feat: @elastic/elasticsearch support in IAST

lib/instrumentation-security/core/event-constants.js

@@ -40,7 +40,8 @@ const EVENT_CATEGORY = {
  UNVALIDATED_REDIRECT: 'UNVALIDATED_REDIRECT',
  REFLECTED_XSS: 'REFLECTED_XSS',
  XPATH: 'XPATH',
- LDAP: 'LDAP'
+ LDAP: 'LDAP',
+ ELASTIC_SEARCH: 'ELASTIC_SEARCH',
 }
 
 module.exports = {

lib/instrumentation-security/hooks/@elastic/nr-@elastic.js

@@ -0,0 +1,177 @@
+/*
+ * Copyright 2023 New Relic Corporation. All rights reserved.
+ * SPDX-License-Identifier: New Relic Pre-Release
+ */
+
+const requestManager = require("../../core/request-manager");
+
+const secUtils = require('../../core/sec-utils');
+const API = require("../../../nr-security-api");
+const securityMetaData = require('../../core/security-metadata');
+const { EVENT_TYPE, EVENT_CATEGORY } = require('../../core/event-constants');
+const { NR_CSEC_FUZZ_REQUEST_ID } = require('../../core/constants');
+const logger = API.getLogger();
+const semver = require('semver');
+
+
+module.exports = initialize;
+
+/**
+ * Entry point of mysql and msyql2 module hooks
+ * @param {*} shim 
+ * @param {*} mysql 
+ * @param {*} moduleName 
+ */
+function initialize(shim, elastic, moduleName) {
+ logger.info("Instrumenting", moduleName);
+
+ const pkgVersion = shim.require('./package.json').version
+ if (semver.lt(pkgVersion, '7.13.0')) {
+ logger.debug(`ElasticSearch support is for versions 7.13.0 and above. Not instrumenting ${pkgVersion}.`)
+ return;
+ }
+ requestHook(shim, elastic.Transport.prototype, 'request');
+
+}
+
+function requestHook(shim, mod, methodName) {
+ shim.wrap(mod, methodName, function makeWrapper(shim, fn) {
+ return function wrapper() {
+ try {
+ let args = arguments[0];
+ let extractedReq = queryParser(args);
+ let payloadData = {
+ payload: extractedReq.query,
+ payloadType: extractedReq.operation,
+ collection: extractedReq.collection
+ }
+
+ shim.interceptedArgs = payloadData;
+ const request = requestManager.getRequest(shim);
+ if (request) {
+ const traceObject = secUtils.getTraceObject(shim);
+ const secMetadata = securityMetaData.getSecurityMetaData(request, payloadData, traceObject, secUtils.getExecutionId(), EVENT_TYPE.NOSQL_DB_COMMAND, EVENT_CATEGORY.ELASTIC_SEARCH)
+ const secEvent = API.generateSecEvent(secMetadata);
+ API.sendEvent(secEvent);
+ }
+ } catch (error) {
+ logger.debug("Error in request hook of elastic serach:",error);
+ }
+
+ return fn.apply(this, arguments);
+ };
+ });
+}
+
+/**
+ * Convenience function to test if a value is a non-null object
+ *
+ * @param {object} thing Value to be tested
+ * @returns {boolean} whether or not the value is an object and not null
+ */
+function isSimpleObject(thing) {
+ return Object.prototype.toString.call(thing) === '[object Object]' && thing !== null
+}
+
+/**
+ * Convenience function to test if an object is not empty
+ *
+ * @param {object} thing Value to be tested
+ * @returns {boolean} true if the value is an object, not null, and has keys
+ */
+function isNotEmpty(thing) {
+ return isSimpleObject(thing) && Object.keys(thing).length > 0
+}
+
+/**
+ * Parses the parameters sent to elasticsearch for collection,
+ * method, and query
+ *
+ * @param {object} params Query object received by the datashim.
+ * Required properties: path {string}, method {string}.
+ * Optional properties: querystring {string}, body {object}, and
+ * bulkBody {object}
+ * @returns {object} consisting of collection {string}, operation {string},
+ * and query {string}
+ */
+function queryParser(params) {
+ const { collection, operation } = parsePath(params.path, params.method)
+
+ // the substance of the query may be in querystring or in body.
+ let queryParam = {}
+ if (isNotEmpty(params.querystring)) {
+ queryParam = params.querystring
+ }
+ // let body or bulkBody override querystring, as some requests have both
+ if (isNotEmpty(params.body)) {
+ queryParam = params.body
+ } else if (Array.isArray(params.bulkBody) && params.bulkBody.length) {
+ queryParam = params.bulkBody
+ }
+ const clonedParams = Object.assign({}, queryParam);
+ let query = clonedParams;
+ query.path = params.path;
+
+ return {
+ collection,
+ operation,
+ query,
+ }
+}
+
+
+/**
+ * Convenience function for parsing the params.path sent to the queryParser
+ * for normalized collection and operation
+ *
+ * @param {string} pathString params.path supplied to the query parser
+ * @param {string} method http method called by @elastic/elasticsearch
+ * @returns {object} consisting of collection {string} and operation {string}
+ */
+function parsePath(pathString, method) {
+ let collection
+ let operation
+ const defaultCollection = 'any'
+ const actions = {
+ GET: 'get',
+ PUT: 'create',
+ POST: 'create',
+ DELETE: 'delete',
+ HEAD: 'exists'
+ }
+ const suffix = actions[method]
+
+ try {
+ const path = pathString.split('/')
+ if (method === 'PUT' && path.length === 2) {
+ collection = path?.[1] || defaultCollection
+ operation = `index.create`
+ return { collection, operation }
+ }
+ path.forEach((segment, idx) => {
+ const prev = idx - 1
+ let opname
+ if (segment === '_search') {
+ collection = path?.[prev] || defaultCollection
+ operation = `search`
+ } else if (segment[0] === '_') {
+ opname = segment.substring(1)
+ collection = path?.[prev] || defaultCollection
+ operation = `${opname}.${suffix}`
+ }
+ })
+ if (!operation && !collection) {
+ // likely creating an index--no underscore segments
+ collection = path?.[1] || defaultCollection
+ operation = `index.${suffix}`
+ }
+ } catch (e) {
+ logger.warn('Failed to parse path for operation and collection. Using defaults')
+ logger.warn(e)
+ collection = defaultCollection
+ operation = 'unknown'
+ }
+
+ return { collection, operation }
+}
+

lib/instrumentation-security/index.js

@@ -190,6 +190,14 @@ newrelic.instrumentWebframework({
  }
 })
 
+newrelic.instrumentWebframework({
+ moduleName: '@elastic/elasticsearch',
+ isEsm: true,
+ onRequire: require('./hooks/@elastic/nr-@elastic'),
+ onError: function intrumentErrorHandler(err) {
+ logger.error(err.message, err.stack)
+ }
+})