From f36ec4abc78de6353b9fb4e149654ce8cc510656 Mon Sep 17 00:00:00 2001
From: Eliott Bouhana
Date: Mon, 25 Mar 2024 11:45:42 +0100
Subject: [PATCH] TEMP!: hardcode RASP SSRF rule & span tag for staging

Signed-off-by: Eliott Bouhana
---
 contrib/net/http/roundtripper.go | 1 +
 internal/appsec/waf.go | 61 ++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)

diff --git a/contrib/net/http/roundtripper.go b/contrib/net/http/roundtripper.go
index 7212983dd1..376c1953f7 100644
--- a/contrib/net/http/roundtripper.go
+++ b/contrib/net/http/roundtripper.go
@@ -78,6 +78,7 @@ func (rt *roundTripper) RoundTrip(req *http.Request) (res *http.Response, err er
 }
 }
 if appsec.Enabled() {
+ span.SetTag("_dd.appsec.rasp", "1")
 res, err = httpsec.RoundTrip(httpsec.RoundTripArgs{
 Ctx: ctx,
 Req: r2,
diff --git a/internal/appsec/waf.go b/internal/appsec/waf.go
index 8e74bfca89..9af059a2b0 100644
--- a/internal/appsec/waf.go
+++ b/internal/appsec/waf.go
@@ -6,6 +6,8 @@ package appsec
 
 import (
+ "encoding/json"
+ "fmt"
 "github.com/DataDog/appsec-internal-go/limiter"
 waf "github.com/DataDog/go-libddwaf/v2"
 "gopkg.in/DataDog/dd-trace-go.v1/internal/appsec/config"
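Review bot: The added `span.SetTag("_dd.appsec.rasp", "1")` marks every outgoing request as a RASP event whenever AppSec is enabled, before `httpsec.RoundTrip` has evaluated anything, so the tag carries no information about whether the SSRF rule actually matched and will presumably flood staging with RASP-tagged spans that are indistinguishable from real detections. Setting the tag after the `httpsec.RoundTrip` call, only when the WAF reports a match, or gating it on the staging toggle the commit title refers to, keeps it meaningful for the backend. Since the title marks this as temporary, a `// TODO(<tracking-issue>): remove hardcoded RASP tag before release` comment on the added line would make the cleanup visible to later readers. `span` is declared outside the hunk, as is the rest of RoundTrip, so whether it can be nil at this point is not visible here.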
@@ -74,7 +76,66 @@ func actionFromEntry(e *config.ActionEntry) *sharedsec.Action {
 }
 }
 
+const raspSSRFRule = `
+{
+ "id": "rasp-934-100",
+ "name": "Server-side request forgery exploit",
+ "tags": {
+ "type": "ssrf",
+ "category": "vulnerability_trigger",
+ "cwe": "918",
+ "capec": "1000/225/115/664",
+ "confidence": "0",
+ "module": "rasp"
+ },
+ "conditions": [
+ {
+ "parameters": {
+ "resource": [
+ {
+ "address": "server.io.net.url"
+ }
+ ],
+ "params": [
+ {
+ "address": "server.request.query"
+ },
+ {
+ "address": "server.request.body"
+ },
+ {
+ "address": "server.request.path_params"
+ },
+ {
+ "address": "grpc.server.request.message"
+ },
+ {
+ "address": "graphql.server.all_resolvers"
+ },
+ {
+ "address": "graphql.server.resolver"
+ }
+ ]
+ },
+ "operator": "ssrf_detector"
+ }
+ ],
+ "transformers": [],
+ "on_match": [
+ "stack_trace"
+ ]
+}
+`
+
 func newWAFHandle(rules config.RulesFragment, cfg *config.Config) (*wafHandle, error) {
+ var parsedSSRFRule map[string]interface{}
+ err := json.Unmarshal([]byte(raspSSRFRule), &parsedSSRFRule)
+ if err != nil {
+ return nil, fmt.Errorf("failed to parse RASP SSRF rule: %v", err)
+ }
+
+ rules.Rules = append(rules.Rules, parsedSSRFRule)
+
 handle, err := waf.NewHandle(rules, cfg.Obfuscator.KeyRegex, cfg.Obfuscator.ValueRegex)
 actions := sharedsec.Actions{
 // Default built-in block action
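Review bot: The hardcoded `rasp-934-100` rule is appended to every fragment handed to `newWAFHandle`, including rule sets delivered by remote configuration, with no check for an entry that already carries that id, so a ruleset that ships the same rule would reach `waf.NewHandle` with a duplicate and presumably be rejected or double-report; a loop over `rules.Rules` that skips the append when an entry already has `"id": "rasp-934-100"` (assuming `rules.Rules` is a slice of rule maps), plus a `// TODO(<tracking-issue>): remove once the rule ships via remote config` comment on the constant, would make both the guard and the temporary nature explicit. Because `rules` is passed by value but `rules.Rules` shares its backing array with the caller, the `append` can write into the caller's spare capacity; `rules.Rules = append(rules.Rules[:len(rules.Rules):len(rules.Rules)], parsedSSRFRule)` forces a fresh array without naming the element type. The error should wrap rather than format and drop the redundant prefix: `return nil, fmt.Errorf("parsing RASP SSRF rule: %w", err)`. The constant never changes at run time, so decoding it on every handle rebuild could be hoisted to a package-level variable initialised once. The body of `newWAFHandle` continues past the end of the hunk.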