UNPKG

dd-trace

Version:

Datadog APM tracing client for JavaScript

github.com/DataDog/dd-trace-js

DataDog/dd-trace-js

63 lines (51 loc) 1.49 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
'use strict' const Analyzer = require('./vulnerability-analyzer') const { getNodeModulesPaths } = require('../path-line') const EXCLUDED_PATHS = [ // Express getNodeModulesPaths('express/lib/response.js'), // Fastify getNodeModulesPaths('fastify/lib/reply.js'), getNodeModulesPaths('fastify/lib/hooks.js'), getNodeModulesPaths('@fastify/cookie/plugin.js') ] class CookieAnalyzer extends Analyzer { constructor (type, propertyToBeSafe) { super(type) this.propertyToBeSafe = propertyToBeSafe.toLowerCase() } onConfigure () { this.addSub( { channelName: 'datadog:iast:set-cookie', moduleName: 'http' }, (cookieInfo) => this.analyze(cookieInfo) ) } _isVulnerable ({ cookieProperties, cookieValue }) { return cookieValue && !(cookieProperties && cookieProperties .map(x => x.toLowerCase().trim()).includes(this.propertyToBeSafe)) } _getEvidence ({ cookieName }) { return { value: cookieName } } _getExcludedPaths () { return EXCLUDED_PATHS } _checkOCE (context, value) { if (value && value.location) { return true } return super._checkOCE(context, value) } _getLocation (value, callSiteFrames) { if (!value) { return super._getLocation(value, callSiteFrames) } if (value.location) { return value.location } const location = super._getLocation(value, callSiteFrames) value.location = location return location } } module.exports = CookieAnalyzer