DataDog
diff --git a/‎integration-tests/appsec/iast-esbuild.spec.js‎
Lines changed: 144 additions & 0 deletions b/‎integration-tests/appsec/iast-esbuild.spec.js‎
Lines changed: 144 additions & 0 deletions
diff --git a/‎integration-tests/appsec/iast-esbuild/app.js‎
Lines changed: 16 additions & 0 deletions b/‎integration-tests/appsec/iast-esbuild/app.js‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎integration-tests/appsec/iast-esbuild/esbuild-no-iast.js‎
Lines changed: 16 additions & 0 deletions b/‎integration-tests/appsec/iast-esbuild/esbuild-no-iast.js‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎integration-tests/appsec/iast-esbuild/esbuild.common-config.js‎
Lines changed: 22 additions & 0 deletions b/‎integration-tests/appsec/iast-esbuild/esbuild.common-config.js‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎integration-tests/appsec/iast-esbuild/esbuild.js‎
Lines changed: 25 additions & 0 deletions b/‎integration-tests/appsec/iast-esbuild/esbuild.js‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎integration-tests/appsec/iast-esbuild/iast/index.js‎
Lines changed: 14 additions & 0 deletions b/‎integration-tests/appsec/iast-esbuild/iast/index.js‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎integration-tests/appsec/iast-esbuild/package.json‎
Lines changed: 20 additions & 0 deletions b/‎integration-tests/appsec/iast-esbuild/package.json‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎integration-tests/appsec/iast-esbuild/random.json‎
Lines changed: 3 additions & 0 deletions b/‎integration-tests/appsec/iast-esbuild/random.json‎
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,144 @@
+'use strict'
+
+const Axios = require('axios')
+const { assert } = require('chai')
+const childProcess = require('child_process')
+const fs = require('fs')
+const path = require('path')
+const { promisify } = require('util')
+const msgpack = require('@msgpack/msgpack')
+
+const { createSandbox, FakeAgent, spawnProc } = require('../helpers')
+
+const exec = promisify(childProcess.exec)
+
+describe('esbuild support for IAST', () => {
+  describe('cjs', () => {
+    let proc, agent, sandbox, axios
+    let applicationDir, bundledApplicationDir
+
+    before(async () => {
+      sandbox = await createSandbox([])
+      const cwd = sandbox.folder
+      applicationDir = path.join(cwd, 'appsec/iast-esbuild')
+
+      // Craft node_modules directory to ship native modules
+      const craftedNodeModulesDir = path.join(applicationDir, 'tmp_node_modules')
+      fs.mkdirSync(craftedNodeModulesDir)
+      await exec('npm init -y', { cwd: craftedNodeModulesDir })
+      await exec('npm install @datadog/native-iast-rewriter @datadog/native-iast-taint-tracking', {
+        cwd: craftedNodeModulesDir,
+        timeout: 3e3
+      })
+
+      // Install app deps
+      await exec('npm install || npm install', {
+        cwd: applicationDir,
+        timeout: 6e3
+      })
+
+      // Bundle the application
+      await exec('npm run build', {
+        cwd: applicationDir,
+        timeout: 3e3
+      })
+
+      bundledApplicationDir = path.join(applicationDir, 'build')
+
+      // Copy crafted node_modules with native modules
+      fs.cpSync(path.join(craftedNodeModulesDir, 'node_modules'), bundledApplicationDir, { recursive: true })
+    })
+
+    after(async () => {
+      await sandbox.remove()
+    })
+
+    function startServer (appFile, iastEnabled) {
+      beforeEach(async () => {
+        agent = await new FakeAgent().start()
+        proc = await spawnProc(path.join(bundledApplicationDir, appFile), {
+          cwd: applicationDir,
+          env: {
+            DD_TRACE_AGENT_PORT: agent.port,
+            DD_IAST_ENABLED: String(iastEnabled),
+            DD_IAST_REQUEST_SAMPLING: '100',
+          }
+        })
+        axios = Axios.create({ baseURL: proc.url })
+      })
+
+      afterEach(async () => {
+        proc.kill()
+        await agent.stop()
+      })
+    }
+
+    describe('with IAST enabled', () => {
+      describe('with sourcemap esbuild option enabled', () => {
+        startServer('iast-enabled-with-sm.js', true)
+
+        it('should detect vulnerability with correct location', async () => {
+          await axios.get('/iast/cmdi-vulnerable?args=-la')
+
+          const expectedVulnerabilityType = 'COMMAND_INJECTION'
+          const expectedVulnerabilityLocationPath = path.join('iast', 'index.js')
+          const expectedVulnerabilityLocationLine = 9
+
+          await agent.assertMessageReceived(({ payload }) => {
+            const spans = payload.flatMap(p => p.filter(span => span.name === 'express.request'))
+            spans.forEach(span => {
+              assert.property(span.meta, '_dd.iast.json')
+              const spanIastData = JSON.parse(span.meta['_dd.iast.json'])
+              assert.strictEqual(spanIastData.vulnerabilities[0].type, expectedVulnerabilityType)
+              assert.strictEqual(spanIastData.vulnerabilities[0].location.path, expectedVulnerabilityLocationPath)
+              assert.strictEqual(spanIastData.vulnerabilities[0].location.line, expectedVulnerabilityLocationLine)
+
+              const ddStack = msgpack.decode(span.meta_struct['_dd.stack'])
+              assert.property(ddStack.vulnerability[0], 'frames')
+              assert.isNotEmpty(ddStack.vulnerability[0].frames)
+            })
+          }, null, 1, true)
+        })
+      })
+
+      describe('with sourcemap esbuild option disabled', () => {
+        startServer('iast-enabled-with-no-sm.js', true)
+
+        it('should detect vulnerability with first callsite location', async () => {
+          await axios.get('/iast/cmdi-vulnerable?args=-la')
+
+          const expectedVulnerabilityType = 'COMMAND_INJECTION'
+          const expectedVulnerabilityLocationPath = path.join('build', 'iast-enabled-with-no-sm.js')
+
+          await agent.assertMessageReceived(({ payload }) => {
+            const spans = payload.flatMap(p => p.filter(span => span.name === 'express.request'))
+            spans.forEach(span => {
+              assert.property(span.meta, '_dd.iast.json')
+              const spanIastData = JSON.parse(span.meta['_dd.iast.json'])
+              assert.strictEqual(spanIastData.vulnerabilities[0].type, expectedVulnerabilityType)
+              assert.strictEqual(spanIastData.vulnerabilities[0].location.path, expectedVulnerabilityLocationPath)
+
+              const ddStack = msgpack.decode(span.meta_struct['_dd.stack'])
+              assert.property(ddStack.vulnerability[0], 'frames')
+              assert.isNotEmpty(ddStack.vulnerability[0].frames)
+            })
+          }, null, 1, true)
+        })
+      })
+    })
+
+    describe('with IAST disabled', () => {
+      startServer('iast-disabled.js', false)
+
+      it('should not detect any vulnerability', async () => {
+        await axios.get('/iast/cmdi-vulnerable?args=-la')
+        await agent.assertMessageReceived(({ payload }) => {
+          const spans = payload.flatMap(p => p.filter(span => span.name === 'express.request'))
+          spans.forEach(span => {
+            assert.notProperty(span.meta, '_dd.iast.json')
+          })
+        }, null, 1, true)
+      })
+    })
+  })
+})
@@ -0,0 +1,16 @@
+'use strict'
+
+require('dd-trace').init()
+
+const express = require('express')
+
+const iastRouter = require('./iast')
+const randomJson = require('./random.json') // eslint-disable-line no-unused-vars
+
+const app = express()
+
+app.use('/iast', iastRouter)
+
+const server = app.listen(0, () => {
+  process.send?.({ port: server.address().port })
+})
@@ -0,0 +1,16 @@
+'use strict'
+
+/* eslint-disable no-console */
+
+const esbuild = require('esbuild')
+
+const esbuildCommonConfig = require('./esbuild.common-config')
+
+esbuild.build({
+  ...esbuildCommonConfig,
+  outfile: 'build/iast-disabled.js',
+  sourcemap: false
+}).catch((err) => {
+  console.error(err)
+  process.exit(1)
+})
@@ -0,0 +1,22 @@
+'use strict'
+
+const ddPlugin = require('dd-trace/esbuild')
+
+module.exports = {
+  entryPoints: ['app.js'],
+  bundle: true,
+  minify: true,
+  plugins: [ddPlugin],
+  platform: 'node',
+  target: ['node18'],
+  external: [
+    '@datadog/native-iast-taint-tracking',
+    '@datadog/native-iast-rewriter',
+
+    // required if you encounter graphql errors during the build step
+    // see https://docs.datadoghq.com/tracing/trace_collection/automatic_instrumentation/dd_libraries/nodejs/#bundling
+    'graphql/language/visitor',
+    'graphql/language/printer',
+    'graphql/utilities'
+  ]
+}
@@ -0,0 +1,25 @@
+'use strict'
+
+/* eslint-disable no-console */
+
+const esbuild = require('esbuild')
+
+const esbuildCommonConfig = require('./esbuild.common-config')
+
+esbuild.build({
+  ...esbuildCommonConfig,
+  outfile: 'build/iast-enabled-with-sm.js',
+  sourcemap: true,
+}).catch((err) => {
+  console.error(err)
+  process.exit(1)
+})
+
+esbuild.build({
+  ...esbuildCommonConfig,
+  outfile: 'build/iast-enabled-with-no-sm.js',
+  sourcemap: false,
+}).catch((err) => {
+  console.error(err)
+  process.exit(1)
+})
@@ -0,0 +1,14 @@
+'use strict'
+
+const express = require('express')
+const { execSync } = require('child_process')
+
+const router = express.Router()
+
+router.get('/cmdi-vulnerable', (req, res) => {
+  execSync(`ls ${req.query.args}`)
+
+  res.end()
+})
+
+module.exports = router
@@ -0,0 +1,20 @@
+{
+  "name": "esbuild-dd-trace-iast",
+  "private": true,
+  "version": "1.0.0",
+  "description": "Basic application to test IAST support on a bundled app with dd-trace via esbuild",
+  "main": "app.js",
+  "scripts": {
+    "build": "DD_IAST_ENABLED=true node ./esbuild.js && DD_IAST_ENABLED=false node ./esbuild-no-iast.js"
+  },
+  "keywords": [
+    "esbuild",
+    "iast"
+  ],
+  "author": "Carles Capell <[email protected]>",
+  "license": "ISC",
+  "dependencies": {
+    "esbuild": "^0.25.9",
+    "express": "^4.21.2"
+  }
+}
@@ -0,0 +1,3 @@
+{
+  "isRandom": true
+}