poc: App & API Protection

bottlecap/Cargo.toml

@@ -6,6 +6,9 @@ publish = false
 
 [dependencies]
 async-trait = { version = "0.1", default-features = false }
+aws_lambda_events = { version = "0.16", default-features = false, features = ["alb", "apigw", "cloudwatch_events", "cloudwatch_logs", "dynamodb", "eventbridge", "kinesis", "s3","sns", "sqs", "lambda_function_urls"] }
+axum = { version = "0.8.4", default-features = false, features = ["default"] }
+axum-extra = { version = "0.10.1", default-features = false, features = ["cookie"] }
 bytes = { version = "1.2", default-features = false }
 chrono = { version = "0.4", features = ["serde", "std", "now"], default-features = false }
 figment = { version = "0.10", default-features = false, features = ["yaml", "env"] }
@@ -16,15 +19,19 @@ hyper-util = { version = "0.1.10", features = [
     "client-legacy",
 ] }
 http-body = "0.1"
-http-body-util = "0.1" 
+http-body-util = "0.1"
+mime = { version = "0.3", default-features = false }
 lazy_static = { version = "1.5", default-features = false }
 log = { version = "0.4", default-features = false }
+multer = { version = "3.1", default-features = false }
 nix = { version = "0.26", default-features = false, features = ["feature", "fs"] }
 protobuf = { version = "3.5", default-features = false }
 regex = { version = "1.10", default-features = false }
 reqwest = { version = "0.12.11", features = ["json", "http2"], default-features = false }
 serde = { version = "1.0", default-features = false, features = ["derive"] }
+serde_html_form = { version = "0.2", default-features = false }
 serde_json = { version = "1.0", default-features = false, features = ["alloc"] }
+serde-xml-rs = { version = "0.8", default-features = false }
 thiserror = { version = "1.0", default-features = false }
 tokio = { version = "1.37", default-features = false, features = ["macros", "rt-multi-thread"] }
 tokio-util = { version = "0.7", default-features = false }
@@ -50,7 +57,7 @@ rustls-native-certs = { version = "0.8.1", optional = true }
 # method in favor of our
 # datadog_fips::reqwest_adapter::create_reqwest_client_builder. An example can
 # be found in the clippy.toml file adjacent to this Cargo.toml.
-datadog-protos = { version = "0.1.0", default-features = false, git = "https://github.com/DataDog/saluki/", rev = "c89b58e5784b985819baf11f13f7d35876741222"}
+datadog-protos = { version = "0.1.0", default-features = false, git = "https://github.com/DataDog/saluki/", rev = "c89b58e5784b985819baf11f13f7d35876741222" }
 ddsketch-agent = { version = "0.1.0", default-features = false, git = "https://github.com/DataDog/saluki/" }
 ddcommon = { git = "https://github.com/DataDog/libdatadog", rev = "ca19adc5c782be316210b69510ebb6c8dff12d87" }
 datadog-trace-protobuf = { git = "https://github.com/DataDog/libdatadog", rev = "ca19adc5c782be316210b69510ebb6c8dff12d87"  }
@@ -60,7 +67,7 @@ datadog-trace-obfuscation = { git = "https://github.com/DataDog/libdatadog", rev
 dogstatsd = { git = "https://github.com/DataDog/serverless-components", rev = "c3d8ed4f90591c6958921145d485463860307f78", default-features = false }
 datadog-trace-agent = { git = "https://github.com/DataDog/serverless-components", rev = "c3d8ed4f90591c6958921145d485463860307f78" }
 datadog-fips = { git = "https://github.com/DataDog/serverless-components", rev = "c3d8ed4f90591c6958921145d485463860307f78", default-features = false }
-axum = { version = "0.8.4", default-features = false, features = ["default"] }
+libddwaf = { version = "1.25.1", git = "https://github.com/DataDog/libddwaf-rust", rev = "b23b2d7e6abd6340b30dc8031482a6326bda57cd", default-features = false, features = ["default"] }
 
 [dev-dependencies]
 figment = { version = "0.10", default-features = false, features = ["yaml", "env", "test"] }

bottlecap/src/appsec/mod.rs

@@ -0,0 +1,29 @@
+use std::env;
+
+use crate::config::Config;
+
+mod payload;
+pub mod processor;
+
+#[must_use]
+pub const fn is_enabled(config: &Config) -> bool {
+    config.serverless_appsec_enabled
+}
+
+/// Reads the `DD_APM_TRACING_ENABLED` environment variable to determine whether ASM runs in
+/// standalone mode.
+///
+/// This is a direct port of the Go logic and that is why we are not using the
+/// `config` crate.
+#[must_use]
+pub fn is_standalone() -> bool {
+    let apm_tracing_enabled = env::var("DD_APM_TRACING_ENABLED");
+    let is_set = apm_tracing_enabled.is_ok();
+
+    let enabled = apm_tracing_enabled
+        .unwrap_or("false".to_string())
+        .to_lowercase()
+        == "true";
+
+    is_set && enabled
+}

bottlecap/src/appsec/payload/body.rs

@@ -0,0 +1,76 @@
+use base64::Engine;
+use bytes::Buf;
+use libddwaf::object::{WafMap, WafObject, WafString};
+use mime::Mime;
+use tracing::{debug, warn};
+
+pub(super) async fn parse_body(
+    body: impl AsRef<[u8]>,
+    is_base64_encoded: bool,
+    content_type: Option<&str>,
+) -> Result<Option<WafObject>, Box<dyn std::error::Error>> {
+    if is_base64_encoded {
+        let body = base64::engine::general_purpose::STANDARD.decode(body)?;
+        return Box::pin(parse_body(body, false, content_type)).await;
+    }
+
+    let body = body.as_ref();
+    let mime_type = match content_type
+        .unwrap_or("application/json")
+        .parse::<mime::Mime>()
+    {
+        Ok(mime) => mime,
+        Err(e) => return Err(e.into()),
+    };
+
+    Ok(match (mime_type.type_(), mime_type.subtype()) {
+        // text/json | application/json | application/vnd.api+json
+        (mime::APPLICATION, sub) if sub == mime::JSON || sub == "vnd.api+json" => {
+            Some(serde_json::from_slice(body)?)
+        }
+        (mime::APPLICATION, mime::WWW_FORM_URLENCODED) => Some(serde_html_form::from_bytes(body)?),
+        (mime::APPLICATION | mime::TEXT, mime::XML) => {
+            Some(serde_xml_rs::from_reader(body.reader())?)
+        }
+        (mime::MULTIPART, mime::FORM_DATA) => {
+            let Some(boundary) = mime_type.get_param("boundary") else {
+                warn!("appsec: cannot attempt parsing multipart/form-data without boundary");
+                return Ok(None);
+            };
+            // We have to go through this dance because [`multer::Multipart`] requires an async stream.
+            let body = body.to_vec();
+            let reader = futures::stream::iter([Result::<Vec<u8>, std::io::Error>::Ok(body)]);
+            let mut multipart = multer::Multipart::new(reader, boundary.as_str());
+
+            let mut fields = Vec::new();
+            while let Some(field) = multipart.next_field().await? {
+                let Some(name) = field.name().map(str::to_string) else {
+                    continue;
+                };
+                let Some(content_type) = field.content_type().map(Mime::to_string) else {
+                    continue;
+                };
+                let Some(value) = Box::pin(parse_body(
+                    field.bytes().await?,
+                    false,
+                    Some(content_type.as_ref()),
+                ))
+                .await?
+                else {
+                    continue;
+                };
+                fields.push((name, value));
+            }
+            let mut res = WafMap::new(fields.len() as u64);
+            for (i, (name, value)) in fields.into_iter().enumerate() {
+                res[i] = (name.as_str(), value).into();
+            }
+            Some(res.into())
+        }
+        (mime::TEXT, mime::PLAIN) => Some(WafString::new(body).into()),
+        _ => {
+            debug!("appsec: unsupported content type: {mime_type}");
+            None
+        }
+    })
+}