dd-trace 5.8.0 → 5.10.0

package/packages/dd-trace/src/appsec/iast/analyzers/analyzers.js

@@ -1,21 +1,21 @@
 'use strict'
 
 module.exports = {
-  'COMMAND_INJECTION_ANALYZER': require('./command-injection-analyzer'),
-  'HARCODED_SECRET_ANALYZER': require('./hardcoded-secret-analyzer'),
-  'HEADER_INJECTION_ANALYZER': require('./header-injection-analyzer'),
-  'HSTS_HEADER_MISSING_ANALYZER': require('./hsts-header-missing-analyzer'),
-  'INSECURE_COOKIE_ANALYZER': require('./insecure-cookie-analyzer'),
-  'LDAP_ANALYZER': require('./ldap-injection-analyzer'),
-  'NO_HTTPONLY_COOKIE_ANALYZER': require('./no-httponly-cookie-analyzer'),
-  'NO_SAMESITE_COOKIE_ANALYZER': require('./no-samesite-cookie-analyzer'),
-  'NOSQL_MONGODB_INJECTION': require('./nosql-injection-mongodb-analyzer'),
-  'PATH_TRAVERSAL_ANALYZER': require('./path-traversal-analyzer'),
-  'SQL_INJECTION_ANALYZER': require('./sql-injection-analyzer'),
-  'SSRF': require('./ssrf-analyzer'),
-  'UNVALIDATED_REDIRECT_ANALYZER': require('./unvalidated-redirect-analyzer'),
-  'WEAK_CIPHER_ANALYZER': require('./weak-cipher-analyzer'),
-  'WEAK_HASH_ANALYZER': require('./weak-hash-analyzer'),
-  'WEAK_RANDOMNESS_ANALYZER': require('./weak-randomness-analyzer'),
-  'XCONTENTTYPE_HEADER_MISSING_ANALYZER': require('./xcontenttype-header-missing-analyzer')
+  COMMAND_INJECTION_ANALYZER: require('./command-injection-analyzer'),
+  HARCODED_SECRET_ANALYZER: require('./hardcoded-secret-analyzer'),
+  HEADER_INJECTION_ANALYZER: require('./header-injection-analyzer'),
+  HSTS_HEADER_MISSING_ANALYZER: require('./hsts-header-missing-analyzer'),
+  INSECURE_COOKIE_ANALYZER: require('./insecure-cookie-analyzer'),
+  LDAP_ANALYZER: require('./ldap-injection-analyzer'),
+  NO_HTTPONLY_COOKIE_ANALYZER: require('./no-httponly-cookie-analyzer'),
+  NO_SAMESITE_COOKIE_ANALYZER: require('./no-samesite-cookie-analyzer'),
+  NOSQL_MONGODB_INJECTION: require('./nosql-injection-mongodb-analyzer'),
+  PATH_TRAVERSAL_ANALYZER: require('./path-traversal-analyzer'),
+  SQL_INJECTION_ANALYZER: require('./sql-injection-analyzer'),
+  SSRF: require('./ssrf-analyzer'),
+  UNVALIDATED_REDIRECT_ANALYZER: require('./unvalidated-redirect-analyzer'),
+  WEAK_CIPHER_ANALYZER: require('./weak-cipher-analyzer'),
+  WEAK_HASH_ANALYZER: require('./weak-hash-analyzer'),
+  WEAK_RANDOMNESS_ANALYZER: require('./weak-randomness-analyzer'),
+  XCONTENTTYPE_HEADER_MISSING_ANALYZER: require('./xcontenttype-header-missing-analyzer')
 }

package/packages/dd-trace/src/appsec/iast/analyzers/cookie-analyzer.js

@@ -34,6 +34,7 @@ class CookieAnalyzer extends Analyzer {
   _getExcludedPaths () {
     return EXCLUDED_PATHS
   }
+
   _checkOCE (context, value) {
     if (value && value.location) {
       return true

package/packages/dd-trace/src/appsec/iast/analyzers/hardcoded-secrets-rules.js

@@ -3,267 +3,267 @@
 
 module.exports = [
   {
-    'id': 'adobe-client-secret',
-    'regex': /\b((p8e-)[a-z0-9]{32})(?:['"\s\x60;]|$)/i
+    id: 'adobe-client-secret',
+    regex: /\b((p8e-)[a-z0-9]{32})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'age-secret-key',
-    'regex': /AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}/
+    id: 'age-secret-key',
+    regex: /AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}/
   },
   {
-    'id': 'alibaba-access-key-id',
-    'regex': /\b((LTAI)[a-z0-9]{20})(?:['"\s\x60;]|$)/i
+    id: 'alibaba-access-key-id',
+    regex: /\b((LTAI)[a-z0-9]{20})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'authress-service-client-access-key',
-    'regex': /\b((?:sc|ext|scauth|authress)_[a-z0-9]{5,30}\.[a-z0-9]{4,6}\.acc[_-][a-z0-9-]{10,32}\.[a-z0-9+/_=-]{30,120})(?:['"\s\x60;]|$)/i
+    id: 'authress-service-client-access-key',
+    regex: /\b((?:sc|ext|scauth|authress)_[a-z0-9]{5,30}\.[a-z0-9]{4,6}\.acc[_-][a-z0-9-]{10,32}\.[a-z0-9+/_=-]{30,120})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'aws-access-token',
-    'regex': /\b((A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16})(?:['"\s\x60;]|$)/
+    id: 'aws-access-token',
+    regex: /\b((A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16})(?:['"\s\x60;]|$)/
   },
   {
-    'id': 'clojars-api-token',
-    'regex': /(CLOJARS_)[a-z0-9]{60}/i
+    id: 'clojars-api-token',
+    regex: /(CLOJARS_)[a-z0-9]{60}/i
   },
   {
-    'id': 'databricks-api-token',
-    'regex': /\b(dapi[a-h0-9]{32})(?:['"\s\x60;]|$)/i
+    id: 'databricks-api-token',
+    regex: /\b(dapi[a-h0-9]{32})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'digitalocean-access-token',
-    'regex': /\b(doo_v1_[a-f0-9]{64})(?:['"\s\x60;]|$)/i
+    id: 'digitalocean-access-token',
+    regex: /\b(doo_v1_[a-f0-9]{64})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'digitalocean-pat',
-    'regex': /\b(dop_v1_[a-f0-9]{64})(?:['"\s\x60;]|$)/i
+    id: 'digitalocean-pat',
+    regex: /\b(dop_v1_[a-f0-9]{64})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'digitalocean-refresh-token',
-    'regex': /\b(dor_v1_[a-f0-9]{64})(?:['"\s\x60;]|$)/i
+    id: 'digitalocean-refresh-token',
+    regex: /\b(dor_v1_[a-f0-9]{64})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'doppler-api-token',
-    'regex': /(dp\.pt\.)[a-z0-9]{43}/i
+    id: 'doppler-api-token',
+    regex: /(dp\.pt\.)[a-z0-9]{43}/i
   },
   {
-    'id': 'duffel-api-token',
-    'regex': /duffel_(test|live)_[a-z0-9_\-=]{43}/i
+    id: 'duffel-api-token',
+    regex: /duffel_(test|live)_[a-z0-9_\-=]{43}/i
   },
   {
-    'id': 'dynatrace-api-token',
-    'regex': /dt0c01\.[a-z0-9]{24}\.[a-z0-9]{64}/i
+    id: 'dynatrace-api-token',
+    regex: /dt0c01\.[a-z0-9]{24}\.[a-z0-9]{64}/i
   },
   {
-    'id': 'easypost-api-token',
-    'regex': /\bEZAK[a-z0-9]{54}/i
+    id: 'easypost-api-token',
+    regex: /\bEZAK[a-z0-9]{54}/i
   },
   {
-    'id': 'flutterwave-public-key',
-    'regex': /FLWPUBK_TEST-[a-h0-9]{32}-X/i
+    id: 'flutterwave-public-key',
+    regex: /FLWPUBK_TEST-[a-h0-9]{32}-X/i
   },
   {
-    'id': 'frameio-api-token',
-    'regex': /fio-u-[a-z0-9\-_=]{64}/i
+    id: 'frameio-api-token',
+    regex: /fio-u-[a-z0-9\-_=]{64}/i
   },
   {
-    'id': 'gcp-api-key',
-    'regex': /\b(AIza[0-9a-z\-_]{35})(?:['"\s\x60;]|$)/i
+    id: 'gcp-api-key',
+    regex: /\b(AIza[0-9a-z\-_]{35})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'github-app-token',
-    'regex': /(ghu|ghs)_[0-9a-zA-Z]{36}/
+    id: 'github-app-token',
+    regex: /(ghu|ghs)_[0-9a-zA-Z]{36}/
   },
   {
-    'id': 'github-fine-grained-pat',
-    'regex': /github_pat_[0-9a-zA-Z_]{82}/
+    id: 'github-fine-grained-pat',
+    regex: /github_pat_[0-9a-zA-Z_]{82}/
   },
   {
-    'id': 'github-oauth',
-    'regex': /gho_[0-9a-zA-Z]{36}/
+    id: 'github-oauth',
+    regex: /gho_[0-9a-zA-Z]{36}/
   },
   {
-    'id': 'github-pat',
-    'regex': /ghp_[0-9a-zA-Z]{36}/
+    id: 'github-pat',
+    regex: /ghp_[0-9a-zA-Z]{36}/
   },
   {
-    'id': 'gitlab-pat',
-    'regex': /glpat-[0-9a-zA-Z\-_]{20}/
+    id: 'gitlab-pat',
+    regex: /glpat-[0-9a-zA-Z\-_]{20}/
   },
   {
-    'id': 'gitlab-ptt',
-    'regex': /glptt-[0-9a-f]{40}/
+    id: 'gitlab-ptt',
+    regex: /glptt-[0-9a-f]{40}/
   },
   {
-    'id': 'gitlab-rrt',
-    'regex': /GR1348941[0-9a-zA-Z\-_]{20}/
+    id: 'gitlab-rrt',
+    regex: /GR1348941[0-9a-zA-Z\-_]{20}/
   },
   {
-    'id': 'grafana-api-key',
-    'regex': /\b(eyJrIjoi[a-z0-9]{70,400}={0,2})(?:['"\s\x60;]|$)/i
+    id: 'grafana-api-key',
+    regex: /\b(eyJrIjoi[a-z0-9]{70,400}={0,2})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'grafana-cloud-api-token',
-    'regex': /\b(glc_[a-z0-9+/]{32,400}={0,2})(?:['"\s\x60;]|$)/i
+    id: 'grafana-cloud-api-token',
+    regex: /\b(glc_[a-z0-9+/]{32,400}={0,2})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'grafana-service-account-token',
-    'regex': /\b(glsa_[a-z0-9]{32}_[a-f0-9]{8})(?:['"\s\x60;]|$)/i
+    id: 'grafana-service-account-token',
+    regex: /\b(glsa_[a-z0-9]{32}_[a-f0-9]{8})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'hashicorp-tf-api-token',
-    'regex': /[a-z0-9]{14}\.atlasv1\.[a-z0-9\-_=]{60,70}/i
+    id: 'hashicorp-tf-api-token',
+    regex: /[a-z0-9]{14}\.atlasv1\.[a-z0-9\-_=]{60,70}/i
   },
   {
-    'id': 'jwt',
-    'regex': /\b(ey[a-zA-Z0-9]{17,}\.ey[a-zA-Z0-9/_-]{17,}\.(?:[a-zA-Z0-9/_-]{10,}={0,2})?)(?:['"\s\x60;]|$)/
+    id: 'jwt',
+    regex: /\b(ey[a-zA-Z0-9]{17,}\.ey[a-zA-Z0-9/_-]{17,}\.(?:[a-zA-Z0-9/_-]{10,}={0,2})?)(?:['"\s\x60;]|$)/
   },
   {
-    'id': 'linear-api-key',
-    'regex': /lin_api_[a-z0-9]{40}/i
+    id: 'linear-api-key',
+    regex: /lin_api_[a-z0-9]{40}/i
   },
   {
-    'id': 'npm-access-token',
-    'regex': /\b(npm_[a-z0-9]{36})(?:['"\s\x60;]|$)/i
+    id: 'npm-access-token',
+    regex: /\b(npm_[a-z0-9]{36})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'openai-api-key',
-    'regex': /\b(sk-[a-z0-9]{20}T3BlbkFJ[a-z0-9]{20})(?:['"\s\x60;]|$)/i
+    id: 'openai-api-key',
+    regex: /\b(sk-[a-z0-9]{20}T3BlbkFJ[a-z0-9]{20})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'planetscale-api-token',
-    'regex': /\b(pscale_tkn_[a-z0-9=\-_.]{32,64})(?:['"\s\x60;]|$)/i
+    id: 'planetscale-api-token',
+    regex: /\b(pscale_tkn_[a-z0-9=\-_.]{32,64})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'planetscale-oauth-token',
-    'regex': /\b(pscale_oauth_[a-z0-9=\-_.]{32,64})(?:['"\s\x60;]|$)/i
+    id: 'planetscale-oauth-token',
+    regex: /\b(pscale_oauth_[a-z0-9=\-_.]{32,64})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'planetscale-password',
-    'regex': /\b(pscale_pw_[a-z0-9=\-_.]{32,64})(?:['"\s\x60;]|$)/i
+    id: 'planetscale-password',
+    regex: /\b(pscale_pw_[a-z0-9=\-_.]{32,64})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'postman-api-token',
-    'regex': /\b(PMAK-[a-f0-9]{24}-[a-f0-9]{34})(?:['"\s\x60;]|$)/i
+    id: 'postman-api-token',
+    regex: /\b(PMAK-[a-f0-9]{24}-[a-f0-9]{34})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'prefect-api-token',
-    'regex': /\b(pnu_[a-z0-9]{36})(?:['"\s\x60;]|$)/i
+    id: 'prefect-api-token',
+    regex: /\b(pnu_[a-z0-9]{36})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'private-key',
-    'regex': /-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY( BLOCK)?-----[\s\S]*KEY( BLOCK)?----/i
+    id: 'private-key',
+    regex: /-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY( BLOCK)?-----[\s\S]*KEY( BLOCK)?----/i
   },
   {
-    'id': 'pulumi-api-token',
-    'regex': /\b(pul-[a-f0-9]{40})(?:['"\s\x60;]|$)/i
+    id: 'pulumi-api-token',
+    regex: /\b(pul-[a-f0-9]{40})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'pypi-upload-token',
-    'regex': /pypi-AgEIcHlwaS5vcmc[A-Za-z0-9\-_]{50,1000}/
+    id: 'pypi-upload-token',
+    regex: /pypi-AgEIcHlwaS5vcmc[A-Za-z0-9\-_]{50,1000}/
   },
   {
-    'id': 'readme-api-token',
-    'regex': /\b(rdme_[a-z0-9]{70})(?:['"\s\x60;]|$)/i
+    id: 'readme-api-token',
+    regex: /\b(rdme_[a-z0-9]{70})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'rubygems-api-token',
-    'regex': /\b(rubygems_[a-f0-9]{48})(?:['"\s\x60;]|$)/i
+    id: 'rubygems-api-token',
+    regex: /\b(rubygems_[a-f0-9]{48})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'scalingo-api-token',
-    'regex': /tk-us-[a-zA-Z0-9-_]{48}/
+    id: 'scalingo-api-token',
+    regex: /tk-us-[a-zA-Z0-9-_]{48}/
   },
   {
-    'id': 'sendgrid-api-token',
-    'regex': /\b(SG\.[a-z0-9=_\-.]{66})(?:['"\s\x60;]|$)/i
+    id: 'sendgrid-api-token',
+    regex: /\b(SG\.[a-z0-9=_\-.]{66})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'sendinblue-api-token',
-    'regex': /\b(xkeysib-[a-f0-9]{64}-[a-z0-9]{16})(?:['"\s\x60;]|$)/i
+    id: 'sendinblue-api-token',
+    regex: /\b(xkeysib-[a-f0-9]{64}-[a-z0-9]{16})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'shippo-api-token',
-    'regex': /\b(shippo_(live|test)_[a-f0-9]{40})(?:['"\s\x60;]|$)/i
+    id: 'shippo-api-token',
+    regex: /\b(shippo_(live|test)_[a-f0-9]{40})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'shopify-access-token',
-    'regex': /shpat_[a-fA-F0-9]{32}/
+    id: 'shopify-access-token',
+    regex: /shpat_[a-fA-F0-9]{32}/
   },
   {
-    'id': 'shopify-custom-access-token',
-    'regex': /shpca_[a-fA-F0-9]{32}/
+    id: 'shopify-custom-access-token',
+    regex: /shpca_[a-fA-F0-9]{32}/
   },
   {
-    'id': 'shopify-private-app-access-token',
-    'regex': /shppa_[a-fA-F0-9]{32}/
+    id: 'shopify-private-app-access-token',
+    regex: /shppa_[a-fA-F0-9]{32}/
   },
   {
-    'id': 'shopify-shared-secret',
-    'regex': /shpss_[a-fA-F0-9]{32}/
+    id: 'shopify-shared-secret',
+    regex: /shpss_[a-fA-F0-9]{32}/
   },
   {
-    'id': 'slack-app-token',
-    'regex': /(xapp-\d-[A-Z0-9]+-\d+-[a-z0-9]+)/i
+    id: 'slack-app-token',
+    regex: /(xapp-\d-[A-Z0-9]+-\d+-[a-z0-9]+)/i
   },
   {
-    'id': 'slack-bot-token',
-    'regex': /(xoxb-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*)/
+    id: 'slack-bot-token',
+    regex: /(xoxb-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*)/
   },
   {
-    'id': 'slack-config-access-token',
-    'regex': /(xoxe.xox[bp]-\d-[A-Z0-9]{163,166})/i
+    id: 'slack-config-access-token',
+    regex: /(xoxe.xox[bp]-\d-[A-Z0-9]{163,166})/i
   },
   {
-    'id': 'slack-config-refresh-token',
-    'regex': /(xoxe-\d-[A-Z0-9]{146})/i
+    id: 'slack-config-refresh-token',
+    regex: /(xoxe-\d-[A-Z0-9]{146})/i
   },
   {
-    'id': 'slack-legacy-bot-token',
-    'regex': /(xoxb-[0-9]{8,14}-[a-zA-Z0-9]{18,26})/
+    id: 'slack-legacy-bot-token',
+    regex: /(xoxb-[0-9]{8,14}-[a-zA-Z0-9]{18,26})/
   },
   {
-    'id': 'slack-legacy-token',
-    'regex': /(xox[os]-\d+-\d+-\d+-[a-fA-F\d]+)/
+    id: 'slack-legacy-token',
+    regex: /(xox[os]-\d+-\d+-\d+-[a-fA-F\d]+)/
   },
   {
-    'id': 'slack-legacy-workspace-token',
-    'regex': /(xox[ar]-(?:\d-)?[0-9a-zA-Z]{8,48})/
+    id: 'slack-legacy-workspace-token',
+    regex: /(xox[ar]-(?:\d-)?[0-9a-zA-Z]{8,48})/
   },
   {
-    'id': 'slack-user-token',
-    'regex': /(xox[pe](?:-[0-9]{10,13}){3}-[a-zA-Z0-9-]{28,34})/
+    id: 'slack-user-token',
+    regex: /(xox[pe](?:-[0-9]{10,13}){3}-[a-zA-Z0-9-]{28,34})/
   },
   {
-    'id': 'slack-webhook-url',
-    'regex': /(https?:\/\/)?hooks.slack.com\/(services|workflows)\/[A-Za-z0-9+/]{43,46}/
+    id: 'slack-webhook-url',
+    regex: /(https?:\/\/)?hooks.slack.com\/(services|workflows)\/[A-Za-z0-9+/]{43,46}/
   },
   {
-    'id': 'square-access-token',
-    'regex': /\b(sq0atp-[0-9a-z\-_]{22})(?:['"\s\x60;]|$)/i
+    id: 'square-access-token',
+    regex: /\b(sq0atp-[0-9a-z\-_]{22})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'square-secret',
-    'regex': /\b(sq0csp-[0-9a-z\-_]{43})(?:['"\s\x60;]|$)/i
+    id: 'square-secret',
+    regex: /\b(sq0csp-[0-9a-z\-_]{43})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'stripe-access-token',
-    'regex': /(sk|pk)_(test|live)_[0-9a-z]{10,32}/i
+    id: 'stripe-access-token',
+    regex: /(sk|pk)_(test|live)_[0-9a-z]{10,32}/i
   },
   {
-    'id': 'telegram-bot-api-token',
-    'regex': /(?:^|[^0-9])([0-9]{5,16}:A[a-z0-9_-]{34})(?:$|[^a-z0-9_-])/i
+    id: 'telegram-bot-api-token',
+    regex: /(?:^|[^0-9])([0-9]{5,16}:A[a-z0-9_-]{34})(?:$|[^a-z0-9_-])/i
   },
   {
-    'id': 'twilio-api-key',
-    'regex': /SK[0-9a-fA-F]{32}/
+    id: 'twilio-api-key',
+    regex: /SK[0-9a-fA-F]{32}/
   },
   {
-    'id': 'vault-batch-token',
-    'regex': /\b(hvb\.[a-z0-9_-]{138,212})(?:['"\s\x60;]|$)/i
+    id: 'vault-batch-token',
+    regex: /\b(hvb\.[a-z0-9_-]{138,212})(?:['"\s\x60;]|$)/i
   },
   {
-    'id': 'vault-service-token',
-    'regex': /\b(hvs\.[a-z0-9_-]{90,100})(?:['"\s\x60;]|$)/i
+    id: 'vault-service-token',
+    regex: /\b(hvs\.[a-z0-9_-]{90,100})(?:['"\s\x60;]|$)/i
   }
 ]

package/packages/dd-trace/src/appsec/iast/analyzers/hsts-header-missing-analyzer.js

@@ -9,6 +9,7 @@ class HstsHeaderMissingAnalyzer extends MissingHeaderAnalyzer {
   constructor () {
     super(HSTS_HEADER_MISSING, HSTS_HEADER_NAME)
   }
+
   _isVulnerableFromRequestAndResponse (req, res) {
     const headerValues = this._getHeaderValues(res, HSTS_HEADER_NAME)
     return this._isHttpsProtocol(req) && (

package/packages/dd-trace/src/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.js

@@ -12,7 +12,7 @@ const { HTTP_REQUEST_PARAMETER, HTTP_REQUEST_BODY } = require('../taint-tracking
 const EXCLUDED_PATHS_FROM_STACK = getNodeModulesPaths('mongodb', 'mongoose', 'mquery')
 const MONGODB_NOSQL_SECURE_MARK = getNextSecureMark()
 
-function iterateObjectStrings (target, fn, levelKeys = [], depth = 50, visited = new Set()) {
+function iterateObjectStrings (target, fn, levelKeys = [], depth = 20, visited = new Set()) {
   if (target && typeof target === 'object') {
     Object.keys(target).forEach((key) => {
       const nextLevelKeys = [...levelKeys, key]

package/packages/dd-trace/src/appsec/iast/analyzers/weak-hash-analyzer.js

@@ -20,11 +20,15 @@ const EXCLUDED_LOCATIONS = getNodeModulesPaths(
   'pusher/lib/utils.js',
   'redlock/dist/cjs',
   'sqreen/lib/package-reader/index.js',
-  'ws/lib/websocket-server.js'
+  'ws/lib/websocket-server.js',
+  'google-gax/build/src/grpc.js',
+  'cookie-signature/index.js'
 )
 
 const EXCLUDED_PATHS_FROM_STACK = [
-  path.join('node_modules', 'object-hash', path.sep)
+  path.join('node_modules', 'object-hash', path.sep),
+  path.join('node_modules', 'aws-sdk', 'lib', 'util.js'),
+  path.join('node_modules', 'keygrip', path.sep)
 ]
 class WeakHashAnalyzer extends Analyzer {
   constructor () {

package/packages/dd-trace/src/appsec/iast/overhead-controller.js

@@ -54,7 +54,8 @@ function _resetGlobalContext () {
 function acquireRequest (rootSpan) {
   if (availableRequest > 0 && rootSpan) {
     const sampling = config && typeof config.requestSampling === 'number'
-      ? config.requestSampling : 30
+      ? config.requestSampling
+      : 30
     if (rootSpan.context().toSpanId().slice(-2) <= sampling) {
       availableRequest--
       return true

package/packages/dd-trace/src/appsec/iast/taint-tracking/index.js

@@ -33,8 +33,8 @@ module.exports = {
     kafkaContextPlugin.disable()
     kafkaConsumerPlugin.disable()
   },
-  setMaxTransactions: setMaxTransactions,
-  createTransaction: createTransaction,
-  removeTransaction: removeTransaction,
+  setMaxTransactions,
+  createTransaction,
+  removeTransaction,
   taintTrackingPlugin
 }

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js

@@ -30,9 +30,9 @@ class TaintTrackingPlugin extends SourceIastPlugin {
       { channelName: 'datadog:body-parser:read:finish', tag: HTTP_REQUEST_BODY },
       ({ req }) => {
         const iastContext = getIastContext(storage.getStore())
-        if (iastContext && iastContext['body'] !== req.body) {
+        if (iastContext && iastContext.body !== req.body) {
           this._taintTrackingHandler(HTTP_REQUEST_BODY, req, 'body', iastContext)
-          iastContext['body'] = req.body
+          iastContext.body = req.body
         }
       }
     )
@@ -47,9 +47,9 @@ class TaintTrackingPlugin extends SourceIastPlugin {
       ({ req }) => {
         if (req && req.body && typeof req.body === 'object') {
           const iastContext = getIastContext(storage.getStore())
-          if (iastContext && iastContext['body'] !== req.body) {
+          if (iastContext && iastContext.body !== req.body) {
             this._taintTrackingHandler(HTTP_REQUEST_BODY, req, 'body', iastContext)
-            iastContext['body'] = req.body
+            iastContext.body = req.body
           }
         }
       }

package/packages/dd-trace/src/appsec/iast/taint-tracking/taint-tracking-impl.js

@@ -107,7 +107,7 @@ function csiMethodsOverrides (getContext) {
           return TaintedUtils.concat(transactionId, res, op1, op2)
         }
       } catch (e) {
-        iastLog.error(`Error invoking CSI plusOperator`)
+        iastLog.error('Error invoking CSI plusOperator')
           .errorAndPublish(e)
       }
       return res

package/packages/dd-trace/src/appsec/iast/telemetry/namespaces.js

@@ -2,8 +2,9 @@
 
 const log = require('../../../log')
 const { Namespace } = require('../../../telemetry/metrics')
-const { addMetricsToSpan, filterTags } = require('./span-tags')
+const { addMetricsToSpan } = require('./span-tags')
 const { IAST_TRACE_METRIC_PREFIX } = require('../tags')
+const iastLog = require('../iast-log')
 
 const DD_IAST_METRICS_NAMESPACE = Symbol('_dd.iast.request.metrics.namespace')
 
@@ -24,12 +25,11 @@ function finalizeRequestNamespace (context, rootSpan) {
     const namespace = getNamespaceFromContext(context)
     if (!namespace) return
 
-    const metrics = [...namespace.metrics.values()]
-    namespace.metrics.clear()
+    addMetricsToSpan(rootSpan, [...namespace.metrics.values()], IAST_TRACE_METRIC_PREFIX)
 
-    addMetricsToSpan(rootSpan, metrics, IAST_TRACE_METRIC_PREFIX)
+    merge(namespace)
 
-    merge(metrics)
+    namespace.clear()
   } catch (e) {
     log.error(e)
   } finally {
@@ -39,27 +39,24 @@ function finalizeRequestNamespace (context, rootSpan) {
   }
 }
 
-function merge (metrics) {
-  metrics.forEach(metric => {
-    const { metric: metricName, type, tags, points } = metric
+function merge (namespace) {
+  for (const [metricName, metricsByTagMap] of namespace.iastMetrics) {
+    for (const [tags, metric] of metricsByTagMap) {
+      const { type, points } = metric
 
-    if (points?.length && type === 'count') {
-      const gMetric = globalNamespace.count(metricName, getTagsObject(tags))
-      points.forEach(point => gMetric.inc(point[1]))
+      if (points?.length && type === 'count') {
+        const gMetric = globalNamespace.getMetric(metricName, tags)
+        points.forEach(point => gMetric.inc(point[1]))
+      }
     }
-  })
-}
-
-function getTagsObject (tags) {
-  if (tags && tags.length > 0) {
-    return filterTags(tags)
   }
 }
 
 class IastNamespace extends Namespace {
-  constructor () {
+  constructor (maxMetricTagsSize = 100) {
     super('iast')
 
+    this.maxMetricTagsSize = maxMetricTagsSize
     this.iastMetrics = new Map()
   }
 
@@ -79,6 +76,12 @@ class IastNamespace extends Namespace {
     let metric = metrics.get(tags)
     if (!metric) {
       metric = super[type](name, Array.isArray(tags) ? [...tags] : tags)
+
+      if (metrics.size === this.maxMetricTagsSize) {
+        metrics.clear()
+        iastLog.warnAndPublish(`Tags cache max size reached for metric ${name}`)
+      }
+
       metrics.set(tags, metric)
     }
 
@@ -88,6 +91,12 @@ class IastNamespace extends Namespace {
   count (name, tags) {
     return this.getMetric(name, tags, 'count')
   }
+
+  clear () {
+    this.iastMetrics.clear()
+    this.distributions.clear()
+    this.metrics.clear()
+  }
 }
 
 const globalNamespace = new IastNamespace()

package/packages/dd-trace/src/appsec/iast/telemetry/span-tags.js

@@ -40,7 +40,7 @@ function taggedMetricName (data) {
 }
 
 function filterTags (tags) {
-  return tags?.filter(tag => !tag.startsWith('lib_language') && !tag.startsWith('version'))
+  return tags?.filter(tag => !tag.startsWith('version'))
 }
 
 function processTagValue (tags) {