Merge branch 'master' into appsec_session_id

.github/workflows/datadog-static-analysis.yml

@@ -18,7 +18,7 @@ jobs:
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Check code meets quality and security standards
       id: datadog-static-analysis
-      uses: DataDog/datadog-static-analyzer-github-action@06d501a75f56e4075c67a7dbc61a74b6539a05c8 # v1.2.1
+      uses: DataDog/datadog-static-analyzer-github-action@v1
       with:
         dd_api_key: ${{ secrets.DD_STATIC_ANALYSIS_API_KEY }}
         dd_app_key: ${{ secrets.DD_STATIC_ANALYSIS_APP_KEY }}

.github/workflows/serverless-integration-test.yml

@@ -13,8 +13,8 @@ jobs:
   integration:
     # Google Auth permissions
     permissions:
-      contents: "read"
-      id-token: "write"
+      contents: 'read'
+      id-token: 'write'
     strategy:
       matrix:
         version: [18, latest]

.github/workflows/system-tests.yml

@@ -28,7 +28,7 @@ jobs:
 
   get-scenarios:
     name: Get parameters
-    uses: DataDog/system-tests/.github/workflows/compute-workflow-parameters.yml@994e6f9976f16c13c1cb15c02714d786e0eb8eb1 # main
+    uses: DataDog/system-tests/.github/workflows/compute-workflow-parameters.yml@main
     with:
       library: nodejs
       scenarios_groups: essentials,appsec_rasp
@@ -87,7 +87,7 @@ jobs:
   parametric:
     needs:
       - build-artifacts
-    uses: DataDog/system-tests/.github/workflows/run-parametric.yml@994e6f9976f16c13c1cb15c02714d786e0eb8eb1 # main
+    uses: DataDog/system-tests/.github/workflows/run-parametric.yml@main
     secrets: inherit
     with:
       library: nodejs

LICENSE-3rdparty.csv

@@ -27,7 +27,7 @@ require,protobufjs,BSD-3-Clause,Copyright 2016 Daniel Wirtz
 require,tlhunter-sorted-set,MIT,Copyright (c) 2023 Datadog Inc.
 require,retry,MIT,Copyright 2011 Tim Koschützki Felix Geisendörfer
 require,rfdc,MIT,Copyright 2019 David Mark Clements
-require,semver,ISC,Copyright Isaac Z. Schlueter and Contributors
+require,semifies,Apache license 2.0,Copyright Authors
 require,shell-quote,mit,Copyright (c) 2013 James Halliday
 require,source-map,BSD-3-Clause,Copyright (c) 2009-2011, Mozilla Foundation and contributors
 require,ttl-set,MIT,Copyright (c) 2024 Thomas Watson
@@ -68,6 +68,7 @@ dev,nock,MIT,Copyright 2017 Pedro Teixeira and other contributors
 dev,nyc,ISC,Copyright 2015 Contributors
 dev,proxyquire,MIT,Copyright 2013 Thorsten Lorenz
 dev,rimraf,ISC,Copyright Isaac Z. Schlueter and Contributors
+dev,semver,ISC,Copyright Isaac Z. Schlueter and Contributors
 dev,sinon,BSD-3-Clause,Copyright 2010-2017 Christian Johansen
 dev,sinon-chai,WTFPL and BSD-2-Clause,Copyright 2004 Sam Hocevar 2012–2017 Domenic Denicola
 dev,tap,ISC,Copyright 2011-2022 Isaac Z. Schlueter and Contributors

benchmark/sirun/appsec-iast/insecure-bank.js

@@ -1,5 +1,5 @@
 const http = require('http')
-const app = require('/opt/insecure-bank-js/app')
+const app = require('/opt/insecure-bank-js/app') // eslint-disable-line import/no-absolute-path
 
 const { port } = require('./common')
 

benchmark/sirun/appsec/insecure-bank.js

@@ -1,5 +1,5 @@
 const http = require('http')
-const app = require('/opt/insecure-bank-js/app')
+const app = require('/opt/insecure-bank-js/app') // eslint-disable-line import/no-absolute-path
 
 const { port } = require('./common')
 

docker-compose.yml

@@ -37,7 +37,7 @@ services:
     ports:
       - "127.0.0.1:6379:6379"
   mongo:
-    image: circleci/mongo:3.6
+    image: circleci/mongo:4.4
     platform: linux/amd64
     ports:
       - "127.0.0.1:27017:27017"

eslint.config.mjs

@@ -1,22 +1,37 @@
-import mocha from 'eslint-plugin-mocha'
-import n from 'eslint-plugin-n'
-import stylistic from '@stylistic/eslint-plugin-js'
-import globals from 'globals'
 import path from 'node:path'
 import { fileURLToPath } from 'node:url'
-import js from '@eslint/js'
+
 import { FlatCompat } from '@eslint/eslintrc'
+import js from '@eslint/js'
+import stylistic from '@stylistic/eslint-plugin-js'
+import mocha from 'eslint-plugin-mocha'
+import n from 'eslint-plugin-n'
+import globals from 'globals'
 
 const __filename = fileURLToPath(import.meta.url)
 const __dirname = path.dirname(__filename)
-const compat = new FlatCompat({
-  baseDirectory: __dirname,
-  recommendedConfig: js.configs.recommended,
-  allConfig: js.configs.all
-})
+const compat = new FlatCompat({ baseDirectory: __dirname })
+
+const SRC_FILES = [
+  '*.js',
+  '*.mjs',
+  'ext/**/*.js',
+  'ext/**/*.mjs',
+  'packages/*/src/**/*.js',
+  'packages/*/src/**/*.mjs'
+]
+
+const TEST_FILES = [
+  'packages/*/test/**/*.js',
+  'packages/*/test/**/*.mjs',
+  'integration-tests/**/*.js',
+  'integration-tests/**/*.mjs',
+  '**/*.spec.js'
+]
 
 export default [
   {
+    name: 'dd-trace/global-ignore',
     ignores: [
       '**/coverage', // Just coverage reports.
       '**/dist', // Generated
@@ -26,14 +41,19 @@ export default [
       '**/versions', // This is effectively a node_modules tree.
       '**/acmeair-nodejs', // We don't own this.
       '**/vendor', // Generally, we didn't author this code.
+      'integration-tests/debugger/target-app/source-map-support/minify.min.js', // Generated
+      'integration-tests/debugger/target-app/source-map-support/typescript.js', // Generated
       'integration-tests/esbuild/out.js', // Generated
       'integration-tests/esbuild/aws-sdk-out.js', // Generated
-      'packages/dd-trace/src/appsec/blocked_templates.js', // TODO Why is this ignored?
       'packages/dd-trace/src/payload-tagging/jsonpath-plus.js' // Vendored
     ]
-  }, ...compat.extends('eslint:recommended', 'standard', 'plugin:mocha/recommended'), {
+  },
+  { name: '@eslint/js/recommnded', ...js.configs.recommended },
+  ...compat.extends('standard').map((config, i) => ({ name: config.name || `standard/${i + 1}`, ...config })),
+  {
+    name: 'dd-trace/defaults',
+
     plugins: {
-      mocha,
       n,
       '@stylistic/js': stylistic
     },
@@ -48,47 +68,59 @@ export default [
 
     settings: {
       node: {
-        version: '>=16.0.0'
+        // Used by `eslint-plugin-n` to determine the minimum version of Node.js to support.
+        // Normally setting this in the `package.json` engines field is enough, but when we have more than one active
+        // major release line at the same time, we need to specify the lowest version here to ensure backporting will
+        // not fail.
+        version: '>=18.0.0'
       }
     },
 
     rules: {
       '@stylistic/js/max-len': ['error', { code: 120, tabWidth: 2 }],
-      '@stylistic/js/object-curly-newline': ['error', {
-        multiline: true,
-        consistent: true
-      }],
+      '@stylistic/js/object-curly-newline': ['error', { multiline: true, consistent: true }],
       '@stylistic/js/object-curly-spacing': ['error', 'always'],
-      'import/no-absolute-path': 'off',
       'import/no-extraneous-dependencies': 'error',
-      'n/no-callback-literal': 'off',
       'n/no-restricted-require': ['error', ['diagnostics_channel']],
       'no-console': 'error',
-      'no-prototype-builtins': 'off',
-      'no-unused-expressions': 'off',
-      'no-var': 'error',
-      'prefer-const': 'error',
-      'standard/no-callback-literal': 'off'
+      'no-prototype-builtins': 'off', // Override (turned on by @eslint/js/recommnded)
+      'no-unused-expressions': 'off', // Override (turned on by standard)
+      'no-var': 'error' // Override (set to warn in standard)
     }
   },
   {
-    files: [
-      'packages/*/test/**/*.js',
-      'packages/*/test/**/*.mjs',
-      'integration-tests/**/*.js',
-      'integration-tests/**/*.mjs',
-      '**/*.spec.js'
-    ],
+    name: 'mocha/recommnded',
+    ...mocha.configs.flat.recommended,
+    files: TEST_FILES
+  },
+  {
+    name: 'dd-trace/src/all',
+    files: SRC_FILES,
+    rules: {
+      'n/no-restricted-require': ['error', [
+        {
+          name: 'diagnostics_channel',
+          message: 'Please use dc-polyfill instead.'
+        },
+        {
+          name: 'semver',
+          message: 'Please use semifies instead.'
+        }
+      ]]
+    }
+  },
+  {
+    name: 'dd-trace/tests/all',
+    files: TEST_FILES,
     languageOptions: {
       globals: {
-        ...globals.mocha,
-        sinon: false,
-        expect: false,
-        proxyquire: false,
-        withVersions: false,
-        withPeerService: false,
-        withNamingSchema: false,
-        withExports: false
+        sinon: 'readonly',
+        expect: 'readonly',
+        proxyquire: 'readonly',
+        withVersions: 'readonly',
+        withPeerService: 'readonly',
+        withNamingSchema: 'readonly',
+        withExports: 'readonly'
       }
     },
     rules: {
@@ -101,11 +133,11 @@ export default [
       'mocha/no-sibling-hooks': 'off',
       'mocha/no-skipped-tests': 'off',
       'mocha/no-top-level-hooks': 'off',
-      'n/handle-callback-err': 'off',
-      'no-loss-of-precision': 'off'
+      'n/handle-callback-err': 'off'
     }
   },
   {
+    name: 'dd-trace/tests/integration',
     files: [
       'integration-tests/**/*.js',
       'integration-tests/**/*.mjs',

index.d.ts

@@ -2226,6 +2226,11 @@ declare namespace tracer {
      */
     redactionValuePattern?: string,
 
+    /**
+     * Allows to enable security controls.
+     */
+    securityControlsConfiguration?: string,
+
     /**
      * Specifies the verbosity of the sent telemetry. Default 'INFORMATION'
      */

integration-tests/appsec/esm-app/worker.mjs

@@ -8,9 +8,9 @@ if (isMainThread) {
     throw e
   })
 } else {
-  function dummyOperation (a) {
-    return a + 'dummy operation with concat'
-  }
-
   dummyOperation('should not crash')
 }
+
+function dummyOperation (a) {
+  return a + 'dummy operation with concat'
+}

integration-tests/appsec/esm-security-controls/index.mjs

@@ -0,0 +1,69 @@
+'use strict'
+
+import childProcess from 'node:child_process'
+import express from 'express'
+import { sanitize } from './sanitizer.mjs'
+import sanitizeDefault from './sanitizer-default.mjs'
+import { validate, validateNotConfigured } from './validator.mjs'
+
+const app = express()
+const port = process.env.APP_PORT || 3000
+
+app.get('/cmdi-s-secure', (req, res) => {
+  const command = sanitize(req.query.command)
+  try {
+    childProcess.execSync(command)
+  } catch (e) {
+    // ignore
+  }
+
+  res.end()
+})
+
+app.get('/cmdi-s-secure-comparison', (req, res) => {
+  const command = sanitize(req.query.command)
+  try {
+    childProcess.execSync(command)
+  } catch (e) {
+    // ignore
+  }
+
+  try {
+    childProcess.execSync(req.query.command)
+  } catch (e) {
+    // ignore
+  }
+
+  res.end()
+})
+
+app.get('/cmdi-s-secure-default', (req, res) => {
+  const command = sanitizeDefault(req.query.command)
+  try {
+    childProcess.execSync(command)
+  } catch (e) {
+    // ignore
+  }
+
+  res.end()
+})
+
+app.get('/cmdi-iv-insecure', (req, res) => {
+  if (validateNotConfigured(req.query.command)) {
+    childProcess.execSync(req.query.command)
+  }
+
+  res.end()
+})
+
+app.get('/cmdi-iv-secure', (req, res) => {
+  if (validate(req.query.command)) {
+    childProcess.execSync(req.query.command)
+  }
+
+  res.end()
+})
+
+app.listen(port, () => {
+  process.send({ port })
+})

integration-tests/appsec/esm-security-controls/sanitizer-default.mjs

@@ -0,0 +1,7 @@
+'use strict'
+
+function sanitizeDefault (input) {
+  return input
+}
+
+export default sanitizeDefault

integration-tests/appsec/esm-security-controls/sanitizer.mjs

@@ -0,0 +1,5 @@
+'use strict'
+
+export function sanitize (input) {
+  return input
+}

integration-tests/appsec/esm-security-controls/validator.mjs

@@ -0,0 +1,9 @@
+'use strict'
+
+export function validate (input) {
+  return true
+}
+
+export function validateNotConfigured (input) {
+  return true
+}