dd-trace 5.108.0 → 5.109.0

package/packages/dd-trace/src/appsec/downstream_requests.js

@@ -14,19 +14,32 @@ const {
 const KNUTH_FACTOR = 11400714819323199488n // eslint-disable-line unicorn/numeric-separators-style
 const UINT64_MAX = (1n << 64n) - 1n
 
+const SUPPORTED_RESPONSE_BODY_MIME_TYPES = new Set([
+  'application/json',
+  'text/json',
+  'application/x-www-form-urlencoded',
+])
+
+const RESPONSE_BODY_IGNORED_TAG_CONTENT_TYPE =
+  '_dd.appsec.downstream_request.response_body_ignored.content_type_invalid'
+const RESPONSE_BODY_IGNORED_TAG_CONTENT_LENGTH_MISSING =
+  '_dd.appsec.downstream_request.response_body_ignored.content_length_missing'
+const RESPONSE_BODY_IGNORED_TAG_CONTENT_LENGTH_TOO_BIG =
+  '_dd.appsec.downstream_request.response_body_ignored.content_length_too_big'
+
 let config
 let samplingRate
 let globalRequestCounter
 let bodyAnalysisCount
 let downstreamAnalysisCount
-let redirectBodyCollectionDecisions
+let responseBodyIgnoredCount
 
 function enable (_config) {
   config = _config
   globalRequestCounter = 0n
   bodyAnalysisCount = new WeakMap()
   downstreamAnalysisCount = new WeakMap()
-  redirectBodyCollectionDecisions = new WeakMap()
+  responseBodyIgnoredCount = new WeakMap()
 
   const bodyAnalysisSampleRate = config.appsec.apiSecurity?.downstreamBodyAnalysisSampleRate
   samplingRate = Math.min(Math.max(bodyAnalysisSampleRate, 0), 1)
@@ -43,49 +56,84 @@ function disable () {
   globalRequestCounter = null
   bodyAnalysisCount = null
   downstreamAnalysisCount = null
-  redirectBodyCollectionDecisions = null
+  responseBodyIgnoredCount = null
 }
 
 /**
- * Check we have a stored redirect body collection decision for a given URL.
- * @param {import('http').IncomingMessage} req outgoing request.
- * @param {string} outgoingUrl the URL being requested.
- * @returns {boolean} the stored decision
+ * @param {string|string[]|undefined} contentLength raw content-length header value.
+ * @returns {number|null} parsed content length or null when invalid.
  */
-function consumeRedirectBodyCollectionDecision (req, outgoingUrl) {
-  const decisions = redirectBodyCollectionDecisions.get(req)
-  if (!decisions) return false
+function parseContentLengthHeader (contentLength) {
+  if (contentLength == null) {
+    return null
+  }
+
+  const value = Array.isArray(contentLength) ? contentLength[0] : contentLength
+  const parsed = Number.parseInt(String(value), 10)
 
-  return decisions.delete(outgoingUrl)
+  if (!Number.isFinite(parsed) || parsed < 0) {
+    return null
+  }
+
+  return parsed
 }
 
 /**
- * Stores a redirect body collection decision for a follow-up request.
- * @param {import('http').IncomingMessage} req outgoing request.
- * @param {string} redirectUrl the URL to redirect to.
+ * Increments a response-body-ignored counter on the service-entry span.
+ * @param {import('http').IncomingMessage} req originating request.
+ * @param {string} tag full `_dd.appsec.downstream_request.response_body_ignored.*` span tag.
  */
-function storeRedirectBodyCollectionDecision (req, redirectUrl) {
-  let decisions = redirectBodyCollectionDecisions.get(req)
+function recordResponseBodyIgnored (req, tag) {
+  const span = web.root(req)
+  if (!span) return
 
-  if (!decisions) {
-    decisions = new Set()
-    redirectBodyCollectionDecisions.set(req, decisions)
+  let counts = responseBodyIgnoredCount.get(req)
+  if (!counts) {
+    counts = {}
+    responseBodyIgnoredCount.set(req, counts)
   }
 
-  decisions.add(redirectUrl)
+  const current = counts[tag] || 0
+  const next = current + 1
+  counts[tag] = next
+  span.setTag(tag, next)
 }
 
 /**
- * Determines whether the current downstream request/responses bodies should be sampled for analysis.
- * @param {import('http').IncomingMessage} req outgoing request.
- * @param {string} outgoingUrl the URL being requested (to check for redirect decisions).
- * @returns {boolean} true when the downstream response body should be captured.
+ * @param {import('http').IncomingMessage} originatingReq inbound request (for metrics).
+ * @param {import('http').IncomingMessage} res downstream response.
+ * @returns {boolean} whether downstream response body should be collected for AppSec.
  */
-function shouldSampleBody (req, outgoingUrl) {
-  // Check if there's a stored decision from a previous redirect
-  const storedDecision = consumeRedirectBodyCollectionDecision(req, outgoingUrl)
-  if (storedDecision) return true
+function evaluateResponseBodyCollection (originatingReq, res) {
+  const maxBytes = config.appsec.apiSecurity.maxDownstreamBodyBytes
+
+  const mime = extractMimeType(res.headers?.['content-type'])
+  if (!mime || !SUPPORTED_RESPONSE_BODY_MIME_TYPES.has(mime)) {
+    recordResponseBodyIgnored(originatingReq, RESPONSE_BODY_IGNORED_TAG_CONTENT_TYPE)
+    return false
+  }
+
+  const declaredContentLength = parseContentLengthHeader(res.headers?.['content-length'])
+  if (declaredContentLength == null || declaredContentLength === 0) {
+    recordResponseBodyIgnored(originatingReq, RESPONSE_BODY_IGNORED_TAG_CONTENT_LENGTH_MISSING)
+    return false
+  }
+
+  if (declaredContentLength > maxBytes) {
+    recordResponseBodyIgnored(originatingReq, RESPONSE_BODY_IGNORED_TAG_CONTENT_LENGTH_TOO_BIG)
+    return false
+  }
+
+  return true
+}
 
+/**
+ * Probabilistic gate for downstream response body capture (rate + per-request cap).
+ * Only used from {@link planResponseBodyCollection}; does not increment {@link bodyAnalysisCount}.
+ * @param {import('http').IncomingMessage} req originating server request.
+ * @returns {boolean}
+ */
+function shouldSampleBody (req) {
   globalRequestCounter = (globalRequestCounter + 1n) & UINT64_MAX
 
   const currentCount = bodyAnalysisCount.get(req) || 0
@@ -97,14 +145,43 @@ function shouldSampleBody (req, outgoingUrl) {
   // Replace 1000n with the accuraccy that we want to maintain
   const threshold = (UINT64_MAX * BigInt(Math.round(samplingRate * 1000))) / 1000n
 
-  const shouldCollectBody = hashed <= threshold
+  return hashed <= threshold
+}
+
+/**
+ * @param {import('http').IncomingMessage} res downstream HTTP response.
+ * @returns {boolean}
+ */
+function isRedirectResponse (res) {
+  const location = res.headers?.location || ''
+  return res.statusCode >= 300 && res.statusCode < 400 && !!location
+}
+
+/**
+ * Plans downstream response body capture on the instrumentation ctx when response headers arrive.
+ * Redirect responses (3xx + Location) are ignored; each outbound hop is evaluated independently
+ * when its own non-redirect response arrives.
+ * @param {import('http').IncomingMessage} originatingReq incoming server request.
+ * @param {import('http').IncomingMessage} res downstream response.
+ * @param {object} ctx http client instrumentation context (mutated).
+ */
+function planResponseBodyCollection (originatingReq, res, ctx) {
+  if (!config?.appsec.apiSecurity) {
+    return
+  }
 
-  // Track body analysis count if we're sampling the response body
-  if (shouldCollectBody) {
-    incrementBodyAnalysisCount(req)
+  if (isRedirectResponse(res)) {
+    return
   }
 
-  return shouldCollectBody
+  if (!shouldSampleBody(originatingReq)) {
+    return
+  }
+
+  if (evaluateResponseBodyCollection(originatingReq, res)) {
+    ctx.shouldCollectBody = true
+    incrementBodyAnalysisCount(originatingReq)
+  }
 }
 
 /**
@@ -145,25 +222,6 @@ function extractRequestData (ctx) {
   return addresses
 }
 
-/**
- * Checks if a response is a redirect
- * @param {import('http').IncomingMessage} req incoming server request.
- * @param {import('http').IncomingMessage} res downstream response object.
- * @returns {boolean} is redirect.
- */
-function handleRedirectResponse (req, res) {
-  const isRedirect = res.statusCode >= 300 && res.statusCode < 400
-  const redirectLocation = res.headers?.location || ''
-
-  if (isRedirect && redirectLocation) {
-    // Store the body collection decision for the redirect target
-    storeRedirectBodyCollectionDecision(req, redirectLocation)
-    return true
-  }
-
-  return false
-}
-
 /**
  * Extracts response data for WAF analysis.
  * @param {import('http').IncomingMessage} res downstream response object.
@@ -291,13 +349,8 @@ function extractMimeType (contentType) {
 module.exports = {
   enable,
   disable,
-  shouldSampleBody,
-  handleRedirectResponse,
+  planResponseBodyCollection,
   incrementDownstreamAnalysisCount,
   extractRequestData,
   extractResponseData,
-  // exports for tests
-  parseBody,
-  getMethod,
-  storeRedirectBodyCollectionDecision,
 }

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/ldap-sensitive-analyzer.js

@@ -2,24 +2,66 @@
 
 const log = require('../../../../../log')
 
-const LDAP_PATTERN = String.raw`\(.*?(?:~=|=|<=|>=)(?<LITERAL>[^)]+)\)`
-const pattern = new RegExp(LDAP_PATTERN, 'gmi')
+const OPEN_PAREN = 0x28
+const CLOSE_PAREN = 0x29
+const EQUALS = 0x3D
+const TILDE = 0x7E
+const LESS = 0x3C
+const GREATER = 0x3E
 
+// Linear scanner for LDAP assertion-filter values. For each parenthesised group
+// "(attr <op> value)" where <op> is "=", "~=", "<=", or ">=" and no nested
+// parenthesis appears before the operator, report the value range [opEnd, ')').
+// The cursor only ever moves forward, so total work is O(input length).
 module.exports = function extractSensitiveRanges (evidence) {
   try {
-    pattern.lastIndex = 0
+    const value = evidence?.value
     const tokens = []
+    if (typeof value !== 'string') return tokens
 
-    let regexResult = pattern.exec(evidence.value)
-    while (regexResult != null) {
-      if (!regexResult.groups.LITERAL) continue
-      // Computing indices manually since Node.js 12 does not support d flag on regular expressions
-      // TODO Get indices from group by adding d flag in regular expression
-      const start = regexResult.index + (regexResult[0].length - regexResult.groups.LITERAL.length - 1)
-      const end = start + regexResult.groups.LITERAL.length
-      tokens.push({ start, end })
-      regexResult = pattern.exec(evidence.value)
+    const length = value.length
+    let cursor = 0
+
+    while (cursor < length) {
+      const open = value.indexOf('(', cursor)
+      if (open === -1) break
+
+      let scan = open + 1
+      let opStart = -1
+      let opLen = 0
+
+      while (scan < length) {
+        const code = value.charCodeAt(scan)
+        if (code === OPEN_PAREN || code === CLOSE_PAREN) break
+        if (code === EQUALS) {
+          opStart = scan
+          opLen = 1
+          break
+        }
+        if ((code === TILDE || code === LESS || code === GREATER) &&
+            scan + 1 < length && value.charCodeAt(scan + 1) === EQUALS) {
+          opStart = scan
+          opLen = 2
+          break
+        }
+        scan++
+      }
+
+      if (opStart === -1) {
+        cursor = open + 1
+        continue
+      }
+
+      const close = value.indexOf(')', opStart + opLen)
+      if (close === -1) break
+
+      const start = opStart + opLen
+      if (start < close) {
+        tokens.push({ start, end: close })
+      }
+      cursor = close + 1
     }
+
     return tokens
   } catch (e) {
     log.debug('[ASM] Error extracting sensitive ranges', e)

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/url-sensitive-analyzer.js

@@ -3,7 +3,11 @@
 const log = require('../../../../../log')
 
 const AUTHORITY = '^(?:[^:]+:)?//([^@]+)@'
-const QUERY_FRAGMENT = '[?#&]([^=&;]+)=([^?#&]+)'
+// The key class excludes `?` and `#` so the greedy quantifier is bounded per fragment.
+// Query keys cannot legitimately contain those characters (they delimit query/fragment
+// boundaries), so excluding them preserves match semantics for valid URLs while keeping
+// the regex linear on arbitrary input.
+const QUERY_FRAGMENT = '[?#&]([^=&;?#]+)=([^?#&]+)'
 const pattern = new RegExp([AUTHORITY, QUERY_FRAGMENT].join('|'), 'gmi')
 
 module.exports = function extractSensitiveRanges (evidence) {

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js

@@ -17,6 +17,11 @@ const urlSensitiveAnalyzer = require('./sensitive-analyzers/url-sensitive-analyz
 
 const REDACTED_SOURCE_BUFFER = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
 
+// Upper bound on the evidence-string length the redaction analyzers will scan. Oversized
+// values bypass the analyzer entirely and are emitted as a fully-redacted placeholder.
+// Counted in JS string characters (UTF-16 code units), not bytes.
+const MAX_EVIDENCE_LENGTH = 32_768
+
 class SensitiveHandler {
   constructor () {
     this._namePattern = new RegExp(/** @type {string} */ (defaults['iast.redactionNamePattern']), 'gmi')
@@ -53,11 +58,31 @@ class SensitiveHandler {
 
   scrubEvidence (vulnerabilityType, evidence, sourcesIndexes, sources) {
     const sensitiveAnalyzer = this._sensitiveAnalyzers.get(vulnerabilityType)
-    if (sensitiveAnalyzer) {
-      const sensitiveRanges = sensitiveAnalyzer(evidence)
-      if (evidence.ranges || sensitiveRanges?.length) {
-        return this.toRedactedJson(evidence, sensitiveRanges, sourcesIndexes, sources)
+    if (!sensitiveAnalyzer) {
+      return null
+    }
+
+    // Oversized evidence: skip the analyzer and emit a fully-redacted placeholder. Mark
+    // every source backing this vulnerability as redacted so the formatter strips their
+    // raw `value` before they leave the process.
+    if (typeof evidence.value === 'string' && evidence.value.length > MAX_EVIDENCE_LENGTH) {
+      const redactedSources = []
+      for (const sourceIndex of sourcesIndexes) {
+        const source = sources[sourceIndex]
+        if (source && !source.redacted) {
+          source.pattern = ''.padEnd(source.value.length, REDACTED_SOURCE_BUFFER)
+          source.redacted = true
+        }
+        if (!redactedSources.includes(sourceIndex)) {
+          redactedSources.push(sourceIndex)
+        }
       }
+      return { redactedValueParts: [{ redacted: true }], redactedSources }
+    }
+
+    const sensitiveRanges = sensitiveAnalyzer(evidence)
+    if (evidence.ranges || sensitiveRanges?.length) {
+      return this.toRedactedJson(evidence, sensitiveRanges, sourcesIndexes, sources)
     }
     return null
   }

package/packages/dd-trace/src/appsec/rasp/ssrf.js

@@ -3,6 +3,7 @@
 const { format } = require('url')
 const {
   httpClientRequestStart,
+  httpClientResponseStart,
   httpClientResponseFinish,
 } = require('../channels')
 const addresses = require('../addresses')
@@ -21,6 +22,7 @@ function enable (_config) {
   downstream.enable(_config)
 
   httpClientRequestStart.subscribe(analyzeSsrf)
+  httpClientResponseStart.subscribe(planResponseBodyCollection)
   httpClientResponseFinish.subscribe(handleResponseFinish)
 }
 
@@ -28,6 +30,7 @@ function disable () {
   downstream.disable()
 
   if (httpClientRequestStart.hasSubscribers) httpClientRequestStart.unsubscribe(analyzeSsrf)
+  if (httpClientResponseStart.hasSubscribers) httpClientResponseStart.unsubscribe(planResponseBodyCollection)
   if (httpClientResponseFinish.hasSubscribers) httpClientResponseFinish.unsubscribe(handleResponseFinish)
 }
 
@@ -37,9 +40,6 @@ function analyzeSsrf (ctx) {
 
   if (!req || !outgoingUrl) return
 
-  // Determine if we should collect the response body based on sampling rate and redirect URL
-  ctx.shouldCollectBody = downstream.shouldSampleBody(req, outgoingUrl)
-
   const requestAddresses = downstream.extractRequestData(ctx)
 
   const ephemeral = {
@@ -56,13 +56,23 @@ function analyzeSsrf (ctx) {
   downstream.incrementDownstreamAnalysisCount(req)
 }
 
+/**
+ * Channel handler: plans downstream response body capture once response headers are available.
+ * @param {{ ctx: object, res: import('http').IncomingMessage }} payload channel payload.
+ */
+function planResponseBodyCollection ({ ctx, res }) {
+  const originatingRequest = getActiveRequest()
+  if (!originatingRequest || !res) return
+
+  downstream.planResponseBodyCollection(originatingRequest, res, ctx)
+}
+
 /**
  * Finalizes body collection for the response and triggers RASP analysis.
- * @param {{
- *   ctx: object,
- *   res: import('http').IncomingMessage,
- *   body: string|Buffer|null
- * }} payload event payload from the channel.
+ * @param {object} params event payload from the channel.
+ * @param {object} params.ctx instrumentation context.
+ * @param {import('http').IncomingMessage} params.res downstream response.
+ * @param {string|Buffer|null} params.body collected body.
  */
 function handleResponseFinish ({ ctx, res, body }) {
   // downstream response object
@@ -71,9 +81,7 @@ function handleResponseFinish ({ ctx, res, body }) {
   const originatingRequest = getActiveRequest()
   if (!originatingRequest) return
 
-  // Skip body analysis for redirect responses
-  const evaluateBody = ctx.shouldCollectBody && !downstream.handleRedirectResponse(originatingRequest, res)
-  const responseBody = evaluateBody ? body : null
+  const responseBody = ctx.shouldCollectBody ? body : null
   runResponseEvaluation(res, originatingRequest, responseBody)
 }
 

package/packages/dd-trace/src/config/generated-config-types.d.ts

@@ -11,6 +11,7 @@ export interface GeneratedConfig {
       enabled: boolean;
       endpointCollectionEnabled: boolean;
       endpointCollectionMessageLimit: number;
+      maxDownstreamBodyBytes: number;
       maxDownstreamRequestBodyAnalysis: number;
       sampleDelay: number;
     };
@@ -87,6 +88,7 @@ export interface GeneratedConfig {
   DD_CRASHTRACKING_ENABLED: boolean;
   DD_CUSTOM_PARENT_ID: string | undefined;
   DD_CUSTOM_TRACE_ID: string | undefined;
+  DD_DURABLE_CROSS_INVOCATION_TRACING_ENABLED: boolean;
   DD_ENABLE_LAGE_PACKAGE_NAME: boolean;
   DD_ENABLE_NX_SERVICE_NAME: boolean;
   DD_EXPERIMENTAL_PROPAGATE_PROCESS_TAGS_ENABLED: boolean;
@@ -177,6 +179,7 @@ export interface GeneratedConfig {
   DD_TRACE_APOLLO_SUBGRAPH_ENABLED: boolean;
   DD_TRACE_AVSC_ENABLED: boolean;
   DD_TRACE_AWS_ADD_SPAN_POINTERS: boolean;
+  DD_TRACE_AWS_DURABLE_EXECUTION_SDK_JS_ENABLED: boolean;
   DD_TRACE_AWS_SDK_AWS_BATCH_PROPAGATION_ENABLED: boolean;
   DD_TRACE_AWS_SDK_AWS_ENABLED: boolean;
   DD_TRACE_AWS_SDK_BATCH_PROPAGATION_ENABLED: boolean;

package/packages/dd-trace/src/config/supported-configurations.json

@@ -167,6 +167,14 @@
         "default": "1"
       }
     ],
+    "DD_API_SECURITY_MAX_DOWNSTREAM_BODY_BYTES": [
+      {
+        "implementation": "A",
+        "type": "int",
+        "internalPropertyName": "appsec.apiSecurity.maxDownstreamBodyBytes",
+        "default": "10485760"
+      }
+    ],
     "DD_API_SECURITY_SAMPLE_DELAY": [
       {
         "implementation": "A",
@@ -1247,6 +1255,20 @@
         "default": "false"
       }
     ],
+    "DD_TRACE_AWS_DURABLE_EXECUTION_SDK_JS_ENABLED": [
+      {
+        "implementation": "A",
+        "type": "boolean",
+        "default": "true"
+      }
+    ],
+    "DD_DURABLE_CROSS_INVOCATION_TRACING_ENABLED": [
+      {
+        "implementation": "A",
+        "type": "boolean",
+        "default": "true"
+      }
+    ],
     "DD_TRACE_LOG_LEVEL": [
       {
         "implementation": "C",
@@ -2633,9 +2655,9 @@
     ],
     "DD_TRACE_FS_ENABLED": [
       {
-        "implementation": "A",
+        "implementation": "B",
         "type": "boolean",
-        "default": "true"
+        "default": "false"
       }
     ],
     "DD_TRACE_GCP_PUBSUB_PUSH_ENABLED": [

package/packages/dd-trace/src/debugger/devtools_client/breakpoints.js

@@ -269,6 +269,8 @@ async function reEvaluateProbe (probe) {
     if (probeToLocation.has(probe.id)) {
       await removeBreakpoint(probe)
     }
+    // TODO: Revisit diagnostic status handling for probes that recover during re-evaluation. A probe can initially
+    // report ERROR because no script matched, then attach successfully here without reporting INSTALLED.
     await addBreakpoint(probe)
   }
 }

package/packages/dd-trace/src/dogstatsd.js

@@ -3,11 +3,14 @@
 const dgram = require('dgram')
 const isIP = require('net').isIP
 
+const { storage } = require('../../datadog-core')
 const request = require('./exporters/common/request')
 const log = require('./log')
 const Histogram = require('./histogram')
 const { entityId } = require('./exporters/common/docker')
 
+const legacyStorage = storage('legacy')
+
 const MAX_BUFFER_SIZE = 1024 // limit from the agent
 
 const TYPE_COUNTER = 'c'
@@ -98,14 +101,18 @@ class DogStatsDClient {
   }
 
   _sendUdp (queue) {
-    if (this._family === 0) {
-      this.#lookup(this._host, (err, address, family) => {
-        if (err) return log.error('DogStatsDClient: Host not found', err)
-        this._sendUdpFromQueue(queue, address, family)
-      })
-    } else {
-      this._sendUdpFromQueue(queue, this._host, this._family)
-    }
+    // dgram resolves the local address via the instrumented dns.lookup when it
+    // binds on first send; the noop store keeps that self-traffic off the trace.
+    legacyStorage.run({ noop: true }, () => {
+      if (this._family === 0) {
+        this.#lookup(this._host, (error, address, family) => {
+          if (error) return log.error('DogStatsDClient: Host not found', error)
+          this._sendUdpFromQueue(queue, address, family)
+        })
+      } else {
+        this._sendUdpFromQueue(queue, this._host, this._family)
+      }
+    })
   }
 
   _sendUdpFromQueue (queue, address, family) {

package/packages/dd-trace/src/exporters/agentless/index.js

@@ -7,6 +7,7 @@ const log = require('../../log')
 const { entityId } = require('../common/docker')
 const tracerVersion = require('../../../../../package.json').version
 const Writer = require('./writer')
+const { computeIntakeUrl } = require('./intake')
 
 /**
  * Agentless exporter for APM trace intake.
@@ -15,6 +16,7 @@ const Writer = require('./writer')
  */
 class AgentlessExporter {
   #timer
+  #config
 
   /**
    * @param {object} config - Configuration object
@@ -24,13 +26,13 @@ class AgentlessExporter {
    * @param {object} [config.tags] - Tags including runtime-id
    */
   constructor (config) {
-    this._config = config
+    this.#config = config
     const site = config.site ?? 'datadoghq.com'
 
     try {
-      // Agentless traffic carries the Datadog API key, so the intake is always the public https
-      // endpoint; never derive it from config.url (the agent's cleartext http) or the key leaks.
-      this._url = new URL(`https://public-trace-http-intake.logs.${site}`)
+      // Agentless traffic carries the Datadog API key, so the intake is always an https endpoint
+      // derived from the site; never config.url (the agent's cleartext http) or the key leaks.
+      this._url = new URL(computeIntakeUrl(site))
     } catch (err) {
       log.error('Invalid site for agentless exporter. site=%s. Error: %s', site, err.message)
       this._url = null
@@ -89,7 +91,7 @@ class AgentlessExporter {
   export (spans) {
     this._writer.append(spans)
 
-    const { flushInterval } = this._config
+    const { flushInterval } = this.#config
 
     if (flushInterval === 0) {
       try {

package/packages/dd-trace/src/exporters/agentless/intake.js

@@ -0,0 +1,43 @@
+'use strict'
+
+// Per-site hosts for the agentless JSON span intake. Regional data centers serve it from
+// browser-intake-* hosts rather than public-trace-http-intake.logs.<site>, so a single template
+// silently drops spans on us3/us5/ap1/ap2. Mirrors dd-trace-py's AgentlessTraceWriter.INTAKE_URLS
+// (DataDog/dd-trace-py#18514).
+const INTAKE_URLS = {
+  'datadoghq.com': 'https://public-trace-http-intake.logs.datadoghq.com',
+  'datadoghq.eu': 'https://public-trace-http-intake.logs.datadoghq.eu',
+  'us3.datadoghq.com': 'https://trace.browser-intake-us3-datadoghq.com',
+  'us5.datadoghq.com': 'https://trace.browser-intake-us5-datadoghq.com',
+  'ap1.datadoghq.com': 'https://browser-intake-ap1-datadoghq.com',
+  'ap2.datadoghq.com': 'https://browser-intake-ap2-datadoghq.com',
+  'uk1.datadoghq.com': 'https://browser-intake-uk1-datadoghq.com',
+  'datad0g.com': 'https://public-trace-http-intake.logs.datad0g.com',
+}
+
+// Path of the JSON span intake on every intake host.
+const INTAKE_PATH = '/api/v2/spans'
+
+/**
+ * Resolves the agentless intake origin for a Datadog site.
+ *
+ * Unknown sites fall back to the browser-intake naming: strip the TLD, dash-join the rest, then
+ * reattach the TLD, e.g. 'us2.ddog-gov.com' -> 'https://browser-intake-us2-ddog-gov.com'.
+ *
+ * @param {string} [site] - The Datadog site, e.g. 'us3.datadoghq.com'. Defaults to 'datadoghq.com'.
+ * @returns {string} The intake origin, without a path.
+ */
+function computeIntakeUrl (site = 'datadoghq.com') {
+  const normalized = site.toLowerCase()
+  const known = INTAKE_URLS[normalized]
+  if (known !== undefined) {
+    return known
+  }
+
+  const lastDot = normalized.lastIndexOf('.')
+  const prefix = lastDot === -1 ? '' : normalized.slice(0, lastDot)
+  const tld = lastDot === -1 ? normalized : normalized.slice(lastDot + 1)
+  return `https://browser-intake-${prefix.replaceAll('.', '-')}.${tld}`
+}
+
+module.exports = { INTAKE_URLS, INTAKE_PATH, computeIntakeUrl }