npm - dd-trace - Versions diffs - 5.106.0 → 5.108.0 - Mend

dd-trace 5.106.0 → 5.108.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (105) hide show

package/packages/dd-trace/src/aiguard/index.js CHANGED Viewed

@@ -44,27 +44,46 @@ function disable () {
 /**
  * Handles channel messages with pre-converted messages.
  *
- * @param {{messages: Array<object>, integration?: string, resolve: Function, reject: Function}} ctx
+ * @param {object} ctx
+ * @param {Array<object>} ctx.messages
+ * @param {string} [ctx.integration]
+ * @param {object} [ctx.parentSpan] - LLM span to parent the `ai_guard` span under.
+ * @param {AbortController} ctx.abortController
+ * @param {Array<Promise<void>>} ctx.pending - Subscribers push only when they evaluate.
  */
 function onEvaluate (ctx) {
+  // Decline to evaluate empty payloads by not pushing to pending.
   if (!ctx.messages?.length) {
-    ctx.resolve()
     return
   }
-  const opts = { block, source: SOURCE_AUTO, integration: ctx.integration || INTEGRATION_NONE }
-  aiguard.evaluate(ctx.messages, opts)
-    .then(() => {
-      ctx.resolve()
-    })
-    .catch(err => {
-      if (err.name === 'AIGuardAbortError') {
-        ctx.reject(err)
-      } else {
-        log.error('AIGuard: unexpected error during evaluation: %s', err.message)
-        ctx.resolve()
-      }
-    })
+  const opts = {
+    block,
+    source: SOURCE_AUTO,
+    integration: ctx.integration || INTEGRATION_NONE,
+    childOf: ctx.parentSpan,
+  }
+  try {
+    ctx.pending.push(aiguard.evaluate(ctx.messages, opts).catch(handleEvaluationError.bind(null, ctx)))
+  } catch (err) {
+    ctx.pending.push(Promise.resolve().then(() => handleEvaluationError(ctx, err)))
+  }
+}
+/**
+ * Handles an AI Guard evaluation failure.
+ *
+ * @param {object} ctx
+ * @param {AbortController} ctx.abortController
+ * @param {Error} err
+ */
+function handleEvaluationError (ctx, err) {
+  if (err.name === 'AIGuardAbortError') {
+    ctx.abortController.abort(err)
+  } else {
+    log.error('AIGuard: unexpected error during evaluation: %s', err.message)
+  }
 }
 module.exports = { enable, disable }

package/packages/dd-trace/src/aiguard/sdk.js CHANGED Viewed

@@ -1,7 +1,8 @@
 'use strict'
 const rfdc = require('../../../../vendor/dist/rfdc')({ proto: false, circles: false })
-const { HTTP_CLIENT_IP, NETWORK_CLIENT_IP } = require('../../../../ext/tags')
+const { HTTP_CLIENT_IP, NETWORK_CLIENT_IP, HTTP_USERAGENT } = require('../../../../ext/tags')
+const { USER_ID, USER_SESSION_ID } = require('../appsec/addresses')
 const { getActiveRequest } = require('../appsec/store')
 const log = require('../log')
 const { extractIp } = require('../plugins/util/ip_extractor')
@@ -17,6 +18,16 @@ const aiguardMetrics = telemetryMetrics.manager.namespace('ai_guard')
 const ALLOW = 'ALLOW'
+// Tags from the service entry span that must be mirrored onto every AI Guard span
+// so anomaly detection pipelines can process each span independently.
+const SERVICE_ENTRY_TAG_MAPPINGS = [
+  [HTTP_USERAGENT, TAGS.HTTP_USERAGENT_TAG_KEY],
+  [HTTP_CLIENT_IP, TAGS.HTTP_CLIENT_IP_TAG_KEY],
+  [NETWORK_CLIENT_IP, TAGS.NETWORK_CLIENT_IP_TAG_KEY],
+  [USER_ID, TAGS.USR_ID_TAG_KEY],
+  [USER_SESSION_ID, TAGS.USR_SESSION_ID_TAG_KEY],
+]
 /**
  * Reports a telemetry error
  *
@@ -181,13 +192,32 @@ class AIGuard extends NoopAIGuard {
     }
   }
+  /**
+   * Copies service entry span tags needed by anomaly detection to the AI Guard span.
+   *
+   * @param {import('../opentracing/span')} guardSpan
+   * @param {import('../opentracing/span')} rootSpan
+   */
+  #copyServiceEntryTagsToGuardSpan (guardSpan, rootSpan) {
+    const rootTags = rootSpan.context().getTags()
+    for (const [sourceTag, destTag] of SERVICE_ENTRY_TAG_MAPPINGS) {
+      const value = rootTags[sourceTag]
+      if (value !== undefined && value !== null) {
+        guardSpan.setTag(destTag, value)
+      }
+    }
+  }
   evaluate (messages, opts) {
     if (!this.#initialized) {
       return super.evaluate(messages, opts)
     }
-    const { block = true, source = TAGS.SOURCE_SDK, integration = TAGS.INTEGRATION_NONE } = opts ?? {}
+    const { block = true, source = TAGS.SOURCE_SDK, integration = TAGS.INTEGRATION_NONE, childOf } = opts ?? {}
     const telemetryTags = { source, integration }
-    return this.#tracer.trace(TAGS.RESOURCE, {}, async (span) => {
+    // Only pass `childOf` when truthy so `tracer.trace`'s default (`scope().active()`)
+    // still applies for SDK callers that don't supply an explicit parent.
+    const traceOpts = childOf ? { childOf } : {}
+    return this.#tracer.trace(TAGS.RESOURCE, traceOpts, async (span) => {
       const last = messages[messages.length - 1]
       const target = this.#isToolCall(last) ? 'tool' : 'prompt'
       span.setTag(TAGS.TARGET_TAG_KEY, target)
@@ -206,6 +236,7 @@ class AIGuard extends NoopAIGuard {
       const rootSpan = span.context()?._trace?.started?.[0]
       if (rootSpan) {
         this.#setRootSpanClientIpTags(rootSpan)
+        this.#copyServiceEntryTagsToGuardSpan(span, rootSpan)
         // keepTrace must be called before executeRequest so the sampling decision
         // is propagated correctly to outgoing HTTP client calls.
         keepTrace(rootSpan, AI_GUARD)

package/packages/dd-trace/src/aiguard/tags.js CHANGED Viewed

@@ -10,6 +10,12 @@ module.exports = {
   EVENT_TAG_KEY: 'ai_guard.event',
   META_STRUCT_KEY: 'ai_guard',
+  HTTP_USERAGENT_TAG_KEY: 'ai_guard.http.useragent',
+  HTTP_CLIENT_IP_TAG_KEY: 'ai_guard.http.client_ip',
+  NETWORK_CLIENT_IP_TAG_KEY: 'ai_guard.network.client.ip',
+  USR_ID_TAG_KEY: 'ai_guard.usr.id',
+  USR_SESSION_ID_TAG_KEY: 'ai_guard.usr.session_id',
   TELEMETRY_REQUESTS: 'requests',
   TELEMETRY_TRUNCATED: 'truncated',
   TELEMETRY_ERROR: 'error',

package/packages/dd-trace/src/appsec/downstream_requests.js CHANGED Viewed

@@ -2,6 +2,7 @@
 const web = require('../plugins/util/web')
 const log = require('../log')
+const { isEmpty } = require('../util')
 const {
   HTTP_OUTGOING_METHOD,
   HTTP_OUTGOING_HEADERS,
@@ -137,7 +138,7 @@ function extractRequestData (ctx) {
   addresses[HTTP_OUTGOING_METHOD] = getMethod(options.method)
   const headers = options?.headers
-  if (headers && Object.keys(headers).length > 0) {
+  if (headers && !isEmpty(headers)) {
     addresses[HTTP_OUTGOING_HEADERS] = lowercaseHeaderKeys(headers)
   }
@@ -177,7 +178,7 @@ function extractResponseData (res, responseBody) {
   }
   const headers = res.headers
-  if (headers && Object.keys(headers).length > 0) {
+  if (headers && !isEmpty(headers)) {
     addresses[HTTP_OUTGOING_RESPONSE_HEADERS] = headers
   }

package/packages/dd-trace/src/appsec/iast/index.js CHANGED Viewed

@@ -3,6 +3,7 @@
 const dc = require('dc-polyfill')
 const web = require('../../plugins/util/web')
 const { storage } = require('../../../../datadog-core')
+const { isEmpty } = require('../../util')
 const { enable: enableFsPlugin, disable: disableFsPlugin, IAST_MODULE } = require('../rasp/fs-plugin')
 const { incomingHttpRequestStart, incomingHttpRequestEnd, responseWriteHead } = require('../channels')
 const vulnerabilityReporter = require('./vulnerability-reporter')
@@ -96,7 +97,7 @@ function onIncomingHttpRequestEnd (data) {
       iastResponseEnd.publish({ ...data, storedHeaders })
-      if (Object.keys(storedHeaders).length) {
+      if (!isEmpty(storedHeaders)) {
         collectedResponseHeaders.delete(data.res)
       }
@@ -118,7 +119,7 @@ function onIncomingHttpRequestEnd (data) {
 function onResponseWriteHeadCollect ({ res, responseHeaders = {} }) {
   if (!res) return
-  if (Object.keys(responseHeaders).length) {
+  if (!isEmpty(responseHeaders)) {
     collectedResponseHeaders.set(res, responseHeaders)
   }
 }

package/packages/dd-trace/src/appsec/rasp/ssrf.js CHANGED Viewed

@@ -9,6 +9,7 @@ const addresses = require('../addresses')
 const web = require('../../plugins/util/web')
 const { getActiveRequest } = require('../store')
 const waf = require('../waf')
+const { isEmpty } = require('../../util')
 const downstream = require('../downstream_requests')
 const { updateRaspRuleMatchMetricTags } = require('../telemetry')
 const { RULE_TYPES, handleResult } = require('./utils')
@@ -85,7 +86,7 @@ function handleResponseFinish ({ ctx, res, body }) {
 function runResponseEvaluation (res, req, responseBody) {
   const responseAddresses = downstream.extractResponseData(res, responseBody)
-  if (!Object.keys(responseAddresses).length) return
+  if (isEmpty(responseAddresses)) return
   const raspRule = { type: RULE_TYPES.SSRF, variant: 'response' }
   const result = waf.run({ ephemeral: responseAddresses }, req, raspRule)

package/packages/dd-trace/src/appsec/reporter.js CHANGED Viewed

@@ -461,7 +461,7 @@ function truncateRequestBody (target, depth = 0) {
 }
 function reportRequestBody (rootSpan, requestBody, comesFromRaspAction = false) {
-  if (!requestBody || Object.keys(requestBody).length === 0) return
+  if (!requestBody || isEmpty(requestBody)) return
   if (!rootSpan.meta_struct) {
     rootSpan.meta_struct = {}

package/packages/dd-trace/src/ci-visibility/exporters/agentless/index.js CHANGED Viewed

@@ -9,7 +9,7 @@ const CoverageWriter = require('./coverage-writer')
 class AgentlessCiVisibilityExporter extends CiVisibilityExporter {
   constructor (config) {
     super(config)
-    const { tags, site, url, isTestDynamicInstrumentationEnabled } = config
+    const { tags, site, DD_CIVISIBILITY_AGENTLESS_URL: url, isTestDynamicInstrumentationEnabled } = config
     // we don't need to request /info because we are using agentless by configuration
     this._isInitialized = true
     this._resolveCanUseCiVisProtocol(true)

package/packages/dd-trace/src/config/defaults.js CHANGED Viewed

@@ -72,6 +72,12 @@ for (const [name, value] of Object.entries(defaults)) {
 function generateTelemetry (value = null, origin, optionName) {
   const tableEntry = configurationsTable[optionName]
   const { type, canonicalName = optionName } = tableEntry ?? { type: typeof value }
+  // Sensitive configurations are excluded from configuration telemetry: their
+  // entry is never added to `configWithOrigin`, the single source for every
+  // telemetry path (app-started and app-client-configuration-change).
+  if (sensitiveConfigurations.has(canonicalName)) {
+    return
+  }
   // TODO: Should we not send defaults to telemetry to reduce size?
   // TODO: How to handle aliases/actual names in the future? Optional fields? Normalize the name at intake?
   // TODO: Validate that space separated tags are parsed by the backend. Optimizations would be possible with that.
@@ -196,6 +202,11 @@ const fallbackConfigurations = new Map()
 const regExps = {}
+// Canonical names of configurations whose value is excluded from configuration
+// telemetry. Driven by the `sensitive: true` attribute in
+// `supported-configurations.json` so new entries opt in without code changes.
+const sensitiveConfigurations = new Set()
 for (const [canonicalName, entries] of Object.entries(supportedConfigurations)) {
   if (entries.length !== 1) {
     // TODO: Determine if we really want to support multiple entries for a canonical name.
@@ -207,6 +218,9 @@ for (const [canonicalName, entries] of Object.entries(supportedConfigurations))
     )
   }
   for (const entry of entries) {
+    if (entry.sensitive) {
+      sensitiveConfigurations.add(canonicalName)
+    }
     const configurationNames = entry.internalPropertyName ? [entry.internalPropertyName] : entry.configurationNames
     const fullPropertyName = configurationNames?.[0] ?? canonicalName
     const type = entry.type.toUpperCase()

package/packages/dd-trace/src/config/generated-config-types.d.ts CHANGED Viewed

@@ -73,7 +73,7 @@ export interface GeneratedConfig {
   DD_APP_KEY: string | undefined;
   DD_AZURE_RESOURCE_GROUP: string | undefined;
   DD_CIVISIBILITY_AGENTLESS_ENABLED: boolean;
-  DD_CIVISIBILITY_AGENTLESS_URL: string | undefined;
+  DD_CIVISIBILITY_AGENTLESS_URL: URL | undefined;
   DD_CIVISIBILITY_AUTO_INSTRUMENTATION_PROVIDER: string | undefined;
   DD_CIVISIBILITY_DANGEROUSLY_FORCE_COVERAGE: boolean;
   DD_CIVISIBILITY_DANGEROUSLY_FORCE_TEST_SKIPPING: boolean;
@@ -130,6 +130,7 @@ export interface GeneratedConfig {
   DD_MINI_AGENT_PATH: string | undefined;
   DD_PIPELINE_EXECUTION_ID: string | undefined;
   DD_PLAYWRIGHT_WORKER: string | undefined;
+  DD_PROFILING_ALLOCATION_ENABLED: boolean;
   DD_PROFILING_ASYNC_CONTEXT_FRAME_ENABLED: boolean;
   DD_PROFILING_CODEHOTSPOTS_ENABLED: boolean;
   DD_PROFILING_CPU_ENABLED: boolean;

package/packages/dd-trace/src/config/helper.js CHANGED Viewed

@@ -13,6 +13,7 @@
  * @property {string} [transform]
  * @property {string} [allowed]
  * @property {string|boolean} [deprecated]
+ * @property {boolean} [sensitive] Excludes the configuration value from configuration telemetry.
  */
 /**

package/packages/dd-trace/src/config/index.js CHANGED Viewed

@@ -2,7 +2,7 @@
 const fs = require('node:fs')
 const os = require('node:os')
-const { URL } = require('node:url')
+const { URL, format } = require('node:url')
 const rfdc = require('../../../../vendor/dist/rfdc')({ proto: false, circles: false })
 const uuid = require('../../../../vendor/dist/crypto-randomuuid') // we need to keep the old uuid dep because of cypress
@@ -322,18 +322,14 @@ class Config extends ConfigBase {
   #applyCalculated () {
     undo(this, 'calculated')
-    if (this.DD_CIVISIBILITY_AGENTLESS_URL ||
-        this.url ||
+    if (this.url ||
         os.type() !== 'Windows_NT' &&
         !trackedConfigOrigins.has('hostname') &&
         !trackedConfigOrigins.has('port') &&
-        !this.DD_CIVISIBILITY_AGENTLESS_ENABLED &&
         fs.existsSync('/var/run/datadog/apm.socket')) {
-      setAndTrack(
-        this,
-        'url',
-        new URL(this.DD_CIVISIBILITY_AGENTLESS_URL || this.url || 'unix:///var/run/datadog/apm.socket')
-      )
+      setAndTrack(this, 'url', new URL(this.url || 'unix:///var/run/datadog/apm.socket'))
+    } else {
+      setAndTrack(this, 'url', new URL(format({ protocol: 'http:', hostname: this.hostname, port: this.port })))
     }
     if (this.isCiVisibility) {

package/packages/dd-trace/src/config/parsers.js CHANGED Viewed

@@ -145,6 +145,14 @@ const transformers = {
     }
     return value.replaceAll(/\s*:\s*/g, ':')
   },
+  /**
+   * @param {string} value
+   */
+  toURL (value) {
+    try {
+      return new URL(value)
+    } catch {}
+  },
   validatePropagationStyles (value, optionName) {
     value = transformers.toLowerCase(value)
     for (let index = 0; index < value.length; index++) {

package/packages/dd-trace/src/config/supported-configurations.json CHANGED Viewed

@@ -111,7 +111,8 @@
         "aliases": [
           "DATADOG_API_KEY"
         ],
-        "internalPropertyName": "apiKey"
+        "internalPropertyName": "apiKey",
+        "sensitive": true
       }
     ],
     "DD_API_SECURITY_ENABLED": [
@@ -423,7 +424,8 @@
       {
         "implementation": "A",
         "type": "string",
-        "default": null
+        "default": null,
+        "sensitive": true
       }
     ],
     "DD_AZURE_RESOURCE_GROUP": [
@@ -444,6 +446,7 @@
       {
         "implementation": "A",
         "type": "string",
+        "transform": "toURL",
         "default": null
       }
     ],
@@ -1305,6 +1308,13 @@
         "default": null
       }
     ],
+    "DD_PROFILING_ALLOCATION_ENABLED": [
+      {
+        "implementation": "A",
+        "type": "boolean",
+        "default": "false"
+      }
+    ],
     "DD_PROFILING_ASYNC_CONTEXT_FRAME_ENABLED": [
       {
         "implementation": "A",
@@ -3913,7 +3923,8 @@
       {
         "implementation": "B",
         "type": "map",
-        "default": null
+        "default": null,
+        "sensitive": true
       }
     ],
     "OTEL_EXPORTER_OTLP_TRACES_ENDPOINT": [
@@ -3930,7 +3941,8 @@
         "default": null,
         "aliases": [
           "OTEL_EXPORTER_OTLP_HEADERS"
-        ]
+        ],
+        "sensitive": true
       }
     ],
     "OTEL_EXPORTER_OTLP_TRACES_PROTOCOL": [
@@ -3968,7 +3980,8 @@
         "default": null,
         "aliases": [
           "OTEL_EXPORTER_OTLP_HEADERS"
-        ]
+        ],
+        "sensitive": true
       }
     ],
     "OTEL_EXPORTER_OTLP_LOGS_PROTOCOL": [
@@ -4006,7 +4019,8 @@
         "default": null,
         "aliases": [
           "OTEL_EXPORTER_OTLP_HEADERS"
-        ]
+        ],
+        "sensitive": true
       }
     ],
     "OTEL_EXPORTER_OTLP_METRICS_PROTOCOL": [

package/packages/dd-trace/src/crashtracking/crashtracker.js CHANGED Viewed

@@ -7,7 +7,6 @@ const libdatadog = require('@datadog/libdatadog')
 const binding = libdatadog.load('crashtracker')
 const log = require('../log')
-const { getAgentUrl } = require('../agent/url')
 const pkg = require('../../../../package.json')
 const processTags = require('../process-tags')
@@ -68,7 +67,7 @@ class Crashtracker {
    * @param {import('../config/config-base')} config - Tracer configuration
    */
   #getConfig (config) {
-    const url = getAgentUrl(config)
+    const url = config.url
     // Out-of-process symbolication currently works on
     // Linux only, does not work on Mac.
@@ -78,6 +77,7 @@ class Crashtracker {
     return {
       additional_files: [],
+      collect_all_threads: true,
       create_alt_stack: true,
       use_alt_stack: true,
       endpoint: {

package/packages/dd-trace/src/datastreams/writer.js CHANGED Viewed

@@ -5,7 +5,6 @@ const pkg = require('../../../../package.json')
 const log = require('../log')
 const request = require('../exporters/common/request')
 const { encode: encodeMsgpack } = require('../msgpack')
-const { getAgentUrl } = require('../agent/url')
 function makeRequest (data, url, cb) {
   const options = {
@@ -29,7 +28,7 @@ function makeRequest (data, url, cb) {
 class DataStreamsWriter {
   constructor (config) {
-    this._url = getAgentUrl(config)
+    this._url = config.url
   }
   flush (payload) {

package/packages/dd-trace/src/debugger/config.js CHANGED Viewed

@@ -16,7 +16,7 @@ module.exports = function getDebuggerConfig (config, inputPath) {
     repositoryUrl,
     runtimeId: config.tags['runtime-id'],
     service: config.service,
-    url: config.url?.toString(),
+    url: config.url.toString(),
     version: config.version,
     inputPath,
   }

package/packages/dd-trace/src/debugger/devtools_client/config.js CHANGED Viewed

@@ -1,7 +1,6 @@
 'use strict'
 const { workerData: { config: parentConfig, parentThreadId, configPort } } = require('node:worker_threads')
-const { getAgentUrl } = require('../../agent/url')
 const processTags = require('../../process-tags')
 const log = require('./log')
@@ -21,6 +20,8 @@ configPort.on('messageerror', (err) =>
 )
 function updateConfig (updates) {
-  config.url = getAgentUrl(updates)
+  // The worker receives a serialized config (see ../config.js) where `url` is a string, so it is
+  // reconstructed into a URL here rather than read directly off a Config instance.
+  config.url = new URL(updates.url)
   config.dynamicInstrumentation.captureTimeoutNs = BigInt(updates.dynamicInstrumentation.captureTimeoutMs) * 1_000_000n
 }

package/packages/dd-trace/src/debugger/index.js CHANGED Viewed

@@ -6,7 +6,6 @@ const { join } = require('path')
 const { Worker, MessageChannel, threadId: parentThreadId } = require('worker_threads')
 const log = require('../log')
 const { fetchAgentInfo } = require('../agent/info')
-const { getAgentUrl } = require('../agent/url')
 const getDebuggerConfig = require('./config')
 const { DEBUGGER_DIAGNOSTICS_V1, DEBUGGER_INPUT_V2 } = require('./constants')
@@ -211,7 +210,7 @@ function cleanup (error) {
 function detectDebuggerEndpoint (config, cb) {
   log.debug('[debugger] Detecting available debugger endpoints...')
-  fetchAgentInfo(getAgentUrl(config), (err, agentInfo) => {
+  fetchAgentInfo(config.url, (err, agentInfo) => {
     if (err) {
       log.warn('[debugger] Failed to query agent %s endpoint, falling back to %s',
         DEBUGGER_INPUT_V2,

package/packages/dd-trace/src/dogstatsd.js CHANGED Viewed

@@ -6,7 +6,6 @@ const isIP = require('net').isIP
 const request = require('./exporters/common/request')
 const log = require('./log')
 const Histogram = require('./histogram')
-const { getAgentUrl } = require('./agent/url')
 const { entityId } = require('./exporters/common/docker')
 const MAX_BUFFER_SIZE = 1024 // limit from the agent
@@ -191,8 +190,8 @@ class DogStatsDClient {
       lookup: config.lookup,
     }
-    if (config.url || config.port) {
-      clientConfig.metricsProxyUrl = getAgentUrl(config)
+    if (config.url) {
+      clientConfig.metricsProxyUrl = config.url
     }
     return clientConfig