npm - dd-trace - Versions diffs - 5.28.0 → 5.29.1 - Mend

dd-trace 5.28.0 → 5.29.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (148) hide show

package/packages/datadog-plugin-vitest/src/index.js CHANGED Viewed

@@ -17,7 +17,12 @@ const {
   TEST_SOURCE_START,
   TEST_IS_NEW,
   TEST_EARLY_FLAKE_ENABLED,
-  TEST_EARLY_FLAKE_ABORT_REASON
+  TEST_EARLY_FLAKE_ABORT_REASON,
+  TEST_NAME,
+  DI_ERROR_DEBUG_INFO_CAPTURED,
+  DI_DEBUG_ERROR_SNAPSHOT_ID,
+  DI_DEBUG_ERROR_FILE,
+  DI_DEBUG_ERROR_LINE
 } = require('../../dd-trace/src/plugins/util/test')
 const { COMPONENT } = require('../../dd-trace/src/constants')
 const {
@@ -31,6 +36,8 @@ const {
 // This is because there's some loss of resolution.
 const MILLISECONDS_TO_SUBTRACT_FROM_FAILED_TEST_DURATION = 5
+const debuggerParameterPerTest = new Map()
 class VitestPlugin extends CiPlugin {
   static get id () {
     return 'vitest'
@@ -81,6 +88,26 @@ class VitestPlugin extends CiPlugin {
         extraTags
       )
+      const debuggerParameters = debuggerParameterPerTest.get(testName)
+      if (debuggerParameters) {
+        const spanContext = span.context()
+        // TODO: handle race conditions with this.retriedTestIds
+        this.retriedTestIds = {
+          spanId: spanContext.toSpanId(),
+          traceId: spanContext.toTraceId()
+        }
+        const { snapshotId, file, line } = debuggerParameters
+        // TODO: should these be added on test:end if and only if the probe is hit?
+        // Sync issues: `hitProbePromise` might be resolved after the test ends
+        span.setTag(DI_ERROR_DEBUG_INFO_CAPTURED, 'true')
+        span.setTag(DI_DEBUG_ERROR_SNAPSHOT_ID, snapshotId)
+        span.setTag(DI_DEBUG_ERROR_FILE, file)
+        span.setTag(DI_DEBUG_ERROR_LINE, line)
+      }
       this.enter(span, store)
     })
@@ -110,11 +137,16 @@ class VitestPlugin extends CiPlugin {
       }
     })
-    this.addSub('ci:vitest:test:error', ({ duration, error }) => {
+    this.addSub('ci:vitest:test:error', ({ duration, error, willBeRetried, probe, isDiEnabled }) => {
       const store = storage.getStore()
       const span = store?.span
       if (span) {
+        if (willBeRetried && this.di && isDiEnabled) {
+          const testName = span.context()._tags[TEST_NAME]
+          const debuggerParameters = this.addDiProbe(error, probe)
+          debuggerParameterPerTest.set(testName, debuggerParameters)
+        }
         this.telemetry.ciVisEvent(TELEMETRY_EVENT_FINISHED, 'test', {
           hasCodeowners: !!span.context()._tags[TEST_CODE_OWNERS]
         })

package/packages/datadog-shimmer/src/shimmer.js CHANGED Viewed

@@ -6,8 +6,12 @@ const log = require('../../dd-trace/src/log')
 const unwrappers = new WeakMap()
 function copyProperties (original, wrapped) {
-  Object.setPrototypeOf(wrapped, original)
+  // TODO getPrototypeOf is not fast. Should we instead do this in specific
+  // instrumentations where needed?
+  const proto = Object.getPrototypeOf(original)
+  if (proto !== Function.prototype) {
+    Object.setPrototypeOf(wrapped, proto)
+  }
   const props = Object.getOwnPropertyDescriptors(original)
   const keys = Reflect.ownKeys(props)
@@ -136,7 +140,7 @@ function wrapMethod (target, name, wrapper, noAssert) {
       if (callState.completed) {
         // error was thrown after original function returned/resolved, so
         // it was us. log it.
-        log.error(e)
+        log.error('Shimmer error was thrown after original function returned/resolved', e)
         // original ran and returned something. return it.
         return callState.retVal
       }
@@ -144,7 +148,7 @@ function wrapMethod (target, name, wrapper, noAssert) {
       if (!callState.called) {
         // error was thrown before original function was called, so
         // it was us. log it.
-        log.error(e)
+        log.error('Shimmer error was thrown before original function was called', e)
         // original never ran. call it unwrapped.
         return original.apply(this, args)
       }

package/packages/dd-trace/src/appsec/addresses.js CHANGED Viewed

@@ -1,5 +1,6 @@
 'use strict'
+// TODO: reorder all this, it's a mess
 module.exports = {
   HTTP_INCOMING_BODY: 'server.request.body',
   HTTP_INCOMING_QUERY: 'server.request.query',
@@ -20,6 +21,8 @@ module.exports = {
   HTTP_CLIENT_IP: 'http.client_ip',
   USER_ID: 'usr.id',
+  USER_LOGIN: 'usr.login',
   WAF_CONTEXT_PROCESSOR: 'waf.context.processor',
   HTTP_OUTGOING_URL: 'server.io.net.url',

package/packages/dd-trace/src/appsec/blocked_templates.js CHANGED Viewed

@@ -1,4 +1,4 @@
-/* eslint-disable max-len */
+/* eslint-disable @stylistic/js/max-len */
 'use strict'
 const html = `<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>You've been blocked</title><style>a,body,div,html,span{margin:0;padding:0;border:0;font-size:100%;font:inherit;vertical-align:baseline}body{background:-webkit-radial-gradient(26% 19%,circle,#fff,#f4f7f9);background:radial-gradient(circle at 26% 19%,#fff,#f4f7f9);display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-ms-flex-line-pack:center;align-content:center;width:100%;min-height:100vh;line-height:1;flex-direction:column}p{display:block}main{text-align:center;flex:1;display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-ms-flex-line-pack:center;align-content:center;flex-direction:column}p{font-size:18px;line-height:normal;color:#646464;font-family:sans-serif;font-weight:400}a{color:#4842b7}footer{width:100%;text-align:center}footer p{font-size:16px}</style></head><body><main><p>Sorry, you cannot access this page. Please contact the customer service team.</p></main><footer><p>Security provided by <a href="https://www.datadoghq.com/product/security-platform/application-security-monitoring/" target="_blank">Datadog</a></p></footer></body></html>`

package/packages/dd-trace/src/appsec/channels.js CHANGED Viewed

@@ -19,6 +19,7 @@ module.exports = {
   nextBodyParsed: dc.channel('apm:next:body-parsed'),
   nextQueryParsed: dc.channel('apm:next:query-parsed'),
   expressProcessParams: dc.channel('datadog:express:process_params:start'),
+  routerParam: dc.channel('datadog:router:param:start'),
   responseBody: dc.channel('datadog:express:response:json:start'),
   responseWriteHead: dc.channel('apm:http:server:response:writeHead:start'),
   httpClientRequestStart: dc.channel('apm:http:client:request:start'),

package/packages/dd-trace/src/appsec/iast/analyzers/code-injection-analyzer.js CHANGED Viewed

@@ -11,6 +11,10 @@ class CodeInjectionAnalyzer extends InjectionAnalyzer {
   onConfigure () {
     this.addSub('datadog:eval:call', ({ script }) => this.analyze(script))
   }
+  _areRangesVulnerable () {
+    return true
+  }
 }
 module.exports = new CodeInjectionAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/hardcoded-password-rules.js CHANGED Viewed

@@ -1,4 +1,4 @@
-/* eslint-disable max-len */
+/* eslint-disable @stylistic/js/max-len */
 'use strict'
 const { NameAndValue } = require('./hardcoded-rule-type')

package/packages/dd-trace/src/appsec/iast/analyzers/hardcoded-secret-rules.js CHANGED Viewed

@@ -1,4 +1,4 @@
-/* eslint-disable max-len */
+/* eslint-disable @stylistic/js/max-len */
 'use strict'
 const { ValueOnly, NameAndValue } = require('./hardcoded-rule-type')

package/packages/dd-trace/src/appsec/iast/analyzers/hardcoded-secrets-rules.js CHANGED Viewed

@@ -1,4 +1,4 @@
-/* eslint-disable max-len */
+/* eslint-disable @stylistic/js/max-len */
 'use strict'
 const { ValueOnly, NameAndValue } = require('./hardcoded-rule-type')

package/packages/dd-trace/src/appsec/iast/analyzers/injection-analyzer.js CHANGED Viewed

@@ -1,12 +1,15 @@
 'use strict'
 const Analyzer = require('./vulnerability-analyzer')
-const { isTainted, getRanges } = require('../taint-tracking/operations')
+const { getRanges } = require('../taint-tracking/operations')
+const { SQL_ROW_VALUE } = require('../taint-tracking/source-types')
 class InjectionAnalyzer extends Analyzer {
   _isVulnerable (value, iastContext) {
-    if (value) {
-      return isTainted(iastContext, value)
+    const ranges = value && getRanges(iastContext, value)
+    if (ranges?.length > 0) {
+      return this._areRangesVulnerable(ranges)
     }
     return false
   }
@@ -14,6 +17,10 @@ class InjectionAnalyzer extends Analyzer {
     const ranges = getRanges(iastContext, value)
     return { value, ranges }
   }
+  _areRangesVulnerable (ranges) {
+    return ranges?.some(range => range.iinfo.type !== SQL_ROW_VALUE)
+  }
 }
 module.exports = InjectionAnalyzer

package/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js CHANGED Viewed

@@ -82,6 +82,10 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
       return knexDialect.toUpperCase()
     }
   }
+  _areRangesVulnerable () {
+    return true
+  }
 }
 module.exports = new SqlInjectionAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/template-injection-analyzer.js CHANGED Viewed

@@ -13,6 +13,10 @@ class TemplateInjectionAnalyzer extends InjectionAnalyzer {
     this.addSub('datadog:handlebars:register-partial:start', ({ partial }) => this.analyze(partial))
     this.addSub('datadog:pug:compile:start', ({ source }) => this.analyze(source))
   }
+  _areRangesVulnerable () {
+    return true
+  }
 }
 module.exports = new TemplateInjectionAnalyzer()

package/packages/dd-trace/src/appsec/iast/iast-plugin.js CHANGED Viewed

@@ -60,24 +60,10 @@ class IastPlugin extends Plugin {
     this.pluginSubs = []
   }
-  _wrapHandler (handler) {
-    return (message, name) => {
-      try {
-        handler(message, name)
-      } catch (e) {
-        log.error('[ASM] Error executing IAST plugin handler', e)
-      }
-    }
-  }
   _getTelemetryHandler (iastSub) {
     return () => {
-      try {
-        const iastContext = getIastContext(storage.getStore())
-        iastSub.increaseExecuted(iastContext)
-      } catch (e) {
-        log.error('[ASM] Error increasing handler executed metrics', e)
-      }
+      const iastContext = getIastContext(storage.getStore())
+      iastSub.increaseExecuted(iastContext)
     }
   }
@@ -99,11 +85,11 @@ class IastPlugin extends Plugin {
   addSub (iastSub, handler) {
     if (typeof iastSub === 'string') {
-      super.addSub(iastSub, this._wrapHandler(handler))
+      super.addSub(iastSub, handler)
     } else {
       iastSub = this._getAndRegisterSubscription(iastSub)
       if (iastSub) {
-        super.addSub(iastSub.channelName, this._wrapHandler(handler))
+        super.addSub(iastSub.channelName, handler)
         if (iastTelemetry.isEnabled()) {
           super.addSub(iastSub.channelName, this._getTelemetryHandler(iastSub))
@@ -112,7 +98,8 @@ class IastPlugin extends Plugin {
     }
   }
-  enable () {
+  enable (iastConfig) {
+    this.iastConfig = iastConfig
     this.configure(true)
   }

package/packages/dd-trace/src/appsec/iast/taint-tracking/index.js CHANGED Viewed

@@ -18,10 +18,10 @@ module.exports = {
   enableTaintTracking (config, telemetryVerbosity) {
     enableRewriter(telemetryVerbosity)
     enableTaintOperations(telemetryVerbosity)
-    taintTrackingPlugin.enable()
+    taintTrackingPlugin.enable(config)
-    kafkaContextPlugin.enable()
-    kafkaConsumerPlugin.enable()
+    kafkaContextPlugin.enable(config)
+    kafkaConsumerPlugin.enable(config)
     setMaxTransactions(config.maxConcurrentRequests)
   },

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js CHANGED Viewed

@@ -12,7 +12,8 @@ const {
   HTTP_REQUEST_HEADER_NAME,
   HTTP_REQUEST_PARAMETER,
   HTTP_REQUEST_PATH_PARAM,
-  HTTP_REQUEST_URI
+  HTTP_REQUEST_URI,
+  SQL_ROW_VALUE
 } = require('./source-types')
 const { EXECUTED_SOURCE } = require('../telemetry/iast-metric')
@@ -26,6 +27,16 @@ class TaintTrackingPlugin extends SourceIastPlugin {
     this._taintedURLs = new WeakMap()
   }
+  configure (config) {
+    super.configure(config)
+    let rowsToTaint = this.iastConfig?.dbRowsToTaint
+    if (typeof rowsToTaint !== 'number') {
+      rowsToTaint = 1
+    }
+    this._rowsToTaint = rowsToTaint
+  }
   onConfigure () {
     const onRequestBody = ({ req }) => {
       const iastContext = getIastContext(storage.getStore())
@@ -46,8 +57,13 @@ class TaintTrackingPlugin extends SourceIastPlugin {
     )
     this.addSub(
-      { channelName: 'datadog:qs:parse:finish', tag: HTTP_REQUEST_PARAMETER },
-      ({ qs }) => this._taintTrackingHandler(HTTP_REQUEST_PARAMETER, qs)
+      { channelName: 'datadog:query:read:finish', tag: HTTP_REQUEST_PARAMETER },
+      ({ query }) => this._taintTrackingHandler(HTTP_REQUEST_PARAMETER, query)
+    )
+    this.addSub(
+      { channelName: 'datadog:express:query:finish', tag: HTTP_REQUEST_PARAMETER },
+      ({ query }) => this._taintTrackingHandler(HTTP_REQUEST_PARAMETER, query)
     )
     this.addSub(
@@ -68,6 +84,16 @@ class TaintTrackingPlugin extends SourceIastPlugin {
       ({ cookies }) => this._cookiesTaintTrackingHandler(cookies)
     )
+    this.addSub(
+      { channelName: 'datadog:sequelize:query:finish', tag: SQL_ROW_VALUE },
+      ({ result }) => this._taintDatabaseResult(result, 'sequelize')
+    )
+    this.addSub(
+      { channelName: 'apm:pg:query:finish', tag: SQL_ROW_VALUE },
+      ({ result }) => this._taintDatabaseResult(result, 'pg')
+    )
     this.addSub(
       { channelName: 'datadog:express:process_params:start', tag: HTTP_REQUEST_PATH_PARAM },
       ({ req }) => {
@@ -77,6 +103,15 @@ class TaintTrackingPlugin extends SourceIastPlugin {
       }
     )
+    this.addSub(
+      { channelName: 'datadog:router:param:start', tag: HTTP_REQUEST_PATH_PARAM },
+      ({ req }) => {
+        if (req && req.params !== null && typeof req.params === 'object') {
+          this._taintTrackingHandler(HTTP_REQUEST_PATH_PARAM, req, 'params')
+        }
+      }
+    )
     this.addSub(
       { channelName: 'apm:graphql:resolve:start', tag: HTTP_REQUEST_BODY },
       (data) => {
@@ -170,6 +205,32 @@ class TaintTrackingPlugin extends SourceIastPlugin {
     this.taintHeaders(req.headers, iastContext)
     this.taintUrl(req, iastContext)
   }
+  _taintDatabaseResult (result, dbOrigin, iastContext = getIastContext(storage.getStore()), name) {
+    if (!iastContext) return result
+    if (this._rowsToTaint === 0) return result
+    if (Array.isArray(result)) {
+      for (let i = 0; i < result.length && i < this._rowsToTaint; i++) {
+        const nextName = name ? `${name}.${i}` : '' + i
+        result[i] = this._taintDatabaseResult(result[i], dbOrigin, iastContext, nextName)
+      }
+    } else if (result && typeof result === 'object') {
+      if (dbOrigin === 'sequelize' && result.dataValues) {
+        result.dataValues = this._taintDatabaseResult(result.dataValues, dbOrigin, iastContext, name)
+      } else {
+        for (const key in result) {
+          const nextName = name ? `${name}.${key}` : key
+          result[key] = this._taintDatabaseResult(result[key], dbOrigin, iastContext, nextName)
+        }
+      }
+    } else if (typeof result === 'string') {
+      result = newTaintedString(iastContext, result, name, SQL_ROW_VALUE)
+    }
+    return result
+  }
 }
 module.exports = new TaintTrackingPlugin()

package/packages/dd-trace/src/appsec/iast/taint-tracking/source-types.js CHANGED Viewed

@@ -11,5 +11,6 @@ module.exports = {
   HTTP_REQUEST_PATH_PARAM: 'http.request.path.parameter',
   HTTP_REQUEST_URI: 'http.request.uri',
   KAFKA_MESSAGE_KEY: 'kafka.message.key',
-  KAFKA_MESSAGE_VALUE: 'kafka.message.value'
+  KAFKA_MESSAGE_VALUE: 'kafka.message.value',
+  SQL_ROW_VALUE: 'sql.row.value'
 }

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-regex.js CHANGED Viewed

@@ -1,6 +1,6 @@
-// eslint-disable-next-line max-len
+// eslint-disable-next-line @stylistic/js/max-len
 const DEFAULT_IAST_REDACTION_NAME_PATTERN = '(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?|(?:sur|last)name|user(?:name)?|address|e?mail)'
-// eslint-disable-next-line max-len
+// eslint-disable-next-line @stylistic/js/max-len
 const DEFAULT_IAST_REDACTION_VALUE_PATTERN = '(?:bearer\\s+[a-z0-9\\._\\-]+|glpat-[\\w\\-]{20}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\\w=\\-]+\\.ey[I-L][\\w=\\-]+(?:\\.[\\w.+/=\\-]+)?|(?:[\\-]{5}BEGIN[a-z\\s]+PRIVATE\\sKEY[\\-]{5}[^\\-]+[\\-]{5}END[a-z\\s]+PRIVATE\\sKEY[\\-]{5}|ssh-rsa\\s*[a-z0-9/\\.+]{100,})|[\\w\\.-]+@[a-zA-Z\\d\\.-]+\\.[a-zA-Z]{2,})'
 module.exports = {

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/utils.js CHANGED Viewed

@@ -7,7 +7,7 @@ const STRINGIFY_RANGE_KEY = 'DD_' + crypto.randomBytes(20).toString('hex')
 const STRINGIFY_SENSITIVE_KEY = STRINGIFY_RANGE_KEY + 'SENSITIVE'
 const STRINGIFY_SENSITIVE_NOT_STRING_KEY = STRINGIFY_SENSITIVE_KEY + 'NOTSTRING'
-// eslint-disable-next-line max-len
+// eslint-disable-next-line @stylistic/js/max-len
 const KEYS_REGEX_WITH_SENSITIVE_RANGES = new RegExp(`(?:"(${STRINGIFY_RANGE_KEY}_\\d+_))|(?:"(${STRINGIFY_SENSITIVE_KEY}_\\d+_(\\d+)_))|("${STRINGIFY_SENSITIVE_NOT_STRING_KEY}_\\d+_([\\s0-9.a-zA-Z]*)")`, 'gm')
 const KEYS_REGEX_WITHOUT_SENSITIVE_RANGES = new RegExp(`"(${STRINGIFY_RANGE_KEY}_\\d+_)`, 'gm')

package/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js CHANGED Viewed

@@ -17,13 +17,36 @@ let resetVulnerabilityCacheTimer
 let deduplicationEnabled = true
 function addVulnerability (iastContext, vulnerability) {
-  if (vulnerability && vulnerability.evidence && vulnerability.type &&
-    vulnerability.location) {
-    if (iastContext && iastContext.rootSpan) {
+  if (vulnerability?.evidence && vulnerability?.type && vulnerability?.location) {
+    if (deduplicationEnabled && isDuplicatedVulnerability(vulnerability)) return
+    VULNERABILITY_HASHES.set(`${vulnerability.type}${vulnerability.hash}`, true)
+    let span = iastContext?.rootSpan
+    if (!span && tracer) {
+      span = tracer.startSpan('vulnerability', {
+        type: 'vulnerability'
+      })
+      vulnerability.location.spanId = span.context().toSpanId()
+      span.addTags({
+        [IAST_ENABLED_TAG_KEY]: 1
+      })
+    }
+    if (!span) return
+    keepTrace(span, SAMPLING_MECHANISM_APPSEC)
+    standalone.sample(span)
+    if (iastContext?.rootSpan) {
       iastContext[VULNERABILITIES_KEY] = iastContext[VULNERABILITIES_KEY] || []
       iastContext[VULNERABILITIES_KEY].push(vulnerability)
     } else {
-      sendVulnerabilities([vulnerability])
+      sendVulnerabilities([vulnerability], span)
+      span.finish()
     }
   }
 }
@@ -34,36 +57,17 @@ function isValidVulnerability (vulnerability) {
     vulnerability.location && vulnerability.location.spanId
 }
-function sendVulnerabilities (vulnerabilities, rootSpan) {
+function sendVulnerabilities (vulnerabilities, span) {
   if (vulnerabilities && vulnerabilities.length) {
-    let span = rootSpan
-    if (!span && tracer) {
-      span = tracer.startSpan('vulnerability', {
-        type: 'vulnerability'
-      })
-      vulnerabilities.forEach((vulnerability) => {
-        vulnerability.location.spanId = span.context().toSpanId()
-      })
-      span.addTags({
-        [IAST_ENABLED_TAG_KEY]: 1
-      })
-    }
     if (span && span.addTags) {
-      const validAndDedupVulnerabilities = deduplicateVulnerabilities(vulnerabilities).filter(isValidVulnerability)
-      const jsonToSend = vulnerabilitiesFormatter.toJson(validAndDedupVulnerabilities)
+      const validatedVulnerabilities = vulnerabilities.filter(isValidVulnerability)
+      const jsonToSend = vulnerabilitiesFormatter.toJson(validatedVulnerabilities)
       if (jsonToSend.vulnerabilities.length > 0) {
         const tags = {}
         // TODO: Store this outside of the span and set the tag in the exporter.
         tags[IAST_JSON_TAG_KEY] = JSON.stringify(jsonToSend)
         span.addTags(tags)
-        keepTrace(span, SAMPLING_MECHANISM_APPSEC)
-        standalone.sample(span)
-        if (!rootSpan) span.finish()
       }
     }
   }
@@ -86,17 +90,8 @@ function stopClearCacheTimer () {
   }
 }
-function deduplicateVulnerabilities (vulnerabilities) {
-  if (!deduplicationEnabled) return vulnerabilities
-  const deduplicated = vulnerabilities.filter((vulnerability) => {
-    const key = `${vulnerability.type}${vulnerability.hash}`
-    if (!VULNERABILITY_HASHES.get(key)) {
-      VULNERABILITY_HASHES.set(key, true)
-      return true
-    }
-    return false
-  })
-  return deduplicated
+function isDuplicatedVulnerability (vulnerability) {
+  return VULNERABILITY_HASHES.get(`${vulnerability.type}${vulnerability.hash}`)
 }
 function start (config, _tracer) {

package/packages/dd-trace/src/appsec/index.js CHANGED Viewed

@@ -16,7 +16,8 @@ const {
   expressProcessParams,
   responseBody,
   responseWriteHead,
-  responseSetHeader
+  responseSetHeader,
+  routerParam
 } = require('./channels')
 const waf = require('./waf')
 const addresses = require('./addresses')
@@ -27,7 +28,7 @@ const web = require('../plugins/util/web')
 const { extractIp } = require('../plugins/util/ip_extractor')
 const { HTTP_CLIENT_IP } = require('../../../../ext/tags')
 const { isBlocked, block, setTemplates, getBlockingAction } = require('./blocking')
-const { passportTrackEvent } = require('./passport')
+const UserTracking = require('./user_tracking')
 const { storage } = require('../../../datadog-core')
 const graphql = require('./graphql')
 const rasp = require('./rasp')
@@ -58,23 +59,23 @@ function enable (_config) {
     apiSecuritySampler.configure(_config.appsec)
+    UserTracking.setCollectionMode(_config.appsec.eventTracking.mode, false)
     bodyParser.subscribe(onRequestBodyParsed)
     multerParser.subscribe(onRequestBodyParsed)
     cookieParser.subscribe(onRequestCookieParser)
     incomingHttpRequestStart.subscribe(incomingHttpStartTranslator)
     incomingHttpRequestEnd.subscribe(incomingHttpEndTranslator)
+    passportVerify.subscribe(onPassportVerify) // possible optimization: only subscribe if collection mode is enabled
     queryParser.subscribe(onRequestQueryParsed)
     nextBodyParsed.subscribe(onRequestBodyParsed)
     nextQueryParsed.subscribe(onRequestQueryParsed)
     expressProcessParams.subscribe(onRequestProcessParams)
+    routerParam.subscribe(onRequestProcessParams)
     responseBody.subscribe(onResponseBody)
     responseWriteHead.subscribe(onResponseWriteHead)
     responseSetHeader.subscribe(onResponseSetHeader)
-    if (_config.appsec.eventTracking.enabled) {
-      passportVerify.subscribe(onPassportVerify)
-    }
     isEnabled = true
     config = _config
   } catch (err) {
@@ -163,8 +164,10 @@ function incomingHttpEndTranslator ({ req, res }) {
     persistent[addresses.HTTP_INCOMING_COOKIES] = req.cookies
   }
-  if (req.query !== null && typeof req.query === 'object') {
-    persistent[addresses.HTTP_INCOMING_QUERY] = req.query
+  // we need to keep this to support nextjs
+  const query = req.query
+  if (query !== null && typeof query === 'object') {
+    persistent[addresses.HTTP_INCOMING_QUERY] = query
   }
   if (apiSecuritySampler.sampleRequest(req, res, true)) {
@@ -180,7 +183,7 @@ function incomingHttpEndTranslator ({ req, res }) {
   Reporter.finishRequest(req, res)
 }
-function onPassportVerify ({ credentials, user }) {
+function onPassportVerify ({ framework, login, user, success, abortController }) {
   const store = storage.getStore()
   const rootSpan = store?.req && web.root(store.req)
@@ -189,7 +192,9 @@ function onPassportVerify ({ credentials, user }) {
     return
   }
-  passportTrackEvent(credentials, user, rootSpan, config.appsec.eventTracking.mode)
+  const results = UserTracking.trackLogin(framework, login, user, success, rootSpan)
+  handleResults(results, store.req, store.req.res, rootSpan, abortController)
 }
 function onRequestQueryParsed ({ req, res, query, abortController }) {
@@ -309,6 +314,7 @@ function disable () {
   if (nextBodyParsed.hasSubscribers) nextBodyParsed.unsubscribe(onRequestBodyParsed)
   if (nextQueryParsed.hasSubscribers) nextQueryParsed.unsubscribe(onRequestQueryParsed)
   if (expressProcessParams.hasSubscribers) expressProcessParams.unsubscribe(onRequestProcessParams)
+  if (routerParam.hasSubscribers) routerParam.unsubscribe(onRequestProcessParams)
   if (responseBody.hasSubscribers) responseBody.unsubscribe(onResponseBody)
   if (responseWriteHead.hasSubscribers) responseWriteHead.unsubscribe(onResponseWriteHead)
   if (responseSetHeader.hasSubscribers) responseSetHeader.unsubscribe(onResponseSetHeader)

package/packages/dd-trace/src/appsec/remote_config/capabilities.js CHANGED Viewed

@@ -22,6 +22,7 @@ module.exports = {
   ASM_RASP_SSRF: 1n << 23n,
   ASM_RASP_SHI: 1n << 24n,
   APM_TRACING_SAMPLE_RULES: 1n << 29n,
+  ASM_AUTO_USER_INSTRUM_MODE: 1n << 31n,
   ASM_ENDPOINT_FINGERPRINT: 1n << 32n,
   ASM_NETWORK_FINGERPRINT: 1n << 34n,
   ASM_HEADER_FINGERPRINT: 1n << 35n

package/packages/dd-trace/src/appsec/remote_config/index.js CHANGED Viewed

@@ -4,6 +4,8 @@ const Activation = require('../activation')
 const RemoteConfigManager = require('./manager')
 const RemoteConfigCapabilities = require('./capabilities')
+const { setCollectionMode } = require('../user_tracking')
+const log = require('../../log')
 let rc
@@ -23,9 +25,31 @@ function enable (config, appsec) {
       rc.updateCapabilities(RemoteConfigCapabilities.ASM_ACTIVATION, true)
     }
-    rc.setProductHandler('ASM_FEATURES', (action, rcConfig) => {
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_AUTO_USER_INSTRUM_MODE, true)
+    let autoUserInstrumModeId
+    rc.setProductHandler('ASM_FEATURES', (action, rcConfig, configId) => {
       if (!rcConfig) return
+      // this is put before other handlers because it can reject the config
+      if (typeof rcConfig.auto_user_instrum?.mode === 'string') {
+        if (action === 'apply' || action === 'modify') {
+          // check if there is already a config applied with this field
+          if (autoUserInstrumModeId && configId !== autoUserInstrumModeId) {
+            log.error('[RC] Multiple auto_user_instrum received in ASM_FEATURES. Discarding config')
+            // eslint-disable-next-line no-throw-literal
+            throw 'Multiple auto_user_instrum.mode received in ASM_FEATURES'
+          }
+          setCollectionMode(rcConfig.auto_user_instrum.mode)
+          autoUserInstrumModeId = configId
+        } else if (configId === autoUserInstrumModeId) {
+          setCollectionMode(config.appsec.eventTracking.mode)
+          autoUserInstrumModeId = null
+        }
+      }
       if (activation === Activation.ONECLICK) {
         enableOrDisableAppsec(action, rcConfig, config, appsec)
       }