Taint request URI

CarlesDD · CarlesDD · commit df272aa3ec26 · 2023-06-28T08:32:05.000+02:00
diff --git a/packages/dd-trace/src/appsec/iast/index.js b/packages/dd-trace/src/appsec/iast/index.js
@@ -54,7 +54,7 @@ function onIncomingHttpRequestStart (data) {
           const iastContext = iastContextFunctions.saveIastContext(store, topContext, { rootSpan, req: data.req })
           createTransaction(rootSpan.context().toSpanId(), iastContext)
           overheadController.initializeRequestContext(iastContext)
-          taintTrackingPlugin.taintHeaders(data.req.headers, iastContext)
+          taintTrackingPlugin.taintRequest(data.req, iastContext)
         }
         if (rootSpan.addTags) {
           rootSpan.addTags({
diff --git a/packages/dd-trace/src/appsec/iast/taint-tracking/origin-types.js b/packages/dd-trace/src/appsec/iast/taint-tracking/origin-types.js
@@ -7,5 +7,6 @@ module.exports = {
   HTTP_REQUEST_HEADER_NAME: 'http.request.header.name',
   HTTP_REQUEST_HEADER_VALUE: 'http.request.header',
   HTTP_REQUEST_PARAMETER: 'http.request.parameter',
+  HTTP_REQUEST_PATH: 'http.request.path',
   HTTP_REQUEST_PATH_PARAM: 'http.request.path.parameter'
 }
diff --git a/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js b/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js
@@ -3,14 +3,15 @@
 const Plugin = require('../../../plugins/plugin')
 const { getIastContext } = require('../iast-context')
 const { storage } = require('../../../../../datadog-core')
-const { taintObject } = require('./operations')
+const { taintObject, newTaintedString } = require('./operations')
 const {
   HTTP_REQUEST_BODY,
   HTTP_REQUEST_COOKIE_VALUE,
   HTTP_REQUEST_COOKIE_NAME,
   HTTP_REQUEST_HEADER_VALUE,
   HTTP_REQUEST_HEADER_NAME,
   HTTP_REQUEST_PARAMETER,
+  HTTP_REQUEST_PATH,
   HTTP_REQUEST_PATH_PARAM
 
 } = require('./origin-types')
@@ -73,6 +74,11 @@ class TaintTrackingPlugin extends Plugin {
     taintObject(iastContext, headers, HTTP_REQUEST_HEADER_VALUE, true, HTTP_REQUEST_HEADER_NAME)
   }
 
+  taintRequest (req, iastContext) {
+    taintObject(iastContext, req.headers, HTTP_REQUEST_HEADER_VALUE, true, HTTP_REQUEST_HEADER_NAME)
+    req.url = newTaintedString(iastContext, req.url, 'req.url', HTTP_REQUEST_PATH)
+  }
+
   enable () {
     this.configure(true)
   }
diff --git a/packages/dd-trace/test/appsec/iast/taint-tracking/plugin.spec.js b/packages/dd-trace/test/appsec/iast/taint-tracking/plugin.spec.js
@@ -7,6 +7,9 @@ const dc = require('../../../../../diagnostics_channel')
 const {
   HTTP_REQUEST_COOKIE_VALUE,
   HTTP_REQUEST_COOKIE_NAME,
+  HTTP_REQUEST_HEADER_NAME,
+  HTTP_REQUEST_HEADER_VALUE,
+  HTTP_REQUEST_PATH,
   HTTP_REQUEST_PATH_PARAM
 } = require('../../../../src/appsec/iast/taint-tracking/origin-types')
 
@@ -227,5 +230,30 @@ describe('IAST Taint tracking plugin', () => {
       processParamsStartCh.publish({ req })
       expect(taintTrackingOperations.taintObject).to.not.be.called
     })
+
+    it('Should taint headers and uri from request', () => {
+      const req = {
+        headers: {
+          'x-iast-header': 'header-value'
+        },
+        url: 'https://testurl'
+      }
+      taintTrackingPlugin.taintRequest(req, iastContext)
+
+      expect(taintTrackingOperations.taintObject).to.be.calledOnceWith(
+        iastContext,
+        req.headers,
+        HTTP_REQUEST_HEADER_VALUE,
+        true,
+        HTTP_REQUEST_HEADER_NAME
+      )
+
+      expect(taintTrackingOperations.newTaintedString).to.be.calledOnceWith(
+        iastContext,
+        req.url,
+        'req.url',
+        HTTP_REQUEST_PATH
+      )
+    })
   })
 })
diff --git a/packages/dd-trace/test/appsec/iast/taint-tracking/sources/taint-tracking.express.plugin.spec.js b/packages/dd-trace/test/appsec/iast/taint-tracking/sources/taint-tracking.express.plugin.spec.js
@@ -9,7 +9,67 @@ const { storage } = require('../../../../../../datadog-core')
 const iast = require('../../../../../src/appsec/iast')
 const iastContextFunctions = require('../../../../../src/appsec/iast/iast-context')
 const { isTainted, getRanges } = require('../../../../../src/appsec/iast/taint-tracking/operations')
-const { HTTP_REQUEST_PATH_PARAM } = require('../../../../../src/appsec/iast/taint-tracking/origin-types')
+const {
+  HTTP_REQUEST_PATH,
+  HTTP_REQUEST_PATH_PARAM
+} = require('../../../../../src/appsec/iast/taint-tracking/origin-types')
+
+describe('Path sourcing with express', () => {
+  let express
+  let appListener
+
+  withVersions('express', 'express', version => {
+    before(() => {
+      return agent.load(['http', 'express'], { client: false })
+    })
+
+    after(() => {
+      return agent.close({ ritmReset: false })
+    })
+
+    beforeEach(() => {
+      iast.enable(new Config({
+        experimental: {
+          iast: {
+            enabled: true,
+            requestSampling: 100
+          }
+        }
+      }))
+
+      express = require(`../../../../../../../versions/express@${version}`).get()
+    })
+
+    afterEach(() => {
+      appListener && appListener.close()
+      appListener = null
+
+      iast.disable()
+    })
+
+    it('should taint path', done => {
+      const app = express()
+      app.get('/path/*', (req, res) => {
+        const store = storage.getStore()
+        const iastContext = iastContextFunctions.getIastContext(store)
+        const isPathTainted = isTainted(iastContext, req.url)
+        expect(isPathTainted).to.be.true
+        const taintedPathValueRanges = getRanges(iastContext, req.url)
+        expect(taintedPathValueRanges[0].iinfo.type).to.be.equal(HTTP_REQUEST_PATH)
+        res.status(200).send()
+      })
+
+      getPort().then(port => {
+        appListener = app.listen(port, 'localhost', () => {
+          axios
+            .get(`http://localhost:${port}/path/vulnearable`)
+            .then(() => done())
+            .catch(done)
+        })
+      })
+    })
+  })
+})
 
 describe('Path params sourcing with express', () => {
   let express

Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ function onIncomingHttpRequestStart (data) {`
`54`	`54`	`const iastContext = iastContextFunctions.saveIastContext(store, topContext, { rootSpan, req: data.req })`
`55`	`55`	`createTransaction(rootSpan.context().toSpanId(), iastContext)`
`56`	`56`	`overheadController.initializeRequestContext(iastContext)`
`57`		`- taintTrackingPlugin.taintHeaders(data.req.headers, iastContext)`
	`57`	`+ taintTrackingPlugin.taintRequest(data.req, iastContext)`
`58`	`58`	`}`
`59`	`59`	`if (rootSpan.addTags) {`
`60`	`60`	`rootSpan.addTags({`
Original file line number	Diff line number	Diff line change
`@@ -7,5 +7,6 @@ module.exports = {`
`7`	`7`	`HTTP_REQUEST_HEADER_NAME: 'http.request.header.name',`
`8`	`8`	`HTTP_REQUEST_HEADER_VALUE: 'http.request.header',`
`9`	`9`	`HTTP_REQUEST_PARAMETER: 'http.request.parameter',`
	`10`	`+ HTTP_REQUEST_PATH: 'http.request.path',`
`10`	`11`	`HTTP_REQUEST_PATH_PARAM: 'http.request.path.parameter'`
`11`	`12`	`}`