diff --git a/dd-java-agent/instrumentation/akka-http-10.0/src/iastTest/groovy/datadog/trace/instrumentation/akkahttp/iast/IastAkkaTest.groovy b/dd-java-agent/instrumentation/akka-http-10.0/src/iastTest/groovy/datadog/trace/instrumentation/akkahttp/iast/IastAkkaTest.groovy
index fe44d66f04a..049145e81d4 100644
--- a/dd-java-agent/instrumentation/akka-http-10.0/src/iastTest/groovy/datadog/trace/instrumentation/akkahttp/iast/IastAkkaTest.groovy
+++ b/dd-java-agent/instrumentation/akka-http-10.0/src/iastTest/groovy/datadog/trace/instrumentation/akkahttp/iast/IastAkkaTest.groovy
@@ -13,7 +13,6 @@ import spock.lang.Shared
 import java.nio.charset.StandardCharsets
 
 import static org.hamcrest.Matchers.greaterThan
-import static org.hamcrest.Matchers.nullValue
 
 class IastAkkaTest extends IastRequestTestRunner {
   @Shared
@@ -340,7 +339,7 @@ class IastAkkaTest extends IastRequestTestRunner {
     then:
     toc.hasTaintedObject {
       value 'var1=foo&var1=bar&var2=a+b+c'
-      range 0, 28, source(SourceTypes.REQUEST_QUERY, null, null)
+      range 0, 28, source(SourceTypes.REQUEST_QUERY, null, 'var1=foo&var1=bar&var2=a+b+c')
     }
     toc.hasTaintedObject {
       value 'var1'
@@ -486,14 +485,16 @@ class IastAkkaTest extends IastRequestTestRunner {
   }
 
   void 'json request — #variant variant'() {
+    given:
+    final json = '''{
+      "var1": "foo",
+      "var2": ["foo2", "foo2"]
+    }'''
+
     when:
     String url = buildUrl "iast/$variant"
     def request = new Builder().url(url).post(
-      RequestBody.create(MediaType.get("application/json"), '''{
-        "var1": "foo",
-        "var2": ["foo2", "foo2"]
-      }'''.getBytes(StandardCharsets.US_ASCII))
-    ).build()
+      RequestBody.create(MediaType.get("application/json"), json.getBytes(StandardCharsets.US_ASCII))).build()
     def response = client.newCall(request).execute()
     def respBody = response.body().string()
 
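Review bot: The relocated fixture is still sent as `json.getBytes(StandardCharsets.US_ASCII)` while the `MediaType` carries no charset, and `String.getBytes(US_ASCII)` silently replaces any unmappable character with `?`, so a future non-ASCII addition to the `given:` block would be posted mangled and the body-taint assertions in the `then:` block (outside this hunk) would fail in a confusing way. Either switch to `json.getBytes(StandardCharsets.UTF_8)` with `MediaType.get("application/json; charset=utf-8")`, or pin the constraint next to the fixture with `// keep ASCII-only: encoded with US_ASCII below`. The `when:`/`then:` blocks of this feature method continue past the hunk.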
@@ -505,21 +506,22 @@ class IastAkkaTest extends IastRequestTestRunner {
     def toc = finReqTaintedObjects
 
     then:
+    // source values take the value of the full body as it's converted to string at TaintFutureHelper
     toc.hasTaintedObject {
       value 'var1'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var1', nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var1', json)
     }
     toc.hasTaintedObject {
       value 'var2'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', json)
     }
     toc.hasTaintedObject {
       value 'foo'
-      range 0, 3, source(SourceTypes.REQUEST_BODY, 'var1', nullValue())
+      range 0, 3, source(SourceTypes.REQUEST_BODY, 'var1', json)
     }
     toc.hasTaintedObject {
       value 'foo2'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', json)
     }
 
     where:
diff --git a/dd-java-agent/instrumentation/pekko-http-1.0/src/iastTest/groovy/datadog/trace/instrumentation/pekkohttp/iast/IastPekkoTest.groovy b/dd-java-agent/instrumentation/pekko-http-1.0/src/iastTest/groovy/datadog/trace/instrumentation/pekkohttp/iast/IastPekkoTest.groovy
index fa3da2004f0..4bc459eed19 100644
--- a/dd-java-agent/instrumentation/pekko-http-1.0/src/iastTest/groovy/datadog/trace/instrumentation/pekkohttp/iast/IastPekkoTest.groovy
+++ b/dd-java-agent/instrumentation/pekko-http-1.0/src/iastTest/groovy/datadog/trace/instrumentation/pekkohttp/iast/IastPekkoTest.groovy
@@ -13,7 +13,6 @@ import spock.lang.Shared
 import java.nio.charset.StandardCharsets
 
 import static org.hamcrest.Matchers.greaterThan
-import static org.hamcrest.Matchers.nullValue
 
 class IastPekkoTest extends IastRequestTestRunner {
   @Shared
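Review bot: The added comment explains the mechanism but not the consequence: every body-derived range (`var1`, `var2`, `foo`, `foo2`) now carries the entire request body as its source value, so anything built downstream from that value — vulnerability evidence, presumably — would include fields unrelated to the tainted fragment, which matters when a body holds credentials or PII next to the injected value. I would extend the comment with `// NOTE: the source value is the whole body, not the tainted fragment, so evidence derived from it exposes every field of the payload` so the trade-off is recorded where the assertion pins it. It is also worth a sentence that this differs from the WebFlux tests in this same change, where the source value is the fragment itself, since a consumer of REQUEST_BODY sources cannot assume either shape. The feature method's `where:` table continues past the hunk.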
@@ -340,7 +339,7 @@ class IastPekkoTest extends IastRequestTestRunner {
     then:
     toc.hasTaintedObject {
       value 'var1=foo&var1=bar&var2=a+b+c'
-      range 0, 28, source(SourceTypes.REQUEST_QUERY, null, null)
+      range 0, 28, source(SourceTypes.REQUEST_QUERY, null, 'var1=foo&var1=bar&var2=a+b+c')
     }
     toc.hasTaintedObject {
       value 'var1'
@@ -486,14 +485,16 @@ class IastPekkoTest extends IastRequestTestRunner {
   }
 
   void 'json request — #variant variant'() {
+    given:
+    final json = '''{
+      "var1": "foo",
+      "var2": ["foo2", "foo2"]
+    }'''
+
     when:
     String url = buildUrl "iast/$variant"
     def request = new Builder().url(url).post(
-      RequestBody.create(MediaType.get("application/json"), '''{
-        "var1": "foo",
-        "var2": ["foo2", "foo2"]
-      }'''.getBytes(StandardCharsets.US_ASCII))
-    ).build()
+      RequestBody.create(MediaType.get("application/json"), json.getBytes(StandardCharsets.US_ASCII))).build()
     def response = client.newCall(request).execute()
     def respBody = response.body().string()
 
@@ -505,21 +506,22 @@ class IastPekkoTest extends IastRequestTestRunner {
     def toc = finReqTaintedObjects
 
     then:
+    // source values take the value of the full body as it's converted to string at TaintFutureHelper
     toc.hasTaintedObject {
       value 'var1'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var1', nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var1', json)
     }
     toc.hasTaintedObject {
       value 'var2'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', json)
     }
     toc.hasTaintedObject {
       value 'foo'
-      range 0, 3, source(SourceTypes.REQUEST_BODY, 'var1', nullValue())
+      range 0, 3, source(SourceTypes.REQUEST_BODY, 'var1', json)
     }
     toc.hasTaintedObject {
       value 'foo2'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', json)
     }
 
     where:
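Review bot: These three hunks are byte-for-byte the akka-http hunks with the class name swapped, so the `json` fixture, the `TaintFutureHelper` comment and the four `source(SourceTypes.REQUEST_BODY, …, json)` expectations are now maintained in two places and will drift the next time one framework's behaviour is revisited. If `IastRequestTestRunner` (not visible here) is the natural home, a single shared constant such as `protected static final String JSON_BODY = '''{ "var1": "foo", "var2": ["foo2", "foo2"] }'''` would let both tests reference one fixture; failing that, a `@Shared` field in each class at least keeps it out of the feature method body. The rest of the feature method, including its `where:` table, is outside the hunks.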
diff --git a/dd-java-agent/instrumentation/spring-webflux-5/src/iastTest/groovy/datadog/trace/instrumentation/springwebflux/server/IastWebFluxTest.groovy b/dd-java-agent/instrumentation/spring-webflux-5/src/iastTest/groovy/datadog/trace/instrumentation/springwebflux/server/IastWebFluxTest.groovy
index 81d144eac9a..01851dcc5d1 100644
--- a/dd-java-agent/instrumentation/spring-webflux-5/src/iastTest/groovy/datadog/trace/instrumentation/springwebflux/server/IastWebFluxTest.groovy
+++ b/dd-java-agent/instrumentation/spring-webflux-5/src/iastTest/groovy/datadog/trace/instrumentation/springwebflux/server/IastWebFluxTest.groovy
@@ -24,7 +24,6 @@ import org.springframework.web.reactive.config.WebFluxConfigurer
 import java.nio.charset.StandardCharsets
 
 import static org.hamcrest.Matchers.equalToIgnoringCase
-import static org.hamcrest.Matchers.nullValue
 
 @SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, classes = [Application])
 class IastWebFluxTest extends IastRequestTestRunner {
@@ -275,21 +274,22 @@ class IastWebFluxTest extends IastRequestTestRunner {
     def toc = finReqTaintedObjects
 
     then:
+    // source values take the value of the current object as the body is never converted to a CharSequence
     toc.hasTaintedObject {
       value 'var1'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var1', nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var1', 'var1')
     }
     toc.hasTaintedObject {
       value 'var2'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', 'var2')
     }
     toc.hasTaintedObject {
       value 'foo'
-      range 0, 3, source(SourceTypes.REQUEST_BODY, 'var1', nullValue())
+      range 0, 3, source(SourceTypes.REQUEST_BODY, 'var1', 'foo')
     }
     toc.hasTaintedObject {
       value 'foo2'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', 'foo2')
     }
   }
 }
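Review bot: The four rewritten expectations pin that for WebFlux the REQUEST_BODY source value is the tainted fragment itself (`source(SourceTypes.REQUEST_BODY, 'var1', 'foo')`), which is the opposite shape to what the akka/pekko tests in this same change assert, where the value is the whole body. The added comment states the cause, but a reader of this file alone has no way to know another framework reports differently, and a consumer of `source.value` (evidence rendering, presumably) cannot treat either shape as the contract. I would append `// (akka/pekko report the full body here instead — see their IAST tests)` to the new comment so the divergence is discoverable from both sides. The feature method's header and request setup start before the hunk.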
diff --git a/dd-java-agent/instrumentation/spring-webflux-6/src/iastTest/groovy/datadog/trace/instrumentation/springwebflux6/server/IastWebFluxTest.groovy b/dd-java-agent/instrumentation/spring-webflux-6/src/iastTest/groovy/datadog/trace/instrumentation/springwebflux6/server/IastWebFluxTest.groovy
index 7e8841681f7..30a079dc146 100644
--- a/dd-java-agent/instrumentation/spring-webflux-6/src/iastTest/groovy/datadog/trace/instrumentation/springwebflux6/server/IastWebFluxTest.groovy
+++ b/dd-java-agent/instrumentation/spring-webflux-6/src/iastTest/groovy/datadog/trace/instrumentation/springwebflux6/server/IastWebFluxTest.groovy
@@ -25,7 +25,6 @@ import org.springframework.web.reactive.config.WebFluxConfigurer
 import java.nio.charset.StandardCharsets
 
 import static org.hamcrest.Matchers.equalToIgnoringCase
-import static org.hamcrest.Matchers.nullValue
 
 @SpringBootTest(
   properties = "spring.main.web-application-type=reactive",
@@ -278,21 +277,22 @@ class IastWebFluxTest extends IastRequestTestRunner {
     def toc = finReqTaintedObjects
 
     then:
+    // source values take the value of the current object as the body is never converted to a CharSequence
     toc.hasTaintedObject {
       value 'var1'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var1', nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var1', 'var1')
     }
     toc.hasTaintedObject {
       value 'var2'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', 'var2')
     }
     toc.hasTaintedObject {
       value 'foo'
-      range 0, 3, source(SourceTypes.REQUEST_BODY, 'var1', nullValue())
+      range 0, 3, source(SourceTypes.REQUEST_BODY, 'var1', 'foo')
     }
     toc.hasTaintedObject {
       value 'foo2'
-      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', nullValue())
+      range 0, 4, source(SourceTypes.REQUEST_BODY, 'var2', 'foo2')
     }
   }
 }