add include configuration to iitm loader hook (#6455)

Author: rochdev

LICENSE-3rdparty.csv

@@ -14,6 +14,7 @@ require,@opentelemetry/resources,Apache license 2.0,Copyright OpenTelemetry Auth
 require,@isaacs/ttlcache,ISC,Copyright (c) 2022-2023 - Isaac Z. Schlueter and Contributors
 require,crypto-randomuuid,MIT,Copyright 2021 Node.js Foundation and contributors
 require,dc-polyfill,MIT,Copyright 2023 Datadog Inc.
+require,escape-string-regexp,MIT,Copyright Sindre Sorhus
 require,ignore,MIT,Copyright 2013 Kael Zhang and contributors
 require,import-in-the-middle,Apache license 2.0,Copyright 2021 Datadog Inc.
 require,istanbul-lib-coverage,BSD-3-Clause,Copyright 2012-2015 Yahoo! Inc.

index.d.ts

@@ -2815,7 +2815,10 @@ declare namespace tracer {
     redactionValuePattern?: string,
 
     /**
-     * Allows to enable security controls.
+     * Allows to enable security controls. This option is not supported when
+     * using ESM.
+     * @deprecated Please use the DD_IAST_SECURITY_CONTROLS_CONFIGURATION
+     * environment variable instead.
      */
     securityControlsConfiguration?: string,
 

integration-tests/startup.spec.js

@@ -35,11 +35,13 @@ execArgvs.forEach(({ execArgv, skip }) => {
     let sandbox
     let cwd
     let startupTestFile
+    let unsupportedTestFile
 
     before(async () => {
-      sandbox = await createSandbox()
+      sandbox = await createSandbox(['d3-format@3.1.0'])
       cwd = sandbox.folder
       startupTestFile = path.join(cwd, 'startup/index.js')
+      unsupportedTestFile = path.join(cwd, 'startup/unsupported.js')
     })
 
     after(async () => {
@@ -218,5 +220,14 @@ execArgvs.forEach(({ execArgv, skip }) => {
         })
       })
     })
+
+    context('with unsupported module', () => {
+      it('skips the unsupported module', async () => {
+        await spawnProc(unsupportedTestFile, {
+          cwd,
+          execArgv
+        })
+      })
+    })
   })
 })

integration-tests/startup/unsupported.js

@@ -0,0 +1,11 @@
+'use strict'
+
+const assert = require('assert')
+
+/* eslint-disable-next-line n/no-missing-import */
+import('d3-format').then(({ format }) => {
+  const siFormat = format('.4~s')
+
+  // This is `1.2undefined` when unexpectedly patched by import-in-the-middle.
+  assert.equal(siFormat(1200), '1.2k')
+})

loader-hook.mjs

@@ -1 +1,52 @@
-export * from 'import-in-the-middle/hook.mjs'
+import regexpEscape from 'escape-string-regexp'
+import * as iitm from 'import-in-the-middle/hook.mjs'
+import hooks from './packages/datadog-instrumentations/src/helpers/hooks.js'
+import configHelper from './packages/dd-trace/src/config-helper.js'
+
+// For some reason `getEnvironmentVariable` is not otherwise available to ESM.
+const env = configHelper.getEnvironmentVariable
+
+function initialize (data = {}) {
+  data.include ??= []
+  data.exclude ??= []
+
+  addInstrumentations(data)
+  addSecurityControls(data)
+  addExclusions(data)
+
+  return iitm.initialize(data)
+}
+
+function addInstrumentations (data) {
+  const instrumentations = Object.keys(hooks)
+
+  for (const moduleName of instrumentations) {
+    data.include.push(new RegExp(`node_modules/${moduleName}/(?!node_modules).+`), moduleName)
+  }
+}
+
+function addSecurityControls (data) {
+  const securityControls = (env('DD_IAST_SECURITY_CONTROLS_CONFIGURATION') || '')
+    .split(';')
+    .map(sc => sc.trim().split(':')[2])
+    .filter(Boolean)
+    .map(sc => sc.trim())
+
+  for (const subpath of securityControls) {
+    data.include.push(new RegExp(regexpEscape(subpath)))
+  }
+}
+
+function addExclusions (data) {
+  data.exclude.push(
+    /middle/,
+    /langsmith/,
+    /openai\/_shims/,
+    /openai\/resources\/chat\/completions\/messages/,
+    /openai\/agents-core\/dist\/shims/,
+    /@anthropic-ai\/sdk\/_shims/
+  )
+}
+
+export { initialize }
+export { load, getFormat, resolve, getSource } from 'import-in-the-middle/hook.mjs'

package.json

@@ -136,6 +136,7 @@
     "@opentelemetry/resources": ">=1.0.0 <1.10.0",
     "crypto-randomuuid": "^1.0.0",
     "dc-polyfill": "^0.1.10",
+    "escape-string-regexp": "^5.0.0",
     "ignore": "^7.0.5",
     "import-in-the-middle": "^1.14.2",
     "istanbul-lib-coverage": "^3.2.2",

packages/dd-trace/src/config.js

@@ -19,6 +19,7 @@ const { appendRules } = require('./payload-tagging/config')
 const { getEnvironmentVariable: getEnv, getEnvironmentVariables } = require('./config-helper')
 const defaults = require('./config_defaults')
 const path = require('path')
+const { DD_MAJOR } = require('../../../version')
 
 const tracerMetrics = telemetryMetrics.manager.namespace('tracers')
 
@@ -1032,7 +1033,9 @@ class Config {
       opts['iast.requestSampling'] = iastRequestSampling
       this.#optsUnprocessed['iast.requestSampling'] = options.iast?.requestSampling
     }
-    opts['iast.securityControlsConfiguration'] = options.iast?.securityControlsConfiguration
+    if (DD_MAJOR < 6) {
+      opts['iast.securityControlsConfiguration'] = options.iast?.securityControlsConfiguration
+    }
     this.#setBoolean(opts, 'iast.stackTrace.enabled', options.iast?.stackTrace?.enabled)
     this.#setString(opts, 'iast.telemetryVerbosity', options.iast && options.iast.telemetryVerbosity)
     this.#setBoolean(opts, 'isCiVisibility', options.isCiVisibility)

packages/dd-trace/test/config.spec.js

@@ -15,6 +15,7 @@ require('./setup/core')
 const { GRPC_CLIENT_ERROR_STATUSES, GRPC_SERVER_ERROR_STATUSES } = require('../src/constants')
 const { getEnvironmentVariable, getEnvironmentVariables } = require('../src/config-helper')
 const { assertObjectContains } = require('../../../integration-tests/helpers')
+const { DD_MAJOR } = require('../../../version')
 
 describe('Config', () => {
   let Config
@@ -1170,8 +1171,12 @@ describe('Config', () => {
     expect(config).to.have.nested.property('iast.redactionNamePattern', 'REDACTION_NAME_PATTERN')
     expect(config).to.have.nested.property('iast.redactionValuePattern', 'REDACTION_VALUE_PATTERN')
     expect(config).to.have.nested.property('iast.requestSampling', 50)
-    expect(config).to.have.nested.property('iast.securityControlsConfiguration',
-      'SANITIZER:CODE_INJECTION:sanitizer.js:method')
+    if (DD_MAJOR < 6) {
+      expect(config).to.have.nested.property('iast.securityControlsConfiguration',
+        'SANITIZER:CODE_INJECTION:sanitizer.js:method')
+    } else {
+      expect(config).to.not.have.property('iast.securityControlsConfiguration')
+    }
     expect(config).to.have.nested.property('iast.stackTrace.enabled', false)
     expect(config).to.have.nested.property('iast.telemetryVerbosity', 'DEBUG')
     expect(config).to.have.nested.property('llmobs.agentlessEnabled', true)
@@ -1259,7 +1264,7 @@ describe('Config', () => {
       { name: 'iast.redactionNamePattern', value: 'REDACTION_NAME_PATTERN', origin: 'code' },
       { name: 'iast.redactionValuePattern', value: 'REDACTION_VALUE_PATTERN', origin: 'code' },
       { name: 'iast.requestSampling', value: 50, origin: 'code' },
-      {
+      DD_MAJOR < 6 && {
         name: 'iast.securityControlsConfiguration',
         value: 'SANITIZER:CODE_INJECTION:sanitizer.js:method',
         origin: 'code'
@@ -1289,7 +1294,7 @@ describe('Config', () => {
       { name: 'traceId128BitGenerationEnabled', value: true, origin: 'code' },
       { name: 'traceId128BitLoggingEnabled', value: true, origin: 'code' },
       { name: 'version', value: '0.1.0', origin: 'code' }
-    ])
+    ].filter(v => v))
   })
 
   it('should initialize from the options with url taking precedence', () => {
@@ -1684,8 +1689,13 @@ describe('Config', () => {
     expect(config).to.have.nested.property('iast.redactionNamePattern', 'REDACTION_NAME_PATTERN')
     expect(config).to.have.nested.property('iast.redactionValuePattern', 'REDACTION_VALUE_PATTERN')
     expect(config).to.have.nested.property('iast.requestSampling', 30)
-    expect(config).to.have.nested.property('iast.securityControlsConfiguration',
-      'SANITIZER:CODE_INJECTION:sanitizer.js:method2')
+    if (DD_MAJOR < 6) {
+      expect(config).to.have.nested.property('iast.securityControlsConfiguration',
+        'SANITIZER:CODE_INJECTION:sanitizer.js:method2')
+    } else {
+      expect(config).to.have.nested.property('iast.securityControlsConfiguration',
+        'SANITIZER:CODE_INJECTION:sanitizer.js:method1')
+    }
     expect(config).to.have.nested.property('iast.stackTrace.enabled', false)
     expect(config).to.have.nested.property('llmobs.agentlessEnabled', false)
     expect(config).to.have.nested.property('llmobs.mlApp', 'myOtherMlApp')

register.js

@@ -5,14 +5,4 @@
 const { register } = require('node:module')
 const { pathToFileURL } = require('node:url')
 
-register('./loader-hook.mjs', pathToFileURL(__filename), {
-  data: {
-    exclude: [
-      /langsmith/,
-      /openai\/_shims/,
-      /openai\/resources\/chat\/completions\/messages/,
-      /openai\/agents-core\/dist\/shims/,
-      /@anthropic-ai\/sdk\/_shims/
-    ]
-  }
-})
+register('./loader-hook.mjs', pathToFileURL(__filename))

yarn.lock

@@ -2014,6 +2014,11 @@ escape-string-regexp@^4.0.0:
   resolved "https://registry.yarnpkg.com/escape-string-regexp/-/escape-string-regexp-4.0.0.tgz#14ba83a5d373e3d311e5afca29cf5bfad965bf34"
   integrity sha512-TtpcNJ3XAzx3Gq8sWRzJaVajRs0uVxA2YAkdb1jm2YkPz4G6egUFAyA3n5vtEIZefPk5Wa4UXbKuS5fKkJWdgA==
 
+escape-string-regexp@^5.0.0:
+  version "5.0.0"
+  resolved "https://registry.yarnpkg.com/escape-string-regexp/-/escape-string-regexp-5.0.0.tgz#4683126b500b61762f2dbebace1806e8be31b1c8"
+  integrity sha512-/veY75JbMK4j1yjvuUxuVsiS/hr/4iHs9FTT6cgTexxdE0Ly/glccBAkloH/DofkjRbZU3bnoj38mOmhkZ0lHw==
+
 eslint-compat-utils@^0.5.1:
   version "0.5.1"
   resolved "https://registry.yarnpkg.com/eslint-compat-utils/-/eslint-compat-utils-0.5.1.tgz#7fc92b776d185a70c4070d03fd26fde3d59652e4"