
Ignore header vulnerabilities in cors headers (#3962)

---------

Co-authored-by: Igor Unanua <igor.unanua@datadoghq.com>
uurien and iunanua authored Jan 15, 2024
1 parent a0abbbc commit e678f30
Showing 2 changed files with 34 additions and 3 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ class HeaderInjectionAnalyzer extends InjectionAnalyzer {
if (ranges?.length > 0) {
return !(this.isCookieExclusion(lowerCasedHeaderName, ranges) ||
this.isSameHeaderExclusion(lowerCasedHeaderName, ranges) ||
this.isAccessControlAllowOriginExclusion(lowerCasedHeaderName, ranges))
this.isAccessControlAllowExclusion(lowerCasedHeaderName, ranges))
}

return false
Expand Down Expand Up @@ -84,8 +84,8 @@ class HeaderInjectionAnalyzer extends InjectionAnalyzer {
return false
}

isAccessControlAllowOriginExclusion (name, ranges) {
if (name === 'access-control-allow-origin') {
isAccessControlAllowExclusion (name, ranges) {
if (name?.startsWith('access-control-allow-')) {
return ranges
.every(range => range.iinfo.type === HTTP_REQUEST_HEADER_VALUE)
}
Expand Down
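Review bot: The prefix test at `if (name?.startsWith('access-control-allow-'))` now silences header-injection findings for every `Access-Control-Allow-*` response header, including `Access-Control-Allow-Credentials`, and nothing in the method records why echoing a request header value into those headers is treated as safe. I would state the rationale above the `every` call, e.g. `// Echoing request header values into Access-Control-Allow-* is the usual CORS preflight pattern; a request header value has already passed the HTTP parser, so it is presumably CRLF-free — TODO confirm this is the intended reason for the exclusion`. The exclusion still applies only when every tainted range is HTTP_REQUEST_HEADER_VALUE, so a CORS header assembled from a query parameter or body field should still be reported; that boundary deserves a sentence in the same comment. The method whose body the first hunk edits (the `ranges?.length > 0` branch) starts before the hunk, and `isAccessControlAllowExclusion` continues past the `}` on the second hunk's last line.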
Original file line number Diff line number Diff line change
Expand Up @@ -239,6 +239,37 @@ describe('Header injection vulnerability', () => {
}).catch(done)
}
})

testThatRequestHasNoVulnerability({
fn: (req, res) => {
setHeaderFunction('Access-Control-Allow-Origin', req.headers['origin'], res)
setHeaderFunction('Access-Control-Allow-Headers', req.headers['access-control-request-headers'], res)
setHeaderFunction('Access-Control-Allow-Methods', req.headers['access-control-request-methods'], res)
},
testDescription: 'Should not have vulnerability with CORS headers',
vulnerability: 'HEADER_INJECTION',
occurrencesAndLocation: {
occurrences: 1,
location: {
path: setHeaderFunctionFilename,
line: 4
}
},
cb: (headerInjectionVulnerabilities) => {
const evidenceString = headerInjectionVulnerabilities[0].evidence.valueParts
.map(part => part.value).join('')
expect(evidenceString).to.be.equal('custom: value')
},
makeRequest: (done, config) => {
return axios.options(`http://localhost:${config.port}/`, {
headers: {
'origin': 'http://custom-origin',
'Access-Control-Request-Headers': 'TestHeader',
'Access-Control-Request-Methods': 'GET'
}
}).catch(done)
}
})
})
})
})
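Review bot: The header read at `req.headers['access-control-request-methods']` and sent as `'Access-Control-Request-Methods'` is not the CORS preflight header; browsers send `Access-Control-Request-Method` (singular), so the fixture only works because both sides use the same invented name, and I would rename both to `Access-Control-Request-Method` so the test reflects a real preflight. The case also covers only the happy path: every CORS header value comes from a request header, so the `every(... HTTP_REQUEST_HEADER_VALUE)` condition in the analyzer is never exercised with a non-header or mixed source, and a regression that dropped that condition would still pass. A companion case using the file's positive-case helper, setting `Access-Control-Allow-Headers` from a value that is not a request header (a query-string parameter, for instance) and expecting a HEADER_INJECTION finding, would pin that boundary. The `custom: value` evidence asserted in `cb` comes from line 4 of the setHeader fixture file, which is outside this hunk.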
