String.prototype.replace: String by string (#38)

* String.prototype.replace: String by string

* Replace when matcher is a regex

* Refactor: Trying to reduce long methods

* Refactor replace methods in order to remove maintainability issues.

Co-authored-by: Julio Gonzalez <[email protected]>

Author: uurien

binding.gyp

@@ -16,6 +16,7 @@
                 "./src/api/trim.cc",
                 "./src/api/slice.cc",
                 "./src/api/substring.cc",
+                "./src/api/replace.cc",
                 "./src/iast.cc"
             ],
             "include_dirs" : [

index.d.ts

@@ -30,5 +30,6 @@ declare module 'datadog-iast-taint-tracking' {
         slice(transactionId: string, result: string, original: string, start: number, end: number): string;
         substring(transactionId: string, subject: string, result: string, start: number, end: number): string;
         substr(transactionId: string, subject: string, result: string, start: number, length: number): string;
+        replace(transactionId: string, result: string, thisArg: string, matcher: unknown, replacer: unknown): string;
     }
 }

index.js

@@ -22,6 +22,9 @@ try {
     },
     removeTransaction () {
     },
+    replace (transactionId, result) {
+      return result
+    },
     concat (transactionId, result) {
       return result
     },
@@ -49,6 +52,7 @@ const iastNativeMethods = {
   getRanges: addon.getRanges,
   createTransaction: addon.createTransaction,
   removeTransaction: addon.removeTransaction,
+  replace: require('./replace.js')(addon),
   concat: addon.concat,
   trim: addon.trim,
   trimEnd: addon.trimEnd,

package.json

@@ -48,6 +48,7 @@
     "index.js",
     "index.d.ts",
     "prebuilds/**/*",
+    "replace.js",
     "scripts/libc.js",
     "LICENSE",
     "LICENSE-3rdparty.csv",

replace.js

@@ -0,0 +1,44 @@
+const isSpecialRegex = /(\$\$)|(\$&)|(\$`)|(\$')|(\$\d)/
+
+function getReplace (addon) {
+  function isSpecialReplacement (replacer) {
+    return replacer.indexOf('$') > -1 && !!replacer.match(isSpecialRegex)
+  }
+  function shouldBePropagated (transactionId, thisArg, replacer) {
+    return addon.isTainted(transactionId, thisArg, replacer) && !isSpecialReplacement(replacer)
+  }
+  if (addon.replace) {
+    return addon.replace
+  }
+  return function replace (transactionId, result, thisArg, matcher, replacer) {
+    if (transactionId && typeof thisArg === 'string' && typeof replacer === 'string') {
+      if (typeof matcher === 'string') {
+        if (shouldBePropagated(transactionId, thisArg, replacer)) {
+          const index = thisArg.indexOf(matcher)
+          if (index > -1) {
+            return addon.replaceStringByString(transactionId, result, thisArg, matcher, replacer, index)
+          }
+        }
+      } else if (matcher instanceof RegExp) {
+        if (shouldBePropagated(transactionId, thisArg, replacer)) {
+          const replacements = []
+          let lastIndex = -1
+          for (let match = matcher.exec(thisArg), i = 0; match != null; match = matcher.exec(thisArg), i++) {
+            const index = match.index
+            if (index !== lastIndex) {
+              replacements.push([index, match[0]])
+              lastIndex = index
+            } else {
+              break
+            }
+          }
+          return addon.replaceStringByStringUsingRegex(transactionId, result, thisArg, matcher,
+            replacer, replacements)
+        }
+      }
+    }
+    return result
+  }
+}
+
+module.exports = getReplace

src/api/replace.cc

@@ -0,0 +1,306 @@
+/**
+* Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
+* This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2022 Datadog, Inc.
+**/
+#include <node.h>
+#include <new>
+#include <vector>
+#include <memory>
+
+#include "replace.h"
+#include "../tainted/string_resource.h"
+#include "../tainted/range.h"
+#include "../tainted/transaction.h"
+#include "../iast.h"
+#include "../utils/validation_utils.h"
+#include "v8.h"
+
+using v8::FunctionCallbackInfo;
+using v8::Value;
+using v8::Local;
+using v8::Context;
+using v8::Object;
+using v8::Array;
+using v8::String;
+using v8::Local;
+using v8::Integer;
+using v8::Int32;
+
+using iast::tainted::Range;
+using iast::utils::GetLocalStringPointer;
+
+namespace iast {
+namespace api {
+
+struct JsReplacementInfo {
+    int64_t index;
+    int64_t matchLength;
+    int64_t offset;
+};
+
+struct MatcherArguments {
+    Local<Value> result;
+    Local<Value> self;
+    Local<Value> matcher;
+    Local<Value> replacer;
+    Local<Value> replacements;
+};
+
+inline void addReplacerRanges(Transaction* transaction,
+        SharedRanges* replacerRanges,
+        int toReplaceStart,
+        SharedRanges* newRanges) {
+    if (replacerRanges) {
+        if (toReplaceStart == 0) {
+            newRanges->Add(replacerRanges);
+        } else {
+            auto replacerItEnd = replacerRanges->end();
+            for (auto replacerIt = replacerRanges->begin(); replacerItEnd != replacerIt; replacerIt++) {
+                auto range = (*replacerIt);
+                newRanges->PushBack(transaction->GetRange(range->start + toReplaceStart,
+                            range->end + toReplaceStart, range->inputInfo));
+            }
+        }
+    }
+}
+
+inline SharedRanges* adjustReplacementRanges(Transaction* transaction,
+        SharedRanges* subjectRanges,
+        SharedRanges* replacerRanges,
+        const MatcherArguments& args) {
+    auto matcherLength = String::Cast(*(args.matcher))->Length();
+    auto replacementLength = String::Cast(*(args.replacer))->Length();
+    auto toReplaceStart = Integer::Cast(*(args.replacements))->Value();
+    int toReplaceEnd = toReplaceStart + matcherLength;
+    int offset = replacementLength - matcherLength;
+    auto newRanges = transaction->GetSharedVectorRange();
+
+    std::vector<Range*>::iterator subjectIt;
+    std::vector<Range*>::iterator subjectItEnd;
+
+    if (subjectRanges) {
+        subjectIt = subjectRanges->begin();
+        subjectItEnd = subjectRanges->end();
+        while (subjectIt != subjectItEnd && (*subjectIt)->start < toReplaceStart) {
+            auto range = (*subjectIt);
+            if (range->end <= toReplaceStart) {
+                newRanges->PushBack(range);
+            } else if (range->end > toReplaceStart) {
+                newRanges->PushBack(transaction->GetRange(range->start, toReplaceStart, range->inputInfo));
+                break;
+            }
+            ++subjectIt;
+        }
+    }
+
+    addReplacerRanges(transaction, replacerRanges, toReplaceStart, newRanges);
+
+    if (subjectRanges) {
+        while (subjectIt != subjectItEnd) {
+            auto range = (*subjectIt);
+            if (range->end > toReplaceEnd) {
+                if (range->start <= toReplaceEnd) {
+                    newRanges->PushBack(transaction->GetRange(toReplaceEnd + offset,
+                                range->end + offset,
+                                range->inputInfo));
+                } else if (offset == 0) {
+                    newRanges->PushBack(range);
+                } else {
+                    newRanges->PushBack(transaction->GetRange(range->start + offset,
+                                range->end + offset,
+                                range->inputInfo));
+                }
+            }
+            subjectIt++;
+        }
+    }
+
+    return newRanges;
+}
+
+inline SharedRanges* adjustRegexReplacementRanges(Transaction* transaction,
+        SharedRanges* subjectRanges,
+        SharedRanges* replacerRanges,
+        const MatcherArguments& args,
+        Local<Context> context) {
+    std::vector<Range*>::iterator subjectIt;
+    std::vector<Range*>::iterator subjectItEnd;
+    auto replacerLen = String::Cast(*(args.replacer))->Length();
+    auto jsReplacements = Array::Cast(*args.replacements);
+    auto newRanges = transaction->GetSharedVectorRange();
+
+    if (subjectRanges != nullptr) {
+        subjectIt = subjectRanges->begin();
+        subjectItEnd = subjectRanges->end();
+    }
+
+    int offset = 0;
+    int lastEnd = 0;
+    for (unsigned int i = 0; i < jsReplacements->Length(); i++) {
+        auto jsReplacement = Object::Cast(*(jsReplacements->Get(context, i).ToLocalChecked()));
+        auto index = Int32::Cast(*(jsReplacement->Get(context, 0).ToLocalChecked()))->Value();
+        auto matcherLength = String::Cast(*(jsReplacement->Get(context, 1).ToLocalChecked()))->Length();
+        struct JsReplacementInfo currentReplacement = {index, matcherLength, replacerLen - matcherLength};
+
+        if (subjectRanges) {
+            while (subjectIt != subjectItEnd && (*subjectIt)->start < index) {
+                auto breakLoop = false;
+                auto range = *subjectIt;
+                if (lastEnd < range->end) {
+                    auto start = range->start;
+                    auto end = range->end;
+                    if (lastEnd > range->start) {
+                        start = lastEnd;
+                    }
+                    start += offset;
+                    if (range->end > index) {
+                        breakLoop = true;
+                        end = index;
+                    }
+                    end += offset;
+                    if (start == range->start && end == range->end) {
+                        newRanges->PushBack(range);
+                    } else {
+                        newRanges->PushBack(transaction->GetRange(start, end, range->inputInfo));
+                    }
+                }
+                if (breakLoop) {
+                    break;
+                }
+                ++subjectIt;
+            }
+        }
+
+        addReplacerRanges(transaction, replacerRanges, index + offset, newRanges);
+
+        lastEnd = currentReplacement.index + currentReplacement.matchLength;
+        offset = offset + currentReplacement.offset;
+    }
+
+    if (subjectRanges) {
+        while (subjectIt != subjectItEnd) {
+            auto range = *subjectIt;
+            if (lastEnd < range->end) {
+                if (lastEnd > range->start) {
+                    newRanges->PushBack(transaction->GetRange(lastEnd + offset, range->end + offset,
+                                range->inputInfo));
+                } else if (offset == 0) {
+                    newRanges->PushBack(range);
+                } else {
+                    newRanges->PushBack(
+                            transaction->GetRange(range->start + offset, range->end + offset,
+                                range->inputInfo));
+                }
+            }
+            ++subjectIt;
+        }
+    }
+    return newRanges;
+}
+
+void TaintReplaceStringByStringMethod(const FunctionCallbackInfo<Value>& args) {
+    if (!utils::ValidateMethodArguments(args, 6, "Wrong number of arguments")) {
+        return;
+    }
+    auto replaceResult = args[1];
+    if (!replaceResult->IsString()) {
+        args.GetReturnValue().Set(replaceResult);
+        return;
+    }
+
+    auto transaction = GetTransaction(GetLocalStringPointer(args[0]));
+    if (!transaction) {
+        args.GetReturnValue().Set(replaceResult);
+        return;
+    }
+
+    try {
+        MatcherArguments methodArguments = {args[1], args[2], args[3], args[4], args[5]};
+
+        auto taintedSubject = transaction->FindTaintedObject(GetLocalStringPointer(methodArguments.self));
+        auto taintedReplacer = transaction->FindTaintedObject(GetLocalStringPointer(methodArguments.replacer));
+        auto subjectRanges = (taintedSubject) ? taintedSubject->getRanges() : nullptr;
+        auto replacerRanges = (taintedReplacer) ? taintedReplacer->getRanges() : nullptr;
+
+        if (subjectRanges == nullptr && replacerRanges == nullptr) {
+            args.GetReturnValue().Set(replaceResult);
+            return;
+        }
+
+        auto newRanges = adjustReplacementRanges(transaction, subjectRanges, replacerRanges, methodArguments);
+        if (newRanges->Size() > 0) {
+            auto isolate = args.GetIsolate();
+            auto resultString = replaceResult->ToString(isolate->GetCurrentContext()).ToLocalChecked();
+            auto resultLength = resultString->Length();
+            if (resultLength == 1) {
+                replaceResult = tainted::NewExternalString(isolate, replaceResult);
+            }
+            auto key = GetLocalStringPointer(replaceResult);
+            transaction->AddTainted(key, newRanges, replaceResult);
+        }
+    } catch (const std::bad_alloc& err) {
+    } catch (const container::QueuedPoolBadAlloc& err) {
+    } catch (const container::PoolBadAlloc& err) {
+    }
+    args.GetReturnValue().Set(replaceResult);
+}
+
+void TaintReplaceStringByStringUsingRegexMethod(const FunctionCallbackInfo<Value>& args) {
+    // transactionId, result, subject, matcher, replacer, replacements
+    if (!utils::ValidateMethodArguments(args, 6, "Wrong number of arguments")) {
+        return;
+    }
+    auto replaceResult = args[1];
+    if (!replaceResult->IsString()) {
+        args.GetReturnValue().Set(replaceResult);
+        return;
+    }
+
+    auto transaction = GetTransaction(GetLocalStringPointer(args[0]));
+    if (!transaction) {
+        args.GetReturnValue().Set(replaceResult);
+        return;
+    }
+
+    try {
+        MatcherArguments methodArguments = {args[1], args[2], args[3], args[4], args[5]};
+
+        auto taintedSubject = transaction->FindTaintedObject(GetLocalStringPointer(methodArguments.self));
+        auto taintedReplacer = transaction->FindTaintedObject(GetLocalStringPointer(methodArguments.replacer));
+        auto subjectRanges = (taintedSubject) ? taintedSubject->getRanges() : nullptr;
+        auto replacerRanges = (taintedReplacer) ? taintedReplacer->getRanges() : nullptr;
+
+        if (subjectRanges == nullptr && replacerRanges == nullptr) {
+            args.GetReturnValue().Set(replaceResult);
+            return;
+        }
+
+        auto newRanges = adjustRegexReplacementRanges(transaction,
+                subjectRanges,
+                replacerRanges,
+                methodArguments,
+                args.GetIsolate()->GetCurrentContext());
+
+        if (newRanges->Size() > 0) {
+            auto resultString = replaceResult->ToString(args.GetIsolate()->GetCurrentContext()).ToLocalChecked();
+            auto resultLength = resultString->Length();
+            if (resultLength == 1) {
+                replaceResult = tainted::NewExternalString(args.GetIsolate(), replaceResult);
+            }
+            auto key = utils::GetLocalStringPointer(replaceResult);
+            transaction->AddTainted(key, newRanges, replaceResult);
+        }
+    } catch (const std::bad_alloc& err) {
+    } catch (const container::QueuedPoolBadAlloc& err) {
+    } catch (const container::PoolBadAlloc& err) {
+    }
+    args.GetReturnValue().Set(replaceResult);
+}
+
+void ReplaceOperations::Init(Local<Object> exports) {
+    NODE_SET_METHOD(exports, "replaceStringByString", TaintReplaceStringByStringMethod);
+    NODE_SET_METHOD(exports, "replaceStringByStringUsingRegex", TaintReplaceStringByStringUsingRegexMethod);
+}
+}   // namespace api
+}   // namespace iast
+