Add tests for RestClient AppSec instrumentation

y9v · y9v · commit d32f93f26043 · 2025-02-24T12:33:10.000+01:00
diff --git a/Matrixfile b/Matrixfile
@@ -303,6 +303,9 @@
   'appsec:excon' => {
     'excon-latest' => '✅ 2.5 / ✅ 2.6 / ✅ 2.7 / ✅ 3.0 / ✅ 3.1 / ✅ 3.2 / ✅ 3.3 / ✅ 3.4 / ✅ jruby',
   },
+  'appsec:rest_client' => {
+    'http' => '✅ 2.5 / ✅ 2.6 / ✅ 2.7 / ✅ 3.0 / ✅ 3.1 / ✅ 3.2 / ✅ 3.3 / ✅ 3.4 / ✅ jruby',
+  },
   'di:active_record' => {
     'rails61-mysql2' => '❌ 2.5 / ✅ 2.6 / ✅ 2.7 / ✅ 3.0 / ✅ 3.1 / ✅ 3.2 / ✅ 3.3 / ✅ 3.4 / ❌ jruby',
   },
diff --git a/Rakefile b/Rakefile
@@ -286,6 +286,7 @@ namespace :spec do
       :graphql,
       :faraday,
       :excon,
+      :rest_client,
       :integration
     ]
 
@@ -314,7 +315,8 @@ namespace :spec do
       :devise,
       :graphql,
       :faraday,
-      :excon
+      :excon,
+      :rest_client
     ].each do |contrib|
       desc '' # "Explicitly hiding from `rake -T`"
       RSpec::Core::RakeTask.new(contrib) do |t, args|
diff --git a/appraisal/ruby-3.3.rb b/appraisal/ruby-3.3.rb
@@ -191,6 +191,7 @@
   gem 'devise', '~> 4.9'
   gem 'faraday', '~> 2.0'
   gem 'excon', '~> 1.2'
+  gem 'rest-client'
   gem 'rack', '~> 2'
   gem 'rack-contrib', '~> 2'
   gem 'rack-test' # Dev dependencies for testing rack-based code
diff --git a/gemfiles/ruby_3.3_rails_app.gemfile b/gemfiles/ruby_3.3_rails_app.gemfile
diff --git a/gemfiles/ruby_3.3_rails_app.gemfile.lock b/gemfiles/ruby_3.3_rails_app.gemfile.lock
diff --git a/spec/datadog/appsec/contrib/integration/rest_client_ssrf_spec.rb b/spec/datadog/appsec/contrib/integration/rest_client_ssrf_spec.rb
@@ -0,0 +1,107 @@
+# frozen_string_literal: true
+
+require 'datadog/tracing/contrib/support/spec_helper'
+require 'datadog/appsec/spec_helper'
+require 'rack/test'
+
+require 'rest_client'
+require 'datadog/tracing'
+require 'datadog/appsec'
+
+RSpec.describe 'RestClient SSRF Injection' do
+  include Rack::Test::Methods
+
+  before do
+    Datadog.configure do |c|
+      c.tracing.enabled = true
+      c.tracing.instrument :rack
+      c.tracing.instrument :http
+
+      c.appsec.enabled = true
+      c.appsec.instrument :rack
+      c.appsec.instrument :rest_client
+
+      c.appsec.ruleset = {
+        rules: [
+          {
+            id: 'rasp-934-100',
+            name: 'Server-side request forgery exploit',
+            tags: {
+              type: 'ssrf',
+              category: 'vulnerability_trigger',
+              cwe: '918',
+              capec: '1000/225/115/664',
+              confidence: '0',
+              module: 'rasp'
+            },
+            conditions: [
+              {
+                parameters: {
+                  resource: [{ address: 'server.io.net.url' }],
+                  params: [
+                    { address: 'server.request.query' },
+                  ]
+                },
+                operator: 'ssrf_detector'
+              }
+            ],
+            transformers: [],
+            on_match: ['block']
+          }
+        ]
+      }
+
+      c.remote.enabled = false
+    end
+
+    allow_any_instance_of(Datadog::Tracing::Transport::HTTP::Client).to receive(:send_request)
+
+    stub_request(:get, 'http://example.com').to_return(status: 200, body: 'OK')
+  end
+
+  after do
+    Datadog.configuration.reset!
+    Datadog.registry[:rack].reset_configuration!
+  end
+
+  let(:app) do
+    stack = Rack::Builder.new do
+      use Datadog::Tracing::Contrib::Rack::TraceMiddleware
+      use Datadog::AppSec::Contrib::Rack::RequestMiddleware
+
+      map '/ssrf' do
+        run(
+          lambda do |env|
+            request = Rack::Request.new(env)
+            response = RestClient.get("http://#{request.params['url']}")
+
+            [200, { 'Content-Type' => 'application/json' }, [response.code]]
+          end
+        )
+      end
+    end
+
+    stack.to_app
+  end
+
+  let(:http_service_entry_span) do
+    Datadog::Tracing::Transport::TraceFormatter.format!(trace)
+    spans.find { |s| s.name == 'rack.request' }
+  end
+
+  context 'when request params contain SSRF attack' do
+    before do
+      get('/ssrf', { 'url' => '169.254.169.254' }, { 'REMOTE_ADDR' => '127.0.0.1' })
+    end
+
+    it { expect(last_response).to be_forbidden }
+  end
+
+  context 'when request params do not contain SSRF attack' do
+    before do
+      get('/ssrf', { 'url' => 'example.com' }, { 'REMOTE_ADDR' => '127.0.0.1' })
+    end
+
+    it { expect(last_response).to be_ok }
+  end
+end
diff --git a/spec/datadog/appsec/contrib/rest_client/request_patch_spec.rb b/spec/datadog/appsec/contrib/rest_client/request_patch_spec.rb
@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+require 'datadog/appsec/spec_helper'
+require 'rest_client'
+
+RSpec.describe 'RestClient::Request patch for SSRF detection' do
+  let(:context) { instance_double(Datadog::AppSec::Context, run_rasp: waf_response) }
+  let(:waf_response) { instance_double(Datadog::AppSec::SecurityEngine::Result::Ok, match?: false) }
+
+  let(:request_url) { 'http://example.com/success' }
+
+  before do
+    Datadog.configure do |c|
+      c.appsec.enabled = true
+      c.appsec.instrument :rest_client
+    end
+
+    allow(Datadog::AppSec).to receive(:active_context).and_return(context)
+
+    WebMock.disable_net_connect!(allow: agent_url)
+    WebMock.enable!(allow: agent_url)
+
+    stub_request(:get, request_url).to_return(status: 200, body: 'OK')
+  end
+
+  after do
+    Datadog.configuration.reset!
+  end
+
+  context 'when RASP is disabled' do
+    before do
+      allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(false)
+    end
+
+    it 'does not call waf when making a request' do
+      expect(Datadog::AppSec.active_context).not_to receive(:run_rasp)
+
+      RestClient.get(request_url)
+    end
+  end
+
+  context 'when there is no active context' do
+    let(:context) { nil }
+
+    it 'does not call waf when making a request' do
+      expect(Datadog::AppSec.active_context).not_to receive(:run_rasp)
+
+      RestClient.get(request_url)
+    end
+  end
+
+  context 'when RASP is enabled' do
+    before do
+      allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(true)
+    end
+
+    it 'calls waf with correct arguments when making a request' do
+      expect(Datadog::AppSec.active_context).to(
+        receive(:run_rasp).with(
+          Datadog::AppSec::Ext::RASP_SSRF,
+          {},
+          { 'server.io.net.url' => 'http://example.com/success' },
+          Datadog.configuration.appsec.waf_timeout
+        )
+      )
+
+      RestClient.get(request_url)
+    end
+
+    it 'returns the http response' do
+      response = RestClient.get(request_url)
+
+      expect(response.code).to eq(200)
+      expect(response.body).to eq('OK')
+    end
+  end
+end
