dd-trace 3.9.3 → 3.11.0

package/packages/datadog-instrumentations/src/pg.js

@@ -40,9 +40,8 @@ function wrapQuery (query) {
     const callbackResource = new AsyncResource('bound-anonymous-fn')
     const asyncResource = new AsyncResource('bound-anonymous-fn')
     const processId = this.processID
-
     return asyncResource.runInAsyncScope(() => {
-      startCh.publish({ params: this.connectionParameters, query: pgQuery, processId })
+      startCh.publish({ params: this.connectionParameters, originalQuery: pgQuery.text, query: pgQuery, processId })
 
       const finish = asyncResource.bind(function (error) {
         if (error) {

package/packages/datadog-instrumentations/src/router.js

@@ -90,7 +90,7 @@ function createWrapRouterMethod (name) {
 
   function wrapNext (req, next) {
     return function (error) {
-      if (error) {
+      if (error && error !== 'route' && error !== 'router') {
         errorChannel.publish({ req, error })
       }
 

package/packages/datadog-plugin-cucumber/src/index.js

@@ -21,7 +21,7 @@ class CucumberPlugin extends CiPlugin {
     super(...args)
 
     this.addSub('ci:cucumber:session:finish', () => {
-      this.tracer._exporter._writer.flush()
+      this.tracer._exporter.flush()
     })
 
     this.addSub('ci:cucumber:run:start', ({ testName, fullTestSuite }) => {

package/packages/datadog-plugin-http/src/server.js

@@ -3,7 +3,7 @@
 const Plugin = require('../../dd-trace/src/plugins/plugin')
 const { storage } = require('../../datadog-core')
 const web = require('../../dd-trace/src/plugins/util/web')
-const { incomingHttpRequestStart } = require('../../dd-trace/src/appsec/gateway/channels')
+const { incomingHttpRequestStart, incomingHttpRequestEnd } = require('../../dd-trace/src/appsec/gateway/channels')
 const { COMPONENT } = require('../../dd-trace/src/constants')
 
 class HttpServerPlugin extends Plugin {
@@ -16,7 +16,7 @@ class HttpServerPlugin extends Plugin {
 
     this._parentStore = undefined
 
-    this.addSub('apm:http:server:request:start', ({ req, res }) => {
+    this.addSub('apm:http:server:request:start', ({ req, res, abortController }) => {
       const store = storage.getStore()
       const span = web.startSpan(this.tracer, this.config, req, res, 'web.request')
 
@@ -33,7 +33,7 @@ class HttpServerPlugin extends Plugin {
       }
 
       if (incomingHttpRequestStart.hasSubscribers) {
-        incomingHttpRequestStart.publish({ req, res })
+        incomingHttpRequestStart.publish({ req, res, abortController })
       }
     })
 
@@ -42,7 +42,8 @@ class HttpServerPlugin extends Plugin {
     })
 
     this.addSub('apm:http:server:request:exit', ({ req }) => {
-      this.enter(this._parentStore)
+      const span = this._parentStore && this._parentStore.span
+      this.enter(span, this._parentStore)
       this._parentStore = undefined
     })
 
@@ -51,6 +52,10 @@ class HttpServerPlugin extends Plugin {
 
       if (!context || !context.res) return // Not created by a http.Server instance.
 
+      if (incomingHttpRequestEnd.hasSubscribers) {
+        incomingHttpRequestEnd.publish({ req, res: context.res })
+      }
+
       web.finishAll(context)
     })
   }

package/packages/datadog-plugin-jest/src/index.js

@@ -15,6 +15,8 @@ const {
   TEST_SUITE_ID,
   TEST_COMMAND,
   TEST_ITR_TESTS_SKIPPED,
+  TEST_SESSION_ITR_CODE_COVERAGE_ENABLED,
+  TEST_SESSION_ITR_SKIPPING_ENABLED,
   TEST_CODE_COVERAGE_LINES_TOTAL
 } = require('../../dd-trace/src/plugins/util/test')
 const { COMPONENT } = require('../../dd-trace/src/constants')
@@ -33,7 +35,7 @@ class JestPlugin extends CiPlugin {
     // Used to handle the end of a jest worker to be able to flush
     const handler = ([message]) => {
       if (message === CHILD_MESSAGE_END) {
-        this.tracer._exporter._writer.flush(() => {
+        this.tracer._exporter.flush(() => {
           // eslint-disable-next-line
           // https://github.com/facebook/jest/blob/24ed3b5ecb419c023ee6fdbc838f07cc028fc007/packages/jest-worker/src/workers/processChild.ts#L118-L133
           // Only after the flush is done we clean up open handles
@@ -48,9 +50,6 @@ class JestPlugin extends CiPlugin {
     this.codeOwnersEntries = getCodeOwnersFileEntries()
 
     this.addSub('ci:jest:session:start', (command) => {
-      if (!this.config.isAgentlessEnabled) {
-        return
-      }
       const store = storage.getStore()
       const childOf = getTestParentSpan(this.tracer)
       const testSessionSpanMetadata = getTestSessionCommonTags(command, this.tracer._version)
@@ -66,30 +65,32 @@ class JestPlugin extends CiPlugin {
       this.enter(testSessionSpan, store)
     })
 
-    this.addSub('ci:jest:session:finish', ({ status, isTestsSkipped, testCodeCoverageLinesTotal }) => {
-      if (!this.config.isAgentlessEnabled) {
-        return
-      }
+    this.addSub('ci:jest:session:finish', ({
+      status,
+      isSuitesSkipped,
+      isSuitesSkippingEnabled,
+      isCodeCoverageEnabled,
+      testCodeCoverageLinesTotal
+    }) => {
       const testSessionSpan = storage.getStore().span
+
       testSessionSpan.setTag(TEST_STATUS, status)
-      if (isTestsSkipped) {
-        testSessionSpan.setTag(TEST_ITR_TESTS_SKIPPED, 'true')
-      }
+      testSessionSpan.setTag(TEST_ITR_TESTS_SKIPPED, isSuitesSkipped ? 'true' : 'false')
+      testSessionSpan.setTag(TEST_SESSION_ITR_SKIPPING_ENABLED, isSuitesSkippingEnabled ? 'true' : 'false')
+      testSessionSpan.setTag(TEST_SESSION_ITR_CODE_COVERAGE_ENABLED, isCodeCoverageEnabled ? 'true' : 'false')
+
       if (testCodeCoverageLinesTotal !== undefined) {
         testSessionSpan.setTag(TEST_CODE_COVERAGE_LINES_TOTAL, testCodeCoverageLinesTotal)
       }
       testSessionSpan.finish()
       finishAllTraceSpans(testSessionSpan)
-      this.tracer._exporter._writer.flush()
+      this.tracer._exporter.flush()
     })
 
     // Test suites can be run in a different process from jest's main one.
     // This subscriber changes the configuration objects from jest to inject the trace id
     // of the test session to the processes that run the test suites.
     this.addSub('ci:jest:session:configuration', configs => {
-      if (!this.config.isAgentlessEnabled) {
-        return
-      }
       const testSessionSpan = storage.getStore().span
       configs.forEach(config => {
         config._ddTestSessionId = testSessionSpan.context()._traceId.toString(10)
@@ -98,10 +99,6 @@ class JestPlugin extends CiPlugin {
     })
 
     this.addSub('ci:jest:test-suite:start', ({ testSuite, testEnvironmentOptions }) => {
-      if (!this.config.isAgentlessEnabled) {
-        return
-      }
-
       const { _ddTestSessionId: testSessionId, _ddTestCommand: testCommand } = testEnvironmentOptions
 
       const store = storage.getStore()
@@ -125,9 +122,6 @@ class JestPlugin extends CiPlugin {
     })
 
     this.addSub('ci:jest:test-suite:finish', ({ status, errorMessage }) => {
-      if (!this.config.isAgentlessEnabled) {
-        return
-      }
       const testSuiteSpan = storage.getStore().span
       testSuiteSpan.setTag(TEST_STATUS, status)
       if (errorMessage) {
@@ -139,10 +133,12 @@ class JestPlugin extends CiPlugin {
       finishAllTraceSpans(testSuiteSpan)
     })
 
+    /**
+     * This can't use `this.itrConfig` like `ci:mocha:test-suite:code-coverage`
+     * because this subscription happens in a different process from the one
+     * fetching the ITR config.
+     */
     this.addSub('ci:jest:test-suite:code-coverage', (coverageFiles) => {
-      if (!this.config.isAgentlessEnabled || !this.config.isIntelligentTestRunnerEnabled) {
-        return
-      }
       const testSuiteSpan = storage.getStore().span
       this.tracer._exporter.exportCoverage({ span: testSuiteSpan, coverageFiles })
     })

package/packages/datadog-plugin-mocha/src/index.js

@@ -14,7 +14,10 @@ const {
   getTestSuiteCommonTags,
   TEST_SUITE_ID,
   TEST_SESSION_ID,
-  TEST_COMMAND
+  TEST_COMMAND,
+  TEST_ITR_TESTS_SKIPPED,
+  TEST_SESSION_ITR_CODE_COVERAGE_ENABLED,
+  TEST_SESSION_ITR_SKIPPING_ENABLED
 } = require('../../dd-trace/src/plugins/util/test')
 const { COMPONENT } = require('../../dd-trace/src/constants')
 
@@ -31,9 +34,6 @@ class MochaPlugin extends CiPlugin {
     this.sourceRoot = process.cwd()
 
     this.addSub('ci:mocha:test-suite:code-coverage', ({ coverageFiles, suiteFile }) => {
-      if (!this.config.isAgentlessEnabled || !this.config.isIntelligentTestRunnerEnabled) {
-        return
-      }
       if (!this.itrConfig || !this.itrConfig.isCodeCoverageEnabled) {
         return
       }
@@ -49,9 +49,6 @@ class MochaPlugin extends CiPlugin {
     })
 
     this.addSub('ci:mocha:session:start', (command) => {
-      if (!this.config.isAgentlessEnabled) {
-        return
-      }
       const childOf = getTestParentSpan(this.tracer)
       const testSessionSpanMetadata = getTestSessionCommonTags(command, this.tracer._version)
 
@@ -67,9 +64,6 @@ class MochaPlugin extends CiPlugin {
     })
 
     this.addSub('ci:mocha:test-suite:start', (suite) => {
-      if (!this.config.isAgentlessEnabled) {
-        return
-      }
       const store = storage.getStore()
       const testSuiteMetadata = getTestSuiteCommonTags(
         this.command,
@@ -89,9 +83,6 @@ class MochaPlugin extends CiPlugin {
     })
 
     this.addSub('ci:mocha:test-suite:finish', (status) => {
-      if (!this.config.isAgentlessEnabled) {
-        return
-      }
       const span = storage.getStore().span
       // the test status of the suite may have been set in ci:mocha:test-suite:error already
       if (!span.context()._tags[TEST_STATUS]) {
@@ -101,9 +92,6 @@ class MochaPlugin extends CiPlugin {
     })
 
     this.addSub('ci:mocha:test-suite:error', (err) => {
-      if (!this.config.isAgentlessEnabled) {
-        return
-      }
       const span = storage.getStore().span
       span.setTag('error', err)
       span.setTag(TEST_STATUS, 'fail')
@@ -151,14 +139,19 @@ class MochaPlugin extends CiPlugin {
       this._testNameToParams[name] = params
     })
 
-    this.addSub('ci:mocha:session:finish', (status) => {
+    this.addSub('ci:mocha:session:finish', ({ status, isSuitesSkipped }) => {
       if (this.testSessionSpan) {
+        const { isSuitesSkippingEnabled, isCodeCoverageEnabled } = this.itrConfig || {}
         this.testSessionSpan.setTag(TEST_STATUS, status)
+        this.testSessionSpan.setTag(TEST_ITR_TESTS_SKIPPED, isSuitesSkipped ? 'true' : 'false')
+        this.testSessionSpan.setTag(TEST_SESSION_ITR_SKIPPING_ENABLED, isSuitesSkippingEnabled ? 'true' : 'false')
+        this.testSessionSpan.setTag(TEST_SESSION_ITR_CODE_COVERAGE_ENABLED, isCodeCoverageEnabled ? 'true' : 'false')
+
         this.testSessionSpan.finish()
         finishAllTraceSpans(this.testSessionSpan)
       }
-      this.tracer._exporter._writer.flush()
       this.itrConfig = null
+      this.tracer._exporter.flush()
     })
   }
 

package/packages/datadog-plugin-mongodb-core/src/index.js

@@ -8,7 +8,7 @@ class MongodbCorePlugin extends DatabasePlugin {
 
   start ({ ns, ops, options = {}, name }) {
     const query = getQuery(ops)
-    const resource = truncate(getResource(ns, query, name))
+    const resource = truncate(getResource(this, ns, query, name))
 
     this.startSpan('mongodb.query', {
       service: this.config.service,
@@ -31,10 +31,10 @@ function getQuery (cmd) {
   if (cmd.filter) return JSON.stringify(limitDepth(cmd.filter))
 }
 
-function getResource (ns, query, operationName) {
+function getResource (plugin, ns, query, operationName) {
   const parts = [operationName, ns]
 
-  if (query) {
+  if (plugin.config.queryInResourceName && query) {
     parts.push(query)
   }
 

package/packages/datadog-plugin-router/src/index.js

@@ -29,8 +29,9 @@ class RouterPlugin extends WebPlugin {
         context.middleware.push(span)
       }
 
-      this._storeStack.push(storage.getStore())
-      this.enter(span)
+      const store = storage.getStore()
+      this._storeStack.push(store)
+      this.enter(span, store)
 
       web.patch(req)
       web.setRoute(req, context.route)
@@ -53,7 +54,9 @@ class RouterPlugin extends WebPlugin {
     })
 
     this.addSub(`apm:${this.constructor.name}:middleware:exit`, ({ req }) => {
-      this.enter(this._storeStack.pop())
+      const savedStore = this._storeStack.pop()
+      const span = savedStore && savedStore.span
+      this.enter(span, savedStore)
     })
 
     this.addSub(`apm:${this.constructor.name}:middleware:error`, ({ req, error }) => {

package/packages/dd-trace/src/appsec/addresses.js

@@ -14,5 +14,7 @@ module.exports = {
   HTTP_INCOMING_RESPONSE_HEADERS: 'server.response.headers.no_cookies',
   // TODO: 'server.response.trailers',
   HTTP_INCOMING_REMOTE_IP: 'server.request.client_ip',
-  HTTP_INCOMING_REMOTE_PORT: 'server.request.client_port'
+  HTTP_INCOMING_REMOTE_PORT: 'server.request.client_port',
+
+  HTTP_CLIENT_IP: 'http.client_ip'
 }

package/packages/dd-trace/src/appsec/blocking.js

@@ -0,0 +1,44 @@
+'use strict'
+
+const fs = require('fs')
+let templateHtml, templateJson
+function block (req, res, topSpan, abortController) {
+  let type
+  let body
+
+  // parse the Accept header, ex: Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8
+  const accept = req.headers.accept && req.headers.accept.split(',').map((str) => str.split(';', 1)[0].trim())
+
+  if (accept && accept.includes('text/html') && !accept.includes('application/json')) {
+    type = 'text/html'
+    body = templateHtml
+  } else {
+    type = 'application/json'
+    body = templateJson
+  }
+
+  topSpan.addTags({
+    'appsec.blocked': 'true'
+  })
+
+  res.statusCode = 403
+  res.setHeader('Content-Type', type)
+  res.setHeader('Content-Length', Buffer.byteLength(body))
+  res.end(body)
+
+  abortController.abort()
+}
+
+function loadTemplates (config) {
+  templateHtml = fs.readFileSync(config.appsec.blockedTemplateHtml)
+  templateJson = fs.readFileSync(config.appsec.blockedTemplateJson)
+}
+
+async function loadTemplatesAsync (config) {
+  templateHtml = await fs.promises.readFile(config.appsec.blockedTemplateHtml)
+  templateJson = await fs.promises.readFile(config.appsec.blockedTemplateJson)
+}
+
+module.exports = {
+  block, loadTemplates, loadTemplatesAsync
+}

package/packages/dd-trace/src/appsec/callbacks/ddwaf.js

@@ -61,7 +61,7 @@ class WAFCallback {
 
           subscribedAddresses.add(address)
 
-          Gateway.manager.addSubscription({ addresses: [ address ], callback })
+          Gateway.manager.addSubscription({ addresses: [address], callback })
         }
       }
     }
@@ -123,6 +123,10 @@ class WAFCallback {
     return result.actions
   }
 
+  updateRuleData (ruleData) {
+    this.ddwaf.updateRuleData(ruleData)
+  }
+
   clear () {
     this.ddwaf.dispose()
 

package/packages/dd-trace/src/appsec/gateway/engine/engine.js

@@ -28,7 +28,7 @@ class SubscriptionManager {
       const list = this.addressToSubscriptions.get(address)
 
       if (list === undefined) {
-        this.addressToSubscriptions.set(address, [ subscription ])
+        this.addressToSubscriptions.set(address, [subscription])
       } else {
         list.push(subscription)
       }

package/packages/dd-trace/src/appsec/gateway/engine/index.js

@@ -22,6 +22,10 @@ function getContext () {
   return store && store.get('context')
 }
 
+function needsAddress (address) {
+  return manager.addresses.has(address)
+}
+
 function propagate (data, context = getContext()) {
   if (!context) return
 
@@ -30,7 +34,7 @@ function propagate (data, context = getContext()) {
   for (let i = 0; i < keys.length; ++i) {
     const key = keys[i]
 
-    if (manager.addresses.has(key)) {
+    if (needsAddress(key)) {
       context.setValue(key, data[key])
     }
   }
@@ -42,5 +46,6 @@ module.exports = {
   manager,
   startContext,
   getContext,
+  needsAddress,
   propagate
 }

package/packages/dd-trace/src/appsec/gateway/engine/runner.js

@@ -26,7 +26,6 @@ function runSubscriptions (subscriptions, params) {
       result = subscription.callback.method(params, store)
     } catch (err) {
       // TODO: log ?
-      result = {}
     }
 
     results.push(result)

package/packages/dd-trace/src/appsec/iast/analyzers/analyzers.js

@@ -2,5 +2,6 @@ module.exports = {
   'WEAK_CIPHER_ANALYZER': require('./weak-cipher-analyzer'),
   'WEAK_HASH_ANALYZER': require('./weak-hash-analyzer'),
   'SQL_INJECTION_ANALYZER': require('./sql-injection-analyzer'),
-  'COMMAND_INJECTION_ANALYZER': require('./command-injection-analyzer')
+  'COMMAND_INJECTION_ANALYZER': require('./command-injection-analyzer'),
+  'LDAP_ANALYZER': require('./ldap-injection-analyzer')
 }

package/packages/dd-trace/src/appsec/iast/analyzers/ldap-injection-analyzer.js

@@ -0,0 +1,11 @@
+'use strict'
+const InjectionAnalyzer = require('./injection-analyzer')
+
+class LdapInjectionAnalyzer extends InjectionAnalyzer {
+  constructor () {
+    super('LDAP_INJECTION')
+    this.addSub('datadog:ldapjs:client:search', ({ base, filter }) => this.analyzeAll(base, filter))
+  }
+}
+
+module.exports = new LdapInjectionAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js

@@ -6,7 +6,7 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
     super('SQL_INJECTION')
     this.addSub('apm:mysql:query:start', ({ sql }) => this.analyze(sql))
     this.addSub('apm:mysql2:query:start', ({ sql }) => this.analyze(sql))
-    this.addSub('apm:pg:query:start', ({ query }) => query && this.analyze(query.text))
+    this.addSub('apm:pg:query:start', ({ originalQuery }) => this.analyze(originalQuery))
   }
 }
 

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -2,6 +2,7 @@
 
 const Plugin = require('../../../../src/plugins/plugin')
 const { storage } = require('../../../../../datadog-core')
+const log = require('../../../log')
 const { getFirstNonDDPathAndLine } = require('../path-line')
 const { createVulnerability, addVulnerability } = require('../vulnerability-reporter')
 const { getIastContext } = require('../iast-context')
@@ -13,6 +14,20 @@ class Analyzer extends Plugin {
     this._type = type
   }
 
+  _wrapHandler (handler) {
+    return (message, name) => {
+      try {
+        handler(message, name)
+      } catch (e) {
+        log.debug(e)
+      }
+    }
+  }
+
+  addSub (channelName, handler) {
+    super.addSub(channelName, this._wrapHandler(handler))
+  }
+
   _isVulnerable (value, context) {
     return false
   }
@@ -25,6 +40,14 @@ class Analyzer extends Plugin {
     addVulnerability(context, vulnerability)
   }
 
+  _reportIfVulnerable (value, context) {
+    if (this._isVulnerable(value, context) && this._checkOCE(context)) {
+      this._report(value, context)
+      return true
+    }
+    return false
+  }
+
   _getEvidence (value) {
     return { value }
   }
@@ -35,8 +58,23 @@ class Analyzer extends Plugin {
 
   analyze (value) {
     const iastContext = getIastContext(storage.getStore())
-    if (iastContext && this._isVulnerable(value, iastContext) && this._checkOCE(iastContext)) {
-      this._report(value, iastContext)
+    if (!iastContext) return
+
+    this._reportIfVulnerable(value, iastContext)
+  }
+
+  analyzeAll (...values) {
+    const iastContext = getIastContext(storage.getStore())
+    if (!iastContext) return
+
+    for (let i = 0; i < values.length; i++) {
+      const value = values[i]
+      if (this._isVulnerable(value, iastContext)) {
+        if (this._checkOCE(iastContext)) {
+          this._report(value, iastContext)
+        }
+        break
+      }
     }
   }
 

package/packages/dd-trace/src/appsec/iast/iast-context.js

@@ -1,4 +1,5 @@
 const IAST_CONTEXT_KEY = Symbol('_dd.iast.context')
+const IAST_TRANSACTION_ID = Symbol('_dd.iast.transactionId')
 
 function getIastContext (store) {
   return store && store[IAST_CONTEXT_KEY]
@@ -46,5 +47,6 @@ module.exports = {
   getIastContext,
   saveIastContext,
   cleanIastContext,
-  IAST_CONTEXT_KEY
+  IAST_CONTEXT_KEY,
+  IAST_TRANSACTION_ID
 }

package/packages/dd-trace/src/appsec/iast/index.js

@@ -7,6 +7,8 @@ const dc = require('diagnostics_channel')
 const iastContextFunctions = require('./iast-context')
 const { enableTaintTracking, disableTaintTracking, createTransaction, removeTransaction } = require('./taint-tracking')
 
+const IAST_ENABLED_TAG_KEY = '_dd.iast.enabled'
+
 // TODO Change to `apm:http:server:request:[start|close]` when the subscription
 //  order of the callbacks can be enforce
 const requestStart = dc.channel('dd-trace:incomingHttpRequestStart')
@@ -40,6 +42,11 @@ function onIncomingHttpRequestStart (data) {
           createTransaction(rootSpan.context().toSpanId(), iastContext)
           overheadController.initializeRequestContext(iastContext)
         }
+        if (rootSpan.addTags) {
+          rootSpan.addTags({
+            [IAST_ENABLED_TAG_KEY]: isRequestAcquired ? '1' : '0'
+          })
+        }
       }
     }
   }

package/packages/dd-trace/src/appsec/iast/path-line.js

@@ -1,4 +1,5 @@
 const path = require('path')
+const process = require('process')
 const pathLine = {
   getFirstNonDDPathAndLine,
   getFirstNonDDPathAndLineFromCallsites, // Exported only for test purposes
@@ -7,7 +8,7 @@ const pathLine = {
 }
 
 const EXCLUDED_PATHS = [
-  '/node_modules/diagnostics_channel'
+  path.join(path.sep, 'node_modules', 'diagnostics_channel')
 ]
 const EXCLUDED_PATH_PREFIXES = [
   'node:diagnostics_channel',
@@ -20,7 +21,7 @@ const EXCLUDED_PATH_PREFIXES = [
 
 function calculateDDBasePath (dirname) {
   const dirSteps = dirname.split(path.sep)
-  const packagesIndex = dirSteps.indexOf('packages')
+  const packagesIndex = dirSteps.lastIndexOf('packages')
   return dirSteps.slice(0, packagesIndex).join(path.sep) + path.sep
 }
 
@@ -43,10 +44,10 @@ function getFirstNonDDPathAndLineFromCallsites (callsites) {
   if (callsites) {
     for (let i = 0; i < callsites.length; i++) {
       const callsite = callsites[i]
-      const path = callsite.getFileName()
-      if (!isExcluded(callsite) && path.indexOf(pathLine.ddBasePath) === -1) {
+      const filepath = callsite.getFileName()
+      if (!isExcluded(callsite) && filepath.indexOf(pathLine.ddBasePath) === -1) {
         return {
-          path,
+          path: path.relative(process.cwd(), filepath),
           line: callsite.getLineNumber()
         }
       }

package/packages/dd-trace/src/appsec/iast/taint-tracking/csi-methods.js

@@ -0,0 +1,12 @@
+'use strict'
+
+const csiMethods = [
+  { src: 'plusOperator', operator: true },
+  { src: 'trim' },
+  { src: 'trimStart', dst: 'trim' },
+  { src: 'trimEnd' }
+]
+
+module.exports = {
+  csiMethods
+}

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations.js

@@ -1,33 +1,6 @@
-const { storage } = require('../../../../../datadog-core')
-const iastContextFunctions = require('../iast-context')
-const log = require('../../../log')
 const TaintedUtils = require('@datadog/native-iast-taint-tracking')
-
-const IAST_TRANSACTION_ID = Symbol('_dd.iast.transactionId')
-
-function noop (res) { return res }
-const TaintTrackingDummy = {
-  plusOperator: noop
-}
-
-const TaintTracking = {
-  plusOperator: function (res, op1, op2) {
-    try {
-      if (typeof res !== 'string' ||
-        (typeof op1 !== 'string' && typeof op2 !== 'string')) { return res }
-
-      const store = storage.getStore()
-      const iastContext = iastContextFunctions.getIastContext(store)
-      const transactionId = iastContext && iastContext[IAST_TRANSACTION_ID]
-      if (transactionId) {
-        return TaintedUtils.concat(transactionId, res, op1, op2)
-      }
-    } catch (e) {
-      log.debug(e)
-    }
-    return res
-  }
-}
+const { IAST_TRANSACTION_ID } = require('../iast-context')
+const { TaintTracking, TaintTrackingDummy } = require('./taint-tracking-impl')
 
 function createTransaction (id, iastContext) {
   if (id && iastContext) {