Fix IAST SQL redaction with tainted contained in sensitive

DataDog · May 16, 2023 · 1645f04 · 1645f04
1 parent 66dd772
commit 1645f04
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 1 deletion.
diff --git a/...d-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js b/...d-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js
@@ -102,7 +102,7 @@ class SensitiveHandler {
             if (entry.start === i) {
               nextSensitive = entry
             } else {
-              sensitive.push(entry)
+              sensitive.unshift(entry)
             }
           }
         }

diff --git a/...dd-trace/test/appsec/iast/vulnerability-formatter/resources/evidence-redaction-suite.json b/...dd-trace/test/appsec/iast/vulnerability-formatter/resources/evidence-redaction-suite.json
@@ -1080,6 +1080,50 @@
         ]
       }
     },
+    {
+      "type": "VULNERABILITIES",
+      "description": "Query with tainted range in two LIKEs with not tainted % char",
+      "input": [
+        {
+          "type": "SQL_INJECTION",
+          "evidence": {
+            "dialect": "MYSQL",
+            "value": "select * from table where name LIKE '%searchparam%' OR description LIKE '%searchparam%'",
+            "ranges": [
+              {
+                "start": 38, "end": 49, "iinfo": { "type": "http.request.parameter", "parameterName": "query", "parameterValue": "searchparam" }
+              },
+              {
+                "start": 74, "end": 85, "iinfo": { "type": "http.request.parameter", "parameterName": "query", "parameterValue": "searchparam" }
+              }
+            ]
+          }
+        }
+      ],
+      "expected": {
+        "sources": [
+          { "origin": "http.request.parameter", "name": "query", "redacted": true }
+        ],
+        "vulnerabilities": [
+          {
+            "type": "SQL_INJECTION",
+            "evidence": {
+              "valueParts": [
+                { "value": "select * from table where name LIKE '" },
+                { "redacted": true },
+                { "source": 0, "redacted": true },
+                { "redacted": true },
+                { "value": "' OR description LIKE '" },
+                { "redacted": true },
+                { "source": 0, "redacted": true },
+                { "redacted": true },
+                { "value": "'" }
+              ]
+            }
+          }
+        ]
+      }
+    },
     {
       "type": "VULNERABILITIES",
       "description": "Query with string literal and weird tainted range crossing boundaries",