Skip to content

chore(iast): reduce ssrf false positives #13530

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Jun 3, 2025
Merged

chore(iast): reduce ssrf false positives #13530

merged 9 commits into from
Jun 3, 2025

Conversation

avara1986
Copy link
Member

@avara1986 avara1986 commented May 29, 2025
edited
Loading

This PR improves the accuracy of SSRF (Server-Side Request Forgery) vulnerability detection in the IAST module by reducing false positives, particularly when dealing with URL fragments.

URL Part Tainted? Safe Builder? Encoded? Report SSRF?
Protocol/Host/Port Yes N/A N/A Yes (HIGH)
Path Yes Yes Yes No
Path Yes No No Yes (MEDIUM)
Query Yes Yes N/A No
Query Yes No N/A Yes (MEDIUM)
Fragment Yes N/A N/A No

Key Changes

  • Enhanced SSRF detection logic to properly handle URL fragments (#)
  • Added validation to ignore cases where tainted data only appears in URL fragments
  • Added test cases to verify fragment handling behavior

Motivation

URL fragments (parts after #) are client-side only and not sent to the server, making them irrelevant for SSRF vulnerabilities. The current implementation was generating false positives when tainted data appeared only in URL fragments, leading to unnecessary alerts.

Testing Strategy

  • Added new test cases in tests/appsec/iast/taint_sinks/test_ssrf.py
  • Verified behavior with Django integration tests
  • Tested various URL fragment scenarios:
    • Tainted data in fragments only
    • Tainted data in both query params and fragments
    • Multiple fragments with tainted data

Checklist

  • PR author has checked that all the criteria below are met
  • The PR description includes an overview of the change
  • The PR description articulates the motivation for the change
  • The change includes tests OR the PR description describes a testing strategy
  • The PR description notes risks associated with the change, if any
  • Newly-added code is easy to change
  • The change follows the library release note guidelines
  • The change includes or references documentation updates if necessary
  • Backport labels are set (if applicable)

Reviewer Checklist

  • Reviewer has checked that all the criteria below are met
  • Title is accurate
  • All changes are related to the pull request's stated goal
  • Avoids breaking API changes
  • Testing strategy adequately addresses listed risks
  • Newly-added code is easy to change
  • Release note makes sense to a user of the library
  • If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
  • Backport labels are set in a manner that is consistent with the release branch maintenance policy

@avara1986 avara1986 added changelog/no-changelog A changelog entry is not required for this PR. ASM Application Security Monitoring labels May 29, 2025
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented May 29, 2025
edited
Loading

CODEOWNERS have been resolved as:

ddtrace/appsec/_iast/_patch_modules.py                                  @DataDog/asm-python
ddtrace/appsec/_iast/secure_marks/validators.py                         @DataDog/asm-python
ddtrace/appsec/_iast/taint_sinks/ssrf.py                                @DataDog/asm-python
tests/appsec/iast/taint_sinks/test_ssrf.py                              @DataDog/asm-python
tests/appsec/integrations/django_tests/conftest.py                      @DataDog/asm-python
tests/appsec/integrations/django_tests/django_app/urls.py               @DataDog/asm-python
tests/appsec/integrations/django_tests/django_app/views.py              @DataDog/asm-python
tests/appsec/integrations/django_tests/test_iast_django.py              @DataDog/asm-python

datadog-datadog-prod-us1[bot]
datadog-datadog-prod-us1 bot reviewed May 29, 2025
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems May 29, 2025
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems May 29, 2025
View reviewed changes
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented May 29, 2025
edited
Loading

Bootstrap import analysis

Comparison of import times between this PR and base.

Summary

The average import time from this PR is: 242 ± 5 ms.

The average import time from base is: 243 ± 3 ms.

The import time difference between this PR and base is: -0.9 ± 0.2 ms.

Import time breakdown

The following import paths have shrunk:

ddtrace.auto 1.869 ms (0.77%)
ddtrace.bootstrap.sitecustomize 1.218 ms (0.50%)
ddtrace.bootstrap.preload 1.218 ms (0.50%)
ddtrace.internal.remoteconfig.client 0.617 ms (0.25%)
ddtrace 0.651 ms (0.27%)

github-advanced-security[bot]
github-advanced-security bot found potential problems May 29, 2025
View reviewed changes
@avara1986 avara1986 marked this pull request as ready for review May 29, 2025 13:06
@avara1986 avara1986 requested a review from a team as a code owner May 29, 2025 13:06
@pr-commenter
Copy link

pr-commenter bot commented May 29, 2025
edited
Loading

Benchmarks

Benchmark execution time: 2025-06-02 07:57:13

Comparing candidate commit b23335c in PR branch avara1986/APPSEC-57162-ssrf_false_positive with baseline commit 1605451 in branch main.

Found 0 performance improvements and 4 performance regressions! Performance is the same for 499 metrics, 5 unstable metrics.

scenario:iastaspects-swapcase_aspect

  • 🟥 execution_time [+176.571ns; +215.939ns] or [+7.205%; +8.812%]

scenario:iastaspectsospath-ospathnormcase_aspect

  • 🟥 execution_time [+375.511ns; +445.298ns] or [+10.883%; +12.906%]

scenario:iastaspectsospath-ospathsplitdrive_aspect

  • 🟥 execution_time [+377.225ns; +431.521ns] or [+10.374%; +11.867%]

scenario:iastaspectsospath-ospathsplitext_aspect

  • 🟥 execution_time [+440.870ns; +581.497ns] or [+9.817%; +12.949%]

@avara1986 avara1986 merged commit 4607d9e into main Jun 3, 2025
441 checks passed
@avara1986 avara1986 deleted the avara1986/APPSEC-57162-ssrf_false_positive branch June 3, 2025 14:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@datadog-datadog-prod-us1 datadog-datadog-prod-us1[bot] datadog-datadog-prod-us1[bot] left review comments

@RamyElkest RamyElkest RamyElkest approved these changes

@smola smola Awaiting requested review from smola

@christophe-papazian christophe-papazian Awaiting requested review from christophe-papazian

Assignees
No one assigned
Labels
ASM Application Security Monitoring changelog/no-changelog A changelog entry is not required for this PR.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@avara1986 @RamyElkest