Detect X-Content-Type-Options missing header

Author: uurien

packages/dd-trace/src/appsec/iast/analyzers/analyzers.js

@@ -11,5 +11,6 @@ module.exports = {
   'SSRF': require('./ssrf-analyzer'),
   'UNVALIDATED_REDIRECT_ANALYZER': require('./unvalidated-redirect-analyzer'),
   'WEAK_CIPHER_ANALYZER': require('./weak-cipher-analyzer'),
-  'WEAK_HASH_ANALYZER': require('./weak-hash-analyzer')
+  'WEAK_HASH_ANALYZER': require('./weak-hash-analyzer'),
+  'XCONTENTTYPE_HEADER_MISSING': require('./xcontenttype-header-missing-analyzer')
 }

packages/dd-trace/src/appsec/iast/analyzers/index.js

@@ -3,10 +3,10 @@
 const analyzers = require('./analyzers')
 const setCookiesHeaderInterceptor = require('./set-cookies-header-interceptor')
 
-function enableAllAnalyzers () {
-  setCookiesHeaderInterceptor.configure(true)
+function enableAllAnalyzers (tracerConfig) {
+  setCookiesHeaderInterceptor.configure({ enabled: true, tracerConfig })
   for (const analyzer in analyzers) {
-    analyzers[analyzer].configure(true)
+    analyzers[analyzer].configure({ enabled: true, tracerConfig })
   }
 }
 

packages/dd-trace/src/appsec/iast/analyzers/xcontenttype-header-missing-analyzer.js

@@ -0,0 +1,48 @@
+'use strict'
+
+const Analyzer = require('./vulnerability-analyzer')
+const { XCONTENTTYPE_HEADER_MISSING } = require('../vulnerabilities')
+
+const htmlContentTypes = ['text/html', 'application/xhtml+xml']
+function isResponseHtml (res) {
+  const contentType = res.getHeader('content-type')
+  return contentType && htmlContentTypes.some(htmlContentType => {
+    return htmlContentType === contentType || contentType.indexOf(htmlContentType + ';') === 0
+  })
+}
+
+const XCONTENTTYPEOPTIONS_HEADER_NAME = 'X-Content-Type-Options'
+
+class XcontenttypeHeaderMissingAnalyzer extends Analyzer {
+  constructor () {
+    super(XCONTENTTYPE_HEADER_MISSING)
+
+    this.addSub('datadog:iast:response-end', (data) => this.analyze(data))
+  }
+
+  _isVulnerable ({ req, res }, context) {
+    if (isResponseHtml(res)) {
+      const headerToCheck = res.getHeader(XCONTENTTYPEOPTIONS_HEADER_NAME)
+      return !headerToCheck || headerToCheck.trim().toLowerCase() !== 'nosniff'
+    }
+    return false
+  }
+
+  _getEvidence ({ res }) {
+    return { value: res.getHeader(XCONTENTTYPEOPTIONS_HEADER_NAME) }
+  }
+
+  _getLocation () {
+    return undefined
+  }
+
+  _checkOCE (context) {
+    return true
+  }
+
+  _createHashSource (type, evidence, location) {
+    return `${type}:${this.config.tracerConfig.service}`
+  }
+}
+
+module.exports = new XcontenttypeHeaderMissingAnalyzer()

packages/dd-trace/src/appsec/iast/index.js

@@ -20,9 +20,10 @@ const telemetryLogs = require('./telemetry/logs')
 //  order of the callbacks can be enforce
 const requestStart = dc.channel('dd-trace:incomingHttpRequestStart')
 const requestClose = dc.channel('dd-trace:incomingHttpRequestEnd')
+const iastResponseEnd = dc.channel('datadog:iast:response-end')
 
 function enable (config, _tracer) {
-  enableAllAnalyzers()
+  enableAllAnalyzers(config)
   enableTaintTracking(config.iast)
   requestStart.subscribe(onIncomingHttpRequestStart)
   requestClose.subscribe(onIncomingHttpRequestEnd)
@@ -72,6 +73,8 @@ function onIncomingHttpRequestEnd (data) {
     const topContext = web.getContext(data.req)
     const iastContext = iastContextFunctions.getIastContext(store, topContext)
     if (iastContext && iastContext.rootSpan) {
+      iastResponseEnd.publish(data)
+
       const vulnerabilities = iastContext.vulnerabilities
       const rootSpan = iastContext.rootSpan
       vulnerabilityReporter.sendVulnerabilities(vulnerabilities, rootSpan)

packages/dd-trace/src/appsec/iast/vulnerabilities.js

@@ -9,5 +9,6 @@ module.exports = {
   SSRF: 'SSRF',
   UNVALIDATED_REDIRECT: 'UNVALIDATED_REDIRECT',
   WEAK_CIPHER: 'WEAK_CIPHER',
-  WEAK_HASH: 'WEAK_HASH'
+  WEAK_HASH: 'WEAK_HASH',
+  XCONTENTTYPE_HEADER_MISSING: 'XCONTENTTYPE_HEADER_MISSING'
 }

packages/dd-trace/src/appsec/iast/vulnerability-reporter.js

@@ -28,7 +28,7 @@ function addVulnerability (iastContext, vulnerability) {
 
 function isValidVulnerability (vulnerability) {
   return vulnerability && vulnerability.type &&
-    vulnerability.evidence && vulnerability.evidence.value &&
+    vulnerability.evidence &&
     vulnerability.location && vulnerability.location.spanId
 }
 

packages/dd-trace/test/appsec/iast/analyzers/xcontenttype-header-missing-analyzer.spec.js

@@ -0,0 +1,59 @@
+'use strict'
+
+const { prepareTestServerForIast } = require('../utils')
+const Analyzer = require('../../../../src/appsec/iast/analyzers/vulnerability-analyzer')
+const { XCONTENTTYPE_HEADER_MISSING } = require('../../../../src/appsec/iast/vulnerabilities')
+const analyzer = new Analyzer()
+
+describe('xcontenttype header missing analyzer', () => {
+  it('Expected vulnerability identifier', () => {
+    expect(XCONTENTTYPE_HEADER_MISSING).to.be.equals('XCONTENTTYPE_HEADER_MISSING')
+  })
+
+  prepareTestServerForIast('xcontenttype header missing analyzer',
+    (testThatRequestHasVulnerability, testThatRequestHasNoVulnerability) => {
+      testThatRequestHasVulnerability((req, res) => {
+        res.setHeader('content-type', 'text/html')
+        res.end('<html><body><h1>Test</h1></body></html>')
+      }, XCONTENTTYPE_HEADER_MISSING, 1, function (vulnerabilities) {
+        expect(vulnerabilities[0].evidence.value).to.be.undefined
+        expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('XCONTENTTYPE_HEADER_MISSING:mocha'))
+      })
+
+      testThatRequestHasVulnerability((req, res) => {
+        res.setHeader('content-type', 'text/html;charset=utf-8')
+        res.end('<html><body><h1>Test</h1></body></html>')
+      }, XCONTENTTYPE_HEADER_MISSING, 1, function (vulnerabilities) {
+        expect(vulnerabilities[0].evidence.value).to.be.undefined
+        expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('XCONTENTTYPE_HEADER_MISSING:mocha'))
+      })
+
+      testThatRequestHasVulnerability((req, res) => {
+        res.setHeader('content-type', 'application/xhtml+xml')
+        res.end('<html><body><h1>Test</h1></body></html>')
+      }, XCONTENTTYPE_HEADER_MISSING, 1, function (vulnerabilities) {
+        expect(vulnerabilities[0].evidence.value).to.be.undefined
+        expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('XCONTENTTYPE_HEADER_MISSING:mocha'))
+      })
+
+      testThatRequestHasVulnerability((req, res) => {
+        res.setHeader('content-type', 'text/html')
+        res.setHeader('X-Content-Type-Options', 'whatever')
+        res.end('<html><body><h1>Test</h1></body></html>')
+      }, XCONTENTTYPE_HEADER_MISSING, 1, function (vulnerabilities) {
+        expect(vulnerabilities[0].evidence.value).to.be.equal('whatever')
+        expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('XCONTENTTYPE_HEADER_MISSING:mocha'))
+      })
+
+      testThatRequestHasNoVulnerability((req, res) => {
+        res.setHeader('content-type', 'application/json')
+        res.end('{"key": "test}')
+      }, XCONTENTTYPE_HEADER_MISSING)
+
+      testThatRequestHasNoVulnerability((req, res) => {
+        res.setHeader('content-type', 'text/html')
+        res.setHeader('X-Content-Type-Options', 'nosniff')
+        res.end('{"key": "test}')
+      }, XCONTENTTYPE_HEADER_MISSING)
+    })
+})