npm - dd-trace - Versions diffs - 5.35.0 → 5.37.0 - Mend

dd-trace 5.35.0 → 5.37.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (125) hide show

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js CHANGED Viewed

@@ -10,11 +10,14 @@ const {
   getVulnerabilityCallSiteFrames,
   replaceCallSiteFromSourceMap
 } = require('../vulnerability-reporter')
+const { getMarkFromVulnerabilityType } = require('../taint-tracking/secure-marks')
+const { SUPPRESSED_VULNERABILITIES } = require('../telemetry/iast-metric')
 class Analyzer extends SinkIastPlugin {
   constructor (type) {
     super()
     this._type = type
+    this._secureMark = getMarkFromVulnerabilityType(type)
   }
   _isVulnerable (value, context) {
@@ -75,11 +78,17 @@ class Analyzer extends SinkIastPlugin {
     if (locationFromSourceMap?.path) {
       originalLocation.path = locationFromSourceMap.path
     }
     if (locationFromSourceMap?.line) {
       originalLocation.line = locationFromSourceMap.line
     }
-    if (locationFromSourceMap?.column) {
-      originalLocation.column = locationFromSourceMap.column
+    if (location?.class_name) {
+      originalLocation.class = location.class_name
+    }
+    if (location?.function) {
+      originalLocation.method = location.function
     }
     return originalLocation
@@ -91,7 +100,7 @@ class Analyzer extends SinkIastPlugin {
     return store && !iastContext
   }
-  analyze (value, store = storage.getStore(), meta) {
+  analyze (value, store = storage('legacy').getStore(), meta) {
     const iastContext = getIastContext(store)
     if (this._isInvalidContext(store, iastContext)) return
@@ -99,7 +108,7 @@ class Analyzer extends SinkIastPlugin {
   }
   analyzeAll (...values) {
-    const store = storage.getStore()
+    const store = storage('legacy').getStore()
     const iastContext = getIastContext(store)
     if (this._isInvalidContext(store, iastContext)) return
@@ -149,6 +158,17 @@ class Analyzer extends SinkIastPlugin {
     return hash
   }
+  _getSuppressedMetricTag () {
+    if (!this._suppressedMetricTag) {
+      this._suppressedMetricTag = SUPPRESSED_VULNERABILITIES.formatTags(this._type)[0]
+    }
+    return this._suppressedMetricTag
+  }
+  _incrementSuppressedMetric (iastContext) {
+    SUPPRESSED_VULNERABILITIES.inc(iastContext, this._getSuppressedMetricTag())
+  }
   addSub (iastSubOrChannelName, handler) {
     const iastSub = typeof iastSubOrChannelName === 'string'
       ? { channelName: iastSubOrChannelName }

package/packages/dd-trace/src/appsec/iast/context/context-plugin.js CHANGED Viewed

@@ -48,7 +48,7 @@ class IastContextPlugin extends IastPlugin {
     let isRequestAcquired = false
     let iastContext
-    const store = storage.getStore()
+    const store = storage('legacy').getStore()
     if (store) {
       const topContext = this.getTopContext()
       const rootSpan = this.getRootSpan(store)
@@ -70,7 +70,7 @@ class IastContextPlugin extends IastPlugin {
   }
   finishContext () {
-    const store = storage.getStore()
+    const store = storage('legacy').getStore()
     if (store) {
       const topContext = this.getTopContext()
       const iastContext = iastContextFunctions.getIastContext(store, topContext)

package/packages/dd-trace/src/appsec/iast/iast-plugin.js CHANGED Viewed

@@ -62,12 +62,12 @@ class IastPlugin extends Plugin {
   _getTelemetryHandler (iastSub) {
     return () => {
-      const iastContext = getIastContext(storage.getStore())
+      const iastContext = getIastContext(storage('legacy').getStore())
       iastSub.increaseExecuted(iastContext)
     }
   }
-  _execHandlerAndIncMetric ({ handler, metric, tags, iastContext = getIastContext(storage.getStore()) }) {
+  _execHandlerAndIncMetric ({ handler, metric, tags, iastContext = getIastContext(storage('legacy').getStore()) }) {
     try {
       const result = handler()
       if (iastTelemetry.isEnabled()) {

package/packages/dd-trace/src/appsec/iast/index.js CHANGED Viewed

@@ -15,6 +15,7 @@ const {
 const { IAST_ENABLED_TAG_KEY } = require('./tags')
 const iastTelemetry = require('./telemetry')
 const { enable: enableFsPlugin, disable: disableFsPlugin, IAST_MODULE } = require('../rasp/fs-plugin')
+const securityControls = require('./security-controls')
 // TODO Change to `apm:http:server:request:[start|close]` when the subscription
 //  order of the callbacks can be enforce
@@ -35,6 +36,7 @@ function enable (config, _tracer) {
   requestClose.subscribe(onIncomingHttpRequestEnd)
   overheadController.configure(config.iast)
   overheadController.startGlobalContext()
+  securityControls.configure(config.iast)
   vulnerabilityReporter.start(config, _tracer)
   isEnabled = true
@@ -57,7 +59,7 @@ function disable () {
 function onIncomingHttpRequestStart (data) {
   if (data?.req) {
-    const store = storage.getStore()
+    const store = storage('legacy').getStore()
     if (store) {
       const topContext = web.getContext(data.req)
       if (topContext) {
@@ -82,7 +84,7 @@ function onIncomingHttpRequestStart (data) {
 function onIncomingHttpRequestEnd (data) {
   if (data?.req) {
-    const store = storage.getStore()
+    const store = storage('legacy').getStore()
     const topContext = web.getContext(data.req)
     const iastContext = iastContextFunctions.getIastContext(store, topContext)
     if (iastContext?.rootSpan) {

package/packages/dd-trace/src/appsec/iast/security-controls/index.js ADDED Viewed

@@ -0,0 +1,187 @@
+'use strict'
+const path = require('path')
+const dc = require('dc-polyfill')
+const { storage } = require('../../../../../datadog-core')
+const shimmer = require('../../../../../datadog-shimmer')
+const log = require('../../../log')
+const { parse, SANITIZER_TYPE } = require('./parser')
+const TaintTrackingOperations = require('../taint-tracking/operations')
+const { getIastContext } = require('../iast-context')
+const { iterateObjectStrings } = require('../utils')
+// esm
+const moduleLoadStartChannel = dc.channel('dd-trace:moduleLoadStart')
+// cjs
+const moduleLoadEndChannel = dc.channel('dd-trace:moduleLoadEnd')
+let controls
+let controlsKeys
+let hooks
+function configure (iastConfig) {
+  if (!iastConfig?.securityControlsConfiguration) return
+  try {
+    controls = parse(iastConfig.securityControlsConfiguration)
+    if (controls?.size > 0) {
+      hooks = new WeakSet()
+      controlsKeys = [...controls.keys()]
+      moduleLoadStartChannel.subscribe(onModuleLoaded)
+      moduleLoadEndChannel.subscribe(onModuleLoaded)
+    }
+  } catch (e) {
+    log.error('[ASM] Error configuring IAST Security Controls', e)
+  }
+}
+function onModuleLoaded (payload) {
+  if (!payload?.module || hooks?.has(payload.module)) return
+  const { filename, module } = payload
+  const controlsByFile = getControls(filename)
+  if (controlsByFile) {
+    const hook = hookModule(filename, module, controlsByFile)
+    payload.module = hook
+    hooks.add(hook)
+  }
+}
+function getControls (filename) {
+  if (filename.startsWith('file://')) {
+    filename = filename.substring(7)
+  }
+  let key = path.isAbsolute(filename) ? path.relative(process.cwd(), filename) : filename
+  key = key.replaceAll(path.sep, path.posix.sep)
+  if (key.includes('node_modules')) {
+    key = controlsKeys.find(file => key.endsWith(file))
+  }
+  return controls.get(key)
+}
+function hookModule (filename, module, controlsByFile) {
+  try {
+    controlsByFile.forEach(({ type, method, parameters, secureMarks }) => {
+      const { target, parent, methodName } = resolve(method, module)
+      if (!target) {
+        log.error('[ASM] Unable to resolve IAST security control %s:%s', filename, method)
+        return
+      }
+      let wrapper
+      if (type === SANITIZER_TYPE) {
+        wrapper = wrapSanitizer(target, secureMarks)
+      } else {
+        wrapper = wrapInputValidator(target, parameters, secureMarks)
+      }
+      if (methodName) {
+        parent[methodName] = wrapper
+      } else {
+        module = wrapper
+      }
+    })
+  } catch (e) {
+    log.error('[ASM] Error initializing IAST security control for %', filename, e)
+  }
+  return module
+}
+function resolve (path, obj, separator = '.') {
+  if (!path) {
+    // esm module with default export
+    if (obj?.default) {
+      return { target: obj.default, parent: obj, methodName: 'default' }
+    } else {
+      return { target: obj, parent: obj }
+    }
+  }
+  const properties = path.split(separator)
+  let parent
+  let methodName
+  const target = properties.reduce((prev, curr) => {
+    parent = prev
+    methodName = curr
+    return prev?.[curr]
+  }, obj)
+  return { target, parent, methodName }
+}
+function wrapSanitizer (target, secureMarks) {
+  return shimmer.wrapFunction(target, orig => function () {
+    const result = orig.apply(this, arguments)
+    try {
+      return addSecureMarks(result, secureMarks)
+    } catch (e) {
+      log.error('[ASM] Error adding Secure mark for sanitizer', e)
+    }
+    return result
+  })
+}
+function wrapInputValidator (target, parameters, secureMarks) {
+  const allParameters = !parameters?.length
+  return shimmer.wrapFunction(target, orig => function () {
+    try {
+      [...arguments].forEach((arg, index) => {
+        if (allParameters || parameters.includes(index)) {
+          addSecureMarks(arg, secureMarks, false)
+        }
+      })
+    } catch (e) {
+      log.error('[ASM] Error adding Secure mark for input validator', e)
+    }
+    return orig.apply(this, arguments)
+  })
+}
+function addSecureMarks (value, secureMarks, createNewTainted = true) {
+  if (!value) return
+  const store = storage('legacy').getStore()
+  const iastContext = getIastContext(store)
+  if (typeof value === 'string') {
+    return TaintTrackingOperations.addSecureMark(iastContext, value, secureMarks, createNewTainted)
+  } else {
+    iterateObjectStrings(value, (value, levelKeys, parent, lastKey) => {
+      try {
+        const securedTainted = TaintTrackingOperations.addSecureMark(iastContext, value, secureMarks, createNewTainted)
+        if (createNewTainted) {
+          parent[lastKey] = securedTainted
+        }
+      } catch (e) {
+        // if it is a readonly property, do nothing
+      }
+    })
+    return value
+  }
+}
+function disable () {
+  if (moduleLoadStartChannel.hasSubscribers) moduleLoadStartChannel.unsubscribe(onModuleLoaded)
+  if (moduleLoadEndChannel.hasSubscribers) moduleLoadEndChannel.unsubscribe(onModuleLoaded)
+  controls = undefined
+  controlsKeys = undefined
+  hooks = undefined
+}
+module.exports = {
+  configure,
+  disable
+}

package/packages/dd-trace/src/appsec/iast/security-controls/parser.js ADDED Viewed

@@ -0,0 +1,96 @@
+'use strict'
+const log = require('../../../log')
+const { getMarkFromVulnerabilityType, CUSTOM_SECURE_MARK } = require('../taint-tracking/secure-marks')
+const SECURITY_CONTROL_DELIMITER = ';'
+const SECURITY_CONTROL_FIELD_DELIMITER = ':'
+const SECURITY_CONTROL_ELEMENT_DELIMITER = ','
+const INPUT_VALIDATOR_TYPE = 'INPUT_VALIDATOR'
+const SANITIZER_TYPE = 'SANITIZER'
+const validTypes = [INPUT_VALIDATOR_TYPE, SANITIZER_TYPE]
+function parse (securityControlsConfiguration) {
+  const controls = new Map()
+  securityControlsConfiguration?.replace(/[\r\n\t\v\f]*/g, '')
+    .split(SECURITY_CONTROL_DELIMITER)
+    .map(parseControl)
+    .filter(control => !!control)
+    .forEach(control => {
+      if (!controls.has(control.file)) {
+        controls.set(control.file, [])
+      }
+      controls.get(control.file).push(control)
+    })
+  return controls
+}
+function parseControl (control) {
+  if (!control) return
+  const fields = control.split(SECURITY_CONTROL_FIELD_DELIMITER)
+  if (fields.length < 3 || fields.length > 5) {
+    log.warn('[ASM] Security control configuration is invalid: %s', control)
+    return
+  }
+  let [type, marks, file, method, parameters] = fields
+  type = type.trim().toUpperCase()
+  if (!validTypes.includes(type)) {
+    log.warn('[ASM] Invalid security control type: %s', type)
+    return
+  }
+  let secureMarks = CUSTOM_SECURE_MARK
+  getSecureMarks(marks).forEach(mark => { secureMarks |= mark })
+  if (secureMarks === CUSTOM_SECURE_MARK) {
+    log.warn('[ASM] Invalid security control mark: %s', marks)
+    return
+  }
+  file = file?.trim()
+  method = method?.trim()
+  try {
+    parameters = getParameters(parameters)
+  } catch (e) {
+    log.warn('[ASM] Invalid non-numeric security control parameter %s', parameters)
+    return
+  }
+  return { type, secureMarks, file, method, parameters }
+}
+function getSecureMarks (marks) {
+  return marks?.split(SECURITY_CONTROL_ELEMENT_DELIMITER)
+    .map(getMarkFromVulnerabilityType)
+    .filter(mark => !!mark)
+}
+function getParameters (parameters) {
+  return parameters?.split(SECURITY_CONTROL_ELEMENT_DELIMITER)
+    .map(param => {
+      const parsedParam = parseInt(param, 10)
+      // discard the securityControl if there is an incorrect parameter
+      if (isNaN(parsedParam)) {
+        throw new Error('Invalid non-numeric security control parameter')
+      }
+      return parsedParam
+    })
+}
+module.exports = {
+  parse,
+  INPUT_VALIDATOR_TYPE,
+  SANITIZER_TYPE
+}

package/packages/dd-trace/src/appsec/iast/taint-tracking/constants.js ADDED Viewed

@@ -0,0 +1,6 @@
+'use strict'
+module.exports = {
+  LOG_MESSAGE: 'LOG',
+  REWRITTEN_MESSAGE: 'REWRITTEN'
+}

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations.js CHANGED Viewed

@@ -84,10 +84,10 @@ function getRanges (iastContext, string) {
   return result
 }
-function addSecureMark (iastContext, string, mark) {
+function addSecureMark (iastContext, string, mark, createNewTainted = true) {
   const transactionId = iastContext?.[IAST_TRANSACTION_ID]
   if (transactionId) {
-    return TaintedUtils.addSecureMarksToTaintedString(transactionId, string, mark)
+    return TaintedUtils.addSecureMarksToTaintedString(transactionId, string, mark, createNewTainted)
   }
   return string

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js CHANGED Viewed

@@ -39,7 +39,7 @@ class TaintTrackingPlugin extends SourceIastPlugin {
   onConfigure () {
     const onRequestBody = ({ req }) => {
-      const iastContext = getIastContext(storage.getStore())
+      const iastContext = getIastContext(storage('legacy').getStore())
       if (iastContext && iastContext.body !== req.body) {
         this._taintTrackingHandler(HTTP_REQUEST_BODY, req, 'body', iastContext)
         iastContext.body = req.body
@@ -70,7 +70,7 @@ class TaintTrackingPlugin extends SourceIastPlugin {
       { channelName: 'apm:express:middleware:next', tag: HTTP_REQUEST_BODY },
       ({ req }) => {
         if (req && req.body !== null && typeof req.body === 'object') {
-          const iastContext = getIastContext(storage.getStore())
+          const iastContext = getIastContext(storage('legacy').getStore())
           if (iastContext && iastContext.body !== req.body) {
             this._taintTrackingHandler(HTTP_REQUEST_BODY, req, 'body', iastContext)
             iastContext.body = req.body
@@ -115,7 +115,7 @@ class TaintTrackingPlugin extends SourceIastPlugin {
     this.addSub(
       { channelName: 'apm:graphql:resolve:start', tag: HTTP_REQUEST_BODY },
       (data) => {
-        const iastContext = getIastContext(storage.getStore())
+        const iastContext = getIastContext(storage('legacy').getStore())
         const source = data.context?.source
         const ranges = source && getRanges(iastContext, source)
         if (ranges?.length) {
@@ -128,7 +128,7 @@ class TaintTrackingPlugin extends SourceIastPlugin {
     this.addSub(
       { channelName: 'datadog:url:parse:finish' },
       ({ input, base, parsed, isURL }) => {
-        const iastContext = getIastContext(storage.getStore())
+        const iastContext = getIastContext(storage('legacy').getStore())
         let ranges
         if (base) {
@@ -157,7 +157,7 @@ class TaintTrackingPlugin extends SourceIastPlugin {
         const origRange = this._taintedURLs.get(context.urlObject)
         if (!origRange) return
-        const iastContext = getIastContext(storage.getStore())
+        const iastContext = getIastContext(storage('legacy').getStore())
         if (!iastContext) return
         context.result =
@@ -168,7 +168,7 @@ class TaintTrackingPlugin extends SourceIastPlugin {
     this.addInstrumentedSource('http', [HTTP_REQUEST_HEADER_VALUE, HTTP_REQUEST_HEADER_NAME])
   }
-  _taintTrackingHandler (type, target, property, iastContext = getIastContext(storage.getStore())) {
+  _taintTrackingHandler (type, target, property, iastContext = getIastContext(storage('legacy').getStore())) {
     if (!property) {
       taintObject(iastContext, target, type)
     } else if (target[property]) {
@@ -177,7 +177,7 @@ class TaintTrackingPlugin extends SourceIastPlugin {
   }
   _cookiesTaintTrackingHandler (target) {
-    const iastContext = getIastContext(storage.getStore())
+    const iastContext = getIastContext(storage('legacy').getStore())
     // Prevent tainting cookie names since it leads to taint literal string with same value.
     taintObject(iastContext, target, HTTP_REQUEST_COOKIE_VALUE)
   }
@@ -206,7 +206,7 @@ class TaintTrackingPlugin extends SourceIastPlugin {
     this.taintUrl(req, iastContext)
   }
-  _taintDatabaseResult (result, dbOrigin, iastContext = getIastContext(storage.getStore()), name) {
+  _taintDatabaseResult (result, dbOrigin, iastContext = getIastContext(storage('legacy').getStore()), name) {
     if (!iastContext) return result
     if (this._rowsToTaint === 0) return result

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugins/kafka.js CHANGED Viewed

@@ -22,7 +22,7 @@ class KafkaConsumerIastPlugin extends SourceIastPlugin {
   }
   taintKafkaMessage (message) {
-    const iastContext = getIastContext(storage.getStore())
+    const iastContext = getIastContext(storage('legacy').getStore())
     if (iastContext && message) {
       const { key, value } = message

package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter-esm.mjs ADDED Viewed

@@ -0,0 +1,65 @@
+'use strict'
+import path from 'path'
+import { URL } from 'url'
+import { getName } from '../telemetry/verbosity.js'
+import { isNotLibraryFile, isPrivateModule } from './filter.js'
+import constants from './constants.js'
+const currentUrl = new URL(import.meta.url)
+const ddTraceDir = path.join(currentUrl.pathname, '..', '..', '..', '..', '..', '..')
+let port, rewriter
+export async function initialize (data) {
+  if (rewriter) return Promise.reject(new Error('ALREADY INITIALIZED'))
+  const { csiMethods, telemetryVerbosity, chainSourceMap } = data
+  port = data.port
+  const iastRewriter = await import('@datadog/native-iast-rewriter')
+  const { NonCacheRewriter } = iastRewriter.default
+  rewriter = new NonCacheRewriter({
+    csiMethods,
+    telemetryVerbosity: getName(telemetryVerbosity),
+    chainSourceMap
+  })
+}
+export async function load (url, context, nextLoad) {
+  const result = await nextLoad(url, context)
+  if (!port) return result
+  if (!result.source) return result
+  if (url.includes(ddTraceDir) || url.includes('iitm=true')) return result
+  try {
+    if (isPrivateModule(url) && isNotLibraryFile(url)) {
+      const rewritten = rewriter.rewrite(result.source.toString(), url)
+      if (rewritten?.content) {
+        result.source = rewritten.content || result.source
+        const data = { url, rewritten }
+        port.postMessage({ type: constants.REWRITTEN_MESSAGE, data })
+      }
+    }
+  } catch (e) {
+    const newErrObject = {
+      message: e.message,
+      stack: e.stack
+    }
+    const data = {
+      level: 'error',
+      messages: ['[ASM] Error rewriting file %s', url, newErrObject]
+    }
+    port.postMessage({
+      type: constants.LOG_MESSAGE,
+      data
+    })
+  }
+  return result
+}

package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter-telemetry.js CHANGED Viewed

@@ -12,10 +12,7 @@ const telemetryRewriter = {
   information (content, filename, rewriter) {
     const response = this.off(content, filename, rewriter)
-    const metrics = response.metrics
-    if (metrics && metrics.instrumentedPropagation) {
-      INSTRUMENTED_PROPAGATION.inc(undefined, metrics.instrumentedPropagation)
-    }
+    incrementTelemetry(response.metrics)
     return response
   }
@@ -30,4 +27,16 @@ function getRewriteFunction (rewriter) {
   }
 }
-module.exports = { getRewriteFunction }
+function incrementTelemetry (metrics) {
+  if (metrics?.instrumentedPropagation) {
+    INSTRUMENTED_PROPAGATION.inc(undefined, metrics.instrumentedPropagation)
+  }
+}
+function incrementTelemetryIfNeeded (metrics) {
+  if (iastTelemetry.verbosity !== Verbosity.OFF) {
+    incrementTelemetry(metrics)
+  }
+}
+module.exports = { getRewriteFunction, incrementTelemetryIfNeeded }