wip

Author: jandro996

dd-java-agent/instrumentation/akka/akka-http/akka-http-10.0/src/main/java/datadog/trace/instrumentation/akkahttp/iast/UriInstrumentation.java

@@ -101,7 +101,7 @@ static void after(
 
       final IastContext ctx = reqCtx.getData(RequestContextSlot.IAST);
 
-      if (!prop.isTainted(ctx, uri)) {
+      if (prop.isTainted(ctx, uri)) {
         return;
       }
 

dd-smoke-tests/play-2.6/app/controllers/IastController.scala

@@ -4,6 +4,7 @@ import play.api.mvc._
 
 import java.nio.charset.StandardCharsets
 import java.security.MessageDigest
+import java.net.{HttpURLConnection, URL}
 
 class IastController extends Controller {
 
@@ -45,4 +46,22 @@ class IastController extends Controller {
       case e: Exception => InternalServerError(e.getMessage)
     }
   }
+
+  def sourceParameterGet = Action { request =>
+    val table = request.queryString.get("table").map(_.head).getOrElse("")
+    try {
+      val url  = new URL(table)
+      val conn = url.openConnection().asInstanceOf[HttpURLConnection]
+      conn.disconnect()
+    } catch {
+      case _: Exception => // ignorar
+    }
+    Ok(s"Request Parameters => source: $table")
+  }
+
+  def sourceParameterPost = Action { request =>
+    val table = request.body.asFormUrlEncoded.flatMap(_.get("table")).map(_.head).getOrElse("")
+    Ok(s"Request Parameters => source: $table")
+  }
+
 }

dd-smoke-tests/play-2.6/conf/routes

@@ -15,3 +15,7 @@ POST    /api_security/response              controllers.AppSecController.apiResp
 GET  /iast/multiple_vulns/:id  controllers.IastController.multipleVulns(id: String)
 POST    /iast/multiple_vulns/:id    controllers.IastController.postMultipleVulns(id: String)
 GET     /iast/multiple_vulns-2/:id  controllers.IastController.multipleVulns2(id: String)
+
+# IAST Source endpoints
+GET     /iast/source/parameter/test                 controllers.IastController.sourceParameterGet
+POST    /iast/source/parameter/test                 controllers.IastController.sourceParameterPost

dd-smoke-tests/play-2.6/src/test/groovy/datadog/smoketest/IastPlaySmokeTest.groovy

@@ -33,6 +33,7 @@ abstract class IastPlaySmokeTest extends AbstractIastServerSmokeTest {
       new ProcessBuilder("${playDirectory}/bin/${command}")
     processBuilder.directory(playDirectory)
     processBuilder.environment().put("JAVA_OPTS",
+      '-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=5005 '+
       (defaultIastProperties + defaultJavaProperties).collect({ it.replace(' ', '\\ ')}).join(" ")
       + " -Dconfig.file=${playDirectory}/conf/application.conf"
       + " -Dhttp.port=${httpPort}"
@@ -51,53 +52,68 @@ abstract class IastPlaySmokeTest extends AbstractIastServerSmokeTest {
 
   abstract String serverProvider()
 
-  void 'Test that all the vulnerabilities are detected'() {
+  //  void 'Test that all the vulnerabilities are detected'() {
+  //    given:
+  //    def requests = []
+  //    for (int i = 1; i <= 3; i++) {
+  //      requests.add(new Request.Builder()
+  //        .url("http://localhost:${httpPort}/iast/multiple_vulns/${i}?param=value${i}")
+  //        .get()
+  //        .build())
+  //      requests.add(new Request.Builder()
+  //        .url("http://localhost:${httpPort}/iast/multiple_vulns-2/${i}?param=value${i}")
+  //        .get()
+  //        .build())
+  //      requests.add(new Request.Builder()
+  //        .url("http://localhost:${httpPort}/iast/multiple_vulns/${i}")
+  //        .post(new FormBody.Builder().add('param', "value${i}").build())
+  //        .build())
+  //    }
+  //
+  //
+  //    when:
+  //    requests.each { req ->
+  //      client.newCall(req as Request).execute()
+  //    }
+  //
+  //    then: 'check has route dispatched'
+  //    hasMeta('http.route')
+  //
+  //    then: 'check first get mapping'
+  //    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$multipleVulns$1' && vul.evidence.value == 'SHA1' }
+  //    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$multipleVulns$1'  && vul.evidence.value == 'SHA-1' }
+  //    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$multipleVulns$1'  && vul.evidence.value == 'MD2'}
+  //    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$multipleVulns$1' && vul.evidence.value == 'MD5'}
+  //    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$multipleVulns$1'  && vul.evidence.value == 'RIPEMD128'}
+  //
+  //    then: 'check first post mapping'
+  //    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$postMultipleVulns$1' && vul.evidence.value == 'SHA1' }
+  //    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$postMultipleVulns$1' && vul.evidence.value == 'SHA-1' }
+  //    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$postMultipleVulns$1' && vul.evidence.value == 'MD2'}
+  //    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$postMultipleVulns$1' && vul.evidence.value == 'MD5'}
+  //    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$postMultipleVulns$1' && vul.evidence.value == 'RIPEMD128'}
+  //
+  //    then: 'check second get mapping'
+  //    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$multipleVulns2$1'  && vul.evidence.value == 'SHA1' }
+  //    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$multipleVulns2$1'  && vul.evidence.value == 'SHA-1' }
+  //    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$multipleVulns2$1'  && vul.evidence.value == 'MD2'}
+  //    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$multipleVulns2$1'  && vul.evidence.value == 'MD5'}
+  //    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$multipleVulns2$1'  && vul.evidence.value == 'RIPEMD128'}
+  //  }
+
+  void 'Test'() {
     given:
-    def requests = []
-    for (int i = 1; i <= 3; i++) {
-      requests.add(new Request.Builder()
-        .url("http://localhost:${httpPort}/iast/multiple_vulns/${i}?param=value${i}")
-        .get()
-        .build())
-      requests.add(new Request.Builder()
-        .url("http://localhost:${httpPort}/iast/multiple_vulns-2/${i}?param=value${i}")
-        .get()
-        .build())
-      requests.add(new Request.Builder()
-        .url("http://localhost:${httpPort}/iast/multiple_vulns/${i}")
-        .post(new FormBody.Builder().add('param', "value${i}").build())
-        .build())
-    }
-
+    def request = new Request.Builder()
+      .url("http://localhost:${httpPort}/iast/source/parameter/test?table=value1")
+      .get()
+      .build()
 
     when:
-    requests.each { req ->
-      client.newCall(req as Request).execute()
-    }
+    def response = client.newCall(request).execute()
 
-    then: 'check has route dispatched'
-    hasMeta('http.route')
-
-    then: 'check first get mapping'
-    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$multipleVulns$1' && vul.evidence.value == 'SHA1' }
-    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$multipleVulns$1'  && vul.evidence.value == 'SHA-1' }
-    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$multipleVulns$1'  && vul.evidence.value == 'MD2'}
-    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$multipleVulns$1' && vul.evidence.value == 'MD5'}
-    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$multipleVulns$1'  && vul.evidence.value == 'RIPEMD128'}
-
-    then: 'check first post mapping'
-    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$postMultipleVulns$1' && vul.evidence.value == 'SHA1' }
-    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$postMultipleVulns$1' && vul.evidence.value == 'SHA-1' }
-    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$postMultipleVulns$1' && vul.evidence.value == 'MD2'}
-    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$postMultipleVulns$1' && vul.evidence.value == 'MD5'}
-    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$postMultipleVulns$1' && vul.evidence.value == 'RIPEMD128'}
-
-    then: 'check second get mapping'
-    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$multipleVulns2$1'  && vul.evidence.value == 'SHA1' }
-    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$multipleVulns2$1'  && vul.evidence.value == 'SHA-1' }
-    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$multipleVulns2$1'  && vul.evidence.value == 'MD2'}
-    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$multipleVulns2$1'  && vul.evidence.value == 'MD5'}
-    hasVulnerability { vul -> vul.type == 'WEAK_HASH' && vul.location.method == '$anonfun$multipleVulns2$1'  && vul.evidence.value == 'RIPEMD128'}
+    then:
+    response.code() == 200
+    hasVulnerability {  it.type == 'SSRF'}
   }
 
   // Ensure to clean up server and not only the shell script that starts it