Reject security control with non numeric parameters

Author: iunanua

packages/dd-trace/src/appsec/iast/security-controls/parser.js

@@ -58,7 +58,12 @@ function parseControl (control) {
 
   method = method?.trim()
 
-  parameters = getParameters(parameters)
+  try {
+    parameters = getParameters(parameters)
+  } catch (e) {
+    log.warn('[ASM] Invalid non-numeric security control parameter %s', parameters)
+    return
+  }
 
   return { type, secureMarks, file, method, parameters }
 }
@@ -72,12 +77,11 @@ function getSecureMarks (marks) {
 function getParameters (parameters) {
   return parameters?.split(SECURITY_CONTROL_ELEMENT_DELIMITER)
     .map(param => {
-      let parsedParam = parseInt(param, 10)
+      const parsedParam = parseInt(param, 10)
 
-      // TODO: should we discard the whole securityControl??
+      // discard the securityControl if there is an incorrect parameter
       if (isNaN(parsedParam)) {
-        log.warn('[ASM] Invalid non-numeric security control parameter %s', param)
-        parsedParam = undefined
+        throw new Error('Invalid non-numeric security control parameter')
       }
 
       return parsedParam

packages/dd-trace/test/appsec/iast/security-controls/parser.spec.js

@@ -42,6 +42,15 @@ describe('IAST Security Controls parser', () => {
       assert.isUndefined(civ)
     })
 
+    it('should not parse invalid parameter in security control definition', () => {
+      const conf = 'INPUT_VALIDATOR:INVALID_MARK:bar/foo/custom_input_validator.js:validate:not_numeric_parameter'
+      const securityControls = parse(conf)
+
+      const civ = securityControls.get(civFilename)
+
+      assert.isUndefined(civ)
+    })
+
     it('should parse valid simple security control definition without parameters', () => {
       const conf = 'INPUT_VALIDATOR:COMMAND_INJECTION:bar/foo/custom_input_validator.js:validate'
       const securityControls = parse(conf)