Delay Appsec fs plugin subscription to fs:operations until the first …
…req is received
iunanua committed Sep 23, 2024
1 parent 72510cc commit 01f2a19
Showing 4 changed files with 31 additions and 8 deletions.
15 changes: 11 additions & 4 deletions packages/dd-trace/src/appsec/rasp/lfi.js
@@ -1,6 +1,6 @@
'use strict'

const { fsOperationStart } = require('../channels')
const { fsOperationStart, incomingHttpRequestStart } = require('../channels')
const { storage } = require('../../../../datadog-core')
const { enable: enableFsPlugin, disable: disableFsPlugin } = require('./fs-plugin')
const { FS_OPERATION_PATH } = require('../addresses')
@@ -13,17 +13,24 @@ let config
function enable (_config) {
config = _config

enableFsPlugin('rasp')

fsOperationStart.subscribe(analyzeLfi)
incomingHttpRequestStart.subscribe(onFirstReceivedRequest)
}

function disable () {
if (fsOperationStart.hasSubscribers) fsOperationStart.unsubscribe(analyzeLfi)
if (incomingHttpRequestStart.hasSubscribers) incomingHttpRequestStart.unsubscribe(onFirstReceivedRequest)

disableFsPlugin('rasp')
}

function onFirstReceivedRequest () {
incomingHttpRequestStart.unsubscribe(onFirstReceivedRequest)

enableFsPlugin('rasp')

fsOperationStart.subscribe(analyzeLfi)
}

function analyzeLfi (ctx) {
const store = storage.getStore()
if (!store) return
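Review bot: LFI analysis is now armed only from `onFirstReceivedRequest`, so the check never becomes active unless something publishes on `incomingHttpRequestStart`; which server integrations publish on that channel is not visible on this page, so it should be confirmed that every request entry point that can reach fs calls does. In `disable()`, `disableFsPlugin('rasp')` still runs unconditionally and can now execute without a preceding `enableFsPlugin('rasp')` when disable happens before the first request; whether fs-plugin tolerates that is not shown here. A comment above `onFirstReceivedRequest` such as `// Defer the fs plugin and the fs:operations subscription until the first incoming HTTP request` would record the intent. `analyzeLfi` continues past the end of the section.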
3 changes: 3 additions & 0 deletions packages/dd-trace/test/appsec/index.spec.js
@@ -24,6 +24,7 @@ const blockedTemplate = require('../../src/appsec/blocked_templates')
const { storage } = require('../../../datadog-core')
const telemetryMetrics = require('../../src/telemetry/metrics')
const addresses = require('../../src/appsec/addresses')
const { disable: disableLfi } = require('../../src/appsec/rasp/lfi')

const resultActions = {
block_request: {
@@ -1062,6 +1063,8 @@ describe('IP blocking', function () {
}
}))

disableLfi()

RuleManager.updateWafFromRC({ toUnapply: [], toApply: [], toModify })
})

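Review bot: The added `disableLfi()` call in the 'IP blocking' setup carries no explanation of why this suite has to tear down the LFI module by hand, and the same is true of `disableLfi()` in response_blocking.spec.js. A one-line comment such as `// lfi subscribes to incomingHttpRequestStart on enable; drop it so it does not leak into later suites` would help, if that is indeed the reason. The enclosing setup block starts outside the visible lines.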
17 changes: 15 additions & 2 deletions packages/dd-trace/test/appsec/rasp/lfi.spec.js
@@ -1,7 +1,7 @@
'use strict'

const proxyquire = require('proxyquire')
const { fsOperationStart } = require('../../../src/appsec/channels')
const { fsOperationStart, incomingHttpRequestStart } = require('../../../src/appsec/channels')
const { FS_OPERATION_PATH } = require('../../../src/appsec/addresses')

describe('RASP - lfi.js', () => {
@@ -49,6 +49,9 @@ describe('RASP - lfi.js', () => {
}
}

sinon.spy(incomingHttpRequestStart, 'subscribe')
sinon.spy(incomingHttpRequestStart, 'unsubscribe')

lfi.enable(config)
})

@@ -58,8 +61,14 @@ describe('RASP - lfi.js', () => {
})

describe('enable', () => {
it('should enable AppsecFsPlugin', () => {
it('should subscribe to first http req', () => {
sinon.assert.calledOnce(incomingHttpRequestStart.subscribe)
})

it('should enable AppsecFsPlugin after the first request', () => {
incomingHttpRequestStart.publish({})
sinon.assert.calledOnceWithExactly(appsecFsPlugin.enable, 'rasp')
sinon.assert.calledOnce(incomingHttpRequestStart.unsubscribe)
})
})

@@ -75,6 +84,10 @@ describe('RASP - lfi.js', () => {
const ctx = { path }
const req = {}

beforeEach(() => {
incomingHttpRequestStart.publish({})
})

it('should analyze lfi for root fs operations', () => {
const fs = { root: true }
datadogCore.storage.getStore.returns({ req, fs })
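Review bot: The test 'should enable AppsecFsPlugin after the first request' asserts only the state after `incomingHttpRequestStart.publish({})`, so it does not by itself show that the plugin was still off before the publish. Adding `sinon.assert.notCalled(appsecFsPlugin.enable)` ahead of the publish would pin the delay this commit introduces. No visible test covers `lfi.disable()` being called before the first request, the path on which unsubscribing `onFirstReceivedRequest` is what keeps the plugin from being enabled later.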
4 changes: 2 additions & 2 deletions packages/dd-trace/test/appsec/response_blocking.spec.js
@@ -9,7 +9,7 @@ const path = require('path')
const WafContext = require('../../src/appsec/waf/waf_context_wrapper')
const blockingResponse = JSON.parse(require('../../src/appsec/blocked_templates').json)
const fs = require('fs')
const { disable: disableFsPlugin } = require('../../src/appsec/rasp/fs-plugin')
const { disable: disableLfi } = require('../../src/appsec/rasp/lfi')

describe('HTTP Response Blocking', () => {
let server
@@ -57,7 +57,7 @@ describe('HTTP Response Blocking', () => {
}
}))

disableFsPlugin('rasp')
disableLfi()
})

beforeEach(() => {
