From 47388d525cb3d0d7e2414a0e2ff110851f79e45f Mon Sep 17 00:00:00 2001
From: Ugaitz Urien
Date: Fri, 16 Jun 2023 11:09:51 +0200
Subject: [PATCH 1/2] Add sources tests
---
 .../plugin.express.plugin.spec.js | 55 +++++++++++++++++++
 packages/dd-trace/test/appsec/iast/utils.js | 17 ++++--
 2 files changed, 67 insertions(+), 5 deletions(-)
 create mode 100644 packages/dd-trace/test/appsec/iast/taint-tracking/plugin.express.plugin.spec.js
diff --git a/packages/dd-trace/test/appsec/iast/taint-tracking/plugin.express.plugin.spec.js b/packages/dd-trace/test/appsec/iast/taint-tracking/plugin.express.plugin.spec.js
new file mode 100644
index 00000000000..216d4c56ac6
--- /dev/null
+++ b/packages/dd-trace/test/appsec/iast/taint-tracking/plugin.express.plugin.spec.js
@@ -0,0 +1,55 @@
+'use strict'
+
+const { prepareTestServerForIastInExpress } = require('../utils')
+const axios = require('axios')
+
+function noop () {}
+describe('Taint tracking plugin sources express tests', () => {
+ withVersions('express', 'express', '>=4.8.0', version => {
+ prepareTestServerForIastInExpress('in express', version,
+ (testThatRequestHasVulnerability, _, config) => {
+ describe('tainted body', () => {
+ function makePostRequest (done) {
+ axios.post(`http://localhost:${config.port}/`, {
+ command: 'echo 1'
+ }).catch(done)
+ }
+
+ testThatRequestHasVulnerability((req) => {
+ const childProcess = require('child_process')
+ childProcess.exec(req.body.command, noop)
+ }, 'COMMAND_INJECTION', 1, () => {
+ }, makePostRequest)
+ })
+
+ describe('tainted query param', () => {
+ function makeRequestWithParams (done) {
+ axios.get(`http://localhost:${config.port}/?command=echo`).catch(done)
+ }
+
+ testThatRequestHasVulnerability((req) => {
+ const childProcess = require('child_process')
+ childProcess.exec(req.query.command, noop)
+ }, 'COMMAND_INJECTION', 1, () => {
+ }, makeRequestWithParams)
+ })
+
+ describe('tainted header', () => {
+ function makeRequestWithHeaders (done) {
+ axios.get(`http://localhost:${config.port}/`, {
+ headers: {
+ 'x-iast-test-command': 'echo 1'
+ }
+ }).catch(done)
+ }
+
+ testThatRequestHasVulnerability((req) => {
+ const childProcess = require('child_process')
+ childProcess.exec(req.headers['x-iast-test-command'], noop)
+ }, 'COMMAND_INJECTION', 1, () => {
+ }, makeRequestWithHeaders)
+ })
+ }
+ )
+ })
+})
diff --git a/packages/dd-trace/test/appsec/iast/utils.js b/packages/dd-trace/test/appsec/iast/utils.js
index 3bed8af71a9..6eacca0c208 100644
--- a/packages/dd-trace/test/appsec/iast/utils.js
+++ b/packages/dd-trace/test/appsec/iast/utils.js
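Review bot: All three describe blocks assert only the positive case — a tainted body, query or header value reaching `childProcess.exec` reports COMMAND_INJECTION — with no control showing that the same handler with an untainted literal reports nothing, so a regression that over-taints, or a detector that fires on every exec call, would still pass this spec. utils.js has checkNoVulnerabilityInRequest (visible in the `@@ -146` hunk header), and prepareTestServerForIastInExpress hands the spec a second callback it discards as `_`, which I would expect to be the negative counterpart; consider one case per source that calls `childProcess.exec('echo 1', noop)` with a literal and expects no vulnerability. Each handler also repeats `const childProcess = require('child_process')`; if the require is kept inside the handler on purpose (so it runs after the tracer has patched the module), a one-line comment saying so would stop the next reader from hoisting it.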
@@ -146,7 +146,7 @@ function checkNoVulnerabilityInRequest (vulnerability, config, done) {
 .catch(done)
 axios.get(`http://localhost:${config.port}/`).catch(done)
 }
-function checkVulnerabilityInRequest (vulnerability, occurrencesAndLocation, cb, config, done) {
+function checkVulnerabilityInRequest (vulnerability, occurrencesAndLocation, cb, makeRequest, config, done) {
 let location
 let occurrences = occurrencesAndLocation
 if (typeof occurrencesAndLocation === 'object') {
@@ -195,7 +195,11 @@ function checkVulnerabilityInRequest (vulnerability, occurrencesAndLocation, cb,
 })
 .then(done)
 .catch(done)
- axios.get(`http://localhost:${config.port}/`).catch(done)
+ if (makeRequest) {
+ makeRequest(done)
+ } else {
+ axios.get(`http://localhost:${config.port}/`).catch(done)
+ }
 }
 
 function prepareTestServerForIast (description, tests, iastConfig) {
@@ -247,7 +251,7 @@ function prepareTestServerForIast (description, tests, iastConfig) {
 it(`should have ${vulnerability} vulnerability`, function (done) {
 this.timeout(5000)
 app = fn
- checkVulnerabilityInRequest(vulnerability, occurrences, cb, config, done)
+ checkVulnerabilityInRequest(vulnerability, occurrences, cb, undefined, config, done)
 })
 }
 
@@ -278,7 +282,10 @@ function prepareTestServerForIastInExpress (description, expressVersion, tests)
 before((done) => {
 const express = require(`../../../../../versions/express@${expressVersion}`).get()
+ const bodyParser = require(`../../../../../versions/body-parser`).get()
 const expressApp = express()
+ expressApp.use(bodyParser.json())
+ expressApp.all('/', listener)
 getPort().then(newPort => {
 config.port = newPort
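Review bot: The new `makeRequest` branch in checkVulnerabilityInRequest no longer attaches `.catch(done)` to the request, so every caller-supplied function must handle its own rejection; one that forgets does not fail the test but leaves it hanging until the 5000 ms timeout set in the `it` blocks at `-247` and `-300`. That contract is not written down: add a JSDoc to the signature in the `-146` hunk, e.g. `@param {(done: Function) => void} [makeRequest] - sends the request that should trigger the finding; must call done(err) on failure itself (default: GET / on config.port)`, and the same line on testThatRequestHasVulnerability in the `-300` hunk, which threads the parameter through with the same gap. Inserting the parameter in the middle of the positional list also breaks any caller of checkVulnerabilityInRequest outside this file; the two in-file callers are updated, but I cannot see whether others exist.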
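Review bot: `expressApp.use(bodyParser.json())` is mounted for every test that goes through prepareTestServerForIastInExpress, not just the new body-source spec, so existing express IAST tests that send a non-JSON body or read the raw stream now get parsed or consumed input; that is probably intended but deserves a comment such as `// JSON bodies are parsed for every test served here so body-sourced taint tests can read req.body`. The middleware is correctly registered before `expressApp.all('/', listener)`, but `listener` is declared outside the hunk and two context lines between the `.all` call and `getPort()` are not legible here, so confirm the `/` route is not also registered further down in the hook. The `versions/body-parser` require carries no version, unlike the `express@${expressVersion}` one above it; if it resolves to a single pinned fixture, say so in the same comment.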
@@ -300,11 +307,11 @@ function prepareTestServerForIastInExpress (description, expressVersion, tests)
 return agent.close({ ritmReset: false })
 })
 
- function testThatRequestHasVulnerability (fn, vulnerability, occurrences, cb) {
+ function testThatRequestHasVulnerability (fn, vulnerability, occurrences, cb, makeRequest) {
 it(`should have ${vulnerability} vulnerability`, function (done) {
 this.timeout(5000)
 app = fn
- checkVulnerabilityInRequest(vulnerability, occurrences, cb, config, done)
+ checkVulnerabilityInRequest(vulnerability, occurrences, cb, makeRequest, config, done)
 })
 }
 
From 4693d732d7fb136a42aa90e9ee8164598decd242 Mon Sep 17 00:00:00 2001
From: Ugaitz Urien
Date: Mon, 19 Jun 2023 16:07:03 +0200
Subject: [PATCH 2/2] styles
---
 .../taint-tracking/plugin.express.plugin.spec.js | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/packages/dd-trace/test/appsec/iast/taint-tracking/plugin.express.plugin.spec.js b/packages/dd-trace/test/appsec/iast/taint-tracking/plugin.express.plugin.spec.js
index 216d4c56ac6..f2a8193d1be 100644
--- a/packages/dd-trace/test/appsec/iast/taint-tracking/plugin.express.plugin.spec.js
+++ b/packages/dd-trace/test/appsec/iast/taint-tracking/plugin.express.plugin.spec.js
@@ -4,6 +4,7 @@ const { prepareTestServerForIastInExpress } = require('../utils')
 const axios = require('axios')
 
 function noop () {}
+
 describe('Taint tracking plugin sources express tests', () => {
 withVersions('express', 'express', '>=4.8.0', version => {
 prepareTestServerForIastInExpress('in express', version,
@@ -18,24 +19,22 @@ describe('Taint tracking plugin sources express tests', () => {
 testThatRequestHasVulnerability((req) => {
 const childProcess = require('child_process')
 childProcess.exec(req.body.command, noop)
- }, 'COMMAND_INJECTION', 1, () => {
- }, makePostRequest)
+ }, 'COMMAND_INJECTION', 1, noop, makePostRequest)
 })
 
 describe('tainted query param', () => {
- function makeRequestWithParams (done) {
+ function makeRequestWithQueryParam (done) {
 axios.get(`http://localhost:${config.port}/?command=echo`).catch(done)
 }
 
 testThatRequestHasVulnerability((req) => {
 const childProcess = require('child_process')
 childProcess.exec(req.query.command, noop)
- }, 'COMMAND_INJECTION', 1, () => {
- }, makeRequestWithParams)
+ }, 'COMMAND_INJECTION', 1, noop, makeRequestWithQueryParam)
 })
 
 describe('tainted header', () => {
- function makeRequestWithHeaders (done) {
+ function makeRequestWithHeader (done) {
 axios.get(`http://localhost:${config.port}/`, {
 headers: {
 'x-iast-test-command': 'echo 1'
@@ -46,8 +45,7 @@ describe('Taint tracking plugin sources express tests', () => {
 testThatRequestHasVulnerability((req) => {
 const childProcess = require('child_process')
 childProcess.exec(req.headers['x-iast-test-command'], noop)
- }, 'COMMAND_INJECTION', 1, () => {
- }, makeRequestWithHeaders)
+ }, 'COMMAND_INJECTION', 1, noop, makeRequestWithHeader)
 })
 }
 )