newrelic · sumitsuthar · Jun 4, 2024 · Jun 5, 2024
diff --git a/lib/instrumentation-security/core/event-constants.js b/lib/instrumentation-security/core/event-constants.js
@@ -20,7 +20,8 @@ const EVENT_TYPE = {
     UNVALIDATED_REDIRECT: 'UNVALIDATED_REDIRECT',
     REFLECTED_XSS: 'REFLECTED_XSS',
     XPATH: 'XPATH',
-    LDAP: 'LDAP'
+    LDAP: 'LDAP',
+    TRUSTBOUNDARY: 'TRUSTBOUNDARY'
 }
 const  EVENT_CATEGORY =  {
     MYSQL: 'MYSQL',
@@ -40,7 +41,8 @@ const  EVENT_CATEGORY =  {
     UNVALIDATED_REDIRECT: 'UNVALIDATED_REDIRECT',
     REFLECTED_XSS: 'REFLECTED_XSS',
     XPATH: 'XPATH',
-    LDAP: 'LDAP'
+    LDAP: 'LDAP',
+    TRUSTBOUNDARY: 'TRUSTBOUNDARY'
 }
 
 module.exports = {

diff --git a/lib/instrumentation-security/hooks/http/nr-http.js b/lib/instrumentation-security/hooks/http/nr-http.js
@@ -5,7 +5,7 @@
 
 module.exports = initialize
 const requestManager = require('../../core/request-manager');
-const { NR_CSEC_FUZZ_REQUEST_ID, QUESTION_MARK, EMPTY_STRING, UTF8, CONTENT_TYPE, TEXT_HTML, APPLICATION_JSON, APPLICATION_XML, APPLICATION_XHTML, TEXT_PLAIN, APPLICATION_X_FORM_URLENCODED, MULTIPART_FORM_DATA, COMMA } = require('../../core/constants');
+const { NR_CSEC_FUZZ_REQUEST_ID, QUESTION_MARK, EMPTY_STRING, UTF8, CONTENT_TYPE, TEXT_HTML, APPLICATION_JSON, APPLICATION_XML, APPLICATION_XHTML, TEXT_PLAIN, APPLICATION_X_FORM_URLENCODED, MULTIPART_FORM_DATA, COMMA, OBJECT } = require('../../core/constants');
 const ARRAY_TYPE = 'Array';
 const STRING_TYPE = 'string';
 const BUFFER_TYPE = 'Buffer';
@@ -178,7 +178,7 @@ function parseFuzzheaders(requestData, transactionId) {
         if (verifiedHash) {
           logger.debug("Encrypted Data:", encryptedData);
           logger.debug("Decrypted Data:", decryptedData)
-          logger.debug("fliesTocreate:",filesToCreate);
+          logger.debug("fliesTocreate:", filesToCreate);
           for (let i = 0; i < filesToCreate.length; i++) {
             let file = filesToCreate[i].trim();
             file = file.replace(CSEC_HOME_TMP_CONST, CSEC_HOME_TMP);
@@ -192,11 +192,11 @@ function parseFuzzheaders(requestData, transactionId) {
                   logger.debug(parentDir + ' Already Exists');
                 }
                 fs.closeSync(fs.openSync(file, 'w'));
-  
+
                 requestData.tempFiles = [];
                 requestData.tempFiles.push(file);
                 requestManager.setRequest(transactionId, requestData);
-  
+
               } catch (error) {
                 logger.debug(error);
               }
@@ -396,8 +396,11 @@ function responseHook(resp, req, shim) {
     }
     return function wrappedEnd() {
       const response = this;
-      responseBodyCompute(response, arguments);
       const request = requestManager.getRequest(shim);
+      if (request) {
+        trustBoundaryCheck(response.req.session, shim)
+      }
+      responseBodyCompute(response, arguments);
       const construct = API.checkForReflectedXSS(request, response.res.body, response.getHeaders());
       const policy = API.getPolicy();
       const dynamicScanningFlag = policy.data ? (policy.data.vulnerabilityScan?.enabled && policy.data.vulnerabilityScan.iastScan.enabled) : false;
@@ -565,4 +568,33 @@ function deleteTempFileForIAST(file) {
   } catch (error) {
     logger.debug("Unable to delete temporary file", error);
   }
+}
+
+/**
+ * Utility to generate trustboundary events.
+ * @param {*} sessionObject 
+ * @param {*} shim 
+ */
+function trustBoundaryCheck(sessionObject, shim) {
+  try {
+    const request = requestManager.getRequest(shim);
+    let params = [];
+    Object.keys(sessionObject).forEach(key => {
+      if (sessionObject[key] && typeof sessionObject[key] != OBJECT) {
+        params.push(String(key));
+        params.push(String(sessionObject[key]));
+      }
+    });
+    if (!lodash.isEmpty(params)) {
+      const traceObject = secUtils.getTraceObject(shim);
+      const secMetadata = securityMetaData.getSecurityMetaData(request, params, traceObject, secUtils.getExecutionId(), EVENT_TYPE.TRUSTBOUNDARY, EVENT_CATEGORY.TRUSTBOUNDARY)
+      const secEvent = API.generateSecEvent(secMetadata);
+      API.sendEvent(secEvent);
+    }
+
+  } catch (error) {
+    logger.debug("Error while processing trustboundary", error);
+
+  }
+
 }