Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add tests to long cookie name vulnerabilities #3181

Merged
merged 3 commits into from
Oct 9, 2024
Merged

Add tests to long cookie name vulnerabilities #3181

merged 3 commits into from
Oct 9, 2024

Conversation

uurien
Copy link
Contributor

@uurien uurien commented Oct 7, 2024
edited
Loading

Motivation

We are implementing an improvement to prevent having thousands of vulnerabilities when the cookie name is generated.

Changes

  • Add system tests to check that cookies with different superlong name are not generating two different vulnerabilities.
  • Endpoints for nodejs express4 and express4-typescript.

Workflow

  1. ⚠️ Create your PR as draft ⚠️
  2. Work on you PR until the CI passes (if something not related to your task is failing, you can ignore it)
  3. Mark it as ready for review
    • Test logic is modified? -> Get a review from RFC owner. We're working on refining the codeowners file quickly.
    • Framework is modified, or non obvious usage of it -> get a review from R&P team

🚀 Once your PR is reviewed, you can merge it!

🛟 #apm-shared-testing 🛟

Reviewer checklist

  • If PR title starts with [<language>], double-check that only <language> is impacted by the change
  • No system-tests internal is modified. Otherwise, I have the approval from R&P team
  • CI is green, or failing jobs are not related to this change (and you are 100% sure about this statement)
  • A docker base image is modified?
    • the relevant build-XXX-image label is present
  • A scenario is added (or removed)?

@uurien uurien marked this pull request as ready for review October 8, 2024 06:39
@uurien uurien requested review from a team as code owners October 8, 2024 06:39
@uurien uurien requested review from duncanista, vitor-de-araujo, smola and ValentinZakharov and removed request for a team October 8, 2024 06:40
@uurien uurien mentioned this pull request Oct 8, 2024
Merged
daniel-romano-DD
daniel-romano-DD approved these changes Oct 8, 2024
View reviewed changes
Copy link
Contributor

@daniel-romano-DD daniel-romano-DD left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you

cbeauchesne
cbeauchesne approved these changes Oct 8, 2024
View reviewed changes
Copy link
Collaborator

@cbeauchesne cbeauchesne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a small addition to the doc, then all good !

utils/build/docker/nodejs/express4-typescript/iast.ts
@@ -137,6 +137,11 @@ function initSinkRoutes (app: Express): void {
res.send('OK')
})

app.post('/iast/insecure-cookie/custom_cookie', (req: Request, res: Response): void => {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you document in docs/weblog what this endpoint is supposed to do ?

@uurien uurien merged commit 43b1847 into main Oct 9, 2024
453 of 461 checks passed
@uurien uurien deleted the ugaitz/iast-cookie-filter-tests branch October 9, 2024 06:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cbeauchesne cbeauchesne cbeauchesne approved these changes

@CarlesDD CarlesDD CarlesDD approved these changes

@daniel-romano-DD daniel-romano-DD daniel-romano-DD approved these changes

@duncanista duncanista Awaiting requested review from duncanista duncanista is a code owner automatically assigned from DataDog/apm-python

@vitor-de-araujo vitor-de-araujo Awaiting requested review from vitor-de-araujo vitor-de-araujo is a code owner automatically assigned from DataDog/apm-python

@smola smola Awaiting requested review from smola smola is a code owner automatically assigned from DataDog/asm-java

@ValentinZakharov ValentinZakharov Awaiting requested review from ValentinZakharov ValentinZakharov is a code owner automatically assigned from DataDog/asm-java

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@uurien @cbeauchesne @CarlesDD @daniel-romano-DD