Server-side request forgery (SSRF) detection operator #268

Anilm3 · 2024-02-26T17:23:35Z

SSRF detection operator
URL parsing helpers
Fuzzer tests for both URL parser and SSRF detector
Unit tests

codecov-commenter · 2024-02-26T17:28:11Z

Codecov Report

Attention: Patch coverage is 87.60331% with 45 lines in your changes are missing coverage. Please review.

Project coverage is 83.08%. Comparing base (c51ae81) to head (a05f2ac).

Files	Patch %	Lines
src/uri_utils.cpp	88.42%	7 Missing and 18 partials ⚠️
src/condition/ssrf_detector.cpp	83.51%	1 Missing and 14 partials ⚠️
src/ip_utils.cpp	92.59%	1 Missing and 1 partial ⚠️
src/matcher/ip_match.hpp	81.81%	1 Missing and 1 partial ⚠️
src/matcher/ip_match.cpp	93.33%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #268      +/-   ##
==========================================
+ Coverage   82.86%   83.08%   +0.22%     
==========================================
  Files         113      115       +2     
  Lines        4225     4564     +339     
  Branches     1992     2138     +146     
==========================================
+ Hits         3501     3792     +291     
- Misses        292      301       +9     
- Partials      432      471      +39

Flag	Coverage Δ
waf_test	`83.08% <87.60%> (+0.22%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

pr-commenter · 2024-02-26T17:46:35Z

Benchmarks

Benchmark execution time: 2024-03-08 11:07:53

Comparing candidate commit 8362937 in PR branch anilm3/ssrf with baseline commit c51ae81 in branch master.

Found 8 performance improvements and 3 performance regressions! Performance is the same for 8 metrics, 0 unstable metrics.

scenario:bool_equals_matcher.random

🟩 execution_time [-73.955µs; -73.000µs] or [-6.260%; -6.179%]

scenario:exact_match_matcher.random

🟩 execution_time [-91.189µs; -90.251µs] or [-5.938%; -5.877%]

scenario:float_equals_matcher.random

🟩 execution_time [-39.620µs; -35.899µs] or [-3.352%; -3.037%]

scenario:lowercase_transformer.random

🟩 execution_time [-90.507µs; -89.450µs] or [-5.306%; -5.244%]

scenario:regex_match_matcher.case_insensitive_flag.random

🟥 execution_time [+503.956µs; +505.429µs] or [+11.841%; +11.875%]

scenario:regex_match_matcher.case_insensitive_option.random

🟥 execution_time [+507.538µs; +508.981µs] or [+11.938%; +11.972%]

scenario:regex_match_matcher.lowercase_transformer.random

🟥 execution_time [+534.016µs; +535.766µs] or [+9.380%; +9.411%]

scenario:regex_match_matcher.random

🟩 execution_time [-151.071µs; -149.932µs] or [-7.667%; -7.610%]

scenario:signed_equals_matcher.random

🟩 execution_time [-72.200µs; -71.120µs] or [-6.115%; -6.023%]

scenario:string_equals_matcher.random

🟩 execution_time [-74.838µs; -73.514µs] or [-5.160%; -5.069%]

scenario:unsigned_equals_matcher.random

🟩 execution_time [-77.997µs; -76.709µs] or [-6.590%; -6.481%]

src/condition/ssrf_detector.cpp

src/uri_utils.cpp

src/condition/ssrf_detector.cpp

* Improvements on SSRF detectors * Improved URI parser * IP Match helper

…/ssrf

Anilm3 · 2024-03-04T16:37:09Z

.clang-tidy

@@ -1,7 +1,7 @@
 ---
 # readability-function-cognitive-complexity temporarily disabled until clang-tidy is fixed
 # right now emalloc causes it to misbehave
-Checks:          '*,misc-const-correctness,-bugprone-reserved-identifier,-hicpp-signed-bitwise,-llvmlibc-restrict-system-libc-headers,-altera-unroll-loops,-hicpp-named-parameter,-cert-dcl37-c,-cert-dcl51-cpp,-read,-cppcoreguidelines-init-variables,-cppcoreguidelines-avoid-non-const-global-variables,-altera-id-dependent-backward-branch,-performance-no-int-to-ptr,-altera-struct-pack-align,-google-readability-casting,-modernize-use-trailing-return-type,-llvmlibc-implementation-in-namespace,-llvmlibc-callee-namespace,-cppcoreguidelines-pro-bounds-pointer-arithmetic,-fuchsia-default-arguments-declarations,-fuchsia-overloaded-operator,-cppcoreguidelines-pro-type-union-access,-fuchsia-default-arguments-calls,-cppcoreguidelines-non-private-member-variables-in-classes,-misc-non-private-member-variables-in-classes,-google-readability-todo,-llvm-header-guard,-readability-function-cognitive-complexity,-readability-identifier-length,-cppcoreguidelines-owning-memory,-cert-err58-cpp,-fuchsia-statically-constructed-objects,-google-build-using-namespace,-hicpp-avoid-goto,-cppcoreguidelines-avoid-goto,-hicpp-no-array-decay,-cppcoreguidelines-pro-bounds-array-to-pointer-decay,-cppcoreguidelines-pro-bounds-constant-array-index,-cppcoreguidelines-avoid-magic-numbers,-readability-magic-numbers,-abseil-string-find-str-contains'
+Checks:          '*,misc-const-correctness,-bugprone-reserved-identifier,-hicpp-signed-bitwise,-llvmlibc-restrict-system-libc-headers,-altera-unroll-loops,-hicpp-named-parameter,-cert-dcl37-c,-cert-dcl51-cpp,-read,-cppcoreguidelines-init-variables,-cppcoreguidelines-avoid-non-const-global-variables,-altera-id-dependent-backward-branch,-performance-no-int-to-ptr,-altera-struct-pack-align,-google-readability-casting,-modernize-use-trailing-return-type,-llvmlibc-implementation-in-namespace,-llvmlibc-callee-namespace,-cppcoreguidelines-pro-bounds-pointer-arithmetic,-fuchsia-default-arguments-declarations,-fuchsia-overloaded-operator,-cppcoreguidelines-pro-type-union-access,-fuchsia-default-arguments-calls,-cppcoreguidelines-non-private-member-variables-in-classes,-misc-non-private-member-variables-in-classes,-google-readability-todo,-llvm-header-guard,-readability-function-cognitive-complexity,-readability-identifier-length,-cppcoreguidelines-owning-memory,-cert-err58-cpp,-fuchsia-statically-constructed-objects,-google-build-using-namespace,-hicpp-avoid-goto,-cppcoreguidelines-avoid-goto,-hicpp-no-array-decay,-cppcoreguidelines-pro-bounds-array-to-pointer-decay,-cppcoreguidelines-pro-bounds-constant-array-index,-cppcoreguidelines-avoid-magic-numbers,-readability-magic-numbers,-abseil-string-find-str-contains,-bugprone-unchecked-optional-access'


-bugprone-unchecked-optional-access seems to have an issue which is causing it to get stuck in an infinite loop...

llvm/llvm-project#59492

src/condition/ssrf_detector.cpp

estringana

Left some comments but nothing big

src/condition/ssrf_detector.cpp

* Remove questionable false positive check * Improve code to reduce unnecessary checks

Taiki-San

Partial review. The core heuristic needs to be tuned before prod release

src/condition/ssrf_detector.cpp

Co-authored-by: Taiki <emilehugo.spir@datadoghq.com>

src/matcher/ip_match.cpp

src/uri_utils.cpp

estringana

lgtm

Anilm3 added 2 commits February 22, 2024 17:30

Server-side request forgery (SSRF) detection operator

2d97fd4

Add more checks and tests

08057cb

Anilm3 added 13 commits February 26, 2024 22:09

Add support for path, fragment and query

33ca35c

Working commit

31de926

Detect more parameter injections

a425a63

Lint

20420ff

Add more false positive tests

acdfe61

Add URI bound check

81a94d8

Refactor fuzzer and add uri parser fuzzer

dd806af

Fuzzer fixes

f2ed1b3

fuzzer improvements

8cee0e5

Fixes and SSRF fuzzer

5aa9e5b

Fix typo

931eb33

Remove print statement from fuzzer

03c94c8

Improvements

ce92cc5

Anilm3 marked this pull request as ready for review February 29, 2024 17:25

Anilm3 requested a review from a team as a code owner February 29, 2024 17:25

Anilm3 added 2 commits February 29, 2024 17:30

More test cases

b7f9218

Fixes

31322df

cataphract reviewed Mar 1, 2024

View reviewed changes

Anilm3 added 5 commits March 4, 2024 13:46

Address review comments:

93c6134

* Improvements on SSRF detectors * Improved URI parser * IP Match helper

Merge branch 'master' into anilm3/ssrf

7f087ca

Minor improvements

639f391

Mergh branch 'anilm3/ssrf' of github.com:DataDog/libddwaf into anilm3…

c5ac1a1

…/ssrf

Disable bugprone-unchecked-optional-access as it's buggy in clang < 18

d4a8501

Anilm3 commented Mar 4, 2024

View reviewed changes

Anilm3 added 2 commits March 4, 2024 17:01

Increase test coverage

1c06b24

Fix

6beac4d

More fixes

32f863e

estringana reviewed Mar 5, 2024

View reviewed changes

src/condition/ssrf_detector.cpp Outdated Show resolved Hide resolved

estringana reviewed Mar 5, 2024

View reviewed changes

src/condition/ssrf_detector.cpp Show resolved Hide resolved

estringana reviewed Mar 5, 2024

View reviewed changes

src/condition/ssrf_detector.cpp Outdated Show resolved Hide resolved

estringana previously approved these changes Mar 5, 2024

View reviewed changes

Anilm3 added 2 commits March 5, 2024 14:48

Merge branch 'master' into anilm3/ssrf

72bbb41

Improve comments and add extra check

959f199

Anilm3 dismissed estringana’s stale review via 959f199 March 5, 2024 15:36

Anilm3 requested review from Taiki-San, cataphract and estringana March 5, 2024 15:49

Anilm3 added 2 commits March 5, 2024 15:51

Remove unnecessary header

ec21a23

Add more test cases

da7d883

cataphract previously approved these changes Mar 5, 2024

View reviewed changes

Address review comments

5701d1d

Anilm3 dismissed cataphract’s stale review via 5701d1d March 6, 2024 09:43

* Detect %2f as an injection

a05f2ac

* Remove questionable false positive check * Improve code to reduce unnecessary checks

Anilm3 requested a review from cataphract March 6, 2024 13:32

Taiki-San previously approved these changes Mar 7, 2024

View reviewed changes

src/condition/ssrf_detector.cpp Outdated Show resolved Hide resolved

Add check for %5c

d370a07

Anilm3 dismissed Taiki-San’s stale review via d370a07 March 7, 2024 13:11

Update src/condition/ssrf_detector.cpp

c1fe050

Co-authored-by: Taiki <emilehugo.spir@datadoghq.com>

cataphract reviewed Mar 8, 2024

View reviewed changes

Address review comments

8362937

estringana approved these changes Mar 8, 2024

View reviewed changes

cataphract approved these changes Mar 8, 2024

View reviewed changes

Anilm3 merged commit 88df1d4 into master Mar 8, 2024
34 checks passed

Anilm3 deleted the anilm3/ssrf branch March 8, 2024 13:47

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Server-side request forgery (SSRF) detection operator #268

Server-side request forgery (SSRF) detection operator #268

Anilm3 commented Feb 26, 2024 •

edited by jira bot

Loading

codecov-commenter commented Feb 26, 2024 •

edited

Loading

pr-commenter bot commented Feb 26, 2024 •

edited

Loading

Anilm3 Mar 4, 2024

estringana left a comment

Taiki-San left a comment

estringana left a comment

Server-side request forgery (SSRF) detection operator #268

Server-side request forgery (SSRF) detection operator #268

Conversation

Anilm3 commented Feb 26, 2024 • edited by jira bot Loading

codecov-commenter commented Feb 26, 2024 • edited Loading

Codecov Report

pr-commenter bot commented Feb 26, 2024 • edited Loading

Benchmarks

scenario:bool_equals_matcher.random

scenario:exact_match_matcher.random

scenario:float_equals_matcher.random

scenario:lowercase_transformer.random

scenario:regex_match_matcher.case_insensitive_flag.random

scenario:regex_match_matcher.case_insensitive_option.random

scenario:regex_match_matcher.lowercase_transformer.random

scenario:regex_match_matcher.random

scenario:signed_equals_matcher.random

scenario:string_equals_matcher.random

scenario:unsigned_equals_matcher.random

Anilm3 Mar 4, 2024

Choose a reason for hiding this comment

estringana left a comment

Choose a reason for hiding this comment

Taiki-San left a comment

Choose a reason for hiding this comment

estringana left a comment

Choose a reason for hiding this comment

Anilm3 commented Feb 26, 2024 •

edited by jira bot

Loading

codecov-commenter commented Feb 26, 2024 •

edited

Loading

pr-commenter bot commented Feb 26, 2024 •

edited

Loading