npm - dd-trace - Versions diffs - 5.29.1 → 5.30.0 - Mend

dd-trace 5.29.1 → 5.30.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "dd-trace",
-  "version": "5.29.1",
+  "version": "5.30.0",
   "description": "Datadog APM tracing client for JavaScript",
   "main": "index.js",
   "typings": "index.d.ts",

package/packages/datadog-instrumentations/src/fs.js CHANGED Viewed

@@ -13,6 +13,9 @@ const errorChannel = channel('apm:fs:operation:error')
 const ddFhSym = Symbol('ddFileHandle')
 let kHandle, kDirReadPromisified, kDirClosePromisified
+// Update packages/dd-trace/src/profiling/profilers/event_plugins/fs.js if you make changes to param names in any of
+// the following objects.
 const paramsByMethod = {
   access: ['path', 'mode'],
   appendFile: ['path', 'data', 'options'],

package/packages/dd-trace/src/appsec/addresses.js CHANGED Viewed

@@ -31,6 +31,7 @@ module.exports = {
   DB_STATEMENT: 'server.db.statement',
   DB_SYSTEM: 'server.db.system',
+  EXEC_COMMAND: 'server.sys.exec.cmd',
   SHELL_COMMAND: 'server.sys.shell.cmd',
   LOGIN_SUCCESS: 'server.business_logic.users.login.success',

package/packages/dd-trace/src/appsec/rasp/command_injection.js CHANGED Viewed

@@ -25,19 +25,26 @@ function disable () {
 }
 function analyzeCommandInjection ({ file, fileArgs, shell, abortController }) {
-  if (!file || !shell) return
+  if (!file) return
   const store = storage.getStore()
   const req = store?.req
   if (!req) return
-  const commandParams = fileArgs ? [file, ...fileArgs] : file
-  const persistent = {
-    [addresses.SHELL_COMMAND]: commandParams
+  const persistent = {}
+  const raspRule = { type: RULE_TYPES.COMMAND_INJECTION }
+  const params = fileArgs ? [file, ...fileArgs] : file
+  if (shell) {
+    persistent[addresses.SHELL_COMMAND] = params
+    raspRule.variant = 'shell'
+  } else {
+    const commandParams = Array.isArray(params) ? params : [params]
+    persistent[addresses.EXEC_COMMAND] = commandParams
+    raspRule.variant = 'exec'
   }
-  const result = waf.run({ persistent }, req, RULE_TYPES.COMMAND_INJECTION)
+  const result = waf.run({ persistent }, req, raspRule)
   const res = store?.res
   handleResult(result, req, res, abortController, config)

package/packages/dd-trace/src/appsec/rasp/lfi.js CHANGED Viewed

@@ -58,7 +58,9 @@ function analyzeLfi (ctx) {
       [FS_OPERATION_PATH]: path
     }
-    const result = waf.run({ persistent }, req, RULE_TYPES.LFI)
+    const raspRule = { type: RULE_TYPES.LFI }
+    const result = waf.run({ persistent }, req, raspRule)
     handleResult(result, req, res, ctx.abortController, config)
   })
 }

package/packages/dd-trace/src/appsec/rasp/sql_injection.js CHANGED Viewed

@@ -72,7 +72,9 @@ function analyzeSqlInjection (query, dbSystem, abortController) {
     [addresses.DB_SYSTEM]: dbSystem
   }
-  const result = waf.run({ persistent }, req, RULE_TYPES.SQL_INJECTION)
+  const raspRule = { type: RULE_TYPES.SQL_INJECTION }
+  const result = waf.run({ persistent }, req, raspRule)
   handleResult(result, req, res, abortController, config)
 }

package/packages/dd-trace/src/appsec/rasp/ssrf.js CHANGED Viewed

@@ -29,7 +29,9 @@ function analyzeSsrf (ctx) {
     [addresses.HTTP_OUTGOING_URL]: outgoingUrl
   }
-  const result = waf.run({ persistent }, req, RULE_TYPES.SSRF)
+  const raspRule = { type: RULE_TYPES.SSRF }
+  const result = waf.run({ persistent }, req, raspRule)
   const res = store?.res
   handleResult(result, req, res, ctx.abortController, config)

package/packages/dd-trace/src/appsec/remote_config/capabilities.js CHANGED Viewed

@@ -25,5 +25,6 @@ module.exports = {
   ASM_AUTO_USER_INSTRUM_MODE: 1n << 31n,
   ASM_ENDPOINT_FINGERPRINT: 1n << 32n,
   ASM_NETWORK_FINGERPRINT: 1n << 34n,
-  ASM_HEADER_FINGERPRINT: 1n << 35n
+  ASM_HEADER_FINGERPRINT: 1n << 35n,
+  ASM_RASP_CMDI: 1n << 37n
 }

package/packages/dd-trace/src/appsec/remote_config/index.js CHANGED Viewed

@@ -101,6 +101,7 @@ function enableWafUpdate (appsecConfig) {
       rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SSRF, true)
       rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_LFI, true)
       rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SHI, true)
+      rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_CMDI, true)
     }
     // TODO: delete noop handlers and kPreUpdate and replace with batched handlers
@@ -133,6 +134,7 @@ function disableWafUpdate () {
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SSRF, false)
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_LFI, false)
     rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SHI, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_CMDI, false)
     rc.removeProductHandler('ASM_DATA')
     rc.removeProductHandler('ASM_DD')

package/packages/dd-trace/src/appsec/reporter.js CHANGED Viewed

@@ -101,7 +101,7 @@ function reportWafInit (wafVersion, rulesVersion, diagnosticsRules = {}) {
   incrementWafInitMetric(wafVersion, rulesVersion)
 }
-function reportMetrics (metrics, raspRuleType) {
+function reportMetrics (metrics, raspRule) {
   const store = storage.getStore()
   const rootSpan = store?.req && web.root(store.req)
   if (!rootSpan) return
@@ -109,8 +109,8 @@ function reportMetrics (metrics, raspRuleType) {
   if (metrics.rulesVersion) {
     rootSpan.setTag('_dd.appsec.event_rules.version', metrics.rulesVersion)
   }
-  if (raspRuleType) {
-    updateRaspRequestsMetricTags(metrics, store.req, raspRuleType)
+  if (raspRule) {
+    updateRaspRequestsMetricTags(metrics, store.req, raspRule)
   } else {
     updateWafRequestsMetricTags(metrics, store.req)
   }

package/packages/dd-trace/src/appsec/telemetry.js CHANGED Viewed

@@ -79,7 +79,7 @@ function getOrCreateMetricTags (store, versionsTags) {
   return metricTags
 }
-function updateRaspRequestsMetricTags (metrics, req, raspRuleType) {
+function updateRaspRequestsMetricTags (metrics, req, raspRule) {
   if (!req) return
   const store = getStore(req)
@@ -89,7 +89,12 @@ function updateRaspRequestsMetricTags (metrics, req, raspRuleType) {
   if (!enabled) return
-  const tags = { rule_type: raspRuleType, waf_version: metrics.wafVersion }
+  const tags = { rule_type: raspRule.type, waf_version: metrics.wafVersion }
+  if (raspRule.variant) {
+    tags.rule_variant = raspRule.variant
+  }
   appsecMetrics.count('rasp.rule.eval', tags).inc(1)
   if (metrics.wafTimeout) {

package/packages/dd-trace/src/appsec/waf/index.js CHANGED Viewed

@@ -46,7 +46,7 @@ function update (newRules) {
   }
 }
-function run (data, req, raspRuleType) {
+function run (data, req, raspRule) {
   if (!req) {
     const store = storage.getStore()
     if (!store || !store.req) {
@@ -59,7 +59,7 @@ function run (data, req, raspRuleType) {
   const wafContext = waf.wafManager.getWAFContext(req)
-  return wafContext.run(data, raspRuleType)
+  return wafContext.run(data, raspRule)
 }
 function disposeContext (req) {

package/packages/dd-trace/src/appsec/waf/waf_context_wrapper.js CHANGED Viewed

@@ -21,7 +21,7 @@ class WAFContextWrapper {
     this.knownAddresses = knownAddresses
   }
-  run ({ persistent, ephemeral }, raspRuleType) {
+  run ({ persistent, ephemeral }, raspRule) {
     if (this.ddwafContext.disposed) {
       log.warn('[ASM] Calling run on a disposed context')
       return
@@ -87,7 +87,7 @@ class WAFContextWrapper {
         blockTriggered,
         wafVersion: this.wafVersion,
         wafTimeout: result.timeout
-      }, raspRuleType)
+      }, raspRule)
       if (ruleTriggered) {
         Reporter.reportAttack(JSON.stringify(result.events))

package/packages/dd-trace/src/log/index.js CHANGED Viewed

@@ -1,6 +1,7 @@
 'use strict'
 const coalesce = require('koalas')
+const { inspect } = require('util')
 const { isTrue } = require('../util')
 const { traceChannel, debugChannel, infoChannel, warnChannel, errorChannel } = require('./channels')
 const logWriter = require('./writer')
@@ -59,9 +60,18 @@ const log = {
   trace (...args) {
     if (traceChannel.hasSubscribers) {
       const logRecord = {}
       Error.captureStackTrace(logRecord, this.trace)
-      const stack = logRecord.stack.split('\n')[1].replace(/^\s+at ([^\s]) .+/, '$1')
-      traceChannel.publish(Log.parse('Trace', args, { stack }))
+      const fn = logRecord.stack.split('\n')[1].replace(/^\s+at ([^\s]+) .+/, '$1')
+      const params = args.map(a => {
+        return a && a.hasOwnProperty('toString') && typeof a.toString === 'function'
+          ? a.toString()
+          : inspect(a, { depth: 3, breakLength: Infinity, compact: true })
+      }).join(', ')
+      const formatted = logRecord.stack.replace('Error: ', `Trace: ${fn}(${params})`)
+      traceChannel.publish(Log.parse(formatted))
     }
     return this
   },

package/packages/dd-trace/src/log/writer.js CHANGED Viewed

@@ -4,7 +4,6 @@ const { storage } = require('../../../datadog-core')
 const { LogChannel } = require('./channels')
 const { Log } = require('./log')
 const defaultLogger = {
-  trace: msg => console.trace(msg), /* eslint-disable-line no-console */
   debug: msg => console.debug(msg), /* eslint-disable-line no-console */
   info: msg => console.info(msg), /* eslint-disable-line no-console */
   warn: msg => console.warn(msg), /* eslint-disable-line no-console */
@@ -91,8 +90,10 @@ function onDebug (log) {
 function onTrace (log) {
   const { formatted, cause } = getErrorLog(log)
-  if (formatted) withNoop(() => logger.trace(formatted))
-  if (cause) withNoop(() => logger.trace(cause))
+  // Using logger.debug() because not all loggers have trace level,
+  // and console.trace() has a completely different meaning.
+  if (formatted) withNoop(() => logger.debug(formatted))
+  if (cause) withNoop(() => logger.debug(cause))
 }
 function error (...args) {

package/packages/dd-trace/src/opentracing/span.js CHANGED Viewed

@@ -107,7 +107,7 @@ class DatadogSpan {
   toString () {
     const spanContext = this.context()
-    const resourceName = spanContext._tags['resource.name']
+    const resourceName = spanContext._tags['resource.name'] || ''
     const resource = resourceName.length > 100
       ? `${resourceName.substring(0, 97)}...`
       : resourceName

package/packages/dd-trace/src/profiling/profilers/event_plugins/event.js CHANGED Viewed

@@ -32,11 +32,11 @@ class EventPlugin extends TracingPlugin {
     if (!store) return
     const { startEvent, startTime, error } = store
-    if (error) {
-      return // don't emit perf events for failed operations
+    if (error || this.ignoreEvent(startEvent)) {
+      return // don't emit perf events for failed operations or ignored events
     }
-    const duration = performance.now() - startTime
+    const duration = performance.now() - startTime
     const event = {
       entryType: this.entryType,
       startTime,
@@ -53,6 +53,10 @@ class EventPlugin extends TracingPlugin {
     this.eventHandler(this.extendEvent(event, startEvent))
   }
+  ignoreEvent () {
+    return false
+  }
 }
 module.exports = EventPlugin

package/packages/dd-trace/src/profiling/profilers/event_plugins/fs.js ADDED Viewed

@@ -0,0 +1,49 @@
+const EventPlugin = require('./event')
+// Values taken from parameter names in datadog-instrumentations/src/fs.js.
+// Known param names that are disallowed because they can be strings and have arbitrary sizes:
+// 'data'
+// Known param names that are disallowed because they are never a string or number:
+// 'buffer', 'buffers', 'listener'
+const allowedParams = new Set([
+  'atime', 'dest',
+  'existingPath', 'fd', 'file',
+  'flag', 'gid', 'len',
+  'length', 'mode', 'mtime',
+  'newPath', 'offset', 'oldPath',
+  'operation', 'options', 'path',
+  'position', 'prefix', 'src',
+  'target', 'type', 'uid'
+])
+class FilesystemPlugin extends EventPlugin {
+  static get id () {
+    return 'fs'
+  }
+  static get operation () {
+    return 'operation'
+  }
+  static get entryType () {
+    return 'fs'
+  }
+  ignoreEvent (event) {
+    // Don't care about sync events, they show up in the event loop samples anyway
+    return event.operation?.endsWith('Sync')
+  }
+  extendEvent (event, detail) {
+    const d = { ...detail }
+    Object.entries(d).forEach(([k, v]) => {
+      if (!(allowedParams.has(k) && (typeof v === 'string' || typeof v === 'number'))) {
+        delete d[k]
+      }
+    })
+    event.detail = d
+    return event
+  }
+}
+module.exports = FilesystemPlugin

package/packages/dd-trace/src/profiling/profilers/events.js CHANGED Viewed

@@ -133,11 +133,32 @@ class NetDecorator {
   }
 }
+class FilesystemDecorator {
+  constructor (stringTable) {
+    this.stringTable = stringTable
+  }
+  decorateSample (sampleInput, item) {
+    const labels = sampleInput.label
+    const stringTable = this.stringTable
+    Object.entries(item.detail).forEach(([k, v]) => {
+      switch (typeof v) {
+        case 'string':
+          labels.push(labelFromStrStr(stringTable, k, v))
+          break
+        case 'number':
+          labels.push(new Label({ key: stringTable.dedup(k), num: v }))
+      }
+    })
+  }
+}
 // Keys correspond to PerformanceEntry.entryType, values are constructor
 // functions for type-specific decorators.
 const decoratorTypes = {
-  gc: GCDecorator,
+  fs: FilesystemDecorator,
   dns: DNSDecorator,
+  gc: GCDecorator,
   net: NetDecorator
 }
@@ -255,7 +276,7 @@ class NodeApiEventSource {
 class DatadogInstrumentationEventSource {
   constructor (eventHandler, eventFilter) {
-    this.plugins = ['dns_lookup', 'dns_lookupservice', 'dns_resolve', 'dns_reverse', 'net'].map(m => {
+    this.plugins = ['dns_lookup', 'dns_lookupservice', 'dns_resolve', 'dns_reverse', 'fs', 'net'].map(m => {
       const Plugin = require(`./event_plugins/${m}`)
       return new Plugin(eventHandler, eventFilter)
     })