DataDog / dd-trace-dotnet

.NET Client Library for Datadog APM
https://docs.datadoghq.com/tracing/
Apache License 2.0

BlockingMiddleware.cs:117 Can't catch BlockException in this type of case #5878

Closed RTxin closed 1 month ago

RTxin commented 1 month ago
  1. var rname = new SQLiteCommand(taintedQuery, dbConnection).ExecuteScalar(); will be blocked by RaspModule.runWaf on execution and throw BlockException.
  2. However, since the user code uses catch (Exception ex) to catch all exceptions without rethrowing them, it causes BlockingMiddleware to fail to catch and forward BlockException.

        // Excerpt of the sample controller action from the issue. The enclosing
        // class, the dbConnection field, CreateTaintedQuery and IastControllerHelper
        // belong to the surrounding sample project and are not shown here.
        // Needs: using System; using Microsoft.AspNetCore.Mvc; using System.Data.SQLite;
        [HttpGet("SqlQuery")]
        [Route("SqlQuery/{username}")]
        public IActionResult SqlQuery(string username, string query)
        {
            try
            {
                if (dbConnection is null)
                {
                    dbConnection = IastControllerHelper.CreateDatabase();
                }
    
                if (!string.IsNullOrEmpty(username))
                {
                    // The instrumented ExecuteScalar call is where the RASP check
                    // runs and where BlockException is thrown when the WAF blocks.
                    var taintedQuery = CreateTaintedQuery(username);
                    var rname = new SQLiteCommand(taintedQuery, dbConnection).ExecuteScalar();
                    return Content("Result: " + rname);
                }
    
                if (!string.IsNullOrEmpty(query))
                {
                    var rname = new SQLiteCommand(query, dbConnection).ExecuteScalar();
                    return Content("Result: " + rname);
                }
            }
            catch (Exception ex)
            {
                // Catch-all: every exception, BlockException included, is turned into
                // a 500 here, so nothing ever reaches BlockingMiddleware.
                return StatusCode(500, IastControllerHelper.ToFormattedString(ex));
            }
    
            return BadRequest("No username was provided");
        }
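A self-contained illustration of the behaviour described in this issue, added here as an example and not taken from the dd-trace-dotnet code base: a catch-all handler swallows the block signal before the outer layer can act on it, while an exception filter lets that one type propagate. BlockException, GuardedQuery and Middleware are local stand-ins defined for the demo, not Datadog's types.

```csharp
using System;

// Local stand-in for the exception named in the issue (assumption: this is NOT
// Datadog's own type; it only models an exception the outer layer must see).
sealed class BlockException : Exception
{
    public BlockException() : base("request blocked") { }
}

static class BlockingDemo
{
    // Models an instrumented call (like ExecuteScalar in the issue). The block
    // decision is passed in explicitly instead of inspecting the query.
    static object GuardedQuery(string sql, bool blockDecision)
    {
        if (blockDecision) throw new BlockException();
        return "row for " + sql;
    }

    // Handler A: the pattern from the issue. The catch-all converts every
    // exception into a 500, so the block signal is lost at this layer.
    static int HandlerSwallows(string sql, bool block)
    {
        try { GuardedQuery(sql, block); return 200; }
        catch (Exception) { return 500; }
    }

    // Handler B: an exception filter handles ordinary failures locally but
    // leaves BlockException unhandled so it propagates to the outer layer.
    static int HandlerLetsBlockThrough(string sql, bool block)
    {
        try { GuardedQuery(sql, block); return 200; }
        catch (Exception ex) when (!(ex is BlockException)) { return 500; }
    }

    // Stand-in for a blocking middleware: only BlockException becomes a 403.
    static int Middleware(Func<int> next)
    {
        try { return next(); }
        catch (BlockException) { return 403; }
    }

    static void Main()
    {
        const string sql = "SELECT 1";  // constructed sample query; content is irrelevant here
        Console.WriteLine("catch-all handler, blocked call: " + Middleware(() => HandlerSwallows(sql, true)));
        Console.WriteLine("filtered handler, blocked call:  " + Middleware(() => HandlerLetsBlockThrough(sql, true)));
        Console.WriteLine("filtered handler, allowed call:  " + Middleware(() => HandlerLetsBlockThrough(sql, false)));
    }
}
```

Only the filtered handler yields the middleware's 403 for a blocked call; the catch-all handler reports a 500 and the block is never enforced.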
robertpi commented 1 month ago

Please contact support@datadoghq.com for questions about using the Datadog dotnet client library.