Add WebApi path param and body blocking tests
e-n-0 committed Dec 30, 2024
1 parent ebc42dd commit 94d998d
Showing 10 changed files with 2,153 additions and 0 deletions.
Expand Up @@ -106,6 +106,22 @@ public async Task TestBlockedRequest(string test)
await TestAppSecRequestWithVerifyAsync(_iisFixture.Agent, url, null, 5, 1, settings, userAgent: "Hello/V");
}

[Trait("Category", "EndToEnd")]
[Trait("RunOnWindows", "True")]
[Trait("LoadFromGAC", "True")]
[SkippableTheory]
[InlineData(AddressesConstants.RequestPathParams, "/api/route/2?arg=[blocking_test]")]
[InlineData(AddressesConstants.RequestBody, "/api/Home/Upload", "{\"Property1\": \"[blocking_test]\"}")]
public async Task TestBlockedRequests(string test, string url, string body = null)
{
var sanitisedUrl = VerifyHelper.SanitisePathsForVerify(url);
var settings = VerifyHelper.GetSpanVerifierSettings(test, sanitisedUrl, body);

var expectedSpans = test == AddressesConstants.RequestPathParams ? 1 : 2;

await TestAppSecRequestWithVerifyAsync(_iisFixture.Agent, url, body, 5, expectedSpans, settings, "application/json");
}

[SkippableFact]
public async Task TestNullAction()
{
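Review bot: The `AddressesConstants.RequestPathParams` case sends the marker in the query string (`/api/route/2?arg=[blocking_test]`), and the rule this commit adds to the test ruleset also lists `server.request.query`, so the request may be blocked on the query address and the test would still pass if path parameters never reached the WAF. Unless the integration feeds bound action arguments into `server.request.path_params` (not visible here), move the marker into a route segment or narrow the rule to the path-params address so the case isolates what its name claims. `expectedSpans` being 1 for one case and 2 for the other is unexplained; a comment such as `// blocked before the Web API span is created, so only aspnet.request is reported` (if that is the reason) would help. `TestBlockedRequests` is complete within the hunk; `TestNullAction` continues past it.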
Expand Up @@ -5946,6 +5946,42 @@
"on_match": [
"block"
]
},
{
"id": "block-on-path-params",
"name": "Block on path params",
"tags": {
"type": "nosql_injection",
"crs_id": "000009",
"category": "attack_attempt"
},
"conditions": [
{
"parameters": {
"inputs": [
{
"address": "server.request.query"
},
{
"address": "server.request.body"
},
{
"address": "server.request.path_params"
}
],
"regex": "(?i:(?:\\[blocking_test\\]))",
"options": {
"case_sensitive": true,
"min_length": 5
}
},
"operator": "match_regex"
}
],
"transformers": [],
"on_match": [
"block"
]
}
]
}
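Review bot: In `block-on-path-params` the regex is wrapped in `(?i:...)` while `options` sets `"case_sensitive": true`, so the two disagree about case handling; pick one, e.g. `"regex": "\\[blocking_test\\]"` with the option left as is. The id and name say path params, yet `inputs` also covers `server.request.query` and `server.request.body`, which makes a match hard to attribute to one address; a name like `block-on-blocking-test-marker`, or one rule per address, would be clearer. The `nosql_injection` type and `crs_id` `000009` look borrowed from another rule; whether `000009` is already used elsewhere in the file is not visible from this hunk.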
@@ -0,0 +1,237 @@
[
{
TraceId: Id_1,
SpanId: Id_2,
Name: aspnet-webapi.request,
Resource: POST /api/home/{id},
Service: sample,
Type: web,
ParentId: Id_3,
Tags: {
aspnet.controller: home,
aspnet.route: api/{controller}/{id},
env: integration_tests,
http.method: POST,
http.request.headers.host: localhost:00000,
http.status_code: 204,
http.url: http://localhost:00000/api/Home/Upload,
http.useragent: Mistake Not...,
language: dotnet,
span.kind: server
}
},
{
TraceId: Id_1,
SpanId: Id_3,
Name: aspnet.request,
Resource: POST /api/home/{id},
Service: sample,
Type: web,
Tags: {
env: integration_tests,
http.method: POST,
http.request.headers.host: localhost:00000,
http.route: api/{controller}/{id},
http.status_code: 204,
http.url: http://localhost:00000/api/Home/Upload,
http.useragent: Mistake Not...,
language: dotnet,
runtime-id: Guid_1,
span.kind: server
},
Metrics: {
process_id: 0,
_dd.top_level: 1.0,
_dd.tracer_kr: 1.0,
_sampling_priority_v1: 1.0
}
},
{
TraceId: Id_4,
SpanId: Id_5,
Name: aspnet-webapi.request,
Resource: POST /api/home/{id},
Service: sample,
Type: web,
ParentId: Id_6,
Tags: {
aspnet.controller: home,
aspnet.route: api/{controller}/{id},
env: integration_tests,
http.method: POST,
http.request.headers.host: localhost:00000,
http.status_code: 204,
http.url: http://localhost:00000/api/Home/Upload,
http.useragent: Mistake Not...,
language: dotnet,
span.kind: server
}
},
{
TraceId: Id_4,
SpanId: Id_6,
Name: aspnet.request,
Resource: POST /api/home/{id},
Service: sample,
Type: web,
Tags: {
env: integration_tests,
http.method: POST,
http.request.headers.host: localhost:00000,
http.route: api/{controller}/{id},
http.status_code: 204,
http.url: http://localhost:00000/api/Home/Upload,
http.useragent: Mistake Not...,
language: dotnet,
runtime-id: Guid_1,
span.kind: server
},
Metrics: {
process_id: 0,
_dd.top_level: 1.0,
_dd.tracer_kr: 1.0,
_sampling_priority_v1: 1.0
}
},
{
TraceId: Id_7,
SpanId: Id_8,
Name: aspnet-webapi.request,
Resource: POST /api/home/{id},
Service: sample,
Type: web,
ParentId: Id_9,
Tags: {
aspnet.controller: home,
aspnet.route: api/{controller}/{id},
env: integration_tests,
http.method: POST,
http.request.headers.host: localhost:00000,
http.status_code: 204,
http.url: http://localhost:00000/api/Home/Upload,
http.useragent: Mistake Not...,
language: dotnet,
span.kind: server
}
},
{
TraceId: Id_7,
SpanId: Id_9,
Name: aspnet.request,
Resource: POST /api/home/{id},
Service: sample,
Type: web,
Tags: {
env: integration_tests,
http.method: POST,
http.request.headers.host: localhost:00000,
http.route: api/{controller}/{id},
http.status_code: 204,
http.url: http://localhost:00000/api/Home/Upload,
http.useragent: Mistake Not...,
language: dotnet,
runtime-id: Guid_1,
span.kind: server
},
Metrics: {
process_id: 0,
_dd.top_level: 1.0,
_dd.tracer_kr: 1.0,
_sampling_priority_v1: 1.0
}
},
{
TraceId: Id_10,
SpanId: Id_11,
Name: aspnet-webapi.request,
Resource: POST /api/home/{id},
Service: sample,
Type: web,
ParentId: Id_12,
Tags: {
aspnet.controller: home,
aspnet.route: api/{controller}/{id},
env: integration_tests,
http.method: POST,
http.request.headers.host: localhost:00000,
http.status_code: 204,
http.url: http://localhost:00000/api/Home/Upload,
http.useragent: Mistake Not...,
language: dotnet,
span.kind: server
}
},
{
TraceId: Id_10,
SpanId: Id_12,
Name: aspnet.request,
Resource: POST /api/home/{id},
Service: sample,
Type: web,
Tags: {
env: integration_tests,
http.method: POST,
http.request.headers.host: localhost:00000,
http.route: api/{controller}/{id},
http.status_code: 204,
http.url: http://localhost:00000/api/Home/Upload,
http.useragent: Mistake Not...,
language: dotnet,
runtime-id: Guid_1,
span.kind: server
},
Metrics: {
process_id: 0,
_dd.top_level: 1.0,
_dd.tracer_kr: 1.0,
_sampling_priority_v1: 1.0
}
},
{
TraceId: Id_13,
SpanId: Id_14,
Name: aspnet-webapi.request,
Resource: POST /api/home/{id},
Service: sample,
Type: web,
ParentId: Id_15,
Tags: {
aspnet.controller: home,
aspnet.route: api/{controller}/{id},
env: integration_tests,
http.method: POST,
http.request.headers.host: localhost:00000,
http.status_code: 204,
http.url: http://localhost:00000/api/Home/Upload,
http.useragent: Mistake Not...,
language: dotnet,
span.kind: server
}
},
{
TraceId: Id_13,
SpanId: Id_15,
Name: aspnet.request,
Resource: POST /api/home/{id},
Service: sample,
Type: web,
Tags: {
env: integration_tests,
http.method: POST,
http.request.headers.host: localhost:00000,
http.route: api/{controller}/{id},
http.status_code: 204,
http.url: http://localhost:00000/api/Home/Upload,
http.useragent: Mistake Not...,
language: dotnet,
runtime-id: Guid_1,
span.kind: server
},
Metrics: {
process_id: 0,
_dd.top_level: 1.0,
_dd.tracer_kr: 1.0,
_sampling_priority_v1: 1.0
}
}
]