From fbaee9214d93633ecc988f4bea76da005ed882ad Mon Sep 17 00:00:00 2001
From: Ugaitz Urien
Date: Wed, 11 Sep 2024 17:02:11 +0200
Subject: [PATCH] Add rasp capabilities in RC (#4672)
---
 .../src/appsec/remote_config/capabilities.js | 2 +
 .../src/appsec/remote_config/index.js | 8 +++
 .../test/appsec/remote_config/index.spec.js | 53 +++++++++++++++++--
 3 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/packages/dd-trace/src/appsec/remote_config/capabilities.js b/packages/dd-trace/src/appsec/remote_config/capabilities.js
index 6e320493336..f42d7358203 100644
--- a/packages/dd-trace/src/appsec/remote_config/capabilities.js
+++ b/packages/dd-trace/src/appsec/remote_config/capabilities.js
@@ -17,5 +17,7 @@ module.exports = {
 APM_TRACING_HTTP_HEADER_TAGS: 1n << 14n,
 APM_TRACING_CUSTOM_TAGS: 1n << 15n,
 APM_TRACING_ENABLED: 1n << 19n,
+ ASM_RASP_SQLI: 1n << 21n,
+ ASM_RASP_SSRF: 1n << 23n,
 APM_TRACING_SAMPLE_RULES: 1n << 29n
 }
diff --git a/packages/dd-trace/src/appsec/remote_config/index.js b/packages/dd-trace/src/appsec/remote_config/index.js
index a1bd2a22b8c..b63b3690102 100644
--- a/packages/dd-trace/src/appsec/remote_config/index.js
+++ b/packages/dd-trace/src/appsec/remote_config/index.js
@@ -76,6 +76,11 @@ function enableWafUpdate (appsecConfig) {
 rc.updateCapabilities(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, true)
 rc.updateCapabilities(RemoteConfigCapabilities.ASM_TRUSTED_IPS, true)
+ if (appsecConfig.rasp?.enabled) {
+ rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SQLI, true)
+ rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SSRF, true)
+ }
+
 // TODO: delete noop handlers and kPreUpdate and replace with batched handlers
 rc.setProductHandler('ASM_DATA', noop)
 rc.setProductHandler('ASM_DD', noop)
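Review bot: Inside `if (appsecConfig.rasp?.enabled)` the two RASP capabilities are only ever switched on; when RASP is off this hunk leaves them untouched instead of setting them to false. If enableWafUpdate can run again after the RASP setting has changed (not visible here), the tracer would keep advertising ASM_RASP_SQLI and ASM_RASP_SSRF to the remote-config backend while RASP is disabled, which would presumably give the backend a wrong picture of which exploit-prevention rules are being enforced. Passing the flag through avoids that: `const raspEnabled = Boolean(appsecConfig.rasp?.enabled)` followed by `rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SQLI, raspEnabled)` and the same call for ASM_RASP_SSRF. The new 'rasp is disabled' test would then assert `calledWithExactly(..., false)` rather than not-called. enableWafUpdate starts before and continues past this hunk.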
@@ -99,6 +104,9 @@ function disableWafUpdate () {
 rc.updateCapabilities(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, false)
 rc.updateCapabilities(RemoteConfigCapabilities.ASM_TRUSTED_IPS, false)
+ rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SQLI, false)
+ rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SSRF, false)
+
 rc.removeProductHandler('ASM_DATA')
 rc.removeProductHandler('ASM_DD')
 rc.removeProductHandler('ASM')
diff --git a/packages/dd-trace/test/appsec/remote_config/index.spec.js b/packages/dd-trace/test/appsec/remote_config/index.spec.js
index d04e9f5592b..fd923c9a92b 100644
--- a/packages/dd-trace/test/appsec/remote_config/index.spec.js
+++ b/packages/dd-trace/test/appsec/remote_config/index.spec.js
@@ -264,7 +264,7 @@ describe('Remote Config index', () => {
 })
 it('should enable when using default rules', () => {
- config.appsec = { enabled: true, rules: null }
+ config.appsec = { enabled: true, rules: null, rasp: { enabled: true } }
 remoteConfig.enable(config)
 remoteConfig.enableWafUpdate(config.appsec)
@@ -286,6 +286,10 @@ describe('Remote Config index', () => {
 .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, true)
 expect(rc.updateCapabilities)
 .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_TRUSTED_IPS, true)
+ expect(rc.updateCapabilities)
+ .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SSRF, true)
+ expect(rc.updateCapabilities)
+ .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SQLI, true)
 expect(rc.setProductHandler).to.have.been.calledWith('ASM_DATA')
 expect(rc.setProductHandler).to.have.been.calledWith('ASM_DD')
@@ -294,7 +298,7 @@ describe('Remote Config index', () => {
 })
 it('should activate if appsec is manually enabled', () => {
- config.appsec = { enabled: true }
+ config.appsec = { enabled: true, rasp: { enabled: true } }
 remoteConfig.enable(config)
 remoteConfig.enableWafUpdate(config.appsec)
@@ -316,6 +320,10 @@ describe('Remote Config index', () => {
 .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, true)
 expect(rc.updateCapabilities)
 .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_TRUSTED_IPS, true)
+ expect(rc.updateCapabilities)
+ .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SSRF, true)
+ expect(rc.updateCapabilities)
+ .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SQLI, true)
 expect(rc.setProductHandler).to.have.been.calledWith('ASM_DATA')
 expect(rc.setProductHandler).to.have.been.calledWith('ASM_DD')
@@ -324,7 +332,38 @@ describe('Remote Config index', () => {
 })
 it('should activate if appsec enabled is not defined', () => {
- config.appsec = {}
+ config.appsec = { rasp: { enabled: true } }
+ remoteConfig.enable(config)
+ remoteConfig.enableWafUpdate(config.appsec)
+
+ expect(rc.updateCapabilities)
+ .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_ACTIVATION, true)
+ expect(rc.updateCapabilities)
+ .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_IP_BLOCKING, true)
+ expect(rc.updateCapabilities)
+ .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_USER_BLOCKING, true)
+ expect(rc.updateCapabilities)
+ .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_DD_RULES, true)
+ expect(rc.updateCapabilities)
+ .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_EXCLUSIONS, true)
+ expect(rc.updateCapabilities)
+ .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_REQUEST_BLOCKING, true)
+ expect(rc.updateCapabilities)
+ .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RESPONSE_BLOCKING, true)
+ expect(rc.updateCapabilities)
+ .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_CUSTOM_RULES, true)
+ expect(rc.updateCapabilities)
+ .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, true)
+ expect(rc.updateCapabilities)
+ .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_TRUSTED_IPS, true)
+ expect(rc.updateCapabilities)
+ .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SSRF, true)
+ expect(rc.updateCapabilities)
+ .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SQLI, true)
+ })
+
+ it('should not activate rasp capabilities if rasp is disabled', () => {
+ config.appsec = { rasp: { enabled: false } }
 remoteConfig.enable(config)
 remoteConfig.enableWafUpdate(config.appsec)
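Review bot: The input where `appsec.rasp` is missing altogether is no longer exercised. This hunk changes the `config.appsec = {}` fixture of 'should activate if appsec enabled is not defined' to `{ rasp: { enabled: true } }`, and the new negative test only uses `rasp: { enabled: false }`. The `?.` in `appsecConfig.rasp?.enabled` exists for exactly that input, so a regression there (a throw, or the RASP capabilities being advertised by default) would go unnoticed. A further case with an empty appsec config that asserts neither RASP capability reaches updateCapabilities would cover it. The body of the new 'rasp is disabled' test continues in the next hunk.

```javascript
it('should not activate rasp capabilities if rasp is not defined', () => {
  config.appsec = {}
  remoteConfig.enable(config)
  remoteConfig.enableWafUpdate(config.appsec)

  expect(rc.updateCapabilities)
    .to.not.have.been.calledWith(RemoteConfigCapabilities.ASM_RASP_SSRF)
  expect(rc.updateCapabilities)
    .to.not.have.been.calledWith(RemoteConfigCapabilities.ASM_RASP_SQLI)
})
```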
@@ -348,6 +387,10 @@ describe('Remote Config index', () => {
 .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, true)
 expect(rc.updateCapabilities)
 .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_TRUSTED_IPS, true)
+ expect(rc.updateCapabilities)
+ .to.not.have.been.calledWith(RemoteConfigCapabilities.ASM_RASP_SSRF)
+ expect(rc.updateCapabilities)
+ .to.not.have.been.calledWith(RemoteConfigCapabilities.ASM_RASP_SQLI)
 })
 })
@@ -375,6 +418,10 @@ describe('Remote Config index', () => {
 .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, false)
 expect(rc.updateCapabilities)
 .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_TRUSTED_IPS, false)
+ expect(rc.updateCapabilities)
+ .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SSRF, false)
+ expect(rc.updateCapabilities)
+ .to.have.been.calledWithExactly(RemoteConfigCapabilities.ASM_RASP_SQLI, false)
 expect(rc.removeProductHandler).to.have.been.calledWith('ASM_DATA')
 expect(rc.removeProductHandler).to.have.been.calledWith('ASM_DD')