From 8a63909a0c5db0f38d517c05133e4279ac0d103e Mon Sep 17 00:00:00 2001
From: Nikhil Shahi
Date: Fri, 14 Apr 2023 01:39:18 -0500
Subject: [PATCH] xss and sqli for non response sections (#489)

---
 ingestors/rust-common/src/main.rs | 10 +++++++++-
 ingestors/rust-common/src/process_trace.rs | 14 ++++++++------
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/ingestors/rust-common/src/main.rs b/ingestors/rust-common/src/main.rs
index 0978b1a7..1d2fdcf1 100644
--- a/ingestors/rust-common/src/main.rs
+++ b/ingestors/rust-common/src/main.rs
@@ -138,7 +138,15 @@ async fn main() -> Result<(), Box> {
         Some(port) => Some(port),
         None => match env::var("BACKEND_PORT") {
             Ok(s) => Some(s.parse().unwrap()),
-            Err(_) => None,
+            Err(_) => match Url::parse(&metlo_host) {
+                Ok(url)
+                    if url.scheme() == "http"
+                        && !url.host_str().unwrap_or_default().contains("app.metlo.com") =>
+                {
+                    Some(8000)
+                }
+                _ => None,
+            },
         },
     };
diff --git a/ingestors/rust-common/src/process_trace.rs b/ingestors/rust-common/src/process_trace.rs
index 0339570d..035730a7 100644
--- a/ingestors/rust-common/src/process_trace.rs
+++ b/ingestors/rust-common/src/process_trace.rs
@@ -122,13 +122,15 @@ pub fn process_json_val(
             let resolved_path = fix_path(path, response_alias_map);
             insert_data_type(data_types, resolved_path.as_str(), "string".to_string());
-            if xss(e).unwrap_or(false) {
-                xss_detected.insert(resolved_path.clone(), e.to_string());
-            }
+            if !path.starts_with("res") {
+                if xss(e).unwrap_or(false) {
+                    xss_detected.insert(resolved_path.clone(), e.to_string());
+                }
-            let is_sqli = sqli(e).unwrap_or((false, "".to_string()));
-            if is_sqli.0 {
-                sqli_detected.insert(resolved_path.clone(), (e.to_string(), is_sqli.1));
+                let is_sqli = sqli(e).unwrap_or((false, "".to_string()));
+                if is_sqli.0 {
+                    sqli_detected.insert(resolved_path.clone(), (e.to_string(), is_sqli.1));
+                }
             }
             let sensitive_data = detect_sensitive_data(e.as_str());
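Review bot: `url.host_str().unwrap_or_default().contains("app.metlo.com")` in the new match guard is a substring test on the host, so any hostname that merely contains that string (a longer name or an unrelated subdomain) is treated like the hosted service and skips the port-8000 default; an exact comparison such as `url.host_str() == Some("app.metlo.com")` states the intent precisely and avoids the surprise. The reason plain-http hosts fall back to 8000 is not recorded in the arm; a comment like `// Plain-http hosts other than app.metlo.com default to port 8000 when BACKEND_PORT is unset.` would help the next reader. `metlo_host` and the `Url` import are bound outside the hunk, and `main` continues on both sides of it.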
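Review bot: `!path.starts_with("res")` is a bare prefix test, so any path whose first segment merely begins with those letters (a top-level key such as `reset_token`, if paths can start with a field name) would also be exempted from the XSS and SQLi checks, not only the response section the commit title names. If section names are followed by a separator, matching it as well, e.g. `if !path.starts_with("res.") {`, narrows the guard to the intended section; otherwise a comparison against the exact section prefix is preferable. The guard would also benefit from a one-line comment stating why response data is skipped, e.g. `// XSS/SQLi detection is only run on non-response sections (#489).`. `path`, `xss_detected` and `sqli_detected` are bound outside the hunk, and `process_json_val` continues on both sides of it.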