dd-trace 3.41.0 → 3.42.0

package/packages/dd-trace/src/appsec/iast/analyzers/header-injection-analyzer.js

@@ -0,0 +1,105 @@
+'use strict'
+
+const InjectionAnalyzer = require('./injection-analyzer')
+const { HEADER_INJECTION } = require('../vulnerabilities')
+const { getNodeModulesPaths } = require('../path-line')
+const { HEADER_NAME_VALUE_SEPARATOR } = require('../vulnerabilities-formatter/constants')
+const { getRanges } = require('../taint-tracking/operations')
+const {
+  HTTP_REQUEST_COOKIE_NAME,
+  HTTP_REQUEST_COOKIE_VALUE,
+  HTTP_REQUEST_HEADER_VALUE
+} = require('../taint-tracking/source-types')
+
+const EXCLUDED_PATHS = getNodeModulesPaths('express')
+const EXCLUDED_HEADER_NAMES = [
+  'location',
+  'sec-websocket-location',
+  'sec-websocket-accept',
+  'upgrade',
+  'connection'
+]
+
+class HeaderInjectionAnalyzer extends InjectionAnalyzer {
+  constructor () {
+    super(HEADER_INJECTION)
+  }
+
+  onConfigure () {
+    this.addSub('datadog:http:server:response:set-header:finish', ({ name, value }) => {
+      if (Array.isArray(value)) {
+        for (let i = 0; i < value.length; i++) {
+          const headerValue = value[i]
+
+          this.analyze({ name, value: headerValue })
+        }
+      } else {
+        this.analyze({ name, value })
+      }
+    })
+  }
+
+  _isVulnerable ({ name, value }, iastContext) {
+    const lowerCasedHeaderName = name?.trim().toLowerCase()
+
+    if (this.isExcludedHeaderName(lowerCasedHeaderName) || typeof value !== 'string') return
+
+    const ranges = getRanges(iastContext, value)
+    if (ranges?.length > 0) {
+      return !(this.isCookieExclusion(lowerCasedHeaderName, ranges) ||
+        this.isSameHeaderExclusion(lowerCasedHeaderName, ranges) ||
+        this.isAccessControlAllowOriginExclusion(lowerCasedHeaderName, ranges))
+    }
+
+    return false
+  }
+
+  _getEvidence (headerInfo, iastContext) {
+    const prefix = headerInfo.name + HEADER_NAME_VALUE_SEPARATOR
+    const prefixLength = prefix.length
+
+    const evidence = super._getEvidence(headerInfo.value, iastContext)
+    evidence.value = prefix + evidence.value
+    evidence.ranges = evidence.ranges.map(range => {
+      return {
+        ...range,
+        start: range.start + prefixLength,
+        end: range.end + prefixLength
+      }
+    })
+
+    return evidence
+  }
+
+  isExcludedHeaderName (name) {
+    return EXCLUDED_HEADER_NAMES.includes(name)
+  }
+
+  isCookieExclusion (name, ranges) {
+    if (name === 'set-cookie') {
+      return ranges
+        .every(range => range.iinfo.type === HTTP_REQUEST_COOKIE_VALUE || range.iinfo.type === HTTP_REQUEST_COOKIE_NAME)
+    }
+
+    return false
+  }
+
+  isAccessControlAllowOriginExclusion (name, ranges) {
+    if (name === 'access-control-allow-origin') {
+      return ranges
+        .every(range => range.iinfo.type === HTTP_REQUEST_HEADER_VALUE)
+    }
+
+    return false
+  }
+
+  isSameHeaderExclusion (name, ranges) {
+    return ranges.length === 1 && name === ranges[0].iinfo.parameterName?.toLowerCase()
+  }
+
+  _getExcludedPaths () {
+    return EXCLUDED_PATHS
+  }
+}
+
+module.exports = new HeaderInjectionAnalyzer()

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/constants.js

@@ -0,0 +1,7 @@
+'use strict'
+
+const HEADER_NAME_VALUE_SEPARATOR = ': '
+
+module.exports = {
+  HEADER_NAME_VALUE_SEPARATOR
+}

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/command-sensitive-analyzer.js

@@ -3,27 +3,20 @@
 const iastLog = require('../../../iast-log')
 
 const COMMAND_PATTERN = '^(?:\\s*(?:sudo|doas)\\s+)?\\b\\S+\\b\\s(.*)'
+const pattern = new RegExp(COMMAND_PATTERN, 'gmi')
 
-class CommandSensitiveAnalyzer {
-  constructor () {
-    this._pattern = new RegExp(COMMAND_PATTERN, 'gmi')
-  }
-
-  extractSensitiveRanges (evidence) {
-    try {
-      this._pattern.lastIndex = 0
+module.exports = function extractSensitiveRanges (evidence) {
+  try {
+    pattern.lastIndex = 0
 
-      const regexResult = this._pattern.exec(evidence.value)
-      if (regexResult && regexResult.length > 1) {
-        const start = regexResult.index + (regexResult[0].length - regexResult[1].length)
-        const end = start + regexResult[1].length
-        return [{ start, end }]
-      }
-    } catch (e) {
-      iastLog.debug(e)
+    const regexResult = pattern.exec(evidence.value)
+    if (regexResult && regexResult.length > 1) {
+      const start = regexResult.index + (regexResult[0].length - regexResult[1].length)
+      const end = start + regexResult[1].length
+      return [{ start, end }]
     }
-    return []
+  } catch (e) {
+    iastLog.debug(e)
   }
+  return []
 }
-
-module.exports = CommandSensitiveAnalyzer

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/header-sensitive-analyzer.js

@@ -0,0 +1,20 @@
+'use strict'
+
+const { HEADER_NAME_VALUE_SEPARATOR } = require('../../constants')
+
+module.exports = function extractSensitiveRanges (evidence, namePattern, valuePattern) {
+  const evidenceValue = evidence.value
+  const sections = evidenceValue.split(HEADER_NAME_VALUE_SEPARATOR)
+  const headerName = sections[0]
+  const headerValue = sections.slice(1).join(HEADER_NAME_VALUE_SEPARATOR)
+  namePattern.lastIndex = 0
+  valuePattern.lastIndex = 0
+  if (namePattern.test(headerName) || valuePattern.test(headerValue)) {
+    return [{
+      start: headerName.length + HEADER_NAME_VALUE_SEPARATOR.length,
+      end: evidenceValue.length
+    }]
+  }
+
+  return []
+}

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/json-sensitive-analyzer.js

@@ -2,15 +2,11 @@
 
 const { stringifyWithRanges } = require('../../utils')
 
-class JsonSensitiveAnalyzer {
-  extractSensitiveRanges (evidence) {
-    // expect object evidence
-    const { value, ranges, sensitiveRanges } = stringifyWithRanges(evidence.value, evidence.rangesToApply, true)
-    evidence.value = value
-    evidence.ranges = ranges
+module.exports = function extractSensitiveRanges (evidence) {
+  // expect object evidence
+  const { value, ranges, sensitiveRanges } = stringifyWithRanges(evidence.value, evidence.rangesToApply, true)
+  evidence.value = value
+  evidence.ranges = ranges
 
-    return sensitiveRanges
-  }
+  return sensitiveRanges
 }
-
-module.exports = JsonSensitiveAnalyzer

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/ldap-sensitive-analyzer.js

@@ -3,33 +3,26 @@
 const iastLog = require('../../../iast-log')
 
 const LDAP_PATTERN = '\\(.*?(?:~=|=|<=|>=)(?<LITERAL>[^)]+)\\)'
+const pattern = new RegExp(LDAP_PATTERN, 'gmi')
 
-class LdapSensitiveAnalyzer {
-  constructor () {
-    this._pattern = new RegExp(LDAP_PATTERN, 'gmi')
-  }
-
-  extractSensitiveRanges (evidence) {
-    try {
-      this._pattern.lastIndex = 0
-      const tokens = []
+module.exports = function extractSensitiveRanges (evidence) {
+  try {
+    pattern.lastIndex = 0
+    const tokens = []
 
-      let regexResult = this._pattern.exec(evidence.value)
-      while (regexResult != null) {
-        if (!regexResult.groups.LITERAL) continue
-        // Computing indices manually since NodeJs 12 does not support d flag on regular expressions
-        // TODO Get indices from group by adding d flag in regular expression
-        const start = regexResult.index + (regexResult[0].length - regexResult.groups.LITERAL.length - 1)
-        const end = start + regexResult.groups.LITERAL.length
-        tokens.push({ start, end })
-        regexResult = this._pattern.exec(evidence.value)
-      }
-      return tokens
-    } catch (e) {
-      iastLog.debug(e)
+    let regexResult = pattern.exec(evidence.value)
+    while (regexResult != null) {
+      if (!regexResult.groups.LITERAL) continue
+      // Computing indices manually since NodeJs 12 does not support d flag on regular expressions
+      // TODO Get indices from group by adding d flag in regular expression
+      const start = regexResult.index + (regexResult[0].length - regexResult.groups.LITERAL.length - 1)
+      const end = start + regexResult.groups.LITERAL.length
+      tokens.push({ start, end })
+      regexResult = pattern.exec(evidence.value)
     }
-    return []
+    return tokens
+  } catch (e) {
+    iastLog.debug(e)
   }
+  return []
 }
-
-module.exports = LdapSensitiveAnalyzer

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/sql-sensitive-analyzer.js

@@ -23,96 +23,90 @@ const NUMERIC_LITERAL =
   })`
 const ORACLE_ESCAPED_LITERAL = 'q\'<.*?>\'|q\'\\(.*?\\)\'|q\'\\{.*?\\}\'|q\'\\[.*?\\]\'|q\'(?<ESCAPE>.).*?\\k<ESCAPE>\''
 
-class SqlSensitiveAnalyzer {
-  constructor () {
-    this._patterns = {
-      ANSI: new RegExp( // Default
-        [
-          NUMERIC_LITERAL,
-          STRING_LITERAL,
-          LINE_COMMENT,
-          BLOCK_COMMENT
-        ].join('|'),
-        'gmi'
-      ),
-      MYSQL: new RegExp(
-        [
-          NUMERIC_LITERAL,
-          MYSQL_STRING_LITERAL,
-          LINE_COMMENT,
-          BLOCK_COMMENT
-        ].join('|'),
-        'gmi'
-      ),
-      POSTGRES: new RegExp(
-        [
-          NUMERIC_LITERAL,
-          POSTGRESQL_ESCAPED_LITERAL,
-          STRING_LITERAL,
-          LINE_COMMENT,
-          BLOCK_COMMENT
-        ].join('|'),
-        'gmi'
-      ),
-      ORACLE: new RegExp([
-        NUMERIC_LITERAL,
-        ORACLE_ESCAPED_LITERAL,
-        STRING_LITERAL,
-        LINE_COMMENT,
-        BLOCK_COMMENT
-      ].join('|'),
-      'gmi')
-    }
-    this._patterns.SQLITE = this._patterns.MYSQL
-    this._patterns.MARIADB = this._patterns.MYSQL
-  }
+const patterns = {
+  ANSI: new RegExp( // Default
+    [
+      NUMERIC_LITERAL,
+      STRING_LITERAL,
+      LINE_COMMENT,
+      BLOCK_COMMENT
+    ].join('|'),
+    'gmi'
+  ),
+  MYSQL: new RegExp(
+    [
+      NUMERIC_LITERAL,
+      MYSQL_STRING_LITERAL,
+      LINE_COMMENT,
+      BLOCK_COMMENT
+    ].join('|'),
+    'gmi'
+  ),
+  POSTGRES: new RegExp(
+    [
+      NUMERIC_LITERAL,
+      POSTGRESQL_ESCAPED_LITERAL,
+      STRING_LITERAL,
+      LINE_COMMENT,
+      BLOCK_COMMENT
+    ].join('|'),
+    'gmi'
+  ),
+  ORACLE: new RegExp([
+    NUMERIC_LITERAL,
+    ORACLE_ESCAPED_LITERAL,
+    STRING_LITERAL,
+    LINE_COMMENT,
+    BLOCK_COMMENT
+  ].join('|'),
+  'gmi')
+}
+patterns.SQLITE = patterns.MYSQL
+patterns.MARIADB = patterns.MYSQL
 
-  extractSensitiveRanges (evidence) {
-    try {
-      let pattern = this._patterns[evidence.dialect]
-      if (!pattern) {
-        pattern = this._patterns['ANSI']
-      }
-      pattern.lastIndex = 0
-      const tokens = []
+module.exports = function extractSensitiveRanges (evidence) {
+  try {
+    let pattern = patterns[evidence.dialect]
+    if (!pattern) {
+      pattern = patterns['ANSI']
+    }
+    pattern.lastIndex = 0
+    const tokens = []
 
-      let regexResult = pattern.exec(evidence.value)
-      while (regexResult != null) {
-        let start = regexResult.index
-        let end = regexResult.index + regexResult[0].length
-        const startChar = evidence.value.charAt(start)
-        if (startChar === '\'' || startChar === '"') {
-          start++
-          end--
-        } else if (end > start + 1) {
-          const nextChar = evidence.value.charAt(start + 1)
-          if (startChar === '/' && nextChar === '*') {
-            start += 2
-            end -= 2
-          } else if (startChar === '-' && startChar === nextChar) {
-            start += 2
-          } else if (startChar.toLowerCase() === 'q' && nextChar === '\'') {
-            start += 3
-            end -= 2
-          } else if (startChar === '$') {
-            const match = regexResult[0]
-            const size = match.indexOf('$', 1) + 1
-            if (size > 1) {
-              start += size
-              end -= size
-            }
+    let regexResult = pattern.exec(evidence.value)
+    while (regexResult != null) {
+      let start = regexResult.index
+      let end = regexResult.index + regexResult[0].length
+      const startChar = evidence.value.charAt(start)
+      if (startChar === '\'' || startChar === '"') {
+        start++
+        end--
+      } else if (end > start + 1) {
+        const nextChar = evidence.value.charAt(start + 1)
+        if (startChar === '/' && nextChar === '*') {
+          start += 2
+          end -= 2
+        } else if (startChar === '-' && startChar === nextChar) {
+          start += 2
+        } else if (startChar.toLowerCase() === 'q' && nextChar === '\'') {
+          start += 3
+          end -= 2
+        } else if (startChar === '$') {
+          const match = regexResult[0]
+          const size = match.indexOf('$', 1) + 1
+          if (size > 1) {
+            start += size
+            end -= size
           }
         }
-
-        tokens.push({ start, end })
-        regexResult = pattern.exec(evidence.value)
       }
-      return tokens
-    } catch (e) {
-      iastLog.debug(e)
+
+      tokens.push({ start, end })
+      regexResult = pattern.exec(evidence.value)
     }
-    return []
+    return tokens
+  } catch (e) {
+    iastLog.debug(e)
   }
+  return []
 }
-
-module.exports = SqlSensitiveAnalyzer

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/url-sensitive-analyzer.js

@@ -4,46 +4,37 @@ const iastLog = require('../../../iast-log')
 
 const AUTHORITY = '^(?:[^:]+:)?//([^@]+)@'
 const QUERY_FRAGMENT = '[?#&]([^=&;]+)=([^?#&]+)'
+const pattern = new RegExp([AUTHORITY, QUERY_FRAGMENT].join('|'), 'gmi')
+
+module.exports = function extractSensitiveRanges (evidence) {
+  try {
+    const ranges = []
+    let regexResult = pattern.exec(evidence.value)
+
+    while (regexResult != null) {
+      if (typeof regexResult[1] === 'string') {
+        // AUTHORITY regex match always ends by group + @
+        // it means that the match last chars - 1 are always the group
+        const end = regexResult.index + (regexResult[0].length - 1)
+        const start = end - regexResult[1].length
+        ranges.push({ start, end })
+      }
 
-class UrlSensitiveAnalyzer {
-  constructor () {
-    this._pattern = new RegExp([AUTHORITY, QUERY_FRAGMENT].join('|'), 'gmi')
-  }
-
-  extractSensitiveRanges (evidence) {
-    try {
-      const pattern = this._pattern
-
-      const ranges = []
-      let regexResult = pattern.exec(evidence.value)
-
-      while (regexResult != null) {
-        if (typeof regexResult[1] === 'string') {
-          // AUTHORITY regex match always ends by group + @
-          // it means that the match last chars - 1 are always the group
-          const end = regexResult.index + (regexResult[0].length - 1)
-          const start = end - regexResult[1].length
-          ranges.push({ start, end })
-        }
-
-        if (typeof regexResult[3] === 'string') {
-          // QUERY_FRAGMENT regex always ends with the group
-          // it means that the match last chars are always the group
-          const end = regexResult.index + regexResult[0].length
-          const start = end - regexResult[3].length
-          ranges.push({ start, end })
-        }
-
-        regexResult = pattern.exec(evidence.value)
+      if (typeof regexResult[3] === 'string') {
+        // QUERY_FRAGMENT regex always ends with the group
+        // it means that the match last chars are always the group
+        const end = regexResult.index + regexResult[0].length
+        const start = end - regexResult[3].length
+        ranges.push({ start, end })
       }
 
-      return ranges
-    } catch (e) {
-      iastLog.debug(e)
+      regexResult = pattern.exec(evidence.value)
     }
 
-    return []
+    return ranges
+  } catch (e) {
+    iastLog.debug(e)
   }
-}
 
-module.exports = UrlSensitiveAnalyzer
+  return []
+}

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js

@@ -5,11 +5,12 @@ const vulnerabilities = require('../../vulnerabilities')
 
 const { contains, intersects, remove } = require('./range-utils')
 
-const CommandSensitiveAnalyzer = require('./sensitive-analyzers/command-sensitive-analyzer')
-const JsonSensitiveAnalyzer = require('./sensitive-analyzers/json-sensitive-analyzer')
-const LdapSensitiveAnalyzer = require('./sensitive-analyzers/ldap-sensitive-analyzer')
-const SqlSensitiveAnalyzer = require('./sensitive-analyzers/sql-sensitive-analyzer')
-const UrlSensitiveAnalyzer = require('./sensitive-analyzers/url-sensitive-analyzer')
+const commandSensitiveAnalyzer = require('./sensitive-analyzers/command-sensitive-analyzer')
+const headerSensitiveAnalyzer = require('./sensitive-analyzers/header-sensitive-analyzer')
+const jsonSensitiveAnalyzer = require('./sensitive-analyzers/json-sensitive-analyzer')
+const ldapSensitiveAnalyzer = require('./sensitive-analyzers/ldap-sensitive-analyzer')
+const sqlSensitiveAnalyzer = require('./sensitive-analyzers/sql-sensitive-analyzer')
+const urlSensitiveAnalyzer = require('./sensitive-analyzers/url-sensitive-analyzer')
 
 const { DEFAULT_IAST_REDACTION_NAME_PATTERN, DEFAULT_IAST_REDACTION_VALUE_PATTERN } = require('./sensitive-regex')
 
@@ -21,13 +22,15 @@ class SensitiveHandler {
     this._valuePattern = new RegExp(DEFAULT_IAST_REDACTION_VALUE_PATTERN, 'gmi')
 
     this._sensitiveAnalyzers = new Map()
-    this._sensitiveAnalyzers.set(vulnerabilities.COMMAND_INJECTION, new CommandSensitiveAnalyzer())
-    this._sensitiveAnalyzers.set(vulnerabilities.NOSQL_MONGODB_INJECTION, new JsonSensitiveAnalyzer())
-    this._sensitiveAnalyzers.set(vulnerabilities.LDAP_INJECTION, new LdapSensitiveAnalyzer())
-    this._sensitiveAnalyzers.set(vulnerabilities.SQL_INJECTION, new SqlSensitiveAnalyzer())
-    const urlSensitiveAnalyzer = new UrlSensitiveAnalyzer()
+    this._sensitiveAnalyzers.set(vulnerabilities.COMMAND_INJECTION, commandSensitiveAnalyzer)
+    this._sensitiveAnalyzers.set(vulnerabilities.NOSQL_MONGODB_INJECTION, jsonSensitiveAnalyzer)
+    this._sensitiveAnalyzers.set(vulnerabilities.LDAP_INJECTION, ldapSensitiveAnalyzer)
+    this._sensitiveAnalyzers.set(vulnerabilities.SQL_INJECTION, sqlSensitiveAnalyzer)
     this._sensitiveAnalyzers.set(vulnerabilities.SSRF, urlSensitiveAnalyzer)
     this._sensitiveAnalyzers.set(vulnerabilities.UNVALIDATED_REDIRECT, urlSensitiveAnalyzer)
+    this._sensitiveAnalyzers.set(vulnerabilities.HEADER_INJECTION, (evidence) => {
+      return headerSensitiveAnalyzer(evidence, this._namePattern, this._valuePattern)
+    })
   }
 
   isSensibleName (name) {
@@ -47,7 +50,7 @@ class SensitiveHandler {
   scrubEvidence (vulnerabilityType, evidence, sourcesIndexes, sources) {
     const sensitiveAnalyzer = this._sensitiveAnalyzers.get(vulnerabilityType)
     if (sensitiveAnalyzer) {
-      const sensitiveRanges = sensitiveAnalyzer.extractSensitiveRanges(evidence)
+      const sensitiveRanges = sensitiveAnalyzer(evidence)
       return this.toRedactedJson(evidence, sensitiveRanges, sourcesIndexes, sources)
     }
     return null

package/packages/dd-trace/src/appsec/iast/vulnerabilities.js

@@ -1,6 +1,7 @@
 module.exports = {
   COMMAND_INJECTION: 'COMMAND_INJECTION',
   HARDCODED_SECRET: 'HARDCODED_SECRET',
+  HEADER_INJECTION: 'HEADER_INJECTION',
   HSTS_HEADER_MISSING: 'HSTS_HEADER_MISSING',
   INSECURE_COOKIE: 'INSECURE_COOKIE',
   LDAP_INJECTION: 'LDAP_INJECTION',

package/packages/dd-trace/src/appsec/index.js

@@ -28,6 +28,14 @@ const { storage } = require('../../../datadog-core')
 let isEnabled = false
 let config
 
+function sampleRequest ({ enabled, requestSampling }) {
+  if (!enabled || !requestSampling) {
+    return false
+  }
+
+  return Math.random() <= requestSampling
+}
+
 function enable (_config) {
   if (isEnabled) return
 
@@ -90,6 +98,10 @@ function incomingHttpStartTranslator ({ req, res, abortController }) {
     payload[addresses.HTTP_CLIENT_IP] = clientIp
   }
 
+  if (sampleRequest(config.appsec.apiSecurity)) {
+    payload[addresses.WAF_CONTEXT_PROCESSOR] = { 'extract-schema': true }
+  }
+
   const actions = waf.run(payload, req)
 
   handleResults(actions, req, res, rootSpan, abortController)
@@ -101,7 +113,7 @@ function incomingHttpEndTranslator ({ req, res }) {
   delete responseHeaders['set-cookie']
 
   const payload = {
-    [addresses.HTTP_INCOMING_RESPONSE_CODE]: res.statusCode,
+    [addresses.HTTP_INCOMING_RESPONSE_CODE]: '' + res.statusCode,
     [addresses.HTTP_INCOMING_RESPONSE_HEADERS]: responseHeaders
   }