Fix IAST evidence redaction (#3160)

* Add test for vulnerability evidence scrubber * Fix IAST SQL redaction with tainted contained in sensitive
DataDog · Jun 1, 2023 · 8076e8c · 8076e8c
1 parent f21de3d
commit 8076e8c
Show file tree

Hide file tree

Showing 2 changed files with 147 additions and 1 deletion.
diff --git a/...d-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js b/...d-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js
@@ -102,7 +102,7 @@ class SensitiveHandler {
             if (entry.start === i) {
               nextSensitive = entry
             } else {
-              sensitive.push(entry)
+              sensitive.unshift(entry)
             }
           }
         }

diff --git a/...dd-trace/test/appsec/iast/vulnerability-formatter/resources/evidence-redaction-suite.json b/...dd-trace/test/appsec/iast/vulnerability-formatter/resources/evidence-redaction-suite.json
@@ -300,6 +300,61 @@
         ]
       }
     },
+    {
+      "type": "VULNERABILITIES",
+      "description": "Query with string literal $1",
+      "parameters": {
+        "$1": [
+          "john",
+          "username with 🌉 surrogate"
+        ]
+      },
+      "input": [
+        {
+          "type": "SQL_INJECTION",
+          "evidence": {
+            "dialect": "MYSQL",
+            "value": "select * from users where username = \"$1\" and last_name = 'another surrogate 😃'",
+            "ranges": [
+              {
+                "start": 14,
+                "end": 19,
+                "iinfo": {
+                  "type": "http.request.parameter",
+                  "parameterName": "table",
+                  "parameterValue": "users"
+                }
+              }
+            ]
+          }
+        }
+      ],
+      "expected": {
+        "sources": [
+          {
+            "origin": "http.request.parameter",
+            "name": "table",
+            "value": "users"
+          }
+        ],
+        "vulnerabilities": [
+          {
+            "type": "SQL_INJECTION",
+            "evidence": {
+              "valueParts": [
+                { "value": "select * from " },
+                { "source": 0, "value": "users" },
+                { "value": " where username = \"" },
+                { "redacted": true },
+                { "value": "\" and last_name = '" },
+                { "redacted": true },
+                { "value": "'" }
+              ]
+            }
+          }
+        ]
+      }
+    },
     {
       "type": "VULNERABILITIES",
       "description": "POSTGRES Query with escaped string literal",
@@ -929,6 +984,53 @@
         ]
       }
     },
+    {
+      "type": "VULNERABILITIES",
+      "description": "Query with string literal containing tainted range",
+      "input": [
+        {
+          "type": "SQL_INJECTION",
+          "evidence": {
+            "dialect": "POSTGRES",
+            "value": "select * from users where username = 'john:doe:ADMIN'",
+            "ranges": [
+              {
+                "start": 43,
+                "end": 46,
+                "iinfo": {
+                  "type": "http.request.parameter",
+                  "parameterName": "last_name",
+                  "parameterValue": "doe"
+                }
+              }
+            ]
+          }
+        }
+      ],
+      "expected": {
+        "sources": [
+          {
+            "origin": "http.request.parameter",
+            "name": "last_name",
+            "redacted": true
+          }
+        ],
+        "vulnerabilities": [
+          {
+            "type": "SQL_INJECTION",
+            "evidence": {
+              "valueParts": [
+                { "value": "select * from users where username = '" },
+                { "redacted": true },
+                { "source": 0, "redacted": true },
+                { "redacted": true },
+                { "value": "'" }
+              ]
+            }
+          }
+        ]
+      }
+    },
     {
       "type": "VULNERABILITIES",
       "description": "Query with string literal and tainted range crossing boundaries",
@@ -978,6 +1080,50 @@
         ]
       }
     },
+    {
+      "type": "VULNERABILITIES",
+      "description": "Query with tainted range in two LIKEs with not tainted % char",
+      "input": [
+        {
+          "type": "SQL_INJECTION",
+          "evidence": {
+            "dialect": "MYSQL",
+            "value": "select * from table where name LIKE '%searchparam%' OR description LIKE '%searchparam%'",
+            "ranges": [
+              {
+                "start": 38, "end": 49, "iinfo": { "type": "http.request.parameter", "parameterName": "query", "parameterValue": "searchparam" }
+              },
+              {
+                "start": 74, "end": 85, "iinfo": { "type": "http.request.parameter", "parameterName": "query", "parameterValue": "searchparam" }
+              }
+            ]
+          }
+        }
+      ],
+      "expected": {
+        "sources": [
+          { "origin": "http.request.parameter", "name": "query", "redacted": true }
+        ],
+        "vulnerabilities": [
+          {
+            "type": "SQL_INJECTION",
+            "evidence": {
+              "valueParts": [
+                { "value": "select * from table where name LIKE '" },
+                { "redacted": true },
+                { "source": 0, "redacted": true },
+                { "redacted": true },
+                { "value": "' OR description LIKE '" },
+                { "redacted": true },
+                { "source": 0, "redacted": true },
+                { "redacted": true },
+                { "value": "'" }
+              ]
+            }
+          }
+        ]
+      }
+    },
     {
       "type": "VULNERABILITIES",
       "description": "Query with string literal and weird tainted range crossing boundaries",