npm - dd-trace - Versions diffs - 2.31.0 → 2.32.0 - Mend

dd-trace 2.31.0 → 2.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (58) hide show

package/packages/dd-trace/src/appsec/index.js CHANGED Viewed

@@ -3,8 +3,13 @@
 const log = require('../log')
 const RuleManager = require('./rule_manager')
 const remoteConfig = require('./remote_config')
-const { incomingHttpRequestStart, incomingHttpRequestEnd } = require('./gateway/channels')
-const Gateway = require('./gateway/engine')
+const {
+  incomingHttpRequestStart,
+  incomingHttpRequestEnd,
+  bodyParser,
+  queryParser
+} = require('./channels')
+const waf = require('./waf')
 const addresses = require('./addresses')
 const Reporter = require('./reporter')
 const web = require('../plugins/util/web')
@@ -21,39 +26,25 @@ function enable (_config) {
   try {
     setTemplates(_config)
-    // TODO: inline this function
-    enableFromRules(_config, _config.appsec.rules)
-  } catch (err) {
-    abortEnable(err)
-  }
-}
+    RuleManager.applyRules(_config.appsec.rules, _config.appsec)
-function enableFromRules (_config, rules) {
-  RuleManager.applyRules(rules, _config.appsec)
-  remoteConfig.enableAsmData(_config.appsec)
+    remoteConfig.enableWafUpdate(_config.appsec)
-  Reporter.setRateLimit(_config.appsec.rateLimit)
+    Reporter.setRateLimit(_config.appsec.rateLimit)
-  incomingHttpRequestStart.subscribe(incomingHttpStartTranslator)
-  incomingHttpRequestEnd.subscribe(incomingHttpEndTranslator)
-  // add fields needed for HTTP context reporting
-  Gateway.manager.addresses.add(addresses.HTTP_INCOMING_HEADERS)
-  Gateway.manager.addresses.add(addresses.HTTP_INCOMING_ENDPOINT)
-  Gateway.manager.addresses.add(addresses.HTTP_INCOMING_RESPONSE_HEADERS)
-  Gateway.manager.addresses.add(addresses.HTTP_INCOMING_REMOTE_IP)
-  isEnabled = true
-  config = _config
-}
+    incomingHttpRequestStart.subscribe(incomingHttpStartTranslator)
+    incomingHttpRequestEnd.subscribe(incomingHttpEndTranslator)
+    bodyParser.subscribe(onRequestBodyParsed)
+    queryParser.subscribe(onRequestQueryParsed)
-function abortEnable (err) {
-  log.error('Unable to start AppSec')
-  log.error(err)
+    isEnabled = true
+    config = _config
+  } catch (err) {
+    log.error('Unable to start AppSec')
+    log.error(err)
-  // abort AppSec start
-  RuleManager.clearAllRules()
-  remoteConfig.disableAsmData()
+    disable()
+  }
 }
 function incomingHttpStartTranslator ({ req, res, abortController }) {
@@ -68,78 +59,92 @@ function incomingHttpStartTranslator ({ req, res, abortController }) {
     [HTTP_CLIENT_IP]: clientIp
   })
-  const store = Gateway.startContext()
-  store.set('req', req)
-  store.set('res', res)
+  const requestHeaders = Object.assign({}, req.headers)
+  delete requestHeaders.cookie
-  const context = store.get('context')
+  const payload = {
+    [addresses.HTTP_INCOMING_URL]: req.url,
+    [addresses.HTTP_INCOMING_HEADERS]: requestHeaders,
+    [addresses.HTTP_INCOMING_METHOD]: req.method
+  }
   if (clientIp) {
-    const results = Gateway.propagate({
-      [addresses.HTTP_CLIENT_IP]: clientIp
-    }, context)
-    if (!results || !abortController) return
-    for (const entry of results) {
-      if (entry && entry.includes('block')) {
-        block(req, res, rootSpan, abortController)
-        break
-      }
-    }
+    payload[addresses.HTTP_CLIENT_IP] = clientIp
   }
-}
-function incomingHttpEndTranslator (data) {
-  const context = Gateway.getContext()
-  if (!context) return
+  const actions = waf.run(payload, req)
-  const requestHeaders = Object.assign({}, data.req.headers)
-  delete requestHeaders.cookie
+  handleResults(actions, req, res, rootSpan, abortController)
+}
+function incomingHttpEndTranslator ({ req, res }) {
   // TODO: this doesn't support headers sent with res.writeHead()
-  const responseHeaders = Object.assign({}, data.res.getHeaders())
+  const responseHeaders = Object.assign({}, res.getHeaders())
   delete responseHeaders['set-cookie']
   const payload = {
-    [addresses.HTTP_INCOMING_URL]: data.req.url,
-    [addresses.HTTP_INCOMING_HEADERS]: requestHeaders,
-    [addresses.HTTP_INCOMING_METHOD]: data.req.method,
-    [addresses.HTTP_INCOMING_REMOTE_IP]: data.req.socket.remoteAddress,
-    [addresses.HTTP_INCOMING_REMOTE_PORT]: data.req.socket.remotePort,
-    [addresses.HTTP_INCOMING_RESPONSE_CODE]: data.res.statusCode,
+    [addresses.HTTP_INCOMING_RESPONSE_CODE]: res.statusCode,
     [addresses.HTTP_INCOMING_RESPONSE_HEADERS]: responseHeaders
   }
-  // TODO: temporary express instrumentation, will use express plugin later
-  if (data.req.body !== undefined && data.req.body !== null) {
-    payload[addresses.HTTP_INCOMING_BODY] = data.req.body
-  }
-  if (data.req.query && typeof data.req.query === 'object') {
-    payload[addresses.HTTP_INCOMING_QUERY] = data.req.query
+  // we need to keep this to support other body parsers
+  // TODO: no need to analyze it if it was already done by the body-parser hook
+  if (req.body !== undefined && req.body !== null) {
+    payload[addresses.HTTP_INCOMING_BODY] = req.body
   }
-  if (data.req.route && typeof data.req.route.path === 'string') {
-    payload[addresses.HTTP_INCOMING_ENDPOINT] = data.req.route.path
-  }
-  if (data.req.params && typeof data.req.params === 'object') {
-    payload[addresses.HTTP_INCOMING_PARAMS] = data.req.params
+  // TODO: temporary express instrumentation, will use express plugin later
+  if (req.params && typeof req.params === 'object') {
+    payload[addresses.HTTP_INCOMING_PARAMS] = req.params
   }
-  if (data.req.cookies && typeof data.req.cookies === 'object') {
+  if (req.cookies && typeof req.cookies === 'object') {
     payload[addresses.HTTP_INCOMING_COOKIES] = {}
-    for (const k of Object.keys(data.req.cookies)) {
-      payload[addresses.HTTP_INCOMING_COOKIES][k] = [data.req.cookies[k]]
+    for (const k of Object.keys(req.cookies)) {
+      payload[addresses.HTTP_INCOMING_COOKIES][k] = [req.cookies[k]]
     }
   }
-  Gateway.propagate(payload, context)
+  waf.run(payload, req)
+  waf.disposeContext(req)
+  Reporter.finishRequest(req, res)
+}
+function onRequestBodyParsed ({ req, res, abortController }) {
+  const rootSpan = web.root(req)
+  if (!rootSpan) return
+  if (req.body === undefined || req.body === null) return
+  const results = waf.run({
+    [addresses.HTTP_INCOMING_BODY]: req.body
+  }, req)
-  Reporter.finishRequest(data.req, context)
+  handleResults(results, req, res, rootSpan, abortController)
+}
+function onRequestQueryParsed ({ req, res, abortController }) {
+  const rootSpan = web.root(req)
+  if (!rootSpan) return
+  if (!req.query || typeof req.query !== 'object') return
+  const results = waf.run({
+    [addresses.HTTP_INCOMING_QUERY]: req.query
+  }, req)
+  handleResults(results, req, res, rootSpan, abortController)
+}
+function handleResults (actions, req, res, rootSpan, abortController) {
+  if (!actions || !req || !res || !rootSpan || !abortController) return
+  if (actions.includes('block')) {
+    block(req, res, rootSpan, abortController)
+  }
 }
 function disable () {
@@ -147,11 +152,14 @@ function disable () {
   config = null
   RuleManager.clearAllRules()
-  remoteConfig.disableAsmData()
+  remoteConfig.disableWafUpdate()
   // Channel#unsubscribe() is undefined for non active channels
   if (incomingHttpRequestStart.hasSubscribers) incomingHttpRequestStart.unsubscribe(incomingHttpStartTranslator)
   if (incomingHttpRequestEnd.hasSubscribers) incomingHttpRequestEnd.unsubscribe(incomingHttpEndTranslator)
+  if (bodyParser.hasSubscribers) bodyParser.unsubscribe(onRequestBodyParsed)
+  if (queryParser.hasSubscribers) queryParser.unsubscribe(onRequestQueryParsed)
 }
 module.exports = {