
Conversation

@sethsamuel
Contributor

@sethsamuel sethsamuel commented Mar 12, 2024

What Does This Do

This PR changes SQL comment injection to append when using a CALL to a procedure.

Motivation

Both Postgres and MySQL crash if there is content before CALL in a prepared statement but appear to tolerate it at the end of the statement.

Additional Notes

Jira ticket: SDBM-876
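The placement rule the PR describes, as an added example written for this page in Java (the PR concerns JDBC instrumentation) and not the project's own code: prepending the tracing comment is assumed to be the default form, and the comment is appended only when the statement is a stored-procedure CALL. The class name, method names and the sample comment values (dddbs/ddps/traceparent keys with placeholder ids) are invented for the example; the JDBC escape form `{call ...}` is deliberately not handled.

```java
import java.util.regex.Pattern;

// Added example, not the project's code: decides where a tracing comment goes
// in a SQL statement. Prepending is assumed to be the default; for CALL
// statements the comment is appended, because the PR reports that Postgres
// and MySQL reject content before CALL in a prepared statement but tolerate
// it at the end.
public final class SqlCommentPlacement {

    // Leading whitespace, then CALL as a whole word, case-insensitive.
    private static final Pattern CALL_STATEMENT =
            Pattern.compile("^\\s*call\\b", Pattern.CASE_INSENSITIVE);

    private SqlCommentPlacement() {}

    // True for "CALL proc(...)". The JDBC escape form "{call ...}" is not covered.
    static boolean isCallStatement(String sql) {
        return sql != null && CALL_STATEMENT.matcher(sql).find();
    }

    // Neutralises the only sequences that matter inside a block comment.
    // The values come from the tracer, but a defensive encoder keeps a stray
    // service name or tag from closing the comment early (star-slash), opening
    // a nested comment (slash-star, which PostgreSQL nests), or turning the
    // whole comment into a MySQL executable ("/*!") or hint ("/*+") comment.
    static String sanitizeCommentValue(String value) {
        String v = value.replace("/*", "/ *").replace("*/", "* /");
        if (v.startsWith("!") || v.startsWith("+")) {
            v = " " + v;
        }
        return v;
    }

    // Returns the statement with the comment in place: before the statement by
    // default, after it for CALL. A trailing semicolon, if present, stays last
    // so the comment never lands after the statement terminator (assumption).
    static String inject(String sql, String comment) {
        String body = "/*" + sanitizeCommentValue(comment) + "*/";
        if (!isCallStatement(sql)) {
            return body + " " + sql;
        }
        String trimmed = sql.replaceAll("\\s+$", "");
        if (trimmed.endsWith(";")) {
            return trimmed.substring(0, trimmed.length() - 1) + " " + body + ";";
        }
        return trimmed + " " + body;
    }

    public static void main(String[] args) {
        // Constructed sample comment; the trace and span ids are placeholders.
        String comment = "dddbs='bank',ddps='web',traceparent='00-<trace-id>-<span-id>-01'";

        // Ordinary statement: the comment is prepended.
        System.out.println(inject("SELECT balance FROM accounts WHERE id = ?", comment));
        // Procedure call: the comment is appended, which is the change this PR makes.
        System.out.println(inject("CALL transfer_funds(?, ?, ?)", comment));
        // Lower case, leading whitespace and a trailing semicolon are still handled.
        System.out.println(inject("  call transfer_funds(?, ?, ?);", comment));
        // A value containing a comment terminator stays inside the comment.
        System.out.println(inject("CALL audit(?)", "ddps='x*/ not a comment /*'"));
    }
}
```

The sanitizer is the defensive half of the example: the placement fix only matters if the comment itself can never alter the statement, and the two things that can do that inside a block comment are a premature close and, on PostgreSQL, an unbalanced nested open. Production formats such as sqlcommenter URL-encode values, which removes these characters outright; the replace-based approach here is the minimal equivalent for a self-contained example.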

@pr-commenter

pr-commenter bot commented Mar 12, 2024

Benchmarks

Startup

Parameters

Parameter | Baseline | Candidate
baseline_or_candidate | baseline | candidate
git_branch | master | seth.samuel/SDBM-876-PSQLException-when-enabling-dbm-and-apm-correlation
git_commit_date | 1710335469 | 1710337575
git_commit_sha | 8f6b8c3 | 8a1b83c
release_version | 1.32.0-SNAPSHOT~8f6b8c31aa | 1.32.0-SNAPSHOT~8a1b83cf2b

Matching parameters (identical for baseline and candidate)

Parameter | Baseline | Candidate
application | insecure-bank | insecure-bank
ci_job_date | 1710340668 | 1710340668
ci_job_id | 458704280 | 458704280
ci_pipeline_id | 30022928 | 30022928
cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
module | Agent | Agent
parent | None | None
variant | iast | iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 48 metrics, 15 unstable metrics.

Startup time reports for insecure-bank
[Chart: insecure-bank - global startup overhead (candidate=1.32.0-SNAPSHOT~8a1b83cf2b, baseline=1.32.0-SNAPSHOT~8f6b8c31aa); the Agent and Total durations it plots are listed in the table below.]
Baseline and candidate results (Δ is relative to the tracing variant):

Module | Variant | Baseline duration | Baseline Δ tracing | Candidate duration | Candidate Δ tracing
Agent | tracing | 1.077 s | - | 1.088 s | -
Agent | iast | 1.202 s | 125.01 ms (11.6%) | 1.208 s | 120.839 ms (11.1%)
Agent | iast_HARDCODED_SECRET_DISABLED | 1.202 s | 124.979 ms (11.6%) | 1.21 s | 122.2 ms (11.2%)
Agent | iast_TELEMETRY_OFF | 1.196 s | 118.428 ms (11.0%) | 1.203 s | 114.891 ms (10.6%)
Total | tracing | 8.557 s | - | 8.65 s | -
Total | iast | 9.042 s | 484.728 ms (5.7%) | 9.057 s | 407.409 ms (4.7%)
Total | iast_HARDCODED_SECRET_DISABLED | 9.008 s | 450.562 ms (5.3%) | 9.026 s | 376.171 ms (4.3%)
Total | iast_TELEMETRY_OFF | 9.036 s | 478.931 ms (5.6%) | 9.077 s | 427.16 ms (4.9%)
insecure-bank - break down per module (candidate=1.32.0-SNAPSHOT~8a1b83cf2b, baseline=1.32.0-SNAPSHOT~8f6b8c31aa):

Variant | Module | Baseline | Candidate
tracing | BytebuddyAgent | 694.704 ms | 701.2 ms
tracing | GlobalTracer | 291.038 ms | 294.296 ms
tracing | AppSec | 48.781 ms | 49.252 ms
tracing | Remote Config | 723.18 µs | 719.17 µs
tracing | Telemetry | 7.655 ms | 7.692 ms
iast | BytebuddyAgent | 799.568 ms | 802.815 ms
iast | GlobalTracer | 287.936 ms | 289.425 ms
iast | AppSec | 48.581 ms | 48.952 ms
iast | IAST | 23.78 ms | 24.766 ms
iast | Remote Config | 612.326 µs | 608.646 µs
iast | Telemetry | 7.348 ms | 7.401 ms
iast_HARDCODED_SECRET_DISABLED | BytebuddyAgent | 799.49 ms | 803.613 ms
iast_HARDCODED_SECRET_DISABLED | GlobalTracer | 287.597 ms | 290.458 ms
iast_HARDCODED_SECRET_DISABLED | AppSec | 48.187 ms | 50.201 ms
iast_HARDCODED_SECRET_DISABLED | IAST | 23.057 ms | 23.015 ms
iast_HARDCODED_SECRET_DISABLED | Remote Config | 626.198 µs | 621.693 µs
iast_HARDCODED_SECRET_DISABLED | Telemetry | 8.972 ms | 7.357 ms
iast_TELEMETRY_OFF | BytebuddyAgent | 791.632 ms | 795.684 ms
iast_TELEMETRY_OFF | GlobalTracer | 288.456 ms | 291.069 ms
iast_TELEMETRY_OFF | AppSec | 49.448 ms | 51.632 ms
iast_TELEMETRY_OFF | IAST | 23.315 ms | 22.514 ms
iast_TELEMETRY_OFF | Remote Config | 573.819 µs | 588.983 µs
iast_TELEMETRY_OFF | Telemetry | 7.878 ms | 6.564 ms
Startup time reports for petclinic
[Chart: petclinic - global startup overhead (candidate=1.32.0-SNAPSHOT~8a1b83cf2b, baseline=1.32.0-SNAPSHOT~8f6b8c31aa); the Agent and Total durations it plots are listed in the table below.]
Baseline and candidate results (Δ is relative to the tracing variant):

Module | Variant | Baseline duration | Baseline Δ tracing | Candidate duration | Candidate Δ tracing
Agent | tracing | 1.087 s | - | 1.09 s | -
Agent | appsec | 1.224 s | 136.691 ms (12.6%) | 1.212 s | 122.454 ms (11.2%)
Agent | iast | 1.204 s | 116.613 ms (10.7%) | 1.204 s | 114.765 ms (10.5%)
Agent | profiling | 1.27 s | 182.663 ms (16.8%) | 1.279 s | 189.035 ms (17.3%)
Total | tracing | 9.267 s | - | 9.173 s | -
Total | appsec | 9.383 s | 116.557 ms (1.3%) | 9.272 s | 99.121 ms (1.1%)
Total | iast | 9.362 s | 95.296 ms (1.0%) | 9.334 s | 160.246 ms (1.7%)
Total | profiling | 9.339 s | 71.832 ms (0.8%) | 9.472 s | 299.052 ms (3.3%)
petclinic - break down per module (candidate=1.32.0-SNAPSHOT~8a1b83cf2b, baseline=1.32.0-SNAPSHOT~8f6b8c31aa):

Variant | Module | Baseline | Candidate
tracing | BytebuddyAgent | 701.206 ms | 702.053 ms
tracing | GlobalTracer | 293.445 ms | 294.931 ms
tracing | AppSec | 49.619 ms | 49.491 ms
tracing | Remote Config | 727.486 µs | 735.423 µs
tracing | Telemetry | 7.697 ms | 7.829 ms
appsec | BytebuddyAgent | 709.743 ms | 703.038 ms
appsec | GlobalTracer | 298.003 ms | 294.598 ms
appsec | AppSec | 155.18 ms | 154.387 ms
appsec | IAST | 18.338 ms | 17.941 ms
appsec | Remote Config | 625.125 µs | 609.315 µs
appsec | Telemetry | 7.106 ms | 6.92 ms
iast | BytebuddyAgent | 800.796 ms | 800.269 ms
iast | GlobalTracer | 288.059 ms | 288.958 ms
iast | AppSec | 50.018 ms | 49.167 ms
iast | IAST | 23.522 ms | 23.68 ms
iast | Remote Config | 600.781 µs | 589.388 µs
iast | Telemetry | 6.575 ms | 7.426 ms
profiling | BytebuddyAgent | 687.234 ms | 690.181 ms
profiling | GlobalTracer | 375.088 ms | 379.109 ms
profiling | AppSec | 49.742 ms | 50.03 ms
profiling | Remote Config | 745.114 µs | 799.681 µs
profiling | Telemetry | 7.394 ms | 7.378 ms
profiling | ProfilingAgent | 93.652 ms | 94.908 ms
profiling | Profiling | 93.675 ms | 94.932 ms

Load

Request duration reports for insecure-bank
[Chart: insecure-bank - request duration [CI 0.99] (candidate=1.32.0-SNAPSHOT~8a1b83cf2b, baseline=1.32.0-SNAPSHOT~8f6b8c31aa); the per-variant durations and confidence intervals it plots are listed in the table below.]
Baseline and candidate results (Δ is relative to the no_agent variant):

Variant | Baseline duration [CI 0.99] | Baseline Δ no_agent | Candidate duration [CI 0.99] | Candidate Δ no_agent
no_agent | 369.121 µs [348.699 µs, 389.543 µs] | - | 368.12 µs [348.001 µs, 388.238 µs] | -
iast | 469.005 µs [448.371 µs, 489.638 µs] | 99.884 µs (27.1%) | 468.392 µs [447.99 µs, 488.793 µs] | 100.272 µs (27.2%)
iast_FULL | 539.223 µs [518.623 µs, 559.824 µs] | 170.102 µs (46.1%) | 536.819 µs [516.305 µs, 557.333 µs] | 168.699 µs (45.8%)
iast_GLOBAL | 490.705 µs [469.3 µs, 512.11 µs] | 121.584 µs (32.9%) | 491.089 µs [470.845 µs, 511.332 µs] | 122.969 µs (33.4%)
iast_HARDCODED_SECRET_DISABLED | 466.92 µs [446.558 µs, 487.282 µs] | 97.799 µs (26.5%) | 466.796 µs [446.479 µs, 487.113 µs] | 98.676 µs (26.8%)
iast_INACTIVE | 443.798 µs [423.389 µs, 464.207 µs] | 74.677 µs (20.2%) | 443.92 µs [422.91 µs, 464.93 µs] | 75.8 µs (20.6%)
iast_TELEMETRY_OFF | 465.709 µs [444.946 µs, 486.473 µs] | 96.588 µs (26.2%) | 465.628 µs [444.768 µs, 486.488 µs] | 97.509 µs (26.5%)
tracing | 442.282 µs [421.91 µs, 462.654 µs] | 73.161 µs (19.8%) | 444.069 µs [423.064 µs, 465.074 µs] | 75.95 µs (20.6%)
Request duration reports for petclinic
[Chart: petclinic - request duration [CI 0.99] (candidate=1.32.0-SNAPSHOT~8a1b83cf2b, baseline=1.32.0-SNAPSHOT~8f6b8c31aa); the per-variant durations and confidence intervals it plots are listed in the table below.]
Baseline and candidate results (Δ is relative to the no_agent variant):

Variant | Baseline duration [CI 0.99] | Baseline Δ no_agent | Candidate duration [CI 0.99] | Candidate Δ no_agent
no_agent | 1.343 ms [1.323 ms, 1.362 ms] | - | 1.347 ms [1.328 ms, 1.366 ms] | -
appsec | 1.778 ms [1.755 ms, 1.801 ms] | 435.286 µs (32.4%) | 1.78 ms [1.757 ms, 1.803 ms] | 432.974 µs (32.1%)
iast | 1.503 ms [1.479 ms, 1.526 ms] | 160.165 µs (11.9%) | 1.531 ms [1.508 ms, 1.554 ms] | 183.834 µs (13.6%)
profiling | 1.565 ms [1.54 ms, 1.59 ms] | 222.645 µs (16.6%) | 1.545 ms [1.521 ms, 1.568 ms] | 197.299 µs (14.6%)
tracing | 1.501 ms [1.478 ms, 1.524 ms] | 158.409 µs (11.8%) | 1.501 ms [1.477 ms, 1.526 ms] | 154.199 µs (11.4%)

@sethsamuel sethsamuel marked this pull request as ready for review March 13, 2024 13:19
@sethsamuel sethsamuel requested a review from a team as a code owner March 13, 2024 13:19
@sethsamuel sethsamuel requested review from mcculls and ygree March 13, 2024 13:19
@sethsamuel sethsamuel merged commit cd18597 into master Mar 13, 2024
@sethsamuel sethsamuel deleted the seth.samuel/SDBM-876-PSQLException-when-enabling-dbm-and-apm-correlation branch March 13, 2024 15:15
@github-actions github-actions bot added this to the 1.32.0 milestone Mar 13, 2024
@PerfectSlayer PerfectSlayer added the inst: jdbc JDBC instrumentation label Apr 4, 2024