Initial version of the native agent

benchmark/benchmarks.sh

@@ -8,6 +8,7 @@ export UTILS_DIR="${SCRIPT_DIR}/utils"
 export SHELL_UTILS_DIR="${UTILS_DIR}/shell"
 export K6_UTILS_DIR="${UTILS_DIR}/k6"
 export TRACER="${SCRIPT_DIR}/tracer/dd-java-agent.jar"
+export NATIVE_TRACER=$(readlink --canonicalize "${SCRIPT_DIR}/../native-agent/libdd-java-agent.so")
 export NO_AGENT_VARIANT="no_agent"
 
 run_benchmarks() {

benchmark/dacapo/benchmark.json

@@ -35,6 +35,12 @@
         "JAVA_OPTS": "-javaagent:${TRACER} -Ddd.iast.enabled=true"
       }
     },
+    "iast_NATIVE": {
+      "env": {
+        "VARIANT": "iast_NATIVE",
+        "JAVA_OPTS": "-agentpath:${NATIVE_TRACER} -javaagent:${TRACER} -Ddd.iast.enabled=true"
+      }
+    },
     "iast_GLOBAL": {
       "env": {
         "VARIANT": "iast_GLOBAL",

benchmark/load/insecure-bank/benchmark.json

@@ -24,6 +24,12 @@
         "JAVA_OPTS": "-javaagent:${TRACER} -Ddd.iast.enabled=true"
       }
     },
+    "iast_NATIVE": {
+      "env": {
+        "VARIANT": "iast_NATIVE",
+        "JAVA_OPTS": "-agentpath:${NATIVE_TRACER} -javaagent:${TRACER} -Ddd.iast.enabled=true"
+      }
+    },
     "iast_GLOBAL": {
       "env": {
         "VARIANT": "iast_GLOBAL",
@@ -36,6 +42,12 @@
         "JAVA_OPTS": "-javaagent:${TRACER} -Ddd.iast.enabled=true -Ddd.iast.detection.mode=FULL"
       }
     },
+    "iast_NATIVE_FULL": {
+      "env": {
+        "VARIANT": "iast_NATIVE_FULL",
+        "JAVA_OPTS": "-agentpath:${NATIVE_TRACER} -javaagent:${TRACER} -Ddd.iast.enabled=true -Ddd.iast.detection.mode=FULL"
+      }
+    },
     "iast_INACTIVE": {
       "env": {
         "VARIANT": "iast_INACTIVE",

benchmark/load/petclinic/benchmark.json

@@ -41,6 +41,12 @@
         "VARIANT": "iast",
         "JAVA_OPTS": "-javaagent:${TRACER} -Ddd.iast.enabled=true"
       }
+    },
+    "iast_NATIVE": {
+      "env": {
+        "VARIANT": "iast_NATIVE",
+        "JAVA_OPTS": "-agentpath:${NATIVE_TRACER} -javaagent:${TRACER} -Ddd.iast.enabled=true"
+      }
     }
   }
 }

dd-java-agent/agent-iast/build.gradle

@@ -94,6 +94,8 @@ ext {
     'com.datadog.iast.model.json.FormattingAdapter',
     'com.datadog.iast.model.json.SourceTypeAdapter',
     'com.datadog.iast.model.json.VulnerabilityTypeAdapter',
+    // native component not testable without the lib
+    'com.datadog.iast.taint.NativeTaintedObjectsAdapter'
   ]
   excludedClassesBranchCoverage = []
   excludedClassesInstructionCoverage = []

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/IastRequestContext.java

@@ -4,6 +4,7 @@
 
 import com.datadog.iast.model.VulnerabilityBatch;
 import com.datadog.iast.overhead.OverheadContext;
+import com.datadog.iast.taint.NativeTaintedObjectsAdapter;
 import com.datadog.iast.taint.TaintedMap;
 import com.datadog.iast.taint.TaintedObjectsMap;
 import com.datadog.iast.util.Wrapper;
@@ -12,6 +13,7 @@
 import datadog.trace.api.iast.taint.TaintedObjects;
 import datadog.trace.api.iast.telemetry.IastMetricCollector;
 import datadog.trace.api.iast.telemetry.IastMetricCollector.HasMetricCollector;
+import datadog.trace.api.nagent.NativeAgent;
 import java.io.IOException;
 import java.util.Queue;
 import java.util.concurrent.ArrayBlockingQueue;
@@ -144,6 +146,15 @@ public static class Provider extends IastContext.Provider {
     @Nullable
     @Override
     public TaintedObjects resolveTaintedObjects() {
+      if (NativeAgent.isInstalled()) {
+        return new NativeTaintedObjectsAdapter(this::resolveTaintedObjectsFn);
+      } else {
+        return resolveTaintedObjectsFn();
+      }
+    }
+
+    @Nullable
+    private TaintedObjects resolveTaintedObjectsFn() {
       final IastContext ctx = get();
       return ctx == null ? null : ctx.getTaintedObjects();
     }
@@ -153,6 +164,9 @@ public IastContext buildRequestContext() {
       TaintedObjects taintedObjects = pool.poll();
       if (taintedObjects == null) {
         taintedObjects = TaintedObjectsMap.build(TaintedMap.build(MAP_SIZE));
+        if (NativeAgent.isInstalled()) {
+          taintedObjects = new NativeTaintedObjectsAdapter(taintedObjects);
+        }
       }
       final IastRequestContext ctx = new IastRequestContext(taintedObjects);
       ctx.release = this::releaseRequestContext;

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/json/TaintedObjectAdapter.java

@@ -26,7 +26,7 @@ public void toJson(@Nonnull final JsonWriter writer, @Nullable final TaintedObje
       writer.value(target == null ? "[Value GCed]" : target.toString());
       writer.name("ranges");
       writer.beginArray();
-      for (final Range range : value.getRanges()) {
+      for (final Range range : (Range[]) value.getRanges()) {
         toJson(writer, range);
       }
       writer.endArray();

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/propagation/CodecModuleImpl.java

@@ -7,6 +7,7 @@
 import datadog.trace.api.iast.IastContext;
 import datadog.trace.api.iast.propagation.CodecModule;
 import datadog.trace.api.iast.propagation.PropagationModule;
+import datadog.trace.api.iast.taint.Range;
 import datadog.trace.api.iast.taint.TaintedObject;
 import datadog.trace.api.iast.taint.TaintedObjects;
 import java.net.URI;
@@ -116,7 +117,7 @@ private void taintUrlIfAnyTainted(
         hasTainted = true;
         final int offset = toString.indexOf(arg.toString());
         if (offset >= 0) {
-          builder.add(tainted.getRanges(), offset);
+          builder.add((Range[]) tainted.getRanges(), offset);
         }
       }
     }

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/propagation/PropagationModuleImpl.java

@@ -278,7 +278,7 @@ private static Range[] getRanges(
       }
     } else if (to != null) {
       final TaintedObject tainted = to.get(object);
-      return tainted == null ? null : tainted.getRanges();
+      return tainted == null ? null : (Range[]) tainted.getRanges();
     } else {
       return null;
     }
@@ -350,7 +350,7 @@ private static void internalTaint(
       final TaintedObject tainted = to.get(value);
       if (tainted != null) {
         // append ranges
-        final Range[] newRanges = Ranges.mergeRangesSorted(tainted.getRanges(), ranges);
+        final Range[] newRanges = Ranges.mergeRangesSorted((Range[]) tainted.getRanges(), ranges);
         tainted.setRanges(newRanges);
       } else {
         // taint new value

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/propagation/StringModuleImpl.java

@@ -70,12 +70,14 @@ public void onStringConcat(
     }
     final Range[] ranges;
     if (taintedRight == null) {
-      ranges = taintedLeft.getRanges();
+      ranges = (Range[]) taintedLeft.getRanges();
     } else if (taintedLeft == null) {
       ranges = new Range[taintedRight.getRanges().length];
-      Ranges.copyShift(taintedRight.getRanges(), ranges, 0, left.length());
+      Ranges.copyShift((Range[]) taintedRight.getRanges(), ranges, 0, left.length());
     } else {
-      ranges = mergeRanges(left.length(), taintedLeft.getRanges(), taintedRight.getRanges());
+      ranges =
+          mergeRanges(
+              left.length(), (Range[]) taintedLeft.getRanges(), (Range[]) taintedRight.getRanges());
     }
     to.taint(result, ranges);
   }
@@ -94,7 +96,7 @@ public void onStringBuilderInit(
     if (paramTainted == null) {
       return;
     }
-    to.taint(builder, paramTainted.getRanges());
+    to.taint(builder, (Range[]) paramTainted.getRanges());
   }
 
   @Override
@@ -114,13 +116,13 @@ public void onStringBuilderAppend(
     final TaintedObject builderTainted = to.get(builder);
     final int shift = builder.length() - param.length();
     if (builderTainted == null) {
-      final Range[] paramRanges = paramTainted.getRanges();
+      final Range[] paramRanges = (Range[]) paramTainted.getRanges();
       final Range[] ranges = new Range[paramRanges.length];
       Ranges.copyShift(paramRanges, ranges, 0, shift);
       to.taint(builder, ranges);
     } else {
-      final Range[] builderRanges = builderTainted.getRanges();
-      final Range[] paramRanges = paramTainted.getRanges();
+      final Range[] builderRanges = (Range[]) builderTainted.getRanges();
+      final Range[] paramRanges = (Range[]) paramTainted.getRanges();
       final Range[] ranges = mergeRanges(shift, builderRanges, paramRanges);
       builderTainted.setRanges(ranges);
     }
@@ -140,7 +142,7 @@ public void onStringBuilderToString(
     if (tainted == null) {
       return;
     }
-    to.taint(result, tainted.getRanges());
+    to.taint(result, (Range[]) tainted.getRanges());
   }
 
   @Override
@@ -195,7 +197,7 @@ public void onStringSubSequence(
     if (selfTainted == null) {
       return;
     }
-    final Range[] rangesSelf = selfTainted.getRanges();
+    final Range[] rangesSelf = (Range[]) selfTainted.getRanges();
     if (rangesSelf.length == 0) {
       return;
     }
@@ -303,7 +305,7 @@ public void onStringCaseChanged(@Nonnull String self, @Nullable String result) {
     if (taintedSelf == null) {
       return;
     }
-    final Range[] rangesSelf = taintedSelf.getRanges();
+    final Range[] rangesSelf = (Range[]) taintedSelf.getRanges();
     if (null == rangesSelf || rangesSelf.length == 0) {
       return;
     }
@@ -355,7 +357,7 @@ private static int insertRange(
   }
 
   private static Range[] getRanges(@Nullable final TaintedObject taintedObject) {
-    return taintedObject == null ? EMPTY : taintedObject.getRanges();
+    return taintedObject == null ? EMPTY : (Range[]) taintedObject.getRanges();
   }
 
   @Override
@@ -383,7 +385,7 @@ public void onStringTrim(@Nonnull final String self, @Nullable final String resu
 
     int resultLength = result.length();
 
-    final Range[] rangesSelf = taintedSelf.getRanges();
+    final Range[] rangesSelf = (Range[]) taintedSelf.getRanges();
     if (null == rangesSelf || rangesSelf.length == 0) {
       return;
     }
@@ -433,7 +435,7 @@ public void onStringFormat(
     final Deque<Range> formatRanges = new LinkedList<>();
     final TaintedObject formatTainted = to.get(format);
     if (formatTainted != null) {
-      formatRanges.addAll(Arrays.asList(formatTainted.getRanges()));
+      formatRanges.addAll(Arrays.asList((Range[]) formatTainted.getRanges()));
     }
     // params can appear zero or multiple times in the pattern so the final number of ranges is
     // unknown beforehand
@@ -470,7 +472,8 @@ public void onStringFormat(
       final Ranged placeholderPos = Ranged.build(matcher.start(), placeholder.length());
       final Range placeholderRange =
           addFormatTaintedRanges(placeholderPos, offset, formatRanges, finalRanges);
-      final Range[] paramRanges = taintedObject == null ? null : taintedObject.getRanges();
+      final Range[] paramRanges =
+          taintedObject == null ? null : (Range[]) taintedObject.getRanges();
       final int shift = placeholderPos.getStart() + offset;
       addParameterTaintedRanges(
           placeholderRange, parameter, formattedValue, shift, paramRanges, finalRanges);
@@ -521,7 +524,7 @@ public void onStringFormat(
       if (it.hasNext() && paramIndex < parameters.length) {
         final Object parameter = parameters[paramIndex++];
         final TaintedObject tainted = to.get(parameter);
-        final Range[] parameterRanges = tainted == null ? null : tainted.getRanges();
+        final Range[] parameterRanges = tainted == null ? null : (Range[]) tainted.getRanges();
         final String formatted = String.valueOf(parameter);
         addParameterTaintedRanges(null, parameter, formatted, offset, parameterRanges, finalRanges);
         offset += formatted.length();
@@ -552,7 +555,7 @@ public void onSplit(@Nonnull String self, @Nonnull String[] result) {
     if (taintedString == null) {
       return;
     }
-    Range priorityRange = highestPriorityRange(taintedString.getRanges());
+    Range priorityRange = highestPriorityRange((Range[]) taintedString.getRanges());
     for (String s : result) {
       to.taint(s, new Range[] {Ranges.copyWithPosition(priorityRange, 0, s.length())});
     }
@@ -573,7 +576,7 @@ public void onStringStrip(@Nonnull String self, @Nonnull String result, boolean
       return;
     }
 
-    final Range[] rangesSelf = taintedSelf.getRanges();
+    final Range[] rangesSelf = (Range[]) taintedSelf.getRanges();
     if (rangesSelf.length == 0) {
       return;
     }
@@ -609,7 +612,7 @@ public void onIndent(@Nonnull String self, int indentation, @Nonnull String resu
       return;
     }
 
-    final Range[] rangesSelf = taintedSelf.getRanges();
+    final Range[] rangesSelf = (Range[]) taintedSelf.getRanges();
     if (rangesSelf.length == 0) {
       return;
     }
@@ -636,7 +639,7 @@ public void onStringReplace(
       return;
     }
 
-    final Range[] rangesSelf = taintedSelf.getRanges();
+    final Range[] rangesSelf = (Range[]) taintedSelf.getRanges();
     if (rangesSelf.length == 0) {
       return;
     }
@@ -656,13 +659,13 @@ public String onStringReplace(
     final TaintedObject taintedSelf = to.get(self);
     Range[] rangesSelf = new Range[0];
     if (taintedSelf != null) {
-      rangesSelf = taintedSelf.getRanges();
+      rangesSelf = (Range[]) taintedSelf.getRanges();
     }
 
     final TaintedObject taintedInput = to.get(newCharSeq);
     Range[] rangesInput = null;
     if (taintedInput != null) {
-      rangesInput = taintedInput.getRanges();
+      rangesInput = (Range[]) taintedInput.getRanges();
     }
 
     if (rangesSelf.length == 0 && rangesInput == null) {
@@ -699,13 +702,13 @@ public String onStringReplace(
     final TaintedObject taintedSelf = to.get(self);
     Range[] rangesSelf = new Range[0];
     if (taintedSelf != null) {
-      rangesSelf = taintedSelf.getRanges();
+      rangesSelf = (Range[]) taintedSelf.getRanges();
     }
 
     final TaintedObject taintedInput = to.get(replacement);
     Range[] rangesInput = null;
     if (taintedInput != null) {
-      rangesInput = taintedInput.getRanges();
+      rangesInput = (Range[]) taintedInput.getRanges();
     }
 
     if (rangesSelf.length == 0 && rangesInput == null) {
@@ -748,7 +751,7 @@ public void onStringValueOf(Object param, @Nonnull String result) {
         return;
       }
 
-      final Range[] rangesParam = taintedParam.getRanges();
+      final Range[] rangesParam = (Range[]) taintedParam.getRanges();
       if (rangesParam.length == 0) {
         return;
       }

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/SinkModuleBase.java

@@ -126,7 +126,7 @@ protected final Evidence checkInjection(
       final Object origin = source.getRawValue();
       final TaintedObject tainted = origin == null ? null : to.get(origin);
       if (origin != null && tainted != null) {
-        valueRanges = Ranges.getNotMarkedRanges(tainted.getRanges(), type.mark());
+        valueRanges = Ranges.getNotMarkedRanges((Range[]) tainted.getRanges(), type.mark());
         value = origin;
       } else {
         valueRanges = Ranges.forObject((Source) taintable.$$DD$getSource(), type.mark());
@@ -137,7 +137,7 @@ protected final Evidence checkInjection(
       if (tainted == null) {
         return null;
       }
-      valueRanges = Ranges.getNotMarkedRanges(tainted.getRanges(), type.mark());
+      valueRanges = Ranges.getNotMarkedRanges((Range[]) tainted.getRanges(), type.mark());
     }
 
     if (valueRanges == null || valueRanges.length == 0) {
@@ -217,7 +217,7 @@ protected final Evidence checkInjection(
       final TaintedObject tainted = to.get(value);
       Range[] valueRanges = null;
       if (tainted != null) {
-        valueRanges = Ranges.getNotMarkedRanges(tainted.getRanges(), type.mark());
+        valueRanges = Ranges.getNotMarkedRanges((Range[]) tainted.getRanges(), type.mark());
       }
       addToEvidence(type, evidence, ranges, value, valueRanges, evidenceBuilder);