Add rasp capabilities in RC (#4672)
uurien authored and juan-fernandez committed Oct 1, 2024
1 parent 7cfe5db commit fbaee92
Showing 3 changed files with 60 additions and 3 deletions.
2 changes: 2 additions & 0 deletions packages/dd-trace/src/appsec/remote_config/capabilities.js
Expand Up @@ -17,5 +17,7 @@ module.exports = {
APM_TRACING_HTTP_HEADER_TAGS: 1n << 14n,
APM_TRACING_CUSTOM_TAGS: 1n << 15n,
APM_TRACING_ENABLED: 1n << 19n,
ASM_RASP_SQLI: 1n << 21n,
ASM_RASP_SSRF: 1n << 23n,
APM_TRACING_SAMPLE_RULES: 1n << 29n
}
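Review bot: The two new entries jump from bit 19 to bits 21 and 23 with no comment explaining the gaps at 20 and 22. These constants are what `rc.updateCapabilities` is called with, so a position that drifts from the backend's table would presumably advertise the wrong RASP capability. A short comment above the pair would make the intent explicit, for example `// RASP capability bits; positions are fixed by the remote-config protocol, 20 and 22 are not used by this tracer`. The `module.exports` object starts above the hunk.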
8 changes: 8 additions & 0 deletions packages/dd-trace/src/appsec/remote_config/index.js
Expand Up @@ -76,6 +76,11 @@ function enableWafUpdate (appsecConfig) {
rc.updateCapabilities(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, true)
rc.updateCapabilities(RemoteConfigCapabilities.ASM_TRUSTED_IPS, true)

if (appsecConfig.rasp?.enabled) {
rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SQLI, true)
rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SSRF, true)
}

// TODO: delete noop handlers and kPreUpdate and replace with batched handlers
rc.setProductHandler('ASM_DATA', noop)
rc.setProductHandler('ASM_DD', noop)
Expand All @@ -99,6 +104,9 @@ function disableWafUpdate () {
rc.updateCapabilities(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, false)
rc.updateCapabilities(RemoteConfigCapabilities.ASM_TRUSTED_IPS, false)

rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SQLI, false)
rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SSRF, false)

rc.removeProductHandler('ASM_DATA')
rc.removeProductHandler('ASM_DD')
rc.removeProductHandler('ASM')
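Review bot: In `enableWafUpdate` the two RASP bits are gated only on the configuration flag `appsecConfig.rasp?.enabled`, so SQLi and SSRF protection are advertised as a pair whether or not the corresponding RASP instrumentation actually started. If either analysis can fail to load or be unavailable on its own (not visible from this hunk), the backend would be told about a protection that is not enforcing. Consider tying each bit to the state of its own RASP module, or at least record the assumption with `// rasp.enabled implies both SQLi and SSRF analysis are active; keep in sync with the RASP module`. `disableWafUpdate` clears both bits unconditionally, which is safe but asymmetric with the guarded enable path; both function bodies extend beyond the hunks shown.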
53 changes: 50 additions & 3 deletions packages/dd-trace/test/appsec/remote_config/index.spec.js
Expand Up @@ -264,7 +264,7 @@ describe('Remote Config index', () => {
})

it('should enable when using default rules', () => {
config.appsec = { enabled: true, rules: null }
config.appsec = { enabled: true, rules: null, rasp: { enabled: true } }
remoteConfig.enable(config)
remoteConfig.enableWafUpdate(config.appsec)

Expand All @@ -286,6 +286,10 @@ describe('Remote Config index', () => {
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_TRUSTED_IPS, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SSRF, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SQLI, true)

expect(rc.setProductHandler).to.have.been.calledWith('ASM_DATA')
expect(rc.setProductHandler).to.have.been.calledWith('ASM_DD')
Expand All @@ -294,7 +298,7 @@ describe('Remote Config index', () => {
})

it('should activate if appsec is manually enabled', () => {
config.appsec = { enabled: true }
config.appsec = { enabled: true, rasp: { enabled: true } }
remoteConfig.enable(config)
remoteConfig.enableWafUpdate(config.appsec)

Expand All @@ -316,6 +320,10 @@ describe('Remote Config index', () => {
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_TRUSTED_IPS, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SSRF, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SQLI, true)

expect(rc.setProductHandler).to.have.been.calledWith('ASM_DATA')
expect(rc.setProductHandler).to.have.been.calledWith('ASM_DD')
Expand All @@ -324,7 +332,38 @@ describe('Remote Config index', () => {
})

it('should activate if appsec enabled is not defined', () => {
config.appsec = {}
config.appsec = { rasp: { enabled: true } }
remoteConfig.enable(config)
remoteConfig.enableWafUpdate(config.appsec)

expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_ACTIVATION, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_IP_BLOCKING, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_USER_BLOCKING, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_DD_RULES, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_EXCLUSIONS, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_REQUEST_BLOCKING, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RESPONSE_BLOCKING, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_CUSTOM_RULES, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_TRUSTED_IPS, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SSRF, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SQLI, true)
})

it('should not activate rasp capabilities if rasp is disabled', () => {
config.appsec = { rasp: { enabled: false } }
remoteConfig.enable(config)
remoteConfig.enableWafUpdate(config.appsec)

Expand All @@ -348,6 +387,10 @@ describe('Remote Config index', () => {
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, true)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_TRUSTED_IPS, true)
expect(rc.updateCapabilities)
.to.not.have.been.calledWith(RemoteConfigCapabilities.ASM_RASP_SSRF)
expect(rc.updateCapabilities)
.to.not.have.been.calledWith(RemoteConfigCapabilities.ASM_RASP_SQLI)
})
})

Expand Down Expand Up @@ -375,6 +418,10 @@ describe('Remote Config index', () => {
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, false)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_TRUSTED_IPS, false)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SSRF, false)
expect(rc.updateCapabilities)
.to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SQLI, false)

expect(rc.removeProductHandler).to.have.been.calledWith('ASM_DATA')
expect(rc.removeProductHandler).to.have.been.calledWith('ASM_DD')
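Review bot: The negative test added here ('should not activate rasp capabilities if rasp is disabled') only covers `rasp: { enabled: false }`. The case the `?.` guard in `enableWafUpdate` exists for, an `appsec` config with no `rasp` key at all, appears to have lost its coverage when 'should activate if appsec enabled is not defined' was switched from `{}` to `{ rasp: { enabled: true } }`. A regression that drops the optional chaining, or that defaults the RASP capabilities to on, would pass the current suite. A sibling case for the missing-key configuration closes that gap. The enclosing `describe` block starts and ends outside the hunks.

```javascript
it('should not activate rasp capabilities if rasp is not configured', () => {
  config.appsec = {}
  remoteConfig.enable(config)
  remoteConfig.enableWafUpdate(config.appsec)

  expect(rc.updateCapabilities)
    .to.not.have.been.calledWith(RemoteConfigCapabilities.ASM_RASP_SSRF)
  expect(rc.updateCapabilities)
    .to.not.have.been.calledWith(RemoteConfigCapabilities.ASM_RASP_SQLI)
})
```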
