dd-trace 5.34.0 → 5.35.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dd-trace",
-  "version": "5.34.0",
+  "version": "5.35.0",
   "description": "Datadog APM tracing client for JavaScript",
   "main": "index.js",
   "typings": "index.d.ts",

package/packages/datadog-instrumentations/src/aws-sdk.js

@@ -40,6 +40,18 @@ function wrapRequest (send) {
   }
 }
 
+function wrapDeserialize (deserialize, channelSuffix) {
+  const headersCh = channel(`apm:aws:response:deserialize:${channelSuffix}`)
+
+  return function (response) {
+    if (headersCh.hasSubscribers) {
+      headersCh.publish({ headers: response.headers })
+    }
+
+    return deserialize.apply(this, arguments)
+  }
+}
+
 function wrapSmithySend (send) {
   return function (command, ...args) {
     const cb = args[args.length - 1]
@@ -61,6 +73,10 @@ function wrapSmithySend (send) {
     const responseStartChannel = channel(`apm:aws:response:start:${channelSuffix}`)
     const responseFinishChannel = channel(`apm:aws:response:finish:${channelSuffix}`)
 
+    if (typeof command.deserialize === 'function') {
+      shimmer.wrap(command, 'deserialize', deserialize => wrapDeserialize(deserialize, channelSuffix))
+    }
+
     return innerAr.runInAsyncScope(() => {
       startCh.publish({
         serviceIdentifier,

package/packages/datadog-instrumentations/src/helpers/hooks.js

@@ -102,6 +102,7 @@ module.exports = {
   oracledb: () => require('../oracledb'),
   openai: () => require('../openai'),
   paperplane: () => require('../paperplane'),
+  passport: () => require('../passport'),
   'passport-http': () => require('../passport-http'),
   'passport-local': () => require('../passport-local'),
   pg: () => require('../pg'),

package/packages/datadog-instrumentations/src/passport.js

@@ -0,0 +1,45 @@
+'use strict'
+
+const shimmer = require('../../datadog-shimmer')
+const { channel, addHook } = require('./helpers/instrument')
+
+const onPassportDeserializeUserChannel = channel('datadog:passport:deserializeUser:finish')
+
+function wrapDone (done) {
+  return function wrappedDone (err, user) {
+    if (!err && user) {
+      const abortController = new AbortController()
+
+      onPassportDeserializeUserChannel.publish({ user, abortController })
+
+      if (abortController.signal.aborted) return
+    }
+
+    return done.apply(this, arguments)
+  }
+}
+
+function wrapDeserializeUser (deserializeUser) {
+  return function wrappedDeserializeUser (fn, req, done) {
+    if (typeof fn === 'function') return deserializeUser.apply(this, arguments)
+
+    if (typeof req === 'function') {
+      done = req
+      arguments[1] = wrapDone(done)
+    } else {
+      arguments[2] = wrapDone(done)
+    }
+
+    return deserializeUser.apply(this, arguments)
+  }
+}
+
+addHook({
+  name: 'passport',
+  file: 'lib/authenticator.js',
+  versions: ['>=0.3.0']
+}, Authenticator => {
+  shimmer.wrap(Authenticator.prototype, 'deserializeUser', wrapDeserializeUser)
+
+  return Authenticator
+})

package/packages/datadog-plugin-aws-sdk/src/services/bedrockruntime/utils.js

@@ -24,11 +24,23 @@ const PROVIDER = {
 }
 
 class Generation {
-  constructor ({ message = '', finishReason = '', choiceId = '' } = {}) {
+  constructor ({
+    message = '',
+    finishReason = '',
+    choiceId = '',
+    role,
+    inputTokens,
+    outputTokens
+  } = {}) {
     // stringify message as it could be a single generated message as well as a list of embeddings
     this.message = typeof message === 'string' ? message : JSON.stringify(message) || ''
     this.finishReason = finishReason || ''
     this.choiceId = choiceId || undefined
+    this.role = role
+    this.usage = {
+      inputTokens,
+      outputTokens
+    }
   }
 }
 
@@ -202,9 +214,12 @@ function extractTextAndResponseReason (response, provider, modelName) {
           if (generations.length > 0) {
             const generation = generations[0]
             return new Generation({
-              message: generation.message,
+              message: generation.message.content,
               finishReason: generation.finish_reason,
-              choiceId: shouldSetChoiceIds ? generation.id : undefined
+              choiceId: shouldSetChoiceIds ? generation.id : undefined,
+              role: generation.message.role,
+              inputTokens: body.usage?.prompt_tokens,
+              outputTokens: body.usage?.completion_tokens
             })
           }
         }
@@ -214,7 +229,9 @@ function extractTextAndResponseReason (response, provider, modelName) {
           return new Generation({
             message: completion.data?.text,
             finishReason: completion?.finishReason,
-            choiceId: shouldSetChoiceIds ? completion?.id : undefined
+            choiceId: shouldSetChoiceIds ? completion?.id : undefined,
+            inputTokens: body.usage?.prompt_tokens,
+            outputTokens: body.usage?.completion_tokens
           })
         }
         return new Generation()
@@ -226,7 +243,12 @@ function extractTextAndResponseReason (response, provider, modelName) {
         const results = body.results || []
         if (results.length > 0) {
           const result = results[0]
-          return new Generation({ message: result.outputText, finishReason: result.completionReason })
+          return new Generation({
+            message: result.outputText,
+            finishReason: result.completionReason,
+            inputTokens: body.inputTextTokenCount,
+            outputTokens: result.tokenCount
+          })
         }
         break
       }
@@ -252,7 +274,12 @@ function extractTextAndResponseReason (response, provider, modelName) {
         break
       }
       case PROVIDER.META: {
-        return new Generation({ message: body.generation, finishReason: body.stop_reason })
+        return new Generation({
+          message: body.generation,
+          finishReason: body.stop_reason,
+          inputTokens: body.prompt_token_count,
+          outputTokens: body.generation_token_count
+        })
       }
       case PROVIDER.MISTRAL: {
         const mistralGenerations = body.outputs || []

package/packages/datadog-plugin-dd-trace-api/src/index.js

@@ -0,0 +1,120 @@
+'use strict'
+
+const Plugin = require('../../dd-trace/src/plugins/plugin')
+const telemetryMetrics = require('../../dd-trace/src/telemetry/metrics')
+const apiMetrics = telemetryMetrics.manager.namespace('tracers')
+
+// api ==> here
+const objectMap = new WeakMap()
+
+const injectionEnabledTag =
+  `injection_enabled:${process.env.DD_INJECTION_ENABLED ? 'yes' : 'no'}`
+
+module.exports = class DdTraceApiPlugin extends Plugin {
+  static get id () {
+    return 'dd-trace-api'
+  }
+
+  constructor (...args) {
+    super(...args)
+
+    const tracer = this._tracer
+
+    this.addSub('datadog-api:v1:tracerinit', ({ proxy }) => {
+      const proxyVal = proxy()
+      objectMap.set(proxyVal, tracer)
+      objectMap.set(proxyVal.appsec, tracer.appsec)
+      objectMap.set(proxyVal.dogstatsd, tracer.dogstatsd)
+    })
+
+    const handleEvent = (name) => {
+      const counter = apiMetrics.count('dd_trace_api.called', [
+        `name:${name.replaceAll(':', '.')}`,
+        'api_version:v1',
+        injectionEnabledTag
+      ])
+
+      // For v1, APIs are 1:1 with their internal equivalents, so we can just
+      // call the internal method directly. That's what we do here unless we
+      // want to override. As the API evolves, this may change.
+      this.addSub(`datadog-api:v1:${name}`, ({ self, args, ret, proxy, revProxy }) => {
+        counter.inc()
+
+        if (name.includes(':')) {
+          name = name.split(':').pop()
+        }
+
+        if (objectMap.has(self)) {
+          self = objectMap.get(self)
+        }
+
+        for (let i = 0; i < args.length; i++) {
+          if (objectMap.has(args[i])) {
+            args[i] = objectMap.get(args[i])
+          }
+          if (typeof args[i] === 'function') {
+            const orig = args[i]
+            args[i] = (...fnArgs) => {
+              for (let j = 0; j < fnArgs.length; j++) {
+                if (revProxy && revProxy[j]) {
+                  const proxyVal = revProxy[j]()
+                  objectMap.set(proxyVal, fnArgs[j])
+                  fnArgs[j] = proxyVal
+                }
+              }
+              // TODO do we need to apply(this, ...) here?
+              return orig(...fnArgs)
+            }
+          }
+        }
+
+        try {
+          ret.value = self[name](...args)
+          if (proxy) {
+            const proxyVal = proxy()
+            objectMap.set(proxyVal, ret.value)
+            ret.value = proxyVal
+          } else if (ret.value && typeof ret.value === 'object') {
+            throw new TypeError(`Objects need proxies when returned via API (${name})`)
+          }
+        } catch (e) {
+          ret.error = e
+        }
+      })
+    }
+
+    // handleEvent('configure')
+    handleEvent('startSpan')
+    handleEvent('wrap')
+    handleEvent('trace')
+    handleEvent('inject')
+    handleEvent('extract')
+    handleEvent('getRumData')
+    handleEvent('profilerStarted')
+    handleEvent('context:toTraceId')
+    handleEvent('context:toSpanId')
+    handleEvent('context:toTraceparent')
+    handleEvent('span:context')
+    handleEvent('span:setTag')
+    handleEvent('span:addTags')
+    handleEvent('span:finish')
+    handleEvent('span:addLink')
+    handleEvent('scope')
+    handleEvent('scope:activate')
+    handleEvent('scope:active')
+    handleEvent('scope:bind')
+    handleEvent('appsec:blockRequest')
+    handleEvent('appsec:isUserBlocked')
+    handleEvent('appsec:setUser')
+    handleEvent('appsec:trackCustomEvent')
+    handleEvent('appsec:trackUserLoginFailureEvent')
+    handleEvent('appsec:trackUserLoginSuccessEvent')
+    handleEvent('dogstatsd:decrement')
+    handleEvent('dogstatsd:distribution')
+    handleEvent('dogstatsd:flush')
+    handleEvent('dogstatsd:gauge')
+    handleEvent('dogstatsd:histogram')
+    handleEvent('dogstatsd:increment')
+    handleEvent('use')
+  }
+}

package/packages/dd-trace/src/appsec/blocking.js

@@ -115,7 +115,10 @@ function block (req, res, rootSpan, abortController, actionParameters = defaultB
     res.removeHeader(headerName)
   }
 
-  res.writeHead(statusCode, headers).end(body)
+  res.writeHead(statusCode, headers)
+
+  // this is needed to call the original end method, since express-session replaces it
+  res.constructor.prototype.end.call(res, body)
 
   responseBlockedSet.add(res)
 

package/packages/dd-trace/src/appsec/channels.js

@@ -14,6 +14,7 @@ module.exports = {
   incomingHttpRequestStart: dc.channel('dd-trace:incomingHttpRequestStart'),
   incomingHttpRequestEnd: dc.channel('dd-trace:incomingHttpRequestEnd'),
   passportVerify: dc.channel('datadog:passport:verify:finish'),
+  passportUser: dc.channel('datadog:passport:deserializeUser:finish'),
   queryParser: dc.channel('datadog:query:read:finish'),
   setCookieChannel: dc.channel('datadog:iast:set-cookie'),
   nextBodyParsed: dc.channel('apm:next:body-parsed'),

package/packages/dd-trace/src/appsec/iast/analyzers/weak-hash-analyzer.js

@@ -22,7 +22,8 @@ const EXCLUDED_LOCATIONS = getNodeModulesPaths(
   'sqreen/lib/package-reader/index.js',
   'ws/lib/websocket-server.js',
   'google-gax/build/src/grpc.js',
-  'cookie-signature/index.js'
+  'cookie-signature/index.js',
+  'express-session/index.js'
 )
 
 const EXCLUDED_PATHS_FROM_STACK = [

package/packages/dd-trace/src/appsec/index.js

@@ -10,6 +10,7 @@ const {
   incomingHttpRequestStart,
   incomingHttpRequestEnd,
   passportVerify,
+  passportUser,
   queryParser,
   nextBodyParsed,
   nextQueryParsed,
@@ -67,6 +68,7 @@ function enable (_config) {
     incomingHttpRequestStart.subscribe(incomingHttpStartTranslator)
     incomingHttpRequestEnd.subscribe(incomingHttpEndTranslator)
     passportVerify.subscribe(onPassportVerify) // possible optimization: only subscribe if collection mode is enabled
+    passportUser.subscribe(onPassportDeserializeUser)
     queryParser.subscribe(onRequestQueryParsed)
     nextBodyParsed.subscribe(onRequestBodyParsed)
     nextQueryParsed.subscribe(onRequestQueryParsed)
@@ -197,6 +199,20 @@ function onPassportVerify ({ framework, login, user, success, abortController })
   handleResults(results, store.req, store.req.res, rootSpan, abortController)
 }
 
+function onPassportDeserializeUser ({ user, abortController }) {
+  const store = storage.getStore()
+  const rootSpan = store?.req && web.root(store.req)
+
+  if (!rootSpan) {
+    log.warn('[ASM] No rootSpan found in onPassportDeserializeUser')
+    return
+  }
+
+  const results = UserTracking.trackUser(user, rootSpan)
+
+  handleResults(results, store.req, store.req.res, rootSpan, abortController)
+}
+
 function onRequestQueryParsed ({ req, res, query, abortController }) {
   if (!query || typeof query !== 'object') return
 
@@ -310,6 +326,7 @@ function disable () {
   if (incomingHttpRequestStart.hasSubscribers) incomingHttpRequestStart.unsubscribe(incomingHttpStartTranslator)
   if (incomingHttpRequestEnd.hasSubscribers) incomingHttpRequestEnd.unsubscribe(incomingHttpEndTranslator)
   if (passportVerify.hasSubscribers) passportVerify.unsubscribe(onPassportVerify)
+  if (passportUser.hasSubscribers) passportUser.unsubscribe(onPassportDeserializeUser)
   if (queryParser.hasSubscribers) queryParser.unsubscribe(onRequestQueryParsed)
   if (nextBodyParsed.hasSubscribers) nextBodyParsed.unsubscribe(onRequestBodyParsed)
   if (nextQueryParsed.hasSubscribers) nextQueryParsed.unsubscribe(onRequestQueryParsed)

package/packages/dd-trace/src/appsec/sdk/set_user.js

@@ -2,6 +2,8 @@
 
 const { getRootSpan } = require('./utils')
 const log = require('../../log')
+const waf = require('../waf')
+const addresses = require('../addresses')
 
 function setUserTags (user, rootSpan) {
   for (const k of Object.keys(user)) {
@@ -22,6 +24,13 @@ function setUser (tracer, user) {
   }
 
   setUserTags(user, rootSpan)
+  rootSpan.setTag('_dd.appsec.user.collection_mode', 'sdk')
+
+  waf.run({
+    persistent: {
+      [addresses.USER_ID]: '' + user.id
+    }
+  })
 }
 
 module.exports = {

package/packages/dd-trace/src/appsec/sdk/user_blocking.js

@@ -23,6 +23,7 @@ function checkUserAndSetUser (tracer, user) {
   if (rootSpan) {
     if (!rootSpan.context()._tags['usr.id']) {
       setUserTags(user, rootSpan)
+      rootSpan.setTag('_dd.appsec.user.collection_mode', 'sdk')
     }
   } else {
     log.warn('[ASM] Root span not available in isUserBlocked')

package/packages/dd-trace/src/appsec/telemetry.js

@@ -186,6 +186,15 @@ function incrementMissingUserLoginMetric (framework, eventType) {
   }).inc()
 }
 
+function incrementMissingUserIdMetric (framework, eventType) {
+  if (!enabled) return
+
+  appsecMetrics.count('instrum.user_auth.missing_user_id', {
+    framework,
+    event_type: eventType
+  }).inc()
+}
+
 function getRequestMetrics (req) {
   if (req) {
     const store = getStore(req)
@@ -203,6 +212,7 @@ module.exports = {
   incrementWafUpdatesMetric,
   incrementWafRequestsMetric,
   incrementMissingUserLoginMetric,
+  incrementMissingUserIdMetric,
 
   getRequestMetrics
 }

package/packages/dd-trace/src/appsec/user_tracking.js

@@ -53,6 +53,8 @@ function obfuscateIfNeeded (str) {
 function getUserId (user) {
   if (!user) return
 
+  // should we iterate on user keys instead to be case insensitive ?
+  // but if we iterate over user then we're missing the inherited props ?
   for (const field of USER_ID_FIELDS) {
     let id = user[field]
 
@@ -73,11 +75,6 @@ function getUserId (user) {
 function trackLogin (framework, login, user, success, rootSpan) {
   if (!collectionMode || collectionMode === 'disabled') return
 
-  if (!rootSpan) {
-    log.error('[ASM] No rootSpan found in AppSec trackLogin')
-    return
-  }
-
   if (typeof login !== 'string') {
     log.error('[ASM] Invalid login provided to AppSec trackLogin')
 
@@ -162,7 +159,36 @@ function trackLogin (framework, login, user, success, rootSpan) {
   return waf.run({ persistent })
 }
 
+function trackUser (user, rootSpan) {
+  if (!collectionMode || collectionMode === 'disabled') return
+
+  const userId = getUserId(user)
+  if (!userId) {
+    log.error('[ASM] No valid user ID found in AppSec trackUser')
+    telemetry.incrementMissingUserIdMetric('passport', 'authenticated_request')
+    return
+  }
+
+  rootSpan.setTag('_dd.appsec.usr.id', userId)
+
+  const isSdkCalled = rootSpan.context()._tags['_dd.appsec.user.collection_mode'] === 'sdk'
+  // do not override SDK
+  if (!isSdkCalled) {
+    rootSpan.addTags({
+      'usr.id': userId,
+      '_dd.appsec.user.collection_mode': collectionMode
+    })
+
+    return waf.run({
+      persistent: {
+        [addresses.USER_ID]: userId
+      }
+    })
+  }
+}
+
 module.exports = {
   setCollectionMode,
-  trackLogin
+  trackLogin,
+  trackUser
 }

package/packages/dd-trace/src/debugger/devtools_client/state.js

@@ -21,6 +21,8 @@ module.exports = {
   findScriptFromPartialPath (path) {
     if (!path) return null // This shouldn't happen, but better safe than sorry
 
+    path = path.toLowerCase()
+
     const bestMatch = new Array(3)
     let maxMatchLength = -1
 
@@ -33,7 +35,7 @@ module.exports = {
 
       // Compare characters from the end
       while (i >= 0 && j >= 0) {
-        const urlChar = url[i]
+        const urlChar = url[i].toLowerCase()
         const pathChar = path[j]
 
         // Check if both characters is a path boundary
@@ -43,8 +45,8 @@ module.exports = {
         // If both are boundaries, or if characters match exactly
         if (isBoundary || urlChar === pathChar) {
           if (isBoundary) {
-            lastBoundaryPos = matchLength
             atBoundary = true
+            lastBoundaryPos = matchLength
           } else {
             atBoundary = false
           }
@@ -71,7 +73,10 @@ module.exports = {
       }
 
       // If we found a valid match and it's better than our previous best
-      if (atBoundary && lastBoundaryPos !== -1 && lastBoundaryPos > maxMatchLength) {
+      if (atBoundary && (
+        lastBoundaryPos > maxMatchLength ||
+        (lastBoundaryPos === maxMatchLength && url.length < bestMatch[0].length) // Prefer shorter paths
+      )) {
         maxMatchLength = lastBoundaryPos
         bestMatch[0] = url
         bestMatch[1] = scriptId

package/packages/dd-trace/src/llmobs/plugins/bedrockruntime.js

@@ -8,7 +8,9 @@ const {
   parseModelId
 } = require('../../../../datadog-plugin-aws-sdk/src/services/bedrockruntime/utils')
 
-const enabledOperations = ['invokeModel']
+const ENABLED_OPERATIONS = ['invokeModel']
+
+const requestIdsToTokens = {}
 
 class BedrockRuntimeLLMObsPlugin extends BaseLLMObsPlugin {
   constructor () {
@@ -18,7 +20,7 @@ class BedrockRuntimeLLMObsPlugin extends BaseLLMObsPlugin {
       const request = response.request
       const operation = request.operation
       // avoids instrumenting other non supported runtime operations
-      if (!enabledOperations.includes(operation)) {
+      if (!ENABLED_OPERATIONS.includes(operation)) {
         return
       }
       const { modelProvider, modelName } = parseModelId(request.params.modelId)
@@ -30,6 +32,17 @@ class BedrockRuntimeLLMObsPlugin extends BaseLLMObsPlugin {
       const span = storage.getStore()?.span
       this.setLLMObsTags({ request, span, response, modelProvider, modelName })
     })
+
+    this.addSub('apm:aws:response:deserialize:bedrockruntime', ({ headers }) => {
+      const requestId = headers['x-amzn-requestid']
+      const inputTokenCount = headers['x-amzn-bedrock-input-token-count']
+      const outputTokenCount = headers['x-amzn-bedrock-output-token-count']
+
+      requestIdsToTokens[requestId] = {
+        inputTokensFromHeaders: inputTokenCount && parseInt(inputTokenCount),
+        outputTokensFromHeaders: outputTokenCount && parseInt(outputTokenCount)
+      }
+    })
   }
 
   setLLMObsTags ({ request, span, response, modelProvider, modelName }) {
@@ -52,7 +65,39 @@ class BedrockRuntimeLLMObsPlugin extends BaseLLMObsPlugin {
     })
 
     // add I/O tags
-    this._tagger.tagLLMIO(span, requestParams.prompt, textAndResponseReason.message)
+    this._tagger.tagLLMIO(
+      span,
+      requestParams.prompt,
+      [{ content: textAndResponseReason.message, role: textAndResponseReason.role }]
+    )
+
+    // add token metrics
+    const { inputTokens, outputTokens, totalTokens } = extractTokens({
+      requestId: response.$metadata.requestId,
+      usage: textAndResponseReason.usage
+    })
+    this._tagger.tagMetrics(span, {
+      inputTokens,
+      outputTokens,
+      totalTokens
+    })
+  }
+}
+
+function extractTokens ({ requestId, usage }) {
+  const {
+    inputTokensFromHeaders,
+    outputTokensFromHeaders
+  } = requestIdsToTokens[requestId] || {}
+  delete requestIdsToTokens[requestId]
+
+  const inputTokens = usage.inputTokens || inputTokensFromHeaders || 0
+  const outputTokens = usage.outputTokens || outputTokensFromHeaders || 0
+
+  return {
+    inputTokens,
+    outputTokens,
+    totalTokens: inputTokens + outputTokens
   }
 }
 

package/packages/dd-trace/src/plugin_manager.js

@@ -31,6 +31,9 @@ loadChannel.subscribe(({ name }) => {
 // Globals
 maybeEnable(require('../../datadog-plugin-fetch/src'))
 
+// Always enabled
+maybeEnable(require('../../datadog-plugin-dd-trace-api/src'))
+
 function maybeEnable (Plugin) {
   if (!Plugin || typeof Plugin !== 'function') return
   if (!pluginClasses[Plugin.id]) {

package/packages/dd-trace/src/plugins/index.js

@@ -34,6 +34,7 @@ module.exports = {
   get couchbase () { return require('../../../datadog-plugin-couchbase/src') },
   get cypress () { return require('../../../datadog-plugin-cypress/src') },
   get dns () { return require('../../../datadog-plugin-dns/src') },
+  get 'dd-trace-api' () { return require('../../../datadog-plugin-dd-trace-api/src') },
   get elasticsearch () { return require('../../../datadog-plugin-elasticsearch/src') },
   get express () { return require('../../../datadog-plugin-express/src') },
   get fastify () { return require('../../../datadog-plugin-fastify/src') },