lunasec-io / lunasec

LunaSec - Dependency Security Scanner that automatically notifies you about vulnerabilities like Log4Shell or node-ipc in your Pull Requests and Builds. Protect yourself in 30 seconds with the LunaTrace GitHub App: https://github.com/marketplace/lunatrace-by-lunasec/
https://www.lunasec.io/

Instance trace poc #1072

Closed breadchris closed 1 year ago

breadchris commented 1 year ago

Instances of a built application can be traced by using the Java agent. The POC of this feature will aim to capture malicious input sent to traced calls in the damn vulnerable Java app.

screencast-localhost_4455-2023.01.02-21_59_23.webm

github-actions[bot] commented 1 year ago

Hasura Semantic Diff

Hasura config files have changed. This comment shows which fields have changed ignoring formatting.

Click to expand! ``` (root level) + five map entries added: table: name: instance_log schema: public object_relationships: - name: instance using: foreign_key_constraint_on: instance_id insert_permissions: - role: cli permission: check: instance: agent_access_token: _eq: X-Hasura-Access-Token columns: - id - instance_id - message select_permissions: - role: cli permission: columns: - id - message - instance_id filter: instance: agent_access_token: _eq: X-Hasura-Access-Token allow_aggregations: true - role: user permission: columns: - id - message - instance_id filter: instance: build: project: organization: organization_users: user_id: _eq: X-Hasura-Real-User-Id allow_aggregations: true update_permissions: - role: cli permission: columns: - id - message - instance_id filter: instance: agent_access_token: _eq: X-Hasura-Access-Token check: null (root level) + four map entries added: array_relationships: - name: logs using: foreign_key_constraint_on: column: instance_id table: name: instance_log schema: public insert_permissions: - role: cli permission: check: _exists: _table: name: builds schema: public _where: agent_access_token: _eq: X-Hasura-Access-Token set: agent_access_token: x-hasura-Access-Token columns: - agent_access_token - created_at - hostname - id - last_heartbeat select_permissions: - role: cli permission: columns: - agent_access_token - created_at - hostname - id - last_heartbeat filter: _exists: _table: name: builds schema: public _where: agent_access_token: _eq: X-Hasura-Access-Token - role: user permission: columns: - agent_access_token - created_at - hostname - id - last_heartbeat filter: build: project: organization: organization_users: user_id: _eq: X-Hasura-Real-User-Id update_permissions: - role: cli permission: columns: - agent_access_token - created_at - hostname - id - last_heartbeat filter: _exists: _table: name: builds schema: public _where: agent_access_token: _eq: X-Hasura-Access-Token check: null set: agent_access_token: 
x-hasura-Access-Token (root level) + one list entry added: - "!include public_instance_log.yaml" lunatrace-custom.permissions - three list entries removed: - role: user definition: schema: | scalar JSON scalar UUID type AuthenticatedRepoCloneUrlOutput { url: String } type Mutation { presignManifestUpload(project_id: UUID!): PresignedUrlResponse } type PresignedUrlResponse { bucket: String! headers: JSON! key: String! url: String! } type Query { authenticatedRepoCloneUrl(repoGithubId: Int!): AuthenticatedRepoCloneUrlOutput fakeQueryToHackHasuraBeingABuggyMess: String sbomUrl(buildId: UUID!): String } type SbomUploadUrlOutput { error: Boolean! uploadUrl: UploadUrl } type UploadUrl { headers: JSON! url: String! } - role: service definition: schema: | scalar JSON scalar UUID type AuthenticatedRepoCloneUrlOutput { url: String } type Mutation { presignManifestUpload(project_id: UUID!): PresignedUrlResponse } type PresignedUrlResponse { bucket: String! headers: JSON! key: String! url: String! } type Query { authenticatedRepoCloneUrl(repoGithubId: Int!): AuthenticatedRepoCloneUrlOutput fakeQueryToHackHasuraBeingABuggyMess: String presignSbomUpload(orgId: UUID!, buildId: UUID!): SbomUploadUrlOutput sbomUrl(buildId: UUID!): String } type SbomUploadUrlOutput { error: Boolean! uploadUrl: UploadUrl } type UploadUrl { headers: JSON! url: String! } input SbomUploadUrlInput { orgId: UUID! projectId: UUID! } - role: cli definition: schema: | scalar JSON scalar UUID type Query { presignSbomUpload(orgId: UUID!, buildId: UUID!): SbomUploadUrlOutput } type SbomUploadUrlOutput { error: Boolean! uploadUrl: UploadUrl } type UploadUrl { headers: JSON! url: String! } + three list entries added: - role: user definition: schema: | scalar JSON scalar UUID type AuthenticatedRepoCloneUrlOutput { url: String } type Mutation { presignManifestUpload(project_id: UUID!): PresignedUrlResponse } type PresignedUrlResponse { bucket: String! headers: JSON! key: String! url: String! 
} type Query { authenticatedRepoCloneUrl(repoGithubId: Int!): AuthenticatedRepoCloneUrlOutput fakeQueryToHackHasuraBeingABuggyMess: String sbomUrl(buildId: UUID!): String } type SbomUploadUrlOutput { error: Boolean! uploadUrl: UploadUrl } type UploadUrl { headers: JSON! url: String! } - role: service definition: schema: | scalar JSON scalar UUID type AuthenticatedRepoCloneUrlOutput { url: String } type Mutation { presignManifestUpload(project_id: UUID!): PresignedUrlResponse } type PresignedUrlResponse { bucket: String! headers: JSON! key: String! url: String! } type Query { authenticatedRepoCloneUrl(repoGithubId: Int!): AuthenticatedRepoCloneUrlOutput fakeQueryToHackHasuraBeingABuggyMess: String presignSbomUpload(orgId: UUID!, buildId: UUID!): SbomUploadUrlOutput sbomUrl(buildId: UUID!): String } type SbomUploadUrlOutput { error: Boolean! uploadUrl: UploadUrl } type UploadUrl { headers: JSON! url: String! } input SbomUploadUrlInput { orgId: UUID! projectId: UUID! } - role: cli definition: schema: | scalar JSON scalar UUID type Query { presignSbomUpload(orgId: UUID!, buildId: UUID!): SbomUploadUrlOutput } type SbomUploadUrlOutput { error: Boolean! uploadUrl: UploadUrl } type UploadUrl { headers: JSON! url: String! } diff --git a/lunatrace/bsl/hasura/migrations/lunatrace/1672699698282_squashed/down.sql b/lunatrace/bsl/hasura/migrations/lunatrace/1672699698282_squashed/down.sql new file mode 100644 index 00000000..c337e832 --- /dev/null +++ b/lunatrace/bsl/hasura/migrations/lunatrace/1672699698282_squashed/down.sql @@ -0,0 +1,10 @@ +DROP TABLE "public"."instance_log"; + +ALTER TABLE "public"."instances" ALTER COLUMN "id" drop default; +alter table "public"."instances" rename column "id" to "instance_id"; + +alter table "public"."instances" + add constraint "instances_agent_access_token_fkey" + foreign key ("agent_access_token") + references "public"."builds" + ("agent_access_token") on update no action on delete cascade; 
diff --git a/lunatrace/bsl/hasura/migrations/lunatrace/1672699698282_squashed/up.sql b/lunatrace/bsl/hasura/migrations/lunatrace/1672699698282_squashed/up.sql new file mode 100644 index 00000000..a583a1c8 --- /dev/null +++ b/lunatrace/bsl/hasura/migrations/lunatrace/1672699698282_squashed/up.sql @@ -0,0 +1,11 @@ +alter table "public"."instances" rename column "instance_id" to "id"; + +CREATE TABLE "public"."instance_log" ("id" serial NOT NULL, "instance_id" uuid NOT NULL, "message" jsonb NOT NULL, PRIMARY KEY ("id") , FOREIGN KEY ("instance_id") REFERENCES "public"."instances"("id") ON UPDATE cascade ON DELETE cascade);COMMENT ON TABLE "public"."instance_log" IS E'Instance log messages from runtime tracing.'; + +alter table "public"."instances" + add constraint "instances_agent_access_token_fkey" + foreign key ("agent_access_token") + references "public"."builds" + ("agent_access_token") on update cascade on delete cascade; + +alter table "public"."instances" alter column "id" set default gen_random_uuid(); diff --git a/lunatrace/bsl/hasura/migrations/lunatrace/1672724138003_alter_table_public_instances_add_column_hostname/down.sql b/lunatrace/bsl/hasura/migrations/lunatrace/1672724138003_alter_table_public_instances_add_column_hostname/down.sql new file mode 100644 index 00000000..492d49a7 --- /dev/null +++ b/lunatrace/bsl/hasura/migrations/lunatrace/1672724138003_alter_table_public_instances_add_column_hostname/down.sql @@ -0,0 +1,4 @@ +-- Could not auto-generate a down migration. +-- Please write an appropriate down migration for the SQL below: +-- alter table "public"."instances" add column "hostname" text +-- null; diff --git a/lunatrace/bsl/hasura/migrations/lunatrace/1672724138003_alter_table_public_instances_add_column_hostname/up.sql b/lunatrace/bsl/hasura/migrations/lunatrace/1672724138003_alter_table_public_instances_add_column_hostname/up.sql new file mode 100644 index 00000000..47d3f574 --- /dev/null 
+++ b/lunatrace/bsl/hasura/migrations/lunatrace/1672724138003_alter_table_public_instances_add_column_hostname/up.sql @@ -0,0 +1,2 @@ +alter table "public"."instances" add column "hostname" text + null; ```
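
Review bot: the `cli` update permission on `instance_log` (columns `id`, `message`, `instance_id`, with `check: null`) lets an agent holding the access token rewrite log rows after they are written, and with no post-update check it can set `instance_id` to an instance outside its own token. For a table meant to record captured malicious input, consider dropping the `cli` update permission so the log is append-only, or at least removing `id` and `instance_id` from the updatable columns and reusing the insert check (`instance: agent_access_token: _eq: X-Hasura-Access-Token`) as the update check.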
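
Review bot: the `user` select permission on the instances table includes `agent_access_token` in its column list, while every `cli` permission in this diff authorizes on `agent_access_token: _eq: X-Hasura-Access-Token`. Any organization member who can read an instance row can therefore read the credential the agent uses to insert and update instances and logs. Suggest removing `agent_access_token` from the `user` role's columns and leaving `created_at`, `hostname`, `id` and `last_heartbeat`.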
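
Review bot: in `1672699698282_squashed`, neither `up.sql` nor `down.sql` drops `"instances_agent_access_token_fkey"` before adding it, and both add a constraint with that same name. If the constraint exists before `up.sql` runs, the up migration fails; if it does not, `down.sql` fails because `up.sql` has just created it. Suggest an explicit `alter table "public"."instances" drop constraint "instances_agent_access_token_fkey";` ahead of the `add constraint` in whichever direction is replacing the existing definition (the two differ only in `on update cascade` versus `on update no action`), so the migration can be applied and rolled back cleanly.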
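
Review bot: the `down.sql` for `1672724138003_alter_table_public_instances_add_column_hostname` contains only the auto-generated "Could not auto-generate a down migration" comments, so rolling back leaves the `hostname` column in place. Replace the comments with `alter table "public"."instances" drop column "hostname";`. Separately, `hostname` is in the `cli` insert and update column lists, so it is an agent-supplied value; it would help to document that it is untrusted wherever it is displayed.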
factoidforrest commented 1 year ago

I think we should feature flag this before dumping it into the UI, if we haven't. Same for the common weakness enumeration database.