Fixing fs and rasp/iast problems

uurien · uurien · commit c357074925df · 2025-07-14T15:46:26.000+02:00
diff --git a/packages/dd-trace/src/appsec/rasp/fs-plugin.js b/packages/dd-trace/src/appsec/rasp/fs-plugin.js
@@ -14,25 +14,27 @@ const enabledFor = {
 
 let fsPlugin
 
-function enterWith (fsProps, store = storage('legacy').getStore()) {
+function storeToStart (fsProps, store = storage('legacy').getStore()) {
   if (store && !store.fs?.opExcluded) {
-    storage('legacy').enterWith({
+    return {
       ...store,
       fs: {
         ...store.fs,
         ...fsProps,
         parentStore: store
       }
-    })
+    }
   }
+
+  return store
 }
 
 class AppsecFsPlugin extends Plugin {
   enable () {
-    this.addSub('apm:fs:operation:start', this._onFsOperationStart)
-    this.addSub('apm:fs:operation:finish', this._onFsOperationFinishOrRenderEnd)
-    this.addSub('tracing:datadog:express:response:render:start', this._onResponseRenderStart)
-    this.addSub('tracing:datadog:express:response:render:end', this._onFsOperationFinishOrRenderEnd)
+    this.addBind('apm:fs:operation:start', this._onFsOperationStart)
+    this.addBind('apm:fs:operation:finish', this._onFsOperationFinishOrRenderEnd)
+    this.addBind('tracing:datadog:express:response:render:start', this._onResponseRenderStart)
+    this.addBind('tracing:datadog:express:response:render:end', this._onFsOperationFinishOrRenderEnd)
 
     super.configure(true)
   }
@@ -44,19 +46,20 @@ class AppsecFsPlugin extends Plugin {
   _onFsOperationStart () {
     const store = storage('legacy').getStore()
     if (store) {
-      enterWith({ root: store.fs?.root === undefined }, store)
+      return storeToStart({ root: store.fs?.root === undefined }, store)
     }
   }
 
   _onResponseRenderStart () {
-    enterWith({ opExcluded: true })
+    return storeToStart({ opExcluded: true })
   }
 
   _onFsOperationFinishOrRenderEnd () {
     const store = storage('legacy').getStore()
-    if (store?.fs?.parentStore) {
-      storage('legacy').enterWith(store.fs.parentStore)
+    if (store?.fs) {
+      return store.fs.parentStore
     }
+    return store
   }
 }
 
diff --git a/packages/dd-trace/test/appsec/iast/analyzers/path-traversal-analyzer.spec.js b/packages/dd-trace/test/appsec/iast/analyzers/path-traversal-analyzer.spec.js
@@ -477,6 +477,26 @@ prepareTestServerForIast('integration test', (testThatRequestHasVulnerability, t
 
   describe('test stat', () => {
     runFsMethodTestThreeWay('stat', 0, null, __filename)
+
+    describe('with two calls to async method without waiting to the callback', () => {
+      const fsAsyncWayMethodPath = path.join(os.tmpdir(), 'fs-async-way-method.js')
+
+      before(() => {
+        fs.copyFileSync(path.join(__dirname, 'resources', 'fs-async-way-method.js'), fsAsyncWayMethodPath)
+      })
+
+      after(() => {
+        fs.unlinkSync(fsAsyncWayMethodPath)
+      })
+
+      testThatRequestHasVulnerability(function () {
+        const store = storage('legacy').getStore()
+        const iastCtx = iastContextFunctions.getIastContext(store)
+        const callArgs = [fsAsyncWayMethodPath]
+        callArgs[0] = newTaintedString(iastCtx, callArgs[0], 'param', 'Request')
+        return require(fsAsyncWayMethodPath).doubleCallIgnoringCb('stat', callArgs)
+      }, 'PATH_TRAVERSAL', { occurrences: 2 })
+    })
   })
 
   describe('test symlink', () => {
diff --git a/packages/dd-trace/test/appsec/iast/analyzers/resources/fs-async-way-method.js b/packages/dd-trace/test/appsec/iast/analyzers/resources/fs-async-way-method.js
@@ -2,10 +2,21 @@
 
 const fs = require('fs')
 
-module.exports = function (methodName, args, cb) {
+function main (methodName, args, cb) {
   return new Promise((resolve, reject) => {
     fs[methodName](...args, (err, res) => {
       resolve(cb(res))
     })
   })
 }
+
+main.doubleCallIgnoringCb = function (methodName, args) {
+  return new Promise((resolve) => {
+    fs[methodName](...args, () => {})
+    fs[methodName](...args, () => {
+      resolve()
+    })
+  })
+}
+
+module.exports = main
diff --git a/packages/dd-trace/test/appsec/rasp/lfi.express.plugin.spec.js b/packages/dd-trace/test/appsec/rasp/lfi.express.plugin.spec.js
@@ -296,6 +296,13 @@ describe('RASP - lfi', () => {
 
       describe('test readFile', () => {
         runFsMethodTestThreeWay('readFile', undefined, __filename)
+
+        runFsMethodTest('an async operation without callback is executed before',
+          { getAppFn: getAppSync, ruleEvalCount: 2 }, (args) => {
+            const fs = require('fs')
+            fs.readFile(path.join(__dirname, 'utils.js'), () => {}) // safe and ignored operation
+            return fs.readFileSync(...args)
+          }, __filename)
       })
 
       describe('test readlink', () => {

Original file line number	Diff line number	Diff line change
`@@ -14,25 +14,27 @@ const enabledFor = {`
`14`	`14`
`15`	`15`	`let fsPlugin`
`16`	`16`
`17`		`-function enterWith (fsProps, store = storage('legacy').getStore()) {`
	`17`	`+function storeToStart (fsProps, store = storage('legacy').getStore()) {`
`18`	`18`	`if (store && !store.fs?.opExcluded) {`
`19`		`- storage('legacy').enterWith({`
	`19`	`+ return {`
`20`	`20`	`...store,`
`21`	`21`	`fs: {`
`22`	`22`	`...store.fs,`
`23`	`23`	`...fsProps,`
`24`	`24`	`parentStore: store`
`25`	`25`	`}`
`26`		`- })`
	`26`	`+ }`
`27`	`27`	`}`
	`28`	`+`
	`29`	`+ return store`
`28`	`30`	`}`
`29`	`31`
`30`	`32`	`class AppsecFsPlugin extends Plugin {`
`31`	`33`	`enable () {`
`32`		`- this.addSub('apm:fs:operation:start', this._onFsOperationStart)`
`33`		`- this.addSub('apm:fs:operation:finish', this._onFsOperationFinishOrRenderEnd)`
`34`		`- this.addSub('tracing:datadog:express:response:render:start', this._onResponseRenderStart)`
`35`		`- this.addSub('tracing:datadog:express:response:render:end', this._onFsOperationFinishOrRenderEnd)`
	`34`	`+ this.addBind('apm:fs:operation:start', this._onFsOperationStart)`
	`35`	`+ this.addBind('apm:fs:operation:finish', this._onFsOperationFinishOrRenderEnd)`
	`36`	`+ this.addBind('tracing:datadog:express:response:render:start', this._onResponseRenderStart)`
	`37`	`+ this.addBind('tracing:datadog:express:response:render:end', this._onFsOperationFinishOrRenderEnd)`
`36`	`38`
`37`	`39`	`super.configure(true)`
`38`	`40`	`}`
`@@ -44,19 +46,20 @@ class AppsecFsPlugin extends Plugin {`
`44`	`46`	`_onFsOperationStart () {`
`45`	`47`	`const store = storage('legacy').getStore()`
`46`	`48`	`if (store) {`
`47`		`- enterWith({ root: store.fs?.root === undefined }, store)`
	`49`	`+ return storeToStart({ root: store.fs?.root === undefined }, store)`
`48`	`50`	`}`
`49`	`51`	`}`
`50`	`52`
`51`	`53`	`_onResponseRenderStart () {`
`52`		`- enterWith({ opExcluded: true })`
	`54`	`+ return storeToStart({ opExcluded: true })`
`53`	`55`	`}`
`54`	`56`
`55`	`57`	`_onFsOperationFinishOrRenderEnd () {`
`56`	`58`	`const store = storage('legacy').getStore()`
`57`		`- if (store?.fs?.parentStore) {`
`58`		`- storage('legacy').enterWith(store.fs.parentStore)`
	`59`	`+ if (store?.fs) {`
	`60`	`+ return store.fs.parentStore`
`59`	`61`	`}`
	`62`	`+ return store`
`60`	`63`	`}`
`61`	`64`	`}`
`62`	`65`