dd-trace 2.36.0 → 2.37.0

package/packages/dd-trace/src/appsec/iast/analyzers/cookie-analyzer.js

@@ -0,0 +1,52 @@
+'use strict'
+
+const Analyzer = require('./vulnerability-analyzer')
+const { getNodeModulesPaths } = require('../path-line')
+
+const EXCLUDED_PATHS = getNodeModulesPaths('express/lib/response.js')
+
+class CookieAnalyzer extends Analyzer {
+  constructor (type, propertyToBeSafe) {
+    super(type)
+    this.propertyToBeSafe = propertyToBeSafe.toLowerCase()
+    this.addSub('datadog:iast:set-cookie', (cookieInfo) => this.analyze(cookieInfo))
+  }
+
+  _isVulnerable ({ cookieProperties, cookieValue }) {
+    return cookieValue && !(cookieProperties && cookieProperties
+      .map(x => x.toLowerCase().trim()).includes(this.propertyToBeSafe))
+  }
+
+  _getEvidence ({ cookieName }) {
+    return { value: cookieName }
+  }
+
+  _createHashSource (type, evidence, location) {
+    return `${type}:${evidence.value}`
+  }
+
+  _getExcludedPaths () {
+    return EXCLUDED_PATHS
+  }
+  _checkOCE (context, value) {
+    if (value && value.location) {
+      return true
+    }
+    return super._checkOCE(context, value)
+  }
+
+  _getLocation (value) {
+    if (!value) {
+      return super._getLocation()
+    }
+
+    if (value.location) {
+      return value.location
+    }
+    const location = super._getLocation(value)
+    value.location = location
+    return location
+  }
+}
+
+module.exports = CookieAnalyzer

package/packages/dd-trace/src/appsec/iast/analyzers/insecure-cookie-analyzer.js

@@ -1,30 +1,11 @@
 'use strict'
 
-const Analyzer = require('./vulnerability-analyzer')
 const { INSECURE_COOKIE } = require('../vulnerabilities')
+const CookieAnalyzer = require('./cookie-analyzer')
 
-const EXCLUDED_PATHS = ['node_modules/express/lib/response.js', 'node_modules\\express\\lib\\response.js']
-
-class InsecureCookieAnalyzer extends Analyzer {
+class InsecureCookieAnalyzer extends CookieAnalyzer {
   constructor () {
-    super(INSECURE_COOKIE)
-    this.addSub('datadog:iast:set-cookie', (cookieInfo) => this.analyze(cookieInfo))
-  }
-
-  _isVulnerable ({ cookieProperties, cookieValue }) {
-    return cookieValue && !(cookieProperties && cookieProperties.map(x => x.toLowerCase().trim()).includes('secure'))
-  }
-
-  _getEvidence ({ cookieName }) {
-    return { value: cookieName }
-  }
-
-  _createHashSource (type, evidence, location) {
-    return `${type}:${evidence.value}`
-  }
-
-  _getExcludedPaths () {
-    return EXCLUDED_PATHS
+    super(INSECURE_COOKIE, 'secure')
   }
 }
 

package/packages/dd-trace/src/appsec/iast/analyzers/no-httponly-cookie-analyzer.js

@@ -0,0 +1,12 @@
+'use strict'
+
+const { NO_HTTPONLY_COOKIE } = require('../vulnerabilities')
+const CookieAnalyzer = require('./cookie-analyzer')
+
+class NoHttponlyCookieAnalyzer extends CookieAnalyzer {
+  constructor () {
+    super(NO_HTTPONLY_COOKIE, 'HttpOnly')
+  }
+}
+
+module.exports = new NoHttponlyCookieAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/no-samesite-cookie-analyzer.js

@@ -0,0 +1,12 @@
+'use strict'
+
+const { NO_SAMESITE_COOKIE } = require('../vulnerabilities')
+const CookieAnalyzer = require('./cookie-analyzer')
+
+class NoSamesiteCookieAnalyzer extends CookieAnalyzer {
+  constructor () {
+    super(NO_SAMESITE_COOKIE, 'SameSite=strict')
+  }
+}
+
+module.exports = new NoSamesiteCookieAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/set-cookies-header-interceptor.js

@@ -14,24 +14,28 @@ class SetCookiesHeaderInterceptor extends Plugin {
           allCookies = [value]
         }
         const alreadyCheckedCookies = this._getAlreadyCheckedCookiesInResponse(res)
+
+        let location
         allCookies.forEach(cookieString => {
           if (!alreadyCheckedCookies.includes(cookieString)) {
             alreadyCheckedCookies.push(cookieString)
-            setCookieChannel.publish(this._parseCookie(cookieString))
+            const parsedCookie = this._parseCookie(cookieString, location)
+            setCookieChannel.publish(parsedCookie)
+            location = parsedCookie.location
           }
         })
       }
     })
   }
 
-  _parseCookie (cookieString) {
+  _parseCookie (cookieString, location) {
     const cookieParts = cookieString.split(';')
     const nameValueParts = cookieParts[0].split('=')
     const cookieName = nameValueParts[0]
     const cookieValue = nameValueParts.slice(1).join('=')
     const cookieProperties = cookieParts.slice(1).map(part => part.trim())
 
-    return { cookieName, cookieValue, cookieProperties, cookieString }
+    return { cookieName, cookieValue, cookieProperties, cookieString, location }
   }
 
   _getAlreadyCheckedCookiesInResponse (res) {

package/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js

@@ -6,9 +6,9 @@ const { getRanges } = require('../taint-tracking/operations')
 const { storage } = require('../../../../../datadog-core')
 const { getIastContext } = require('../iast-context')
 const { addVulnerability } = require('../vulnerability-reporter')
+const { getNodeModulesPaths } = require('../path-line')
 
-const EXCLUDED_PATHS = ['node_modules/mysql2', 'node_modules/sequelize', 'node_modules\\mysql2',
-  'node_modules\\sequelize']
+const EXCLUDED_PATHS = getNodeModulesPaths('mysql2', 'sequelize')
 
 class SqlInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
@@ -28,7 +28,7 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
 
     this.addSub('datadog:sequelize:query:finish', () => {
       const store = storage.getStore()
-      if (store.sequelizeParentStore) {
+      if (store && store.sequelizeParentStore) {
         storage.enterWith(store.sequelizeParentStore)
       }
     })

package/packages/dd-trace/src/appsec/iast/analyzers/unvalidated-redirect-analyzer.js

@@ -0,0 +1,48 @@
+'use strict'
+
+const InjectionAnalyzer = require('./injection-analyzer')
+const { UNVALIDATED_REDIRECT } = require('../vulnerabilities')
+const { getNodeModulesPaths } = require('../path-line')
+const { getRanges } = require('../taint-tracking/operations')
+const { HTTP_REQUEST_HEADER_VALUE } = require('../taint-tracking/origin-types')
+
+const EXCLUDED_PATHS = getNodeModulesPaths('express/lib/response.js')
+
+class UnvalidatedRedirectAnalyzer extends InjectionAnalyzer {
+  constructor () {
+    super(UNVALIDATED_REDIRECT)
+
+    this.addSub('datadog:http:server:response:set-header:finish', ({ name, value }) => this.analyze(name, value))
+  }
+
+  // TODO: In case the location header value is tainted, this analyzer should check the ranges of the tainted.
+  // And do not report a vulnerability if source of the ranges (range.iinfo.type) are exclusively url or path params
+  // to avoid false positives.
+  analyze (name, value) {
+    if (!this.isLocationHeader(name) || typeof value !== 'string') return
+
+    super.analyze(value)
+  }
+
+  isLocationHeader (name) {
+    return name && name.trim().toLowerCase() === 'location'
+  }
+
+  _isVulnerable (value, iastContext) {
+    if (!value) return false
+
+    const ranges = getRanges(iastContext, value)
+    return ranges && ranges.length > 0 && !this._isRefererHeader(ranges)
+  }
+
+  _isRefererHeader (ranges) {
+    return ranges && ranges.every(range => range.iinfo.type === HTTP_REQUEST_HEADER_VALUE &&
+      range.iinfo.parameterName && range.iinfo.parameterName.toLowerCase() === 'referer')
+  }
+
+  _getExcludedPaths () {
+    return EXCLUDED_PATHS
+  }
+}
+
+module.exports = new UnvalidatedRedirectAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -38,7 +38,7 @@ class Analyzer extends Plugin {
 
   _report (value, context) {
     const evidence = this._getEvidence(value, context)
-    const location = this._getLocation()
+    const location = this._getLocation(value)
     if (!this._isExcluded(location)) {
       const spanId = context && context.rootSpan && context.rootSpan.context().toSpanId()
       const vulnerability = this._createVulnerability(this._type, evidence, spanId, location)
@@ -47,7 +47,7 @@ class Analyzer extends Plugin {
   }
 
   _reportIfVulnerable (value, context) {
-    if (this._isVulnerable(value, context) && this._checkOCE(context)) {
+    if (this._isVulnerable(value, context) && this._checkOCE(context, value)) {
       this._report(value, context)
       return true
     }
@@ -78,7 +78,7 @@ class Analyzer extends Plugin {
     for (let i = 0; i < values.length; i++) {
       const value = values[i]
       if (this._isVulnerable(value, iastContext)) {
-        if (this._checkOCE(iastContext)) {
+        if (this._checkOCE(iastContext, value)) {
           this._report(value, iastContext)
         }
         break

package/packages/dd-trace/src/appsec/iast/index.js

@@ -5,10 +5,16 @@ const { storage } = require('../../../../datadog-core')
 const overheadController = require('./overhead-controller')
 const dc = require('../../../../diagnostics_channel')
 const iastContextFunctions = require('./iast-context')
-const { enableTaintTracking, disableTaintTracking, createTransaction, removeTransaction } = require('./taint-tracking')
+const {
+  enableTaintTracking,
+  disableTaintTracking,
+  createTransaction,
+  removeTransaction,
+  taintTrackingPlugin
+} = require('./taint-tracking')
+const { IAST_ENABLED_TAG_KEY } = require('./tags')
 
 const telemetryLogs = require('./telemetry/logs')
-const IAST_ENABLED_TAG_KEY = '_dd.iast.enabled'
 
 // TODO Change to `apm:http:server:request:[start|close]` when the subscription
 //  order of the callbacks can be enforce
@@ -48,6 +54,7 @@ function onIncomingHttpRequestStart (data) {
           const iastContext = iastContextFunctions.saveIastContext(store, topContext, { rootSpan, req: data.req })
           createTransaction(rootSpan.context().toSpanId(), iastContext)
           overheadController.initializeRequestContext(iastContext)
+          taintTrackingPlugin.taintHeaders(data.req.headers, iastContext)
         }
         if (rootSpan.addTags) {
           rootSpan.addTags({

package/packages/dd-trace/src/appsec/iast/path-line.js

@@ -5,6 +5,7 @@ const process = require('process')
 const { calculateDDBasePath } = require('../../util')
 const pathLine = {
   getFirstNonDDPathAndLine,
+  getNodeModulesPaths,
   getFirstNonDDPathAndLineFromCallsites, // Exported only for test purposes
   calculateDDBasePath, // Exported only for test purposes
   ddBasePath: calculateDDBasePath(__dirname) // Only for test purposes
@@ -83,4 +84,16 @@ function isExcluded (callsite, externallyExcludedPaths) {
 function getFirstNonDDPathAndLine (externallyExcludedPaths) {
   return getFirstNonDDPathAndLineFromCallsites(getCallSiteInfo(), externallyExcludedPaths)
 }
+
+function getNodeModulesPaths (...paths) {
+  const nodeModulesPaths = []
+
+  paths.forEach(p => {
+    const pathParts = p.split('/')
+    nodeModulesPaths.push(path.join('node_modules', ...pathParts))
+  })
+
+  return nodeModulesPaths
+}
+
 module.exports = pathLine

package/packages/dd-trace/src/appsec/iast/tags.js

@@ -0,0 +1,6 @@
+'use strict'
+
+module.exports = {
+  IAST_ENABLED_TAG_KEY: '_dd.iast.enabled',
+  IAST_JSON_TAG_KEY: '_dd.iast.json'
+}

package/packages/dd-trace/src/appsec/iast/taint-tracking/index.js

@@ -23,5 +23,6 @@ module.exports = {
   },
   setMaxTransactions: setMaxTransactions,
   createTransaction: createTransaction,
-  removeTransaction: removeTransaction
+  removeTransaction: removeTransaction,
+  taintTrackingPlugin
 }

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations.js

@@ -30,14 +30,14 @@ function newTaintedString (iastContext, string, name, type) {
   return result
 }
 
-function taintObject (iastContext, object, type) {
+function taintObject (iastContext, object, type, keyTainting, keyType) {
   let result = object
   if (iastContext && iastContext[IAST_TRANSACTION_ID]) {
     const transactionId = iastContext[IAST_TRANSACTION_ID]
     const queue = [{ parent: null, property: null, value: object }]
     const visited = new WeakSet()
     while (queue.length > 0) {
-      const { parent, property, value } = queue.pop()
+      const { parent, property, value, key } = queue.pop()
       if (value === null) {
         continue
       }
@@ -47,14 +47,23 @@ function taintObject (iastContext, object, type) {
           if (!parent) {
             result = tainted
           } else {
-            parent[property] = tainted
+            if (keyTainting && key) {
+              const taintedProperty = TaintedUtils.newTaintedString(transactionId, key, property, keyType)
+              parent[taintedProperty] = tainted
+            } else {
+              parent[property] = tainted
+            }
           }
         } else if (typeof value === 'object' && !visited.has(value)) {
           visited.add(value)
           const keys = Object.keys(value)
           for (let i = 0; i < keys.length; i++) {
             const key = keys[i]
-            queue.push({ parent: value, property: property ? `${property}.${key}` : key, value: value[key] })
+            queue.push({ parent: value, property: property ? `${property}.${key}` : key, value: value[key], key })
+          }
+          if (parent && keyTainting && key) {
+            const taintedProperty = TaintedUtils.newTaintedString(transactionId, key, property, keyType)
+            parent[taintedProperty] = value
           }
         }
       } catch (e) {

package/packages/dd-trace/src/appsec/iast/taint-tracking/origin-types.js

@@ -2,5 +2,9 @@
 
 module.exports = {
   HTTP_REQUEST_BODY: 'http.request.body',
-  HTTP_REQUEST_PARAMETER: 'http.request.parameter'
+  HTTP_REQUEST_PARAMETER: 'http.request.parameter',
+  HTTP_REQUEST_COOKIE_VALUE: 'http.request.cookie.value',
+  HTTP_REQUEST_COOKIE_NAME: 'http.request.cookie.name',
+  HTTP_REQUEST_HEADER_NAME: 'http.request.header.name',
+  HTTP_REQUEST_HEADER_VALUE: 'http.request.header'
 }

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js

@@ -3,8 +3,15 @@
 const Plugin = require('../../../plugins/plugin')
 const { getIastContext } = require('../iast-context')
 const { storage } = require('../../../../../datadog-core')
-const { HTTP_REQUEST_PARAMETER, HTTP_REQUEST_BODY } = require('./origin-types')
 const { taintObject } = require('./operations')
+const {
+  HTTP_REQUEST_PARAMETER,
+  HTTP_REQUEST_BODY,
+  HTTP_REQUEST_COOKIE_VALUE,
+  HTTP_REQUEST_COOKIE_NAME,
+  HTTP_REQUEST_HEADER_VALUE,
+  HTTP_REQUEST_HEADER_NAME
+} = require('./origin-types')
 
 class TaintTrackingPlugin extends Plugin {
   constructor () {
@@ -22,8 +29,8 @@ class TaintTrackingPlugin extends Plugin {
     )
     this.addSub(
       'datadog:qs:parse:finish',
-      ({ qs }) => this._taintTrackingHandler(HTTP_REQUEST_PARAMETER, qs))
-
+      ({ qs }) => this._taintTrackingHandler(HTTP_REQUEST_PARAMETER, qs)
+    )
     this.addSub('apm:express:middleware:next', ({ req }) => {
       if (req && req.body && typeof req.body === 'object') {
         const iastContext = getIastContext(storage.getStore())
@@ -33,16 +40,29 @@ class TaintTrackingPlugin extends Plugin {
         }
       }
     })
+    this.addSub(
+      'datadog:cookie:parse:finish',
+      ({ cookies }) => this._cookiesTaintTrackingHandler(cookies)
+    )
   }
 
   _taintTrackingHandler (type, target, property, iastContext = getIastContext(storage.getStore())) {
     if (!property) {
       taintObject(iastContext, target, type)
-    } else {
+    } else if (target[property]) {
       target[property] = taintObject(iastContext, target[property], type)
     }
   }
 
+  _cookiesTaintTrackingHandler (target) {
+    const iastContext = getIastContext(storage.getStore())
+    taintObject(iastContext, target, HTTP_REQUEST_COOKIE_VALUE, true, HTTP_REQUEST_COOKIE_NAME)
+  }
+
+  taintHeaders (headers, iastContext) {
+    taintObject(iastContext, headers, HTTP_REQUEST_HEADER_VALUE, true, HTTP_REQUEST_HEADER_NAME)
+  }
+
   enable () {
     this.configure(true)
   }

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js

@@ -23,7 +23,9 @@ class SensitiveHandler {
     this._sensitiveAnalyzers.set(vulnerabilities.COMMAND_INJECTION, new CommandSensitiveAnalyzer())
     this._sensitiveAnalyzers.set(vulnerabilities.LDAP_INJECTION, new LdapSensitiveAnalyzer())
     this._sensitiveAnalyzers.set(vulnerabilities.SQL_INJECTION, new SqlSensitiveAnalyzer())
-    this._sensitiveAnalyzers.set(vulnerabilities.SSRF, new UrlSensitiveAnalyzer())
+    const urlSensitiveAnalyzer = new UrlSensitiveAnalyzer()
+    this._sensitiveAnalyzers.set(vulnerabilities.SSRF, urlSensitiveAnalyzer)
+    this._sensitiveAnalyzers.set(vulnerabilities.UNVALIDATED_REDIRECT, urlSensitiveAnalyzer)
   }
 
   isSensibleName (name) {

package/packages/dd-trace/src/appsec/iast/vulnerabilities.js

@@ -2,9 +2,12 @@ module.exports = {
   COMMAND_INJECTION: 'COMMAND_INJECTION',
   INSECURE_COOKIE: 'INSECURE_COOKIE',
   LDAP_INJECTION: 'LDAP_INJECTION',
+  NO_HTTPONLY_COOKIE: 'NO_HTTPONLY_COOKIE',
+  NO_SAMESITE_COOKIE: 'NO_SAMESITE_COOKIE',
   PATH_TRAVERSAL: 'PATH_TRAVERSAL',
   SQL_INJECTION: 'SQL_INJECTION',
   SSRF: 'SSRF',
+  UNVALIDATED_REDIRECT: 'UNVALIDATED_REDIRECT',
   WEAK_CIPHER: 'WEAK_CIPHER',
   WEAK_HASH: 'WEAK_HASH'
 }

package/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js

@@ -1,8 +1,11 @@
+'use strict'
+
 const { MANUAL_KEEP } = require('../../../../../ext/tags')
 const LRU = require('lru-cache')
 const vulnerabilitiesFormatter = require('./vulnerabilities-formatter')
+const { IAST_ENABLED_TAG_KEY, IAST_JSON_TAG_KEY } = require('./tags')
+
 const VULNERABILITIES_KEY = 'vulnerabilities'
-const IAST_JSON_TAG_KEY = '_dd.iast.json'
 const VULNERABILITY_HASHES_MAX_SIZE = 1000
 const VULNERABILITY_HASHES = new LRU({ max: VULNERABILITY_HASHES_MAX_SIZE })
 const RESET_VULNERABILITY_CACHE_INTERVAL = 60 * 60 * 1000 // 1 hour
@@ -39,6 +42,9 @@ function sendVulnerabilities (vulnerabilities, rootSpan) {
       vulnerabilities.forEach((vulnerability) => {
         vulnerability.location.spanId = span.context().toSpanId()
       })
+      span.addTags({
+        [IAST_ENABLED_TAG_KEY]: 1
+      })
     }
 
     if (span && span.addTags) {

package/packages/dd-trace/src/ci-visibility/exporters/ci-visibility-exporter.js

@@ -120,7 +120,8 @@ class CiVisibilityExporter extends AgentInfoExporter {
    * CI Visibility Protocol, hence the this._canUseCiVisProtocol promise.
    */
   getItrConfiguration (testConfiguration, callback) {
-    this.sendGitMetadata()
+    const { repositoryUrl } = testConfiguration
+    this.sendGitMetadata(repositoryUrl)
     if (!this.shouldRequestItrConfiguration()) {
       return callback(null, {})
     }
@@ -147,7 +148,7 @@ class CiVisibilityExporter extends AgentInfoExporter {
     })
   }
 
-  sendGitMetadata () {
+  sendGitMetadata (repositoryUrl) {
     if (!this._config.isGitUploadEnabled) {
       return
     }
@@ -155,7 +156,7 @@ class CiVisibilityExporter extends AgentInfoExporter {
       if (!canUseCiVisProtocol) {
         return
       }
-      sendGitMetadataRequest(this._getApiUrl(), !!this._isUsingEvpProxy, (err) => {
+      sendGitMetadataRequest(this._getApiUrl(), !!this._isUsingEvpProxy, repositoryUrl, (err) => {
         if (err) {
           log.error(`Error uploading git metadata: ${err.message}`)
         } else {

package/packages/dd-trace/src/ci-visibility/exporters/git/git_metadata.js

@@ -152,8 +152,11 @@ function uploadPackFile ({ url, isEvpProxy, packFileToUpload, repositoryUrl, hea
 /**
  * This function uploads git metadata to CI Visibility's backend.
 */
-function sendGitMetadata (url, isEvpProxy, callback) {
-  const repositoryUrl = getRepositoryUrl()
+function sendGitMetadata (url, isEvpProxy, configRepositoryUrl, callback) {
+  let repositoryUrl = configRepositoryUrl
+  if (!repositoryUrl) {
+    repositoryUrl = getRepositoryUrl()
+  }
 
   if (!repositoryUrl) {
     return callback(new Error('Repository URL is empty'))

package/packages/dd-trace/src/config.js

@@ -201,6 +201,17 @@ class Config {
       false
     )
 
+    const DD_OPENAI_LOGS_ENABLED = coalesce(
+      options.openAiLogsEnabled,
+      process.env.DD_OPENAI_LOGS_ENABLED,
+      false
+    )
+
+    const DD_API_KEY = coalesce(
+      process.env.DATADOG_API_KEY,
+      process.env.DD_API_KEY
+    )
+
     const inAWSLambda = process.env.AWS_LAMBDA_FUNCTION_NAME !== undefined
 
     const isDeprecatedGCPFunction = process.env.FUNCTION_NAME !== undefined && process.env.GCP_PROJECT !== undefined
@@ -468,6 +479,8 @@ ken|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)
 
     this.tracing = !isFalse(DD_TRACING_ENABLED)
     this.dbmPropagationMode = DD_DBM_PROPAGATION_MODE
+    this.openAiLogsEnabled = DD_OPENAI_LOGS_ENABLED
+    this.apiKey = DD_API_KEY
     this.logInjection = isTrue(DD_LOGS_INJECTION)
     this.env = DD_ENV
     this.url = DD_CIVISIBILITY_AGENTLESS_URL ? new URL(DD_CIVISIBILITY_AGENTLESS_URL)

package/packages/dd-trace/src/external-logger/src/index.js

@@ -0,0 +1,126 @@
+const tracerLogger = require('../../log')// path to require tracer logger
+
+const https = require('https')
+
+class ExternalLogger {
+  // Note: these attribute names match the corresponding entry in the JSON payload.
+  constructor ({
+    ddsource, hostname, service, apiKey, site = 'datadoghq.com', interval = 10000, timeout = 2000, limit = 1000
+  }) {
+    this.ddsource = ddsource
+    this.hostname = hostname
+    this.service = service
+    this.interval = interval
+    this.timeout = timeout
+    this.queue = []
+    this.limit = limit
+    this.endpoint = '/api/v2/logs'
+    this.site = site
+    this.intake = `http-intake.logs.${this.site}`
+    this.headers = {
+      'DD-API-KEY': apiKey,
+      'Content-Type': 'application/json'
+    }
+    this.timer = setInterval(() => {
+      this.flush()
+    }, this.interval).unref()
+
+    tracerLogger.debug(`started log writer to https://${this.intake}${this.endpoint}`)
+  }
+
+  static tagString (tags) {
+    const tagArray = []
+    for (const key in tags) {
+      tagArray.push(key + ':' + tags[key])
+    }
+    return tagArray.join(',')
+  }
+
+  // Parses and enqueues a log
+  log (log, span, tags) {
+    const logTags = ExternalLogger.tagString(tags)
+
+    if (span) {
+      log['dd.trace_id'] = String(span.trace_id)
+      log['dd.span_id'] = String(span.span_id)
+    }
+
+    const payload = {
+      ...log,
+      'timestamp': Date.now(),
+      'hostname': log.hostname || this.hostname,
+      'ddsource': log.ddsource || this.ddsource,
+      'service': log.service || this.service,
+      'ddtags': logTags || undefined
+    }
+
+    this.enqueue(payload)
+  }
+
+  // Enqueues a raw, non-formatted log object
+  enqueue (log) {
+    if (this.queue.length >= this.limit) {
+      this.flush()
+    }
+    this.queue.push(log)
+  }
+
+  shutdown () {
+    clearInterval(this.timer)
+    this.flush()
+  }
+
+  // Flushes logs with optional callback for when the call is complete
+  flush (cb = () => {}) {
+    let logs
+    let numLogs
+    let encodedLogs
+
+    if (!this.queue.length) {
+      setImmediate(() => cb())
+      return
+    }
+
+    try {
+      logs = this.queue
+      this.queue = []
+
+      numLogs = logs.length
+      encodedLogs = JSON.stringify(logs)
+    } catch (error) {
+      tracerLogger.error(`failed to encode ${numLogs} logs`)
+      setImmediate(() => cb(error))
+      return
+    }
+
+    const options = {
+      hostname: this.intake,
+      port: 443,
+      path: this.endpoint,
+      method: 'POST',
+      headers: this.headers,
+      timeout: this.timeout
+    }
+
+    const req = https.request(options, (res) => {
+      tracerLogger.info(`statusCode: ${res.statusCode}`)
+    })
+    req.once('error', (e) => {
+      tracerLogger.error(`failed to send ${numLogs} log(s), with error ${e.message}`)
+      cb(e)
+    })
+    req.write(encodedLogs)
+    req.end()
+    req.once('response', (res) => {
+      if (res.statusCode >= 400) {
+        const error = new Error(`failed to send ${numLogs} logs, received response code ${res.statusCode}`)
+        tracerLogger.error(error.message)
+        cb(error)
+        return
+      }
+      cb()
+    })
+  }
+}
+
+module.exports = ExternalLogger