dd-trace 3.47.0 → 3.48.0

package/packages/datadog-plugin-rhea/src/consumer.js

@@ -2,6 +2,7 @@
 
 const ConsumerPlugin = require('../../dd-trace/src/plugins/consumer')
 const { storage } = require('../../datadog-core')
+const { getAmqpMessageSize, CONTEXT_PROPAGATION_KEY } = require('../../dd-trace/src/datastreams/processor')
 
 class RheaConsumerPlugin extends ConsumerPlugin {
   static get id () { return 'rhea' }
@@ -19,7 +20,7 @@ class RheaConsumerPlugin extends ConsumerPlugin {
     const name = getResourceNameFromMessage(msgObj)
     const childOf = extractTextMap(msgObj, this.tracer)
 
-    this.startSpan({
+    const span = this.startSpan({
       childOf,
       resource: name,
       type: 'worker',
@@ -29,6 +30,15 @@ class RheaConsumerPlugin extends ConsumerPlugin {
         'amqp.link.role': 'receiver'
       }
     })
+
+    if (this.config.dsmEnabled && msgObj.message) {
+      const payloadSize = getAmqpMessageSize(
+        { headers: msgObj.message.delivery_annotations, content: msgObj.message.body }
+      )
+      this.tracer.decodeDataStreamsContext(msgObj.message.delivery_annotations[CONTEXT_PROPAGATION_KEY])
+      this.tracer
+        .setCheckpoint(['direction:in', `topic:${name}`, 'type:rabbitmq'], span, payloadSize)
+    }
   }
 }
 

package/packages/datadog-plugin-rhea/src/producer.js

@@ -2,6 +2,8 @@
 
 const { CLIENT_PORT_KEY } = require('../../dd-trace/src/constants')
 const ProducerPlugin = require('../../dd-trace/src/plugins/producer')
+const { encodePathwayContext } = require('../../dd-trace/src/datastreams/pathway')
+const { getAmqpMessageSize, CONTEXT_PROPAGATION_KEY } = require('../../dd-trace/src/datastreams/processor')
 
 class RheaProducerPlugin extends ProducerPlugin {
   static get id () { return 'rhea' }
@@ -36,6 +38,15 @@ function addDeliveryAnnotations (msg, tracer, span) {
     msg.delivery_annotations = msg.delivery_annotations || {}
 
     tracer.inject(span, 'text_map', msg.delivery_annotations)
+
+    if (tracer._config.dsmEnabled) {
+      const targetName = span.context()._tags['amqp.link.target.address']
+      const payloadSize = getAmqpMessageSize({ content: msg.body, headers: msg.delivery_annotations })
+      const dataStreamsContext = tracer
+        .setCheckpoint(['direction:out', `exchange:${targetName}`, 'type:rabbitmq'], span, payloadSize)
+      const pathwayCtx = encodePathwayContext(dataStreamsContext)
+      msg.delivery_annotations[CONTEXT_PROPAGATION_KEY] = pathwayCtx
+    }
   }
 }
 

package/packages/dd-trace/src/appsec/addresses.js

@@ -15,6 +15,8 @@ module.exports = {
   HTTP_INCOMING_GRAPHQL_RESOLVERS: 'graphql.server.all_resolvers',
   HTTP_INCOMING_GRAPHQL_RESOLVER: 'graphql.server.resolver',
 
+  HTTP_OUTGOING_BODY: 'server.response.body',
+
   HTTP_CLIENT_IP: 'http.client_ip',
 
   USER_ID: 'usr.id',

package/packages/dd-trace/src/appsec/api_security_sampler.js

@@ -5,6 +5,8 @@ const log = require('../log')
 let enabled
 let requestSampling
 
+const sampledRequests = new WeakSet()
+
 function configure ({ apiSecurity }) {
   enabled = apiSecurity.enabled
   setRequestSampling(apiSecurity.requestSampling)
@@ -32,17 +34,28 @@ function parseRequestSampling (requestSampling) {
   return parsed
 }
 
-function sampleRequest () {
+function sampleRequest (req) {
   if (!enabled || !requestSampling) {
     return false
   }
 
-  return Math.random() <= requestSampling
+  const shouldSample = Math.random() <= requestSampling
+
+  if (shouldSample) {
+    sampledRequests.add(req)
+  }
+
+  return shouldSample
+}
+
+function isSampled (req) {
+  return sampledRequests.has(req)
 }
 
 module.exports = {
   configure,
   disable,
   setRequestSampling,
-  sampleRequest
+  sampleRequest,
+  isSampled
 }

package/packages/dd-trace/src/appsec/channels.js

@@ -16,5 +16,6 @@ module.exports = {
   queryParser: dc.channel('datadog:query:read:finish'),
   setCookieChannel: dc.channel('datadog:iast:set-cookie'),
   nextBodyParsed: dc.channel('apm:next:body-parsed'),
-  nextQueryParsed: dc.channel('apm:next:query-parsed')
+  nextQueryParsed: dc.channel('apm:next:query-parsed'),
+  responseBody: dc.channel('datadog:express:response:json:start')
 }

package/packages/dd-trace/src/appsec/iast/analyzers/command-injection-analyzer.js

@@ -8,7 +8,7 @@ class CommandInjectionAnalyzer extends InjectionAnalyzer {
   }
 
   onConfigure () {
-    this.addSub('datadog:child_process:execution:start', ({ command }) => this.analyze(command))
+    this.addSub('tracing:datadog:child_process:execution:start', ({ command }) => this.analyze(command))
   }
 }
 

package/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js

@@ -4,8 +4,6 @@ const InjectionAnalyzer = require('./injection-analyzer')
 const { SQL_INJECTION } = require('../vulnerabilities')
 const { getRanges } = require('../taint-tracking/operations')
 const { storage } = require('../../../../../datadog-core')
-const { getIastContext } = require('../iast-context')
-const { addVulnerability } = require('../vulnerability-reporter')
 const { getNodeModulesPaths } = require('../path-line')
 
 const EXCLUDED_PATHS = getNodeModulesPaths('mysql', 'mysql2', 'sequelize', 'pg-pool', 'knex')
@@ -16,9 +14,9 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
   }
 
   onConfigure () {
-    this.addSub('apm:mysql:query:start', ({ sql }) => this.analyze(sql, 'MYSQL'))
-    this.addSub('apm:mysql2:query:start', ({ sql }) => this.analyze(sql, 'MYSQL'))
-    this.addSub('apm:pg:query:start', ({ query }) => this.analyze(query.text, 'POSTGRES'))
+    this.addSub('apm:mysql:query:start', ({ sql }) => this.analyze(sql, undefined, 'MYSQL'))
+    this.addSub('apm:mysql2:query:start', ({ sql }) => this.analyze(sql, undefined, 'MYSQL'))
+    this.addSub('apm:pg:query:start', ({ query }) => this.analyze(query.text, undefined, 'POSTGRES'))
 
     this.addSub(
       'datadog:sequelize:query:start',
@@ -42,7 +40,7 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
   getStoreAndAnalyze (query, dialect) {
     const parentStore = storage.getStore()
     if (parentStore) {
-      this.analyze(query, dialect, parentStore)
+      this.analyze(query, parentStore, dialect)
 
       storage.enterWith({ ...parentStore, sqlAnalyzed: true, sqlParentStore: parentStore })
     }
@@ -60,29 +58,10 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
     return { value, ranges, dialect }
   }
 
-  analyze (value, dialect, store = storage.getStore()) {
+  analyze (value, store, dialect) {
+    store = store || storage.getStore()
     if (!(store && store.sqlAnalyzed)) {
-      const iastContext = getIastContext(store)
-      if (this._isInvalidContext(store, iastContext)) return
-      this._reportIfVulnerable(value, iastContext, dialect)
-    }
-  }
-
-  _reportIfVulnerable (value, context, dialect) {
-    if (this._isVulnerable(value, context) && this._checkOCE(context)) {
-      this._report(value, context, dialect)
-      return true
-    }
-    return false
-  }
-
-  _report (value, context, dialect) {
-    const evidence = this._getEvidence(value, context, dialect)
-    const location = this._getLocation()
-    if (!this._isExcluded(location)) {
-      const spanId = context && context.rootSpan && context.rootSpan.context().toSpanId()
-      const vulnerability = this._createVulnerability(this._type, evidence, spanId, location)
-      addVulnerability(context, vulnerability)
+      super.analyze(value, store, dialect)
     }
   }
 

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -22,8 +22,12 @@ class Analyzer extends SinkIastPlugin {
     return false
   }
 
-  _report (value, context) {
-    const evidence = this._getEvidence(value, context)
+  _report (value, context, meta) {
+    const evidence = this._getEvidence(value, context, meta)
+    this._reportEvidence(value, context, evidence)
+  }
+
+  _reportEvidence (value, context, evidence) {
     const location = this._getLocation(value)
     if (!this._isExcluded(location)) {
       const locationSourceMap = this._replaceLocationFromSourceMap(location)
@@ -33,9 +37,9 @@ class Analyzer extends SinkIastPlugin {
     }
   }
 
-  _reportIfVulnerable (value, context) {
+  _reportIfVulnerable (value, context, meta) {
     if (this._isVulnerable(value, context) && this._checkOCE(context, value)) {
-      this._report(value, context)
+      this._report(value, context, meta)
       return true
     }
     return false
@@ -71,11 +75,11 @@ class Analyzer extends SinkIastPlugin {
     return store && !iastContext
   }
 
-  analyze (value, store = storage.getStore()) {
+  analyze (value, store = storage.getStore(), meta) {
     const iastContext = getIastContext(store)
     if (this._isInvalidContext(store, iastContext)) return
 
-    this._reportIfVulnerable(value, iastContext)
+    this._reportIfVulnerable(value, iastContext, meta)
   }
 
   analyzeAll (...values) {

package/packages/dd-trace/src/appsec/iast/iast-plugin.js

@@ -127,10 +127,13 @@ class IastPlugin extends Plugin {
     if (!channelName && !moduleName) return
 
     if (!moduleName) {
-      const firstSep = channelName.indexOf(':')
+      let firstSep = channelName.indexOf(':')
       if (firstSep === -1) {
         moduleName = channelName
       } else {
+        if (channelName.startsWith('tracing:')) {
+          firstSep = channelName.indexOf(':', 'tracing:'.length + 1)
+        }
         const lastSep = channelName.indexOf(':', firstSep + 1)
         moduleName = channelName.substring(firstSep + 1, lastSep !== -1 ? lastSep : channelName.length)
       }

package/packages/dd-trace/src/appsec/index.js

@@ -11,7 +11,8 @@ const {
   passportVerify,
   queryParser,
   nextBodyParsed,
-  nextQueryParsed
+  nextQueryParsed,
+  responseBody
 } = require('./channels')
 const waf = require('./waf')
 const addresses = require('./addresses')
@@ -53,6 +54,7 @@ function enable (_config) {
     nextQueryParsed.subscribe(onRequestQueryParsed)
     queryParser.subscribe(onRequestQueryParsed)
     cookieParser.subscribe(onRequestCookieParser)
+    responseBody.subscribe(onResponseBody)
 
     if (_config.appsec.eventTracking.enabled) {
       passportVerify.subscribe(onPassportVerify)
@@ -93,7 +95,7 @@ function incomingHttpStartTranslator ({ req, res, abortController }) {
     persistent[addresses.HTTP_CLIENT_IP] = clientIp
   }
 
-  if (apiSecuritySampler.sampleRequest()) {
+  if (apiSecuritySampler.sampleRequest(req)) {
     persistent[addresses.WAF_CONTEXT_PROCESSOR] = { 'extract-schema': true }
   }
 
@@ -194,6 +196,18 @@ function onRequestCookieParser ({ req, res, abortController, cookies }) {
   handleResults(results, req, res, rootSpan, abortController)
 }
 
+function onResponseBody ({ req, body }) {
+  if (!body || typeof body !== 'object') return
+  if (!apiSecuritySampler.isSampled(req)) return
+
+  // we don't support blocking at this point, so no results needed
+  waf.run({
+    persistent: {
+      [addresses.HTTP_OUTGOING_BODY]: body
+    }
+  }, req)
+}
+
 function onPassportVerify ({ credentials, user }) {
   const store = storage.getStore()
   const rootSpan = store?.req && web.root(store.req)
@@ -233,6 +247,7 @@ function disable () {
   if (incomingHttpRequestEnd.hasSubscribers) incomingHttpRequestEnd.unsubscribe(incomingHttpEndTranslator)
   if (queryParser.hasSubscribers) queryParser.unsubscribe(onRequestQueryParsed)
   if (cookieParser.hasSubscribers) cookieParser.unsubscribe(onRequestCookieParser)
+  if (responseBody.hasSubscribers) responseBody.unsubscribe(onResponseBody)
   if (passportVerify.hasSubscribers) passportVerify.unsubscribe(onPassportVerify)
 }
 

package/packages/dd-trace/src/appsec/rule_manager.js

@@ -69,9 +69,9 @@ function updateWafFromRC ({ toUnapply, toApply, toModify }) {
         item.apply_error = 'Multiple ruleset received in ASM_DD'
       } else {
         if (file && file.rules && file.rules.length) {
-          const { version, metadata, rules } = file
+          const { version, metadata, rules, processors, scanners } = file
 
-          newRuleset = { version, metadata, rules }
+          newRuleset = { version, metadata, rules, processors, scanners }
           newRulesetId = id
         }
 

package/packages/dd-trace/src/ci-visibility/early-flake-detection/get-known-tests.js

@@ -0,0 +1,83 @@
+const request = require('../../exporters/common/request')
+const id = require('../../id')
+const log = require('../../log')
+
+function getKnownTests ({
+  url,
+  isEvpProxy,
+  evpProxyPrefix,
+  isGzipCompatible,
+  env,
+  service,
+  repositoryUrl,
+  sha,
+  osVersion,
+  osPlatform,
+  osArchitecture,
+  runtimeName,
+  runtimeVersion,
+  custom
+}, done) {
+  const options = {
+    path: '/api/v2/ci/libraries/tests',
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json'
+    },
+    timeout: 20000,
+    url
+  }
+
+  if (isGzipCompatible) {
+    options.headers['accept-encoding'] = 'gzip'
+  }
+
+  if (isEvpProxy) {
+    options.path = `${evpProxyPrefix}/api/v2/ci/libraries/tests`
+    options.headers['X-Datadog-EVP-Subdomain'] = 'api'
+  } else {
+    const apiKey = process.env.DATADOG_API_KEY || process.env.DD_API_KEY
+    if (!apiKey) {
+      return done(new Error('Known tests were not fetched because Datadog API key is not defined.'))
+    }
+
+    options.headers['dd-api-key'] = apiKey
+  }
+
+  const data = JSON.stringify({
+    data: {
+      id: id().toString(10),
+      type: 'ci_app_libraries_tests_request',
+      attributes: {
+        configurations: {
+          'os.platform': osPlatform,
+          'os.version': osVersion,
+          'os.architecture': osArchitecture,
+          'runtime.name': runtimeName,
+          'runtime.version': runtimeVersion,
+          custom
+        },
+        service,
+        env,
+        repository_url: repositoryUrl,
+        sha
+      }
+    }
+  })
+
+  request(data, options, (err, res) => {
+    if (err) {
+      done(err)
+    } else {
+      try {
+        const { data: { attributes: { test_full_names: knownTests } } } = JSON.parse(res)
+        log.debug(() => `Number of received known tests: ${Object.keys(knownTests).length}`)
+        done(null, knownTests)
+      } catch (err) {
+        done(err)
+      }
+    }
+  })
+}
+
+module.exports = { getKnownTests }

package/packages/dd-trace/src/ci-visibility/exporters/agent-proxy/index.js

@@ -5,10 +5,23 @@ const AgentlessWriter = require('../agentless/writer')
 const CoverageWriter = require('../agentless/coverage-writer')
 const CiVisibilityExporter = require('../ci-visibility-exporter')
 
-const AGENT_EVP_PROXY_PATH = '/evp_proxy/v2'
+const AGENT_EVP_PROXY_PATH_PREFIX = '/evp_proxy/v'
+const AGENT_EVP_PROXY_PATH_REGEX = /\/evp_proxy\/v(\d+)\/?/
 
-function getIsEvpCompatible (err, agentInfo) {
-  return !err && agentInfo.endpoints.some(url => url.includes(AGENT_EVP_PROXY_PATH))
+function getLatestEvpProxyVersion (err, agentInfo) {
+  if (err) {
+    return 0
+  }
+  return agentInfo.endpoints.reduce((acc, endpoint) => {
+    if (endpoint.includes(AGENT_EVP_PROXY_PATH_PREFIX)) {
+      const version = Number(endpoint.replace(AGENT_EVP_PROXY_PATH_REGEX, '$1'))
+      if (isNaN(version)) {
+        return acc
+      }
+      return version > acc ? version : acc
+    }
+    return acc
+  }, 0)
 }
 
 class AgentProxyCiVisibilityExporter extends CiVisibilityExporter {
@@ -25,17 +38,22 @@ class AgentProxyCiVisibilityExporter extends CiVisibilityExporter {
 
     this.getAgentInfo((err, agentInfo) => {
       this._isInitialized = true
-      const isEvpCompatible = getIsEvpCompatible(err, agentInfo)
+      const latestEvpProxyVersion = getLatestEvpProxyVersion(err, agentInfo)
+      const isEvpCompatible = latestEvpProxyVersion >= 2
+      const isGzipCompatible = latestEvpProxyVersion >= 4
+
+      const evpProxyPrefix = `${AGENT_EVP_PROXY_PATH_PREFIX}${latestEvpProxyVersion}`
       if (isEvpCompatible) {
         this._isUsingEvpProxy = true
+        this.evpProxyPrefix = evpProxyPrefix
         this._writer = new AgentlessWriter({
           url: this._url,
           tags,
-          evpProxyPrefix: AGENT_EVP_PROXY_PATH
+          evpProxyPrefix
         })
         this._coverageWriter = new CoverageWriter({
           url: this._url,
-          evpProxyPrefix: AGENT_EVP_PROXY_PATH
+          evpProxyPrefix
         })
       } else {
         this._writer = new AgentWriter({
@@ -51,6 +69,7 @@ class AgentProxyCiVisibilityExporter extends CiVisibilityExporter {
       this._resolveCanUseCiVisProtocol(isEvpCompatible)
       this.exportUncodedTraces()
       this.exportUncodedCoverages()
+      this._isGzipCompatible = isGzipCompatible
     })
   }
 

package/packages/dd-trace/src/ci-visibility/exporters/agentless/index.js

@@ -21,6 +21,8 @@ class AgentlessCiVisibilityExporter extends CiVisibilityExporter {
     this._coverageWriter = new CoverageWriter({ url: this._coverageUrl })
 
     this._apiUrl = url || new URL(`https://api.${site}`)
+    // Agentless is always gzip compatible
+    this._isGzipCompatible = true
   }
 
   setUrl (url, coverageUrl = url, apiUrl = url) {

package/packages/dd-trace/src/ci-visibility/exporters/ci-visibility-exporter.js

@@ -3,8 +3,9 @@
 const URL = require('url').URL
 
 const { sendGitMetadata: sendGitMetadataRequest } = require('./git/git_metadata')
-const { getItrConfiguration: getItrConfigurationRequest } = require('../intelligent-test-runner/get-itr-configuration')
+const { getLibraryConfiguration: getLibraryConfigurationRequest } = require('../requests/get-library-configuration')
 const { getSkippableSuites: getSkippableSuitesRequest } = require('../intelligent-test-runner/get-skippable-suites')
+const { getKnownTests: getKnownTestsRequest } = require('../early-flake-detection/get-known-tests')
 const log = require('../../log')
 const AgentInfoExporter = require('../../exporters/common/agent-info-exporter')
 
@@ -76,11 +77,18 @@ class CiVisibilityExporter extends AgentInfoExporter {
   shouldRequestSkippableSuites () {
     return !!(this._config.isIntelligentTestRunnerEnabled &&
       this._canUseCiVisProtocol &&
-      this._itrConfig &&
-      this._itrConfig.isSuitesSkippingEnabled)
+      this._libraryConfig?.isSuitesSkippingEnabled)
   }
 
-  shouldRequestItrConfiguration () {
+  shouldRequestKnownTests () {
+    return !!(
+      this._config.isEarlyFlakeDetectionEnabled &&
+      this._canUseCiVisProtocol &&
+      this._libraryConfig?.isEarlyFlakeDetectionEnabled
+    )
+  }
+
+  shouldRequestLibraryConfiguration () {
     return this._config.isIntelligentTestRunnerEnabled
   }
 
@@ -92,6 +100,19 @@ class CiVisibilityExporter extends AgentInfoExporter {
     return this._canUseCiVisProtocol
   }
 
+  getRequestConfiguration (testConfiguration) {
+    return {
+      url: this._getApiUrl(),
+      env: this._config.env,
+      service: this._config.service,
+      isEvpProxy: !!this._isUsingEvpProxy,
+      isGzipCompatible: this._isGzipCompatible,
+      evpProxyPrefix: this.evpProxyPrefix,
+      custom: getTestConfigurationTags(this._config.tags),
+      ...testConfiguration
+    }
+  }
+
   // We can't call the skippable endpoint until git upload has finished,
   // hence the this._gitUploadPromise.then
   getSkippableSuites (testConfiguration, callback) {
@@ -102,68 +123,84 @@ class CiVisibilityExporter extends AgentInfoExporter {
       if (gitUploadError) {
         return callback(gitUploadError, [])
       }
-      const configuration = {
-        url: this._getApiUrl(),
-        site: this._config.site,
-        env: this._config.env,
-        service: this._config.service,
-        isEvpProxy: !!this._isUsingEvpProxy,
-        custom: getTestConfigurationTags(this._config.tags),
-        ...testConfiguration
-      }
-      getSkippableSuitesRequest(configuration, callback)
+      getSkippableSuitesRequest(this.getRequestConfiguration(testConfiguration), callback)
     })
   }
 
+  getKnownTests (testConfiguration, callback) {
+    if (!this.shouldRequestKnownTests()) {
+      return callback(null)
+    }
+    getKnownTestsRequest(this.getRequestConfiguration(testConfiguration), callback)
+  }
+
   /**
-   * We can't request ITR configuration until we know whether we can use the
+   * We can't request library configuration until we know whether we can use the
    * CI Visibility Protocol, hence the this._canUseCiVisProtocol promise.
    */
-  getItrConfiguration (testConfiguration, callback) {
+  getLibraryConfiguration (testConfiguration, callback) {
     const { repositoryUrl } = testConfiguration
     this.sendGitMetadata(repositoryUrl)
-    if (!this.shouldRequestItrConfiguration()) {
+    if (!this.shouldRequestLibraryConfiguration()) {
       return callback(null, {})
     }
     this._canUseCiVisProtocolPromise.then((canUseCiVisProtocol) => {
       if (!canUseCiVisProtocol) {
         return callback(null, {})
       }
-      const configuration = {
-        url: this._getApiUrl(),
-        env: this._config.env,
-        service: this._config.service,
-        isEvpProxy: !!this._isUsingEvpProxy,
-        custom: getTestConfigurationTags(this._config.tags),
-        ...testConfiguration
-      }
-      getItrConfigurationRequest(configuration, (err, itrConfig) => {
+      const configuration = this.getRequestConfiguration(testConfiguration)
+
+      getLibraryConfigurationRequest(configuration, (err, libraryConfig) => {
         /**
-         * **Important**: this._itrConfig remains empty in testing frameworks
-         * where the tests run in a subprocess, because `getItrConfiguration` is called only once.
+         * **Important**: this._libraryConfig remains empty in testing frameworks
+         * where the tests run in a subprocess, like Jest,
+         * because `getLibraryConfiguration` is called only once in the main process.
          */
-        this._itrConfig = itrConfig
+        this._libraryConfig = this.filterConfiguration(libraryConfig)
 
         if (err) {
           callback(err, {})
-        } else if (itrConfig?.requireGit) {
+        } else if (libraryConfig?.requireGit) {
           // If the backend requires git, we'll wait for the upload to finish and request settings again
           this._gitUploadPromise.then(gitUploadError => {
             if (gitUploadError) {
               return callback(gitUploadError, {})
             }
-            getItrConfigurationRequest(configuration, (err, finalItrConfig) => {
-              this._itrConfig = finalItrConfig
-              callback(err, finalItrConfig)
+            getLibraryConfigurationRequest(configuration, (err, finalLibraryConfig) => {
+              this._libraryConfig = this.filterConfiguration(finalLibraryConfig)
+              callback(err, this._libraryConfig)
             })
           })
         } else {
-          callback(null, itrConfig)
+          callback(null, this._libraryConfig)
         }
       })
     })
   }
 
+  // Takes into account potential kill switches
+  filterConfiguration (remoteConfiguration) {
+    if (!remoteConfiguration) {
+      return {}
+    }
+    const {
+      isCodeCoverageEnabled,
+      isSuitesSkippingEnabled,
+      isItrEnabled,
+      requireGit,
+      isEarlyFlakeDetectionEnabled,
+      earlyFlakeDetectionNumRetries
+    } = remoteConfiguration
+    return {
+      isCodeCoverageEnabled,
+      isSuitesSkippingEnabled,
+      isItrEnabled,
+      requireGit,
+      isEarlyFlakeDetectionEnabled: isEarlyFlakeDetectionEnabled && this._config.isEarlyFlakeDetectionEnabled,
+      earlyFlakeDetectionNumRetries
+    }
+  }
+
   sendGitMetadata (repositoryUrl) {
     if (!this._config.isGitUploadEnabled) {
       return
@@ -172,14 +209,19 @@ class CiVisibilityExporter extends AgentInfoExporter {
       if (!canUseCiVisProtocol) {
         return
       }
-      sendGitMetadataRequest(this._getApiUrl(), !!this._isUsingEvpProxy, repositoryUrl, (err) => {
-        if (err) {
-          log.error(`Error uploading git metadata: ${err.message}`)
-        } else {
-          log.debug('Successfully uploaded git metadata')
+      sendGitMetadataRequest(
+        this._getApiUrl(),
+        { isEvpProxy: !!this._isUsingEvpProxy, evpProxyPrefix: this.evpProxyPrefix },
+        repositoryUrl,
+        (err) => {
+          if (err) {
+            log.error(`Error uploading git metadata: ${err.message}`)
+          } else {
+            log.debug('Successfully uploaded git metadata')
+          }
+          this._resolveGit(err)
         }
-        this._resolveGit(err)
-      })
+      )
     })
   }