Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: fixed analyzer timeout issue + missing case fix #5878

Closed
wants to merge 1 commit into from

Conversation

Ice3man543
Copy link
Member

@Ice3man543 Ice3man543 commented Dec 2, 2024

Proposed changes

  • Fixed fuzz timeout for analyzer template not working
  • Removed slope check for sqli cases with double time (2 queries etc)

more details: https://discord.com/channels/695645237418131507/1312897172928466964

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Summary by CodeRabbit

  • New Features

    • Introduced a customizable timeout setting for HTTP connections, allowing users to define a CustomMaxTimeout.
  • Bug Fixes

    • Simplified logic in the confidence checking method for linear regression, enhancing accuracy in correlation evaluations.
  • Documentation

    • Updated comments to reflect recent changes in the slope error range checks and timeout configurations.

@Ice3man543 Ice3man543 marked this pull request as ready for review December 2, 2024 11:41
@auto-assign auto-assign bot requested a review from dogancanbakir December 2, 2024 11:41
Copy link

coderabbitai bot commented Dec 2, 2024

Walkthrough

The changes in this pull request involve modifications to two primary files. In pkg/fuzz/analyzers/time/time_delay.go, the IsWithinConfidence method of the simpleLinearRegression struct has been simplified by removing the slope proximity check, now relying solely on the correlation threshold. In pkg/protocols/http/httpclientpool/clientpool.go, enhancements have been made to the ConnectionConfiguration struct by adding a CustomMaxTimeout field, affecting timeout settings for HTTP requests and updating related methods to accommodate this new configuration.

Changes

File Path Change Summary
pkg/fuzz/analyzers/time/time_delay.go Modified IsWithinConfidence method logic to remove slope proximity check; updated comments accordingly.
pkg/protocols/http/httpclientpool/clientpool.go Added CustomMaxTimeout field to ConnectionConfiguration; updated Clone and Hash methods to include this field. Modified wrappedGet to prioritize CustomMaxTimeout.

Poem

In the code where rabbits play,
Changes hop in a joyful way.
With timeouts now so finely tuned,
And slopes that dance, no longer marooned.
Let's celebrate with a happy cheer,
For coding bunnies, the future is clear! 🐇✨


🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@Ice3man543 Ice3man543 self-assigned this Dec 2, 2024
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (3)
pkg/fuzz/analyzers/time/time_delay.go (1)

Line range hint 4-4: Document the change in slope check removal

The comment block explaining the time delay analyzer should be updated to reflect the removal of slope proximity check and its implications for double time cases.

Add a note like:

 // The approach is the one used in ZAP for timing based checks.
+// Note: For better handling of double time cases (involving multiple queries),
+// we only use correlation threshold without slope proximity check.
pkg/protocols/http/httpclientpool/clientpool.go (2)

Line range hint 48-52: Consider thread safety for CustomMaxTimeout

While the cookiejar has proper mutex protection, the CustomMaxTimeout field in ConnectionConfiguration isn't protected against concurrent access. Although it's typically set once during configuration, it's better to be explicit about thread safety.

Consider adding CustomMaxTimeout to the mutex protection:

type ConnectionConfiguration struct {
+	mu               sync.RWMutex
	DisableKeepAlive bool
-	CustomMaxTimeout time.Duration
	cookiejar        *cookiejar.Jar
-	mu               sync.RWMutex
+	customMaxTimeout time.Duration
}

+func (cc *ConnectionConfiguration) SetCustomMaxTimeout(timeout time.Duration) {
+	cc.mu.Lock()
+	defer cc.mu.Unlock()
+	cc.customMaxTimeout = timeout
+}

+func (cc *ConnectionConfiguration) GetCustomMaxTimeout() time.Duration {
+	cc.mu.RLock()
+	defer cc.mu.RUnlock()
+	return cc.customMaxTimeout
+}

Line range hint 48-52: Document the precedence of CustomMaxTimeout

The comment for CustomMaxTimeout should clearly document its precedence over other timeout settings.

Enhance the documentation:

 // CustomMaxTimeout is the custom timeout for the connection
-// This overrides all other timeouts and is used for accurate time based fuzzing.
+// This overrides all other timeouts (including HttpTimeout and ResponseHeaderTimeout)
+// and is specifically used for accurate time-based fuzzing where precise control
+// over request timing is required.
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 0fc4a02 and 38f25f5.

📒 Files selected for processing (2)
  • pkg/fuzz/analyzers/time/time_delay.go (1 hunks)
  • pkg/protocols/http/httpclientpool/clientpool.go (1 hunks)
🔇 Additional comments (1)
pkg/protocols/http/httpclientpool/clientpool.go (1)

114-114: LGTM: CustomMaxTimeout properly cloned

The CustomMaxTimeout field is correctly handled in the Clone method.

Comment on lines +169 to +170
return o.correlation > 1.0-correlationErrorRange
//math.Abs(expectedSlope-o.slope) < slopeErrorRange
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codebase verification

Removing slope check could reduce detection accuracy

Based on the test cases and implementation analysis, removing the slope proximity check appears problematic:

  1. The test file (time_delay_test.go) shows that both correlation and slope are critical metrics:

    • Test cases verify both slope and correlation values
    • Constants define error ranges for both: correlationErrorRange = 0.1 and slopeErrorRange = 0.2
  2. The code uses IsWithinConfidence in two contexts:

    • Main detection with correlationErrorRange=0.3, slope=1.0, slopeErrorRange=0.5
    • Regression analysis with custom thresholds

Removing the slope check means we're only validating the correlation between input and response times, but not the actual rate of increase. This could lead to false positives where responses show correlated but disproportionate time increases.

🔗 Analysis chain

Verify the impact of removing slope proximity check

The removal of the slope proximity check (math.Abs(expectedSlope-o.slope) < slopeErrorRange) means we're now only relying on correlation for time-based detection. While this aligns with the PR objective to handle double time cases better, we should verify this doesn't increase false positives.

Consider:

  1. Adding test cases specifically for double time scenarios
  2. Documenting the threshold values and their significance
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Search for test cases and usages to verify impact
# Look for test files and time-based detection patterns
rg -g "**/*test*.go" -A 5 "IsWithinConfidence"

# Look for SQL injection patterns to understand impact
ast-grep --pattern 'func $name($params) {
  $$$
  IsWithinConfidence($$$)
  $$$
}'

Length of output: 131


Script:

#!/bin/bash
# Let's try a broader search to understand the usage context
# First, find all test files related to time delay analysis
fd "time.*test.*\.go$"

# Search for test cases mentioning correlation or slope
rg -g "**/*test*.go" "correlation|slope" -B 2 -A 2

# Look for the actual implementation details
rg "IsWithinConfidence" -A 5 -B 5

# Check commit history for the rationale
git log -p --grep="slope" -- "pkg/fuzz/analyzers/time/time_delay.go"

Length of output: 7457

@Ice3man543
Copy link
Member Author

This is superseded by #5772 and should be closed later

@Ice3man543 Ice3man543 closed this Dec 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants