dd-trace 5.24.0 → 5.25.0

package/packages/dd-trace/src/appsec/addresses.js

@@ -28,6 +28,8 @@ module.exports = {
   DB_STATEMENT: 'server.db.statement',
   DB_SYSTEM: 'server.db.system',
 
+  SHELL_COMMAND: 'server.sys.shell.cmd',
+
   LOGIN_SUCCESS: 'server.business_logic.users.login.success',
   LOGIN_FAILURE: 'server.business_logic.users.login.failure'
 }

package/packages/dd-trace/src/appsec/channels.js

@@ -6,6 +6,7 @@ const dc = require('dc-polyfill')
 module.exports = {
   bodyParser: dc.channel('datadog:body-parser:read:finish'),
   cookieParser: dc.channel('datadog:cookie-parser:read:finish'),
+  multerParser: dc.channel('datadog:multer:read:finish'),
   startGraphqlResolve: dc.channel('datadog:graphql:resolver:start'),
   graphqlMiddlewareChannel: dc.tracingChannel('datadog:apollo:middleware'),
   apolloChannel: dc.tracingChannel('datadog:apollo:request'),
@@ -28,5 +29,6 @@ module.exports = {
   mysql2OuterQueryStart: dc.channel('datadog:mysql2:outerquery:start'),
   wafRunFinished: dc.channel('datadog:waf:run:finish'),
   fsOperationStart: dc.channel('apm:fs:operation:start'),
-  expressMiddlewareError: dc.channel('apm:express:middleware:error')
+  expressMiddlewareError: dc.channel('apm:express:middleware:error'),
+  childProcessExecutionTracingChannel: dc.tracingChannel('datadog:child_process:execution')
 }

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js

@@ -23,18 +23,26 @@ class TaintTrackingPlugin extends SourceIastPlugin {
   constructor () {
     super()
     this._type = 'taint-tracking'
+    this._taintedURLs = new WeakMap()
   }
 
   onConfigure () {
+    const onRequestBody = ({ req }) => {
+      const iastContext = getIastContext(storage.getStore())
+      if (iastContext && iastContext.body !== req.body) {
+        this._taintTrackingHandler(HTTP_REQUEST_BODY, req, 'body', iastContext)
+        iastContext.body = req.body
+      }
+    }
+
     this.addSub(
       { channelName: 'datadog:body-parser:read:finish', tag: HTTP_REQUEST_BODY },
-      ({ req }) => {
-        const iastContext = getIastContext(storage.getStore())
-        if (iastContext && iastContext.body !== req.body) {
-          this._taintTrackingHandler(HTTP_REQUEST_BODY, req, 'body', iastContext)
-          iastContext.body = req.body
-        }
-      }
+      onRequestBody
+    )
+
+    this.addSub(
+      { channelName: 'datadog:multer:read:finish', tag: HTTP_REQUEST_BODY },
+      onRequestBody
     )
 
     this.addSub(
@@ -81,6 +89,46 @@ class TaintTrackingPlugin extends SourceIastPlugin {
       }
     )
 
+    const urlResultTaintedProperties = ['host', 'origin', 'hostname']
+    this.addSub(
+      { channelName: 'datadog:url:parse:finish' },
+      ({ input, base, parsed, isURL }) => {
+        const iastContext = getIastContext(storage.getStore())
+        let ranges
+
+        if (base) {
+          ranges = getRanges(iastContext, base)
+        } else {
+          ranges = getRanges(iastContext, input)
+        }
+
+        if (ranges?.length) {
+          if (isURL) {
+            this._taintedURLs.set(parsed, ranges[0])
+          } else {
+            urlResultTaintedProperties.forEach(param => {
+              this._taintTrackingHandler(ranges[0].iinfo.type, parsed, param, iastContext)
+            })
+          }
+        }
+      }
+    )
+
+    this.addSub(
+      { channelName: 'datadog:url:getter:finish' },
+      (context) => {
+        if (!urlResultTaintedProperties.includes(context.property)) return
+
+        const origRange = this._taintedURLs.get(context.urlObject)
+        if (!origRange) return
+
+        const iastContext = getIastContext(storage.getStore())
+        if (!iastContext) return
+
+        context.result =
+          newTaintedString(iastContext, context.result, origRange.iinfo.parameterName, origRange.iinfo.type)
+      })
+
     // this is a special case to increment INSTRUMENTED_SOURCE metric for header
     this.addInstrumentedSource('http', [HTTP_REQUEST_HEADER_VALUE, HTTP_REQUEST_HEADER_NAME])
   }

package/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js

@@ -1,10 +1,11 @@
 'use strict'
 
-const { MANUAL_KEEP } = require('../../../../../ext/tags')
 const LRU = require('lru-cache')
 const vulnerabilitiesFormatter = require('./vulnerabilities-formatter')
 const { IAST_ENABLED_TAG_KEY, IAST_JSON_TAG_KEY } = require('./tags')
 const standalone = require('../standalone')
+const { SAMPLING_MECHANISM_APPSEC } = require('../../constants')
+const { keepTrace } = require('../../priority_sampler')
 
 const VULNERABILITIES_KEY = 'vulnerabilities'
 const VULNERABILITY_HASHES_MAX_SIZE = 1000
@@ -56,9 +57,10 @@ function sendVulnerabilities (vulnerabilities, rootSpan) {
         const tags = {}
         // TODO: Store this outside of the span and set the tag in the exporter.
         tags[IAST_JSON_TAG_KEY] = JSON.stringify(jsonToSend)
-        tags[MANUAL_KEEP] = 'true'
         span.addTags(tags)
 
+        keepTrace(span, SAMPLING_MECHANISM_APPSEC)
+
         standalone.sample(span)
 
         if (!rootSpan) span.finish()

package/packages/dd-trace/src/appsec/index.js

@@ -6,6 +6,7 @@ const remoteConfig = require('./remote_config')
 const {
   bodyParser,
   cookieParser,
+  multerParser,
   incomingHttpRequestStart,
   incomingHttpRequestEnd,
   passportVerify,
@@ -58,6 +59,7 @@ function enable (_config) {
     apiSecuritySampler.configure(_config.appsec)
 
     bodyParser.subscribe(onRequestBodyParsed)
+    multerParser.subscribe(onRequestBodyParsed)
     cookieParser.subscribe(onRequestCookieParser)
     incomingHttpRequestStart.subscribe(incomingHttpStartTranslator)
     incomingHttpRequestEnd.subscribe(incomingHttpEndTranslator)
@@ -299,6 +301,7 @@ function disable () {
 
   // Channel#unsubscribe() is undefined for non active channels
   if (bodyParser.hasSubscribers) bodyParser.unsubscribe(onRequestBodyParsed)
+  if (multerParser.hasSubscribers) multerParser.unsubscribe(onRequestBodyParsed)
   if (cookieParser.hasSubscribers) cookieParser.unsubscribe(onRequestCookieParser)
   if (incomingHttpRequestStart.hasSubscribers) incomingHttpRequestStart.unsubscribe(incomingHttpStartTranslator)
   if (incomingHttpRequestEnd.hasSubscribers) incomingHttpRequestEnd.unsubscribe(incomingHttpEndTranslator)

package/packages/dd-trace/src/appsec/rasp/command_injection.js

@@ -0,0 +1,49 @@
+'use strict'
+
+const { childProcessExecutionTracingChannel } = require('../channels')
+const { RULE_TYPES, handleResult } = require('./utils')
+const { storage } = require('../../../../datadog-core')
+const addresses = require('../addresses')
+const waf = require('../waf')
+
+let config
+
+function enable (_config) {
+  config = _config
+
+  childProcessExecutionTracingChannel.subscribe({
+    start: analyzeCommandInjection
+  })
+}
+
+function disable () {
+  if (childProcessExecutionTracingChannel.start.hasSubscribers) {
+    childProcessExecutionTracingChannel.unsubscribe({
+      start: analyzeCommandInjection
+    })
+  }
+}
+
+function analyzeCommandInjection ({ file, fileArgs, shell, abortController }) {
+  if (!file || !shell) return
+
+  const store = storage.getStore()
+  const req = store?.req
+  if (!req) return
+
+  const commandParams = fileArgs ? [file, ...fileArgs] : file
+
+  const persistent = {
+    [addresses.SHELL_COMMAND]: commandParams
+  }
+
+  const result = waf.run({ persistent }, req, RULE_TYPES.COMMAND_INJECTION)
+
+  const res = store?.res
+  handleResult(result, req, res, abortController, config)
+}
+
+module.exports = {
+  enable,
+  disable
+}

package/packages/dd-trace/src/appsec/rasp/index.js

@@ -6,6 +6,7 @@ const { block, isBlocked } = require('../blocking')
 const ssrf = require('./ssrf')
 const sqli = require('./sql_injection')
 const lfi = require('./lfi')
+const cmdi = require('./command_injection')
 
 const { DatadogRaspAbortError } = require('./utils')
 
@@ -95,6 +96,7 @@ function enable (config) {
   ssrf.enable(config)
   sqli.enable(config)
   lfi.enable(config)
+  cmdi.enable(config)
 
   process.on('uncaughtExceptionMonitor', handleUncaughtExceptionMonitor)
   expressMiddlewareError.subscribe(blockOnDatadogRaspAbortError)
@@ -104,6 +106,7 @@ function disable () {
   ssrf.disable()
   sqli.disable()
   lfi.disable()
+  cmdi.disable()
 
   process.off('uncaughtExceptionMonitor', handleUncaughtExceptionMonitor)
   if (expressMiddlewareError.hasSubscribers) expressMiddlewareError.unsubscribe(blockOnDatadogRaspAbortError)

package/packages/dd-trace/src/appsec/rasp/ssrf.js

@@ -1,5 +1,6 @@
 'use strict'
 
+const { format } = require('url')
 const { httpClientRequestStart } = require('../channels')
 const { storage } = require('../../../../datadog-core')
 const addresses = require('../addresses')
@@ -20,12 +21,12 @@ function disable () {
 function analyzeSsrf (ctx) {
   const store = storage.getStore()
   const req = store?.req
-  const url = ctx.args.uri
+  const outgoingUrl = (ctx.args.options?.uri && format(ctx.args.options.uri)) ?? ctx.args.uri
 
-  if (!req || !url) return
+  if (!req || !outgoingUrl) return
 
   const persistent = {
-    [addresses.HTTP_OUTGOING_URL]: url
+    [addresses.HTTP_OUTGOING_URL]: outgoingUrl
   }
 
   const result = waf.run({ persistent }, req, RULE_TYPES.SSRF)

package/packages/dd-trace/src/appsec/rasp/utils.js

@@ -12,9 +12,10 @@ if (abortOnUncaughtException) {
 }
 
 const RULE_TYPES = {
-  SSRF: 'ssrf',
+  COMMAND_INJECTION: 'command_injection',
+  LFI: 'lfi',
   SQL_INJECTION: 'sql_injection',
-  LFI: 'lfi'
+  SSRF: 'ssrf'
 }
 
 class DatadogRaspAbortError extends Error {

package/packages/dd-trace/src/appsec/recommended.json

@@ -1,7 +1,7 @@
 {
   "version": "2.2",
   "metadata": {
-    "rules_version": "1.13.1"
+    "rules_version": "1.13.2"
   },
   "rules": [
     {
@@ -6335,7 +6335,6 @@
     {
       "id": "rasp-934-100",
       "name": "Server-side request forgery exploit",
-      "enabled": false,
       "tags": {
         "type": "ssrf",
         "category": "vulnerability_trigger",
@@ -6384,7 +6383,6 @@
     {
       "id": "rasp-942-100",
       "name": "SQL injection exploit",
-      "enabled": false,
       "tags": {
         "type": "sql_injection",
         "category": "vulnerability_trigger",
@@ -6424,7 +6422,7 @@
               }
             ]
           },
-          "operator": "sqli_detector"
+          "operator": "sqli_detector@v2"
         }
       ],
       "transformers": [],

package/packages/dd-trace/src/appsec/remote_config/capabilities.js

@@ -20,6 +20,7 @@ module.exports = {
   ASM_RASP_SQLI: 1n << 21n,
   ASM_RASP_LFI: 1n << 22n,
   ASM_RASP_SSRF: 1n << 23n,
+  ASM_RASP_SHI: 1n << 24n,
   APM_TRACING_SAMPLE_RULES: 1n << 29n,
   ASM_ENDPOINT_FINGERPRINT: 1n << 32n,
   ASM_NETWORK_FINGERPRINT: 1n << 34n,

package/packages/dd-trace/src/appsec/remote_config/index.js

@@ -83,6 +83,7 @@ function enableWafUpdate (appsecConfig) {
       rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SQLI, true)
       rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SSRF, true)
       rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_LFI, true)
+      rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SHI, true)
     }
 
     // TODO: delete noop handlers and kPreUpdate and replace with batched handlers
@@ -114,6 +115,7 @@ function disableWafUpdate () {
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SQLI, false)
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SSRF, false)
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_LFI, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SHI, false)
 
     rc.removeProductHandler('ASM_DATA')
     rc.removeProductHandler('ASM_DD')

package/packages/dd-trace/src/appsec/reporter.js

@@ -13,8 +13,9 @@ const {
   getRequestMetrics
 } = require('./telemetry')
 const zlib = require('zlib')
-const { MANUAL_KEEP } = require('../../../../ext/tags')
 const standalone = require('./standalone')
+const { SAMPLING_MECHANISM_APPSEC } = require('../constants')
+const { keepTrace } = require('../priority_sampler')
 
 // default limiter, configurable with setRateLimit()
 let limiter = new Limiter(100)
@@ -96,8 +97,6 @@ function reportWafInit (wafVersion, rulesVersion, diagnosticsRules = {}) {
     metricsQueue.set('_dd.appsec.event_rules.errors', JSON.stringify(diagnosticsRules.errors))
   }
 
-  metricsQueue.set(MANUAL_KEEP, 'true')
-
   incrementWafInitMetric(wafVersion, rulesVersion)
 }
 
@@ -129,7 +128,7 @@ function reportAttack (attackData) {
   }
 
   if (limiter.isAllowed()) {
-    newTags[MANUAL_KEEP] = 'true'
+    keepTrace(rootSpan, SAMPLING_MECHANISM_APPSEC)
 
     standalone.sample(rootSpan)
   }
@@ -184,6 +183,8 @@ function finishRequest (req, res) {
   if (metricsQueue.size) {
     rootSpan.addTags(Object.fromEntries(metricsQueue))
 
+    keepTrace(rootSpan, SAMPLING_MECHANISM_APPSEC)
+
     standalone.sample(rootSpan)
 
     metricsQueue.clear()

package/packages/dd-trace/src/appsec/sdk/track_event.js

@@ -2,10 +2,11 @@
 
 const log = require('../../log')
 const { getRootSpan } = require('./utils')
-const { MANUAL_KEEP } = require('../../../../../ext/tags')
 const { setUserTags } = require('./set_user')
 const standalone = require('../standalone')
 const waf = require('../waf')
+const { SAMPLING_MECHANISM_APPSEC } = require('../../constants')
+const { keepTrace } = require('../../priority_sampler')
 
 function trackUserLoginSuccessEvent (tracer, user, metadata) {
   // TODO: better user check here and in _setUser() ?
@@ -55,9 +56,10 @@ function trackEvent (eventName, fields, sdkMethodName, rootSpan, mode) {
     return
   }
 
+  keepTrace(rootSpan, SAMPLING_MECHANISM_APPSEC)
+
   const tags = {
-    [`appsec.events.${eventName}.track`]: 'true',
-    [MANUAL_KEEP]: 'true'
+    [`appsec.events.${eventName}.track`]: 'true'
   }
 
   if (mode === 'sdk') {

package/packages/dd-trace/src/appsec/waf/waf_manager.js

@@ -51,6 +51,10 @@ class WAFManager {
   update (newRules) {
     this.ddwaf.update(newRules)
 
+    if (this.ddwaf.diagnostics.ruleset_version) {
+      this.rulesVersion = this.ddwaf.diagnostics.ruleset_version
+    }
+
     Reporter.reportWafUpdate(this.ddwafVersion, this.rulesVersion)
   }
 

package/packages/dd-trace/src/azure_metadata.js

@@ -0,0 +1,120 @@
+'use strict'
+
+// eslint-disable-next-line max-len
+// Modeled after https://github.com/DataDog/libdatadog/blob/f3994857a59bb5679a65967138c5a3aec418a65f/ddcommon/src/azure_app_services.rs
+
+const os = require('os')
+const { getIsAzureFunction } = require('./serverless')
+
+function extractSubscriptionID (ownerName) {
+  if (ownerName !== undefined) {
+    const subId = ownerName.split('+')[0].trim()
+    if (subId.length > 0) {
+      return subId
+    }
+  }
+  return undefined
+}
+
+function extractResourceGroup (ownerName) {
+  return /.+\+(.+)-.+webspace(-Linux)?/.exec(ownerName)?.[1]
+}
+
+function buildResourceID (subscriptionID, siteName, resourceGroup) {
+  if (subscriptionID === undefined || siteName === undefined || resourceGroup === undefined) {
+    return undefined
+  }
+  return `/subscriptions/${subscriptionID}/resourcegroups/${resourceGroup}/providers/microsoft.web/sites/${siteName}`
+    .toLowerCase()
+}
+
+function trimObject (obj) {
+  Object.entries(obj)
+    .filter(([_, value]) => value === undefined)
+    .forEach(([key, _]) => { delete obj[key] })
+  return obj
+}
+
+function buildMetadata () {
+  const {
+    COMPUTERNAME,
+    DD_AAS_DOTNET_EXTENSION_VERSION,
+    FUNCTIONS_EXTENSION_VERSION,
+    FUNCTIONS_WORKER_RUNTIME,
+    FUNCTIONS_WORKER_RUNTIME_VERSION,
+    WEBSITE_INSTANCE_ID,
+    WEBSITE_OWNER_NAME,
+    WEBSITE_OS,
+    WEBSITE_RESOURCE_GROUP,
+    WEBSITE_SITE_NAME
+  } = process.env
+
+  const subscriptionID = extractSubscriptionID(WEBSITE_OWNER_NAME)
+
+  const siteName = WEBSITE_SITE_NAME
+
+  const [siteKind, siteType] = getIsAzureFunction()
+    ? ['functionapp', 'function']
+    : ['app', 'app']
+
+  const resourceGroup = WEBSITE_RESOURCE_GROUP ?? extractResourceGroup(WEBSITE_OWNER_NAME)
+
+  return trimObject({
+    extensionVersion: DD_AAS_DOTNET_EXTENSION_VERSION,
+    functionRuntimeVersion: FUNCTIONS_EXTENSION_VERSION,
+    instanceID: WEBSITE_INSTANCE_ID,
+    instanceName: COMPUTERNAME,
+    operatingSystem: WEBSITE_OS ?? os.platform(),
+    resourceGroup,
+    resourceID: buildResourceID(subscriptionID, siteName, resourceGroup),
+    runtime: FUNCTIONS_WORKER_RUNTIME,
+    runtimeVersion: FUNCTIONS_WORKER_RUNTIME_VERSION,
+    siteKind,
+    siteName,
+    siteType,
+    subscriptionID
+  })
+}
+
+function getAzureAppMetadata () {
+  // DD_AZURE_APP_SERVICES is an environment variable introduced by the .NET APM team and is set automatically for
+  // anyone using the Datadog APM Extensions (.NET, Java, or Node) for Windows Azure App Services
+  // eslint-disable-next-line max-len
+  // See: https://github.com/DataDog/datadog-aas-extension/blob/01f94b5c28b7fa7a9ab264ca28bd4e03be603900/node/src/applicationHost.xdt#L20-L21
+  return process.env.DD_AZURE_APP_SERVICES !== undefined ? buildMetadata() : undefined
+}
+
+function getAzureFunctionMetadata () {
+  return getIsAzureFunction() ? buildMetadata() : undefined
+}
+
+// eslint-disable-next-line max-len
+// Modeled after https://github.com/DataDog/libdatadog/blob/92272e90a7919f07178f3246ef8f82295513cfed/profiling/src/exporter/mod.rs#L187
+// eslint-disable-next-line max-len
+// and https://github.com/DataDog/libdatadog/blob/f3994857a59bb5679a65967138c5a3aec418a65f/trace-utils/src/trace_utils.rs#L533
+function getAzureTagsFromMetadata (metadata) {
+  if (metadata === undefined) {
+    return {}
+  }
+  return trimObject({
+    'aas.environment.extension_version': metadata.extensionVersion,
+    'aas.environment.function_runtime': metadata.functionRuntimeVersion,
+    'aas.environment.instance_id': metadata.instanceID,
+    'aas.environment.instance_name': metadata.instanceName,
+    'aas.environment.os': metadata.operatingSystem,
+    'aas.environment.runtime': metadata.runtime,
+    'aas.environment.runtime_version': metadata.runtimeVersion,
+    'aas.resource.group': metadata.resourceGroup,
+    'aas.resource.id': metadata.resourceID,
+    'aas.site.kind': metadata.siteKind,
+    'aas.site.name': metadata.siteName,
+    'aas.site.type': metadata.siteType,
+    'aas.subscription.id': metadata.subscriptionID
+  })
+}
+
+module.exports = {
+  getAzureAppMetadata,
+  getAzureFunctionMetadata,
+  getAzureTagsFromMetadata
+}

package/packages/dd-trace/src/ci-visibility/dynamic-instrumentation/index.js

@@ -0,0 +1,97 @@
+'use strict'
+
+const { join } = require('path')
+const { Worker } = require('worker_threads')
+const { randomUUID } = require('crypto')
+const log = require('../../log')
+
+const probeIdToResolveBreakpointSet = new Map()
+const probeIdToResolveBreakpointHit = new Map()
+
+class TestVisDynamicInstrumentation {
+  constructor () {
+    this.worker = null
+    this._readyPromise = new Promise(resolve => {
+      this._onReady = resolve
+    })
+    this.breakpointSetChannel = new MessageChannel()
+    this.breakpointHitChannel = new MessageChannel()
+  }
+
+  // Return 3 elements:
+  // 1. Snapshot ID
+  // 2. Promise that's resolved when the breakpoint is set
+  // 3. Promise that's resolved when the breakpoint is hit
+  addLineProbe ({ file, line }) {
+    const snapshotId = randomUUID()
+    const probeId = randomUUID()
+
+    this.breakpointSetChannel.port2.postMessage({
+      snapshotId,
+      probe: { id: probeId, file, line }
+    })
+
+    return [
+      snapshotId,
+      new Promise(resolve => {
+        probeIdToResolveBreakpointSet.set(probeId, resolve)
+      }),
+      new Promise(resolve => {
+        probeIdToResolveBreakpointHit.set(probeId, resolve)
+      })
+    ]
+  }
+
+  isReady () {
+    return this._readyPromise
+  }
+
+  start () {
+    if (this.worker) return
+
+    const { NODE_OPTIONS, ...envWithoutNodeOptions } = process.env
+
+    log.debug('Starting Test Visibility - Dynamic Instrumentation client...')
+
+    this.worker = new Worker(
+      join(__dirname, 'worker', 'index.js'),
+      {
+        execArgv: [],
+        env: envWithoutNodeOptions,
+        workerData: {
+          breakpointSetChannel: this.breakpointSetChannel.port1,
+          breakpointHitChannel: this.breakpointHitChannel.port1
+        },
+        transferList: [this.breakpointSetChannel.port1, this.breakpointHitChannel.port1]
+      }
+    )
+    this.worker.on('online', () => {
+      log.debug('Test Visibility - Dynamic Instrumentation client is ready')
+      this._onReady()
+    })
+
+    // Allow the parent to exit even if the worker is still running
+    this.worker.unref()
+
+    this.breakpointSetChannel.port2.on('message', (message) => {
+      const { probeId } = message
+      const resolve = probeIdToResolveBreakpointSet.get(probeId)
+      if (resolve) {
+        resolve()
+        probeIdToResolveBreakpointSet.delete(probeId)
+      }
+    }).unref()
+
+    this.breakpointHitChannel.port2.on('message', (message) => {
+      const { snapshot } = message
+      const { probe: { id: probeId } } = snapshot
+      const resolve = probeIdToResolveBreakpointHit.get(probeId)
+      if (resolve) {
+        resolve({ snapshot })
+        probeIdToResolveBreakpointHit.delete(probeId)
+      }
+    }).unref()
+  }
+}
+
+module.exports = new TestVisDynamicInstrumentation()