
Commit 6b66dc2

Add file upload WAF rules crs-944-140 and dog-920-100 to default config
Ports two new rules from DataDog/appsec-event-rules#277: - crs-944-140: detects JSP/JSPX script file uploads via server.request.body.filenames and x-filename headers - dog-920-100: detects double-extension file uploads (e.g. file.php.jpg)
1 parent 5ab378f commit 6b66dc2


2 files changed

+110
-1
lines changed


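--- a/dd-java-agent/appsec/src/main/resources/default_config.json
+++ b/dd-java-agent/appsec/src/main/resources/default_config.json
@@ -4528,6 +4528,61 @@
 "lowercase"
 ]
 },
+{
+"id": "crs-944-140",
+"name": "Java Injection Attack: Java Script File Upload Found",
+"tags": {
+"type": "unrestricted_file_upload",
+"crs_id": "944140",
+"category": "attack_attempt",
+"cwe": "434",
+"capec": "1000/152/242",
+"confidence": "1",
+"module": "waf"
+},
+"conditions": [
+{
+"parameters": {
+"inputs": [
+{
+"address": "server.request.body.filenames"
+},
+{
+"address": "server.request.headers.no_cookies",
+"key_path": [
+"x-filename"
+]
+},
+{
+"address": "server.request.headers.no_cookies",
+"key_path": [
+"x_filename"
+]
+},
+{
+"address": "server.request.headers.no_cookies",
+"key_path": [
+"x.filename"
+]
+},
+{
+"address": "server.request.headers.no_cookies",
+"key_path": [
+"x-file-name"
+]
+}
+],
+"regex": "\\.jspx?$",
+"options": {
+"case_sensitive": true,
+"min_length": 5
+}
+},
+"operator": "match_regex"
+}
+],
+"transformers": []
+},
 {
 "id": "crs-944-260",
 "name": "Remote Command Execution: Malicious class-loading payload",
@@ -5457,6 +5512,60 @@
 ],
 "transformers": []
 },
+{
+"id": "dog-920-100",
+"name": "File upload with double extension",
+"tags": {
+"type": "http_protocol_violation",
+"category": "attack_attempt",
+"cwe": "176",
+"capec": "1000/255/153/267/71",
+"confidence": "0",
+"module": "waf"
+},
+"conditions": [
+{
+"parameters": {
+"inputs": [
+{
+"address": "server.request.body.filenames"
+},
+{
+"address": "server.request.headers.no_cookies",
+"key_path": [
+"x-filename"
+]
+},
+{
+"address": "server.request.headers.no_cookies",
+"key_path": [
+"x_filename"
+]
+},
+{
+"address": "server.request.headers.no_cookies",
+"key_path": [
+"x.filename"
+]
+},
+{
+"address": "server.request.headers.no_cookies",
+"key_path": [
+"x-file-name"
+]
+}
+],
+"regex": "\\w\\.[a-zA-Z0-9]{2,5}\\.[a-zA-Z0-9]{2,5}$",
+"options": {
+"case_sensitive": true,
+"min_length": 6
+}
+},
+"operator": "match_regex"
+}
+],
+"transformers": []
+},
 {
 "id": "dog-931-001",
 "name": "RFI: URL Payload to well known RFI target",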
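Review bot: The crs-944-140 rule in the first hunk only matches a lowercase extension: its regex `\\.jspx?$` is combined with `"case_sensitive": true` and `"transformers": []`, so a filename ending in `.JSP` or `.Jsp` is not flagged, while whether such a name is still treated as a JSP by the deployed container depends on the servlet mapping and filesystem and is not visible here. The rule that closes just above the insertion apparently ends its transformer list with `"lowercase"`, so the new rule is also inconsistent with its neighbour. Unless the upstream rule in DataDog/appsec-event-rules#277 deliberately keeps the match case-sensitive, consider `"case_sensitive": false` in the `"options"` object or adding `"lowercase"` to the rule's `"transformers"`. The dog-920-100 rule in the second hunk is less affected because its character classes already cover both cases, but note that its regex also matches benign names such as `archive.tar.gz`; its `"confidence": "0"` reads as monitor-only intent, which is worth confirming against the action configured for it.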

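--- a/dd-smoke-tests/appsec/springboot/src/test/groovy/datadog/smoketest/appsec/SpringBootSmokeTest.groovy
+++ b/dd-smoke-tests/appsec/springboot/src/test/groovy/datadog/smoketest/appsec/SpringBootSmokeTest.groovy
@@ -604,7 +604,7 @@ class SpringBootSmokeTest extends AbstractAppSecServerSmokeTest {
 then:
 rootSpans.size() == 1
 forEachRootSpanTrigger {
-assert it['rule']['id'] == '__test_file_upload_block'
+assert it['rule']['id'] in ['__test_file_upload_block', 'crs-944-140']
 }
 rootSpans.each {
 assert it.meta.get('appsec.blocked') != null, 'appsec.blocked is not set'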
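Review bot: The loosened assertion `assert it['rule']['id'] in ['__test_file_upload_block', 'crs-944-140']` no longer proves that the custom `__test_file_upload_block` rule fired at all: the closure is presumably invoked once per trigger, and each trigger passes if it is either rule, so a run where only crs-944-140 triggers still succeeds. Collecting the IDs first keeps the check strict, e.g. `def ruleIds = [] as Set`, `forEachRootSpanTrigger { ruleIds << it['rule']['id'] }`, `assert ruleIds.contains('__test_file_upload_block') && (ruleIds - ['__test_file_upload_block', 'crs-944-140']).isEmpty()`. Whether crs-944-140 is expected to trigger on every run of this fixture is not visible in the hunk, so the suggested check does not require it. The enclosing test method starts before the hunk and ends after it.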
