Merge branch 'master' into alejandro.gonzalez/add-http-route-play-in-iast

Author: jandro996

.github/workflows/analyze-changes.yaml

@@ -109,7 +109,7 @@ jobs:
           ls -laR "./workspace/.trivy"
 
       - name: Run Trivy security scanner
-        uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.31.0
+        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
         with:
           scan-type: rootfs
           scan-ref: './workspace/.trivy/'

.gitignore

@@ -68,3 +68,11 @@ replay_pid*
 benchmark/reports
 benchmark/tracer
 benchmark/dacapo/scratch
+
+# JDK provisioning tools #
+# mise
+mise*.local.toml
+.mise*.local.toml
+.config/mise*.toml
+# asdf
+.tool-versions

dd-java-agent/agent-bootstrap/src/jmh/java/datadog/trace/bootstrap/instrumentation/buffer/InjectingPipeOutputStreamBenchmark.java

@@ -0,0 +1,65 @@
+package datadog.trace.bootstrap.instrumentation.buffer;
+
+import static java.util.concurrent.TimeUnit.MICROSECONDS;
+import static java.util.concurrent.TimeUnit.SECONDS;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.PrintWriter;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import java.util.List;
+import org.apache.commons.io.IOUtils;
+import org.openjdk.jmh.annotations.Benchmark;
+import org.openjdk.jmh.annotations.BenchmarkMode;
+import org.openjdk.jmh.annotations.Fork;
+import org.openjdk.jmh.annotations.Measurement;
+import org.openjdk.jmh.annotations.Mode;
+import org.openjdk.jmh.annotations.OutputTimeUnit;
+import org.openjdk.jmh.annotations.Scope;
+import org.openjdk.jmh.annotations.State;
+import org.openjdk.jmh.annotations.Warmup;
+
+/*
+ * Benchmark                                       Mode  Cnt   Score   Error  Units
+ * InjectingPipeOutputStreamBenchmark.withPipe     avgt    2  15.515          us/op
+ * InjectingPipeOutputStreamBenchmark.withoutPipe  avgt    2  12.861          us/op
+ */
+@State(Scope.Benchmark)
+@Warmup(iterations = 1, time = 30, timeUnit = SECONDS)
+@Measurement(iterations = 2, time = 30, timeUnit = SECONDS)
+@BenchmarkMode(Mode.AverageTime)
+@OutputTimeUnit(MICROSECONDS)
+@Fork(value = 1)
+public class InjectingPipeOutputStreamBenchmark {
+  private static final List<String> htmlContent;
+  private static final byte[] marker;
+  private static final byte[] content;
+
+  static {
+    try (InputStream is = new URL("https://www.google.com").openStream()) {
+      htmlContent = IOUtils.readLines(is, StandardCharsets.UTF_8);
+    } catch (IOException ioe) {
+      throw new RuntimeException(ioe);
+    }
+    marker = "</head>".getBytes(StandardCharsets.UTF_8);
+    content = "<script/>".getBytes(StandardCharsets.UTF_8);
+  }
+
+  @Benchmark
+  public void withPipe() throws Exception {
+    try (final PrintWriter out =
+        new PrintWriter(
+            new InjectingPipeOutputStream(new ByteArrayOutputStream(), marker, content, null))) {
+      htmlContent.forEach(out::println);
+    }
+  }
+
+  @Benchmark
+  public void withoutPipe() throws Exception {
+    try (final PrintWriter out = new PrintWriter(new ByteArrayOutputStream())) {
+      htmlContent.forEach(out::println);
+    }
+  }
+}

dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/buffer/InjectingPipeOutputStream.java

@@ -0,0 +1,153 @@
+package datadog.trace.bootstrap.instrumentation.buffer;
+
+import java.io.FilterOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+
+/**
+ * A circular buffer with a lookbehind buffer of n bytes. The first time that the latest n bytes
+ * matches the marker, a content is injected before.
+ */
+public class InjectingPipeOutputStream extends FilterOutputStream {
+  private final byte[] lookbehind;
+  private int pos;
+  private boolean bufferFilled;
+  private final byte[] marker;
+  private final byte[] contentToInject;
+  private boolean found = false;
+  private int matchingPos = 0;
+  private final Runnable onContentInjected;
+  private final int bulkWriteThreshold;
+
+  /**
+   * @param downstream the delegate output stream
+   * @param marker the marker to find in the stream
+   * @param contentToInject the content to inject once before the marker if found.
+   * @param onContentInjected callback called when and if the content is injected.
+   */
+  public InjectingPipeOutputStream(
+      final OutputStream downstream,
+      final byte[] marker,
+      final byte[] contentToInject,
+      final Runnable onContentInjected) {
+    super(downstream);
+    this.marker = marker;
+    this.lookbehind = new byte[marker.length];
+    this.pos = 0;
+    this.contentToInject = contentToInject;
+    this.onContentInjected = onContentInjected;
+    this.bulkWriteThreshold = marker.length * 2 - 2;
+  }
+
+  @Override
+  public void write(int b) throws IOException {
+    if (found) {
+      out.write(b);
+      return;
+    }
+
+    if (bufferFilled) {
+      out.write(lookbehind[pos]);
+    }
+
+    lookbehind[pos] = (byte) b;
+    pos = (pos + 1) % lookbehind.length;
+
+    if (!bufferFilled) {
+      bufferFilled = pos == 0;
+    }
+
+    if (marker[matchingPos++] == b) {
+      if (matchingPos == marker.length) {
+        found = true;
+        out.write(contentToInject);
+        if (onContentInjected != null) {
+          onContentInjected.run();
+        }
+        drain();
+      }
+    } else {
+      matchingPos = 0;
+    }
+  }
+
+  @Override
+  public void write(byte[] b, int off, int len) throws IOException {
+    if (found) {
+      out.write(b, off, len);
+      return;
+    }
+    if (len > bulkWriteThreshold) {
+      // if the content is large enough, we can bulk write everything but the N trail and tail.
+      // This because the buffer can already contain some byte from a previous single write.
+      // Also we need to fill the buffer with the tail since we don't know about the next write.
+      int idx = arrayContains(b, marker);
+      if (idx >= 0) {
+        // we have a full match. just write everything
+        found = true;
+        drain();
+        out.write(b, off, idx);
+        out.write(contentToInject);
+        if (onContentInjected != null) {
+          onContentInjected.run();
+        }
+        out.write(b, off + idx, len - idx);
+      } else {
+        // we don't have a full match. write everything in a bulk except the lookbehind buffer
+        // sequentially
+        for (int i = off; i < off + marker.length - 1; i++) {
+          write(b[i]);
+        }
+        drain();
+        out.write(b, off + marker.length - 1, len - bulkWriteThreshold);
+        for (int i = len - marker.length + 1; i < len; i++) {
+          write(b[i]);
+        }
+      }
+    } else {
+      // use slow path because the length to write is small and within the lookbehind buffer size
+      super.write(b, off, len);
+    }
+  }
+
+  private int arrayContains(byte[] array, byte[] search) {
+    for (int i = 0; i < array.length - search.length; i++) {
+      if (array[i] == search[0]) {
+        boolean found = true;
+        int k = i;
+        for (int j = 1; j < search.length; j++) {
+          k++;
+          if (array[k] != search[j]) {
+            found = false;
+            break;
+          }
+        }
+        if (found) {
+          return i;
+        }
+      }
+    }
+    return -1;
+  }
+
+  private void drain() throws IOException {
+    if (bufferFilled) {
+      for (int i = 0; i < lookbehind.length; i++) {
+        out.write(lookbehind[(pos + i) % lookbehind.length]);
+      }
+    } else {
+      out.write(this.lookbehind, 0, pos);
+    }
+    pos = 0;
+    matchingPos = 0;
+    bufferFilled = false;
+  }
+
+  @Override
+  public void close() throws IOException {
+    if (!found) {
+      drain();
+    }
+    super.close();
+  }
+}

dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/HttpServerDecorator.java

@@ -57,6 +57,7 @@ public abstract class HttpServerDecorator<REQUEST, CONNECTION, RESPONSE, REQUEST
 
   public static final String DD_SPAN_ATTRIBUTE = "datadog.span";
   public static final String DD_DISPATCH_SPAN_ATTRIBUTE = "datadog.span.dispatch";
+  public static final String DD_RUM_INJECTED = "datadog.rum.injected";
   public static final String DD_FIN_DISP_LIST_SPAN_ATTRIBUTE =
       "datadog.span.finish_dispatch_listener";
   public static final String DD_RESPONSE_ATTRIBUTE = "datadog.response";

dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/buffer/InjectingPipeOutputStreamTest.groovy

@@ -0,0 +1,41 @@
+package datadog.trace.bootstrap.instrumentation.buffer
+
+import datadog.trace.test.util.DDSpecification
+
+class InjectingPipeOutputStreamTest extends DDSpecification {
+
+  static class ExceptionControlledOutputStream extends FilterOutputStream {
+
+    boolean failWrite = false
+
+    ExceptionControlledOutputStream(OutputStream out) {
+      super(out)
+    }
+
+    @Override
+    void write(int b) throws IOException {
+      if (failWrite) {
+        throw new IOException("Failed")
+      }
+      super.write(b)
+    }
+  }
+
+  def 'should filter a buffer and inject if found #found'() {
+    setup:
+    def downstream = new ByteArrayOutputStream()
+    def piped = new OutputStreamWriter(new InjectingPipeOutputStream(downstream, marker.getBytes("UTF-8"), contentToInject.getBytes("UTF-8"), null),
+    "UTF-8")
+    when:
+    try (def closeme = piped) {
+      piped.write(body)
+    }
+    then:
+    assert downstream.toByteArray() == expected.getBytes("UTF-8")
+    where:
+    body                                      | marker            | contentToInject         | found | expected
+    "<html><head><foo/></head><body/></html>" | "</head>"         | "<script>true</script>" | true  | "<html><head><foo/><script>true</script></head><body/></html>"
+    "<html><body/></html>"                    | "</head>"         | "<something/>"          | false | "<html><body/></html>"
+    "<foo/>"                                  | "<longerThanFoo>" | "<nothing>"             | false | "<foo/>"
+  }
+}

dd-java-agent/agent-debugger/src/main/java/com/datadog/debugger/agent/ClassesToRetransformFinder.java

@@ -111,4 +111,8 @@ private static boolean lookupClass(Trie changedClasses, Class<?> clazz) {
     String simpleName = extractSimpleName(clazz);
     return changedClasses.contains(reverseStr(simpleName));
   }
+
+  ConcurrentMap<String, String> getClassNamesBySourceFile() {
+    return classNamesBySourceFile;
+  }
 }

dd-java-agent/agent-debugger/src/main/java/com/datadog/debugger/agent/DebuggerAgent.java

@@ -324,6 +324,10 @@ private static String getDiagnosticEndpoint(
 
   private static void setupSourceFileTracking(
       Instrumentation instrumentation, ClassesToRetransformFinder finder) {
+    if (!Config.get().isDebuggerSourceFileTrackingEnabled()) {
+      LOGGER.debug("Source file tracking is disabled");
+      return;
+    }
     SourceFileTrackingTransformer sourceFileTrackingTransformer =
         new SourceFileTrackingTransformer(finder);
     sourceFileTrackingTransformer.start();

dd-java-agent/agent-debugger/src/main/java/com/datadog/debugger/agent/SourceFileTrackingTransformer.java

@@ -75,6 +75,9 @@ private void registerSourceFile(String className, byte[] classfileBuffer) {
     if (sourceFile == null) {
       return;
     }
+    if (!isExtensionAllowed(sourceFile)) {
+      return;
+    }
     String simpleClassName = stripPackagePath(className);
     String simpleSourceFile = removeExtension(sourceFile);
     if (simpleClassName.equals(simpleSourceFile)) {
@@ -83,6 +86,13 @@ private void registerSourceFile(String className, byte[] classfileBuffer) {
     finder.register(sourceFile, className);
   }
 
+  private boolean isExtensionAllowed(String sourceFile) {
+    return sourceFile.endsWith(".java")
+        || sourceFile.endsWith(".kt")
+        || sourceFile.endsWith(".scala")
+        || sourceFile.endsWith(".groovy");
+  }
+
   private static class SourceFileItem {
     final String className;
     final byte[] classfileBuffer;

dd-java-agent/agent-debugger/src/test/java/com/datadog/debugger/agent/SourceFileTrackingTransformerTest.java

@@ -79,6 +79,38 @@ void transformInner() throws IllegalClassFormatException {
     assertEquals(InnerHelper.MySecondInner.class, changedClasses.get(2));
   }
 
+  @Test
+  void transformNotAllowed() throws IllegalClassFormatException {
+    ClassesToRetransformFinder finder = new ClassesToRetransformFinder();
+    SourceFileTrackingTransformer sourceFileTrackingTransformer =
+        new SourceFileTrackingTransformer(finder);
+    ConfigurationComparer comparer = createComparer("TopLevelHelper.java");
+    byte[] classFileBytes = getClassFileBytes(TopLevelHelper.class);
+    replaceInByteArray(
+        classFileBytes, "TopLevelHelper.java".getBytes(), "TopLevelHelper.cloj".getBytes());
+    sourceFileTrackingTransformer.transform(null, "", null, null, classFileBytes);
+    sourceFileTrackingTransformer.flush();
+    List<Class<?>> changedClasses =
+        finder.getAllLoadedChangedClasses(new Class[] {InnerHelper.class}, comparer);
+    assertEquals(0, finder.getClassNamesBySourceFile().size());
+  }
+
+  private static void replaceInByteArray(byte[] buffer, byte[] oldBytes, byte[] newBytes) {
+    int oldIdx = 0;
+    for (int i = 0; i < buffer.length; i++) {
+      if (buffer[i] == oldBytes[oldIdx]) {
+        oldIdx++;
+        if (oldIdx == oldBytes.length) {
+          // Found the oldBytes, replace with newBytes
+          System.arraycopy(newBytes, 0, buffer, i - oldIdx + 1, newBytes.length);
+          oldIdx = 0; // Reset for next search
+        }
+      } else {
+        oldIdx = 0; // Reset if current byte does not match
+      }
+    }
+  }
+
   private ConfigurationComparer createComparer(String sourceFile) {
     Configuration emptyConfig = Configuration.builder().setService("service-name").build();
     Configuration newConfig =