
Avoid crashtracking temp-script path hijack #11613

Merged: gh-worker-dd-mergequeue-cf854d[bot] merged 9 commits into master from jb/fix-APMSP-3192 on Jun 10, 2026

Conversation

@jbachorik jbachorik commented Jun 10, 2026


What Does This Do

Adds POSIX ownership and permission validation to the crashtracking temp-directory tree so that a pre-planted attacker-controlled script or directory cannot be silently reused.

  • TempLocationManager: validates every pre-existing directory from baseTempDir down to tempDir is owned by the current JVM user and has no group/world bits (0700); throws IllegalStateException + emits a ProfilerFlareLogger message on failure.
  • Initializer: adds isOwnedAndPrivate() helper (POSIX-gated; uses TempLocationManager to resolve the expected JVM process owner without string-based username lookup).
  • CrashUploaderScriptInitializer / OOMENotifierScriptInitializer: drops the world-wide setReadable/setWritable/setExecutable(true, false) calls; creates new script directories with owner-only permissions via mkdirs() + setReadable/setWritable/setExecutable(true, true); validates ownership and permissions before reusing any pre-existing directory or script file.
  • All checks are POSIX-gated; Windows/non-POSIX behaviour is unchanged.

Motivation

Crashtracking is enabled by default. The agent sets HotSpot OnError/OnOutOfMemoryError to execute scripts under a predictable temp path (<java.io.tmpdir>/ddprof_<user>/pid_<pid>/). A local attacker who pre-creates that directory and plants dd_crash_uploader.sh or dd_oome_notifier.sh there can cause the JVM crash/OOME handler to execute attacker-controlled code as the instrumented service user.

Additional Notes

Two sibling issues were fixed in the same pass:

  • CrashUploaderScriptInitializer: world-wide perms on script dir + unchecked reuse of pre-existing script
  • OOMENotifierScriptInitializer: same

ConfigManager is covered transitively — once the parent directory has a validated trust boundary, config files written into it are safe.

Contributor Checklist

  • Format the title according to the contribution guidelines
  • Assign the type: and (comp: or inst:) labels in addition to any other useful labels
  • Avoid using close, fix, or any linking keywords when referencing an issue
    Use solves instead, and assign the PR milestone to the issue
  • Update the CODEOWNERS file on source file addition, migration, or deletion
  • Update public documentation with any new configuration flags or behaviors
  • Add your completed PR to the merge queue by commenting /merge. You can also:
    • Customize the commit message associated with the merge with /merge --commit-message "..."
    • Remove your PR from the merge queue with /merge -c
    • Skip all merge queue checks with /merge -f --reason "reason"; please use this judiciously, as some checks do not run at the PR-level (note: the PR still needs to be mergeable, this will only skip the pre-merge build)
    • Get more information in this doc

Jira ticket: APMSP-3192

- TempLocationManager: POSIX ownership+0700 check on pre-existing dirs
- Initializer: add isOwnedAndPrivate() helper (null-safe)
- CrashUploaderScriptInitializer/OOMENotifierScriptInitializer: drop
  world-wide perms, validate pre-existing dirs/scripts, create new dirs
  with 0700 via Files.createDirectories+PosixFilePermissions
- Add acceptance tests for both initializers and TempLocationManager

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
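The trust-boundary checks the PR description lists (owner and 0700 validation of every pre-existing level from the base temp directory down to the per-process directory, owner-only creation of missing levels, and refusing to reuse a pre-existing script that fails the same test) can be written compactly with java.nio.file. The following is an added illustration for this page, not the dd-trace-java code: the class and method names (PrivateTempTree, processOwner, ensurePrivateTree, canReuseScript, and this version of isOwnedAndPrivate), the probe-file approach to resolving the process owner without a username string lookup, and the ddprof_demo/pid_<pid> layout under a sandbox directory are all assumptions. It goes slightly beyond the description in two places a practitioner would want: it attempts the 0700 create first and only falls back to validation when the directory already existed, which closes the window between an existence check and a create, and it rejects symlinks at every level.

```java
import static java.nio.file.LinkOption.NOFOLLOW_LINKS;

import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.Set;

// Illustrative trust-boundary checks for a per-process temp tree; names are hypothetical.
public final class PrivateTempTree {

  private static final Set<PosixFilePermission> OWNER_ONLY =
      PosixFilePermissions.fromString("rwx------");

  // POSIX-gated, like the PR: on non-POSIX file systems nothing here is enforced.
  static boolean isPosix() {
    return FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
  }

  // Owner of a file this process just created, i.e. the principal the JVM runs as.
  // Assumption: scratchDir is writable. This avoids a string-based username lookup.
  static UserPrincipal processOwner(Path scratchDir) throws IOException {
    Path probe = Files.createTempFile(scratchDir, "owner-probe", "");
    try {
      return Files.getOwner(probe, NOFOLLOW_LINKS);
    } finally {
      Files.deleteIfExists(probe);
    }
  }

  // True only if p is not a symlink, is owned by owner, and carries no group/world bits.
  static boolean isOwnedAndPrivate(Path p, UserPrincipal owner) throws IOException {
    if (Files.isSymbolicLink(p)) {
      return false; // a planted link would redirect the rest of the tree elsewhere
    }
    if (!owner.equals(Files.getOwner(p, NOFOLLOW_LINKS))) {
      return false;
    }
    for (PosixFilePermission bit : Files.getPosixFilePermissions(p, NOFOLLOW_LINKS)) {
      if (!OWNER_ONLY.contains(bit)) {
        return false; // any GROUP_* or OTHERS_* bit fails the check
      }
    }
    return true;
  }

  // A pre-existing script is reused only if it is a plain file that passes the same check.
  static boolean canReuseScript(Path script, UserPrincipal owner) throws IOException {
    return Files.isRegularFile(script, NOFOLLOW_LINKS) && isOwnedAndPrivate(script, owner);
  }

  // Walk from base down to target: create missing levels as 0700, validate existing ones.
  // Creation is attempted first, so a directory planted between "exists?" and "create"
  // still has to pass validation instead of being silently reused.
  static void ensurePrivateTree(Path base, Path target, UserPrincipal owner) throws IOException {
    Path root = base.toAbsolutePath().normalize();
    Path leaf = target.toAbsolutePath().normalize();
    if (!leaf.startsWith(root)) {
      throw new IllegalArgumentException(target + " is not under " + base);
    }
    validateOrCreate(root, owner);
    Path current = root;
    if (!leaf.equals(root)) {
      for (Path component : root.relativize(leaf)) {
        current = current.resolve(component);
        validateOrCreate(current, owner);
      }
    }
  }

  private static void validateOrCreate(Path dir, UserPrincipal owner) throws IOException {
    try {
      Files.createDirectory(dir, PosixFilePermissions.asFileAttribute(OWNER_ONLY));
      return; // created by us as 0700 (umask can only remove bits, never add them)
    } catch (FileAlreadyExistsException preExisting) {
      // something already sits here: it must prove it is ours and private before reuse
    }
    if (!Files.isDirectory(dir, NOFOLLOW_LINKS) || !isOwnedAndPrivate(dir, owner)) {
      throw new IllegalStateException("refusing to reuse untrusted path: " + dir);
    }
  }

  public static void main(String[] args) throws IOException {
    if (!isPosix()) {
      System.out.println("non-POSIX file system: checks are skipped");
      return;
    }
    Path scratch = Files.createTempDirectory("private-tree-demo"); // constructed sandbox
    UserPrincipal me = processOwner(scratch);
    Path base = scratch.resolve("ddprof_demo");
    Path pidDir = base.resolve("pid_" + ProcessHandle.current().pid());
    ensurePrivateTree(base, pidDir, me);
    System.out.println("created and validated: " + pidDir);
    // Loosen the leaf to rwxr-xr-x, as a planted directory would be, and re-run the check.
    Files.setPosixFilePermissions(pidDir, PosixFilePermissions.fromString("rwxr-xr-x"));
    try {
      ensurePrivateTree(base, pidDir, me);
    } catch (IllegalStateException expected) {
      System.out.println("rejected on restart: " + expected.getMessage());
    }
  }
}
```

Run with `java PrivateTempTree.java` (Java 11+ single-file launch) on a POSIX system: the first pass creates ddprof_demo/pid_<pid> with 0700 and validates it, and the second pass, after the leaf has been widened, fails with IllegalStateException rather than reusing the directory. The base passed to ensurePrivateTree should be the per-user directory (the ddprof_<user> level in the PR's layout), not java.io.tmpdir itself, since a shared /tmp is root-owned and world-writable and would never pass the owner-only test.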
@jbachorik jbachorik added the tag: ai generated Largely based on code generated by an AI or LLM label Jun 10, 2026

@jbachorik jbachorik added type: bug Bug report and fix comp: crash tracking Crash Tracking labels Jun 10, 2026
@jbachorik jbachorik requested a review from amarziali June 10, 2026 10:02
@jbachorik jbachorik marked this pull request as ready for review June 10, 2026 10:02
@jbachorik jbachorik requested review from a team as code owners June 10, 2026 10:02

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ade7027697


dd-octo-sts Bot commented Jun 10, 2026


🟢 Java Benchmark SLOs — All performance SLOs passed

| Suite   | Status  |
|---------|---------|
| Startup | 🟢 pass |

SLO thresholds are defined here based on automatically generated metrics. A warning is raised when results are within 5% of the threshold.

PR vs. master results

| Scenario                             | Candidate | master  | Δ (95% CI of mean)                      |
|--------------------------------------|-----------|---------|-----------------------------------------|
| startup:insecure-bank:iast:Agent     | 13.98 s   | 13.97 s | [-0.8%; +1.0%] (no difference)          |
| startup:insecure-bank:tracing:Agent  | 12.88 s   | 12.92 s | [-1.0%; +0.3%] (no difference)          |
| startup:petclinic:appsec:Agent       | 16.80 s   | 16.71 s | [-0.3%; +1.5%] (no difference)          |
| startup:petclinic:iast:Agent         | 16.87 s   | 16.92 s | [-1.2%; +0.7%] (no difference)          |
| startup:petclinic:profiling:Agent    | 16.51 s   | 16.91 s | [-3.2%; -1.6%] (significantly better)   |
| startup:petclinic:sca:Agent          | 16.95 s   | 16.75 s | [+0.2%; +2.1%] (maybe worse)            |
| startup:petclinic:tracing:Agent      | 15.99 s   | 16.02 s | [-1.1%; +0.8%] (no difference)          |

Commit: 0d0b7fa7 · CI Pipeline · Benchmarking Platform UI


Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Comment thread docs/sphinx/specs/2026-06-10-crashtracking-temp-script-hijack-enables-loca.md Outdated
jbachorik and others added 6 commits June 10, 2026 13:28
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@jbachorik jbachorik changed the title Fix crashtracking temp-script path hijack (local code execution) Avoid crashtracking temp-script path hijack Jun 10, 2026
@jbachorik jbachorik requested a review from amarziali June 10, 2026 14:48
@jbachorik jbachorik (Contributor, Author) commented

/merge

gh-worker-devflow-routing-ef8351 Bot commented Jun 10, 2026


2026-06-10 15:33:41 UTC ℹ️ Start processing command /merge


2026-06-10 15:33:56 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 1h (p90).


2026-06-10 16:33:46 UTC ℹ️ MergeQueue: This merge request was merged

@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot merged commit a33ca10 into master Jun 10, 2026
573 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot deleted the jb/fix-APMSP-3192 branch June 10, 2026 16:33
@github-actions github-actions Bot added this to the 1.64.0 milestone Jun 10, 2026