Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add express-session instrumentation #5060

Draft
wants to merge 9 commits into
base: automatic_userid_blocking
Choose a base branch
from
+69 −0
Draft

add express-session instrumentation #5060

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
1c5abac
add express-session instrumentation
simon-id Dec 27, 2024
b61edcd
add rc capability
simon-id Jan 13, 2025
721574d
add session id tracking in sdk
simon-id Jan 15, 2025
a79fdb9
add comment
simon-id Jan 15, 2025
a022df5
add instrum hook
simon-id Jan 17, 2025
e487811
cleanup instrum
simon-id Jan 17, 2025
1914a35
add session blocking
simon-id Jan 18, 2025
2e652bb
cleanup
simon-id Jan 18, 2025
a0031d6
Merge branch 'automatic_userid_blocking' into appsec_session_id
simon-id Jan 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 41 additions & 0 deletions packages/datadog-instrumentations/src/express-session.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
'use strict'

const shimmer = require('../../datadog-shimmer')
const { channel, addHook } = require('./helpers/instrument')

const sessionMiddlewareFinishCh = channel('datadog:express-session:middleware:finish')

function wrapSessionMiddleware (sessionMiddleware) {
return function wrappedSessionMiddleware (req, res, next) {
shimmer.wrap(arguments, 2, function wrapNext (next) {
return function wrappedNext () {
if (sessionMiddlewareFinishCh.hasSubscribers) {
const abortController = new AbortController()

sessionMiddlewareFinishCh.publish({ req, res, sessionId: req.sessionID, abortController })
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
sessionMiddlewareFinishCh.publish({ req, res, sessionId: req.sessionID, abortController })
// what if session IDs are using rolling sessions or always changing or something idk ?
sessionMiddlewareFinishCh.publish({ req, res, sessionId: req.sessionID, abortController })


if (abortController.signal.aborted) return
}

return next.apply(this, arguments)
}
})

return sessionMiddleware.apply(this, arguments)
}
}

function wrapSession (session) {
return function wrappedSession () {
const sessionMiddleware = session.apply(this, arguments)

return shimmer.wrapFunction(sessionMiddleware, wrapSessionMiddleware)
}
}

addHook({
name: 'express-session',
versions: ['>=1.0.1']
}, session => {
return shimmer.wrapFunction(session, wrapSession)
})
1 change: 1 addition & 0 deletions packages/datadog-instrumentations/src/helpers/hooks.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ module.exports = {
elasticsearch: () => require('../elasticsearch'),
express: () => require('../express'),
'express-mongo-sanitize': () => require('../express-mongo-sanitize'),
'express-session': () => require('../express-session'),
fastify: () => require('../fastify'),
'find-my-way': () => require('../find-my-way'),
fs: () => require('../fs'),
Expand Down
1 change: 1 addition & 0 deletions packages/dd-trace/src/appsec/addresses.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ module.exports = {

USER_ID: 'usr.id',
USER_LOGIN: 'usr.login',
USER_SESSION_ID: 'usr.session_id',

WAF_CONTEXT_PROCESSOR: 'waf.context.processor',

Expand Down
1 change: 1 addition & 0 deletions packages/dd-trace/src/appsec/channels.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ module.exports = {
incomingHttpRequestEnd: dc.channel('dd-trace:incomingHttpRequestEnd'),
passportVerify: dc.channel('datadog:passport:verify:finish'),
passportUser: dc.channel('datadog:passport:deserializeUser:finish'),
expressSession: dc.channel('datadog:express-session:middleware:finish'),
queryParser: dc.channel('datadog:query:read:finish'),
setCookieChannel: dc.channel('datadog:iast:set-cookie'),
nextBodyParsed: dc.channel('apm:next:body-parsed'),
Expand Down
20 changes: 20 additions & 0 deletions packages/dd-trace/src/appsec/index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ const {
incomingHttpRequestEnd,
passportVerify,
passportUser,
expressSession,
queryParser,
nextBodyParsed,
nextQueryParsed,
Expand Down Expand Up @@ -69,6 +70,7 @@ function enable (_config) {
incomingHttpRequestEnd.subscribe(incomingHttpEndTranslator)
passportVerify.subscribe(onPassportVerify) // possible optimization: only subscribe if collection mode is enabled
passportUser.subscribe(onPassportDeserializeUser)
expressSession.subscribe(onExpressSession)
queryParser.subscribe(onRequestQueryParsed)
nextBodyParsed.subscribe(onRequestBodyParsed)
nextQueryParsed.subscribe(onRequestQueryParsed)
Expand Down Expand Up @@ -213,6 +215,23 @@ function onPassportDeserializeUser ({ user, abortController }) {
handleResults(results, store.req, store.req.res, rootSpan, abortController)
}

function onExpressSession ({ req, res, sessionId, abortController }) {
const rootSpan = web.root(req)
if (!rootSpan) {
log.warn('[ASM] No rootSpan found in onExpressSession')
return
}

// do not call this if the SDK already called it
const results = waf.run({
persistent: {
[addresses.USER_SESSION_ID]: sessionId
}
}, req)

handleResults(results, req, res, rootSpan, abortController)
}

function onRequestQueryParsed ({ req, res, query, abortController }) {
if (!query || typeof query !== 'object') return

Expand Down Expand Up @@ -327,6 +346,7 @@ function disable () {
if (incomingHttpRequestEnd.hasSubscribers) incomingHttpRequestEnd.unsubscribe(incomingHttpEndTranslator)
if (passportVerify.hasSubscribers) passportVerify.unsubscribe(onPassportVerify)
if (passportUser.hasSubscribers) passportUser.unsubscribe(onPassportDeserializeUser)
if (expressSession.hasSubscribers) expressSession.unsubscribe(onExpressSession)
if (queryParser.hasSubscribers) queryParser.unsubscribe(onRequestQueryParsed)
if (nextBodyParsed.hasSubscribers) nextBodyParsed.unsubscribe(onRequestBodyParsed)
if (nextQueryParsed.hasSubscribers) nextQueryParsed.unsubscribe(onRequestQueryParsed)
Expand Down
1 change: 1 addition & 0 deletions packages/dd-trace/src/appsec/remote_config/capabilities.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ module.exports = {
APM_TRACING_SAMPLE_RULES: 1n << 29n,
ASM_AUTO_USER_INSTRUM_MODE: 1n << 31n,
ASM_ENDPOINT_FINGERPRINT: 1n << 32n,
ASM_SESSION_FINGERPRINT: 1n << 33n, // should we only send this if app uses express-session ?
ASM_NETWORK_FINGERPRINT: 1n << 34n,
ASM_HEADER_FINGERPRINT: 1n << 35n,
ASM_RASP_CMDI: 1n << 37n
Expand Down
4 changes: 4 additions & 0 deletions packages/dd-trace/src/appsec/sdk/set_user.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,10 @@
return
}

if (user.session_id && typeof user.session_id === 'string') {
persistent['usr.session_id'] = user.session_id

Check failure on line 27 in packages/dd-trace/src/appsec/sdk/set_user.js

View workflow job for this annotation

GitHub Actions / lint 

'persistent' was used before it was defined
}

setUserTags(user, rootSpan)
rootSpan.setTag('_dd.appsec.user.collection_mode', 'sdk')

Expand Down
Loading