diff --git a/dd-smoke-tests/armeria-grpc/src/test/groovy/datadog/smoketest/IastArmeriaSmokeTest.groovy b/dd-smoke-tests/armeria-grpc/src/test/groovy/datadog/smoketest/IastArmeriaSmokeTest.groovy index f5a76df9cb9..f4a44fabd2e 100644 --- a/dd-smoke-tests/armeria-grpc/src/test/groovy/datadog/smoketest/IastArmeriaSmokeTest.groovy +++ b/dd-smoke-tests/armeria-grpc/src/test/groovy/datadog/smoketest/IastArmeriaSmokeTest.groovy @@ -31,9 +31,13 @@ class IastArmeriaSmokeTest extends AbstractIastServerSmokeTest { return processBuilder } + protected boolean withExternalServer() { + true + } + void 'test SSRF detection'() { setup: - final url = 'https://dd.datad0g.com/' + final url = externalServer.address.toString() final request = Iast.Request.newBuilder().setType(Iast.Request.Type.URL) .setUrl(Iast.Request.Url.newBuilder().setValue(url).build()).build() diff --git a/dd-smoke-tests/grpc-1.5/src/test/groovy/datadog/smoketest/IastGrpcSmokeTest.groovy b/dd-smoke-tests/grpc-1.5/src/test/groovy/datadog/smoketest/IastGrpcSmokeTest.groovy index 34ac068b907..3ea36d0da8a 100644 --- a/dd-smoke-tests/grpc-1.5/src/test/groovy/datadog/smoketest/IastGrpcSmokeTest.groovy +++ b/dd-smoke-tests/grpc-1.5/src/test/groovy/datadog/smoketest/IastGrpcSmokeTest.groovy @@ -29,9 +29,14 @@ class IastGrpcSmokeTest extends AbstractIastServerSmokeTest { return processBuilder } + @Override + boolean withExternalServer() { + true + } + void 'test SSRF detection'() { setup: - final url = 'https://dd.datad0g.com/' + final url = externalServer.address.toString() final request = Iast.Request.newBuilder().setType(Iast.Request.Type.URL) .setUrl(Iast.Request.Url.newBuilder().setValue(url).build()).build() diff --git a/dd-smoke-tests/iast-util/iast-util-11/src/testFixtures/groovy/datadog/smoketest/AbstractIast11SpringBootTest.groovy b/dd-smoke-tests/iast-util/iast-util-11/src/testFixtures/groovy/datadog/smoketest/AbstractIast11SpringBootTest.groovy index c34a9bfaa30..861125d27b9 100644 
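Review bot: The new hook in IastArmeriaSmokeTest is declared `protected boolean withExternalServer()` without `@Override`, while the IastGrpcSmokeTest hunk right after it writes `@Override boolean withExternalServer()` with no modifier, which Groovy treats as public and so widens the base class's `protected` method. The other subclasses in this commit use `@Override protected boolean withExternalServer()`. Using that form in both files means a later rename of the base hook becomes a compile error here, rather than a null `externalServer` when `'test SSRF detection'` runs. Both class bodies continue outside the hunks.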
--- a/dd-smoke-tests/iast-util/iast-util-11/src/testFixtures/groovy/datadog/smoketest/AbstractIast11SpringBootTest.groovy +++ b/dd-smoke-tests/iast-util/iast-util-11/src/testFixtures/groovy/datadog/smoketest/AbstractIast11SpringBootTest.groovy @@ -33,6 +33,11 @@ abstract class AbstractIast11SpringBootTest extends AbstractIastServerSmokeTest ] } + @Override + protected boolean withExternalServer() { + true + } + void 'ssrf is present (#path)'() { setup: final url = "http://localhost:${httpPort}/ssrf/${path}" @@ -60,9 +65,9 @@ abstract class AbstractIast11SpringBootTest extends AbstractIastServerSmokeTest } where: - path | parameter | value | async | promise - "java-net" | "url" | "https://dd.datad0g.com/" | "false" | "false" - "java-net" | "url" | "https://dd.datad0g.com/" | "true" | "false" - "java-net" | "url" | "https://dd.datad0g.com/" | "true" | "true" + path | parameter | value | async | promise + "java-net" | "url" | externalServer.address.toString() | "false" | "false" + "java-net" | "url" | externalServer.address.toString() | "true" | "false" + "java-net" | "url" | externalServer.address.toString() | "true" | "true" } } diff --git a/dd-smoke-tests/iast-util/src/testFixtures/groovy/datadog/smoketest/AbstractIastServerSmokeTest.groovy b/dd-smoke-tests/iast-util/src/testFixtures/groovy/datadog/smoketest/AbstractIastServerSmokeTest.groovy index 97f6ff8defd..d6e16b40467 100644 --- a/dd-smoke-tests/iast-util/src/testFixtures/groovy/datadog/smoketest/AbstractIastServerSmokeTest.groovy +++ b/dd-smoke-tests/iast-util/src/testFixtures/groovy/datadog/smoketest/AbstractIastServerSmokeTest.groovy 
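Review bot: The three `value` cells in the `where:` table now use `externalServer.address.toString()`, whereas the literal they replace ended in `/` and the apache/okHttp table in AbstractIastSpringBootTest appends the slash explicitly as `"$externalServer.address/"`. If `address` renders without a trailing slash, the tainted value differs in shape from the one it replaces; whether the assertions depend on that is decided in the test body, which lies outside this hunk. The same spelling appears in the two `'test SSRF detection'` hunks and in the first `where:` table of AbstractIastSpringBootTest. Choosing one form for all of them, for example `"$externalServer.address/"`, keeps the SSRF evidence strings comparable across suites.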
@@ -1,14 +1,18 @@ package datadog.smoketest +import static datadog.trace.agent.test.server.http.TestHttpServer.httpServer + import datadog.smoketest.model.TaintedObject import datadog.smoketest.model.Vulnerability import datadog.smoketest.model.Vulnerability.Source +import datadog.trace.agent.test.server.http.TestHttpServer import groovy.json.JsonBuilder import groovy.json.JsonSlurper import groovy.transform.CompileDynamic import groovy.transform.stc.ClosureParams import groovy.transform.stc.SimpleType import org.spockframework.runtime.SpockTimeoutError +import spock.lang.AutoCleanup import spock.lang.Shared import spock.util.concurrent.PollingConditions @@ -33,6 +37,17 @@ abstract class AbstractIastServerSmokeTest extends AbstractServerSmokeTest { return {} // force traces decoding } + @AutoCleanup + @Shared + TestHttpServer externalServer = withExternalServer() ? httpServer { + handlers { + prefix('/') { + String msg = "Hello." + response.status(200).send(msg) + } + } + } : null + def setupSpec() { try { processTestLogLines { it.contains(IAST_STARTED_MSG) } @@ -246,4 +261,8 @@ abstract class AbstractIastServerSmokeTest extends AbstractServerSmokeTest { } return vulnerabilities } + + protected boolean withExternalServer() { + false + } } diff --git a/dd-smoke-tests/iast-util/src/testFixtures/groovy/datadog/smoketest/AbstractIastSpringBootTest.groovy b/dd-smoke-tests/iast-util/src/testFixtures/groovy/datadog/smoketest/AbstractIastSpringBootTest.groovy index 69244b061cb..911a8bf8fc3 100644 --- a/dd-smoke-tests/iast-util/src/testFixtures/groovy/datadog/smoketest/AbstractIastSpringBootTest.groovy +++ b/dd-smoke-tests/iast-util/src/testFixtures/groovy/datadog/smoketest/AbstractIastSpringBootTest.groovy 
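Review bot: `externalServer` stays `null` unless a subclass overrides `withExternalServer()`, and neither the field nor the hook at the end of the class says so. A `where:` table that dereferences `externalServer.address` in a suite that forgot the override therefore fails with a NullPointerException instead of a readable message. I would add a comment on the field such as `// Local stand-in for the outbound target of SSRF tests; null unless withExternalServer() returns true`, and a one-line Groovydoc on the hook, `/** Return true to start the shared local HTTP server used as the SSRF request target. */`. The comment is also the place to record that the server exists so smoke tests send no request to a real external host.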
@@ -41,6 +41,11 @@ abstract class AbstractIastSpringBootTest extends AbstractIastServerSmokeTest { ] } + @Override + protected boolean withExternalServer() { + true + } + @Override boolean isErrorLog(String log) { if (log.contains('no such algorithm: DES for provider SUN')) { @@ -777,10 +782,10 @@ abstract class AbstractIastSpringBootTest extends AbstractIastServerSmokeTest { where: path | parameter | value - '' | 'url' | 'https://dd.datad0g.com/' - '' | 'host' | 'dd.datad0g.com' - '/uri' | 'url' | 'https://dd.datad0g.com/' - '/uri' | 'host' | 'dd.datad0g.com' + '' | 'url' | externalServer.address.toString() + '' | 'host' | externalServer.address.host + '/uri' | 'url' | externalServer.address.toString() + '/uri' | 'host' | externalServer.address.host } void 'ssrf is present (#path) (#parameter)'() { 
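Review bot: The `host` rows pass `externalServer.address.host`, which carries only the hostname and drops the port the test server listens on. If the endpoint builds its URL from that host alone (the controller is not part of this diff), the outbound request goes to the default port on that host rather than to the stand-in server, so it either fails to connect or reaches whatever else listens there on the build machine. The `host` rows of the apache-httpclient table in the next hunk have the same shape. If the endpoints can accept it, passing the authority (assuming `address` is a `java.net.URI`, `externalServer.address.authority`) or adding a port parameter would keep every SSRF request on the test server.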
@@ -818,18 +823,18 @@ abstract class AbstractIastSpringBootTest extends AbstractIastServerSmokeTest { } where: - path | parameter | value | protocolSecure | endSlash - "apache-httpclient4" | "url" | "https://dd.datad0g.com/" | true | true - "apache-httpclient4" | "host" | "dd.datad0g.com" | false | false - "apache-httpasyncclient" | "url" | "https://dd.datad0g.com/" | true | true - "apache-httpasyncclient" | "urlProducer" | "https://dd.datad0g.com/" | true | true - "apache-httpasyncclient" | "host" | "dd.datad0g.com" | false | false - "apache-httpclient5" | "url" | "https://dd.datad0g.com/" | true | true - "apache-httpclient5" | "urlHandler" | "https://dd.datad0g.com/" | true | true - "apache-httpclient5" | "host" | "dd.datad0g.com" | false | true - "commons-httpclient2" | "url" | "https://dd.datad0g.com/" | true | true - "okHttp2" | "url" | "https://dd.datad0g.com/" | true | true - "okHttp3" | "url" | "https://dd.datad0g.com/" | true | true + path | parameter | value | protocolSecure | endSlash + "apache-httpclient4" | "url" | "$externalServer.address/" | true | true + "apache-httpclient4" | "host" | externalServer.address.host | false | false + "apache-httpasyncclient" | "url" | "$externalServer.address/" | true | true + "apache-httpasyncclient" | "urlProducer" | "$externalServer.address/" | true | true + "apache-httpasyncclient" | "host" | externalServer.address.host | false | false + "apache-httpclient5" | "url" | "$externalServer.address/" | true | true + "apache-httpclient5" | "urlHandler" | "$externalServer.address/" | true | true + "apache-httpclient5" | "host" | externalServer.address.host | false | true + "commons-httpclient2" | "url" | "$externalServer.address/" | true | true + "okHttp2" | "url" | "$externalServer.address/" | true | true + "okHttp3" | "url" | "$externalServer.address/" | true | true } void 'test iast metrics stored in spans'() {
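Review bot: The `protocolSecure` column is still `true` on every `url`, `urlProducer` and `urlHandler` row, although the value no longer starts with `https://` by construction and now takes whatever scheme `externalServer.address` has. If that address is the server's plain-HTTP endpoint, the flag and the URL disagree, and any expectation derived from `protocolSecure` in the test body (outside this hunk) should be rechecked. Deriving the flag from the URL, e.g. `externalServer.address.scheme == 'https'`, or dropping the column if it is no longer meaningful, removes the mismatch.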