call site frames

Author: IlyasShabi

packages/dd-trace/src/appsec/iast/analyzers/cookie-analyzer.js

@@ -54,15 +54,15 @@ class CookieAnalyzer extends Analyzer {
     return super._checkOCE(context, value)
   }
 
-  _getLocation (value, callSiteList) {
+  _getLocation (value, callSiteFrames) {
     if (!value) {
-      return super._getLocation(value, callSiteList)
+      return super._getLocation(value, callSiteFrames)
     }
 
     if (value.location) {
       return value.location
     }
-    const location = super._getLocation(value, callSiteList)
+    const location = super._getLocation(value, callSiteFrames)
     value.location = location
     return location
   }

packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -1,8 +1,8 @@
 'use strict'
 
 const { storage } = require('../../../../../datadog-core')
-const { getFirstNonDDPathAndLine } = require('../path-line')
-const { addVulnerability, getVulnerabilityCallSiteList } = require('../vulnerability-reporter')
+const { getNonDDPathAndLineCallsites } = require('../path-line')
+const { addVulnerability, getVulnerabilityCallSiteFrames } = require('../vulnerability-reporter')
 const { getIastContext, getIastStackTraceId } = require('../iast-context')
 const overheadController = require('../overhead-controller')
 const { SinkIastPlugin } = require('../iast-plugin')
@@ -28,15 +28,17 @@ class Analyzer extends SinkIastPlugin {
   }
 
   _reportEvidence (value, context, evidence) {
-    const callSiteList = getVulnerabilityCallSiteList()
-    const location = this._getLocation(value, callSiteList)
+    const callSiteFrames = getVulnerabilityCallSiteFrames()
+    const nonDDCallSiteFrames = getNonDDPathAndLineCallsites(callSiteFrames, this._getExcludedPaths())
+
+    const location = this._getLocation(null, nonDDCallSiteFrames)
 
     if (!this._isExcluded(location)) {
-      const locationSourceMap = this._replaceLocationFromSourceMap(location)
+      const originalCallSiteFrames = nonDDCallSiteFrames.map(callSite => this._replaceLocationFromSourceMap(callSite))
       const spanId = context && context.rootSpan && context.rootSpan.context().toSpanId()
       const stackId = getIastStackTraceId(context)
-      const vulnerability = this._createVulnerability(this._type, evidence, spanId, locationSourceMap, stackId)
-      addVulnerability(context, vulnerability, callSiteList, stackId)
+      const vulnerability = this._createVulnerability(this._type, evidence, spanId, originalCallSiteFrames[0], stackId)
+      addVulnerability(context, vulnerability, originalCallSiteFrames, stackId)
     }
   }
 
@@ -52,15 +54,16 @@ class Analyzer extends SinkIastPlugin {
     return { value }
   }
 
-  _getLocation (value, callSiteList) {
-    return getFirstNonDDPathAndLine(callSiteList, this._getExcludedPaths())
+  _getLocation (value, callSiteFrames) {
+    return callSiteFrames[0]
   }
 
   _replaceLocationFromSourceMap (location) {
     if (location) {
       const { path, line, column } = getOriginalPathAndLineFromSourceMap(location)
       if (path) {
         location.path = path
+        location.file = path
       }
       if (line) {
         location.line = line

packages/dd-trace/src/appsec/iast/path-line.js

@@ -4,10 +4,9 @@ const path = require('path')
 const process = require('process')
 const { calculateDDBasePath } = require('../../util')
 const pathLine = {
-  getFirstNonDDPathAndLine,
   getNodeModulesPaths,
   getRelativePath,
-  getFirstNonDDPathAndLineFromCallsites, // Exported only for test purposes
+  getNonDDPathAndLineCallsites,
   calculateDDBasePath, // Exported only for test purposes
   ddBasePath: calculateDDBasePath(__dirname) // Only for test purposes
 }
@@ -24,31 +23,34 @@ const EXCLUDED_PATH_PREFIXES = [
   'async_hooks'
 ]
 
-function getFirstNonDDPathAndLineFromCallsites (callsites, externallyExcludedPaths) {
-  if (callsites) {
-    for (let i = 0; i < callsites.length; i++) {
-      const callsite = callsites[i]
-      const filepath = callsite.getFileName()
-      if (!isExcluded(callsite, externallyExcludedPaths) && filepath.indexOf(pathLine.ddBasePath) === -1) {
-        return {
-          path: getRelativePath(filepath),
-          line: callsite.getLineNumber(),
-          column: callsite.getColumnNumber(),
-          isInternal: !path.isAbsolute(filepath)
-        }
-      }
+function getNonDDPathAndLineCallsites (callsites, externallyExcludedPaths) {
+  if (!callsites) {
+    return []
+  }
+
+  const result = []
+
+  for (const callsite of callsites) {
+    const filepath = callsite.file
+    if (!isExcluded(callsite, externallyExcludedPaths) && filepath.indexOf(pathLine.ddBasePath) === -1) {
+      result.push({
+        ...callsite,
+        path: getRelativePath(filepath),
+        isInternal: !path.isAbsolute(filepath)
+      })
     }
   }
-  return null
+
+  return result
 }
 
 function getRelativePath (filepath) {
   return path.relative(process.cwd(), filepath)
 }
 
 function isExcluded (callsite, externallyExcludedPaths) {
-  if (callsite.isNative()) return true
-  const filename = callsite.getFileName()
+  if (callsite.isNative) return true
+  const filename = callsite.file
   if (!filename) {
     return true
   }
@@ -72,10 +74,6 @@ function isExcluded (callsite, externallyExcludedPaths) {
   return false
 }
 
-function getFirstNonDDPathAndLine (callSiteList, externallyExcludedPaths) {
-  return getFirstNonDDPathAndLineFromCallsites(callSiteList, externallyExcludedPaths)
-}
-
 function getNodeModulesPaths (...paths) {
   const nodeModulesPaths = []
 

packages/dd-trace/src/appsec/iast/vulnerability-reporter.js

@@ -6,7 +6,7 @@ const { IAST_ENABLED_TAG_KEY, IAST_JSON_TAG_KEY } = require('./tags')
 const standalone = require('../standalone')
 const { SAMPLING_MECHANISM_APPSEC } = require('../../constants')
 const { keepTrace } = require('../../priority_sampler')
-const { reportStackTrace, getCallSiteList, STACK_TRACE_NAMESPACES } = require('../stack_trace')
+const { reportStackTrace, getCallSiteFrames, STACK_TRACE_NAMESPACES } = require('../stack_trace')
 
 const VULNERABILITIES_KEY = 'vulnerabilities'
 const VULNERABILITY_HASHES_MAX_SIZE = 1000
@@ -19,7 +19,7 @@ let deduplicationEnabled = true
 let stackTraceMaxDepth
 let maxStackTraces
 
-function addVulnerability (iastContext, vulnerability, callSiteList, stackId) {
+function addVulnerability (iastContext, vulnerability, callSiteFrames, stackId) {
   if (vulnerability?.evidence && vulnerability?.type && vulnerability?.location) {
     if (deduplicationEnabled && isDuplicatedVulnerability(vulnerability)) return
 
@@ -47,9 +47,8 @@ function addVulnerability (iastContext, vulnerability, callSiteList, stackId) {
     reportStackTrace(
       iastContext?.rootSpan,
       stackId,
-      stackTraceMaxDepth,
       maxStackTraces,
-      callSiteList,
+      callSiteFrames,
       STACK_TRACE_NAMESPACES.IAST
     )
 
@@ -106,8 +105,8 @@ function isDuplicatedVulnerability (vulnerability) {
   return VULNERABILITY_HASHES.get(`${vulnerability.type}${vulnerability.hash}`)
 }
 
-function getVulnerabilityCallSiteList () {
-  return getCallSiteList(stackTraceMaxDepth)
+function getVulnerabilityCallSiteFrames () {
+  return getCallSiteFrames(stackTraceMaxDepth)
 }
 
 function start (config, _tracer) {
@@ -133,7 +132,7 @@ function stop () {
 module.exports = {
   addVulnerability,
   sendVulnerabilities,
-  getVulnerabilityCallSiteList,
+  getVulnerabilityCallSiteFrames,
   clearCache,
   start,
   stop

packages/dd-trace/src/appsec/rasp/utils.js

@@ -1,7 +1,7 @@
 'use strict'
 
 const web = require('../../plugins/util/web')
-const { getCallSiteList, reportStackTrace } = require('../stack_trace')
+const { getCallSiteFrames, reportStackTrace } = require('../stack_trace')
 const { getBlockingAction } = require('../blocking')
 const log = require('../../log')
 
@@ -34,15 +34,14 @@ function handleResult (actions, req, res, abortController, config) {
   const { enabled, maxDepth, maxStackTraces } = config.appsec.stackTrace
 
   if (generateStackTraceAction && enabled) {
-    const callSiteList = getCallSiteList(maxDepth)
+    const callSiteFrames = getCallSiteFrames(maxDepth)
 
     const rootSpan = web.root(req)
     reportStackTrace(
       rootSpan,
       generateStackTraceAction.stack_id,
-      maxDepth,
       maxStackTraces,
-      callSiteList
+      callSiteFrames
     )
   }
 

packages/dd-trace/src/appsec/stack_trace.js

@@ -39,7 +39,8 @@ function filterOutFramesFromLibrary (callSiteList) {
   return callSiteList.filter(callSite => !callSite.getFileName()?.startsWith(ddBasePath))
 }
 
-function getFramesForMetaStruct (callSiteList, maxDepth = 32) {
+function getCallSiteFrames (maxDepth = 32) {
+  const callSiteList = getCallSiteList(maxDepth)
   const filteredFrames = filterOutFramesFromLibrary(callSiteList)
 
   const half = filteredFrames.length > maxDepth ? Math.round(maxDepth / 2) : Infinity
@@ -54,20 +55,21 @@ function getFramesForMetaStruct (callSiteList, maxDepth = 32) {
       line: callSite.getLineNumber(),
       column: callSite.getColumnNumber(),
       function: callSite.getFunctionName(),
-      class_name: callSite.getTypeName()
+      class_name: callSite.getTypeName(),
+      isNative: callSite.isNative()
     })
   }
 
   return indexedFrames
 }
 
 function reportStackTrace (
-  rootSpan, stackId, maxDepth, maxStackTraces, callSiteList, namespace = STACK_TRACE_NAMESPACES.RASP) {
+  rootSpan, stackId, maxStackTraces, frames, namespace = STACK_TRACE_NAMESPACES.RASP) {
   if (!rootSpan) return
 
   if (maxStackTraces < 1 || (rootSpan.meta_struct?.['_dd.stack']?.[namespace]?.length ?? 0) < maxStackTraces) {
-    if (maxDepth < 1) maxDepth = Infinity
-    if (!Array.isArray(callSiteList)) return
+    if (!Array.isArray(frames)) return
+    if (!frames.length) return
 
     if (!rootSpan.meta_struct) {
       rootSpan.meta_struct = {}
@@ -81,8 +83,6 @@ function reportStackTrace (
       rootSpan.meta_struct['_dd.stack'][namespace] = []
     }
 
-    const frames = getFramesForMetaStruct(callSiteList, maxDepth)
-
     rootSpan.meta_struct['_dd.stack'][namespace].push({
       id: stackId,
       language: 'nodejs',
@@ -92,7 +92,7 @@ function reportStackTrace (
 }
 
 module.exports = {
-  getCallSiteList,
+  getCallSiteFrames,
   reportStackTrace,
   STACK_TRACE_NAMESPACES
 }