Optimizing the preprocessing hooks to reduce SA overhead
IshikaDawda committed Nov 21, 2024
1 parent 8be8ec3 commit 2477231
Showing 59 changed files with 153 additions and 625 deletions.
Expand Up @@ -14,13 +14,13 @@
import io.grpc.Metadata;

public class GrpcClientUtils {
public static final String METHOD_NAME_START = "start";
private static final String METHOD_NAME_START = "start";

private static final String NR_SEC_CUSTOM_ATTRIB_NAME = "NR_CSEC_GRPC_CLIENT_OPERATIONAL_LOCK_";

public static void registerExitOperation(boolean isProcessingAllowed, AbstractOperation operation) {
try {
if (operation == null || !isProcessingAllowed || !NewRelicSecurity.isHookProcessingActive() || NewRelicSecurity.getAgent().getSecurityMetaData().getRequest().isEmpty()
) {
if (operation == null || !isProcessingAllowed || !NewRelicSecurity.isHookProcessingActive() || NewRelicSecurity.getAgent().getSecurityMetaData().getRequest().isEmpty()) {
return;
}
NewRelicSecurity.getAgent().registerExitEvent(operation);
Expand All @@ -32,7 +32,6 @@ public static void registerExitOperation(boolean isProcessingAllowed, AbstractOp

public static AbstractOperation preprocessSecurityHook(String uri, Metadata meta, String klass) {
try {

SSRFOperation operation = new SSRFOperation(uri, klass, METHOD_NAME_START);

NewRelicSecurity.getAgent().getSecurityMetaData().getMetaData().setFromJumpRequiredInStackTrace(3);
Expand Up @@ -22,19 +22,14 @@
import java.util.Set;

public class GrpcServerUtils {
public static final String LIBRARY_NAME = "gRPC";
private static final String X_FORWARDED_FOR = "x-forwarded-for";
private static final String EMPTY = "";
public static final String METHOD_NAME_START_CALL = "startCall";
public static final String NR_SEC_CUSTOM_ATTRIB_NAME = "NR_CSEC_GRPC_SERVER_OPERATIONAL_LOCK_";
private static Set<Descriptors.Descriptor> typeRegistries = new HashSet<>();


public static <ReqT, ResT> void preprocessSecurityHook(ServerStream_Instrumentation call, ServerMethodDefinition<ReqT, ResT> methodDef, Metadata meta, String klass) {
try {
if (!NewRelicSecurity.isHookProcessingActive()) {
return;
}
SecurityMetaData securityMetaData = NewRelicSecurity.getAgent().getSecurityMetaData();

HttpRequest securityRequest = securityMetaData.getRequest();
Expand Down Expand Up @@ -91,10 +86,7 @@ public static <ReqT, ResT> void preprocessSecurityHook(ServerStream_Instrumentat

public static void postProcessSecurityHook(Metadata metadata, int statusCode, String className, String methodName) {
try {
if(NewRelicSecurity.getAgent().getIastDetectionCategory().getRxssEnabled()){
return;
}
if (!NewRelicSecurity.isHookProcessingActive()) {
if (!NewRelicSecurity.isHookProcessingActive() || NewRelicSecurity.getAgent().getIastDetectionCategory().getRxssEnabled()) {
return;
}
NewRelicSecurity.getAgent().getSecurityMetaData().getResponse().setResponseCode(statusCode);
Expand Down Expand Up @@ -132,38 +124,18 @@ public static void postProcessSecurityHook(Metadata metadata, int statusCode, St


public static void releaseLock() {
try {
if(NewRelicSecurity.isHookProcessingActive()) {
NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(getNrSecCustomAttrName(), null);
}
} catch (Throwable ignored) {
}
GenericHelper.releaseLock(getNrSecCustomAttrName());
}

private static String getNrSecCustomAttrName() {
return GrpcServerUtils.NR_SEC_CUSTOM_ATTRIB_NAME+Thread.currentThread().getId();
}

public static boolean acquireLockIfPossible() {
try {
if (NewRelicSecurity.isHookProcessingActive() &&
!isLockAcquired(getNrSecCustomAttrName())) {
NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(getNrSecCustomAttrName(), true);
return true;
}
} catch (Throwable ignored){}
return false;
}

private static boolean isLockAcquired(String nrSecCustomAttrName) {
try {
return NewRelicSecurity.isHookProcessingActive() &&
Boolean.TRUE.equals(NewRelicSecurity.getAgent().getSecurityMetaData().getCustomAttribute(nrSecCustomAttrName, Boolean.class));
} catch (Throwable ignored) {}
return false;
return GenericHelper.acquireLockIfPossible(getNrSecCustomAttrName());
}

public static String getTraceHeader(Map<String, String> headers) {
private static String getTraceHeader(Map<String, String> headers) {
String data = EMPTY;
if (headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER) || headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase())) {
data = headers.get(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER);
Expand All @@ -174,7 +146,7 @@ public static String getTraceHeader(Map<String, String> headers) {
return data;
}

public static void processGRPCRequestMetadata(Metadata metadata, HttpRequest securityRequest) {
private static void processGRPCRequestMetadata(Metadata metadata, HttpRequest securityRequest) {
Set<String> headerNames = metadata.keys();
for (String headerKey : headerNames) {
boolean takeNextValue = false;
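Review bot: `preprocessSecurityHook` appears to lose its `isHookProcessingActive()` guard here, so it now dereferences `NewRelicSecurity.getAgent().getSecurityMetaData()` and calls `securityMetaData.getRequest()` unconditionally. If the hook can be reached while the agent is inactive or outside a transaction, the failure is absorbed by the enclosing `try` (its catch is outside the visible lines) and the request is silently left untracked. Presumably every caller gates on `acquireLockIfPossible()` first, but that cannot be confirmed from this page; either state that precondition in a Javadoc line on the method or keep a cheap `if (securityMetaData == null) { return; }` right after the lookup. The same removal is made in the two other `GrpcServerUtils` copies further down the page.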
Expand Up @@ -47,31 +47,10 @@ public static <T> void preProcessSecurityHook(T receivedMessage, Type type, Stri
}

public static void releaseLock(int hashcode) {
try {
if(NewRelicSecurity.isHookProcessingActive()) {
NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(NR_SEC_CUSTOM_ATTRIB_NAME+hashcode, null);
}
} catch (Throwable ignored){}
GenericHelper.releaseLock(NR_SEC_CUSTOM_ATTRIB_NAME, hashcode);
}

public static boolean acquireLockIfPossible(int hashcode) {
try {
if (NewRelicSecurity.isHookProcessingActive() &&
!isLockAcquired(NR_SEC_CUSTOM_ATTRIB_NAME+hashcode)) {
NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(NR_SEC_CUSTOM_ATTRIB_NAME+hashcode, true);
return true;
}
} catch (Throwable ignored){
}
return false;
}

private static boolean isLockAcquired(String nrSecCustomAttrName) {
try {
return NewRelicSecurity.isHookProcessingActive() &&
Boolean.TRUE.equals(NewRelicSecurity.getAgent().getSecurityMetaData().getCustomAttribute(nrSecCustomAttrName, Boolean.class));
} catch (Throwable ignored) {
}
return false;
return GenericHelper.acquireLockIfPossible(NR_SEC_CUSTOM_ATTRIB_NAME, hashcode);
}
}
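Review bot: `releaseLock(int)` and `acquireLockIfPossible(int)` previously wrapped every agent call in `try { ... } catch (Throwable ignored)`, so a failure inside the agent could never propagate into the instrumented gRPC call; after delegating to `GenericHelper` that guarantee rests on code not shown on this page. It is worth confirming that `GenericHelper.releaseLock` and `GenericHelper.acquireLockIfPossible` still check `isHookProcessingActive()` and swallow throwables, and once confirmed recording it next to the call, e.g. `// GenericHelper never throws; returns false when hook processing is inactive`. The same delegation is made in the other `GrpcUtils` copies and in `GrpcServerUtils.releaseLock()` / `acquireLockIfPossible()`.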
Expand Up @@ -18,7 +18,6 @@
import java.util.concurrent.atomic.AtomicInteger;

public class GrpcRequestThreadPool {
public static final String CALL_FAILED_REQUEST_S_REASON = "Call failed : request %s reason : ";

/**
* Thread pool executor.
Expand Up @@ -19,8 +19,7 @@ public class GrpcClientUtils {

public static void registerExitOperation(boolean isProcessingAllowed, AbstractOperation operation) {
try {
if (operation == null || !isProcessingAllowed || !NewRelicSecurity.isHookProcessingActive() || NewRelicSecurity.getAgent().getSecurityMetaData().getRequest().isEmpty()
) {
if (operation == null || !isProcessingAllowed || !NewRelicSecurity.isHookProcessingActive() || NewRelicSecurity.getAgent().getSecurityMetaData().getRequest().isEmpty()) {
return;
}
NewRelicSecurity.getAgent().registerExitEvent(operation);
Expand Up @@ -32,9 +32,6 @@ public class GrpcServerUtils {

public static <ReqT, ResT> void preprocessSecurityHook(ServerStream_Instrumentation call, ServerMethodDefinition<ReqT, ResT> methodDef, Metadata meta, String klass) {
try {
if (!NewRelicSecurity.isHookProcessingActive()) {
return;
}
SecurityMetaData securityMetaData = NewRelicSecurity.getAgent().getSecurityMetaData();

HttpRequest securityRequest = securityMetaData.getRequest();
Expand Down Expand Up @@ -95,10 +92,7 @@ public static <ReqT, ResT> void preprocessSecurityHook(ServerStream_Instrumentat

public static void postProcessSecurityHook(Metadata metadata, int statusCode, String className, String methodName) {
try {
if(NewRelicSecurity.getAgent().getIastDetectionCategory().getRxssEnabled()){
return;
}
if (!NewRelicSecurity.isHookProcessingActive()) {
if (!NewRelicSecurity.isHookProcessingActive() || NewRelicSecurity.getAgent().getIastDetectionCategory().getRxssEnabled()) {
return;
}
NewRelicSecurity.getAgent().getSecurityMetaData().getResponse().setResponseCode(statusCode);
Expand Down Expand Up @@ -136,35 +130,15 @@ public static void postProcessSecurityHook(Metadata metadata, int statusCode, St


public static void releaseLock() {
try {
if(NewRelicSecurity.isHookProcessingActive()) {
NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(getNrSecCustomAttrName(), null);
}
} catch (Throwable ignored) {
}
GenericHelper.releaseLock(getNrSecCustomAttrName());
}

private static String getNrSecCustomAttrName() {
return GrpcServerUtils.NR_SEC_CUSTOM_ATTRIB_NAME+Thread.currentThread().getId();
}

public static boolean acquireLockIfPossible() {
try {
if (NewRelicSecurity.isHookProcessingActive() &&
!isLockAcquired(getNrSecCustomAttrName())) {
NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(getNrSecCustomAttrName(), true);
return true;
}
} catch (Throwable ignored){}
return false;
}

private static boolean isLockAcquired(String nrSecCustomAttrName) {
try {
return NewRelicSecurity.isHookProcessingActive() &&
Boolean.TRUE.equals(NewRelicSecurity.getAgent().getSecurityMetaData().getCustomAttribute(nrSecCustomAttrName, Boolean.class));
} catch (Throwable ignored) {}
return false;
return GenericHelper.acquireLockIfPossible(getNrSecCustomAttrName());
}

public static String getTraceHeader(Map<String, String> headers) {
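Review bot: The merged guard in `postProcessSecurityHook` returns early when `getRxssEnabled()` is true, which reads as though response processing is skipped exactly when the RXSS category is enabled. If the flag on `IastDetectionCategory` actually means the category is excluded from scanning, a short comment above the `if` would stop a later "fix" from inverting it, for example `// getRxssEnabled() == true means RXSS detection is switched off, so skip response capture`. Evaluating `isHookProcessingActive()` first is the right order, since the agent is no longer dereferenced before the active check. The method body continues outside the hunk.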
Expand Up @@ -11,7 +11,7 @@
import java.util.Map;

public class GrpcUtils {
public static final String NR_SEC_CUSTOM_ATTRIB_NAME = "NR_CSEC_GRPC_OBJECT_LOCK_";
private static final String NR_SEC_CUSTOM_ATTRIB_NAME = "NR_CSEC_GRPC_OBJECT_LOCK_";
public static final String GRPC_1_4_0 = "GRPC-1.4.0";

public enum Type {
Expand Down Expand Up @@ -48,30 +48,10 @@ public static <T> void preProcessSecurityHook(T receivedMessage, Type type, Stri
}

public static void releaseLock(int hashcode) {
try {
if(NewRelicSecurity.isHookProcessingActive()) {
NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(NR_SEC_CUSTOM_ATTRIB_NAME+hashcode, null);
}
} catch (Throwable ignored) {
}
GenericHelper.releaseLock(NR_SEC_CUSTOM_ATTRIB_NAME, hashcode);
}

public static boolean acquireLockIfPossible(int hashcode) {
try {
if (NewRelicSecurity.isHookProcessingActive() &&
!isLockAcquired(NR_SEC_CUSTOM_ATTRIB_NAME+hashcode)) {
NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(NR_SEC_CUSTOM_ATTRIB_NAME+hashcode, true);
return true;
}
} catch (Throwable ignored){}
return false;
}

private static boolean isLockAcquired(String nrSecCustomAttrName) {
try {
return NewRelicSecurity.isHookProcessingActive() &&
Boolean.TRUE.equals(NewRelicSecurity.getAgent().getSecurityMetaData().getCustomAttribute(nrSecCustomAttrName, Boolean.class));
} catch (Throwable ignored) {}
return false;
return GenericHelper.acquireLockIfPossible(NR_SEC_CUSTOM_ATTRIB_NAME, hashcode);
}
}
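Review bot: The lock attribute is keyed on `NR_SEC_CUSTOM_ATTRIB_NAME` plus an `int hashcode`, and hash codes are not unique. If callers pass a message's `hashCode()` (the call site is outside this page), two distinct messages in one transaction with equal hash codes would share a lock, so the second `acquireLockIfPossible(hashcode)` returns false and that message's security hook is skipped. A comment on `acquireLockIfPossible` accepting that trade-off, or a key that cannot collide, would make the coverage gap explicit.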
Expand Up @@ -18,7 +18,6 @@
import java.util.concurrent.atomic.AtomicInteger;

public class GrpcRequestThreadPool {
public static final String CALL_FAILED_REQUEST_S_REASON = "Call failed : request %s reason : ";

/**
* Thread pool executor.
Expand Up @@ -14,13 +14,12 @@
import io.grpc.Metadata;

public class GrpcClientUtils {
public static final String METHOD_NAME_START = "start";
public static final String NR_SEC_CUSTOM_ATTRIB_NAME = "NR_CSEC_GRPC_CLIENT_OPERATIONAL_LOCK_";
private static final String METHOD_NAME_START = "start";
private static final String NR_SEC_CUSTOM_ATTRIB_NAME = "NR_CSEC_GRPC_CLIENT_OPERATIONAL_LOCK_";

public static void registerExitOperation(boolean isProcessingAllowed, AbstractOperation operation) {
try {
if (operation == null || !isProcessingAllowed || !NewRelicSecurity.isHookProcessingActive() || NewRelicSecurity.getAgent().getSecurityMetaData().getRequest().isEmpty()
) {
if (operation == null || !isProcessingAllowed || !NewRelicSecurity.isHookProcessingActive() || NewRelicSecurity.getAgent().getSecurityMetaData().getRequest().isEmpty()) {
return;
}
NewRelicSecurity.getAgent().registerExitEvent(operation);
Expand Up @@ -31,9 +31,6 @@ public class GrpcServerUtils {

public static <ReqT, ResT> void preprocessSecurityHook(ServerStream_Instrumentation call, ServerMethodDefinition<ReqT, ResT> methodDef, Metadata meta, String klass) {
try {
if (!NewRelicSecurity.isHookProcessingActive()) {
return;
}
SecurityMetaData securityMetaData = NewRelicSecurity.getAgent().getSecurityMetaData();

HttpRequest securityRequest = securityMetaData.getRequest();
Expand Down Expand Up @@ -90,10 +87,7 @@ public static <ReqT, ResT> void preprocessSecurityHook(ServerStream_Instrumentat

public static void postProcessSecurityHook(Metadata metadata, int statusCode, String className, String methodName) {
try {
if(NewRelicSecurity.getAgent().getIastDetectionCategory().getRxssEnabled()){
return;
}
if (!NewRelicSecurity.isHookProcessingActive()) {
if (!NewRelicSecurity.isHookProcessingActive() || NewRelicSecurity.getAgent().getIastDetectionCategory().getRxssEnabled()) {
return;
}
NewRelicSecurity.getAgent().getSecurityMetaData().getResponse().setResponseCode(statusCode);
Expand Down Expand Up @@ -131,37 +125,18 @@ public static void postProcessSecurityHook(Metadata metadata, int statusCode, St


public static void releaseLock() {
try {
if(NewRelicSecurity.isHookProcessingActive()) {
NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(getNrSecCustomAttrName(), null);
}
} catch (Throwable ignored){}
GenericHelper.releaseLock(getNrSecCustomAttrName());
}

private static String getNrSecCustomAttrName() {
return GrpcServerUtils.NR_SEC_CUSTOM_ATTRIB_NAME+Thread.currentThread().getId();
}

public static boolean acquireLockIfPossible() {
try {
if (NewRelicSecurity.isHookProcessingActive() &&
!isLockAcquired(getNrSecCustomAttrName())) {
NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(getNrSecCustomAttrName(), true);
return true;
}
} catch (Throwable ignored){}
return false;
}

private static boolean isLockAcquired(String nrSecCustomAttrName) {
try {
return NewRelicSecurity.isHookProcessingActive() &&
Boolean.TRUE.equals(NewRelicSecurity.getAgent().getSecurityMetaData().getCustomAttribute(nrSecCustomAttrName, Boolean.class));
} catch (Throwable ignored) {}
return false;
return GenericHelper.acquireLockIfPossible(getNrSecCustomAttrName());
}

public static String getTraceHeader(Map<String, String> headers) {
private static String getTraceHeader(Map<String, String> headers) {
String data = EMPTY;
if (headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER) || headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase())) {
data = headers.get(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER);
Expand All @@ -172,7 +147,7 @@ public static String getTraceHeader(Map<String, String> headers) {
return data;
}

public static void processGRPCRequestMetadata(Metadata metadata, HttpRequest securityRequest) {
private static void processGRPCRequestMetadata(Metadata metadata, HttpRequest securityRequest) {
Set<String> headerNames = metadata.keys();
for (String headerKey : headerNames) {
boolean takeNextValue = false;
Expand Up @@ -11,7 +11,7 @@
import java.util.Map;

public class GrpcUtils {
public static final String NR_SEC_CUSTOM_ATTRIB_NAME = "NR_CSEC_GRPC_OBJECT_LOCK_";
private static final String NR_SEC_CUSTOM_ATTRIB_NAME = "NR_CSEC_GRPC_OBJECT_LOCK_";
public static final String GRPC_1_40_0 = "GRPC-1.40.0";

public enum Type {
Expand Down Expand Up @@ -48,29 +48,11 @@ public static <T> void preProcessSecurityHook(T receivedMessage, Type type, Stri
}

public static void releaseLock(int hashcode) {
try {
if(NewRelicSecurity.isHookProcessingActive()) {
NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(NR_SEC_CUSTOM_ATTRIB_NAME+hashcode, null);
}
} catch (Throwable ignored){}
GenericHelper.releaseLock(NR_SEC_CUSTOM_ATTRIB_NAME, hashcode);
}

public static boolean acquireLockIfPossible(int hashcode) {
try {
if (NewRelicSecurity.isHookProcessingActive() &&
!isLockAcquired(NR_SEC_CUSTOM_ATTRIB_NAME+hashcode)) {
NewRelicSecurity.getAgent().getSecurityMetaData().addCustomAttribute(NR_SEC_CUSTOM_ATTRIB_NAME+hashcode, true);
return true;
}
} catch (Throwable ignored){}
return false;
return GenericHelper.acquireLockIfPossible(NR_SEC_CUSTOM_ATTRIB_NAME, hashcode);
}

private static boolean isLockAcquired(String nrSecCustomAttrName) {
try {
return NewRelicSecurity.isHookProcessingActive() &&
Boolean.TRUE.equals(NewRelicSecurity.getAgent().getSecurityMetaData().getCustomAttribute(nrSecCustomAttrName, Boolean.class));
} catch (Throwable ignored) {}
return false;
}
}