Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: net/http server-side instrumentation #403

Merged
merged 18 commits into from
Nov 22, 2024

Conversation

rarguelloF
Copy link
Contributor

@rarguelloF rarguelloF commented Nov 19, 2024

Resolves #173, resolves #400

This PR changes net/http server-side instrumentation aspects to trace the library itself (similar approach as we are doing today with the client-side instrumentation). The hook where we inject is the http.Server.Serve method, which should be the common method that is always called when the http server is started (and at this point, the Handler should already be set).

This fixes problems in the existing instrumentation where we:

As a side-effect, this approach removes the ability to use orchestrion:ignore comments to skip tracing on http servers (which happens for other aspects as well where we instrument the library code).

@rarguelloF rarguelloF marked this pull request as ready for review November 20, 2024 12:50
@rarguelloF rarguelloF requested a review from a team as a code owner November 20, 2024 12:50
Copy link
Contributor

@nsrip-dd nsrip-dd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! The general approach makes sense to me. I haven't reviewed this PR deeply. I'll leave that to the Orchestrion experts. I tried this PR out locally on a Go HTTP server we use in the profiling backend that uses ServeMux (the one that motivated #173). I confirmed that the handler gets instrumented :)

}
cmd.OnClose(func() error {
log.Debugf("Adding %s file into %q\n", linkdeps.LinkDepsFilename, cmd.Flags.Output)
child := exec.Command("go", "tool", "pack", "r", cmd.Flags.Output, linkDepsFile)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

Check command call and ensure there is no unsanitized data used. The variable `linkDepsFile` may need to be validated (...read more)

In Go, the exec.Command function is used to run external commands. Using this function carelessly can lead to command injection vulnerabilities.

Command injection occurs when untrusted input is passed directly to a system shell, allowing an attacker to execute arbitrary commands. This can result in unauthorized access to the system, data leaks, or other security breaches.

To prevent command injection vulnerabilities when using exec.Command in Go, follow these coding best practices:

  1. Sanitize User Input: Always validate and sanitize user inputs before passing them to exec.Command. Avoid executing commands constructed using user-provided data.
  2. Avoid using Shell Expansion: If possible, pass the command and arguments as separate strings to exec.Command. This prevents the shell from interpreting special characters in a potentially malicious way.
  3. Use Absolute Paths: When specifying the command to be executed, use absolute paths for executables whenever possible. This reduces the risk of inadvertently running a similarly named malicious command from the system's PATH.
  4. Avoid String Concatenation: Refrain from dynamically constructing commands by concatenating strings. Instead, use the arg ...string parameter of exec.Command to pass arguments safely.
  5. Limit Privileges: Run commands with the least privilege required to carry out the task. Avoid running commands with elevated privileges unnecessarily.

By following these practices, you can reduce the risk of command injection vulnerabilities when using exec.Command in Go and enhance the security of your application.

View in Datadog  Leave us feedback  Documentation

},
},
},
Children: nil,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it expected that the children are gone here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, see in the diff there was a comment // FIXME: this span shouldn't exist
This is because we were somehow double instrumenting something (not sure where exactly).

Before (4 spans):

client -> server (net/http) -> server (gorilla/mux) -> server (net/http)

Now (3 spans):

client -> server (net/http) -> server (gorilla/mux)

@@ -62,10 +62,56 @@ var weavingSpecialCase = []specialCase{
{path: "github.com/DataDog/go-tuf/client", prefix: false, behavior: neverWeave},
}

func (w Weaver) OnCompile(cmd *proxy.CompileCommand) error {
func (w Weaver) OnCompile(cmd *proxy.CompileCommand) (result error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ I'm going to do a refactor of this monstrosity tomorrow before we can merge this.

@RomainMuller RomainMuller added this pull request to the merge queue Nov 21, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Nov 21, 2024
@RomainMuller RomainMuller added this pull request to the merge queue Nov 21, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Nov 21, 2024
@RomainMuller RomainMuller added this pull request to the merge queue Nov 22, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Nov 22, 2024
@RomainMuller RomainMuller added this pull request to the merge queue Nov 22, 2024
Merged via the queue into main with commit a8237ee Nov 22, 2024
23 checks passed
@RomainMuller RomainMuller deleted the rarguellof/APPSEC-55883/fix-net-http-server branch November 22, 2024 11:57
Copy link

codecov bot commented Nov 22, 2024

Codecov Report

Attention: Patch coverage is 82.14286% with 50 lines in your changes missing coverage. Please review.

Project coverage is 60.54%. Comparing base (842ba8d) to head (f868c46).
Report is 6 commits behind head on main.

Files with missing lines Patch % Lines
internal/toolexec/aspect/oncompile.go 57.77% 13 Missing and 6 partials ⚠️
internal/toolexec/aspect/oncompile-main.go 59.37% 9 Missing and 4 partials ⚠️
internal/toolexec/aspect/linkdeps/linkdeps.go 65.00% 6 Missing and 1 partial ⚠️
instrument/http.go 69.23% 3 Missing and 1 partial ⚠️
_integration-tests/tests/net_http/func_handler.go 76.92% 3 Missing ⚠️
...ion-tests/tests/net_http/handler_implementation.go 82.35% 3 Missing ⚠️
internal/toolexec/aspect/onlink.go 75.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #403      +/-   ##
==========================================
+ Coverage   60.36%   60.54%   +0.17%     
==========================================
  Files         181      185       +4     
  Lines       12707    12858     +151     
==========================================
+ Hits         7671     7785     +114     
- Misses       4526     4527       +1     
- Partials      510      546      +36     
Components Coverage Δ
Generators 76.72% <ø> (ø)
Instruments 73.41% <69.23%> (-14.65%) ⬇️
Go Driver 73.94% <ø> (ø)
Toolexec Driver 70.04% <60.39%> (-0.63%) ⬇️
Aspects 68.44% <ø> (-3.06%) ⬇️
Injector 70.07% <ø> (-1.80%) ⬇️
Job Server 66.14% <ø> (+2.12%) ⬆️
Integration Test Suite 54.92% <96.38%> (+0.67%) ⬆️
Other 60.54% <82.14%> (+0.17%) ⬆️
Files with missing lines Coverage Δ
_integration-tests/tests/chi.v5/chi.go 100.00% <100.00%> (ø)
_integration-tests/tests/echo.v4/echo.go 100.00% <100.00%> (ø)
_integration-tests/tests/fiber.v2/fiber.go 100.00% <100.00%> (ø)
_integration-tests/tests/gin/gin.go 100.00% <100.00%> (ø)
...integration-tests/tests/gorilla_mux/gorilla_mux.go 100.00% <100.00%> (ø)
_integration-tests/tests/net_http/base.go 87.17% <100.00%> (ø)
_integration-tests/tests/net_http/issue_400.go 100.00% <100.00%> (ø)
...egration-tests/tests/net_http/serve_mux_handler.go 100.00% <100.00%> (ø)
_integration-tests/utils/suite.go 100.00% <100.00%> (ø)
internal/toolexec/aspect/onlink.go 56.09% <75.00%> (ø)
... and 6 more

... and 10 files with indirect coverage changes

---- 🚨 Try these New Features:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
4 participants