Report stack trace in iast

packages/dd-trace/src/appsec/iast/analyzers/cookie-analyzer.js

@@ -54,15 +54,15 @@ class CookieAnalyzer extends Analyzer {
     return super._checkOCE(context, value)
   }
 
-  _getLocation (value) {
+  _getLocation (value, callSiteList) {
     if (!value) {
-      return super._getLocation()
+      return super._getLocation(value, callSiteList)
     }
 
     if (value.location) {
       return value.location
     }
-    const location = super._getLocation(value)
+    const location = super._getLocation(value, callSiteList)
     value.location = location
     return location
   }

packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -2,7 +2,7 @@
 
 const { storage } = require('../../../../../datadog-core')
 const { getFirstNonDDPathAndLine } = require('../path-line')
-const { addVulnerability } = require('../vulnerability-reporter')
+const { addVulnerability, getVulnerabilityCallSiteList } = require('../vulnerability-reporter')
 const { getIastContext } = require('../iast-context')
 const overheadController = require('../overhead-controller')
 const { SinkIastPlugin } = require('../iast-plugin')
@@ -28,12 +28,14 @@ class Analyzer extends SinkIastPlugin {
   }
 
   _reportEvidence (value, context, evidence) {
-    const location = this._getLocation(value)
+    const callSiteList = getVulnerabilityCallSiteList()
+    const location = this._getLocation(value, callSiteList)
+
     if (!this._isExcluded(location)) {
       const locationSourceMap = this._replaceLocationFromSourceMap(location)
       const spanId = context && context.rootSpan && context.rootSpan.context().toSpanId()
       const vulnerability = this._createVulnerability(this._type, evidence, spanId, locationSourceMap)
-      addVulnerability(context, vulnerability)
+      addVulnerability(context, vulnerability, callSiteList)
     }
   }
 
@@ -49,8 +51,8 @@ class Analyzer extends SinkIastPlugin {
     return { value }
   }
 
-  _getLocation () {
-    return getFirstNonDDPathAndLine(this._getExcludedPaths())
+  _getLocation (value, callSiteList) {
+    return getFirstNonDDPathAndLine(callSiteList, this._getExcludedPaths())
   }
 
   _replaceLocationFromSourceMap (location) {

packages/dd-trace/src/appsec/iast/iast-context.js

@@ -9,6 +9,17 @@ function getIastContext (store, topContext) {
   return iastContext
 }
 
+function getIastStackTraceId (iastContext) {
+  if (!iastContext) return 0
+
+  if (!iastContext.iastStackTraceId) {
+    iastContext.iastStackTraceId = 0
+  }
+
+  iastContext.iastStackTraceId += 1
+  return iastContext.iastStackTraceId
+}
+
 /* TODO Fix storage problem when the close event is called without
         finish event to remove `topContext` references
   We have to save the context in two places, because
@@ -51,6 +62,7 @@ module.exports = {
   getIastContext,
   saveIastContext,
   cleanIastContext,
+  getIastStackTraceId,
   IAST_CONTEXT_KEY,
   IAST_TRANSACTION_ID
 }

packages/dd-trace/src/appsec/iast/path-line.js

@@ -3,7 +3,6 @@
 const path = require('path')
 const process = require('process')
 const { calculateDDBasePath } = require('../../util')
-const { getCallSiteList } = require('../stack_trace')
 const pathLine = {
   getFirstNonDDPathAndLine,
   getNodeModulesPaths,
@@ -73,8 +72,8 @@ function isExcluded (callsite, externallyExcludedPaths) {
   return false
 }
 
-function getFirstNonDDPathAndLine (externallyExcludedPaths) {
-  return getFirstNonDDPathAndLineFromCallsites(getCallSiteList(), externallyExcludedPaths)
+function getFirstNonDDPathAndLine (callSiteList, externallyExcludedPaths) {
+  return getFirstNonDDPathAndLineFromCallsites(callSiteList, externallyExcludedPaths)
 }
 
 function getNodeModulesPaths (...paths) {

packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/index.js

@@ -84,6 +84,7 @@ class VulnerabilityFormatter {
     const formattedVulnerability = {
       type: vulnerability.type,
       hash: vulnerability.hash,
+      stackId: vulnerability.stackId,
       evidence: this.formatEvidence(vulnerability.type, vulnerability.evidence, sourcesIndexes, sources),
       location: {
         spanId: vulnerability.location.spanId

packages/dd-trace/src/appsec/iast/vulnerability-reporter.js

@@ -6,6 +6,8 @@ const { IAST_ENABLED_TAG_KEY, IAST_JSON_TAG_KEY } = require('./tags')
 const standalone = require('../standalone')
 const { SAMPLING_MECHANISM_APPSEC } = require('../../constants')
 const { keepTrace } = require('../../priority_sampler')
+const { reportStackTrace, getCallSiteList, STACK_TRACE_NAMESPACES } = require('../stack_trace')
+const { getIastStackTraceId } = require('./iast-context')
 
 const VULNERABILITIES_KEY = 'vulnerabilities'
 const VULNERABILITY_HASHES_MAX_SIZE = 1000
@@ -15,8 +17,10 @@ const RESET_VULNERABILITY_CACHE_INTERVAL = 60 * 60 * 1000 // 1 hour
 let tracer
 let resetVulnerabilityCacheTimer
 let deduplicationEnabled = true
+let stackTraceMaxDepth
+let maxStackTraces
 
-function addVulnerability (iastContext, vulnerability) {
+function addVulnerability (iastContext, vulnerability, callSiteList) {
   if (vulnerability?.evidence && vulnerability?.type && vulnerability?.location) {
     if (deduplicationEnabled && isDuplicatedVulnerability(vulnerability)) return
 
@@ -41,6 +45,18 @@ function addVulnerability (iastContext, vulnerability) {
     keepTrace(span, SAMPLING_MECHANISM_APPSEC)
     standalone.sample(span)
 
+    const stackId = getIastStackTraceId(iastContext)
+    vulnerability.stackId = stackId
+
+    reportStackTrace(
+      iastContext?.rootSpan,
+      stackId,
+      stackTraceMaxDepth,
+      maxStackTraces,
+      callSiteList,
+      STACK_TRACE_NAMESPACES.IAST
+    )
+
     if (iastContext?.rootSpan) {
       iastContext[VULNERABILITIES_KEY] = iastContext[VULNERABILITIES_KEY] || []
       iastContext[VULNERABILITIES_KEY].push(vulnerability)
@@ -91,11 +107,18 @@ function stopClearCacheTimer () {
 }
 
 function isDuplicatedVulnerability (vulnerability) {
-  return VULNERABILITY_HASHES.get(`${vulnerability.type}${vulnerability.hash}`)
+  return VULNERABILITY_HASHES.has(`${vulnerability.type}${vulnerability.hash}`)
+}
+
+function getVulnerabilityCallSiteList () {
+  return getCallSiteList(stackTraceMaxDepth)
 }
 
 function start (config, _tracer) {
   deduplicationEnabled = config.iast.deduplicationEnabled
+  stackTraceMaxDepth = config.appsec.stackTrace.maxDepth
+  maxStackTraces = config.appsec.stackTrace.maxStackTraces
+
   vulnerabilitiesFormatter.setRedactVulnerabilities(
     config.iast.redactionEnabled,
     config.iast.redactionNamePattern,
@@ -114,6 +137,7 @@ function stop () {
 module.exports = {
   addVulnerability,
   sendVulnerabilities,
+  getVulnerabilityCallSiteList,
   clearCache,
   start,
   stop

packages/dd-trace/src/appsec/rasp/utils.js

@@ -1,7 +1,7 @@
 'use strict'
 
 const web = require('../../plugins/util/web')
-const { reportStackTrace } = require('../stack_trace')
+const { getCallSiteList, reportStackTrace } = require('../stack_trace')
 const { getBlockingAction } = require('../blocking')
 const log = require('../../log')
 
@@ -30,13 +30,19 @@ class DatadogRaspAbortError extends Error {
 
 function handleResult (actions, req, res, abortController, config) {
   const generateStackTraceAction = actions?.generate_stack
+
+  const { maxDepth, maxStackTraces } = config.appsec.stackTrace
+
+  const callSiteList = getCallSiteList(maxDepth)
+
   if (generateStackTraceAction && config.appsec.stackTrace.enabled) {
     const rootSpan = web.root(req)
     reportStackTrace(
       rootSpan,
       generateStackTraceAction.stack_id,
-      config.appsec.stackTrace.maxDepth,
-      config.appsec.stackTrace.maxStackTraces
+      maxDepth,
+      maxStackTraces,
+      callSiteList
     )
   }
 

packages/dd-trace/src/appsec/stack_trace.js

@@ -6,11 +6,22 @@ const ddBasePath = calculateDDBasePath(__dirname)
 
 const LIBRARY_FRAMES_BUFFER = 20
 
+const STACK_TRACE_NAMESPACES = {
+  RASP: 'exploit',
+  IAST: 'vulnerability'
+}
+
 function getCallSiteList (maxDepth = 100) {
+  if (maxDepth < 1) {
+    maxDepth = Infinity
+  }
+
   const previousPrepareStackTrace = Error.prepareStackTrace
   const previousStackTraceLimit = Error.stackTraceLimit
   let callsiteList
-  Error.stackTraceLimit = maxDepth
+  // Since some frames will be discarded because they come from tracer codebase, a buffer is added
+  // to the limit in order to get as close as `maxDepth` number of frames.
+  Error.stackTraceLimit = maxDepth + LIBRARY_FRAMES_BUFFER
 
   try {
     Error.prepareStackTrace = function (_, callsites) {
@@ -52,14 +63,11 @@ function getFramesForMetaStruct (callSiteList, maxDepth = 32) {
   return indexedFrames
 }
 
-function reportStackTrace (rootSpan, stackId, maxDepth, maxStackTraces, callSiteListGetter = getCallSiteList) {
+function reportStackTrace (
+  rootSpan, stackId, maxDepth, maxStackTraces, callSiteList, namespace = STACK_TRACE_NAMESPACES.RASP) {
   if (!rootSpan) return
 
-  if (maxStackTraces < 1 || (rootSpan.meta_struct?.['_dd.stack']?.exploit?.length ?? 0) < maxStackTraces) {
-    // Since some frames will be discarded because they come from tracer codebase, a buffer is added
-    // to the limit in order to get as close as `maxDepth` number of frames.
-    if (maxDepth < 1) maxDepth = Infinity
-    const callSiteList = callSiteListGetter(maxDepth + LIBRARY_FRAMES_BUFFER)
+  if (maxStackTraces < 1 || (rootSpan.meta_struct?.['_dd.stack']?.[namespace]?.length ?? 0) < maxStackTraces) {
     if (!Array.isArray(callSiteList)) return
 
     if (!rootSpan.meta_struct) {
@@ -70,13 +78,13 @@ function reportStackTrace (rootSpan, stackId, maxDepth, maxStackTraces, callSite
       rootSpan.meta_struct['_dd.stack'] = {}
     }
 
-    if (!rootSpan.meta_struct['_dd.stack'].exploit) {
-      rootSpan.meta_struct['_dd.stack'].exploit = []
+    if (!rootSpan.meta_struct['_dd.stack'][namespace]) {
+      rootSpan.meta_struct['_dd.stack'][namespace] = []
     }
 
     const frames = getFramesForMetaStruct(callSiteList, maxDepth)
 
-    rootSpan.meta_struct['_dd.stack'].exploit.push({
+    rootSpan.meta_struct['_dd.stack'][namespace].push({
       id: stackId,
       language: 'nodejs',
       frames
@@ -86,5 +94,6 @@ function reportStackTrace (rootSpan, stackId, maxDepth, maxStackTraces, callSite
 
 module.exports = {
   getCallSiteList,
-  reportStackTrace
+  reportStackTrace,
+  STACK_TRACE_NAMESPACES
 }

packages/dd-trace/test/appsec/iast/utils.js

@@ -3,13 +3,25 @@
 const fs = require('fs')
 const os = require('os')
 const path = require('path')
+const { assert } = require('chai')
 
 const agent = require('../../plugins/agent')
 const axios = require('axios')
 const iast = require('../../../src/appsec/iast')
 const Config = require('../../../src/config')
 const vulnerabilityReporter = require('../../../src/appsec/iast/vulnerability-reporter')
 
+function getWebSpan (traces) {
+  for (const trace of traces) {
+    for (const span of trace) {
+      if (span.type === 'web') {
+        return span
+      }
+    }
+  }
+  throw new Error('web span not found')
+}
+
 function testInRequest (app, tests) {
   let http
   let listener
@@ -161,6 +173,10 @@ function checkVulnerabilityInRequest (vulnerability, occurrencesAndLocation, cb,
     .use(traces => {
       expect(traces[0][0].metrics['_dd.iast.enabled']).to.be.equal(1)
       expect(traces[0][0].meta).to.have.property('_dd.iast.json')
+
+      const span = getWebSpan(traces)
+      assert.property(span.meta_struct, '_dd.stack')
+
       const vulnerabilitiesTrace = JSON.parse(traces[0][0].meta['_dd.iast.json'])
       expect(vulnerabilitiesTrace).to.not.be.null
       const vulnerabilitiesCount = new Map()