linter

Author: IlyasShabi

packages/datadog-instrumentations/src/fastify.js

@@ -259,7 +259,6 @@ addHook({ name: 'fastify', versions: ['1'] }, fastify => {
   return shimmer.wrapFunction(fastify, fastify => wrapFastify(fastify, false))
 })
 
-
 function wrapReplyHeader (Reply) {
   shimmer.wrap(Reply.prototype, 'header', header => function (key, value) {
     const result = header.apply(this, arguments)

packages/dd-trace/src/appsec/iast/analyzers/set-cookies-header-interceptor.js

@@ -8,8 +8,11 @@ class SetCookiesHeaderInterceptor extends Plugin {
     super()
     this.cookiesInRequest = new WeakMap()
 
-    this.addSub('datadog:http:server:response:set-header:finish', ({ name, value, res }) => this._handleCookies(name, value, res))
-    this.addSub('datadog:fastify:set-header:finish', ({ name, value, res }) => this._handleCookies(name, value, res))
+    this.addSub('datadog:http:server:response:set-header:finish',
+      ({ name, value, res }) => this._handleCookies(name, value, res))
+
+    this.addSub('datadog:fastify:set-header:finish',
+      ({ name, value, res }) => this._handleCookies(name, value, res))
   }
 
   _handleCookies (name, value, res) {

packages/dd-trace/src/appsec/iast/index.js

@@ -123,5 +123,4 @@ function onResponseWriteHeadCollect ({ res, responseHeaders = {} }) {
   }
 }
 
-
 module.exports = { enable, disable, onIncomingHttpRequestEnd, onIncomingHttpRequestStart }

packages/dd-trace/src/appsec/rasp/fs-plugin.js

@@ -29,7 +29,10 @@ function enterWith (fsProps, store = storage('legacy').getStore()) {
 
 class AppsecFsPlugin extends Plugin {
   enable () {
-    this.addSub('apm:fs:operation:start', this._onFsOperationStart)
+    // Use bindStore so `fs.root` is set on the ALS store before any other
+    // subscriber for `apm:fs:operation:start` runs.
+    // This will help to prevents a Fastify race where IAST analyzers saw `root` still undefined.
+    this.addBind('apm:fs:operation:start', this._onFsOperationStart)
     this.addSub('apm:fs:operation:finish', this._onFsOperationFinishOrRenderEnd)
     this.addSub('tracing:datadog:express:response:render:start', this._onResponseRenderStart)
     this.addSub('tracing:datadog:express:response:render:end', this._onFsOperationFinishOrRenderEnd)
@@ -43,9 +46,18 @@ class AppsecFsPlugin extends Plugin {
 
   _onFsOperationStart () {
     const store = storage('legacy').getStore()
-    if (store) {
-      enterWith({ root: store.fs?.root === undefined }, store)
+    if (store && !store.fs?.opExcluded) {
+      return {
+        ...store,
+        fs: {
+          ...store.fs,
+          root: store.fs?.root === undefined,
+          parentStore: store
+        }
+      }
     }
+
+    return store
   }
 
   _onResponseRenderStart () {

packages/dd-trace/test/appsec/iast/analyzers/unvalidated-redirect-analyzer.spec.js

@@ -97,9 +97,11 @@ describe('unvalidated-redirect-analyzer', () => {
   unvalidatedRedirectAnalyzer.configure(true)
 
   it('should subscribe to set-header:finish channel', () => {
-    expect(unvalidatedRedirectAnalyzer._subscriptions).to.have.lengthOf(1)
+    expect(unvalidatedRedirectAnalyzer._subscriptions).to.have.lengthOf(2)
     expect(unvalidatedRedirectAnalyzer._subscriptions[0]._channel.name).to
       .equals('datadog:http:server:response:set-header:finish')
+    expect(unvalidatedRedirectAnalyzer._subscriptions[1]._channel.name).to
+      .equals('datadog:fastify:set-header:finish')
   })
 
   it('should not report headers other than Location', () => {

packages/dd-trace/test/appsec/iast/taint-tracking/plugin.fastify.plugin.spec.js

@@ -7,7 +7,7 @@ const { URL } = require('url')
 function noop () {}
 
 describe('Taint tracking plugin sources fastify tests', () => {
-  withVersions('fastify', 'fastify', version => {
+  withVersions('fastify', 'fastify', '>=2', version => {
     prepareTestServerForIastInFastify('in fastify', version,
       (testThatRequestHasVulnerability, _, config) => {
         describe('tainted body', () => {

packages/dd-trace/test/appsec/iast/taint-tracking/plugin.spec.js

@@ -49,7 +49,7 @@ describe('IAST Taint tracking plugin', () => {
   })
 
   it('Should subscribe to body parser, qs, cookie and process_params channel', () => {
-    expect(taintTrackingPlugin._subscriptions).to.have.lengthOf(16)
+    expect(taintTrackingPlugin._subscriptions).to.have.lengthOf(17)
     let i = 0
     expect(taintTrackingPlugin._subscriptions[i++]._channel.name).to.equals('datadog:body-parser:read:finish')
     expect(taintTrackingPlugin._subscriptions[i++]._channel.name).to.equals('datadog:multer:read:finish')
@@ -59,11 +59,12 @@ describe('IAST Taint tracking plugin', () => {
     expect(taintTrackingPlugin._subscriptions[i++]._channel.name).to.equals('datadog:fastify:query-params:finish')
     expect(taintTrackingPlugin._subscriptions[i++]._channel.name).to.equals('datadog:express:query:finish')
     expect(taintTrackingPlugin._subscriptions[i++]._channel.name).to.equals('datadog:cookie:parse:finish')
+    expect(taintTrackingPlugin._subscriptions[i++]._channel.name).to.equals('datadog:fastify-cookie:read:finish')
     expect(taintTrackingPlugin._subscriptions[i++]._channel.name).to.equals('datadog:sequelize:query:finish')
     expect(taintTrackingPlugin._subscriptions[i++]._channel.name).to.equals('apm:pg:query:finish')
     expect(taintTrackingPlugin._subscriptions[i++]._channel.name).to.equals('datadog:express:process_params:start')
-    expect(taintTrackingPlugin._subscriptions[i++]._channel.name).to.equals('datadog:fastify:path-params:finish')
     expect(taintTrackingPlugin._subscriptions[i++]._channel.name).to.equals('datadog:router:param:start')
+    expect(taintTrackingPlugin._subscriptions[i++]._channel.name).to.equals('datadog:fastify:path-params:finish')
     expect(taintTrackingPlugin._subscriptions[i++]._channel.name).to.equals('apm:graphql:resolve:start')
     expect(taintTrackingPlugin._subscriptions[i++]._channel.name).to.equals('datadog:url:parse:finish')
     expect(taintTrackingPlugin._subscriptions[i++]._channel.name).to.equals('datadog:url:getter:finish')

packages/dd-trace/test/appsec/iast/taint-tracking/sources/taint-tracking.fastify.plugin.spec.js

@@ -122,7 +122,6 @@ describe('Path params sourcing with fastify', () => {
         reply.code(200).send()
       })
 
-      
       await appInstance.listen({ port: 0 })
 
       const port = appInstance.server.address().port
@@ -132,4 +131,4 @@ describe('Path params sourcing with fastify', () => {
       expect(response.status).to.be.equal(200)
     })
   })
-}) 
+})

packages/dd-trace/test/appsec/rasp/fs-plugin.spec.js

@@ -28,6 +28,7 @@ describe('AppsecFsPlugin', () => {
       configure = sinon.stub()
       class PluginClass {
         addSub (channelName, handler) {}
+        addBind (channelName, transform) {}
 
         configure (config) {
           configure(config)
@@ -97,7 +98,8 @@ describe('AppsecFsPlugin', () => {
       const origStore = {}
       storage('legacy').enterWith(origStore)
 
-      appsecFsPlugin._onFsOperationStart()
+      const newStore = appsecFsPlugin._onFsOperationStart()
+      storage('legacy').enterWith(newStore)
 
       let store = storage('legacy').getStore()
       assert.property(store, 'fs')
@@ -115,16 +117,17 @@ describe('AppsecFsPlugin', () => {
       const origStore = { orig: true }
       storage('legacy').enterWith(origStore)
 
-      appsecFsPlugin._onFsOperationStart()
+      const rootStore = appsecFsPlugin._onFsOperationStart()
+      storage('legacy').enterWith(rootStore)
 
-      const rootStore = storage('legacy').getStore()
       assert.property(rootStore, 'fs')
       assert.propertyVal(rootStore.fs, 'parentStore', origStore)
       assert.propertyVal(rootStore.fs, 'root', true)
 
-      appsecFsPlugin._onFsOperationStart()
+      const childStore = appsecFsPlugin._onFsOperationStart()
+      storage('legacy').enterWith(childStore)
 
-      let store = storage('legacy').getStore()
+      let store = childStore
       assert.property(store, 'fs')
       assert.propertyVal(store.fs, 'parentStore', rootStore)
       assert.propertyVal(store.fs, 'root', false)