dd-trace 4.41.0 → 4.43.0

package/packages/datadog-plugin-vitest/src/index.js

@@ -0,0 +1,167 @@
+const CiPlugin = require('../../dd-trace/src/plugins/ci_plugin')
+const { storage } = require('../../datadog-core')
+
+const {
+  TEST_STATUS,
+  finishAllTraceSpans,
+  getTestSuitePath,
+  getTestSuiteCommonTags,
+  TEST_SOURCE_FILE,
+  TEST_IS_RETRY
+} = require('../../dd-trace/src/plugins/util/test')
+const { COMPONENT } = require('../../dd-trace/src/constants')
+
+// Milliseconds that we subtract from the error test duration
+// so that they do not overlap with the following test
+// This is because there's some loss of resolution.
+const MILLISECONDS_TO_SUBTRACT_FROM_FAILED_TEST_DURATION = 5
+
+class VitestPlugin extends CiPlugin {
+  static get id () {
+    return 'vitest'
+  }
+
+  constructor (...args) {
+    super(...args)
+
+    this.taskToFinishTime = new WeakMap()
+
+    this.addSub('ci:vitest:test:start', ({ testName, testSuiteAbsolutePath, isRetry }) => {
+      const testSuite = getTestSuitePath(testSuiteAbsolutePath, this.repositoryRoot)
+      const store = storage.getStore()
+
+      const extraTags = {
+        [TEST_SOURCE_FILE]: testSuite
+      }
+      if (isRetry) {
+        extraTags[TEST_IS_RETRY] = 'true'
+      }
+
+      const span = this.startTestSpan(
+        testName,
+        testSuite,
+        this.testSuiteSpan,
+        extraTags
+      )
+
+      this.enter(span, store)
+    })
+
+    this.addSub('ci:vitest:test:finish-time', ({ status, task }) => {
+      const store = storage.getStore()
+      const span = store?.span
+
+      // we store the finish time to finish at a later hook
+      // this is because the test might fail at a `afterEach` hook
+      if (span) {
+        span.setTag(TEST_STATUS, status)
+        this.taskToFinishTime.set(task, span._getTime())
+      }
+    })
+
+    this.addSub('ci:vitest:test:pass', ({ task }) => {
+      const store = storage.getStore()
+      const span = store?.span
+
+      if (span) {
+        span.setTag(TEST_STATUS, 'pass')
+        span.finish(this.taskToFinishTime.get(task))
+        finishAllTraceSpans(span)
+      }
+    })
+
+    this.addSub('ci:vitest:test:error', ({ duration, error }) => {
+      const store = storage.getStore()
+      const span = store?.span
+
+      if (span) {
+        span.setTag(TEST_STATUS, 'fail')
+
+        if (error) {
+          span.setTag('error', error)
+        }
+        if (duration) {
+          span.finish(span._startTime + duration - MILLISECONDS_TO_SUBTRACT_FROM_FAILED_TEST_DURATION) // milliseconds
+        } else {
+          span.finish() // retries will not have a duration
+        }
+        finishAllTraceSpans(span)
+      }
+    })
+
+    this.addSub('ci:vitest:test:skip', ({ testName, testSuiteAbsolutePath }) => {
+      const testSuite = getTestSuitePath(testSuiteAbsolutePath, this.repositoryRoot)
+      this.startTestSpan(
+        testName,
+        testSuite,
+        this.testSuiteSpan,
+        {
+          [TEST_SOURCE_FILE]: testSuite,
+          [TEST_STATUS]: 'skip'
+        }
+      ).finish()
+    })
+
+    this.addSub('ci:vitest:test-suite:start', (testSuiteAbsolutePath) => {
+      const testSessionSpanContext = this.tracer.extract('text_map', {
+        'x-datadog-trace-id': process.env.DD_CIVISIBILITY_TEST_SESSION_ID,
+        'x-datadog-parent-id': process.env.DD_CIVISIBILITY_TEST_MODULE_ID
+      })
+
+      const testSuite = getTestSuitePath(testSuiteAbsolutePath, this.repositoryRoot)
+      const testSuiteMetadata = getTestSuiteCommonTags(
+        this.command,
+        this.frameworkVersion,
+        testSuite,
+        'vitest'
+      )
+      const testSuiteSpan = this.tracer.startSpan('vitest.test_suite', {
+        childOf: testSessionSpanContext,
+        tags: {
+          [COMPONENT]: this.constructor.id,
+          ...this.testEnvironmentMetadata,
+          ...testSuiteMetadata
+        }
+      })
+      const store = storage.getStore()
+      this.enter(testSuiteSpan, store)
+      this.testSuiteSpan = testSuiteSpan
+    })
+
+    this.addSub('ci:vitest:test-suite:finish', ({ status, onFinish }) => {
+      const store = storage.getStore()
+      const span = store?.span
+      if (span) {
+        span.setTag(TEST_STATUS, status)
+        span.finish()
+        finishAllTraceSpans(span)
+      }
+      // TODO: too frequent flush - find for method in worker to decrease frequency
+      this.tracer._exporter.flush(onFinish)
+    })
+
+    this.addSub('ci:vitest:test-suite:error', ({ error }) => {
+      const store = storage.getStore()
+      const span = store?.span
+      if (span && error) {
+        span.setTag('error', error)
+        span.setTag(TEST_STATUS, 'fail')
+      }
+    })
+
+    this.addSub('ci:vitest:session:finish', ({ status, onFinish, error }) => {
+      this.testSessionSpan.setTag(TEST_STATUS, status)
+      this.testModuleSpan.setTag(TEST_STATUS, status)
+      if (error) {
+        this.testModuleSpan.setTag('error', error)
+        this.testSessionSpan.setTag('error', error)
+      }
+      this.testModuleSpan.finish()
+      this.testSessionSpan.finish()
+      finishAllTraceSpans(this.testSessionSpan)
+      this.tracer._exporter.flush(onFinish)
+    })
+  }
+}
+
+module.exports = VitestPlugin

package/packages/dd-trace/src/analytics_sampler.js

@@ -4,7 +4,7 @@ const { MEASURED } = require('../../../ext/tags')
 
 module.exports = {
   sample (span, measured, measuredByDefault) {
-    if (typeof measured === 'object') {
+    if (measured !== null && typeof measured === 'object') {
       this.sample(span, measured[span.context()._name], measuredByDefault)
     } else if (measured !== undefined) {
       span.setTag(MEASURED, !!measured)

package/packages/dd-trace/src/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.js

@@ -13,7 +13,7 @@ const EXCLUDED_PATHS_FROM_STACK = getNodeModulesPaths('mongodb', 'mongoose', 'mq
 const MONGODB_NOSQL_SECURE_MARK = getNextSecureMark()
 
 function iterateObjectStrings (target, fn, levelKeys = [], depth = 20, visited = new Set()) {
-  if (target && typeof target === 'object') {
+  if (target !== null && typeof target === 'object') {
     Object.keys(target).forEach((key) => {
       const nextLevelKeys = [...levelKeys, key]
       const val = target[key]

package/packages/dd-trace/src/appsec/iast/path-line.js

@@ -3,6 +3,7 @@
 const path = require('path')
 const process = require('process')
 const { calculateDDBasePath } = require('../../util')
+const { getCallSiteList } = require('../stack_trace')
 const pathLine = {
   getFirstNonDDPathAndLine,
   getNodeModulesPaths,
@@ -24,24 +25,6 @@ const EXCLUDED_PATH_PREFIXES = [
   'async_hooks'
 ]
 
-function getCallSiteInfo () {
-  const previousPrepareStackTrace = Error.prepareStackTrace
-  const previousStackTraceLimit = Error.stackTraceLimit
-  let callsiteList
-  Error.stackTraceLimit = 100
-  try {
-    Error.prepareStackTrace = function (_, callsites) {
-      callsiteList = callsites
-    }
-    const e = new Error()
-    e.stack
-  } finally {
-    Error.prepareStackTrace = previousPrepareStackTrace
-    Error.stackTraceLimit = previousStackTraceLimit
-  }
-  return callsiteList
-}
-
 function getFirstNonDDPathAndLineFromCallsites (callsites, externallyExcludedPaths) {
   if (callsites) {
     for (let i = 0; i < callsites.length; i++) {
@@ -91,7 +74,7 @@ function isExcluded (callsite, externallyExcludedPaths) {
 }
 
 function getFirstNonDDPathAndLine (externallyExcludedPaths) {
-  return getFirstNonDDPathAndLineFromCallsites(getCallSiteInfo(), externallyExcludedPaths)
+  return getFirstNonDDPathAndLineFromCallsites(getCallSiteList(), externallyExcludedPaths)
 }
 
 function getNodeModulesPaths (...paths) {

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js

@@ -45,7 +45,7 @@ class TaintTrackingPlugin extends SourceIastPlugin {
     this.addSub(
       { channelName: 'apm:express:middleware:next', tag: HTTP_REQUEST_BODY },
       ({ req }) => {
-        if (req && req.body && typeof req.body === 'object') {
+        if (req && req.body !== null && typeof req.body === 'object') {
           const iastContext = getIastContext(storage.getStore())
           if (iastContext && iastContext.body !== req.body) {
             this._taintTrackingHandler(HTTP_REQUEST_BODY, req, 'body', iastContext)
@@ -63,7 +63,7 @@ class TaintTrackingPlugin extends SourceIastPlugin {
     this.addSub(
       { channelName: 'datadog:express:process_params:start', tag: HTTP_REQUEST_PATH_PARAM },
       ({ req }) => {
-        if (req && req.params && typeof req.params === 'object') {
+        if (req && req.params !== null && typeof req.params === 'object') {
           this._taintTrackingHandler(HTTP_REQUEST_PATH_PARAM, req, 'params')
         }
       }

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugins/kafka.js

@@ -27,14 +27,14 @@ class KafkaConsumerIastPlugin extends SourceIastPlugin {
     if (iastContext && message) {
       const { key, value } = message
 
-      if (key && typeof key === 'object') {
+      if (key !== null && typeof key === 'object') {
         shimmer.wrap(key, 'toString',
           toString => this.getToStringWrap(toString, iastContext, KAFKA_MESSAGE_KEY))
 
         newTaintedObject(iastContext, key, undefined, KAFKA_MESSAGE_KEY)
       }
 
-      if (value && typeof value === 'object') {
+      if (value !== null && typeof value === 'object') {
         shimmer.wrap(value, 'toString',
           toString => this.getToStringWrap(toString, iastContext, KAFKA_MESSAGE_VALUE))
 

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/index.js

@@ -43,6 +43,8 @@ class VulnerabilityFormatter {
     const valueParts = []
     let fromIndex = 0
 
+    if (evidence.value == null) return { valueParts }
+
     if (typeof evidence.value === 'object' && evidence.rangesToApply) {
       const { value, ranges } = stringifyWithRanges(evidence.value, evidence.rangesToApply)
       evidence.value = value
@@ -69,7 +71,7 @@ class VulnerabilityFormatter {
   }
 
   formatEvidence (type, evidence, sourcesIndexes, sources) {
-    if (typeof evidence.value === 'undefined') {
+    if (evidence.value === undefined) {
       return undefined
     }
 

package/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js

@@ -4,6 +4,7 @@ const { MANUAL_KEEP } = require('../../../../../ext/tags')
 const LRU = require('lru-cache')
 const vulnerabilitiesFormatter = require('./vulnerabilities-formatter')
 const { IAST_ENABLED_TAG_KEY, IAST_JSON_TAG_KEY } = require('./tags')
+const standalone = require('../standalone')
 
 const VULNERABILITIES_KEY = 'vulnerabilities'
 const VULNERABILITY_HASHES_MAX_SIZE = 1000
@@ -57,6 +58,9 @@ function sendVulnerabilities (vulnerabilities, rootSpan) {
         tags[IAST_JSON_TAG_KEY] = JSON.stringify(jsonToSend)
         tags[MANUAL_KEEP] = 'true'
         span.addTags(tags)
+
+        standalone.sample(span)
+
         if (!rootSpan) span.finish()
       }
     }

package/packages/dd-trace/src/appsec/index.js

@@ -40,7 +40,7 @@ function enable (_config) {
     graphql.enable()
 
     if (_config.appsec.rasp.enabled) {
-      rasp.enable()
+      rasp.enable(_config)
     }
 
     setTemplates(_config)
@@ -121,16 +121,16 @@ function incomingHttpEndTranslator ({ req, res }) {
   }
 
   // TODO: temporary express instrumentation, will use express plugin later
-  if (req.params && typeof req.params === 'object') {
+  if (req.params !== null && typeof req.params === 'object') {
     persistent[addresses.HTTP_INCOMING_PARAMS] = req.params
   }
 
   // we need to keep this to support other cookie parsers
-  if (req.cookies && typeof req.cookies === 'object') {
+  if (req.cookies !== null && typeof req.cookies === 'object') {
     persistent[addresses.HTTP_INCOMING_COOKIES] = req.cookies
   }
 
-  if (req.query && typeof req.query === 'object') {
+  if (req.query !== null && typeof req.query === 'object') {
     persistent[addresses.HTTP_INCOMING_QUERY] = req.query
   }
 

package/packages/dd-trace/src/appsec/passport.js

@@ -13,7 +13,7 @@ const regexSdkEvent = new RegExp(SDK_USER_EVENT_PATTERN, 'i')
 function isSdkCalled (tags) {
   let called = false
 
-  if (tags && typeof tags === 'object') {
+  if (tags !== null && typeof tags === 'object') {
     called = Object.entries(tags).some(([key, value]) => regexSdkEvent.test(key) && value === 'true')
   }
 

package/packages/dd-trace/src/appsec/rasp.js

@@ -1,11 +1,20 @@
 'use strict'
 
 const { storage } = require('../../../datadog-core')
+const web = require('./../plugins/util/web')
 const addresses = require('./addresses')
 const { httpClientRequestStart } = require('./channels')
+const { reportStackTrace } = require('./stack_trace')
 const waf = require('./waf')
 
-function enable () {
+const RULE_TYPES = {
+  SSRF: 'ssrf'
+}
+
+let config
+
+function enable (_config) {
+  config = _config
   httpClientRequestStart.subscribe(analyzeSsrf)
 }
 
@@ -24,12 +33,30 @@ function analyzeSsrf (ctx) {
     [addresses.HTTP_OUTGOING_URL]: url
   }
   // TODO: Currently this is only monitoring, we should
-  //     block the request if SSRF attempt and
-  //     generate stack traces
-  waf.run({ persistent }, req)
+  //     block the request if SSRF attempt
+  const result = waf.run({ persistent }, req, RULE_TYPES.SSRF)
+  handleResult(result, req)
+}
+
+function getGenerateStackTraceAction (actions) {
+  return actions?.generate_stack
+}
+
+function handleResult (actions, req) {
+  const generateStackTraceAction = getGenerateStackTraceAction(actions)
+  if (generateStackTraceAction && config.appsec.stackTrace.enabled) {
+    const rootSpan = web.root(req)
+    reportStackTrace(
+      rootSpan,
+      generateStackTraceAction.stack_id,
+      config.appsec.stackTrace.maxDepth,
+      config.appsec.stackTrace.maxStackTraces
+    )
+  }
 }
 
 module.exports = {
   enable,
-  disable
+  disable,
+  handleResult
 }

package/packages/dd-trace/src/appsec/recommended.json

@@ -1,7 +1,7 @@
 {
   "version": "2.2",
   "metadata": {
-    "rules_version": "1.11.0"
+    "rules_version": "1.12.0"
   },
   "rules": [
     {
@@ -1921,7 +1921,6 @@
               "$ifs",
               "$oldpwd",
               "$ostype",
-              "$path",
               "$pwd",
               "dev/fd/",
               "dev/null",
@@ -5849,7 +5848,8 @@
               "/website.php",
               "/stats.php",
               "/assets/plugins/mp3_id/mp3_id.php",
-              "/siteminderagent/forms/smpwservices.fcc"
+              "/siteminderagent/forms/smpwservices.fcc",
+              "/eval-stdin.php"
             ]
           }
         }
@@ -6236,6 +6236,155 @@
       ],
       "transformers": []
     },
+    {
+      "id": "rasp-930-100",
+      "name": "Local file inclusion exploit",
+      "enabled": false,
+      "tags": {
+        "type": "lfi",
+        "category": "vulnerability_trigger",
+        "cwe": "22",
+        "capec": "1000/255/153/126",
+        "confidence": "0",
+        "module": "rasp"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "resource": [
+              {
+                "address": "server.io.fs.file"
+              }
+            ],
+            "params": [
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              },
+              {
+                "address": "server.request.path_params"
+              },
+              {
+                "address": "grpc.server.request.message"
+              },
+              {
+                "address": "graphql.server.all_resolvers"
+              },
+              {
+                "address": "graphql.server.resolver"
+              }
+            ]
+          },
+          "operator": "lfi_detector"
+        }
+      ],
+      "transformers": [],
+      "on_match": [
+        "stack_trace"
+      ]
+    },
+    {
+      "id": "rasp-934-100",
+      "name": "Server-side request forgery exploit",
+      "enabled": false,
+      "tags": {
+        "type": "ssrf",
+        "category": "vulnerability_trigger",
+        "cwe": "918",
+        "capec": "1000/225/115/664",
+        "confidence": "0",
+        "module": "rasp"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "resource": [
+              {
+                "address": "server.io.net.url"
+              }
+            ],
+            "params": [
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              },
+              {
+                "address": "server.request.path_params"
+              },
+              {
+                "address": "grpc.server.request.message"
+              },
+              {
+                "address": "graphql.server.all_resolvers"
+              },
+              {
+                "address": "graphql.server.resolver"
+              }
+            ]
+          },
+          "operator": "ssrf_detector"
+        }
+      ],
+      "transformers": [],
+      "on_match": [
+        "stack_trace"
+      ]
+    },
+    {
+      "id": "rasp-942-100",
+      "name": "SQL injection exploit",
+      "enabled": false,
+      "tags": {
+        "type": "sql_injection",
+        "category": "vulnerability_trigger",
+        "cwe": "89",
+        "capec": "1000/152/248/66",
+        "confidence": "0",
+        "module": "rasp"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "resource": [
+              {
+                "address": "server.db.statement"
+              }
+            ],
+            "params": [
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              },
+              {
+                "address": "server.request.path_params"
+              },
+              {
+                "address": "graphql.server.all_resolvers"
+              },
+              {
+                "address": "graphql.server.resolver"
+              }
+            ],
+            "db_type": [
+              {
+                "address": "server.db.system"
+              }
+            ]
+          },
+          "operator": "sqli_detector"
+        }
+      ],
+      "transformers": [],
+      "on_match": [
+        "stack_trace"
+      ]
+    },
     {
       "id": "sqr-000-001",
       "name": "SSRF: Try to access the credential manager of the main cloud services",
@@ -8391,6 +8540,34 @@
     }
   ],
   "scanners": [
+    {
+      "id": "406f8606-52c4-4663-8db9-df70f9e8766c",
+      "name": "ZIP Code",
+      "key": {
+        "operator": "match_regex",
+        "parameters": {
+          "regex": "\\b(?:zip|postal)\\b",
+          "options": {
+            "case_sensitive": false,
+            "min_length": 3
+          }
+        }
+      },
+      "value": {
+        "operator": "match_regex",
+        "parameters": {
+          "regex": "^[0-9]{5}(?:-[0-9]{4})?$",
+          "options": {
+            "case_sensitive": true,
+            "min_length": 5
+          }
+        }
+      },
+      "tags": {
+        "type": "zipcode",
+        "category": "address"
+      }
+    },
     {
       "id": "JU1sRk3mSzqSUJn6GrVn7g",
       "name": "American Express Card Scanner (4+4+4+3 digits)",
@@ -9157,6 +9334,34 @@
         "category": "payment"
       }
     },
+    {
+      "id": "18b608bd7a764bff5b2344c0",
+      "name": "Phone number",
+      "key": {
+        "operator": "match_regex",
+        "parameters": {
+          "regex": "\\bphone|number|mobile\\b",
+          "options": {
+            "case_sensitive": false,
+            "min_length": 3
+          }
+        }
+      },
+      "value": {
+        "operator": "match_regex",
+        "parameters": {
+          "regex": "^(?:\\(\\+\\d{1,3}\\)|\\+\\d{1,3}|00\\d{1,3})?[-\\s\\.]?(?:\\(\\d{3}\\)[-\\s\\.]?)?(?:\\d[-\\s\\.]?){6,10}$",
+          "options": {
+            "case_sensitive": false,
+            "min_length": 6
+          }
+        }
+      },
+      "tags": {
+        "type": "phone",
+        "category": "pii"
+      }
+    },
     {
       "id": "de0899e0cbaaa812bb624cf04c912071012f616d-mod",
       "name": "UK National Insurance Number Scanner",