Alejandro González García

Results 22 issues of Alejandro González García

# What Does This Do Implement Overhead Control Engine (OCE) for IAST operations. It creates a module that by design ensures the maximum overhead for IAST operations. The OCE will...

do-not-merge/WIP
iast

# What Does This Do - Add the `hash` property to vulnerability model, this will be used to determine if two vulnerabilities are equal - Implement new component `DeduplicationController` that...

do-not-merge/WIP
iast

# What Does This Do Adds all the instrumentation needed to perform taint tracking in repeat operation for String objects # Motivation IAST requires to track all modifications that happen...

do-not-merge/WIP
no release notes
iast

# What Does This Do Adds all the instrumentation needed to perform taint tracking in join operations for String objects # Motivation IAST requires to track all modifications that happen...

do-not-merge/WIP
no release notes
iast

# What Does This Do Adds all the instrumentation needed to perform taint tracking in substring operations for String objects # Motivation IAST requires to track all modifications that happen...

do-not-merge/WIP
no release notes
iast

# What Does This Do Add session rewriting detection in servlet3 and servlet. The main condition to report the vulnerability is that ServletContext#getEffectiveSessionTrackingModes contains SessionTrackingMode.URL. We will take advantage of...

comp: asm iast

# What Does This Do Add new boolean environment variable `DD_EXPERIMENTAL_APPSEC_STANDALONE_ENABLED`, when it's enabled: - Libraries must add the numeric tag `_dd.apm.enabled:0` to the metrics map of the service entry...

# What Does This Do Add StratumManger to deal with SMAP Syntax from [Jakarta Debugging Support for Other Languages](https://jakarta.ee/specifications/debugging/2.0/jdsol-spec-2.0#smap-syntax) Replace the StackTraceElement used to create the vulnerability location with the...

comp: asm iast

# What Does This Do - Use clock.millis() instead of System.currentTimeMillis() in the ASM Standalone Sampler - fix the rate limiter to 1 minute as is defined in the RFC...

tag: no release notes
comp: asm waf

# What Does This Do Rework current stack trace utilities for RASP to: - Be accessible for IAST (and other products in the future) - Add missing fields and...

comp: asm iast