UNPKG

dd-trace

Version:

Datadog APM tracing client for JavaScript

github.com/DataDog/dd-trace-js

DataDog/dd-trace-js

85 lines (69 loc) 2.21 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
'use strict' const Analyzer = require('./vulnerability-analyzer') const SC_MOVED_PERMANENTLY = 301 const SC_MOVED_TEMPORARILY = 302 const SC_NOT_MODIFIED = 304 const SC_TEMPORARY_REDIRECT = 307 const SC_NOT_FOUND = 404 const SC_GONE = 410 const SC_INTERNAL_SERVER_ERROR = 500 const IGNORED_RESPONSE_STATUS_LIST = [SC_MOVED_PERMANENTLY, SC_MOVED_TEMPORARILY, SC_NOT_MODIFIED, SC_TEMPORARY_REDIRECT, SC_NOT_FOUND, SC_GONE, SC_INTERNAL_SERVER_ERROR] const HTML_CONTENT_TYPES = ['text/html', 'application/xhtml+xml'] class MissingHeaderAnalyzer extends Analyzer { constructor (type, headerName) { super(type) this.headerName = headerName } onConfigure () { this.addSub({ channelName: 'datadog:iast:response-end', moduleName: 'http' }, (data) => this.analyze(data)) } _getHeaderValues (res, headerName) { const headerValue = res.getHeader(headerName) if (Array.isArray(headerValue)) { return headerValue } else { return headerValue ? [headerValue.toString()] : [] } } _getLocation () { return undefined } _checkOCE (context) { return true } _createHashSource (type, evidence, location) { return `${type}:${this.config.tracerConfig.service}` } _getEvidence ({ res }) { const headerValues = this._getHeaderValues(res, this.headerName) let value if (headerValues.length === 1) { value = headerValues[0] } else if (headerValues.length > 0) { value = JSON.stringify(headerValues) } return { value } } _isVulnerable ({ req, res }, context) { if (!IGNORED_RESPONSE_STATUS_LIST.includes(res.statusCode) && this._isResponseHtml(res)) { return this._isVulnerableFromRequestAndResponse(req, res) } return false } _isVulnerableFromRequestAndResponse (req, res) { return false } _isResponseHtml (res) { const contentTypes = this._getHeaderValues(res, 'content-type') return contentTypes.some(contentType => { return contentType && HTML_CONTENT_TYPES.some(htmlContentType => { return htmlContentType === contentType || contentType.startsWith(htmlContentType + ';') }) }) } } module.exports = { MissingHeaderAnalyzer }