dd-trace 5.19.0 → 5.20.0

package/packages/dd-trace/src/appsec/blocking.js

@@ -9,6 +9,8 @@ let templateHtml = blockedTemplates.html
 let templateJson = blockedTemplates.json
 let templateGraphqlJson = blockedTemplates.graphqlJson
 
+const responseBlockedSet = new WeakSet()
+
 const specificBlockingTypes = {
   GRAPHQL: 'graphql'
 }
@@ -117,6 +119,8 @@ function block (req, res, rootSpan, abortController, actionParameters) {
 
   res.writeHead(statusCode, headers).end(body)
 
+  responseBlockedSet.add(res)
+
   abortController?.abort()
 }
 
@@ -144,11 +148,16 @@ function setTemplates (config) {
   }
 }
 
+function isBlocked (res) {
+  return responseBlockedSet.has(res)
+}
+
 module.exports = {
   addSpecificEndpoint,
   block,
   specificBlockingTypes,
   getBlockingData,
   getBlockingAction,
-  setTemplates
+  setTemplates,
+  isBlocked
 }

package/packages/dd-trace/src/appsec/channels.js

@@ -19,5 +19,8 @@ module.exports = {
   nextQueryParsed: dc.channel('apm:next:query-parsed'),
   responseBody: dc.channel('datadog:express:response:json:start'),
   responseWriteHead: dc.channel('apm:http:server:response:writeHead:start'),
-  httpClientRequestStart: dc.channel('apm:http:client:request:start')
+  httpClientRequestStart: dc.channel('apm:http:client:request:start'),
+  responseSetHeader: dc.channel('datadog:http:server:response:set-header:start'),
+  setUncaughtExceptionCaptureCallbackStart: dc.channel('datadog:process:setUncaughtExceptionCaptureCallback:start')
+
 }

package/packages/dd-trace/src/appsec/iast/analyzers/analyzers.js

@@ -1,6 +1,7 @@
 'use strict'
 
 module.exports = {
+  CODE_INJECTION_ANALYZER: require('./code-injection-analyzer'),
   COMMAND_INJECTION_ANALYZER: require('./command-injection-analyzer'),
   HARCODED_PASSWORD_ANALYZER: require('./hardcoded-password-analyzer'),
   HARCODED_SECRET_ANALYZER: require('./hardcoded-secret-analyzer'),

package/packages/dd-trace/src/appsec/iast/analyzers/code-injection-analyzer.js

@@ -0,0 +1,16 @@
+'use strict'
+
+const InjectionAnalyzer = require('./injection-analyzer')
+const { CODE_INJECTION } = require('../vulnerabilities')
+
+class CodeInjectionAnalyzer extends InjectionAnalyzer {
+  constructor () {
+    super(CODE_INJECTION)
+  }
+
+  onConfigure () {
+    this.addSub('datadog:eval:call', ({ script }) => this.analyze(script))
+  }
+}
+
+module.exports = new CodeInjectionAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/weak-hash-analyzer.js

@@ -47,6 +47,8 @@ class WeakHashAnalyzer extends Analyzer {
   }
 
   _isExcluded (location) {
+    if (!location) return false
+
     return EXCLUDED_LOCATIONS.some(excludedLocation => {
       return location.path.includes(excludedLocation)
     })

package/packages/dd-trace/src/appsec/iast/taint-tracking/csi-methods.js

@@ -14,7 +14,8 @@ const csiMethods = [
   { src: 'toUpperCase', dst: 'stringCase' },
   { src: 'trim' },
   { src: 'trimEnd' },
-  { src: 'trimStart', dst: 'trim' }
+  { src: 'trimStart', dst: 'trim' },
+  { src: 'eval', allowedWithoutCallee: true }
 ]
 
 module.exports = {

package/packages/dd-trace/src/appsec/iast/taint-tracking/taint-tracking-impl.js

@@ -10,6 +10,7 @@ const { isDebugAllowed } = require('../telemetry/verbosity')
 const { taintObject } = require('./operations-taint-object')
 
 const mathRandomCallCh = dc.channel('datadog:random:call')
+const evalCallCh = dc.channel('datadog:eval:call')
 
 const JSON_VALUE = 'json.value'
 
@@ -18,6 +19,7 @@ function noop (res) { return res }
 // Otherwise you may end up rewriting a method and not providing its rewritten implementation
 const TaintTrackingNoop = {
   concat: noop,
+  eval: noop,
   join: noop,
   parse: noop,
   plusOperator: noop,
@@ -136,6 +138,15 @@ function csiMethodsOverrides (getContext) {
       return res
     },
 
+    eval: function (res, fn, target, script) {
+      // eslint-disable-next-line no-eval
+      if (evalCallCh.hasSubscribers && fn === globalThis.eval) {
+        evalCallCh.publish({ script })
+      }
+
+      return res
+    },
+
     parse: function (res, fn, target, json) {
       if (fn === JSON.parse) {
         try {

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/code-injection-sensitive-analyzer.js

@@ -0,0 +1,25 @@
+'use strict'
+
+module.exports = function extractSensitiveRanges (evidence) {
+  const newRanges = []
+  if (evidence.ranges[0].start > 0) {
+    newRanges.push({
+      start: 0,
+      end: evidence.ranges[0].start
+    })
+  }
+
+  for (let i = 0; i < evidence.ranges.length; i++) {
+    const currentRange = evidence.ranges[i]
+    const nextRange = evidence.ranges[i + 1]
+
+    const start = currentRange.end
+    const end = nextRange?.start || evidence.value.length
+
+    if (start < end) {
+      newRanges.push({ start, end })
+    }
+  }
+
+  return newRanges
+}

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js

@@ -5,6 +5,7 @@ const vulnerabilities = require('../../vulnerabilities')
 
 const { contains, intersects, remove } = require('./range-utils')
 
+const codeInjectionSensitiveAnalyzer = require('./sensitive-analyzers/code-injection-sensitive-analyzer')
 const commandSensitiveAnalyzer = require('./sensitive-analyzers/command-sensitive-analyzer')
 const hardcodedPasswordAnalyzer = require('./sensitive-analyzers/hardcoded-password-analyzer')
 const headerSensitiveAnalyzer = require('./sensitive-analyzers/header-sensitive-analyzer')
@@ -23,6 +24,7 @@ class SensitiveHandler {
     this._valuePattern = new RegExp(DEFAULT_IAST_REDACTION_VALUE_PATTERN, 'gmi')
 
     this._sensitiveAnalyzers = new Map()
+    this._sensitiveAnalyzers.set(vulnerabilities.CODE_INJECTION, codeInjectionSensitiveAnalyzer)
     this._sensitiveAnalyzers.set(vulnerabilities.COMMAND_INJECTION, commandSensitiveAnalyzer)
     this._sensitiveAnalyzers.set(vulnerabilities.NOSQL_MONGODB_INJECTION, jsonSensitiveAnalyzer)
     this._sensitiveAnalyzers.set(vulnerabilities.LDAP_INJECTION, ldapSensitiveAnalyzer)

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-regex.js

@@ -1,7 +1,7 @@
 // eslint-disable-next-line max-len
-const DEFAULT_IAST_REDACTION_NAME_PATTERN = '(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)'
+const DEFAULT_IAST_REDACTION_NAME_PATTERN = '(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?|(?:sur|last)name|user(?:name)?|address|e?mail)'
 // eslint-disable-next-line max-len
-const DEFAULT_IAST_REDACTION_VALUE_PATTERN = '(?:bearer\\s+[a-z0-9\\._\\-]+|glpat-[\\w\\-]{20}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\\w=\\-]+\\.ey[I-L][\\w=\\-]+(?:\\.[\\w.+/=\\-]+)?|(?:[\\-]{5}BEGIN[a-z\\s]+PRIVATE\\sKEY[\\-]{5}[^\\-]+[\\-]{5}END[a-z\\s]+PRIVATE\\sKEY[\\-]{5}|ssh-rsa\\s*[a-z0-9/\\.+]{100,}))'
+const DEFAULT_IAST_REDACTION_VALUE_PATTERN = '(?:bearer\\s+[a-z0-9\\._\\-]+|glpat-[\\w\\-]{20}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\\w=\\-]+\\.ey[I-L][\\w=\\-]+(?:\\.[\\w.+/=\\-]+)?|(?:[\\-]{5}BEGIN[a-z\\s]+PRIVATE\\sKEY[\\-]{5}[^\\-]+[\\-]{5}END[a-z\\s]+PRIVATE\\sKEY[\\-]{5}|ssh-rsa\\s*[a-z0-9/\\.+]{100,})|[\\w\\.-]+@[a-zA-Z\\d\\.-]+\\.[a-zA-Z]{2,})'
 
 module.exports = {
   DEFAULT_IAST_REDACTION_NAME_PATTERN,

package/packages/dd-trace/src/appsec/iast/vulnerabilities.js

@@ -1,5 +1,6 @@
 module.exports = {
   COMMAND_INJECTION: 'COMMAND_INJECTION',
+  CODE_INJECTION: 'CODE_INJECTION',
   HARDCODED_PASSWORD: 'HARDCODED_PASSWORD',
   HARDCODED_SECRET: 'HARDCODED_SECRET',
   HEADER_INJECTION: 'HEADER_INJECTION',

package/packages/dd-trace/src/appsec/index.js

@@ -13,7 +13,8 @@ const {
   nextBodyParsed,
   nextQueryParsed,
   responseBody,
-  responseWriteHead
+  responseWriteHead,
+  responseSetHeader
 } = require('./channels')
 const waf = require('./waf')
 const addresses = require('./addresses')
@@ -23,7 +24,7 @@ const apiSecuritySampler = require('./api_security_sampler')
 const web = require('../plugins/util/web')
 const { extractIp } = require('../plugins/util/ip_extractor')
 const { HTTP_CLIENT_IP } = require('../../../../ext/tags')
-const { block, setTemplates, getBlockingAction } = require('./blocking')
+const { isBlocked, block, setTemplates, getBlockingAction } = require('./blocking')
 const { passportTrackEvent } = require('./passport')
 const { storage } = require('../../../datadog-core')
 const graphql = require('./graphql')
@@ -62,6 +63,7 @@ function enable (_config) {
     cookieParser.subscribe(onRequestCookieParser)
     responseBody.subscribe(onResponseBody)
     responseWriteHead.subscribe(onResponseWriteHead)
+    responseSetHeader.subscribe(onResponseSetHeader)
 
     if (_config.appsec.eventTracking.enabled) {
       passportVerify.subscribe(onPassportVerify)
@@ -223,11 +225,10 @@ function onPassportVerify ({ credentials, user }) {
 }
 
 const responseAnalyzedSet = new WeakSet()
-const responseBlockedSet = new WeakSet()
 
 function onResponseWriteHead ({ req, res, abortController, statusCode, responseHeaders }) {
   // avoid "write after end" error
-  if (responseBlockedSet.has(res)) {
+  if (isBlocked(res)) {
     abortController?.abort()
     return
   }
@@ -255,15 +256,18 @@ function onResponseWriteHead ({ req, res, abortController, statusCode, responseH
   handleResults(results, req, res, rootSpan, abortController)
 }
 
+function onResponseSetHeader ({ res, abortController }) {
+  if (isBlocked(res)) {
+    abortController?.abort()
+  }
+}
+
 function handleResults (actions, req, res, rootSpan, abortController) {
   if (!actions || !req || !res || !rootSpan || !abortController) return
 
   const blockingAction = getBlockingAction(actions)
   if (blockingAction) {
     block(req, res, rootSpan, abortController, blockingAction)
-    if (!abortController.signal || abortController.signal.aborted) {
-      responseBlockedSet.add(res)
-    }
   }
 }
 
@@ -290,6 +294,7 @@ function disable () {
   if (responseBody.hasSubscribers) responseBody.unsubscribe(onResponseBody)
   if (passportVerify.hasSubscribers) passportVerify.unsubscribe(onPassportVerify)
   if (responseWriteHead.hasSubscribers) responseWriteHead.unsubscribe(onResponseWriteHead)
+  if (responseSetHeader.hasSubscribers) responseSetHeader.unsubscribe(onResponseSetHeader)
 }
 
 module.exports = {

package/packages/dd-trace/src/appsec/rasp.js

@@ -3,23 +3,118 @@
 const { storage } = require('../../../datadog-core')
 const web = require('./../plugins/util/web')
 const addresses = require('./addresses')
-const { httpClientRequestStart } = require('./channels')
+const { httpClientRequestStart, setUncaughtExceptionCaptureCallbackStart } = require('./channels')
 const { reportStackTrace } = require('./stack_trace')
 const waf = require('./waf')
+const { getBlockingAction, block } = require('./blocking')
+const log = require('../log')
 
 const RULE_TYPES = {
   SSRF: 'ssrf'
 }
 
-let config
+class DatadogRaspAbortError extends Error {
+  constructor (req, res, blockingAction) {
+    super('DatadogRaspAbortError')
+    this.name = 'DatadogRaspAbortError'
+    this.req = req
+    this.res = res
+    this.blockingAction = blockingAction
+  }
+}
+
+let config, abortOnUncaughtException
+
+function removeAllListeners (emitter, event) {
+  const listeners = emitter.listeners(event)
+  emitter.removeAllListeners(event)
+
+  let cleaned = false
+  return function () {
+    if (cleaned === true) {
+      return
+    }
+    cleaned = true
+
+    for (let i = 0; i < listeners.length; ++i) {
+      emitter.on(event, listeners[i])
+    }
+  }
+}
+
+function findDatadogRaspAbortError (err, deep = 10) {
+  if (err instanceof DatadogRaspAbortError) {
+    return err
+  }
+
+  if (err.cause && deep > 0) {
+    return findDatadogRaspAbortError(err.cause, deep - 1)
+  }
+}
+
+function handleUncaughtExceptionMonitor (err) {
+  const abortError = findDatadogRaspAbortError(err)
+  if (!abortError) return
+
+  const { req, res, blockingAction } = abortError
+  block(req, res, web.root(req), null, blockingAction)
+
+  if (!process.hasUncaughtExceptionCaptureCallback()) {
+    const cleanUp = removeAllListeners(process, 'uncaughtException')
+    const handler = () => {
+      process.removeListener('uncaughtException', handler)
+    }
+
+    setTimeout(() => {
+      process.removeListener('uncaughtException', handler)
+      cleanUp()
+    })
+
+    process.on('uncaughtException', handler)
+  } else {
+    // uncaughtException event is not executed when hasUncaughtExceptionCaptureCallback is true
+    let previousCb
+    const cb = ({ currentCallback, abortController }) => {
+      setUncaughtExceptionCaptureCallbackStart.unsubscribe(cb)
+      if (!currentCallback) {
+        abortController.abort()
+        return
+      }
+
+      previousCb = currentCallback
+    }
+
+    setUncaughtExceptionCaptureCallbackStart.subscribe(cb)
+
+    process.setUncaughtExceptionCaptureCallback(null)
+
+    // For some reason, previous callback was defined before the instrumentation
+    // We can not restore it, so we let the app decide
+    if (previousCb) {
+      process.setUncaughtExceptionCaptureCallback(() => {
+        process.setUncaughtExceptionCaptureCallback(null)
+        process.setUncaughtExceptionCaptureCallback(previousCb)
+      })
+    }
+  }
+}
 
 function enable (_config) {
   config = _config
   httpClientRequestStart.subscribe(analyzeSsrf)
+
+  process.on('uncaughtExceptionMonitor', handleUncaughtExceptionMonitor)
+  abortOnUncaughtException = process.execArgv?.includes('--abort-on-uncaught-exception')
+
+  if (abortOnUncaughtException) {
+    log.warn('The --abort-on-uncaught-exception flag is enabled. The RASP module will not block operations.')
+  }
 }
 
 function disable () {
   if (httpClientRequestStart.hasSubscribers) httpClientRequestStart.unsubscribe(analyzeSsrf)
+
+  process.off('uncaughtExceptionMonitor', handleUncaughtExceptionMonitor)
 }
 
 function analyzeSsrf (ctx) {
@@ -32,17 +127,18 @@ function analyzeSsrf (ctx) {
   const persistent = {
     [addresses.HTTP_OUTGOING_URL]: url
   }
-  // TODO: Currently this is only monitoring, we should
-  //     block the request if SSRF attempt
+
   const result = waf.run({ persistent }, req, RULE_TYPES.SSRF)
-  handleResult(result, req)
+
+  const res = store?.res
+  handleResult(result, req, res, ctx.abortController)
 }
 
 function getGenerateStackTraceAction (actions) {
   return actions?.generate_stack
 }
 
-function handleResult (actions, req) {
+function handleResult (actions, req, res, abortController) {
   const generateStackTraceAction = getGenerateStackTraceAction(actions)
   if (generateStackTraceAction && config.appsec.stackTrace.enabled) {
     const rootSpan = web.root(req)
@@ -53,10 +149,28 @@ function handleResult (actions, req) {
       config.appsec.stackTrace.maxStackTraces
     )
   }
+
+  if (!abortController || abortOnUncaughtException) return
+
+  const blockingAction = getBlockingAction(actions)
+  if (blockingAction) {
+    const rootSpan = web.root(req)
+    // Should block only in express
+    if (rootSpan?.context()._name === 'express.request') {
+      const abortError = new DatadogRaspAbortError(req, res, blockingAction)
+      abortController.abort(abortError)
+
+      // TODO Delete this when support for node 16 is removed
+      if (!abortController.signal.reason) {
+        abortController.signal.reason = abortError
+      }
+    }
+  }
 }
 
 module.exports = {
   enable,
   disable,
-  handleResult
+  handleResult,
+  handleUncaughtExceptionMonitor // exported only for testing purpose
 }

package/packages/dd-trace/src/appsec/recommended.json

@@ -1,7 +1,7 @@
 {
   "version": "2.2",
   "metadata": {
-    "rules_version": "1.12.0"
+    "rules_version": "1.13.0"
   },
   "rules": [
     {
@@ -6285,6 +6285,55 @@
         "stack_trace"
       ]
     },
+    {
+      "id": "rasp-932-100",
+      "name": "Shell injection exploit",
+      "enabled": false,
+      "tags": {
+        "type": "command_injection",
+        "category": "vulnerability_trigger",
+        "cwe": "77",
+        "capec": "1000/152/248/88",
+        "confidence": "0",
+        "module": "rasp"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "resource": [
+              {
+                "address": "server.sys.shell.cmd"
+              }
+            ],
+            "params": [
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              },
+              {
+                "address": "server.request.path_params"
+              },
+              {
+                "address": "grpc.server.request.message"
+              },
+              {
+                "address": "graphql.server.all_resolvers"
+              },
+              {
+                "address": "graphql.server.resolver"
+              }
+            ]
+          },
+          "operator": "shi_detector"
+        }
+      ],
+      "transformers": [],
+      "on_match": [
+        "stack_trace"
+      ]
+    },
     {
       "id": "rasp-934-100",
       "name": "Server-side request forgery exploit",
@@ -8388,6 +8437,57 @@
     }
   ],
   "processors": [
+    {
+      "id": "http-endpoint-fingerprint",
+      "generator": "http_endpoint_fingerprint",
+      "conditions": [
+        {
+          "operator": "exists",
+          "parameters": {
+            "inputs": [
+              {
+                "address": "waf.context.event"
+              },
+              {
+                "address": "server.business_logic.users.login.failure"
+              },
+              {
+                "address": "server.business_logic.users.login.success"
+              }
+            ]
+          }
+        }
+      ],
+      "parameters": {
+        "mappings": [
+          {
+            "method": [
+              {
+                "address": "server.request.method"
+              }
+            ],
+            "uri_raw": [
+              {
+                "address": "server.request.uri.raw"
+              }
+            ],
+            "body": [
+              {
+                "address": "server.request.body"
+              }
+            ],
+            "query": [
+              {
+                "address": "server.request.query"
+              }
+            ],
+            "output": "_dd.appsec.fp.http.endpoint"
+          }
+        ]
+      },
+      "evaluate": false,
+      "output": true
+    },
     {
       "id": "extract-content",
       "generator": "extract_schema",
@@ -8537,6 +8637,124 @@
       },
       "evaluate": false,
       "output": true
+    },
+    {
+      "id": "http-header-fingerprint",
+      "generator": "http_header_fingerprint",
+      "conditions": [
+        {
+          "operator": "exists",
+          "parameters": {
+            "inputs": [
+              {
+                "address": "waf.context.event"
+              },
+              {
+                "address": "server.business_logic.users.login.failure"
+              },
+              {
+                "address": "server.business_logic.users.login.success"
+              }
+            ]
+          }
+        }
+      ],
+      "parameters": {
+        "mappings": [
+          {
+            "headers": [
+              {
+                "address": "server.request.headers.no_cookies"
+              }
+            ],
+            "output": "_dd.appsec.fp.http.header"
+          }
+        ]
+      },
+      "evaluate": false,
+      "output": true
+    },
+    {
+      "id": "http-network-fingerprint",
+      "generator": "http_network_fingerprint",
+      "conditions": [
+        {
+          "operator": "exists",
+          "parameters": {
+            "inputs": [
+              {
+                "address": "waf.context.event"
+              },
+              {
+                "address": "server.business_logic.users.login.failure"
+              },
+              {
+                "address": "server.business_logic.users.login.success"
+              }
+            ]
+          }
+        }
+      ],
+      "parameters": {
+        "mappings": [
+          {
+            "headers": [
+              {
+                "address": "server.request.headers.no_cookies"
+              }
+            ],
+            "output": "_dd.appsec.fp.http.network"
+          }
+        ]
+      },
+      "evaluate": false,
+      "output": true
+    },
+    {
+      "id": "session-fingerprint",
+      "generator": "session_fingerprint",
+      "conditions": [
+        {
+          "operator": "exists",
+          "parameters": {
+            "inputs": [
+              {
+                "address": "waf.context.event"
+              },
+              {
+                "address": "server.business_logic.users.login.failure"
+              },
+              {
+                "address": "server.business_logic.users.login.success"
+              }
+            ]
+          }
+        }
+      ],
+      "parameters": {
+        "mappings": [
+          {
+            "cookies": [
+              {
+                "address": "server.request.cookies"
+              }
+            ],
+            "session_id": [
+              {
+                "address": "usr.session_id"
+              }
+            ],
+            "user_id": [
+              {
+                "address": "usr.id"
+              }
+            ],
+            "output": "_dd.appsec.fp.session"
+          }
+        ]
+      },
+      "evaluate": false,
+      "output": true
     }
   ],
   "scanners": [
@@ -9562,4 +9780,4 @@
       }
     }
   ]
-}
+}