
Exploit Prevention LFI #4676

Merged: 36 commits merged into master from igor/lfi-exploit-prevention on Oct 8, 2024

Conversation

iunanua (Contributor) commented Sep 12, 2024

What does this PR do?

  • Add new AppsecFsPlugin to mark child fs operations and to mark excluded operations when express is rendering views.
  • Add LFI analyzer
  • Discard fs child operations in IAST PathTraversalAnalyzer
  • Include ASM_RASP_LFI RC capability

ST DataDog/system-tests#3024

Motivation

Plugin Checklist

Additional Notes

github-actions bot commented Sep 12, 2024

Overall package size

Self size: 7.4 MB
Deduped: 62.8 MB
No deduping: 63.08 MB

Dependency sizes

| name | version | self size | total size |
|------|---------|-----------|------------|
| @datadog/native-appsec | 8.1.1 | 18.67 MB | 18.68 MB |
| @datadog/native-iast-taint-tracking | 3.1.0 | 12.27 MB | 12.28 MB |
| @datadog/pprof | 5.3.0 | 9.85 MB | 10.22 MB |
| protobufjs | 7.2.5 | 2.77 MB | 5.16 MB |
| @datadog/native-iast-rewriter | 2.4.1 | 2.14 MB | 2.23 MB |
| @opentelemetry/core | 1.14.0 | 872.87 kB | 1.47 MB |
| @datadog/native-metrics | 2.0.0 | 898.77 kB | 1.3 MB |
| @opentelemetry/api | 1.8.0 | 1.21 MB | 1.21 MB |
| jsonpath-plus | 9.0.0 | 580.4 kB | 1.03 MB |
| import-in-the-middle | 1.11.2 | 112.74 kB | 826.22 kB |
| msgpack-lite | 0.1.26 | 201.16 kB | 281.59 kB |
| opentracing | 0.14.7 | 194.81 kB | 194.81 kB |
| pprof-format | 2.1.0 | 111.69 kB | 111.69 kB |
| @datadog/sketches-js | 2.1.0 | 109.9 kB | 109.9 kB |
| semver | 7.6.3 | 95.82 kB | 95.82 kB |
| lodash.sortby | 4.7.0 | 75.76 kB | 75.76 kB |
| lru-cache | 7.14.0 | 74.95 kB | 74.95 kB |
| ignore | 5.3.1 | 51.46 kB | 51.46 kB |
| int64-buffer | 0.1.10 | 49.18 kB | 49.18 kB |
| shell-quote | 1.8.1 | 44.96 kB | 44.96 kB |
| istanbul-lib-coverage | 3.2.0 | 29.34 kB | 29.34 kB |
| rfdc | 1.3.1 | 25.21 kB | 25.21 kB |
| tlhunter-sorted-set | 0.1.0 | 24.94 kB | 24.94 kB |
| limiter | 1.1.5 | 23.17 kB | 23.17 kB |
| dc-polyfill | 0.1.4 | 23.1 kB | 23.1 kB |
| retry | 0.13.1 | 18.85 kB | 18.85 kB |
| jest-docblock | 29.7.0 | 8.99 kB | 12.76 kB |
| crypto-randomuuid | 1.0.0 | 11.18 kB | 11.18 kB |
| koalas | 1.0.2 | 6.47 kB | 6.47 kB |
| path-to-regexp | 0.1.10 | 6.38 kB | 6.38 kB |
| module-details-from-path | 1.0.3 | 4.47 kB | 4.47 kB |

🤖 This report was automatically generated by heaviest-objects-in-the-universe

pr-commenter bot commented Sep 12, 2024

Benchmarks

Benchmark execution time: 2024-10-07 12:55:17

Comparing candidate commit 8efbd70 in PR branch igor/lfi-exploit-prevention with baseline commit d024777 in branch master.

Found 0 performance improvements and 1 performance regressions! Performance is the same for 258 metrics, 7 unstable metrics.

scenario:appsec-iast-startup-time-iast-enabled-18

  • 🟥 instructions [+156.2M instructions; +174.4M instructions] or [+5.248%; +5.860%]

@iunanua iunanua force-pushed the igor/lfi-exploit-prevention branch from b1efbeb to bb85c99 September 12, 2024 12:12
@iunanua iunanua force-pushed the igor/lfi-exploit-prevention branch from 349155f to e626f7b September 12, 2024 13:10
@iunanua iunanua marked this pull request as ready for review September 13, 2024 13:36
@iunanua iunanua requested review from a team as code owners September 13, 2024 13:36
@iunanua iunanua marked this pull request as draft September 13, 2024 13:52
* Delay Appsec fs plugin subscription to fs:operations until the first req is received

* disable rasp in tests

* fix tests recursive call

* Avoid multiple subscriptions to incomingHttpRequestStart

* another try

* replace spy with stub

* execute unsubscribe asynchronously

* sinon.assert async

* clarify comment
uurien (Collaborator) left a comment

Please also change the title of the PR to something like "Exploit Prevention LFI" instead of "rasp lfi" (and use it in the squash-and-merge commit title).

Files with review comments:

  • packages/dd-trace/src/appsec/iast/index.js (outdated, resolved)
  • packages/dd-trace/src/appsec/rasp/lfi.js (resolved)
  • packages/dd-trace/test/appsec/index.express.plugin.spec.js (outdated, resolved)
  • packages/dd-trace/test/appsec/index.spec.js (outdated, resolved)
  • packages/dd-trace/test/appsec/response_blocking.spec.js (outdated, resolved)
@iunanua iunanua changed the title rasp lfi Exploit Prevention LFI Sep 30, 2024
uurien
uurien previously approved these changes Oct 3, 2024
uurien
uurien previously approved these changes Oct 4, 2024
@iunanua iunanua merged commit 111a156 into master Oct 8, 2024
196 checks passed
@iunanua iunanua deleted the igor/lfi-exploit-prevention branch October 8, 2024 08:05
bengl pushed a commit that referenced this pull request Oct 16, 2024
* rasp lfi and iast using rasp fs-plugin

* Add rasp lfi capability in RC

* Handle aborted operations in fs instrumentation

* enable test without express

* cleanup and console log to debug test error

* Do not throw

* another test

* Try increasing timeout

* Enable debug again

* Enable debug again

* increase timeout a lot

* increase timeout more

* New lfi test

* Increase test timeout

* print all errors

* remote debug info

* Handle the different invocation cases

* Handle non string properties

* specify types to be analyzed

* a bunch of tests

* clean up

* rasp lfi subs delayed (#4715)

* Delay Appsec fs plugin subscription to fs:operations until the first req is received

* disable rasp in tests

* fix tests recursive call

* Avoid multiple subscriptions to incomingHttpRequestStart

* another try

* replace spy with stub

* execute unsubscribe asynchronously

* sinon.assert async

* clarify comment

* Use a constant

* Do not enable rasp in some tests

* Remove not needed config property

* Rename properties

* Test iast and rasp fs-plugin subscription order

* Avoid multiple analyzeLfi subscriptions

* Block synchronous operations

* Include synchronous blocking integration test

* Test refactor

* rename test file

* Cleanup
bengl pushed a commit that referenced this pull request Oct 16, 2024 (same commit message as above)
3 participants