support fastify iast

Author: IlyasShabi

packages/datadog-instrumentations/src/http/server.js

@@ -112,6 +112,14 @@ function wrapWriteHead (writeHead) {
     // this doesn't support explicit duplicate headers, but it's an edge case
     const responseHeaders = Object.assign(this.getHeaders(), obj)
 
+    // Publish all headers from writeHead to ensure frameworks like Fastify 
+    // that bypass setHeader() are still captured for analysis
+    if (finishSetHeaderCh.hasSubscribers) {
+      for (const [name, value] of Object.entries(responseHeaders)) {
+        finishSetHeaderCh.publish({ name, value, res: this })
+      }
+    }
+
     startWriteHeadCh.publish({
       req: this.req,
       res: this,

packages/dd-trace/src/appsec/iast/analyzers/cookie-analyzer.js

@@ -3,7 +3,12 @@
 const Analyzer = require('./vulnerability-analyzer')
 const { getNodeModulesPaths } = require('../path-line')
 
-const EXCLUDED_PATHS = getNodeModulesPaths('express/lib/response.js')
+const EXCLUDED_PATHS = [
+  getNodeModulesPaths('express/lib/response.js'),
+  getNodeModulesPaths('fastify/lib/reply.js'),
+  getNodeModulesPaths('fastify/lib/hooks.js'),
+  getNodeModulesPaths('@fastify/cookie/plugin.js'),
+]
 
 class CookieAnalyzer extends Analyzer {
   constructor (type, propertyToBeSafe) {

packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -39,6 +39,13 @@ class Analyzer extends SinkIastPlugin {
 
     const location = this._getLocation(value, nonDDCallSiteFrames)
 
+    if (this._type === "INSECURE_COOKIE") {
+      console.log('======>>> callSiteFrames ', callSiteFrames)
+      console.log('======>>> nonDDCallSiteFrames ', nonDDCallSiteFrames)
+      console.log('======>>> location ', location)
+    }
+
+
     if (!this._isExcluded(location)) {
       const originalLocation = this._getOriginalLocation(location)
       const spanId = context?.rootSpan?.context().toSpanId()

packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js

@@ -38,6 +38,25 @@ class TaintTrackingPlugin extends SourceIastPlugin {
   }
 
   onConfigure () {
+    this.addBodyParsingSubscriptions()
+
+    this.addQueryParameterSubscriptions()
+
+    this.addCookieSubscriptions()
+
+    this.addDatabaseSubscriptions()
+
+    this.addPathParameterSubscriptions()
+
+    this.addGraphQLSubscriptions()
+
+    this.addURLParsingSubscriptions()
+
+    // this is a special case to increment INSTRUMENTED_SOURCE metric for header
+    this.addInstrumentedSource('http', [HTTP_REQUEST_HEADER_VALUE, HTTP_REQUEST_HEADER_NAME])
+  }
+
+  addBodyParsingSubscriptions () {
     const onRequestBody = ({ req }) => {
       const iastContext = getIastContext(storage('legacy').getStore())
       if (iastContext && iastContext.body !== req.body) {
@@ -57,17 +76,14 @@ class TaintTrackingPlugin extends SourceIastPlugin {
     )
 
     this.addSub(
-      { channelName: 'datadog:query:read:finish', tag: HTTP_REQUEST_PARAMETER },
-      ({ query }) => this._taintTrackingHandler(HTTP_REQUEST_PARAMETER, query)
-    )
-
-    this.addSub(
-      { channelName: 'datadog:express:query:finish', tag: HTTP_REQUEST_PARAMETER },
-      ({ query }) => {
+      { channelName: 'datadog:fastify:body-parser:finish', tag: HTTP_REQUEST_BODY },
+      ({ req, body }) => {
         const iastContext = getIastContext(storage('legacy').getStore())
-        if (!iastContext || !query) return
-
-        taintQueryWithCache(iastContext, query)
+        if (iastContext && iastContext.body !== body) {
+          req.body = body
+          this._taintTrackingHandler(HTTP_REQUEST_BODY, req, 'body', iastContext)
+          iastContext.body = body
+        }
       }
     )
 
@@ -83,12 +99,45 @@ class TaintTrackingPlugin extends SourceIastPlugin {
         }
       }
     )
+  }
 
+  addQueryParameterSubscriptions () {
+    this.addSub(
+      { channelName: 'datadog:query:read:finish', tag: HTTP_REQUEST_PARAMETER },
+      ({ query }) => this._taintTrackingHandler(HTTP_REQUEST_PARAMETER, query)
+    )
+
+    this.addSub(
+      { channelName: 'datadog:fastify:query-params:finish', tag: HTTP_REQUEST_PARAMETER },
+      ({ query }) => {
+        this._taintTrackingHandler(HTTP_REQUEST_PARAMETER, query)
+      }
+    )
+
+    this.addSub(
+      { channelName: 'datadog:express:query:finish', tag: HTTP_REQUEST_PARAMETER },
+      ({ query }) => {
+        const iastContext = getIastContext(storage('legacy').getStore())
+        if (!iastContext || !query) return
+
+        taintQueryWithCache(iastContext, query)
+      }
+    )
+  }
+
+  addCookieSubscriptions () {
     this.addSub(
       { channelName: 'datadog:cookie:parse:finish', tag: [HTTP_REQUEST_COOKIE_VALUE, HTTP_REQUEST_COOKIE_NAME] },
       ({ cookies }) => this._cookiesTaintTrackingHandler(cookies)
     )
 
+    this.addSub(
+      { channelName: 'datadog:fastify-cookie:read:finish', tag: [HTTP_REQUEST_COOKIE_VALUE, HTTP_REQUEST_COOKIE_NAME] },
+      ({ cookies }) => this._cookiesTaintTrackingHandler(cookies)
+    )
+  }
+
+  addDatabaseSubscriptions () {
     this.addSub(
       { channelName: 'datadog:sequelize:query:finish', tag: SQL_ROW_VALUE },
       ({ result }) => this._taintDatabaseResult(result, 'sequelize')
@@ -98,25 +147,32 @@ class TaintTrackingPlugin extends SourceIastPlugin {
       { channelName: 'apm:pg:query:finish', tag: SQL_ROW_VALUE },
       ({ result }) => this._taintDatabaseResult(result, 'pg')
     )
+  }
+
+  addPathParameterSubscriptions () {
+    const pathParamHandler = ({ req }) => {
+      if (req && req.params !== null && typeof req.params === 'object') {
+        this._taintTrackingHandler(HTTP_REQUEST_PATH_PARAM, req, 'params')
+      }
+    }
 
     this.addSub(
       { channelName: 'datadog:express:process_params:start', tag: HTTP_REQUEST_PATH_PARAM },
-      ({ req }) => {
-        if (req && req.params !== null && typeof req.params === 'object') {
-          this._taintTrackingHandler(HTTP_REQUEST_PATH_PARAM, req, 'params')
-        }
-      }
+      pathParamHandler
+    )
+
+    this.addSub(
+      { channelName: 'datadog:fastify:path-params:finish', tag: HTTP_REQUEST_PATH_PARAM },
+      pathParamHandler
     )
 
     this.addSub(
       { channelName: 'datadog:router:param:start', tag: HTTP_REQUEST_PATH_PARAM },
-      ({ req }) => {
-        if (req && req.params !== null && typeof req.params === 'object') {
-          this._taintTrackingHandler(HTTP_REQUEST_PATH_PARAM, req, 'params')
-        }
-      }
+      pathParamHandler
     )
+  }
 
+  addGraphQLSubscriptions () {
     this.addSub(
       { channelName: 'apm:graphql:resolve:start', tag: HTTP_REQUEST_BODY },
       (data) => {
@@ -128,7 +184,9 @@ class TaintTrackingPlugin extends SourceIastPlugin {
         }
       }
     )
+  }
 
+  addURLParsingSubscriptions () {
     const urlResultTaintedProperties = ['host', 'origin', 'hostname']
     this.addSub(
       { channelName: 'datadog:url:parse:finish' },
@@ -162,9 +220,6 @@ class TaintTrackingPlugin extends SourceIastPlugin {
         context.result =
           newTaintedString(iastContext, context.result, origRange.iinfo.parameterName, origRange.iinfo.type)
       })
-
-    // this is a special case to increment INSTRUMENTED_SOURCE metric for header
-    this.addInstrumentedSource('http', [HTTP_REQUEST_HEADER_VALUE, HTTP_REQUEST_HEADER_NAME])
   }
 
   _taintTrackingHandler (type, target, property, iastContext = getIastContext(storage('legacy').getStore())) {

packages/dd-trace/test/appsec/iast/taint-tracking/plugin.fastify.plugin.spec.js

@@ -0,0 +1,178 @@
+'use strict'
+
+const { prepareTestServerForIastInFastify } = require('../utils')
+const axios = require('axios')
+const { URL } = require('url')
+
+function noop () {}
+
+describe('Taint tracking plugin sources fastify tests', () => {
+  withVersions('fastify', 'fastify', '>=2', version => {
+    prepareTestServerForIastInFastify('in fastify', version,
+      (testThatRequestHasVulnerability, _, config) => {
+        describe.skip('tainted body', () => {
+          function makePostRequest (done) {
+            axios.post(`http://localhost:${config.port}/`, {
+              command: 'echo 1'
+            }).catch(done)
+          }
+
+          testThatRequestHasVulnerability((req) => {
+            const childProcess = require('child_process')
+            childProcess.exec(req.body.command, noop)
+          }, 'COMMAND_INJECTION', 1, noop, makePostRequest)
+        })
+
+        describe.skip('tainted query param', () => {
+          function makeRequestWithQueryParam (done) {
+            axios.get(`http://localhost:${config.port}/?command=echo`).catch(done)
+          }
+
+          testThatRequestHasVulnerability((req) => {
+            const childProcess = require('child_process')
+            childProcess.exec(req.query.command, noop)
+          }, 'COMMAND_INJECTION', 1, noop, makeRequestWithQueryParam)
+        })
+
+        describe.skip('tainted header', () => {
+          function makeRequestWithHeader (done) {
+            axios.get(`http://localhost:${config.port}/`, {
+              headers: {
+                'x-iast-test-command': 'echo 1'
+              }
+            }).catch(done)
+          }
+
+          testThatRequestHasVulnerability((req) => {
+            const childProcess = require('child_process')
+            childProcess.exec(req.headers['x-iast-test-command'], noop)
+          }, 'COMMAND_INJECTION', 1, noop, makeRequestWithHeader)
+        })
+
+        describe.skip('url parse taint tracking', () => {
+          function makePostRequest (done) {
+            axios.post(`http://localhost:${config.port}/`, {
+              url: 'http://www.datadoghq.com/'
+            }).catch(done)
+          }
+
+          testThatRequestHasVulnerability(
+            {
+              fn: (req) => {
+                // eslint-disable-next-line n/no-deprecated-api
+                const { parse } = require('url')
+                const url = parse(req.body.url)
+
+                const childProcess = require('child_process')
+                childProcess.exec(url.host, noop)
+              },
+              vulnerability: 'COMMAND_INJECTION',
+              occurrences: 1,
+              cb: noop,
+              makeRequest: makePostRequest,
+              testDescription: 'should detect vulnerability when tainted is coming from url.parse'
+            })
+
+          testThatRequestHasVulnerability(
+            {
+              fn: (req) => {
+                const { URL } = require('url')
+                const url = new URL(req.body.url)
+
+                const childProcess = require('child_process')
+                childProcess.exec(url.host, noop)
+              },
+              vulnerability: 'COMMAND_INJECTION',
+              occurrences: 1,
+              cb: noop,
+              makeRequest: makePostRequest,
+              testDescription: 'should detect vulnerability when tainted is coming from new url.URL input'
+            })
+
+          testThatRequestHasVulnerability(
+            {
+              fn: (req) => {
+                const { URL } = require('url')
+                const url = new URL('/path', req.body.url)
+
+                const childProcess = require('child_process')
+                childProcess.exec(url.host, noop)
+              },
+              vulnerability: 'COMMAND_INJECTION',
+              occurrences: 1,
+              cb: noop,
+              makeRequest: makePostRequest,
+              testDescription: 'should detect vulnerability when tainted is coming from new url.URL base'
+            })
+
+          if (URL.parse) {
+            testThatRequestHasVulnerability(
+              {
+                fn: (req) => {
+                  const { URL } = require('url')
+                  const url = URL.parse(req.body.url)
+                  const childProcess = require('child_process')
+                  childProcess.exec(url.host, noop)
+                },
+                vulnerability: 'COMMAND_INJECTION',
+                occurrences: 1,
+                cb: noop,
+                makeRequest: makePostRequest,
+                testDescription: 'should detect vulnerability when tainted is coming from url.URL.parse input'
+              })
+
+            testThatRequestHasVulnerability(
+              {
+                fn: (req) => {
+                  const { URL } = require('url')
+                  const url = URL.parse('/path', req.body.url)
+                  const childProcess = require('child_process')
+                  childProcess.exec(url.host, noop)
+                },
+                vulnerability: 'COMMAND_INJECTION',
+                occurrences: 1,
+                cb: noop,
+                makeRequest: makePostRequest,
+                testDescription: 'should detect vulnerability when tainted is coming from url.URL.parse base'
+              })
+          }
+        })
+
+        describe.skip('tainted path parameters', () => {
+          function makeRequestWithPathParam (done) {
+            // Note: This would require setting up a parameterized route in Fastify
+            // For now, using query params as a substitute since the test setup is generic
+            axios.get(`http://localhost:${config.port}/?id=malicious-path`).catch(done)
+          }
+
+          testThatRequestHasVulnerability((req) => {
+            const childProcess = require('child_process')
+            // Simulating path parameter access through query for test purposes
+            childProcess.exec(req.query.id, noop)
+          }, 'COMMAND_INJECTION', 1, noop, makeRequestWithPathParam)
+        })
+
+        // NO
+        // describe.skip('tainted cookies', () => {
+        //   function makeRequestWithCookie (done) {
+        //     axios.get(`http://localhost:${config.port}/`, {
+        //       headers: {
+        //         Cookie: 'command=echo cookie-injection'
+        //       }
+        //     }).catch(done)
+        //   }
+
+        //   testThatRequestHasVulnerability((req) => {
+        //     const childProcess = require('child_process')
+        //     // Access cookie through raw request since Fastify cookie parsing may vary
+        //     const cookieHeader = req.headers.cookie
+        //     if (cookieHeader) {
+        //       const command = cookieHeader.split('=')[1]
+        //       childProcess.exec(command, noop)
+        //     }
+        //   }, 'COMMAND_INJECTION', 1, noop, makeRequestWithCookie)
+        // })
+      }
+    )
+  })
+})