From 0b71a3e68bd6bc48a52b9fd99d586b89999dcd36 Mon Sep 17 00:00:00 2001
From: NachoEchevarria
Date: Wed, 29 May 2024 17:09:21 +0200
Subject: [PATCH] Populate ddbb before test
---
 .../RASP/AspNetCore2Rasp.cs | 3 ++-
 .../RASP/AspNetCore5Rasp.cs | 3 ++-
 .../RASP/AspNetMvc5Rasp.cs | 4 ++++
 ..._body={-UserName-- -' or '1'='1-}.verified.txt | 2 +-
 ..._body={-UserName-- -' or '1'='1-}.verified.txt | 2 +-
 ..._body={-UserName-- -' or '1'='1-}.verified.txt | 2 +-
 ..._body={-UserName-- -' or '1'='1-}.verified.txt | 2 +-
 ..._body={-UserName-- -' or '1'='1-}.verified.txt | 2 +-
 ..._body={-UserName-- -' or '1'='1-}.verified.txt | 2 +-
 ..._body={-UserName-- -' or '1'='1-}.verified.txt | 2 +-
 ..._body={-UserName-- -' or '2'='2-}.verified.txt | 1 +
 ..._body={-UserName-- -' or '1'='1-}.verified.txt | 2 +-
 .../Controllers/IastController.cs | 15 +++++++++++++++
 .../Controllers/IastController.cs | 14 ++++++++++++++
 14 files changed, 46 insertions(+), 10 deletions(-)
 create mode 100644 tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '2'='2-}.verified.txt
diff --git a/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetCore2Rasp.cs b/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetCore2Rasp.cs
index 3c6ff4970296..affd6e56017b 100644
--- a/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetCore2Rasp.cs
+++ b/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetCore2Rasp.cs
@@ -102,8 +102,9 @@ public async Task TestRaspRequestBody(string url, string exploit, string body =
 IncludeAllHttpSpans = true;
 await TryStartApp();
 var agent = Fixture.Agent;
+ _ = await SendRequestsAsync(agent, "/Iast/PopulateDDBB", null, 1, 1, string.Empty, "application/json", null);
 var spans = await SendRequestsAsync(agent, url, body, 1, 1, string.Empty, "application/json", null);
- var spansFiltered = spans.Where(x => x.Type == SpanTypes.Web).ToList();
+ var spansFiltered = spans.Where(x => x.Type == SpanTypes.Web && !x.Resource.Contains("/Iast/PopulateDDBB")).ToList();
 var settings = VerifyHelper.GetSpanVerifierSettings();
 settings.UseParameters(url, exploit, body);
 settings.AddIastScrubbing();
diff --git a/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetCore5Rasp.cs b/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetCore5Rasp.cs
index 784dfbf6724f..2b5474cf93f8 100644
--- a/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetCore5Rasp.cs
+++ b/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetCore5Rasp.cs
@@ -103,8 +103,9 @@ public async Task TestRaspRequestBody(string url, string exploit, string body =
 IncludeAllHttpSpans = true;
 await TryStartApp();
 var agent = Fixture.Agent;
+ _ = await SendRequestsAsync(agent, "/Iast/PopulateDDBB", null, 1, 1, string.Empty, "application/json", null);
 var spans = await SendRequestsAsync(agent, url, body, 1, 1, string.Empty, "application/json", null);
- var spansFiltered = spans.Where(x => x.Type == SpanTypes.Web).ToList();
+ var spansFiltered = spans.Where(x => x.Type == SpanTypes.Web && !x.Resource.Contains("/Iast/PopulateDDBB")).ToList();
 var settings = VerifyHelper.GetSpanVerifierSettings();
 settings.UseParameters(url, exploit, body);
 settings.AddIastScrubbing();
diff --git a/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetMvc5Rasp.cs b/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetMvc5Rasp.cs
index b560ad994a8e..2345f84c6daf 100644
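Review bot: The outcome of the added `/Iast/PopulateDDBB` warm-up request is thrown away (`_ = await SendRequestsAsync(...)`), so if the sample app fails to create the database the test only fails later as an opaque snapshot mismatch; keep the returned spans and assert on them (at least that one web span came back and, presumably via the span's error flag, that it is not an error) so a setup failure is reported at the setup line. The same applies to the identical hunk in AspNetCore5Rasp.cs. The path literal `"/Iast/PopulateDDBB"` is now repeated in the request and in the filter; a `private const string PopulateDbPath = "/Iast/PopulateDDBB";` on the class keeps the two in sync. `TestRaspRequestBody` starts and ends outside the hunk.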
--- a/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetMvc5Rasp.cs
+++ b/tracer/test/Datadog.Trace.Security.IntegrationTests/RASP/AspNetMvc5Rasp.cs
@@ -116,6 +116,10 @@ public async Task TestRaspRequestBody(string url, string exploit, string body =
 settings.UseParameters(url, exploit, body);
 settings.AddIastScrubbing();
 var dateTime = DateTime.UtcNow;
+ var answer = await SubmitRequest("/Iast/PopulateDDBB", null, string.Empty);
+ _iisFixture.Agent.SpanFilters.Add(s => !s.Resource.Contains("/Iast/PopulateDDBB"));
+ agent.WaitForSpans(2, minDateTime: dateTime);
+ dateTime = DateTime.UtcNow;
 var testName = _enableIast ? "RaspIast.AspNetMvc5" : "Rasp.AspNetMvc5";
 testName += _classicMode ? ".Classic" : ".Integrated";
 await SubmitRequest(url, body, "application/json");
diff --git a/tracer/test/snapshots/Rasp.AspNetCore2.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt b/tracer/test/snapshots/Rasp.AspNetCore2.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
index 2b28a8a70fef..3fc7548e6298 100644
--- a/tracer/test/snapshots/Rasp.AspNetCore2.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
+++ b/tracer/test/snapshots/Rasp.AspNetCore2.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
@@ -56,7 +56,7 @@
 _dd.appsec.enabled: 1.0,
 _dd.appsec.rasp.duration: 0.0,
 _dd.appsec.rasp.duration_ext: 0.0,
- _dd.appsec.rasp.rule.eval: 17.0,
+ _dd.appsec.rasp.rule.eval: 1.0,
 _dd.appsec.waf.duration: 0.0,
 _dd.appsec.waf.duration_ext: 0.0,
 _dd.top_level: 1.0,
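Review bot: The span filter on `_iisFixture.Agent.SpanFilters` is registered only after `SubmitRequest("/Iast/PopulateDDBB", ...)` has returned, so spans the app flushes before the `Add` call are presumably received unfiltered; moving the `SpanFilters.Add` line above the `SubmitRequest` removes that ordering dependency. Since `_iisFixture` looks shared across this theory's cases, each case also appends another copy of the same filter and the exclusion persists for later tests in the class — registering it once in the fixture setup would avoid both. `var answer` is never read: the controller returns `"OK"` on success and (in the MVC5 sample) the formatted exception with a 200 on failure, so asserting `answer` equals `"OK"` is the only way this test detects a failed database setup. `TestRaspRequestBody` starts and ends outside the hunk.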
diff --git a/tracer/test/snapshots/Rasp.AspNetCore5.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt b/tracer/test/snapshots/Rasp.AspNetCore5.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
index 76219d22d35c..0ce0ce6a3d73 100644
--- a/tracer/test/snapshots/Rasp.AspNetCore5.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
+++ b/tracer/test/snapshots/Rasp.AspNetCore5.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
@@ -57,7 +57,7 @@
 _dd.appsec.enabled: 1.0,
 _dd.appsec.rasp.duration: 0.0,
 _dd.appsec.rasp.duration_ext: 0.0,
- _dd.appsec.rasp.rule.eval: 17.0,
+ _dd.appsec.rasp.rule.eval: 1.0,
 _dd.appsec.waf.duration: 0.0,
 _dd.appsec.waf.duration_ext: 0.0,
 _dd.top_level: 1.0,
diff --git a/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt b/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
index 1ca74f6b89cd..b4c35f141348 100644
--- a/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
+++ b/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
@@ -33,7 +33,7 @@
 _dd.appsec.enabled: 1.0,
 _dd.appsec.rasp.duration: 0.0,
 _dd.appsec.rasp.duration_ext: 0.0,
- _dd.appsec.rasp.rule.eval: 17.0,
+ _dd.appsec.rasp.rule.eval: 1.0,
 _dd.appsec.waf.duration: 0.0,
 _dd.appsec.waf.duration_ext: 0.0,
 _dd.top_level: 1.0,
diff --git a/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt b/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
index eefa28c702d8..9383641d6dbc 100644
--- a/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
+++ b/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
@@ -34,7 +34,7 @@
 _dd.appsec.enabled: 1.0,
 _dd.appsec.rasp.duration: 0.0,
 _dd.appsec.rasp.duration_ext: 0.0,
- _dd.appsec.rasp.rule.eval: 17.0,
+ _dd.appsec.rasp.rule.eval: 1.0,
 _dd.appsec.waf.duration: 0.0,
 _dd.appsec.waf.duration_ext: 0.0,
 _dd.top_level: 1.0,
diff --git a/tracer/test/snapshots/RaspIast.AspNetCore2.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt b/tracer/test/snapshots/RaspIast.AspNetCore2.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
index 8a83e21db600..2ee2a76126ae 100644
--- a/tracer/test/snapshots/RaspIast.AspNetCore2.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
+++ b/tracer/test/snapshots/RaspIast.AspNetCore2.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
@@ -92,7 +92,7 @@
 _dd.appsec.enabled: 1.0,
 _dd.appsec.rasp.duration: 0.0,
 _dd.appsec.rasp.duration_ext: 0.0,
- _dd.appsec.rasp.rule.eval: 17.0,
+ _dd.appsec.rasp.rule.eval: 1.0,
 _dd.appsec.waf.duration: 0.0,
 _dd.appsec.waf.duration_ext: 0.0,
 _dd.top_level: 1.0,
diff --git a/tracer/test/snapshots/RaspIast.AspNetCore5.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt b/tracer/test/snapshots/RaspIast.AspNetCore5.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
index fcefe3038b40..0a663082ce70 100644
--- a/tracer/test/snapshots/RaspIast.AspNetCore5.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
+++ b/tracer/test/snapshots/RaspIast.AspNetCore5.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
@@ -93,7 +93,7 @@
 _dd.appsec.enabled: 1.0,
 _dd.appsec.rasp.duration: 0.0,
 _dd.appsec.rasp.duration_ext: 0.0,
- _dd.appsec.rasp.rule.eval: 17.0,
+ _dd.appsec.rasp.rule.eval: 1.0,
 _dd.appsec.waf.duration: 0.0,
 _dd.appsec.waf.duration_ext: 0.0,
 _dd.top_level: 1.0,
diff --git a/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
index b4fadadbc91b..4e42140420da 100644
--- a/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
+++ b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
@@ -69,7 +69,7 @@
 _dd.appsec.enabled: 1.0,
 _dd.appsec.rasp.duration: 0.0,
 _dd.appsec.rasp.duration_ext: 0.0,
- _dd.appsec.rasp.rule.eval: 17.0,
+ _dd.appsec.rasp.rule.eval: 1.0,
 _dd.appsec.waf.duration: 0.0,
 _dd.appsec.waf.duration_ext: 0.0,
 _dd.top_level: 1.0,
diff --git a/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '2'='2-}.verified.txt b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '2'='2-}.verified.txt
new file mode 100644
index 000000000000..5f282702bb03
--- /dev/null
+++ b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '2'='2-}.verified.txt
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt b/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
index 028652e780ff..b9cae822b336 100644
--- a/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
+++ b/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
@@ -82,7 +82,7 @@
 _dd.appsec.enabled: 1.0,
 _dd.appsec.rasp.duration: 0.0,
 _dd.appsec.rasp.duration_ext: 0.0,
- _dd.appsec.rasp.rule.eval: 17.0,
+ _dd.appsec.rasp.rule.eval: 1.0,
 _dd.appsec.waf.duration: 0.0,
 _dd.appsec.waf.duration_ext: 0.0,
 _dd.top_level: 1.0,
diff --git a/tracer/test/test-applications/security/Samples.Security.AspNetCore5/Controllers/IastController.cs b/tracer/test/test-applications/security/Samples.Security.AspNetCore5/Controllers/IastController.cs
index b9a006a46cfe..f633b6dc3e23 100644
--- a/tracer/test/test-applications/security/Samples.Security.AspNetCore5/Controllers/IastController.cs
+++ b/tracer/test/test-applications/security/Samples.Security.AspNetCore5/Controllers/IastController.cs
@@ -115,6 +115,21 @@ public IActionResult WeakHashing(int delay1 = 0, int delay2 = 0)
 #pragma warning restore SYSLIB0021 // Type or member is obsolete
 }
 
+ [HttpGet("PopulateDDBB")]
+ [Route("PopulateDDBB")]
+ public IActionResult PopulateDDBB()
+ {
+ try
+ {
+ dbConnection ??= IastControllerHelper.CreateDatabase();
+ return Content("OK");
+ }
+ catch (SQLiteException ex)
+ {
+ return StatusCode(500, IastControllerHelper.ToFormattedString(ex));
+ }
+ }
+
 [HttpGet("SqlQuery")]
 [Route("SqlQuery")]
 public IActionResult SqlQuery(string username, string query)
diff --git a/tracer/test/test-applications/security/aspnet/Samples.Security.AspNetMvc5/Controllers/IastController.cs b/tracer/test/test-applications/security/aspnet/Samples.Security.AspNetMvc5/Controllers/IastController.cs
index e628db251437..8afdc29d1a2d 100644
--- a/tracer/test/test-applications/security/aspnet/Samples.Security.AspNetMvc5/Controllers/IastController.cs
+++ b/tracer/test/test-applications/security/aspnet/Samples.Security.AspNetMvc5/Controllers/IastController.cs
@@ -70,6 +70,20 @@ public ActionResult WeakHashing(int delay1 = 0, int delay2 = 0)
 #pragma warning restore SYSLIB0021 // Type or member is obsolete
 }
 
+ [Route("PopulateDDBB")]
+ public ActionResult PopulateDDBB()
+ {
+ try
+ {
+ dbConnection = dbConnection ?? IastControllerHelper.CreateDatabase();
+ return Content("OK");
+ }
+ catch (SQLiteException ex)
+ {
+ return Content(IastControllerHelper.ToFormattedString(ex));
+ }
+ }
+
 [Route("SqlQuery")]
 public ActionResult SqlQuery(string username, string query)
 {
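Review bot: The new `PopulateDDBB` action carries no doc comment saying why database creation is exposed as its own endpoint; a summary such as `/// Creates the SQLite test database up front so the first instrumented query of a test is the one under test and not the schema-setup statements.` would spare the next reader the archaeology (the snapshot hunks in this patch dropping `_dd.appsec.rasp.rule.eval` from 17.0 to 1.0 suggest that is the motive, but the hunk itself does not say). The same comment is missing on the AspNetMvc5 controller's copy of the action. `dbConnection ??= IastControllerHelper.CreateDatabase();` is a read-then-write on what is presumably a static field (a per-request instance field would not carry over to the next request); two overlapping calls would each create a database and leak one connection, which is acceptable for a single-threaded test driver but deserves a one-line comment stating that assumption. The enclosing `WeakHashing` method, of which only the closing lines are shown, starts outside the hunk.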
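Review bot: On `SQLiteException` this version answers with the formatted error and an HTTP 200 via `Content(...)`, whereas the AspNetCore5 counterpart in this same patch returns `StatusCode(500, ...)`; a caller that only checks the status code therefore cannot tell a failed database setup from success on the MVC5 sample. Signal the failure with a 500 here as well, e.g. `return new HttpStatusCodeResult(500, IastControllerHelper.ToFormattedString(ex));`, keeping the two sample controllers interchangeable for the integration tests. The enclosing `WeakHashing` method, of which only the closing lines are shown, starts outside the hunk.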