
Conversation

uurien
Collaborator

@uurien uurien commented Jun 21, 2023

What does this PR do?

Reports a vulnerability when it detects that the response doesn't have X-Content-Type-Options or Strict-Transport-Security in HTML content.
Strict-Transport-Security is checked only when the library knows that the response is HTTPS, checking the protocol or the X-Forwarded-Proto header.

Checklist

  • Unit tests.

@uurien uurien changed the title Detect X-Content-Type-Options missing header Detect missing header vulnerabilities Jun 21, 2023
@github-actions

github-actions bot commented Jun 21, 2023

Overall package size

Self size: 4.89 MB
Deduped: 57.99 MB
No deduping: 58.09 MB

Dependency sizes

name version self size total size
@datadog/native-iast-taint-tracking 1.5.0 14.86 MB 14.86 MB
@datadog/native-appsec 3.2.0 13.38 MB 13.39 MB
@datadog/pprof 3.1.0 10.66 MB 11.5 MB
protobufjs 7.2.4 2.74 MB 6.52 MB
@datadog/native-iast-rewriter 2.0.1 2.09 MB 2.1 MB
@opentelemetry/core 1.14.0 872.87 kB 1.47 MB
@datadog/native-metrics 2.0.0 898.77 kB 1.3 MB
@opentelemetry/api 1.4.1 780.32 kB 780.32 kB
msgpack-lite 0.1.26 201.16 kB 281.59 kB
opentracing 0.14.7 194.81 kB 194.81 kB
semver 7.5.3 93.39 kB 123.79 kB
@datadog/sketches-js 2.1.0 109.9 kB 109.9 kB
lodash.sortby 4.7.0 75.76 kB 75.76 kB
lru-cache 7.14.0 74.95 kB 74.95 kB
ipaddr.js 2.0.1 59.52 kB 59.52 kB
int64-buffer 0.1.10 49.18 kB 49.18 kB
ignore 5.2.0 48.87 kB 48.87 kB
import-in-the-middle 1.3.5 34.34 kB 38.81 kB
istanbul-lib-coverage 3.2.0 29.34 kB 29.34 kB
retry 0.10.1 27.44 kB 27.44 kB
lodash.uniq 4.5.0 25.01 kB 25.01 kB
limiter 1.1.5 23.17 kB 23.17 kB
lodash.kebabcase 4.1.1 17.75 kB 17.75 kB
lodash.pick 4.4.0 16.33 kB 16.33 kB
node-abort-controller 3.0.1 14.33 kB 14.33 kB
crypto-randomuuid 1.0.0 11.18 kB 11.18 kB
diagnostics_channel 1.1.0 7.07 kB 7.07 kB
path-to-regexp 0.1.7 6.78 kB 6.78 kB
koalas 1.0.2 6.47 kB 6.47 kB
methods 1.1.2 5.29 kB 5.29 kB
module-details-from-path 1.0.3 4.47 kB 4.47 kB

🤖 This report was automatically generated by heaviest-objects-in-the-universe

@codecov

codecov bot commented Jun 21, 2023

Codecov Report

Merging #3269 (24b41c0) into master (9401a34) will increase coverage by 0.09%.
The diff coverage is 98.36%.

@@            Coverage Diff             @@
##           master    #3269      +/-   ##
==========================================
+ Coverage   84.15%   84.24%   +0.09%     
==========================================
  Files         211      214       +3     
  Lines        8336     8393      +57     
  Branches       33       33              
==========================================
+ Hits         7015     7071      +56     
- Misses       1321     1322       +1     
Impacted Files Coverage Δ
...es/dd-trace/src/appsec/iast/analyzers/analyzers.js 100.00% <ø> (ø)
...ckages/dd-trace/src/appsec/iast/vulnerabilities.js 100.00% <ø> (ø)
...dd-trace/src/appsec/iast/vulnerability-reporter.js 100.00% <ø> (ø)
...c/appsec/iast/analyzers/missing-header-analyzer.js 96.15% <96.15%> (ø)
...sec/iast/analyzers/hsts-header-missing-analyzer.js 100.00% <100.00%> (ø)
...ckages/dd-trace/src/appsec/iast/analyzers/index.js 100.00% <100.00%> (ø)
.../analyzers/xcontenttype-header-missing-analyzer.js 100.00% <100.00%> (ø)
packages/dd-trace/src/appsec/iast/index.js 100.00% <100.00%> (ø)
...src/appsec/iast/vulnerabilities-formatter/index.js 100.00% <100.00%> (ø)


@pr-commenter

pr-commenter bot commented Jun 21, 2023

Benchmarks

Benchmark execution time: 2023-07-17 07:01:35

Comparing candidate commit 24b41c0 in PR branch ugaitz/header-missing-vulnerabilities with baseline commit 9401a34 in branch master.

Found 0 performance improvements and 3 performance regressions! Performance is the same for 471 metrics, 18 unstable metrics.

scenario:plugin-graphql-with-depth-and-collapse-off-18

  • 🟥 max_rss_usage [+142.859KB; +151.509KB] or [+12.083%; +12.815%]

scenario:plugin-graphql-with-depth-off-18

  • 🟥 max_rss_usage [+131.042KB; +150.662KB] or [+15.948%; +18.335%]

scenario:plugin-graphql-with-depth-on-max-18

  • 🟥 max_rss_usage [+105.562KB; +167.066KB] or [+12.716%; +20.125%]

@uurien uurien force-pushed the ugaitz/header-missing-vulnerabilities branch from f8cd75d to fc9da75 Compare June 21, 2023 13:05
@uurien uurien force-pushed the ugaitz/header-missing-vulnerabilities branch from fc9da75 to 0cb164a Compare June 21, 2023 13:22
    super(HSTS_HEADER_MISSING, HSTS_HEADER_NAME)
  }

  _validateRequestAndResponse (req, res) {
    const headerToCheck = res.getHeader(HSTS_HEADER_NAME)

@anderruiz anderruiz Jul 3, 2023


@uurien you did not include the validation for MaxAge. You need to obtain max-age (if not, then it is the same case as not having the header) and then compare it to be not equal to -1 or 0:

// Locate the max-age directive inside the header value.
int i = ivalue.indexOf(MAX_AGE);
if (i != -1) {
    d.existHeader = true;
    int j = ivalue.indexOf('=', i);
    if (j != -1) {
        // The value runs from '=' up to the next ';' or the end of the header.
        int k = ivalue.indexOf(';', j);
        if (k != -1) {
            d.cause = ivalue.substring(j + 1, k);
        } else {
            d.cause = ivalue.substring(j + 1);
        }
    } else {
        // max-age present without a value: treated like an invalid header.
        d.cause = "-1";
    }
}

// The header is acceptable only when max-age exists and is neither -1 nor 0.
public boolean isOk() {
    return existHeader && !"-1".equals(cause) && !"0".equals(cause);
}
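The checks described in the PR description (HTML-only, HSTS only when the response is known to be HTTPS via the socket or X-Forwarded-Proto) together with the max-age validation requested in the review above, as an added stand-alone example; this is not dd-trace-js code, and the function names, the constructed req/res stand-ins and the finding labels are assumptions. It goes slightly beyond the review snippet by also treating a negative or non-numeric max-age as invalid.

```javascript
// Added example, not dd-trace-js code: a minimal missing-header analyzer.
const XCONTENTTYPE_HEADER = 'x-content-type-options'
const HSTS_HEADER = 'strict-transport-security'

// Only HTML responses are analyzed, as the PR description states.
function isHtmlResponse (res) {
  const contentType = res.getHeader('content-type')
  return typeof contentType === 'string' && /^text\/html\b/i.test(contentType)
}

// HTTPS is assumed when the socket is TLS or a proxy says so via X-Forwarded-Proto.
function isHttps (req) {
  if (req.socket && req.socket.encrypted) return true
  const proto = req.headers && req.headers['x-forwarded-proto']
  return typeof proto === 'string' && proto.split(',')[0].trim().toLowerCase() === 'https'
}

// Extract max-age from an HSTS value: undefined when absent, -1 when it has no '='.
function hstsMaxAge (value) {
  if (typeof value !== 'string') return undefined
  for (const directive of value.split(';')) {
    const [name, num] = directive.split('=').map(s => s.trim())
    if (name.toLowerCase() === 'max-age') return num === undefined ? -1 : Number(num)
  }
  return undefined
}

// Per the review comment: the header only counts when max-age is present and
// neither 0 nor -1 (here generalized to "a positive number").
function isHstsValid (value) {
  const maxAge = hstsMaxAge(value)
  return maxAge !== undefined && !Number.isNaN(maxAge) && maxAge > 0
}

// Returns the vulnerability labels to report for one request/response pair.
function analyzeMissingHeaders (req, res) {
  const findings = []
  if (!isHtmlResponse(res)) return findings
  if (res.getHeader(XCONTENTTYPE_HEADER) === undefined) findings.push('XCONTENTTYPE_HEADER_MISSING')
  if (isHttps(req) && !isHstsValid(res.getHeader(HSTS_HEADER))) findings.push('HSTS_HEADER_MISSING')
  return findings
}

// Constructed response stand-in (not a Node http.ServerResponse): case-insensitive getHeader.
function makeRes (headers) {
  const map = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]))
  return { getHeader: name => map[name.toLowerCase()] }
}
```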

@uurien uurien force-pushed the ugaitz/header-missing-vulnerabilities branch 3 times, most recently from 5a8a8dd to 223e114 Compare July 11, 2023 11:02
@uurien uurien marked this pull request as ready for review July 11, 2023 12:35
@uurien uurien requested a review from a team as a code owner July 11, 2023 12:35
@uurien uurien force-pushed the ugaitz/header-missing-vulnerabilities branch from 385287d to 6010dab Compare July 12, 2023 08:41
@uurien uurien force-pushed the ugaitz/header-missing-vulnerabilities branch from 6010dab to 24b41c0 Compare July 17, 2023 06:54
@uurien uurien merged commit 66f1fd3 into master Jul 17, 2023
@uurien uurien deleted the ugaitz/header-missing-vulnerabilities branch July 17, 2023 10:48
szegedi pushed a commit that referenced this pull request Jul 20, 2023
* Detect X-Content-Type-Options missing header

* HSTS Header missing analyzer and refactor of xcontenttype-header-missing-analyzer

* Move function to class method

* use startswith instead of index===0

* Do not send evidence if value is undefined

* Fix comment in PR and add test

* Changes to support telemetry

* Rename method name

* Rename analyzer object key
@szegedi szegedi mentioned this pull request Jul 20, 2023
szegedi pushed a commit that referenced this pull request Jul 20, 2023
@szegedi szegedi mentioned this pull request Jul 20, 2023
szegedi pushed a commit that referenced this pull request Jul 20, 2023
This was referenced Jul 20, 2023
tlhunter pushed a commit that referenced this pull request Jul 21, 2023
tlhunter pushed a commit that referenced this pull request Jul 21, 2023
tlhunter pushed a commit that referenced this pull request Jul 21, 2023
3 participants