SHI exploit prevention on one sink for java.lang.Runtime.exec(java.lang.String)

Author: jandro996

dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/AppSecConfigServiceImpl.java

@@ -12,6 +12,7 @@
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_HEADER_FINGERPRINT;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_IP_BLOCKING;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_NETWORK_FINGERPRINT;
+import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_RASP_SHI;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_RASP_SQLI;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_RASP_SSRF;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_REQUEST_BLOCKING;
@@ -116,6 +117,7 @@ private void subscribeConfigurationPoller() {
     if (tracerConfig.isAppSecRaspEnabled()) {
       capabilities |= CAPABILITY_ASM_RASP_SQLI;
       capabilities |= CAPABILITY_ASM_RASP_SSRF;
+      capabilities |= CAPABILITY_ASM_RASP_SHI;
     }
     this.configurationPoller.addCapabilities(capabilities);
   }
@@ -359,6 +361,7 @@ public void close() {
             | CAPABILITY_ASM_API_SECURITY_SAMPLE_RATE
             | CAPABILITY_ASM_RASP_SQLI
             | CAPABILITY_ASM_RASP_SSRF
+            | CAPABILITY_ASM_RASP_SHI
             | CAPABILITY_ASM_AUTO_USER_INSTRUM_MODE
             | CAPABILITY_ENDPOINT_FINGERPRINT
             // TODO enable when usr.id and usr.session_id addresses are added

dd-java-agent/appsec/src/main/java/com/datadog/appsec/event/data/KnownAddresses.java

@@ -125,6 +125,9 @@ public interface KnownAddresses {
 
   Address<Map<String, Object>> WAF_CONTEXT_PROCESSOR = new Address<>("waf.context.processor");
 
+  /** The Shell command being executed */
+  Address<String> SHELL_CMD = new Address<>("server.sys.shell.cmd");
+
   static Address<?> forName(String name) {
     switch (name) {
       case "server.request.body":

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java

@@ -85,6 +85,7 @@ public class GatewayBridge {
   private volatile DataSubscriberInfo requestEndSubInfo;
   private volatile DataSubscriberInfo dbSqlQuerySubInfo;
   private volatile DataSubscriberInfo ioNetUrlSubInfo;
+  private volatile DataSubscriberInfo shellCmdSubInfo;
 
   public GatewayBridge(
       SubscriptionService subscriptionService,
@@ -124,6 +125,7 @@ public void init() {
     subscriptionService.registerCallback(EVENTS.databaseConnection(), this::onDatabaseConnection);
     subscriptionService.registerCallback(EVENTS.databaseSqlQuery(), this::onDatabaseSqlQuery);
     subscriptionService.registerCallback(EVENTS.networkConnection(), this::onNetworkConnection);
+    subscriptionService.registerCallback(EVENTS.shellCmd(), this::onShellCmd);
 
     if (additionalIGEvents.contains(EVENTS.requestPathParams())) {
       subscriptionService.registerCallback(EVENTS.requestPathParams(), this::onRequestPathParams);
@@ -159,6 +161,31 @@ private Flow<Void> onNetworkConnection(RequestContext ctx_, String url) {
     }
   }
 
+  private Flow<Void> onShellCmd(RequestContext ctx_, String command) {
+    AppSecRequestContext ctx = ctx_.getData(RequestContextSlot.APPSEC);
+    if (ctx == null) {
+      return NoopFlow.INSTANCE;
+    }
+    while (true) {
+      DataSubscriberInfo subInfo = shellCmdSubInfo;
+      if (subInfo == null) {
+        subInfo = producerService.getDataSubscribers(KnownAddresses.SHELL_CMD);
+        shellCmdSubInfo = subInfo;
+      }
+      if (subInfo == null || subInfo.isEmpty()) {
+        return NoopFlow.INSTANCE;
+      }
+      DataBundle bundle =
+          new MapDataBundle.Builder(CAPACITY_0_2).add(KnownAddresses.SHELL_CMD, command).build();
+      try {
+        GatewayContext gwCtx = new GatewayContext(true, RuleType.SHI);
+        return producerService.publishDataEvent(subInfo, ctx, bundle, gwCtx);
+      } catch (ExpiredSubscriberInfoException e) {
+        shellCmdSubInfo = null;
+      }
+    }
+  }
+
   private Flow<Void> onDatabaseSqlQuery(RequestContext ctx_, String sql) {
     AppSecRequestContext ctx = ctx_.getData(RequestContextSlot.APPSEC);
     if (ctx == null) {

dd-java-agent/appsec/src/main/java/com/datadog/appsec/powerwaf/PowerWAFModule.java

@@ -403,6 +403,7 @@ private static Collection<Address<?>> getUsedAddresses(PowerwafContext ctx) {
     addressList.add(KnownAddresses.DB_TYPE);
     addressList.add(KnownAddresses.DB_SQL_QUERY);
     addressList.add(KnownAddresses.IO_NET_URL);
+    addressList.add(KnownAddresses.SHELL_CMD);
 
     return addressList;
   }

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/config/AppSecConfigServiceImplSpecification.groovy

@@ -3,6 +3,7 @@ package com.datadog.appsec.config
 import com.datadog.appsec.AppSecSystem
 import com.datadog.appsec.api.security.ApiSecurityRequestSampler
 import com.datadog.appsec.util.AbortStartupException
+import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_RASP_SHI
 import datadog.remoteconfig.ConfigurationChangesTypedListener
 import datadog.remoteconfig.ConfigurationDeserializer
 import datadog.remoteconfig.ConfigurationEndListener
@@ -269,6 +270,7 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
       | CAPABILITY_ASM_TRUSTED_IPS
       | CAPABILITY_ASM_RASP_SQLI
       | CAPABILITY_ASM_RASP_SSRF
+      | CAPABILITY_ASM_RASP_SHI
       | CAPABILITY_ENDPOINT_FINGERPRINT
       // | CAPABILITY_ASM_SESSION_FINGERPRINT
       | CAPABILITY_ASM_NETWORK_FINGERPRINT
@@ -420,6 +422,7 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
       | CAPABILITY_ASM_TRUSTED_IPS
       | CAPABILITY_ASM_RASP_SQLI
       | CAPABILITY_ASM_RASP_SSRF
+      | CAPABILITY_ASM_RASP_SHI
       | CAPABILITY_ENDPOINT_FINGERPRINT
       // | CAPABILITY_ASM_SESSION_FINGERPRINT
       | CAPABILITY_ASM_NETWORK_FINGERPRINT
@@ -492,6 +495,7 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
       | CAPABILITY_ASM_API_SECURITY_SAMPLE_RATE
       | CAPABILITY_ASM_RASP_SQLI
       | CAPABILITY_ASM_RASP_SSRF
+      | CAPABILITY_ASM_RASP_SHI
       | CAPABILITY_ASM_AUTO_USER_INSTRUM_MODE
       | CAPABILITY_ENDPOINT_FINGERPRINT
       // | CAPABILITY_ASM_SESSION_FINGERPRINT

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy

@@ -82,6 +82,7 @@ class GatewayBridgeSpecification extends DDSpecification {
   BiConsumer<RequestContext, String> databaseConnectionCB
   BiFunction<RequestContext, String, Flow<Void>> databaseSqlQueryCB
   BiFunction<RequestContext, String, Flow<Void>> networkConnectionCB
+  BiFunction<RequestContext, String, Flow<Void>> shellCmdCB
 
   void setup() {
     callInitAndCaptureCBs()
@@ -416,6 +417,7 @@ class GatewayBridgeSpecification extends DDSpecification {
     1 * ig.registerCallback(EVENTS.databaseConnection(), _) >> { databaseConnectionCB = it[1]; null }
     1 * ig.registerCallback(EVENTS.databaseSqlQuery(), _) >> { databaseSqlQueryCB = it[1]; null }
     1 * ig.registerCallback(EVENTS.networkConnection(), _) >> { networkConnectionCB = it[1]; null }
+    1 * ig.registerCallback(EVENTS.shellCmd(), _) >> { shellCmdCB = it[1]; null }
     0 * ig.registerCallback(_, _)
 
     bridge.init()
@@ -798,6 +800,26 @@ class GatewayBridgeSpecification extends DDSpecification {
     gatewayContext.isRasp == true
   }
 
+  void 'process shell cmd'() {
+    setup:
+    final cmd = '&lt;!--#exec%20cmd=&quot;/bin/cat%20/etc/passwd&quot;--&gt;'
+    eventDispatcher.getDataSubscribers({ KnownAddresses.SHELL_CMD in it }) >> nonEmptyDsInfo
+    DataBundle bundle
+    GatewayContext gatewayContext
+
+    when:
+    Flow<?> flow = shellCmdCB.apply(ctx, cmd)
+
+    then:
+    1 * eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >>
+    { a, b, db, gw -> bundle = db; gatewayContext = gw; NoopFlow.INSTANCE }
+    bundle.get(KnownAddresses.SHELL_CMD) == cmd
+    flow.result == null
+    flow.action == Flow.Action.Noop.INSTANCE
+    gatewayContext.isTransient == true
+    gatewayContext.isRasp == true
+  }
+
   void 'calls trace segment post processor'() {
     setup:
     AgentSpan span = Stub()

dd-java-agent/instrumentation/java-lang/src/main/java/datadog/trace/instrumentation/java/lang/RuntimeCallSite.java

@@ -1,6 +1,7 @@
 package datadog.trace.instrumentation.java.lang;
 
 import datadog.trace.agent.tooling.csi.CallSite;
+import datadog.trace.api.appsec.RaspCallSites;
 import datadog.trace.api.iast.IastCallSites;
 import datadog.trace.api.iast.InstrumentationBridge;
 import datadog.trace.api.iast.Sink;
@@ -10,20 +11,16 @@
 import javax.annotation.Nullable;
 
 @Sink(VulnerabilityTypes.COMMAND_INJECTION)
-@CallSite(spi = IastCallSites.class)
+@CallSite(
+    spi = {IastCallSites.class, RaspCallSites.class},
+    helpers = ShellCmdRaspHelper.class)
 public class RuntimeCallSite {
 
   @CallSite.Before("java.lang.Process java.lang.Runtime.exec(java.lang.String)")
   public static void beforeStart(@CallSite.Argument @Nullable final String command) {
     if (command != null) { // runtime fails if null
-      final CommandInjectionModule module = InstrumentationBridge.COMMAND_INJECTION;
-      if (module != null) {
-        try {
-          module.onRuntimeExec(command);
-        } catch (final Throwable e) {
-          module.onUnexpectedException("beforeExec threw", e);
-        }
-      }
+      iastCallback(command);
+      raspCallback(command);
     }
   }
 
@@ -109,4 +106,19 @@ public static void beforeExec(
       }
     }
   }
+
+  private static void iastCallback(String command) {
+    final CommandInjectionModule module = InstrumentationBridge.COMMAND_INJECTION;
+    if (module != null) {
+      try {
+        module.onRuntimeExec(command);
+      } catch (final Throwable e) {
+        module.onUnexpectedException("beforeExec threw", e);
+      }
+    }
+  }
+
+  private static void raspCallback(String command) {
+    ShellCmdRaspHelper.INSTANCE.beforeShellCmd(command);
+  }
 }

dd-java-agent/instrumentation/java-lang/src/main/java/datadog/trace/instrumentation/java/lang/ShellCmdRaspHelper.java

@@ -0,0 +1,74 @@
+package datadog.trace.instrumentation.java.lang;
+
+import static datadog.trace.api.gateway.Events.EVENTS;
+
+import datadog.appsec.api.blocking.BlockingException;
+import datadog.trace.api.Config;
+import datadog.trace.api.gateway.BlockResponseFunction;
+import datadog.trace.api.gateway.Flow;
+import datadog.trace.api.gateway.RequestContext;
+import datadog.trace.api.gateway.RequestContextSlot;
+import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
+import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
+import java.util.function.BiFunction;
+import javax.annotation.Nonnull;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class ShellCmdRaspHelper {
+
+  public static ShellCmdRaspHelper INSTANCE = new ShellCmdRaspHelper();
+
+  private static final Logger LOGGER = LoggerFactory.getLogger(ShellCmdRaspHelper.class);
+
+  private ShellCmdRaspHelper() {
+    // prevent instantiation
+  }
+
+  public void beforeShellCmd(@Nonnull final String cmd) {
+    if (!Config.get().isAppSecRaspEnabled()) {
+      return;
+    }
+    try {
+      final BiFunction<RequestContext, String, Flow<Void>> shellCmdCallback =
+          AgentTracer.get()
+              .getCallbackProvider(RequestContextSlot.APPSEC)
+              .getCallback(EVENTS.shellCmd());
+
+      if (shellCmdCallback == null) {
+        return;
+      }
+
+      final AgentSpan span = AgentTracer.get().activeSpan();
+      if (span == null) {
+        return;
+      }
+
+      final RequestContext ctx = span.getRequestContext();
+      if (ctx == null) {
+        return;
+      }
+
+      Flow<Void> flow = shellCmdCallback.apply(ctx, cmd);
+      Flow.Action action = flow.getAction();
+      if (action instanceof Flow.Action.RequestBlockingAction) {
+        BlockResponseFunction brf = ctx.getBlockResponseFunction();
+        if (brf != null) {
+          Flow.Action.RequestBlockingAction rba = (Flow.Action.RequestBlockingAction) action;
+          brf.tryCommitBlockingResponse(
+              ctx.getTraceSegment(),
+              rba.getStatusCode(),
+              rba.getBlockingContentType(),
+              rba.getExtraHeaders());
+        }
+        throw new BlockingException("Blocked request (for SHI attempt)");
+      }
+    } catch (final BlockingException e) {
+      // re-throw blocking exceptions
+      throw e;
+    } catch (final Throwable e) {
+      // suppress anything else
+      LOGGER.debug("Exception during SHI rasp callback", e);
+    }
+  }
+}

dd-java-agent/instrumentation/java-lang/src/test/groovy/datadog/trace/instrumentation/java/lang/ShellCmdRaspHelperForkedTest.groovy

@@ -0,0 +1,73 @@
+package datadog.trace.instrumentation.java.lang
+
+import datadog.trace.agent.test.AgentTestRunner
+import datadog.trace.api.config.AppSecConfig
+import datadog.trace.api.config.IastConfig
+import datadog.trace.api.gateway.CallbackProvider
+import datadog.trace.api.gateway.Flow
+import datadog.trace.api.gateway.RequestContext
+import datadog.trace.api.gateway.RequestContextSlot
+import datadog.trace.api.internal.TraceSegment
+import datadog.trace.bootstrap.instrumentation.api.AgentSpan
+import datadog.trace.bootstrap.instrumentation.api.AgentTracer
+import spock.lang.Shared
+
+import java.util.function.BiFunction
+
+import static datadog.trace.api.gateway.Events.EVENTS
+
+class ShellCmdRaspHelperForkedTest  extends  AgentTestRunner {
+
+  @Shared
+  protected static final ORIGINAL_TRACER = AgentTracer.get()
+
+  protected traceSegment
+  protected reqCtx
+  protected span
+  protected tracer
+
+  void setup() {
+    traceSegment = Stub(TraceSegment)
+    reqCtx = Stub(RequestContext) {
+      getTraceSegment() >> traceSegment
+    }
+    span = Stub(AgentSpan) {
+      getRequestContext() >> reqCtx
+    }
+    tracer = Stub(AgentTracer.TracerAPI) {
+      activeSpan() >> span
+    }
+    AgentTracer.forceRegister(tracer)
+  }
+
+  void cleanup() {
+    AgentTracer.forceRegister(ORIGINAL_TRACER)
+  }
+
+  @Override
+  protected void configurePreAgent() {
+    injectSysConfig(IastConfig.IAST_ENABLED, 'true')
+    injectSysConfig(AppSecConfig.APPSEC_ENABLED, 'true')
+    injectSysConfig(AppSecConfig.APPSEC_RASP_ENABLED, 'true')
+  }
+
+  void 'test Helper'() {
+
+    setup:
+    final callbackProvider = Mock(CallbackProvider)
+    final listener = Mock(BiFunction)
+    final flow = Mock(Flow)
+    tracer.getCallbackProvider(RequestContextSlot.APPSEC) >> callbackProvider
+
+    when:
+    ShellCmdRaspHelper.INSTANCE.beforeShellCmd(*args)
+
+    then:
+    1 * callbackProvider.getCallback(EVENTS.shellCmd()) >> listener
+    1 * listener.apply(reqCtx, expected) >> flow
+
+    where:
+    args                                                            | expected
+    ['<!--#exec%20cmd="/bin/cat%20/etc/passwd"-->'] | '<!--#exec%20cmd="/bin/cat%20/etc/passwd"-->'
+  }
+}

dd-smoke-tests/appsec/springboot/src/main/java/datadog/smoketest/appsec/springboot/controller/WebController.java

@@ -56,4 +56,27 @@ public String ssrfQuery(@RequestParam("domain") String domain) {
     }
     return "EXECUTED";
   }
+
+  @GetMapping("/shi/cmd")
+  public String shiCmd(@RequestParam("cmd") String cmd) {
+    withProcess(() -> Runtime.getRuntime().exec(cmd));
+    return "EXECUTED";
+  }
+
+  private void withProcess(final Operation<Process> op) {
+    Process process = null;
+    try {
+      process = op.run();
+    } catch (final Throwable e) {
+      // ignore it
+    } finally {
+      if (process != null && process.isAlive()) {
+        process.destroyForcibly();
+      }
+    }
+  }
+
+  private interface Operation<E> {
+    E run() throws Throwable;
+  }
 }