dd-trace 5.18.0 → 5.20.0

package/packages/datadog-plugin-cypress/src/cypress-plugin.js

@@ -28,7 +28,8 @@ const {
   TEST_SOURCE_FILE,
   TEST_IS_NEW,
   TEST_IS_RETRY,
-  TEST_EARLY_FLAKE_ENABLED
+  TEST_EARLY_FLAKE_ENABLED,
+  NUM_FAILED_TEST_RETRIES
 } = require('../../dd-trace/src/plugins/util/test')
 const { isMarkedAsUnskippable } = require('../../datadog-plugin-jest/src/util')
 const { ORIGIN_KEY, COMPONENT } = require('../../dd-trace/src/constants')
@@ -207,10 +208,40 @@ class CypressPlugin {
     this.knownTests = []
   }
 
+  // Init function returns a promise that resolves with the Cypress configuration
+  // Depending on the received configuration, the Cypress configuration can be modified:
+  // for example, to enable retries for failed tests.
   init (tracer, cypressConfig) {
     this._isInit = true
     this.tracer = tracer
     this.cypressConfig = cypressConfig
+
+    this.libraryConfigurationPromise = getLibraryConfiguration(this.tracer, this.testConfiguration)
+      .then((libraryConfigurationResponse) => {
+        if (libraryConfigurationResponse.err) {
+          log.error(libraryConfigurationResponse.err)
+        } else {
+          const {
+            libraryConfig: {
+              isSuitesSkippingEnabled,
+              isCodeCoverageEnabled,
+              isEarlyFlakeDetectionEnabled,
+              earlyFlakeDetectionNumRetries,
+              isFlakyTestRetriesEnabled
+            }
+          } = libraryConfigurationResponse
+          this.isSuitesSkippingEnabled = isSuitesSkippingEnabled
+          this.isCodeCoverageEnabled = isCodeCoverageEnabled
+          this.isEarlyFlakeDetectionEnabled = isEarlyFlakeDetectionEnabled
+          this.earlyFlakeDetectionNumRetries = earlyFlakeDetectionNumRetries
+          this.isFlakyTestRetriesEnabled = isFlakyTestRetriesEnabled
+          if (this.isFlakyTestRetriesEnabled) {
+            this.cypressConfig.retries.runMode = NUM_FAILED_TEST_RETRIES
+          }
+        }
+        return this.cypressConfig
+      })
+    return this.libraryConfigurationPromise
   }
 
   getTestSuiteSpan (suite) {
@@ -227,7 +258,7 @@ class CypressPlugin {
     })
   }
 
-  getTestSpan (testName, testSuite, isUnskippable, isForcedToRun) {
+  getTestSpan ({ testName, testSuite, isUnskippable, isForcedToRun, testSourceFile }) {
     const testSuiteTags = {
       [TEST_COMMAND]: this.command,
       [TEST_COMMAND]: this.command,
@@ -251,8 +282,11 @@ class CypressPlugin {
       ...testSpanMetadata
     } = getTestCommonTags(testName, testSuite, this.cypressConfig.version, TEST_FRAMEWORK_NAME)
 
-    const codeOwners = getCodeOwnersForFilename(testSuite, this.codeOwnersEntries)
+    if (testSourceFile) {
+      testSpanMetadata[TEST_SOURCE_FILE] = testSourceFile
+    }
 
+    const codeOwners = this.getTestCodeOwners({ testSuite, testSourceFile })
     if (codeOwners) {
       testSpanMetadata[TEST_CODE_OWNERS] = codeOwners
     }
@@ -297,29 +331,13 @@ class CypressPlugin {
   }
 
   async beforeRun (details) {
+    // We need to make sure that the plugin is initialized before running the tests
+    // This is for the case where the user has not returned the promise from the init function
+    await this.libraryConfigurationPromise
     this.command = getCypressCommand(details)
     this.frameworkVersion = getCypressVersion(details)
     this.rootDir = getRootDir(details)
 
-    const libraryConfigurationResponse = await getLibraryConfiguration(this.tracer, this.testConfiguration)
-
-    if (libraryConfigurationResponse.err) {
-      log.error(libraryConfigurationResponse.err)
-    } else {
-      const {
-        libraryConfig: {
-          isSuitesSkippingEnabled,
-          isCodeCoverageEnabled,
-          isEarlyFlakeDetectionEnabled,
-          earlyFlakeDetectionNumRetries
-        }
-      } = libraryConfigurationResponse
-      this.isSuitesSkippingEnabled = isSuitesSkippingEnabled
-      this.isCodeCoverageEnabled = isCodeCoverageEnabled
-      this.isEarlyFlakeDetectionEnabled = isEarlyFlakeDetectionEnabled
-      this.earlyFlakeDetectionNumRetries = earlyFlakeDetectionNumRetries
-    }
-
     if (this.isEarlyFlakeDetectionEnabled) {
       const knownTestsResponse = await getKnownTests(
         this.tracer,
@@ -465,12 +483,16 @@ class CypressPlugin {
       const isSkippedByItr = this.testsToSkip.find(test =>
         cypressTestName === test.name && spec.relative === test.suite
       )
-      const skippedTestSpan = this.getTestSpan(cypressTestName, spec.relative)
+      let testSourceFile
+
       if (spec.absolute && this.repositoryRoot) {
-        skippedTestSpan.setTag(TEST_SOURCE_FILE, getTestSuitePath(spec.absolute, this.repositoryRoot))
+        testSourceFile = getTestSuitePath(spec.absolute, this.repositoryRoot)
       } else {
-        skippedTestSpan.setTag(TEST_SOURCE_FILE, spec.relative)
+        testSourceFile = spec.relative
       }
+
+      const skippedTestSpan = this.getTestSpan({ testName: cypressTestName, testSuite: spec.relative, testSourceFile })
+
       skippedTestSpan.setTag(TEST_STATUS, 'skip')
       if (isSkippedByItr) {
         skippedTestSpan.setTag(TEST_SKIPPED_BY_ITR, 'true')
@@ -485,29 +507,61 @@ class CypressPlugin {
     // This is not always the case, such as when an `after` hook fails:
     // Cypress will report the last run test as failed, but we don't know that yet at `dd:afterEach`
     let latestError
-    finishedTests.forEach((finishedTest) => {
-      const cypressTest = cypressTests.find(test => test.title.join(' ') === finishedTest.testName)
-      if (!cypressTest) {
-        return
-      }
-      if (cypressTest.displayError) {
-        latestError = new Error(cypressTest.displayError)
-      }
-      const cypressTestStatus = CYPRESS_STATUS_TO_TEST_STATUS[cypressTest.state]
-      // update test status
-      if (cypressTestStatus !== finishedTest.testStatus) {
-        finishedTest.testSpan.setTag(TEST_STATUS, cypressTestStatus)
-        finishedTest.testSpan.setTag('error', latestError)
-      }
-      if (this.itrCorrelationId) {
-        finishedTest.testSpan.setTag(ITR_CORRELATION_ID, this.itrCorrelationId)
-      }
-      if (spec.absolute && this.repositoryRoot) {
-        finishedTest.testSpan.setTag(TEST_SOURCE_FILE, getTestSuitePath(spec.absolute, this.repositoryRoot))
-      } else {
-        finishedTest.testSpan.setTag(TEST_SOURCE_FILE, spec.relative)
+
+    const finishedTestsByTestName = finishedTests.reduce((acc, finishedTest) => {
+      if (!acc[finishedTest.testName]) {
+        acc[finishedTest.testName] = []
       }
-      finishedTest.testSpan.finish(finishedTest.finishTime)
+      acc[finishedTest.testName].push(finishedTest)
+      return acc
+    }, {})
+
+    Object.entries(finishedTestsByTestName).forEach(([testName, finishedTestAttempts]) => {
+      finishedTestAttempts.forEach((finishedTest, attemptIndex) => {
+        // TODO: there could be multiple if there have been retries!
+        // potentially we need to match the test status!
+        const cypressTest = cypressTests.find(test => test.title.join(' ') === testName)
+        if (!cypressTest) {
+          return
+        }
+        // finishedTests can include multiple tests with the same name if they have been retried
+        // by early flake detection. Cypress is unaware of this so .attempts does not necessarily have
+        // the same length as `finishedTestAttempts`
+        let cypressTestStatus = CYPRESS_STATUS_TO_TEST_STATUS[cypressTest.state]
+        if (cypressTest.attempts && cypressTest.attempts[attemptIndex]) {
+          cypressTestStatus = CYPRESS_STATUS_TO_TEST_STATUS[cypressTest.attempts[attemptIndex].state]
+          if (attemptIndex > 0) {
+            finishedTest.testSpan.setTag(TEST_IS_RETRY, 'true')
+          }
+        }
+        if (cypressTest.displayError) {
+          latestError = new Error(cypressTest.displayError)
+        }
+        // Update test status
+        if (cypressTestStatus !== finishedTest.testStatus) {
+          finishedTest.testSpan.setTag(TEST_STATUS, cypressTestStatus)
+          finishedTest.testSpan.setTag('error', latestError)
+        }
+        if (this.itrCorrelationId) {
+          finishedTest.testSpan.setTag(ITR_CORRELATION_ID, this.itrCorrelationId)
+        }
+        let testSourceFile
+        if (spec.absolute && this.repositoryRoot) {
+          testSourceFile = getTestSuitePath(spec.absolute, this.repositoryRoot)
+        } else {
+          testSourceFile = spec.relative
+        }
+        if (testSourceFile) {
+          finishedTest.testSpan.setTag(TEST_SOURCE_FILE, testSourceFile)
+        }
+        const codeOwners = this.getTestCodeOwners({ testSuite: spec.relative, testSourceFile })
+
+        if (codeOwners) {
+          finishedTest.testSpan.setTag(TEST_CODE_OWNERS, codeOwners)
+        }
+
+        finishedTest.testSpan.finish(finishedTest.finishTime)
+      })
     })
 
     if (this.testSuiteSpan) {
@@ -554,7 +608,12 @@ class CypressPlugin {
         }
 
         if (!this.activeTestSpan) {
-          this.activeTestSpan = this.getTestSpan(testName, testSuite, isUnskippable, isForcedToRun)
+          this.activeTestSpan = this.getTestSpan({
+            testName,
+            testSuite,
+            isUnskippable,
+            isForcedToRun
+          })
         }
 
         return this.activeTestSpan ? { traceId: this.activeTestSpan.context().toTraceId() } : {}
@@ -621,6 +680,13 @@ class CypressPlugin {
       }
     }
   }
+
+  getTestCodeOwners ({ testSuite, testSourceFile }) {
+    if (testSourceFile) {
+      return getCodeOwnersForFilename(testSourceFile, this.codeOwnersEntries)
+    }
+    return getCodeOwnersForFilename(testSuite, this.codeOwnersEntries)
+  }
 }
 
 module.exports = new CypressPlugin()

package/packages/datadog-plugin-cypress/src/plugin.js

@@ -22,13 +22,14 @@ module.exports = (on, config) => {
   // The tracer was not init correctly for whatever reason (such as invalid DD_SITE)
   if (tracer._tracer instanceof NoopTracer) {
     // We still need to register these tasks or the support file will fail
-    return on('task', noopTask)
+    on('task', noopTask)
+    return config
   }
 
-  cypressPlugin.init(tracer, config)
-
   on('before:run', cypressPlugin.beforeRun.bind(cypressPlugin))
   on('after:spec', cypressPlugin.afterSpec.bind(cypressPlugin))
   on('after:run', cypressPlugin.afterRun.bind(cypressPlugin))
   on('task', cypressPlugin.getTasks())
+
+  return cypressPlugin.init(tracer, config)
 }

package/packages/datadog-plugin-fs/src/index.js

@@ -29,7 +29,7 @@ class FsPlugin extends TracingPlugin {
       resource: operation,
       kind: 'internal',
       meta: {
-        'file.descriptor': (typeof fd === 'object' || typeof fd === 'number') ? fd.toString() : '',
+        'file.descriptor': ((fd !== null && typeof fd === 'object') || typeof fd === 'number') ? fd.toString() : '',
         'file.dest': params.dest || params.newPath || (params.target && params.path),
         'file.flag': String(flag || defaultFlag || ''),
         'file.gid': gid || '',

package/packages/datadog-plugin-jest/src/index.js

@@ -148,6 +148,7 @@ class JestPlugin extends CiPlugin {
         config._ddIsEarlyFlakeDetectionEnabled = !!this.libraryConfig?.isEarlyFlakeDetectionEnabled
         config._ddEarlyFlakeDetectionNumRetries = this.libraryConfig?.earlyFlakeDetectionNumRetries ?? 0
         config._ddRepositoryRoot = this.repositoryRoot
+        config._ddIsFlakyTestRetriesEnabled = this.libraryConfig?.isFlakyTestRetriesEnabled ?? false
       })
     })
 
@@ -324,7 +325,8 @@ class JestPlugin extends CiPlugin {
       testStartLine,
       testSourceFile,
       isNew,
-      isEfdRetry
+      isEfdRetry,
+      isJestRetry
     } = test
 
     const extraTags = {
@@ -349,6 +351,10 @@ class JestPlugin extends CiPlugin {
       }
     }
 
+    if (isJestRetry) {
+      extraTags[TEST_IS_RETRY] = 'true'
+    }
+
     return super.startTestSpan(name, suite, this.testSuiteSpan, extraTags)
   }
 }

package/packages/datadog-plugin-kafkajs/src/producer.js

@@ -81,7 +81,7 @@ class KafkajsProducerPlugin extends ProducerPlugin {
       span.setTag(BOOTSTRAP_SERVERS_KEY, bootstrapServers)
     }
     for (const message of messages) {
-      if (typeof message === 'object') {
+      if (message !== null && typeof message === 'object') {
         this.tracer.inject(span, 'text_map', message.headers)
         if (this.config.dsmEnabled) {
           const payloadSize = getMessageSize(message)

package/packages/datadog-plugin-mongodb-core/src/index.js

@@ -115,7 +115,7 @@ function limitDepth (input) {
 }
 
 function isObject (val) {
-  return typeof val === 'object' && val !== null && !(val instanceof Array)
+  return val !== null && typeof val === 'object' && !Array.isArray(val)
 }
 
 function isBSON (val) {

package/packages/datadog-plugin-openai/src/index.js

@@ -118,7 +118,7 @@ class OpenApiPlugin extends TracingPlugin {
     }
 
     // createChatCompletion, createCompletion
-    if (typeof payload.logit_bias === 'object' && payload.logit_bias) {
+    if (payload.logit_bias !== null && typeof payload.logit_bias === 'object') {
       for (const [tokenId, bias] of Object.entries(payload.logit_bias)) {
         tags[`openai.request.logit_bias.${tokenId}`] = bias
       }
@@ -427,14 +427,14 @@ function createChatCompletionRequestExtraction (tags, payload, store) {
 function commonCreateImageRequestExtraction (tags, payload, store) {
   // createImageEdit, createImageVariation
   const img = payload.file || payload.image
-  if (img && typeof img === 'object' && img.path) {
+  if (img !== null && typeof img === 'object' && img.path) {
     const file = path.basename(img.path)
     tags['openai.request.image'] = file
     store.file = file
   }
 
   // createImageEdit
-  if (payload.mask && typeof payload.mask === 'object' && payload.mask.path) {
+  if (payload.mask !== null && typeof payload.mask === 'object' && payload.mask.path) {
     const mask = path.basename(payload.mask.path)
     tags['openai.request.mask'] = mask
     store.mask = mask
@@ -633,7 +633,7 @@ function commonCreateAudioRequestExtraction (tags, body, store) {
   tags['openai.request.response_format'] = body.response_format
   tags['openai.request.language'] = body.language
 
-  if (body.file && typeof body.file === 'object' && body.file.path) {
+  if (body.file !== null && typeof body.file === 'object' && body.file.path) {
     const filename = path.basename(body.file.path)
     tags['openai.request.filename'] = filename
     store.file = filename
@@ -646,7 +646,7 @@ function commonFileRequestExtraction (tags, body) {
   // User can provider either exact file contents or a file read stream
   // With the stream we extract the filepath
   // This is a best effort attempt to extract the filename during the request
-  if (body.file && typeof body.file === 'object' && body.file.path) {
+  if (body.file !== null && typeof body.file === 'object' && body.file.path) {
     tags['openai.request.filename'] = path.basename(body.file.path)
   }
 }

package/packages/datadog-plugin-playwright/src/index.js

@@ -116,7 +116,7 @@ class PlaywrightPlugin extends CiPlugin {
 
       this.enter(span, store)
     })
-    this.addSub('ci:playwright:test:finish', ({ testStatus, steps, error, extraTags, isNew, isEfdRetry }) => {
+    this.addSub('ci:playwright:test:finish', ({ testStatus, steps, error, extraTags, isNew, isEfdRetry, isRetry }) => {
       const store = storage.getStore()
       const span = store && store.span
       if (!span) return
@@ -135,6 +135,9 @@ class PlaywrightPlugin extends CiPlugin {
           span.setTag(TEST_IS_RETRY, 'true')
         }
       }
+      if (isRetry) {
+        span.setTag(TEST_IS_RETRY, 'true')
+      }
 
       steps.forEach(step => {
         const stepStartTime = step.startTime.getTime()

package/packages/datadog-plugin-sharedb/src/index.js

@@ -54,7 +54,7 @@ function sanitize (input) {
 }
 
 function isObject (val) {
-  return typeof val === 'object' && val !== null && !(val instanceof Array)
+  return val !== null && typeof val === 'object' && !Array.isArray(val)
 }
 
 module.exports = SharedbPlugin

package/packages/datadog-plugin-vitest/src/index.js

@@ -6,7 +6,8 @@ const {
   finishAllTraceSpans,
   getTestSuitePath,
   getTestSuiteCommonTags,
-  TEST_SOURCE_FILE
+  TEST_SOURCE_FILE,
+  TEST_IS_RETRY
 } = require('../../dd-trace/src/plugins/util/test')
 const { COMPONENT } = require('../../dd-trace/src/constants')
 
@@ -25,16 +26,22 @@ class VitestPlugin extends CiPlugin {
 
     this.taskToFinishTime = new WeakMap()
 
-    this.addSub('ci:vitest:test:start', ({ testName, testSuiteAbsolutePath }) => {
+    this.addSub('ci:vitest:test:start', ({ testName, testSuiteAbsolutePath, isRetry }) => {
       const testSuite = getTestSuitePath(testSuiteAbsolutePath, this.repositoryRoot)
       const store = storage.getStore()
+
+      const extraTags = {
+        [TEST_SOURCE_FILE]: testSuite
+      }
+      if (isRetry) {
+        extraTags[TEST_IS_RETRY] = 'true'
+      }
+
       const span = this.startTestSpan(
         testName,
         testSuite,
         this.testSuiteSpan,
-        {
-          [TEST_SOURCE_FILE]: testSuite
-        }
+        extraTags
       )
 
       this.enter(span, store)
@@ -73,7 +80,11 @@ class VitestPlugin extends CiPlugin {
         if (error) {
           span.setTag('error', error)
         }
-        span.finish(span._startTime + duration - MILLISECONDS_TO_SUBTRACT_FROM_FAILED_TEST_DURATION) // milliseconds
+        if (duration) {
+          span.finish(span._startTime + duration - MILLISECONDS_TO_SUBTRACT_FROM_FAILED_TEST_DURATION) // milliseconds
+        } else {
+          span.finish() // retries will not have a duration
+        }
         finishAllTraceSpans(span)
       }
     })
@@ -91,7 +102,8 @@ class VitestPlugin extends CiPlugin {
       ).finish()
     })
 
-    this.addSub('ci:vitest:test-suite:start', (testSuiteAbsolutePath) => {
+    this.addSub('ci:vitest:test-suite:start', ({ testSuiteAbsolutePath, frameworkVersion }) => {
+      this.frameworkVersion = frameworkVersion
       const testSessionSpanContext = this.tracer.extract('text_map', {
         'x-datadog-trace-id': process.env.DD_CIVISIBILITY_TEST_SESSION_ID,
         'x-datadog-parent-id': process.env.DD_CIVISIBILITY_TEST_MODULE_ID

package/packages/dd-trace/src/analytics_sampler.js

@@ -4,7 +4,7 @@ const { MEASURED } = require('../../../ext/tags')
 
 module.exports = {
   sample (span, measured, measuredByDefault) {
-    if (typeof measured === 'object') {
+    if (measured !== null && typeof measured === 'object') {
       this.sample(span, measured[span.context()._name], measuredByDefault)
     } else if (measured !== undefined) {
       span.setTag(MEASURED, !!measured)

package/packages/dd-trace/src/appsec/blocking.js

@@ -9,6 +9,8 @@ let templateHtml = blockedTemplates.html
 let templateJson = blockedTemplates.json
 let templateGraphqlJson = blockedTemplates.graphqlJson
 
+const responseBlockedSet = new WeakSet()
+
 const specificBlockingTypes = {
   GRAPHQL: 'graphql'
 }
@@ -117,6 +119,8 @@ function block (req, res, rootSpan, abortController, actionParameters) {
 
   res.writeHead(statusCode, headers).end(body)
 
+  responseBlockedSet.add(res)
+
   abortController?.abort()
 }
 
@@ -144,11 +148,16 @@ function setTemplates (config) {
   }
 }
 
+function isBlocked (res) {
+  return responseBlockedSet.has(res)
+}
+
 module.exports = {
   addSpecificEndpoint,
   block,
   specificBlockingTypes,
   getBlockingData,
   getBlockingAction,
-  setTemplates
+  setTemplates,
+  isBlocked
 }

package/packages/dd-trace/src/appsec/channels.js

@@ -19,5 +19,8 @@ module.exports = {
   nextQueryParsed: dc.channel('apm:next:query-parsed'),
   responseBody: dc.channel('datadog:express:response:json:start'),
   responseWriteHead: dc.channel('apm:http:server:response:writeHead:start'),
-  httpClientRequestStart: dc.channel('apm:http:client:request:start')
+  httpClientRequestStart: dc.channel('apm:http:client:request:start'),
+  responseSetHeader: dc.channel('datadog:http:server:response:set-header:start'),
+  setUncaughtExceptionCaptureCallbackStart: dc.channel('datadog:process:setUncaughtExceptionCaptureCallback:start')
+
 }

package/packages/dd-trace/src/appsec/iast/analyzers/analyzers.js

@@ -1,6 +1,7 @@
 'use strict'
 
 module.exports = {
+  CODE_INJECTION_ANALYZER: require('./code-injection-analyzer'),
   COMMAND_INJECTION_ANALYZER: require('./command-injection-analyzer'),
   HARCODED_PASSWORD_ANALYZER: require('./hardcoded-password-analyzer'),
   HARCODED_SECRET_ANALYZER: require('./hardcoded-secret-analyzer'),

package/packages/dd-trace/src/appsec/iast/analyzers/code-injection-analyzer.js

@@ -0,0 +1,16 @@
+'use strict'
+
+const InjectionAnalyzer = require('./injection-analyzer')
+const { CODE_INJECTION } = require('../vulnerabilities')
+
+class CodeInjectionAnalyzer extends InjectionAnalyzer {
+  constructor () {
+    super(CODE_INJECTION)
+  }
+
+  onConfigure () {
+    this.addSub('datadog:eval:call', ({ script }) => this.analyze(script))
+  }
+}
+
+module.exports = new CodeInjectionAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.js

@@ -13,7 +13,7 @@ const EXCLUDED_PATHS_FROM_STACK = getNodeModulesPaths('mongodb', 'mongoose', 'mq
 const MONGODB_NOSQL_SECURE_MARK = getNextSecureMark()
 
 function iterateObjectStrings (target, fn, levelKeys = [], depth = 20, visited = new Set()) {
-  if (target && typeof target === 'object') {
+  if (target !== null && typeof target === 'object') {
     Object.keys(target).forEach((key) => {
       const nextLevelKeys = [...levelKeys, key]
       const val = target[key]

package/packages/dd-trace/src/appsec/iast/analyzers/weak-hash-analyzer.js

@@ -47,6 +47,8 @@ class WeakHashAnalyzer extends Analyzer {
   }
 
   _isExcluded (location) {
+    if (!location) return false
+
     return EXCLUDED_LOCATIONS.some(excludedLocation => {
       return location.path.includes(excludedLocation)
     })

package/packages/dd-trace/src/appsec/iast/taint-tracking/csi-methods.js

@@ -14,7 +14,8 @@ const csiMethods = [
   { src: 'toUpperCase', dst: 'stringCase' },
   { src: 'trim' },
   { src: 'trimEnd' },
-  { src: 'trimStart', dst: 'trim' }
+  { src: 'trimStart', dst: 'trim' },
+  { src: 'eval', allowedWithoutCallee: true }
 ]
 
 module.exports = {

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js

@@ -45,7 +45,7 @@ class TaintTrackingPlugin extends SourceIastPlugin {
     this.addSub(
       { channelName: 'apm:express:middleware:next', tag: HTTP_REQUEST_BODY },
       ({ req }) => {
-        if (req && req.body && typeof req.body === 'object') {
+        if (req && req.body !== null && typeof req.body === 'object') {
           const iastContext = getIastContext(storage.getStore())
           if (iastContext && iastContext.body !== req.body) {
             this._taintTrackingHandler(HTTP_REQUEST_BODY, req, 'body', iastContext)
@@ -63,7 +63,7 @@ class TaintTrackingPlugin extends SourceIastPlugin {
     this.addSub(
       { channelName: 'datadog:express:process_params:start', tag: HTTP_REQUEST_PATH_PARAM },
       ({ req }) => {
-        if (req && req.params && typeof req.params === 'object') {
+        if (req && req.params !== null && typeof req.params === 'object') {
           this._taintTrackingHandler(HTTP_REQUEST_PATH_PARAM, req, 'params')
         }
       }

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugins/kafka.js

@@ -27,14 +27,14 @@ class KafkaConsumerIastPlugin extends SourceIastPlugin {
     if (iastContext && message) {
       const { key, value } = message
 
-      if (key && typeof key === 'object') {
+      if (key !== null && typeof key === 'object') {
         shimmer.wrap(key, 'toString',
           toString => this.getToStringWrap(toString, iastContext, KAFKA_MESSAGE_KEY))
 
         newTaintedObject(iastContext, key, undefined, KAFKA_MESSAGE_KEY)
       }
 
-      if (value && typeof value === 'object') {
+      if (value !== null && typeof value === 'object') {
         shimmer.wrap(value, 'toString',
           toString => this.getToStringWrap(toString, iastContext, KAFKA_MESSAGE_VALUE))
 

package/packages/dd-trace/src/appsec/iast/taint-tracking/taint-tracking-impl.js

@@ -10,6 +10,7 @@ const { isDebugAllowed } = require('../telemetry/verbosity')
 const { taintObject } = require('./operations-taint-object')
 
 const mathRandomCallCh = dc.channel('datadog:random:call')
+const evalCallCh = dc.channel('datadog:eval:call')
 
 const JSON_VALUE = 'json.value'
 
@@ -18,6 +19,7 @@ function noop (res) { return res }
 // Otherwise you may end up rewriting a method and not providing its rewritten implementation
 const TaintTrackingNoop = {
   concat: noop,
+  eval: noop,
   join: noop,
   parse: noop,
   plusOperator: noop,
@@ -136,6 +138,15 @@ function csiMethodsOverrides (getContext) {
       return res
     },
 
+    eval: function (res, fn, target, script) {
+      // eslint-disable-next-line no-eval
+      if (evalCallCh.hasSubscribers && fn === globalThis.eval) {
+        evalCallCh.publish({ script })
+      }
+
+      return res
+    },
+
     parse: function (res, fn, target, json) {
       if (fn === JSON.parse) {
         try {

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/code-injection-sensitive-analyzer.js

@@ -0,0 +1,25 @@
+'use strict'
+
+module.exports = function extractSensitiveRanges (evidence) {
+  const newRanges = []
+  if (evidence.ranges[0].start > 0) {
+    newRanges.push({
+      start: 0,
+      end: evidence.ranges[0].start
+    })
+  }
+
+  for (let i = 0; i < evidence.ranges.length; i++) {
+    const currentRange = evidence.ranges[i]
+    const nextRange = evidence.ranges[i + 1]
+
+    const start = currentRange.end
+    const end = nextRange?.start || evidence.value.length
+
+    if (start < end) {
+      newRanges.push({ start, end })
+    }
+  }
+
+  return newRanges
+}