Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unvalidated redirect analyzer #3204

Merged
merged 3 commits into from
Jun 13, 2023
Merged

Unvalidated redirect analyzer #3204

merged 3 commits into from
Jun 13, 2023

Conversation

iunanua
Copy link
Contributor

@iunanua iunanua commented Jun 1, 2023

What does this PR do?

Includes a new analyzer to detect unvalidated redirects checking if a tainted value reaches Location header value.

Motivation

Plugin Checklist

Additional Notes

@github-actions
Copy link

github-actions bot commented Jun 1, 2023
edited
Loading

Overall package size

Self size: 4.31 MB
Deduped: 60.67 MB
No deduping: 60.71 MB

Dependency sizes

name version self size total size
@datadog/pprof 2.2.1 14.24 MB 15.12 MB
@datadog/native-iast-taint-tracking 1.4.1 14.85 MB 14.86 MB
@datadog/native-appsec 3.2.0 13.38 MB 13.39 MB
protobufjs 7.1.2 2.76 MB 6.55 MB
@datadog/native-iast-rewriter 2.0.1 2.09 MB 2.1 MB
@opentelemetry/core 1.3.1 784.66 kB 1.37 MB
@datadog/native-metrics 2.0.0 898.77 kB 1.3 MB
@opentelemetry/api 1.4.1 780.32 kB 780.32 kB
opentracing 0.14.7 194.81 kB 194.81 kB
semver 7.3.8 88.2 kB 118.6 kB
@datadog/sketches-js 2.1.0 109.9 kB 109.9 kB
lodash.sortby 4.7.0 75.76 kB 75.76 kB
lru-cache 7.14.0 74.95 kB 74.95 kB
ipaddr.js 2.0.1 59.52 kB 59.52 kB
ignore 5.2.0 48.87 kB 48.87 kB
import-in-the-middle 1.3.5 34.34 kB 38.81 kB
istanbul-lib-coverage 3.2.0 29.34 kB 29.34 kB
retry 0.10.1 27.44 kB 27.44 kB
lodash.uniq 4.5.0 25.01 kB 25.01 kB
limiter 1.1.5 23.17 kB 23.17 kB
lodash.kebabcase 4.1.1 17.75 kB 17.75 kB
lodash.pick 4.4.0 16.33 kB 16.33 kB
node-abort-controller 3.0.1 14.33 kB 14.33 kB
crypto-randomuuid 1.0.0 11.18 kB 11.18 kB
diagnostics_channel 1.1.0 7.07 kB 7.07 kB
path-to-regexp 0.1.7 6.78 kB 6.78 kB
koalas 1.0.2 6.47 kB 6.47 kB
methods 1.1.2 5.29 kB 5.29 kB
module-details-from-path 1.0.3 4.47 kB 4.47 kB

🤖 This report was automatically generated by heaviest-objects-in-the-universe

@codecov
Copy link

codecov bot commented Jun 1, 2023
edited
Loading

Codecov Report

Merging #3204 (262f786) into master (ad0736a) will increase coverage by 0.21%.
The diff coverage is 96.55%.

@@            Coverage Diff             @@
##           master    #3204      +/-   ##
==========================================
+ Coverage   85.85%   86.06%   +0.21%     
==========================================
  Files         189      190       +1     
  Lines        7416     7450      +34     
  Branches       33       33              
==========================================
+ Hits         6367     6412      +45     
+ Misses       1049     1038      -11
Impacted Files Coverage Δ
...es/dd-trace/src/appsec/iast/analyzers/analyzers.js 100.00% <ø> (ø)
...ace/src/appsec/iast/taint-tracking/origin-types.js 100.00% <ø> (ø)
...ckages/dd-trace/src/appsec/iast/vulnerabilities.js 100.00% <ø> (ø)
...ec/iast/analyzers/unvalidated-redirect-analyzer.js 94.11% <94.11%> (ø)
.../appsec/iast/analyzers/insecure-cookie-analyzer.js 100.00% <100.00%> (ø)
...rc/appsec/iast/analyzers/sql-injection-analyzer.js 80.00% <100.00%> (+0.51%) ⬆️
packages/dd-trace/src/appsec/iast/path-line.js 100.00% <100.00%> (ø)
...-formatter/evidence-redaction/sensitive-handler.js 100.00% <100.00%> (ø)

... and 5 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@pr-commenter
Copy link

pr-commenter bot commented Jun 1, 2023
edited
Loading

Benchmarks

Comparing candidate commit 262f786 in PR branch igor/unvalidated-redirect with baseline commit ad0736a in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 448 metrics, 24 unstable metrics.

@iunanua iunanua marked this pull request as ready for review June 1, 2023 10:26
@iunanua iunanua requested a review from a team as a code owner June 1, 2023 10:26
@iunanua iunanua requested review from uurien and CarlesDD June 5, 2023 15:27
@iunanua iunanua force-pushed the igor/unvalidated-redirect branch from 2fb3876 to 7ef5e13 Compare June 9, 2023 07:30
@iunanua iunanua merged commit 7b645b9 into master Jun 13, 2023
nsavoire pushed a commit that referenced this pull request Jun 20, 2023
@iunanua @nsavoire
Unvalidated redirect analyzer (#3204)
4f16ba4 
* Unvalidated redirect analyzer

* Ignore tainteds from Referer header
nsavoire pushed a commit that referenced this pull request Jun 20, 2023
@iunanua @nsavoire
Unvalidated redirect analyzer (#3204)
cc76408 
* Unvalidated redirect analyzer

* Ignore tainteds from Referer header
nsavoire pushed a commit that referenced this pull request Jun 21, 2023
@iunanua @nsavoire
Unvalidated redirect analyzer (#3204)
a7302a4 
* Unvalidated redirect analyzer

* Ignore tainteds from Referer header
This was referenced Jun 21, 2023
Merged
Merged
Merged
tlhunter pushed a commit that referenced this pull request Jun 23, 2023
@iunanua @tlhunter
Unvalidated redirect analyzer (#3204)
e68769f 
* Unvalidated redirect analyzer

* Ignore tainteds from Referer header
tlhunter pushed a commit that referenced this pull request Jun 23, 2023
@iunanua @tlhunter
Unvalidated redirect analyzer (#3204)
da0ea93 
* Unvalidated redirect analyzer

* Ignore tainteds from Referer header
tlhunter pushed a commit that referenced this pull request Jun 23, 2023
@iunanua @tlhunter
Unvalidated redirect analyzer (#3204)
224037e 
* Unvalidated redirect analyzer

* Ignore tainteds from Referer header
@iunanua iunanua deleted the igor/unvalidated-redirect branch December 19, 2023 08:29
@erikvanbrakel erikvanbrakel mentioned this pull request Jul 5, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@uurien uurien uurien approved these changes

@CarlesDD CarlesDD Awaiting requested review from CarlesDD

Assignees
No one assigned
Labels
asm-iast semver-minor
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@iunanua @uurien @CarlesDD