Add http params to wordpress

appsec/src/extension/tags.c

@@ -4,9 +4,11 @@
 // This product includes software developed at Datadog
 // (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
 #include "tags.h"
+#include "commands/request_exec.h"
 #include "ddappsec.h"
 #include "ddtrace.h"
 #include "ext/pcre/php_pcre.h"
+#include "helper_process.h"
 #include "ip_extraction.h"
 #include "logging.h"
 #include "php_compat.h"
@@ -39,6 +41,7 @@
 #define DD_TAG_HTTP_RH_CONTENT_LANGUAGE "http.response.headers.content-language"
 #define DD_TAG_HTTP_CLIENT_IP "http.client_ip"
 #define DD_TAG_USER_ID "usr.id"
+#define DD_TAG_SERVER_REQUEST_PATH_PARAMS "server.request.path_params"
 #define DD_MULTIPLE_IP_HEADERS "_dd.multiple-ip-headers"
 #define DD_METRIC_ENABLED "_dd.appsec.enabled"
 #define DD_APPSEC_EVENTS_PREFIX "appsec.events."
@@ -100,6 +103,7 @@ static zend_string *_key_server_name_zstr;
 static zend_string *_key_http_user_agent_zstr;
 static zend_string *_key_https_zstr;
 static zend_string *_key_remote_addr_zstr;
+static zend_string *_key_server_request_path_params;
 static zend_string *_true_zstr;
 static zend_string *_false_zstr;
 static zend_string *_track_zstr;
@@ -174,6 +178,8 @@ void dd_tags_startup()
     _key_https_zstr = zend_string_init_interned(LSTRARG("HTTPS"), 1);
     _key_remote_addr_zstr =
         zend_string_init_interned(LSTRARG("REMOTE_ADDR"), 1);
+    _key_server_request_path_params = zend_string_init_interned(
+        LSTRARG(DD_TAG_SERVER_REQUEST_PATH_PARAMS), 1);
 
     // Event related strings
     _track_zstr =
@@ -1138,6 +1144,46 @@ static PHP_FUNCTION(datadog_appsec_track_custom_event)
     dd_tags_set_sampling_priority();
 }
 
+static PHP_FUNCTION(datadog_appsec_push_params)
+{
+    UNUSED(return_value);
+    if (DDAPPSEC_G(enabled) != ENABLED) {
+        mlog(dd_log_debug, "Trying to access to push_params "
+                           "function while appsec is disabled");
+        return;
+    }
+
+    zval *parameters = NULL;
+    if (zend_parse_parameters(ZEND_NUM_ARGS(), "z", &parameters) == FAILURE ||
+        Z_TYPE_P(parameters) != IS_ARRAY) {
+        mlog(dd_log_warning, "Unexpected parameters type. Expected array");
+        return;
+    }
+
+    zval parameters_zv;
+    zend_array *parameters_arr = zend_new_array(1);
+    ZVAL_ARR(&parameters_zv, parameters_arr);
+    zval *res = zend_hash_add(
+        Z_ARRVAL(parameters_zv), _key_server_request_path_params, parameters);
+    if (res == NULL) {
+        zval_ptr_dtor(&parameters_zv);
+        mlog_g(dd_log_debug, "Parameters could not be added");
+        return;
+    }
+    Z_ADDREF_P(parameters);
+
+    dd_conn *conn = dd_helper_mgr_cur_conn();
+    if (conn == NULL) {
+        zval_ptr_dtor(&parameters_zv);
+        mlog_g(dd_log_debug, "No connection; skipping push_params");
+        return;
+    }
+
+    dd_request_exec(conn, &parameters_zv);
+
+    zval_ptr_dtor(&parameters_zv);
+}
+
 static bool _set_appsec_enabled(zval *metrics_zv)
 {
     zval zv;
@@ -1228,11 +1274,16 @@ ZEND_ARG_INFO(0, event_name)
 ZEND_ARG_INFO(0, metadata)
 ZEND_END_ARG_INFO()
 
+ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(push_params_arginfo, 0, 0, IS_VOID, 1)
+ZEND_ARG_INFO(0, parameters)
+ZEND_END_ARG_INFO()
+
 static const zend_function_entry functions[] = {
     ZEND_RAW_FENTRY(DD_APPSEC_NS "track_user_signup_event", PHP_FN(datadog_appsec_track_user_signup_event), datadog_appsec_track_user_signup_event_arginfo, 0)
     ZEND_RAW_FENTRY(DD_APPSEC_NS "track_user_login_success_event", PHP_FN(datadog_appsec_track_user_login_success_event), track_user_login_success_event_arginfo, 0)
     ZEND_RAW_FENTRY(DD_APPSEC_NS "track_user_login_failure_event", PHP_FN(datadog_appsec_track_user_login_failure_event), track_user_login_failure_event_arginfo, 0)
     ZEND_RAW_FENTRY(DD_APPSEC_NS "track_custom_event", PHP_FN(datadog_appsec_track_custom_event), track_custom_event_arginfo, 0)
+    ZEND_RAW_FENTRY(DD_APPSEC_NS "push_params", PHP_FN(datadog_appsec_push_params), push_params_arginfo, 0)
     PHP_FE_END
 };
 

appsec/tests/extension/inc/mock_helper.php

@@ -152,6 +152,16 @@ function print_commands($sort = true) {
         print_r($commands);
     }
 
+    function get_command($command) {
+            $commands = $this->get_commands();
+            foreach($commands as $c) {
+                if ($c[0] == $command) {
+                    return $c;
+                }
+            }
+            return [];
+        }
+
     static function ksort_recurse(&$arr) {
         if (!is_array($arr)) {
             return;

appsec/tests/extension/push_params.phpt

@@ -0,0 +1,53 @@
+--TEST--
+Push params ara sent on request_exec
+--INI--
+extension=ddtrace.so
+datadog.appsec.log_file=/tmp/php_appsec_test.log
+datadog.appsec.waf_timeout=42
+datadog.appsec.log_level=debug
+datadog.appsec.enabled=1
+--ENV--
+DD_TRACE_GENERATE_ROOT_SPAN=0
+REQUEST_URI=/static01/dynamic01/static02/dynamic02
+URL_SCHEME=http
+HTTP_CONTENT_TYPE=text/plain
+HTTP_CONTENT_LENGTH=0
+--FILE--
+<?php
+use function datadog\appsec\testing\{rinit,rshutdown};
+use function datadog\appsec\push_params;
+
+include __DIR__ . '/inc/mock_helper.php';
+
+$helper = Helper::createInitedRun([
+    response_list(response_request_init(['ok', []])),
+    response_list(response_request_exec(['ok', [], [], [], [], false]))
+]);
+
+var_dump(rinit());
+push_params(["some" => "params", "more" => "parameters"]);
+var_dump(rshutdown());
+
+var_dump($helper->get_command("request_exec"));
+
+?>
+--EXPECTF--
+bool(true)
+bool(true)
+array(2) {
+  [0]=>
+  string(12) "request_exec"
+  [1]=>
+  array(1) {
+    [0]=>
+    array(1) {
+      ["server.request.path_params"]=>
+      array(2) {
+        ["some"]=>
+        string(6) "params"
+        ["more"]=>
+        string(10) "parameters"
+      }
+    }
+  }
+}

src/Integrations/Integrations/Laravel/LaravelIntegration.php

@@ -155,6 +155,12 @@ function ($This, $scope, $args, $route) use ($integration) {
                 if (\method_exists($route, 'uri')) {
                     $rootSpan->meta[Tag::HTTP_ROUTE] = $route->uri();
                 }
+                if (\method_exists($route, 'parameters') && function_exists('\datadog\appsec\push_params')) {
+                    $parameters = $route->parameters();
+                    if (count($parameters) > 0) {
+                        \datadog\appsec\push_params($parameters);
+                    }
+                }
                 $rootSpan->meta[Tag::HTTP_METHOD] = $request->method();
                 $rootSpan->meta[Tag::SPAN_KIND] = 'server';
             }

src/Integrations/Integrations/Symfony/SymfonyIntegration.php

@@ -401,6 +401,13 @@ function (SpanData $span, $args, $response) use ($integration) {
                     $rootSpan->meta[Tag::HTTP_STATUS_CODE] = $response->getStatusCode();
                 }
 
+                $parameters = $request->get('_route_params');
+                if (!empty($parameters) &&
+                    is_array($parameters) &&
+                    function_exists('\datadog\appsec\push_params')) {
+                    \datadog\appsec\push_params($parameters);
+                }
+
                 $route = $request->get('_route');
                 if (null !== $route && null !== $request) {
                     if (dd_trace_env_config("DD_HTTP_SERVER_ROUTE_BASED_NAMING")) {

src/Integrations/Integrations/WordPress/WordPressIntegration.php

@@ -70,6 +70,23 @@ public function init()
             return true;
         });
 
+        \DDTrace\hook_method('WP', 'main',  null, function ($This, $scope, $args) {
+            if (\property_exists($This, 'did_permalink') && $This->did_permalink === true &&
+                function_exists('is_404') && is_404() === false) {
+                $rootSpan = \DDTrace\root_span();
+                if (\property_exists($This, 'matched_rule')) {
+                    $rootSpan->meta[Tag::HTTP_ROUTE] = $This->matched_rule;
+                }
+                if (function_exists('\datadog\appsec\push_params') &&
+                    \property_exists($This, 'query_vars')) {
+                    $parameters = $This->query_vars;
+                    if (count($parameters) > 0) {
+                        \datadog\appsec\push_params($parameters);
+                    }
+                }
+            }
+        });
+
         \DDTrace\hook_function(
             'wp_authenticate',
             null,

tests/Appsec/Mock.php

@@ -6,9 +6,6 @@ class AppsecStatus {
 
     private static $instance = null;
 
-    protected function __construct() {
-    }
-
     public static function getInstance()
     {
         if (!self::$instance) {
@@ -23,33 +20,51 @@ protected function getDbPdo()
         return new \PDO('mysql:host=mysql_integration;dbname=test', 'test', 'test');
     }
 
+    /**
+    * Not all test are interested on events but frameworks are instrumented so this check is to avoid errors
+    */
+    private function initiated()
+    {
+        return $this->getDbPdo()->query("SELECT * FROM information_schema.tables WHERE table_name = 'appsec_events'")->rowCount() > 0;
+    }
+
     public function init()
     {
         $this->getDbPdo()->exec("CREATE TABLE IF NOT EXISTS appsec_events (event varchar(1000))");
+        $this->initiated = true;
     }
 
     public function destroy()
     {
         $this->getDbPdo()->exec("DROP TABLE appsec_events");
-    }   
-
+    }
 
     public function setDefaults()
     {
+        if (!$this->initiated()) {
+         return;
+        }
         $this->getDbPdo()->exec("DELETE FROM appsec_events");
 
     }
 
     public function addEvent(array $event, $eventName)
     {
+        if (!$this->initiated()) {
+         return;
+        }
         $event['eventName'] = $eventName;
         $this->getDbPdo()->exec(sprintf("INSERT INTO appsec_events VALUES ('%s')", json_encode($event)));
     }
 
     public function getEvents()
     {
         $result = [];
-
+
+        if (!$this->initiated()) {
+        return result;
+       }
+
         $events = $this->getDbPdo()->query("SELECT * FROM appsec_events")->fetchAll();
 
         foreach ($events as $event) {
@@ -99,3 +114,11 @@ function track_user_signup_event($userId, $metadata, $automated) {
     ];
     AppsecStatus::getInstance()->addEvent($event, 'track_user_signup_event');
 }
+
+/**
+ * This function is exposed by appsec but here we are mocking it for tests
+ * @param array $params
+ */
+function push_params($params) {
+    AppsecStatus::getInstance()->addEvent($params, 'push_params');
+}

tests/Frameworks/Symfony/Version_3_3/src/AppBundle/Controller/CommonScenariosController.php

@@ -31,6 +31,16 @@ public function simpleViewAction(Request $request)
         ]);
     }
 
+    /**
+     * @Route("/dynamic_route/{param01}/{param02}", name="dynamic route with optionals")
+     */
+    public function dynamicWithOptionalsAction($param01, $param02)
+    {
+        return new Response(
+                   'Hi!'
+               );
+    }
+
     /**
      * @Route("/error", name="error")
      * @throws \Exception

tests/Frameworks/Symfony/Version_4_4/src/Controller/CommonScenariosController.php

@@ -31,6 +31,16 @@ public function simpleViewAction(Request $request)
         ]);
     }
 
+    /**
+     * @Route("/dynamic_route/{param01}/{param02?}", name="dynamic route with optionals")
+     */
+    public function dynamicWithOptionalsAction($param01, $param02)
+    {
+        return new Response(
+                   'Hi!'
+               );
+    }
+
     /**
      * @Route("/error", name="error")
      * @throws \Exception

tests/Frameworks/Symfony/Version_5_2/src/Controller/CommonScenariosController.php

@@ -32,6 +32,16 @@ public function simpleViewAction(Request $request)
         ]);
     }
 
+    /**
+     * @Route("/dynamic_route/{param01}/{param02?}", name="dynamic route with optionals")
+     */
+    public function dynamicWithOptionalsAction($param01, $param02)
+    {
+        return new Response(
+                   'Hi!'
+               );
+    }
+
     /**
      * @Route("/error", name="error")
      * @throws \Exception

tests/Frameworks/Symfony/Version_6_2/src/Controller/CommonScenariosController.php

@@ -32,6 +32,16 @@ public function simpleViewAction(Request $request)
         ]);
     }
 
+    /**
+     * @Route("/dynamic_route/{param01}/{param02?}", name="dynamic route with optionals")
+     */
+    public function dynamicWithOptionalsAction($param01, $param02)
+    {
+        return new Response(
+                   'Hi!'
+               );
+    }
+
     /**
      * @Route("/error", name="error")
      * @throws \Exception

tests/Frameworks/WordPress/Version_4_8/wp-config.php

@@ -89,5 +89,8 @@
 if ( !defined('ABSPATH') )
 	define('ABSPATH', dirname(__FILE__) . '/');
 
+//Appsec mock. This wont be needed on customer apps since this functions will be exposed by appsec
+ require __DIR__.'/../../../Appsec/Mock.php';
+
 /** Sets up WordPress vars and included files. */
 require_once(ABSPATH . 'wp-settings.php');

tests/Frameworks/WordPress/Version_4_8/wp-login.php

@@ -11,9 +11,6 @@
 /** Make sure that the WordPress bootstrap has run before continuing. */
 require( dirname(__FILE__) . '/wp-load.php' );
 
-//Appsec mock. This wont be needed on customer apps since this functions will be exposed by appsec
- require __DIR__.'/../../../Appsec/Mock.php';
-
 // Redirect to https login if forced to use SSL
 if ( force_ssl_admin() && ! is_ssl() ) {
 	if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {