Allow blocking on fastify path params (#5889)

IlyasShabi · web-flow · commit 020c925d4156 · 2025-06-18T12:40:10.000+02:00
Allow blocking on fastify path params
diff --git a/packages/datadog-instrumentations/src/fastify.js b/packages/datadog-instrumentations/src/fastify.js
@@ -8,6 +8,7 @@ const handleChannel = channel('apm:fastify:request:handle')
 const routeAddedChannel = channel('apm:fastify:route:added')
 const bodyParserReadCh = channel('datadog:fastify:body-parser:finish')
 const queryParamsReadCh = channel('datadog:fastify:query-params:finish')
+const pathParamsReadCh = channel('datadog:fastify:path-params:finish')
 
 const parsingResources = new WeakMap()
 
@@ -112,9 +113,10 @@ function preValidation (request, reply, done) {
   const parsingResource = parsingResources.get(req)
 
   const processInContext = () => {
-    if (queryParamsReadCh.hasSubscribers && request.query) {
-      const abortController = new AbortController()
+    let abortController
 
+    if (queryParamsReadCh.hasSubscribers && request.query) {
+      abortController ??= new AbortController()
       queryParamsReadCh.publish({
         req,
         res,
@@ -126,13 +128,24 @@ function preValidation (request, reply, done) {
     }
 
     if (bodyParserReadCh.hasSubscribers && request.body) {
-      const abortController = new AbortController()
-
+      abortController ??= new AbortController()
       bodyParserReadCh.publish({ req, res, body: request.body, abortController })
 
       if (abortController.signal.aborted) return
     }
 
+    if (pathParamsReadCh.hasSubscribers && request.params) {
+      abortController ??= new AbortController()
+      pathParamsReadCh.publish({
+        req,
+        res,
+        abortController,
+        params: request.params
+      })
+
+      if (abortController.signal.aborted) return
+    }
+
     done()
   }
 
diff --git a/packages/dd-trace/src/appsec/channels.js b/packages/dd-trace/src/appsec/channels.js
@@ -14,6 +14,7 @@ module.exports = {
   expressSession: dc.channel('datadog:express-session:middleware:finish'),
   fastifyBodyParser: dc.channel('datadog:fastify:body-parser:finish'),
   fastifyQueryParams: dc.channel('datadog:fastify:query-params:finish'),
+  fastifyPathParams: dc.channel('datadog:fastify:path-params:finish'),
   fsOperationStart: dc.channel('apm:fs:operation:start'),
   graphqlMiddlewareChannel: dc.tracingChannel('datadog:apollo:middleware'),
   httpClientRequestStart: dc.channel('apm:http:client:request:start'),
diff --git a/packages/dd-trace/src/appsec/index.js b/packages/dd-trace/src/appsec/index.js
@@ -21,7 +21,8 @@ const {
   responseBody,
   responseWriteHead,
   responseSetHeader,
-  routerParam
+  routerParam,
+  fastifyPathParams
 } = require('./channels')
 const waf = require('./waf')
 const addresses = require('./addresses')
@@ -69,7 +70,6 @@ function enable (_config) {
 
     bodyParser.subscribe(onRequestBodyParsed)
     multerParser.subscribe(onRequestBodyParsed)
-    fastifyBodyParser.subscribe(onRequestBodyParsed)
     cookieParser.subscribe(onRequestCookieParser)
     incomingHttpRequestStart.subscribe(incomingHttpStartTranslator)
     incomingHttpRequestEnd.subscribe(incomingHttpEndTranslator)
@@ -80,7 +80,9 @@ function enable (_config) {
     nextBodyParsed.subscribe(onRequestBodyParsed)
     nextQueryParsed.subscribe(onRequestQueryParsed)
     expressProcessParams.subscribe(onRequestProcessParams)
+    fastifyBodyParser.subscribe(onRequestBodyParsed)
     fastifyQueryParams.subscribe(onRequestQueryParsed)
+    fastifyPathParams.subscribe(onRequestProcessParams)
     routerParam.subscribe(onRequestProcessParams)
     responseBody.subscribe(onResponseBody)
     responseWriteHead.subscribe(onResponseWriteHead)
@@ -361,7 +363,6 @@ function disable () {
   // Channel#unsubscribe() is undefined for non active channels
   if (bodyParser.hasSubscribers) bodyParser.unsubscribe(onRequestBodyParsed)
   if (multerParser.hasSubscribers) multerParser.unsubscribe(onRequestBodyParsed)
-  if (fastifyBodyParser.hasSubscribers) fastifyBodyParser.unsubscribe(onRequestBodyParsed)
   if (cookieParser.hasSubscribers) cookieParser.unsubscribe(onRequestCookieParser)
   if (incomingHttpRequestStart.hasSubscribers) incomingHttpRequestStart.unsubscribe(incomingHttpStartTranslator)
   if (incomingHttpRequestEnd.hasSubscribers) incomingHttpRequestEnd.unsubscribe(incomingHttpEndTranslator)
@@ -372,7 +373,9 @@ function disable () {
   if (nextBodyParsed.hasSubscribers) nextBodyParsed.unsubscribe(onRequestBodyParsed)
   if (nextQueryParsed.hasSubscribers) nextQueryParsed.unsubscribe(onRequestQueryParsed)
   if (expressProcessParams.hasSubscribers) expressProcessParams.unsubscribe(onRequestProcessParams)
+  if (fastifyBodyParser.hasSubscribers) fastifyBodyParser.unsubscribe(onRequestBodyParsed)
   if (fastifyQueryParams.hasSubscribers) fastifyQueryParams.unsubscribe(onRequestQueryParsed)
+  if (fastifyPathParams.hasSubscribers) fastifyPathParams.unsubscribe(onRequestProcessParams)
   if (routerParam.hasSubscribers) routerParam.unsubscribe(onRequestProcessParams)
   if (responseBody.hasSubscribers) responseBody.unsubscribe(onResponseBody)
   if (responseWriteHead.hasSubscribers) responseWriteHead.unsubscribe(onResponseWriteHead)
diff --git a/packages/dd-trace/test/appsec/index.fastify.plugin.spec.js b/packages/dd-trace/test/appsec/index.fastify.plugin.spec.js
@@ -262,6 +262,188 @@ withVersions('fastify', 'fastify', version => {
       }
     })
   })
+
+  describe('Suspicious request blocking - path parameters', () => {
+    // Skip Fastify v1 - preValidation hook is not supported
+    if (semver.lt(semver.coerce(version), '2.0.0')) {
+      return
+    }
+
+    let server, preHandlerHookSpy, preValidationHookSpy, axios
+
+    before(() => {
+      return agent.load(['fastify', 'http'], { client: false })
+    })
+
+    before((done) => {
+      const fastify = require(`../../../../versions/fastify@${version}`).get()
+
+      const app = fastify()
+      app.get('/multiple-path-params/:parameter1/:parameter2', (request, reply) => {
+        reply.send('DONE')
+      })
+
+      app.register(async function (nested) {
+        nested.get('/:nestedParam', async (request, reply) => {
+          reply.send('DONE')
+        })
+      }, { prefix: '/nested/:parentParam' })
+
+      const paramHook = (request, reply, done) => {
+        done()
+      }
+
+      preHandlerHookSpy = sinon.spy(paramHook)
+
+      app.addHook('preHandler', preHandlerHookSpy)
+
+      const validationHook = (request, reply, done) => {
+        done()
+      }
+
+      preValidationHookSpy = sinon.spy(validationHook)
+      app.addHook('preValidation', preValidationHookSpy)
+
+      app.get('/callback-path-param/:pathParameter', (request, reply) => {
+        reply.send('DONE')
+      })
+
+      getPort().then((port) => {
+        app.listen({ port }, () => {
+          axios = Axios.create({ baseURL: `http://localhost:${port}` })
+          done()
+        })
+        server = app.server
+      })
+    })
+
+    after(() => {
+      server.close()
+      return agent.close({ ritmReset: false })
+    })
+
+    beforeEach(async () => {
+      appsec.enable(new Config({
+        appsec: {
+          enabled: true,
+          rules: path.join(__dirname, 'rules-example.json')
+        }
+      }))
+    })
+
+    afterEach(() => {
+      appsec.disable()
+      sinon.reset()
+    })
+
+    describe('route with multiple path parameters', () => {
+      it('should not block the request when attack is not detected', async () => {
+        const res = await axios.get('/multiple-path-params/safe_param/safe_param')
+
+        assert.equal(res.status, 200)
+        assert.equal(res.data, 'DONE')
+      })
+
+      it('should block the request when attack is detected in both parameters', async () => {
+        try {
+          await axios.get('/multiple-path-params/testattack/testattack')
+
+          return Promise.reject(new Error('Request should not return 200'))
+        } catch (e) {
+          assert.equal(e.response.status, 403)
+          assert.deepEqual(e.response.data, JSON.parse(json))
+        }
+      })
+
+      it('should block the request when attack is detected in the first parameter', async () => {
+        try {
+          await axios.get('/multiple-path-params/testattack/safe_param')
+
+          return Promise.reject(new Error('Request should not return 200'))
+        } catch (e) {
+          assert.equal(e.response.status, 403)
+          assert.deepEqual(e.response.data, JSON.parse(json))
+        }
+      })
+
+      it('should block the request when attack is detected in the second parameter', async () => {
+        try {
+          await axios.get('/multiple-path-params/safe_param/testattack')
+
+          return Promise.reject(new Error('Request should not return 200'))
+        } catch (e) {
+          assert.equal(e.response.status, 403)
+          assert.deepEqual(e.response.data, JSON.parse(json))
+        }
+      })
+    })
+
+    describe('nested routes', () => {
+      it('should not block the request when attack is not detected', async () => {
+        const res = await axios.get('/nested/safe_param/safe_param')
+
+        assert.equal(res.status, 200)
+        assert.equal(res.data, 'DONE')
+      })
+
+      it('should block the request when attack is detected in the nested parameter', async () => {
+        try {
+          await axios.get('/nested/safe_param/testattack')
+
+          return Promise.reject(new Error('Request should not return 200'))
+        } catch (e) {
+          assert.equal(e.response.status, 403)
+          assert.deepEqual(e.response.data, JSON.parse(json))
+        }
+      })
+
+      it('should block the request when attack is detected in the parent parameter', async () => {
+        try {
+          await axios.get('/nested/testattack/safe_param')
+
+          return Promise.reject(new Error('Request should not return 200'))
+        } catch (e) {
+          assert.equal(e.response.status, 403)
+          assert.deepEqual(e.response.data, JSON.parse(json))
+        }
+      })
+
+      it('should block the request when attack is detected in both parameters', async () => {
+        try {
+          await axios.get('/nested/testattack/testattack')
+
+          return Promise.reject(new Error('Request should not return 200'))
+        } catch (e) {
+          assert.equal(e.response.status, 403)
+          assert.deepEqual(e.response.data, JSON.parse(json))
+        }
+      })
+    })
+
+    describe('path parameter with hook', () => {
+      it('should not block the request when attack is not detected', async () => {
+        const res = await axios.get('/callback-path-param/safe_param')
+
+        assert.equal(res.status, 200)
+        assert.equal(res.data, 'DONE')
+        sinon.assert.calledOnce(preHandlerHookSpy)
+        sinon.assert.calledOnce(preValidationHookSpy)
+      })
+
+      it('should block the request when attack is detected', async () => {
+        try {
+          await axios.get('/callback-path-param/testattack')
+
+          return Promise.reject(new Error('Request should not return 200'))
+        } catch (e) {
+          assert.equal(e.response.status, 403)
+          assert.deepEqual(e.response.data, JSON.parse(json))
+          sinon.assert.notCalled(preHandlerHookSpy)
+          sinon.assert.notCalled(preValidationHookSpy)
+        }
+      })
+    })
+  })
 })
 
 const createNestedObject = (n, obj) => {
