diff --git a/dd-java-agent/appsec/src/main/resources/default_config.json b/dd-java-agent/appsec/src/main/resources/default_config.json
index 81936a642c5..16fa1c6b781 100644
--- a/dd-java-agent/appsec/src/main/resources/default_config.json
+++ b/dd-java-agent/appsec/src/main/resources/default_config.json
@@ -4528,6 +4528,61 @@
 "lowercase"
 ]
 },
+ {
+ "id": "crs-944-140",
+ "name": "Java Injection Attack: Java Script File Upload Found",
+ "tags": {
+ "type": "unrestricted_file_upload",
+ "crs_id": "944140",
+ "category": "attack_attempt",
+ "cwe": "434",
+ "capec": "1000/152/242",
+ "confidence": "1",
+ "module": "waf"
+ },
+ "conditions": [
+ {
+ "parameters": {
+ "inputs": [
+ {
+ "address": "server.request.body.filenames"
+ },
+ {
+ "address": "server.request.headers.no_cookies",
+ "key_path": [
+ "x-filename"
+ ]
+ },
+ {
+ "address": "server.request.headers.no_cookies",
+ "key_path": [
+ "x_filename"
+ ]
+ },
+ {
+ "address": "server.request.headers.no_cookies",
+ "key_path": [
+ "x.filename"
+ ]
+ },
+ {
+ "address": "server.request.headers.no_cookies",
+ "key_path": [
+ "x-file-name"
+ ]
+ }
+ ],
+ "regex": "\\.jspx?$",
+ "options": {
+ "case_sensitive": true,
+ "min_length": 5
+ }
+ },
+ "operator": "match_regex"
+ }
+ ],
+ "transformers": []
+ },
 {
 "id": "crs-944-260",
 "name": "Remote Command Execution: Malicious class-loading payload",
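Review bot: The `crs-944-140` condition matches `\\.jspx?$` with `"case_sensitive": true` and an empty `"transformers"` list, so a filename or `x-filename` header value whose extension is not all lower case (for example `.JSP`) is never matched. Where uploads land on a case-insensitive filesystem, or the container resolves extensions without regard to case, that is a detection gap in a rule tagged `"confidence": "1"`. The rule visible just above this hunk ends its transformer list with `"lowercase"`; doing the same here, `"transformers": ["lowercase"]`, or setting `"case_sensitive": false`, would close it.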
@@ -5457,6 +5512,60 @@
 ],
 "transformers": []
 },
+ {
+ "id": "dog-920-100",
+ "name": "File upload with double extension",
+ "tags": {
+ "type": "http_protocol_violation",
+ "category": "attack_attempt",
+ "cwe": "176",
+ "capec": "1000/255/153/267/71",
+ "confidence": "0",
+ "module": "waf"
+ },
+ "conditions": [
+ {
+ "parameters": {
+ "inputs": [
+ {
+ "address": "server.request.body.filenames"
+ },
+ {
+ "address": "server.request.headers.no_cookies",
+ "key_path": [
+ "x-filename"
+ ]
+ },
+ {
+ "address": "server.request.headers.no_cookies",
+ "key_path": [
+ "x_filename"
+ ]
+ },
+ {
+ "address": "server.request.headers.no_cookies",
+ "key_path": [
+ "x.filename"
+ ]
+ },
+ {
+ "address": "server.request.headers.no_cookies",
+ "key_path": [
+ "x-file-name"
+ ]
+ }
+ ],
+ "regex": "\\w\\.[a-zA-Z0-9]{2,5}\\.[a-zA-Z0-9]{2,5}$",
+ "options": {
+ "case_sensitive": true,
+ "min_length": 6
+ }
+ },
+ "operator": "match_regex"
+ }
+ ],
+ "transformers": []
+ },
 {
 "id": "dog-920-110",
 "name": "Zipslip Attack - Unsafe Zip extraction",
diff --git a/dd-smoke-tests/appsec/springboot/src/test/groovy/datadog/smoketest/appsec/SpringBootSmokeTest.groovy b/dd-smoke-tests/appsec/springboot/src/test/groovy/datadog/smoketest/appsec/SpringBootSmokeTest.groovy
index e413cae5b77..a9418b52c0a 100644
--- a/dd-smoke-tests/appsec/springboot/src/test/groovy/datadog/smoketest/appsec/SpringBootSmokeTest.groovy
+++ b/dd-smoke-tests/appsec/springboot/src/test/groovy/datadog/smoketest/appsec/SpringBootSmokeTest.groovy
@@ -604,7 +604,7 @@ class SpringBootSmokeTest extends AbstractAppSecServerSmokeTest {
 then:
 rootSpans.size() == 1
 forEachRootSpanTrigger {
- assert it['rule']['id'] == '__test_file_upload_block'
+ assert it['rule']['id'] in ['__test_file_upload_block', 'crs-944-140']
 }
 rootSpans.each {
 assert it.meta.get('appsec.blocked') != null, 'appsec.blocked is not set'
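Review bot: The `dog-920-100` regex `\\w\\.[a-zA-Z0-9]{2,5}\\.[a-zA-Z0-9]{2,5}$` matches any name that ends in two short dotted suffixes, which includes ordinary uploads such as `archive.tar.gz` or `app.min.js`, yet the rule is tagged `"category": "attack_attempt"`. With `"confidence": "0"` it is presumably meant as a low-signal rule, but the benign matches could drown out real events unless the final component is limited to server-executable extensions or common compound extensions are excluded. The tags also look carried over from another rule: `"cwe": "176"` is improper handling of Unicode encoding, whereas the upload rule added earlier in this file uses `"cwe": "434"`, which seems the closer fit here.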
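Review bot: The relaxed assertion inside `forEachRootSpanTrigger` now passes when every trigger is `crs-944-140`, so the test no longer proves that `__test_file_upload_block` fired, which is the rule the `appsec.blocked` check below presumably depends on. Keep the membership check, but also collect the ids and require the test rule: `def ids = []` before the closure, `ids << it['rule']['id']` inside it, and `assert '__test_file_upload_block' in ids` after it. The feature method starts and ends outside this hunk, so whether another assertion already covers this cannot be seen here.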