diff --git a/docs/test.ts b/docs/test.ts index 2c2cbea332e..c353e90b6ca 100644 --- a/docs/test.ts +++ b/docs/test.ts @@ -136,7 +136,10 @@ tracer.init({ redactionEnabled: true, redactionNamePattern: 'password', redactionValuePattern: 'bearer', - telemetryVerbosity: 'OFF' + telemetryVerbosity: 'OFF', + stackTrace: { + enabled: true + } } }); diff --git a/index.d.ts b/index.d.ts index 8984d02f81a..8d3fdf24ded 100644 --- a/index.d.ts +++ b/index.d.ts @@ -2233,7 +2233,17 @@ declare namespace tracer { /** * Specifies the verbosity of the sent telemetry. Default 'INFORMATION' */ - telemetryVerbosity?: string + telemetryVerbosity?: string, + + /** + * Configuration for stack trace reporting + */ + stackTrace?: { + /** Whether to enable stack trace reporting. + * @default true + */ + enabled?: boolean, + } } export namespace llmobs { diff --git a/packages/dd-trace/src/appsec/iast/analyzers/cookie-analyzer.js b/packages/dd-trace/src/appsec/iast/analyzers/cookie-analyzer.js index a898a0a379c..836908f36e4 100644 --- a/packages/dd-trace/src/appsec/iast/analyzers/cookie-analyzer.js +++ b/packages/dd-trace/src/appsec/iast/analyzers/cookie-analyzer.js @@ -54,15 +54,15 @@ class CookieAnalyzer extends Analyzer { return super._checkOCE(context, value) } - _getLocation (value) { + _getLocation (value, callSiteFrames) { if (!value) { - return super._getLocation() + return super._getLocation(value, callSiteFrames) } if (value.location) { return value.location } - const location = super._getLocation(value) + const location = super._getLocation(value, callSiteFrames) value.location = location return location } diff --git a/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js b/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js index f79e7a44f71..1cb244dbbdc 100644 --- a/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js +++ b/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js @@ -1,12 +1,15 @@ 'use strict' const { storage } = require('../../../../../datadog-core') -const { getFirstNonDDPathAndLine } = require('../path-line') -const { addVulnerability } = require('../vulnerability-reporter') -const { getIastContext } = require('../iast-context') +const { getNonDDCallSiteFrames } = require('../path-line') +const { getIastContext, getIastStackTraceId } = require('../iast-context') const overheadController = require('../overhead-controller') const { SinkIastPlugin } = require('../iast-plugin') -const { getOriginalPathAndLineFromSourceMap } = require('../taint-tracking/rewriter') +const { + addVulnerability, + getVulnerabilityCallSiteFrames, + replaceCallSiteFromSourceMap +} = require('../vulnerability-reporter') class Analyzer extends SinkIastPlugin { constructor (type) { @@ -28,12 +31,24 @@ class Analyzer extends SinkIastPlugin { } _reportEvidence (value, context, evidence) { - const location = this._getLocation(value) + const callSiteFrames = getVulnerabilityCallSiteFrames() + const nonDDCallSiteFrames = getNonDDCallSiteFrames(callSiteFrames, this._getExcludedPaths()) + + const location = this._getLocation(value, nonDDCallSiteFrames) + if (!this._isExcluded(location)) { - const locationSourceMap = this._replaceLocationFromSourceMap(location) + const originalLocation = this._getOriginalLocation(location) const spanId = context && context.rootSpan && context.rootSpan.context().toSpanId() - const vulnerability = this._createVulnerability(this._type, evidence, spanId, locationSourceMap) - addVulnerability(context, vulnerability) + const stackId = getIastStackTraceId(context) + const vulnerability = this._createVulnerability( + this._type, + evidence, + spanId, + originalLocation, + stackId + ) + + addVulnerability(context, vulnerability, nonDDCallSiteFrames) } } @@ -49,24 +64,25 @@ class Analyzer extends SinkIastPlugin { return { value } } - _getLocation () { - return getFirstNonDDPathAndLine(this._getExcludedPaths()) + _getLocation (value, callSiteFrames) { + return callSiteFrames[0] } - _replaceLocationFromSourceMap (location) { - if (location) { - const { path, line, column } = getOriginalPathAndLineFromSourceMap(location) - if (path) { - location.path = path - } - if (line) { - location.line = line - } - if (column) { - location.column = column - } + _getOriginalLocation (location) { + const locationFromSourceMap = replaceCallSiteFromSourceMap(location) + const originalLocation = {} + + if (locationFromSourceMap?.path) { + originalLocation.path = locationFromSourceMap.path + } + if (locationFromSourceMap?.line) { + originalLocation.line = locationFromSourceMap.line } - return location + if (locationFromSourceMap?.column) { + originalLocation.column = locationFromSourceMap.column + } + + return originalLocation } _getExcludedPaths () {} @@ -102,12 +118,13 @@ class Analyzer extends SinkIastPlugin { return overheadController.hasQuota(overheadController.OPERATIONS.REPORT_VULNERABILITY, context) } - _createVulnerability (type, evidence, spanId, location) { + _createVulnerability (type, evidence, spanId, location, stackId) { if (type && evidence) { const _spanId = spanId || 0 return { type, evidence, + stackId, location: { spanId: _spanId, ...location diff --git a/packages/dd-trace/src/appsec/iast/iast-context.js b/packages/dd-trace/src/appsec/iast/iast-context.js index 6d697dcf978..77c757fff8a 100644 --- a/packages/dd-trace/src/appsec/iast/iast-context.js +++ b/packages/dd-trace/src/appsec/iast/iast-context.js @@ -9,6 +9,17 @@ function getIastContext (store, topContext) { return iastContext } +function getIastStackTraceId (iastContext) { + if (!iastContext) return 0 + + if (!iastContext.stackTraceId) { + iastContext.stackTraceId = 0 + } + + iastContext.stackTraceId += 1 + return iastContext.stackTraceId +} + /* TODO Fix storage problem when the close event is called without finish event to remove `topContext` references We have to save the context in two places, because @@ -51,6 +62,7 @@ module.exports = { getIastContext, saveIastContext, cleanIastContext, + getIastStackTraceId, IAST_CONTEXT_KEY, IAST_TRANSACTION_ID } diff --git a/packages/dd-trace/src/appsec/iast/path-line.js b/packages/dd-trace/src/appsec/iast/path-line.js index bf7c3eb2d84..1163bb8d604 100644 --- a/packages/dd-trace/src/appsec/iast/path-line.js +++ b/packages/dd-trace/src/appsec/iast/path-line.js @@ -3,12 +3,10 @@ const path = require('path') const process = require('process') const { calculateDDBasePath } = require('../../util') -const { getCallSiteList } = require('../stack_trace') const pathLine = { - getFirstNonDDPathAndLine, getNodeModulesPaths, getRelativePath, - getFirstNonDDPathAndLineFromCallsites, // Exported only for test purposes + getNonDDCallSiteFrames, calculateDDBasePath, // Exported only for test purposes ddBasePath: calculateDDBasePath(__dirname) // Only for test purposes } @@ -25,22 +23,24 @@ const EXCLUDED_PATH_PREFIXES = [ 'async_hooks' ] -function getFirstNonDDPathAndLineFromCallsites (callsites, externallyExcludedPaths) { - if (callsites) { - for (let i = 0; i < callsites.length; i++) { - const callsite = callsites[i] - const filepath = callsite.getFileName() - if (!isExcluded(callsite, externallyExcludedPaths) && filepath.indexOf(pathLine.ddBasePath) === -1) { - return { - path: getRelativePath(filepath), - line: callsite.getLineNumber(), - column: callsite.getColumnNumber(), - isInternal: !path.isAbsolute(filepath) - } - } +function getNonDDCallSiteFrames (callSiteFrames, externallyExcludedPaths) { + if (!callSiteFrames) { + return [] + } + + const result = [] + + for (const callsite of callSiteFrames) { + const filepath = callsite.file + if (!isExcluded(callsite, externallyExcludedPaths) && filepath.indexOf(pathLine.ddBasePath) === -1) { + callsite.path = getRelativePath(filepath) + callsite.isInternal = !path.isAbsolute(filepath) + + result.push(callsite) } } - return null + + return result } function getRelativePath (filepath) { @@ -48,8 +48,8 @@ function getRelativePath (filepath) { } function isExcluded (callsite, externallyExcludedPaths) { - if (callsite.isNative()) return true - const filename = callsite.getFileName() + if (callsite.isNative) return true + const filename = callsite.file if (!filename) { return true } @@ -73,10 +73,6 @@ function isExcluded (callsite, externallyExcludedPaths) { return false } -function getFirstNonDDPathAndLine (externallyExcludedPaths) { - return getFirstNonDDPathAndLineFromCallsites(getCallSiteList(), externallyExcludedPaths) -} - function getNodeModulesPaths (...paths) { const nodeModulesPaths = [] diff --git a/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/index.js b/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/index.js index d704743dde4..88af720a285 100644 --- a/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/index.js +++ b/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/index.js @@ -84,6 +84,7 @@ class VulnerabilityFormatter { const formattedVulnerability = { type: vulnerability.type, hash: vulnerability.hash, + stackId: vulnerability.stackId, evidence: this.formatEvidence(vulnerability.type, vulnerability.evidence, sourcesIndexes, sources), location: { spanId: vulnerability.location.spanId diff --git a/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js b/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js index 05aea14cf02..4adc636e5af 100644 --- a/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js +++ b/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js @@ -6,6 +6,8 @@ const { IAST_ENABLED_TAG_KEY, IAST_JSON_TAG_KEY } = require('./tags') const standalone = require('../standalone') const { SAMPLING_MECHANISM_APPSEC } = require('../../constants') const { keepTrace } = require('../../priority_sampler') +const { reportStackTrace, getCallsiteFrames, canReportStackTrace, STACK_TRACE_NAMESPACES } = require('../stack_trace') +const { getOriginalPathAndLineFromSourceMap } = require('./taint-tracking/rewriter') const VULNERABILITIES_KEY = 'vulnerabilities' const VULNERABILITY_HASHES_MAX_SIZE = 1000 @@ -15,39 +17,60 @@ const RESET_VULNERABILITY_CACHE_INTERVAL = 60 * 60 * 1000 // 1 hour let tracer let resetVulnerabilityCacheTimer let deduplicationEnabled = true +let stackTraceEnabled = true +let stackTraceMaxDepth +let maxStackTraces -function addVulnerability (iastContext, vulnerability) { - if (vulnerability?.evidence && vulnerability?.type && vulnerability?.location) { - if (deduplicationEnabled && isDuplicatedVulnerability(vulnerability)) return +function canAddVulnerability (vulnerability) { + const hasRequiredFields = vulnerability?.evidence && vulnerability?.type && vulnerability?.location + if (!hasRequiredFields) return false - VULNERABILITY_HASHES.set(`${vulnerability.type}${vulnerability.hash}`, true) + const isDuplicated = deduplicationEnabled && isDuplicatedVulnerability(vulnerability) - let span = iastContext?.rootSpan + return !isDuplicated +} - if (!span && tracer) { - span = tracer.startSpan('vulnerability', { - type: 'vulnerability' - }) +function addVulnerability (iastContext, vulnerability, callSiteFrames) { + if (!canAddVulnerability(vulnerability)) return - vulnerability.location.spanId = span.context().toSpanId() + VULNERABILITY_HASHES.set(`${vulnerability.type}${vulnerability.hash}`, true) - span.addTags({ - [IAST_ENABLED_TAG_KEY]: 1 - }) - } + let span = iastContext?.rootSpan - if (!span) return + if (!span && tracer) { + span = tracer.startSpan('vulnerability', { + type: 'vulnerability' + }) - keepTrace(span, SAMPLING_MECHANISM_APPSEC) - standalone.sample(span) + vulnerability.location.spanId = span.context().toSpanId() - if (iastContext?.rootSpan) { - iastContext[VULNERABILITIES_KEY] = iastContext[VULNERABILITIES_KEY] || [] - iastContext[VULNERABILITIES_KEY].push(vulnerability) - } else { - sendVulnerabilities([vulnerability], span) - span.finish() - } + span.addTags({ + [IAST_ENABLED_TAG_KEY]: 1 + }) + } + + if (!span) return + + keepTrace(span, SAMPLING_MECHANISM_APPSEC) + standalone.sample(span) + + if (stackTraceEnabled && canReportStackTrace(span, maxStackTraces, STACK_TRACE_NAMESPACES.IAST)) { + const originalCallSiteList = callSiteFrames.map(callsite => replaceCallSiteFromSourceMap(callsite)) + + reportStackTrace( + span, + vulnerability.stackId, + originalCallSiteList, + STACK_TRACE_NAMESPACES.IAST + ) + } + + if (iastContext?.rootSpan) { + iastContext[VULNERABILITIES_KEY] = iastContext[VULNERABILITIES_KEY] || [] + iastContext[VULNERABILITIES_KEY].push(vulnerability) + } else { + sendVulnerabilities([vulnerability], span) + span.finish() } } @@ -94,8 +117,34 @@ function isDuplicatedVulnerability (vulnerability) { return VULNERABILITY_HASHES.get(`${vulnerability.type}${vulnerability.hash}`) } +function getVulnerabilityCallSiteFrames () { + return getCallsiteFrames(stackTraceMaxDepth) +} + +function replaceCallSiteFromSourceMap (callsite) { + if (callsite) { + const { path, line, column } = getOriginalPathAndLineFromSourceMap(callsite) + if (path) { + callsite.file = path + callsite.path = path + } + if (line) { + callsite.line = line + } + if (column) { + callsite.column = column + } + } + + return callsite +} + function start (config, _tracer) { deduplicationEnabled = config.iast.deduplicationEnabled + stackTraceEnabled = config.iast.stackTrace.enabled + stackTraceMaxDepth = config.appsec.stackTrace.maxDepth + maxStackTraces = config.appsec.stackTrace.maxStackTraces + vulnerabilitiesFormatter.setRedactVulnerabilities( config.iast.redactionEnabled, config.iast.redactionNamePattern, @@ -114,6 +163,8 @@ function stop () { module.exports = { addVulnerability, sendVulnerabilities, + getVulnerabilityCallSiteFrames, + replaceCallSiteFromSourceMap, clearCache, start, stop diff --git a/packages/dd-trace/src/appsec/rasp/utils.js b/packages/dd-trace/src/appsec/rasp/utils.js index a454a71b8c6..17875c48c7b 100644 --- a/packages/dd-trace/src/appsec/rasp/utils.js +++ b/packages/dd-trace/src/appsec/rasp/utils.js @@ -1,7 +1,7 @@ 'use strict' const web = require('../../plugins/util/web') -const { reportStackTrace } = require('../stack_trace') +const { getCallsiteFrames, reportStackTrace, canReportStackTrace } = require('../stack_trace') const { getBlockingAction } = require('../blocking') const log = require('../../log') @@ -30,13 +30,18 @@ class DatadogRaspAbortError extends Error { function handleResult (actions, req, res, abortController, config) { const generateStackTraceAction = actions?.generate_stack - if (generateStackTraceAction && config.appsec.stackTrace.enabled) { - const rootSpan = web.root(req) + + const { enabled, maxDepth, maxStackTraces } = config.appsec.stackTrace + + const rootSpan = web.root(req) + + if (generateStackTraceAction && enabled && canReportStackTrace(rootSpan, maxStackTraces)) { + const frames = getCallsiteFrames(maxDepth) + reportStackTrace( rootSpan, generateStackTraceAction.stack_id, - config.appsec.stackTrace.maxDepth, - config.appsec.stackTrace.maxStackTraces + frames ) } diff --git a/packages/dd-trace/src/appsec/stack_trace.js b/packages/dd-trace/src/appsec/stack_trace.js index ea49ed1e877..53fc0e27811 100644 --- a/packages/dd-trace/src/appsec/stack_trace.js +++ b/packages/dd-trace/src/appsec/stack_trace.js @@ -6,11 +6,18 @@ const ddBasePath = calculateDDBasePath(__dirname) const LIBRARY_FRAMES_BUFFER = 20 +const STACK_TRACE_NAMESPACES = { + RASP: 'exploit', + IAST: 'vulnerability' +} + function getCallSiteList (maxDepth = 100) { const previousPrepareStackTrace = Error.prepareStackTrace const previousStackTraceLimit = Error.stackTraceLimit let callsiteList - Error.stackTraceLimit = maxDepth + // Since some frames will be discarded because they come from tracer codebase, a buffer is added + // to the limit in order to get as close as `maxDepth` number of frames. + Error.stackTraceLimit = maxDepth + LIBRARY_FRAMES_BUFFER try { Error.prepareStackTrace = function (_, callsites) { @@ -30,7 +37,10 @@ function filterOutFramesFromLibrary (callSiteList) { return callSiteList.filter(callSite => !callSite.getFileName()?.startsWith(ddBasePath)) } -function getFramesForMetaStruct (callSiteList, maxDepth = 32) { +function getCallsiteFrames (maxDepth = 32, callSiteListGetter = getCallSiteList) { + if (maxDepth < 1) maxDepth = Infinity + + const callSiteList = callSiteListGetter(maxDepth) const filteredFrames = filterOutFramesFromLibrary(callSiteList) const half = filteredFrames.length > maxDepth ? Math.round(maxDepth / 2) : Infinity @@ -45,46 +55,46 @@ function getFramesForMetaStruct (callSiteList, maxDepth = 32) { line: callSite.getLineNumber(), column: callSite.getColumnNumber(), function: callSite.getFunctionName(), - class_name: callSite.getTypeName() + class_name: callSite.getTypeName(), + isNative: callSite.isNative() }) } return indexedFrames } -function reportStackTrace (rootSpan, stackId, maxDepth, maxStackTraces, callSiteListGetter = getCallSiteList) { +function reportStackTrace (rootSpan, stackId, frames, namespace = STACK_TRACE_NAMESPACES.RASP) { if (!rootSpan) return + if (!Array.isArray(frames)) return - if (maxStackTraces < 1 || (rootSpan.meta_struct?.['_dd.stack']?.exploit?.length ?? 0) < maxStackTraces) { - // Since some frames will be discarded because they come from tracer codebase, a buffer is added - // to the limit in order to get as close as `maxDepth` number of frames. - if (maxDepth < 1) maxDepth = Infinity - const callSiteList = callSiteListGetter(maxDepth + LIBRARY_FRAMES_BUFFER) - if (!Array.isArray(callSiteList)) return + if (!rootSpan.meta_struct) { + rootSpan.meta_struct = {} + } - if (!rootSpan.meta_struct) { - rootSpan.meta_struct = {} - } + if (!rootSpan.meta_struct['_dd.stack']) { + rootSpan.meta_struct['_dd.stack'] = {} + } - if (!rootSpan.meta_struct['_dd.stack']) { - rootSpan.meta_struct['_dd.stack'] = {} - } + if (!rootSpan.meta_struct['_dd.stack'][namespace]) { + rootSpan.meta_struct['_dd.stack'][namespace] = [] + } - if (!rootSpan.meta_struct['_dd.stack'].exploit) { - rootSpan.meta_struct['_dd.stack'].exploit = [] - } + rootSpan.meta_struct['_dd.stack'][namespace].push({ + id: stackId, + language: 'nodejs', + frames + }) +} - const frames = getFramesForMetaStruct(callSiteList, maxDepth) +function canReportStackTrace (rootSpan, maxStackTraces, namespace = STACK_TRACE_NAMESPACES.RASP) { + if (!rootSpan) return false - rootSpan.meta_struct['_dd.stack'].exploit.push({ - id: stackId, - language: 'nodejs', - frames - }) - } + return maxStackTraces < 1 || (rootSpan.meta_struct?.['_dd.stack']?.[namespace]?.length ?? 0) < maxStackTraces } module.exports = { - getCallSiteList, - reportStackTrace + getCallsiteFrames, + reportStackTrace, + canReportStackTrace, + STACK_TRACE_NAMESPACES } diff --git a/packages/dd-trace/src/config.js b/packages/dd-trace/src/config.js index 8dd63cccdf6..f529bc635e2 100644 --- a/packages/dd-trace/src/config.js +++ b/packages/dd-trace/src/config.js @@ -497,6 +497,7 @@ class Config { this._setValue(defaults, 'iast.redactionValuePattern', null) this._setValue(defaults, 'iast.requestSampling', 30) this._setValue(defaults, 'iast.telemetryVerbosity', 'INFORMATION') + this._setValue(defaults, 'iast.stackTrace.enabled', true) this._setValue(defaults, 'injectionEnabled', []) this._setValue(defaults, 'isAzureFunction', false) this._setValue(defaults, 'isCiVisibility', false) @@ -622,6 +623,7 @@ class Config { DD_IAST_REDACTION_VALUE_PATTERN, DD_IAST_REQUEST_SAMPLING, DD_IAST_TELEMETRY_VERBOSITY, + DD_IAST_STACK_TRACE_ENABLED, DD_INJECTION_ENABLED, DD_INSTRUMENTATION_TELEMETRY_ENABLED, DD_INSTRUMENTATION_CONFIG_ID, @@ -787,6 +789,7 @@ class Config { } this._envUnprocessed['iast.requestSampling'] = DD_IAST_REQUEST_SAMPLING this._setString(env, 'iast.telemetryVerbosity', DD_IAST_TELEMETRY_VERBOSITY) + this._setBoolean(env, 'iast.stackTrace.enabled', DD_IAST_STACK_TRACE_ENABLED) this._setArray(env, 'injectionEnabled', DD_INJECTION_ENABLED) this._setBoolean(env, 'isAzureFunction', getIsAzureFunction()) this._setBoolean(env, 'isGCPFunction', getIsGCPFunction()) @@ -976,6 +979,7 @@ class Config { this._optsUnprocessed['iast.requestSampling'] = options.iast?.requestSampling } this._setString(opts, 'iast.telemetryVerbosity', options.iast && options.iast.telemetryVerbosity) + this._setBoolean(opts, 'iast.stackTrace.enabled', options.iast?.stackTrace?.enabled) this._setBoolean(opts, 'isCiVisibility', options.isCiVisibility) this._setBoolean(opts, 'legacyBaggageEnabled', options.legacyBaggageEnabled) this._setBoolean(opts, 'llmobs.agentlessEnabled', options.llmobs?.agentlessEnabled) diff --git a/packages/dd-trace/test/appsec/iast/analyzers/hardcoded-password-analyzer.spec.js b/packages/dd-trace/test/appsec/iast/analyzers/hardcoded-password-analyzer.spec.js index e20c83ef33d..16fe264328c 100644 --- a/packages/dd-trace/test/appsec/iast/analyzers/hardcoded-password-analyzer.spec.js +++ b/packages/dd-trace/test/appsec/iast/analyzers/hardcoded-password-analyzer.spec.js @@ -10,6 +10,7 @@ const Config = require('../../../../src/config') const hardcodedPasswordAnalyzer = require('../../../../src/appsec/iast/analyzers/hardcoded-password-analyzer') const iast = require('../../../../src/appsec/iast') +const vulnerabilityReporter = require('../../../../src/appsec/iast/vulnerability-reporter') const ruleId = 'hardcoded-password' const samples = [ @@ -131,6 +132,7 @@ describe('Hardcoded Password Analyzer', () => { afterEach(() => { iast.disable() + vulnerabilityReporter.clearCache() }) afterEach(() => { diff --git a/packages/dd-trace/test/appsec/iast/analyzers/hardcoded-secret-analyzer.spec.js b/packages/dd-trace/test/appsec/iast/analyzers/hardcoded-secret-analyzer.spec.js index 67d00a8b53a..b65aed0a614 100644 --- a/packages/dd-trace/test/appsec/iast/analyzers/hardcoded-secret-analyzer.spec.js +++ b/packages/dd-trace/test/appsec/iast/analyzers/hardcoded-secret-analyzer.spec.js @@ -11,6 +11,7 @@ const { NameAndValue, ValueOnly } = require('../../../../src/appsec/iast/analyze const hardcodedSecretAnalyzer = require('../../../../src/appsec/iast/analyzers/hardcoded-secret-analyzer') const { suite } = require('./resources/hardcoded-secrets-suite.json') const iast = require('../../../../src/appsec/iast') +const vulnerabilityReporter = require('../../../../src/appsec/iast/vulnerability-reporter') describe('Hardcoded Secret Analyzer', () => { describe('unit test', () => { @@ -101,6 +102,7 @@ describe('Hardcoded Secret Analyzer', () => { afterEach(() => { iast.disable() + vulnerabilityReporter.clearCache() }) afterEach(() => { diff --git a/packages/dd-trace/test/appsec/iast/analyzers/vulnerability-analyzer.spec.js b/packages/dd-trace/test/appsec/iast/analyzers/vulnerability-analyzer.spec.js index b47fb95b81b..cdb7e8cc4e2 100644 --- a/packages/dd-trace/test/appsec/iast/analyzers/vulnerability-analyzer.spec.js +++ b/packages/dd-trace/test/appsec/iast/analyzers/vulnerability-analyzer.spec.js @@ -6,25 +6,20 @@ const proxyquire = require('proxyquire') describe('vulnerability-analyzer', () => { const VULNERABLE_VALUE = 'VULNERABLE_VALUE' const VULNERABILITY = 'VULNERABILITY' - const VULNERABILITY_LOCATION = { path: 'VULNERABILITY_LOCATION', line: 11 } - const VULNERABILITY_LOCATION_FROM_SOURCEMAP = { path: 'VULNERABILITY_LOCATION_FROM_SOURCEMAP', line: 42 } + const VULNERABILITY_LOCATION_FROM_SOURCEMAP = { path: 'VULNERABILITY_LOCATION_FROM_SOURCEMAP', line: 42, column: 21 } const ANALYZER_TYPE = 'TEST_ANALYZER' const SPAN_ID = '123456' let VulnerabilityAnalyzer let vulnerabilityReporter let overheadController - let pathLine let iastContextHandler - let rewriter beforeEach(() => { vulnerabilityReporter = { createVulnerability: sinon.stub().returns(VULNERABILITY), - addVulnerability: sinon.stub() - } - pathLine = { - getFirstNonDDPathAndLine: sinon.stub().returns(VULNERABILITY_LOCATION) + addVulnerability: sinon.stub(), + replaceCallSiteFromSourceMap: sinon.stub().returns(VULNERABILITY_LOCATION_FROM_SOURCEMAP) } overheadController = { hasQuota: sinon.stub() @@ -32,16 +27,11 @@ describe('vulnerability-analyzer', () => { iastContextHandler = { getIastContext: sinon.stub() } - rewriter = { - getOriginalPathAndLineFromSourceMap: sinon.stub().returns(VULNERABILITY_LOCATION_FROM_SOURCEMAP) - } VulnerabilityAnalyzer = proxyquire('../../../../src/appsec/iast/analyzers/vulnerability-analyzer', { '../vulnerability-reporter': vulnerabilityReporter, - '../path-line': pathLine, '../overhead-controller': overheadController, - '../iast-context': iastContextHandler, - '../taint-tracking/rewriter': rewriter + '../iast-context': iastContextHandler }) }) @@ -120,16 +110,17 @@ describe('vulnerability-analyzer', () => { context, { type: 'TEST_ANALYZER', + stackId: 1, evidence: { value: 'VULNERABLE_VALUE' }, location: { spanId: '123456', - path: 'VULNERABILITY_LOCATION_FROM_SOURCEMAP', - line: 42 + ...VULNERABILITY_LOCATION_FROM_SOURCEMAP }, hash: 5975567724 - } + }, + sinon.match.array ) }) @@ -160,7 +151,6 @@ describe('vulnerability-analyzer', () => { VulnerabilityAnalyzer = proxyquire('../../../../src/appsec/iast/analyzers/vulnerability-analyzer', { '../vulnerability-reporter': vulnerabilityReporter, - '../path-line': pathLine, '../overhead-controller': overheadController, '../iast-context': iastContextHandler, '../iast-plugin': { @@ -285,7 +275,7 @@ describe('vulnerability-analyzer', () => { ANALYZER_TYPE, { value: 'test' }, SPAN_ID, - VULNERABILITY_LOCATION + VULNERABILITY_LOCATION_FROM_SOURCEMAP ) }) }) diff --git a/packages/dd-trace/test/appsec/iast/path-line.spec.js b/packages/dd-trace/test/appsec/iast/path-line.spec.js index 11905bcb880..eee98c31ef9 100644 --- a/packages/dd-trace/test/appsec/iast/path-line.spec.js +++ b/packages/dd-trace/test/appsec/iast/path-line.spec.js @@ -2,27 +2,16 @@ const proxyquire = require('proxyquire') const path = require('path') const os = require('os') const { expect } = require('chai') +const { getCallsiteFrames } = require('../../../src/appsec/stack_trace') class CallSiteMock { constructor (fileName, lineNumber, columnNumber = 0) { - this.fileName = fileName - this.lineNumber = lineNumber - this.columnNumber = columnNumber + this.file = fileName + this.line = lineNumber + this.column = columnNumber } - getLineNumber () { - return this.lineNumber - } - - getColumnNumber () { - return this.columnNumber - } - - getFileName () { - return this.fileName - } - - isNative () { + get isNative () { return false } } @@ -50,13 +39,6 @@ describe('path-line', function () { }) }) - describe('getFirstNonDDPathAndLine', () => { - it('call does not fail', () => { - const obj = pathLine.getFirstNonDDPathAndLine() - expect(obj).to.not.be.null - }) - }) - describe('calculateDDBasePath', () => { it('/node_modules/dd-trace', () => { const basePath = path.join(rootPath, 'node_modules', 'dd-trace', 'packages', path.sep) @@ -78,18 +60,21 @@ describe('path-line', function () { }) }) - describe('getFirstNonDDPathAndLineFromCallsites', () => { + describe('getNonDDCallSiteFrames', () => { describe('does not fail', () => { it('with null parameter', () => { - pathLine.getFirstNonDDPathAndLineFromCallsites(null) + const result = pathLine.getNonDDCallSiteFrames(null) + expect(result).to.be.an('array').that.is.empty }) it('with empty list parameter', () => { - pathLine.getFirstNonDDPathAndLineFromCallsites([]) + const result = pathLine.getNonDDCallSiteFrames([]) + expect(result).to.be.an('array').that.is.empty }) it('without parameter', () => { - pathLine.getFirstNonDDPathAndLineFromCallsites() + const result = pathLine.getNonDDCallSiteFrames() + expect(result).to.be.an('array').that.is.empty }) }) @@ -110,52 +95,65 @@ describe('path-line', function () { pathLine.ddBasePath = prevDDBasePath }) - it('should return first non DD library when two stack are in dd-trace files and the next is the client line', - () => { - const callsites = [] - const expectedFirstFileOutOfDD = path.join('first', 'file', 'out', 'of', 'dd.js') - const firstFileOutOfDD = path.join(PROJECT_PATH, expectedFirstFileOutOfDD) - const firstFileOutOfDDLineNumber = 13 + it('should return all no DD entries when multiple stack frames are present', () => { + const callsites = [] + const expectedFilePaths = [ + path.join('first', 'file', 'out', 'of', 'dd.js'), + path.join('second', 'file', 'out', 'of', 'dd.js') + ] + const firstFileOutOfDD = path.join(PROJECT_PATH, expectedFilePaths[0]) + const secondFileOutOfDD = path.join(PROJECT_PATH, expectedFilePaths[1]) - callsites.push(new CallSiteMock(PATH_AND_LINE_PATH, PATH_AND_LINE_LINE)) - callsites.push(new CallSiteMock(path.join(DD_BASE_PATH, 'other', 'file', 'in', 'dd.js'), 89)) - callsites.push(new CallSiteMock(path.join(DD_BASE_PATH, 'other', 'file', 'in', 'dd.js'), 5)) - callsites.push(new CallSiteMock(firstFileOutOfDD, firstFileOutOfDDLineNumber, 42)) - const pathAndLine = pathLine.getFirstNonDDPathAndLineFromCallsites(callsites) - expect(pathAndLine.path).to.be.equals(expectedFirstFileOutOfDD) - expect(pathAndLine.line).to.be.equals(firstFileOutOfDDLineNumber) - expect(pathAndLine.column).to.be.equals(42) - }) + callsites.push(new CallSiteMock(PATH_AND_LINE_PATH, PATH_AND_LINE_LINE)) + callsites.push(new CallSiteMock(path.join(DD_BASE_PATH, 'other', 'file', 'in', 'dd.js'), 89)) + callsites.push(new CallSiteMock(firstFileOutOfDD, 13, 42)) + callsites.push(new CallSiteMock(secondFileOutOfDD, 20, 15)) + + const results = pathLine.getNonDDCallSiteFrames(callsites) + + expect(results).to.have.lengthOf(2) + + expect(results[0].path).to.be.equals(expectedFilePaths[0]) + expect(results[0].line).to.be.equals(13) + expect(results[0].column).to.be.equals(42) + + expect(results[1].path).to.be.equals(expectedFilePaths[1]) + expect(results[1].line).to.be.equals(20) + expect(results[1].column).to.be.equals(15) + }) - it('should return null when all stack is in dd trace', () => { + it('should return an empty array when all stack frames are in dd trace', () => { const callsites = [] callsites.push(new CallSiteMock(PATH_AND_LINE_PATH, PATH_AND_LINE_LINE)) callsites.push(new CallSiteMock(path.join(DD_BASE_PATH, 'other', 'file', 'in', 'dd.js'), 89)) - callsites.push(new CallSiteMock(path.join(DD_BASE_PATH, 'other', 'file', 'in', 'dd.js'), 5)) - const pathAndLine = pathLine.getFirstNonDDPathAndLineFromCallsites(callsites) - expect(pathAndLine).to.be.null + callsites.push(new CallSiteMock(path.join(DD_BASE_PATH, 'another', 'file', 'in', 'dd.js'), 5)) + + const results = pathLine.getNonDDCallSiteFrames(callsites) + expect(results).to.be.an('array').that.is.empty }) DIAGNOSTICS_CHANNEL_PATHS.forEach((dcPath) => { - it(`should not return ${dcPath} path`, () => { + it(`should exclude ${dcPath} from the results`, () => { const callsites = [] - const expectedFirstFileOutOfDD = path.join('first', 'file', 'out', 'of', 'dd.js') - const firstFileOutOfDD = path.join(PROJECT_PATH, expectedFirstFileOutOfDD) - const firstFileOutOfDDLineNumber = 13 + const expectedFilePath = path.join('first', 'file', 'out', 'of', 'dd.js') + const firstFileOutOfDD = path.join(PROJECT_PATH, expectedFilePath) + callsites.push(new CallSiteMock(PATH_AND_LINE_PATH, PATH_AND_LINE_LINE)) callsites.push(new CallSiteMock(path.join(DD_BASE_PATH, 'other', 'file', 'in', 'dd.js'), 89)) callsites.push(new CallSiteMock(dcPath, 25)) - callsites.push(new CallSiteMock(path.join(DD_BASE_PATH, 'other', 'file', 'in', 'dd.js'), 5)) - callsites.push(new CallSiteMock(firstFileOutOfDD, firstFileOutOfDDLineNumber, 42)) - const pathAndLine = pathLine.getFirstNonDDPathAndLineFromCallsites(callsites) - expect(pathAndLine.path).to.be.equals(expectedFirstFileOutOfDD) - expect(pathAndLine.line).to.be.equals(firstFileOutOfDDLineNumber) - expect(pathAndLine.column).to.be.equals(42) + callsites.push(new CallSiteMock(firstFileOutOfDD, 13, 42)) + + const results = pathLine.getNonDDCallSiteFrames(callsites) + expect(results).to.have.lengthOf(1) + + expect(results[0].path).to.be.equals(expectedFilePath) + expect(results[0].line).to.be.equals(13) + expect(results[0].column).to.be.equals(42) }) }) }) - describe('dd-trace is in other directory', () => { + describe('dd-trace is in another directory', () => { const PROJECT_PATH = path.join(tmpdir, 'project-path') const DD_BASE_PATH = path.join(tmpdir, 'dd-tracer-path') const PATH_AND_LINE_PATH = path.join(DD_BASE_PATH, 'packages', @@ -173,37 +171,30 @@ describe('path-line', function () { pathLine.ddBasePath = previousDDBasePath }) - it('two in dd-trace files and the next is the client line', () => { + it('should return all non-DD entries', () => { const callsites = [] - const expectedFilePath = path.join('first', 'file', 'out', 'of', 'dd.js') - const firstFileOutOfDD = path.join(PROJECT_PATH, expectedFilePath) - const firstFileOutOfDDLineNumber = 13 + const expectedFilePaths = [ + path.join('first', 'file', 'out', 'of', 'dd.js'), + path.join('second', 'file', 'out', 'of', 'dd.js') + ] + const firstFileOutOfDD = path.join(PROJECT_PATH, expectedFilePaths[0]) + const secondFileOutOfDD = path.join(PROJECT_PATH, expectedFilePaths[1]) + callsites.push(new CallSiteMock(PATH_AND_LINE_PATH, PATH_AND_LINE_LINE)) callsites.push(new CallSiteMock(path.join(DD_BASE_PATH, 'other', 'file', 'in', 'dd.js'), 89)) - callsites.push(new CallSiteMock(path.join(DD_BASE_PATH, 'other', 'file', 'in', 'dd.js'), 5)) - callsites.push(new CallSiteMock(firstFileOutOfDD, firstFileOutOfDDLineNumber, 42)) - const pathAndLine = pathLine.getFirstNonDDPathAndLineFromCallsites(callsites) - expect(pathAndLine.path).to.be.equals(expectedFilePath) - expect(pathAndLine.line).to.be.equals(firstFileOutOfDDLineNumber) - expect(pathAndLine.column).to.be.equals(42) - }) + callsites.push(new CallSiteMock(firstFileOutOfDD, 13, 42)) + callsites.push(new CallSiteMock(secondFileOutOfDD, 20, 15)) - DIAGNOSTICS_CHANNEL_PATHS.forEach((dcPath) => { - it(`should not return ${dcPath} path`, () => { - const callsites = [] - const expectedFilePath = path.join('first', 'file', 'out', 'of', 'dd.js') - const firstFileOutOfDD = path.join(PROJECT_PATH, expectedFilePath) - const firstFileOutOfDDLineNumber = 13 - callsites.push(new CallSiteMock(PATH_AND_LINE_PATH, PATH_AND_LINE_LINE)) - callsites.push(new CallSiteMock(path.join(DD_BASE_PATH, 'other', 'file', 'in', 'dd.js'), 89)) - callsites.push(new CallSiteMock(dcPath, 25)) - callsites.push(new CallSiteMock(path.join(DD_BASE_PATH, 'other', 'file', 'in', 'dd.js'), 5)) - callsites.push(new CallSiteMock(firstFileOutOfDD, firstFileOutOfDDLineNumber, 42)) - const pathAndLine = pathLine.getFirstNonDDPathAndLineFromCallsites(callsites) - expect(pathAndLine.path).to.be.equals(expectedFilePath) - expect(pathAndLine.line).to.be.equals(firstFileOutOfDDLineNumber) - expect(pathAndLine.column).to.be.equals(42) - }) + const results = pathLine.getNonDDCallSiteFrames(callsites) + expect(results).to.have.lengthOf(2) + + expect(results[0].path).to.be.equals(expectedFilePaths[0]) + expect(results[0].line).to.be.equals(13) + expect(results[0].column).to.be.equals(42) + + expect(results[1].path).to.be.equals(expectedFilePaths[1]) + expect(results[1].line).to.be.equals(20) + expect(results[1].column).to.be.equals(15) }) }) }) @@ -221,6 +212,7 @@ describe('path-line', function () { e.stack Error.prepareStackTrace = previousPrepareStackTrace Error.stackTraceLimit = previousStackTraceLimit + return callsiteList } @@ -228,11 +220,13 @@ describe('path-line', function () { const basePath = pathLine.ddBasePath pathLine.ddBasePath = path.join('test', 'base', 'path') - const list = getCallSiteInfo() - const firstNonDDPath = pathLine.getFirstNonDDPathAndLineFromCallsites(list) + const list = getCallsiteFrames(32, getCallSiteInfo) + const firstNonDDPath = pathLine.getNonDDCallSiteFrames(list)[0] + + const expectedPath = path.join('node_modules', firstNonDDPath.path) + const nodeModulesPaths = pathLine.getNodeModulesPaths(firstNonDDPath.path) - const nodeModulesPaths = pathLine.getNodeModulesPaths(__filename) - expect(nodeModulesPaths[0]).to.eq(path.join('node_modules', process.cwd(), firstNonDDPath.path)) + expect(nodeModulesPaths[0]).to.equal(expectedPath) pathLine.ddBasePath = basePath }) diff --git a/packages/dd-trace/test/appsec/iast/utils.js b/packages/dd-trace/test/appsec/iast/utils.js index 01274dd954e..5597788bd9d 100644 --- a/packages/dd-trace/test/appsec/iast/utils.js +++ b/packages/dd-trace/test/appsec/iast/utils.js @@ -3,12 +3,14 @@ const fs = require('fs') const os = require('os') const path = require('path') +const { assert } = require('chai') const agent = require('../../plugins/agent') const axios = require('axios') const iast = require('../../../src/appsec/iast') const Config = require('../../../src/config') const vulnerabilityReporter = require('../../../src/appsec/iast/vulnerability-reporter') +const { getWebSpan } = require('../utils') function testInRequest (app, tests) { let http @@ -161,6 +163,10 @@ function checkVulnerabilityInRequest (vulnerability, occurrencesAndLocation, cb, .use(traces => { expect(traces[0][0].metrics['_dd.iast.enabled']).to.be.equal(1) expect(traces[0][0].meta).to.have.property('_dd.iast.json') + + const span = getWebSpan(traces) + assert.property(span.meta_struct, '_dd.stack') + const vulnerabilitiesTrace = JSON.parse(traces[0][0].meta['_dd.iast.json']) expect(vulnerabilitiesTrace).to.not.be.null const vulnerabilitiesCount = new Map() diff --git a/packages/dd-trace/test/appsec/iast/vulnerability-reporter.spec.js b/packages/dd-trace/test/appsec/iast/vulnerability-reporter.spec.js index 2ebe646a2d8..9cf28bdac32 100644 --- a/packages/dd-trace/test/appsec/iast/vulnerability-reporter.spec.js +++ b/packages/dd-trace/test/appsec/iast/vulnerability-reporter.spec.js @@ -28,12 +28,12 @@ describe('vulnerability-reporter', () => { describe('with rootSpan', () => { let iastContext = { - rootSpan: true + rootSpan: {} } afterEach(() => { iastContext = { - rootSpan: true + rootSpan: {} } }) @@ -47,27 +47,27 @@ describe('vulnerability-reporter', () => { it('should create vulnerability array if it does not exist', () => { addVulnerability(iastContext, - vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 888)) + vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 888), []) expect(iastContext).to.have.property('vulnerabilities') expect(iastContext.vulnerabilities).to.be.an('array') }) it('should deduplicate same vulnerabilities', () => { addVulnerability(iastContext, - vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, -555)) + vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, -555), []) addVulnerability(iastContext, - vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 888)) + vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 888), []) addVulnerability(iastContext, - vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 123)) + vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 123), []) expect(iastContext.vulnerabilities).to.have.length(1) }) it('should add in the context evidence properties', () => { addVulnerability(iastContext, - vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 888)) + vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 888), []) addVulnerability(iastContext, vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'md5' }, - -123, { path: 'path.js', line: 12 })) + -123, { path: 'path.js', line: 12 }), []) expect(iastContext.vulnerabilities).to.have.length(2) expect(iastContext).to.have.nested.property('vulnerabilities.0.type', 'INSECURE_HASHING') expect(iastContext).to.have.nested.property('vulnerabilities.0.evidence.value', 'sha1') @@ -106,7 +106,17 @@ describe('vulnerability-reporter', () => { } start({ iast: { - deduplicationEnabled: true + deduplicationEnabled: true, + stackTrace: { + enabled: true + } + }, + appsec: { + stackTrace: { + enabled: true, + maxStackTraces: 2, + maxDepth: 42 + } } }, fakeTracer) }) @@ -119,15 +129,15 @@ describe('vulnerability-reporter', () => { it('should create span on the fly', () => { const vulnerability = vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, undefined, - { path: 'filename.js', line: 73 }) - addVulnerability(undefined, vulnerability) + { path: 'filename.js', line: 73 }, 1) + addVulnerability(undefined, vulnerability, []) expect(fakeTracer.startSpan).to.have.been.calledOnceWithExactly('vulnerability', { type: 'vulnerability' }) expect(onTheFlySpan.addTags.firstCall).to.have.been.calledWithExactly({ '_dd.iast.enabled': 1 }) expect(onTheFlySpan.addTags.secondCall).to.have.been.calledWithExactly({ '_dd.iast.json': '{"sources":[],"vulnerabilities":[{"type":"INSECURE_HASHING","hash":3410512655,' + - '"evidence":{"value":"sha1"},"location":{"spanId":42,"path":"filename.js","line":73}}]}' + '"stackId":1,"evidence":{"value":"sha1"},"location":{"spanId":42,"path":"filename.js","line":73}}]}' }) expect(prioritySampler.setPriority) .to.have.been.calledOnceWithExactly(onTheFlySpan, USER_KEEP, SAMPLING_MECHANISM_APPSEC) @@ -138,12 +148,108 @@ describe('vulnerability-reporter', () => { const vulnerability = vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, undefined, { path: 'filename.js', line: 73 }) - addVulnerability(undefined, vulnerability) + addVulnerability(undefined, vulnerability, []) expect(vulnerability.location.spanId).to.be.equal(42) }) }) }) + describe('with maxStackTraces limit', () => { + let iastContext, vulnerability, callSiteFrames + + beforeEach(() => { + iastContext = { + rootSpan: { + meta_struct: { + '_dd.stack': {} + } + } + } + vulnerability = vulnerabilityAnalyzer._createVulnerability( + 'INSECURE_HASHING', + { value: 'sha1' }, + 888, + { path: 'test.js', line: 1 } + ) + callSiteFrames = [{ + getFileName: () => 'test.js', + getLineNumber: () => 1 + }] + }) + + afterEach(() => { + stop() + }) + + it('should report stack trace when under maxStackTraces limit', () => { + start({ + iast: { + deduplicationEnabled: true, + stackTrace: { + enabled: true + } + }, + appsec: { + stackTrace: { + enabled: true, + maxStackTraces: 2, + maxDepth: 42 + } + } + }) + addVulnerability(iastContext, vulnerability, callSiteFrames) + + expect(iastContext.rootSpan.meta_struct['_dd.stack'].vulnerability).to.have.length(1) + }) + + it('should not report stack trace when at maxStackTraces limit', () => { + start({ + iast: { + deduplicationEnabled: true, + stackTrace: { + enabled: true + } + }, + appsec: { + stackTrace: { + enabled: true, + maxStackTraces: 1, + maxDepth: 42 + } + } + }) + iastContext.rootSpan.meta_struct['_dd.stack'].vulnerability = ['existing_stack'] + + addVulnerability(iastContext, vulnerability, callSiteFrames) + + expect(iastContext.rootSpan.meta_struct['_dd.stack'].vulnerability).to.have.length(1) + expect(iastContext.rootSpan.meta_struct['_dd.stack'].vulnerability[0]).to.equal('existing_stack') + }) + + it('should always report stack trace when maxStackTraces is 0', () => { + start({ + iast: { + deduplicationEnabled: true, + stackTrace: { + enabled: true + } + }, + appsec: { + stackTrace: { + enabled: true, + maxStackTraces: 0, + maxDepth: 42 + } + } + }) + iastContext.rootSpan.meta_struct['_dd.stack'].vulnerability = ['stack1', 'stack2'] + + addVulnerability(iastContext, vulnerability, callSiteFrames) + + expect(iastContext.rootSpan.meta_struct['_dd.stack'].vulnerability).to.have.length(3) + }) + }) + describe('sendVulnerabilities', () => { let span let context @@ -161,7 +267,17 @@ describe('vulnerability-reporter', () => { } start({ iast: { - deduplicationEnabled: true + deduplicationEnabled: true, + stackTrace: { + enabled: true + } + }, + appsec: { + stackTrace: { + enabled: true, + maxStackTraces: 2, + maxDepth: 42 + } } }) }) @@ -187,7 +303,7 @@ describe('vulnerability-reporter', () => { it('should send one with one vulnerability', () => { const iastContext = { rootSpan: span } addVulnerability(iastContext, - vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 888)) + vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 888), []) sendVulnerabilities(iastContext.vulnerabilities, span) expect(span.addTags).to.have.been.calledOnceWithExactly({ '_dd.iast.json': '{"sources":[],"vulnerabilities":[{"type":"INSECURE_HASHING","hash":3254801297,' + @@ -199,7 +315,7 @@ describe('vulnerability-reporter', () => { it('should send only valid vulnerabilities', () => { const iastContext = { rootSpan: span } addVulnerability(iastContext, - vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 888)) + vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 888), []) iastContext.vulnerabilities.push({ invalid: 'vulnerability' }) sendVulnerabilities(iastContext.vulnerabilities, span) expect(span.addTags).to.have.been.calledOnceWithExactly({ @@ -227,7 +343,8 @@ describe('vulnerability-reporter', () => { } addVulnerability( iastContext, - vulnerabilityAnalyzer._createVulnerability('SQL_INJECTION', evidence1, 888, { path: 'filename.js', line: 88 }) + vulnerabilityAnalyzer._createVulnerability('SQL_INJECTION', evidence1, 888, { path: 'filename.js', line: 88 }), + [] ) const evidence2 = { @@ -246,7 +363,8 @@ describe('vulnerability-reporter', () => { } addVulnerability( iastContext, - vulnerabilityAnalyzer._createVulnerability('SQL_INJECTION', evidence2, 888, { path: 'filename.js', line: 99 }) + vulnerabilityAnalyzer._createVulnerability('SQL_INJECTION', evidence2, 888, { path: 'filename.js', line: 99 }), + [] ) sendVulnerabilities(iastContext.vulnerabilities, span) @@ -286,7 +404,8 @@ describe('vulnerability-reporter', () => { } addVulnerability( iastContext, - vulnerabilityAnalyzer._createVulnerability('SQL_INJECTION', evidence1, 888, { path: 'filename.js', line: 88 }) + vulnerabilityAnalyzer._createVulnerability('SQL_INJECTION', evidence1, 888, { path: 'filename.js', line: 88 }), + [] ) const evidence2 = { @@ -305,7 +424,8 @@ describe('vulnerability-reporter', () => { } addVulnerability( iastContext, - vulnerabilityAnalyzer._createVulnerability('SQL_INJECTION', evidence2, 888, { path: 'filename.js', line: 99 }) + vulnerabilityAnalyzer._createVulnerability('SQL_INJECTION', evidence2, 888, { path: 'filename.js', line: 99 }), + [] ) sendVulnerabilities(iastContext.vulnerabilities, span) @@ -329,11 +449,11 @@ describe('vulnerability-reporter', () => { it('should send once with multiple vulnerabilities', () => { const iastContext = { rootSpan: span } addVulnerability(iastContext, vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, - 888, { path: '/path/to/file1.js', line: 1 })) + 888, { path: '/path/to/file1.js', line: 1 }), []) addVulnerability(iastContext, vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'md5' }, 1, - { path: '/path/to/file2.js', line: 1 })) + { path: '/path/to/file2.js', line: 1 }), []) addVulnerability(iastContext, vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'md5' }, -5, - { path: '/path/to/file3.js', line: 3 })) + { path: '/path/to/file3.js', line: 3 }), []) sendVulnerabilities(iastContext.vulnerabilities, span) expect(span.addTags).to.have.been.calledOnceWithExactly({ '_dd.iast.json': '{"sources":[],"vulnerabilities":[' + @@ -357,7 +477,7 @@ describe('vulnerability-reporter', () => { const iastContext = { rootSpan: span } addVulnerability(iastContext, vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 888, - { path: 'filename.js', line: 88 })) + { path: 'filename.js', line: 88 }), []) sendVulnerabilities(iastContext.vulnerabilities, span) expect(span.addTags).to.have.been.calledOnceWithExactly({ '_dd.iast.json': '{"sources":[],"vulnerabilities":[{"type":"INSECURE_HASHING","hash":3410512691,' + @@ -370,10 +490,10 @@ describe('vulnerability-reporter', () => { const iastContext = { rootSpan: span } addVulnerability(iastContext, vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 888, - { path: 'filename.js', line: 88 })) + { path: 'filename.js', line: 88 }), []) addVulnerability(iastContext, vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 888, - { path: 'filename.js', line: 88 })) + { path: 'filename.js', line: 88 }), []) sendVulnerabilities(iastContext.vulnerabilities, span) expect(span.addTags).to.have.been.calledOnceWithExactly({ '_dd.iast.json': '{"sources":[],"vulnerabilities":[{"type":"INSECURE_HASHING","hash":3410512691,' + @@ -385,14 +505,24 @@ describe('vulnerability-reporter', () => { it('should not deduplicate vulnerabilities if not enabled', () => { start({ iast: { - deduplicationEnabled: false + deduplicationEnabled: false, + stackTrace: { + enabled: true + } + }, + appsec: { + stackTrace: { + enabled: true, + maxStackTraces: 2, + maxDepth: 42 + } } }) const iastContext = { rootSpan: span } addVulnerability(iastContext, vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', - { value: 'sha1' }, 888, { path: 'filename.js', line: 88 })) + { value: 'sha1' }, 888, { path: 'filename.js', line: 88 }), []) addVulnerability(iastContext, vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', - { value: 'sha1' }, 888, { path: 'filename.js', line: 88 })) + { value: 'sha1' }, 888, { path: 'filename.js', line: 88 }), []) sendVulnerabilities(iastContext.vulnerabilities, span) expect(span.addTags).to.have.been.calledOnceWithExactly({ '_dd.iast.json': '{"sources":[],"vulnerabilities":[{"type":"INSECURE_HASHING","hash":3410512691,' + @@ -411,7 +541,7 @@ describe('vulnerability-reporter', () => { appsecStandalone.configure({ appsec: { standalone: { enabled: true } } }) const iastContext = { rootSpan: span } addVulnerability(iastContext, - vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 999)) + vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 999), []) sendVulnerabilities(iastContext.vulnerabilities, span) @@ -429,7 +559,7 @@ describe('vulnerability-reporter', () => { appsecStandalone.configure({ appsec: {} }) const iastContext = { rootSpan: span } addVulnerability(iastContext, - vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 999)) + vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 999), []) sendVulnerabilities(iastContext.vulnerabilities, span) @@ -477,18 +607,18 @@ describe('vulnerability-reporter', () => { const MAX = 1000 const vulnerabilityToRepeatInTheNext = vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 888, - { path: 'filename.js', line: 0 }) - addVulnerability(iastContext, vulnerabilityToRepeatInTheNext) + { path: 'filename.js', line: 0 }, 1) + addVulnerability(iastContext, vulnerabilityToRepeatInTheNext, []) for (let i = 1; i <= MAX; i++) { addVulnerability(iastContext, vulnerabilityAnalyzer._createVulnerability('INSECURE_HASHING', { value: 'sha1' }, 888, - { path: 'filename.js', line: i })) + { path: 'filename.js', line: i }), []) } sendVulnerabilities(iastContext.vulnerabilities, span) expect(span.addTags).to.have.been.calledOnce const nextIastContext = { rootSpan: span } - addVulnerability(nextIastContext, vulnerabilityToRepeatInTheNext) + addVulnerability(nextIastContext, vulnerabilityToRepeatInTheNext, []) sendVulnerabilities(nextIastContext.vulnerabilities, span) expect(span.addTags).to.have.been.calledTwice }) @@ -496,7 +626,17 @@ describe('vulnerability-reporter', () => { it('should set timer to clear cache every hour if deduplication is enabled', () => { const config = { iast: { - deduplicationEnabled: true + deduplicationEnabled: true, + stackTrace: { + enabled: true + } + }, + appsec: { + stackTrace: { + enabled: true, + maxStackTraces: 2, + maxDepth: 42 + } } } start(config) @@ -506,7 +646,17 @@ describe('vulnerability-reporter', () => { it('should not set timer to clear cache every hour if deduplication is not enabled', () => { const config = { iast: { - deduplicationEnabled: false + deduplicationEnabled: false, + stackTrace: { + enabled: true + } + }, + appsec: { + stackTrace: { + enabled: true, + maxStackTraces: 2, + maxDepth: 42 + } } } start(config) @@ -516,7 +666,17 @@ describe('vulnerability-reporter', () => { it('should unset timer to clear cache every hour', () => { const config = { iast: { - deduplicationEnabled: true + deduplicationEnabled: true, + stackTrace: { + enabled: true + } + }, + appsec: { + stackTrace: { + enabled: true, + maxStackTraces: 2, + maxDepth: 42 + } } } start(config) @@ -541,7 +701,17 @@ describe('vulnerability-reporter', () => { iast: { redactionEnabled: true, redactionNamePattern: null, - redactionValuePattern: null + redactionValuePattern: null, + stackTrace: { + enabled: true + } + }, + appsec: { + stackTrace: { + enabled: true, + maxStackTraces: 2, + maxDepth: 42 + } } } start(config) diff --git a/packages/dd-trace/test/appsec/rasp/utils.js b/packages/dd-trace/test/appsec/rasp/utils.js index 0d8a3e076a4..b8834afb468 100644 --- a/packages/dd-trace/test/appsec/rasp/utils.js +++ b/packages/dd-trace/test/appsec/rasp/utils.js @@ -1,17 +1,7 @@ 'use strict' const { assert } = require('chai') - -function getWebSpan (traces) { - for (const trace of traces) { - for (const span of trace) { - if (span.type === 'web') { - return span - } - } - } - throw new Error('web span not found') -} +const { getWebSpan } = require('../utils') function checkRaspExecutedAndNotThreat (agent, checkRuleEval = true) { return agent.use((traces) => { @@ -39,7 +29,6 @@ function checkRaspExecutedAndHasThreat (agent, ruleId, ruleEvalCount = 1) { } module.exports = { - getWebSpan, checkRaspExecutedAndNotThreat, checkRaspExecutedAndHasThreat } diff --git a/packages/dd-trace/test/appsec/rasp/utils.spec.js b/packages/dd-trace/test/appsec/rasp/utils.spec.js index 255f498a117..6a74c07444d 100644 --- a/packages/dd-trace/test/appsec/rasp/utils.spec.js +++ b/packages/dd-trace/test/appsec/rasp/utils.spec.js @@ -44,7 +44,42 @@ describe('RASP - utils.js', () => { web.root.returns(rootSpan) utils.handleResult(result, req, undefined, undefined, config) - sinon.assert.calledOnceWithExactly(stackTrace.reportStackTrace, rootSpan, stackId, 42, 2) + sinon.assert.calledOnceWithExactly(stackTrace.reportStackTrace, rootSpan, stackId, sinon.match.array) + }) + + it('should not report stack trace when max stack traces limit is reached', () => { + const req = {} + const rootSpan = { + meta_struct: { + '_dd.stack': { + exploit: ['stack1', 'stack2'] + } + } + } + const result = { + generate_stack: { + stack_id: 'stackId' + } + } + + web.root.returns(rootSpan) + + utils.handleResult(result, req, undefined, undefined, config) + sinon.assert.notCalled(stackTrace.reportStackTrace) + }) + + it('should not report stack trace when rootSpan is null', () => { + const req = {} + const result = { + generate_stack: { + stack_id: 'stackId' + } + } + + web.root.returns(null) + + utils.handleResult(result, req, undefined, undefined, config) + sinon.assert.notCalled(stackTrace.reportStackTrace) }) it('should not report stack trace when no action is present in waf result', () => { diff --git a/packages/dd-trace/test/appsec/stack_trace.spec.js b/packages/dd-trace/test/appsec/stack_trace.spec.js index 1ac2ca4db5e..406944c0381 100644 --- a/packages/dd-trace/test/appsec/stack_trace.spec.js +++ b/packages/dd-trace/test/appsec/stack_trace.spec.js @@ -3,11 +3,11 @@ const { assert } = require('chai') const path = require('path') -const { reportStackTrace } = require('../../src/appsec/stack_trace') +const { reportStackTrace, getCallsiteFrames } = require('../../src/appsec/stack_trace') describe('Stack trace reporter', () => { describe('frame filtering', () => { - it('should filer out frames from library', () => { + it('should filter out frames from library', () => { const callSiteList = Array(10).fill().map((_, i) => ( { @@ -15,7 +15,8 @@ describe('Stack trace reporter', () => { getLineNumber: () => i, getColumnNumber: () => i, getFunctionName: () => `libraryFunction${i}`, - getTypeName: () => `LibraryClass${i}` + getTypeName: () => `LibraryClass${i}`, + isNative: () => false } )).concat( Array(10).fill().map((_, i) => ( @@ -24,7 +25,8 @@ describe('Stack trace reporter', () => { getLineNumber: () => i, getColumnNumber: () => i, getFunctionName: () => `function${i}`, - getTypeName: () => `Class${i}` + getTypeName: () => `Class${i}`, + isNative: () => false } )) ).concat([ @@ -33,7 +35,8 @@ describe('Stack trace reporter', () => { getLineNumber: () => null, getColumnNumber: () => null, getFunctionName: () => null, - getTypeName: () => null + getTypeName: () => null, + isNative: () => false } ]) @@ -44,7 +47,8 @@ describe('Stack trace reporter', () => { line: i, column: i, function: `function${i}`, - class_name: `Class${i}` + class_name: `Class${i}`, + isNative: false } )) .concat([ @@ -54,15 +58,17 @@ describe('Stack trace reporter', () => { line: null, column: null, function: null, - class_name: null + class_name: null, + isNative: false } ]) const rootSpan = {} const stackId = 'test_stack_id' const maxDepth = 32 - const maxStackTraces = 2 - reportStackTrace(rootSpan, stackId, maxDepth, maxStackTraces, () => callSiteList) + const frames = getCallsiteFrames(maxDepth, () => callSiteList) + + reportStackTrace(rootSpan, stackId, frames) assert.deepEqual(rootSpan.meta_struct['_dd.stack'].exploit[0].frames, expectedFrames) }) @@ -75,16 +81,16 @@ describe('Stack trace reporter', () => { getLineNumber: () => i, getColumnNumber: () => i, getFunctionName: () => `function${i}`, - getTypeName: () => `type${i}` + getTypeName: () => `type${i}`, + isNative: () => false } )) it('should not fail if no root span is passed', () => { const rootSpan = undefined const stackId = 'test_stack_id' - const maxDepth = 32 try { - reportStackTrace(rootSpan, stackId, maxDepth, 2, () => callSiteList) + reportStackTrace(rootSpan, stackId, callSiteList) } catch (e) { assert.fail() } @@ -101,11 +107,14 @@ describe('Stack trace reporter', () => { line: i, column: i, function: `function${i}`, - class_name: `type${i}` + class_name: `type${i}`, + isNative: false } )) - reportStackTrace(rootSpan, stackId, maxDepth, 2, () => callSiteList) + const frames = getCallsiteFrames(maxDepth, () => callSiteList) + + reportStackTrace(rootSpan, stackId, frames) assert.strictEqual(rootSpan.meta_struct['_dd.stack'].exploit[0].id, stackId) assert.strictEqual(rootSpan.meta_struct['_dd.stack'].exploit[0].language, 'nodejs') @@ -127,11 +136,14 @@ describe('Stack trace reporter', () => { line: i, column: i, function: `function${i}`, - class_name: `type${i}` + class_name: `type${i}`, + isNative: false } )) - reportStackTrace(rootSpan, stackId, maxDepth, 2, () => callSiteList) + const frames = getCallsiteFrames(maxDepth, () => callSiteList) + + reportStackTrace(rootSpan, stackId, frames) assert.strictEqual(rootSpan.meta_struct['_dd.stack'].exploit[0].id, stackId) assert.strictEqual(rootSpan.meta_struct['_dd.stack'].exploit[0].language, 'nodejs') @@ -157,11 +169,14 @@ describe('Stack trace reporter', () => { line: i, column: i, function: `function${i}`, - class_name: `type${i}` + class_name: `type${i}`, + isNative: false } )) - reportStackTrace(rootSpan, stackId, maxDepth, 2, () => callSiteList) + const frames = getCallsiteFrames(maxDepth, () => callSiteList) + + reportStackTrace(rootSpan, stackId, frames) assert.strictEqual(rootSpan.meta_struct['_dd.stack'].exploit[1].id, stackId) assert.strictEqual(rootSpan.meta_struct['_dd.stack'].exploit[1].language, 'nodejs') @@ -169,24 +184,6 @@ describe('Stack trace reporter', () => { assert.property(rootSpan.meta_struct, 'another_tag') }) - it('should not report stack trace when the maximum has been reached', () => { - const rootSpan = { - meta_struct: { - '_dd.stack': { - exploit: [callSiteList, callSiteList] - }, - another_tag: [] - } - } - const stackId = 'test_stack_id' - const maxDepth = 32 - - reportStackTrace(rootSpan, stackId, maxDepth, 2, () => callSiteList) - - assert.equal(rootSpan.meta_struct['_dd.stack'].exploit.length, 2) - assert.property(rootSpan.meta_struct, 'another_tag') - }) - it('should add stack trace when the max stack trace is 0', () => { const rootSpan = { meta_struct: { @@ -199,7 +196,9 @@ describe('Stack trace reporter', () => { const stackId = 'test_stack_id' const maxDepth = 32 - reportStackTrace(rootSpan, stackId, maxDepth, 0, () => callSiteList) + const frames = getCallsiteFrames(maxDepth, () => callSiteList) + + reportStackTrace(rootSpan, stackId, frames) assert.equal(rootSpan.meta_struct['_dd.stack'].exploit.length, 3) assert.property(rootSpan.meta_struct, 'another_tag') @@ -217,7 +216,9 @@ describe('Stack trace reporter', () => { const stackId = 'test_stack_id' const maxDepth = 32 - reportStackTrace(rootSpan, stackId, maxDepth, -1, () => callSiteList) + const frames = getCallsiteFrames(maxDepth, () => callSiteList) + + reportStackTrace(rootSpan, stackId, frames) assert.equal(rootSpan.meta_struct['_dd.stack'].exploit.length, 3) assert.property(rootSpan.meta_struct, 'another_tag') @@ -230,9 +231,7 @@ describe('Stack trace reporter', () => { } } const stackId = 'test_stack_id' - const maxDepth = 32 - const maxStackTraces = 2 - reportStackTrace(rootSpan, stackId, maxDepth, maxStackTraces, () => undefined) + reportStackTrace(rootSpan, stackId, undefined) assert.property(rootSpan.meta_struct, 'another_tag') assert.notProperty(rootSpan.meta_struct, '_dd.stack') }) @@ -245,7 +244,8 @@ describe('Stack trace reporter', () => { getLineNumber: () => i, getColumnNumber: () => i, getFunctionName: () => `function${i}`, - getTypeName: () => `type${i}` + getTypeName: () => `type${i}`, + isNative: () => false } )) @@ -260,11 +260,14 @@ describe('Stack trace reporter', () => { line: i, column: i, function: `function${i}`, - class_name: `type${i}` + class_name: `type${i}`, + isNative: false } )) - reportStackTrace(rootSpan, stackId, maxDepth, 2, () => callSiteList) + const frames = getCallsiteFrames(maxDepth, () => callSiteList) + + reportStackTrace(rootSpan, stackId, frames) assert.deepEqual(rootSpan.meta_struct['_dd.stack'].exploit[0].frames, expectedFrames) }) @@ -279,7 +282,8 @@ describe('Stack trace reporter', () => { getLineNumber: () => 314, getColumnNumber: () => 271, getFunctionName: () => 'libraryFunction', - getTypeName: () => 'libraryType' + getTypeName: () => 'libraryType', + isNative: () => false } ].concat(Array(120).fill().map((_, i) => ( { @@ -287,7 +291,8 @@ describe('Stack trace reporter', () => { getLineNumber: () => i, getColumnNumber: () => i, getFunctionName: () => `function${i}`, - getTypeName: () => `type${i}` + getTypeName: () => `type${i}`, + isNative: () => false } )).concat([ { @@ -295,7 +300,8 @@ describe('Stack trace reporter', () => { getLineNumber: () => 271, getColumnNumber: () => 314, getFunctionName: () => 'libraryFunction', - getTypeName: () => 'libraryType' + getTypeName: () => 'libraryType', + isNative: () => false } ])) const expectedFrames = [0, 1, 2, 118, 119].map(i => ( @@ -305,11 +311,14 @@ describe('Stack trace reporter', () => { line: i, column: i, function: `function${i}`, - class_name: `type${i}` + class_name: `type${i}`, + isNative: false } )) - reportStackTrace(rootSpan, stackId, maxDepth, 2, () => callSiteListWithLibraryFrames) + const frames = getCallsiteFrames(maxDepth, () => callSiteListWithLibraryFrames) + + reportStackTrace(rootSpan, stackId, frames) assert.deepEqual(rootSpan.meta_struct['_dd.stack'].exploit[0].frames, expectedFrames) }) @@ -325,11 +334,14 @@ describe('Stack trace reporter', () => { line: i, column: i, function: `function${i}`, - class_name: `type${i}` + class_name: `type${i}`, + isNative: false } )) - reportStackTrace(rootSpan, stackId, maxDepth, 2, () => callSiteList) + const frames = getCallsiteFrames(maxDepth, () => callSiteList) + + reportStackTrace(rootSpan, stackId, frames) assert.deepEqual(rootSpan.meta_struct['_dd.stack'].exploit[0].frames, expectedFrames) }) @@ -345,11 +357,14 @@ describe('Stack trace reporter', () => { line: i, column: i, function: `function${i}`, - class_name: `type${i}` + class_name: `type${i}`, + isNative: false } )) - reportStackTrace(rootSpan, stackId, maxDepth, 2, () => callSiteList) + const frames = getCallsiteFrames(maxDepth, () => callSiteList) + + reportStackTrace(rootSpan, stackId, frames) assert.deepEqual(rootSpan.meta_struct['_dd.stack'].exploit[0].frames, expectedFrames) }) diff --git a/packages/dd-trace/test/appsec/utils.js b/packages/dd-trace/test/appsec/utils.js new file mode 100644 index 00000000000..ec9f22ad283 --- /dev/null +++ b/packages/dd-trace/test/appsec/utils.js @@ -0,0 +1,16 @@ +'use strict' + +function getWebSpan (traces) { + for (const trace of traces) { + for (const span of trace) { + if (span.type === 'web') { + return span + } + } + } + throw new Error('web span not found') +} + +module.exports = { + getWebSpan +} diff --git a/packages/dd-trace/test/config.spec.js b/packages/dd-trace/test/config.spec.js index 6bf7bf32e98..1b43a7859b2 100644 --- a/packages/dd-trace/test/config.spec.js +++ b/packages/dd-trace/test/config.spec.js @@ -265,6 +265,7 @@ describe('Config', () => { expect(config).to.have.nested.property('iast.redactionNamePattern', null) expect(config).to.have.nested.property('iast.redactionValuePattern', null) expect(config).to.have.nested.property('iast.telemetryVerbosity', 'INFORMATION') + expect(config).to.have.nested.property('iast.stackTrace.enabled', true) expect(config).to.have.nested.property('installSignature.id', null) expect(config).to.have.nested.property('installSignature.time', null) expect(config).to.have.nested.property('installSignature.type', null) @@ -330,6 +331,7 @@ describe('Config', () => { { name: 'iast.redactionValuePattern', value: null, origin: 'default' }, { name: 'iast.requestSampling', value: 30, origin: 'default' }, { name: 'iast.telemetryVerbosity', value: 'INFORMATION', origin: 'default' }, + { name: 'iast.stackTrace.enabled', value: true, origin: 'default' }, { name: 'injectionEnabled', value: [], origin: 'default' }, { name: 'isCiVisibility', value: false, origin: 'default' }, { name: 'isEarlyFlakeDetectionEnabled', value: false, origin: 'default' }, @@ -509,6 +511,7 @@ describe('Config', () => { process.env.DD_IAST_REDACTION_NAME_PATTERN = 'REDACTION_NAME_PATTERN' process.env.DD_IAST_REDACTION_VALUE_PATTERN = 'REDACTION_VALUE_PATTERN' process.env.DD_IAST_TELEMETRY_VERBOSITY = 'DEBUG' + process.env.DD_IAST_STACK_TRACE_ENABLED = 'false' process.env.DD_TRACE_128_BIT_TRACEID_GENERATION_ENABLED = 'true' process.env.DD_TRACE_128_BIT_TRACEID_LOGGING_ENABLED = 'true' process.env.DD_PROFILING_ENABLED = 'true' @@ -623,6 +626,7 @@ describe('Config', () => { expect(config).to.have.nested.property('iast.redactionNamePattern', 'REDACTION_NAME_PATTERN') expect(config).to.have.nested.property('iast.redactionValuePattern', 'REDACTION_VALUE_PATTERN') expect(config).to.have.nested.property('iast.telemetryVerbosity', 'DEBUG') + expect(config).to.have.nested.property('iast.stackTrace.enabled', false) expect(config).to.have.deep.property('installSignature', { id: '68e75c48-57ca-4a12-adfc-575c4b05fcbe', type: 'k8s_single_step', @@ -674,6 +678,7 @@ describe('Config', () => { { name: 'iast.redactionValuePattern', value: 'REDACTION_VALUE_PATTERN', origin: 'env_var' }, { name: 'iast.requestSampling', value: '40', origin: 'env_var' }, { name: 'iast.telemetryVerbosity', value: 'DEBUG', origin: 'env_var' }, + { name: 'iast.stackTrace.enabled', value: false, origin: 'env_var' }, { name: 'instrumentation_config_id', value: 'abcdef123', origin: 'env_var' }, { name: 'injectionEnabled', value: ['profiler'], origin: 'env_var' }, { name: 'isGCPFunction', value: false, origin: 'env_var' }, @@ -872,7 +877,10 @@ describe('Config', () => { redactionEnabled: false, redactionNamePattern: 'REDACTION_NAME_PATTERN', redactionValuePattern: 'REDACTION_VALUE_PATTERN', - telemetryVerbosity: 'DEBUG' + telemetryVerbosity: 'DEBUG', + stackTrace: { + enabled: false + } }, appsec: { standalone: { @@ -948,6 +956,7 @@ describe('Config', () => { expect(config).to.have.nested.property('iast.redactionNamePattern', 'REDACTION_NAME_PATTERN') expect(config).to.have.nested.property('iast.redactionValuePattern', 'REDACTION_VALUE_PATTERN') expect(config).to.have.nested.property('iast.telemetryVerbosity', 'DEBUG') + expect(config).to.have.nested.property('iast.stackTrace.enabled', false) expect(config).to.have.deep.nested.property('sampler', { sampleRate: 0.5, rateLimit: 1000, @@ -1002,6 +1011,7 @@ describe('Config', () => { { name: 'iast.redactionValuePattern', value: 'REDACTION_VALUE_PATTERN', origin: 'code' }, { name: 'iast.requestSampling', value: 50, origin: 'code' }, { name: 'iast.telemetryVerbosity', value: 'DEBUG', origin: 'code' }, + { name: 'iast.stackTrace.enabled', value: false, origin: 'code' }, { name: 'peerServiceMapping', value: { d: 'dd' }, origin: 'code' }, { name: 'plugins', value: false, origin: 'code' }, { name: 'port', value: '6218', origin: 'code' }, @@ -1224,6 +1234,7 @@ describe('Config', () => { process.env.DD_IAST_COOKIE_FILTER_PATTERN = '.*' process.env.DD_IAST_REDACTION_NAME_PATTERN = 'name_pattern_to_be_overriden_by_options' process.env.DD_IAST_REDACTION_VALUE_PATTERN = 'value_pattern_to_be_overriden_by_options' + process.env.DD_IAST_STACK_TRACE_ENABLED = 'true' process.env.DD_TRACE_128_BIT_TRACEID_GENERATION_ENABLED = 'true' process.env.DD_TRACE_128_BIT_TRACEID_LOGGING_ENABLED = 'true' process.env.DD_LLMOBS_ML_APP = 'myMlApp' @@ -1304,7 +1315,10 @@ describe('Config', () => { cookieFilterPattern: '.{10,}', dbRowsToTaint: 3, redactionNamePattern: 'REDACTION_NAME_PATTERN', - redactionValuePattern: 'REDACTION_VALUE_PATTERN' + redactionValuePattern: 'REDACTION_VALUE_PATTERN', + stackTrace: { + enabled: false + } }, remoteConfig: { pollInterval: 42 @@ -1379,6 +1393,7 @@ describe('Config', () => { expect(config).to.have.nested.property('iast.redactionEnabled', true) expect(config).to.have.nested.property('iast.redactionNamePattern', 'REDACTION_NAME_PATTERN') expect(config).to.have.nested.property('iast.redactionValuePattern', 'REDACTION_VALUE_PATTERN') + expect(config).to.have.nested.property('iast.stackTrace.enabled', false) expect(config).to.have.nested.property('llmobs.mlApp', 'myOtherMlApp') expect(config).to.have.nested.property('llmobs.agentlessEnabled', false) }) @@ -1416,7 +1431,10 @@ describe('Config', () => { redactionEnabled: false, redactionNamePattern: 'REDACTION_NAME_PATTERN', redactionValuePattern: 'REDACTION_VALUE_PATTERN', - telemetryVerbosity: 'DEBUG' + telemetryVerbosity: 'DEBUG', + stackTrace: { + enabled: false + } }, experimental: { appsec: { @@ -1450,7 +1468,10 @@ describe('Config', () => { redactionEnabled: true, redactionNamePattern: 'IGNORED_REDACTION_NAME_PATTERN', redactionValuePattern: 'IGNORED_REDACTION_VALUE_PATTERN', - telemetryVerbosity: 'OFF' + telemetryVerbosity: 'OFF', + stackTrace: { + enabled: true + } } } }) @@ -1499,7 +1520,10 @@ describe('Config', () => { redactionEnabled: false, redactionNamePattern: 'REDACTION_NAME_PATTERN', redactionValuePattern: 'REDACTION_VALUE_PATTERN', - telemetryVerbosity: 'DEBUG' + telemetryVerbosity: 'DEBUG', + stackTrace: { + enabled: false + } }) })