datadog 2.7.1 → 2.17.0

data/lib/datadog/appsec/assets/waf_rules/README.md

@@ -1,7 +1,52 @@
-Vendored WAF rules originate from https://github.com/datadog/appsec-event-rules
+AppSec WAF rules based on [appsec-event-rules](https://github.com/datadog/appsec-event-rules) builds
 
-One should check rule compatibility with libddwaf, which is the end consumer of
-these rules.
+## How to update
 
-There might be rules that look to be irrelevant to Ruby as they may still help
-identify bad actors.
+> [!WARNING]
+> This process is a temporary workaround to maintain compatibility with the existing code structure and will be changed.
+
+1. Download `recommended.json` and `strict.json` of the desired version from [appsec-event-rules](https://github.com/datadog/appsec-event-rules) (example: [v1.13.3](https://github.com/DataDog/appsec-event-rules/tree/1.13.3/build))
+2. Run the script below inside `waf_rules` folder to extract scanners and processors into separate files
+
+    ```ruby
+    require 'json'
+
+    recommended_rules = JSON.parse(File.read(File.expand_path('recommended.json', __dir__)))
+    strict_rules = JSON.parse(File.read(File.expand_path('strict.json', __dir__)))
+
+    recommended_processors = recommended_rules.delete('processors')
+    strict_processors = strict_rules.delete('processors')
+
+    if recommended_processors.sort_by { |processor| processor['id'] } !=
+        strict_processors.sort_by { |processor| processor['id'] }
+      raise 'Processors are not the same, unable to extract them'
+    end
+
+    puts 'Extracting processors...'
+    File.open(File.expand_path('processors.json', __dir__), 'wb') do |file|
+      file.write(JSON.pretty_generate(recommended_processors))
+    end
+
+    recommended_scanners = recommended_rules.delete('scanners')
+    strict_scanners = strict_rules.delete('scanners')
+
+    if recommended_scanners.sort_by { |processor| processor['id'] } !=
+        strict_scanners.sort_by { |processor| processor['id'] }
+      raise 'Scanners are not the same, unable to extract them'
+    end
+
+    puts 'Extracting scanners...'
+    File.open(File.expand_path('scanners.json', __dir__), 'wb') do |file|
+      file.write(JSON.pretty_generate(recommended_scanners))
+    end
+
+    puts 'Updating rules...'
+
+    File.open(File.expand_path('recommended.json', __dir__), 'wb') do |file|
+      file.write(JSON.pretty_generate(recommended_rules))
+    end
+
+    File.open(File.expand_path('strict.json', __dir__), 'wb') do |file|
+      file.write(JSON.pretty_generate(strict_rules))
+    end
+    ```

data/lib/datadog/appsec/assets/waf_rules/processors.json

@@ -1,6 +1,57 @@
 [
   {
-    "id": "processor-001",
+    "id": "http-endpoint-fingerprint",
+    "generator": "http_endpoint_fingerprint",
+    "conditions": [
+      {
+        "operator": "exists",
+        "parameters": {
+          "inputs": [
+            {
+              "address": "waf.context.event"
+            },
+            {
+              "address": "server.business_logic.users.login.failure"
+            },
+            {
+              "address": "server.business_logic.users.login.success"
+            }
+          ]
+        }
+      }
+    ],
+    "parameters": {
+      "mappings": [
+        {
+          "method": [
+            {
+              "address": "server.request.method"
+            }
+          ],
+          "uri_raw": [
+            {
+              "address": "server.request.uri.raw"
+            }
+          ],
+          "body": [
+            {
+              "address": "server.request.body"
+            }
+          ],
+          "query": [
+            {
+              "address": "server.request.query"
+            }
+          ],
+          "output": "_dd.appsec.fp.http.endpoint"
+        }
+      ]
+    },
+    "evaluate": false,
+    "output": true
+  },
+  {
+    "id": "extract-content",
     "generator": "extract_schema",
     "conditions": [
       {
@@ -32,10 +83,10 @@
         {
           "inputs": [
             {
-              "address": "server.request.headers.no_cookies"
+              "address": "server.request.cookies"
             }
           ],
-          "output": "_dd.appsec.s.req.headers"
+          "output": "_dd.appsec.s.req.cookies"
         },
         {
           "inputs": [
@@ -56,29 +107,89 @@
         {
           "inputs": [
             {
-              "address": "server.request.cookies"
+              "address": "server.response.body"
             }
           ],
-          "output": "_dd.appsec.s.req.cookies"
+          "output": "_dd.appsec.s.res.body"
         },
         {
           "inputs": [
             {
-              "address": "server.response.headers.no_cookies"
+              "address": "graphql.server.all_resolvers"
             }
           ],
-          "output": "_dd.appsec.s.res.headers"
+          "output": "_dd.appsec.s.graphql.all_resolvers"
         },
         {
           "inputs": [
             {
-              "address": "server.response.body"
+              "address": "graphql.server.resolver"
             }
           ],
-          "output": "_dd.appsec.s.res.body"
+          "output": "_dd.appsec.s.graphql.resolver"
+        }
+      ],
+      "scanners": [
+        {
+          "tags": {
+            "category": "payment"
+          }
+        },
+        {
+          "tags": {
+            "category": "pii"
+          }
+        }
+      ]
+    },
+    "evaluate": false,
+    "output": true
+  },
+  {
+    "id": "extract-headers",
+    "generator": "extract_schema",
+    "conditions": [
+      {
+        "operator": "equals",
+        "parameters": {
+          "inputs": [
+            {
+              "address": "waf.context.processor",
+              "key_path": [
+                "extract-schema"
+              ]
+            }
+          ],
+          "type": "boolean",
+          "value": true
+        }
+      }
+    ],
+    "parameters": {
+      "mappings": [
+        {
+          "inputs": [
+            {
+              "address": "server.request.headers.no_cookies"
+            }
+          ],
+          "output": "_dd.appsec.s.req.headers"
+        },
+        {
+          "inputs": [
+            {
+              "address": "server.response.headers.no_cookies"
+            }
+          ],
+          "output": "_dd.appsec.s.res.headers"
         }
       ],
       "scanners": [
+        {
+          "tags": {
+            "category": "credentials"
+          }
+        },
         {
           "tags": {
             "category": "pii"
@@ -88,5 +199,123 @@
     },
     "evaluate": false,
     "output": true
+  },
+  {
+    "id": "http-header-fingerprint",
+    "generator": "http_header_fingerprint",
+    "conditions": [
+      {
+        "operator": "exists",
+        "parameters": {
+          "inputs": [
+            {
+              "address": "waf.context.event"
+            },
+            {
+              "address": "server.business_logic.users.login.failure"
+            },
+            {
+              "address": "server.business_logic.users.login.success"
+            }
+          ]
+        }
+      }
+    ],
+    "parameters": {
+      "mappings": [
+        {
+          "headers": [
+            {
+              "address": "server.request.headers.no_cookies"
+            }
+          ],
+          "output": "_dd.appsec.fp.http.header"
+        }
+      ]
+    },
+    "evaluate": false,
+    "output": true
+  },
+  {
+    "id": "http-network-fingerprint",
+    "generator": "http_network_fingerprint",
+    "conditions": [
+      {
+        "operator": "exists",
+        "parameters": {
+          "inputs": [
+            {
+              "address": "waf.context.event"
+            },
+            {
+              "address": "server.business_logic.users.login.failure"
+            },
+            {
+              "address": "server.business_logic.users.login.success"
+            }
+          ]
+        }
+      }
+    ],
+    "parameters": {
+      "mappings": [
+        {
+          "headers": [
+            {
+              "address": "server.request.headers.no_cookies"
+            }
+          ],
+          "output": "_dd.appsec.fp.http.network"
+        }
+      ]
+    },
+    "evaluate": false,
+    "output": true
+  },
+  {
+    "id": "session-fingerprint",
+    "generator": "session_fingerprint",
+    "conditions": [
+      {
+        "operator": "exists",
+        "parameters": {
+          "inputs": [
+            {
+              "address": "waf.context.event"
+            },
+            {
+              "address": "server.business_logic.users.login.failure"
+            },
+            {
+              "address": "server.business_logic.users.login.success"
+            }
+          ]
+        }
+      }
+    ],
+    "parameters": {
+      "mappings": [
+        {
+          "cookies": [
+            {
+              "address": "server.request.cookies"
+            }
+          ],
+          "session_id": [
+            {
+              "address": "usr.session_id"
+            }
+          ],
+          "user_id": [
+            {
+              "address": "usr.id"
+            }
+          ],
+          "output": "_dd.appsec.fp.session"
+        }
+      ]
+    },
+    "evaluate": false,
+    "output": true
   }
-]
+]