Taint express route paramaters (#3187)

* Wrap express process_params to taint route params

* Add taint tracking plugin test for route params

* Change name of express process params channel

* Return process_param result

* Address taint tracking plugin subscriptions test

Author: CarlesDD

packages/datadog-instrumentations/src/express.js

@@ -57,3 +57,26 @@ addHook({
     })
   })
 })
+
+const processParamsStartCh = channel('datadog:express:process_params:start')
+const wrapProcessParamsMethod = (requestPositionInArguments) => {
+  return (original) => {
+    return function () {
+      if (processParamsStartCh.hasSubscribers) {
+        processParamsStartCh.publish({ req: arguments[requestPositionInArguments] })
+      }
+
+      return original.apply(this, arguments)
+    }
+  }
+}
+
+addHook({ name: 'express', versions: ['>=4.0.0 <4.3.0'] }, express => {
+  shimmer.wrap(express.Router, 'process_params', wrapProcessParamsMethod(1))
+  return express
+})
+
+addHook({ name: 'express', versions: ['>=4.3.0'] }, express => {
+  shimmer.wrap(express.Router, 'process_params', wrapProcessParamsMethod(2))
+  return express
+})

packages/dd-trace/src/appsec/iast/taint-tracking/origin-types.js

@@ -2,9 +2,10 @@
 
 module.exports = {
   HTTP_REQUEST_BODY: 'http.request.body',
-  HTTP_REQUEST_PARAMETER: 'http.request.parameter',
   HTTP_REQUEST_COOKIE_VALUE: 'http.request.cookie.value',
   HTTP_REQUEST_COOKIE_NAME: 'http.request.cookie.name',
   HTTP_REQUEST_HEADER_NAME: 'http.request.header.name',
-  HTTP_REQUEST_HEADER_VALUE: 'http.request.header'
+  HTTP_REQUEST_HEADER_VALUE: 'http.request.header',
+  HTTP_REQUEST_PARAMETER: 'http.request.parameter',
+  HTTP_REQUEST_PATH_PARAM: 'http.request.path.parameter'
 }

packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js

@@ -5,12 +5,14 @@ const { getIastContext } = require('../iast-context')
 const { storage } = require('../../../../../datadog-core')
 const { taintObject } = require('./operations')
 const {
-  HTTP_REQUEST_PARAMETER,
   HTTP_REQUEST_BODY,
   HTTP_REQUEST_COOKIE_VALUE,
   HTTP_REQUEST_COOKIE_NAME,
   HTTP_REQUEST_HEADER_VALUE,
-  HTTP_REQUEST_HEADER_NAME
+  HTTP_REQUEST_HEADER_NAME,
+  HTTP_REQUEST_PARAMETER,
+  HTTP_REQUEST_PATH_PARAM
+
 } = require('./origin-types')
 
 class TaintTrackingPlugin extends Plugin {
@@ -44,6 +46,14 @@ class TaintTrackingPlugin extends Plugin {
       'datadog:cookie:parse:finish',
       ({ cookies }) => this._cookiesTaintTrackingHandler(cookies)
     )
+    this.addSub(
+      'datadog:express:process_params:start',
+      ({ req }) => {
+        if (req && req.params && typeof req.params === 'object') {
+          this._taintTrackingHandler(HTTP_REQUEST_PATH_PARAM, req, 'params')
+        }
+      }
+    )
   }
 
   _taintTrackingHandler (type, target, property, iastContext = getIastContext(storage.getStore())) {

packages/dd-trace/test/appsec/iast/taint-tracking/plugin.spec.js

@@ -6,13 +6,15 @@ const taintTrackingOperations = require('../../../../src/appsec/iast/taint-track
 const dc = require('../../../../../diagnostics_channel')
 const {
   HTTP_REQUEST_COOKIE_VALUE,
-  HTTP_REQUEST_COOKIE_NAME
+  HTTP_REQUEST_COOKIE_NAME,
+  HTTP_REQUEST_PATH_PARAM
 } = require('../../../../src/appsec/iast/taint-tracking/origin-types')
 
 const middlewareNextChannel = dc.channel('apm:express:middleware:next')
 const queryParseFinishChannel = dc.channel('datadog:qs:parse:finish')
 const bodyParserFinishChannel = dc.channel('datadog:body-parser:read:finish')
 const cookieParseFinishCh = dc.channel('datadog:cookie:parse:finish')
+const processParamsStartCh = dc.channel('datadog:express:process_params:start')
 
 describe('IAST Taint tracking plugin', () => {
   let taintTrackingPlugin
@@ -38,12 +40,13 @@ describe('IAST Taint tracking plugin', () => {
     sinon.restore()
   })
 
-  it('Should subscribe to body parser, qs and cookie channel', () => {
-    expect(taintTrackingPlugin._subscriptions).to.have.lengthOf(4)
+  it('Should subscribe to body parser, qs, cookie and process_params channel', () => {
+    expect(taintTrackingPlugin._subscriptions).to.have.lengthOf(5)
     expect(taintTrackingPlugin._subscriptions[0]._channel.name).to.equals('datadog:body-parser:read:finish')
     expect(taintTrackingPlugin._subscriptions[1]._channel.name).to.equals('datadog:qs:parse:finish')
     expect(taintTrackingPlugin._subscriptions[2]._channel.name).to.equals('apm:express:middleware:next')
     expect(taintTrackingPlugin._subscriptions[3]._channel.name).to.equals('datadog:cookie:parse:finish')
+    expect(taintTrackingPlugin._subscriptions[4]._channel.name).to.equals('datadog:express:process_params:start')
   })
 
   describe('taint sources', () => {
@@ -202,5 +205,27 @@ describe('IAST Taint tracking plugin', () => {
         HTTP_REQUEST_COOKIE_NAME
       )
     })
+
+    it('Should taint request params when process params event is published', () => {
+      const req = {
+        params: {
+          parameter1: 'tainted1'
+        }
+      }
+
+      processParamsStartCh.publish({ req })
+      expect(taintTrackingOperations.taintObject).to.be.calledOnceWith(
+        iastContext,
+        req.params,
+        HTTP_REQUEST_PATH_PARAM
+      )
+    })
+
+    it('Should not taint request params when process params event is published with non params request', () => {
+      const req = {}
+
+      processParamsStartCh.publish({ req })
+      expect(taintTrackingOperations.taintObject).to.not.be.called
+    })
   })
 })

packages/dd-trace/test/appsec/iast/taint-tracking/sources/taint-tracking.express.plugin.spec.js

@@ -0,0 +1,169 @@
+'use strict'
+
+const axios = require('axios')
+const getPort = require('get-port')
+const semver = require('semver')
+const agent = require('../../../../plugins/agent')
+const Config = require('../../../../../src/config')
+const { storage } = require('../../../../../../datadog-core')
+const iast = require('../../../../../src/appsec/iast')
+const iastContextFunctions = require('../../../../../src/appsec/iast/iast-context')
+const { isTainted, getRanges } = require('../../../../../src/appsec/iast/taint-tracking/operations')
+const { HTTP_REQUEST_PATH_PARAM } = require('../../../../../src/appsec/iast/taint-tracking/origin-types')
+
+describe('Path params sourcing with express', () => {
+  let express
+  let expressVersion
+  let appListener
+
+  withVersions('express', 'express', version => {
+    const checkParamIsTaintedAndNext = (req, res, next, param) => {
+      const store = storage.getStore()
+      const iastContext = iastContextFunctions.getIastContext(store)
+
+      const pathParamValue = param
+      const isParameterTainted = isTainted(iastContext, pathParamValue)
+      expect(isParameterTainted).to.be.true
+      const taintedParameterValueRanges = getRanges(iastContext, pathParamValue)
+      expect(taintedParameterValueRanges[0].iinfo.type).to.be.equal(HTTP_REQUEST_PATH_PARAM)
+
+      next()
+    }
+
+    before(() => {
+      return agent.load(['http', 'express'], { client: false })
+    })
+
+    after(() => {
+      return agent.close({ ritmReset: false })
+    })
+
+    beforeEach(() => {
+      iast.enable(new Config({
+        experimental: {
+          iast: {
+            enabled: true,
+            requestSampling: 100
+          }
+        }
+      }))
+
+      const expressRequire = require(`../../../../../../../versions/express@${version}`)
+      express = expressRequire.get()
+      expressVersion = expressRequire.version()
+    })
+
+    afterEach(() => {
+      appListener && appListener.close()
+      appListener = null
+
+      iast.disable()
+    })
+
+    it('should taint path params', function (done) {
+      const app = express()
+      app.get('/:parameter1/:parameter2', (req, res) => {
+        const store = storage.getStore()
+        const iastContext = iastContextFunctions.getIastContext(store)
+
+        for (const pathParamName of ['parameter1', 'parameter2']) {
+          const pathParamValue = req.params[pathParamName]
+          const isParameterTainted = isTainted(iastContext, pathParamValue)
+          expect(isParameterTainted).to.be.true
+          const taintedParameterValueRanges = getRanges(iastContext, pathParamValue)
+          expect(taintedParameterValueRanges[0].iinfo.type).to.be.equal(HTTP_REQUEST_PATH_PARAM)
+        }
+
+        res.status(200).send()
+      })
+
+      getPort().then(port => {
+        appListener = app.listen(port, 'localhost', () => {
+          axios
+            .get(`http://localhost:${port}/tainted1/tainted2`)
+            .then(() => done())
+            .catch(done)
+        })
+      })
+    })
+
+    it('should taint path params in nested routers with merged params', function (done) {
+      if (!semver.satisfies(expressVersion, '>4.5.0')) {
+        this.skip()
+      }
+
+      const app = express()
+      const nestedRouter = express.Router({ mergeParams: true })
+
+      nestedRouter.get('/:parameterChild', (req, res) => {
+        const store = storage.getStore()
+        const iastContext = iastContextFunctions.getIastContext(store)
+
+        for (const pathParamName of ['parameterParent', 'parameterChild']) {
+          const pathParamValue = req.params[pathParamName]
+          const isParameterTainted = isTainted(iastContext, pathParamValue)
+          expect(isParameterTainted).to.be.true
+          const taintedParameterValueRanges = getRanges(iastContext, pathParamValue)
+          expect(taintedParameterValueRanges[0].iinfo.type).to.be.equal(HTTP_REQUEST_PATH_PARAM)
+        }
+
+        res.status(200).send()
+      })
+
+      app.use('/:parameterParent', nestedRouter)
+
+      getPort().then(port => {
+        appListener = app.listen(port, 'localhost', () => {
+          axios
+            .get(`http://localhost:${port}/tainted1/tainted2`)
+            .then(() => done())
+            .catch(done)
+        })
+      })
+    })
+
+    it('should taint path param on router.params callback', function (done) {
+      const app = express()
+
+      app.use('/:parameter1/:parameter2', (req, res) => {
+        res.status(200).send()
+      })
+
+      app.param('parameter1', checkParamIsTaintedAndNext)
+      app.param('parameter2', checkParamIsTaintedAndNext)
+
+      getPort().then(port => {
+        appListener = app.listen(port, 'localhost', () => {
+          axios
+            .get(`http://localhost:${port}/tainted1/tainted2`)
+            .then(() => done())
+            .catch(done)
+        })
+      })
+    })
+
+    it('should taint path param on router.params callback with custom implementation', function (done) {
+      const app = express()
+
+      app.use('/:parameter1/:parameter2', (req, res) => {
+        res.status(200).send()
+      })
+
+      app.param((param, option) => {
+        return checkParamIsTaintedAndNext
+      })
+
+      app.param('parameter1')
+      app.param('parameter2')
+
+      getPort().then(port => {
+        appListener = app.listen(port, 'localhost', () => {
+          axios
+            .get(`http://localhost:${port}/tainted1/tainted2`)
+            .then(() => done())
+            .catch(done)
+        })
+      })
+    })
+  })
+})