call site frames

Author: IlyasShabi

packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -1,7 +1,7 @@
 'use strict'
 
 const { storage } = require('../../../../../datadog-core')
-const { getFirstNonDDPathAndLine } = require('../path-line')
+const { getNonDDPathAndLineFromCallsites } = require('../path-line')
 const { addVulnerability, getVulnerabilityCallSiteList } = require('../vulnerability-reporter')
 const { getIastContext, getIastStackTraceId } = require('../iast-context')
 const overheadController = require('../overhead-controller')
@@ -29,14 +29,19 @@ class Analyzer extends SinkIastPlugin {
 
   _reportEvidence (value, context, evidence) {
     const callSiteList = getVulnerabilityCallSiteList()
-    const location = this._getLocation(value, callSiteList)
+    const nonDDCallSiteList = getNonDDPathAndLineFromCallsites(callSiteList, this._getExcludedPaths())
+
+    const location = this._getLocation(value, nonDDCallSiteList)
 
     if (!this._isExcluded(location)) {
-      const locationSourceMap = this._replaceLocationFromSourceMap(location)
+      const originalCallSiteList = nonDDCallSiteList.map(callSite => this._replaceCallsiteFromSourceMap(callSite))
+
+      const originalLocation = this._getOriginalLocation(originalCallSiteList)
       const spanId = context && context.rootSpan && context.rootSpan.context().toSpanId()
       const stackId = getIastStackTraceId(context)
-      const vulnerability = this._createVulnerability(this._type, evidence, spanId, locationSourceMap, stackId)
-      addVulnerability(context, vulnerability, callSiteList, stackId)
+      const vulnerability = this._createVulnerability(this._type, evidence, spanId, originalLocation, stackId)
+
+      addVulnerability(context, vulnerability, originalCallSiteList, stackId)
     }
   }
 
@@ -53,23 +58,41 @@ class Analyzer extends SinkIastPlugin {
   }
 
   _getLocation (value, callSiteList) {
-    return getFirstNonDDPathAndLine(callSiteList, this._getExcludedPaths())
+    return callSiteList[0]
   }
 
-  _replaceLocationFromSourceMap (location) {
-    if (location) {
-      const { path, line, column } = getOriginalPathAndLineFromSourceMap(location)
+  _getOriginalLocation (originalCallSiteList) {
+    const [location] = originalCallSiteList
+    const originalLocation = {}
+
+    if (location.path) {
+      originalLocation.path = location.path
+    }
+    if (location.line) {
+      originalLocation.line = location.line
+    }
+    if (location.column) {
+      originalLocation.column = location.column
+    }
+
+    return originalLocation
+  }
+
+  _replaceCallsiteFromSourceMap (callsite) {
+    if (callsite) {
+      const { path, line, column } = getOriginalPathAndLineFromSourceMap(callsite)
       if (path) {
-        location.path = path
+        callsite.path = path
       }
       if (line) {
-        location.line = line
+        callsite.line = line
       }
       if (column) {
-        location.column = column
+        callsite.column = column
       }
     }
-    return location
+
+    return callsite
   }
 
   _getExcludedPaths () {}

packages/dd-trace/src/appsec/iast/path-line.js

@@ -4,10 +4,9 @@ const path = require('path')
 const process = require('process')
 const { calculateDDBasePath } = require('../../util')
 const pathLine = {
-  getFirstNonDDPathAndLine,
   getNodeModulesPaths,
   getRelativePath,
-  getFirstNonDDPathAndLineFromCallsites, // Exported only for test purposes
+  getNonDDPathAndLineFromCallsites,
   calculateDDBasePath, // Exported only for test purposes
   ddBasePath: calculateDDBasePath(__dirname) // Only for test purposes
 }
@@ -24,22 +23,26 @@ const EXCLUDED_PATH_PREFIXES = [
   'async_hooks'
 ]
 
-function getFirstNonDDPathAndLineFromCallsites (callsites, externallyExcludedPaths) {
-  if (callsites) {
-    for (let i = 0; i < callsites.length; i++) {
-      const callsite = callsites[i]
-      const filepath = callsite.getFileName()
-      if (!isExcluded(callsite, externallyExcludedPaths) && filepath.indexOf(pathLine.ddBasePath) === -1) {
-        return {
-          path: getRelativePath(filepath),
-          line: callsite.getLineNumber(),
-          column: callsite.getColumnNumber(),
-          isInternal: !path.isAbsolute(filepath)
-        }
-      }
+function getNonDDPathAndLineFromCallsites (callsites, externallyExcludedPaths) {
+  if (!callsites) {
+    return []
+  }
+
+  const result = []
+
+  for (const callsite of callsites) {
+    const filepath = callsite.getFileName()
+    if (!isExcluded(callsite, externallyExcludedPaths) && filepath.indexOf(pathLine.ddBasePath) === -1) {
+      callsite.column = callsite.getLineNumber()
+      callsite.line = callsite.getColumnNumber()
+      callsite.path = getRelativePath(filepath)
+      callsite.isInternal = !path.isAbsolute(filepath)
+
+      result.push(callsite)
     }
   }
-  return null
+
+  return result
 }
 
 function getRelativePath (filepath) {
@@ -72,10 +75,6 @@ function isExcluded (callsite, externallyExcludedPaths) {
   return false
 }
 
-function getFirstNonDDPathAndLine (callSiteList, externallyExcludedPaths) {
-  return getFirstNonDDPathAndLineFromCallsites(callSiteList, externallyExcludedPaths)
-}
-
 function getNodeModulesPaths (...paths) {
   const nodeModulesPaths = []
 

packages/dd-trace/src/appsec/stack_trace.js

@@ -50,11 +50,12 @@ function getFramesForMetaStruct (callSiteList, maxDepth = 32) {
     const callSite = filteredFrames[index]
     indexedFrames.push({
       id: index,
-      file: callSite.getFileName(),
-      line: callSite.getLineNumber(),
-      column: callSite.getColumnNumber(),
+      file: callSite.file || callSite.getFileName(),
+      line: callSite.line || callSite.getLineNumber(),
+      column: callSite.column || callSite.getColumnNumber(),
       function: callSite.getFunctionName(),
-      class_name: callSite.getTypeName()
+      class_name: callSite.getTypeName(),
+      isNative: callSite.isNative()
     })
   }
 

packages/dd-trace/test/appsec/iast/analyzers/vulnerability-analyzer.spec.js

@@ -25,7 +25,7 @@ describe('vulnerability-analyzer', () => {
       getVulnerabilityCallSiteList: sinon.stub().returns([])
     }
     pathLine = {
-      getFirstNonDDPathAndLine: sinon.stub().returns(VULNERABILITY_LOCATION)
+      getNonDDPathAndLineFromCallsites: sinon.stub().returns([VULNERABILITY_LOCATION])
     }
     overheadController = {
       hasQuota: sinon.stub()
@@ -132,7 +132,7 @@ describe('vulnerability-analyzer', () => {
         },
         hash: 5975567724
       },
-      [],
+      sinon.match.array,
       1
     )
   })
@@ -289,7 +289,7 @@ describe('vulnerability-analyzer', () => {
         ANALYZER_TYPE,
         { value: 'test' },
         SPAN_ID,
-        VULNERABILITY_LOCATION
+        VULNERABILITY_LOCATION_FROM_SOURCEMAP
       )
     })
   })