Appsec support for Play 2.5+ #5968
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cataphract
force-pushed
the
glopes/play-appsec
branch
from
594ae71 to
5261e19
Compare
cataphract
force-pushed
the
glopes/akka-appsec
branch
from
b7ed547 to
a392fd7
Compare
cataphract
force-pushed
the
glopes/play-appsec
branch
from
5261e19 to
750c827
Compare
cataphract
force-pushed
the
glopes/play-appsec
branch
2 times, most recently
from
9d971de to
13fe51a
Compare
BenchmarksStartupParameters
See matching parameters
SummaryFound 0 performance improvements and 0 performance regressions! Performance is the same for 54 cases. Startup time reports for insecure-bankgantt
title insecure-bank - global startup overhead: candidate=1.22.0-SNAPSHOT~6e523456cc, baseline=1.22.0-SNAPSHOT~61ab1df9ae
dateFormat X
axisFormat %s
section tracing
Agent [baseline] (1.012 s) : 0, 1012317
Total [baseline] (8.677 s) : 0, 8677442
Agent [candidate] (1.019 s) : 0, 1018517
Total [candidate] (8.694 s) : 0, 8694051
section iast
Agent [baseline] (1.138 s) : 0, 1137876
Total [baseline] (9.209 s) : 0, 9209394
Agent [candidate] (1.144 s) : 0, 1144266
Total [candidate] (9.216 s) : 0, 9216442
section iast_TELEMETRY_OFF
Agent [baseline] (1.143 s) : 0, 1142544
Total [baseline] (9.187 s) : 0, 9187222
Agent [candidate] (1.144 s) : 0, 1144283
Total [candidate] (9.229 s) : 0, 9229341
gantt
title insecure-bank - break down per module: candidate=1.22.0-SNAPSHOT~6e523456cc, baseline=1.22.0-SNAPSHOT~61ab1df9ae
dateFormat X
axisFormat %s
section tracing
BytebuddyAgent [baseline] (631.044 ms) : 0, 631044
BytebuddyAgent [candidate] (636.58 ms) : 0, 636580
GlobalTracer [baseline] (291.467 ms) : 0, 291467
GlobalTracer [candidate] (291.768 ms) : 0, 291768
AppSec [baseline] (48.918 ms) : 0, 48918
AppSec [candidate] (49.119 ms) : 0, 49119
Remote Config [baseline] (662.994 µs) : 0, 663
Remote Config [candidate] (676.402 µs) : 0, 676
Telemetry [baseline] (5.973 ms) : 0, 5973
Telemetry [candidate] (6.044 ms) : 0, 6044
section iast
BytebuddyAgent [baseline] (758.915 ms) : 0, 758915
BytebuddyAgent [candidate] (765.407 ms) : 0, 765407
GlobalTracer [baseline] (271.46 ms) : 0, 271460
GlobalTracer [candidate] (272.523 ms) : 0, 272523
AppSec [baseline] (46.185 ms) : 0, 46185
AppSec [candidate] (46.056 ms) : 0, 46056
IAST [baseline] (17.626 ms) : 0, 17626
IAST [candidate] (17.26 ms) : 0, 17260
Remote Config [baseline] (566.74 µs) : 0, 567
Remote Config [candidate] (586.703 µs) : 0, 587
Telemetry [baseline] (8.882 ms) : 0, 8882
Telemetry [candidate] (8.209 ms) : 0, 8209
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (760.082 ms) : 0, 760082
BytebuddyAgent [candidate] (764.058 ms) : 0, 764058
GlobalTracer [baseline] (274.385 ms) : 0, 274385
GlobalTracer [candidate] (273.351 ms) : 0, 273351
AppSec [baseline] (46.462 ms) : 0, 46462
AppSec [candidate] (46.513 ms) : 0, 46513
IAST [baseline] (18.749 ms) : 0, 18749
IAST [candidate] (17.079 ms) : 0, 17079
Remote Config [baseline] (606.717 µs) : 0, 607
Remote Config [candidate] (561.302 µs) : 0, 561
Telemetry [baseline] (7.692 ms) : 0, 7692
Telemetry [candidate] (8.197 ms) : 0, 8197
Startup time reports for petclinicgantt
title petclinic - global startup overhead: candidate=1.22.0-SNAPSHOT~6e523456cc, baseline=1.22.0-SNAPSHOT~61ab1df9ae
dateFormat X
axisFormat %s
section tracing
Agent [baseline] (1.012 s) : 0, 1012109
Total [baseline] (9.188 s) : 0, 9188406
Agent [candidate] (1.026 s) : 0, 1025988
Total [candidate] (9.223 s) : 0, 9222898
section appsec
Agent [baseline] (1.108 s) : 0, 1108424
Total [baseline] (9.302 s) : 0, 9301860
Agent [candidate] (1.108 s) : 0, 1108001
Total [candidate] (9.276 s) : 0, 9276030
section iast
Agent [baseline] (1.142 s) : 0, 1141548
Total [baseline] (9.464 s) : 0, 9464381
Agent [candidate] (1.144 s) : 0, 1144049
Total [candidate] (9.43 s) : 0, 9430442
section profiling
Agent [baseline] (1.201 s) : 0, 1201169
Total [baseline] (9.448 s) : 0, 9447809
Agent [candidate] (1.207 s) : 0, 1206971
Total [candidate] (9.512 s) : 0, 9512101
gantt
title petclinic - break down per module: candidate=1.22.0-SNAPSHOT~6e523456cc, baseline=1.22.0-SNAPSHOT~61ab1df9ae
dateFormat X
axisFormat %s
section tracing
BytebuddyAgent [baseline] (630.297 ms) : 0, 630297
BytebuddyAgent [candidate] (640.905 ms) : 0, 640905
GlobalTracer [baseline] (291.746 ms) : 0, 291746
GlobalTracer [candidate] (294.521 ms) : 0, 294521
AppSec [baseline] (49.094 ms) : 0, 49094
AppSec [candidate] (49.303 ms) : 0, 49303
Remote Config [baseline] (661.473 µs) : 0, 661
Remote Config [candidate] (693.36 µs) : 0, 693
Telemetry [baseline] (6.094 ms) : 0, 6094
Telemetry [candidate] (6.083 ms) : 0, 6083
section appsec
BytebuddyAgent [baseline] (636.685 ms) : 0, 636685
BytebuddyAgent [candidate] (637.726 ms) : 0, 637726
GlobalTracer [baseline] (293.252 ms) : 0, 293252
GlobalTracer [candidate] (291.889 ms) : 0, 291889
AppSec [baseline] (137.493 ms) : 0, 137493
AppSec [candidate] (137.663 ms) : 0, 137663
Remote Config [baseline] (643.87 µs) : 0, 644
Remote Config [candidate] (638.076 µs) : 0, 638
Telemetry [baseline] (5.747 ms) : 0, 5747
Telemetry [candidate] (5.688 ms) : 0, 5688
section iast
BytebuddyAgent [baseline] (761.561 ms) : 0, 761561
BytebuddyAgent [candidate] (765.161 ms) : 0, 765161
GlobalTracer [baseline] (272.297 ms) : 0, 272297
GlobalTracer [candidate] (271.639 ms) : 0, 271639
AppSec [baseline] (46.291 ms) : 0, 46291
AppSec [candidate] (47.538 ms) : 0, 47538
IAST [baseline] (18.232 ms) : 0, 18232
IAST [candidate] (17.204 ms) : 0, 17204
Remote Config [baseline] (586.07 µs) : 0, 586
Remote Config [candidate] (584.924 µs) : 0, 585
Telemetry [baseline] (8.271 ms) : 0, 8271
Telemetry [candidate] (7.525 ms) : 0, 7525
section profiling
BytebuddyAgent [baseline] (651.079 ms) : 0, 651079
BytebuddyAgent [candidate] (656.607 ms) : 0, 656607
GlobalTracer [baseline] (358.14 ms) : 0, 358140
GlobalTracer [candidate] (358.834 ms) : 0, 358834
AppSec [baseline] (49.537 ms) : 0, 49537
AppSec [candidate] (49.348 ms) : 0, 49348
Remote Config [baseline] (664.943 µs) : 0, 665
Remote Config [candidate] (656.362 µs) : 0, 656
Telemetry [baseline] (6.185 ms) : 0, 6185
Telemetry [candidate] (6.112 ms) : 0, 6112
ProfilingAgent [baseline] (81.615 ms) : 0, 81615
ProfilingAgent [candidate] (81.5 ms) : 0, 81500
Profiling [baseline] (81.639 ms) : 0, 81639
Profiling [candidate] (81.527 ms) : 0, 81527
LoadParameters
See matching parameters
SummaryFound 0 performance improvements and 0 performance regressions! Performance is the same for 22 cases. Request duration reports for insecure-bankgantt
title insecure-bank - request duration [CI 0.99] : candidate=1.22.0-SNAPSHOT~6e523456cc, baseline=1.22.0-SNAPSHOT~61ab1df9ae
dateFormat X
axisFormat %s
section baseline
no_agent (361.905 µs) : 340, 384
. : milestone, 362,
iast (464.422 µs) : 443, 486
. : milestone, 464,
iast_FULL (513.289 µs) : 493, 534
. : milestone, 513,
iast_INACTIVE (435.086 µs) : 414, 456
. : milestone, 435,
iast_TELEMETRY_OFF (458.595 µs) : 438, 479
. : milestone, 459,
tracing (422.594 µs) : 402, 444
. : milestone, 423,
section candidate
no_agent (357.933 µs) : 337, 378
. : milestone, 358,
iast (451.851 µs) : 431, 473
. : milestone, 452,
iast_FULL (514.741 µs) : 494, 535
. : milestone, 515,
iast_INACTIVE (423.332 µs) : 403, 444
. : milestone, 423,
iast_TELEMETRY_OFF (455.554 µs) : 434, 477
. : milestone, 456,
tracing (422.534 µs) : 402, 443
. : milestone, 423,
Request duration reports for petclinicgantt
title petclinic - request duration [CI 0.99] : candidate=1.22.0-SNAPSHOT~6e523456cc, baseline=1.22.0-SNAPSHOT~61ab1df9ae
dateFormat X
axisFormat %s
section baseline
no_agent (1.34 ms) : 1321, 1359
. : milestone, 1340,
appsec (1.683 ms) : 1657, 1708
. : milestone, 1683,
iast (1.442 ms) : 1418, 1466
. : milestone, 1442,
profiling (1.469 ms) : 1445, 1494
. : milestone, 1469,
tracing (1.458 ms) : 1434, 1482
. : milestone, 1458,
section candidate
no_agent (1.315 ms) : 1296, 1334
. : milestone, 1315,
appsec (1.668 ms) : 1643, 1693
. : milestone, 1668,
iast (1.444 ms) : 1420, 1468
. : milestone, 1444,
profiling (1.436 ms) : 1411, 1461
. : milestone, 1436,
tracing (1.431 ms) : 1406, 1455
. : milestone, 1431,
|
An error occurred while trying to automatically change base from
glopes/akka-appsec
to
master
October 2, 2023 20:59
An error occurred while trying to automatically change base from
glopes/akka-appsec
to
master
October 2, 2023 20:59
cataphract
force-pushed
the
glopes/play-appsec
branch
from
13fe51a to
536c674
Compare
bantonsson
reviewed
Oct 6, 2023
| @@ -145,9 +145,9 @@ class HttpServerDecoratorTest extends ServerDecoratorTest { | |||
|
|
|||
| where: | |||
| rawQuery | rawResource | url | expectedUrl | expectedQuery | expectedResource | |||
| false | false | "http://host/p%20ath?query%3F?" | "http://host/p ath" | "query??" | "/path" | |||
| false | false | "http://host/p%20ath?query%3F?" | "http://host/p ath" | "query??" | "/p ath" | |||
There was a problem hiding this comment.
This change scares me. Does this imply that the resource name for some customer will change? That is not something that can be rolled out in a minor version.
There was a problem hiding this comment.
Well, potentially, yes. My thought was that this was a bug. Even if this was intentional, the result of removing the spaces is that multiple different endpoints will end up with the same resource name, if they only differ by the spaces in them (a%20b and ab will result in ab).
There was a problem hiding this comment.
Yes I understand what the changes are, and I agree that the old behavior is not what one would expect, but the fact remains that this is a change that can potentially break current customer dashboards and monitors since the resource changes.
There should at least be a feature flag to revert to the old behavior.
There was a problem hiding this comment.
I've added a feature flag.
jandro996
approved these changes
Oct 10, 2023
|
@cataphract I have added the JIRA tickets to the description, could you confirm if they are correct? thanks! |
cataphract
force-pushed
the
glopes/play-appsec
branch
from
536c674 to
6d03032
Compare
Disable to get back the old behavior of suppressing spaces in resource names when using non-raw resource names.
cataphract
force-pushed
the
glopes/play-appsec
branch
from
6d03032 to
6e52345
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Add support for ASM WAF (AKA AppSec) on Play 2.5+
Additional notes
Added the option
dd.http.server.decoded.resource.preserve-spaces. This defaults totrue. Ifdd.http.server.raw.resourceis set tofalse, setting it tofalse, the old behavior is restored, where whitespace in the resource name is suppressed. This shows up when the resource name is created from an endpoint with spaces, like/path%20%with%20spaces. Withraw.resourceset totrue, in the resource name the spaces will show up as%20. Withraw.resourcesetfalse, now the resource name will include/path with spaces. The old behavior, which can be restored withpreserve-spacesset tofalse, will result in a resource name including/pathwithspaces.APPSEC-10445 and APPSEC-10446