{{ message }}
Limit the maximum size of the location path in IAST vulnerabilities#9028
Merged
Conversation
gillarramendi
approved these changes
Jun 25, 2025
There was a problem hiding this comment.
Should we do it for all vulns, in case this happens in other places?
Member
Author
There was a problem hiding this comment.
If I recall correctly, we only use the LocationSupplier approach for XSS and Unvalidated redirect, checking the codo for the unvalidated redirects seems that only is used by this advice
public static class SpringAdvice {
@Advice.OnMethodExit(suppress = Throwable.class)
@Sink(VulnerabilityTypes.SPRING_RESPONSE)
public static void checkReturnedObject(
@Advice.Return HandlerMethodReturnValueHandler handler,
@Advice.Argument(0) final Object value,
@Advice.Argument(1) MethodParameter returnType) {
final UnvalidatedRedirectModule unvalidatedRedirectModule =
InstrumentationBridge.UNVALIDATED_REDIRECT;
final XssModule xssModule = InstrumentationBridge.XSS;
if (handler != null && value != null && returnType != null) {
String clazz = returnType.getMethod().getDeclaringClass().getName();
String method = returnType.getMethod().getName();
if (unvalidatedRedirectModule != null && value instanceof AbstractUrlBasedView) {
unvalidatedRedirectModule.onRedirect(
((AbstractUrlBasedView) value).getUrl(), clazz, method);
} else if (unvalidatedRedirectModule != null && value instanceof ModelAndView) {
unvalidatedRedirectModule.onRedirect(((ModelAndView) value).getViewName(), clazz, method);
} else if (value instanceof String) {
if (xssModule != null && handler instanceof RequestResponseBodyMethodProcessor) {
xssModule.onXss((String) value, clazz, method);
} else if (unvalidatedRedirectModule != null) {
unvalidatedRedirectModule.onRedirect((String) value, clazz, method);
}
}
}
}
}
So IMHO we are safe with this but we can add some default behavior or comment to warn this in the LocationSuplier just to be aware in future implementations
manuel-alvarez-alvarez
approved these changes
Jul 3, 2025
svc-squareup-copybara
pushed a commit
to cashapp/misk
that referenced
this pull request
Jul 10, 2025
| Package | Type | Package file | Manager | Update | Change | |---|---|---|---|---|---| | [com.google.errorprone:error_prone_annotations](https://errorprone.info) ([source](https://github.com/google/error-prone)) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.39.0` -> `2.40.0` | | [org.apache.commons:commons-lang3](https://commons.apache.org/proper/commons-lang/) ([source](https://gitbox.apache.org/repos/asf/commons-lang.git)) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `3.17.0` -> `3.18.0` | | [org.jetbrains.kotlinx.binary-compatibility-validator](https://github.com/Kotlin/binary-compatibility-validator) | plugin | misk/gradle/libs.versions.toml | gradle | patch | `0.18.0` -> `0.18.1` | | [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.50.1` -> `1.51.0` | | [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:sqs](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | --- ### Release Notes <details> <summary>google/error-prone (com.google.errorprone:error_prone_annotations)</summary> ### [`v2.40.0`](https://github.com/google/error-prone/releases/tag/v2.40.0): Error Prone 2.40.0 Changes: - Bug fixes and improvements - Releases (including snapshots) have migrated from [OSSRH to the Central Publisher Portal](https://central.sonatype.org/pages/ossrh-eol/#process-to-migrate) Full changelog: google/error-prone@v2.39.0...v2.40.0 </details> <details> <summary>Kotlin/binary-compatibility-validator (org.jetbrains.kotlinx.binary-compatibility-validator)</summary> ### [`v0.18.1`](https://github.com/Kotlin/binary-compatibility-validator/releases/tag/0.18.1) [Compare Source](Kotlin/binary-compatibility-validator@0.18.0...0.18.1) #### What's Changed - Fixed a bug preventing use of cross-compilation support during KLIB dump validation \[[#​304](https://github.com/Kotlin/binary-compatibility-validator/issues/304)]\[[#​306](https://github.com/Kotlin/binary-compatibility-validator/issues/306)] </details> <details> <summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary> ### [`v1.51.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.51.0): 1.51.0 ### Components #### Application Security Management (IAST) - 🐛 Fix verify error when ctor params are used after a call site ([#​9083](DataDog/dd-trace-java#9083) - [@​manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - 🐛 Limit the maximum size of the location path in IAST vulnerabilities ([#​9028](DataDog/dd-trace-java#9028) - [@​jandro996](https://github.com/jandro996)) - 🐛 Fix IAST gRPC handler with null superclass ([#​8984](DataDog/dd-trace-java#8984) - [@​smola](https://github.com/smola)) - ✨ Optimize IAST Vulnerability Detection ([#​8885](DataDog/dd-trace-java#8885) - [@​jandro996](https://github.com/jandro996)) #### Application Security Management (WAF) - ✨ Upgrade libddwaf-java to 15.0.0 ([#​9022](DataDog/dd-trace-java#9022) - [@​sezen-datadog](https://github.com/sezen-datadog)) - ✨ Extract RestEasy json body response schemas ([#​9015](DataDog/dd-trace-java#9015) - [@​jandro996](https://github.com/jandro996)) - ✨ Extract Jersey json body response schemas ([#​9014](DataDog/dd-trace-java#9014) - [@​jandro996](https://github.com/jandro996)) - ✨ Extract Ratpack json body response schemas ([#​9013](DataDog/dd-trace-java#9013) - [@​manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Enable API Security by default and make it lazy loading ([#​9009](DataDog/dd-trace-java#9009) - [@​smola](https://github.com/smola)) - ✨ Extract Vert.x json body response schemas ([#​9001](DataDog/dd-trace-java#9001) - [@​manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Extract Play json body response schemas ([#​8995](DataDog/dd-trace-java#8995) - [@​manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - 🐛 Fix Jackson nodes introspection for request/response schema extraction ([#​8980](DataDog/dd-trace-java#8980) - [@​manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Extract Spring json body response schemas ([#​8938](DataDog/dd-trace-java#8938) - [@​sezen-datadog](https://github.com/sezen-datadog)) - ✨ Default obfuscation regexp update ([#​8937](DataDog/dd-trace-java#8937) - [@​sezen-datadog](https://github.com/sezen-datadog)) #### Build & Tooling - ✨ Cancel GitLab running pipeline on new PR push ([#​9023](DataDog/dd-trace-java#9023) - [@​PerfectSlayer](https://github.com/PerfectSlayer)) - ✨ Migrate publishing to Maven Central Portal ([#​8807](DataDog/dd-trace-java#8807) - [@​sarahchen6](https://github.com/sarahchen6)) #### Continuous Integration Visibility - 🐛 Fix Test Optimization to work with JDK 24 ([#​9114](DataDog/dd-trace-java#9114) - [@​nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Add repo root as safe directory on git client creation ([#​9033](DataDog/dd-trace-java#9033) - [@​daniel-mohedano](https://github.com/daniel-mohedano)) - ✨ Add PR number tag and improve PR information building ([#​8990](DataDog/dd-trace-java#8990) - [@​daniel-mohedano](https://github.com/daniel-mohedano)) - ✨ Update impacted tests logic ([#​8923](DataDog/dd-trace-java#8923) - [@​daniel-mohedano](https://github.com/daniel-mohedano)) #### Data Streams Monitoring - 🧹 Clean up DSM context injection ([#​8776](DataDog/dd-trace-java#8776) - [@​PerfectSlayer](https://github.com/PerfectSlayer)) #### Database Monitoring - 🐛 Set trace\_injected in try block ([#​9025](DataDog/dd-trace-java#9025) - [@​natashadada](https://github.com/natashadada)) #### Dynamic Instrumentation - 🐛 Add source file tracking enable option ([#​9115](DataDog/dd-trace-java#9115) - [@​jpbempel](https://github.com/jpbempel)) - ✨ Add java.util.Date support ([#​9111](DataDog/dd-trace-java#9111) - [@​jpbempel](https://github.com/jpbempel)) - ✨ Update file probe format ([#​9047](DataDog/dd-trace-java#9047) - [@​jpbempel](https://github.com/jpbempel)) - ✨ add safe local var hoisting ([#​9034](DataDog/dd-trace-java#9034) - [@​jpbempel](https://github.com/jpbempel)) - 🧹 Add new config for debugger upload interval ([#​8959](DataDog/dd-trace-java#8959) - [@​jpbempel](https://github.com/jpbempel)) - ✨ Enable Code Origin with Dynamic instrumentation ([#​8940](DataDog/dd-trace-java#8940) - [@​jpbempel](https://github.com/jpbempel)) #### ML Observability (LLMObs) - 💡 LLM Observability SDK ([#​8781](DataDog/dd-trace-java#8781) - [@​gary-huang](https://github.com/gary-huang), [@​nayeem-kamal](https://github.com/nayeem-kamal)) #### Metrics - 🐛 Ensure client stat reporter is started when the agent is not available at bootstrap ([#​9082](DataDog/dd-trace-java#9082) - [@​amarziali](https://github.com/amarziali)) - ✨ Create metric: appsec.waf.config\_errors ([#​8394](DataDog/dd-trace-java#8394) - [@​sezen-datadog](https://github.com/sezen-datadog)) #### Platform components - ✨ Introduce environment component ([#​9071](DataDog/dd-trace-java#9071) - [@​PerfectSlayer](https://github.com/PerfectSlayer)) #### Profiling - 🐛 Remove annoying warning for smap event parsing ([#​9119](DataDog/dd-trace-java#9119) - [@​jbachorik](https://github.com/jbachorik)) - 🐛 Fix ByteCountingInputStream when reading past EOF ([#​8988](DataDog/dd-trace-java#8988) - [@​manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) #### Realtime User Monitoring - ✨ Add RUM SDK injection for servlet based web servers ([#​9110](DataDog/dd-trace-java#9110) - [@​PerfectSlayer](https://github.com/PerfectSlayer) [@​amarziali](https://github.com/amarziali)) #### Telemetry - ✨ Update the config origin metric to match what it's mapping ([#​9045](DataDog/dd-trace-java#9045) - [@​sezen-datadog](https://github.com/sezen-datadog)) #### Testing - ✨ Add testing for latest stable version (JDK 24) ([#​8875](DataDog/dd-trace-java#8875) - [@​sarahchen6](https://github.com/sarahchen6)) #### Trace context propagation - 🐛 Fix bug with dropping baggage when `TracePropagationBehaviorExtract=IGNORE` ([#​9037](DataDog/dd-trace-java#9037) - [@​mhlidd](https://github.com/mhlidd)) - 🐛 Fix ArrayIndexOutOfBoundsException in PercentEscaper ([#​9032](DataDog/dd-trace-java#9032) - [@​mhlidd](https://github.com/mhlidd)) #### Tracer core - 🐛 Fix `Error` handling for trace interceptors ([#​9097](DataDog/dd-trace-java#9097) - [@​AlexeyKuznetsov-DD](https://github.com/AlexeyKuznetsov-DD)) - 💡 Add wildcard feature for `DD_TRACE_HEADER_TAGS` and enabling for Http Response headers ([#​9067](DataDog/dd-trace-java#9067) - [@​mhlidd](https://github.com/mhlidd)) #### Tracer public API - 💡 Add LLM Observability SDK ([#​8781](DataDog/dd-trace-java#8781) - [@​gary-huang](https://github.com/gary-huang)) ### Instrumentations #### Akka instrumentation - 🐛 Fix NPE in akka-http and pekko-http integrations ([#​9019](DataDog/dd-trace-java#9019) - [@​mcculls](https://github.com/mcculls)) #### Eclipse Vert.x instrumentation - ✨ Extract Vert.x json body response schemas ([#​9001](DataDog/dd-trace-java#9001) - [@​manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Write http.route tag as soon as possible in vert.x ([#​8952](DataDog/dd-trace-java#8952) - [@​manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) #### JAX-WS instrumentation - 💡⚠️ Enable jax-ws integration by default ([#​9030](DataDog/dd-trace-java#9030) - [@​bm1549](https://github.com/bm1549)) - ✨ Extract Jersey json body response schemas ([#​9014](DataDog/dd-trace-java#9014) - [@​jandro996](https://github.com/jandro996)) #### Mule instrumentation - 🐛 Propagate grizzly http span in filters if nothing is active ([#​9016](DataDog/dd-trace-java#9016) - [@​amarziali](https://github.com/amarziali)) #### Play Framework instrumentation - ✨ Extract Play json body response schemas ([#​8995](DataDog/dd-trace-java#8995) - [@​manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) #### Ratpack instrumentation - ✨ Extract Ratpack json body response schemas ([#​9013](DataDog/dd-trace-java#9013) - [@​manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) #### Spring instrumentation - ✨ Extract Spring json body response schemas ([#​8938](DataDog/dd-trace-java#8938) - [@​sezen-datadog](https://github.com/sezen-datadog)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am every weekday" in timezone Australia/Melbourne, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). GitOrigin-RevId: 649b690d4c9d7dcb572c457f0802b42b8e3e682e
sarahchen6
pushed a commit
that referenced
this pull request
Jul 24, 2025
…9028) What Does This Do Add truncation to path, class and method if it's necessary for LocationSuppliers to report XSS vulnerabilities Motivation incident-39654 In this incident, it was reported that the location.path field of an IAST vulnerability was populated with a large HTML payload, which caused a backend error and prevented the vulnerability from being reported. This occurred specifically with an XSS vulnerability located in a Thymeleaf template. Normally, the location.path is extracted from the stacktrace, so this kind of behavior is unusual. However, in cases where vulnerabilities occur in template-based frameworks, we use a different approach to improve precision — specifying the template name instead of the compiled class in the vulnerability location. In Thymeleaf, the instrumented method getTemplateName may return a full HTML document instead of just the template name, as originally expected. To guard against these cases, we’ve decided to truncate the values of path, class, and method when they are generated using suppliers rather than stacktrace-based extraction. (cherry picked from commit b3e2ecd)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What Does This Do
Add truncation to path, class and method if it's necessary for LocationSuppliers to report XSS vulnerabilities
Motivation
incident-39654
In this incident, it was reported that the location.path field of an IAST vulnerability was populated with a large HTML payload, which caused a backend error and prevented the vulnerability from being reported.
This occurred specifically with an XSS vulnerability located in a Thymeleaf template.
Normally, the location.path is extracted from the stacktrace, so this kind of behavior is unusual. However, in cases where vulnerabilities occur in template-based frameworks, we use a different approach to improve precision — specifying the template name instead of the compiled class in the vulnerability location.
In Thymeleaf, the instrumented method getTemplateName may return a full HTML document instead of just the template name, as originally expected.
To guard against these cases, we’ve decided to truncate the values of path, class, and method when they are generated using suppliers rather than stacktrace-based extraction.
Additional Notes
Contributor Checklist
type:and (comp:orinst:) labels in addition to any usefull labelsclose,fixor any linking keywords when referencing an issue.Use
solvesinstead, and assign the PR milestone to the issueJira ticket: [PROJ-IDENT]