ESM support for iast (#5012)

Author: uurien

integration-tests/appsec/esm-app/custom-noop-hooks.mjs

@@ -0,0 +1,13 @@
+'use strict'
+
+function dummyOperation (a) {
+  return a + 'should have ' + 'dummy operation to be rewritten' + ' without crashing'
+}
+
+export async function initialize () {
+  dummyOperation('should have')
+}
+
+export async function load (url, context, nextLoad) {
+  return nextLoad(url, context)
+}

integration-tests/appsec/esm-app/index.mjs

@@ -0,0 +1,25 @@
+'use strict'
+
+import childProcess from 'node:child_process'
+import express from 'express'
+import Module from 'node:module'
+import './worker.mjs'
+
+const app = express()
+const port = process.env.APP_PORT || 3000
+
+app.get('/cmdi-vulnerable', (req, res) => {
+  childProcess.execSync(`ls ${req.query.args}`)
+
+  res.end()
+})
+
+app.use('/more', (await import('./more.mjs')).default)
+
+app.listen(port, () => {
+  process.send({ port })
+})
+
+Module.register('./custom-noop-hooks.mjs', {
+  parentURL: import.meta.url
+})

integration-tests/appsec/esm-app/more.mjs

@@ -0,0 +1,11 @@
+import express from 'express'
+import childProcess from 'node:child_process'
+
+const router = express.Router()
+router.get('/cmdi-vulnerable', (req, res) => {
+  childProcess.execSync(`ls ${req.query.args}`)
+
+  res.end()
+})
+
+export default router

integration-tests/appsec/esm-app/worker-dep.mjs

@@ -0,0 +1,7 @@
+'use strict'
+
+function dummyOperation (a) {
+  return a + 'dummy operation with concat in worker-dep'
+}
+
+dummyOperation('should not crash')

integration-tests/appsec/esm-app/worker.mjs

@@ -0,0 +1,16 @@
+import { Worker, isMainThread } from 'node:worker_threads'
+import { URL } from 'node:url'
+import './worker-dep.mjs'
+
+if (isMainThread) {
+  const worker = new Worker(new URL(import.meta.url))
+  worker.on('error', (e) => {
+    throw e
+  })
+} else {
+  function dummyOperation (a) {
+    return a + 'dummy operation with concat'
+  }
+
+  dummyOperation('should not crash')
+}

integration-tests/appsec/iast.esm.spec.js

@@ -0,0 +1,94 @@
+'use strict'
+
+const { createSandbox, spawnProc, FakeAgent } = require('../helpers')
+const path = require('path')
+const getPort = require('get-port')
+const Axios = require('axios')
+const { assert } = require('chai')
+
+describe('ESM', () => {
+  let axios, sandbox, cwd, appPort, appFile, agent, proc
+
+  before(async function () {
+    this.timeout(process.platform === 'win32' ? 90000 : 30000)
+    sandbox = await createSandbox(['express'])
+    appPort = await getPort()
+    cwd = sandbox.folder
+    appFile = path.join(cwd, 'appsec', 'esm-app', 'index.mjs')
+
+    axios = Axios.create({
+      baseURL: `http://localhost:${appPort}`
+    })
+  })
+
+  after(async function () {
+    await sandbox.remove()
+  })
+
+  const nodeOptionsList = [
+    '--import dd-trace/initialize.mjs',
+    '--require dd-trace/init.js --loader dd-trace/loader-hook.mjs'
+  ]
+
+  nodeOptionsList.forEach(nodeOptions => {
+    describe(`with NODE_OPTIONS=${nodeOptions}`, () => {
+      beforeEach(async () => {
+        agent = await new FakeAgent().start()
+
+        proc = await spawnProc(appFile, {
+          cwd,
+          env: {
+            DD_TRACE_AGENT_PORT: agent.port,
+            APP_PORT: appPort,
+            DD_IAST_ENABLED: 'true',
+            DD_IAST_REQUEST_SAMPLING: '100',
+            NODE_OPTIONS: nodeOptions
+          }
+        })
+      })
+
+      afterEach(async () => {
+        proc.kill()
+        await agent.stop()
+      })
+
+      function verifySpan (payload, verify) {
+        let err
+        for (let i = 0; i < payload.length; i++) {
+          const trace = payload[i]
+          for (let j = 0; j < trace.length; j++) {
+            try {
+              verify(trace[j])
+              return
+            } catch (e) {
+              err = err || e
+            }
+          }
+        }
+        throw err
+      }
+
+      it('should detect COMMAND_INJECTION vulnerability', async function () {
+        await axios.get('/cmdi-vulnerable?args=-la')
+
+        await agent.assertMessageReceived(({ payload }) => {
+          verifySpan(payload, span => {
+            assert.property(span.meta, '_dd.iast.json')
+            assert.include(span.meta['_dd.iast.json'], '"COMMAND_INJECTION"')
+          })
+        }, null, 1, true)
+      })
+
+      it('should detect COMMAND_INJECTION vulnerability in imported file', async () => {
+        await axios.get('/more/cmdi-vulnerable?args=-la')
+
+        await agent.assertMessageReceived(({ payload }) => {
+          verifySpan(payload, span => {
+            assert.property(span.meta, '_dd.iast.json')
+            assert.include(span.meta['_dd.iast.json'], '"COMMAND_INJECTION"')
+          })
+        }, null, 1, true)
+      })
+    })
+  })
+})

package.json

@@ -83,7 +83,7 @@
   "dependencies": {
     "@datadog/libdatadog": "^0.4.0",
     "@datadog/native-appsec": "8.4.0",
-    "@datadog/native-iast-rewriter": "2.6.1",
+    "@datadog/native-iast-rewriter": "2.8.0",
     "@datadog/native-iast-taint-tracking": "3.2.0",
     "@datadog/native-metrics": "^3.1.0",
     "@datadog/pprof": "5.5.1",

packages/dd-trace/src/appsec/iast/taint-tracking/constants.js

@@ -0,0 +1,6 @@
+'use strict'
+
+module.exports = {
+  LOG_MESSAGE: 'LOG',
+  REWRITTEN_MESSAGE: 'REWRITTEN'
+}

packages/dd-trace/src/appsec/iast/taint-tracking/rewriter-esm.mjs

@@ -0,0 +1,65 @@
+'use strict'
+
+import path from 'path'
+import { URL } from 'url'
+import { getName } from '../telemetry/verbosity.js'
+import { isNotLibraryFile, isPrivateModule } from './filter.js'
+import constants from './constants.js'
+
+const currentUrl = new URL(import.meta.url)
+const ddTraceDir = path.join(currentUrl.pathname, '..', '..', '..', '..', '..', '..')
+
+let port, rewriter
+
+export async function initialize (data) {
+  if (rewriter) return Promise.reject(new Error('ALREADY INITIALIZED'))
+
+  const { csiMethods, telemetryVerbosity, chainSourceMap } = data
+  port = data.port
+
+  const iastRewriter = await import('@datadog/native-iast-rewriter')
+
+  const { NonCacheRewriter } = iastRewriter.default
+
+  rewriter = new NonCacheRewriter({
+    csiMethods,
+    telemetryVerbosity: getName(telemetryVerbosity),
+    chainSourceMap
+  })
+}
+
+export async function load (url, context, nextLoad) {
+  const result = await nextLoad(url, context)
+
+  if (!port) return result
+  if (!result.source) return result
+  if (url.includes(ddTraceDir) || url.includes('iitm=true')) return result
+
+  try {
+    if (isPrivateModule(url) && isNotLibraryFile(url)) {
+      const rewritten = rewriter.rewrite(result.source.toString(), url)
+
+      if (rewritten?.content) {
+        result.source = rewritten.content || result.source
+        const data = { url, rewritten }
+        port.postMessage({ type: constants.REWRITTEN_MESSAGE, data })
+      }
+    }
+  } catch (e) {
+    const newErrObject = {
+      message: e.message,
+      stack: e.stack
+    }
+
+    const data = {
+      level: 'error',
+      messages: ['[ASM] Error rewriting file %s', url, newErrObject]
+    }
+    port.postMessage({
+      type: constants.LOG_MESSAGE,
+      data
+    })
+  }
+
+  return result
+}

packages/dd-trace/src/appsec/iast/taint-tracking/rewriter-telemetry.js

@@ -12,10 +12,7 @@ const telemetryRewriter = {
   information (content, filename, rewriter) {
     const response = this.off(content, filename, rewriter)
 
-    const metrics = response.metrics
-    if (metrics && metrics.instrumentedPropagation) {
-      INSTRUMENTED_PROPAGATION.inc(undefined, metrics.instrumentedPropagation)
-    }
+    incrementTelemetry(response.metrics)
 
     return response
   }
@@ -30,4 +27,16 @@ function getRewriteFunction (rewriter) {
   }
 }
 
-module.exports = { getRewriteFunction }
+function incrementTelemetry (metrics) {
+  if (metrics?.instrumentedPropagation) {
+    INSTRUMENTED_PROPAGATION.inc(undefined, metrics.instrumentedPropagation)
+  }
+}
+
+function incrementTelemetryIfNeeded (metrics) {
+  if (iastTelemetry.verbosity !== Verbosity.OFF) {
+    incrementTelemetry(metrics)
+  }
+}
+
+module.exports = { getRewriteFunction, incrementTelemetryIfNeeded }