Add ObjectInputStream.readObject to forbidden apis #10952

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 5 commits into master from dd/prevent-objectinputstream-deserialization
Mar 31, 2026

@dougqh dougqh commented Mar 24, 2026

What Does This Do

Adds a forbidden API filter to prevent the use of ObjectInputStream.readObject()

Motivation

Restrict future use of ObjectInputStream

Additional Notes

The filter includes a descriptive error message to guide developers on the proper way to handle exceptions when deserialization is required. This follows the same pattern as other reflection-based forbidden APIs already configured in the project.

Contributor Checklist

Jira ticket: APMLP-1135


PR by Bits - View session in Datadog

Co-authored-by: dougqh <dougqh@gmail.com>

datadog-datadog-prod-us1 Bot commented Mar 24, 2026

View session in Datadog

Bits Dev status: ✅ Done

@datadog-official

I can only run on private repositories.

@dougqh dougqh added comp: core (Tracer core), tag: ai generated (Largely based on code generated by an AI or LLM), tag: diagnostics (Diagnostics related changes), type: bug (Bug report and fix) and removed Bits AI labels Mar 24, 2026
@dougqh dougqh marked this pull request as ready for review March 24, 2026 17:24
@dougqh dougqh requested a review from a team as a code owner March 24, 2026 17:24
@dougqh dougqh requested a review from mhlidd March 24, 2026 17:24
@dougqh dougqh enabled auto-merge March 24, 2026 17:37

pr-commenter Bot commented Mar 24, 2026

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master dd/prevent-objectinputstream-deserialization
git_commit_date 1774897204 1774898474
git_commit_sha b6e89cd 48440ff
release_version 1.61.0-SNAPSHOT~b6e89cdef9 1.61.0-SNAPSHOT~48440ff3ee
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1774900147 1774900147
ci_job_id 1551935356 1551935356
ci_pipeline_id 105123312 105123312
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-l8oz4nxg 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-l8oz4nxg 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 64 metrics, 7 unstable metrics.

Startup time reports for insecure-bank
[Gantt chart: insecure-bank - global startup overhead: candidate=1.61.0-SNAPSHOT~48440ff3ee, baseline=1.61.0-SNAPSHOT~b6e89cdef9; sections: tracing, iast]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.063 s -
Agent iast 1.23 s 166.755 ms (15.7%)
Total tracing 8.881 s -
Total iast 9.613 s 731.424 ms (8.2%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.064 s -
Agent iast 1.233 s 169.088 ms (15.9%)
Total tracing 8.885 s -
Total iast 9.622 s 736.476 ms (8.3%)
[Gantt chart: insecure-bank - break down per module: candidate=1.61.0-SNAPSHOT~48440ff3ee, baseline=1.61.0-SNAPSHOT~b6e89cdef9; sections: tracing, iast]
Startup time reports for petclinic
[Gantt chart: petclinic - global startup overhead: candidate=1.61.0-SNAPSHOT~48440ff3ee, baseline=1.61.0-SNAPSHOT~b6e89cdef9; sections: tracing, appsec, iast, profiling]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.061 s -
Agent appsec 1.257 s 196.701 ms (18.5%)
Agent iast 1.234 s 173.697 ms (16.4%)
Agent profiling 1.2 s 139.433 ms (13.1%)
Total tracing 11.099 s -
Total appsec 11.168 s 69.103 ms (0.6%)
Total iast 11.364 s 264.401 ms (2.4%)
Total profiling 11.18 s 80.623 ms (0.7%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.068 s -
Agent appsec 1.26 s 191.307 ms (17.9%)
Agent iast 1.237 s 168.958 ms (15.8%)
Agent profiling 1.194 s 126.017 ms (11.8%)
Total tracing 11.094 s -
Total appsec 11.219 s 124.642 ms (1.1%)
Total iast 11.386 s 291.946 ms (2.6%)
Total profiling 11.047 s -46.93 ms (-0.4%)
[Gantt chart: petclinic - break down per module: candidate=1.61.0-SNAPSHOT~48440ff3ee, baseline=1.61.0-SNAPSHOT~b6e89cdef9; sections: tracing, appsec, iast, profiling]

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master dd/prevent-objectinputstream-deserialization
git_commit_date 1774897204 1774898474
git_commit_sha b6e89cd 48440ff
release_version 1.61.0-SNAPSHOT~b6e89cdef9 1.61.0-SNAPSHOT~48440ff3ee
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1774900617 1774900617
ci_job_id 1551935359 1551935359
ci_pipeline_id 105123312 105123312
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-1-bmz3jo01 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-1-bmz3jo01 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 2 performance improvements and 0 performance regressions! Performance is the same for 17 metrics, 17 unstable metrics.

scenario:load:insecure-bank:iast:high_load
  Δ mean agg_http_req_duration_p50: better [-237.330µs; -157.266µs] or [-9.022%; -5.978%]
  Δ mean agg_http_req_duration_p95: same [-490.852µs; +37.078µs] or [-6.489%; +0.490%]
  Δ mean throughput: unstable [-51.324op/s; +216.137op/s] or [-3.767%; +15.864%]
  candidate mean agg_http_req_duration_p50 / agg_http_req_duration_p95 / throughput: 2.433ms / 7.337ms / 1444.875op/s
  baseline mean agg_http_req_duration_p50 / agg_http_req_duration_p95 / throughput: 2.631ms / 7.564ms / 1362.469op/s
scenario:load:petclinic:code_origins:high_load
  Δ mean agg_http_req_duration_p50: better [-1453.714µs; -465.463µs] or [-7.923%; -2.537%]
  Δ mean agg_http_req_duration_p95: unsure [-1.585ms; -0.565ms] or [-5.325%; -1.898%]
  Δ mean throughput: unstable [-17.466op/s; +37.529op/s] or [-6.913%; +14.854%]
  candidate mean agg_http_req_duration_p50 / agg_http_req_duration_p95 / throughput: 17.388ms / 28.696ms / 262.688op/s
  baseline mean agg_http_req_duration_p50 / agg_http_req_duration_p95 / throughput: 18.347ms / 29.771ms / 252.656op/s
Request duration reports for petclinic
[Gantt chart: petclinic - request duration [CI 0.99] : candidate=1.61.0-SNAPSHOT~48440ff3ee, baseline=1.61.0-SNAPSHOT~b6e89cdef9; sections: baseline, candidate]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 18.309 ms [18.122 ms, 18.496 ms] -
appsec 19.087 ms [18.894 ms, 19.279 ms] 777.508 µs (4.2%)
code_origins 18.467 ms [18.28 ms, 18.654 ms] 158.112 µs (0.9%)
iast 18.224 ms [18.043 ms, 18.404 ms] -85.47 µs (-0.5%)
profiling 18.681 ms [18.497 ms, 18.865 ms] 372.129 µs (2.0%)
tracing 18.035 ms [17.858 ms, 18.212 ms] -274.165 µs (-1.5%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 18.255 ms [18.07 ms, 18.44 ms] -
appsec 18.94 ms [18.752 ms, 19.129 ms] 685.614 µs (3.8%)
code_origins 17.76 ms [17.583 ms, 17.936 ms] -495.049 µs (-2.7%)
iast 18.025 ms [17.848 ms, 18.201 ms] -229.871 µs (-1.3%)
profiling 19.029 ms [18.836 ms, 19.221 ms] 773.828 µs (4.2%)
tracing 17.741 ms [17.571 ms, 17.91 ms] -513.875 µs (-2.8%)
Request duration reports for insecure-bank
[Gantt chart: insecure-bank - request duration [CI 0.99] : candidate=1.61.0-SNAPSHOT~48440ff3ee, baseline=1.61.0-SNAPSHOT~b6e89cdef9; sections: baseline, candidate]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.238 ms [1.225 ms, 1.25 ms] -
iast 3.361 ms [3.313 ms, 3.41 ms] 2.124 ms (171.6%)
iast_FULL 5.895 ms [5.836 ms, 5.954 ms] 4.657 ms (376.4%)
iast_GLOBAL 3.735 ms [3.673 ms, 3.796 ms] 2.497 ms (201.8%)
profiling 2.152 ms [2.131 ms, 2.173 ms] 914.248 µs (73.9%)
tracing 1.864 ms [1.848 ms, 1.88 ms] 626.567 µs (50.6%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.222 ms [1.21 ms, 1.234 ms] -
iast 3.165 ms [3.123 ms, 3.208 ms] 1.943 ms (159.0%)
iast_FULL 6.018 ms [5.956 ms, 6.079 ms] 4.796 ms (392.5%)
iast_GLOBAL 3.679 ms [3.626 ms, 3.731 ms] 2.457 ms (201.0%)
profiling 2.235 ms [2.213 ms, 2.257 ms] 1.013 ms (82.9%)
tracing 1.855 ms [1.839 ms, 1.871 ms] 632.952 µs (51.8%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master dd/prevent-objectinputstream-deserialization
git_commit_date 1774897204 1774898474
git_commit_sha b6e89cd 48440ff
release_version 1.61.0-SNAPSHOT~b6e89cdef9 1.61.0-SNAPSHOT~48440ff3ee
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1774900382 1774900382
ci_job_id 1551935361 1551935361
ci_pipeline_id 105123312 105123312
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-4-gwykixbe 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-4-gwykixbe 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for tomcat
[Gantt chart: tomcat - execution time [CI 0.99] : candidate=1.61.0-SNAPSHOT~48440ff3ee, baseline=1.61.0-SNAPSHOT~b6e89cdef9; sections: baseline, candidate]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.494 ms [1.482 ms, 1.505 ms] -
appsec 2.53 ms [2.476 ms, 2.585 ms] 1.036 ms (69.4%)
iast 2.278 ms [2.209 ms, 2.347 ms] 784.425 µs (52.5%)
iast_GLOBAL 2.326 ms [2.256 ms, 2.396 ms] 832.553 µs (55.7%)
profiling 2.109 ms [2.054 ms, 2.164 ms] 615.27 µs (41.2%)
tracing 2.096 ms [2.042 ms, 2.15 ms] 602.252 µs (40.3%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.491 ms [1.48 ms, 1.503 ms] -
appsec 3.852 ms [3.629 ms, 4.075 ms] 2.36 ms (158.3%)
iast 2.276 ms [2.207 ms, 2.346 ms] 784.843 µs (52.6%)
iast_GLOBAL 2.335 ms [2.265 ms, 2.405 ms] 843.342 µs (56.5%)
profiling 2.134 ms [2.077 ms, 2.19 ms] 642.116 µs (43.1%)
tracing 2.107 ms [2.053 ms, 2.162 ms] 615.805 µs (41.3%)
Execution time for biojava
[Gantt chart: biojava - execution time [CI 0.99] : candidate=1.61.0-SNAPSHOT~48440ff3ee, baseline=1.61.0-SNAPSHOT~b6e89cdef9; sections: baseline, candidate]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.025 s [15.025 s, 15.025 s] -
appsec 14.783 s [14.783 s, 14.783 s] -242.0 ms (-1.6%)
iast 18.153 s [18.153 s, 18.153 s] 3.128 s (20.8%)
iast_GLOBAL 17.81 s [17.81 s, 17.81 s] 2.785 s (18.5%)
profiling 15.43 s [15.43 s, 15.43 s] 405.0 ms (2.7%)
tracing 14.815 s [14.815 s, 14.815 s] -210.0 ms (-1.4%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.632 s [15.632 s, 15.632 s] -
appsec 14.716 s [14.716 s, 14.716 s] -916.0 ms (-5.9%)
iast 18.313 s [18.313 s, 18.313 s] 2.681 s (17.2%)
iast_GLOBAL 18.081 s [18.081 s, 18.081 s] 2.449 s (15.7%)
profiling 14.819 s [14.819 s, 14.819 s] -813.0 ms (-5.2%)
tracing 14.748 s [14.748 s, 14.748 s] -884.0 ms (-5.7%)

Comment thread gradle/forbiddenApiFilters/main.txt Outdated
java.lang.reflect.Field#setDouble(java.lang.Object,double)
java.lang.invoke.MethodHandles.Lookup#unreflectSetter(java.lang.reflect.Field)

# avoid Java deserialization entrypoint
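
Review bot: the comment `# avoid Java deserialization entrypoint` introducing the new entry names what is blocked but gives a developer who trips the check nothing to act on. Extend it to state the risk (deserializing untrusted data) and to say how a legitimate use should be handled, for example which suppression the project expects, so the guidance lives next to the signature.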

Contributor

🎯 suggestion: What about adding a reference to the security concerns expressed in the JDK documentation or even the related secure coding guidelines?

Contributor Author
Will do

@dougqh dougqh added this pull request to the merge queue Mar 30, 2026

dd-octo-sts Bot commented Mar 30, 2026

/merge

gh-worker-devflow-routing-ef8351 Bot commented Mar 30, 2026

View all feedbacks in Devflow UI.

2026-03-30 20:10:44 UTC ℹ️ Start processing command /merge


2026-03-30 20:10:49 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 2h (p90).


2026-03-30 21:13:47 UTC 🚨 MergeQueue: This merge request is in error

mergequeue build completed successfully, but the github api returned an error while merging the pr.
GitHub returned an error during the merge attempt. This is a known issue that can often be resolved by retrying the merge request in an hour.

Details

Error: PUT https://api.github.com/repos/DataDog/dd-trace-java/pulls/10952/merge: 405 Merge already in progress [] (Request ID: 9890:8D4A:DD9CD6:38D5230:69CAE786)

FullStacktrace:
activity error (type: github.GithubService_MergePullRequest, scheduledEventID: 50, startedEventID: 51, identity: 1@github-worker-95488c969-gtlwh@): PUT https://api.github.com/repos/DataDog/dd-trace-java/pulls/10952/merge: 405 Merge already in progress [] (Request ID: 9890:8D4A:DD9CD6:38D5230:69CAE786) (type: GitFailure, retryable: false): PUT https://api.github.com/repos/DataDog/dd-trace-java/pulls/10952/merge: 405 Merge already in progress [] (type: ErrorResponse, retryable: true)

@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Mar 30, 2026
pull Bot pushed a commit to ConnectionMaster/dd-trace-java that referenced this pull request Mar 31, 2026
Add ObjectInputStream.readObject to forbidden apis

Co-authored-by: dougqh <dougqh@gmail.com>

Removing unnecessary defaultmessage added by AI

Adding URL to relevant documentation

Merge branch 'master' into dd/prevent-objectinputstream-deserialization

Co-authored-by: datadog-datadog-prod-us1[bot] <88084959+datadog-datadog-prod-us1[bot]@users.noreply.github.com>
Co-authored-by: devflow.devflow-routing-intake <devflow.devflow-routing-intake@kubernetes.us1.ddbuild.io>
@dougqh dougqh enabled auto-merge March 31, 2026 12:18
@dougqh dougqh added this pull request to the merge queue Mar 31, 2026

dd-octo-sts Bot commented Mar 31, 2026

/merge

gh-worker-devflow-routing-ef8351 Bot commented Mar 31, 2026

View all feedbacks in Devflow UI.

2026-03-31 13:07:54 UTC ℹ️ Start processing command /merge


2026-03-31 13:07:59 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 2h (p90).


2026-03-31 15:22:54 UTC ℹ️ MergeQueue: Readding this merge request to the queue because another merge request processed with yours failed. No action is needed from your side.


2026-03-31 16:27:16 UTC ℹ️ MergeQueue: This merge request was merged

@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Mar 31, 2026
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot merged commit b52e28e into master Mar 31, 2026
566 checks passed
@github-actions github-actions Bot added this to the 1.61.0 milestone Mar 31, 2026
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot deleted the dd/prevent-objectinputstream-deserialization branch March 31, 2026 16:27