Expand SSRF support in IAST to apache-httpclient, commons-httpclient and okhttp (#7792)

Author: Mariovido

dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/HttpClientDecorator.java

@@ -6,6 +6,10 @@
 
 import datadog.trace.api.Config;
 import datadog.trace.api.DDTags;
+import datadog.trace.api.InstrumenterConfig;
+import datadog.trace.api.ProductActivation;
+import datadog.trace.api.iast.InstrumentationBridge;
+import datadog.trace.api.iast.sink.SsrfModule;
 import datadog.trace.api.naming.SpanNaming;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
 import datadog.trace.bootstrap.instrumentation.api.InternalSpanTypes;
@@ -89,6 +93,8 @@ public AgentSpan onRequest(final AgentSpan span, final REQUEST request) {
         log.debug("Error tagging url", e);
       }
 
+      ssrfIastCheck(request);
+
       if (CLIENT_TAG_HEADERS) {
         for (Map.Entry<String, String> headerTag :
             traceConfig(span).getRequestHeaderTags().entrySet()) {
@@ -168,4 +174,23 @@ public long getResponseContentLength(final RESPONSE response) {
 
     return 0;
   }
+
+  /* This method must be overriden after making the proper propagations to the client before **/
+  protected Object sourceUrl(REQUEST request) {
+    return null;
+  }
+
+  private void ssrfIastCheck(final REQUEST request) {
+    final Object sourceUrl = sourceUrl(request);
+    if (sourceUrl == null) {
+      return;
+    }
+    if (InstrumenterConfig.get().getIastActivation() != ProductActivation.FULLY_ENABLED) {
+      return;
+    }
+    final SsrfModule ssrfModule = InstrumentationBridge.SSRF;
+    if (ssrfModule != null) {
+      ssrfModule.onURLConnection(sourceUrl);
+    }
+  }
 }

dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/decorator/HttpClientDecoratorTest.groovy

@@ -1,6 +1,8 @@
 package datadog.trace.bootstrap.instrumentation.decorator
 
 import datadog.trace.api.DDTags
+import datadog.trace.api.iast.InstrumentationBridge
+import datadog.trace.api.iast.sink.SsrfModule
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan
 import datadog.trace.bootstrap.instrumentation.api.AgentTracer
 import datadog.trace.bootstrap.instrumentation.api.ResourceNamePriorities
@@ -171,6 +173,32 @@ class HttpClientDecoratorTest extends ClientDecoratorTest {
     null   | null           | false
   }
 
+  def "test ssrfIastCheck is called"() {
+    setup:
+    injectSysConfig('dd.iast.enabled', input)
+    def decorator = newDecorator()
+    final module = Mock(SsrfModule)
+    InstrumentationBridge.registerIastModule(module)
+
+    when:
+    decorator.onRequest(span, req)
+
+    then:
+    if (input == 'true') {
+      1 * module.onURLConnection(_)
+    } else {
+      0 * module.onURLConnection(_)
+    }
+    if (req) {
+      1 * span.traceConfig() >> AgentTracer.traceConfig()
+    }
+
+    where:
+    input  | req
+    'true' | [method: "test-method", url: testUrl, path: '/somepath']
+    'false' | [method: "test-method", url: testUrl, path: '/somepath']
+  }
+
   @Override
   def newDecorator(String serviceName = "test-service") {
     return new HttpClientDecorator<Map, Map>() {
@@ -199,6 +227,11 @@ class HttpClientDecoratorTest extends ClientDecoratorTest {
           return m.url
         }
 
+        @Override
+        protected String sourceUrl(Map m) {
+          return m.url
+        }
+
         @Override
         protected int status(Map m) {
           null == m.status ? 0 : m.status.intValue()

dd-java-agent/agent-iast/build.gradle

@@ -86,6 +86,7 @@ ext {
   excludedClassesCoverage = [
     // Avoid coverage measurement of model getters atm
     'com.datadog.iast.model.Evidence',
+    'com.datadog.iast.sink.SinkModuleBase.EvidenceBuilder',
     'com.datadog.iast.model.Range',
     'com.datadog.iast.model.Source',
     'com.datadog.iast.model.Vulnerability',

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/SsrfModuleImpl.java

@@ -1,11 +1,7 @@
 package com.datadog.iast.sink;
 
 import com.datadog.iast.Dependencies;
-import com.datadog.iast.model.Range;
 import com.datadog.iast.model.VulnerabilityType;
-import com.datadog.iast.taint.Ranges;
-import com.datadog.iast.util.Iterators;
-import com.datadog.iast.util.RangeBuilder;
 import datadog.trace.api.iast.sink.SsrfModule;
 import javax.annotation.Nullable;
 
@@ -22,64 +18,4 @@ public void onURLConnection(@Nullable final Object url) {
     }
     checkInjection(VulnerabilityType.SSRF, url);
   }
-
-  /**
-   * if the host or the uri are tainted, we report the url as tainted as well a new range is created
-   * covering all the value string in order to simplify the algorithm
-   */
-  @Override
-  public void onURLConnection(@Nullable String value, @Nullable Object host, @Nullable Object uri) {
-    if (value == null) {
-      return;
-    }
-    checkInjection(VulnerabilityType.SSRF, Iterators.of(host, uri), new SsrfEvidenceBuilder(value));
-  }
-
-  private static class SsrfEvidenceBuilder implements EvidenceBuilder {
-
-    private final String url;
-
-    private SsrfEvidenceBuilder(final String url) {
-      this.url = url;
-    }
-
-    @Override
-    public void tainted(
-        final StringBuilder evidence,
-        final RangeBuilder ranges,
-        final Object value,
-        final Range[] valueRanges) {
-      if (!ranges.isEmpty()) {
-        return; // skip if already tainted
-      }
-      evidence.append(url);
-      if (value != null && url.equals(value.toString())) {
-        // safe path, the URL is exactly the same
-        ranges.add(valueRanges);
-      } else {
-        final Range range = Ranges.highestPriorityRange(valueRanges);
-        final String tainted = substring(value, range);
-        final int offset = tainted == null ? -1 : url.indexOf(tainted);
-        if (offset >= 0) {
-          // use the specific part of the tainted URL
-          ranges.add(range.shift(offset));
-        } else {
-          // resort to fully taint the URL
-          ranges.add(Ranges.forCharSequence(url, range.getSource()));
-        }
-      }
-    }
-
-    @Nullable
-    private String substring(Object value, final Range range) {
-      if (value == null) {
-        return null;
-      }
-      final String stringValue = value.toString();
-      if (range.getStart() + range.getLength() > stringValue.length()) {
-        return null;
-      }
-      return stringValue.substring(range.getStart(), range.getStart() + range.getLength());
-    }
-  }
 }

dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/sink/SsrfModuleTest.groovy

@@ -11,10 +11,6 @@ import datadog.trace.api.iast.SourceTypes
 import datadog.trace.api.iast.VulnerabilityMarks
 import datadog.trace.api.iast.sink.SsrfModule
 
-import static com.datadog.iast.taint.TaintUtils.fromTaintFormat
-import static com.datadog.iast.taint.TaintUtils.getStringFromTaintFormat
-import static com.datadog.iast.taint.TaintUtils.taintFormat
-
 class SsrfModuleTest extends IastModuleImplTestBase {
 
   private SsrfModule module
@@ -36,14 +32,6 @@ class SsrfModuleTest extends IastModuleImplTestBase {
     0 * _
   }
 
-  void 'test null value'() {
-    when:
-    module.onURLConnection(null, null, null)
-
-    then:
-    0 * _
-  }
-
   void 'test SSRF detection'() {
     when:
     module.onURLConnection(url)
@@ -89,68 +77,7 @@ class SsrfModuleTest extends IastModuleImplTestBase {
     0 * reporter.report(_, _)
   }
 
-  void 'test SSRF detection for host and uri'() {
-    when:
-    module.onURLConnection(value, host, uri)
-
-    then: 'report is not called if no active span'
-    tracer.activeSpan() >> null
-    0 * reporter.report(_, _)
-
-    when:
-    module.onURLConnection(value, host, uri)
-
-    then: 'report is not called if host or uri are not tainted'
-    tracer.activeSpan() >> span
-    0 * reporter.report(_, _)
-
-    when:
-    host = tainted(host)
-    uri = taintedURI(uri)
-    module.onURLConnection(value, host, uri)
-
-    then: 'report is called when the host or uri are tainted'
-    tracer.activeSpan() >> span
-    if (expected == null) {
-      0 * reporter.report(_, _)
-    } else {
-      1 * reporter.report(span, { Vulnerability vul ->
-        vul.type == VulnerabilityType.SSRF && taintFormat(vul.evidence.value, vul.evidence.ranges) == expected
-      })
-    }
-
-    where:
-    value                        | host                | uri                                | expected
-    'http://test.com/tested?1=1' | 'test.com'          | 'http://test.com/tested?1=1'       | null
-    'http://test.com/tested?1=1' | '==>test.com<=='    | 'http://test.com/tested?1=1'       | 'http://==>test.com<==/tested?1=1'
-    'http://test.com/tested?1=1' | '==>another.com<==' | 'http://test.com/tested?1=1'       | '==>http://test.com/tested?1=1<==' // no match so full taint
-    'http://test.com/tested?1=1' | 'test.com'          | '==>http://test.com/tested?1=1<==' | '==>http://test.com/tested?1=1<=='
-    'http://test.com/tested?1=1' | 'test.com'          | '==>http<==://test.com/tested?1=1' | '==>http<==://test.com/tested?1=1'
-    'http://test.com/tested?1=1' | 'test.com'          | 'http://==>test.com<==/tested?1=1' | 'http://==>test.com<==/tested?1=1'
-    'http://test.com/tested?1=1' | 'test.com'          | 'http://test.com/==>tested<==?1=1' | 'http://test.com/==>tested<==?1=1'
-    'http://test.com/tested?1=1' | 'test.com'          | 'http://test.com/tested==>?1=1<==' | 'http://test.com/tested==>?1=1<=='
-  }
-
   private taint(final Object value) {
     ctx.getTaintedObjects().taint(value, Ranges.forObject(new Source(SourceTypes.REQUEST_PARAMETER_VALUE, 'name', value.toString())))
   }
-
-
-  private String tainted(final String url) {
-    final uri = getStringFromTaintFormat(url)
-    final ranges = fromTaintFormat(url)
-    if (ranges?.length > 0) {
-      ctx.getTaintedObjects().taint(uri, ranges)
-    }
-    return uri
-  }
-
-  private URI taintedURI(final String url) {
-    final uri = new URI(getStringFromTaintFormat(url))
-    final ranges = fromTaintFormat(url)
-    if (ranges?.length > 0) {
-      ctx.getTaintedObjects().taint(uri, ranges)
-    }
-    return uri
-  }
 }

dd-java-agent/instrumentation/apache-httpclient-4/src/main/java/datadog/trace/instrumentation/apachehttpclient/ApacheHttpClientDecorator.java

@@ -34,6 +34,11 @@ protected URI url(final HttpUriRequest request) {
     return request.getURI();
   }
 
+  @Override
+  protected URI sourceUrl(final HttpUriRequest request) {
+    return request.getURI();
+  }
+
   @Override
   protected int status(final HttpResponse httpResponse) {
     return httpResponse.getStatusLine().getStatusCode();