npm - dd-trace - Versions diffs - 5.54.0 → 5.56.0 - Mend

dd-trace 5.54.0 → 5.56.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (191) hide show

package/packages/datadog-plugin-http2/src/client.js CHANGED Viewed

@@ -124,9 +124,9 @@ function extractSessionDetails (authority, options) {
   }
   const protocol = authority.protocol || options.protocol || 'https:'
-  let port = '' + (authority.port === ''
-    ? (authority.protocol === 'http:' ? 80 : 443)
-    : authority.port)
+  let port = authority.port === ''
+    ? authority.protocol === 'http:' ? '80' : '443'
+    : String(authority.port)
   let host = authority.hostname || authority.host || 'localhost'
   if (protocol === 'https:' && options) {
@@ -174,17 +174,16 @@ function normalizeConfig (config) {
   const filter = getFilter(config)
   const headers = getHeaders(config)
-  return Object.assign({}, config, {
+  return {
+    ...config,
     validateStatus,
     filter,
     headers
-  })
+  }
 }
 function getFilter (config) {
-  config = Object.assign({}, config, {
-    blocklist: config.blocklist || []
-  })
+  config = { ...config, blocklist: config.blocklist || [] }
   return urlFilter.getFilter(config)
 }

package/packages/datadog-plugin-jest/src/index.js CHANGED Viewed

@@ -1,5 +1,6 @@
 const CiPlugin = require('../../dd-trace/src/plugins/ci_plugin')
 const { storage } = require('../../datadog-core')
+const { getEnvironmentVariable } = require('../../dd-trace/src/config-helper')
 const {
   TEST_STATUS,
@@ -48,7 +49,7 @@ const {
   TELEMETRY_TEST_SESSION
 } = require('../../dd-trace/src/ci-visibility/telemetry')
-const isJestWorker = !!process.env.JEST_WORKER_ID
+const isJestWorker = !!getEnvironmentVariable('JEST_WORKER_ID')
 // https://github.com/facebook/jest/blob/d6ad15b0f88a05816c2fe034dd6900d28315d570/packages/jest-worker/src/types.ts#L38
 const CHILD_MESSAGE_END = 2
@@ -158,7 +159,7 @@ class JestPlugin extends CiPlugin {
       this.telemetry.count(TELEMETRY_TEST_SESSION, {
         provider: this.ciProviderName,
-        autoInjected: !!process.env.DD_CIVISIBILITY_AUTO_INSTRUMENTATION_PROVIDER
+        autoInjected: !!getEnvironmentVariable('DD_CIVISIBILITY_AUTO_INSTRUMENTATION_PROVIDER')
       })
       this.tracer._exporter.flush(() => {

package/packages/datadog-plugin-mocha/src/index.js CHANGED Viewed

@@ -2,6 +2,7 @@
 const CiPlugin = require('../../dd-trace/src/plugins/ci_plugin')
 const { storage } = require('../../datadog-core')
+const { getEnvironmentVariable } = require('../../dd-trace/src/config-helper')
 const {
   TEST_STATUS,
@@ -429,7 +430,7 @@ class MochaPlugin extends CiPlugin {
         finishAllTraceSpans(this.testSessionSpan)
         this.telemetry.count(TELEMETRY_TEST_SESSION, {
           provider: this.ciProviderName,
-          autoInjected: !!process.env.DD_CIVISIBILITY_AUTO_INSTRUMENTATION_PROVIDER
+          autoInjected: !!getEnvironmentVariable('DD_CIVISIBILITY_AUTO_INSTRUMENTATION_PROVIDER')
         })
       }
       this.libraryConfig = null
@@ -466,6 +467,10 @@ class MochaPlugin extends CiPlugin {
         this.tracer._exporter.export(trace)
       })
     })
+    this.addBind('ci:mocha:global:run', (ctx) => {
+      return ctx.currentStore
+    })
   }
   startTestSpan (testInfo) {

package/packages/datadog-plugin-mongodb-core/src/index.js CHANGED Viewed

@@ -3,6 +3,7 @@
 const { isTrue } = require('../../dd-trace/src/util')
 const DatabasePlugin = require('../../dd-trace/src/plugins/database')
 const coalesce = require('koalas')
+const { getEnvironmentVariable } = require('../../dd-trace/src/config-helper')
 class MongodbCorePlugin extends DatabasePlugin {
   static get id () { return 'mongodb-core' }
@@ -14,7 +15,7 @@ class MongodbCorePlugin extends DatabasePlugin {
   configure (config) {
     super.configure(config)
-    const heartbeatFromEnv = process.env.DD_TRACE_MONGODB_HEARTBEAT_ENABLED
+    const heartbeatFromEnv = getEnvironmentVariable('DD_TRACE_MONGODB_HEARTBEAT_ENABLED')
     this.config.heartbeatEnabled = coalesce(
       config.heartbeatEnabled,

package/packages/datadog-plugin-mysql/src/index.js CHANGED Viewed

@@ -1,5 +1,6 @@
 'use strict'
+const { storage } = require('../../datadog-core')
 const CLIENT_PORT_KEY = require('../../dd-trace/src/constants')
 const DatabasePlugin = require('../../dd-trace/src/plugins/database')
@@ -7,6 +8,16 @@ class MySQLPlugin extends DatabasePlugin {
   static get id () { return 'mysql' }
   static get system () { return 'mysql' }
+  constructor () {
+    super(...arguments)
+    this.addSub(`apm:${this.component}:connection:start`, ctx => {
+      ctx.parentStore = storage('legacy').getStore()
+    })
+    this.addBind(`apm:${this.component}:connection:finish`, ctx => ctx.parentStore)
+  }
   bindStart (ctx) {
     const service = this.serviceName({ pluginConfig: this.config, dbConfig: ctx.conf, system: this.system })
     const span = this.startSpan(this.operationName(), {

package/packages/datadog-plugin-next/src/index.js CHANGED Viewed

@@ -134,7 +134,7 @@ function normalizeConfig (config) {
     ? config.validateStatus
     : code => code < 500
-  return Object.assign({}, config, { hooks, validateStatus })
+  return { ...config, hooks, validateStatus }
 }
 const noop = () => {}

package/packages/datadog-plugin-openai/src/tracing.js CHANGED Viewed

@@ -766,19 +766,17 @@ function usageExtraction (tags, body, methodName, openaiStore) {
   } else if (body.model && ['chat.completions.create', 'completions.create'].includes(methodName)) {
     // estimate tokens based on method name for completions and chat completions
     const { model } = body
-    let promptEstimated = false
-    let completionEstimated = false
     // prompt tokens
     const payload = openaiStore
     const promptTokensCount = countPromptTokens(methodName, payload, model)
     promptTokens = promptTokensCount.promptTokens
-    promptEstimated = promptTokensCount.promptEstimated
+    const promptEstimated = promptTokensCount.promptEstimated
     // completion tokens
     const completionTokensCount = countCompletionTokens(body, model)
     completionTokens = completionTokensCount.completionTokens
-    completionEstimated = completionTokensCount.completionEstimated
+    const completionEstimated = completionTokensCount.completionEstimated
     // total tokens
     totalTokens = promptTokens + completionTokens

package/packages/datadog-plugin-oracledb/src/index.js CHANGED Viewed

@@ -11,7 +11,8 @@ class OracledbPlugin extends DatabasePlugin {
   start ({ query, connAttrs }) {
     const service = this.serviceName({ pluginConfig: this.config, params: connAttrs })
-    const url = getUrl(connAttrs.connectString)
+    // Users can pass either connectString or connectionString
+    const url = getUrl(connAttrs.connectString || connAttrs.connectionString)
     this.startSpan(this.operationName(), {
       service,

package/packages/datadog-plugin-playwright/src/index.js CHANGED Viewed

@@ -3,6 +3,7 @@
 const { storage } = require('../../datadog-core')
 const id = require('../../dd-trace/src/id')
 const CiPlugin = require('../../dd-trace/src/plugins/ci_plugin')
+const { getEnvironmentVariable } = require('../../dd-trace/src/config-helper')
 const {
   TEST_STATUS,
@@ -102,7 +103,7 @@ class PlaywrightPlugin extends CiPlugin {
       finishAllTraceSpans(this.testSessionSpan)
       this.telemetry.count(TELEMETRY_TEST_SESSION, {
         provider: this.ciProviderName,
-        autoInjected: !!process.env.DD_CIVISIBILITY_AUTO_INSTRUMENTATION_PROVIDER
+        autoInjected: !!getEnvironmentVariable('DD_CIVISIBILITY_AUTO_INSTRUMENTATION_PROVIDER')
       })
       appClosingTelemetry()
       this.tracer._exporter.flush(onDone)
@@ -384,7 +385,7 @@ class PlaywrightPlugin extends CiPlugin {
       span.finish()
       finishAllTraceSpans(span)
-      if (process.env.DD_PLAYWRIGHT_WORKER) {
+      if (getEnvironmentVariable('DD_PLAYWRIGHT_WORKER')) {
         this.tracer._exporter.flush(onDone)
       }
     })

package/packages/datadog-plugin-protobufjs/src/schema_iterator.js CHANGED Viewed

@@ -102,17 +102,16 @@ class SchemaExtractor {
         }
       }
       return true
-    } else {
-      if (!builder.shouldExtractSchema(schemaName, depth)) {
-        return false
-      }
-      for (const field of schema.fieldsArray) {
-        if (!this.extractProperty(field, schemaName, field.name, builder, depth)) {
-          log.warn(`DSM: Unable to extract field with name: ${field.name} from Avro schema with name: ${schemaName}`)
-        }
+    }
+    if (!builder.shouldExtractSchema(schemaName, depth)) {
+      return false
+    }
+    for (const field of schema.fieldsArray) {
+      if (!this.extractProperty(field, schemaName, field.name, builder, depth)) {
+        log.warn(`DSM: Unable to extract field with name: ${field.name} from Avro schema with name: ${schemaName}`)
       }
-      return true
     }
+    return true
   }
   static extractSchemas (descriptor, dataStreamsProcessor) {

package/packages/datadog-plugin-redis/src/index.js CHANGED Viewed

@@ -77,9 +77,7 @@ function normalizeConfig (config) {
   const filter = urlFilter.getFilter(config)
-  return Object.assign({}, config, {
-    filter
-  })
+  return { ...config, filter }
 }
 function uppercaseAllEntries (entries) {

package/packages/datadog-plugin-vitest/src/index.js CHANGED Viewed

@@ -1,5 +1,6 @@
 const CiPlugin = require('../../dd-trace/src/plugins/ci_plugin')
 const { storage } = require('../../datadog-core')
+const { getEnvironmentVariable } = require('../../dd-trace/src/config-helper')
 const {
   TEST_STATUS,
@@ -275,11 +276,11 @@ class VitestPlugin extends CiPlugin {
     this.addBind('ci:vitest:test-suite:start', (ctx) => {
       const { testSuiteAbsolutePath, frameworkVersion } = ctx
-      this.command = process.env.DD_CIVISIBILITY_TEST_COMMAND
+      this.command = getEnvironmentVariable('DD_CIVISIBILITY_TEST_COMMAND')
       this.frameworkVersion = frameworkVersion
       const testSessionSpanContext = this.tracer.extract('text_map', {
-        'x-datadog-trace-id': process.env.DD_CIVISIBILITY_TEST_SESSION_ID,
-        'x-datadog-parent-id': process.env.DD_CIVISIBILITY_TEST_MODULE_ID
+        'x-datadog-trace-id': getEnvironmentVariable('DD_CIVISIBILITY_TEST_SESSION_ID'),
+        'x-datadog-parent-id': getEnvironmentVariable('DD_CIVISIBILITY_TEST_MODULE_ID')
       })
       const trimmedCommand = DD_MAJOR < 6 ? this.command : 'vitest run'
@@ -396,7 +397,7 @@ class VitestPlugin extends CiPlugin {
       finishAllTraceSpans(this.testSessionSpan)
       this.telemetry.count(TELEMETRY_TEST_SESSION, {
         provider: this.ciProviderName,
-        autoInjected: !!process.env.DD_CIVISIBILITY_AUTO_INSTRUMENTATION_PROVIDER
+        autoInjected: !!getEnvironmentVariable('DD_CIVISIBILITY_AUTO_INSTRUMENTATION_PROVIDER')
       })
       this.tracer._exporter.flush(onFinish)
     })

package/packages/dd-trace/src/appsec/iast/analyzers/analyzers.js CHANGED Viewed

@@ -5,7 +5,6 @@ module.exports = {
   COMMAND_INJECTION_ANALYZER: require('./command-injection-analyzer'),
   HARCODED_PASSWORD_ANALYZER: require('./hardcoded-password-analyzer'),
   HARCODED_SECRET_ANALYZER: require('./hardcoded-secret-analyzer'),
-  HEADER_INJECTION_ANALYZER: require('./header-injection-analyzer'),
   HSTS_HEADER_MISSING_ANALYZER: require('./hsts-header-missing-analyzer'),
   INSECURE_COOKIE_ANALYZER: require('./insecure-cookie-analyzer'),
   LDAP_ANALYZER: require('./ldap-injection-analyzer'),

package/packages/dd-trace/src/appsec/iast/analyzers/hardcoded-password-rules.js CHANGED Viewed

@@ -1,4 +1,3 @@
-/* eslint-disable @stylistic/max-len */
 'use strict'
 const { NameAndValue } = require('./hardcoded-rule-type')

package/packages/dd-trace/src/appsec/iast/analyzers/hardcoded-secret-rules.js CHANGED Viewed

@@ -1,4 +1,3 @@
-/* eslint-disable @stylistic/max-len */
 'use strict'
 const { ValueOnly, NameAndValue } = require('./hardcoded-rule-type')

package/packages/dd-trace/src/appsec/iast/analyzers/hardcoded-secrets-rules.js CHANGED Viewed

@@ -1,4 +1,3 @@
-/* eslint-disable @stylistic/max-len */
 'use strict'
 const { ValueOnly, NameAndValue } = require('./hardcoded-rule-type')

package/packages/dd-trace/src/appsec/iast/analyzers/missing-header-analyzer.js CHANGED Viewed

@@ -32,9 +32,8 @@ class MissingHeaderAnalyzer extends Analyzer {
     const headerValue = res.getHeader(headerName)
     if (Array.isArray(headerValue)) {
       return headerValue
-    } else {
-      return headerValue ? [headerValue.toString()] : []
     }
+    return headerValue ? [headerValue.toString()] : []
   }
   _getLocation () {}

package/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js CHANGED Viewed

@@ -15,7 +15,7 @@ class SqlInjectionAnalyzer extends StoredInjectionAnalyzer {
   onConfigure () {
     this.addSub('apm:mysql:query:start', ({ sql }) => this.analyze(sql, undefined, 'MYSQL'))
-    this.addSub('apm:mysql2:query:start', ({ sql }) => this.analyze(sql, undefined, 'MYSQL'))
+    this.addSub('datadog:mysql2:outerquery:start', ({ sql }) => this.analyze(sql, undefined, 'MYSQL'))
     this.addSub('apm:pg:query:start', ({ query }) => this.analyze(query.text, undefined, 'POSTGRES'))
     this.addSub(

package/packages/dd-trace/src/appsec/iast/security-controls/index.js CHANGED Viewed

@@ -85,7 +85,7 @@ function hookModule (filename, module, controlsByFile) {
       }
     })
   } catch (e) {
-    log.error('[ASM] Error initializing IAST security control for %', filename, e)
+    log.error('[ASM] Error initializing IAST security control for %s', filename, e)
   }
   return module
@@ -150,19 +150,18 @@ function addSecureMarks (value, secureMarks, createNewTainted = true) {
   if (typeof value === 'string') {
     return TaintTrackingOperations.addSecureMark(iastContext, value, secureMarks, createNewTainted)
-  } else {
-    iterateObjectStrings(value, (value, levelKeys, parent, lastKey) => {
-      try {
-        const securedTainted = TaintTrackingOperations.addSecureMark(iastContext, value, secureMarks, createNewTainted)
-        if (createNewTainted) {
-          parent[lastKey] = securedTainted
-        }
-      } catch {
-        // if it is a readonly property, do nothing
-      }
-    })
-    return value
   }
+  iterateObjectStrings(value, (value, levelKeys, parent, lastKey) => {
+    try {
+      const securedTainted = TaintTrackingOperations.addSecureMark(iastContext, value, secureMarks, createNewTainted)
+      if (createNewTainted) {
+        parent[lastKey] = securedTainted
+      }
+    } catch {
+      // if it is a readonly property, do nothing
+    }
+  })
+  return value
 }
 function disable () {

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations-taint-object.js CHANGED Viewed

@@ -2,8 +2,11 @@
 const TaintedUtils = require('@datadog/native-iast-taint-tracking')
 const { IAST_TRANSACTION_ID } = require('../iast-context')
+const { HTTP_REQUEST_PARAMETER } = require('./source-types')
 const log = require('../../../log')
+const SEPARATOR = '\u0000' // Unit Separator (cannot be in URL keys)
 function taintObject (iastContext, object, type) {
   let result = object
   const transactionId = iastContext?.[IAST_TRANSACTION_ID]
@@ -40,6 +43,46 @@ function taintObject (iastContext, object, type) {
   return result
 }
+function taintQueryWithCache (iastContext, query) {
+  const transactionId = iastContext?.[IAST_TRANSACTION_ID]
+  if (!transactionId || !query) return query
+  iastContext.queryCache ??= new Map() // key: "a.b.c", value: tainted string
+  traverseAndTaint(query, '', iastContext.queryCache, transactionId)
+  return query
+}
+function traverseAndTaint (node, path, cache, transactionId) {
+  if (node == null) return node
+  if (typeof node === 'string') {
+    const cachedValue = cache.get(path)
+    if (cachedValue === node) {
+      return cachedValue
+    }
+    const tainted = TaintedUtils.newTaintedString(transactionId, node, path, HTTP_REQUEST_PARAMETER)
+    cache.set(path, tainted)
+    return tainted
+  }
+  if (typeof node === 'object') {
+    const keys = Array.isArray(node) ? node.keys() : Object.keys(node)
+    for (const key of keys) {
+      const childPath = path ? `${path}${SEPARATOR}${key}` : String(key)
+      const tainted = traverseAndTaint(node[key], childPath, cache, transactionId)
+      node[key] = tainted
+    }
+  }
+  return node
+}
 module.exports = {
-  taintObject
+  taintObject,
+  taintQueryWithCache
 }

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations.js CHANGED Viewed

@@ -11,7 +11,7 @@ const {
   getTaintTrackingNoop,
   lodashTaintTrackingHandler
 } = require('./taint-tracking-impl')
-const { taintObject } = require('./operations-taint-object')
+const { taintObject, taintQueryWithCache } = require('./operations-taint-object')
 const lodashOperationCh = dc.channel('datadog:lodash:operation')
@@ -98,6 +98,7 @@ module.exports = {
   newTaintedString,
   newTaintedObject,
   taintObject,
+  taintQueryWithCache,
   isTainted,
   getRanges,
   enableTaintOperations,

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js CHANGED Viewed

@@ -3,7 +3,7 @@
 const { SourceIastPlugin } = require('../iast-plugin')
 const { getIastContext } = require('../iast-context')
 const { storage } = require('../../../../../datadog-core')
-const { taintObject, newTaintedString, getRanges } = require('./operations')
+const { taintObject, newTaintedString, getRanges, taintQueryWithCache } = require('./operations')
 const {
   HTTP_REQUEST_BODY,
   HTTP_REQUEST_COOKIE_VALUE,
@@ -63,7 +63,12 @@ class TaintTrackingPlugin extends SourceIastPlugin {
     this.addSub(
       { channelName: 'datadog:express:query:finish', tag: HTTP_REQUEST_PARAMETER },
-      ({ query }) => this._taintTrackingHandler(HTTP_REQUEST_PARAMETER, query)
+      ({ query }) => {
+        const iastContext = getIastContext(storage('legacy').getStore())
+        if (!iastContext || !query) return
+        taintQueryWithCache(iastContext, query)
+      }
     )
     this.addSub(
@@ -207,7 +212,7 @@ class TaintTrackingPlugin extends SourceIastPlugin {
     if (Array.isArray(result)) {
       for (let i = 0; i < result.length && i < this._rowsToTaint; i++) {
-        const nextName = name ? `${name}.${i}` : '' + i
+        const nextName = name ? `${name}.${i}` : String(i)
         result[i] = this._taintDatabaseResult(result[i], dbOrigin, iastContext, nextName)
       }
     } else if (result && typeof result === 'object') {

package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter.js CHANGED Viewed

@@ -14,6 +14,7 @@ const log = require('../../../log')
 const { isMainThread } = require('worker_threads')
 const { LOG_MESSAGE, REWRITTEN_MESSAGE } = require('./constants')
 const orchestrionConfig = require('../../../../../datadog-instrumentations/src/orchestrion-config')
+const { getEnvironmentVariable } = require('../../../config-helper')
 let config
 const hardcodedSecretCh = dc.channel('datadog:secrets:result')
@@ -26,7 +27,7 @@ let kSymbolPrepareStackTrace
 function noop () {}
 function isFlagPresent (flag) {
-  return process.env.NODE_OPTIONS?.includes(flag) ||
+  return getEnvironmentVariable('NODE_OPTIONS')?.includes(flag) ||
     process.execArgv?.some(arg => arg.includes(flag))
 }

package/packages/dd-trace/src/appsec/iast/telemetry/span-tags.js CHANGED Viewed

@@ -45,7 +45,7 @@ function filterTags (tags) {
 function processTagValue (tags) {
   return tags.map(tag => tag.includes(':') ? tag.split(':')[1] : tag)
-    .join('_').replace(/\./g, '_')
+    .join('_').replaceAll('.', '_')
 }
 module.exports = {

package/packages/dd-trace/src/appsec/iast/telemetry/verbosity.js CHANGED Viewed

@@ -19,9 +19,8 @@ function getVerbosity (verbosity) {
   if (verbosity) {
     verbosity = verbosity.toUpperCase()
     return Verbosity[verbosity] === undefined ? Verbosity.INFORMATION : Verbosity[verbosity]
-  } else {
-    return Verbosity.INFORMATION
   }
+  return Verbosity.INFORMATION
 }
 function getName (verbosityValue) {

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/range-utils.js CHANGED Viewed

@@ -16,18 +16,17 @@ function remove (range, rangeToRemove) {
     return [range]
   } else if (contains(rangeToRemove, range)) {
     return []
-  } else {
-    const result = []
-    if (rangeToRemove.start > range.start) {
-      const offset = rangeToRemove.start - range.start
-      result.push({ start: range.start, end: range.start + offset })
-    }
-    if (rangeToRemove.end < range.end) {
-      const offset = range.end - rangeToRemove.end
-      result.push({ start: rangeToRemove.end, end: rangeToRemove.end + offset })
-    }
-    return result
   }
+  const result = []
+  if (rangeToRemove.start > range.start) {
+    const offset = rangeToRemove.start - range.start
+    result.push({ start: range.start, end: range.start + offset })
+  }
+  if (rangeToRemove.end < range.end) {
+    const offset = range.end - rangeToRemove.end
+    result.push({ start: rangeToRemove.end, end: rangeToRemove.end + offset })
+  }
+  return result
 }
 module.exports = {

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js CHANGED Viewed

@@ -8,7 +8,6 @@ const { contains, intersects, remove } = require('./range-utils')
 const commandSensitiveAnalyzer = require('./sensitive-analyzers/command-sensitive-analyzer')
 const hardcodedPasswordAnalyzer = require('./sensitive-analyzers/hardcoded-password-analyzer')
-const headerSensitiveAnalyzer = require('./sensitive-analyzers/header-sensitive-analyzer')
 const jsonSensitiveAnalyzer = require('./sensitive-analyzers/json-sensitive-analyzer')
 const ldapSensitiveAnalyzer = require('./sensitive-analyzers/ldap-sensitive-analyzer')
 const sqlSensitiveAnalyzer = require('./sensitive-analyzers/sql-sensitive-analyzer')
@@ -30,9 +29,6 @@ class SensitiveHandler {
     this._sensitiveAnalyzers.set(vulnerabilities.HARDCODED_PASSWORD, (evidence) => {
       return hardcodedPasswordAnalyzer(evidence, this._valuePattern)
     })
-    this._sensitiveAnalyzers.set(vulnerabilities.HEADER_INJECTION, (evidence) => {
-      return headerSensitiveAnalyzer(evidence, this._namePattern, this._valuePattern)
-    })
     this._sensitiveAnalyzers.set(vulnerabilities.LDAP_INJECTION, ldapSensitiveAnalyzer)
     this._sensitiveAnalyzers.set(vulnerabilities.NOSQL_MONGODB_INJECTION, jsonSensitiveAnalyzer)
     this._sensitiveAnalyzers.set(vulnerabilities.SQL_INJECTION, sqlSensitiveAnalyzer)

package/packages/dd-trace/src/appsec/iast/vulnerabilities.js CHANGED Viewed

@@ -3,7 +3,6 @@ module.exports = {
   CODE_INJECTION: 'CODE_INJECTION',
   HARDCODED_PASSWORD: 'HARDCODED_PASSWORD',
   HARDCODED_SECRET: 'HARDCODED_SECRET',
-  HEADER_INJECTION: 'HEADER_INJECTION',
   HSTS_HEADER_MISSING: 'HSTS_HEADER_MISSING',
   INSECURE_COOKIE: 'INSECURE_COOKIE',
   LDAP_INJECTION: 'LDAP_INJECTION',

package/packages/dd-trace/src/appsec/index.js CHANGED Viewed

@@ -37,6 +37,7 @@ const rasp = require('./rasp')
 const { isInServerlessEnvironment } = require('../serverless')
 const responseAnalyzedSet = new WeakSet()
+const storedResponseHeaders = new WeakMap()
 let isEnabled = false
 let config
@@ -45,7 +46,7 @@ function enable (_config) {
   if (isEnabled) return
   try {
-    appsecTelemetry.enable(_config.telemetry)
+    appsecTelemetry.enable(_config)
     graphql.enable()
     if (_config.appsec.rasp.enabled) {
@@ -139,7 +140,7 @@ function incomingHttpStartTranslator ({ req, res, abortController }) {
     [HTTP_CLIENT_IP]: clientIp
   })
-  const requestHeaders = Object.assign({}, req.headers)
+  const requestHeaders = { ...req.headers }
   delete requestHeaders.cookie
   const persistent = {
@@ -187,7 +188,13 @@ function incomingHttpEndTranslator ({ req, res }) {
   waf.disposeContext(req)
-  Reporter.finishRequest(req, res)
+  const storedHeaders = storedResponseHeaders.get(req) || {}
+  Reporter.finishRequest(req, res, storedHeaders)
+  if (storedHeaders) {
+    storedResponseHeaders.delete(req)
+  }
 }
 function onPassportVerify ({ framework, login, user, success, abortController }) {
@@ -285,6 +292,10 @@ function onResponseBody ({ req, res, body }) {
 }
 function onResponseWriteHead ({ req, res, abortController, statusCode, responseHeaders }) {
+  if (Object.keys(responseHeaders).length) {
+    storedResponseHeaders.set(req, responseHeaders)
+  }
   // avoid "write after end" error
   if (isBlocked(res)) {
     abortController?.abort()
@@ -299,12 +310,12 @@ function onResponseWriteHead ({ req, res, abortController, statusCode, responseH
   const rootSpan = web.root(req)
   if (!rootSpan) return
-  responseHeaders = Object.assign({}, responseHeaders)
+  responseHeaders = { ...responseHeaders }
   delete responseHeaders['set-cookie']
   const results = waf.run({
     persistent: {
-      [addresses.HTTP_INCOMING_RESPONSE_CODE]: '' + statusCode,
+      [addresses.HTTP_INCOMING_RESPONSE_CODE]: String(statusCode),
       [addresses.HTTP_INCOMING_RESPONSE_HEADERS]: responseHeaders
     }
   }, req)