Taint cookies and headers #3232

Merged: 11 commits from ccapell/taint-cookies-headers into master, Jun 15, 2023

Conversation

CarlesDD (Contributor)

What does this PR do?

Provides the feature to taint values coming from cookies and headers.

Motivation

Include more sources for tainting, improving custom code vulnerability detection

  • Unit tests.
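The PR description above says the feature taints values coming from cookies and headers. As an added example, not code from dd-trace-js or from the PR author, the following toy tracker in JavaScript shows what that means in an IAST: request header and cookie values are registered as taint sources (with an option to taint the keys as well, since the commit list mentions a taintingKeys flag), taint propagates through string concatenation, and a sink check reports which request inputs reached a sensitive operation. Every name in it (TaintContext, taintRequest, checkSink, the origin labels) is an assumption for illustration, not the project's API.

```javascript
'use strict'

// Assumed origin labels for this toy; not the project's origin-types constants.
const ORIGIN_HEADER = 'http.request.header'
const ORIGIN_COOKIE = 'http.request.cookie'

// One taint context per request. It maps a tainted string to the ranges
// (origin, source name, [start, end)) that came from user input.
// Keying by string value is a simplification; a real tracker keys by identity.
class TaintContext {
  constructor () {
    this.ranges = new Map()
  }

  // Mark `value` as coming from `origin` (for example a header called `name`).
  taint (value, origin, name) {
    if (typeof value !== 'string' || value.length === 0) return value
    const ranges = this.ranges.get(value) || []
    ranges.push({ origin, name, start: 0, end: value.length })
    this.ranges.set(value, ranges)
    return value
  }

  isTainted (value) {
    return this.ranges.has(value)
  }

  getRanges (value) {
    return this.ranges.get(value) || []
  }

  // Propagation: a concatenation inherits the ranges of both operands,
  // with the right-hand ranges shifted by the left-hand length.
  concat (left, right) {
    const out = left + right
    const shifted = this.getRanges(right).map(r => ({
      ...r, start: r.start + left.length, end: r.end + left.length
    }))
    const merged = [...this.getRanges(left), ...shifted]
    if (merged.length > 0) this.ranges.set(out, merged)
    return out
  }
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies (cookieHeader) {
  const cookies = {}
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=')
    if (idx === -1) continue
    const name = part.slice(0, idx).trim()
    const value = part.slice(idx + 1).trim()
    if (name) cookies[name] = value
  }
  return cookies
}

// Taint every header value as a header source and every cookie value as a
// cookie source. With `taintKeys` set, header and cookie names are tainted too
// (the PR's commit list mentions a taintingKeys flag; the behaviour here is assumed).
// Returns the parsed cookies so callers can use them like a cookie parser would.
function taintRequest (ctx, headers, { taintKeys = false } = {}) {
  let cookies = {}
  for (const [name, value] of Object.entries(headers)) {
    if (taintKeys) ctx.taint(name, ORIGIN_HEADER, name)
    if (name.toLowerCase() === 'cookie') {
      cookies = parseCookies(value)
      for (const [cname, cvalue] of Object.entries(cookies)) {
        if (taintKeys) ctx.taint(cname, ORIGIN_COOKIE, cname)
        ctx.taint(cvalue, ORIGIN_COOKIE, cname)
      }
    }
    ctx.taint(value, ORIGIN_HEADER, name)
  }
  return cookies
}

// Sink check: when a tainted string reaches a sensitive operation, report which
// request inputs flowed into it. Returns null for an untainted value.
function checkSink (ctx, sinkType, value) {
  if (!ctx.isTainted(value)) return null
  const sources = ctx.getRanges(value).map(r => `${r.origin}:${r.name}`)
  return { sinkType, value, sources: [...new Set(sources)] }
}

// Worked scenario on constructed headers: a cookie value flows into a query string.
function demo () {
  const ctx = new TaintContext()
  const headers = { 'user-agent': 'ExampleAgent/1.0', cookie: 'session=abc123; theme=dark' }
  const cookies = taintRequest(ctx, headers, { taintKeys: true })
  const query = ctx.concat('SELECT * FROM prefs WHERE theme = ', cookies.theme)
  return checkSink(ctx, 'SQL_INJECTION', query)
}
```

`demo()` returns a finding whose `sources` list contains `http.request.cookie:theme`, which is the information an IAST needs to tell a developer that the cookie, and not some constant, built the query. With `taintKeys` off, only the values are tainted; the cookie and header names stay clean.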


github-actions bot commented Jun 12, 2023

Overall package size

Self size: 4.33 MB
Deduped: 60.69 MB
No deduping: 60.73 MB

Dependency sizes

name version self size total size
@datadog/pprof 2.2.1 14.24 MB 15.12 MB
@datadog/native-iast-taint-tracking 1.5.0 14.86 MB 14.86 MB
@datadog/native-appsec 3.2.0 13.38 MB 13.39 MB
protobufjs 7.1.2 2.76 MB 6.55 MB
@datadog/native-iast-rewriter 2.0.1 2.09 MB 2.1 MB
@opentelemetry/core 1.3.1 784.66 kB 1.37 MB
@datadog/native-metrics 2.0.0 898.77 kB 1.3 MB
@opentelemetry/api 1.4.1 780.32 kB 780.32 kB
opentracing 0.14.7 194.81 kB 194.81 kB
semver 7.3.8 88.2 kB 118.6 kB
@datadog/sketches-js 2.1.0 109.9 kB 109.9 kB
lodash.sortby 4.7.0 75.76 kB 75.76 kB
lru-cache 7.14.0 74.95 kB 74.95 kB
ipaddr.js 2.0.1 59.52 kB 59.52 kB
ignore 5.2.0 48.87 kB 48.87 kB
import-in-the-middle 1.3.5 34.34 kB 38.81 kB
istanbul-lib-coverage 3.2.0 29.34 kB 29.34 kB
retry 0.10.1 27.44 kB 27.44 kB
lodash.uniq 4.5.0 25.01 kB 25.01 kB
limiter 1.1.5 23.17 kB 23.17 kB
lodash.kebabcase 4.1.1 17.75 kB 17.75 kB
lodash.pick 4.4.0 16.33 kB 16.33 kB
node-abort-controller 3.0.1 14.33 kB 14.33 kB
crypto-randomuuid 1.0.0 11.18 kB 11.18 kB
diagnostics_channel 1.1.0 7.07 kB 7.07 kB
path-to-regexp 0.1.7 6.78 kB 6.78 kB
koalas 1.0.2 6.47 kB 6.47 kB
methods 1.1.2 5.29 kB 5.29 kB
module-details-from-path 1.0.3 4.47 kB 4.47 kB

🤖 This report was automatically generated by heaviest-objects-in-the-universe


codecov bot commented Jun 12, 2023

Codecov Report

Merging #3232 (5ead7ac) into master (f2e3022) will increase coverage by 1.24%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master    #3232      +/-   ##
==========================================
+ Coverage   84.74%   85.98%   +1.24%     
==========================================
  Files         197      191       -6     
  Lines        8075     7485     -590     
  Branches      133       33     -100     
==========================================
- Hits         6843     6436     -407     
+ Misses       1232     1049     -183     
Impacted Files Coverage Δ
...s/dd-trace/src/appsec/iast/taint-tracking/index.js 100.00% <ø> (ø)
...ace/src/appsec/iast/taint-tracking/origin-types.js 100.00% <ø> (ø)
packages/dd-trace/src/appsec/iast/index.js 100.00% <100.00%> (ø)
...trace/src/appsec/iast/taint-tracking/operations.js 98.41% <100.00%> (-1.59%) ⬇️
.../dd-trace/src/appsec/iast/taint-tracking/plugin.js 100.00% <100.00%> (ø)

... and 6 files with indirect coverage changes

@CarlesDD CarlesDD marked this pull request as ready for review June 13, 2023 07:04
@CarlesDD CarlesDD requested review from a team as code owners June 13, 2023 07:04

pr-commenter bot commented Jun 13, 2023

Benchmarks

Comparing candidate commit 5ead7ac in PR branch ccapell/taint-cookies-headers with baseline commit f2e3022 in branch master.

Found 1 performance improvements and 0 performance regressions! Performance is the same for 445 metrics, 26 unstable metrics.

scenario:plugin-graphql-with-depth-off-18

  • 🟩 max_rss_usage [-0.073MB; -0.067MB] or [-7.102%; -6.551%]

@CarlesDD CarlesDD force-pushed the ccapell/taint-cookies-headers branch from 1417800 to 6700768, June 13, 2023 09:01
iunanua previously approved these changes Jun 13, 2023
@CarlesDD CarlesDD force-pushed the ccapell/taint-cookies-headers branch from 10ca2be to e449b0a, June 14, 2023 13:26
@CarlesDD CarlesDD force-pushed the ccapell/taint-cookies-headers branch from c832de2 to 5ead7ac, June 15, 2023 07:08
@CarlesDD CarlesDD merged commit 19be37a into master Jun 15, 2023
nsavoire pushed a commit that referenced this pull request Jun 20, 2023
* Taint cookies and headers

* Bump minimum node version for v4 on cookie plugin test

* Add test with latest node version for cookie plugin test

* Provide iastContext from index when tainting headers

* Add test for cookie tainting in taint tracking plugin

* Remove iast transaction after taint tracking plugin tests to avoid hitting setMaxTransactions in tests

* Add test for taintObject with taintingKeys flag

* Address header tainting test for keys shorter than 10 chars

* Upgrade native-iast-taint-tracking to v1.5.0

* Rewrite expect in taint tracking plugin test

* Fix tag requiring in IAST index
nsavoire pushed a commit that referenced this pull request Jun 20, 2023
nsavoire pushed a commit that referenced this pull request Jun 21, 2023
tlhunter pushed a commit that referenced this pull request Jun 23, 2023
tlhunter pushed a commit that referenced this pull request Jun 23, 2023
tlhunter pushed a commit that referenced this pull request Jun 23, 2023
@tlhunter tlhunter deleted the ccapell/taint-cookies-headers branch January 19, 2024 22:18
3 participants