Improve iast mongodb nosql detection removing some false positives (#5408)

uurien · web-flow · commit 8df8c369ecb2 · 2025-04-03T18:07:49.000+02:00
diff --git a/packages/dd-trace/src/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.js b/packages/dd-trace/src/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.js
@@ -12,6 +12,9 @@ const EXCLUDED_PATHS_FROM_STACK = getNodeModulesPaths('mongodb', 'mongoose', 'mq
 const { NOSQL_MONGODB_INJECTION_MARK } = require('../taint-tracking/secure-marks')
 const { iterateObjectStrings } = require('../utils')
 
+const SAFE_OPERATORS = new Set(['$eq', '$gt', '$gte', '$in', '$lt', '$lte', '$ne', '$nin',
+  '$exists', '$type', '$mod', '$bitsAllClear', '$bitsAllSet', '$bitsAnyClear', '$bitsAnySet'])
+
 class NosqlInjectionMongodbAnalyzer extends InjectionAnalyzer {
   constructor () {
     super(NOSQL_MONGODB_INJECTION)
@@ -103,7 +106,11 @@ class NosqlInjectionMongodbAnalyzer extends InjectionAnalyzer {
     })
   }
 
-  _isVulnerableRange (range) {
+  _isVulnerableRange (range, value) {
+    const rangeIsWholeValue = range.start === 0 && range.end === value?.length
+
+    if (!rangeIsWholeValue) return false
+
     const rangeType = range?.iinfo?.type
     return rangeType === HTTP_REQUEST_PARAMETER || rangeType === HTTP_REQUEST_BODY
   }
@@ -119,29 +126,25 @@ class NosqlInjectionMongodbAnalyzer extends InjectionAnalyzer {
       const rangesByKey = {}
       const allRanges = []
 
-      iterateObjectStrings(value.filter, (val, nextLevelKeys) => {
+      iterateMongodbQueryStrings(value.filter, (val, nextLevelKeys) => {
         let ranges = getRanges(iastContext, val)
-        if (ranges?.length) {
-          const filteredRanges = []
-
+        if (ranges?.length === 1) {
           ranges = this._filterSecureRanges(ranges)
           if (!ranges.length) {
             this._incrementSuppressedMetric(iastContext)
+            return
           }
 
-          for (const range of ranges) {
-            if (this._isVulnerableRange(range)) {
-              isVulnerable = true
-              filteredRanges.push(range)
-            }
+          const range = ranges[0]
+          if (!this._isVulnerableRange(range, val)) {
+            return
           }
+          isVulnerable = true
 
-          if (filteredRanges.length > 0) {
-            rangesByKey[nextLevelKeys.join('.')] = filteredRanges
-            allRanges.push(...filteredRanges)
-          }
+          rangesByKey[nextLevelKeys.join('.')] = ranges
+          allRanges.push(range)
         }
-      }, [], 4)
+      })
 
       if (isVulnerable) {
         value.rangesToApply = rangesByKey
@@ -162,4 +165,25 @@ class NosqlInjectionMongodbAnalyzer extends InjectionAnalyzer {
   }
 }
 
+function iterateMongodbQueryStrings (target, fn, levelKeys = [], depth = 10, visited = new Set()) {
+  if (target !== null && typeof target === 'object') {
+    if (visited.has(target)) return
+
+    visited.add(target)
+
+    Object.keys(target).forEach((key) => {
+      if (SAFE_OPERATORS.has(key)) return
+
+      const nextLevelKeys = [...levelKeys, key]
+      const val = target[key]
+
+      if (typeof val === 'string') {
+        fn(val, nextLevelKeys, target, key)
+      } else if (depth > 0) {
+        iterateMongodbQueryStrings(val, fn, nextLevelKeys, depth - 1, visited)
+      }
+    })
+  }
+}
+
 module.exports = new NosqlInjectionMongodbAnalyzer()
diff --git a/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.express-mongo-sanitize.plugin.spec.js b/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.express-mongo-sanitize.plugin.spec.js
@@ -10,8 +10,8 @@ const agent = require('../../../plugins/agent')
 
 describe('nosql injection detection in mongodb - whole feature', () => {
   // https://github.com/fiznool/express-mongo-sanitize/issues/200
-  withVersions('mongodb', 'express', '>4.18.0 <5.0.0', expressVersion => {
-    withVersions('mongodb', 'mongodb', mongodbVersion => {
+  withVersions('express-mongo-sanitize', 'express', '>4.18.0 <5.0.0', expressVersion => {
+    withVersions('express-mongo-sanitize', 'mongodb', mongodbVersion => {
       const mongodb = require(`../../../../../../versions/mongodb@${mongodbVersion}`)
 
       const satisfiesNodeVersionForMongo3and4 =
@@ -82,6 +82,94 @@ describe('nosql injection detection in mongodb - whole feature', () => {
             }
           })
 
+          testThatRequestHasVulnerability({
+            testDescription: 'should have NOSQL_MONGODB_INJECTION vulnerability in $or clause',
+            fn: async (req, res) => {
+              await collection.find({
+                key: {
+                  $or: [req.query.key, 'test']
+                }
+              })
+              res.end()
+            },
+            vulnerability: 'NOSQL_MONGODB_INJECTION',
+            makeRequest: (done, config) => {
+              axios.get(`http://localhost:${config.port}/?key=value`).catch(done)
+            },
+            cb: function (vulnerabilities) {
+              const vulnerability = vulnerabilities[0]
+              let someRedacted = false
+              vulnerability.evidence.valueParts.forEach(valuePart => {
+                if (valuePart.redacted) {
+                  someRedacted = true
+                }
+              })
+
+              expect(someRedacted).to.be.true
+            }
+          })
+
+          testThatRequestHasNoVulnerability({
+            testDescription: 'should not have NOSQL_MONGODB_INJECTION vulnerability using $eq',
+            fn: async (req, res) => {
+              await collection.find({
+                key: {
+                  $eq: req.query.key
+                }
+              })
+              res.end()
+            },
+            vulnerability: 'NOSQL_MONGODB_INJECTION',
+            makeRequest: (done, config) => {
+              axios.get(`http://localhost:${config.port}/?key=value`).catch(done)
+            }
+          })
+
+          testThatRequestHasNoVulnerability({
+            testDescription: 'should not have NOSQL_MONGODB_INJECTION vulnerability with modified tainted string',
+            fn: async (req, res) => {
+              const data = req.query.key
+              // eslint-disable-next-line no-undef
+              const modifiedData = _ddiast.plusOperator('modified' + data, 'modified', data)
+
+              await collection.find({
+                key: modifiedData
+              })
+
+              res.end()
+            },
+            vulnerability: 'NOSQL_MONGODB_INJECTION',
+            makeRequest: (done, config) => {
+              axios.get(`http://localhost:${config.port}/?key=value`).catch(done)
+            }
+          })
+
+          testThatRequestHasNoVulnerability({
+            testDescription: 'should not have NOSQL_MONGODB_INJECTION vulnerability in too deep property',
+            fn: async (req, res) => {
+              const deep = 11
+              const obj = {}
+              let next = obj
+
+              for (let i = 0; i <= deep; i++) {
+                if (i === deep) {
+                  next.key = req.query.key
+                  break
+                }
+
+                next.key = {}
+                next = next.key
+              }
+
+              await collection.find(obj)
+              res.end()
+            },
+            vulnerability: 'NOSQL_MONGODB_INJECTION',
+            makeRequest: (done, config) => {
+              axios.get(`http://localhost:${config.port}/?key=value`).catch(done)
+            }
+          })
+
           testThatRequestHasNoVulnerability({
             testDescription: 'should not have NOSQL_MONGODB_INJECTION vulnerability with path params',
             fn: function noop () {},
diff --git a/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.mquery.plugin.spec.js b/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.mquery.plugin.spec.js
@@ -10,8 +10,8 @@ const fs = require('fs')
 
 describe('nosql injection detection with mquery', () => {
   // https://github.com/fiznool/express-mongo-sanitize/issues/200
-  withVersions('mongodb', 'express', '>4.18.0 <5.0.0', expressVersion => {
-    withVersions('mongodb', 'mongodb', mongodbVersion => {
+  withVersions('mquery', 'express', '>4.18.0 <5.0.0', expressVersion => {
+    withVersions('mquery', 'mongodb', mongodbVersion => {
       const mongodb = require(`../../../../../../versions/mongodb@${mongodbVersion}`)
 
       const satisfiesNodeVersionForMongo3and4 =
diff --git a/packages/dd-trace/test/plugins/externals.json b/packages/dd-trace/test/plugins/externals.json
@@ -120,6 +120,10 @@
     }
   ],
   "mquery": [
+    {
+      "name": "express",
+      "versions": [">=4", ">=4.0.0 <4.3.0", ">=4.0.0 <5.0.0", ">=4.3.0 <5.0.0"]
+    },
     {
       "name": "mquery",
       "versions": [">=5.0.0"]

Original file line number	Diff line number	Diff line change
`@@ -120,6 +120,10 @@`
`120`	`120`	`}`
`121`	`121`	`],`
`122`	`122`	`"mquery": [`
	`123`	`+ {`
	`124`	`+ "name": "express",`
	`125`	`+ "versions": [">=4", ">=4.0.0 <4.3.0", ">=4.0.0 <5.0.0", ">=4.3.0 <5.0.0"]`
	`126`	`+ },`
`123`	`127`	`{`
`124`	`128`	`"name": "mquery",`
`125`	`129`	`"versions": [">=5.0.0"]`