fix(iast): Fix stack traces when iast is enabled and application has --enable-source-maps (#6828)

Author: uurien

integration-tests/appsec/iast-stack-traces-ts-with-sourcemaps/index.ts

@@ -0,0 +1,13 @@
+import express from 'express'
+
+import notRewrittenRoutes from './not-rewritten-routes'
+import rewrittenRoutes from './rewritten-routes'
+
+const app = express()
+
+app.use('/not-rewritten', notRewrittenRoutes)
+app.use('/rewritten', rewrittenRoutes)
+
+const server = app.listen(process.env.APP_PORT || 0, () => {
+  process.send?.({ port: server.address().port })
+})

integration-tests/appsec/iast-stack-traces-ts-with-sourcemaps/init.js

@@ -0,0 +1,6 @@
+'use strict'
+const tracer = require('dd-trace')
+
+tracer.init({
+  flushInterval: 0
+})

integration-tests/appsec/iast-stack-traces-ts-with-sourcemaps/not-rewritten-routes.ts

@@ -0,0 +1,18 @@
+import express from 'express'
+import crypto from 'crypto'
+
+const router = express.Router()
+
+router.get('/stack-trace-from-unnamed-function', (req, res) => {
+  res.send((new Error('Error').stack))
+})
+
+router.get('/stack-trace-from-named-function', function namedFunctionNotRewrittenFile (req, res) {
+  res.send((new Error('Error').stack))
+})
+
+router.get('/vulnerability', (req, res) => {
+  res.send(crypto.createHash('sha1').update('test').digest('hex'))
+})
+
+export default router

integration-tests/appsec/iast-stack-traces-ts-with-sourcemaps/rewritten-routes.ts

@@ -0,0 +1,18 @@
+import express from 'express'
+import crypto from 'crypto'
+
+const router = express.Router()
+
+router.get('/stack-trace-from-unnamed-function', (req, res) => {
+  res.send((new Error('Error ' + req.query.param).stack))
+})
+
+router.get('/stack-trace-from-named-function', function namedFunctionRewrittenFile (req, res) {
+  res.send((new Error('Error ' + req.query.param).stack))
+})
+
+router.get('/vulnerability', (req, res) => {
+  res.send(crypto.createHash('sha1').update('test').digest('hex'))
+})
+
+export default router

integration-tests/appsec/iast-stack-traces-ts-with-sourcemaps/tsconfig.json

@@ -0,0 +1,24 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "commonjs",
+    "lib": ["ES2020"],
+    "outDir": "./",
+    "rootDir": "./",
+    "sourceMap": true,
+    "declaration": false,
+    "strict": false,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "moduleResolution": "node",
+    "resolveJsonModule": true
+  },
+  "include": [
+    "*.ts"
+  ],
+  "exclude": [
+    "node_modules"
+  ]
+}
+

integration-tests/appsec/iast-stack-traces-with-sourcemaps.spec.js

@@ -0,0 +1,111 @@
+'use strict'
+
+const { sandboxCwd, useSandbox, spawnProc, FakeAgent } = require('../helpers')
+const childProcess = require('child_process')
+const path = require('path')
+const Axios = require('axios')
+const { assert } = require('chai')
+
+describe('IAST stack traces and vulnerabilities with sourcemaps', () => {
+  let axios, cwd, appDir, appFile, agent, proc
+
+  useSandbox(['typescript', 'express'])
+
+  before(function () {
+    cwd = sandboxCwd()
+
+    appDir = path.join(cwd, 'appsec', 'iast-stack-traces-ts-with-sourcemaps')
+
+    childProcess.execSync('yarn', { cwd })
+    childProcess.execSync('npx tsc', {
+      cwd: appDir
+    })
+
+    appFile = path.join(appDir, 'index.js')
+  })
+
+  beforeEach(async () => {
+    agent = await new FakeAgent().start()
+
+    proc = await spawnProc(appFile, {
+      cwd,
+      env: {
+        DD_TRACE_AGENT_PORT: agent.port,
+        DD_IAST_ENABLED: 'true',
+        DD_IAST_REQUEST_SAMPLING: '100',
+        NODE_OPTIONS: `--enable-source-maps --require ${appDir}/init.js`
+      }
+    })
+
+    axios = Axios.create({ baseURL: proc.url })
+  })
+
+  afterEach(async () => {
+    proc.kill()
+    await agent.stop()
+  })
+
+  describe('in rewritten file', () => {
+    it('should detect correct stack trace in unnamed function', async () => {
+      const response = await axios.get('/rewritten/stack-trace-from-unnamed-function')
+
+      assert.include(response.data, '/rewritten-routes.ts:7:13')
+    })
+
+    it('should detect correct stack trace in named function', async () => {
+      const response = await axios.get('/rewritten/stack-trace-from-named-function')
+
+      assert.include(response.data, '/rewritten-routes.ts:11:13')
+    })
+
+    it('should detect vulnerability in the correct location', async () => {
+      await axios.get('/rewritten/vulnerability')
+
+      await agent.assertMessageReceived(({ payload }) => {
+        const spans = payload.flatMap(p => p.filter(span => span.name === 'express.request'))
+        spans.forEach(span => {
+          assert.property(span.meta, '_dd.iast.json')
+          const iastJsonObject = JSON.parse(span.meta['_dd.iast.json'])
+
+          assert.isTrue(iastJsonObject.vulnerabilities.some(vulnerability => {
+            return vulnerability.type === 'WEAK_HASH' &&
+              vulnerability.location.path === 'appsec/iast-stack-traces-ts-with-sourcemaps/rewritten-routes.ts' &&
+              vulnerability.location.line === 15
+          }))
+        })
+      }, null, 1, true)
+    })
+  })
+
+  describe('in not rewritten file', () => {
+    it('should detect correct stack trace in unnamed function', async () => {
+      const response = await axios.get('/not-rewritten/stack-trace-from-unnamed-function')
+
+      assert.include(response.data, '/not-rewritten-routes.ts:7:13')
+    })
+
+    it('should detect correct stack trace in named function', async () => {
+      const response = await axios.get('/not-rewritten/stack-trace-from-named-function')
+
+      assert.include(response.data, '/not-rewritten-routes.ts:11:13')
+    })
+
+    it('should detect vulnerability in the correct location', async () => {
+      await axios.get('/not-rewritten/vulnerability')
+
+      await agent.assertMessageReceived(({ payload }) => {
+        const spans = payload.flatMap(p => p.filter(span => span.name === 'express.request'))
+        spans.forEach(span => {
+          assert.property(span.meta, '_dd.iast.json')
+          const iastJsonObject = JSON.parse(span.meta['_dd.iast.json'])
+
+          assert.isTrue(iastJsonObject.vulnerabilities.some(vulnerability => {
+            return vulnerability.type === 'WEAK_HASH' &&
+              vulnerability.location.path === 'appsec/iast-stack-traces-ts-with-sourcemaps/not-rewritten-routes.ts' &&
+              vulnerability.location.line === 15
+          }))
+        })
+      }, null, 1, true)
+    })
+  })
+})

package.json

@@ -128,7 +128,7 @@
     "@datadog/openfeature-node-server": "0.1.0-preview.15",
     "@datadog/pprof": "5.12.0",
     "@datadog/sketches-js": "2.1.1",
-    "@datadog/wasm-js-rewriter": "4.0.1",
+    "@datadog/wasm-js-rewriter": "5.0.1",
     "@isaacs/ttlcache": "^2.0.1",
     "@opentelemetry/api": ">=1.0.0 <1.10.0",
     "@opentelemetry/api-logs": "<1.0.0",

packages/dd-trace/src/appsec/stack_trace.js

@@ -42,9 +42,9 @@ function filterOutFramesFromLibrary (callSiteList) {
     if (globalThis.__DD_ESBUILD_IAST_WITH_SM) {
       // bundled with SourceMap, get original file and line to discriminate if comes from dd-trace or not
       const callSiteLocation = {
-        path: callSite.getFileName(),
-        line: callSite.getLineNumber(),
-        column: callSite.getColumnNumber()
+        path: callSite.getTranslatedFileName?.() ?? callSite.getFileName(),
+        line: callSite.getTranslatedLineNumber?.() ?? callSite.getLineNumber(),
+        column: callSite.getTranslatedColumnNumber?.() ?? callSite.getColumnNumber()
       }
       const { path } = getOriginalPathAndLineFromSourceMap(callSiteLocation)
       return !path?.startsWith(ddBasePath)
@@ -68,9 +68,9 @@ function getCallsiteFrames (maxDepth = 32, constructorOpt = getCallsiteFrames, c
     const callSite = filteredFrames[index]
     indexedFrames.push({
       id: index,
-      file: callSite.getFileName(),
-      line: callSite.getLineNumber(),
-      column: callSite.getColumnNumber(),
+      file: callSite.getTranslatedFileName?.() ?? callSite.getFileName(),
+      line: callSite.getTranslatedLineNumber?.() ?? callSite.getLineNumber(),
+      column: callSite.getTranslatedColumnNumber?.() ?? callSite.getColumnNumber(),
       function: callSite.getFunctionName(),
       class_name: callSite.getTypeName(),
       isNative: callSite.isNative()

yarn.lock

@@ -262,10 +262,10 @@
   resolved "https://registry.yarnpkg.com/@datadog/sketches-js/-/sketches-js-2.1.1.tgz#9ec2251b3c932b4f43e1d164461fa6cb6f28b7d0"
   integrity sha512-d5RjycE+MObE/hU+8OM5Zp4VjTwiPLRa8299fj7muOmR16fb942z8byoMbCErnGh0lBevvgkGrLclQDvINbIyg==
 
-"@datadog/wasm-js-rewriter@4.0.1":
-  version "4.0.1"
-  resolved "https://registry.yarnpkg.com/@datadog/wasm-js-rewriter/-/wasm-js-rewriter-4.0.1.tgz#883535e97f6b88b15427f93b5dc5d2d3a01c02b6"
-  integrity sha512-JRa05Je6gw+9+3yZnm/BroQZrEfNwRYCxms56WCCHzOBnoPihQLB0fWy5coVJS29kneCUueUvBvxGp6NVXgdqw==
+"@datadog/wasm-js-rewriter@5.0.1":
+  version "5.0.1"
+  resolved "https://registry.yarnpkg.com/@datadog/wasm-js-rewriter/-/wasm-js-rewriter-5.0.1.tgz#f227d2e3eb0f83b8a37f190a9ff8fdbde5955782"
+  integrity sha512-EzbV3Lrdt3udQEsbDOVC5gB1y7yxfpBbrSIk4jaEsGjyj0Dbv2HGj7tZjs+qXzIzNonHc8h5El2bYZOGfC2wwg==
   dependencies:
     js-yaml "^4.1.0"
     lru-cache "^7.14.0"