Use separate cache for path traversal check

We have to check every user input strings, we can reduce the amount of
strings with a separate cache specifically for file system checks. The
string needs to include at least a slash. Otherwise it can be never be
abused.

Something we could apply to other vulnerability checks :)

Author: hansott

library/agent/Context.ts

@@ -25,6 +25,7 @@ export type Context = {
   subdomains?: string[]; // https://expressjs.com/en/5x/api.html#req.subdomains
   markUnsafe?: unknown[];
   cache?: ReturnType<typeof extractStringsFromUserInput>;
+  cachePathTraversal?: ReturnType<typeof extractStringsFromUserInput>;
   /**
    * Used to store redirects in outgoing http(s) requests that are started by a user-supplied input (hostname and port / url) to prevent SSRF redirect attacks.
    */
@@ -53,6 +54,7 @@ export function updateContext<K extends keyof Context>(
 
   // Clear all the cached user input strings
   delete context.cache;
+  delete context.cachePathTraversal;
 }
 
 /**
@@ -94,6 +96,7 @@ export function runWithContext<T>(context: Context, fn: () => T) {
   // In tests the context is often passed by reference
   // Make sure to clean up the cache before running the function
   delete context.cache;
+  delete context.cachePathTraversal;
 
   // If there's no context yet, we create a new context and run the function with it
   return ContextStorage.run(context, fn);

library/helpers/extractPathTraversalStringsFromUserInputCached.ts

@@ -0,0 +1,31 @@
+import { Context } from "../agent/Context";
+import { SOURCES } from "../agent/Source";
+import { extractStringsFromUserInput } from "./extractStringsFromUserInput";
+
+type ReturnValue = ReturnType<typeof extractStringsFromUserInput>;
+
+export function extractPathTraversalStringsFromUserInputCached(
+  context: Context
+): ReturnValue {
+  if (context.cachePathTraversal) {
+    return context.cachePathTraversal;
+  }
+
+  const userStrings: ReturnValue = new Set();
+
+  for (const source of SOURCES) {
+    if (!context[source]) {
+      continue;
+    }
+
+    for (const item of extractStringsFromUserInput(context[source])) {
+      if (item.includes("/")) {
+        userStrings.add(item);
+      }
+    }
+  }
+
+  context.cachePathTraversal = userStrings;
+
+  return userStrings;
+}

library/vulnerabilities/path-traversal/checkContextForPathTraversal.ts

@@ -1,6 +1,7 @@
 import { Context } from "../../agent/Context";
 import { InterceptorResult } from "../../agent/hooks/InterceptorResult";
 import { getPathsToPayload } from "../../helpers/attackPath";
+import { extractPathTraversalStringsFromUserInputCached } from "../../helpers/extractPathTraversalStringsFromUserInputCached";
 import { extractStringsFromUserInputCached } from "../../helpers/extractStringsFromUserInputCached";
 import { getSourceForUserString } from "../../helpers/getSourceForUserString";
 import { detectPathTraversal } from "./detectPathTraversal";
@@ -26,7 +27,7 @@ export function checkContextForPathTraversal({
     return;
   }
 
-  for (const str of extractStringsFromUserInputCached(context)) {
+  for (const str of extractPathTraversalStringsFromUserInputCached(context)) {
     if (detectPathTraversal(pathString, str, checkPathStart, isUrl)) {
       const source = getSourceForUserString(context, str);
       if (source) {