
Commit adf9784

authored
Add propagation to StringBuffer substring methods (#7992)
1 parent c5cda3f commit adf9784


5 files changed

+81
-42
lines changed


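--- a/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/propagation/StringModuleTest.groovy
+++ b/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/propagation/StringModuleTest.groovy
@@ -481,42 +481,47 @@ class StringModuleTest extends IastModuleImplTestBase {
 }
 
 where:
-self | beginIndex | endIndex | expected
-"==>0123<==" | 0 | 4 | "==>0123<=="
-"0123==>456<==78" | 0 | 5 | "0123==>4<=="
-"01==>234<==5==>678<==90" | 0 | 8 | "01==>234<==5==>67<=="
-"==>0123<==" | 0 | 3 | "==>012<=="
-"==>0123<==" | 1 | 4 | "==>123<=="
-"==>0123<==" | 1 | 3 | "==>12<=="
-"0123==>456<==78" | 1 | 8 | "123==>456<==7"
-"0123==>456<==78" | 0 | 4 | "0123"
-"0123==>456<==78" | 7 | 9 | "78"
-"0123==>456<==78" | 1 | 5 | "123==>4<=="
-"0123==>456<==78" | 1 | 6 | "123==>45<=="
-"0123==>456<==78" | 4 | 7 | "==>456<=="
-"0123==>456<==78" | 6 | 8 | "==>6<==7"
-"0123==>456<==78" | 5 | 8 | "==>56<==7"
-"0123==>456<==78" | 4 | 6 | "==>45<=="
-"01==>234<==5==>678<==90" | 1 | 10 | "1==>234<==5==>678<==9"
-"01==>234<==5==>678<==90" | 1 | 2 | "1"
-"01==>234<==5==>678<==90" | 5 | 6 | "5"
-"01==>234<==5==>678<==90" | 9 | 10 | "9"
-"01==>234<==5==>678<==90" | 1 | 4 | "1==>23<=="
-"01==>234<==5==>678<==90" | 2 | 4 | "==>23<=="
-"01==>234<==5==>678<==90" | 2 | 5 | "==>234<=="
-"01==>234<==5==>678<==90" | 1 | 8 | "1==>234<==5==>67<=="
-"01==>234<==5==>678<==90" | 2 | 8 | "==>234<==5==>67<=="
-"01==>234<==5==>678<==90" | 2 | 9 | "==>234<==5==>678<=="
-"01==>234<==5==>678<==90" | 5 | 8 | "5==>67<=="
-"01==>234<==5==>678<==90" | 6 | 8 | "==>67<=="
-"01==>234<==5==>678<==90" | 6 | 9 | "==>678<=="
-"01==>234<==5==>678<==90" | 4 | 9 | "==>4<==5==>678<=="
-"01==>234<==5==>678<==90" | 4 | 8 | "==>4<==5==>67<=="
-sb("==>0123<==") | 0 | 4 | "==>0123<=="
-sb("0123==>456<==78") | 0 | 5 | "0123==>4<=="
-sb("01==>234<==5==>678<==90") | 0 | 8 | "01==>234<==5==>67<=="
-sb("0123==>456<==78") | 4 | 6 | "==>45<=="
-sb("01==>234<==5==>678<==90") | 4 | 8 | "==>4<==5==>67<=="
+self | beginIndex | endIndex | expected
+"==>0123<==" | 0 | 4 | "==>0123<=="
+"0123==>456<==78" | 0 | 5 | "0123==>4<=="
+"01==>234<==5==>678<==90" | 0 | 8 | "01==>234<==5==>67<=="
+"==>0123<==" | 0 | 3 | "==>012<=="
+"==>0123<==" | 1 | 4 | "==>123<=="
+"==>0123<==" | 1 | 3 | "==>12<=="
+"0123==>456<==78" | 1 | 8 | "123==>456<==7"
+"0123==>456<==78" | 0 | 4 | "0123"
+"0123==>456<==78" | 7 | 9 | "78"
+"0123==>456<==78" | 1 | 5 | "123==>4<=="
+"0123==>456<==78" | 1 | 6 | "123==>45<=="
+"0123==>456<==78" | 4 | 7 | "==>456<=="
+"0123==>456<==78" | 6 | 8 | "==>6<==7"
+"0123==>456<==78" | 5 | 8 | "==>56<==7"
+"0123==>456<==78" | 4 | 6 | "==>45<=="
+"01==>234<==5==>678<==90" | 1 | 10 | "1==>234<==5==>678<==9"
+"01==>234<==5==>678<==90" | 1 | 2 | "1"
+"01==>234<==5==>678<==90" | 5 | 6 | "5"
+"01==>234<==5==>678<==90" | 9 | 10 | "9"
+"01==>234<==5==>678<==90" | 1 | 4 | "1==>23<=="
+"01==>234<==5==>678<==90" | 2 | 4 | "==>23<=="
+"01==>234<==5==>678<==90" | 2 | 5 | "==>234<=="
+"01==>234<==5==>678<==90" | 1 | 8 | "1==>234<==5==>67<=="
+"01==>234<==5==>678<==90" | 2 | 8 | "==>234<==5==>67<=="
+"01==>234<==5==>678<==90" | 2 | 9 | "==>234<==5==>678<=="
+"01==>234<==5==>678<==90" | 5 | 8 | "5==>67<=="
+"01==>234<==5==>678<==90" | 6 | 8 | "==>67<=="
+"01==>234<==5==>678<==90" | 6 | 9 | "==>678<=="
+"01==>234<==5==>678<==90" | 4 | 9 | "==>4<==5==>678<=="
+"01==>234<==5==>678<==90" | 4 | 8 | "==>4<==5==>67<=="
+sb("==>0123<==") | 0 | 4 | "==>0123<=="
+sb("0123==>456<==78") | 0 | 5 | "0123==>4<=="
+sb("01==>234<==5==>678<==90") | 0 | 8 | "01==>234<==5==>67<=="
+sb("0123==>456<==78") | 4 | 6 | "==>45<=="
+sb("01==>234<==5==>678<==90") | 4 | 8 | "==>4<==5==>67<=="
+sbf("==>0123<==") | 0 | 4 | "==>0123<=="
+sbf("0123==>456<==78") | 0 | 5 | "0123==>4<=="
+sbf("01==>234<==5==>678<==90") | 0 | 8 | "01==>234<==5==>67<=="
+sbf("0123==>456<==78") | 4 | 6 | "==>45<=="
+sbf("01==>234<==5==>678<==90") | 4 | 8 | "==>4<==5==>67<=="
 }
 
 void 'onStringJoin without null delimiter or elements (#delimiter, #elements)'() {
@@ -1263,4 +1268,8 @@ class StringModuleTest extends IastModuleImplTestBase {
 private static StringBuilder sb(final String string) {
 return new StringBuilder(string)
 }
+
+private static StringBuffer sbf(final String string) {
+return new StringBuffer(string)
+}
 }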

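--- a/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/taint/TaintUtils.groovy
+++ b/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/taint/TaintUtils.groovy
@@ -103,13 +103,18 @@ class TaintUtils {
 return resultString
 }
 
-static StringBuilder addFromTaintFormat(final TaintedObjects tos, final StringBuilder sb) {
+static Appendable addFromTaintFormat(final TaintedObjects tos, final Appendable sb) {
 final String s = sb.toString()
 final ranges = fromTaintFormat(s)
 if (ranges == null || ranges.length == 0) {
 return sb
 }
-final result = new StringBuilder(getStringFromTaintFormat(s))
+def result
+if (sb instanceof StringBuffer) {
+result = new StringBuffer(getStringFromTaintFormat(s))
+} else {
+result = new StringBuilder(getStringFromTaintFormat(s))
+}
 tos.taint(result, ranges)
 return result
 }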
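Review bot: The parameter type is widened to `Appendable` on the new signature line, but the body only knows how to handle `StringBuffer` and `StringBuilder`: any other `Appendable` (a `Writer`, say) is read through `sb.toString()`, which for such types does not yield the buffered text, and the result is silently a `StringBuilder` whatever the input was. A guard at the top of the method would turn that into a loud failure, e.g. `assert sb instanceof StringBuilder || sb instanceof StringBuffer : "unsupported Appendable: ${sb.getClass()}"`. The untyped `def result` also drops the static type the old code had; `final Appendable result = sb instanceof StringBuffer ? new StringBuffer(getStringFromTaintFormat(s)) : new StringBuilder(getStringFromTaintFormat(s))` keeps the branch in one expression and the declaration typed.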

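--- a/dd-java-agent/instrumentation/java-lang/src/main/java/datadog/trace/instrumentation/java/lang/StringBuilderCallSite.java
+++ b/dd-java-agent/instrumentation/java-lang/src/main/java/datadog/trace/instrumentation/java/lang/StringBuilderCallSite.java
@@ -10,6 +10,9 @@
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 
+/**
+* This class provides instrumentation for {@link StringBuilder} and {@link StringBuffer} methods.
+*/
 @Propagation
 @CallSite(spi = IastCallSites.class)
 public class StringBuilderCallSite {
@@ -103,6 +106,7 @@ public static String afterToString(
 }
 
 @CallSite.After("java.lang.String java.lang.StringBuilder.substring(int)")
+@CallSite.After("java.lang.String java.lang.StringBuffer.substring(int)")
 public static String afterSubstring(
 @CallSite.This final CharSequence self,
 @CallSite.Argument final int beginIndex,
@@ -119,6 +123,7 @@ public static String afterSubstring(
 }
 
 @CallSite.After("java.lang.String java.lang.StringBuilder.substring(int, int)")
+@CallSite.After("java.lang.String java.lang.StringBuffer.substring(int, int)")
 public static String afterSubstring(
 @CallSite.This final CharSequence self,
 @CallSite.Argument final int beginIndex,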
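Review bot: The class Javadoc added in the first hunk promises instrumentation for `StringBuffer` methods in general, while the only `StringBuffer` signatures registered in this commit are the two `substring` overloads in the second and third hunks; if `afterToString` and the other call sites outside these hunks remain `StringBuilder`-only, the sentence overstates what the class covers. A narrower wording avoids that: `* This class provides instrumentation for {@link StringBuilder} methods and, for the methods that also carry a StringBuffer signature, the matching {@link StringBuffer} methods.` The bodies of both `afterSubstring` overloads start inside the hunks but continue beyond them, so whether a `StringBuffer` receiver needs any handling there cannot be confirmed from this view; since `self` is received as a `CharSequence`, the existing propagation presumably applies unchanged.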

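--- a/dd-java-agent/instrumentation/java-lang/src/test/groovy/datadog/trace/instrumentation/java/lang/StringBuilderCallSiteTest.groovy
+++ b/dd-java-agent/instrumentation/java-lang/src/test/groovy/datadog/trace/instrumentation/java/lang/StringBuilderCallSiteTest.groovy
@@ -188,8 +188,9 @@ class StringBuilderCallSiteTest extends AgentTestRunner {
 0 * _
 
 where:
-param | beginIndex | expected
-sb('012345') | 1 | '12345'
+param | beginIndex | expected
+sb('012345') | 1 | '12345'
+sbf('012345') | 1 | '12345'
 }
 
 def 'test string builder substring with endIndex call site'() {
@@ -206,8 +207,9 @@ class StringBuilderCallSiteTest extends AgentTestRunner {
 0 * _
 
 where:
-param | beginIndex | endIndex | expected
-sb('012345') | 1 | 5 | '1234'
+param | beginIndex | endIndex | expected
+sb('012345') | 1 | 5 | '1234'
+sbf('012345') | 1 | 5 | '1234'
 }
 
 private static class BrokenToString {
@@ -226,4 +228,8 @@ class StringBuilderCallSiteTest extends AgentTestRunner {
 private static StringBuilder sb(final String string) {
 return new StringBuilder(string)
 }
+
+private static StringBuffer sbf(final String string) {
+return new StringBuffer(string)
+}
 }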
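Review bot: Both data tables now feed a `StringBuffer` row through tests whose names still say "string builder", so a failure on the `sbf` row would be reported under a misleading name. The second test's signature is visible in the first hunk and could read `def 'test string builder/buffer substring with endIndex call site'() {`; the first test's signature starts above the hunk and presumably needs the same rename. The `sbf` helper added in the last hunk mirrors `sb` exactly, which is fine for a fixture.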

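--- a/dd-java-agent/instrumentation/java-lang/src/test/java/foo/bar/TestStringBuilderSuite.java
+++ b/dd-java-agent/instrumentation/java-lang/src/test/java/foo/bar/TestStringBuilderSuite.java
@@ -90,4 +90,18 @@ public static String substring(StringBuilder self, int beginIndex) {
 LOGGER.debug("After string builder substring {}", result);
 return result;
 }
+
+public static String substring(StringBuffer self, int beginIndex, int endIndex) {
+LOGGER.debug("Before string buffer substring {} from {} to {}", self, beginIndex, endIndex);
+final String result = self.substring(beginIndex, endIndex);
+LOGGER.debug("After string buffer substring {}", result);
+return result;
+}
+
+public static String substring(StringBuffer self, int beginIndex) {
+LOGGER.debug("Before string buffer substring {} from {}", self, beginIndex);
+final String result = self.substring(beginIndex);
+LOGGER.debug("After string buffer substring {}", result);
+return result;
+}
 }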
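Review bot: The two new overloads repeat the `StringBuilder` versions line for line apart from the log text, and nothing in the file says why they are not one `CharSequence`-typed helper, which is the first thing a later reader will try. Presumably the reason is that the call-site instrumentation is matched on the static receiver type, so `self.substring(...)` has to be invoked on a variable typed `StringBuffer` for the `StringBuffer` advice to apply; a one-line comment above each new overload, `// receiver must be statically a StringBuffer so the StringBuffer call site is matched`, would preserve that intent. The enclosing class continues outside the hunk.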
