Taint request URI (#3302)

* Taint request URI

* Add check for safe tainted origins on unvalidated redirect analyzer

* Change assertion construction for unvalidated redirect analyzer test

* Add metric for uri sourcing

* Fix PR comments

Author: CarlesDD

packages/dd-trace/src/appsec/iast/analyzers/unvalidated-redirect-analyzer.js

@@ -4,7 +4,11 @@ const InjectionAnalyzer = require('./injection-analyzer')
 const { UNVALIDATED_REDIRECT } = require('../vulnerabilities')
 const { getNodeModulesPaths } = require('../path-line')
 const { getRanges } = require('../taint-tracking/operations')
-const { HTTP_REQUEST_HEADER_VALUE } = require('../taint-tracking/source-types')
+const {
+  HTTP_REQUEST_HEADER_VALUE,
+  HTTP_REQUEST_PATH,
+  HTTP_REQUEST_PATH_PARAM
+} = require('../taint-tracking/source-types')
 
 const EXCLUDED_PATHS = getNodeModulesPaths('express/lib/response.js')
 
@@ -17,9 +21,6 @@ class UnvalidatedRedirectAnalyzer extends InjectionAnalyzer {
     this.addSub('datadog:http:server:response:set-header:finish', ({ name, value }) => this.analyze(name, value))
   }
 
-  // TODO: In case the location header value is tainted, this analyzer should check the ranges of the tainted.
-  // And do not report a vulnerability if source of the ranges (range.iinfo.type) are exclusively url or path params
-  // to avoid false positives.
   analyze (name, value) {
     if (!this.isLocationHeader(name) || typeof value !== 'string') return
 
@@ -34,12 +35,28 @@ class UnvalidatedRedirectAnalyzer extends InjectionAnalyzer {
     if (!value) return false
 
     const ranges = getRanges(iastContext, value)
-    return ranges && ranges.length > 0 && !this._isRefererHeader(ranges)
+    return ranges && ranges.length > 0 && !this._areSafeRanges(ranges)
   }
 
-  _isRefererHeader (ranges) {
-    return ranges && ranges.every(range => range.iinfo.type === HTTP_REQUEST_HEADER_VALUE &&
-      range.iinfo.parameterName && range.iinfo.parameterName.toLowerCase() === 'referer')
+  // Do not report vulnerability if ranges sources are exclusively url,
+  // path params or referer header to avoid false positives.
+  _areSafeRanges (ranges) {
+    return ranges && ranges.every(
+      range => this._isPathParam(range) || this._isUrl(range) || this._isRefererHeader(range)
+    )
+  }
+
+  _isRefererHeader (range) {
+    return range.iinfo.type === HTTP_REQUEST_HEADER_VALUE &&
+      range.iinfo.parameterName && range.iinfo.parameterName.toLowerCase() === 'referer'
+  }
+
+  _isPathParam (range) {
+    return range.iinfo.type === HTTP_REQUEST_PATH_PARAM
+  }
+
+  _isUrl (range) {
+    return range.iinfo.type === HTTP_REQUEST_PATH
   }
 
   _getExcludedPaths () {

packages/dd-trace/src/appsec/iast/index.js

@@ -54,7 +54,7 @@ function onIncomingHttpRequestStart (data) {
           createTransaction(rootSpan.context().toSpanId(), iastContext)
           overheadController.initializeRequestContext(iastContext)
           iastTelemetry.onRequestStart(iastContext)
-          taintTrackingPlugin.taintHeaders(data.req.headers, iastContext)
+          taintTrackingPlugin.taintRequest(data.req, iastContext)
         }
         if (rootSpan.addTags) {
           rootSpan.addTags({

packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js

@@ -3,14 +3,15 @@
 const { SourceIastPlugin } = require('../iast-plugin')
 const { getIastContext } = require('../iast-context')
 const { storage } = require('../../../../../datadog-core')
-const { taintObject } = require('./operations')
+const { taintObject, newTaintedString } = require('./operations')
 const {
   HTTP_REQUEST_BODY,
   HTTP_REQUEST_COOKIE_VALUE,
   HTTP_REQUEST_COOKIE_NAME,
   HTTP_REQUEST_HEADER_VALUE,
   HTTP_REQUEST_HEADER_NAME,
   HTTP_REQUEST_PARAMETER,
+  HTTP_REQUEST_PATH,
   HTTP_REQUEST_PATH_PARAM
 } = require('./source-types')
 
@@ -89,6 +90,21 @@ class TaintTrackingPlugin extends SourceIastPlugin {
     })
   }
 
+  taintUrl (req, iastContext) {
+    this.execSource({
+      handler: function () {
+        req.url = newTaintedString(iastContext, req.url, 'req.url', HTTP_REQUEST_PATH)
+      },
+      tag: [HTTP_REQUEST_PATH],
+      iastContext
+    })
+  }
+
+  taintRequest (req, iastContext) {
+    this.taintHeaders(req.headers, iastContext)
+    this.taintUrl(req, iastContext)
+  }
+
   enable () {
     this.configure(true)
   }

packages/dd-trace/src/appsec/iast/taint-tracking/source-types.js

@@ -7,5 +7,6 @@ module.exports = {
   HTTP_REQUEST_HEADER_NAME: 'http.request.header.name',
   HTTP_REQUEST_HEADER_VALUE: 'http.request.header',
   HTTP_REQUEST_PARAMETER: 'http.request.parameter',
+  HTTP_REQUEST_PATH: 'http.request.path',
   HTTP_REQUEST_PATH_PARAM: 'http.request.path.parameter'
 }

packages/dd-trace/test/appsec/iast/analyzers/unvalidated-redirect-analyzer.spec.js

@@ -3,15 +3,22 @@
 const { expect } = require('chai')
 const proxyquire = require('proxyquire')
 const overheadController = require('../../../../src/appsec/iast/overhead-controller')
-const { HTTP_REQUEST_HEADER_VALUE, HTTP_REQUEST_PARAMETER } =
-  require('../../../../src/appsec/iast/taint-tracking/source-types')
+const {
+  HTTP_REQUEST_HEADER_VALUE,
+  HTTP_REQUEST_PARAMETER,
+  HTTP_REQUEST_PATH,
+  HTTP_REQUEST_PATH_PARAM
+} = require('../../../../src/appsec/iast/taint-tracking/source-types')
 
 describe('unvalidated-redirect-analyzer', () => {
   const NOT_TAINTED_LOCATION = 'url.com'
   const TAINTED_LOCATION = 'evil.com'
 
   const TAINTED_HEADER_REFERER_ONLY = 'TAINTED_HEADER_REFERER_ONLY'
-  const TAINTED_HEADER_REFERER_AMONG_OTHERS = 'TAINTED_HEADER_REFERER_ONLY_AMONG_OTHERS'
+  const TAINTED_PATH_PARAMS_ONLY = 'TAINTED_PATH_PARAMS_ONLY'
+  const TAINTED_URL_ONLY = 'TAINTED_URL_ONLY'
+  const TAINTED_SAFE_RANGES = 'TAINTED_SAFE_RANGES'
+  const TAINTED_SAFE_RANGES_AMONG_OTHERS = 'TAINTED_SAFE_RANGES_AMONG_OTHERS'
 
   const REFERER_RANGE = {
     iinfo: {
@@ -31,21 +38,40 @@ describe('unvalidated-redirect-analyzer', () => {
       parameterName: 'param2'
     }
   }
+  const PATH_PARAM_RANGE = {
+    iinfo: {
+      type: HTTP_REQUEST_PATH_PARAM,
+      parameterName: 'path_param'
+    }
+  }
+  const URL_RANGE = {
+    iinfo: {
+      type: HTTP_REQUEST_PATH,
+      parameterName: 'path'
+    }
+  }
 
   const TaintTrackingMock = {
     isTainted: (iastContext, string) => {
       return string === TAINTED_LOCATION
     },
 
     getRanges: (iastContext, value) => {
-      if (value === NOT_TAINTED_LOCATION) return null
-
-      if (value === TAINTED_HEADER_REFERER_ONLY) {
-        return [REFERER_RANGE]
-      } else if (value === TAINTED_HEADER_REFERER_AMONG_OTHERS) {
-        return [REFERER_RANGE, PARAMETER1_RANGE]
-      } else {
-        return [PARAMETER1_RANGE, PARAMETER2_RANGE]
+      switch (value) {
+        case NOT_TAINTED_LOCATION:
+          return null
+        case TAINTED_HEADER_REFERER_ONLY:
+          return [REFERER_RANGE]
+        case TAINTED_PATH_PARAMS_ONLY:
+          return [PATH_PARAM_RANGE]
+        case TAINTED_URL_ONLY:
+          return [URL_RANGE]
+        case TAINTED_SAFE_RANGES:
+          return [REFERER_RANGE, PATH_PARAM_RANGE, URL_RANGE]
+        case TAINTED_SAFE_RANGES_AMONG_OTHERS:
+          return [REFERER_RANGE, PATH_PARAM_RANGE, URL_RANGE, PARAMETER1_RANGE]
+        default:
+          return [PARAMETER1_RANGE, PARAMETER2_RANGE]
       }
     }
   }
@@ -78,19 +104,19 @@ describe('unvalidated-redirect-analyzer', () => {
   it('should not report headers other than Location', () => {
     unvalidatedRedirectAnalyzer.analyze('X-test', NOT_TAINTED_LOCATION)
 
-    expect(report).to.not.have.been.called
+    expect(report).not.to.be.called
   })
 
   it('should not report Location header with non string values', () => {
     unvalidatedRedirectAnalyzer.analyze('X-test', [TAINTED_LOCATION])
 
-    expect(report).to.not.have.been.called
+    expect(report).not.to.be.called
   })
 
   it('should not report Location header with not tainted string value', () => {
     unvalidatedRedirectAnalyzer.analyze('Location', NOT_TAINTED_LOCATION)
 
-    expect(report).to.not.have.been.called
+    expect(report).not.to.be.called
   })
 
   it('should report Location header with tainted string value', () => {
@@ -102,11 +128,29 @@ describe('unvalidated-redirect-analyzer', () => {
   it('should not report if tainted origin is referer header exclusively', () => {
     unvalidatedRedirectAnalyzer.analyze('Location', TAINTED_HEADER_REFERER_ONLY)
 
-    expect(report).to.not.be.called
+    expect(report).not.to.be.called
+  })
+
+  it('should not report if tainted origin is path param exclusively', () => {
+    unvalidatedRedirectAnalyzer.analyze('Location', TAINTED_PATH_PARAMS_ONLY)
+
+    expect(report).not.to.be.called
+  })
+
+  it('should not report if tainted origin is url exclusively', () => {
+    unvalidatedRedirectAnalyzer.analyze('Location', TAINTED_URL_ONLY)
+
+    expect(report).not.to.be.called
+  })
+
+  it('should not report if all tainted origin are safe', () => {
+    unvalidatedRedirectAnalyzer.analyze('Location', TAINTED_SAFE_RANGES)
+
+    expect(report).not.to.be.called
   })
 
   it('should report if tainted origin contains referer header among others', () => {
-    unvalidatedRedirectAnalyzer.analyze('Location', TAINTED_HEADER_REFERER_AMONG_OTHERS)
+    unvalidatedRedirectAnalyzer.analyze('Location', TAINTED_SAFE_RANGES_AMONG_OTHERS)
 
     expect(report).to.be.called
   })

packages/dd-trace/test/appsec/iast/taint-tracking/plugin.spec.js

@@ -7,6 +7,9 @@ const dc = require('../../../../../diagnostics_channel')
 const {
   HTTP_REQUEST_COOKIE_VALUE,
   HTTP_REQUEST_COOKIE_NAME,
+  HTTP_REQUEST_HEADER_NAME,
+  HTTP_REQUEST_HEADER_VALUE,
+  HTTP_REQUEST_PATH,
   HTTP_REQUEST_PATH_PARAM
 } = require('../../../../src/appsec/iast/taint-tracking/source-types')
 
@@ -227,5 +230,30 @@ describe('IAST Taint tracking plugin', () => {
       processParamsStartCh.publish({ req })
       expect(taintTrackingOperations.taintObject).to.not.be.called
     })
+
+    it('Should taint headers and uri from request', () => {
+      const req = {
+        headers: {
+          'x-iast-header': 'header-value'
+        },
+        url: 'https://testurl'
+      }
+      taintTrackingPlugin.taintRequest(req, iastContext)
+
+      expect(taintTrackingOperations.taintObject).to.be.calledOnceWith(
+        iastContext,
+        req.headers,
+        HTTP_REQUEST_HEADER_VALUE,
+        true,
+        HTTP_REQUEST_HEADER_NAME
+      )
+
+      expect(taintTrackingOperations.newTaintedString).to.be.calledOnceWith(
+        iastContext,
+        req.url,
+        'req.url',
+        HTTP_REQUEST_PATH
+      )
+    })
   })
 })

packages/dd-trace/test/appsec/iast/taint-tracking/sources/taint-tracking.express.plugin.spec.js

@@ -9,7 +9,67 @@ const { storage } = require('../../../../../../datadog-core')
 const iast = require('../../../../../src/appsec/iast')
 const iastContextFunctions = require('../../../../../src/appsec/iast/iast-context')
 const { isTainted, getRanges } = require('../../../../../src/appsec/iast/taint-tracking/operations')
-const { HTTP_REQUEST_PATH_PARAM } = require('../../../../../src/appsec/iast/taint-tracking/source-types')
+const {
+  HTTP_REQUEST_PATH,
+  HTTP_REQUEST_PATH_PARAM
+} = require('../../../../../src/appsec/iast/taint-tracking/source-types')
+
+describe('Path sourcing with express', () => {
+  let express
+  let appListener
+
+  withVersions('express', 'express', version => {
+    before(() => {
+      return agent.load(['http', 'express'], { client: false })
+    })
+
+    after(() => {
+      return agent.close({ ritmReset: false })
+    })
+
+    beforeEach(() => {
+      iast.enable(new Config({
+        experimental: {
+          iast: {
+            enabled: true,
+            requestSampling: 100
+          }
+        }
+      }))
+
+      express = require(`../../../../../../../versions/express@${version}`).get()
+    })
+
+    afterEach(() => {
+      appListener && appListener.close()
+      appListener = null
+
+      iast.disable()
+    })
+
+    it('should taint path', done => {
+      const app = express()
+      app.get('/path/*', (req, res) => {
+        const store = storage.getStore()
+        const iastContext = iastContextFunctions.getIastContext(store)
+        const isPathTainted = isTainted(iastContext, req.url)
+        expect(isPathTainted).to.be.true
+        const taintedPathValueRanges = getRanges(iastContext, req.url)
+        expect(taintedPathValueRanges[0].iinfo.type).to.be.equal(HTTP_REQUEST_PATH)
+        res.status(200).send()
+      })
+
+      getPort().then(port => {
+        appListener = app.listen(port, 'localhost', () => {
+          axios
+            .get(`http://localhost:${port}/path/vulnerable`)
+            .then(() => done())
+            .catch(done)
+        })
+      })
+    })
+  })
+})
 
 describe('Path params sourcing with express', () => {
   let express

packages/dd-trace/test/appsec/iast/telemetry/index.spec.js

@@ -216,6 +216,16 @@ describe('Telemetry', () => {
           }
         }).catch(done)
       })
+
+      it('should have url source execution metric', (done) => {
+        agent
+          .use(traces => {
+            expect(traces[0][0].metrics['_dd.iast.telemetry.executed.source.http_request_path']).to.be.equal(1)
+          })
+          .then(done)
+          .catch(done)
+        axios.get(`http://localhost:${config.port}/`).catch(done)
+      })
     }
     testInRequest(app, tests)
   })