dd-trace 3.10.0 → 3.11.0

package/LICENSE-3rdparty.csv

@@ -20,6 +20,7 @@ require,lodash.uniq,MIT,Copyright JS Foundation and other contributors
 require,lru-cache,ISC,Copyright (c) 2010-2022 Isaac Z. Schlueter and Contributors
 require,methods,MIT,Copyright 2013-2014 TJ Holowaychuk
 require,module-details-from-path,MIT,Copyright 2016 Thomas Watson Steen
+require,node-abort-controller,MIT,Copyright (c) 2019 Steve Faulkner
 require,opentracing,MIT,Copyright 2016 Resonance Labs Inc
 require,path-to-regexp,MIT,Copyright 2014 Blake Embrey
 require,protobufjs,BSD-3-Clause,Copyright 2016 Daniel Wirtz

package/index.d.ts

@@ -509,7 +509,17 @@ export declare interface TracerOptions {
     /**
      * Specifies a regex that will redact sensitive data by its value in attack reports.
      */
-    obfuscatorValueRegex?: string
+    obfuscatorValueRegex?: string,
+
+    /**
+     * Specifies a path to a custom blocking template html file.
+     */
+    blockedTemplateHtml?: string,
+
+    /**
+     * Specifies a path to a custom blocking template json file.
+     */
+    blockedTemplateJson?: string,
   };
 }
 
@@ -1208,6 +1218,12 @@ declare namespace plugins {
    */
   interface kafkajs extends Instrumentation {}
 
+  /**
+   * This plugin automatically instruments the
+   * [ldapjs](https://github.com/ldapjs/node-ldapjs/) module.
+   */
+  interface ldapjs extends Instrumentation {}
+
   /**
    * This plugin automatically instruments the
    * [mariadb](https://github.com/mariadb-corporation/mariadb-connector-nodejs) module.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dd-trace",
-  "version": "3.10.0",
+  "version": "3.11.0",
   "description": "Datadog APM tracing client for JavaScript",
   "main": "index.js",
   "typings": "index.d.ts",
@@ -16,14 +16,14 @@
     "services": "node ./scripts/install_plugin_modules && node packages/dd-trace/test/setup/services",
     "tdd": "node scripts/tdd.js",
     "test": "SERVICES=* yarn services && mocha --colors --exit --expose-gc 'packages/dd-trace/test/setup/node.js' 'packages/*/test/**/*.spec.js'",
-    "test:trace:core": "mocha --colors --exit --expose-gc --file packages/dd-trace/test/setup/core.js --exclude \"packages/dd-trace/test/profiling/**/*.spec.js\" \"packages/dd-trace/test/**/*.spec.js\"",
-    "test:trace:core:ci": "nyc --no-clean --include \"packages/dd-trace/src/**/*.js\" --exclude \"packages/dd-trace/src/profiling/**/*.js\" -- npm run test:trace:core -- --reporter mocha-multi-reporters --reporter-options configFile=mocha-reporter.json",
+    "test:trace:core": "mocha --colors --exit --expose-gc --file packages/dd-trace/test/setup/core.js --exclude \"packages/dd-trace/test/profiling/**/*.spec.js\" --exclude \"packages/dd-trace/test/appsec/iast/**/*.plugin.spec.js\" \"packages/dd-trace/test/**/*.spec.js\"",
+    "test:trace:core:ci": "nyc --no-clean --include \"packages/dd-trace/src/**/*.js\" --exclude \"packages/dd-trace/src/profiling/**/*.js\" --exclude \"packages/dd-trace/test/appsec/iast/**/*.plugin.spec.js\" -- npm run test:trace:core -- --reporter mocha-multi-reporters --reporter-options configFile=mocha-reporter.json",
     "test:instrumentations": "mocha --colors --file 'packages/dd-trace/test/setup/core.js' 'packages/datadog-instrumentations/test/**/*.spec.js'",
     "test:instrumentations:ci": "nyc --no-clean --include 'packages/datadog-instrumentations/src/**/*.js' -- npm run test:instrumentations",
     "test:core": "mocha --colors --file packages/datadog-core/test/setup.js 'packages/datadog-core/test/**/*.spec.js'",
     "test:core:ci": "nyc --no-clean --include 'packages/datadog-core/src/**/*.js' -- npm run test:core",
-    "test:plugins": "mocha --colors --exit --file \"packages/dd-trace/test/setup/core.js\" \"packages/datadog-instrumentations/test/@($(echo $PLUGINS)).spec.js\" \"packages/datadog-plugin-@($(echo $PLUGINS))/test/**/*.spec.js\"",
-    "test:plugins:ci": "yarn services && nyc --no-clean --include \"packages/datadog-instrumentations/src/@($(echo $PLUGINS)).js\" --include \"packages/datadog-instrumentations/src/@($(echo $PLUGINS))/**/*.js\" --include \"packages/datadog-plugin-@($(echo $PLUGINS))/src/**/*.js\" -- npm run test:plugins",
+    "test:plugins": "mocha --colors --exit --file \"packages/dd-trace/test/setup/core.js\" \"packages/datadog-instrumentations/test/@($(echo $PLUGINS)).spec.js\" \"packages/datadog-plugin-@($(echo $PLUGINS))/test/**/*.spec.js\" \"packages/dd-trace/test/appsec/iast/**/*.@($(echo $PLUGINS)).plugin.spec.js\"",
+    "test:plugins:ci": "yarn services && nyc --no-clean --include \"packages/datadog-instrumentations/src/@($(echo $PLUGINS)).js\" --include \"packages/datadog-instrumentations/src/@($(echo $PLUGINS))/**/*.js\" --include \"packages/datadog-plugin-@($(echo $PLUGINS))/src/**/*.js\" --include \"packages/dd-trace/test/appsec/iast/**/*.@($(echo $PLUGINS)).plugin.spec.js\" -- npm run test:plugins",
     "test:plugins:upstream": "node ./packages/dd-trace/test/plugins/suite.js",
     "test:profiler": "mocha --colors --exit --file \"packages/dd-trace/test/setup/core.js\" \"packages/dd-trace/test/profiling/**/*.spec.js\"",
     "test:profiler:ci": "nyc --no-clean --include \"packages/dd-trace/src/profiling/**/*.js\" -- npm run test:profiler",
@@ -59,7 +59,7 @@
   },
   "dependencies": {
     "@datadog/native-appsec": "2.0.0",
-    "@datadog/native-iast-rewriter": "1.0.1",
+    "@datadog/native-iast-rewriter": "1.1.2",
     "@datadog/native-iast-taint-tracking": "1.0.0",
     "@datadog/native-metrics": "^1.5.0",
     "@datadog/pprof": "^1.1.1",
@@ -79,6 +79,7 @@
     "lru-cache": "^7.14.0",
     "methods": "^1.1.2",
     "module-details-from-path": "^1.0.3",
+    "node-abort-controller": "^3.0.1",
     "opentracing": ">=0.12.1",
     "path-to-regexp": "^0.1.2",
     "protobufjs": "^7.1.2",

package/packages/datadog-instrumentations/src/helpers/hooks.js

@@ -46,6 +46,7 @@ module.exports = {
   'koa': () => require('../koa'),
   'koa-router': () => require('../koa'),
   'kafkajs': () => require('../kafkajs'),
+  'ldapjs': () => require('../ldapjs'),
   'limitd-client': () => require('../limitd-client'),
   'mariadb': () => require('../mariadb'),
   'memcached': () => require('../memcached'),

package/packages/datadog-instrumentations/src/http/server.js

@@ -1,5 +1,6 @@
 'use strict'
 
+const { AbortController } = require('node-abort-controller') // AbortController is not available in node <15
 const {
   channel,
   addHook
@@ -48,9 +49,14 @@ function wrapEmit (emit) {
     if (eventName === 'request') {
       res.req = req
 
-      startServerCh.publish({ req, res })
+      const abortController = new AbortController()
+
+      startServerCh.publish({ req, res, abortController })
 
       try {
+        if (abortController.signal.aborted) {
+          return res.end()
+        }
         return emit.apply(this, arguments)
       } catch (err) {
         errorServerCh.publish(err)

package/packages/datadog-instrumentations/src/ldapjs.js

@@ -0,0 +1,91 @@
+'use strict'
+
+const {
+  channel,
+  addHook,
+  AsyncResource
+} = require('./helpers/instrument')
+const shimmer = require('../../datadog-shimmer')
+
+function isString (value) {
+  return typeof value === 'string' || value instanceof String
+}
+
+function getCallbackArgIndex (args) {
+  let callbackIndex = -1
+  for (let i = args.length - 1; i >= 0; i--) {
+    if (typeof args[i] === 'function') {
+      callbackIndex = i
+      break
+    }
+  }
+  return callbackIndex
+}
+
+function wrapEmitter (corkedEmitter) {
+  const callbackMap = new WeakMap()
+
+  const addListener = on => function (name, fn) {
+    if (typeof fn === 'function') {
+      let bindedFn = callbackMap.get(fn)
+      if (!bindedFn) {
+        const callbackResource = new AsyncResource('bound-anonymous-fn')
+        bindedFn = callbackResource.bind(fn)
+        callbackMap.set(fn, bindedFn)
+      }
+      arguments[1] = bindedFn
+    }
+    on.apply(this, arguments)
+  }
+  shimmer.wrap(corkedEmitter, 'on', addListener)
+  shimmer.wrap(corkedEmitter, 'addListener', addListener)
+
+  const removeListener = off => function (name, fn) {
+    if (typeof fn === 'function') {
+      const emitterOn = callbackMap.get(fn)
+      if (emitterOn) {
+        arguments[1] = emitterOn
+      }
+    }
+    off.apply(this, arguments)
+  }
+  shimmer.wrap(corkedEmitter, 'off', removeListener)
+  shimmer.wrap(corkedEmitter, 'removeListener', removeListener)
+}
+
+addHook({ name: 'ldapjs', versions: ['>=2'] }, ldapjs => {
+  const ldapSearchCh = channel('datadog:ldapjs:client:search')
+
+  shimmer.wrap(ldapjs.Client.prototype, 'search', search => function (base, options) {
+    if (ldapSearchCh.hasSubscribers) {
+      let filter
+      if (isString(options)) {
+        filter = options
+      } else if (typeof options === 'object' && options.filter) {
+        if (isString(options.filter)) {
+          filter = options.filter
+        }
+      }
+      ldapSearchCh.publish({ base, filter })
+    }
+
+    return search.apply(this, arguments)
+  })
+
+  shimmer.wrap(ldapjs.Client.prototype, '_send', _send => function () {
+    const callbackIndex = getCallbackArgIndex(arguments)
+    if (callbackIndex > -1) {
+      const callback = arguments[callbackIndex]
+      arguments[callbackIndex] = shimmer.wrap(callback, function (err, corkedEmitter) {
+        if (typeof corkedEmitter === 'object' && typeof corkedEmitter['on'] === 'function') {
+          wrapEmitter(corkedEmitter)
+        }
+        callback.apply(this, arguments)
+      })
+    }
+
+    return _send.apply(this, arguments)
+  })
+
+  return ldapjs
+})

package/packages/datadog-instrumentations/src/pg.js

@@ -40,9 +40,8 @@ function wrapQuery (query) {
     const callbackResource = new AsyncResource('bound-anonymous-fn')
     const asyncResource = new AsyncResource('bound-anonymous-fn')
     const processId = this.processID
-
     return asyncResource.runInAsyncScope(() => {
-      startCh.publish({ params: this.connectionParameters, query: pgQuery, processId })
+      startCh.publish({ params: this.connectionParameters, originalQuery: pgQuery.text, query: pgQuery, processId })
 
       const finish = asyncResource.bind(function (error) {
         if (error) {

package/packages/datadog-plugin-http/src/server.js

@@ -3,7 +3,7 @@
 const Plugin = require('../../dd-trace/src/plugins/plugin')
 const { storage } = require('../../datadog-core')
 const web = require('../../dd-trace/src/plugins/util/web')
-const { incomingHttpRequestStart } = require('../../dd-trace/src/appsec/gateway/channels')
+const { incomingHttpRequestStart, incomingHttpRequestEnd } = require('../../dd-trace/src/appsec/gateway/channels')
 const { COMPONENT } = require('../../dd-trace/src/constants')
 
 class HttpServerPlugin extends Plugin {
@@ -16,7 +16,7 @@ class HttpServerPlugin extends Plugin {
 
     this._parentStore = undefined
 
-    this.addSub('apm:http:server:request:start', ({ req, res }) => {
+    this.addSub('apm:http:server:request:start', ({ req, res, abortController }) => {
       const store = storage.getStore()
       const span = web.startSpan(this.tracer, this.config, req, res, 'web.request')
 
@@ -33,7 +33,7 @@ class HttpServerPlugin extends Plugin {
       }
 
       if (incomingHttpRequestStart.hasSubscribers) {
-        incomingHttpRequestStart.publish({ req, res })
+        incomingHttpRequestStart.publish({ req, res, abortController })
       }
     })
 
@@ -52,6 +52,10 @@ class HttpServerPlugin extends Plugin {
 
       if (!context || !context.res) return // Not created by a http.Server instance.
 
+      if (incomingHttpRequestEnd.hasSubscribers) {
+        incomingHttpRequestEnd.publish({ req, res: context.res })
+      }
+
       web.finishAll(context)
     })
   }

package/packages/datadog-plugin-router/src/index.js

@@ -29,8 +29,9 @@ class RouterPlugin extends WebPlugin {
         context.middleware.push(span)
       }
 
-      this._storeStack.push(storage.getStore())
-      this.enter(span)
+      const store = storage.getStore()
+      this._storeStack.push(store)
+      this.enter(span, store)
 
       web.patch(req)
       web.setRoute(req, context.route)
@@ -53,7 +54,9 @@ class RouterPlugin extends WebPlugin {
     })
 
     this.addSub(`apm:${this.constructor.name}:middleware:exit`, ({ req }) => {
-      this.enter(this._storeStack.pop())
+      const savedStore = this._storeStack.pop()
+      const span = savedStore && savedStore.span
+      this.enter(span, savedStore)
     })
 
     this.addSub(`apm:${this.constructor.name}:middleware:error`, ({ req, error }) => {

package/packages/dd-trace/src/appsec/addresses.js

@@ -14,5 +14,7 @@ module.exports = {
   HTTP_INCOMING_RESPONSE_HEADERS: 'server.response.headers.no_cookies',
   // TODO: 'server.response.trailers',
   HTTP_INCOMING_REMOTE_IP: 'server.request.client_ip',
-  HTTP_INCOMING_REMOTE_PORT: 'server.request.client_port'
+  HTTP_INCOMING_REMOTE_PORT: 'server.request.client_port',
+
+  HTTP_CLIENT_IP: 'http.client_ip'
 }

package/packages/dd-trace/src/appsec/blocking.js

@@ -0,0 +1,44 @@
+'use strict'
+
+const fs = require('fs')
+let templateHtml, templateJson
+function block (req, res, topSpan, abortController) {
+  let type
+  let body
+
+  // parse the Accept header, ex: Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8
+  const accept = req.headers.accept && req.headers.accept.split(',').map((str) => str.split(';', 1)[0].trim())
+
+  if (accept && accept.includes('text/html') && !accept.includes('application/json')) {
+    type = 'text/html'
+    body = templateHtml
+  } else {
+    type = 'application/json'
+    body = templateJson
+  }
+
+  topSpan.addTags({
+    'appsec.blocked': 'true'
+  })
+
+  res.statusCode = 403
+  res.setHeader('Content-Type', type)
+  res.setHeader('Content-Length', Buffer.byteLength(body))
+  res.end(body)
+
+  abortController.abort()
+}
+
+function loadTemplates (config) {
+  templateHtml = fs.readFileSync(config.appsec.blockedTemplateHtml)
+  templateJson = fs.readFileSync(config.appsec.blockedTemplateJson)
+}
+
+async function loadTemplatesAsync (config) {
+  templateHtml = await fs.promises.readFile(config.appsec.blockedTemplateHtml)
+  templateJson = await fs.promises.readFile(config.appsec.blockedTemplateJson)
+}
+
+module.exports = {
+  block, loadTemplates, loadTemplatesAsync
+}

package/packages/dd-trace/src/appsec/callbacks/ddwaf.js

@@ -61,7 +61,7 @@ class WAFCallback {
 
           subscribedAddresses.add(address)
 
-          Gateway.manager.addSubscription({ addresses: [ address ], callback })
+          Gateway.manager.addSubscription({ addresses: [address], callback })
         }
       }
     }

package/packages/dd-trace/src/appsec/gateway/engine/engine.js

@@ -28,7 +28,7 @@ class SubscriptionManager {
       const list = this.addressToSubscriptions.get(address)
 
       if (list === undefined) {
-        this.addressToSubscriptions.set(address, [ subscription ])
+        this.addressToSubscriptions.set(address, [subscription])
       } else {
         list.push(subscription)
       }

package/packages/dd-trace/src/appsec/gateway/engine/index.js

@@ -22,6 +22,10 @@ function getContext () {
   return store && store.get('context')
 }
 
+function needsAddress (address) {
+  return manager.addresses.has(address)
+}
+
 function propagate (data, context = getContext()) {
   if (!context) return
 
@@ -30,7 +34,7 @@ function propagate (data, context = getContext()) {
   for (let i = 0; i < keys.length; ++i) {
     const key = keys[i]
 
-    if (manager.addresses.has(key)) {
+    if (needsAddress(key)) {
       context.setValue(key, data[key])
     }
   }
@@ -42,5 +46,6 @@ module.exports = {
   manager,
   startContext,
   getContext,
+  needsAddress,
   propagate
 }

package/packages/dd-trace/src/appsec/gateway/engine/runner.js

@@ -26,7 +26,6 @@ function runSubscriptions (subscriptions, params) {
       result = subscription.callback.method(params, store)
     } catch (err) {
       // TODO: log ?
-      result = {}
     }
 
     results.push(result)

package/packages/dd-trace/src/appsec/iast/analyzers/analyzers.js

@@ -2,5 +2,6 @@ module.exports = {
   'WEAK_CIPHER_ANALYZER': require('./weak-cipher-analyzer'),
   'WEAK_HASH_ANALYZER': require('./weak-hash-analyzer'),
   'SQL_INJECTION_ANALYZER': require('./sql-injection-analyzer'),
-  'COMMAND_INJECTION_ANALYZER': require('./command-injection-analyzer')
+  'COMMAND_INJECTION_ANALYZER': require('./command-injection-analyzer'),
+  'LDAP_ANALYZER': require('./ldap-injection-analyzer')
 }

package/packages/dd-trace/src/appsec/iast/analyzers/ldap-injection-analyzer.js

@@ -0,0 +1,11 @@
+'use strict'
+const InjectionAnalyzer = require('./injection-analyzer')
+
+class LdapInjectionAnalyzer extends InjectionAnalyzer {
+  constructor () {
+    super('LDAP_INJECTION')
+    this.addSub('datadog:ldapjs:client:search', ({ base, filter }) => this.analyzeAll(base, filter))
+  }
+}
+
+module.exports = new LdapInjectionAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js

@@ -6,7 +6,7 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
     super('SQL_INJECTION')
     this.addSub('apm:mysql:query:start', ({ sql }) => this.analyze(sql))
     this.addSub('apm:mysql2:query:start', ({ sql }) => this.analyze(sql))
-    this.addSub('apm:pg:query:start', ({ query }) => query && this.analyze(query.text))
+    this.addSub('apm:pg:query:start', ({ originalQuery }) => this.analyze(originalQuery))
   }
 }
 

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -2,6 +2,7 @@
 
 const Plugin = require('../../../../src/plugins/plugin')
 const { storage } = require('../../../../../datadog-core')
+const log = require('../../../log')
 const { getFirstNonDDPathAndLine } = require('../path-line')
 const { createVulnerability, addVulnerability } = require('../vulnerability-reporter')
 const { getIastContext } = require('../iast-context')
@@ -13,6 +14,20 @@ class Analyzer extends Plugin {
     this._type = type
   }
 
+  _wrapHandler (handler) {
+    return (message, name) => {
+      try {
+        handler(message, name)
+      } catch (e) {
+        log.debug(e)
+      }
+    }
+  }
+
+  addSub (channelName, handler) {
+    super.addSub(channelName, this._wrapHandler(handler))
+  }
+
   _isVulnerable (value, context) {
     return false
   }
@@ -25,6 +40,14 @@ class Analyzer extends Plugin {
     addVulnerability(context, vulnerability)
   }
 
+  _reportIfVulnerable (value, context) {
+    if (this._isVulnerable(value, context) && this._checkOCE(context)) {
+      this._report(value, context)
+      return true
+    }
+    return false
+  }
+
   _getEvidence (value) {
     return { value }
   }
@@ -35,8 +58,23 @@ class Analyzer extends Plugin {
 
   analyze (value) {
     const iastContext = getIastContext(storage.getStore())
-    if (iastContext && this._isVulnerable(value, iastContext) && this._checkOCE(iastContext)) {
-      this._report(value, iastContext)
+    if (!iastContext) return
+
+    this._reportIfVulnerable(value, iastContext)
+  }
+
+  analyzeAll (...values) {
+    const iastContext = getIastContext(storage.getStore())
+    if (!iastContext) return
+
+    for (let i = 0; i < values.length; i++) {
+      const value = values[i]
+      if (this._isVulnerable(value, iastContext)) {
+        if (this._checkOCE(iastContext)) {
+          this._report(value, iastContext)
+        }
+        break
+      }
     }
   }
 

package/packages/dd-trace/src/appsec/iast/iast-context.js

@@ -1,4 +1,5 @@
 const IAST_CONTEXT_KEY = Symbol('_dd.iast.context')
+const IAST_TRANSACTION_ID = Symbol('_dd.iast.transactionId')
 
 function getIastContext (store) {
   return store && store[IAST_CONTEXT_KEY]
@@ -46,5 +47,6 @@ module.exports = {
   getIastContext,
   saveIastContext,
   cleanIastContext,
-  IAST_CONTEXT_KEY
+  IAST_CONTEXT_KEY,
+  IAST_TRANSACTION_ID
 }

package/packages/dd-trace/src/appsec/iast/index.js

@@ -7,6 +7,8 @@ const dc = require('diagnostics_channel')
 const iastContextFunctions = require('./iast-context')
 const { enableTaintTracking, disableTaintTracking, createTransaction, removeTransaction } = require('./taint-tracking')
 
+const IAST_ENABLED_TAG_KEY = '_dd.iast.enabled'
+
 // TODO Change to `apm:http:server:request:[start|close]` when the subscription
 //  order of the callbacks can be enforce
 const requestStart = dc.channel('dd-trace:incomingHttpRequestStart')
@@ -40,6 +42,11 @@ function onIncomingHttpRequestStart (data) {
           createTransaction(rootSpan.context().toSpanId(), iastContext)
           overheadController.initializeRequestContext(iastContext)
         }
+        if (rootSpan.addTags) {
+          rootSpan.addTags({
+            [IAST_ENABLED_TAG_KEY]: isRequestAcquired ? '1' : '0'
+          })
+        }
       }
     }
   }

package/packages/dd-trace/src/appsec/iast/path-line.js

@@ -1,4 +1,5 @@
 const path = require('path')
+const process = require('process')
 const pathLine = {
   getFirstNonDDPathAndLine,
   getFirstNonDDPathAndLineFromCallsites, // Exported only for test purposes
@@ -7,7 +8,7 @@ const pathLine = {
 }
 
 const EXCLUDED_PATHS = [
-  '/node_modules/diagnostics_channel'
+  path.join(path.sep, 'node_modules', 'diagnostics_channel')
 ]
 const EXCLUDED_PATH_PREFIXES = [
   'node:diagnostics_channel',
@@ -20,7 +21,7 @@ const EXCLUDED_PATH_PREFIXES = [
 
 function calculateDDBasePath (dirname) {
   const dirSteps = dirname.split(path.sep)
-  const packagesIndex = dirSteps.indexOf('packages')
+  const packagesIndex = dirSteps.lastIndexOf('packages')
   return dirSteps.slice(0, packagesIndex).join(path.sep) + path.sep
 }
 
@@ -43,10 +44,10 @@ function getFirstNonDDPathAndLineFromCallsites (callsites) {
   if (callsites) {
     for (let i = 0; i < callsites.length; i++) {
       const callsite = callsites[i]
-      const path = callsite.getFileName()
-      if (!isExcluded(callsite) && path.indexOf(pathLine.ddBasePath) === -1) {
+      const filepath = callsite.getFileName()
+      if (!isExcluded(callsite) && filepath.indexOf(pathLine.ddBasePath) === -1) {
         return {
-          path,
+          path: path.relative(process.cwd(), filepath),
           line: callsite.getLineNumber()
         }
       }

package/packages/dd-trace/src/appsec/iast/taint-tracking/csi-methods.js

@@ -0,0 +1,12 @@
+'use strict'
+
+const csiMethods = [
+  { src: 'plusOperator', operator: true },
+  { src: 'trim' },
+  { src: 'trimStart', dst: 'trim' },
+  { src: 'trimEnd' }
+]
+
+module.exports = {
+  csiMethods
+}

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations.js

@@ -1,33 +1,6 @@
-const { storage } = require('../../../../../datadog-core')
-const iastContextFunctions = require('../iast-context')
-const log = require('../../../log')
 const TaintedUtils = require('@datadog/native-iast-taint-tracking')
-
-const IAST_TRANSACTION_ID = Symbol('_dd.iast.transactionId')
-
-function noop (res) { return res }
-const TaintTrackingDummy = {
-  plusOperator: noop
-}
-
-const TaintTracking = {
-  plusOperator: function (res, op1, op2) {
-    try {
-      if (typeof res !== 'string' ||
-        (typeof op1 !== 'string' && typeof op2 !== 'string')) { return res }
-
-      const store = storage.getStore()
-      const iastContext = iastContextFunctions.getIastContext(store)
-      const transactionId = iastContext && iastContext[IAST_TRANSACTION_ID]
-      if (transactionId) {
-        return TaintedUtils.concat(transactionId, res, op1, op2)
-      }
-    } catch (e) {
-      log.debug(e)
-    }
-    return res
-  }
-}
+const { IAST_TRANSACTION_ID } = require('../iast-context')
+const { TaintTracking, TaintTrackingDummy } = require('./taint-tracking-impl')
 
 function createTransaction (id, iastContext) {
   if (id && iastContext) {