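//IASTIGNORE
/*
 * ****************************************************
 * Licensed Materials - Property of HCL.
 * (c) Copyright HCL Technologies Ltd. 2017, 2025.
 * Note to U.S. Government Users *Restricted Rights.
 * ****************************************************
 */
'use strict'
const {DastRequestData, Phase} = require("./DastRequestData");
const {Entity, EntityType} = require("../Entity");
const {AttackInfo} = require("./AttackInfo");
const {Vulnerability} = require("../TaintTracker");

// Name of the request header carrying the DAST scanner's JSON payload, and the
// prefix of the response headers the agent answers with.
const APPSCAN_HEADER_NAME_REQUEST = "x-appscan-iast-req";
const APPSCAN_HEADER_NAME_RESPONSE = "x-appscan-iast-res-";

// Keys of the (URL-encoded) JSON object carried in the request header.
const PHASE = "phase";
const ENTITY_NAME = "name";
const ENTITY_TYPE = "type";
const ENTITY = "entity";
const ATTACK_INFO = "attackInfo";
const VULNERABILITY = "vulnerability";
const MAX_HEADER_LENGTH_KB = "maxHeaderLengthKb";

// Values of the "phase" key understood by parse().
const EXPLORE = "explore";
const TEST = "test";

// Own-property test that does not depend on the parsed object's own
// `hasOwnProperty` member: the header is attacker-controlled, so the JSON may
// itself contain a "hasOwnProperty" key, which would make
// `jsonHeader.hasOwnProperty(...)` throw a TypeError.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

/**
 * Decodes the x-appscan-iast-req header sent by the DAST scanner into a
 * DastRequestData describing the current scan phase, the entity under test
 * and the attack category being exercised.
 *
 * The header arrives from the network, so every field is treated as
 * untrusted: missing or malformed fields degrade to empty/null values instead
 * of crashing the request, except for the decoding steps documented on
 * parse() (URI decoding and JSON parsing), which still throw.
 */
class DastHeaderParser {

  /**
   * Builds the lookup table from DAST attack category names to the set of
   * IAST Vulnerability kinds they correspond to, and stores it on
   * DastHeaderParser.dastToIastVulnerabilitiesMap.
   *
   * Several DAST categories (e.g. catOSCommanding, catInformationLeakage)
   * fan out to multiple IAST vulnerability kinds; two categories
   * (catXMLExternalEntities, catXMLInjection) map to the same kind.
   */
  static initializeDastIastVulnerabilitiesMap() {
    const map = new Map();
    const add = (key, vulnerabilities) =>
      DastHeaderParser.addEntryToDastVulnerabilityMap(map, key, vulnerabilities);

    add("catCrossSiteScripting", [Vulnerability.XSS]);
    add("catSQLInjection", [Vulnerability.SQL_INJECTION]);
    add("catXPathInjection", [Vulnerability.XPATH_INJECTION]);
    add("catPathTraversal", [Vulnerability.PATH_TRAVERSAL]);
    add("catSessionFixation", [Vulnerability.SESSION_FIXATION]);
    add("catCrossSiteRequestForgery", [Vulnerability.CSRF]);
    add("catOSCommanding", [
      Vulnerability.COMMAND_INJECTION,
      Vulnerability.COMMAND_INJECTION_BASH,
      Vulnerability.COMMAND_INJECTION_CMD,
      Vulnerability.COMMAND_INJECTION_POWERSHELL,
      Vulnerability.COMMAND_INJECTION_ENV,
    ]);
    add("catLDAPInjection", [Vulnerability.LDAP_INJECTION]);
    add("catXMLExternalEntities", [Vulnerability.XXE]);
    add("catXMLInjection", [Vulnerability.XXE]);
    add("catInformationLeakage", [
      Vulnerability.SECURE_COOKIE,
      Vulnerability.HTTPONLY_COOKIE,
      Vulnerability.PASSWORD_LEAKAGE,
      Vulnerability.SERVER_HEADER,
      Vulnerability.XPOWEREDBY_HEADER,
    ]);

    DastHeaderParser.dastToIastVulnerabilitiesMap = map;
  }

  /**
   * Stores `vulnerabilities` under `key` in `map` as a Set.
   * @param {Map<string, Set<*>>} map - table being populated
   * @param {string} key - DAST category name
   * @param {Array<*>} vulnerabilities - IAST Vulnerability kinds for that category
   */
  static addEntryToDastVulnerabilityMap(map, key, vulnerabilities) {
    map.set(key, new Set(vulnerabilities));
  }

  /**
   * Parses the raw value of the x-appscan-iast-req header.
   *
   * @param {string} rawHeaderValue - URL-encoded JSON as received on the wire
   * @returns {DastRequestData|null} the decoded request data, or null when the
   *   header is not a JSON object or its "phase" is neither "explore" nor "test"
   * @throws {URIError} if the value is not valid percent-encoding
   * @throws {SyntaxError} if the decoded value is not valid JSON
   *   (both are raised by untrusted input, so callers must be prepared for them)
   */
  static parse(rawHeaderValue) {
    const urlDecodedHeader = decodeURIComponent(rawHeaderValue);
    // JSON.origParse is presumably the un-instrumented JSON.parse saved by the
    // agent before it hooks the global — TODO confirm against the agent bootstrap.
    const jsonHeader = JSON.origParse(urlDecodedHeader);

    // Valid JSON is not necessarily an object (`null`, `5`, `"x"`): such a
    // payload carries no phase and is not a DAST request; returning null here
    // avoids a TypeError on the property reads below.
    if (jsonHeader === null || typeof jsonHeader !== "object") {
      return null;
    }

    const dastPhase = jsonHeader[PHASE];
    // NOTE(review): the value is passed through untyped and unbounded; what
    // DastRequestData does with a non-numeric or negative value is not visible here.
    const maxHeaderLengthKb = hasOwn(jsonHeader, MAX_HEADER_LENGTH_KB)
      ? jsonHeader[MAX_HEADER_LENGTH_KB]
      : 0;

    if (dastPhase === EXPLORE) {
      return new DastRequestData(Phase.EXPLORE, null, null, maxHeaderLengthKb);
    }
    if (dastPhase === TEST) {
      const entity = DastHeaderParser.parseEntity(jsonHeader);
      const attackInfo = DastHeaderParser.parseAttackInfo(jsonHeader);
      return new DastRequestData(Phase.TEST, entity, attackInfo, maxHeaderLengthKb);
    }
    return null;
  }

  /**
   * Extracts the "entity" object of the header.
   *
   * @param {object} jsonHeader - decoded header object
   * @returns {Entity} an Entity built from the header's name/type, with
   *   missing fields replaced by ""; an untyped placeholder Entity when the
   *   "entity" key is absent
   */
  static parseEntity(jsonHeader) {
    const entityObject = jsonHeader[ENTITY];
    if (entityObject == null) {
      return new Entity("", "", EntityType.NO_TYPE);
    }

    const rawName = entityObject[ENTITY_NAME];
    const rawType = entityObject[ENTITY_TYPE];
    const dastEntityName = rawName == null ? "" : rawName;
    const dastEntityType = rawType == null ? "" : rawType;

    // String() guards against a non-string "type" in the untrusted JSON, which
    // would otherwise have no origToLowerCase() and throw. origToLowerCase is
    // presumably the un-instrumented String.prototype.toLowerCase kept by the
    // agent — TODO confirm.
    return new Entity(dastEntityName, "", String(dastEntityType).origToLowerCase());
  }

  /**
   * Extracts the "attackInfo" object of the header.
   *
   * @param {object} jsonHeader - decoded header object
   * @returns {AttackInfo|null} null when the "attackInfo" key is absent;
   *   otherwise an AttackInfo whose vulnerabilities are the IAST kinds mapped
   *   from the DAST "vulnerability" category (null when that field is absent,
   *   undefined when the category is not in the lookup table)
   */
  static parseAttackInfo(jsonHeader) {
    const attackInfoObject = jsonHeader[ATTACK_INFO];
    if (attackInfoObject == null) {
      return null;
    }

    const dastAttackType = attackInfoObject[VULNERABILITY];
    // NOTE(review): an unknown category yields `undefined` from Map.get while a
    // missing field yields null; kept as-is because AttackInfo's handling of
    // the two is not visible here.
    const vulnerabilities = dastAttackType == null
      ? null
      : DastHeaderParser.dastToIastVulnerabilitiesMap.get(dastAttackType);
    return new AttackInfo(vulnerabilities);
  }
}

// Populate the category table once at module load.
DastHeaderParser.initializeDastIastVulnerabilitiesMap();

module.exports.DastHeaderParser = DastHeaderParser
module.exports.APPSCAN_HEADER_NAME_REQUEST = APPSCAN_HEADER_NAME_REQUEST
module.exports.APPSCAN_HEADER_NAME_RESPONSE = APPSCAN_HEADER_NAME_RESPONSE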