npm - dd-trace - Versions diffs - 5.18.0 → 5.20.0 - Mend

dd-trace 5.18.0 → 5.20.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (75) hide show

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js CHANGED Viewed

@@ -5,6 +5,7 @@ const vulnerabilities = require('../../vulnerabilities')
 const { contains, intersects, remove } = require('./range-utils')
+const codeInjectionSensitiveAnalyzer = require('./sensitive-analyzers/code-injection-sensitive-analyzer')
 const commandSensitiveAnalyzer = require('./sensitive-analyzers/command-sensitive-analyzer')
 const hardcodedPasswordAnalyzer = require('./sensitive-analyzers/hardcoded-password-analyzer')
 const headerSensitiveAnalyzer = require('./sensitive-analyzers/header-sensitive-analyzer')
@@ -23,6 +24,7 @@ class SensitiveHandler {
     this._valuePattern = new RegExp(DEFAULT_IAST_REDACTION_VALUE_PATTERN, 'gmi')
     this._sensitiveAnalyzers = new Map()
+    this._sensitiveAnalyzers.set(vulnerabilities.CODE_INJECTION, codeInjectionSensitiveAnalyzer)
     this._sensitiveAnalyzers.set(vulnerabilities.COMMAND_INJECTION, commandSensitiveAnalyzer)
     this._sensitiveAnalyzers.set(vulnerabilities.NOSQL_MONGODB_INJECTION, jsonSensitiveAnalyzer)
     this._sensitiveAnalyzers.set(vulnerabilities.LDAP_INJECTION, ldapSensitiveAnalyzer)

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-regex.js CHANGED Viewed

@@ -1,7 +1,7 @@
 // eslint-disable-next-line max-len
-const DEFAULT_IAST_REDACTION_NAME_PATTERN = '(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)'
+const DEFAULT_IAST_REDACTION_NAME_PATTERN = '(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?|(?:sur|last)name|user(?:name)?|address|e?mail)'
 // eslint-disable-next-line max-len
-const DEFAULT_IAST_REDACTION_VALUE_PATTERN = '(?:bearer\\s+[a-z0-9\\._\\-]+|glpat-[\\w\\-]{20}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\\w=\\-]+\\.ey[I-L][\\w=\\-]+(?:\\.[\\w.+/=\\-]+)?|(?:[\\-]{5}BEGIN[a-z\\s]+PRIVATE\\sKEY[\\-]{5}[^\\-]+[\\-]{5}END[a-z\\s]+PRIVATE\\sKEY[\\-]{5}|ssh-rsa\\s*[a-z0-9/\\.+]{100,}))'
+const DEFAULT_IAST_REDACTION_VALUE_PATTERN = '(?:bearer\\s+[a-z0-9\\._\\-]+|glpat-[\\w\\-]{20}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\\w=\\-]+\\.ey[I-L][\\w=\\-]+(?:\\.[\\w.+/=\\-]+)?|(?:[\\-]{5}BEGIN[a-z\\s]+PRIVATE\\sKEY[\\-]{5}[^\\-]+[\\-]{5}END[a-z\\s]+PRIVATE\\sKEY[\\-]{5}|ssh-rsa\\s*[a-z0-9/\\.+]{100,})|[\\w\\.-]+@[a-zA-Z\\d\\.-]+\\.[a-zA-Z]{2,})'
 module.exports = {
   DEFAULT_IAST_REDACTION_NAME_PATTERN,

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/index.js CHANGED Viewed

@@ -43,6 +43,8 @@ class VulnerabilityFormatter {
     const valueParts = []
     let fromIndex = 0
+    if (evidence.value == null) return { valueParts }
     if (typeof evidence.value === 'object' && evidence.rangesToApply) {
       const { value, ranges } = stringifyWithRanges(evidence.value, evidence.rangesToApply)
       evidence.value = value
@@ -69,7 +71,7 @@ class VulnerabilityFormatter {
   }
   formatEvidence (type, evidence, sourcesIndexes, sources) {
-    if (typeof evidence.value === 'undefined') {
+    if (evidence.value === undefined) {
       return undefined
     }

package/packages/dd-trace/src/appsec/iast/vulnerabilities.js CHANGED Viewed

@@ -1,5 +1,6 @@
 module.exports = {
   COMMAND_INJECTION: 'COMMAND_INJECTION',
+  CODE_INJECTION: 'CODE_INJECTION',
   HARDCODED_PASSWORD: 'HARDCODED_PASSWORD',
   HARDCODED_SECRET: 'HARDCODED_SECRET',
   HEADER_INJECTION: 'HEADER_INJECTION',

package/packages/dd-trace/src/appsec/index.js CHANGED Viewed

@@ -13,7 +13,8 @@ const {
   nextBodyParsed,
   nextQueryParsed,
   responseBody,
-  responseWriteHead
+  responseWriteHead,
+  responseSetHeader
 } = require('./channels')
 const waf = require('./waf')
 const addresses = require('./addresses')
@@ -23,7 +24,7 @@ const apiSecuritySampler = require('./api_security_sampler')
 const web = require('../plugins/util/web')
 const { extractIp } = require('../plugins/util/ip_extractor')
 const { HTTP_CLIENT_IP } = require('../../../../ext/tags')
-const { block, setTemplates, getBlockingAction } = require('./blocking')
+const { isBlocked, block, setTemplates, getBlockingAction } = require('./blocking')
 const { passportTrackEvent } = require('./passport')
 const { storage } = require('../../../datadog-core')
 const graphql = require('./graphql')
@@ -62,6 +63,7 @@ function enable (_config) {
     cookieParser.subscribe(onRequestCookieParser)
     responseBody.subscribe(onResponseBody)
     responseWriteHead.subscribe(onResponseWriteHead)
+    responseSetHeader.subscribe(onResponseSetHeader)
     if (_config.appsec.eventTracking.enabled) {
       passportVerify.subscribe(onPassportVerify)
@@ -121,16 +123,16 @@ function incomingHttpEndTranslator ({ req, res }) {
   }
   // TODO: temporary express instrumentation, will use express plugin later
-  if (req.params && typeof req.params === 'object') {
+  if (req.params !== null && typeof req.params === 'object') {
     persistent[addresses.HTTP_INCOMING_PARAMS] = req.params
   }
   // we need to keep this to support other cookie parsers
-  if (req.cookies && typeof req.cookies === 'object') {
+  if (req.cookies !== null && typeof req.cookies === 'object') {
     persistent[addresses.HTTP_INCOMING_COOKIES] = req.cookies
   }
-  if (req.query && typeof req.query === 'object') {
+  if (req.query !== null && typeof req.query === 'object') {
     persistent[addresses.HTTP_INCOMING_QUERY] = req.query
   }
@@ -223,11 +225,10 @@ function onPassportVerify ({ credentials, user }) {
 }
 const responseAnalyzedSet = new WeakSet()
-const responseBlockedSet = new WeakSet()
 function onResponseWriteHead ({ req, res, abortController, statusCode, responseHeaders }) {
   // avoid "write after end" error
-  if (responseBlockedSet.has(res)) {
+  if (isBlocked(res)) {
     abortController?.abort()
     return
   }
@@ -255,15 +256,18 @@ function onResponseWriteHead ({ req, res, abortController, statusCode, responseH
   handleResults(results, req, res, rootSpan, abortController)
 }
+function onResponseSetHeader ({ res, abortController }) {
+  if (isBlocked(res)) {
+    abortController?.abort()
+  }
+}
 function handleResults (actions, req, res, rootSpan, abortController) {
   if (!actions || !req || !res || !rootSpan || !abortController) return
   const blockingAction = getBlockingAction(actions)
   if (blockingAction) {
     block(req, res, rootSpan, abortController, blockingAction)
-    if (!abortController.signal || abortController.signal.aborted) {
-      responseBlockedSet.add(res)
-    }
   }
 }
@@ -290,6 +294,7 @@ function disable () {
   if (responseBody.hasSubscribers) responseBody.unsubscribe(onResponseBody)
   if (passportVerify.hasSubscribers) passportVerify.unsubscribe(onPassportVerify)
   if (responseWriteHead.hasSubscribers) responseWriteHead.unsubscribe(onResponseWriteHead)
+  if (responseSetHeader.hasSubscribers) responseSetHeader.unsubscribe(onResponseSetHeader)
 }
 module.exports = {

package/packages/dd-trace/src/appsec/passport.js CHANGED Viewed

@@ -13,7 +13,7 @@ const regexSdkEvent = new RegExp(SDK_USER_EVENT_PATTERN, 'i')
 function isSdkCalled (tags) {
   let called = false
-  if (tags && typeof tags === 'object') {
+  if (tags !== null && typeof tags === 'object') {
     called = Object.entries(tags).some(([key, value]) => regexSdkEvent.test(key) && value === 'true')
   }

package/packages/dd-trace/src/appsec/rasp.js CHANGED Viewed

@@ -3,23 +3,118 @@
 const { storage } = require('../../../datadog-core')
 const web = require('./../plugins/util/web')
 const addresses = require('./addresses')
-const { httpClientRequestStart } = require('./channels')
+const { httpClientRequestStart, setUncaughtExceptionCaptureCallbackStart } = require('./channels')
 const { reportStackTrace } = require('./stack_trace')
 const waf = require('./waf')
+const { getBlockingAction, block } = require('./blocking')
+const log = require('../log')
 const RULE_TYPES = {
   SSRF: 'ssrf'
 }
-let config
+class DatadogRaspAbortError extends Error {
+  constructor (req, res, blockingAction) {
+    super('DatadogRaspAbortError')
+    this.name = 'DatadogRaspAbortError'
+    this.req = req
+    this.res = res
+    this.blockingAction = blockingAction
+  }
+}
+let config, abortOnUncaughtException
+function removeAllListeners (emitter, event) {
+  const listeners = emitter.listeners(event)
+  emitter.removeAllListeners(event)
+  let cleaned = false
+  return function () {
+    if (cleaned === true) {
+      return
+    }
+    cleaned = true
+    for (let i = 0; i < listeners.length; ++i) {
+      emitter.on(event, listeners[i])
+    }
+  }
+}
+function findDatadogRaspAbortError (err, deep = 10) {
+  if (err instanceof DatadogRaspAbortError) {
+    return err
+  }
+  if (err.cause && deep > 0) {
+    return findDatadogRaspAbortError(err.cause, deep - 1)
+  }
+}
+function handleUncaughtExceptionMonitor (err) {
+  const abortError = findDatadogRaspAbortError(err)
+  if (!abortError) return
+  const { req, res, blockingAction } = abortError
+  block(req, res, web.root(req), null, blockingAction)
+  if (!process.hasUncaughtExceptionCaptureCallback()) {
+    const cleanUp = removeAllListeners(process, 'uncaughtException')
+    const handler = () => {
+      process.removeListener('uncaughtException', handler)
+    }
+    setTimeout(() => {
+      process.removeListener('uncaughtException', handler)
+      cleanUp()
+    })
+    process.on('uncaughtException', handler)
+  } else {
+    // uncaughtException event is not executed when hasUncaughtExceptionCaptureCallback is true
+    let previousCb
+    const cb = ({ currentCallback, abortController }) => {
+      setUncaughtExceptionCaptureCallbackStart.unsubscribe(cb)
+      if (!currentCallback) {
+        abortController.abort()
+        return
+      }
+      previousCb = currentCallback
+    }
+    setUncaughtExceptionCaptureCallbackStart.subscribe(cb)
+    process.setUncaughtExceptionCaptureCallback(null)
+    // For some reason, previous callback was defined before the instrumentation
+    // We can not restore it, so we let the app decide
+    if (previousCb) {
+      process.setUncaughtExceptionCaptureCallback(() => {
+        process.setUncaughtExceptionCaptureCallback(null)
+        process.setUncaughtExceptionCaptureCallback(previousCb)
+      })
+    }
+  }
+}
 function enable (_config) {
   config = _config
   httpClientRequestStart.subscribe(analyzeSsrf)
+  process.on('uncaughtExceptionMonitor', handleUncaughtExceptionMonitor)
+  abortOnUncaughtException = process.execArgv?.includes('--abort-on-uncaught-exception')
+  if (abortOnUncaughtException) {
+    log.warn('The --abort-on-uncaught-exception flag is enabled. The RASP module will not block operations.')
+  }
 }
 function disable () {
   if (httpClientRequestStart.hasSubscribers) httpClientRequestStart.unsubscribe(analyzeSsrf)
+  process.off('uncaughtExceptionMonitor', handleUncaughtExceptionMonitor)
 }
 function analyzeSsrf (ctx) {
@@ -32,17 +127,18 @@ function analyzeSsrf (ctx) {
   const persistent = {
     [addresses.HTTP_OUTGOING_URL]: url
   }
-  // TODO: Currently this is only monitoring, we should
-  //     block the request if SSRF attempt
   const result = waf.run({ persistent }, req, RULE_TYPES.SSRF)
-  handleResult(result, req)
+  const res = store?.res
+  handleResult(result, req, res, ctx.abortController)
 }
 function getGenerateStackTraceAction (actions) {
   return actions?.generate_stack
 }
-function handleResult (actions, req) {
+function handleResult (actions, req, res, abortController) {
   const generateStackTraceAction = getGenerateStackTraceAction(actions)
   if (generateStackTraceAction && config.appsec.stackTrace.enabled) {
     const rootSpan = web.root(req)
@@ -53,10 +149,28 @@ function handleResult (actions, req) {
       config.appsec.stackTrace.maxStackTraces
     )
   }
+  if (!abortController || abortOnUncaughtException) return
+  const blockingAction = getBlockingAction(actions)
+  if (blockingAction) {
+    const rootSpan = web.root(req)
+    // Should block only in express
+    if (rootSpan?.context()._name === 'express.request') {
+      const abortError = new DatadogRaspAbortError(req, res, blockingAction)
+      abortController.abort(abortError)
+      // TODO Delete this when support for node 16 is removed
+      if (!abortController.signal.reason) {
+        abortController.signal.reason = abortError
+      }
+    }
+  }
 }
 module.exports = {
   enable,
   disable,
-  handleResult
+  handleResult,
+  handleUncaughtExceptionMonitor // exported only for testing purpose
 }

package/packages/dd-trace/src/appsec/recommended.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": "2.2",
   "metadata": {
-    "rules_version": "1.12.0"
+    "rules_version": "1.13.0"
   },
   "rules": [
     {
@@ -6285,6 +6285,55 @@
         "stack_trace"
       ]
     },
+    {
+      "id": "rasp-932-100",
+      "name": "Shell injection exploit",
+      "enabled": false,
+      "tags": {
+        "type": "command_injection",
+        "category": "vulnerability_trigger",
+        "cwe": "77",
+        "capec": "1000/152/248/88",
+        "confidence": "0",
+        "module": "rasp"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "resource": [
+              {
+                "address": "server.sys.shell.cmd"
+              }
+            ],
+            "params": [
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              },
+              {
+                "address": "server.request.path_params"
+              },
+              {
+                "address": "grpc.server.request.message"
+              },
+              {
+                "address": "graphql.server.all_resolvers"
+              },
+              {
+                "address": "graphql.server.resolver"
+              }
+            ]
+          },
+          "operator": "shi_detector"
+        }
+      ],
+      "transformers": [],
+      "on_match": [
+        "stack_trace"
+      ]
+    },
     {
       "id": "rasp-934-100",
       "name": "Server-side request forgery exploit",
@@ -8388,6 +8437,57 @@
     }
   ],
   "processors": [
+    {
+      "id": "http-endpoint-fingerprint",
+      "generator": "http_endpoint_fingerprint",
+      "conditions": [
+        {
+          "operator": "exists",
+          "parameters": {
+            "inputs": [
+              {
+                "address": "waf.context.event"
+              },
+              {
+                "address": "server.business_logic.users.login.failure"
+              },
+              {
+                "address": "server.business_logic.users.login.success"
+              }
+            ]
+          }
+        }
+      ],
+      "parameters": {
+        "mappings": [
+          {
+            "method": [
+              {
+                "address": "server.request.method"
+              }
+            ],
+            "uri_raw": [
+              {
+                "address": "server.request.uri.raw"
+              }
+            ],
+            "body": [
+              {
+                "address": "server.request.body"
+              }
+            ],
+            "query": [
+              {
+                "address": "server.request.query"
+              }
+            ],
+            "output": "_dd.appsec.fp.http.endpoint"
+          }
+        ]
+      },
+      "evaluate": false,
+      "output": true
+    },
     {
       "id": "extract-content",
       "generator": "extract_schema",
@@ -8537,6 +8637,124 @@
       },
       "evaluate": false,
       "output": true
+    },
+    {
+      "id": "http-header-fingerprint",
+      "generator": "http_header_fingerprint",
+      "conditions": [
+        {
+          "operator": "exists",
+          "parameters": {
+            "inputs": [
+              {
+                "address": "waf.context.event"
+              },
+              {
+                "address": "server.business_logic.users.login.failure"
+              },
+              {
+                "address": "server.business_logic.users.login.success"
+              }
+            ]
+          }
+        }
+      ],
+      "parameters": {
+        "mappings": [
+          {
+            "headers": [
+              {
+                "address": "server.request.headers.no_cookies"
+              }
+            ],
+            "output": "_dd.appsec.fp.http.header"
+          }
+        ]
+      },
+      "evaluate": false,
+      "output": true
+    },
+    {
+      "id": "http-network-fingerprint",
+      "generator": "http_network_fingerprint",
+      "conditions": [
+        {
+          "operator": "exists",
+          "parameters": {
+            "inputs": [
+              {
+                "address": "waf.context.event"
+              },
+              {
+                "address": "server.business_logic.users.login.failure"
+              },
+              {
+                "address": "server.business_logic.users.login.success"
+              }
+            ]
+          }
+        }
+      ],
+      "parameters": {
+        "mappings": [
+          {
+            "headers": [
+              {
+                "address": "server.request.headers.no_cookies"
+              }
+            ],
+            "output": "_dd.appsec.fp.http.network"
+          }
+        ]
+      },
+      "evaluate": false,
+      "output": true
+    },
+    {
+      "id": "session-fingerprint",
+      "generator": "session_fingerprint",
+      "conditions": [
+        {
+          "operator": "exists",
+          "parameters": {
+            "inputs": [
+              {
+                "address": "waf.context.event"
+              },
+              {
+                "address": "server.business_logic.users.login.failure"
+              },
+              {
+                "address": "server.business_logic.users.login.success"
+              }
+            ]
+          }
+        }
+      ],
+      "parameters": {
+        "mappings": [
+          {
+            "cookies": [
+              {
+                "address": "server.request.cookies"
+              }
+            ],
+            "session_id": [
+              {
+                "address": "usr.session_id"
+              }
+            ],
+            "user_id": [
+              {
+                "address": "usr.id"
+              }
+            ],
+            "output": "_dd.appsec.fp.session"
+          }
+        ]
+      },
+      "evaluate": false,
+      "output": true
     }
   ],
   "scanners": [
@@ -9562,4 +9780,4 @@
       }
     }
   ]
-}
+}

package/packages/dd-trace/src/appsec/reporter.js CHANGED Viewed

@@ -207,10 +207,6 @@ function finishRequest (req, res) {
   // collect some headers even when no attack is detected
   const mandatoryTags = filterHeaders(req.headers, REQUEST_HEADERS_MAP)
-  const ua = mandatoryTags['http.request.headers.user-agent']
-  if (ua) {
-    mandatoryTags['http.useragent'] = ua
-  }
   rootSpan.addTags(mandatoryTags)
   const tags = rootSpan.context()._tags

package/packages/dd-trace/src/appsec/waf/waf_context_wrapper.js CHANGED Viewed

@@ -25,7 +25,7 @@ class WAFContextWrapper {
     const inputs = {}
     const newAddressesToSkip = new Set(this.addressesToSkip)
-    if (persistent && typeof persistent === 'object') {
+    if (persistent !== null && typeof persistent === 'object') {
       // TODO: possible optimization: only send params that haven't already been sent with same value to this wafContext
       for (const key of Object.keys(persistent)) {
         // TODO: requiredAddresses is no longer used due to processor addresses are not included in the list. Check on