//IASTIGNORE
/*
 * ****************************************************
 * Licensed Materials - Property of HCL.
 * (c) Copyright HCL Technologies Ltd. 2017, 2025.
 * Note to U.S. Government Users *Restricted Rights.
 * ****************************************************
 */
const HookRule = require('../HookRules/HookRule')
const StackInfo = require('../../StackInfo')
const {Vulnerability} = require("../../TaintTracker");
const BeforeRule = require("./BeforeRule");
const K8sSinkTrigger = require("../Utils/K8sSinkUtils");

/**
 * Sink rule (a BeforeRule) attached to Axios's `_request` method.
 *
 * `_request` has two call shapes, `_request(url, config)` and
 * `_request(config)`, so the value(s) selected by `this.data.from` may be a
 * plain URL string, a request config object, or the Axios instance itself
 * (when `from` is "that"). Every candidate is handed to `K8sSinkTrigger` so
 * the taint tracker can raise MISSING_URL_VALIDATION and/or
 * PASSWORD_LEAKAGE_SENT_DATA when the value is tainted.
 */
class AxiosSinkRule extends BeforeRule {
    /**
     * Entry point invoked by the hook framework for `_request`.
     *
     * @param {object} hookValues - hook context: `that`, `simpleThat`,
     *   `methodName`, `simpleArgs`, `simpleRet`, plus whatever
     *   `HookRule.getActualParam` needs to resolve `this.data.from`.
     */
    doRule(hookValues) {
        // Stack/parameter description attached to every finding raised below.
        const parameters = StackInfo.getParamsStringArrayPostHook(
            hookValues.that,
            hookValues.simpleThat,
            hookValues.methodName,
            hookValues.simpleArgs,
            hookValues.simpleRet
        )

        // `from` may select a single value or a list of values; normalise to a list.
        const selected = HookRule.getActualParam(this.data.from, hookValues)
        const candidates = Array.isArray(selected) ? selected : [selected]

        // Each candidate is a URL string, a request config object, or the axios object.
        for (const candidate of candidates) {
            if (typeof candidate === "object") {
                // Config object or axios instance: inspect it property by property.
                // (`null` also has typeof "object"; `for...in` over null is a no-op.)
                this.sinkTriggerOnProperties(candidate, parameters)
            } else {
                // Anything that is not an object is treated as the positional url argument.
                K8sSinkTrigger.sinkTrigger(
                    candidate,
                    [Vulnerability.MISSING_URL_VALIDATION, Vulnerability.PASSWORD_LEAKAGE_SENT_DATA],
                    parameters,
                    "url",
                    "url"
                )
            }
        }
    }

    /**
     * Walks the enumerable properties of `param` and raises the matching sinks.
     *
     * @param {object} param - request config object, or the axios instance
     *   (whose request config lives under `defaults`).
     * @param {*} parameters - stack/parameter description built in `doRule`.
     * @param {boolean} [isAxiosObject] - true when `param` is the axios
     *   instance itself (defaults to whether `this.data.from` is "that");
     *   only then is the `defaults` property descended into, one level deep.
     */
    sinkTriggerOnProperties(param, parameters, isAxiosObject=this.data.from==="that") {
        // `for...in` is kept as-is: it also visits inherited enumerable keys,
        // and changing that would change which values reach the sinks.
        for (const key in param) {
            if (isAxiosObject && key === "defaults") {
                // The axios instance keeps its request config in `defaults`;
                // recurse exactly once, treating it as a plain config object.
                this.sinkTriggerOnProperties(param[key], parameters, false)
            } else if (key === "url") {
                // NOTE(review): only the `url` key is checked for missing URL
                // validation; axios also folds `baseURL` (and `params`) into the
                // request target — confirm whether those keys should be sinks too.
                K8sSinkTrigger.sinkTrigger(param[key], [Vulnerability.MISSING_URL_VALIDATION], parameters, key)
            }
            // Every property (including `defaults` and `url` handled above) is
            // also a candidate for leaking credentials in the outgoing request.
            K8sSinkTrigger.sinkTrigger(param[key], [Vulnerability.PASSWORD_LEAKAGE_SENT_DATA], parameters, key)
        }
    }
}

module.exports = AxiosSinkRule