Skip to content

Commit

Permalink
TEMP!: hardcode RASP SSRF rule & span tag for staging
Browse files Browse the repository at this point in the history
Signed-off-by: Eliott Bouhana <[email protected]>
  • Loading branch information
eliottness committed Mar 25, 2024
1 parent d45c538 commit f36ec4a
Show file tree
Hide file tree
Showing 2 changed files with 62 additions and 0 deletions.
1 change: 1 addition & 0 deletions contrib/net/http/roundtripper.go
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,7 @@ func (rt *roundTripper) RoundTrip(req *http.Request) (res *http.Response, err er
}
}
if appsec.Enabled() {
span.SetTag("_dd.appsec.rasp", "1")
res, err = httpsec.RoundTrip(httpsec.RoundTripArgs{
Ctx: ctx,
Req: r2,
Expand Down
61 changes: 61 additions & 0 deletions internal/appsec/waf.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,8 @@
package appsec

import (
"encoding/json"
"fmt"
"github.com/DataDog/appsec-internal-go/limiter"
waf "github.com/DataDog/go-libddwaf/v2"
"gopkg.in/DataDog/dd-trace-go.v1/internal/appsec/config"
Expand Down Expand Up @@ -74,7 +76,66 @@ func actionFromEntry(e *config.ActionEntry) *sharedsec.Action {
}
}

const raspSSRFRule = `
{
"id": "rasp-934-100",
"name": "Server-side request forgery exploit",
"tags": {
"type": "ssrf",
"category": "vulnerability_trigger",
"cwe": "918",
"capec": "1000/225/115/664",
"confidence": "0",
"module": "rasp"
},
"conditions": [
{
"parameters": {
"resource": [
{
"address": "server.io.net.url"
}
],
"params": [
{
"address": "server.request.query"
},
{
"address": "server.request.body"
},
{
"address": "server.request.path_params"
},
{
"address": "grpc.server.request.message"
},
{
"address": "graphql.server.all_resolvers"
},
{
"address": "graphql.server.resolver"
}
]
},
"operator": "ssrf_detector"
}
],
"transformers": [],
"on_match": [
"stack_trace"
]
}
`

func newWAFHandle(rules config.RulesFragment, cfg *config.Config) (*wafHandle, error) {
var parsedSSRFRule map[string]interface{}
err := json.Unmarshal([]byte(raspSSRFRule), &parsedSSRFRule)
if err != nil {
return nil, fmt.Errorf("failed to parse RASP SSRF rule: %v", err)
}

rules.Rules = append(rules.Rules, parsedSSRFRule)

handle, err := waf.NewHandle(rules, cfg.Obfuscator.KeyRegex, cfg.Obfuscator.ValueRegex)
actions := sharedsec.Actions{
// Default built-in block action
Expand Down

0 comments on commit f36ec4a

Please sign in to comment.