dd-trace 3.11.0 → 3.12.1

package/packages/dd-trace/src/appsec/recommended.json

@@ -1,7 +1,7 @@
 {
   "version": "2.2",
   "metadata": {
-    "rules_version": "1.4.2"
+    "rules_version": "1.4.3"
   },
   "rules": [
     {
@@ -1802,7 +1802,7 @@
                 "address": "server.request.path_params"
               }
             ],
-            "regex": "^(?i:file|ftps?|https?).*?\\?+$",
+            "regex": "^(?i:file|ftps?|http)://.*?\\?+$",
             "options": {
               "case_sensitive": true,
               "min_length": 4
@@ -2694,8 +2694,9 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?|lert|tob)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|b(?:(?:son_(?:de|en)|ase64_en)code|zopen|toa)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*|\\\")*\\(.*\\)",
+            "regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?|lert|tob)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|b(?:(?:son_(?:de|en)|ase64_en)code|zopen|toa)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*|\\\"|')*\\((?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?,)*(?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?)?\\)",
             "options": {
+              "case_sensitive": true,
               "min_length": 5
             }
           },
@@ -3524,7 +3525,7 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "\\b(?i:eval|settimeout|setinterval|new\\s+Function)\\s*\\(",
+            "regex": "\\b(?i:eval|settimeout|setinterval|new\\s+Function|alert|prompt)\\s*\\([^\\)]",
             "options": {
               "case_sensitive": true,
               "min_length": 5
@@ -3770,7 +3771,7 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?))",
+            "regex": "(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)",
             "options": {
               "case_sensitive": true,
               "min_length": 3
@@ -3808,7 +3809,7 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "(?:^[\\W\\d]+\\s*?(?:alter\\s*(?:a(?:(?:pplication\\s*rol|ggregat)e|s(?:ymmetric\\s*ke|sembl)y|u(?:thorization|dit)|vailability\\s*group)|c(?:r(?:yptographic\\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\\s*key|k)|terialized)|e(?:ssage\\s*type|thod)|odule)|l(?:o(?:g(?:file\\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\\s*priority|ufferpool)|x(?:ml\\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)\\b|(?:(?:(?:trunc|cre)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)\\s+\\w+|u(?:nion\\s*(?:(?:distin|sele)ct|all)\\b|pdate\\s+\\w+))|\\b(?:(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\\s+(?:group_concat|load_file|char)\\b\\s*\\(?|end\\s*?\\);)|[\\\"'`\\w]\\s+as\\b\\s*[\\\"'`\\w]+\\s*\\bfrom|[\\s(?:]load_file\\s*?\\(|[\\\"'`]\\s+regexp\\W)",
+            "regex": "(?:^[\\W\\d]+\\s*?(?:alter\\s*(?:a(?:(?:pplication\\s*rol|ggregat)e|s(?:ymmetric\\s*ke|sembl)y|u(?:thorization|dit)|vailability\\s*group)|c(?:r(?:yptographic\\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\\s*key|k)|terialized)|e(?:ssage\\s*type|thod)|odule)|l(?:o(?:g(?:file\\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\\s*priority|ufferpool)|x(?:ml\\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)|union\\s*(?:(?:distin|sele)ct|all))\\b|\\b(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\\s+(?:group_concat|load_file|char)\\b\\s*\\(?|[\\s(]load_file\\s*?\\(|[\\\"'`]\\s+regexp\\W)",
             "options": {
               "min_length": 5
             }
@@ -4177,7 +4178,7 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "[#%$]{[^}]+[^\\w\\s][^}]+}",
+            "regex": "[#%$]{(?:[^}]+[^\\w\\s}\\-_][^}]+|\\d+-\\d+)}",
             "options": {
               "case_sensitive": true
             }
@@ -4352,6 +4353,38 @@
       ],
       "transformers": []
     },
+    {
+      "id": "dog-931-001",
+      "name": "RFI: URL Payload to well known RFI target",
+      "tags": {
+        "type": "rfi",
+        "category": "attack_attempt"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              },
+              {
+                "address": "server.request.path_params"
+              }
+            ],
+            "regex": "^(?i:file|ftps?|https?).*/rfiinc\\.txt\\?+$",
+            "options": {
+              "case_sensitive": true,
+              "min_length": 17
+            }
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": []
+    },
     {
       "id": "nfd-000-001",
       "name": "Detect common directory discovery scans",
@@ -5160,7 +5193,7 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "^(jar:)?(http|https):\\/\\/([0-9oq]{1,5}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}|[0-9]{1,10}|localhost)(:[0-9]{1,5})?(\\/.*|)$"
+            "regex": "^(jar:)?(http|https):\\/\\/([0-9oq]{1,5}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}|[0-9]{1,10})(:[0-9]{1,5})?(\\/.*|)$"
           },
           "operator": "match_regex"
         }
@@ -6417,6 +6450,40 @@
       ],
       "transformers": []
     },
+    {
+      "id": "ua0-600-56x",
+      "name": "Datadog test scanner - blocking version: user-agent",
+      "tags": {
+        "type": "security_scanner",
+        "category": "attack_attempt"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.headers.no_cookies",
+                "key_path": [
+                  "user-agent"
+                ]
+              },
+              {
+                "address": "grpc.server.request.metadata",
+                "key_path": [
+                  "dd-canary"
+                ]
+              }
+            ],
+            "regex": "^dd-test-scanner-log-block$"
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": [],
+      "on_match": [
+        "block"
+      ]
+    },
     {
       "id": "ua0-600-5xx",
       "name": "Blind SQL Injection Brute Forcer",

package/packages/dd-trace/src/appsec/remote_config/manager.js

@@ -9,7 +9,6 @@ const log = require('../../log')
 
 const clientId = uuid()
 
-const POLL_INTERVAL = 5e3
 const DEFAULT_CAPABILITY = Buffer.alloc(1).toString('base64') // 0x00
 
 // There MUST NOT exist separate instances of RC clients in a tracer making separate ClientGetConfigsRequest
@@ -18,7 +17,8 @@ class RemoteConfigManager extends EventEmitter {
   constructor (config) {
     super()
 
-    this.scheduler = new Scheduler((cb) => this.poll(cb), POLL_INTERVAL)
+    const pollInterval = config.remoteConfig.pollInterval * 1000
+    this.scheduler = new Scheduler((cb) => this.poll(cb), pollInterval)
 
     this.requestOptions = {
       url: config.url,

package/packages/dd-trace/src/config.js

@@ -145,7 +145,12 @@ class Config {
       process.env.AWS_LAMBDA_FUNCTION_NAME ||
       pkg.name ||
       'node'
-    const DD_SERVICE_MAPPING = process.env.DD_SERVICE_MAPPING || ''
+    const DD_SERVICE_MAPPING = coalesce(
+      options.serviceMapping,
+      process.env.DD_SERVICE_MAPPING ? fromEntries(
+        process.env.DD_SERVICE_MAPPING.split(',').map(x => x.trim().split(':'))
+      ) : {}
+    )
     const DD_ENV = coalesce(
       options.env,
       process.env.DD_ENV,
@@ -274,6 +279,19 @@ ken|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)
       path.join(__dirname, 'appsec', 'templates', 'blocked.json')
     )
 
+    const inAWSLambda = process.env.AWS_LAMBDA_FUNCTION_NAME !== undefined
+
+    const remoteConfigOptions = options.remoteConfig || {}
+    const DD_REMOTE_CONFIGURATION_ENABLED = coalesce(
+      process.env.DD_REMOTE_CONFIGURATION_ENABLED && isTrue(process.env.DD_REMOTE_CONFIGURATION_ENABLED),
+      !inAWSLambda
+    )
+    const DD_REMOTE_CONFIG_POLL_INTERVAL_SECONDS = coalesce(
+      parseInt(remoteConfigOptions.pollInterval),
+      parseInt(process.env.DD_REMOTE_CONFIG_POLL_INTERVAL_SECONDS),
+      5 // seconds
+    )
+
     const iastOptions = options.experimental && options.experimental.iast
     const DD_IAST_ENABLED = coalesce(
       iastOptions &&
@@ -339,7 +357,6 @@ ken|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)
       })
     }
 
-    const inAWSLambda = process.env.AWS_LAMBDA_FUNCTION_NAME !== undefined
     const defaultFlushInterval = inAWSLambda ? 0 : 2000
 
     this.tracing = !isFalse(DD_TRACING_ENABLED)
@@ -358,9 +375,7 @@ ken|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)
     this.clientIpHeader = DD_TRACE_CLIENT_IP_HEADER
     this.plugins = !!coalesce(options.plugins, true)
     this.service = DD_SERVICE
-    this.serviceMapping = DD_SERVICE_MAPPING.length ? fromEntries(
-      DD_SERVICE_MAPPING.split(',').map(x => x.trim().split(':'))
-    ) : {}
+    this.serviceMapping = DD_SERVICE_MAPPING
     this.version = DD_VERSION
     this.dogstatsd = {
       hostname: coalesce(dogstatsd.hostname, process.env.DD_DOGSTATSD_HOSTNAME, this.hostname),
@@ -398,6 +413,10 @@ ken|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)
       blockedTemplateHtml: DD_APPSEC_HTTP_BLOCKED_TEMPLATE_HTML,
       blockedTemplateJson: DD_APPSEC_HTTP_BLOCKED_TEMPLATE_JSON
     }
+    this.remoteConfig = {
+      enabled: DD_REMOTE_CONFIGURATION_ENABLED,
+      pollInterval: DD_REMOTE_CONFIG_POLL_INTERVAL_SECONDS
+    }
     this.iast = {
       enabled: isTrue(DD_IAST_ENABLED),
       requestSampling: DD_IAST_REQUEST_SAMPLING,

package/packages/dd-trace/src/exporters/common/request.js

@@ -20,16 +20,48 @@ const containerId = docker.id()
 
 let activeRequests = 0
 
+// TODO: Replace with `url.urlToHttpOptions` when supported by all versions
+function urlToOptions (url) {
+  const agent = url.agent || http.globalAgent
+  const options = {
+    protocol: url.protocol || agent.protocol,
+    hostname: typeof url.hostname === 'string' && url.hostname.startsWith('[')
+      ? url.hostname.slice(1, -1)
+      : url.hostname ||
+      url.host ||
+      'localhost',
+    hash: url.hash,
+    search: url.search,
+    pathname: url.pathname,
+    path: `${url.pathname || ''}${url.search || ''}`,
+    href: url.href
+  }
+  if (url.port !== '') {
+    options.port = Number(url.port)
+  }
+  if (url.username || url.password) {
+    options.auth = `${url.username}:${url.password}`
+  }
+  return options
+}
+
+function fromUrlString (url) {
+  return typeof urlToHttpOptions === 'function'
+    ? urlToOptions(new URL(url))
+    : urlParse(url)
+}
+
 function request (data, options, callback) {
   if (!options.headers) {
     options.headers = {}
   }
 
   if (options.url) {
-    const url = typeof options.url === 'object' ? options.url : urlParse(options.url)
+    const url = typeof options.url === 'object' ? options.url : fromUrlString(options.url)
     if (url.protocol === 'unix:') {
       options.socketPath = url.pathname
     } else {
+      if (!options.path) options.path = url.path
       options.protocol = url.protocol
       options.hostname = url.hostname
       options.port = url.port

package/packages/dd-trace/src/format.js

@@ -175,7 +175,7 @@ function addTag (meta, metrics, key, value, nested) {
         metrics[key] = value.toString()
       } else if (!Array.isArray(value) && !nested) {
         for (const prop in value) {
-          if (!value.hasOwnProperty(prop)) continue
+          if (!hasOwn(value, prop)) continue
 
           addTag(meta, metrics, `${key}.${prop}`, value[prop], true)
         }
@@ -185,6 +185,10 @@ function addTag (meta, metrics, key, value, nested) {
   }
 }
 
+function hasOwn (object, prop) {
+  return Object.prototype.hasOwnProperty.call(object, prop)
+}
+
 function isNodeBuffer (obj) {
   return obj.constructor && obj.constructor.name === 'Buffer' &&
     typeof obj.readInt8 === 'function' &&

package/packages/dd-trace/src/lambda/handler.js

@@ -0,0 +1,72 @@
+'use strict'
+
+const { channel } = require('../../../datadog-instrumentations/src/helpers/instrument')
+const { ERROR_MESSAGE, ERROR_TYPE } = require('../constants')
+const { ImpendingTimeout } = require('./runtime/errors')
+
+const globalTracer = global._ddtrace
+const tracer = globalTracer._tracer
+const timeoutChannel = channel('apm:aws:lambda:timeout')
+// Always crash the flushes when a message is received
+// from this channel.
+timeoutChannel.subscribe(_ => {
+  crashFlush()
+})
+
+let __lambdaTimeout
+
+/**
+ * Publishes to the `apm:aws:lambda:timeout` channel when
+ * the AWS Lambda run time is about to end.
+ *
+ * @param {*} context AWS Lambda context object.
+ */
+function checkTimeout (context) {
+  let remainingTimeInMillis = context.getRemainingTimeInMillis()
+  const apmFlushDeadline = parseInt(process.env.DD_APM_FLUSH_DEADLINE)
+  if (apmFlushDeadline && apmFlushDeadline <= remainingTimeInMillis) {
+    remainingTimeInMillis = apmFlushDeadline
+  }
+
+  __lambdaTimeout = setTimeout(() => {
+    timeoutChannel.publish(undefined)
+  }, remainingTimeInMillis - 50)
+}
+
+/**
+ * Grabs the current span, adds an error for an impending timeout.
+ *
+ * After that, it calls `killAll` on the tracer processor
+ * in order to kill remaining unfinished spans.
+ *
+ * Once that is done, it finishes the last span.
+ */
+function crashFlush () {
+  const activeSpan = tracer.scope().active()
+  const error = new ImpendingTimeout('Datadog detected an impending timeout')
+  activeSpan.addTags({
+    [ERROR_MESSAGE]: error.message,
+    [ERROR_TYPE]: error.name
+  })
+  tracer._processor.killAll()
+  activeSpan.finish()
+}
+
+/**
+ * Patches your AWS Lambda handler function to add some tracing support.
+ *
+ * @param {*} lambdaHandler a Lambda handler function.
+ */
+exports.datadog = function datadog (lambdaHandler) {
+  return (...args) => {
+    const context = args[1]
+    const patched = lambdaHandler.apply(this, args)
+    checkTimeout(context)
+
+    if (patched) {
+      // clear the timeout as soon as a result is returned
+      patched.then(_ => clearTimeout(__lambdaTimeout))
+    }
+    return patched
+  }
+}

package/packages/dd-trace/src/lambda/index.js

@@ -0,0 +1,5 @@
+'use strict'
+
+const { registerLambdaHook } = require('./runtime/ritm')
+
+registerLambdaHook()

package/packages/dd-trace/src/lambda/runtime/errors.js

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Defines custom error types throwable by the runtime.
+ */
+'use strict'
+
+class ExtendedError extends Error {
+  constructor (reason) {
+    super(reason)
+    Object.setPrototypeOf(this, new.target.prototype)
+  }
+}
+
+class ImpendingTimeout extends ExtendedError {}
+ImpendingTimeout.prototype.name = 'Impending Timeout'
+
+module.exports = {
+  ImpendingTimeout
+}

package/packages/dd-trace/src/lambda/runtime/patch.js

@@ -0,0 +1,74 @@
+'use strict'
+
+const path = require('path')
+
+const { _extractModuleNameAndHandlerPath, _extractModuleRootAndHandler, _getLambdaFilePath } = require('./ritm')
+const { datadog } = require('../handler')
+const { addHook } = require('../../../../datadog-instrumentations/src/helpers/instrument')
+const shimmer = require('../../../../datadog-shimmer')
+
+/**
+ * Patches a Datadog Lambda module by calling `patchDatadogLambdaHandler`
+ * with the handler name `datadog`.
+ *
+ * @param {*} datadogLambdaModule node module to be patched.
+ * @returns a Datadog Lambda module with the `datadog` function from
+ * `datadog-lambda-js` patched.
+ */
+const patchDatadogLambdaModule = (datadogLambdaModule) => {
+  shimmer.wrap(datadogLambdaModule, 'datadog', patchDatadogLambdaHandler)
+
+  return datadogLambdaModule
+}
+
+/**
+ * Patches a Datadog Lambda handler in order to do
+ * Datadog instrumentation by getting the Lambda handler from its
+ * arguments.
+ *
+ * @param {*} datadogHandler the Datadog Lambda handler to destructure.
+ * @returns the datadogHandler with its arguments patched.
+ */
+function patchDatadogLambdaHandler (datadogHandler) {
+  return (userHandler) => {
+    return datadogHandler(datadog(userHandler))
+  }
+}
+
+/**
+ * Patches a Lambda module on the given handler path.
+ *
+ * @param {string} handlerPath path of the handler to be patched.
+ * @returns a module with the given handler path patched.
+ */
+const patchLambdaModule = (handlerPath) => (lambdaModule) => {
+  shimmer.wrap(lambdaModule, handlerPath, patchLambdaHandler)
+
+  return lambdaModule
+}
+
+/**
+ * Patches a Lambda handler in order to do Datadog instrumentation.
+ *
+ * @param {*} lambdaHandler the Lambda handler to be patched.
+ * @returns a function which patches the given Lambda handler.
+ */
+function patchLambdaHandler (lambdaHandler) {
+  return datadog(lambdaHandler)
+}
+
+const lambdaTaskRoot = process.env.LAMBDA_TASK_ROOT
+const originalLambdaHandler = process.env.DD_LAMBDA_HANDLER
+
+if (originalLambdaHandler !== undefined) {
+  const [moduleRoot, moduleAndHandler] = _extractModuleRootAndHandler(originalLambdaHandler)
+  const [_module, handlerPath] = _extractModuleNameAndHandlerPath(moduleAndHandler)
+
+  const lambdaStylePath = path.resolve(lambdaTaskRoot, moduleRoot, _module)
+  const lambdaFilePath = _getLambdaFilePath(lambdaStylePath)
+
+  addHook({ name: lambdaFilePath }, patchLambdaModule(handlerPath))
+} else {
+  // Instrumentation is done manually.
+  addHook({ name: 'datadog-lambda-js' }, patchDatadogLambdaModule)
+}

package/packages/dd-trace/src/lambda/runtime/ritm.js

@@ -0,0 +1,138 @@
+/**
+ * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Modifications copyright 2022 Datadog, Inc.
+ *
+ * Some functions are part of aws-lambda-nodejs-runtime-interface-client
+ * https://github.com/aws/aws-lambda-nodejs-runtime-interface-client/blob/main/src/utils/UserFunction.ts
+ */
+'use strict'
+
+const fs = require('fs')
+const path = require('path')
+
+const log = require('../../log')
+const Hook = require('../../../../datadog-instrumentations/src/helpers/hook')
+const instrumentations = require('../../../../datadog-instrumentations/src/helpers/instrumentations')
+const {
+  filename,
+  pathSepExpr
+} = require('../../../../datadog-instrumentations/src/helpers/register')
+
+/**
+ * Breaks the full handler string into two pieces: the module root
+ * and the actual handler string.
+ *
+ * @param {string} fullHandler user's lambda handler, commonly stored in `DD_LAMBDA_HANDLER`.
+ * @returns {string[]} an array containing the module root and the handler string.
+ *
+ * ```js
+ * _extractModuleRootAndHandler('./api/src/index.nested.handler')
+ * // => ['./api/src', 'index.nested.handler']
+ * ```
+ */
+function _extractModuleRootAndHandler (fullHandler) {
+  const handlerString = path.basename(fullHandler)
+  const moduleRoot = fullHandler.substring(0, fullHandler.indexOf(handlerString))
+
+  return [moduleRoot, handlerString]
+}
+
+/**
+ * Splits the handler string into two pieces: the module name
+ * and the path to the handler function.
+ *
+ * @param {string} handler a handler string containing the module and the handler path.
+ * @returns {string[]} an array containing the module name and the handler path.
+ *
+ * ```js
+ * _extractModuleNameAndHandlerPath('index.nested.handler')
+ * // => ['index', 'nested.handler']
+ * ```
+ */
+function _extractModuleNameAndHandlerPath (handler) {
+  const FUNCTION_EXPR = /^([^.]*)\.(.*)$/
+  const match = handler.match(FUNCTION_EXPR)
+  if (!match || match.length !== 3) {
+    // Malformed Handler Name
+    return // TODO: throw error
+  }
+  return [match[1], match[2]] // [module, handler-path]
+}
+
+/**
+ * Returns the correct path of the file to be patched
+ * when required.
+ *
+ * @param {*} lambdaStylePath the path comprised of the `LAMBDA_TASK_ROOT`,
+ * the root of the module of the Lambda handler, and the module name.
+ * @returns the lambdaStylePath with the appropiate extension for the hook.
+ */
+function _getLambdaFilePath (lambdaStylePath) {
+  let lambdaFilePath = lambdaStylePath
+  if (fs.existsSync(lambdaStylePath + '.js')) {
+    lambdaFilePath += '.js'
+  } else if (fs.existsSync(lambdaStylePath + '.mjs')) {
+    lambdaFilePath += '.mjs'
+  } else if (fs.existsSync(lambdaStylePath + '.cjs')) {
+    lambdaFilePath += '.cjs'
+  }
+  return lambdaFilePath
+}
+
+/**
+ * Register a hook for the Lambda handler to be executed when
+ * the file is required.
+ */
+const registerLambdaHook = () => {
+  const lambdaTaskRoot = process.env.LAMBDA_TASK_ROOT
+  const originalLambdaHandler = process.env.DD_LAMBDA_HANDLER
+
+  if (originalLambdaHandler !== undefined) {
+    const [moduleRoot, moduleAndHandler] = _extractModuleRootAndHandler(originalLambdaHandler)
+    const [_module] = _extractModuleNameAndHandlerPath(moduleAndHandler)
+
+    const lambdaStylePath = path.resolve(lambdaTaskRoot, moduleRoot, _module)
+    const lambdaFilePath = _getLambdaFilePath(lambdaStylePath)
+
+    Hook([lambdaFilePath], (moduleExports) => {
+      require('./patch')
+
+      for (const { hook } of instrumentations[lambdaFilePath]) {
+        try {
+          moduleExports = hook(moduleExports)
+        } catch (e) {
+          log.error(e)
+        }
+      }
+
+      return moduleExports
+    })
+  } else {
+    const moduleToPatch = 'datadog-lambda-js'
+    Hook([moduleToPatch], (moduleExports, moduleName, _) => {
+      moduleName = moduleName.replace(pathSepExpr, '/')
+
+      require('./patch')
+
+      for (const { name, file, hook } of instrumentations[moduleToPatch]) {
+        const fullFilename = filename(name, file)
+        if (moduleName === fullFilename) {
+          try {
+            moduleExports = hook(moduleExports)
+          } catch (e) {
+            log.error(e)
+          }
+        }
+      }
+
+      return moduleExports
+    })
+  }
+}
+
+module.exports = {
+  _extractModuleRootAndHandler,
+  _extractModuleNameAndHandlerPath,
+  _getLambdaFilePath,
+  registerLambdaHook
+}

package/packages/dd-trace/src/plugin_manager.js

@@ -9,6 +9,10 @@ const loadChannel = channel('dd-trace:instrumentation:load')
 
 // instrument everything that needs Plugin System V2 instrumentation
 require('../../datadog-instrumentations')
+if (process.env.AWS_LAMBDA_FUNCTION_NAME !== undefined) {
+  // instrument lambda environment
+  require('./lambda')
+}
 
 const { DD_TRACE_DISABLED_PLUGINS } = process.env
 

package/packages/dd-trace/src/plugins/ci_plugin.js

@@ -16,6 +16,9 @@ module.exports = class CiPlugin extends Plugin {
     super(...args)
 
     this.addSub(`ci:${this.constructor.name}:itr-configuration`, ({ onDone }) => {
+      if (!this.tracer._exporter || !this.tracer._exporter.getItrConfiguration) {
+        return onDone({ err: new Error('CI Visibility was not initialized correctly') })
+      }
       this.tracer._exporter.getItrConfiguration(this.testConfiguration, (err, itrConfig) => {
         if (!err) {
           this.itrConfig = itrConfig
@@ -25,6 +28,9 @@ module.exports = class CiPlugin extends Plugin {
     })
 
     this.addSub(`ci:${this.constructor.name}:test-suite:skippable`, ({ onDone }) => {
+      if (!this.tracer._exporter || !this.tracer._exporter.getSkippableSuites) {
+        return onDone({ err: new Error('CI Visibility was not initialized correctly') })
+      }
       this.tracer._exporter.getSkippableSuites(this.testConfiguration, (err, skippableSuites) => {
         onDone({ err, skippableSuites })
       })