Skip to content

Taint request URI #3302

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Jul 17, 2023
Merged

Taint request URI #3302

merged 5 commits into from
Jul 17, 2023

Conversation

CarlesDD
Copy link
Contributor

@CarlesDD CarlesDD commented Jun 28, 2023
edited
Loading

What does this PR do?

Provides a new function in taint tracking to taint all relevant information from request:

  • Request headers (already tainted from previous feature)
  • Request url

Once IAST receives a message from a new request start, these information is tainted.

This PR also adds a check in Unvalidated redirect analyzer in order to not report vulnerability when tainted origins are URL or path parameters.

Motivation

Taint more sources to improve custom code vulnerability detection.
Avoid false positives for Unvalidated redirect vulnerability.

  • Unit tests.

@github-actions
Copy link

github-actions bot commented Jun 28, 2023
edited
Loading

Overall package size

Self size: 4.88 MB
Deduped: 57.86 MB
No deduping: 57.96 MB

Dependency sizes

name version self size total size
@datadog/native-iast-taint-tracking 1.5.0 14.86 MB 14.86 MB
@datadog/native-appsec 3.2.0 13.38 MB 13.39 MB
@datadog/pprof 3.0.0 10.54 MB 11.39 MB
protobufjs 7.2.4 2.74 MB 6.52 MB
@datadog/native-iast-rewriter 2.0.1 2.09 MB 2.1 MB
@opentelemetry/core 1.14.0 872.87 kB 1.47 MB
@datadog/native-metrics 2.0.0 898.77 kB 1.3 MB
@opentelemetry/api 1.4.1 780.32 kB 780.32 kB
msgpack-lite 0.1.26 201.16 kB 281.59 kB
opentracing 0.14.7 194.81 kB 194.81 kB
semver 7.5.3 93.39 kB 123.79 kB
@datadog/sketches-js 2.1.0 109.9 kB 109.9 kB
lodash.sortby 4.7.0 75.76 kB 75.76 kB
lru-cache 7.14.0 74.95 kB 74.95 kB
ipaddr.js 2.0.1 59.52 kB 59.52 kB
int64-buffer 0.1.10 49.18 kB 49.18 kB
ignore 5.2.0 48.87 kB 48.87 kB
import-in-the-middle 1.3.5 34.34 kB 38.81 kB
istanbul-lib-coverage 3.2.0 29.34 kB 29.34 kB
retry 0.10.1 27.44 kB 27.44 kB
lodash.uniq 4.5.0 25.01 kB 25.01 kB
limiter 1.1.5 23.17 kB 23.17 kB
lodash.kebabcase 4.1.1 17.75 kB 17.75 kB
lodash.pick 4.4.0 16.33 kB 16.33 kB
node-abort-controller 3.0.1 14.33 kB 14.33 kB
crypto-randomuuid 1.0.0 11.18 kB 11.18 kB
diagnostics_channel 1.1.0 7.07 kB 7.07 kB
path-to-regexp 0.1.7 6.78 kB 6.78 kB
koalas 1.0.2 6.47 kB 6.47 kB
methods 1.1.2 5.29 kB 5.29 kB
module-details-from-path 1.0.3 4.47 kB 4.47 kB

🤖 This report was automatically generated by heaviest-objects-in-the-universe

@codecov
Copy link

codecov bot commented Jun 28, 2023
edited
Loading

Codecov Report

Merging #3302 (77c7ec9) into master (3a2347c) will increase coverage by 4.01%.
The diff coverage is 97.79%.

@@            Coverage Diff             @@
##           master    #3302      +/-   ##
==========================================
+ Coverage   84.09%   88.10%   +4.01%     
==========================================
  Files         204      207       +3     
  Lines        8017     7855     -162     
  Branches       33       33              
==========================================
+ Hits         6742     6921     +179     
+ Misses       1275      934     -341
Impacted Files Coverage Δ
...ppsec/iast/analyzers/command-injection-analyzer.js 100.00% <ø> (ø)
...c/appsec/iast/analyzers/ldap-injection-analyzer.js 100.00% <ø> (ø)
...d-trace/src/appsec/iast/analyzers/ssrf-analyzer.js 100.00% <ø> (ø)
.../src/appsec/iast/analyzers/weak-cipher-analyzer.js 100.00% <ø> (ø)
...ce/src/appsec/iast/analyzers/weak-hash-analyzer.js 100.00% <ø> (ø)
packages/dd-trace/src/appsec/iast/tags.js 100.00% <ø> (ø)
...race/src/appsec/iast/taint-tracking/csi-methods.js 100.00% <ø> (ø)
...ace/src/appsec/iast/taint-tracking/source-types.js 100.00% <ø> (ø)
...s/dd-trace/src/appsec/iast/telemetry/namespaces.js 89.65% <89.65%> (ø)
...d-trace/src/appsec/iast/taint-tracking/rewriter.js 94.87% <93.75%> (+0.75%) ⬆️
... and 20 more

... and 8 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@CarlesDD CarlesDD force-pushed the ccapell/taint-uri-path branch from 65ebab9 to df272aa Compare June 28, 2023 06:32
@pr-commenter
Copy link

pr-commenter bot commented Jun 28, 2023
edited
Loading

Benchmarks

Benchmark execution time: 2023-07-13 09:41:31

Comparing candidate commit 77c7ec9 in PR branch ccapell/taint-uri-path with baseline commit 3d05ac2 in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 463 metrics, 29 unstable metrics.

@CarlesDD CarlesDD force-pushed the ccapell/taint-uri-path branch from df272aa to 4be651c Compare June 29, 2023 05:45
@CarlesDD CarlesDD marked this pull request as ready for review June 29, 2023 07:35
@CarlesDD CarlesDD requested a review from a team as a code owner June 29, 2023 07:35
@uurien
Copy link
Collaborator

uurien commented Jun 29, 2023

unvalidated redirect analyzer file has a TODO related with this PR.

dd-trace-js/packages/dd-trace/src/appsec/iast/analyzers/unvalidated-redirect-analyzer.js

Line 19 in 27e1530

// And do not report a vulnerability if source of the ranges (range.iinfo.type) are exclusively url or path params

@CarlesDD CarlesDD marked this pull request as draft June 29, 2023 08:01
@CarlesDD CarlesDD force-pushed the ccapell/taint-uri-path branch from b02ff9f to 307d696 Compare June 29, 2023 10:23
@CarlesDD CarlesDD marked this pull request as ready for review June 29, 2023 10:46
@CarlesDD CarlesDD force-pushed the ccapell/taint-uri-path branch from 307d696 to 983992b Compare June 29, 2023 14:19
@CarlesDD CarlesDD force-pushed the ccapell/taint-uri-path branch from 983992b to 6886e18 Compare July 4, 2023 09:33
uurien
uurien previously approved these changes Jul 4, 2023
View reviewed changes
@CarlesDD CarlesDD force-pushed the ccapell/taint-uri-path branch from 6886e18 to 04e4335 Compare July 11, 2023 09:27
@CarlesDD CarlesDD force-pushed the ccapell/taint-uri-path branch from 04e4335 to c33f2e8 Compare July 11, 2023 09:33
uurien
uurien reviewed Jul 13, 2023
View reviewed changes
uurien
uurien previously approved these changes Jul 13, 2023
View reviewed changes
@CarlesDD CarlesDD merged commit 9401a34 into master Jul 17, 2023
szegedi pushed a commit that referenced this pull request Jul 20, 2023
@CarlesDD @szegedi
Taint request URI (#3302)
9ab9872 
* Taint request URI

* Add check for safe tainted origins on unvalidated redirect analyzer

* Change assertion construction for unvalidated redirect analyzer test

* Add metric for uri sourcing

* Fix PR comments
@szegedi szegedi mentioned this pull request Jul 20, 2023
Merged
szegedi pushed a commit that referenced this pull request Jul 20, 2023
@CarlesDD @szegedi
Taint request URI (#3302)
fa35b91 
* Taint request URI

* Add check for safe tainted origins on unvalidated redirect analyzer

* Change assertion construction for unvalidated redirect analyzer test

* Add metric for uri sourcing

* Fix PR comments
@szegedi szegedi mentioned this pull request Jul 20, 2023
Merged
szegedi pushed a commit that referenced this pull request Jul 20, 2023
@CarlesDD @szegedi
Taint request URI (#3302)
917f0e5 
* Taint request URI

* Add check for safe tainted origins on unvalidated redirect analyzer

* Change assertion construction for unvalidated redirect analyzer test

* Add metric for uri sourcing

* Fix PR comments
This was referenced Jul 20, 2023
Closed
Merged
tlhunter pushed a commit that referenced this pull request Jul 21, 2023
@CarlesDD @tlhunter
Taint request URI (#3302)
0d9e81b 
* Taint request URI

* Add check for safe tainted origins on unvalidated redirect analyzer

* Change assertion construction for unvalidated redirect analyzer test

* Add metric for uri sourcing

* Fix PR comments
tlhunter pushed a commit that referenced this pull request Jul 21, 2023
@CarlesDD @tlhunter
Taint request URI (#3302)
b2ffd24 
* Taint request URI

* Add check for safe tainted origins on unvalidated redirect analyzer

* Change assertion construction for unvalidated redirect analyzer test

* Add metric for uri sourcing

* Fix PR comments
tlhunter pushed a commit that referenced this pull request Jul 21, 2023
@CarlesDD @tlhunter
Taint request URI (#3302)
a8b3ddf 
* Taint request URI

* Add check for safe tainted origins on unvalidated redirect analyzer

* Change assertion construction for unvalidated redirect analyzer test

* Add metric for uri sourcing

* Fix PR comments
@tlhunter tlhunter deleted the ccapell/taint-uri-path branch January 19, 2024 22:18
@erikvanbrakel erikvanbrakel mentioned this pull request Jul 5, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@uurien uurien uurien approved these changes

Assignees
No one assigned
Labels
asm-iast semver-minor
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@CarlesDD @uurien