dd-trace 3.27.0 → 3.29.0

package/packages/datadog-plugin-grpc/src/client.js

@@ -1,5 +1,6 @@
 'use strict'
 
+const { storage } = require('../../datadog-core')
 const ClientPlugin = require('../../dd-trace/src/plugins/client')
 const { TEXT_MAP } = require('../../../ext/formats')
 const { addMetadataTags, getFilter, getMethodMetadata } = require('./util')
@@ -7,9 +8,20 @@ const { addMetadataTags, getFilter, getMethodMetadata } = require('./util')
 class GrpcClientPlugin extends ClientPlugin {
   static get id () { return 'grpc' }
   static get operation () { return 'client:request' }
+  static get prefix () { return `apm:grpc:client:request` }
   static get peerServicePrecursors () { return ['rpc.service'] }
 
-  start ({ metadata, path, type }) {
+  constructor (...args) {
+    super(...args)
+
+    this.addTraceBind('emit', ({ parentStore }) => {
+      return parentStore
+    })
+  }
+
+  bindStart (message) {
+    const store = storage.getStore()
+    const { metadata, path, type } = message
     const metadataFilter = this.config.metadataFilter
     const method = getMethodMetadata(path, type)
     const span = this.startSpan(this.operationName(), {
@@ -28,7 +40,7 @@ class GrpcClientPlugin extends ClientPlugin {
       metrics: {
         'grpc.status.code': 0
       }
-    })
+    }, false)
 
     // needed as precursor for peer.service
     if (method.service && method.package) {
@@ -39,22 +51,27 @@ class GrpcClientPlugin extends ClientPlugin {
       addMetadataTags(span, metadata, metadataFilter, 'request')
       inject(this.tracer, span, metadata)
     }
-  }
 
-  error (error) {
-    const span = this.activeSpan
+    message.span = span
+    message.parentStore = store
+    message.currentStore = { ...store, span }
 
-    if (!span) return
+    return message.currentStore
+  }
 
-    this.addCode(span, error.code)
-    this.addError(error)
+  bindAsyncStart ({ parentStore }) {
+    return parentStore
   }
 
-  finish ({ code, metadata }) {
-    const span = this.activeSpan
+  error ({ span, error }) {
+    this.addCode(span, error.code)
+    this.addError(error, span)
+  }
 
+  finish ({ span, result }) {
     if (!span) return
 
+    const { code, metadata } = result || {}
     const metadataFilter = this.config.metadataFilter
 
     this.addCode(span, code)
@@ -63,7 +80,8 @@ class GrpcClientPlugin extends ClientPlugin {
       addMetadataTags(span, metadata, metadataFilter, 'response')
     }
 
-    super.finish()
+    this.tagPeerService(span)
+    span.finish()
   }
 
   configure (config) {

package/packages/datadog-plugin-grpc/src/server.js

@@ -1,5 +1,6 @@
 'use strict'
 
+const { storage } = require('../../datadog-core')
 const ServerPlugin = require('../../dd-trace/src/plugins/server')
 const { TEXT_MAP } = require('../../../ext/formats')
 const { addMetadataTags, getFilter, getMethodMetadata } = require('./util')
@@ -7,6 +8,7 @@ const { addMetadataTags, getFilter, getMethodMetadata } = require('./util')
 class GrpcServerPlugin extends ServerPlugin {
   static get id () { return 'grpc' }
   static get operation () { return 'server:request' }
+  static get prefix () { return `apm:grpc:server:request` }
 
   constructor (...args) {
     super(...args)
@@ -18,9 +20,15 @@ class GrpcServerPlugin extends ServerPlugin {
 
       this.addCode(span, code)
     })
+
+    this.addTraceBind('emit', ({ currentStore }) => {
+      return currentStore
+    })
   }
 
-  start ({ name, metadata, type }) {
+  bindStart (message) {
+    const store = storage.getStore()
+    const { name, metadata, type } = message
     const metadataFilter = this.config.metadataFilter
     const childOf = extract(this.tracer, metadata)
     const method = getMethodMetadata(name, type)
@@ -44,9 +52,19 @@ class GrpcServerPlugin extends ServerPlugin {
     })
 
     addMetadataTags(span, metadata, metadataFilter, 'request')
+
+    message.span = span
+    message.parentStore = store
+    message.currentStore = { ...store, span }
+
+    return message.currentStore
   }
 
-  error (error) {
+  bindAsyncStart ({ parentStore }) {
+    return parentStore
+  }
+
+  error ({ error }) {
     const span = this.activeSpan
 
     if (!span) return
@@ -55,9 +73,7 @@ class GrpcServerPlugin extends ServerPlugin {
     this.addError(error)
   }
 
-  finish ({ code, trailer } = {}) {
-    const span = this.activeSpan
-
+  finish ({ span, code, trailer }) {
     if (!span) return
 
     const metadataFilter = this.config.metadataFilter
@@ -68,7 +84,7 @@ class GrpcServerPlugin extends ServerPlugin {
       addMetadataTags(span, trailer, metadataFilter, 'response')
     }
 
-    super.finish()
+    span.finish()
   }
 
   configure (config) {

package/packages/datadog-plugin-http2/src/client.js

@@ -8,7 +8,6 @@ const log = require('../../dd-trace/src/log')
 const tags = require('../../../ext/tags')
 const kinds = require('../../../ext/kinds')
 const formats = require('../../../ext/formats')
-const analyticsSampler = require('../../dd-trace/src/analytics_sampler')
 const { COMPONENT, CLIENT_PORT_KEY } = require('../../dd-trace/src/constants')
 const urlFilter = require('../../dd-trace/src/plugins/util/urlfilter')
 
@@ -25,32 +24,11 @@ const HTTP2_HEADER_STATUS = ':status'
 const HTTP2_METHOD_GET = 'GET'
 
 class Http2ClientPlugin extends ClientPlugin {
-  static get id () {
-    return 'http2'
-  }
-
-  constructor (...args) {
-    super(...args)
-
-    this.addSub('apm:http2:client:response', (headers) => {
-      const span = storage.getStore().span
-      const status = headers && headers[HTTP2_HEADER_STATUS]
-
-      span.setTag(HTTP_STATUS_CODE, status)
-
-      if (!this.config.validateStatus(status)) {
-        this.addError()
-      }
+  static get id () { return 'http2' }
+  static get prefix () { return `apm:http2:client:request` }
 
-      addHeaderTags(span, headers, HTTP_RESPONSE_HEADERS, this.config)
-    })
-  }
-
-  addTraceSub (eventName, handler) {
-    this.addSub(`apm:${this.constructor.id}:client:${this.operation}:${eventName}`, handler)
-  }
-
-  start ({ authority, options, headers = {} }) {
+  bindStart (message) {
+    const { authority, options, headers = {} } = message
     const sessionDetails = extractSessionDetails(authority, options)
     const path = headers[HTTP2_HEADER_PATH] || '/'
     const pathname = path.split(/[?#]/)[0]
@@ -75,7 +53,7 @@ class Http2ClientPlugin extends ClientPlugin {
       metrics: {
         [CLIENT_PORT_KEY]: parseInt(sessionDetails.port)
       }
-    })
+    }, false)
 
     // TODO: Figure out a better way to do this for any span.
     if (!allowed) {
@@ -88,14 +66,53 @@ class Http2ClientPlugin extends ClientPlugin {
       this.tracer.inject(span, HTTP_HEADERS, headers)
     }
 
-    analyticsSampler.sample(span, this.config.measured)
+    message.parentStore = store
+    message.currentStore = { ...store, span }
+
+    return message.currentStore
+  }
+
+  bindAsyncStart ({ eventName, eventData, currentStore, parentStore }) {
+    switch (eventName) {
+      case 'response':
+        this._onResponse(currentStore, eventData)
+        return parentStore
+      case 'error':
+        this._onError(currentStore, eventData)
+        return parentStore
+      case 'close':
+        this._onClose(currentStore, eventData)
+        return parentStore
+    }
 
-    this.enter(span, store)
+    return storage.getStore()
   }
 
   configure (config) {
     return super.configure(normalizeConfig(config))
   }
+
+  _onResponse (store, headers) {
+    const status = headers && headers[HTTP2_HEADER_STATUS]
+
+    store.span.setTag(HTTP_STATUS_CODE, status)
+
+    if (!this.config.validateStatus(status)) {
+      storage.run(store, () => this.addError())
+    }
+
+    addHeaderTags(store.span, headers, HTTP_RESPONSE_HEADERS, this.config)
+  }
+
+  _onError ({ span }, error) {
+    span.setTag('error', error)
+    span.finish()
+  }
+
+  _onClose ({ span }) {
+    this.tagPeerService(span)
+    span.finish()
+  }
 }
 
 function extractSessionDetails (authority, options) {

package/packages/datadog-plugin-jest/src/index.js

@@ -166,9 +166,12 @@ class JestPlugin extends CiPlugin {
       this.enter(span, store)
     })
 
-    this.addSub('ci:jest:test:finish', (status) => {
+    this.addSub('ci:jest:test:finish', ({ status, testStartLine }) => {
       const span = storage.getStore().span
       span.setTag(TEST_STATUS, status)
+      if (testStartLine) {
+        span.setTag(TEST_SOURCE_START, testStartLine)
+      }
       span.finish()
       finishAllTraceSpans(span)
     })
@@ -197,8 +200,10 @@ class JestPlugin extends CiPlugin {
     const extraTags = {
       [JEST_TEST_RUNNER]: runner,
       [TEST_PARAMETERS]: testParameters,
-      [TEST_FRAMEWORK_VERSION]: frameworkVersion,
-      [TEST_SOURCE_START]: testStartLine
+      [TEST_FRAMEWORK_VERSION]: frameworkVersion
+    }
+    if (testStartLine) {
+      extraTags[TEST_SOURCE_START] = testStartLine
     }
 
     return super.startTestSpan(name, suite, this.testSuiteSpan, extraTags)

package/packages/datadog-plugin-openai/src/index.js

@@ -8,6 +8,10 @@ const services = require('./services')
 const Sampler = require('../../dd-trace/src/sampler')
 const { MEASURED } = require('../../../ext/tags')
 
+// String#replaceAll unavailable on Node.js@v14 (dd-trace@<=v3)
+const RE_NEWLINE = /\n/g
+const RE_TAB = /\t/g
+
 // TODO: In the future we should refactor config.js to make it requirable
 let MAX_TEXT_LEN = 128
 
@@ -26,7 +30,9 @@ class OpenApiPlugin extends TracingPlugin {
     this.sampler = new Sampler(0.1) // default 10% log sampling
 
     // hoist the max length env var to avoid making all of these functions a class method
-    MAX_TEXT_LEN = this._tracerConfig.openaiSpanCharLimit
+    if (this._tracerConfig) {
+      MAX_TEXT_LEN = this._tracerConfig.openaiSpanCharLimit
+    }
   }
 
   configure (config) {
@@ -83,11 +89,11 @@ class OpenApiPlugin extends TracingPlugin {
       store.prompt = prompt
       if (typeof prompt === 'string' || (Array.isArray(prompt) && typeof prompt[0] === 'number')) {
         // This is a single prompt, either String or [Number]
-        tags[`openai.request.prompt`] = normalizeStringOrTokenArray(prompt)
+        tags[`openai.request.prompt`] = normalizeStringOrTokenArray(prompt, true)
       } else if (Array.isArray(prompt)) {
         // This is multiple prompts, either [String] or [[Number]]
         for (let i = 0; i < prompt.length; i++) {
-          tags[`openai.request.prompt.${i}`] = normalizeStringOrTokenArray(prompt[i])
+          tags[`openai.request.prompt.${i}`] = normalizeStringOrTokenArray(prompt[i], true)
         }
       }
     }
@@ -363,6 +369,8 @@ function retrieveModelResponseExtraction (tags, body) {
   tags['openai.response.parent'] = body.parent
   tags['openai.response.root'] = body.root
 
+  if (!body.permission) return
+
   tags['openai.response.permission.id'] = body.permission[0].id
   tags['openai.response.permission.created'] = body.permission[0].created
   tags['openai.response.permission.allow_create_engine'] = body.permission[0].allow_create_engine
@@ -382,10 +390,14 @@ function commonLookupFineTuneRequestExtraction (tags, body) {
 }
 
 function listModelsResponseExtraction (tags, body) {
+  if (!body.data) return
+
   tags['openai.response.count'] = body.data.length
 }
 
 function commonImageResponseExtraction (tags, body) {
+  if (!body.data) return
+
   tags['openai.response.images_count'] = body.data.length
 
   for (let i = 0; i < body.data.length; i++) {
@@ -400,7 +412,7 @@ function createAudioResponseExtraction (tags, body) {
   tags['openai.response.text'] = body.text
   tags['openai.response.language'] = body.language
   tags['openai.response.duration'] = body.duration
-  tags['openai.response.segments_count'] = body.segments.length
+  tags['openai.response.segments_count'] = defensiveArrayLength(body.segments)
 }
 
 function createFineTuneRequestExtraction (tags, body) {
@@ -417,21 +429,24 @@ function createFineTuneRequestExtraction (tags, body) {
 }
 
 function commonFineTuneResponseExtraction (tags, body) {
-  tags['openai.response.events_count'] = body.events.length
+  tags['openai.response.events_count'] = defensiveArrayLength(body.events)
   tags['openai.response.fine_tuned_model'] = body.fine_tuned_model
-  tags['openai.response.hyperparams.n_epochs'] = body.hyperparams.n_epochs
-  tags['openai.response.hyperparams.batch_size'] = body.hyperparams.batch_size
-  tags['openai.response.hyperparams.prompt_loss_weight'] = body.hyperparams.prompt_loss_weight
-  tags['openai.response.hyperparams.learning_rate_multiplier'] = body.hyperparams.learning_rate_multiplier
-  tags['openai.response.training_files_count'] = body.training_files.length
-  tags['openai.response.result_files_count'] = body.result_files.length
-  tags['openai.response.validation_files_count'] = body.validation_files.length
+  if (body.hyperparams) {
+    tags['openai.response.hyperparams.n_epochs'] = body.hyperparams.n_epochs
+    tags['openai.response.hyperparams.batch_size'] = body.hyperparams.batch_size
+    tags['openai.response.hyperparams.prompt_loss_weight'] = body.hyperparams.prompt_loss_weight
+    tags['openai.response.hyperparams.learning_rate_multiplier'] = body.hyperparams.learning_rate_multiplier
+  }
+  tags['openai.response.training_files_count'] = defensiveArrayLength(body.training_files)
+  tags['openai.response.result_files_count'] = defensiveArrayLength(body.result_files)
+  tags['openai.response.validation_files_count'] = defensiveArrayLength(body.validation_files)
   tags['openai.response.updated_at'] = body.updated_at
   tags['openai.response.status'] = body.status
 }
 
 // the OpenAI package appears to stream the content download then provide it all as a singular string
 function downloadFileResponseExtraction (tags, body) {
+  if (!body.file) return
   tags['openai.response.total_bytes'] = body.file.length
 }
 
@@ -472,6 +487,8 @@ function createRetrieveFileResponseExtraction (tags, body) {
 function createEmbeddingResponseExtraction (tags, body) {
   usageExtraction(tags, body)
 
+  if (!body.data) return
+
   tags['openai.response.embeddings_count'] = body.data.length
   for (let i = 0; i < body.data.length; i++) {
     tags[`openai.response.embedding.${i}.embedding_length`] = body.data[i].embedding.length
@@ -479,6 +496,7 @@ function createEmbeddingResponseExtraction (tags, body) {
 }
 
 function commonListCountResponseExtraction (tags, body) {
+  if (!body.data) return
   tags['openai.response.count'] = body.data.length
 }
 
@@ -486,6 +504,9 @@ function commonListCountResponseExtraction (tags, body) {
 function createModerationResponseExtraction (tags, body) {
   tags['openai.response.id'] = body.id
   // tags[`openai.response.model`] = body.model // redundant, already extracted globally
+
+  if (!body.results) return
+
   tags['openai.response.flagged'] = body.results[0].flagged
 
   for (const [category, match] of Object.entries(body.results[0].categories)) {
@@ -501,6 +522,8 @@ function createModerationResponseExtraction (tags, body) {
 function commonCreateResponseExtraction (tags, body, store) {
   usageExtraction(tags, body)
 
+  if (!body.choices) return
+
   tags['openai.response.choices_count'] = body.choices.length
 
   store.choices = body.choices
@@ -530,7 +553,7 @@ function usageExtraction (tags, body) {
 }
 
 function truncateApiKey (apiKey) {
-  return `sk-...${apiKey.substr(apiKey.length - 4)}`
+  return apiKey && `sk-...${apiKey.substr(apiKey.length - 4)}`
 }
 
 /**
@@ -540,8 +563,8 @@ function truncateText (text) {
   if (!text) return
 
   text = text
-    .replaceAll('\n', '\\n')
-    .replaceAll('\t', '\\t')
+    .replace(RE_NEWLINE, '\\n')
+    .replace(RE_TAB, '\\t')
 
   if (text.length > MAX_TEXT_LEN) {
     return text.substring(0, MAX_TEXT_LEN) + '...'
@@ -671,7 +694,7 @@ function normalizeRequestPayload (methodName, args) {
  * "foo" -> "foo"
  * [1,2,3] -> "[1, 2, 3]"
  */
-function normalizeStringOrTokenArray (input, truncate = true) {
+function normalizeStringOrTokenArray (input, truncate) {
   const normalized = Array.isArray(input)
     ? `[${input.join(', ')}]` // "[1, 2, 999]"
     : input // "foo"

package/packages/datadog-plugin-openai/src/services.js

@@ -1,7 +1,7 @@
 'use strict'
 
 const { DogStatsDClient, NoopDogStatsDClient } = require('../../dd-trace/src/dogstatsd')
-const ExternalLogger = require('../../dd-trace/src/external-logger/src')
+const { ExternalLogger, NoopExternalLogger } = require('../../dd-trace/src/external-logger/src')
 
 const FLUSH_INTERVAL = 10 * 1000
 
@@ -10,7 +10,7 @@ let logger = null
 let interval = null
 
 module.exports.init = function (tracerConfig) {
-  if (tracerConfig.dogstatsd) {
+  if (tracerConfig && tracerConfig.dogstatsd) {
     metrics = new DogStatsDClient({
       host: tracerConfig.dogstatsd.hostname,
       port: tracerConfig.dogstatsd.port,
@@ -24,13 +24,17 @@ module.exports.init = function (tracerConfig) {
     metrics = new NoopDogStatsDClient()
   }
 
-  logger = new ExternalLogger({
-    ddsource: 'openai',
-    hostname: tracerConfig.hostname,
-    service: tracerConfig.service,
-    apiKey: tracerConfig.apiKey,
-    interval: FLUSH_INTERVAL
-  })
+  if (tracerConfig && tracerConfig.apiKey) {
+    logger = new ExternalLogger({
+      ddsource: 'openai',
+      hostname: tracerConfig.hostname,
+      service: tracerConfig.service,
+      apiKey: tracerConfig.apiKey,
+      interval: FLUSH_INTERVAL
+    })
+  } else {
+    logger = new NoopExternalLogger()
+  }
 
   interval = setInterval(() => {
     metrics.flush()

package/packages/datadog-plugin-router/src/index.js

@@ -156,7 +156,7 @@ function isMoreSpecificThan (routeA, routeB) {
 }
 
 function routeIsRegex (route) {
-  return route.includes('(/') && route.includes('/)')
+  return route.includes('(/')
 }
 
 module.exports = RouterPlugin

package/packages/dd-trace/src/appsec/iast/analyzers/analyzers.js

@@ -2,6 +2,7 @@
 
 module.exports = {
   'COMMAND_INJECTION_ANALYZER': require('./command-injection-analyzer'),
+  'HSTS_HEADER_MISSING_ANALYZER': require('./hsts-header-missing-analyzer'),
   'INSECURE_COOKIE_ANALYZER': require('./insecure-cookie-analyzer'),
   'LDAP_ANALYZER': require('./ldap-injection-analyzer'),
   'NO_HTTPONLY_COOKIE_ANALYZER': require('./no-httponly-cookie-analyzer'),
@@ -11,5 +12,6 @@ module.exports = {
   'SSRF': require('./ssrf-analyzer'),
   'UNVALIDATED_REDIRECT_ANALYZER': require('./unvalidated-redirect-analyzer'),
   'WEAK_CIPHER_ANALYZER': require('./weak-cipher-analyzer'),
-  'WEAK_HASH_ANALYZER': require('./weak-hash-analyzer')
+  'WEAK_HASH_ANALYZER': require('./weak-hash-analyzer'),
+  'XCONTENTTYPE_HEADER_MISSING_ANALYZER': require('./xcontenttype-header-missing-analyzer')
 }

package/packages/dd-trace/src/appsec/iast/analyzers/command-injection-analyzer.js

@@ -5,6 +5,9 @@ const { COMMAND_INJECTION } = require('../vulnerabilities')
 class CommandInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
     super(COMMAND_INJECTION)
+  }
+
+  onConfigure () {
     this.addSub('datadog:child_process:execution:start', ({ command }) => this.analyze(command))
   }
 }

package/packages/dd-trace/src/appsec/iast/analyzers/cookie-analyzer.js

@@ -9,7 +9,13 @@ class CookieAnalyzer extends Analyzer {
   constructor (type, propertyToBeSafe) {
     super(type)
     this.propertyToBeSafe = propertyToBeSafe.toLowerCase()
-    this.addSub('datadog:iast:set-cookie', (cookieInfo) => this.analyze(cookieInfo))
+  }
+
+  onConfigure () {
+    this.addSub(
+      { channelName: 'datadog:iast:set-cookie', moduleName: 'http' },
+      (cookieInfo) => this.analyze(cookieInfo)
+    )
   }
 
   _isVulnerable ({ cookieProperties, cookieValue }) {

package/packages/dd-trace/src/appsec/iast/analyzers/hsts-header-missing-analyzer.js

@@ -0,0 +1,45 @@
+'use strict'
+
+const { HSTS_HEADER_MISSING } = require('../vulnerabilities')
+const { MissingHeaderAnalyzer } = require('./missing-header-analyzer')
+
+const HSTS_HEADER_NAME = 'Strict-Transport-Security'
+const HEADER_VALID_PREFIX = 'max-age'
+class HstsHeaderMissingAnalyzer extends MissingHeaderAnalyzer {
+  constructor () {
+    super(HSTS_HEADER_MISSING, HSTS_HEADER_NAME)
+  }
+  _isVulnerableFromRequestAndResponse (req, res) {
+    const headerToCheck = res.getHeader(HSTS_HEADER_NAME)
+    return !this._isHeaderValid(headerToCheck) && this._isHttpsProtocol(req)
+  }
+
+  _isHeaderValid (headerValue) {
+    if (!headerValue) {
+      return false
+    }
+    headerValue = headerValue.trim()
+
+    if (!headerValue.startsWith(HEADER_VALID_PREFIX)) {
+      return false
+    }
+
+    const semicolonIndex = headerValue.indexOf(';')
+    let timestampString
+    if (semicolonIndex > -1) {
+      timestampString = headerValue.substring(HEADER_VALID_PREFIX.length + 1, semicolonIndex)
+    } else {
+      timestampString = headerValue.substring(HEADER_VALID_PREFIX.length + 1)
+    }
+
+    const timestamp = parseInt(timestampString)
+    // eslint-disable-next-line eqeqeq
+    return timestamp == timestampString && timestamp > 0
+  }
+
+  _isHttpsProtocol (req) {
+    return req.protocol === 'https' || req.headers['x-forwarded-proto'] === 'https'
+  }
+}
+
+module.exports = new HstsHeaderMissingAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/index.js

@@ -3,10 +3,10 @@
 const analyzers = require('./analyzers')
 const setCookiesHeaderInterceptor = require('./set-cookies-header-interceptor')
 
-function enableAllAnalyzers () {
-  setCookiesHeaderInterceptor.configure(true)
+function enableAllAnalyzers (tracerConfig) {
+  setCookiesHeaderInterceptor.configure({ enabled: true, tracerConfig })
   for (const analyzer in analyzers) {
-    analyzers[analyzer].configure(true)
+    analyzers[analyzer].configure({ enabled: true, tracerConfig })
   }
 }
 

package/packages/dd-trace/src/appsec/iast/analyzers/ldap-injection-analyzer.js

@@ -5,6 +5,9 @@ const { LDAP_INJECTION } = require('../vulnerabilities')
 class LdapInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
     super(LDAP_INJECTION)
+  }
+
+  onConfigure () {
     this.addSub('datadog:ldapjs:client:search', ({ base, filter }) => this.analyzeAll(base, filter))
   }
 }