npm - dd-trace - Versions diffs - 5.52.0 → 5.54.0 - Mend

dd-trace 5.52.0 → 5.54.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (332) hide show

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js CHANGED Viewed

@@ -1,4 +1,5 @@
 'use strict'
+/* eslint-disable unicorn/prefer-string-slice */
 const log = require('../../../../log')
 const vulnerabilities = require('../../vulnerabilities')
@@ -82,7 +83,7 @@ class SensitiveHandler {
     for (let i = 0; i < value.length; i++) {
       if (nextTainted != null && nextTainted.start === i) {
-        this.writeValuePart(valueParts, value.substring(start, i), sourceIndex)
+        this.writeValuePart(valueParts, value.slice(start, i), sourceIndex)
         sourceIndex = sourcesIndexes[nextTaintedIndex]
@@ -113,16 +114,14 @@ class SensitiveHandler {
           nextSensitive = entries.length > 0 ? entries[0] : null
         }
-        if (this.isSensibleSource(sources[sourceIndex])) {
-          if (!sources[sourceIndex].redacted) {
-            redactedSources.push(sourceIndex)
-            sources[sourceIndex].pattern = ''.padEnd(sources[sourceIndex].value.length, REDACTED_SOURCE_BUFFER)
-            sources[sourceIndex].redacted = true
-          }
+        if (this.isSensibleSource(sources[sourceIndex]) && !sources[sourceIndex].redacted) {
+          redactedSources.push(sourceIndex)
+          sources[sourceIndex].pattern = ''.padEnd(sources[sourceIndex].value.length, REDACTED_SOURCE_BUFFER)
+          sources[sourceIndex].redacted = true
         }
-        if (redactedSources.indexOf(sourceIndex) > -1) {
-          const partValue = value.substring(i, i + (nextTainted.end - nextTainted.start))
+        if (redactedSources.includes(sourceIndex)) {
+          const partValue = value.slice(i, i + (nextTainted.end - nextTainted.start))
           this.writeRedactedValuePart(
             valueParts,
             partValue.length,
@@ -135,7 +134,7 @@ class SensitiveHandler {
           redactedSourcesContext[sourceIndex] = []
         } else {
           const substringEnd = Math.min(nextTainted.end, value.length)
-          this.writeValuePart(valueParts, value.substring(nextTainted.start, substringEnd), sourceIndex)
+          this.writeValuePart(valueParts, value.slice(nextTainted.start, substringEnd), sourceIndex)
         }
         start = i + (nextTainted.end - nextTainted.start)
@@ -144,7 +143,7 @@ class SensitiveHandler {
         nextTaintedIndex++
         sourceIndex = null
       } else if (nextSensitive != null && nextSensitive.start === i) {
-        this.writeValuePart(valueParts, value.substring(start, i), sourceIndex)
+        this.writeValuePart(valueParts, value.slice(start, i), sourceIndex)
         if (nextTainted != null && intersects(nextSensitive, nextTainted)) {
           sourceIndex = sourcesIndexes[nextTaintedIndex]
@@ -171,7 +170,7 @@ class SensitiveHandler {
     }
     if (start < value.length) {
-      this.writeValuePart(valueParts, value.substring(start))
+      this.writeValuePart(valueParts, value.slice(start))
     }
     return { redactedValueParts: valueParts, redactedSources }
@@ -197,10 +196,10 @@ class SensitiveHandler {
   writeValuePart (valueParts, value, source) {
     if (value.length > 0) {
-      if (source != null) {
-        valueParts.push({ value, source })
-      } else {
+      if (source == null) {
         valueParts.push({ value })
+      } else {
+        valueParts.push({ value, source })
       }
     }
   }
@@ -214,7 +213,9 @@ class SensitiveHandler {
     sourceRedactionContext,
     isSensibleSource
   ) {
-    if (sourceIndex != null) {
+    if (sourceIndex == null) {
+      valueParts.push({ redacted: true })
+    } else {
       const placeholder = source.value.includes(partValue)
         ? source.pattern
         : '*'.repeat(length)
@@ -252,9 +253,9 @@ class SensitiveHandler {
             _value.substring(_sourceRedactionContext.start - offset, _sourceRedactionContext.end - offset)
           const indexOfPartValueInPattern = source.value.indexOf(sensitive)
-          const pattern = indexOfPartValueInPattern > -1
-            ? placeholder.substring(indexOfPartValueInPattern, indexOfPartValueInPattern + sensitive.length)
-            : placeholder.substring(_sourceRedactionContext.start, _sourceRedactionContext.end)
+          const pattern = indexOfPartValueInPattern === -1
+            ? placeholder.substring(_sourceRedactionContext.start, _sourceRedactionContext.end)
+            : placeholder.substring(indexOfPartValueInPattern, indexOfPartValueInPattern + sensitive.length)
           valueParts.push({
             redacted: true,
@@ -262,7 +263,7 @@ class SensitiveHandler {
             pattern
           })
-          _value = _value.substring(pattern.length)
+          _value = _value.slice(pattern.length)
           offset += pattern.length
         })
@@ -273,8 +274,6 @@ class SensitiveHandler {
           })
         }
       }
-    } else {
-      valueParts.push({ redacted: true })
     }
   }
@@ -282,7 +281,7 @@ class SensitiveHandler {
     if (redactionNamePattern) {
       try {
         this._namePattern = new RegExp(redactionNamePattern, 'gmi')
-      } catch (e) {
+      } catch {
         log.warn('[ASM] Redaction name pattern is not valid')
       }
     }
@@ -290,7 +289,7 @@ class SensitiveHandler {
     if (redactionValuePattern) {
       try {
         this._valuePattern = new RegExp(redactionValuePattern, 'gmi')
-      } catch (e) {
+      } catch {
         log.warn('[ASM] Redaction value pattern is not valid')
       }
     }

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-regex.js CHANGED Viewed

@@ -1,7 +1,7 @@
-// eslint-disable-next-line @stylistic/js/max-len
+// eslint-disable-next-line @stylistic/max-len
 const DEFAULT_IAST_REDACTION_NAME_PATTERN = '(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?|(?:sur|last)name|user(?:name)?|address|e?mail)'
-// eslint-disable-next-line @stylistic/js/max-len
-const DEFAULT_IAST_REDACTION_VALUE_PATTERN = '(?:bearer\\s+[a-z0-9\\._\\-]+|glpat-[\\w\\-]{20}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\\w=\\-]+\\.ey[I-L][\\w=\\-]+(?:\\.[\\w.+/=\\-]+)?|(?:[\\-]{5}BEGIN[a-z\\s]+PRIVATE\\sKEY[\\-]{5}[^\\-]+[\\-]{5}END[a-z\\s]+PRIVATE\\sKEY[\\-]{5}|ssh-rsa\\s*[a-z0-9/\\.+]{100,})|[\\w\\.-]+@[a-zA-Z\\d\\.-]+\\.[a-zA-Z]{2,})'
+// eslint-disable-next-line @stylistic/max-len
+const DEFAULT_IAST_REDACTION_VALUE_PATTERN = String.raw`(?:bearer\s+[a-z0-9\._\-]+|glpat-[\w\-]{20}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\w=\-]+\.ey[I-L][\w=\-]+(?:\.[\w.+/=\-]+)?|(?:[\-]{5}BEGIN[a-z\s]+PRIVATE\sKEY[\-]{5}[^\-]+[\-]{5}END[a-z\s]+PRIVATE\sKEY[\-]{5}|ssh-rsa\s*[a-z0-9/\.+]{100,})|[\w\.-]+@[a-zA-Z\d\.-]+\.[a-zA-Z]{2,})`
 module.exports = {
   DEFAULT_IAST_REDACTION_NAME_PATTERN,

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/index.js CHANGED Viewed

@@ -57,14 +57,14 @@ class VulnerabilityFormatter {
     evidence.ranges.forEach((range, rangeIndex) => {
       if (fromIndex < range.start) {
-        valueParts.push({ value: evidence.value.substring(fromIndex, range.start) })
+        valueParts.push({ value: evidence.value.slice(fromIndex, range.start) })
       }
-      valueParts.push({ value: evidence.value.substring(range.start, range.end), source: sourcesIndexes[rangeIndex] })
+      valueParts.push({ value: evidence.value.slice(range.start, range.end), source: sourcesIndexes[rangeIndex] })
       fromIndex = range.end
     })
     if (fromIndex < evidence.value.length) {
-      valueParts.push({ value: evidence.value.substring(fromIndex) })
+      valueParts.push({ value: evidence.value.slice(fromIndex) })
     }
     return { valueParts }
@@ -72,7 +72,7 @@ class VulnerabilityFormatter {
   formatEvidence (type, evidence, sourcesIndexes, sources) {
     if (evidence.value === undefined) {
-      return undefined
+      return
     }
     return this._redactVulnearbilities

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/utils.js CHANGED Viewed

@@ -7,7 +7,7 @@ const STRINGIFY_RANGE_KEY = 'DD_' + crypto.randomBytes(20).toString('hex')
 const STRINGIFY_SENSITIVE_KEY = STRINGIFY_RANGE_KEY + 'SENSITIVE'
 const STRINGIFY_SENSITIVE_NOT_STRING_KEY = STRINGIFY_SENSITIVE_KEY + 'NOTSTRING'
-// eslint-disable-next-line @stylistic/js/max-len
+// eslint-disable-next-line @stylistic/max-len
 const KEYS_REGEX_WITH_SENSITIVE_RANGES = new RegExp(`(?:"(${STRINGIFY_RANGE_KEY}_\\d+_))|(?:"(${STRINGIFY_SENSITIVE_KEY}_\\d+_(\\d+)_))|("${STRINGIFY_SENSITIVE_NOT_STRING_KEY}_\\d+_([\\s0-9.a-zA-Z]*)")`, 'gm')
 const KEYS_REGEX_WITHOUT_SENSITIVE_RANGES = new RegExp(`"(${STRINGIFY_RANGE_KEY}_\\d+_)`, 'gm')
@@ -99,22 +99,17 @@ function stringifyWithRanges (obj, objRanges, loadSensitiveRanges = false) {
         } else {
           currentLevelClone[key] = val
         }
-      } else if (Array.isArray(val)) {
-        currentLevelClone[key] = []
       } else {
-        currentLevelClone[key] = {}
+        currentLevelClone[key] = Array.isArray(val) ? [] : {}
       }
     })
     value = JSON.stringify(cloneObj, null, 2)
     if (counter > 0) {
-      let keysRegex
-      if (loadSensitiveRanges) {
-        keysRegex = KEYS_REGEX_WITH_SENSITIVE_RANGES
-      } else {
-        keysRegex = KEYS_REGEX_WITHOUT_SENSITIVE_RANGES
-      }
+      const keysRegex = loadSensitiveRanges
+        ? KEYS_REGEX_WITH_SENSITIVE_RANGES
+        : KEYS_REGEX_WITHOUT_SENSITIVE_RANGES
       keysRegex.lastIndex = 0
       let regexRes = keysRegex.exec(value)
@@ -141,7 +136,7 @@ function stringifyWithRanges (obj, objRanges, loadSensitiveRanges = false) {
           sensitiveRanges.push({
             start: offset,
-            end: offset + parseInt(regexRes[3])
+            end: offset + Number.parseInt(regexRes[3])
           })
           value = value.replace(sensitiveId, '')

package/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js CHANGED Viewed

@@ -79,17 +79,15 @@ function isValidVulnerability (vulnerability) {
 }
 function sendVulnerabilities (vulnerabilities, span) {
-  if (vulnerabilities && vulnerabilities.length) {
-    if (span && span.addTags) {
-      const validatedVulnerabilities = vulnerabilities.filter(isValidVulnerability)
-      const jsonToSend = vulnerabilitiesFormatter.toJson(validatedVulnerabilities)
-      if (jsonToSend.vulnerabilities.length > 0) {
-        const tags = {}
-        // TODO: Store this outside of the span and set the tag in the exporter.
-        tags[IAST_JSON_TAG_KEY] = JSON.stringify(jsonToSend)
-        span.addTags(tags)
-      }
+  if (vulnerabilities?.length && span?.addTags) {
+    const validatedVulnerabilities = vulnerabilities.filter(isValidVulnerability)
+    const jsonToSend = vulnerabilitiesFormatter.toJson(validatedVulnerabilities)
+    if (jsonToSend.vulnerabilities.length > 0) {
+      const tags = {}
+      // TODO: Store this outside of the span and set the tag in the exporter.
+      tags[IAST_JSON_TAG_KEY] = JSON.stringify(jsonToSend)
+      span.addTags(tags)
     }
   }
   return IAST_JSON_TAG_KEY

package/packages/dd-trace/src/appsec/index.js CHANGED Viewed

@@ -34,6 +34,7 @@ const UserTracking = require('./user_tracking')
 const { storage } = require('../../../datadog-core')
 const graphql = require('./graphql')
 const rasp = require('./rasp')
+const { isInServerlessEnvironment } = require('../serverless')
 const responseAnalyzedSet = new WeakSet()
@@ -57,7 +58,7 @@ function enable (_config) {
     remoteConfig.enableWafUpdate(_config.appsec)
-    Reporter.setRateLimit(_config.appsec.rateLimit)
+    Reporter.init(_config.appsec)
     apiSecuritySampler.configure(_config)
@@ -83,7 +84,9 @@ function enable (_config) {
     isEnabled = true
     config = _config
   } catch (err) {
-    log.error('[ASM] Unable to start AppSec', err)
+    if (!isInServerlessEnvironment()) {
+      log.error('[ASM] Unable to start AppSec', err)
+    }
     disable()
   }
@@ -106,7 +109,7 @@ function onRequestBodyParsed ({ req, res, body, abortController }) {
     }
   }, req)
-  handleResults(results, req, res, rootSpan, abortController)
+  handleResults(results?.actions, req, res, rootSpan, abortController)
 }
 function onRequestCookieParser ({ req, res, abortController, cookies }) {
@@ -121,7 +124,7 @@ function onRequestCookieParser ({ req, res, abortController, cookies }) {
     }
   }, req)
-  handleResults(results, req, res, rootSpan, abortController)
+  handleResults(results?.actions, req, res, rootSpan, abortController)
 }
 function incomingHttpStartTranslator ({ req, res, abortController }) {
@@ -149,9 +152,9 @@ function incomingHttpStartTranslator ({ req, res, abortController }) {
     persistent[addresses.HTTP_CLIENT_IP] = clientIp
   }
-  const actions = waf.run({ persistent }, req)
+  const results = waf.run({ persistent }, req)
-  handleResults(actions, req, res, rootSpan, abortController)
+  handleResults(results?.actions, req, res, rootSpan, abortController)
 }
 function incomingHttpEndTranslator ({ req, res }) {
@@ -198,7 +201,7 @@ function onPassportVerify ({ framework, login, user, success, abortController })
   const results = UserTracking.trackLogin(framework, login, user, success, rootSpan)
-  handleResults(results, store.req, store.req.res, rootSpan, abortController)
+  handleResults(results?.actions, store.req, store.req.res, rootSpan, abortController)
 }
 function onPassportDeserializeUser ({ user, abortController }) {
@@ -212,7 +215,7 @@ function onPassportDeserializeUser ({ user, abortController }) {
   const results = UserTracking.trackUser(user, rootSpan)
-  handleResults(results, store.req, store.req.res, rootSpan, abortController)
+  handleResults(results?.actions, store.req, store.req.res, rootSpan, abortController)
 }
 function onExpressSession ({ req, res, sessionId, abortController }) {
@@ -231,7 +234,7 @@ function onExpressSession ({ req, res, sessionId, abortController }) {
     }
   }, req)
-  handleResults(results, req, res, rootSpan, abortController)
+  handleResults(results?.actions, req, res, rootSpan, abortController)
 }
 function onRequestQueryParsed ({ req, res, query, abortController }) {
@@ -251,7 +254,7 @@ function onRequestQueryParsed ({ req, res, query, abortController }) {
     }
   }, req)
-  handleResults(results, req, res, rootSpan, abortController)
+  handleResults(results?.actions, req, res, rootSpan, abortController)
 }
 function onRequestProcessParams ({ req, res, abortController, params }) {
@@ -266,7 +269,7 @@ function onRequestProcessParams ({ req, res, abortController, params }) {
     }
   }, req)
-  handleResults(results, req, res, rootSpan, abortController)
+  handleResults(results?.actions, req, res, rootSpan, abortController)
 }
 function onResponseBody ({ req, res, body }) {
@@ -308,7 +311,7 @@ function onResponseWriteHead ({ req, res, abortController, statusCode, responseH
   responseAnalyzedSet.add(res)
-  handleResults(results, req, res, rootSpan, abortController)
+  handleResults(results?.actions, req, res, rootSpan, abortController)
 }
 function onResponseSetHeader ({ res, abortController }) {

package/packages/dd-trace/src/appsec/rasp/index.js CHANGED Viewed

@@ -22,8 +22,8 @@ function removeAllListeners (emitter, event) {
     }
     cleaned = true
-    for (let i = 0; i < listeners.length; ++i) {
-      emitter.on(event, listeners[i])
+    for (const listener of listeners) {
+      emitter.on(event, listener)
     }
   }
 }
@@ -41,19 +41,7 @@ function findDatadogRaspAbortError (err, deep = 10) {
 function handleUncaughtExceptionMonitor (error) {
   if (!blockOnDatadogRaspAbortError({ error })) return
-  if (!process.hasUncaughtExceptionCaptureCallback()) {
-    const cleanUp = removeAllListeners(process, 'uncaughtException')
-    const handler = () => {
-      process.removeListener('uncaughtException', handler)
-    }
-    setTimeout(() => {
-      process.removeListener('uncaughtException', handler)
-      cleanUp()
-    })
-    process.on('uncaughtException', handler)
-  } else {
+  if (process.hasUncaughtExceptionCaptureCallback()) {
     // uncaughtException event is not executed when hasUncaughtExceptionCaptureCallback is true
     let previousCb
     const cb = ({ currentCallback, abortController }) => {
@@ -78,6 +66,18 @@ function handleUncaughtExceptionMonitor (error) {
         process.setUncaughtExceptionCaptureCallback(previousCb)
       })
     }
+  } else {
+    const cleanUp = removeAllListeners(process, 'uncaughtException')
+    const handler = () => {
+      process.removeListener('uncaughtException', handler)
+    }
+    setTimeout(() => {
+      process.removeListener('uncaughtException', handler)
+      cleanUp()
+    })
+    process.on('uncaughtException', handler)
   }
 }
@@ -85,10 +85,12 @@ function blockOnDatadogRaspAbortError ({ error }) {
   const abortError = findDatadogRaspAbortError(error)
   if (!abortError) return false
-  const { req, res, blockingAction, raspRule } = abortError
+  const { req, res, blockingAction, raspRule, ruleTriggered } = abortError
   if (!isBlocked(res)) {
     const blocked = block(req, res, web.root(req), null, blockingAction)
-    updateRaspRuleMatchMetricTags(req, raspRule, true, blocked)
+    if (ruleTriggered) {
+      updateRaspRuleMatchMetricTags(req, raspRule, true, blocked)
+    }
   }
   return true

package/packages/dd-trace/src/appsec/rasp/lfi.js CHANGED Viewed

@@ -88,6 +88,7 @@ function pathToStr (path) {
   if (!path) return
   if (typeof path === 'string' ||
+      // eslint-disable-next-line unicorn/no-instanceof-builtins
       path instanceof String ||
       path instanceof Buffer ||
       path instanceof URL) {
@@ -104,7 +105,7 @@ function shouldAnalyze (path, fs) {
 function shouldAnalyzeURLFile (path, fs) {
   if (path.startsWith('file://')) {
-    return shouldAnalyze(path.substring(7), fs)
+    return shouldAnalyze(path.slice(7), fs)
   }
 }

package/packages/dd-trace/src/appsec/rasp/utils.js CHANGED Viewed

@@ -20,23 +20,26 @@ const RULE_TYPES = {
 }
 class DatadogRaspAbortError extends Error {
-  constructor (req, res, blockingAction, raspRule) {
+  constructor (req, res, blockingAction, raspRule, ruleTriggered) {
     super('DatadogRaspAbortError')
     this.name = 'DatadogRaspAbortError'
     this.req = req
     this.res = res
     this.blockingAction = blockingAction
     this.raspRule = raspRule
+    this.ruleTriggered = ruleTriggered
   }
 }
-function handleResult (actions, req, res, abortController, config, raspRule) {
-  const generateStackTraceAction = actions?.generate_stack
+function handleResult (result, req, res, abortController, config, raspRule) {
+  const generateStackTraceAction = result?.actions?.generate_stack
   const { enabled, maxDepth, maxStackTraces } = config.appsec.stackTrace
   const rootSpan = web.root(req)
+  const ruleTriggered = !!result?.events?.length
   if (generateStackTraceAction && enabled && canReportStackTrace(rootSpan, maxStackTraces)) {
     const frames = getCallsiteFrames(maxDepth)
@@ -48,11 +51,11 @@ function handleResult (actions, req, res, abortController, config, raspRule) {
   }
   if (abortController && !abortOnUncaughtException) {
-    const blockingAction = getBlockingAction(actions)
+    const blockingAction = getBlockingAction(result?.actions)
     // Should block only in express
     if (blockingAction && rootSpan?.context()._name === 'express.request') {
-      const abortError = new DatadogRaspAbortError(req, res, blockingAction, raspRule)
+      const abortError = new DatadogRaspAbortError(req, res, blockingAction, raspRule, ruleTriggered)
       abortController.abort(abortError)
       // TODO Delete this when support for node 16 is removed
@@ -64,7 +67,9 @@ function handleResult (actions, req, res, abortController, config, raspRule) {
     }
   }
-  updateRaspRuleMatchMetricTags(req, raspRule, false, false)
+  if (ruleTriggered) {
+    updateRaspRuleMatchMetricTags(req, raspRule, false, false)
+  }
 }
 module.exports = {