-
Notifications
You must be signed in to change notification settings - Fork 395
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(asm): add exploit prevention LFI support #8568
feat(asm): add exploit prevention LFI support #8568
Conversation
…xploit_prevention_stack_traces_support
Datadog ReportBranch report: ✅ 0 Failed, 148124 Passed, 20428 Skipped, 8h 21m 48.03s Total duration (1h 21m 39.1s time saved) |
BenchmarksBenchmark execution time: 2024-03-25 19:28:42 Comparing candidate commit e658581 in PR branch Found 0 performance improvements and 1 performance regressions! Performance is the same for 200 metrics, 9 unstable metrics. scenario:sethttpmeta-obfuscation-disabled
|
8563a19
to
1e42a28
Compare
…xploit_prevention_stack_traces_support
…xploit_prevention_stack_traces_support
…xploit_prevention_stack_traces_support
…xploit_prevention_stack_traces_support
…af (#8734) Previously, all waf addresses were persistent, meaning that we only needed to send them once to the waf per request. With the introduction of new features, ephemeral addresses will become more and more common, and they need to be resent each time to the waf. This PR address that by keeping a list of persistent addresses and treat all other addresses as ephemeral. Required for #8568 ## Checklist - [x] Change(s) are motivated and described in the PR description - [x] Testing strategy is described if automated tests are not included in the PR - [x] Risks are described (performance impact, potential for breakage, maintainability) - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] [Library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) are followed or label `changelog/no-changelog` is set - [x] Documentation is included (in-code, generated user docs, [public corp docs](https://github.com/DataDog/documentation/)) - [x] Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) - [x] If this PR changes the public interface, I've notified `@DataDog/apm-tees`. - [x] If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from `@DataDog/security-design-and-guidance`. ## Reviewer Checklist - [ ] Title is accurate - [ ] All changes are related to the pull request's stated goal - [ ] Description motivates each change - [ ] Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - [ ] Testing strategy adequately addresses listed risks - [ ] Change is maintainable (easy to change, telemetry, documentation) - [ ] Release note makes sense to a user of the library - [ ] Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - [ ] Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)
…xploit_prevention_stack_traces_support
Co-authored-by: Federico Mon <federico.mon@datadoghq.com>
Co-authored-by: Federico Mon <federico.mon@datadoghq.com>
Following #8568, this PR add support for SSRF for exploit prevention. 1. Add support for SSRF using urllib.request in standard Python API 2. Improve handling of parameters for exploit prevention (positioned or named) 3. Add endpoints and new unit tests for SSRF 4. Add preliminary support for iast in threat hatch tests This feature is still private and disabled. Corresponding tests were run locally and on the CI before being marked skipped. APPSEC-51853 ## Checklist - [x] Change(s) are motivated and described in the PR description - [x] Testing strategy is described if automated tests are not included in the PR - [x] Risks are described (performance impact, potential for breakage, maintainability) - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] [Library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) are followed or label `changelog/no-changelog` is set - [x] Documentation is included (in-code, generated user docs, [public corp docs](https://github.com/DataDog/documentation/)) - [x] Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) - [x] If this PR changes the public interface, I've notified `@DataDog/apm-tees`. - [x] If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from `@DataDog/security-design-and-guidance`. ## Reviewer Checklist - [x] Title is accurate - [x] All changes are related to the pull request's stated goal - [x] Description motivates each change - [x] Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - [x] Testing strategy adequately addresses listed risks - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] Release note makes sense to a user of the library - [x] Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - [x] Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) --------- Co-authored-by: Romain Komorn <136473744+romainkomorndatadog@users.noreply.github.com> Co-authored-by: Federico Mon <federico.mon@datadoghq.com> Co-authored-by: Teague Bick <teague.bick@datadoghq.com> Co-authored-by: Emmett Butler <723615+emmettbutler@users.noreply.github.com> Co-authored-by: Yun Kim <35776586+Yun-Kim@users.noreply.github.com> Co-authored-by: erikayasuda <153395705+erikayasuda@users.noreply.github.com> Co-authored-by: Alberto Vara <alberto.vara@datadoghq.com>
First PR to introduce the new exploit prevention feature to ASM.
Add LFI support to Exploit Prevention, and patch mechanism to support more entry points.
This PR is internal only. No new feature is activated, new tests are not enable either for now.
This feature needs an unreleased libddwaf version, and was only tested locally. Tests and feature will be activated later.
APPSEC-51853
Checklist
changelog/no-changelog
is set@DataDog/apm-tees
.@DataDog/security-design-and-guidance
.Reviewer Checklist
APPSEC-51853