appsec: add sdk body test to contribs

contrib/gin-gonic/gin/gintrace_test.go

@@ -15,6 +15,7 @@ import (
 	"strings"
 	"testing"
 
+	pAppsec "gopkg.in/DataDog/dd-trace-go.v1/appsec"
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/ext"
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/mocktracer"
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer"
@@ -554,6 +555,10 @@ func TestAppSec(t *testing.T) {
 	r.Any("/path0.0/:myPathParam0/path0.1/:myPathParam1/path0.2/:myPathParam2/path0.3/*param3", func(c *gin.Context) {
 		c.String(200, "Hello Params!\n")
 	})
+	r.Any("/body", func(c *gin.Context) {
+		pAppsec.MonitorParsedHTTPBody(c.Request.Context(), "$globals")
+		c.String(200, "Hello Body!\n")
+	})
 
 	srv := httptest.NewServer(r)
 	defer srv.Close()
@@ -630,4 +635,29 @@ func TestAppSec(t *testing.T) {
 		require.True(t, strings.Contains(event, "nfd-000-001"))
 
 	})
+
+	// Test a PHP injection attack via request parsed body
+	t.Run("SDK-body", func(t *testing.T) {
+		mt := mocktracer.Start()
+		defer mt.Stop()
+
+		req, err := http.NewRequest("POST", srv.URL+"/body", nil)
+		if err != nil {
+			panic(err)
+		}
+		res, err := srv.Client().Do(req)
+		require.NoError(t, err)
+
+		// Check that the handler was properly called
+		b, err := ioutil.ReadAll(res.Body)
+		require.NoError(t, err)
+		require.Equal(t, "Hello Body!\n", string(b))
+
+		finished := mt.FinishedSpans()
+		require.Len(t, finished, 1)
+
+		event := finished[0].Tag("_dd.appsec.json")
+		require.NotNil(t, event)
+		require.True(t, strings.Contains(event.(string), "crs-933-130"))
+	})
 }

contrib/go-chi/chi.v4/chi_test.go

@@ -14,6 +14,7 @@ import (
 	"strings"
 	"testing"
 
+	pAppsec "gopkg.in/DataDog/dd-trace-go.v1/appsec"
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/ext"
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/mocktracer"
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer"
@@ -323,6 +324,11 @@ func TestAppSec(t *testing.T) {
 		_, err := w.Write([]byte("Hello World!\n"))
 		require.NoError(t, err)
 	})
+	router.HandleFunc("/body", func(w http.ResponseWriter, r *http.Request) {
+		pAppsec.MonitorParsedHTTPBody(r.Context(), "$globals")
+		_, err := w.Write([]byte("Hello Body!\n"))
+		require.NoError(t, err)
+	})
 
 	srv := httptest.NewServer(router)
 	defer srv.Close()
@@ -379,4 +385,29 @@ func TestAppSec(t *testing.T) {
 		require.True(t, strings.Contains(event, "myPathParam2"))
 		require.True(t, strings.Contains(event, "server.request.path_params"))
 	})
+
+	// Test a PHP injection attack via request parsed body
+	t.Run("SDK-body", func(t *testing.T) {
+		mt := mocktracer.Start()
+		defer mt.Stop()
+
+		req, err := http.NewRequest("POST", srv.URL+"/body", nil)
+		if err != nil {
+			panic(err)
+		}
+		res, err := srv.Client().Do(req)
+		require.NoError(t, err)
+
+		// Check that the handler was properly called
+		b, err := ioutil.ReadAll(res.Body)
+		require.NoError(t, err)
+		require.Equal(t, "Hello Body!\n", string(b))
+
+		finished := mt.FinishedSpans()
+		require.Len(t, finished, 1)
+
+		event := finished[0].Tag("_dd.appsec.json")
+		require.NotNil(t, event)
+		require.True(t, strings.Contains(event.(string), "crs-933-130"))
+	})
 }

contrib/go-chi/chi.v5/chi_test.go

@@ -14,6 +14,7 @@ import (
 	"strings"
 	"testing"
 
+	pAppsec "gopkg.in/DataDog/dd-trace-go.v1/appsec"
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/ext"
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/mocktracer"
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer"
@@ -323,6 +324,11 @@ func TestAppSec(t *testing.T) {
 		_, err := w.Write([]byte("Hello World!\n"))
 		require.NoError(t, err)
 	})
+	router.HandleFunc("/body", func(w http.ResponseWriter, r *http.Request) {
+		pAppsec.MonitorParsedHTTPBody(r.Context(), "$globals")
+		_, err := w.Write([]byte("Hello Body!\n"))
+		require.NoError(t, err)
+	})
 
 	srv := httptest.NewServer(router)
 	defer srv.Close()
@@ -379,4 +385,29 @@ func TestAppSec(t *testing.T) {
 		require.True(t, strings.Contains(event, "myPathParam2"))
 		require.True(t, strings.Contains(event, "server.request.path_params"))
 	})
+
+	// Test a PHP injection attack via request parsed body
+	t.Run("SDK-body", func(t *testing.T) {
+		mt := mocktracer.Start()
+		defer mt.Stop()
+
+		req, err := http.NewRequest("POST", srv.URL+"/body", nil)
+		if err != nil {
+			panic(err)
+		}
+		res, err := srv.Client().Do(req)
+		require.NoError(t, err)
+
+		// Check that the handler was properly called
+		b, err := ioutil.ReadAll(res.Body)
+		require.NoError(t, err)
+		require.Equal(t, "Hello Body!\n", string(b))
+
+		finished := mt.FinishedSpans()
+		require.Len(t, finished, 1)
+
+		event := finished[0].Tag("_dd.appsec.json")
+		require.NotNil(t, event)
+		require.True(t, strings.Contains(event.(string), "crs-933-130"))
+	})
 }

contrib/go-chi/chi/chi_test.go

@@ -7,6 +7,7 @@ package chi
 
 import (
 	"fmt"
+	pAppsec "gopkg.in/DataDog/dd-trace-go.v1/appsec"
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
@@ -323,6 +324,11 @@ func TestAppSec(t *testing.T) {
 		_, err := w.Write([]byte("Hello World!\n"))
 		require.NoError(t, err)
 	})
+	router.HandleFunc("/body", func(w http.ResponseWriter, r *http.Request) {
+		pAppsec.MonitorParsedHTTPBody(r.Context(), "$globals")
+		_, err := w.Write([]byte("Hello Body!\n"))
+		require.NoError(t, err)
+	})
 
 	srv := httptest.NewServer(router)
 	defer srv.Close()
@@ -379,4 +385,29 @@ func TestAppSec(t *testing.T) {
 		require.True(t, strings.Contains(event, "myPathParam2"))
 		require.True(t, strings.Contains(event, "server.request.path_params"))
 	})
+
+	// Test a PHP injection attack via request parsed body
+	t.Run("SDK-body", func(t *testing.T) {
+		mt := mocktracer.Start()
+		defer mt.Stop()
+
+		req, err := http.NewRequest("POST", srv.URL+"/body", nil)
+		if err != nil {
+			panic(err)
+		}
+		res, err := srv.Client().Do(req)
+		require.NoError(t, err)
+
+		// Check that the handler was properly called
+		b, err := ioutil.ReadAll(res.Body)
+		require.NoError(t, err)
+		require.Equal(t, "Hello Body!\n", string(b))
+
+		finished := mt.FinishedSpans()
+		require.Len(t, finished, 1)
+
+		event := finished[0].Tag("_dd.appsec.json")
+		require.NotNil(t, event)
+		require.True(t, strings.Contains(event.(string), "crs-933-130"))
+	})
 }

contrib/gorilla/mux/mux_test.go

@@ -14,6 +14,7 @@ import (
 	"strings"
 	"testing"
 
+	pAppsec "gopkg.in/DataDog/dd-trace-go.v1/appsec"
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/ext"
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/mocktracer"
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer"
@@ -326,6 +327,11 @@ func TestAppSec(t *testing.T) {
 		_, err := w.Write([]byte("Hello World!\n"))
 		require.NoError(t, err)
 	})
+	router.HandleFunc("/body", func(w http.ResponseWriter, r *http.Request) {
+		pAppsec.MonitorParsedHTTPBody(r.Context(), "$globals")
+		_, err := w.Write([]byte("Hello Body!\n"))
+		require.NoError(t, err)
+	})
 
 	srv := httptest.NewServer(router)
 	defer srv.Close()
@@ -384,4 +390,29 @@ func TestAppSec(t *testing.T) {
 		require.True(t, strings.Contains(event, "myPathParam2"))
 		require.True(t, strings.Contains(event, "server.request.path_params"))
 	})
+
+	// Test a PHP injection attack via request parsed body
+	t.Run("SDK-body", func(t *testing.T) {
+		mt := mocktracer.Start()
+		defer mt.Stop()
+
+		req, err := http.NewRequest("POST", srv.URL+"/body", nil)
+		if err != nil {
+			panic(err)
+		}
+		res, err := srv.Client().Do(req)
+		require.NoError(t, err)
+
+		// Check that the handler was properly called
+		b, err := ioutil.ReadAll(res.Body)
+		require.NoError(t, err)
+		require.Equal(t, "Hello Body!\n", string(b))
+
+		finished := mt.FinishedSpans()
+		require.Len(t, finished, 1)
+
+		event := finished[0].Tag("_dd.appsec.json")
+		require.NotNil(t, event)
+		require.True(t, strings.Contains(event.(string), "crs-933-130"))
+	})
 }

contrib/labstack/echo.v4/echotrace_test.go

@@ -13,6 +13,7 @@ import (
 	"strings"
 	"testing"
 
+	pAppsec "gopkg.in/DataDog/dd-trace-go.v1/appsec"
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/ext"
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/mocktracer"
 	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer"
@@ -290,6 +291,10 @@ func TestAppSec(t *testing.T) {
 	e.POST("/", func(c echo.Context) error {
 		return c.String(200, "Hello World!\n")
 	})
+	e.POST("/body", func(c echo.Context) error {
+		pAppsec.MonitorParsedHTTPBody(c.Request().Context(), "$globals")
+		return c.String(200, "Hello Body!\n")
+	})
 	srv := httptest.NewServer(e)
 	defer srv.Close()
 
@@ -367,5 +372,30 @@ func TestAppSec(t *testing.T) {
 			require.False(t, strings.Contains(event, "myPathParam3"))
 			require.True(t, strings.Contains(event, "server.request.path_params"))
 		})
+
+		// Test a PHP injection attack via request parsed body
+		t.Run("SDK-body", func(t *testing.T) {
+			mt := mocktracer.Start()
+			defer mt.Stop()
+
+			req, err := http.NewRequest("POST", srv.URL+"/body", nil)
+			if err != nil {
+				panic(err)
+			}
+			res, err := srv.Client().Do(req)
+			require.NoError(t, err)
+
+			// Check that the handler was properly called
+			b, err := ioutil.ReadAll(res.Body)
+			require.NoError(t, err)
+			require.Equal(t, "Hello Body!\n", string(b))
+
+			finished := mt.FinishedSpans()
+			require.Len(t, finished, 1)
+
+			event := finished[0].Tag("_dd.appsec.json")
+			require.NotNil(t, event)
+			require.True(t, strings.Contains(event.(string), "crs-933-130"))
+		})
 	})
 }

internal/appsec/waf_test.go

@@ -77,6 +77,7 @@ func TestWAF(t *testing.T) {
 		require.True(t, strings.Contains(event.(string), "crs-930-100"))
 	})
 
+	// Test a PHP injection attack via request parsed body
 	t.Run("SDK-body", func(t *testing.T) {
 		mt := mocktracer.Start()
 		defer mt.Stop()