Fix LDAPi vulnerability location when using ldapjs-promise

packages/dd-trace/src/appsec/iast/analyzers/ldap-injection-analyzer.js

@@ -1,6 +1,9 @@
 'use strict'
 const InjectionAnalyzer = require('./injection-analyzer')
 const { LDAP_INJECTION } = require('../vulnerabilities')
+const { getNodeModulesPaths } = require('../path-line')
+
+const EXCLUDED_PATHS = getNodeModulesPaths('ldapjs-promise')
 
 class LdapInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
@@ -10,6 +13,10 @@ class LdapInjectionAnalyzer extends InjectionAnalyzer {
   onConfigure () {
     this.addSub('datadog:ldapjs:client:search', ({ base, filter }) => this.analyzeAll(base, filter))
   }
+
+  _getExcludedPaths () {
+    return EXCLUDED_PATHS
+  }
 }
 
 module.exports = new LdapInjectionAnalyzer()

packages/dd-trace/src/util.js

@@ -66,7 +66,7 @@ function globMatch (pattern, subject) {
 function calculateDDBasePath (dirname) {
   const dirSteps = dirname.split(path.sep)
   const packagesIndex = dirSteps.lastIndexOf('packages')
-  return dirSteps.slice(0, packagesIndex).join(path.sep) + path.sep
+  return dirSteps.slice(0, packagesIndex + 1).join(path.sep) + path.sep
 }
 
 module.exports = {

packages/dd-trace/test/appsec/iast/analyzers/ldap-injection-analyzer.ldapjs.plugin.spec.js

@@ -1,5 +1,9 @@
 'use strict'
 
+const fs = require('fs')
+const os = require('os')
+const path = require('path')
+
 const { prepareTestServerForIast } = require('../utils')
 const { storage } = require('../../../../../datadog-core')
 const iastContextFunctions = require('../../../../src/appsec/iast/iast-context')
@@ -165,4 +169,53 @@ describe('ldap-injection-analyzer with ldapjs', () => {
       })
     })
   })
+
+  withVersions('ldapjs', 'ldapjs-promise', promiseVersion => {
+    prepareTestServerForIast('ldapjs-promise', (testThatRequestHasVulnerability, testThatRequestHasNoVulnerability) => {
+      const srcFilePath = path.join(__dirname, 'resources', 'ldap-injection-methods.js')
+      const dstFilePath = path.join(os.tmpdir(), 'ldap-injection-methods.js')
+      let ldapMethods
+
+      beforeEach(async () => {
+        await agent.load('ldapjs')
+        vulnerabilityReporter.clearCache()
+        const ldapjs = require(`../../../../../../versions/ldapjs-promise@${promiseVersion}`).get()
+        client = ldapjs.createClient({
+          url: 'ldap://localhost:1389'
+        })
+
+        fs.copyFileSync(srcFilePath, dstFilePath)
+        ldapMethods = require(dstFilePath)
+
+        return client.bind(`cn=admin,${base}`, 'adminpassword')
+      })
+
+      afterEach(async () => {
+        fs.unlinkSync(dstFilePath)
+        await client.unbind()
+      })
+
+      describe('has vulnerability', () => {
+        testThatRequestHasVulnerability(() => {
+          const store = storage.getStore()
+          const iastCtx = iastContextFunctions.getIastContext(store)
+
+          let filter = '(objectClass=*)'
+          filter = newTaintedString(iastCtx, filter, 'param', 'Request')
+
+          return ldapMethods.executeSearch(client, base, filter)
+        }, 'LDAP_INJECTION', {
+          occurrences: 1,
+          location: { path: 'ldap-injection-methods.js' }
+        })
+      })
+
+      describe('has no vulnerability', () => {
+        testThatRequestHasNoVulnerability(() => {
+          const filter = '(objectClass=*)'
+          return ldapMethods.executeSearch(client, base, filter)
+        }, 'LDAP_INJECTION')
+      })
+    })
+  })
 })

packages/dd-trace/test/appsec/iast/analyzers/resources/ldap-injection-methods.js

@@ -0,0 +1,7 @@
+'use strict'
+
+function executeSearch (client, base, filter) {
+  return client.search(base, filter)
+}
+
+module.exports = { executeSearch }

packages/dd-trace/test/appsec/iast/path-line.spec.js

@@ -21,7 +21,7 @@ class CallSiteMock {
 }
 
 describe('path-line', function () {
-  const PATH_LINE_PATH = path.join('packages', 'dd-trace', 'src', 'appsec', 'iast', 'path-line.js')
+  const PATH_LINE_PATH = path.join('dd-trace', 'src', 'appsec', 'iast', 'path-line.js')
 
   const tmpdir = os.tmpdir()
   const firstSep = tmpdir.indexOf(path.sep)
@@ -50,19 +50,20 @@ describe('path-line', function () {
 
   describe('calculateDDBasePath', () => {
     it('/node_modules/dd-trace', () => {
-      const basePath = path.join(rootPath, 'node_modules', 'dd-trace', path.sep)
+      const basePath = path.join(rootPath, 'node_modules', 'dd-trace', 'packages', path.sep)
       const result = pathLine.calculateDDBasePath(path.join(basePath, PATH_LINE_PATH))
       expect(result).to.be.equals(basePath)
     })
 
     it('/packages/project/path/node_modules/dd-trace', () => {
-      const basePath = path.join(rootPath, 'packages', 'project', 'path', 'node_modules', 'dd-trace', path.sep)
+      const basePath =
+        path.join(rootPath, 'packages', 'project', 'path', 'node_modules', 'dd-trace', 'packages', path.sep)
       const result = pathLine.calculateDDBasePath(path.join(basePath, PATH_LINE_PATH))
       expect(result).to.be.equals(basePath)
     })
 
     it('/project/path/node_modules/dd-trace', () => {
-      const basePath = path.join(rootPath, 'project', 'path', 'node_modules', 'dd-trace', path.sep)
+      const basePath = path.join(rootPath, 'project', 'path', 'node_modules', 'dd-trace', 'packages', path.sep)
       const result = pathLine.calculateDDBasePath(path.join(basePath, PATH_LINE_PATH))
       expect(result).to.be.equals(basePath)
     })

packages/dd-trace/test/plugins/externals.json

@@ -127,6 +127,16 @@
       "versions": ["6.1.0"]
     }
   ],
+  "ldapjs": [
+    {
+      "name": "ldapjs",
+      "versions": [">= 2"]
+    },
+    {
+      "name": "ldapjs-promise",
+      "versions": [">=2"]
+    }
+  ],
   "mariadb": [
     {
       "name": "mariadb",