feat(golang): add /rasp/cmdi endpoint + enable CMDi RASP tests on net-http-orchestrion#7251
Draft
eliottness wants to merge 1 commit into
Draft
feat(golang): add /rasp/cmdi endpoint + enable CMDi RASP tests on net-http-orchestrion#7251eliottness wants to merge 1 commit into
eliottness wants to merge 1 commit into
Conversation
Contributor
|
|
|
…-http-orchestrion Add the CMDI shared handler with array-capable request parsing (query/JSON/XML/urlencoded) and appsec.MonitorParsedHTTPBody, register /rasp/cmdi in the Go RASP weblogs (net-http-orchestrion, net-http, chi, gin, echo), and enable the Test_Cmdi_* classes for net-http-orchestrion in manifests/golang.yml. Exec runs via an instrumented os/exec path so the WAF evaluates server.sys.exec.cmd; no shell is used.
7ffec47 to
e29ce50
Compare
9 tasks
Contributor
Author
|
Cross-branch validation (dd-trace-go |
RomainMuller
approved these changes
Jul 3, 2026
gh-worker-dd-mergequeue-cf854d Bot
pushed a commit
to DataDog/dd-trace-go
that referenced
this pull request
Jul 6, 2026
…4978) ### What does this PR do? Adds **Command Injection (CMDi) RASP** to the tracer, wired end-to-end at the single `os.StartProcess` choke point (which underlies every `os/exec` call) and active under Orchestrion. When the WAF detects a command-injection attempt (rule `rasp-932-110`, address `server.sys.exec.cmd`), `os.StartProcess` is blocked: it returns a `BlockingSecurityEvent` error and `(nil, err)` instead of launching the process. This mirrors the existing LFI feature. - **emitter**: `RunCommandOperation`/`Args`/`Res` in `instrumentation/appsec/emitter/ossec` (no `os` import; generic). - **listener**: `NewExecSecFeature` (activates on `server.sys.exec.cmd`), registered in `internal/appsec/features.go`. Forces `argv[0] = name` so the WAF evaluates the real executable per [RFC-0989] (defeats an `argv[0]`-spoofing bypass on raw `os.StartProcess`). - **contrib/os**: context-aware `StartProcess` wrapper (named returns, argv forwarded unchanged). - **orchestrion**: `os.StartProcess` aspect in `contrib/os/orchestrion.yml`. - **remoteconfig**: advertise `ASM_RASP_CMDI` capability under `orchestrion.Enabled()`. - **tests**: `contrib/os` unit tests (mock wrapper + table-driven real-WAF `cmdi_detector` vectors mirroring libddwaf) + orchestrion integration test (real WAF, HTTP 403) + testdata `rasp-932-110`. - **ci**: run `APPSEC_RASP`, `APPSEC_RASP_NON_BLOCKING`, and `REMOTE_CONFIG_MOCKED_BACKEND_ASM_DD` on `net-http-orchestrion`. - **docs**: appsec README + orchestrion.yml meta. No spans, no shell variant, no `go-libddwaf` change. ### Motivation Exploit prevention for command injection ([RFC-0989]). The shipped WAF ruleset already contains the command-injection rule and the tracer already has the `server.sys.exec.cmd` address/metrics/rule-type plumbing, so this is a wiring-plus-tests change. Companion system-tests PR (adds the `/rasp/cmdi` weblog endpoint and enables `Test_Cmdi_*` for `net-http-orchestrion`): **DataDog/system-tests#7251**. The CMDi `net-http-orchestrion` `APPSEC_RASP` run goes green once that endpoint/manifest is available; a manual cross-branch `workflow_dispatch` run validating both branches together will be linked below. ### Reviewer's Checklist - [ ] Changed code has unit tests for its functionality at or near 100% coverage. - [ ] [System-Tests](https://github.com/DataDog/system-tests/) covering this feature have been added and enabled with the va.b.c-dev version tag. - [ ] There is a benchmark for any new code, or changes to existing code. - [ ] If this interacts with the agent in a new way, a system test has been added. - [ ] New code is free of linting errors. You can check this by running `make lint` locally. - [ ] New code doesn't break existing tests. You can check this by running `make test` locally. - [ ] Add an appropriate team label so this PR gets put in the right place for the release notes. - [ ] All generated files are up to date. You can check this by running `make generate` locally. - [ ] Non-trivial go.mod changes reviewed by @DataDog/dd-trace-go-guild. [RFC-0989]: internal exploit-prevention command-injection RFC Co-authored-by: eliott.bouhana <eliott.bouhana@datadoghq.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
Enable end-to-end system-tests coverage for the new dd-trace-go Command Injection (CMDi) RASP feature (exec variant,
server.sys.exec.cmd). Companion PR: DataDog/dd-trace-go#4978.Changes
CMDIshared handler inutils/build/docker/golang/app/_shared/rasp/rasp.gowith array-capable request parsing (GET query, urlencoded, JSON{"command":[...]}, XML<command><cmd>…</cmd></command>) andappsec.MonitorParsedHTTPBody. It runs the command via an instrumentedos/execpath (no shell) so the WAF evaluatesserver.sys.exec.cmd./rasp/cmdiin the Go RASP weblogs:net-http-orchestrion,net-http,chi,gin,echo.Test_Cmdi_*classes fornet-http-orchestrioninmanifests/golang.yml("*": irrelevant,net-http-orchestrion: v2.11.0-dev);test_shi.pystays irrelevant.Workflow
🛟 #apm-shared-testing 🛟
Reviewer checklist
tests/ormanifests/is modified ? I have the approval from R&P teambuild-XXX-imagelabel is present