Change source origin from HTTP_REQUEST_PATH to HTTP_REQUEST_URI
CarlesDD committed Sep 22, 2023
1 parent 8f145bf commit 350a31a
Showing 7 changed files with 22 additions and 21 deletions.
Expand Up @@ -6,8 +6,8 @@ const { getNodeModulesPaths } = require('../path-line')
const { getRanges } = require('../taint-tracking/operations')
const {
HTTP_REQUEST_HEADER_VALUE,
HTTP_REQUEST_PATH,
HTTP_REQUEST_PATH_PARAM
HTTP_REQUEST_PATH_PARAM,
HTTP_REQUEST_URI
} = require('../taint-tracking/source-types')

const EXCLUDED_PATHS = getNodeModulesPaths('express/lib/response.js')
Expand Down Expand Up @@ -56,7 +56,7 @@ class UnvalidatedRedirectAnalyzer extends InjectionAnalyzer {
}

_isUrl (range) {
return range.iinfo.type === HTTP_REQUEST_PATH
return range.iinfo.type === HTTP_REQUEST_URI
}

_getExcludedPaths () {
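Review bot: `_isUrl` now matches ranges of type HTTP_REQUEST_URI, which per the plugin.js hunk is the type given to `req.url` in taintUrl, and `req.url` presumably carries the query string as well as the path; nothing on the method records that a range from the full URI is meant to count as a URL here, and the caller of `_isUrl` is outside the hunk, so the effect of that classification cannot be checked from this view. Since HTTP_REQUEST_PATH stays exported in source-types.js, a range of that type no longer satisfies this check either, which is worth confirming against any other producer. A comment above the method would make the widened scope explicit, e.g. `// a range tainted from req.url (HTTP_REQUEST_URI: path plus query string) is treated as a URL`.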
8 changes: 4 additions & 4 deletions packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js
Expand Up @@ -11,8 +11,8 @@ const {
HTTP_REQUEST_HEADER_VALUE,
HTTP_REQUEST_HEADER_NAME,
HTTP_REQUEST_PARAMETER,
HTTP_REQUEST_PATH,
HTTP_REQUEST_PATH_PARAM
HTTP_REQUEST_PATH_PARAM,
HTTP_REQUEST_URI
} = require('./source-types')

class TaintTrackingPlugin extends SourceIastPlugin {
Expand Down Expand Up @@ -93,9 +93,9 @@ class TaintTrackingPlugin extends SourceIastPlugin {
taintUrl (req, iastContext) {
this.execSource({
handler: function () {
req.url = newTaintedString(iastContext, req.url, 'req.url', HTTP_REQUEST_PATH)
req.url = newTaintedString(iastContext, req.url, HTTP_REQUEST_URI, HTTP_REQUEST_URI)
},
tag: [HTTP_REQUEST_PATH],
tag: [HTTP_REQUEST_URI],
iastContext
})
}
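Review bot: In taintUrl the third argument of newTaintedString changed from the string 'req.url' to HTTP_REQUEST_URI, so the same constant is now passed twice; if that argument is the name attached to the taint range (the fixture in unvalidated-redirect-analyzer.spec.js still uses `parameterName: 'path'`), the reported name becomes 'http.request.uri' instead of the property the value came from, and the commit message does not mention this. The updated expectation in plugin.spec.js shows it is deliberate, so a one-line comment on that call stating why the type string doubles as the name would stop a later reader "fixing" it back to `'req.url'`. The rest of TaintTrackingPlugin is outside the hunk.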
Expand Up @@ -8,5 +8,6 @@ module.exports = {
HTTP_REQUEST_HEADER_VALUE: 'http.request.header',
HTTP_REQUEST_PARAMETER: 'http.request.parameter',
HTTP_REQUEST_PATH: 'http.request.path',
HTTP_REQUEST_PATH_PARAM: 'http.request.path.parameter'
HTTP_REQUEST_PATH_PARAM: 'http.request.path.parameter',
HTTP_REQUEST_URI: 'http.request.uri'
}
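Review bot: HTTP_REQUEST_PATH stays exported although this commit removes its last visible consumers (plugin.js and the redirect analyzer now import HTTP_REQUEST_URI), leaving an unused source type next to the new one with no indication of which is current. The telemetry expectation in index.spec.js moving from `http_request_path` to `http_request_uri` suggests these strings feed metric names, so the value is externally visible and should not be silently reused. Either add a comment such as `HTTP_REQUEST_PATH: 'http.request.path', // no longer produced by taintUrl; kept for compatibility`, or remove the entry if nothing else in the repository references it.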
Expand Up @@ -6,8 +6,8 @@ const overheadController = require('../../../../src/appsec/iast/overhead-control
const {
HTTP_REQUEST_HEADER_VALUE,
HTTP_REQUEST_PARAMETER,
HTTP_REQUEST_PATH,
HTTP_REQUEST_PATH_PARAM
HTTP_REQUEST_PATH_PARAM,
HTTP_REQUEST_URI
} = require('../../../../src/appsec/iast/taint-tracking/source-types')

describe('unvalidated-redirect-analyzer', () => {
Expand Down Expand Up @@ -46,7 +46,7 @@ describe('unvalidated-redirect-analyzer', () => {
}
const URL_RANGE = {
iinfo: {
type: HTTP_REQUEST_PATH,
type: HTTP_REQUEST_URI,
parameterName: 'path'
}
}
Expand Up @@ -9,8 +9,8 @@ const {
HTTP_REQUEST_COOKIE_NAME,
HTTP_REQUEST_HEADER_NAME,
HTTP_REQUEST_HEADER_VALUE,
HTTP_REQUEST_PATH,
HTTP_REQUEST_PATH_PARAM
HTTP_REQUEST_PATH_PARAM,
HTTP_REQUEST_URI
} = require('../../../../src/appsec/iast/taint-tracking/source-types')

const middlewareNextChannel = dc.channel('apm:express:middleware:next')
Expand Down Expand Up @@ -251,8 +251,8 @@ describe('IAST Taint tracking plugin', () => {
expect(taintTrackingOperations.newTaintedString).to.be.calledOnceWith(
iastContext,
req.url,
'req.url',
HTTP_REQUEST_PATH
HTTP_REQUEST_URI,
HTTP_REQUEST_URI
)
})
})
Expand Up @@ -10,11 +10,11 @@ const iast = require('../../../../../src/appsec/iast')
const iastContextFunctions = require('../../../../../src/appsec/iast/iast-context')
const { isTainted, getRanges } = require('../../../../../src/appsec/iast/taint-tracking/operations')
const {
HTTP_REQUEST_PATH,
HTTP_REQUEST_PATH_PARAM
HTTP_REQUEST_PATH_PARAM,
HTTP_REQUEST_URI
} = require('../../../../../src/appsec/iast/taint-tracking/source-types')

describe('Path sourcing with express', () => {
describe('URI sourcing with express', () => {
let express
let appListener

Expand Down Expand Up @@ -47,15 +47,15 @@ describe('Path sourcing with express', () => {
iast.disable()
})

it('should taint path', done => {
it('should taint uri', done => {
const app = express()
app.get('/path/*', (req, res) => {
const store = storage.getStore()
const iastContext = iastContextFunctions.getIastContext(store)
const isPathTainted = isTainted(iastContext, req.url)
expect(isPathTainted).to.be.true
const taintedPathValueRanges = getRanges(iastContext, req.url)
expect(taintedPathValueRanges[0].iinfo.type).to.be.equal(HTTP_REQUEST_PATH)
expect(taintedPathValueRanges[0].iinfo.type).to.be.equal(HTTP_REQUEST_URI)
res.status(200).send()
})

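Review bot: The test renamed to 'should taint uri' still only asserts the range type of `req.url` for the route '/path/*'; the request it issues is outside the hunk, so it is not visible here whether a query string is sent, and without one the test cannot show that the URI source covers anything beyond the path. Consider requesting a path with a query string and asserting that the range for `req.url` spans the whole string, and rename the locals `isPathTainted` and `taintedPathValueRanges` to match the new wording. The enclosing `it` block continues past the hunk.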
2 changes: 1 addition & 1 deletion packages/dd-trace/test/appsec/iast/telemetry/index.spec.js
Expand Up @@ -232,7 +232,7 @@ describe('Telemetry', () => {
it('should have url source execution metric', (done) => {
agent
.use(traces => {
expect(traces[0][0].metrics['_dd.iast.telemetry.executed.source.http_request_path']).to.be.equal(1)
expect(traces[0][0].metrics['_dd.iast.telemetry.executed.source.http_request_uri']).to.be.equal(1)
})
.then(done)
.catch(done)