Merge branch 'main' into juanjux/python-fastapi-header-injection

DataDog · Jan 7, 2025 · a4d713c · a4d713c
2 parents 0be13be + 0cb45f6
commit a4d713c
Show file tree

Hide file tree

Showing 19 changed files with 727 additions and 102 deletions.
diff --git a/docs/lib-injection/docker_ssi_lib_injections_folders.png b/docs/lib-injection/docker_ssi_lib_injections_folders.png
diff --git a/docs/scenarios/docker_ssi.md b/docs/scenarios/docker_ssi.md
diff --git a/docs/scenarios/parametric.md b/docs/scenarios/parametric.md
@@ -243,7 +243,7 @@ The http server implementations for each tracer can be found at the following lo
 
 ![image](https://github.com/user-attachments/assets/fc144fc1-95aa-4d50-97c5-cda8fdbcefef)
 
-<img width="869" alt="image" src="https://user-images.githubusercontent.com/6321485/182887064-e241d65c-5e29-451b-a8a8-e8d18328c083.png">
+![image](https://github.com/user-attachments/assets/bb577aa2-b373-4468-b383-8394507309cc)
 
 [1]: https://github.com/DataDog/dd-trace-cpp
 [2]: https://docs.pytest.org/en/6.2.x/usage.html#specifying-tests-selecting-tests

diff --git a/manifests/java.yml b/manifests/java.yml
@@ -1030,24 +1030,78 @@ tests/:
       Test_V2_Login_Events_Anon: irrelevant (v1.38.0, replaced by V3)
       Test_V2_Login_Events_RC: irrelevant (v1.38.0, replaced by V3)
       Test_V3_Auto_User_Instrum_Mode_Capability:
-        '*': missing_feature
-        spring-boot-3-native: flaky (APMAPI-979)
+        '*': v1.45.0
+        spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
       Test_V3_Login_Events:
-        '*': missing_feature
+        '*': v1.45.0
+        akka-http: missing_feature (login endpoints not implemented)
+        jersey-grizzly2: missing_feature (login endpoints not implemented)
+        play: missing_feature (login endpoints not implemented)
+        ratpack: missing_feature (login endpoints not implemented)
+        resteasy-netty3: missing_feature (login endpoints not implemented)
         spring-boot-3-native: flaky (APMAPI-979)
+        spring-boot-openliberty: missing_feature (weblog returns error 500)
+        vertx3: missing_feature (login endpoints not implemented)
+        vertx4: missing_feature (login endpoints not implemented)
       Test_V3_Login_Events_Anon:
-        '*': missing_feature
+        '*': v1.45.0
+        akka-http: missing_feature (login endpoints not implemented)
+        jersey-grizzly2: missing_feature (login endpoints not implemented)
+        play: missing_feature (login endpoints not implemented)
+        ratpack: missing_feature (login endpoints not implemented)
+        resteasy-netty3: missing_feature (login endpoints not implemented)
         spring-boot-3-native: flaky (APMAPI-979)
+        spring-boot-openliberty: missing_feature (weblog returns error 500)
+        vertx3: missing_feature (login endpoints not implemented)
+        vertx4: missing_feature (login endpoints not implemented)
       Test_V3_Login_Events_Blocking:
-        '*': missing_feature
+        '*': v1.45.0
+        akka-http: missing_feature (login endpoints not implemented)
+        jersey-grizzly2: missing_feature (login endpoints not implemented)
+        play: missing_feature (login endpoints not implemented)
+        ratpack: missing_feature (login endpoints not implemented)
+        resteasy-netty3: missing_feature (login endpoints not implemented)
         spring-boot-3-native: flaky (APMAPI-979)
+        spring-boot-openliberty: missing_feature (weblog returns error 500)
+        spring-boot-payara: bug (APPSEC-54985)
+        vertx3: missing_feature (login endpoints not implemented)
+        vertx4: missing_feature (login endpoints not implemented)
       Test_V3_Login_Events_RC:
-        '*': missing_feature
+        '*': v1.45.0
+        akka-http: missing_feature (login endpoints not implemented)
+        jersey-grizzly2: missing_feature (login endpoints not implemented)
+        play: missing_feature (login endpoints not implemented)
+        ratpack: missing_feature (login endpoints not implemented)
+        resteasy-netty3: missing_feature (login endpoints not implemented)
         spring-boot-3-native: flaky (APMAPI-979)
+        spring-boot-openliberty: missing_feature (weblog returns error 500)
+        vertx3: missing_feature (login endpoints not implemented)
+        vertx4: missing_feature (login endpoints not implemented)
     test_automated_user_and_session_tracking.py:
       Test_Automated_Session_Blocking: missing_feature
-      Test_Automated_User_Blocking: missing_feature
-      Test_Automated_User_Tracking: missing_feature
+      Test_Automated_User_Blocking:
+        '*': v1.45.0
+        akka-http: missing_feature (login endpoints not implemented)
+        jersey-grizzly2: missing_feature (login endpoints not implemented)
+        play: missing_feature (login endpoints not implemented)
+        ratpack: missing_feature (login endpoints not implemented)
+        resteasy-netty3: missing_feature (login endpoints not implemented)
+        spring-boot-3-native: flaky (APMAPI-979)
+        spring-boot-openliberty: missing_feature (weblog returns error 500)
+        spring-boot-payara: bug (APPSEC-54985)
+        vertx3: missing_feature (login endpoints not implemented)
+        vertx4: missing_feature (login endpoints not implemented)
+      Test_Automated_User_Tracking:
+        '*': v1.45.0
+        akka-http: missing_feature (login endpoints not implemented)
+        jersey-grizzly2: missing_feature (login endpoints not implemented)
+        play: missing_feature (login endpoints not implemented)
+        ratpack: missing_feature (login endpoints not implemented)
+        resteasy-netty3: missing_feature (login endpoints not implemented)
+        spring-boot-3-native: flaky (APMAPI-979)
+        spring-boot-openliberty: missing_feature (weblog returns error 500)
+        vertx3: missing_feature (login endpoints not implemented)
+        vertx4: missing_feature (login endpoints not implemented)
     test_blocking_addresses.py:
       Test_BlockingGraphqlResolvers: missing_feature
       Test_Blocking_client_ip:

diff --git a/manifests/nodejs.yml b/manifests/nodejs.yml
@@ -341,14 +341,8 @@ tests/:
           express5: *ref_5_29_0
           nextjs: missing_feature
         Test_Lfi_Rules_Version: *ref_5_26_0
-        Test_Lfi_StackTrace:
-          '*': *ref_5_24_0
-          express5: *ref_5_29_0 # test uses express blocking
-          nextjs: missing_feature
-        Test_Lfi_Telemetry:
-          '*': *ref_5_24_0
-          express5: *ref_5_29_0 # test uses express blocking
-          nextjs: missing_feature
+        Test_Lfi_StackTrace: *ref_5_24_0
+        Test_Lfi_Telemetry: *ref_5_24_0
         Test_Lfi_UrlQuery:
           '*': *ref_5_24_0
           express5: *ref_5_29_0
@@ -368,17 +362,9 @@ tests/:
         Test_Shi_Mandatory_SpanTags: *ref_5_25_0
         Test_Shi_Optional_SpanTags: *ref_5_25_0
         Test_Shi_Rules_Version: *ref_5_24_0
-        Test_Shi_StackTrace:
-          '*': *ref_5_25_0
-          express5: *ref_5_29_0 # test uses express blocking
-          nextjs: missing_feature
-        Test_Shi_Telemetry:
-          '*': *ref_5_25_0
-          express5: *ref_5_29_0 # test uses express blocking
-          nextjs: missing_feature
-        Test_Shi_Telemetry_Variant_Tag:
-          '*': *ref_5_30_0
-          nextjs: missing_feature
+        Test_Shi_StackTrace: *ref_5_25_0
+        Test_Shi_Telemetry: *ref_5_25_0
+        Test_Shi_Telemetry_Variant_Tag: *ref_5_30_0
         Test_Shi_UrlQuery:
           '*': *ref_5_25_0
           express5: *ref_5_29_0
@@ -398,14 +384,8 @@ tests/:
         Test_Sqli_Mandatory_SpanTags: *ref_5_23_0
         Test_Sqli_Optional_SpanTags: *ref_5_23_0
         Test_Sqli_Rules_Version: *ref_5_25_0
-        Test_Sqli_StackTrace:
-          '*': *ref_5_23_0
-          express5: *ref_5_29_0 # test uses express blocking
-          nextjs: missing_feature
-        Test_Sqli_Telemetry:
-          '*': *ref_5_23_0
-          express5: *ref_5_29_0 # test uses express blocking
-          nextjs: missing_feature
+        Test_Sqli_StackTrace: *ref_5_23_0
+        Test_Sqli_Telemetry: *ref_5_23_0
         Test_Sqli_UrlQuery:
           '*': *ref_5_23_0
           express5: *ref_5_29_0
@@ -426,11 +406,9 @@ tests/:
         Test_Ssrf_StackTrace:
           '*': *ref_5_20_0
           express5: *ref_5_29_0 # test uses querystring
-          nextjs: missing_feature
         Test_Ssrf_Telemetry:
           '*': *ref_5_22_0
           express5: *ref_5_29_0 # test uses querystring
-          nextjs: missing_feature
         Test_Ssrf_UrlQuery:
           '*': *ref_5_20_0
           express5: *ref_5_29_0

diff --git a/tests/appsec/rasp/test_lfi.py b/tests/appsec/rasp/test_lfi.py
@@ -145,7 +145,6 @@ def setup_lfi_stack_trace(self):
         self.r = weblog.get("/rasp/lfi", params={"file": "../etc/passwd"})
 
     def test_lfi_stack_trace(self):
-        assert self.r.status_code == 403
         validate_stack_traces(self.r)
 
 
@@ -159,8 +158,6 @@ def setup_lfi_telemetry(self):
         self.r = weblog.get("/rasp/lfi", params={"file": "../etc/passwd"})
 
     def test_lfi_telemetry(self):
-        assert self.r.status_code == 403
-
         series_eval = find_series(True, "appsec", "rasp.rule.eval")
         assert series_eval
         assert any(validate_metric("rasp.rule.eval", "lfi", s) for s in series_eval), [

diff --git a/tests/appsec/rasp/test_shi.py b/tests/appsec/rasp/test_shi.py
@@ -152,7 +152,6 @@ def setup_shi_stack_trace(self):
         self.r = weblog.get("/rasp/shi", params={"list_dir": "$(cat /etc/passwd 1>&2 ; echo .)"})
 
     def test_shi_stack_trace(self):
-        assert self.r.status_code == 403
         validate_stack_traces(self.r)
 
 
@@ -166,8 +165,6 @@ def setup_shi_telemetry(self):
         self.r = weblog.get("/rasp/shi", params={"list_dir": "$(cat /etc/passwd 1>&2 ; echo .)"})
 
     def test_shi_telemetry(self):
-        assert self.r.status_code == 403
-
         series_eval = find_series(True, "appsec", "rasp.rule.eval")
         assert series_eval
         assert any(validate_metric("rasp.rule.eval", "command_injection", s) for s in series_eval), [
@@ -191,8 +188,6 @@ def setup_shi_telemetry(self):
         self.r = weblog.get("/rasp/shi", params={"list_dir": "$(cat /etc/passwd 1>&2 ; echo .)"})
 
     def test_shi_telemetry(self):
-        assert self.r.status_code == 403
-
         series_eval = find_series(True, "appsec", "rasp.rule.eval")
         assert series_eval
         assert any(validate_metric_variant("rasp.rule.eval", "command_injection", "shell", s) for s in series_eval), [

diff --git a/tests/appsec/rasp/test_sqli.py b/tests/appsec/rasp/test_sqli.py
@@ -147,7 +147,6 @@ def setup_sqli_stack_trace(self):
         self.r = weblog.get("/rasp/sqli", params={"user_id": "' OR 1 = 1 --"})
 
     def test_sqli_stack_trace(self):
-        assert self.r.status_code == 403
         validate_stack_traces(self.r)
 
 
@@ -161,8 +160,6 @@ def setup_sqli_telemetry(self):
         self.r = weblog.get("/rasp/sqli", params={"user_id": "' OR 1 = 1 --"})
 
     def test_sqli_telemetry(self):
-        assert self.r.status_code == 403
-
         series_eval = find_series(True, "appsec", "rasp.rule.eval")
         assert series_eval
         assert any(validate_metric("rasp.rule.eval", "sql_injection", s) for s in series_eval), [

diff --git a/tests/appsec/rasp/test_ssrf.py b/tests/appsec/rasp/test_ssrf.py
@@ -179,7 +179,6 @@ def setup_ssrf_stack_trace(self):
         self.r = weblog.get("/rasp/ssrf", params={"domain": "169.254.169.254"})
 
     def test_ssrf_stack_trace(self):
-        assert self.r.status_code == 403
         validate_stack_traces(self.r)
 
 
@@ -193,8 +192,6 @@ def setup_ssrf_telemetry(self):
         self.r = weblog.get("/rasp/ssrf", params={"domain": "169.254.169.254"})
 
     def test_ssrf_telemetry(self):
-        assert self.r.status_code == 403
-
         series_eval = find_series(True, "appsec", "rasp.rule.eval")
         assert series_eval
         assert any(validate_metric("rasp.rule.eval", "ssrf", s) for s in series_eval), [

diff --git a/tests/appsec/test_automated_login_events.py b/tests/appsec/test_automated_login_events.py
@@ -1221,9 +1221,9 @@ def validate_iden(meta):
         self._assert_response(self.tests[2], validate_anon)
 
 
-libs_without_user_id = []
-libs_without_user_exist = ["nodejs"]
-libs_without_user_id_on_failure = ["nodejs"]
+libs_without_user_id = ["java"]
+libs_without_user_exist = ["nodejs", "java"]
+libs_without_user_id_on_failure = ["nodejs", "java"]
 
 
 @rfc("https://docs.google.com/document/d/1RT38U6dTTcB-8muiYV4-aVDCsT_XrliyakjtAPyjUpw")
@@ -1932,8 +1932,9 @@ def test_login_event_blocking_auto_id(self):
 
         assert self.config_state_2[rc.RC_STATE] == rc.ApplyState.ACKNOWLEDGED
         assert self.config_state_3[rc.RC_STATE] == rc.ApplyState.ACKNOWLEDGED
-        interfaces.library.assert_waf_attack(self.r_login_blocked, rule="block-user-id")
-        assert self.r_login_blocked.status_code == 403
+        if context.library not in libs_without_user_id:
+            interfaces.library.assert_waf_attack(self.r_login_blocked, rule="block-user-id")
+            assert self.r_login_blocked.status_code == 403
 
     def setup_login_event_blocking_auto_login(self):
         rc.rc_state.reset().apply()

diff --git a/tests/appsec/test_automated_user_and_session_tracking.py b/tests/appsec/test_automated_user_and_session_tracking.py
@@ -29,6 +29,8 @@
 UUID_USER = "testuuid"
 PASSWORD = "1234"
 
+libs_without_user_id = ["java"]
+
 
 def login_data(context, user, password):
     """In Rails the parameters are group by scope. In the case of the test the scope is user.
@@ -55,8 +57,13 @@ def test_user_tracking_auto(self):
         assert self.r_home.status_code == 200
         for _, _, span in interfaces.library.get_spans(request=self.r_home):
             meta = span.get("meta", {})
-            assert meta["usr.id"] == "social-security-id"
-            assert meta["_dd.appsec.usr.id"] == "social-security-id"
+            if context.library in libs_without_user_id:
+                assert meta["usr.id"] == USER
+                assert meta["_dd.appsec.usr.id"] == USER
+            else:
+                assert meta["usr.id"] == "social-security-id"
+                assert meta["_dd.appsec.usr.id"] == "social-security-id"
+
             assert meta["_dd.appsec.user.collection_mode"] == "identification"
 
     def setup_user_tracking_sdk_overwrite(self):
@@ -69,7 +76,11 @@ def test_user_tracking_sdk_overwrite(self):
         for _, _, span in interfaces.library.get_spans(request=self.r_login):
             meta = span.get("meta", {})
             assert meta["usr.id"] == "sdkUser"
-            assert meta["_dd.appsec.usr.id"] == "social-security-id"
+            if context.library in libs_without_user_id:
+                assert meta["_dd.appsec.usr.id"] == USER
+            else:
+                assert meta["_dd.appsec.usr.id"] == "social-security-id"
+
             assert meta["_dd.appsec.user.collection_mode"] == "sdk"
 
 
@@ -108,7 +119,11 @@ def test_user_tracking_sdk_overwrite(self):
             {
                 "id": "blocked_users",
                 "type": "data_with_expiration",
-                "data": [{"value": "social-security-id", "expiration": 0}, {"value": "sdkUser", "expiration": 0}],
+                "data": [
+                    {"value": "test", "expiration": 0},
+                    {"value": "social-security-id", "expiration": 0},
+                    {"value": "sdkUser", "expiration": 0},
+                ],
             },
         ],
     },

diff --git a/...va/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/WebSecurityConfig.java b/...va/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/WebSecurityConfig.java
@@ -2,6 +2,7 @@
 
 import com.datadoghq.system_tests.springboot.security.AppSecAuthenticationFilter;
 import com.datadoghq.system_tests.springboot.security.AppSecAuthenticationProvider;
+import com.datadoghq.system_tests.springboot.security.AppSecUserDetailsManager;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpStatus;
@@ -12,6 +13,7 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.provisioning.UserDetailsManager;
 import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 
@@ -25,7 +27,12 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter{
 
     @Bean
     public AuthenticationManager authenticationManager() throws Exception {
-        return new ProviderManager(new AppSecAuthenticationProvider());
+        return new ProviderManager(new AppSecAuthenticationProvider(userDetailsManager()));
+    }
+
+    @Bean
+    public UserDetailsManager userDetailsManager() {
+        return new AppSecUserDetailsManager();
     }
 
     @Override

diff --git a/.../main/java/com/datadoghq/system_tests/springboot/security/AppSecAuthenticationFilter.java b/.../main/java/com/datadoghq/system_tests/springboot/security/AppSecAuthenticationFilter.java
@@ -53,9 +53,9 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
         if (sdkEvent != null) {
             String sdkUser = request.getParameter("sdk_user");
             boolean sdkUserExists = Boolean.parseBoolean(request.getParameter("sdk_user_exists"));
-            authentication = new AppSecSdkToken(username, password, sdkEvent, sdkUser, sdkUserExists);
+            authentication = new AppSecToken(username, password, sdkEvent, sdkUser, sdkUserExists);
         } else {
-            authentication = new AppSecSdkToken(username, password);
+            authentication = new AppSecToken(username, password);
         }
         return this.getAuthenticationManager().authenticate(authentication);
     }