[ASM][IAST] Hardcoded secrets (#4666)

* Implementation and tests (no codegen files) Codegen files Updated config test data * Reduced polling time Added debug traces Removed inherited member * Reworked linux tls implementation * Removed static CS instance causing segfaults on proc exit Fix build Removed unneeded virtual clause * Minor optimizations * Update HardcodedSecretsAnalyzer.cs Fix compilation errors * Fixed snapshots Added extra logs Changed hash calculation Fix some linux systems native string decoding Reverted pointer to string change * Added extra traces * Possible race condition fix Fix GetName race condition initialization Removed unnecesary traces Fixed linux compilation --------- Co-authored-by: Andrew Lock <andrew.lock@datadoghq.com>
DataDog · Nov 8, 2023 · 4a838c5 · 4a838c5
1 parent 4cdd83c
commit 4a838c5
Show file tree

Hide file tree

Showing 63 changed files with 1,613 additions and 386 deletions.
diff --git a/tracer/src/Datadog.Trace/ClrProfiler/NativeMethods.cs b/tracer/src/Datadog.Trace/ClrProfiler/NativeMethods.cs
@@ -5,6 +5,8 @@
 
 using System;
 using System.Runtime.InteropServices;
+using Datadog.Trace.Debugger.PInvoke;
+using Datadog.Trace.Iast.Analyzers;
 
 // ReSharper disable MemberHidesStaticFromOuterClass
 namespace Datadog.Trace.ClrProfiler
@@ -249,6 +251,18 @@ public static void UpdateSettings(string[] keys, string[] values)
             }
         }
 
+        public static int GetUserStrings(int arrSize, [In, Out] UserStringInterop[] arr)
+        {
+            if (IsWindows)
+            {
+                return Windows.GetUserStrings(arrSize, arr);
+            }
+            else
+            {
+                return NonWindows.GetUserStrings(arrSize, arr);
+            }
+        }
+
         // the "dll" extension is required on .NET Framework
         // and optional on .NET Core
         // The DllImport methods are re-written by cor_profiler to have the correct vales
@@ -301,6 +315,9 @@ public static extern void UpdateSettings(
                 [In, MarshalAs(UnmanagedType.LPArray, ArraySubType = UnmanagedType.LPWStr)] string[] keys,
                 [In, MarshalAs(UnmanagedType.LPArray, ArraySubType = UnmanagedType.LPWStr)] string[] values,
                 int length);
+
+            [DllImport("Datadog.Tracer.Native.dll", CharSet = CharSet.Unicode)]
+            public static extern int GetUserStrings(int arrSize, [In, Out] UserStringInterop[] arr);
         }
 
         // assume .NET Core if not running on Windows
@@ -354,6 +371,9 @@ public static extern void UpdateSettings(
                 [In, MarshalAs(UnmanagedType.LPArray, ArraySubType = UnmanagedType.LPWStr)] string[] keys,
                 [In, MarshalAs(UnmanagedType.LPArray, ArraySubType = UnmanagedType.LPWStr)] string[] values,
                 int length);
+
+            [DllImport("Datadog.Tracer.Native", CharSet = CharSet.Unicode)]
+            public static extern int GetUserStrings(int arrSize, [In, Out] UserStringInterop[] arr);
         }
     }
 }
diff --git a/tracer/src/Datadog.Trace/Configuration/ConfigurationKeys.Iast.cs b/tracer/src/Datadog.Trace/Configuration/ConfigurationKeys.Iast.cs
@@ -74,11 +74,11 @@ internal class Iast
             public const string RedactionValuesRegex = "DD_IAST_REDACTION_VALUES_REGEXP";
 
             /// <summary>
-            /// Configuration key for specifying a timeout in milliseconds to the execution of the obfuscation regexes
+            /// Configuration key for specifying a timeout in milliseconds to the execution of regexes in IAST
             /// Default value is 200ms
             /// </summary>
-            /// <seealso cref="IastSettings.RedactionRegexTimeout"/>
-            public const string RedactionRegexTimeout = "DD_IAST_REDACTION_REGEXP_TIMEOUT";
+            /// <seealso cref="IastSettings.RegexTimeout"/>
+            public const string RegexTimeout = "DD_IAST_REGEXP_TIMEOUT";
 
             /// <summary>
             /// Configuration key for IAST verbosity.

diff --git a/tracer/src/Datadog.Trace/Configuration/IntegrationId.cs b/tracer/src/Datadog.Trace/Configuration/IntegrationId.cs
@@ -66,6 +66,7 @@ internal enum IntegrationId
         AzureServiceBus,
         SystemRandom,
         AwsDynamoDb,
+        HardcodedSecret,
         // If you add an integration here, please don't forget to impact the allow / block list of telemetry config
         // In the telemetry repository. (and keep that comment at the bottom :))
     }

diff --git a/...rceGenerators/EnumExtensionsGenerator/IastInstrumentedSinksExtensions_EnumExtensions.g.cs b/...rceGenerators/EnumExtensionsGenerator/IastInstrumentedSinksExtensions_EnumExtensions.g.cs
@@ -17,7 +17,7 @@ internal static partial class IastInstrumentedSinksExtensions
     /// The number of members in the enum.
     /// This is a non-distinct count of defined names.
     /// </summary>
-    public const int Length = 13;
+    public const int Length = 14;
 
     /// <summary>
     /// Returns the string representation of the <see cref="Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks"/> value.
@@ -43,6 +43,7 @@ public static string ToStringFast(this Datadog.Trace.Telemetry.Metrics.MetricTag
             Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.NoHttpOnlyCookie => "vulnerability_type:no_httponly_cookie",
             Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.NoSameSiteCookie => "vulnerability_type:no_samesite_cookie",
             Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.WeakRandomness => "vulnerability_type:weak_randomness",
+            Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.HardcodedSecret => "vulnerability_type:hardcoded_secret",
             _ => value.ToString(),
         };
 
@@ -69,6 +70,7 @@ public static Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks[]
             Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.NoHttpOnlyCookie,
             Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.NoSameSiteCookie,
             Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.WeakRandomness,
+            Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.HardcodedSecret,
         };
 
     /// <summary>
@@ -95,6 +97,7 @@ public static string[] GetNames()
             nameof(Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.NoHttpOnlyCookie),
             nameof(Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.NoSameSiteCookie),
             nameof(Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.WeakRandomness),
+            nameof(Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.HardcodedSecret),
         };
 
     /// <summary>
@@ -121,5 +124,6 @@ public static string[] GetDescriptions()
             "vulnerability_type:no_httponly_cookie",
             "vulnerability_type:no_samesite_cookie",
             "vulnerability_type:weak_randomness",
+            "vulnerability_type:hardcoded_secret",
         };
 }
diff --git a/...race.SourceGenerators/EnumExtensionsGenerator/IntegrationIdExtensions_EnumExtensions.g.cs b/...race.SourceGenerators/EnumExtensionsGenerator/IntegrationIdExtensions_EnumExtensions.g.cs
@@ -17,7 +17,7 @@ internal static partial class IntegrationIdExtensions
     /// The number of members in the enum.
     /// This is a non-distinct count of defined names.
     /// </summary>
-    public const int Length = 54;
+    public const int Length = 55;
 
     /// <summary>
     /// Returns the string representation of the <see cref="Datadog.Trace.Configuration.IntegrationId"/> value.
@@ -84,6 +84,7 @@ public static string ToStringFast(this Datadog.Trace.Configuration.IntegrationId
             Datadog.Trace.Configuration.IntegrationId.AzureServiceBus => nameof(Datadog.Trace.Configuration.IntegrationId.AzureServiceBus),
             Datadog.Trace.Configuration.IntegrationId.SystemRandom => nameof(Datadog.Trace.Configuration.IntegrationId.SystemRandom),
             Datadog.Trace.Configuration.IntegrationId.AwsDynamoDb => nameof(Datadog.Trace.Configuration.IntegrationId.AwsDynamoDb),
+            Datadog.Trace.Configuration.IntegrationId.HardcodedSecret => nameof(Datadog.Trace.Configuration.IntegrationId.HardcodedSecret),
             _ => value.ToString(),
         };
 
@@ -151,6 +152,7 @@ public static Datadog.Trace.Configuration.IntegrationId[] GetValues()
             Datadog.Trace.Configuration.IntegrationId.AzureServiceBus,
             Datadog.Trace.Configuration.IntegrationId.SystemRandom,
             Datadog.Trace.Configuration.IntegrationId.AwsDynamoDb,
+            Datadog.Trace.Configuration.IntegrationId.HardcodedSecret,
         };
 
     /// <summary>
@@ -218,5 +220,6 @@ public static string[] GetNames()
             nameof(Datadog.Trace.Configuration.IntegrationId.AzureServiceBus),
             nameof(Datadog.Trace.Configuration.IntegrationId.SystemRandom),
             nameof(Datadog.Trace.Configuration.IntegrationId.AwsDynamoDb),
+            nameof(Datadog.Trace.Configuration.IntegrationId.HardcodedSecret),
         };
 }
diff --git a/...enerators/TelemetryMetricGenerator/CiVisibilityMetricsTelemetryCollector_CountShared.g.cs b/...enerators/TelemetryMetricGenerator/CiVisibilityMetricsTelemetryCollector_CountShared.g.cs
@@ -11,7 +11,7 @@
 namespace Datadog.Trace.Telemetry;
 internal partial class CiVisibilityMetricsTelemetryCollector
 {
-    private const int CountSharedLength = 177;
+    private const int CountSharedLength = 180;
 
     /// <summary>
     /// Creates the buffer for the <see cref="Datadog.Trace.Telemetry.Metrics.CountShared" /> values.
@@ -185,6 +185,9 @@ private static AggregatedMetric[] GetCountSharedBuffer()
             new(new[] { "integration_name:ldap", "error_type:duck_typing" }),
             new(new[] { "integration_name:ldap", "error_type:invoker" }),
             new(new[] { "integration_name:ldap", "error_type:execution" }),
+            new(new[] { "integration_name:hardcodedsecret", "error_type:duck_typing" }),
+            new(new[] { "integration_name:hardcodedsecret", "error_type:invoker" }),
+            new(new[] { "integration_name:hardcodedsecret", "error_type:execution" }),
             new(new[] { "integration_name:awskinesis", "error_type:duck_typing" }),
             new(new[] { "integration_name:awskinesis", "error_type:invoker" }),
             new(new[] { "integration_name:awskinesis", "error_type:execution" }),
@@ -205,7 +208,7 @@ private static AggregatedMetric[] GetCountSharedBuffer()
     /// It is equal to the cardinality of the tag combinations (or 1 if there are no tags)
     /// </summary>
     private static int[] CountSharedEntryCounts { get; }
-        = new int[]{ 177, };
+        = new int[]{ 180, };
 
     public void RecordCountSharedIntegrationsError(Datadog.Trace.Telemetry.Metrics.MetricTags.IntegrationName tag1, Datadog.Trace.Telemetry.Metrics.MetricTags.InstrumentationError tag2, int increment = 1)
     {