Detect SSRF vulnerabilities

[uurien]

What does this PR do?

When it detects than a string that comes from request data (GET parameter, body, ...) is used to make a new request, it identifies a SSRF vulnerability, because an attacker can force a request to an external page.

Motivation

SSRF vulnerability detection is a feature that tracer IAST should implement.

Plugin Checklist

• Unit tests.

[github-actions]

Overall package size

Self size: 4.2 MB
Deduped: 58.39 MB
No deduping: 58.44 MB

Dependency sizes

name	version	self size	total size
@datadog/pprof	2.2.1	14.24 MB	15.12 MB
@datadog/native-iast-taint-tracking	1.4.1	14.85 MB	14.86 MB
@datadog/native-appsec	3.2.0	13.38 MB	13.39 MB
protobufjs	7.1.2	2.76 MB	6.55 MB
@datadog/native-iast-rewriter	2.0.1	2.09 MB	2.1 MB
@datadog/native-metrics	2.0.0	898.77 kB	1.3 MB
opentracing	0.14.7	194.81 kB	194.81 kB
semver	7.3.8	88.2 kB	118.6 kB
@datadog/sketches-js	2.1.0	109.9 kB	109.9 kB
lodash.sortby	4.7.0	75.76 kB	75.76 kB
lru-cache	7.14.0	74.95 kB	74.95 kB
ipaddr.js	2.0.1	59.52 kB	59.52 kB
ignore	5.2.0	48.87 kB	48.87 kB
import-in-the-middle	1.3.5	34.34 kB	38.81 kB
istanbul-lib-coverage	3.2.0	29.34 kB	29.34 kB
retry	0.10.1	27.44 kB	27.44 kB
lodash.uniq	4.5.0	25.01 kB	25.01 kB
limiter	1.1.5	23.17 kB	23.17 kB
lodash.kebabcase	4.1.1	17.75 kB	17.75 kB
lodash.pick	4.4.0	16.33 kB	16.33 kB
node-abort-controller	3.0.1	14.33 kB	14.33 kB
crypto-randomuuid	1.0.0	11.18 kB	11.18 kB
diagnostics_channel	1.1.0	7.07 kB	7.07 kB
path-to-regexp	0.1.7	6.78 kB	6.78 kB
koalas	1.0.2	6.47 kB	6.47 kB
methods	1.1.2	5.29 kB	5.29 kB
module-details-from-path	1.0.3	4.47 kB	4.47 kB

_{🤖 This report was automatically generated by heaviest-objects-in-the-universe}

[codecov]

Codecov Report

Merging #3115 (8a88678) into master (d638b4b) will decrease coverage by 0.06%.
The diff coverage is 70.73%.

@@            Coverage Diff             @@
##           master    #3115      +/-   ##
==========================================
- Coverage   86.57%   86.52%   -0.06%     
==========================================
  Files         333      335       +2     
  Lines       11934    11974      +40     
  Branches       33       33              
==========================================
+ Hits        10332    10360      +28     
- Misses       1602     1614      +12     

Impacted Files	Coverage Δ
...es/dd-trace/src/appsec/iast/analyzers/analyzers.js	100.00% <ø> (ø)
...ckages/dd-trace/src/appsec/iast/vulnerabilities.js	100.00% <ø> (ø)
...tion/sensitive-analyzers/url-sensitive-analyzer.js	50.00% <50.00%> (ø)
...kages/datadog-instrumentations/src/http2/client.js	97.22% <66.66%> (-2.78%)	⬇️
...ckages/datadog-instrumentations/src/http/client.js	94.80% <100.00%> (+0.06%)	⬆️
...d-trace/src/appsec/iast/analyzers/ssrf-analyzer.js	100.00% <100.00%> (ø)
...-formatter/evidence-redaction/sensitive-handler.js	100.00% <100.00%> (ø)

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[pr-commenter]

Benchmarks

Comparing candidate commit 8a88678 in PR branch ugaitz/ssrf-vulnerability-detection with baseline commit d638b4b in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 449 metrics, 23 unstable metrics.

[uurien]

To be able to detect that the arguments are coming from the request, we need the values that the customer is using in the code, and not the normalized args object created by the tracer.

[uurien]

To detect the SSRF vulnerability, we need to check the original parameter of the connect method, we don't need the events and the data that the tracer needs.

[rochdev]

My only problem with this is that the goal of args was so that the subscriber doesn't need to know about the structure of the arguments. If we're gonna move this to the subscriber, it should be moved fully. But I would actually prefer if we did the opposite and do both the normalization and denormalization on the publisher side. In any case, any of the two would be fine with me, but let's not have both approaches at the same time.

[uurien]

Ok, make sense. The file which understand about the arguments in the instrumentation file. I've changed it to send more normalized args: { authority }
I've changed it also in packages/datadog-instrumentations/src/http/client.js to send { ..., originalArgs: { wholeUrl, options }}

[rochdev]

The new implementation seems to have the same issue and it's duplicating what is passed to the subscriber. The normalizing/denormalizing of arguments should only happen in once place.

[uurien]

I think that you are talking about the changes in packages/datadog-instrumentations/src/http/client.js.

Yes, you are right, we were normalizing it twice. I removed my normalizing method and modify the existing just to add the parameter that we need.

[rochdev]

My only problem with this is that the goal of args was so that the subscriber doesn't need to know about the structure of the arguments. If we're gonna move this to the subscriber, it should be moved fully. But I would actually prefer if we did the opposite and do both the normalization and denormalization on the publisher side. In any case, any of the two would be fine with me, but let's not have both approaches at the same time.