python_lambda: rasp support

Author: florentinl

.github/workflows/run-end-to-end.yml

@@ -437,6 +437,9 @@ jobs:
     - name: Run APPSEC_LAMBDA_API_SECURITY scenario
       if: always() && steps.build.outcome == 'success' && contains(inputs.scenarios, '"APPSEC_LAMBDA_API_SECURITY"')
       run: ./run.sh APPSEC_LAMBDA_API_SECURITY
+    - name: Run APPSEC_LAMBDA_RASP scenario
+      if: always() && steps.build.outcome == 'success' && contains(inputs.scenarios, '"APPSEC_LAMBDA_RASP"')
+      run: ./run.sh APPSEC_LAMBDA_RASP
     - name: Run EXTERNAL_PROCESSING scenario
       if: always() && steps.build.outcome == 'success' && contains(inputs.scenarios, '"EXTERNAL_PROCESSING"')
       run: ./run.sh EXTERNAL_PROCESSING

manifests/python_lambda.yml

@@ -53,6 +53,84 @@ tests/:
           alb: missing_feature
           alb-multi: missing_feature
           function-url: missing_feature
+    rasp/:
+      test_api10.py:
+        Test_API10_all: v8.116.0.dev
+        Test_API10_request_body: v8.116.0.dev
+        Test_API10_request_headers: v8.116.0.dev
+        Test_API10_request_method: v8.116.0.dev
+        Test_API10_response_body: v8.116.0.dev
+        Test_API10_response_headers: v8.116.0.dev
+        Test_API10_response_status: v8.116.0.dev
+      test_cmdi.py:
+        Test_Cmdi_BodyJson: v8.116.0.dev
+        Test_Cmdi_BodyUrlEncoded: v8.116.0.dev
+        Test_Cmdi_BodyXml: v8.116.0.dev
+        Test_Cmdi_Capability: v8.116.0.dev
+        Test_Cmdi_Mandatory_SpanTags: v8.116.0.dev
+        Test_Cmdi_Optional_SpanTags: v8.116.0.dev
+        Test_Cmdi_Rules_Version: v8.116.0.dev
+        Test_Cmdi_StackTrace: v8.116.0.dev
+        Test_Cmdi_Telemetry: missing_feature (telemetry is not available in Lambda yet)
+        Test_Cmdi_Telemetry_V2: missing_feature (telemetry is not available in Lambda yet)
+        Test_Cmdi_Telemetry_Variant_Tag: missing_feature (telemetry is not available in Lambda yet)
+        Test_Cmdi_UrlQuery: v8.116.0.dev
+        Test_Cmdi_Waf_Version: v8.116.0.dev
+      test_lfi.py:
+        Test_Lfi_BodyJson: v8.116.0.dev
+        Test_Lfi_BodyUrlEncoded: v8.116.0.dev
+        Test_Lfi_BodyXml: v8.116.0.dev
+        Test_Lfi_Capability: v8.116.0.dev
+        Test_Lfi_Mandatory_SpanTags: v8.116.0.dev
+        Test_Lfi_Optional_SpanTags: v8.116.0.dev
+        Test_Lfi_RC_CustomAction: v8.116.0.dev
+        Test_Lfi_Rules_Version: v8.116.0.dev
+        Test_Lfi_StackTrace: v8.116.0.dev
+        Test_Lfi_Telemetry: missing_feature (telemetry is not available in Lambda yet)
+        Test_Lfi_Telemetry_Multiple_Exploits: missing_feature (telemetry is not available in Lambda yet)
+        Test_Lfi_Telemetry_V2: missing_feature (telemetry is not available in Lambda yet)
+        Test_Lfi_UrlQuery: v8.116.0.dev
+        Test_Lfi_Waf_Version: v8.116.0.dev
+      test_shi.py:
+        Test_Shi_BodyJson: v8.116.0.dev
+        Test_Shi_BodyUrlEncoded: v8.116.0.dev
+        Test_Shi_BodyXml: v8.116.0.dev
+        Test_Shi_Capability: v8.116.0.dev
+        Test_Shi_Mandatory_SpanTags: v8.116.0.dev
+        Test_Shi_Optional_SpanTags: v8.116.0.dev
+        Test_Shi_Rules_Version: v8.116.0.dev
+        Test_Shi_StackTrace: v8.116.0.dev
+        Test_Shi_Telemetry: missing_feature (telemetry is not available in Lambda yet)
+        Test_Shi_Telemetry_V2: missing_feature (telemetry is not available in Lambda yet)
+        Test_Shi_Telemetry_Variant_Tag: missing_feature (telemetry is not available in Lambda yet)
+        Test_Shi_UrlQuery: v8.116.0.dev
+        Test_Shi_Waf_Version: v8.116.0.dev
+      test_sqli.py:
+        Test_Sqli_BodyJson: v8.116.0.dev
+        Test_Sqli_BodyUrlEncoded: v8.116.0.dev
+        Test_Sqli_BodyXml: v8.116.0.dev
+        Test_Sqli_Capability: v8.116.0.dev
+        Test_Sqli_Mandatory_SpanTags: v8.116.0.dev
+        Test_Sqli_Optional_SpanTags: v8.116.0.dev
+        Test_Sqli_Rules_Version: v8.116.0.dev
+        Test_Sqli_StackTrace: v8.116.0.dev
+        Test_Sqli_Telemetry: missing_feature (telemetry is not available in Lambda yet)
+        Test_Sqli_Telemetry_V2: missing_feature (telemetry is not available in Lambda yet)
+        Test_Sqli_UrlQuery: v8.116.0.dev
+        Test_Sqli_Waf_Version: v8.116.0.dev
+      test_ssrf.py:
+        Test_Ssrf_BodyJson: v8.116.0.dev
+        Test_Ssrf_BodyUrlEncoded: v8.116.0.dev
+        Test_Ssrf_BodyXml: v8.116.0.dev
+        Test_Ssrf_Capability: v8.116.0.dev
+        Test_Ssrf_Mandatory_SpanTags: v8.116.0.dev
+        Test_Ssrf_Optional_SpanTags: v8.116.0.dev
+        Test_Ssrf_Rules_Version: v8.116.0.dev
+        Test_Ssrf_StackTrace: v8.116.0.dev
+        Test_Ssrf_Telemetry: missing_feature (telemetry is not available in Lambda yet)
+        Test_Ssrf_Telemetry_V2: missing_feature (telemetry is not available in Lambda yet)
+        Test_Ssrf_UrlQuery: v8.116.0.dev
+        Test_Ssrf_Waf_Version: v8.116.0.dev
     waf/:
       test_blocking.py:
         Test_Blocking:
@@ -114,6 +192,8 @@ tests/:
         alb-multi: v8.114.0.dev
     test_conf.py:
       Test_ConfigurationVariables_New_Obfuscation: v8.113.0
+    test_extended_request_body_collection.py:
+      Test_ExtendedRequestBodyCollection: missing_feature
     test_fingerprinting.py:
       Test_Fingerprinting_Endpoint_Preprocessor:
         "*": v8.113.0

tests/appsec/rasp/test_api10.py

@@ -50,6 +50,7 @@ def validate_metric(self, span):
 @rfc("https://docs.google.com/document/d/1gCXU3LvTH9en3Bww0AC2coSJWz1m7HcavZjvMLuDCWg/edit#heading=h.giijrtyn1fdx")
 @features.api10
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_API10_request_headers(API10):
     """API 10 for request headers"""
@@ -71,6 +72,7 @@ def test_api10_req_headers(self):
 @rfc("https://docs.google.com/document/d/1gCXU3LvTH9en3Bww0AC2coSJWz1m7HcavZjvMLuDCWg/edit#heading=h.giijrtyn1fdx")
 @features.api10
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_API10_request_method(API10):
     """API 10 for request method"""
@@ -91,6 +93,7 @@ def test_api10_req_method(self):
 @rfc("https://docs.google.com/document/d/1gCXU3LvTH9en3Bww0AC2coSJWz1m7HcavZjvMLuDCWg/edit#heading=h.giijrtyn1fdx")
 @features.api10
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_API10_request_body(API10):
     """API 10 for request body"""
@@ -114,6 +117,7 @@ def test_api10_req_body(self):
 @rfc("https://docs.google.com/document/d/1gCXU3LvTH9en3Bww0AC2coSJWz1m7HcavZjvMLuDCWg/edit#heading=h.giijrtyn1fdx")
 @features.api10
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_API10_response_status(API10):
     """API 10 for response status"""
@@ -135,6 +139,7 @@ def test_api10_res_status(self):
 @rfc("https://docs.google.com/document/d/1gCXU3LvTH9en3Bww0AC2coSJWz1m7HcavZjvMLuDCWg/edit#heading=h.giijrtyn1fdx")
 @features.api10
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_API10_response_headers(API10):
     """API 10 for response headers."""
@@ -156,6 +161,7 @@ def test_api10_res_headers(self):
 @rfc("https://docs.google.com/document/d/1gCXU3LvTH9en3Bww0AC2coSJWz1m7HcavZjvMLuDCWg/edit#heading=h.giijrtyn1fdx")
 @features.api10
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_API10_response_body(API10):
     """API 10 for response body."""
@@ -179,6 +185,7 @@ def test_api10_res_body(self):
 @rfc("https://docs.google.com/document/d/1gCXU3LvTH9en3Bww0AC2coSJWz1m7HcavZjvMLuDCWg/edit#heading=h.giijrtyn1fdx")
 @features.api10
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_API10_all(API10):
     """API 10 for all addresses at the same time."""

tests/appsec/rasp/test_cmdi.py

@@ -18,6 +18,7 @@
 @rfc("https://docs.google.com/document/d/1DDWy3frMXDTAbk-BfnZ1FdRwuPx6Pl7AWyR4zjqRFZw")
 @features.rasp_command_injection
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Cmdi_UrlQuery:
     """Command Injection through query parameters"""
@@ -47,6 +48,7 @@ def test_cmdi_get(self):
 @rfc("https://docs.google.com/document/d/1DDWy3frMXDTAbk-BfnZ1FdRwuPx6Pl7AWyR4zjqRFZw")
 @features.rasp_command_injection
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Cmdi_BodyUrlEncoded:
     """Command Injection through a url-encoded body parameter"""
@@ -76,6 +78,7 @@ def test_cmdi_post_urlencoded(self):
 @rfc("https://docs.google.com/document/d/1DDWy3frMXDTAbk-BfnZ1FdRwuPx6Pl7AWyR4zjqRFZw")
 @features.rasp_command_injection
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Cmdi_BodyXml:
     """Command Injection through an xml body parameter"""
@@ -102,6 +105,7 @@ def test_cmdi_post_xml(self):
 @rfc("https://docs.google.com/document/d/1DDWy3frMXDTAbk-BfnZ1FdRwuPx6Pl7AWyR4zjqRFZw")
 @features.rasp_command_injection
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Cmdi_BodyJson:
     """Command Injection through a json body parameter"""
@@ -133,6 +137,7 @@ def test_cmdi_post_json(self):
 @features.rasp_span_tags
 @features.rasp_command_injection
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Cmdi_Mandatory_SpanTags:
     """Validate span tag generation on exploit attempts"""
@@ -148,6 +153,7 @@ def test_cmdi_span_tags(self):
 @features.rasp_span_tags
 @features.rasp_command_injection
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Cmdi_Optional_SpanTags:
     """Validate span tag generation on exploit attempts"""
@@ -163,6 +169,7 @@ def test_cmdi_span_tags(self):
 @features.rasp_stack_trace
 @features.rasp_command_injection
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Cmdi_StackTrace:
     """Validate stack trace generation on exploit attempts"""
@@ -177,6 +184,7 @@ def test_cmdi_stack_trace(self):
 @rfc("https://docs.google.com/document/d/1DDWy3frMXDTAbk-BfnZ1FdRwuPx6Pl7AWyR4zjqRFZw")
 @features.rasp_command_injection
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Cmdi_Telemetry:
     """Validate Telemetry data on exploit attempts"""
@@ -201,6 +209,7 @@ def test_cmdi_telemetry(self):
 @rfc("https://docs.google.com/document/d/1D4hkC0jwwUyeo0hEQgyKP54kM1LZU98GL8MaP60tQrA")
 @features.rasp_command_injection
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Cmdi_Telemetry_V2:
     """Validate Telemetry data on exploit attempts"""
@@ -229,6 +238,7 @@ def test_cmdi_telemetry(self):
 @rfc("https://docs.google.com/document/d/1DDWy3frMXDTAbk-BfnZ1FdRwuPx6Pl7AWyR4zjqRFZw")
 @features.rasp_command_injection
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Cmdi_Telemetry_Variant_Tag:
     """Validate Telemetry data variant tag on exploit attempts"""

tests/appsec/rasp/test_lfi.py

@@ -20,6 +20,7 @@
 @rfc("https://docs.google.com/document/d/1vmMqpl8STDk7rJnd3YBsa6O9hCls_XHHdsodD61zr_4/edit#heading=h.3nydvvu7sn93")
 @features.rasp_local_file_inclusion
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Lfi_UrlQuery:
     """Local file inclusion through query parameters"""
@@ -43,6 +44,7 @@ def test_lfi_get(self):
 @rfc("https://docs.google.com/document/d/1vmMqpl8STDk7rJnd3YBsa6O9hCls_XHHdsodD61zr_4/edit#heading=h.3nydvvu7sn93")
 @features.rasp_local_file_inclusion
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Lfi_BodyUrlEncoded:
     """Local file inclusion through a url-encoded body parameter"""
@@ -66,6 +68,7 @@ def test_lfi_post_urlencoded(self):
 @rfc("https://docs.google.com/document/d/1vmMqpl8STDk7rJnd3YBsa6O9hCls_XHHdsodD61zr_4/edit#heading=h.3nydvvu7sn93")
 @features.rasp_local_file_inclusion
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Lfi_BodyXml:
     """Local file inclusion through an xml body parameter"""
@@ -90,6 +93,7 @@ def test_lfi_post_xml(self):
 @rfc("https://docs.google.com/document/d/1vmMqpl8STDk7rJnd3YBsa6O9hCls_XHHdsodD61zr_4/edit#heading=h.3nydvvu7sn93")
 @features.rasp_local_file_inclusion
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Lfi_BodyJson:
     """Local file inclusion through a json body parameter"""
@@ -115,6 +119,7 @@ def test_lfi_post_json(self):
 @features.rasp_span_tags
 @features.rasp_local_file_inclusion
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Lfi_Mandatory_SpanTags:
     """Validate span tag generation on exploit attempts"""
@@ -130,6 +135,7 @@ def test_lfi_span_tags(self):
 @features.rasp_span_tags
 @features.rasp_local_file_inclusion
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Lfi_Optional_SpanTags:
     """Validate span tag generation on exploit attempts"""
@@ -162,6 +168,7 @@ def test_rasp_match_tag(self):
 @features.rasp_stack_trace
 @features.rasp_local_file_inclusion
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Lfi_StackTrace:
     """Validate stack trace generation on exploit attempts"""
@@ -176,6 +183,7 @@ def test_lfi_stack_trace(self):
 @rfc("https://docs.google.com/document/d/1vmMqpl8STDk7rJnd3YBsa6O9hCls_XHHdsodD61zr_4/edit#heading=h.96mezjnqf46y")
 @features.rasp_local_file_inclusion
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Lfi_Telemetry:
     """Validate Telemetry data on exploit attempts"""
@@ -200,6 +208,7 @@ def test_lfi_telemetry(self):
 @rfc("https://docs.google.com/document/d/1D4hkC0jwwUyeo0hEQgyKP54kM1LZU98GL8MaP60tQrA")
 @features.rasp_local_file_inclusion
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Lfi_Telemetry_V2:
     """Validate Telemetry data on exploit attempts"""

tests/appsec/rasp/test_shi.py

@@ -27,6 +27,7 @@ def get_shell_value(self):
 @rfc("https://docs.google.com/document/d/1gCXU3LvTH9en3Bww0AC2coSJWz1m7HcavZjvMLuDCWg/edit#heading=h.giijrtyn1fdx")
 @features.rasp_shell_injection
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Shi_UrlQuery(Test_Shi_Base):
     """Shell Injection through query parameters"""
@@ -50,6 +51,7 @@ def test_shi_get(self):
 @rfc("https://docs.google.com/document/d/1gCXU3LvTH9en3Bww0AC2coSJWz1m7HcavZjvMLuDCWg/edit#heading=h.giijrtyn1fdx")
 @features.rasp_shell_injection
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Shi_BodyUrlEncoded(Test_Shi_Base):
     """Shell Injection through a url-encoded body parameter"""
@@ -73,6 +75,7 @@ def test_shi_post_urlencoded(self):
 @rfc("https://docs.google.com/document/d/1gCXU3LvTH9en3Bww0AC2coSJWz1m7HcavZjvMLuDCWg/edit#heading=h.giijrtyn1fdx")
 @features.rasp_shell_injection
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Shi_BodyXml(Test_Shi_Base):
     """Shell Injection through an xml body parameter"""
@@ -97,6 +100,7 @@ def test_shi_post_xml(self):
 @rfc("https://docs.google.com/document/d/1gCXU3LvTH9en3Bww0AC2coSJWz1m7HcavZjvMLuDCWg/edit#heading=h.giijrtyn1fdx")
 @features.rasp_shell_injection
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Shi_BodyJson(Test_Shi_Base):
     """Shell Injection through a json body parameter"""
@@ -122,6 +126,7 @@ def test_shi_post_json(self):
 @features.rasp_span_tags
 @features.rasp_shell_injection
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Shi_Mandatory_SpanTags:
     """Validate span tag generation on exploit attempts"""
@@ -137,6 +142,7 @@ def test_shi_span_tags(self):
 @features.rasp_span_tags
 @features.rasp_shell_injection
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Shi_Optional_SpanTags:
     """Validate span tag generation on exploit attempts"""
@@ -152,6 +158,7 @@ def test_shi_span_tags(self):
 @features.rasp_stack_trace
 @features.rasp_shell_injection
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Shi_StackTrace:
     """Validate stack trace generation on exploit attempts"""
@@ -166,6 +173,7 @@ def test_shi_stack_trace(self):
 @rfc("https://docs.google.com/document/d/1vmMqpl8STDk7rJnd3YBsa6O9hCls_XHHdsodD61zr_4/edit#heading=h.96mezjnqf46y")
 @features.rasp_shell_injection
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Shi_Telemetry:
     """Validate Telemetry data on exploit attempts"""
@@ -190,6 +198,7 @@ def test_shi_telemetry(self):
 @rfc("https://docs.google.com/document/d/1D4hkC0jwwUyeo0hEQgyKP54kM1LZU98GL8MaP60tQrA")
 @features.rasp_shell_injection
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Shi_Telemetry_V2:
     """Validate Telemetry data on exploit attempts"""
@@ -216,6 +225,7 @@ def test_shi_telemetry(self):
 @rfc("https://docs.google.com/document/d/1DDWy3frMXDTAbk-BfnZ1FdRwuPx6Pl7AWyR4zjqRFZw")
 @features.rasp_shell_injection
 @scenarios.appsec_rasp
+@scenarios.appsec_lambda_rasp
 @scenarios.appsec_standalone_rasp
 class Test_Shi_Telemetry_Variant_Tag:
     """Validate Telemetry data variant tag on exploit attempts"""