dd-trace 4.21.0 → 4.23.0

package/packages/dd-trace/src/appsec/activation.js

@@ -0,0 +1,29 @@
+'use strict'
+
+const Activation = {
+  ONECLICK: 'OneClick',
+  ENABLED: 'Enabled',
+  DISABLED: 'Disabled',
+
+  fromConfig (config) {
+    switch (config.appsec.enabled) {
+      // ASM is activated by an env var DD_APPSEC_ENABLED=true
+      case true:
+        return Activation.ENABLED
+
+      // ASM is disabled by an env var DD_APPSEC_ENABLED=false
+      case false:
+        return Activation.DISABLED
+
+      // ASM is activated by one click remote config
+      case undefined:
+        return Activation.ONECLICK
+
+      // Any other value should never occur
+      default:
+        return Activation.DISABLED
+    }
+  }
+}
+
+module.exports = Activation

package/packages/dd-trace/src/appsec/addresses.js

@@ -13,6 +13,7 @@ module.exports = {
   HTTP_INCOMING_RESPONSE_HEADERS: 'server.response.headers.no_cookies',
   // TODO: 'server.response.trailers',
   HTTP_INCOMING_GRAPHQL_RESOLVERS: 'graphql.server.all_resolvers',
+  HTTP_INCOMING_GRAPHQL_RESOLVER: 'graphql.server.resolver',
 
   HTTP_CLIENT_IP: 'http.client_ip',
 

package/packages/dd-trace/src/appsec/api_security_sampler.js

@@ -0,0 +1,48 @@
+'use strict'
+
+const log = require('../log')
+
+let enabled
+let requestSampling
+
+function configure ({ apiSecurity }) {
+  enabled = apiSecurity.enabled
+  setRequestSampling(apiSecurity.requestSampling)
+}
+
+function disable () {
+  enabled = false
+}
+
+function setRequestSampling (sampling) {
+  requestSampling = parseRequestSampling(sampling)
+}
+
+function parseRequestSampling (requestSampling) {
+  let parsed = parseFloat(requestSampling)
+
+  if (isNaN(parsed)) {
+    log.warn(`Incorrect API Security request sampling value: ${requestSampling}`)
+
+    parsed = 0
+  } else {
+    parsed = Math.min(1, Math.max(0, parsed))
+  }
+
+  return parsed
+}
+
+function sampleRequest () {
+  if (!enabled || !requestSampling) {
+    return false
+  }
+
+  return Math.random() <= requestSampling
+}
+
+module.exports = {
+  configure,
+  disable,
+  setRequestSampling,
+  sampleRequest
+}

package/packages/dd-trace/src/appsec/blocked_templates.js

@@ -5,7 +5,10 @@ const html = `<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta n
 
 const json = `{"errors":[{"title":"You've been blocked","detail":"Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}]}`
 
+const graphqlJson = `{"errors":[{"message":"You've been blocked","extensions":{"detail":"Sorry, you cannot perform this operation. Please contact the customer service team. Security provided by Datadog."}}]}`
+
 module.exports = {
   html,
-  json
+  json,
+  graphqlJson
 }

package/packages/dd-trace/src/appsec/blocking.js

@@ -3,93 +3,142 @@
 const log = require('../log')
 const blockedTemplates = require('./blocked_templates')
 
+const detectedSpecificEndpoints = {}
+
 let templateHtml = blockedTemplates.html
 let templateJson = blockedTemplates.json
+let templateGraphqlJson = blockedTemplates.graphqlJson
 let blockingConfiguration
 
-function blockWithRedirect (res, rootSpan, abortController) {
-  rootSpan.addTags({
-    'appsec.blocked': 'true'
-  })
+const specificBlockingTypes = {
+  GRAPHQL: 'graphql'
+}
 
+function getSpecificKey (method, url) {
+  return `${method}+${url}`
+}
+
+function addSpecificEndpoint (method, url, type) {
+  detectedSpecificEndpoints[getSpecificKey(method, url)] = type
+}
+
+function getBlockWithRedirectData (rootSpan) {
   let statusCode = blockingConfiguration.parameters.status_code
   if (!statusCode || statusCode < 300 || statusCode >= 400) {
     statusCode = 303
   }
-
-  res.writeHead(statusCode, {
+  const headers = {
     'Location': blockingConfiguration.parameters.location
-  }).end()
+  }
+
+  rootSpan.addTags({
+    'appsec.blocked': 'true'
+  })
 
-  if (abortController) {
-    abortController.abort()
+  return { headers, statusCode }
+}
+
+function getSpecificBlockingData (type) {
+  switch (type) {
+    case specificBlockingTypes.GRAPHQL:
+      return {
+        type: 'application/json',
+        body: templateGraphqlJson
+      }
   }
 }
 
-function blockWithContent (req, res, rootSpan, abortController) {
+function getBlockWithContentData (req, specificType, rootSpan) {
   let type
   let body
+  let statusCode
 
-  // parse the Accept header, ex: Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8
-  const accept = req.headers.accept && req.headers.accept.split(',').map((str) => str.split(';', 1)[0].trim())
+  const specificBlockingType = specificType || detectedSpecificEndpoints[getSpecificKey(req.method, req.url)]
+  if (specificBlockingType) {
+    const specificBlockingContent = getSpecificBlockingData(specificBlockingType)
+    type = specificBlockingContent?.type
+    body = specificBlockingContent?.body
+  }
 
-  if (!blockingConfiguration || blockingConfiguration.parameters.type === 'auto') {
-    if (accept && accept.includes('text/html') && !accept.includes('application/json')) {
-      type = 'text/html; charset=utf-8'
-      body = templateHtml
+  if (!type) {
+    // parse the Accept header, ex: Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8
+    const accept = req.headers.accept?.split(',').map((str) => str.split(';', 1)[0].trim())
+
+    if (!blockingConfiguration || blockingConfiguration.parameters.type === 'auto') {
+      if (accept?.includes('text/html') && !accept.includes('application/json')) {
+        type = 'text/html; charset=utf-8'
+        body = templateHtml
+      } else {
+        type = 'application/json'
+        body = templateJson
+      }
     } else {
-      type = 'application/json'
-      body = templateJson
+      if (blockingConfiguration.parameters.type === 'html') {
+        type = 'text/html; charset=utf-8'
+        body = templateHtml
+      } else {
+        type = 'application/json'
+        body = templateJson
+      }
     }
+  }
+
+  if (blockingConfiguration?.type === 'block_request' && blockingConfiguration.parameters.status_code) {
+    statusCode = blockingConfiguration.parameters.status_code
   } else {
-    if (blockingConfiguration.parameters.type === 'html') {
-      type = 'text/html; charset=utf-8'
-      body = templateHtml
-    } else {
-      type = 'application/json'
-      body = templateJson
-    }
+    statusCode = 403
+  }
+
+  const headers = {
+    'Content-Type': type,
+    'Content-Length': Buffer.byteLength(body)
   }
 
   rootSpan.addTags({
     'appsec.blocked': 'true'
   })
 
-  if (blockingConfiguration && blockingConfiguration.type === 'block_request' &&
-    blockingConfiguration.parameters.status_code) {
-    res.statusCode = blockingConfiguration.parameters.status_code
-  } else {
-    res.statusCode = 403
-  }
-  res.setHeader('Content-Type', type)
-  res.setHeader('Content-Length', Buffer.byteLength(body))
-  res.end(body)
+  return { body, statusCode, headers }
+}
 
-  if (abortController) {
-    abortController.abort()
+function getBlockingData (req, specificType, rootSpan) {
+  if (blockingConfiguration?.type === 'redirect_request' && blockingConfiguration.parameters.location) {
+    return getBlockWithRedirectData(rootSpan)
+  } else {
+    return getBlockWithContentData(req, specificType, rootSpan)
   }
 }
 
-function block (req, res, rootSpan, abortController) {
+function block (req, res, rootSpan, abortController, type) {
   if (res.headersSent) {
     log.warn('Cannot send blocking response when headers have already been sent')
     return
   }
 
-  if (blockingConfiguration && blockingConfiguration.type === 'redirect_request' &&
-      blockingConfiguration.parameters.location) {
-    blockWithRedirect(res, rootSpan, abortController)
-  } else {
-    blockWithContent(req, res, rootSpan, abortController)
-  }
+  const { body, headers, statusCode } = getBlockingData(req, type, rootSpan)
+
+  res.writeHead(statusCode, headers).end(body)
+
+  abortController?.abort()
 }
 
 function setTemplates (config) {
   if (config.appsec.blockedTemplateHtml) {
     templateHtml = config.appsec.blockedTemplateHtml
+  } else {
+    templateHtml = blockedTemplates.html
   }
+
   if (config.appsec.blockedTemplateJson) {
     templateJson = config.appsec.blockedTemplateJson
+  } else {
+    templateJson = blockedTemplates.json
+  }
+
+  if (config.appsec.blockedTemplateGraphql) {
+    templateGraphqlJson = config.appsec.blockedTemplateGraphql
+  } else {
+    templateGraphqlJson = blockedTemplates.graphqlJson
   }
 }
 
@@ -98,7 +147,10 @@ function updateBlockingConfiguration (newBlockingConfiguration) {
 }
 
 module.exports = {
+  addSpecificEndpoint,
   block,
+  specificBlockingTypes,
+  getBlockingData,
   setTemplates,
   updateBlockingConfiguration
 }

package/packages/dd-trace/src/appsec/channels.js

@@ -6,7 +6,10 @@ const dc = require('dc-polyfill')
 module.exports = {
   bodyParser: dc.channel('datadog:body-parser:read:finish'),
   cookieParser: dc.channel('datadog:cookie-parser:read:finish'),
-  graphqlFinishExecute: dc.channel('apm:graphql:execute:finish'),
+  startGraphqlResolve: dc.channel('datadog:graphql:resolver:start'),
+  graphqlMiddlewareChannel: dc.tracingChannel('datadog:apollo:middleware'),
+  apolloChannel: dc.tracingChannel('datadog:apollo:request'),
+  apolloServerCoreChannel: dc.tracingChannel('datadog:apollo-server-core:request'),
   incomingHttpRequestStart: dc.channel('dd-trace:incomingHttpRequestStart'),
   incomingHttpRequestEnd: dc.channel('dd-trace:incomingHttpRequestEnd'),
   passportVerify: dc.channel('datadog:passport:verify:finish'),

package/packages/dd-trace/src/appsec/graphql.js

@@ -0,0 +1,146 @@
+'use strict'
+
+const { storage } = require('../../../datadog-core')
+const { addSpecificEndpoint, specificBlockingTypes, getBlockingData } = require('./blocking')
+const waf = require('./waf')
+const addresses = require('./addresses')
+const web = require('../plugins/util/web')
+const {
+  startGraphqlResolve,
+  graphqlMiddlewareChannel,
+  apolloChannel,
+  apolloServerCoreChannel
+} = require('./channels')
+
+const graphqlRequestData = new WeakMap()
+
+function enable () {
+  enableApollo()
+  enableGraphql()
+}
+
+function disable () {
+  disableApollo()
+  disableGraphql()
+}
+
+function onGraphqlStartResolve ({ context, resolverInfo }) {
+  const req = storage.getStore()?.req
+
+  if (!req) return
+
+  if (!resolverInfo || typeof resolverInfo !== 'object') return
+
+  const actions = waf.run({ ephemeral: { [addresses.HTTP_INCOMING_GRAPHQL_RESOLVER]: resolverInfo } }, req)
+  if (actions?.includes('block')) {
+    const requestData = graphqlRequestData.get(req)
+    if (requestData?.isInGraphqlRequest) {
+      requestData.blocked = true
+      context?.abortController?.abort()
+    }
+  }
+}
+
+function enterInApolloMiddleware (data) {
+  const req = data?.req || storage.getStore()?.req
+  if (!req) return
+
+  graphqlRequestData.set(req, {
+    inApolloMiddleware: true,
+    blocked: false
+  })
+}
+
+function enterInApolloServerCoreRequest () {
+  const req = storage.getStore()?.req
+  if (!req) return
+
+  graphqlRequestData.set(req, {
+    isInGraphqlRequest: true,
+    blocked: false
+  })
+}
+
+function exitFromApolloMiddleware (data) {
+  const req = data?.req || storage.getStore()?.req
+  const requestData = graphqlRequestData.get(req)
+  if (requestData) requestData.inApolloMiddleware = false
+}
+
+function enterInApolloRequest () {
+  const req = storage.getStore()?.req
+
+  const requestData = graphqlRequestData.get(req)
+  if (requestData?.inApolloMiddleware) {
+    requestData.isInGraphqlRequest = true
+    addSpecificEndpoint(req.method, req.originalUrl || req.url, specificBlockingTypes.GRAPHQL)
+  }
+}
+
+function beforeWriteApolloGraphqlResponse ({ abortController, abortData }) {
+  const req = storage.getStore()?.req
+  if (!req) return
+
+  const requestData = graphqlRequestData.get(req)
+
+  if (requestData?.blocked) {
+    const rootSpan = web.root(req)
+    if (!rootSpan) return
+
+    const blockingData = getBlockingData(req, specificBlockingTypes.GRAPHQL, rootSpan)
+    abortData.statusCode = blockingData.statusCode
+    abortData.headers = blockingData.headers
+    abortData.message = blockingData.body
+
+    abortController?.abort()
+  }
+
+  graphqlRequestData.delete(req)
+}
+
+function enableApollo () {
+  graphqlMiddlewareChannel.subscribe({
+    start: enterInApolloMiddleware,
+    end: exitFromApolloMiddleware
+  })
+
+  apolloServerCoreChannel.subscribe({
+    start: enterInApolloServerCoreRequest,
+    asyncEnd: beforeWriteApolloGraphqlResponse
+  })
+
+  apolloChannel.subscribe({
+    start: enterInApolloRequest,
+    asyncEnd: beforeWriteApolloGraphqlResponse
+  })
+}
+
+function disableApollo () {
+  graphqlMiddlewareChannel.unsubscribe({
+    start: enterInApolloMiddleware,
+    end: exitFromApolloMiddleware
+  })
+
+  apolloServerCoreChannel.unsubscribe({
+    start: enterInApolloServerCoreRequest,
+    asyncEnd: beforeWriteApolloGraphqlResponse
+  })
+
+  apolloChannel.unsubscribe({
+    start: enterInApolloRequest,
+    asyncEnd: beforeWriteApolloGraphqlResponse
+  })
+}
+
+function enableGraphql () {
+  startGraphqlResolve.subscribe(onGraphqlStartResolve)
+}
+
+function disableGraphql () {
+  if (startGraphqlResolve.hasSubscribers) startGraphqlResolve.unsubscribe(onGraphqlStartResolve)
+}
+
+module.exports = {
+  enable,
+  disable
+}

package/packages/dd-trace/src/appsec/index.js

@@ -6,7 +6,6 @@ const remoteConfig = require('./remote_config')
 const {
   bodyParser,
   cookieParser,
-  graphqlFinishExecute,
   incomingHttpRequestStart,
   incomingHttpRequestEnd,
   passportVerify,
@@ -18,29 +17,24 @@ const waf = require('./waf')
 const addresses = require('./addresses')
 const Reporter = require('./reporter')
 const appsecTelemetry = require('./telemetry')
+const apiSecuritySampler = require('./api_security_sampler')
 const web = require('../plugins/util/web')
 const { extractIp } = require('../plugins/util/ip_extractor')
 const { HTTP_CLIENT_IP } = require('../../../../ext/tags')
 const { block, setTemplates } = require('./blocking')
 const { passportTrackEvent } = require('./passport')
 const { storage } = require('../../../datadog-core')
+const graphql = require('./graphql')
 
 let isEnabled = false
 let config
 
-function sampleRequest ({ enabled, requestSampling }) {
-  if (!enabled || !requestSampling) {
-    return false
-  }
-
-  return Math.random() <= requestSampling
-}
-
 function enable (_config) {
   if (isEnabled) return
 
   try {
     appsecTelemetry.enable(_config.telemetry)
+    graphql.enable()
 
     setTemplates(_config)
 
@@ -50,6 +44,8 @@ function enable (_config) {
 
     Reporter.setRateLimit(_config.appsec.rateLimit)
 
+    apiSecuritySampler.configure(_config.appsec)
+
     incomingHttpRequestStart.subscribe(incomingHttpStartTranslator)
     incomingHttpRequestEnd.subscribe(incomingHttpEndTranslator)
     bodyParser.subscribe(onRequestBodyParsed)
@@ -57,7 +53,6 @@ function enable (_config) {
     nextQueryParsed.subscribe(onRequestQueryParsed)
     queryParser.subscribe(onRequestQueryParsed)
     cookieParser.subscribe(onRequestCookieParser)
-    graphqlFinishExecute.subscribe(onGraphqlFinishExecute)
 
     if (_config.appsec.eventTracking.enabled) {
       passportVerify.subscribe(onPassportVerify)
@@ -88,21 +83,21 @@ function incomingHttpStartTranslator ({ req, res, abortController }) {
   const requestHeaders = Object.assign({}, req.headers)
   delete requestHeaders.cookie
 
-  const payload = {
+  const persistent = {
     [addresses.HTTP_INCOMING_URL]: req.url,
     [addresses.HTTP_INCOMING_HEADERS]: requestHeaders,
     [addresses.HTTP_INCOMING_METHOD]: req.method
   }
 
   if (clientIp) {
-    payload[addresses.HTTP_CLIENT_IP] = clientIp
+    persistent[addresses.HTTP_CLIENT_IP] = clientIp
   }
 
-  if (sampleRequest(config.appsec.apiSecurity)) {
-    payload[addresses.WAF_CONTEXT_PROCESSOR] = { 'extract-schema': true }
+  if (apiSecuritySampler.sampleRequest()) {
+    persistent[addresses.WAF_CONTEXT_PROCESSOR] = { 'extract-schema': true }
   }
 
-  const actions = waf.run(payload, req)
+  const actions = waf.run({ persistent }, req)
 
   handleResults(actions, req, res, rootSpan, abortController)
 }
@@ -112,7 +107,7 @@ function incomingHttpEndTranslator ({ req, res }) {
   const responseHeaders = Object.assign({}, res.getHeaders())
   delete responseHeaders['set-cookie']
 
-  const payload = {
+  const persistent = {
     [addresses.HTTP_INCOMING_RESPONSE_CODE]: '' + res.statusCode,
     [addresses.HTTP_INCOMING_RESPONSE_HEADERS]: responseHeaders
   }
@@ -120,24 +115,24 @@ function incomingHttpEndTranslator ({ req, res }) {
   // we need to keep this to support other body parsers
   // TODO: no need to analyze it if it was already done by the body-parser hook
   if (req.body !== undefined && req.body !== null) {
-    payload[addresses.HTTP_INCOMING_BODY] = req.body
+    persistent[addresses.HTTP_INCOMING_BODY] = req.body
   }
 
   // TODO: temporary express instrumentation, will use express plugin later
   if (req.params && typeof req.params === 'object') {
-    payload[addresses.HTTP_INCOMING_PARAMS] = req.params
+    persistent[addresses.HTTP_INCOMING_PARAMS] = req.params
   }
 
   // we need to keep this to support other cookie parsers
   if (req.cookies && typeof req.cookies === 'object') {
-    payload[addresses.HTTP_INCOMING_COOKIES] = req.cookies
+    persistent[addresses.HTTP_INCOMING_COOKIES] = req.cookies
   }
 
   if (req.query && typeof req.query === 'object') {
-    payload[addresses.HTTP_INCOMING_QUERY] = req.query
+    persistent[addresses.HTTP_INCOMING_QUERY] = req.query
   }
 
-  waf.run(payload, req)
+  waf.run({ persistent }, req)
 
   waf.disposeContext(req)
 
@@ -156,7 +151,9 @@ function onRequestBodyParsed ({ req, res, body, abortController }) {
   if (!rootSpan) return
 
   const results = waf.run({
-    [addresses.HTTP_INCOMING_BODY]: body
+    persistent: {
+      [addresses.HTTP_INCOMING_BODY]: body
+    }
   }, req)
 
   handleResults(results, req, res, rootSpan, abortController)
@@ -174,7 +171,9 @@ function onRequestQueryParsed ({ req, res, query, abortController }) {
   if (!rootSpan) return
 
   const results = waf.run({
-    [addresses.HTTP_INCOMING_QUERY]: query
+    persistent: {
+      [addresses.HTTP_INCOMING_QUERY]: query
+    }
   }, req)
 
   handleResults(results, req, res, rootSpan, abortController)
@@ -187,7 +186,9 @@ function onRequestCookieParser ({ req, res, abortController, cookies }) {
   if (!rootSpan) return
 
   const results = waf.run({
-    [addresses.HTTP_INCOMING_COOKIES]: cookies
+    persistent: {
+      [addresses.HTTP_INCOMING_COOKIES]: cookies
+    }
   }, req)
 
   handleResults(results, req, res, rootSpan, abortController)
@@ -195,7 +196,7 @@ function onRequestCookieParser ({ req, res, abortController, cookies }) {
 
 function onPassportVerify ({ credentials, user }) {
   const store = storage.getStore()
-  const rootSpan = store && store.req && web.root(store.req)
+  const rootSpan = store?.req && web.root(store.req)
 
   if (!rootSpan) {
     log.warn('No rootSpan found in onPassportVerify')
@@ -205,20 +206,6 @@ function onPassportVerify ({ credentials, user }) {
   passportTrackEvent(credentials, user, rootSpan, config.appsec.eventTracking.mode)
 }
 
-function onGraphqlFinishExecute ({ context }) {
-  const store = storage.getStore()
-  const req = store?.req
-
-  if (!req) return
-
-  const resolvers = context?.resolvers
-
-  if (!resolvers || typeof resolvers !== 'object') return
-
-  // Don't collect blocking result because it only works in monitor mode.
-  waf.run({ [addresses.HTTP_INCOMING_GRAPHQL_RESOLVERS]: resolvers }, req)
-}
-
 function handleResults (actions, req, res, rootSpan, abortController) {
   if (!actions || !req || !res || !rootSpan || !abortController) return
 
@@ -234,12 +221,14 @@ function disable () {
   RuleManager.clearAllRules()
 
   appsecTelemetry.disable()
+  graphql.disable()
 
   remoteConfig.disableWafUpdate()
 
+  apiSecuritySampler.disable()
+
   // Channel#unsubscribe() is undefined for non active channels
   if (bodyParser.hasSubscribers) bodyParser.unsubscribe(onRequestBodyParsed)
-  if (graphqlFinishExecute.hasSubscribers) graphqlFinishExecute.unsubscribe(onGraphqlFinishExecute)
   if (incomingHttpRequestStart.hasSubscribers) incomingHttpRequestStart.unsubscribe(incomingHttpStartTranslator)
   if (incomingHttpRequestEnd.hasSubscribers) incomingHttpRequestEnd.unsubscribe(incomingHttpEndTranslator)
   if (queryParser.hasSubscribers) queryParser.unsubscribe(onRequestQueryParsed)

package/packages/dd-trace/src/appsec/remote_config/capabilities.js

@@ -9,5 +9,10 @@ module.exports = {
   ASM_USER_BLOCKING: 1n << 7n,
   ASM_CUSTOM_RULES: 1n << 8n,
   ASM_CUSTOM_BLOCKING_RESPONSE: 1n << 9n,
-  ASM_TRUSTED_IPS: 1n << 10n
+  ASM_TRUSTED_IPS: 1n << 10n,
+  ASM_API_SECURITY_SAMPLE_RATE: 1n << 11n,
+  APM_TRACING_SAMPLE_RATE: 1n << 12n,
+  APM_TRACING_LOGS_INJECTION: 1n << 13n,
+  APM_TRACING_HTTP_HEADER_TAGS: 1n << 14n,
+  APM_TRACING_CUSTOM_TAGS: 1n << 15n
 }