fix: filter IPC and Unix domain socket false positives from TCP instrumentation#142
Conversation
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
1 issue found across 1 file
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="src/instrumentation/libraries/tcp/Instrumentation.ts">
<violation number="1" location="src/instrumentation/libraries/tcp/Instrumentation.ts:203">
P1: Treating every `Pipe` handle as non-network hides unpatched dependencies that connect over Unix domain sockets.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Generated 19 tests - 19 passedTip New to Tusk Unit Tests? Learn more here. Test Summary
ResultsTusk's tests all pass and validate the core fix: the new View check history
Was Tusk helpful? Give feedback by reacting with 👍 or 👎 |
jy-tan
left a comment
jy-tan
left a comment
There was a problem hiding this comment.
is there possibility where a unix domain socket was already connected before Socket.prototype.write() is patched? then the heuristic might miss this case.
as long as |
2 participants
Summary
The TCP instrumentation's unpatched dependency detection was firing false positives for Node.js IPC traffic — specifically
process.send()calls made by tools liketsx(TypeScript compiler) and test runners (Jest workers, etc.). These IPC writes go throughnet.Socket.writebut are purely local parent-child process communication, not external network calls.The fix distinguishes inherited IPC pipes from real connections by tracking which sockets go through
connect(). IPC pipes are inherited from the parent process and never callconnect(), while Unix domain socket connections (e.g. PostgreSQL via a socket file) do — so we only filter Pipe sockets that were never explicitly connected.Changes
_isHttpResponseSocket()with a broader_isNonNetworkSocket()method that consolidates all non-network socket filteringWeakSet(explicitlyConnectedSockets) that tracks sockets passing through the patchedconnect()call_isNonNetworkSocket, Pipe-handle sockets are only filtered if they were never connected — this filters inherited IPC pipes (tsx, jest workers,process.send()) while still alerting on Unix domain socket connections that could be unpatched dependencies_httpMessagecheck) is preserved within the new methodContext
The false positive manifested as
Unpatched dependency alertlog spam during replay runs. The stack trace showedtsx'ssendToParent→process.send()→Socket.write, which the SDK intercepted and misidentified as an uninstrumented external call. IPC sockets never leave the machine and are irrelevant to record/replay.Both IPC pipes and Unix domain sockets use
Pipehandles internally (source), so a blanketPipecheck would hide unpatched dependencies connecting over Unix domain sockets. Theconnect()-tracking approach avoids this: inherited IPC pipes never callconnect(), real connections always do.