Add XSS support for JSP (#6944)

What Does This Do
Add instrumentation to call XSS module:

javax.servlet.jsp.JspWriter#print
javax.servlet.jsp.JspWriter#println
javax.servlet.jsp.JspWriter#write
jakarta.servlet.jsp.JspWriter#print
jakarta.servlet.jsp.JspWriter#println
jakarta.servlet.jsp.JspWriter#write
Add smoke tests

Motivation
Being able to report XSS vulnerabilities in JSP

Author: jandro996

dd-java-agent/instrumentation/servlet/request-5/build.gradle

@@ -54,6 +54,7 @@ dependencies {
   implementation files(relocatedJavaxJar.outputs.files)
   compileOnly group: 'jakarta.servlet', name: 'jakarta.servlet-api', version: '5.0.0'
   testImplementation group: 'jakarta.servlet', name: 'jakarta.servlet-api', version: '5.0.0'
+  testImplementation group: 'jakarta.servlet.jsp', name: 'jakarta.servlet.jsp-api', version: '3.0.0'
   testRuntimeOnly project(':dd-java-agent:instrumentation:iast-instrumenter')
 
   javaxClassesToRelocate project(':dd-java-agent:instrumentation:servlet-common'), {

dd-java-agent/instrumentation/servlet/request-5/src/main/java/datadog/trace/instrumentation/servlet5/jsp/JakartaJspWriterCallSite.java

@@ -0,0 +1,28 @@
+package datadog.trace.instrumentation.servlet5.jsp;
+
+import datadog.trace.agent.tooling.csi.CallSite;
+import datadog.trace.api.iast.IastCallSites;
+import datadog.trace.api.iast.InstrumentationBridge;
+import datadog.trace.api.iast.Sink;
+import datadog.trace.api.iast.VulnerabilityTypes;
+import datadog.trace.api.iast.sink.XssModule;
+import javax.annotation.Nonnull;
+
+@Sink(VulnerabilityTypes.XSS)
+@CallSite(spi = IastCallSites.class)
+public class JakartaJspWriterCallSite {
+
+  @CallSite.Before("void jakarta.servlet.jsp.JspWriter.print(java.lang.String)")
+  @CallSite.Before("void jakarta.servlet.jsp.JspWriter.println(java.lang.String)")
+  @CallSite.Before("void jakarta.servlet.jsp.JspWriter.write(java.lang.String)")
+  public static void beforeStringParam(@CallSite.Argument(0) @Nonnull final String s) {
+    final XssModule module = InstrumentationBridge.XSS;
+    if (module != null) {
+      try {
+        module.onXss(s);
+      } catch (final Throwable e) {
+        module.onUnexpectedException("beforeStringParam threw", e);
+      }
+    }
+  }
+}

dd-java-agent/instrumentation/servlet/request-5/src/main/java/datadog/trace/instrumentation/servlet5/jsp/JakartaJspWriterFullDetectionCallSite.java

@@ -0,0 +1,30 @@
+package datadog.trace.instrumentation.servlet5.jsp;
+
+import datadog.trace.agent.tooling.csi.CallSite;
+import datadog.trace.api.iast.IastCallSites;
+import datadog.trace.api.iast.InstrumentationBridge;
+import datadog.trace.api.iast.Sink;
+import datadog.trace.api.iast.VulnerabilityTypes;
+import datadog.trace.api.iast.sink.XssModule;
+import javax.annotation.Nonnull;
+
+@Sink(VulnerabilityTypes.XSS)
+@CallSite(
+    spi = IastCallSites.class,
+    enabled = {"datadog.trace.api.iast.IastEnabledChecks", "isFullDetection"})
+public class JakartaJspWriterFullDetectionCallSite {
+
+  @CallSite.Before("void jakarta.servlet.jsp.JspWriter.print(char[])")
+  @CallSite.Before("void jakarta.servlet.jsp.JspWriter.println(char[])")
+  @CallSite.Before("void jakarta.servlet.jsp.JspWriter.write(char[])")
+  public static void beforeCharArrayParam(@CallSite.Argument(0) @Nonnull final char[] buf) {
+    final XssModule module = InstrumentationBridge.XSS;
+    if (module != null) {
+      try {
+        module.onXss(buf);
+      } catch (final Throwable e) {
+        module.onUnexpectedException("beforeCharArrayParam threw", e);
+      }
+    }
+  }
+}

dd-java-agent/instrumentation/servlet/request-5/src/test/groovy/JakartaJspWriterCallsiteTest.groovy

@@ -0,0 +1,41 @@
+import datadog.trace.agent.test.AgentTestRunner
+import datadog.trace.api.iast.InstrumentationBridge
+import datadog.trace.api.iast.sink.XssModule
+import foo.bar.smoketest.TestJspWriterSuite
+
+import jakarta.servlet.jsp.JspWriter
+
+class JakartaJspWriterCallsiteTest extends AgentTestRunner{
+
+  static final STRING = "test"
+  static final CHAR_ARRAY = STRING.toCharArray()
+
+  @Override
+  protected void configurePreAgent() {
+    injectSysConfig("dd.iast.enabled", "true")
+  }
+
+  void 'test JspWriter'() {
+    setup:
+    final iastModule = Mock(XssModule)
+    InstrumentationBridge.registerIastModule(iastModule)
+    final writer = Mock(JspWriter)
+    final suite = new TestJspWriterSuite(writer)
+
+    when:
+    suite.&"$method".call(args)
+
+    then:
+    expected * iastModule.onXss(args[0])
+    0 * iastModule._
+
+    where:
+    method | args | expected
+    "printTest" | [STRING]  | 1
+    "printlnTest" | [STRING]  | 1
+    "write" | [STRING]  | 1
+    "printTest" | [CHAR_ARRAY]  | 0
+    "printlnTest" | [CHAR_ARRAY]  | 0
+    "write" | [CHAR_ARRAY]  | 0
+  }
+}

dd-java-agent/instrumentation/servlet/request-5/src/test/groovy/JakartaJspWriterFullDetectionCallsiteTest.groovy

@@ -0,0 +1,41 @@
+import datadog.trace.agent.test.AgentTestRunner
+import datadog.trace.api.iast.InstrumentationBridge
+import datadog.trace.api.iast.sink.XssModule
+import foo.bar.smoketest.TestJspWriterSuite
+import jakarta.servlet.jsp.JspWriter
+
+class JakartaJspWriterFullDetectionCallsiteTest extends AgentTestRunner{
+
+  static final STRING = "test"
+  static final CHAR_ARRAY = STRING.toCharArray()
+
+  @Override
+  protected void configurePreAgent() {
+    injectSysConfig("dd.iast.enabled", "true")
+    injectSysConfig("dd.iast.detection.mode", "FULL")
+  }
+
+  void 'test JspWriter'() {
+    setup:
+    final iastModule = Mock(XssModule)
+    InstrumentationBridge.registerIastModule(iastModule)
+    final writer = Mock(JspWriter)
+    final suite = new TestJspWriterSuite(writer)
+
+    when:
+    suite.&"$method".call(args)
+
+    then:
+    1 * iastModule.onXss(args[0])
+    0 * iastModule._
+
+    where:
+    method | args
+    "printTest" | [STRING]
+    "printlnTest" | [STRING]
+    "write" | [STRING]
+    "printTest" | [CHAR_ARRAY]
+    "printlnTest" | [CHAR_ARRAY]
+    "write" | [CHAR_ARRAY]
+  }
+}

dd-java-agent/instrumentation/servlet/request-5/src/test/java/foo/bar/smoketest/TestJspWriterSuite.java

@@ -0,0 +1,37 @@
+package foo.bar.smoketest;
+
+import jakarta.servlet.jsp.JspWriter;
+import java.io.IOException;
+
+public class TestJspWriterSuite {
+
+  JspWriter writer;
+
+  public TestJspWriterSuite(final JspWriter writer) {
+    this.writer = writer;
+  }
+
+  public void printlnTest(char x[]) throws IOException {
+    writer.println(x);
+  }
+
+  public void printlnTest(String x) throws IOException {
+    writer.println(x);
+  }
+
+  public void printTest(char s[]) throws IOException {
+    writer.print(s);
+  }
+
+  public void printTest(String s) throws IOException {
+    writer.print(s);
+  }
+
+  public void write(char s[]) throws IOException {
+    writer.write(s);
+  }
+
+  public void write(String s) throws IOException {
+    writer.write(s);
+  }
+}

dd-java-agent/instrumentation/servlet/src/main/java/datadog/trace/instrumentation/servlet/jsp/JspWriterCallSite.java

@@ -0,0 +1,28 @@
+package datadog.trace.instrumentation.servlet.jsp;
+
+import datadog.trace.agent.tooling.csi.CallSite;
+import datadog.trace.api.iast.IastCallSites;
+import datadog.trace.api.iast.InstrumentationBridge;
+import datadog.trace.api.iast.Sink;
+import datadog.trace.api.iast.VulnerabilityTypes;
+import datadog.trace.api.iast.sink.XssModule;
+import javax.annotation.Nonnull;
+
+@Sink(VulnerabilityTypes.XSS)
+@CallSite(spi = IastCallSites.class)
+public class JspWriterCallSite {
+
+  @CallSite.Before("void javax.servlet.jsp.JspWriter.print(java.lang.String)")
+  @CallSite.Before("void javax.servlet.jsp.JspWriter.println(java.lang.String)")
+  @CallSite.Before("void javax.servlet.jsp.JspWriter.write(java.lang.String)")
+  public static void beforeStringParam(@CallSite.Argument(0) @Nonnull final String s) {
+    final XssModule module = InstrumentationBridge.XSS;
+    if (module != null) {
+      try {
+        module.onXss(s);
+      } catch (final Throwable e) {
+        module.onUnexpectedException("beforeStringParam threw", e);
+      }
+    }
+  }
+}

dd-java-agent/instrumentation/servlet/src/main/java/datadog/trace/instrumentation/servlet/jsp/JspWriterFullDetectionCallSite.java

@@ -0,0 +1,30 @@
+package datadog.trace.instrumentation.servlet.jsp;
+
+import datadog.trace.agent.tooling.csi.CallSite;
+import datadog.trace.api.iast.IastCallSites;
+import datadog.trace.api.iast.InstrumentationBridge;
+import datadog.trace.api.iast.Sink;
+import datadog.trace.api.iast.VulnerabilityTypes;
+import datadog.trace.api.iast.sink.XssModule;
+import javax.annotation.Nonnull;
+
+@Sink(VulnerabilityTypes.XSS)
+@CallSite(
+    spi = IastCallSites.class,
+    enabled = {"datadog.trace.api.iast.IastEnabledChecks", "isFullDetection"})
+public class JspWriterFullDetectionCallSite {
+
+  @CallSite.Before("void javax.servlet.jsp.JspWriter.print(char[])")
+  @CallSite.Before("void javax.servlet.jsp.JspWriter.println(char[])")
+  @CallSite.Before("void javax.servlet.jsp.JspWriter.write(char[])")
+  public static void beforeCharArrayParam(@CallSite.Argument(0) @Nonnull final char[] buf) {
+    final XssModule module = InstrumentationBridge.XSS;
+    if (module != null) {
+      try {
+        module.onXss(buf);
+      } catch (final Throwable e) {
+        module.onUnexpectedException("beforeCharArrayParam threw", e);
+      }
+    }
+  }
+}

dd-java-agent/instrumentation/servlet/src/test/groovy/JspWriterCallSiteTest.groovy

@@ -0,0 +1,41 @@
+import datadog.trace.agent.test.AgentTestRunner
+import datadog.trace.api.iast.InstrumentationBridge
+import datadog.trace.api.iast.sink.XssModule
+import foo.bar.TestJspWriterSuite
+
+import javax.servlet.jsp.JspWriter
+
+class JspWriterCallSiteTest extends AgentTestRunner{
+
+  static final STRING = "test"
+  static final CHAR_ARRAY = STRING.toCharArray()
+
+  @Override
+  protected void configurePreAgent() {
+    injectSysConfig("dd.iast.enabled", "true")
+  }
+
+  void 'test JspWriter'() {
+    setup:
+    final iastModule = Mock(XssModule)
+    InstrumentationBridge.registerIastModule(iastModule)
+    final writer = Mock(JspWriter)
+    final suite = new TestJspWriterSuite(writer)
+
+    when:
+    suite.&"$method".call(args)
+
+    then:
+    expected * iastModule.onXss(args[0])
+    0 * iastModule._
+
+    where:
+    method | args | expected
+    "printTest" | [STRING]  | 1
+    "printlnTest" | [STRING]  | 1
+    "write" | [STRING]  | 1
+    "printTest" | [CHAR_ARRAY]  | 0
+    "printlnTest" | [CHAR_ARRAY]  | 0
+    "write" | [CHAR_ARRAY]  | 0
+  }
+}

dd-java-agent/instrumentation/servlet/src/test/groovy/JspWriterFullDetectionCallSiteTest.groovy

@@ -0,0 +1,42 @@
+import datadog.trace.agent.test.AgentTestRunner
+import datadog.trace.api.iast.InstrumentationBridge
+import datadog.trace.api.iast.sink.XssModule
+import foo.bar.TestJspWriterSuite
+
+import javax.servlet.jsp.JspWriter
+
+class JspWriterFullDetectionCallSiteTest extends AgentTestRunner{
+
+  static final STRING = "test"
+  static final CHAR_ARRAY = STRING.toCharArray()
+
+  @Override
+  protected void configurePreAgent() {
+    injectSysConfig("dd.iast.enabled", "true")
+    injectSysConfig("dd.iast.detection.mode", "FULL")
+  }
+
+  void 'test JspWriter'() {
+    setup:
+    final iastModule = Mock(XssModule)
+    InstrumentationBridge.registerIastModule(iastModule)
+    final writer = Mock(JspWriter)
+    final suite = new TestJspWriterSuite(writer)
+
+    when:
+    suite.&"$method".call(args)
+
+    then:
+    1 * iastModule.onXss(args[0])
+    0 * iastModule._
+
+    where:
+    method | args
+    "printTest" | [STRING]
+    "printlnTest" | [STRING]
+    "write" | [STRING]
+    "printTest" | [CHAR_ARRAY]
+    "printlnTest" | [CHAR_ARRAY]
+    "write" | [CHAR_ARRAY]
+  }
+}