npm - dd-trace - Versions diffs - 4.18.0 → 5.6.0 - Mend

dd-trace 4.18.0 → 5.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (209) hide show

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/constants.js ADDED Viewed

@@ -0,0 +1,7 @@
+'use strict'
+const HEADER_NAME_VALUE_SEPARATOR = ': '
+module.exports = {
+  HEADER_NAME_VALUE_SEPARATOR
+}

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/command-sensitive-analyzer.js CHANGED Viewed

@@ -3,27 +3,20 @@
 const iastLog = require('../../../iast-log')
 const COMMAND_PATTERN = '^(?:\\s*(?:sudo|doas)\\s+)?\\b\\S+\\b\\s(.*)'
+const pattern = new RegExp(COMMAND_PATTERN, 'gmi')
-class CommandSensitiveAnalyzer {
-  constructor () {
-    this._pattern = new RegExp(COMMAND_PATTERN, 'gmi')
-  }
-  extractSensitiveRanges (evidence) {
-    try {
-      this._pattern.lastIndex = 0
+module.exports = function extractSensitiveRanges (evidence) {
+  try {
+    pattern.lastIndex = 0
-      const regexResult = this._pattern.exec(evidence.value)
-      if (regexResult && regexResult.length > 1) {
-        const start = regexResult.index + (regexResult[0].length - regexResult[1].length)
-        const end = start + regexResult[1].length
-        return [{ start, end }]
-      }
-    } catch (e) {
-      iastLog.debug(e)
+    const regexResult = pattern.exec(evidence.value)
+    if (regexResult && regexResult.length > 1) {
+      const start = regexResult.index + (regexResult[0].length - regexResult[1].length)
+      const end = start + regexResult[1].length
+      return [{ start, end }]
     }
-    return []
+  } catch (e) {
+    iastLog.debug(e)
   }
+  return []
 }
-module.exports = CommandSensitiveAnalyzer

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/header-sensitive-analyzer.js ADDED Viewed

@@ -0,0 +1,20 @@
+'use strict'
+const { HEADER_NAME_VALUE_SEPARATOR } = require('../../constants')
+module.exports = function extractSensitiveRanges (evidence, namePattern, valuePattern) {
+  const evidenceValue = evidence.value
+  const sections = evidenceValue.split(HEADER_NAME_VALUE_SEPARATOR)
+  const headerName = sections[0]
+  const headerValue = sections.slice(1).join(HEADER_NAME_VALUE_SEPARATOR)
+  namePattern.lastIndex = 0
+  valuePattern.lastIndex = 0
+  if (namePattern.test(headerName) || valuePattern.test(headerValue)) {
+    return [{
+      start: headerName.length + HEADER_NAME_VALUE_SEPARATOR.length,
+      end: evidenceValue.length
+    }]
+  }
+  return []
+}

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/json-sensitive-analyzer.js CHANGED Viewed

@@ -2,15 +2,11 @@
 const { stringifyWithRanges } = require('../../utils')
-class JsonSensitiveAnalyzer {
-  extractSensitiveRanges (evidence) {
-    // expect object evidence
-    const { value, ranges, sensitiveRanges } = stringifyWithRanges(evidence.value, evidence.rangesToApply, true)
-    evidence.value = value
-    evidence.ranges = ranges
+module.exports = function extractSensitiveRanges (evidence) {
+  // expect object evidence
+  const { value, ranges, sensitiveRanges } = stringifyWithRanges(evidence.value, evidence.rangesToApply, true)
+  evidence.value = value
+  evidence.ranges = ranges
-    return sensitiveRanges
-  }
+  return sensitiveRanges
 }
-module.exports = JsonSensitiveAnalyzer

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/ldap-sensitive-analyzer.js CHANGED Viewed

@@ -3,33 +3,26 @@
 const iastLog = require('../../../iast-log')
 const LDAP_PATTERN = '\\(.*?(?:~=|=|<=|>=)(?<LITERAL>[^)]+)\\)'
+const pattern = new RegExp(LDAP_PATTERN, 'gmi')
-class LdapSensitiveAnalyzer {
-  constructor () {
-    this._pattern = new RegExp(LDAP_PATTERN, 'gmi')
-  }
-  extractSensitiveRanges (evidence) {
-    try {
-      this._pattern.lastIndex = 0
-      const tokens = []
+module.exports = function extractSensitiveRanges (evidence) {
+  try {
+    pattern.lastIndex = 0
+    const tokens = []
-      let regexResult = this._pattern.exec(evidence.value)
-      while (regexResult != null) {
-        if (!regexResult.groups.LITERAL) continue
-        // Computing indices manually since NodeJs 12 does not support d flag on regular expressions
-        // TODO Get indices from group by adding d flag in regular expression
-        const start = regexResult.index + (regexResult[0].length - regexResult.groups.LITERAL.length - 1)
-        const end = start + regexResult.groups.LITERAL.length
-        tokens.push({ start, end })
-        regexResult = this._pattern.exec(evidence.value)
-      }
-      return tokens
-    } catch (e) {
-      iastLog.debug(e)
+    let regexResult = pattern.exec(evidence.value)
+    while (regexResult != null) {
+      if (!regexResult.groups.LITERAL) continue
+      // Computing indices manually since NodeJs 12 does not support d flag on regular expressions
+      // TODO Get indices from group by adding d flag in regular expression
+      const start = regexResult.index + (regexResult[0].length - regexResult.groups.LITERAL.length - 1)
+      const end = start + regexResult.groups.LITERAL.length
+      tokens.push({ start, end })
+      regexResult = pattern.exec(evidence.value)
     }
-    return []
+    return tokens
+  } catch (e) {
+    iastLog.debug(e)
   }
+  return []
 }
-module.exports = LdapSensitiveAnalyzer

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/sql-sensitive-analyzer.js CHANGED Viewed

@@ -23,96 +23,90 @@ const NUMERIC_LITERAL =
   })`
 const ORACLE_ESCAPED_LITERAL = 'q\'<.*?>\'|q\'\\(.*?\\)\'|q\'\\{.*?\\}\'|q\'\\[.*?\\]\'|q\'(?<ESCAPE>.).*?\\k<ESCAPE>\''
-class SqlSensitiveAnalyzer {
-  constructor () {
-    this._patterns = {
-      ANSI: new RegExp( // Default
-        [
-          NUMERIC_LITERAL,
-          STRING_LITERAL,
-          LINE_COMMENT,
-          BLOCK_COMMENT
-        ].join('|'),
-        'gmi'
-      ),
-      MYSQL: new RegExp(
-        [
-          NUMERIC_LITERAL,
-          MYSQL_STRING_LITERAL,
-          LINE_COMMENT,
-          BLOCK_COMMENT
-        ].join('|'),
-        'gmi'
-      ),
-      POSTGRES: new RegExp(
-        [
-          NUMERIC_LITERAL,
-          POSTGRESQL_ESCAPED_LITERAL,
-          STRING_LITERAL,
-          LINE_COMMENT,
-          BLOCK_COMMENT
-        ].join('|'),
-        'gmi'
-      ),
-      ORACLE: new RegExp([
-        NUMERIC_LITERAL,
-        ORACLE_ESCAPED_LITERAL,
-        STRING_LITERAL,
-        LINE_COMMENT,
-        BLOCK_COMMENT
-      ].join('|'),
-      'gmi')
-    }
-    this._patterns.SQLITE = this._patterns.MYSQL
-    this._patterns.MARIADB = this._patterns.MYSQL
-  }
+const patterns = {
+  ANSI: new RegExp( // Default
+    [
+      NUMERIC_LITERAL,
+      STRING_LITERAL,
+      LINE_COMMENT,
+      BLOCK_COMMENT
+    ].join('|'),
+    'gmi'
+  ),
+  MYSQL: new RegExp(
+    [
+      NUMERIC_LITERAL,
+      MYSQL_STRING_LITERAL,
+      LINE_COMMENT,
+      BLOCK_COMMENT
+    ].join('|'),
+    'gmi'
+  ),
+  POSTGRES: new RegExp(
+    [
+      NUMERIC_LITERAL,
+      POSTGRESQL_ESCAPED_LITERAL,
+      STRING_LITERAL,
+      LINE_COMMENT,
+      BLOCK_COMMENT
+    ].join('|'),
+    'gmi'
+  ),
+  ORACLE: new RegExp([
+    NUMERIC_LITERAL,
+    ORACLE_ESCAPED_LITERAL,
+    STRING_LITERAL,
+    LINE_COMMENT,
+    BLOCK_COMMENT
+  ].join('|'),
+  'gmi')
+}
+patterns.SQLITE = patterns.MYSQL
+patterns.MARIADB = patterns.MYSQL
-  extractSensitiveRanges (evidence) {
-    try {
-      let pattern = this._patterns[evidence.dialect]
-      if (!pattern) {
-        pattern = this._patterns['ANSI']
-      }
-      pattern.lastIndex = 0
-      const tokens = []
+module.exports = function extractSensitiveRanges (evidence) {
+  try {
+    let pattern = patterns[evidence.dialect]
+    if (!pattern) {
+      pattern = patterns['ANSI']
+    }
+    pattern.lastIndex = 0
+    const tokens = []
-      let regexResult = pattern.exec(evidence.value)
-      while (regexResult != null) {
-        let start = regexResult.index
-        let end = regexResult.index + regexResult[0].length
-        const startChar = evidence.value.charAt(start)
-        if (startChar === '\'' || startChar === '"') {
-          start++
-          end--
-        } else if (end > start + 1) {
-          const nextChar = evidence.value.charAt(start + 1)
-          if (startChar === '/' && nextChar === '*') {
-            start += 2
-            end -= 2
-          } else if (startChar === '-' && startChar === nextChar) {
-            start += 2
-          } else if (startChar.toLowerCase() === 'q' && nextChar === '\'') {
-            start += 3
-            end -= 2
-          } else if (startChar === '$') {
-            const match = regexResult[0]
-            const size = match.indexOf('$', 1) + 1
-            if (size > 1) {
-              start += size
-              end -= size
-            }
+    let regexResult = pattern.exec(evidence.value)
+    while (regexResult != null) {
+      let start = regexResult.index
+      let end = regexResult.index + regexResult[0].length
+      const startChar = evidence.value.charAt(start)
+      if (startChar === '\'' || startChar === '"') {
+        start++
+        end--
+      } else if (end > start + 1) {
+        const nextChar = evidence.value.charAt(start + 1)
+        if (startChar === '/' && nextChar === '*') {
+          start += 2
+          end -= 2
+        } else if (startChar === '-' && startChar === nextChar) {
+          start += 2
+        } else if (startChar.toLowerCase() === 'q' && nextChar === '\'') {
+          start += 3
+          end -= 2
+        } else if (startChar === '$') {
+          const match = regexResult[0]
+          const size = match.indexOf('$', 1) + 1
+          if (size > 1) {
+            start += size
+            end -= size
           }
         }
-        tokens.push({ start, end })
-        regexResult = pattern.exec(evidence.value)
       }
-      return tokens
-    } catch (e) {
-      iastLog.debug(e)
+      tokens.push({ start, end })
+      regexResult = pattern.exec(evidence.value)
     }
-    return []
+    return tokens
+  } catch (e) {
+    iastLog.debug(e)
   }
+  return []
 }
-module.exports = SqlSensitiveAnalyzer

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/url-sensitive-analyzer.js CHANGED Viewed

@@ -4,46 +4,37 @@ const iastLog = require('../../../iast-log')
 const AUTHORITY = '^(?:[^:]+:)?//([^@]+)@'
 const QUERY_FRAGMENT = '[?#&]([^=&;]+)=([^?#&]+)'
+const pattern = new RegExp([AUTHORITY, QUERY_FRAGMENT].join('|'), 'gmi')
+module.exports = function extractSensitiveRanges (evidence) {
+  try {
+    const ranges = []
+    let regexResult = pattern.exec(evidence.value)
+    while (regexResult != null) {
+      if (typeof regexResult[1] === 'string') {
+        // AUTHORITY regex match always ends by group + @
+        // it means that the match last chars - 1 are always the group
+        const end = regexResult.index + (regexResult[0].length - 1)
+        const start = end - regexResult[1].length
+        ranges.push({ start, end })
+      }
-class UrlSensitiveAnalyzer {
-  constructor () {
-    this._pattern = new RegExp([AUTHORITY, QUERY_FRAGMENT].join('|'), 'gmi')
-  }
-  extractSensitiveRanges (evidence) {
-    try {
-      const pattern = this._pattern
-      const ranges = []
-      let regexResult = pattern.exec(evidence.value)
-      while (regexResult != null) {
-        if (typeof regexResult[1] === 'string') {
-          // AUTHORITY regex match always ends by group + @
-          // it means that the match last chars - 1 are always the group
-          const end = regexResult.index + (regexResult[0].length - 1)
-          const start = end - regexResult[1].length
-          ranges.push({ start, end })
-        }
-        if (typeof regexResult[3] === 'string') {
-          // QUERY_FRAGMENT regex always ends with the group
-          // it means that the match last chars are always the group
-          const end = regexResult.index + regexResult[0].length
-          const start = end - regexResult[3].length
-          ranges.push({ start, end })
-        }
-        regexResult = pattern.exec(evidence.value)
+      if (typeof regexResult[3] === 'string') {
+        // QUERY_FRAGMENT regex always ends with the group
+        // it means that the match last chars are always the group
+        const end = regexResult.index + regexResult[0].length
+        const start = end - regexResult[3].length
+        ranges.push({ start, end })
       }
-      return ranges
-    } catch (e) {
-      iastLog.debug(e)
+      regexResult = pattern.exec(evidence.value)
     }
-    return []
+    return ranges
+  } catch (e) {
+    iastLog.debug(e)
   }
-}
-module.exports = UrlSensitiveAnalyzer
+  return []
+}

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js CHANGED Viewed

@@ -5,11 +5,12 @@ const vulnerabilities = require('../../vulnerabilities')
 const { contains, intersects, remove } = require('./range-utils')
-const CommandSensitiveAnalyzer = require('./sensitive-analyzers/command-sensitive-analyzer')
-const JsonSensitiveAnalyzer = require('./sensitive-analyzers/json-sensitive-analyzer')
-const LdapSensitiveAnalyzer = require('./sensitive-analyzers/ldap-sensitive-analyzer')
-const SqlSensitiveAnalyzer = require('./sensitive-analyzers/sql-sensitive-analyzer')
-const UrlSensitiveAnalyzer = require('./sensitive-analyzers/url-sensitive-analyzer')
+const commandSensitiveAnalyzer = require('./sensitive-analyzers/command-sensitive-analyzer')
+const headerSensitiveAnalyzer = require('./sensitive-analyzers/header-sensitive-analyzer')
+const jsonSensitiveAnalyzer = require('./sensitive-analyzers/json-sensitive-analyzer')
+const ldapSensitiveAnalyzer = require('./sensitive-analyzers/ldap-sensitive-analyzer')
+const sqlSensitiveAnalyzer = require('./sensitive-analyzers/sql-sensitive-analyzer')
+const urlSensitiveAnalyzer = require('./sensitive-analyzers/url-sensitive-analyzer')
 const { DEFAULT_IAST_REDACTION_NAME_PATTERN, DEFAULT_IAST_REDACTION_VALUE_PATTERN } = require('./sensitive-regex')
@@ -21,13 +22,15 @@ class SensitiveHandler {
     this._valuePattern = new RegExp(DEFAULT_IAST_REDACTION_VALUE_PATTERN, 'gmi')
     this._sensitiveAnalyzers = new Map()
-    this._sensitiveAnalyzers.set(vulnerabilities.COMMAND_INJECTION, new CommandSensitiveAnalyzer())
-    this._sensitiveAnalyzers.set(vulnerabilities.NOSQL_MONGODB_INJECTION, new JsonSensitiveAnalyzer())
-    this._sensitiveAnalyzers.set(vulnerabilities.LDAP_INJECTION, new LdapSensitiveAnalyzer())
-    this._sensitiveAnalyzers.set(vulnerabilities.SQL_INJECTION, new SqlSensitiveAnalyzer())
-    const urlSensitiveAnalyzer = new UrlSensitiveAnalyzer()
+    this._sensitiveAnalyzers.set(vulnerabilities.COMMAND_INJECTION, commandSensitiveAnalyzer)
+    this._sensitiveAnalyzers.set(vulnerabilities.NOSQL_MONGODB_INJECTION, jsonSensitiveAnalyzer)
+    this._sensitiveAnalyzers.set(vulnerabilities.LDAP_INJECTION, ldapSensitiveAnalyzer)
+    this._sensitiveAnalyzers.set(vulnerabilities.SQL_INJECTION, sqlSensitiveAnalyzer)
     this._sensitiveAnalyzers.set(vulnerabilities.SSRF, urlSensitiveAnalyzer)
     this._sensitiveAnalyzers.set(vulnerabilities.UNVALIDATED_REDIRECT, urlSensitiveAnalyzer)
+    this._sensitiveAnalyzers.set(vulnerabilities.HEADER_INJECTION, (evidence) => {
+      return headerSensitiveAnalyzer(evidence, this._namePattern, this._valuePattern)
+    })
   }
   isSensibleName (name) {
@@ -47,7 +50,7 @@ class SensitiveHandler {
   scrubEvidence (vulnerabilityType, evidence, sourcesIndexes, sources) {
     const sensitiveAnalyzer = this._sensitiveAnalyzers.get(vulnerabilityType)
     if (sensitiveAnalyzer) {
-      const sensitiveRanges = sensitiveAnalyzer.extractSensitiveRanges(evidence)
+      const sensitiveRanges = sensitiveAnalyzer(evidence)
       return this.toRedactedJson(evidence, sensitiveRanges, sourcesIndexes, sources)
     }
     return null

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/utils.js CHANGED Viewed

@@ -20,7 +20,7 @@ function iterateObject (target, fn, levelKeys = [], depth = 50) {
     fn(val, nextLevelKeys, target, key)
-    if (val !== null && typeof val === 'object') {
+    if (val !== null && typeof val === 'object' && depth > 0) {
       iterateObject(val, fn, nextLevelKeys, depth - 1)
     }
   })

package/packages/dd-trace/src/appsec/iast/vulnerabilities.js CHANGED Viewed

@@ -1,6 +1,7 @@
 module.exports = {
   COMMAND_INJECTION: 'COMMAND_INJECTION',
   HARDCODED_SECRET: 'HARDCODED_SECRET',
+  HEADER_INJECTION: 'HEADER_INJECTION',
   HSTS_HEADER_MISSING: 'HSTS_HEADER_MISSING',
   INSECURE_COOKIE: 'INSECURE_COOKIE',
   LDAP_INJECTION: 'LDAP_INJECTION',
@@ -13,5 +14,6 @@ module.exports = {
   UNVALIDATED_REDIRECT: 'UNVALIDATED_REDIRECT',
   WEAK_CIPHER: 'WEAK_CIPHER',
   WEAK_HASH: 'WEAK_HASH',
+  WEAK_RANDOMNESS: 'WEAK_RANDOMNESS',
   XCONTENTTYPE_HEADER_MISSING: 'XCONTENTTYPE_HEADER_MISSING'
 }