@contrast/agent 4.32.18 → 4.32.19
- package/lib/assess/sinks/ssrf-url.js +31 -21
- package/package.json +1 -1
|
@@ -20,6 +20,7 @@ Copyright: 2023 Contrast Security, Inc
|
|
|
20
20
|
* We will parse the url and only check the protocol, host, path
|
|
21
21
|
*/
|
|
22
22
|
|
|
23
|
+
const logger = require('../../core/logger')('contrast:hooks:ssrf-url');
|
|
23
24
|
const { isString } = require('../../util/is-string');
|
|
24
25
|
const tracker = require('../../tracker');
|
|
25
26
|
const { URL } = require('url');
|
|
@@ -42,7 +43,7 @@ module.exports = ({ common: { isVulnerable } }) => {
|
|
|
42
43
|
* @param {string} params.name name of tag to add
|
|
43
44
|
* @return {TagRange[]} params.list of TagRanges including the new tag
|
|
44
45
|
*/
|
|
45
|
-
ssrfUrl.addTag = function({ tags, start, stop, name }) {
|
|
46
|
+
ssrfUrl.addTag = function ({ tags, start, stop, name }) {
|
|
46
47
|
const tagRange = new TagRange(start, stop, name);
|
|
47
48
|
|
|
48
49
|
return tagRangeUtil.add(tags, tagRange);
|
|
@@ -57,7 +58,7 @@ module.exports = ({ common: { isVulnerable } }) => {
|
|
|
57
58
|
* @param {Object} disallowedTags for sink
|
|
58
59
|
* @return {Boolean} if input is vulnerable or not
|
|
59
60
|
*/
|
|
60
|
-
ssrfUrl.handle = function({ input, requiredTags, disallowedTags }) {
|
|
61
|
+
ssrfUrl.handle = function ({ input, requiredTags, disallowedTags }) {
|
|
61
62
|
if (!isString(input)) {
|
|
62
63
|
return false;
|
|
63
64
|
}
|
|
@@ -68,27 +69,36 @@ module.exports = ({ common: { isVulnerable } }) => {
|
|
|
68
69
|
return false;
|
|
69
70
|
}
|
|
70
71
|
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
72
|
+
try {
|
|
73
|
+
// we define a default base here so that `input` can be a relative path
|
|
74
|
+
const url = new URL(input, 'abc://xyz');
|
|
75
|
+
const qpIndex = url.search ? input.indexOf(url.search) : -1;
|
|
76
|
+
const pathIndex = url.pathname ? input.indexOf(
|
|
77
|
+
url.pathname,
|
|
78
|
+
// start search after protocol + // so it doesn't match `/` as first in the http://
|
|
79
|
+
// if our generated base is used, protocol will be `abc` and won't be present in the input
|
|
80
|
+
url.protocol === 'abc:' ? 0 : url.protocol.length + 2
|
|
81
|
+
) : -1;
|
|
75
82
|
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
83
|
+
if (pathIndex >= 0) {
|
|
84
|
+
contrastProps.tagRanges = ssrfUrl.addTag({
|
|
85
|
+
tags: contrastProps.tagRanges,
|
|
86
|
+
start: pathIndex,
|
|
87
|
+
stop: pathIndex + url.pathname.length - 1,
|
|
88
|
+
name: PATH_TAG
|
|
89
|
+
});
|
|
90
|
+
}
|
|
84
91
|
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
+
if (qpIndex >= 0) {
|
|
93
|
+
contrastProps.tagRanges = ssrfUrl.addTag({
|
|
94
|
+
tags: contrastProps.tagRanges,
|
|
95
|
+
start: qpIndex,
|
|
96
|
+
stop: qpIndex + url.search.length - 1,
|
|
97
|
+
name: QUERY_TAG
|
|
98
|
+
});
|
|
99
|
+
}
|
|
100
|
+
} catch (err) {
|
|
101
|
+
logger.warn('Unable to parse url %s, err: %o', err);
|
|
92
102
|
}
|
|
93
103
|
|
|
94
104
|
return isVulnerable({ input, requiredTags, disallowedTags });
|
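Review bot: The warn call at new line 101 hands a single argument to a format string with two placeholders, so `err` is consumed by `%s` and `%o` is left empty; since the missing value would be the untrusted `input` (which may carry userinfo credentials that should not land in logs), I would drop the placeholder instead of adding the argument: `logger.warn('Unable to parse url, err: %o', err);`. Separately, the tag offsets at new lines 75–81 come from `input.indexOf(url.pathname)` and `input.indexOf(url.search)`, but the WHATWG parser returns normalized components (percent-encoding of spaces and non-ASCII, `\` rewritten to `/` and dot segments collapsed for special schemes, and as far as I can tell a leading `/` prepended when a relative `input` is resolved against the `abc://xyz` base), so the substring can be absent from `input`, the index stays at -1 and the PATH or QUERY tag is silently skipped, which means the sink check is weakest on exactly the crafted inputs it exists to catch. A comment stating that limitation, or a fallback that tags the whole `input` when the lookup returns -1, would be worth adding here. The body of `ssrfUrl.handle` starts above this hunk.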