Short circuit for WAF/RASP calls (#7630)
* Removed hardcoded WAF addresses

* Missing test
ValentinZakharov authored and shatzi committed Sep 25, 2024
1 parent 80ad360 commit df3ed1f
Showing 3 changed files with 197 additions and 16 deletions.
Expand Up @@ -389,22 +389,6 @@ private static Collection<Address<?>> getUsedAddresses(PowerwafContext ctx) {
addressList.add(address);
}
}

// TODO: get addresses dynamically when will it be implemented in waf
addressList.add(KnownAddresses.WAF_CONTEXT_PROCESSOR);
addressList.add(KnownAddresses.HEADERS_NO_COOKIES);
addressList.add(KnownAddresses.REQUEST_QUERY);
addressList.add(KnownAddresses.REQUEST_PATH_PARAMS);
addressList.add(KnownAddresses.REQUEST_COOKIES);
addressList.add(KnownAddresses.REQUEST_BODY_RAW);
addressList.add(KnownAddresses.RESPONSE_HEADERS_NO_COOKIES);
addressList.add(KnownAddresses.RESPONSE_BODY_OBJECT);
addressList.add(KnownAddresses.GRAPHQL_SERVER_ALL_RESOLVERS);
addressList.add(KnownAddresses.DB_TYPE);
addressList.add(KnownAddresses.DB_SQL_QUERY);
addressList.add(KnownAddresses.IO_NET_URL);
addressList.add(KnownAddresses.IO_FS_FILE);

return addressList;
}

Expand Up @@ -1539,6 +1539,22 @@ class PowerWAFModuleSpecification extends DDSpecification {
})
}

void 'retrieve used addresses'() {
when:
setupWithStubConfigService('small_config.json')
def ctx0 = pwafModule.ctxAndAddresses.get().ctx
def addresses = pwafModule.getUsedAddresses(ctx0)

then:
addresses.size() == 6
addresses.contains(KnownAddresses.REQUEST_INFERRED_CLIENT_IP)
addresses.contains(KnownAddresses.REQUEST_QUERY)
addresses.contains(KnownAddresses.REQUEST_PATH_PARAMS)
addresses.contains(KnownAddresses.HEADERS_NO_COOKIES)
addresses.contains(KnownAddresses.REQUEST_URI_RAW)
addresses.contains(KnownAddresses.REQUEST_BODY_OBJECT)
}

private Map<String, Object> getDefaultConfig() {
def service = new StubAppSecConfigService()
service.init()
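Review bot: The assertions in 'retrieve used addresses' pin the six addresses referenced by small_config.json but never state the commit's actual intent, that addresses no longer referenced by the loaded rule set (the formerly hard-coded ones such as WAF_CONTEXT_PROCESSOR, IO_NET_URL and IO_FS_FILE) are absent; `addresses.size() == 6` implies it, but a reader of a future failure will not see why. Adding `!addresses.contains(KnownAddresses.WAF_CONTEXT_PROCESSOR)` and `!addresses.contains(KnownAddresses.IO_FS_FILE)` plus a one-line comment tying the expected set to the `address` values in small_config.json would make the contract explicit. It would also be worth a second case with a rule referencing an address that has no KnownAddresses mapping, confirming that address resolution (which happens in PowerWAFModule above the hunk shown) skips it rather than throwing at ruleset load, if that is indeed the intended behaviour. The enclosing class PowerWAFModuleSpecification continues outside the hunk.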
181 changes: 181 additions & 0 deletions dd-java-agent/appsec/src/test/resources/small_config.json
@@ -0,0 +1,181 @@
{
"version": "2.1",
"metadata": {
"rules_version": "0.42.0"
},
"actions": [
{
"id": "block",
"type": "block_request",
"parameters": {
"status_code": 418,
"type": "html"
}
}
],
"rules": [
{
"id": "ip_match_rule",
"name": "rule1",
"tags": {
"type": "flow1",
"category": "category1"
},
"conditions": [
{
"operator": "ip_match",
"parameters": {
"inputs": [
{
"address": "http.client_ip"
}
],
"data": "ip_data"
}
}
],
"on_match": ["block"]
},
{
"id": "crs-913-110",
"name": "Found request header associated with Acunetix security scanner",
"tags": {
"type": "security_scanner",
"crs_id": "913110",
"category": "attack_attempt"
},
"conditions": [
{
"parameters": {
"inputs": [
{
"address": "server.request.headers.no_cookies"
}
],
"list": [
"acunetix-product",
"(acunetix web vulnerability scanner",
"acunetix-scanning-agreement",
"acunetix-user-agreement"
]
},
"operator": "phrase_match"
}
],
"transformers": [
"lowercase"
]
},
{
"id": "crs-913-120",
"name": "Found request filename/argument associated with security scanner",
"tags": {
"type": "security_scanner",
"crs_id": "913120",
"category": "attack_attempt"
},
"conditions": [
{
"parameters": {
"inputs": [
{
"address": "server.request.query"
},
{
"address": "server.request.body"
},
{
"address": "server.request.path_params"
}
],
"list": [
"/.adsensepostnottherenonobook",
"/<invalid>hello.html",
"/actsensepostnottherenonotive",
"/acunetix-wvs-test-for-some-inexistent-file",
"/antidisestablishmentarianism",
"/appscan_fingerprint/mac_address",
"/arachni-",
"/cybercop",
"/nessus_is_probing_you_",
"/nessustest",
"/netsparker-",
"/rfiinc.txt",
"/thereisnowaythat-you-canbethere",
"/w3af/remotefileinclude.html",
"appscan_fingerprint",
"w00tw00t.at.isc.sans.dfind",
"w00tw00t.at.blackhats.romanian.anti-sec"
]
},
"operator": "phrase_match"
}
],
"transformers": [
"lowercase"
]
},
{
"id": "crs-920-260",
"name": "Unicode Full/Half Width Abuse Attack Attempt",
"tags": {
"type": "http_protocol_violation",
"crs_id": "920260",
"category": "attack_attempt"
},
"conditions": [
{
"parameters": {
"inputs": [
{
"address": "server.request.uri.raw"
}
],
"regex": "\\%u[fF]{2}[0-9a-fA-F]{2}",
"options": {
"case_sensitive": true,
"min_length": 6
}
},
"operator": "match_regex"
}
],
"transformers": []
},
{
"id": "crs-921-110",
"name": "HTTP Request Smuggling Attack",
"tags": {
"type": "http_protocol_violation",
"crs_id": "921110",
"category": "attack_attempt"
},
"conditions": [
{
"parameters": {
"inputs": [
{
"address": "server.request.query"
},
{
"address": "server.request.body"
},
{
"address": "server.request.path_params"
}
],
"regex": "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\s+[^\\s]+\\s+http/\\d",
"options": {
"case_sensitive": true,
"min_length": 12
}
},
"operator": "match_regex"
}
],
"transformers": [
"lowercase"
]
}
]
}
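Review bot: The `regex` of rule crs-921-110 lists `propatch` in its HTTP-method alternation, which does not match the WebDAV method `PROPPATCH`; this looks copied from the upstream ruleset and is harmless here because the test only reads the `address` fields, but if this fixture is ever reused for end-to-end rule evaluation that method would go undetected. If the file is meant to mirror the upstream rules verbatim, leave it; otherwise change the token to `proppatch`.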
