dd-trace 5.31.0 → 5.33.0

package/packages/dd-trace/src/appsec/iast/analyzers/cookie-analyzer.js

@@ -54,15 +54,15 @@ class CookieAnalyzer extends Analyzer {
     return super._checkOCE(context, value)
   }
 
-  _getLocation (value) {
+  _getLocation (value, callSiteFrames) {
     if (!value) {
-      return super._getLocation()
+      return super._getLocation(value, callSiteFrames)
     }
 
     if (value.location) {
       return value.location
     }
-    const location = super._getLocation(value)
+    const location = super._getLocation(value, callSiteFrames)
     value.location = location
     return location
   }

package/packages/dd-trace/src/appsec/iast/analyzers/untrusted-deserialization-analyzer.js

@@ -0,0 +1,16 @@
+'use strict'
+
+const InjectionAnalyzer = require('./injection-analyzer')
+const { UNTRUSTED_DESERIALIZATION } = require('../vulnerabilities')
+
+class UntrustedDeserializationAnalyzer extends InjectionAnalyzer {
+  constructor () {
+    super(UNTRUSTED_DESERIALIZATION)
+  }
+
+  onConfigure () {
+    this.addSub('datadog:node-serialize:unserialize:start', ({ obj }) => this.analyze(obj))
+  }
+}
+
+module.exports = new UntrustedDeserializationAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -1,12 +1,15 @@
 'use strict'
 
 const { storage } = require('../../../../../datadog-core')
-const { getFirstNonDDPathAndLine } = require('../path-line')
-const { addVulnerability } = require('../vulnerability-reporter')
-const { getIastContext } = require('../iast-context')
+const { getNonDDCallSiteFrames } = require('../path-line')
+const { getIastContext, getIastStackTraceId } = require('../iast-context')
 const overheadController = require('../overhead-controller')
 const { SinkIastPlugin } = require('../iast-plugin')
-const { getOriginalPathAndLineFromSourceMap } = require('../taint-tracking/rewriter')
+const {
+  addVulnerability,
+  getVulnerabilityCallSiteFrames,
+  replaceCallSiteFromSourceMap
+} = require('../vulnerability-reporter')
 
 class Analyzer extends SinkIastPlugin {
   constructor (type) {
@@ -28,12 +31,24 @@ class Analyzer extends SinkIastPlugin {
   }
 
   _reportEvidence (value, context, evidence) {
-    const location = this._getLocation(value)
+    const callSiteFrames = getVulnerabilityCallSiteFrames()
+    const nonDDCallSiteFrames = getNonDDCallSiteFrames(callSiteFrames, this._getExcludedPaths())
+
+    const location = this._getLocation(value, nonDDCallSiteFrames)
+
     if (!this._isExcluded(location)) {
-      const locationSourceMap = this._replaceLocationFromSourceMap(location)
+      const originalLocation = this._getOriginalLocation(location)
       const spanId = context && context.rootSpan && context.rootSpan.context().toSpanId()
-      const vulnerability = this._createVulnerability(this._type, evidence, spanId, locationSourceMap)
-      addVulnerability(context, vulnerability)
+      const stackId = getIastStackTraceId(context)
+      const vulnerability = this._createVulnerability(
+        this._type,
+        evidence,
+        spanId,
+        originalLocation,
+        stackId
+      )
+
+      addVulnerability(context, vulnerability, nonDDCallSiteFrames)
     }
   }
 
@@ -49,24 +64,25 @@ class Analyzer extends SinkIastPlugin {
     return { value }
   }
 
-  _getLocation () {
-    return getFirstNonDDPathAndLine(this._getExcludedPaths())
+  _getLocation (value, callSiteFrames) {
+    return callSiteFrames[0]
   }
 
-  _replaceLocationFromSourceMap (location) {
-    if (location) {
-      const { path, line, column } = getOriginalPathAndLineFromSourceMap(location)
-      if (path) {
-        location.path = path
-      }
-      if (line) {
-        location.line = line
-      }
-      if (column) {
-        location.column = column
-      }
+  _getOriginalLocation (location) {
+    const locationFromSourceMap = replaceCallSiteFromSourceMap(location)
+    const originalLocation = {}
+
+    if (locationFromSourceMap?.path) {
+      originalLocation.path = locationFromSourceMap.path
+    }
+    if (locationFromSourceMap?.line) {
+      originalLocation.line = locationFromSourceMap.line
     }
-    return location
+    if (locationFromSourceMap?.column) {
+      originalLocation.column = locationFromSourceMap.column
+    }
+
+    return originalLocation
   }
 
   _getExcludedPaths () {}
@@ -102,12 +118,13 @@ class Analyzer extends SinkIastPlugin {
     return overheadController.hasQuota(overheadController.OPERATIONS.REPORT_VULNERABILITY, context)
   }
 
-  _createVulnerability (type, evidence, spanId, location) {
+  _createVulnerability (type, evidence, spanId, location, stackId) {
     if (type && evidence) {
       const _spanId = spanId || 0
       return {
         type,
         evidence,
+        stackId,
         location: {
           spanId: _spanId,
           ...location

package/packages/dd-trace/src/appsec/iast/iast-context.js

@@ -9,6 +9,17 @@ function getIastContext (store, topContext) {
   return iastContext
 }
 
+function getIastStackTraceId (iastContext) {
+  if (!iastContext) return 0
+
+  if (!iastContext.stackTraceId) {
+    iastContext.stackTraceId = 0
+  }
+
+  iastContext.stackTraceId += 1
+  return iastContext.stackTraceId
+}
+
 /* TODO Fix storage problem when the close event is called without
         finish event to remove `topContext` references
   We have to save the context in two places, because
@@ -51,6 +62,7 @@ module.exports = {
   getIastContext,
   saveIastContext,
   cleanIastContext,
+  getIastStackTraceId,
   IAST_CONTEXT_KEY,
   IAST_TRANSACTION_ID
 }

package/packages/dd-trace/src/appsec/iast/path-line.js

@@ -3,12 +3,10 @@
 const path = require('path')
 const process = require('process')
 const { calculateDDBasePath } = require('../../util')
-const { getCallSiteList } = require('../stack_trace')
 const pathLine = {
-  getFirstNonDDPathAndLine,
   getNodeModulesPaths,
   getRelativePath,
-  getFirstNonDDPathAndLineFromCallsites, // Exported only for test purposes
+  getNonDDCallSiteFrames,
   calculateDDBasePath, // Exported only for test purposes
   ddBasePath: calculateDDBasePath(__dirname) // Only for test purposes
 }
@@ -25,22 +23,24 @@ const EXCLUDED_PATH_PREFIXES = [
   'async_hooks'
 ]
 
-function getFirstNonDDPathAndLineFromCallsites (callsites, externallyExcludedPaths) {
-  if (callsites) {
-    for (let i = 0; i < callsites.length; i++) {
-      const callsite = callsites[i]
-      const filepath = callsite.getFileName()
-      if (!isExcluded(callsite, externallyExcludedPaths) && filepath.indexOf(pathLine.ddBasePath) === -1) {
-        return {
-          path: getRelativePath(filepath),
-          line: callsite.getLineNumber(),
-          column: callsite.getColumnNumber(),
-          isInternal: !path.isAbsolute(filepath)
-        }
-      }
+function getNonDDCallSiteFrames (callSiteFrames, externallyExcludedPaths) {
+  if (!callSiteFrames) {
+    return []
+  }
+
+  const result = []
+
+  for (const callsite of callSiteFrames) {
+    const filepath = callsite.file
+    if (!isExcluded(callsite, externallyExcludedPaths) && filepath.indexOf(pathLine.ddBasePath) === -1) {
+      callsite.path = getRelativePath(filepath)
+      callsite.isInternal = !path.isAbsolute(filepath)
+
+      result.push(callsite)
     }
   }
-  return null
+
+  return result
 }
 
 function getRelativePath (filepath) {
@@ -48,8 +48,8 @@ function getRelativePath (filepath) {
 }
 
 function isExcluded (callsite, externallyExcludedPaths) {
-  if (callsite.isNative()) return true
-  const filename = callsite.getFileName()
+  if (callsite.isNative) return true
+  const filename = callsite.file
   if (!filename) {
     return true
   }
@@ -73,10 +73,6 @@ function isExcluded (callsite, externallyExcludedPaths) {
   return false
 }
 
-function getFirstNonDDPathAndLine (externallyExcludedPaths) {
-  return getFirstNonDDPathAndLineFromCallsites(getCallSiteList(), externallyExcludedPaths)
-}
-
 function getNodeModulesPaths (...paths) {
   const nodeModulesPaths = []
 

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js

@@ -25,19 +25,20 @@ class SensitiveHandler {
 
     this._sensitiveAnalyzers = new Map()
     this._sensitiveAnalyzers.set(vulnerabilities.CODE_INJECTION, taintedRangeBasedSensitiveAnalyzer)
-    this._sensitiveAnalyzers.set(vulnerabilities.TEMPLATE_INJECTION, taintedRangeBasedSensitiveAnalyzer)
     this._sensitiveAnalyzers.set(vulnerabilities.COMMAND_INJECTION, commandSensitiveAnalyzer)
-    this._sensitiveAnalyzers.set(vulnerabilities.NOSQL_MONGODB_INJECTION, jsonSensitiveAnalyzer)
+    this._sensitiveAnalyzers.set(vulnerabilities.HARDCODED_PASSWORD, (evidence) => {
+      return hardcodedPasswordAnalyzer(evidence, this._valuePattern)
+    })
+    this._sensitiveAnalyzers.set(vulnerabilities.HEADER_INJECTION, (evidence) => {
+      return headerSensitiveAnalyzer(evidence, this._namePattern, this._valuePattern)
+    })
     this._sensitiveAnalyzers.set(vulnerabilities.LDAP_INJECTION, ldapSensitiveAnalyzer)
+    this._sensitiveAnalyzers.set(vulnerabilities.NOSQL_MONGODB_INJECTION, jsonSensitiveAnalyzer)
     this._sensitiveAnalyzers.set(vulnerabilities.SQL_INJECTION, sqlSensitiveAnalyzer)
     this._sensitiveAnalyzers.set(vulnerabilities.SSRF, urlSensitiveAnalyzer)
+    this._sensitiveAnalyzers.set(vulnerabilities.TEMPLATE_INJECTION, taintedRangeBasedSensitiveAnalyzer)
+    this._sensitiveAnalyzers.set(vulnerabilities.UNTRUSTED_DESERIALIZATION, taintedRangeBasedSensitiveAnalyzer)
     this._sensitiveAnalyzers.set(vulnerabilities.UNVALIDATED_REDIRECT, urlSensitiveAnalyzer)
-    this._sensitiveAnalyzers.set(vulnerabilities.HEADER_INJECTION, (evidence) => {
-      return headerSensitiveAnalyzer(evidence, this._namePattern, this._valuePattern)
-    })
-    this._sensitiveAnalyzers.set(vulnerabilities.HARDCODED_PASSWORD, (evidence) => {
-      return hardcodedPasswordAnalyzer(evidence, this._valuePattern)
-    })
   }
 
   isSensibleName (name) {

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/index.js

@@ -84,6 +84,7 @@ class VulnerabilityFormatter {
     const formattedVulnerability = {
       type: vulnerability.type,
       hash: vulnerability.hash,
+      stackId: vulnerability.stackId,
       evidence: this.formatEvidence(vulnerability.type, vulnerability.evidence, sourcesIndexes, sources),
       location: {
         spanId: vulnerability.location.spanId

package/packages/dd-trace/src/appsec/iast/vulnerabilities.js

@@ -15,6 +15,7 @@ module.exports = {
   SSRF: 'SSRF',
   TEMPLATE_INJECTION: 'TEMPLATE_INJECTION',
   UNVALIDATED_REDIRECT: 'UNVALIDATED_REDIRECT',
+  UNTRUSTED_DESERIALIZATION: 'UNTRUSTED_DESERIALIZATION',
   WEAK_CIPHER: 'WEAK_CIPHER',
   WEAK_HASH: 'WEAK_HASH',
   WEAK_RANDOMNESS: 'WEAK_RANDOMNESS',

package/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js

@@ -6,6 +6,8 @@ const { IAST_ENABLED_TAG_KEY, IAST_JSON_TAG_KEY } = require('./tags')
 const standalone = require('../standalone')
 const { SAMPLING_MECHANISM_APPSEC } = require('../../constants')
 const { keepTrace } = require('../../priority_sampler')
+const { reportStackTrace, getCallsiteFrames, canReportStackTrace, STACK_TRACE_NAMESPACES } = require('../stack_trace')
+const { getOriginalPathAndLineFromSourceMap } = require('./taint-tracking/rewriter')
 
 const VULNERABILITIES_KEY = 'vulnerabilities'
 const VULNERABILITY_HASHES_MAX_SIZE = 1000
@@ -15,39 +17,60 @@ const RESET_VULNERABILITY_CACHE_INTERVAL = 60 * 60 * 1000 // 1 hour
 let tracer
 let resetVulnerabilityCacheTimer
 let deduplicationEnabled = true
+let stackTraceEnabled = true
+let stackTraceMaxDepth
+let maxStackTraces
 
-function addVulnerability (iastContext, vulnerability) {
-  if (vulnerability?.evidence && vulnerability?.type && vulnerability?.location) {
-    if (deduplicationEnabled && isDuplicatedVulnerability(vulnerability)) return
+function canAddVulnerability (vulnerability) {
+  const hasRequiredFields = vulnerability?.evidence && vulnerability?.type && vulnerability?.location
+  if (!hasRequiredFields) return false
 
-    VULNERABILITY_HASHES.set(`${vulnerability.type}${vulnerability.hash}`, true)
+  const isDuplicated = deduplicationEnabled && isDuplicatedVulnerability(vulnerability)
 
-    let span = iastContext?.rootSpan
+  return !isDuplicated
+}
 
-    if (!span && tracer) {
-      span = tracer.startSpan('vulnerability', {
-        type: 'vulnerability'
-      })
+function addVulnerability (iastContext, vulnerability, callSiteFrames) {
+  if (!canAddVulnerability(vulnerability)) return
 
-      vulnerability.location.spanId = span.context().toSpanId()
+  VULNERABILITY_HASHES.set(`${vulnerability.type}${vulnerability.hash}`, true)
 
-      span.addTags({
-        [IAST_ENABLED_TAG_KEY]: 1
-      })
-    }
+  let span = iastContext?.rootSpan
 
-    if (!span) return
+  if (!span && tracer) {
+    span = tracer.startSpan('vulnerability', {
+      type: 'vulnerability'
+    })
 
-    keepTrace(span, SAMPLING_MECHANISM_APPSEC)
-    standalone.sample(span)
+    vulnerability.location.spanId = span.context().toSpanId()
 
-    if (iastContext?.rootSpan) {
-      iastContext[VULNERABILITIES_KEY] = iastContext[VULNERABILITIES_KEY] || []
-      iastContext[VULNERABILITIES_KEY].push(vulnerability)
-    } else {
-      sendVulnerabilities([vulnerability], span)
-      span.finish()
-    }
+    span.addTags({
+      [IAST_ENABLED_TAG_KEY]: 1
+    })
+  }
+
+  if (!span) return
+
+  keepTrace(span, SAMPLING_MECHANISM_APPSEC)
+  standalone.sample(span)
+
+  if (stackTraceEnabled && canReportStackTrace(span, maxStackTraces, STACK_TRACE_NAMESPACES.IAST)) {
+    const originalCallSiteList = callSiteFrames.map(callsite => replaceCallSiteFromSourceMap(callsite))
+
+    reportStackTrace(
+      span,
+      vulnerability.stackId,
+      originalCallSiteList,
+      STACK_TRACE_NAMESPACES.IAST
+    )
+  }
+
+  if (iastContext?.rootSpan) {
+    iastContext[VULNERABILITIES_KEY] = iastContext[VULNERABILITIES_KEY] || []
+    iastContext[VULNERABILITIES_KEY].push(vulnerability)
+  } else {
+    sendVulnerabilities([vulnerability], span)
+    span.finish()
   }
 }
 
@@ -94,8 +117,34 @@ function isDuplicatedVulnerability (vulnerability) {
   return VULNERABILITY_HASHES.get(`${vulnerability.type}${vulnerability.hash}`)
 }
 
+function getVulnerabilityCallSiteFrames () {
+  return getCallsiteFrames(stackTraceMaxDepth)
+}
+
+function replaceCallSiteFromSourceMap (callsite) {
+  if (callsite) {
+    const { path, line, column } = getOriginalPathAndLineFromSourceMap(callsite)
+    if (path) {
+      callsite.file = path
+      callsite.path = path
+    }
+    if (line) {
+      callsite.line = line
+    }
+    if (column) {
+      callsite.column = column
+    }
+  }
+
+  return callsite
+}
+
 function start (config, _tracer) {
   deduplicationEnabled = config.iast.deduplicationEnabled
+  stackTraceEnabled = config.iast.stackTrace.enabled
+  stackTraceMaxDepth = config.appsec.stackTrace.maxDepth
+  maxStackTraces = config.appsec.stackTrace.maxStackTraces
+
   vulnerabilitiesFormatter.setRedactVulnerabilities(
     config.iast.redactionEnabled,
     config.iast.redactionNamePattern,
@@ -114,6 +163,8 @@ function stop () {
 module.exports = {
   addVulnerability,
   sendVulnerabilities,
+  getVulnerabilityCallSiteFrames,
+  replaceCallSiteFromSourceMap,
   clearCache,
   start,
   stop

package/packages/dd-trace/src/appsec/rasp/utils.js

@@ -1,7 +1,7 @@
 'use strict'
 
 const web = require('../../plugins/util/web')
-const { reportStackTrace } = require('../stack_trace')
+const { getCallsiteFrames, reportStackTrace, canReportStackTrace } = require('../stack_trace')
 const { getBlockingAction } = require('../blocking')
 const log = require('../../log')
 
@@ -30,13 +30,18 @@ class DatadogRaspAbortError extends Error {
 
 function handleResult (actions, req, res, abortController, config) {
   const generateStackTraceAction = actions?.generate_stack
-  if (generateStackTraceAction && config.appsec.stackTrace.enabled) {
-    const rootSpan = web.root(req)
+
+  const { enabled, maxDepth, maxStackTraces } = config.appsec.stackTrace
+
+  const rootSpan = web.root(req)
+
+  if (generateStackTraceAction && enabled && canReportStackTrace(rootSpan, maxStackTraces)) {
+    const frames = getCallsiteFrames(maxDepth)
+
     reportStackTrace(
       rootSpan,
       generateStackTraceAction.stack_id,
-      config.appsec.stackTrace.maxDepth,
-      config.appsec.stackTrace.maxStackTraces
+      frames
     )
   }
 

package/packages/dd-trace/src/appsec/stack_trace.js

@@ -6,11 +6,18 @@ const ddBasePath = calculateDDBasePath(__dirname)
 
 const LIBRARY_FRAMES_BUFFER = 20
 
+const STACK_TRACE_NAMESPACES = {
+  RASP: 'exploit',
+  IAST: 'vulnerability'
+}
+
 function getCallSiteList (maxDepth = 100) {
   const previousPrepareStackTrace = Error.prepareStackTrace
   const previousStackTraceLimit = Error.stackTraceLimit
   let callsiteList
-  Error.stackTraceLimit = maxDepth
+  // Since some frames will be discarded because they come from tracer codebase, a buffer is added
+  // to the limit in order to get as close as `maxDepth` number of frames.
+  Error.stackTraceLimit = maxDepth + LIBRARY_FRAMES_BUFFER
 
   try {
     Error.prepareStackTrace = function (_, callsites) {
@@ -30,7 +37,10 @@ function filterOutFramesFromLibrary (callSiteList) {
   return callSiteList.filter(callSite => !callSite.getFileName()?.startsWith(ddBasePath))
 }
 
-function getFramesForMetaStruct (callSiteList, maxDepth = 32) {
+function getCallsiteFrames (maxDepth = 32, callSiteListGetter = getCallSiteList) {
+  if (maxDepth < 1) maxDepth = Infinity
+
+  const callSiteList = callSiteListGetter(maxDepth)
   const filteredFrames = filterOutFramesFromLibrary(callSiteList)
 
   const half = filteredFrames.length > maxDepth ? Math.round(maxDepth / 2) : Infinity
@@ -45,46 +55,46 @@ function getFramesForMetaStruct (callSiteList, maxDepth = 32) {
       line: callSite.getLineNumber(),
       column: callSite.getColumnNumber(),
       function: callSite.getFunctionName(),
-      class_name: callSite.getTypeName()
+      class_name: callSite.getTypeName(),
+      isNative: callSite.isNative()
     })
   }
 
   return indexedFrames
 }
 
-function reportStackTrace (rootSpan, stackId, maxDepth, maxStackTraces, callSiteListGetter = getCallSiteList) {
+function reportStackTrace (rootSpan, stackId, frames, namespace = STACK_TRACE_NAMESPACES.RASP) {
   if (!rootSpan) return
+  if (!Array.isArray(frames)) return
 
-  if (maxStackTraces < 1 || (rootSpan.meta_struct?.['_dd.stack']?.exploit?.length ?? 0) < maxStackTraces) {
-    // Since some frames will be discarded because they come from tracer codebase, a buffer is added
-    // to the limit in order to get as close as `maxDepth` number of frames.
-    if (maxDepth < 1) maxDepth = Infinity
-    const callSiteList = callSiteListGetter(maxDepth + LIBRARY_FRAMES_BUFFER)
-    if (!Array.isArray(callSiteList)) return
+  if (!rootSpan.meta_struct) {
+    rootSpan.meta_struct = {}
+  }
 
-    if (!rootSpan.meta_struct) {
-      rootSpan.meta_struct = {}
-    }
+  if (!rootSpan.meta_struct['_dd.stack']) {
+    rootSpan.meta_struct['_dd.stack'] = {}
+  }
 
-    if (!rootSpan.meta_struct['_dd.stack']) {
-      rootSpan.meta_struct['_dd.stack'] = {}
-    }
+  if (!rootSpan.meta_struct['_dd.stack'][namespace]) {
+    rootSpan.meta_struct['_dd.stack'][namespace] = []
+  }
 
-    if (!rootSpan.meta_struct['_dd.stack'].exploit) {
-      rootSpan.meta_struct['_dd.stack'].exploit = []
-    }
+  rootSpan.meta_struct['_dd.stack'][namespace].push({
+    id: stackId,
+    language: 'nodejs',
+    frames
+  })
+}
 
-    const frames = getFramesForMetaStruct(callSiteList, maxDepth)
+function canReportStackTrace (rootSpan, maxStackTraces, namespace = STACK_TRACE_NAMESPACES.RASP) {
+  if (!rootSpan) return false
 
-    rootSpan.meta_struct['_dd.stack'].exploit.push({
-      id: stackId,
-      language: 'nodejs',
-      frames
-    })
-  }
+  return maxStackTraces < 1 || (rootSpan.meta_struct?.['_dd.stack']?.[namespace]?.length ?? 0) < maxStackTraces
 }
 
 module.exports = {
-  getCallSiteList,
-  reportStackTrace
+  getCallsiteFrames,
+  reportStackTrace,
+  canReportStackTrace,
+  STACK_TRACE_NAMESPACES
 }

package/packages/dd-trace/src/appsec/waf/waf_context_wrapper.js

@@ -19,6 +19,7 @@ class WAFContextWrapper {
     this.rulesVersion = rulesVersion
     this.addressesToSkip = new Set()
     this.knownAddresses = knownAddresses
+    this.cachedUserIdActions = new Map()
   }
 
   run ({ persistent, ephemeral }, raspRule) {
@@ -27,6 +28,16 @@ class WAFContextWrapper {
       return
     }
 
+    // SPECIAL CASE FOR USER_ID
+    // TODO: make this universal
+    const userId = persistent?.[addresses.USER_ID] || ephemeral?.[addresses.USER_ID]
+    if (userId) {
+      const cachedAction = this.cachedUserIdActions.get(userId)
+      if (cachedAction) {
+        return cachedAction
+      }
+    }
+
     const payload = {}
     let payloadHasData = false
     const newAddressesToSkip = new Set(this.addressesToSkip)
@@ -79,6 +90,12 @@ class WAFContextWrapper {
 
       const blockTriggered = !!getBlockingAction(result.actions)
 
+      // SPECIAL CASE FOR USER_ID
+      // TODO: make this universal
+      if (userId && ruleTriggered && blockTriggered) {
+        this.setUserIdCache(userId, result)
+      }
+
       Reporter.reportMetrics({
         duration: result.totalRuntime / 1e3,
         durationExt: parseInt(end - start) / 1e3,
@@ -105,6 +122,26 @@ class WAFContextWrapper {
     }
   }
 
+  setUserIdCache (userId, result) {
+    // using old loops for speed
+    for (let i = 0; i < result.events.length; i++) {
+      const event = result.events[i]
+
+      for (let j = 0; j < event?.rule_matches?.length; j++) {
+        const match = event.rule_matches[j]
+
+        for (let k = 0; k < match?.parameters?.length; k++) {
+          const parameter = match.parameters[k]
+
+          if (parameter?.address === addresses.USER_ID) {
+            this.cachedUserIdActions.set(userId, result.actions)
+            return
+          }
+        }
+      }
+    }
+  }
+
   dispose () {
     this.ddwafContext.dispose()
   }