Collect parsed request body if RASP event

Author: jandro996

dd-java-agent/appsec/src/main/java/com/datadog/appsec/ddwaf/WAFModule.java

@@ -478,6 +478,7 @@ public void onDataAvailable(
         }
 
         if (gwCtx.isRasp) {
+          reqCtx.setRaspMatched(true);
           WafMetricCollector.get().raspRuleMatch(gwCtx.raspRuleType);
         }
 

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/AppSecRequestContext.java

@@ -129,6 +129,9 @@ public class AppSecRequestContext implements DataBundle, Closeable {
   private volatile int wafTimeouts;
   private volatile int raspTimeouts;
 
+  private volatile Object processedRequestBody;
+  private volatile boolean raspMatched;
+
   // keep a reference to the last published usr.id
   private volatile String userId;
   // keep a reference to the last published usr.login
@@ -145,7 +148,7 @@ public class AppSecRequestContext implements DataBundle, Closeable {
   private static final AtomicIntegerFieldUpdater<AppSecRequestContext> WAF_TIMEOUTS_UPDATER =
       AtomicIntegerFieldUpdater.newUpdater(AppSecRequestContext.class, "wafTimeouts");
   private static final AtomicIntegerFieldUpdater<AppSecRequestContext> RASP_TIMEOUTS_UPDATER =
-      AtomicIntegerFieldUpdater.newUpdater(AppSecRequestContext.class, "raspTimeouts");
+      AtomicIntegerFieldUpdater.newUpdater(AppSecRequestContext.class, "raspTimeouts");;
 
   // to be called by the Event Dispatcher
   public void addAll(DataBundle newData) {
@@ -675,4 +678,20 @@ public boolean isWafContextClosed() {
   void setRequestEndCalled() {
     requestEndCalled = true;
   }
+
+  public void setProcessedRequestBody(Object processedRequestBody) {
+    this.processedRequestBody = processedRequestBody;
+  }
+
+  public Object getProcessedRequestBody() {
+    return processedRequestBody;
+  }
+
+  public boolean isRaspMatched() {
+    return raspMatched;
+  }
+
+  public void setRaspMatched(boolean raspMatched) {
+    this.raspMatched = raspMatched;
+  }
 }

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java

@@ -77,6 +77,7 @@ public class GatewayBridge {
   private static final String USER_COLLECTION_MODE_TAG = "_dd.appsec.user.collection_mode";
 
   private static final Map<LoginEvent, Address<?>> EVENT_MAPPINGS = new EnumMap<>(LoginEvent.class);
+  private static final String METASTRUCT_REQUEST_BODY = "http.request.body";
 
   static {
     EVENT_MAPPINGS.put(LoginEvent.LOGIN_SUCCESS, KnownAddresses.LOGIN_SUCCESS);
@@ -572,9 +573,11 @@ private Flow<Void> onRequestBodyProcessed(RequestContext ctx_, Object obj) {
       if (subInfo == null || subInfo.isEmpty()) {
         return NoopFlow.INSTANCE;
       }
-      DataBundle bundle =
-          new SingletonDataBundle<>(
-              KnownAddresses.REQUEST_BODY_OBJECT, ObjectIntrospection.convert(obj));
+      Object converted = ObjectIntrospection.convert(obj);
+      if (Config.get().isAppSecRaspCollectRequestBody()) {
+        ctx.setProcessedRequestBody(converted);
+      }
+      DataBundle bundle = new SingletonDataBundle<>(KnownAddresses.REQUEST_BODY_OBJECT, converted);
       try {
         GatewayContext gwCtx = new GatewayContext(false);
         return producerService.publishDataEvent(subInfo, ctx, bundle, gwCtx);
@@ -720,6 +723,12 @@ private NoopFlow onRequestEnded(RequestContext ctx_, IGSpanInfo spanInfo) {
           StackUtils.addStacktraceEventsToMetaStruct(ctx_, METASTRUCT_EXPLOIT, stackTraces);
         }
 
+        // Report collected parsed request body if there is a RASP event
+        if (ctx.isRaspMatched() && ctx.getProcessedRequestBody() != null) {
+          ctx_.getOrCreateMetaStructTop(
+              METASTRUCT_REQUEST_BODY, k -> ctx.getProcessedRequestBody());
+        }
+
       } else if (hasUserInfo(traceSeg)) {
         // Report all collected request headers on user tracking event
         writeRequestHeaders(traceSeg, REQUEST_HEADERS_ALLOW_LIST, ctx.getRequestHeaders(), false);

dd-smoke-tests/appsec/springboot/src/test/groovy/datadog/smoketest/appsec/ExtendedDataCollectionSmokeTest.groovy

@@ -1,19 +1,64 @@
 package datadog.smoketest.appsec
 
 import datadog.trace.agent.test.utils.OkHttpUtils
+import okhttp3.FormBody
 import okhttp3.Request
+import spock.lang.Shared
 
 class ExtendedDataCollectionSmokeTest extends AbstractAppSecServerSmokeTest {
 
+  @Shared
+  String buildDir = new File(System.getProperty("datadog.smoketest.builddir")).absolutePath
+  @Shared
+  String customRulesPath = "${buildDir}/appsec_custom_rules.json"
+
+  def prepareCustomRules() {
+    // Prepare ruleset with additional test rules
+    mergeRules(
+      customRulesPath,
+      [
+        [
+          id          : 'rasp-932-100',  // to replace default rule
+          name        : 'Shell command injection exploit',
+          enable      : 'true',
+          tags        : [
+            type: 'command_injection',
+            category: 'vulnerability_trigger',
+            cwe: '77',
+            capec: '1000/152/248/88',
+            confidence: '0',
+            module: 'rasp'
+          ],
+          conditions  : [
+            [
+              parameters: [
+                resource: [[address: 'server.sys.shell.cmd']],
+                params  : [[address: 'server.request.body']],
+              ],
+              operator  : "shi_detector",
+            ],
+          ],
+          transformers: [],
+          on_match    : ['block']
+        ]
+      ])
+  }
+
   @Override
   ProcessBuilder createProcessBuilder() {
 
+    // We run this here to ensure it runs before starting the process. Child setupSpec runs after parent setupSpec,
+    // so it is not a valid location.
+    prepareCustomRules()
+
     String springBootShadowJar = System.getProperty("datadog.smoketest.appsec.springboot.shadowJar.path")
 
     List<String> command = new ArrayList<>()
     command.add(javaPath())
+    //command.add("-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=5005")
     command.addAll(defaultJavaProperties)
     command.addAll(defaultAppSecProperties)
+    command.add('-Ddd.appsec.rasp.collect.request.body=true')
     command.add('-Ddd.appsec.collect.all.headers=true')
     command.add('-Ddd.appsec.header.collection.redaction.enabled=false')
     command.addAll((String[]) ["-jar", springBootShadowJar, "--server.port=${httpPort}"])
@@ -146,6 +191,83 @@ class ExtendedDataCollectionSmokeTest extends AbstractAppSecServerSmokeTest {
     rootSpan.meta.get('http.response.headers.content-language') == 'en-US'
   }
 
+  void 'test request body collection if RASP event'(){
+    when:
+    String url = "http://localhost:${httpPort}/shi/cmd"
+    def formBuilder = new FormBody.Builder()
+    formBuilder.add('cmd', '$(cat /etc/passwd 1>&2 ; echo .)')
+    final body = formBuilder.build()
+    def request = new Request.Builder()
+      .url(url)
+      .post(body)
+      .build()
+    def response = client.newCall(request).execute()
+    def responseBodyStr = response.body().string()
+
+    then:
+    response.code() == 403
+    responseBodyStr.contains('You\'ve been blocked')
+
+    when:
+    waitForTraceCount(1)
+
+    then:
+    def rootSpans = this.rootSpans.toList()
+    rootSpans.size() == 1
+    def rootSpan = rootSpans[0]
+
+    def trigger = null
+    for (t in rootSpan.triggers) {
+      if (t['rule']['id'] == 'rasp-932-100') {
+        trigger = t
+        break
+      }
+    }
+    assert trigger != null, 'test trigger not found'
+
+    rootSpan.span.metaStruct != null
+    def requestBody = rootSpan.span.metaStruct.get('http.request.body')
+    assert requestBody != null, 'request body is not set'
+
+  }
+
+  void 'test request body not collected if no RASP event'(){
+    when:
+    String url = "http://localhost:${httpPort}/greeting"
+    def formBuilder = new FormBody.Builder()
+    formBuilder.add('cmd', 'test')
+    final body = formBuilder.build()
+    def request = new Request.Builder()
+      .url(url)
+      .post(body)
+      .build()
+    def response = client.newCall(request).execute()
+    def responseBodyStr = response.body().string()
+
+    then:
+    response.code() == 200
+
+    when:
+    waitForTraceCount(1)
+
+    then:
+    def rootSpans = this.rootSpans.toList()
+    rootSpans.size() == 1
+    def rootSpan = rootSpans[0]
+
+    def trigger = null
+    for (t in rootSpan.triggers) {
+      if (t['rule']['id'] == 'rasp-932-100') {
+        trigger = t
+        break
+      }
+    }
+    assert trigger == null, 'test trigger found'
+
+    rootSpan.span.metaStruct == null
+
+  }
+
 
 
 }

dd-smoke-tests/appsec/springboot/src/test/groovy/datadog/smoketest/appsec/SpringBootSmokeTest.groovy

@@ -469,6 +469,7 @@ class SpringBootSmokeTest extends AbstractAppSecServerSmokeTest {
       }
     }
     assert trigger != null, 'test trigger not found'
+    rootSpan.span.metaStruct == null
 
     where:
     variant               | _
@@ -508,6 +509,7 @@ class SpringBootSmokeTest extends AbstractAppSecServerSmokeTest {
       }
     }
     assert trigger != null, 'test trigger not found'
+    rootSpan.span.metaStruct == null
 
     where:
     variant | _
@@ -600,6 +602,7 @@ class SpringBootSmokeTest extends AbstractAppSecServerSmokeTest {
       }
     }
     assert trigger != null, 'test trigger not found'
+    rootSpan.span.metaStruct == null
 
     where:
     endpoint                    | cmd                              | params
@@ -650,6 +653,7 @@ class SpringBootSmokeTest extends AbstractAppSecServerSmokeTest {
       }
     }
     assert trigger != null, 'test trigger not found'
+    rootSpan.span.metaStruct == null
 
     where:
     endpoint           | cmd                                  | params

dd-trace-api/src/main/java/datadog/trace/api/config/AppSecConfig.java

@@ -47,6 +47,7 @@ public final class AppSecConfig {
   public static final String APPSEC_MAX_COLLECTED_HEADERS = "appsec.max.collected.headers";
   public static final String APPSEC_HEADER_COLLECTION_REDACTION_ENABLED =
       "appsec.header.collection.redaction.enabled";
+  public static final String APPSEC_RASP_COLLECT_REQUEST_BODY = "appsec.rasp.collect.request.body";
 
   private AppSecConfig() {}
 }

internal-api/src/main/java/datadog/trace/api/Config.java

@@ -295,6 +295,7 @@ public static String getHostName() {
   private final boolean appSecCollectAllHeaders;
   private final boolean appSecHeaderCollectionRedactionEnabled;
   private final int appSecMaxCollectedHeaders;
+  private final boolean appSecRaspCollectRequestBody;
   private final boolean apiSecurityEnabled;
   private final float apiSecuritySampleDelay;
   private final boolean apiSecurityEndpointCollectionEnabled;
@@ -1395,6 +1396,8 @@ PROFILING_DATADOG_PROFILER_ENABLED, isDatadogProfilerSafeInCurrentEnvironment())
     appSecMaxCollectedHeaders =
         configProvider.getInteger(
             APPSEC_MAX_COLLECTED_HEADERS, DEFAULT_APPSEC_MAX_COLLECTED_HEADERS);
+    appSecRaspCollectRequestBody =
+        configProvider.getBoolean(APPSEC_RASP_COLLECT_REQUEST_BODY, false);
     apiSecurityEnabled =
         configProvider.getBoolean(
             API_SECURITY_ENABLED, DEFAULT_API_SECURITY_ENABLED, API_SECURITY_ENABLED_EXPERIMENTAL);
@@ -4216,6 +4219,10 @@ public int getAppsecMaxCollectedHeaders() {
     return appSecMaxCollectedHeaders;
   }
 
+  public boolean isAppSecRaspCollectRequestBody() {
+    return appSecRaspCollectRequestBody;
+  }
+
   public boolean isCloudPayloadTaggingEnabledFor(String serviceName) {
     return cloudPayloadTaggingServices.contains(serviceName);
   }