From d769b98451b074f7d2b4bfa1ecae04dabc04b098 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Mazeau?= Date: Mon, 7 Feb 2022 17:05:40 +0100 Subject: [PATCH 01/10] contrib/gin-gonic: add AppSec support to gin framework --- contrib/gin-gonic/gin/appsec.go | 39 +++++++++++++++++++++++++++++++ contrib/gin-gonic/gin/gintrace.go | 6 +++++ 2 files changed, 45 insertions(+) create mode 100644 contrib/gin-gonic/gin/appsec.go diff --git a/contrib/gin-gonic/gin/appsec.go b/contrib/gin-gonic/gin/appsec.go new file mode 100644 index 0000000000..ca65e262f2 --- /dev/null +++ b/contrib/gin-gonic/gin/appsec.go @@ -0,0 +1,39 @@ +// Unless explicitly stated otherwise all files in this repository are licensed +// under the Apache License Version 2.0. +// This product includes software developed at Datadog (https://www.datadoghq.com/). +// Copyright 2022 Datadog, Inc. + +package gin + +import ( + "github.com/gin-gonic/gin" + "net" + + "gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer" + "gopkg.in/DataDog/dd-trace-go.v1/internal/appsec/dyngo/instrumentation/httpsec" +) + +func useAppSec(c *gin.Context) { + req := c.Request + span, ok := tracer.SpanFromContext(req.Context()) + if ok { + httpsec.SetAppSecTags(span) + params := make(map[string]string) + for _, p := range c.Params { + params[p.Key] = p.Value + } + args := httpsec.MakeHandlerOperationArgs(req, params) + op := httpsec.StartOperation(args, nil) + defer func() { + events := op.Finish(httpsec.HandlerOperationRes{Status: c.Writer.Status()}) + if len(events) > 0 { + remoteIP, _, err := net.SplitHostPort(req.RemoteAddr) + if err != nil { + remoteIP = req.RemoteAddr + } + httpsec.SetSecurityEventTags(span, events, remoteIP, args.Headers, c.Writer.Header()) + } + }() + } + c.Next() +} diff --git a/contrib/gin-gonic/gin/gintrace.go b/contrib/gin-gonic/gin/gintrace.go index e1342965b1..2d48b8f238 100644 --- a/contrib/gin-gonic/gin/gintrace.go +++ b/contrib/gin-gonic/gin/gintrace.go @@ -8,6 +8,7 @@ package gin // import "gopkg.in/DataDog/dd-trace-go.v1/contrib/gin-gonic/gin" import ( "fmt" + "gopkg.in/DataDog/dd-trace-go.v1/internal/appsec" "math" "net/http" "strconv" @@ -53,6 +54,11 @@ func Middleware(service string, opts ...Option) gin.HandlerFunc { // pass the span through the request context c.Request = c.Request.WithContext(ctx) + // Use AppSec if enabled by user + if appsec.Enabled() { + useAppSec(c) + } + // serve the request to the next middleware c.Next() From 6ec086648a45ff230074224339a2195ba615ab3f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Mazeau?= Date: Mon, 7 Feb 2022 17:06:33 +0100 Subject: [PATCH 02/10] contrib/gin-gonic: add testing for AppSec to gintrace_test.go --- contrib/gin-gonic/gin/gintrace_test.go | 114 +++++++++++++++++++++++++ 1 file changed, 114 insertions(+) diff --git a/contrib/gin-gonic/gin/gintrace_test.go b/contrib/gin-gonic/gin/gintrace_test.go index 1009caa061..69e79400d3 100644 --- a/contrib/gin-gonic/gin/gintrace_test.go +++ b/contrib/gin-gonic/gin/gintrace_test.go @@ -9,17 +9,22 @@ import ( "errors" "fmt" "html/template" + "io/ioutil" + "net/http" "net/http/httptest" + "strconv" "strings" "testing" "gopkg.in/DataDog/dd-trace-go.v1/ddtrace/ext" "gopkg.in/DataDog/dd-trace-go.v1/ddtrace/mocktracer" "gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer" + "gopkg.in/DataDog/dd-trace-go.v1/internal/appsec" "gopkg.in/DataDog/dd-trace-go.v1/internal/globalconfig" "github.com/gin-gonic/gin" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" ) func init() { @@ -460,3 +465,112 @@ func TestServiceName(t *testing.T) { assert.Equal("my-service", span.Tag(ext.ServiceName)) }) } + +func TestAppSec(t *testing.T) { + + appsec.Start() + defer appsec.Stop() + if !appsec.Enabled() { + t.Skip("appsec disabled") + } + + r := gin.New() + r.Use(Middleware("appsec")) + + statusCodes := []int{200, 403, 404, 500} + for _, code := range statusCodes { + strC := strconv.Itoa(code) + code := code + r.Any("/"+strC, func(c *gin.Context) { + c.String(code, "Hello "+strC+"\n") + }) + } + + r.Any("/lfi/*allPaths", func(c *gin.Context) { + c.String(200, "Hello World!\n") + }) + r.Any("/path0.0/:myPathParam0/path0.1/:myPathParam1/path0.2/:myPathParam2/path0.3/*param3", func(c *gin.Context) { + c.String(200, "Hello Params!\n") + }) + + srv := httptest.NewServer(r) + defer srv.Close() + + t.Run("request-uri", func(t *testing.T) { + mt := mocktracer.Start() + defer mt.Stop() + // Send an LFI attack (according to appsec rule id crs-930-100) + req, err := http.NewRequest("POST", srv.URL+"/lfi/../../../secret.txt", nil) + if err != nil { + panic(err) + } + res, err := srv.Client().Do(req) + require.NoError(t, err) + // Check that the server behaved as intended + require.Equal(t, http.StatusOK, res.StatusCode) + b, err := ioutil.ReadAll(res.Body) + require.NoError(t, err) + require.Equal(t, "Hello World!\n", string(b)) + // The span should contain the security event + finished := mt.FinishedSpans() + require.Len(t, finished, 1) + + // The first 301 redirection should contain the attack via the request uri + event := finished[0].Tag("_dd.appsec.json").(string) + require.NotNil(t, event) + require.True(t, strings.Contains(event, "server.request.uri.raw")) + require.True(t, strings.Contains(event, "crs-930-100")) + }) + + // Test a security scanner attack via path parameters + t.Run("path-params", func(t *testing.T) { + mt := mocktracer.Start() + defer mt.Stop() + // Send a security scanner attack (according to appsec rule id crs-913-120) + req, err := http.NewRequest("POST", srv.URL+"/path0.0/param0/path0.1/param1/path0.2/appscan_fingerprint/path0.3/param3", nil) + if err != nil { + panic(err) + } + res, err := srv.Client().Do(req) + require.NoError(t, err) + // Check that the handler was properly called + b, err := ioutil.ReadAll(res.Body) + require.NoError(t, err) + require.Equal(t, "Hello Params!\n", string(b)) + require.Equal(t, http.StatusOK, res.StatusCode) + // The span should contain the security event + finished := mt.FinishedSpans() + require.Len(t, finished, 1) + event := finished[0].Tag("_dd.appsec.json").(string) + require.NotNil(t, event) + require.True(t, strings.Contains(event, "crs-913-120")) + require.True(t, strings.Contains(event, "myPathParam2")) + require.True(t, strings.Contains(event, "server.request.path_params")) + }) + + t.Run("status-code", func(t *testing.T) { + for _, code := range statusCodes { + codeStr := strconv.Itoa(code) + t.Run(codeStr, func(t *testing.T) { + mt := mocktracer.Start() + defer mt.Stop() + + req, err := http.NewRequest("POST", srv.URL+"/"+codeStr, nil) + req.Header.Set("User-agent", "Arachni/v1.0") + if err != nil { + panic(err) + } + res, err := srv.Client().Do(req) + require.NoError(t, err) + require.Equal(t, code, res.StatusCode) + + finished := mt.FinishedSpans() + require.Len(t, finished, 1) + tagStatusCode := finished[0].Tag("http.status_code").(string) + require.NotNil(t, tagStatusCode) + require.Equal(t, codeStr, tagStatusCode) + + }) + } + }) +} From 9fc00d43969a7f39209320144ad14308f5be8ec8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Mazeau?= Date: Wed, 9 Feb 2022 16:14:48 +0100 Subject: [PATCH 03/10] contrib/gin-gonic: re-order imports --- contrib/gin-gonic/gin/appsec.go | 3 ++- contrib/gin-gonic/gin/gintrace.go | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/contrib/gin-gonic/gin/appsec.go b/contrib/gin-gonic/gin/appsec.go index ca65e262f2..4e7db23fe0 100644 --- a/contrib/gin-gonic/gin/appsec.go +++ b/contrib/gin-gonic/gin/appsec.go @@ -6,11 +6,12 @@ package gin import ( - "github.com/gin-gonic/gin" "net" "gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer" "gopkg.in/DataDog/dd-trace-go.v1/internal/appsec/dyngo/instrumentation/httpsec" + + "github.com/gin-gonic/gin" ) func useAppSec(c *gin.Context) { diff --git a/contrib/gin-gonic/gin/gintrace.go b/contrib/gin-gonic/gin/gintrace.go index 2d48b8f238..d8306e093a 100644 --- a/contrib/gin-gonic/gin/gintrace.go +++ b/contrib/gin-gonic/gin/gintrace.go @@ -8,7 +8,6 @@ package gin // import "gopkg.in/DataDog/dd-trace-go.v1/contrib/gin-gonic/gin" import ( "fmt" - "gopkg.in/DataDog/dd-trace-go.v1/internal/appsec" "math" "net/http" "strconv" @@ -16,6 +15,7 @@ import ( "gopkg.in/DataDog/dd-trace-go.v1/ddtrace" "gopkg.in/DataDog/dd-trace-go.v1/ddtrace/ext" "gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer" + "gopkg.in/DataDog/dd-trace-go.v1/internal/appsec" "gopkg.in/DataDog/dd-trace-go.v1/internal/log" "github.com/gin-gonic/gin" From 737ea9453c69d97f2daf0e00449fda5e70fd64c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Mazeau?= Date: Wed, 9 Feb 2022 17:59:45 +0100 Subject: [PATCH 04/10] contrib/gin-gonic: add apssec nfd rule test --- contrib/gin-gonic/gin/gintrace_test.go | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/contrib/gin-gonic/gin/gintrace_test.go b/contrib/gin-gonic/gin/gintrace_test.go index 69e79400d3..ad972f5c5a 100644 --- a/contrib/gin-gonic/gin/gintrace_test.go +++ b/contrib/gin-gonic/gin/gintrace_test.go @@ -573,4 +573,25 @@ func TestAppSec(t *testing.T) { }) } }) + + t.Run("nfd-000-001", func(t *testing.T) { + mt := mocktracer.Start() + defer mt.Stop() + + req, err := http.NewRequest("POST", srv.URL+"/etc/", nil) + if err != nil { + panic(err) + } + res, err := srv.Client().Do(req) + require.NoError(t, err) + require.Equal(t, 404, res.StatusCode) + + finished := mt.FinishedSpans() + require.Len(t, finished, 1) + event := finished[0].Tag("_dd.appsec.json").(string) + require.NotNil(t, event) + require.True(t, strings.Contains(event, "server.response.status")) + require.True(t, strings.Contains(event, "nfd-000-001")) + + }) } From 4035cfb2e5669f160cab650817894507aa769de1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Mazeau?= Date: Wed, 9 Feb 2022 18:02:21 +0100 Subject: [PATCH 05/10] Apply suggestions from code review Co-authored-by: Julio Guerra --- contrib/gin-gonic/gin/appsec.go | 9 ++++++--- contrib/gin-gonic/gin/gintrace_test.go | 1 - 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/contrib/gin-gonic/gin/appsec.go b/contrib/gin-gonic/gin/appsec.go index 4e7db23fe0..6fa1263c17 100644 --- a/contrib/gin-gonic/gin/appsec.go +++ b/contrib/gin-gonic/gin/appsec.go @@ -19,9 +19,12 @@ func useAppSec(c *gin.Context) { span, ok := tracer.SpanFromContext(req.Context()) if ok { httpsec.SetAppSecTags(span) - params := make(map[string]string) - for _, p := range c.Params { - params[p.Key] = p.Value + var params map[string]string + if l := len(c.Params); l > 0 { + params = make(map[string]string, l) + for _, p := range c.Params { + params[p.Key] = p.Value + } } args := httpsec.MakeHandlerOperationArgs(req, params) op := httpsec.StartOperation(args, nil) diff --git a/contrib/gin-gonic/gin/gintrace_test.go b/contrib/gin-gonic/gin/gintrace_test.go index ad972f5c5a..bec2669e02 100644 --- a/contrib/gin-gonic/gin/gintrace_test.go +++ b/contrib/gin-gonic/gin/gintrace_test.go @@ -467,7 +467,6 @@ func TestServiceName(t *testing.T) { } func TestAppSec(t *testing.T) { - appsec.Start() defer appsec.Stop() if !appsec.Enabled() { From a6ac4076d240c19d8c6c594b10ca3b13a794834c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Mazeau?= Date: Thu, 10 Feb 2022 09:54:19 +0100 Subject: [PATCH 06/10] contrib/gin-gonic: pass span to useAppSec() & use nil params map --- contrib/gin-gonic/gin/appsec.go | 39 ++++++++++++++----------------- contrib/gin-gonic/gin/gintrace.go | 2 +- 2 files changed, 18 insertions(+), 23 deletions(-) diff --git a/contrib/gin-gonic/gin/appsec.go b/contrib/gin-gonic/gin/appsec.go index 6fa1263c17..c6a55c5ccd 100644 --- a/contrib/gin-gonic/gin/appsec.go +++ b/contrib/gin-gonic/gin/appsec.go @@ -14,30 +14,25 @@ import ( "github.com/gin-gonic/gin" ) -func useAppSec(c *gin.Context) { +func useAppSec(c *gin.Context, span tracer.Span) { req := c.Request - span, ok := tracer.SpanFromContext(req.Context()) - if ok { - httpsec.SetAppSecTags(span) - var params map[string]string - if l := len(c.Params); l > 0 { - params = make(map[string]string, l) - for _, p := range c.Params { - params[p.Key] = p.Value - } + httpsec.SetAppSecTags(span) + var params map[string]string + if l := len(c.Params); l > 0 { + params = make(map[string]string, l) + for _, p := range c.Params { + params[p.Key] = p.Value } - args := httpsec.MakeHandlerOperationArgs(req, params) - op := httpsec.StartOperation(args, nil) - defer func() { - events := op.Finish(httpsec.HandlerOperationRes{Status: c.Writer.Status()}) - if len(events) > 0 { - remoteIP, _, err := net.SplitHostPort(req.RemoteAddr) - if err != nil { - remoteIP = req.RemoteAddr - } - httpsec.SetSecurityEventTags(span, events, remoteIP, args.Headers, c.Writer.Header()) - } - }() } + args := httpsec.MakeHandlerOperationArgs(req, params) + op := httpsec.StartOperation(args, nil) c.Next() + events := op.Finish(httpsec.HandlerOperationRes{Status: c.Writer.Status()}) + if len(events) > 0 { + remoteIP, _, err := net.SplitHostPort(req.RemoteAddr) + if err != nil { + remoteIP = req.RemoteAddr + } + httpsec.SetSecurityEventTags(span, events, remoteIP, args.Headers, c.Writer.Header()) + } } diff --git a/contrib/gin-gonic/gin/gintrace.go b/contrib/gin-gonic/gin/gintrace.go index d8306e093a..7ee6f38bd1 100644 --- a/contrib/gin-gonic/gin/gintrace.go +++ b/contrib/gin-gonic/gin/gintrace.go @@ -56,7 +56,7 @@ func Middleware(service string, opts ...Option) gin.HandlerFunc { // Use AppSec if enabled by user if appsec.Enabled() { - useAppSec(c) + useAppSec(c, span) } // serve the request to the next middleware From 611d5c3ffa1ea5805e47370867298d2933f5e9d9 Mon Sep 17 00:00:00 2001 From: Julio Guerra Date: Thu, 10 Feb 2022 15:21:14 +0100 Subject: [PATCH 07/10] contrib/gin-gonic/gin/gintrace_test.go: add response status code tests --- contrib/gin-gonic/gin/gintrace_test.go | 76 +++++++++++++++++++++++++- 1 file changed, 75 insertions(+), 1 deletion(-) diff --git a/contrib/gin-gonic/gin/gintrace_test.go b/contrib/gin-gonic/gin/gintrace_test.go index bec2669e02..b0e65de977 100644 --- a/contrib/gin-gonic/gin/gintrace_test.go +++ b/contrib/gin-gonic/gin/gintrace_test.go @@ -85,7 +85,81 @@ func TestTrace200(t *testing.T) { assert.Contains(span.Tag(ext.ResourceName), "GET /user/:id") assert.Equal("200", span.Tag(ext.HTTPCode)) assert.Equal("GET", span.Tag(ext.HTTPMethod)) - // TODO(x) would be much nicer to have "/user/:id" here + assert.Equal("/user/123", span.Tag(ext.HTTPURL)) +} + +func TestTraceDefaultResponse(t *testing.T) { + assert := assert.New(t) + mt := mocktracer.Start() + defer mt.Stop() + + router := gin.New() + router.Use(Middleware("foobar")) + router.GET("/user/:id", func(c *gin.Context) { + _, ok := tracer.SpanFromContext(c.Request.Context()) + assert.True(ok) + }) + + r := httptest.NewRequest("GET", "/user/123", nil) + w := httptest.NewRecorder() + + // do and verify the request + router.ServeHTTP(w, r) + response := w.Result() + assert.Equal(response.StatusCode, 200) + + // verify traces look good + spans := mt.FinishedSpans() + assert.Len(spans, 1) + if len(spans) < 1 { + t.Fatalf("no spans") + } + span := spans[0] + assert.Equal("http.request", span.OperationName()) + assert.Equal(ext.SpanTypeWeb, span.Tag(ext.SpanType)) + assert.Equal("foobar", span.Tag(ext.ServiceName)) + assert.Contains(span.Tag(ext.ResourceName), "GET /user/:id") + assert.Equal("200", span.Tag(ext.HTTPCode)) + assert.Equal("GET", span.Tag(ext.HTTPMethod)) + assert.Equal("/user/123", span.Tag(ext.HTTPURL)) +} + +func TestTraceMultipleResponses(t *testing.T) { + assert := assert.New(t) + mt := mocktracer.Start() + defer mt.Stop() + + router := gin.New() + router.Use(Middleware("foobar")) + router.GET("/user/:id", func(c *gin.Context) { + _, ok := tracer.SpanFromContext(c.Request.Context()) + assert.True(ok) + c.Status(142) + c.Writer.WriteString("test") + c.Status(133) + }) + + r := httptest.NewRequest("GET", "/user/123", nil) + w := httptest.NewRecorder() + + // do and verify the request + router.ServeHTTP(w, r) + response := w.Result() + assert.Equal(response.StatusCode, 142) + + // verify traces look good + spans := mt.FinishedSpans() + assert.Len(spans, 1) + if len(spans) < 1 { + t.Fatalf("no spans") + } + span := spans[0] + assert.Equal("http.request", span.OperationName()) + assert.Equal(ext.SpanTypeWeb, span.Tag(ext.SpanType)) + assert.Equal("foobar", span.Tag(ext.ServiceName)) + assert.Contains(span.Tag(ext.ResourceName), "GET /user/:id") + assert.Equal("133", span.Tag(ext.HTTPCode)) // Will be fixed by https://github.com/gin-gonic/gin/pull/2627 once merged and released + assert.Equal("GET", span.Tag(ext.HTTPMethod)) assert.Equal("/user/123", span.Tag(ext.HTTPURL)) } From 8344a5cd331b5eb28212268c485bb4224cf68bc8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Mazeau?= Date: Thu, 10 Feb 2022 14:35:18 +0100 Subject: [PATCH 08/10] contrib/gin-gonic: make useAppSec return post middleware function --- contrib/gin-gonic/gin/appsec.go | 19 +++++++++++-------- contrib/gin-gonic/gin/gintrace.go | 6 ++++-- 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/contrib/gin-gonic/gin/appsec.go b/contrib/gin-gonic/gin/appsec.go index c6a55c5ccd..2462f0c297 100644 --- a/contrib/gin-gonic/gin/appsec.go +++ b/contrib/gin-gonic/gin/appsec.go @@ -14,7 +14,9 @@ import ( "github.com/gin-gonic/gin" ) -func useAppSec(c *gin.Context, span tracer.Span) { +// useAppSec executes the AppSec logic related to the operation start and +// returns the function to be executed upon finishing the operation +func useAppSec(c *gin.Context, span tracer.Span) func() { req := c.Request httpsec.SetAppSecTags(span) var params map[string]string @@ -26,13 +28,14 @@ func useAppSec(c *gin.Context, span tracer.Span) { } args := httpsec.MakeHandlerOperationArgs(req, params) op := httpsec.StartOperation(args, nil) - c.Next() - events := op.Finish(httpsec.HandlerOperationRes{Status: c.Writer.Status()}) - if len(events) > 0 { - remoteIP, _, err := net.SplitHostPort(req.RemoteAddr) - if err != nil { - remoteIP = req.RemoteAddr + return func() { + events := op.Finish(httpsec.HandlerOperationRes{Status: c.Writer.Status()}) + if len(events) > 0 { + remoteIP, _, err := net.SplitHostPort(req.RemoteAddr) + if err != nil { + remoteIP = req.RemoteAddr + } + httpsec.SetSecurityEventTags(span, events, remoteIP, args.Headers, c.Writer.Header()) } - httpsec.SetSecurityEventTags(span, events, remoteIP, args.Headers, c.Writer.Header()) } } diff --git a/contrib/gin-gonic/gin/gintrace.go b/contrib/gin-gonic/gin/gintrace.go index 7ee6f38bd1..419b7496c2 100644 --- a/contrib/gin-gonic/gin/gintrace.go +++ b/contrib/gin-gonic/gin/gintrace.go @@ -25,6 +25,7 @@ import ( // default service name will be used. func Middleware(service string, opts ...Option) gin.HandlerFunc { cfg := newConfig(service) + appsecEnabled := appsec.Enabled() for _, opt := range opts { opt(cfg) } @@ -55,8 +56,9 @@ func Middleware(service string, opts ...Option) gin.HandlerFunc { c.Request = c.Request.WithContext(ctx) // Use AppSec if enabled by user - if appsec.Enabled() { - useAppSec(c, span) + if appsecEnabled { + afterMiddleware := useAppSec(c, span) + defer afterMiddleware() } // serve the request to the next middleware From bb9909988b06dbf38e734831ae1c9e655ccdf430 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Mazeau?= Date: Thu, 10 Feb 2022 15:33:09 +0100 Subject: [PATCH 09/10] contrib/gin-gonic: remove status-code test --- contrib/gin-gonic/gin/gintrace_test.go | 37 -------------------------- 1 file changed, 37 deletions(-) diff --git a/contrib/gin-gonic/gin/gintrace_test.go b/contrib/gin-gonic/gin/gintrace_test.go index b0e65de977..32aff62198 100644 --- a/contrib/gin-gonic/gin/gintrace_test.go +++ b/contrib/gin-gonic/gin/gintrace_test.go @@ -12,7 +12,6 @@ import ( "io/ioutil" "net/http" "net/http/httptest" - "strconv" "strings" "testing" @@ -549,16 +548,6 @@ func TestAppSec(t *testing.T) { r := gin.New() r.Use(Middleware("appsec")) - - statusCodes := []int{200, 403, 404, 500} - for _, code := range statusCodes { - strC := strconv.Itoa(code) - code := code - r.Any("/"+strC, func(c *gin.Context) { - c.String(code, "Hello "+strC+"\n") - }) - } - r.Any("/lfi/*allPaths", func(c *gin.Context) { c.String(200, "Hello World!\n") }) @@ -621,32 +610,6 @@ func TestAppSec(t *testing.T) { require.True(t, strings.Contains(event, "server.request.path_params")) }) - t.Run("status-code", func(t *testing.T) { - for _, code := range statusCodes { - codeStr := strconv.Itoa(code) - t.Run(codeStr, func(t *testing.T) { - mt := mocktracer.Start() - defer mt.Stop() - - req, err := http.NewRequest("POST", srv.URL+"/"+codeStr, nil) - req.Header.Set("User-agent", "Arachni/v1.0") - if err != nil { - panic(err) - } - res, err := srv.Client().Do(req) - require.NoError(t, err) - require.Equal(t, code, res.StatusCode) - - finished := mt.FinishedSpans() - require.Len(t, finished, 1) - tagStatusCode := finished[0].Tag("http.status_code").(string) - require.NotNil(t, tagStatusCode) - require.Equal(t, codeStr, tagStatusCode) - - }) - } - }) - t.Run("nfd-000-001", func(t *testing.T) { mt := mocktracer.Start() defer mt.Stop() From ebc8f8590546127de076f0e1fe5bc97bff54c491 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Mazeau?= Date: Thu, 10 Feb 2022 16:53:35 +0100 Subject: [PATCH 10/10] Update contrib/gin-gonic/gin/gintrace.go Co-authored-by: Julio Guerra --- contrib/gin-gonic/gin/gintrace.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/gin-gonic/gin/gintrace.go b/contrib/gin-gonic/gin/gintrace.go index 419b7496c2..a5b53d32e9 100644 --- a/contrib/gin-gonic/gin/gintrace.go +++ b/contrib/gin-gonic/gin/gintrace.go @@ -24,8 +24,8 @@ import ( // Middleware returns middleware that will trace incoming requests. If service is empty then the // default service name will be used. func Middleware(service string, opts ...Option) gin.HandlerFunc { - cfg := newConfig(service) appsecEnabled := appsec.Enabled() + cfg := newConfig(service) for _, opt := range opts { opt(cfg) }