UNPKG

dd-trace

Version:

Datadog APM tracing client for JavaScript

github.com/DataDog/dd-trace-js

DataDog/dd-trace-js

83 lines (67 loc) 2.38 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
'use strict' const Analyzer = require('./vulnerability-analyzer') const SC_MOVED_PERMANENTLY = 301 const SC_MOVED_TEMPORARILY = 302 const SC_NOT_MODIFIED = 304 const SC_TEMPORARY_REDIRECT = 307 const SC_NOT_FOUND = 404 const SC_GONE = 410 const SC_INTERNAL_SERVER_ERROR = 500 const IGNORED_RESPONSE_STATUS_LIST = new Set([SC_MOVED_PERMANENTLY, SC_MOVED_TEMPORARILY, SC_NOT_MODIFIED, SC_TEMPORARY_REDIRECT, SC_NOT_FOUND, SC_GONE, SC_INTERNAL_SERVER_ERROR]) const HTML_CONTENT_TYPES = ['text/html', 'application/xhtml+xml'] class MissingHeaderAnalyzer extends Analyzer { constructor (type, headerName) { super(type) this.headerName = headerName } onConfigure () { this.addSub({ channelName: 'datadog:iast:response-end', moduleName: 'http' }, (data) => this.analyze(data)) } _getHeaderValues (res, storedHeaders, headerName) { headerName = headerName.toLowerCase() const headerValue = res.getHeader(headerName) || storedHeaders[headerName] if (Array.isArray(headerValue)) { return headerValue } return headerValue ? [headerValue.toString()] : [] } _getLocation () {} _checkOCE (context) { return true } _createHashSource (type, evidence, location) { return `${type}:${this.config.tracerConfig.service}` } _getEvidence ({ res, storedHeaders }) { const headerValues = this._getHeaderValues(res, storedHeaders, this.headerName) let value if (headerValues.length === 1) { value = headerValues[0] } else if (headerValues.length > 0) { value = JSON.stringify(headerValues) } return { value } } _isVulnerable ({ req, res, storedHeaders }, context) { if (!IGNORED_RESPONSE_STATUS_LIST.has(res.statusCode) && this._isResponseHtml(res, storedHeaders)) { return this._isVulnerableFromRequestAndResponse(req, res, storedHeaders) } return false } _isVulnerableFromRequestAndResponse (req, res, storedHeaders) { return false } _isResponseHtml (res, storedHeaders) { const contentTypes = this._getHeaderValues(res, storedHeaders, 'content-type') return contentTypes.some(contentType => { return contentType && HTML_CONTENT_TYPES.some(htmlContentType => { return htmlContentType === contentType || contentType.startsWith(htmlContentType + ';') }) }) } } module.exports = { MissingHeaderAnalyzer }