npm - dd-trace - Versions diffs - 5.53.0 → 5.54.0 - Mend

dd-trace 5.53.0 → 5.54.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (319) hide show

package/packages/dd-trace/src/appsec/blocking.js CHANGED Viewed

@@ -93,11 +93,9 @@ function getBlockWithContentData (req, specificType, actionParameters) {
 }
 function getBlockingData (req, specificType, actionParameters) {
-  if (actionParameters?.location) {
-    return getBlockWithRedirectData(actionParameters)
-  } else {
-    return getBlockWithContentData(req, specificType, actionParameters)
-  }
+  return actionParameters?.location
+    ? getBlockWithRedirectData(actionParameters)
+    : getBlockWithContentData(req, specificType, actionParameters)
 }
 function block (req, res, rootSpan, abortController, actionParameters = defaultBlockingActionParameters) {
@@ -140,23 +138,11 @@ function getBlockingAction (actions) {
 }
 function setTemplates (config) {
-  if (config.appsec.blockedTemplateHtml) {
-    templateHtml = config.appsec.blockedTemplateHtml
-  } else {
-    templateHtml = blockedTemplates.html
-  }
+  templateHtml = config.appsec.blockedTemplateHtml || blockedTemplates.html
-  if (config.appsec.blockedTemplateJson) {
-    templateJson = config.appsec.blockedTemplateJson
-  } else {
-    templateJson = blockedTemplates.json
-  }
+  templateJson = config.appsec.blockedTemplateJson || blockedTemplates.json
-  if (config.appsec.blockedTemplateGraphql) {
-    templateGraphqlJson = config.appsec.blockedTemplateGraphql
-  } else {
-    templateGraphqlJson = blockedTemplates.graphqlJson
-  }
+  templateGraphqlJson = config.appsec.blockedTemplateGraphql || blockedTemplates.graphqlJson
 }
 function isBlocked (res) {

package/packages/dd-trace/src/appsec/iast/analyzers/hardcoded-password-rules.js CHANGED Viewed

@@ -1,4 +1,4 @@
-/* eslint-disable @stylistic/js/max-len */
+/* eslint-disable @stylistic/max-len */
 'use strict'
 const { NameAndValue } = require('./hardcoded-rule-type')

package/packages/dd-trace/src/appsec/iast/analyzers/hardcoded-secret-rules.js CHANGED Viewed

@@ -1,4 +1,4 @@
-/* eslint-disable @stylistic/js/max-len */
+/* eslint-disable @stylistic/max-len */
 'use strict'
 const { ValueOnly, NameAndValue } = require('./hardcoded-rule-type')

package/packages/dd-trace/src/appsec/iast/analyzers/hardcoded-secrets-rules.js CHANGED Viewed

@@ -1,4 +1,4 @@
-/* eslint-disable @stylistic/js/max-len */
+/* eslint-disable @stylistic/max-len */
 'use strict'
 const { ValueOnly, NameAndValue } = require('./hardcoded-rule-type')

package/packages/dd-trace/src/appsec/iast/analyzers/header-injection-analyzer.js CHANGED Viewed

@@ -11,13 +11,13 @@ const {
 } = require('../taint-tracking/source-types')
 const EXCLUDED_PATHS = getNodeModulesPaths('express')
-const EXCLUDED_HEADER_NAMES = [
+const EXCLUDED_HEADER_NAMES = new Set([
   'location',
   'sec-websocket-location',
   'sec-websocket-accept',
   'upgrade',
   'connection'
-]
+])
 class HeaderInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
@@ -27,9 +27,7 @@ class HeaderInjectionAnalyzer extends InjectionAnalyzer {
   onConfigure () {
     this.addSub('datadog:http:server:response:set-header:finish', ({ name, value }) => {
       if (Array.isArray(value)) {
-        for (let i = 0; i < value.length; i++) {
-          const headerValue = value[i]
+        for (const headerValue of value) {
           this.analyze({ name, value: headerValue })
         }
       } else {
@@ -65,7 +63,7 @@ class HeaderInjectionAnalyzer extends InjectionAnalyzer {
   }
   isExcludedHeaderName (name) {
-    return EXCLUDED_HEADER_NAMES.includes(name)
+    return EXCLUDED_HEADER_NAMES.has(name)
   }
   isAllRangesFromHeader (ranges, headerName) {

package/packages/dd-trace/src/appsec/iast/analyzers/hsts-header-missing-analyzer.js CHANGED Viewed

@@ -19,26 +19,21 @@ class HstsHeaderMissingAnalyzer extends MissingHeaderAnalyzer {
   }
   _isHeaderValid (headerValue) {
-    if (!headerValue) {
-      return false
-    }
     headerValue = headerValue.trim()
-    if (!headerValue.startsWith(HEADER_VALID_PREFIX)) {
+    if (!headerValue?.startsWith(HEADER_VALID_PREFIX)) {
       return false
     }
     const semicolonIndex = headerValue.indexOf(';')
-    let timestampString
-    if (semicolonIndex > -1) {
-      timestampString = headerValue.substring(HEADER_VALID_PREFIX.length + 1, semicolonIndex)
-    } else {
-      timestampString = headerValue.substring(HEADER_VALID_PREFIX.length + 1)
-    }
+    const timestampString = headerValue.slice(
+      HEADER_VALID_PREFIX.length + 1,
+      semicolonIndex === -1 ? headerValue.length : semicolonIndex
+    )
-    const timestamp = parseInt(timestampString)
+    const timestamp = Number.parseInt(timestampString)
     // eslint-disable-next-line eqeqeq
-    return timestamp == timestampString && timestamp > 0
+    return timestamp > 0 && timestamp == timestampString
   }
   _isHttpsProtocol (req) {

package/packages/dd-trace/src/appsec/iast/analyzers/missing-header-analyzer.js CHANGED Viewed

@@ -10,8 +10,8 @@ const SC_NOT_FOUND = 404
 const SC_GONE = 410
 const SC_INTERNAL_SERVER_ERROR = 500
-const IGNORED_RESPONSE_STATUS_LIST = [SC_MOVED_PERMANENTLY, SC_MOVED_TEMPORARILY, SC_NOT_MODIFIED,
-  SC_TEMPORARY_REDIRECT, SC_NOT_FOUND, SC_GONE, SC_INTERNAL_SERVER_ERROR]
+const IGNORED_RESPONSE_STATUS_LIST = new Set([SC_MOVED_PERMANENTLY, SC_MOVED_TEMPORARILY, SC_NOT_MODIFIED,
+  SC_TEMPORARY_REDIRECT, SC_NOT_FOUND, SC_GONE, SC_INTERNAL_SERVER_ERROR])
 const HTML_CONTENT_TYPES = ['text/html', 'application/xhtml+xml']
 class MissingHeaderAnalyzer extends Analyzer {
@@ -37,9 +37,7 @@ class MissingHeaderAnalyzer extends Analyzer {
     }
   }
-  _getLocation () {
-    return undefined
-  }
+  _getLocation () {}
   _checkOCE (context) {
     return true
@@ -61,7 +59,7 @@ class MissingHeaderAnalyzer extends Analyzer {
   }
   _isVulnerable ({ req, res }, context) {
-    if (!IGNORED_RESPONSE_STATUS_LIST.includes(res.statusCode) && this._isResponseHtml(res)) {
+    if (!IGNORED_RESPONSE_STATUS_LIST.has(res.statusCode) && this._isResponseHtml(res)) {
       return this._isVulnerableFromRequestAndResponse(req, res)
     }
     return false

package/packages/dd-trace/src/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.js CHANGED Viewed

@@ -24,6 +24,8 @@ class NosqlInjectionMongodbAnalyzer extends InjectionAnalyzer {
   onConfigure () {
     this.configureSanitizers()
+    // Anything that accesses the storage is context dependent
+    // eslint-disable-next-line unicorn/consistent-function-scoping
     const onStart = ({ filters }) => {
       const store = storage('legacy').getStore()
       if (store && !store.nosqlAnalyzed && filters?.length) {
@@ -42,6 +44,8 @@ class NosqlInjectionMongodbAnalyzer extends InjectionAnalyzer {
       }
     }
+    // Anything that accesses the storage is context dependent
+    // eslint-disable-next-line unicorn/consistent-function-scoping
     const onFinish = () => {
       const store = storage('legacy').getStore()
       if (store?.nosqlParentStore) {

package/packages/dd-trace/src/appsec/iast/analyzers/path-traversal-analyzer.js CHANGED Viewed

@@ -7,7 +7,7 @@ const { getIastContext } = require('../iast-context')
 const { storage } = require('../../../../../datadog-core')
 const { PATH_TRAVERSAL } = require('../vulnerabilities')
-const ignoredOperations = ['dir.close', 'close']
+const ignoredOperations = new Set(['dir.close', 'close'])
 class PathTraversalAnalyzer extends InjectionAnalyzer {
   constructor () {
@@ -20,10 +20,10 @@ class PathTraversalAnalyzer extends InjectionAnalyzer {
     this.internalExclusionList = [
       'node:fs',
       'node:internal/fs',
-      'node:internal\\fs',
+      String.raw`node:internal\fs`,
       'fs.js',
       'internal/fs',
-      'internal\\fs'
+      String.raw`internal\fs`
     ]
   }
@@ -36,7 +36,7 @@ class PathTraversalAnalyzer extends InjectionAnalyzer {
       // but if we spect a store in the context to be present we are going to exclude
       // all out_of_the_request fs.operations
       // AppsecFsPlugin must be enabled
-      if (ignoredOperations.includes(obj.operation) || outOfReqOrChild) return
+      if (ignoredOperations.has(obj.operation) || outOfReqOrChild) return
       const pathArguments = []
       if (obj.dest) {
@@ -71,16 +71,13 @@ class PathTraversalAnalyzer extends InjectionAnalyzer {
   }
   _isExcluded (location) {
-    let ret = true
-    if (location && location.path) {
+    if (location?.path) {
       // Exclude from reporting those vulnerabilities which location is from an internal fs call
-      if (location.isInternal) {
-        ret = this.internalExclusionList.some(elem => location.path.includes(elem))
-      } else {
-        ret = this.exclusionList.some(elem => location.path.includes(elem))
-      }
+      return location.isInternal
+        ? this.internalExclusionList.some(elem => location.path.includes(elem))
+        : this.exclusionList.some(elem => location.path.includes(elem))
     }
-    return ret
+    return true
   }
   analyze (value) {

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js CHANGED Viewed

@@ -41,7 +41,7 @@ class Analyzer extends SinkIastPlugin {
     if (!this._isExcluded(location)) {
       const originalLocation = this._getOriginalLocation(location)
-      const spanId = context && context.rootSpan && context.rootSpan.context().toSpanId()
+      const spanId = context?.rootSpan?.context().toSpanId()
       const stackId = getIastStackTraceId(context)
       const vulnerability = this._createVulnerability(
         this._type,
@@ -112,9 +112,10 @@ class Analyzer extends SinkIastPlugin {
     const iastContext = getIastContext(store)
     if (this._isInvalidContext(store, iastContext)) return
-    for (let i = 0; i < values.length; i++) {
-      const value = values[i]
+    for (const value of values) {
       if (this._isVulnerable(value, iastContext)) {
+        // TODO(BridgeAR): Here are multiple cases that receive a different
+        // number of arguments than passed through. Fix those cases.
         if (this._checkOCE(iastContext, value)) {
           this._report(value, iastContext)
         }
@@ -124,7 +125,7 @@ class Analyzer extends SinkIastPlugin {
   }
   _checkOCE (context) {
-    return overheadController.hasQuota(overheadController.OPERATIONS.REPORT_VULNERABILITY, context)
+    return overheadController.hasQuota(overheadController.OPERATIONS.REPORT_VULNERABILITY, context, this._type)
   }
   _createVulnerability (type, evidence, spanId, location, stackId) {

package/packages/dd-trace/src/appsec/iast/context/context-plugin.js CHANGED Viewed

@@ -11,7 +11,7 @@ const { TagKey } = require('../telemetry/iast-metric')
 class IastContextPlugin extends IastPlugin {
   startCtxOn (channelName, tag) {
-    super.addSub(channelName, (message) => this.startContext())
+    super.addSub(channelName, (message) => this.startContext(message?.currentStore))
     this._getAndRegisterSubscription({
       channelName,
@@ -44,11 +44,10 @@ class IastContextPlugin extends IastPlugin {
     }
   }
-  startContext () {
+  startContext (store = storage('legacy').getStore()) {
     let isRequestAcquired = false
     let iastContext
-    const store = storage('legacy').getStore()
     if (store) {
       const topContext = this.getTopContext()
       const rootSpan = this.getRootSpan(store)

package/packages/dd-trace/src/appsec/iast/iast-plugin.js CHANGED Viewed

@@ -130,9 +130,9 @@ class IastPlugin extends Plugin {
   }
   _getAndRegisterSubscription ({ moduleName, channelName, tag, tagKey }) {
-    if (!channelName && !moduleName) return
     if (!moduleName) {
+      if (!channelName) return
       let firstSep = channelName.indexOf(':')
       if (firstSep === -1) {
         moduleName = channelName
@@ -141,7 +141,7 @@ class IastPlugin extends Plugin {
           firstSep = channelName.indexOf(':', 'tracing:'.length + 1)
         }
         const lastSep = channelName.indexOf(':', firstSep + 1)
-        moduleName = channelName.substring(firstSep + 1, lastSep !== -1 ? lastSep : channelName.length)
+        moduleName = channelName.slice(firstSep + 1, lastSep === -1 ? channelName.length : lastSep)
       }
     }

package/packages/dd-trace/src/appsec/iast/index.js CHANGED Viewed

@@ -92,6 +92,7 @@ function onIncomingHttpRequestEnd (data) {
       const vulnerabilities = iastContext.vulnerabilities
       const rootSpan = iastContext.rootSpan
       vulnerabilityReporter.sendVulnerabilities(vulnerabilities, rootSpan)
+      overheadController.consolidateVulnerabilities(iastContext)
       removeTransaction(iastContext)
       iastTelemetry.onRequestEnd(iastContext, iastContext.rootSpan)
     }

package/packages/dd-trace/src/appsec/iast/overhead-controller.js CHANGED Viewed

@@ -1,5 +1,9 @@
 'use strict'
+const LRUCache = require('lru-cache')
+const web = require('../../plugins/util/web')
+const vulnerabilities = require('./vulnerabilities')
 const OVERHEAD_CONTROLLER_CONTEXT_KEY = 'oce'
 const REPORT_VULNERABILITY = 'REPORT_VULNERABILITY'
 const INTERVAL_RESET_GLOBAL_CONTEXT = 60 * 1000
@@ -9,13 +13,62 @@ const GLOBAL_OCE_CONTEXT = {}
 let resetGlobalContextInterval
 let config = {}
 let availableRequest = 0
+const globalRouteMap = new LRUCache({ max: 4096 })
+let vulnerabilitiesSize = 0
+const vulnerabilityIndexes = Object.values(vulnerabilities).reduce((obj, item, index) => {
+  obj[item] = index
+  vulnerabilitiesSize++
+  return obj
+}, {})
+function newCountersArray () {
+  return (new Array(vulnerabilitiesSize)).fill(0)
+}
+function copyFromGlobalMap (route) {
+  const vulnerabilityCounters = globalRouteMap.get(route)
+  return vulnerabilityCounters ? [...vulnerabilityCounters] : newCountersArray()
+}
+// for testing purposes
+function clearGlobalRouteMap () {
+  globalRouteMap.clear()
+}
 const OPERATIONS = {
   REPORT_VULNERABILITY: {
-    hasQuota: (context) => {
-      const reserved = context && context.tokens && context.tokens[REPORT_VULNERABILITY] > 0
+    hasQuota: (context, vulnerabilityType) => {
+      const reserved = context?.tokens?.[REPORT_VULNERABILITY] > 0
+      if (reserved && context.route != null) {
+        let copyMap = context.copyMap
+        let localMap = context.localMap
+        if (context.loadedRoute !== context.route) {
+          context.copyMaps ??= {}
+          context.copyMaps[context.route] ??= copyFromGlobalMap(context.route)
+          context.localMaps ??= {}
+          context.localMaps[context.route] ??= newCountersArray()
+          context.loadedRoute = context.route
+          copyMap = context.copyMaps[context.route]
+          localMap = context.localMaps[context.route]
+          context.copyMap = copyMap
+          context.localMap = localMap
+        }
+        const vulnerabilityIndex = vulnerabilityIndexes[vulnerabilityType]
+        const counter = localMap[vulnerabilityIndex]++
+        const storedCounter = copyMap[vulnerabilityIndex]
+        if (counter < storedCounter) {
+          return false
+        }
+      }
       if (reserved) {
         context.tokens[REPORT_VULNERABILITY]--
       }
       return reserved
     },
     name: REPORT_VULNERABILITY,
@@ -41,12 +94,52 @@ function _getNewContext () {
 }
 function _getContext (iastContext) {
-  if (iastContext && iastContext[OVERHEAD_CONTROLLER_CONTEXT_KEY]) {
+  if (iastContext?.[OVERHEAD_CONTROLLER_CONTEXT_KEY]) {
+    const oceContext = iastContext[OVERHEAD_CONTROLLER_CONTEXT_KEY]
+    if (!oceContext.webContext) {
+      oceContext.webContext = web.getContext(iastContext.req)
+      oceContext.method = iastContext.req?.method
+    }
+    const currentPaths = oceContext.webContext?.paths
+    if (currentPaths !== oceContext.paths || !oceContext.route) {
+      oceContext.paths = currentPaths
+      oceContext.route = '#' + oceContext.method + '#' + (currentPaths?.join('') || '')
+    }
     return iastContext[OVERHEAD_CONTROLLER_CONTEXT_KEY]
   }
   return GLOBAL_OCE_CONTEXT
 }
+function consolidateVulnerabilities (iastContext) {
+  const context = _getContext(iastContext)
+  if (!context.localMaps) return
+  const reserved = context.tokens?.[REPORT_VULNERABILITY] > 0
+  if (reserved) { // still a bit of budget available
+    Object.keys(context.localMaps).forEach(route => {
+      globalRouteMap.set(route, newCountersArray())
+    })
+  } else {
+    Object.keys(context.localMaps).forEach(route => {
+      const localMap = context.localMaps[route]
+      const globalMap = globalRouteMap.get(route)
+      if (!globalMap) {
+        globalRouteMap.set(route, localMap)
+        return
+      }
+      for (let i = 0; i < vulnerabilitiesSize; i++) {
+        if (localMap[i] > globalMap[i]) {
+          globalMap[i] = localMap[i]
+        }
+      }
+    })
+  }
+}
 function _resetGlobalContext () {
   Object.assign(GLOBAL_OCE_CONTEXT, _getNewContext())
 }
@@ -70,9 +163,9 @@ function releaseRequest () {
   }
 }
-function hasQuota (operation, iastContext) {
+function hasQuota (operation, iastContext, vulnerabilityType) {
   const oceContext = _getContext(iastContext)
-  return operation.hasQuota(oceContext)
+  return operation.hasQuota(oceContext, vulnerabilityType)
 }
 function initializeRequestContext (iastContext) {
@@ -90,7 +183,7 @@ function startGlobalContext () {
   resetGlobalContextInterval = setInterval(() => {
     _resetGlobalContext()
   }, INTERVAL_RESET_GLOBAL_CONTEXT)
-  resetGlobalContextInterval.unref && resetGlobalContextInterval.unref()
+  resetGlobalContextInterval.unref?.()
 }
 function finishGlobalContext () {
@@ -110,5 +203,7 @@ module.exports = {
   hasQuota,
   acquireRequest,
   releaseRequest,
-  configure
+  configure,
+  consolidateVulnerabilities,
+  clearGlobalRouteMap
 }

package/packages/dd-trace/src/appsec/iast/path-line.js CHANGED Viewed

@@ -2,13 +2,12 @@
 const path = require('path')
 const process = require('process')
-const { calculateDDBasePath } = require('../../util')
+const { ddBasePath } = require('../../util')
 const pathLine = {
   getNodeModulesPaths,
   getRelativePath,
   getNonDDCallSiteFrames,
-  calculateDDBasePath, // Exported only for test purposes
-  ddBasePath: calculateDDBasePath(__dirname) // Only for test purposes
+  ddBasePath // Exported only for test purposes
 }
 const EXCLUDED_PATHS = [
@@ -32,7 +31,7 @@ function getNonDDCallSiteFrames (callSiteFrames, externallyExcludedPaths) {
   for (const callsite of callSiteFrames) {
     const filepath = callsite.file
-    if (!isExcluded(callsite, externallyExcludedPaths) && filepath.indexOf(pathLine.ddBasePath) === -1) {
+    if (!isExcluded(callsite, externallyExcludedPaths) && !filepath.includes(pathLine.ddBasePath)) {
       callsite.path = getRelativePath(filepath)
       callsite.isInternal = !path.isAbsolute(filepath)
@@ -58,14 +57,14 @@ function isExcluded (callsite, externallyExcludedPaths) {
     excludedPaths = [...excludedPaths, ...externallyExcludedPaths]
   }
-  for (let i = 0; i < excludedPaths.length; i++) {
-    if (filename.indexOf(excludedPaths[i]) > -1) {
+  for (const excludedPath of excludedPaths) {
+    if (filename.includes(excludedPath)) {
       return true
     }
   }
-  for (let i = 0; i < EXCLUDED_PATH_PREFIXES.length; i++) {
-    if (filename.indexOf(EXCLUDED_PATH_PREFIXES[i]) === 0) {
+  for (const EXCLUDED_PATH_PREFIX of EXCLUDED_PATH_PREFIXES) {
+    if (filename.indexOf(EXCLUDED_PATH_PREFIX) === 0) {
       return true
     }
   }

package/packages/dd-trace/src/appsec/iast/security-controls/index.js CHANGED Viewed

@@ -52,7 +52,7 @@ function onModuleLoaded (payload) {
 function getControls (filename) {
   if (filename.startsWith('file://')) {
-    filename = filename.substring(7)
+    filename = filename.slice(7)
   }
   let key = path.isAbsolute(filename) ? path.relative(process.cwd(), filename) : filename
@@ -74,12 +74,9 @@ function hookModule (filename, module, controlsByFile) {
         return
       }
-      let wrapper
-      if (type === SANITIZER_TYPE) {
-        wrapper = wrapSanitizer(target, secureMarks)
-      } else {
-        wrapper = wrapInputValidator(target, parameters, secureMarks)
-      }
+      const wrapper = type === SANITIZER_TYPE
+        ? wrapSanitizer(target, secureMarks)
+        : wrapInputValidator(target, parameters, secureMarks)
       if (methodName) {
         parent[methodName] = wrapper
@@ -97,11 +94,7 @@ function hookModule (filename, module, controlsByFile) {
 function resolve (path, obj, separator = '.') {
   if (!path) {
     // esm module with default export
-    if (obj?.default) {
-      return { target: obj.default, parent: obj, methodName: 'default' }
-    } else {
-      return { target: obj, parent: obj }
-    }
+    return obj?.default ? { target: obj.default, parent: obj, methodName: 'default' } : { target: obj, parent: obj }
   }
   const properties = path.split(separator)
@@ -164,7 +157,7 @@ function addSecureMarks (value, secureMarks, createNewTainted = true) {
         if (createNewTainted) {
           parent[lastKey] = securedTainted
         }
-      } catch (e) {
+      } catch {
         // if it is a readonly property, do nothing
       }
     })

package/packages/dd-trace/src/appsec/iast/security-controls/parser.js CHANGED Viewed

@@ -10,7 +10,7 @@ const SECURITY_CONTROL_ELEMENT_DELIMITER = ','
 const INPUT_VALIDATOR_TYPE = 'INPUT_VALIDATOR'
 const SANITIZER_TYPE = 'SANITIZER'
-const validTypes = [INPUT_VALIDATOR_TYPE, SANITIZER_TYPE]
+const validTypes = new Set([INPUT_VALIDATOR_TYPE, SANITIZER_TYPE])
 function parse (securityControlsConfiguration) {
   const controls = new Map()
@@ -42,7 +42,7 @@ function parseControl (control) {
   let [type, marks, file, method, parameters] = fields
   type = type.trim().toUpperCase()
-  if (!validTypes.includes(type)) {
+  if (!validTypes.has(type)) {
     log.warn('[ASM] Invalid security control type: %s', type)
     return
   }
@@ -60,7 +60,7 @@ function parseControl (control) {
   try {
     parameters = getParameters(parameters)
-  } catch (e) {
+  } catch {
     log.warn('[ASM] Invalid non-numeric security control parameter %s', parameters)
     return
   }
@@ -77,11 +77,11 @@ function getSecureMarks (marks) {
 function getParameters (parameters) {
   return parameters?.split(SECURITY_CONTROL_ELEMENT_DELIMITER)
     .map(param => {
-      const parsedParam = parseInt(param, 10)
+      const parsedParam = Number.parseInt(param, 10)
       // discard the securityControl if there is an incorrect parameter
-      if (isNaN(parsedParam)) {
-        throw new Error('Invalid non-numeric security control parameter')
+      if (Number.isNaN(parsedParam)) {
+        throw new TypeError('Invalid non-numeric security control parameter')
       }
       return parsedParam

package/packages/dd-trace/src/appsec/iast/taint-tracking/filter.js CHANGED Viewed

@@ -3,11 +3,11 @@
 const NODE_MODULES = 'node_modules'
 const isPrivateModule = function (file) {
-  return file && file.indexOf(NODE_MODULES) === -1
+  return file && !file.includes(NODE_MODULES)
 }
 const isDdTrace = function (file) {
-  return file && (file.indexOf('dd-trace-js') !== -1 || file.indexOf('dd-trace') !== -1)
+  return Boolean(file?.includes('dd-trace'))
 }
 module.exports = {

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations-taint-object.js CHANGED Viewed

@@ -20,10 +20,10 @@ function taintObject (iastContext, object, type) {
       try {
         if (typeof value === 'string') {
           const tainted = TaintedUtils.newTaintedString(transactionId, value, property, type)
-          if (!parent) {
-            result = tainted
-          } else {
+          if (parent) {
             parent[key] = tainted
+          } else {
+            result = tainted
           }
         } else if (typeof value === 'object' && !visited.has(value)) {
           visited.add(value)