dd-trace 5.54.0 → 5.55.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/ci/cypress/plugin.js +8 -0
- package/ci/cypress/polyfills.js +23 -0
- package/ci/init.js +8 -7
- package/initialize.mjs +2 -2
- package/package.json +6 -6
- package/packages/datadog-code-origin/index.js +22 -4
- package/packages/datadog-core/src/utils/src/kebabcase.js +3 -3
- package/packages/datadog-instrumentations/src/cassandra-driver.js +5 -6
- package/packages/datadog-instrumentations/src/confluentinc-kafka-javascript.js +2 -3
- package/packages/datadog-instrumentations/src/cookie-parser.js +1 -1
- package/packages/datadog-instrumentations/src/couchbase.js +3 -6
- package/packages/datadog-instrumentations/src/cucumber.js +21 -28
- package/packages/datadog-instrumentations/src/dns.js +4 -4
- package/packages/datadog-instrumentations/src/elasticsearch.js +9 -10
- package/packages/datadog-instrumentations/src/fastify.js +7 -9
- package/packages/datadog-instrumentations/src/google-cloud-pubsub.js +14 -16
- package/packages/datadog-instrumentations/src/hapi.js +10 -11
- package/packages/datadog-instrumentations/src/helpers/fetch.js +4 -5
- package/packages/datadog-instrumentations/src/helpers/hook.js +1 -2
- package/packages/datadog-instrumentations/src/helpers/register.js +6 -5
- package/packages/datadog-instrumentations/src/jest.js +67 -98
- package/packages/datadog-instrumentations/src/koa.js +2 -3
- package/packages/datadog-instrumentations/src/mariadb.js +11 -4
- package/packages/datadog-instrumentations/src/mocha/main.js +79 -75
- package/packages/datadog-instrumentations/src/mocha.js +3 -1
- package/packages/datadog-instrumentations/src/mysql.js +11 -2
- package/packages/datadog-instrumentations/src/nyc.js +2 -1
- package/packages/datadog-instrumentations/src/openai.js +2 -2
- package/packages/datadog-instrumentations/src/otel-sdk-trace.js +4 -3
- package/packages/datadog-instrumentations/src/pg.js +2 -3
- package/packages/datadog-instrumentations/src/playwright.js +19 -22
- package/packages/datadog-instrumentations/src/protobufjs.js +3 -4
- package/packages/datadog-instrumentations/src/redis.js +1 -1
- package/packages/datadog-instrumentations/src/restify.js +9 -13
- package/packages/datadog-instrumentations/src/router.js +12 -11
- package/packages/datadog-instrumentations/src/tedious.js +1 -2
- package/packages/datadog-instrumentations/src/vitest.js +15 -29
- package/packages/datadog-plugin-avsc/src/schema_iterator.js +12 -12
- package/packages/datadog-plugin-aws-sdk/src/base.js +12 -8
- package/packages/datadog-plugin-aws-sdk/src/services/cloudwatchlogs.js +3 -5
- package/packages/datadog-plugin-aws-sdk/src/services/dynamodb.js +12 -20
- package/packages/datadog-plugin-aws-sdk/src/services/kinesis.js +4 -5
- package/packages/datadog-plugin-aws-sdk/src/services/lambda.js +3 -5
- package/packages/datadog-plugin-aws-sdk/src/services/redshift.js +3 -5
- package/packages/datadog-plugin-aws-sdk/src/services/s3.js +3 -5
- package/packages/datadog-plugin-aws-sdk/src/services/sns.js +1 -2
- package/packages/datadog-plugin-aws-sdk/src/services/sqs.js +7 -10
- package/packages/datadog-plugin-cucumber/src/index.js +3 -2
- package/packages/datadog-plugin-cypress/src/cypress-plugin.js +2 -1
- package/packages/datadog-plugin-dd-trace-api/src/index.js +2 -1
- package/packages/datadog-plugin-elasticsearch/src/index.js +1 -1
- package/packages/datadog-plugin-google-cloud-vertexai/src/tracing.js +1 -1
- package/packages/datadog-plugin-graphql/src/index.js +3 -2
- package/packages/datadog-plugin-graphql/src/resolve.js +17 -10
- package/packages/datadog-plugin-http/src/client.js +5 -6
- package/packages/datadog-plugin-http2/src/client.js +7 -8
- package/packages/datadog-plugin-jest/src/index.js +3 -2
- package/packages/datadog-plugin-mocha/src/index.js +6 -1
- package/packages/datadog-plugin-mongodb-core/src/index.js +2 -1
- package/packages/datadog-plugin-mysql/src/index.js +11 -0
- package/packages/datadog-plugin-next/src/index.js +1 -1
- package/packages/datadog-plugin-openai/src/tracing.js +2 -4
- package/packages/datadog-plugin-playwright/src/index.js +3 -2
- package/packages/datadog-plugin-protobufjs/src/schema_iterator.js +8 -9
- package/packages/datadog-plugin-redis/src/index.js +1 -3
- package/packages/datadog-plugin-vitest/src/index.js +5 -4
- package/packages/dd-trace/src/appsec/iast/analyzers/analyzers.js +0 -1
- package/packages/dd-trace/src/appsec/iast/analyzers/hardcoded-password-rules.js +0 -1
- package/packages/dd-trace/src/appsec/iast/analyzers/hardcoded-secret-rules.js +0 -1
- package/packages/dd-trace/src/appsec/iast/analyzers/hardcoded-secrets-rules.js +0 -1
- package/packages/dd-trace/src/appsec/iast/analyzers/missing-header-analyzer.js +1 -2
- package/packages/dd-trace/src/appsec/iast/security-controls/index.js +11 -12
- package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js +1 -1
- package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter.js +2 -1
- package/packages/dd-trace/src/appsec/iast/telemetry/span-tags.js +1 -1
- package/packages/dd-trace/src/appsec/iast/telemetry/verbosity.js +1 -2
- package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/range-utils.js +10 -11
- package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js +0 -4
- package/packages/dd-trace/src/appsec/iast/vulnerabilities.js +0 -1
- package/packages/dd-trace/src/appsec/index.js +4 -4
- package/packages/dd-trace/src/appsec/reporter.js +5 -7
- package/packages/dd-trace/src/appsec/sdk/set_user.js +2 -2
- package/packages/dd-trace/src/appsec/sdk/track_event.js +3 -3
- package/packages/dd-trace/src/appsec/telemetry/index.js +31 -1
- package/packages/dd-trace/src/appsec/waf/waf_context_wrapper.js +6 -2
- package/packages/dd-trace/src/azure_metadata.js +8 -3
- package/packages/dd-trace/src/ci-visibility/dynamic-instrumentation/index.js +8 -7
- package/packages/dd-trace/src/ci-visibility/early-flake-detection/get-known-tests.js +2 -1
- package/packages/dd-trace/src/ci-visibility/exporters/agentless/coverage-writer.js +2 -1
- package/packages/dd-trace/src/ci-visibility/exporters/agentless/di-logs-writer.js +2 -1
- package/packages/dd-trace/src/ci-visibility/exporters/agentless/writer.js +2 -1
- package/packages/dd-trace/src/ci-visibility/exporters/git/git_metadata.js +4 -3
- package/packages/dd-trace/src/ci-visibility/exporters/test-worker/index.js +7 -6
- package/packages/dd-trace/src/ci-visibility/intelligent-test-runner/get-skippable-suites.js +2 -1
- package/packages/dd-trace/src/ci-visibility/log-submission/log-submission-plugin.js +4 -3
- package/packages/dd-trace/src/ci-visibility/requests/get-library-configuration.js +4 -3
- package/packages/dd-trace/src/ci-visibility/test-management/get-test-management-tests.js +2 -1
- package/packages/dd-trace/src/config-helper.js +89 -0
- package/packages/dd-trace/src/config.js +77 -78
- package/packages/dd-trace/src/config_stable.js +7 -4
- package/packages/dd-trace/src/datastreams/fnv.js +1 -1
- package/packages/dd-trace/src/datastreams/schemas/schema_builder.js +6 -6
- package/packages/dd-trace/src/debugger/devtools_client/breakpoints.js +1 -2
- package/packages/dd-trace/src/debugger/devtools_client/condition.js +1 -2
- package/packages/dd-trace/src/debugger/devtools_client/index.js +2 -1
- package/packages/dd-trace/src/debugger/devtools_client/send.js +3 -2
- package/packages/dd-trace/src/debugger/devtools_client/snapshot/collector.js +1 -2
- package/packages/dd-trace/src/debugger/devtools_client/snapshot/processor.js +3 -4
- package/packages/dd-trace/src/debugger/devtools_client/snapshot/redaction.js +1 -1
- package/packages/dd-trace/src/debugger/index.js +1 -0
- package/packages/dd-trace/src/dogstatsd.js +2 -2
- package/packages/dd-trace/src/encode/0.4.js +5 -2
- package/packages/dd-trace/src/encode/0.5.js +3 -5
- package/packages/dd-trace/src/encode/agentless-ci-visibility.js +5 -5
- package/packages/dd-trace/src/exporter.js +2 -1
- package/packages/dd-trace/src/exporters/common/docker.js +3 -2
- package/packages/dd-trace/src/exporters/common/request.js +4 -1
- package/packages/dd-trace/src/exporters/common/util.js +3 -1
- package/packages/dd-trace/src/id.js +3 -3
- package/packages/dd-trace/src/index.js +4 -3
- package/packages/dd-trace/src/lambda/handler.js +2 -1
- package/packages/dd-trace/src/lambda/index.js +2 -1
- package/packages/dd-trace/src/lambda/runtime/patch.js +3 -2
- package/packages/dd-trace/src/lambda/runtime/ritm.js +3 -2
- package/packages/dd-trace/src/llmobs/constants/tags.js +1 -0
- package/packages/dd-trace/src/llmobs/index.js +21 -5
- package/packages/dd-trace/src/llmobs/noop.js +18 -20
- package/packages/dd-trace/src/llmobs/plugins/langchain/handlers/index.js +11 -13
- package/packages/dd-trace/src/llmobs/plugins/openai.js +1 -2
- package/packages/dd-trace/src/llmobs/sdk.js +2 -1
- package/packages/dd-trace/src/llmobs/span_processor.js +1 -1
- package/packages/dd-trace/src/llmobs/tagger.js +19 -6
- package/packages/dd-trace/src/llmobs/writers/base.js +1 -1
- package/packages/dd-trace/src/log/index.js +5 -4
- package/packages/dd-trace/src/log/writer.js +1 -2
- package/packages/dd-trace/src/msgpack/encoder.js +3 -3
- package/packages/dd-trace/src/noop/span.js +1 -1
- package/packages/dd-trace/src/opentelemetry/tracer.js +1 -1
- package/packages/dd-trace/src/opentracing/propagation/log.js +4 -5
- package/packages/dd-trace/src/opentracing/propagation/text_map.js +17 -18
- package/packages/dd-trace/src/opentracing/span.js +7 -6
- package/packages/dd-trace/src/payload-tagging/config/index.js +17 -21
- package/packages/dd-trace/src/plugin_manager.js +4 -3
- package/packages/dd-trace/src/plugins/ci_plugin.js +25 -1
- package/packages/dd-trace/src/plugins/plugin.js +1 -1
- package/packages/dd-trace/src/plugins/util/ci.js +7 -7
- package/packages/dd-trace/src/plugins/util/git.js +1 -1
- package/packages/dd-trace/src/plugins/util/llm.js +2 -2
- package/packages/dd-trace/src/plugins/util/stacktrace.js +8 -1
- package/packages/dd-trace/src/plugins/util/test.js +4 -3
- package/packages/dd-trace/src/plugins/util/user-provided-git.js +2 -1
- package/packages/dd-trace/src/plugins/util/web.js +3 -4
- package/packages/dd-trace/src/priority_sampler.js +46 -35
- package/packages/dd-trace/src/profiling/config.js +12 -32
- package/packages/dd-trace/src/profiling/exporter_cli.js +20 -20
- package/packages/dd-trace/src/profiling/exporters/agent.js +1 -1
- package/packages/dd-trace/src/profiling/exporters/event_serializer.js +2 -1
- package/packages/dd-trace/src/profiling/index.js +2 -1
- package/packages/dd-trace/src/profiling/profiler.js +7 -4
- package/packages/dd-trace/src/profiling/ssi-telemetry-mock-profiler.js +3 -1
- package/packages/dd-trace/src/profiling/tagger.js +22 -12
- package/packages/dd-trace/src/proxy.js +2 -1
- package/packages/dd-trace/src/ritm.js +4 -4
- package/packages/dd-trace/src/runtime_metrics/runtime_metrics.js +3 -2
- package/packages/dd-trace/src/sampler.js +10 -2
- package/packages/dd-trace/src/serverless.js +11 -4
- package/packages/dd-trace/src/span_processor.js +2 -1
- package/packages/dd-trace/src/standalone/tracesource.js +1 -2
- package/packages/dd-trace/src/standalone/tracesource_priority_sampler.js +1 -2
- package/packages/dd-trace/src/startup-log.js +5 -17
- package/packages/dd-trace/src/supported-configurations.json +439 -0
- package/packages/dd-trace/src/telemetry/dependencies.js +62 -57
- package/packages/dd-trace/src/telemetry/send-data.js +7 -6
- package/packages/dd-trace/src/telemetry/telemetry.js +12 -25
- package/packages/dd-trace/src/tracer.js +3 -7
- package/packages/dd-trace/src/util.js +0 -5
- package/packages/dd-trace/src/appsec/iast/analyzers/header-injection-analyzer.js +0 -120
- package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/header-sensitive-analyzer.js +0 -20
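--- a/package/packages/dd-trace/src/telemetry/telemetry.js
+++ b/package/packages/dd-trace/src/telemetry/telemetry.js
@@ -22,7 +22,7 @@ let heartbeatTimeout
 let heartbeatInterval
 let extendedInterval
 let integrations
-
+const configWithOrigin = new Map()
 let retryData = null
 const extendedHeartbeatPayload = {}
 
@@ -113,7 +113,7 @@ function getInstallSignature (config) {
 function appStarted (config) {
   const app = {
     products: getProducts(config),
-    configuration: configWithOrigin
+    configuration: [...configWithOrigin.values()]
   }
   const installSignature = getInstallSignature(config)
   if (installSignature) {
@@ -282,7 +282,7 @@ function stop () {
 }
 
 function updateIntegrations () {
-  if (!config
+  if (!config?.telemetry.enabled) {
     return
   }
   const integrations = getIntegrations()
@@ -322,6 +322,8 @@ const nameMapping = {
   traceId128BitLoggingEnabled: 'DD_TRACE_128_BIT_TRACEID_LOGGING_ENABLED'
 }
 
+const namesNeedFormatting = new Set(['DD_TAGS', 'peerServiceMapping', 'serviceMapping'])
+
 function updateConfig (changes, config) {
   if (!config.telemetry.enabled) return
   if (changes.length === 0) return
@@ -331,15 +333,11 @@ function updateConfig (changes, config) {
   const application = createAppObject(config)
   const host = createHostObject()
 
-  const
-
-  const configuration = []
-  const names = [] // list of config names whose values have been changed
+  const changed = configWithOrigin.size > 0
 
   for (const change of changes) {
     const name = nameMapping[change.name] || change.name
 
-    names.push(name)
     const { origin, value } = change
     const entry = { name, value, origin }
 
@@ -354,21 +352,15 @@ function updateConfig (changes, config) {
     } else if (Array.isArray(entry.value)) {
       entry.value = value.join(',')
     }
-
-  }
-
-  function isNotModified (entry) {
-    return !names.includes(entry.name)
+    configWithOrigin.set(name, entry)
   }
 
-  if (
+  if (changed) {
     // update configWithOrigin to contain up-to-date full list of config values for app-extended-heartbeat
-
-
-
+    const { reqType, payload } = createPayload('app-client-configuration-change', {
+      configuration: [...configWithOrigin.values()]
+    })
     sendData(config, application, host, reqType, payload, updateRetryData)
-  } else {
-    configWithOrigin = configuration
   }
 }
 
@@ -376,12 +368,7 @@ function profilingEnabledToBoolean (profilingEnabled) {
   if (typeof profilingEnabled === 'boolean') {
     return profilingEnabled
   }
-
-    return true
-  }
-  if (profilingEnabled === 'false') {
-    return false
-  }
+  return profilingEnabled === 'true' || profilingEnabled === 'auto'
 }
 
 module.exports = {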
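Review bot: The comment `// update configWithOrigin to contain up-to-date full list of config values for app-extended-heartbeat` inside `if (changed)` is now stale: the map is populated unconditionally by `configWithOrigin.set(name, entry)` in the loop above, and the guarded block only builds and sends the `app-client-configuration-change` payload. Suggest replacing it with `// first call only seeds the app-started config; later calls report the full, up-to-date list as a configuration change`. The flag `changed` describes whether the map was non-empty before this call, not whether any entry differs from its previous value, so a name like `hadPriorConfig` would read closer to what is actually tested. Note also that the change event now carries every entry of the map rather than only the entries in `changes`; the removed `names`/`isNotModified` bookkeeping suggests the previous payload was a delta, so if the full-list behaviour is intentional it deserves a one-line comment for consumers of that telemetry event.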
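--- a/package/packages/dd-trace/src/tracer.js
+++ b/package/packages/dd-trace/src/tracer.js
@@ -46,9 +46,7 @@ class DatadogTracer extends Tracer {
   }
 
   trace (name, options, fn) {
-    options =
-      childOf: this.scope().active()
-    }, options)
+    options = { childOf: this.scope().active(), ...options }
 
     const span = this.startSpan(name, options)
 
@@ -76,9 +74,8 @@ class DatadogTracer extends Tracer {
             throw err
           }
         )
-      } else {
-        span.finish()
       }
+      span.finish()
 
       return result
     } catch (e) {
@@ -110,9 +107,8 @@ class DatadogTracer extends Tracer {
 
           return fn.apply(this, arguments)
         })
-      } else {
-        return tracer.trace(name, optionsObj, () => fn.apply(this, arguments))
       }
+      return tracer.trace(name, optionsObj, () => fn.apply(this, arguments))
     }
   }
 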
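--- a/package/packages/dd-trace/src/util.js
+++ b/package/packages/dd-trace/src/util.js
@@ -69,10 +69,6 @@ function calculateDDBasePath (dirname) {
   return dirSteps.slice(0, packagesIndex + 1).join(path.sep) + path.sep
 }
 
-function hasOwn (object, prop) {
-  return Object.prototype.hasOwnProperty.call(object, prop)
-}
-
 function normalizeProfilingEnabledValue (configValue) {
   return isTrue(configValue)
     ? 'true'
@@ -87,6 +83,5 @@ module.exports = {
   isError,
   globMatch,
   ddBasePath: calculateDDBasePath(__dirname),
-  hasOwn,
   normalizeProfilingEnabledValue
 }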
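--- a/package/packages/dd-trace/src/appsec/iast/analyzers/header-injection-analyzer.js
+++ /dev/null
@@ -1,120 +0,0 @@
-'use strict'
-
-const InjectionAnalyzer = require('./injection-analyzer')
-const { HEADER_INJECTION } = require('../vulnerabilities')
-const { getNodeModulesPaths } = require('../path-line')
-const { HEADER_NAME_VALUE_SEPARATOR } = require('../vulnerabilities-formatter/constants')
-const { getRanges } = require('../taint-tracking/operations')
-const {
-  HTTP_REQUEST_COOKIE_VALUE,
-  HTTP_REQUEST_HEADER_VALUE
-} = require('../taint-tracking/source-types')
-
-const EXCLUDED_PATHS = getNodeModulesPaths('express')
-const EXCLUDED_HEADER_NAMES = new Set([
-  'location',
-  'sec-websocket-location',
-  'sec-websocket-accept',
-  'upgrade',
-  'connection'
-])
-
-class HeaderInjectionAnalyzer extends InjectionAnalyzer {
-  constructor () {
-    super(HEADER_INJECTION)
-  }
-
-  onConfigure () {
-    this.addSub('datadog:http:server:response:set-header:finish', ({ name, value }) => {
-      if (Array.isArray(value)) {
-        for (const headerValue of value) {
-          this.analyze({ name, value: headerValue })
-        }
-      } else {
-        this.analyze({ name, value })
-      }
-    })
-  }
-
-  _isVulnerable ({ name, value }, iastContext) {
-    const lowerCasedHeaderName = name?.trim().toLowerCase()
-
-    if (this.isExcludedHeaderName(lowerCasedHeaderName) || typeof value !== 'string') return
-
-    const ranges = getRanges(iastContext, value)
-    return ranges?.length > 0 && !this.shouldIgnoreHeader(lowerCasedHeaderName, ranges)
-  }
-
-  _getEvidence (headerInfo, iastContext) {
-    const prefix = headerInfo.name + HEADER_NAME_VALUE_SEPARATOR
-    const prefixLength = prefix.length
-
-    const evidence = super._getEvidence(headerInfo.value, iastContext)
-    evidence.value = prefix + evidence.value
-    evidence.ranges = evidence.ranges.map(range => {
-      return {
-        ...range,
-        start: range.start + prefixLength,
-        end: range.end + prefixLength
-      }
-    })
-
-    return evidence
-  }
-
-  isExcludedHeaderName (name) {
-    return EXCLUDED_HEADER_NAMES.has(name)
-  }
-
-  isAllRangesFromHeader (ranges, headerName) {
-    return ranges
-      .every(range =>
-        range.iinfo.type === HTTP_REQUEST_HEADER_VALUE && range.iinfo.parameterName?.toLowerCase() === headerName
-      )
-  }
-
-  isAllRangesFromSource (ranges, source) {
-    return ranges
-      .every(range => range.iinfo.type === source)
-  }
-
-  /**
-   * Exclude access-control-allow-*: when the header starts with access-control-allow- and the
-   * source of the tainted range is a request header
-   */
-  isAccessControlAllowExclusion (name, ranges) {
-    if (name?.startsWith('access-control-allow-')) {
-      return this.isAllRangesFromSource(ranges, HTTP_REQUEST_HEADER_VALUE)
-    }
-
-    return false
-  }
-
-  /** Exclude when the header is reflected from the request */
-  isSameHeaderExclusion (name, ranges) {
-    return ranges.length === 1 && name === ranges[0].iinfo.parameterName?.toLowerCase()
-  }
-
-  shouldIgnoreHeader (headerName, ranges) {
-    switch (headerName) {
-      case 'set-cookie':
-        /** Exclude set-cookie header if the source of all the tainted ranges are cookies */
-        return this.isAllRangesFromSource(ranges, HTTP_REQUEST_COOKIE_VALUE)
-      case 'pragma':
-        /** Ignore pragma headers when the source is the cache control header. */
-        return this.isAllRangesFromHeader(ranges, 'cache-control')
-      case 'transfer-encoding':
-      case 'content-encoding':
-        /** Ignore transfer and content encoding headers when the source is the accept encoding header. */
-        return this.isAllRangesFromHeader(ranges, 'accept-encoding')
-    }
-
-    return this.isAccessControlAllowExclusion(headerName, ranges) || this.isSameHeaderExclusion(headerName, ranges)
-  }
-
-  _getExcludedPaths () {
-    return EXCLUDED_PATHS
-  }
-}
-
-module.exports = new HeaderInjectionAnalyzer()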
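--- a/package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/header-sensitive-analyzer.js
+++ /dev/null
@@ -1,20 +0,0 @@
-'use strict'
-
-const { HEADER_NAME_VALUE_SEPARATOR } = require('../../constants')
-
-module.exports = function extractSensitiveRanges (evidence, namePattern, valuePattern) {
-  const evidenceValue = evidence.value
-  const sections = evidenceValue.split(HEADER_NAME_VALUE_SEPARATOR)
-  const headerName = sections[0]
-  const headerValue = sections.slice(1).join(HEADER_NAME_VALUE_SEPARATOR)
-  namePattern.lastIndex = 0
-  valuePattern.lastIndex = 0
-  if (namePattern.test(headerName) || valuePattern.test(headerValue)) {
-    return [{
-      start: headerName.length + HEADER_NAME_VALUE_SEPARATOR.length,
-      end: evidenceValue.length
-    }]
-  }
-
-  return []
-}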