dd-trace 5.33.1 → 5.34.0

package/LICENSE-3rdparty.csv

@@ -35,6 +35,7 @@ dev,@apollo/server,MIT,Copyright (c) 2016-2020 Apollo Graph, Inc. (Formerly Mete
 dev,@types/node,MIT,Copyright Authors
 dev,@eslint/eslintrc,MIT,Copyright OpenJS Foundation and other contributors, <www.openjsf.org>
 dev,@eslint/js,MIT,Copyright OpenJS Foundation and other contributors, <www.openjsf.org>
+dev,@msgpack/msgpack,ISC,Copyright 2019 The MessagePack Community
 dev,@stylistic/eslint-plugin-js,MIT,Copyright OpenJS Foundation and other contributors, <www.openjsf.org>
 dev,autocannon,MIT,Copyright 2016 Matteo Collina
 dev,aws-sdk,Apache 2.0,Copyright 2012-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
@@ -58,12 +59,10 @@ dev,get-port,MIT,Copyright Sindre Sorhus
 dev,glob,ISC,Copyright Isaac Z. Schlueter and Contributors
 dev,globals,MIT,Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)
 dev,graphql,MIT,Copyright 2015 Facebook Inc.
-dev,int64-buffer,MIT,Copyright 2015-2016 Yusuke Kawasaki
 dev,jszip,MIT,Copyright 2015-2016 Stuart Knightley and contributors
 dev,knex,MIT,Copyright (c) 2013-present Tim Griesser
 dev,mkdirp,MIT,Copyright 2010 James Halliday
 dev,mocha,MIT,Copyright 2011-2018 JS Foundation and contributors https://js.foundation
-dev,msgpack-lite,MIT,Copyright 2015 Yusuke Kawasaki
 dev,multer,MIT,Copyright 2014 Hage Yaapa
 dev,nock,MIT,Copyright 2017 Pedro Teixeira and other contributors
 dev,nyc,ISC,Copyright 2015 Contributors

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dd-trace",
-  "version": "5.33.1",
+  "version": "5.34.0",
   "description": "Datadog APM tracing client for JavaScript",
   "main": "index.js",
   "typings": "index.d.ts",
@@ -118,6 +118,7 @@
     "@apollo/server": "^4.11.0",
     "@eslint/eslintrc": "^3.1.0",
     "@eslint/js": "^9.11.1",
+    "@msgpack/msgpack": "^3.0.0-beta3",
     "@stylistic/eslint-plugin-js": "^2.8.0",
     "@types/node": "^16.0.0",
     "autocannon": "^4.5.2",
@@ -142,12 +143,10 @@
     "glob": "^7.1.6",
     "globals": "^15.10.0",
     "graphql": "0.13.2",
-    "int64-buffer": "^0.1.9",
     "jszip": "^3.5.0",
     "knex": "^2.4.2",
     "mkdirp": "^3.0.1",
     "mocha": "^10",
-    "msgpack-lite": "^0.1.26",
     "multer": "^1.4.5-lts.1",
     "nock": "^11.3.3",
     "nyc": "^15.1.0",

package/packages/datadog-plugin-graphql/src/execute.js

@@ -1,6 +1,7 @@
 'use strict'
 
 const TracingPlugin = require('../../dd-trace/src/plugins/tracing')
+const { extractErrorIntoSpanEvent } = require('./utils')
 
 let tools
 
@@ -34,6 +35,11 @@ class GraphQLExecutePlugin extends TracingPlugin {
   finish ({ res, args }) {
     const span = this.activeSpan
     this.config.hooks.execute(span, args, res)
+    if (res?.errors) {
+      for (const err of res.errors) {
+        extractErrorIntoSpanEvent(this._tracerConfig, span, err)
+      }
+    }
     super.finish()
   }
 }

package/packages/datadog-plugin-graphql/src/utils.js

@@ -0,0 +1,40 @@
+function extractErrorIntoSpanEvent (config, span, exc) {
+  const attributes = {}
+
+  if (exc.name) {
+    attributes.type = exc.name
+  }
+
+  if (exc.stack) {
+    attributes.stacktrace = exc.stack
+  }
+
+  if (exc.locations) {
+    attributes.locations = []
+    for (const location of exc.locations) {
+      attributes.locations.push(`${location.line}:${location.column}`)
+    }
+  }
+
+  if (exc.path) {
+    attributes.path = exc.path.map(String)
+  }
+
+  if (exc.message) {
+    attributes.message = exc.message
+  }
+
+  if (config.graphqlErrorExtensions) {
+    for (const ext of config.graphqlErrorExtensions) {
+      if (exc.extensions?.[ext]) {
+        attributes[`extensions.${ext}`] = exc.extensions[ext].toString()
+      }
+    }
+  }
+
+  span.addEvent('dd.graphql.query.error', attributes, Date.now())
+}
+
+module.exports = {
+  extractErrorIntoSpanEvent
+}

package/packages/datadog-plugin-graphql/src/validate.js

@@ -1,6 +1,7 @@
 'use strict'
 
 const TracingPlugin = require('../../dd-trace/src/plugins/tracing')
+const { extractErrorIntoSpanEvent } = require('./utils')
 
 class GraphQLValidatePlugin extends TracingPlugin {
   static get id () { return 'graphql' }
@@ -21,6 +22,11 @@ class GraphQLValidatePlugin extends TracingPlugin {
   finish ({ document, errors }) {
     const span = this.activeSpan
     this.config.hooks.validate(span, document, errors)
+    if (errors) {
+      for (const err of errors) {
+        extractErrorIntoSpanEvent(this._tracerConfig, span, err)
+      }
+    }
     super.finish()
   }
 }

package/packages/dd-trace/src/appsec/iast/analyzers/code-injection-analyzer.js

@@ -2,14 +2,32 @@
 
 const InjectionAnalyzer = require('./injection-analyzer')
 const { CODE_INJECTION } = require('../vulnerabilities')
+const { INSTRUMENTED_SINK } = require('../telemetry/iast-metric')
+const { storage } = require('../../../../../datadog-core')
+const { getIastContext } = require('../iast-context')
 
 class CodeInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
     super(CODE_INJECTION)
+    this.evalInstrumentedInc = false
   }
 
   onConfigure () {
-    this.addSub('datadog:eval:call', ({ script }) => this.analyze(script))
+    this.addSub('datadog:eval:call', ({ script }) => {
+      if (!this.evalInstrumentedInc) {
+        const store = storage.getStore()
+        const iastContext = getIastContext(store)
+        const tags = INSTRUMENTED_SINK.formatTags(CODE_INJECTION)
+
+        for (const tag of tags) {
+          INSTRUMENTED_SINK.inc(iastContext, tag)
+        }
+
+        this.evalInstrumentedInc = true
+      }
+
+      this.analyze(script)
+    })
     this.addSub('datadog:vm:run-script:start', ({ code }) => this.analyze(code))
     this.addSub('datadog:vm:source-text-module:start', ({ code }) => this.analyze(code))
   }

package/packages/dd-trace/src/config.js

@@ -482,6 +482,7 @@ class Config {
     this._setValue(defaults, 'flushInterval', 2000)
     this._setValue(defaults, 'flushMinSpans', 1000)
     this._setValue(defaults, 'gitMetadataEnabled', true)
+    this._setValue(defaults, 'graphqlErrorExtensions', [])
     this._setValue(defaults, 'grpc.client.error.statuses', GRPC_CLIENT_ERROR_STATUSES)
     this._setValue(defaults, 'grpc.server.error.statuses', GRPC_SERVER_ERROR_STATUSES)
     this._setValue(defaults, 'headerTags', [])
@@ -521,6 +522,7 @@ class Config {
     this._setValue(defaults, 'lookup', undefined)
     this._setValue(defaults, 'inferredProxyServicesEnabled', false)
     this._setValue(defaults, 'memcachedCommandEnabled', false)
+    this._setValue(defaults, 'middlewareTracingEnabled', true)
     this._setValue(defaults, 'openAiLogsEnabled', false)
     this._setValue(defaults, 'openai.spanCharLimit', 128)
     this._setValue(defaults, 'peerServiceMapping', {})
@@ -669,9 +671,11 @@ class Config {
       DD_TRACE_EXPERIMENTAL_RUNTIME_ID_ENABLED,
       DD_TRACE_GIT_METADATA_ENABLED,
       DD_TRACE_GLOBAL_TAGS,
+      DD_TRACE_GRAPHQL_ERROR_EXTENSIONS,
       DD_TRACE_HEADER_TAGS,
       DD_TRACE_LEGACY_BAGGAGE_ENABLED,
       DD_TRACE_MEMCACHED_COMMAND_ENABLED,
+      DD_TRACE_MIDDLEWARE_TRACING_ENABLED,
       DD_TRACE_OBFUSCATION_QUERY_STRING_REGEXP,
       DD_TRACE_PARTIAL_FLUSH_MIN_SPANS,
       DD_TRACE_PEER_SERVICE_MAPPING,
@@ -804,6 +808,7 @@ class Config {
     this._setBoolean(env, 'logInjection', DD_LOGS_INJECTION)
     // Requires an accompanying DD_APM_OBFUSCATION_MEMCACHED_KEEP_COMMAND=true in the agent
     this._setBoolean(env, 'memcachedCommandEnabled', DD_TRACE_MEMCACHED_COMMAND_ENABLED)
+    this._setBoolean(env, 'middlewareTracingEnabled', DD_TRACE_MIDDLEWARE_TRACING_ENABLED)
     this._setBoolean(env, 'openAiLogsEnabled', DD_OPENAI_LOGS_ENABLED)
     this._setValue(env, 'openai.spanCharLimit', maybeInt(DD_OPENAI_SPAN_CHAR_LIMIT))
     this._envUnprocessed.openaiSpanCharLimit = DD_OPENAI_SPAN_CHAR_LIMIT
@@ -895,6 +900,7 @@ class Config {
     this._setString(env, 'version', DD_VERSION || tags.version)
     this._setBoolean(env, 'inferredProxyServicesEnabled', DD_TRACE_INFERRED_PROXY_SERVICES_ENABLED)
     this._setString(env, 'aws.dynamoDb.tablePrimaryKeys', DD_AWS_SDK_DYNAMODB_TABLE_PRIMARY_KEYS)
+    this._setArray(env, 'graphqlErrorExtensions', DD_TRACE_GRAPHQL_ERROR_EXTENSIONS)
   }
 
   _applyOptions (options) {
@@ -986,6 +992,7 @@ class Config {
     this._setString(opts, 'llmobs.mlApp', options.llmobs?.mlApp)
     this._setBoolean(opts, 'logInjection', options.logInjection)
     this._setString(opts, 'lookup', options.lookup)
+    this._setBoolean(opts, 'middlewareTracingEnabled', options.middlewareTracingEnabled)
     this._setBoolean(opts, 'openAiLogsEnabled', options.openAiLogsEnabled)
     this._setValue(opts, 'peerServiceMapping', options.peerServiceMapping)
     this._setBoolean(opts, 'plugins', options.plugins)
@@ -1020,6 +1027,7 @@ class Config {
     this._setBoolean(opts, 'traceId128BitLoggingEnabled', options.traceId128BitLoggingEnabled)
     this._setString(opts, 'version', options.version || tags.version)
     this._setBoolean(opts, 'inferredProxyServicesEnabled', options.inferredProxyServicesEnabled)
+    this._setBoolean(opts, 'graphqlErrorExtensions', options.graphqlErrorExtensions)
 
     // For LLMObs, we want the environment variable to take precedence over the options.
     // This is reliant on environment config being set before options.

package/packages/dd-trace/src/debugger/devtools_client/state.js

@@ -2,6 +2,8 @@
 
 const session = require('./session')
 
+const WINDOWS_DRIVE_LETTER_REGEX = /[a-zA-Z]/
+
 const scriptIds = []
 const scriptUrls = new Map()
 
@@ -10,26 +12,74 @@ module.exports = {
   breakpoints: new Map(),
 
   /**
-   * Find the matching script that can be inspected based on a partial path.
-   *
-   * Algorithm: Find the sortest url that ends in the requested path.
-   *
-   * Will identify the correct script as long as Node.js doesn't load a module from a `node_modules` folder outside the
-   * project root. If so, there's a risk that this path is shorter than the expected path inside the project root.
-   * Example of mismatch where path = `index.js`:
-   *
-   * Expected match:       /www/code/my-projects/demo-project1/index.js
-   * Actual shorter match: /www/node_modules/dd-trace/index.js
+   * Find the script to inspect based on a partial or absolute path. Handles both Windows and POSIX paths.
    *
-   * To fix this, specify a more unique file path, e.g `demo-project1/index.js` instead of `index.js`
-   *
-   * @param {string} path
-   * @returns {[string, string] | undefined}
+   * @param {string} path - Partial or absolute path to match against loaded scripts
+   * @returns {[string, string, string | undefined] | null} - Array containing [url, scriptId, sourceMapURL]
+   *   or null if no match
    */
   findScriptFromPartialPath (path) {
-    return scriptIds
-      .filter(([url]) => url.endsWith(path))
-      .sort(([a], [b]) => a.length - b.length)[0]
+    if (!path) return null // This shouldn't happen, but better safe than sorry
+
+    const bestMatch = new Array(3)
+    let maxMatchLength = -1
+
+    for (const [url, scriptId, sourceMapURL] of scriptIds) {
+      let i = url.length - 1
+      let j = path.length - 1
+      let matchLength = 0
+      let lastBoundaryPos = -1
+      let atBoundary = false
+
+      // Compare characters from the end
+      while (i >= 0 && j >= 0) {
+        const urlChar = url[i]
+        const pathChar = path[j]
+
+        // Check if both characters is a path boundary
+        const isBoundary = (urlChar === '/' || urlChar === '\\') && (pathChar === '/' || pathChar === '\\' ||
+          (j === 1 && pathChar === ':' && WINDOWS_DRIVE_LETTER_REGEX.test(path[0])))
+
+        // If both are boundaries, or if characters match exactly
+        if (isBoundary || urlChar === pathChar) {
+          if (isBoundary) {
+            lastBoundaryPos = matchLength
+            atBoundary = true
+          } else {
+            atBoundary = false
+          }
+          matchLength++
+          i--
+          j--
+        } else {
+          break
+        }
+      }
+
+      // If we've matched the entire path pattern, ensure it starts at a path boundary
+      if (j === -1) {
+        if (i >= 0) {
+          // If there are more characters in the URL, the next one must be a slash
+          if (url[i] === '/' || url[i] === '\\') {
+            atBoundary = true
+            lastBoundaryPos = matchLength
+          }
+        } else {
+          atBoundary = true
+          lastBoundaryPos = matchLength
+        }
+      }
+
+      // If we found a valid match and it's better than our previous best
+      if (atBoundary && lastBoundaryPos !== -1 && lastBoundaryPos > maxMatchLength) {
+        maxMatchLength = lastBoundaryPos
+        bestMatch[0] = url
+        bestMatch[1] = scriptId
+        bestMatch[2] = sourceMapURL
+      }
+    }
+
+    return maxMatchLength > -1 ? bestMatch : null
   },
 
   getStackFromCallFrames (callFrames) {

package/packages/dd-trace/src/id.js

@@ -15,7 +15,6 @@ let batch = 0
 // Internal representation of a trace or span ID.
 class Identifier {
   constructor (value, radix = 16) {
-    this._isUint64BE = true // msgpack-lite compatibility
     this._buffer = radix === 16
       ? createBuffer(value)
       : fromString(value, radix)
@@ -31,7 +30,6 @@ class Identifier {
     return this._buffer
   }
 
-  // msgpack-lite compatibility
   toArray () {
     if (this._buffer.length === 8) {
       return this._buffer

package/packages/dd-trace/src/plugin_manager.js

@@ -139,7 +139,8 @@ module.exports = class PluginManager {
       memcachedCommandEnabled,
       ciVisibilityTestSessionName,
       ciVisAgentlessLogSubmissionEnabled,
-      isTestDynamicInstrumentationEnabled
+      isTestDynamicInstrumentationEnabled,
+      middlewareTracingEnabled
     } = this._tracerConfig
 
     const sharedConfig = {
@@ -170,6 +171,13 @@ module.exports = class PluginManager {
       sharedConfig.clientIpEnabled = clientIpEnabled
     }
 
+    // For the global setting, we use the name `middlewareTracingEnabled`, but
+    // for the plugin-specific setting, we use `middleware`. They mean the same
+    // to an individual plugin, so we normalize them here.
+    if (middlewareTracingEnabled !== undefined) {
+      sharedConfig.middleware = middlewareTracingEnabled
+    }
+
     return sharedConfig
   }
 }