[asm] IAST security controls #5117

iunanua · 2025-01-16T08:19:56Z

What does this PR do?

IAST security controls implementation

ST DataDog/system-tests#3872

APPSEC-56286

Motivation

Plugin Checklist

Additional Notes

github-actions · 2025-01-16T08:20:45Z

Overall package size

Self size: 8.68 MB
Deduped: 94.95 MB
No deduping: 95.46 MB

Dependency sizes

| name | version | self size | total size | |------|---------|-----------|------------| | @datadog/libdatadog | 0.4.0 | 29.44 MB | 29.44 MB | | @datadog/native-appsec | 8.4.0 | 19.25 MB | 19.26 MB | | @datadog/native-iast-taint-tracking | 3.3.0 | 13.77 MB | 13.78 MB | | @datadog/pprof | 5.5.1 | 9.79 MB | 10.17 MB | | protobufjs | 7.2.5 | 2.77 MB | 5.16 MB | | @datadog/native-iast-rewriter | 2.8.0 | 2.6 MB | 2.74 MB | | @opentelemetry/core | 1.14.0 | 872.87 kB | 1.47 MB | | @datadog/native-metrics | 3.1.0 | 1.06 MB | 1.46 MB | | @opentelemetry/api | 1.8.0 | 1.21 MB | 1.21 MB | | import-in-the-middle | 1.11.2 | 112.74 kB | 826.22 kB | | source-map | 0.7.4 | 226 kB | 226 kB | | opentracing | 0.14.7 | 194.81 kB | 194.81 kB | | lru-cache | 7.18.3 | 133.92 kB | 133.92 kB | | pprof-format | 2.1.0 | 111.69 kB | 111.69 kB | | @datadog/sketches-js | 2.1.0 | 109.9 kB | 109.9 kB | | semver | 7.6.3 | 95.82 kB | 95.82 kB | | lodash.sortby | 4.7.0 | 75.76 kB | 75.76 kB | | ignore | 5.3.1 | 51.46 kB | 51.46 kB | | shell-quote | 1.8.1 | 44.96 kB | 44.96 kB | | istanbul-lib-coverage | 3.2.0 | 29.34 kB | 29.34 kB | | rfdc | 1.3.1 | 25.21 kB | 25.21 kB | | @isaacs/ttlcache | 1.4.1 | 25.2 kB | 25.2 kB | | tlhunter-sorted-set | 0.1.0 | 24.94 kB | 24.94 kB | | limiter | 1.1.5 | 23.17 kB | 23.17 kB | | dc-polyfill | 0.1.4 | 23.1 kB | 23.1 kB | | retry | 0.13.1 | 18.85 kB | 18.85 kB | | jest-docblock | 29.7.0 | 8.99 kB | 12.76 kB | | crypto-randomuuid | 1.0.0 | 11.18 kB | 11.18 kB | | ttl-set | 1.0.0 | 4.61 kB | 9.69 kB | | path-to-regexp | 0.1.12 | 6.6 kB | 6.6 kB | | koalas | 1.0.2 | 6.47 kB | 6.47 kB | | module-details-from-path | 1.0.3 | 4.47 kB | 4.47 kB |

_{🤖 This report was automatically generated by heaviest-objects-in-the-universe}

pr-commenter · 2025-01-16T08:31:17Z

Benchmarks

Benchmark execution time: 2025-02-05 10:00:14

Comparing candidate commit 6dc2181 in PR branch igor/iast-security-controls with baseline commit 3b782cd in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 908 metrics, 25 unstable metrics.

…ginManager in the tests

codecov · 2025-01-16T10:32:41Z

Codecov Report

Attention: Patch coverage is 94.41624% with 11 lines in your changes missing coverage. Please review.

Project coverage is 81.26%. Comparing base (3b782cd) to head (3a37485).
Report is 2 commits behind head on master.

Files with missing lines	Patch %	Lines
...d-trace/src/appsec/iast/security-controls/index.js	92.13%	7 Missing ⚠️
...-trace/src/appsec/iast/security-controls/parser.js	93.33%	3 Missing ⚠️
...iast/analyzers/nosql-injection-mongodb-analyzer.js	88.88%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #5117      +/-   ##
==========================================
+ Coverage   81.16%   81.26%   +0.09%     
==========================================
  Files         482      487       +5     
  Lines       21522    21695     +173     
==========================================
+ Hits        17468    17630     +162     
- Misses       4054     4065      +11

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

packages/dd-trace/src/appsec/iast/security-controls/parser.js

packages/dd-trace/src/appsec/iast/security-controls/index.js

packages/dd-trace/src/appsec/iast/utils.js

packages/dd-trace/test/appsec/iast/analyzers/command-injection-analyzer.spec.js

…-analyzer.spec.js Co-authored-by: ishabi <[email protected]>

uurien · 2025-01-29T16:24:32Z

integration-tests/appsec/iast.esm-security-controls.spec.js

+  })
+  const nodeOptions = '--import dd-trace/initialize.mjs'
+
+  describe('with --import', () => {


Is this with --import relevant? nodeOptions is defined as const out of the describe

uurien · 2025-01-29T16:25:45Z

integration-tests/appsec/iast.esm-security-controls.spec.js

+      await agent.stop()
+    })
+
+    it('test endpoint with iv not configured have COMMAND_INJECTION vulnerability', async function () {


what is "iv"?

input validator

uurien · 2025-01-29T16:30:05Z

...sec/iast/security-controls/resources/node_modules/anotherlib/node_modules/sanitizer/index.js

could we have problems if we have a directory called node_modules? can we modify it to something like test_node_modules that we will rename when we copy that to the temp dir?

they are not copied, just required with a relative path in the test...

uurien · 2025-01-29T16:33:11Z

integration-tests/appsec/iast.esm-security-controls.spec.js

+      }, null, 1, true)
+    })
+
+    it('test endpoint with default sanitizer do not have COMMAND_INJECTION vulnerability', async () => {


I miss a test checking that the usage of the input of the sanitizer is considered vulnerable:

const untrustedData = req.query.command const safeData = sanitize(untrustedData) exec(untrustedData) // this is vulnerable exec(safeData) // this is not vulnerable

Co-authored-by: Ilyas Shabi <[email protected]>

datadog-datadog-prod-us1 · 2025-02-03T10:54:16Z

Datadog Report

Branch report: igor/iast-security-controls
Commit report: 88c7801
Test service: dd-trace-js-integration-tests

✅ 0 Failed, 619 Passed, 0 Skipped, 15m 42.23s Total Time

uurien · 2025-02-04T14:18:38Z

packages/dd-trace/src/appsec/iast/security-controls/parser.js

+    .map(param => {
+      let parsedParam = parseInt(param, 10)
+
+      // TODO: should we discard the whole securityControl??


I agree, if a string is set in a numeric column, there is a syntax error at least in that line, we should ignore the line or the security control. I think that it is not necessary to ignore all the security controls.

done! test included

iunanua added 7 commits January 10, 2025 17:43

Security controls parser and secure marks for vulnerabilities

d5a52ea

Use new NOSQL_MONGODB_INJECTION_MARK in nosql-injection-mongodb-analyzer

c4c398c

Config

9a1229c

first hooks

dce2f18

wrap object properties and more tests

ac1d502

Use dd-trace:moduleLoad(Start|End) channels

4cc7895

iterate object strings and more tests

6fe83f6

iunanua added semver-minor asm-iast labels Jan 16, 2025

fix parameter index, include createNewTainted flag and do not use Plu…

4e4d69e

…ginManager in the tests

iunanua added 17 commits January 16, 2025 11:41

Fix parameter index and include a test with incorrect index

90b9ff8

Avoid to hook multiple times the same module and config tests

2d86aee

sql_injection_mark test

5ed8aa2

vulnerable ranges tests

57548b0

fix windows paths

610e216

Merge branch 'master' into igor/iast-security-controls

ca0bbe5

Upgrade taint-tracking to 3.3.0

b4a217e

Fix * secure mark

0b0c292

add createNewTainted flag to addSecureMark

af61bf9

Use existing _isRangeSecure

fb1de25

supressed vulnerabilities metric

384d526

increment supressed vulnerability metric

fce89df

typo

c324c58

handle esm default export and filenames starting with file://

767d2db

esm integration tests

082ac75

clean up

4b948ad

secure-marks tests

d9c1393

iunanua added 3 commits January 27, 2025 13:45

move _isRangeSecure to InjectionAnalyzer

1e83152

Add programatically config option

9ebe9d8

index.d.ts

0ffe2bf

iunanua marked this pull request as ready for review January 27, 2025 13:48

iunanua requested review from a team as code owners January 27, 2025 13:49

iunanua added 2 commits January 27, 2025 14:50

Merge branch 'master' into igor/iast-security-controls

5de1eec

StoredInjectionAnalyzer

e8f623f