Rasp rule can be specified when addresses are pushed

DataDog · Jan 29, 2025 · 6300ec5 · 6300ec5
1 parent c11372f
commit 6300ec5
Show file tree

Hide file tree

Showing 15 changed files with 138 additions and 23 deletions.
diff --git a/appsec/src/extension/commands/request_exec.c b/appsec/src/extension/commands/request_exec.c
@@ -8,13 +8,14 @@
 #include "../commands_helpers.h"
 #include "../logging.h"
 #include "../msgpack_helpers.h"
+#include "../ddappsec.h"
 #include <php.h>
 #include <zend_hash.h>
 #include <zend_types.h>
 
 struct ctx {
     struct req_info req_info; // dd_command_proc_resp_verd_span_data expect it
-    bool rasp;
+    dd_rasp_rule rasp_rule;
     zval *nonnull data;
 };
 
@@ -29,15 +30,15 @@ static const dd_command_spec _spec = {
     .config_features_cb = dd_command_process_config_features_unexpected,
 };
 
-dd_result dd_request_exec(dd_conn *nonnull conn, zval *nonnull data, bool rasp)
+dd_result dd_request_exec(dd_conn *nonnull conn, zval *nonnull data, unsigned rasp_rule)
 {
     if (Z_TYPE_P(data) != IS_ARRAY) {
         mlog(dd_log_debug, "Invalid data provided to command request_exec, "
                            "expected hash table.");
         return dd_error;
     }
 
-    struct ctx ctx = {.rasp = rasp, .data = data};
+    struct ctx ctx = {.rasp_rule = rasp_rule, .data = data};
 
     return dd_command_exec_req_info(conn, &_spec, &ctx.req_info);
 }
@@ -47,7 +48,7 @@ static dd_result _pack_command(mpack_writer_t *nonnull w, void *nonnull _ctx)
     assert(_ctx != NULL);
     struct ctx *ctx = _ctx;
 
-    mpack_write(w, ctx->rasp);
+    mpack_write(w, ctx->rasp_rule);
     dd_mpack_write_zval(w, ctx->data);
 
     return dd_success;

diff --git a/appsec/src/extension/commands/request_exec.h b/appsec/src/extension/commands/request_exec.h
@@ -9,4 +9,4 @@
 #include <SAPI.h>
 #include <php.h>
 
-dd_result dd_request_exec(dd_conn *nonnull conn, zval *nonnull data, bool rasp);
+dd_result dd_request_exec(dd_conn *nonnull conn, zval *nonnull data, unsigned rasp_rule);
diff --git a/appsec/src/extension/ddappsec.c b/appsec/src/extension/ddappsec.c
@@ -488,8 +488,8 @@ static PHP_FUNCTION(datadog_appsec_push_addresses)
     }
 
     zval *addresses = NULL;
-    bool rasp = false;
-    if (zend_parse_parameters(ZEND_NUM_ARGS(), "z|b", &addresses, &rasp) ==
+    long rasp_rule = dd_rasp_rule_none;
+    if (zend_parse_parameters(ZEND_NUM_ARGS(), "z|l", &addresses, &rasp_rule) ==
         FAILURE) {
         RETURN_FALSE;
     }
@@ -498,7 +498,12 @@ static PHP_FUNCTION(datadog_appsec_push_addresses)
         RETURN_FALSE;
     }
 
-    if (rasp && !get_global_DD_APPSEC_RASP_ENABLED()) {
+    if (rasp_rule != dd_rasp_rule_lfi && rasp_rule != dd_rasp_rule_ssrf) {
+        rasp_rule = dd_rasp_rule_none;
+    }
+
+    if (rasp_rule != dd_rasp_rule_none &&
+        !get_global_DD_APPSEC_RASP_ENABLED()) {
         return;
     }
 
@@ -508,9 +513,9 @@ static PHP_FUNCTION(datadog_appsec_push_addresses)
         return;
     }
 
-    dd_result res = dd_request_exec(conn, addresses, rasp);
+    dd_result res = dd_request_exec(conn, addresses, rasp_rule);
 
-    if (rasp) {
+    if (rasp_rule > dd_rasp_rule_none) {
         clock_gettime(CLOCK_MONOTONIC_RAW, &end);
         elapsed =
             ((int64_t)end.tv_sec - (int64_t)start.tv_sec) *
@@ -570,6 +575,16 @@ static void _register_testing_objects()
 {
     dd_phpobj_reg_funcs(functions);
 
+#    define _REG_RASP_CONST(php_name, value)                                    \
+        do {                                                                   \
+            char v[] = "datadog\\appsec\\rasp\\" php_name;       \
+            dd_phpobj_reg_long_const(                                          \
+                v, sizeof(v) - 1, value, CONST_CS | CONST_PERSISTENT);         \
+        } while (0)
+
+    _REG_RASP_CONST("LFI", dd_rasp_rule_lfi);
+    _REG_RASP_CONST("SSRF", dd_rasp_rule_ssrf);
+
     if (!get_global_DD_APPSEC_TESTING()) {
         return;
     }

diff --git a/appsec/src/extension/ddappsec.h b/appsec/src/extension/ddappsec.h
@@ -67,4 +67,10 @@ int dd_appsec_rshutdown(bool ignore_verdict);
 
 #define PHP_DDAPPSEC_EXTNAME "ddappsec"
 
+typedef enum {
+    dd_rasp_rule_none = 0,
+    dd_rasp_rule_lfi,
+    dd_rasp_rule_ssrf,
+} dd_rasp_rule;
+
 #endif // DDAPPSEC_H
diff --git a/appsec/tests/extension/actions_handling_01.phpt b/appsec/tests/extension/actions_handling_01.phpt
@@ -32,7 +32,7 @@ array(2) {
   [1]=>
   array(2) {
     [0]=>
-    bool(false)
+    int(0)
     [1]=>
     array(1) {
       ["server.request.path_params"]=>

diff --git a/appsec/tests/extension/push_params_ok_01.phpt b/appsec/tests/extension/push_params_ok_01.phpt
@@ -32,7 +32,7 @@ array(2) {
   [1]=>
   array(2) {
     [0]=>
-    bool(false)
+    int(0)
     [1]=>
     array(1) {
       ["server.request.path_params"]=>

diff --git a/appsec/tests/extension/push_params_ok_02.phpt b/appsec/tests/extension/push_params_ok_02.phpt
@@ -32,7 +32,7 @@ array(2) {
   [1]=>
   array(2) {
     [0]=>
-    bool(false)
+    int(0)
     [1]=>
     array(1) {
       ["server.request.path_params"]=>

diff --git a/appsec/tests/extension/push_params_ok_03.phpt b/appsec/tests/extension/push_params_ok_03.phpt
@@ -32,7 +32,7 @@ array(2) {
   [1]=>
   array(2) {
     [0]=>
-    bool(false)
+    int(0)
     [1]=>
     array(1) {
       ["server.request.path_params"]=>

diff --git a/appsec/tests/extension/push_params_ok_04.phpt b/appsec/tests/extension/push_params_ok_04.phpt
@@ -18,8 +18,7 @@ $helper = Helper::createInitedRun([
 ]);
 
 var_dump(rinit());
-$is_rasp = true;
-push_addresses(["server.request.path_params" => 1234], $is_rasp);
+push_addresses(["server.request.path_params" => 1234], \datadog\appsec\rasp\LFI);
 var_dump(rshutdown());
 print_r(root_span_get_metrics());
 
@@ -41,7 +40,7 @@ array(2) {
   [1]=>
   array(2) {
     [0]=>
-    bool(true)
+    int(1)
     [1]=>
     array(1) {
       ["server.request.path_params"]=>

diff --git a/appsec/tests/extension/push_params_ok_05.phpt b/appsec/tests/extension/push_params_ok_05.phpt
@@ -18,8 +18,7 @@ $helper = Helper::createInitedRun([
 ]);
 
 var_dump(rinit());
-$is_rasp = true;
-push_addresses(["server.request.path_params" => 1234], $is_rasp);
+push_addresses(["server.request.path_params" => 1234], \datadog\appsec\rasp\LFI);
 var_dump(rshutdown());
 print_r(root_span_get_metrics());
 

diff --git a/appsec/tests/extension/push_params_ok_06.phpt b/appsec/tests/extension/push_params_ok_06.phpt
@@ -16,8 +16,7 @@ $helper = Helper::createInitedRun([
 ]);
 
 var_dump(rinit());
-$is_rasp = true;
-push_addresses(["server.request.path_params" => 1234], $is_rasp);
+push_addresses(["server.request.path_params" => 1234], \datadog\appsec\rasp\LFI);
 var_dump(rshutdown());
 print_r(root_span_get_metrics());
 

diff --git a/appsec/tests/extension/push_params_ok_07.phpt b/appsec/tests/extension/push_params_ok_07.phpt
@@ -32,7 +32,7 @@ array(2) {
   [1]=>
   array(2) {
     [0]=>
-    bool(false)
+    int(0)
     [1]=>
     array(2) {
       ["server.request.path_params"]=>

diff --git a/appsec/tests/extension/push_params_ok_08.phpt b/appsec/tests/extension/push_params_ok_08.phpt
@@ -0,0 +1,48 @@
+--TEST--
+LFI Rule can be sent
+--INI--
+extension=ddtrace.so
+datadog.appsec.enabled=1
+datadog.appsec.rasp_enabled=1
+--FILE--
+<?php
+use function datadog\appsec\testing\{rinit,rshutdown};
+use function datadog\appsec\push_addresses;
+
+include __DIR__ . '/inc/mock_helper.php';
+
+$helper = Helper::createInitedRun([
+    response_list(response_request_init([[['ok', []]]])),
+    response_list(response_request_exec([[['ok', []]], [], [], [], false])),
+    response_list(response_request_shutdown([[['ok', []]], new ArrayObject(), new ArrayObject()]))
+]);
+
+var_dump(rinit());
+push_addresses(["server.request.path_params" => ["some" => "params", "more" => "parameters"]], \datadog\appsec\rasp\LFI);
+var_dump(rshutdown());
+
+var_dump($helper->get_command("request_exec"));
+
+?>
+--EXPECTF--
+bool(true)
+bool(true)
+array(2) {
+  [0]=>
+  string(12) "request_exec"
+  [1]=>
+  array(2) {
+    [0]=>
+    int(1)
+    [1]=>
+    array(1) {
+      ["server.request.path_params"]=>
+      array(2) {
+        ["some"]=>
+        string(6) "params"
+        ["more"]=>
+        string(10) "parameters"
+      }
+    }
+  }
+}
diff --git a/appsec/tests/extension/push_params_ok_09.phpt b/appsec/tests/extension/push_params_ok_09.phpt
@@ -0,0 +1,48 @@
+--TEST--
+SSRF Rule can be sent
+--INI--
+extension=ddtrace.so
+datadog.appsec.enabled=1
+datadog.appsec.rasp_enabled=1
+--FILE--
+<?php
+use function datadog\appsec\testing\{rinit,rshutdown};
+use function datadog\appsec\push_addresses;
+
+include __DIR__ . '/inc/mock_helper.php';
+
+$helper = Helper::createInitedRun([
+    response_list(response_request_init([[['ok', []]]])),
+    response_list(response_request_exec([[['ok', []]], [], [], [], false])),
+    response_list(response_request_shutdown([[['ok', []]], new ArrayObject(), new ArrayObject()]))
+]);
+
+var_dump(rinit());
+push_addresses(["server.request.path_params" => ["some" => "params", "more" => "parameters"]], \datadog\appsec\rasp\SSRF);
+var_dump(rshutdown());
+
+var_dump($helper->get_command("request_exec"));
+
+?>
+--EXPECTF--
+bool(true)
+bool(true)
+array(2) {
+  [0]=>
+  string(12) "request_exec"
+  [1]=>
+  array(2) {
+    [0]=>
+    int(2)
+    [1]=>
+    array(1) {
+      ["server.request.path_params"]=>
+      array(2) {
+        ["some"]=>
+        string(6) "params"
+        ["more"]=>
+        string(10) "parameters"
+      }
+    }
+  }
+}
diff --git a/appsec/tests/extension/request_exec.phpt b/appsec/tests/extension/request_exec.phpt
@@ -47,7 +47,7 @@ array(2) {
   [1]=>
   array(2) {
     [0]=>
-    bool(false)
+    int(0)
     [1]=>
     array(3) {
       ["key 01"]=>