Implement LFI

Makefile

@@ -1214,6 +1214,8 @@ test_integrations_amqp35: global_test_run_dependencies tests/Integrations/AMQP/V
 	$(call run_tests_debug,tests/Integrations/AMQP/V3_5)
 test_integrations_deferred_loading: global_test_run_dependencies tests/Integrations/DeferredLoading/composer.lock-php$(PHP_MAJOR_MINOR)
 	$(call run_tests_debug,tests/Integrations/DeferredLoading)
+test_integrations_filesystem: global_test_run_dependencies
+	$(call run_tests_debug,tests/Integrations/Filesystem)
 test_integrations_curl: global_test_run_dependencies
 	$(call run_tests_debug,tests/Integrations/Curl)
 test_integrations_elasticsearch1: global_test_run_dependencies tests/Integrations/Elasticsearch/V1/composer.lock-php$(PHP_MAJOR_MINOR)

appsec/src/extension/backtrace.c

@@ -6,6 +6,7 @@
 #include "backtrace.h"
 #include "compatibility.h"
 #include "configuration.h"
+#include "ddappsec.h"
 #include "ddtrace.h"
 #include "logging.h"
 #include "php_compat.h"
@@ -246,13 +247,11 @@ bool dd_report_exploit_backtrace(zend_string *nullable id)
     zval *dd_stack = zend_hash_find(Z_ARR_P(meta_struct), _dd_stack_key);
     zval *exploit = NULL;
     if (!dd_stack || Z_TYPE_P(dd_stack) == IS_NULL) {
-        zval new_dd_stack;
-        zval new_exploit;
         dd_stack = zend_hash_add_new(
-            Z_ARR_P(meta_struct), _dd_stack_key, &new_dd_stack);
+            Z_ARR_P(meta_struct), _dd_stack_key, &EG(uninitialized_zval));
         array_init(dd_stack);
-        exploit =
-            zend_hash_add_new(Z_ARR_P(dd_stack), _exploit_key, &new_exploit);
+        exploit = zend_hash_add_new(
+            Z_ARR_P(dd_stack), _exploit_key, &EG(uninitialized_zval));
         array_init(exploit);
     } else if (Z_TYPE_P(dd_stack) != IS_ARRAY) {
         return false;

appsec/src/extension/commands/request_exec.c

@@ -14,6 +14,7 @@
 
 struct ctx {
     struct req_info req_info; // dd_command_proc_resp_verd_span_data expect it
+    bool rasp;
     zval *nonnull data;
 };
 
@@ -22,21 +23,21 @@ static dd_result _pack_command(mpack_writer_t *nonnull w, void *nonnull ctx);
 static const dd_command_spec _spec = {
     .name = "request_exec",
     .name_len = sizeof("request_exec") - 1,
-    .num_args = 1, // a single map
+    .num_args = 2,
     .outgoing_cb = _pack_command,
     .incoming_cb = dd_command_proc_resp_verd_span_data,
     .config_features_cb = dd_command_process_config_features_unexpected,
 };
 
-dd_result dd_request_exec(dd_conn *nonnull conn, zval *nonnull data)
+dd_result dd_request_exec(dd_conn *nonnull conn, zval *nonnull data, bool rasp)
 {
     if (Z_TYPE_P(data) != IS_ARRAY) {
         mlog(dd_log_debug, "Invalid data provided to command request_exec, "
                            "expected hash table.");
         return dd_error;
     }
 
-    struct ctx ctx = {.data = data};
+    struct ctx ctx = {.rasp = rasp, .data = data};
 
     return dd_command_exec_req_info(conn, &_spec, &ctx.req_info);
 }
@@ -46,6 +47,7 @@ static dd_result _pack_command(mpack_writer_t *nonnull w, void *nonnull _ctx)
     assert(_ctx != NULL);
     struct ctx *ctx = _ctx;
 
+    mpack_write(w, ctx->rasp);
     dd_mpack_write_zval(w, ctx->data);
 
     return dd_success;

appsec/src/extension/commands/request_exec.h

@@ -9,4 +9,4 @@
 #include <SAPI.h>
 #include <php.h>
 
-dd_result dd_request_exec(dd_conn *nonnull conn, zval *nonnull data);
+dd_result dd_request_exec(dd_conn *nonnull conn, zval *nonnull data, bool rasp);

appsec/src/extension/configuration.h

@@ -46,6 +46,7 @@ extern bool runtime_config_first_init;
     SYSCFG(BOOL, DD_APPSEC_HELPER_LAUNCH, "true")                                                                                     \
     CONFIG(STRING, DD_APPSEC_HELPER_PATH, DD_BASE("bin/libddappsec-helper.so"))                                                       \
     SYSCFG(BOOL, DD_APPSEC_STACK_TRACE_ENABLED, "true")                                                                               \
+    SYSCFG(BOOL, DD_APPSEC_RASP_ENABLED , "false")                                                                                    \
     SYSCFG(INT, DD_APPSEC_MAX_STACK_TRACE_DEPTH, "32")                                                                                \
     SYSCFG(INT, DD_APPSEC_MAX_STACK_TRACES, "2")                                                                                      \
     CONFIG(STRING, DD_APPSEC_HELPER_RUNTIME_PATH, "/tmp", .ini_change = dd_on_runtime_path_update)                                    \

appsec/src/extension/ddappsec.c

@@ -467,7 +467,7 @@ static PHP_FUNCTION(datadog_appsec_testing_request_exec)
         RETURN_FALSE;
     }
 
-    if (dd_request_exec(conn, data) != dd_success) {
+    if (dd_request_exec(conn, data, false) != dd_success) {
         RETURN_FALSE;
     }
 
@@ -476,6 +476,10 @@ static PHP_FUNCTION(datadog_appsec_testing_request_exec)
 
 static PHP_FUNCTION(datadog_appsec_push_address)
 {
+    struct timespec start;
+    struct timespec end;
+    clock_gettime(CLOCK_MONOTONIC_RAW, &start);
+    long elapsed = 0;
     UNUSED(return_value);
     if (!DDAPPSEC_G(active)) {
         mlog(dd_log_debug, "Trying to access to push_address "
@@ -485,10 +489,16 @@ static PHP_FUNCTION(datadog_appsec_push_address)
 
     zend_string *key = NULL;
     zval *value = NULL;
-    if (zend_parse_parameters(ZEND_NUM_ARGS(), "Sz", &key, &value) == FAILURE) {
+    bool rasp = false;
+    if (zend_parse_parameters(ZEND_NUM_ARGS(), "Sz|b", &key, &value, &rasp) ==
+        FAILURE) {
         RETURN_FALSE;
     }
 
+    if (rasp && !get_global_DD_APPSEC_RASP_ENABLED()) {
+        return;
+    }
+
     zval parameters_zv;
     zend_array *parameters_arr = zend_new_array(1);
     ZVAL_ARR(&parameters_zv, parameters_arr);
@@ -502,9 +512,22 @@ static PHP_FUNCTION(datadog_appsec_push_address)
         return;
     }
 
-    dd_result res = dd_request_exec(conn, &parameters_zv);
+    dd_result res = dd_request_exec(conn, &parameters_zv, rasp);
     zval_ptr_dtor(&parameters_zv);
 
+    if (rasp) {
+        clock_gettime(CLOCK_MONOTONIC_RAW, &end);
+        elapsed =
+            ((int64_t)end.tv_sec - (int64_t)start.tv_sec) *
+                // NOLINTNEXTLINE(cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers)
+                (int64_t)1000000000 +
+            ((int64_t)end.tv_nsec - (int64_t)start.tv_nsec);
+        zend_object *span = dd_trace_get_active_root_span();
+        if (span) {
+            dd_tags_add_rasp_duration_ext(span, elapsed);
+        }
+    }
+
     if (dd_req_is_user_req()) {
         if (res == dd_should_block || res == dd_should_redirect) {
             dd_req_call_blocking_function(res);
@@ -529,6 +552,7 @@ ZEND_END_ARG_INFO()
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(push_address_arginfo, 0, 0, IS_VOID, 1)
 ZEND_ARG_INFO(0, key)
 ZEND_ARG_INFO(0, value)
+ZEND_ARG_INFO(0, rasp)
 ZEND_END_ARG_INFO()
 
 // clang-format off

appsec/src/extension/tags.c

@@ -60,6 +60,7 @@
     "_dd.appsec.events.users.login.success.sdk"
 #define DD_EVENTS_USER_LOGIN_FAILURE_SDK                                       \
     "_dd.appsec.events.users.login.failure.sdk"
+#define DD_EVENTS_RASP_DURATION_EXT "_dd.appsec.rasp.duration_ext"
 
 static zend_string *_dd_tag_data_zstr;
 static zend_string *_dd_tag_event_zstr;
@@ -78,6 +79,7 @@ static zend_string *_dd_tag_rh_content_encoding; // response
 static zend_string *_dd_tag_rh_content_language; // response
 static zend_string *_dd_tag_user_id;
 static zend_string *_dd_metric_enabled;
+static zend_string *_dd_rasp_duration_ext;
 static zend_string *_dd_signup_event;
 static zend_string *_dd_login_success_event;
 static zend_string *_dd_login_failure_event;
@@ -173,6 +175,9 @@ void dd_tags_startup()
     _key_remote_addr_zstr =
         zend_string_init_interned(LSTRARG("REMOTE_ADDR"), 1);
 
+    _dd_rasp_duration_ext =
+        zend_string_init_interned(LSTRARG(DD_EVENTS_RASP_DURATION_EXT), 1);
+
     // Event related strings
     _track_zstr =
         zend_string_init_interned(LSTRARG("track"), 1 /* permanent */);
@@ -298,6 +303,18 @@ void dd_tags_set_event_user_id(zend_string *nonnull zstr)
     _event_user_id = zend_string_copy(zstr);
 }
 
+void dd_tags_add_rasp_duration_ext(
+    zend_object *nonnull span, zend_long duration)
+{
+    zval *metrics_zv = dd_trace_span_get_metrics(span);
+    if (!metrics_zv) {
+        return;
+    }
+    zval zv;
+    ZVAL_LONG(&zv, duration);
+    zend_hash_add(Z_ARRVAL_P(metrics_zv), _dd_rasp_duration_ext, &zv);
+}
+
 void dd_tags_rshutdown()
 {
     zend_llist_clean(&_appsec_json_frags);

appsec/src/extension/tags.h

@@ -28,4 +28,5 @@ void dd_tags_set_event_user_id(zend_string *nonnull zstr);
 // does not increase the refcount on zstr
 void dd_tags_add_appsec_json_frag(zend_string *nonnull zstr);
 
-
+void dd_tags_add_rasp_duration_ext(
+    zend_object *nonnull span, zend_long duration);

appsec/src/extension/user_tracking.c

@@ -131,7 +131,7 @@ void dd_find_and_apply_verdict_for_user(zend_string *nonnull user_id)
     zend_hash_str_add_new(
         Z_ARRVAL(data_zv), "usr.id", sizeof("usr.id") - 1, &user_id_zv);
 
-    dd_result res = dd_request_exec(conn, &data_zv);
+    dd_result res = dd_request_exec(conn, &data_zv, false);
     zval_ptr_dtor(&data_zv);
 
     dd_tags_set_event_user_id(user_id);

appsec/src/helper/client.cpp

@@ -226,14 +226,14 @@ template <typename T> bool client::service_guard()
 
 template <typename T>
 std::shared_ptr<typename T::response> client::publish(
-    typename T::request &command)
+    typename T::request &command, bool rasp)
 {
     SPDLOG_DEBUG("received command {}", T::name);
 
     auto response = std::make_shared<typename T::response>();
     try {
         // NOLINTNEXTLINE(bugprone-unchecked-optional-access)
-        auto res = context_->publish(std::move(command.data));
+        auto res = context_->publish(std::move(command.data), rasp);
         if (res) {
             for (auto &act : res->actions) {
                 dds::network::action_struct new_action;
@@ -316,7 +316,7 @@ bool client::handle_command(network::request_exec::request &command)
         context_.emplace(*service_->get_engine());
     }
 
-    auto response = publish<network::request_exec>(command);
+    auto response = publish<network::request_exec>(command, command.rasp);
     return send_message<network::request_exec>(response);
 }
 

appsec/src/helper/client.hpp

@@ -65,7 +65,8 @@ class client {
 
 protected:
     template <typename T>
-    std::shared_ptr<typename T::response> publish(typename T::request &command);
+    std::shared_ptr<typename T::response> publish(
+        typename T::request &command, bool rasp = false);
     template <typename T> bool service_guard();
     template <typename T, bool actions = true>
     bool send_message(const std::shared_ptr<typename T::response> &message);

appsec/src/helper/engine.cpp

@@ -51,7 +51,8 @@ void engine::update(
     std::atomic_store_explicit(&common_, new_common, std::memory_order_release);
 }
 
-std::optional<engine::result> engine::context::publish(parameter &&param)
+std::optional<engine::result> engine::context::publish(
+    parameter &&param, bool rasp)
 {
     // Once the parameter reaches this function, it is guaranteed to be
     // owned by the engine.
@@ -82,7 +83,7 @@ std::optional<engine::result> engine::context::publish(parameter &&param)
         }
         try {
             const auto &listener = it->second;
-            listener->call(data, event_);
+            listener->call(data, event_, rasp);
         } catch (std::exception &e) {
             SPDLOG_ERROR("subscriber failed: {}", e.what());
         }

appsec/src/helper/engine.hpp

@@ -66,7 +66,7 @@ class engine {
         context &operator=(context &&) = delete;
         ~context() = default;
 
-        std::optional<result> publish(parameter &&param);
+        std::optional<result> publish(parameter &&param, bool rasp = false);
         // NOLINTNEXTLINE(google-runtime-references)
         void get_metrics(metrics::telemetry_submitter &msubmitter);
 

appsec/src/helper/metrics.hpp

@@ -98,6 +98,11 @@ constexpr std::string_view event_rules_version =
 constexpr std::string_view waf_version = "_dd.appsec.waf.version";
 constexpr std::string_view waf_duration = "_dd.appsec.waf.duration";
 
+// rasp
+constexpr std::string_view rasp_duration = "_dd.appsec.rasp.duration";
+constexpr std::string_view rasp_rule_eval = "_dd.appsec.rasp.rule.eval";
+constexpr std::string_view rasp_timeout = "_dd.appsec.rasp.timeout";
+
 } // namespace dds::metrics
 
 template <>

appsec/src/helper/network/proto.hpp

@@ -187,6 +187,7 @@ struct request_exec {
         static constexpr const char *name = request_exec::name;
         static constexpr request_id id = request_id::request_exec;
 
+        bool rasp = false;
         dds::parameter data;
 
         request() = default;
@@ -196,7 +197,7 @@ struct request_exec {
         request &operator=(request &&) = default;
         ~request() override = default;
 
-        MSGPACK_DEFINE(data)
+        MSGPACK_DEFINE(rasp, data)
     };
 
     struct response : base_response_generic<response> {

appsec/src/helper/remote_config/listeners/engine_listener.hpp

@@ -34,7 +34,7 @@ class engine_listener : public listener_base {
     [[nodiscard]] std::unordered_set<product> get_supported_products() override
     {
         return {known_products::ASM, known_products::ASM_DD,
-            known_products::ASM_DATA};
+            known_products::ASM_DATA, known_products::ASM_RASP_LFI};
     }
 
 protected:

appsec/src/helper/remote_config/product.hpp

@@ -29,6 +29,8 @@ struct known_products {
     static inline constexpr product ASM_DATA{std::string_view{"ASM_DATA"}};
     static inline constexpr product ASM_FEATURES{
         std::string_view{"ASM_FEATURES"}};
+    static inline constexpr product ASM_RASP_LFI{
+        std::string_view{"ASM_RASP_LFI"}};
     static inline constexpr product UNKNOWN{std::string_view{"UNKOWN"}};
 
     static product for_name(std::string_view name)
@@ -45,6 +47,9 @@ struct known_products {
         if (name == ASM_FEATURES.name()) {
             return ASM_FEATURES;
         }
+        if (name == ASM_RASP_LFI.name()) {
+            return ASM_RASP_LFI;
+        }
 
         return UNKNOWN;
     }

appsec/src/helper/subscriber/base.hpp

@@ -28,7 +28,8 @@ class subscriber {
 
         virtual ~listener() = default;
         // NOLINTNEXTLINE(google-runtime-references)
-        virtual void call(parameter_view &data, event &event) = 0;
+        virtual void call(
+            parameter_view &data, event &event, bool rasp = false) = 0;
 
         // NOLINTNEXTLINE(google-runtime-references)
         virtual void submit_metrics(

appsec/src/helper/subscriber/waf.cpp

@@ -300,7 +300,8 @@ instance::listener::~listener()
     }
 }
 
-void instance::listener::call(dds::parameter_view &data, event &event)
+void instance::listener::call(
+    dds::parameter_view &data, event &event, bool rasp)
 {
     ddwaf_result res;
     DDWAF_RET_CODE code;
@@ -345,6 +346,14 @@ void instance::listener::call(dds::parameter_view &data, event &event)
             break;
         }
     }
+    if (rasp) {
+        // NOLINTNEXTLINE
+        rasp_runtime_ += res.total_runtime / 1000.0;
+        rasp_calls_++;
+        if (res.timeout) {
+            rasp_timeouts_ += 1;
+        }
+    }
 
     const parameter_view derivatives{res.derivatives};
     for (const auto &derivative : derivatives) {
@@ -403,6 +412,15 @@ void instance::listener::submit_metrics(
         metrics::event_rules_version, std::string{ruleset_version_});
     msubmitter.submit_span_metric(metrics::waf_duration, total_runtime_);
 
+    if (rasp_calls_ > 0) {
+        msubmitter.submit_span_metric(metrics::rasp_duration, rasp_runtime_);
+        msubmitter.submit_span_metric(metrics::rasp_rule_eval, rasp_calls_);
+        if (rasp_timeouts_ > 0) {
+            msubmitter.submit_span_metric(
+                metrics::rasp_timeout, rasp_timeouts_);
+        }
+    }
+
     for (const auto &[key, value] : derivatives_) {
         std::string derivative = value;
         if (value.length() > max_plain_schema_allowed &&