
feat(asm): add exploit prevention LFI support #8568

Conversation

christophe-papazian

@christophe-papazian christophe-papazian commented Mar 1, 2024

First PR to introduce the new exploit prevention feature to ASM.
Add LFI support to Exploit Prevention, and patch mechanism to support more entry points.
This PR is internal only. No new feature is activated, and new tests are not enabled either for now.

  • move patch mechanism from IAST to appsec common file to support multiple ASM features with a common patch instrumentation
  • add support for stack trace report in waf run using metastruct
  • add new endpoints and skipped unit test for that feature.
  • add a new exploit prevention setting in asm config set to always False (the feature can't be enabled for now)

This feature needs an unreleased libddwaf version, and was only tested locally. Tests and feature will be activated later.

APPSEC-51853

Checklist

  • Change(s) are motivated and described in the PR description
  • Testing strategy is described if automated tests are not included in the PR
  • Risks are described (performance impact, potential for breakage, maintainability)
  • Change is maintainable (easy to change, telemetry, documentation)
  • Library release note guidelines are followed or label changelog/no-changelog is set
  • Documentation is included (in-code, generated user docs, public corp docs)
  • Backport labels are set (if applicable)
  • If this PR changes the public interface, I've notified @DataDog/apm-tees.
  • If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from @DataDog/security-design-and-guidance.

Reviewer Checklist

  • Title is accurate
  • All changes are related to the pull request's stated goal
  • Description motivates each change
  • Avoids breaking API changes
  • Testing strategy adequately addresses listed risks
  • Change is maintainable (easy to change, telemetry, documentation)
  • Release note makes sense to a user of the library
  • Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
  • Backport labels are set in a manner that is consistent with the release branch maintenance policy

APPSEC-51853
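To make the two mechanisms in the description concrete (a shared patch routine that wraps an entry point and feeds its argument to the WAF, and a stack trace attached to the match report), here is a small added illustration in Python. It is not code from dd-trace-py: `toy_waf_run`, the address name `server.io.fs.file`, the traversal rule and the fake filesystem module are all constructed stand-ins for libddwaf and the real instrumentation.

```python
import functools
import traceback
import types
from typing import Dict, List

# Constructed stand-in for the WAF: one path-traversal check on a hypothetical LFI
# address. Real rules come from libddwaf; neither the address name nor the rule
# below is taken from the project.
LFI_ADDRESS = "server.io.fs.file"

def toy_waf_run(addresses: Dict[str, object]) -> Dict[str, object]:
    """Return a match when the LFI address carries a '..' path component."""
    value = str(addresses.get(LFI_ADDRESS, ""))
    if ".." in value.replace("\\", "/").split("/"):
        return {"rule": "lfi-traversal", "block": True}
    return {}

def patch_entry_point(module, name: str, address: str, events: List[dict]):
    """Wrap module.<name>; its first argument goes to the WAF under `address`.

    On a match the result and a stack trace (the metastruct-style payload the
    PR describes) are appended to `events`; blocking matches raise.
    """
    original = getattr(module, name)

    @functools.wraps(original)
    def wrapper(*args, **kwargs):
        target = args[0] if args else kwargs.get("file", "")
        result = toy_waf_run({address: target})
        if result:
            # Drop the wrapper's own frame so the trace starts at the caller.
            frames = [f.name for f in traceback.extract_stack()[:-1]]
            events.append({"result": result, "stack": frames})
            if result.get("block"):
                raise PermissionError(f"blocked by exploit prevention: {target}")
        return original(*args, **kwargs)

    setattr(module, name, wrapper)
    return original

def demo(path: str):
    """Patch a constructed fake filesystem module and open `path` through it."""
    fake_fs = types.SimpleNamespace(open=lambda file, mode="r": f"opened {file}")
    events: List[dict] = []
    patch_entry_point(fake_fs, "open", LFI_ADDRESS, events)
    try:
        return fake_fs.open(path), events
    except PermissionError:
        return None, events
```

The recorded `stack` is what lets a defender see which application function reached the instrumented call, which is the value of reporting a trace alongside the WAF match.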

@datadog-dd-trace-py-rkomorn

datadog-dd-trace-py-rkomorn bot commented Mar 1, 2024

Datadog Report

Branch report: christophe-papazian/exploit_prevention_stack_traces_support
Commit report: b7a98ab
Test service: dd-trace-py

✅ 0 Failed, 148124 Passed, 20428 Skipped, 8h 21m 48.03s Total duration (1h 21m 39.1s time saved)

@pr-commenter

pr-commenter bot commented Mar 1, 2024

Benchmarks

Benchmark execution time: 2024-03-25 19:28:42

Comparing candidate commit e658581 in PR branch christophe-papazian/exploit_prevention_stack_traces_support with baseline commit 6955407 in branch main.

Found 0 performance improvements and 1 performance regressions! Performance is the same for 200 metrics, 9 unstable metrics.

scenario:sethttpmeta-obfuscation-disabled

  • 🟥 max_rss_usage [+470.170KB; +710.706KB] or [+2.180%; +3.295%]

@christophe-papazian christophe-papazian force-pushed the christophe-papazian/exploit_prevention_stack_traces_support branch from 8563a19 to 1e42a28 March 13, 2024 16:05
christophe-papazian added a commit that referenced this pull request Mar 21, 2024
…af (#8734)

Previously, all waf addresses were persistent, meaning that we only
needed to send them once to the waf per request. With the introduction
of new features, ephemeral addresses will become more and more common,
and they need to be resent each time to the waf.

This PR addresses that by keeping a list of persistent addresses and treating
all other addresses as ephemeral.
Required for #8568

## Checklist

- [x] Change(s) are motivated and described in the PR description
- [x] Testing strategy is described if automated tests are not included
in the PR
- [x] Risks are described (performance impact, potential for breakage,
maintainability)
- [x] Change is maintainable (easy to change, telemetry, documentation)
- [x] [Library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
are followed or label `changelog/no-changelog` is set
- [x] Documentation is included (in-code, generated user docs, [public
corp docs](https://github.com/DataDog/documentation/))
- [x] Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))
- [x] If this PR changes the public interface, I've notified
`@DataDog/apm-tees`.
- [x] If change touches code that signs or publishes builds or packages,
or handles credentials of any kind, I've requested a review from
`@DataDog/security-design-and-guidance`.

## Reviewer Checklist

- [ ] Title is accurate
- [ ] All changes are related to the pull request's stated goal
- [ ] Description motivates each change
- [ ] Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- [ ] Testing strategy adequately addresses listed risks
- [ ] Change is maintainable (easy to change, telemetry, documentation)
- [ ] Release note makes sense to a user of the library
- [ ] Author has acknowledged and discussed the performance implications
of this PR as reported in the benchmarks PR comment
- [ ] Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)
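The persistent-versus-ephemeral split described in the commit message above, as an added Python illustration that is not the project's own code: the address names in `PERSISTENT_ADDRESSES` and the `server.io.fs.file` address are hypothetical, and `RequestWafContext` only computes the payload a WAF call would receive rather than invoking libddwaf.

```python
from typing import Dict, Iterable, Set

# Hypothetical address names: the page does not list the project's real ones.
PERSISTENT_ADDRESSES: Set[str] = {
    "server.request.uri.raw",
    "server.request.headers.no_cookies",
    "server.request.body",
}

class RequestWafContext:
    """Per-request tracker of what must be sent to the WAF on each run.

    A persistent address is sent once per request and then remembered; every
    address not in the persistent set is ephemeral and resent on each call.
    """

    def __init__(self, persistent: Iterable[str] = PERSISTENT_ADDRESSES) -> None:
        self._persistent = set(persistent)
        self._sent: Set[str] = set()
        self.calls = 0  # how many times the (simulated) WAF was actually invoked

    def run(self, addresses: Dict[str, object]) -> Dict[str, object]:
        """Return the payload that would be passed to the WAF for this call."""
        payload = {}
        for key, value in addresses.items():
            if key in self._persistent:
                if key in self._sent:
                    continue  # already known to the WAF for this request
                self._sent.add(key)
            payload[key] = value  # ephemeral, or persistent seen for the first time
        if payload:  # nothing new means no WAF round-trip at all
            self.calls += 1
        return payload

def simulate_request():
    """Constructed request: one request-level run, then file opens and a repeat."""
    ctx = RequestWafContext()
    first = ctx.run({"server.request.uri.raw": "/download",
                     "server.request.headers.no_cookies": {"host": "app.example"}})
    # The URI is resent by the caller but filtered out as already persistent;
    # the file path is ephemeral and always goes through.
    second = ctx.run({"server.request.uri.raw": "/download",
                      "server.io.fs.file": "a.txt"})
    third = ctx.run({"server.io.fs.file": "b.txt"})
    fourth = ctx.run({"server.request.uri.raw": "/download"})
    return first, second, third, fourth, ctx.calls
```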
christophe-papazian and others added 2 commits March 22, 2024 13:38
Co-authored-by: Federico Mon <federico.mon@datadoghq.com>
Co-authored-by: Federico Mon <federico.mon@datadoghq.com>
@christophe-papazian christophe-papazian enabled auto-merge (squash) March 25, 2024 13:04
@emmettbutler emmettbutler self-requested a review March 25, 2024 17:50
@christophe-papazian christophe-papazian merged commit aa6eb09 into main Mar 26, 2024
149 of 150 checks passed
@christophe-papazian christophe-papazian deleted the christophe-papazian/exploit_prevention_stack_traces_support branch March 26, 2024 09:37
christophe-papazian added a commit that referenced this pull request Apr 11, 2024
Following #8568, this PR adds
support for SSRF for exploit prevention.

1. Add support for SSRF using urllib.request in standard Python API
2. Improve handling of parameters for exploit prevention (positioned or
named)
3. Add endpoints and new unit tests for SSRF
4. Add preliminary support for iast in threat hatch tests

This feature is still private and disabled. Corresponding tests were run
locally and on the CI before being marked skipped.

APPSEC-51853

## Checklist

- [x] Change(s) are motivated and described in the PR description
- [x] Testing strategy is described if automated tests are not included
in the PR
- [x] Risks are described (performance impact, potential for breakage,
maintainability)
- [x] Change is maintainable (easy to change, telemetry, documentation)
- [x] [Library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
are followed or label `changelog/no-changelog` is set
- [x] Documentation is included (in-code, generated user docs, [public
corp docs](https://github.com/DataDog/documentation/))
- [x] Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))
- [x] If this PR changes the public interface, I've notified
`@DataDog/apm-tees`.
- [x] If change touches code that signs or publishes builds or packages,
or handles credentials of any kind, I've requested a review from
`@DataDog/security-design-and-guidance`.

## Reviewer Checklist

- [x] Title is accurate
- [x] All changes are related to the pull request's stated goal
- [x] Description motivates each change
- [x] Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- [x] Testing strategy adequately addresses listed risks
- [x] Change is maintainable (easy to change, telemetry, documentation)
- [x] Release note makes sense to a user of the library
- [x] Author has acknowledged and discussed the performance implications
of this PR as reported in the benchmarks PR comment
- [x] Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

---------

Co-authored-by: Romain Komorn <136473744+romainkomorndatadog@users.noreply.github.com>
Co-authored-by: Federico Mon <federico.mon@datadoghq.com>
Co-authored-by: Teague Bick <teague.bick@datadoghq.com>
Co-authored-by: Emmett Butler <723615+emmettbutler@users.noreply.github.com>
Co-authored-by: Yun Kim <35776586+Yun-Kim@users.noreply.github.com>
Co-authored-by: erikayasuda <153395705+erikayasuda@users.noreply.github.com>
Co-authored-by: Alberto Vara <alberto.vara@datadoghq.com>
Labels
ASM Application Security Monitoring changelog/no-changelog A changelog entry is not required for this PR.