Santandersecurityresearch / DrHeader

drHEADer helps with the audit of security headers received in response to a single request or a list of requests.
MIT License
105 stars 26 forks

Custom header Must-* rule not working #375

Open popuku-dog opened 1 month ago

popuku-dog commented 1 month ago

Description

Custom headers, or headers other than policy headers, can't work with Must-* rules.

What I Did

I found this issue when I was using drheader with the custom header rule below

# rule.yaml
X-Custom-Header:
    Required: Optional
    Must-Avoid:
        - item_1
        - item_2
    Item-Delimiter: ';'
    Key-Delimiter: '='
    Value-Delimiter: ','

and the headers json file

# headers.json
{
    "X-Custom-Header": "item_1 = value_1, value_2; item_2 = value_1; item_3"
}

I apply the rule on the header json file with command

drheader compare single headers.json -rf rule.yaml

and it outputs [image]

Then I traced the source code for a while and found that core.py L111 gives config['delimiters'] the value obtained from _DELIMITERS, which will be None if the header is not among the keys in resources/delimiters.json. Therefore, when passing **config.get('delimiters', {}) to utils.parse_policy in header_validator.py L112, the error occurs. In terms of implementation, **config.get('delimiters', {}) is meant to make the default value of delimiters an empty dict, but it will be None instead, which is expected.

Request

Can you fix this little bug? Or I can open a pull request to fix this error. This enables drheader to filter headers based on values even if the header is not a policy header. For example, you want to report the issue when some headers have obsolete values.
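The failure described in this issue comes down to a Python detail: dict.get(key, {}) only falls back to {} when the key is missing, not when the key is present with the value None, and `**None` raises TypeError. The following is an added example, not drheader's own code; _DELIMITERS, parse_policy, buggy_config, fixed_config and must_avoid_findings are hypothetical simplifications of what the comment above describes, and the rule and header value are taken from the issue's rule.yaml and headers.json. It reproduces the error on the buggy path and shows a tolerant lookup (rule delimiters first, then the built-in table, then `or {}`) that lets the Must-Avoid check run for a custom header.

```python
"""Added example (not drheader's code): reproduce the None-delimiters failure and a fix.

All names below are hypothetical simplifications of what the issue describes.
"""
from typing import Dict, List

# Constructed stand-in for resources/delimiters.json: only "policy" headers are listed,
# so a custom header like X-Custom-Header has no entry (hypothetical content).
_DELIMITERS: Dict[str, Dict[str, str]] = {
    "Content-Security-Policy": {
        "item_delimiter": ";", "key_delimiter": " ", "value_delimiter": " ",
    },
}

# Constructed from the issue's rule.yaml and headers.json.
RULE = {
    "Required": "Optional",
    "Must-Avoid": ["item_1", "item_2"],
    "Item-Delimiter": ";",
    "Key-Delimiter": "=",
    "Value-Delimiter": ",",
}
HEADER_VALUE = "item_1 = value_1, value_2; item_2 = value_1; item_3"


def parse_policy(value: str, item_delimiter: str = ";", key_delimiter: str = "=",
                 value_delimiter: str = ",") -> Dict[str, List[str]]:
    """Hypothetical parser: split a header value into {key: [values]} using the delimiters."""
    policy: Dict[str, List[str]] = {}
    for item in value.split(item_delimiter):
        item = item.strip()
        if not item:
            continue
        key, sep, rest = item.partition(key_delimiter)
        values = [v.strip() for v in rest.split(value_delimiter) if v.strip()] if sep else []
        policy[key.strip()] = values
    return policy


def buggy_config(header: str) -> dict:
    """Mirror of the behaviour the issue describes: the lookup result is stored as-is,
    so for a header absent from _DELIMITERS the 'delimiters' key holds None."""
    return {"delimiters": _DELIMITERS.get(header)}


def fixed_config(header: str, rule: dict) -> dict:
    """Prefer the delimiters given in the rule itself, then the built-in table, then {}."""
    from_rule = {
        "item_delimiter": rule.get("Item-Delimiter"),
        "key_delimiter": rule.get("Key-Delimiter"),
        "value_delimiter": rule.get("Value-Delimiter"),
    }
    from_rule = {k: v for k, v in from_rule.items() if v is not None}
    return {"delimiters": from_rule or _DELIMITERS.get(header) or {}}


def reproduce_bug(header: str, value: str) -> str:
    """Run the failing call from the issue and return the exception class name.

    dict.get(key, {}) only falls back when the key is missing; a key present with the
    value None is returned as None, and **None is rejected by Python with TypeError.
    """
    config = buggy_config(header)
    try:
        parse_policy(value, **config.get("delimiters", {}))
    except TypeError as exc:
        return type(exc).__name__
    return "no error"


def must_avoid_findings(value: str, rule: dict, config: dict) -> List[str]:
    """Return the Must-Avoid items that appear as keys in the parsed header value.

    `config.get("delimiters") or {}` tolerates both a missing key and an explicit None.
    """
    policy = parse_policy(value, **(config.get("delimiters") or {}))
    return [item for item in rule.get("Must-Avoid", []) if item in policy]


if __name__ == "__main__":
    print("buggy path:", reproduce_bug("X-Custom-Header", HEADER_VALUE))
    cfg = fixed_config("X-Custom-Header", RULE)
    print("fixed path:", must_avoid_findings(HEADER_VALUE, RULE, cfg))
```

Letting the rule's own Item-/Key-/Value-Delimiter entries take precedence is what makes a custom header usable at all: without them there is nothing in the built-in table to fall back on, and the validator would otherwise parse the value with whatever defaults parse_policy happens to have.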