dd-trace 4.47.1 → 4.48.0

package/packages/datadog-plugin-fastify/src/index.js

@@ -1,18 +1,16 @@
 'use strict'
 
-const RouterPlugin = require('../../datadog-plugin-router/src')
+const FastifyTracingPlugin = require('./tracing')
+const FastifyCodeOriginForSpansPlugin = require('./code_origin')
+const CompositePlugin = require('../../dd-trace/src/plugins/composite')
 
-class FastifyPlugin extends RouterPlugin {
-  static get id () {
-    return 'fastify'
-  }
-
-  constructor (...args) {
-    super(...args)
-
-    this.addSub('apm:fastify:request:handle', ({ req }) => {
-      this.setFramework(req, 'fastify', this.config)
-    })
+class FastifyPlugin extends CompositePlugin {
+  static get id () { return 'fastify' }
+  static get plugins () {
+    return {
+      tracing: FastifyTracingPlugin,
+      codeOriginForSpans: FastifyCodeOriginForSpansPlugin
+    }
   }
 }
 

package/packages/datadog-plugin-fastify/src/tracing.js

@@ -0,0 +1,19 @@
+'use strict'
+
+const RouterPlugin = require('../../datadog-plugin-router/src')
+
+class FastifyTracingPlugin extends RouterPlugin {
+  static get id () {
+    return 'fastify'
+  }
+
+  constructor (...args) {
+    super(...args)
+
+    this.addSub('apm:fastify:request:handle', ({ req }) => {
+      this.setFramework(req, 'fastify', this.config)
+    })
+  }
+}
+
+module.exports = FastifyTracingPlugin

package/packages/datadog-plugin-protobufjs/src/index.js

@@ -0,0 +1,14 @@
+const SchemaPlugin = require('../../dd-trace/src/plugins/schema')
+const SchemaExtractor = require('./schema_iterator')
+
+class ProtobufjsPlugin extends SchemaPlugin {
+  static get id () {
+    return 'protobufjs'
+  }
+
+  static get schemaExtractor () {
+    return SchemaExtractor
+  }
+}
+
+module.exports = ProtobufjsPlugin

package/packages/datadog-plugin-protobufjs/src/schema_iterator.js

@@ -0,0 +1,180 @@
+const PROTOBUF = 'protobuf'
+const {
+  SCHEMA_DEFINITION,
+  SCHEMA_ID,
+  SCHEMA_NAME,
+  SCHEMA_OPERATION,
+  SCHEMA_WEIGHT,
+  SCHEMA_TYPE
+} = require('../../dd-trace/src/constants')
+const log = require('../../dd-trace/src/log')
+const {
+  SchemaBuilder
+} = require('../../dd-trace/src/datastreams/schemas/schema_builder')
+
+class SchemaExtractor {
+  constructor (schema) {
+    this.schema = schema
+  }
+
+  static getTypeAndFormat (type) {
+    const typeFormatMapping = {
+      int32: ['integer', 'int32'],
+      int64: ['integer', 'int64'],
+      uint32: ['integer', 'uint32'],
+      uint64: ['integer', 'uint64'],
+      sint32: ['integer', 'sint32'],
+      sint64: ['integer', 'sint64'],
+      fixed32: ['integer', 'fixed32'],
+      fixed64: ['integer', 'fixed64'],
+      sfixed32: ['integer', 'sfixed32'],
+      sfixed64: ['integer', 'sfixed64'],
+      float: ['number', 'float'],
+      double: ['number', 'double'],
+      bool: ['boolean', null],
+      string: ['string', null],
+      bytes: ['string', 'byte'],
+      Enum: ['enum', null],
+      Type: ['type', null],
+      map: ['map', null],
+      repeated: ['array', null]
+    }
+
+    return typeFormatMapping[type] || ['string', null]
+  }
+
+  static extractProperty (field, schemaName, fieldName, builder, depth) {
+    let array = false
+    let description
+    let ref
+    let enumValues
+
+    const resolvedType = field.resolvedType ? field.resolvedType.constructor.name : field.type
+
+    const isRepeatedField = field.rule === 'repeated'
+
+    let typeFormat = this.getTypeAndFormat(isRepeatedField ? 'repeated' : resolvedType)
+    let type = typeFormat[0]
+    let format = typeFormat[1]
+
+    if (type === 'array') {
+      array = true
+      typeFormat = this.getTypeAndFormat(resolvedType)
+      type = typeFormat[0]
+      format = typeFormat[1]
+    }
+
+    if (type === 'type') {
+      format = null
+      ref = `#/components/schemas/${removeLeadingPeriod(field.resolvedType.fullName)}`
+      // keep a reference to the original builder iterator since when we recurse this reference will get reset to
+      // deeper schemas
+      const originalSchemaExtractor = builder.iterator
+      if (!this.extractSchema(field.resolvedType, builder, depth, this)) {
+        return false
+      }
+      type = 'object'
+      builder.iterator = originalSchemaExtractor
+    } else if (type === 'enum') {
+      enumValues = []
+      let i = 0
+      while (field.resolvedType.valuesById[i]) {
+        enumValues.push(field.resolvedType.valuesById[i])
+        i += 1
+      }
+    }
+    return builder.addProperty(schemaName, fieldName, array, type, description, ref, format, enumValues)
+  }
+
+  static extractSchema (schema, builder, depth, extractor) {
+    depth += 1
+    const schemaName = removeLeadingPeriod(schema.resolvedType ? schema.resolvedType.fullName : schema.fullName)
+    if (extractor) {
+      // if we already have a defined extractor, this is a nested schema. create a new extractor for the nested
+      // schema, ensure it is added to our schema builder's cache, and replace the builders iterator with our
+      // nested schema iterator / extractor. Once complete, add the new schema to our builder's schemas.
+      const nestedSchemaExtractor = new SchemaExtractor(schema)
+      builder.iterator = nestedSchemaExtractor
+      const nestedSchema = SchemaBuilder.getSchema(schemaName, nestedSchemaExtractor, builder)
+      for (const nestedSubSchemaName in nestedSchema.components.schemas) {
+        if (nestedSchema.components.schemas.hasOwnProperty(nestedSubSchemaName)) {
+          builder.schema.components.schemas[nestedSubSchemaName] = nestedSchema.components.schemas[nestedSubSchemaName]
+        }
+      }
+      return true
+    } else {
+      if (!builder.shouldExtractSchema(schemaName, depth)) {
+        return false
+      }
+      for (const field of schema.fieldsArray) {
+        if (!this.extractProperty(field, schemaName, field.name, builder, depth)) {
+          log.warn(`DSM: Unable to extract field with name: ${field.name} from Avro schema with name: ${schemaName}`)
+        }
+      }
+      return true
+    }
+  }
+
+  static extractSchemas (descriptor, dataStreamsProcessor) {
+    const schemaName = removeLeadingPeriod(
+      descriptor.resolvedType ? descriptor.resolvedType.fullName : descriptor.fullName
+    )
+    return dataStreamsProcessor.getSchema(schemaName, new SchemaExtractor(descriptor))
+  }
+
+  iterateOverSchema (builder) {
+    this.constructor.extractSchema(this.schema, builder, 0)
+  }
+
+  static attachSchemaOnSpan (args, span, operation, tracer) {
+    const { messageClass } = args
+    const descriptor = messageClass.$type ?? messageClass
+
+    if (!descriptor || !span) {
+      return
+    }
+
+    if (span.context()._tags[SCHEMA_TYPE] && operation === 'serialization') {
+      // we have already added a schema to this span, this call is an encode of nested schema types
+      return
+    }
+
+    span.setTag(SCHEMA_TYPE, PROTOBUF)
+    span.setTag(SCHEMA_NAME, removeLeadingPeriod(descriptor.fullName))
+    span.setTag(SCHEMA_OPERATION, operation)
+
+    if (!tracer._dataStreamsProcessor.canSampleSchema(operation)) {
+      return
+    }
+
+    // if the span is unsampled, do not sample the schema
+    if (!tracer._prioritySampler.isSampled(span)) {
+      return
+    }
+
+    const weight = tracer._dataStreamsProcessor.trySampleSchema(operation)
+    if (weight === 0) {
+      return
+    }
+
+    const schemaData = SchemaBuilder.getSchemaDefinition(
+      this.extractSchemas(descriptor, tracer._dataStreamsProcessor)
+    )
+
+    span.setTag(SCHEMA_DEFINITION, schemaData.definition)
+    span.setTag(SCHEMA_WEIGHT, weight)
+    span.setTag(SCHEMA_ID, schemaData.id)
+  }
+}
+
+function removeLeadingPeriod (str) {
+  // Check if the first character is a period
+  if (str.charAt(0) === '.') {
+    // Remove the first character
+    return str.slice(1)
+  }
+  // Return the original string if the first character is not a period
+  return str
+}
+
+module.exports = SchemaExtractor

package/packages/dd-trace/src/appsec/addresses.js

@@ -23,6 +23,11 @@ module.exports = {
   WAF_CONTEXT_PROCESSOR: 'waf.context.processor',
 
   HTTP_OUTGOING_URL: 'server.io.net.url',
+  FS_OPERATION_PATH: 'server.io.fs.file',
+
   DB_STATEMENT: 'server.db.statement',
-  DB_SYSTEM: 'server.db.system'
+  DB_SYSTEM: 'server.db.system',
+
+  LOGIN_SUCCESS: 'server.business_logic.users.login.success',
+  LOGIN_FAILURE: 'server.business_logic.users.login.failure'
 }

package/packages/dd-trace/src/appsec/channels.js

@@ -17,6 +17,7 @@ module.exports = {
   setCookieChannel: dc.channel('datadog:iast:set-cookie'),
   nextBodyParsed: dc.channel('apm:next:body-parsed'),
   nextQueryParsed: dc.channel('apm:next:query-parsed'),
+  expressProcessParams: dc.channel('datadog:express:process_params:start'),
   responseBody: dc.channel('datadog:express:response:json:start'),
   responseWriteHead: dc.channel('apm:http:server:response:writeHead:start'),
   httpClientRequestStart: dc.channel('apm:http:client:request:start'),
@@ -24,5 +25,8 @@ module.exports = {
   setUncaughtExceptionCaptureCallbackStart: dc.channel('datadog:process:setUncaughtExceptionCaptureCallback:start'),
   pgQueryStart: dc.channel('apm:pg:query:start'),
   pgPoolQueryStart: dc.channel('datadog:pg:pool:query:start'),
-  wafRunFinished: dc.channel('datadog:waf:run:finish')
+  mysql2OuterQueryStart: dc.channel('datadog:mysql2:outerquery:start'),
+  wafRunFinished: dc.channel('datadog:waf:run:finish'),
+  fsOperationStart: dc.channel('apm:fs:operation:start'),
+  expressMiddlewareError: dc.channel('apm:express:middleware:error')
 }

package/packages/dd-trace/src/appsec/iast/analyzers/cookie-analyzer.js

@@ -2,6 +2,7 @@
 
 const Analyzer = require('./vulnerability-analyzer')
 const { getNodeModulesPaths } = require('../path-line')
+const iastLog = require('../iast-log')
 
 const EXCLUDED_PATHS = getNodeModulesPaths('express/lib/response.js')
 
@@ -11,7 +12,14 @@ class CookieAnalyzer extends Analyzer {
     this.propertyToBeSafe = propertyToBeSafe.toLowerCase()
   }
 
-  onConfigure () {
+  onConfigure (config) {
+    try {
+      this.cookieFilterRegExp = new RegExp(config.iast.cookieFilterPattern)
+    } catch {
+      iastLog.error('Invalid regex in cookieFilterPattern')
+      this.cookieFilterRegExp = /.{32,}/
+    }
+
     this.addSub(
       { channelName: 'datadog:iast:set-cookie', moduleName: 'http' },
       (cookieInfo) => this.analyze(cookieInfo)
@@ -28,6 +36,10 @@ class CookieAnalyzer extends Analyzer {
   }
 
   _createHashSource (type, evidence, location) {
+    if (typeof evidence.value === 'string' && evidence.value.match(this.cookieFilterRegExp)) {
+      return 'FILTERED_' + this._type
+    }
+
     return `${type}:${evidence.value}`
   }
 

package/packages/dd-trace/src/appsec/iast/analyzers/path-traversal-analyzer.js

@@ -29,7 +29,14 @@ class PathTraversalAnalyzer extends InjectionAnalyzer {
 
   onConfigure () {
     this.addSub('apm:fs:operation:start', (obj) => {
-      if (ignoredOperations.includes(obj.operation)) return
+      const store = storage.getStore()
+      const outOfReqOrChild = !store?.fs?.root
+
+      // we could filter out all the nested fs.operations based on store.fs.root
+      // but if we spect a store in the context to be present we are going to exclude
+      // all out_of_the_request fs.operations
+      // AppsecFsPlugin must be enabled
+      if (ignoredOperations.includes(obj.operation) || outOfReqOrChild) return
 
       const pathArguments = []
       if (obj.dest) {

package/packages/dd-trace/src/appsec/iast/iast-plugin.js

@@ -127,7 +127,7 @@ class IastPlugin extends Plugin {
       config = { enabled: config }
     }
     if (config.enabled && !this.configured) {
-      this.onConfigure()
+      this.onConfigure(config.tracerConfig)
       this.configured = true
     }
 

package/packages/dd-trace/src/appsec/iast/index.js

@@ -14,6 +14,7 @@ const {
 } = require('./taint-tracking')
 const { IAST_ENABLED_TAG_KEY } = require('./tags')
 const iastTelemetry = require('./telemetry')
+const { enable: enableFsPlugin, disable: disableFsPlugin, IAST_MODULE } = require('../rasp/fs-plugin')
 
 // TODO Change to `apm:http:server:request:[start|close]` when the subscription
 //  order of the callbacks can be enforce
@@ -27,6 +28,7 @@ function enable (config, _tracer) {
   if (isEnabled) return
 
   iastTelemetry.configure(config, config.iast?.telemetryVerbosity)
+  enableFsPlugin(IAST_MODULE)
   enableAllAnalyzers(config)
   enableTaintTracking(config.iast, iastTelemetry.verbosity)
   requestStart.subscribe(onIncomingHttpRequestStart)
@@ -44,6 +46,7 @@ function disable () {
   isEnabled = false
 
   iastTelemetry.stop()
+  disableFsPlugin(IAST_MODULE)
   disableAllAnalyzers()
   disableTaintTracking()
   overheadController.finishGlobalContext()

package/packages/dd-trace/src/appsec/iast/taint-tracking/csi-methods.js

@@ -12,6 +12,7 @@ const csiMethods = [
   { src: 'substring' },
   { src: 'toLowerCase', dst: 'stringCase' },
   { src: 'toUpperCase', dst: 'stringCase' },
+  { src: 'tplOperator', operator: true },
   { src: 'trim' },
   { src: 'trimEnd' },
   { src: 'trimStart', dst: 'trim' },

package/packages/dd-trace/src/appsec/iast/taint-tracking/taint-tracking-impl.js

@@ -29,6 +29,7 @@ const TaintTrackingNoop = {
   substr: noop,
   substring: noop,
   stringCase: noop,
+  tplOperator: noop,
   trim: noop,
   trimEnd: noop
 }
@@ -117,6 +118,20 @@ function csiMethodsOverrides (getContext) {
       return res
     },
 
+    tplOperator: function (res, ...rest) {
+      try {
+        const iastContext = getContext()
+        const transactionId = getTransactionId(iastContext)
+        if (transactionId) {
+          return TaintedUtils.concat(transactionId, res, ...rest)
+        }
+      } catch (e) {
+        iastLog.error('Error invoking CSI tplOperator')
+          .errorAndPublish(e)
+      }
+      return res
+    },
+
     stringCase: getCsiFn(
       (transactionId, res, target) => TaintedUtils.stringCase(transactionId, res, target),
       getContext,

package/packages/dd-trace/src/appsec/index.js

@@ -12,6 +12,7 @@ const {
   queryParser,
   nextBodyParsed,
   nextQueryParsed,
+  expressProcessParams,
   responseBody,
   responseWriteHead,
   responseSetHeader
@@ -30,6 +31,8 @@ const { storage } = require('../../../datadog-core')
 const graphql = require('./graphql')
 const rasp = require('./rasp')
 
+const responseAnalyzedSet = new WeakSet()
+
 let isEnabled = false
 let config
 
@@ -54,13 +57,14 @@ function enable (_config) {
 
     apiSecuritySampler.configure(_config.appsec)
 
+    bodyParser.subscribe(onRequestBodyParsed)
+    cookieParser.subscribe(onRequestCookieParser)
     incomingHttpRequestStart.subscribe(incomingHttpStartTranslator)
     incomingHttpRequestEnd.subscribe(incomingHttpEndTranslator)
-    bodyParser.subscribe(onRequestBodyParsed)
+    queryParser.subscribe(onRequestQueryParsed)
     nextBodyParsed.subscribe(onRequestBodyParsed)
     nextQueryParsed.subscribe(onRequestQueryParsed)
-    queryParser.subscribe(onRequestQueryParsed)
-    cookieParser.subscribe(onRequestCookieParser)
+    expressProcessParams.subscribe(onRequestProcessParams)
     responseBody.subscribe(onResponseBody)
     responseWriteHead.subscribe(onResponseWriteHead)
     responseSetHeader.subscribe(onResponseSetHeader)
@@ -79,6 +83,41 @@ function enable (_config) {
   }
 }
 
+function onRequestBodyParsed ({ req, res, body, abortController }) {
+  if (body === undefined || body === null) return
+
+  if (!req) {
+    const store = storage.getStore()
+    req = store?.req
+  }
+
+  const rootSpan = web.root(req)
+  if (!rootSpan) return
+
+  const results = waf.run({
+    persistent: {
+      [addresses.HTTP_INCOMING_BODY]: body
+    }
+  }, req)
+
+  handleResults(results, req, res, rootSpan, abortController)
+}
+
+function onRequestCookieParser ({ req, res, abortController, cookies }) {
+  if (!cookies || typeof cookies !== 'object') return
+
+  const rootSpan = web.root(req)
+  if (!rootSpan) return
+
+  const results = waf.run({
+    persistent: {
+      [addresses.HTTP_INCOMING_COOKIES]: cookies
+    }
+  }, req)
+
+  handleResults(results, req, res, rootSpan, abortController)
+}
+
 function incomingHttpStartTranslator ({ req, res, abortController }) {
   const rootSpan = web.root(req)
   if (!rootSpan) return
@@ -122,11 +161,6 @@ function incomingHttpEndTranslator ({ req, res }) {
     persistent[addresses.HTTP_INCOMING_BODY] = req.body
   }
 
-  // TODO: temporary express instrumentation, will use express plugin later
-  if (req.params !== null && typeof req.params === 'object') {
-    persistent[addresses.HTTP_INCOMING_PARAMS] = req.params
-  }
-
   // we need to keep this to support other cookie parsers
   if (req.cookies !== null && typeof req.cookies === 'object') {
     persistent[addresses.HTTP_INCOMING_COOKIES] = req.cookies
@@ -145,24 +179,16 @@ function incomingHttpEndTranslator ({ req, res }) {
   Reporter.finishRequest(req, res)
 }
 
-function onRequestBodyParsed ({ req, res, body, abortController }) {
-  if (body === undefined || body === null) return
+function onPassportVerify ({ credentials, user }) {
+  const store = storage.getStore()
+  const rootSpan = store?.req && web.root(store.req)
 
-  if (!req) {
-    const store = storage.getStore()
-    req = store?.req
+  if (!rootSpan) {
+    log.warn('No rootSpan found in onPassportVerify')
+    return
   }
 
-  const rootSpan = web.root(req)
-  if (!rootSpan) return
-
-  const results = waf.run({
-    persistent: {
-      [addresses.HTTP_INCOMING_BODY]: body
-    }
-  }, req)
-
-  handleResults(results, req, res, rootSpan, abortController)
+  passportTrackEvent(credentials, user, rootSpan, config.appsec.eventTracking.mode)
 }
 
 function onRequestQueryParsed ({ req, res, query, abortController }) {
@@ -185,15 +211,15 @@ function onRequestQueryParsed ({ req, res, query, abortController }) {
   handleResults(results, req, res, rootSpan, abortController)
 }
 
-function onRequestCookieParser ({ req, res, abortController, cookies }) {
-  if (!cookies || typeof cookies !== 'object') return
-
+function onRequestProcessParams ({ req, res, abortController, params }) {
   const rootSpan = web.root(req)
   if (!rootSpan) return
 
+  if (!params || typeof params !== 'object' || !Object.keys(params).length) return
+
   const results = waf.run({
     persistent: {
-      [addresses.HTTP_INCOMING_COOKIES]: cookies
+      [addresses.HTTP_INCOMING_PARAMS]: params
     }
   }, req)
 
@@ -212,20 +238,6 @@ function onResponseBody ({ req, body }) {
   }, req)
 }
 
-function onPassportVerify ({ credentials, user }) {
-  const store = storage.getStore()
-  const rootSpan = store?.req && web.root(store.req)
-
-  if (!rootSpan) {
-    log.warn('No rootSpan found in onPassportVerify')
-    return
-  }
-
-  passportTrackEvent(credentials, user, rootSpan, config.appsec.eventTracking.mode)
-}
-
-const responseAnalyzedSet = new WeakSet()
-
 function onResponseWriteHead ({ req, res, abortController, statusCode, responseHeaders }) {
   // avoid "write after end" error
   if (isBlocked(res)) {
@@ -287,12 +299,15 @@ function disable () {
 
   // Channel#unsubscribe() is undefined for non active channels
   if (bodyParser.hasSubscribers) bodyParser.unsubscribe(onRequestBodyParsed)
+  if (cookieParser.hasSubscribers) cookieParser.unsubscribe(onRequestCookieParser)
   if (incomingHttpRequestStart.hasSubscribers) incomingHttpRequestStart.unsubscribe(incomingHttpStartTranslator)
   if (incomingHttpRequestEnd.hasSubscribers) incomingHttpRequestEnd.unsubscribe(incomingHttpEndTranslator)
+  if (passportVerify.hasSubscribers) passportVerify.unsubscribe(onPassportVerify)
   if (queryParser.hasSubscribers) queryParser.unsubscribe(onRequestQueryParsed)
-  if (cookieParser.hasSubscribers) cookieParser.unsubscribe(onRequestCookieParser)
+  if (nextBodyParsed.hasSubscribers) nextBodyParsed.unsubscribe(onRequestBodyParsed)
+  if (nextQueryParsed.hasSubscribers) nextQueryParsed.unsubscribe(onRequestQueryParsed)
+  if (expressProcessParams.hasSubscribers) expressProcessParams.unsubscribe(onRequestProcessParams)
   if (responseBody.hasSubscribers) responseBody.unsubscribe(onResponseBody)
-  if (passportVerify.hasSubscribers) passportVerify.unsubscribe(onPassportVerify)
   if (responseWriteHead.hasSubscribers) responseWriteHead.unsubscribe(onResponseWriteHead)
   if (responseSetHeader.hasSubscribers) responseSetHeader.unsubscribe(onResponseSetHeader)
 }

package/packages/dd-trace/src/appsec/rasp/fs-plugin.js

@@ -0,0 +1,99 @@
+'use strict'
+
+const Plugin = require('../../plugins/plugin')
+const { storage } = require('../../../../datadog-core')
+const log = require('../../log')
+
+const RASP_MODULE = 'rasp'
+const IAST_MODULE = 'iast'
+
+const enabledFor = {
+  [RASP_MODULE]: false,
+  [IAST_MODULE]: false
+}
+
+let fsPlugin
+
+function enterWith (fsProps, store = storage.getStore()) {
+  if (store && !store.fs?.opExcluded) {
+    storage.enterWith({
+      ...store,
+      fs: {
+        ...store.fs,
+        ...fsProps,
+        parentStore: store
+      }
+    })
+  }
+}
+
+class AppsecFsPlugin extends Plugin {
+  enable () {
+    this.addSub('apm:fs:operation:start', this._onFsOperationStart)
+    this.addSub('apm:fs:operation:finish', this._onFsOperationFinishOrRenderEnd)
+    this.addSub('tracing:datadog:express:response:render:start', this._onResponseRenderStart)
+    this.addSub('tracing:datadog:express:response:render:end', this._onFsOperationFinishOrRenderEnd)
+
+    super.configure(true)
+  }
+
+  disable () {
+    super.configure(false)
+  }
+
+  _onFsOperationStart () {
+    const store = storage.getStore()
+    if (store) {
+      enterWith({ root: store.fs?.root === undefined }, store)
+    }
+  }
+
+  _onResponseRenderStart () {
+    enterWith({ opExcluded: true })
+  }
+
+  _onFsOperationFinishOrRenderEnd () {
+    const store = storage.getStore()
+    if (store?.fs?.parentStore) {
+      storage.enterWith(store.fs.parentStore)
+    }
+  }
+}
+
+function enable (mod) {
+  if (enabledFor[mod] !== false) return
+
+  enabledFor[mod] = true
+
+  if (!fsPlugin) {
+    fsPlugin = new AppsecFsPlugin()
+    fsPlugin.enable()
+  }
+
+  log.info(`Enabled AppsecFsPlugin for ${mod}`)
+}
+
+function disable (mod) {
+  if (!mod || !enabledFor[mod]) return
+
+  enabledFor[mod] = false
+
+  const allDisabled = Object.values(enabledFor).every(val => val === false)
+  if (allDisabled) {
+    fsPlugin?.disable()
+
+    fsPlugin = undefined
+  }
+
+  log.info(`Disabled AppsecFsPlugin for ${mod}`)
+}
+
+module.exports = {
+  enable,
+  disable,
+
+  AppsecFsPlugin,
+
+  RASP_MODULE,
+  IAST_MODULE
+}