Extended iast location fields (#5171)

* Extend iast location fields

* improve iast test to check if frame have location

* check that location do not have column

* Exlude test without location

* use official msgpack

* Fix linter

* send class and function from original location

* fix test

Author: IlyasShabi

packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -75,11 +75,17 @@ class Analyzer extends SinkIastPlugin {
     if (locationFromSourceMap?.path) {
       originalLocation.path = locationFromSourceMap.path
     }
+
     if (locationFromSourceMap?.line) {
       originalLocation.line = locationFromSourceMap.line
     }
-    if (locationFromSourceMap?.column) {
-      originalLocation.column = locationFromSourceMap.column
+
+    if (location?.class_name) {
+      originalLocation.class = location.class_name
+    }
+
+    if (location?.function) {
+      originalLocation.method = location.function
     }
 
     return originalLocation

packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/index.js

@@ -81,21 +81,16 @@ class VulnerabilityFormatter {
   }
 
   formatVulnerability (vulnerability, sourcesIndexes, sources) {
+    const { type, hash, stackId, evidence, location } = vulnerability
+
     const formattedVulnerability = {
-      type: vulnerability.type,
-      hash: vulnerability.hash,
-      stackId: vulnerability.stackId,
-      evidence: this.formatEvidence(vulnerability.type, vulnerability.evidence, sourcesIndexes, sources),
-      location: {
-        spanId: vulnerability.location.spanId
-      }
-    }
-    if (vulnerability.location.path) {
-      formattedVulnerability.location.path = vulnerability.location.path
-    }
-    if (vulnerability.location.line) {
-      formattedVulnerability.location.line = vulnerability.location.line
+      type,
+      hash,
+      stackId,
+      evidence: this.formatEvidence(type, evidence, sourcesIndexes, sources),
+      location
     }
+
     return formattedVulnerability
   }
 

packages/dd-trace/src/appsec/iast/vulnerability-reporter.js

@@ -131,6 +131,7 @@ function replaceCallSiteFromSourceMap (callsite) {
     if (line) {
       callsite.line = line
     }
+    // We send the column in the stack trace but not in the vulnerability location
     if (column) {
       callsite.column = column
     }

packages/dd-trace/test/appsec/iast/analyzers/hsts-header-missing-analyzer.spec.js

@@ -27,23 +27,23 @@ describe('hsts header missing analyzer', () => {
       }, HSTS_HEADER_MISSING, 1, function (vulnerabilities) {
         expect(vulnerabilities[0].evidence).to.be.undefined
         expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('HSTS_HEADER_MISSING:mocha'))
-      }, makeRequestWithXFordwardedProtoHeader)
+      }, makeRequestWithXFordwardedProtoHeader, undefined, false)
 
       testThatRequestHasVulnerability((req, res) => {
         res.setHeader('content-type', 'text/html;charset=utf-8')
         res.end('<html><body><h1>Test</h1></body></html>')
       }, HSTS_HEADER_MISSING, 1, function (vulnerabilities) {
         expect(vulnerabilities[0].evidence).to.be.undefined
         expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('HSTS_HEADER_MISSING:mocha'))
-      }, makeRequestWithXFordwardedProtoHeader)
+      }, makeRequestWithXFordwardedProtoHeader, undefined, false)
 
       testThatRequestHasVulnerability((req, res) => {
         res.setHeader('content-type', 'application/xhtml+xml')
         res.end('<html><body><h1>Test</h1></body></html>')
       }, HSTS_HEADER_MISSING, 1, function (vulnerabilities) {
         expect(vulnerabilities[0].evidence).to.be.undefined
         expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('HSTS_HEADER_MISSING:mocha'))
-      }, makeRequestWithXFordwardedProtoHeader)
+      }, makeRequestWithXFordwardedProtoHeader, undefined, false)
 
       testThatRequestHasVulnerability((req, res) => {
         res.setHeader('content-type', 'text/html')
@@ -52,7 +52,7 @@ describe('hsts header missing analyzer', () => {
       }, HSTS_HEADER_MISSING, 1, function (vulnerabilities) {
         expect(vulnerabilities[0].evidence.value).to.be.equal('max-age=-100')
         expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('HSTS_HEADER_MISSING:mocha'))
-      }, makeRequestWithXFordwardedProtoHeader)
+      }, makeRequestWithXFordwardedProtoHeader, undefined, false)
 
       testThatRequestHasVulnerability((req, res) => {
         res.setHeader('content-type', 'text/html')
@@ -61,7 +61,7 @@ describe('hsts header missing analyzer', () => {
       }, HSTS_HEADER_MISSING, 1, function (vulnerabilities) {
         expect(vulnerabilities[0].evidence.value).to.be.equal('max-age=-100; includeSubDomains')
         expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('HSTS_HEADER_MISSING:mocha'))
-      }, makeRequestWithXFordwardedProtoHeader)
+      }, makeRequestWithXFordwardedProtoHeader, undefined, false)
 
       testThatRequestHasVulnerability((req, res) => {
         res.setHeader('content-type', 'text/html')
@@ -70,7 +70,7 @@ describe('hsts header missing analyzer', () => {
       }, HSTS_HEADER_MISSING, 1, function (vulnerabilities) {
         expect(vulnerabilities[0].evidence.value).to.be.equal('invalid')
         expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('HSTS_HEADER_MISSING:mocha'))
-      }, makeRequestWithXFordwardedProtoHeader)
+      }, makeRequestWithXFordwardedProtoHeader, undefined, false)
 
       testThatRequestHasVulnerability((req, res) => {
         res.setHeader('content-type', ['text/html'])
@@ -79,7 +79,7 @@ describe('hsts header missing analyzer', () => {
       }, HSTS_HEADER_MISSING, 1, function (vulnerabilities) {
         expect(vulnerabilities[0].evidence.value).to.be.equal('invalid')
         expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('HSTS_HEADER_MISSING:mocha'))
-      }, makeRequestWithXFordwardedProtoHeader)
+      }, makeRequestWithXFordwardedProtoHeader, undefined, false)
 
       testThatRequestHasVulnerability((req, res) => {
         res.setHeader('content-type', ['text/html'])
@@ -88,7 +88,7 @@ describe('hsts header missing analyzer', () => {
       }, HSTS_HEADER_MISSING, 1, function (vulnerabilities) {
         expect(vulnerabilities[0].evidence).to.be.undefined
         expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('HSTS_HEADER_MISSING:mocha'))
-      }, makeRequestWithXFordwardedProtoHeader)
+      }, makeRequestWithXFordwardedProtoHeader, undefined, false)
 
       testThatRequestHasVulnerability((req, res) => {
         res.setHeader('content-type', ['text/html'])
@@ -97,7 +97,7 @@ describe('hsts header missing analyzer', () => {
       }, HSTS_HEADER_MISSING, 1, function (vulnerabilities) {
         expect(vulnerabilities[0].evidence.value).to.be.equal(JSON.stringify(['invalid1', 'invalid2']))
         expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('HSTS_HEADER_MISSING:mocha'))
-      }, makeRequestWithXFordwardedProtoHeader)
+      }, makeRequestWithXFordwardedProtoHeader, undefined, false)
 
       testThatRequestHasNoVulnerability((req, res) => {
         res.setHeader('content-type', 'application/json')

packages/dd-trace/test/appsec/iast/analyzers/vulnerability-analyzer.spec.js

@@ -6,7 +6,9 @@ const proxyquire = require('proxyquire')
 describe('vulnerability-analyzer', () => {
   const VULNERABLE_VALUE = 'VULNERABLE_VALUE'
   const VULNERABILITY = 'VULNERABILITY'
-  const VULNERABILITY_LOCATION_FROM_SOURCEMAP = { path: 'VULNERABILITY_LOCATION_FROM_SOURCEMAP', line: 42, column: 21 }
+  const VULNERABILITY_LOCATION_FROM_SOURCEMAP = {
+    path: 'VULNERABILITY_LOCATION_FROM_SOURCEMAP', line: 42, method: 'callFn'
+  }
   const ANALYZER_TYPE = 'TEST_ANALYZER'
   const SPAN_ID = '123456'
 

packages/dd-trace/test/appsec/iast/analyzers/xcontenttype-header-missing-analyzer.spec.js

@@ -18,23 +18,23 @@ describe('xcontenttype header missing analyzer', () => {
       }, XCONTENTTYPE_HEADER_MISSING, 1, function (vulnerabilities) {
         expect(vulnerabilities[0].evidence).to.be.undefined
         expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('XCONTENTTYPE_HEADER_MISSING:mocha'))
-      })
+      }, undefined, undefined, false)
 
       testThatRequestHasVulnerability((req, res) => {
         res.setHeader('content-type', 'text/html;charset=utf-8')
         res.end('<html><body><h1>Test</h1></body></html>')
       }, XCONTENTTYPE_HEADER_MISSING, 1, function (vulnerabilities) {
         expect(vulnerabilities[0].evidence).to.be.undefined
         expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('XCONTENTTYPE_HEADER_MISSING:mocha'))
-      })
+      }, undefined, undefined, false)
 
       testThatRequestHasVulnerability((req, res) => {
         res.setHeader('content-type', 'application/xhtml+xml')
         res.end('<html><body><h1>Test</h1></body></html>')
       }, XCONTENTTYPE_HEADER_MISSING, 1, function (vulnerabilities) {
         expect(vulnerabilities[0].evidence).to.be.undefined
         expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('XCONTENTTYPE_HEADER_MISSING:mocha'))
-      })
+      }, undefined, undefined, false)
 
       testThatRequestHasVulnerability((req, res) => {
         res.setHeader('content-type', 'text/html')
@@ -43,7 +43,7 @@ describe('xcontenttype header missing analyzer', () => {
       }, XCONTENTTYPE_HEADER_MISSING, 1, function (vulnerabilities) {
         expect(vulnerabilities[0].evidence.value).to.be.equal('whatever')
         expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('XCONTENTTYPE_HEADER_MISSING:mocha'))
-      })
+      }, undefined, undefined, false)
 
       testThatRequestHasVulnerability((req, res) => {
         res.setHeader('content-type', ['text/html'])
@@ -52,7 +52,7 @@ describe('xcontenttype header missing analyzer', () => {
       }, XCONTENTTYPE_HEADER_MISSING, 1, function (vulnerabilities) {
         expect(vulnerabilities[0].evidence.value).to.be.equal('whatever')
         expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('XCONTENTTYPE_HEADER_MISSING:mocha'))
-      })
+      }, undefined, undefined, false)
 
       testThatRequestHasNoVulnerability((req, res) => {
         res.setHeader('content-type', 'application/json')

packages/dd-trace/test/appsec/iast/taint-tracking/sources/sql_row.sequelize.plugin.spec.js

@@ -39,7 +39,7 @@ describe('db sources with sequelize', () => {
 
           res.end('OK')
         }, 'SQL_INJECTION', { occurrences: 1 }, null, null,
-        'Should have SQL_INJECTION using the first row of the result')
+        'Should have SQL_INJECTION using the first row of the result', false)
 
         testThatRequestHasNoVulnerability(async (req, res) => {
           const result = await sequelize.query('SELECT * from examples')
@@ -82,7 +82,7 @@ describe('db sources with sequelize', () => {
 
           res.end('OK')
         }, 'SQL_INJECTION', { occurrences: 1 }, null, null,
-        'Should have SQL_INJECTION using the first row of the result')
+        'Should have SQL_INJECTION using the first row of the result', false)
 
         testThatRequestHasNoVulnerability(async (req, res) => {
           const examples = await Example.findAll()

packages/dd-trace/test/appsec/iast/utils.js

@@ -4,6 +4,7 @@ const fs = require('fs')
 const os = require('os')
 const path = require('path')
 const { assert } = require('chai')
+const msgpack = require('@msgpack/msgpack')
 
 const agent = require('../../plugins/agent')
 const axios = require('axios')
@@ -152,7 +153,15 @@ function checkNoVulnerabilityInRequest (vulnerability, config, done, makeRequest
   }
 }
 
-function checkVulnerabilityInRequest (vulnerability, occurrencesAndLocation, cb, makeRequest, config, done) {
+function checkVulnerabilityInRequest (
+  vulnerability,
+  occurrencesAndLocation,
+  cb,
+  makeRequest,
+  config,
+  done,
+  matchLocation
+) {
   let location
   let occurrences = occurrencesAndLocation
   if (occurrencesAndLocation !== null && typeof occurrencesAndLocation === 'object') {
@@ -199,6 +208,12 @@ function checkVulnerabilityInRequest (vulnerability, occurrencesAndLocation, cb,
         }
       }
 
+      if (matchLocation) {
+        const matchFound = locationHasMatchingFrame(span, vulnerability, vulnerabilitiesTrace.vulnerabilities)
+
+        assert.isTrue(matchFound)
+      }
+
       if (cb) {
         cb(vulnerabilitiesTrace.vulnerabilities.filter(v => v.type === vulnerability))
       }
@@ -254,11 +269,19 @@ function prepareTestServerForIast (description, tests, iastConfig) {
       return agent.close({ ritmReset: false })
     })
 
-    function testThatRequestHasVulnerability (fn, vulnerability, occurrences, cb, makeRequest, description) {
+    function testThatRequestHasVulnerability (
+      fn,
+      vulnerability,
+      occurrences,
+      cb,
+      makeRequest,
+      description,
+      matchLocation = true
+    ) {
       it(description || `should have ${vulnerability} vulnerability`, function (done) {
         this.timeout(5000)
         app = fn
-        checkVulnerabilityInRequest(vulnerability, occurrences, cb, makeRequest, config, done)
+        checkVulnerabilityInRequest(vulnerability, occurrences, cb, makeRequest, config, done, matchLocation)
       })
     }
 
@@ -373,6 +396,29 @@ function prepareTestServerForIastInExpress (description, expressVersion, loadMid
   })
 }
 
+function locationHasMatchingFrame (span, vulnerabilityType, vulnerabilities) {
+  const stack = msgpack.decode(span.meta_struct['_dd.stack'])
+  const matchingVulns = vulnerabilities.filter(vulnerability => vulnerability.type === vulnerabilityType)
+
+  for (const vulnerability of stack.vulnerability) {
+    for (const frame of vulnerability.frames) {
+      for (const { location } of matchingVulns) {
+        if (
+          frame.line === location.line &&
+          frame.class_name === location.class &&
+          frame.function === location.method &&
+          frame.path === location.path &&
+          !location.hasOwnProperty('column')
+        ) {
+          return true
+        }
+      }
+    }
+  }
+
+  return false
+}
+
 module.exports = {
   testOutsideRequestHasVulnerability,
   testInRequest,

packages/dd-trace/test/appsec/iast/vulnerability-formatter/index.spec.js

@@ -93,21 +93,37 @@ describe('Vulnerability formatter', () => {
   })
 
   describe('toJson', () => {
-    it('should filter out column property from location', () => {
+    it('should format vulnerability correctly', () => {
       const vulnerabilities = [{
         type: 'test-vulnerability',
+        hash: 123456,
+        stackId: 1,
         evidence: {
           value: 'payload'
         },
         location: {
           path: 'path',
-          line: 42,
-          column: 3
+          line: 42
         }
       }]
 
-      const json = vulnerabilityFormatter.toJson(vulnerabilities)
-      expect(json.vulnerabilities[0].location.column).to.be.undefined
+      const result = vulnerabilityFormatter.toJson(vulnerabilities)
+
+      expect(result).to.deep.equal({
+        sources: [],
+        vulnerabilities: [{
+          type: 'test-vulnerability',
+          hash: 123456,
+          stackId: 1,
+          evidence: {
+            value: 'payload'
+          },
+          location: {
+            path: 'path',
+            line: 42
+          }
+        }]
+      })
     })
   })