Exploit prevention Shell injection #4792
Conversation
Overall package sizeSelf size: 7.63 MB Dependency sizes| name | version | self size | total size | |------|---------|-----------|------------| | @datadog/native-appsec | 8.2.1 | 19.18 MB | 19.19 MB | | @datadog/native-iast-taint-tracking | 3.1.0 | 12.27 MB | 12.28 MB | | @datadog/pprof | 5.3.0 | 9.85 MB | 10.22 MB | | protobufjs | 7.2.5 | 2.77 MB | 5.16 MB | | @datadog/native-iast-rewriter | 2.5.0 | 2.51 MB | 2.65 MB | | @opentelemetry/core | 1.14.0 | 872.87 kB | 1.47 MB | | @datadog/native-metrics | 2.0.0 | 898.77 kB | 1.3 MB | | @opentelemetry/api | 1.8.0 | 1.21 MB | 1.21 MB | | import-in-the-middle | 1.11.2 | 112.74 kB | 826.22 kB | | msgpack-lite | 0.1.26 | 201.16 kB | 281.59 kB | | opentracing | 0.14.7 | 194.81 kB | 194.81 kB | | lru-cache | 7.18.3 | 133.92 kB | 133.92 kB | | pprof-format | 2.1.0 | 111.69 kB | 111.69 kB | | @datadog/sketches-js | 2.1.0 | 109.9 kB | 109.9 kB | | semver | 7.6.3 | 95.82 kB | 95.82 kB | | lodash.sortby | 4.7.0 | 75.76 kB | 75.76 kB | | ignore | 5.3.1 | 51.46 kB | 51.46 kB | | int64-buffer | 0.1.10 | 49.18 kB | 49.18 kB | | shell-quote | 1.8.1 | 44.96 kB | 44.96 kB | | istanbul-lib-coverage | 3.2.0 | 29.34 kB | 29.34 kB | | rfdc | 1.3.1 | 25.21 kB | 25.21 kB | | tlhunter-sorted-set | 0.1.0 | 24.94 kB | 24.94 kB | | limiter | 1.1.5 | 23.17 kB | 23.17 kB | | dc-polyfill | 0.1.4 | 23.1 kB | 23.1 kB | | retry | 0.13.1 | 18.85 kB | 18.85 kB | | jest-docblock | 29.7.0 | 8.99 kB | 12.76 kB | | crypto-randomuuid | 1.0.0 | 11.18 kB | 11.18 kB | | koalas | 1.0.2 | 6.47 kB | 6.47 kB | | path-to-regexp | 0.1.10 | 6.38 kB | 6.38 kB | | module-details-from-path | 1.0.3 | 4.47 kB | 4.47 kB |🤖 This report was automatically generated by heaviest-objects-in-the-universe |
BenchmarksBenchmark execution time: 2024-10-23 16:36:44 Comparing candidate commit 2f883f2 in PR branch Found 0 performance improvements and 0 performance regressions! Performance is the same for 257 metrics, 9 unstable metrics. |
uurien
force-pushed
the
ugaitz/exploit-prevention-shi
branch
from
2ad2e1a
to
bb44404
Compare
uurien
force-pushed
the
ugaitz/exploit-prevention-shi
branch
from
97ca924
to
b039787
Compare
| }, | ||
| this, | ||
| ...arguments) | ||
| const context = { |
There was a problem hiding this comment.
tracePromise does not support abortController to prevent call to the original function and reject a promise
|
|
||
| async function testBlockingRequest () { | ||
| try { | ||
| await axios.get('/?dir=$(cat /etc/passwd 1>%262 ; echo .)') |
There was a problem hiding this comment.
%26 is &, without encoding it axios was understanding that we had 2 params: dir=$(cat /etc/passwd 1> and 2 ; echo .) (without value)
There was a problem hiding this comment.
I see some mesclun with naming. These changes are for detecting/blocking shell injection exploits, but files are named after command injection, as well as the RASP rule type
Is it something we can change to keep the consistency or I am missing something?
shell injection is a subset into command injection. For now, rule is called "command_injection", that is the reason that I used mostly command injection. I used SHI for capability, and the tests. In the future when we support whole command injection, we will continue having only one I'm not superhappy with the solution, but as you said, rule is called command-injection and the capability is called SHI... and currently it only works with shell. |
What does this PR do?
Modifies child_process instrumentation to add support for abortController and send file and fileArgs in separate properties, not only in command al together.
With this new extra info, call to the waf and block the operation and request if needed.
Checklist
Additional Notes
APPSEC-52417