Enable WAF generate_stack action by default

smola · smola · commit 3b32ad1f06ba · 2024-08-28T15:22:50.000+02:00
diff --git a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/powerwaf/PowerWAFModule.java b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/powerwaf/PowerWAFModule.java
@@ -477,11 +477,14 @@ public void onDataAvailable(
           } else if ("redirect_request".equals(actionInfo.type)) {
             Flow.Action.RequestBlockingAction rba = createRedirectRequestAction(actionInfo);
             flow.setAction(rba);
-          } else if ("generate_stack".equals(actionInfo.type)
-              && Config.get().isAppSecStackTraceEnabled()) {
-            String stackId = (String) actionInfo.parameters.get("stack_id");
-            StackTraceEvent stackTraceEvent = createExploitStackTraceEvent(stackId);
-            reqCtx.reportStackTrace(stackTraceEvent);
+          } else if ("generate_stack".equals(actionInfo.type)) {
+            if (Config.get().isAppSecStackTraceEnabled()) {
+              String stackId = (String) actionInfo.parameters.get("stack_id");
+              StackTraceEvent stackTraceEvent = createExploitStackTraceEvent(stackId);
+              reqCtx.reportStackTrace(stackTraceEvent);
+            } else {
+              log.debug("Ignoring action with type generate_stack (disabled by config)");
+            }
           } else {
             log.info("Ignoring action with type {}", actionInfo.type);
           }
diff --git a/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/powerwaf/PowerWAFModuleSpecification.groovy b/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/powerwaf/PowerWAFModuleSpecification.groovy
@@ -657,7 +657,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
 
     then:
     1 * segment.setTagTop('_dd.appsec.waf.version', _ as String)
-    1 * segment.setTagTop('_dd.appsec.event_rules.loaded', 115)
+    1 * segment.setTagTop('_dd.appsec.event_rules.loaded', 116)
     1 * segment.setTagTop('_dd.appsec.event_rules.error_count', 1)
     1 * segment.setTagTop('_dd.appsec.event_rules.errors', { it =~ /\{"[^"]+":\["bad rule"\]\}/})
     1 * segment.setTagTop('asm.keep', true)
@@ -777,11 +777,12 @@ class PowerWAFModuleSpecification extends DDSpecification {
     setupWithStubConfigService()
     AppSecEvent event
     StackTraceEvent stackTrace
-    injectSysConfig('appsec.stacktrace.enabled', 'true')
     pwafModule = new PowerWAFModule() // replace the one created too soon
+    def attackBundle = MapDataBundle.of(KnownAddresses.HEADERS_NO_COOKIES,
+      new CaseInsensitiveMap<List<String>>(['user-agent': 'Arachni/generate-stacktrace']))
 
     when:
-    dataListener.onDataAvailable(Stub(ChangeableFlow), ctx, ATTACK_BUNDLE, gwCtx)
+    dataListener.onDataAvailable(Stub(ChangeableFlow), ctx, attackBundle, gwCtx)
     ctx.closeAdditive()
 
     then:
@@ -791,16 +792,16 @@ class PowerWAFModuleSpecification extends DDSpecification {
     ctx.reportEvents(_ as Collection<AppSecEvent>) >> { event = it[0].iterator().next() }
     ctx.reportStackTrace(_ as StackTraceEvent) >> { stackTrace = it[0] }
 
-    event.rule.id == 'ua0-600-12x'
+    event.rule.id == 'generate-stacktrace-on-scanner'
     event.rule.name == 'Arachni'
     event.rule.tags == [type: 'security_scanner', category: 'attack_attempt']
 
     event.ruleMatches[0].operator == 'match_regex'
-    event.ruleMatches[0].operator_value == '^Arachni\\/v'
+    event.ruleMatches[0].operator_value == '^Arachni\\/generate-stacktrace'
     event.ruleMatches[0].parameters[0].address == 'server.request.headers.no_cookies'
-    event.ruleMatches[0].parameters[0].highlight == ['Arachni/v']
+    event.ruleMatches[0].parameters[0].highlight == ['Arachni/generate-stacktrace']
     event.ruleMatches[0].parameters[0].key_path == ['user-agent']
-    event.ruleMatches[0].parameters[0].value == 'Arachni/v0'
+    event.ruleMatches[0].parameters[0].value == 'Arachni/generate-stacktrace'
 
     event.spanId == 777
 
diff --git a/dd-java-agent/appsec/src/test/resources/test_multi_config.json b/dd-java-agent/appsec/src/test/resources/test_multi_config.json
@@ -3803,7 +3803,33 @@
         }
       ],
       "transformers": [],
-      "on_match": ["block", "stack_trace"]
+      "on_match": ["block"]
+    },
+    {
+      "id": "generate-stacktrace-on-scanner",
+      "name": "Arachni",
+      "tags": {
+        "type": "security_scanner",
+        "category": "attack_attempt"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.headers.no_cookies",
+                "key_path": [
+                  "user-agent"
+                ]
+              }
+            ],
+            "regex": "^Arachni\\/generate-stacktrace"
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": [],
+      "on_match": ["stack_trace"]
     },
     {
       "id": "ua0-600-13x",
diff --git a/dd-smoke-tests/appsec/springboot/src/test/groovy/datadog/smoketest/appsec/SpringBootSmokeTest.groovy b/dd-smoke-tests/appsec/springboot/src/test/groovy/datadog/smoketest/appsec/SpringBootSmokeTest.groovy
@@ -295,6 +295,9 @@ class SpringBootSmokeTest extends AbstractAppSecServerSmokeTest {
       }
     }
     assert trigger != null, 'test trigger not found'
+    rootSpan.span.metaStruct != null
+    def stack = rootSpan.span.metaStruct.get('_dd.stack')
+    assert stack != null, 'stack is not set'
   }
 
   void 'rasp blocks on sql injection'() {
diff --git a/dd-trace-api/src/main/java/datadog/trace/api/ConfigDefaults.java b/dd-trace-api/src/main/java/datadog/trace/api/ConfigDefaults.java
@@ -103,7 +103,7 @@ public final class ConfigDefaults {
   static final boolean DEFAULT_API_SECURITY_ENABLED = false;
   static final float DEFAULT_API_SECURITY_REQUEST_SAMPLE_RATE = 0.1f; // 10 %
   static final boolean DEFAULT_APPSEC_RASP_ENABLED = false;
-  static final boolean DEFAULT_APPSEC_STACK_TRACE_ENABLED = false;
+  static final boolean DEFAULT_APPSEC_STACK_TRACE_ENABLED = true;
   static final int DEFAULT_APPSEC_MAX_STACK_TRACES = 2;
   static final int DEFAULT_APPSEC_MAX_STACK_TRACE_DEPTH = 32;
   static final String DEFAULT_IAST_ENABLED = "false";
diff --git a/utils/test-agent-utils/decoder/src/main/java/datadog/trace/test/agent/decoder/DecodedSpan.java b/utils/test-agent-utils/decoder/src/main/java/datadog/trace/test/agent/decoder/DecodedSpan.java
@@ -23,6 +23,8 @@ public interface DecodedSpan {
 
   Map<String, String> getMeta();
 
+  Map<String, Object> getMetaStruct();
+
   Map<String, Number> getMetrics();
 
   String getType();
diff --git a/utils/test-agent-utils/decoder/src/main/java/datadog/trace/test/agent/decoder/v04/raw/SpanV04.java b/utils/test-agent-utils/decoder/src/main/java/datadog/trace/test/agent/decoder/v04/raw/SpanV04.java
@@ -2,11 +2,15 @@
 
 import datadog.trace.test.agent.decoder.DecodedSpan;
 import java.io.IOException;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import org.msgpack.core.MessageIntegerOverflowException;
+import org.msgpack.core.MessagePack;
 import org.msgpack.core.MessageUnpacker;
+import org.msgpack.value.Value;
 import org.msgpack.value.ValueType;
 
 public class SpanV04 implements DecodedSpan {
@@ -33,9 +37,11 @@ static DecodedSpan[] unpackSpans(MessageUnpacker unpacker) {
   static SpanV04 unpack(MessageUnpacker unpacker) {
     try {
       int size = unpacker.unpackMapHeader();
-      if (size != 12) {
+      if (size != 12 && size != 13) {
         throw new IllegalArgumentException(
-            "Wrong span element map size " + size + ". Expected 12.");
+            "Wrong span element map size "
+                + size
+                + ". Expected 12 (plain) or 13 (with meta_struct).");
       }
 
       String service = unpackString("service", unpacker);
@@ -55,9 +61,26 @@ static SpanV04 unpack(MessageUnpacker unpacker) {
       unpackKey("meta", unpacker);
       Map<String, String> meta = unpackMeta(unpacker, spanId);
 
+      Map<String, Object> metaStruct = null;
+      if (size > 12) {
+        unpackKey("meta_struct", unpacker);
+        metaStruct = unpackMetaStruct(unpacker, spanId);
+      }
+
       return new SpanV04(
-          service, name, resource, traceId, spanId, parentId, start, duration, error, type, metrics,
-          meta);
+          service,
+          name,
+          resource,
+          traceId,
+          spanId,
+          parentId,
+          start,
+          duration,
+          error,
+          type,
+          metrics,
+          meta,
+          metaStruct);
     } catch (Throwable t) {
       if (t instanceof RuntimeException) {
         throw (RuntimeException) t;
@@ -95,6 +118,23 @@ private static Map<String, String> unpackMeta(MessageUnpacker unpacker, long spa
     return meta;
   }
 
+  private static Map<String, Object> unpackMetaStruct(MessageUnpacker unpacker, long spanId)
+      throws IOException {
+    int metaSize = unpacker.unpackMapHeader();
+    if (metaSize < 0) {
+      throw new IllegalArgumentException(
+          "Negative meta map size " + metaSize + " for span " + spanId);
+    }
+    Map<String, Object> result = new HashMap<>(metaSize);
+    for (int i = 0; i < metaSize; i++) {
+      final String key = unpacker.unpackString();
+      final int payloadSize = unpacker.unpackBinaryHeader();
+      final byte[] payload = unpacker.readPayload(payloadSize);
+      result.put(key, decodeObject(payload));
+    }
+    return result;
+  }
+
   private static String unpackString(String expectedKey, MessageUnpacker unpacker)
       throws IOException {
     unpackKey(expectedKey, unpacker);
@@ -143,6 +183,51 @@ static Number unpackNumber(MessageUnpacker unpacker) {
     return result;
   }
 
+  private static Object decodeObject(final byte[] input) {
+    MessageUnpacker unpacker = MessagePack.newDefaultUnpacker(input);
+    try {
+      final Value value = unpacker.unpackValue();
+      return convertValueToObject(value);
+    } catch (IOException e) {
+      throw new IllegalArgumentException("Failed to decode object.", e);
+    }
+  }
+
+  private static Object convertValueToObject(final Value value) {
+    switch (value.getValueType()) {
+      case NIL:
+        return null;
+      case BOOLEAN:
+        return value.asBooleanValue().getBoolean();
+      case INTEGER:
+        return value.asIntegerValue().toLong();
+      case FLOAT:
+        return value.asFloatValue().toFloat();
+      case BINARY:
+        return value.asBinaryValue().asByteArray();
+      case STRING:
+        return value.asStringValue().asString();
+      case ARRAY:
+        final List<Value> array = value.asArrayValue().list();
+        final List<Object> result = new ArrayList<>(array.size());
+        for (final Value element : array) {
+          result.add(convertValueToObject(element));
+        }
+        return result;
+      case MAP:
+        final Map<Value, Value> map = value.asMapValue().map();
+        final Map<String, Object> resultMap = new HashMap<>(map.size());
+        for (final Map.Entry<Value, Value> entry : map.entrySet()) {
+          resultMap.put(
+              entry.getKey().asStringValue().asString(), convertValueToObject(entry.getValue()));
+        }
+        return resultMap;
+      default:
+        throw new IllegalArgumentException(
+            "Failed to convert value to object. Unexpected value type " + value.getValueType());
+    }
+  }
+
   private final String service;
   private final String name;
   private final String resource;
@@ -153,6 +238,7 @@ static Number unpackNumber(MessageUnpacker unpacker) {
   private final long duration;
   private final int error;
   private final Map<String, String> meta;
+  private final Map<String, Object> metaStruct;
   private final Map<String, Number> metrics;
   private final String type;
 
@@ -168,7 +254,8 @@ public SpanV04(
       int error,
       String type,
       Map<String, Number> metrics,
-      Map<String, String> meta) {
+      Map<String, String> meta,
+      Map<String, Object> metaStruct) {
     this.service = service;
     this.name = name;
     this.resource = resource;
@@ -179,6 +266,7 @@ public SpanV04(
     this.duration = duration;
     this.error = error;
     this.meta = Collections.unmodifiableMap(meta);
+    this.metaStruct = metaStruct == null ? null : Collections.unmodifiableMap(metaStruct);
     this.metrics = Collections.unmodifiableMap(metrics);
     this.type = type;
   }
@@ -223,6 +311,10 @@ public Map<String, String> getMeta() {
     return meta;
   }
 
+  public Map<String, Object> getMetaStruct() {
+    return metaStruct;
+  }
+
   public Map<String, Number> getMetrics() {
     return metrics;
   }
@@ -257,6 +349,8 @@ public String toString() {
         + error
         + ", meta="
         + meta
+        + ", metaStruct="
+        + metaStruct
         + ", metrics="
         + metrics
         + ", type='"
diff --git a/utils/test-agent-utils/decoder/src/main/java/datadog/trace/test/agent/decoder/v05/raw/SpanV05.java b/utils/test-agent-utils/decoder/src/main/java/datadog/trace/test/agent/decoder/v05/raw/SpanV05.java
@@ -188,6 +188,11 @@ public Map<String, String> getMeta() {
     return meta;
   }
 
+  public Map<String, Object> getMetaStruct() {
+    // XXX: meta_struct is not supported in v0.5.
+    return null;
+  }
+
   public Map<String, Number> getMetrics() {
     return metrics;
   }

Original file line number	Diff line number	Diff line change
`@@ -295,6 +295,9 @@ class SpringBootSmokeTest extends AbstractAppSecServerSmokeTest {`
`295`	`295`	`}`
`296`	`296`	`}`
`297`	`297`	`assert trigger != null, 'test trigger not found'`
	`298`	`+ rootSpan.span.metaStruct != null`
	`299`	`+ def stack = rootSpan.span.metaStruct.get('_dd.stack')`
	`300`	`+ assert stack != null, 'stack is not set'`
`298`	`301`	`}`
`299`	`302`
`300`	`303`	`void 'rasp blocks on sql injection'() {`
Original file line number	Diff line number	Diff line change
`@@ -188,6 +188,11 @@ public Map<String, String> getMeta() {`
`188`	`188`	`return meta;`
`189`	`189`	`}`
`190`	`190`
	`191`	`+ public Map<String, Object> getMetaStruct() {`
	`192`	`+ // XXX: meta_struct is not supported in v0.5.`
	`193`	`+ return null;`
	`194`	`+ }`
	`195`	`+`
`191`	`196`	`public Map<String, Number> getMetrics() {`
`192`	`197`	`return metrics;`
`193`	`198`	`}`