dd-trace 5.45.0 → 5.47.0

package/packages/dd-trace/src/appsec/telemetry/waf.js

@@ -33,21 +33,9 @@ function addWafRequestMetrics (store, { duration, durationExt, wafTimeout, error
   }
 }
 
-function trackWafDurations ({ duration, durationExt }, versionsTags) {
-  if (duration) {
-    appsecMetrics.distribution('waf.duration', versionsTags).track(duration)
-  }
-
-  if (durationExt) {
-    appsecMetrics.distribution('waf.duration_ext', versionsTags).track(durationExt)
-  }
-}
-
 function trackWafMetrics (store, metrics) {
   const versionsTags = getVersionsTags(metrics.wafVersion, metrics.rulesVersion)
 
-  trackWafDurations(metrics, versionsTags)
-
   const metricTags = getOrCreateMetricTags(store, versionsTags)
 
   if (metrics.blockFailed) {
@@ -134,24 +122,6 @@ function incrementWafRequests (store) {
 function incrementTruncatedMetrics (metrics, truncationReason) {
   const truncationTags = { truncation_reason: truncationReason }
   appsecMetrics.count('waf.input_truncated', truncationTags).inc(1)
-
-  if (metrics?.maxTruncatedString) {
-    appsecMetrics.distribution('waf.truncated_value_size', {
-      truncation_reason: TRUNCATION_FLAGS.STRING
-    }).track(metrics.maxTruncatedString)
-  }
-
-  if (metrics?.maxTruncatedContainerSize) {
-    appsecMetrics.distribution('waf.truncated_value_size', {
-      truncation_reason: TRUNCATION_FLAGS.CONTAINER_SIZE
-    }).track(metrics.maxTruncatedContainerSize)
-  }
-
-  if (metrics?.maxTruncatedContainerDepth) {
-    appsecMetrics.distribution('waf.truncated_value_size', {
-      truncation_reason: TRUNCATION_FLAGS.CONTAINER_DEPTH
-    }).track(metrics.maxTruncatedContainerDepth)
-  }
 }
 
 function getTruncationReason ({ maxTruncatedString, maxTruncatedContainerSize, maxTruncatedContainerDepth }) {

package/packages/dd-trace/src/appsec/waf/waf_context_wrapper.js

@@ -25,6 +25,10 @@ class WAFContextWrapper {
   run ({ persistent, ephemeral }, raspRule) {
     if (this.ddwafContext.disposed) {
       log.warn('[ASM] Calling run on a disposed context')
+      if (raspRule) {
+        Reporter.reportRaspRuleSkipped(raspRule, 'after-request')
+      }
+
       return
     }
 

package/packages/dd-trace/src/ci-visibility/exporters/test-worker/index.js

@@ -6,7 +6,8 @@ const {
   JEST_WORKER_TRACE_PAYLOAD_CODE,
   CUCUMBER_WORKER_TRACE_PAYLOAD_CODE,
   MOCHA_WORKER_TRACE_PAYLOAD_CODE,
-  JEST_WORKER_LOGS_PAYLOAD_CODE
+  JEST_WORKER_LOGS_PAYLOAD_CODE,
+  PLAYWRIGHT_WORKER_TRACE_PAYLOAD_CODE
 } = require('../../../plugins/util/test')
 
 function getInterprocessTraceCode () {
@@ -19,6 +20,9 @@ function getInterprocessTraceCode () {
   if (process.env.MOCHA_WORKER_ID) {
     return MOCHA_WORKER_TRACE_PAYLOAD_CODE
   }
+  if (process.env.DD_PLAYWRIGHT_WORKER) {
+    return PLAYWRIGHT_WORKER_TRACE_PAYLOAD_CODE
+  }
   return null
 }
 
@@ -65,8 +69,9 @@ class TestWorkerCiVisibilityExporter {
     this._logsWriter.append({ testConfiguration, logMessage })
   }
 
-  flush () {
-    this._writer.flush()
+  // TODO: add to other writers
+  flush (onDone) {
+    this._writer.flush(onDone)
     this._coverageWriter.flush()
     this._logsWriter.flush()
   }

package/packages/dd-trace/src/ci-visibility/exporters/test-worker/writer.js

@@ -8,13 +8,13 @@ class Writer {
     this._interprocessCode = interprocessCode
   }
 
-  flush () {
+  flush (onDone) {
     const count = this._encoder.count()
 
     if (count > 0) {
       const payload = this._encoder.makePayload()
 
-      this._sendPayload(payload)
+      this._sendPayload(payload, onDone)
     }
   }
 
@@ -22,7 +22,7 @@ class Writer {
     this._encoder.encode(payload)
   }
 
-  _sendPayload (data) {
+  _sendPayload (data, onDone = () => {}) {
     // ## Jest
     // Only available when `child_process` is used for the jest worker.
     // eslint-disable-next-line
@@ -36,7 +36,9 @@ class Writer {
     // eslint-disable-next-line
     // https://github.com/cucumber/cucumber-js/blob/5ce371870b677fe3d1a14915dc535688946f734c/src/runtime/parallel/run_worker.ts#L13
     if (process.send) { // it only works if process.send is available
-      process.send([this._interprocessCode, data])
+      process.send([this._interprocessCode, data], () => {
+        onDone()
+      })
     }
   }
 }

package/packages/dd-trace/src/config.js

@@ -63,6 +63,8 @@ const otelDdEnvMapping = {
 
 const VALID_PROPAGATION_STYLES = new Set(['datadog', 'tracecontext', 'b3', 'b3 single header', 'none'])
 
+const VALID_PROPAGATION_BEHAVIOR_EXTRACT = new Set(['continue', 'restart', 'ignore'])
+
 const VALID_LOG_LEVELS = new Set(['debug', 'info', 'warn', 'error'])
 
 function getFromOtelSamplerMap (otelTracesSampler, otelTracesSamplerArg) {
@@ -584,6 +586,7 @@ class Config {
     this._setValue(defaults, 'traceId128BitGenerationEnabled', true)
     this._setValue(defaults, 'traceId128BitLoggingEnabled', true)
     this._setValue(defaults, 'tracePropagationExtractFirst', false)
+    this._setValue(defaults, 'tracePropagationBehaviorExtract', 'continue')
     this._setValue(defaults, 'tracePropagationStyle.inject', ['datadog', 'tracecontext', 'baggage'])
     this._setValue(defaults, 'tracePropagationStyle.extract', ['datadog', 'tracecontext', 'baggage'])
     this._setValue(defaults, 'tracePropagationStyle.otelPropagators', false)
@@ -746,6 +749,7 @@ class Config {
       DD_TRACE_PARTIAL_FLUSH_MIN_SPANS,
       DD_TRACE_PEER_SERVICE_MAPPING,
       DD_TRACE_PROPAGATION_EXTRACT_FIRST,
+      DD_TRACE_PROPAGATION_BEHAVIOR_EXTRACT,
       DD_TRACE_PROPAGATION_STYLE,
       DD_TRACE_PROPAGATION_STYLE_INJECT,
       DD_TRACE_PROPAGATION_STYLE_EXTRACT,
@@ -967,6 +971,11 @@ class Config {
     this._setBoolean(env, 'traceId128BitGenerationEnabled', DD_TRACE_128_BIT_TRACEID_GENERATION_ENABLED)
     this._setBoolean(env, 'traceId128BitLoggingEnabled', DD_TRACE_128_BIT_TRACEID_LOGGING_ENABLED)
     this._setBoolean(env, 'tracePropagationExtractFirst', DD_TRACE_PROPAGATION_EXTRACT_FIRST)
+    const stringPropagationBehaviorExtract = String(DD_TRACE_PROPAGATION_BEHAVIOR_EXTRACT)
+    this._setValue(env, 'tracePropagationBehaviorExtract',
+      VALID_PROPAGATION_BEHAVIOR_EXTRACT.has(stringPropagationBehaviorExtract)
+        ? stringPropagationBehaviorExtract
+        : 'continue')
     this._setBoolean(env, 'tracePropagationStyle.otelPropagators',
       DD_TRACE_PROPAGATION_STYLE ||
       DD_TRACE_PROPAGATION_STYLE_INJECT ||

package/packages/dd-trace/src/constants.js

@@ -26,6 +26,7 @@ module.exports = {
   ERROR_TYPE: 'error.type',
   ERROR_MESSAGE: 'error.message',
   ERROR_STACK: 'error.stack',
+  IGNORE_OTEL_ERROR: Symbol('ignore.otel.error'),
   COMPONENT: 'component',
   CLIENT_PORT_KEY: 'network.destination.port',
   PEER_SERVICE_KEY: 'peer.service',

package/packages/dd-trace/src/debugger/devtools_client/breakpoints.js

@@ -1,9 +1,11 @@
 'use strict'
 
 const { getGeneratedPosition } = require('./source-maps')
+const lock = require('./lock')()
 const session = require('./session')
+const compileCondition = require('./condition')
 const { MAX_SNAPSHOTS_PER_SECOND_PER_PROBE, MAX_NON_SNAPSHOTS_PER_SECOND_PER_PROBE } = require('./defaults')
-const { findScriptFromPartialPath, probes, breakpoints } = require('./state')
+const { findScriptFromPartialPath, locationToBreakpoint, breakpointToProbes, probeToLocation } = require('./state')
 const log = require('../../log')
 
 let sessionStarted = false
@@ -42,21 +44,44 @@ async function addBreakpoint (probe) {
     ({ line: lineNumber, column: columnNumber } = await getGeneratedPosition(url, source, lineNumber, sourceMapURL))
   }
 
-  log.debug(
-    '[debugger:devtools_client] Adding breakpoint at %s:%d:%d (probe: %s, version: %d)',
-    url, lineNumber, columnNumber, probe.id, probe.version
-  )
+  try {
+    probe.condition = probe.when?.json && compileCondition(probe.when.json)
+  } catch (err) {
+    throw new Error(`Cannot compile expression: ${probe.when.dsl}`, { cause: err })
+  }
 
-  const { breakpointId } = await session.post('Debugger.setBreakpoint', {
-    location: {
-      scriptId,
-      lineNumber: lineNumber - 1, // Beware! lineNumber is zero-indexed
-      columnNumber
+  const release = await lock()
+
+  try {
+    log.debug(
+      '[debugger:devtools_client] Adding breakpoint at %s:%d:%d (probe: %s, version: %d)',
+      url, lineNumber, columnNumber, probe.id, probe.version
+    )
+
+    const locationKey = generateLocationKey(scriptId, lineNumber, columnNumber)
+    const breakpoint = locationToBreakpoint.get(locationKey)
+
+    if (breakpoint) {
+      // A breakpoint already exists at this location, so we need to add the probe to the existing breakpoint
+      await updateBreakpoint(breakpoint, probe)
+    } else {
+      // No breakpoint exists at this location, so we need to create a new one
+      const location = {
+        scriptId,
+        lineNumber: lineNumber - 1, // Beware! lineNumber is zero-indexed
+        columnNumber
+      }
+      const result = await session.post('Debugger.setBreakpoint', {
+        location,
+        condition: probe.condition
+      })
+      probeToLocation.set(probe.id, locationKey)
+      locationToBreakpoint.set(locationKey, { id: result.breakpointId, location, locationKey })
+      breakpointToProbes.set(result.breakpointId, new Map([[probe.id, probe]]))
     }
-  })
-
-  probes.set(probe.id, breakpointId)
-  breakpoints.set(breakpointId, probe)
+  } finally {
+    release()
+  }
 }
 
 async function removeBreakpoint ({ id }) {
@@ -64,24 +89,79 @@ async function removeBreakpoint ({ id }) {
     // We should not get in this state, but abort if we do, so the code doesn't fail unexpected
     throw Error(`Cannot remove probe ${id}: Debugger not started`)
   }
-  if (!probes.has(id)) {
+  if (!probeToLocation.has(id)) {
     throw Error(`Unknown probe id: ${id}`)
   }
 
-  const breakpointId = probes.get(id)
-  await session.post('Debugger.removeBreakpoint', { breakpointId })
-  probes.delete(id)
-  breakpoints.delete(breakpointId)
+  const release = await lock()
+
+  try {
+    const locationKey = probeToLocation.get(id)
+    const breakpoint = locationToBreakpoint.get(locationKey)
+    const probesAtLocation = breakpointToProbes.get(breakpoint.id)
+
+    probesAtLocation.delete(id)
+    probeToLocation.delete(id)
+
+    if (probesAtLocation.size === 0) {
+      locationToBreakpoint.delete(locationKey)
+      breakpointToProbes.delete(breakpoint.id)
+      if (breakpointToProbes.size === 0) {
+        await stop() // TODO: Will this actually delete the breakpoint?
+      } else {
+        await session.post('Debugger.removeBreakpoint', { breakpointId: breakpoint.id })
+      }
+    } else {
+      await updateBreakpoint(breakpoint)
+    }
+  } finally {
+    release()
+  }
+}
+
+async function updateBreakpoint (breakpoint, probe) {
+  const probesAtLocation = breakpointToProbes.get(breakpoint.id)
+  const conditionBeforeNewProbe = compileCompoundCondition(Array.from(probesAtLocation.values()))
 
-  if (breakpoints.size === 0) return stop() // return instead of await to reduce number of promises created
+  // If a probe is provided, add it to the breakpoint. If not, it's because we're removing a probe, but potentially
+  // need to update the condtion of the breakpoint.
+  if (probe) {
+    probesAtLocation.set(probe.id, probe)
+    probeToLocation.set(probe.id, breakpoint.locationKey)
+  }
+
+  const condition = compileCompoundCondition(Array.from(probesAtLocation.values()))
+
+  if (condition || conditionBeforeNewProbe !== condition) {
+    await session.post('Debugger.removeBreakpoint', { breakpointId: breakpoint.id })
+    breakpointToProbes.delete(breakpoint.id)
+    const result = await session.post('Debugger.setBreakpoint', {
+      location: breakpoint.location,
+      condition
+    })
+    breakpoint.id = result.breakpointId
+    breakpointToProbes.set(result.breakpointId, probesAtLocation)
+  }
 }
 
 function start () {
   sessionStarted = true
-  return session.post('Debugger.enable') // return instead of await to reduce number of promises created
+  return session.post('Debugger.enable')
 }
 
 function stop () {
   sessionStarted = false
-  return session.post('Debugger.disable') // return instead of await to reduce number of promises created
+  return session.post('Debugger.disable')
+}
+
+// Only if all probes have a condition can we use a compound condition.
+// Otherwise, we need to evaluate each probe individually once the breakpoint is hit.
+function compileCompoundCondition (probes) {
+  return probes.every(p => p.condition)
+    ? probes.map(p => p.condition).filter(Boolean).join(' || ')
+    : undefined
+}
+
+function generateLocationKey (scriptId, lineNumber, columnNumber) {
+  return `${scriptId}:${lineNumber}:${columnNumber}`
 }

package/packages/dd-trace/src/debugger/devtools_client/condition.js

@@ -0,0 +1,263 @@
+'use strict'
+
+module.exports = compile
+
+const identifierRegex = /^[@a-zA-Z_$][\w$]*$/
+
+// The following identifiers have purposefully not been included in this list:
+// - The reserved words `this` and `super` as they can have valid use cases as `ref` values
+// - The literals `undefined` and `Infinity` as they can be useful as `ref` values, especially to check if a
+//   variable is `undefined`.
+// - The following future reserved words in older standards, as they can now be used safely:
+//   `abstract`, `boolean`, `byte`, `char`, `double`, `final`, `float`, `goto`, `int`, `long`, `native`, `short`,
+//   `synchronized`, `throws`, `transient`, `volatile`.
+const reservedWords = new Set([
+  // Reserved words
+  'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger', 'default', 'delete', 'do', 'else', 'export',
+  'extends', 'false', 'finally', 'for', 'function', 'if', 'import', 'in', 'instanceof', 'new', 'null', 'return',
+  'switch', 'throw', 'true', 'try', 'typeof', 'var', 'void', 'while', 'with',
+
+  // Reserved in strict mode
+  'let', 'static', 'yield',
+
+  // Reserved in module code or async function bodies:
+  'await',
+
+  // Future reserved words
+  'enum',
+
+  // Future reserved words in strict mode
+  'implements', 'interface', 'package', 'private', 'protected', 'public',
+
+  // Litterals
+  'NaN'
+])
+
+const PRIMITIVE_TYPES = new Set(['string', 'number', 'bigint', 'boolean', 'undefined', 'symbol', 'null'])
+
+// TODO: Consider storing some of these functions on `process` so they can be reused across probes
+function compile (node) {
+  if (node === null || typeof node === 'number' || typeof node === 'boolean') {
+    return node
+  } else if (typeof node === 'string') {
+    return JSON.stringify(node)
+  }
+
+  const [type, value] = Object.entries(node)[0]
+
+  if (type === 'not') {
+    return `!(${compile(value)})`
+  } else if (type === 'len' || type === 'count') {
+    return getSize(compile(value))
+  } else if (type === 'isEmpty') {
+    return `${getSize(compile(value))} === 0`
+  } else if (type === 'isDefined') {
+    return `(() => {
+      try {
+        ${compile(value)}
+        return true
+      } catch {
+        return false
+      }
+    })()`
+  } else if (type === 'instanceof') {
+    if (isPrimitiveType(value[1])) {
+      return `(typeof ${compile(value[0])} === '${value[1]}')` // TODO: Is parenthesizing necessary?
+    } else {
+      return `Function.prototype[Symbol.hasInstance].call(${assertIdentifier(value[1])}, ${compile(value[0])})`
+    }
+  } else if (type === 'ref') {
+    if (value === '@it') {
+      return '$dd_it'
+    } else if (value === '@key') {
+      return '$dd_key'
+    } else if (value === '@value') {
+      return '$dd_value'
+    } else {
+      return assertIdentifier(value)
+    }
+  } else if (Array.isArray(value)) {
+    const args = value.map(compile)
+    switch (type) {
+      case 'eq': return `(${args[0]}) === (${args[1]})`
+      case 'ne': return `(${args[0]}) !== (${args[1]})`
+      case 'gt': return `${guardAgainstCoercionSideEffects(args[0])} > ${guardAgainstCoercionSideEffects(args[1])}`
+      case 'ge': return `${guardAgainstCoercionSideEffects(args[0])} >= ${guardAgainstCoercionSideEffects(args[1])}`
+      case 'lt': return `${guardAgainstCoercionSideEffects(args[0])} < ${guardAgainstCoercionSideEffects(args[1])}`
+      case 'le': return `${guardAgainstCoercionSideEffects(args[0])} <= ${guardAgainstCoercionSideEffects(args[1])}`
+      case 'any': return iterateOn('some', ...args)
+      case 'all': return iterateOn('every', ...args)
+      case 'and': return `(${args.join(') && (')})`
+      case 'or': return `(${args.join(') || (')})`
+      case 'startsWith': return `String.prototype.startsWith.call(${assertString(args[0])}, ${assertString(args[1])})`
+      case 'endsWith': return `String.prototype.endsWith.call(${assertString(args[0])}, ${assertString(args[1])})`
+      case 'contains': return `((obj, elm) => {
+          if (${isString('obj')}) {
+            return String.prototype.includes.call(obj, elm)
+          } else if (Array.isArray(obj)) {
+            return Array.prototype.includes.call(obj, elm)
+          } else if (${isTypedArray('obj')}) {
+            return Object.getPrototypeOf(Int8Array.prototype).includes.call(obj, elm)
+          } else if (${isInstanceOfCoreType('Set', 'obj')}) {
+            return Set.prototype.has.call(obj, elm)
+          } else if (${isInstanceOfCoreType('WeakSet', 'obj')}) {
+            return WeakSet.prototype.has.call(obj, elm)
+          } else if (${isInstanceOfCoreType('Map', 'obj')}) {
+            return Map.prototype.has.call(obj, elm)
+          } else if (${isInstanceOfCoreType('WeakMap', 'obj')}) {
+            return WeakMap.prototype.has.call(obj, elm)
+          } else {
+            throw new TypeError('Variable does not support contains')
+          }
+        })(${args[0]}, ${args[1]})`
+      case 'matches': return `((str, regex) => {
+          if (${isString('str')}) {
+            const regexIsString = ${isString('regex')}
+            if (regexIsString || Object.getPrototypeOf(regex) === RegExp.prototype) {
+              return RegExp.prototype.test.call(regexIsString ? new RegExp(regex) : regex, str)
+            } else {
+              throw new TypeError('Regular expression must be either a string or an instance of RegExp')
+            }
+          } else {
+            throw new TypeError('Variable is not a string')
+          }
+        })(${args[0]}, ${args[1]})`
+      case 'filter': return `(($dd_var) => {
+          return ${isIterableCollection('$dd_var')}
+            ? Array.from($dd_var).filter(($dd_it) => ${args[1]})
+            : Object.entries($dd_var).reduce((acc, [$dd_key, $dd_value]) => {
+                if (${args[1]}) acc[$dd_key] = $dd_value
+                return acc
+              }, {})
+        })(${args[0]})`
+      case 'substring': return `((str) => {
+          if (${isString('str')}) {
+            return String.prototype.substring.call(str, ${args[1]}, ${args[2]})
+          } else {
+            throw new TypeError('Variable is not a string')
+          }
+        })(${args[0]})`
+      case 'getmember': return accessProperty(args[0], args[1], false)
+      case 'index': return accessProperty(args[0], args[1], true)
+    }
+  }
+
+  throw new TypeError(`Unknown AST node type: ${type}`)
+}
+
+function iterateOn (fnName, variable, callbackCode) {
+  return `(($dd_val) => {
+    return ${isIterableCollection('$dd_val')}
+      ? Array.from($dd_val).${fnName}(($dd_it) => ${callbackCode})
+      : Object.entries($dd_val).${fnName}(([$dd_key, $dd_value]) => ${callbackCode})
+  })(${variable})`
+}
+
+function isString (variable) {
+  return `(typeof ${variable} === 'string' || ${variable} instanceof String)`
+}
+
+function isPrimitiveType (type) {
+  return PRIMITIVE_TYPES.has(type)
+}
+
+function isIterableCollection (variable) {
+  return `(${isArrayOrTypedArray(variable)} || ${isInstanceOfCoreType('Set', variable)} || ` +
+    `${isInstanceOfCoreType('WeakSet', variable)})`
+}
+
+function isArrayOrTypedArray (variable) {
+  return `(Array.isArray(${variable}) || ${isTypedArray(variable)})`
+}
+
+function isTypedArray (variable) {
+  return isInstanceOfCoreType('TypedArray', variable, `${variable} instanceof Object.getPrototypeOf(Int8Array)`)
+}
+
+function isInstanceOfCoreType (type, variable, fallback = `${variable} instanceof ${type}`) {
+  return `(process[Symbol.for('datadog:node:util:types')]?.is${type}?.(${variable}) ?? ${fallback})`
+}
+
+function getSize (variable) {
+  return `((val) => {
+    if (${isString('val')} || ${isArrayOrTypedArray('val')}) {
+      return ${guardAgainstPropertyAccessSideEffects('val', '"length"')}
+    } else if (${isInstanceOfCoreType('Set', 'val')} || ${isInstanceOfCoreType('Map', 'val')}) {
+      return ${guardAgainstPropertyAccessSideEffects('val', '"size"')}
+    } else if (${isInstanceOfCoreType('WeakSet', 'val')} || ${isInstanceOfCoreType('WeakMap', 'val')}) {
+      throw new TypeError('Cannot get size of WeakSet or WeakMap')
+    } else if (typeof val === 'object' && val !== null) {
+      return Object.keys(val).length
+    } else {
+      throw new TypeError('Cannot get length of variable')
+    }
+  })(${variable})`
+}
+
+function accessProperty (variable, keyOrIndex, allowMapAccess) {
+  return `((val, key) => {
+    if (${isInstanceOfCoreType('Map', 'val')}) {
+      ${allowMapAccess
+        ? 'return Map.prototype.get.call(val, key)'
+        : 'throw new Error(\'Accessing a Map is not allowed\')'}
+    } else if (${isInstanceOfCoreType('WeakMap', 'val')}) {
+      ${allowMapAccess
+        ? 'return WeakMap.prototype.get.call(val, key)'
+        : 'throw new Error(\'Accessing a WeakMap is not allowed\')'}
+    } else if (${isInstanceOfCoreType('Set', 'val')} || ${isInstanceOfCoreType('WeakSet', 'val')}) {
+      throw new Error('Accessing a Set or WeakSet is not allowed')
+    } else {
+      return ${guardAgainstPropertyAccessSideEffects('val', 'key')}
+    }
+  })(${variable}, ${keyOrIndex})`
+}
+
+function guardAgainstPropertyAccessSideEffects (variable, propertyName) {
+  return `((val, key) => {
+    if (
+      ${isInstanceOfCoreType('Proxy', 'val', 'true')} ||
+      Object.getOwnPropertyDescriptor(val, key)?.get !== undefined
+    ) {
+      throw new Error('Possibility of side effect')
+    } else {
+      return val[key]
+    }
+  })(${variable}, ${propertyName})`
+}
+
+function guardAgainstCoercionSideEffects (variable) {
+  // shortcut if we're comparing number literals
+  if (typeof variable === 'number') return variable
+
+  return `((val) => {
+    if (
+      typeof val === 'object' && val !== null && (
+        ${isInstanceOfCoreType('Proxy', 'val', 'true')} ||
+        val[Symbol.toPrimitive] !== undefined ||
+        val.valueOf !== Object.prototype.valueOf ||
+        val.toString !== Object.prototype.toString
+      )
+    ) {
+      throw new Error('Possibility of side effect due to coercion methods')
+    } else {
+      return val
+    }
+  })(${variable})`
+}
+
+function assertString (variable) {
+  return `((val) => {
+    if (typeof val === 'string' || val instanceof String) {
+      return val
+    } else {
+      throw new TypeError('Variable is not a string')
+    }
+  })(${variable})`
+}
+
+function assertIdentifier (value) {
+  if (!identifierRegex.test(value) || reservedWords.has(value)) {
+    throw new SyntaxError(`Illegal identifier: ${value}`)
+  }
+  return value
+}