dd-trace 5.3.0 → 5.5.0

package/packages/datadog-plugin-mocha/src/index.js

@@ -16,7 +16,11 @@ const {
   TEST_ITR_FORCED_RUN,
   TEST_CODE_OWNERS,
   ITR_CORRELATION_ID,
-  TEST_SOURCE_FILE
+  TEST_SOURCE_FILE,
+  removeEfdStringFromTestName,
+  TEST_IS_NEW,
+  TEST_EARLY_FLAKE_IS_RETRY,
+  TEST_EARLY_FLAKE_IS_ENABLED
 } = require('../../dd-trace/src/plugins/util/test')
 const { COMPONENT } = require('../../dd-trace/src/constants')
 const {
@@ -39,7 +43,7 @@ class MochaPlugin extends CiPlugin {
     super(...args)
 
     this._testSuites = new Map()
-    this._testNameToParams = {}
+    this._testTitleToParams = {}
     this.sourceRoot = process.cwd()
 
     this.addSub('ci:mocha:test-suite:code-coverage', ({ coverageFiles, suiteFile }) => {
@@ -131,9 +135,9 @@ class MochaPlugin extends CiPlugin {
       }
     })
 
-    this.addSub('ci:mocha:test:start', ({ test, testStartLine }) => {
+    this.addSub('ci:mocha:test:start', (testInfo) => {
       const store = storage.getStore()
-      const span = this.startTestSpan(test, testStartLine)
+      const span = this.startTestSpan(testInfo)
 
       this.enter(span, store)
     })
@@ -156,12 +160,12 @@ class MochaPlugin extends CiPlugin {
       }
     })
 
-    this.addSub('ci:mocha:test:skip', (test) => {
+    this.addSub('ci:mocha:test:skip', (testInfo) => {
       const store = storage.getStore()
       // skipped through it.skip, so the span is not created yet
       // for this test
       if (!store) {
-        const testSpan = this.startTestSpan(test)
+        const testSpan = this.startTestSpan(testInfo)
         this.enter(testSpan, store)
       }
     })
@@ -179,8 +183,8 @@ class MochaPlugin extends CiPlugin {
       }
     })
 
-    this.addSub('ci:mocha:test:parameterize', ({ name, params }) => {
-      this._testNameToParams[name] = params
+    this.addSub('ci:mocha:test:parameterize', ({ title, params }) => {
+      this._testTitleToParams[title] = params
     })
 
     this.addSub('ci:mocha:session:finish', ({
@@ -190,7 +194,8 @@ class MochaPlugin extends CiPlugin {
       numSkippedSuites,
       hasForcedToRunSuites,
       hasUnskippableSuites,
-      error
+      error,
+      isEarlyFlakeDetectionEnabled
     }) => {
       if (this.testSessionSpan) {
         const { isSuitesSkippingEnabled, isCodeCoverageEnabled } = this.libraryConfig || {}
@@ -217,6 +222,10 @@ class MochaPlugin extends CiPlugin {
           }
         )
 
+        if (isEarlyFlakeDetectionEnabled) {
+          this.testSessionSpan.setTag(TEST_EARLY_FLAKE_IS_ENABLED, 'true')
+        }
+
         this.testModuleSpan.finish()
         this.telemetry.ciVisEvent(TELEMETRY_EVENT_FINISHED, 'module')
         this.testSessionSpan.finish()
@@ -228,12 +237,19 @@ class MochaPlugin extends CiPlugin {
     })
   }
 
-  startTestSpan (test, testStartLine) {
-    const testName = test.fullTitle()
-    const { file: testSuiteAbsolutePath, title } = test
+  startTestSpan (testInfo) {
+    const {
+      testSuiteAbsolutePath,
+      title,
+      isNew,
+      isEfdRetry,
+      testStartLine
+    } = testInfo
+
+    const testName = removeEfdStringFromTestName(testInfo.testName)
 
     const extraTags = {}
-    const testParametersString = getTestParametersString(this._testNameToParams, title)
+    const testParametersString = getTestParametersString(this._testTitleToParams, title)
     if (testParametersString) {
       extraTags[TEST_PARAMETERS] = testParametersString
     }
@@ -245,14 +261,19 @@ class MochaPlugin extends CiPlugin {
     const testSuite = getTestSuitePath(testSuiteAbsolutePath, this.sourceRoot)
     const testSuiteSpan = this._testSuites.get(testSuiteAbsolutePath)
 
-    const testSourceFile = getTestSuitePath(testSuiteAbsolutePath, this.repositoryRoot)
-
-    if (testSourceFile) {
-      extraTags[TEST_SOURCE_FILE] = testSourceFile
+    if (this.repositoryRoot !== this.sourceRoot && !!this.repositoryRoot) {
+      extraTags[TEST_SOURCE_FILE] = getTestSuitePath(testSuiteAbsolutePath, this.repositoryRoot)
     } else {
       extraTags[TEST_SOURCE_FILE] = testSuite
     }
 
+    if (isNew) {
+      extraTags[TEST_IS_NEW] = 'true'
+      if (isEfdRetry) {
+        extraTags[TEST_EARLY_FLAKE_IS_RETRY] = 'true'
+      }
+    }
+
     return super.startTestSpan(testName, testSuite, testSuiteSpan, extraTags)
   }
 }

package/packages/datadog-plugin-rhea/src/consumer.js

@@ -31,7 +31,10 @@ class RheaConsumerPlugin extends ConsumerPlugin {
       }
     })
 
-    if (this.config.dsmEnabled && msgObj.message) {
+    if (
+      this.config.dsmEnabled &&
+      msgObj?.message?.delivery_annotations?.[CONTEXT_PROPAGATION_KEY]
+    ) {
       const payloadSize = getAmqpMessageSize(
         { headers: msgObj.message.delivery_annotations, content: msgObj.message.body }
       )

package/packages/dd-trace/src/appsec/iast/context/context-plugin.js

@@ -0,0 +1,90 @@
+'use strict'
+
+const { storage } = require('../../../../../datadog-core')
+const iastContextFunctions = require('../iast-context')
+const overheadController = require('../overhead-controller')
+const { IastPlugin } = require('../iast-plugin')
+const { IAST_ENABLED_TAG_KEY } = require('../tags')
+const { createTransaction, removeTransaction } = require('../taint-tracking/operations')
+const vulnerabilityReporter = require('../vulnerability-reporter')
+const { TagKey } = require('../telemetry/iast-metric')
+
+class IastContextPlugin extends IastPlugin {
+  startCtxOn (channelName, tag) {
+    super.addSub(channelName, (message) => this.startContext())
+
+    this._getAndRegisterSubscription({
+      channelName,
+      tag,
+      tagKey: TagKey.SOURCE_TYPE
+    })
+  }
+
+  finishCtxOn (channelName) {
+    super.addSub(channelName, (message) => this.finishContext())
+  }
+
+  getRootSpan (store) {
+    return store?.span
+  }
+
+  getTopContext () {
+    return {}
+  }
+
+  newIastContext (rootSpan) {
+    return { rootSpan }
+  }
+
+  addIastEnabledTag (isRequestAcquired, rootSpan) {
+    if (rootSpan?.addTags) {
+      rootSpan.addTags({
+        [IAST_ENABLED_TAG_KEY]: isRequestAcquired ? 1 : 0
+      })
+    }
+  }
+
+  startContext () {
+    let isRequestAcquired = false
+    let iastContext
+
+    const store = storage.getStore()
+    if (store) {
+      const topContext = this.getTopContext()
+      const rootSpan = this.getRootSpan(store)
+
+      isRequestAcquired = overheadController.acquireRequest(rootSpan)
+      if (isRequestAcquired) {
+        iastContext = iastContextFunctions.saveIastContext(store, topContext, this.newIastContext(rootSpan))
+        createTransaction(rootSpan.context().toSpanId(), iastContext)
+        overheadController.initializeRequestContext(iastContext)
+      }
+      this.addIastEnabledTag(isRequestAcquired, rootSpan)
+    }
+
+    return {
+      isRequestAcquired,
+      iastContext,
+      store
+    }
+  }
+
+  finishContext () {
+    const store = storage.getStore()
+    if (store) {
+      const topContext = this.getTopContext()
+      const iastContext = iastContextFunctions.getIastContext(store, topContext)
+      const rootSpan = iastContext?.rootSpan
+      if (iastContext && rootSpan) {
+        vulnerabilityReporter.sendVulnerabilities(iastContext.vulnerabilities, rootSpan)
+        removeTransaction(iastContext)
+      }
+
+      if (iastContextFunctions.cleanIastContext(store, topContext, iastContext)) {
+        overheadController.releaseRequest()
+      }
+    }
+  }
+}
+
+module.exports = IastContextPlugin

package/packages/dd-trace/src/appsec/iast/context/kafka-ctx-plugin.js

@@ -0,0 +1,14 @@
+'use strict'
+
+const { KAFKA_MESSAGE_KEY, KAFKA_MESSAGE_VALUE } = require('../taint-tracking/source-types')
+const IastContextPlugin = require('./context-plugin')
+
+class KafkaContextPlugin extends IastContextPlugin {
+  onConfigure () {
+    this.startCtxOn('dd-trace:kafkajs:consumer:afterStart', [KAFKA_MESSAGE_KEY, KAFKA_MESSAGE_VALUE])
+
+    this.finishCtxOn('dd-trace:kafkajs:consumer:beforeFinish')
+  }
+}
+
+module.exports = new KafkaContextPlugin()

package/packages/dd-trace/src/appsec/iast/iast-plugin.js

@@ -101,6 +101,14 @@ class IastPlugin extends Plugin {
     }
   }
 
+  enable () {
+    this.configure(true)
+  }
+
+  disable () {
+    this.configure(false)
+  }
+
   onConfigure () {}
 
   configure (config) {

package/packages/dd-trace/src/appsec/iast/index.js

@@ -22,7 +22,7 @@ const requestClose = dc.channel('dd-trace:incomingHttpRequestEnd')
 const iastResponseEnd = dc.channel('datadog:iast:response-end')
 
 function enable (config, _tracer) {
-  iastTelemetry.configure(config, config.iast && config.iast.telemetryVerbosity)
+  iastTelemetry.configure(config, config.iast?.telemetryVerbosity)
   enableAllAnalyzers(config)
   enableTaintTracking(config.iast, iastTelemetry.verbosity)
   requestStart.subscribe(onIncomingHttpRequestStart)
@@ -43,7 +43,7 @@ function disable () {
 }
 
 function onIncomingHttpRequestStart (data) {
-  if (data && data.req) {
+  if (data?.req) {
     const store = storage.getStore()
     if (store) {
       const topContext = web.getContext(data.req)
@@ -68,11 +68,11 @@ function onIncomingHttpRequestStart (data) {
 }
 
 function onIncomingHttpRequestEnd (data) {
-  if (data && data.req) {
+  if (data?.req) {
     const store = storage.getStore()
     const topContext = web.getContext(data.req)
     const iastContext = iastContextFunctions.getIastContext(store, topContext)
-    if (iastContext && iastContext.rootSpan) {
+    if (iastContext?.rootSpan) {
       iastResponseEnd.publish(data)
 
       const vulnerabilities = iastContext.vulnerabilities

package/packages/dd-trace/src/appsec/iast/overhead-controller.js

@@ -52,7 +52,7 @@ function _resetGlobalContext () {
 }
 
 function acquireRequest (rootSpan) {
-  if (availableRequest > 0) {
+  if (availableRequest > 0 && rootSpan) {
     const sampling = config && typeof config.requestSampling === 'number'
       ? config.requestSampling : 30
     if (rootSpan.context().toSpanId().slice(-2) <= sampling) {

package/packages/dd-trace/src/appsec/iast/taint-tracking/csi-methods.js

@@ -2,6 +2,7 @@
 
 const csiMethods = [
   { src: 'concat' },
+  { src: 'parse' },
   { src: 'plusOperator', operator: true },
   { src: 'random' },
   { src: 'replace' },

package/packages/dd-trace/src/appsec/iast/taint-tracking/index.js

@@ -10,18 +10,28 @@ const {
 } = require('./operations')
 
 const taintTrackingPlugin = require('./plugin')
+const kafkaConsumerPlugin = require('./plugins/kafka')
+
+const kafkaContextPlugin = require('../context/kafka-ctx-plugin')
 
 module.exports = {
   enableTaintTracking (config, telemetryVerbosity) {
     enableRewriter(telemetryVerbosity)
     enableTaintOperations(telemetryVerbosity)
     taintTrackingPlugin.enable()
+
+    kafkaContextPlugin.enable()
+    kafkaConsumerPlugin.enable()
+
     setMaxTransactions(config.maxConcurrentRequests)
   },
   disableTaintTracking () {
     disableRewriter()
     disableTaintOperations()
     taintTrackingPlugin.disable()
+
+    kafkaContextPlugin.disable()
+    kafkaConsumerPlugin.disable()
   },
   setMaxTransactions: setMaxTransactions,
   createTransaction: createTransaction,

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations-taint-object.js

@@ -0,0 +1,53 @@
+'use strict'
+
+const TaintedUtils = require('@datadog/native-iast-taint-tracking')
+const { IAST_TRANSACTION_ID } = require('../iast-context')
+const iastLog = require('../iast-log')
+
+function taintObject (iastContext, object, type, keyTainting, keyType) {
+  let result = object
+  const transactionId = iastContext?.[IAST_TRANSACTION_ID]
+  if (transactionId) {
+    const queue = [{ parent: null, property: null, value: object }]
+    const visited = new WeakSet()
+
+    while (queue.length > 0) {
+      const { parent, property, value, key } = queue.pop()
+      if (value === null) {
+        continue
+      }
+
+      try {
+        if (typeof value === 'string') {
+          const tainted = TaintedUtils.newTaintedString(transactionId, value, property, type)
+          if (!parent) {
+            result = tainted
+          } else if (keyTainting && key) {
+            const taintedProperty = TaintedUtils.newTaintedString(transactionId, key, property, keyType)
+            parent[taintedProperty] = tainted
+          } else {
+            parent[key] = tainted
+          }
+        } else if (typeof value === 'object' && !visited.has(value)) {
+          visited.add(value)
+
+          for (const key of Object.keys(value)) {
+            queue.push({ parent: value, property: property ? `${property}.${key}` : key, value: value[key], key })
+          }
+
+          if (parent && keyTainting && key) {
+            const taintedProperty = TaintedUtils.newTaintedString(transactionId, key, property, keyType)
+            parent[taintedProperty] = value
+          }
+        }
+      } catch (e) {
+        iastLog.error(`Error visiting property : ${property}`).errorAndPublish(e)
+      }
+    }
+  }
+  return result
+}
+
+module.exports = {
+  taintObject
+}

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations.js

@@ -2,11 +2,11 @@
 
 const TaintedUtils = require('@datadog/native-iast-taint-tracking')
 const { IAST_TRANSACTION_ID } = require('../iast-context')
-const iastLog = require('../iast-log')
 const iastTelemetry = require('../telemetry')
 const { REQUEST_TAINTED } = require('../telemetry/iast-metric')
 const { isInfoAllowed } = require('../telemetry/verbosity')
 const { getTaintTrackingImpl, getTaintTrackingNoop } = require('./taint-tracking-impl')
+const { taintObject } = require('./operations-taint-object')
 
 function createTransaction (id, iastContext) {
   if (id && iastContext) {
@@ -34,7 +34,7 @@ function removeTransaction (iastContext) {
 }
 
 function newTaintedString (iastContext, string, name, type) {
-  let result = string
+  let result
   const transactionId = iastContext?.[IAST_TRANSACTION_ID]
   if (transactionId) {
     result = TaintedUtils.newTaintedString(transactionId, string, name, type)
@@ -44,56 +44,19 @@ function newTaintedString (iastContext, string, name, type) {
   return result
 }
 
-function taintObject (iastContext, object, type, keyTainting, keyType) {
-  let result = object
+function newTaintedObject (iastContext, obj, name, type) {
+  let result
   const transactionId = iastContext?.[IAST_TRANSACTION_ID]
   if (transactionId) {
-    const queue = [{ parent: null, property: null, value: object }]
-    const visited = new WeakSet()
-
-    while (queue.length > 0) {
-      const { parent, property, value, key } = queue.pop()
-      if (value === null) {
-        continue
-      }
-
-      try {
-        if (typeof value === 'string') {
-          const tainted = TaintedUtils.newTaintedString(transactionId, value, property, type)
-          if (!parent) {
-            result = tainted
-          } else {
-            if (keyTainting && key) {
-              const taintedProperty = TaintedUtils.newTaintedString(transactionId, key, property, keyType)
-              parent[taintedProperty] = tainted
-            } else {
-              parent[key] = tainted
-            }
-          }
-        } else if (typeof value === 'object' && !visited.has(value)) {
-          visited.add(value)
-
-          const keys = Object.keys(value)
-          for (let i = 0; i < keys.length; i++) {
-            const key = keys[i]
-            queue.push({ parent: value, property: property ? `${property}.${key}` : key, value: value[key], key })
-          }
-
-          if (parent && keyTainting && key) {
-            const taintedProperty = TaintedUtils.newTaintedString(transactionId, key, property, keyType)
-            parent[taintedProperty] = value
-          }
-        }
-      } catch (e) {
-        iastLog.error(`Error visiting property : ${property}`).errorAndPublish(e)
-      }
-    }
+    result = TaintedUtils.newTaintedObject(transactionId, obj, name, type)
+  } else {
+    result = obj
   }
   return result
 }
 
 function isTainted (iastContext, string) {
-  let result = false
+  let result
   const transactionId = iastContext?.[IAST_TRANSACTION_ID]
   if (transactionId) {
     result = TaintedUtils.isTainted(transactionId, string)
@@ -104,7 +67,7 @@ function isTainted (iastContext, string) {
 }
 
 function getRanges (iastContext, string) {
-  let result = []
+  let result
   const transactionId = iastContext?.[IAST_TRANSACTION_ID]
   if (transactionId) {
     result = TaintedUtils.getRanges(transactionId, string)
@@ -148,6 +111,7 @@ module.exports = {
   createTransaction,
   removeTransaction,
   newTaintedString,
+  newTaintedObject,
   taintObject,
   isTainted,
   getRanges,

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js

@@ -3,7 +3,7 @@
 const { SourceIastPlugin } = require('../iast-plugin')
 const { getIastContext } = require('../iast-context')
 const { storage } = require('../../../../../datadog-core')
-const { taintObject, newTaintedString } = require('./operations')
+const { taintObject, newTaintedString, getRanges } = require('./operations')
 const {
   HTTP_REQUEST_BODY,
   HTTP_REQUEST_COOKIE_VALUE,
@@ -65,6 +65,18 @@ class TaintTrackingPlugin extends SourceIastPlugin {
       }
     )
 
+    this.addSub(
+      { channelName: 'apm:graphql:resolve:start', tag: HTTP_REQUEST_BODY },
+      (data) => {
+        const iastContext = getIastContext(storage.getStore())
+        const source = data.context?.source
+        const ranges = source && getRanges(iastContext, source)
+        if (ranges?.length) {
+          this._taintTrackingHandler(ranges[0].iinfo.type, data.args, null, iastContext)
+        }
+      }
+    )
+
     // this is a special case to increment INSTRUMENTED_SOURCE metric for header
     this.addInstrumentedSource('http', [HTTP_REQUEST_HEADER_VALUE, HTTP_REQUEST_HEADER_NAME])
   }
@@ -104,14 +116,6 @@ class TaintTrackingPlugin extends SourceIastPlugin {
     this.taintHeaders(req.headers, iastContext)
     this.taintUrl(req, iastContext)
   }
-
-  enable () {
-    this.configure(true)
-  }
-
-  disable () {
-    this.configure(false)
-  }
 }
 
 module.exports = new TaintTrackingPlugin()

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugins/kafka.js

@@ -0,0 +1,47 @@
+'use strict'
+
+const shimmer = require('../../../../../../datadog-shimmer')
+const { storage } = require('../../../../../../datadog-core')
+const { getIastContext } = require('../../iast-context')
+const { KAFKA_MESSAGE_KEY, KAFKA_MESSAGE_VALUE } = require('../source-types')
+const { newTaintedObject, newTaintedString } = require('../operations')
+const { SourceIastPlugin } = require('../../iast-plugin')
+
+class KafkaConsumerIastPlugin extends SourceIastPlugin {
+  onConfigure () {
+    this.addSub({ channelName: 'dd-trace:kafkajs:consumer:afterStart', tag: [KAFKA_MESSAGE_KEY, KAFKA_MESSAGE_VALUE] },
+      ({ message }) => this.taintKafkaMessage(message)
+    )
+  }
+
+  getToStringWrap (toString, iastContext, type) {
+    return function () {
+      const res = toString.apply(this, arguments)
+      return newTaintedString(iastContext, res, undefined, type)
+    }
+  }
+
+  taintKafkaMessage (message) {
+    const iastContext = getIastContext(storage.getStore())
+
+    if (iastContext && message) {
+      const { key, value } = message
+
+      if (key && typeof key === 'object') {
+        shimmer.wrap(key, 'toString',
+          toString => this.getToStringWrap(toString, iastContext, KAFKA_MESSAGE_KEY))
+
+        newTaintedObject(iastContext, key, undefined, KAFKA_MESSAGE_KEY)
+      }
+
+      if (value && typeof value === 'object') {
+        shimmer.wrap(value, 'toString',
+          toString => this.getToStringWrap(toString, iastContext, KAFKA_MESSAGE_VALUE))
+
+        newTaintedObject(iastContext, value, undefined, KAFKA_MESSAGE_VALUE)
+      }
+    }
+  }
+}
+
+module.exports = new KafkaConsumerIastPlugin()

package/packages/dd-trace/src/appsec/iast/taint-tracking/source-types.js

@@ -9,5 +9,7 @@ module.exports = {
   HTTP_REQUEST_PARAMETER: 'http.request.parameter',
   HTTP_REQUEST_PATH: 'http.request.path',
   HTTP_REQUEST_PATH_PARAM: 'http.request.path.parameter',
-  HTTP_REQUEST_URI: 'http.request.uri'
+  HTTP_REQUEST_URI: 'http.request.uri',
+  KAFKA_MESSAGE_KEY: 'kafka.message.key',
+  KAFKA_MESSAGE_VALUE: 'kafka.message.value'
 }

package/packages/dd-trace/src/appsec/iast/taint-tracking/taint-tracking-impl.js

@@ -7,15 +7,19 @@ const iastContextFunctions = require('../iast-context')
 const iastLog = require('../iast-log')
 const { EXECUTED_PROPAGATION } = require('../telemetry/iast-metric')
 const { isDebugAllowed } = require('../telemetry/verbosity')
+const { taintObject } = require('./operations-taint-object')
 
 const mathRandomCallCh = dc.channel('datadog:random:call')
 
+const JSON_VALUE = 'json.value'
+
 function noop (res) { return res }
 // NOTE: methods of this object must be synchronized with csi-methods.js file definitions!
 // Otherwise you may end up rewriting a method and not providing its rewritten implementation
 const TaintTrackingNoop = {
-  plusOperator: noop,
   concat: noop,
+  parse: noop,
+  plusOperator: noop,
   random: noop,
   replace: noop,
   slice: noop,
@@ -26,7 +30,7 @@ const TaintTrackingNoop = {
 }
 
 function getTransactionId (iastContext) {
-  return iastContext && iastContext[iastContextFunctions.IAST_TRANSACTION_ID]
+  return iastContext?.[iastContextFunctions.IAST_TRANSACTION_ID]
 }
 
 function getContextDefault () {
@@ -120,6 +124,29 @@ function csiMethodsOverrides (getContext) {
       if (mathRandomCallCh.hasSubscribers) {
         mathRandomCallCh.publish({ fn })
       }
+      return res
+    },
+
+    parse: function (res, fn, target, json) {
+      if (fn === JSON.parse) {
+        try {
+          const iastContext = getContext()
+          const transactionId = getTransactionId(iastContext)
+          if (transactionId) {
+            const ranges = TaintedUtils.getRanges(transactionId, json)
+
+            // TODO: first version.
+            // here we are losing the original source because taintObject always creates a new tainted
+            if (ranges?.length > 0) {
+              const range = ranges.find(range => range.iinfo?.type)
+              res = taintObject(iastContext, res, range?.iinfo.type || JSON_VALUE)
+            }
+          }
+        } catch (e) {
+          iastLog.error(e)
+        }
+      }
+
       return res
     }
   }

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/utils.js

@@ -20,7 +20,7 @@ function iterateObject (target, fn, levelKeys = [], depth = 50) {
 
     fn(val, nextLevelKeys, target, key)
 
-    if (val !== null && typeof val === 'object') {
+    if (val !== null && typeof val === 'object' && depth > 0) {
       iterateObject(val, fn, nextLevelKeys, depth - 1)
     }
   })

package/packages/dd-trace/src/appsec/remote_config/capabilities.js

@@ -14,5 +14,6 @@ module.exports = {
   APM_TRACING_SAMPLE_RATE: 1n << 12n,
   APM_TRACING_LOGS_INJECTION: 1n << 13n,
   APM_TRACING_HTTP_HEADER_TAGS: 1n << 14n,
-  APM_TRACING_CUSTOM_TAGS: 1n << 15n
+  APM_TRACING_CUSTOM_TAGS: 1n << 15n,
+  APM_TRACING_ENABLED: 1n << 19n
 }