From 4f0edf74a82be8a1ab206b57cfac1cc910464ce7 Mon Sep 17 00:00:00 2001 From: ishabi Date: Thu, 26 Dec 2024 11:04:31 +0100 Subject: [PATCH 1/5] update iast stack trace tests --- manifests/nodejs.yml | 49 +++++++++++++++++++++++++++--------- tests/appsec/iast/utils.py | 2 +- utils/scripts/load-binary.sh | 2 +- 3 files changed, 39 insertions(+), 14 deletions(-) diff --git a/manifests/nodejs.yml b/manifests/nodejs.yml index 8f48b575df..b0038f25ba 100644 --- a/manifests/nodejs.yml +++ b/manifests/nodejs.yml @@ -42,6 +42,7 @@ refs: - &ref_5_27_0 '>=5.27.0 || ^4.51.0' - &ref_5_29_0 '>=5.29.0 || ^4.53.0' # express 5 support - &ref_5_30_0 '>=5.30.0 || ^4.54.0' + - &ref_5_31_0 '>=5.31.0 || ^4.55.0' tests/: apm_tracing_e2e/: @@ -94,12 +95,16 @@ tests/: TestCodeInjection: '*': *ref_5_20_0 nextjs: missing_feature - TestCodeInjection_StackTrace: missing_feature + TestCodeInjection_StackTrace: + '*': *ref_5_31_0 + nextjs: missing_feature test_command_injection.py: TestCommandInjection: '*': *ref_3_11_0 nextjs: missing_feature - TestCommandInjection_StackTrace: missing_feature + TestCommandInjection_StackTrace: + '*': *ref_5_31_0 + nextjs: missing_feature test_hardcoded_passwords.py: Test_HardcodedPasswords: '*': *ref_5_13_0 @@ -133,7 +138,9 @@ tests/: '*': *ref_5_26_0 express5: *ref_5_29_0 # test uses querystring nextjs: missing_feature - TestHeaderInjection_StackTrace: missing_feature + TestHeaderInjection_StackTrace: + '*': *ref_5_31_0 + nextjs: missing_feature test_hsts_missing_header.py: Test_HstsMissingHeader: '*': *ref_4_8_0 @@ -154,7 +161,9 @@ tests/: TestLDAPInjection: '*': *ref_4_1_0 nextjs: missing_feature - TestLDAPInjection_StackTrace: missing_feature + TestLDAPInjection_StackTrace: + '*': *ref_5_31_0 + nextjs: missing_feature test_no_httponly_cookie.py: TestNoHttponlyCookie: '*': *ref_4_3_0 
@@ -180,7 +189,9 @@ tests/: TestPathTraversal: '*': *ref_3_19_0 nextjs: missing_feature - TestPathTraversal_StackTrace: missing_feature + TestPathTraversal_StackTrace: + '*': *ref_5_31_0 + nextjs: missing_feature test_reflection_injection.py: TestReflectionInjection: missing_feature TestReflectionInjection_StackTrace: missing_feature @@ -188,12 +199,16 @@ tests/: TestSqlInjection: '*': *ref_3_11_0 nextjs: missing_feature - TestSqlInjection_StackTrace: missing_feature + TestSqlInjection_StackTrace: + '*': *ref_5_31_0 + nextjs: missing_feature test_ssrf.py: TestSSRF: '*': *ref_4_1_0 nextjs: missing_feature - TestSSRF_StackTrace: missing_feature + TestSSRF_StackTrace: + '*': *ref_5_31_0 + nextjs: missing_feature test_template_injection.py: TestTemplateInjection: '*': *ref_5_26_0 @@ -208,11 +223,15 @@ tests/: TestUnvalidatedHeader: '*': *ref_4_3_0 nextjs: missing_feature - TestUnvalidatedHeader_StackTrace: missing_feature + TestUnvalidatedHeader_StackTrace: + '*': *ref_5_31_0 + nextjs: missing_feature TestUnvalidatedRedirect: '*': *ref_4_3_0 nextjs: missing_feature - TestUnvalidatedRedirect_StackTrace: missing_feature + TestUnvalidatedRedirect_StackTrace: + '*': *ref_5_31_0 + nextjs: missing_feature test_unvalidated_redirect_forward.py: TestUnvalidatedForward: missing_feature TestUnvalidatedForward_StackTrace: missing_feature @@ -220,7 +239,9 @@ tests/: TestWeakCipher: '*': *ref_3_6_0 nextjs: missing_feature - TestWeakCipher_StackTrace: missing_feature + TestWeakCipher_StackTrace: + '*': *ref_5_31_0 + nextjs: missing_feature test_weak_hash.py: TestDeduplication: '*': *ref_3_11_0 
@@ -228,12 +249,16 @@ tests/: TestWeakHash: '*': *ref_3_11_0 nextjs: missing_feature - TestWeakHash_StackTrace: missing_feature + TestWeakHash_StackTrace: + '*': *ref_5_31_0 + nextjs: missing_feature test_weak_randomness.py: TestWeakRandomness: '*': *ref_5_1_0 nextjs: missing_feature - TestWeakRandomness_StackTrace: missing_feature + TestWeakRandomness_StackTrace: + '*': *ref_5_31_0 + nextjs: missing_feature test_xcontent_sniffing.py: Test_XContentSniffing: '*': *ref_4_8_0 diff --git a/tests/appsec/iast/utils.py b/tests/appsec/iast/utils.py index 330205f495..0ba45724f2 100644 --- a/tests/appsec/iast/utils.py +++ b/tests/appsec/iast/utils.py @@ -233,7 +233,7 @@ def validate_stack_traces(request): and location["line"] == frame["line"] ) ) or ( - stack_trace["language"] == "python" + stack_trace["language"] in ("python", "nodejs") and (frame.get("file", "").endswith(location["path"]) and location["line"] == frame["line"]) ): locationFrame = frame diff --git a/utils/scripts/load-binary.sh b/utils/scripts/load-binary.sh index 743f23bb54..8d04335377 100755 --- a/utils/scripts/load-binary.sh +++ b/utils/scripts/load-binary.sh @@ -215,7 +215,7 @@ elif [ "$TARGET" = "agent" ]; then elif [ "$TARGET" = "nodejs" ]; then assert_version_is_dev # NPM builds the package, so we put a trigger file that tells install script to get package from github#master - echo "DataDog/dd-trace-js#master" > nodejs-load-from-npm + echo "DataDog/dd-trace-js#iast-stack-trace" > nodejs-load-from-npm elif [ "$TARGET" = "waf_rule_set_v1" ]; then exit 1 From 0303bf1d8d60d119a7c15bf95a77c721d624b9be Mon Sep 17 00:00:00 2001 From: ishabi Date: Thu, 2 Jan 2025 21:46:43 +0100 Subject: [PATCH 2/5] Fix mongodb stack trace test --- manifests/nodejs.yml | 4 +++- tests/appsec/iast/sink/test_nosql_mongodb_injection.py | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/manifests/nodejs.yml b/manifests/nodejs.yml index b0038f25ba..0d271f4801 100644 --- a/manifests/nodejs.yml 
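Review bot: The Node.js branch reuses the Python suffix match, `frame.get("file", "").endswith(location["path"])`, which accepts any frame whose file merely ends with the reported path; with a short path such as `index.js` the first frame the loop accepts can be a dependency or tracer frame that happens to share the line number, so `locationFrame` (presumably asserted further down) is set from the wrong frame and the test passes on an incorrect stack trace. Anchor the comparison on a path boundary, e.g. `frame_file = frame.get("file", "")` and `(frame_file == location["path"] or frame_file.endswith("/" + location["path"]))`, which tightens the existing Python case as well. Whether Node.js frames report `file` as a plain path or a `file://` URL is not visible here and is worth confirming against a real payload, since a URL prefix would not disturb a suffix match but would matter for the equality half. `validate_stack_traces` starts and ends outside this hunk.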
+++ b/manifests/nodejs.yml @@ -184,7 +184,9 @@ tests/: TestNoSqlMongodbInjection: '*': *ref_4_17_0 nextjs: missing_feature - TestNoSqlMongodbInjection_StackTrace: missing_feature + TestNoSqlMongodbInjection_StackTrace: + '*': *ref_5_31_0 + nextjs: missing_feature test_path_traversal.py: TestPathTraversal: '*': *ref_3_19_0 diff --git a/tests/appsec/iast/sink/test_nosql_mongodb_injection.py b/tests/appsec/iast/sink/test_nosql_mongodb_injection.py index b5c157cd63..419df3636e 100644 --- a/tests/appsec/iast/sink/test_nosql_mongodb_injection.py +++ b/tests/appsec/iast/sink/test_nosql_mongodb_injection.py @@ -41,6 +41,7 @@ def test_telemetry_metric_executed_sink(self): @rfc( "https://docs.google.com/document/d/1ga7yCKq2htgcwgQsInYZKktV0hNlv4drY9XzSxT-o5U/edit?tab=t.0#heading=h.d0f5wzmlfhat" ) +@scenarios.integrations @features.iast_stack_trace class TestNoSqlMongodbInjection_StackTrace: """Validate stack trace generation""" From 95c0120d797b1bf2dddf7216ca4ef8c9f4e1a62a Mon Sep 17 00:00:00 2001 From: ishabi Date: Tue, 14 Jan 2025 17:31:07 +0100 Subject: [PATCH 3/5] fix dd-trace-js verion --- manifests/nodejs.yml | 28 ++++++++++++++-------------- tests/appsec/iast/utils.py | 2 +- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/manifests/nodejs.yml b/manifests/nodejs.yml index b8c384e1a5..227d10584a 100644 --- a/manifests/nodejs.yml +++ b/manifests/nodejs.yml @@ -42,7 +42,7 @@ refs: - &ref_5_27_0 '>=5.27.0 || ^4.51.0' - &ref_5_29_0 '>=5.29.0 || ^4.53.0' # express 5 support - &ref_5_30_0 '>=5.30.0 || ^4.54.0' - - &ref_5_31_0 '>=5.31.0 || ^4.55.0' + - &ref_5_32_0 '>=5.32.0 || ^4.56.0' tests/: apm_tracing_e2e/: 
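Review bot: The one-line docstring `"""Validate stack trace generation"""` on the newly decorated class does not say why this test, alone among the stack-trace tests in this series, carries `@scenarios.integrations`, so someone gating it in the manifest cannot tell it will only run under that scenario. Suggest `"""Validate stack trace generation for the NoSQL (MongoDB) injection sink; runs under the integrations scenario, presumably because the sink needs the MongoDB service that the default scenario does not start."""`, with the reason confirmed against the sibling `TestNoSqlMongodbInjection` class, which sits outside this hunk. The hunk adds no import, so `scenarios` is assumed to be in scope in this module already. The class body continues past the hunk.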
@@ -96,14 +96,14 @@ tests/:
 '*': *ref_5_20_0
 nextjs: missing_feature
 TestCodeInjection_StackTrace:
- '*': *ref_5_31_0
+ '*': *ref_5_32_0
 nextjs: missing_feature
 test_command_injection.py:
 TestCommandInjection:
 '*': *ref_3_11_0
 nextjs: missing_feature
 TestCommandInjection_StackTrace:
- '*': *ref_5_31_0
+ '*': *ref_5_32_0
 nextjs: missing_feature
 test_hardcoded_passwords.py:
 Test_HardcodedPasswords:
@@ -139,7 +139,7 @@ tests/:
 express5: *ref_5_29_0 # test uses querystring
 nextjs: missing_feature
 TestHeaderInjection_StackTrace:
- '*': *ref_5_31_0
+ '*': *ref_5_32_0
 nextjs: missing_feature
 test_hsts_missing_header.py:
 Test_HstsMissingHeader:
@@ -162,7 +162,7 @@ tests/:
 '*': *ref_4_1_0
 nextjs: missing_feature
 TestLDAPInjection_StackTrace:
- '*': *ref_5_31_0
+ '*': *ref_5_32_0
 nextjs: missing_feature
 test_no_httponly_cookie.py:
 TestNoHttponlyCookie:
@@ -185,14 +185,14 @@ tests/:
 '*': *ref_4_17_0
 nextjs: missing_feature
 TestNoSqlMongodbInjection_StackTrace:
- '*': *ref_5_31_0
+ '*': *ref_5_32_0
 nextjs: missing_feature
 test_path_traversal.py:
 TestPathTraversal:
 '*': *ref_3_19_0
 nextjs: missing_feature
 TestPathTraversal_StackTrace:
- '*': *ref_5_31_0
+ '*': *ref_5_32_0
 nextjs: missing_feature
 test_reflection_injection.py:
 TestReflectionInjection: missing_feature
@@ -202,14 +202,14 @@ tests/:
 '*': *ref_3_11_0
 nextjs: missing_feature
 TestSqlInjection_StackTrace:
- '*': *ref_5_31_0
+ '*': *ref_5_32_0
 nextjs: missing_feature
 test_ssrf.py:
 TestSSRF:
 '*': *ref_4_1_0
 nextjs: missing_feature
 TestSSRF_StackTrace:
- '*': *ref_5_31_0
+ '*': *ref_5_32_0
 nextjs: missing_feature
 test_template_injection.py:
 TestTemplateInjection:
@@ -226,13 +226,13 @@ tests/:
 '*': *ref_4_3_0
 nextjs: missing_feature
 TestUnvalidatedHeader_StackTrace:
- '*': *ref_5_31_0
+ '*': *ref_5_32_0
 nextjs: missing_feature
 TestUnvalidatedRedirect:
 '*': *ref_4_3_0
 nextjs: missing_feature
 TestUnvalidatedRedirect_StackTrace:
- '*': *ref_5_31_0
+ '*': *ref_5_32_0
 nextjs: missing_feature
 test_unvalidated_redirect_forward.py:
 TestUnvalidatedForward: missing_feature
@@ -242,7 +242,7 @@ tests/:
 '*': *ref_3_6_0
 nextjs: missing_feature
 TestWeakCipher_StackTrace:
- '*': *ref_5_31_0
+ '*': *ref_5_32_0
 nextjs: missing_feature
 test_weak_hash.py:
 TestDeduplication:
@@ -252,14 +252,14 @@ tests/:
 '*': *ref_3_11_0
 nextjs: missing_feature
 TestWeakHash_StackTrace:
- '*': *ref_5_31_0
+ '*': *ref_5_32_0
 nextjs: missing_feature
 test_weak_randomness.py:
 TestWeakRandomness:
 '*': *ref_5_1_0
 nextjs: missing_feature
 TestWeakRandomness_StackTrace:
- '*': *ref_5_31_0
+ '*': *ref_5_32_0
 nextjs: missing_feature
 test_xcontent_sniffing.py:
 Test_XContentSniffing:
diff --git a/tests/appsec/iast/utils.py b/tests/appsec/iast/utils.py
index 0ba45724f2..0bf1f2b9aa 100644
--- a/tests/appsec/iast/utils.py
+++ b/tests/appsec/iast/utils.py
@@ -224,7 +224,7 @@ def validate_stack_traces(request):
 locationFrame = None
 for frame in stack_trace["frames"]:
 # We are looking for the frame that corresponds to the location of the vulnerability, we will need to update this to cover all tracers
- # currently support: Java, Python
+ # currently support: Java, Python, Node.js
 if (
 stack_trace["language"] == "java"
 and (
From c719915626444852739f98d58db6023667772af4 Mon Sep 17 00:00:00 2001
From: ishabi
Date: Wed, 15 Jan 2025 10:50:52 +0100
Subject: [PATCH 4/5] revert to master branch
---
 utils/scripts/load-binary.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utils/scripts/load-binary.sh b/utils/scripts/load-binary.sh
index acf13ad79d..e9acd68826 100755
--- a/utils/scripts/load-binary.sh
+++ b/utils/scripts/load-binary.sh
@@ -215,7 +215,7 @@ elif [ "$TARGET" = "agent" ]; then
 elif [ "$TARGET" = "nodejs" ]; then
 assert_version_is_dev
 # NPM builds the package, so we put a trigger file that tells install script to get package from github#master
- echo "DataDog/dd-trace-js#iast-stack-trace" > nodejs-load-from-npm
+ echo "DataDog/dd-trace-js#master" > nodejs-load-from-npm
 elif [ "$TARGET" = "waf_rule_set_v1" ]; then
 exit 1
From 629232149aa5eb693cd30061618899e58fb7d7cd Mon Sep 17 00:00:00 2001
From: ishabi
Date: Mon, 20 Jan 2025 13:43:20 +0100
Subject: [PATCH 5/5] Add missing iast stack trace config
---
 tests/telemetry_intake/static/config_norm_rules.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/telemetry_intake/static/config_norm_rules.json b/tests/telemetry_intake/static/config_norm_rules.json
index 2a4afb9a4e..ea117da534 100644
--- a/tests/telemetry_intake/static/config_norm_rules.json
+++ b/tests/telemetry_intake/static/config_norm_rules.json
@@ -123,7 +123,7 @@
 "DD_IAST_REDACTION_VALUE_PATTERN": "iast_redaction_value_pattern",
 "DD_IAST_REGEXP_TIMEOUT": "iast_regexp_timeout",
 "DD_IAST_REQUEST_SAMPLING": "iast_request_sampling_percentage",
- "DD_IAST_STACK_TRACE_ENABLED": "appsec_stack_trace_enabled",
+ "DD_IAST_STACK_TRACE_ENABLED": "iast_stack_trace_enabled",
 "DD_IAST_TELEMETRY_VERBOSITY": "iast_telemetry_verbosity",
 "DD_IAST_TRUNCATION_MAX_VALUE_LENGTH": "iast_truncation_max_value_length",
 "DD_IAST_VULNERABILITIES_PER_REQUEST": "iast_vulnerability_per_request",
@@ -510,6 +510,7 @@
 "iast.requestSampling": "iast_request_sampling",
 "iast.telemetryVerbosity": "iast_telemetry_verbosity",
 "iast.vulnerabilities-per-request": "iast_vulnerability_per_request",
+ "iast.stackTrace.enabled": "iast_stack_trace_enabled",
 "ignite.cache.include_keys": "ignite_cache_include_keys_enabled",
 "inferredProxyServicesEnabled": "inferred_proxy_services_enabled",
 "inject_force": "ssi_forced_injection_enabled",
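Review bot: Renaming the normalized name for `DD_IAST_STACK_TRACE_ENABLED` from `appsec_stack_trace_enabled` to `iast_stack_trace_enabled` changes what the telemetry-intake check expects from every tracer that reports this variable, not only Node.js; any tracer still reporting it under the old normalized name will start failing that check. The new name is consistent with the `iast.stackTrace.enabled` entry added below, so it looks like the intended end state, but it is worth confirming against the tracers that emit this variable before merging. Whether `appsec_stack_trace_enabled` is still referenced elsewhere in this file (for an appsec-prefixed variable, say) is not visible from the hunk.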
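Review bot: The new `"iast.stackTrace.enabled"` entry is inserted after `"iast.vulnerabilities-per-request"`, which breaks the alphabetical order the surrounding `iast.*` keys follow (`requestSampling`, `telemetryVerbosity`, `vulnerabilities-per-request`); it belongs between `"iast.requestSampling": "iast_request_sampling",` and `"iast.telemetryVerbosity": "iast_telemetry_verbosity",`. Keeping this file sorted is what makes a missing or duplicated rule easy to spot in review, which is exactly the kind of omission this commit is fixing.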