Limit the maximum size of the location path in IAST vulnerabilities

[jandro996]

What Does This Do

Add truncation to path, class and method if it's necessary for LocationSuppliers to report XSS vulnerabilities

Motivation

incident-39654

In this incident, it was reported that the location.path field of an IAST vulnerability was populated with a large HTML payload, which caused a backend error and prevented the vulnerability from being reported.

This occurred specifically with an XSS vulnerability located in a Thymeleaf template.

Normally, the location.path is extracted from the stacktrace, so this kind of behavior is unusual. However, in cases where vulnerabilities occur in template-based frameworks, we use a different approach to improve precision — specifying the template name instead of the compiled class in the vulnerability location.

In Thymeleaf, the instrumented method getTemplateName may return a full HTML document instead of just the template name, as originally expected.

To guard against these cases, we’ve decided to truncate the values of path, class, and method when they are generated using suppliers rather than stacktrace-based extraction.

Additional Notes

Contributor Checklist

• Format the title according the contribution guidelines
• Assign the type: and (comp: or inst:) labels in addition to any usefull labels
• Don't use close, fix or any linking keywords when referencing an issue.
  Use solves instead, and assign the PR milestone to the issue
• Update the CODEOWNERS file on source file addition, move, or deletion
• Update the public documentation in case of new configuration flag or behavior

Jira ticket: [PROJ-IDENT]

[pr-commenter]

Benchmarks

Startup

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	alejandro.gonzalez/incident-39654
git_commit_date	1750768664	1750771020
git_commit_sha	b7fd382	555d652
release_version	1.51.0-SNAPSHOT~b7fd382549	1.51.0-SNAPSHOT~555d6524ca

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1750772866	1750772866
ci_job_id	995746664	995746664
ci_pipeline_id	68595385	68595385
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-ecr1ksdw-project-304-concurrent-0-8ckek0uo 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-ecr1ksdw-project-304-concurrent-0-8ckek0uo 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module	Agent	Agent
parent	None	None

Summary

Found 1 performance improvements and 8 performance regressions! Performance is the same for 33 metrics, 11 unstable metrics.

scenario	Δ mean execution_time	candidate mean execution_time	baseline mean execution_time
scenario:startup:insecure-bank:tracing:Agent.start	worse [+22.306ms; +50.840ms] or [+2.237%; +5.099%]	1033.684ms	997.111ms
scenario:startup:petclinic:appsec:AppSec	worse [+9.218ms; +11.460ms] or [+5.449%; +6.775%]	179.491ms	169.152ms
scenario:startup:petclinic:appsec:Telemetry	better [-927.777µs; -764.578µs] or [-11.310%; -9.320%]	7.357ms	8.203ms
scenario:startup:petclinic:iast:Agent.start	worse [+24.472ms; +30.398ms] or [+2.170%; +2.696%]	1.155s	1.128s
scenario:startup:petclinic:iast:Debugger	worse [+161.603µs; +317.050µs] or [+2.796%; +5.485%]	6.020ms	5.780ms
scenario:startup:petclinic:iast:Remote Config	worse [+17.655µs; +48.905µs] or [+3.064%; +8.488%]	609.460µs	576.180µs
scenario:startup:petclinic:profiling:ProfilingAgent	worse [+2.185ms; +7.064ms] or [+2.128%; +6.881%]	107.286ms	102.662ms
scenario:startup:petclinic:profiling:AppSec	worse [+29.984ms; +32.672ms] or [+96.223%; +104.851%]	62.489ms	31.161ms
scenario:startup:petclinic:profiling:Profiling	worse [+2.183ms; +7.064ms] or [+2.126%; +6.879%]	107.310ms	102.687ms

Startup time reports for insecure-bank

gantt
    title insecure-bank - global startup overhead: candidate=1.51.0-SNAPSHOT~555d6524ca, baseline=1.51.0-SNAPSHOT~b7fd382549

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (997.111 ms) : 0, 997111
Total [baseline] (8.553 s) : 0, 8553301
Agent [candidate] (1.034 s) : 0, 1033684
Total [candidate] (8.578 s) : 0, 8578445
section iast
Agent [baseline] (1.133 s) : 0, 1133144
Total [baseline] (9.24 s) : 0, 9240308
Agent [candidate] (1.15 s) : 0, 1149859
Total [candidate] (9.179 s) : 0, 9179435

Loading

• baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	997.111 ms	-
Agent	iast	1.133 s	136.033 ms (13.6%)
Total	tracing	8.553 s	-
Total	iast	9.24 s	687.007 ms (8.0%)

• candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.034 s	-
Agent	iast	1.15 s	116.175 ms (11.2%)
Total	tracing	8.578 s	-
Total	iast	9.179 s	600.99 ms (7.0%)

gantt
    title insecure-bank - break down per module: candidate=1.51.0-SNAPSHOT~555d6524ca, baseline=1.51.0-SNAPSHOT~b7fd382549

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (688.225 ms) : 0, 688225
BytebuddyAgent [candidate] (691.517 ms) : 0, 691517
GlobalTracer [baseline] (242.739 ms) : 0, 242739
GlobalTracer [candidate] (243.889 ms) : 0, 243889
AppSec [baseline] (30.309 ms) : 0, 30309
AppSec [candidate] (58.485 ms) : 0, 58485
Debugger [baseline] (6.08 ms) : 0, 6080
Debugger [candidate] (6.235 ms) : 0, 6235
Remote Config [baseline] (656.996 µs) : 0, 657
Remote Config [candidate] (671.148 µs) : 0, 671
Telemetry [baseline] (8.252 ms) : 0, 8252
Telemetry [candidate] (11.926 ms) : 0, 11926
section iast
BytebuddyAgent [baseline] (810.387 ms) : 0, 810387
BytebuddyAgent [candidate] (804.497 ms) : 0, 804497
GlobalTracer [baseline] (232.415 ms) : 0, 232415
GlobalTracer [candidate] (231.321 ms) : 0, 231321
AppSec [baseline] (25.918 ms) : 0, 25918
AppSec [candidate] (52.919 ms) : 0, 52919
Debugger [baseline] (5.835 ms) : 0, 5835
Debugger [candidate] (5.969 ms) : 0, 5969
Remote Config [baseline] (590.962 µs) : 0, 591
Remote Config [candidate] (598.728 µs) : 0, 599
Telemetry [baseline] (7.913 ms) : 0, 7913
Telemetry [candidate] (7.993 ms) : 0, 7993
IAST [baseline] (29.269 ms) : 0, 29269
IAST [candidate] (25.87 ms) : 0, 25870

Loading

Startup time reports for petclinic

gantt
    title petclinic - global startup overhead: candidate=1.51.0-SNAPSHOT~555d6524ca, baseline=1.51.0-SNAPSHOT~b7fd382549

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.001 s) : 0, 1000593
Total [baseline] (10.579 s) : 0, 10578594
Agent [candidate] (1.031 s) : 0, 1031447
Total [candidate] (10.543 s) : 0, 10542851
section appsec
Agent [baseline] (1.176 s) : 0, 1176184
Total [baseline] (10.682 s) : 0, 10681876
Agent [candidate] (1.179 s) : 0, 1179109
Total [candidate] (10.675 s) : 0, 10674514
section iast
Agent [baseline] (1.128 s) : 0, 1127652
Total [baseline] (10.82 s) : 0, 10820175
Agent [candidate] (1.155 s) : 0, 1155087
Total [candidate] (10.88 s) : 0, 10880166
section profiling
Agent [baseline] (1.245 s) : 0, 1245414
Total [baseline] (10.949 s) : 0, 10949090
Agent [candidate] (1.271 s) : 0, 1270746
Total [candidate] (10.944 s) : 0, 10944164

Loading

• baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.001 s	-
Agent	appsec	1.176 s	175.591 ms (17.5%)
Agent	iast	1.128 s	127.059 ms (12.7%)
Agent	profiling	1.245 s	244.821 ms (24.5%)
Total	tracing	10.579 s	-
Total	appsec	10.682 s	103.282 ms (1.0%)
Total	iast	10.82 s	241.581 ms (2.3%)
Total	profiling	10.949 s	370.496 ms (3.5%)

• candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.031 s	-
Agent	appsec	1.179 s	147.662 ms (14.3%)
Agent	iast	1.155 s	123.639 ms (12.0%)
Agent	profiling	1.271 s	239.299 ms (23.2%)
Total	tracing	10.543 s	-
Total	appsec	10.675 s	131.664 ms (1.2%)
Total	iast	10.88 s	337.315 ms (3.2%)
Total	profiling	10.944 s	401.313 ms (3.8%)

gantt
    title petclinic - break down per module: candidate=1.51.0-SNAPSHOT~555d6524ca, baseline=1.51.0-SNAPSHOT~b7fd382549

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (691.009 ms) : 0, 691009
BytebuddyAgent [candidate] (691.0 ms) : 0, 691000
GlobalTracer [baseline] (243.422 ms) : 0, 243422
GlobalTracer [candidate] (243.531 ms) : 0, 243531
AppSec [baseline] (30.237 ms) : 0, 30237
AppSec [candidate] (58.437 ms) : 0, 58437
Debugger [baseline] (6.065 ms) : 0, 6065
Debugger [candidate] (6.215 ms) : 0, 6215
Remote Config [baseline] (654.904 µs) : 0, 655
Remote Config [candidate] (733.755 µs) : 0, 734
Telemetry [baseline] (8.247 ms) : 0, 8247
Telemetry [candidate] (10.513 ms) : 0, 10513
section appsec
BytebuddyAgent [baseline] (713.331 ms) : 0, 713331
BytebuddyAgent [candidate] (708.331 ms) : 0, 708331
GlobalTracer [baseline] (236.046 ms) : 0, 236046
GlobalTracer [candidate] (234.958 ms) : 0, 234958
AppSec [baseline] (169.152 ms) : 0, 169152
AppSec [candidate] (179.491 ms) : 0, 179491
Debugger [baseline] (5.824 ms) : 0, 5824
Debugger [candidate] (5.806 ms) : 0, 5806
Remote Config [baseline] (600.769 µs) : 0, 601
Remote Config [candidate] (622.114 µs) : 0, 622
Telemetry [baseline] (8.203 ms) : 0, 8203
Telemetry [candidate] (7.357 ms) : 0, 7357
IAST [baseline] (22.11 ms) : 0, 22110
IAST [candidate] (21.725 ms) : 0, 21725
section iast
BytebuddyAgent [baseline] (806.29 ms) : 0, 806290
BytebuddyAgent [candidate] (807.775 ms) : 0, 807775
GlobalTracer [baseline] (231.362 ms) : 0, 231362
GlobalTracer [candidate] (232.282 ms) : 0, 232282
AppSec [baseline] (27.385 ms) : 0, 27385
AppSec [candidate] (51.967 ms) : 0, 51967
Debugger [baseline] (5.78 ms) : 0, 5780
Debugger [candidate] (6.02 ms) : 0, 6020
Remote Config [baseline] (576.18 µs) : 0, 576
Remote Config [candidate] (609.46 µs) : 0, 609
Telemetry [baseline] (7.87 ms) : 0, 7870
Telemetry [candidate] (7.963 ms) : 0, 7963
IAST [baseline] (27.654 ms) : 0, 27654
IAST [candidate] (27.582 ms) : 0, 27582
section profiling
ProfilingAgent [baseline] (102.662 ms) : 0, 102662
ProfilingAgent [candidate] (107.286 ms) : 0, 107286
BytebuddyAgent [baseline] (679.784 ms) : 0, 679784
BytebuddyAgent [candidate] (676.051 ms) : 0, 676051
GlobalTracer [baseline] (361.695 ms) : 0, 361695
GlobalTracer [candidate] (361.36 ms) : 0, 361360
AppSec [baseline] (31.161 ms) : 0, 31161
AppSec [candidate] (62.489 ms) : 0, 62489
Debugger [baseline] (11.965 ms) : 0, 11965
Debugger [candidate] (6.144 ms) : 0, 6144
Remote Config [baseline] (657.114 µs) : 0, 657
Remote Config [candidate] (669.517 µs) : 0, 670
Telemetry [baseline] (8.684 ms) : 0, 8684
Telemetry [candidate] (8.085 ms) : 0, 8085
Profiling [baseline] (102.687 ms) : 0, 102687
Profiling [candidate] (107.31 ms) : 0, 107310

Loading

Load

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	alejandro.gonzalez/incident-39654
git_commit_date	1750768664	1750771020
git_commit_sha	b7fd382	555d652
release_version	1.51.0-SNAPSHOT~b7fd382549	1.51.0-SNAPSHOT~555d6524ca

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1750772478	1750772478
ci_job_id	995746668	995746668
ci_pipeline_id	68595385	68595385
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-bziamzy-project-304-concurrent-1-65i763uc 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-bziamzy-project-304-concurrent-1-65i763uc 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 2 performance improvements and 1 performance regressions! Performance is the same for 9 metrics, 12 unstable metrics.

scenario	Δ mean http_req_duration	Δ mean throughput	candidate mean http_req_duration	candidate mean throughput	baseline mean http_req_duration	baseline mean throughput
scenario:load:insecure-bank:tracing:high_load	better [-561.160µs; -304.503µs] or [-7.030%; -3.815%]	unstable [-41.294op/s; +107.294op/s] or [-7.116%; +18.489%]	7.549ms	613.312op/s	7.982ms	580.312op/s
scenario:load:petclinic:code_origins:high_load	worse [+1.243ms; +2.034ms] or [+2.830%; +4.630%]	unstable [-12.471op/s; +2.100op/s] or [-11.565%; +1.947%]	45.570ms	102.650op/s	43.931ms	107.835op/s
scenario:load:petclinic:tracing:high_load	better [-1.969ms; -1.222ms] or [-4.472%; -2.776%]	unstable [-4.760op/s; +9.944op/s] or [-4.422%; +9.239%]	42.428ms	110.225op/s	44.023ms	107.633op/s

Request duration reports for insecure-bank

gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.51.0-SNAPSHOT~555d6524ca, baseline=1.51.0-SNAPSHOT~b7fd382549
    dateFormat X
    axisFormat %s
section baseline
no_agent (4.285 ms) : 4237, 4333
.   : milestone, 4285,
iast (9.402 ms) : 9230, 9574
.   : milestone, 9402,
iast_FULL (14.005 ms) : 13729, 14281
.   : milestone, 14005,
iast_GLOBAL (10.291 ms) : 10110, 10473
.   : milestone, 10291,
profiling (8.947 ms) : 8803, 9092
.   : milestone, 8947,
tracing (7.982 ms) : 7850, 8114
.   : milestone, 7982,
section candidate
no_agent (4.408 ms) : 4358, 4459
.   : milestone, 4408,
iast (9.188 ms) : 9036, 9339
.   : milestone, 9188,
iast_FULL (14.102 ms) : 13822, 14382
.   : milestone, 14102,
iast_GLOBAL (10.289 ms) : 10104, 10475
.   : milestone, 10289,
profiling (8.91 ms) : 8761, 9059
.   : milestone, 8910,
tracing (7.549 ms) : 7444, 7655
.   : milestone, 7549,

Loading

• baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	4.285 ms [4.237 ms, 4.333 ms]	-
iast	9.402 ms [9.23 ms, 9.574 ms]	5.117 ms (119.4%)
iast_FULL	14.005 ms [13.729 ms, 14.281 ms]	9.72 ms (226.8%)
iast_GLOBAL	10.291 ms [10.11 ms, 10.473 ms]	6.006 ms (140.2%)
profiling	8.947 ms [8.803 ms, 9.092 ms]	4.662 ms (108.8%)
tracing	7.982 ms [7.85 ms, 8.114 ms]	3.697 ms (86.3%)

• candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	4.408 ms [4.358 ms, 4.459 ms]	-
iast	9.188 ms [9.036 ms, 9.339 ms]	4.78 ms (108.4%)
iast_FULL	14.102 ms [13.822 ms, 14.382 ms]	9.694 ms (219.9%)
iast_GLOBAL	10.289 ms [10.104 ms, 10.475 ms]	5.881 ms (133.4%)
profiling	8.91 ms [8.761 ms, 9.059 ms]	4.502 ms (102.1%)
tracing	7.549 ms [7.444 ms, 7.655 ms]	3.141 ms (71.3%)

Request duration reports for petclinic

gantt
    title petclinic - request duration [CI 0.99] : candidate=1.51.0-SNAPSHOT~555d6524ca, baseline=1.51.0-SNAPSHOT~b7fd382549
    dateFormat X
    axisFormat %s
section baseline
no_agent (36.875 ms) : 36585, 37165
.   : milestone, 36875,
appsec (47.687 ms) : 47262, 48111
.   : milestone, 47687,
code_origins (43.931 ms) : 43575, 44288
.   : milestone, 43931,
iast (46.03 ms) : 45627, 46433
.   : milestone, 46030,
profiling (47.567 ms) : 47129, 48005
.   : milestone, 47567,
tracing (44.023 ms) : 43662, 44384
.   : milestone, 44023,
section candidate
no_agent (36.881 ms) : 36592, 37170
.   : milestone, 36881,
appsec (47.576 ms) : 47170, 47983
.   : milestone, 47576,
code_origins (45.57 ms) : 45192, 45948
.   : milestone, 45570,
iast (45.728 ms) : 45321, 46135
.   : milestone, 45728,
profiling (48.959 ms) : 48511, 49407
.   : milestone, 48959,
tracing (42.428 ms) : 42096, 42760
.   : milestone, 42428,

Loading

• baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	36.875 ms [36.585 ms, 37.165 ms]	-
appsec	47.687 ms [47.262 ms, 48.111 ms]	10.812 ms (29.3%)
code_origins	43.931 ms [43.575 ms, 44.288 ms]	7.056 ms (19.1%)
iast	46.03 ms [45.627 ms, 46.433 ms]	9.155 ms (24.8%)
profiling	47.567 ms [47.129 ms, 48.005 ms]	10.692 ms (29.0%)
tracing	44.023 ms [43.662 ms, 44.384 ms]	7.148 ms (19.4%)

• candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	36.881 ms [36.592 ms, 37.17 ms]	-
appsec	47.576 ms [47.17 ms, 47.983 ms]	10.695 ms (29.0%)
code_origins	45.57 ms [45.192 ms, 45.948 ms]	8.689 ms (23.6%)
iast	45.728 ms [45.321 ms, 46.135 ms]	8.847 ms (24.0%)
profiling	48.959 ms [48.511 ms, 49.407 ms]	12.078 ms (32.7%)
tracing	42.428 ms [42.096 ms, 42.76 ms]	5.547 ms (15.0%)

Dacapo

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	alejandro.gonzalez/incident-39654
git_commit_date	1750768664	1750771020
git_commit_sha	b7fd382	555d652
release_version	1.51.0-SNAPSHOT~b7fd382549	1.51.0-SNAPSHOT~555d6524ca

See matching parameters

	Baseline	Candidate
application	biojava	biojava
ci_job_date	1750772963	1750772963
ci_job_id	995746674	995746674
ci_pipeline_id	68595385	68595385
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-psdwjdjn-project-304-concurrent-0-awxg83ak 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-psdwjdjn-project-304-concurrent-0-awxg83ak 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava

gantt
    title biojava - execution time [CI 0.99] : candidate=1.51.0-SNAPSHOT~555d6524ca, baseline=1.51.0-SNAPSHOT~b7fd382549
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.542 s) : 15542000, 15542000
.   : milestone, 15542000,
appsec (14.737 s) : 14737000, 14737000
.   : milestone, 14737000,
iast (18.589 s) : 18589000, 18589000
.   : milestone, 18589000,
iast_GLOBAL (17.853 s) : 17853000, 17853000
.   : milestone, 17853000,
profiling (15.291 s) : 15291000, 15291000
.   : milestone, 15291000,
tracing (14.819 s) : 14819000, 14819000
.   : milestone, 14819000,
section candidate
no_agent (15.564 s) : 15564000, 15564000
.   : milestone, 15564000,
appsec (14.834 s) : 14834000, 14834000
.   : milestone, 14834000,
iast (18.453 s) : 18453000, 18453000
.   : milestone, 18453000,
iast_GLOBAL (17.673 s) : 17673000, 17673000
.   : milestone, 17673000,
profiling (15.11 s) : 15110000, 15110000
.   : milestone, 15110000,
tracing (14.866 s) : 14866000, 14866000
.   : milestone, 14866000,

Loading

• baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	15.542 s [15.542 s, 15.542 s]	-
appsec	14.737 s [14.737 s, 14.737 s]	-805.0 ms (-5.2%)
iast	18.589 s [18.589 s, 18.589 s]	3.047 s (19.6%)
iast_GLOBAL	17.853 s [17.853 s, 17.853 s]	2.311 s (14.9%)
profiling	15.291 s [15.291 s, 15.291 s]	-251.0 ms (-1.6%)
tracing	14.819 s [14.819 s, 14.819 s]	-723.0 ms (-4.7%)

• candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	15.564 s [15.564 s, 15.564 s]	-
appsec	14.834 s [14.834 s, 14.834 s]	-730.0 ms (-4.7%)
iast	18.453 s [18.453 s, 18.453 s]	2.889 s (18.6%)
iast_GLOBAL	17.673 s [17.673 s, 17.673 s]	2.109 s (13.6%)
profiling	15.11 s [15.11 s, 15.11 s]	-454.0 ms (-2.9%)
tracing	14.866 s [14.866 s, 14.866 s]	-698.0 ms (-4.5%)

Execution time for tomcat

gantt
    title tomcat - execution time [CI 0.99] : candidate=1.51.0-SNAPSHOT~555d6524ca, baseline=1.51.0-SNAPSHOT~b7fd382549
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.474 ms) : 1463, 1485
.   : milestone, 1474,
appsec (2.399 ms) : 2350, 2447
.   : milestone, 2399,
iast (2.172 ms) : 2111, 2233
.   : milestone, 2172,
iast_GLOBAL (2.219 ms) : 2157, 2280
.   : milestone, 2219,
profiling (2.043 ms) : 1993, 2093
.   : milestone, 2043,
tracing (2.01 ms) : 1962, 2057
.   : milestone, 2010,
section candidate
no_agent (1.474 ms) : 1463, 1486
.   : milestone, 1474,
appsec (2.39 ms) : 2342, 2438
.   : milestone, 2390,
iast (2.189 ms) : 2128, 2250
.   : milestone, 2189,
iast_GLOBAL (2.216 ms) : 2155, 2277
.   : milestone, 2216,
profiling (2.045 ms) : 1995, 2094
.   : milestone, 2045,
tracing (2.012 ms) : 1965, 2059
.   : milestone, 2012,

Loading

• baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.474 ms [1.463 ms, 1.485 ms]	-
appsec	2.399 ms [2.35 ms, 2.447 ms]	924.528 µs (62.7%)
iast	2.172 ms [2.111 ms, 2.233 ms]	698.275 µs (47.4%)
iast_GLOBAL	2.219 ms [2.157 ms, 2.28 ms]	744.507 µs (50.5%)
profiling	2.043 ms [1.993 ms, 2.093 ms]	569.161 µs (38.6%)
tracing	2.01 ms [1.962 ms, 2.057 ms]	535.56 µs (36.3%)

• candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.474 ms [1.463 ms, 1.486 ms]	-
appsec	2.39 ms [2.342 ms, 2.438 ms]	915.385 µs (62.1%)
iast	2.189 ms [2.128 ms, 2.25 ms]	714.781 µs (48.5%)
iast_GLOBAL	2.216 ms [2.155 ms, 2.277 ms]	741.675 µs (50.3%)
profiling	2.045 ms [1.995 ms, 2.094 ms]	570.396 µs (38.7%)
tracing	2.012 ms [1.965 ms, 2.059 ms]	537.762 µs (36.5%)

[manuel-alvarez-alvarez]

Should we do it for all vulns, in case this happens in other places?

[jandro996]

If I recall correctly, we only use the LocationSupplier approach for XSS and Unvalidated redirect, checking the codo for the unvalidated redirects seems that only is used by this advice

public static class SpringAdvice {

  @Advice.OnMethodExit(suppress = Throwable.class)
   @Sink(VulnerabilityTypes.SPRING_RESPONSE)
   public static void checkReturnedObject(
       @Advice.Return HandlerMethodReturnValueHandler handler,
       @Advice.Argument(0) final Object value,
       @Advice.Argument(1) MethodParameter returnType) {
     final UnvalidatedRedirectModule unvalidatedRedirectModule =
         InstrumentationBridge.UNVALIDATED_REDIRECT;
     final XssModule xssModule = InstrumentationBridge.XSS;
     if (handler != null && value != null && returnType != null) {
       String clazz = returnType.getMethod().getDeclaringClass().getName();
       String method = returnType.getMethod().getName();
       if (unvalidatedRedirectModule != null && value instanceof AbstractUrlBasedView) {
         unvalidatedRedirectModule.onRedirect(
             ((AbstractUrlBasedView) value).getUrl(), clazz, method);
       } else if (unvalidatedRedirectModule != null && value instanceof ModelAndView) {
         unvalidatedRedirectModule.onRedirect(((ModelAndView) value).getViewName(), clazz, method);
       } else if (value instanceof String) {
         if (xssModule != null && handler instanceof RequestResponseBodyMethodProcessor) {
           xssModule.onXss((String) value, clazz, method);
         } else if (unvalidatedRedirectModule != null) {
           unvalidatedRedirectModule.onRedirect((String) value, clazz, method);
         }
       }
     }
   }
 }

So IMHO we are safe with this but we can add some default behavior or comment to warn this in the LocationSuplier just to be aware in future implementations