Fix LDAPi vulnerability location

Author: CarlesDD

packages/dd-trace/src/appsec/iast/analyzers/ldap-injection-analyzer.js

@@ -1,6 +1,9 @@
 'use strict'
 const InjectionAnalyzer = require('./injection-analyzer')
 const { LDAP_INJECTION } = require('../vulnerabilities')
+const { getNodeModulesPaths } = require('../path-line')
+
+const EXCLUDED_PATHS = getNodeModulesPaths('ldapjs-promise')
 
 class LdapInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
@@ -10,6 +13,10 @@ class LdapInjectionAnalyzer extends InjectionAnalyzer {
   onConfigure () {
     this.addSub('datadog:ldapjs:client:search', ({ base, filter }) => this.analyzeAll(base, filter))
   }
+
+  _getExcludedPaths () {
+    return EXCLUDED_PATHS
+  }
 }
 
 module.exports = new LdapInjectionAnalyzer()

packages/dd-trace/src/appsec/iast/path-line.js

@@ -8,7 +8,8 @@ const pathLine = {
   getNodeModulesPaths,
   getFirstNonDDPathAndLineFromCallsites, // Exported only for test purposes
   calculateDDBasePath, // Exported only for test purposes
-  ddBasePath: calculateDDBasePath(__dirname) // Only for test purposes
+  ddBasePath: calculateDDBasePath(__dirname), // Only for test purposes
+  ddBasePathVersions: path.join(calculateDDBasePath(__dirname), 'versions') // Only for test purposes
 }
 
 const EXCLUDED_PATHS = [
@@ -43,7 +44,10 @@ function getFirstNonDDPathAndLineFromCallsites (callsites, externallyExcludedPat
     for (let i = 0; i < callsites.length; i++) {
       const callsite = callsites[i]
       const filepath = callsite.getFileName()
-      if (!isExcluded(callsite, externallyExcludedPaths) && filepath.indexOf(pathLine.ddBasePath) === -1) {
+      if (
+        !isExcluded(callsite, externallyExcludedPaths) &&
+        (filepath.indexOf(pathLine.ddBasePathVersions) > -1 || filepath.indexOf(pathLine.ddBasePath) === -1)
+      ) {
         return {
           path: path.relative(process.cwd(), filepath),
           line: callsite.getLineNumber(),

packages/dd-trace/test/appsec/iast/analyzers/ldap-injection-analyzer.ldapjs.plugin.spec.js

@@ -1,5 +1,9 @@
 'use strict'
 
+const fs = require('fs')
+const os = require('os')
+const path = require('path')
+
 const { prepareTestServerForIast } = require('../utils')
 const { storage } = require('../../../../../datadog-core')
 const iastContextFunctions = require('../../../../src/appsec/iast/iast-context')
@@ -165,4 +169,53 @@ describe('ldap-injection-analyzer with ldapjs', () => {
       })
     })
   })
+
+  withVersions('ldapjs', 'ldapjs-promise', promiseVersion => {
+    prepareTestServerForIast('ldapjs-promise', (testThatRequestHasVulnerability, testThatRequestHasNoVulnerability) => {
+      const srcFilePath = path.join(__dirname, 'resources', 'ldap-injection-methods.js')
+      const dstFilePath = path.join(os.tmpdir(), 'ldap-injection-methods.js')
+      let ldapMethods
+
+      beforeEach(async () => {
+        await agent.load('ldapjs')
+        vulnerabilityReporter.clearCache()
+        const ldapjs = require(`../../../../../../versions/ldapjs-promise@${promiseVersion}`).get()
+        client = ldapjs.createClient({
+          url: 'ldap://localhost:1389'
+        })
+
+        fs.copyFileSync(srcFilePath, dstFilePath)
+        ldapMethods = require(dstFilePath)
+
+        return client.bind(`cn=admin,${base}`, 'adminpassword')
+      })
+
+      afterEach(async () => {
+        fs.unlinkSync(dstFilePath)
+        await client.unbind()
+      })
+
+      describe('has vulnerability', () => {
+        testThatRequestHasVulnerability(() => {
+          const store = storage.getStore()
+          const iastCtx = iastContextFunctions.getIastContext(store)
+
+          let filter = '(objectClass=*)'
+          filter = newTaintedString(iastCtx, filter, 'param', 'Request')
+
+          return ldapMethods.executeSearch(client, base, filter)
+        }, 'LDAP_INJECTION', {
+          occurrences: 1,
+          location: { path: 'ldap-injection-methods.js' }
+        })
+      })
+
+      describe('has no vulnerability', () => {
+        testThatRequestHasNoVulnerability(() => {
+          const filter = '(objectClass=*)'
+          return ldapMethods.executeSearch(client, base, filter)
+        }, 'LDAP_INJECTION')
+      })
+    })
+  })
 })

packages/dd-trace/test/appsec/iast/analyzers/resources/ldap-injection-methods.js

@@ -0,0 +1,7 @@
+'use strict'
+
+function executeSearch (client, base, filter) {
+  return client.search(base, filter)
+}
+
+module.exports = { executeSearch }

packages/dd-trace/test/plugins/externals.json

@@ -127,6 +127,16 @@
       "versions": ["6.1.0"]
     }
   ],
+  "ldapjs": [
+    {
+      "name": "ldapjs",
+      "versions": [">= 2"]
+    },
+    {
+      "name": "ldapjs-promise",
+      "versions": [">=2"]
+    }
+  ],
   "mariadb": [
     {
       "name": "mariadb",