npm - dd-trace - Versions diffs - 5.52.0 → 5.54.0 - Mend

dd-trace 5.52.0 → 5.54.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (332) hide show

package/packages/dd-trace/src/appsec/iast/overhead-controller.js CHANGED Viewed

@@ -1,5 +1,9 @@
 'use strict'
+const LRUCache = require('lru-cache')
+const web = require('../../plugins/util/web')
+const vulnerabilities = require('./vulnerabilities')
 const OVERHEAD_CONTROLLER_CONTEXT_KEY = 'oce'
 const REPORT_VULNERABILITY = 'REPORT_VULNERABILITY'
 const INTERVAL_RESET_GLOBAL_CONTEXT = 60 * 1000
@@ -9,13 +13,62 @@ const GLOBAL_OCE_CONTEXT = {}
 let resetGlobalContextInterval
 let config = {}
 let availableRequest = 0
+const globalRouteMap = new LRUCache({ max: 4096 })
+let vulnerabilitiesSize = 0
+const vulnerabilityIndexes = Object.values(vulnerabilities).reduce((obj, item, index) => {
+  obj[item] = index
+  vulnerabilitiesSize++
+  return obj
+}, {})
+function newCountersArray () {
+  return (new Array(vulnerabilitiesSize)).fill(0)
+}
+function copyFromGlobalMap (route) {
+  const vulnerabilityCounters = globalRouteMap.get(route)
+  return vulnerabilityCounters ? [...vulnerabilityCounters] : newCountersArray()
+}
+// for testing purposes
+function clearGlobalRouteMap () {
+  globalRouteMap.clear()
+}
 const OPERATIONS = {
   REPORT_VULNERABILITY: {
-    hasQuota: (context) => {
-      const reserved = context && context.tokens && context.tokens[REPORT_VULNERABILITY] > 0
+    hasQuota: (context, vulnerabilityType) => {
+      const reserved = context?.tokens?.[REPORT_VULNERABILITY] > 0
+      if (reserved && context.route != null) {
+        let copyMap = context.copyMap
+        let localMap = context.localMap
+        if (context.loadedRoute !== context.route) {
+          context.copyMaps ??= {}
+          context.copyMaps[context.route] ??= copyFromGlobalMap(context.route)
+          context.localMaps ??= {}
+          context.localMaps[context.route] ??= newCountersArray()
+          context.loadedRoute = context.route
+          copyMap = context.copyMaps[context.route]
+          localMap = context.localMaps[context.route]
+          context.copyMap = copyMap
+          context.localMap = localMap
+        }
+        const vulnerabilityIndex = vulnerabilityIndexes[vulnerabilityType]
+        const counter = localMap[vulnerabilityIndex]++
+        const storedCounter = copyMap[vulnerabilityIndex]
+        if (counter < storedCounter) {
+          return false
+        }
+      }
       if (reserved) {
         context.tokens[REPORT_VULNERABILITY]--
       }
       return reserved
     },
     name: REPORT_VULNERABILITY,
@@ -41,12 +94,52 @@ function _getNewContext () {
 }
 function _getContext (iastContext) {
-  if (iastContext && iastContext[OVERHEAD_CONTROLLER_CONTEXT_KEY]) {
+  if (iastContext?.[OVERHEAD_CONTROLLER_CONTEXT_KEY]) {
+    const oceContext = iastContext[OVERHEAD_CONTROLLER_CONTEXT_KEY]
+    if (!oceContext.webContext) {
+      oceContext.webContext = web.getContext(iastContext.req)
+      oceContext.method = iastContext.req?.method
+    }
+    const currentPaths = oceContext.webContext?.paths
+    if (currentPaths !== oceContext.paths || !oceContext.route) {
+      oceContext.paths = currentPaths
+      oceContext.route = '#' + oceContext.method + '#' + (currentPaths?.join('') || '')
+    }
     return iastContext[OVERHEAD_CONTROLLER_CONTEXT_KEY]
   }
   return GLOBAL_OCE_CONTEXT
 }
+function consolidateVulnerabilities (iastContext) {
+  const context = _getContext(iastContext)
+  if (!context.localMaps) return
+  const reserved = context.tokens?.[REPORT_VULNERABILITY] > 0
+  if (reserved) { // still a bit of budget available
+    Object.keys(context.localMaps).forEach(route => {
+      globalRouteMap.set(route, newCountersArray())
+    })
+  } else {
+    Object.keys(context.localMaps).forEach(route => {
+      const localMap = context.localMaps[route]
+      const globalMap = globalRouteMap.get(route)
+      if (!globalMap) {
+        globalRouteMap.set(route, localMap)
+        return
+      }
+      for (let i = 0; i < vulnerabilitiesSize; i++) {
+        if (localMap[i] > globalMap[i]) {
+          globalMap[i] = localMap[i]
+        }
+      }
+    })
+  }
+}
 function _resetGlobalContext () {
   Object.assign(GLOBAL_OCE_CONTEXT, _getNewContext())
 }
@@ -70,9 +163,9 @@ function releaseRequest () {
   }
 }
-function hasQuota (operation, iastContext) {
+function hasQuota (operation, iastContext, vulnerabilityType) {
   const oceContext = _getContext(iastContext)
-  return operation.hasQuota(oceContext)
+  return operation.hasQuota(oceContext, vulnerabilityType)
 }
 function initializeRequestContext (iastContext) {
@@ -90,7 +183,7 @@ function startGlobalContext () {
   resetGlobalContextInterval = setInterval(() => {
     _resetGlobalContext()
   }, INTERVAL_RESET_GLOBAL_CONTEXT)
-  resetGlobalContextInterval.unref && resetGlobalContextInterval.unref()
+  resetGlobalContextInterval.unref?.()
 }
 function finishGlobalContext () {
@@ -110,5 +203,7 @@ module.exports = {
   hasQuota,
   acquireRequest,
   releaseRequest,
-  configure
+  configure,
+  consolidateVulnerabilities,
+  clearGlobalRouteMap
 }

package/packages/dd-trace/src/appsec/iast/path-line.js CHANGED Viewed

@@ -2,13 +2,12 @@
 const path = require('path')
 const process = require('process')
-const { calculateDDBasePath } = require('../../util')
+const { ddBasePath } = require('../../util')
 const pathLine = {
   getNodeModulesPaths,
   getRelativePath,
   getNonDDCallSiteFrames,
-  calculateDDBasePath, // Exported only for test purposes
-  ddBasePath: calculateDDBasePath(__dirname) // Only for test purposes
+  ddBasePath // Exported only for test purposes
 }
 const EXCLUDED_PATHS = [
@@ -32,7 +31,7 @@ function getNonDDCallSiteFrames (callSiteFrames, externallyExcludedPaths) {
   for (const callsite of callSiteFrames) {
     const filepath = callsite.file
-    if (!isExcluded(callsite, externallyExcludedPaths) && filepath.indexOf(pathLine.ddBasePath) === -1) {
+    if (!isExcluded(callsite, externallyExcludedPaths) && !filepath.includes(pathLine.ddBasePath)) {
       callsite.path = getRelativePath(filepath)
       callsite.isInternal = !path.isAbsolute(filepath)
@@ -58,14 +57,14 @@ function isExcluded (callsite, externallyExcludedPaths) {
     excludedPaths = [...excludedPaths, ...externallyExcludedPaths]
   }
-  for (let i = 0; i < excludedPaths.length; i++) {
-    if (filename.indexOf(excludedPaths[i]) > -1) {
+  for (const excludedPath of excludedPaths) {
+    if (filename.includes(excludedPath)) {
       return true
     }
   }
-  for (let i = 0; i < EXCLUDED_PATH_PREFIXES.length; i++) {
-    if (filename.indexOf(EXCLUDED_PATH_PREFIXES[i]) === 0) {
+  for (const EXCLUDED_PATH_PREFIX of EXCLUDED_PATH_PREFIXES) {
+    if (filename.indexOf(EXCLUDED_PATH_PREFIX) === 0) {
       return true
     }
   }

package/packages/dd-trace/src/appsec/iast/security-controls/index.js CHANGED Viewed

@@ -52,7 +52,7 @@ function onModuleLoaded (payload) {
 function getControls (filename) {
   if (filename.startsWith('file://')) {
-    filename = filename.substring(7)
+    filename = filename.slice(7)
   }
   let key = path.isAbsolute(filename) ? path.relative(process.cwd(), filename) : filename
@@ -74,12 +74,9 @@ function hookModule (filename, module, controlsByFile) {
         return
       }
-      let wrapper
-      if (type === SANITIZER_TYPE) {
-        wrapper = wrapSanitizer(target, secureMarks)
-      } else {
-        wrapper = wrapInputValidator(target, parameters, secureMarks)
-      }
+      const wrapper = type === SANITIZER_TYPE
+        ? wrapSanitizer(target, secureMarks)
+        : wrapInputValidator(target, parameters, secureMarks)
       if (methodName) {
         parent[methodName] = wrapper
@@ -97,11 +94,7 @@ function hookModule (filename, module, controlsByFile) {
 function resolve (path, obj, separator = '.') {
   if (!path) {
     // esm module with default export
-    if (obj?.default) {
-      return { target: obj.default, parent: obj, methodName: 'default' }
-    } else {
-      return { target: obj, parent: obj }
-    }
+    return obj?.default ? { target: obj.default, parent: obj, methodName: 'default' } : { target: obj, parent: obj }
   }
   const properties = path.split(separator)
@@ -164,7 +157,7 @@ function addSecureMarks (value, secureMarks, createNewTainted = true) {
         if (createNewTainted) {
           parent[lastKey] = securedTainted
         }
-      } catch (e) {
+      } catch {
         // if it is a readonly property, do nothing
       }
     })

package/packages/dd-trace/src/appsec/iast/security-controls/parser.js CHANGED Viewed

@@ -10,7 +10,7 @@ const SECURITY_CONTROL_ELEMENT_DELIMITER = ','
 const INPUT_VALIDATOR_TYPE = 'INPUT_VALIDATOR'
 const SANITIZER_TYPE = 'SANITIZER'
-const validTypes = [INPUT_VALIDATOR_TYPE, SANITIZER_TYPE]
+const validTypes = new Set([INPUT_VALIDATOR_TYPE, SANITIZER_TYPE])
 function parse (securityControlsConfiguration) {
   const controls = new Map()
@@ -42,7 +42,7 @@ function parseControl (control) {
   let [type, marks, file, method, parameters] = fields
   type = type.trim().toUpperCase()
-  if (!validTypes.includes(type)) {
+  if (!validTypes.has(type)) {
     log.warn('[ASM] Invalid security control type: %s', type)
     return
   }
@@ -60,7 +60,7 @@ function parseControl (control) {
   try {
     parameters = getParameters(parameters)
-  } catch (e) {
+  } catch {
     log.warn('[ASM] Invalid non-numeric security control parameter %s', parameters)
     return
   }
@@ -77,11 +77,11 @@ function getSecureMarks (marks) {
 function getParameters (parameters) {
   return parameters?.split(SECURITY_CONTROL_ELEMENT_DELIMITER)
     .map(param => {
-      const parsedParam = parseInt(param, 10)
+      const parsedParam = Number.parseInt(param, 10)
       // discard the securityControl if there is an incorrect parameter
-      if (isNaN(parsedParam)) {
-        throw new Error('Invalid non-numeric security control parameter')
+      if (Number.isNaN(parsedParam)) {
+        throw new TypeError('Invalid non-numeric security control parameter')
       }
       return parsedParam

package/packages/dd-trace/src/appsec/iast/taint-tracking/filter.js CHANGED Viewed

@@ -3,11 +3,11 @@
 const NODE_MODULES = 'node_modules'
 const isPrivateModule = function (file) {
-  return file && file.indexOf(NODE_MODULES) === -1
+  return file && !file.includes(NODE_MODULES)
 }
 const isDdTrace = function (file) {
-  return file && (file.indexOf('dd-trace-js') !== -1 || file.indexOf('dd-trace') !== -1)
+  return Boolean(file?.includes('dd-trace'))
 }
 module.exports = {

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations-taint-object.js CHANGED Viewed

@@ -20,10 +20,10 @@ function taintObject (iastContext, object, type) {
       try {
         if (typeof value === 'string') {
           const tainted = TaintedUtils.newTaintedString(transactionId, value, property, type)
-          if (!parent) {
-            result = tainted
-          } else {
+          if (parent) {
             parent[key] = tainted
+          } else {
+            result = tainted
           }
         } else if (typeof value === 'object' && !visited.has(value)) {
           visited.add(value)

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations.js CHANGED Viewed

@@ -41,47 +41,23 @@ function removeTransaction (iastContext) {
 }
 function newTaintedString (iastContext, string, name, type) {
-  let result
   const transactionId = iastContext?.[IAST_TRANSACTION_ID]
-  if (transactionId) {
-    result = TaintedUtils.newTaintedString(transactionId, string, name, type)
-  } else {
-    result = string
-  }
-  return result
+  return transactionId ? TaintedUtils.newTaintedString(transactionId, string, name, type) : string
 }
 function newTaintedObject (iastContext, obj, name, type) {
-  let result
   const transactionId = iastContext?.[IAST_TRANSACTION_ID]
-  if (transactionId) {
-    result = TaintedUtils.newTaintedObject(transactionId, obj, name, type)
-  } else {
-    result = obj
-  }
-  return result
+  return transactionId ? TaintedUtils.newTaintedObject(transactionId, obj, name, type) : obj
 }
 function isTainted (iastContext, string) {
-  let result
   const transactionId = iastContext?.[IAST_TRANSACTION_ID]
-  if (transactionId) {
-    result = TaintedUtils.isTainted(transactionId, string)
-  } else {
-    result = false
-  }
-  return result
+  return transactionId ? TaintedUtils.isTainted(transactionId, string) : false
 }
 function getRanges (iastContext, string) {
-  let result
   const transactionId = iastContext?.[IAST_TRANSACTION_ID]
-  if (transactionId) {
-    result = TaintedUtils.getRanges(transactionId, string)
-  } else {
-    result = []
-  }
-  return result
+  return transactionId ? TaintedUtils.getRanges(transactionId, string) : []
 }
 function addSecureMark (iastContext, string, mark, createNewTainted = true) {

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js CHANGED Viewed

@@ -129,13 +129,7 @@ class TaintTrackingPlugin extends SourceIastPlugin {
       { channelName: 'datadog:url:parse:finish' },
       ({ input, base, parsed, isURL }) => {
         const iastContext = getIastContext(storage('legacy').getStore())
-        let ranges
-        if (base) {
-          ranges = getRanges(iastContext, base)
-        } else {
-          ranges = getRanges(iastContext, input)
-        }
+        const ranges = getRanges(iastContext, base || input)
         if (ranges?.length) {
           if (isURL) {

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugins/kafka.js CHANGED Viewed

@@ -1,7 +1,6 @@
 'use strict'
 const shimmer = require('../../../../../../datadog-shimmer')
-const { storage } = require('../../../../../../datadog-core')
 const { getIastContext } = require('../../iast-context')
 const { KAFKA_MESSAGE_KEY, KAFKA_MESSAGE_VALUE } = require('../source-types')
 const { newTaintedObject, newTaintedString } = require('../operations')
@@ -10,7 +9,7 @@ const { SourceIastPlugin } = require('../../iast-plugin')
 class KafkaConsumerIastPlugin extends SourceIastPlugin {
   onConfigure () {
     this.addSub({ channelName: 'dd-trace:kafkajs:consumer:afterStart', tag: [KAFKA_MESSAGE_KEY, KAFKA_MESSAGE_VALUE] },
-      ({ message }) => this.taintKafkaMessage(message)
+      ({ message, currentStore }) => this.taintKafkaMessage(message, currentStore)
     )
   }
@@ -21,8 +20,8 @@ class KafkaConsumerIastPlugin extends SourceIastPlugin {
     }
   }
-  taintKafkaMessage (message) {
-    const iastContext = getIastContext(storage('legacy').getStore())
+  taintKafkaMessage (message, currentStore) {
+    const iastContext = getIastContext(currentStore)
     if (iastContext && message) {
       const { key, value } = message

package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter-esm.mjs CHANGED Viewed

@@ -12,7 +12,7 @@ const ddTraceDir = path.join(currentUrl.pathname, '..', '..', '..', '..', '..',
 let port, rewriter, iastEnabled
 export async function initialize (data) {
-  if (rewriter) return Promise.reject(new Error('ALREADY INITIALIZED'))
+  if (rewriter) throw new Error('ALREADY INITIALIZED')
   const { csiMethods, telemetryVerbosity, chainSourceMap, orchestrionConfig } = data
   port = data.port

package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter.js CHANGED Viewed

@@ -41,11 +41,9 @@ function setGetOriginalPathAndLineFromSourceMapFunction (chainSourceMap, { getOr
     ? (path, line, column) => {
       // if --enable-source-maps is present stacktraces of the rewritten files contain the original path, file and
       // column because the sourcemap chaining is done during the rewriting process so we can skip it
-        if (isPrivateModule(path) && !isDdTrace(path)) {
-          return { path, line, column }
-        } else {
-          return getOriginalPathAndLineFromSourceMap(path, line, column)
-        }
+        return isPrivateModule(path) && !isDdTrace(path)
+          ? { path, line, column }
+          : getOriginalPathAndLineFromSourceMap(path, line, column)
       }
     : getOriginalPathAndLineFromSourceMap
 }
@@ -138,7 +136,7 @@ function esmRewritePostProcess (rewritten, filename) {
   if (metrics?.status === 'modified') {
     if (filename.startsWith('file://')) {
-      filename = filename.substring(7)
+      filename = filename.slice(7)
     }
     cacheRewrittenSourceMap(filename, rewritten.content)
@@ -157,7 +155,7 @@ function shimPrepareStackTrace () {
     return
   }
   const pstDescriptor = Object.getOwnPropertyDescriptor(global.Error, 'prepareStackTrace')
-  if (pstDescriptor?.configurable || pstDescriptor?.writable) {
+  if (!pstDescriptor || pstDescriptor.configurable || pstDescriptor.writable) {
     Object.defineProperty(global.Error, 'prepareStackTrace', getPrepareStackTraceAccessor())
   }
   shimmedPrepareStackTrace = true

package/packages/dd-trace/src/appsec/iast/taint-tracking/taint-tracking-impl.js CHANGED Viewed

@@ -71,7 +71,7 @@ function notString () {
 }
 function isValidCsiMethod (fn, protos) {
-  return protos.some(proto => fn === proto)
+  return protos.includes(fn)
 }
 function getCsiFn (cb, getContext, ...protos) {
@@ -90,7 +90,7 @@ function getCsiFn (cb, getContext, ...protos) {
 function csiMethodsDefaults (names, excluded, getContext) {
   const impl = {}
   names.forEach(name => {
-    if (excluded.indexOf(name) !== -1) return
+    if (excluded.includes(name)) return
     impl[name] = getCsiFn(
       (transactionId, res, target, ...rest) => TaintedUtils[name](transactionId, res, target, ...rest),
       getContext,

package/packages/dd-trace/src/appsec/iast/telemetry/span-tags.js CHANGED Viewed

@@ -10,10 +10,10 @@ function addMetricsToSpan (rootSpan, metrics, tagPrefix) {
       const name = taggedMetricName(data)
       let total = flattenMap.get(name)
       const value = flatten(data)
-      if (!total) {
-        total = value
-      } else {
+      if (total) {
         total += value
+      } else {
+        total = value
       }
       flattenMap.set(name, total)
     })
@@ -34,9 +34,9 @@ function flatten (metricData) {
 function taggedMetricName (data) {
   const metric = data.metric
   const tags = filterTags(data.tags)
-  return !tags?.length
-    ? metric
-    : `${metric}.${processTagValue(tags)}`
+  return tags?.length
+    ? `${metric}.${processTagValue(tags)}`
+    : metric
 }
 function filterTags (tags) {

package/packages/dd-trace/src/appsec/iast/telemetry/verbosity.js CHANGED Viewed

@@ -18,7 +18,7 @@ function isInfoAllowed (value) {
 function getVerbosity (verbosity) {
   if (verbosity) {
     verbosity = verbosity.toUpperCase()
-    return Verbosity[verbosity] !== undefined ? Verbosity[verbosity] : Verbosity.INFORMATION
+    return Verbosity[verbosity] === undefined ? Verbosity.INFORMATION : Verbosity[verbosity]
   } else {
     return Verbosity.INFORMATION
   }

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/command-sensitive-analyzer.js CHANGED Viewed

@@ -2,7 +2,7 @@
 const log = require('../../../../../log')
-const COMMAND_PATTERN = '^(?:\\s*(?:sudo|doas)\\s+)?\\b\\S+\\b\\s(.*)'
+const COMMAND_PATTERN = String.raw`^(?:\s*(?:sudo|doas)\s+)?\b\S+\b\s(.*)`
 const pattern = new RegExp(COMMAND_PATTERN, 'gmi')
 module.exports = function extractSensitiveRanges (evidence) {

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/ldap-sensitive-analyzer.js CHANGED Viewed

@@ -2,7 +2,7 @@
 const log = require('../../../../../log')
-const LDAP_PATTERN = '\\(.*?(?:~=|=|<=|>=)(?<LITERAL>[^)]+)\\)'
+const LDAP_PATTERN = String.raw`\(.*?(?:~=|=|<=|>=)(?<LITERAL>[^)]+)\)`
 const pattern = new RegExp(LDAP_PATTERN, 'gmi')
 module.exports = function extractSensitiveRanges (evidence) {

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/sql-sensitive-analyzer.js CHANGED Viewed

@@ -3,13 +3,13 @@
 const log = require('../../../../../log')
 const STRING_LITERAL = '\'(?:\'\'|[^\'])*\''
-const POSTGRESQL_ESCAPED_LITERAL = '\\$([^$]*)\\$.*?\\$\\1\\$'
-const MYSQL_STRING_LITERAL = '"(?:\\\\"|[^"])*"|\'(?:\\\\\'|[^\'])*\''
+const POSTGRESQL_ESCAPED_LITERAL = String.raw`\$([^$]*)\$.*?\$\1\$`
+const MYSQL_STRING_LITERAL = String.raw`"(?:\\"|[^"])*"|'(?:\\'|[^'])*'`
 const LINE_COMMENT = '--.*$'
-const BLOCK_COMMENT = '/\\*[\\s\\S]*\\*/'
-const EXPONENT = '(?:E[-+]?\\d+[fd]?)?'
-const INTEGER_NUMBER = '(?<!\\w)\\d+'
-const DECIMAL_NUMBER = '\\d*\\.\\d+'
+const BLOCK_COMMENT = String.raw`/\*[\s\S]*\*/`
+const EXPONENT = String.raw`(?:E[-+]?\d+[fd]?)?`
+const INTEGER_NUMBER = String.raw`(?<!\w)\d+`
+const DECIMAL_NUMBER = String.raw`\d*\.\d+`
 const HEX_NUMBER = 'x\'[0-9a-f]+\'|0x[0-9a-f]+'
 const BIN_NUMBER = 'b\'[0-9a-f]+\'|0b[0-9a-f]+'
 const NUMERIC_LITERAL =
@@ -21,7 +21,7 @@ const NUMERIC_LITERAL =
       INTEGER_NUMBER + EXPONENT
     ].join('|')
   })`
-const ORACLE_ESCAPED_LITERAL = 'q\'<.*?>\'|q\'\\(.*?\\)\'|q\'\\{.*?\\}\'|q\'\\[.*?\\]\'|q\'(?<ESCAPE>.).*?\\k<ESCAPE>\''
+const ORACLE_ESCAPED_LITERAL = String.raw`q'<.*?>'|q'\(.*?\)'|q'\{.*?\}'|q'\[.*?\]'|q'(?<ESCAPE>.).*?\k<ESCAPE>'`
 const patterns = {
   ANSI: new RegExp( // Default