Updated ASM rules to 1.13.1 (#7831)

* Updated ASM rules to 1.13.1

Author: ValentinZakharov

dd-java-agent/appsec/src/main/resources/default_config.json

@@ -1,7 +1,7 @@
 {
   "version": "2.2",
   "metadata": {
-    "rules_version": "1.13.0"
+    "rules_version": "1.13.1"
   },
   "rules": [
     {
@@ -6239,7 +6239,6 @@
     {
       "id": "rasp-930-100",
       "name": "Local file inclusion exploit",
-      "enabled": false,
       "tags": {
         "type": "lfi",
         "category": "vulnerability_trigger",
@@ -6287,8 +6286,7 @@
     },
     {
       "id": "rasp-932-100",
-      "name": "Shell injection exploit",
-      "enabled": false,
+      "name": "Command injection exploit",
       "tags": {
         "type": "command_injection",
         "category": "vulnerability_trigger",
@@ -6385,7 +6383,7 @@
     },
     {
       "id": "rasp-942-100",
-      "name": "SQL injection exploit",
+      "name": "SQL injection exploit (legacy)",
       "enabled": false,
       "tags": {
         "type": "sql_injection",
@@ -6395,6 +6393,7 @@
         "confidence": "0",
         "module": "rasp"
       },
+      "max_version": "1.19.1",
       "conditions": [
         {
           "parameters": {
@@ -6434,6 +6433,58 @@
         "stack_trace"
       ]
     },
+    {
+      "id": "rasp-942-110",
+      "name": "SQL injection exploit",
+      "enabled": false,
+      "tags": {
+        "type": "sql_injection",
+        "category": "vulnerability_trigger",
+        "cwe": "89",
+        "capec": "1000/152/248/66",
+        "confidence": "0",
+        "module": "rasp"
+      },
+      "min_version": "1.20.0",
+      "conditions": [
+        {
+          "parameters": {
+            "resource": [
+              {
+                "address": "server.db.statement"
+              }
+            ],
+            "params": [
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              },
+              {
+                "address": "server.request.path_params"
+              },
+              {
+                "address": "graphql.server.all_resolvers"
+              },
+              {
+                "address": "graphql.server.resolver"
+              }
+            ],
+            "db_type": [
+              {
+                "address": "server.db.system"
+              }
+            ]
+          },
+          "operator": "sqli_detector@v2"
+        }
+      ],
+      "transformers": [],
+      "on_match": [
+        "stack_trace"
+      ]
+    },
     {
       "id": "sqr-000-001",
       "name": "SSRF: Try to access the credential manager of the main cloud services",
@@ -9780,4 +9831,4 @@
       }
     }
   ]
-}
+}

dd-smoke-tests/appsec/springboot-grpc/src/test/groovy/datadog/smoketest/appsec/ServerMethodTest.groovy

@@ -15,7 +15,7 @@ class ServerMethodTest extends AbstractSpringBootWithGRPCAppSecTest {
   ProcessBuilder createProcessBuilder() {
     // We run this here to ensure it runs before starting the process. Child setupSpec runs after parent setupSpec,
     // so it is not a valid location.
-    appendRules(customRulesPath, [
+    mergeRules(customRulesPath, [
       [
         id          : '__test_server_method_bock',
         name        : 'test rule to block on server method',

dd-smoke-tests/appsec/springboot/src/test/groovy/datadog/smoketest/appsec/SpringBootSmokeTest.groovy

@@ -18,7 +18,7 @@ class SpringBootSmokeTest extends AbstractAppSecServerSmokeTest {
 
   def prepareCustomRules() {
     // Prepare ruleset with additional test rules
-    appendRules(
+    mergeRules(
       customRulesPath,
       [
         [
@@ -108,7 +108,7 @@ class SpringBootSmokeTest extends AbstractAppSecServerSmokeTest {
           on_match    : ['block']
         ],
         [
-          id          : '__test_lfi_block',
+          id          : 'rasp-930-100',     // to replace default rule
           name        : 'Local File Inclusion  exploit',
           enable      : 'true',
           tags        : [
@@ -439,7 +439,7 @@ class SpringBootSmokeTest extends AbstractAppSecServerSmokeTest {
     assert rootSpan.meta.get('_dd.appsec.json') != null, '_dd.appsec.json is not set'
     def trigger = null
     for (t in rootSpan.triggers) {
-      if (t['rule']['id'] == '__test_lfi_block') {
+      if (t['rule']['id'] == 'rasp-930-100') {
         trigger = t
         break
       }

dd-smoke-tests/appsec/src/main/groovy/datadog/smoketest/appsec/AbstractAppSecServerSmokeTest.groovy

@@ -82,16 +82,21 @@ abstract class AbstractAppSecServerSmokeTest extends AbstractServerSmokeTest {
   }
 
   /**
-   * This method fetches default ruleset included in the agent and appends the selected rules, then it points
+   * This method fetches default ruleset included in the agent and merges the selected rules, then it points
    * the {@code dd.appsec.rules} variable to the new file
    */
-  void appendRules(final String path, final List<Map<String, Object>> customRules) {
+  void mergeRules(final String path, final List<Map<String, Object>> customRules) {
     // Prepare a file with the new rules
     final jarFile = new JarFile(shadowJarPath)
     final zipEntry = jarFile.getEntry("appsec/default_config.json")
     final content = IOUtils.toString(jarFile.getInputStream(zipEntry), StandardCharsets.UTF_8)
     final json = new JsonSlurper().parseText(content) as Map<String, Object>
     final rules = json.rules as List<Map<String, Object>>
+
+    // remove already existing rules for merge
+    List<Object> customRulesNames = customRules.collect { it.id }
+    rules.removeIf { it.id in customRulesNames }
+
     rules.addAll(customRules)
     final gen = new JsonGenerator.Options().build()
     IOUtils.write(gen.toJson(json), new FileOutputStream(path, false), StandardCharsets.UTF_8)