UNPKG

@hclsoftware/secagent

Version:

IAST agent

82 lines (69 loc) 3.27 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
//IASTIGNORE /* * **************************************************** * Licensed Materials - Property of HCL. * (c) Copyright HCL Technologies Ltd. 2017, 2025. * Note to U.S. Government Users *Restricted Rights. * **************************************************** */ 'use strict' const ContextType = require("./ContextType.js") const ContextInfo = require("./ContextInfo"); const ctxOpenersBase = { "'" : ContextType.SINGLE_QUOTE, "\"": ContextType.DOUBLE_QUOTE, "(": ContextType.PARENTHESES, "[": ContextType.BRACKETS, "{": ContextType.BRACES } module.exports.ctxOpenersBase = ctxOpenersBase module.exports.VulnerabilityContext = class VulnerabilityContext { constructor(query, parameter){ this.contextsTypes = this.estimateContextsStackBased(query, parameter, null, 0) } getContextsTypes() { return this.contextsTypes } //abstract like method estimateContextStackBased (leftEdge, rightEdge){} estimateContextsStackBased(query, parameter, html, startIndex){ // Find first occurrence of the processed original param and it's length let currentOccurrenceIdx = -1 let paramLen = 0 if(parameter.originalProcessedParam != null && parameter.originalProcessedParam.length > 0 ){ currentOccurrenceIdx = query.origIndexOf(parameter.originalProcessedParam) paramLen = parameter.originalProcessedParam.length } let contextTypes = [] // If the parameter is not found in the query, it is considered as no reflection if (currentOccurrenceIdx === -1) { contextTypes.push(new ContextInfo([ContextType["NO_REFLECTION"].contextTypeName])) } // If the parameter is found more than once in the query, it is considered as multiple reflections else if (query.origIndexOf(parameter.originalProcessedParam, currentOccurrenceIdx + paramLen) !== -1) { contextTypes.push(new ContextInfo([ContextType["MULTIPLE_REFLECTION"].contextTypeName])) } while(currentOccurrenceIdx !== -1){ let leftEdge = query.origSubstring(0, startIndex + currentOccurrenceIdx) let rightEdge = query.origSubstring(startIndex+ currentOccurrenceIdx + paramLen) const cp = this.estimateContextStackBased(leftEdge, rightEdge) if(null !=cp){ contextTypes.push(cp) } currentOccurrenceIdx = query.origIndexOf(parameter.originalProcessedParam, currentOccurrenceIdx + paramLen) } let contextTypesProcessed = [] if(contextTypes.length === 0){ contextTypesProcessed.push(new ContextInfo([ContextType["UNKNOWN"].contextTypeName])) }else { for(let i = 0; i < contextTypes.length; i++){ if(contextTypes[i].getContextTypesStackBased().origArrayIncludes(ContextType["UNKNOWN"].contextTypeName) || contextTypes[i].getContextTypesStackBased().length == 0){ contextTypesProcessed.push( new ContextInfo([ContextType["UNKNOWN"].contextTypeName])) }else{ contextTypesProcessed.push(contextTypes[i]) } } } return contextTypesProcessed } }