Refactor builtin interceptors (broken WIP)

Author: timokoessler

instrumentation-wasm/src/js_transformer/transformer.rs

@@ -132,7 +132,7 @@ impl<'a> Traverse<'a> for Transformer<'a> {
 
         if instruction.inspect_args {
             let source_text: &'a str = self.allocator.alloc_str(&format!(
-                "__instrumentInspectArgs('{}', false, arguments);",
+                "__instrumentInspectArgs('{}', arguments);",
                 instruction.identifier
             ));
 

library/agent/hooks/BuiltinModule.ts

@@ -1,11 +1,7 @@
-import { BuiltinInstrumentationInstruction } from "./instrumentation/types";
 import { RequireInterceptor } from "./RequireInterceptor";
 
 export class BuiltinModule {
   private requireInterceptors: RequireInterceptor[] = [];
-  private instrumentationInstructions:
-    | BuiltinInstrumentationInstruction
-    | undefined;
 
   constructor(private readonly name: string) {
     if (!this.name) {
@@ -24,14 +20,4 @@ export class BuiltinModule {
   getRequireInterceptors() {
     return this.requireInterceptors;
   }
-
-  setInstrumentationInstruction(
-    instruction: BuiltinInstrumentationInstruction
-  ) {
-    this.instrumentationInstructions = instruction;
-  }
-
-  getInstrumentationInstruction() {
-    return this.instrumentationInstructions;
-  }
 }

library/agent/hooks/instrumentation/builtinShim.test.ts

@@ -2,6 +2,7 @@ import * as t from "tap";
 import { generateBuildinShim } from "./builtinShim";
 
 t.test("generate fs/promises shim", async (t) => {
+  // Todo update
   const shim = generateBuildinShim("fs/promises", "fs/promises", [
     {
       name: "readFile",
@@ -10,22 +11,30 @@ t.test("generate fs/promises shim", async (t) => {
       modifyReturnValue: false,
     },
   ]);
+  if (!shim) {
+    t.fail("shim is undefined");
+    return;
+  }
 
   t.match(
-    shim?.replace(/\s+/g, " "),
+    shim.replace(/\s+/g, " "),
     `const orig = process.getBuiltinModule("fs/promises"); 
 const { __instrumentInspectArgs } = require('@aikidosec/firewall/instrument/internals');
 
-exports.readFile = function() {
-    __instrumentInspectArgs("fs/promises.readFile", true, arguments);                
+orig.readFile = function() {
+    __instrumentInspectArgs("fs/promises.readFile", arguments);                
     return orig.readFile(...arguments);                                              
 };
+
+exports = orig;
 `.replace(/\s+/g, " ")
   );
 
-  t.match(shim, "exports.rename = orig.rename;");
-  t.match(shim, "exports.rmdir = orig.rmdir;");
-  t.match(shim, "exports.rm = orig.rm;");
-  t.match(shim, "exports.stat = orig.stat;");
-  t.match(shim, "exports.symlink = orig.symlink;");
+  const modifiedShim = shim.replace(
+    "@aikidosec/firewall/instrument/internals",
+    "./injectedFunctions"
+  );
+
+  let modifiedExports = eval(modifiedShim);
+  console.log(modifiedExports);
 });

library/agent/hooks/instrumentation/builtinShim.ts

@@ -1,40 +1,22 @@
-import { getExportsForBuiltin } from "./getExportsForBuiltin";
-import { BuiltinInstrumentationInstructionJSON } from "./types";
-
 export function generateBuildinShim(
   builtinName: string,
   builtinNameWithoutPrefix: string,
-  instructions: BuiltinInstrumentationInstructionJSON["functions"]
+  format: "commonjs" | "module"
 ): string | undefined {
-  const exports = getExportsForBuiltin(builtinName);
+  // Todo fix broken with ESM
+  // Todo access unwrapped methods inside our own library to prevent infinite recursion
 
-  // Filter out non-existing exports
-  const methods = instructions.filter((m) => exports.has(m.name));
+  if (format === "module") {
+    return `const orig = process.getBuiltinModule(${JSON.stringify(builtinName)});
+    import { __wrapBuiltinExports } from '@aikidosec/firewall/instrument/internals';
 
-  if (methods.length === 0) {
-    // No methods to instrument, return undefined
-    return;
+    export default __wrapBuiltinExports("${builtinNameWithoutPrefix}", orig);
+  `;
   }
 
-  const unpatchedExports = Array.from(exports).filter(
-    (m: any) => !methods.some((method) => method.name === m.name)
-  );
-
-  // Todos: Copy over properties of patched methods?
-  // Todo check default export !!!
   return `const orig = process.getBuiltinModule(${JSON.stringify(builtinName)});
-const { __instrumentInspectArgs } = require('@aikidosec/firewall/instrument/internals');
-
-${methods
-  .map(
-    (method) => `
-  exports.${method.name} = function() {
-    ${method.inspectArgs ? `__instrumentInspectArgs("${builtinNameWithoutPrefix}.${method.name}", true, arguments);` : ""}
-    return orig.${method.name}(...arguments);
-  };`
-  )
-  .join("\n")}
+const { __wrapBuiltinExports } = require('@aikidosec/firewall/instrument/internals');
   
-  ${unpatchedExports.map((e) => `exports.${e} = orig.${e};`).join("\n")}
+module.exports = __wrapBuiltinExports("${builtinNameWithoutPrefix}", orig);
 `;
 }

library/agent/hooks/instrumentation/index.ts

@@ -1,7 +1,6 @@
 import { onModuleLoad } from "./loadHook";
 import * as mod from "node:module";
 import type { RegisterHookFunction } from "./types";
-import { Hooks } from "../Hooks";
 
 export function registerNodeHooks() {
   if (!("registerHooks" in mod) || typeof mod.registerHooks !== "function") {

library/agent/hooks/instrumentation/injectedFunctions.ts

@@ -1,31 +1,52 @@
 import { getInstance } from "../../AgentSingleton";
-import { getBuiltinCallbacks, getPackageCallbacks } from "./instructions";
+import { WrapPackageInfo } from "../WrapPackageInfo";
+import { getBuiltinInterceptors, getPackageCallbacks } from "./instructions";
 
-export function __instrumentInspectArgs(
-  id: string,
-  isBuiltin: boolean,
-  args: unknown[]
-): void {
+export function __instrumentInspectArgs(id: string, args: unknown[]): void {
   const agent = getInstance();
   if (!agent) {
     return;
   }
 
-  if (isBuiltin) {
-    const callbacks = getBuiltinCallbacks(id);
-
-    if (typeof callbacks.inspectArgs === "function") {
-      // Todo support subject?
-      callbacks.inspectArgs(args, agent, undefined);
-    }
-
-    return;
-  }
-
   const cbFuncs = getPackageCallbacks(id);
 
   if (typeof cbFuncs.inspectArgs === "function") {
     // Todo support subject?
     cbFuncs.inspectArgs(args, agent, undefined);
   }
 }
+
+export function __wrapBuiltinExports(id: string, exports: unknown): unknown {
+  const agent = getInstance();
+  if (!agent) {
+    return exports;
+  }
+
+  const interceptors = getBuiltinInterceptors(id);
+
+  if (interceptors.length === 0) {
+    return exports;
+  }
+
+  const pkgInfo: WrapPackageInfo = {
+    name: id,
+    type: "builtin",
+  };
+
+  // Todo check if cache is needed
+  for (const interceptor of interceptors) {
+    try {
+      const returnVal = interceptor(exports, pkgInfo);
+      // If the interceptor returns a value, we want to use this value as the new exports
+      if (typeof returnVal !== "undefined") {
+        exports = returnVal;
+      }
+    } catch (error) {
+      if (error instanceof Error) {
+        getInstance()?.onFailedToWrapModule(pkgInfo.name, error);
+      }
+    }
+  }
+
+  return exports;
+}

library/agent/hooks/instrumentation/instructions.ts

@@ -1,19 +1,18 @@
 import { Package } from "../Package";
 import { BuiltinModule } from "../BuiltinModule";
 import {
-  BuiltinInstrumentationInstructionJSON,
   IntereptorFunctionsObj,
   PackageFileInstrumentationInstructionJSON,
 } from "./types";
 import { satisfiesVersion } from "../../../helpers/satisfiesVersion";
+import { RequireInterceptor } from "../RequireInterceptor";
 
 // Keys are package / builtin names
 let packages = new Map<string, PackageFileInstrumentationInstructionJSON[]>();
-let builtins = new Map<string, BuiltinInstrumentationInstructionJSON>();
 
 // Stores the callbacks for the instrumented functions of builtin modules
 // Identifier for builtin is: moduleName.functionName
-let builtinCallbacks = new Map<string, IntereptorFunctionsObj>();
+let builtinRequireInterceptors = new Map<string, RequireInterceptor[]>();
 // Stores the callbacks for the instrumented functions of package files
 // Identifier for package file is: packageName.relativePath.functionName.matchingVersion
 let packageFileCallbacks = new Map<string, IntereptorFunctionsObj>();
@@ -65,58 +64,17 @@ export function setPackagesToInstrument(_packages: Package[]) {
 
 export function setBuiltinsToInstrument(builtinModules: BuiltinModule[]) {
   // Clear the previous builtins
-  builtins = new Map();
-  builtinCallbacks = new Map();
+  builtinRequireInterceptors = new Map();
 
   for (const builtin of builtinModules) {
-    const instructions = builtin.getInstrumentationInstruction();
-
-    if (
-      !instructions ||
-      !instructions.functions ||
-      instructions.functions.length === 0
-    ) {
-      continue;
-    }
+    const interceptors = builtin.getRequireInterceptors();
 
-    // Check if function is included twice
-    const functionNames = new Set<string>();
-    for (const f of instructions.functions) {
-      if (functionNames.has(f.name)) {
-        throw new Error(
-          `Function ${f.name} is included twice in the instrumentation instructions for ${builtin.getName()}`
-        );
-      }
-      functionNames.add(f.name);
+    if (interceptors.length > 0) {
+      builtinRequireInterceptors.set(builtin.getName(), interceptors);
     }
-
-    const functions = instructions.functions.map((f) => {
-      builtinCallbacks.set(`${builtin.getName()}.${f.name}`, {
-        inspectArgs: f.inspectArgs,
-        modifyArgs: f.modifyArgs,
-        modifyReturnValue: f.modifyReturnValue,
-      });
-
-      return {
-        name: f.name,
-        inspectArgs: !!f.inspectArgs,
-        modifyArgs: !!f.modifyArgs,
-        modifyReturnValue: !!f.modifyReturnValue,
-      };
-    });
-
-    builtins.set(builtin.getName(), {
-      functions,
-    });
   }
 }
 
-export function getBuiltinInstrumentationInstructions(
-  name: string
-): BuiltinInstrumentationInstructionJSON | undefined {
-  return builtins.get(name);
-}
-
 export function shouldPatchPackage(name: string): boolean {
   return packages.has(name);
 }
@@ -139,8 +97,10 @@ export function getPackageCallbacks(
   return packageFileCallbacks.get(identifier) || {};
 }
 
-export function getBuiltinCallbacks(
-  identifier: string
-): IntereptorFunctionsObj {
-  return builtinCallbacks.get(identifier) || {};
+export function getBuiltinInterceptors(name: string): RequireInterceptor[] {
+  return builtinRequireInterceptors.get(name) || [];
+}
+
+export function shouldPatchBuiltin(name: string): boolean {
+  return builtinRequireInterceptors.has(name);
 }

library/agent/hooks/instrumentation/loadHook.ts

@@ -6,8 +6,8 @@ import { getPackageVersionFromPath } from "./getPackageVersionFromPath";
 import { transformCode } from "./codeTransformation";
 import { generateBuildinShim } from "./builtinShim";
 import {
-  getBuiltinInstrumentationInstructions,
   getPackageFileInstrumentationInstructions,
+  shouldPatchBuiltin,
   shouldPatchPackage,
 } from "./instructions";
 import { removeNodePrefix } from "../../../helpers/removeNodePrefix";
@@ -41,7 +41,7 @@ export function onModuleLoad(
 
     // For Node.js builtin modules
     if (isBuiltin) {
-      return patchBuiltin(path, previousLoadResult, isModifiedBuiltin);
+      return patchBuiltin(path, previousLoadResult, context, isModifiedBuiltin);
     }
 
     return patchPackage(path, previousLoadResult);
@@ -123,6 +123,7 @@ function patchPackage(
 function patchBuiltin(
   builtinName: string,
   previousLoadResult: ReturnType<LoadFunction>,
+  context: Parameters<LoadFunction>[1],
   isAlreadyModified: boolean
 ) {
   if (isAlreadyModified) {
@@ -132,29 +133,31 @@ function patchBuiltin(
 
   const builtinNameWithoutPrefix = removeNodePrefix(builtinName);
 
-  const builtin = getBuiltinInstrumentationInstructions(
-    builtinNameWithoutPrefix
-  );
+  const builtin = shouldPatchBuiltin(builtinNameWithoutPrefix);
   if (!builtin) {
     return previousLoadResult;
   }
 
-  if (!builtin.functions || builtin.functions.length === 0) {
-    // We don't want to modify this module
-    return previousLoadResult;
-  }
+  const isCJSRequire =
+    (Array.isArray(context.conditions) &&
+      context.conditions.includes("require")) ||
+    ("has" in context.conditions &&
+      typeof context.conditions.has === "function" &&
+      context.conditions.has("require"));
+
+  const format = isCJSRequire ? "commonjs" : "module";
 
   const shim = generateBuildinShim(
     builtinName,
     builtinNameWithoutPrefix,
-    builtin.functions
+    format
   );
   if (!shim) {
     return previousLoadResult;
   }
 
   return {
-    format: "commonjs",
+    format: format,
     shortCircuit: previousLoadResult.shortCircuit,
     source: shim,
   };