From a292479ab30f6474a30e221a4e5b1a495a5789f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Mazeau?=
Date: Fri, 24 May 2024 14:00:34 +0200
Subject: [PATCH] Register RC capa and check RASP enablement
---
 internal/appsec/appsec.go | 1 +
 internal/appsec/config/config.go | 22 +++++++++++++---------
 internal/appsec/remoteconfig.go | 10 ++++++++++
 internal/remoteconfig/remoteconfig.go | 2 ++
 4 files changed, 26 insertions(+), 9 deletions(-)
diff --git a/internal/appsec/appsec.go b/internal/appsec/appsec.go
index 17d7846870..77ab9db35e 100644
--- a/internal/appsec/appsec.go
+++ b/internal/appsec/appsec.go
@@ -162,6 +162,7 @@ func (a *appsec) start(telemetry *appsecTelemetry) error {
 }
 a.enableRCBlocking()
+ a.enableRASP()
 a.started = true
 log.Info("appsec: up and running")
diff --git a/internal/appsec/config/config.go b/internal/appsec/config/config.go
index d7cf538881..8dbf116928 100644
--- a/internal/appsec/config/config.go
+++ b/internal/appsec/config/config.go
@@ -11,8 +11,9 @@ import (
 "strconv"
 "time"
 
- internal "github.com/DataDog/appsec-internal-go/appsec"
+ appsecInternal "github.com/DataDog/appsec-internal-go/appsec"
+ "gopkg.in/DataDog/dd-trace-go.v1/internal"
 "gopkg.in/DataDog/dd-trace-go.v1/internal/log"
 "gopkg.in/DataDog/dd-trace-go.v1/internal/remoteconfig"
 "gopkg.in/DataDog/dd-trace-go.v1/internal/telemetry"
@@ -62,11 +63,12 @@ type Config struct {
 // AppSec trace rate limit (traces per second).
 TraceRateLimit int64
 // Obfuscator configuration
- Obfuscator internal.ObfuscatorConfig
+ Obfuscator appsecInternal.ObfuscatorConfig
 // APISec configuration
- APISec internal.APISecConfig
+ APISec appsecInternal.APISecConfig
 // RC is the remote configuration client used to receive product configuration updates. Nil if RC is disabled (default)
- RC *remoteconfig.ClientConfig
+ RC *remoteconfig.ClientConfig
+ RASP bool
 }
 
 // WithRCConfig sets the AppSec remote config client configuration to the specified cfg
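Review bot: The new `RASP bool` field in the `Config` struct hunk is the only member without a doc comment, while every neighbouring field documents what it controls and, for `RC`, its default. A reader of this struct cannot tell from here what the flag gates or where it comes from; the `NewConfig` hunk later in this patch reads it from `DD_APPSEC_RASP_ENABLED` with a default of `true`. Add `// RASP reports whether Runtime Application Self-Protection is enabled (DD_APPSEC_RASP_ENABLED, defaults to true); it gates registration of the RASP remote-config capabilities.` above the field. The struct definition starts before this hunk.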
@@ -99,7 +101,7 @@ func parseBoolEnvVar(env string) (enabled bool, set bool, err error) {
 // NewConfig returns a fresh appsec configuration read from the env
 func NewConfig() (*Config, error) {
- rules, err := internal.RulesFromEnv()
+ rules, err := appsecInternal.RulesFromEnv()
 if err != nil {
 return nil, err
 }
@@ -111,9 +113,11 @@ func NewConfig() (*Config, error) {
 return &Config{
 RulesManager: r,
- WAFTimeout: internal.WAFTimeoutFromEnv(),
- TraceRateLimit: int64(internal.RateLimitFromEnv()),
- Obfuscator: internal.NewObfuscatorConfig(),
- APISec: internal.NewAPISecConfig(),
+ WAFTimeout: appsecInternal.WAFTimeoutFromEnv(),
+ TraceRateLimit: int64(appsecInternal.RateLimitFromEnv()),
+ Obfuscator: appsecInternal.NewObfuscatorConfig(),
+ APISec: appsecInternal.NewAPISecConfig(),
+ // TODO: use appsecInternal.RASPENabled() when merged and released
+ RASP: internal.BoolEnv("DD_APPSEC_RASP_ENABLED", true),
 }, nil
 }
diff --git a/internal/appsec/remoteconfig.go b/internal/appsec/remoteconfig.go
index ecaa60a2a4..9dddf65a8d 100644
--- a/internal/appsec/remoteconfig.go
+++ b/internal/appsec/remoteconfig.go
@@ -402,6 +402,16 @@ func (a *appsec) enableRCBlocking() {
 }
 }
+func (a *appsec) enableRASP() {
+ if !a.cfg.RASP {
+ return
+ }
+ if err := remoteconfig.RegisterCapability(remoteconfig.ASMRASPSSRF); err != nil {
+ log.Debug("appsec: Remote config: couldn't register RASP SSRF: %v", err)
+ }
+ // TODO: register other RASP capabilities when supported
+}
+
 
 func (a *appsec) disableRCBlocking() {
 if a.cfg.RC == nil {
 return
diff --git a/internal/remoteconfig/remoteconfig.go b/internal/remoteconfig/remoteconfig.go
index 5c8f026392..86b8f69231 100644
--- a/internal/remoteconfig/remoteconfig.go
+++ b/internal/remoteconfig/remoteconfig.go
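Review bot: The TODO comment added above the `RASP:` initializer in the `NewConfig` hunk misspells the planned helper as `RASPENabled()`; write `// TODO: use appsecInternal.RASPEnabled() when merged and released` so a later search for the real name finds it. This file already has `parseBoolEnvVar`, visible in the preceding hunk header, which reports whether the variable was set and returns a parse error, whereas `internal.BoolEnv` is a different helper whose handling of a malformed value such as `DD_APPSEC_RASP_ENABLED=flase` is not visible here. Confirm it logs rather than silently keeping the default, because an operator's attempt to toggle a protection feature being ignored without a trace is the kind of misconfiguration that goes unnoticed; if it does not, parsing through `parseBoolEnvVar` and logging the error would keep this option consistent with the rest of the file.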
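Review bot: `enableRASP` registers the `ASMRASPSSRF` capability whenever `a.cfg.RASP` is set, but unlike `disableRCBlocking` directly below it never checks `a.cfg.RC == nil`, which the `Config` doc in this patch says is the default when remote config is disabled; if `RegisterCapability` errors in that case the debug line fires on every start, so guard with `if a.cfg.RC == nil || !a.cfg.RASP {`. There is also no `disableRASP` counterpart to `disableRCBlocking`, so the capability presumably stays advertised after AppSec is stopped; if the remoteconfig package offers an unregister call, mirror it there. A registration failure means the RASP product will not receive remote updates, which is a silent loss of protection, so consider logging it above debug level, matching whatever `enableRCBlocking` (whose body is outside this hunk) uses for its own registrations.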
@@ -70,6 +70,8 @@ const (
 APMTracingHTTPHeaderTags
 // APMTracingCustomTags enables APM client to set custom tags on all spans
 APMTracingCustomTags
+ // ASMRASPSSRF enables ASM support for runtime protection against SSRF attacks
+ ASMRASPSSRF = 23
 )
 
 // Additional capability bit index values that are non-consecutive from above.
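Review bot: `ASMRASPSSRF = 23` is written with an explicit literal inside a `const (` block whose visible neighbours (`APMTracingHTTPHeaderTags`, `APMTracingCustomTags`) take implicit values, and the comment right after the block says non-consecutive bit indices belong in the separate list below. Two consequences follow from the explicit literal: the constant becomes an untyped integer constant rather than taking whatever type the block's first entry declares (if it declares one), and any entry appended after it without its own `=` would silently repeat `23` instead of continuing the sequence. Move the declaration into the "Additional capability bit index values that are non-consecutive from above" block and give it the block's capability type explicitly, e.g. `ASMRASPSSRF <CAPABILITY_TYPE> = 23` with the type name this file uses. The const block starts before this hunk.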