Fastify RASP #6081

Draft: wants to merge 3 commits into base: master
4 changes: 2 additions & 2 deletions packages/datadog-instrumentations/src/fastify.js
Expand Up @@ -213,7 +213,7 @@ function preParsing (request, reply, payload, done) {
function wrapSend (send, req) {
return function sendWithTrace (payload) {
if (payload instanceof Error) {
errorChannel.publish({ req, error: payload })
errorChannel.publish({ req, error: payload, res: req.res })
} else if (canPublishResponsePayload(payload)) {
const res = getRes(this)
responsePayloadReadCh.publish({ req, res, body: payload })
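Review bot: the error branch now publishes `res: req.res`, while the sibling branch two lines below resolves the response with `getRes(this)`; if `req` here is the raw IncomingMessage, `req.res` is only present when some other layer attached it, so the new RASP blocking subscriber may receive `res: undefined`. Consider `errorChannel.publish({ req, error: payload, res: getRes(this) })` so both branches hand subscribers the same object, and add a test asserting `res` is defined on the published error event.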
Expand All @@ -237,7 +237,7 @@ function getRouteConfig (request) {

function publishError (error, req) {
if (error) {
errorChannel.publish({ error, req })
errorChannel.publish({ error, req, res: req.res })
}

return error
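Review bot: same reliance on `req.res` as in `wrapSend`, and here there is no reply `this` to fall back on; if `req.res` can be undefined, `blockOnDatadogRaspAbortError` has nothing to write the block response to and the request will not actually be blocked. Suggest resolving the response the same way `wrapSend` does, and covering `publishError` with a test where the response is not attached to `req`.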
1 change: 1 addition & 0 deletions packages/dd-trace/src/appsec/rasp/index.js
Expand Up @@ -104,6 +104,7 @@ function enable (config) {

process.on('uncaughtExceptionMonitor', handleUncaughtExceptionMonitor)
expressMiddlewareError.subscribe(blockOnDatadogRaspAbortError)
require('dc-polyfill').channel('apm:fastify:middleware:error').subscribe(blockOnDatadogRaspAbortError)
}

function disable () {
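Review bot: `disable()` needs a matching `.unsubscribe(blockOnDatadogRaspAbortError)` for the new `apm:fastify:middleware:error` channel; without it each enable/disable cycle (config reload, test setup) leaves an extra subscriber that keeps blocking after RASP is turned off. Also, the inline `require('dc-polyfill').channel(...)` differs from `expressMiddlewareError` on the line above, which is evidently a module-level binding; hoist it to something like `const fastifyMiddlewareError = dc.channel('apm:fastify:middleware:error')` next to the express one so both subscribe and unsubscribe sites reference the same object. The channel name is not visible in the fastify.js hunks (`errorChannel` is used there), so confirm it matches what the instrumentation publishes on.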
4 changes: 3 additions & 1 deletion packages/dd-trace/src/appsec/rasp/lfi.js
Expand Up @@ -6,7 +6,7 @@
const { FS_OPERATION_PATH } = require('../addresses')
const waf = require('../waf')
const { RULE_TYPES, handleResult } = require('./utils')
const { isAbsolute } = require('path')

Check failure on line 9 in packages/dd-trace/src/appsec/rasp/lfi.js (GitHub Actions / lint): 'isAbsolute' is assigned a value but never used

let config
let enabled
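Review bot: the lint failure on `isAbsolute` is a symptom, not the problem: the import is unused only because `shouldAnalyze` further down has been short-circuited to `return true` with the original condition left in a comment. Keep the import and restore the condition rather than deleting the import to silence the linter.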
Expand Down Expand Up @@ -98,12 +98,14 @@

function shouldAnalyze (path, fs) {
if (!path) return
console.log('path', path)

Check failure on line 101 in packages/dd-trace/src/appsec/rasp/lfi.js (GitHub Actions / lint): Unexpected console statement

const notExcludedRootOp = !fs.opExcluded && fs.root
return notExcludedRootOp && (isAbsolute(path) || path.includes('../') || shouldAnalyzeURLFile(path, fs))
console.log('notExcludedRootOp', notExcludedRootOp)

Check failure on line 104 in packages/dd-trace/src/appsec/rasp/lfi.js (GitHub Actions / lint): Unexpected console statement
return true //notExcludedRootOp && (isAbsolute(path) || path.includes('../') || shouldAnalyzeURLFile(path, fs))

Check failure on line 105 in packages/dd-trace/src/appsec/rasp/lfi.js (GitHub Actions / lint): Expected space or tab after '//' in comment
}

function shouldAnalyzeURLFile (path, fs) {

Check failure on line 108 in packages/dd-trace/src/appsec/rasp/lfi.js (GitHub Actions / lint): 'shouldAnalyzeURLFile' is defined but never used
if (path.startsWith('file://')) {
return shouldAnalyze(path.slice(7), fs)
}
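Review bot: `shouldAnalyze` now returns `true` for every fs call, with the real filter (`notExcludedRootOp && (isAbsolute(path) || path.includes('../') || shouldAnalyzeURLFile(path, fs))`) left as trailing commented-out code and two `console.log` calls writing every analyzed path to stdout. That is debug scaffolding rather than a change to ship: every fs operation, including plain relative paths, now goes to the WAF (a performance regression on hot paths), application file paths are printed to the process's stdout, and `shouldAnalyzeURLFile` becomes dead code, as the lint annotation says. Restore the return expression and drop the `console.log` lines; if the intent was to exercise Fastify blocking on arbitrary paths, do that from a test with a traversal payload instead of disabling the filter in the hook.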
5 changes: 4 additions & 1 deletion packages/dd-trace/src/appsec/rasp/utils.js
Expand Up @@ -51,10 +51,13 @@
}

if (abortController && !abortOnUncaughtException) {
console.log('blockity')

Check failure on line 54 in packages/dd-trace/src/appsec/rasp/utils.js (GitHub Actions / lint): Unexpected console statement
const blockingAction = getBlockingAction(result?.actions)

console.log('blockingAction', blockingAction)

Check failure on line 57 in packages/dd-trace/src/appsec/rasp/utils.js (GitHub Actions / lint): Unexpected console statement

Check failure on line 57 in packages/dd-trace/src/appsec/rasp/utils.js (GitHub Actions / lint): Expected indentation of 4 spaces but found 1

// Should block only in express
if (blockingAction && rootSpan?.context()._name === 'express.request') {
if (blockingAction) { // && rootSpan?.context()._name === 'express.request') {
const abortError = new DatadogRaspAbortError(req, res, blockingAction, raspRule, ruleTriggered)
abortController.abort(abortError)
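Review bot: the unchanged comment `// Should block only in express` now contradicts the new condition, which drops the `express.request` span-name check and keeps the old check as commented-out code on the same line; either update the comment to say blocking applies to every framework, or express the supported frameworks explicitly (a set holding `express.request` and the Fastify span name) instead of removing the gate entirely. With the gate gone, `abortController.abort(abortError)` fires for any framework, but `rasp/index.js` in this PR subscribes only the express and fastify error channels to `blockOnDatadogRaspAbortError`; confirm other frameworks handle a `DatadogRaspAbortError` or keep the gate. The two `console.log` calls (`'blockity'`, `'blockingAction'`) and the one-space indentation are flagged by lint and should be removed before this leaves draft.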
