dd-trace
Datadog APM tracing client for JavaScript
const { SSRF } = require('../vulnerabilities')
const InjectionAnalyzer = require('./injection-analyzer')
/**
 * Analyzer for server-side request forgery (SSRF): hands the destination of
 * outgoing HTTP and HTTP/2 client requests to the inherited `analyze` method.
 * It is registered under the SSRF vulnerability type.
 */
class SSRFAnalyzer extends InjectionAnalyzer {
  constructor () {
    super(SSRF)
  }

  /**
   * Subscribes to the client-request channels whose payload carries the
   * request destination.
   */
  onConfigure () {
    const onHttpRequestStart = ({ args }) => {
      const url = args.originalUrl
      if (typeof url === 'string') {
        this.analyze(url)
        return
      }

      // NOTE(review): only `options.host` is inspected on this path. Node's
      // http.request also accepts `options.hostname`; if the publisher does not
      // normalise it into `host`, a destination set only there is not analyzed.
      // Confirm against the instrumentation that publishes this channel.
      const host = args.options?.host
      if (host) {
        this.analyze(host)
      }
    }

    const onHttp2ConnectStart = ({ authority }) => {
      // Only non-empty strings are analyzed; any other authority value is skipped.
      if (typeof authority !== 'string' || authority === '') {
        return
      }
      this.analyze(authority)
    }

    this.addSub('apm:http:client:request:start', onHttpRequestStart)
    this.addSub('apm:http2:client:connect:start', onHttp2ConnectStart)
  }

  /**
   * Decides whether a range of `value` can be ignored as a finding.
   *
   * A range that starts at or after the first '#' is reported as secure;
   * presumably because the URL fragment is not part of the request sent to the
   * server (confirm). Every other range is decided by the parent class.
   *
   * @param {{ start: number }} range - range inside `value`; only `start` is read here
   * @param {string} value - the analyzed destination (assumed to be a string, since `indexOf` is called on it)
   * @returns {*} `true` for a range inside the fragment, otherwise the parent's result
   */
  _isRangeSecure (range, value) {
    const hashPosition = value.indexOf('#')
    const startsInFragment = hashPosition !== -1 && range.start >= hashPosition

    return startsInFragment || super._isRangeSecure(range, value)
  }
}
// Export a single analyzer instance rather than the class: Node caches the
// module, so every require() of this file receives the same object.
module.exports = new SSRFAnalyzer()