dd-trace 4.16.0 → 4.18.0

package/packages/dd-trace/src/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.js

@@ -0,0 +1,173 @@
+'use strict'
+
+const InjectionAnalyzer = require('./injection-analyzer')
+const { NOSQL_MONGODB_INJECTION } = require('../vulnerabilities')
+const { getRanges, addSecureMark } = require('../taint-tracking/operations')
+const { getNodeModulesPaths } = require('../path-line')
+const { getNextSecureMark } = require('../taint-tracking/secure-marks-generator')
+const { storage } = require('../../../../../datadog-core')
+const { getIastContext } = require('../iast-context')
+const { HTTP_REQUEST_PARAMETER, HTTP_REQUEST_BODY } = require('../taint-tracking/source-types')
+
+const EXCLUDED_PATHS_FROM_STACK = getNodeModulesPaths('mongodb', 'mongoose')
+const MONGODB_NOSQL_SECURE_MARK = getNextSecureMark()
+
+function iterateObjectStrings (target, fn, levelKeys = [], depth = 50, visited = new Set()) {
+  if (target && typeof target === 'object') {
+    Object.keys(target).forEach((key) => {
+      const nextLevelKeys = [...levelKeys, key]
+      const val = target[key]
+
+      if (typeof val === 'string') {
+        fn(val, nextLevelKeys, target, key)
+      } else if (depth > 0 && !visited.has(val)) {
+        iterateObjectStrings(val, fn, nextLevelKeys, depth - 1, visited)
+        visited.add(val)
+      }
+    })
+  }
+}
+
+class NosqlInjectionMongodbAnalyzer extends InjectionAnalyzer {
+  constructor () {
+    super(NOSQL_MONGODB_INJECTION)
+    this.sanitizedObjects = new WeakSet()
+  }
+
+  onConfigure () {
+    this.configureSanitizers()
+
+    this.addSub('datadog:mongodb:collection:filter:start', ({ filters }) => {
+      const store = storage.getStore()
+      if (store && !store.nosqlAnalyzed && filters?.length) {
+        filters.forEach(filter => {
+          this.analyze({ filter }, store)
+        })
+      }
+    })
+
+    this.addSub('datadog:mongoose:model:filter:start', ({ filters }) => {
+      const store = storage.getStore()
+      if (!store) return
+
+      if (filters?.length) {
+        filters.forEach(filter => {
+          this.analyze({ filter }, store)
+        })
+      }
+
+      storage.enterWith({ ...store, nosqlAnalyzed: true, mongooseParentStore: store })
+    })
+
+    this.addSub('datadog:mongoose:model:filter:finish', () => {
+      const store = storage.getStore()
+      if (store?.mongooseParentStore) {
+        storage.enterWith(store.mongooseParentStore)
+      }
+    })
+  }
+
+  configureSanitizers () {
+    this.addNotSinkSub('datadog:express-mongo-sanitize:filter:finish', ({ sanitizedProperties, req }) => {
+      const store = storage.getStore()
+      const iastContext = getIastContext(store)
+
+      if (iastContext) { // do nothing if we are not in an iast request
+        sanitizedProperties.forEach(key => {
+          iterateObjectStrings(req[key], function (value, levelKeys) {
+            if (typeof value === 'string') {
+              let parentObj = req[key]
+              const levelsLength = levelKeys.length
+
+              for (let i = 0; i < levelsLength; i++) {
+                const currentLevelKey = levelKeys[i]
+
+                if (i === levelsLength - 1) {
+                  parentObj[currentLevelKey] = addSecureMark(iastContext, value, MONGODB_NOSQL_SECURE_MARK)
+                } else {
+                  parentObj = parentObj[currentLevelKey]
+                }
+              }
+            }
+          })
+        })
+      }
+    })
+
+    this.addNotSinkSub('datadog:express-mongo-sanitize:sanitize:finish', ({ sanitizedObject }) => {
+      const store = storage.getStore()
+      const iastContext = getIastContext(store)
+
+      if (iastContext) { // do nothing if we are not in an iast request
+        iterateObjectStrings(sanitizedObject, function (value, levelKeys, parent, lastKey) {
+          try {
+            parent[lastKey] = addSecureMark(iastContext, value, MONGODB_NOSQL_SECURE_MARK)
+          } catch {
+            // if it is a readonly property, do nothing
+          }
+        })
+      }
+    })
+
+    this.addNotSinkSub('datadog:mongoose:sanitize-filter:finish', ({ sanitizedObject }) => {
+      this.sanitizedObjects.add(sanitizedObject)
+    })
+  }
+
+  _isVulnerableRange (range) {
+    const rangeType = range?.iinfo?.type
+    const isVulnerableType = rangeType === HTTP_REQUEST_PARAMETER || rangeType === HTTP_REQUEST_BODY
+    return isVulnerableType && (range.secureMarks & MONGODB_NOSQL_SECURE_MARK) !== MONGODB_NOSQL_SECURE_MARK
+  }
+
+  _isVulnerable (value, iastContext) {
+    if (value?.filter && iastContext) {
+      let isVulnerable = false
+
+      if (this.sanitizedObjects.has(value.filter)) {
+        return false
+      }
+
+      const rangesByKey = {}
+      const allRanges = []
+
+      iterateObjectStrings(value.filter, (val, nextLevelKeys) => {
+        const ranges = getRanges(iastContext, val)
+        if (ranges?.length) {
+          const filteredRanges = []
+
+          for (const range of ranges) {
+            if (this._isVulnerableRange(range)) {
+              isVulnerable = true
+              filteredRanges.push(range)
+            }
+          }
+
+          if (filteredRanges.length > 0) {
+            rangesByKey[nextLevelKeys.join('.')] = filteredRanges
+            allRanges.push(...filteredRanges)
+          }
+        }
+      }, [], 4)
+
+      if (isVulnerable) {
+        value.rangesToApply = rangesByKey
+        value.ranges = allRanges
+      }
+
+      return isVulnerable
+    }
+    return false
+  }
+
+  _getEvidence (value, iastContext) {
+    return { value: value.filter, rangesToApply: value.rangesToApply, ranges: value.ranges }
+  }
+
+  _getExcludedPaths () {
+    return EXCLUDED_PATHS_FROM_STACK
+  }
+}
+
+module.exports = new NosqlInjectionMongodbAnalyzer()
+module.exports.MONGODB_NOSQL_SECURE_MARK = MONGODB_NOSQL_SECURE_MARK

package/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js

@@ -8,7 +8,7 @@ const { getIastContext } = require('../iast-context')
 const { addVulnerability } = require('../vulnerability-reporter')
 const { getNodeModulesPaths } = require('../path-line')
 
-const EXCLUDED_PATHS = getNodeModulesPaths('mysql', 'mysql2', 'sequelize', 'pg-pool')
+const EXCLUDED_PATHS = getNodeModulesPaths('mysql', 'mysql2', 'sequelize', 'pg-pool', 'knex')
 
 class SqlInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
@@ -31,6 +31,12 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
 
     this.addSub('datadog:mysql:pool:query:start', ({ sql }) => this.getStoreAndAnalyze(sql, 'MYSQL'))
     this.addSub('datadog:mysql:pool:query:finish', () => this.returnToParentStore())
+
+    this.addSub('datadog:knex:raw:start', ({ sql, dialect: knexDialect }) => {
+      const dialect = this.normalizeKnexDialect(knexDialect)
+      this.getStoreAndAnalyze(sql, dialect)
+    })
+    this.addSub('datadog:knex:raw:finish', () => this.returnToParentStore())
   }
 
   getStoreAndAnalyze (query, dialect) {
@@ -83,6 +89,20 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
   _getExcludedPaths () {
     return EXCLUDED_PATHS
   }
+
+  normalizeKnexDialect (knexDialect) {
+    if (knexDialect === 'postgresql') {
+      return 'POSTGRES'
+    }
+
+    if (knexDialect === 'sqlite3') {
+      return 'SQLITE'
+    }
+
+    if (typeof knexDialect === 'string') {
+      return knexDialect.toUpperCase()
+    }
+  }
 }
 
 module.exports = new SqlInjectionAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/unvalidated-redirect-analyzer.js

@@ -6,8 +6,8 @@ const { getNodeModulesPaths } = require('../path-line')
 const { getRanges } = require('../taint-tracking/operations')
 const {
   HTTP_REQUEST_HEADER_VALUE,
-  HTTP_REQUEST_PATH,
-  HTTP_REQUEST_PATH_PARAM
+  HTTP_REQUEST_PATH_PARAM,
+  HTTP_REQUEST_URI
 } = require('../taint-tracking/source-types')
 
 const EXCLUDED_PATHS = getNodeModulesPaths('express/lib/response.js')
@@ -56,7 +56,7 @@ class UnvalidatedRedirectAnalyzer extends InjectionAnalyzer {
   }
 
   _isUrl (range) {
-    return range.iinfo.type === HTTP_REQUEST_PATH
+    return range.iinfo.type === HTTP_REQUEST_URI
   }
 
   _getExcludedPaths () {

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -71,8 +71,7 @@ class Analyzer extends SinkIastPlugin {
     return store && !iastContext
   }
 
-  analyze (value) {
-    const store = storage.getStore()
+  analyze (value, store = storage.getStore()) {
     const iastContext = getIastContext(store)
     if (this._isInvalidContext(store, iastContext)) return
 

package/packages/dd-trace/src/appsec/iast/analyzers/xcontenttype-header-missing-analyzer.js

@@ -11,8 +11,8 @@ class XcontenttypeHeaderMissingAnalyzer extends MissingHeaderAnalyzer {
   }
 
   _isVulnerableFromRequestAndResponse (req, res) {
-    const headerToCheck = res.getHeader(XCONTENTTYPEOPTIONS_HEADER_NAME)
-    return !headerToCheck || headerToCheck.trim().toLowerCase() !== 'nosniff'
+    const headerValues = this._getHeaderValues(res, XCONTENTTYPEOPTIONS_HEADER_NAME)
+    return headerValues.length === 0 || headerValues.some(headerValue => headerValue.trim().toLowerCase() !== 'nosniff')
   }
 }
 

package/packages/dd-trace/src/appsec/iast/iast-log.js

@@ -1,9 +1,11 @@
 'use strict'
 
+const dc = require('../../../../diagnostics_channel')
 const log = require('../../log')
-const telemetryLogs = require('./telemetry/log')
 const { calculateDDBasePath } = require('../../util')
 
+const telemetryLog = dc.channel('datadog:telemetry:log')
+
 const ddBasePath = calculateDDBasePath(__dirname)
 const EOL = '\n'
 const STACK_FRAME_LINE_REGEX = /^\s*at\s/gm
@@ -80,9 +82,8 @@ const iastLog = {
   },
 
   publish (data, level) {
-    if (telemetryLogs.isLevelEnabled(level)) {
-      const telemetryLog = getTelemetryLog(data, level)
-      telemetryLogs.publish(telemetryLog)
+    if (telemetryLog.hasSubscribers) {
+      telemetryLog.publish(getTelemetryLog(data, level))
     }
     return this
   },
@@ -92,6 +93,10 @@ const iastLog = {
     return this.publish(data, 'DEBUG')
   },
 
+  /**
+   * forward 'INFO' log level to 'DEBUG' telemetry log level
+   * see also {@link ../../telemetry/logs#isLevelEnabled } method
+   */
   infoAndPublish (data) {
     this.info(data)
     return this.publish(data, 'DEBUG')

package/packages/dd-trace/src/appsec/iast/iast-plugin.js

@@ -196,6 +196,10 @@ class SinkIastPlugin extends IastPlugin {
   addSub (iastPluginSub, handler) {
     return super.addSub({ tagKey: TagKey.VULNERABILITY_TYPE, ...iastPluginSub }, handler)
   }
+
+  addNotSinkSub (iastPluginSub, handler) {
+    return super.addSub(iastPluginSub, handler)
+  }
 }
 
 module.exports = {

package/packages/dd-trace/src/appsec/iast/path-line.js

@@ -6,6 +6,7 @@ const { calculateDDBasePath } = require('../../util')
 const pathLine = {
   getFirstNonDDPathAndLine,
   getNodeModulesPaths,
+  getRelativePath,
   getFirstNonDDPathAndLineFromCallsites, // Exported only for test purposes
   calculateDDBasePath, // Exported only for test purposes
   ddBasePath: calculateDDBasePath(__dirname) // Only for test purposes
@@ -45,7 +46,7 @@ function getFirstNonDDPathAndLineFromCallsites (callsites, externallyExcludedPat
       const filepath = callsite.getFileName()
       if (!isExcluded(callsite, externallyExcludedPaths) && filepath.indexOf(pathLine.ddBasePath) === -1) {
         return {
-          path: path.relative(process.cwd(), filepath),
+          path: getRelativePath(filepath),
           line: callsite.getLineNumber(),
           column: callsite.getColumnNumber(),
           isInternal: !path.isAbsolute(filepath)
@@ -56,6 +57,10 @@ function getFirstNonDDPathAndLineFromCallsites (callsites, externallyExcludedPat
   return null
 }
 
+function getRelativePath (filepath) {
+  return path.relative(process.cwd(), filepath)
+}
+
 function isExcluded (callsite, externallyExcludedPaths) {
   if (callsite.isNative()) return true
   const filename = callsite.getFileName()

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations.js

@@ -18,15 +18,14 @@ let onRemoveTransaction = (transactionId, iastContext) => {}
 
 function onRemoveTransactionInformationTelemetry (transactionId, iastContext) {
   const metrics = TaintedUtils.getMetrics(transactionId, iastTelemetry.verbosity)
-  if (metrics && metrics.requestCount) {
+  if (metrics?.requestCount) {
     REQUEST_TAINTED.add(metrics.requestCount, null, iastContext)
   }
 }
 
 function removeTransaction (iastContext) {
-  if (iastContext && iastContext[IAST_TRANSACTION_ID]) {
-    const transactionId = iastContext[IAST_TRANSACTION_ID]
-
+  const transactionId = iastContext?.[IAST_TRANSACTION_ID]
+  if (transactionId) {
     onRemoveTransaction(transactionId, iastContext)
 
     TaintedUtils.removeTransaction(transactionId)
@@ -36,8 +35,8 @@ function removeTransaction (iastContext) {
 
 function newTaintedString (iastContext, string, name, type) {
   let result = string
-  if (iastContext && iastContext[IAST_TRANSACTION_ID]) {
-    const transactionId = iastContext[IAST_TRANSACTION_ID]
+  const transactionId = iastContext?.[IAST_TRANSACTION_ID]
+  if (transactionId) {
     result = TaintedUtils.newTaintedString(transactionId, string, name, type)
   } else {
     result = string
@@ -47,15 +46,17 @@ function newTaintedString (iastContext, string, name, type) {
 
 function taintObject (iastContext, object, type, keyTainting, keyType) {
   let result = object
-  if (iastContext && iastContext[IAST_TRANSACTION_ID]) {
-    const transactionId = iastContext[IAST_TRANSACTION_ID]
+  const transactionId = iastContext?.[IAST_TRANSACTION_ID]
+  if (transactionId) {
     const queue = [{ parent: null, property: null, value: object }]
     const visited = new WeakSet()
+
     while (queue.length > 0) {
       const { parent, property, value, key } = queue.pop()
       if (value === null) {
         continue
       }
+
       try {
         if (typeof value === 'string') {
           const tainted = TaintedUtils.newTaintedString(transactionId, value, property, type)
@@ -71,11 +72,13 @@ function taintObject (iastContext, object, type, keyTainting, keyType) {
           }
         } else if (typeof value === 'object' && !visited.has(value)) {
           visited.add(value)
+
           const keys = Object.keys(value)
           for (let i = 0; i < keys.length; i++) {
             const key = keys[i]
             queue.push({ parent: value, property: property ? `${property}.${key}` : key, value: value[key], key })
           }
+
           if (parent && keyTainting && key) {
             const taintedProperty = TaintedUtils.newTaintedString(transactionId, key, property, keyType)
             parent[taintedProperty] = value
@@ -91,8 +94,8 @@ function taintObject (iastContext, object, type, keyTainting, keyType) {
 
 function isTainted (iastContext, string) {
   let result = false
-  if (iastContext && iastContext[IAST_TRANSACTION_ID]) {
-    const transactionId = iastContext[IAST_TRANSACTION_ID]
+  const transactionId = iastContext?.[IAST_TRANSACTION_ID]
+  if (transactionId) {
     result = TaintedUtils.isTainted(transactionId, string)
   } else {
     result = false
@@ -102,8 +105,8 @@ function isTainted (iastContext, string) {
 
 function getRanges (iastContext, string) {
   let result = []
-  if (iastContext && iastContext[IAST_TRANSACTION_ID]) {
-    const transactionId = iastContext[IAST_TRANSACTION_ID]
+  const transactionId = iastContext?.[IAST_TRANSACTION_ID]
+  if (transactionId) {
     result = TaintedUtils.getRanges(transactionId, string)
   } else {
     result = []
@@ -111,6 +114,15 @@ function getRanges (iastContext, string) {
   return result
 }
 
+function addSecureMark (iastContext, string, mark) {
+  const transactionId = iastContext?.[IAST_TRANSACTION_ID]
+  if (transactionId) {
+    return TaintedUtils.addSecureMarksToTaintedString(transactionId, string, mark)
+  }
+
+  return string
+}
+
 function enableTaintOperations (telemetryVerbosity) {
   if (isInfoAllowed(telemetryVerbosity)) {
     onRemoveTransaction = onRemoveTransactionInformationTelemetry
@@ -132,6 +144,7 @@ function setMaxTransactions (transactions) {
 }
 
 module.exports = {
+  addSecureMark,
   createTransaction,
   removeTransaction,
   newTaintedString,

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js

@@ -11,8 +11,8 @@ const {
   HTTP_REQUEST_HEADER_VALUE,
   HTTP_REQUEST_HEADER_NAME,
   HTTP_REQUEST_PARAMETER,
-  HTTP_REQUEST_PATH,
-  HTTP_REQUEST_PATH_PARAM
+  HTTP_REQUEST_PATH_PARAM,
+  HTTP_REQUEST_URI
 } = require('./source-types')
 
 class TaintTrackingPlugin extends SourceIastPlugin {
@@ -93,9 +93,9 @@ class TaintTrackingPlugin extends SourceIastPlugin {
   taintUrl (req, iastContext) {
     this.execSource({
       handler: function () {
-        req.url = newTaintedString(iastContext, req.url, 'req.url', HTTP_REQUEST_PATH)
+        req.url = newTaintedString(iastContext, req.url, HTTP_REQUEST_URI, HTTP_REQUEST_URI)
       },
-      tag: [HTTP_REQUEST_PATH],
+      tag: [HTTP_REQUEST_URI],
       iastContext
     })
   }

package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter.js

@@ -7,7 +7,9 @@ const { isPrivateModule, isNotLibraryFile } = require('./filter')
 const { csiMethods } = require('./csi-methods')
 const { getName } = require('../telemetry/verbosity')
 const { getRewriteFunction } = require('./rewriter-telemetry')
+const dc = require('../../../../../diagnostics_channel')
 
+const hardcodedSecretCh = dc.channel('datadog:secrets:result')
 let rewriter
 let getPrepareStackTrace
 
@@ -50,7 +52,11 @@ function getRewriter (telemetryVerbosity) {
           getGetOriginalPathAndLineFromSourceMapFunction(chainSourceMap, getOriginalPathAndLineFromSourceMap)
       }
 
-      rewriter = new Rewriter({ csiMethods, telemetryVerbosity: getName(telemetryVerbosity), chainSourceMap })
+      rewriter = new Rewriter({
+        csiMethods,
+        telemetryVerbosity: getName(telemetryVerbosity),
+        chainSourceMap
+      })
     } catch (e) {
       iastLog.error('Unable to initialize TaintTracking Rewriter')
         .errorAndPublish(e)
@@ -80,7 +86,12 @@ function getCompileMethodFn (compileMethod) {
     try {
       if (isPrivateModule(filename) && isNotLibraryFile(filename)) {
         const rewritten = rewriteFn(content, filename)
-        if (rewritten && rewritten.content) {
+
+        if (rewritten?.literalsResult && hardcodedSecretCh.hasSubscribers) {
+          hardcodedSecretCh.publish(rewritten.literalsResult)
+        }
+
+        if (rewritten?.content) {
           return compileMethod.apply(this, [rewritten.content, filename])
         }
       }

package/packages/dd-trace/src/appsec/iast/taint-tracking/secure-marks-generator.js

@@ -0,0 +1,13 @@
+'use strict'
+
+let next = 0
+
+function getNextSecureMark () {
+  return 1 << next++
+}
+
+function reset () {
+  next = 0
+}
+
+module.exports = { getNextSecureMark, reset }

package/packages/dd-trace/src/appsec/iast/taint-tracking/source-types.js

@@ -8,5 +8,6 @@ module.exports = {
   HTTP_REQUEST_HEADER_VALUE: 'http.request.header',
   HTTP_REQUEST_PARAMETER: 'http.request.parameter',
   HTTP_REQUEST_PATH: 'http.request.path',
-  HTTP_REQUEST_PATH_PARAM: 'http.request.path.parameter'
+  HTTP_REQUEST_PATH_PARAM: 'http.request.path.parameter',
+  HTTP_REQUEST_URI: 'http.request.uri'
 }

package/packages/dd-trace/src/appsec/iast/telemetry/index.js

@@ -1,21 +1,12 @@
 'use strict'
 
 const telemetryMetrics = require('../../../telemetry/metrics')
-const telemetryLogs = require('./log')
 const { Verbosity, getVerbosity } = require('./verbosity')
 const { initRequestNamespace, finalizeRequestNamespace, globalNamespace } = require('./namespaces')
 
-function isIastMetricsEnabled (metrics) {
-  // TODO: let DD_TELEMETRY_METRICS_ENABLED as undefined in config.js to avoid read here the env property
-  return process.env.DD_TELEMETRY_METRICS_ENABLED !== undefined ? metrics : true
-}
-
 class Telemetry {
   configure (config, verbosity) {
-    const telemetryAndMetricsEnabled = config &&
-      config.telemetry &&
-      config.telemetry.enabled &&
-      isIastMetricsEnabled(config.telemetry.metrics)
+    const telemetryAndMetricsEnabled = config?.telemetry?.enabled && config.telemetry.metrics
 
     this.verbosity = telemetryAndMetricsEnabled ? getVerbosity(verbosity) : Verbosity.OFF
     this.enabled = this.verbosity !== Verbosity.OFF
@@ -23,15 +14,11 @@ class Telemetry {
     if (this.enabled) {
       telemetryMetrics.manager.set('iast', globalNamespace)
     }
-
-    telemetryLogs.start()
   }
 
   stop () {
     this.enabled = false
     telemetryMetrics.manager.delete('iast')
-
-    telemetryLogs.stop()
   }
 
   isEnabled () {

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/json-sensitive-analyzer.js

@@ -0,0 +1,16 @@
+'use strict'
+
+const { stringifyWithRanges } = require('../../utils')
+
+class JsonSensitiveAnalyzer {
+  extractSensitiveRanges (evidence) {
+    // expect object evidence
+    const { value, ranges, sensitiveRanges } = stringifyWithRanges(evidence.value, evidence.rangesToApply, true)
+    evidence.value = value
+    evidence.ranges = ranges
+
+    return sensitiveRanges
+  }
+}
+
+module.exports = JsonSensitiveAnalyzer

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js

@@ -1,18 +1,17 @@
 'use strict'
 
+const iastLog = require('../../iast-log')
 const vulnerabilities = require('../../vulnerabilities')
 
 const { contains, intersects, remove } = require('./range-utils')
 
 const CommandSensitiveAnalyzer = require('./sensitive-analyzers/command-sensitive-analyzer')
+const JsonSensitiveAnalyzer = require('./sensitive-analyzers/json-sensitive-analyzer')
 const LdapSensitiveAnalyzer = require('./sensitive-analyzers/ldap-sensitive-analyzer')
 const SqlSensitiveAnalyzer = require('./sensitive-analyzers/sql-sensitive-analyzer')
 const UrlSensitiveAnalyzer = require('./sensitive-analyzers/url-sensitive-analyzer')
 
-// eslint-disable-next-line max-len
-const DEFAULT_IAST_REDACTION_NAME_PATTERN = '(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)'
-// eslint-disable-next-line max-len
-const DEFAULT_IAST_REDACTION_VALUE_PATTERN = '(?:bearer\\s+[a-z0-9\\._\\-]+|glpat-[\\w\\-]{20}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\\w=\\-]+\\.ey[I-L][\\w=\\-]+(?:\\.[\\w.+/=\\-]+)?|(?:[\\-]{5}BEGIN[a-z\\s]+PRIVATE\\sKEY[\\-]{5}[^\\-]+[\\-]{5}END[a-z\\s]+PRIVATE\\sKEY[\\-]{5}|ssh-rsa\\s*[a-z0-9/\\.+]{100,}))'
+const { DEFAULT_IAST_REDACTION_NAME_PATTERN, DEFAULT_IAST_REDACTION_VALUE_PATTERN } = require('./sensitive-regex')
 
 const REDACTED_SOURCE_BUFFER = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
 
@@ -23,6 +22,7 @@ class SensitiveHandler {
 
     this._sensitiveAnalyzers = new Map()
     this._sensitiveAnalyzers.set(vulnerabilities.COMMAND_INJECTION, new CommandSensitiveAnalyzer())
+    this._sensitiveAnalyzers.set(vulnerabilities.NOSQL_MONGODB_INJECTION, new JsonSensitiveAnalyzer())
     this._sensitiveAnalyzers.set(vulnerabilities.LDAP_INJECTION, new LdapSensitiveAnalyzer())
     this._sensitiveAnalyzers.set(vulnerabilities.SQL_INJECTION, new SqlSensitiveAnalyzer())
     const urlSensitiveAnalyzer = new UrlSensitiveAnalyzer()
@@ -264,6 +264,24 @@ class SensitiveHandler {
       valueParts.push({ redacted: true })
     }
   }
+
+  setRedactionPatterns (redactionNamePattern, redactionValuePattern) {
+    if (redactionNamePattern) {
+      try {
+        this._namePattern = new RegExp(redactionNamePattern, 'gmi')
+      } catch (e) {
+        iastLog.warn('Redaction name pattern is not valid')
+      }
+    }
+
+    if (redactionValuePattern) {
+      try {
+        this._valuePattern = new RegExp(redactionValuePattern, 'gmi')
+      } catch (e) {
+        iastLog.warn('Redaction value pattern is not valid')
+      }
+    }
+  }
 }
 
 module.exports = new SensitiveHandler()

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-regex.js

@@ -0,0 +1,9 @@
+// eslint-disable-next-line max-len
+const DEFAULT_IAST_REDACTION_NAME_PATTERN = '(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)'
+// eslint-disable-next-line max-len
+const DEFAULT_IAST_REDACTION_VALUE_PATTERN = '(?:bearer\\s+[a-z0-9\\._\\-]+|glpat-[\\w\\-]{20}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\\w=\\-]+\\.ey[I-L][\\w=\\-]+(?:\\.[\\w.+/=\\-]+)?|(?:[\\-]{5}BEGIN[a-z\\s]+PRIVATE\\sKEY[\\-]{5}[^\\-]+[\\-]{5}END[a-z\\s]+PRIVATE\\sKEY[\\-]{5}|ssh-rsa\\s*[a-z0-9/\\.+]{100,}))'
+
+module.exports = {
+  DEFAULT_IAST_REDACTION_NAME_PATTERN,
+  DEFAULT_IAST_REDACTION_VALUE_PATTERN
+}