trying fix

packages/dd-trace/src/appsec/iast/taint-tracking/rewriter-esm.mjs

@@ -6,7 +6,7 @@ import fs from 'fs'
 import { csiMethods } from './csi-methods.js'
 import { getName } from '../telemetry/verbosity.js'
 import { isNotLibraryFile, isPrivateModule } from './filter.js'
-
+console.log('rewriter-esm')
 const currentUrl = new URL(import.meta.url)
 const ddTraceDir = path.join(currentUrl.pathname, '..', '..', '..', '..', '..', '..')
 
@@ -24,6 +24,7 @@ function log (...msgs) {
 }
 
 export async function initialize (data) {
+  console.log('rewriter-esm - initialize')
   if (rewriter) return Promise.reject(new Error('ALREADY INITIALIZED'))
 
   const { csiMethods, telemetryVerbosity, chainSourceMap } = data
@@ -48,6 +49,7 @@ export async function load (url, context, nextLoad) {
   if (url.includes(ddTraceDir) || url.includes('iitm=true')) return result
 
   try {
+    console.log('rewriter-esm - load - ' + url)
     if (isPrivateModule(url) && isNotLibraryFile(url)) {
       const rewritten = rewriter.rewrite(result.source.toString(), url)
 
@@ -72,6 +74,9 @@ export async function load (url, context, nextLoad) {
       data
     })
   }
-
+  if (url.includes('index.mjs')) {
+    console.log('result.source - index.mjs')
+    console.log(result.source)
+  }
   return result
 }

packages/dd-trace/test/appsec/iast/index.esm.spec.js

@@ -25,7 +25,7 @@ describe('ESM', () => {
   after(async function () {
     await sandbox.remove()
   })
-  const nodeOptionsList = ['--import dd-trace/initialize.mjs', '--require dd-trace/init.js --loader dd-trace/initialize.mjs']
+  const nodeOptionsList = ['--import dd-trace/initialize.mjs', '--require dd-trace/init.js --loader dd-trace/loader-hook.mjs']
 
   nodeOptionsList.forEach(nodeOptions => {
     describe(`with NODE_OPTIONS=${nodeOptions}`, () => {
@@ -49,19 +49,36 @@ describe('ESM', () => {
         await agent.stop()
       })
 
+      function verifySpan (payload, verify) {
+        let err
+        for (let i = 0; i < payload.length; i++) {
+          const trace = payload[i]
+          for (let j = 0; j < trace.length; j++) {
+            try {
+              verify(trace[j])
+              return
+            } catch (e) {
+              err = err || e
+            }
+          }
+        }
+        throw err
+      }
+
       it('test endpoint have COMMAND_INJECTION vulnerability', async function () {
         this.timeout(30000)
         console.log('00 A')
         await axios.get('/cmdi-vulnerable?args=-la')
         console.log('10 A')
 
         await agent.assertMessageReceived(({ payload }) => {
-          console.log('20 A', payload)
-          assert.property(payload[0][0].meta, '_dd.iast.json')
-          console.log('30 A', payload)
-          assert.include(payload[0][0].meta['_dd.iast.json'], '"COMMAND_INJECTION"')
-          console.log('40 A', payload)
-        })
+          verifySpan(payload, span => {
+            assert.property(span.meta, '_dd.iast.json')
+            console.log('30 A', JSON.stringify(span.meta))
+            assert.include(span.meta['_dd.iast.json'], '"COMMAND_INJECTION"')
+            console.log('40 A')
+          })
+        }, null, 1, true)
       })
 
       it('test endpoint have COMMAND_INJECTION vulnerability in imported file', async () => {
@@ -70,12 +87,14 @@ describe('ESM', () => {
         console.log('10 B')
 
         await agent.assertMessageReceived(({ payload }) => {
-          console.log('20 B')
-          assert.property(payload[0][0].meta, '_dd.iast.json')
-          console.log('30 B')
-          assert.include(payload[0][0].meta['_dd.iast.json'], '"COMMAND_INJECTION"')
-          console.log('40 B')
-        })
+          verifySpan(payload, span => {
+            console.log('20 B')
+            assert.property(span.meta, '_dd.iast.json')
+            console.log('30 B')
+            assert.include(span.meta['_dd.iast.json'], '"COMMAND_INJECTION"')
+            console.log('40 B')
+          })
+        }, null, 1, true)
       })
     })
   })