Implement SSRF

[estringana]

Description

Expand rasp capabilities with SSRF. This PR changes also the php method push_address. The reason is that now there are php functions which need to push mulitple addresses. Each call to push_address was doing a call to the WAF. This method has been changed to push_addresses allowing to push one or more at the same time.

APPSEC-52930

Reviewer checklist

• Test coverage seems ok.
• Appropriate labels assigned.

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 30.00000% with 14 lines in your changes missing coverage. Please review.

Project coverage is 74.75%. Comparing base (8413b26) to head (b514593).

Files with missing lines	Patch %	Lines
.../Integrations/Filesystem/FilesystemIntegration.php	0.00%	14 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##             master    #3014      +/-   ##
============================================
- Coverage     74.79%   74.75%   -0.05%     
- Complexity     2787     2791       +4     
============================================
  Files           112      112              
  Lines         11033    11039       +6     
============================================
  Hits           8252     8252              
- Misses         2781     2787       +6     

Flag	Coverage Δ
tracer-php	74.75% <30.00%> (-0.05%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
...DTrace/Integrations/Laravel/LaravelIntegration.php	80.22% <100.00%> (ø)
...DTrace/Integrations/Symfony/SymfonyIntegration.php	82.71% <100.00%> (ø)
...ce/Integrations/WordPress/WordPressIntegration.php	94.11% <100.00%> (ø)
.../Integrations/Filesystem/FilesystemIntegration.php	0.00% <0.00%> (ø)

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8413b26...b514593. Read the comment docs.

[pr-commenter]

Benchmarks [ tracer ]

Benchmark execution time: 2025-01-03 12:12:49

Comparing candidate commit 537c557 in PR branch estringana/implement-ssrf with baseline commit c69df0a in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 178 metrics, 0 unstable metrics.

[cataphract]

This doesn't seem sufficient to actually subscribe to the ASM_RASP_* products. In fact, it seems we're not subscribed even to ASM_RASP_LFI (see the logic in ddog_init_remote_config).

To avoid these situations, I would strong recommend that you implement an appsec/tests/integration test that submits the RASP configuration via remote config.

[cataphract]

This doesn't seem sufficient to actually subscribe to the ASM_RASP_* products. In fact, it seems we're not subscribed even to ASM_RASP_LFI (see the logic in ddog_init_remote_config).

To avoid these situations, I would strong recommend that you implement an appsec/tests/integration test that submits the RASP configuration via remote config.

Anil brought to me attention the fact that there are no new products related to RASP, only capabilities. So:

• Add SSRF Rasp capability libdatadog#814 should be reverted,
• the addition of RemoteConfigProduct::AsmRaspLfi should be reverted as well,
• this PR should not contain any references to these nonexistent products on the helper c++ files,
• ddog_init_remote_config should be modified to send these rasp capabilities,
• change integration tests so that it's tested that these capabilities are sent (there is already a test that checks the sent capabilities),
• add integration test for rasp rules, with configuration either via remote config or a local json file.