Remove Async Resource from knex (#6241)

* Remove Async Resource from knex

* Tiny improvements

Author: uurien

packages/datadog-instrumentations/src/knex.js

@@ -1,10 +1,11 @@
 'use strict'
 
-const { addHook, channel, AsyncResource } = require('./helpers/instrument')
+const { addHook, channel } = require('./helpers/instrument')
 const { wrapThen } = require('./helpers/promise')
 const shimmer = require('../../datadog-shimmer')
 
 const startRawQueryCh = channel('datadog:knex:raw:start')
+const rawQuerySubscribes = channel('datadog:knex:raw:subscribes')
 const finishRawQueryCh = channel('datadog:knex:raw:finish')
 
 patch('lib/query/builder.js')
@@ -22,8 +23,8 @@ function patch (file) {
   })
 }
 
-function finish () {
-  finishRawQueryCh.publish()
+function finish (context, cb) {
+  finishRawQueryCh.runStores(context, cb)
 }
 
 addHook({
@@ -43,21 +44,18 @@ addHook({
       return raw.apply(this, arguments)
     }
 
-    const asyncResource = new AsyncResource('bound-anonymous-fn')
-
-    return asyncResource.runInAsyncScope(() => {
-      startRawQueryCh.publish({ sql, dialect: this.dialect })
-
+    const context = { sql, dialect: this.dialect }
+    return startRawQueryCh.runStores(context, () => {
       const rawResult = raw.apply(this, arguments)
       shimmer.wrap(rawResult, 'then', originalThen => function () {
-        return asyncResource.runInAsyncScope(() => {
-          arguments[0] = wrapCallbackWithFinish(arguments[0], finish)
-          if (arguments[1]) arguments[1] = wrapCallbackWithFinish(arguments[1], finish)
+        return rawQuerySubscribes.runStores(context, () => {
+          arguments[0] = wrapCallbackWithFinish(arguments[0], finish, context)
+          if (arguments[1]) arguments[1] = wrapCallbackWithFinish(arguments[1], finish, context)
 
           const originalThenResult = originalThen.apply(this, arguments)
 
           shimmer.wrap(originalThenResult, 'catch', originalCatch => function () {
-            arguments[0] = wrapCallbackWithFinish(arguments[0], finish)
+            arguments[0] = wrapCallbackWithFinish(arguments[0], finish, context)
             return originalCatch.apply(this, arguments)
           })
 
@@ -66,23 +64,23 @@ addHook({
       })
 
       shimmer.wrap(rawResult, 'asCallback', originalAsCallback => function () {
-        return asyncResource.runInAsyncScope(() => {
-          arguments[0] = wrapCallbackWithFinish(arguments[0], finish)
+        return rawQuerySubscribes.runStores(context, () => {
+          arguments[0] = wrapCallbackWithFinish(arguments[0], finish, context)
           return originalAsCallback.apply(this, arguments)
         })
       })
 
       return rawResult
     })
   })
+
   return Knex
 })
 
-function wrapCallbackWithFinish (callback, finish) {
+function wrapCallbackWithFinish (callback, finish, context) {
   if (typeof callback !== 'function') return callback
 
   return shimmer.wrapFunction(callback, callback => function () {
-    finish()
-    callback.apply(this, arguments)
+    finish(context, () => callback.apply(this, arguments))
   })
 }

packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js

@@ -33,11 +33,16 @@ class SqlInjectionAnalyzer extends StoredInjectionAnalyzer {
     this.addSub('datadog:mysql:pool:query:start', ({ sql }) => this.setStoreAndAnalyze(sql, 'MYSQL'))
     this.addSub('datadog:mysql:pool:query:finish', () => this.returnToParentStore())
 
-    this.addSub('datadog:knex:raw:start', ({ sql, dialect: knexDialect }) => {
+    this.addBind('datadog:knex:raw:start', (context) => {
+      const { sql, dialect: knexDialect } = context
       const dialect = this.normalizeKnexDialect(knexDialect)
-      this.setStoreAndAnalyze(sql, dialect)
+      const currentStore = this.getStoreAndAnalyze(sql, dialect)
+      context.currentStore = currentStore
+      return currentStore
     })
-    this.addSub('datadog:knex:raw:finish', () => this.returnToParentStore())
+
+    this.addBind('datadog:knex:raw:subscribes', ({ currentStore }) => currentStore)
+    this.addBind('datadog:knex:raw:finish', ({ currentStore }) => currentStore?.sqlParentStore)
   }
 
   setStoreAndAnalyze (query, dialect) {
@@ -57,8 +62,7 @@ class SqlInjectionAnalyzer extends StoredInjectionAnalyzer {
     }
   }
 
-  returnToParentStore () {
-    const store = storage('legacy').getStore()
+  returnToParentStore (store = storage('legacy').getStore()) {
     if (store && store.sqlParentStore) {
       storage('legacy').enterWith(store.sqlParentStore)
     }

packages/dd-trace/test/appsec/iast/analyzers/resources/knex-sql-injection-methods.js

@@ -35,10 +35,25 @@ function executeKnexNestedRawQueryAsCallback (knex, taintedSql, sqlToFail, cb) {
   })
 }
 
+async function executeKnexAsyncNestedRawQuery (knex, taintedSql, notTaintedSql) {
+  await knex.raw(notTaintedSql)
+  await knex.raw(taintedSql)
+}
+
+async function executeKnexAsyncNestedRawQueryAsAsyncTryCatch (knex, taintedSql, sqlToFail) {
+  try {
+    await knex.raw(sqlToFail)
+  } catch (e) {
+    await knex.raw(taintedSql)
+  }
+}
+
 module.exports = {
   executeKnexRawQuery,
   executeKnexNestedRawQuery,
+  executeKnexAsyncNestedRawQuery,
   executeKnexNestedRawQueryOnRejectedInThen,
   executeKnexNestedRawQueryWitCatch,
-  executeKnexNestedRawQueryAsCallback
+  executeKnexNestedRawQueryAsCallback,
+  executeKnexAsyncNestedRawQueryAsAsyncTryCatch
 }

packages/dd-trace/test/appsec/iast/analyzers/sql-injection-analyzer.knex.plugin.spec.js

@@ -14,7 +14,7 @@ describe('sql-injection-analyzer with knex', () => {
   withVersions('knex', 'knex', knexVersion => {
     if (!semver.satisfies(knexVersion, '>=2')) return
 
-    withVersions('pg', 'pg', pgVersion => {
+    withVersions('pg', 'pg', () => {
       let knex
 
       prepareTestServerForIast('knex + pg',
@@ -88,6 +88,26 @@ describe('sql-injection-analyzer with knex', () => {
             })
           })
 
+          describe('nested raw query - using async instead of then', () => {
+            testThatRequestHasVulnerability(() => {
+              const store = storage('legacy').getStore()
+              const iastCtx = iastContextFunctions.getIastContext(store)
+
+              let taintedSql = 'SELECT 1'
+              taintedSql = newTaintedString(iastCtx, taintedSql, 'param', 'Request')
+
+              const notTaintedSql = 'SELECT 1'
+
+              return queryMethods.executeKnexAsyncNestedRawQuery(knex, taintedSql, notTaintedSql)
+            }, 'SQL_INJECTION', {
+              occurrences: 1,
+              location: {
+                path: 'knex-sql-injection-methods.js',
+                line: 40
+              }
+            })
+          })
+
           describe('nested raw query - onRejected as then argument', () => {
             testThatRequestHasVulnerability(() => {
               const store = storage('legacy').getStore()
@@ -128,6 +148,26 @@ describe('sql-injection-analyzer with knex', () => {
             })
           })
 
+          describe('nested raw query - async try catch', () => {
+            testThatRequestHasVulnerability(() => {
+              const store = storage('legacy').getStore()
+              const iastCtx = iastContextFunctions.getIastContext(store)
+
+              let taintedSql = 'SELECT 1'
+              taintedSql = newTaintedString(iastCtx, taintedSql, 'param', 'Request')
+
+              const sqlToFail = 'SELECT * FROM NON_EXISTSING_TABLE'
+
+              return queryMethods.executeKnexAsyncNestedRawQueryAsAsyncTryCatch(knex, taintedSql, sqlToFail)
+            }, 'SQL_INJECTION', {
+              occurrences: 1,
+              location: {
+                path: 'knex-sql-injection-methods.js',
+                line: 47
+              }
+            })
+          })
+
           describe('nested raw query - asCallback', () => {
             testThatRequestHasVulnerability(() => {
               return new Promise((resolve, reject) => {

packages/dd-trace/test/appsec/iast/analyzers/sql-injection-analyzer.spec.js

@@ -64,20 +64,21 @@ describe('sql-injection-analyzer', () => {
   sqlInjectionAnalyzer.configure(true)
 
   it('should subscribe to mysql, mysql2 and pg start query channel', () => {
-    expect(sqlInjectionAnalyzer._subscriptions).to.have.lengthOf(9)
+    expect(sqlInjectionAnalyzer._subscriptions).to.have.lengthOf(7)
     expect(sqlInjectionAnalyzer._subscriptions[0]._channel.name).to.equals('apm:mysql:query:start')
     expect(sqlInjectionAnalyzer._subscriptions[1]._channel.name).to.equals('datadog:mysql2:outerquery:start')
     expect(sqlInjectionAnalyzer._subscriptions[2]._channel.name).to.equals('apm:pg:query:start')
     expect(sqlInjectionAnalyzer._subscriptions[3]._channel.name).to.equals('datadog:sequelize:query:finish')
     expect(sqlInjectionAnalyzer._subscriptions[4]._channel.name).to.equals('datadog:pg:pool:query:finish')
     expect(sqlInjectionAnalyzer._subscriptions[5]._channel.name).to.equals('datadog:mysql:pool:query:start')
     expect(sqlInjectionAnalyzer._subscriptions[6]._channel.name).to.equals('datadog:mysql:pool:query:finish')
-    expect(sqlInjectionAnalyzer._subscriptions[7]._channel.name).to.equals('datadog:knex:raw:start')
-    expect(sqlInjectionAnalyzer._subscriptions[8]._channel.name).to.equals('datadog:knex:raw:finish')
 
-    expect(sqlInjectionAnalyzer._bindings).to.have.lengthOf(2)
+    expect(sqlInjectionAnalyzer._bindings).to.have.lengthOf(5)
     expect(sqlInjectionAnalyzer._bindings[0]._channel.name).to.equals('datadog:sequelize:query:start')
     expect(sqlInjectionAnalyzer._bindings[1]._channel.name).to.equals('datadog:pg:pool:query:start')
+    expect(sqlInjectionAnalyzer._bindings[2]._channel.name).to.equals('datadog:knex:raw:start')
+    expect(sqlInjectionAnalyzer._bindings[3]._channel.name).to.equals('datadog:knex:raw:subscribes')
+    expect(sqlInjectionAnalyzer._bindings[4]._channel.name).to.equals('datadog:knex:raw:finish')
   })
 
   it('should not detect vulnerability when no query', () => {