internal/appsec: update the security rules to v1.2.6 (#1191)
Update to the latest rule file which includes:
• Add gRPC support for canary rules
• Improving LFI rules
• Add OGNL injection rules
• Move two noisy rules to strict rules
• Improve rule names
• Add Cassandra Injection rules
Julio-Guerra committed Mar 7, 2022
1 parent 149b817 commit fad83bc
Showing 11 changed files with 30 additions and 26 deletions.
4 changes: 2 additions & 2 deletions contrib/gin-gonic/gin/gintrace_test.go
Expand Up @@ -566,7 +566,7 @@ func TestAppSec(t *testing.T) {
t.Run("request-uri", func(t *testing.T) {
mt := mocktracer.Start()
defer mt.Stop()
// Send an LFI attack (according to appsec rule id crs-930-100)
// Send an LFI attack (according to appsec rule id crs-930-110)
req, err := http.NewRequest("POST", srv.URL+"/lfi/../../../secret.txt", nil)
if err != nil {
panic(err)
Expand All @@ -586,7 +586,7 @@ func TestAppSec(t *testing.T) {
event := finished[0].Tag("_dd.appsec.json").(string)
require.NotNil(t, event)
require.True(t, strings.Contains(event, "server.request.uri.raw"))
require.True(t, strings.Contains(event, "crs-930-100"))
require.True(t, strings.Contains(event, "crs-930-110"))
})

// Test a security scanner attack via path parameters
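Review bot: The updated `require.True(t, strings.Contains(event, "crs-930-110"))` at the end of the second hunk keeps the boolean-wrapper form, so the next time the rule id drifts the failure prints only "Should be true" with no view of the event payload that was actually emitted. The waf_test.go hunk in this same commit already switched to `require.Contains(t, event, "crs-930-110")`, which reports the haystack on failure; the same one-line change applies to the matching assertions in the chi, chi.v4, chi.v5, mux (both the uri and the referrer check) and echo.v4 test files. The enclosing TestAppSec subtest starts and ends outside the hunk.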
4 changes: 2 additions & 2 deletions contrib/go-chi/chi.v4/chi_test.go
Expand Up @@ -337,7 +337,7 @@ func TestAppSec(t *testing.T) {
t.Run("request-uri", func(t *testing.T) {
mt := mocktracer.Start()
defer mt.Stop()
// Send an LFI attack (according to appsec rule id crs-930-100)
// Send an LFI attack (according to appsec rule id crs-930-110)
req, err := http.NewRequest("POST", srv.URL+"/../../../secret.txt", nil)
if err != nil {
panic(err)
Expand All @@ -357,7 +357,7 @@ func TestAppSec(t *testing.T) {
event := finished[0].Tag("_dd.appsec.json").(string)
require.NotNil(t, event)
require.True(t, strings.Contains(event, "server.request.uri.raw"))
require.True(t, strings.Contains(event, "crs-930-100"))
require.True(t, strings.Contains(event, "crs-930-110"))
})

// Test a security scanner attack via path parameters
4 changes: 2 additions & 2 deletions contrib/go-chi/chi.v5/chi_test.go
Expand Up @@ -337,7 +337,7 @@ func TestAppSec(t *testing.T) {
t.Run("request-uri", func(t *testing.T) {
mt := mocktracer.Start()
defer mt.Stop()
// Send an LFI attack (according to appsec rule id crs-930-100)
// Send an LFI attack (according to appsec rule id crs-930-110)
req, err := http.NewRequest("POST", srv.URL+"/../../../secret.txt", nil)
if err != nil {
panic(err)
Expand All @@ -357,7 +357,7 @@ func TestAppSec(t *testing.T) {
event := finished[0].Tag("_dd.appsec.json").(string)
require.NotNil(t, event)
require.True(t, strings.Contains(event, "server.request.uri.raw"))
require.True(t, strings.Contains(event, "crs-930-100"))
require.True(t, strings.Contains(event, "crs-930-110"))
})

// Test a security scanner attack via path parameters
4 changes: 2 additions & 2 deletions contrib/go-chi/chi/chi_test.go
Expand Up @@ -337,7 +337,7 @@ func TestAppSec(t *testing.T) {
t.Run("request-uri", func(t *testing.T) {
mt := mocktracer.Start()
defer mt.Stop()
// Send an LFI attack (according to appsec rule id crs-930-100)
// Send an LFI attack (according to appsec rule id crs-930-110)
req, err := http.NewRequest("POST", srv.URL+"/../../../secret.txt", nil)
if err != nil {
panic(err)
Expand All @@ -357,7 +357,7 @@ func TestAppSec(t *testing.T) {
event := finished[0].Tag("_dd.appsec.json").(string)
require.NotNil(t, event)
require.True(t, strings.Contains(event, "server.request.uri.raw"))
require.True(t, strings.Contains(event, "crs-930-100"))
require.True(t, strings.Contains(event, "crs-930-110"))
})

// Test a security scanner attack via path parameters
6 changes: 3 additions & 3 deletions contrib/gorilla/mux/mux_test.go
Expand Up @@ -340,7 +340,7 @@ func TestAppSec(t *testing.T) {
t.Run("request-uri", func(t *testing.T) {
mt := mocktracer.Start()
defer mt.Stop()
// Send an LFI attack (according to appsec rule id crs-930-100)
// Send an LFI attack (according to appsec rule id crs-930-110)
req, err := http.NewRequest("POST", srv.URL+"/../../../secret.txt", nil)
if err != nil {
panic(err)
Expand All @@ -357,12 +357,12 @@ func TestAppSec(t *testing.T) {
event := finished[0].Tag("_dd.appsec.json").(string)
require.NotNil(t, event)
require.True(t, strings.Contains(event, "server.request.uri.raw"))
require.True(t, strings.Contains(event, "crs-930-100"))
require.True(t, strings.Contains(event, "crs-930-110"))
// The second request should contain the event via the referrer header
event = finished[1].Tag("_dd.appsec.json").(string)
require.NotNil(t, event)
require.True(t, strings.Contains(event, "server.request.headers.no_cookies"))
require.True(t, strings.Contains(event, "crs-930-100"))
require.True(t, strings.Contains(event, "crs-930-110"))
})

// Test a security scanner attack via path parameters
4 changes: 2 additions & 2 deletions contrib/labstack/echo.v4/echotrace_test.go
Expand Up @@ -302,7 +302,7 @@ func TestAppSec(t *testing.T) {
t.Run("request-uri", func(t *testing.T) {
mt := mocktracer.Start()
defer mt.Stop()
// Send an LFI attack (according to appsec rule id crs-930-100)
// Send an LFI attack (according to appsec rule id crs-930-110)
req, err := http.NewRequest("POST", srv.URL+"/../../../secret.txt", nil)
if err != nil {
panic(err)
Expand All @@ -316,7 +316,7 @@ func TestAppSec(t *testing.T) {
require.Len(t, finished, 1)
event := finished[0].Tag("_dd.appsec.json").(string)
require.NotNil(t, event)
require.True(t, strings.Contains(event, "crs-930-100"))
require.True(t, strings.Contains(event, "crs-930-110"))
require.True(t, strings.Contains(event, "server.request.uri.raw"))
})

14 changes: 9 additions & 5 deletions internal/appsec/_tools/libddwaf-updater/update.sh
Expand Up @@ -15,14 +15,18 @@ set -ex

bindings_dir=$(readlink -f "$(dirname $0)/../../waf")

echo Looking up for the latest GitHub release

latest_release=$(curl -s https://api.github.com/repos/DataDog/libddwaf/releases/latest)
version=$(jq -r '.tag_name') << EOF
version=""
if [ $# -eq 1 ]; then
version=$1
else
echo Looking up for the latest GitHub release
latest_release=$(curl -s https://api.github.com/repos/DataDog/libddwaf/releases/latest)
version=$(jq -r '.tag_name') << EOF
$latest_release
EOF
fi

echo Found libddwaf v$version
echo Updating to libddwaf v$version

tmpdir=$(mktemp -d /tmp/libddwaf-XXXXXXXX)
echo Using $tmpdir
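Review bot: The release lookup in the new else branch still runs `curl -s` without `-f`, so an API error body (a rate-limit response, for instance) is fed to `jq -r '.tag_name'`, yields the literal string `null`, and the script carries on with "Updating to libddwaf vnull"; nothing after the `fi` validates the value either, whether it came from the API or from `$1`. Suggest `latest_release=$(curl -sSf https://api.github.com/repos/DataDog/libddwaf/releases/latest)`, which makes the assignment fail under the script's `set -e`, plus a guard after `fi`: `[ -n "$version" ] && [ "$version" != null ] || { echo "could not determine libddwaf version" >&2; exit 1; }`. The heredoc attached to the `version=$(jq ...)` assignment is a bash-specific trick that reads like a bug at first glance; `version=$(jq -r .tag_name <<<"$latest_release")` says the same thing plainly. The rest of the script, which presumably uses $version to build a download location, is outside the hunk.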
2 changes: 1 addition & 1 deletion internal/appsec/_tools/rules-updater/Dockerfile
@@ -1,6 +1,6 @@
FROM tdewolff/minify as minify
ARG version
ADD https://raw.githubusercontent.com/DataDog/appsec-event-rules/$version/v2/build/recommended.json /home
ADD https://raw.githubusercontent.com/DataDog/appsec-event-rules/$version/build/recommended.json /home
RUN minify --type=json -o /home/out.json /home/recommended.json

FROM golang as go-format
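Review bot: The `ADD` on the new line fetches recommended.json by git tag over HTTPS with no integrity check, and the following `RUN` minifies it into the artifact that the escaper template elsewhere in this commit turns into the library's static rule set, so a retagged or altered upstream file would be embedded and shipped unnoticed. Recording the expected digest next to the `version` ARG and verifying it before minifying, e.g. `RUN echo "<EXPECTED_SHA256>  /home/recommended.json" | sha256sum -c -` (digest is a placeholder to be filled from the release), or pinning `$version` to a commit SHA rather than a tag, would close that gap. Whether the minify stage's base image provides sha256sum is not visible here and should be confirmed.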
2 changes: 1 addition & 1 deletion internal/appsec/_tools/rules-updater/escaper/template.txt
Expand Up @@ -9,5 +9,5 @@
package appsec

// Static recommended AppSec rule {{.Version}}
// Source: https://github.com/DataDog/appsec-event-rules/blob/{{.Version}}/v2/build/recommended.json
// Source: https://github.com/DataDog/appsec-event-rules/blob/{{.Version}}/build/recommended.json
const staticRecommendedRule = {{.Rules}}
6 changes: 3 additions & 3 deletions internal/appsec/rule.go

Large diffs are not rendered by default.

6 changes: 3 additions & 3 deletions internal/appsec/waf_test.go
Expand Up @@ -67,14 +67,14 @@ func TestWAF(t *testing.T) {
require.Len(t, finished, 2)

// Two requests were performed by the client request (due to the 301 redirection) and the two should have the LFI
// attack attempt event (appsec rule id crs-930-100).
// attack attempt event (appsec rule id crs-930-110).
event := finished[0].Tag("_dd.appsec.json")
require.NotNil(t, event)
require.True(t, strings.Contains(event.(string), "crs-930-100"))
require.Contains(t, event, "crs-930-110")

event = finished[1].Tag("_dd.appsec.json")
require.NotNil(t, event)
require.True(t, strings.Contains(event.(string), "crs-930-100"))
require.Contains(t, event, "crs-930-110")
})

// Test a PHP injection attack via request parsed body
