dd-trace 4.16.0 → 4.17.0

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations.js

@@ -18,15 +18,14 @@ let onRemoveTransaction = (transactionId, iastContext) => {}
 
 function onRemoveTransactionInformationTelemetry (transactionId, iastContext) {
   const metrics = TaintedUtils.getMetrics(transactionId, iastTelemetry.verbosity)
-  if (metrics && metrics.requestCount) {
+  if (metrics?.requestCount) {
     REQUEST_TAINTED.add(metrics.requestCount, null, iastContext)
   }
 }
 
 function removeTransaction (iastContext) {
-  if (iastContext && iastContext[IAST_TRANSACTION_ID]) {
-    const transactionId = iastContext[IAST_TRANSACTION_ID]
-
+  const transactionId = iastContext?.[IAST_TRANSACTION_ID]
+  if (transactionId) {
     onRemoveTransaction(transactionId, iastContext)
 
     TaintedUtils.removeTransaction(transactionId)
@@ -36,8 +35,8 @@ function removeTransaction (iastContext) {
 
 function newTaintedString (iastContext, string, name, type) {
   let result = string
-  if (iastContext && iastContext[IAST_TRANSACTION_ID]) {
-    const transactionId = iastContext[IAST_TRANSACTION_ID]
+  const transactionId = iastContext?.[IAST_TRANSACTION_ID]
+  if (transactionId) {
     result = TaintedUtils.newTaintedString(transactionId, string, name, type)
   } else {
     result = string
@@ -47,15 +46,17 @@ function newTaintedString (iastContext, string, name, type) {
 
 function taintObject (iastContext, object, type, keyTainting, keyType) {
   let result = object
-  if (iastContext && iastContext[IAST_TRANSACTION_ID]) {
-    const transactionId = iastContext[IAST_TRANSACTION_ID]
+  const transactionId = iastContext?.[IAST_TRANSACTION_ID]
+  if (transactionId) {
     const queue = [{ parent: null, property: null, value: object }]
     const visited = new WeakSet()
+
     while (queue.length > 0) {
       const { parent, property, value, key } = queue.pop()
       if (value === null) {
         continue
       }
+
       try {
         if (typeof value === 'string') {
           const tainted = TaintedUtils.newTaintedString(transactionId, value, property, type)
@@ -71,11 +72,13 @@ function taintObject (iastContext, object, type, keyTainting, keyType) {
           }
         } else if (typeof value === 'object' && !visited.has(value)) {
           visited.add(value)
+
           const keys = Object.keys(value)
           for (let i = 0; i < keys.length; i++) {
             const key = keys[i]
             queue.push({ parent: value, property: property ? `${property}.${key}` : key, value: value[key], key })
           }
+
           if (parent && keyTainting && key) {
             const taintedProperty = TaintedUtils.newTaintedString(transactionId, key, property, keyType)
             parent[taintedProperty] = value
@@ -91,8 +94,8 @@ function taintObject (iastContext, object, type, keyTainting, keyType) {
 
 function isTainted (iastContext, string) {
   let result = false
-  if (iastContext && iastContext[IAST_TRANSACTION_ID]) {
-    const transactionId = iastContext[IAST_TRANSACTION_ID]
+  const transactionId = iastContext?.[IAST_TRANSACTION_ID]
+  if (transactionId) {
     result = TaintedUtils.isTainted(transactionId, string)
   } else {
     result = false
@@ -102,8 +105,8 @@ function isTainted (iastContext, string) {
 
 function getRanges (iastContext, string) {
   let result = []
-  if (iastContext && iastContext[IAST_TRANSACTION_ID]) {
-    const transactionId = iastContext[IAST_TRANSACTION_ID]
+  const transactionId = iastContext?.[IAST_TRANSACTION_ID]
+  if (transactionId) {
     result = TaintedUtils.getRanges(transactionId, string)
   } else {
     result = []
@@ -111,6 +114,15 @@ function getRanges (iastContext, string) {
   return result
 }
 
+function addSecureMark (iastContext, string, mark) {
+  const transactionId = iastContext?.[IAST_TRANSACTION_ID]
+  if (transactionId) {
+    return TaintedUtils.addSecureMarksToTaintedString(transactionId, string, mark)
+  }
+
+  return string
+}
+
 function enableTaintOperations (telemetryVerbosity) {
   if (isInfoAllowed(telemetryVerbosity)) {
     onRemoveTransaction = onRemoveTransactionInformationTelemetry
@@ -132,6 +144,7 @@ function setMaxTransactions (transactions) {
 }
 
 module.exports = {
+  addSecureMark,
   createTransaction,
   removeTransaction,
   newTaintedString,

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js

@@ -11,8 +11,8 @@ const {
   HTTP_REQUEST_HEADER_VALUE,
   HTTP_REQUEST_HEADER_NAME,
   HTTP_REQUEST_PARAMETER,
-  HTTP_REQUEST_PATH,
-  HTTP_REQUEST_PATH_PARAM
+  HTTP_REQUEST_PATH_PARAM,
+  HTTP_REQUEST_URI
 } = require('./source-types')
 
 class TaintTrackingPlugin extends SourceIastPlugin {
@@ -93,9 +93,9 @@ class TaintTrackingPlugin extends SourceIastPlugin {
   taintUrl (req, iastContext) {
     this.execSource({
       handler: function () {
-        req.url = newTaintedString(iastContext, req.url, 'req.url', HTTP_REQUEST_PATH)
+        req.url = newTaintedString(iastContext, req.url, HTTP_REQUEST_URI, HTTP_REQUEST_URI)
       },
-      tag: [HTTP_REQUEST_PATH],
+      tag: [HTTP_REQUEST_URI],
       iastContext
     })
   }

package/packages/dd-trace/src/appsec/iast/taint-tracking/secure-marks-generator.js

@@ -0,0 +1,13 @@
+'use strict'
+
+let next = 0
+
+function getNextSecureMark () {
+  return 1 << next++
+}
+
+function reset () {
+  next = 0
+}
+
+module.exports = { getNextSecureMark, reset }

package/packages/dd-trace/src/appsec/iast/taint-tracking/source-types.js

@@ -8,5 +8,6 @@ module.exports = {
   HTTP_REQUEST_HEADER_VALUE: 'http.request.header',
   HTTP_REQUEST_PARAMETER: 'http.request.parameter',
   HTTP_REQUEST_PATH: 'http.request.path',
-  HTTP_REQUEST_PATH_PARAM: 'http.request.path.parameter'
+  HTTP_REQUEST_PATH_PARAM: 'http.request.path.parameter',
+  HTTP_REQUEST_URI: 'http.request.uri'
 }

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/json-sensitive-analyzer.js

@@ -0,0 +1,16 @@
+'use strict'
+
+const { stringifyWithRanges } = require('../../utils')
+
+class JsonSensitiveAnalyzer {
+  extractSensitiveRanges (evidence) {
+    // expect object evidence
+    const { value, ranges, sensitiveRanges } = stringifyWithRanges(evidence.value, evidence.rangesToApply, true)
+    evidence.value = value
+    evidence.ranges = ranges
+
+    return sensitiveRanges
+  }
+}
+
+module.exports = JsonSensitiveAnalyzer

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js

@@ -5,14 +5,12 @@ const vulnerabilities = require('../../vulnerabilities')
 const { contains, intersects, remove } = require('./range-utils')
 
 const CommandSensitiveAnalyzer = require('./sensitive-analyzers/command-sensitive-analyzer')
+const JsonSensitiveAnalyzer = require('./sensitive-analyzers/json-sensitive-analyzer')
 const LdapSensitiveAnalyzer = require('./sensitive-analyzers/ldap-sensitive-analyzer')
 const SqlSensitiveAnalyzer = require('./sensitive-analyzers/sql-sensitive-analyzer')
 const UrlSensitiveAnalyzer = require('./sensitive-analyzers/url-sensitive-analyzer')
 
-// eslint-disable-next-line max-len
-const DEFAULT_IAST_REDACTION_NAME_PATTERN = '(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)'
-// eslint-disable-next-line max-len
-const DEFAULT_IAST_REDACTION_VALUE_PATTERN = '(?:bearer\\s+[a-z0-9\\._\\-]+|glpat-[\\w\\-]{20}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\\w=\\-]+\\.ey[I-L][\\w=\\-]+(?:\\.[\\w.+/=\\-]+)?|(?:[\\-]{5}BEGIN[a-z\\s]+PRIVATE\\sKEY[\\-]{5}[^\\-]+[\\-]{5}END[a-z\\s]+PRIVATE\\sKEY[\\-]{5}|ssh-rsa\\s*[a-z0-9/\\.+]{100,}))'
+const { DEFAULT_IAST_REDACTION_NAME_PATTERN, DEFAULT_IAST_REDACTION_VALUE_PATTERN } = require('./sensitive-regex')
 
 const REDACTED_SOURCE_BUFFER = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
 
@@ -23,6 +21,7 @@ class SensitiveHandler {
 
     this._sensitiveAnalyzers = new Map()
     this._sensitiveAnalyzers.set(vulnerabilities.COMMAND_INJECTION, new CommandSensitiveAnalyzer())
+    this._sensitiveAnalyzers.set(vulnerabilities.NOSQL_MONGODB_INJECTION, new JsonSensitiveAnalyzer())
     this._sensitiveAnalyzers.set(vulnerabilities.LDAP_INJECTION, new LdapSensitiveAnalyzer())
     this._sensitiveAnalyzers.set(vulnerabilities.SQL_INJECTION, new SqlSensitiveAnalyzer())
     const urlSensitiveAnalyzer = new UrlSensitiveAnalyzer()

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-regex.js

@@ -0,0 +1,9 @@
+// eslint-disable-next-line max-len
+const DEFAULT_IAST_REDACTION_NAME_PATTERN = '(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)'
+// eslint-disable-next-line max-len
+const DEFAULT_IAST_REDACTION_VALUE_PATTERN = '(?:bearer\\s+[a-z0-9\\._\\-]+|glpat-[\\w\\-]{20}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\\w=\\-]+\\.ey[I-L][\\w=\\-]+(?:\\.[\\w.+/=\\-]+)?|(?:[\\-]{5}BEGIN[a-z\\s]+PRIVATE\\sKEY[\\-]{5}[^\\-]+[\\-]{5}END[a-z\\s]+PRIVATE\\sKEY[\\-]{5}|ssh-rsa\\s*[a-z0-9/\\.+]{100,}))'
+
+module.exports = {
+  DEFAULT_IAST_REDACTION_NAME_PATTERN,
+  DEFAULT_IAST_REDACTION_VALUE_PATTERN
+}

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/index.js

@@ -1,4 +1,7 @@
+'use strict'
+
 const sensitiveHandler = require('./evidence-redaction/sensitive-handler')
+const { stringifyWithRanges } = require('./utils')
 
 class VulnerabilityFormatter {
   constructor () {
@@ -38,6 +41,13 @@ class VulnerabilityFormatter {
   getUnredactedValueParts (evidence, sourcesIndexes) {
     const valueParts = []
     let fromIndex = 0
+
+    if (typeof evidence.value === 'object' && evidence.rangesToApply) {
+      const { value, ranges } = stringifyWithRanges(evidence.value, evidence.rangesToApply)
+      evidence.value = value
+      evidence.ranges = ranges
+    }
+
     evidence.ranges.forEach((range, rangeIndex) => {
       if (fromIndex < range.start) {
         valueParts.push({ value: evidence.value.substring(fromIndex, range.start) })
@@ -45,14 +55,16 @@ class VulnerabilityFormatter {
       valueParts.push({ value: evidence.value.substring(range.start, range.end), source: sourcesIndexes[rangeIndex] })
       fromIndex = range.end
     })
+
     if (fromIndex < evidence.value.length) {
       valueParts.push({ value: evidence.value.substring(fromIndex) })
     }
+
     return { valueParts }
   }
 
   formatEvidence (type, evidence, sourcesIndexes, sources) {
-    if (!evidence.ranges) {
+    if (!evidence.ranges && !evidence.rangesToApply) {
       if (typeof evidence.value === 'undefined') {
         return undefined
       } else {

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/utils.js

@@ -0,0 +1,169 @@
+'use strict'
+
+const crypto = require('crypto')
+const { DEFAULT_IAST_REDACTION_VALUE_PATTERN } = require('./evidence-redaction/sensitive-regex')
+
+const STRINGIFY_RANGE_KEY = 'DD_' + crypto.randomBytes(20).toString('hex')
+const STRINGIFY_SENSITIVE_KEY = STRINGIFY_RANGE_KEY + 'SENSITIVE'
+const STRINGIFY_SENSITIVE_NOT_STRING_KEY = STRINGIFY_SENSITIVE_KEY + 'NOTSTRING'
+
+// eslint-disable-next-line max-len
+const KEYS_REGEX_WITH_SENSITIVE_RANGES = new RegExp(`(?:"(${STRINGIFY_RANGE_KEY}_\\d+_))|(?:"(${STRINGIFY_SENSITIVE_KEY}_\\d+_(\\d+)_))|("${STRINGIFY_SENSITIVE_NOT_STRING_KEY}_\\d+_([\\s0-9.a-zA-Z]*)")`, 'gm')
+const KEYS_REGEX_WITHOUT_SENSITIVE_RANGES = new RegExp(`"(${STRINGIFY_RANGE_KEY}_\\d+_)`, 'gm')
+
+const sensitiveValueRegex = new RegExp(DEFAULT_IAST_REDACTION_VALUE_PATTERN, 'gmi')
+
+function iterateObject (target, fn, levelKeys = [], depth = 50) {
+  Object.keys(target).forEach((key) => {
+    const nextLevelKeys = [...levelKeys, key]
+    const val = target[key]
+
+    fn(val, nextLevelKeys, target, key)
+
+    if (val !== null && typeof val === 'object') {
+      iterateObject(val, fn, nextLevelKeys, depth - 1)
+    }
+  })
+}
+
+function stringifyWithRanges (obj, objRanges, loadSensitiveRanges = false) {
+  let value
+  const ranges = []
+  const sensitiveRanges = []
+  objRanges = objRanges || {}
+
+  if (objRanges || loadSensitiveRanges) {
+    const cloneObj = Array.isArray(obj) ? [] : {}
+    let counter = 0
+    const allRanges = {}
+    const sensitiveKeysMapping = {}
+
+    iterateObject(obj, (val, levelKeys, parent, key) => {
+      let currentLevelClone = cloneObj
+      for (let i = 0; i < levelKeys.length - 1; i++) {
+        let levelKey = levelKeys[i]
+
+        if (!currentLevelClone[levelKey]) {
+          const sensitiveKey = sensitiveKeysMapping[levelKey]
+          if (currentLevelClone[sensitiveKey]) {
+            levelKey = sensitiveKey
+          }
+        }
+
+        currentLevelClone = currentLevelClone[levelKey]
+      }
+
+      if (loadSensitiveRanges) {
+        const sensitiveKey = sensitiveKeysMapping[key]
+        if (sensitiveKey) {
+          key = sensitiveKey
+        } else {
+          sensitiveValueRegex.lastIndex = 0
+
+          if (sensitiveValueRegex.test(key)) {
+            const current = counter++
+            const id = `${STRINGIFY_SENSITIVE_KEY}_${current}_${key.length}_`
+            key = `${id}${key}`
+          }
+        }
+      }
+
+      if (typeof val === 'string') {
+        const ranges = objRanges[levelKeys.join('.')]
+        if (ranges) {
+          const current = counter++
+          const id = `${STRINGIFY_RANGE_KEY}_${current}_`
+
+          allRanges[id] = ranges
+          currentLevelClone[key] = `${id}${val}`
+        } else {
+          currentLevelClone[key] = val
+        }
+        if (loadSensitiveRanges) {
+          const current = counter++
+          const id = `${STRINGIFY_SENSITIVE_KEY}_${current}_${val.length}_`
+
+          currentLevelClone[key] = `${id}${currentLevelClone[key]}`
+        }
+      } else if (typeof val !== 'object' || val === null) {
+        if (loadSensitiveRanges) {
+          const current = counter++
+          const id = `${STRINGIFY_SENSITIVE_NOT_STRING_KEY}_${current}_`
+
+          // this is special, in the final string we should modify "key_value_[null|false|true]..."
+          // by null|false|..... ignoring the beginning and ending quotes
+          currentLevelClone[key] = id + val
+        } else {
+          currentLevelClone[key] = val
+        }
+      } else if (Array.isArray(val)) {
+        currentLevelClone[key] = []
+      } else {
+        currentLevelClone[key] = {}
+      }
+    })
+
+    value = JSON.stringify(cloneObj, null, 2)
+
+    if (counter > 0) {
+      let keysRegex
+      if (loadSensitiveRanges) {
+        keysRegex = KEYS_REGEX_WITH_SENSITIVE_RANGES
+      } else {
+        keysRegex = KEYS_REGEX_WITHOUT_SENSITIVE_RANGES
+      }
+      keysRegex.lastIndex = 0
+
+      let regexRes = keysRegex.exec(value)
+      while (regexRes) {
+        const offset = regexRes.index + 1 // +1 to increase the " char
+
+        if (regexRes[1]) {
+          // is a range
+          const rangesId = regexRes[1]
+          value = value.replace(rangesId, '')
+
+          const updatedRanges = allRanges[rangesId].map(range => {
+            return {
+              ...range,
+              start: range.start + offset,
+              end: range.end + offset
+            }
+          })
+
+          ranges.push(...updatedRanges)
+        } else if (regexRes[2]) {
+          // is a sensitive string literal
+          const sensitiveId = regexRes[2]
+
+          sensitiveRanges.push({
+            start: offset,
+            end: offset + parseInt(regexRes[3])
+          })
+
+          value = value.replace(sensitiveId, '')
+        } else if (regexRes[4]) {
+          // is a sensitive value (number, null, false, ...)
+          const sensitiveId = regexRes[4]
+          const originalValue = regexRes[5]
+
+          sensitiveRanges.push({
+            start: regexRes.index,
+            end: regexRes.index + originalValue.length
+          })
+
+          value = value.replace(sensitiveId, originalValue)
+        }
+
+        keysRegex.lastIndex = 0
+        regexRes = keysRegex.exec(value)
+      }
+    }
+  } else {
+    value = JSON.stringify(obj, null, 2)
+  }
+
+  return { value, ranges, sensitiveRanges }
+}
+
+module.exports = { stringifyWithRanges }

package/packages/dd-trace/src/appsec/iast/vulnerabilities.js

@@ -5,6 +5,7 @@ module.exports = {
   LDAP_INJECTION: 'LDAP_INJECTION',
   NO_HTTPONLY_COOKIE: 'NO_HTTPONLY_COOKIE',
   NO_SAMESITE_COOKIE: 'NO_SAMESITE_COOKIE',
+  NOSQL_MONGODB_INJECTION: 'NOSQL_MONGODB_INJECTION',
   PATH_TRAVERSAL: 'PATH_TRAVERSAL',
   SQL_INJECTION: 'SQL_INJECTION',
   SSRF: 'SSRF',

package/packages/dd-trace/src/appsec/index.js

@@ -10,7 +10,9 @@ const {
   incomingHttpRequestStart,
   incomingHttpRequestEnd,
   passportVerify,
-  queryParser
+  queryParser,
+  nextBodyParsed,
+  nextQueryParsed
 } = require('./channels')
 const waf = require('./waf')
 const addresses = require('./addresses')
@@ -30,6 +32,8 @@ function enable (_config) {
   if (isEnabled) return
 
   try {
+    appsecTelemetry.enable(_config.telemetry)
+
     setTemplates(_config)
 
     RuleManager.applyRules(_config.appsec.rules, _config.appsec)
@@ -38,11 +42,11 @@ function enable (_config) {
 
     Reporter.setRateLimit(_config.appsec.rateLimit)
 
-    appsecTelemetry.enable(_config.telemetry)
-
     incomingHttpRequestStart.subscribe(incomingHttpStartTranslator)
     incomingHttpRequestEnd.subscribe(incomingHttpEndTranslator)
     bodyParser.subscribe(onRequestBodyParsed)
+    nextBodyParsed.subscribe(onRequestBodyParsed)
+    nextQueryParsed.subscribe(onRequestQueryParsed)
     queryParser.subscribe(onRequestQueryParsed)
     cookieParser.subscribe(onRequestCookieParser)
     graphqlFinishExecute.subscribe(onGraphqlFinishExecute)
@@ -117,6 +121,10 @@ function incomingHttpEndTranslator ({ req, res }) {
     payload[addresses.HTTP_INCOMING_COOKIES] = req.cookies
   }
 
+  if (req.query && typeof req.query === 'object') {
+    payload[addresses.HTTP_INCOMING_QUERY] = req.query
+  }
+
   waf.run(payload, req)
 
   waf.disposeContext(req)
@@ -124,38 +132,48 @@ function incomingHttpEndTranslator ({ req, res }) {
   Reporter.finishRequest(req, res)
 }
 
-function onRequestBodyParsed ({ req, res, abortController }) {
+function onRequestBodyParsed ({ req, res, body, abortController }) {
+  if (body === undefined || body === null) return
+
+  if (!req) {
+    const store = storage.getStore()
+    req = store?.req
+  }
+
   const rootSpan = web.root(req)
   if (!rootSpan) return
 
-  if (req.body === undefined || req.body === null) return
-
   const results = waf.run({
-    [addresses.HTTP_INCOMING_BODY]: req.body
+    [addresses.HTTP_INCOMING_BODY]: body
   }, req)
 
   handleResults(results, req, res, rootSpan, abortController)
 }
 
-function onRequestQueryParsed ({ req, res, abortController }) {
+function onRequestQueryParsed ({ req, res, query, abortController }) {
+  if (!query || typeof query !== 'object') return
+
+  if (!req) {
+    const store = storage.getStore()
+    req = store?.req
+  }
+
   const rootSpan = web.root(req)
   if (!rootSpan) return
 
-  if (!req.query || typeof req.query !== 'object') return
-
   const results = waf.run({
-    [addresses.HTTP_INCOMING_QUERY]: req.query
+    [addresses.HTTP_INCOMING_QUERY]: query
   }, req)
 
   handleResults(results, req, res, rootSpan, abortController)
 }
 
 function onRequestCookieParser ({ req, res, abortController, cookies }) {
+  if (!cookies || typeof cookies !== 'object') return
+
   const rootSpan = web.root(req)
   if (!rootSpan) return
 
-  if (!cookies || typeof cookies !== 'object') return
-
   const results = waf.run({
     [addresses.HTTP_INCOMING_COOKIES]: cookies
   }, req)

package/packages/dd-trace/src/appsec/remote_config/manager.js

@@ -3,11 +3,12 @@
 const { URL, format } = require('url')
 const uuid = require('crypto-randomuuid')
 const { EventEmitter } = require('events')
-const Scheduler = require('./scheduler')
 const tracerVersion = require('../../../../../package.json').version
 const request = require('../../exporters/common/request')
 const log = require('../../log')
+const { getExtraServices } = require('../../service-naming/extra-services')
 const { UNACKNOWLEDGED, ACKNOWLEDGED, ERROR } = require('./apply_states')
+const Scheduler = require('./scheduler')
 
 const clientId = uuid()
 
@@ -57,7 +58,8 @@ class RemoteConfigManager extends EventEmitter {
           tracer_version: tracerVersion,
           service: config.service,
           env: config.env,
-          app_version: config.version
+          app_version: config.version,
+          extra_services: []
         },
         capabilities: DEFAULT_CAPABILITY // updated by `updateCapabilities()`
       },
@@ -113,8 +115,14 @@ class RemoteConfigManager extends EventEmitter {
     this.state.client.products = this.eventNames().filter(e => typeof e === 'string')
   }
 
+  getPayload () {
+    this.state.client.client_tracer.extra_services = getExtraServices()
+
+    return JSON.stringify(this.state)
+  }
+
   poll (cb) {
-    request(JSON.stringify(this.state), this.requestOptions, (err, data, statusCode) => {
+    request(this.getPayload(), this.requestOptions, (err, data, statusCode) => {
       // 404 means RC is disabled, ignore it
       if (statusCode === 404) return cb()
 

package/packages/dd-trace/src/appsec/waf/waf_context_wrapper.js

@@ -2,6 +2,12 @@
 
 const log = require('../../log')
 const Reporter = require('../reporter')
+const addresses = require('../addresses')
+
+// TODO: remove once ephemeral addresses are implemented
+const preventDuplicateAddresses = new Set([
+  addresses.HTTP_INCOMING_QUERY
+])
 
 class WAFContextWrapper {
   constructor (ddwafContext, requiredAddresses, wafTimeout, wafVersion, rulesVersion) {
@@ -10,16 +16,21 @@ class WAFContextWrapper {
     this.wafTimeout = wafTimeout
     this.wafVersion = wafVersion
     this.rulesVersion = rulesVersion
+    this.addressesToSkip = new Set()
   }
 
   run (params) {
     const inputs = {}
     let someInputAdded = false
+    const newAddressesToSkip = new Set(this.addressesToSkip)
 
     // TODO: possible optimizaion: only send params that haven't already been sent with same value to this wafContext
     for (const key of Object.keys(params)) {
-      if (this.requiredAddresses.has(key)) {
+      if (this.requiredAddresses.has(key) && !this.addressesToSkip.has(key)) {
         inputs[key] = params[key]
+        if (preventDuplicateAddresses.has(key)) {
+          newAddressesToSkip.add(key)
+        }
         someInputAdded = true
       }
     }
@@ -33,6 +44,8 @@ class WAFContextWrapper {
 
       const end = process.hrtime.bigint()
 
+      this.addressesToSkip = newAddressesToSkip
+
       const ruleTriggered = !!result.events?.length
       const blockTriggered = result.actions?.includes('block')
 

package/packages/dd-trace/src/config.js

@@ -179,6 +179,11 @@ class Config {
       false
     )
 
+    const DD_TRACE_MEMCACHED_COMMAND_ENABLED = coalesce(
+      process.env.DD_TRACE_MEMCACHED_COMMAND_ENABLED,
+      false
+    )
+
     const DD_SERVICE = options.service ||
       process.env.DD_SERVICE ||
       process.env.DD_SERVICE_NAME ||
@@ -629,6 +634,9 @@ ken|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)
 
     this.openaiSpanCharLimit = DD_OPENAI_SPAN_CHAR_LIMIT
 
+    // Requires an accompanying DD_APM_OBFUSCATION_MEMCACHED_KEEP_COMMAND=true in the agent
+    this.memcachedCommandEnabled = isTrue(DD_TRACE_MEMCACHED_COMMAND_ENABLED)
+
     if (this.gitMetadataEnabled) {
       this.repositoryUrl = coalesce(
         process.env.DD_GIT_REPOSITORY_URL,

package/packages/dd-trace/src/format.js

@@ -4,6 +4,7 @@ const constants = require('./constants')
 const tags = require('../../../ext/tags')
 const id = require('./id')
 const { isError } = require('./util')
+const { registerExtraService } = require('./service-naming/extra-services')
 
 const SAMPLING_PRIORITY_KEY = constants.SAMPLING_PRIORITY_KEY
 const SAMPLING_RULE_DECISION = constants.SAMPLING_RULE_DECISION
@@ -76,6 +77,8 @@ function extractTags (trace, span) {
   const tracerService = span.tracer()._service.toLowerCase()
   if (tags['service.name']?.toLowerCase() !== tracerService) {
     span.setTag(BASE_SERVICE, tracerService)
+
+    registerExtraService(tags['service.name'])
   }
 
   for (const tag in tags) {

package/packages/dd-trace/src/plugin_manager.js

@@ -136,7 +136,8 @@ module.exports = class PluginManager {
       headerTags,
       dbmPropagationMode,
       dsmEnabled,
-      clientIpEnabled
+      clientIpEnabled,
+      memcachedCommandEnabled
     } = this._tracerConfig
 
     const sharedConfig = {}
@@ -151,6 +152,7 @@ module.exports = class PluginManager {
 
     sharedConfig.dbmPropagationMode = dbmPropagationMode
     sharedConfig.dsmEnabled = dsmEnabled
+    sharedConfig.memcachedCommandEnabled = memcachedCommandEnabled
 
     if (serviceMapping && serviceMapping[name]) {
       sharedConfig.service = serviceMapping[name]