DataDog · Julio-Guerra · Mar 7, 2022 · Mar 1, 2022 · Mar 1, 2022 · Mar 1, 2022
diff --git a/contrib/gin-gonic/gin/gintrace_test.go b/contrib/gin-gonic/gin/gintrace_test.go
@@ -561,7 +561,7 @@ func TestAppSec(t *testing.T) {
 	t.Run("request-uri", func(t *testing.T) {
 		mt := mocktracer.Start()
 		defer mt.Stop()
-		// Send an LFI attack (according to appsec rule id crs-930-100)
+		// Send an LFI attack (according to appsec rule id crs-930-110)
 		req, err := http.NewRequest("POST", srv.URL+"/lfi/../../../secret.txt", nil)
 		if err != nil {
 			panic(err)
@@ -581,7 +581,7 @@ func TestAppSec(t *testing.T) {
 		event := finished[0].Tag("_dd.appsec.json").(string)
 		require.NotNil(t, event)
 		require.True(t, strings.Contains(event, "server.request.uri.raw"))
-		require.True(t, strings.Contains(event, "crs-930-100"))
+		require.True(t, strings.Contains(event, "crs-930-110"))
 	})
 
 	// Test a security scanner attack via path parameters

diff --git a/contrib/go-chi/chi.v4/chi_test.go b/contrib/go-chi/chi.v4/chi_test.go
@@ -331,7 +331,7 @@ func TestAppSec(t *testing.T) {
 	t.Run("request-uri", func(t *testing.T) {
 		mt := mocktracer.Start()
 		defer mt.Stop()
-		// Send an LFI attack (according to appsec rule id crs-930-100)
+		// Send an LFI attack (according to appsec rule id crs-930-110)
 		req, err := http.NewRequest("POST", srv.URL+"/../../../secret.txt", nil)
 		if err != nil {
 			panic(err)
@@ -351,7 +351,7 @@ func TestAppSec(t *testing.T) {
 		event := finished[0].Tag("_dd.appsec.json").(string)
 		require.NotNil(t, event)
 		require.True(t, strings.Contains(event, "server.request.uri.raw"))
-		require.True(t, strings.Contains(event, "crs-930-100"))
+		require.True(t, strings.Contains(event, "crs-930-110"))
 	})
 
 	// Test a security scanner attack via path parameters

diff --git a/contrib/go-chi/chi.v5/chi_test.go b/contrib/go-chi/chi.v5/chi_test.go
@@ -331,7 +331,7 @@ func TestAppSec(t *testing.T) {
 	t.Run("request-uri", func(t *testing.T) {
 		mt := mocktracer.Start()
 		defer mt.Stop()
-		// Send an LFI attack (according to appsec rule id crs-930-100)
+		// Send an LFI attack (according to appsec rule id crs-930-110)
 		req, err := http.NewRequest("POST", srv.URL+"/../../../secret.txt", nil)
 		if err != nil {
 			panic(err)
@@ -351,7 +351,7 @@ func TestAppSec(t *testing.T) {
 		event := finished[0].Tag("_dd.appsec.json").(string)
 		require.NotNil(t, event)
 		require.True(t, strings.Contains(event, "server.request.uri.raw"))
-		require.True(t, strings.Contains(event, "crs-930-100"))
+		require.True(t, strings.Contains(event, "crs-930-110"))
 	})
 
 	// Test a security scanner attack via path parameters

diff --git a/contrib/go-chi/chi/chi_test.go b/contrib/go-chi/chi/chi_test.go
@@ -331,7 +331,7 @@ func TestAppSec(t *testing.T) {
 	t.Run("request-uri", func(t *testing.T) {
 		mt := mocktracer.Start()
 		defer mt.Stop()
-		// Send an LFI attack (according to appsec rule id crs-930-100)
+		// Send an LFI attack (according to appsec rule id crs-930-110)
 		req, err := http.NewRequest("POST", srv.URL+"/../../../secret.txt", nil)
 		if err != nil {
 			panic(err)
@@ -351,7 +351,7 @@ func TestAppSec(t *testing.T) {
 		event := finished[0].Tag("_dd.appsec.json").(string)
 		require.NotNil(t, event)
 		require.True(t, strings.Contains(event, "server.request.uri.raw"))
-		require.True(t, strings.Contains(event, "crs-930-100"))
+		require.True(t, strings.Contains(event, "crs-930-110"))
 	})
 
 	// Test a security scanner attack via path parameters

diff --git a/contrib/gorilla/mux/mux_test.go b/contrib/gorilla/mux/mux_test.go
@@ -334,7 +334,7 @@ func TestAppSec(t *testing.T) {
 	t.Run("request-uri", func(t *testing.T) {
 		mt := mocktracer.Start()
 		defer mt.Stop()
-		// Send an LFI attack (according to appsec rule id crs-930-100)
+		// Send an LFI attack (according to appsec rule id crs-930-110)
 		req, err := http.NewRequest("POST", srv.URL+"/../../../secret.txt", nil)
 		if err != nil {
 			panic(err)
@@ -351,12 +351,12 @@ func TestAppSec(t *testing.T) {
 		event := finished[0].Tag("_dd.appsec.json").(string)
 		require.NotNil(t, event)
 		require.True(t, strings.Contains(event, "server.request.uri.raw"))
-		require.True(t, strings.Contains(event, "crs-930-100"))
+		require.True(t, strings.Contains(event, "crs-930-110"))
 		// The second request should contain the event via the referrer header
 		event = finished[1].Tag("_dd.appsec.json").(string)
 		require.NotNil(t, event)
 		require.True(t, strings.Contains(event, "server.request.headers.no_cookies"))
-		require.True(t, strings.Contains(event, "crs-930-100"))
+		require.True(t, strings.Contains(event, "crs-930-110"))
 	})
 
 	// Test a security scanner attack via path parameters

diff --git a/contrib/labstack/echo.v4/echotrace_test.go b/contrib/labstack/echo.v4/echotrace_test.go
@@ -297,7 +297,7 @@ func TestAppSec(t *testing.T) {
 	t.Run("request-uri", func(t *testing.T) {
 		mt := mocktracer.Start()
 		defer mt.Stop()
-		// Send an LFI attack (according to appsec rule id crs-930-100)
+		// Send an LFI attack (according to appsec rule id crs-930-110)
 		req, err := http.NewRequest("POST", srv.URL+"/../../../secret.txt", nil)
 		if err != nil {
 			panic(err)
@@ -311,7 +311,7 @@ func TestAppSec(t *testing.T) {
 		require.Len(t, finished, 1)
 		event := finished[0].Tag("_dd.appsec.json").(string)
 		require.NotNil(t, event)
-		require.True(t, strings.Contains(event, "crs-930-100"))
+		require.True(t, strings.Contains(event, "crs-930-110"))
 		require.True(t, strings.Contains(event, "server.request.uri.raw"))
 	})
 

diff --git a/internal/appsec/_tools/libddwaf-updater/update.sh b/internal/appsec/_tools/libddwaf-updater/update.sh
@@ -15,14 +15,18 @@ set -ex
 
 bindings_dir=$(readlink -f "$(dirname $0)/../../waf")
 
-echo Looking up for the latest GitHub release
-
-latest_release=$(curl -s https://api.github.com/repos/DataDog/libddwaf/releases/latest)
-version=$(jq -r '.tag_name') << EOF
+version=""
+if [ $# -eq 1 ]; then
+    version=$1
+else
+    echo Looking up for the latest GitHub release
+    latest_release=$(curl -s https://api.github.com/repos/DataDog/libddwaf/releases/latest)
+    version=$(jq -r '.tag_name') << EOF
 $latest_release
 EOF
+fi
 
-echo Found libddwaf v$version
+echo Updating to libddwaf v$version
 
 tmpdir=$(mktemp -d /tmp/libddwaf-XXXXXXXX)
 echo Using $tmpdir

diff --git a/internal/appsec/_tools/rules-updater/Dockerfile b/internal/appsec/_tools/rules-updater/Dockerfile
@@ -1,6 +1,6 @@
 FROM tdewolff/minify as minify
 ARG version
-ADD https://raw.githubusercontent.com/DataDog/appsec-event-rules/$version/v2/build/recommended.json /home
+ADD https://raw.githubusercontent.com/DataDog/appsec-event-rules/$version/build/recommended.json /home
 RUN minify --type=json -o /home/out.json /home/recommended.json
 
 FROM golang as go-format

diff --git a/internal/appsec/rule.go b/internal/appsec/rule.go
diff --git a/internal/appsec/waf_test.go b/internal/appsec/waf_test.go
@@ -12,7 +12,6 @@ import (
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
-	"strings"
 	"testing"
 
 	httptrace "gopkg.in/DataDog/dd-trace-go.v1/contrib/net/http"
@@ -61,12 +60,12 @@ func TestWAF(t *testing.T) {
 	require.Len(t, finished, 2)
 
 	// Two requests were performed by the client request (due to the 301 redirection) and the two should have the LFI
-	// attack attempt event (appsec rule id crs-930-100).
+	// attack attempt event (appsec rule id crs-930-110).
 	event := finished[0].Tag("_dd.appsec.json")
 	require.NotNil(t, event)
-	require.True(t, strings.Contains(event.(string), "crs-930-100"))
+	require.Contains(t, event.(string), "crs-930-110")
 
 	event = finished[1].Tag("_dd.appsec.json")
 	require.NotNil(t, event)
-	require.True(t, strings.Contains(event.(string), "crs-930-100"))
+	require.Contains(t, event.(string), "crs-930-110")
 }