Extend support for SSRF in exploit prevention (#7376)

What Does This Do
Add SSRF exploit prevention check to HttpClientDecorator
Modify http client instrumentations that relay on CallDepthThreadLocalMap to avoid issues with blocking exception (only blocks the first time) -> Fix call depth counter for sqli blocking #7522
Add smoke tests for other libraries
Motivation
improve Exploit prevention for SSRF coverage

Author: jandro996

dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/HttpClientDecorator.java

@@ -1,17 +1,24 @@
 package datadog.trace.bootstrap.instrumentation.decorator;
 
 import static datadog.trace.api.cache.RadixTreeCache.UNSET_STATUS;
+import static datadog.trace.api.gateway.Events.EVENTS;
 import static datadog.trace.bootstrap.instrumentation.api.AgentTracer.traceConfig;
 import static datadog.trace.bootstrap.instrumentation.decorator.http.HttpResourceDecorator.HTTP_RESOURCE_DECORATOR;
 
+import datadog.appsec.api.blocking.BlockingException;
 import datadog.trace.api.Config;
 import datadog.trace.api.DDTags;
 import datadog.trace.api.InstrumenterConfig;
 import datadog.trace.api.ProductActivation;
+import datadog.trace.api.gateway.BlockResponseFunction;
+import datadog.trace.api.gateway.Flow;
+import datadog.trace.api.gateway.RequestContext;
+import datadog.trace.api.gateway.RequestContextSlot;
 import datadog.trace.api.iast.InstrumentationBridge;
 import datadog.trace.api.iast.sink.SsrfModule;
 import datadog.trace.api.naming.SpanNaming;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
+import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
 import datadog.trace.bootstrap.instrumentation.api.InternalSpanTypes;
 import datadog.trace.bootstrap.instrumentation.api.Tags;
 import datadog.trace.bootstrap.instrumentation.api.URIUtils;
@@ -21,6 +28,7 @@
 import java.util.BitSet;
 import java.util.LinkedHashMap;
 import java.util.Map;
+import java.util.function.BiFunction;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -42,6 +50,8 @@ public abstract class HttpClientDecorator<REQUEST, RESPONSE> extends UriBasedCli
 
   private static final boolean CLIENT_TAG_HEADERS = Config.get().isHttpClientTagHeaders();
 
+  private static final boolean APPSEC_RASP_ENABLED = Config.get().isAppSecRaspEnabled();
+
   protected abstract String method(REQUEST request);
 
   protected abstract URI url(REQUEST request) throws URISyntaxException;
@@ -68,9 +78,20 @@ protected boolean shouldSetResourceName() {
 
   public AgentSpan onRequest(final AgentSpan span, final REQUEST request) {
     if (request != null) {
+
       String method = method(request);
       span.setTag(Tags.HTTP_METHOD, method);
 
+      if (CLIENT_TAG_HEADERS) {
+        for (Map.Entry<String, String> headerTag :
+            traceConfig(span).getRequestHeaderTags().entrySet()) {
+          String headerValue = getRequestHeader(request, headerTag.getKey());
+          if (null != headerValue) {
+            span.setTag(headerTag.getValue(), headerValue);
+          }
+        }
+      }
+
       // Copy of HttpServerDecorator url handling
       try {
         final URI url = url(request);
@@ -86,24 +107,15 @@ public AgentSpan onRequest(final AgentSpan span, final REQUEST request) {
           if (shouldSetResourceName()) {
             HTTP_RESOURCE_DECORATOR.withClientPath(span, method, url.getPath());
           }
+          // SSRF exploit prevention check
+          onNetworkConnection(url.toString());
         } else if (shouldSetResourceName()) {
           span.setResourceName(DEFAULT_RESOURCE_NAME);
         }
       } catch (final Exception e) {
         log.debug("Error tagging url", e);
       }
-
       ssrfIastCheck(request);
-
-      if (CLIENT_TAG_HEADERS) {
-        for (Map.Entry<String, String> headerTag :
-            traceConfig(span).getRequestHeaderTags().entrySet()) {
-          String headerValue = getRequestHeader(request, headerTag.getKey());
-          if (null != headerValue) {
-            span.setTag(headerTag.getValue(), headerValue);
-          }
-        }
-      }
     }
     return span;
   }
@@ -175,6 +187,48 @@ public long getResponseContentLength(final RESPONSE response) {
     return 0;
   }
 
+  private void onNetworkConnection(final String networkConnection) {
+    if (!APPSEC_RASP_ENABLED) {
+      return;
+    }
+    if (networkConnection == null) {
+      return;
+    }
+    final BiFunction<RequestContext, String, Flow<Void>> networkConnectionCallback =
+        AgentTracer.get()
+            .getCallbackProvider(RequestContextSlot.APPSEC)
+            .getCallback(EVENTS.networkConnection());
+
+    if (networkConnectionCallback == null) {
+      return;
+    }
+
+    final AgentSpan span = AgentTracer.get().activeSpan();
+    if (span == null) {
+      return;
+    }
+
+    final RequestContext ctx = span.getRequestContext();
+    if (ctx == null) {
+      return;
+    }
+
+    Flow<Void> flow = networkConnectionCallback.apply(ctx, networkConnection);
+    Flow.Action action = flow.getAction();
+    if (action instanceof Flow.Action.RequestBlockingAction) {
+      BlockResponseFunction brf = ctx.getBlockResponseFunction();
+      if (brf != null) {
+        Flow.Action.RequestBlockingAction rba = (Flow.Action.RequestBlockingAction) action;
+        brf.tryCommitBlockingResponse(
+            ctx.getTraceSegment(),
+            rba.getStatusCode(),
+            rba.getBlockingContentType(),
+            rba.getExtraHeaders());
+      }
+      throw new BlockingException("Blocked request (for SSRF attempt)");
+    }
+  }
+
   /* This method must be overriden after making the proper propagations to the client before **/
   protected Object sourceUrl(REQUEST request) {
     return null;

dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/decorator/HttpClientDecoratorTest.groovy

@@ -1,6 +1,12 @@
 package datadog.trace.bootstrap.instrumentation.decorator
 
 import datadog.trace.api.DDTags
+import datadog.trace.api.config.AppSecConfig
+import datadog.trace.api.gateway.CallbackProvider
+import static datadog.trace.api.gateway.Events.EVENTS
+import datadog.trace.api.gateway.RequestContext
+import datadog.trace.api.gateway.RequestContextSlot
+import datadog.trace.api.internal.TraceSegment
 import datadog.trace.api.iast.InstrumentationBridge
 import datadog.trace.api.iast.sink.SsrfModule
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan
@@ -12,11 +18,39 @@ import spock.lang.Shared
 import static datadog.trace.api.config.TraceInstrumentationConfig.HTTP_CLIENT_HOST_SPLIT_BY_DOMAIN
 import static datadog.trace.api.config.TraceInstrumentationConfig.HTTP_CLIENT_TAG_QUERY_STRING
 
+import java.util.function.BiFunction
+
 class HttpClientDecoratorTest extends ClientDecoratorTest {
 
   @Shared
   def testUrl = new URI("http://myhost:123/somepath")
 
+  @Shared
+  protected static final ORIGINAL_TRACER = AgentTracer.get()
+
+  protected traceSegment
+  protected reqCtx
+  protected span2
+  protected tracer
+
+  void setup() {
+    traceSegment = Stub(TraceSegment)
+    reqCtx = Stub(RequestContext) {
+      getTraceSegment() >> traceSegment
+    }
+    span2 = Stub(AgentSpan) {
+      getRequestContext() >> reqCtx
+    }
+    tracer = Stub(AgentTracer.TracerAPI) {
+      activeSpan() >> span2
+    }
+    AgentTracer.forceRegister(tracer)
+  }
+
+  void cleanup() {
+    AgentTracer.forceRegister(ORIGINAL_TRACER)
+  }
+
   def span = Mock(AgentSpan)
 
   def "test onRequest"() {
@@ -199,6 +233,26 @@ class HttpClientDecoratorTest extends ClientDecoratorTest {
     'false' | [method: "test-method", url: testUrl, path: '/somepath']
   }
 
+  void "test SSRF Exploit prevention onResponse"(){
+    setup:
+    injectSysConfig(AppSecConfig.APPSEC_ENABLED, 'true')
+    injectSysConfig(AppSecConfig.APPSEC_RASP_ENABLED, 'true')
+
+    final callbackProvider = Mock(CallbackProvider)
+    final listener = Mock(BiFunction)
+    tracer.getCallbackProvider(RequestContextSlot.APPSEC) >> callbackProvider
+
+    final decorator = newDecorator()
+    final req = [method: "GET", url: new URI("http://localhost:1234/somepath")]
+
+    when:
+    decorator.onRequest(span2,  req)
+
+    then:
+    1 * callbackProvider.getCallback(EVENTS.networkConnection()) >> listener
+    1 * listener.apply(reqCtx, _ as String)
+  }
+
   @Override
   def newDecorator(String serviceName = "test-service") {
     return new HttpClientDecorator<Map, Map>() {

dd-java-agent/instrumentation/apache-httpclient-4/src/main/java/datadog/trace/instrumentation/apachehttpclient/ApacheHttpClientInstrumentation.java

@@ -7,6 +7,7 @@
 import static net.bytebuddy.matcher.ElementMatchers.takesArguments;
 
 import com.google.auto.service.AutoService;
+import datadog.appsec.api.blocking.BlockingException;
 import datadog.trace.agent.tooling.Instrumenter;
 import datadog.trace.agent.tooling.InstrumenterModule;
 import datadog.trace.bootstrap.instrumentation.api.AgentScope;
@@ -153,7 +154,13 @@ public void methodAdvice(MethodTransformer transformer) {
   public static class UriRequestAdvice {
     @Advice.OnMethodEnter(suppress = Throwable.class)
     public static AgentScope methodEnter(@Advice.Argument(0) final HttpUriRequest request) {
-      return HelperMethods.doMethodEnter(request);
+      try {
+        return HelperMethods.doMethodEnter(request);
+      } catch (BlockingException e) {
+        HelperMethods.onBlockingRequest();
+        // re-throw blocking exceptions
+        throw e;
+      }
     }
 
     @Advice.OnMethodExit(onThrowable = Throwable.class, suppress = Throwable.class)
@@ -176,12 +183,20 @@ public static AgentScope methodEnter(
                 typing = Assigner.Typing.DYNAMIC,
                 readOnly = false)
             Object handler) {
-      final AgentScope scope = HelperMethods.doMethodEnter(request);
-      // Wrap the handler so we capture the status code
-      if (null != scope && handler instanceof ResponseHandler) {
-        handler = new WrappingStatusSettingResponseHandler(scope.span(), (ResponseHandler) handler);
+
+      try {
+        final AgentScope scope = HelperMethods.doMethodEnter(request);
+        // Wrap the handler so we capture the status code
+        if (null != scope && handler instanceof ResponseHandler) {
+          handler =
+              new WrappingStatusSettingResponseHandler(scope.span(), (ResponseHandler) handler);
+        }
+        return scope;
+      } catch (BlockingException e) {
+        HelperMethods.onBlockingRequest();
+        // re-throw blocking exceptions
+        throw e;
       }
-      return scope;
     }
 
     @Advice.OnMethodExit(onThrowable = Throwable.class, suppress = Throwable.class)
@@ -197,10 +212,16 @@ public static class RequestAdvice {
     @Advice.OnMethodEnter(suppress = Throwable.class)
     public static AgentScope methodEnter(
         @Advice.Argument(0) final HttpHost host, @Advice.Argument(1) final HttpRequest request) {
-      if (request instanceof HttpUriRequest) {
-        return HelperMethods.doMethodEnter((HttpUriRequest) request);
-      } else {
-        return HelperMethods.doMethodEnter(host, request);
+      try {
+        if (request instanceof HttpUriRequest) {
+          return HelperMethods.doMethodEnter((HttpUriRequest) request);
+        } else {
+          return HelperMethods.doMethodEnter(host, request);
+        }
+      } catch (BlockingException e) {
+        HelperMethods.onBlockingRequest();
+        // re-throw blocking exceptions
+        throw e;
       }
     }
 
@@ -225,17 +246,24 @@ public static AgentScope methodEnter(
                 typing = Assigner.Typing.DYNAMIC,
                 readOnly = false)
             Object handler) {
-      final AgentScope scope;
-      if (request instanceof HttpUriRequest) {
-        scope = HelperMethods.doMethodEnter((HttpUriRequest) request);
-      } else {
-        scope = HelperMethods.doMethodEnter(host, request);
-      }
-      // Wrap the handler so we capture the status code
-      if (null != scope && handler instanceof ResponseHandler) {
-        handler = new WrappingStatusSettingResponseHandler(scope.span(), (ResponseHandler) handler);
+      try {
+        final AgentScope scope;
+        if (request instanceof HttpUriRequest) {
+          scope = HelperMethods.doMethodEnter((HttpUriRequest) request);
+        } else {
+          scope = HelperMethods.doMethodEnter(host, request);
+        }
+        // Wrap the handler so we capture the status code
+        if (null != scope && handler instanceof ResponseHandler) {
+          handler =
+              new WrappingStatusSettingResponseHandler(scope.span(), (ResponseHandler) handler);
+        }
+        return scope;
+      } catch (BlockingException e) {
+        HelperMethods.onBlockingRequest();
+        // re-throw blocking exceptions
+        throw e;
       }
-      return scope;
     }
 
     @Advice.OnMethodExit(onThrowable = Throwable.class, suppress = Throwable.class)

dd-java-agent/instrumentation/apache-httpclient-4/src/main/java/datadog/trace/instrumentation/apachehttpclient/HelperMethods.java

@@ -73,4 +73,8 @@ public static void doMethodExit(
       CallDepthThreadLocalMap.reset(HttpClient.class);
     }
   }
+
+  public static void onBlockingRequest() {
+    CallDepthThreadLocalMap.reset(HttpClient.class);
+  }
 }

dd-java-agent/instrumentation/apache-httpclient-5/src/main/java/datadog/trace/instrumentation/apachehttpclient5/ApacheHttpClientInstrumentation.java

@@ -7,6 +7,7 @@
 import static net.bytebuddy.matcher.ElementMatchers.takesArguments;
 
 import com.google.auto.service.AutoService;
+import datadog.appsec.api.blocking.BlockingException;
 import datadog.trace.agent.tooling.Instrumenter;
 import datadog.trace.agent.tooling.InstrumenterModule;
 import datadog.trace.bootstrap.instrumentation.api.AgentScope;
@@ -115,7 +116,13 @@ public void methodAdvice(MethodTransformer transformer) {
   public static class RequestAdvice {
     @Advice.OnMethodEnter(suppress = Throwable.class)
     public static AgentScope methodEnter(@Advice.Argument(0) final ClassicHttpRequest request) {
-      return HelperMethods.doMethodEnter(request);
+      try {
+        return HelperMethods.doMethodEnter(request);
+      } catch (BlockingException e) {
+        HelperMethods.onBlockingRequest();
+        // re-throw blocking exceptions
+        throw e;
+      }
     }
 
     @Advice.OnMethodExit(onThrowable = Throwable.class, suppress = Throwable.class)
@@ -132,7 +139,13 @@ public static class HostRequestAdvice {
     public static AgentScope methodEnter(
         @Advice.Argument(0) final HttpHost host,
         @Advice.Argument(1) final ClassicHttpRequest request) {
-      return HelperMethods.doMethodEnter(host, request);
+      try {
+        return HelperMethods.doMethodEnter(host, request);
+      } catch (BlockingException e) {
+        HelperMethods.onBlockingRequest();
+        // re-throw blocking exceptions
+        throw e;
+      }
     }
 
     @Advice.OnMethodExit(onThrowable = Throwable.class, suppress = Throwable.class)
@@ -157,14 +170,20 @@ public static AgentScope methodEnter(
                 typing = Assigner.Typing.DYNAMIC,
                 readOnly = false)
             Object handler) {
-      final AgentScope scope = HelperMethods.doMethodEnter(host, request);
-      // Wrap the handler so we capture the status code
-      if (null != scope && handler instanceof HttpClientResponseHandler) {
-        handler =
-            new WrappingStatusSettingResponseHandler(
-                scope.span(), (HttpClientResponseHandler) handler);
+      try {
+        final AgentScope scope = HelperMethods.doMethodEnter(host, request);
+        // Wrap the handler so we capture the status code
+        if (null != scope && handler instanceof HttpClientResponseHandler) {
+          handler =
+              new WrappingStatusSettingResponseHandler(
+                  scope.span(), (HttpClientResponseHandler) handler);
+        }
+        return scope;
+      } catch (BlockingException e) {
+        HelperMethods.onBlockingRequest();
+        // re-throw blocking exceptions
+        throw e;
       }
-      return scope;
     }
 
     @Advice.OnMethodExit(onThrowable = Throwable.class, suppress = Throwable.class)