Remove AsyncResource from sequelize (#6125)

uurien · web-flow · commit fe5bf3194706 · 2025-07-22T16:05:50.000Z
diff --git a/packages/datadog-instrumentations/src/sequelize.js b/packages/datadog-instrumentations/src/sequelize.js
@@ -2,8 +2,7 @@
 
 const {
   channel,
-  addHook,
-  AsyncResource
+  addHook
 } = require('./helpers/instrument')
 
 const shimmer = require('../../datadog-shimmer')
@@ -18,8 +17,6 @@ addHook({ name: 'sequelize', versions: ['>=4'] }, Sequelize => {
         return query.apply(this, arguments)
       }
 
-      const asyncResource = new AsyncResource('bound-anonymous-fn')
-
       let dialect
       if (this.options && this.options.dialect) {
         dialect = this.options.dialect
@@ -33,22 +30,15 @@ addHook({ name: 'sequelize', versions: ['>=4'] }, Sequelize => {
           result = result[0]
         }
 
-        asyncResource.bind(function () {
-          finishCh.publish({ result })
-        }, this).apply(this)
+        finishCh.runStores({ result }, () => {})
       }
 
-      return asyncResource.bind(function () {
-        startCh.publish({
-          sql,
-          dialect
-        })
-
+      return startCh.runStores({ sql, dialect }, () => {
         const promise = query.apply(this, arguments)
         promise.then(onFinish, () => { onFinish() })
 
         return promise
-      }, this).apply(this, arguments)
+      })
     }
   })
 
diff --git a/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js b/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js
@@ -18,31 +18,39 @@ class SqlInjectionAnalyzer extends StoredInjectionAnalyzer {
     this.addSub('datadog:mysql2:outerquery:start', ({ sql }) => this.analyze(sql, undefined, 'MYSQL'))
     this.addSub('apm:pg:query:start', ({ query }) => this.analyze(query.text, undefined, 'POSTGRES'))
 
-    this.addSub(
+    this.addBind(
       'datadog:sequelize:query:start',
       ({ sql, dialect }) => this.getStoreAndAnalyze(sql, dialect.toUpperCase())
     )
     this.addSub('datadog:sequelize:query:finish', () => this.returnToParentStore())
 
-    this.addSub('datadog:pg:pool:query:start', ({ query }) => this.getStoreAndAnalyze(query.text, 'POSTGRES'))
+    this.addSub('datadog:pg:pool:query:start', ({ query }) => this.setStoreAndAnalyze(query.text, 'POSTGRES'))
     this.addSub('datadog:pg:pool:query:finish', () => this.returnToParentStore())
 
-    this.addSub('datadog:mysql:pool:query:start', ({ sql }) => this.getStoreAndAnalyze(sql, 'MYSQL'))
+    this.addSub('datadog:mysql:pool:query:start', ({ sql }) => this.setStoreAndAnalyze(sql, 'MYSQL'))
     this.addSub('datadog:mysql:pool:query:finish', () => this.returnToParentStore())
 
     this.addSub('datadog:knex:raw:start', ({ sql, dialect: knexDialect }) => {
       const dialect = this.normalizeKnexDialect(knexDialect)
-      this.getStoreAndAnalyze(sql, dialect)
+      this.setStoreAndAnalyze(sql, dialect)
     })
     this.addSub('datadog:knex:raw:finish', () => this.returnToParentStore())
   }
 
+  setStoreAndAnalyze (query, dialect) {
+    const store = this.getStoreAndAnalyze(query, dialect)
+
+    if (store) {
+      storage('legacy').enterWith(store)
+    }
+  }
+
   getStoreAndAnalyze (query, dialect) {
     const parentStore = storage('legacy').getStore()
     if (parentStore) {
       this.analyze(query, parentStore, dialect)
 
-      storage('legacy').enterWith({ ...parentStore, sqlAnalyzed: true, sqlParentStore: parentStore })
+      return { ...parentStore, sqlAnalyzed: true, sqlParentStore: parentStore }
     }
   }
 
diff --git a/packages/dd-trace/test/appsec/iast/analyzers/sql-injection-analyzer.sequelize.plugin.spec.js b/packages/dd-trace/test/appsec/iast/analyzers/sql-injection-analyzer.sequelize.plugin.spec.js
@@ -33,6 +33,10 @@ describe('sql-injection-analyzer with sequelize', () => {
             return sequelize.authenticate()
           })
 
+          afterEach(() => {
+            sequelize.close()
+          })
+
           testThatRequestHasVulnerability(() => {
             const store = storage('legacy').getStore()
             const iastCtx = iastContextFunctions.getIastContext(store)
@@ -45,9 +49,21 @@ describe('sql-injection-analyzer with sequelize', () => {
 
           const externalFileContent = `'use strict'
 
-module.exports = function (sequelize, sql) {
+function main (sequelize, sql) {
+  return sequelize.query(sql)
+}
+
+function doubleCall (sequelize, sql) {
+  sequelize.query(sql)
   return sequelize.query(sql)
 }
+
+async function doubleChainedCall (sequelize, sql) {
+  await sequelize.query(sql)
+  return sequelize.query(sql)
+}
+
+module.exports = { main, doubleCall, doubleChainedCall }
 `
           testThatRequestHasVulnerability(() => {
             const filepath = path.join(os.tmpdir(), 'test-sequelize-sqli.js')
@@ -59,7 +75,7 @@ module.exports = function (sequelize, sql) {
             let sql = 'SELECT 1'
             sql = newTaintedString(iastCtx, sql, 'param', 'Request')
 
-            return require(filepath)(sequelize, sql)
+            return require(filepath).main(sequelize, sql)
           }, 'SQL_INJECTION', {
             occurrences: 1,
             location: {
@@ -68,6 +84,36 @@ module.exports = function (sequelize, sql) {
             }
           })
 
+          testThatRequestHasVulnerability(() => {
+            const filepath = path.join(os.tmpdir(), 'test-sequelize-sqli.js')
+            fs.writeFileSync(filepath, externalFileContent)
+
+            const store = storage('legacy').getStore()
+            const iastCtx = iastContextFunctions.getIastContext(store)
+
+            let sql = 'SELECT 1'
+            sql = newTaintedString(iastCtx, sql, 'param', 'Request')
+
+            return require(filepath).doubleCall(sequelize, sql)
+          }, 'SQL_INJECTION', {
+            occurrences: 2
+          })
+
+          testThatRequestHasVulnerability(() => {
+            const filepath = path.join(os.tmpdir(), 'test-sequelize-sqli.js')
+            fs.writeFileSync(filepath, externalFileContent)
+
+            const store = storage('legacy').getStore()
+            const iastCtx = iastContextFunctions.getIastContext(store)
+
+            let sql = 'SELECT 1'
+            sql = newTaintedString(iastCtx, sql, 'param', 'Request')
+
+            return require(filepath).doubleChainedCall(sequelize, sql)
+          }, 'SQL_INJECTION', {
+            occurrences: 2
+          })
+
           testThatRequestHasNoVulnerability(() => {
             return sequelize.query('SELECT 1')
           }, 'SQL_INJECTION')
diff --git a/packages/dd-trace/test/appsec/iast/analyzers/sql-injection-analyzer.spec.js b/packages/dd-trace/test/appsec/iast/analyzers/sql-injection-analyzer.spec.js
@@ -64,18 +64,20 @@ describe('sql-injection-analyzer', () => {
   sqlInjectionAnalyzer.configure(true)
 
   it('should subscribe to mysql, mysql2 and pg start query channel', () => {
-    expect(sqlInjectionAnalyzer._subscriptions).to.have.lengthOf(11)
+    expect(sqlInjectionAnalyzer._subscriptions).to.have.lengthOf(10)
     expect(sqlInjectionAnalyzer._subscriptions[0]._channel.name).to.equals('apm:mysql:query:start')
     expect(sqlInjectionAnalyzer._subscriptions[1]._channel.name).to.equals('datadog:mysql2:outerquery:start')
     expect(sqlInjectionAnalyzer._subscriptions[2]._channel.name).to.equals('apm:pg:query:start')
-    expect(sqlInjectionAnalyzer._subscriptions[3]._channel.name).to.equals('datadog:sequelize:query:start')
-    expect(sqlInjectionAnalyzer._subscriptions[4]._channel.name).to.equals('datadog:sequelize:query:finish')
-    expect(sqlInjectionAnalyzer._subscriptions[5]._channel.name).to.equals('datadog:pg:pool:query:start')
-    expect(sqlInjectionAnalyzer._subscriptions[6]._channel.name).to.equals('datadog:pg:pool:query:finish')
-    expect(sqlInjectionAnalyzer._subscriptions[7]._channel.name).to.equals('datadog:mysql:pool:query:start')
-    expect(sqlInjectionAnalyzer._subscriptions[8]._channel.name).to.equals('datadog:mysql:pool:query:finish')
-    expect(sqlInjectionAnalyzer._subscriptions[9]._channel.name).to.equals('datadog:knex:raw:start')
-    expect(sqlInjectionAnalyzer._subscriptions[10]._channel.name).to.equals('datadog:knex:raw:finish')
+    expect(sqlInjectionAnalyzer._subscriptions[3]._channel.name).to.equals('datadog:sequelize:query:finish')
+    expect(sqlInjectionAnalyzer._subscriptions[4]._channel.name).to.equals('datadog:pg:pool:query:start')
+    expect(sqlInjectionAnalyzer._subscriptions[5]._channel.name).to.equals('datadog:pg:pool:query:finish')
+    expect(sqlInjectionAnalyzer._subscriptions[6]._channel.name).to.equals('datadog:mysql:pool:query:start')
+    expect(sqlInjectionAnalyzer._subscriptions[7]._channel.name).to.equals('datadog:mysql:pool:query:finish')
+    expect(sqlInjectionAnalyzer._subscriptions[8]._channel.name).to.equals('datadog:knex:raw:start')
+    expect(sqlInjectionAnalyzer._subscriptions[9]._channel.name).to.equals('datadog:knex:raw:finish')
+
+    expect(sqlInjectionAnalyzer._bindings).to.have.lengthOf(1)
+    expect(sqlInjectionAnalyzer._bindings[0]._channel.name).to.equals('datadog:sequelize:query:start')
   })
 
   it('should not detect vulnerability when no query', () => {
