collect express endpoints (#6271)

Endpoints discovery for express

Co-authored-by: Ugaitz Urien <ugaitz.urien@datadoghq.com>
Co-authored-by: simon-id <simon.id@datadoghq.com>

Author: 3 people

integration-tests/appsec/endpoints-collection.spec.js

@@ -13,10 +13,7 @@ describe('Endpoints collection', () => {
   before(async function () {
     this.timeout(process.platform === 'win32' ? 90000 : 30000)
 
-    sandbox = await createSandbox(
-      ['fastify'],
-      false
-    )
+    sandbox = await createSandbox(['express', 'fastify'])
 
     cwd = sandbox.folder
   })
@@ -35,34 +32,16 @@ describe('Endpoints collection', () => {
       { method: 'PUT', path: '/users/:id' },
       { method: 'DELETE', path: '/users/:id' },
       { method: 'PATCH', path: '/users/:id/:name' },
-      { method: 'OPTIONS', path: '/users/:id?' },
-
-      // Route with regex
-      { method: 'DELETE', path: '/regex/:hour(^\\d{2})h:minute(^\\d{2})m' },
 
       // Additional methods
       { method: 'TRACE', path: '/trace-test' },
       { method: 'HEAD', path: '/head-test' },
 
-      // Custom method
-      { method: 'MKCOL', path: '/example/near/:lat-:lng/radius/:r' },
-
       // Using app.route()
       { method: 'POST', path: '/multi-method' },
       { method: 'PUT', path: '/multi-method' },
       { method: 'PATCH', path: '/multi-method' },
 
-      // All supported methods route
-      { method: 'GET', path: '/all-methods' },
-      { method: 'HEAD', path: '/all-methods' },
-      { method: 'TRACE', path: '/all-methods' },
-      { method: 'DELETE', path: '/all-methods' },
-      { method: 'OPTIONS', path: '/all-methods' },
-      { method: 'PATCH', path: '/all-methods' },
-      { method: 'PUT', path: '/all-methods' },
-      { method: 'POST', path: '/all-methods' },
-      { method: 'MKCOL', path: '/all-methods' }, // Added with addHttpMethod
-
       // Nested routes with Router
       { method: 'PUT', path: '/v1/nested/:id' },
 
@@ -73,16 +52,83 @@ describe('Endpoints collection', () => {
       { method: 'HEAD', path: '/api/sub/deep' },
       { method: 'POST', path: '/api/sub/deep/:id' },
 
-      // Wildcard routes
-      { method: 'GET', path: '/wildcard/*' },
-      { method: 'HEAD', path: '/wildcard/*' },
-      { method: 'GET', path: '*' },
-      { method: 'HEAD', path: '*' },
-
       { method: 'GET', path: '/later' },
       { method: 'HEAD', path: '/later' },
     ]
 
+    if (framework === 'fastify') {
+      expectedEndpoints.push(
+        // Route with regex - not supported in express5
+        { method: 'DELETE', path: '/regex/:hour(^\\d{2})h:minute(^\\d{2})m' },
+
+        { method: 'OPTIONS', path: '/users/:id?' },
+        { method: 'MKCOL', path: '/example/near/:lat-:lng/radius/:r' }, // Added with addHttpMethod
+
+        // All supported methods route
+        { method: 'GET', path: '/all-methods' },
+        { method: 'HEAD', path: '/all-methods' },
+        { method: 'TRACE', path: '/all-methods' },
+        { method: 'DELETE', path: '/all-methods' },
+        { method: 'OPTIONS', path: '/all-methods' },
+        { method: 'PATCH', path: '/all-methods' },
+        { method: 'PUT', path: '/all-methods' },
+        { method: 'POST', path: '/all-methods' },
+        { method: 'MKCOL', path: '/all-methods' }, // Added with addHttpMethod
+
+        // Wildcard routes
+        { method: 'GET', path: '/wildcard/*' },
+        { method: 'HEAD', path: '/wildcard/*' },
+        { method: 'GET', path: '*' },
+        { method: 'HEAD', path: '*' }
+      )
+    }
+
+    if (framework === 'express') {
+      expectedEndpoints.push(
+        { method: 'CONNECT', path: '/connect-test' },
+        { method: '*', path: '/multi-method' },
+        { method: '*', path: '/all-methods' },
+        { method: '*', path: '/wildcard/*name' },
+        { method: '*', path: '/^\\/login\\/.*$/i' },
+        { method: 'OPTIONS', path: '/users/:id' },
+        { method: 'PATCH', path: '/^\\/ab(cd)?$/' },
+        { method: 'POST', path: '/array-route-one' },
+        { method: 'POST', path: '/array-route-two' },
+        { method: 'POST', path: '/api/array/array-one' },
+        { method: 'POST', path: '/api/array/array-two' },
+        { method: 'PUT', path: '/api/regex/^\\/item\\/(\\d+)$/' },
+        { method: 'GET', path: '/multi-array' },
+        { method: 'HEAD', path: '/multi-array' },
+        { method: 'GET', path: '/multi-array/mounted' },
+        { method: 'HEAD', path: '/multi-array/mounted' },
+        { method: 'GET', path: '/multi-array-alt' },
+        { method: 'HEAD', path: '/multi-array-alt' },
+        { method: 'GET', path: '/multi-array-alt/mounted' },
+        { method: 'HEAD', path: '/multi-array-alt/mounted' },
+        { method: 'GET', path: '/^\\/regex-mount(?:\\/|$)/mounted' },
+        { method: 'HEAD', path: '/^\\/regex-mount(?:\\/|$)/mounted' },
+
+        // Multiple routers without mount path
+        { method: 'PUT', path: '/router1' },
+        { method: 'PUT', path: '/router2' },
+
+        // Nested routers mounted after definitions
+        { method: 'GET', path: '/root/path/path2/endpoint' },
+        { method: 'HEAD', path: '/root/path/path2/endpoint' },
+
+        // Same router mounted at multiple paths
+        { method: 'GET', path: '/api/v1/shared-before' },
+        { method: 'HEAD', path: '/api/v1/shared-before' },
+        { method: 'GET', path: '/api/v2/shared-before' },
+        { method: 'HEAD', path: '/api/v2/shared-before' },
+
+        { method: 'GET', path: '/api/v1/shared-after' },
+        { method: 'HEAD', path: '/api/v1/shared-after' },
+        { method: 'GET', path: '/api/v2/shared-after' },
+        { method: 'HEAD', path: '/api/v2/shared-after' }
+      )
+    }
+
     return expectedEndpoints
   }
 
@@ -97,6 +143,8 @@ describe('Endpoints collection', () => {
       const endpointsFound = []
       const isFirstFlags = []
 
+      const expectedMessageCount = framework === 'express' ? 7 : 4
+
       const telemetryPromise = agent.assertTelemetryReceived(({ payload }) => {
         isFirstFlags.push(Boolean(payload.payload.is_first))
 
@@ -111,7 +159,7 @@ describe('Endpoints collection', () => {
             })
           })
         }
-      }, 'app-endpoints', 5_000, 4)
+      }, 'app-endpoints', 5_000, expectedMessageCount)
 
       proc = await spawnProc(appFile, {
         cwd,
@@ -132,6 +180,7 @@ describe('Endpoints collection', () => {
         const found = endpointsFound.find(e =>
           e.method === expected.method && e.path === expected.path
         )
+
         expect(found).to.exist
         expect(found.type).to.equal('REST')
         expect(found.operation_name).to.equal('http.request')
@@ -140,12 +189,25 @@ describe('Endpoints collection', () => {
 
       // check that no additional endpoints were found
       expect(endpointsFound.length).to.equal(expectedEndpoints.length)
+
+      // Explicitly verify invalid endpoints are NOT reported
+      if (framework === 'express') {
+        const cycleEndpoints = endpointsFound.filter(e => e.path.includes('cycle'))
+        expect(cycleEndpoints).to.have.lengthOf(0, 'Cycle router endpoints should not be collected')
+
+        const invalidEndpoints = endpointsFound.filter(e => e.path.includes('invalid'))
+        expect(invalidEndpoints).to.have.lengthOf(0, 'Invalid router paths should not be collected')
+      }
     } finally {
       proc?.kill()
       await agent?.stop()
     }
   }
 
+  it('should send express endpoints via telemetry', async () => {
+    await runEndpointTest('express')
+  })
+
   it('should send fastify endpoints via telemetry', async () => {
     await runEndpointTest('fastify')
   })

integration-tests/appsec/endpoints-collection/express.js

@@ -0,0 +1,127 @@
+'use strict'
+
+const tracer = require('dd-trace')
+tracer.init({
+  flushInterval: 0
+})
+
+const express = require('express')
+const app = express()
+
+// Basic routes
+app.get('/users', (_, res) => res.send('ok'))
+app.post('/users/', (_, res) => res.send('ok'))
+app.put('/users/:id', (_, res) => res.send('ok'))
+app.delete('/users/:id', (_, res) => res.send('ok'))
+app.patch('/users/:id/:name', (_, res) => res.send('ok'))
+app.options('/users/:id', (_, res) => res.send('ok'))
+
+// Additional methods
+app.trace('/trace-test', (_, res) => res.send('ok'))
+app.head('/head-test', (_, res) => res.send('ok'))
+app.connect('/connect-test', (_, res) => res.send('ok'))
+
+// Using app.route()
+app.route('/multi-method')
+  .post((_, res) => res.send('ok'))
+  .put((_, res) => res.send('ok'))
+  .patch((_, res) => res.send('ok'))
+  .all((_, res) => res.send('ok'))
+
+app.route(/^\/ab(cd)?$/)
+  .patch((_, res) => res.send('ok'))
+
+app.route(['/array-route-one', ['/array-route-two']])
+  .post((_, res) => res.send('ok'))
+
+// All supported methods route
+app.all('/all-methods', async (_, res) => res.send('ok'))
+
+// Wildcard routes via array
+app.all(['/wildcard/*name'], (_, res) => res.send('ok'))
+
+// RegExp wildcard route
+app.all(/^\/login\/.*$/i, (_, res) => {
+  res.send('ok')
+})
+
+// Nested routes with Router
+const apiRouter = express.Router()
+app.use('/v1', apiRouter)
+apiRouter.put('/nested/:id', (_, res) => res.send('ok'))
+
+// Multiple routers without mount path
+const apiRouter1 = express.Router()
+const apiRouter2 = express.Router()
+
+apiRouter1.put('/router1', (_, res) => res.send('ok 1'))
+apiRouter2.put('/router2', (_, res) => res.send('ok 2'))
+
+app.use(apiRouter1, apiRouter2)
+
+// Test nested routers before app.use
+const router1 = express.Router()
+const router2 = express.Router()
+const router3 = express.Router()
+
+router2.use('/path2', router3)
+router3.get('/endpoint', (_, res) => res.send('ok'))
+router1.use('/path', router2)
+
+// Array mount path
+const arrayMountRouter = express.Router()
+arrayMountRouter.get('/', (_, res) => res.send('ok'))
+arrayMountRouter.get('/mounted', (_, res) => res.send('ok'))
+
+app.use(['/multi-array', '/multi-array-alt'], arrayMountRouter)
+
+// Regex mount path
+const regexMountRouter = express.Router()
+regexMountRouter.get('/mounted', (_, res) => res.send('ok'))
+
+app.use(/^\/regex-mount(?:\/|$)/, regexMountRouter)
+
+// Add endpoint during runtime
+setTimeout(() => {
+  app.use('/root', router1)
+
+  // Deeply nested routes
+  const deepRouter = express.Router()
+  deepRouter.get('/nested', (_, res) => res.send('ok'))
+  const subRouter = express.Router()
+  subRouter.get('/deep', (_, res) => res.send('ok'))
+  subRouter.post('/deep/:id', (_, res) => res.send('ok'))
+  deepRouter.use('/sub', subRouter)
+  const arrayRouter = express.Router()
+  arrayRouter.post(['/array-one', '/array-two'], (_, res) => res.send('ok'))
+  deepRouter.use('/array', arrayRouter)
+  const regexRouter = express.Router()
+  regexRouter.put(/^\/item\/(\d+)$/, (_, res) => res.send('ok'))
+  deepRouter.use('/regex', regexRouter)
+  app.use('/api', deepRouter)
+  app.get('/later', (_, res) => res.send('ok'))
+}, 1_000)
+
+// Same router mounted at multiple paths - should report both
+const sharedRouter = express.Router()
+sharedRouter.get('/shared-before', (_, res) => res.send('ok'))
+
+app.use('/api/v1', sharedRouter)
+app.use('/api/v2', sharedRouter)
+
+sharedRouter.get('/shared-after', (_, res) => res.send('ok'))
+
+// Cycle routers - should not be collected
+const cycleRouter = express.Router()
+cycleRouter.use('/cycle', cycleRouter)
+app.use('/cycle', cycleRouter)
+
+// Invalid route path - should not be collected
+const invalidRouter = express.Router()
+app.use('/invalid', invalidRouter)
+invalidRouter.get('nested', (_, res) => res.send('ok'))
+
+const server = app.listen(0, '127.0.0.1', () => {
+  const port = server.address().port
+  process.send({ port })
+})