Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[APPSEC-10967] ASM API security. Schema extraction #3131

Merged
merged 7 commits into from
Sep 18, 2023

Conversation

GustavoCaso
Copy link
Member

@GustavoCaso GustavoCaso commented Sep 14, 2023

What does this PR do?

This PR adds the necessary bits to enable API Security's new feature. Schema Extraction 🎉

To enable that, we need the latest version of libddwaf 1.14.0. At the end request lifecycle, we would call the WAF to extract the schema of the different WAF addresses. Calling schema extraction is gated via specific configuration: DD_EXPERIMENTAL_API_SECURITY_ENABLED and DD_API_SECURITY_REQUEST_SAMPLE_RATE

The schema extraction information is appended to the top-level span attributes so the backend can later process it.

At the moment, the processor configuration is not part of the static WAF rules, so we need to make sure we always include it as part of the Handle rules. We store the processor configuration at the same pace as the WAF rule.

To better review the changes, I split the work into separate commits. I recommend reading individual commits to make it easier to understand the changes. Another suggestion is to filter out all the .lock file changes. Here is a handy link to filter out those files

Motivation:

Additional Notes:

There are a few missing features of the API Secuirty RFC that would be implemented on the following PRs

  • Compress schema information
  • Add support for the new WAF address server.response.body

How to test the change?

For Datadog employees:

  • If this PR touches code that signs or publishes builds or packages, or handles
    credentials of any kind, I've requested a review from @DataDog/security-design-and-guidance.
  • This PR doesn't touch any of that.

Unsure? Have a question? Request a review!

@github-actions github-actions bot added appsec Application Security monitoring product integrations Involves tracing integrations labels Sep 14, 2023
@GustavoCaso GustavoCaso force-pushed the asm-api-security-extract-schemas branch 2 times, most recently from 95c40cb to 3837125 Compare September 15, 2023 12:04
@GustavoCaso GustavoCaso changed the title ASM API security. Schema collection [APPSEC-10967] ASM API security. Schema extraction Sep 15, 2023
@GustavoCaso GustavoCaso marked this pull request as ready for review September 15, 2023 12:14
@GustavoCaso GustavoCaso requested review from a team and lloeki September 15, 2023 12:14
@GustavoCaso GustavoCaso force-pushed the asm-api-security-extract-schemas branch 2 times, most recently from b82f8e7 to df79586 Compare September 15, 2023 13:30
Copy link
Member

@lloeki lloeki left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, a few notes but nothing consequential or worth a block.

@@ -16,8 +18,13 @@ def initialize(version1, version2)
end
end

DEFAULT_PROCESSORS = JSON.parse(Datadog::AppSec::Assets.waf_processors)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd call that DEFAULT_WAF_PROCESSORS to materialize the distinction with AppSec::Processor

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would also refrain from reading+parsing that file + setting that constant at file load time. I'd rather have that be a memoized method.

@@ -10,6 +10,10 @@ def waf_rules(kind = :recommended)
read("waf_rules/#{kind}.json")
end

def waf_processors
read('waf_rules/processors.json')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ha our Appsec::Processor naming is a bit unfortunate. Let's make sure there's no confusion in our code.

@@ -62,7 +62,7 @@ Gem::Specification.new do |spec|
spec.add_dependency 'debase-ruby_core_source', '= 3.2.1'

# Used by appsec
spec.add_dependency 'libddwaf', '~> 1.11.0.0.0'
spec.add_dependency 'libddwaf', '~> 1.14.0.0.0'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make sure to update libddwaf signatures in vendor/rbs

Comment on lines +78 to +86
result = scope.processor_context.extract_schema

if result
scope.processor_context.events << {
trace: scope.trace,
span: scope.service_entry_span,
waf_result: result,
}
end
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm confused by this, the extracted schema is a waf result, and stored in the events list?

Comment on lines +108 to +114
waf_result = event[:waf_result]
tags['_dd.appsec.triggers'] ||= []
tags['_dd.appsec.triggers'] += event[:waf_result].events
tags['_dd.appsec.triggers'] += waf_result.events

waf_result.derivatives.each do |key, value|
tags[key] = JSON.dump(value)
end
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm I think I get it now, but coming back to this after a long time I feel some confusion.

Comment on lines +42 to +48
input = {
'waf.context.processor' => {
'extract-schema' => true
}
}

_code, res = @context.run(input, WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This libddwaf API looks very strange, which might be the root cause of my confusion.

@GustavoCaso GustavoCaso force-pushed the asm-api-security-extract-schemas branch from 2e003b0 to b47295e Compare September 18, 2023 13:22
@GustavoCaso GustavoCaso merged commit 1511f99 into master Sep 18, 2023
175 of 176 checks passed
@GustavoCaso GustavoCaso deleted the asm-api-security-extract-schemas branch September 18, 2023 14:57
@github-actions github-actions bot added this to the 1.15.0 milestone Sep 18, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
appsec Application Security monitoring product integrations Involves tracing integrations
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants