
feat: http method checker workflow#42

Merged
bebiksior merged 3 commits into caido-community:main from GangGreenTemperTatum:workflows/ads-http-method-check
Jul 30, 2025

Conversation

@GangGreenTemperTatum (Contributor) commented Jul 30, 2025

http method checker workflow

  • Follow the same folder structure as other workflows (see template).
  • Has a proper author name and workflow description.
  • If using compiled code in JS Nodes, provide the source code for each.
  • If using a 3rd party library, include its license as a comment in the source code.

This change introduces an asynchronous function `run` designed to perform a dynamic security check against an HTTP endpoint by probing its supported HTTP methods via an OPTIONS request.

Detailed Behavior:

The function accepts an input context containing the original HTTP request and a response handler, along with an SDK instance for sending requests and creating findings.

  • It immediately returns if no request is provided.
  • It extracts the original HTTP method of the incoming request (`orig`).
  • A clone of the original request’s specification is created (`spec`), with its method forcibly set to OPTIONS.
  • Using the SDK, it sends this modified OPTIONS request (`probe`) to the same host and path as the original request.
  • Upon receiving a response to the OPTIONS probe, it inspects the headers for allowed HTTP methods from either the `Allow` or `Access-Control-Allow-Methods` headers.

The allowed methods are parsed and compared against the original request method.

If the original method is not included in the allowed methods list returned by the server, the function creates a finding via the SDK, flagging the discrepancy as "Extraneous HTTP methods exposed."

The finding includes a descriptive message, the original request, the probe response, and a deduplication key to avoid duplicate reports.

Deduplication Key:

The deduplication key is constructed as:

`${host}|${path}|${origMethod}|${allowHeader}`

where:

  • `host` is the request host,
  • `path` is the request path,
  • `origMethod` is the original HTTP method of the request,
  • `allowHeader` is the raw value from the `Allow` or `Access-Control-Allow-Methods` header.

This key ensures unique identification of discrepancies per endpoint and method mismatch, preventing redundant findings.

Example Report:

Title: Extraneous HTTP methods exposed
Description: OPTIONS listed methods [GET, POST, PUT], original: DELETE
Host: example.com
Path: /api/resource
Original Method: DELETE
Allowed Methods: GET, POST, PUT

Deduplication Key: example.com|/api/resource|DELETE|GET,POST,PUT

This report indicates that the original HTTP method (DELETE) is not advertised as allowed by the server’s OPTIONS response, highlighting a potential security or configuration issue.
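The comparison and dedup-key logic described above, as an added JavaScript example that is not the PR's code: it works on a plain request/response object instead of the Caido SDK (the probe is assumed to have already been sent), checks `Allow` before `Access-Control-Allow-Methods` since the description does not fix an order, and additionally treats a `*` wildcard as allowing every method so it is not reported as a mismatch.

```javascript
// Added example, not the workflow's own code. Request/response shapes are a
// simplified stand-in for the Caido SDK objects (assumption), but the header
// names, finding title/description and dedup key format follow the PR text.
const ALLOW_HEADERS = ["allow", "access-control-allow-methods"]; // checked in this order

// Case-insensitive lookup of the first allow-style header the probe response carries.
// Returns the raw header value (multi-valued headers are joined with ",") or null.
function findAllowHeader(headers) {
  for (const name of ALLOW_HEADERS) {
    for (const [k, v] of Object.entries(headers)) {
      if (k.toLowerCase() === name) return Array.isArray(v) ? v.join(",") : v;
    }
  }
  return null;
}

// "GET, post ,PUT" -> ["GET", "POST", "PUT"]; empty entries are dropped.
function parseAllowedMethods(raw) {
  return raw.split(",").map(m => m.trim().toUpperCase()).filter(Boolean);
}

// Returns a finding object when the original method is absent from the advertised
// list, or null when it is listed, when "*" is advertised, or when the probe
// response carries no allow-style header at all (nothing to compare against).
function checkMethods(request, probeResponse) {
  const origMethod = request.method.toUpperCase();
  const allowHeader = findAllowHeader(probeResponse.headers);
  if (allowHeader === null) return null;
  const allowed = parseAllowedMethods(allowHeader);
  if (allowed.includes("*") || allowed.includes(origMethod)) return null;
  return {
    title: "Extraneous HTTP methods exposed",
    description: `OPTIONS listed methods [${allowed.join(", ")}], original: ${origMethod}`,
    // Raw header value goes into the key, exactly as the PR description states.
    dedupeKey: `${request.host}|${request.path}|${origMethod}|${allowHeader}`,
  };
}

// Constructed sample: a DELETE whose OPTIONS probe advertises only GET, POST, PUT.
const sampleRequest = { host: "example.com", path: "/api/resource", method: "DELETE" };
const sampleProbe = { status: 204, headers: { Allow: "GET,POST,PUT" } };
const sampleFinding = checkMethods(sampleRequest, sampleProbe);
if (sampleFinding) console.log(sampleFinding.description, "->", sampleFinding.dedupeKey);
```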

@bebiksior (Collaborator)

Hey @GangGreenTemperTatum, thanks for contributing!! Could you move the source code from the definition to an external javascript.ts file just like you did in #43? This would make this workflow more maintainable.

Thanks again, we really appreciate it :D

@GangGreenTemperTatum (Contributor, Author)

> Hey @GangGreenTemperTatum, thanks for contributing!! Could you move the source code from the definition to an external javascript.ts file just like you did in #43? This would make this workflow more maintainable.
>
> Thanks again, we really appreciate it :D

Thanks again @bebiksior! :) Super appreciate your quick acknowledgement and assistance on this one!

chore: refactor definition to an external javascript.ts file

Hopefully I believe this should achieve that request :) plmk if I can help with anything else!

@bebiksior (Collaborator) left a comment

LGTM, thanks! Note that this one will be included in the workflows store once we push a new release including your other PR : D

@bebiksior bebiksior merged commit 97aa59e into caido-community:main Jul 30, 2025
1 check passed