Support url.parse, url.URL.parse and new url.URL for IAST taint tracking

[uurien]

What does this PR do?

Add support to taint tracking string in iast when they are parsed URLs.

Motivation

Improve iast vulnerabilities detection, especially SSRF

Checklist

• Unit tests.

[github-actions]

Overall package size

Self size: 7.87 MB
Deduped: 64.89 MB
No deduping: 65.23 MB

Dependency sizes

| name | version | self size | total size | |------|---------|-----------|------------| | @datadog/native-appsec | 8.2.1 | 19.18 MB | 19.19 MB | | @datadog/native-iast-taint-tracking | 3.2.0 | 13.9 MB | 13.91 MB | | @datadog/pprof | 5.4.1 | 9.76 MB | 10.13 MB | | protobufjs | 7.2.5 | 2.77 MB | 5.16 MB | | @datadog/native-iast-rewriter | 2.5.0 | 2.51 MB | 2.65 MB | | @opentelemetry/core | 1.14.0 | 872.87 kB | 1.47 MB | | @datadog/native-metrics | 3.0.1 | 1.06 MB | 1.46 MB | | @opentelemetry/api | 1.8.0 | 1.21 MB | 1.21 MB | | import-in-the-middle | 1.11.2 | 112.74 kB | 826.22 kB | | msgpack-lite | 0.1.26 | 201.16 kB | 281.59 kB | | opentracing | 0.14.7 | 194.81 kB | 194.81 kB | | lru-cache | 7.18.3 | 133.92 kB | 133.92 kB | | pprof-format | 2.1.0 | 111.69 kB | 111.69 kB | | @datadog/sketches-js | 2.1.0 | 109.9 kB | 109.9 kB | | semver | 7.6.3 | 95.82 kB | 95.82 kB | | lodash.sortby | 4.7.0 | 75.76 kB | 75.76 kB | | ignore | 5.3.1 | 51.46 kB | 51.46 kB | | int64-buffer | 0.1.10 | 49.18 kB | 49.18 kB | | shell-quote | 1.8.1 | 44.96 kB | 44.96 kB | | istanbul-lib-coverage | 3.2.0 | 29.34 kB | 29.34 kB | | rfdc | 1.3.1 | 25.21 kB | 25.21 kB | | tlhunter-sorted-set | 0.1.0 | 24.94 kB | 24.94 kB | | limiter | 1.1.5 | 23.17 kB | 23.17 kB | | dc-polyfill | 0.1.4 | 23.1 kB | 23.1 kB | | retry | 0.13.1 | 18.85 kB | 18.85 kB | | jest-docblock | 29.7.0 | 8.99 kB | 12.76 kB | | crypto-randomuuid | 1.0.0 | 11.18 kB | 11.18 kB | | koalas | 1.0.2 | 6.47 kB | 6.47 kB | | path-to-regexp | 0.1.10 | 6.38 kB | 6.38 kB | | module-details-from-path | 1.0.3 | 4.47 kB | 4.47 kB |

_{🤖 This report was automatically generated by heaviest-objects-in-the-universe}

[pr-commenter]

Benchmarks

Benchmark execution time: 2024-10-31 09:55:34

Comparing candidate commit 70cb896 in PR branch ugaitz/iast-support-url-parse with baseline commit 1c0958e in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 258 metrics, 8 unstable metrics.

[simon-id]

I put the same comment in Ilyas' PR but why using arguments[x] instead of just named arguments ?

[uurien]

I think that I am using it because I am already using arguments to call to apply(this, arguments) or super(...arguments). But yes, it is cleaner if I use input and base variables.

[juan-fernandez]

will parseFinishedChannel have listeners if IAST is not enabled? I'm trying to think whether the url instrumentation should be enabled in Test Visibility or not

[uurien]

will parseFinishedChannel have listeners if IAST is not enabled?

I don't think so, I dunno in the future, but for now it is going to be used only to be able to track the string when it converted to URL object. It doesn't look like an object that tracer will want to track.

[CarlesDD]

Note that the following case will not be correctly tainted:

const { URL } = require('url')
const baseURL = URL.parse(req.body.url)
const url = URL.parse('/path', baseURL)

This could be addressed in a future PR

[CarlesDD]

If host name of input contains Unicode characters, range's parameterValue of tainted value will be the ASCII converted value, not the original one.

http://exаmple.com/ will be converted to xn--exmple-4nf.com. The latter is the value reported as valuePart in the evidence of a potential detected vulnerability.