feat(appsec): add command injection (CMDi) RASP via os.StartProcess #4978
eliottness wants to merge 1 commit into
Wire command-injection RASP end-to-end at the os.StartProcess choke point, mirroring the existing LFI feature. Under Orchestrion, a command-injection attempt detected by the WAF (rule rasp-932-110, address server.sys.exec.cmd) is blocked: os.StartProcess returns a BlockingSecurityEvent error and (nil, err).

- emitter: RunCommandOperation/Args/Res in instrumentation/appsec/emitter/ossec
- listener: NewExecSecFeature (activates on server.sys.exec.cmd), registered in features.go; forces argv[0]=name so the WAF evaluates the real executable (RFC-0989)
- contrib/os: context-aware StartProcess wrapper (named returns, argv unchanged)
- orchestrion: os.StartProcess aspect
- remoteconfig: advertise ASM_RASP_CMDI capability under orchestrion.Enabled()
- tests: contrib/os unit tests (incl. real-WAF cmdi_detector vectors) + orchestrion integration test (real WAF, HTTP 403) + testdata rasp-932-110
- ci: run APPSEC_RASP / APPSEC_RASP_NON_BLOCKING / REMOTE_CONFIG_MOCKED_BACKEND_ASM_DD on net-http-orchestrion
- docs: appsec README + orchestrion.yml meta

No spans, no shell variant, no go-libddwaf change.
391217f to c2bd250
Benchmarks

Benchmark execution time: 2026-07-02 16:31:46. Comparing candidate commit c2bd250 in PR branch. Found 2 performance improvements and 0 performance regressions! Performance is the same for 322 metrics, 2 unstable metrics, 1 flaky benchmark without significant changes.
Codex Review

Here are some automated review suggestions for this pull request.
Reviewed commit: c2bd25085e
What does this PR do?
Adds Command Injection (CMDi) RASP to the tracer, wired end-to-end at the single `os.StartProcess` choke point (which underlies every `os/exec` call) and active under Orchestrion. When the WAF detects a command-injection attempt (rule `rasp-932-110`, address `server.sys.exec.cmd`), `os.StartProcess` is blocked: it returns a `BlockingSecurityEvent` error and `(nil, err)` instead of launching the process. This mirrors the existing LFI feature.

- `RunCommandOperation`/`Args`/`Res` in `instrumentation/appsec/emitter/ossec` (no `os` import; generic).
- `NewExecSecFeature` (activates on `server.sys.exec.cmd`), registered in `internal/appsec/features.go`. Forces `argv[0] = name` so the WAF evaluates the real executable per [RFC-0989] (defeats an `argv[0]`-spoofing bypass on raw `os.StartProcess`).
- `StartProcess` wrapper (named returns, argv forwarded unchanged).
- `os.StartProcess` aspect in `contrib/os/orchestrion.yml`.
- `ASM_RASP_CMDI` capability under `orchestrion.Enabled()`.
- `contrib/os` unit tests (mock wrapper + table-driven real-WAF `cmdi_detector` vectors mirroring libddwaf) + orchestrion integration test (real WAF, HTTP 403) + testdata `rasp-932-110`.
- `APPSEC_RASP`, `APPSEC_RASP_NON_BLOCKING`, and `REMOTE_CONFIG_MOCKED_BACKEND_ASM_DD` on `net-http-orchestrion`.

No spans, no shell variant, no `go-libddwaf` change.

Motivation

Exploit prevention for command injection ([RFC-0989]). The shipped WAF ruleset already contains the command-injection rule and the tracer already has the `server.sys.exec.cmd` address/metrics/rule-type plumbing, so this is a wiring-plus-tests change.

Companion system-tests PR (adds the `/rasp/cmdi` weblog endpoint and enables `Test_Cmdi_*` for `net-http-orchestrion`): DataDog/system-tests#7251. The CMDi `net-http-orchestrion` `APPSEC_RASP` run goes green once that endpoint/manifest is available; a manual cross-branch `workflow_dispatch` run validating both branches together will be linked below.

Reviewer's Checklist

- `make lint` locally.
- `make test` locally.
- `make generate` locally.

[RFC-0989]: internal exploit-prevention command-injection RFC
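The argv[0] normalisation the PR describes, as an added illustration that is not dd-trace-go code: a context-aware `StartProcess` wrapper that shows the WAF `name` in position 0 (so a caller-chosen argv[0] cannot hide the real executable) while forwarding the original argv to the process unchanged. `Detector` and `ErrBlocked` are constructed stand-ins for the libddwaf call on `server.sys.exec.cmd` and for `BlockingSecurityEvent`.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
)

// ErrBlocked stands in for the tracer's BlockingSecurityEvent (assumed name).
var ErrBlocked = errors.New("command blocked by security event")

// Detector is an injectable stand-in for the WAF evaluation on
// server.sys.exec.cmd; it receives the argv the WAF should judge.
type Detector func(ctx context.Context, argv []string) (block bool)

// argvForWAF builds the slice handed to the detector: argv[0] is replaced
// by name so the WAF evaluates the executable that will actually run, not
// whatever the caller put in argv[0] (the RFC-0989 spoofing case). The
// caller's argv is left untouched and is still what the process receives.
func argvForWAF(name string, argv []string) []string {
	out := make([]string, 0, len(argv)+1)
	out = append(out, name)
	if len(argv) > 1 {
		out = append(out, argv[1:]...)
	}
	return out
}

// StartProcess mirrors os.StartProcess but consults the detector first.
// Named returns make the blocked path yield (nil, err), as the PR states.
func StartProcess(ctx context.Context, det Detector, name string, argv []string, attr *os.ProcAttr) (p *os.Process, err error) {
	if det != nil && det(ctx, argvForWAF(name, argv)) {
		return nil, ErrBlocked
	}
	return os.StartProcess(name, argv, attr)
}

func main() {
	// Constructed detector: block when the evaluated executable is a shell.
	det := func(_ context.Context, argv []string) bool { return argv[0] == "/bin/sh" }
	// argv[0] is spoofed to look like "ls"; the detector still sees /bin/sh.
	_, err := StartProcess(context.Background(), det, "/bin/sh", []string{"ls", "-c", "id"}, &os.ProcAttr{})
	fmt.Println(errors.Is(err, ErrBlocked)) // true
}
```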