Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Taint gson sources (deserialization) v1.1 #6082

Closed
wants to merge 21 commits into from
Closed

Taint gson sources (deserialization) v1.1 #6082

wants to merge 21 commits into from

Conversation

jandro996
Copy link
Member

@jandro996 jandro996 commented Oct 23, 2023
edited by jira bot
Loading

What Does This Do

Add instrumentation to com.google.gson.JsonParser

Motivation

Add gson source propagation for v1.1

Additional Notes

related with #6056

This PR is not completed, for ReInit method instrumentation we need to check if the input is tainted and if check if the JsonParser instance is tainted and remove it from the tainted objects.
Right now there is no mechanism to allow the removal of tainted objects (This will impact performance)

Jira ticket: APPSEC-11794

jandro996 and others added 21 commits October 11, 2023 13:59
@jandro996
First gson deserialization propagation version, tested for 1.1
8ea7e5d
@jandro996
Refactor, current instrumentation only works for v1.1
73e7f23
@jandro996
Gson instrumentation for 1.4 and 1.5
dde6d7a
@jandro996
Gson instrumentation from 1.6
8c62450
@jandro996
Fix gradle
52e583d
@jandro996
Update smoke test
c5e84cb
@jandro996
fix spotless
f98d8b8
@jandro996
fix muzzle
daeaeaa
@jandro996
Merge branch 'master' into alejandro.gonzalez/Taint_gson_sources_dese…
1c24265 
…rialization
@jandro996
remove unnecessary exclusions
50813e8
@jandro996
Merge branch 'master' into alejandro.gonzalez/Taint_gson_sources_dese…
165bce8 
…rialization
@jandro996
Merge branch 'master' into alejandro.gonzalez/Taint_gson_sources_dese…
4205f7c 
…rialization
@jandro996
First gson deserialization propagation version, tested for 1.1
c65ffa2
@jandro996
Refactor, current instrumentation only works for v1.1
8144934
@jandro996
Gson instrumentation for 1.4 and 1.5
83a0d41
@jandro996
Gson instrumentation from 1.6
8999064
@jpbempel @jandro996
Introduce PII redaction based on keywords
b508a18 
Redacts values based on a list of predefined words
name are normalized in lower case and by removing special characters:
`@`, `$`, `-` and `_`
Redaction happening at:
 - expression language for reference, index and getmember operations
 - serialization for snapshot or template values including maps
 - capture of the values from instrumentation
For conditions (log or span decoration probes) evaluation of a
redacted values triggers an evaluation exception that will be reported
as evaluation error into a snapshot.
@jpbempel @jandro996
Throw exception on expression language in any case
503d337
@jandro996
remove unnecessary exclusions
7cfac2a
@jandro996
Add instrumentation to constructor with InputStream and ReInit methods
af5be91
@jandro996
Gson IAST source propagation for version 1.1
3d3f83e
@jandro996 jandro996 closed this Oct 23, 2023
@jandro996
Copy link
Member Author

This PR will be resumed one we are able to remove elements from tainted objects

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jandro996 @jpbempel