From c213023df017b25a7e5071897367320bfb362451 Mon Sep 17 00:00:00 2001
From: Ugaitz Urien <ugaitz.urien@datadoghq.com>
Date: Mon, 19 Jun 2023 17:54:20 +0200
Subject: [PATCH] Check `store` has value before use it

---
 .../iast/analyzers/sql-injection-analyzer.js      |  2 +-
 .../iast/analyzers/sql-injection-analyzer.spec.js | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js b/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js
index f769961c478..f2ba289e305 100644
--- a/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js
+++ b/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js
@@ -28,7 +28,7 @@ class SqlInjectionAnalyzer extends InjectionAnalyzer {
 
     this.addSub('datadog:sequelize:query:finish', () => {
       const store = storage.getStore()
-      if (store.sequelizeParentStore) {
+      if (store && store.sequelizeParentStore) {
         storage.enterWith(store.sequelizeParentStore)
       }
     })
diff --git a/packages/dd-trace/test/appsec/iast/analyzers/sql-injection-analyzer.spec.js b/packages/dd-trace/test/appsec/iast/analyzers/sql-injection-analyzer.spec.js
index 4e6827f487c..bd621a8ac35 100644
--- a/packages/dd-trace/test/appsec/iast/analyzers/sql-injection-analyzer.spec.js
+++ b/packages/dd-trace/test/appsec/iast/analyzers/sql-injection-analyzer.spec.js
@@ -2,6 +2,9 @@
 
 const proxyquire = require('proxyquire')
 
+const iastLog = require('../../../../src/appsec/iast/iast-log')
+const dc = require('../../../../../diagnostics_channel')
+
 describe('sql-injection-analyzer', () => {
   const NOT_TAINTED_QUERY = 'no vulnerable query'
   const TAINTED_QUERY = 'vulnerable query'
@@ -19,6 +22,10 @@ describe('sql-injection-analyzer', () => {
     './injection-analyzer': InjectionAnalyzer
   })
 
+  afterEach(() => {
+    sinon.restore()
+  })
+
   it('should subscribe to mysql, mysql2 and pg start query channel', () => {
     expect(sqlInjectionAnalyzer._subscriptions).to.have.lengthOf(5)
     expect(sqlInjectionAnalyzer._subscriptions[0]._channel.name).to.equals('apm:mysql:query:start')
@@ -83,4 +90,12 @@ describe('sql-injection-analyzer', () => {
       evidence: { dialect: dialect }
     })
   })
+
+  it('should not report an error when context is not initialized', () => {
+    sinon.stub(iastLog, 'errorAndPublish')
+    sqlInjectionAnalyzer.configure(true)
+    dc.channel('datadog:sequelize:query:finish').publish()
+    sqlInjectionAnalyzer.configure(false)
+    expect(iastLog.errorAndPublish).not.to.be.called
+  })
 })