Rasp command injection tests #3524

Open
wants to merge 14 commits into
base: main

Conversation

Contributor

@NachoEchevarria NachoEchevarria commented Nov 21, 2024

Motivation

This PR implements the system tests that will be required for the command injection vulnerability in RASP.

The details of this vulnerability can be found here: https://docs.google.com/document/d/1DDWy3frMXDTAbk-BfnZ1FdRwuPx6Pl7AWyR4zjqRFZw/edit?tab=t.0#heading=h.giijrtyn1fdx

The tests are based on other vulnerabilities' tests and have passed under .NET (version not yet merged).

Changes

Workflow

  1. ⚠️ Create your PR as draft ⚠️
  2. Work on your PR until the CI passes (if something not related to your task is failing, you can ignore it)
  3. Mark it as ready for review
    • Test logic is modified? -> Get a review from RFC owner. We're working on refining the codeowners file quickly.
    • Framework is modified, or non-obvious usage of it -> get a review from R&P team

🚀 Once your PR is reviewed, you can merge it!

🛟 #apm-shared-testing 🛟

Reviewer checklist

  • If PR title starts with [<language>], double-check that only <language> is impacted by the change
  • No system-tests internal is modified. Otherwise, I have the approval from R&P team
  • CI is green, or failing jobs are not related to this change (and you are 100% sure about this statement)
  • A docker base image is modified?
    • the relevant build-XXX-image label is present
  • A scenario is added (or removed)?

@NachoEchevarria NachoEchevarria marked this pull request as ready for review November 22, 2024 13:31
@NachoEchevarria NachoEchevarria requested review from a team as code owners November 22, 2024 13:31
@NachoEchevarria NachoEchevarria requested review from wconti27 and mabdinur and removed request for a team November 22, 2024 13:31
@NachoEchevarria NachoEchevarria requested review from manuel-alvarez-alvarez, Mariovido and dubloom and removed request for a team November 22, 2024 13:31
@@ -162,6 +173,7 @@ tests/:
Test_Lfi_UrlQuery: v2.51.0
test_libddwaf.py:
Test_Libddwaf_Version: v3.4.1
Test_Libddwaf_Version_CmdI: missing_feature
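
Review bot: The `Test_Libddwaf_Version_CmdI: missing_feature` entry under `test_libddwaf.py` has no comment saying which libddwaf minimum it is waiting on, while its sibling `Test_Libddwaf_Version` is pinned to `v3.4.1`. Add a short comment or tracking reference next to the entry so that whoever enables command injection support knows to replace `missing_feature` with the first library version that passes. A second version-check class in this file also suggests more will follow per vulnerability, so consider declaring the check beside the vulnerability's own tests to keep the manifest grouped by feature.
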
Contributor

If we are going to have multiple libddwaf min versions, it will be worth moving the test to each test file, like we are doing with Rules_Version.

Contributor Author

Good point. I have updated the code addressing your comment.

@NachoEchevarria NachoEchevarria marked this pull request as draft November 22, 2024 15:29
@NachoEchevarria NachoEchevarria marked this pull request as ready for review November 22, 2024 15:52
Collaborator

@robertomonteromiguel robertomonteromiguel left a comment

There are CI failures related to this PR.

@NachoEchevarria NachoEchevarria marked this pull request as draft November 25, 2024 08:19
@NachoEchevarria
Contributor Author

There are CI failures related to this PR.

You are right. They are fixed. Thanks!

@NachoEchevarria NachoEchevarria marked this pull request as ready for review November 25, 2024 11:16
4 participants