Detect SQL injection with sequelize

.github/workflows/appsec.yml

@@ -105,7 +105,7 @@ jobs:
         ports:
           - 3306:3306
     env:
-      PLUGINS: mysql|mysql2
+      PLUGINS: mysql|mysql2|sequelize
       SERVICES: mysql
     steps:
       - uses: actions/checkout@v2

packages/datadog-instrumentations/src/helpers/hooks.js

@@ -80,6 +80,7 @@ module.exports = {
   'rhea': () => require('../rhea'),
   'router': () => require('../router'),
   'sharedb': () => require('../sharedb'),
+  'sequelize': () => require('../sequelize'),
   'tedious': () => require('../tedious'),
   'when': () => require('../when'),
   'winston': () => require('../winston')

packages/datadog-instrumentations/src/sequelize.js

@@ -0,0 +1,51 @@
+'use strict'
+
+const {
+  channel,
+  addHook,
+  AsyncResource
+} = require('./helpers/instrument')
+
+const shimmer = require('../../datadog-shimmer')
+
+addHook({ name: 'sequelize', versions: ['>=4'] }, Sequelize => {
+  const startCh = channel('datadog:sequelize:query:start')
+  const finishCh = channel('datadog:sequelize:query:finish')
+
+  shimmer.wrap(Sequelize.prototype, 'query', query => {
+    return function (sql) {
+      if (!startCh.hasSubscribers) {
+        return query.apply(this, arguments)
+      }
+
+      const asyncResource = new AsyncResource('bound-anonymous-fn')
+
+      let dialect
+      if (this.options && this.options.dialect) {
+        dialect = this.options.dialect
+      } else if (this.dialect && this.dialect.name) {
+        dialect = this.dialect.name
+      }
+
+      function onFinish () {
+        asyncResource.bind(function () {
+          finishCh.publish()
+        }, this).apply(this)
+      }
+
+      return asyncResource.bind(function () {
+        startCh.publish({
+          sql,
+          dialect
+        })
+
+        const promise = query.apply(this, arguments)
+        promise.then(onFinish, onFinish)
+
+        return promise
+      }, this).apply(this, arguments)
+    }
+  })
+
+  return Sequelize
+})

packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js

@@ -13,6 +13,22 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
     this.addSub('apm:mysql:query:start', ({ sql }) => this.analyze(sql, 'MYSQL'))
     this.addSub('apm:mysql2:query:start', ({ sql }) => this.analyze(sql, 'MYSQL'))
     this.addSub('apm:pg:query:start', ({ query }) => this.analyze(query.text, 'POSTGRES'))
+
+    this.addSub('datadog:sequelize:query:start', ({ sql, dialect }) => {
+      const parentStore = storage.getStore()
+      if (parentStore) {
+        this.analyze(sql, dialect.toUpperCase())
+
+        storage.enterWith({ ...parentStore, sqlAnalyzed: true, sequelizeParentStore: parentStore })
+      }
+    })
+
+    this.addSub('datadog:sequelize:query:finish', () => {
+      const store = storage.getStore()
+      if (store.sequelizeParentStore) {
+        storage.enterWith(store.sequelizeParentStore)
+      }
+    })
   }
 
   _getEvidence (value, iastContext, dialect) {
@@ -22,9 +38,12 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
 
   analyze (value, dialect) {
     const store = storage.getStore()
-    const iastContext = getIastContext(store)
-    if (store && !iastContext) return
-    this._reportIfVulnerable(value, iastContext, dialect)
+
+    if (!(store && store.sqlAnalyzed)) {
+      const iastContext = getIastContext(store)
+      if (store && !iastContext) return
+      this._reportIfVulnerable(value, iastContext, dialect)
+    }
   }
 
   _reportIfVulnerable (value, context, dialect) {
@@ -37,13 +56,17 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
 
   _report (value, context, dialect) {
     const evidence = this._getEvidence(value, context, dialect)
-    const location = this._getLocation()
+    const location = this._getLocation(this._getExcludedLocations())
     if (!this._isExcluded(location)) {
       const spanId = context && context.rootSpan && context.rootSpan.context().toSpanId()
       const vulnerability = createVulnerability(this._type, evidence, spanId, location)
       addVulnerability(context, vulnerability)
     }
   }
+
+  _getExcludedLocations () {
+    return ['node_modules/mysql2', 'node_modules/sequelize']
+  }
 }
 
 module.exports = new SqlInjectionAnalyzer()

packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -58,8 +58,8 @@ class Analyzer extends Plugin {
     return { value }
   }
 
-  _getLocation () {
-    return getFirstNonDDPathAndLine()
+  _getLocation (externallyExcludedLocations) {
+    return getFirstNonDDPathAndLine(externallyExcludedLocations)
   }
 
   analyze (value) {

packages/dd-trace/src/appsec/iast/path-line.js

@@ -37,12 +37,12 @@ function getCallSiteInfo () {
   return callsiteList
 }
 
-function getFirstNonDDPathAndLineFromCallsites (callsites) {
+function getFirstNonDDPathAndLineFromCallsites (callsites, externallyExcludedLocations) {
   if (callsites) {
     for (let i = 0; i < callsites.length; i++) {
       const callsite = callsites[i]
       const filepath = callsite.getFileName()
-      if (!isExcluded(callsite) && filepath.indexOf(pathLine.ddBasePath) === -1) {
+      if (!isExcluded(callsite, externallyExcludedLocations) && filepath.indexOf(pathLine.ddBasePath) === -1) {
         return {
           path: path.relative(process.cwd(), filepath),
           line: callsite.getLineNumber(),
@@ -54,14 +54,18 @@ function getFirstNonDDPathAndLineFromCallsites (callsites) {
   return null
 }
 
-function isExcluded (callsite) {
+function isExcluded (callsite, externallyExcludedPaths) {
   if (callsite.isNative()) return true
   const filename = callsite.getFileName()
   if (!filename) {
     return true
   }
-  for (let i = 0; i < EXCLUDED_PATHS.length; i++) {
-    if (filename.indexOf(EXCLUDED_PATHS[i]) > -1) {
+  let excludedPaths = EXCLUDED_PATHS
+  if (externallyExcludedPaths) {
+    excludedPaths = [...excludedPaths, ...externallyExcludedPaths]
+  }
+  for (let i = 0; i < excludedPaths.length; i++) {
+    if (filename.indexOf(excludedPaths[i]) > -1) {
       return true
     }
   }
@@ -73,7 +77,7 @@ function isExcluded (callsite) {
   return false
 }
 
-function getFirstNonDDPathAndLine () {
-  return getFirstNonDDPathAndLineFromCallsites(getCallSiteInfo())
+function getFirstNonDDPathAndLine (externallyExcludedLocations) {
+  return getFirstNonDDPathAndLineFromCallsites(getCallSiteInfo(), externallyExcludedLocations)
 }
 module.exports = pathLine

packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js

@@ -12,17 +12,32 @@ class TaintTrackingPlugin extends Plugin {
     this._type = 'taint-tracking'
     this.addSub(
       'datadog:body-parser:read:finish',
-      ({ req }) => this._taintTrackingHandler(HTTP_REQUEST_BODY, req, 'body')
+      ({ req }) => {
+        const iastContext = getIastContext(storage.getStore())
+        if (iastContext && iastContext['body'] !== req.body) {
+          this._taintTrackingHandler(HTTP_REQUEST_BODY, req, 'body', iastContext)
+          iastContext['body'] = req.body
+        }
+      }
     )
     this.addSub(
       'datadog:qs:parse:finish',
       ({ qs }) => this._taintTrackingHandler(HTTP_REQUEST_PARAMETER, qs))
+
+    this.addSub('apm:express:middleware:next', ({ req }) => {
+      if (req && req.body && typeof req.body === 'object') {
+        const iastContext = getIastContext(storage.getStore())
+        if (iastContext && iastContext['body'] !== req.body) {
+          this._taintTrackingHandler(HTTP_REQUEST_BODY, req, 'body', iastContext)
+          iastContext['body'] = req.body
+        }
+      }
+    })
   }
 
-  _taintTrackingHandler (type, target, property) {
-    const iastContext = getIastContext(storage.getStore())
+  _taintTrackingHandler (type, target, property, iastContext = getIastContext(storage.getStore())) {
     if (!property) {
-      target = taintObject(iastContext, target, type)
+      taintObject(iastContext, target, type)
     } else {
       target[property] = taintObject(iastContext, target[property], type)
     }

packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/sql-sensitive-analyzer.js

@@ -21,10 +21,20 @@ const NUMERIC_LITERAL =
       INTEGER_NUMBER + EXPONENT
     ].join('|')
   })`
+const ORACLE_ESCAPED_LITERAL = 'q\'<.*?>\'|q\'\\(.*?\\)\'|q\'\\{.*?\\}\'|q\'\\[.*?\\]\'|q\'(?<ESCAPE>.).*?\\k<ESCAPE>\''
 
 class SqlSensitiveAnalyzer {
   constructor () {
     this._patterns = {
+      ANSI: new RegExp( // Default
+        [
+          NUMERIC_LITERAL,
+          STRING_LITERAL,
+          LINE_COMMENT,
+          BLOCK_COMMENT
+        ].join('|'),
+        'gmi'
+      ),
       MYSQL: new RegExp(
         [
           NUMERIC_LITERAL,
@@ -43,13 +53,26 @@ class SqlSensitiveAnalyzer {
           BLOCK_COMMENT
         ].join('|'),
         'gmi'
-      )
+      ),
+      ORACLE: new RegExp([
+        NUMERIC_LITERAL,
+        ORACLE_ESCAPED_LITERAL,
+        STRING_LITERAL,
+        LINE_COMMENT,
+        BLOCK_COMMENT
+      ].join('|'),
+      'gmi')
     }
+    this._patterns.SQLITE = this._patterns.MYSQL
+    this._patterns.MARIADB = this._patterns.MYSQL
   }
 
   extractSensitiveRanges (evidence) {
     try {
-      const pattern = this._patterns[evidence.dialect]
+      let pattern = this._patterns[evidence.dialect]
+      if (!pattern) {
+        pattern = this._patterns['ANSI']
+      }
       pattern.lastIndex = 0
       const tokens = []
 

packages/dd-trace/test/appsec/iast/analyzers/path-traversal-analyzer.spec.js

@@ -169,7 +169,7 @@ prepareTestServerForIast('integration test', (testThatRequestHasVulnerability, t
             callArgs[vulnerableIndex] = newTaintedString(iastCtx, callArgs[vulnerableIndex], 'param', 'Request')
           }
           return fn(callArgs)
-        }, 'PATH_TRAVERSAL', 1)
+        }, 'PATH_TRAVERSAL', { occurrences: 1 })
       })
       describe('no vulnerable', () => {
         testThatRequestHasNoVulnerability(function () {

packages/dd-trace/test/appsec/iast/analyzers/sql-injection-analyzer.sequelize.plugin.spec.js

@@ -0,0 +1,70 @@
+'use strict'
+
+const fs = require('fs')
+const os = require('os')
+const path = require('path')
+const { prepareTestServerForIast } = require('../utils')
+const { storage } = require('../../../../../datadog-core')
+const iastContextFunctions = require('../../../../src/appsec/iast/iast-context')
+const { newTaintedString } = require('../../../../src/appsec/iast/taint-tracking/operations')
+const vulnerabilityReporter = require('../../../../src/appsec/iast/vulnerability-reporter')
+
+describe('sql-injection-analyzer with sequelize', () => {
+  withVersions('sequelize', 'sequelize', sequelizeVersion => {
+    withVersions('mysql2', 'mysql2', (mysqlVersion) => {
+      let sequelize
+
+      prepareTestServerForIast('sequelize + mysql2',
+        (testThatRequestHasVulnerability, testThatRequestHasNoVulnerability) => {
+          beforeEach(() => {
+            const Sequelize = require(`../../../../../../versions/sequelize@${sequelizeVersion}`).get()
+            sequelize = new Sequelize('db', 'root', '', {
+              host: '127.0.0.1',
+              dialect: 'mysql'
+            })
+            vulnerabilityReporter.clearCache()
+            return sequelize.authenticate()
+          })
+
+          testThatRequestHasVulnerability(() => {
+            const store = storage.getStore()
+            const iastCtx = iastContextFunctions.getIastContext(store)
+
+            let sql = 'SELECT 1'
+            sql = newTaintedString(iastCtx, sql, 'param', 'Request')
+
+            return sequelize.query(sql)
+          }, 'SQL_INJECTION', { occurrences: 1 })
+
+          const externalFileContent = `'use strict'
+
+module.exports = function (sequelize, sql) {
+  return sequelize.query(sql)
+}
+`
+          testThatRequestHasVulnerability(() => {
+            const filepath = path.join(os.tmpdir(), 'test-sequelize-sqli.js')
+            fs.writeFileSync(filepath, externalFileContent)
+
+            const store = storage.getStore()
+            const iastCtx = iastContextFunctions.getIastContext(store)
+
+            let sql = 'SELECT 1'
+            sql = newTaintedString(iastCtx, sql, 'param', 'Request')
+
+            return require(filepath)(sequelize, sql)
+          }, 'SQL_INJECTION', {
+            occurrences: 1,
+            location: {
+              path: 'test-sequelize-sqli.js',
+              line: 4
+            }
+          })
+
+          testThatRequestHasNoVulnerability(() => {
+            return sequelize.query('SELECT 1')
+          }, 'SQL_INJECTION')
+        })
+    })
+  })
+})

packages/dd-trace/test/appsec/iast/analyzers/sql-injection-analyzer.spec.js

@@ -20,10 +20,12 @@ describe('sql-injection-analyzer', () => {
   })
 
   it('should subscribe to mysql, mysql2 and pg start query channel', () => {
-    expect(sqlInjectionAnalyzer._subscriptions).to.have.lengthOf(3)
+    expect(sqlInjectionAnalyzer._subscriptions).to.have.lengthOf(5)
     expect(sqlInjectionAnalyzer._subscriptions[0]._channel.name).to.equals('apm:mysql:query:start')
     expect(sqlInjectionAnalyzer._subscriptions[1]._channel.name).to.equals('apm:mysql2:query:start')
     expect(sqlInjectionAnalyzer._subscriptions[2]._channel.name).to.equals('apm:pg:query:start')
+    expect(sqlInjectionAnalyzer._subscriptions[3]._channel.name).to.equals('datadog:sequelize:query:start')
+    expect(sqlInjectionAnalyzer._subscriptions[4]._channel.name).to.equals('datadog:sequelize:query:finish')
   })
 
   it('should not detect vulnerability when no query', () => {

packages/dd-trace/test/appsec/iast/analyzers/weak-cipher-analyzers.spec.js

@@ -67,6 +67,6 @@ describe('weak-cipher-analyzer', () => {
       const key = '1111111111111111'
       const iv = 'abcdefgh'
       crypto.createCipheriv(VULNERABLE_CIPHER, key, iv)
-    }, 'WEAK_CIPHER')
+    }, 'WEAK_CIPHER', { occurrences: 1 })
   })
 })