[golang] fix API security go weblogs

Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
DataDog · Sep 18, 2024 · 3e30ad0 · 3e30ad0
1 parent 1f274c6
commit 3e30ad0
Show file tree

Hide file tree

Showing 6 changed files with 94 additions and 42 deletions.
diff --git a/manifests/golang.yml b/manifests/golang.yml
@@ -1,4 +1,5 @@
 tests/:
+
   apm_tracing_e2e/:
     test_otel.py:
       Test_Otel_Span:
@@ -20,23 +21,17 @@ tests/:
           net-http: irrelevant (net-http doesn't handle path params)
       test_schemas.py:
         Test_Scanners: missing_feature
-        Test_Schema_Request_Cookies:
-          '*': v1.60.0-dev
-          net-http: irrelevant (net-http doesn't handle path params)
-        Test_Schema_Request_FormUrlEncoded_Body: missing_feature
-        Test_Schema_Request_Headers:
-          '*': v1.60.0-dev
-          net-http: irrelevant (net-http doesn't handle path params)
-        Test_Schema_Request_Json_Body: v1.69.0-dev
+        Test_Schema_Request_Cookies: v1.60.0
+        Test_Schema_Request_FormUrlEncoded_Body: v1.60.0
+        Test_Schema_Request_Headers: v1.60.0
+        Test_Schema_Request_Json_Body: v1.60.0
         Test_Schema_Request_Path_Parameters:
           '*': v1.60.0-dev
           net-http: irrelevant (net-http doesn't handle path params)
-        Test_Schema_Request_Query_Parameters:
-          '*': v1.60.0-dev
-          net-http: irrelevant (net-http doesn't handle path params)
-        Test_Schema_Response_Body: v1.69.0-dev
-        Test_Schema_Response_Body_env_var: v1.69.0-dev
-        Test_Schema_Response_Headers: v1.69.0-dev
+        Test_Schema_Request_Query_Parameters: v1.60.0
+        Test_Schema_Response_Body: missing_feature
+        Test_Schema_Response_Body_env_var: missing_feature
+        Test_Schema_Response_Headers: v1.60.0
     iast/:
       sink/:
         test_code_injection.py:

diff --git a/tests/test_schemas.py b/tests/test_schemas.py
@@ -48,7 +48,6 @@ def test_library_schema_telemetry_conf_value(self):
     def test_library_schema_telemetry_job_object(self):
         interfaces.library.assert_schema_point("/telemetry/proxy/api/v2/apmtelemetry", "$.payload")
 
-    @bug(library="golang", reason="APMS-12697")
     def test_library_telenetry_configuration_value(self):
         interfaces.library.assert_schema_point(
             "/telemetry/proxy/api/v2/apmtelemetry", "$.payload.configuration[].value"
@@ -93,6 +92,5 @@ def test_agent_schema_telemetry_job_object(self):
     def test_agent_schema_telemetry_main_payload(self):
         interfaces.agent.assert_schema_point("/api/v2/apmtelemetry", "$")
 
-    @bug(library="golang", reason="APMS-12697")
     def test_library_telenetry_configuration_value(self):
         interfaces.agent.assert_schema_point("/api/v2/apmtelemetry", "$.payload.configuration[].value")
diff --git a/utils/build/docker/golang/app/chi/main.go b/utils/build/docker/golang/app/chi/main.go
@@ -2,12 +2,14 @@ package main
 
 import (
 	"context"
+	"encoding/json"
+	"io"
 	"log"
 	"net/http"
 	"os"
-	"encoding/json"
 	"strconv"
 	"time"
+
 	"weblog/internal/rasp"
 
 	"weblog/internal/common"
@@ -39,18 +41,18 @@ func main() {
 	mux.HandleFunc("/healthcheck", func(w http.ResponseWriter, r *http.Request) {
 
 		healthCheck, err := common.GetHealtchCheck()
-        if err != nil {
-            http.Error(w, "Can't get JSON data", http.StatusInternalServerError)
-        }
+		if err != nil {
+			http.Error(w, "Can't get JSON data", http.StatusInternalServerError)
+		}
 
-        jsonData, err := json.Marshal(healthCheck)
-        if err != nil {
-            http.Error(w, "Can't build JSON data", http.StatusInternalServerError)
-            return
-        }
+		jsonData, err := json.Marshal(healthCheck)
+		if err != nil {
+			http.Error(w, "Can't build JSON data", http.StatusInternalServerError)
+			return
+		}
 
-        w.Header().Set("Content-Type", "application/json")
-        w.Write(jsonData)
+		w.Header().Set("Content-Type", "application/json")
+		w.Write(jsonData)
 	})
 
 	mux.HandleFunc("/waf/*", func(w http.ResponseWriter, r *http.Request) {
@@ -81,9 +83,18 @@ func main() {
 		ctx := chi.RouteContext(r.Context())
 		tag := ctx.URLParam("tag_value")
 		status, _ := strconv.Atoi(ctx.URLParam("status_code"))
-
 		span, _ := tracer.SpanFromContext(r.Context())
 		span.SetTag("appsec.events.system_tests_appsec_event.value", tag)
+		for key, values := range r.URL.Query() {
+			for _, value := range values {
+				w.Header().Add(key, value)
+			}
+		}
+		body, _ := io.ReadAll(r.Body)
+		var bodyMap map[string]any
+		if err := json.Unmarshal(body, &bodyMap); err != nil {
+			appsec.MonitorParsedHTTPBody(r.Context(), bodyMap)
+		}
 		w.WriteHeader(status)
 		w.Write([]byte("Value tagged"))
 	})

diff --git a/utils/build/docker/golang/app/echo/main.go b/utils/build/docker/golang/app/echo/main.go
@@ -1,10 +1,13 @@
 package main
 
 import (
+	"encoding/json"
+	"io"
 	"log"
 	"net/http"
 	"os"
 	"strconv"
+
 	"weblog/internal/common"
 	"weblog/internal/grpc"
 	"weblog/internal/rasp"
@@ -35,7 +38,7 @@ func main() {
 		if err != nil {
 			return c.JSON(http.StatusInternalServerError, err)
 		}
-		
+
 		return c.JSON(http.StatusOK, healthCheck)
 	})
 
@@ -68,6 +71,16 @@ func main() {
 		status, _ := strconv.Atoi(c.Param("status_code"))
 		span, _ := tracer.SpanFromContext(c.Request().Context())
 		span.SetTag("appsec.events.system_tests_appsec_event.value", tag)
+		for key, values := range c.QueryParams() {
+			for _, value := range values {
+				c.Response().Header().Add(key, value)
+			}
+		}
+		body, _ := io.ReadAll(c.Request().Body)
+		var bodyMap map[string]any
+		if err := json.Unmarshal(body, &bodyMap); err != nil {
+			appsec.MonitorParsedHTTPBody(c.Request().Context(), bodyMap)
+		}
 		return c.String(status, "Value tagged")
 	})
 

diff --git a/utils/build/docker/golang/app/gin/main.go b/utils/build/docker/golang/app/gin/main.go
@@ -1,10 +1,13 @@
 package main
 
 import (
+	"encoding/json"
+	"io"
 	"log"
 	"net/http"
 	"os"
 	"strconv"
+
 	"weblog/internal/common"
 	"weblog/internal/grpc"
 	"weblog/internal/rasp"
@@ -34,7 +37,7 @@ func main() {
 		if err != nil {
 			ctx.JSON(http.StatusInternalServerError, err)
 		}
-		
+
 		ctx.JSON(http.StatusOK, healthCheck)
 	})
 
@@ -67,6 +70,16 @@ func main() {
 		status, _ := strconv.Atoi(ctx.Param("status_code"))
 		span, _ := tracer.SpanFromContext(ctx.Request.Context())
 		span.SetTag("appsec.events.system_tests_appsec_event.value", tag)
+		for key, values := range ctx.Request.URL.Query() {
+			for _, value := range values {
+				ctx.Writer.Header().Add(key, value)
+			}
+		}
+		body, _ := io.ReadAll(ctx.Request.Body)
+		var bodyMap map[string]any
+		if err := json.Unmarshal(body, &bodyMap); err != nil {
+			appsec.MonitorParsedHTTPBody(ctx.Request.Context(), bodyMap)
+		}
 		ctx.Writer.WriteHeader(status)
 		ctx.Writer.Write([]byte("Value tagged"))
 	})

diff --git a/utils/build/docker/golang/app/net-http/main.go b/utils/build/docker/golang/app/net-http/main.go
@@ -5,17 +5,20 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
 	"log"
 	"net/http"
 	"net/http/httptest"
 	"os"
 	"strconv"
 	"time"
+
 	"weblog/internal/common"
 	"weblog/internal/grpc"
 	"weblog/internal/rasp"
 
 	"github.com/Shopify/sarama"
+
 	saramatrace "gopkg.in/DataDog/dd-trace-go.v1/contrib/Shopify/sarama"
 	"gopkg.in/DataDog/dd-trace-go.v1/datastreams"
 
@@ -52,18 +55,18 @@ func main() {
 	mux.HandleFunc("/healthcheck", func(w http.ResponseWriter, r *http.Request) {
 
 		healthCheck, err := common.GetHealtchCheck()
-        if err != nil {
-            http.Error(w, "Can't get JSON data", http.StatusInternalServerError)
-        }
-
-        jsonData, err := json.Marshal(healthCheck)
-        if err != nil {
-            http.Error(w, "Can't build JSON data", http.StatusInternalServerError)
-            return
-        }
-
-        w.Header().Set("Content-Type", "application/json")
-        w.Write(jsonData)
+		if err != nil {
+			http.Error(w, "Can't get JSON data", http.StatusInternalServerError)
+		}
+
+		jsonData, err := json.Marshal(healthCheck)
+		if err != nil {
+			http.Error(w, "Can't build JSON data", http.StatusInternalServerError)
+			return
+		}
+
+		w.Header().Set("Content-Type", "application/json")
+		w.Write(jsonData)
 	})
 
 	mux.HandleFunc("/waf", func(w http.ResponseWriter, r *http.Request) {
@@ -95,6 +98,25 @@ func main() {
 		w.Write([]byte("OK"))
 	})
 
+	mux.HandleFunc("/tag_value/{tag_value}/{status_code}", func(w http.ResponseWriter, r *http.Request) {
+		tag := r.PathValue("tag_value")
+		status, _ := strconv.Atoi(r.PathValue("status_code"))
+		span, _ := tracer.SpanFromContext(r.Context())
+		span.SetTag("appsec.events.system_tests_appsec_event.value", tag)
+		for key, values := range r.URL.Query() {
+			for _, value := range values {
+				w.Header().Add(key, value)
+			}
+		}
+		body, _ := io.ReadAll(r.Body)
+		var bodyMap map[string]any
+		if err := json.Unmarshal(body, &bodyMap); err != nil {
+			appsec.MonitorParsedHTTPBody(r.Context(), bodyMap)
+		}
+		w.WriteHeader(status)
+		w.Write([]byte("Value tagged"))
+	})
+
 	mux.HandleFunc("/status", func(w http.ResponseWriter, r *http.Request) {
 		if c := r.URL.Query().Get("code"); c != "" {
 			if code, err := strconv.Atoi(c); err == nil {