dd-trace 4.26.0 → 4.28.0

package/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js

@@ -4,8 +4,6 @@ const InjectionAnalyzer = require('./injection-analyzer')
 const { SQL_INJECTION } = require('../vulnerabilities')
 const { getRanges } = require('../taint-tracking/operations')
 const { storage } = require('../../../../../datadog-core')
-const { getIastContext } = require('../iast-context')
-const { addVulnerability } = require('../vulnerability-reporter')
 const { getNodeModulesPaths } = require('../path-line')
 
 const EXCLUDED_PATHS = getNodeModulesPaths('mysql', 'mysql2', 'sequelize', 'pg-pool', 'knex')
@@ -16,9 +14,9 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
   }
 
   onConfigure () {
-    this.addSub('apm:mysql:query:start', ({ sql }) => this.analyze(sql, 'MYSQL'))
-    this.addSub('apm:mysql2:query:start', ({ sql }) => this.analyze(sql, 'MYSQL'))
-    this.addSub('apm:pg:query:start', ({ query }) => this.analyze(query.text, 'POSTGRES'))
+    this.addSub('apm:mysql:query:start', ({ sql }) => this.analyze(sql, undefined, 'MYSQL'))
+    this.addSub('apm:mysql2:query:start', ({ sql }) => this.analyze(sql, undefined, 'MYSQL'))
+    this.addSub('apm:pg:query:start', ({ query }) => this.analyze(query.text, undefined, 'POSTGRES'))
 
     this.addSub(
       'datadog:sequelize:query:start',
@@ -42,7 +40,7 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
   getStoreAndAnalyze (query, dialect) {
     const parentStore = storage.getStore()
     if (parentStore) {
-      this.analyze(query, dialect, parentStore)
+      this.analyze(query, parentStore, dialect)
 
       storage.enterWith({ ...parentStore, sqlAnalyzed: true, sqlParentStore: parentStore })
     }
@@ -60,29 +58,10 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
     return { value, ranges, dialect }
   }
 
-  analyze (value, dialect, store = storage.getStore()) {
+  analyze (value, store, dialect) {
+    store = store || storage.getStore()
     if (!(store && store.sqlAnalyzed)) {
-      const iastContext = getIastContext(store)
-      if (this._isInvalidContext(store, iastContext)) return
-      this._reportIfVulnerable(value, iastContext, dialect)
-    }
-  }
-
-  _reportIfVulnerable (value, context, dialect) {
-    if (this._isVulnerable(value, context) && this._checkOCE(context)) {
-      this._report(value, context, dialect)
-      return true
-    }
-    return false
-  }
-
-  _report (value, context, dialect) {
-    const evidence = this._getEvidence(value, context, dialect)
-    const location = this._getLocation()
-    if (!this._isExcluded(location)) {
-      const spanId = context && context.rootSpan && context.rootSpan.context().toSpanId()
-      const vulnerability = this._createVulnerability(this._type, evidence, spanId, location)
-      addVulnerability(context, vulnerability)
+      super.analyze(value, store, dialect)
     }
   }
 

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -22,8 +22,12 @@ class Analyzer extends SinkIastPlugin {
     return false
   }
 
-  _report (value, context) {
-    const evidence = this._getEvidence(value, context)
+  _report (value, context, meta) {
+    const evidence = this._getEvidence(value, context, meta)
+    this._reportEvidence(value, context, evidence)
+  }
+
+  _reportEvidence (value, context, evidence) {
     const location = this._getLocation(value)
     if (!this._isExcluded(location)) {
       const locationSourceMap = this._replaceLocationFromSourceMap(location)
@@ -33,9 +37,9 @@ class Analyzer extends SinkIastPlugin {
     }
   }
 
-  _reportIfVulnerable (value, context) {
+  _reportIfVulnerable (value, context, meta) {
     if (this._isVulnerable(value, context) && this._checkOCE(context, value)) {
-      this._report(value, context)
+      this._report(value, context, meta)
       return true
     }
     return false
@@ -71,11 +75,11 @@ class Analyzer extends SinkIastPlugin {
     return store && !iastContext
   }
 
-  analyze (value, store = storage.getStore()) {
+  analyze (value, store = storage.getStore(), meta) {
     const iastContext = getIastContext(store)
     if (this._isInvalidContext(store, iastContext)) return
 
-    this._reportIfVulnerable(value, iastContext)
+    this._reportIfVulnerable(value, iastContext, meta)
   }
 
   analyzeAll (...values) {

package/packages/dd-trace/src/appsec/iast/context/context-plugin.js

@@ -0,0 +1,90 @@
+'use strict'
+
+const { storage } = require('../../../../../datadog-core')
+const iastContextFunctions = require('../iast-context')
+const overheadController = require('../overhead-controller')
+const { IastPlugin } = require('../iast-plugin')
+const { IAST_ENABLED_TAG_KEY } = require('../tags')
+const { createTransaction, removeTransaction } = require('../taint-tracking/operations')
+const vulnerabilityReporter = require('../vulnerability-reporter')
+const { TagKey } = require('../telemetry/iast-metric')
+
+class IastContextPlugin extends IastPlugin {
+  startCtxOn (channelName, tag) {
+    super.addSub(channelName, (message) => this.startContext())
+
+    this._getAndRegisterSubscription({
+      channelName,
+      tag,
+      tagKey: TagKey.SOURCE_TYPE
+    })
+  }
+
+  finishCtxOn (channelName) {
+    super.addSub(channelName, (message) => this.finishContext())
+  }
+
+  getRootSpan (store) {
+    return store?.span
+  }
+
+  getTopContext () {
+    return {}
+  }
+
+  newIastContext (rootSpan) {
+    return { rootSpan }
+  }
+
+  addIastEnabledTag (isRequestAcquired, rootSpan) {
+    if (rootSpan?.addTags) {
+      rootSpan.addTags({
+        [IAST_ENABLED_TAG_KEY]: isRequestAcquired ? 1 : 0
+      })
+    }
+  }
+
+  startContext () {
+    let isRequestAcquired = false
+    let iastContext
+
+    const store = storage.getStore()
+    if (store) {
+      const topContext = this.getTopContext()
+      const rootSpan = this.getRootSpan(store)
+
+      isRequestAcquired = overheadController.acquireRequest(rootSpan)
+      if (isRequestAcquired) {
+        iastContext = iastContextFunctions.saveIastContext(store, topContext, this.newIastContext(rootSpan))
+        createTransaction(rootSpan.context().toSpanId(), iastContext)
+        overheadController.initializeRequestContext(iastContext)
+      }
+      this.addIastEnabledTag(isRequestAcquired, rootSpan)
+    }
+
+    return {
+      isRequestAcquired,
+      iastContext,
+      store
+    }
+  }
+
+  finishContext () {
+    const store = storage.getStore()
+    if (store) {
+      const topContext = this.getTopContext()
+      const iastContext = iastContextFunctions.getIastContext(store, topContext)
+      const rootSpan = iastContext?.rootSpan
+      if (iastContext && rootSpan) {
+        vulnerabilityReporter.sendVulnerabilities(iastContext.vulnerabilities, rootSpan)
+        removeTransaction(iastContext)
+      }
+
+      if (iastContextFunctions.cleanIastContext(store, topContext, iastContext)) {
+        overheadController.releaseRequest()
+      }
+    }
+  }
+}
+
+module.exports = IastContextPlugin

package/packages/dd-trace/src/appsec/iast/context/kafka-ctx-plugin.js

@@ -0,0 +1,14 @@
+'use strict'
+
+const { KAFKA_MESSAGE_KEY, KAFKA_MESSAGE_VALUE } = require('../taint-tracking/source-types')
+const IastContextPlugin = require('./context-plugin')
+
+class KafkaContextPlugin extends IastContextPlugin {
+  onConfigure () {
+    this.startCtxOn('dd-trace:kafkajs:consumer:afterStart', [KAFKA_MESSAGE_KEY, KAFKA_MESSAGE_VALUE])
+
+    this.finishCtxOn('dd-trace:kafkajs:consumer:beforeFinish')
+  }
+}
+
+module.exports = new KafkaContextPlugin()

package/packages/dd-trace/src/appsec/iast/iast-plugin.js

@@ -101,6 +101,14 @@ class IastPlugin extends Plugin {
     }
   }
 
+  enable () {
+    this.configure(true)
+  }
+
+  disable () {
+    this.configure(false)
+  }
+
   onConfigure () {}
 
   configure (config) {
@@ -127,10 +135,13 @@ class IastPlugin extends Plugin {
     if (!channelName && !moduleName) return
 
     if (!moduleName) {
-      const firstSep = channelName.indexOf(':')
+      let firstSep = channelName.indexOf(':')
       if (firstSep === -1) {
         moduleName = channelName
       } else {
+        if (channelName.startsWith('tracing:')) {
+          firstSep = channelName.indexOf(':', 'tracing:'.length + 1)
+        }
         const lastSep = channelName.indexOf(':', firstSep + 1)
         moduleName = channelName.substring(firstSep + 1, lastSep !== -1 ? lastSep : channelName.length)
       }

package/packages/dd-trace/src/appsec/iast/index.js

@@ -22,7 +22,7 @@ const requestClose = dc.channel('dd-trace:incomingHttpRequestEnd')
 const iastResponseEnd = dc.channel('datadog:iast:response-end')
 
 function enable (config, _tracer) {
-  iastTelemetry.configure(config, config.iast && config.iast.telemetryVerbosity)
+  iastTelemetry.configure(config, config.iast?.telemetryVerbosity)
   enableAllAnalyzers(config)
   enableTaintTracking(config.iast, iastTelemetry.verbosity)
   requestStart.subscribe(onIncomingHttpRequestStart)
@@ -43,7 +43,7 @@ function disable () {
 }
 
 function onIncomingHttpRequestStart (data) {
-  if (data && data.req) {
+  if (data?.req) {
     const store = storage.getStore()
     if (store) {
       const topContext = web.getContext(data.req)
@@ -68,11 +68,11 @@ function onIncomingHttpRequestStart (data) {
 }
 
 function onIncomingHttpRequestEnd (data) {
-  if (data && data.req) {
+  if (data?.req) {
     const store = storage.getStore()
     const topContext = web.getContext(data.req)
     const iastContext = iastContextFunctions.getIastContext(store, topContext)
-    if (iastContext && iastContext.rootSpan) {
+    if (iastContext?.rootSpan) {
       iastResponseEnd.publish(data)
 
       const vulnerabilities = iastContext.vulnerabilities

package/packages/dd-trace/src/appsec/iast/overhead-controller.js

@@ -52,7 +52,7 @@ function _resetGlobalContext () {
 }
 
 function acquireRequest (rootSpan) {
-  if (availableRequest > 0) {
+  if (availableRequest > 0 && rootSpan) {
     const sampling = config && typeof config.requestSampling === 'number'
       ? config.requestSampling : 30
     if (rootSpan.context().toSpanId().slice(-2) <= sampling) {

package/packages/dd-trace/src/appsec/iast/taint-tracking/csi-methods.js

@@ -2,6 +2,7 @@
 
 const csiMethods = [
   { src: 'concat' },
+  { src: 'parse' },
   { src: 'plusOperator', operator: true },
   { src: 'random' },
   { src: 'replace' },

package/packages/dd-trace/src/appsec/iast/taint-tracking/index.js

@@ -10,18 +10,28 @@ const {
 } = require('./operations')
 
 const taintTrackingPlugin = require('./plugin')
+const kafkaConsumerPlugin = require('./plugins/kafka')
+
+const kafkaContextPlugin = require('../context/kafka-ctx-plugin')
 
 module.exports = {
   enableTaintTracking (config, telemetryVerbosity) {
     enableRewriter(telemetryVerbosity)
     enableTaintOperations(telemetryVerbosity)
     taintTrackingPlugin.enable()
+
+    kafkaContextPlugin.enable()
+    kafkaConsumerPlugin.enable()
+
     setMaxTransactions(config.maxConcurrentRequests)
   },
   disableTaintTracking () {
     disableRewriter()
     disableTaintOperations()
     taintTrackingPlugin.disable()
+
+    kafkaContextPlugin.disable()
+    kafkaConsumerPlugin.disable()
   },
   setMaxTransactions: setMaxTransactions,
   createTransaction: createTransaction,

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations-taint-object.js

@@ -0,0 +1,53 @@
+'use strict'
+
+const TaintedUtils = require('@datadog/native-iast-taint-tracking')
+const { IAST_TRANSACTION_ID } = require('../iast-context')
+const iastLog = require('../iast-log')
+
+function taintObject (iastContext, object, type, keyTainting, keyType) {
+  let result = object
+  const transactionId = iastContext?.[IAST_TRANSACTION_ID]
+  if (transactionId) {
+    const queue = [{ parent: null, property: null, value: object }]
+    const visited = new WeakSet()
+
+    while (queue.length > 0) {
+      const { parent, property, value, key } = queue.pop()
+      if (value === null) {
+        continue
+      }
+
+      try {
+        if (typeof value === 'string') {
+          const tainted = TaintedUtils.newTaintedString(transactionId, value, property, type)
+          if (!parent) {
+            result = tainted
+          } else if (keyTainting && key) {
+            const taintedProperty = TaintedUtils.newTaintedString(transactionId, key, property, keyType)
+            parent[taintedProperty] = tainted
+          } else {
+            parent[key] = tainted
+          }
+        } else if (typeof value === 'object' && !visited.has(value)) {
+          visited.add(value)
+
+          for (const key of Object.keys(value)) {
+            queue.push({ parent: value, property: property ? `${property}.${key}` : key, value: value[key], key })
+          }
+
+          if (parent && keyTainting && key) {
+            const taintedProperty = TaintedUtils.newTaintedString(transactionId, key, property, keyType)
+            parent[taintedProperty] = value
+          }
+        }
+      } catch (e) {
+        iastLog.error(`Error visiting property : ${property}`).errorAndPublish(e)
+      }
+    }
+  }
+  return result
+}
+
+module.exports = {
+  taintObject
+}

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations.js

@@ -2,11 +2,11 @@
 
 const TaintedUtils = require('@datadog/native-iast-taint-tracking')
 const { IAST_TRANSACTION_ID } = require('../iast-context')
-const iastLog = require('../iast-log')
 const iastTelemetry = require('../telemetry')
 const { REQUEST_TAINTED } = require('../telemetry/iast-metric')
 const { isInfoAllowed } = require('../telemetry/verbosity')
 const { getTaintTrackingImpl, getTaintTrackingNoop } = require('./taint-tracking-impl')
+const { taintObject } = require('./operations-taint-object')
 
 function createTransaction (id, iastContext) {
   if (id && iastContext) {
@@ -34,7 +34,7 @@ function removeTransaction (iastContext) {
 }
 
 function newTaintedString (iastContext, string, name, type) {
-  let result = string
+  let result
   const transactionId = iastContext?.[IAST_TRANSACTION_ID]
   if (transactionId) {
     result = TaintedUtils.newTaintedString(transactionId, string, name, type)
@@ -44,56 +44,19 @@ function newTaintedString (iastContext, string, name, type) {
   return result
 }
 
-function taintObject (iastContext, object, type, keyTainting, keyType) {
-  let result = object
+function newTaintedObject (iastContext, obj, name, type) {
+  let result
   const transactionId = iastContext?.[IAST_TRANSACTION_ID]
   if (transactionId) {
-    const queue = [{ parent: null, property: null, value: object }]
-    const visited = new WeakSet()
-
-    while (queue.length > 0) {
-      const { parent, property, value, key } = queue.pop()
-      if (value === null) {
-        continue
-      }
-
-      try {
-        if (typeof value === 'string') {
-          const tainted = TaintedUtils.newTaintedString(transactionId, value, property, type)
-          if (!parent) {
-            result = tainted
-          } else {
-            if (keyTainting && key) {
-              const taintedProperty = TaintedUtils.newTaintedString(transactionId, key, property, keyType)
-              parent[taintedProperty] = tainted
-            } else {
-              parent[key] = tainted
-            }
-          }
-        } else if (typeof value === 'object' && !visited.has(value)) {
-          visited.add(value)
-
-          const keys = Object.keys(value)
-          for (let i = 0; i < keys.length; i++) {
-            const key = keys[i]
-            queue.push({ parent: value, property: property ? `${property}.${key}` : key, value: value[key], key })
-          }
-
-          if (parent && keyTainting && key) {
-            const taintedProperty = TaintedUtils.newTaintedString(transactionId, key, property, keyType)
-            parent[taintedProperty] = value
-          }
-        }
-      } catch (e) {
-        iastLog.error(`Error visiting property : ${property}`).errorAndPublish(e)
-      }
-    }
+    result = TaintedUtils.newTaintedObject(transactionId, obj, name, type)
+  } else {
+    result = obj
   }
   return result
 }
 
 function isTainted (iastContext, string) {
-  let result = false
+  let result
   const transactionId = iastContext?.[IAST_TRANSACTION_ID]
   if (transactionId) {
     result = TaintedUtils.isTainted(transactionId, string)
@@ -104,7 +67,7 @@ function isTainted (iastContext, string) {
 }
 
 function getRanges (iastContext, string) {
-  let result = []
+  let result
   const transactionId = iastContext?.[IAST_TRANSACTION_ID]
   if (transactionId) {
     result = TaintedUtils.getRanges(transactionId, string)
@@ -148,6 +111,7 @@ module.exports = {
   createTransaction,
   removeTransaction,
   newTaintedString,
+  newTaintedObject,
   taintObject,
   isTainted,
   getRanges,

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js

@@ -3,7 +3,7 @@
 const { SourceIastPlugin } = require('../iast-plugin')
 const { getIastContext } = require('../iast-context')
 const { storage } = require('../../../../../datadog-core')
-const { taintObject, newTaintedString } = require('./operations')
+const { taintObject, newTaintedString, getRanges } = require('./operations')
 const {
   HTTP_REQUEST_BODY,
   HTTP_REQUEST_COOKIE_VALUE,
@@ -65,6 +65,18 @@ class TaintTrackingPlugin extends SourceIastPlugin {
       }
     )
 
+    this.addSub(
+      { channelName: 'apm:graphql:resolve:start', tag: HTTP_REQUEST_BODY },
+      (data) => {
+        const iastContext = getIastContext(storage.getStore())
+        const source = data.context?.source
+        const ranges = source && getRanges(iastContext, source)
+        if (ranges?.length) {
+          this._taintTrackingHandler(ranges[0].iinfo.type, data.args, null, iastContext)
+        }
+      }
+    )
+
     // this is a special case to increment INSTRUMENTED_SOURCE metric for header
     this.addInstrumentedSource('http', [HTTP_REQUEST_HEADER_VALUE, HTTP_REQUEST_HEADER_NAME])
   }
@@ -104,14 +116,6 @@ class TaintTrackingPlugin extends SourceIastPlugin {
     this.taintHeaders(req.headers, iastContext)
     this.taintUrl(req, iastContext)
   }
-
-  enable () {
-    this.configure(true)
-  }
-
-  disable () {
-    this.configure(false)
-  }
 }
 
 module.exports = new TaintTrackingPlugin()

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugins/kafka.js

@@ -0,0 +1,47 @@
+'use strict'
+
+const shimmer = require('../../../../../../datadog-shimmer')
+const { storage } = require('../../../../../../datadog-core')
+const { getIastContext } = require('../../iast-context')
+const { KAFKA_MESSAGE_KEY, KAFKA_MESSAGE_VALUE } = require('../source-types')
+const { newTaintedObject, newTaintedString } = require('../operations')
+const { SourceIastPlugin } = require('../../iast-plugin')
+
+class KafkaConsumerIastPlugin extends SourceIastPlugin {
+  onConfigure () {
+    this.addSub({ channelName: 'dd-trace:kafkajs:consumer:afterStart', tag: [KAFKA_MESSAGE_KEY, KAFKA_MESSAGE_VALUE] },
+      ({ message }) => this.taintKafkaMessage(message)
+    )
+  }
+
+  getToStringWrap (toString, iastContext, type) {
+    return function () {
+      const res = toString.apply(this, arguments)
+      return newTaintedString(iastContext, res, undefined, type)
+    }
+  }
+
+  taintKafkaMessage (message) {
+    const iastContext = getIastContext(storage.getStore())
+
+    if (iastContext && message) {
+      const { key, value } = message
+
+      if (key && typeof key === 'object') {
+        shimmer.wrap(key, 'toString',
+          toString => this.getToStringWrap(toString, iastContext, KAFKA_MESSAGE_KEY))
+
+        newTaintedObject(iastContext, key, undefined, KAFKA_MESSAGE_KEY)
+      }
+
+      if (value && typeof value === 'object') {
+        shimmer.wrap(value, 'toString',
+          toString => this.getToStringWrap(toString, iastContext, KAFKA_MESSAGE_VALUE))
+
+        newTaintedObject(iastContext, value, undefined, KAFKA_MESSAGE_VALUE)
+      }
+    }
+  }
+}
+
+module.exports = new KafkaConsumerIastPlugin()

package/packages/dd-trace/src/appsec/iast/taint-tracking/source-types.js

@@ -9,5 +9,7 @@ module.exports = {
   HTTP_REQUEST_PARAMETER: 'http.request.parameter',
   HTTP_REQUEST_PATH: 'http.request.path',
   HTTP_REQUEST_PATH_PARAM: 'http.request.path.parameter',
-  HTTP_REQUEST_URI: 'http.request.uri'
+  HTTP_REQUEST_URI: 'http.request.uri',
+  KAFKA_MESSAGE_KEY: 'kafka.message.key',
+  KAFKA_MESSAGE_VALUE: 'kafka.message.value'
 }

package/packages/dd-trace/src/appsec/iast/taint-tracking/taint-tracking-impl.js

@@ -7,15 +7,19 @@ const iastContextFunctions = require('../iast-context')
 const iastLog = require('../iast-log')
 const { EXECUTED_PROPAGATION } = require('../telemetry/iast-metric')
 const { isDebugAllowed } = require('../telemetry/verbosity')
+const { taintObject } = require('./operations-taint-object')
 
 const mathRandomCallCh = dc.channel('datadog:random:call')
 
+const JSON_VALUE = 'json.value'
+
 function noop (res) { return res }
 // NOTE: methods of this object must be synchronized with csi-methods.js file definitions!
 // Otherwise you may end up rewriting a method and not providing its rewritten implementation
 const TaintTrackingNoop = {
-  plusOperator: noop,
   concat: noop,
+  parse: noop,
+  plusOperator: noop,
   random: noop,
   replace: noop,
   slice: noop,
@@ -26,7 +30,7 @@ const TaintTrackingNoop = {
 }
 
 function getTransactionId (iastContext) {
-  return iastContext && iastContext[iastContextFunctions.IAST_TRANSACTION_ID]
+  return iastContext?.[iastContextFunctions.IAST_TRANSACTION_ID]
 }
 
 function getContextDefault () {
@@ -120,6 +124,29 @@ function csiMethodsOverrides (getContext) {
       if (mathRandomCallCh.hasSubscribers) {
         mathRandomCallCh.publish({ fn })
       }
+      return res
+    },
+
+    parse: function (res, fn, target, json) {
+      if (fn === JSON.parse) {
+        try {
+          const iastContext = getContext()
+          const transactionId = getTransactionId(iastContext)
+          if (transactionId) {
+            const ranges = TaintedUtils.getRanges(transactionId, json)
+
+            // TODO: first version.
+            // here we are losing the original source because taintObject always creates a new tainted
+            if (ranges?.length > 0) {
+              const range = ranges.find(range => range.iinfo?.type)
+              res = taintObject(iastContext, res, range?.iinfo.type || JSON_VALUE)
+            }
+          }
+        } catch (e) {
+          iastLog.error(e)
+        }
+      }
+
       return res
     }
   }

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/utils.js

@@ -20,7 +20,7 @@ function iterateObject (target, fn, levelKeys = [], depth = 50) {
 
     fn(val, nextLevelKeys, target, key)
 
-    if (val !== null && typeof val === 'object') {
+    if (val !== null && typeof val === 'object' && depth > 0) {
       iterateObject(val, fn, nextLevelKeys, depth - 1)
     }
   })