseline] (230.756 ms) : 0, 230756
GlobalTracer [candidate] (231.842 ms) : 0, 231842
IAST [baseline] (22.907 ms) : 0, 22907
IAST [candidate] (23.005 ms) : 0, 23005
AppSec [baseline] (57.306 ms) : 0, 57306
AppSec [candidate] (57.97 ms) : 0, 57970
Remote Config [baseline] (613.218 µs) : 0, 613
Remote Config [candidate] (627.985 µs) : 0, 628
Telemetry [baseline] (8.732 ms) : 0, 8732
Telemetry [candidate] (8.82 ms) : 0, 8820
section profiling
BytebuddyAgent [baseline] (707.64 ms) : 0, 707640
BytebuddyAgent [candidate] (708.344 ms) : 0, 708344
GlobalTracer [baseline] (350.391 ms) : 0, 350391
GlobalTracer [candidate] (351.136 ms) : 0, 351136
AppSec [baseline] (55.559 ms) : 0, 55559
AppSec [candidate] (54.736 ms) : 0, 54736
Remote Config [baseline] (670.315 µs) : 0, 670
Remote Config [candidate] (671.531 µs) : 0, 672
Telemetry [baseline] (8.827 ms) : 0, 8827
Telemetry [candidate] (8.924 ms) : 0, 8924
ProfilingAgent [baseline] (96.007 ms) : 0, 96007
ProfilingAgent [candidate] (96.253 ms) : 0, 96253
Profiling [baseline] (96.031 ms) : 0, 96031
Profiling [candidate] (96.277 ms) : 0, 96277

Load

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| end_time | 2025-02-18T12:52:24 | 2025-02-18T12:59:28 |
| git_branch | master | smola/exclude-kong-unirest |
| git_commit_date | 1739882661 | 1739882505 |
| git_commit_sha | d8dc1f2 | 9a6673c |
| release_version | 1.47.0-SNAPSHOT~d8dc1f26a1 | 1.47.0-SNAPSHOT~9a6673c29e |
| start_time | 2025-02-18T12:52:10 | 2025-02-18T12:59:13 |

See matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1739883925 | 1739883925 |
| ci_job_id | 811797895 | 811797895 |
| ci_pipeline_id | 56144302 | 56144302 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-yzw1vlp-project-304-concurrent-0-vaqgnfu3 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux | Linux runner-yzw1vlp-project-304-concurrent-0-vaqgnfu3 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 16 unstable metrics.

Request duration reports for petclinic
[Gantt chart: petclinic - request duration [CI 0.99] : candidate=1.47.0-SNAPSHOT~9a6673c29e, baseline=1.47.0-SNAPSHOT~d8dc1f26a1]

  • baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.367 ms [1.347 ms, 1.386 ms] | - |
| appsec | 1.73 ms [1.706 ms, 1.754 ms] | 362.893 µs (26.5%) |
| appsec_no_iast | 1.755 ms [1.732 ms, 1.778 ms] | 388.422 µs (28.4%) |
| iast | 1.5 ms [1.476 ms, 1.525 ms] | 133.612 µs (9.8%) |
| profiling | 1.537 ms [1.512 ms, 1.562 ms] | 170.215 µs (12.5%) |
| tracing | 1.491 ms [1.466 ms, 1.516 ms] | 123.777 µs (9.1%) |

  • candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.34 ms [1.32 ms, 1.36 ms] | - |
| appsec | 1.744 ms [1.721 ms, 1.768 ms] | 404.373 µs (30.2%) |
| appsec_no_iast | 1.755 ms [1.732 ms, 1.777 ms] | 414.601 µs (30.9%) |
| iast | 1.507 ms [1.482 ms, 1.532 ms] | 166.714 µs (12.4%) |
| profiling | 1.507 ms [1.484 ms, 1.531 ms] | 167.516 µs (12.5%) |
| tracing | 1.471 ms [1.445 ms, 1.496 ms] | 130.571 µs (9.7%) |

Request duration reports for insecure-bank
[Gantt chart: insecure-bank - request duration [CI 0.99] : candidate=1.47.0-SNAPSHOT~9a6673c29e, baseline=1.47.0-SNAPSHOT~d8dc1f26a1]

  • baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 377.539 µs [356.29 µs, 398.788 µs] | - |
| iast | 509.051 µs [487.124 µs, 530.978 µs] | 131.512 µs (34.8%) |
| iast_FULL | 724.031 µs [702.272 µs, 745.791 µs] | 346.492 µs (91.8%) |
| iast_GLOBAL | 561.505 µs [537.707 µs, 585.302 µs] | 183.966 µs (48.7%) |
| iast_HARDCODED_SECRET_DISABLED | 506.797 µs [482.967 µs, 530.628 µs] | 129.259 µs (34.2%) |
| iast_INACTIVE | 462.014 µs [440.559 µs, 483.469 µs] | 84.475 µs (22.4%) |
| iast_TELEMETRY_OFF | 499.0 µs [475.709 µs, 522.291 µs] | 121.461 µs (32.2%) |
| tracing | 452.883 µs [431.936 µs, 473.83 µs] | 75.344 µs (20.0%) |

  • candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 377.813 µs [357.603 µs, 398.024 µs] | - |
| iast | 514.691 µs [491.478 µs, 537.904 µs] | 136.878 µs (36.2%) |
| iast_FULL | 745.1 µs [722.942 µs, 767.258 µs] | 367.287 µs (97.2%) |
| iast_GLOBAL | 558.402 µs [536.622 µs, 580.182 µs] | 180.588 µs (47.8%) |
| iast_HARDCODED_SECRET_DISABLED | 506.579 µs [484.854 µs, 528.305 µs] | 128.766 µs (34.1%) |
| iast_INACTIVE | 450.808 µs [430.077 µs, 471.538 µs] | 72.995 µs (19.3%) |
| iast_TELEMETRY_OFF | 494.913 µs [471.179 µs, 518.648 µs] | 117.1 µs (31.0%) |
| tracing | 454.023 µs [433.503 µs, 474.544 µs] | 76.21 µs (20.2%) |

Dacapo

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | smola/exclude-kong-unirest |
| git_commit_date | 1739882661 | 1739882505 |
| git_commit_sha | d8dc1f2 | 9a6673c |
| release_version | 1.47.0-SNAPSHOT~d8dc1f26a1 | 1.47.0-SNAPSHOT~9a6673c29e |

See matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | biojava | biojava |
| ci_job_date | 1739884464 | 1739884464 |
| ci_job_id | 811797896 | 811797896 |
| ci_pipeline_id | 56144302 | 56144302 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-wxk4-4f-project-304-concurrent-0-lltsmhue 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux | Linux runner-wxk4-4f-project-304-concurrent-0-lltsmhue 6.8.0-1021-aws #23~22.04.1-Ubuntu SMP Tue Dec 10 16:50:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux |
| variant | appsec | appsec |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for biojava
[Gantt chart: biojava - execution time [CI 0.99] : candidate=1.47.0-SNAPSHOT~9a6673c29e, baseline=1.47.0-SNAPSHOT~d8dc1f26a1]

  • baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 14.961 s [14.961 s, 14.961 s] | - |
| appsec | 15.13 s [15.13 s, 15.13 s] | 169.0 ms (1.1%) |
| iast | 18.467 s [18.467 s, 18.467 s] | 3.506 s (23.4%) |
| iast_GLOBAL | 17.932 s [17.932 s, 17.932 s] | 2.971 s (19.9%) |
| profiling | 15.873 s [15.873 s, 15.873 s] | 912.0 ms (6.1%) |
| tracing | 15.075 s [15.075 s, 15.075 s] | 114.0 ms (0.8%) |

  • candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.572 s [15.572 s, 15.572 s] | - |
| appsec | 15.187 s [15.187 s, 15.187 s] | -385.0 ms (-2.5%) |
| iast | 18.463 s [18.463 s, 18.463 s] | 2.891 s (18.6%) |
| iast_GLOBAL | 17.455 s [17.455 s, 17.455 s] | 1.883 s (12.1%) |
| profiling | 15.522 s [15.522 s, 15.522 s] | -50.0 ms (-0.3%) |
| tracing | 15.212 s [15.212 s, 15.212 s] | -360.0 ms (-2.3%) |

Execution time for tomcat
[Gantt chart: tomcat - execution time [CI 0.99] : candidate=1.47.0-SNAPSHOT~9a6673c29e, baseline=1.47.0-SNAPSHOT~d8dc1f26a1]

  • baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.469 ms [1.458 ms, 1.481 ms] | - |
| appsec | 2.371 ms [2.327 ms, 2.414 ms] | 901.617 µs (61.4%) |
| iast | 2.108 ms [2.053 ms, 2.164 ms] | 639.188 µs (43.5%) |
| iast_GLOBAL | 2.152 ms [2.096 ms, 2.207 ms] | 682.46 µs (46.4%) |
| profiling | 2.401 ms [2.222 ms, 2.58 ms] | 931.387 µs (63.4%) |
| tracing | 1.944 ms [1.902 ms, 1.986 ms] | 475.037 µs (32.3%) |

  • candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.474 ms [1.463 ms, 1.486 ms] | - |
| appsec | 2.363 ms [2.319 ms, 2.406 ms] | 888.26 µs (60.2%) |
| iast | 2.103 ms [2.049 ms, 2.158 ms] | 629.005 µs (42.7%) |
| iast_GLOBAL | 2.157 ms [2.102 ms, 2.213 ms] | 682.907 µs (46.3%) |
| profiling | 1.975 ms [1.931 ms, 2.019 ms] | 500.34 µs (33.9%) |
| tracing | 1.951 ms [1.909 ms, 1.994 ms] | 476.913 µs (32.3%) |

@@ -172,6 +172,7 @@
1 jva_cup.*
1 liquibase.*
1 kodo.*
2 kong.unirest.*
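
Review bot: the added `2 kong.unirest.*` line is the only entry in this hunk with level 2 (the context lines `jva_cup.*`, `liquibase.*` and `kodo.*` are all level 1), and nothing visible here records why, so a short rationale in the commit message or next to the entry would help later maintainers. No test is visible alongside the change either; a case that issues a Unirest request with a tainted URL and asserts that the reported SSRF location is the calling frame rather than one under `kong.unirest` would pin the behaviour. The wildcard also covers every class below `kong.unirest`, so confirm that is the intended scope.
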
Member

Just to clarify... why 2 and not 1?

Member Author

# 2 = Iast Instrumenter allows and filter stacktrace

This is not really a false positive, just a location problem. We want to detect the SSRF vulnerability in the code that calls the HTTP client, not within the HTTP client itself. So propagation inside this code is good, but we want to filter it out from the stacktrace.
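
The location rule described in this reply, as an added Java example that is not dd-trace-java's own code: a finding is reported at the first stack frame whose class is not listed in the prefix table, so adding `kong.unirest.` moves the location from the HTTP client to its caller. The table layout, the `com.example.shop` frames, the line numbers and the reading of level 1 as "no propagation" are assumptions made for the illustration.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class SsrfLocationExample {

  /** Longest-prefix lookup; 0 means the class is not listed in the table. */
  static int levelOf(Map<String, Integer> table, String className) {
    int level = 0;
    int matched = -1;
    for (Map.Entry<String, Integer> entry : table.entrySet()) {
      String prefix = entry.getKey();
      if (className.startsWith(prefix) && prefix.length() > matched) {
        level = entry.getValue();
        matched = prefix.length();
      }
    }
    return level;
  }

  /** Reported location: the first frame, top down, whose class is not listed. */
  static StackTraceElement locate(Map<String, Integer> table, List<StackTraceElement> stack) {
    for (StackTraceElement frame : stack) {
      if (levelOf(table, frame.getClassName()) == 0) {
        return frame;
      }
    }
    return null; // every frame was filtered out
  }

  /**
   * Level 2 follows the comment quoted on this page ("allows and filter stacktrace").
   * Treating level 1 as "taint is not propagated" is an assumption of this example.
   */
  static boolean keepsPropagation(Map<String, Integer> table, String className) {
    return levelOf(table, className) != 1;
  }

  public static void main(String[] args) {
    // Constructed stack trace, innermost frame first: the HTTP client call, then the caller.
    List<StackTraceElement> stack = Arrays.asList(
        new StackTraceElement("kong.unirest.BaseRequest", "asString", "BaseRequest.java", 120),
        new StackTraceElement("com.example.shop.PriceClient", "fetch", "PriceClient.java", 42),
        new StackTraceElement("com.example.shop.PriceController", "get", "PriceController.java", 17));

    // Table before the change: only the neighbouring entries from the hunk.
    Map<String, Integer> before = new HashMap<>();
    before.put("liquibase.", 1);
    before.put("kodo.", 1);

    // Table after the change: the new level-2 entry for Kong Unirest.
    Map<String, Integer> after = new HashMap<>(before);
    after.put("kong.unirest.", 2);

    System.out.println("location before: " + locate(before, stack));
    System.out.println("location after:  " + locate(after, stack));
    System.out.println("propagation kept inside kong.unirest: "
        + keepsPropagation(after, "kong.unirest.BaseRequest"));
  }
}
```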

@smola smola enabled auto-merge (squash) February 18, 2025 12:41
@smola smola merged commit 453d81d into master Feb 18, 2025
199 of 201 checks passed
@smola smola deleted the smola/exclude-kong-unirest branch February 18, 2025 17:16
@github-actions github-actions bot added this to the 1.47.0 milestone Feb 18, 2025
svc-squareup-copybara pushed a commit to cashapp/misk that referenced this pull request Mar 6, 2025
| Package | Type | Package file | Manager | Update | Change |
|---|---|---|---|---|---|
| [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.46.1` -> `1.47.0` |
| [com.datadoghq:dd-trace-ot](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.46.1` -> `1.47.0` |
| [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:sqs](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |
| [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` |

---

### Release Notes

<details>
<summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary>

### [`v1.47.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.47.0): 1.47.0

##### Components

##### Application Security Management (IAST)

- 🐛 Exclude com.stripe.net.HttpURLConnectionClient to solve IAST SSRF vulnerability false positives ([#8483](DataDog/dd-trace-java#8483) - [@jandro996](https://github.com/jandro996))
- 🐛 Add exclusion to solve IAST weak randomness vulnerability false positives ([#8462](DataDog/dd-trace-java#8462) - [@jandro996](https://github.com/jandro996))
- ✨ Fix weak randomness false positive in Kafka client ([#8408](DataDog/dd-trace-java#8408) - [@smola](https://github.com/smola))
- ✨ Fix location for SSRF with Kong Unirest ([#8407](DataDog/dd-trace-java#8407) - [@smola](https://github.com/smola))
- ✨ Exclude IBM Instana from IAST ([#8406](DataDog/dd-trace-java#8406) - [@smola](https://github.com/smola))
- 🐛 Fix org.json iast instrumentation test for latest dependency ([#8347](DataDog/dd-trace-java#8347) - [@jandro996](https://github.com/jandro996))
- ✨ Configuration to Disable APM Tracing ([#8219](DataDog/dd-trace-java#8219) - [@jandro996](https://github.com/jandro996))
- ✨ Address cookie vulnerability cardinality issues ([#8210](DataDog/dd-trace-java#8210) - [@jandro996](https://github.com/jandro996))
- ✨ Email HTML Injection detection in IAST ([#8205](DataDog/dd-trace-java#8205) - [@sezen-datadog](https://github.com/sezen-datadog))

##### Application Security Management (WAF)

- 🐛✨ Ensure usr.exists tag is not overridden when UsernameNotFoundException is thrown ([#8376](DataDog/dd-trace-java#8376) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- 🐛✨ Ensure usr.exists tag is not overridden by auto instrumentation ([#8374](DataDog/dd-trace-java#8374) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Update appsec metrics with event_rules_version tag ([#8354](DataDog/dd-trace-java#8354) - [@sezen-datadog](https://github.com/sezen-datadog))
- ✨ Update metrics: appsec.waf.requests ([#8353](DataDog/dd-trace-java#8353) - [@Mariovido](https://github.com/Mariovido))
- ✨ Improve ASM support in vert.x 5.0 ([#8285](DataDog/dd-trace-java#8285) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- ✨ Update metrics: appsec.waf.updates and appsec.waf.init ([#8280](DataDog/dd-trace-java#8280) - [@Mariovido](https://github.com/Mariovido))
- ✨ Configuration to Disable APM Tracing ([#8219](DataDog/dd-trace-java#8219) - [@jandro996](https://github.com/jandro996))

##### Build & Tooling

- 🐛 Do not generate Muzzle references for primitive arrays in method body ([#8361](DataDog/dd-trace-java#8361) - [@amarziali](https://github.com/amarziali))
- 📖 Improve dev env setup documentation for Windows ([#8180](DataDog/dd-trace-java#8180) - [@lucaspimentel](https://github.com/lucaspimentel))

##### Continuous Integration Visibility

- ✨ Add support for skip-EFD tagging ([#8487](DataDog/dd-trace-java#8487) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Fix an NPE in Gradle Android instrumentation ([#8484](DataDog/dd-trace-java#8484) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Consider modified tests when applying fail-fast tests ordering ([#8474](DataDog/dd-trace-java#8474) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Implement tests reordering for TestNG ([#8467](DataDog/dd-trace-java#8467) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Fix Gradle Launcher instrumentation to not interfere with Gradle Test Kit ([#8465](DataDog/dd-trace-java#8465) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🧹 Use separate TestEventHandlers per framework in CI Vis instrumentations ([#8451](DataDog/dd-trace-java#8451) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Remove warning log when JUnit 4 test method cannot be retrieved ([#8445](DataDog/dd-trace-java#8445) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- 🐛 Fix Scalatest tracing for tests that are reported asynchronously ([#8444](DataDog/dd-trace-java#8444) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Implement attempt to fix tests ([#8393](DataDog/dd-trace-java#8393) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Implement test disabling ([#8377](DataDog/dd-trace-java#8377) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Update CODEOWNERS parser to not log errors on comments with leading whitespace ([#8349](DataDog/dd-trace-java#8349) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Request Test Management tests list ([#8345](DataDog/dd-trace-java#8345) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Receive test management settings from CIVis settings request ([#8331](DataDog/dd-trace-java#8331) - [@daniel-mohedano](https://github.com/daniel-mohedano))
- ✨ Implement quarantined tests tagging ([#8326](DataDog/dd-trace-java#8326) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Implement tests quarantining ([#8320](DataDog/dd-trace-java#8320) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog))
- ✨ Add tag to specify if the user is setting DD_SERVICE ([#8318](DataDog/dd-trace-java#8318) - [@daniel-mohedano](https://github.com/daniel-mohedano))

##### Crash tracking

- ✨ Only fork jps when required ([#8419](DataDog/dd-trace-java#8419) - [@mcculls](https://github.com/mcculls))
- 🐛 Use Java home of the crashed process to launch crash uploader ([#8348](DataDog/dd-trace-java#8348) - [@jbachorik](https://github.com/jbachorik))

##### Data Streams Monitoring

- 🐛 Fix error happening when sqs message attributes are readonly ([#8473](DataDog/dd-trace-java#8473) - [@vandonr](https://github.com/vandonr))
- 🐛 Fix bug on proto schema extraction ([#8403](DataDog/dd-trace-java#8403) - [@vandonr](https://github.com/vandonr))
- 🐛 Fix service name overrides in consumers ([#8387](DataDog/dd-trace-java#8387) - [@piochelepiotr](https://github.com/piochelepiotr))

##### Database Monitoring

- ✨ Add DBMTracePreparedStatements to tracer configuration log ([#8508](DataDog/dd-trace-java#8508) - [@cecile75](https://github.com/cecile75))

##### Dynamic Instrumentation

- ✨ Look in another location for grpc service methods ([#8468](DataDog/dd-trace-java#8468) - [@evanchooly](https://github.com/evanchooly))
- 🐛 Fix Exception Replay with Lambda proxy classes ([#8452](DataDog/dd-trace-java#8452) - [@jpbempel](https://github.com/jpbempel))
- ✨ Add code origin support for spring-webmvc ([#8416](DataDog/dd-trace-java#8416) - [@evanchooly](https://github.com/evanchooly))
- ✨ Add support for scanning jar from loaded class ([#8370](DataDog/dd-trace-java#8370) - [@jpbempel](https://github.com/jpbempel))
- 🐛 Disable capture of entry values ([#8369](DataDog/dd-trace-java#8369) - [@jpbempel](https://github.com/jpbempel))
- 🐛 Fix CodeOrigin for `@Trace` annotation ([#8344](DataDog/dd-trace-java#8344) - [@jpbempel](https://github.com/jpbempel))
- 🐛 Fix equals/hashCode for CodeOrigin probe ([#8319](DataDog/dd-trace-java#8319) - [@jpbempel](https://github.com/jpbempel))
- ✨ Add code origin support to kafka message listeners ([#8301](DataDog/dd-trace-java#8301) - [@evanchooly](https://github.com/evanchooly))

##### Metrics

- ✨ Create metric: appsec.waf.error ([#8381](DataDog/dd-trace-java#8381) - [@sezen-datadog](https://github.com/sezen-datadog))
- ✨ Create metric: appsec.rasp.error ([#8364](DataDog/dd-trace-java#8364) - [@sezen-datadog](https://github.com/sezen-datadog))

##### Profiling

- ✨ Bump ddprof library to 1.22.0 ([#8463](DataDog/dd-trace-java#8463) - [@jbachorik](https://github.com/jbachorik))
- IBM J9 8u361 corresponds to OpenJDK 8u362 by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#187
- Fix compatibility with musl libc 1.2.4 by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#189
- Modify version extraction by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#179
- Do not write null values to jvminfo event by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#184
- Productize VMStructs-based stack walker by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#177
- A few minor downport issues by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#180
- Enable ASGCT by default on fairly safe J9 JDK versions by [@jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#181
- 🐛 Exclude OrderedThreadPoolExecutor from queue-time measurements ([#8456](DataDog/dd-trace-java#8456) - [@jbachorik](https://github.com/jbachorik))
- ✨ Record JVM info on JVMs without JFR ([#8431](DataDog/dd-trace-java#8431) - [@jbachorik](https://github.com/jbachorik))
- 🐛 Actually use CleanupTask in TempLocationManager ([#8420](DataDog/dd-trace-java#8420) - [@mcculls](https://github.com/mcculls))
- ✨ Only fork jps when required ([#8419](DataDog/dd-trace-java#8419) - [@mcculls](https://github.com/mcculls))
- 🐛 Adjust JFR checks for J9 ([#8405](DataDog/dd-trace-java#8405) - [@jbachorik](https://github.com/jbachorik))
- 🧹 Disable smap RSS parsing by default ([#8342](DataDog/dd-trace-java#8342) - [@MattAlp](https://github.com/MattAlp))

##### Telemetry

- 🐛 Add support for JBoss jar:file format to DependencyResolver
([#&#8203;8428](DataDog/dd-trace-java#8428) -
[@&#8203;jandro996](https://github.com/jandro996))
- ✨ Update metrics: appsec.waf.requests
([#&#8203;8353](DataDog/dd-trace-java#8353) -
[@&#8203;Mariovido](https://github.com/Mariovido))

##### Trace context propagation

- ✨ Introduce tracing propagator
([#&#8203;8313](DataDog/dd-trace-java#8313) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))

##### Tracer core

- 🐛 Fix Stable Config telemetry source names
([#&#8203;8460](DataDog/dd-trace-java#8460) -
[@&#8203;BaptisteFoy](https://github.com/BaptisteFoy))
- ✨ Probe trace endpoints with a valid payload of empty arrays
([#&#8203;8414](DataDog/dd-trace-java#8414) -
[@&#8203;mcculls](https://github.com/mcculls))
- ✨ Add 1 minute fail-safe to JUL/JMX class-loading callback
([#&#8203;8399](DataDog/dd-trace-java#8399) -
[@&#8203;mcculls](https://github.com/mcculls))
- ✨ Migrate DSM injection calls to context-first APIs
([#&#8203;8383](DataDog/dd-trace-java#8383) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))
- 🧹 Move continuation capture methods from scope to tracer
([#&#8203;8371](DataDog/dd-trace-java#8371) -
[@&#8203;mcculls](https://github.com/mcculls))
- ✨ Migrate context extraction calls to context-first APIs
([#&#8203;8368](DataDog/dd-trace-java#8368) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))
- 🧹 Migrate context injection calls to context-first APIs
([#&#8203;8358](DataDog/dd-trace-java#8358) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))
- 💡 Support reading configurations from files
([#&#8203;8338](DataDog/dd-trace-java#8338) -
[@&#8203;mtoffl01](https://github.com/mtoffl01))
- 💡 Implementation of BaggagePropagator and BaggageContext
([#&#8203;8330](DataDog/dd-trace-java#8330) -
[@&#8203;mhlidd](https://github.com/mhlidd))
- 🧹 Combine continuation implementations into one which supports
multiple activations
([#&#8203;8324](DataDog/dd-trace-java#8324) -
[@&#8203;mcculls](https://github.com/mcculls))
- ✨ Introduce tracing propagator
([#&#8203;8313](DataDog/dd-trace-java#8313) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))
- ✨ Remove old context propagation API
([#&#8203;8271](DataDog/dd-trace-java#8271) -
[@&#8203;PerfectSlayer](https://github.com/PerfectSlayer))

##### Instrumentations

##### AWS Lambda instrumentation

- 🐛 Send error message and stack to Lambda extension
([#&#8203;8417](DataDog/dd-trace-java#8417) -
[@&#8203;nhulston](https://github.com/nhulston))

##### AWS SDK instrumentation

- 🐛 Fix error happening when sqs message attributes are readonly
([#&#8203;8473](DataDog/dd-trace-java#8473) -
[@&#8203;vandonr](https://github.com/vandonr))
- 💡 Inject trace context into AWS Step Functions input
([#&#8203;7585](DataDog/dd-trace-java#7585) -
[@&#8203;DylanLovesCoffee](https://github.com/DylanLovesCoffee))

##### Core Java language instrumentation

- ✨ Look in another location for grpc service methods
([#&#8203;8468](DataDog/dd-trace-java#8468) -
[@&#8203;evanchooly](https://github.com/evanchooly))
- ✨ Add code origin support for spring-webmvc
([#&#8203;8416](DataDog/dd-trace-java#8416) -
[@&#8203;evanchooly](https://github.com/evanchooly))
- 💡 Implementation of BaggagePropagator and BaggageContext
([#&#8203;8330](DataDog/dd-trace-java#8330) -
[@&#8203;mhlidd](https://github.com/mhlidd))
- ✨ Add code origin support to kafka message listeners
([#&#8203;8301](DataDog/dd-trace-java#8301) -
[@&#8203;evanchooly](https://github.com/evanchooly))

##### gRPC instrumentation

- ✨ Look in another location for grpc service methods
([#&#8203;8468](DataDog/dd-trace-java#8468) -
[@&#8203;evanchooly](https://github.com/evanchooly))

##### Kafka instrumentation

- ✨ Add messaging.destination.name tag to kafka integrations
([#&#8203;8366](DataDog/dd-trace-java#8366) -
[@&#8203;rarguelloF](https://github.com/rarguelloF))

##### Protocol Buffer instrumentation

- 🐛 Fix bug on proto schema extraction
([#&#8203;8403](DataDog/dd-trace-java#8403) -
[@&#8203;vandonr](https://github.com/vandonr))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am
every weekday" in timezone Australia/Melbourne, Automerge - At any time
(no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://github.com/renovatebot/renovate).

GitOrigin-RevId: 108a0f86aa59ab4c938cbac0688dd4c19cb301fa