DataDog · iunanua · Jan 22, 2025 · Jan 22, 2025 · Jan 23, 2025 · Jan 23, 2025
@@ -46,6 +46,7 @@ refs:
   - &ref_5_33_0 '>=5.33.0'
   - &ref_5_34_0 '>=5.34.0'
   - &ref_5_35_0 '>=5.35.0'
+  - &ref_5_36_0 '>=5.36.0'
 
 tests/:
   apm_tracing_e2e/:
@@ -339,7 +340,9 @@ tests/:
         test_uri.py:
           TestURI: missing_feature
       test_security_controls.py:
-        TestSecurityControls: missing_feature
+        TestSecurityControls:
+          '*': *ref_5_36_0
+          nextjs: missing_feature
     rasp/:
       test_cmdi.py:
         Test_Cmdi_BodyJson:

@@ -2,7 +2,7 @@
 # This product includes software developed at Datadog (https://www.datadoghq.com/).
 # Copyright 2021 Datadog, Inc.
 
-from utils import features, rfc, weblog, interfaces
+from utils import context, features, rfc, weblog, interfaces, irrelevant
 from tests.appsec.iast.utils import BaseSinkTest, assert_iast_vulnerability, assert_metric
 
 
@@ -23,6 +23,7 @@ def assert_iast_is_enabled(request):
             if meta_struct and meta_struct.get("vulnerability"):
                 product_enabled = True
                 break
+
         assert product_enabled, "IAST is not available"
 
     def setup_iast_is_enabled(self):
@@ -139,6 +140,7 @@ def setup_no_vulnerability_suppression_with_a_sanitizer_configured_for_an_overlo
         self.setup_iast_is_enabled()
         self.r = weblog.post("iast/sc/s/overloaded/insecure", data={"param": "param"})
 
+    @irrelevant(context.library == "nodejs")
     def test_no_vulnerability_suppression_with_a_sanitizer_configured_for_an_overloaded_method_with_specific_signature(
         self,
     ):

@@ -19,7 +19,21 @@
         "INPUT_VALIDATOR:*:com.datadoghq.system_tests.iast.utils.SecurityControlUtil:"
         "overloadedValidation:java.lang.Object,java.lang.String,java.lang.String:1,2"
     ),
-    "nodejs": "TODO",
+    "nodejs": (
+        "SANITIZER:COMMAND_INJECTION:iast/utils/securityControlUtil.js:sanitize;"
+        "SANITIZER:*:iast/utils/securityControlUtil.js:sanitizeForAllVulns;"
+        "SANITIZER:*:iast/utils/securityControlUtil.js:overloadedSanitize:0;"
+        "INPUT_VALIDATOR:COMMAND_INJECTION:iast/utils/securityControlUtil.js:validate;"
+        "INPUT_VALIDATOR:*:iast/utils/securityControlUtil.js:validateForAllVulns;"
+        "INPUT_VALIDATOR:*:iast/utils/securityControlUtil.js:overloadedValidation:1,2;"
+        # typescript definitions
+        "SANITIZER:COMMAND_INJECTION:dist/utils/securityControlUtil.js:sanitize;"
+        "SANITIZER:*:dist/utils/securityControlUtil.js:sanitizeForAllVulns;"
+        "SANITIZER:*:dist/utils/securityControlUtil.js:overloadedSanitize:0;"
+        "INPUT_VALIDATOR:COMMAND_INJECTION:dist/utils/securityControlUtil.js:validate;"
+        "INPUT_VALIDATOR:*:dist/utils/securityControlUtil.js:validateForAllVulns;"
+        "INPUT_VALIDATOR:*:dist/utils/securityControlUtil.js:overloadedValidation:1,2"
+    ),
     "php": "TODO",
     "python": "TODO",
     "ruby": "TODO",

@@ -394,6 +394,8 @@ function initRoutes (app, tracer) {
   })
 
   require('./sources')(app, tracer)
+
+  require('./security-controls')(app, tracer)
 }
 
 module.exports = { initRoutes, initData, initMiddlewares }
@@ -0,0 +1,121 @@
+'use strict'
+
+const { Client } = require('pg')
+const { execSync } = require('child_process')
+const SecurityControlUtil = require('./utils/securityControlUtil')
+
+function execQuery (user, password) {
+  const sql = 'SELECT * FROM IAST_USER WHERE USERNAME = \'' + user +
+    '\' AND PASSWORD = \'' + password + '\''
+
+  const client = new Client()
+  return client.connect().then(() => {
+    return client.query(sql)
+  })
+}
+
+function init (app, tracer) {
+  app.post('/iast/sc/s/configured', (req, res) => {
+    const sanitized = SecurityControlUtil.sanitize(req.body.param)
+    try {
+      execSync(sanitized)
+    } catch (e) {
+      // ignore
+    }
+    res.send('OK')
+  })
+
+  app.post('/iast/sc/s/not-configured', (req, res) => {
+    const sanitized = SecurityControlUtil.sanitize(req.body.param)
+    execQuery(sanitized, 'password').then((queryResult) => {
+      res.send('OK')
+    }).catch((err) => {
+      res.send('Error: ' + err)
+    })
+  })
+
+  app.post('/iast/sc/s/all', (req, res) => {
+    const sanitized = SecurityControlUtil.sanitizeForAllVulns(req.body.param)
+    execQuery(sanitized, 'password').then((queryResult) => {
+      res.send('OK')
+    }).catch((err) => {
+      res.send('Error: ' + err)
+    })
+  })
+
+  app.post('/iast/sc/s/overloaded/secure', (req, res) => {
+    const sanitized = SecurityControlUtil.overloadedSanitize(req.body.param)
+    try {
+      execSync(sanitized)
+    } catch (e) {
+      // ignore
+    }
+    res.send('OK')
+  })
+
+  app.post('/iast/sc/s/overloaded/insecure', (req, res) => {
+    const sanitized = SecurityControlUtil.overloadedSanitize(null, req.body.param)
+    try {
+      execSync(sanitized)
+    } catch (e) {
+      // ignore
+    }
+    res.send('OK')
+  })
+
+  app.post('/iast/sc/iv/configured', (req, res) => {
+    // TODO: problem in express5?
+    if (SecurityControlUtil.validate(req.body.param)) {
+      try {
+        execSync(req.body.param)
+      } catch (e) {
+        // ignore
+      }
+    }
+    res.send('OK')
+  })
+
+  app.post('/iast/sc/iv/not-configured', (req, res) => {
+    if (SecurityControlUtil.validate(req.body.param)) {
+      execQuery(req.body.param, 'password').then((queryResult) => {
+        res.send('OK')
+      }).catch((err) => {
+        res.send('Error: ' + err)
+      })
+    }
+  })
+
+  app.post('/iast/sc/iv/all', (req, res) => {
+    if (SecurityControlUtil.validateForAllVulns(req.body.param)) {
+      execQuery(req.body.param, 'password').then((queryResult) => {
+        res.send('OK')
+      }).catch((err) => {
+        res.send('Error: ' + err)
+      })
+    }
+  })
+
+  app.post('/iast/sc/iv/overloaded/secure', (req, res) => {
+    const { user, password } = req.body
+    if (SecurityControlUtil.overloadedValidation(null, user, password)) {
+      execQuery(user, password).then((queryResult) => {
+        res.send('OK')
+      }).catch((err) => {
+        res.send('Error: ' + err)
+      })
+    }
+  })
+
+  app.post('/iast/sc/iv/overloaded/insecure', (req, res) => {
+    const { user, password } = req.body
+    if (SecurityControlUtil.overloadedValidation(user, password, null)) {
+      execQuery(user, password).then((queryResult) => {
+        res.send('OK')
+      }).catch((err) => {
+        res.send('Error: ' + err)
+      })
+    }
+  })
+}
+
+module.exports = init
@@ -0,0 +1,34 @@
+'use strict'
+
+function sanitize (input) {
+  return input // `Sanitized ${input}`
+}
+
+function sanitizeForAllVulns (input) {
+  return `Sanitized for all vulns ${input}`
+}
+
+function overloadedSanitize (input, obj) {
+  return `Sanitized ${input}`
+}
+
+function validate (input) {
+  return true // dummy implementation
+}
+
+function validateForAllVulns (input) {
+  return true // dummy implementation
+}
+
+function overloadedValidation (obj, input, input2) {
+  return true // dummy implementation
+}
+
+module.exports = {
+  sanitize,
+  sanitizeForAllVulns,
+  overloadedSanitize,
+  validate,
+  validateForAllVulns,
+  overloadedValidation
+}
@@ -18,6 +18,7 @@ const pug = require('pug')
 const { unserialize } = require('node-serialize')
 
 const ldap = require('./integrations/ldap')
+const initSecurityControls = require('./security-controls')
 
 async function initData () {
   const query = readFileSync(join(__dirname, '..', 'resources', 'iast-data.sql')).toString()
@@ -696,6 +697,7 @@ function initSourceRoutes (app: Express): void {
 function initRoutes (app: Express): void {
   initSinkRoutes(app)
   initSourceRoutes(app)
+  initSecurityControls(app)
 }
 
 

@@ -0,0 +1,122 @@
+'use strict'
+
+import type { Express, NextFunction, Request, Response } from 'express'
+const { Client } = require('pg')
+const { execSync } = require('child_process')
+const SecurityControlUtil = require('./utils/securityControlUtil')
+
+function execQuery (user: string, password: string) {
+  const sql = 'SELECT * FROM IAST_USER WHERE USERNAME = \'' + user +
+    '\' AND PASSWORD = \'' + password + '\''
+
+  const client = new Client()
+  return client.connect().then(() => {
+    return client.query(sql)
+  })
+}
+
+function initSecurityControls (app: Express) {
+  app.post('/iast/sc/s/configured', (req: Request, res: Response): void => {
+    const sanitized = SecurityControlUtil.sanitize(req.body.param)
+    try {
+      execSync(sanitized)
+    } catch (e) {
+      // ignore
+    }
+    res.send('OK')
+  })
+
+  app.post('/iast/sc/s/not-configured', (req: Request, res: Response): void => {
+    const sanitized = SecurityControlUtil.sanitize(req.body.param)
+    execQuery(sanitized, 'password').then((queryResult: any) => {
+      res.send('OK')
+    }).catch((err: Error) => {
+      res.send('Error: ' + err)
+    })
+  })
+
+  app.post('/iast/sc/s/all', (req: Request, res: Response): void => {
+    const sanitized = SecurityControlUtil.sanitizeForAllVulns(req.body.param)
+    execQuery(sanitized, 'password').then((queryResult: any) => {
+      res.send('OK')
+    }).catch((err: Error) => {
+      res.send('Error: ' + err)
+    })
+  })
+
+  app.post('/iast/sc/s/overloaded/secure', (req: Request, res: Response): void => {
+    const sanitized = SecurityControlUtil.overloadedSanitize(req.body.param)
+    try {
+      execSync(sanitized)
+    } catch (e) {
+      // ignore
+    }
+    res.send('OK')
+  })
+
+  app.post('/iast/sc/s/overloaded/insecure', (req: Request, res: Response): void => {
+    const sanitized = SecurityControlUtil.overloadedSanitize(null, req.body.param)
+    try {
+      execSync(sanitized)
+    } catch (e) {
+      // ignore
+    }
+    res.send('OK')
+  })
+
+  app.post('/iast/sc/iv/configured', (req: Request, res: Response): void => {
+    // TODO: problem in express5?
+    if (SecurityControlUtil.validate(req.body.param)) {
+      try {
+        execSync(req.body.param)
+      } catch (e) {
+        // ignore
+      }
+    }
+    res.send('OK')
+  })
+
+  app.post('/iast/sc/iv/not-configured', (req: Request, res: Response): void => {
+    if (SecurityControlUtil.validate(req.body.param)) {
+      execQuery(req.body.param, 'password').then((queryResult: any) => {
+        res.send('OK')
+      }).catch((err: Error) => {
+        res.send('Error: ' + err)
+      })
+    }
+  })
+
+  app.post('/iast/sc/iv/all', (req: Request, res: Response): void => {
+    if (SecurityControlUtil.validateForAllVulns(req.body.param)) {
+      execQuery(req.body.param, 'password').then((queryResult: any) => {
+        res.send('OK')
+      }).catch((err: Error) => {
+        res.send('Error: ' + err)
+      })
+    }
+  })
+
+  app.post('/iast/sc/iv/overloaded/secure', (req: Request, res: Response): void => {
+    const { user, password } = req.body
+    if (SecurityControlUtil.overloadedValidation(null, user, password)) {
+      execQuery(user, password).then((queryResult: any) => {
+        res.send('OK')
+      }).catch((err: Error) => {
+        res.send('Error: ' + err)
+      })
+    }
+  })
+
+  app.post('/iast/sc/iv/overloaded/insecure', (req: Request, res: Response): void => {
+    const { user, password } = req.body
+    if (SecurityControlUtil.overloadedValidation(user, password, null)) {
+      execQuery(user, password).then((queryResult: any) => {
+        res.send('OK')
+      }).catch((err: Error) => {
+        res.send('Error: ' + err)
+      })
+    }
+  })
+}
+
+module.exports = initSecurityControls