dd-trace 5.101.0 → 5.102.0

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/index.js

@@ -83,14 +83,12 @@ class VulnerabilityFormatter {
   formatVulnerability (vulnerability, sourcesIndexes, sources) {
     const { type, hash, evidence, location } = vulnerability
 
-    const formattedVulnerability = {
+    return {
       type,
       hash,
       evidence: this.formatEvidence(type, evidence, sourcesIndexes, sources),
       location,
     }
-
-    return formattedVulnerability
   }
 
   toJson (vulnerabilitiesToFormat) {

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/utils.js

@@ -9,8 +9,9 @@ const STRINGIFY_SENSITIVE_KEY = STRINGIFY_RANGE_KEY + 'SENSITIVE'
 const STRINGIFY_SENSITIVE_NOT_STRING_KEY = STRINGIFY_SENSITIVE_KEY + 'NOTSTRING'
 
 // eslint-disable-next-line @stylistic/max-len
-const KEYS_REGEX_WITH_SENSITIVE_RANGES = new RegExp(String.raw`(?:"(${STRINGIFY_RANGE_KEY}_\d+_))|(?:"(${STRINGIFY_SENSITIVE_KEY}_\d+_(\d+)_))|("${STRINGIFY_SENSITIVE_NOT_STRING_KEY}_\d+_([\s0-9.a-zA-Z]*)")`, 'gm')
-const KEYS_REGEX_WITHOUT_SENSITIVE_RANGES = new RegExp(String.raw`"(${STRINGIFY_RANGE_KEY}_\d+_)`, 'gm')
+const REGEX_FOR_STRINGIFY_SENSITIVE_NOT_STRING = new RegExp(String.raw`"${STRINGIFY_SENSITIVE_NOT_STRING_KEY}_\d+_([\s\-+0-9.a-zA-Z]*)"`)
+const REGEX_FOR_STRINGIFY_SENSITIVE = new RegExp(String.raw`${STRINGIFY_SENSITIVE_KEY}_\d+_(\d+)_`)
+const REGEX_FOR_STRINGIFY_RANGE = new RegExp(String.raw`(${STRINGIFY_RANGE_KEY}_\d+_)`)
 
 const sensitiveValueRegex = new RegExp(/** @type {string} */ (defaults['iast.redactionValuePattern']), 'gmi')
 
@@ -41,7 +42,6 @@ function stringifyWithRanges (obj, objRanges, loadSensitiveRanges = false) {
     let counter = 0
     const allRanges = {}
     const sensitiveKeysMapping = {}
-
     iterateObject(obj, (val, levelKeys, parent, key) => {
       let currentLevelClone = cloneObj
       for (let i = 0; i < levelKeys.length - 1; i++) {
@@ -108,55 +108,90 @@ function stringifyWithRanges (obj, objRanges, loadSensitiveRanges = false) {
     value = JSON.stringify(cloneObj, null, 2)
 
     if (counter > 0) {
-      const keysRegex = loadSensitiveRanges
-        ? KEYS_REGEX_WITH_SENSITIVE_RANGES
-        : KEYS_REGEX_WITHOUT_SENSITIVE_RANGES
-      keysRegex.lastIndex = 0
-
-      let regexRes = keysRegex.exec(value)
-      while (regexRes) {
-        const offset = regexRes.index + 1 // +1 to increase the " char
-
-        if (regexRes[1]) {
-          // is a range
-          const rangesId = regexRes[1]
-          value = value.replace(rangesId, '')
-
-          const updatedRanges = allRanges[rangesId].map(range => {
-            return {
+      const segments = []
+      let outputLength = 0
+      let pos = 0
+      let rangeKeyIndex = value.indexOf(STRINGIFY_RANGE_KEY)
+
+      while (rangeKeyIndex > -1) {
+        let remainingStringValue = value.slice(rangeKeyIndex)
+        let cleanLength = rangeKeyIndex - pos
+
+        if (remainingStringValue.startsWith(STRINGIFY_SENSITIVE_NOT_STRING_KEY)) {
+          // In this case, we want to remove also the previous " char, because the value is not an string
+          rangeKeyIndex--
+          cleanLength--
+          remainingStringValue = value.slice(rangeKeyIndex)
+          const regexRes = REGEX_FOR_STRINGIFY_SENSITIVE_NOT_STRING.exec(remainingStringValue)
+
+          if (regexRes?.index === 0) {
+            const matchValue = regexRes[0]
+            const originalValue = regexRes[1]
+            const start = outputLength + cleanLength
+
+            sensitiveRanges.push({
+              start,
+              end: start + originalValue.length,
+            })
+            segments.push(value.slice(pos, rangeKeyIndex), originalValue)
+            outputLength += cleanLength + originalValue.length
+            pos = rangeKeyIndex + matchValue.length
+          } else {
+            // can't happen, the only way to this to happen is
+            // if the JSON has a value starting with the value of STRINGIFY_SENSITIVE_NOT_STRING_KEY
+            segments.push(value.slice(pos, rangeKeyIndex + STRINGIFY_SENSITIVE_NOT_STRING_KEY.length + 1))
+            outputLength += cleanLength + STRINGIFY_SENSITIVE_NOT_STRING_KEY.length + 1
+            pos = rangeKeyIndex + STRINGIFY_SENSITIVE_NOT_STRING_KEY.length + 1
+          }
+        } else if (remainingStringValue.startsWith(STRINGIFY_SENSITIVE_KEY)) {
+          const regexRes = REGEX_FOR_STRINGIFY_SENSITIVE.exec(remainingStringValue)
+          if (regexRes?.index === 0) {
+            const start = outputLength + cleanLength
+
+            sensitiveRanges.push({
+              start,
+              end: start + Number.parseInt(regexRes[1]),
+            })
+            segments.push(value.slice(pos, rangeKeyIndex))
+            outputLength += cleanLength
+            pos = rangeKeyIndex + regexRes[0].length
+          } else {
+            // can't happen, the only way to this to happen is
+            // if the JSON has a value starting with the value of STRINGIFY_SENSITIVE_KEY
+            segments.push(value.slice(pos, rangeKeyIndex + STRINGIFY_SENSITIVE_KEY.length))
+            outputLength += cleanLength + STRINGIFY_SENSITIVE_KEY.length
+            pos = rangeKeyIndex + STRINGIFY_SENSITIVE_KEY.length
+          }
+        } else {
+          const regexRes = REGEX_FOR_STRINGIFY_RANGE.exec(remainingStringValue)
+          if (regexRes?.index === 0) {
+            const start = outputLength + cleanLength
+            const rangesId = regexRes[1]
+
+            const updatedRanges = allRanges[rangesId].map(range => ({
               ...range,
-              start: range.start + offset,
-              end: range.end + offset,
-            }
-          })
-
-          ranges.push(...updatedRanges)
-        } else if (regexRes[2]) {
-          // is a sensitive string literal
-          const sensitiveId = regexRes[2]
-
-          sensitiveRanges.push({
-            start: offset,
-            end: offset + Number.parseInt(regexRes[3]),
-          })
-
-          value = value.replace(sensitiveId, '')
-        } else if (regexRes[4]) {
-          // is a sensitive value (number, null, false, ...)
-          const sensitiveId = regexRes[4]
-          const originalValue = regexRes[5]
-
-          sensitiveRanges.push({
-            start: regexRes.index,
-            end: regexRes.index + originalValue.length,
-          })
-
-          value = value.replace(sensitiveId, originalValue)
+              start: range.start + start,
+              end: range.end + start,
+            }))
+            ranges.push(...updatedRanges)
+
+            segments.push(value.slice(pos, rangeKeyIndex))
+            outputLength += cleanLength
+            pos = rangeKeyIndex + regexRes[0].length
+          } else {
+            // can't happen, the only way to this to happen is
+            // if the JSON has a value starting with the value of STRINGIFY_RANGE_KEY
+            segments.push(value.slice(pos, rangeKeyIndex + STRINGIFY_RANGE_KEY.length))
+            outputLength += cleanLength + STRINGIFY_RANGE_KEY.length
+            pos = rangeKeyIndex + STRINGIFY_RANGE_KEY.length
+          }
         }
 
-        keysRegex.lastIndex = 0
-        regexRes = keysRegex.exec(value)
+        rangeKeyIndex = value.indexOf(STRINGIFY_RANGE_KEY, pos)
       }
+
+      segments.push(value.slice(pos))
+      value = segments.join('')
     }
   } else {
     value = JSON.stringify(obj, null, 2)

package/packages/dd-trace/src/appsec/index.js

@@ -5,6 +5,7 @@ const web = require('../plugins/util/web')
 const { extractIp } = require('../plugins/util/ip_extractor')
 const { HTTP_CLIENT_IP } = require('../../../../ext/tags')
 const { IS_SERVERLESS } = require('../serverless')
+const { isEmpty } = require('../util')
 const RuleManager = require('./rule_manager')
 const appsecRemoteConfig = require('./remote_config')
 const {
@@ -128,7 +129,7 @@ function onRequestBodyParsed ({ req, res, body, abortController }) {
   }
 
   if (typeof body === 'object') {
-    if (isEmptyObject(body)) return
+    if (isEmpty(body)) return
     analyzedBodies.add(body)
   }
 
@@ -149,7 +150,7 @@ function onRequestCookieParser ({ req, res, abortController, cookies }) {
   const rootSpan = web.root(req)
   if (!rootSpan) return
 
-  if (isEmptyObject(cookies)) return
+  if (isEmpty(cookies)) return
   analyzedCookies.add(cookies)
 
   const results = waf.run({
@@ -180,12 +181,9 @@ function incomingHttpStartTranslator ({ req, res, abortController }) {
     }
   }
 
-  const requestHeaders = { ...req.headers }
-  delete requestHeaders.cookie
-
   const persistent = {
     [addresses.HTTP_INCOMING_URL]: req.url,
-    [addresses.HTTP_INCOMING_HEADERS]: requestHeaders,
+    [addresses.HTTP_INCOMING_HEADERS]: copyHeadersOmitting(req.headers, 'cookie'),
     [addresses.HTTP_INCOMING_METHOD]: req.method,
   }
 
@@ -204,7 +202,7 @@ function incomingHttpEndTranslator ({ req, res }) {
   // we need to keep this to support other body parsers
   if (req.body !== undefined && req.body !== null) {
     if (typeof req.body === 'object') {
-      if (!isEmptyObject(req.body) && !analyzedBodies.has(req.body)) {
+      if (!isEmpty(req.body) && !analyzedBodies.has(req.body)) {
         persistent[addresses.HTTP_INCOMING_BODY] = req.body
       }
     } else {
@@ -216,7 +214,7 @@ function incomingHttpEndTranslator ({ req, res }) {
   if (
     req.cookies !== null &&
     typeof req.cookies === 'object' &&
-    !isEmptyObject(req.cookies) &&
+    !isEmpty(req.cookies) &&
     !analyzedCookies.has(req.cookies)
   ) {
     persistent[addresses.HTTP_INCOMING_COOKIES] = req.cookies
@@ -227,7 +225,7 @@ function incomingHttpEndTranslator ({ req, res }) {
   if (
     query !== null &&
     typeof query === 'object' &&
-    !isEmptyObject(query)
+    !isEmpty(query)
   ) {
     persistent[addresses.HTTP_INCOMING_QUERY] = query
   }
@@ -239,7 +237,7 @@ function incomingHttpEndTranslator ({ req, res }) {
     persistent[addresses.WAF_CONTEXT_PROCESSOR] = { 'extract-schema': true }
   }
 
-  if (!isEmptyObject(persistent)) {
+  if (!isEmpty(persistent)) {
     waf.run({ persistent }, req)
   }
 
@@ -313,7 +311,7 @@ function onRequestQueryParsed ({ req, res, query, abortController }) {
   const rootSpan = web.root(req)
   if (!rootSpan) return
 
-  if (isEmptyObject(query)) return
+  if (isEmpty(query)) return
 
   const results = waf.run({
     persistent: {
@@ -328,7 +326,7 @@ function onRequestProcessParams ({ req, res, abortController, params }) {
   const rootSpan = web.root(req)
   if (!rootSpan) return
 
-  if (!params || typeof params !== 'object' || isEmptyObject(params)) return
+  if (!params || typeof params !== 'object' || isEmpty(params)) return
 
   const results = waf.run({
     persistent: {
@@ -352,7 +350,7 @@ function onResponseBody ({ req, res, body }) {
 }
 
 function onResponseWriteHead ({ req, res, abortController, statusCode, responseHeaders }) {
-  if (!isEmptyObject(responseHeaders)) {
+  if (!isEmpty(responseHeaders)) {
     storedResponseHeaders.set(req, responseHeaders)
   }
 
@@ -375,13 +373,10 @@ function onResponseWriteHead ({ req, res, abortController, statusCode, responseH
   const rootSpan = web.root(req)
   if (!rootSpan) return
 
-  responseHeaders = { ...responseHeaders }
-  delete responseHeaders['set-cookie']
-
   const results = waf.run({
     persistent: {
       [addresses.HTTP_INCOMING_RESPONSE_CODE]: String(statusCode),
-      [addresses.HTTP_INCOMING_RESPONSE_HEADERS]: responseHeaders,
+      [addresses.HTTP_INCOMING_RESPONSE_HEADERS]: copyHeadersOmitting(responseHeaders, 'set-cookie'),
     },
   }, req)
 
@@ -540,14 +535,16 @@ function disable () {
   if (stripeConstructEvent.hasSubscribers) stripeConstructEvent.unsubscribe(onStripeConstructEvent)
 }
 
-// this is faster than Object.keys().length === 0
-function isEmptyObject (obj) {
-  // eslint-disable-next-line no-unreachable-loop
-  for (const _ in obj) {
-    return false
+/**
+ * @param {Record<string, unknown>} src
+ * @param {string} omit
+ */
+function copyHeadersOmitting (src, omit) {
+  const filtered = {}
+  for (const key of Object.keys(src)) {
+    if (key !== omit) filtered[key] = src[key]
   }
-
-  return true
+  return filtered
 }
 
 module.exports = {

package/packages/dd-trace/src/appsec/reporter.js

@@ -509,7 +509,9 @@ function finishRequest (req, res, storedResponseHeaders, requestBody) {
   if (!rootSpan) return
 
   if (metricsQueue.size) {
-    rootSpan.addTags(Object.fromEntries(metricsQueue))
+    for (const [key, value] of metricsQueue) {
+      rootSpan.setTag(key, value)
+    }
 
     keepTrace(rootSpan, ASM)
 

package/packages/dd-trace/src/appsec/rule_manager.js

@@ -142,12 +142,14 @@ function extractErrors (diagnostics) {
 
   for (const diagnosticKey of DIAGNOSTIC_KEYS) {
     if (diagnostics[diagnosticKey]?.error) {
-      (result[diagnosticKey] ??= {}).error = diagnostics[diagnosticKey]?.error
+      result[diagnosticKey] ??= {}
+      result[diagnosticKey].error = diagnostics[diagnosticKey]?.error
       isResultPopulated = true
     }
 
     if (diagnostics[diagnosticKey]?.errors) {
-      (result[diagnosticKey] ??= {}).errors = diagnostics[diagnosticKey]?.errors
+      result[diagnosticKey] ??= {}
+      result[diagnosticKey].errors = diagnostics[diagnosticKey]?.errors
       isResultPopulated = true
     }
   }

package/packages/dd-trace/src/appsec/waf/waf_context_wrapper.js

@@ -20,6 +20,20 @@ class WAFContextWrapper {
     this.knownAddresses = knownAddresses
     this.addressesToSkip = new Set()
     this.cachedUserIdResults = new Map()
+    // Reused across run() calls; Reporter.reportMetrics consumes it synchronously.
+    this.metrics = {
+      rulesVersion,
+      wafVersion,
+      wafTimeout: false,
+      duration: 0,
+      durationExt: 0,
+      blockTriggered: false,
+      ruleTriggered: false,
+      errorCode: null,
+      maxTruncatedString: null,
+      maxTruncatedContainerSize: null,
+      maxTruncatedContainerDepth: null,
+    }
   }
 
   run ({ persistent, ephemeral }, raspRule, req) {
@@ -44,7 +58,8 @@ class WAFContextWrapper {
 
     const payload = {}
     let payloadHasData = false
-    const newAddressesToSkip = new Set(this.addressesToSkip)
+    // Cloned lazily; only the preventDuplicateAddresses branch below adds to it.
+    let newAddressesToSkip
 
     if (persistent !== null && typeof persistent === 'object') {
       const persistentInputs = {}
@@ -55,6 +70,7 @@ class WAFContextWrapper {
           hasPersistentInputs = true
           persistentInputs[key] = persistent[key]
           if (preventDuplicateAddresses.has(key)) {
+            newAddressesToSkip ??= new Set(this.addressesToSkip)
             newAddressesToSkip.add(key)
           }
         }
@@ -85,19 +101,16 @@ class WAFContextWrapper {
 
     if (!payloadHasData) return
 
-    const metrics = {
-      rulesVersion: this.rulesVersion,
-      wafVersion: this.wafVersion,
-      wafTimeout: false,
-      duration: 0,
-      durationExt: 0,
-      blockTriggered: false,
-      ruleTriggered: false,
-      errorCode: null,
-      maxTruncatedString: null,
-      maxTruncatedContainerSize: null,
-      maxTruncatedContainerDepth: null,
-    }
+    const metrics = this.metrics
+    metrics.wafTimeout = false
+    metrics.duration = 0
+    metrics.durationExt = 0
+    metrics.blockTriggered = false
+    metrics.ruleTriggered = false
+    metrics.errorCode = null
+    metrics.maxTruncatedString = null
+    metrics.maxTruncatedContainerSize = null
+    metrics.maxTruncatedContainerDepth = null
 
     try {
       const start = process.hrtime.bigint()
@@ -106,7 +119,7 @@ class WAFContextWrapper {
 
       const end = process.hrtime.bigint()
 
-      metrics.durationExt = Number.parseInt(end - start) / 1e3
+      metrics.durationExt = Number(end - start) / 1e3
 
       if (typeof result.errorCode === 'number' && result.errorCode < 0) {
         const error = new Error('WAF code error')
@@ -123,7 +136,9 @@ class WAFContextWrapper {
         if (maxTruncatedContainerDepth) metrics.maxTruncatedContainerDepth = maxTruncatedContainerDepth
       }
 
-      this.addressesToSkip = newAddressesToSkip
+      if (newAddressesToSkip !== undefined) {
+        this.addressesToSkip = newAddressesToSkip
+      }
 
       const ruleTriggered = !!result.events?.length
 

package/packages/dd-trace/src/config/git_properties.js

@@ -4,8 +4,8 @@ const fs = require('fs')
 const path = require('path')
 
 const gitPropertiesCommitSHARegex = /git\.commit\.sha=([a-f\d]{40})/
-const gitPropertiesRepositoryUrlRegex = /git\.repository_url=([\w\d:@/.-]+)/
-const repositoryUrlRegex = /^([\w\d:@/.-]+)$/
+const gitPropertiesRepositoryUrlRegex = /git\.repository_url=([\w:@/.-]+)/
+const repositoryUrlRegex = /^([\w:@/.-]+)$/
 const remoteOriginRegex = /^\[remote\s+"origin"\]/i
 const gitHeadRefRegex = /ref:\s+(refs\/[A-Za-z0-9._/-]+)/
 const commitSHARegex = /^[0-9a-f]{40}$/

package/packages/dd-trace/src/datastreams/index.js

@@ -28,7 +28,8 @@ function lazyClass (classGetter, methods = [], staticMethods = []) {
   }
 
   const activate = () => {
-    return (ActiveClass = ActiveClass || classGetter())
+    ActiveClass ??= classGetter()
+    return ActiveClass
   }
 
   for (const method of methods) {

package/packages/dd-trace/src/datastreams/processor.js

@@ -271,8 +271,7 @@ class DataStreamsProcessor {
    */
   bucketFromTimestamp (timestamp) {
     const bucketTime = Math.round(timestamp - (timestamp % this.bucketSizeNs))
-    const bucket = this.buckets.forTime(bucketTime)
-    return bucket
+    return this.buckets.forTime(bucketTime)
   }
 
   recordCheckpoint (checkpoint, span = null) {

package/packages/dd-trace/src/debugger/devtools_client/snapshot-pruner.js

@@ -175,6 +175,7 @@ function parseJsonToTree (json) {
     switch (json.charCodeAt(index)) {
       case 34: { // 34: double quote
         const stringStart = index + 1
+        // eslint-disable-next-line sonarjs/updated-loop-counter -- skip past the string token
         index = skipString(json, index)
         const stringLength = index - stringStart