dd-trace 3.19.0 → 3.21.0

package/packages/datadog-plugin-pg/src/index.js

@@ -9,7 +9,7 @@ class PGPlugin extends DatabasePlugin {
   static get system () { return 'postgres' }
 
   start ({ params = {}, query, processId }) {
-    const service = getServiceName(this.config, params)
+    const service = getServiceName(this, params)
     const originalStatement = query.text
 
     this.startSpan('pg.query', {
@@ -31,12 +31,12 @@ class PGPlugin extends DatabasePlugin {
   }
 }
 
-function getServiceName (config, params) {
-  if (typeof config.service === 'function') {
-    return config.service(params)
+function getServiceName (tracer, params) {
+  if (typeof tracer.config.service === 'function') {
+    return tracer.config.service(params)
   }
 
-  return config.service
+  return tracer.config.service || `${tracer._tracer._tracer._service}-postgres`
 }
 
 module.exports = PGPlugin

package/packages/datadog-plugin-rhea/src/consumer.js

@@ -19,10 +19,12 @@ class RheaConsumerPlugin extends ConsumerPlugin {
     const name = getResourceNameFromMessage(msgObj)
     const childOf = extractTextMap(msgObj, this.tracer)
 
-    this.startSpan({
+    this.startSpan('amqp.receive', {
       childOf,
+      service: this.config.service,
       resource: name,
       type: 'worker',
+      kind: 'consumer',
       meta: {
         'component': 'rhea',
         'amqp.link.source.address': name,

package/packages/datadog-plugin-rhea/src/producer.js

@@ -9,13 +9,17 @@ class RheaProducerPlugin extends ProducerPlugin {
 
   constructor (...args) {
     super(...args)
+
     this.addTraceSub('encode', this.encode.bind(this))
   }
 
   start ({ targetAddress, host, port }) {
     const name = targetAddress || 'amq.topic'
-    this.startSpan({
+
+    this.startSpan('amqp.send', {
+      service: this.config.service || `${this.tracer._service}-amqp-producer`,
       resource: name,
+      kind: 'producer',
       meta: {
         'component': 'rhea',
         'amqp.link.target.address': name,

package/packages/dd-trace/src/appsec/iast/analyzers/command-injection-analyzer.js

@@ -1,9 +1,10 @@
 'use strict'
 const InjectionAnalyzer = require('./injection-analyzer')
+const { COMMAND_INJECTION } = require('../vulnerabilities')
 
 class CommandInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
-    super('COMMAND_INJECTION')
+    super(COMMAND_INJECTION)
     this.addSub('datadog:child_process:execution:start', ({ command }) => this.analyze(command))
   }
 }

package/packages/dd-trace/src/appsec/iast/analyzers/ldap-injection-analyzer.js

@@ -1,9 +1,10 @@
 'use strict'
 const InjectionAnalyzer = require('./injection-analyzer')
+const { LDAP_INJECTION } = require('../vulnerabilities')
 
 class LdapInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
-    super('LDAP_INJECTION')
+    super(LDAP_INJECTION)
     this.addSub('datadog:ldapjs:client:search', ({ base, filter }) => this.analyzeAll(base, filter))
   }
 }

package/packages/dd-trace/src/appsec/iast/analyzers/path-traversal-analyzer.js

@@ -4,10 +4,11 @@ const path = require('path')
 const { getIastContext } = require('../iast-context')
 const { storage } = require('../../../../../datadog-core')
 const InjectionAnalyzer = require('./injection-analyzer')
+const { PATH_TRAVERSAL } = require('../vulnerabilities')
 
 class PathTraversalAnalyzer extends InjectionAnalyzer {
   constructor () {
-    super('PATH_TRAVERSAL')
+    super(PATH_TRAVERSAL)
     this.addSub('apm:fs:operation:start', obj => {
       const pathArguments = []
       if (obj.dest) {
@@ -40,13 +41,29 @@ class PathTraversalAnalyzer extends InjectionAnalyzer {
       this.analyze(pathArguments)
     })
 
-    this.exclusionList = [ path.join('node_modules', 'send') + path.sep ]
+    this.exclusionList = [
+      path.join('node_modules', 'send') + path.sep
+    ]
+
+    this.internalExclusionList = [
+      'node:fs',
+      'node:internal/fs',
+      'node:internal\\fs',
+      'fs.js',
+      'internal/fs',
+      'internal\\fs'
+    ]
   }
 
   _isExcluded (location) {
-    let ret = false
+    let ret = true
     if (location && location.path) {
-      ret = this.exclusionList.some(elem => location.path.includes(elem))
+      // Exclude from reporting those vulnerabilities which location is from an internal fs call
+      if (location.isInternal) {
+        ret = this.internalExclusionList.some(elem => location.path.includes(elem))
+      } else {
+        ret = this.exclusionList.some(elem => location.path.includes(elem))
+      }
     }
     return ret
   }
@@ -59,7 +76,7 @@ class PathTraversalAnalyzer extends InjectionAnalyzer {
 
     if (value && value.constructor === Array) {
       for (const val of value) {
-        if (this._isVulnerable(val, iastContext)) {
+        if (this._isVulnerable(val, iastContext) && this._checkOCE(iastContext)) {
           this._report(val, iastContext)
           // no support several evidences in the same vulnerability, just report the 1st one
           break

package/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js

@@ -1,12 +1,48 @@
 'use strict'
+
 const InjectionAnalyzer = require('./injection-analyzer')
+const { SQL_INJECTION } = require('../vulnerabilities')
+const { getRanges } = require('../taint-tracking/operations')
+const { storage } = require('../../../../../datadog-core')
+const { getIastContext } = require('../iast-context')
+const { createVulnerability, addVulnerability } = require('../vulnerability-reporter')
 
 class SqlInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
-    super('SQL_INJECTION')
-    this.addSub('apm:mysql:query:start', ({ sql }) => this.analyze(sql))
-    this.addSub('apm:mysql2:query:start', ({ sql }) => this.analyze(sql))
-    this.addSub('apm:pg:query:start', ({ query }) => this.analyze(query.text))
+    super(SQL_INJECTION)
+    this.addSub('apm:mysql:query:start', ({ sql }) => this.analyze(sql, 'MYSQL'))
+    this.addSub('apm:mysql2:query:start', ({ sql }) => this.analyze(sql, 'MYSQL'))
+    this.addSub('apm:pg:query:start', ({ query }) => this.analyze(query.text, 'POSTGRES'))
+  }
+
+  _getEvidence (value, iastContext, dialect) {
+    const ranges = getRanges(iastContext, value)
+    return { value, ranges, dialect }
+  }
+
+  analyze (value, dialect) {
+    const store = storage.getStore()
+    const iastContext = getIastContext(store)
+    if (store && !iastContext) return
+    this._reportIfVulnerable(value, iastContext, dialect)
+  }
+
+  _reportIfVulnerable (value, context, dialect) {
+    if (this._isVulnerable(value, context) && this._checkOCE(context)) {
+      this._report(value, context, dialect)
+      return true
+    }
+    return false
+  }
+
+  _report (value, context, dialect) {
+    const evidence = this._getEvidence(value, context, dialect)
+    const location = this._getLocation()
+    if (!this._isExcluded(location)) {
+      const spanId = context && context.rootSpan && context.rootSpan.context().toSpanId()
+      const vulnerability = createVulnerability(this._type, evidence, spanId, location)
+      addVulnerability(context, vulnerability)
+    }
   }
 }
 

package/packages/dd-trace/src/appsec/iast/analyzers/weak-cipher-analyzer.js

@@ -1,5 +1,6 @@
 'use strict'
 const Analyzer = require('./vulnerability-analyzer')
+const { WEAK_CIPHER } = require('../vulnerabilities')
 
 const INSECURE_CIPHERS = new Set([
   'des', 'des-cbc', 'des-cfb', 'des-cfb1', 'des-cfb8', 'des-ecb', 'des-ede', 'des-ede-cbc', 'des-ede-cfb',
@@ -12,7 +13,7 @@ const INSECURE_CIPHERS = new Set([
 
 class WeakCipherAnalyzer extends Analyzer {
   constructor () {
-    super('WEAK_CIPHER')
+    super(WEAK_CIPHER)
     this.addSub('datadog:crypto:cipher:start', ({ algorithm }) => this.analyze(algorithm))
   }
 

package/packages/dd-trace/src/appsec/iast/analyzers/weak-hash-analyzer.js

@@ -1,5 +1,6 @@
 'use strict'
 const Analyzer = require('./vulnerability-analyzer')
+const { WEAK_HASH } = require('../vulnerabilities')
 
 const INSECURE_HASH_ALGORITHMS = new Set([
   'md4', 'md4WithRSAEncryption', 'RSA-MD4',
@@ -9,7 +10,7 @@ const INSECURE_HASH_ALGORITHMS = new Set([
 
 class WeakHashAnalyzer extends Analyzer {
   constructor () {
-    super('WEAK_HASH')
+    super(WEAK_HASH)
     this.addSub('datadog:crypto:hashing:start', ({ algorithm }) => this.analyze(algorithm))
   }
 

package/packages/dd-trace/src/appsec/iast/index.js

@@ -51,7 +51,7 @@ function onIncomingHttpRequestStart (data) {
         }
         if (rootSpan.addTags) {
           rootSpan.addTags({
-            [IAST_ENABLED_TAG_KEY]: isRequestAcquired ? '1' : '0'
+            [IAST_ENABLED_TAG_KEY]: isRequestAcquired ? 1 : 0
           })
         }
       }

package/packages/dd-trace/src/appsec/iast/path-line.js

@@ -45,7 +45,8 @@ function getFirstNonDDPathAndLineFromCallsites (callsites) {
       if (!isExcluded(callsite) && filepath.indexOf(pathLine.ddBasePath) === -1) {
         return {
           path: path.relative(process.cwd(), filepath),
-          line: callsite.getLineNumber()
+          line: callsite.getLineNumber(),
+          isInternal: !path.isAbsolute(filepath)
         }
       }
     }

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/range-utils.js

@@ -0,0 +1,37 @@
+'use strict'
+
+function contains (rangeContainer, rangeContained) {
+  if (rangeContainer.start > rangeContained.start) {
+    return false
+  }
+  return rangeContainer.end >= rangeContained.end
+}
+
+function intersects (rangeA, rangeB) {
+  return rangeB.start < rangeA.end && rangeB.end > rangeA.start
+}
+
+function remove (range, rangeToRemove) {
+  if (!intersects(range, rangeToRemove)) {
+    return [range]
+  } else if (contains(rangeToRemove, range)) {
+    return []
+  } else {
+    const result = []
+    if (rangeToRemove.start > range.start) {
+      const offset = rangeToRemove.start - range.start
+      result.push({ start: range.start, end: range.start + offset })
+    }
+    if (rangeToRemove.end < range.end) {
+      const offset = range.end - rangeToRemove.end
+      result.push({ start: rangeToRemove.end, end: rangeToRemove.end + offset })
+    }
+    return result
+  }
+}
+
+module.exports = {
+  contains,
+  intersects,
+  remove
+}

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/command-sensitive-analyzer.js

@@ -0,0 +1,29 @@
+'use strict'
+
+const iastLog = require('../../../iast-log')
+
+const COMMAND_PATTERN = '^(?:\\s*(?:sudo|doas)\\s+)?\\b\\S+\\b\\s(.*)'
+
+class CommandSensitiveAnalyzer {
+  constructor () {
+    this._pattern = new RegExp(COMMAND_PATTERN, 'gmi')
+  }
+
+  extractSensitiveRanges (evidence) {
+    try {
+      this._pattern.lastIndex = 0
+
+      const regexResult = this._pattern.exec(evidence.value)
+      if (regexResult && regexResult.length > 1) {
+        const start = regexResult.index + (regexResult[0].length - regexResult[1].length)
+        const end = start + regexResult[1].length
+        return [{ start, end }]
+      }
+    } catch (e) {
+      iastLog.debug(e)
+    }
+    return []
+  }
+}
+
+module.exports = CommandSensitiveAnalyzer

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/ldap-sensitive-analyzer.js

@@ -0,0 +1,35 @@
+'use strict'
+
+const iastLog = require('../../../iast-log')
+
+const LDAP_PATTERN = '\\(.*?(?:~=|=|<=|>=)(?<LITERAL>[^)]+)\\)'
+
+class LdapSensitiveAnalyzer {
+  constructor () {
+    this._pattern = new RegExp(LDAP_PATTERN, 'gmi')
+  }
+
+  extractSensitiveRanges (evidence) {
+    try {
+      this._pattern.lastIndex = 0
+      const tokens = []
+
+      let regexResult = this._pattern.exec(evidence.value)
+      while (regexResult != null) {
+        if (!regexResult.groups.LITERAL) continue
+        // Computing indices manually since NodeJs 12 does not support d flag on regular expressions
+        // TODO Get indices from group by adding d flag in regular expression
+        const start = regexResult.index + (regexResult[0].length - regexResult.groups.LITERAL.length - 1)
+        const end = start + regexResult.groups.LITERAL.length
+        tokens.push({ start, end })
+        regexResult = this._pattern.exec(evidence.value)
+      }
+      return tokens
+    } catch (e) {
+      iastLog.debug(e)
+    }
+    return []
+  }
+}
+
+module.exports = LdapSensitiveAnalyzer

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/sql-sensitive-analyzer.js

@@ -0,0 +1,95 @@
+'use strict'
+
+const iastLog = require('../../../iast-log')
+
+const STRING_LITERAL = '\'(?:\'\'|[^\'])*\''
+const POSTGRESQL_ESCAPED_LITERAL = '\\$([^$]*)\\$.*?\\$\\1\\$'
+const MYSQL_STRING_LITERAL = '"(?:\\\\"|[^"])*"|\'(?:\\\\\'|[^\'])*\''
+const LINE_COMMENT = '--.*$'
+const BLOCK_COMMENT = '/\\*[\\s\\S]*\\*/'
+const EXPONENT = '(?:E[-+]?\\d+[fd]?)?'
+const INTEGER_NUMBER = '(?<!\\w)\\d+'
+const DECIMAL_NUMBER = '\\d*\\.\\d+'
+const HEX_NUMBER = 'x\'[0-9a-f]+\'|0x[0-9a-f]+'
+const BIN_NUMBER = 'b\'[0-9a-f]+\'|0b[0-9a-f]+'
+const NUMERIC_LITERAL =
+  `[-+]?(?:${
+    [
+      HEX_NUMBER,
+      BIN_NUMBER,
+      DECIMAL_NUMBER + EXPONENT,
+      INTEGER_NUMBER + EXPONENT
+    ].join('|')
+  })`
+
+class SqlSensitiveAnalyzer {
+  constructor () {
+    this._patterns = {
+      MYSQL: new RegExp(
+        [
+          NUMERIC_LITERAL,
+          MYSQL_STRING_LITERAL,
+          LINE_COMMENT,
+          BLOCK_COMMENT
+        ].join('|'),
+        'gmi'
+      ),
+      POSTGRES: new RegExp(
+        [
+          NUMERIC_LITERAL,
+          POSTGRESQL_ESCAPED_LITERAL,
+          STRING_LITERAL,
+          LINE_COMMENT,
+          BLOCK_COMMENT
+        ].join('|'),
+        'gmi'
+      )
+    }
+  }
+
+  extractSensitiveRanges (evidence) {
+    try {
+      const pattern = this._patterns[evidence.dialect]
+      pattern.lastIndex = 0
+      const tokens = []
+
+      let regexResult = pattern.exec(evidence.value)
+      while (regexResult != null) {
+        let start = regexResult.index
+        let end = regexResult.index + regexResult[0].length
+        const startChar = evidence.value.charAt(start)
+        if (startChar === '\'' || startChar === '"') {
+          start++
+          end--
+        } else if (end > start + 1) {
+          const nextChar = evidence.value.charAt(start + 1)
+          if (startChar === '/' && nextChar === '*') {
+            start += 2
+            end -= 2
+          } else if (startChar === '-' && startChar === nextChar) {
+            start += 2
+          } else if (startChar.toLowerCase() === 'q' && nextChar === '\'') {
+            start += 3
+            end -= 2
+          } else if (startChar === '$') {
+            const match = regexResult[0]
+            const size = match.indexOf('$', 1) + 1
+            if (size > 1) {
+              start += size
+              end -= size
+            }
+          }
+        }
+
+        tokens.push({ start, end })
+        regexResult = pattern.exec(evidence.value)
+      }
+      return tokens
+    } catch (e) {
+      iastLog.debug(e)
+    }
+    return []
+  }
+}
+
+module.exports = SqlSensitiveAnalyzer

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js

@@ -0,0 +1,144 @@
+'use strict'
+
+const vulnerabilities = require('../../vulnerabilities')
+
+const { contains, intersects, remove } = require('./range-utils')
+
+const CommandSensitiveAnalyzer = require('./sensitive-analyzers/command-sensitive-analyzer')
+const LdapSensitiveAnalyzer = require('./sensitive-analyzers/ldap-sensitive-analyzer')
+const SqlSensitiveAnalyzer = require('./sensitive-analyzers/sql-sensitive-analyzer')
+
+// eslint-disable-next-line max-len
+const DEFAULT_IAST_REDACTION_NAME_PATTERN = '(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)'
+// eslint-disable-next-line max-len
+const DEFAULT_IAST_REDACTION_VALUE_PATTERN = '(?:bearer\\s+[a-z0-9\\._\\-]+|glpat-[\\w\\-]{20}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\\w=\\-]+\\.ey[I-L][\\w=\\-]+(?:\\.[\\w.+/=\\-]+)?|(?:[\\-]{5}BEGIN[a-z\\s]+PRIVATE\\sKEY[\\-]{5}[^\\-]+[\\-]{5}END[a-z\\s]+PRIVATE\\sKEY[\\-]{5}|ssh-rsa\\s*[a-z0-9/\\.+]{100,}))'
+
+class SensitiveHandler {
+  constructor () {
+    this._namePattern = new RegExp(DEFAULT_IAST_REDACTION_NAME_PATTERN, 'gmi')
+    this._valuePattern = new RegExp(DEFAULT_IAST_REDACTION_VALUE_PATTERN, 'gmi')
+
+    this._sensitiveAnalyzers = new Map()
+    this._sensitiveAnalyzers.set(vulnerabilities.COMMAND_INJECTION, new CommandSensitiveAnalyzer())
+    this._sensitiveAnalyzers.set(vulnerabilities.LDAP_INJECTION, new LdapSensitiveAnalyzer())
+    this._sensitiveAnalyzers.set(vulnerabilities.SQL_INJECTION, new SqlSensitiveAnalyzer())
+  }
+
+  isSensibleName (name) {
+    this._namePattern.lastIndex = 0
+    return this._namePattern.test(name)
+  }
+
+  isSensibleValue (value) {
+    this._valuePattern.lastIndex = 0
+    return this._valuePattern.test(value)
+  }
+
+  isSensibleSource (source) {
+    return source != null && (this.isSensibleName(source.name) || this.isSensibleValue(source.value))
+  }
+
+  scrubEvidence (vulnerabilityType, evidence, sourcesIndexes, sources) {
+    const sensitiveAnalyzer = this._sensitiveAnalyzers.get(vulnerabilityType)
+    if (sensitiveAnalyzer) {
+      const sensitiveRanges = sensitiveAnalyzer.extractSensitiveRanges(evidence)
+      return this.toRedactedJson(evidence, sensitiveRanges, sourcesIndexes, sources)
+    }
+    return null
+  }
+
+  toRedactedJson (evidence, sensitive, sourcesIndexes, sources) {
+    const valueParts = []
+    const redactedSources = []
+
+    const { value, ranges } = evidence
+
+    let start = 0
+    let nextTaintedIndex = 0
+    let sourceIndex
+
+    let nextTainted = ranges.shift()
+    let nextSensitive = sensitive.shift()
+
+    for (let i = 0; i < value.length; i++) {
+      if (nextTainted != null && nextTainted.start === i) {
+        this.writeValuePart(valueParts, value.substring(start, i), sourceIndex)
+
+        sourceIndex = sourcesIndexes[nextTaintedIndex]
+
+        while (nextSensitive != null && contains(nextTainted, nextSensitive)) {
+          sourceIndex != null && redactedSources.push(sourceIndex)
+          nextSensitive = sensitive.shift()
+        }
+
+        if (nextSensitive != null && intersects(nextSensitive, nextTainted)) {
+          sourceIndex != null && redactedSources.push(sourceIndex)
+
+          const entries = remove(nextSensitive, nextTainted)
+          nextSensitive = entries.length > 0 ? entries[0] : null
+        }
+
+        this.isSensibleSource(sources[sourceIndex]) && redactedSources.push(sourceIndex)
+
+        if (redactedSources.indexOf(sourceIndex) > -1) {
+          this.writeRedactedValuePart(valueParts, sourceIndex)
+        } else {
+          const substringEnd = Math.min(nextTainted.end, value.length)
+          this.writeValuePart(valueParts, value.substring(nextTainted.start, substringEnd), sourceIndex)
+        }
+
+        start = i + (nextTainted.end - nextTainted.start)
+        i = start - 1
+        nextTainted = ranges.shift()
+        nextTaintedIndex++
+        sourceIndex = null
+      } else if (nextSensitive != null && nextSensitive.start === i) {
+        this.writeValuePart(valueParts, value.substring(start, i), sourceIndex)
+        if (nextTainted != null && intersects(nextSensitive, nextTainted)) {
+          sourceIndex = sourcesIndexes[nextTaintedIndex]
+          sourceIndex != null && redactedSources.push(sourceIndex)
+
+          for (const entry of remove(nextSensitive, nextTainted)) {
+            if (entry.start === i) {
+              nextSensitive = entry
+            } else {
+              sensitive.push(entry)
+            }
+          }
+        }
+
+        this.writeRedactedValuePart(valueParts)
+
+        start = i + (nextSensitive.end - nextSensitive.start)
+        i = start - 1
+        nextSensitive = sensitive.shift()
+      }
+    }
+
+    if (start < value.length) {
+      this.writeValuePart(valueParts, value.substring(start))
+    }
+
+    return { redactedValueParts: valueParts, redactedSources }
+  }
+
+  writeValuePart (valueParts, value, source) {
+    if (value.length > 0) {
+      if (source != null) {
+        valueParts.push({ value, source })
+      } else {
+        valueParts.push({ value })
+      }
+    }
+  }
+
+  writeRedactedValuePart (valueParts, source) {
+    if (source != null) {
+      valueParts.push({ redacted: true, source })
+    } else {
+      valueParts.push({ redacted: true })
+    }
+  }
+}
+
+module.exports = new SensitiveHandler()