Module: Datadog::AppSec::Contrib::RestClient::RequestSSRFDetectionPatch

Defined in:

lib/datadog/appsec/contrib/rest_client/request_ssrf_detection_patch.rb

Overview

Module that adds SSRF detection to RestClient::Request#execute

Constant Summary

REDIRECT_STATUS_CODES =

(300..399).freeze

Instance Method Summary

• #execute(&block) ⇒ Object
• #process_response(response, sample_body:) ⇒ Object

Instance Method Details

#execute(&block) ⇒ Object

# File 'lib/datadog/appsec/contrib/rest_client/request_ssrf_detection_patch.rb', line 17

def execute(&block)
  context = AppSec.active_context
  return super unless context && AppSec.rasp_enabled?

  headers = normalize_request_headers
  # @type var ephemeral_data: ::Datadog::AppSec::Context::input_data
  ephemeral_data = {
    'server.io.net.url' => url,
    'server.io.net.request.method' => method.to_s.upcase,
    'server.io.net.request.headers' => headers
  }

  is_redirect = context.state[:downstream_redirect_url] == url
  if is_redirect
    context.state.delete(:downstream_redirect_url)
    sample_body = true
  else
    sample_body = mark_body_sampling!(context)
  end

  if !is_redirect && sample_body
    body = parse_body(payload.to_s, content_type: headers['content-type'])
    ephemeral_data['server.io.net.request.body'] = body if body
  end

  timeout = Datadog.configuration.appsec.waf_timeout
  result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, timeout, phase: Ext::RASP_REQUEST_PHASE)
  handle(result, context: context) if result.match?

  # NOTE: RestClient raises exceptions for non-2xx responses. For POST/PUT/PATCH
  #       requests with 3xx redirects, RestClient raises instead of auto-following.
  #       We rescue to process the response before re-raising.
  begin
    response = super
  rescue ::RestClient::Exception => e
    response = e.response
    process_response(response, sample_body: sample_body) if response

    raise
  end

  process_response(response, sample_body: sample_body)
  response
end

#process_response(response, sample_body:) ⇒ Object

# File 'lib/datadog/appsec/contrib/rest_client/request_ssrf_detection_patch.rb', line 62

def process_response(response, sample_body:)
  context = AppSec.active_context
  return unless context

  headers = normalize_response_headers(response)
  # @type var ephemeral_data: ::Datadog::AppSec::Context::input_data
  ephemeral_data = {
    'server.io.net.response.status' => response.code.to_s,
    'server.io.net.response.headers' => headers
  }

  is_redirect = REDIRECT_STATUS_CODES.cover?(response.code.to_i) && headers.key?('location')
  context.state[:downstream_redirect_url] = URI.join(url, headers['location']).to_s if is_redirect && sample_body

  if sample_body && !is_redirect
    body = parse_body(response.body, content_type: headers['content-type'])
    ephemeral_data['server.io.net.response.body'] = body if body
  end

  timeout = Datadog.configuration.appsec.waf_timeout
  result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, timeout, phase: Ext::RASP_RESPONSE_PHASE)
  handle(result, context: context) if result.match?
end