dd-trace 5.86.0 → 5.87.0

package/packages/dd-trace/src/appsec/downstream_requests.js

@@ -0,0 +1,302 @@
+'use strict'
+
+const web = require('../plugins/util/web')
+const log = require('../log')
+const {
+  HTTP_OUTGOING_METHOD,
+  HTTP_OUTGOING_HEADERS,
+  HTTP_OUTGOING_RESPONSE_STATUS,
+  HTTP_OUTGOING_RESPONSE_HEADERS,
+  HTTP_OUTGOING_RESPONSE_BODY,
+} = require('./addresses')
+
+const KNUTH_FACTOR = 11400714819323199488n // eslint-disable-line unicorn/numeric-separators-style
+const UINT64_MAX = (1n << 64n) - 1n
+
+let config
+let samplingRate
+let globalRequestCounter
+let bodyAnalysisCount
+let downstreamAnalysisCount
+let redirectBodyCollectionDecisions
+
+function enable (_config) {
+  config = _config
+  globalRequestCounter = 0n
+  bodyAnalysisCount = new WeakMap()
+  downstreamAnalysisCount = new WeakMap()
+  redirectBodyCollectionDecisions = new WeakMap()
+
+  const bodyAnalysisSampleRate = config.appsec.apiSecurity?.downstreamBodyAnalysisSampleRate
+  samplingRate = Math.min(Math.max(bodyAnalysisSampleRate, 0), 1)
+
+  if (samplingRate !== bodyAnalysisSampleRate) {
+    log.warn(
+      'DD_API_SECURITY_DOWNSTREAM_BODY_ANALYSIS_SAMPLE_RATE value is %s and it\'s out of range',
+      bodyAnalysisSampleRate)
+  }
+}
+
+function disable () {
+  config = null
+  globalRequestCounter = null
+  bodyAnalysisCount = null
+  downstreamAnalysisCount = null
+  redirectBodyCollectionDecisions = null
+}
+
+/**
+ * Check we have a stored redirect body collection decision for a given URL.
+ * @param {import('http').IncomingMessage} req outgoing request.
+ * @param {string} outgoingUrl the URL being requested.
+ * @returns {boolean} the stored decision
+ */
+function consumeRedirectBodyCollectionDecision (req, outgoingUrl) {
+  const decisions = redirectBodyCollectionDecisions.get(req)
+  if (!decisions) return false
+
+  return decisions.delete(outgoingUrl)
+}
+
+/**
+ * Stores a redirect body collection decision for a follow-up request.
+ * @param {import('http').IncomingMessage} req outgoing request.
+ * @param {string} redirectUrl the URL to redirect to.
+ */
+function storeRedirectBodyCollectionDecision (req, redirectUrl) {
+  let decisions = redirectBodyCollectionDecisions.get(req)
+
+  if (!decisions) {
+    decisions = new Set()
+    redirectBodyCollectionDecisions.set(req, decisions)
+  }
+
+  decisions.add(redirectUrl)
+}
+
+/**
+ * Determines whether the current downstream request/responses bodies should be sampled for analysis.
+ * @param {import('http').IncomingMessage} req outgoing request.
+ * @param {string} outgoingUrl the URL being requested (to check for redirect decisions).
+ * @returns {boolean} true when the downstream response body should be captured.
+ */
+function shouldSampleBody (req, outgoingUrl) {
+  // Check if there's a stored decision from a previous redirect
+  const storedDecision = consumeRedirectBodyCollectionDecision(req, outgoingUrl)
+  if (storedDecision) return true
+
+  globalRequestCounter = (globalRequestCounter + 1n) & UINT64_MAX
+
+  const currentCount = bodyAnalysisCount.get(req) || 0
+  if (currentCount >= config.appsec.apiSecurity?.maxDownstreamRequestBodyAnalysis) {
+    return false
+  }
+
+  const hashed = (globalRequestCounter * KNUTH_FACTOR) % UINT64_MAX
+  // Replace 1000n with the accuraccy that we want to maintain
+  const threshold = (UINT64_MAX * BigInt(Math.round(samplingRate * 1000))) / 1000n
+
+  const shouldCollectBody = hashed <= threshold
+
+  // Track body analysis count if we're sampling the response body
+  if (shouldCollectBody) {
+    incrementBodyAnalysisCount(req)
+  }
+
+  return shouldCollectBody
+}
+
+/**
+ * Increments the number of downstream body analyses performed for the given request.
+ * @param {import('http').IncomingMessage} req outgoing request.
+ */
+function incrementBodyAnalysisCount (req) {
+  const currentCount = bodyAnalysisCount.get(req) || 0
+  bodyAnalysisCount.set(req, currentCount + 1)
+}
+
+/**
+ *
+ * @param {object} headers
+ * @returns {object} the headers with all keys converted to lowercase
+ */
+function lowercaseHeaderKeys (headers) {
+  return Object.fromEntries(Object.entries(headers).map(([key, value]) => [key.toLowerCase(), value]))
+}
+
+/**
+ * Extracts request data from the context for WAF analysis
+ * @param {object} ctx context for the outgoing downstream request.
+ * @returns {object} a map of addresses and request data.
+ */
+function extractRequestData (ctx) {
+  const addresses = {}
+
+  const options = ctx?.args?.options || {}
+
+  addresses[HTTP_OUTGOING_METHOD] = getMethod(options.method)
+
+  const headers = options?.headers
+  if (headers && Object.keys(headers).length > 0) {
+    addresses[HTTP_OUTGOING_HEADERS] = lowercaseHeaderKeys(headers)
+  }
+
+  return addresses
+}
+
+/**
+ * Checks if a response is a redirect
+ * @param {import('http').IncomingMessage} req incoming server request.
+ * @param {import('http').IncomingMessage} res downstream response object.
+ * @returns {boolean} is redirect.
+ */
+function handleRedirectResponse (req, res) {
+  const isRedirect = res.statusCode >= 300 && res.statusCode < 400
+  const redirectLocation = res.headers?.location || ''
+
+  if (isRedirect && redirectLocation) {
+    // Store the body collection decision for the redirect target
+    storeRedirectBodyCollectionDecision(req, redirectLocation)
+    return true
+  }
+
+  return false
+}
+
+/**
+ * Extracts response data for WAF analysis.
+ * @param {import('http').IncomingMessage} res downstream response object.
+ * @param {Buffer|string|object|null} responseBody response body.
+ * @returns {object} a map of addresses and response data.
+ */
+function extractResponseData (res, responseBody) {
+  const addresses = {}
+
+  if (res.statusCode) {
+    addresses[HTTP_OUTGOING_RESPONSE_STATUS] = String(res.statusCode)
+  }
+
+  const headers = res.headers
+  if (headers && Object.keys(headers).length > 0) {
+    addresses[HTTP_OUTGOING_RESPONSE_HEADERS] = headers
+  }
+
+  if (responseBody) {
+    // Parse the body based on content-type
+    const contentType = res.headers?.['content-type']
+    const body = parseBody(responseBody, contentType)
+
+    if (body) {
+      addresses[HTTP_OUTGOING_RESPONSE_BODY] = body
+    }
+  }
+
+  return addresses
+}
+
+/**
+ * Tracks how many downstream analyses were executed for a given request and updates tracing tags.
+ * @param {import('http').IncomingMessage} req outgoing request.
+ */
+function incrementDownstreamAnalysisCount (req) {
+  const currentCount = downstreamAnalysisCount.get(req) || 0
+  downstreamAnalysisCount.set(req, currentCount + 1)
+
+  const span = web.root(req)
+
+  if (span) {
+    span.setTag('_dd.appsec.downstream_request', currentCount + 1)
+  }
+}
+
+/**
+ * Returns the HTTP method to use for a downstream request, defaulting to GET.
+ * @param {string} method method supplied in the outgoing request options.
+ * @returns {string} validated HTTP method.
+ */
+function getMethod (method) {
+  return typeof method === 'string' && method ? method : 'GET'
+}
+
+/**
+ * Parses a downstream response body.
+ * @param {Buffer|string|object|null} body raw response body
+ * @param {string|null} contentType response content-type used to select the parser.
+ * @returns {object|null} parsed body object or null when not supported.
+ */
+function parseBody (body, contentType) {
+  if (!body || !contentType) {
+    return null
+  }
+
+  const mime = extractMimeType(contentType)
+
+  try {
+    if (mime === 'application/json' || mime === 'text/json') {
+      if (typeof body === 'string') {
+        return JSON.parse(body)
+      }
+
+      if (Buffer.isBuffer(body)) {
+        return JSON.parse(body.toString('utf8'))
+      }
+
+      return null
+    }
+
+    if (mime === 'application/x-www-form-urlencoded') {
+      const formBody = Buffer.isBuffer(body) ? body.toString('utf8') : String(body)
+      const params = new URLSearchParams(formBody)
+      const result = {}
+      for (const [key, value] of params.entries()) {
+        if (key in result) {
+          const existing = result[key]
+          if (Array.isArray(existing)) {
+            existing.push(value)
+          } else {
+            result[key] = [existing, value]
+          }
+        } else {
+          result[key] = value
+        }
+      }
+
+      return result
+    }
+
+    // multipart/form-data is mentioned in RFC but parsing is complex.
+    // Other content-types also discarded per RFC
+
+    return null
+  } catch {
+    // Parsing failed: return null to avoid sending malformed body to WAF
+    return null
+  }
+}
+
+/**
+ * Extracts the MIME type portion of a content-type header value.
+ * @param {string|null} contentType raw content-type header value.
+ * @returns {string|null} lowercase mime type
+ */
+function extractMimeType (contentType) {
+  if (typeof contentType !== 'string') {
+    return null
+  }
+
+  return contentType.split(';', 1)[0].trim().toLowerCase()
+}
+
+module.exports = {
+  enable,
+  disable,
+  shouldSampleBody,
+  handleRedirectResponse,
+  incrementDownstreamAnalysisCount,
+  extractRequestData,
+  extractResponseData,
+  // exports for tests
+  parseBody,
+  getMethod,
+  storeRedirectBodyCollectionDecision,
+}

package/packages/dd-trace/src/appsec/index.js

@@ -30,6 +30,9 @@ const {
   routerParam,
   fastifyResponseChannel,
   fastifyPathParams,
+  stripeCheckoutSessionCreate,
+  stripePaymentIntentCreate,
+  stripeConstructEvent,
 } = require('./channels')
 const waf = require('./waf')
 const addresses = require('./addresses')
@@ -92,6 +95,9 @@ function enable (_config) {
     fastifyResponseChannel.subscribe(onResponseBody)
     responseWriteHead.subscribe(onResponseWriteHead)
     responseSetHeader.subscribe(onResponseSetHeader)
+    stripeCheckoutSessionCreate.subscribe(onStripeCheckoutSessionCreate)
+    stripePaymentIntentCreate.subscribe(onStripePaymentIntentCreate)
+    stripeConstructEvent.subscribe(onStripeConstructEvent)
 
     isEnabled = true
     config = _config
@@ -382,6 +388,100 @@ function onResponseSetHeader ({ res, abortController }) {
   }
 }
 
+function onStripeCheckoutSessionCreate (payload) {
+  if (payload?.mode !== 'payment') return
+
+  waf.run({
+    persistent: {
+      [addresses.PAYMENT_CREATION]: {
+        integration: 'stripe',
+        id: payload.id,
+        amount_total: payload.amount_total,
+        client_reference_id: payload.client_reference_id,
+        currency: payload.currency,
+        'discounts.coupon': payload.discounts?.[0]?.coupon,
+        'discounts.promotion_code': payload.discounts?.[0]?.promotion_code,
+        livemode: payload.livemode,
+        'total_details.amount_discount': payload.total_details?.amount_discount,
+        'total_details.amount_shipping': payload.total_details?.amount_shipping,
+      },
+    },
+  })
+}
+
+function onStripePaymentIntentCreate (payload) {
+  if (payload === null || typeof payload !== 'object') return
+
+  waf.run({
+    persistent: {
+      [addresses.PAYMENT_CREATION]: {
+        integration: 'stripe',
+        id: payload.id,
+        amount: payload.amount,
+        currency: payload.currency,
+        livemode: payload.livemode,
+        payment_method: payload.payment_method,
+      },
+    },
+  })
+}
+
+function onStripeConstructEvent (payload) {
+  const object = payload?.data?.object
+  if (object === null || typeof object !== 'object') return
+
+  let persistent
+
+  switch (payload.type) {
+    case 'payment_intent.succeeded':
+      persistent = {
+        [addresses.PAYMENT_SUCCESS]: {
+          integration: 'stripe',
+          id: object.id,
+          amount: object.amount,
+          currency: object.currency,
+          livemode: object.livemode,
+          payment_method: object.payment_method,
+        },
+      }
+      break
+
+    case 'payment_intent.payment_failed':
+      persistent = {
+        [addresses.PAYMENT_FAILURE]: {
+          integration: 'stripe',
+          id: object.id,
+          amount: object.amount,
+          currency: object.currency,
+          'last_payment_error.code': object.last_payment_error?.code,
+          'last_payment_error.decline_code': object.last_payment_error?.decline_code,
+          'last_payment_error.payment_method.id': object.last_payment_error?.payment_method?.id,
+          'last_payment_error.payment_method.type': object.last_payment_error?.payment_method?.type,
+          livemode: object.livemode,
+        },
+      }
+      break
+
+    case 'payment_intent.canceled':
+      persistent = {
+        [addresses.PAYMENT_CANCELLATION]: {
+          integration: 'stripe',
+          id: object.id,
+          amount: object.amount,
+          cancellation_reason: object.cancellation_reason,
+          currency: object.currency,
+          livemode: object.livemode,
+        },
+      }
+      break
+
+    default:
+      return
+  }
+
+  waf.run({ persistent })
+}
+
 function handleResults (actions, req, res, rootSpan, abortController) {
   if (!actions || !req || !res || !rootSpan || !abortController) return
 
@@ -427,6 +527,9 @@ function disable () {
   if (fastifyResponseChannel.hasSubscribers) fastifyResponseChannel.unsubscribe(onResponseBody)
   if (responseWriteHead.hasSubscribers) responseWriteHead.unsubscribe(onResponseWriteHead)
   if (responseSetHeader.hasSubscribers) responseSetHeader.unsubscribe(onResponseSetHeader)
+  if (stripeCheckoutSessionCreate.hasSubscribers) stripeCheckoutSessionCreate.unsubscribe(onStripeCheckoutSessionCreate)
+  if (stripePaymentIntentCreate.hasSubscribers) stripePaymentIntentCreate.unsubscribe(onStripePaymentIntentCreate)
+  if (stripeConstructEvent.hasSubscribers) stripeConstructEvent.unsubscribe(onStripeConstructEvent)
 }
 
 // this is faster than Object.keys().length === 0

package/packages/dd-trace/src/appsec/rasp/ssrf.js

@@ -1,21 +1,32 @@
 'use strict'
 
 const { format } = require('url')
-const { httpClientRequestStart } = require('../channels')
+const {
+  httpClientRequestStart,
+  httpClientResponseFinish,
+} = require('../channels')
 const { storage } = require('../../../../datadog-core')
 const addresses = require('../addresses')
 const waf = require('../waf')
+const downstream = require('../downstream_requests')
+const { updateRaspRuleMatchMetricTags } = require('../telemetry')
 const { RULE_TYPES, handleResult } = require('./utils')
 
 let config
 
 function enable (_config) {
   config = _config
+  downstream.enable(_config)
+
   httpClientRequestStart.subscribe(analyzeSsrf)
+  httpClientResponseFinish.subscribe(handleResponseFinish)
 }
 
 function disable () {
+  downstream.disable()
+
   if (httpClientRequestStart.hasSubscribers) httpClientRequestStart.unsubscribe(analyzeSsrf)
+  if (httpClientResponseFinish.hasSubscribers) httpClientResponseFinish.unsubscribe(handleResponseFinish)
 }
 
 function analyzeSsrf (ctx) {
@@ -25,16 +36,67 @@ function analyzeSsrf (ctx) {
 
   if (!req || !outgoingUrl) return
 
+  // Determine if we should collect the response body based on sampling rate and redirect URL
+  ctx.shouldCollectBody = downstream.shouldSampleBody(req, outgoingUrl)
+
+  const requestAddresses = downstream.extractRequestData(ctx)
+
   const ephemeral = {
     [addresses.HTTP_OUTGOING_URL]: outgoingUrl,
+    ...requestAddresses,
   }
 
-  const raspRule = { type: RULE_TYPES.SSRF }
+  const raspRule = { type: RULE_TYPES.SSRF, variant: 'request' }
 
   const result = waf.run({ ephemeral }, req, raspRule)
 
-  const res = store?.res
-  handleResult(result, req, res, ctx.abortController, config, raspRule)
+  handleResult(result, req, store?.res, ctx.abortController, config, raspRule)
+
+  downstream.incrementDownstreamAnalysisCount(req)
+}
+
+/**
+ * Finalizes body collection for the response and triggers RASP analysis.
+ * @param {{
+ *   ctx: object,
+ *   res: import('http').IncomingMessage,
+ *   body: string|Buffer|null
+ * }} payload event payload from the channel.
+ */
+function handleResponseFinish ({ ctx, res, body }) {
+  // downstream response object
+  if (!res) return
+
+  const store = storage('legacy').getStore()
+  const originatingRequest = store?.req
+  if (!originatingRequest) return
+
+  // Skip body analysis for redirect responses
+  const evaluateBody = ctx.shouldCollectBody && !downstream.handleRedirectResponse(originatingRequest, res)
+  const responseBody = evaluateBody ? body : null
+  runResponseEvaluation(res, originatingRequest, responseBody)
+}
+
+/**
+ * Evaluates the downstream response and records telemetry.
+ * @param {import('http').IncomingMessage} res incoming response from downstream service.
+ * @param {import('http').IncomingMessage} req originating request.
+ * @param {string|Buffer|null} responseBody collected downstream response body.
+ */
+function runResponseEvaluation (res, req, responseBody) {
+  const responseAddresses = downstream.extractResponseData(res, responseBody)
+
+  if (!Object.keys(responseAddresses).length) return
+
+  const raspRule = { type: RULE_TYPES.SSRF, variant: 'response' }
+  const result = waf.run({ ephemeral: responseAddresses }, req, raspRule)
+
+  // TODO: this should be done in the waf functions directly instead of calling it everywhere
+  const ruleTriggered = !!result?.events?.length
+
+  if (ruleTriggered) {
+    updateRaspRuleMatchMetricTags(req, raspRule, false, false)
+  }
 }
 
 module.exports = { enable, disable }

package/packages/dd-trace/src/ci-visibility/dynamic-instrumentation/worker/index.js

@@ -16,6 +16,12 @@ const session = require('../../../debugger/devtools_client/session')
 const { getGeneratedPosition } = require('../../../debugger/devtools_client/source-maps')
 // TODO: move debugger/devtools_client/snapshot to common place
 const { getLocalStateForCallFrame } = require('../../../debugger/devtools_client/snapshot')
+const {
+  DEFAULT_MAX_REFERENCE_DEPTH,
+  DEFAULT_MAX_COLLECTION_SIZE,
+  DEFAULT_MAX_FIELD_COUNT,
+  DEFAULT_MAX_LENGTH,
+} = require('../../../debugger/devtools_client/snapshot/constants')
 // TODO: move debugger/devtools_client/state to common place
 const {
   findScriptFromPartialPath,
@@ -29,6 +35,13 @@ let sessionStarted = false
 const breakpointIdToProbe = new Map()
 const probeIdToBreakpointId = new Map()
 
+const limits = {
+  maxReferenceDepth: DEFAULT_MAX_REFERENCE_DEPTH,
+  maxCollectionSize: DEFAULT_MAX_COLLECTION_SIZE,
+  maxFieldCount: DEFAULT_MAX_FIELD_COUNT,
+  maxLength: DEFAULT_MAX_LENGTH,
+}
+
 session.on('Debugger.paused', async ({ params: { hitBreakpoints: [hitBreakpoint], callFrames } }) => {
   const probe = breakpointIdToProbe.get(hitBreakpoint)
   if (!probe) {
@@ -38,7 +51,7 @@ session.on('Debugger.paused', async ({ params: { hitBreakpoints: [hitBreakpoint]
 
   const stack = await getStackFromCallFrames(callFrames)
 
-  const { processLocalState } = await getLocalStateForCallFrame(callFrames[0])
+  const { processLocalState } = await getLocalStateForCallFrame(callFrames[0], limits)
 
   await session.post('Debugger.resume')
 

package/packages/dd-trace/src/config/defaults.js

@@ -26,6 +26,8 @@ module.exports = {
   'appsec.apiSecurity.sampleDelay': 30,
   'appsec.apiSecurity.endpointCollectionEnabled': true,
   'appsec.apiSecurity.endpointCollectionMessageLimit': 300,
+  'appsec.apiSecurity.downstreamBodyAnalysisSampleRate': 0.5,
+  'appsec.apiSecurity.maxDownstreamRequestBodyAnalysis': 1,
   'appsec.blockedTemplateGraphql': undefined,
   'appsec.blockedTemplateHtml': undefined,
   'appsec.blockedTemplateJson': undefined,

package/packages/dd-trace/src/config/index.js

@@ -255,6 +255,8 @@ class Config {
       DD_API_SECURITY_SAMPLE_DELAY,
       DD_API_SECURITY_ENDPOINT_COLLECTION_ENABLED,
       DD_API_SECURITY_ENDPOINT_COLLECTION_MESSAGE_LIMIT,
+      DD_API_SECURITY_DOWNSTREAM_BODY_ANALYSIS_SAMPLE_RATE,
+      DD_API_SECURITY_MAX_DOWNSTREAM_REQUEST_BODY_ANALYSIS,
       DD_APM_TRACING_ENABLED,
       DD_APP_KEY,
       DD_APPSEC_AUTO_USER_INSTRUMENTATION_MODE,
@@ -540,6 +542,10 @@ class Config {
     unprocessedTarget['appsec.stackTrace.maxStackTraces'] = DD_APPSEC_MAX_STACK_TRACES
     target['appsec.wafTimeout'] = maybeInt(DD_APPSEC_WAF_TIMEOUT)
     unprocessedTarget['appsec.wafTimeout'] = DD_APPSEC_WAF_TIMEOUT
+    target['appsec.apiSecurity.downstreamBodyAnalysisSampleRate'] =
+      maybeFloat(DD_API_SECURITY_DOWNSTREAM_BODY_ANALYSIS_SAMPLE_RATE)
+    target['appsec.apiSecurity.maxDownstreamRequestBodyAnalysis'] =
+      maybeInt(DD_API_SECURITY_MAX_DOWNSTREAM_REQUEST_BODY_ANALYSIS)
     target.baggageMaxBytes = DD_TRACE_BAGGAGE_MAX_BYTES
     target.baggageMaxItems = DD_TRACE_BAGGAGE_MAX_ITEMS
     target.baggageTagKeys = DD_TRACE_BAGGAGE_TAG_KEYS

package/packages/dd-trace/src/config/supported-configurations.json

@@ -15,6 +15,8 @@
     "DD_API_SECURITY_SAMPLE_DELAY": ["A"],
     "DD_API_SECURITY_ENDPOINT_COLLECTION_ENABLED": ["A"],
     "DD_API_SECURITY_ENDPOINT_COLLECTION_MESSAGE_LIMIT": ["A"],
+    "DD_API_SECURITY_DOWNSTREAM_BODY_ANALYSIS_SAMPLE_RATE": ["A"],
+    "DD_API_SECURITY_MAX_DOWNSTREAM_REQUEST_BODY_ANALYSIS": ["A"],
     "DD_APM_FLUSH_DEADLINE_MILLISECONDS": ["A"],
     "DD_APM_TRACING_ENABLED": ["A"],
     "DD_APP_KEY": ["A"],

package/packages/dd-trace/src/debugger/devtools_client/breakpoints.js

@@ -3,8 +3,14 @@
 const mutex = require('../../../../../vendor/dist/mutexify/promise')()
 const { getGeneratedPosition } = require('./source-maps')
 const session = require('./session')
-const { compile: compileCondition, compileSegments, templateRequiresEvaluation } = require('./condition')
+const { compile, compileSegments, templateRequiresEvaluation } = require('./condition')
 const { MAX_SNAPSHOTS_PER_SECOND_PER_PROBE, MAX_NON_SNAPSHOTS_PER_SECOND_PER_PROBE } = require('./defaults')
+const {
+  DEFAULT_MAX_REFERENCE_DEPTH,
+  DEFAULT_MAX_COLLECTION_SIZE,
+  DEFAULT_MAX_FIELD_COUNT,
+  DEFAULT_MAX_LENGTH,
+} = require('./snapshot/constants')
 const {
   findScriptFromPartialPath,
   clearState,
@@ -99,7 +105,7 @@ async function addBreakpoint (probe) {
   }
 
   try {
-    probe.condition = probe.when?.json && compileCondition(probe.when.json)
+    probe.condition = probe.when?.json && compile(probe.when.json)
   } catch (err) {
     throw new Error(
       `Cannot compile expression: ${probe.when.dsl} (probe: ${probe.id}, version: ${probe.version})`,
@@ -107,6 +113,45 @@ async function addBreakpoint (probe) {
     )
   }
 
+  if (probe.captureSnapshot) {
+    probe.capture = {
+      maxReferenceDepth: probe.capture?.maxReferenceDepth ?? DEFAULT_MAX_REFERENCE_DEPTH,
+      maxCollectionSize: probe.capture?.maxCollectionSize ?? DEFAULT_MAX_COLLECTION_SIZE,
+      maxFieldCount: probe.capture?.maxFieldCount ?? DEFAULT_MAX_FIELD_COUNT,
+      maxLength: probe.capture?.maxLength ?? DEFAULT_MAX_LENGTH,
+    }
+  }
+
+  if (probe.captureExpressions?.length > 0) {
+    probe.compiledCaptureExpressions = []
+    for (const captureExpr of probe.captureExpressions) {
+      let expression
+      try {
+        expression = compile(captureExpr.expr.json)
+      } catch (err) {
+        throw new Error(
+          `Cannot compile capture expression: ${captureExpr.name} (probe: ${probe.id}, version: ${probe.version})`,
+          { cause: err }
+        )
+      }
+
+      probe.compiledCaptureExpressions.push({
+        name: captureExpr.name,
+        expression,
+        limits: {
+          maxReferenceDepth: captureExpr.capture?.maxReferenceDepth ??
+            probe.capture?.maxReferenceDepth ?? DEFAULT_MAX_REFERENCE_DEPTH,
+          maxCollectionSize: captureExpr.capture?.maxCollectionSize ??
+            probe.capture?.maxCollectionSize ?? DEFAULT_MAX_COLLECTION_SIZE,
+          maxFieldCount: captureExpr.capture?.maxFieldCount ??
+            probe.capture?.maxFieldCount ?? DEFAULT_MAX_FIELD_COUNT,
+          maxLength: captureExpr.capture?.maxLength ??
+            probe.capture?.maxLength ?? DEFAULT_MAX_LENGTH,
+        },
+      })
+    }
+  }
+
   const locationKey = generateLocationKey(scriptId, lineNumber, columnNumber)
   const breakpoint = locationToBreakpoint.get(locationKey)