npm - dd-trace - Versions diffs - 5.80.0 → 5.82.0 - Mend

dd-trace 5.80.0 → 5.82.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (460) hide show

package/packages/dd-trace/src/appsec/iast/analyzers/weak-hash-analyzer.js CHANGED Viewed

@@ -3,8 +3,8 @@
 const path = require('path')
 const { getNodeModulesPaths } = require('../path-line')
-const Analyzer = require('./vulnerability-analyzer')
 const { WEAK_HASH } = require('../vulnerabilities')
+const Analyzer = require('./vulnerability-analyzer')
 const INSECURE_HASH_ALGORITHMS = new Set([
   'md4', 'md4WithRSAEncryption', 'RSA-MD4',
@@ -23,7 +23,8 @@ const EXCLUDED_LOCATIONS = getNodeModulesPaths(
   'ws/lib/websocket-server.js',
   'google-gax/build/src/grpc.js',
   'cookie-signature/index.js',
-  'express-session/index.js'
+  'express-session/index.js',
+  'node-preload/preload-list-env.js'
 )
 const EXCLUDED_PATHS_FROM_STACK = [

package/packages/dd-trace/src/appsec/iast/analyzers/weak-randomness-analyzer.js CHANGED Viewed

@@ -1,6 +1,6 @@
 'use strict'
-const Analyzer = require('./vulnerability-analyzer')
 const { WEAK_RANDOMNESS } = require('../vulnerabilities')
+const Analyzer = require('./vulnerability-analyzer')
 class WeakRandomnessAnalyzer extends Analyzer {
   constructor () {

package/packages/dd-trace/src/appsec/iast/iast-plugin.js CHANGED Viewed

@@ -3,13 +3,13 @@
 const { channel } = require('dc-polyfill')
 const Plugin = require('../../plugins/plugin')
+const { storage } = require('../../../../datadog-core')
+const instrumentations = require('../../../../datadog-instrumentations/src/helpers/instrumentations')
+const log = require('../../log')
 const iastTelemetry = require('./telemetry')
 const { getInstrumentedMetric, getExecutedMetric, TagKey, EXECUTED_SOURCE, formatTags } =
   require('./telemetry/iast-metric')
-const { storage } = require('../../../../datadog-core')
 const { getIastContext } = require('./iast-context')
-const instrumentations = require('../../../../datadog-instrumentations/src/helpers/instrumentations')
-const log = require('../../log')
 /**
  * Used by vulnerability sources and sinks to subscribe diagnostic channel events

package/packages/dd-trace/src/appsec/iast/index.js CHANGED Viewed

@@ -1,11 +1,13 @@
 'use strict'
-const vulnerabilityReporter = require('./vulnerability-reporter')
-const { enableAllAnalyzers, disableAllAnalyzers } = require('./analyzers')
+const dc = require('dc-polyfill')
 const web = require('../../plugins/util/web')
 const { storage } = require('../../../../datadog-core')
+const { enable: enableFsPlugin, disable: disableFsPlugin, IAST_MODULE } = require('../rasp/fs-plugin')
+const { incomingHttpRequestStart, incomingHttpRequestEnd, responseWriteHead } = require('../channels')
+const vulnerabilityReporter = require('./vulnerability-reporter')
+const { enableAllAnalyzers, disableAllAnalyzers } = require('./analyzers')
 const overheadController = require('./overhead-controller')
-const dc = require('dc-polyfill')
 const iastContextFunctions = require('./iast-context')
 const {
   enableTaintTracking,
@@ -16,9 +18,7 @@ const {
 } = require('./taint-tracking')
 const { IAST_ENABLED_TAG_KEY } = require('./tags')
 const iastTelemetry = require('./telemetry')
-const { enable: enableFsPlugin, disable: disableFsPlugin, IAST_MODULE } = require('../rasp/fs-plugin')
 const securityControls = require('./security-controls')
-const { incomingHttpRequestStart, incomingHttpRequestEnd, responseWriteHead } = require('../channels')
 const collectedResponseHeaders = new WeakMap()

package/packages/dd-trace/src/appsec/iast/overhead-controller.js CHANGED Viewed

@@ -1,6 +1,6 @@
 'use strict'
-const { LRUCache } = require('lru-cache')
+const { LRUCache } = require('../../../../../vendor/dist/lru-cache')
 const web = require('../../plugins/util/web')
 const vulnerabilities = require('./vulnerabilities')

package/packages/dd-trace/src/appsec/iast/security-controls/index.js CHANGED Viewed

@@ -5,10 +5,10 @@ const dc = require('dc-polyfill')
 const { storage } = require('../../../../../datadog-core')
 const shimmer = require('../../../../../datadog-shimmer')
 const log = require('../../../log')
-const { parse, SANITIZER_TYPE } = require('./parser')
 const TaintTrackingOperations = require('../taint-tracking/operations')
 const { getIastContext } = require('../iast-context')
 const { iterateObjectStrings } = require('../utils')
+const { parse, SANITIZER_TYPE } = require('./parser')
 // esm
 const moduleLoadStartChannel = dc.channel('dd-trace:moduleLoadStart')

package/packages/dd-trace/src/appsec/iast/taint-tracking/index.js CHANGED Viewed

@@ -1,5 +1,6 @@
 'use strict'
+const kafkaContextPlugin = require('../context/kafka-ctx-plugin')
 const {
   createTransaction,
   removeTransaction,
@@ -11,8 +12,6 @@ const {
 const taintTrackingPlugin = require('./plugin')
 const kafkaConsumerPlugin = require('./plugins/kafka')
-const kafkaContextPlugin = require('../context/kafka-ctx-plugin')
 module.exports = {
   enableTaintTracking (config, telemetryVerbosity) {
     enableTaintOperations(telemetryVerbosity)

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations-taint-object.js CHANGED Viewed

@@ -2,8 +2,8 @@
 const TaintedUtils = require('@datadog/native-iast-taint-tracking')
 const { IAST_TRANSACTION_ID } = require('../iast-context')
-const { HTTP_REQUEST_PARAMETER } = require('./source-types')
 const log = require('../../../log')
+const { HTTP_REQUEST_PARAMETER } = require('./source-types')
 const SEPARATOR = '\u0000' // Unit Separator (cannot be in URL keys)

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js CHANGED Viewed

@@ -3,6 +3,7 @@
 const { SourceIastPlugin } = require('../iast-plugin')
 const { getIastContext } = require('../iast-context')
 const { storage } = require('../../../../../datadog-core')
+const { EXECUTED_SOURCE } = require('../telemetry/iast-metric')
 const { taintObject, newTaintedString, getRanges, taintQueryWithCache } = require('./operations')
 const {
   HTTP_REQUEST_BODY,
@@ -15,7 +16,6 @@ const {
   HTTP_REQUEST_URI,
   SQL_ROW_VALUE
 } = require('./source-types')
-const { EXECUTED_SOURCE } = require('../telemetry/iast-metric')
 const REQ_HEADER_TAGS = EXECUTED_SOURCE.formatTags(HTTP_REQUEST_HEADER_VALUE, HTTP_REQUEST_HEADER_NAME)
 const REQ_URI_TAGS = EXECUTED_SOURCE.formatTags(HTTP_REQUEST_URI)

package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter-esm.mjs CHANGED Viewed

@@ -47,7 +47,7 @@ export async function load (url, context, nextLoad) {
         passes.push('iast')
       }
     } else {
-      passes = ['orchestrion']
+      passes = [] // TODO: Re-enable Orchestrion when viable.
     }
     const rewritten = rewriter.rewrite(result.source.toString(), url, passes)

package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter.js CHANGED Viewed

@@ -5,18 +5,18 @@
 const Module = require('module')
 const { pathToFileURL } = require('url')
 const { MessageChannel } = require('worker_threads')
+const { isMainThread } = require('worker_threads')
+const dc = require('dc-polyfill')
 const shimmer = require('../../../../../datadog-shimmer')
-const { isPrivateModule, isDdTrace } = require('./filter')
-const { csiMethods } = require('./csi-methods')
 const { getName } = require('../telemetry/verbosity')
 const telemetry = require('../telemetry')
-const { incrementTelemetryIfNeeded } = require('./rewriter-telemetry')
-const dc = require('dc-polyfill')
 const log = require('../../../log')
-const { isMainThread } = require('worker_threads')
-const { LOG_MESSAGE, REWRITTEN_MESSAGE } = require('./constants')
 const orchestrionConfig = require('../../../../../datadog-instrumentations/src/orchestrion-config')
 const { getEnvironmentVariable } = require('../../../config-helper')
+const { LOG_MESSAGE, REWRITTEN_MESSAGE } = require('./constants')
+const { incrementTelemetryIfNeeded } = require('./rewriter-telemetry')
+const { csiMethods } = require('./csi-methods')
+const { isPrivateModule, isDdTrace } = require('./filter')
 let config
 const hardcodedSecretCh = dc.channel('datadog:secrets:result')
@@ -175,23 +175,18 @@ function enableRewriter (telemetryVerbosity) {
           shimmer.wrap(Module.prototype, '_compile', compileMethod => getCompileMethodFn(compileMethod))
         }
       }
+      enableEsmRewriter(telemetryVerbosity)
     }
-    enableEsmRewriter(telemetryVerbosity)
   } catch (e) {
     log.error('Error enabling Rewriter', e)
   }
 }
 function isEsmConfigured () {
-  const hasLoaderArg = isFlagPresent('--loader') || isFlagPresent('--experimental-loader')
-  if (hasLoaderArg) return true
-  // Fast path for common case when enabled
-  if (require.cache[`${process.cwd()}/node_modules/import-in-the-middle/hook.js`]) {
-    return true
-  }
-  return Object.keys(require.cache).some(file => file.endsWith('import-in-the-middle/hook.js'))
+  return (isFlagPresent('--loader') ||
+    isFlagPresent('--experimental-loader') ||
+    isFlagPresent('dd-trace/initialize.mjs')) ||
+    isFlagPresent('dd-trace/register.js')
 }
 let enableEsmRewriter = function (telemetryVerbosity) {

package/packages/dd-trace/src/appsec/iast/taint-tracking/taint-tracking-impl.js CHANGED Viewed

@@ -6,8 +6,8 @@ const { storage } = require('../../../../../datadog-core')
 const iastContextFunctions = require('../iast-context')
 const { EXECUTED_PROPAGATION } = require('../telemetry/iast-metric')
 const { isDebugAllowed } = require('../telemetry/verbosity')
-const { taintObject } = require('./operations-taint-object')
 const log = require('../../../log')
+const { taintObject } = require('./operations-taint-object')
 const mathRandomCallCh = dc.channel('datadog:random:call')
 const evalCallCh = dc.channel('datadog:eval:call')

package/packages/dd-trace/src/appsec/iast/telemetry/namespaces.js CHANGED Viewed

@@ -2,8 +2,8 @@
 const log = require('../../../log')
 const { Namespace } = require('../../../telemetry/metrics')
-const { addMetricsToSpan } = require('./span-tags')
 const { IAST_TRACE_METRIC_PREFIX } = require('../tags')
+const { addMetricsToSpan } = require('./span-tags')
 const DD_IAST_METRICS_NAMESPACE = Symbol('_dd.iast.request.metrics.namespace')

package/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js CHANGED Viewed

@@ -1,12 +1,12 @@
 'use strict'
-const { LRUCache } = require('lru-cache')
-const vulnerabilitiesFormatter = require('./vulnerabilities-formatter')
-const { IAST_ENABLED_TAG_KEY, IAST_JSON_TAG_KEY } = require('./tags')
+const { LRUCache } = require('../../../../../vendor/dist/lru-cache')
 const { keepTrace } = require('../../priority_sampler')
 const { reportStackTrace, getCallsiteFrames, canReportStackTrace, STACK_TRACE_NAMESPACES } = require('../stack_trace')
-const { getOriginalPathAndLineFromSourceMap } = require('./taint-tracking/rewriter')
 const { ASM } = require('../../standalone/product')
+const vulnerabilitiesFormatter = require('./vulnerabilities-formatter')
+const { IAST_ENABLED_TAG_KEY, IAST_JSON_TAG_KEY } = require('./tags')
+const { getOriginalPathAndLineFromSourceMap } = require('./taint-tracking/rewriter')
 const VULNERABILITIES_KEY = 'vulnerabilities'
 const VULNERABILITY_HASHES_MAX_SIZE = 1000

package/packages/dd-trace/src/appsec/index.js CHANGED Viewed

@@ -1,8 +1,13 @@
 'use strict'
 const log = require('../log')
+const web = require('../plugins/util/web')
+const { extractIp } = require('../plugins/util/ip_extractor')
+const { HTTP_CLIENT_IP } = require('../../../../ext/tags')
+const { storage } = require('../../../datadog-core')
+const { isInServerlessEnvironment } = require('../serverless')
 const RuleManager = require('./rule_manager')
-const remoteConfig = require('../remote_config')
+const appsecRemoteConfig = require('./remote_config')
 const {
   bodyParser,
   cookieParser,
@@ -31,15 +36,10 @@ const addresses = require('./addresses')
 const Reporter = require('./reporter')
 const appsecTelemetry = require('./telemetry')
 const apiSecuritySampler = require('./api_security_sampler')
-const web = require('../plugins/util/web')
-const { extractIp } = require('../plugins/util/ip_extractor')
-const { HTTP_CLIENT_IP } = require('../../../../ext/tags')
 const { isBlocked, block, callBlockDelegation, setTemplates, getBlockingAction } = require('./blocking')
 const UserTracking = require('./user_tracking')
-const { storage } = require('../../../datadog-core')
 const graphql = require('./graphql')
 const rasp = require('./rasp')
-const { isInServerlessEnvironment } = require('../serverless')
 const responseAnalyzedSet = new WeakSet()
 const storedResponseHeaders = new WeakMap()
@@ -63,7 +63,7 @@ function enable (_config) {
     RuleManager.loadRules(_config.appsec)
-    remoteConfig.enableWafUpdate(_config.appsec)
+    appsecRemoteConfig.enableWafUpdate(_config.appsec)
     Reporter.init(_config.appsec)
@@ -373,7 +373,7 @@ function disable () {
   graphql.disable()
   rasp.disable()
-  remoteConfig.disableWafUpdate()
+  appsecRemoteConfig.disableWafUpdate()
   apiSecuritySampler.disable()

package/packages/dd-trace/src/appsec/rasp/command_injection.js CHANGED Viewed

@@ -1,10 +1,10 @@
 'use strict'
 const { childProcessExecutionTracingChannel } = require('../channels')
-const { RULE_TYPES, handleResult } = require('./utils')
 const { storage } = require('../../../../datadog-core')
 const addresses = require('../addresses')
 const waf = require('../waf')
+const { RULE_TYPES, handleResult } = require('./utils')
 let config

package/packages/dd-trace/src/appsec/rasp/index.js CHANGED Viewed

@@ -8,11 +8,11 @@ const {
   routerMiddlewareError
 } = require('../channels')
 const { block, registerBlockDelegation, isBlocked } = require('../blocking')
+const { updateRaspRuleMatchMetricTags } = require('../telemetry')
 const ssrf = require('./ssrf')
 const sqli = require('./sql_injection')
 const lfi = require('./lfi')
 const cmdi = require('./command_injection')
-const { updateRaspRuleMatchMetricTags } = require('../telemetry')
 const { DatadogRaspAbortError } = require('./utils')

package/packages/dd-trace/src/appsec/rasp/lfi.js CHANGED Viewed

@@ -4,9 +4,9 @@ const { isAbsolute } = require('path')
 const { fsOperationStart, incomingHttpRequestStart, expressResponseRenderStart } = require('../channels')
 const { storage } = require('../../../../datadog-core')
-const { enable: enableFsPlugin, disable: disableFsPlugin, RASP_MODULE } = require('./fs-plugin')
 const { FS_OPERATION_PATH } = require('../addresses')
 const waf = require('../waf')
+const { enable: enableFsPlugin, disable: disableFsPlugin, RASP_MODULE } = require('./fs-plugin')
 const { RULE_TYPES, handleResult } = require('./utils')
 let config

package/packages/dd-trace/src/appsec/rc-products.js ADDED Viewed

@@ -0,0 +1,10 @@
+'use strict'
+// Remote Config product names used by ASM/WAF.
+const ASM_WAF_PRODUCTS = ['ASM', 'ASM_DD', 'ASM_DATA']
+const ASM_WAF_PRODUCTS_SET = new Set(ASM_WAF_PRODUCTS)
+module.exports = {
+  ASM_WAF_PRODUCTS,
+  ASM_WAF_PRODUCTS_SET
+}

package/packages/dd-trace/src/appsec/recommended.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": "2.2",
   "metadata": {
-    "rules_version": "1.15.1"
+    "rules_version": "1.16.1"
   },
   "rules": [
     {
@@ -4376,7 +4376,7 @@
                 "address": "graphql.server.resolver"
               }
             ],
-            "regex": "java\\.lang\\.(?:runtime|processbuilder)",
+            "regex": "\\bjava\\.lang\\.(?:runtime|processbuilder)\\b",
             "options": {
               "case_sensitive": true,
               "min_length": 17
@@ -8989,7 +8989,7 @@
         "event": false,
         "keep": false,
         "attributes": {
-          "_dd.appsec.api.jwt_alg": {
+          "api.security.jwt.alg": {
             "address": "server.request.jwt",
             "key_path": [
               "header",
@@ -9091,6 +9091,233 @@
         }
       }
     },
+    {
+      "id": "api-010-100",
+      "name": "Monitor redirections to GET targets",
+      "tags": {
+        "type": "api10",
+        "category": "api_security",
+        "confidence": "0",
+        "module": "business-logic"
+      },
+      "min_version": "1.25.0",
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.io.net.response.status"
+              }
+            ],
+            "list": [
+              "301",
+              "302"
+            ]
+          },
+          "operator": "exact_match"
+        }
+      ],
+      "transformers": [],
+      "output": {
+        "event": false,
+        "keep": false,
+        "attributes": {
+          "api.security.redirection.move_target": {
+            "address": "server.io.net.response.headers",
+            "key_path": [
+              "Location"
+            ]
+          }
+        }
+      }
+    },
+    {
+      "id": "api-010-110",
+      "name": "Monitor redirections to POST targets",
+      "tags": {
+        "type": "api10",
+        "category": "api_security",
+        "confidence": "0",
+        "module": "business-logic"
+      },
+      "min_version": "1.25.0",
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.io.net.response.status"
+              }
+            ],
+            "list": [
+              "307",
+              "308"
+            ]
+          },
+          "operator": "exact_match"
+        }
+      ],
+      "transformers": [],
+      "output": {
+        "event": false,
+        "keep": false,
+        "attributes": {
+          "api.security.redirection.redirect_target": {
+            "address": "server.io.net.response.headers",
+            "key_path": [
+              "Location"
+            ]
+          }
+        }
+      }
+    },
+    {
+      "id": "api-010-200",
+      "name": "Large response bodies in downstream network calls",
+      "tags": {
+        "type": "api10",
+        "category": "api_security",
+        "confidence": "0",
+        "module": "business-logic"
+      },
+      "min_version": "1.25.0",
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.io.net.response.headers",
+                "key_path": [
+                  "content-length"
+                ]
+              }
+            ],
+            "regex": "\\d{7,}",
+            "options": {
+              "case_sensitive": true,
+              "min_length": 7
+            }
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": [],
+      "output": {
+        "event": false,
+        "keep": false,
+        "attributes": {
+          "api.security.large_response.length": {
+            "address": "server.io.net.response.headers",
+            "key_path": [
+              "content-length"
+            ]
+          },
+          "api.security.large_response.url": {
+            "address": "server.io.net.url"
+          }
+        }
+      }
+    },
+    {
+      "id": "api-010-300",
+      "name": "Secrets transmitted in downstream URL parameters",
+      "tags": {
+        "type": "api10",
+        "category": "api_security",
+        "confidence": "0",
+        "module": "business-logic"
+      },
+      "min_version": "1.25.0",
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.io.net.url"
+              }
+            ],
+            "regex": "[?&](?:(?:api|access)?(_)?(?:key|secret|token|password|passwd|pwd))=",
+            "options": {
+              "case_sensitive": false
+            }
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": [],
+      "output": {
+        "event": false,
+        "keep": false,
+        "attributes": {
+          "api.security.secret.disclosed_in_url_params": {
+            "value": 1
+          }
+        }
+      }
+    },
+    {
+      "id": "api-010-400",
+      "name": "Unauthenticated MCP access",
+      "tags": {
+        "type": "api10",
+        "category": "api_security",
+        "confidence": "0",
+        "module": "business-logic"
+      },
+      "min_version": "1.25.0",
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.io.net.url"
+              }
+            ],
+            "regex": "/mcp/(?:tools|resources)/",
+            "options": {
+              "case_sensitive": false
+            }
+          },
+          "operator": "match_regex"
+        },
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.io.net.request.headers",
+                "key_path": [
+                  "authorization"
+                ]
+              }
+            ]
+          },
+          "operator": "!exists"
+        },
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.io.net.response.status"
+              }
+            ],
+            "list": [
+              "401"
+            ]
+          },
+          "operator": "!exact_match"
+        }
+      ],
+      "transformers": [],
+      "output": {
+        "event": false,
+        "keep": false,
+        "attributes": {
+          "api.security.mcp.broken_auth": {
+            "value": 1
+          }
+        }
+      }
+    },
     {
       "id": "ua0-600-551",
       "name": "Datadog test scanner - scalar trace-tagging version: user-agent",