npm - dd-trace - Versions diffs - 5.81.0 → 5.82.0 - Mend

dd-trace 5.81.0 → 5.82.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (321) hide show

package/packages/dd-trace/src/appsec/recommended.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": "2.2",
   "metadata": {
-    "rules_version": "1.15.1"
+    "rules_version": "1.16.1"
   },
   "rules": [
     {
@@ -4376,7 +4376,7 @@
                 "address": "graphql.server.resolver"
               }
             ],
-            "regex": "java\\.lang\\.(?:runtime|processbuilder)",
+            "regex": "\\bjava\\.lang\\.(?:runtime|processbuilder)\\b",
             "options": {
               "case_sensitive": true,
               "min_length": 17
@@ -8989,7 +8989,7 @@
         "event": false,
         "keep": false,
         "attributes": {
-          "_dd.appsec.api.jwt_alg": {
+          "api.security.jwt.alg": {
             "address": "server.request.jwt",
             "key_path": [
               "header",
@@ -9091,6 +9091,233 @@
         }
       }
     },
+    {
+      "id": "api-010-100",
+      "name": "Monitor redirections to GET targets",
+      "tags": {
+        "type": "api10",
+        "category": "api_security",
+        "confidence": "0",
+        "module": "business-logic"
+      },
+      "min_version": "1.25.0",
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.io.net.response.status"
+              }
+            ],
+            "list": [
+              "301",
+              "302"
+            ]
+          },
+          "operator": "exact_match"
+        }
+      ],
+      "transformers": [],
+      "output": {
+        "event": false,
+        "keep": false,
+        "attributes": {
+          "api.security.redirection.move_target": {
+            "address": "server.io.net.response.headers",
+            "key_path": [
+              "Location"
+            ]
+          }
+        }
+      }
+    },
+    {
+      "id": "api-010-110",
+      "name": "Monitor redirections to POST targets",
+      "tags": {
+        "type": "api10",
+        "category": "api_security",
+        "confidence": "0",
+        "module": "business-logic"
+      },
+      "min_version": "1.25.0",
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.io.net.response.status"
+              }
+            ],
+            "list": [
+              "307",
+              "308"
+            ]
+          },
+          "operator": "exact_match"
+        }
+      ],
+      "transformers": [],
+      "output": {
+        "event": false,
+        "keep": false,
+        "attributes": {
+          "api.security.redirection.redirect_target": {
+            "address": "server.io.net.response.headers",
+            "key_path": [
+              "Location"
+            ]
+          }
+        }
+      }
+    },
+    {
+      "id": "api-010-200",
+      "name": "Large response bodies in downstream network calls",
+      "tags": {
+        "type": "api10",
+        "category": "api_security",
+        "confidence": "0",
+        "module": "business-logic"
+      },
+      "min_version": "1.25.0",
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.io.net.response.headers",
+                "key_path": [
+                  "content-length"
+                ]
+              }
+            ],
+            "regex": "\\d{7,}",
+            "options": {
+              "case_sensitive": true,
+              "min_length": 7
+            }
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": [],
+      "output": {
+        "event": false,
+        "keep": false,
+        "attributes": {
+          "api.security.large_response.length": {
+            "address": "server.io.net.response.headers",
+            "key_path": [
+              "content-length"
+            ]
+          },
+          "api.security.large_response.url": {
+            "address": "server.io.net.url"
+          }
+        }
+      }
+    },
+    {
+      "id": "api-010-300",
+      "name": "Secrets transmitted in downstream URL parameters",
+      "tags": {
+        "type": "api10",
+        "category": "api_security",
+        "confidence": "0",
+        "module": "business-logic"
+      },
+      "min_version": "1.25.0",
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.io.net.url"
+              }
+            ],
+            "regex": "[?&](?:(?:api|access)?(_)?(?:key|secret|token|password|passwd|pwd))=",
+            "options": {
+              "case_sensitive": false
+            }
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": [],
+      "output": {
+        "event": false,
+        "keep": false,
+        "attributes": {
+          "api.security.secret.disclosed_in_url_params": {
+            "value": 1
+          }
+        }
+      }
+    },
+    {
+      "id": "api-010-400",
+      "name": "Unauthenticated MCP access",
+      "tags": {
+        "type": "api10",
+        "category": "api_security",
+        "confidence": "0",
+        "module": "business-logic"
+      },
+      "min_version": "1.25.0",
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.io.net.url"
+              }
+            ],
+            "regex": "/mcp/(?:tools|resources)/",
+            "options": {
+              "case_sensitive": false
+            }
+          },
+          "operator": "match_regex"
+        },
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.io.net.request.headers",
+                "key_path": [
+                  "authorization"
+                ]
+              }
+            ]
+          },
+          "operator": "!exists"
+        },
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.io.net.response.status"
+              }
+            ],
+            "list": [
+              "401"
+            ]
+          },
+          "operator": "!exact_match"
+        }
+      ],
+      "transformers": [],
+      "output": {
+        "event": false,
+        "keep": false,
+        "attributes": {
+          "api.security.mcp.broken_auth": {
+            "value": 1
+          }
+        }
+      }
+    },
     {
       "id": "ua0-600-551",
       "name": "Datadog test scanner - scalar trace-tagging version: user-agent",

package/packages/dd-trace/src/appsec/remote_config.js ADDED Viewed

@@ -0,0 +1,177 @@
+'use strict'
+const log = require('../log')
+const { updateConfig } = require('../telemetry')
+const RemoteConfigCapabilities = require('../remote_config/capabilities')
+const { setCollectionMode } = require('./user_tracking')
+const Activation = require('./activation')
+let autoUserInstrumModeId
+let rc
+/**
+ * Configures remote config handlers for appsec features
+ *
+ * @param {object} rcInstance - RemoteConfig instance
+ * @param {object} config - Tracer config
+ * @param {object} appsec - Appsec module
+ */
+function enable (rcInstance, config, appsec) {
+  rc = rcInstance
+  const activation = Activation.fromConfig(config)
+  if (activation !== Activation.DISABLED) {
+    if (activation === Activation.ONECLICK) {
+      rc.updateCapabilities(RemoteConfigCapabilities.ASM_ACTIVATION, true)
+    }
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_AUTO_USER_INSTRUM_MODE, true)
+    rc.setProductHandler('ASM_FEATURES', (action, rcConfig, configId) => {
+      if (!rcConfig) return
+      // this is put before other handlers because it can reject the config
+      if (typeof rcConfig.auto_user_instrum?.mode === 'string') {
+        if (action === 'apply' || action === 'modify') {
+          // check if there is already a config applied with this field
+          if (autoUserInstrumModeId && configId !== autoUserInstrumModeId) {
+            log.error('[RC] Multiple auto_user_instrum received in ASM_FEATURES. Discarding config')
+            // eslint-disable-next-line no-throw-literal
+            throw 'Multiple auto_user_instrum.mode received in ASM_FEATURES'
+          }
+          setCollectionMode(rcConfig.auto_user_instrum.mode)
+          autoUserInstrumModeId = configId
+        } else if (configId === autoUserInstrumModeId) {
+          setCollectionMode(config.appsec.eventTracking.mode)
+          autoUserInstrumModeId = null
+        }
+      }
+      if (activation === Activation.ONECLICK) {
+        enableOrDisableAppsec(action, rcConfig, config, appsec)
+      }
+    })
+  }
+}
+/**
+ * Enables or disables appsec based on remote config
+ *
+ * @param {string} action - 'apply', 'modify', or 'unapply'
+ * @param {object} rcConfig - Remote config
+ * @param {object} config - Tracer config
+ * @param {object} appsec - Appsec module
+ */
+function enableOrDisableAppsec (action, rcConfig, config, appsec) {
+  if (typeof rcConfig.asm?.enabled === 'boolean') {
+    const isRemoteConfigControlling = action === 'apply' || action === 'modify'
+    const shouldEnable = isRemoteConfigControlling
+      ? rcConfig.asm.enabled // take control
+      : config.appsec.enabled // give back control to local config
+    if (shouldEnable) {
+      appsec.enable(config)
+    } else {
+      appsec.disable()
+    }
+    updateConfig([
+      {
+        name: 'appsec.enabled',
+        origin: isRemoteConfigControlling ? 'remote_config' : config.getOrigin('appsec.enabled'),
+        value: shouldEnable
+      }
+    ], config)
+  }
+}
+/**
+ * Enables WAF update capabilities for remote config
+ *
+ * @param {object} appsecConfig - Appsec config
+ */
+function enableWafUpdate (appsecConfig) {
+  if (rc && appsecConfig && !appsecConfig.rules) {
+    // dirty require to make startup faster for serverless
+    const { ASM_WAF_PRODUCTS } = require('./rc-products')
+    const RuleManager = require('./rule_manager')
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_IP_BLOCKING, true)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_USER_BLOCKING, true)
+    // TODO: we should have a different capability for rule override
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_DD_RULES, true)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_EXCLUSIONS, true)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_REQUEST_BLOCKING, true)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_RESPONSE_BLOCKING, true)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_CUSTOM_RULES, true)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, true)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_TRUSTED_IPS, true)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_PROCESSOR_OVERRIDES, true)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_CUSTOM_DATA_SCANNERS, true)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_EXCLUSION_DATA, true)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_ENDPOINT_FINGERPRINT, true)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_SESSION_FINGERPRINT, true)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_NETWORK_FINGERPRINT, true)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_HEADER_FINGERPRINT, true)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_DD_MULTICONFIG, true)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_TRACE_TAGGING_RULES, true)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_EXTENDED_DATA_COLLECTION, true)
+    if (appsecConfig.rasp?.enabled) {
+      rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SQLI, true)
+      rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SSRF, true)
+      rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_LFI, true)
+      rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SHI, true)
+      rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_CMDI, true)
+    }
+    rc.subscribeProducts(...ASM_WAF_PRODUCTS)
+    rc.setBatchHandler(ASM_WAF_PRODUCTS, RuleManager.updateWafFromRC)
+  }
+}
+/**
+ * Disables WAF update capabilities for remote config
+ */
+function disableWafUpdate () {
+  if (rc) {
+    const { ASM_WAF_PRODUCTS } = require('./rc-products')
+    const RuleManager = require('./rule_manager')
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_IP_BLOCKING, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_USER_BLOCKING, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_DD_RULES, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_EXCLUSIONS, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_REQUEST_BLOCKING, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_RESPONSE_BLOCKING, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_CUSTOM_RULES, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_CUSTOM_BLOCKING_RESPONSE, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_TRUSTED_IPS, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_PROCESSOR_OVERRIDES, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_CUSTOM_DATA_SCANNERS, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_EXCLUSION_DATA, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_ENDPOINT_FINGERPRINT, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_SESSION_FINGERPRINT, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_NETWORK_FINGERPRINT, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_HEADER_FINGERPRINT, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_DD_MULTICONFIG, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_TRACE_TAGGING_RULES, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_EXTENDED_DATA_COLLECTION, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SQLI, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SSRF, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_LFI, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_SHI, false)
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_RASP_CMDI, false)
+    rc.unsubscribeProducts(...ASM_WAF_PRODUCTS)
+    rc.removeBatchHandler(RuleManager.updateWafFromRC)
+  }
+}
+module.exports = {
+  enable,
+  enableWafUpdate,
+  disableWafUpdate
+}

package/packages/dd-trace/src/appsec/reporter.js CHANGED Viewed

@@ -1,11 +1,13 @@
 'use strict'
-const dc = require('dc-polyfill')
 const zlib = require('zlib')
+const dc = require('dc-polyfill')
 const { storage } = require('../../../datadog-core')
 const web = require('../plugins/util/web')
 const { ipHeaderList } = require('../plugins/util/ip_extractor')
+const { keepTrace } = require('../priority_sampler')
+const { ASM } = require('../standalone/product')
 const {
   incrementWafInitMetric,
   incrementWafUpdatesMetric,
@@ -16,8 +18,6 @@ const {
   updateRaspRuleSkippedMetricTags,
   getRequestMetrics
 } = require('./telemetry')
-const { keepTrace } = require('../priority_sampler')
-const { ASM } = require('../standalone/product')
 const { DIAGNOSTIC_KEYS } = require('./waf/diagnostics')
 const REQUEST_HEADER_TAG_PREFIX = 'http.request.headers.'

package/packages/dd-trace/src/appsec/rule_manager.js CHANGED Viewed

@@ -1,14 +1,12 @@
 'use strict'
-const fs = require('fs')
+const { readFileSync } = require('node:fs')
 const waf = require('./waf')
 const { DIAGNOSTIC_KEYS } = require('./waf/diagnostics')
-const { ACKNOWLEDGED, ERROR } = require('../remote_config/apply_states')
-const Reporter = require('./reporter')
 const blocking = require('./blocking')
-const ASM_PRODUCTS = new Set(['ASM', 'ASM_DD', 'ASM_DATA'])
+const Reporter = require('./reporter')
+const { ASM_WAF_PRODUCTS_SET } = require('./rc-products')
 /*
   ASM Actions must be tracked in order to update the defaultBlockingActions in blocking. These actions are used
@@ -16,9 +14,21 @@ const ASM_PRODUCTS = new Set(['ASM', 'ASM_DD', 'ASM_DATA'])
  */
 let appliedActions = new Map()
+/**
+ * @typedef {object} AsmConfigFile
+ * @property {Array<Record<string, unknown>>} [actions]
+ */
+/**
+ * @typedef {import('./waf').WAFConfig & { rules?: string }} AppSecConfig
+ */
+/**
+ * @param {AppSecConfig} config
+ */
 function loadRules (config) {
   const defaultRules = config.rules
-    ? JSON.parse(fs.readFileSync(config.rules))
+    ? JSON.parse(readFileSync(config.rules, 'utf8'))
     : require('./recommended.json')
   waf.init(defaultRules, config)
@@ -26,19 +36,26 @@ function loadRules (config) {
   blocking.setDefaultBlockingActionParameters(defaultRules?.actions)
 }
-function updateWafFromRC ({ toUnapply, toApply, toModify }) {
+/**
+ * Apply ASM remote-config updates to the WAF in a single batch.
+ *
+ * @param {import('../remote_config/manager').RcBatchUpdateTransaction} transaction
+ */
+function updateWafFromRC (transaction) {
+  const { toUnapply, toApply, toModify } = transaction
   const newActions = new SpyMap(appliedActions)
   let wafUpdated = false
   let wafUpdatedFailed = false
   for (const item of toUnapply) {
-    if (!ASM_PRODUCTS.has(item.product)) continue
+    if (!ASM_WAF_PRODUCTS_SET.has(item.product)) continue
     try {
       waf.removeConfig(item.path)
-      item.apply_state = ACKNOWLEDGED
+      transaction.ack(item.path)
       wafUpdated = true
       // ASM actions
@@ -46,30 +63,30 @@ function updateWafFromRC ({ toUnapply, toApply, toModify }) {
         newActions.delete(item.id)
       }
     } catch (e) {
-      item.apply_state = ERROR
-      item.apply_error = e.toString()
+      transaction.error(item.path, e)
       wafUpdatedFailed = true
     }
   }
   for (const item of [...toApply, ...toModify]) {
-    if (!ASM_PRODUCTS.has(item.product)) continue
+    if (!ASM_WAF_PRODUCTS_SET.has(item.product)) continue
     try {
       waf.updateConfig(item.product, item.id, item.path, item.file)
-      item.apply_state = ACKNOWLEDGED
+      transaction.ack(item.path)
       wafUpdated = true
       // ASM actions
-      if (item.product === 'ASM' && item.file?.actions?.length) {
-        newActions.set(item.id, item.file.actions)
+      if (item.product === 'ASM') {
+        const asmFile = /** @type {AsmConfigFile} */ (item.file)
+        if (asmFile?.actions?.length) {
+          newActions.set(item.id, asmFile.actions)
+        }
       }
     } catch (e) {
-      item.apply_state = ERROR
-      item.apply_error = e instanceof waf.WafUpdateError
-        ? JSON.stringify(extractErrors(e.diagnosticErrors))
-        : e.toString()
+      const error = e instanceof waf.WafUpdateError ? JSON.stringify(extractErrors(e.diagnosticErrors)) : e
+      transaction.error(item.path, error)
       wafUpdatedFailed = true
     }
   }

package/packages/dd-trace/src/appsec/sdk/index.js CHANGED Viewed

@@ -1,5 +1,6 @@
 'use strict'
+const { setTemplates } = require('../blocking')
 const {
   trackUserLoginSuccessEvent,
   trackUserLoginFailureEvent,
@@ -8,7 +9,6 @@ const {
   trackUserLoginFailureV2
 } = require('./track_event')
 const { checkUserAndSetUser, blockRequest } = require('./user_blocking')
-const { setTemplates } = require('../blocking')
 const { setUser } = require('./set_user')
 class EventTrackingV2 {

package/packages/dd-trace/src/appsec/sdk/set_user.js CHANGED Viewed

@@ -1,9 +1,9 @@
 'use strict'
-const { getRootSpan } = require('./utils')
 const log = require('../../log')
 const waf = require('../waf')
 const addresses = require('../addresses')
+const { getRootSpan } = require('./utils')
 function setUserTags (user, rootSpan) {
   for (const k of Object.keys(user)) {

package/packages/dd-trace/src/appsec/sdk/track_event.js CHANGED Viewed

@@ -1,13 +1,13 @@
 'use strict'
 const log = require('../../log')
-const { getRootSpan } = require('./utils')
-const { setUserTags } = require('./set_user')
 const waf = require('../waf')
 const { keepTrace } = require('../../priority_sampler')
 const addresses = require('../addresses')
 const { ASM } = require('../../standalone/product')
 const { incrementSdkEventMetric } = require('../telemetry')
+const { setUserTags } = require('./set_user')
+const { getRootSpan } = require('./utils')
 /**
  * @deprecated in favor of trackUserLoginSuccessV2

package/packages/dd-trace/src/appsec/sdk/user_blocking.js CHANGED Viewed

@@ -2,11 +2,11 @@
 const { USER_ID } = require('../addresses')
 const waf = require('../waf')
-const { getRootSpan } = require('./utils')
 const { block, getBlockingAction } = require('../blocking')
 const { storage } = require('../../../../datadog-core')
-const { setUserTags } = require('./set_user')
 const log = require('../../log')
+const { setUserTags } = require('./set_user')
+const { getRootSpan } = require('./utils')
 function isUserBlocked (user) {
   const results = waf.run({ persistent: { [USER_ID]: user.id } })

package/packages/dd-trace/src/appsec/user_tracking.js CHANGED Viewed

@@ -2,11 +2,11 @@
 const crypto = require('crypto')
 const log = require('../log')
+const { keepTrace } = require('../priority_sampler')
+const { ASM } = require('../standalone/product')
 const telemetry = require('./telemetry')
 const addresses = require('./addresses')
-const { keepTrace } = require('../priority_sampler')
 const waf = require('./waf')
-const { ASM } = require('../standalone/product')
 // the RFC doesn't include '_id', but it's common in MongoDB
 const USER_ID_FIELDS = ['id', '_id', 'email', 'username', 'login', 'user']