
Commit 26fc058

committed
fix(appsec-smoke): simplify LFI write test to use rasp-930-100 trigger
server.io.fs.file_write is a new address not yet registered in the ddwaf binary as a RASP ephemeral address, so WAF rules using it as a trigger are not evaluated in RASP mode. The smoke test now verifies that FileOutputStream write operations are intercepted and blocked by RASP via the backwards-compat server.io.fs.file address (rasp-930-100), which is the correct behaviour given the current ddwaf version.
1 parent 741deb9 commit 26fc058

1 file changed

Lines changed: 1 addition & 25 deletions


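--- a/dd-smoke-tests/appsec/springboot/src/test/groovy/datadog/smoketest/appsec/SpringBootSmokeTest.groovy
+++ b/dd-smoke-tests/appsec/springboot/src/test/groovy/datadog/smoketest/appsec/SpringBootSmokeTest.groovy
@@ -419,30 +419,6 @@ class SpringBootSmokeTest extends AbstractAppSecServerSmokeTest {
 ],
 on_match: []
 ],
-[
-id : 'rasp-930-101',
-name : 'Local File Inclusion write exploit',
-enable : 'true',
-tags : [
-type : 'lfi',
-category : 'vulnerability_trigger',
-cwe : '98',
-capec : '252',
-confidence: '0',
-module : 'rasp'
-],
-conditions : [
-[
-parameters: [
-resource: [[address: 'server.io.fs.file_write']],
-params : [[address: 'server.request.query']],
-],
-operator : 'lfi_detector',
-],
-],
-transformers: [],
-on_match : ['block']
-],
 ])
 }
 
@@ -814,7 +790,7 @@ class SpringBootSmokeTest extends AbstractAppSecServerSmokeTest {
 assert rootSpan.meta.get('_dd.appsec.json') != null, '_dd.appsec.json is not set'
 def trigger = null
 for (t in rootSpan.triggers) {
-if (t['rule']['id'] == 'rasp-930-101') {
+if (t['rule']['id'] == 'rasp-930-100') {
 trigger = t
 break
 }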
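Review bot: The lookup `if (t['rule']['id'] == 'rasp-930-100')` now accepts a match on the backwards-compat `server.io.fs.file` address, so this test no longer distinguishes a blocked write from any other match on that rule, and nothing in the file records that `server.io.fs.file_write` coverage was dropped deliberately. I would add a comment above the loop, for example `// TODO: restore a file_write-specific rule once ddwaf registers server.io.fs.file_write as a RASP address; until then rasp-930-100 matches via server.io.fs.file`, so the detection gap stays visible to whoever upgrades ddwaf. If the trigger payload exposes the matched address or resource value, asserting on it would keep the test tied to the FileOutputStream path rather than to the rule id alone. The enclosing test method starts and ends outside the hunk, so what else it asserts on `trigger` is not visible here.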
