UNPKG

dd-trace

Version:

Datadog APM tracing client for JavaScript

github.com/DataDog/dd-trace-js

DataDog/dd-trace-js

65 lines (50 loc) 1.65 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
'use strict' const InjectionAnalyzer = require('./injection-analyzer') const { UNVALIDATED_REDIRECT } = require('../vulnerabilities') const { getNodeModulesPaths } = require('../path-line') const { getRanges } = require('../taint-tracking/operations') const { HTTP_REQUEST_BODY, HTTP_REQUEST_PARAMETER } = require('../taint-tracking/source-types') const EXCLUDED_PATHS = [ getNodeModulesPaths('express/lib/response.js'), getNodeModulesPaths('fastify/lib/reply.js'), ] const VULNERABLE_SOURCE_TYPES = new Set([ HTTP_REQUEST_BODY, HTTP_REQUEST_PARAMETER ]) class UnvalidatedRedirectAnalyzer extends InjectionAnalyzer { constructor () { super(UNVALIDATED_REDIRECT) } onConfigure () { this.addSub('datadog:http:server:response:set-header:finish', ({ name, value }) => this.analyze(name, value)) this.addSub('datadog:fastify:set-header:finish', ({ name, value }) => this.analyze(name, value)) } analyze (name, value) { if (!this.isLocationHeader(name) || typeof value !== 'string') return super.analyze(value) } isLocationHeader (name) { return name && name.trim().toLowerCase() === 'location' } _isVulnerable (value, iastContext) { if (!value) return false const ranges = getRanges(iastContext, value) return ranges?.length > 0 && this._hasUnsafeRange(ranges) } _hasUnsafeRange (ranges) { return ranges.some( range => this._isVulnerableRange(range) ) } _isVulnerableRange (range) { return VULNERABLE_SOURCE_TYPES.has(range.iinfo.type) } _getExcludedPaths () { return EXCLUDED_PATHS } } module.exports = new UnvalidatedRedirectAnalyzer()