DataDog · NachoEchevarria · Jan 24, 2024 · Jan 10, 2024 · Jan 11, 2024 · Jan 11, 2024
@@ -95,6 +95,7 @@ static IntegrationMap()
             NugetPackages.Add("OpenTelemetry", new [] { "OpenTelemetry" });
             NugetPackages.Add("Microsoft.AspNetCore.Server.IIS", new[] { "Microsoft.AspNetCore.Server.IIS" });
             NugetPackages.Add("Microsoft.AspNetCore.Server.Kestrel.Core", new string[] { "Microsoft.AspNetCore.Server.Kestrel.Core" });
+            NugetPackages.Add("Microsoft.AspNetCore.Diagnostics", new[] { "Microsoft.AspNetCore.Diagnostics" });
             NugetPackages.Add("Azure.Messaging.ServiceBus", new string[] { "Azure.Messaging.ServiceBus" });
             NugetPackages.Add("amqmdnetstd", new [] { "IBMMQDotnetClient" });
             NugetPackages.Add("Yarp.ReverseProxy", new [] { "Yarp.ReverseProxy" });

@@ -20,6 +20,7 @@
    <assembly fullname="HotChocolate.Execution" />
    <assembly fullname="log4net" />
    <assembly fullname="Microsoft.AspNetCore.Authentication.Abstractions" />
+   <assembly fullname="Microsoft.AspNetCore.Diagnostics" />
    <assembly fullname="Microsoft.AspNetCore.Http" />
    <assembly fullname="Microsoft.AspNetCore.Http.Abstractions">
       <type fullname="Microsoft.AspNetCore.Http.ConnectionInfo" />

@@ -0,0 +1,49 @@
+// <copyright file="DeveloperExceptionPageMiddlewareIntegration.cs" company="Datadog">
+// Unless explicitly stated otherwise all files in this repository are licensed under the Apache 2 License.
+// This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2017 Datadog, Inc.
+// </copyright>
+
+#nullable enable
+
+#if !NETFRAMEWORK
+
+using System;
+using System.ComponentModel;
+using Datadog.Trace.ClrProfiler.CallTarget;
+using Datadog.Trace.Configuration;
+using Microsoft.AspNetCore.Http;
+
+namespace Datadog.Trace.ClrProfiler.AutoInstrumentation.StackTraceLeak;
+
+/// <summary>
+/// DeveloperExceptionPageMiddleware integration
+/// </summary>
+[InstrumentMethod(
+    AssemblyName = "Microsoft.AspNetCore.Diagnostics",
+    TypeName = "Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware",
+    ParameterTypeNames = new[] { "Microsoft.AspNetCore.Http.HttpContext", ClrNames.Exception },
+    MethodName = "DisplayException",
+    ReturnTypeName = ClrNames.Task,
+    MinimumVersion = "2.0.0.0",
+    MaximumVersion = "2.*.*.*",
+    IntegrationName = nameof(IntegrationId.StackTraceLeak),
+    InstrumentationCategory = InstrumentationCategory.Iast)]
+
+[Browsable(false)]
+[EditorBrowsable(EditorBrowsableState.Never)]
+public static class DeveloperExceptionPageMiddlewareIntegration
+{
+    /// <summary>
+    /// OnMethodBegin callback
+    /// </summary>
+    /// <param name="instance">Instance value, aka `this` of the instrumented method.</param>
+    /// <param name="context">The context of the error.</param>
+    /// <param name="exception">The exception to be shown.</param>
+    /// <typeparam name="TTarget">Type of the target</typeparam>
+    /// <returns>Calltarget state value</returns>
+    internal static CallTargetState OnMethodBegin<TTarget>(TTarget instance, HttpContext context, Exception exception)
+    {
+        return StackTraceLeakIntegrationCommon.OnExceptionLeak(IntegrationId.StackTraceLeak, exception);
+    }
+}
+#endif
diff --git a/...iler/AutoInstrumentation/StackTraceLeak/DeveloperExceptionPageMiddlewareIntegrationBis.cs b/...iler/AutoInstrumentation/StackTraceLeak/DeveloperExceptionPageMiddlewareIntegrationBis.cs
@@ -0,0 +1,68 @@
+// <copyright file="DeveloperExceptionPageMiddlewareIntegrationBis.cs" company="Datadog">
+// Unless explicitly stated otherwise all files in this repository are licensed under the Apache 2 License.
+// This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2017 Datadog, Inc.
+// </copyright>
+
+#nullable enable
+
+#if !NETFRAMEWORK
+
+using System;
+using System.ComponentModel;
+using System.Reflection;
+using Datadog.Trace.ClrProfiler.CallTarget;
+using Datadog.Trace.Configuration;
+using Datadog.Trace.DuckTyping;
+
+namespace Datadog.Trace.ClrProfiler.AutoInstrumentation.StackTraceLeak;
+
+/// <summary>
+/// DeveloperExceptionPageMiddlewareImpl integration
+/// </summary>
+[InstrumentMethod(
+    AssemblyName = "Microsoft.AspNetCore.Diagnostics",
+    TypeName = "Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware",
+    ParameterTypeNames = new[] { "Microsoft.AspNetCore.Diagnostics.ErrorContext" },
+    MethodName = "DisplayException",
+    ReturnTypeName = ClrNames.Task,
+    MinimumVersion = "3.0.0.0",
+    MaximumVersion = "6.*.*.*",
+    IntegrationName = nameof(IntegrationId.StackTraceLeak),
+    InstrumentationCategory = InstrumentationCategory.Iast)]
+[InstrumentMethod(
+    AssemblyName = "Microsoft.AspNetCore.Diagnostics",
+    TypeName = "Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl",
+    ParameterTypeNames = new[] { "Microsoft.AspNetCore.Diagnostics.ErrorContext" },
+    MethodName = "DisplayException",
+    ReturnTypeName = ClrNames.Task,
+    MinimumVersion = "7.0.0.0",
+    MaximumVersion = "8.*.*.*",
+    IntegrationName = nameof(IntegrationId.StackTraceLeak),
+    InstrumentationCategory = InstrumentationCategory.Iast)]
+
+[Browsable(false)]
+[EditorBrowsable(EditorBrowsableState.Never)]
+public static class DeveloperExceptionPageMiddlewareIntegrationBis
+{
+    /// <summary>
+    /// OnMethodBegin callback
+    /// </summary>
+    /// <param name="instance">Instance value, aka `this` of the instrumented method.</param>
+    /// <param name="errorContext">The context of the error.</param>
+    /// <typeparam name="TTarget">Type of the target</typeparam>
+    /// <returns>Calltarget state value</returns>
+    internal static CallTargetState OnMethodBegin<TTarget>(TTarget instance, object errorContext)
+    {
+        var exception = errorContext.DuckCast<ErrorContextStruct>().Exception;
+        return StackTraceLeakIntegrationCommon.OnExceptionLeak(IntegrationId.StackTraceLeak, exception);
+    }
+
+    [DuckCopy]
+    internal struct ErrorContextStruct
+    {
+        [Duck(BindingFlags = DuckAttribute.DefaultFlags | BindingFlags.IgnoreCase)]
+        public Exception Exception;
+    }
+}
+
+#endif
@@ -0,0 +1,55 @@
+// <copyright file="HttpResponseIntegration.cs" company="Datadog">
+// Unless explicitly stated otherwise all files in this repository are licensed under the Apache 2 License.
+// This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2017 Datadog, Inc.
+// </copyright>
+
+#nullable enable
+
+#if NETFRAMEWORK
+
+using System;
+using System.ComponentModel;
+using System.Web;
+using Datadog.Trace.ClrProfiler.CallTarget;
+using Datadog.Trace.Configuration;
+
+namespace Datadog.Trace.ClrProfiler.AutoInstrumentation.StackTraceLeak;
+
+/// <summary>
+/// HttpResponseIntegration integration
+/// </summary>
+[InstrumentMethod(
+    AssemblyName = "System.Web",
+    TypeName = "System.Web.HttpResponse",
+    ParameterTypeNames = new[] { ClrNames.Exception, ClrNames.Bool },
+    MethodName = "WriteErrorMessage",
+    ReturnTypeName = ClrNames.Void,
+    MinimumVersion = "4.0.0",
+    MaximumVersion = "4.*.*",
+    IntegrationName = nameof(IntegrationId.StackTraceLeak),
+    InstrumentationCategory = InstrumentationCategory.Iast)]
+
+[Browsable(false)]
+[EditorBrowsable(EditorBrowsableState.Never)]
+public static class HttpResponseIntegration
+{
+    /// <summary>
+    /// OnMethodBegin callback
+    /// </summary>
+    /// <param name="instance">Instance value, aka `this` of the instrumented method.</param>
+    /// <param name="exception">The exception to be shown.</param>
+    /// <param name="dontShowSensitiveErrors">The dontShowSensitiveErrors parameter of WriteErrorMessage.</param>
+    /// <typeparam name="TTarget">Type of the target</typeparam>
+    /// <returns>Calltarget state value</returns>
+    internal static CallTargetState OnMethodBegin<TTarget>(TTarget instance, Exception exception, bool dontShowSensitiveErrors)
+    {
+        if (HttpRuntime.UsingIntegratedPipeline && !dontShowSensitiveErrors)
+        {
+            return StackTraceLeakIntegrationCommon.OnExceptionLeak(IntegrationId.StackTraceLeak, exception);
+        }
+
+        return CallTargetState.GetDefault();
+    }
-    /// <summary>
-    /// OnMethodBegin callback
-    /// </summary>
-    /// <param name="instance">Instance value, aka `this` of the instrumented method.</param>
-    /// <param name="exception">The exception to be shown.</param>
-    /// <param name="dontShowSensitiveErrors">The dontShowSensitiveErrors parameter of WriteErrorMessage.</param>
-    /// <typeparam name="TTarget">Type of the target</typeparam>
-    /// <returns>Calltarget state value</returns>
-    internal static CallTargetState OnMethodBegin<TTarget>(TTarget instance, Exception exception, bool dontShowSensitiveErrors)
-    {
-        if (HttpRuntime.UsingIntegratedPipeline && !dontShowSensitiveErrors)
-        {
-            return StackTraceLeakIntegrationCommon.OnExceptionLeak(IntegrationId.StackTraceLeak, exception);
-        }
-
-        return CallTargetState.GetDefault();
-    }
+    private static readonly IDatadogLogger Log = DatadogLogging.GetLoggerFor(typeof(HttpResponseIntegration));
+    private static bool _canReadHttpResponseHeaders = true;
+
+    internal static CallTargetState OnMethodBegin<TTarget>(TTarget instance, Exception exception, bool dontShowSensitiveErrors)
+    {
+        try
+        {
+            if (_canReadHttpResponseHeaders && HttpRuntime.UsingIntegratedPipeline && !dontShowSensitiveErrors)
+            {
+                return StackTraceLeakIntegrationCommon.OnExceptionLeak(IntegrationId.StackTraceLeak, exception);
+            }
+        }
+        catch (PlatformNotSupportedException ex)
+        {
+            // Despite the HttpRuntime.UsingIntegratedPipeline check, we can still fail to access response headers, for example when using Sitefinity: "This operation requires IIS integrated pipeline mode"
+            Log.Error(ex, "Unable to access response headers performing StackLeak detection. Disabling for the rest of the application lifetime.");
+            _canReadHttpResponseHeaders = false;
+        }
+        return CallTargetState.GetDefault();
+    }
-    /// <summary>
-    /// OnMethodBegin callback
-    /// </summary>
-    /// <param name="instance">Instance value, aka `this` of the instrumented method.</param>
-    /// <param name="exception">The exception to be shown.</param>
-    /// <param name="dontShowSensitiveErrors">The dontShowSensitiveErrors parameter of WriteErrorMessage.</param>
-    /// <typeparam name="TTarget">Type of the target</typeparam>
-    /// <returns>Calltarget state value</returns>
-    internal static CallTargetState OnMethodBegin<TTarget>(TTarget instance, Exception exception, bool dontShowSensitiveErrors)
-    {
-        if (HttpRuntime.UsingIntegratedPipeline && !dontShowSensitiveErrors)
-        {
-            return StackTraceLeakIntegrationCommon.OnExceptionLeak(IntegrationId.StackTraceLeak, exception);
-        }
-
-        return CallTargetState.GetDefault();
-    }
+    private static readonly IDatadogLogger Log = DatadogLogging.GetLoggerFor(typeof(HttpResponseIntegration));
+    private static bool _canReadHttpResponseHeaders = true;
+
+    internal static CallTargetState OnMethodBegin<TTarget>(TTarget instance, Exception exception, bool dontShowSensitiveErrors)
+    {
+        try
+        {
+            if (_canReadHttpResponseHeaders && HttpRuntime.UsingIntegratedPipeline && !dontShowSensitiveErrors)
+            {
+                return StackTraceLeakIntegrationCommon.OnExceptionLeak(IntegrationId.StackTraceLeak, exception);
+            }
+        }
+        catch (PlatformNotSupportedException ex)
+        {
+            // Despite the HttpRuntime.UsingIntegratedPipeline check, we can still fail to access response headers, for example when using Sitefinity: "This operation requires IIS integrated pipeline mode"
+            Log.Error(ex, "Unable to access response headers performing StackLeak detection. Disabling for the rest of the application lifetime.");
+            _canReadHttpResponseHeaders = false;
+        }
+        return CallTargetState.GetDefault();
+    }
+}
+
+#endif
@@ -0,0 +1,40 @@
+// <copyright file="StackTraceLeakIntegrationCommon.cs" company="Datadog">
+// Unless explicitly stated otherwise all files in this repository are licensed under the Apache 2 License.
+// This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2017 Datadog, Inc.
+// </copyright>
+
+using System;
+using Datadog.Trace.ClrProfiler.CallTarget;
+using Datadog.Trace.Configuration;
+using Datadog.Trace.Iast;
+using Datadog.Trace.Logging;
+
+namespace Datadog.Trace.ClrProfiler.AutoInstrumentation.StackTraceLeak;
+
+#nullable enable
+internal static class StackTraceLeakIntegrationCommon
+{
+    private static readonly IDatadogLogger Log = DatadogLogging.GetLoggerFor(typeof(StackTraceLeakIntegrationCommon));
+
+    internal static CallTargetState OnExceptionLeak(IntegrationId integrationId, Exception exception)
+    {
+        if (!Tracer.Instance.Settings.IsIntegrationEnabled(integrationId))
+        {
+            return CallTargetState.GetDefault();
+        }
+
+        try
+        {
+            if (exception is not null)
+            {
+                return new CallTargetState(IastModule.OnStackTraceLeak(exception, integrationId).SingleSpan);
+            }
+        }
+        catch (Exception ex)
+        {
+            Log.Error(ex, $"Error in {nameof(OnExceptionLeak)}.");
+        }
+
+        return CallTargetState.GetDefault();
+    }
+}
@@ -48,6 +48,7 @@ internal static class ClrNames
         public const string Int32Task = "System.Threading.Tasks.Task`1[System.Int32]";
 
         public const string Type = "System.Type";
+        public const string Exception = "System.Exception";
 
         public const string Activity = "System.Diagnostics.Activity";
         public const string ByteArray = "System.Byte[]";

@@ -72,5 +72,6 @@ internal enum IntegrationId
         TrustBoundaryViolation,
         UnvalidatedRedirect,
         TestPlatformAssemblyResolver,
+        StackTraceLeak
     }
 }
@@ -17,7 +17,7 @@ internal static partial class IastInstrumentedSinksExtensions
     /// The number of members in the enum.
     /// This is a non-distinct count of defined names.
     /// </summary>
-    public const int Length = 18;
+    public const int Length = 19;
 
     /// <summary>
     /// Returns the string representation of the <see cref="Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks"/> value.
@@ -48,6 +48,7 @@ public static string ToStringFast(this Datadog.Trace.Telemetry.Metrics.MetricTag
             Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.TrustBoundaryViolation => "vulnerability_type:trust_boundary_violation",
             Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.HstsHeaderMissing => "vulnerability_type:hsts_header_missing",
             Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.HeaderInjection => "vulnerability_type:header_injection",
+            Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.StackTraceLeak => "vulnerability_type:stacktrace_leak",
             _ => value.ToString(),
         };
 
@@ -79,6 +80,7 @@ public static Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks[]
             Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.TrustBoundaryViolation,
             Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.HstsHeaderMissing,
             Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.HeaderInjection,
+            Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.StackTraceLeak,
         };
 
     /// <summary>
@@ -110,6 +112,7 @@ public static string[] GetNames()
             nameof(Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.TrustBoundaryViolation),
             nameof(Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.HstsHeaderMissing),
             nameof(Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.HeaderInjection),
+            nameof(Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.StackTraceLeak),
         };
 
     /// <summary>
@@ -141,5 +144,6 @@ public static string[] GetDescriptions()
             "vulnerability_type:trust_boundary_violation",
             "vulnerability_type:hsts_header_missing",
             "vulnerability_type:header_injection",
+            "vulnerability_type:stacktrace_leak",
         };
 }
@@ -17,7 +17,7 @@ internal static partial class IastInstrumentedSinksExtensions
     /// The number of members in the enum.
     /// This is a non-distinct count of defined names.
     /// </summary>
-    public const int Length = 18;
+    public const int Length = 19;
 
     /// <summary>
     /// Returns the string representation of the <see cref="Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks"/> value.
@@ -48,6 +48,7 @@ public static string ToStringFast(this Datadog.Trace.Telemetry.Metrics.MetricTag
             Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.TrustBoundaryViolation => "vulnerability_type:trust_boundary_violation",
             Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.HstsHeaderMissing => "vulnerability_type:hsts_header_missing",
             Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.HeaderInjection => "vulnerability_type:header_injection",
+            Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.StackTraceLeak => "vulnerability_type:stacktrace_leak",
             _ => value.ToString(),
         };
 
@@ -79,6 +80,7 @@ public static Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks[]
             Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.TrustBoundaryViolation,
             Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.HstsHeaderMissing,
             Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.HeaderInjection,
+            Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.StackTraceLeak,
         };
 
     /// <summary>
@@ -110,6 +112,7 @@ public static string[] GetNames()
             nameof(Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.TrustBoundaryViolation),
             nameof(Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.HstsHeaderMissing),
             nameof(Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.HeaderInjection),
+            nameof(Datadog.Trace.Telemetry.Metrics.MetricTags.IastInstrumentedSinks.StackTraceLeak),
         };
 
     /// <summary>
@@ -141,5 +144,6 @@ public static string[] GetDescriptions()
             "vulnerability_type:trust_boundary_violation",
             "vulnerability_type:hsts_header_missing",
             "vulnerability_type:header_injection",
+            "vulnerability_type:stacktrace_leak",
         };
 }