Prevent before callsites targeting constructors

manuel-alvarez-alvarez · manuel-alvarez-alvarez · commit 6923877a4681 · 2025-03-13T11:22:26.000+01:00
diff --git a/buildSrc/call-site-instrumentation-plugin/src/main/java/datadog/trace/plugin/csi/impl/CallSiteSpecification.java b/buildSrc/call-site-instrumentation-plugin/src/main/java/datadog/trace/plugin/csi/impl/CallSiteSpecification.java
@@ -513,8 +513,8 @@ protected void validateAdvice(@Nonnull final ValidationContext context) {
       if (findReturn() != null) {
         context.addError(ErrorCode.ADVICE_BEFORE_SHOULD_NOT_CONTAIN_RETURN);
       }
-      if (pointcut.isConstructor() && includeThis()) {
-        context.addError(ErrorCode.ADVICE_BEFORE_CTOR_SHOULD_NOT_CONTAIN_THIS);
+      if (pointcut.isConstructor()) {
+        context.addError(ErrorCode.ADVICE_BEFORE_CTOR);
       }
       super.validateAdvice(context);
     }
diff --git a/buildSrc/call-site-instrumentation-plugin/src/main/java/datadog/trace/plugin/csi/util/ErrorCode.java b/buildSrc/call-site-instrumentation-plugin/src/main/java/datadog/trace/plugin/csi/util/ErrorCode.java
@@ -317,10 +317,10 @@ public String apply(final Object[] objects) {
     }
   },
 
-  ADVICE_BEFORE_CTOR_SHOULD_NOT_CONTAIN_THIS {
+  ADVICE_BEFORE_CTOR {
     @Override
     public String apply(final Object[] objects) {
-      return "Before advice should not contain @This annotated parameters in constructors";
+      return "Before advice should not be used in constructors";
     }
   },
 
diff --git a/buildSrc/call-site-instrumentation-plugin/src/test/groovy/datadog/trace/plugin/csi/impl/AdviceSpecificationTest.groovy b/buildSrc/call-site-instrumentation-plugin/src/test/groovy/datadog/trace/plugin/csi/impl/AdviceSpecificationTest.groovy
@@ -564,4 +564,23 @@ class AdviceSpecificationTest extends BaseCsiPluginTest {
     1 * context.addError(ErrorCode.ADVICE_AFTER_VOID_METHOD_SHOULD_RETURN_VOID, _)
     1 * context.addError(ErrorCode.ADVICE_AFTER_VOID_METHOD_SHOULD_NOT_HAVE_RETURN, _)
   }
+
+  @CallSite(spi = CallSites)
+  class BeforeWithConstructor {
+    @CallSite.Before("void java.io.File.<init>(java.lang.String)")
+    static void before(@CallSite.Argument final String path) {
+    }
+  }
+
+  void 'test before advice with constructor'() {
+    setup:
+    final context = mockValidationContext()
+    final spec = buildClassSpecification(BeforeWithConstructor)
+
+    when:
+    spec.advices.each { it.validate(context) }
+
+    then:
+    1 * context.addError(ErrorCode.ADVICE_BEFORE_CTOR, _)
+  }
 }
diff --git a/dd-java-agent/instrumentation/java-io/src/main/java/datadog/trace/instrumentation/java/lang/FileCallSite.java b/dd-java-agent/instrumentation/java-io/src/main/java/datadog/trace/instrumentation/java/lang/FileCallSite.java
@@ -9,51 +9,57 @@
 import datadog.trace.api.iast.sink.PathTraversalModule;
 import java.io.File;
 import java.net.URI;
-import javax.annotation.Nullable;
 
 @Sink(VulnerabilityTypes.PATH_TRAVERSAL)
 @CallSite(
     spi = {IastCallSites.class, RaspCallSites.class},
     helpers = FileLoadedRaspHelper.class)
 public class FileCallSite {
 
-  @CallSite.Before("void java.io.File.<init>(java.lang.String)")
-  public static void beforeConstructor(@CallSite.Argument @Nullable final String path) {
-    if (path != null) { // new File(null) throws NPE
+  @CallSite.After("void java.io.File.<init>(java.lang.String)")
+  public static File afterConstructorString(
+      @CallSite.AllArguments final Object[] args, @CallSite.Return final File result) {
+    if (args.length > 0) { // new File(null) throws NPE
+      final String path = (String) args[0];
       iastCallback(path);
       raspCallback(path);
     }
+    return result;
   }
 
-  @CallSite.Before("void java.io.File.<init>(java.lang.String, java.lang.String)")
-  public static void beforeConstructor(
-      @CallSite.Argument @Nullable final String parent,
-      @CallSite.Argument @Nullable final String child) {
-    if (child != null) { // new File("abc", null) throws NPE
-      final PathTraversalModule module = InstrumentationBridge.PATH_TRAVERSAL;
+  @CallSite.After("void java.io.File.<init>(java.lang.String, java.lang.String)")
+  public static File afterConstructorStringString(
+      @CallSite.AllArguments final Object[] args, @CallSite.Return final File result) {
+    if (args.length > 1 && args[1] != null) { // new File("abc", null) throws NPE
+      final String parent = (String) args[0];
+      final String child = (String) args[1];
       iastCallback(parent, child);
       raspCallback(parent, child);
     }
+    return result;
   }
 
-  @CallSite.Before("void java.io.File.<init>(java.io.File, java.lang.String)")
-  public static void beforeConstructor(
-      @CallSite.Argument @Nullable final File parent,
-      @CallSite.Argument @Nullable final String child) {
-    if (child != null) { // new File(parent, null) throws NPE
-      final PathTraversalModule module = InstrumentationBridge.PATH_TRAVERSAL;
+  @CallSite.After("void java.io.File.<init>(java.io.File, java.lang.String)")
+  public static File afterConstructorFileString(
+      @CallSite.AllArguments final Object[] args, @CallSite.Return final File result) {
+    if (args.length > 1 && args[1] != null) { // new File(parent, null) throws NPE
+      final File parent = (File) args[0];
+      final String child = (String) args[1];
       iastCallback(parent, child);
       raspCallback(parent, child);
     }
+    return result;
   }
 
-  @CallSite.Before("void java.io.File.<init>(java.net.URI)")
-  public static void beforeConstructor(@CallSite.Argument @Nullable final URI uri) {
-    if (uri != null) {
-      final PathTraversalModule module = InstrumentationBridge.PATH_TRAVERSAL;
+  @CallSite.After("void java.io.File.<init>(java.net.URI)")
+  public static File afterConstructorUri(
+      @CallSite.AllArguments final Object[] args, @CallSite.Return final File result) {
+    if (args.length > 0 && args[0] != null) {
+      final URI uri = (URI) args[0];
       iastCallback(uri);
       raspCallback(uri);
     }
+    return result;
   }
 
   private static void iastCallback(String path) {
@@ -62,7 +68,7 @@ private static void iastCallback(String path) {
       try {
         module.onPathTraversal(path);
       } catch (final Throwable e) {
-        module.onUnexpectedException("beforeConstructor threw", e);
+        module.onUnexpectedException("afterConstructor threw", e);
       }
     }
   }
@@ -73,7 +79,7 @@ private static void iastCallback(File parent, String child) {
       try {
         module.onPathTraversal(parent, child);
       } catch (final Throwable e) {
-        module.onUnexpectedException("beforeConstructor threw", e);
+        module.onUnexpectedException("afterConstructor threw", e);
       }
     }
   }
@@ -84,7 +90,7 @@ private static void iastCallback(String parent, String child) {
       try {
         module.onPathTraversal(parent, child);
       } catch (final Throwable e) {
-        module.onUnexpectedException("beforeConstructor threw", e);
+        module.onUnexpectedException("afterConstructor threw", e);
       }
     }
   }
@@ -95,7 +101,7 @@ private static void iastCallback(URI uri) {
       try {
         module.onPathTraversal(uri);
       } catch (final Throwable e) {
-        module.onUnexpectedException("beforeConstructor threw", e);
+        module.onUnexpectedException("afterConstructor threw", e);
       }
     }
   }
diff --git a/dd-java-agent/instrumentation/java-io/src/main/java/datadog/trace/instrumentation/java/lang/FileInputStreamCallSite.java b/dd-java-agent/instrumentation/java-io/src/main/java/datadog/trace/instrumentation/java/lang/FileInputStreamCallSite.java
@@ -7,20 +7,23 @@
 import datadog.trace.api.iast.Sink;
 import datadog.trace.api.iast.VulnerabilityTypes;
 import datadog.trace.api.iast.sink.PathTraversalModule;
-import javax.annotation.Nullable;
+import java.io.FileInputStream;
 
 @Sink(VulnerabilityTypes.PATH_TRAVERSAL)
 @CallSite(
     spi = {IastCallSites.class, RaspCallSites.class},
     helpers = FileLoadedRaspHelper.class)
 public class FileInputStreamCallSite {
 
-  @CallSite.Before("void java.io.FileInputStream.<init>(java.lang.String)")
-  public static void beforeConstructor(@CallSite.Argument @Nullable final String path) {
-    if (path != null) {
+  @CallSite.After("void java.io.FileInputStream.<init>(java.lang.String)")
+  public static FileInputStream afterConstructor(
+      @CallSite.AllArguments final Object[] args, @CallSite.Return final FileInputStream result) {
+    if (args.length > 0 && args[0] != null) {
+      final String path = (String) args[0];
       iastCallback(path);
       raspCallback(path);
     }
+    return result;
   }
 
   private static void iastCallback(String path) {
@@ -29,7 +32,7 @@ private static void iastCallback(String path) {
       try {
         module.onPathTraversal(path);
       } catch (final Throwable e) {
-        module.onUnexpectedException("beforeConstructor threw", e);
+        module.onUnexpectedException("afterConstructor threw", e);
       }
     }
   }
diff --git a/dd-java-agent/instrumentation/java-io/src/main/java/datadog/trace/instrumentation/java/lang/FileOutputStreamCallSite.java b/dd-java-agent/instrumentation/java-io/src/main/java/datadog/trace/instrumentation/java/lang/FileOutputStreamCallSite.java
@@ -7,21 +7,24 @@
 import datadog.trace.api.iast.Sink;
 import datadog.trace.api.iast.VulnerabilityTypes;
 import datadog.trace.api.iast.sink.PathTraversalModule;
-import javax.annotation.Nullable;
+import java.io.FileOutputStream;
 
 @Sink(VulnerabilityTypes.PATH_TRAVERSAL)
 @CallSite(
     spi = {IastCallSites.class, RaspCallSites.class},
     helpers = FileLoadedRaspHelper.class)
 public class FileOutputStreamCallSite {
 
-  @CallSite.Before("void java.io.FileOutputStream.<init>(java.lang.String)")
-  @CallSite.Before("void java.io.FileOutputStream.<init>(java.lang.String, boolean)")
-  public static void beforeConstructor(@CallSite.Argument(0) @Nullable final String path) {
-    if (path != null) {
+  @CallSite.After("void java.io.FileOutputStream.<init>(java.lang.String)")
+  @CallSite.After("void java.io.FileOutputStream.<init>(java.lang.String, boolean)")
+  public static FileOutputStream afterConstructor(
+      @CallSite.AllArguments final Object[] args, @CallSite.Return final FileOutputStream result) {
+    if (args.length > 0 && args[0] != null) {
+      final String path = (String) args[0];
       iastCallback(path);
       raspCallback(path);
     }
+    return result;
   }
 
   private static void iastCallback(String path) {
@@ -30,7 +33,7 @@ private static void iastCallback(String path) {
       try {
         module.onPathTraversal(path);
       } catch (final Throwable e) {
-        module.onUnexpectedException("beforeConstructor threw", e);
+        module.onUnexpectedException("afterConstructor threw", e);
       }
     }
   }
diff --git a/dd-java-agent/instrumentation/java-io/src/main/java/datadog/trace/instrumentation/java/lang/ObjectInputStreamCallSite.java b/dd-java-agent/instrumentation/java-io/src/main/java/datadog/trace/instrumentation/java/lang/ObjectInputStreamCallSite.java
@@ -7,21 +7,25 @@
 import datadog.trace.api.iast.VulnerabilityTypes;
 import datadog.trace.api.iast.sink.UntrustedDeserializationModule;
 import java.io.InputStream;
+import java.io.ObjectInputStream;
 
 @Sink(VulnerabilityTypes.UNTRUSTED_DESERIALIZATION)
 @CallSite(spi = IastCallSites.class)
 public class ObjectInputStreamCallSite {
 
-  @CallSite.Before("void java.io.ObjectInputStream.<init>(java.io.InputStream)")
-  public static void beforeConstructorUntrusted(@CallSite.Argument(0) final InputStream is) {
+  @CallSite.After("void java.io.ObjectInputStream.<init>(java.io.InputStream)")
+  public static ObjectInputStream afterConstructorUntrusted(
+      @CallSite.AllArguments final Object[] args, @CallSite.Return final ObjectInputStream result) {
     final UntrustedDeserializationModule module = InstrumentationBridge.UNTRUSTED_DESERIALIZATION;
 
-    if (module != null) {
+    if (module != null && args.length > 0 && args[0] != null) {
       try {
+        final InputStream is = (InputStream) args[0];
         module.onObject(is);
       } catch (Throwable e) {
-        module.onUnexpectedException("before constructor untrusted threw", e);
+        module.onUnexpectedException("after constructor untrusted threw", e);
       }
     }
+    return result;
   }
 }
diff --git a/dd-java-agent/instrumentation/java-io/src/test/groovy/datadog/trace/instrumentation/java/io/ObjectInputStreamCallSiteTest.groovy b/dd-java-agent/instrumentation/java-io/src/test/groovy/datadog/trace/instrumentation/java/io/ObjectInputStreamCallSiteTest.groovy
@@ -4,6 +4,7 @@ import datadog.trace.agent.test.AgentTestRunner
 import datadog.trace.api.iast.InstrumentationBridge
 import datadog.trace.api.iast.sink.UntrustedDeserializationModule
 import foo.bar.TestObjectInputStreamSuite
+import foo.bar.TestCustomObjectInputStream
 
 class ObjectInputStreamCallSiteTest extends AgentTestRunner {
 
@@ -17,12 +18,28 @@ class ObjectInputStreamCallSiteTest extends AgentTestRunner {
     final module = Mock(UntrustedDeserializationModule)
     InstrumentationBridge.registerIastModule(module)
 
-    final InputStream inputStream = new ByteArrayInputStream(new byte[0])
-
     when:
-    TestObjectInputStreamSuite.init(inputStream)
+    TestObjectInputStreamSuite.init(inputStream())
 
     then:
     1 * module.onObject(_)
   }
+
+  void 'test super call to ObjectInputStream.<init>'() {
+    given:
+    final iastModule = Mock(UntrustedDeserializationModule)
+    InstrumentationBridge.registerIastModule(iastModule)
+
+    when:
+    new TestCustomObjectInputStream(inputStream())
+
+    then:
+    1 * iastModule.onObject(_)
+  }
+
+  private static InputStream inputStream() {
+    final baos = new ByteArrayOutputStream()
+    new ObjectOutputStream(baos).writeObject([:])
+    return new ByteArrayInputStream(baos.toByteArray())
+  }
 }
diff --git a/dd-java-agent/instrumentation/java-io/src/test/java/foo/bar/TestCustomObjectInputStream.java b/dd-java-agent/instrumentation/java-io/src/test/java/foo/bar/TestCustomObjectInputStream.java
@@ -0,0 +1,12 @@
+package foo.bar;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectInputStream;
+
+public class TestCustomObjectInputStream extends ObjectInputStream {
+
+  public TestCustomObjectInputStream(final InputStream in) throws IOException {
+    super(in);
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -513,8 +513,8 @@ protected void validateAdvice(@Nonnull final ValidationContext context) {`
`513`	`513`	`if (findReturn() != null) {`
`514`	`514`	`context.addError(ErrorCode.ADVICE_BEFORE_SHOULD_NOT_CONTAIN_RETURN);`
`515`	`515`	`}`
`516`		`- if (pointcut.isConstructor() && includeThis()) {`
`517`		`- context.addError(ErrorCode.ADVICE_BEFORE_CTOR_SHOULD_NOT_CONTAIN_THIS);`
	`516`	`+ if (pointcut.isConstructor()) {`
	`517`	`+ context.addError(ErrorCode.ADVICE_BEFORE_CTOR);`
`518`	`518`	`}`
`519`	`519`	`super.validateAdvice(context);`
`520`	`520`	`}`
Original file line number	Diff line number	Diff line change
`@@ -317,10 +317,10 @@ public String apply(final Object[] objects) {`
`317`	`317`	`}`
`318`	`318`	`},`
`319`	`319`
`320`		`- ADVICE_BEFORE_CTOR_SHOULD_NOT_CONTAIN_THIS {`
	`320`	`+ ADVICE_BEFORE_CTOR {`
`321`	`321`	`@Override`
`322`	`322`	`public String apply(final Object[] objects) {`
`323`		`- return "Before advice should not contain @This annotated parameters in constructors";`
	`323`	`+ return "Before advice should not be used in constructors";`
`324`	`324`	`}`
`325`	`325`	`},`
`326`	`326`
Original file line number	Diff line number	Diff line change
`@@ -9,51 +9,57 @@`
`9`	`9`	`import datadog.trace.api.iast.sink.PathTraversalModule;`
`10`	`10`	`import java.io.File;`
`11`	`11`	`import java.net.URI;`
`12`		`-import javax.annotation.Nullable;`
`13`	`12`
`14`	`13`	`@Sink(VulnerabilityTypes.PATH_TRAVERSAL)`
`15`	`14`	`@CallSite(`
`16`	`15`	`spi = {IastCallSites.class, RaspCallSites.class},`
`17`	`16`	`helpers = FileLoadedRaspHelper.class)`
`18`	`17`	`public class FileCallSite {`
`19`	`18`
`20`		`- @CallSite.Before("void java.io.File.<init>(java.lang.String)")`
`21`		`- public static void beforeConstructor(@CallSite.Argument @Nullable final String path) {`
`22`		`- if (path != null) { // new File(null) throws NPE`
	`19`	`+ @CallSite.After("void java.io.File.<init>(java.lang.String)")`
	`20`	`+ public static File afterConstructorString(`
	`21`	`+ @CallSite.AllArguments final Object[] args, @CallSite.Return final File result) {`
	`22`	`+ if (args.length > 0) { // new File(null) throws NPE`
	`23`	`+ final String path = (String) args[0];`
`23`	`24`	`iastCallback(path);`
`24`	`25`	`raspCallback(path);`
`25`	`26`	`}`
	`27`	`+ return result;`
`26`	`28`	`}`
`27`	`29`
`28`		`- @CallSite.Before("void java.io.File.<init>(java.lang.String, java.lang.String)")`
`29`		`- public static void beforeConstructor(`
`30`		`- @CallSite.Argument @Nullable final String parent,`
`31`		`- @CallSite.Argument @Nullable final String child) {`
`32`		`- if (child != null) { // new File("abc", null) throws NPE`
`33`		`- final PathTraversalModule module = InstrumentationBridge.PATH_TRAVERSAL;`
	`30`	`+ @CallSite.After("void java.io.File.<init>(java.lang.String, java.lang.String)")`
	`31`	`+ public static File afterConstructorStringString(`
	`32`	`+ @CallSite.AllArguments final Object[] args, @CallSite.Return final File result) {`
	`33`	`+ if (args.length > 1 && args[1] != null) { // new File("abc", null) throws NPE`
	`34`	`+ final String parent = (String) args[0];`
	`35`	`+ final String child = (String) args[1];`
`34`	`36`	`iastCallback(parent, child);`
`35`	`37`	`raspCallback(parent, child);`
`36`	`38`	`}`
	`39`	`+ return result;`
`37`	`40`	`}`
`38`	`41`
`39`		`- @CallSite.Before("void java.io.File.<init>(java.io.File, java.lang.String)")`
`40`		`- public static void beforeConstructor(`
`41`		`- @CallSite.Argument @Nullable final File parent,`
`42`		`- @CallSite.Argument @Nullable final String child) {`
`43`		`- if (child != null) { // new File(parent, null) throws NPE`
`44`		`- final PathTraversalModule module = InstrumentationBridge.PATH_TRAVERSAL;`
	`42`	`+ @CallSite.After("void java.io.File.<init>(java.io.File, java.lang.String)")`
	`43`	`+ public static File afterConstructorFileString(`
	`44`	`+ @CallSite.AllArguments final Object[] args, @CallSite.Return final File result) {`
	`45`	`+ if (args.length > 1 && args[1] != null) { // new File(parent, null) throws NPE`
	`46`	`+ final File parent = (File) args[0];`
	`47`	`+ final String child = (String) args[1];`
`45`	`48`	`iastCallback(parent, child);`
`46`	`49`	`raspCallback(parent, child);`
`47`	`50`	`}`
	`51`	`+ return result;`
`48`	`52`	`}`
`49`	`53`
`50`		`- @CallSite.Before("void java.io.File.<init>(java.net.URI)")`
`51`		`- public static void beforeConstructor(@CallSite.Argument @Nullable final URI uri) {`
`52`		`- if (uri != null) {`
`53`		`- final PathTraversalModule module = InstrumentationBridge.PATH_TRAVERSAL;`
	`54`	`+ @CallSite.After("void java.io.File.<init>(java.net.URI)")`
	`55`	`+ public static File afterConstructorUri(`
	`56`	`+ @CallSite.AllArguments final Object[] args, @CallSite.Return final File result) {`
	`57`	`+ if (args.length > 0 && args[0] != null) {`
	`58`	`+ final URI uri = (URI) args[0];`
`54`	`59`	`iastCallback(uri);`
`55`	`60`	`raspCallback(uri);`
`56`	`61`	`}`
	`62`	`+ return result;`
`57`	`63`	`}`
`58`	`64`
`59`	`65`	`private static void iastCallback(String path) {`
`@@ -62,7 +68,7 @@ private static void iastCallback(String path) {`
`62`	`68`	`try {`
`63`	`69`	`module.onPathTraversal(path);`
`64`	`70`	`} catch (final Throwable e) {`
`65`		`- module.onUnexpectedException("beforeConstructor threw", e);`
	`71`	`+ module.onUnexpectedException("afterConstructor threw", e);`
`66`	`72`	`}`
`67`	`73`	`}`
`68`	`74`	`}`
`@@ -73,7 +79,7 @@ private static void iastCallback(File parent, String child) {`
`73`	`79`	`try {`
`74`	`80`	`module.onPathTraversal(parent, child);`
`75`	`81`	`} catch (final Throwable e) {`
`76`		`- module.onUnexpectedException("beforeConstructor threw", e);`
	`82`	`+ module.onUnexpectedException("afterConstructor threw", e);`
`77`	`83`	`}`
`78`	`84`	`}`
`79`	`85`	`}`
`@@ -84,7 +90,7 @@ private static void iastCallback(String parent, String child) {`
`84`	`90`	`try {`
`85`	`91`	`module.onPathTraversal(parent, child);`
`86`	`92`	`} catch (final Throwable e) {`
`87`		`- module.onUnexpectedException("beforeConstructor threw", e);`
	`93`	`+ module.onUnexpectedException("afterConstructor threw", e);`
`88`	`94`	`}`
`89`	`95`	`}`
`90`	`96`	`}`
`@@ -95,7 +101,7 @@ private static void iastCallback(URI uri) {`
`95`	`101`	`try {`
`96`	`102`	`module.onPathTraversal(uri);`
`97`	`103`	`} catch (final Throwable e) {`
`98`		`- module.onUnexpectedException("beforeConstructor threw", e);`
	`104`	`+ module.onUnexpectedException("afterConstructor threw", e);`
`99`	`105`	`}`
`100`	`106`	`}`
`101`	`107`	`}`