dd-trace 4.2.0 → 4.3.0

package/packages/dd-trace/src/appsec/iast/tags.js

@@ -0,0 +1,6 @@
+'use strict'
+
+module.exports = {
+  IAST_ENABLED_TAG_KEY: '_dd.iast.enabled',
+  IAST_JSON_TAG_KEY: '_dd.iast.json'
+}

package/packages/dd-trace/src/appsec/iast/taint-tracking/index.js

@@ -23,5 +23,6 @@ module.exports = {
   },
   setMaxTransactions: setMaxTransactions,
   createTransaction: createTransaction,
-  removeTransaction: removeTransaction
+  removeTransaction: removeTransaction,
+  taintTrackingPlugin
 }

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations.js

@@ -30,14 +30,14 @@ function newTaintedString (iastContext, string, name, type) {
   return result
 }
 
-function taintObject (iastContext, object, type) {
+function taintObject (iastContext, object, type, keyTainting, keyType) {
   let result = object
   if (iastContext && iastContext[IAST_TRANSACTION_ID]) {
     const transactionId = iastContext[IAST_TRANSACTION_ID]
     const queue = [{ parent: null, property: null, value: object }]
     const visited = new WeakSet()
     while (queue.length > 0) {
-      const { parent, property, value } = queue.pop()
+      const { parent, property, value, key } = queue.pop()
       if (value === null) {
         continue
       }
@@ -47,14 +47,23 @@ function taintObject (iastContext, object, type) {
           if (!parent) {
             result = tainted
           } else {
-            parent[property] = tainted
+            if (keyTainting && key) {
+              const taintedProperty = TaintedUtils.newTaintedString(transactionId, key, property, keyType)
+              parent[taintedProperty] = tainted
+            } else {
+              parent[property] = tainted
+            }
           }
         } else if (typeof value === 'object' && !visited.has(value)) {
           visited.add(value)
           const keys = Object.keys(value)
           for (let i = 0; i < keys.length; i++) {
             const key = keys[i]
-            queue.push({ parent: value, property: property ? `${property}.${key}` : key, value: value[key] })
+            queue.push({ parent: value, property: property ? `${property}.${key}` : key, value: value[key], key })
+          }
+          if (parent && keyTainting && key) {
+            const taintedProperty = TaintedUtils.newTaintedString(transactionId, key, property, keyType)
+            parent[taintedProperty] = value
           }
         }
       } catch (e) {

package/packages/dd-trace/src/appsec/iast/taint-tracking/origin-types.js

@@ -2,5 +2,9 @@
 
 module.exports = {
   HTTP_REQUEST_BODY: 'http.request.body',
-  HTTP_REQUEST_PARAMETER: 'http.request.parameter'
+  HTTP_REQUEST_PARAMETER: 'http.request.parameter',
+  HTTP_REQUEST_COOKIE_VALUE: 'http.request.cookie.value',
+  HTTP_REQUEST_COOKIE_NAME: 'http.request.cookie.name',
+  HTTP_REQUEST_HEADER_NAME: 'http.request.header.name',
+  HTTP_REQUEST_HEADER_VALUE: 'http.request.header'
 }

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js

@@ -3,8 +3,15 @@
 const Plugin = require('../../../plugins/plugin')
 const { getIastContext } = require('../iast-context')
 const { storage } = require('../../../../../datadog-core')
-const { HTTP_REQUEST_PARAMETER, HTTP_REQUEST_BODY } = require('./origin-types')
 const { taintObject } = require('./operations')
+const {
+  HTTP_REQUEST_PARAMETER,
+  HTTP_REQUEST_BODY,
+  HTTP_REQUEST_COOKIE_VALUE,
+  HTTP_REQUEST_COOKIE_NAME,
+  HTTP_REQUEST_HEADER_VALUE,
+  HTTP_REQUEST_HEADER_NAME
+} = require('./origin-types')
 
 class TaintTrackingPlugin extends Plugin {
   constructor () {
@@ -22,8 +29,8 @@ class TaintTrackingPlugin extends Plugin {
     )
     this.addSub(
       'datadog:qs:parse:finish',
-      ({ qs }) => this._taintTrackingHandler(HTTP_REQUEST_PARAMETER, qs))
-
+      ({ qs }) => this._taintTrackingHandler(HTTP_REQUEST_PARAMETER, qs)
+    )
     this.addSub('apm:express:middleware:next', ({ req }) => {
       if (req && req.body && typeof req.body === 'object') {
         const iastContext = getIastContext(storage.getStore())
@@ -33,16 +40,29 @@ class TaintTrackingPlugin extends Plugin {
         }
       }
     })
+    this.addSub(
+      'datadog:cookie:parse:finish',
+      ({ cookies }) => this._cookiesTaintTrackingHandler(cookies)
+    )
   }
 
   _taintTrackingHandler (type, target, property, iastContext = getIastContext(storage.getStore())) {
     if (!property) {
       taintObject(iastContext, target, type)
-    } else {
+    } else if (target[property]) {
       target[property] = taintObject(iastContext, target[property], type)
     }
   }
 
+  _cookiesTaintTrackingHandler (target) {
+    const iastContext = getIastContext(storage.getStore())
+    taintObject(iastContext, target, HTTP_REQUEST_COOKIE_VALUE, true, HTTP_REQUEST_COOKIE_NAME)
+  }
+
+  taintHeaders (headers, iastContext) {
+    taintObject(iastContext, headers, HTTP_REQUEST_HEADER_VALUE, true, HTTP_REQUEST_HEADER_NAME)
+  }
+
   enable () {
     this.configure(true)
   }

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js

@@ -23,7 +23,9 @@ class SensitiveHandler {
     this._sensitiveAnalyzers.set(vulnerabilities.COMMAND_INJECTION, new CommandSensitiveAnalyzer())
     this._sensitiveAnalyzers.set(vulnerabilities.LDAP_INJECTION, new LdapSensitiveAnalyzer())
     this._sensitiveAnalyzers.set(vulnerabilities.SQL_INJECTION, new SqlSensitiveAnalyzer())
-    this._sensitiveAnalyzers.set(vulnerabilities.SSRF, new UrlSensitiveAnalyzer())
+    const urlSensitiveAnalyzer = new UrlSensitiveAnalyzer()
+    this._sensitiveAnalyzers.set(vulnerabilities.SSRF, urlSensitiveAnalyzer)
+    this._sensitiveAnalyzers.set(vulnerabilities.UNVALIDATED_REDIRECT, urlSensitiveAnalyzer)
   }
 
   isSensibleName (name) {

package/packages/dd-trace/src/appsec/iast/vulnerabilities.js

@@ -2,9 +2,12 @@ module.exports = {
   COMMAND_INJECTION: 'COMMAND_INJECTION',
   INSECURE_COOKIE: 'INSECURE_COOKIE',
   LDAP_INJECTION: 'LDAP_INJECTION',
+  NO_HTTPONLY_COOKIE: 'NO_HTTPONLY_COOKIE',
+  NO_SAMESITE_COOKIE: 'NO_SAMESITE_COOKIE',
   PATH_TRAVERSAL: 'PATH_TRAVERSAL',
   SQL_INJECTION: 'SQL_INJECTION',
   SSRF: 'SSRF',
+  UNVALIDATED_REDIRECT: 'UNVALIDATED_REDIRECT',
   WEAK_CIPHER: 'WEAK_CIPHER',
   WEAK_HASH: 'WEAK_HASH'
 }

package/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js

@@ -1,8 +1,11 @@
+'use strict'
+
 const { MANUAL_KEEP } = require('../../../../../ext/tags')
 const LRU = require('lru-cache')
 const vulnerabilitiesFormatter = require('./vulnerabilities-formatter')
+const { IAST_ENABLED_TAG_KEY, IAST_JSON_TAG_KEY } = require('./tags')
+
 const VULNERABILITIES_KEY = 'vulnerabilities'
-const IAST_JSON_TAG_KEY = '_dd.iast.json'
 const VULNERABILITY_HASHES_MAX_SIZE = 1000
 const VULNERABILITY_HASHES = new LRU({ max: VULNERABILITY_HASHES_MAX_SIZE })
 const RESET_VULNERABILITY_CACHE_INTERVAL = 60 * 60 * 1000 // 1 hour
@@ -39,6 +42,9 @@ function sendVulnerabilities (vulnerabilities, rootSpan) {
       vulnerabilities.forEach((vulnerability) => {
         vulnerability.location.spanId = span.context().toSpanId()
       })
+      span.addTags({
+        [IAST_ENABLED_TAG_KEY]: 1
+      })
     }
 
     if (span && span.addTags) {

package/packages/dd-trace/src/ci-visibility/exporters/ci-visibility-exporter.js

@@ -120,7 +120,8 @@ class CiVisibilityExporter extends AgentInfoExporter {
    * CI Visibility Protocol, hence the this._canUseCiVisProtocol promise.
    */
   getItrConfiguration (testConfiguration, callback) {
-    this.sendGitMetadata()
+    const { repositoryUrl } = testConfiguration
+    this.sendGitMetadata(repositoryUrl)
     if (!this.shouldRequestItrConfiguration()) {
       return callback(null, {})
     }
@@ -147,7 +148,7 @@ class CiVisibilityExporter extends AgentInfoExporter {
     })
   }
 
-  sendGitMetadata () {
+  sendGitMetadata (repositoryUrl) {
     if (!this._config.isGitUploadEnabled) {
       return
     }
@@ -155,7 +156,7 @@ class CiVisibilityExporter extends AgentInfoExporter {
       if (!canUseCiVisProtocol) {
         return
       }
-      sendGitMetadataRequest(this._getApiUrl(), !!this._isUsingEvpProxy, (err) => {
+      sendGitMetadataRequest(this._getApiUrl(), !!this._isUsingEvpProxy, repositoryUrl, (err) => {
         if (err) {
           log.error(`Error uploading git metadata: ${err.message}`)
         } else {

package/packages/dd-trace/src/ci-visibility/exporters/git/git_metadata.js

@@ -152,8 +152,11 @@ function uploadPackFile ({ url, isEvpProxy, packFileToUpload, repositoryUrl, hea
 /**
  * This function uploads git metadata to CI Visibility's backend.
 */
-function sendGitMetadata (url, isEvpProxy, callback) {
-  const repositoryUrl = getRepositoryUrl()
+function sendGitMetadata (url, isEvpProxy, configRepositoryUrl, callback) {
+  let repositoryUrl = configRepositoryUrl
+  if (!repositoryUrl) {
+    repositoryUrl = getRepositoryUrl()
+  }
 
   if (!repositoryUrl) {
     return callback(new Error('Repository URL is empty'))

package/packages/dd-trace/src/config.js

@@ -204,6 +204,17 @@ class Config {
       false
     )
 
+    const DD_OPENAI_LOGS_ENABLED = coalesce(
+      options.openAiLogsEnabled,
+      process.env.DD_OPENAI_LOGS_ENABLED,
+      false
+    )
+
+    const DD_API_KEY = coalesce(
+      process.env.DATADOG_API_KEY,
+      process.env.DD_API_KEY
+    )
+
     const inAWSLambda = process.env.AWS_LAMBDA_FUNCTION_NAME !== undefined
 
     const isDeprecatedGCPFunction = process.env.FUNCTION_NAME !== undefined && process.env.GCP_PROJECT !== undefined
@@ -471,6 +482,8 @@ ken|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)
 
     this.tracing = !isFalse(DD_TRACING_ENABLED)
     this.dbmPropagationMode = DD_DBM_PROPAGATION_MODE
+    this.openAiLogsEnabled = DD_OPENAI_LOGS_ENABLED
+    this.apiKey = DD_API_KEY
     this.logInjection = isTrue(DD_LOGS_INJECTION)
     this.env = DD_ENV
     this.url = DD_CIVISIBILITY_AGENTLESS_URL ? new URL(DD_CIVISIBILITY_AGENTLESS_URL)

package/packages/dd-trace/src/external-logger/src/index.js

@@ -0,0 +1,126 @@
+const tracerLogger = require('../../log')// path to require tracer logger
+
+const https = require('https')
+
+class ExternalLogger {
+  // Note: these attribute names match the corresponding entry in the JSON payload.
+  constructor ({
+    ddsource, hostname, service, apiKey, site = 'datadoghq.com', interval = 10000, timeout = 2000, limit = 1000
+  }) {
+    this.ddsource = ddsource
+    this.hostname = hostname
+    this.service = service
+    this.interval = interval
+    this.timeout = timeout
+    this.queue = []
+    this.limit = limit
+    this.endpoint = '/api/v2/logs'
+    this.site = site
+    this.intake = `http-intake.logs.${this.site}`
+    this.headers = {
+      'DD-API-KEY': apiKey,
+      'Content-Type': 'application/json'
+    }
+    this.timer = setInterval(() => {
+      this.flush()
+    }, this.interval).unref()
+
+    tracerLogger.debug(`started log writer to https://${this.intake}${this.endpoint}`)
+  }
+
+  static tagString (tags) {
+    const tagArray = []
+    for (const key in tags) {
+      tagArray.push(key + ':' + tags[key])
+    }
+    return tagArray.join(',')
+  }
+
+  // Parses and enqueues a log
+  log (log, span, tags) {
+    const logTags = ExternalLogger.tagString(tags)
+
+    if (span) {
+      log['dd.trace_id'] = String(span.trace_id)
+      log['dd.span_id'] = String(span.span_id)
+    }
+
+    const payload = {
+      ...log,
+      'timestamp': Date.now(),
+      'hostname': log.hostname || this.hostname,
+      'ddsource': log.ddsource || this.ddsource,
+      'service': log.service || this.service,
+      'ddtags': logTags || undefined
+    }
+
+    this.enqueue(payload)
+  }
+
+  // Enqueues a raw, non-formatted log object
+  enqueue (log) {
+    if (this.queue.length >= this.limit) {
+      this.flush()
+    }
+    this.queue.push(log)
+  }
+
+  shutdown () {
+    clearInterval(this.timer)
+    this.flush()
+  }
+
+  // Flushes logs with optional callback for when the call is complete
+  flush (cb = () => {}) {
+    let logs
+    let numLogs
+    let encodedLogs
+
+    if (!this.queue.length) {
+      setImmediate(() => cb())
+      return
+    }
+
+    try {
+      logs = this.queue
+      this.queue = []
+
+      numLogs = logs.length
+      encodedLogs = JSON.stringify(logs)
+    } catch (error) {
+      tracerLogger.error(`failed to encode ${numLogs} logs`)
+      setImmediate(() => cb(error))
+      return
+    }
+
+    const options = {
+      hostname: this.intake,
+      port: 443,
+      path: this.endpoint,
+      method: 'POST',
+      headers: this.headers,
+      timeout: this.timeout
+    }
+
+    const req = https.request(options, (res) => {
+      tracerLogger.info(`statusCode: ${res.statusCode}`)
+    })
+    req.once('error', (e) => {
+      tracerLogger.error(`failed to send ${numLogs} log(s), with error ${e.message}`)
+      cb(e)
+    })
+    req.write(encodedLogs)
+    req.end()
+    req.once('response', (res) => {
+      if (res.statusCode >= 400) {
+        const error = new Error(`failed to send ${numLogs} logs, received response code ${res.statusCode}`)
+        tracerLogger.error(error.message)
+        cb(error)
+        return
+      }
+      cb()
+    })
+  }
+}
+
+module.exports = ExternalLogger

package/packages/dd-trace/src/external-logger/test/index.spec.js

@@ -0,0 +1,147 @@
+'use strict'
+
+require('../../../../dd-trace/test/setup/tap')
+const proxyquire = require('proxyquire')
+const { expect } = require('chai')
+const nock = require('nock')
+
+const tracerLogger = require('../../log')
+
+describe('External Logger', () => {
+  let externalLogger
+  let interceptor
+  let errorLog
+
+  beforeEach(() => {
+    errorLog = sinon.spy(tracerLogger, 'error')
+
+    const ExternalLogger = proxyquire('../src', {
+      '../../log': {
+        error: errorLog
+      }
+    })
+
+    externalLogger = new ExternalLogger({
+      ddsource: 'logging_from_space',
+      hostname: 'mac_desktop',
+      apiKey: 'API_KEY_PLACEHOLDER',
+      interval: 10000,
+      timeout: 5000,
+      limit: 10
+    })
+  })
+
+  afterEach(() => {
+    interceptor.done()
+    errorLog.restore()
+  })
+
+  it('should properly encode the log message', (done) => {
+    let request
+    const currentTime = Date.now()
+
+    interceptor = nock('https://http-intake.logs.datadoghq.com:443')
+      .post('/api/v2/logs')
+      .reply((_uri, req, cb) => {
+        request = req
+        cb(null, [202, '{}', { 'Content-Type': 'application/json' }])
+      })
+
+    const span = {
+      service: 'openAi',
+      trace_id: '000001000',
+      span_id: '9999991999'
+    }
+    const tags = {
+      env: 'external_logger',
+      version: '1.2.3',
+      service: 'external'
+    }
+    externalLogger.log({
+      message: 'oh no, something is up',
+      custom: 'field',
+      attribute: 'funky',
+      service: 'outer_space',
+      level: 'info'
+    }, span, tags)
+
+    externalLogger.flush((err) => {
+      try {
+        expect(request[0]).to.have.property('message', 'oh no, something is up')
+        expect(request[0]).to.have.property('custom', 'field')
+        expect(request[0]).to.have.property('attribute', 'funky')
+        expect(request[0]).to.have.property('service', 'outer_space')
+        expect(request[0]).to.have.property('level', 'info')
+        expect(request[0]).to.have.property('dd.trace_id', '000001000')
+        expect(request[0]).to.have.property('dd.span_id', '9999991999')
+        expect(request[0].timestamp).to.be.greaterThanOrEqual(currentTime)
+        expect(request[0]).to.have.property('ddsource', 'logging_from_space')
+        expect(request[0]).to.have.property('ddtags', 'env:external_logger,version:1.2.3,service:external')
+      } catch (e) {
+        done(e)
+        return
+      }
+
+      done(err)
+    })
+  })
+
+  it('should empty the log queue when calling flush', (done) => {
+    interceptor = nock('https://http-intake.logs.datadoghq.com:443')
+      .post('/api/v2/logs')
+      .reply(202, {})
+
+    externalLogger.enqueue({})
+    expect(externalLogger.queue.length).to.equal(1)
+
+    externalLogger.flush((err) => {
+      expect(externalLogger.queue.length).to.equal(0)
+      done(err)
+    })
+  })
+
+  it('tracer logger should handle error response codes from Logs API', (done) => {
+    interceptor = nock('https://http-intake.logs.datadoghq.com:443')
+      .post('/api/v2/logs')
+      .reply(400, {})
+
+    externalLogger.enqueue({})
+    externalLogger.flush((err) => {
+      expect(err).to.be.an.instanceOf(Error)
+      expect(errorLog.getCall(0).args[0]).to.be.equal(
+        'failed to send 1 logs, received response code 400'
+      )
+      done()
+    })
+  })
+
+  it('tracer logger should handle simulated network error', (done) => {
+    interceptor = nock('https://http-intake.logs.datadoghq.com:443')
+      .post('/api/v2/logs')
+      .replyWithError('missing API key')
+
+    externalLogger.enqueue({})
+    externalLogger.flush((err) => {
+      expect(err).to.be.an.instanceOf(Error)
+      expect(errorLog.getCall(0).args[0]).to.be.equal(
+        'failed to send 1 log(s), with error missing API key'
+      )
+      done()
+    })
+  })
+
+  it('causes a flush when exceeding log queue limit', (done) => {
+    const flusher = sinon.stub(externalLogger, 'flush')
+
+    for (let i = 0; i < 10; i++) {
+      externalLogger.enqueue({})
+    }
+    expect(flusher).to.not.have.been.called
+
+    externalLogger.enqueue({})
+    expect(flusher).to.have.been.called
+
+    flusher.restore()
+    done()
+  })
+})

package/packages/dd-trace/src/lambda/handler.js

@@ -83,21 +83,9 @@ function extractContext (args) {
  */
 exports.datadog = function datadog (lambdaHandler) {
   return (...args) => {
-    const patched = lambdaHandler.apply(this, args)
+    const context = extractContext(args)
 
-    try {
-      const context = extractContext(args)
-
-      checkTimeout(context)
-
-      if (patched) {
-        // clear the timeout as soon as a result is returned
-        patched.then(_ => clearTimeout(__lambdaTimeout))
-      }
-    } catch (e) {
-      log.debug('Error patching AWS Lambda handler. Timeout spans will not be generated.')
-    }
-
-    return patched
+    checkTimeout(context)
+    return lambdaHandler.apply(this, args).then((res) => { clearTimeout(__lambdaTimeout); return res })
   }
 }

package/packages/dd-trace/src/noop/proxy.js

@@ -75,6 +75,10 @@ class Tracer {
     this.appsec.setUser(user)
     return this
   }
+
+  get TracerProvider () {
+    return require('../opentelemetry/tracer_provider')
+  }
 }
 
 module.exports = Tracer

package/packages/dd-trace/src/opentelemetry/context_manager.js

@@ -62,7 +62,7 @@ class ContextManager {
   bind (context, target) {
     const self = this
     return function (...args) {
-      return self.with(context, target, this, args)
+      return self.with(context, target, this, ...args)
     }
   }
 

package/packages/dd-trace/src/plugin_manager.js

@@ -26,8 +26,13 @@ const disabledPlugins = new Set(
 const pluginClasses = {}
 
 loadChannel.subscribe(({ name }) => {
-  const Plugin = plugins[name]
+  maybeEnable(plugins[name])
+})
+
+// Globals
+maybeEnable(require('../../datadog-plugin-fetch/src'))
 
+function maybeEnable (Plugin) {
   if (!Plugin || typeof Plugin !== 'function') return
   if (!pluginClasses[Plugin.id]) {
     const envName = `DD_TRACE_${Plugin.id.toUpperCase()}_ENABLED`
@@ -42,7 +47,7 @@ loadChannel.subscribe(({ name }) => {
       pluginClasses[Plugin.id] = Plugin
     }
   }
-})
+}
 
 // TODO this must always be a singleton.
 module.exports = class PluginManager {
@@ -68,7 +73,7 @@ module.exports = class PluginManager {
 
     if (!Plugin) return
     if (!this._pluginsByName[name]) {
-      this._pluginsByName[name] = new Plugin(this._tracer)
+      this._pluginsByName[name] = new Plugin(this._tracer, this._tracerConfig)
     }
     if (!this._tracerConfig) return // TODO: don't wait for tracer to be initialized
 
@@ -76,6 +81,7 @@ module.exports = class PluginManager {
       enabled: this._tracerConfig.plugins !== false
     }
 
+    // extracts predetermined configuration from tracer and combines it with plugin-specific config
     this._pluginsByName[name].configure({
       ...this._getSharedConfig(name),
       ...pluginConfig
@@ -127,8 +133,7 @@ module.exports = class PluginManager {
       serviceMapping,
       queryStringObfuscation,
       site,
-      url,
-      dbmPropagationMode
+      url
     } = this._tracerConfig
 
     const sharedConfig = {}
@@ -141,8 +146,6 @@ module.exports = class PluginManager {
       sharedConfig.queryStringObfuscation = queryStringObfuscation
     }
 
-    sharedConfig.dbmPropagationMode = dbmPropagationMode
-
     if (serviceMapping && serviceMapping[name]) {
       sharedConfig.service = serviceMapping[name]
     }

package/packages/dd-trace/src/plugins/database.js

@@ -38,13 +38,17 @@ class DatabasePlugin extends StoragePlugin {
   }
 
   injectDbmQuery (query, serviceName, isPreparedStatement = false) {
-    if (this.config.dbmPropagationMode === 'disabled') {
+    const mode = this.config.dbmPropagationMode || this._tracerConfig.dbmPropagationMode
+
+    if (mode === 'disabled') {
       return query
     }
+
     const servicePropagation = this.createDBMPropagationCommentService(serviceName)
-    if (isPreparedStatement || this.config.dbmPropagationMode === 'service') {
+
+    if (isPreparedStatement || mode === 'service') {
       return `/*${servicePropagation}*/ ${query}`
-    } else if (this.config.dbmPropagationMode === 'full') {
+    } else if (mode === 'full') {
       this.activeSpan.setTag('_dd.dbm_trace_injected', 'true')
       const traceparent = this.activeSpan._spanContext.toTraceparent()
       return `/*${servicePropagation},traceparent='${traceparent}'*/ ${query}`

package/packages/dd-trace/src/plugins/plugin.js

@@ -26,10 +26,12 @@ class Subscription {
 }
 
 module.exports = class Plugin {
-  constructor (tracer) {
+  constructor (tracer, tracerConfig) {
     this._subscriptions = []
     this._enabled = false
     this._tracer = tracer
+    this.config = {} // plugin-specific configuration, unset until .configure() is called
+    this._tracerConfig = tracerConfig // global tracer configuration
   }
 
   get tracer () {

package/packages/dd-trace/src/plugins/util/exec.js

@@ -1,8 +1,8 @@
 const cp = require('child_process')
 
-const sanitizedExec = (cmd, options = {}) => {
+const sanitizedExec = (cmd, flags, options = { stdio: 'pipe' }) => {
   try {
-    return cp.execSync(cmd, options).toString().replace(/(\r\n|\n|\r)/gm, '')
+    return cp.execFileSync(cmd, flags, options).toString().replace(/(\r\n|\n|\r)/gm, '')
   } catch (e) {
     return ''
   }