[asm] IAST security controls

[iunanua]

What does this PR do?

IAST security controls implementation

ST DataDog/system-tests#3872

APPSEC-56286

Motivation

Plugin Checklist

• Unit tests.
• TypeScript definitions.
• TypeScript tests.
• API documentation.
• CircleCI jobs/workflows.
• Plugin is exported.

Additional Notes

[github-actions]

Overall package size

Self size: 8.59 MB
Deduped: 94.86 MB
No deduping: 95.37 MB

Dependency sizes

| name | version | self size | total size | |------|---------|-----------|------------| | @datadog/libdatadog | 0.4.0 | 29.44 MB | 29.44 MB | | @datadog/native-appsec | 8.4.0 | 19.25 MB | 19.26 MB | | @datadog/native-iast-taint-tracking | 3.3.0 | 13.77 MB | 13.78 MB | | @datadog/pprof | 5.5.0 | 9.8 MB | 10.17 MB | | protobufjs | 7.2.5 | 2.77 MB | 5.16 MB | | @datadog/native-iast-rewriter | 2.6.1 | 2.59 MB | 2.73 MB | | @opentelemetry/core | 1.14.0 | 872.87 kB | 1.47 MB | | @datadog/native-metrics | 3.1.0 | 1.06 MB | 1.46 MB | | @opentelemetry/api | 1.8.0 | 1.21 MB | 1.21 MB | | import-in-the-middle | 1.11.2 | 112.74 kB | 826.22 kB | | source-map | 0.7.4 | 226 kB | 226 kB | | opentracing | 0.14.7 | 194.81 kB | 194.81 kB | | lru-cache | 7.18.3 | 133.92 kB | 133.92 kB | | pprof-format | 2.1.0 | 111.69 kB | 111.69 kB | | @datadog/sketches-js | 2.1.0 | 109.9 kB | 109.9 kB | | semver | 7.6.3 | 95.82 kB | 95.82 kB | | lodash.sortby | 4.7.0 | 75.76 kB | 75.76 kB | | ignore | 5.3.1 | 51.46 kB | 51.46 kB | | shell-quote | 1.8.1 | 44.96 kB | 44.96 kB | | istanbul-lib-coverage | 3.2.0 | 29.34 kB | 29.34 kB | | rfdc | 1.3.1 | 25.21 kB | 25.21 kB | | @isaacs/ttlcache | 1.4.1 | 25.2 kB | 25.2 kB | | tlhunter-sorted-set | 0.1.0 | 24.94 kB | 24.94 kB | | limiter | 1.1.5 | 23.17 kB | 23.17 kB | | dc-polyfill | 0.1.4 | 23.1 kB | 23.1 kB | | retry | 0.13.1 | 18.85 kB | 18.85 kB | | jest-docblock | 29.7.0 | 8.99 kB | 12.76 kB | | crypto-randomuuid | 1.0.0 | 11.18 kB | 11.18 kB | | ttl-set | 1.0.0 | 4.61 kB | 9.69 kB | | path-to-regexp | 0.1.12 | 6.6 kB | 6.6 kB | | koalas | 1.0.2 | 6.47 kB | 6.47 kB | | module-details-from-path | 1.0.3 | 4.47 kB | 4.47 kB |

_{🤖 This report was automatically generated by heaviest-objects-in-the-universe}

[pr-commenter]

Benchmarks

Benchmark execution time: 2025-01-29 08:39:08

Comparing candidate commit cbc2355 in PR branch igor/iast-security-controls with baseline commit c0550a0 in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 911 metrics, 22 unstable metrics.

[codecov]

Codecov Report

Attention: Patch coverage is 94.97487% with 10 lines in your changes missing coverage. Please review.

Project coverage is 81.15%. Comparing base (c0550a0) to head (cbc2355).

Files with missing lines	Patch %	Lines
...d-trace/src/appsec/iast/security-controls/index.js	92.13%	7 Missing ⚠️
...-trace/src/appsec/iast/security-controls/parser.js	95.65%	2 Missing ⚠️
...iast/analyzers/nosql-injection-mongodb-analyzer.js	88.88%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #5117      +/-   ##
==========================================
+ Coverage   81.05%   81.15%   +0.10%     
==========================================
  Files         478      483       +5     
  Lines       21308    21479     +171     
==========================================
+ Hits        17271    17432     +161     
- Misses       4037     4047      +10     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[uurien]

I don't think so, but we could log an error rather than warn to be aware when the customer is using it incorrectly.

[uurien]

too simple regex I think, what if a directory in the list has an space?

[iunanua]

good point. replacing it

[uurien]

unnecessary fs access I think.

[uurien]

why?

[iunanua]

to have unsigned ints

[uurien]

you are not giving an option to configure it programatically, intentionally or you just forgot it?

[iunanua]

added

[IlyasShabi]

Suggested change

	let controlsByFile = controls.get(control.file)
	if (!controlsByFile) {
	controlsByFile = []
	controls.set(control.file, controlsByFile)
	}
	controlsByFile.push(control)
	if (!controls.has(control.file)) {
	controls.set(control.file, [])
	}
	controls.get(control.file).push(control)

[iunanua]

your suggestion has two accesses to controls: .has() and .get() 🤔

[IlyasShabi]

Similar to what you did no ? by the end it's O(1)

[uurien]

Is this with --import relevant? nodeOptions is defined as const out of the describe

[uurien]

what is "iv"?

[uurien]

could we have problems if we have a directory called node_modules? can we modify it to something like test_node_modules that we will rename when we copy that to the temp dir?

[uurien]

I miss a test checking that the usage of the input of the sanitizer is considered vulnerable:

const untrustedData = req.query.command
const safeData = sanitize(untrustedData)
exec(untrustedData) // this is vulnerable
exec(safeData) // this is not vulnerable