Open tprado opened 1 week ago
Describe what happened:
Code generated by Rewriter.rewrite function presents a different behavior than the original source code.
Describe what you expected:
Code generated by the Rewriter.rewrite function to behave the same as the original source code.
Steps to reproduce the issue:
Using the same csi methods used by dd-trace-js/dd-trace/src/appsec/iast/taint-tracking:
```js
csiMethods: [
  { src: 'concat' },
  { src: 'join' },
  { src: 'parse' },
  { src: 'plusOperator', operator: true },
  { src: 'random' },
  { src: 'replace' },
  { src: 'slice' },
  { src: 'substr' },
  { src: 'substring' },
  { src: 'toLowerCase', dst: 'stringCase' },
  { src: 'toUpperCase', dst: 'stringCase' },
  { src: 'tplOperator', operator: true },
  { src: 'trim' },
  { src: 'trimEnd' },
  { src: 'trimStart', dst: 'trim' },
  { src: 'eval', allowedWithoutCallee: true }
]
```
With the following input code:
```js
"use strict";
function names(arg) {
  const flag = arg;
  const addPrefix = (value) => (flag ? `"${value}"` : `"my_prefix.${value}"`);
  const result = ` ${addPrefix('NAME_0')} ${addPrefix('NAME_1')} ${addPrefix('NAME_2')} ${addPrefix('NAME_3')} `;
  return result;
}
console.log(names(false))
```
Which outputs this:
"my_prefix.NAME_0" "my_prefix.NAME_1" "my_prefix.NAME_2" "my_prefix.NAME_3"
Using Rewriter.rewrite, it generates:
```js
"use strict";
function names(arg) {
  let __datadog_rkfexd_0, __datadog_rkfexd_1, __datadog_rkfexd_2, __datadog_rkfexd_3;
  const flag = arg;
  const addPrefix = (value)=>(flag
    ? (__datadog_rkfexd_0 = value, _ddiast.tplOperator(`"${__datadog_rkfexd_0}"`, __datadog_rkfexd_0))
    : (__datadog_rkfexd_0 = value, _ddiast.tplOperator(`"my_prefix.${__datadog_rkfexd_0}"`, __datadog_rkfexd_0)));
  const result = (__datadog_rkfexd_0 = addPrefix('NAME_0'),
    __datadog_rkfexd_1 = addPrefix('NAME_1'),
    __datadog_rkfexd_2 = addPrefix('NAME_2'),
    __datadog_rkfexd_3 = addPrefix('NAME_3'),
    _ddiast.tplOperator(` ${__datadog_rkfexd_0} ${__datadog_rkfexd_1} ${__datadog_rkfexd_2} ${__datadog_rkfexd_3} `, __datadog_rkfexd_0, __datadog_rkfexd_1, __datadog_rkfexd_2, __datadog_rkfexd_3));
  return result;
}
console.log(names(false));
```
Which outputs this instead:
NAME_3 "my_prefix.NAME_1" "my_prefix.NAME_2" "my_prefix.NAME_3"
Here's a repository that demonstrates the issue.
Additional environment details (language runtime version, list of relevant dependencies and versions, operating System, cloud provider, etc):
Probably caused by https://github.com/DataDog/dd-native-iast-rewriter-js/pull/98
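
The divergence reported above can be reproduced without the rewriter. This is an added example, not part of the original issue or the project's code. It assumes `_ddiast.tplOperator` returns its first argument, shortens the temporaries to `t0`..`t3`, and adds a hypothetical `scoped` variant and `divergingInputs` helper for comparison.

```javascript
// Constructed stand-in: the real _ddiast.tplOperator is assumed to return its first argument.
const _ddiast = { tplOperator: (result, ...parts) => result };

// Original input from the report.
function original(arg) {
  const flag = arg;
  const addPrefix = (value) => (flag ? `"${value}"` : `"my_prefix.${value}"`);
  return ` ${addPrefix('NAME_0')} ${addPrefix('NAME_1')} ${addPrefix('NAME_2')} ${addPrefix('NAME_3')} `;
}

// Rewritten output from the report, temporaries renamed t0..t3 for width.
// The arrow function writes t0, the same binding the outer template reads later.
function rewritten(arg) {
  let t0, t1, t2, t3;
  const flag = arg;
  const addPrefix = (value) => (flag
    ? (t0 = value, _ddiast.tplOperator(`"${t0}"`, t0))
    : (t0 = value, _ddiast.tplOperator(`"my_prefix.${t0}"`, t0)));
  return (t0 = addPrefix('NAME_0'), t1 = addPrefix('NAME_1'),
    t2 = addPrefix('NAME_2'), t3 = addPrefix('NAME_3'),
    _ddiast.tplOperator(` ${t0} ${t1} ${t2} ${t3} `, t0, t1, t2, t3));
}

// Hypothetical variant (not the project's fix): the arrow function owns its temporary a0.
function scoped(arg) {
  let t0, t1, t2, t3;
  const flag = arg;
  const addPrefix = (value) => {
    let a0;
    return flag
      ? (a0 = value, _ddiast.tplOperator(`"${a0}"`, a0))
      : (a0 = value, _ddiast.tplOperator(`"my_prefix.${a0}"`, a0));
  };
  return (t0 = addPrefix('NAME_0'), t1 = addPrefix('NAME_1'),
    t2 = addPrefix('NAME_2'), t3 = addPrefix('NAME_3'),
    _ddiast.tplOperator(` ${t0} ${t1} ${t2} ${t3} `, t0, t1, t2, t3));
}

// Differential check: inputs on which the candidate's output differs from the reference.
function divergingInputs(reference, candidate, inputs) {
  return inputs.filter((input) => reference(input) !== candidate(input));
}

console.log(divergingInputs(original, rewritten, [true, false])); // [ true, false ]
console.log(divergingInputs(original, scoped, [true, false]));    // []
```

The last call to `addPrefix` leaves `t0` holding `'NAME_3'`, which is why the first slot of the rewritten output loses its quotes and prefix.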