dd-trace 3.36.0 → 3.38.0

package/packages/datadog-plugin-cypress/src/plugin.js

@@ -21,11 +21,14 @@ const {
   getCoveredFilenamesFromCoverage,
   getTestSuitePath,
   addIntelligentTestRunnerSpanTags,
-  TEST_SKIPPED_BY_ITR
+  TEST_SKIPPED_BY_ITR,
+  TEST_ITR_UNSKIPPABLE,
+  TEST_ITR_FORCED_RUN
 } = require('../../dd-trace/src/plugins/util/test')
 const { ORIGIN_KEY, COMPONENT } = require('../../dd-trace/src/constants')
 const log = require('../../dd-trace/src/log')
 const NoopTracer = require('../../dd-trace/src/noop/tracer')
+const { isMarkedAsUnskippable } = require('../../datadog-plugin-jest/src/util')
 
 const TEST_FRAMEWORK_NAME = 'cypress'
 
@@ -185,8 +188,11 @@ module.exports = (on, config) => {
   let isSuitesSkippingEnabled = false
   let isCodeCoverageEnabled = false
   let testsToSkip = []
+  const unskippableSuites = []
+  let hasForcedToRunSuites = false
+  let hasUnskippableSuites = false
 
-  function getTestSpan (testName, testSuite) {
+  function getTestSpan (testName, testSuite, isUnskippable, isForcedToRun) {
     const testSuiteTags = {
       [TEST_COMMAND]: command,
       [TEST_COMMAND]: command,
@@ -212,6 +218,16 @@ module.exports = (on, config) => {
       testSpanMetadata[TEST_CODE_OWNERS] = codeOwners
     }
 
+    if (isUnskippable) {
+      hasUnskippableSuites = true
+      testSpanMetadata[TEST_ITR_UNSKIPPABLE] = 'true'
+    }
+
+    if (isForcedToRun) {
+      hasForcedToRunSuites = true
+      testSpanMetadata[TEST_ITR_FORCED_RUN] = 'true'
+    }
+
     return tracer.startSpan(`${TEST_FRAMEWORK_NAME}.test`, {
       childOf,
       tags: {
@@ -233,13 +249,21 @@ module.exports = (on, config) => {
         isCodeCoverageEnabled = itrConfig.isCodeCoverageEnabled
       }
 
-      getSkippableTests(isSuitesSkippingEnabled, tracer, testConfiguration).then(({ err, skippableTests }) => {
+      return getSkippableTests(isSuitesSkippingEnabled, tracer, testConfiguration).then(({ err, skippableTests }) => {
         if (err) {
           log.error(err)
         } else {
           testsToSkip = skippableTests || []
         }
 
+        // `details.specs` are test files
+        details.specs.forEach(({ absolute, relative }) => {
+          const isUnskippableSuite = isMarkedAsUnskippable({ path: absolute })
+          if (isUnskippableSuite) {
+            unskippableSuites.push(relative)
+          }
+        })
+
         const childOf = getTestParentSpan(tracer)
         rootDir = getRootDir(details)
 
@@ -340,7 +364,9 @@ module.exports = (on, config) => {
           isSuitesSkippingEnabled,
           isCodeCoverageEnabled,
           skippingType: 'test',
-          skippingCount: skippedTests.length
+          skippingCount: skippedTests.length,
+          hasForcedToRunSuites,
+          hasUnskippableSuites
         }
       )
 
@@ -384,17 +410,21 @@ module.exports = (on, config) => {
     },
     'dd:beforeEach': (test) => {
       const { testName, testSuite } = test
-      // skip test
-      if (testsToSkip.find(test => {
+      const shouldSkip = !!testsToSkip.find(test => {
         return testName === test.name && testSuite === test.suite
-      })) {
+      })
+      const isUnskippable = unskippableSuites.includes(testSuite)
+      const isForcedToRun = shouldSkip && isUnskippable
+
+      // skip test
+      if (shouldSkip && !isUnskippable) {
         skippedTests.push(test)
         isTestsSkipped = true
         return { shouldSkip: true }
       }
 
       if (!activeSpan) {
-        activeSpan = getTestSpan(testName, testSuite)
+        activeSpan = getTestSpan(testName, testSuite, isUnskippable, isForcedToRun)
       }
 
       return activeSpan ? { traceId: activeSpan.context().toTraceId() } : {}

package/packages/datadog-plugin-jest/src/index.js

@@ -10,7 +10,9 @@ const {
   TEST_PARAMETERS,
   TEST_COMMAND,
   TEST_FRAMEWORK_VERSION,
-  TEST_SOURCE_START
+  TEST_SOURCE_START,
+  TEST_ITR_UNSKIPPABLE,
+  TEST_ITR_FORCED_RUN
 } = require('../../dd-trace/src/plugins/util/test')
 const { COMPONENT } = require('../../dd-trace/src/constants')
 const id = require('../../dd-trace/src/id')
@@ -50,7 +52,9 @@ class JestPlugin extends CiPlugin {
       isSuitesSkippingEnabled,
       isCodeCoverageEnabled,
       testCodeCoverageLinesTotal,
-      numSkippedSuites
+      numSkippedSuites,
+      hasUnskippableSuites,
+      hasForcedToRunSuites
     }) => {
       this.testSessionSpan.setTag(TEST_STATUS, status)
       this.testModuleSpan.setTag(TEST_STATUS, status)
@@ -64,7 +68,9 @@ class JestPlugin extends CiPlugin {
           isCodeCoverageEnabled,
           testCodeCoverageLinesTotal,
           skippingType: 'suite',
-          skippingCount: numSkippedSuites
+          skippingCount: numSkippedSuites,
+          hasUnskippableSuites,
+          hasForcedToRunSuites
         }
       )
 
@@ -89,7 +95,9 @@ class JestPlugin extends CiPlugin {
       const {
         _ddTestSessionId: testSessionId,
         _ddTestCommand: testCommand,
-        _ddTestModuleId: testModuleId
+        _ddTestModuleId: testModuleId,
+        _ddForcedToRun,
+        _ddUnskippable
       } = testEnvironmentOptions
 
       const testSessionSpanContext = this.tracer.extract('text_map', {
@@ -99,6 +107,13 @@ class JestPlugin extends CiPlugin {
 
       const testSuiteMetadata = getTestSuiteCommonTags(testCommand, frameworkVersion, testSuite, 'jest')
 
+      if (_ddUnskippable) {
+        testSuiteMetadata[TEST_ITR_UNSKIPPABLE] = 'true'
+        if (_ddForcedToRun) {
+          testSuiteMetadata[TEST_ITR_FORCED_RUN] = 'true'
+        }
+      }
+
       this.testSuiteSpan = this.tracer.startSpan('jest.test_suite', {
         childOf: testSessionSpanContext,
         tags: {

package/packages/datadog-plugin-jest/src/util.js

@@ -1,4 +1,8 @@
+const { readFileSync } = require('fs')
+const { parse, extract } = require('jest-docblock')
+
 const { getTestSuitePath } = require('../../dd-trace/src/plugins/util/test')
+const log = require('../../dd-trace/src/log')
 
 /**
  * There are two ways to call `test.each` in `jest`:
@@ -47,17 +51,56 @@ function getJestTestName (test) {
   return titles.join(' ')
 }
 
+function isMarkedAsUnskippable (test) {
+  let docblocks
+
+  try {
+    const testSource = readFileSync(test.path, 'utf8')
+    docblocks = parse(extract(testSource))
+  } catch (e) {
+    // If we have issues parsing the file, we'll assume no unskippable was passed
+    return false
+  }
+
+  // docblocks were correctly parsed but it does not include a @datadog block
+  if (!docblocks?.datadog) {
+    return false
+  }
+
+  try {
+    return JSON.parse(docblocks.datadog).unskippable
+  } catch (e) {
+    // If the @datadog block comment is present but malformed, we'll run the suite
+    log.warn('@datadog block comment is malformed.')
+    return true
+  }
+}
+
 function getJestSuitesToRun (skippableSuites, originalTests, rootDir) {
   return originalTests.reduce((acc, test) => {
     const relativePath = getTestSuitePath(test.path, rootDir)
     const shouldBeSkipped = skippableSuites.includes(relativePath)
+
+    if (isMarkedAsUnskippable(test)) {
+      acc.suitesToRun.push(test)
+      if (test?.context?.config?.testEnvironmentOptions) {
+        test.context.config.testEnvironmentOptions['_ddUnskippable'] = true
+        acc.hasUnskippableSuites = true
+        if (shouldBeSkipped) {
+          test.context.config.testEnvironmentOptions['_ddForcedToRun'] = true
+          acc.hasForcedToRunSuites = true
+        }
+      }
+      return acc
+    }
+
     if (shouldBeSkipped) {
       acc.skippedSuites.push(relativePath)
     } else {
       acc.suitesToRun.push(test)
     }
     return acc
-  }, { skippedSuites: [], suitesToRun: [] })
+  }, { skippedSuites: [], suitesToRun: [], hasUnskippableSuites: false, hasForcedToRunSuites: false })
 }
 
-module.exports = { getFormattedJestTestParameters, getJestTestName, getJestSuitesToRun }
+module.exports = { getFormattedJestTestParameters, getJestTestName, getJestSuitesToRun, isMarkedAsUnskippable }

package/packages/datadog-plugin-memcached/src/index.js

@@ -9,15 +9,20 @@ class MemcachedPlugin extends CachePlugin {
   start ({ client, server, query }) {
     const address = getAddress(client, server, query)
 
+    const meta = {
+      'out.host': address[0],
+      [CLIENT_PORT_KEY]: address[1]
+    }
+
+    if (this.config.memcachedCommandEnabled) {
+      meta['memcached.command'] = query.command
+    }
+
     this.startSpan({
       service: this.serviceName({ pluginConfig: this.config, system: this.system }),
       resource: query.type,
       type: 'memcached',
-      meta: {
-        'memcached.command': query.command,
-        'out.host': address[0],
-        [CLIENT_PORT_KEY]: address[1]
-      }
+      meta
     })
   }
 }

package/packages/datadog-plugin-mocha/src/index.js

@@ -11,7 +11,9 @@ const {
   getTestParametersString,
   getTestSuiteCommonTags,
   addIntelligentTestRunnerSpanTags,
-  TEST_SOURCE_START
+  TEST_SOURCE_START,
+  TEST_ITR_UNSKIPPABLE,
+  TEST_ITR_FORCED_RUN
 } = require('../../dd-trace/src/plugins/util/test')
 const { COMPONENT } = require('../../dd-trace/src/constants')
 
@@ -47,14 +49,21 @@ class MochaPlugin extends CiPlugin {
       this.tracer._exporter.exportCoverage(formattedCoverage)
     })
 
-    this.addSub('ci:mocha:test-suite:start', (suite) => {
+    this.addSub('ci:mocha:test-suite:start', ({ testSuite, isUnskippable, isForcedToRun }) => {
       const store = storage.getStore()
       const testSuiteMetadata = getTestSuiteCommonTags(
         this.command,
         this.frameworkVersion,
-        getTestSuitePath(suite.file, this.sourceRoot),
+        getTestSuitePath(testSuite, this.sourceRoot),
         'mocha'
       )
+      if (isUnskippable) {
+        testSuiteMetadata[TEST_ITR_UNSKIPPABLE] = 'true'
+      }
+      if (isForcedToRun) {
+        testSuiteMetadata[TEST_ITR_FORCED_RUN] = 'true'
+      }
+
       const testSuiteSpan = this.tracer.startSpan('mocha.test_suite', {
         childOf: this.testModuleSpan,
         tags: {
@@ -64,7 +73,7 @@ class MochaPlugin extends CiPlugin {
         }
       })
       this.enter(testSuiteSpan, store)
-      this._testSuites.set(suite.file, testSuiteSpan)
+      this._testSuites.set(testSuite, testSuiteSpan)
     })
 
     this.addSub('ci:mocha:test-suite:finish', (status) => {
@@ -139,7 +148,9 @@ class MochaPlugin extends CiPlugin {
       status,
       isSuitesSkipped,
       testCodeCoverageLinesTotal,
-      numSkippedSuites
+      numSkippedSuites,
+      hasForcedToRunSuites,
+      hasUnskippableSuites
     }) => {
       if (this.testSessionSpan) {
         const { isSuitesSkippingEnabled, isCodeCoverageEnabled } = this.itrConfig || {}
@@ -155,7 +166,9 @@ class MochaPlugin extends CiPlugin {
             isCodeCoverageEnabled,
             testCodeCoverageLinesTotal,
             skippingCount: numSkippedSuites,
-            skippingType: 'suite'
+            skippingType: 'suite',
+            hasForcedToRunSuites,
+            hasUnskippableSuites
           }
         )
 

package/packages/datadog-plugin-mysql/src/index.js

@@ -9,7 +9,7 @@ class MySQLPlugin extends DatabasePlugin {
 
   start (payload) {
     const service = this.serviceName({ pluginConfig: this.config, dbConfig: payload.conf, system: this.system })
-    this.startSpan(this.operationName(), {
+    const span = this.startSpan(this.operationName(), {
       service,
       resource: payload.sql,
       type: 'sql',
@@ -22,7 +22,7 @@ class MySQLPlugin extends DatabasePlugin {
         [CLIENT_PORT_KEY]: payload.conf.port
       }
     })
-    payload.sql = this.injectDbmQuery(payload.sql, service)
+    payload.sql = this.injectDbmQuery(span, payload.sql, service)
   }
 }
 

package/packages/datadog-plugin-next/src/index.js

@@ -50,7 +50,6 @@ class NextPlugin extends ServerPlugin {
 
     const span = store.span
     const error = span.context()._tags['error']
-    const page = span.context()._tags['next.page']
 
     if (!this.config.validateStatus(res.statusCode) && !error) {
       span.setTag('error', true)
@@ -60,14 +59,12 @@ class NextPlugin extends ServerPlugin {
       'http.status_code': res.statusCode
     })
 
-    if (page) web.setRoute(req, page)
-
     this.config.hooks.request(span, req, res)
 
     span.finish()
   }
 
-  pageLoad ({ page }) {
+  pageLoad ({ page, isAppPath }) {
     const store = storage.getStore()
 
     if (!store) return
@@ -77,15 +74,27 @@ class NextPlugin extends ServerPlugin {
 
     // Only use error page names if there's not already a name
     const current = span.context()._tags['next.page']
-    if (current && (page === '/404' || page === '/500' || page === '/_error')) {
+    if (current && ['/404', '/500', '/_error', '/_not-found'].includes(page)) {
       return
     }
 
+    // remove ending /route or /page for appDir projects
+    if (isAppPath) page = page.substring(0, page.lastIndexOf('/'))
+
+    // This is for static files whose 'page' includes the whole file path
+    // For normal page matches, like /api/hello/[name] and a req.url like /api/hello/world,
+    // nothing should happen
+    // For page matches like /User/something/public/text.txt and req.url like /text.txt,
+    // it should disregard the extra absolute path Next.js sometimes sets
+    if (page.includes(req.url)) page = req.url
+
     span.addTags({
       [COMPONENT]: this.constructor.id,
       'resource.name': `${req.method} ${page}`.trim(),
       'next.page': page
     })
+
+    web.setRoute(req, page)
   }
 
   configure (config) {

package/packages/datadog-plugin-pg/src/index.js

@@ -12,7 +12,7 @@ class PGPlugin extends DatabasePlugin {
     const service = this.serviceName({ pluginConfig: this.config, params })
     const originalStatement = this.maybeTruncate(query.text)
 
-    this.startSpan(this.operationName(), {
+    const span = this.startSpan(this.operationName(), {
       service,
       resource: originalStatement,
       type: 'sql',
@@ -27,7 +27,7 @@ class PGPlugin extends DatabasePlugin {
       }
     })
 
-    query.__ddInjectableQuery = this.injectDbmQuery(query.text, service, !!query.name)
+    query.__ddInjectableQuery = this.injectDbmQuery(span, query.text, service, !!query.name)
   }
 }
 

package/packages/dd-trace/src/appsec/channels.js

@@ -5,10 +5,13 @@ const dc = require('../../../diagnostics_channel')
 // TODO: use TBD naming convention
 module.exports = {
   bodyParser: dc.channel('datadog:body-parser:read:finish'),
+  cookieParser: dc.channel('datadog:cookie-parser:read:finish'),
   graphqlFinishExecute: dc.channel('apm:graphql:execute:finish'),
   incomingHttpRequestStart: dc.channel('dd-trace:incomingHttpRequestStart'),
   incomingHttpRequestEnd: dc.channel('dd-trace:incomingHttpRequestEnd'),
   passportVerify: dc.channel('datadog:passport:verify:finish'),
   queryParser: dc.channel('datadog:query:read:finish'),
-  setCookieChannel: dc.channel('datadog:iast:set-cookie')
+  setCookieChannel: dc.channel('datadog:iast:set-cookie'),
+  nextBodyParsed: dc.channel('apm:next:body-parsed'),
+  nextQueryParsed: dc.channel('apm:next:query-parsed')
 }

package/packages/dd-trace/src/appsec/iast/analyzers/analyzers.js

@@ -7,6 +7,7 @@ module.exports = {
   'LDAP_ANALYZER': require('./ldap-injection-analyzer'),
   'NO_HTTPONLY_COOKIE_ANALYZER': require('./no-httponly-cookie-analyzer'),
   'NO_SAMESITE_COOKIE_ANALYZER': require('./no-samesite-cookie-analyzer'),
+  'NOSQL_MONGODB_INJECTION': require('./nosql-injection-mongodb-analyzer'),
   'PATH_TRAVERSAL_ANALYZER': require('./path-traversal-analyzer'),
   'SQL_INJECTION_ANALYZER': require('./sql-injection-analyzer'),
   'SSRF': require('./ssrf-analyzer'),

package/packages/dd-trace/src/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.js

@@ -0,0 +1,166 @@
+'use strict'
+
+const InjectionAnalyzer = require('./injection-analyzer')
+const { NOSQL_MONGODB_INJECTION } = require('../vulnerabilities')
+const { getRanges, addSecureMark } = require('../taint-tracking/operations')
+const { getNodeModulesPaths } = require('../path-line')
+const { getNextSecureMark } = require('../taint-tracking/secure-marks-generator')
+const { storage } = require('../../../../../datadog-core')
+const { getIastContext } = require('../iast-context')
+
+const EXCLUDED_PATHS_FROM_STACK = getNodeModulesPaths('mongodb', 'mongoose')
+const MONGODB_NOSQL_SECURE_MARK = getNextSecureMark()
+
+function iterateObjectStrings (target, fn, levelKeys = [], depth = 50, visited = new Set()) {
+  if (target && typeof target === 'object') {
+    Object.keys(target).forEach((key) => {
+      const nextLevelKeys = [...levelKeys, key]
+      const val = target[key]
+
+      if (typeof val === 'string') {
+        fn(val, nextLevelKeys, target, key)
+      } else if (depth > 0 && !visited.has(val)) {
+        iterateObjectStrings(val, fn, nextLevelKeys, depth - 1, visited)
+        visited.add(val)
+      }
+    })
+  }
+}
+
+class NosqlInjectionMongodbAnalyzer extends InjectionAnalyzer {
+  constructor () {
+    super(NOSQL_MONGODB_INJECTION)
+    this.sanitizedObjects = new WeakSet()
+  }
+
+  onConfigure () {
+    this.configureSanitizers()
+
+    this.addSub('datadog:mongodb:collection:filter:start', ({ filters }) => {
+      const store = storage.getStore()
+      if (store && !store.nosqlAnalyzed && filters?.length) {
+        filters.forEach(filter => {
+          this.analyze({ filter }, store)
+        })
+      }
+    })
+
+    this.addSub('datadog:mongoose:model:filter:start', ({ filters }) => {
+      const store = storage.getStore()
+      if (!store) return
+
+      if (filters?.length) {
+        filters.forEach(filter => {
+          this.analyze({ filter }, store)
+        })
+      }
+
+      storage.enterWith({ ...store, nosqlAnalyzed: true, mongooseParentStore: store })
+    })
+
+    this.addSub('datadog:mongoose:model:filter:finish', () => {
+      const store = storage.getStore()
+      if (store?.mongooseParentStore) {
+        storage.enterWith(store.mongooseParentStore)
+      }
+    })
+  }
+
+  configureSanitizers () {
+    this.addNotSinkSub('datadog:express-mongo-sanitize:filter:finish', ({ sanitizedProperties, req }) => {
+      const store = storage.getStore()
+      const iastContext = getIastContext(store)
+
+      if (iastContext) { // do nothing if we are not in an iast request
+        sanitizedProperties.forEach(key => {
+          iterateObjectStrings(req[key], function (value, levelKeys) {
+            if (typeof value === 'string') {
+              let parentObj = req[key]
+              const levelsLength = levelKeys.length
+
+              for (let i = 0; i < levelsLength; i++) {
+                const currentLevelKey = levelKeys[i]
+
+                if (i === levelsLength - 1) {
+                  parentObj[currentLevelKey] = addSecureMark(iastContext, value, MONGODB_NOSQL_SECURE_MARK)
+                } else {
+                  parentObj = parentObj[currentLevelKey]
+                }
+              }
+            }
+          })
+        })
+      }
+    })
+
+    this.addNotSinkSub('datadog:express-mongo-sanitize:sanitize:finish', ({ sanitizedObject }) => {
+      const store = storage.getStore()
+      const iastContext = getIastContext(store)
+
+      if (iastContext) { // do nothing if we are not in an iast request
+        iterateObjectStrings(sanitizedObject, function (value, levelKeys, parent, lastKey) {
+          try {
+            parent[lastKey] = addSecureMark(iastContext, value, MONGODB_NOSQL_SECURE_MARK)
+          } catch {
+            // if it is a readonly property, do nothing
+          }
+        })
+      }
+    })
+
+    this.addNotSinkSub('datadog:mongoose:sanitize-filter:finish', ({ sanitizedObject }) => {
+      this.sanitizedObjects.add(sanitizedObject)
+    })
+  }
+
+  _isVulnerable (value, iastContext) {
+    if (value?.filter && iastContext) {
+      let isVulnerable = false
+
+      if (this.sanitizedObjects.has(value.filter)) {
+        return false
+      }
+
+      const rangesByKey = {}
+      const allRanges = []
+
+      iterateObjectStrings(value.filter, function (val, nextLevelKeys) {
+        const ranges = getRanges(iastContext, val)
+        if (ranges?.length) {
+          const filteredRanges = []
+
+          for (const range of ranges) {
+            if ((range.secureMarks & MONGODB_NOSQL_SECURE_MARK) !== MONGODB_NOSQL_SECURE_MARK) {
+              isVulnerable = true
+              filteredRanges.push(range)
+            }
+          }
+
+          if (filteredRanges.length > 0) {
+            rangesByKey[nextLevelKeys.join('.')] = filteredRanges
+            allRanges.push(...filteredRanges)
+          }
+        }
+      }, [], 4)
+
+      if (isVulnerable) {
+        value.rangesToApply = rangesByKey
+        value.ranges = allRanges
+      }
+
+      return isVulnerable
+    }
+    return false
+  }
+
+  _getEvidence (value, iastContext) {
+    return { value: value.filter, rangesToApply: value.rangesToApply, ranges: value.ranges }
+  }
+
+  _getExcludedPaths () {
+    return EXCLUDED_PATHS_FROM_STACK
+  }
+}
+
+module.exports = new NosqlInjectionMongodbAnalyzer()
+module.exports.MONGODB_NOSQL_SECURE_MARK = MONGODB_NOSQL_SECURE_MARK

package/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js

@@ -8,7 +8,7 @@ const { getIastContext } = require('../iast-context')
 const { addVulnerability } = require('../vulnerability-reporter')
 const { getNodeModulesPaths } = require('../path-line')
 
-const EXCLUDED_PATHS = getNodeModulesPaths('mysql', 'mysql2', 'sequelize', 'pg-pool')
+const EXCLUDED_PATHS = getNodeModulesPaths('mysql', 'mysql2', 'sequelize', 'pg-pool', 'knex')
 
 class SqlInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
@@ -31,6 +31,12 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
 
     this.addSub('datadog:mysql:pool:query:start', ({ sql }) => this.getStoreAndAnalyze(sql, 'MYSQL'))
     this.addSub('datadog:mysql:pool:query:finish', () => this.returnToParentStore())
+
+    this.addSub('datadog:knex:raw:start', ({ sql, dialect: knexDialect }) => {
+      const dialect = this.normalizeKnexDialect(knexDialect)
+      this.getStoreAndAnalyze(sql, dialect)
+    })
+    this.addSub('datadog:knex:raw:finish', () => this.returnToParentStore())
   }
 
   getStoreAndAnalyze (query, dialect) {
@@ -83,6 +89,20 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
   _getExcludedPaths () {
     return EXCLUDED_PATHS
   }
+
+  normalizeKnexDialect (knexDialect) {
+    if (knexDialect === 'postgresql') {
+      return 'POSTGRES'
+    }
+
+    if (knexDialect === 'sqlite3') {
+      return 'SQLITE'
+    }
+
+    if (typeof knexDialect === 'string') {
+      return knexDialect.toUpperCase()
+    }
+  }
 }
 
 module.exports = new SqlInjectionAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/unvalidated-redirect-analyzer.js

@@ -6,8 +6,8 @@ const { getNodeModulesPaths } = require('../path-line')
 const { getRanges } = require('../taint-tracking/operations')
 const {
   HTTP_REQUEST_HEADER_VALUE,
-  HTTP_REQUEST_PATH,
-  HTTP_REQUEST_PATH_PARAM
+  HTTP_REQUEST_PATH_PARAM,
+  HTTP_REQUEST_URI
 } = require('../taint-tracking/source-types')
 
 const EXCLUDED_PATHS = getNodeModulesPaths('express/lib/response.js')
@@ -56,7 +56,7 @@ class UnvalidatedRedirectAnalyzer extends InjectionAnalyzer {
   }
 
   _isUrl (range) {
-    return range.iinfo.type === HTTP_REQUEST_PATH
+    return range.iinfo.type === HTTP_REQUEST_URI
   }
 
   _getExcludedPaths () {

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -71,8 +71,7 @@ class Analyzer extends SinkIastPlugin {
     return store && !iastContext
   }
 
-  analyze (value) {
-    const store = storage.getStore()
+  analyze (value, store = storage.getStore()) {
     const iastContext = getIastContext(store)
     if (this._isInvalidContext(store, iastContext)) return