dd-trace 2.40.0 → 2.41.0

package/packages/datadog-plugin-grpc/src/server.js

@@ -1,5 +1,6 @@
 'use strict'
 
+const { storage } = require('../../datadog-core')
 const ServerPlugin = require('../../dd-trace/src/plugins/server')
 const { TEXT_MAP } = require('../../../ext/formats')
 const { addMetadataTags, getFilter, getMethodMetadata } = require('./util')
@@ -7,6 +8,7 @@ const { addMetadataTags, getFilter, getMethodMetadata } = require('./util')
 class GrpcServerPlugin extends ServerPlugin {
   static get id () { return 'grpc' }
   static get operation () { return 'server:request' }
+  static get prefix () { return `apm:grpc:server:request` }
 
   constructor (...args) {
     super(...args)
@@ -18,9 +20,15 @@ class GrpcServerPlugin extends ServerPlugin {
 
       this.addCode(span, code)
     })
+
+    this.addTraceBind('emit', ({ currentStore }) => {
+      return currentStore
+    })
   }
 
-  start ({ name, metadata, type }) {
+  bindStart (message) {
+    const store = storage.getStore()
+    const { name, metadata, type } = message
     const metadataFilter = this.config.metadataFilter
     const childOf = extract(this.tracer, metadata)
     const method = getMethodMetadata(name, type)
@@ -44,9 +52,19 @@ class GrpcServerPlugin extends ServerPlugin {
     })
 
     addMetadataTags(span, metadata, metadataFilter, 'request')
+
+    message.span = span
+    message.parentStore = store
+    message.currentStore = { ...store, span }
+
+    return message.currentStore
   }
 
-  error (error) {
+  bindAsyncStart ({ parentStore }) {
+    return parentStore
+  }
+
+  error ({ error }) {
     const span = this.activeSpan
 
     if (!span) return
@@ -55,9 +73,7 @@ class GrpcServerPlugin extends ServerPlugin {
     this.addError(error)
   }
 
-  finish ({ code, trailer } = {}) {
-    const span = this.activeSpan
-
+  finish ({ span, code, trailer }) {
     if (!span) return
 
     const metadataFilter = this.config.metadataFilter
@@ -68,7 +84,7 @@ class GrpcServerPlugin extends ServerPlugin {
       addMetadataTags(span, trailer, metadataFilter, 'response')
     }
 
-    super.finish()
+    span.finish()
   }
 
   configure (config) {

package/packages/datadog-plugin-http2/src/client.js

@@ -8,7 +8,6 @@ const log = require('../../dd-trace/src/log')
 const tags = require('../../../ext/tags')
 const kinds = require('../../../ext/kinds')
 const formats = require('../../../ext/formats')
-const analyticsSampler = require('../../dd-trace/src/analytics_sampler')
 const { COMPONENT, CLIENT_PORT_KEY } = require('../../dd-trace/src/constants')
 const urlFilter = require('../../dd-trace/src/plugins/util/urlfilter')
 
@@ -25,32 +24,11 @@ const HTTP2_HEADER_STATUS = ':status'
 const HTTP2_METHOD_GET = 'GET'
 
 class Http2ClientPlugin extends ClientPlugin {
-  static get id () {
-    return 'http2'
-  }
-
-  constructor (...args) {
-    super(...args)
-
-    this.addSub('apm:http2:client:response', (headers) => {
-      const span = storage.getStore().span
-      const status = headers && headers[HTTP2_HEADER_STATUS]
-
-      span.setTag(HTTP_STATUS_CODE, status)
-
-      if (!this.config.validateStatus(status)) {
-        this.addError()
-      }
+  static get id () { return 'http2' }
+  static get prefix () { return `apm:http2:client:request` }
 
-      addHeaderTags(span, headers, HTTP_RESPONSE_HEADERS, this.config)
-    })
-  }
-
-  addTraceSub (eventName, handler) {
-    this.addSub(`apm:${this.constructor.id}:client:${this.operation}:${eventName}`, handler)
-  }
-
-  start ({ authority, options, headers = {} }) {
+  bindStart (message) {
+    const { authority, options, headers = {} } = message
     const sessionDetails = extractSessionDetails(authority, options)
     const path = headers[HTTP2_HEADER_PATH] || '/'
     const pathname = path.split(/[?#]/)[0]
@@ -75,7 +53,7 @@ class Http2ClientPlugin extends ClientPlugin {
       metrics: {
         [CLIENT_PORT_KEY]: parseInt(sessionDetails.port)
       }
-    })
+    }, false)
 
     // TODO: Figure out a better way to do this for any span.
     if (!allowed) {
@@ -88,14 +66,53 @@ class Http2ClientPlugin extends ClientPlugin {
       this.tracer.inject(span, HTTP_HEADERS, headers)
     }
 
-    analyticsSampler.sample(span, this.config.measured)
+    message.parentStore = store
+    message.currentStore = { ...store, span }
+
+    return message.currentStore
+  }
+
+  bindAsyncStart ({ eventName, eventData, currentStore, parentStore }) {
+    switch (eventName) {
+      case 'response':
+        this._onResponse(currentStore, eventData)
+        return parentStore
+      case 'error':
+        this._onError(currentStore, eventData)
+        return parentStore
+      case 'close':
+        this._onClose(currentStore, eventData)
+        return parentStore
+    }
 
-    this.enter(span, store)
+    return storage.getStore()
   }
 
   configure (config) {
     return super.configure(normalizeConfig(config))
   }
+
+  _onResponse (store, headers) {
+    const status = headers && headers[HTTP2_HEADER_STATUS]
+
+    store.span.setTag(HTTP_STATUS_CODE, status)
+
+    if (!this.config.validateStatus(status)) {
+      storage.run(store, () => this.addError())
+    }
+
+    addHeaderTags(store.span, headers, HTTP_RESPONSE_HEADERS, this.config)
+  }
+
+  _onError ({ span }, error) {
+    span.setTag('error', error)
+    span.finish()
+  }
+
+  _onClose ({ span }) {
+    this.tagPeerService(span)
+    span.finish()
+  }
 }
 
 function extractSessionDetails (authority, options) {

package/packages/datadog-plugin-router/src/index.js

@@ -156,7 +156,7 @@ function isMoreSpecificThan (routeA, routeB) {
 }
 
 function routeIsRegex (route) {
-  return route.includes('(/') && route.includes('/)')
+  return route.includes('(/')
 }
 
 module.exports = RouterPlugin

package/packages/dd-trace/src/appsec/iast/analyzers/command-injection-analyzer.js

@@ -5,6 +5,9 @@ const { COMMAND_INJECTION } = require('../vulnerabilities')
 class CommandInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
     super(COMMAND_INJECTION)
+  }
+
+  onConfigure () {
     this.addSub('datadog:child_process:execution:start', ({ command }) => this.analyze(command))
   }
 }

package/packages/dd-trace/src/appsec/iast/analyzers/cookie-analyzer.js

@@ -9,7 +9,13 @@ class CookieAnalyzer extends Analyzer {
   constructor (type, propertyToBeSafe) {
     super(type)
     this.propertyToBeSafe = propertyToBeSafe.toLowerCase()
-    this.addSub('datadog:iast:set-cookie', (cookieInfo) => this.analyze(cookieInfo))
+  }
+
+  onConfigure () {
+    this.addSub(
+      { channelName: 'datadog:iast:set-cookie', moduleName: 'http' },
+      (cookieInfo) => this.analyze(cookieInfo)
+    )
   }
 
   _isVulnerable ({ cookieProperties, cookieValue }) {

package/packages/dd-trace/src/appsec/iast/analyzers/ldap-injection-analyzer.js

@@ -5,6 +5,9 @@ const { LDAP_INJECTION } = require('../vulnerabilities')
 class LdapInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
     super(LDAP_INJECTION)
+  }
+
+  onConfigure () {
     this.addSub('datadog:ldapjs:client:search', ({ base, filter }) => this.analyzeAll(base, filter))
   }
 }

package/packages/dd-trace/src/appsec/iast/analyzers/path-traversal-analyzer.js

@@ -1,9 +1,10 @@
 'use strict'
 
 const path = require('path')
+
+const InjectionAnalyzer = require('./injection-analyzer')
 const { getIastContext } = require('../iast-context')
 const { storage } = require('../../../../../datadog-core')
-const InjectionAnalyzer = require('./injection-analyzer')
 const { PATH_TRAVERSAL } = require('../vulnerabilities')
 
 const ignoredOperations = ['dir.close', 'close']
@@ -11,7 +12,23 @@ const ignoredOperations = ['dir.close', 'close']
 class PathTraversalAnalyzer extends InjectionAnalyzer {
   constructor () {
     super(PATH_TRAVERSAL)
-    this.addSub('apm:fs:operation:start', obj => {
+
+    this.exclusionList = [
+      path.join('node_modules', 'send') + path.sep
+    ]
+
+    this.internalExclusionList = [
+      'node:fs',
+      'node:internal/fs',
+      'node:internal\\fs',
+      'fs.js',
+      'internal/fs',
+      'internal\\fs'
+    ]
+  }
+
+  onConfigure () {
+    this.addSub('apm:fs:operation:start', (obj) => {
       if (ignoredOperations.includes(obj.operation)) return
 
       const pathArguments = []
@@ -44,19 +61,6 @@ class PathTraversalAnalyzer extends InjectionAnalyzer {
       }
       this.analyze(pathArguments)
     })
-
-    this.exclusionList = [
-      path.join('node_modules', 'send') + path.sep
-    ]
-
-    this.internalExclusionList = [
-      'node:fs',
-      'node:internal/fs',
-      'node:internal\\fs',
-      'fs.js',
-      'internal/fs',
-      'internal\\fs'
-    ]
   }
 
   _isExcluded (location) {

package/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js

@@ -13,6 +13,9 @@ const EXCLUDED_PATHS = getNodeModulesPaths('mysql2', 'sequelize')
 class SqlInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
     super(SQL_INJECTION)
+  }
+
+  onConfigure () {
     this.addSub('apm:mysql:query:start', ({ sql }) => this.analyze(sql, 'MYSQL'))
     this.addSub('apm:mysql2:query:start', ({ sql }) => this.analyze(sql, 'MYSQL'))
     this.addSub('apm:pg:query:start', ({ query }) => this.analyze(query.text, 'POSTGRES'))
@@ -41,10 +44,9 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
 
   analyze (value, dialect) {
     const store = storage.getStore()
-
     if (!(store && store.sqlAnalyzed)) {
       const iastContext = getIastContext(store)
-      if (store && !iastContext) return
+      if (this._isInvalidContext(store, iastContext)) return
       this._reportIfVulnerable(value, iastContext, dialect)
     }
   }
@@ -66,6 +68,7 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
       addVulnerability(context, vulnerability)
     }
   }
+
   _getExcludedPaths () {
     return EXCLUDED_PATHS
   }

package/packages/dd-trace/src/appsec/iast/analyzers/ssrf-analyzer.js

@@ -6,7 +6,9 @@ const { SSRF } = require('../vulnerabilities')
 class SSRFAnalyzer extends InjectionAnalyzer {
   constructor () {
     super(SSRF)
+  }
 
+  onConfigure () {
     this.addSub('apm:http:client:request:start', ({ args }) => {
       if (typeof args.originalUrl === 'string') {
         this.analyze(args.originalUrl)

package/packages/dd-trace/src/appsec/iast/analyzers/unvalidated-redirect-analyzer.js

@@ -4,14 +4,16 @@ const InjectionAnalyzer = require('./injection-analyzer')
 const { UNVALIDATED_REDIRECT } = require('../vulnerabilities')
 const { getNodeModulesPaths } = require('../path-line')
 const { getRanges } = require('../taint-tracking/operations')
-const { HTTP_REQUEST_HEADER_VALUE } = require('../taint-tracking/origin-types')
+const { HTTP_REQUEST_HEADER_VALUE } = require('../taint-tracking/source-types')
 
 const EXCLUDED_PATHS = getNodeModulesPaths('express/lib/response.js')
 
 class UnvalidatedRedirectAnalyzer extends InjectionAnalyzer {
   constructor () {
     super(UNVALIDATED_REDIRECT)
+  }
 
+  onConfigure () {
     this.addSub('datadog:http:server:response:set-header:finish', ({ name, value }) => this.analyze(name, value))
   }
 

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -1,33 +1,18 @@
 'use strict'
 
-const Plugin = require('../../../../src/plugins/plugin')
 const { storage } = require('../../../../../datadog-core')
-const iastLog = require('../iast-log')
 const { getFirstNonDDPathAndLine } = require('../path-line')
 const { addVulnerability } = require('../vulnerability-reporter')
 const { getIastContext } = require('../iast-context')
 const overheadController = require('../overhead-controller')
+const { SinkIastPlugin } = require('../iast-plugin')
 
-class Analyzer extends Plugin {
+class Analyzer extends SinkIastPlugin {
   constructor (type) {
     super()
     this._type = type
   }
 
-  _wrapHandler (handler) {
-    return (message, name) => {
-      try {
-        handler(message, name)
-      } catch (e) {
-        iastLog.errorAndPublish(e)
-      }
-    }
-  }
-
-  addSub (channelName, handler) {
-    super.addSub(channelName, this._wrapHandler(handler))
-  }
-
   _isVulnerable (value, context) {
     return false
   }
@@ -64,17 +49,23 @@ class Analyzer extends Plugin {
 
   _getExcludedPaths () {}
 
+  _isInvalidContext (store, iastContext) {
+    return store && !iastContext
+  }
+
   analyze (value) {
     const store = storage.getStore()
     const iastContext = getIastContext(store)
-    if (store && !iastContext) return
+    if (this._isInvalidContext(store, iastContext)) return
+
     this._reportIfVulnerable(value, iastContext)
   }
 
   analyzeAll (...values) {
     const store = storage.getStore()
     const iastContext = getIastContext(store)
-    if (store && !iastContext) return
+    if (this._isInvalidContext(store, iastContext)) return
+
     for (let i = 0; i < values.length; i++) {
       const value = values[i]
       if (this._isVulnerable(value, iastContext)) {
@@ -119,6 +110,14 @@ class Analyzer extends Plugin {
     }
     return hash
   }
+
+  addSub (iastSubOrChannelName, handler) {
+    const iastSub = typeof iastSubOrChannelName === 'string'
+      ? { channelName: iastSubOrChannelName }
+      : iastSubOrChannelName
+
+    super.addSub({ tag: this._type, ...iastSub }, handler)
+  }
 }
 
 module.exports = Analyzer

package/packages/dd-trace/src/appsec/iast/analyzers/weak-cipher-analyzer.js

@@ -14,6 +14,9 @@ const INSECURE_CIPHERS = new Set([
 class WeakCipherAnalyzer extends Analyzer {
   constructor () {
     super(WEAK_CIPHER)
+  }
+
+  onConfigure () {
     this.addSub('datadog:crypto:cipher:start', ({ algorithm }) => this.analyze(algorithm))
   }
 

package/packages/dd-trace/src/appsec/iast/analyzers/weak-hash-analyzer.js

@@ -25,6 +25,9 @@ const EXCLUDED_PATHS_FROM_STACK = [
 class WeakHashAnalyzer extends Analyzer {
   constructor () {
     super(WEAK_HASH)
+  }
+
+  onConfigure () {
     this.addSub('datadog:crypto:hashing:start', ({ algorithm }) => this.analyze(algorithm))
   }
 

package/packages/dd-trace/src/appsec/iast/iast-log.js

@@ -1,7 +1,7 @@
 'use strict'
 
 const log = require('../../log')
-const telemetryLogs = require('./telemetry/logs')
+const telemetryLogs = require('./telemetry/log')
 const { calculateDDBasePath } = require('../../util')
 
 const ddBasePath = calculateDDBasePath(__dirname)

package/packages/dd-trace/src/appsec/iast/iast-plugin.js

@@ -0,0 +1,205 @@
+'use strict'
+
+const { channel } = require('../../../../diagnostics_channel')
+
+const iastLog = require('./iast-log')
+const Plugin = require('../../plugins/plugin')
+const iastTelemetry = require('./telemetry')
+const { getInstrumentedMetric, getExecutedMetric, TagKey, EXECUTED_SOURCE } = require('./telemetry/iast-metric')
+const { storage } = require('../../../../datadog-core')
+const { getIastContext } = require('./iast-context')
+const instrumentations = require('../../../../datadog-instrumentations/src/helpers/instrumentations')
+
+/**
+ * Used by vulnerability sources and sinks to subscribe diagnostic channel events
+ * and indicate what kind of metrics the subscription provides
+ * - moduleName is used identify when a module is loaded and
+ *    to increment the INSTRUMENTED_[SINK|SOURCE] metric when it occurs
+ * - channelName is the channel used by the hook to publish execution events
+ * - tag indicates the name of the metric: taint-tracking/source-types for Sources and analyzers type for Sinks
+ * - tagKey can be only SOURCE_TYPE (Source) or VULNERABILITY_TYPE (Sink)
+ */
+class IastPluginSubscription {
+  constructor (moduleName, channelName, tag, tagKey = TagKey.VULNERABILITY_TYPE) {
+    this.moduleName = moduleName
+    this.channelName = channelName
+    this.tag = tag
+    this.tagKey = tagKey
+    this.executedMetric = getExecutedMetric(this.tagKey)
+    this.instrumentedMetric = getInstrumentedMetric(this.tagKey)
+    this.moduleInstrumented = false
+  }
+
+  increaseInstrumented () {
+    if (this.moduleInstrumented) return
+
+    this.moduleInstrumented = true
+    this.instrumentedMetric.inc(this.tag)
+  }
+
+  increaseExecuted (iastContext) {
+    this.executedMetric.inc(this.tag, iastContext)
+  }
+
+  matchesModuleInstrumented (name) {
+    // https module is a special case because it's events are published as http
+    name = name === 'https' ? 'http' : name
+    return this.moduleName === name
+  }
+}
+
+class IastPlugin extends Plugin {
+  constructor () {
+    super()
+    this.configured = false
+    this.pluginSubs = []
+  }
+
+  _wrapHandler (handler) {
+    return (message, name) => {
+      try {
+        handler(message, name)
+      } catch (e) {
+        iastLog.errorAndPublish(e)
+      }
+    }
+  }
+
+  _getTelemetryHandler (iastSub) {
+    return () => {
+      try {
+        const iastContext = getIastContext(storage.getStore())
+        iastSub.increaseExecuted(iastContext)
+      } catch (e) {
+        iastLog.errorAndPublish(e)
+      }
+    }
+  }
+
+  _execHandlerAndIncMetric ({ handler, metric, tag, iastContext = getIastContext(storage.getStore()) }) {
+    try {
+      const result = handler()
+      iastTelemetry.isEnabled() && metric.inc(tag, iastContext)
+      return result
+    } catch (e) {
+      iastLog.errorAndPublish(e)
+    }
+  }
+
+  addSub (iastSub, handler) {
+    if (typeof iastSub === 'string') {
+      super.addSub(iastSub, this._wrapHandler(handler))
+    } else {
+      iastSub = this._getAndRegisterSubscription(iastSub)
+      if (iastSub) {
+        super.addSub(iastSub.channelName, this._wrapHandler(handler))
+
+        if (iastTelemetry.isEnabled()) {
+          super.addSub(iastSub.channelName, this._getTelemetryHandler(iastSub))
+        }
+      }
+    }
+  }
+
+  onConfigure () {}
+
+  configure (config) {
+    if (typeof config !== 'object') {
+      config = { enabled: config }
+    }
+    if (config.enabled && !this.configured) {
+      this.onConfigure()
+      this.configured = true
+    }
+
+    if (iastTelemetry.isEnabled()) {
+      if (config.enabled) {
+        this.enableTelemetry()
+      } else {
+        this.disableTelemetry()
+      }
+    }
+
+    super.configure(config)
+  }
+
+  _getAndRegisterSubscription ({ moduleName, channelName, tag, tagKey }) {
+    if (!channelName && !moduleName) return
+
+    if (!moduleName) {
+      const firstSep = channelName.indexOf(':')
+      if (firstSep === -1) {
+        moduleName = channelName
+      } else {
+        const lastSep = channelName.indexOf(':', firstSep + 1)
+        moduleName = channelName.substring(firstSep + 1, lastSep !== -1 ? lastSep : channelName.length)
+      }
+    }
+
+    const iastSub = new IastPluginSubscription(moduleName, channelName, tag, tagKey)
+    this.pluginSubs.push(iastSub)
+    return iastSub
+  }
+
+  enableTelemetry () {
+    if (this.onInstrumentationLoadedListener) return
+
+    this.onInstrumentationLoadedListener = ({ name }) => this._onInstrumentationLoaded(name)
+    const loadChannel = channel('dd-trace:instrumentation:load')
+    loadChannel.subscribe(this.onInstrumentationLoadedListener)
+
+    // check for already instrumented modules
+    for (const name in instrumentations) {
+      this._onInstrumentationLoaded(name)
+    }
+  }
+
+  disableTelemetry () {
+    if (!this.onInstrumentationLoadedListener) return
+
+    const loadChannel = channel('dd-trace:instrumentation:load')
+    if (loadChannel.hasSubscribers) {
+      loadChannel.unsubscribe(this.onInstrumentationLoadedListener)
+    }
+    this.onInstrumentationLoadedListener = null
+  }
+
+  _onInstrumentationLoaded (name) {
+    this.pluginSubs
+      .filter(sub => sub.matchesModuleInstrumented(name))
+      .forEach(sub => sub.increaseInstrumented())
+  }
+}
+
+class SourceIastPlugin extends IastPlugin {
+  addSub (iastPluginSub, handler) {
+    return super.addSub({ tagKey: TagKey.SOURCE_TYPE, ...iastPluginSub }, handler)
+  }
+
+  addInstrumentedSource (moduleName, tag) {
+    this._getAndRegisterSubscription({
+      moduleName,
+      tag,
+      tagKey: TagKey.SOURCE_TYPE
+    })
+  }
+
+  execSource (sourceHandlerInfo) {
+    this._execHandlerAndIncMetric({
+      metric: EXECUTED_SOURCE,
+      ...sourceHandlerInfo
+    })
+  }
+}
+
+class SinkIastPlugin extends IastPlugin {
+  addSub (iastPluginSub, handler) {
+    return super.addSub({ tagKey: TagKey.VULNERABILITY_TYPE, ...iastPluginSub }, handler)
+  }
+}
+
+module.exports = {
+  SourceIastPlugin,
+  SinkIastPlugin,
+  IastPlugin
+}