npm - dd-trace - Versions diffs - 4.7.0 → 4.8.0 - Mend

dd-trace 4.7.0 → 4.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (46) hide show

package/README.md CHANGED Viewed

@@ -143,8 +143,8 @@ $ yarn leak:plugins
 ### Linting
-We use [ESLint](https://eslint.org) to make sure that new code is
-conform to our coding standards.
+We use [ESLint](https://eslint.org) to make sure that new code
+conforms to our coding standards.
 To run the linter, use:

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "dd-trace",
-  "version": "4.7.0",
+  "version": "4.8.0",
   "description": "Datadog APM tracing client for JavaScript",
   "main": "index.js",
   "typings": "index.d.ts",
@@ -68,9 +68,9 @@
   "dependencies": {
     "@datadog/native-appsec": "^3.2.0",
     "@datadog/native-iast-rewriter": "2.0.1",
-    "@datadog/native-iast-taint-tracking": "^1.5.0",
+    "@datadog/native-iast-taint-tracking": "1.5.0",
     "@datadog/native-metrics": "^2.0.0",
-    "@datadog/pprof": "3.0.0",
+    "@datadog/pprof": "3.1.0",
     "@datadog/sketches-js": "^2.1.0",
     "@opentelemetry/api": "^1.0.0",
     "@opentelemetry/core": "^1.14.0",

package/packages/datadog-core/src/storage/async_resource.js CHANGED Viewed

@@ -5,6 +5,7 @@ const { channel } = require('../../../diagnostics_channel')
 const beforeCh = channel('dd-trace:storage:before')
 const afterCh = channel('dd-trace:storage:after')
+const enterCh = channel('dd-trace:storage:enter')
 let PrivateSymbol = Symbol
 function makePrivateSymbol () {
@@ -52,6 +53,7 @@ class AsyncResourceStorage {
     const resource = this._executionAsyncResource()
     resource[this._ddResourceStore] = store
+    enterCh.publish()
   }
   run (store, callback, ...args) {
@@ -61,11 +63,13 @@ class AsyncResourceStorage {
     const oldStore = resource[this._ddResourceStore]
     resource[this._ddResourceStore] = store
+    enterCh.publish()
     try {
       return callback(...args)
     } finally {
       resource[this._ddResourceStore] = oldStore
+      enterCh.publish()
     }
   }

package/packages/datadog-instrumentations/src/couchbase.js CHANGED Viewed

@@ -160,7 +160,7 @@ function wrapV3Query (query) {
 }
 // semver >=2 <3
-addHook({ name: 'couchbase', file: 'lib/bucket.js', versions: ['^2.6.5'] }, Bucket => {
+addHook({ name: 'couchbase', file: 'lib/bucket.js', versions: ['^2.6.12'] }, Bucket => {
   const startCh = channel('apm:couchbase:query:start')
   const finishCh = channel('apm:couchbase:query:finish')
   const errorCh = channel('apm:couchbase:query:error')
@@ -208,7 +208,7 @@ addHook({ name: 'couchbase', file: 'lib/bucket.js', versions: ['^2.6.5'] }, Buck
   return Bucket
 })
-addHook({ name: 'couchbase', file: 'lib/cluster.js', versions: ['^2.6.5'] }, Cluster => {
+addHook({ name: 'couchbase', file: 'lib/cluster.js', versions: ['^2.6.12'] }, Cluster => {
   Cluster.prototype._maybeInvoke = wrapMaybeInvoke(Cluster.prototype._maybeInvoke)
   Cluster.prototype.query = wrapQuery(Cluster.prototype.query)
@@ -217,7 +217,7 @@ addHook({ name: 'couchbase', file: 'lib/cluster.js', versions: ['^2.6.5'] }, Clu
 // semver >=3 <3.2.0
-addHook({ name: 'couchbase', file: 'lib/collection.js', versions: ['>=3.0.0 <3.2.0'] }, Collection => {
+addHook({ name: 'couchbase', file: 'lib/collection.js', versions: ['^3.0.7', '^3.1.3'] }, Collection => {
   wrapAllNames(['upsert', 'insert', 'replace'], name => {
     shimmer.wrap(Collection.prototype, name, wrapWithName(name))
   })
@@ -225,7 +225,7 @@ addHook({ name: 'couchbase', file: 'lib/collection.js', versions: ['>=3.0.0 <3.2
   return Collection
 })
-addHook({ name: 'couchbase', file: 'lib/cluster.js', versions: ['>=3.0.0 <3.2.0'] }, Cluster => {
+addHook({ name: 'couchbase', file: 'lib/cluster.js', versions: ['^3.0.7', '^3.1.3'] }, Cluster => {
   shimmer.wrap(Cluster.prototype, 'query', wrapV3Query)
   return Cluster
 })

package/packages/datadog-instrumentations/src/jest.js CHANGED Viewed

@@ -129,8 +129,7 @@ function getWrappedEnvironment (BaseEnvironment, jestVersion) {
             suite: this.testSuite,
             runner: 'jest-circus',
             testParameters,
-            frameworkVersion: jestVersion,
-            testStartLine: getTestLineStart(event.test.asyncError, this.testSuite)
+            frameworkVersion: jestVersion
           })
           originalTestFns.set(event.test, event.test.fn)
           event.test.fn = asyncResource.bind(event.test.fn)
@@ -145,7 +144,10 @@ function getWrappedEnvironment (BaseEnvironment, jestVersion) {
             const formattedError = formatJestError(event.test.errors[0])
             testErrCh.publish(formattedError)
           }
-          testRunFinishCh.publish(status)
+          testRunFinishCh.publish({
+            status,
+            testStartLine: getTestLineStart(event.test.asyncError, this.testSuite)
+          })
           // restore in case it is retried
           event.test.fn = originalTestFns.get(event.test)
         })
@@ -471,7 +473,7 @@ function jasmineAsyncInstallWraper (jasmineAsyncInstallExport, jestVersion) {
             const formattedError = formatJestError(spec.result.failedExpectations[0].error)
             testErrCh.publish(formattedError)
           }
-          testRunFinishCh.publish(specStatusToTestStatus[spec.result.status])
+          testRunFinishCh.publish({ status: specStatusToTestStatus[spec.result.status] })
           onComplete.apply(this, arguments)
         })
         arguments[0] = callback

package/packages/datadog-plugin-graphql/src/execute.js CHANGED Viewed

@@ -7,6 +7,8 @@ let tools
 class GraphQLExecutePlugin extends TracingPlugin {
   static get id () { return 'graphql' }
   static get operation () { return 'execute' }
+  static get type () { return 'graphql' }
+  static get kind () { return 'server' }
   start ({ operation, args, docSource }) {
     const type = operation && operation.operation
@@ -14,11 +16,11 @@ class GraphQLExecutePlugin extends TracingPlugin {
     const document = args.document
     const source = this.config.source && document && docSource
-    const span = this.startSpan('graphql.execute', {
-      service: this.config.service,
+    const span = this.startSpan(this.operationName(), {
+      service: this.config.service || this.serviceName(),
       resource: getSignature(document, name, type, this.config.signature),
-      kind: 'server',
-      type: 'graphql',
+      kind: this.constructor.kind,
+      type: this.constructor.type,
       meta: {
         'graphql.operation.type': type,
         'graphql.operation.name': name,

package/packages/datadog-plugin-jest/src/index.js CHANGED Viewed

@@ -166,9 +166,12 @@ class JestPlugin extends CiPlugin {
       this.enter(span, store)
     })
-    this.addSub('ci:jest:test:finish', (status) => {
+    this.addSub('ci:jest:test:finish', ({ status, testStartLine }) => {
       const span = storage.getStore().span
       span.setTag(TEST_STATUS, status)
+      if (testStartLine) {
+        span.setTag(TEST_SOURCE_START, testStartLine)
+      }
       span.finish()
       finishAllTraceSpans(span)
     })
@@ -197,8 +200,10 @@ class JestPlugin extends CiPlugin {
     const extraTags = {
       [JEST_TEST_RUNNER]: runner,
       [TEST_PARAMETERS]: testParameters,
-      [TEST_FRAMEWORK_VERSION]: frameworkVersion,
-      [TEST_SOURCE_START]: testStartLine
+      [TEST_FRAMEWORK_VERSION]: frameworkVersion
+    }
+    if (testStartLine) {
+      extraTags[TEST_SOURCE_START] = testStartLine
     }
     return super.startTestSpan(name, suite, this.testSuiteSpan, extraTags)

package/packages/datadog-plugin-openai/src/index.js CHANGED Viewed

@@ -8,6 +8,10 @@ const services = require('./services')
 const Sampler = require('../../dd-trace/src/sampler')
 const { MEASURED } = require('../../../ext/tags')
+// String#replaceAll unavailable on Node.js@v14 (dd-trace@<=v3)
+const RE_NEWLINE = /\n/g
+const RE_TAB = /\t/g
 // TODO: In the future we should refactor config.js to make it requirable
 let MAX_TEXT_LEN = 128
@@ -26,7 +30,9 @@ class OpenApiPlugin extends TracingPlugin {
     this.sampler = new Sampler(0.1) // default 10% log sampling
     // hoist the max length env var to avoid making all of these functions a class method
-    MAX_TEXT_LEN = this._tracerConfig.openaiSpanCharLimit
+    if (this._tracerConfig) {
+      MAX_TEXT_LEN = this._tracerConfig.openaiSpanCharLimit
+    }
   }
   configure (config) {
@@ -83,11 +89,11 @@ class OpenApiPlugin extends TracingPlugin {
       store.prompt = prompt
       if (typeof prompt === 'string' || (Array.isArray(prompt) && typeof prompt[0] === 'number')) {
         // This is a single prompt, either String or [Number]
-        tags[`openai.request.prompt`] = normalizeStringOrTokenArray(prompt)
+        tags[`openai.request.prompt`] = normalizeStringOrTokenArray(prompt, true)
       } else if (Array.isArray(prompt)) {
         // This is multiple prompts, either [String] or [[Number]]
         for (let i = 0; i < prompt.length; i++) {
-          tags[`openai.request.prompt.${i}`] = normalizeStringOrTokenArray(prompt[i])
+          tags[`openai.request.prompt.${i}`] = normalizeStringOrTokenArray(prompt[i], true)
         }
       }
     }
@@ -363,6 +369,8 @@ function retrieveModelResponseExtraction (tags, body) {
   tags['openai.response.parent'] = body.parent
   tags['openai.response.root'] = body.root
+  if (!body.permission) return
   tags['openai.response.permission.id'] = body.permission[0].id
   tags['openai.response.permission.created'] = body.permission[0].created
   tags['openai.response.permission.allow_create_engine'] = body.permission[0].allow_create_engine
@@ -382,10 +390,14 @@ function commonLookupFineTuneRequestExtraction (tags, body) {
 }
 function listModelsResponseExtraction (tags, body) {
+  if (!body.data) return
   tags['openai.response.count'] = body.data.length
 }
 function commonImageResponseExtraction (tags, body) {
+  if (!body.data) return
   tags['openai.response.images_count'] = body.data.length
   for (let i = 0; i < body.data.length; i++) {
@@ -400,7 +412,7 @@ function createAudioResponseExtraction (tags, body) {
   tags['openai.response.text'] = body.text
   tags['openai.response.language'] = body.language
   tags['openai.response.duration'] = body.duration
-  tags['openai.response.segments_count'] = body.segments.length
+  tags['openai.response.segments_count'] = defensiveArrayLength(body.segments)
 }
 function createFineTuneRequestExtraction (tags, body) {
@@ -417,21 +429,24 @@ function createFineTuneRequestExtraction (tags, body) {
 }
 function commonFineTuneResponseExtraction (tags, body) {
-  tags['openai.response.events_count'] = body.events.length
+  tags['openai.response.events_count'] = defensiveArrayLength(body.events)
   tags['openai.response.fine_tuned_model'] = body.fine_tuned_model
-  tags['openai.response.hyperparams.n_epochs'] = body.hyperparams.n_epochs
-  tags['openai.response.hyperparams.batch_size'] = body.hyperparams.batch_size
-  tags['openai.response.hyperparams.prompt_loss_weight'] = body.hyperparams.prompt_loss_weight
-  tags['openai.response.hyperparams.learning_rate_multiplier'] = body.hyperparams.learning_rate_multiplier
-  tags['openai.response.training_files_count'] = body.training_files.length
-  tags['openai.response.result_files_count'] = body.result_files.length
-  tags['openai.response.validation_files_count'] = body.validation_files.length
+  if (body.hyperparams) {
+    tags['openai.response.hyperparams.n_epochs'] = body.hyperparams.n_epochs
+    tags['openai.response.hyperparams.batch_size'] = body.hyperparams.batch_size
+    tags['openai.response.hyperparams.prompt_loss_weight'] = body.hyperparams.prompt_loss_weight
+    tags['openai.response.hyperparams.learning_rate_multiplier'] = body.hyperparams.learning_rate_multiplier
+  }
+  tags['openai.response.training_files_count'] = defensiveArrayLength(body.training_files)
+  tags['openai.response.result_files_count'] = defensiveArrayLength(body.result_files)
+  tags['openai.response.validation_files_count'] = defensiveArrayLength(body.validation_files)
   tags['openai.response.updated_at'] = body.updated_at
   tags['openai.response.status'] = body.status
 }
 // the OpenAI package appears to stream the content download then provide it all as a singular string
 function downloadFileResponseExtraction (tags, body) {
+  if (!body.file) return
   tags['openai.response.total_bytes'] = body.file.length
 }
@@ -472,6 +487,8 @@ function createRetrieveFileResponseExtraction (tags, body) {
 function createEmbeddingResponseExtraction (tags, body) {
   usageExtraction(tags, body)
+  if (!body.data) return
   tags['openai.response.embeddings_count'] = body.data.length
   for (let i = 0; i < body.data.length; i++) {
     tags[`openai.response.embedding.${i}.embedding_length`] = body.data[i].embedding.length
@@ -479,6 +496,7 @@ function createEmbeddingResponseExtraction (tags, body) {
 }
 function commonListCountResponseExtraction (tags, body) {
+  if (!body.data) return
   tags['openai.response.count'] = body.data.length
 }
@@ -486,6 +504,9 @@ function commonListCountResponseExtraction (tags, body) {
 function createModerationResponseExtraction (tags, body) {
   tags['openai.response.id'] = body.id
   // tags[`openai.response.model`] = body.model // redundant, already extracted globally
+  if (!body.results) return
   tags['openai.response.flagged'] = body.results[0].flagged
   for (const [category, match] of Object.entries(body.results[0].categories)) {
@@ -501,6 +522,8 @@ function createModerationResponseExtraction (tags, body) {
 function commonCreateResponseExtraction (tags, body, store) {
   usageExtraction(tags, body)
+  if (!body.choices) return
   tags['openai.response.choices_count'] = body.choices.length
   store.choices = body.choices
@@ -530,7 +553,7 @@ function usageExtraction (tags, body) {
 }
 function truncateApiKey (apiKey) {
-  return `sk-...${apiKey.substr(apiKey.length - 4)}`
+  return apiKey && `sk-...${apiKey.substr(apiKey.length - 4)}`
 }
 /**
@@ -540,8 +563,8 @@ function truncateText (text) {
   if (!text) return
   text = text
-    .replaceAll('\n', '\\n')
-    .replaceAll('\t', '\\t')
+    .replace(RE_NEWLINE, '\\n')
+    .replace(RE_TAB, '\\t')
   if (text.length > MAX_TEXT_LEN) {
     return text.substring(0, MAX_TEXT_LEN) + '...'
@@ -671,7 +694,7 @@ function normalizeRequestPayload (methodName, args) {
  * "foo" -> "foo"
  * [1,2,3] -> "[1, 2, 3]"
  */
-function normalizeStringOrTokenArray (input, truncate = true) {
+function normalizeStringOrTokenArray (input, truncate) {
   const normalized = Array.isArray(input)
     ? `[${input.join(', ')}]` // "[1, 2, 999]"
     : input // "foo"

package/packages/datadog-plugin-openai/src/services.js CHANGED Viewed

@@ -1,7 +1,7 @@
 'use strict'
 const { DogStatsDClient, NoopDogStatsDClient } = require('../../dd-trace/src/dogstatsd')
-const ExternalLogger = require('../../dd-trace/src/external-logger/src')
+const { ExternalLogger, NoopExternalLogger } = require('../../dd-trace/src/external-logger/src')
 const FLUSH_INTERVAL = 10 * 1000
@@ -10,7 +10,7 @@ let logger = null
 let interval = null
 module.exports.init = function (tracerConfig) {
-  if (tracerConfig.dogstatsd) {
+  if (tracerConfig && tracerConfig.dogstatsd) {
     metrics = new DogStatsDClient({
       host: tracerConfig.dogstatsd.hostname,
       port: tracerConfig.dogstatsd.port,
@@ -24,13 +24,17 @@ module.exports.init = function (tracerConfig) {
     metrics = new NoopDogStatsDClient()
   }
-  logger = new ExternalLogger({
-    ddsource: 'openai',
-    hostname: tracerConfig.hostname,
-    service: tracerConfig.service,
-    apiKey: tracerConfig.apiKey,
-    interval: FLUSH_INTERVAL
-  })
+  if (tracerConfig && tracerConfig.apiKey) {
+    logger = new ExternalLogger({
+      ddsource: 'openai',
+      hostname: tracerConfig.hostname,
+      service: tracerConfig.service,
+      apiKey: tracerConfig.apiKey,
+      interval: FLUSH_INTERVAL
+    })
+  } else {
+    logger = new NoopExternalLogger()
+  }
   interval = setInterval(() => {
     metrics.flush()

package/packages/dd-trace/src/appsec/iast/analyzers/analyzers.js CHANGED Viewed

@@ -2,6 +2,7 @@
 module.exports = {
   'COMMAND_INJECTION_ANALYZER': require('./command-injection-analyzer'),
+  'HSTS_HEADER_MISSING_ANALYZER': require('./hsts-header-missing-analyzer'),
   'INSECURE_COOKIE_ANALYZER': require('./insecure-cookie-analyzer'),
   'LDAP_ANALYZER': require('./ldap-injection-analyzer'),
   'NO_HTTPONLY_COOKIE_ANALYZER': require('./no-httponly-cookie-analyzer'),
@@ -11,5 +12,6 @@ module.exports = {
   'SSRF': require('./ssrf-analyzer'),
   'UNVALIDATED_REDIRECT_ANALYZER': require('./unvalidated-redirect-analyzer'),
   'WEAK_CIPHER_ANALYZER': require('./weak-cipher-analyzer'),
-  'WEAK_HASH_ANALYZER': require('./weak-hash-analyzer')
+  'WEAK_HASH_ANALYZER': require('./weak-hash-analyzer'),
+  'XCONTENTTYPE_HEADER_MISSING_ANALYZER': require('./xcontenttype-header-missing-analyzer')
 }

package/packages/dd-trace/src/appsec/iast/analyzers/hsts-header-missing-analyzer.js ADDED Viewed

@@ -0,0 +1,45 @@
+'use strict'
+const { HSTS_HEADER_MISSING } = require('../vulnerabilities')
+const { MissingHeaderAnalyzer } = require('./missing-header-analyzer')
+const HSTS_HEADER_NAME = 'Strict-Transport-Security'
+const HEADER_VALID_PREFIX = 'max-age'
+class HstsHeaderMissingAnalyzer extends MissingHeaderAnalyzer {
+  constructor () {
+    super(HSTS_HEADER_MISSING, HSTS_HEADER_NAME)
+  }
+  _isVulnerableFromRequestAndResponse (req, res) {
+    const headerToCheck = res.getHeader(HSTS_HEADER_NAME)
+    return !this._isHeaderValid(headerToCheck) && this._isHttpsProtocol(req)
+  }
+  _isHeaderValid (headerValue) {
+    if (!headerValue) {
+      return false
+    }
+    headerValue = headerValue.trim()
+    if (!headerValue.startsWith(HEADER_VALID_PREFIX)) {
+      return false
+    }
+    const semicolonIndex = headerValue.indexOf(';')
+    let timestampString
+    if (semicolonIndex > -1) {
+      timestampString = headerValue.substring(HEADER_VALID_PREFIX.length + 1, semicolonIndex)
+    } else {
+      timestampString = headerValue.substring(HEADER_VALID_PREFIX.length + 1)
+    }
+    const timestamp = parseInt(timestampString)
+    // eslint-disable-next-line eqeqeq
+    return timestamp == timestampString && timestamp > 0
+  }
+  _isHttpsProtocol (req) {
+    return req.protocol === 'https' || req.headers['x-forwarded-proto'] === 'https'
+  }
+}
+module.exports = new HstsHeaderMissingAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/index.js CHANGED Viewed

@@ -3,10 +3,10 @@
 const analyzers = require('./analyzers')
 const setCookiesHeaderInterceptor = require('./set-cookies-header-interceptor')
-function enableAllAnalyzers () {
-  setCookiesHeaderInterceptor.configure(true)
+function enableAllAnalyzers (tracerConfig) {
+  setCookiesHeaderInterceptor.configure({ enabled: true, tracerConfig })
   for (const analyzer in analyzers) {
-    analyzers[analyzer].configure(true)
+    analyzers[analyzer].configure({ enabled: true, tracerConfig })
   }
 }

package/packages/dd-trace/src/appsec/iast/analyzers/missing-header-analyzer.js ADDED Viewed

@@ -0,0 +1,66 @@
+'use strict'
+const Analyzer = require('./vulnerability-analyzer')
+const SC_MOVED_PERMANENTLY = 301
+const SC_MOVED_TEMPORARILY = 302
+const SC_NOT_MODIFIED = 304
+const SC_TEMPORARY_REDIRECT = 307
+const SC_NOT_FOUND = 404
+const SC_GONE = 410
+const SC_INTERNAL_SERVER_ERROR = 500
+const IGNORED_RESPONSE_STATUS_LIST = [SC_MOVED_PERMANENTLY, SC_MOVED_TEMPORARILY, SC_NOT_MODIFIED,
+  SC_TEMPORARY_REDIRECT, SC_NOT_FOUND, SC_GONE, SC_INTERNAL_SERVER_ERROR]
+const HTML_CONTENT_TYPES = ['text/html', 'application/xhtml+xml']
+class MissingHeaderAnalyzer extends Analyzer {
+  constructor (type, headerName) {
+    super(type)
+    this.headerName = headerName
+  }
+  onConfigure () {
+    this.addSub({
+      channelName: 'datadog:iast:response-end',
+      moduleName: 'http'
+    }, (data) => this.analyze(data))
+  }
+  _getLocation () {
+    return undefined
+  }
+  _checkOCE (context) {
+    return true
+  }
+  _createHashSource (type, evidence, location) {
+    return `${type}:${this.config.tracerConfig.service}`
+  }
+  _getEvidence ({ res }) {
+    return { value: res.getHeader(this.headerName) }
+  }
+  _isVulnerable ({ req, res }, context) {
+    if (!IGNORED_RESPONSE_STATUS_LIST.includes(res.statusCode) && this._isResponseHtml(res)) {
+      return this._isVulnerableFromRequestAndResponse(req, res)
+    }
+    return false
+  }
+  _isVulnerableFromRequestAndResponse (req, res) {
+    return false
+  }
+  _isResponseHtml (res) {
+    const contentType = res.getHeader('content-type')
+    return contentType && HTML_CONTENT_TYPES.some(htmlContentType => {
+      return htmlContentType === contentType || contentType.startsWith(htmlContentType + ';')
+    })
+  }
+}
+module.exports = { MissingHeaderAnalyzer }

package/packages/dd-trace/src/appsec/iast/analyzers/unvalidated-redirect-analyzer.js CHANGED Viewed

@@ -4,7 +4,11 @@ const InjectionAnalyzer = require('./injection-analyzer')
 const { UNVALIDATED_REDIRECT } = require('../vulnerabilities')
 const { getNodeModulesPaths } = require('../path-line')
 const { getRanges } = require('../taint-tracking/operations')
-const { HTTP_REQUEST_HEADER_VALUE } = require('../taint-tracking/source-types')
+const {
+  HTTP_REQUEST_HEADER_VALUE,
+  HTTP_REQUEST_PATH,
+  HTTP_REQUEST_PATH_PARAM
+} = require('../taint-tracking/source-types')
 const EXCLUDED_PATHS = getNodeModulesPaths('express/lib/response.js')
@@ -17,9 +21,6 @@ class UnvalidatedRedirectAnalyzer extends InjectionAnalyzer {
     this.addSub('datadog:http:server:response:set-header:finish', ({ name, value }) => this.analyze(name, value))
   }
-  // TODO: In case the location header value is tainted, this analyzer should check the ranges of the tainted.
-  // And do not report a vulnerability if source of the ranges (range.iinfo.type) are exclusively url or path params
-  // to avoid false positives.
   analyze (name, value) {
     if (!this.isLocationHeader(name) || typeof value !== 'string') return
@@ -34,12 +35,28 @@ class UnvalidatedRedirectAnalyzer extends InjectionAnalyzer {
     if (!value) return false
     const ranges = getRanges(iastContext, value)
-    return ranges && ranges.length > 0 && !this._isRefererHeader(ranges)
+    return ranges && ranges.length > 0 && !this._areSafeRanges(ranges)
   }
-  _isRefererHeader (ranges) {
-    return ranges && ranges.every(range => range.iinfo.type === HTTP_REQUEST_HEADER_VALUE &&
-      range.iinfo.parameterName && range.iinfo.parameterName.toLowerCase() === 'referer')
+  // Do not report vulnerability if ranges sources are exclusively url,
+  // path params or referer header to avoid false positives.
+  _areSafeRanges (ranges) {
+    return ranges && ranges.every(
+      range => this._isPathParam(range) || this._isUrl(range) || this._isRefererHeader(range)
+    )
+  }
+  _isRefererHeader (range) {
+    return range.iinfo.type === HTTP_REQUEST_HEADER_VALUE &&
+      range.iinfo.parameterName && range.iinfo.parameterName.toLowerCase() === 'referer'
+  }
+  _isPathParam (range) {
+    return range.iinfo.type === HTTP_REQUEST_PATH_PARAM
+  }
+  _isUrl (range) {
+    return range.iinfo.type === HTTP_REQUEST_PATH
   }
   _getExcludedPaths () {

package/packages/dd-trace/src/appsec/iast/analyzers/xcontenttype-header-missing-analyzer.js ADDED Viewed

@@ -0,0 +1,19 @@
+'use strict'
+const { XCONTENTTYPE_HEADER_MISSING } = require('../vulnerabilities')
+const { MissingHeaderAnalyzer } = require('./missing-header-analyzer')
+const XCONTENTTYPEOPTIONS_HEADER_NAME = 'X-Content-Type-Options'
+class XcontenttypeHeaderMissingAnalyzer extends MissingHeaderAnalyzer {
+  constructor () {
+    super(XCONTENTTYPE_HEADER_MISSING, XCONTENTTYPEOPTIONS_HEADER_NAME)
+  }
+  _isVulnerableFromRequestAndResponse (req, res) {
+    const headerToCheck = res.getHeader(XCONTENTTYPEOPTIONS_HEADER_NAME)
+    return !headerToCheck || headerToCheck.trim().toLowerCase() !== 'nosniff'
+  }
+}
+module.exports = new XcontenttypeHeaderMissingAnalyzer()

package/packages/dd-trace/src/appsec/iast/index.js CHANGED Viewed

@@ -19,10 +19,11 @@ const iastTelemetry = require('./telemetry')
 //  order of the callbacks can be enforce
 const requestStart = dc.channel('dd-trace:incomingHttpRequestStart')
 const requestClose = dc.channel('dd-trace:incomingHttpRequestEnd')
+const iastResponseEnd = dc.channel('datadog:iast:response-end')
 function enable (config, _tracer) {
   iastTelemetry.configure(config, config.iast && config.iast.telemetryVerbosity)
-  enableAllAnalyzers()
+  enableAllAnalyzers(config)
   enableTaintTracking(config.iast, iastTelemetry.verbosity)
   requestStart.subscribe(onIncomingHttpRequestStart)
   requestClose.subscribe(onIncomingHttpRequestEnd)
@@ -54,7 +55,7 @@ function onIncomingHttpRequestStart (data) {
           createTransaction(rootSpan.context().toSpanId(), iastContext)
           overheadController.initializeRequestContext(iastContext)
           iastTelemetry.onRequestStart(iastContext)
-          taintTrackingPlugin.taintHeaders(data.req.headers, iastContext)
+          taintTrackingPlugin.taintRequest(data.req, iastContext)
         }
         if (rootSpan.addTags) {
           rootSpan.addTags({
@@ -72,6 +73,8 @@ function onIncomingHttpRequestEnd (data) {
     const topContext = web.getContext(data.req)
     const iastContext = iastContextFunctions.getIastContext(store, topContext)
     if (iastContext && iastContext.rootSpan) {
+      iastResponseEnd.publish(data)
       const vulnerabilities = iastContext.vulnerabilities
       const rootSpan = iastContext.rootSpan
       vulnerabilityReporter.sendVulnerabilities(vulnerabilities, rootSpan)

package/packages/dd-trace/src/appsec/iast/taint-tracking/index.js CHANGED Viewed

@@ -1,11 +1,13 @@
 'use strict'
 const { enableRewriter, disableRewriter } = require('./rewriter')
-const { createTransaction,
+const {
+  createTransaction,
   removeTransaction,
   setMaxTransactions,
   enableTaintOperations,
-  disableTaintOperations } = require('./operations')
+  disableTaintOperations
+} = require('./operations')
 const taintTrackingPlugin = require('./plugin')