From 87ea5b48a3750b5979fe188b8f0fb9c6f673d848 Mon Sep 17 00:00:00 2001
From: Igor Unanua
Date: Tue, 17 Sep 2024 14:53:22 +0200
Subject: [PATCH] New lfi test
---
 packages/datadog-instrumentations/src/fs.js | 4 +---
 .../appsec/rasp/lfi.express.plugin.spec.js | 21 +++++++++++++++++--
 2 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/packages/datadog-instrumentations/src/fs.js b/packages/datadog-instrumentations/src/fs.js
index 97d666d8ec8..bbd29fd1618 100644
--- a/packages/datadog-instrumentations/src/fs.js
+++ b/packages/datadog-instrumentations/src/fs.js
@@ -294,9 +294,7 @@ function createWrapFunction (prefix = '', override = '') {
 if (name.includes('Sync')) {
 finish(error)
 throw error
- }
-
- if (cb) {
+ } else if (cb) {
 arguments[lastIndex](error)
 return
 } else {
diff --git a/packages/dd-trace/test/appsec/rasp/lfi.express.plugin.spec.js b/packages/dd-trace/test/appsec/rasp/lfi.express.plugin.spec.js
index 3b80e17c56e..40c6a1a1b14 100644
--- a/packages/dd-trace/test/appsec/rasp/lfi.express.plugin.spec.js
+++ b/packages/dd-trace/test/appsec/rasp/lfi.express.plugin.spec.js
@@ -84,7 +84,24 @@ describe('RASP - lfi', () => {
 return checkRaspExecutedAndNotThreat(agent, false)
 })
 
- it('Should detect threat if path is absolute', async () => {
+ it('Should not detect threat using a path not present in the request', async () => {
+ app = (req, res) => {
+ try {
+ require('fs').statSync('/test.file')
+ } catch (e) {
+ if (e.message === 'DatadogRaspAbortError') {
+ res.writeHead(418)
+ }
+ }
+ res.end('end')
+ }
+
+ await axios.get('/')
+
+ return checkRaspExecutedAndNotThreat(agent)
+ })
+
+ it('Should detect threat using a sync method', async () => {
 app = (req, res) => {
 try {
 require('fs').statSync(req.query.file)
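Review bot: In the abort path of createWrapFunction, the `else if (cb)` branch calls `arguments[lastIndex](error)` on the same tick, before the wrapped call has returned, whereas fs callbacks otherwise fire asynchronously. A caller that sets up state after the call returns would therefore see a RASP-blocked request behave differently from an ordinary fs failure. Consider deferring it with `process.nextTick(arguments[lastIndex], error)`, or, if the synchronous call is deliberate, adding a comment such as `// RASP abort: the callback is invoked synchronously on purpose`. The enclosing function starts and ends outside this hunk, so whether `finish(error)` is reached through the callback cannot be confirmed from here.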
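Review bot: The new negative test ('Should not detect threat using a path not present in the request') never asserts the response, so the 418 written in its catch block is only noticed if the axios instance created outside this hunk rejects on non-2xx statuses. Capturing the response makes the expectation explicit: `const res = await axios.get('/')` followed by `assert.strictEqual(res.status, 200)`, assuming an assert helper is available in this spec. The catch also swallows every error other than DatadogRaspAbortError, which is presumably intended because '/test.file' need not exist; a one-line comment such as `// ENOENT is expected here; only a RASP abort matters` would say so. The last test touched by this hunk continues past its final line.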
@@ -99,7 +116,7 @@ describe('RASP - lfi', () => {
 return testBlockingRequest()
 })
 
- it('Should detect threat using await', async () => {
+ it('Should detect threat using async/await', async () => {
 app = async (req, res) => {
 try {
 await require('fs').stat(req.query.file)