DataDog · hoolioh · Dec 20, 2023 · Nov 23, 2023 · Nov 23, 2023 · Nov 24, 2023
@@ -135,6 +135,20 @@ jobs:
       - run: yarn test:appsec:plugins:ci
       - uses: codecov/codecov-action@v2
 
+  graphql:
+    runs-on: ubuntu-latest
+    env:
+      PLUGINS: apollo-server|apollo-server-express|apollo-server-fastify|apollo-server-core
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ./.github/actions/node/setup
+      - run: yarn install
+      - uses: ./.github/actions/node/oldest
+      - run: yarn test:appsec:plugins:ci
+      - uses: ./.github/actions/node/latest
+      - run: yarn test:appsec:plugins:ci
+      - uses: codecov/codecov-action@v2
+
   mongodb-core:
     runs-on: ubuntu-latest
     services:

@@ -108,6 +108,7 @@ tracer.init({
     obfuscatorValueRegex: '.*',
     blockedTemplateHtml: './blocked.html',
     blockedTemplateJson: './blocked.json',
+    blockedTemplateGraphql: './blockedgraphql.json',
     eventTracking: {
       mode: 'safe'
     },

@@ -567,6 +567,11 @@ export declare interface TracerOptions {
      */
     blockedTemplateJson?: string,
 
+    /**
+     * Specifies a path to a custom blocking template json file for graphql requests
+     */
+    blockedTemplateGraphql?: string,
+
     /**
      * Controls the automated user event tracking configuration
      */

@@ -79,7 +79,6 @@ describe('graphql', () => {
           {
             id: 'test-rule-id-1',
             name: 'test-rule-name-1',
-            on_match: ['block'],
             tags:
             {
               category: 'attack_attempt',
@@ -92,8 +91,8 @@ describe('graphql', () => {
               operator_value: '',
               parameters: [
                 {
-                  address: 'graphql.server.all_resolvers',
-                  key_path: ['images', '0', 'category'],
+                  address: 'graphql.server.resolver',
+                  key_path: ['images', 'category'],
                   value: 'testattack',
                   highlight: ['testattack']
                 }

@@ -17,6 +17,9 @@
               "inputs": [
                 {
                   "address": "graphql.server.all_resolvers"
+                },
+                {
+                  "address": "graphql.server.resolver"
                 }
               ],
               "list": [
@@ -27,7 +30,7 @@
           }
         ],
         "transformers": ["lowercase"],
-        "on_match": ["block"]
+        "on_match": []
       }
     ]
 }
@@ -0,0 +1,40 @@
+'use strict'
+
+const { AbortController } = require('node-abort-controller')
+const { addHook } = require('./helpers/instrument')
+const shimmer = require('../../datadog-shimmer')
+const dc = require('dc-polyfill')
+
+const requestChannel = dc.tracingChannel('datadog:apollo-server-core:request')
+
+addHook({ name: 'apollo-server-core', file: 'dist/runHttpQuery.js', versions: ['>3.0.0'] }, runHttpQueryModule => {
+  const HttpQueryError = runHttpQueryModule.HttpQueryError
+
+  shimmer.wrap(runHttpQueryModule, 'runHttpQuery', function wrapRunHttpQuery (originalRunHttpQuery) {
+    return async function runHttpQuery () {
+      if (!requestChannel.start.hasSubscribers) {
+        return originalRunHttpQuery.apply(this, arguments)
+      }
+
+      const abortController = new AbortController()
+      const abortData = {}
+
+      const runHttpQueryResult = requestChannel.tracePromise(
+        originalRunHttpQuery,
+        { abortController, abortData },
+        this,
+        ...arguments)
+
+      return Promise.race([runHttpQueryResult]).then((value) => {
+        if (abortController.signal.aborted) {
+          // runHttpQuery callbacks are writing the response on resolve/reject.
+          // We should return blocking data in the apollo-server-core HttpQueryError object
+          return Promise.reject(new HttpQueryError(abortData.statusCode, abortData.message, true, abortData.headers))
+        }
+        return value
+      })
+    }
+  })
+
+  return runHttpQueryModule
+})
@@ -0,0 +1,83 @@
+'use strict'
+
+const { AbortController } = require('node-abort-controller')
+const dc = require('dc-polyfill')
+
+const { addHook } = require('./helpers/instrument')
+const shimmer = require('../../datadog-shimmer')
+
+const graphqlMiddlewareChannel = dc.tracingChannel('datadog:apollo:middleware')
+
+const requestChannel = dc.tracingChannel('datadog:apollo:request')
+
+let HeaderMap
+
+function wrapExecuteHTTPGraphQLRequest (originalExecuteHTTPGraphQLRequest) {
+  return async function executeHTTPGraphQLRequest () {
+    if (!HeaderMap || !requestChannel.start.hasSubscribers) {
+      return originalExecuteHTTPGraphQLRequest.apply(this, arguments)
+    }
+
+    const abortController = new AbortController()
+    const abortData = {}
+
+    const graphqlResponseData = requestChannel.tracePromise(
+      originalExecuteHTTPGraphQLRequest,
+      { abortController, abortData },
+      this,
+      ...arguments)
+
+    return Promise.race([graphqlResponseData]).then((value) => {
+      if (abortController.signal.aborted) {
+        // This method is expected to return response data
+        // with headers, status and body
+        const headers = new HeaderMap()
+        Object.keys(abortData.headers).forEach(key => {
+          headers.set(key, abortData.headers[key])
+        })
+
+        return {
+          headers: headers,
+          status: abortData.statusCode,
+          body: {
+            kind: 'complete',
+            string: abortData.message
+          }
+        }
+      }
+
+      return graphqlResponseData
+    })
+  }
+}
+
+function apolloExpress4Hook (express4) {
+  shimmer.wrap(express4, 'expressMiddleware', function wrapExpressMiddleware (originalExpressMiddleware) {
+    return function expressMiddleware (server, options) {
+      const originalMiddleware = originalExpressMiddleware.apply(this, arguments)
+
+      return shimmer.wrap(originalMiddleware, function (req, res, next) {
+        if (!graphqlMiddlewareChannel.start.hasSubscribers) {
+          return originalMiddleware.apply(this, arguments)
+        }
+
+        return graphqlMiddlewareChannel.traceSync(originalMiddleware, { req }, this, ...arguments)
+      })
+    }
+  })
+  return express4
+}
+
+function apolloHeaderMapHook (headerMap) {
+  HeaderMap = headerMap.HeaderMap
+  return headerMap
+}
+
+function apolloServerHook (apolloServer) {
+  shimmer.wrap(apolloServer.ApolloServer.prototype, 'executeHTTPGraphQLRequest', wrapExecuteHTTPGraphQLRequest)
+  return apolloServer
+}
+
+addHook({ name: '@apollo/server', file: 'dist/cjs/ApolloServer.js', versions: ['>=4.0.0'] }, apolloServerHook)
+addHook({ name: '@apollo/server', file: 'dist/cjs/express4/index.js', versions: ['>=4.0.0'] }, apolloExpress4Hook)
+addHook({ name: '@apollo/server', file: 'dist/cjs/utils/HeaderMap.js', versions: ['>=4.0.0'] }, apolloHeaderMapHook)
@@ -1,5 +1,7 @@
 'use strict'
 
+const { AbortController } = require('node-abort-controller')
+
 const {
   addHook,
   channel,
@@ -37,6 +39,13 @@ const validateStartCh = channel('apm:graphql:validate:start')
 const validateFinishCh = channel('apm:graphql:validate:finish')
 const validateErrorCh = channel('apm:graphql:validate:error')
 
+class AbortError extends Error {
+  constructor (message) {
+    super(message)
+    this.name = 'AbortError'
+  }
+}
+
 function getOperation (document, operationName) {
   if (!document || !Array.isArray(document.definitions)) {
     return
@@ -175,11 +184,11 @@ function wrapExecute (execute) {
           docSource: documentSources.get(document)
         })
 
-        const context = { source, asyncResource, fields: {} }
+        const context = { source, asyncResource, fields: {}, abortController: new AbortController() }
 
         contexts.set(contextValue, context)
 
-        return callInAsyncScope(exe, asyncResource, this, arguments, (err, res) => {
+        return callInAsyncScope(exe, asyncResource, this, arguments, context.abortController, (err, res) => {
           if (finishResolveCh.hasSubscribers) finishResolvers(context)
 
           const error = err || (res && res.errors && res.errors[0])
@@ -207,7 +216,7 @@ function wrapResolve (resolve) {
 
     const field = assertField(context, info, args)
 
-    return callInAsyncScope(resolve, field.asyncResource, this, arguments, (err) => {
+    return callInAsyncScope(resolve, field.asyncResource, this, arguments, context.abortController, (err) => {
       updateFieldCh.publish({ field, info, err })
     })
   }
@@ -217,10 +226,15 @@ function wrapResolve (resolve) {
   return resolveAsync
 }
 
-function callInAsyncScope (fn, aR, thisArg, args, cb) {
+function callInAsyncScope (fn, aR, thisArg, args, abortController, cb) {
   cb = cb || (() => {})
 
   return aR.runInAsyncScope(() => {
+    if (abortController?.signal.aborted) {
+      cb(null, null)
+      throw new AbortError('Aborted')
+    }
+
     try {
       const result = fn.apply(thisArg, args)
       if (result && typeof result.then === 'function') {

@@ -1,6 +1,8 @@
 'use strict'
 
 module.exports = {
+  '@apollo/server': () => require('../apollo-server'),
+  'apollo-server-core': () => require('../apollo-server-core'),
   '@aws-sdk/smithy-client': () => require('../aws-sdk'),
   '@cucumber/cucumber': () => require('../cucumber'),
   '@playwright/test': () => require('../playwright'),

@@ -1,6 +1,7 @@
 'use strict'
 
 const TracingPlugin = require('../../dd-trace/src/plugins/tracing')
+const dc = require('dc-polyfill')
 
 const collapsedPathSym = Symbol('collapsedPaths')
 
@@ -14,8 +15,6 @@ class GraphQLResolvePlugin extends TracingPlugin {
     if (!shouldInstrument(this.config, path)) return
     const computedPathString = path.join('.')
 
-    addResolver(context, info, args)
-
     if (this.config.collapse) {
       if (!context[collapsedPathSym]) {
         context[collapsedPathSym] = {}
@@ -55,6 +54,10 @@ class GraphQLResolvePlugin extends TracingPlugin {
           span.setTag(`graphql.variables.${name}`, variables[name])
         })
     }
+
+    if (this.resolverStartCh.hasSubscribers) {
+      this.resolverStartCh.publish({ context, resolverInfo: getResolverInfo(info, args) })
+    }
   }
 
   constructor (...args) {
@@ -69,6 +72,8 @@ class GraphQLResolvePlugin extends TracingPlugin {
       field.finishTime = span._getTime ? span._getTime() : 0
       field.error = field.error || err
     })
+
+    this.resolverStartCh = dc.channel('datadog:graphql:resolver:start')
   }
 
   configure (config) {
@@ -109,28 +114,31 @@ function withCollapse (responsePathAsArray) {
   }
 }
 
-function addResolver (context, info, args) {
-  if (info.rootValue && !info.rootValue[info.fieldName]) {
-    return
-  }
+function getResolverInfo (info, args) {
+  let resolverInfo = null
+  const resolverVars = {}
 
-  if (!context.resolvers) {
-    context.resolvers = {}
+  if (args && Object.keys(args).length) {
+    Object.assign(resolverVars, args)
   }
 
-  const resolvers = context.resolvers
-
-  if (!resolvers[info.fieldName]) {
-    if (args && Object.keys(args).length) {
-      resolvers[info.fieldName] = [args]
-    } else {
-      resolvers[info.fieldName] = []
+  const directives = info.fieldNodes[0].directives
+  for (const directive of directives) {
+    const argList = {}
+    for (const argument of directive['arguments']) {
+      argList[argument.name.value] = argument.value.value
     }
-  } else {
-    if (args && Object.keys(args).length) {
-      resolvers[info.fieldName].push(args)
+
+    if (Object.keys(argList).length) {
+      resolverVars[directive.name.value] = argList
     }
   }
+
+  if (Object.keys(resolverVars).length) {
+    resolverInfo = { [info.fieldName]: resolverVars }
+  }
+
+  return resolverInfo
 }
 
 module.exports = GraphQLResolvePlugin
@@ -13,6 +13,7 @@ module.exports = {
   HTTP_INCOMING_RESPONSE_HEADERS: 'server.response.headers.no_cookies',
   // TODO: 'server.response.trailers',
   HTTP_INCOMING_GRAPHQL_RESOLVERS: 'graphql.server.all_resolvers',
+  HTTP_INCOMING_GRAPHQL_RESOLVER: 'graphql.server.resolver',
 
   HTTP_CLIENT_IP: 'http.client_ip',