
[java] Add java endpoint for RASP LFI #2947

Merged
merged 11 commits into from
Sep 20, 2024

Conversation

jandro996 (Member)

Motivation

Changes

  • Add java endpoint for RASP LFI

Workflow

  1. ⚠️ Create your PR as draft ⚠️
  2. Work on your PR until the CI passes (if something not related to your task is failing, you can ignore it)
  3. Mark it as ready for review
    • Test logic is modified? -> Get a review from RFC owner. We're working on refining the codeowners file quickly.
    • Framework is modified, or non-obvious usage of it -> get a review from R&P team

🚀 Once your PR is reviewed, you can merge it!

🛟 #apm-shared-testing 🛟

Reviewer checklist

  • If PR title starts with [<language>], double-check that only <language> is impacted by the change
  • No system-tests internal is modified. Otherwise, I have the approval from R&P team
  • CI is green, or failing jobs are not related to this change (and you are 100% sure about this statement)
  • A docker base image is modified?
    • the relevant build-XXX-image label is present
  • A scenario is added (or removed)?

@@ -41,6 +43,16 @@ public ResponseEntity<String> sqli(@RequestBody final UserDTO body) throws SQLEx
return execSql(body.getUserId());
}

@RequestMapping(value = "/lfi", method = {GET, POST})
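Review bot: the hunk ends at the `@RequestMapping(value = "/lfi", method = {GET, POST})` annotation, so neither the handler body nor any documentation for the new endpoint is visible here; since the PR title says this endpoint exists to exercise RASP LFI detection, add a Javadoc or inline comment on the method stating that the file path is intentionally taken from the request without validation, so a later cleanup does not "fix" it and the adjacent static-analysis finding is read as expected for a test target. The explicit method list already narrows the mapping from the default all-methods behaviour that finding describes, so the annotation itself needs no change.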


🟠 Code Vulnerability

Methods annotated with RequestMapping are by default mapped to all the HTTP request methods.

Classes that contain methods annotated with RequestMapping are by default mapped to all the HTTP request methods.

Spring Security's CSRF protection is not enabled by default for the HTTP request methods GET, HEAD, TRACE, and OPTIONS.

For this reason, requests or routes with RequestMapping that do not narrow the mapping to the HTTP request methods POST, PUT, DELETE, or PATCH are vulnerable to CSRF attacks.

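The finding above turns on the difference between an unrestricted `@RequestMapping` and one narrowed to a state-changing verb. As an added example that is not code from this PR or the system-tests project, here is the flagged pattern beside its narrowed form, with a Spring `@WebMvcTest` that checks the restriction actually holds; it assumes Spring Boot with only `spring-boot-starter-web` and `spring-boot-starter-test` (no Spring Security auto-configuration on the test classpath), and the names `FileController`, `/delete-broad` and `/delete-narrow` are made up.

```java
// Added example, not from the system-tests repo. Assumes Spring Boot web + test starters
// without Spring Security on the test classpath; controller and paths are hypothetical.
package com.example.demo;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import static org.springframework.web.bind.annotation.RequestMethod.POST;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
class FileController {
    // Flagged pattern: no `method` attribute, so GET/HEAD/OPTIONS/TRACE also reach this
    // state-changing handler, and those verbs sit outside the default CSRF protection.
    @RequestMapping("/delete-broad")
    String deleteBroad(@RequestParam String name) { return "deleted " + name; }

    // Narrowed form: only POST is mapped; any other verb is answered with 405 before the
    // handler body runs, which is the mitigation the static-analysis finding asks for.
    @RequestMapping(value = "/delete-narrow", method = POST)
    String deleteNarrow(@RequestParam String name) { return "deleted " + name; }
}

@WebMvcTest(FileController.class)
class FileControllerMappingTest {
    @Autowired MockMvc mvc;

    @Test
    void broadMappingAcceptsGet() throws Exception {
        // Demonstrates the exposure: a plain GET reaches the state-changing handler.
        mvc.perform(get("/delete-broad").param("name", "x")).andExpect(status().isOk());
    }

    @Test
    void narrowMappingRejectsGetButAllowsPost() throws Exception {
        mvc.perform(get("/delete-narrow").param("name", "x")).andExpect(status().isMethodNotAllowed());
        mvc.perform(post("/delete-narrow").param("name", "x")).andExpect(status().isOk());
    }
}
```

If Spring Security is on the test classpath, the POST in the second test also needs a CSRF token (`.with(csrf())` from `spring-security-test`), which is exactly the protection the narrowed mapping puts in front of the handler.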

@jandro996 jandro996 force-pushed the alejandro.gonzalez/rasp-lfi-tests branch from 15d46b8 to 5dc97c2 Compare September 11, 2024 08:18
@jandro996 jandro996 marked this pull request as ready for review September 18, 2024 10:04
@jandro996 jandro996 requested review from a team as code owners September 18, 2024 10:04
cbeauchesne (Collaborator) left a comment


Just a small request change, then all good

manifests/java.yml (review comment, outdated and resolved)
@jandro996 jandro996 force-pushed the alejandro.gonzalez/rasp-lfi-tests branch from 65c9d76 to 2e1735c Compare September 19, 2024 13:53
@jandro996 jandro996 merged commit d26d4d8 into main Sep 20, 2024
78 of 81 checks passed
@jandro996 jandro996 deleted the alejandro.gonzalez/rasp-lfi-tests branch September 20, 2024 07:39