Add LFI exploit prevention support (#7487)

Gives support to LFI exploit prevention by updating IAST Path traversal callsites

Author: jandro996

.github/CODEOWNERS

@@ -55,6 +55,9 @@ dd-java-agent/instrumentation/spring-security-5/ @DataDog/asm-java
 **/iast/                               @DataDog/asm-java
 **/Iast*.java                          @DataDog/asm-java
 **/Iast*.groovy                        @DataDog/asm-java
+**/rasp/                               @Datadog/asm-java
+**/*Rasp*.java                          @DataDog/asm-java
+**/*Rasp*.groovy                        @DataDog/asm-java
 
 # @DataDog/data-jobs-monitoring
 dd-java-agent/instrumentation/spark/            @DataDog/data-jobs-monitoring

dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/AppSecConfigServiceImpl.java

@@ -12,6 +12,7 @@
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_HEADER_FINGERPRINT;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_IP_BLOCKING;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_NETWORK_FINGERPRINT;
+import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_RASP_LFI;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_RASP_SQLI;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_RASP_SSRF;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_REQUEST_BLOCKING;
@@ -116,6 +117,7 @@ private void subscribeConfigurationPoller() {
     if (tracerConfig.isAppSecRaspEnabled()) {
       capabilities |= CAPABILITY_ASM_RASP_SQLI;
       capabilities |= CAPABILITY_ASM_RASP_SSRF;
+      capabilities |= CAPABILITY_ASM_RASP_LFI;
     }
     this.configurationPoller.addCapabilities(capabilities);
   }
@@ -359,6 +361,7 @@ public void close() {
             | CAPABILITY_ASM_API_SECURITY_SAMPLE_RATE
             | CAPABILITY_ASM_RASP_SQLI
             | CAPABILITY_ASM_RASP_SSRF
+            | CAPABILITY_ASM_RASP_LFI
             | CAPABILITY_ASM_AUTO_USER_INSTRUM_MODE
             | CAPABILITY_ENDPOINT_FINGERPRINT
             // TODO enable when usr.id and usr.session_id addresses are added

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java

@@ -85,6 +85,7 @@ public class GatewayBridge {
   private volatile DataSubscriberInfo requestEndSubInfo;
   private volatile DataSubscriberInfo dbSqlQuerySubInfo;
   private volatile DataSubscriberInfo ioNetUrlSubInfo;
+  private volatile DataSubscriberInfo ioFileSubInfo;
 
   public GatewayBridge(
       SubscriptionService subscriptionService,
@@ -124,6 +125,7 @@ public void init() {
     subscriptionService.registerCallback(EVENTS.databaseConnection(), this::onDatabaseConnection);
     subscriptionService.registerCallback(EVENTS.databaseSqlQuery(), this::onDatabaseSqlQuery);
     subscriptionService.registerCallback(EVENTS.networkConnection(), this::onNetworkConnection);
+    subscriptionService.registerCallback(EVENTS.fileLoaded(), this::onFileLoaded);
 
     if (additionalIGEvents.contains(EVENTS.requestPathParams())) {
       subscriptionService.registerCallback(EVENTS.requestPathParams(), this::onRequestPathParams);
@@ -159,6 +161,31 @@ private Flow<Void> onNetworkConnection(RequestContext ctx_, String url) {
     }
   }
 
+  private Flow<Void> onFileLoaded(RequestContext ctx_, String path) {
+    AppSecRequestContext ctx = ctx_.getData(RequestContextSlot.APPSEC);
+    if (ctx == null) {
+      return NoopFlow.INSTANCE;
+    }
+    while (true) {
+      DataSubscriberInfo subInfo = ioFileSubInfo;
+      if (subInfo == null) {
+        subInfo = producerService.getDataSubscribers(KnownAddresses.IO_FS_FILE);
+        ioFileSubInfo = subInfo;
+      }
+      if (subInfo == null || subInfo.isEmpty()) {
+        return NoopFlow.INSTANCE;
+      }
+      DataBundle bundle =
+          new MapDataBundle.Builder(CAPACITY_0_2).add(KnownAddresses.IO_FS_FILE, path).build();
+      try {
+        GatewayContext gwCtx = new GatewayContext(true, RuleType.LFI);
+        return producerService.publishDataEvent(subInfo, ctx, bundle, gwCtx);
+      } catch (ExpiredSubscriberInfoException e) {
+        ioFileSubInfo = null;
+      }
+    }
+  }
+
   private Flow<Void> onDatabaseSqlQuery(RequestContext ctx_, String sql) {
     AppSecRequestContext ctx = ctx_.getData(RequestContextSlot.APPSEC);
     if (ctx == null) {

dd-java-agent/appsec/src/main/java/com/datadog/appsec/powerwaf/PowerWAFModule.java

@@ -403,6 +403,7 @@ private static Collection<Address<?>> getUsedAddresses(PowerwafContext ctx) {
     addressList.add(KnownAddresses.DB_TYPE);
     addressList.add(KnownAddresses.DB_SQL_QUERY);
     addressList.add(KnownAddresses.IO_NET_URL);
+    addressList.add(KnownAddresses.IO_FS_FILE);
 
     return addressList;
   }

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/config/AppSecConfigServiceImplSpecification.groovy

@@ -26,6 +26,7 @@ import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_EXCLUSION_DATA
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_HEADER_FINGERPRINT
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_IP_BLOCKING
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_NETWORK_FINGERPRINT
+import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_RASP_LFI
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_RASP_SQLI
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_RASP_SSRF
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_REQUEST_BLOCKING
@@ -269,6 +270,7 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
       | CAPABILITY_ASM_TRUSTED_IPS
       | CAPABILITY_ASM_RASP_SQLI
       | CAPABILITY_ASM_RASP_SSRF
+      | CAPABILITY_ASM_RASP_LFI
       | CAPABILITY_ENDPOINT_FINGERPRINT
       // | CAPABILITY_ASM_SESSION_FINGERPRINT
       | CAPABILITY_ASM_NETWORK_FINGERPRINT
@@ -420,6 +422,7 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
       | CAPABILITY_ASM_TRUSTED_IPS
       | CAPABILITY_ASM_RASP_SQLI
       | CAPABILITY_ASM_RASP_SSRF
+      | CAPABILITY_ASM_RASP_LFI
       | CAPABILITY_ENDPOINT_FINGERPRINT
       // | CAPABILITY_ASM_SESSION_FINGERPRINT
       | CAPABILITY_ASM_NETWORK_FINGERPRINT
@@ -492,6 +495,7 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
       | CAPABILITY_ASM_API_SECURITY_SAMPLE_RATE
       | CAPABILITY_ASM_RASP_SQLI
       | CAPABILITY_ASM_RASP_SSRF
+      | CAPABILITY_ASM_RASP_LFI
       | CAPABILITY_ASM_AUTO_USER_INSTRUM_MODE
       | CAPABILITY_ENDPOINT_FINGERPRINT
       // | CAPABILITY_ASM_SESSION_FINGERPRINT

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy

@@ -82,6 +82,7 @@ class GatewayBridgeSpecification extends DDSpecification {
   BiConsumer<RequestContext, String> databaseConnectionCB
   BiFunction<RequestContext, String, Flow<Void>> databaseSqlQueryCB
   BiFunction<RequestContext, String, Flow<Void>> networkConnectionCB
+  BiFunction<RequestContext, String, Flow<Void>> fileLoadedCB
 
   void setup() {
     callInitAndCaptureCBs()
@@ -416,6 +417,7 @@ class GatewayBridgeSpecification extends DDSpecification {
     1 * ig.registerCallback(EVENTS.databaseConnection(), _) >> { databaseConnectionCB = it[1]; null }
     1 * ig.registerCallback(EVENTS.databaseSqlQuery(), _) >> { databaseSqlQueryCB = it[1]; null }
     1 * ig.registerCallback(EVENTS.networkConnection(), _) >> { networkConnectionCB = it[1]; null }
+    1 * ig.registerCallback(EVENTS.fileLoaded(), _) >> { fileLoadedCB = it[1]; null }
     0 * ig.registerCallback(_, _)
 
     bridge.init()
@@ -798,6 +800,26 @@ class GatewayBridgeSpecification extends DDSpecification {
     gatewayContext.isRasp == true
   }
 
+  void 'process file loaded'() {
+    setup:
+    final path = 'https://www.datadoghq.com/demo/file.txt'
+    eventDispatcher.getDataSubscribers({ KnownAddresses.IO_FS_FILE in it }) >> nonEmptyDsInfo
+    DataBundle bundle
+    GatewayContext gatewayContext
+
+    when:
+    Flow<?> flow = fileLoadedCB.apply(ctx, path)
+
+    then:
+    1 * eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >>
+    { a, b, db, gw -> bundle = db; gatewayContext = gw; NoopFlow.INSTANCE }
+    bundle.get(KnownAddresses.IO_FS_FILE) == path
+    flow.result == null
+    flow.action == Flow.Action.Noop.INSTANCE
+    gatewayContext.isTransient == true
+    gatewayContext.isRasp == true
+  }
+
   void 'calls trace segment post processor'() {
     setup:
     AgentSpan span = Stub()

dd-java-agent/instrumentation/java-io/src/main/java/datadog/trace/instrumentation/java/lang/FileCallSite.java

@@ -1,6 +1,7 @@
 package datadog.trace.instrumentation.java.lang;
 
 import datadog.trace.agent.tooling.csi.CallSite;
+import datadog.trace.api.appsec.RaspCallSites;
 import datadog.trace.api.iast.IastCallSites;
 import datadog.trace.api.iast.InstrumentationBridge;
 import datadog.trace.api.iast.Sink;
@@ -11,20 +12,16 @@
 import javax.annotation.Nullable;
 
 @Sink(VulnerabilityTypes.PATH_TRAVERSAL)
-@CallSite(spi = IastCallSites.class)
+@CallSite(
+    spi = {IastCallSites.class, RaspCallSites.class},
+    helpers = FileLoadedRaspHelper.class)
 public class FileCallSite {
 
   @CallSite.Before("void java.io.File.<init>(java.lang.String)")
   public static void beforeConstructor(@CallSite.Argument @Nullable final String path) {
     if (path != null) { // new File(null) throws NPE
-      final PathTraversalModule module = InstrumentationBridge.PATH_TRAVERSAL;
-      if (module != null) {
-        try {
-          module.onPathTraversal(path);
-        } catch (final Throwable e) {
-          module.onUnexpectedException("beforeConstructor threw", e);
-        }
-      }
+      iastCallback(path);
+      raspCallback(path);
     }
   }
 
@@ -34,13 +31,8 @@ public static void beforeConstructor(
       @CallSite.Argument @Nullable final String child) {
     if (child != null) { // new File("abc", null) throws NPE
       final PathTraversalModule module = InstrumentationBridge.PATH_TRAVERSAL;
-      if (module != null) {
-        try {
-          module.onPathTraversal(parent, child);
-        } catch (final Throwable e) {
-          module.onUnexpectedException("beforeConstructor threw", e);
-        }
-      }
+      iastCallback(parent, child);
+      raspCallback(parent, child);
     }
   }
 
@@ -50,27 +42,77 @@ public static void beforeConstructor(
       @CallSite.Argument @Nullable final String child) {
     if (child != null) { // new File(parent, null) throws NPE
       final PathTraversalModule module = InstrumentationBridge.PATH_TRAVERSAL;
-      if (module != null) {
-        try {
-          module.onPathTraversal(parent, child);
-        } catch (final Throwable e) {
-          module.onUnexpectedException("beforeConstructor threw", e);
-        }
-      }
+      iastCallback(parent, child);
+      raspCallback(parent, child);
     }
   }
 
   @CallSite.Before("void java.io.File.<init>(java.net.URI)")
   public static void beforeConstructor(@CallSite.Argument @Nullable final URI uri) {
     if (uri != null) {
       final PathTraversalModule module = InstrumentationBridge.PATH_TRAVERSAL;
-      if (module != null) {
-        try {
-          module.onPathTraversal(uri);
-        } catch (final Throwable e) {
-          module.onUnexpectedException("beforeConstructor threw", e);
-        }
+      iastCallback(uri);
+      raspCallback(uri);
+    }
+  }
+
+  private static void iastCallback(String path) {
+    final PathTraversalModule module = InstrumentationBridge.PATH_TRAVERSAL;
+    if (module != null) {
+      try {
+        module.onPathTraversal(path);
+      } catch (final Throwable e) {
+        module.onUnexpectedException("beforeConstructor threw", e);
       }
     }
   }
+
+  private static void iastCallback(File parent, String child) {
+    final PathTraversalModule module = InstrumentationBridge.PATH_TRAVERSAL;
+    if (module != null) {
+      try {
+        module.onPathTraversal(parent, child);
+      } catch (final Throwable e) {
+        module.onUnexpectedException("beforeConstructor threw", e);
+      }
+    }
+  }
+
+  private static void iastCallback(String parent, String child) {
+    final PathTraversalModule module = InstrumentationBridge.PATH_TRAVERSAL;
+    if (module != null) {
+      try {
+        module.onPathTraversal(parent, child);
+      } catch (final Throwable e) {
+        module.onUnexpectedException("beforeConstructor threw", e);
+      }
+    }
+  }
+
+  private static void iastCallback(URI uri) {
+    final PathTraversalModule module = InstrumentationBridge.PATH_TRAVERSAL;
+    if (module != null) {
+      try {
+        module.onPathTraversal(uri);
+      } catch (final Throwable e) {
+        module.onUnexpectedException("beforeConstructor threw", e);
+      }
+    }
+  }
+
+  private static void raspCallback(File parent, String child) {
+    FileLoadedRaspHelper.INSTANCE.beforeFileLoaded(parent, child);
+  }
+
+  private static void raspCallback(String parent, String file) {
+    FileLoadedRaspHelper.INSTANCE.beforeFileLoaded(parent, file);
+  }
+
+  private static void raspCallback(String s) {
+    FileLoadedRaspHelper.INSTANCE.beforeFileLoaded(s);
+  }
+
+  private static void raspCallback(URI uri) {
+    FileLoadedRaspHelper.INSTANCE.beforeFileLoaded(uri);
+  }
 }

dd-java-agent/instrumentation/java-io/src/main/java/datadog/trace/instrumentation/java/lang/FileInputStreamCallSite.java

@@ -1,6 +1,7 @@
 package datadog.trace.instrumentation.java.lang;
 
 import datadog.trace.agent.tooling.csi.CallSite;
+import datadog.trace.api.appsec.RaspCallSites;
 import datadog.trace.api.iast.IastCallSites;
 import datadog.trace.api.iast.InstrumentationBridge;
 import datadog.trace.api.iast.Sink;
@@ -9,20 +10,31 @@
 import javax.annotation.Nullable;
 
 @Sink(VulnerabilityTypes.PATH_TRAVERSAL)
-@CallSite(spi = IastCallSites.class)
+@CallSite(
+    spi = {IastCallSites.class, RaspCallSites.class},
+    helpers = FileLoadedRaspHelper.class)
 public class FileInputStreamCallSite {
 
   @CallSite.Before("void java.io.FileInputStream.<init>(java.lang.String)")
   public static void beforeConstructor(@CallSite.Argument @Nullable final String path) {
     if (path != null) {
-      final PathTraversalModule module = InstrumentationBridge.PATH_TRAVERSAL;
-      if (module != null) {
-        try {
-          module.onPathTraversal(path);
-        } catch (final Throwable e) {
-          module.onUnexpectedException("beforeConstructor threw", e);
-        }
+      iastCallback(path);
+      raspCallback(path);
+    }
+  }
+
+  private static void iastCallback(String path) {
+    final PathTraversalModule module = InstrumentationBridge.PATH_TRAVERSAL;
+    if (module != null) {
+      try {
+        module.onPathTraversal(path);
+      } catch (final Throwable e) {
+        module.onUnexpectedException("beforeConstructor threw", e);
       }
     }
   }
+
+  private static void raspCallback(String path) {
+    FileLoadedRaspHelper.INSTANCE.beforeFileLoaded(path);
+  }
 }