dd-trace 3.14.0 → 3.15.0

package/LICENSE-3rdparty.csv

@@ -57,6 +57,7 @@ dev,multer,MIT,Copyright 2014 Hage Yaapa
 dev,msgpack-lite,MIT,Copyright 2015 Yusuke Kawasaki
 dev,nock,MIT,Copyright 2017 Pedro Teixeira and other contributors
 dev,nyc,ISC,Copyright 2015 Contributors
+dev,pprof-format,MIT,Copyright 2022 Stephen Belanger
 dev,proxyquire,MIT,Copyright 2013 Thorsten Lorenz
 dev,rimraf,ISC,Copyright Isaac Z. Schlueter and Contributors
 dev,sinon,BSD-3-Clause,Copyright 2010-2017 Christian Johansen

package/README.md

@@ -24,11 +24,11 @@ Most of the documentation for `dd-trace` is available on these webpages:
 
 ## Version Release Lines and Maintenance
 
-| Release Line                                             | Latest Version                                                                                         | Status          |Initial Release | End of Life |
-| :--:                                                     | :--:                                                                                                   | :---:           | :---:          | :---:       |
-| [`v1`](https://github.com/DataDog/dd-trace-js/tree/v1.x) | ![npm v1](https://img.shields.io/npm/v/dd-trace/legacy-v1?color=white&label=%20&style=flat-square)     | **End of Life** | 2021-07-13     | 2022-02-25  |
-| [`v2`](https://github.com/DataDog/dd-trace-js/tree/v2.x) | ![npm v2](https://img.shields.io/npm/v/dd-trace/latest-node12?color=white&label=%20&style=flat-square) | **Maintenance** | 2022-01-28     | 2023-08-15  |
-| [`v3`](https://github.com/DataDog/dd-trace-js/tree/v3.x) | ![npm v3](https://img.shields.io/npm/v/dd-trace/latest?color=white&label=%20&style=flat-square)        | **Current**     | 2022-08-15     | Unknown     |
+| Release Line                                             | Latest Version                                                                                         | Node.js  | Status          |Initial Release | End of Life |
+| :---:                                                    | :---:                                                                                                  | :---:    | :---:           | :---:          | :---:       |
+| [`v1`](https://github.com/DataDog/dd-trace-js/tree/v1.x) | ![npm v1](https://img.shields.io/npm/v/dd-trace/legacy-v1?color=white&label=%20&style=flat-square)     | `>= v12` | **End of Life** | 2021-07-13     | 2022-02-25  |
+| [`v2`](https://github.com/DataDog/dd-trace-js/tree/v2.x) | ![npm v2](https://img.shields.io/npm/v/dd-trace/latest-node12?color=white&label=%20&style=flat-square) | `>= v12` | **Maintenance** | 2022-01-28     | 2023-08-15  |
+| [`v3`](https://github.com/DataDog/dd-trace-js/tree/v3.x) | ![npm v3](https://img.shields.io/npm/v/dd-trace/latest?color=white&label=%20&style=flat-square)        | `>= v14` | **Current**     | 2022-08-15     | Unknown     |
 
 We currently maintain two release lines, namely `v2` and `v3`.
 Features and bug fixes that are merged are released to the `v3` line and, if appropriate, also the `v2` line.

package/index.d.ts

@@ -1,4 +1,4 @@
-import { ClientRequest, IncomingMessage, ServerResponse } from "http";
+import { ClientRequest, IncomingMessage, OutgoingMessage, ServerResponse } from "http";
 import { LookupFunction } from 'net';
 import * as opentracing from "opentracing";
 import { SpanOptions } from "opentracing/lib/tracer";
@@ -643,6 +643,35 @@ export declare interface Appsec {
    * @beta This method is in beta and could change in future versions.
    */
   trackCustomEvent(eventName: string, metadata?: { [key: string]: string }): void
+
+  /**
+   * Checks if the passed user should be blocked according to AppSec rules.
+   * If no user is linked to the current trace, will link the passed user to it.
+   * @param {User} user Properties of the authenticated user. Accepts custom fields.
+   * @return {boolean} Indicates whether the user should be blocked.
+   *
+   * @beta This method is in beta and could change in the future
+   */
+  isUserBlocked(user: User): boolean
+
+  /**
+   * Sends a "blocked" template response based on the request accept header and ends the response.
+   * **You should stop processing the request after calling this function!**
+   * @param {IncomingMessage} req Can be passed to force which request to act on. Optional.
+   * @param {OutgoingMessage} res Can be passed to force which response to act on. Optional.
+   * @return {boolean} Indicates if the action was successful.
+   *
+   * @beta This method is in beta and could change in the future
+   */
+  blockRequest(req?: IncomingMessage, res?: OutgoingMessage): boolean
+
+  /**
+   * Links an authenticated user to the current trace.
+   * @param {User} user Properties of the authenticated user. Accepts custom fields.
+   *
+   * @beta This method is in beta and could change in the future
+   */
+  setUser(user: User): void
 }
 
 /** @hidden */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dd-trace",
-  "version": "3.14.0",
+  "version": "3.15.0",
   "description": "Datadog APM tracing client for JavaScript",
   "main": "index.js",
   "typings": "index.d.ts",
@@ -61,10 +61,10 @@
   },
   "dependencies": {
     "@datadog/native-appsec": "2.0.0",
-    "@datadog/native-iast-rewriter": "1.1.2",
-    "@datadog/native-iast-taint-tracking": "1.1.0",
+    "@datadog/native-iast-rewriter": "2.0.1",
+    "@datadog/native-iast-taint-tracking": "1.1.1",
     "@datadog/native-metrics": "^1.5.0",
-    "@datadog/pprof": "^1.1.1",
+    "@datadog/pprof": "^2.0.0",
     "@datadog/sketches-js": "^2.1.0",
     "crypto-randomuuid": "^1.0.0",
     "diagnostics_channel": "^1.1.0",
@@ -120,6 +120,7 @@
     "multer": "^1.4.5-lts.1",
     "nock": "^11.3.3",
     "nyc": "^15.1.0",
+    "pprof-format": "^2.0.7",
     "proxyquire": "^1.8.0",
     "rimraf": "^3.0.0",
     "sinon": "^11.1.2",

package/packages/datadog-instrumentations/src/ldapjs.js

@@ -35,7 +35,7 @@ function wrapEmitter (corkedEmitter) {
       }
       arguments[1] = bindedFn
     }
-    on.apply(this, arguments)
+    return on.apply(this, arguments)
   }
   shimmer.wrap(corkedEmitter, 'on', addListener)
   shimmer.wrap(corkedEmitter, 'addListener', addListener)
@@ -47,7 +47,7 @@ function wrapEmitter (corkedEmitter) {
         arguments[1] = emitterOn
       }
     }
-    off.apply(this, arguments)
+    return off.apply(this, arguments)
   }
   shimmer.wrap(corkedEmitter, 'off', removeListener)
   shimmer.wrap(corkedEmitter, 'removeListener', removeListener)
@@ -87,5 +87,15 @@ addHook({ name: 'ldapjs', versions: ['>=2'] }, ldapjs => {
     return _send.apply(this, arguments)
   })
 
+  shimmer.wrap(ldapjs.Client.prototype, 'bind', bind => function (dn, password, controls, callback) {
+    if (typeof controls === 'function') {
+      arguments[2] = AsyncResource.bind(controls)
+    } else if (typeof callback === 'function') {
+      arguments[3] = AsyncResource.bind(callback)
+    }
+
+    return bind.apply(this, arguments)
+  })
+
   return ldapjs
 })

package/packages/datadog-instrumentations/src/mongoose.js

@@ -19,7 +19,7 @@ function wrapAddQueue (addQueue) {
 
 addHook({
   name: 'mongoose',
-  versions: ['>=4.6.4']
+  versions: ['>=4.6.4 <7'] // TODO: Mongoose v7 compat
 }, mongoose => {
   if (mongoose.Promise !== global.Promise) {
     shimmer.wrap(mongoose.Promise.prototype, 'then', wrapThen)

package/packages/datadog-instrumentations/src/next.js

@@ -127,7 +127,8 @@ function finish (req, res, result, err) {
   return result
 }
 
-addHook({ name: 'next', versions: ['>=11.1'], file: 'dist/server/next-server.js' }, nextServer => {
+// TODO: 13.2 support
+addHook({ name: 'next', versions: ['>=11.1 <13.2'], file: 'dist/server/next-server.js' }, nextServer => {
   const Server = nextServer.default
 
   shimmer.wrap(Server.prototype, 'handleRequest', wrapHandleRequest)

package/packages/datadog-instrumentations/src/playwright.js

@@ -25,6 +25,17 @@ const STATUS_TO_TEST_STATUS = {
 
 let remainingTestsByFile = {}
 
+function getTestsBySuiteFromTestGroups (testGroups) {
+  return testGroups.reduce((acc, { requireFile, tests }) => {
+    if (acc[requireFile]) {
+      acc[requireFile] = acc[requireFile].concat(tests)
+    } else {
+      acc[requireFile] = tests
+    }
+    return acc
+  }, {})
+}
+
 function getTestsBySuiteFromTestsById (testsById) {
   const testsByTestSuite = {}
   for (const { test } of testsById.values()) {
@@ -48,7 +59,7 @@ function getPlaywrightConfig (playwrightRunner) {
     try {
       return playwrightRunner._loader.fullConfig()
     } catch (e) {
-      return {}
+      return playwrightRunner._config || {}
     }
   }
 }
@@ -135,6 +146,13 @@ function dispatcherRunWrapper (run) {
   }
 }
 
+function dispatcherRunWrapperNew (run) {
+  return function () {
+    remainingTestsByFile = getTestsBySuiteFromTestGroups(arguments[0])
+    return run.apply(this, arguments)
+  }
+}
+
 function dispatcherHook (dispatcherExport) {
   shimmer.wrap(dispatcherExport.Dispatcher.prototype, 'run', dispatcherRunWrapper)
   shimmer.wrap(dispatcherExport.Dispatcher.prototype, '_createWorker', createWorker => function () {
@@ -160,8 +178,8 @@ function dispatcherHook (dispatcherExport) {
   return dispatcherExport
 }
 
-function dispatcherHookNew (dispatcherExport) {
-  shimmer.wrap(dispatcherExport.Dispatcher.prototype, 'run', dispatcherRunWrapper)
+function dispatcherHookNew (dispatcherExport, runWrapper) {
+  shimmer.wrap(dispatcherExport.Dispatcher.prototype, 'run', runWrapper)
   shimmer.wrap(dispatcherExport.Dispatcher.prototype, '_createWorker', createWorker => function () {
     const dispatcher = this
     const worker = createWorker.apply(this, arguments)
@@ -192,24 +210,23 @@ function runnerHook (runnerExport, playwrightVersion) {
       testSessionStartCh.publish({ command, frameworkVersion: playwrightVersion, rootDir })
     })
 
-    const res = await runAllTests.apply(this, arguments)
-    const sessionStatus = STATUS_TO_TEST_STATUS[res.status]
+    const runAllTestsReturn = await runAllTests.apply(this, arguments)
+    const sessionStatus = runAllTestsReturn.status || runAllTestsReturn
 
     let onDone
 
     const flushWait = new Promise(resolve => {
       onDone = resolve
     })
-
     testSessionAsyncResource.runInAsyncScope(() => {
-      testSessionFinishCh.publish({ status: sessionStatus, onDone })
+      testSessionFinishCh.publish({ status: STATUS_TO_TEST_STATUS[sessionStatus], onDone })
     })
     await flushWait
 
     startedSuites = []
     remainingTestsByFile = {}
 
-    return res
+    return runAllTestsReturn
   })
 
   return runnerExport
@@ -218,7 +235,7 @@ function runnerHook (runnerExport, playwrightVersion) {
 addHook({
   name: '@playwright/test',
   file: 'lib/runner.js',
-  versions: ['>=1.18.0']
+  versions: ['>=1.18.0 <1.30.0']
 }, runnerHook)
 
 addHook({
@@ -230,5 +247,17 @@ addHook({
 addHook({
   name: '@playwright/test',
   file: 'lib/dispatcher.js',
-  versions: ['>=1.30.0']
-}, dispatcherHookNew)
+  versions: ['>=1.30.0 <1.31.0']
+}, (dispatcher) => dispatcherHookNew(dispatcher, dispatcherRunWrapper))
+
+addHook({
+  name: '@playwright/test',
+  file: 'lib/runner/dispatcher.js',
+  versions: ['>=1.31.0']
+}, (dispatcher) => dispatcherHookNew(dispatcher, dispatcherRunWrapperNew))
+
+addHook({
+  name: '@playwright/test',
+  file: 'lib/runner/runner.js',
+  versions: ['>=1.31.0']
+}, runnerHook)

package/packages/datadog-plugin-hapi/src/index.js

@@ -26,7 +26,11 @@ class HapiPlugin extends RouterPlugin {
       web.setRoute(req, route)
     })
 
-    this.addSub(`apm:hapi:request:error`, this.addError)
+    this.addSub('apm:hapi:request:error', error => {
+      if (!error || !error.isBoom || !this.config.validateStatus(error.output.statusCode)) {
+        this.addError(error)
+      }
+    })
 
     this.addSub('apm:hapi:extension:enter', ({ req }) => {
       this.enter(this._requestSpans.get(req))

package/packages/datadog-plugin-http/src/server.js

@@ -23,7 +23,7 @@ class HttpServerPlugin extends Plugin {
       span.setTag(COMPONENT, this.constructor.name)
 
       this._parentStore = store
-      this.enter(span, { ...store, req })
+      this.enter(span, { ...store, req, res })
 
       const context = web.getContext(req)
 

package/packages/datadog-plugin-http2/src/server.js

@@ -22,7 +22,7 @@ class Http2ServerPlugin extends Plugin {
 
       span.setTag(COMPONENT, this.constructor.name)
 
-      this.enter(span, { ...store, req })
+      this.enter(span, { ...store, req, res })
 
       const context = web.getContext(req)
 

package/packages/dd-trace/src/appsec/addresses.js

@@ -16,5 +16,7 @@ module.exports = {
   HTTP_INCOMING_REMOTE_IP: 'server.request.client_ip',
   HTTP_INCOMING_REMOTE_PORT: 'server.request.client_port',
 
-  HTTP_CLIENT_IP: 'http.client_ip'
+  HTTP_CLIENT_IP: 'http.client_ip',
+
+  USER_ID: 'usr.id'
 }

package/packages/dd-trace/src/appsec/blocking.js

@@ -1,8 +1,19 @@
 'use strict'
 
+const log = require('../log')
 const fs = require('fs')
-let templateHtml, templateJson
-function block (req, res, topSpan, abortController) {
+
+// TODO: move template loading to a proper spot.
+let templateLoaded = false
+let templateHtml = ''
+let templateJson = ''
+
+function block (req, res, rootSpan, abortController) {
+  if (res.headersSent) {
+    log.warn('Cannot send blocking response when headers have already been sent')
+    return
+  }
+
   let type
   let body
 
@@ -17,7 +28,7 @@ function block (req, res, topSpan, abortController) {
     body = templateJson
   }
 
-  topSpan.addTags({
+  rootSpan.addTags({
     'appsec.blocked': 'true'
   })
 
@@ -26,19 +37,34 @@ function block (req, res, topSpan, abortController) {
   res.setHeader('Content-Length', Buffer.byteLength(body))
   res.end(body)
 
-  abortController.abort()
+  if (abortController) {
+    abortController.abort()
+  }
 }
 
 function loadTemplates (config) {
-  templateHtml = fs.readFileSync(config.appsec.blockedTemplateHtml)
-  templateJson = fs.readFileSync(config.appsec.blockedTemplateJson)
+  if (!templateLoaded) {
+    templateHtml = fs.readFileSync(config.appsec.blockedTemplateHtml)
+    templateJson = fs.readFileSync(config.appsec.blockedTemplateJson)
+    templateLoaded = true
+  }
 }
 
 async function loadTemplatesAsync (config) {
-  templateHtml = await fs.promises.readFile(config.appsec.blockedTemplateHtml)
-  templateJson = await fs.promises.readFile(config.appsec.blockedTemplateJson)
+  if (!templateLoaded) {
+    templateHtml = await fs.promises.readFile(config.appsec.blockedTemplateHtml)
+    templateJson = await fs.promises.readFile(config.appsec.blockedTemplateJson)
+    templateLoaded = true
+  }
+}
+
+function resetTemplates () {
+  templateLoaded = false
 }
 
 module.exports = {
-  block, loadTemplates, loadTemplatesAsync
+  block,
+  loadTemplates,
+  loadTemplatesAsync,
+  resetTemplates
 }

package/packages/dd-trace/src/appsec/iast/iast-context.js

@@ -1,8 +1,12 @@
 const IAST_CONTEXT_KEY = Symbol('_dd.iast.context')
 const IAST_TRANSACTION_ID = Symbol('_dd.iast.transactionId')
 
-function getIastContext (store) {
-  return store && store[IAST_CONTEXT_KEY]
+function getIastContext (store, topContext) {
+  let iastContext = store && store[IAST_CONTEXT_KEY]
+  if (!iastContext) {
+    iastContext = topContext && topContext[IAST_CONTEXT_KEY]
+  }
+  return iastContext
 }
 
 /* TODO Fix storage problem when the close event is called without

package/packages/dd-trace/src/appsec/iast/index.js

@@ -58,7 +58,8 @@ function onIncomingHttpRequestStart (data) {
 function onIncomingHttpRequestEnd (data) {
   if (data && data.req) {
     const store = storage.getStore()
-    const iastContext = iastContextFunctions.getIastContext(storage.getStore())
+    const topContext = web.getContext(data.req)
+    const iastContext = iastContextFunctions.getIastContext(store, topContext)
     if (iastContext && iastContext.rootSpan) {
       const vulnerabilities = iastContext.vulnerabilities
       const rootSpan = iastContext.rootSpan
@@ -66,7 +67,7 @@ function onIncomingHttpRequestEnd (data) {
       removeTransaction(iastContext)
     }
     // TODO web.getContext(data.req) is required when the request is aborted
-    if (iastContextFunctions.cleanIastContext(store, web.getContext(data.req), iastContext)) {
+    if (iastContextFunctions.cleanIastContext(store, topContext, iastContext)) {
       overheadController.releaseRequest()
     }
   }

package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter.js

@@ -40,10 +40,13 @@ function getCompileMethodFn (compileMethod) {
   return function (content, filename) {
     try {
       if (isPrivateModule(filename) && isNotLibraryFile(filename)) {
-        content = rewriter.rewrite(content, filename)
+        const rewritten = rewriter.rewrite(content, filename)
+        if (rewritten && rewritten.content) {
+          return compileMethod.apply(this, [rewritten.content, filename])
+        }
       }
     } catch (e) {
-      log.debug(e)
+      log.error(e)
     }
     return compileMethod.apply(this, [content, filename])
   }

package/packages/dd-trace/src/appsec/index.js

@@ -70,12 +70,12 @@ function abortEnable (err) {
 }
 
 function incomingHttpStartTranslator ({ req, res, abortController }) {
-  const topSpan = web.root(req)
-  if (!topSpan) return
+  const rootSpan = web.root(req)
+  if (!rootSpan) return
 
   const clientIp = extractIp(config, req)
 
-  topSpan.addTags({
+  rootSpan.addTags({
     '_dd.appsec.enabled': 1,
     '_dd.runtime_family': 'nodejs',
     [HTTP_CLIENT_IP]: clientIp
@@ -97,7 +97,7 @@ function incomingHttpStartTranslator ({ req, res, abortController }) {
 
     for (const entry of results) {
       if (entry && entry.includes('block')) {
-        block(req, res, topSpan, abortController)
+        block(req, res, rootSpan, abortController)
         break
       }
     }