dd-trace 2.3.1 → 2.4.0

package/packages/dd-trace/src/appsec/recommended.json

@@ -1,9 +1,12 @@
 {
-  "version": "2.1",
+  "version": "2.2",
+  "metadata": {
+    "rules_version": "1.2.6"
+  },
   "rules": [
     {
       "id": "crs-913-110",
-      "name": "Found request header associated with Acunetix security scanner",
+      "name": "Acunetix",
       "tags": {
         "type": "security_scanner",
         "crs_id": "913110",
@@ -21,7 +24,8 @@
               "acunetix-product",
               "(acunetix web vulnerability scanner",
               "acunetix-scanning-agreement",
-              "acunetix-user-agreement"
+              "acunetix-user-agreement",
+              "md5(acunetix_wvs_security_test)"
             ]
           },
           "operator": "phrase_match"
@@ -33,7 +37,7 @@
     },
     {
       "id": "crs-913-120",
-      "name": "Found request filename/argument associated with security scanner",
+      "name": "Known security scanner filename/argument",
       "tags": {
         "type": "security_scanner",
         "crs_id": "913120",
@@ -228,7 +232,9 @@
           "operator": "match_regex"
         }
       ],
-      "transformers": []
+      "transformers": [
+        "normalizePath"
+      ]
     },
     {
       "id": "crs-930-110",
@@ -1400,12 +1406,13 @@
         }
       ],
       "transformers": [
-        "lowercase"
+        "lowercase",
+        "normalizePath"
       ]
     },
     {
       "id": "crs-931-110",
-      "name": "Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload",
+      "name": "RFI: Common RFI Vulnerable Parameter Name used w/ URL Payload",
       "tags": {
         "type": "rfi",
         "crs_id": "931110",
@@ -1431,7 +1438,7 @@
     },
     {
       "id": "crs-931-120",
-      "name": "Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)",
+      "name": "RFI: URL Payload Used w/Trailing Question Mark Character (?)",
       "tags": {
         "type": "rfi",
         "crs_id": "931120",
@@ -2867,44 +2874,6 @@
         "removeNulls"
       ]
     },
-    {
-      "id": "crs-942-140",
-      "name": "SQL Injection Attack: Common DB Names Detected",
-      "tags": {
-        "type": "sql_injection",
-        "crs_id": "942140",
-        "category": "attack_attempt"
-      },
-      "conditions": [
-        {
-          "parameters": {
-            "inputs": [
-              {
-                "address": "server.request.cookies"
-              },
-              {
-                "address": "server.request.query"
-              },
-              {
-                "address": "server.request.body"
-              },
-              {
-                "address": "server.request.path_params"
-              },
-              {
-                "address": "grpc.server.request.message"
-              }
-            ],
-            "regex": "\\b(?:(?:m(?:s(?:ys(?:ac(?:cess(?:objects|storage|xml)|es)|(?:relationship|object|querie)s|modules2?)|db)|aster\\.\\.sysdatabases|ysql\\.db)|pg_(?:catalog|toast)|information_schema|northwind|tempdb)\\b|s(?:(?:ys(?:\\.database_name|aux)|qlite(?:_temp)?_master)\\b|chema(?:_name\\b|\\W*\\())|d(?:atabas|b_nam)e\\W*\\()",
-            "options": {
-              "min_length": 4
-            }
-          },
-          "operator": "match_regex"
-        }
-      ],
-      "transformers": []
-    },
     {
       "id": "crs-942-160",
       "name": "Detects blind sqli tests using sleep() or benchmark()",
@@ -2982,45 +2951,6 @@
       ],
       "transformers": []
     },
-    {
-      "id": "crs-942-220",
-      "name": "Looking for integer overflow attacks, these are taken from skipfish, except 2.2.2250738585072011e-308 is the \\\"magic number\\\" crash",
-      "tags": {
-        "type": "sql_injection",
-        "crs_id": "942220",
-        "category": "attack_attempt"
-      },
-      "conditions": [
-        {
-          "parameters": {
-            "inputs": [
-              {
-                "address": "server.request.cookies"
-              },
-              {
-                "address": "server.request.query"
-              },
-              {
-                "address": "server.request.body"
-              },
-              {
-                "address": "server.request.path_params"
-              },
-              {
-                "address": "grpc.server.request.message"
-              }
-            ],
-            "regex": "^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$",
-            "options": {
-              "case_sensitive": true,
-              "min_length": 5
-            }
-          },
-          "operator": "match_regex"
-        }
-      ],
-      "transformers": []
-    },
     {
       "id": "crs-942-240",
       "name": "Detects MySQL charset switch and MSSQL DoS attempts",
@@ -3100,7 +3030,7 @@
     },
     {
       "id": "crs-942-270",
-      "name": "Looking for basic sql injection. Common attack string for mysql, oracle and others",
+      "name": "Basic SQL injection",
       "tags": {
         "type": "sql_injection",
         "crs_id": "942270",
@@ -3138,7 +3068,7 @@
     },
     {
       "id": "crs-942-280",
-      "name": "Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts",
+      "name": "SQL Injection with delay functions",
       "tags": {
         "type": "sql_injection",
         "crs_id": "942280",
@@ -3528,6 +3458,116 @@
         "lowercase"
       ]
     },
+    {
+      "id": "dog-000-001",
+      "name": "Look for Cassandra injections",
+      "tags": {
+        "type": "nosql_injection",
+        "category": "attack_attempt"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              },
+              {
+                "address": "server.request.path_params"
+              },
+              {
+                "address": "server.request.headers.no_cookies"
+              }
+            ],
+            "regex": "\\ballow\\s+filtering\\b"
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": [
+        "removeComments"
+      ]
+    },
+    {
+      "id": "dog-000-002",
+      "name": "OGNL - Look for formatting injection patterns",
+      "tags": {
+        "type": "java_code_injection",
+        "category": "attack_attempt"
+      },
+      "conditions": [
+        {
+          "operator": "match_regex",
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.cookies"
+              },
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              },
+              {
+                "address": "server.request.path_params"
+              },
+              {
+                "address": "grpc.server.request.message"
+              }
+            ],
+            "regex": "[#%$]{[^}]+[^\\w\\s][^}]+}",
+            "options": {
+              "case_sensitive": true
+            }
+          }
+        }
+      ],
+      "transformers": []
+    },
+    {
+      "id": "dog-000-003",
+      "name": "OGNL - Detect OGNL exploitation primitives",
+      "tags": {
+        "type": "java_code_injection",
+        "category": "attack_attempt"
+      },
+      "conditions": [
+        {
+          "operator": "match_regex",
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.cookies"
+              },
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              },
+              {
+                "address": "server.request.path_params"
+              },
+              {
+                "address": "server.request.headers.no_cookies"
+              },
+              {
+                "address": "grpc.server.request.message"
+              }
+            ],
+            "regex": "[@#]ognl",
+            "options": {
+              "case_sensitive": true
+            }
+          }
+        }
+      ],
+      "transformers": []
+    },
     {
       "id": "nfd-000-001",
       "name": "Detect common directory discovery scans",
@@ -5229,31 +5269,6 @@
       ],
       "transformers": []
     },
-    {
-      "id": "ua0-600-41x",
-      "name": "Acunetix",
-      "tags": {
-        "type": "security_scanner",
-        "category": "attack_attempt"
-      },
-      "conditions": [
-        {
-          "parameters": {
-            "inputs": [
-              {
-                "address": "server.request.headers.no_cookies",
-                "key_path": [
-                  "user-agent"
-                ]
-              }
-            ],
-            "regex": "md5\\(acunetix_wvs_security_test\\)"
-          },
-          "operator": "match_regex"
-        }
-      ],
-      "transformers": []
-    },
     {
       "id": "ua0-600-42x",
       "name": "OpenVAS",
@@ -5506,7 +5521,7 @@
     },
     {
       "id": "ua0-600-52x",
-      "name": "Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use",
+      "name": "Nuclei",
       "tags": {
         "type": "security_scanner",
         "category": "attack_attempt"
@@ -5531,7 +5546,7 @@
     },
     {
       "id": "ua0-600-53x",
-      "name": "Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence",
+      "name": "Tsunami",
       "tags": {
         "type": "security_scanner",
         "category": "attack_attempt"
@@ -5556,7 +5571,7 @@
     },
     {
       "id": "ua0-600-54x",
-      "name": "Nimbostratus is a vulnerability scanner that scan websites unprompted",
+      "name": "Nimbostratus",
       "tags": {
         "type": "security_scanner",
         "category": "attack_attempt"
@@ -5595,6 +5610,12 @@
                 "key_path": [
                   "user-agent"
                 ]
+              },
+              {
+                "address": "grpc.server.request.metadata",
+                "key_path": [
+                  "dd-canary"
+                ]
               }
             ],
             "regex": "^dd-test-scanner-log$"
@@ -5606,7 +5627,7 @@
     },
     {
       "id": "ua0-600-5xx",
-      "name": "Blind Sql Injection Brute Forcer",
+      "name": "Blind SQL Injection Brute Forcer",
       "tags": {
         "type": "security_scanner",
         "category": "attack_attempt"

package/packages/dd-trace/src/config.js

@@ -109,6 +109,11 @@ class Config {
       process.env.DD_TRACE_EXPERIMENTAL_B3_ENABLED,
       false
     )
+    const DD_TRACE_TRACEPARENT_ENABLED = coalesce(
+      options.experimental && options.experimental.traceparent,
+      process.env.DD_TRACE_EXPERIMENTAL_TRACEPARENT_ENABLED,
+      false
+    )
     const DD_TRACE_RUNTIME_ID_ENABLED = coalesce(
       options.experimental && options.experimental.runtimeId,
       process.env.DD_TRACE_EXPERIMENTAL_RUNTIME_ID_ENABLED,
@@ -187,6 +192,7 @@ class Config {
     this.runtimeMetrics = isTrue(DD_RUNTIME_METRICS_ENABLED)
     this.experimental = {
       b3: isTrue(DD_TRACE_B3_ENABLED),
+      traceparent: isTrue(DD_TRACE_TRACEPARENT_ENABLED),
       runtimeId: isTrue(DD_TRACE_RUNTIME_ID_ENABLED),
       exporter: DD_TRACE_EXPORTER,
       enableGetRumData: isTrue(DD_TRACE_GET_RUM_DATA_ENABLED),

package/packages/dd-trace/src/noop/tracer.js

@@ -38,6 +38,10 @@ class NoopTracer extends Tracer {
   _startSpan (name, options) {
     return this._span
   }
+
+  setUser () {
+    return this
+  }
 }
 
 module.exports = NoopTracer

package/packages/dd-trace/src/opentracing/propagation/text_map.js

@@ -26,6 +26,8 @@ const baggageExpr = new RegExp(`^${baggagePrefix}(.+)$`)
 const ddKeys = [traceKey, spanKey, samplingKey, originKey]
 const b3Keys = [b3TraceKey, b3SpanKey, b3ParentKey, b3SampledKey, b3FlagsKey, b3HeaderKey]
 const logKeys = ddKeys.concat(b3Keys)
+const traceparentExpr = /^(\d{2})-([A-Fa-f0-9]{32})-([A-Fa-f0-9]{16})-(\d{2})$/i
+const traceparentKey = 'traceparent'
 
 class TextMapPropagator {
   constructor (config) {
@@ -40,6 +42,7 @@ class TextMapPropagator {
     this._injectSamplingPriority(spanContext, carrier)
     this._injectBaggageItems(spanContext, carrier)
     this._injectB3(spanContext, carrier)
+    this._injectTraceparent(spanContext, carrier)
 
     log.debug(() => `Inject into carrier: ${JSON.stringify(pick(carrier, logKeys))}.`)
   }
@@ -92,8 +95,20 @@ class TextMapPropagator {
     }
   }
 
+  _injectTraceparent (spanContext, carrier) {
+    if (!this._config.experimental.traceparent) return
+
+    const sampling = spanContext._sampling.priority >= AUTO_KEEP ? '01' : '00'
+    const traceId = spanContext._traceId.toString('hex').padStart(32, '0')
+    const spanId = spanContext._spanId.toString('hex').padStart(16, '0')
+    carrier[traceparentKey] = `01-${traceId}-${spanId}-${sampling}`
+  }
+
   _extractSpanContext (carrier) {
-    return this._extractDatadogContext(carrier) || this._extractB3Context(carrier) || this._extractSqsdContext(carrier)
+    return this._extractDatadogContext(carrier) ||
+      this._extractTraceparentContext(carrier) ||
+      this._extractB3Context(carrier) ||
+      this._extractSqsdContext(carrier)
   }
 
   _extractDatadogContext (carrier) {
@@ -146,6 +161,24 @@ class TextMapPropagator {
     return this._extractDatadogContext(parsed)
   }
 
+  _extractTraceparentContext (carrier) {
+    if (!this._config.experimental.traceparent) return null
+
+    const headerValue = carrier[traceparentKey]
+    if (!headerValue) {
+      return null
+    }
+    const matches = headerValue.match(traceparentExpr)
+    if (matches.length) {
+      return new DatadogSpanContext({
+        traceId: id(matches[2], 16),
+        spanId: id(matches[3], 16),
+        sampling: { priority: matches[4] === '01' ? 1 : 0 }
+      })
+    }
+    return null
+  }
+
   _extractGenericContext (carrier, traceKey, spanKey, radix) {
     if (carrier[traceKey] && carrier[spanKey]) {
       return new DatadogSpanContext({

package/packages/dd-trace/src/proxy.js

@@ -141,6 +141,10 @@ class Tracer extends BaseTracer {
   getRumData () {
     return this._tracer.getRumData.apply(this._tracer, arguments)
   }
+
+  setUser () {
+    return this._tracer.setUser.apply(this.tracer, arguments)
+  }
 }
 
 module.exports = Tracer

package/packages/dd-trace/src/tracer.js

@@ -122,6 +122,22 @@ class DatadogTracer extends Tracer {
 <meta name="dd-trace-id" content="${traceId}" />\
 <meta name="dd-trace-time" content="${traceTime}" />`
   }
+
+  setUser (user) {
+    if (!user || !user.id) return this
+
+    const span = this.scope().active()
+    if (!span) return this
+
+    const rootSpan = span._spanContext._trace.started[0]
+    if (!rootSpan) return this
+
+    for (const k of Object.keys(user)) {
+      rootSpan.setTag(`usr.${k}`, '' + user[k])
+    }
+
+    return this
+  }
 }
 
 function addError (span, error) {

package/packages/datadog-plugin-mongodb-core/src/legacy.js

@@ -1,59 +0,0 @@
-'use strict'
-
-const { instrument } = require('./util')
-
-function createWrapCommand (tracer, config, name) {
-  return function wrapCommand (command) {
-    return function commandWithTrace (ns, ops) {
-      return instrument(command, this, arguments, this, ns, ops, tracer, config, { name })
-    }
-  }
-}
-
-function createWrapQuery (tracer, config) {
-  return function wrapQuery (query) {
-    return function queryWithTrace () {
-      const pool = this.server.s.pool
-      const ns = this.ns
-      const ops = this.cmd
-
-      return instrument(query, this, arguments, pool, ns, ops, tracer, config)
-    }
-  }
-}
-
-function createWrapCursor (tracer, config, name) {
-  return function wrapCursor (cursor) {
-    return function cursorWithTrace () {
-      const pool = this.server.s.pool
-      const ns = this.ns
-
-      return instrument(cursor, this, arguments, pool, ns, {}, tracer, config, { name })
-    }
-  }
-}
-
-module.exports = [
-  {
-    name: 'mongodb-core',
-    versions: ['2 - 3.1.9'],
-    patch ({ Cursor, Server }, tracer, config) {
-      this.wrap(Server.prototype, 'command', createWrapCommand(tracer, config))
-      this.wrap(Server.prototype, 'insert', createWrapCommand(tracer, config, 'insert'))
-      this.wrap(Server.prototype, 'update', createWrapCommand(tracer, config, 'update'))
-      this.wrap(Server.prototype, 'remove', createWrapCommand(tracer, config, 'remove'))
-      this.wrap(Cursor.prototype, '_getmore', createWrapCursor(tracer, config, 'getMore'))
-      this.wrap(Cursor.prototype, '_find', createWrapQuery(tracer, config))
-      this.wrap(Cursor.prototype, 'kill', createWrapCursor(tracer, config, 'killCursors'))
-    },
-    unpatch ({ Cursor, Server }) {
-      this.unwrap(Server.prototype, 'command')
-      this.unwrap(Server.prototype, 'insert')
-      this.unwrap(Server.prototype, 'update')
-      this.unwrap(Server.prototype, 'remove')
-      this.unwrap(Cursor.prototype, '_getmore')
-      this.unwrap(Cursor.prototype, '_find')
-      this.unwrap(Cursor.prototype, 'kill')
-    }
-  }
-]

package/packages/datadog-plugin-mongodb-core/src/unified.js

@@ -1,138 +0,0 @@
-'use strict'
-
-const { instrument } = require('./util')
-
-function createWrapConnectionCommand (tracer, config, name) {
-  return function wrapCommand (command) {
-    return function commandWithTrace (ns, ops) {
-      const hostParts = typeof this.address === 'string' ? this.address.split(':') : ''
-      const options = hostParts.length === 2
-        ? { host: hostParts[0], port: hostParts[1] }
-        : {} // no port means the address is a random UUID so no host either
-      const topology = { s: { options } }
-
-      ns = `${ns.db}.${ns.collection}`
-
-      return instrument(command, this, arguments, topology, ns, ops, tracer, config, { name })
-    }
-  }
-}
-
-function createWrapCommand (tracer, config, name) {
-  return function wrapCommand (command) {
-    return function commandWithTrace (server, ns, ops) {
-      return instrument(command, this, arguments, server, ns, ops, tracer, config, { name })
-    }
-  }
-}
-
-function createWrapMaybePromise (tracer, config) {
-  return function wrapMaybePromise (maybePromise) {
-    return function maybePromiseWithTrace (parent, callback, fn) {
-      const callbackIndex = arguments.length - 2
-
-      callback = arguments[callbackIndex]
-
-      if (typeof callback === 'function') {
-        arguments[callbackIndex] = tracer.scope().bind(callback)
-      }
-
-      return maybePromise.apply(this, arguments)
-    }
-  }
-}
-
-function patch (wp, tracer, config) {
-  this.wrap(wp, 'command', createWrapCommand(tracer, config))
-  this.wrap(wp, 'insert', createWrapCommand(tracer, config, 'insert'))
-  this.wrap(wp, 'update', createWrapCommand(tracer, config, 'update'))
-  this.wrap(wp, 'remove', createWrapCommand(tracer, config, 'remove'))
-  this.wrap(wp, 'query', createWrapCommand(tracer, config))
-  this.wrap(wp, 'getMore', createWrapCommand(tracer, config, 'getMore'))
-  this.wrap(wp, 'killCursors', createWrapCommand(tracer, config, 'killCursors'))
-}
-
-function unpatch (wp) {
-  this.unwrap(wp, 'command')
-  this.unwrap(wp, 'insert')
-  this.unwrap(wp, 'update')
-  this.unwrap(wp, 'remove')
-  this.unwrap(wp, 'query')
-  this.unwrap(wp, 'getMore')
-  this.unwrap(wp, 'killCursors')
-}
-
-function patchConnection ({ Connection }, tracer, config) {
-  const proto = Connection.prototype
-
-  this.wrap(proto, 'command', createWrapConnectionCommand(tracer, config))
-  this.wrap(proto, 'query', createWrapConnectionCommand(tracer, config))
-  this.wrap(proto, 'getMore', createWrapConnectionCommand(tracer, config, 'getMore'))
-  this.wrap(proto, 'killCursors', createWrapConnectionCommand(tracer, config, 'killCursors'))
-}
-
-function unpatchConnection ({ Connection }) {
-  const proto = Connection.prototype
-
-  this.unwrap(proto, 'command')
-  this.unwrap(proto, 'query')
-  this.unwrap(proto, 'getMore')
-  this.unwrap(proto, 'killCursors')
-}
-
-function patchClass (WireProtocol, tracer, config) {
-  this.wrap(WireProtocol.prototype, 'command', createWrapCommand(tracer, config))
-}
-
-function unpatchClass (WireProtocol) {
-  this.unwrap(WireProtocol.prototype, 'command')
-}
-
-module.exports = [
-  {
-    name: 'mongodb',
-    versions: ['>=4'],
-    file: 'lib/cmap/connection.js',
-    patch: patchConnection,
-    unpatch: unpatchConnection
-  },
-  {
-    name: 'mongodb',
-    versions: ['>=3.5.4'],
-    file: 'lib/utils.js',
-    patch (util, tracer, config) {
-      this.wrap(util, 'maybePromise', createWrapMaybePromise(tracer, config))
-    },
-    unpatch (util) {
-      this.unwrap(util, 'maybePromise')
-    }
-  },
-  {
-    name: 'mongodb',
-    versions: ['>=3.3 <4'],
-    file: 'lib/core/wireprotocol/index.js',
-    patch,
-    unpatch
-  },
-  {
-    name: 'mongodb-core',
-    versions: ['>=3.2'],
-    file: 'lib/wireprotocol/index.js',
-    patch,
-    unpatch
-  },
-  {
-    name: 'mongodb-core',
-    versions: ['~3.1.10'],
-    file: 'lib/wireprotocol/3_2_support.js',
-    patch: patchClass,
-    unpatch: unpatchClass
-  },
-  {
-    name: 'mongodb-core',
-    versions: ['~3.1.10'],
-    file: 'lib/wireprotocol/2_6_support.js',
-    patch: patchClass,
-    unpatch: unpatchClass
-  }
-]