dd-trace 4.2.0 → 4.3.0

package/index.d.ts

@@ -749,6 +749,7 @@ interface Plugins {
   "elasticsearch": plugins.elasticsearch;
   "express": plugins.express;
   "fastify": plugins.fastify;
+  "fetch": plugins.fetch;
   "generic-pool": plugins.generic_pool;
   "google-cloud-pubsub": plugins.google_cloud_pubsub;
   "graphql": plugins.graphql;
@@ -1092,6 +1093,12 @@ declare namespace plugins {
    */
   interface fastify extends HttpServer {}
 
+  /**
+   * This plugin automatically instruments the
+   * [fetch](https://nodejs.org/api/globals.html#fetch) global.
+   */
+  interface fetch extends HttpClient {}
+
   /**
    * This plugin patches the [generic-pool](https://github.com/coopernurse/node-pool)
    * module to bind the callbacks the the caller context.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dd-trace",
-  "version": "4.2.0",
+  "version": "4.3.0",
   "description": "Datadog APM tracing client for JavaScript",
   "main": "index.js",
   "typings": "index.d.ts",
@@ -19,7 +19,7 @@
     "test:appsec:ci": "nyc --no-clean --include \"packages/dd-trace/src/appsec/**/*.js\" --exclude \"packages/dd-trace/test/appsec/**/*.plugin.spec.js\" -- npm run test:appsec",
     "test:appsec:plugins": "mocha --colors --exit -r \"packages/dd-trace/test/setup/mocha.js\" \"packages/dd-trace/test/appsec/**/*.@($(echo $PLUGINS)).plugin.spec.js\"",
     "test:appsec:plugins:ci": "yarn services && nyc --no-clean --include \"packages/dd-trace/test/appsec/**/*.@($(echo $PLUGINS)).plugin.spec.js\" -- npm run test:appsec:plugins",
-    "test:trace:core": "tap packages/dd-trace/test/*.spec.js \"packages/dd-trace/test/{ci-visibility,encode,exporters,opentelemetry,opentracing,plugins,telemetry}/**/*.spec.js\"",
+    "test:trace:core": "tap packages/dd-trace/test/*.spec.js \"packages/dd-trace/test/{ci-visibility,config,encode,exporters,opentelemetry,opentracing,plugins,telemetry}/**/*.spec.js\"",
     "test:trace:core:ci": "npm run test:trace:core -- --coverage --nyc-arg=--include=\"packages/dd-trace/src/**/*.js\"",
     "test:instrumentations": "mocha --colors -r 'packages/dd-trace/test/setup/mocha.js' 'packages/datadog-instrumentations/test/**/*.spec.js'",
     "test:instrumentations:ci": "nyc --no-clean --include 'packages/datadog-instrumentations/src/**/*.js' -- npm run test:instrumentations",
@@ -68,12 +68,12 @@
   "dependencies": {
     "@datadog/native-appsec": "^3.2.0",
     "@datadog/native-iast-rewriter": "2.0.1",
-    "@datadog/native-iast-taint-tracking": "^1.4.1",
+    "@datadog/native-iast-taint-tracking": "^1.5.0",
     "@datadog/native-metrics": "^2.0.0",
-    "@datadog/pprof": "^2.2.1",
+    "@datadog/pprof": "2.2.3",
     "@datadog/sketches-js": "^2.1.0",
     "@opentelemetry/api": "^1.0.0",
-    "@opentelemetry/core": "<1.4.0",
+    "@opentelemetry/core": "^1.14.0",
     "crypto-randomuuid": "^1.0.0",
     "diagnostics_channel": "^1.1.0",
     "ignore": "^5.2.0",

package/packages/datadog-instrumentations/src/cookie.js

@@ -0,0 +1,21 @@
+'use strict'
+
+const shimmer = require('../../datadog-shimmer')
+const { channel, addHook } = require('./helpers/instrument')
+
+const cookieParseCh = channel('datadog:cookie:parse:finish')
+
+function wrapParse (originalParse) {
+  return function () {
+    const cookies = originalParse.apply(this, arguments)
+    if (cookieParseCh.hasSubscribers && cookies) {
+      cookieParseCh.publish({ cookies })
+    }
+    return cookies
+  }
+}
+
+addHook({ name: 'cookie', versions: ['>=0.4'] }, cookie => {
+  shimmer.wrap(cookie, 'parse', wrapParse)
+  return cookie
+})

package/packages/datadog-instrumentations/src/fetch.js

@@ -0,0 +1,48 @@
+'use strict'
+
+const shimmer = require('../../datadog-shimmer')
+const { channel } = require('./helpers/instrument')
+
+const startChannel = channel('apm:fetch:request:start')
+const finishChannel = channel('apm:fetch:request:finish')
+const errorChannel = channel('apm:fetch:request:error')
+
+function wrapFetch (fetch, Request) {
+  if (typeof fetch !== 'function') return fetch
+
+  return function (input, init) {
+    if (!startChannel.hasSubscribers) return fetch.apply(this, arguments)
+
+    const req = new Request(input, init)
+    const headers = req.headers
+    const message = { req, headers }
+
+    startChannel.publish(message)
+
+    // Request object is read-only so we need new objects to change headers.
+    arguments[0] = message.req
+    arguments[1] = { headers: message.headers }
+
+    return fetch.apply(this, arguments)
+      .then(
+        res => {
+          finishChannel.publish({ req, res })
+
+          return res
+        },
+        err => {
+          if (err.name !== 'AbortError') {
+            errorChannel.publish(err)
+          }
+
+          finishChannel.publish({ req })
+
+          throw err
+        }
+      )
+  }
+}
+
+if (globalThis.fetch) {
+  globalThis.fetch = shimmer.wrap(fetch, wrapFetch(fetch, globalThis.Request))
+}

package/packages/datadog-instrumentations/src/grpc/server.js

@@ -109,7 +109,7 @@ function wrapStream (call, requestResource, onCancel) {
 function wrapCallback (callback, call, requestResource, parentResource, onCancel) {
   return function (err, value, trailer, flags) {
     requestResource.runInAsyncScope(() => {
-      if (err instanceof Error) {
+      if (err) {
         errorChannel.publish(err)
         finishChannel.publish(err)
       } else {

package/packages/datadog-instrumentations/src/helpers/hooks.js

@@ -14,6 +14,7 @@ module.exports = {
   '@koa/router': () => require('../koa'),
   '@node-redis/client': () => require('../redis'),
   '@opensearch-project/opensearch': () => require('../opensearch'),
+  '@opentelemetry/sdk-trace-node': () => require('../otel-sdk-trace'),
   '@redis/client': () => require('../redis'),
   'amqp10': () => require('../amqp10'),
   'amqplib': () => require('../amqplib'),
@@ -25,6 +26,7 @@ module.exports = {
   'child_process': () => require('../child-process'),
   'node:child_process': () => require('../child-process'),
   'connect': () => require('../connect'),
+  'cookie': () => require('../cookie'),
   'couchbase': () => require('../couchbase'),
   'crypto': () => require('../crypto'),
   'cypress': () => require('../cypress'),

package/packages/datadog-instrumentations/src/helpers/register.js

@@ -7,16 +7,26 @@ const Hook = require('./hook')
 const requirePackageJson = require('../../../dd-trace/src/require-package-json')
 const log = require('../../../dd-trace/src/log')
 
+const { DD_TRACE_DISABLED_INSTRUMENTATIONS = '' } = process.env
+
 const hooks = require('./hooks')
 const instrumentations = require('./instrumentations')
 const names = Object.keys(hooks)
 const pathSepExpr = new RegExp(`\\${path.sep}`, 'g')
+const disabledInstrumentations = new Set(
+  DD_TRACE_DISABLED_INSTRUMENTATIONS ? DD_TRACE_DISABLED_INSTRUMENTATIONS.split(',') : []
+)
 
 const loadChannel = channel('dd-trace:instrumentation:load')
 
+// Globals
+require('../fetch')
+
 // TODO: make this more efficient
 
 for (const packageName of names) {
+  if (disabledInstrumentations.has(packageName)) continue
+
   Hook([packageName], (moduleExports, moduleName, moduleBaseDir, moduleVersion) => {
     moduleName = moduleName.replace(pathSepExpr, '/')
 

package/packages/datadog-instrumentations/src/otel-sdk-trace.js

@@ -0,0 +1,18 @@
+'use strict'
+
+const { addHook } = require('./helpers/instrument')
+const shimmer = require('../../datadog-shimmer')
+const tracer = require('../../dd-trace')
+
+if (process.env.DD_TRACE_OTEL_ENABLED) {
+  addHook({
+    name: '@opentelemetry/sdk-trace-node',
+    file: 'build/src/NodeTracerProvider.js',
+    versions: ['*']
+  }, (mod) => {
+    shimmer.wrap(mod, 'NodeTracerProvider', () => {
+      return tracer.TracerProvider
+    })
+    return mod
+  })
+}

package/packages/datadog-plugin-fetch/src/index.js

@@ -0,0 +1,36 @@
+'use strict'
+
+const HttpClientPlugin = require('../../datadog-plugin-http/src/client')
+const { HTTP_HEADERS } = require('../../../ext/formats')
+
+class FetchPlugin extends HttpClientPlugin {
+  static get id () { return 'fetch' }
+
+  addTraceSub (eventName, handler) {
+    this.addSub(`apm:${this.constructor.id}:${this.operation}:${eventName}`, handler)
+  }
+
+  start (message) {
+    const req = message.req
+    const options = new URL(req.url)
+    const headers = options.headers = Object.fromEntries(req.headers.entries())
+
+    const args = { options }
+
+    super.start({ args })
+
+    message.req = new globalThis.Request(req, { headers })
+  }
+
+  _inject (span, headers) {
+    const carrier = {}
+
+    this.tracer.inject(span, HTTP_HEADERS, carrier)
+
+    for (const name in carrier) {
+      headers.append(name, carrier[name])
+    }
+  }
+}
+
+module.exports = FetchPlugin

package/packages/datadog-plugin-http/src/client.js

@@ -24,15 +24,17 @@ class HttpClientPlugin extends ClientPlugin {
     this.addSub(`apm:${this.constructor.id}:client:${this.operation}:${eventName}`, handler)
   }
 
-  start ({ args, http }) {
+  start ({ args, http = {} }) {
     const store = storage.getStore()
     const options = args.options
-    const agent = options.agent || options._defaultAgent || http.globalAgent
+    const agent = options.agent || options._defaultAgent || http.globalAgent || {}
     const protocol = options.protocol || agent.protocol || 'http:'
     const hostname = options.hostname || options.host || 'localhost'
     const host = options.port ? `${hostname}:${options.port}` : hostname
-    const path = options.path ? options.path.split(/[?#]/)[0] : '/'
+    const pathname = options.path || options.pathname
+    const path = pathname ? pathname.split(/[?#]/)[0] : '/'
     const uri = `${protocol}//${host}${path}`
+
     const allowed = this.config.filter(uri)
 
     const method = (options.method || 'GET').toUpperCase()
@@ -71,9 +73,11 @@ class HttpClientPlugin extends ClientPlugin {
   finish ({ req, res }) {
     const span = storage.getStore().span
     if (res) {
-      span.setTag(HTTP_STATUS_CODE, res.statusCode)
+      const status = res.status || res.statusCode
+
+      span.setTag(HTTP_STATUS_CODE, status)
 
-      if (!this.config.validateStatus(res.statusCode)) {
+      if (!this.config.validateStatus(status)) {
         span.setTag('error', 1)
       }
 
@@ -106,8 +110,14 @@ class HttpClientPlugin extends ClientPlugin {
 }
 
 function addResponseHeaders (res, span, config) {
+  if (!res.headers) return
+
+  const headers = typeof res.headers.entries === 'function'
+    ? Object.fromEntries(res.headers.entries())
+    : res.headers
+
   config.headers.forEach(key => {
-    const value = res.headers[key]
+    const value = headers[key]
 
     if (value) {
       span.setTag(`${HTTP_RESPONSE_HEADERS}.${key}`, value)
@@ -116,8 +126,12 @@ function addResponseHeaders (res, span, config) {
 }
 
 function addRequestHeaders (req, span, config) {
+  const headers = req.headers && typeof req.headers.entries === 'function'
+    ? Object.fromEntries(req.headers.entries())
+    : req.headers || req.getHeaders()
+
   config.headers.forEach(key => {
-    const value = req.getHeader(key)
+    const value = headers[key]
 
     if (value) {
       span.setTag(`${HTTP_REQUEST_HEADERS}.${key}`, Array.isArray(value) ? value.toString() : value)
@@ -193,7 +207,9 @@ function hasAmazonSignature (options) {
     }
   }
 
-  return options.path && options.path.toLowerCase().indexOf('x-amz-signature=') !== -1
+  const search = options.search || options.path
+
+  return search && search.toLowerCase().indexOf('x-amz-signature=') !== -1
 }
 
 function getServiceName (tracer, config, options) {

package/packages/datadog-plugin-mysql/src/index.js

@@ -8,9 +8,8 @@ class MySQLPlugin extends DatabasePlugin {
   static get system () { return 'mysql' }
 
   start (payload) {
-    const service = getServiceName(this.config, payload.conf)
-
-    this.startSpan(`${this.system}.query`, {
+    const service = this.serviceName(this.config, payload.conf, this.system)
+    this.startSpan(this.operationName(), {
       service,
       resource: payload.sql,
       type: 'sql',
@@ -27,12 +26,4 @@ class MySQLPlugin extends DatabasePlugin {
   }
 }
 
-function getServiceName (config, dbConfig) {
-  if (typeof config.service === 'function') {
-    return config.service(dbConfig)
-  }
-
-  return config.service
-}
-
 module.exports = MySQLPlugin

package/packages/datadog-plugin-tedious/src/index.js

@@ -9,8 +9,8 @@ class TediousPlugin extends DatabasePlugin {
   static get system () { return 'mssql' }
 
   start ({ queryOrProcedure, connectionConfig }) {
-    this.startSpan('tedious.request', {
-      service: this.config.service,
+    this.startSpan(this.operationName(), {
+      service: this.serviceName(this.config, this.system),
       resource: queryOrProcedure,
       type: 'sql',
       kind: 'client',

package/packages/dd-trace/src/appsec/iast/analyzers/analyzers.js

@@ -4,9 +4,12 @@ module.exports = {
   'COMMAND_INJECTION_ANALYZER': require('./command-injection-analyzer'),
   'INSECURE_COOKIE_ANALYZER': require('./insecure-cookie-analyzer'),
   'LDAP_ANALYZER': require('./ldap-injection-analyzer'),
+  'NO_HTTPONLY_COOKIE_ANALYZER': require('./no-httponly-cookie-analyzer'),
+  'NO_SAMESITE_COOKIE_ANALYZER': require('./no-samesite-cookie-analyzer'),
   'PATH_TRAVERSAL_ANALYZER': require('./path-traversal-analyzer'),
   'SQL_INJECTION_ANALYZER': require('./sql-injection-analyzer'),
   'SSRF': require('./ssrf-analyzer'),
+  'UNVALIDATED_REDIRECT_ANALYZER': require('./unvalidated-redirect-analyzer'),
   'WEAK_CIPHER_ANALYZER': require('./weak-cipher-analyzer'),
   'WEAK_HASH_ANALYZER': require('./weak-hash-analyzer')
 }

package/packages/dd-trace/src/appsec/iast/analyzers/cookie-analyzer.js

@@ -0,0 +1,52 @@
+'use strict'
+
+const Analyzer = require('./vulnerability-analyzer')
+const { getNodeModulesPaths } = require('../path-line')
+
+const EXCLUDED_PATHS = getNodeModulesPaths('express/lib/response.js')
+
+class CookieAnalyzer extends Analyzer {
+  constructor (type, propertyToBeSafe) {
+    super(type)
+    this.propertyToBeSafe = propertyToBeSafe.toLowerCase()
+    this.addSub('datadog:iast:set-cookie', (cookieInfo) => this.analyze(cookieInfo))
+  }
+
+  _isVulnerable ({ cookieProperties, cookieValue }) {
+    return cookieValue && !(cookieProperties && cookieProperties
+      .map(x => x.toLowerCase().trim()).includes(this.propertyToBeSafe))
+  }
+
+  _getEvidence ({ cookieName }) {
+    return { value: cookieName }
+  }
+
+  _createHashSource (type, evidence, location) {
+    return `${type}:${evidence.value}`
+  }
+
+  _getExcludedPaths () {
+    return EXCLUDED_PATHS
+  }
+  _checkOCE (context, value) {
+    if (value && value.location) {
+      return true
+    }
+    return super._checkOCE(context, value)
+  }
+
+  _getLocation (value) {
+    if (!value) {
+      return super._getLocation()
+    }
+
+    if (value.location) {
+      return value.location
+    }
+    const location = super._getLocation(value)
+    value.location = location
+    return location
+  }
+}
+
+module.exports = CookieAnalyzer

package/packages/dd-trace/src/appsec/iast/analyzers/insecure-cookie-analyzer.js

@@ -1,30 +1,11 @@
 'use strict'
 
-const Analyzer = require('./vulnerability-analyzer')
 const { INSECURE_COOKIE } = require('../vulnerabilities')
+const CookieAnalyzer = require('./cookie-analyzer')
 
-const EXCLUDED_PATHS = ['node_modules/express/lib/response.js', 'node_modules\\express\\lib\\response.js']
-
-class InsecureCookieAnalyzer extends Analyzer {
+class InsecureCookieAnalyzer extends CookieAnalyzer {
   constructor () {
-    super(INSECURE_COOKIE)
-    this.addSub('datadog:iast:set-cookie', (cookieInfo) => this.analyze(cookieInfo))
-  }
-
-  _isVulnerable ({ cookieProperties, cookieValue }) {
-    return cookieValue && !(cookieProperties && cookieProperties.map(x => x.toLowerCase().trim()).includes('secure'))
-  }
-
-  _getEvidence ({ cookieName }) {
-    return { value: cookieName }
-  }
-
-  _createHashSource (type, evidence, location) {
-    return `${type}:${evidence.value}`
-  }
-
-  _getExcludedPaths () {
-    return EXCLUDED_PATHS
+    super(INSECURE_COOKIE, 'secure')
   }
 }
 

package/packages/dd-trace/src/appsec/iast/analyzers/no-httponly-cookie-analyzer.js

@@ -0,0 +1,12 @@
+'use strict'
+
+const { NO_HTTPONLY_COOKIE } = require('../vulnerabilities')
+const CookieAnalyzer = require('./cookie-analyzer')
+
+class NoHttponlyCookieAnalyzer extends CookieAnalyzer {
+  constructor () {
+    super(NO_HTTPONLY_COOKIE, 'HttpOnly')
+  }
+}
+
+module.exports = new NoHttponlyCookieAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/no-samesite-cookie-analyzer.js

@@ -0,0 +1,12 @@
+'use strict'
+
+const { NO_SAMESITE_COOKIE } = require('../vulnerabilities')
+const CookieAnalyzer = require('./cookie-analyzer')
+
+class NoSamesiteCookieAnalyzer extends CookieAnalyzer {
+  constructor () {
+    super(NO_SAMESITE_COOKIE, 'SameSite=strict')
+  }
+}
+
+module.exports = new NoSamesiteCookieAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/set-cookies-header-interceptor.js

@@ -14,24 +14,28 @@ class SetCookiesHeaderInterceptor extends Plugin {
           allCookies = [value]
         }
         const alreadyCheckedCookies = this._getAlreadyCheckedCookiesInResponse(res)
+
+        let location
         allCookies.forEach(cookieString => {
           if (!alreadyCheckedCookies.includes(cookieString)) {
             alreadyCheckedCookies.push(cookieString)
-            setCookieChannel.publish(this._parseCookie(cookieString))
+            const parsedCookie = this._parseCookie(cookieString, location)
+            setCookieChannel.publish(parsedCookie)
+            location = parsedCookie.location
           }
         })
       }
     })
   }
 
-  _parseCookie (cookieString) {
+  _parseCookie (cookieString, location) {
     const cookieParts = cookieString.split(';')
     const nameValueParts = cookieParts[0].split('=')
     const cookieName = nameValueParts[0]
     const cookieValue = nameValueParts.slice(1).join('=')
     const cookieProperties = cookieParts.slice(1).map(part => part.trim())
 
-    return { cookieName, cookieValue, cookieProperties, cookieString }
+    return { cookieName, cookieValue, cookieProperties, cookieString, location }
   }
 
   _getAlreadyCheckedCookiesInResponse (res) {

package/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js

@@ -6,9 +6,9 @@ const { getRanges } = require('../taint-tracking/operations')
 const { storage } = require('../../../../../datadog-core')
 const { getIastContext } = require('../iast-context')
 const { addVulnerability } = require('../vulnerability-reporter')
+const { getNodeModulesPaths } = require('../path-line')
 
-const EXCLUDED_PATHS = ['node_modules/mysql2', 'node_modules/sequelize', 'node_modules\\mysql2',
-  'node_modules\\sequelize']
+const EXCLUDED_PATHS = getNodeModulesPaths('mysql2', 'sequelize')
 
 class SqlInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
@@ -28,7 +28,7 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
 
     this.addSub('datadog:sequelize:query:finish', () => {
       const store = storage.getStore()
-      if (store.sequelizeParentStore) {
+      if (store && store.sequelizeParentStore) {
         storage.enterWith(store.sequelizeParentStore)
       }
     })

package/packages/dd-trace/src/appsec/iast/analyzers/unvalidated-redirect-analyzer.js

@@ -0,0 +1,48 @@
+'use strict'
+
+const InjectionAnalyzer = require('./injection-analyzer')
+const { UNVALIDATED_REDIRECT } = require('../vulnerabilities')
+const { getNodeModulesPaths } = require('../path-line')
+const { getRanges } = require('../taint-tracking/operations')
+const { HTTP_REQUEST_HEADER_VALUE } = require('../taint-tracking/origin-types')
+
+const EXCLUDED_PATHS = getNodeModulesPaths('express/lib/response.js')
+
+class UnvalidatedRedirectAnalyzer extends InjectionAnalyzer {
+  constructor () {
+    super(UNVALIDATED_REDIRECT)
+
+    this.addSub('datadog:http:server:response:set-header:finish', ({ name, value }) => this.analyze(name, value))
+  }
+
+  // TODO: In case the location header value is tainted, this analyzer should check the ranges of the tainted.
+  // And do not report a vulnerability if source of the ranges (range.iinfo.type) are exclusively url or path params
+  // to avoid false positives.
+  analyze (name, value) {
+    if (!this.isLocationHeader(name) || typeof value !== 'string') return
+
+    super.analyze(value)
+  }
+
+  isLocationHeader (name) {
+    return name && name.trim().toLowerCase() === 'location'
+  }
+
+  _isVulnerable (value, iastContext) {
+    if (!value) return false
+
+    const ranges = getRanges(iastContext, value)
+    return ranges && ranges.length > 0 && !this._isRefererHeader(ranges)
+  }
+
+  _isRefererHeader (ranges) {
+    return ranges && ranges.every(range => range.iinfo.type === HTTP_REQUEST_HEADER_VALUE &&
+      range.iinfo.parameterName && range.iinfo.parameterName.toLowerCase() === 'referer')
+  }
+
+  _getExcludedPaths () {
+    return EXCLUDED_PATHS
+  }
+}
+
+module.exports = new UnvalidatedRedirectAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -38,7 +38,7 @@ class Analyzer extends Plugin {
 
   _report (value, context) {
     const evidence = this._getEvidence(value, context)
-    const location = this._getLocation()
+    const location = this._getLocation(value)
     if (!this._isExcluded(location)) {
       const spanId = context && context.rootSpan && context.rootSpan.context().toSpanId()
       const vulnerability = this._createVulnerability(this._type, evidence, spanId, location)
@@ -47,7 +47,7 @@ class Analyzer extends Plugin {
   }
 
   _reportIfVulnerable (value, context) {
-    if (this._isVulnerable(value, context) && this._checkOCE(context)) {
+    if (this._isVulnerable(value, context) && this._checkOCE(context, value)) {
       this._report(value, context)
       return true
     }
@@ -78,7 +78,7 @@ class Analyzer extends Plugin {
     for (let i = 0; i < values.length; i++) {
       const value = values[i]
       if (this._isVulnerable(value, iastContext)) {
-        if (this._checkOCE(iastContext)) {
+        if (this._checkOCE(iastContext, value)) {
           this._report(value, iastContext)
         }
         break

package/packages/dd-trace/src/appsec/iast/index.js

@@ -5,10 +5,16 @@ const { storage } = require('../../../../datadog-core')
 const overheadController = require('./overhead-controller')
 const dc = require('../../../../diagnostics_channel')
 const iastContextFunctions = require('./iast-context')
-const { enableTaintTracking, disableTaintTracking, createTransaction, removeTransaction } = require('./taint-tracking')
+const {
+  enableTaintTracking,
+  disableTaintTracking,
+  createTransaction,
+  removeTransaction,
+  taintTrackingPlugin
+} = require('./taint-tracking')
+const { IAST_ENABLED_TAG_KEY } = require('./tags')
 
 const telemetryLogs = require('./telemetry/logs')
-const IAST_ENABLED_TAG_KEY = '_dd.iast.enabled'
 
 // TODO Change to `apm:http:server:request:[start|close]` when the subscription
 //  order of the callbacks can be enforce
@@ -48,6 +54,7 @@ function onIncomingHttpRequestStart (data) {
           const iastContext = iastContextFunctions.saveIastContext(store, topContext, { rootSpan, req: data.req })
           createTransaction(rootSpan.context().toSpanId(), iastContext)
           overheadController.initializeRequestContext(iastContext)
+          taintTrackingPlugin.taintHeaders(data.req.headers, iastContext)
         }
         if (rootSpan.addTags) {
           rootSpan.addTags({

package/packages/dd-trace/src/appsec/iast/path-line.js

@@ -5,6 +5,7 @@ const process = require('process')
 const { calculateDDBasePath } = require('../../util')
 const pathLine = {
   getFirstNonDDPathAndLine,
+  getNodeModulesPaths,
   getFirstNonDDPathAndLineFromCallsites, // Exported only for test purposes
   calculateDDBasePath, // Exported only for test purposes
   ddBasePath: calculateDDBasePath(__dirname) // Only for test purposes
@@ -83,4 +84,16 @@ function isExcluded (callsite, externallyExcludedPaths) {
 function getFirstNonDDPathAndLine (externallyExcludedPaths) {
   return getFirstNonDDPathAndLineFromCallsites(getCallSiteInfo(), externallyExcludedPaths)
 }
+
+function getNodeModulesPaths (...paths) {
+  const nodeModulesPaths = []
+
+  paths.forEach(p => {
+    const pathParts = p.split('/')
+    nodeModulesPaths.push(path.join('node_modules', ...pathParts))
+  })
+
+  return nodeModulesPaths
+}
+
 module.exports = pathLine