fix(iast): skip XSS check for freemarker built-in escaping expressions in 2.3.24 instrumentation

Author: jandro996

dd-java-agent/instrumentation/freemarker/freemarker-2.3.24/src/main/java/datadog/trace/instrumentation/freemarker24/DollarVariableDatadogAdvice.java

@@ -27,6 +27,9 @@ public static void onEnter(
         return;
       }
       String charSec = DollarVariable24Helper.fetchCharSec(self, environment);
+      if (charSec == null) {
+        return;
+      }
       final String templateName = environment.getMainTemplate().getName();
       final int line = DollarVariable24Helper.fetchBeginLine(self);
       xssModule.onXss(charSec, templateName, line);

dd-java-agent/instrumentation/freemarker/freemarker-2.3.24/src/main/java/freemarker/core/DollarVariable24Helper.java

@@ -12,6 +12,7 @@ private DollarVariable24Helper() {}
   private static final Logger log = LoggerFactory.getLogger(DollarVariable24Helper.class);
 
   private static final Field AUTO_ESCAPE = prepareAutoEscape();
+  private static final Field ESCAPED_EXPRESSION = prepareEscapedExpression();
 
   private static Field prepareAutoEscape() {
     Field autoEscape = null;
@@ -25,6 +26,17 @@ private static Field prepareAutoEscape() {
     return autoEscape;
   }
 
+  private static Field prepareEscapedExpression() {
+    try {
+      Field escapedExpression = DollarVariable.class.getDeclaredField("escapedExpression");
+      escapedExpression.setAccessible(true);
+      return escapedExpression;
+    } catch (Throwable e) {
+      log.debug("Failed to get DollarVariable escapedExpression", e);
+      return null;
+    }
+  }
+
   public static boolean fetchAutoEscape(Object dollarVariable) {
     if (AUTO_ESCAPE == null || !(dollarVariable instanceof DollarVariable)) {
       return true;
@@ -40,6 +52,15 @@ public static String fetchCharSec(Object object, Environment environment) {
     if (!(object instanceof DollarVariable)) {
       return null;
     }
+    if (ESCAPED_EXPRESSION != null) {
+      try {
+        if (ESCAPED_EXPRESSION.get(object) instanceof BuiltIn) {
+          return null;
+        }
+      } catch (IllegalAccessException e) {
+        throw new UndeclaredThrowableException(e);
+      }
+    }
     try {
       return (String) ((DollarVariable) object).calculateInterpolatedStringOrMarkup(environment);
     } catch (TemplateException e) {

dd-java-agent/instrumentation/freemarker/freemarker-2.3.24/src/test/groovy/datadog/trace/instrumentation/freemarker24/DollarVariableInstrumentationTest.groovy

@@ -35,4 +35,21 @@ class DollarVariableInstrumentationTest extends InstrumentationSpecification {
     stringExpression | expression
     "test"           | "test"
   }
+
+  void 'test freemarker process with built-in escaping does not report xss'() {
+    given:
+    final module = Mock(XssModule)
+    InstrumentationBridge.registerIastModule(module)
+
+    final Configuration cfg = new Configuration()
+    final Template template = new Template("test", new StringReader('test ${name?html}'), cfg)
+    final TemplateHashModel rootDataModel = new SimpleHash(cfg.getObjectWrapper())
+    rootDataModel.put("name", "<script>alert(1)</script>")
+
+    when:
+    template.process(rootDataModel, Mock(FileWriter))
+
+    then:
+    0 * module.onXss(_, _, _)
+  }
 }