dd-trace 3.21.0 → 3.22.1

package/packages/dd-trace/src/appsec/blocking.js

@@ -5,32 +5,62 @@ const blockedTemplates = require('./blocked_templates')
 
 let templateHtml = blockedTemplates.html
 let templateJson = blockedTemplates.json
+let blockingConfiguration
 
-function block (req, res, rootSpan, abortController) {
-  if (res.headersSent) {
-    log.warn('Cannot send blocking response when headers have already been sent')
-    return
+function blockWithRedirect (res, rootSpan, abortController) {
+  rootSpan.addTags({
+    'appsec.blocked': 'true'
+  })
+
+  let statusCode = blockingConfiguration.parameters.status_code
+  if (!statusCode || statusCode < 300 || statusCode >= 400) {
+    statusCode = 303
   }
 
+  res.writeHead(statusCode, {
+    'Location': blockingConfiguration.parameters.location
+  }).end()
+
+  if (abortController) {
+    abortController.abort()
+  }
+}
+
+function blockWithContent (req, res, rootSpan, abortController) {
   let type
   let body
 
   // parse the Accept header, ex: Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8
   const accept = req.headers.accept && req.headers.accept.split(',').map((str) => str.split(';', 1)[0].trim())
 
-  if (accept && accept.includes('text/html') && !accept.includes('application/json')) {
-    type = 'text/html; charset=utf-8'
-    body = templateHtml
+  if (!blockingConfiguration || blockingConfiguration.parameters.type === 'auto') {
+    if (accept && accept.includes('text/html') && !accept.includes('application/json')) {
+      type = 'text/html; charset=utf-8'
+      body = templateHtml
+    } else {
+      type = 'application/json'
+      body = templateJson
+    }
   } else {
-    type = 'application/json'
-    body = templateJson
+    if (blockingConfiguration.parameters.type === 'html') {
+      type = 'text/html; charset=utf-8'
+      body = templateHtml
+    } else {
+      type = 'application/json'
+      body = templateJson
+    }
   }
 
   rootSpan.addTags({
     'appsec.blocked': 'true'
   })
 
-  res.statusCode = 403
+  if (blockingConfiguration && blockingConfiguration.type === 'block_request' &&
+    blockingConfiguration.parameters.status_code) {
+    res.statusCode = blockingConfiguration.parameters.status_code
+  } else {
+    res.statusCode = 403
+  }
   res.setHeader('Content-Type', type)
   res.setHeader('Content-Length', Buffer.byteLength(body))
   res.end(body)
@@ -40,6 +70,20 @@ function block (req, res, rootSpan, abortController) {
   }
 }
 
+function block (req, res, rootSpan, abortController) {
+  if (res.headersSent) {
+    log.warn('Cannot send blocking response when headers have already been sent')
+    return
+  }
+
+  if (blockingConfiguration && blockingConfiguration.type === 'redirect_request' &&
+      blockingConfiguration.parameters.location) {
+    blockWithRedirect(res, rootSpan, abortController)
+  } else {
+    blockWithContent(req, res, rootSpan, abortController)
+  }
+}
+
 function setTemplates (config) {
   if (config.appsec.blockedTemplateHtml) {
     templateHtml = config.appsec.blockedTemplateHtml
@@ -49,7 +93,12 @@ function setTemplates (config) {
   }
 }
 
+function updateBlockingConfiguration (newBlockingConfiguration) {
+  blockingConfiguration = newBlockingConfiguration
+}
+
 module.exports = {
   block,
-  setTemplates
+  setTemplates,
+  updateBlockingConfiguration
 }

package/packages/dd-trace/src/appsec/channels.js

@@ -4,8 +4,9 @@ const dc = require('../../../diagnostics_channel')
 
 // TODO: use TBD naming convention
 module.exports = {
+  bodyParser: dc.channel('datadog:body-parser:read:finish'),
   incomingHttpRequestStart: dc.channel('dd-trace:incomingHttpRequestStart'),
   incomingHttpRequestEnd: dc.channel('dd-trace:incomingHttpRequestEnd'),
-  bodyParser: dc.channel('datadog:body-parser:read:finish'),
-  queryParser: dc.channel('datadog:query:read:finish')
+  queryParser: dc.channel('datadog:query:read:finish'),
+  setCookieChannel: dc.channel('datadog:iast:set-cookie')
 }

package/packages/dd-trace/src/appsec/iast/analyzers/analyzers.js

@@ -1,10 +1,12 @@
 'use strict'
 
 module.exports = {
-  'WEAK_CIPHER_ANALYZER': require('./weak-cipher-analyzer'),
-  'WEAK_HASH_ANALYZER': require('./weak-hash-analyzer'),
-  'SQL_INJECTION_ANALYZER': require('./sql-injection-analyzer'),
-  'PATH_TRAVERSAL_ANALYZER': require('./path-traversal-analyzer'),
   'COMMAND_INJECTION_ANALYZER': require('./command-injection-analyzer'),
-  'LDAP_ANALYZER': require('./ldap-injection-analyzer')
+  'INSECURE_COOKIE_ANALYZER': require('./insecure-cookie-analyzer'),
+  'LDAP_ANALYZER': require('./ldap-injection-analyzer'),
+  'PATH_TRAVERSAL_ANALYZER': require('./path-traversal-analyzer'),
+  'SQL_INJECTION_ANALYZER': require('./sql-injection-analyzer'),
+  'SSRF': require('./ssrf-analyzer'),
+  'WEAK_CIPHER_ANALYZER': require('./weak-cipher-analyzer'),
+  'WEAK_HASH_ANALYZER': require('./weak-hash-analyzer')
 }

package/packages/dd-trace/src/appsec/iast/analyzers/index.js

@@ -1,14 +1,17 @@
 'use strict'
 
 const analyzers = require('./analyzers')
+const setCookiesHeaderInterceptor = require('./set-cookies-header-interceptor')
 
 function enableAllAnalyzers () {
+  setCookiesHeaderInterceptor.configure(true)
   for (const analyzer in analyzers) {
     analyzers[analyzer].configure(true)
   }
 }
 
 function disableAllAnalyzers () {
+  setCookiesHeaderInterceptor.configure(false)
   for (const analyzer in analyzers) {
     analyzers[analyzer].configure(false)
   }

package/packages/dd-trace/src/appsec/iast/analyzers/insecure-cookie-analyzer.js

@@ -0,0 +1,31 @@
+'use strict'
+
+const Analyzer = require('./vulnerability-analyzer')
+const { INSECURE_COOKIE } = require('../vulnerabilities')
+
+const EXCLUDED_PATHS = ['node_modules/express/lib/response.js', 'node_modules\\express\\lib\\response.js']
+
+class InsecureCookieAnalyzer extends Analyzer {
+  constructor () {
+    super(INSECURE_COOKIE)
+    this.addSub('datadog:iast:set-cookie', (cookieInfo) => this.analyze(cookieInfo))
+  }
+
+  _isVulnerable ({ cookieProperties, cookieValue }) {
+    return cookieValue && !(cookieProperties && cookieProperties.map(x => x.toLowerCase().trim()).includes('secure'))
+  }
+
+  _getEvidence ({ cookieName }) {
+    return { value: cookieName }
+  }
+
+  _createHashSource (type, evidence, location) {
+    return `${type}:${evidence.value}`
+  }
+
+  _getExcludedPaths () {
+    return EXCLUDED_PATHS
+  }
+}
+
+module.exports = new InsecureCookieAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/path-traversal-analyzer.js

@@ -6,10 +6,14 @@ const { storage } = require('../../../../../datadog-core')
 const InjectionAnalyzer = require('./injection-analyzer')
 const { PATH_TRAVERSAL } = require('../vulnerabilities')
 
+const ignoredOperations = ['dir.close', 'close']
+
 class PathTraversalAnalyzer extends InjectionAnalyzer {
   constructor () {
     super(PATH_TRAVERSAL)
     this.addSub('apm:fs:operation:start', obj => {
+      if (ignoredOperations.includes(obj.operation)) return
+
       const pathArguments = []
       if (obj.dest) {
         pathArguments.push(obj.dest)

package/packages/dd-trace/src/appsec/iast/analyzers/set-cookies-header-interceptor.js

@@ -0,0 +1,47 @@
+'use strict'
+
+const Plugin = require('../../../plugins/plugin')
+const { setCookieChannel } = require('../../channels')
+
+class SetCookiesHeaderInterceptor extends Plugin {
+  constructor () {
+    super()
+    this.cookiesInRequest = new WeakMap()
+    this.addSub('datadog:http:server:response:set-header:finish', ({ name, value, res }) => {
+      if (name.toLowerCase() === 'set-cookie') {
+        let allCookies = value
+        if (typeof value === 'string') {
+          allCookies = [value]
+        }
+        const alreadyCheckedCookies = this._getAlreadyCheckedCookiesInResponse(res)
+        allCookies.forEach(cookieString => {
+          if (!alreadyCheckedCookies.includes(cookieString)) {
+            alreadyCheckedCookies.push(cookieString)
+            setCookieChannel.publish(this._parseCookie(cookieString))
+          }
+        })
+      }
+    })
+  }
+
+  _parseCookie (cookieString) {
+    const cookieParts = cookieString.split(';')
+    const nameValueParts = cookieParts[0].split('=')
+    const cookieName = nameValueParts[0]
+    const cookieValue = nameValueParts.slice(1).join('=')
+    const cookieProperties = cookieParts.slice(1).map(part => part.trim())
+
+    return { cookieName, cookieValue, cookieProperties, cookieString }
+  }
+
+  _getAlreadyCheckedCookiesInResponse (res) {
+    let alreadyCheckedCookies = this.cookiesInRequest.get(res)
+    if (!alreadyCheckedCookies) {
+      alreadyCheckedCookies = []
+      this.cookiesInRequest.set(res, alreadyCheckedCookies)
+    }
+    return alreadyCheckedCookies
+  }
+}
+
+module.exports = new SetCookiesHeaderInterceptor()

package/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js

@@ -5,7 +5,10 @@ const { SQL_INJECTION } = require('../vulnerabilities')
 const { getRanges } = require('../taint-tracking/operations')
 const { storage } = require('../../../../../datadog-core')
 const { getIastContext } = require('../iast-context')
-const { createVulnerability, addVulnerability } = require('../vulnerability-reporter')
+const { addVulnerability } = require('../vulnerability-reporter')
+
+const EXCLUDED_PATHS = ['node_modules/mysql2', 'node_modules/sequelize', 'node_modules\\mysql2',
+  'node_modules\\sequelize']
 
 class SqlInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
@@ -13,6 +16,22 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
     this.addSub('apm:mysql:query:start', ({ sql }) => this.analyze(sql, 'MYSQL'))
     this.addSub('apm:mysql2:query:start', ({ sql }) => this.analyze(sql, 'MYSQL'))
     this.addSub('apm:pg:query:start', ({ query }) => this.analyze(query.text, 'POSTGRES'))
+
+    this.addSub('datadog:sequelize:query:start', ({ sql, dialect }) => {
+      const parentStore = storage.getStore()
+      if (parentStore) {
+        this.analyze(sql, dialect.toUpperCase())
+
+        storage.enterWith({ ...parentStore, sqlAnalyzed: true, sequelizeParentStore: parentStore })
+      }
+    })
+
+    this.addSub('datadog:sequelize:query:finish', () => {
+      const store = storage.getStore()
+      if (store.sequelizeParentStore) {
+        storage.enterWith(store.sequelizeParentStore)
+      }
+    })
   }
 
   _getEvidence (value, iastContext, dialect) {
@@ -22,9 +41,12 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
 
   analyze (value, dialect) {
     const store = storage.getStore()
-    const iastContext = getIastContext(store)
-    if (store && !iastContext) return
-    this._reportIfVulnerable(value, iastContext, dialect)
+
+    if (!(store && store.sqlAnalyzed)) {
+      const iastContext = getIastContext(store)
+      if (store && !iastContext) return
+      this._reportIfVulnerable(value, iastContext, dialect)
+    }
   }
 
   _reportIfVulnerable (value, context, dialect) {
@@ -40,10 +62,13 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
     const location = this._getLocation()
     if (!this._isExcluded(location)) {
       const spanId = context && context.rootSpan && context.rootSpan.context().toSpanId()
-      const vulnerability = createVulnerability(this._type, evidence, spanId, location)
+      const vulnerability = this._createVulnerability(this._type, evidence, spanId, location)
       addVulnerability(context, vulnerability)
     }
   }
+  _getExcludedPaths () {
+    return EXCLUDED_PATHS
+  }
 }
 
 module.exports = new SqlInjectionAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/ssrf-analyzer.js

@@ -0,0 +1,26 @@
+'use strict'
+
+const InjectionAnalyzer = require('./injection-analyzer')
+const { SSRF } = require('../vulnerabilities')
+
+class SSRFAnalyzer extends InjectionAnalyzer {
+  constructor () {
+    super(SSRF)
+
+    this.addSub('apm:http:client:request:start', ({ args }) => {
+      if (typeof args.originalUrl === 'string') {
+        this.analyze(args.originalUrl)
+      } else if (args.options && args.options.host) {
+        this.analyze(args.options.host)
+      }
+    })
+
+    this.addSub('apm:http2:client:connect:start', ({ authority }) => {
+      if (authority && typeof authority === 'string') {
+        this.analyze(authority)
+      }
+    })
+  }
+}
+
+module.exports = new SSRFAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -4,7 +4,7 @@ const Plugin = require('../../../../src/plugins/plugin')
 const { storage } = require('../../../../../datadog-core')
 const iastLog = require('../iast-log')
 const { getFirstNonDDPathAndLine } = require('../path-line')
-const { createVulnerability, addVulnerability } = require('../vulnerability-reporter')
+const { addVulnerability } = require('../vulnerability-reporter')
 const { getIastContext } = require('../iast-context')
 const overheadController = require('../overhead-controller')
 
@@ -41,7 +41,7 @@ class Analyzer extends Plugin {
     const location = this._getLocation()
     if (!this._isExcluded(location)) {
       const spanId = context && context.rootSpan && context.rootSpan.context().toSpanId()
-      const vulnerability = createVulnerability(this._type, evidence, spanId, location)
+      const vulnerability = this._createVulnerability(this._type, evidence, spanId, location)
       addVulnerability(context, vulnerability)
     }
   }
@@ -59,9 +59,11 @@ class Analyzer extends Plugin {
   }
 
   _getLocation () {
-    return getFirstNonDDPathAndLine()
+    return getFirstNonDDPathAndLine(this._getExcludedPaths())
   }
 
+  _getExcludedPaths () {}
+
   analyze (value) {
     const store = storage.getStore()
     const iastContext = getIastContext(store)
@@ -87,6 +89,36 @@ class Analyzer extends Plugin {
   _checkOCE (context) {
     return overheadController.hasQuota(overheadController.OPERATIONS.REPORT_VULNERABILITY, context)
   }
+
+  _createVulnerability (type, evidence, spanId, location) {
+    if (type && evidence) {
+      const _spanId = spanId || 0
+      return {
+        type,
+        evidence,
+        location: {
+          spanId: _spanId,
+          ...location
+        },
+        hash: this._createHash(this._createHashSource(type, evidence, location))
+      }
+    }
+    return null
+  }
+
+  _createHashSource (type, evidence, location) {
+    return location ? `${type}:${location.path}:${location.line}` : type
+  }
+
+  _createHash (hashSource) {
+    let hash = 0
+    let offset = 0
+    const size = hashSource.length
+    for (let i = 0; i < size; i++) {
+      hash = ((hash << 5) - hash) + hashSource.charCodeAt(offset++)
+    }
+    return hash
+  }
 }
 
 module.exports = Analyzer

package/packages/dd-trace/src/appsec/iast/path-line.js

@@ -37,12 +37,12 @@ function getCallSiteInfo () {
   return callsiteList
 }
 
-function getFirstNonDDPathAndLineFromCallsites (callsites) {
+function getFirstNonDDPathAndLineFromCallsites (callsites, externallyExcludedPaths) {
   if (callsites) {
     for (let i = 0; i < callsites.length; i++) {
       const callsite = callsites[i]
       const filepath = callsite.getFileName()
-      if (!isExcluded(callsite) && filepath.indexOf(pathLine.ddBasePath) === -1) {
+      if (!isExcluded(callsite, externallyExcludedPaths) && filepath.indexOf(pathLine.ddBasePath) === -1) {
         return {
           path: path.relative(process.cwd(), filepath),
           line: callsite.getLineNumber(),
@@ -54,26 +54,33 @@ function getFirstNonDDPathAndLineFromCallsites (callsites) {
   return null
 }
 
-function isExcluded (callsite) {
+function isExcluded (callsite, externallyExcludedPaths) {
   if (callsite.isNative()) return true
   const filename = callsite.getFileName()
   if (!filename) {
     return true
   }
-  for (let i = 0; i < EXCLUDED_PATHS.length; i++) {
-    if (filename.indexOf(EXCLUDED_PATHS[i]) > -1) {
+  let excludedPaths = EXCLUDED_PATHS
+  if (externallyExcludedPaths) {
+    excludedPaths = [...excludedPaths, ...externallyExcludedPaths]
+  }
+
+  for (let i = 0; i < excludedPaths.length; i++) {
+    if (filename.indexOf(excludedPaths[i]) > -1) {
       return true
     }
   }
+
   for (let i = 0; i < EXCLUDED_PATH_PREFIXES.length; i++) {
     if (filename.indexOf(EXCLUDED_PATH_PREFIXES[i]) === 0) {
       return true
     }
   }
+
   return false
 }
 
-function getFirstNonDDPathAndLine () {
-  return getFirstNonDDPathAndLineFromCallsites(getCallSiteInfo())
+function getFirstNonDDPathAndLine (externallyExcludedPaths) {
+  return getFirstNonDDPathAndLineFromCallsites(getCallSiteInfo(), externallyExcludedPaths)
 }
 module.exports = pathLine

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js

@@ -12,17 +12,32 @@ class TaintTrackingPlugin extends Plugin {
     this._type = 'taint-tracking'
     this.addSub(
       'datadog:body-parser:read:finish',
-      ({ req }) => this._taintTrackingHandler(HTTP_REQUEST_BODY, req, 'body')
+      ({ req }) => {
+        const iastContext = getIastContext(storage.getStore())
+        if (iastContext && iastContext['body'] !== req.body) {
+          this._taintTrackingHandler(HTTP_REQUEST_BODY, req, 'body', iastContext)
+          iastContext['body'] = req.body
+        }
+      }
     )
     this.addSub(
       'datadog:qs:parse:finish',
       ({ qs }) => this._taintTrackingHandler(HTTP_REQUEST_PARAMETER, qs))
+
+    this.addSub('apm:express:middleware:next', ({ req }) => {
+      if (req && req.body && typeof req.body === 'object') {
+        const iastContext = getIastContext(storage.getStore())
+        if (iastContext && iastContext['body'] !== req.body) {
+          this._taintTrackingHandler(HTTP_REQUEST_BODY, req, 'body', iastContext)
+          iastContext['body'] = req.body
+        }
+      }
+    })
   }
 
-  _taintTrackingHandler (type, target, property) {
-    const iastContext = getIastContext(storage.getStore())
+  _taintTrackingHandler (type, target, property, iastContext = getIastContext(storage.getStore())) {
     if (!property) {
-      target = taintObject(iastContext, target, type)
+      taintObject(iastContext, target, type)
     } else {
       target[property] = taintObject(iastContext, target[property], type)
     }

package/packages/dd-trace/src/appsec/iast/telemetry/logs.js

@@ -28,7 +28,7 @@ function sendLogs () {
 }
 
 function isLevelEnabled (level) {
-  return isLogCollectionEnabled(config) && (level !== 'DEBUG' || config.telemetry.debug)
+  return isLogCollectionEnabled(config) && level !== 'DEBUG'
 }
 
 function isLogCollectionEnabled (config) {

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/sql-sensitive-analyzer.js

@@ -21,10 +21,20 @@ const NUMERIC_LITERAL =
       INTEGER_NUMBER + EXPONENT
     ].join('|')
   })`
+const ORACLE_ESCAPED_LITERAL = 'q\'<.*?>\'|q\'\\(.*?\\)\'|q\'\\{.*?\\}\'|q\'\\[.*?\\]\'|q\'(?<ESCAPE>.).*?\\k<ESCAPE>\''
 
 class SqlSensitiveAnalyzer {
   constructor () {
     this._patterns = {
+      ANSI: new RegExp( // Default
+        [
+          NUMERIC_LITERAL,
+          STRING_LITERAL,
+          LINE_COMMENT,
+          BLOCK_COMMENT
+        ].join('|'),
+        'gmi'
+      ),
       MYSQL: new RegExp(
         [
           NUMERIC_LITERAL,
@@ -43,13 +53,26 @@ class SqlSensitiveAnalyzer {
           BLOCK_COMMENT
         ].join('|'),
         'gmi'
-      )
+      ),
+      ORACLE: new RegExp([
+        NUMERIC_LITERAL,
+        ORACLE_ESCAPED_LITERAL,
+        STRING_LITERAL,
+        LINE_COMMENT,
+        BLOCK_COMMENT
+      ].join('|'),
+      'gmi')
     }
+    this._patterns.SQLITE = this._patterns.MYSQL
+    this._patterns.MARIADB = this._patterns.MYSQL
   }
 
   extractSensitiveRanges (evidence) {
     try {
-      const pattern = this._patterns[evidence.dialect]
+      let pattern = this._patterns[evidence.dialect]
+      if (!pattern) {
+        pattern = this._patterns['ANSI']
+      }
       pattern.lastIndex = 0
       const tokens = []
 

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/url-sensitive-analyzer.js

@@ -0,0 +1,49 @@
+'use strict'
+
+const iastLog = require('../../../iast-log')
+
+const AUTHORITY = '^(?:[^:]+:)?//([^@]+)@'
+const QUERY_FRAGMENT = '[?#&]([^=&;]+)=([^?#&]+)'
+
+class UrlSensitiveAnalyzer {
+  constructor () {
+    this._pattern = new RegExp([AUTHORITY, QUERY_FRAGMENT].join('|'), 'gmi')
+  }
+
+  extractSensitiveRanges (evidence) {
+    try {
+      const pattern = this._pattern
+
+      const ranges = []
+      let regexResult = pattern.exec(evidence.value)
+
+      while (regexResult != null) {
+        if (typeof regexResult[1] === 'string') {
+          // AUTHORITY regex match always ends by group + @
+          // it means that the match last chars - 1 are always the group
+          const end = regexResult.index + (regexResult[0].length - 1)
+          const start = end - regexResult[1].length
+          ranges.push({ start, end })
+        }
+
+        if (typeof regexResult[3] === 'string') {
+          // QUERY_FRAGMENT regex always ends with the group
+          // it means that the match last chars are always the group
+          const end = regexResult.index + regexResult[0].length
+          const start = end - regexResult[3].length
+          ranges.push({ start, end })
+        }
+
+        regexResult = pattern.exec(evidence.value)
+      }
+
+      return ranges
+    } catch (e) {
+      iastLog.debug(e)
+    }
+
+    return []
+  }
+}
+
+module.exports = UrlSensitiveAnalyzer

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js

@@ -7,6 +7,7 @@ const { contains, intersects, remove } = require('./range-utils')
 const CommandSensitiveAnalyzer = require('./sensitive-analyzers/command-sensitive-analyzer')
 const LdapSensitiveAnalyzer = require('./sensitive-analyzers/ldap-sensitive-analyzer')
 const SqlSensitiveAnalyzer = require('./sensitive-analyzers/sql-sensitive-analyzer')
+const UrlSensitiveAnalyzer = require('./sensitive-analyzers/url-sensitive-analyzer')
 
 // eslint-disable-next-line max-len
 const DEFAULT_IAST_REDACTION_NAME_PATTERN = '(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)'
@@ -22,6 +23,7 @@ class SensitiveHandler {
     this._sensitiveAnalyzers.set(vulnerabilities.COMMAND_INJECTION, new CommandSensitiveAnalyzer())
     this._sensitiveAnalyzers.set(vulnerabilities.LDAP_INJECTION, new LdapSensitiveAnalyzer())
     this._sensitiveAnalyzers.set(vulnerabilities.SQL_INJECTION, new SqlSensitiveAnalyzer())
+    this._sensitiveAnalyzers.set(vulnerabilities.SSRF, new UrlSensitiveAnalyzer())
   }
 
   isSensibleName (name) {
@@ -102,7 +104,7 @@ class SensitiveHandler {
             if (entry.start === i) {
               nextSensitive = entry
             } else {
-              sensitive.push(entry)
+              sensitive.unshift(entry)
             }
           }
         }

package/packages/dd-trace/src/appsec/iast/vulnerabilities.js

@@ -1,8 +1,10 @@
 module.exports = {
-  WEAK_HASH: 'WEAK_HASH',
-  WEAK_CIPHER: 'WEAK_CIPHER',
-  SQL_INJECTION: 'SQL_INJECTION',
-  PATH_TRAVERSAL: 'PATH_TRAVERSAL',
   COMMAND_INJECTION: 'COMMAND_INJECTION',
-  LDAP_INJECTION: 'LDAP_INJECTION'
+  INSECURE_COOKIE: 'INSECURE_COOKIE',
+  LDAP_INJECTION: 'LDAP_INJECTION',
+  PATH_TRAVERSAL: 'PATH_TRAVERSAL',
+  SQL_INJECTION: 'SQL_INJECTION',
+  SSRF: 'SSRF',
+  WEAK_CIPHER: 'WEAK_CIPHER',
+  WEAK_HASH: 'WEAK_HASH'
 }