Reduce false positives when unvalidated redirect vulnerability is detected (#5880)

Author: uurien

packages/dd-trace/src/appsec/iast/analyzers/unvalidated-redirect-analyzer.js

@@ -5,13 +5,17 @@ const { UNVALIDATED_REDIRECT } = require('../vulnerabilities')
 const { getNodeModulesPaths } = require('../path-line')
 const { getRanges } = require('../taint-tracking/operations')
 const {
-  HTTP_REQUEST_HEADER_VALUE,
-  HTTP_REQUEST_PATH_PARAM,
-  HTTP_REQUEST_URI
+  HTTP_REQUEST_BODY,
+  HTTP_REQUEST_PARAMETER
 } = require('../taint-tracking/source-types')
 
 const EXCLUDED_PATHS = getNodeModulesPaths('express/lib/response.js')
 
+const VULNERABLE_SOURCE_TYPES = new Set([
+  HTTP_REQUEST_BODY,
+  HTTP_REQUEST_PARAMETER
+])
+
 class UnvalidatedRedirectAnalyzer extends InjectionAnalyzer {
   constructor () {
     super(UNVALIDATED_REDIRECT)
@@ -35,28 +39,17 @@ class UnvalidatedRedirectAnalyzer extends InjectionAnalyzer {
     if (!value) return false
 
     const ranges = getRanges(iastContext, value)
-    return ranges && ranges.length > 0 && !this._areSafeRanges(ranges)
+    return ranges?.length > 0 && this._hasUnsafeRange(ranges)
   }
 
-  // Do not report vulnerability if ranges sources are exclusively url,
-  // path params or referer header to avoid false positives.
-  _areSafeRanges (ranges) {
-    return ranges && ranges.every(
-      range => this._isPathParam(range) || this._isUrl(range) || this._isRefererHeader(range)
+  _hasUnsafeRange (ranges) {
+    return ranges.some(
+      range => this._isVulnerableRange(range)
     )
   }
 
-  _isRefererHeader (range) {
-    return range.iinfo.type === HTTP_REQUEST_HEADER_VALUE &&
-      range.iinfo.parameterName && range.iinfo.parameterName.toLowerCase() === 'referer'
-  }
-
-  _isPathParam (range) {
-    return range.iinfo.type === HTTP_REQUEST_PATH_PARAM
-  }
-
-  _isUrl (range) {
-    return range.iinfo.type === HTTP_REQUEST_URI
+  _isVulnerableRange (range) {
+    return VULNERABLE_SOURCE_TYPES.has(range.iinfo.type)
   }
 
   _getExcludedPaths () {

packages/dd-trace/src/appsec/iast/taint-tracking/source-types.js

@@ -7,7 +7,6 @@ module.exports = {
   HTTP_REQUEST_HEADER_NAME: 'http.request.header.name',
   HTTP_REQUEST_HEADER_VALUE: 'http.request.header',
   HTTP_REQUEST_PARAMETER: 'http.request.parameter',
-  HTTP_REQUEST_PATH: 'http.request.path',
   HTTP_REQUEST_PATH_PARAM: 'http.request.path.parameter',
   HTTP_REQUEST_URI: 'http.request.uri',
   KAFKA_MESSAGE_KEY: 'kafka.message.key',

packages/dd-trace/test/appsec/iast/analyzers/unvalidated-redirect-analyzer.express.plugin.spec.js

@@ -6,9 +6,7 @@ const path = require('path')
 
 const { UNVALIDATED_REDIRECT } = require('../../../../src/appsec/iast/vulnerabilities')
 const { prepareTestServerForIastInExpress } = require('../utils')
-const { storage } = require('../../../../../datadog-core')
-const iastContextFunctions = require('../../../../src/appsec/iast/iast-context')
-const { newTaintedString } = require('../../../../src/appsec/iast/taint-tracking/operations')
+const Axios = require('axios')
 
 describe('Unvalidated Redirect vulnerability', () => {
   let redirectFunctions
@@ -24,58 +22,85 @@ describe('Unvalidated Redirect vulnerability', () => {
     fs.unlinkSync(redirectFunctionsPath)
   })
 
+  function getAxiosInstance (config) {
+    return Axios.create({
+      baseURL: `http://localhost:${config.port}`
+    })
+  }
+
   withVersions('express', 'express', version => {
     prepareTestServerForIastInExpress('in express', version,
       (testThatRequestHasVulnerability, testThatRequestHasNoVulnerability) => {
         testThatRequestHasVulnerability((req, res) => {
-          const store = storage('legacy').getStore()
-          const iastCtx = iastContextFunctions.getIastContext(store)
-          const location = newTaintedString(iastCtx, 'https://app.com?id=tron', 'param', 'Request')
+          const location = req.query.location
           redirectFunctions.insecureWithResHeaderMethod('location', location, res)
         }, UNVALIDATED_REDIRECT, {
           occurrences: 1,
           location: {
             path: redirectFunctionsFilename,
             line: 4
           }
+        }, null, (done, config) => {
+          getAxiosInstance(config).get('/?location=https://app.com?id=tron').catch(done)
         })
 
         testThatRequestHasVulnerability((req, res) => {
-          const store = storage('legacy').getStore()
-          const iastCtx = iastContextFunctions.getIastContext(store)
-          const location = newTaintedString(iastCtx, 'http://user@app.com/', 'param', 'Request')
-          redirectFunctions.insecureWithResRedirectMethod(location, res)
+          redirectFunctions.insecureWithResRedirectMethod(req.query.location, res)
         }, UNVALIDATED_REDIRECT, {
           occurrences: 1,
           location: {
             path: redirectFunctionsFilename,
             line: 8
           }
+        }, null, (done, config) => {
+          getAxiosInstance(config).get('/?location=http://user@app.com/').catch(done)
         })
 
         testThatRequestHasVulnerability((req, res) => {
-          const store = storage('legacy').getStore()
-          const iastCtx = iastContextFunctions.getIastContext(store)
-          const location = newTaintedString(iastCtx, 'http://user@app.com/', 'param', 'Request')
-          redirectFunctions.insecureWithResLocationMethod(location, res)
+          redirectFunctions.insecureWithResLocationMethod(req.query.location, res)
         }, UNVALIDATED_REDIRECT, {
           occurrences: 1,
           location: {
             path: redirectFunctionsFilename,
             line: 12
           }
+        }, null, (done, config) => {
+          getAxiosInstance(config).get('/?location=http://user@app.com/').catch(done)
+        })
+
+        testThatRequestHasVulnerability((req, res) => {
+          redirectFunctions.insecureWithResLocationMethod(req.body.location, res)
+        }, UNVALIDATED_REDIRECT, {
+          occurrences: 1,
+          location: {
+            path: redirectFunctionsFilename,
+            line: 12
+          }
+        }, null, (done, config) => {
+          getAxiosInstance(config).post('', {
+            location: 'http://user@app.com/'
+          }).catch(done)
         })
 
         testThatRequestHasNoVulnerability((req, res) => {
-          const store = storage('legacy').getStore()
-          const iastCtx = iastContextFunctions.getIastContext(store)
-          const location = newTaintedString(iastCtx, 'http://user@app.com/', 'pathParam', 'Request')
-          res.header('X-test', location)
-        }, UNVALIDATED_REDIRECT)
+          res.header('X-test', req.query.location)
+        }, UNVALIDATED_REDIRECT, (done, config) => {
+          getAxiosInstance(config).get('/?location=http://user@app.com/').catch(done)
+        })
 
         testThatRequestHasNoVulnerability((req, res) => {
           redirectFunctions.insecureWithResHeaderMethod('location', 'http://user@app.com/', res)
         }, UNVALIDATED_REDIRECT)
+
+        testThatRequestHasNoVulnerability((req, res) => {
+          redirectFunctions.insecureWithResLocationMethod(req.headers.redirectlocation, res)
+        }, UNVALIDATED_REDIRECT, (done, config) => {
+          getAxiosInstance(config).get('', {
+            headers: {
+              redirectlocation: 'http://user@app.com/'
+            }
+          }).catch(done)
+        })
       })
   })
 })

packages/dd-trace/test/appsec/iast/analyzers/vulnerability-analyzer.express.plugin.spec.js

@@ -6,9 +6,7 @@ const path = require('path')
 
 const { UNVALIDATED_REDIRECT } = require('../../../../src/appsec/iast/vulnerabilities')
 const { prepareTestServerForIastInExpress } = require('../utils')
-const { storage } = require('../../../../../datadog-core')
-const iastContextFunctions = require('../../../../src/appsec/iast/iast-context')
-const { newTaintedString } = require('../../../../src/appsec/iast/taint-tracking/operations')
+const axios = require('axios')
 
 describe('Vulnerability Analyzer plugin', () => {
   let redirectFunctions
@@ -45,29 +43,27 @@ describe('Vulnerability Analyzer plugin', () => {
     prepareTestServerForIastInExpress('should find original source line minified or not', version,
       (testThatRequestHasVulnerability, testThatRequestHasNoVulnerability) => {
         testThatRequestHasVulnerability((req, res) => {
-          const store = storage('legacy').getStore()
-          const iastCtx = iastContextFunctions.getIastContext(store)
-          const location = newTaintedString(iastCtx, 'https://app.com?id=tron', 'param', 'Request')
-          redirectMinFunctions.insecureWithResHeaderMethod('location', location, res)
+          redirectMinFunctions.insecureWithResHeaderMethod('location', req.query.location, res)
         }, UNVALIDATED_REDIRECT, {
           occurrences: 1,
           location: {
             path: redirectFunctionsFilename, // original source code file indicated in sourceMappingURL
             line: 4 // line in not minified source file
           }
+        }, null, (done, config) => {
+          axios.get(`http://localhost:${config.port}/?location=https://app.com?id=tron`).catch(done)
         })
 
         testThatRequestHasVulnerability((req, res) => {
-          const store = storage('legacy').getStore()
-          const iastCtx = iastContextFunctions.getIastContext(store)
-          const location = newTaintedString(iastCtx, 'https://app.com?id=tron', 'param', 'Request')
-          redirectFunctions.insecureWithResHeaderMethod('location', location, res)
+          redirectFunctions.insecureWithResHeaderMethod('location', req.query.location, res)
         }, UNVALIDATED_REDIRECT, {
           occurrences: 1,
           location: {
             path: redirectFunctionsFilename,
             line: 4
           }
+        }, null, (done, config) => {
+          axios.get(`http://localhost:${config.port}/?location=https://app.com?id=tron`).catch(done)
         })
       })
   })