Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pass HTTP client IP to WAF #2316

Merged
merged 17 commits into from
Nov 15, 2022
Merged

Pass HTTP client IP to WAF #2316

merged 17 commits into from
Nov 15, 2022

Conversation

lloeki
Copy link
Contributor

@lloeki lloeki commented Oct 13, 2022

What does this PR do?

Pass HTTP client IP to WAF, which in turn makes it blockable.

Motivation

IP blocking.

How to test the change?

Specs, or manually:

# with Datadog.configure { |c| c.appsec.ip_denylist = ['1.2.3.4'] }
curl -vv -H 'X-Forwarded-For: 1.2.3.4' -H 'Accept: text/html' http://127.0.0.1:9292/
curl -vv -H 'X-Forwarded-For: 1.2.3.4' -H 'Accept: application/json' http://127.0.0.1:9292/
curl -vv -H 'X-Forwarded-For: 1.2.3.4' -H 'Accept: text/plain' http://127.0.0.1:9292/
curl -vv -H 'X-Forwarded-For: 1.2.3.4' http://127.0.0.1:9292/

@github-actions github-actions bot added appsec Application Security monitoring product integrations Involves tracing integrations labels Oct 13, 2022
@lloeki lloeki mentioned this pull request Oct 14, 2022
Merged
@lloeki
Pass HTTP client IP to WAF
ca4d708 
A configurable was added as well to ease testing. As a consequence,
since the blocking process was implemented, the expected 403 response is
sent upon match.
@lloeki
Add basic content negotiation support for blocking
e3d11c7 
Also updates blocking assets to be spec compliant.
@lloeki
Change expected 403 to 200 when appsec is disabled
042c2f0 
This is a 403 FORBIDDEN span, but in these tests it's used for the
blocking case so the no-appsec case should be a 200 OK
@lloeki
Change reset with around to after
8e226dc 
Presumably after is enough, around was carried over from tracing specs,
where it was probably added because other tests were leaking
configuration. This is not the case in the appsec spec scope.
@lloeki
Enable AppSec IP blocking test for Sinatra and Rails
0328405
@lloeki
Improve blocking code
bfe1f0a 
- factor out response generation
- support blocking for Sinatra route events
@lloeki lloeki force-pushed the lloeki/pass-client-ip-to-waf branch from 4123115 to bfe1f0a Compare November 10, 2022 12:46
@github-actions github-actions bot added core Involves Datadog core libraries profiling Involves Datadog profiling tracing labels Nov 10, 2022
@lloeki lloeki changed the base branch from 1.5-stable to master November 10, 2022 12:48
@lloeki lloeki marked this pull request as ready for review November 10, 2022 12:49
@lloeki lloeki requested a review from a team November 10, 2022 12:49
@github-actions github-actions bot removed tracing core Involves Datadog core libraries profiling Involves Datadog profiling labels Nov 10, 2022
@lloeki lloeki force-pushed the lloeki/pass-client-ip-to-waf branch from 78f7d41 to 1f68f94 Compare November 10, 2022 14:00
@lloeki @marcotc
Split HTTP_ACCEPT only once
5f25e24 
Co-authored-by: Marco Costa <marco.costa@datadoghq.com>
@lloeki lloeki force-pushed the lloeki/pass-client-ip-to-waf branch from fb5d99f to 5f25e24 Compare November 14, 2022 14:57
@lloeki
Remove extra spec declaration line
b4c2694
@lloeki
Disable AppSec rails contrib tests
f7b43e9 
JRuby seems to have issues with memory / GC in these cases
marcotc
marcotc reviewed Nov 14, 2022
View reviewed changes
Rakefile Outdated
declare '❌ 2.1 / ✅ 2.2 / ✅ 2.3 / ✅ 2.4 / ✅ 2.5 / ✅ 2.6 / ✅ 2.7 / ❌ 3.0 / ❌ 3.1 / ❌ 3.2 / ✅ jruby' => 'bundle exec appraisal rails5-mysql2 rake spec:appsec:rails'
declare '❌ 2.1 / ❌ 2.2 / ❌ 2.3 / ❌ 2.4 / ✅ 2.5 / ✅ 2.6 / ✅ 2.7 / ❌ 3.0 / ❌ 3.1 / ❌ 3.2 / ✅ jruby' => 'bundle exec appraisal rails6-mysql2 rake spec:appsec:rails'
declare '❌ 2.1 / ❌ 2.2 / ❌ 2.3 / ❌ 2.4 / ✅ 2.5 / ✅ 2.6 / ✅ 2.7 / ✅ 3.0 / ✅ 3.1 / ❌ 3.2 / ✅ jruby' => 'bundle exec appraisal rails61-mysql2 rake spec:appsec:rails'
declare '✅ 2.1 / ✅ 2.2 / ✅ 2.3 / ❌ 2.4 / ❌ 2.5 / ❌ 2.6 / ❌ 2.7 / ❌ 3.0 / ❌ 3.1 / ❌ 3.2 / ❌ jruby' => 'bundle exec appraisal rails32-mysql2 rake spec:rails'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you mean to disable JRuby for Tracing tests? bundle exec appraisal rails32-mysql2 rake spec:rails

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, good catch @marcotc, I think I fat-fingered that one.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the fat finger was in the original PR that added it? This actually seems duplicated from the non-appsec section 😱

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, actually:

diff --git a/Rakefile b/Rakefile
index 9b854bd151..c0b07de3d3 100644
--- a/Rakefile
+++ b/Rakefile
@@ -388,7 +388,6 @@ task :ci do
   # AppSec contrib specs
   declare '✅ 2.1 / ✅ 2.2 / ✅ 2.3 / ✅ 2.4 / ✅ 2.5 / ✅ 2.6 / ✅ 2.7 / ✅ 3.0 / ✅ 3.1 / ✅ 3.2 / ✅ jruby' => 'bundle exec appraisal contrib rake spec:appsec:rack'
   declare '✅ 2.1 / ✅ 2.2 / ✅ 2.3 / ✅ 2.4 / ✅ 2.5 / ✅ 2.6 / ✅ 2.7 / ✅ 3.0 / ✅ 3.1 / ✅ 3.2 / ✅ jruby' => 'bundle exec appraisal contrib rake spec:appsec:sinatra'
-  declare '✅ 2.1 / ✅ 2.2 / ✅ 2.3 / ❌ 2.4 / ❌ 2.5 / ❌ 2.6 / ❌ 2.7 / ❌ 3.0 / ❌ 3.1 / ❌ 3.2 / ✅ jruby' => 'bundle exec appraisal rails4-mysql2 rake spec:rails'
 
   # AppSec Rails specs
   declare '✅ 2.1 / ✅ 2.2 / ✅ 2.3 / ❌ 2.4 / ❌ 2.5 / ❌ 2.6 / ❌ 2.7 / ❌ 3.0 / ❌ 3.1 / ❌ 3.2 / ✅ jruby' => 'bundle exec appraisal rails32-mysql2 rake spec:rails'

☝️ This diff removed an extra line that was duplicated.

diff --git a/Rakefile b/Rakefile
index c0b07de3d3..30fd9257e6 100644
--- a/Rakefile
+++ b/Rakefile
@@ -390,11 +390,11 @@ task :ci do
   declare '✅ 2.1 / ✅ 2.2 / ✅ 2.3 / ✅ 2.4 / ✅ 2.5 / ✅ 2.6 / ✅ 2.7 / ✅ 3.0 / ✅ 3.1 / ✅ 3.2 / ✅ jruby' => 'bundle exec appraisal contrib rake spec:appsec:sinatra'
 
   # AppSec Rails specs
-  declare '✅ 2.1 / ✅ 2.2 / ✅ 2.3 / ❌ 2.4 / ❌ 2.5 / ❌ 2.6 / ❌ 2.7 / ❌ 3.0 / ❌ 3.1 / ❌ 3.2 / ✅ jruby' => 'bundle exec appraisal rails32-mysql2 rake spec:rails'
-  declare '✅ 2.1 / ✅ 2.2 / ✅ 2.3 / ❌ 2.4 / ❌ 2.5 / ❌ 2.6 / ❌ 2.7 / ❌ 3.0 / ❌ 3.1 / ❌ 3.2 / ✅ jruby' => 'bundle exec appraisal rails4-mysql2 rake spec:appsec:rails'
-  declare '❌ 2.1 / ✅ 2.2 / ✅ 2.3 / ✅ 2.4 / ✅ 2.5 / ✅ 2.6 / ✅ 2.7 / ❌ 3.0 / ❌ 3.1 / ❌ 3.2 / ✅ jruby' => 'bundle exec appraisal rails5-mysql2 rake spec:appsec:rails'
-  declare '❌ 2.1 / ❌ 2.2 / ❌ 2.3 / ❌ 2.4 / ✅ 2.5 / ✅ 2.6 / ✅ 2.7 / ❌ 3.0 / ❌ 3.1 / ❌ 3.2 / ✅ jruby' => 'bundle exec appraisal rails6-mysql2 rake spec:appsec:rails'
-  declare '❌ 2.1 / ❌ 2.2 / ❌ 2.3 / ❌ 2.4 / ✅ 2.5 / ✅ 2.6 / ✅ 2.7 / ✅ 3.0 / ✅ 3.1 / ❌ 3.2 / ✅ jruby' => 'bundle exec appraisal rails61-mysql2 rake spec:appsec:rails'
+  declare '✅ 2.1 / ✅ 2.2 / ✅ 2.3 / ❌ 2.4 / ❌ 2.5 / ❌ 2.6 / ❌ 2.7 / ❌ 3.0 / ❌ 3.1 / ❌ 3.2 / ❌ jruby' => 'bundle exec appraisal rails32-mysql2 rake spec:rails'
+  declare '✅ 2.1 / ✅ 2.2 / ✅ 2.3 / ❌ 2.4 / ❌ 2.5 / ❌ 2.6 / ❌ 2.7 / ❌ 3.0 / ❌ 3.1 / ❌ 3.2 / ❌ jruby' => 'bundle exec appraisal rails4-mysql2 rake spec:appsec:rails'
+  declare '❌ 2.1 / ✅ 2.2 / ✅ 2.3 / ✅ 2.4 / ✅ 2.5 / ✅ 2.6 / ✅ 2.7 / ❌ 3.0 / ❌ 3.1 / ❌ 3.2 / ❌ jruby' => 'bundle exec appraisal rails5-mysql2 rake spec:appsec:rails'
+  declare '❌ 2.1 / ❌ 2.2 / ❌ 2.3 / ❌ 2.4 / ✅ 2.5 / ✅ 2.6 / ✅ 2.7 / ❌ 3.0 / ❌ 3.1 / ❌ 3.2 / ❌ jruby' => 'bundle exec appraisal rails6-mysql2 rake spec:appsec:rails'
+  declare '❌ 2.1 / ❌ 2.2 / ❌ 2.3 / ❌ 2.4 / ✅ 2.5 / ✅ 2.6 / ✅ 2.7 / ✅ 3.0 / ✅ 3.1 / ❌ 3.2 / ❌ jruby' => 'bundle exec appraisal rails61-mysql2 rake spec:appsec:rails'
 end
 
 namespace :coverage do

☝️ This diff had the corresponding line that was duplicated. Notice though that both are spec:rails... instead of spec:appsec:rails, which is the actual mistake!

@lloeki
Fix incorrect spec target
9ec5ec3 
There appears to have been a mistake here, either progressively slipping
in, or an automerge failure.
@lloeki
Use head instead of render for AppSec Rails specs
9314c7a 
Using head eschews view lookup, which failed for Rails 3 since
`render plain: 'ok'` is not supported.
@lloeki
Copy link
Contributor Author

lloeki commented Nov 15, 2022
edited

Alright, I fixed the 3.2 crash in specs using head instead of render.

Last spec failures are about Rails 3.2 not instrumenting correctly for AppSec. This is detected by system tests as well, as the following result is absent from 3.2 variants:

runner           | XPASSED tests/appsec/waf/test_addresses.py::Test_PathParams::test_security_scanner - Expected to fail, but all is ok

Sadly I don't have those enforced yet (hence XPASSED), otherwise we would have detected the issue before.

Root cause is strange, the following is properly called but afterwards ProcessActionPatch is conspicuously missing from the TestController ancestry.

          def patch_process_action
            binding.pry
            ::ActionController::Instrumentation.prepend(ProcessActionPatch)
          end

@lloeki
Patch ActionController::Metal instead of ActionController::Instrument…
ba2147c 
…ation

The former patch point appears to be ineffective on Rails 3.2.

In addition this aligns with Tracing's ActionPack patch.
@codecov-commenter
Copy link

Codecov Report

Merging #2316 (ba2147c) into master (97885d7) will increase coverage by 0.02%.
The diff coverage is 98.26%.

@@            Coverage Diff             @@
##           master    #2316      +/-   ##
==========================================
+ Coverage   98.34%   98.36%   +0.02%     
==========================================
  Files        1102     1103       +1     
  Lines       58942    59149     +207     
==========================================
+ Hits        57967    58183     +216     
+ Misses        975      966       -9
Impacted Files Coverage Δ
.../datadog/appsec/contrib/sinatra/gateway/watcher.rb 100.00% <ø> (ø)
lib/datadog/appsec/extensions.rb 88.05% <83.33%> (-0.47%) ⬇️
lib/datadog/appsec/response.rb 88.46% <88.46%> (ø)
lib/datadog/appsec/assets.rb 100.00% <100.00%> (+5.88%) ⬆️
lib/datadog/appsec/configuration.rb 100.00% <100.00%> (ø)
lib/datadog/appsec/configuration/settings.rb 81.39% <100.00%> (+0.44%) ⬆️
...ib/datadog/appsec/contrib/rack/reactive/request.rb 92.50% <100.00%> (+0.39%) ⬆️
lib/datadog/appsec/contrib/rack/request.rb 97.14% <100.00%> (+1.14%) ⬆️
...dog/appsec/contrib/rack/request_body_middleware.rb 100.00% <100.00%> (+5.55%) ⬆️
.../datadog/appsec/contrib/rack/request_middleware.rb 100.00% <100.00%> (+1.47%) ⬆️
... and 17 more

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@lloeki lloeki merged commit 2731a04 into master Nov 15, 2022
@lloeki lloeki deleted the lloeki/pass-client-ip-to-waf branch November 15, 2022 22:16
@github-actions github-actions bot added this to the 1.7.0 milestone Nov 15, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ivoanjo ivoanjo ivoanjo left review comments

@marcotc marcotc marcotc approved these changes

Assignees
No one assigned
Labels
appsec Application Security monitoring product integrations Involves tracing integrations
Projects
None yet
Milestone
1.7.0
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@lloeki @codecov-commenter @marcotc @ivoanjo