Merge branch 'event-based-tracing-koa' of github.com:DataDog/dd-trace-js into event-based-tracing-koa

rochdev · rochdev · commit cd7c187489c2 · 2023-03-03T13:07:20.000-05:00
diff --git a/.gitlab/benchmarks.yml b/.gitlab/benchmarks.yml
@@ -48,6 +48,24 @@ benchmarks-pr-comment:
 
     KUBERNETES_SERVICE_ACCOUNT_OVERWRITE: dd-trace-js
 
+check-big-regressions:
+  stage: benchmarks-pr-comment
+  when: on_success
+  tags: ["arch:amd64"]
+  image: $BASE_CI_IMAGE
+  script:
+    - export REPORTS_DIR="$(pwd)/reports/" && (mkdir "${REPORTS_DIR}" || :)
+    - git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.ddbuild.io/DataDog/".insteadOf "https://github.com/DataDog/"
+    - git clone --branch dd-trace-js https://github.com/DataDog/relenv-microbenchmarking-platform /platform && cd /platform
+    - ./steps/fail-on-regression.sh
+  variables:
+    UPSTREAM_PROJECT_ID: $CI_PROJECT_ID # The ID of the current project. This ID is unique across all projects on the GitLab instance.
+    UPSTREAM_PROJECT_NAME: $CI_PROJECT_NAME # "dd-trace-js"
+    UPSTREAM_BRANCH: $CI_COMMIT_REF_NAME # The branch or tag name for which project is built.
+    UPSTREAM_COMMIT_SHA: $CI_COMMIT_SHA # The commit revision the project is built for.
+
+    KUBERNETES_SERVICE_ACCOUNT_OVERWRITE: dd-trace-js
+
 benchmark-v14:
   extends: .benchmarks
   variables:
diff --git a/integration-tests/cucumber.spec.js b/integration-tests/cucumber.spec.js
@@ -3,6 +3,7 @@
 const { exec } = require('child_process')
 
 const getPort = require('get-port')
+const semver = require('semver')
 const { assert } = require('chai')
 
 const {
@@ -13,13 +14,14 @@ const {
 const { FakeCiVisIntake } = require('./ci-visibility-intake')
 const { TEST_STATUS, TEST_COMMAND, TEST_BUNDLE } = require('../packages/dd-trace/src/plugins/util/test')
 
-const versions = ['7.0.0', 'latest']
+const isOldNode = semver.satisfies(process.version, '<=12')
+const versions = ['7.0.0', isOldNode ? '8' : 'latest']
 
 versions.forEach(version => {
   describe(`cucumber@${version}`, () => {
     let sandbox, cwd, receiver, childProcess
     before(async () => {
-      sandbox = await createSandbox(['@cucumber/cucumber', 'assert'], true)
+      sandbox = await createSandbox([`@cucumber/cucumber@${version}`, 'assert'], true)
       cwd = sandbox.folder
     })
 
diff --git a/package.json b/package.json
@@ -61,7 +61,7 @@
   },
   "dependencies": {
     "@datadog/native-appsec": "2.0.0",
-    "@datadog/native-iast-rewriter": "1.1.2",
+    "@datadog/native-iast-rewriter": "2.0.1",
     "@datadog/native-iast-taint-tracking": "1.1.1",
     "@datadog/native-metrics": "^1.5.0",
     "@datadog/pprof": "^2.0.0",
diff --git a/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter.js b/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter.js
@@ -40,10 +40,13 @@ function getCompileMethodFn (compileMethod) {
   return function (content, filename) {
     try {
       if (isPrivateModule(filename) && isNotLibraryFile(filename)) {
-        content = rewriter.rewrite(content, filename)
+        const rewritten = rewriter.rewrite(content, filename)
+        if (rewritten && rewritten.content) {
+          return compileMethod.apply(this, [rewritten.content, filename])
+        }
       }
     } catch (e) {
-      log.debug(e)
+      log.error(e)
     }
     return compileMethod.apply(this, [content, filename])
   }
diff --git a/packages/dd-trace/src/appsec/recommended.json b/packages/dd-trace/src/appsec/recommended.json
@@ -1,7 +1,7 @@
 {
   "version": "2.2",
   "metadata": {
-    "rules_version": "1.5.1"
+    "rules_version": "1.5.2"
   },
   "rules": [
     {
@@ -1351,16 +1351,11 @@
               "etc/timezone",
               "etc/modules",
               "etc/passwd",
-              "etc/passwd~",
-              "etc/passwd-",
               "etc/shadow",
-              "etc/shadow~",
-              "etc/shadow-",
               "etc/fstab",
               "etc/motd",
               "etc/hosts",
               "etc/group",
-              "etc/group-",
               "etc/alias",
               "etc/crontab",
               "etc/crypttab",
@@ -1871,11 +1866,8 @@
               "dev/tcp/",
               "dev/udp/",
               "dev/zero",
-              "etc/group",
               "etc/master.passwd",
-              "etc/passwd",
               "etc/pwd.db",
-              "etc/shadow",
               "etc/shells",
               "etc/spwd.db",
               "proc/self/",
@@ -4090,9 +4082,7 @@
               "java.lang.number",
               "java.lang.object",
               "java.lang.process",
-              "java.lang.processbuilder",
               "java.lang.reflect",
-              "java.lang.runtime",
               "java.lang.string",
               "java.lang.stringbuilder",
               "java.lang.system",
@@ -4455,6 +4445,44 @@
       ],
       "transformers": []
     },
+    {
+      "id": "dog-942-001",
+      "name": "Blind XSS callback domains",
+      "tags": {
+        "type": "xss",
+        "category": "attack_attempt",
+        "confidence": "1"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              },
+              {
+                "address": "server.request.path_params"
+              },
+              {
+                "address": "server.request.headers.no_cookies"
+              },
+              {
+                "address": "grpc.server.request.message"
+              }
+            ],
+            "regex": "https?:\\/\\/(?:.*\\.)?(?:bxss\\.in|xss\\.ht|js\\.rip)",
+            "options": {
+              "case_sensitive": false
+            }
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": []
+    },
     {
       "id": "nfd-000-001",
       "name": "Detect common directory discovery scans",
@@ -5083,36 +5111,6 @@
         "removeNulls"
       ]
     },
-    {
-      "id": "sqr-000-007",
-      "name": "NoSQL: Detect common exploitation strategy",
-      "tags": {
-        "type": "nosql_injection",
-        "category": "attack_attempt"
-      },
-      "conditions": [
-        {
-          "parameters": {
-            "inputs": [
-              {
-                "address": "server.request.query"
-              },
-              {
-                "address": "server.request.body"
-              },
-              {
-                "address": "server.request.path_params"
-              }
-            ],
-            "regex": "^\\$(eq|ne|(l|g)te?|n?in|not|(n|x|)or|and|regex|where|expr|exists)$"
-          },
-          "operator": "match_regex"
-        }
-      ],
-      "transformers": [
-        "keys_only"
-      ]
-    },
     {
       "id": "sqr-000-008",
       "name": "Windows: Detect attempts to exfiltrate .ini files",
@@ -5312,7 +5310,7 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "^(jar:)?(http|https):\\/\\/((\\[)?[:0-9a-f\\.x]{2,}(\\])?)(:[0-9]{1,5})?(\\/.*)?$"
+            "regex": "^(jar:)?(http|https):\\/\\/((\\[)?[:0-9a-f\\.x]{2,}(\\])?)(:[0-9]{1,5})?(\\/[^:@]*)?$"
           },
           "operator": "match_regex"
         }
@@ -5349,7 +5347,7 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "(http|https):\\/\\/(?:.*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click)"
+            "regex": "(http|https):\\/\\/(?:.*\\.)?(?:burpcollaborator\\.net|localtest\\.me|mail\\.ebc\\.apple\\.com|bugbounty\\.dod\\.network|.*\\.[nx]ip\\.io|oastify\\.com|oast\\.(?:pro|live|site|online|fun|me)|sslip\\.io|requestbin\\.com|requestbin\\.net|hookbin\\.com|webhook\\.site|canarytokens\\.com|interact\\.sh|ngrok\\.io|bugbounty\\.click|prbly\\.win|qualysperiscope\\.com)"
           },
           "operator": "match_regex"
         }
@@ -6723,4 +6721,4 @@
       "transformers": []
     }
   ]
-}
+}
diff --git a/packages/dd-trace/src/lambda/handler.js b/packages/dd-trace/src/lambda/handler.js
@@ -22,15 +22,14 @@ let __lambdaTimeout
  * @param {*} context AWS Lambda context object.
  */
 function checkTimeout (context) {
-  let remainingTimeInMillis = context.getRemainingTimeInMillis()
-  const apmFlushDeadline = parseInt(process.env.DD_APM_FLUSH_DEADLINE)
-  if (apmFlushDeadline && apmFlushDeadline <= remainingTimeInMillis) {
-    remainingTimeInMillis = apmFlushDeadline
-  }
+  const remainingTimeInMillis = context.getRemainingTimeInMillis()
+
+  let apmFlushDeadline = parseInt(process.env.DD_APM_FLUSH_DEADLINE_MILLISECONDS) || 100
+  apmFlushDeadline = apmFlushDeadline < 0 ? 100 : apmFlushDeadline
 
   __lambdaTimeout = setTimeout(() => {
     timeoutChannel.publish(undefined)
-  }, remainingTimeInMillis - 50)
+  }, remainingTimeInMillis - apmFlushDeadline)
 }
 
 /**
diff --git a/packages/dd-trace/test/lambda/fixtures/handler.js b/packages/dd-trace/test/lambda/fixtures/handler.js
@@ -4,8 +4,7 @@ const _tracer = require('../../../../dd-trace')
 exports.handler = async (...args) => {
   const sleep = ms => new Promise(resolve => setTimeout(resolve, ms))
 
-  await _tracer.trace('self.sleepy', () => sleep(200))
-
+  await _tracer.trace('self.sleepy', () => sleep(50))
   const response = {
     statusCode: 200,
     body: JSON.stringify(
diff --git a/packages/dd-trace/test/lambda/index.spec.js b/packages/dd-trace/test/lambda/index.spec.js
@@ -32,7 +32,7 @@ describe('lambda', () => {
 
     it('patches lambda function correctly', async () => {
       const _context = {
-        getRemainingTimeInMillis: () => 300
+        getRemainingTimeInMillis: () => 150
       }
       const _event = {}
       const _handlerPath = path.resolve(__dirname, './fixtures/handler.js')
@@ -53,26 +53,54 @@ describe('lambda', () => {
       await checkTraces
     })
 
-    it('returns traces with error when handler is about to timeout', async () => {
-      const _context = {
-        getRemainingTimeInMillis: () => 150
-      }
-      const _event = {}
-      const _handlerPath = path.resolve(__dirname, './fixtures/handler.js')
-      const app = require(_handlerPath)
-      datadog = require('./fixtures/datadog-lambda')
-      let result
-      (datadog(app.handler)(_event, _context)).then((data) => { result = data })
-      setTimeout(() => {
-        expect(result).to.equal(undefined)
-      }, _context.getRemainingTimeInMillis())
+    describe('timeout spans', () => {
+      const deadlines = [
+        {
+          envVar: 'default'
+          // will use default remaining time
+        },
+        {
+          envVar: 'DD_APM_FLUSH_DEADLINE_MILLISECONDS',
+          value: '-100' // will default to 0
+        },
+        {
+          envVar: 'DD_APM_FLUSH_DEADLINE_MILLISECONDS',
+          value: '10' // subtract 10 from the remaining time
+        }
+      ]
 
-      const checkTraces = agent.use((_traces) => {
-        const trace = _traces[0][0]
-        expect(trace.error).to.equal(1)
-        expect(trace.meta['error.type']).to.equal('Impending Timeout')
+      deadlines.forEach(deadline => {
+        const flushDeadlineEnvVar = deadline.envVar
+        const customDeadline = deadline.value ? deadline.value : ''
+
+        it(`traces error on impending timeout using ${flushDeadlineEnvVar} ${customDeadline} deadline`, (done) => {
+          process.env[flushDeadlineEnvVar] = customDeadline
+
+          const _context = {
+            getRemainingTimeInMillis: () => 25
+          }
+          const _event = {}
+
+          const _handlerPath = path.resolve(__dirname, './fixtures/handler.js')
+          const app = require(_handlerPath)
+          datadog = require('./fixtures/datadog-lambda')
+
+          let error = false
+          agent.use((_traces) => {
+            // First trace, since errors are tagged at root span level.
+            const trace = _traces[0][0]
+            expect(trace.error).to.equal(1)
+            error = true
+            expect(trace.meta['error.type']).to.equal('Impending Timeout')
+            // Ensure that once this finish, an error was tagged.
+          }).then(() => expect(error).to.equal(true))
+
+          // Since these are expected to timeout and one can't kill the
+          // environment, one has to wait for the result to come in so
+          // the traces are verified above.
+          datadog(app.handler)(_event, _context).then(_ => done(), done)
+        })
       })
-      await checkTraces
     })
   })
 })
diff --git a/yarn.lock b/yarn.lock
@@ -196,10 +196,10 @@
   dependencies:
     node-gyp-build "^3.9.0"
 
-"@datadog/native-iast-rewriter@1.1.2":
-  version "1.1.2"
-  resolved "https://registry.yarnpkg.com/@datadog/native-iast-rewriter/-/native-iast-rewriter-1.1.2.tgz#793cbf92d218ec80d645be0830023656b81018ea"
-  integrity sha512-pigRfRtAjZjMjqIXyXb98S4aDnuHz/EmqpoxAajFZsNjBLM87YonwSY5zoBdCsOyA46ddKOJRoCQd5ZalpOFMQ==
+"@datadog/native-iast-rewriter@2.0.1":
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/@datadog/native-iast-rewriter/-/native-iast-rewriter-2.0.1.tgz#dc4a23796870f2d840053ae879c61547eda6bb89"
+  integrity sha512-Mm+FG3XxEbPrAfJQPOMHts7iZZXRvg9gnGeeFRGkyirmRcQcOpZO4wFe/8K61DUVa5pXpgAJQ2ZkBGYF1O9STg==
   dependencies:
     node-gyp-build "^4.5.0"
 

Original file line number	Diff line number	Diff line change
`@@ -40,10 +40,13 @@ function getCompileMethodFn (compileMethod) {`
`40`	`40`	`return function (content, filename) {`
`41`	`41`	`try {`
`42`	`42`	`if (isPrivateModule(filename) && isNotLibraryFile(filename)) {`
`43`		`- content = rewriter.rewrite(content, filename)`
	`43`	`+ const rewritten = rewriter.rewrite(content, filename)`
	`44`	`+ if (rewritten && rewritten.content) {`
	`45`	`+ return compileMethod.apply(this, [rewritten.content, filename])`
	`46`	`+ }`
`44`	`47`	`}`
`45`	`48`	`} catch (e) {`
`46`		`- log.debug(e)`
	`49`	`+ log.error(e)`
`47`	`50`	`}`
`48`	`51`	`return compileMethod.apply(this, [content, filename])`
`49`	`52`	`}`