Skip to content

Commit

Permalink
Change approach, do not add extra functions
Browse files Browse the repository at this point in the history
  • Loading branch information
@uurien
uurien committed Sep 11, 2024
1 parent e50196f commit d556d51
Show file tree
Hide file tree
Showing 4 changed files with 70 additions and 92 deletions.
6 changes: 0 additions & 6 deletions packages/dd-trace/src/appsec/rasp/index.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,6 @@
const web = require('../../plugins/util/web')
const { setUncaughtExceptionCaptureCallbackStart } = require('../channels')
const { block } = require('../blocking')
const remoteConfig = require('../remote_config')

const ssrf = require('./ssrf')
const sqli = require('./sql_injection')

Expand Down Expand Up @@ -85,17 +83,13 @@ function handleUncaughtExceptionMonitor (err) {
}

function enable (config) {
remoteConfig.enableRaspCapabilities(config.appsec)

ssrf.enable(config)
sqli.enable(config)

process.on('uncaughtExceptionMonitor', handleUncaughtExceptionMonitor)
}

function disable () {
remoteConfig.disableRaspCapabilities()

ssrf.disable()
sqli.disable()

Expand Down
26 changes: 9 additions & 17 deletions packages/dd-trace/src/appsec/remote_config/index.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,11 @@ function enableWafUpdate (appsecConfig) {
rc.updateCapabilities(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, true)
rc.updateCapabilities(RemoteConfigCapabilities.ASM_TRUSTED_IPS, true)

if (appsecConfig.rasp?.enabled) {
rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SQLI, true)
rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SSRF, true)
}

// TODO: delete noop handlers and kPreUpdate and replace with batched handlers
rc.setProductHandler('ASM_DATA', noop)
rc.setProductHandler('ASM_DD', noop)
Expand All @@ -99,6 +104,9 @@ function disableWafUpdate () {
rc.updateCapabilities(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, false)
rc.updateCapabilities(RemoteConfigCapabilities.ASM_TRUSTED_IPS, false)

rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SQLI, false)
rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SSRF, false)

rc.removeProductHandler('ASM_DATA')
rc.removeProductHandler('ASM_DD')
rc.removeProductHandler('ASM')
Expand All @@ -107,26 +115,10 @@ function disableWafUpdate () {
}
}

function enableRaspCapabilities (appsecConfig) {
if (rc && !appsecConfig.rules) {
rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SQLI, true)
rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SSRF, true)
}
}

function disableRaspCapabilities () {
if (rc) {
rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SQLI, false)
rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SSRF, false)
}
}

function noop () {}

module.exports = {
enable,
enableWafUpdate,
disableWafUpdate,
enableRaspCapabilities,
disableRaspCapabilities
disableWafUpdate
}
37 changes: 11 additions & 26 deletions packages/dd-trace/test/appsec/rasp/index.spec.js
View file
Original file line number Diff line number Diff line change
@@ -1,43 +1,28 @@
'use strict'

const proxyquire = require('proxyquire')
const rasp = require('../../../src/appsec/rasp')
const { handleUncaughtExceptionMonitor } = require('../../../src/appsec/rasp')

describe('RASP', () => {
let rasp, remoteConfig

beforeEach(() => {
remoteConfig = {
enableRaspCapabilities: sinon.stub(),
disableRaspCapabilities: sinon.stub()
const config = {
appsec: {
stackTrace: {
enabled: true,
maxStackTraces: 2,
maxDepth: 42
}
}
}

rasp = proxyquire('../../../src/appsec/rasp', {
'../remote_config': remoteConfig
})
rasp.enable(config)
})

afterEach(() => {
sinon.restore()
rasp.disable()
})

describe('enable', () => {
it('should call to enableRaspCapabilities', () => {
const config = { appsec: {} }
rasp.enable(config)

sinon.assert.calledOnceWithExactly(remoteConfig.enableRaspCapabilities, config.appsec)
})
})

describe('disable', () => {
it('should call to disableRaspCapabilities', () => {
rasp.disable()

sinon.assert.calledOnce(remoteConfig.disableRaspCapabilities)
})
})

describe('handleUncaughtExceptionMonitor', () => {
it('should not break with infinite loop of cause', () => {
const err = new Error()
Expand Down
93 changes: 50 additions & 43 deletions packages/dd-trace/test/appsec/remote_config/index.spec.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -264,7 +264,7 @@ describe('Remote Config index', () => {
})

it('should enable when using default rules', () => {
config.appsec = { enabled: true, rules: null }
config.appsec = { enabled: true, rules: null, rasp: { enabled: true } }
remoteConfig.enable(config)
remoteConfig.enableWafUpdate(config.appsec)

Expand All @@ -286,6 +286,10 @@ describe('Remote Config index', () => {
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_TRUSTED_IPS, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SSRF, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SQLI, true)

expect(rc.setProductHandler).to.have.been.calledWith('ASM_DATA')
expect(rc.setProductHandler).to.have.been.calledWith('ASM_DD')
Expand All @@ -294,7 +298,7 @@ describe('Remote Config index', () => {
})

it('should activate if appsec is manually enabled', () => {
config.appsec = { enabled: true }
config.appsec = { enabled: true, rasp: { enabled: true } }
remoteConfig.enable(config)
remoteConfig.enableWafUpdate(config.appsec)

Expand All @@ -316,6 +320,10 @@ describe('Remote Config index', () => {
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_TRUSTED_IPS, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SSRF, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SQLI, true)

expect(rc.setProductHandler).to.have.been.calledWith('ASM_DATA')
expect(rc.setProductHandler).to.have.been.calledWith('ASM_DD')
Expand All @@ -324,7 +332,38 @@ describe('Remote Config index', () => {
})

it('should activate if appsec enabled is not defined', () => {
config.appsec = {}
config.appsec = { rasp: { enabled: true } }
remoteConfig.enable(config)
remoteConfig.enableWafUpdate(config.appsec)

expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_ACTIVATION, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_IP_BLOCKING, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_USER_BLOCKING, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_DD_RULES, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_EXCLUSIONS, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_REQUEST_BLOCKING, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RESPONSE_BLOCKING, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_CUSTOM_RULES, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_TRUSTED_IPS, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SSRF, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SQLI, true)
})

it('should not activate rasp capabilities if rasp is disabled', () => {
config.appsec = { rasp: { enabled: false } }
remoteConfig.enable(config)
remoteConfig.enableWafUpdate(config.appsec)

Expand All @@ -348,6 +387,10 @@ describe('Remote Config index', () => {
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_TRUSTED_IPS, true)
expect(rc.updateCapabilities)
.to.not.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SSRF, true)
expect(rc.updateCapabilities)
.to.not.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SQLI, true)
})
})

Expand Down Expand Up @@ -375,6 +418,10 @@ describe('Remote Config index', () => {
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, false)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_TRUSTED_IPS, false)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SSRF, false)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SQLI, false)

expect(rc.removeProductHandler).to.have.been.calledWith('ASM_DATA')
expect(rc.removeProductHandler).to.have.been.calledWith('ASM_DD')
Expand All @@ -383,44 +430,4 @@ describe('Remote Config index', () => {
})
})
})

describe('enableRaspCapabilities', () => {
describe('enable', () => {
it('should not fail if remote config is not enabled before', () => {
config.appsec = { rasp: { enabled: true } }
remoteConfig.enableRaspCapabilities(config.appsec)

expect(rc.updateCapabilities).to.not.have.been.called
expect(rc.setProductHandler).to.not.have.been.called
})

it('should enable when using default rules', () => {
config.appsec = { enabled: true, rules: null }
remoteConfig.enable(config)
sinon.resetHistory()

remoteConfig.enableRaspCapabilities(config.appsec)

expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SSRF, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SQLI, true)
})
})

describe('disable', () => {
it('should update capabilities', () => {
config.appsec = { enabled: true, rules: null }
remoteConfig.enable(config)
sinon.resetHistory()

remoteConfig.disableRaspCapabilities(config.appsec)

expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SSRF, false)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SQLI, false)
})
})
})
})

0 comments on commit d556d51

Please sign in to comment.