npm - dd-trace - Versions diffs - 3.12.1 → 3.15.0 - Mend

dd-trace 3.12.1 → 3.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (101) hide show

package/packages/dd-trace/src/appsec/blocking.js CHANGED Viewed

@@ -1,8 +1,19 @@
 'use strict'
+const log = require('../log')
 const fs = require('fs')
-let templateHtml, templateJson
-function block (req, res, topSpan, abortController) {
+// TODO: move template loading to a proper spot.
+let templateLoaded = false
+let templateHtml = ''
+let templateJson = ''
+function block (req, res, rootSpan, abortController) {
+  if (res.headersSent) {
+    log.warn('Cannot send blocking response when headers have already been sent')
+    return
+  }
   let type
   let body
@@ -17,7 +28,7 @@ function block (req, res, topSpan, abortController) {
     body = templateJson
   }
-  topSpan.addTags({
+  rootSpan.addTags({
     'appsec.blocked': 'true'
   })
@@ -26,19 +37,34 @@ function block (req, res, topSpan, abortController) {
   res.setHeader('Content-Length', Buffer.byteLength(body))
   res.end(body)
-  abortController.abort()
+  if (abortController) {
+    abortController.abort()
+  }
 }
 function loadTemplates (config) {
-  templateHtml = fs.readFileSync(config.appsec.blockedTemplateHtml)
-  templateJson = fs.readFileSync(config.appsec.blockedTemplateJson)
+  if (!templateLoaded) {
+    templateHtml = fs.readFileSync(config.appsec.blockedTemplateHtml)
+    templateJson = fs.readFileSync(config.appsec.blockedTemplateJson)
+    templateLoaded = true
+  }
 }
 async function loadTemplatesAsync (config) {
-  templateHtml = await fs.promises.readFile(config.appsec.blockedTemplateHtml)
-  templateJson = await fs.promises.readFile(config.appsec.blockedTemplateJson)
+  if (!templateLoaded) {
+    templateHtml = await fs.promises.readFile(config.appsec.blockedTemplateHtml)
+    templateJson = await fs.promises.readFile(config.appsec.blockedTemplateJson)
+    templateLoaded = true
+  }
+}
+function resetTemplates () {
+  templateLoaded = false
 }
 module.exports = {
-  block, loadTemplates, loadTemplatesAsync
+  block,
+  loadTemplates,
+  loadTemplatesAsync,
+  resetTemplates
 }

package/packages/dd-trace/src/appsec/callbacks/ddwaf.js CHANGED Viewed

@@ -37,7 +37,7 @@ class WAFCallback {
     Reporter.metricsQueue.set('_dd.appsec.event_rules.error_count', failed)
     if (failed) Reporter.metricsQueue.set('_dd.appsec.event_rules.errors', JSON.stringify(errors))
-    Reporter.metricsQueue.set('manual.keep', true)
+    Reporter.metricsQueue.set('manual.keep', 'true')
     this.wafContextCache = new WeakMap()

package/packages/dd-trace/src/appsec/iast/analyzers/analyzers.js CHANGED Viewed

@@ -2,6 +2,7 @@ module.exports = {
   'WEAK_CIPHER_ANALYZER': require('./weak-cipher-analyzer'),
   'WEAK_HASH_ANALYZER': require('./weak-hash-analyzer'),
   'SQL_INJECTION_ANALYZER': require('./sql-injection-analyzer'),
+  'PATH_TRAVERSAL_ANALYZER': require('./path-traversal-analyzer'),
   'COMMAND_INJECTION_ANALYZER': require('./command-injection-analyzer'),
   'LDAP_ANALYZER': require('./ldap-injection-analyzer')
 }

package/packages/dd-trace/src/appsec/iast/analyzers/path-traversal-analyzer.js ADDED Viewed

@@ -0,0 +1,60 @@
+'use strict'
+const { getIastContext } = require('../iast-context')
+const { storage } = require('../../../../../datadog-core')
+const InjectionAnalyzer = require('./injection-analyzer')
+class PathTraversalAnalyzer extends InjectionAnalyzer {
+  constructor () {
+    super('PATH_TRAVERSAL')
+    this.addSub('apm:fs:operation:start', obj => {
+      const pathArguments = []
+      if (obj.dest) {
+        pathArguments.push(obj.dest)
+      }
+      if (obj.existingPath) {
+        pathArguments.push(obj.existingPath)
+      }
+      if (obj.file) {
+        pathArguments.push(obj.file)
+      }
+      if (obj.newPath) {
+        pathArguments.push(obj.newPath)
+      }
+      if (obj.oldPath) {
+        pathArguments.push(obj.oldPath)
+      }
+      if (obj.path) {
+        pathArguments.push(obj.path)
+      }
+      if (obj.prefix) {
+        pathArguments.push(obj.prefix)
+      }
+      if (obj.src) {
+        pathArguments.push(obj.src)
+      }
+      if (obj.target) {
+        pathArguments.push(obj.target)
+      }
+      this.analyze(pathArguments)
+    })
+  }
+  analyze (value) {
+    const iastContext = getIastContext(storage.getStore())
+    if (!iastContext) {
+      return
+    }
+    if (value && value.constructor === Array) {
+      for (const val of value) {
+        if (this._isVulnerable(val, iastContext)) {
+          this._report(val, iastContext)
+          // no support several evidences in the same vulnerability, just report the 1st one
+          break
+        }
+      }
+    }
+  }
+}
+module.exports = new PathTraversalAnalyzer()

package/packages/dd-trace/src/appsec/iast/iast-context.js CHANGED Viewed

@@ -1,8 +1,12 @@
 const IAST_CONTEXT_KEY = Symbol('_dd.iast.context')
 const IAST_TRANSACTION_ID = Symbol('_dd.iast.transactionId')
-function getIastContext (store) {
-  return store && store[IAST_CONTEXT_KEY]
+function getIastContext (store, topContext) {
+  let iastContext = store && store[IAST_CONTEXT_KEY]
+  if (!iastContext) {
+    iastContext = topContext && topContext[IAST_CONTEXT_KEY]
+  }
+  return iastContext
 }
 /* TODO Fix storage problem when the close event is called without

package/packages/dd-trace/src/appsec/iast/index.js CHANGED Viewed

@@ -58,7 +58,8 @@ function onIncomingHttpRequestStart (data) {
 function onIncomingHttpRequestEnd (data) {
   if (data && data.req) {
     const store = storage.getStore()
-    const iastContext = iastContextFunctions.getIastContext(storage.getStore())
+    const topContext = web.getContext(data.req)
+    const iastContext = iastContextFunctions.getIastContext(store, topContext)
     if (iastContext && iastContext.rootSpan) {
       const vulnerabilities = iastContext.vulnerabilities
       const rootSpan = iastContext.rootSpan
@@ -66,7 +67,7 @@ function onIncomingHttpRequestEnd (data) {
       removeTransaction(iastContext)
     }
     // TODO web.getContext(data.req) is required when the request is aborted
-    if (iastContextFunctions.cleanIastContext(store, web.getContext(data.req), iastContext)) {
+    if (iastContextFunctions.cleanIastContext(store, topContext, iastContext)) {
       overheadController.releaseRequest()
     }
   }

package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter.js CHANGED Viewed

@@ -40,10 +40,13 @@ function getCompileMethodFn (compileMethod) {
   return function (content, filename) {
     try {
       if (isPrivateModule(filename) && isNotLibraryFile(filename)) {
-        content = rewriter.rewrite(content, filename)
+        const rewritten = rewriter.rewrite(content, filename)
+        if (rewritten && rewritten.content) {
+          return compileMethod.apply(this, [rewritten.content, filename])
+        }
       }
     } catch (e) {
-      log.debug(e)
+      log.error(e)
     }
     return compileMethod.apply(this, [content, filename])
   }

package/packages/dd-trace/src/appsec/index.js CHANGED Viewed

@@ -10,7 +10,7 @@ const Gateway = require('./gateway/engine')
 const addresses = require('./addresses')
 const Reporter = require('./reporter')
 const web = require('../plugins/util/web')
-const { extractIp } = require('./ip_extractor')
+const { extractIp } = require('../plugins/util/ip_extractor')
 const { HTTP_CLIENT_IP } = require('../../../../ext/tags')
 const { block, loadTemplates, loadTemplatesAsync } = require('./blocking')
@@ -70,12 +70,12 @@ function abortEnable (err) {
 }
 function incomingHttpStartTranslator ({ req, res, abortController }) {
-  const topSpan = web.root(req)
-  if (!topSpan) return
+  const rootSpan = web.root(req)
+  if (!rootSpan) return
   const clientIp = extractIp(config, req)
-  topSpan.addTags({
+  rootSpan.addTags({
     '_dd.appsec.enabled': 1,
     '_dd.runtime_family': 'nodejs',
     [HTTP_CLIENT_IP]: clientIp
@@ -97,7 +97,7 @@ function incomingHttpStartTranslator ({ req, res, abortController }) {
     for (const entry of results) {
       if (entry && entry.includes('block')) {
-        block(req, res, topSpan, abortController)
+        block(req, res, rootSpan, abortController)
         break
       }
     }