Implement SSRF (#3014)

Implement SSRF

Author: estringana

appsec/src/extension/ddappsec.c

@@ -474,46 +474,41 @@ static PHP_FUNCTION(datadog_appsec_testing_request_exec)
     RETURN_TRUE;
 }
 
-static PHP_FUNCTION(datadog_appsec_push_address)
+static PHP_FUNCTION(datadog_appsec_push_addresses)
 {
     struct timespec start;
     struct timespec end;
     clock_gettime(CLOCK_MONOTONIC_RAW, &start);
     long elapsed = 0;
     UNUSED(return_value);
     if (!DDAPPSEC_G(active)) {
-        mlog(dd_log_debug, "Trying to access to push_address "
+        mlog(dd_log_debug, "Trying to access to push_addresses "
                            "function while appsec is disabled");
         return;
     }
 
-    zend_string *key = NULL;
-    zval *value = NULL;
+    zval *addresses = NULL;
     bool rasp = false;
-    if (zend_parse_parameters(ZEND_NUM_ARGS(), "Sz|b", &key, &value, &rasp) ==
+    if (zend_parse_parameters(ZEND_NUM_ARGS(), "z|b", &addresses, &rasp) ==
         FAILURE) {
         RETURN_FALSE;
     }
 
+    if (Z_TYPE_P(addresses) != IS_ARRAY) {
+        RETURN_FALSE;
+    }
+
     if (rasp && !get_global_DD_APPSEC_RASP_ENABLED()) {
         return;
     }
 
-    zval parameters_zv;
-    zend_array *parameters_arr = zend_new_array(1);
-    ZVAL_ARR(&parameters_zv, parameters_arr);
-    zend_hash_add(Z_ARRVAL(parameters_zv), key, value);
-    Z_TRY_ADDREF_P(value);
-
     dd_conn *conn = dd_helper_mgr_cur_conn();
     if (conn == NULL) {
-        zval_ptr_dtor(&parameters_zv);
-        mlog_g(dd_log_debug, "No connection; skipping push_address");
+        mlog_g(dd_log_debug, "No connection; skipping push_addresses");
         return;
     }
 
-    dd_result res = dd_request_exec(conn, &parameters_zv, rasp);
-    zval_ptr_dtor(&parameters_zv);
+    dd_result res = dd_request_exec(conn, addresses, rasp);
 
     if (rasp) {
         clock_gettime(CLOCK_MONOTONIC_RAW, &end);
@@ -549,16 +544,16 @@ ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(request_exec_arginfo, 0, 1, _IS_BOOL, 0)
 ZEND_ARG_INFO(0, "data")
 ZEND_END_ARG_INFO()
 
-ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(push_address_arginfo, 0, 0, IS_VOID, 1)
-ZEND_ARG_INFO(0, key)
-ZEND_ARG_INFO(0, value)
+ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(
+    push_addresses_arginfo, 0, 0, IS_VOID, 1)
+ZEND_ARG_INFO(0, addresses)
 ZEND_ARG_INFO(0, rasp)
 ZEND_END_ARG_INFO()
 
 // clang-format off
 static const zend_function_entry functions[] = {
     ZEND_RAW_FENTRY(DD_APPSEC_NS "is_enabled", PHP_FN(datadog_appsec_is_enabled), void_ret_bool_arginfo, 0, NULL, NULL)
-    ZEND_RAW_FENTRY(DD_APPSEC_NS "push_address", PHP_FN(datadog_appsec_push_address), push_address_arginfo, 0, NULL, NULL)
+    ZEND_RAW_FENTRY(DD_APPSEC_NS "push_addresses", PHP_FN(datadog_appsec_push_addresses), push_addresses_arginfo, 0, NULL, NULL)
     PHP_FE_END
 };
 static const zend_function_entry testing_functions[] = {

appsec/src/helper/remote_config/listeners/engine_listener.hpp

@@ -34,7 +34,7 @@ class engine_listener : public listener_base {
     [[nodiscard]] std::unordered_set<product> get_supported_products() override
     {
         return {known_products::ASM, known_products::ASM_DD,
-            known_products::ASM_DATA, known_products::ASM_RASP_LFI};
+            known_products::ASM_DATA};
     }
 
 protected:

appsec/src/helper/remote_config/product.hpp

@@ -29,8 +29,6 @@ struct known_products {
     static inline constexpr product ASM_DATA{std::string_view{"ASM_DATA"}};
     static inline constexpr product ASM_FEATURES{
         std::string_view{"ASM_FEATURES"}};
-    static inline constexpr product ASM_RASP_LFI{
-        std::string_view{"ASM_RASP_LFI"}};
     static inline constexpr product UNKNOWN{std::string_view{"UNKOWN"}};
 
     static product for_name(std::string_view name)
@@ -47,10 +45,6 @@ struct known_products {
         if (name == ASM_FEATURES.name()) {
             return ASM_FEATURES;
         }
-        if (name == ASM_RASP_LFI.name()) {
-            return ASM_RASP_LFI;
-        }
-
         return UNKNOWN;
     }
 };

appsec/tests/extension/actions_handling_01.phpt

@@ -6,7 +6,7 @@ datadog.appsec.enabled=1
 --FILE--
 <?php
 use function datadog\appsec\testing\{rinit,rshutdown};
-use function datadog\appsec\push_address;
+use function datadog\appsec\push_addresses;
 
 include __DIR__ . '/inc/mock_helper.php';
 
@@ -17,7 +17,7 @@ $helper = Helper::createInitedRun([
 ]);
 
 var_dump(rinit());
-push_address("server.request.path_params", ["some" => "params", "more" => "parameters"]);
+push_addresses(["server.request.path_params" => ["some" => "params", "more" => "parameters"]]);
 var_dump(rshutdown());
 
 var_dump($helper->get_command("request_exec"));

appsec/tests/extension/push_params_block.phpt

@@ -6,7 +6,7 @@ datadog.appsec.enabled=1
 --FILE--
 <?php
 use function datadog\appsec\testing\{rinit,rshutdown};
-use function datadog\appsec\push_address;
+use function datadog\appsec\push_addresses;
 
 include __DIR__ . '/inc/mock_helper.php';
 
@@ -16,7 +16,7 @@ $helper = Helper::createInitedRun([
 ]);
 
 rinit();
-push_address("server.request.path_params", ["some" => "params", "more" => "parameters"]);
+push_addresses(["server.request.path_params" => ["some" => "params", "more" => "parameters"]]);
 
 var_dump("THIS SHOULD NOT GET IN THE OUTPUT");
 
@@ -26,4 +26,4 @@ Status: 404 Not Found
 Content-type: application/json
 --EXPECTF--
 {"errors": [{"title": "You've been blocked", "detail": "Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}]}
-Warning: datadog\appsec\push_address(): Datadog blocked the request and presented a static error page in %s on line %d
+Warning: datadog\appsec\push_addresses(): Datadog blocked the request and presented a static error page in %s on line %d

appsec/tests/extension/push_params_block_02.phpt

@@ -6,7 +6,7 @@ datadog.appsec.enabled=1
 --FILE--
 <?php
 use function datadog\appsec\testing\{rinit,rshutdown};
-use function datadog\appsec\push_address;
+use function datadog\appsec\push_addresses;
 
 include __DIR__ . '/inc/mock_helper.php';
 
@@ -25,7 +25,7 @@ class SomeIntegration {
     private static function hooked_function()
     {
         return static function (DDTrace\HookData $hook) {
-              push_address("server.request.path_params", ["some" => "params", "more" => "parameters"]);
+              push_addresses(["server.request.path_params", ["some" => "params", "more" => "parameters"]]);
               var_dump("This should be executed");
         };
     }

appsec/tests/extension/push_params_block_03.phpt

@@ -6,7 +6,7 @@ datadog.appsec.enabled=1
 --FILE--
 <?php
 use function datadog\appsec\testing\{rinit,rshutdown};
-use function datadog\appsec\push_address;
+use function datadog\appsec\push_addresses;
 
 include __DIR__ . '/inc/mock_helper.php';
 
@@ -25,7 +25,7 @@ class SomeIntegration {
     private static function hooked_function()
     {
         return static function (DDTrace\HookData $hook) {
-              push_address("server.request.path_params", ["some" => "params", "more" => "parameters"]);
+              push_addresses(["server.request.path_params", ["some" => "params", "more" => "parameters"]]);
               var_dump("This should be executed");
         };
     }

appsec/tests/extension/push_params_ok_01.phpt

@@ -6,7 +6,7 @@ datadog.appsec.enabled=1
 --FILE--
 <?php
 use function datadog\appsec\testing\{rinit,rshutdown};
-use function datadog\appsec\push_address;
+use function datadog\appsec\push_addresses;
 
 include __DIR__ . '/inc/mock_helper.php';
 
@@ -17,7 +17,7 @@ $helper = Helper::createInitedRun([
 ]);
 
 var_dump(rinit());
-push_address("server.request.path_params", ["some" => "params", "more" => "parameters"]);
+push_addresses(["server.request.path_params" => ["some" => "params", "more" => "parameters"]]);
 var_dump(rshutdown());
 
 var_dump($helper->get_command("request_exec"));

appsec/tests/extension/push_params_ok_02.phpt

@@ -6,7 +6,7 @@ datadog.appsec.enabled=1
 --FILE--
 <?php
 use function datadog\appsec\testing\{rinit,rshutdown};
-use function datadog\appsec\push_address;
+use function datadog\appsec\push_addresses;
 
 include __DIR__ . '/inc/mock_helper.php';
 
@@ -17,7 +17,7 @@ $helper = Helper::createInitedRun([
 ]);
 
 var_dump(rinit());
-push_address("server.request.path_params", "some string");
+push_addresses(["server.request.path_params" => "some string"]);
 var_dump(rshutdown());
 
 var_dump($helper->get_command("request_exec"));

appsec/tests/extension/push_params_ok_03.phpt

@@ -6,7 +6,7 @@ datadog.appsec.enabled=1
 --FILE--
 <?php
 use function datadog\appsec\testing\{rinit,rshutdown};
-use function datadog\appsec\push_address;
+use function datadog\appsec\push_addresses;
 
 include __DIR__ . '/inc/mock_helper.php';
 
@@ -17,7 +17,7 @@ $helper = Helper::createInitedRun([
 ]);
 
 var_dump(rinit());
-push_address("server.request.path_params", 1234);
+push_addresses(["server.request.path_params" => 1234]);
 var_dump(rshutdown());
 
 var_dump($helper->get_command("request_exec"));