From 4f62b5ad9f2a1224fb4ce9178461a63be09b13d4 Mon Sep 17 00:00:00 2001
From: Igor Unanua
Date: Fri, 18 Oct 2024 09:07:59 +0200
Subject: [PATCH] [ASM] Ssrf handle request options (#4791)

* Handle request options

* Remove .only

* clean up

* suggestion
---
 packages/dd-trace/src/appsec/rasp/ssrf.js | 7 +--
 .../appsec/rasp/ssrf.express.plugin.spec.js | 43 +++++++++++++++++++
 packages/dd-trace/test/plugins/externals.json | 4 ++
 3 files changed, 51 insertions(+), 3 deletions(-)

diff --git a/packages/dd-trace/src/appsec/rasp/ssrf.js b/packages/dd-trace/src/appsec/rasp/ssrf.js
index ae45ed7daf2..38a3c150d74 100644
--- a/packages/dd-trace/src/appsec/rasp/ssrf.js
+++ b/packages/dd-trace/src/appsec/rasp/ssrf.js
@@ -1,5 +1,6 @@
 'use strict'

+const { format } = require('url')
 const { httpClientRequestStart } = require('../channels')
 const { storage } = require('../../../../datadog-core')
 const addresses = require('../addresses')
@@ -20,12 +21,12 @@ function disable () {
 function analyzeSsrf (ctx) {
 const store = storage.getStore()
 const req = store?.req
- const url = ctx.args.uri
+ const outgoingUrl = (ctx.args.options?.uri && format(ctx.args.options.uri)) ?? ctx.args.uri

- if (!req || !url) return
+ if (!req || !outgoingUrl) return

 const persistent = {
- [addresses.HTTP_OUTGOING_URL]: url
+ [addresses.HTTP_OUTGOING_URL]: outgoingUrl
 }

 const result = waf.run({ persistent }, req, RULE_TYPES.SSRF)
diff --git a/packages/dd-trace/test/appsec/rasp/ssrf.express.plugin.spec.js b/packages/dd-trace/test/appsec/rasp/ssrf.express.plugin.spec.js
index 26dc25219f4..6b5ba45ad0a 100644
--- a/packages/dd-trace/test/appsec/rasp/ssrf.express.plugin.spec.js
+++ b/packages/dd-trace/test/appsec/rasp/ssrf.express.plugin.spec.js
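Review bot: In the new `outgoingUrl` line of analyzeSsrf, `format(ctx.args.options.uri)` runs on whatever the application placed in `options.uri`; `uri` is not an option Node's own http client reads, so it can hold any type, and `url.format` throws a TypeError for anything that is neither a string nor an object. Unless the channel plumbing outside this hunk catches subscriber errors, that exception lands in the instrumented application's outgoing request instead of the check quietly degrading to the previous `ctx.args.uri` path, which is the wrong failure mode for a detection hook. A type guard with a fallback keeps the analysis best-effort, as sketched below. The line also deserves a short comment on why `options.uri` takes precedence over `ctx.args.uri` (presumably because `request` stores its parsed target there and hands the whole object to http.request — confirm), since whenever the two disagree the address given to the WAF is no longer the destination actually contacted. The remainder of analyzeSsrf, after `waf.run`, lies outside the hunk.
```javascript
function analyzeSsrf (ctx) {
  // … unchanged: store / req lookup …
  // `request` keeps its parsed target in options.uri and hands the whole object
  // to http.request (presumably why it wins over ctx.args.uri — confirm); fall
  // back to the instrumentation-derived uri when it is absent or unusable.
  let outgoingUrl = ctx.args.uri
  const optionsUri = ctx.args.options?.uri
  if (typeof optionsUri === 'string' || (optionsUri !== null && typeof optionsUri === 'object')) {
    try {
      outgoingUrl = format(optionsUri)
    } catch {
      // a malformed option must not abort the application's outgoing request
    }
  }

  if (!req || !outgoingUrl) return
  // … unchanged: persistent address map and waf.run …
```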
@@ -162,6 +162,49 @@ describe('RASP - ssrf', () => {
 })
 })
 })
+
+ describe('Test using request', () => {
+ withVersions('express', 'request', requestVersion => {
+ let requestToTest
+
+ beforeEach(() => {
+ requestToTest = require(`../../../../../versions/request@${requestVersion}`).get()
+ })
+
+ it('Should not detect threat', async () => {
+ app = (req, res) => {
+ requestToTest.get(`https://${req.query.host}`).on('response', () => {
+ res.end('end')
+ })
+ }
+
+ axios.get('/?host=www.datadoghq.com')
+
+ return checkRaspExecutedAndNotThreat(agent)
+ })
+
+ it('Should detect threat doing a GET request', async () => {
+ app = async (req, res) => {
+ try {
+ requestToTest.get(`https://${req.query.host}`)
+ .on('error', (e) => {
+ if (e.message === 'DatadogRaspAbortError') {
+ res.writeHead(500)
+ }
+ res.end('end')
+ })
+ } catch (e) {
+ if (e.cause.message === 'DatadogRaspAbortError') {
+ res.writeHead(500)
+ }
+ res.end('end')
+ }
+ }
+
+ await testBlockingRequest()
+ })
+ })
+ })
 })
 })
diff --git a/packages/dd-trace/test/plugins/externals.json b/packages/dd-trace/test/plugins/externals.json
index 78373b16daa..e3d3e696a1c 100644
--- a/packages/dd-trace/test/plugins/externals.json
+++ b/packages/dd-trace/test/plugins/externals.json
@@ -65,6 +65,10 @@
 {
 "name": "cookie-parser",
 "versions": [">=1.4.6"]
+ },
+ {
+ "name": "request",
+ "versions": ["2.88.2"]
 }
 ],
 "express-mongo-sanitize": [
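Review bot: In the 'Should not detect threat' case the `axios.get('/?host=www.datadoghq.com')` promise is neither awaited nor given a rejection handler, so a failed request surfaces as an unhandled rejection rather than a test failure; `await Promise.all([axios.get('/?host=www.datadoghq.com'), checkRaspExecutedAndNotThreat(agent)])` ties it to the assertion. Both new cases also have the app perform a real outbound request to `https://www.datadoghq.com`, which makes the suite depend on network reachability; a local listener or a stubbed `request` instance would keep it hermetic. In the catch branch of the second case, `e.cause.message` throws a TypeError when the caught error carries no `cause`, leaving the response hanging; `if (e.cause?.message === 'DatadogRaspAbortError') {` avoids that. The enclosing describe blocks open before the hunk.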