dd-trace 5.86.0 → 5.88.0

package/packages/dd-trace/src/appsec/iast/path-line.js

@@ -8,29 +8,40 @@ const { getOriginalPathAndLineFromSourceMap } = require('./taint-tracking/rewrit
 const pathLine = {
   getNodeModulesPaths,
   getRelativePath,
-  getNonDDCallSiteFrames,
+  getCallSiteFramesForLocation,
   ddBasePath, // Exported only for test purposes
 }
 
 const EXCLUDED_PATHS = [
   path.join(path.sep, 'node_modules', 'dc-polyfill'),
 ]
-const EXCLUDED_PATH_PREFIXES = [
-  'node:diagnostics_channel',
-  'diagnostics_channel',
-  'node:child_process',
-  'child_process',
-  'node:async_hooks',
-  'async_hooks',
-  'node:internal/async_local_storage',
-]
 
-function getNonDDCallSiteFrames (callSiteFrames, externallyExcludedPaths) {
+/**
+ * Processes and filters call site frames to find the best location for a vulnerability.
+ * Returns client frames if available, otherwise falls back to all processed frames.
+ * Excludes dd-trace frames and all Node.js built-in/internal modules (node:*).
+ * @param {CallSiteFrame[]} callSiteFrames
+ * @param {string[]} externallyExcludedPaths
+ * @returns {CallSiteFrame[]} Client frames if available, otherwise all processed frames
+ *
+ * @typedef {object} CallSiteFrame
+ * @property {number} id
+ * @property {string} file - Original file path
+ * @property {number} line
+ * @property {number} column
+ * @property {string} function
+ * @property {string} class_name
+ * @property {boolean} isNative
+ * @property {string} [path] - Relative path, added during processing
+ * @property {boolean} [isInternal] - Whether the frame is internal, added during processing
+ */
+function getCallSiteFramesForLocation (callSiteFrames, externallyExcludedPaths) {
   if (!callSiteFrames) {
     return []
   }
 
-  const result = []
+  const allFrames = []
+  const clientFrames = []
 
   for (const callsite of callSiteFrames) {
     let filepath = callsite.file?.startsWith('file://') ? fileURLToPath(callsite.file) : callsite.file
@@ -47,18 +58,22 @@ function getNonDDCallSiteFrames (callSiteFrames, externallyExcludedPaths) {
       callsite.column = column
     }
 
-    if (
-      !isExcluded(callsite, externallyExcludedPaths) &&
-      (!filepath.includes(pathLine.ddBasePath) || globalThis.__DD_ESBUILD_IAST_WITH_NO_SM)
-    ) {
+    if (filepath) {
       callsite.path = getRelativePath(filepath)
       callsite.isInternal = !path.isAbsolute(filepath)
 
-      result.push(callsite)
+      allFrames.push(callsite)
+
+      if (
+        !isExcluded(callsite, externallyExcludedPaths) &&
+        (!filepath.includes(pathLine.ddBasePath) || globalThis.__DD_ESBUILD_IAST_WITH_NO_SM)
+      ) {
+        clientFrames.push(callsite)
+      }
     }
   }
 
-  return result
+  return clientFrames.length > 0 ? clientFrames : allFrames
 }
 
 function getRelativePath (filepath) {
@@ -67,10 +82,12 @@ function getRelativePath (filepath) {
 
 function isExcluded (callsite, externallyExcludedPaths) {
   if (callsite.isNative) return true
+
   const filename = globalThis.__DD_ESBUILD_IAST_WITH_SM ? callsite.path : callsite.file
-  if (!filename) {
+  if (!filename || filename.startsWith('node:')) {
     return true
   }
+
   let excludedPaths = EXCLUDED_PATHS
   if (externallyExcludedPaths) {
     excludedPaths = [...excludedPaths, ...externallyExcludedPaths]
@@ -82,12 +99,6 @@ function isExcluded (callsite, externallyExcludedPaths) {
     }
   }
 
-  for (const EXCLUDED_PATH_PREFIX of EXCLUDED_PATH_PREFIXES) {
-    if (filename.indexOf(EXCLUDED_PATH_PREFIX) === 0) {
-      return true
-    }
-  }
-
   return false
 }
 

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/command-sensitive-analyzer.js

@@ -10,7 +10,7 @@ module.exports = function extractSensitiveRanges (evidence) {
     pattern.lastIndex = 0
 
     const regexResult = pattern.exec(evidence.value)
-    if (regexResult && regexResult.length > 1) {
+    if (regexResult?.length > 1) {
       const start = regexResult.index + (regexResult[0].length - regexResult[1].length)
       const end = start + regexResult[1].length
       return [{ start, end }]

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js

@@ -3,6 +3,7 @@
 
 const log = require('../../../../log')
 const vulnerabilities = require('../../vulnerabilities')
+const defaults = require('../../../../config/defaults')
 
 const { contains, intersects, remove } = require('./range-utils')
 
@@ -14,14 +15,12 @@ const sqlSensitiveAnalyzer = require('./sensitive-analyzers/sql-sensitive-analyz
 const taintedRangeBasedSensitiveAnalyzer = require('./sensitive-analyzers/tainted-range-based-sensitive-analyzer')
 const urlSensitiveAnalyzer = require('./sensitive-analyzers/url-sensitive-analyzer')
 
-const { DEFAULT_IAST_REDACTION_NAME_PATTERN, DEFAULT_IAST_REDACTION_VALUE_PATTERN } = require('./sensitive-regex')
-
 const REDACTED_SOURCE_BUFFER = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
 
 class SensitiveHandler {
   constructor () {
-    this._namePattern = new RegExp(DEFAULT_IAST_REDACTION_NAME_PATTERN, 'gmi')
-    this._valuePattern = new RegExp(DEFAULT_IAST_REDACTION_VALUE_PATTERN, 'gmi')
+    this._namePattern = new RegExp(/** @type {string} */ (defaults['iast.redactionNamePattern']), 'gmi')
+    this._valuePattern = new RegExp(/** @type {string} */ (defaults['iast.redactionValuePattern']), 'gmi')
 
     this._sensitiveAnalyzers = new Map()
     this._sensitiveAnalyzers.set(vulnerabilities.CODE_INJECTION, taintedRangeBasedSensitiveAnalyzer)

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/utils.js

@@ -1,7 +1,8 @@
 'use strict'
 
 const crypto = require('crypto')
-const { DEFAULT_IAST_REDACTION_VALUE_PATTERN } = require('./evidence-redaction/sensitive-regex')
+
+const defaults = require('../../../config/defaults')
 
 const STRINGIFY_RANGE_KEY = 'DD_' + crypto.randomBytes(20).toString('hex')
 const STRINGIFY_SENSITIVE_KEY = STRINGIFY_RANGE_KEY + 'SENSITIVE'
@@ -11,7 +12,7 @@ const STRINGIFY_SENSITIVE_NOT_STRING_KEY = STRINGIFY_SENSITIVE_KEY + 'NOTSTRING'
 const KEYS_REGEX_WITH_SENSITIVE_RANGES = new RegExp(String.raw`(?:"(${STRINGIFY_RANGE_KEY}_\d+_))|(?:"(${STRINGIFY_SENSITIVE_KEY}_\d+_(\d+)_))|("${STRINGIFY_SENSITIVE_NOT_STRING_KEY}_\d+_([\s0-9.a-zA-Z]*)")`, 'gm')
 const KEYS_REGEX_WITHOUT_SENSITIVE_RANGES = new RegExp(String.raw`"(${STRINGIFY_RANGE_KEY}_\d+_)`, 'gm')
 
-const sensitiveValueRegex = new RegExp(DEFAULT_IAST_REDACTION_VALUE_PATTERN, 'gmi')
+const sensitiveValueRegex = new RegExp(/** @type {string} */ (defaults['iast.redactionValuePattern']), 'gmi')
 
 function iterateObject (target, fn, levelKeys = [], depth = 10, visited = new Set()) {
   for (const key of Object.keys(target)) {

package/packages/dd-trace/src/appsec/index.js

@@ -30,6 +30,9 @@ const {
   routerParam,
   fastifyResponseChannel,
   fastifyPathParams,
+  stripeCheckoutSessionCreate,
+  stripePaymentIntentCreate,
+  stripeConstructEvent,
 } = require('./channels')
 const waf = require('./waf')
 const addresses = require('./addresses')
@@ -92,6 +95,9 @@ function enable (_config) {
     fastifyResponseChannel.subscribe(onResponseBody)
     responseWriteHead.subscribe(onResponseWriteHead)
     responseSetHeader.subscribe(onResponseSetHeader)
+    stripeCheckoutSessionCreate.subscribe(onStripeCheckoutSessionCreate)
+    stripePaymentIntentCreate.subscribe(onStripePaymentIntentCreate)
+    stripeConstructEvent.subscribe(onStripeConstructEvent)
 
     isEnabled = true
     config = _config
@@ -382,6 +388,100 @@ function onResponseSetHeader ({ res, abortController }) {
   }
 }
 
+function onStripeCheckoutSessionCreate (payload) {
+  if (payload?.mode !== 'payment') return
+
+  waf.run({
+    persistent: {
+      [addresses.PAYMENT_CREATION]: {
+        integration: 'stripe',
+        id: payload.id,
+        amount_total: payload.amount_total,
+        client_reference_id: payload.client_reference_id,
+        currency: payload.currency,
+        'discounts.coupon': payload.discounts?.[0]?.coupon,
+        'discounts.promotion_code': payload.discounts?.[0]?.promotion_code,
+        livemode: payload.livemode,
+        'total_details.amount_discount': payload.total_details?.amount_discount,
+        'total_details.amount_shipping': payload.total_details?.amount_shipping,
+      },
+    },
+  })
+}
+
+function onStripePaymentIntentCreate (payload) {
+  if (payload === null || typeof payload !== 'object') return
+
+  waf.run({
+    persistent: {
+      [addresses.PAYMENT_CREATION]: {
+        integration: 'stripe',
+        id: payload.id,
+        amount: payload.amount,
+        currency: payload.currency,
+        livemode: payload.livemode,
+        payment_method: payload.payment_method,
+      },
+    },
+  })
+}
+
+function onStripeConstructEvent (payload) {
+  const object = payload?.data?.object
+  if (object === null || typeof object !== 'object') return
+
+  let persistent
+
+  switch (payload.type) {
+    case 'payment_intent.succeeded':
+      persistent = {
+        [addresses.PAYMENT_SUCCESS]: {
+          integration: 'stripe',
+          id: object.id,
+          amount: object.amount,
+          currency: object.currency,
+          livemode: object.livemode,
+          payment_method: object.payment_method,
+        },
+      }
+      break
+
+    case 'payment_intent.payment_failed':
+      persistent = {
+        [addresses.PAYMENT_FAILURE]: {
+          integration: 'stripe',
+          id: object.id,
+          amount: object.amount,
+          currency: object.currency,
+          'last_payment_error.code': object.last_payment_error?.code,
+          'last_payment_error.decline_code': object.last_payment_error?.decline_code,
+          'last_payment_error.payment_method.id': object.last_payment_error?.payment_method?.id,
+          'last_payment_error.payment_method.type': object.last_payment_error?.payment_method?.type,
+          livemode: object.livemode,
+        },
+      }
+      break
+
+    case 'payment_intent.canceled':
+      persistent = {
+        [addresses.PAYMENT_CANCELLATION]: {
+          integration: 'stripe',
+          id: object.id,
+          amount: object.amount,
+          cancellation_reason: object.cancellation_reason,
+          currency: object.currency,
+          livemode: object.livemode,
+        },
+      }
+      break
+
+    default:
+      return
+  }
+
+  waf.run({ persistent })
+}
+
 function handleResults (actions, req, res, rootSpan, abortController) {
   if (!actions || !req || !res || !rootSpan || !abortController) return
 
@@ -427,6 +527,9 @@ function disable () {
   if (fastifyResponseChannel.hasSubscribers) fastifyResponseChannel.unsubscribe(onResponseBody)
   if (responseWriteHead.hasSubscribers) responseWriteHead.unsubscribe(onResponseWriteHead)
   if (responseSetHeader.hasSubscribers) responseSetHeader.unsubscribe(onResponseSetHeader)
+  if (stripeCheckoutSessionCreate.hasSubscribers) stripeCheckoutSessionCreate.unsubscribe(onStripeCheckoutSessionCreate)
+  if (stripePaymentIntentCreate.hasSubscribers) stripePaymentIntentCreate.unsubscribe(onStripePaymentIntentCreate)
+  if (stripeConstructEvent.hasSubscribers) stripeConstructEvent.unsubscribe(onStripeConstructEvent)
 }
 
 // this is faster than Object.keys().length === 0

package/packages/dd-trace/src/appsec/rasp/ssrf.js

@@ -1,21 +1,32 @@
 'use strict'
 
 const { format } = require('url')
-const { httpClientRequestStart } = require('../channels')
+const {
+  httpClientRequestStart,
+  httpClientResponseFinish,
+} = require('../channels')
 const { storage } = require('../../../../datadog-core')
 const addresses = require('../addresses')
 const waf = require('../waf')
+const downstream = require('../downstream_requests')
+const { updateRaspRuleMatchMetricTags } = require('../telemetry')
 const { RULE_TYPES, handleResult } = require('./utils')
 
 let config
 
 function enable (_config) {
   config = _config
+  downstream.enable(_config)
+
   httpClientRequestStart.subscribe(analyzeSsrf)
+  httpClientResponseFinish.subscribe(handleResponseFinish)
 }
 
 function disable () {
+  downstream.disable()
+
   if (httpClientRequestStart.hasSubscribers) httpClientRequestStart.unsubscribe(analyzeSsrf)
+  if (httpClientResponseFinish.hasSubscribers) httpClientResponseFinish.unsubscribe(handleResponseFinish)
 }
 
 function analyzeSsrf (ctx) {
@@ -25,16 +36,67 @@ function analyzeSsrf (ctx) {
 
   if (!req || !outgoingUrl) return
 
+  // Determine if we should collect the response body based on sampling rate and redirect URL
+  ctx.shouldCollectBody = downstream.shouldSampleBody(req, outgoingUrl)
+
+  const requestAddresses = downstream.extractRequestData(ctx)
+
   const ephemeral = {
     [addresses.HTTP_OUTGOING_URL]: outgoingUrl,
+    ...requestAddresses,
   }
 
-  const raspRule = { type: RULE_TYPES.SSRF }
+  const raspRule = { type: RULE_TYPES.SSRF, variant: 'request' }
 
   const result = waf.run({ ephemeral }, req, raspRule)
 
-  const res = store?.res
-  handleResult(result, req, res, ctx.abortController, config, raspRule)
+  handleResult(result, req, store?.res, ctx.abortController, config, raspRule)
+
+  downstream.incrementDownstreamAnalysisCount(req)
+}
+
+/**
+ * Finalizes body collection for the response and triggers RASP analysis.
+ * @param {{
+ *   ctx: object,
+ *   res: import('http').IncomingMessage,
+ *   body: string|Buffer|null
+ * }} payload event payload from the channel.
+ */
+function handleResponseFinish ({ ctx, res, body }) {
+  // downstream response object
+  if (!res) return
+
+  const store = storage('legacy').getStore()
+  const originatingRequest = store?.req
+  if (!originatingRequest) return
+
+  // Skip body analysis for redirect responses
+  const evaluateBody = ctx.shouldCollectBody && !downstream.handleRedirectResponse(originatingRequest, res)
+  const responseBody = evaluateBody ? body : null
+  runResponseEvaluation(res, originatingRequest, responseBody)
+}
+
+/**
+ * Evaluates the downstream response and records telemetry.
+ * @param {import('http').IncomingMessage} res incoming response from downstream service.
+ * @param {import('http').IncomingMessage} req originating request.
+ * @param {string|Buffer|null} responseBody collected downstream response body.
+ */
+function runResponseEvaluation (res, req, responseBody) {
+  const responseAddresses = downstream.extractResponseData(res, responseBody)
+
+  if (!Object.keys(responseAddresses).length) return
+
+  const raspRule = { type: RULE_TYPES.SSRF, variant: 'response' }
+  const result = waf.run({ ephemeral: responseAddresses }, req, raspRule)
+
+  // TODO: this should be done in the waf functions directly instead of calling it everywhere
+  const ruleTriggered = !!result?.events?.length
+
+  if (ruleTriggered) {
+    updateRaspRuleMatchMetricTags(req, raspRule, false, false)
+  }
 }
 
 module.exports = { enable, disable }

package/packages/dd-trace/src/azure_metadata.js

@@ -58,7 +58,6 @@ function buildMetadata () {
     WEBSITE_SITE_NAME,
   } = getEnvironmentVariables()
 
-  const DD_AAS_DOTNET_EXTENSION_VERSION = getValueFromEnvSources('DD_AAS_DOTNET_EXTENSION_VERSION')
   const DD_AZURE_RESOURCE_GROUP = getValueFromEnvSources('DD_AZURE_RESOURCE_GROUP')
 
   const subscriptionID = extractSubscriptionID(WEBSITE_OWNER_NAME)
@@ -77,7 +76,6 @@ function buildMetadata () {
     : (WEBSITE_RESOURCE_GROUP ?? extractResourceGroup(WEBSITE_OWNER_NAME))
 
   return trimObject({
-    extensionVersion: DD_AAS_DOTNET_EXTENSION_VERSION,
     functionRuntimeVersion: FUNCTIONS_EXTENSION_VERSION,
     instanceID: WEBSITE_INSTANCE_ID,
     instanceName: COMPUTERNAME,

package/packages/dd-trace/src/ci-visibility/dynamic-instrumentation/worker/index.js

@@ -16,6 +16,12 @@ const session = require('../../../debugger/devtools_client/session')
 const { getGeneratedPosition } = require('../../../debugger/devtools_client/source-maps')
 // TODO: move debugger/devtools_client/snapshot to common place
 const { getLocalStateForCallFrame } = require('../../../debugger/devtools_client/snapshot')
+const {
+  DEFAULT_MAX_REFERENCE_DEPTH,
+  DEFAULT_MAX_COLLECTION_SIZE,
+  DEFAULT_MAX_FIELD_COUNT,
+  DEFAULT_MAX_LENGTH,
+} = require('../../../debugger/devtools_client/snapshot/constants')
 // TODO: move debugger/devtools_client/state to common place
 const {
   findScriptFromPartialPath,
@@ -29,6 +35,13 @@ let sessionStarted = false
 const breakpointIdToProbe = new Map()
 const probeIdToBreakpointId = new Map()
 
+const limits = {
+  maxReferenceDepth: DEFAULT_MAX_REFERENCE_DEPTH,
+  maxCollectionSize: DEFAULT_MAX_COLLECTION_SIZE,
+  maxFieldCount: DEFAULT_MAX_FIELD_COUNT,
+  maxLength: DEFAULT_MAX_LENGTH,
+}
+
 session.on('Debugger.paused', async ({ params: { hitBreakpoints: [hitBreakpoint], callFrames } }) => {
   const probe = breakpointIdToProbe.get(hitBreakpoint)
   if (!probe) {
@@ -38,7 +51,7 @@ session.on('Debugger.paused', async ({ params: { hitBreakpoints: [hitBreakpoint]
 
   const stack = await getStackFromCallFrames(callFrames)
 
-  const { processLocalState } = await getLocalStateForCallFrame(callFrames[0])
+  const { processLocalState } = await getLocalStateForCallFrame(callFrames[0], limits)
 
   await session.post('Debugger.resume')
 

package/packages/dd-trace/src/ci-visibility/early-flake-detection/get-known-tests.js

@@ -1,6 +1,6 @@
 'use strict'
 
-const request = require('../../exporters/common/request')
+const request = require('../requests/request')
 const id = require('../../id')
 const log = require('../../log')
 const { getValueFromEnvSources } = require('../../config/helper')

package/packages/dd-trace/src/ci-visibility/exporters/ci-visibility-exporter.js

@@ -206,6 +206,7 @@ class CiVisibilityExporter extends BufferingExporter {
       requireGit,
       isEarlyFlakeDetectionEnabled,
       earlyFlakeDetectionNumRetries,
+      earlyFlakeDetectionSlowTestRetries,
       earlyFlakeDetectionFaultyThreshold,
       isFlakyTestRetriesEnabled,
       isDiEnabled,
@@ -222,6 +223,7 @@ class CiVisibilityExporter extends BufferingExporter {
       requireGit,
       isEarlyFlakeDetectionEnabled: isEarlyFlakeDetectionEnabled && this._config.isEarlyFlakeDetectionEnabled,
       earlyFlakeDetectionNumRetries,
+      earlyFlakeDetectionSlowTestRetries,
       earlyFlakeDetectionFaultyThreshold,
       isFlakyTestRetriesEnabled: isFlakyTestRetriesEnabled && this._config.isFlakyTestRetriesEnabled,
       flakyTestRetriesCount: this._config.flakyTestRetriesCount,

package/packages/dd-trace/src/ci-visibility/intelligent-test-runner/get-skippable-suites.js

@@ -1,6 +1,6 @@
 'use strict'
 
-const request = require('../../exporters/common/request')
+const request = require('../requests/request')
 const log = require('../../log')
 const { getValueFromEnvSources } = require('../../config/helper')
 const {

package/packages/dd-trace/src/ci-visibility/requests/get-library-configuration.js

@@ -1,6 +1,5 @@
 'use strict'
 
-const request = require('../../exporters/common/request')
 const id = require('../../id')
 const log = require('../../log')
 const { getValueFromEnvSources } = require('../../config/helper')
@@ -13,8 +12,10 @@ const {
   TELEMETRY_GIT_REQUESTS_SETTINGS_RESPONSE,
 } = require('../telemetry')
 const { writeSettingsToCache } = require('../test-optimization-cache')
+const request = require('./request')
 
 const DEFAULT_EARLY_FLAKE_DETECTION_NUM_RETRIES = 2
+const DEFAULT_EARLY_FLAKE_DETECTION_SLOW_TEST_RETRIES = { '5s': 10, '10s': 5, '30s': 3, '5m': 2 }
 const DEFAULT_EARLY_FLAKE_DETECTION_ERROR_THRESHOLD = 30
 
 function getLibraryConfiguration ({
@@ -115,6 +116,8 @@ function getLibraryConfiguration ({
           isEarlyFlakeDetectionEnabled: isKnownTestsEnabled && (earlyFlakeDetectionConfig?.enabled ?? false),
           earlyFlakeDetectionNumRetries:
             earlyFlakeDetectionConfig?.slow_test_retries?.['5s'] || DEFAULT_EARLY_FLAKE_DETECTION_NUM_RETRIES,
+          earlyFlakeDetectionSlowTestRetries:
+            earlyFlakeDetectionConfig?.slow_test_retries ?? DEFAULT_EARLY_FLAKE_DETECTION_SLOW_TEST_RETRIES,
           earlyFlakeDetectionFaultyThreshold:
             earlyFlakeDetectionConfig?.faulty_session_threshold ?? DEFAULT_EARLY_FLAKE_DETECTION_ERROR_THRESHOLD,
           isFlakyTestRetriesEnabled,