Suspicious request blocking - Express Path Parameters #4769
Conversation
Overall package sizeSelf size: 7.48 MB Dependency sizes| name | version | self size | total size | |------|---------|-----------|------------| | @datadog/native-appsec | 8.1.1 | 18.67 MB | 18.68 MB | | @datadog/native-iast-taint-tracking | 3.1.0 | 12.27 MB | 12.28 MB | | @datadog/pprof | 5.3.0 | 9.85 MB | 10.22 MB | | protobufjs | 7.2.5 | 2.77 MB | 5.16 MB | | @datadog/native-iast-rewriter | 2.5.0 | 2.51 MB | 2.59 MB | | @opentelemetry/core | 1.14.0 | 872.87 kB | 1.47 MB | | @datadog/native-metrics | 2.0.0 | 898.77 kB | 1.3 MB | | @opentelemetry/api | 1.8.0 | 1.21 MB | 1.21 MB | | jsonpath-plus | 9.0.0 | 580.4 kB | 1.03 MB | | import-in-the-middle | 1.11.2 | 112.74 kB | 826.22 kB | | msgpack-lite | 0.1.26 | 201.16 kB | 281.59 kB | | opentracing | 0.14.7 | 194.81 kB | 194.81 kB | | pprof-format | 2.1.0 | 111.69 kB | 111.69 kB | | @datadog/sketches-js | 2.1.0 | 109.9 kB | 109.9 kB | | semver | 7.6.3 | 95.82 kB | 95.82 kB | | lodash.sortby | 4.7.0 | 75.76 kB | 75.76 kB | | lru-cache | 7.14.0 | 74.95 kB | 74.95 kB | | ignore | 5.3.1 | 51.46 kB | 51.46 kB | | int64-buffer | 0.1.10 | 49.18 kB | 49.18 kB | | shell-quote | 1.8.1 | 44.96 kB | 44.96 kB | | istanbul-lib-coverage | 3.2.0 | 29.34 kB | 29.34 kB | | rfdc | 1.3.1 | 25.21 kB | 25.21 kB | | tlhunter-sorted-set | 0.1.0 | 24.94 kB | 24.94 kB | | limiter | 1.1.5 | 23.17 kB | 23.17 kB | | dc-polyfill | 0.1.4 | 23.1 kB | 23.1 kB | | retry | 0.13.1 | 18.85 kB | 18.85 kB | | jest-docblock | 29.7.0 | 8.99 kB | 12.76 kB | | crypto-randomuuid | 1.0.0 | 11.18 kB | 11.18 kB | | koalas | 1.0.2 | 6.47 kB | 6.47 kB | | path-to-regexp | 0.1.10 | 6.38 kB | 6.38 kB | | module-details-from-path | 1.0.3 | 4.47 kB | 4.47 kB |🤖 This report was automatically generated by heaviest-objects-in-the-universe |
There was a problem hiding this comment.
Wdyt about splitting this file into supsicious-request-blocking.express.plugin.spec.js and api-security.express.plugin.spec.js ?
There was a problem hiding this comment.
Yes, this file is getting longer and longer... We could separate this in two files, but should we also split the src/appsec/index.js in different files?
There was a problem hiding this comment.
Do you mean packages/dd-trace/test/appsec/index.spec.js? If so, I'd not go with it, since it contains unit test for src/appsec/index.js so, to me, it makes sense to mirror the filenames.
There was a problem hiding this comment.
No, I am not talking about test file, I am talking about appsec/index.js source file.
But anyway, a refactor shouldn't be part of this PR. So not to implement here.
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #4769 +/- ##
==========================================
+ Coverage 69.19% 70.15% +0.96%
==========================================
Files 1 307 +306
Lines 198 12992 +12794
Branches 33 0 -33
==========================================
+ Hits 137 9115 +8978
- Misses 61 3877 +3816 ☔ View full report in Codecov by Sentry. |
BenchmarksBenchmark execution time: 2024-10-14 14:07:53 Comparing candidate commit c545063 in PR branch Found 0 performance improvements and 0 performance regressions! Performance is the same for 260 metrics, 6 unstable metrics. |
| @@ -106,7 +106,17 @@ const wrapProcessParamsMethod = (requestPositionInArguments) => { | |||
| return (original) => { | |||
There was a problem hiding this comment.
Can we make wrapProcessParamsMethod a non arrow function, and add names to the functions under that ? it's easier to reason about with actual function names.
Usually it goes like
wrapProcessParams()
-> wrappedProcessParams()
-> -> processParamsCallback()
or something like that
| @@ -6,6 +6,7 @@ const remoteConfig = require('./remote_config') | |||
| const { | |||
| bodyParser, | |||
| cookieParser, | |||
| expressProcessParams, | |||
There was a problem hiding this comment.
can we try to keep consistency of order between channel.js, appsec/index.js require, subscribe, handler, and unsubscribe ? just so it's not all over the place and it's easier to find a specific one.
| const rootSpan = web.root(req) | ||
| if (!rootSpan) return | ||
|
|
||
| if (!params || typeof params !== 'object' || !Object.keys(params).length) return |
There was a problem hiding this comment.
is this the only place where we have Object.keys check ? why is that
There was a problem hiding this comment.
In the other site - TaintTrackingPlugin- , the key length check is done (indirectly) later on, in the subscriber handler (taintObject method).
Here, this is done to avoid an unnecessary call to the WAF.
| expect(e.response.status).to.be.equals(403) | ||
| expect(e.response.data).to.be.deep.equal(JSON.parse(json)) | ||
| expect(requestBody).not.to.be.called | ||
| assert.equal(e.response.status, 403) |
There was a problem hiding this comment.
😮 you replaced all the expect by assert in this file, thanks for it :-D
Co-authored-by: Ugaitz Urien <[email protected]>
CarlesDD
force-pushed
the
ccapell/path-params-blocking
branch
from
49fb545
to
c545063
Compare
What does this PR do?
Subscribe to express
process_paramin order to report express path parameters to the WAF and block malicious incoming requests.Motivation
To extend suspicious request blocking feature, blocking malicious payloads coming in express path parameters.
Plugin Checklist
Additional Notes
Based on @simon-id previous work #3666
System Test PR
APPSEC-8367