

Merge pull request #330 from newrelic/feature/iast-restricted
Restrict IAST to Specific Account
lovesh-ap authored Sep 20, 2024
2 parents 4b64b6a + 0edcf36 commit e0207e8
Showing 218 changed files with 4,154 additions and 1,007 deletions.
4 changes: 2 additions & 2 deletions gradle.properties
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# The agent version.
agentVersion=1.4.1
jsonVersion=1.2.5
agentVersion=1.4.2
jsonVersion=1.2.7
# Updated exposed NR APM API version.
nrAPIVersion=8.12.0

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,9 @@ public static boolean acquireServletLockIfPossible() {
}

public static void postProcessHttpRequest(Boolean isServletLockAcquired, StringBuilder responseBody, String contentType, String className, String methodName, Token token) {
if(NewRelicSecurity.getAgent().getIastDetectionCategory().getRxssEnabled()){
return;
}
try {
token.linkAndExpire();
ServletHelper.executeBeforeExitingTransaction();
Expand Down
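Review bot: The RXSS guard is placed before the `try` in this hunk, whereas the same guard sits inside the `try` in the other postProcessHttpRequest hunks of this commit; if that `try` has a `finally` that releases the servlet lock (the rest of the body is outside the hunk), an early return here skips it. Either way the return also skips `token.linkAndExpire()` on the line that follows, so the token passed in is neither linked nor expired by this method when RXSS processing is bypassed; if callers rely on this method to expire it, the owning transaction will only complete on token timeout. Moving the check inside the `try`, after `token.linkAndExpire();`, keeps both behaviours. The condition itself deserves a comment, because `getRxssEnabled()` being true leading to a return reads as the inverse of what the name suggests — e.g. `// RXSS category excluded from IAST scan; skip response post-processing`, if that is the intended meaning.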
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,9 @@ public static boolean acquireServletLockIfPossible() {

public static void postProcessHttpRequest(Boolean isServletLockAcquired, StringBuilder response, String contentType, int responseCode, String className, String methodName, Token token) {
try {
if(NewRelicSecurity.getAgent().getIastDetectionCategory().getRxssEnabled()){
return;
}
token.linkAndExpire();

if(!isServletLockAcquired || !NewRelicSecurity.isHookProcessingActive()){
Expand Down
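Review bot: The early return added at the top of the `try` skips `token.linkAndExpire()` on the next line, so when the RXSS category is skipped the token is left unlinked and unexpired by this method; unless the caller expires it elsewhere, the parent transaction then only finishes on token timeout. Putting `token.linkAndExpire();` ahead of the guard, or calling `token.expire()` in the guard branch, avoids that. The intent of `if(...getRxssEnabled()) return;` also needs a one-line comment, because as written it reads as skipping RXSS processing precisely when RXSS is enabled; if the flag denotes an exclusion, say so: `// RXSS excluded from IAST scan via iast_detection_category`. The method body continues past the end of the hunk.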
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
import com.newrelic.api.agent.security.schema.AbstractOperation;
import com.newrelic.api.agent.security.schema.SecurityMetaData;
import com.newrelic.api.agent.security.schema.StringUtils;
import com.newrelic.api.agent.security.schema.VulnerabilityCaseType;
import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException;
import com.newrelic.api.agent.security.schema.operation.SSRFOperation;
import com.newrelic.api.agent.security.utils.SSRFUtils;
Expand Down Expand Up @@ -65,7 +66,7 @@ public Future<Http.ServerBinding> bindAndHandleSync(
public Future<HttpResponse> singleRequest(HttpRequest httpRequest, HttpsConnectionContext connectionContext, ConnectionPoolSettings settings,
LoggingAdapter log, Materializer fm) {

boolean isLockAcquired = acquireLockIfPossible();
boolean isLockAcquired = acquireLockIfPossible(VulnerabilityCaseType.HTTP_REQUEST);
AbstractOperation operation = null;
// Preprocess Phase
if (isLockAcquired) {
Expand Down Expand Up @@ -163,9 +164,9 @@ private void releaseLock() {
}
}

private boolean acquireLockIfPossible() {
private boolean acquireLockIfPossible(VulnerabilityCaseType httpRequest) {
try {
return GenericHelper.acquireLockIfPossible(AkkaCoreUtils.NR_SEC_CUSTOM_ATTRIB_NAME, this.hashCode());
return GenericHelper.acquireLockIfPossible(httpRequest, AkkaCoreUtils.NR_SEC_CUSTOM_ATTRIB_NAME, this.hashCode());
} catch (Throwable ignored) {
}
return false;
Expand Down
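Review bot: The private `acquireLockIfPossible(VulnerabilityCaseType httpRequest)` names a case-type parameter `httpRequest`, which is also the name of the `HttpRequest` parameter of `singleRequest` a few lines above; the two are unrelated and the shared name misleads when reading the lock call. Renaming it as the LDAP hunks in this commit do — `private boolean acquireLockIfPossible(VulnerabilityCaseType caseType)` and `return GenericHelper.acquireLockIfPossible(caseType, AkkaCoreUtils.NR_SEC_CUSTOM_ATTRIB_NAME, this.hashCode());` — removes the ambiguity. The body of `singleRequest` continues beyond the hunk.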
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,9 @@ public static boolean acquireServletLockIfPossible() {

public static void postProcessHttpRequest(Boolean isServletLockAcquired, StringBuilder responseBody, String contentType, int responseCode, String className, String methodName, Token token) {
try {
if(NewRelicSecurity.getAgent().getIastDetectionCategory().getRxssEnabled()){
return;
}
token.linkAndExpire();

if(!isServletLockAcquired || !NewRelicSecurity.isHookProcessingActive()){
Expand Down
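Review bot: Returning before `token.linkAndExpire()` leaves the token neither linked nor expired whenever the RXSS check fires, so this method no longer finishes the token it is handed in that path; if nothing else expires it, the transaction lingers until token timeout. Consider `token.linkAndExpire();` before the guard, or `token.expire();` inside it. A comment on the guard would also help, since `getRxssEnabled()` followed by `return` reads as the opposite of skipping a disabled category — e.g. `// RXSS category is excluded from scanning for this account`, if that is what the flag encodes. The rest of the method is outside the hunk.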
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
import com.newrelic.api.agent.security.schema.AbstractOperation;
import com.newrelic.api.agent.security.schema.SecurityMetaData;
import com.newrelic.api.agent.security.schema.StringUtils;
import com.newrelic.api.agent.security.schema.VulnerabilityCaseType;
import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException;
import com.newrelic.api.agent.security.schema.operation.SSRFOperation;
import com.newrelic.api.agent.security.utils.SSRFUtils;
Expand Down Expand Up @@ -66,7 +67,7 @@ public Future<Http.ServerBinding> bindAndHandleSync(
public Future<HttpResponse> singleRequestImpl(HttpRequest httpRequest, HttpsConnectionContext connectionContext, ConnectionPoolSettings poolSettings,
LoggingAdapter loggingAdapter) {

boolean isLockAcquired = acquireLockIfPossible();
boolean isLockAcquired = acquireLockIfPossible(VulnerabilityCaseType.HTTP_REQUEST);
AbstractOperation operation = null;
// Preprocess Phase
SecurityMetaData securityMetaData = NewRelicSecurity.getAgent().getSecurityMetaData();
Expand Down Expand Up @@ -167,9 +168,9 @@ private void releaseLock() {
}
}

private boolean acquireLockIfPossible() {
private boolean acquireLockIfPossible(VulnerabilityCaseType httpRequest) {
try {
return GenericHelper.acquireLockIfPossible(AkkaCoreUtils.NR_SEC_CUSTOM_ATTRIB_NAME, this.hashCode());
return GenericHelper.acquireLockIfPossible(httpRequest, AkkaCoreUtils.NR_SEC_CUSTOM_ATTRIB_NAME, this.hashCode());
} catch (Throwable ignored) {
}
return false;
Expand Down
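Review bot: `acquireLockIfPossible(VulnerabilityCaseType httpRequest)` reuses the identifier `httpRequest` for a case-type enum while `singleRequestImpl` in the same class has an `HttpRequest httpRequest` parameter; a reader of the lock call can easily take the two for the same thing. Naming the parameter for what it is — `private boolean acquireLockIfPossible(VulnerabilityCaseType caseType)` and `GenericHelper.acquireLockIfPossible(caseType, AkkaCoreUtils.NR_SEC_CUSTOM_ATTRIB_NAME, this.hashCode())` — matches the LDAP helpers in this commit. `singleRequestImpl` continues past the hunk.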
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,9 @@ public static boolean acquireServletLockIfPossible() {

public static void postProcessHttpRequest(Boolean isServletLockAcquired, StringBuilder responseBody, String contentType, int responseCode, String className, String methodName, Token token) {
try {
if(NewRelicSecurity.getAgent().getIastDetectionCategory().getRxssEnabled()){
return;
}
token.linkAndExpire();
if(!isServletLockAcquired || !NewRelicSecurity.isHookProcessingActive()){
return;
Expand Down
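Review bot: The new guard returns before `token.linkAndExpire()`, so in the skipped-RXSS path the token is never expired by this method and, if the caller does not expire it either, the owning transaction only completes on token timeout. Moving `token.linkAndExpire();` above the guard preserves the token lifecycle while still skipping the RXSS work. The guard also warrants a short comment stating what `getRxssEnabled()` means here, since "return when RXSS is enabled" is counter-intuitive unless the flag actually marks the category as excluded: `// RXSS excluded from IAST detection; nothing to post-process`. The method continues beyond the hunk.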
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
import com.newrelic.api.agent.security.schema.AbstractOperation;
import com.newrelic.api.agent.security.schema.SecurityMetaData;
import com.newrelic.api.agent.security.schema.StringUtils;
import com.newrelic.api.agent.security.schema.VulnerabilityCaseType;
import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException;
import com.newrelic.api.agent.security.schema.operation.SSRFOperation;
import com.newrelic.api.agent.security.utils.SSRFUtils;
Expand Down Expand Up @@ -66,7 +67,7 @@ public Future<Http.ServerBinding> bindAndHandleSync(
public Future<HttpResponse> singleRequestImpl(HttpRequest httpRequest, HttpsConnectionContext connectionContext, ConnectionPoolSettings poolSettings,
LoggingAdapter loggingAdapter) {

boolean isLockAcquired = acquireLockIfPossible();
boolean isLockAcquired = acquireLockIfPossible(VulnerabilityCaseType.HTTP_REQUEST);
AbstractOperation operation = null;
// Preprocess Phase
SecurityMetaData securityMetaData = NewRelicSecurity.getAgent().getSecurityMetaData();
Expand Down Expand Up @@ -167,9 +168,9 @@ private void releaseLock() {
}
}

private boolean acquireLockIfPossible() {
private boolean acquireLockIfPossible(VulnerabilityCaseType httpRequest) {
try {
return GenericHelper.acquireLockIfPossible(AkkaCoreUtils.NR_SEC_CUSTOM_ATTRIB_NAME, this.hashCode());
return GenericHelper.acquireLockIfPossible(httpRequest, AkkaCoreUtils.NR_SEC_CUSTOM_ATTRIB_NAME, this.hashCode());
} catch (Throwable ignored) {
}
return false;
Expand Down
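Review bot: The parameter of the private `acquireLockIfPossible` is a `VulnerabilityCaseType` but is named `httpRequest`, the same name the enclosing `singleRequestImpl` uses for its `HttpRequest` argument, which makes the call `GenericHelper.acquireLockIfPossible(httpRequest, ...)` read as if the request object were being passed. Rename it to `caseType`, consistent with the LDAP instrumentation in this commit: `private boolean acquireLockIfPossible(VulnerabilityCaseType caseType)`. The method `singleRequestImpl` starts in the hunk but ends outside it.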
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,9 @@ public static boolean acquireServletLockIfPossible() {

public static void postProcessHttpRequest(Boolean isServletLockAcquired, StringBuilder responseBody, String contentType, int responseCode, String className, String methodName, Token token) {
try {
if(NewRelicSecurity.getAgent().getIastDetectionCategory().getRxssEnabled()){
return;
}
token.linkAndExpire();
if(!isServletLockAcquired || !NewRelicSecurity.isHookProcessingActive()){
return;
Expand Down
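Review bot: With the guard placed ahead of `token.linkAndExpire()`, an RXSS-excluded request returns without this method linking or expiring the token it was given; if callers depend on this method to expire it, the transaction stays open until token timeout. Reordering to `token.linkAndExpire();` followed by the `getRxssEnabled()` check keeps the token handling intact. A one-line comment on the condition would also clarify that a true `getRxssEnabled()` means the category is skipped, not scanned — e.g. `// RXSS category excluded from IAST scan`, assuming that is the flag's meaning. The method continues past the hunk.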
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@
import com.newrelic.api.agent.security.schema.AbstractOperation;
import com.newrelic.api.agent.security.schema.SecurityMetaData;
import com.newrelic.api.agent.security.schema.StringUtils;
import com.newrelic.api.agent.security.schema.VulnerabilityCaseType;
import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException;
import com.newrelic.api.agent.security.schema.operation.SSRFOperation;
import com.newrelic.api.agent.security.utils.SSRFUtils;
Expand Down Expand Up @@ -74,7 +75,7 @@ public Future<HttpResponse> singleRequest(HttpRequest httpRequest, HttpsConnecti
LoggingAdapter loggingAdapter) {
final Segment segment = NewRelic.getAgent().getTransaction().startSegment("Akka", "singleRequest");

boolean isLockAcquired = acquireLockIfPossible();
boolean isLockAcquired = acquireLockIfPossible(VulnerabilityCaseType.HTTP_REQUEST);
AbstractOperation operation = null;
// Preprocess Phase
SecurityMetaData securityMetaData = NewRelicSecurity.getAgent().getSecurityMetaData();
Expand Down Expand Up @@ -176,9 +177,9 @@ private void releaseLock() {
}
}

private boolean acquireLockIfPossible() {
private boolean acquireLockIfPossible(VulnerabilityCaseType httpRequest) {
try {
return GenericHelper.acquireLockIfPossible(AkkaCoreUtils.NR_SEC_CUSTOM_ATTRIB_NAME, this.hashCode());
return GenericHelper.acquireLockIfPossible(httpRequest, AkkaCoreUtils.NR_SEC_CUSTOM_ATTRIB_NAME, this.hashCode());
} catch (Throwable ignored) {
}
return false;
Expand Down
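Review bot: `acquireLockIfPossible(VulnerabilityCaseType httpRequest)` names an enum parameter after the `HttpRequest httpRequest` argument of the enclosing `singleRequest`, so the lock call reads as though the request were the lock key. Renaming it `caseType`, as the LDAP hunks in this commit do, avoids the confusion: `private boolean acquireLockIfPossible(VulnerabilityCaseType caseType)` with `GenericHelper.acquireLockIfPossible(caseType, AkkaCoreUtils.NR_SEC_CUSTOM_ATTRIB_NAME, this.hashCode())`. The `singleRequest` body, including whatever ends the segment started at its top, lies outside the hunk.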
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
import com.newrelic.api.agent.security.instrumentation.helpers.GenericHelper;
import com.newrelic.api.agent.security.schema.AbstractOperation;
import com.newrelic.api.agent.security.schema.StringUtils;
import com.newrelic.api.agent.security.schema.VulnerabilityCaseType;
import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException;
import com.newrelic.api.agent.security.schema.operation.LDAPOperation;
import com.newrelic.api.agent.security.utils.logging.LogLevel;
Expand Down Expand Up @@ -61,16 +62,16 @@ private void releaseLock() {
} catch (Throwable ignored) {}
}

private boolean acquireLockIfPossible() {
private boolean acquireLockIfPossible(VulnerabilityCaseType caseType) {
try {
return GenericHelper.acquireLockIfPossible(LDAPUtils.NR_SEC_CUSTOM_ATTRIB_NAME);
return GenericHelper.acquireLockIfPossible(caseType, LDAPUtils.NR_SEC_CUSTOM_ATTRIB_NAME);
} catch (Throwable ignored) {}
return false;
}

public SearchFuture searchAsync(Dn baseDn, String filter, SearchScope scope, String... attributes )
throws LdapException {
boolean isLockAcquired = acquireLockIfPossible();
boolean isLockAcquired = acquireLockIfPossible(VulnerabilityCaseType.LDAP);
AbstractOperation operation = null;
if(isLockAcquired) {
operation = preprocessSecurityHook(baseDn.getName(), filter, LDAPUtils.METHOD_SEARCH_ASYNC);
Expand All @@ -90,7 +91,7 @@ public SearchFuture searchAsync(Dn baseDn, String filter, SearchScope scope, Str

public SearchFuture searchAsync(String baseDn, String filter, SearchScope scope, String... attributes )
throws LdapException {
boolean isLockAcquired = acquireLockIfPossible();
boolean isLockAcquired = acquireLockIfPossible(VulnerabilityCaseType.LDAP);
AbstractOperation operation = null;
if(isLockAcquired) {
operation = preprocessSecurityHook(baseDn, filter, LDAPUtils.METHOD_SEARCH_ASYNC);
Expand All @@ -109,7 +110,7 @@ public SearchFuture searchAsync(String baseDn, String filter, SearchScope scope,
}

public SearchFuture searchAsync( SearchRequest searchRequest ) throws LdapException {
boolean isLockAcquired = acquireLockIfPossible();
boolean isLockAcquired = acquireLockIfPossible(VulnerabilityCaseType.LDAP);
AbstractOperation operation = null;
if(isLockAcquired) {
operation = preprocessSecurityHook(searchRequest.getBase().getName(), searchRequest.getFilter().toString(), LDAPUtils.METHOD_SEARCH_ASYNC);
Expand Down
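Review bot: Every call site in this hunk passes `VulnerabilityCaseType.LDAP` to the new `acquireLockIfPossible(VulnerabilityCaseType caseType)`, so the parameter carries no information inside this class; either keep the zero-argument signature and pass the constant to `GenericHelper` internally, or document that the parameter exists to mirror the other instrumentation helpers in this commit. A short comment on the helper would make the contract explicit, e.g. `// Acquires the LDAP hook lock; delegates to GenericHelper, which presumably also honours the per-category IAST exclusion — confirm`. The `searchAsync(SearchRequest)` method continues past the hunk.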
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
import com.newrelic.api.agent.security.instrumentation.helpers.GenericHelper;
import com.newrelic.api.agent.security.schema.AbstractOperation;
import com.newrelic.api.agent.security.schema.StringUtils;
import com.newrelic.api.agent.security.schema.VulnerabilityCaseType;
import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException;
import com.newrelic.api.agent.security.schema.operation.LDAPOperation;
import com.newrelic.api.agent.security.utils.logging.LogLevel;
Expand Down Expand Up @@ -61,16 +62,16 @@ private void releaseLock() {
} catch (Throwable ignored) {}
}

private boolean acquireLockIfPossible() {
private boolean acquireLockIfPossible(VulnerabilityCaseType caseType) {
try {
return GenericHelper.acquireLockIfPossible(LDAPUtils.NR_SEC_CUSTOM_ATTRIB_NAME);
return GenericHelper.acquireLockIfPossible(caseType, LDAPUtils.NR_SEC_CUSTOM_ATTRIB_NAME);
} catch (Throwable ignored) {}
return false;
}

public EntryCursor search(Dn baseDn, String filter, SearchScope scope, String... attributes )
throws LdapException {
boolean isLockAcquired = acquireLockIfPossible();
boolean isLockAcquired = acquireLockIfPossible(VulnerabilityCaseType.LDAP);
AbstractOperation operation = null;
if(isLockAcquired) {
operation = preprocessSecurityHook(baseDn.getName(), filter, LDAPUtils.METHOD_SEARCH);
Expand All @@ -90,7 +91,7 @@ public EntryCursor search(Dn baseDn, String filter, SearchScope scope, String...

public EntryCursor search( String baseDn, String filter, SearchScope scope, String... attributes )
throws LdapException {
boolean isLockAcquired = acquireLockIfPossible();
boolean isLockAcquired = acquireLockIfPossible(VulnerabilityCaseType.LDAP);
AbstractOperation operation = null;
if(isLockAcquired) {
operation = preprocessSecurityHook(baseDn, filter, LDAPUtils.METHOD_SEARCH);
Expand All @@ -109,7 +110,7 @@ public EntryCursor search( String baseDn, String filter, SearchScope scope, Stri
}

public SearchCursor search(SearchRequest searchRequest ) throws LdapException {
boolean isLockAcquired = acquireLockIfPossible();
boolean isLockAcquired = acquireLockIfPossible(VulnerabilityCaseType.LDAP);
AbstractOperation operation = null;
if(isLockAcquired) {
operation = preprocessSecurityHook(searchRequest.getBase().getName(), searchRequest.getFilter().toString(), LDAPUtils.METHOD_SEARCH);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper;
import com.newrelic.api.agent.security.schema.AbstractOperation;
import com.newrelic.api.agent.security.schema.StringUtils;
import com.newrelic.api.agent.security.schema.VulnerabilityCaseType;
import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException;
import com.newrelic.api.agent.security.schema.operation.SSRFOperation;
import com.newrelic.api.agent.security.utils.SSRFUtils;
Expand Down Expand Up @@ -36,15 +37,8 @@ public static boolean isLockAcquired() {
return false;
}

public static boolean acquireLockIfPossible() {
try {
if (NewRelicSecurity.isHookProcessingActive() &&
!isLockAcquired()) {
NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(getNrSecCustomAttribName(), true);
return true;
}
} catch (Throwable ignored){}
return false;
public static boolean acquireLockIfPossible(VulnerabilityCaseType httpRequest) {
return GenericHelper.acquireLockIfPossible(httpRequest, getNrSecCustomAttribName());
}

public static void releaseLock() {
Expand Down
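Review bot: The rewritten `acquireLockIfPossible` drops the `try { … } catch (Throwable ignored)` the old body had, so any exception thrown by `GenericHelper.acquireLockIfPossible` now propagates out of the helper; the Akka and LDAP hunks in this commit keep such a guard around the same GenericHelper call, and `AsyncHttpClient_Instrumentation.executeRequest` invokes this helper outside its own try, so a failure inside the security agent would surface in application code. Unless GenericHelper is known never to throw, keep the guard: `try { return GenericHelper.acquireLockIfPossible(httpRequest, getNrSecCustomAttribName()); } catch (Throwable ignored) { return false; }`. The parameter would also read better as `caseType`, since it is a `VulnerabilityCaseType` rather than an HTTP request.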
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
import com.newrelic.api.agent.security.NewRelicSecurity;
import com.newrelic.api.agent.security.instrumentation.helpers.GenericHelper;
import com.newrelic.api.agent.security.schema.AbstractOperation;
import com.newrelic.api.agent.security.schema.VulnerabilityCaseType;
import com.newrelic.api.agent.security.utils.logging.LogLevel;
import com.newrelic.api.agent.weaver.MatchType;
import com.newrelic.api.agent.weaver.Weave;
Expand All @@ -27,7 +28,7 @@ public abstract class AsyncHttpClient_Instrumentation {

public <T> ListenableFuture<T> executeRequest(Request request, AsyncHandler<T> handler) {
URI uri = null;
boolean isLockAcquired = AsynchttpHelper.acquireLockIfPossible();
boolean isLockAcquired = AsynchttpHelper.acquireLockIfPossible(VulnerabilityCaseType.HTTP_REQUEST);
AbstractOperation operation = null;
if(isLockAcquired) {
try {
Expand Down
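Review bot: `AsynchttpHelper.acquireLockIfPossible(VulnerabilityCaseType.HTTP_REQUEST)` is called before the `try` that follows it, and this commit rewrites that helper to call GenericHelper directly with no catch of its own, so an exception from the agent would escape `executeRequest` into the application's HTTP client. Guard the call here, `boolean isLockAcquired = false; try { isLockAcquired = AsynchttpHelper.acquireLockIfPossible(VulnerabilityCaseType.HTTP_REQUEST); } catch (Throwable ignored) {}`, or restore the catch inside the helper as the other instrumentation helpers in this commit do. The rest of `executeRequest` is outside the hunk.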
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
import com.newrelic.api.agent.security.instrumentation.helpers.GenericHelper;
import com.newrelic.api.agent.security.schema.AbstractOperation;
import com.newrelic.api.agent.security.schema.StringUtils;
import com.newrelic.api.agent.security.schema.VulnerabilityCaseType;
import com.newrelic.api.agent.security.schema.exceptions.NewRelicSecurityException;
import com.newrelic.api.agent.security.schema.operation.XPathOperation;
import com.newrelic.api.agent.security.utils.logging.LogLevel;
Expand Down Expand Up @@ -56,15 +57,15 @@ private void releaseLock() {
} catch (Throwable ignored) {}
}

private boolean acquireLockIfPossible() {
private boolean acquireLockIfPossible(VulnerabilityCaseType xpath) {
try {
return GenericHelper.acquireLockIfPossible(XPATHUtils.NR_SEC_CUSTOM_ATTRIB_NAME);
return GenericHelper.acquireLockIfPossible(xpath, XPATHUtils.NR_SEC_CUSTOM_ATTRIB_NAME);
} catch (Throwable ignored) {}
return false;
}

public ValueBuilder xpath(String value, Class<?> resultType, Namespaces namespaces) {
boolean isLockAcquired = acquireLockIfPossible();
boolean isLockAcquired = acquireLockIfPossible(VulnerabilityCaseType.XPATH);
AbstractOperation operation = null;
if(isLockAcquired) {
operation = preprocessSecurityHook(value, XPATHUtils.METHOD_XPATH);
Expand Down
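Review bot: The new parameter of the private `acquireLockIfPossible` is named `xpath` although it is a `VulnerabilityCaseType`, and the only call site in the hunk passes `VulnerabilityCaseType.XPATH`; the name suggests an XPath expression is the lock key. Rename it to `caseType` — `private boolean acquireLockIfPossible(VulnerabilityCaseType caseType)` and `GenericHelper.acquireLockIfPossible(caseType, XPATHUtils.NR_SEC_CUSTOM_ATTRIB_NAME)` — matching the LDAP helpers in this commit. The `xpath(...)` method continues beyond the hunk.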
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
import com.newrelic.api.agent.security.NewRelicSecurity;
import com.newrelic.api.agent.security.instrumentation.helpers.GenericHelper;
import com.newrelic.api.agent.security.schema.AbstractOperation;
import com.newrelic.api.agent.security.schema.VulnerabilityCaseType;
import com.newrelic.api.agent.security.utils.logging.LogLevel;
import com.newrelic.api.agent.weaver.MatchType;
import com.newrelic.api.agent.weaver.Weave;
Expand All @@ -16,7 +17,7 @@ abstract class SessionManager_Instrumentation {
abstract Configuration configuration();

public ResultSetFuture executeAsync(Statement statement) {
boolean isLockAcquired = CassandraUtils.acquireLockIfPossible(statement.hashCode());
boolean isLockAcquired = CassandraUtils.acquireLockIfPossible(VulnerabilityCaseType.NOSQL_DB_COMMAND, statement.hashCode());
ResultSetFuture result = null;
AbstractOperation cqlOperation = null;

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
public abstract class SimpleStatement_Instrumentation {

public SimpleStatement_Instrumentation(String query, Object... values) {
boolean isLockAcquired = CassandraUtils.acquireLockIfPossible(hashCode());
boolean isLockAcquired = CassandraUtils.acquireLockIfPossible(VulnerabilityCaseType.NOSQL_DB_COMMAND, hashCode());

try{
if(isLockAcquired){
Expand All @@ -41,7 +41,7 @@ public SimpleStatement_Instrumentation(String query, Object... values) {
}

public SimpleStatement_Instrumentation(String query, Map<String, Object> values){
boolean isLockAcquired = CassandraUtils.acquireLockIfPossible(hashCode());
boolean isLockAcquired = CassandraUtils.acquireLockIfPossible(VulnerabilityCaseType.NOSQL_DB_COMMAND, hashCode());

try{
if(isLockAcquired){
Expand Down
