dd-trace 5.38.0 → 5.40.0

package/packages/datadog-plugin-mongodb-core/src/index.js

@@ -25,7 +25,7 @@ class MongodbCorePlugin extends DatabasePlugin {
         'out.port': options.port
       }
     })
-    ops = this.injectDbmCommand(span, ops, service)
+    ops.comment = this.injectDbmComment(span, ops.comment, service)
   }
 
   getPeerService (tags) {
@@ -37,28 +37,25 @@ class MongodbCorePlugin extends DatabasePlugin {
     return super.getPeerService(tags)
   }
 
-  injectDbmCommand (span, command, serviceName) {
+  injectDbmComment (span, comment, serviceName) {
     const dbmTraceComment = this.createDbmComment(span, serviceName)
 
     if (!dbmTraceComment) {
-      return command
+      return comment
     }
 
-    // create a copy of the command to avoid mutating the original
-    const dbmTracedCommand = { ...command }
-
-    if (dbmTracedCommand.comment) {
+    if (comment) {
       // if the command already has a comment, append the dbm trace comment
-      if (typeof dbmTracedCommand.comment === 'string') {
-        dbmTracedCommand.comment += `,${dbmTraceComment}`
-      } else if (Array.isArray(dbmTracedCommand.comment)) {
-        dbmTracedCommand.comment.push(dbmTraceComment)
+      if (typeof comment === 'string') {
+        comment += `,${dbmTraceComment}`
+      } else if (Array.isArray(comment)) {
+        comment.push(dbmTraceComment)
       } // do nothing if the comment is not a string or an array
     } else {
-      dbmTracedCommand.comment = dbmTraceComment
+      comment = dbmTraceComment
     }
 
-    return dbmTracedCommand
+    return comment
   }
 }
 

package/packages/datadog-plugin-protobufjs/src/schema_iterator.js

@@ -10,7 +10,7 @@ const {
 const log = require('../../dd-trace/src/log')
 const {
   SchemaBuilder
-} = require('../../dd-trace/src/datastreams/schemas/schema_builder')
+} = require('../../dd-trace/src/datastreams')
 
 class SchemaExtractor {
   constructor (schema) {

package/packages/datadog-plugin-rhea/src/consumer.js

@@ -2,7 +2,7 @@
 
 const ConsumerPlugin = require('../../dd-trace/src/plugins/consumer')
 const { storage } = require('../../datadog-core')
-const { getAmqpMessageSize } = require('../../dd-trace/src/datastreams/processor')
+const { getAmqpMessageSize } = require('../../dd-trace/src/datastreams')
 
 class RheaConsumerPlugin extends ConsumerPlugin {
   static get id () { return 'rhea' }

package/packages/datadog-plugin-rhea/src/producer.js

@@ -2,8 +2,7 @@
 
 const { CLIENT_PORT_KEY } = require('../../dd-trace/src/constants')
 const ProducerPlugin = require('../../dd-trace/src/plugins/producer')
-const { DsmPathwayCodec } = require('../../dd-trace/src/datastreams/pathway')
-const { getAmqpMessageSize } = require('../../dd-trace/src/datastreams/processor')
+const { getAmqpMessageSize, DsmPathwayCodec } = require('../../dd-trace/src/datastreams')
 
 class RheaProducerPlugin extends ProducerPlugin {
   static get id () { return 'rhea' }

package/packages/datadog-shimmer/src/shimmer.js

@@ -26,10 +26,10 @@ function copyProperties (original, wrapped) {
 
 function wrapFunction (original, wrapper) {
   if (typeof original === 'function') assertNotClass(original)
-  // TODO This needs to be re-done so that this and wrapMethod are distinct.
-  const target = { func: original }
-  wrapMethod(target, 'func', wrapper, typeof original !== 'function')
-  let delegate = target.func
+
+  let delegate = safeMode
+    ? safeWrapper(original, wrapper)
+    : wrapper(original)
 
   const shim = function shim () {
     return delegate.apply(this, arguments)
@@ -85,98 +85,10 @@ function wrapMethod (target, name, wrapper, noAssert) {
   }
 
   const original = target[name]
-  let wrapped
-
-  if (safeMode && original) {
-    // In this mode, we make a best-effort attempt to handle errors that are thrown
-    // by us, rather than wrapped code. With such errors, we log them, and then attempt
-    // to return the result as if no wrapping was done at all.
-    //
-    // Caveats:
-    //   * If the original function is called in a later iteration of the event loop,
-    //     and we throw _then_, then it won't be caught by this. In practice, we always call
-    //     the original function synchronously, so this is not a problem.
-    //   * While async errors are dealt with here, errors in callbacks are not. This
-    //     is because we don't necessarily know _for sure_ that any function arguments
-    //     are wrapped by us. We could wrap them all anyway and just make that assumption,
-    //     or just assume that the last argument is always a callback set by us if it's a
-    //     function, but those don't seem like things we can rely on. We could add a
-    //     `shimmer.markCallbackAsWrapped()` function that's a no-op outside safe-mode,
-    //     but that means modifying every instrumentation. Even then, the complexity of
-    //     this code increases because then we'd need to effectively do the reverse of
-    //     what we're doing for synchronous functions. This is a TODO.
-
-    // We're going to hold on to current callState in this variable in this scope,
-    // which is fine because any time we reference it, we're referencing it synchronously.
-    // We'll use it in the our wrapper (which, again, is called syncrhonously), and in the
-    // errorHandler, which will already have been bound to this callState.
-    let currentCallState
-
-    // Rather than calling the original function directly from the shim wrapper, we wrap
-    // it again so that we can track if it was called and if it returned. This is because
-    // we need to know if an error was thrown by the original function, or by us.
-    // We could do this inside the `wrapper` function defined below, which would simplify
-    // managing the callState, but then we'd be calling `wrapper` on each invocation, so
-    // instead we do it here, once.
-    const innerWrapped = wrapper(function (...args) {
-      // We need to stash the callState here because of recursion.
-      const callState = currentCallState
-      callState.startCall()
-      const retVal = original.apply(this, args)
-      if (isPromise(retVal)) {
-        retVal.then(callState.endCall.bind(callState))
-      } else {
-        callState.endCall(retVal)
-      }
-      return retVal
-    })
-
-    // This is the crux of what we're doing in safe mode. It handles errors
-    // that _we_ cause, by logging them, and transparently providing results
-    // as if no wrapping was done at all. That means detecting (via callState)
-    // whether the function has already run or not, and if it has, returning
-    // the result, and otherwise calling the original function unwrapped.
-    const handleError = function (args, callState, e) {
-      if (callState.completed) {
-        // error was thrown after original function returned/resolved, so
-        // it was us. log it.
-        log.error('Shimmer error was thrown after original function returned/resolved', e)
-        // original ran and returned something. return it.
-        return callState.retVal
-      }
-
-      if (!callState.called) {
-        // error was thrown before original function was called, so
-        // it was us. log it.
-        log.error('Shimmer error was thrown before original function was called', e)
-        // original never ran. call it unwrapped.
-        return original.apply(this, args)
-      }
-
-      // error was thrown during original function execution, so
-      // it was them. throw.
-      throw e
-    }
+  const wrapped = safeMode && original
+    ? safeWrapper(original, wrapper)
+    : wrapper(original)
 
-    // The wrapped function is the one that will be called by the user.
-    // It calls our version of the original function, which manages the
-    // callState. That way when we use the errorHandler, it can tell where
-    // the error originated.
-    wrapped = function (...args) {
-      currentCallState = new CallState()
-      const errorHandler = handleError.bind(this, args, currentCallState)
-
-      try {
-        const retVal = innerWrapped.apply(this, args)
-        return isPromise(retVal) ? retVal.catch(errorHandler) : retVal
-      } catch (e) {
-        return errorHandler(e)
-      }
-    }
-  } else {
-    // In non-safe mode, we just wrap the original function directly.
-    wrapped = wrapper(original)
-  }
   const descriptor = Object.getOwnPropertyDescriptor(target, name)
 
   const attributes = {
@@ -212,6 +124,94 @@ function wrapMethod (target, name, wrapper, noAssert) {
   return target
 }
 
+function safeWrapper (original, wrapper) {
+  // In this mode, we make a best-effort attempt to handle errors that are thrown
+  // by us, rather than wrapped code. With such errors, we log them, and then attempt
+  // to return the result as if no wrapping was done at all.
+  //
+  // Caveats:
+  //   * If the original function is called in a later iteration of the event loop,
+  //     and we throw _then_, then it won't be caught by this. In practice, we always call
+  //     the original function synchronously, so this is not a problem.
+  //   * While async errors are dealt with here, errors in callbacks are not. This
+  //     is because we don't necessarily know _for sure_ that any function arguments
+  //     are wrapped by us. We could wrap them all anyway and just make that assumption,
+  //     or just assume that the last argument is always a callback set by us if it's a
+  //     function, but those don't seem like things we can rely on. We could add a
+  //     `shimmer.markCallbackAsWrapped()` function that's a no-op outside safe-mode,
+  //     but that means modifying every instrumentation. Even then, the complexity of
+  //     this code increases because then we'd need to effectively do the reverse of
+  //     what we're doing for synchronous functions. This is a TODO.
+
+  // We're going to hold on to current callState in this variable in this scope,
+  // which is fine because any time we reference it, we're referencing it synchronously.
+  // We'll use it in the our wrapper (which, again, is called syncrhonously), and in the
+  // errorHandler, which will already have been bound to this callState.
+  let currentCallState
+
+  // Rather than calling the original function directly from the shim wrapper, we wrap
+  // it again so that we can track if it was called and if it returned. This is because
+  // we need to know if an error was thrown by the original function, or by us.
+  // We could do this inside the `wrapper` function defined below, which would simplify
+  // managing the callState, but then we'd be calling `wrapper` on each invocation, so
+  // instead we do it here, once.
+  const innerWrapped = wrapper(function (...args) {
+    // We need to stash the callState here because of recursion.
+    const callState = currentCallState
+    callState.startCall()
+    const retVal = original.apply(this, args)
+    if (isPromise(retVal)) {
+      retVal.then(callState.endCall.bind(callState))
+    } else {
+      callState.endCall(retVal)
+    }
+    return retVal
+  })
+
+  // This is the crux of what we're doing in safe mode. It handles errors
+  // that _we_ cause, by logging them, and transparently providing results
+  // as if no wrapping was done at all. That means detecting (via callState)
+  // whether the function has already run or not, and if it has, returning
+  // the result, and otherwise calling the original function unwrapped.
+  const handleError = function (args, callState, e) {
+    if (callState.completed) {
+      // error was thrown after original function returned/resolved, so
+      // it was us. log it.
+      log.error('Shimmer error was thrown after original function returned/resolved', e)
+      // original ran and returned something. return it.
+      return callState.retVal
+    }
+
+    if (!callState.called) {
+      // error was thrown before original function was called, so
+      // it was us. log it.
+      log.error('Shimmer error was thrown before original function was called', e)
+      // original never ran. call it unwrapped.
+      return original.apply(this, args)
+    }
+
+    // error was thrown during original function execution, so
+    // it was them. throw.
+    throw e
+  }
+
+  // The wrapped function is the one that will be called by the user.
+  // It calls our version of the original function, which manages the
+  // callState. That way when we use the errorHandler, it can tell where
+  // the error originated.
+  return function (...args) {
+    currentCallState = new CallState()
+    const errorHandler = handleError.bind(this, args, currentCallState)
+
+    try {
+      const retVal = innerWrapped.apply(this, args)
+      return isPromise(retVal) ? retVal.catch(errorHandler) : retVal
+    } catch (e) {
+      return errorHandler(e)
+    }
+  }
+}
+
 function wrap (target, name, wrapper) {
   return typeof name === 'function'
     ? wrapFn(target, name)

package/packages/dd-trace/src/appsec/addresses.js

@@ -22,6 +22,7 @@ module.exports = {
 
   USER_ID: 'usr.id',
   USER_LOGIN: 'usr.login',
+  USER_SESSION_ID: 'usr.session_id',
 
   WAF_CONTEXT_PROCESSOR: 'waf.context.processor',
 

package/packages/dd-trace/src/appsec/channels.js

@@ -15,6 +15,7 @@ module.exports = {
   incomingHttpRequestEnd: dc.channel('dd-trace:incomingHttpRequestEnd'),
   passportVerify: dc.channel('datadog:passport:verify:finish'),
   passportUser: dc.channel('datadog:passport:deserializeUser:finish'),
+  expressSession: dc.channel('datadog:express-session:middleware:finish'),
   queryParser: dc.channel('datadog:query:read:finish'),
   setCookieChannel: dc.channel('datadog:iast:set-cookie'),
   nextBodyParsed: dc.channel('apm:next:body-parsed'),

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -133,9 +133,9 @@ class Analyzer extends SinkIastPlugin {
       return {
         type,
         evidence,
-        stackId,
         location: {
           spanId: _spanId,
+          stackId,
           ...location
         },
         hash: this._createHash(this._createHashSource(type, evidence, location))

package/packages/dd-trace/src/appsec/iast/iast-context.js

@@ -10,14 +10,14 @@ function getIastContext (store, topContext) {
 }
 
 function getIastStackTraceId (iastContext) {
-  if (!iastContext) return 0
+  if (!iastContext) return '0'
 
   if (!iastContext.stackTraceId) {
     iastContext.stackTraceId = 0
   }
 
   iastContext.stackTraceId += 1
-  return iastContext.stackTraceId
+  return String(iastContext.stackTraceId)
 }
 
 /* TODO Fix storage problem when the close event is called without

package/packages/dd-trace/src/appsec/iast/index.js

@@ -22,7 +22,6 @@ const securityControls = require('./security-controls')
 const requestStart = dc.channel('dd-trace:incomingHttpRequestStart')
 const requestClose = dc.channel('dd-trace:incomingHttpRequestEnd')
 const iastResponseEnd = dc.channel('datadog:iast:response-end')
-
 let isEnabled = false
 
 function enable (config, _tracer) {

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/index.js

@@ -81,12 +81,11 @@ class VulnerabilityFormatter {
   }
 
   formatVulnerability (vulnerability, sourcesIndexes, sources) {
-    const { type, hash, stackId, evidence, location } = vulnerability
+    const { type, hash, evidence, location } = vulnerability
 
     const formattedVulnerability = {
       type,
       hash,
-      stackId,
       evidence: this.formatEvidence(type, evidence, sourcesIndexes, sources),
       location
     }

package/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js

@@ -3,11 +3,10 @@
 const LRU = require('lru-cache')
 const vulnerabilitiesFormatter = require('./vulnerabilities-formatter')
 const { IAST_ENABLED_TAG_KEY, IAST_JSON_TAG_KEY } = require('./tags')
-const standalone = require('../standalone')
-const { SAMPLING_MECHANISM_APPSEC } = require('../../constants')
 const { keepTrace } = require('../../priority_sampler')
 const { reportStackTrace, getCallsiteFrames, canReportStackTrace, STACK_TRACE_NAMESPACES } = require('../stack_trace')
 const { getOriginalPathAndLineFromSourceMap } = require('./taint-tracking/rewriter')
+const { ASM } = require('../../standalone/product')
 
 const VULNERABILITIES_KEY = 'vulnerabilities'
 const VULNERABILITY_HASHES_MAX_SIZE = 1000
@@ -51,15 +50,14 @@ function addVulnerability (iastContext, vulnerability, callSiteFrames) {
 
   if (!span) return
 
-  keepTrace(span, SAMPLING_MECHANISM_APPSEC)
-  standalone.sample(span)
+  keepTrace(span, ASM)
 
   if (stackTraceEnabled && canReportStackTrace(span, maxStackTraces, STACK_TRACE_NAMESPACES.IAST)) {
     const originalCallSiteList = callSiteFrames.map(callsite => replaceCallSiteFromSourceMap(callsite))
 
     reportStackTrace(
       span,
-      vulnerability.stackId,
+      vulnerability.location.stackId,
       originalCallSiteList,
       STACK_TRACE_NAMESPACES.IAST
     )

package/packages/dd-trace/src/appsec/index.js

@@ -2,7 +2,7 @@
 
 const log = require('../log')
 const RuleManager = require('./rule_manager')
-const remoteConfig = require('./remote_config')
+const remoteConfig = require('../remote_config')
 const {
   bodyParser,
   cookieParser,
@@ -11,6 +11,7 @@ const {
   incomingHttpRequestEnd,
   passportVerify,
   passportUser,
+  expressSession,
   queryParser,
   nextBodyParsed,
   nextQueryParsed,
@@ -69,6 +70,7 @@ function enable (_config) {
     incomingHttpRequestEnd.subscribe(incomingHttpEndTranslator)
     passportVerify.subscribe(onPassportVerify) // possible optimization: only subscribe if collection mode is enabled
     passportUser.subscribe(onPassportDeserializeUser)
+    expressSession.subscribe(onExpressSession)
     queryParser.subscribe(onRequestQueryParsed)
     nextBodyParsed.subscribe(onRequestBodyParsed)
     nextQueryParsed.subscribe(onRequestQueryParsed)
@@ -213,6 +215,25 @@ function onPassportDeserializeUser ({ user, abortController }) {
   handleResults(results, store.req, store.req.res, rootSpan, abortController)
 }
 
+function onExpressSession ({ req, res, sessionId, abortController }) {
+  const rootSpan = web.root(req)
+  if (!rootSpan) {
+    log.warn('[ASM] No rootSpan found in onExpressSession')
+    return
+  }
+
+  const isSdkCalled = rootSpan.context()._tags['usr.session_id']
+  if (isSdkCalled) return
+
+  const results = waf.run({
+    persistent: {
+      [addresses.USER_SESSION_ID]: sessionId
+    }
+  }, req)
+
+  handleResults(results, req, res, rootSpan, abortController)
+}
+
 function onRequestQueryParsed ({ req, res, query, abortController }) {
   if (!query || typeof query !== 'object') return
 
@@ -327,6 +348,7 @@ function disable () {
   if (incomingHttpRequestEnd.hasSubscribers) incomingHttpRequestEnd.unsubscribe(incomingHttpEndTranslator)
   if (passportVerify.hasSubscribers) passportVerify.unsubscribe(onPassportVerify)
   if (passportUser.hasSubscribers) passportUser.unsubscribe(onPassportDeserializeUser)
+  if (expressSession.hasSubscribers) expressSession.unsubscribe(onExpressSession)
   if (queryParser.hasSubscribers) queryParser.unsubscribe(onRequestQueryParsed)
   if (nextBodyParsed.hasSubscribers) nextBodyParsed.unsubscribe(onRequestBodyParsed)
   if (nextQueryParsed.hasSubscribers) nextQueryParsed.unsubscribe(onRequestQueryParsed)

package/packages/dd-trace/src/appsec/reporter.js

@@ -13,9 +13,8 @@ const {
   getRequestMetrics
 } = require('./telemetry')
 const zlib = require('zlib')
-const standalone = require('./standalone')
-const { SAMPLING_MECHANISM_APPSEC } = require('../constants')
 const { keepTrace } = require('../priority_sampler')
+const { ASM } = require('../standalone/product')
 
 // default limiter, configurable with setRateLimit()
 let limiter = new Limiter(100)
@@ -129,9 +128,7 @@ function reportAttack (attackData) {
   }
 
   if (limiter.isAllowed()) {
-    keepTrace(rootSpan, SAMPLING_MECHANISM_APPSEC)
-
-    standalone.sample(rootSpan)
+    keepTrace(rootSpan, ASM)
   }
 
   // TODO: maybe add this to format.js later (to take decision as late as possible)
@@ -186,9 +183,7 @@ function finishRequest (req, res) {
   if (metricsQueue.size) {
     rootSpan.addTags(Object.fromEntries(metricsQueue))
 
-    keepTrace(rootSpan, SAMPLING_MECHANISM_APPSEC)
-
-    standalone.sample(rootSpan)
+    keepTrace(rootSpan, ASM)
 
     metricsQueue.clear()
   }

package/packages/dd-trace/src/appsec/rule_manager.js

@@ -2,7 +2,7 @@
 
 const fs = require('fs')
 const waf = require('./waf')
-const { ACKNOWLEDGED, ERROR } = require('./remote_config/apply_states')
+const { ACKNOWLEDGED, ERROR } = require('../remote_config/apply_states')
 
 const blocking = require('./blocking')
 

package/packages/dd-trace/src/appsec/sdk/set_user.js

@@ -26,11 +26,15 @@ function setUser (tracer, user) {
   setUserTags(user, rootSpan)
   rootSpan.setTag('_dd.appsec.user.collection_mode', 'sdk')
 
-  waf.run({
-    persistent: {
-      [addresses.USER_ID]: '' + user.id
-    }
-  })
+  const persistent = {
+    [addresses.USER_ID]: '' + user.id
+  }
+
+  if (user.session_id && typeof user.session_id === 'string') {
+    persistent[addresses.USER_SESSION_ID] = user.session_id
+  }
+
+  waf.run({ persistent })
 }
 
 module.exports = {

package/packages/dd-trace/src/appsec/sdk/track_event.js

@@ -3,11 +3,10 @@
 const log = require('../../log')
 const { getRootSpan } = require('./utils')
 const { setUserTags } = require('./set_user')
-const standalone = require('../standalone')
 const waf = require('../waf')
-const { SAMPLING_MECHANISM_APPSEC } = require('../../constants')
 const { keepTrace } = require('../../priority_sampler')
 const addresses = require('../addresses')
+const { ASM } = require('../../standalone/product')
 
 function trackUserLoginSuccessEvent (tracer, user, metadata) {
   // TODO: better user check here and in _setUser() ?
@@ -79,8 +78,7 @@ function trackEvent (eventName, fields, sdkMethodName, rootSpan) {
 
   rootSpan.addTags(tags)
 
-  keepTrace(rootSpan, SAMPLING_MECHANISM_APPSEC)
-  standalone.sample(rootSpan)
+  keepTrace(rootSpan, ASM)
 }
 
 function runWaf (eventName, user) {

package/packages/dd-trace/src/appsec/telemetry/common.js

@@ -0,0 +1,24 @@
+'use strinct'
+
+const DD_TELEMETRY_REQUEST_METRICS = Symbol('_dd.appsec.telemetry.request.metrics')
+
+const tags = {
+  REQUEST_BLOCKED: 'request_blocked',
+  RULE_TRIGGERED: 'rule_triggered',
+  WAF_TIMEOUT: 'waf_timeout',
+  WAF_VERSION: 'waf_version',
+  EVENT_RULES_VERSION: 'event_rules_version'
+}
+
+function getVersionsTags (wafVersion, rulesVersion) {
+  return {
+    [tags.WAF_VERSION]: wafVersion,
+    [tags.EVENT_RULES_VERSION]: rulesVersion
+  }
+}
+
+module.exports = {
+  tags,
+  getVersionsTags,
+  DD_TELEMETRY_REQUEST_METRICS
+}