dd-trace 5.19.0 → 5.21.0

package/packages/datadog-plugin-vitest/src/index.js

@@ -7,9 +7,16 @@ const {
   getTestSuitePath,
   getTestSuiteCommonTags,
   TEST_SOURCE_FILE,
-  TEST_IS_RETRY
+  TEST_IS_RETRY,
+  TEST_CODE_COVERAGE_LINES_PCT,
+  TEST_CODE_OWNERS
 } = require('../../dd-trace/src/plugins/util/test')
 const { COMPONENT } = require('../../dd-trace/src/constants')
+const {
+  TELEMETRY_EVENT_CREATED,
+  TELEMETRY_EVENT_FINISHED,
+  TELEMETRY_TEST_SESSION
+} = require('../../dd-trace/src/ci-visibility/telemetry')
 
 // Milliseconds that we subtract from the error test duration
 // so that they do not overlap with the following test
@@ -64,6 +71,9 @@ class VitestPlugin extends CiPlugin {
       const span = store?.span
 
       if (span) {
+        this.telemetry.ciVisEvent(TELEMETRY_EVENT_FINISHED, 'test', {
+          hasCodeowners: !!span.context()._tags[TEST_CODE_OWNERS]
+        })
         span.setTag(TEST_STATUS, 'pass')
         span.finish(this.taskToFinishTime.get(task))
         finishAllTraceSpans(span)
@@ -75,6 +85,9 @@ class VitestPlugin extends CiPlugin {
       const span = store?.span
 
       if (span) {
+        this.telemetry.ciVisEvent(TELEMETRY_EVENT_FINISHED, 'test', {
+          hasCodeowners: !!span.context()._tags[TEST_CODE_OWNERS]
+        })
         span.setTag(TEST_STATUS, 'fail')
 
         if (error) {
@@ -91,7 +104,7 @@ class VitestPlugin extends CiPlugin {
 
     this.addSub('ci:vitest:test:skip', ({ testName, testSuiteAbsolutePath }) => {
       const testSuite = getTestSuitePath(testSuiteAbsolutePath, this.repositoryRoot)
-      this.startTestSpan(
+      const testSpan = this.startTestSpan(
         testName,
         testSuite,
         this.testSuiteSpan,
@@ -99,10 +112,15 @@ class VitestPlugin extends CiPlugin {
           [TEST_SOURCE_FILE]: testSuite,
           [TEST_STATUS]: 'skip'
         }
-      ).finish()
+      )
+      this.telemetry.ciVisEvent(TELEMETRY_EVENT_FINISHED, 'test', {
+        hasCodeowners: !!testSpan.context()._tags[TEST_CODE_OWNERS]
+      })
+      testSpan.finish()
     })
 
-    this.addSub('ci:vitest:test-suite:start', (testSuiteAbsolutePath) => {
+    this.addSub('ci:vitest:test-suite:start', ({ testSuiteAbsolutePath, frameworkVersion }) => {
+      this.frameworkVersion = frameworkVersion
       const testSessionSpanContext = this.tracer.extract('text_map', {
         'x-datadog-trace-id': process.env.DD_CIVISIBILITY_TEST_SESSION_ID,
         'x-datadog-parent-id': process.env.DD_CIVISIBILITY_TEST_MODULE_ID
@@ -123,6 +141,7 @@ class VitestPlugin extends CiPlugin {
           ...testSuiteMetadata
         }
       })
+      this.telemetry.ciVisEvent(TELEMETRY_EVENT_CREATED, 'suite')
       const store = storage.getStore()
       this.enter(testSuiteSpan, store)
       this.testSuiteSpan = testSuiteSpan
@@ -136,6 +155,7 @@ class VitestPlugin extends CiPlugin {
         span.finish()
         finishAllTraceSpans(span)
       }
+      this.telemetry.ciVisEvent(TELEMETRY_EVENT_FINISHED, 'suite')
       // TODO: too frequent flush - find for method in worker to decrease frequency
       this.tracer._exporter.flush(onFinish)
     })
@@ -149,16 +169,23 @@ class VitestPlugin extends CiPlugin {
       }
     })
 
-    this.addSub('ci:vitest:session:finish', ({ status, onFinish, error }) => {
+    this.addSub('ci:vitest:session:finish', ({ status, onFinish, error, testCodeCoverageLinesTotal }) => {
       this.testSessionSpan.setTag(TEST_STATUS, status)
       this.testModuleSpan.setTag(TEST_STATUS, status)
       if (error) {
         this.testModuleSpan.setTag('error', error)
         this.testSessionSpan.setTag('error', error)
       }
+      if (testCodeCoverageLinesTotal) {
+        this.testModuleSpan.setTag(TEST_CODE_COVERAGE_LINES_PCT, testCodeCoverageLinesTotal)
+        this.testSessionSpan.setTag(TEST_CODE_COVERAGE_LINES_PCT, testCodeCoverageLinesTotal)
+      }
       this.testModuleSpan.finish()
+      this.telemetry.ciVisEvent(TELEMETRY_EVENT_FINISHED, 'module')
       this.testSessionSpan.finish()
+      this.telemetry.ciVisEvent(TELEMETRY_EVENT_FINISHED, 'session')
       finishAllTraceSpans(this.testSessionSpan)
+      this.telemetry.count(TELEMETRY_TEST_SESSION, { provider: this.ciProviderName })
       this.tracer._exporter.flush(onFinish)
     })
   }

package/packages/dd-trace/src/appsec/blocking.js

@@ -9,6 +9,8 @@ let templateHtml = blockedTemplates.html
 let templateJson = blockedTemplates.json
 let templateGraphqlJson = blockedTemplates.graphqlJson
 
+const responseBlockedSet = new WeakSet()
+
 const specificBlockingTypes = {
   GRAPHQL: 'graphql'
 }
@@ -117,6 +119,8 @@ function block (req, res, rootSpan, abortController, actionParameters) {
 
   res.writeHead(statusCode, headers).end(body)
 
+  responseBlockedSet.add(res)
+
   abortController?.abort()
 }
 
@@ -144,11 +148,16 @@ function setTemplates (config) {
   }
 }
 
+function isBlocked (res) {
+  return responseBlockedSet.has(res)
+}
+
 module.exports = {
   addSpecificEndpoint,
   block,
   specificBlockingTypes,
   getBlockingData,
   getBlockingAction,
-  setTemplates
+  setTemplates,
+  isBlocked
 }

package/packages/dd-trace/src/appsec/channels.js

@@ -19,5 +19,8 @@ module.exports = {
   nextQueryParsed: dc.channel('apm:next:query-parsed'),
   responseBody: dc.channel('datadog:express:response:json:start'),
   responseWriteHead: dc.channel('apm:http:server:response:writeHead:start'),
-  httpClientRequestStart: dc.channel('apm:http:client:request:start')
+  httpClientRequestStart: dc.channel('apm:http:client:request:start'),
+  responseSetHeader: dc.channel('datadog:http:server:response:set-header:start'),
+  setUncaughtExceptionCaptureCallbackStart: dc.channel('datadog:process:setUncaughtExceptionCaptureCallback:start')
+
 }

package/packages/dd-trace/src/appsec/iast/analyzers/analyzers.js

@@ -1,6 +1,7 @@
 'use strict'
 
 module.exports = {
+  CODE_INJECTION_ANALYZER: require('./code-injection-analyzer'),
   COMMAND_INJECTION_ANALYZER: require('./command-injection-analyzer'),
   HARCODED_PASSWORD_ANALYZER: require('./hardcoded-password-analyzer'),
   HARCODED_SECRET_ANALYZER: require('./hardcoded-secret-analyzer'),

package/packages/dd-trace/src/appsec/iast/analyzers/code-injection-analyzer.js

@@ -0,0 +1,16 @@
+'use strict'
+
+const InjectionAnalyzer = require('./injection-analyzer')
+const { CODE_INJECTION } = require('../vulnerabilities')
+
+class CodeInjectionAnalyzer extends InjectionAnalyzer {
+  constructor () {
+    super(CODE_INJECTION)
+  }
+
+  onConfigure () {
+    this.addSub('datadog:eval:call', ({ script }) => this.analyze(script))
+  }
+}
+
+module.exports = new CodeInjectionAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/weak-hash-analyzer.js

@@ -47,6 +47,8 @@ class WeakHashAnalyzer extends Analyzer {
   }
 
   _isExcluded (location) {
+    if (!location) return false
+
     return EXCLUDED_LOCATIONS.some(excludedLocation => {
       return location.path.includes(excludedLocation)
     })

package/packages/dd-trace/src/appsec/iast/taint-tracking/csi-methods.js

@@ -14,7 +14,8 @@ const csiMethods = [
   { src: 'toUpperCase', dst: 'stringCase' },
   { src: 'trim' },
   { src: 'trimEnd' },
-  { src: 'trimStart', dst: 'trim' }
+  { src: 'trimStart', dst: 'trim' },
+  { src: 'eval', allowedWithoutCallee: true }
 ]
 
 module.exports = {

package/packages/dd-trace/src/appsec/iast/taint-tracking/taint-tracking-impl.js

@@ -10,6 +10,7 @@ const { isDebugAllowed } = require('../telemetry/verbosity')
 const { taintObject } = require('./operations-taint-object')
 
 const mathRandomCallCh = dc.channel('datadog:random:call')
+const evalCallCh = dc.channel('datadog:eval:call')
 
 const JSON_VALUE = 'json.value'
 
@@ -18,6 +19,7 @@ function noop (res) { return res }
 // Otherwise you may end up rewriting a method and not providing its rewritten implementation
 const TaintTrackingNoop = {
   concat: noop,
+  eval: noop,
   join: noop,
   parse: noop,
   plusOperator: noop,
@@ -136,6 +138,15 @@ function csiMethodsOverrides (getContext) {
       return res
     },
 
+    eval: function (res, fn, target, script) {
+      // eslint-disable-next-line no-eval
+      if (evalCallCh.hasSubscribers && fn === globalThis.eval) {
+        evalCallCh.publish({ script })
+      }
+
+      return res
+    },
+
     parse: function (res, fn, target, json) {
       if (fn === JSON.parse) {
         try {

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/code-injection-sensitive-analyzer.js

@@ -0,0 +1,25 @@
+'use strict'
+
+module.exports = function extractSensitiveRanges (evidence) {
+  const newRanges = []
+  if (evidence.ranges[0].start > 0) {
+    newRanges.push({
+      start: 0,
+      end: evidence.ranges[0].start
+    })
+  }
+
+  for (let i = 0; i < evidence.ranges.length; i++) {
+    const currentRange = evidence.ranges[i]
+    const nextRange = evidence.ranges[i + 1]
+
+    const start = currentRange.end
+    const end = nextRange?.start || evidence.value.length
+
+    if (start < end) {
+      newRanges.push({ start, end })
+    }
+  }
+
+  return newRanges
+}

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js

@@ -5,6 +5,7 @@ const vulnerabilities = require('../../vulnerabilities')
 
 const { contains, intersects, remove } = require('./range-utils')
 
+const codeInjectionSensitiveAnalyzer = require('./sensitive-analyzers/code-injection-sensitive-analyzer')
 const commandSensitiveAnalyzer = require('./sensitive-analyzers/command-sensitive-analyzer')
 const hardcodedPasswordAnalyzer = require('./sensitive-analyzers/hardcoded-password-analyzer')
 const headerSensitiveAnalyzer = require('./sensitive-analyzers/header-sensitive-analyzer')
@@ -23,6 +24,7 @@ class SensitiveHandler {
     this._valuePattern = new RegExp(DEFAULT_IAST_REDACTION_VALUE_PATTERN, 'gmi')
 
     this._sensitiveAnalyzers = new Map()
+    this._sensitiveAnalyzers.set(vulnerabilities.CODE_INJECTION, codeInjectionSensitiveAnalyzer)
     this._sensitiveAnalyzers.set(vulnerabilities.COMMAND_INJECTION, commandSensitiveAnalyzer)
     this._sensitiveAnalyzers.set(vulnerabilities.NOSQL_MONGODB_INJECTION, jsonSensitiveAnalyzer)
     this._sensitiveAnalyzers.set(vulnerabilities.LDAP_INJECTION, ldapSensitiveAnalyzer)

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-regex.js

@@ -1,7 +1,7 @@
 // eslint-disable-next-line max-len
-const DEFAULT_IAST_REDACTION_NAME_PATTERN = '(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)'
+const DEFAULT_IAST_REDACTION_NAME_PATTERN = '(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?|(?:sur|last)name|user(?:name)?|address|e?mail)'
 // eslint-disable-next-line max-len
-const DEFAULT_IAST_REDACTION_VALUE_PATTERN = '(?:bearer\\s+[a-z0-9\\._\\-]+|glpat-[\\w\\-]{20}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\\w=\\-]+\\.ey[I-L][\\w=\\-]+(?:\\.[\\w.+/=\\-]+)?|(?:[\\-]{5}BEGIN[a-z\\s]+PRIVATE\\sKEY[\\-]{5}[^\\-]+[\\-]{5}END[a-z\\s]+PRIVATE\\sKEY[\\-]{5}|ssh-rsa\\s*[a-z0-9/\\.+]{100,}))'
+const DEFAULT_IAST_REDACTION_VALUE_PATTERN = '(?:bearer\\s+[a-z0-9\\._\\-]+|glpat-[\\w\\-]{20}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\\w=\\-]+\\.ey[I-L][\\w=\\-]+(?:\\.[\\w.+/=\\-]+)?|(?:[\\-]{5}BEGIN[a-z\\s]+PRIVATE\\sKEY[\\-]{5}[^\\-]+[\\-]{5}END[a-z\\s]+PRIVATE\\sKEY[\\-]{5}|ssh-rsa\\s*[a-z0-9/\\.+]{100,})|[\\w\\.-]+@[a-zA-Z\\d\\.-]+\\.[a-zA-Z]{2,})'
 
 module.exports = {
   DEFAULT_IAST_REDACTION_NAME_PATTERN,

package/packages/dd-trace/src/appsec/iast/vulnerabilities.js

@@ -1,5 +1,6 @@
 module.exports = {
   COMMAND_INJECTION: 'COMMAND_INJECTION',
+  CODE_INJECTION: 'CODE_INJECTION',
   HARDCODED_PASSWORD: 'HARDCODED_PASSWORD',
   HARDCODED_SECRET: 'HARDCODED_SECRET',
   HEADER_INJECTION: 'HEADER_INJECTION',

package/packages/dd-trace/src/appsec/index.js

@@ -13,7 +13,8 @@ const {
   nextBodyParsed,
   nextQueryParsed,
   responseBody,
-  responseWriteHead
+  responseWriteHead,
+  responseSetHeader
 } = require('./channels')
 const waf = require('./waf')
 const addresses = require('./addresses')
@@ -23,7 +24,7 @@ const apiSecuritySampler = require('./api_security_sampler')
 const web = require('../plugins/util/web')
 const { extractIp } = require('../plugins/util/ip_extractor')
 const { HTTP_CLIENT_IP } = require('../../../../ext/tags')
-const { block, setTemplates, getBlockingAction } = require('./blocking')
+const { isBlocked, block, setTemplates, getBlockingAction } = require('./blocking')
 const { passportTrackEvent } = require('./passport')
 const { storage } = require('../../../datadog-core')
 const graphql = require('./graphql')
@@ -62,6 +63,7 @@ function enable (_config) {
     cookieParser.subscribe(onRequestCookieParser)
     responseBody.subscribe(onResponseBody)
     responseWriteHead.subscribe(onResponseWriteHead)
+    responseSetHeader.subscribe(onResponseSetHeader)
 
     if (_config.appsec.eventTracking.enabled) {
       passportVerify.subscribe(onPassportVerify)
@@ -223,11 +225,10 @@ function onPassportVerify ({ credentials, user }) {
 }
 
 const responseAnalyzedSet = new WeakSet()
-const responseBlockedSet = new WeakSet()
 
 function onResponseWriteHead ({ req, res, abortController, statusCode, responseHeaders }) {
   // avoid "write after end" error
-  if (responseBlockedSet.has(res)) {
+  if (isBlocked(res)) {
     abortController?.abort()
     return
   }
@@ -255,15 +256,18 @@ function onResponseWriteHead ({ req, res, abortController, statusCode, responseH
   handleResults(results, req, res, rootSpan, abortController)
 }
 
+function onResponseSetHeader ({ res, abortController }) {
+  if (isBlocked(res)) {
+    abortController?.abort()
+  }
+}
+
 function handleResults (actions, req, res, rootSpan, abortController) {
   if (!actions || !req || !res || !rootSpan || !abortController) return
 
   const blockingAction = getBlockingAction(actions)
   if (blockingAction) {
     block(req, res, rootSpan, abortController, blockingAction)
-    if (!abortController.signal || abortController.signal.aborted) {
-      responseBlockedSet.add(res)
-    }
   }
 }
 
@@ -290,6 +294,7 @@ function disable () {
   if (responseBody.hasSubscribers) responseBody.unsubscribe(onResponseBody)
   if (passportVerify.hasSubscribers) passportVerify.unsubscribe(onPassportVerify)
   if (responseWriteHead.hasSubscribers) responseWriteHead.unsubscribe(onResponseWriteHead)
+  if (responseSetHeader.hasSubscribers) responseSetHeader.unsubscribe(onResponseSetHeader)
 }
 
 module.exports = {

package/packages/dd-trace/src/appsec/rasp.js

@@ -3,23 +3,118 @@
 const { storage } = require('../../../datadog-core')
 const web = require('./../plugins/util/web')
 const addresses = require('./addresses')
-const { httpClientRequestStart } = require('./channels')
+const { httpClientRequestStart, setUncaughtExceptionCaptureCallbackStart } = require('./channels')
 const { reportStackTrace } = require('./stack_trace')
 const waf = require('./waf')
+const { getBlockingAction, block } = require('./blocking')
+const log = require('../log')
 
 const RULE_TYPES = {
   SSRF: 'ssrf'
 }
 
-let config
+class DatadogRaspAbortError extends Error {
+  constructor (req, res, blockingAction) {
+    super('DatadogRaspAbortError')
+    this.name = 'DatadogRaspAbortError'
+    this.req = req
+    this.res = res
+    this.blockingAction = blockingAction
+  }
+}
+
+let config, abortOnUncaughtException
+
+function removeAllListeners (emitter, event) {
+  const listeners = emitter.listeners(event)
+  emitter.removeAllListeners(event)
+
+  let cleaned = false
+  return function () {
+    if (cleaned === true) {
+      return
+    }
+    cleaned = true
+
+    for (let i = 0; i < listeners.length; ++i) {
+      emitter.on(event, listeners[i])
+    }
+  }
+}
+
+function findDatadogRaspAbortError (err, deep = 10) {
+  if (err instanceof DatadogRaspAbortError) {
+    return err
+  }
+
+  if (err.cause && deep > 0) {
+    return findDatadogRaspAbortError(err.cause, deep - 1)
+  }
+}
+
+function handleUncaughtExceptionMonitor (err) {
+  const abortError = findDatadogRaspAbortError(err)
+  if (!abortError) return
+
+  const { req, res, blockingAction } = abortError
+  block(req, res, web.root(req), null, blockingAction)
+
+  if (!process.hasUncaughtExceptionCaptureCallback()) {
+    const cleanUp = removeAllListeners(process, 'uncaughtException')
+    const handler = () => {
+      process.removeListener('uncaughtException', handler)
+    }
+
+    setTimeout(() => {
+      process.removeListener('uncaughtException', handler)
+      cleanUp()
+    })
+
+    process.on('uncaughtException', handler)
+  } else {
+    // uncaughtException event is not executed when hasUncaughtExceptionCaptureCallback is true
+    let previousCb
+    const cb = ({ currentCallback, abortController }) => {
+      setUncaughtExceptionCaptureCallbackStart.unsubscribe(cb)
+      if (!currentCallback) {
+        abortController.abort()
+        return
+      }
+
+      previousCb = currentCallback
+    }
+
+    setUncaughtExceptionCaptureCallbackStart.subscribe(cb)
+
+    process.setUncaughtExceptionCaptureCallback(null)
+
+    // For some reason, previous callback was defined before the instrumentation
+    // We can not restore it, so we let the app decide
+    if (previousCb) {
+      process.setUncaughtExceptionCaptureCallback(() => {
+        process.setUncaughtExceptionCaptureCallback(null)
+        process.setUncaughtExceptionCaptureCallback(previousCb)
+      })
+    }
+  }
+}
 
 function enable (_config) {
   config = _config
   httpClientRequestStart.subscribe(analyzeSsrf)
+
+  process.on('uncaughtExceptionMonitor', handleUncaughtExceptionMonitor)
+  abortOnUncaughtException = process.execArgv?.includes('--abort-on-uncaught-exception')
+
+  if (abortOnUncaughtException) {
+    log.warn('The --abort-on-uncaught-exception flag is enabled. The RASP module will not block operations.')
+  }
 }
 
 function disable () {
   if (httpClientRequestStart.hasSubscribers) httpClientRequestStart.unsubscribe(analyzeSsrf)
+
+  process.off('uncaughtExceptionMonitor', handleUncaughtExceptionMonitor)
 }
 
 function analyzeSsrf (ctx) {
@@ -32,17 +127,18 @@ function analyzeSsrf (ctx) {
   const persistent = {
     [addresses.HTTP_OUTGOING_URL]: url
   }
-  // TODO: Currently this is only monitoring, we should
-  //     block the request if SSRF attempt
+
   const result = waf.run({ persistent }, req, RULE_TYPES.SSRF)
-  handleResult(result, req)
+
+  const res = store?.res
+  handleResult(result, req, res, ctx.abortController)
 }
 
 function getGenerateStackTraceAction (actions) {
   return actions?.generate_stack
 }
 
-function handleResult (actions, req) {
+function handleResult (actions, req, res, abortController) {
   const generateStackTraceAction = getGenerateStackTraceAction(actions)
   if (generateStackTraceAction && config.appsec.stackTrace.enabled) {
     const rootSpan = web.root(req)
@@ -53,10 +149,28 @@ function handleResult (actions, req) {
       config.appsec.stackTrace.maxStackTraces
     )
   }
+
+  if (!abortController || abortOnUncaughtException) return
+
+  const blockingAction = getBlockingAction(actions)
+  if (blockingAction) {
+    const rootSpan = web.root(req)
+    // Should block only in express
+    if (rootSpan?.context()._name === 'express.request') {
+      const abortError = new DatadogRaspAbortError(req, res, blockingAction)
+      abortController.abort(abortError)
+
+      // TODO Delete this when support for node 16 is removed
+      if (!abortController.signal.reason) {
+        abortController.signal.reason = abortError
+      }
+    }
+  }
 }
 
 module.exports = {
   enable,
   disable,
-  handleResult
+  handleResult,
+  handleUncaughtExceptionMonitor // exported only for testing purpose
 }