Add new Default app deployed vulnerability for Tomcat and Jetty

jandro996 · jandro996 · commit e1e520f3c5e1 · 2024-04-10T08:46:10.000+02:00
diff --git a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/VulnerabilityType.java b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/VulnerabilityType.java
@@ -89,6 +89,9 @@ public interface VulnerabilityType {
   VulnerabilityType SESSION_REWRITING =
       new ServiceVulnerabilityType(VulnerabilityTypes.SESSION_REWRITING);
 
+  VulnerabilityType DEFAULT_APP_DEPLOYED =
+      new ServiceVulnerabilityType(VulnerabilityTypes.DEFAULT_APP_DEPLOYED);
+
   String name();
 
   /** A bit flag to ignore tainted ranges for this vulnerability. Set to 0 if none. */
diff --git a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/ApplicationModuleImpl.java b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/ApplicationModuleImpl.java
@@ -68,6 +68,27 @@ public class ApplicationModuleImpl extends SinkModuleBase implements Application
   static final String TOMCAT_HOST_MANAGER_APP = "Tomcat Host Manager Application";
   private static final String TOMCAT_HOST_MANAGER_APP_PATTERN =
       DISPLAY_NAME_START_TAG + TOMCAT_HOST_MANAGER_APP + DISPLAY_NAME_END_TAG;
+  static final String TOMCAT_SAMPLES_APP = "Servlet and JSP Examples";
+  private static final String TOMCAT_SAMPLES_APP_PATTERN =
+      DISPLAY_NAME_START_TAG + TOMCAT_SAMPLES_APP + DISPLAY_NAME_END_TAG;
+  static final String JETTY_ASYNC_REST_APP = "Async REST Webservice Example";
+  private static final String JETTY_ASYNC_REST_APP_PATTERN =
+      DISPLAY_NAME_START_TAG + JETTY_ASYNC_REST_APP + DISPLAY_NAME_END_TAG;
+  static final String JETTY_JAVADOC_APP = "Transparent Proxy WebApp";
+  private static final String JETTY_JAVADOC_APP_PATTERN =
+      DISPLAY_NAME_START_TAG + JETTY_JAVADOC_APP + DISPLAY_NAME_END_TAG;
+  static final String JETTY_JAAS_APP = "JAAS Test";
+  private static final String JETTY_JAAS_APP_PATTERN =
+      DISPLAY_NAME_START_TAG + JETTY_JAAS_APP + DISPLAY_NAME_END_TAG;
+  static final String JETTY_JNDI_APP = "Test JNDI WebApp";
+  private static final String JETTY_JNDI_APP_PATTERN =
+      DISPLAY_NAME_START_TAG + JETTY_JNDI_APP + DISPLAY_NAME_END_TAG;
+  static final String JETTY_SPEC_APP = "Test Annotations WebApp";
+  private static final String JETTY_SPEC_APP_PATTERN =
+      DISPLAY_NAME_START_TAG + JETTY_SPEC_APP + DISPLAY_NAME_END_TAG;
+  static final String JETTY_TEST_APP = "Test WebApp";
+  private static final String JETTY_TEST_APP_PATTERN =
+      DISPLAY_NAME_START_TAG + JETTY_TEST_APP + DISPLAY_NAME_END_TAG;
   public static final String WEB_INF = "WEB-INF";
   public static final String WEB_XML = "web.xml";
   public static final String WEBLOGIC_XML = "weblogic.xml";
@@ -83,6 +104,13 @@ public class ApplicationModuleImpl extends SinkModuleBase implements Application
                   DEFAULT_HTML_ESCAPE,
                   TOMCAT_MANAGER_APP_PATTERN,
                   TOMCAT_HOST_MANAGER_APP_PATTERN,
+                  TOMCAT_SAMPLES_APP_PATTERN,
+                  JETTY_ASYNC_REST_APP_PATTERN,
+                  JETTY_JAVADOC_APP_PATTERN,
+                  JETTY_JAAS_APP_PATTERN,
+                  JETTY_JNDI_APP_PATTERN,
+                  JETTY_SPEC_APP_PATTERN,
+                  JETTY_TEST_APP_PATTERN,
                   LISTINGS_PATTERN,
                   JETTY_LISTINGS_PATTERN,
                   SESSION_TIMEOUT_START_TAG,
@@ -212,6 +240,27 @@ private void checkWebXmlVulnerabilities(@Nonnull Path path, AgentSpan span) {
         case TOMCAT_HOST_MANAGER_APP_PATTERN:
           reportAdminConsoleActive(span, TOMCAT_HOST_MANAGER_APP);
           break;
+        case TOMCAT_SAMPLES_APP_PATTERN:
+          reportDefaultAppDeployed(span, TOMCAT_SAMPLES_APP);
+          break;
+        case JETTY_ASYNC_REST_APP_PATTERN:
+          reportDefaultAppDeployed(span, JETTY_ASYNC_REST_APP);
+          break;
+        case JETTY_JAVADOC_APP_PATTERN:
+          reportDefaultAppDeployed(span, JETTY_JAVADOC_APP);
+          break;
+        case JETTY_JAAS_APP_PATTERN:
+          reportDefaultAppDeployed(span, JETTY_JAAS_APP);
+          break;
+        case JETTY_JNDI_APP_PATTERN:
+          reportDefaultAppDeployed(span, JETTY_JNDI_APP);
+          break;
+        case JETTY_SPEC_APP_PATTERN:
+          reportDefaultAppDeployed(span, JETTY_SPEC_APP);
+          break;
+        case JETTY_TEST_APP_PATTERN:
+          reportDefaultAppDeployed(span, JETTY_TEST_APP);
+          break;
         case LISTINGS_PATTERN:
         case JETTY_LISTINGS_PATTERN:
           checkDirectoryListingLeak(webXmlContent, matcher.start(), span);
@@ -266,6 +315,15 @@ private void reportAdminConsoleActive(AgentSpan span, final String evidence) {
             new Evidence(evidence)));
   }
 
+  private void reportDefaultAppDeployed(final AgentSpan span, final String evidence) {
+    reporter.noDedupReport(
+        span,
+        new Vulnerability(
+            VulnerabilityType.DEFAULT_APP_DEPLOYED,
+            Location.forSpan(span),
+            new Evidence(evidence)));
+  }
+
   private void checkDirectoryListingLeak(
       final String webXmlContent, int index, final AgentSpan span) {
     int valueIndex =
diff --git a/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/sink/ApplicationModuleTest.groovy b/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/sink/ApplicationModuleTest.groovy
@@ -8,6 +8,7 @@ import datadog.trace.api.iast.InstrumentationBridge
 import datadog.trace.api.iast.sink.ApplicationModule
 
 import static com.datadog.iast.model.VulnerabilityType.ADMIN_CONSOLE_ACTIVE
+import static com.datadog.iast.model.VulnerabilityType.DEFAULT_APP_DEPLOYED
 import static com.datadog.iast.model.VulnerabilityType.DEFAULT_HTML_ESCAPE_INVALID
 import static com.datadog.iast.model.VulnerabilityType.DIRECTORY_LISTING_LEAK
 import static com.datadog.iast.model.VulnerabilityType.INSECURE_JSP_LAYOUT
@@ -71,6 +72,14 @@ class ApplicationModuleTest extends IastModuleImplTestBase {
     'noDedupReport'  | 'application/adminconsoleactive/secure'           | null                        | null                                                       | _
     'noDedupReport'  | 'application/adminconsoleactive/insecure/tomcat/manager'         | ADMIN_CONSOLE_ACTIVE        | ApplicationModuleImpl.TOMCAT_MANAGER_APP                    | NO_LINE
     'noDedupReport'  | 'application/adminconsoleactive/insecure/tomcat/host'            | ADMIN_CONSOLE_ACTIVE        | ApplicationModuleImpl.TOMCAT_HOST_MANAGER_APP               | NO_LINE
+    'noDedupReport'  | 'application/defaultappdeployed/secure'           | null                        | null                                                       | _
+    'noDedupReport'  | 'application/defaultappdeployed/insecure/tomcat/samples'         | DEFAULT_APP_DEPLOYED        | ApplicationModuleImpl.TOMCAT_SAMPLES_APP                    | NO_LINE
+    'noDedupReport'  | 'application/defaultappdeployed/insecure/jetty/async'            | DEFAULT_APP_DEPLOYED        | ApplicationModuleImpl.JETTY_ASYNC_REST_APP                  | NO_LINE
+    'noDedupReport'  | 'application/defaultappdeployed/insecure/jetty/jaas'             | DEFAULT_APP_DEPLOYED        | ApplicationModuleImpl.JETTY_JAAS_APP                        | NO_LINE
+    'noDedupReport'  | 'application/defaultappdeployed/insecure/jetty/javadoc'          | DEFAULT_APP_DEPLOYED        | ApplicationModuleImpl.JETTY_JAVADOC_APP                     | NO_LINE
+    'noDedupReport'  | 'application/defaultappdeployed/insecure/jetty/jndi'             | DEFAULT_APP_DEPLOYED        | ApplicationModuleImpl.JETTY_JNDI_APP                        | NO_LINE
+    'noDedupReport'  | 'application/defaultappdeployed/insecure/jetty/spec'             | DEFAULT_APP_DEPLOYED        | ApplicationModuleImpl.JETTY_SPEC_APP                        | NO_LINE
+    'noDedupReport'  | 'application/defaultappdeployed/insecure/jetty/test'             | DEFAULT_APP_DEPLOYED        | ApplicationModuleImpl.JETTY_TEST_APP                        | NO_LINE
     'report'         | 'application/defaulthtmlescapeinvalid/secure'     | null                        | null                                                       | _
     'report'         | 'application/defaulthtmlescapeinvalid/secure_tag' | null                        | null                                                       | _
     'report'         | 'application/defaulthtmlescapeinvalid/false_tag'  | DEFAULT_HTML_ESCAPE_INVALID | 'defaultHtmlEscape tag should be true'                     | 8
diff --git a/dd-java-agent/agent-iast/src/test/resources/application/defaultappdeployed/insecure/jetty/async/WEB-INF/web.xml b/dd-java-agent/agent-iast/src/test/resources/application/defaultappdeployed/insecure/jetty/async/WEB-INF/web.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0"?>
+<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" 
+   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+   xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" 
+   version="3.1">
+
+	<display-name>Async REST Webservice Example</display-name>
+
+</web-app>
diff --git a/dd-java-agent/agent-iast/src/test/resources/application/defaultappdeployed/insecure/jetty/jaas/WEB-INF/web.xml b/dd-java-agent/agent-iast/src/test/resources/application/defaultappdeployed/insecure/jetty/jaas/WEB-INF/web.xml
@@ -0,0 +1,9 @@
+<web-app
+   xmlns="http://java.sun.com/xml/ns/javaee"
+   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
+   version="2.5">
+
+  <display-name>JAAS Test</display-name>
+
+</web-app>
diff --git a/dd-java-agent/agent-iast/src/test/resources/application/defaultappdeployed/insecure/jetty/javadoc/WEB-INF/web.xml b/dd-java-agent/agent-iast/src/test/resources/application/defaultappdeployed/insecure/jetty/javadoc/WEB-INF/web.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" metadata-complete="false" version="3.0">
+
+  <display-name>Transparent Proxy WebApp</display-name>
+
+</web-app>
diff --git a/dd-java-agent/agent-iast/src/test/resources/application/defaultappdeployed/insecure/jetty/jndi/WEB-INF/web.xml b/dd-java-agent/agent-iast/src/test/resources/application/defaultappdeployed/insecure/jetty/jndi/WEB-INF/web.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app 
+   xmlns="http://java.sun.com/xml/ns/javaee" 
+   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" 
+   metadata-complete="true"
+   version="2.5"> 
+
+  <display-name>Test JNDI WebApp</display-name>
+
+
+</web-app>
+
+
diff --git a/dd-java-agent/agent-iast/src/test/resources/application/defaultappdeployed/insecure/jetty/spec/WEB-INF/web.xml b/dd-java-agent/agent-iast/src/test/resources/application/defaultappdeployed/insecure/jetty/spec/WEB-INF/web.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app 
+   xmlns="http://xmlns.jcp.org/xml/ns/javaee"
+   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+   xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
+   metadata-complete="false"
+   version="3.1"> 
+
+  <display-name>Test Annotations WebApp</display-name>
+
+</web-app>
diff --git a/dd-java-agent/agent-iast/src/test/resources/application/defaultappdeployed/insecure/jetty/test/WEB-INF/web.xml b/dd-java-agent/agent-iast/src/test/resources/application/defaultappdeployed/insecure/jetty/test/WEB-INF/web.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app 
+   xmlns="http://xmlns.jcp.org/xml/ns/javaee" 
+   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+   xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
+   metadata-complete="false"
+   version="3.1"> 
+
+  <display-name>Test WebApp</display-name>
+
+</web-app>
+
+
diff --git a/dd-java-agent/agent-iast/src/test/resources/application/defaultappdeployed/insecure/tomcat/samples/WEB-INF/web.xml b/dd-java-agent/agent-iast/src/test/resources/application/defaultappdeployed/insecure/tomcat/samples/WEB-INF/web.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
+                      http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
+  version="4.0"
+  metadata-complete="true">
+
+    <description>
+      Servlet and JSP Examples.
+    </description>
+    <display-name>Servlet and JSP Examples</display-name>
+
+</web-app>
diff --git a/dd-java-agent/agent-iast/src/test/resources/application/defaultappdeployed/secure/WEB-INF/web.xml b/dd-java-agent/agent-iast/src/test/resources/application/defaultappdeployed/secure/WEB-INF/web.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
+         version="4.0">
+  <display-name>Test app</display-name>
+</web-app>
diff --git a/internal-api/src/main/java/datadog/trace/api/iast/VulnerabilityTypes.java b/internal-api/src/main/java/datadog/trace/api/iast/VulnerabilityTypes.java
@@ -35,6 +35,7 @@ private VulnerabilityTypes() {}
   public static final byte INSECURE_AUTH_PROTOCOL = 26;
   public static final byte REFLECTION_INJECTION = 27;
   public static final byte SESSION_REWRITING = 28;
+  public static final byte DEFAULT_APP_DEPLOYED = 29;
 
   /**
    * Use for telemetry only, this is a special vulnerability type that is not reported, reported
@@ -75,7 +76,8 @@ private VulnerabilityTypes() {}
     SESSION_TIMEOUT,
     DIRECTORY_LISTING_LEAK,
     INSECURE_JSP_LAYOUT,
-    SESSION_REWRITING
+    SESSION_REWRITING,
+    DEFAULT_APP_DEPLOYED,
   };
 
   /**
@@ -111,7 +113,8 @@ private VulnerabilityTypes() {}
     "HARDCODED_SECRET",
     "INSECURE_AUTH_PROTOCOL",
     "REFLECTION_INJECTION",
-    "SESSION_REWRITING"
+    "SESSION_REWRITING",
+    "DEFAULT_APP_DEPLOYED"
   };
 
   public static String toString(final byte vulnerability) {
diff --git a/internal-api/src/test/groovy/datadog/trace/api/iast/VulnerabilityTypesTest.groovy b/internal-api/src/test/groovy/datadog/trace/api/iast/VulnerabilityTypesTest.groovy
@@ -43,5 +43,6 @@ class VulnerabilityTypesTest extends DDSpecification {
     VulnerabilityTypes.INSECURE_AUTH_PROTOCOL      | 'INSECURE_AUTH_PROTOCOL'
     VulnerabilityTypes.REFLECTION_INJECTION        | 'REFLECTION_INJECTION'
     VulnerabilityTypes.SESSION_REWRITING           | 'SESSION_REWRITING'
+    VulnerabilityTypes.DEFAULT_APP_DEPLOYED        | 'DEFAULT_APP_DEPLOYED'
   }
 }
