# This is a combination of 2 commits.

# This is the 1st commit message:

Resteasy IAST instrumentation

# This is the commit message #2:

Addressing git comments

Author: DDJavierSantos

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/source/WebModuleImpl.java

@@ -6,10 +6,15 @@
 import com.datadog.iast.model.Source;
 import com.datadog.iast.model.SourceType;
 import com.datadog.iast.taint.Ranges;
+import com.datadog.iast.taint.TaintedObject;
 import com.datadog.iast.taint.TaintedObjects;
 import datadog.trace.api.iast.source.WebModule;
 import java.io.BufferedReader;
 import java.io.InputStream;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 
@@ -131,4 +136,100 @@ public void onHeaderValue(@Nullable final String headerName, @Nullable final Str
     taintedObjects.taintInputString(
         headerValue, new Source(SourceType.REQUEST_HEADER_VALUE, headerName, headerValue));
   }
+
+  @Override
+  public void onCookieValue(@Nullable final String cookieName, @Nullable final String cookieValue) {
+    if (!canBeTainted(cookieName)) {
+      return;
+    }
+    final IastRequestContext ctx = IastRequestContext.get();
+    if (ctx == null) {
+      return;
+    }
+    final TaintedObjects taintedObjects = ctx.getTaintedObjects();
+    taintedObjects.taintInputString(
+        cookieValue, new Source(SourceType.REQUEST_COOKIE_VALUE, cookieName, cookieValue));
+  }
+
+  @Override
+  public void onJaxGetQueryParameters(@Nonnull Object multiValuedMap) {
+    final IastRequestContext ctx = IastRequestContext.get();
+    if (ctx == null) {
+      return;
+    }
+    final TaintedObjects taintedObjects = ctx.getTaintedObjects();
+    taintedObjects.taint(multiValuedMap, Ranges.EMPTY);
+  }
+
+  @Override
+  public void onMultiValuedMapAccess(
+      @Nonnull Object multiValuedMap, @Nonnull Object key, @Nonnull Object returnedValue) {
+    final IastRequestContext ctx = IastRequestContext.get();
+    if (ctx == null) {
+      return;
+    }
+    final TaintedObjects taintedObjects = ctx.getTaintedObjects();
+    TaintedObject taintedMultiValuedMap = taintedObjects.get(multiValuedMap);
+    if (null != taintedMultiValuedMap && key instanceof String) {
+      if (returnedValue instanceof String) {
+        taintedObjects.taintInputString(
+            (String) returnedValue,
+            new Source(SourceType.REQUEST_PARAMETER_VALUE, (String) key, (String) returnedValue));
+      } else if (returnedValue instanceof List) {
+        for (Object o : ((List) returnedValue)) {
+          if (o instanceof String) {
+            taintedObjects.taintInputString(
+                (String) o,
+                new Source(SourceType.REQUEST_PARAMETER_VALUE, (String) key, (String) o));
+          }
+        }
+      }
+    }
+  }
+
+  @Override
+  public void taintSetIfInputIsTainted(@Nonnull Set toTaint, @Nullable Object input) {
+    final IastRequestContext ctx = IastRequestContext.get();
+    if (ctx == null) {
+      return;
+    }
+    final TaintedObjects taintedObjects = ctx.getTaintedObjects();
+    TaintedObject tainted = taintedObjects.get(input);
+    if (tainted != null) {
+      for (Object o : toTaint) {
+        if (o instanceof String) {
+          taintedObjects.taintInputString(
+              (String) o, new Source(SourceType.REQUEST_PARAMETER_VALUE, null, (String) o));
+        } else if (o instanceof Map.Entry) {
+          Map.Entry entry = (Map.Entry) o;
+          if (entry.getKey() instanceof String && entry.getValue() instanceof String) {
+            taintedObjects.taintInputString(
+                (String) entry.getValue(),
+                new Source(
+                    SourceType.REQUEST_PARAMETER_VALUE,
+                    (String) entry.getKey(),
+                    (String) entry.getValue()));
+          }
+        }
+      }
+    }
+  }
+
+  @Override
+  public void taintCollectionIfInputIsTainted(@Nonnull Collection toTaint, @Nullable Object input) {
+    final IastRequestContext ctx = IastRequestContext.get();
+    if (ctx == null) {
+      return;
+    }
+    final TaintedObjects taintedObjects = ctx.getTaintedObjects();
+    TaintedObject tainted = taintedObjects.get(input);
+    if (tainted != null) {
+      for (Object o : toTaint) {
+        if (o instanceof String) {
+          taintedObjects.taintInputString(
+              (String) o, new Source(SourceType.REQUEST_PARAMETER_VALUE, null, (String) o));
+        }
+      }
+    }
+  }
 }

dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/source/WebModuleTest.groovy

@@ -346,4 +346,28 @@ class WebModuleTest extends IastModuleImplTestBase {
     def to = ctx.getTaintedObjects().get(reader)
     assert to != null
   }
+
+  void 'test taintSetIfInputIsTainted'() {
+    given:
+    final span = Mock(AgentSpan)
+    tracer.activeSpan() >> span
+    final reqCtx = Mock(RequestContext)
+    span.getRequestContext() >> reqCtx
+    final ctx = new IastRequestContext()
+    reqCtx.getData(RequestContextSlot.IAST) >> ctx
+    def multiValuedMap = new Object()
+    def retValue = new String()
+
+    when:
+    module.taintSetIfInputIsTainted(retValue, multiValuedMap)
+
+    then:
+    1 * tracer.activeSpan() >> span
+    1 * span.getRequestContext() >> reqCtx
+    1 * reqCtx.getData(RequestContextSlot.IAST) >> ctx
+    0 * _
+
+    def to = ctx.getTaintedObjects().get(retValue)
+    assert to != null
+  }
 }

dd-java-agent/instrumentation/resteasy-appsec/src/main/java/datadog/trace/instrumentation/resteasy/CookieParamInjectorAdvice.java

@@ -0,0 +1,38 @@
+package datadog.trace.instrumentation.resteasy;
+
+import datadog.trace.api.iast.InstrumentationBridge;
+import datadog.trace.api.iast.source.WebModule;
+import java.util.Collection;
+import net.bytebuddy.asm.Advice;
+import org.jboss.resteasy.core.CookieParamInjector;
+
+public class CookieParamInjectorAdvice {
+  @Advice.OnMethodExit
+  public static void onExit(
+      @Advice.This CookieParamInjector self,
+      @Advice.Return(readOnly = true) Object result,
+      @Advice.FieldValue("paramName") String paramName) {
+    if (result instanceof String || result instanceof Collection) {
+      final WebModule module = InstrumentationBridge.WEB;
+
+      if (module != null) {
+        try {
+          if (result instanceof Collection) {
+            Collection collection = (Collection) result;
+            for (Object o : collection) {
+              if (o instanceof String) {
+                module.onCookieValue(paramName, (String) o);
+              }
+            }
+          } else {
+            module.onCookieValue(paramName, (String) result);
+          }
+        } catch (final Throwable e) {
+          module.onUnexpectedException("CookieParamInjectorAdvice.onExit threw", e);
+        }
+      } else {
+        System.out.println("Module is null");
+      }
+    }
+  }
+}

dd-java-agent/instrumentation/resteasy-appsec/src/main/java/datadog/trace/instrumentation/resteasy/CookieParamInjectorInstrumentation.java

@@ -0,0 +1,27 @@
+package datadog.trace.instrumentation.resteasy;
+
+import static datadog.trace.agent.tooling.bytebuddy.matcher.NameMatchers.named;
+import static net.bytebuddy.matcher.ElementMatchers.isPublic;
+
+import com.google.auto.service.AutoService;
+import datadog.trace.agent.tooling.Instrumenter;
+
+@AutoService(Instrumenter.class)
+public class CookieParamInjectorInstrumentation extends Instrumenter.Iast
+    implements Instrumenter.ForSingleType {
+
+  public CookieParamInjectorInstrumentation() {
+    super("Cookie Param Value Injector for RestEasy");
+  }
+
+  @Override
+  public void adviceTransformations(AdviceTransformation transformation) {
+    transformation.applyAdvice(
+        named("inject").and(isPublic()), packageName + ".CookieParamInjectorAdvice");
+  }
+
+  @Override
+  public String instrumentedType() {
+    return "org.jboss.resteasy.core.CookieParamInjector";
+  }
+}

dd-java-agent/instrumentation/resteasy-appsec/src/main/java/datadog/trace/instrumentation/resteasy/HeaderParamInjectorAdvice.java

@@ -0,0 +1,38 @@
+package datadog.trace.instrumentation.resteasy;
+
+import datadog.trace.api.iast.InstrumentationBridge;
+import datadog.trace.api.iast.source.WebModule;
+import java.util.Collection;
+import net.bytebuddy.asm.Advice;
+import org.jboss.resteasy.core.HeaderParamInjector;
+
+public class HeaderParamInjectorAdvice {
+  @Advice.OnMethodExit
+  public static void onExit(
+      @Advice.This HeaderParamInjector self,
+      @Advice.Return(readOnly = true) Object result,
+      @Advice.FieldValue("paramName") String paramName) {
+    if (result instanceof String || result instanceof Collection) {
+      final WebModule module = InstrumentationBridge.WEB;
+
+      if (module != null) {
+        try {
+          if (result instanceof Collection) {
+            Collection collection = (Collection) result;
+            for (Object o : collection) {
+              if (o instanceof String) {
+                module.onHeaderValue(paramName, (String) o);
+              }
+            }
+          } else {
+            module.onHeaderValue(null, (String) result);
+          }
+        } catch (final Throwable e) {
+          module.onUnexpectedException("PathParamInjectorAdvice.onExit threw", e);
+        }
+      } else {
+        System.out.println("Module is null");
+      }
+    }
+  }
+}

dd-java-agent/instrumentation/resteasy-appsec/src/main/java/datadog/trace/instrumentation/resteasy/HeaderParamInjectorInstrumentation.java

@@ -0,0 +1,27 @@
+package datadog.trace.instrumentation.resteasy;
+
+import static datadog.trace.agent.tooling.bytebuddy.matcher.NameMatchers.named;
+import static net.bytebuddy.matcher.ElementMatchers.isPublic;
+
+import com.google.auto.service.AutoService;
+import datadog.trace.agent.tooling.Instrumenter;
+
+@AutoService(Instrumenter.class)
+public class HeaderParamInjectorInstrumentation extends Instrumenter.Iast
+    implements Instrumenter.ForSingleType {
+
+  public HeaderParamInjectorInstrumentation() {
+    super("Header Value Injector for RestEasy");
+  }
+
+  @Override
+  public void adviceTransformations(AdviceTransformation transformation) {
+    transformation.applyAdvice(
+        named("inject").and(isPublic()), packageName + ".HeaderParamInjectorAdvice");
+  }
+
+  @Override
+  public String instrumentedType() {
+    return "org.jboss.resteasy.core.HeaderParamInjector";
+  }
+}

dd-java-agent/instrumentation/resteasy-appsec/src/main/java/datadog/trace/instrumentation/resteasy/MultivaluedMapInstrumentation.java

@@ -0,0 +1,58 @@
+package datadog.trace.instrumentation.resteasy;
+
+import static datadog.trace.agent.tooling.bytebuddy.matcher.HierarchyMatchers.implementsInterface;
+import static datadog.trace.agent.tooling.bytebuddy.matcher.NameMatchers.named;
+import static datadog.trace.agent.tooling.bytebuddy.matcher.NameMatchers.namedOneOf;
+
+import datadog.trace.agent.tooling.Instrumenter;
+import datadog.trace.api.iast.InstrumentationBridge;
+import datadog.trace.api.iast.source.WebModule;
+import net.bytebuddy.asm.Advice;
+import net.bytebuddy.description.type.TypeDescription;
+import net.bytebuddy.matcher.ElementMatcher;
+
+public class MultivaluedMapInstrumentation extends Instrumenter.Iast
+    implements Instrumenter.ForTypeHierarchy {
+
+  public MultivaluedMapInstrumentation() {
+    super("MultivaluedMap");
+  }
+
+  @Override
+  public void adviceTransformations(AdviceTransformation transformation) {
+    transformation.applyAdvice(
+        namedOneOf("getFirst", "get"), getClass().getName() + "$MultiValuedMapAdviceGet");
+    transformation.applyAdvice(
+        namedOneOf("keySet", "values", "entrySet"),
+        getClass().getName() + "$MultiValuedMapAdviceReturningMultipleValues");
+  }
+
+  @Override
+  public String hierarchyMarkerType() {
+    return "jakarta.ws.rs.core.MultivaluedMap";
+  }
+
+  @Override
+  public ElementMatcher<TypeDescription> hierarchyMatcher() {
+    return implementsInterface(named(hierarchyMarkerType()));
+  }
+
+  public static class MultiValuedMapAdviceGet {
+
+    @Advice.OnMethodExit
+    public static void onExit(
+        @Advice.This Object self, @Advice.Return(readOnly = true) Object result) {
+      final WebModule module = InstrumentationBridge.WEB;
+
+      if (module != null) {
+        try {
+          module.onJaxGetQueryParameters(result);
+        } catch (final Throwable e) {
+          module.onUnexpectedException("UriInfoAdvice.onExit threw", e);
+        }
+      } else {
+        System.out.println("Module is null");
+      }
+    }
+  }
+}

dd-java-agent/instrumentation/resteasy-appsec/src/main/java/datadog/trace/instrumentation/resteasy/PathParamInjectorAdvice.java

@@ -0,0 +1,38 @@
+package datadog.trace.instrumentation.resteasy;
+
+import datadog.trace.api.iast.InstrumentationBridge;
+import datadog.trace.api.iast.source.WebModule;
+import java.util.Collection;
+import net.bytebuddy.asm.Advice;
+import org.jboss.resteasy.core.PathParamInjector;
+
+public class PathParamInjectorAdvice {
+  @Advice.OnMethodExit
+  public static void onExit(
+      @Advice.This PathParamInjector self,
+      @Advice.Return(readOnly = true) Object result,
+      @Advice.FieldValue("paramName") String paramName) {
+    if (result instanceof String || result instanceof Collection) {
+      final WebModule module = InstrumentationBridge.WEB;
+
+      if (module != null) {
+        try {
+          if (result instanceof Collection) {
+            Collection collection = (Collection) result;
+            for (Object o : collection) {
+              if (o instanceof String) {
+                module.onParameterValue(paramName, (String) o);
+              }
+            }
+          } else {
+            module.onParameterValue(paramName, (String) result);
+          }
+        } catch (final Throwable e) {
+          module.onUnexpectedException("PathParamInjectorAdvice.onExit threw", e);
+        }
+      } else {
+        System.out.println("Module is null");
+      }
+    }
+  }
+}