Code injection instrumented metric (#5164)

Author: IlyasShabi

packages/dd-trace/src/appsec/iast/analyzers/code-injection-analyzer.js

@@ -2,14 +2,32 @@
 
 const InjectionAnalyzer = require('./injection-analyzer')
 const { CODE_INJECTION } = require('../vulnerabilities')
+const { INSTRUMENTED_SINK } = require('../telemetry/iast-metric')
+const { storage } = require('../../../../../datadog-core')
+const { getIastContext } = require('../iast-context')
 
 class CodeInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
     super(CODE_INJECTION)
+    this.evalInstrumentedInc = false
   }
 
   onConfigure () {
-    this.addSub('datadog:eval:call', ({ script }) => this.analyze(script))
+    this.addSub('datadog:eval:call', ({ script }) => {
+      if (!this.evalInstrumentedInc) {
+        const store = storage.getStore()
+        const iastContext = getIastContext(store)
+        const tags = INSTRUMENTED_SINK.formatTags(CODE_INJECTION)
+
+        for (const tag of tags) {
+          INSTRUMENTED_SINK.inc(iastContext, tag)
+        }
+
+        this.evalInstrumentedInc = true
+      }
+
+      this.analyze(script)
+    })
     this.addSub('datadog:vm:run-script:start', ({ code }) => this.analyze(code))
     this.addSub('datadog:vm:source-text-module:start', ({ code }) => this.analyze(code))
   }

packages/dd-trace/test/appsec/iast/code_injection.integration.spec.js

@@ -1,12 +1,13 @@
 'use strict'
 
-const { createSandbox, FakeAgent, spawnProc } = require('../../../../../integration-tests/helpers')
 const getPort = require('get-port')
 const path = require('path')
 const Axios = require('axios')
+const { assert } = require('chai')
+const { createSandbox, FakeAgent, spawnProc } = require('../../../../../integration-tests/helpers')
 
 describe('IAST - code_injection - integration', () => {
-  let axios, sandbox, cwd, appPort, appFile, agent, proc
+  let axios, sandbox, cwd, appPort, agent, proc
 
   before(async function () {
     this.timeout(process.platform === 'win32' ? 90000 : 30000)
@@ -19,8 +20,6 @@ describe('IAST - code_injection - integration', () => {
 
     appPort = await getPort()
     cwd = sandbox.folder
-    appFile = path.join(cwd, 'resources', 'vm.js')
-
     axios = Axios.create({
       baseURL: `http://localhost:${appPort}`
     })
@@ -33,16 +32,6 @@ describe('IAST - code_injection - integration', () => {
 
   beforeEach(async () => {
     agent = await new FakeAgent().start()
-    proc = await spawnProc(appFile, {
-      cwd,
-      env: {
-        DD_TRACE_AGENT_PORT: agent.port,
-        APP_PORT: appPort,
-        DD_IAST_ENABLED: 'true',
-        DD_IAST_REQUEST_SAMPLING: '100'
-      },
-      execArgv: ['--experimental-vm-modules']
-    })
   })
 
   afterEach(async () => {
@@ -53,24 +42,79 @@ describe('IAST - code_injection - integration', () => {
   async function testVulnerabilityRepoting (url) {
     await axios.get(url)
 
-    return agent.assertMessageReceived(({ headers, payload }) => {
-      expect(payload[0][0].metrics['_dd.iast.enabled']).to.be.equal(1)
-      expect(payload[0][0].meta).to.have.property('_dd.iast.json')
+    let iastTelemetryReceived = false
+    const checkTelemetry = agent.assertTelemetryReceived(({ headers, payload }) => {
+      const { namespace, series } = payload.payload
+
+      if (namespace === 'iast') {
+        iastTelemetryReceived = true
+
+        const instrumentedSink = series.find(({ metric, tags, type }) => {
+          return type === 'count' &&
+            metric === 'instrumented.sink' &&
+            tags[0] === 'vulnerability_type:code_injection'
+        })
+        assert.isNotNull(instrumentedSink)
+      }
+    }, 30_000, 'generate-metrics', 2)
+
+    const checkMessages = agent.assertMessageReceived(({ headers, payload }) => {
+      assert.strictEqual(payload[0][0].metrics['_dd.iast.enabled'], 1)
+      assert.property(payload[0][0].meta, '_dd.iast.json')
       const vulnerabilitiesTrace = JSON.parse(payload[0][0].meta['_dd.iast.json'])
-      expect(vulnerabilitiesTrace).to.not.be.null
+      assert.isNotNull(vulnerabilitiesTrace)
       const vulnerabilities = new Set()
 
       vulnerabilitiesTrace.vulnerabilities.forEach(v => {
         vulnerabilities.add(v.type)
       })
 
-      expect(vulnerabilities.has('CODE_INJECTION')).to.be.true
+      assert.isTrue(vulnerabilities.has('CODE_INJECTION'))
+    })
+
+    return Promise.all([checkMessages, checkTelemetry]).then(() => {
+      assert.equal(iastTelemetryReceived, true)
+
+      return true
     })
   }
 
   describe('SourceTextModule', () => {
+    beforeEach(async () => {
+      proc = await spawnProc(path.join(cwd, 'resources', 'vm.js'), {
+        cwd,
+        env: {
+          DD_TRACE_AGENT_PORT: agent.port,
+          APP_PORT: appPort,
+          DD_IAST_ENABLED: 'true',
+          DD_IAST_REQUEST_SAMPLING: '100',
+          DD_TELEMETRY_HEARTBEAT_INTERVAL: 1
+        },
+        execArgv: ['--experimental-vm-modules']
+      })
+    })
+
     it('should report Code injection vulnerability', async () => {
       await testVulnerabilityRepoting('/vm/SourceTextModule?script=export%20const%20result%20%3D%203%3B')
     })
   })
+
+  describe('eval', () => {
+    beforeEach(async () => {
+      proc = await spawnProc(path.join(cwd, 'resources', 'eval.js'), {
+        cwd,
+        env: {
+          DD_TRACE_AGENT_PORT: agent.port,
+          APP_PORT: appPort,
+          DD_IAST_ENABLED: 'true',
+          DD_IAST_REQUEST_SAMPLING: '100',
+          DD_TELEMETRY_HEARTBEAT_INTERVAL: 1
+        }
+      })
+    })
+
+    it('should report Code injection vulnerability', async () => {
+      await testVulnerabilityRepoting('/eval?code=2%2B2')
+    })
+  })
 })

packages/dd-trace/test/appsec/iast/resources/eval-methods.js

@@ -0,0 +1,10 @@
+'use strict'
+
+module.exports = {
+  runEval: (code, result) => {
+    const script = `(${code}, result)`
+
+    // eslint-disable-next-line no-eval
+    return eval(script)
+  }
+}

packages/dd-trace/test/appsec/iast/resources/eval.js

@@ -0,0 +1,21 @@
+'use strict'
+
+const tracer = require('dd-trace')
+tracer.init({
+  flushInterval: 1
+})
+const express = require('express')
+
+const app = express()
+const port = process.env.APP_PORT || 3000
+
+app.get('/eval', async (req, res) => {
+  // eslint-disable-next-line no-eval
+  require('./eval-methods').runEval(req.query.code, 'test-result')
+
+  res.end('OK')
+})
+
+app.listen(port, () => {
+  process.send({ port })
+})

packages/dd-trace/test/appsec/rasp/command_injection.integration.spec.js

@@ -65,12 +65,12 @@ describe('RASP - command_injection - integration', () => {
 
       let appsecTelemetryReceived = false
 
-      const checkMessages = await agent.assertMessageReceived(({ headers, payload }) => {
+      const checkMessages = agent.assertMessageReceived(({ headers, payload }) => {
         assert.property(payload[0][0].meta, '_dd.appsec.json')
         assert.include(payload[0][0].meta['_dd.appsec.json'], `"rasp-command_injection-rule-id-${ruleId}"`)
       })
 
-      const checkTelemetry = await agent.assertTelemetryReceived(({ headers, payload }) => {
+      const checkTelemetry = agent.assertTelemetryReceived(({ headers, payload }) => {
         const namespace = payload.payload.namespace
 
         // Only check telemetry received in appsec namespace and ignore others
@@ -92,10 +92,11 @@ describe('RASP - command_injection - integration', () => {
         }
       }, 30_000, 'generate-metrics', 2)
 
-      const checks = await Promise.all([checkMessages, checkTelemetry])
-      assert.equal(appsecTelemetryReceived, true)
+      return Promise.all([checkMessages, checkTelemetry]).then(() => {
+        assert.equal(appsecTelemetryReceived, true)
 
-      return checks
+        return true
+      })
     }
 
     throw new Error('Request should be blocked')