TEMP!: hardcode RASP SSRF rule & span tag for staging

Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
DataDog · May 23, 2024 · 89209f0 · 89209f0
1 parent fb1fd87
commit 89209f0
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 0 deletions.
diff --git a/contrib/net/http/roundtripper.go b/contrib/net/http/roundtripper.go
@@ -78,6 +78,7 @@ func (rt *roundTripper) RoundTrip(req *http.Request) (res *http.Response, err er
 		}
 	}
 	if appsec.Enabled() {
+		span.SetTag("_dd.appsec.rasp", "1")
 		res, err = httpsec.RoundTrip(httpsec.RoundTripArgs{
 			Ctx: ctx,
 			Req: r2,

diff --git a/internal/appsec/waf.go b/internal/appsec/waf.go
@@ -50,6 +50,57 @@ func (a *appsec) swapWAF(rules config.RulesFragment) (err error) {
 	return nil
 }
 
+const raspSSRFRule = `
+{
+	"id": "rasp-934-100",
+	"name": "Server-side request forgery exploit",
+	"tags": {
+		"type": "ssrf",
+		"category": "vulnerability_trigger",
+		"cwe": "918",
+		"capec": "1000/225/115/664",
+		"confidence": "0",
+		"module": "rasp"
+	},
+	"conditions": [
+		{
+			"parameters": {
+				"resource": [
+					{
+						"address": "server.io.net.url"
+					}
+				],
+				"params": [
+					{
+						"address": "server.request.query"
+					},
+					{
+						"address": "server.request.body"
+					},
+					{
+						"address": "server.request.path_params"
+					},
+					{
+						"address": "grpc.server.request.message"
+					},
+					{
+						"address": "graphql.server.all_resolvers"
+					},
+					{
+						"address": "graphql.server.resolver"
+					}
+				]
+			},
+			"operator": "ssrf_detector"
+		}
+	],
+	"transformers": [],
+	"on_match": [
+		"stack_trace"
+	]
+}
+`
+
 type wafEventListener func(*waf.Handle, *config.Config, limiter.Limiter, dyngo.Operation)
 
 // wafEventListeners is the global list of event listeners registered by contribs at init time. This