
V5.24.0 proposal #4788

Merged
merged 37 commits into from
Oct 17, 2024

Conversation

@bengl (Collaborator) commented Oct 16, 2024

  • [89619bdf46] - (SEMVER-PATCH) update body-parser (Bryan English) #4790
  • [d7b1dad805] - (SEMVER-PATCH) pin latest to 22 (Bryan English) #4793
  • [f8515ec28b] - (SEMVER-PATCH) Remove old debug option from docs (simon-id) #4786
  • [59eb9a724a] - (SEMVER-PATCH) Don't stop the profiler if encoding a profile fails (Attila Szegedi) #4779
  • [8969e05336] - (SEMVER-PATCH) vendor jsonpath-plus (Bryan English) #4785
  • [501ff2fbfb] - (SEMVER-MINOR) Suspicious request blocking - Express Path Parameters (Carles Capell) #4769
  • [e4532439c2] - (SEMVER-PATCH) Upgrading jsonpath-plus to v10 to resolve CVE-2024-21534 (Thomas Watson) #4782
  • [944f57d5d4] - (SEMVER-PATCH) [DI] Refactor unit tests (Thomas Watson) #4777
  • [f62cbfadc7] - (SEMVER-PATCH) Unsubscribe NextJS body and query channels on appsec disable (Carles Capell) #4776
  • [c085df1eae] - (SEMVER-MINOR) Add support for Fastify entry spans for Code Origin for Spans (Thomas Watson) #4449
  • [bd4aff563f] - (SEMVER-MINOR) Update waf rules to 1.13.1 (Ugaitz Urien) #4768
  • [5a113b2bcd] - (SEMVER-MINOR) Add Plugin for @azure/functions (Duncan Harvey) #4716
  • [ce0bdcea6e] - (SEMVER-MINOR) Fix capability identifier (Igor Unanua) #4767
  • [60529442d2] - (SEMVER-MINOR) Use static vulnerability hash source when the cookie name is too long (Ugaitz Urien) #4764
  • [5eea208392] - (SEMVER-MINOR) [test visibility] Add option to automatically report logs within tests when using winston (Juan Antonio Fernández de Alba) #4762
  • [2d175d30d5] - (SEMVER-MINOR) Keep a profiling context object in spans (Attila Szegedi) #4763
  • [a2b318df27] - (SEMVER-MINOR) [ASM] Add support for attacker fingerprinting (Carles Capell) #4698
  • [111a156693] - (SEMVER-PATCH) Exploit Prevention LFI (Igor Unanua) #4715
  • [a11a1fd20e] - (SEMVER-MINOR) Upgrade iast rewriter to 2.5.0 (Igor Unanua) #4761
  • [7f93d36b79] - (SEMVER-PATCH) use AsyncLocalStorage instead of our home-grown solutions (Bryan English) #4201
  • [bba5f3ddb3] - (SEMVER-MINOR) feat(dsm): implement avro schemas for avsc package (William Conti) #4726
  • [08525d4c3c] - (SEMVER-MINOR) feat(tracing): implement protobufjs DSM schema support (William Conti) #4701
  • [d024777515] - (SEMVER-MINOR) [DI] Add ability to take state snapshot feature (Thomas Watson) #4549
  • [a00c9c8361] - (SEMVER-MINOR) Sql injection Exploit Prevention implementation for mysql2 library (Ugaitz Urien) #4712
  • [d1abcab7a1] - (SEMVER-MINOR) [DI] Add hostname to probe result (Thomas Watson) #4756
  • [d1f29dba99] - (SEMVER-PATCH) Fix appsec rate limiter flaky test (Ugaitz Urien) #4754
  • [eef6711411] - (SEMVER-PATCH) Fix child process not maintaining previous parent span after execution (Ugaitz Urien) #4752
  • [c700341689] - (SEMVER-PATCH) prefix system-tests env var names (William Conti) #4746
  • [f988e003bf] - (SEMVER-MINOR) [DI] Add GitHub repo and SHA tags to probe results (Thomas Watson) #4751
  • [e09305d366] - (SEMVER-PATCH) [DI] Fix probe.location.lines to be string[] instead of number[] (Thomas Watson) #4750
  • [748ef616c3] - (SEMVER-PATCH) [DI] Switch unit tests to Mocha instead of Tap (Thomas Watson) #4728
  • [70d5591d9b] - (SEMVER-MINOR) [test visibility] Read pull_request and pull_request_target event info from GHA (Juan Antonio Fernández de Alba) #4745
  • [4d2f5b86a0] - (SEMVER-PATCH) Don't use deprecated url.parse function (Thomas Watson) #4743
  • [92515a65e3] - (SEMVER-MINOR) [DI] Add stack trace to log probe results (Thomas Watson) #4727

watson and others added 30 commits October 16, 2024 09:41
#4752)

* Fix child process not maintaining previous parent span after execution

* adding some tests @bengl had written

#4540

---------

Co-authored-by: Thomas Hunter II <[email protected]>
Take a "snapshot" of the variables that are in scope when a probe is hit
(except the global scope, which has intentionally been omitted since it's too
noisy):

- For each variable in scope, we traverse objects and their properties up to
  `maxReferenceDepth` deep (default is 3 levels).
- Strings are truncated to `maxLength` (default is 255 characters).
- Binary data is converted to strings with appropriate escaping of non-printable
  characters (the `maxLength` limit is also applied)

Out of scope:
- Information about `this` is not captured.
- maxCollectionSize limit
- maxFieldCount limit
- Special handling for snapshots larger than 1MB (e.g. snapshot pruning or
  something simpler)
- PII redaction
* add avro (avsc) schemas support for DSM
* use AsyncLocalStorage instead of our home-grown solutions

The comment in the file that selected a storage implementation suggested
just using AsyncLocalStorage once it supports triggerAsyncResource().
That said, literally zero of our code uses triggerAsyncResource(), so
this is assumed to be historical and no longer relevant.

Switching to stock AsyncLocalStorage will enable the usage of
TracingChannel in the future.

* self-contain profiling's AsyncLocalStorage channel usage

* remove flag detection
* Upgrade iast rewriter version to 2.5.0

* Implement tplOperator tracking method
* rasp lfi and iast using rasp fs-plugin

* Add rasp lfi capability in RC

* Handle aborted operations in fs instrumentation

* enable test without express

* cleanup and console log to debug test error

* Do not throw

* another test

* Try increasing timeout

* Enable debug again

* Enable debug again

* increase timeout a lot

* increase timeout more

* New lfi test

* Increase test timeout

* print all errors

* remote debug info

* Handle the different invocation cases

* Handle non string properties

* specify types to be analyzed

* a bunch of tests

* clean up

* rasp lfi subs delayed (#4715)

* Delay Appsec fs plugin subscription to fs:operations until the first req is received

* disable rasp in tests

* fix tests recursive call

* Avoid multiple subscriptions to incomingHttpRequestStart

* another try

* replace spy with stub

* execute unsubscribe asynchronously

* sinon.assert async

* clarify comment

* Use a constant

* Do not enable rasp in some tests

* Remove not needed config property

* Rename properties

* Test iast and rasp fs-plugin subscription order

* Avoid multiple analyzeLfi subscriptions

* Block synchronous operations

* Include synchronous blocking integration test

* Test refactor

* rename test file

* Cleanup
* Report WAF fingerprints

* WAF fingerprint RC capabilities

* Linting

* Remove useless file

* Add blank line

* Remove unused capability

* Generate fingerprint on user login events

* Fix linting

* Add passport plugin test to GHA

* Add business logic addresses

* Add body-parser dep to passport plugin test

* Reformat test

* Refactor report derivatives

* Move method to its right place

* Unify reportSchemas and reportFingerprint test in one suite

* Unify reportSchemas and reportFingerprint test in one suite
Allows for cheapest sampling context updates on async context switches and opens the path for profiling custom context.
* adds azure functions plugin

* adds azure_functions plugin to API documentation

* add typescript test for azure functions plugin

* adds integration test for azure-functions plugin

* add licenses for added dev packages

* add azure-functions plugin to github workflow

* use pipe for azure-functions integration test child process

* update azure-functions integration test api route

* refactor azure-functions integration test

* add azure func command to path

* remove yarn.lock file from azure-functions integration test

* allow span kind to be server for azure functions

* Update index.d.ts

Co-authored-by: Roch Devost <[email protected]>

* add serverless util

* use built in url parser

* remove serverless logic from web util

* remove wait-on dependency

* remove find-process dependency

* Revert "remove find-process dependency"

This reverts commit 3c004c5.

* call func start directly and remove find-process dependency

* simplify serverless util

* Revert "simplify serverless util"

This reverts commit 91a2dd9.

* simplify serverless util

---------

Co-authored-by: Roch Devost <[email protected]>
This commit does two things:

- It lays the groundwork for an upcoming feature called "Code Origin for
  Spans".
- To showcase this feature, it adds limited support for just Fastify
  entry-spans.

To enable, set `DD_CODE_ORIGIN_FOR_SPANS_ENABLED=true`.
Split inspected code into multiple files. This makes adding new tests
easier, as changes related to one inspected file don't influence
unrelated tests.
* Path Parameters blocking

* Lint

* Change expect to assert in SRB tests

* Change expect to assert in API Sec tests

* Improve test naming

* Correct spacing in tests

Co-authored-by: Ugaitz Urien <[email protected]>

* Keep consistency of order in appsec channels

* Better wrap fn naming in express instrumentation

* Keep consistency of order in appsec channels handlers

* Keep consistency of order in appsec channels handlers - test

* Refactor express plugin test - use axios.create and getPort

* Update packages/datadog-instrumentations/src/express.js

Co-authored-by: simon-id <[email protected]>

---------

Co-authored-by: Ugaitz Urien <[email protected]>
Co-authored-by: simon-id <[email protected]>
* vendor jsonpath-plus

We need the latest version (10.0.0) so that it doesn't have
vulnerabilities, but we need it to be compatible with Node.js 16.0.0, so
we needed to vendor it and make slight adjustments.

* more clarity in comment, and add the license
@bengl requested a review from a team as a code owner October 16, 2024 14:21

github-actions bot commented Oct 16, 2024

Overall package size

Self size: 7.54 MB
Deduped: 62.28 MB
No deduping: 62.56 MB

Dependency sizes

| name | version | self size | total size |
|------|---------|-----------|------------|
| @datadog/native-appsec | 8.1.1 | 18.67 MB | 18.68 MB |
| @datadog/native-iast-taint-tracking | 3.1.0 | 12.27 MB | 12.28 MB |
| @datadog/pprof | 5.3.0 | 9.85 MB | 10.22 MB |
| protobufjs | 7.2.5 | 2.77 MB | 5.16 MB |
| @datadog/native-iast-rewriter | 2.5.0 | 2.51 MB | 2.59 MB |
| @opentelemetry/core | 1.14.0 | 872.87 kB | 1.47 MB |
| @datadog/native-metrics | 2.0.0 | 898.77 kB | 1.3 MB |
| @opentelemetry/api | 1.8.0 | 1.21 MB | 1.21 MB |
| import-in-the-middle | 1.11.2 | 112.74 kB | 826.22 kB |
| msgpack-lite | 0.1.26 | 201.16 kB | 281.59 kB |
| opentracing | 0.14.7 | 194.81 kB | 194.81 kB |
| pprof-format | 2.1.0 | 111.69 kB | 111.69 kB |
| @datadog/sketches-js | 2.1.0 | 109.9 kB | 109.9 kB |
| semver | 7.6.3 | 95.82 kB | 95.82 kB |
| lodash.sortby | 4.7.0 | 75.76 kB | 75.76 kB |
| lru-cache | 7.14.0 | 74.95 kB | 74.95 kB |
| ignore | 5.3.1 | 51.46 kB | 51.46 kB |
| int64-buffer | 0.1.10 | 49.18 kB | 49.18 kB |
| shell-quote | 1.8.1 | 44.96 kB | 44.96 kB |
| istanbul-lib-coverage | 3.2.0 | 29.34 kB | 29.34 kB |
| rfdc | 1.3.1 | 25.21 kB | 25.21 kB |
| tlhunter-sorted-set | 0.1.0 | 24.94 kB | 24.94 kB |
| limiter | 1.1.5 | 23.17 kB | 23.17 kB |
| dc-polyfill | 0.1.4 | 23.1 kB | 23.1 kB |
| retry | 0.13.1 | 18.85 kB | 18.85 kB |
| jest-docblock | 29.7.0 | 8.99 kB | 12.76 kB |
| crypto-randomuuid | 1.0.0 | 11.18 kB | 11.18 kB |
| koalas | 1.0.2 | 6.47 kB | 6.47 kB |
| path-to-regexp | 0.1.10 | 6.38 kB | 6.38 kB |
| module-details-from-path | 1.0.3 | 4.47 kB | 4.47 kB |

🤖 This report was automatically generated by heaviest-objects-in-the-universe

simon-id previously approved these changes Oct 16, 2024
juan-fernandez previously approved these changes Oct 16, 2024

@juan-fernandez (Collaborator) left a comment

looks good from test visibility's perspective. Could we please remove this line from the release notes though:

[fd0f5705fb] - (SEMVER-PATCH) [test visibility] Fix num tests reported by EFD (Juan Antonio Fernández de Alba) #4783

szegedi previously approved these changes Oct 16, 2024

@szegedi (Contributor) left a comment

shipit from profiling

@rochdev dismissed stale reviews from szegedi, juan-fernandez, and simon-id via 2372a79 October 16, 2024 20:50

pr-commenter bot commented Oct 16, 2024

Benchmarks

Benchmark execution time: 2024-10-16 21:00:21

Comparing candidate commit 2372a79 in PR branch v5.24.0-proposal with baseline commit b069102 in branch v5.x.

Found 9 performance improvements and 0 performance regressions! Performance is the same for 148 metrics, 9 unstable metrics.

scenario:async_hooks-all-hooks-18

  • 🟩 cpu_user_time [-140.829ms; -95.963ms] or [-8.153%; -5.556%]
  • 🟩 execution_time [-212.926ms; -128.672ms] or [-8.618%; -5.208%]
  • 🟩 max_event_loop_delay [-53.922ms; -32.346ms] or [-10.805%; -6.481%]
  • 🟩 max_gc_pause [-24.077ms; -15.059ms] or [-13.949%; -8.724%]

scenario:async_hooks-no-hooks-18

  • 🟩 execution_time [-65.922ms; -47.445ms] or [-7.361%; -5.298%]

scenario:plugin-graphql-with-depth-and-collapse-off-18

  • 🟩 instructions [-3.4G instructions; -3.3G instructions] or [-8.237%; -7.984%]

scenario:plugin-graphql-with-depth-and-collapse-on-18

  • 🟩 instructions [-3.5G instructions; -3.4G instructions] or [-14.532%; -14.189%]

scenario:plugin-graphql-with-depth-off-18

  • 🟩 instructions [-3.7G instructions; -3.4G instructions] or [-14.586%; -13.546%]

scenario:plugin-graphql-with-depth-on-max-18

  • 🟩 instructions [-3.6G instructions; -3.3G instructions] or [-14.922%; -13.634%]

@themagickoala

Is the plan to release this version today? I'm conveniently working on resolving CVEs in our application and would love to include the jsonpath-plus vuln!

@bengl (Collaborator, Author) commented Oct 17, 2024

@themagickoala yes, hopefully before noon US eastern time.

@uurien merged commit 2372a79 into v5.x Oct 17, 2024
198 checks passed
@uurien deleted the v5.24.0-proposal branch October 17, 2024 15:18