Fix comment in PR and add test

uurien · uurien · commit b391ad0023be · 2023-07-11T12:54:44.000+02:00
diff --git a/packages/dd-trace/src/appsec/iast/analyzers/hsts-header-missing-analyzer.js b/packages/dd-trace/src/appsec/iast/analyzers/hsts-header-missing-analyzer.js
@@ -4,14 +4,37 @@ const { HSTS_HEADER_MISSING } = require('../vulnerabilities')
 const { MissingHeaderAnalyzer } = require('./missing-header-analyzer')
 
 const HSTS_HEADER_NAME = 'Strict-Transport-Security'
-
+const HEADER_VALID_PREFIX = 'max-age'
 class HstsHeaderMissingAnalyzer extends MissingHeaderAnalyzer {
   constructor () {
     super(HSTS_HEADER_MISSING, HSTS_HEADER_NAME)
   }
   _validateRequestAndResponse (req, res) {
     const headerToCheck = res.getHeader(HSTS_HEADER_NAME)
-    return !headerToCheck && this._isHttpsProtocol(req)
+    return !this._isHeaderValid(headerToCheck) && this._isHttpsProtocol(req)
+  }
+
+  _isHeaderValid (headerValue) {
+    if (!headerValue) {
+      return false
+    }
+    headerValue = headerValue.trim()
+
+    if (!headerValue.startsWith(HEADER_VALID_PREFIX)) {
+      return false
+    }
+
+    const semicolonIndex = headerValue.indexOf(';')
+    let timestampString
+    if (semicolonIndex > -1) {
+      timestampString = headerValue.substring(HEADER_VALID_PREFIX.length + 1, semicolonIndex)
+    } else {
+      timestampString = headerValue.substring(HEADER_VALID_PREFIX.length + 1)
+    }
+
+    const timestamp = parseInt(timestampString)
+    // eslint-disable-next-line eqeqeq
+    return timestamp == timestampString && timestamp > 0
   }
 
   _isHttpsProtocol (req) {
diff --git a/packages/dd-trace/test/appsec/iast/analyzers/hsts-header-missing-analyzer.spec.js b/packages/dd-trace/test/appsec/iast/analyzers/hsts-header-missing-analyzer.spec.js
@@ -44,6 +44,33 @@ describe('hsts header missing analyzer', () => {
         expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('HSTS_HEADER_MISSING:mocha'))
       }, makeRequestWithXFordwardedProtoHeader)
 
+      testThatRequestHasVulnerability((req, res) => {
+        res.setHeader('content-type', 'text/html')
+        res.setHeader('Strict-Transport-Security', 'max-age=-100')
+        res.end('<html><body><h1>Test</h1></body></html>')
+      }, HSTS_HEADER_MISSING, 1, function (vulnerabilities) {
+        expect(vulnerabilities[0].evidence.value).to.be.equal('max-age=-100')
+        expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('HSTS_HEADER_MISSING:mocha'))
+      }, makeRequestWithXFordwardedProtoHeader)
+
+      testThatRequestHasVulnerability((req, res) => {
+        res.setHeader('content-type', 'text/html')
+        res.setHeader('Strict-Transport-Security', 'max-age=-100; includeSubDomains')
+        res.end('<html><body><h1>Test</h1></body></html>')
+      }, HSTS_HEADER_MISSING, 1, function (vulnerabilities) {
+        expect(vulnerabilities[0].evidence.value).to.be.equal('max-age=-100; includeSubDomains')
+        expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('HSTS_HEADER_MISSING:mocha'))
+      }, makeRequestWithXFordwardedProtoHeader)
+
+      testThatRequestHasVulnerability((req, res) => {
+        res.setHeader('content-type', 'text/html')
+        res.setHeader('Strict-Transport-Security', 'invalid')
+        res.end('<html><body><h1>Test</h1></body></html>')
+      }, HSTS_HEADER_MISSING, 1, function (vulnerabilities) {
+        expect(vulnerabilities[0].evidence.value).to.be.equal('invalid')
+        expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('HSTS_HEADER_MISSING:mocha'))
+      }, makeRequestWithXFordwardedProtoHeader)
+
       testThatRequestHasNoVulnerability((req, res) => {
         res.setHeader('content-type', 'application/json')
         res.end('{"key": "test}')
@@ -54,5 +81,23 @@ describe('hsts header missing analyzer', () => {
         res.setHeader('Strict-Transport-Security', 'max-age=100')
         res.end('{"key": "test}')
       }, HSTS_HEADER_MISSING, makeRequestWithXFordwardedProtoHeader)
+
+      testThatRequestHasNoVulnerability((req, res) => {
+        res.setHeader('content-type', 'text/html')
+        res.setHeader('Strict-Transport-Security', '  max-age=100  ')
+        res.end('{"key": "test}')
+      }, HSTS_HEADER_MISSING, makeRequestWithXFordwardedProtoHeader)
+
+      testThatRequestHasNoVulnerability((req, res) => {
+        res.setHeader('content-type', 'text/html')
+        res.setHeader('Strict-Transport-Security', 'max-age=100;includeSubDomains')
+        res.end('{"key": "test}')
+      }, HSTS_HEADER_MISSING, makeRequestWithXFordwardedProtoHeader)
+
+      testThatRequestHasNoVulnerability((req, res) => {
+        res.setHeader('content-type', 'text/html')
+        res.setHeader('Strict-Transport-Security', 'max-age=100   ;includeSubDomains')
+        res.end('{"key": "test}')
+      }, HSTS_HEADER_MISSING, makeRequestWithXFordwardedProtoHeader)
     })
 })
