fix truncation

Author: jandro996

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/XssModuleImpl.java

@@ -13,6 +13,8 @@
 
 public class XssModuleImpl extends SinkModuleBase implements XssModule {
 
+  private static final int MAX_LENGTH = 500;
+
   public XssModuleImpl(final Dependencies dependencies) {
     super(dependencies);
   }
@@ -61,6 +63,13 @@ public void onXss(@Nonnull CharSequence s, @Nullable String file, int line) {
     checkInjection(VulnerabilityType.XSS, s, new FileAndLineLocationSupplier(file, line));
   }
 
+  private static String truncate(final String s) {
+    if (s == null || s.length() <= MAX_LENGTH) {
+      return s;
+    }
+    return s.substring(0, MAX_LENGTH);
+  }
+
   private static class ClassMethodLocationSupplier implements LocationSupplier {
     private final String clazz;
     private final String method;
@@ -72,7 +81,7 @@ private ClassMethodLocationSupplier(final String clazz, final String method) {
 
     @Override
     public Location build(final @Nullable AgentSpan span) {
-      return Location.forSpanAndClassAndMethod(span, clazz, method);
+      return Location.forSpanAndClassAndMethod(span, truncate(clazz), truncate(method));
     }
   }
 
@@ -87,7 +96,7 @@ private FileAndLineLocationSupplier(final String file, final int line) {
 
     @Override
     public Location build(@Nullable final AgentSpan span) {
-      return Location.forSpanAndFileAndLine(span, file, line);
+      return Location.forSpanAndFileAndLine(span, truncate(file), line);
     }
   }
 }

dd-smoke-tests/springboot-thymeleaf/src/main/java/datadog/smoketest/springboot/XssController.java

@@ -5,14 +5,43 @@
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.thymeleaf.context.Context;
+import org.thymeleaf.spring5.SpringTemplateEngine;
+import org.thymeleaf.templateresolver.StringTemplateResolver;
 
 @Controller
 @RequestMapping("/xss")
 public class XssController {
 
+  private static final String TEMPLATE = "<p th:utext=\"${xss}\">Test!</p>";
+
+  private static final String BIG_TEMPLATE =
+      new String(new char[500]).replace('\0', 'A') + "<p th:utext=\"${xss}\">Test!</p>";
+
   @GetMapping("/utext")
   public String utext(@RequestParam(name = "string") String name, Model model) {
     model.addAttribute("xss", name);
     return "utext";
   }
+
+  @GetMapping(value = "/string-template", produces = "text/html")
+  @ResponseBody
+  public String stringTemplate(@RequestParam(name = "string") String name) {
+    SpringTemplateEngine engine = new SpringTemplateEngine();
+    engine.setTemplateResolver(new StringTemplateResolver());
+    Context context = new Context();
+    context.setVariable("xss", name);
+    return engine.process(TEMPLATE, context);
+  }
+
+  @GetMapping(value = "/big-string-template", produces = "text/html")
+  @ResponseBody
+  public String bigStringTemplate(@RequestParam(name = "string") String name) {
+    SpringTemplateEngine engine = new SpringTemplateEngine();
+    engine.setTemplateResolver(new StringTemplateResolver());
+    Context context = new Context();
+    context.setVariable("xss", name);
+    return engine.process(BIG_TEMPLATE, context);
+  }
 }

dd-smoke-tests/springboot-thymeleaf/src/test/groovy/datadog/smoketest/springboot/IastSpringBootThymeleafSmokeTest.groovy

@@ -2,6 +2,7 @@ package datadog.smoketest.springboot
 
 import datadog.smoketest.AbstractIastServerSmokeTest
 import okhttp3.Request
+import java.net.URLEncoder
 
 import static datadog.trace.api.config.IastConfig.IAST_DEBUG_ENABLED
 import static datadog.trace.api.config.IastConfig.IAST_DETECTION_MODE
@@ -37,13 +38,50 @@ class IastSpringBootThymeleafSmokeTest extends AbstractIastServerSmokeTest {
     final request = new Request.Builder().url(url).get().build()
 
     when:
-    client.newCall(request).execute()
+    def response = client.newCall(request).execute()
 
     then:
+    response.code() == 200
     hasVulnerability { vul -> vul.type == 'XSS' && vul.location.path == templateName && vul.location.line == line }
 
     where:
     method    | param |templateName| line
     'utext'    | 'test' | 'utext' | 12
   }
+
+  void 'xss with string template returns html as template name'() {
+    setup:
+    final param = '<script>'
+    final encoded = URLEncoder.encode(param, 'UTF-8')
+    final url = "http://localhost:${httpPort}/xss/string-template?string=${encoded}"
+    final request = new Request.Builder().url(url).get().build()
+
+    when:
+    client.newCall(request).execute()
+
+    then:
+    hasVulnerability { vul ->
+      vul.type == 'XSS' &&
+        vul.location.path == '<p th:utext="${xss}">Test!</p>' &&
+        vul.location.line == 1
+    }
+  }
+
+  void 'xss with string template returns html as template name - truncated'() {
+    setup:
+    final param = '<script>'
+    final encoded = URLEncoder.encode(param, 'UTF-8')
+    final url = "http://localhost:${httpPort}/xss/big-string-template?string=${encoded}"
+    final request = new Request.Builder().url(url).get().build()
+
+    when:
+    client.newCall(request).execute()
+
+    then:
+    hasVulnerability { vul ->
+      vul.type == 'XSS' &&
+        vul.location.path == 'A'*500 &&
+        vul.location.line == 1
+    }
+  }
 }