feat(iast): Improve callsite processing on IAST vuln location computing (#7509)

CarlesDD · web-flow · commit 39131371120a · 2026-02-27T07:59:17.000+01:00
* Improve callsite processing on IAST vuln location computing

* Simplify excluding conditional

* Specify array types in getCallSiteFramesForLocation JSDoc
diff --git a/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js b/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js
@@ -1,7 +1,7 @@
 'use strict'
 
 const { storage } = require('../../../../../datadog-core')
-const { getNonDDCallSiteFrames } = require('../path-line')
+const { getCallSiteFramesForLocation } = require('../path-line')
 const { getIastContext, getIastStackTraceId } = require('../iast-context')
 const overheadController = require('../overhead-controller')
 const { SinkIastPlugin } = require('../iast-plugin')
@@ -35,9 +35,8 @@ class Analyzer extends SinkIastPlugin {
 
   _reportEvidence (value, context, evidence) {
     const callSiteFrames = getVulnerabilityCallSiteFrames()
-    const nonDDCallSiteFrames = getNonDDCallSiteFrames(callSiteFrames, this._getExcludedPaths())
-
-    const location = this._getLocation(value, nonDDCallSiteFrames)
+    const frames = getCallSiteFramesForLocation(callSiteFrames, this._getExcludedPaths())
+    const location = this._getLocation(value, frames)
 
     if (!this._isExcluded(location)) {
       const originalLocation = this._getOriginalLocation(location)
@@ -51,7 +50,7 @@ class Analyzer extends SinkIastPlugin {
         stackId
       )
 
-      addVulnerability(context, vulnerability, nonDDCallSiteFrames)
+      addVulnerability(context, vulnerability, frames)
     }
   }
 
diff --git a/packages/dd-trace/src/appsec/iast/path-line.js b/packages/dd-trace/src/appsec/iast/path-line.js
@@ -8,29 +8,40 @@ const { getOriginalPathAndLineFromSourceMap } = require('./taint-tracking/rewrit
 const pathLine = {
   getNodeModulesPaths,
   getRelativePath,
-  getNonDDCallSiteFrames,
+  getCallSiteFramesForLocation,
   ddBasePath, // Exported only for test purposes
 }
 
 const EXCLUDED_PATHS = [
   path.join(path.sep, 'node_modules', 'dc-polyfill'),
 ]
-const EXCLUDED_PATH_PREFIXES = [
-  'node:diagnostics_channel',
-  'diagnostics_channel',
-  'node:child_process',
-  'child_process',
-  'node:async_hooks',
-  'async_hooks',
-  'node:internal/async_local_storage',
-]
 
-function getNonDDCallSiteFrames (callSiteFrames, externallyExcludedPaths) {
+/**
+ * Processes and filters call site frames to find the best location for a vulnerability.
+ * Returns client frames if available, otherwise falls back to all processed frames.
+ * Excludes dd-trace frames and all Node.js built-in/internal modules (node:*).
+ * @param {CallSiteFrame[]} callSiteFrames
+ * @param {string[]} externallyExcludedPaths
+ * @returns {CallSiteFrame[]} Client frames if available, otherwise all processed frames
+ *
+ * @typedef {object} CallSiteFrame
+ * @property {number} id
+ * @property {string} file - Original file path
+ * @property {number} line
+ * @property {number} column
+ * @property {string} function
+ * @property {string} class_name
+ * @property {boolean} isNative
+ * @property {string} [path] - Relative path, added during processing
+ * @property {boolean} [isInternal] - Whether the frame is internal, added during processing
+ */
+function getCallSiteFramesForLocation (callSiteFrames, externallyExcludedPaths) {
   if (!callSiteFrames) {
     return []
   }
 
-  const result = []
+  const allFrames = []
+  const clientFrames = []
 
   for (const callsite of callSiteFrames) {
     let filepath = callsite.file?.startsWith('file://') ? fileURLToPath(callsite.file) : callsite.file
@@ -47,18 +58,22 @@ function getNonDDCallSiteFrames (callSiteFrames, externallyExcludedPaths) {
       callsite.column = column
     }
 
-    if (
-      !isExcluded(callsite, externallyExcludedPaths) &&
-      (!filepath.includes(pathLine.ddBasePath) || globalThis.__DD_ESBUILD_IAST_WITH_NO_SM)
-    ) {
+    if (filepath) {
       callsite.path = getRelativePath(filepath)
       callsite.isInternal = !path.isAbsolute(filepath)
 
-      result.push(callsite)
+      allFrames.push(callsite)
+
+      if (
+        !isExcluded(callsite, externallyExcludedPaths) &&
+        (!filepath.includes(pathLine.ddBasePath) || globalThis.__DD_ESBUILD_IAST_WITH_NO_SM)
+      ) {
+        clientFrames.push(callsite)
+      }
     }
   }
 
-  return result
+  return clientFrames.length > 0 ? clientFrames : allFrames
 }
 
 function getRelativePath (filepath) {
@@ -67,10 +82,12 @@ function getRelativePath (filepath) {
 
 function isExcluded (callsite, externallyExcludedPaths) {
   if (callsite.isNative) return true
+
   const filename = globalThis.__DD_ESBUILD_IAST_WITH_SM ? callsite.path : callsite.file
-  if (!filename) {
+  if (!filename || filename.startsWith('node:')) {
     return true
   }
+
   let excludedPaths = EXCLUDED_PATHS
   if (externallyExcludedPaths) {
     excludedPaths = [...excludedPaths, ...externallyExcludedPaths]
@@ -82,12 +99,6 @@ function isExcluded (callsite, externallyExcludedPaths) {
     }
   }
 
-  for (const EXCLUDED_PATH_PREFIX of EXCLUDED_PATH_PREFIXES) {
-    if (filename.indexOf(EXCLUDED_PATH_PREFIX) === 0) {
-      return true
-    }
-  }
-
   return false
 }
 
diff --git a/packages/dd-trace/test/appsec/iast/path-line.spec.js b/packages/dd-trace/test/appsec/iast/path-line.spec.js
@@ -6,7 +6,6 @@ const path = require('path')
 
 const proxyquire = require('proxyquire')
 
-const { getCallsiteFrames } = require('../../../src/appsec/stack_trace')
 class CallSiteMock {
   constructor (fileName, lineNumber, columnNumber = 0) {
     this.file = fileName
@@ -26,10 +25,12 @@ describe('path-line', function () {
   const firstSep = tmpdir.indexOf(path.sep)
   const rootPath = tmpdir.slice(0, firstSep + 1)
 
-  const DIAGNOSTICS_CHANNEL_PATHS = [
+  const EXCLUDED_TEST_PATHS = [
     path.join(rootPath, 'path', 'node_modules', 'dc-polyfill'),
     'node:diagnostics_channel',
-    'diagnostics_channel',
+    'node:fs',
+    'node:events',
+    'node:internal/async_local_storage',
   ]
   let mockPath, pathLine, mockProcess
 
@@ -42,20 +43,20 @@ describe('path-line', function () {
     })
   })
 
-  describe('getNonDDCallSiteFrames', () => {
+  describe('getCallSiteFramesForLocation', () => {
     describe('does not fail', () => {
       it('with null parameter', () => {
-        const result = pathLine.getNonDDCallSiteFrames(null)
+        const result = pathLine.getCallSiteFramesForLocation(null)
         assert.deepStrictEqual(result, [])
       })
 
       it('with empty list parameter', () => {
-        const result = pathLine.getNonDDCallSiteFrames([])
+        const result = pathLine.getCallSiteFramesForLocation([])
         assert.deepStrictEqual(result, [])
       })
 
       it('without parameter', () => {
-        const result = pathLine.getNonDDCallSiteFrames()
+        const result = pathLine.getCallSiteFramesForLocation()
         assert.deepStrictEqual(result, [])
       })
     })
@@ -91,7 +92,7 @@ describe('path-line', function () {
         callsites.push(new CallSiteMock(firstFileOutOfDD, 13, 42))
         callsites.push(new CallSiteMock(secondFileOutOfDD, 20, 15))
 
-        const results = pathLine.getNonDDCallSiteFrames(callsites)
+        const results = pathLine.getCallSiteFramesForLocation(callsites)
 
         assert.strictEqual(results.length, 2)
 
@@ -104,17 +105,19 @@ describe('path-line', function () {
         assert.strictEqual(results[1].column, 15)
       })
 
-      it('should return an empty array when all stack frames are in dd trace', () => {
+      it('should fallback to all processed frames when all stack frames are in dd trace', () => {
         const callsites = []
         callsites.push(new CallSiteMock(PATH_AND_LINE_PATH, PATH_AND_LINE_LINE))
         callsites.push(new CallSiteMock(path.join(DD_BASE_PATH, 'other', 'file', 'in', 'dd.js'), 89))
         callsites.push(new CallSiteMock(path.join(DD_BASE_PATH, 'another', 'file', 'in', 'dd.js'), 5))
 
-        const results = pathLine.getNonDDCallSiteFrames(callsites)
-        assert.deepStrictEqual(results, [])
+        const results = pathLine.getCallSiteFramesForLocation(callsites)
+
+        assert.strictEqual(results.length, 3)
+        assert.ok(results.every(r => r.path && typeof r.isInternal === 'boolean'))
       })
 
-      DIAGNOSTICS_CHANNEL_PATHS.forEach((dcPath) => {
+      EXCLUDED_TEST_PATHS.forEach((dcPath) => {
         it(`should exclude ${dcPath} from the results`, () => {
           const callsites = []
           const expectedFilePath = path.join('first', 'file', 'out', 'of', 'dd.js')
@@ -125,7 +128,7 @@ describe('path-line', function () {
           callsites.push(new CallSiteMock(dcPath, 25))
           callsites.push(new CallSiteMock(firstFileOutOfDD, 13, 42))
 
-          const results = pathLine.getNonDDCallSiteFrames(callsites)
+          const results = pathLine.getCallSiteFramesForLocation(callsites)
           assert.strictEqual(results.length, 1)
 
           assert.strictEqual(results[0].path, expectedFilePath)
@@ -167,7 +170,7 @@ describe('path-line', function () {
         callsites.push(new CallSiteMock(firstFileOutOfDD, 13, 42))
         callsites.push(new CallSiteMock(secondFileOutOfDD, 20, 15))
 
-        const results = pathLine.getNonDDCallSiteFrames(callsites)
+        const results = pathLine.getCallSiteFramesForLocation(callsites)
         assert.strictEqual(results.length, 2)
 
         assert.strictEqual(results[0].path, expectedFilePaths[0])
@@ -230,7 +233,7 @@ describe('path-line', function () {
           callsites.push(new CallSiteMock(path.join(PROJECT_PATH, bundleOutFile), 3))
           callsites.push(new CallSiteMock(path.join(PROJECT_PATH, bundleOutFile), 4, 71))
 
-          const results = pathLine.getNonDDCallSiteFrames(callsites)
+          const results = pathLine.getCallSiteFramesForLocation(callsites)
           assert.strictEqual(results.length, 2)
 
           assert.strictEqual(results[0].path, 'file.js')
@@ -275,7 +278,7 @@ describe('path-line', function () {
           callsites.push(new CallSiteMock(path.join(OUT_BUILD_PATH, bundleOutFile), 3, 14))
           callsites.push(new CallSiteMock(path.join(OUT_BUILD_PATH, bundleOutFile), 2, 71))
 
-          const results = pathLine.getNonDDCallSiteFrames(callsites)
+          const results = pathLine.getCallSiteFramesForLocation(callsites)
           assert.strictEqual(results.length, 4)
 
           assert.strictEqual(results[0].path, bundleOutFile)
@@ -297,35 +300,12 @@ describe('path-line', function () {
   })
 
   describe('getNodeModulesPaths', () => {
-    function getCallSiteInfo () {
-      const previousPrepareStackTrace = Error.prepareStackTrace
-      const previousStackTraceLimit = Error.stackTraceLimit
-      let callsiteList
-      Error.stackTraceLimit = 100
-      Error.prepareStackTrace = function (_, callsites) {
-        callsiteList = callsites
-      }
-      const e = new Error()
-      e.stack
-      Error.prepareStackTrace = previousPrepareStackTrace
-      Error.stackTraceLimit = previousStackTraceLimit
-
-      return callsiteList
-    }
-
     it('should handle windows paths correctly', () => {
-      const basePath = pathLine.ddBasePath
-      pathLine.ddBasePath = path.join('test', 'base', 'path')
-
-      const list = getCallsiteFrames(32, getCallSiteInfo, getCallSiteInfo)
-      const firstNonDDPath = pathLine.getNonDDCallSiteFrames(list)[0]
-
-      const expectedPath = path.join('node_modules', firstNonDDPath.path)
-      const nodeModulesPaths = pathLine.getNodeModulesPaths(firstNonDDPath.path)
+      const testPath = 'some/nested/path/file.js'
+      const expectedPath = path.join('node_modules', 'some', 'nested', 'path', 'file.js')
+      const nodeModulesPaths = pathLine.getNodeModulesPaths(testPath)
 
       assert.strictEqual(nodeModulesPaths[0], expectedPath)
-
-      pathLine.ddBasePath = basePath
     })
 
     it('should convert / to \\ in windows platforms', () => {
