npm - dd-trace - Versions diffs - 5.81.0 → 5.82.0 - Mend

dd-trace 5.81.0 → 5.82.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (321) hide show

package/packages/dd-trace/src/aiguard/sdk.js CHANGED Viewed

@@ -1,6 +1,9 @@
 'use strict'
 const rfdc = require('../../../../vendor/dist/rfdc')({ proto: false, circles: false })
+const log = require('../log')
+const telemetryMetrics = require('../telemetry/metrics')
+const tracerVersion = require('../../../../package.json').version
 const NoopAIGuard = require('./noop')
 const executeRequest = require('./client')
 const {
@@ -14,9 +17,6 @@ const {
   AI_GUARD_TELEMETRY_REQUESTS,
   AI_GUARD_TELEMETRY_TRUNCATED
 } = require('./tags')
-const log = require('../log')
-const telemetryMetrics = require('../telemetry/metrics')
-const tracerVersion = require('../../../../package.json').version
 const appsecMetrics = telemetryMetrics.manager.namespace('appsec')

package/packages/dd-trace/src/appsec/graphql.js CHANGED Viewed

@@ -1,16 +1,16 @@
 'use strict'
 const { storage } = require('../../../datadog-core')
+const log = require('../log')
+const web = require('../plugins/util/web')
 const {
   addSpecificEndpoint,
   specificBlockingTypes,
   getBlockingData,
   getBlockingAction
 } = require('./blocking')
-const log = require('../log')
 const waf = require('./waf')
 const addresses = require('./addresses')
-const web = require('../plugins/util/web')
 const {
   startGraphqlResolve,
   graphqlMiddlewareChannel,

package/packages/dd-trace/src/appsec/iast/analyzers/code-injection-analyzer.js CHANGED Viewed

@@ -1,10 +1,10 @@
 'use strict'
 const { CODE_INJECTION } = require('../vulnerabilities')
-const StoredInjectionAnalyzer = require('./stored-injection-analyzer')
 const { INSTRUMENTED_SINK } = require('../telemetry/iast-metric')
 const { storage } = require('../../../../../datadog-core')
 const { getIastContext } = require('../iast-context')
+const StoredInjectionAnalyzer = require('./stored-injection-analyzer')
 class CodeInjectionAnalyzer extends StoredInjectionAnalyzer {
   constructor () {

package/packages/dd-trace/src/appsec/iast/analyzers/command-injection-analyzer.js CHANGED Viewed

@@ -1,6 +1,6 @@
 'use strict'
-const InjectionAnalyzer = require('./injection-analyzer')
 const { COMMAND_INJECTION } = require('../vulnerabilities')
+const InjectionAnalyzer = require('./injection-analyzer')
 class CommandInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {

package/packages/dd-trace/src/appsec/iast/analyzers/cookie-analyzer.js CHANGED Viewed

@@ -1,7 +1,7 @@
 'use strict'
-const Analyzer = require('./vulnerability-analyzer')
 const { getNodeModulesPaths } = require('../path-line')
+const Analyzer = require('./vulnerability-analyzer')
 const EXCLUDED_PATHS = [
   // Express

package/packages/dd-trace/src/appsec/iast/analyzers/hardcoded-base-analyzer.js CHANGED Viewed

@@ -1,7 +1,7 @@
 'use strict'
-const Analyzer = require('./vulnerability-analyzer')
 const { getRelativePath } = require('../path-line')
+const Analyzer = require('./vulnerability-analyzer')
 class HardcodedBaseAnalyzer extends Analyzer {
   constructor (type, allRules = [], valueOnlyRules = []) {

package/packages/dd-trace/src/appsec/iast/analyzers/injection-analyzer.js CHANGED Viewed

@@ -1,7 +1,7 @@
 'use strict'
-const Analyzer = require('./vulnerability-analyzer')
 const { getRanges } = require('../taint-tracking/operations')
 const { SQL_ROW_VALUE } = require('../taint-tracking/source-types')
+const Analyzer = require('./vulnerability-analyzer')
 class InjectionAnalyzer extends Analyzer {
   _isVulnerable (value, iastContext) {

package/packages/dd-trace/src/appsec/iast/analyzers/ldap-injection-analyzer.js CHANGED Viewed

@@ -1,7 +1,7 @@
 'use strict'
-const InjectionAnalyzer = require('./injection-analyzer')
 const { LDAP_INJECTION } = require('../vulnerabilities')
 const { getNodeModulesPaths } = require('../path-line')
+const InjectionAnalyzer = require('./injection-analyzer')
 const EXCLUDED_PATHS = getNodeModulesPaths('ldapjs-promise')

package/packages/dd-trace/src/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.js CHANGED Viewed

@@ -1,16 +1,16 @@
 'use strict'
-const InjectionAnalyzer = require('./injection-analyzer')
 const { NOSQL_MONGODB_INJECTION } = require('../vulnerabilities')
 const { getRanges, addSecureMark } = require('../taint-tracking/operations')
 const { getNodeModulesPaths } = require('../path-line')
 const { storage } = require('../../../../../datadog-core')
 const { getIastContext } = require('../iast-context')
 const { HTTP_REQUEST_PARAMETER, HTTP_REQUEST_BODY } = require('../taint-tracking/source-types')
-const EXCLUDED_PATHS_FROM_STACK = getNodeModulesPaths('mongodb', 'mongoose', 'mquery')
 const { NOSQL_MONGODB_INJECTION_MARK } = require('../taint-tracking/secure-marks')
 const { iterateObjectStrings } = require('../utils')
+const InjectionAnalyzer = require('./injection-analyzer')
+const EXCLUDED_PATHS_FROM_STACK = getNodeModulesPaths('mongodb', 'mongoose', 'mquery')
 const SAFE_OPERATORS = new Set(['$eq', '$gt', '$gte', '$in', '$lt', '$lte', '$ne', '$nin',
   '$exists', '$type', '$mod', '$bitsAllClear', '$bitsAllSet', '$bitsAnyClear', '$bitsAnySet'])

package/packages/dd-trace/src/appsec/iast/analyzers/path-traversal-analyzer.js CHANGED Viewed

@@ -2,10 +2,10 @@
 const path = require('path')
-const InjectionAnalyzer = require('./injection-analyzer')
 const { getIastContext } = require('../iast-context')
 const { storage } = require('../../../../../datadog-core')
 const { PATH_TRAVERSAL } = require('../vulnerabilities')
+const InjectionAnalyzer = require('./injection-analyzer')
 const ignoredOperations = new Set(['dir.close', 'close'])

package/packages/dd-trace/src/appsec/iast/analyzers/ssrf-analyzer.js CHANGED Viewed

@@ -1,7 +1,7 @@
 'use strict'
-const InjectionAnalyzer = require('./injection-analyzer')
 const { SSRF } = require('../vulnerabilities')
+const InjectionAnalyzer = require('./injection-analyzer')
 class SSRFAnalyzer extends InjectionAnalyzer {
   constructor () {

package/packages/dd-trace/src/appsec/iast/analyzers/untrusted-deserialization-analyzer.js CHANGED Viewed

@@ -1,7 +1,7 @@
 'use strict'
-const InjectionAnalyzer = require('./injection-analyzer')
 const { UNTRUSTED_DESERIALIZATION } = require('../vulnerabilities')
+const InjectionAnalyzer = require('./injection-analyzer')
 class UntrustedDeserializationAnalyzer extends InjectionAnalyzer {
   constructor () {

package/packages/dd-trace/src/appsec/iast/analyzers/unvalidated-redirect-analyzer.js CHANGED Viewed

@@ -1,6 +1,5 @@
 'use strict'
-const InjectionAnalyzer = require('./injection-analyzer')
 const { UNVALIDATED_REDIRECT } = require('../vulnerabilities')
 const { getNodeModulesPaths } = require('../path-line')
 const { getRanges } = require('../taint-tracking/operations')
@@ -8,6 +7,7 @@ const {
   HTTP_REQUEST_BODY,
   HTTP_REQUEST_PARAMETER
 } = require('../taint-tracking/source-types')
+const InjectionAnalyzer = require('./injection-analyzer')
 const EXCLUDED_PATHS = [
   getNodeModulesPaths('express/lib/response.js'),

package/packages/dd-trace/src/appsec/iast/analyzers/weak-cipher-analyzer.js CHANGED Viewed

@@ -1,6 +1,6 @@
 'use strict'
-const Analyzer = require('./vulnerability-analyzer')
 const { WEAK_CIPHER } = require('../vulnerabilities')
+const Analyzer = require('./vulnerability-analyzer')
 const INSECURE_CIPHERS = new Set([
   'des', 'des-cbc', 'des-cfb', 'des-cfb1', 'des-cfb8', 'des-ecb', 'des-ede', 'des-ede-cbc', 'des-ede-cfb',

package/packages/dd-trace/src/appsec/iast/analyzers/weak-hash-analyzer.js CHANGED Viewed

@@ -3,8 +3,8 @@
 const path = require('path')
 const { getNodeModulesPaths } = require('../path-line')
-const Analyzer = require('./vulnerability-analyzer')
 const { WEAK_HASH } = require('../vulnerabilities')
+const Analyzer = require('./vulnerability-analyzer')
 const INSECURE_HASH_ALGORITHMS = new Set([
   'md4', 'md4WithRSAEncryption', 'RSA-MD4',
@@ -23,7 +23,8 @@ const EXCLUDED_LOCATIONS = getNodeModulesPaths(
   'ws/lib/websocket-server.js',
   'google-gax/build/src/grpc.js',
   'cookie-signature/index.js',
-  'express-session/index.js'
+  'express-session/index.js',
+  'node-preload/preload-list-env.js'
 )
 const EXCLUDED_PATHS_FROM_STACK = [

package/packages/dd-trace/src/appsec/iast/analyzers/weak-randomness-analyzer.js CHANGED Viewed

@@ -1,6 +1,6 @@
 'use strict'
-const Analyzer = require('./vulnerability-analyzer')
 const { WEAK_RANDOMNESS } = require('../vulnerabilities')
+const Analyzer = require('./vulnerability-analyzer')
 class WeakRandomnessAnalyzer extends Analyzer {
   constructor () {

package/packages/dd-trace/src/appsec/iast/iast-plugin.js CHANGED Viewed

@@ -3,13 +3,13 @@
 const { channel } = require('dc-polyfill')
 const Plugin = require('../../plugins/plugin')
+const { storage } = require('../../../../datadog-core')
+const instrumentations = require('../../../../datadog-instrumentations/src/helpers/instrumentations')
+const log = require('../../log')
 const iastTelemetry = require('./telemetry')
 const { getInstrumentedMetric, getExecutedMetric, TagKey, EXECUTED_SOURCE, formatTags } =
   require('./telemetry/iast-metric')
-const { storage } = require('../../../../datadog-core')
 const { getIastContext } = require('./iast-context')
-const instrumentations = require('../../../../datadog-instrumentations/src/helpers/instrumentations')
-const log = require('../../log')
 /**
  * Used by vulnerability sources and sinks to subscribe diagnostic channel events

package/packages/dd-trace/src/appsec/iast/index.js CHANGED Viewed

@@ -1,11 +1,13 @@
 'use strict'
-const vulnerabilityReporter = require('./vulnerability-reporter')
-const { enableAllAnalyzers, disableAllAnalyzers } = require('./analyzers')
+const dc = require('dc-polyfill')
 const web = require('../../plugins/util/web')
 const { storage } = require('../../../../datadog-core')
+const { enable: enableFsPlugin, disable: disableFsPlugin, IAST_MODULE } = require('../rasp/fs-plugin')
+const { incomingHttpRequestStart, incomingHttpRequestEnd, responseWriteHead } = require('../channels')
+const vulnerabilityReporter = require('./vulnerability-reporter')
+const { enableAllAnalyzers, disableAllAnalyzers } = require('./analyzers')
 const overheadController = require('./overhead-controller')
-const dc = require('dc-polyfill')
 const iastContextFunctions = require('./iast-context')
 const {
   enableTaintTracking,
@@ -16,9 +18,7 @@ const {
 } = require('./taint-tracking')
 const { IAST_ENABLED_TAG_KEY } = require('./tags')
 const iastTelemetry = require('./telemetry')
-const { enable: enableFsPlugin, disable: disableFsPlugin, IAST_MODULE } = require('../rasp/fs-plugin')
 const securityControls = require('./security-controls')
-const { incomingHttpRequestStart, incomingHttpRequestEnd, responseWriteHead } = require('../channels')
 const collectedResponseHeaders = new WeakMap()

package/packages/dd-trace/src/appsec/iast/security-controls/index.js CHANGED Viewed

@@ -5,10 +5,10 @@ const dc = require('dc-polyfill')
 const { storage } = require('../../../../../datadog-core')
 const shimmer = require('../../../../../datadog-shimmer')
 const log = require('../../../log')
-const { parse, SANITIZER_TYPE } = require('./parser')
 const TaintTrackingOperations = require('../taint-tracking/operations')
 const { getIastContext } = require('../iast-context')
 const { iterateObjectStrings } = require('../utils')
+const { parse, SANITIZER_TYPE } = require('./parser')
 // esm
 const moduleLoadStartChannel = dc.channel('dd-trace:moduleLoadStart')

package/packages/dd-trace/src/appsec/iast/taint-tracking/index.js CHANGED Viewed

@@ -1,5 +1,6 @@
 'use strict'
+const kafkaContextPlugin = require('../context/kafka-ctx-plugin')
 const {
   createTransaction,
   removeTransaction,
@@ -11,8 +12,6 @@ const {
 const taintTrackingPlugin = require('./plugin')
 const kafkaConsumerPlugin = require('./plugins/kafka')
-const kafkaContextPlugin = require('../context/kafka-ctx-plugin')
 module.exports = {
   enableTaintTracking (config, telemetryVerbosity) {
     enableTaintOperations(telemetryVerbosity)

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations-taint-object.js CHANGED Viewed

@@ -2,8 +2,8 @@
 const TaintedUtils = require('@datadog/native-iast-taint-tracking')
 const { IAST_TRANSACTION_ID } = require('../iast-context')
-const { HTTP_REQUEST_PARAMETER } = require('./source-types')
 const log = require('../../../log')
+const { HTTP_REQUEST_PARAMETER } = require('./source-types')
 const SEPARATOR = '\u0000' // Unit Separator (cannot be in URL keys)

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js CHANGED Viewed

@@ -3,6 +3,7 @@
 const { SourceIastPlugin } = require('../iast-plugin')
 const { getIastContext } = require('../iast-context')
 const { storage } = require('../../../../../datadog-core')
+const { EXECUTED_SOURCE } = require('../telemetry/iast-metric')
 const { taintObject, newTaintedString, getRanges, taintQueryWithCache } = require('./operations')
 const {
   HTTP_REQUEST_BODY,
@@ -15,7 +16,6 @@ const {
   HTTP_REQUEST_URI,
   SQL_ROW_VALUE
 } = require('./source-types')
-const { EXECUTED_SOURCE } = require('../telemetry/iast-metric')
 const REQ_HEADER_TAGS = EXECUTED_SOURCE.formatTags(HTTP_REQUEST_HEADER_VALUE, HTTP_REQUEST_HEADER_NAME)
 const REQ_URI_TAGS = EXECUTED_SOURCE.formatTags(HTTP_REQUEST_URI)

package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter.js CHANGED Viewed

@@ -5,18 +5,18 @@
 const Module = require('module')
 const { pathToFileURL } = require('url')
 const { MessageChannel } = require('worker_threads')
+const { isMainThread } = require('worker_threads')
+const dc = require('dc-polyfill')
 const shimmer = require('../../../../../datadog-shimmer')
-const { isPrivateModule, isDdTrace } = require('./filter')
-const { csiMethods } = require('./csi-methods')
 const { getName } = require('../telemetry/verbosity')
 const telemetry = require('../telemetry')
-const { incrementTelemetryIfNeeded } = require('./rewriter-telemetry')
-const dc = require('dc-polyfill')
 const log = require('../../../log')
-const { isMainThread } = require('worker_threads')
-const { LOG_MESSAGE, REWRITTEN_MESSAGE } = require('./constants')
 const orchestrionConfig = require('../../../../../datadog-instrumentations/src/orchestrion-config')
 const { getEnvironmentVariable } = require('../../../config-helper')
+const { LOG_MESSAGE, REWRITTEN_MESSAGE } = require('./constants')
+const { incrementTelemetryIfNeeded } = require('./rewriter-telemetry')
+const { csiMethods } = require('./csi-methods')
+const { isPrivateModule, isDdTrace } = require('./filter')
 let config
 const hardcodedSecretCh = dc.channel('datadog:secrets:result')
@@ -183,14 +183,10 @@ function enableRewriter (telemetryVerbosity) {
 }
 function isEsmConfigured () {
-  const hasLoaderArg = isFlagPresent('--loader') || isFlagPresent('--experimental-loader')
-  if (hasLoaderArg) return true
-  // Fast path for common case when enabled
-  if (require.cache[`${process.cwd()}/node_modules/import-in-the-middle/hook.js`]) {
-    return true
-  }
-  return Object.keys(require.cache).some(file => file.endsWith('import-in-the-middle/hook.js'))
+  return (isFlagPresent('--loader') ||
+    isFlagPresent('--experimental-loader') ||
+    isFlagPresent('dd-trace/initialize.mjs')) ||
+    isFlagPresent('dd-trace/register.js')
 }
 let enableEsmRewriter = function (telemetryVerbosity) {

package/packages/dd-trace/src/appsec/iast/taint-tracking/taint-tracking-impl.js CHANGED Viewed

@@ -6,8 +6,8 @@ const { storage } = require('../../../../../datadog-core')
 const iastContextFunctions = require('../iast-context')
 const { EXECUTED_PROPAGATION } = require('../telemetry/iast-metric')
 const { isDebugAllowed } = require('../telemetry/verbosity')
-const { taintObject } = require('./operations-taint-object')
 const log = require('../../../log')
+const { taintObject } = require('./operations-taint-object')
 const mathRandomCallCh = dc.channel('datadog:random:call')
 const evalCallCh = dc.channel('datadog:eval:call')

package/packages/dd-trace/src/appsec/iast/telemetry/namespaces.js CHANGED Viewed

@@ -2,8 +2,8 @@
 const log = require('../../../log')
 const { Namespace } = require('../../../telemetry/metrics')
-const { addMetricsToSpan } = require('./span-tags')
 const { IAST_TRACE_METRIC_PREFIX } = require('../tags')
+const { addMetricsToSpan } = require('./span-tags')
 const DD_IAST_METRICS_NAMESPACE = Symbol('_dd.iast.request.metrics.namespace')

package/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js CHANGED Viewed

@@ -1,12 +1,12 @@
 'use strict'
 const { LRUCache } = require('../../../../../vendor/dist/lru-cache')
-const vulnerabilitiesFormatter = require('./vulnerabilities-formatter')
-const { IAST_ENABLED_TAG_KEY, IAST_JSON_TAG_KEY } = require('./tags')
 const { keepTrace } = require('../../priority_sampler')
 const { reportStackTrace, getCallsiteFrames, canReportStackTrace, STACK_TRACE_NAMESPACES } = require('../stack_trace')
-const { getOriginalPathAndLineFromSourceMap } = require('./taint-tracking/rewriter')
 const { ASM } = require('../../standalone/product')
+const vulnerabilitiesFormatter = require('./vulnerabilities-formatter')
+const { IAST_ENABLED_TAG_KEY, IAST_JSON_TAG_KEY } = require('./tags')
+const { getOriginalPathAndLineFromSourceMap } = require('./taint-tracking/rewriter')
 const VULNERABILITIES_KEY = 'vulnerabilities'
 const VULNERABILITY_HASHES_MAX_SIZE = 1000

package/packages/dd-trace/src/appsec/index.js CHANGED Viewed

@@ -1,8 +1,13 @@
 'use strict'
 const log = require('../log')
+const web = require('../plugins/util/web')
+const { extractIp } = require('../plugins/util/ip_extractor')
+const { HTTP_CLIENT_IP } = require('../../../../ext/tags')
+const { storage } = require('../../../datadog-core')
+const { isInServerlessEnvironment } = require('../serverless')
 const RuleManager = require('./rule_manager')
-const remoteConfig = require('../remote_config')
+const appsecRemoteConfig = require('./remote_config')
 const {
   bodyParser,
   cookieParser,
@@ -31,15 +36,10 @@ const addresses = require('./addresses')
 const Reporter = require('./reporter')
 const appsecTelemetry = require('./telemetry')
 const apiSecuritySampler = require('./api_security_sampler')
-const web = require('../plugins/util/web')
-const { extractIp } = require('../plugins/util/ip_extractor')
-const { HTTP_CLIENT_IP } = require('../../../../ext/tags')
 const { isBlocked, block, callBlockDelegation, setTemplates, getBlockingAction } = require('./blocking')
 const UserTracking = require('./user_tracking')
-const { storage } = require('../../../datadog-core')
 const graphql = require('./graphql')
 const rasp = require('./rasp')
-const { isInServerlessEnvironment } = require('../serverless')
 const responseAnalyzedSet = new WeakSet()
 const storedResponseHeaders = new WeakMap()
@@ -63,7 +63,7 @@ function enable (_config) {
     RuleManager.loadRules(_config.appsec)
-    remoteConfig.enableWafUpdate(_config.appsec)
+    appsecRemoteConfig.enableWafUpdate(_config.appsec)
     Reporter.init(_config.appsec)
@@ -373,7 +373,7 @@ function disable () {
   graphql.disable()
   rasp.disable()
-  remoteConfig.disableWafUpdate()
+  appsecRemoteConfig.disableWafUpdate()
   apiSecuritySampler.disable()

package/packages/dd-trace/src/appsec/rasp/command_injection.js CHANGED Viewed

@@ -1,10 +1,10 @@
 'use strict'
 const { childProcessExecutionTracingChannel } = require('../channels')
-const { RULE_TYPES, handleResult } = require('./utils')
 const { storage } = require('../../../../datadog-core')
 const addresses = require('../addresses')
 const waf = require('../waf')
+const { RULE_TYPES, handleResult } = require('./utils')
 let config

package/packages/dd-trace/src/appsec/rasp/index.js CHANGED Viewed

@@ -8,11 +8,11 @@ const {
   routerMiddlewareError
 } = require('../channels')
 const { block, registerBlockDelegation, isBlocked } = require('../blocking')
+const { updateRaspRuleMatchMetricTags } = require('../telemetry')
 const ssrf = require('./ssrf')
 const sqli = require('./sql_injection')
 const lfi = require('./lfi')
 const cmdi = require('./command_injection')
-const { updateRaspRuleMatchMetricTags } = require('../telemetry')
 const { DatadogRaspAbortError } = require('./utils')

package/packages/dd-trace/src/appsec/rasp/lfi.js CHANGED Viewed

@@ -4,9 +4,9 @@ const { isAbsolute } = require('path')
 const { fsOperationStart, incomingHttpRequestStart, expressResponseRenderStart } = require('../channels')
 const { storage } = require('../../../../datadog-core')
-const { enable: enableFsPlugin, disable: disableFsPlugin, RASP_MODULE } = require('./fs-plugin')
 const { FS_OPERATION_PATH } = require('../addresses')
 const waf = require('../waf')
+const { enable: enableFsPlugin, disable: disableFsPlugin, RASP_MODULE } = require('./fs-plugin')
 const { RULE_TYPES, handleResult } = require('./utils')
 let config

package/packages/dd-trace/src/appsec/rc-products.js ADDED Viewed

@@ -0,0 +1,10 @@
+'use strict'
+// Remote Config product names used by ASM/WAF.
+const ASM_WAF_PRODUCTS = ['ASM', 'ASM_DD', 'ASM_DATA']
+const ASM_WAF_PRODUCTS_SET = new Set(ASM_WAF_PRODUCTS)
+module.exports = {
+  ASM_WAF_PRODUCTS,
+  ASM_WAF_PRODUCTS_SET
+}