dd-trace 5.57.1 → 5.58.0

package/packages/dd-trace/src/appsec/waf/index.js

@@ -2,14 +2,26 @@
 
 const { storage } = require('../../../../datadog-core')
 const log = require('../../log')
+const Reporter = require('../reporter')
+
+class WafUpdateError extends Error {
+  constructor (diagnosticErrors) {
+    super('WafUpdateError')
+    this.name = 'WafUpdateError'
+    this.diagnosticErrors = diagnosticErrors
+  }
+}
 
 const waf = {
   wafManager: null,
   init,
   destroy,
-  update,
+  updateConfig,
+  removeConfig,
+  checkAsmDdFallback,
   run: noop,
-  disposeContext: noop
+  disposeContext: noop,
+  WafUpdateError
 }
 
 function init (rules, config) {
@@ -34,14 +46,43 @@ function destroy () {
   waf.disposeContext = noop
 }
 
-function update (newRules) {
-  // TODO: check race conditions between Appsec enable/disable and WAF updates, the whole RC state management in general
+function checkAsmDdFallback () {
+  if (!waf.wafManager) throw new Error('Cannot update disabled WAF')
+
+  try {
+    waf.wafManager.setAsmDdFallbackConfig()
+  } catch {
+    log.error('[ASM] Could not apply default ruleset back as fallback')
+  }
+}
+
+function updateConfig (product, configId, configPath, config) {
+  if (!waf.wafManager) throw new Error('Cannot update disabled WAF')
+
+  try {
+    if (product === 'ASM_DD') {
+      waf.wafManager.removeConfig(waf.wafManager.constructor.defaultWafConfigPath)
+    }
+
+    const updateSucceeded = waf.wafManager.updateConfig(configPath, config)
+    Reporter.reportWafConfigUpdate(product, configId, waf.wafManager.ddwaf.diagnostics, waf.wafManager.ddwafVersion)
+
+    if (!updateSucceeded) {
+      throw new WafUpdateError(waf.wafManager.ddwaf.diagnostics)
+    }
+  } catch (err) {
+    log.error('[ASM] Could not update config from RC')
+    throw err
+  }
+}
+
+function removeConfig (configPath) {
   if (!waf.wafManager) throw new Error('Cannot update disabled WAF')
 
   try {
-    waf.wafManager.update(newRules)
+    waf.wafManager.removeConfig(configPath)
   } catch (err) {
-    log.error('[ASM] Could not apply rules from remote config')
+    log.error('[ASM] Could not remove config from RC')
     throw err
   }
 }

package/packages/dd-trace/src/appsec/waf/waf_manager.js

@@ -7,11 +7,14 @@ const WAFContextWrapper = require('./waf_context_wrapper')
 const contexts = new WeakMap()
 
 class WAFManager {
+  static get defaultWafConfigPath () { return 'datadog/00/ASM_DD/default/config' }
+
   constructor (rules, config) {
     this.config = config
     this.wafTimeout = config.wafTimeout
     this.ddwaf = this._loadDDWAF(rules)
     this.rulesVersion = this.ddwaf.diagnostics.ruleset_version
+    this.defaultRules = rules
 
     Reporter.reportWafInit(this.ddwafVersion, this.rulesVersion, this.ddwaf.diagnostics.rules, true)
   }
@@ -23,7 +26,7 @@ class WAFManager {
       this.ddwafVersion = DDWAF.version()
 
       const { obfuscatorKeyRegex, obfuscatorValueRegex } = this.config
-      return new DDWAF(rules, { obfuscatorKeyRegex, obfuscatorValueRegex })
+      return new DDWAF(rules, WAFManager.defaultWafConfigPath, { obfuscatorKeyRegex, obfuscatorValueRegex })
     } catch (err) {
       this.ddwafVersion = this.ddwafVersion || 'unknown'
       Reporter.reportWafInit(this.ddwafVersion, 'unknown')
@@ -51,20 +54,27 @@ class WAFManager {
     return wafContext
   }
 
-  update (newRules) {
-    try {
-      this.ddwaf.update(newRules)
+  setRulesVersion () {
+    if (this.ddwaf.diagnostics.ruleset_version) {
+      this.rulesVersion = this.ddwaf.diagnostics.ruleset_version
+    }
+  }
 
-      if (this.ddwaf.diagnostics.ruleset_version) {
-        this.rulesVersion = this.ddwaf.diagnostics.ruleset_version
-      }
+  setAsmDdFallbackConfig () {
+    if (!this.ddwaf.configPaths.some(cp => cp.includes('ASM_DD'))) {
+      this.updateConfig(WAFManager.defaultWafConfigPath, this.defaultRules)
+    }
+  }
 
-      Reporter.reportWafUpdate(this.ddwafVersion, this.rulesVersion, true)
-    } catch (error) {
-      Reporter.reportWafUpdate(this.ddwafVersion, 'unknown', false)
+  updateConfig (path, rules) {
+    const updateResult = this.ddwaf.createOrUpdateConfig(rules, path)
+    this.setRulesVersion()
+    return updateResult
+  }
 
-      throw error
-    }
+  removeConfig (path) {
+    this.ddwaf.removeConfig(path)
+    this.setRulesVersion()
   }
 
   destroy () {

package/packages/dd-trace/src/config.js

@@ -16,7 +16,7 @@ const { updateConfig } = require('./telemetry')
 const telemetryMetrics = require('./telemetry/metrics')
 const { isInServerlessEnvironment, getIsGCPFunction, getIsAzureFunction } = require('./serverless')
 const {
-  ORIGIN_KEY, GRPC_CLIENT_ERROR_STATUSES, GRPC_SERVER_ERROR_STATUSES, INSTRUMENTED_BY_SSI
+  ORIGIN_KEY, GRPC_CLIENT_ERROR_STATUSES, GRPC_SERVER_ERROR_STATUSES
 } = require('./constants')
 const { appendRules } = require('./payload-tagging/config')
 const { getEnvironmentVariable, getEnvironmentVariables } = require('./config-helper')
@@ -529,6 +529,9 @@ class Config {
     defaults['grpc.client.error.statuses'] = GRPC_CLIENT_ERROR_STATUSES
     defaults['grpc.server.error.statuses'] = GRPC_SERVER_ERROR_STATUSES
     defaults.headerTags = []
+    defaults['heapSnapshot.count'] = 0
+    defaults['heapSnapshot.destination'] = ''
+    defaults['heapSnapshot.interval'] = 3600
     defaults.hostname = '127.0.0.1'
     defaults['iast.dbRowsToTaint'] = 1
     defaults['iast.deduplicationEnabled'] = true
@@ -713,6 +716,9 @@ class Config {
       DD_GRPC_CLIENT_ERROR_STATUSES,
       DD_GRPC_SERVER_ERROR_STATUSES,
       JEST_WORKER_ID,
+      DD_HEAP_SNAPSHOT_COUNT,
+      DD_HEAP_SNAPSHOT_DESTINATION,
+      DD_HEAP_SNAPSHOT_INTERVAL,
       DD_IAST_DB_ROWS_TO_TAINT,
       DD_IAST_DEDUPLICATION_ENABLED,
       DD_IAST_ENABLED,
@@ -896,6 +902,9 @@ class Config {
     this._setIntegerRangeSet(env, 'grpc.client.error.statuses', DD_GRPC_CLIENT_ERROR_STATUSES)
     this._setIntegerRangeSet(env, 'grpc.server.error.statuses', DD_GRPC_SERVER_ERROR_STATUSES)
     this._setArray(env, 'headerTags', DD_TRACE_HEADER_TAGS)
+    env['heapSnapshot.count'] = maybeInt(DD_HEAP_SNAPSHOT_COUNT)
+    this._setString(env, 'heapSnapshot.destination', DD_HEAP_SNAPSHOT_DESTINATION)
+    env['heapSnapshot.interval'] = maybeInt(DD_HEAP_SNAPSHOT_INTERVAL)
     this._setString(env, 'hostname', DD_AGENT_HOST)
     env['iast.dbRowsToTaint'] = maybeInt(DD_IAST_DB_ROWS_TO_TAINT)
     this._setBoolean(env, 'iast.deduplicationEnabled', DD_IAST_DEDUPLICATION_ENABLED)
@@ -916,6 +925,7 @@ class Config {
     this._setString(env, 'iast.telemetryVerbosity', DD_IAST_TELEMETRY_VERBOSITY)
     this._setBoolean(env, 'iast.stackTrace.enabled', DD_IAST_STACK_TRACE_ENABLED)
     this._setArray(env, 'injectionEnabled', DD_INJECTION_ENABLED)
+    this._setString(env, 'instrumentationSource', DD_INJECTION_ENABLED ? 'ssi' : 'manual')
     this._setBoolean(env, 'injectForce', DD_INJECT_FORCE)
     this._setBoolean(env, 'isAzureFunction', getIsAzureFunction())
     this._setBoolean(env, 'isGCPFunction', getIsGCPFunction())
@@ -1141,9 +1151,6 @@ class Config {
     opts['iast.securityControlsConfiguration'] = options.iast?.securityControlsConfiguration
     this._setBoolean(opts, 'iast.stackTrace.enabled', options.iast?.stackTrace?.enabled)
     this._setString(opts, 'iast.telemetryVerbosity', options.iast && options.iast.telemetryVerbosity)
-    if (options[INSTRUMENTED_BY_SSI]) {
-      this._setString(opts, 'instrumentationSource', options[INSTRUMENTED_BY_SSI])
-    }
     this._setBoolean(opts, 'isCiVisibility', options.isCiVisibility)
     this._setBoolean(opts, 'legacyBaggageEnabled', options.legacyBaggageEnabled)
     this._setBoolean(opts, 'llmobs.agentlessEnabled', options.llmobs?.agentlessEnabled)

package/packages/dd-trace/src/constants.js

@@ -53,6 +53,5 @@ module.exports = {
   SPAN_POINTER_DIRECTION: Object.freeze({
     UPSTREAM: 'u',
     DOWNSTREAM: 'd'
-  }),
-  INSTRUMENTED_BY_SSI: Symbol('_dd.instrumented.by.ssi')
+  })
 }

package/packages/dd-trace/src/exporters/common/request.js

@@ -19,7 +19,7 @@ const maxActiveRequests = 8
 let activeRequests = 0
 
 function parseUrl (urlObjOrString) {
-  if (typeof urlObjOrString === 'object') return urlToHttpOptions(urlObjOrString)
+  if (urlObjOrString !== null && typeof urlObjOrString === 'object') return urlToHttpOptions(urlObjOrString)
 
   const url = urlToHttpOptions(new URL(urlObjOrString))
 

package/packages/dd-trace/src/heap_snapshots.js

@@ -0,0 +1,58 @@
+'use strict'
+
+const { join } = require('path')
+const { setImmediate, setTimeout } = require('timers/promises')
+const { format } = require('util')
+const { writeHeapSnapshot } = require('v8')
+const { threadId } = require('worker_threads')
+const log = require('./log')
+
+async function scheduleSnapshot (config, total) {
+  if (total > config.heapSnapshot.count) return
+
+  await setTimeout(config.heapSnapshot.interval * 1000, null, { ref: false })
+  await clearMemory()
+  writeHeapSnapshot(getName(config.heapSnapshot.destination))
+  await scheduleSnapshot(config, total + 1)
+}
+
+async function clearMemory () {
+  if (!globalThis.gc) return
+  globalThis.gc()
+  await setImmediate()
+  globalThis.gc() // Run full GC a second time for anything missed in first GC.
+}
+
+function pad (value) {
+  return String(value).padStart(2, 0)
+}
+
+function getName (destination) {
+  const date = new Date()
+  const filename = format(
+    'Heap-%s%s%s-%s%s%s-%s-%s.heapsnapshot',
+    date.getFullYear(),
+    pad(date.getMonth()),
+    pad(date.getDate()),
+    pad(date.getHours()),
+    pad(date.getMinutes()),
+    pad(date.getSeconds()),
+    process.pid,
+    threadId
+  )
+
+  return join(destination, filename)
+}
+
+module.exports = {
+  async start (config) {
+    const destination = config.heapSnapshot.destination
+
+    try {
+      await scheduleSnapshot(config, 1)
+      log.debug('Wrote heap snapshots to %s.', destination)
+    } catch (e) {
+      log.error('Failed to write heap snapshots to %s.', destination, e)
+    }
+  }
+}

package/packages/dd-trace/src/llmobs/noop.js

@@ -39,7 +39,7 @@ class NoopLLMObs {
     const llmobs = this
     return function (target, ctxOrPropertyKey, descriptor) {
       if (!ctxOrPropertyKey) return target
-      if (typeof ctxOrPropertyKey === 'object') {
+      if (typeof ctxOrPropertyKey === 'object') { // eslint-disable-line eslint-rules/eslint-safe-typeof-object
         const ctx = ctxOrPropertyKey
         if (ctx.kind !== 'method') return target
 

package/packages/dd-trace/src/llmobs/span_processor.js

@@ -165,7 +165,7 @@ class LLMObsSpanProcessor {
           carrier[key] = UNSERIALIZABLE_VALUE_TEXT
           continue
         }
-        if (typeof value === 'object') {
+        if (value !== null && typeof value === 'object') {
           add(value, carrier[key] = {})
         } else {
           carrier[key] = value

package/packages/dd-trace/src/log/log.js

@@ -32,7 +32,7 @@ class Log {
     if (firstArg) {
       if (typeof firstArg === 'string') {
         message = firstArg
-      } else if (typeof firstArg === 'object') {
+      } else if (typeof firstArg === 'object') { // eslint-disable-line eslint-rules/eslint-safe-typeof-object
         message = String(firstArg.message || firstArg)
       } else if (typeof firstArg === 'function') {
         delegate = firstArg

package/packages/dd-trace/src/opentracing/span.js

@@ -220,7 +220,7 @@ class DatadogSpan {
   addEvent (name, attributesOrStartTime, startTime) {
     const event = { name }
     if (attributesOrStartTime) {
-      if (typeof attributesOrStartTime === 'object') {
+      if (typeof attributesOrStartTime === 'object') { // eslint-disable-line eslint-rules/eslint-safe-typeof-object
         event.attributes = this._sanitizeEventAttributes(attributesOrStartTime)
       } else {
         startTime = attributesOrStartTime

package/packages/dd-trace/src/payload-tagging/index.js

@@ -5,7 +5,7 @@ const {
   PAYLOAD_TAG_RESPONSE_PREFIX
 } = require('../constants')
 
-const jsonpath = require('./jsonpath-plus.js').JSONPath
+const jsonpath = require('jsonpath-plus').JSONPath
 
 const { tagsFromObject } = require('./tagging')
 

package/packages/dd-trace/src/payload-tagging/tagging.js

@@ -36,7 +36,7 @@ function tagsFromObject (object, opts) {
       return
     }
 
-    if (depth >= maxDepth && typeof object === 'object') {
+    if (depth >= maxDepth && object !== null && typeof object === 'object') {
       tagCount += 1
       result[prefix] = truncated
       return
@@ -65,7 +65,7 @@ function tagsFromObject (object, opts) {
       result[prefix] = object.slice(0, 5000)
     }
 
-    if (typeof object === 'object') {
+    if (typeof object === 'object') { // eslint-disable-line eslint-rules/eslint-safe-typeof-object
       for (const [key, value] of Object.entries(object)) {
         if (redactedKeys.has(key.toLowerCase())) {
           tagCount += 1

package/packages/dd-trace/src/plugins/outbound.js

@@ -8,6 +8,7 @@ const {
 } = require('../constants')
 const TracingPlugin = require('./tracing')
 const { exitTags } = require('../../../datadog-code-origin')
+const { storage } = require('../../../datadog-core')
 
 const COMMON_PEER_SVC_SOURCE_TAGS = [
   'net.peer.name',
@@ -93,6 +94,12 @@ class OutboundPlugin extends TracingPlugin {
   finish (ctx) {
     const span = ctx?.currentStore?.span || this.activeSpan
     this.tagPeerService(span)
+
+    if (this._tracerConfig?._isInServerlessEnvironment()) {
+      const peerHostname = storage('peerServerless').getStore()?.peerHostname
+      if (peerHostname) span.setTag('peer.service', peerHostname)
+    }
+
     super.finish(...arguments)
   }
 

package/packages/dd-trace/src/profiling/profilers/wall.js

@@ -213,10 +213,10 @@ class NativeWallProfiler {
   }
 
   _updateContext (context) {
-    if (typeof context.spanId === 'object') {
+    if (context.spanId !== null && typeof context.spanId === 'object') {
       context.spanId = context.spanId.toString(10)
     }
-    if (typeof context.rootSpanId === 'object') {
+    if (context.rootSpanId !== null && typeof context.rootSpanId === 'object') {
       context.rootSpanId = context.rootSpanId.toString(10)
     }
     if (context.webTags !== undefined && context.endpoint === undefined) {

package/packages/dd-trace/src/proxy.js

@@ -100,6 +100,10 @@ class Tracer extends NoopProxy {
         require('./crashtracking').start(config)
       }
 
+      if (config.heapSnapshot.count > 0) {
+        require('./heap_snapshots').start(config)
+      }
+
       telemetry.start(config, this._pluginManager)
 
       if (config.dogstatsd) {

package/packages/dd-trace/src/service-naming/schemas/definition.js

@@ -3,20 +3,13 @@ class SchemaDefinition {
     this.schema = schema
   }
 
-  getSchemaItem (type, kind, plugin) {
-    const schema = this.schema
-    if (schema && schema[type] && schema[type][kind] && schema[type][kind][plugin]) {
-      return schema[type][kind][plugin]
-    }
-  }
-
   getOpName (type, kind, plugin, opts) {
-    const item = this.getSchemaItem(type, kind, plugin)
+    const item = this.schema[type][kind][plugin]
     return item.opName(opts)
   }
 
   getServiceName (type, kind, plugin, opts) {
-    const item = this.getSchemaItem(type, kind, plugin)
+    const item = this.schema[type][kind][plugin]
     return item.serviceName(opts)
   }
 }

package/packages/dd-trace/src/service-naming/schemas/v1/storage.js

@@ -14,7 +14,8 @@ const mySQLNaming = {
 
 function withFunction ({ tracerService, pluginConfig, params }) {
   if (typeof pluginConfig.service === 'function') {
-    return pluginConfig.service(params)
+    const result = pluginConfig.service(params)
+    return typeof result === 'string' && result.length > 0 ? result : tracerService
   }
   return configWithFallback({ tracerService, pluginConfig })
 }

package/packages/dd-trace/src/supported-configurations.json

@@ -78,6 +78,9 @@
     "DD_GIT_PULL_REQUEST_BASE_BRANCH_SHA": ["A"],
     "DD_GRPC_CLIENT_ERROR_STATUSES": ["A"],
     "DD_GRPC_SERVER_ERROR_STATUSES": ["A"],
+    "DD_HEAP_SNAPSHOT_COUNT": ["A"],
+    "DD_HEAP_SNAPSHOT_INTERVAL": ["A"],
+    "DD_HEAP_SNAPSHOT_DESTINATION": ["A"],
     "DD_IAST_DB_ROWS_TO_TAINT": ["A"],
     "DD_IAST_DEDUPLICATION_ENABLED": ["A"],
     "DD_IAST_ENABLED": ["A"],