Rasp rule can be specified when addresses are pushed

Author: estringana

appsec/src/extension/commands/request_exec.c

@@ -8,13 +8,14 @@
 #include "../commands_helpers.h"
 #include "../logging.h"
 #include "../msgpack_helpers.h"
+#include "../ddappsec.h"
 #include <php.h>
 #include <zend_hash.h>
 #include <zend_types.h>
 
 struct ctx {
     struct req_info req_info; // dd_command_proc_resp_verd_span_data expect it
-    bool rasp;
+    dd_rasp_rule rasp_rule;
     zval *nonnull data;
 };
 
@@ -29,15 +30,15 @@ static const dd_command_spec _spec = {
     .config_features_cb = dd_command_process_config_features_unexpected,
 };
 
-dd_result dd_request_exec(dd_conn *nonnull conn, zval *nonnull data, bool rasp)
+dd_result dd_request_exec(dd_conn *nonnull conn, zval *nonnull data, unsigned rasp_rule)
 {
     if (Z_TYPE_P(data) != IS_ARRAY) {
         mlog(dd_log_debug, "Invalid data provided to command request_exec, "
                            "expected hash table.");
         return dd_error;
     }
 
-    struct ctx ctx = {.rasp = rasp, .data = data};
+    struct ctx ctx = {.rasp_rule = rasp_rule, .data = data};
 
     return dd_command_exec_req_info(conn, &_spec, &ctx.req_info);
 }
@@ -47,7 +48,7 @@ static dd_result _pack_command(mpack_writer_t *nonnull w, void *nonnull _ctx)
     assert(_ctx != NULL);
     struct ctx *ctx = _ctx;
 
-    mpack_write(w, ctx->rasp);
+    mpack_write(w, ctx->rasp_rule);
     dd_mpack_write_zval(w, ctx->data);
 
     return dd_success;

appsec/src/extension/commands/request_exec.h

@@ -9,4 +9,4 @@
 #include <SAPI.h>
 #include <php.h>
 
-dd_result dd_request_exec(dd_conn *nonnull conn, zval *nonnull data, bool rasp);
+dd_result dd_request_exec(dd_conn *nonnull conn, zval *nonnull data, unsigned rasp_rule);

appsec/src/extension/ddappsec.c

@@ -488,8 +488,8 @@ static PHP_FUNCTION(datadog_appsec_push_addresses)
     }
 
     zval *addresses = NULL;
-    bool rasp = false;
-    if (zend_parse_parameters(ZEND_NUM_ARGS(), "z|b", &addresses, &rasp) ==
+    long rasp_rule = dd_rasp_rule_none;
+    if (zend_parse_parameters(ZEND_NUM_ARGS(), "z|l", &addresses, &rasp_rule) ==
         FAILURE) {
         RETURN_FALSE;
     }
@@ -498,7 +498,12 @@ static PHP_FUNCTION(datadog_appsec_push_addresses)
         RETURN_FALSE;
     }
 
-    if (rasp && !get_global_DD_APPSEC_RASP_ENABLED()) {
+    if (rasp_rule != dd_rasp_rule_lfi && rasp_rule != dd_rasp_rule_ssrf) {
+        rasp_rule = dd_rasp_rule_none;
+    }
+
+    if (rasp_rule != dd_rasp_rule_none &&
+        !get_global_DD_APPSEC_RASP_ENABLED()) {
         return;
     }
 
@@ -508,9 +513,9 @@ static PHP_FUNCTION(datadog_appsec_push_addresses)
         return;
     }
 
-    dd_result res = dd_request_exec(conn, addresses, rasp);
+    dd_result res = dd_request_exec(conn, addresses, rasp_rule);
 
-    if (rasp) {
+    if (rasp_rule > dd_rasp_rule_none) {
         clock_gettime(CLOCK_MONOTONIC_RAW, &end);
         elapsed =
             ((int64_t)end.tv_sec - (int64_t)start.tv_sec) *
@@ -570,6 +575,16 @@ static void _register_testing_objects()
 {
     dd_phpobj_reg_funcs(functions);
 
+#    define _REG_RASP_CONST(php_name, value)                                    \
+        do {                                                                   \
+            char v[] = "datadog\\appsec\\rasp\\" php_name;       \
+            dd_phpobj_reg_long_const(                                          \
+                v, sizeof(v) - 1, value, CONST_CS | CONST_PERSISTENT);         \
+        } while (0)
+
+    _REG_RASP_CONST("LFI", dd_rasp_rule_lfi);
+    _REG_RASP_CONST("SSRF", dd_rasp_rule_ssrf);
+
     if (!get_global_DD_APPSEC_TESTING()) {
         return;
     }

appsec/src/extension/ddappsec.h

@@ -67,4 +67,10 @@ int dd_appsec_rshutdown(bool ignore_verdict);
 
 #define PHP_DDAPPSEC_EXTNAME "ddappsec"
 
+typedef enum {
+    dd_rasp_rule_none = 0,
+    dd_rasp_rule_lfi,
+    dd_rasp_rule_ssrf,
+} dd_rasp_rule;
+
 #endif // DDAPPSEC_H

appsec/tests/extension/actions_handling_01.phpt

@@ -32,7 +32,7 @@ array(2) {
   [1]=>
   array(2) {
     [0]=>
-    bool(false)
+    int(0)
     [1]=>
     array(1) {
       ["server.request.path_params"]=>

appsec/tests/extension/push_params_ok_01.phpt

@@ -32,7 +32,7 @@ array(2) {
   [1]=>
   array(2) {
     [0]=>
-    bool(false)
+    int(0)
     [1]=>
     array(1) {
       ["server.request.path_params"]=>

appsec/tests/extension/push_params_ok_02.phpt

@@ -32,7 +32,7 @@ array(2) {
   [1]=>
   array(2) {
     [0]=>
-    bool(false)
+    int(0)
     [1]=>
     array(1) {
       ["server.request.path_params"]=>

appsec/tests/extension/push_params_ok_03.phpt

@@ -32,7 +32,7 @@ array(2) {
   [1]=>
   array(2) {
     [0]=>
-    bool(false)
+    int(0)
     [1]=>
     array(1) {
       ["server.request.path_params"]=>

appsec/tests/extension/push_params_ok_04.phpt

@@ -18,8 +18,7 @@ $helper = Helper::createInitedRun([
 ]);
 
 var_dump(rinit());
-$is_rasp = true;
-push_addresses(["server.request.path_params" => 1234], $is_rasp);
+push_addresses(["server.request.path_params" => 1234], \datadog\appsec\rasp\LFI);
 var_dump(rshutdown());
 print_r(root_span_get_metrics());
 
@@ -41,7 +40,7 @@ array(2) {
   [1]=>
   array(2) {
     [0]=>
-    bool(true)
+    int(1)
     [1]=>
     array(1) {
       ["server.request.path_params"]=>

appsec/tests/extension/push_params_ok_05.phpt

@@ -18,8 +18,7 @@ $helper = Helper::createInitedRun([
 ]);
 
 var_dump(rinit());
-$is_rasp = true;
-push_addresses(["server.request.path_params" => 1234], $is_rasp);
+push_addresses(["server.request.path_params" => 1234], \datadog\appsec\rasp\LFI);
 var_dump(rshutdown());
 print_r(root_span_get_metrics());