Merge branch 'main' into cbeauchesne/ruby-healthcheck

docs/weblog/README.md

@@ -175,6 +175,22 @@ must set the appropriate tag in the span to `tainted_value` and return a respons
 
 The goal is to be able to easily test if a request was blocked before reaching the server code or after by looking at the span and also test security rules on reponse status code or response header content.
 
+### GET /iast/insecure-cookie/test_secure
+
+This endpoint should set at least one cookie with all security flags (Secure, HttpOnly, SameSite=Strict) to prevent any vulnerabilities from being detected.
+
+### GET /iast/insecure-cookie/test_insecure
+
+This endpoint should set a cookie with all security flags except Secure, to detect only the INSECURE_COOKIE vulnerability.
+
+### POST /iast/insecure-cookie/custom_cookie
+
+This endpoint should set a cookie with the name and value coming from the request body (using the cookieName and cookieValue properties), with all security flags except Secure, to detect only the INSECURE_COOKIE vulnerability.
+
+### GET /iast/insecure-cookie/test_empty_cookie
+
+This endpoint should set a cookie with empty cookie value without Secure flag, INSECURE_COOKIE vulnerability shouldn't be detected.
+
 ### GET /iast/insecure_hashing/deduplicate
 
 Parameterless endpoint. This endpoint contains a vulnerable souce code line (weak hash) in a loop with at least two iterations.
@@ -197,6 +213,38 @@ The endpoint executes a unique operation of String hashing with unsecure MD5 alg
 
 Parameterless endpoint. This endpoint contains a hardcoded secret. The declaration of the hardcoded secret should be sufficient to trigger the vulnerability, so returning it in the response is optional.
 
+### GET /iast/no-httponly-cookie/test_secure
+
+This endpoint should set at least one cookie with all security flags (Secure, HttpOnly, SameSite=Strict) to prevent any vulnerabilities from being detected.
+
+### GET /iast/no-httponly-cookie/test_insecure
+
+This endpoint should set a cookie with all security flags except HttpOnly, to detect only the NO_HTTPONLY_COOKIE vulnerability.
+
+### GET /iast/no-httponly-cookie/test_empty_cookie
+
+This endpoint should set a cookie with empty cookie value without HttpOnly flag, NO_HTTPONLY_COOKIE vulnerability shouldn't be detected.
+
+### POST /iast/no-httponly-cookie/custom_cookie
+
+This endpoint should set a cookie with the name and value coming from the request body (using the cookieName and cookieValue properties), with all security flags except HttpOnly, to detect only the NO_HTTPONLY_COOKIE vulnerability.
+
+### GET /iast/no-samesite-cookie/test_secure
+
+This endpoint should set at least one cookie with all security flags (Secure, HttpOnly, SameSite=Strict) to prevent any vulnerabilities from being detected.
+
+### GET /iast/no-samesite-cookie/test_insecure
+
+This endpoint should set a cookie with all security flags except SameSite=Strict, to detect only the NO_SAMESITE_COOKIE vulnerability.
+
+### GET /iast/no-samesite-cookie/test_empty_cookie
+
+This endpoint should set a cookie with empty cookie value without SameSite=Strict flag, NO_SAMESITE_COOKIE vulnerability shouldn't be detected.
+
+### POST /iast/no-samesite-cookie/custom_cookie
+
+This endpoint should set a cookie with the name and value coming from the request body (using the cookieName and cookieValue properties), with all security flags except SameSite=Strict, to detect only the NO_SAMESITE_COOKIE vulnerability.
+
 ### \[GET, POST\] /iast/source/*
 
 This group of endpoints should trigger vulnerabilities detected by IAST with untrusted data coming from certain sources. The used vulnerability is irrelevant. It could be a command injection, SQL injection, or something else.
@@ -652,9 +700,7 @@ Returns a JSON dict, with those values :
     "status": "ok",
     "library": {
       "language": "<language>",  // one of cpp, dotnet, golang, java, nodejs, php, python, ruby
-      "version": "1.2.3",  // version of the library
-      "libddwaf_version": "4.5.6"  // version of libddwaf,
-      "appsec_event_rules_version": "7.8.9"  // version of appsec event rules
+      "version": "1.2.3"  // version of the library
     }
   }
 ```

manifests/dotnet.yml

@@ -42,12 +42,15 @@ tests/:
           Test_InsecureAuthProtocol: v2.49.0
         test_insecure_cookie.py:
           TestInsecureCookie: v2.39.0
+          TestInsecureCookieNameFilter: missing_feature
         test_ldap_injection.py:
           TestLDAPInjection: v2.36.0
         test_no_httponly_cookie.py:
           TestNoHttponlyCookie: v2.39.0
+          TestNoHttponlyCookieNameFilter: missing_feature
         test_no_samesite_cookie.py:
           TestNoSamesiteCookie: v2.39.0
+          TestNoSamesiteCookieNameFilter: missing_feature
         test_nosql_mongodb_injection.py:
           TestNoSqlMongodbInjection: v2.47.0
         test_path_traversal.py:

manifests/golang.yml

@@ -51,12 +51,15 @@ tests/:
           Test_InsecureAuthProtocol: missing_feature
         test_insecure_cookie.py:
           TestInsecureCookie: missing_feature
+          TestInsecureCookieNameFilter: missing_feature
         test_ldap_injection.py:
           TestLDAPInjection: missing_feature
         test_no_httponly_cookie.py:
           TestNoHttponlyCookie: missing_feature
+          TestNoHttponlyCookieNameFilter: missing_feature
         test_no_samesite_cookie.py:
           TestNoSamesiteCookie: missing_feature
+          TestNoSamesiteCookieNameFilter: missing_feature
         test_nosql_mongodb_injection.py:
           TestNoSqlMongodbInjection: missing_feature
         test_path_traversal.py:

manifests/java.yml

@@ -116,6 +116,7 @@ tests/:
             play: missing_feature
             ratpack: missing_feature
             spring-boot-3-native: missing_feature
+          TestInsecureCookieNameFilter: missing_feature
         test_ldap_injection.py:
           TestLDAPInjection:
             '*': v1.3.0
@@ -134,13 +135,15 @@ tests/:
             play: missing_feature
             ratpack: missing_feature
             spring-boot-3-native: missing_feature
+          TestNoHttponlyCookieNameFilter: missing_feature
         test_no_samesite_cookie.py:
           TestNoSamesiteCookie:
             '*': v1.18.0
             akka-http: missing_feature
             play: missing_feature
             ratpack: missing_feature
             spring-boot-3-native: missing_feature
+          TestNoSamesiteCookieNameFilter: missing_feature
         test_nosql_mongodb_injection.py:
           TestNoSqlMongodbInjection: missing_feature
         test_path_traversal.py:

manifests/nodejs.yml

@@ -36,6 +36,7 @@ refs:
   - &ref_5_20_0 '>=5.20.0 || ^4.44.0'
   - &ref_5_22_0 '>=5.22.0 || ^4.46.0'
   - &ref_5_23_0 '>=5.23.0 || ^4.47.0'
+  - &ref_5_24_0 '>=5.24.0 || ^4.48.0'
 
 tests/:
   apm_tracing_e2e/:
@@ -102,6 +103,7 @@ tests/:
           TestInsecureCookie:
             '*': *ref_4_1_0
             nextjs: missing_feature
+          TestInsecureCookieNameFilter: missing_feature
         test_ldap_injection.py:
           TestLDAPInjection:
             '*': *ref_4_1_0
@@ -110,10 +112,12 @@ tests/:
           TestNoHttponlyCookie:
             '*': *ref_4_3_0
             nextjs: missing_feature
+          TestNoHttponlyCookieNameFilter: missing_feature
         test_no_samesite_cookie.py:
           TestNoSamesiteCookie:
             '*': *ref_4_3_0
             nextjs: missing_feature
+          TestNoSamesiteCookieNameFilter: missing_feature
         test_nosql_mongodb_injection.py:
           TestNoSqlMongodbInjection:
             '*': *ref_4_17_0
@@ -375,11 +379,11 @@ tests/:
         '*': *ref_3_13_0
         nextjs: missing_feature
     test_fingerprinting.py:
-      Test_Fingerprinting_Endpoint: missing_feature
-      Test_Fingerprinting_Endpoint_Capability: missing_feature
-      Test_Fingerprinting_Header_And_Network: missing_feature
-      Test_Fingerprinting_Header_Capability: missing_feature
-      Test_Fingerprinting_Network_Capability: missing_feature
+      Test_Fingerprinting_Endpoint: *ref_5_24_0
+      Test_Fingerprinting_Endpoint_Capability: *ref_5_24_0
+      Test_Fingerprinting_Header_And_Network: *ref_5_24_0
+      Test_Fingerprinting_Header_Capability: *ref_5_24_0
+      Test_Fingerprinting_Network_Capability: *ref_5_24_0
       Test_Fingerprinting_Session: missing_feature
       Test_Fingerprinting_Session_Capability: missing_feature
     test_identify.py:

manifests/php.yml

@@ -42,12 +42,15 @@ tests/:
           Test_InsecureAuthProtocol: missing_feature
         test_insecure_cookie.py:
           TestInsecureCookie: missing_feature
+          TestInsecureCookieNameFilter: missing_feature
         test_ldap_injection.py:
           TestLDAPInjection: missing_feature
         test_no_httponly_cookie.py:
           TestNoHttponlyCookie: missing_feature
+          TestNoHttponlyCookieNameFilter: missing_feature
         test_no_samesite_cookie.py:
           TestNoSamesiteCookie: missing_feature
+          TestNoSamesiteCookieNameFilter: missing_feature
         test_nosql_mongodb_injection.py:
           TestNoSqlMongodbInjection: missing_feature
         test_path_traversal.py:

manifests/python.yml

@@ -82,16 +82,19 @@ tests/:
           TestInsecureCookie:
             '*': v1.19.0
             fastapi: missing_feature
+          TestInsecureCookieNameFilter: missing_feature
         test_ldap_injection.py:
           TestLDAPInjection: missing_feature
         test_no_httponly_cookie.py:
           TestNoHttponlyCookie:
             '*': v1.19.0
             fastapi: missing_feature
+          TestNoHttponlyCookieNameFilter: missing_feature
         test_no_samesite_cookie.py:
           TestNoSamesiteCookie:
             '*': v1.19.0
             fastapi: missing_feature
+          TestNoSamesiteCookieNameFilter: missing_feature
         test_nosql_mongodb_injection.py:
           TestNoSqlMongodbInjection: missing_feature
         test_path_traversal.py:
@@ -841,4 +844,4 @@ tests/:
     Test_ProductsDisabled: missing_feature
     Test_Telemetry: v1.16.0
     Test_TelemetrySCAEnvVar: missing_feature
-    Test_TelemetryV2: v1.17.3
+    Test_TelemetryV2: v1.17.3

manifests/ruby.yml

@@ -44,12 +44,15 @@ tests/:
           Test_InsecureAuthProtocol: missing_feature
         test_insecure_cookie.py:
           TestInsecureCookie: missing_feature
+          TestInsecureCookieNameFilter: missing_feature
         test_ldap_injection.py:
           TestLDAPInjection: missing_feature
         test_no_httponly_cookie.py:
           TestNoHttponlyCookie: missing_feature
+          TestNoHttponlyCookieNameFilter: missing_feature
         test_no_samesite_cookie.py:
           TestNoSamesiteCookie: missing_feature
+          TestNoSamesiteCookieNameFilter: missing_feature
         test_nosql_mongodb_injection.py:
           TestNoSqlMongodbInjection: missing_feature
         test_path_traversal.py:

tests/appsec/iast/sink/test_insecure_cookie.py

@@ -3,7 +3,7 @@
 # Copyright 2021 Datadog, Inc.
 
 from utils import context, missing_feature, bug, weblog, features
-from ..utils import BaseSinkTest
+from ..utils import BaseSinkTest, BaseTestCookieNameFilter
 
 
 @features.iast_sink_insecure_cookie
@@ -37,3 +37,11 @@ def test_telemetry_metric_instrumented_sink(self):
     @missing_feature(weblog_variant="vertx4", reason="Metrics not implemented")
     def test_telemetry_metric_executed_sink(self):
         super().test_telemetry_metric_executed_sink()
+
+
+@features.iast_sink_insecure_cookie
+class TestInsecureCookieNameFilter(BaseTestCookieNameFilter):
+    """Test no SameSite cookie name filter."""
+
+    vulnerability_type = "INSECURE_COOKIE"
+    endpoint = "/iast/insecure-cookie/custom_cookie"

tests/appsec/iast/sink/test_no_httponly_cookie.py

@@ -3,7 +3,7 @@
 # Copyright 2021 Datadog, Inc.
 
 from utils import context, missing_feature, bug, weblog, features
-from ..utils import BaseSinkTest
+from ..utils import BaseSinkTest, BaseSinkTestWithoutTelemetry, BaseTestCookieNameFilter
 
 
 @features.iast_sink_http_only_cookie
@@ -37,3 +37,11 @@ def test_telemetry_metric_instrumented_sink(self):
     @missing_feature(weblog_variant="vertx4", reason="Metric not implemented")
     def test_telemetry_metric_executed_sink(self):
         super().test_telemetry_metric_executed_sink()
+
+
+@features.iast_sink_http_only_cookie
+class TestNoHttponlyCookieNameFilter(BaseTestCookieNameFilter):
+    """Test no HttpOnly cookie name filter."""
+
+    vulnerability_type = "NO_HTTPONLY_COOKIE"
+    endpoint = "/iast/no-httponly-cookie/custom_cookie"

tests/appsec/iast/sink/test_no_samesite_cookie.py

@@ -3,7 +3,7 @@
 # Copyright 2021 Datadog, Inc.
 
 from utils import context, missing_feature, bug, weblog, features
-from ..utils import BaseSinkTest
+from ..utils import BaseSinkTest, BaseTestCookieNameFilter
 
 
 @features.iast_sink_samesite_cookie
@@ -37,3 +37,11 @@ def test_telemetry_metric_instrumented_sink(self):
     @missing_feature(weblog_variant="vertx4", reason="Metrics not implemented")
     def test_telemetry_metric_executed_sink(self):
         super().test_telemetry_metric_executed_sink()
+
+
+@features.iast_sink_samesite_cookie
+class TestNoSamesiteCookieNameFilter(BaseTestCookieNameFilter):
+    """Test no SameSite cookie name filter."""
+
+    vulnerability_type = "NO_SAMESITE_COOKIE"
+    endpoint = "/iast/no-samesite-cookie/custom_cookie"

tests/appsec/iast/utils.py

@@ -373,3 +373,24 @@ def test_telemetry_metric_executed_source(self):
             assert len(s["points"]) == 1
             p = s["points"][0]
             assert p[1] >= 1
+
+
+class BaseTestCookieNameFilter:
+    vulnerability_type = None
+    endpoint = None
+
+    def setup_cookie_name_filter(self):
+        prefix = "0" * 36
+        cookieName1 = prefix + "name1"
+        cookieName2 = "name2"
+        cookieName3 = prefix + "name3"
+        self.req1 = weblog.post(self.endpoint, data={"cookieName": cookieName1, "cookieValue": "value1"})
+        self.req2 = weblog.post(self.endpoint, data={"cookieName": cookieName2, "cookieValue": "value2"})
+        self.req3 = weblog.post(self.endpoint, data={"cookieName": cookieName3, "cookieValue": "value3"})
+
+    def test_cookie_name_filter(self):
+        assert_iast_vulnerability(request=self.req1, vulnerability_count=1, vulnerability_type=self.vulnerability_type)
+        assert_iast_vulnerability(request=self.req2, vulnerability_count=1, vulnerability_type=self.vulnerability_type)
+
+        meta_req3 = _get_span_meta(self.req3)
+        assert "_dd.iast.json" not in meta_req3

utils/_context/_scenarios/endtoend.py

@@ -452,14 +452,6 @@ def appsec_rules_file(self):
     def uds_socket(self):
         return self.weblog_container.uds_socket
 
-    @property
-    def libddwaf_version(self):
-        return self.weblog_container.libddwaf_version
-
-    @property
-    def appsec_rules_version(self):
-        return self.weblog_container.appsec_rules_version
-
     @property
     def uds_mode(self):
         return self.weblog_container.uds_mode
@@ -476,7 +468,6 @@ def get_junit_properties(self):
         result["dd_tags[systest.suite.context.library.version]"] = self.library.version
         result["dd_tags[systest.suite.context.weblog_variant]"] = self.weblog_variant
         result["dd_tags[systest.suite.context.sampling_rate]"] = self.weblog_container.tracer_sampling_rate
-        result["dd_tags[systest.suite.context.libddwaf_version]"] = self.weblog_container.libddwaf_version
         result["dd_tags[systest.suite.context.appsec_rules_file]"] = self.weblog_container.appsec_rules_file
 
         return result
@@ -486,6 +477,4 @@ def components(self):
         return {
             "agent": self.agent_version,
             "library": self.library.version,
-            "libddwaf": self.weblog_container.libddwaf_version,
-            "appsec_rules": self.appsec_rules_version,
         }

utils/_context/_scenarios/parametric.py

@@ -453,7 +453,7 @@ def dotnet_library_factory():
 # `binutils` is required by 'install_ddtrace.sh' to call 'strings' command
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y binutils
 
-COPY utils/build/docker/dotnet/install_ddtrace.sh utils/build/docker/dotnet/query-versions.fsx binaries/ /binaries/
+COPY utils/build/docker/dotnet/install_ddtrace.sh binaries/ /binaries/
 RUN /binaries/install_ddtrace.sh
 
 # dotnet restore