dd-trace 5.53.0 → 5.55.0

package/packages/dd-trace/src/appsec/iast/analyzers/missing-header-analyzer.js

@@ -10,8 +10,8 @@ const SC_NOT_FOUND = 404
 const SC_GONE = 410
 const SC_INTERNAL_SERVER_ERROR = 500
 
-const IGNORED_RESPONSE_STATUS_LIST = [SC_MOVED_PERMANENTLY, SC_MOVED_TEMPORARILY, SC_NOT_MODIFIED,
-  SC_TEMPORARY_REDIRECT, SC_NOT_FOUND, SC_GONE, SC_INTERNAL_SERVER_ERROR]
+const IGNORED_RESPONSE_STATUS_LIST = new Set([SC_MOVED_PERMANENTLY, SC_MOVED_TEMPORARILY, SC_NOT_MODIFIED,
+  SC_TEMPORARY_REDIRECT, SC_NOT_FOUND, SC_GONE, SC_INTERNAL_SERVER_ERROR])
 const HTML_CONTENT_TYPES = ['text/html', 'application/xhtml+xml']
 
 class MissingHeaderAnalyzer extends Analyzer {
@@ -32,14 +32,11 @@ class MissingHeaderAnalyzer extends Analyzer {
     const headerValue = res.getHeader(headerName)
     if (Array.isArray(headerValue)) {
       return headerValue
-    } else {
-      return headerValue ? [headerValue.toString()] : []
     }
+    return headerValue ? [headerValue.toString()] : []
   }
 
-  _getLocation () {
-    return undefined
-  }
+  _getLocation () {}
 
   _checkOCE (context) {
     return true
@@ -61,7 +58,7 @@ class MissingHeaderAnalyzer extends Analyzer {
   }
 
   _isVulnerable ({ req, res }, context) {
-    if (!IGNORED_RESPONSE_STATUS_LIST.includes(res.statusCode) && this._isResponseHtml(res)) {
+    if (!IGNORED_RESPONSE_STATUS_LIST.has(res.statusCode) && this._isResponseHtml(res)) {
       return this._isVulnerableFromRequestAndResponse(req, res)
     }
     return false

package/packages/dd-trace/src/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.js

@@ -24,6 +24,8 @@ class NosqlInjectionMongodbAnalyzer extends InjectionAnalyzer {
   onConfigure () {
     this.configureSanitizers()
 
+    // Anything that accesses the storage is context dependent
+    // eslint-disable-next-line unicorn/consistent-function-scoping
     const onStart = ({ filters }) => {
       const store = storage('legacy').getStore()
       if (store && !store.nosqlAnalyzed && filters?.length) {
@@ -42,6 +44,8 @@ class NosqlInjectionMongodbAnalyzer extends InjectionAnalyzer {
       }
     }
 
+    // Anything that accesses the storage is context dependent
+    // eslint-disable-next-line unicorn/consistent-function-scoping
     const onFinish = () => {
       const store = storage('legacy').getStore()
       if (store?.nosqlParentStore) {

package/packages/dd-trace/src/appsec/iast/analyzers/path-traversal-analyzer.js

@@ -7,7 +7,7 @@ const { getIastContext } = require('../iast-context')
 const { storage } = require('../../../../../datadog-core')
 const { PATH_TRAVERSAL } = require('../vulnerabilities')
 
-const ignoredOperations = ['dir.close', 'close']
+const ignoredOperations = new Set(['dir.close', 'close'])
 
 class PathTraversalAnalyzer extends InjectionAnalyzer {
   constructor () {
@@ -20,10 +20,10 @@ class PathTraversalAnalyzer extends InjectionAnalyzer {
     this.internalExclusionList = [
       'node:fs',
       'node:internal/fs',
-      'node:internal\\fs',
+      String.raw`node:internal\fs`,
       'fs.js',
       'internal/fs',
-      'internal\\fs'
+      String.raw`internal\fs`
     ]
   }
 
@@ -36,7 +36,7 @@ class PathTraversalAnalyzer extends InjectionAnalyzer {
       // but if we spect a store in the context to be present we are going to exclude
       // all out_of_the_request fs.operations
       // AppsecFsPlugin must be enabled
-      if (ignoredOperations.includes(obj.operation) || outOfReqOrChild) return
+      if (ignoredOperations.has(obj.operation) || outOfReqOrChild) return
 
       const pathArguments = []
       if (obj.dest) {
@@ -71,16 +71,13 @@ class PathTraversalAnalyzer extends InjectionAnalyzer {
   }
 
   _isExcluded (location) {
-    let ret = true
-    if (location && location.path) {
+    if (location?.path) {
       // Exclude from reporting those vulnerabilities which location is from an internal fs call
-      if (location.isInternal) {
-        ret = this.internalExclusionList.some(elem => location.path.includes(elem))
-      } else {
-        ret = this.exclusionList.some(elem => location.path.includes(elem))
-      }
+      return location.isInternal
+        ? this.internalExclusionList.some(elem => location.path.includes(elem))
+        : this.exclusionList.some(elem => location.path.includes(elem))
     }
-    return ret
+    return true
   }
 
   analyze (value) {

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -41,7 +41,7 @@ class Analyzer extends SinkIastPlugin {
 
     if (!this._isExcluded(location)) {
       const originalLocation = this._getOriginalLocation(location)
-      const spanId = context && context.rootSpan && context.rootSpan.context().toSpanId()
+      const spanId = context?.rootSpan?.context().toSpanId()
       const stackId = getIastStackTraceId(context)
       const vulnerability = this._createVulnerability(
         this._type,
@@ -112,9 +112,10 @@ class Analyzer extends SinkIastPlugin {
     const iastContext = getIastContext(store)
     if (this._isInvalidContext(store, iastContext)) return
 
-    for (let i = 0; i < values.length; i++) {
-      const value = values[i]
+    for (const value of values) {
       if (this._isVulnerable(value, iastContext)) {
+        // TODO(BridgeAR): Here are multiple cases that receive a different
+        // number of arguments than passed through. Fix those cases.
         if (this._checkOCE(iastContext, value)) {
           this._report(value, iastContext)
         }
@@ -124,7 +125,7 @@ class Analyzer extends SinkIastPlugin {
   }
 
   _checkOCE (context) {
-    return overheadController.hasQuota(overheadController.OPERATIONS.REPORT_VULNERABILITY, context)
+    return overheadController.hasQuota(overheadController.OPERATIONS.REPORT_VULNERABILITY, context, this._type)
   }
 
   _createVulnerability (type, evidence, spanId, location, stackId) {

package/packages/dd-trace/src/appsec/iast/context/context-plugin.js

@@ -11,7 +11,7 @@ const { TagKey } = require('../telemetry/iast-metric')
 
 class IastContextPlugin extends IastPlugin {
   startCtxOn (channelName, tag) {
-    super.addSub(channelName, (message) => this.startContext())
+    super.addSub(channelName, (message) => this.startContext(message?.currentStore))
 
     this._getAndRegisterSubscription({
       channelName,
@@ -44,11 +44,10 @@ class IastContextPlugin extends IastPlugin {
     }
   }
 
-  startContext () {
+  startContext (store = storage('legacy').getStore()) {
     let isRequestAcquired = false
     let iastContext
 
-    const store = storage('legacy').getStore()
     if (store) {
       const topContext = this.getTopContext()
       const rootSpan = this.getRootSpan(store)

package/packages/dd-trace/src/appsec/iast/iast-plugin.js

@@ -130,9 +130,9 @@ class IastPlugin extends Plugin {
   }
 
   _getAndRegisterSubscription ({ moduleName, channelName, tag, tagKey }) {
-    if (!channelName && !moduleName) return
-
     if (!moduleName) {
+      if (!channelName) return
+
       let firstSep = channelName.indexOf(':')
       if (firstSep === -1) {
         moduleName = channelName
@@ -141,7 +141,7 @@ class IastPlugin extends Plugin {
           firstSep = channelName.indexOf(':', 'tracing:'.length + 1)
         }
         const lastSep = channelName.indexOf(':', firstSep + 1)
-        moduleName = channelName.substring(firstSep + 1, lastSep !== -1 ? lastSep : channelName.length)
+        moduleName = channelName.slice(firstSep + 1, lastSep === -1 ? channelName.length : lastSep)
       }
     }
 

package/packages/dd-trace/src/appsec/iast/index.js

@@ -92,6 +92,7 @@ function onIncomingHttpRequestEnd (data) {
       const vulnerabilities = iastContext.vulnerabilities
       const rootSpan = iastContext.rootSpan
       vulnerabilityReporter.sendVulnerabilities(vulnerabilities, rootSpan)
+      overheadController.consolidateVulnerabilities(iastContext)
       removeTransaction(iastContext)
       iastTelemetry.onRequestEnd(iastContext, iastContext.rootSpan)
     }

package/packages/dd-trace/src/appsec/iast/overhead-controller.js

@@ -1,5 +1,9 @@
 'use strict'
 
+const LRUCache = require('lru-cache')
+const web = require('../../plugins/util/web')
+const vulnerabilities = require('./vulnerabilities')
+
 const OVERHEAD_CONTROLLER_CONTEXT_KEY = 'oce'
 const REPORT_VULNERABILITY = 'REPORT_VULNERABILITY'
 const INTERVAL_RESET_GLOBAL_CONTEXT = 60 * 1000
@@ -9,13 +13,62 @@ const GLOBAL_OCE_CONTEXT = {}
 let resetGlobalContextInterval
 let config = {}
 let availableRequest = 0
+
+const globalRouteMap = new LRUCache({ max: 4096 })
+let vulnerabilitiesSize = 0
+const vulnerabilityIndexes = Object.values(vulnerabilities).reduce((obj, item, index) => {
+  obj[item] = index
+  vulnerabilitiesSize++
+  return obj
+}, {})
+
+function newCountersArray () {
+  return (new Array(vulnerabilitiesSize)).fill(0)
+}
+
+function copyFromGlobalMap (route) {
+  const vulnerabilityCounters = globalRouteMap.get(route)
+  return vulnerabilityCounters ? [...vulnerabilityCounters] : newCountersArray()
+}
+
+// for testing purposes
+function clearGlobalRouteMap () {
+  globalRouteMap.clear()
+}
+
 const OPERATIONS = {
   REPORT_VULNERABILITY: {
-    hasQuota: (context) => {
-      const reserved = context && context.tokens && context.tokens[REPORT_VULNERABILITY] > 0
+    hasQuota: (context, vulnerabilityType) => {
+      const reserved = context?.tokens?.[REPORT_VULNERABILITY] > 0
+      if (reserved && context.route != null) {
+        let copyMap = context.copyMap
+        let localMap = context.localMap
+
+        if (context.loadedRoute !== context.route) {
+          context.copyMaps ??= {}
+          context.copyMaps[context.route] ??= copyFromGlobalMap(context.route)
+          context.localMaps ??= {}
+          context.localMaps[context.route] ??= newCountersArray()
+          context.loadedRoute = context.route
+          copyMap = context.copyMaps[context.route]
+          localMap = context.localMaps[context.route]
+          context.copyMap = copyMap
+          context.localMap = localMap
+        }
+
+        const vulnerabilityIndex = vulnerabilityIndexes[vulnerabilityType]
+        const counter = localMap[vulnerabilityIndex]++
+        const storedCounter = copyMap[vulnerabilityIndex]
+
+        if (counter < storedCounter) {
+          return false
+        }
+      }
+
       if (reserved) {
         context.tokens[REPORT_VULNERABILITY]--
       }
+
       return reserved
     },
     name: REPORT_VULNERABILITY,
@@ -41,12 +94,52 @@ function _getNewContext () {
 }
 
 function _getContext (iastContext) {
-  if (iastContext && iastContext[OVERHEAD_CONTROLLER_CONTEXT_KEY]) {
+  if (iastContext?.[OVERHEAD_CONTROLLER_CONTEXT_KEY]) {
+    const oceContext = iastContext[OVERHEAD_CONTROLLER_CONTEXT_KEY]
+    if (!oceContext.webContext) {
+      oceContext.webContext = web.getContext(iastContext.req)
+      oceContext.method = iastContext.req?.method
+    }
+
+    const currentPaths = oceContext.webContext?.paths
+    if (currentPaths !== oceContext.paths || !oceContext.route) {
+      oceContext.paths = currentPaths
+      oceContext.route = '#' + oceContext.method + '#' + (currentPaths?.join('') || '')
+    }
+
     return iastContext[OVERHEAD_CONTROLLER_CONTEXT_KEY]
   }
   return GLOBAL_OCE_CONTEXT
 }
 
+function consolidateVulnerabilities (iastContext) {
+  const context = _getContext(iastContext)
+  if (!context.localMaps) return
+
+  const reserved = context.tokens?.[REPORT_VULNERABILITY] > 0
+
+  if (reserved) { // still a bit of budget available
+    Object.keys(context.localMaps).forEach(route => {
+      globalRouteMap.set(route, newCountersArray())
+    })
+  } else {
+    Object.keys(context.localMaps).forEach(route => {
+      const localMap = context.localMaps[route]
+      const globalMap = globalRouteMap.get(route)
+      if (!globalMap) {
+        globalRouteMap.set(route, localMap)
+        return
+      }
+
+      for (let i = 0; i < vulnerabilitiesSize; i++) {
+        if (localMap[i] > globalMap[i]) {
+          globalMap[i] = localMap[i]
+        }
+      }
+    })
+  }
+}
+
 function _resetGlobalContext () {
   Object.assign(GLOBAL_OCE_CONTEXT, _getNewContext())
 }
@@ -70,9 +163,9 @@ function releaseRequest () {
   }
 }
 
-function hasQuota (operation, iastContext) {
+function hasQuota (operation, iastContext, vulnerabilityType) {
   const oceContext = _getContext(iastContext)
-  return operation.hasQuota(oceContext)
+  return operation.hasQuota(oceContext, vulnerabilityType)
 }
 
 function initializeRequestContext (iastContext) {
@@ -90,7 +183,7 @@ function startGlobalContext () {
   resetGlobalContextInterval = setInterval(() => {
     _resetGlobalContext()
   }, INTERVAL_RESET_GLOBAL_CONTEXT)
-  resetGlobalContextInterval.unref && resetGlobalContextInterval.unref()
+  resetGlobalContextInterval.unref?.()
 }
 
 function finishGlobalContext () {
@@ -110,5 +203,7 @@ module.exports = {
   hasQuota,
   acquireRequest,
   releaseRequest,
-  configure
+  configure,
+  consolidateVulnerabilities,
+  clearGlobalRouteMap
 }

package/packages/dd-trace/src/appsec/iast/path-line.js

@@ -2,13 +2,12 @@
 
 const path = require('path')
 const process = require('process')
-const { calculateDDBasePath } = require('../../util')
+const { ddBasePath } = require('../../util')
 const pathLine = {
   getNodeModulesPaths,
   getRelativePath,
   getNonDDCallSiteFrames,
-  calculateDDBasePath, // Exported only for test purposes
-  ddBasePath: calculateDDBasePath(__dirname) // Only for test purposes
+  ddBasePath // Exported only for test purposes
 }
 
 const EXCLUDED_PATHS = [
@@ -32,7 +31,7 @@ function getNonDDCallSiteFrames (callSiteFrames, externallyExcludedPaths) {
 
   for (const callsite of callSiteFrames) {
     const filepath = callsite.file
-    if (!isExcluded(callsite, externallyExcludedPaths) && filepath.indexOf(pathLine.ddBasePath) === -1) {
+    if (!isExcluded(callsite, externallyExcludedPaths) && !filepath.includes(pathLine.ddBasePath)) {
       callsite.path = getRelativePath(filepath)
       callsite.isInternal = !path.isAbsolute(filepath)
 
@@ -58,14 +57,14 @@ function isExcluded (callsite, externallyExcludedPaths) {
     excludedPaths = [...excludedPaths, ...externallyExcludedPaths]
   }
 
-  for (let i = 0; i < excludedPaths.length; i++) {
-    if (filename.indexOf(excludedPaths[i]) > -1) {
+  for (const excludedPath of excludedPaths) {
+    if (filename.includes(excludedPath)) {
       return true
     }
   }
 
-  for (let i = 0; i < EXCLUDED_PATH_PREFIXES.length; i++) {
-    if (filename.indexOf(EXCLUDED_PATH_PREFIXES[i]) === 0) {
+  for (const EXCLUDED_PATH_PREFIX of EXCLUDED_PATH_PREFIXES) {
+    if (filename.indexOf(EXCLUDED_PATH_PREFIX) === 0) {
       return true
     }
   }

package/packages/dd-trace/src/appsec/iast/security-controls/index.js

@@ -52,7 +52,7 @@ function onModuleLoaded (payload) {
 
 function getControls (filename) {
   if (filename.startsWith('file://')) {
-    filename = filename.substring(7)
+    filename = filename.slice(7)
   }
 
   let key = path.isAbsolute(filename) ? path.relative(process.cwd(), filename) : filename
@@ -74,12 +74,9 @@ function hookModule (filename, module, controlsByFile) {
         return
       }
 
-      let wrapper
-      if (type === SANITIZER_TYPE) {
-        wrapper = wrapSanitizer(target, secureMarks)
-      } else {
-        wrapper = wrapInputValidator(target, parameters, secureMarks)
-      }
+      const wrapper = type === SANITIZER_TYPE
+        ? wrapSanitizer(target, secureMarks)
+        : wrapInputValidator(target, parameters, secureMarks)
 
       if (methodName) {
         parent[methodName] = wrapper
@@ -97,11 +94,7 @@ function hookModule (filename, module, controlsByFile) {
 function resolve (path, obj, separator = '.') {
   if (!path) {
     // esm module with default export
-    if (obj?.default) {
-      return { target: obj.default, parent: obj, methodName: 'default' }
-    } else {
-      return { target: obj, parent: obj }
-    }
+    return obj?.default ? { target: obj.default, parent: obj, methodName: 'default' } : { target: obj, parent: obj }
   }
 
   const properties = path.split(separator)
@@ -157,19 +150,18 @@ function addSecureMarks (value, secureMarks, createNewTainted = true) {
 
   if (typeof value === 'string') {
     return TaintTrackingOperations.addSecureMark(iastContext, value, secureMarks, createNewTainted)
-  } else {
-    iterateObjectStrings(value, (value, levelKeys, parent, lastKey) => {
-      try {
-        const securedTainted = TaintTrackingOperations.addSecureMark(iastContext, value, secureMarks, createNewTainted)
-        if (createNewTainted) {
-          parent[lastKey] = securedTainted
-        }
-      } catch (e) {
-        // if it is a readonly property, do nothing
-      }
-    })
-    return value
   }
+  iterateObjectStrings(value, (value, levelKeys, parent, lastKey) => {
+    try {
+      const securedTainted = TaintTrackingOperations.addSecureMark(iastContext, value, secureMarks, createNewTainted)
+      if (createNewTainted) {
+        parent[lastKey] = securedTainted
+      }
+    } catch {
+      // if it is a readonly property, do nothing
+    }
+  })
+  return value
 }
 
 function disable () {

package/packages/dd-trace/src/appsec/iast/security-controls/parser.js

@@ -10,7 +10,7 @@ const SECURITY_CONTROL_ELEMENT_DELIMITER = ','
 const INPUT_VALIDATOR_TYPE = 'INPUT_VALIDATOR'
 const SANITIZER_TYPE = 'SANITIZER'
 
-const validTypes = [INPUT_VALIDATOR_TYPE, SANITIZER_TYPE]
+const validTypes = new Set([INPUT_VALIDATOR_TYPE, SANITIZER_TYPE])
 
 function parse (securityControlsConfiguration) {
   const controls = new Map()
@@ -42,7 +42,7 @@ function parseControl (control) {
   let [type, marks, file, method, parameters] = fields
 
   type = type.trim().toUpperCase()
-  if (!validTypes.includes(type)) {
+  if (!validTypes.has(type)) {
     log.warn('[ASM] Invalid security control type: %s', type)
     return
   }
@@ -60,7 +60,7 @@ function parseControl (control) {
 
   try {
     parameters = getParameters(parameters)
-  } catch (e) {
+  } catch {
     log.warn('[ASM] Invalid non-numeric security control parameter %s', parameters)
     return
   }
@@ -77,11 +77,11 @@ function getSecureMarks (marks) {
 function getParameters (parameters) {
   return parameters?.split(SECURITY_CONTROL_ELEMENT_DELIMITER)
     .map(param => {
-      const parsedParam = parseInt(param, 10)
+      const parsedParam = Number.parseInt(param, 10)
 
       // discard the securityControl if there is an incorrect parameter
-      if (isNaN(parsedParam)) {
-        throw new Error('Invalid non-numeric security control parameter')
+      if (Number.isNaN(parsedParam)) {
+        throw new TypeError('Invalid non-numeric security control parameter')
       }
 
       return parsedParam

package/packages/dd-trace/src/appsec/iast/taint-tracking/filter.js

@@ -3,11 +3,11 @@
 const NODE_MODULES = 'node_modules'
 
 const isPrivateModule = function (file) {
-  return file && file.indexOf(NODE_MODULES) === -1
+  return file && !file.includes(NODE_MODULES)
 }
 
 const isDdTrace = function (file) {
-  return file && (file.indexOf('dd-trace-js') !== -1 || file.indexOf('dd-trace') !== -1)
+  return Boolean(file?.includes('dd-trace'))
 }
 
 module.exports = {

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations-taint-object.js

@@ -20,10 +20,10 @@ function taintObject (iastContext, object, type) {
       try {
         if (typeof value === 'string') {
           const tainted = TaintedUtils.newTaintedString(transactionId, value, property, type)
-          if (!parent) {
-            result = tainted
-          } else {
+          if (parent) {
             parent[key] = tainted
+          } else {
+            result = tainted
           }
         } else if (typeof value === 'object' && !visited.has(value)) {
           visited.add(value)

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations.js

@@ -41,47 +41,23 @@ function removeTransaction (iastContext) {
 }
 
 function newTaintedString (iastContext, string, name, type) {
-  let result
   const transactionId = iastContext?.[IAST_TRANSACTION_ID]
-  if (transactionId) {
-    result = TaintedUtils.newTaintedString(transactionId, string, name, type)
-  } else {
-    result = string
-  }
-  return result
+  return transactionId ? TaintedUtils.newTaintedString(transactionId, string, name, type) : string
 }
 
 function newTaintedObject (iastContext, obj, name, type) {
-  let result
   const transactionId = iastContext?.[IAST_TRANSACTION_ID]
-  if (transactionId) {
-    result = TaintedUtils.newTaintedObject(transactionId, obj, name, type)
-  } else {
-    result = obj
-  }
-  return result
+  return transactionId ? TaintedUtils.newTaintedObject(transactionId, obj, name, type) : obj
 }
 
 function isTainted (iastContext, string) {
-  let result
   const transactionId = iastContext?.[IAST_TRANSACTION_ID]
-  if (transactionId) {
-    result = TaintedUtils.isTainted(transactionId, string)
-  } else {
-    result = false
-  }
-  return result
+  return transactionId ? TaintedUtils.isTainted(transactionId, string) : false
 }
 
 function getRanges (iastContext, string) {
-  let result
   const transactionId = iastContext?.[IAST_TRANSACTION_ID]
-  if (transactionId) {
-    result = TaintedUtils.getRanges(transactionId, string)
-  } else {
-    result = []
-  }
-  return result
+  return transactionId ? TaintedUtils.getRanges(transactionId, string) : []
 }
 
 function addSecureMark (iastContext, string, mark, createNewTainted = true) {

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js

@@ -129,13 +129,7 @@ class TaintTrackingPlugin extends SourceIastPlugin {
       { channelName: 'datadog:url:parse:finish' },
       ({ input, base, parsed, isURL }) => {
         const iastContext = getIastContext(storage('legacy').getStore())
-        let ranges
-
-        if (base) {
-          ranges = getRanges(iastContext, base)
-        } else {
-          ranges = getRanges(iastContext, input)
-        }
+        const ranges = getRanges(iastContext, base || input)
 
         if (ranges?.length) {
           if (isURL) {
@@ -213,7 +207,7 @@ class TaintTrackingPlugin extends SourceIastPlugin {
 
     if (Array.isArray(result)) {
       for (let i = 0; i < result.length && i < this._rowsToTaint; i++) {
-        const nextName = name ? `${name}.${i}` : '' + i
+        const nextName = name ? `${name}.${i}` : String(i)
         result[i] = this._taintDatabaseResult(result[i], dbOrigin, iastContext, nextName)
       }
     } else if (result && typeof result === 'object') {

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugins/kafka.js

@@ -1,7 +1,6 @@
 'use strict'
 
 const shimmer = require('../../../../../../datadog-shimmer')
-const { storage } = require('../../../../../../datadog-core')
 const { getIastContext } = require('../../iast-context')
 const { KAFKA_MESSAGE_KEY, KAFKA_MESSAGE_VALUE } = require('../source-types')
 const { newTaintedObject, newTaintedString } = require('../operations')
@@ -10,7 +9,7 @@ const { SourceIastPlugin } = require('../../iast-plugin')
 class KafkaConsumerIastPlugin extends SourceIastPlugin {
   onConfigure () {
     this.addSub({ channelName: 'dd-trace:kafkajs:consumer:afterStart', tag: [KAFKA_MESSAGE_KEY, KAFKA_MESSAGE_VALUE] },
-      ({ message }) => this.taintKafkaMessage(message)
+      ({ message, currentStore }) => this.taintKafkaMessage(message, currentStore)
     )
   }
 
@@ -21,8 +20,8 @@ class KafkaConsumerIastPlugin extends SourceIastPlugin {
     }
   }
 
-  taintKafkaMessage (message) {
-    const iastContext = getIastContext(storage('legacy').getStore())
+  taintKafkaMessage (message, currentStore) {
+    const iastContext = getIastContext(currentStore)
 
     if (iastContext && message) {
       const { key, value } = message

package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter-esm.mjs

@@ -12,7 +12,7 @@ const ddTraceDir = path.join(currentUrl.pathname, '..', '..', '..', '..', '..',
 let port, rewriter, iastEnabled
 
 export async function initialize (data) {
-  if (rewriter) return Promise.reject(new Error('ALREADY INITIALIZED'))
+  if (rewriter) throw new Error('ALREADY INITIALIZED')
 
   const { csiMethods, telemetryVerbosity, chainSourceMap, orchestrionConfig } = data
   port = data.port