[IAST] Change filtered cookie vuln hash (DataDog#6032)

daniel-romano-DD · web-flow · commit 4e08a418ad4a · 2024-09-18T11:44:02.000+02:00
## Summary of changes Update [RFC](https://docs.google.com/document/d/1LLilcVkA1godL5sXuEoMlPFTT-hEF-8f-seGnx_CIvc/edit) changes in filtered cookie calculation ## Reason for change Previous option could collide with a cookie named `Filtered` ## Implementation details Changed the hash calculation to `FILTERED_VULN` instead of `VULN:Filtered` ## Test coverage Added unit test ## Other details
diff --git a/tracer/src/Datadog.Trace/Iast/IastModule.cs b/tracer/src/Datadog.Trace/Iast/IastModule.cs
@@ -375,7 +375,7 @@ private static string BuildCommandInjectionEvidence(string file, string argument
     [MethodImpl(MethodImplOptions.AggressiveInlining)]
     internal static int GetCookieHash(string vulnerability, string cookieName, bool isFiltered)
     {
-        return (vulnerability.ToString() + ":" + (isFiltered ? "Filtered" : cookieName)).GetStaticHashCode();
+        return (isFiltered ? ("FILTERED_" + vulnerability) : (vulnerability + ":" + cookieName)).GetStaticHashCode();
     }
 
     public static IastModuleResponse OnInsecureCookie(IntegrationId integrationId, string cookieName, bool isFiltered)
diff --git a/tracer/test/Datadog.Trace.Security.Unit.Tests/IAST/HashTests.cs b/tracer/test/Datadog.Trace.Security.Unit.Tests/IAST/HashTests.cs
@@ -64,4 +64,16 @@ public void GivenAKownVulnerability_WhenCalculatedHash_ValueIsExpected(string vu
         var hashCode = vulnerability.GetHashCode();
         Assert.Equal(expectedHash, hashCode);
     }
+
+    [Theory]
+    [InlineData(VulnerabilityTypeName.InsecureCookie, "AspNetCoreRateLimit.RateLimitProcessor", false, -304624042)]
+    [InlineData(VulnerabilityTypeName.InsecureCookie, "AspNetCoreRateLimit.RateLimitProcessor", true, 990913114)]
+    [InlineData(VulnerabilityTypeName.InsecureCookie, "AspNetCore.Views_Iast_ReflectedXss+<<ExecuteAsync>b__8_1>d", true, 990913114)]
+    [InlineData(VulnerabilityTypeName.NoSameSiteCookie, "AspNetCore.Views_Iast_ReflectedXss+<<ExecuteAsync>b__8_1>d", false, 1003850134)]
+    [InlineData(VulnerabilityTypeName.NoSameSiteCookie, "AspNetCore.Views_Iast_ReflectedXss+<<ExecuteAsync>b__8_1>d", true, -636226626)]
+    [InlineData(VulnerabilityTypeName.NoSameSiteCookie, "AspNetCoreRateLimit.RateLimitProcessor", true, -636226626)]
+    public void GivenACookie_WhenCalculatedHash_ValueIsExpected(string vulnName, string cookieName, bool isFiltered, int hash)
+    {
+        IastModule.GetCookieHash(vulnName, cookieName, isFiltered).Should().Be(hash);
+    }
 }
diff --git a/tracer/test/snapshots/Iast.AspNetCore5.enableIast=True.path =_Iast_AllVulnerabilitiesCookie.verified.txt b/tracer/test/snapshots/Iast.AspNetCore5.enableIast=True.path =_Iast_AllVulnerabilitiesCookie.verified.txt
@@ -47,63 +47,63 @@
     },
     {
       "type": "NO_SAMESITE_COOKIE",
-      "hash": -1837181716,
+      "hash": -636226626,
       "evidence": {
         "value": "LongCookie.abcdefghijklmnopqrstuvwxyz0123456789.0"
       }
     },
     {
       "type": "NO_HTTPONLY_COOKIE",
-      "hash": 1990393425,
+      "hash": -60481650,
       "evidence": {
         "value": "LongCookie.abcdefghijklmnopqrstuvwxyz0123456789.0"
       }
     },
     {
       "type": "INSECURE_COOKIE",
-      "hash": 1170867602,
+      "hash": 990913114,
       "evidence": {
         "value": "LongCookie.abcdefghijklmnopqrstuvwxyz0123456789.0"
       }
     },
     {
       "type": "NO_SAMESITE_COOKIE",
-      "hash": -1837181716,
+      "hash": -636226626,
       "evidence": {
         "value": "LongCookie.abcdefghijklmnopqrstuvwxyz0123456789.1"
       }
     },
     {
       "type": "NO_HTTPONLY_COOKIE",
-      "hash": 1990393425,
+      "hash": -60481650,
       "evidence": {
         "value": "LongCookie.abcdefghijklmnopqrstuvwxyz0123456789.1"
       }
     },
     {
       "type": "INSECURE_COOKIE",
-      "hash": 1170867602,
+      "hash": 990913114,
       "evidence": {
         "value": "LongCookie.abcdefghijklmnopqrstuvwxyz0123456789.1"
       }
     },
     {
       "type": "NO_SAMESITE_COOKIE",
-      "hash": -1837181716,
+      "hash": -636226626,
       "evidence": {
         "value": "LongCookie.abcdefghijklmnopqrstuvwxyz0123456789.2"
       }
     },
     {
       "type": "NO_HTTPONLY_COOKIE",
-      "hash": 1990393425,
+      "hash": -60481650,
       "evidence": {
         "value": "LongCookie.abcdefghijklmnopqrstuvwxyz0123456789.2"
       }
     },
     {
       "type": "INSECURE_COOKIE",
-      "hash": 1170867602,
+      "hash": 990913114,
       "evidence": {
         "value": "LongCookie.abcdefghijklmnopqrstuvwxyz0123456789.2"
       }

Original file line number	Diff line number	Diff line change
`@@ -375,7 +375,7 @@ private static string BuildCommandInjectionEvidence(string file, string argument`
`375`	`375`	`[MethodImpl(MethodImplOptions.AggressiveInlining)]`
`376`	`376`	`internal static int GetCookieHash(string vulnerability, string cookieName, bool isFiltered)`
`377`	`377`	`{`
`378`		`- return (vulnerability.ToString() + ":" + (isFiltered ? "Filtered" : cookieName)).GetStaticHashCode();`
	`378`	`+ return (isFiltered ? ("FILTERED_" + vulnerability) : (vulnerability + ":" + cookieName)).GetStaticHashCode();`
`379`	`379`	`}`
`380`	`380`
`381`	`381`	`public static IastModuleResponse OnInsecureCookie(IntegrationId integrationId, string cookieName, bool isFiltered)`
Original file line number	Diff line number	Diff line change
`@@ -47,63 +47,63 @@`
`47`	`47`	`},`
`48`	`48`	`{`
`49`	`49`	`"type": "NO_SAMESITE_COOKIE",`
`50`		`- "hash": -1837181716,`
	`50`	`+ "hash": -636226626,`
`51`	`51`	`"evidence": {`
`52`	`52`	`"value": "LongCookie.abcdefghijklmnopqrstuvwxyz0123456789.0"`
`53`	`53`	`}`
`54`	`54`	`},`
`55`	`55`	`{`
`56`	`56`	`"type": "NO_HTTPONLY_COOKIE",`
`57`		`- "hash": 1990393425,`
	`57`	`+ "hash": -60481650,`
`58`	`58`	`"evidence": {`
`59`	`59`	`"value": "LongCookie.abcdefghijklmnopqrstuvwxyz0123456789.0"`
`60`	`60`	`}`
`61`	`61`	`},`
`62`	`62`	`{`
`63`	`63`	`"type": "INSECURE_COOKIE",`
`64`		`- "hash": 1170867602,`
	`64`	`+ "hash": 990913114,`
`65`	`65`	`"evidence": {`
`66`	`66`	`"value": "LongCookie.abcdefghijklmnopqrstuvwxyz0123456789.0"`
`67`	`67`	`}`
`68`	`68`	`},`
`69`	`69`	`{`
`70`	`70`	`"type": "NO_SAMESITE_COOKIE",`
`71`		`- "hash": -1837181716,`
	`71`	`+ "hash": -636226626,`
`72`	`72`	`"evidence": {`
`73`	`73`	`"value": "LongCookie.abcdefghijklmnopqrstuvwxyz0123456789.1"`
`74`	`74`	`}`
`75`	`75`	`},`
`76`	`76`	`{`
`77`	`77`	`"type": "NO_HTTPONLY_COOKIE",`
`78`		`- "hash": 1990393425,`
	`78`	`+ "hash": -60481650,`
`79`	`79`	`"evidence": {`
`80`	`80`	`"value": "LongCookie.abcdefghijklmnopqrstuvwxyz0123456789.1"`
`81`	`81`	`}`
`82`	`82`	`},`
`83`	`83`	`{`
`84`	`84`	`"type": "INSECURE_COOKIE",`
`85`		`- "hash": 1170867602,`
	`85`	`+ "hash": 990913114,`
`86`	`86`	`"evidence": {`
`87`	`87`	`"value": "LongCookie.abcdefghijklmnopqrstuvwxyz0123456789.1"`
`88`	`88`	`}`
`89`	`89`	`},`
`90`	`90`	`{`
`91`	`91`	`"type": "NO_SAMESITE_COOKIE",`
`92`		`- "hash": -1837181716,`
	`92`	`+ "hash": -636226626,`
`93`	`93`	`"evidence": {`
`94`	`94`	`"value": "LongCookie.abcdefghijklmnopqrstuvwxyz0123456789.2"`
`95`	`95`	`}`
`96`	`96`	`},`
`97`	`97`	`{`
`98`	`98`	`"type": "NO_HTTPONLY_COOKIE",`
`99`		`- "hash": 1990393425,`
	`99`	`+ "hash": -60481650,`
`100`	`100`	`"evidence": {`
`101`	`101`	`"value": "LongCookie.abcdefghijklmnopqrstuvwxyz0123456789.2"`
`102`	`102`	`}`
`103`	`103`	`},`
`104`	`104`	`{`
`105`	`105`	`"type": "INSECURE_COOKIE",`
`106`		`- "hash": 1170867602,`
	`106`	`+ "hash": 990913114,`
`107`	`107`	`"evidence": {`
`108`	`108`	`"value": "LongCookie.abcdefghijklmnopqrstuvwxyz0123456789.2"`
`109`	`109`	`}`