DataDog
diff --git a/‎index.d.ts‎
Lines changed: 2 additions & 0 deletions b/‎index.d.ts‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎index.js‎
Lines changed: 4 additions & 0 deletions b/‎index.js‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/api/concat.cc‎
Lines changed: 1 addition & 1 deletion b/‎src/api/concat.cc‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/api/replace.cc‎
Lines changed: 8 additions & 7 deletions b/‎src/api/replace.cc‎
Lines changed: 8 additions & 7 deletions
diff --git a/‎src/api/string_methods.cc‎
Lines changed: 69 additions & 2 deletions b/‎src/api/string_methods.cc‎
Lines changed: 69 additions & 2 deletions
diff --git a/‎src/api/trim.cc‎
Lines changed: 2 additions & 2 deletions b/‎src/api/trim.cc‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/tainted/range.cc‎
Lines changed: 10 additions & 1 deletion b/‎src/tainted/range.cc‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎src/tainted/range.h‎
Lines changed: 3 additions & 1 deletion b/‎src/tainted/range.h‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎src/tainted/string_resource.h‎
Lines changed: 11 additions & 0 deletions b/‎src/tainted/string_resource.h‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎src/tainted/transaction.h‎
Lines changed: 2 additions & 2 deletions b/‎src/tainted/transaction.h‎
Lines changed: 2 additions & 2 deletions
@@ -16,6 +16,7 @@ declare module 'datadog-iast-taint-tracking' {
         start: number;
         end: number;
         iinfo: NativeInputInfo;
+        secureMarks: number;
         readonly ref?: string;
     }
 
@@ -26,6 +27,7 @@ declare module 'datadog-iast-taint-tracking' {
     export interface TaintedUtils {
         createTransaction(transactionId: string): string;
         newTaintedString(transactionId: string, original: string, paramName: string, type: string): string;
+        addSecureMarksToTaintedString(transactionId: string, taintedString: string, secureMarks: number): string;
         isTainted(transactionId: string, ...args: string[]): boolean;
         getMetrics(transactionId: string, telemetryVerbosity: number): Metrics;
         getRanges(transactionId: string, original: string): NativeTaintedRange[];
 
@@ -16,6 +16,9 @@ try {
     newTaintedString (transactionId, original) {
       return original
     },
+    addSecureMarksToTaintedString (transactionId, original) {
+      return original
+    },
     isTainted () {
       return false
     },
@@ -55,6 +58,7 @@ try {
 
 const iastNativeMethods = {
   newTaintedString: addon.newTaintedString,
+  addSecureMarksToTaintedString: addon.addSecureMarksToTaintedString,
   isTainted: addon.isTainted,
   getMetrics: addon.getMetrics,
   getRanges: addon.getRanges,
 
@@ -70,7 +70,7 @@ void TaintConcatOperator(const FunctionCallbackInfo<Value>& args) {
                             auto argRange = *it;
                             auto newRange = transaction->GetRange(offset + argRange->start
                                     , offset + argRange->end,
-                                    argRange->inputInfo);
+                                    argRange->inputInfo, argRange->secureMarks);
                             ranges->PushBack(newRange);
                         }
                     } else {
 
@@ -58,7 +58,7 @@ inline void addReplacerRanges(Transaction* transaction,
             for (auto replacerIt = replacerRanges->begin(); replacerItEnd != replacerIt; replacerIt++) {
                 auto range = (*replacerIt);
                 newRanges->PushBack(transaction->GetRange(range->start + toReplaceStart,
-                            range->end + toReplaceStart, range->inputInfo));
+                            range->end + toReplaceStart, range->inputInfo, range->secureMarks));
             }
         }
     }
@@ -86,7 +86,8 @@ inline SharedRanges* adjustReplacementRanges(Transaction* transaction,
             if (range->end <= toReplaceStart) {
                 newRanges->PushBack(range);
             } else if (range->end > toReplaceStart) {
-                newRanges->PushBack(transaction->GetRange(range->start, toReplaceStart, range->inputInfo));
+                newRanges->PushBack(transaction->GetRange(range->start, toReplaceStart,
+                                                          range->inputInfo, range->secureMarks));
                 break;
             }
             ++subjectIt;
@@ -102,13 +103,13 @@ inline SharedRanges* adjustReplacementRanges(Transaction* transaction,
                 if (range->start <= toReplaceEnd) {
                     newRanges->PushBack(transaction->GetRange(toReplaceEnd + offset,
                                 range->end + offset,
-                                range->inputInfo));
+                                range->inputInfo, range->secureMarks));
                 } else if (offset == 0) {
                     newRanges->PushBack(range);
                 } else {
                     newRanges->PushBack(transaction->GetRange(range->start + offset,
                                 range->end + offset,
-                                range->inputInfo));
+                                range->inputInfo, range->secureMarks));
                 }
             }
             subjectIt++;
@@ -161,7 +162,7 @@ inline SharedRanges* adjustRegexReplacementRanges(Transaction* transaction,
                     if (start == range->start && end == range->end) {
                         newRanges->PushBack(range);
                     } else {
-                        newRanges->PushBack(transaction->GetRange(start, end, range->inputInfo));
+                        newRanges->PushBack(transaction->GetRange(start, end, range->inputInfo, range->secureMarks));
                     }
                 }
                 if (breakLoop) {
@@ -183,13 +184,13 @@ inline SharedRanges* adjustRegexReplacementRanges(Transaction* transaction,
             if (lastEnd < range->end) {
                 if (lastEnd > range->start) {
                     newRanges->PushBack(transaction->GetRange(lastEnd + offset, range->end + offset,
-                                range->inputInfo));
+                                range->inputInfo, range->secureMarks));
                 } else if (offset == 0) {
                     newRanges->PushBack(range);
                 } else {
                     newRanges->PushBack(
                             transaction->GetRange(range->start + offset, range->end + offset,
-                                range->inputInfo));
+                                range->inputInfo, range->secureMarks));
                 }
             }
             ++subjectIt;
 
@@ -21,6 +21,7 @@
 #include "../gc/gc.h"
 #include "../iast.h"
 #include "v8.h"
+#include "../utils/string_utils.h"
 
 using v8::Exception;
 using v8::FunctionCallbackInfo;
@@ -33,6 +34,7 @@ using v8::Value;
 using v8::Array;
 
 using iast::tainted::InputInfo;
+using iast::tainted::secure_marks_t;
 
 namespace iast {
 namespace api {
@@ -98,7 +100,7 @@ void NewTaintedString(const FunctionCallbackInfo<Value>& args) {
 
         auto range = transaction->GetRange(0,
                 utils::GetLength(args.GetIsolate(), parameterValue),
-                inputInfo);
+                inputInfo, 0);
         auto ranges = transaction->GetSharedVectorRange();
         ranges->PushBack(range);
         auto stringPointer = utils::GetLocalStringPointer(parameterValue);
@@ -112,6 +114,71 @@ void NewTaintedString(const FunctionCallbackInfo<Value>& args) {
     }
 }
 
+void AddSecureMarksToTaintedString(const FunctionCallbackInfo<Value>& args) {
+    auto isolate = args.GetIsolate();
+    if (args.Length() < 3) {
+        isolate->ThrowException(v8::Exception::TypeError(
+                v8::String::NewFromUtf8(isolate,
+                                        "Wrong number of arguments",
+                                        v8::NewStringType::kNormal).ToLocalChecked()));
+        return;
+    }
+
+    if (!(args[0]->IsString()) || !Local<String>::Cast(args[0])->Length()) {
+        // invalid transaction id, return taintedString
+        args.GetReturnValue().Set(args[1]);
+        return;
+    }
+
+    if (!(args[1]->IsString())) {
+        // invalid taintedString, return it
+        args.GetReturnValue().Set(args[1]);
+        return;
+    }
+
+    auto context = isolate->GetCurrentContext();
+
+    auto transactionIdArgument = args[0];
+    auto taintedString = args[1];
+    auto secureMarksArgument = args[2];
+
+    args.GetReturnValue().Set(taintedString);
+
+    secure_marks_t secureMarks = secureMarksArgument->IntegerValue(context).FromJust();
+    if (secureMarks == 0) {
+        // not secure marks to add
+        return;
+    }
+
+    uintptr_t transactionId = utils::GetLocalStringPointer(transactionIdArgument);
+    auto transaction = NewTransaction(transactionId);
+    if (transaction == nullptr) {
+        return;
+    }
+    auto taintedObj = transaction->FindTaintedObject(utils::GetLocalStringPointer(taintedString));
+    if (!taintedObj) {
+        // It is not a tainted object, do nothing
+        return;
+    }
+    try {
+        auto newRanges = transaction->GetSharedVectorRange();
+        auto oRanges = taintedObj->getRanges();
+        taintedString = tainted::NewStringInstanceForNewTaintedObject
+                (isolate, v8::Local<v8::String>::Cast(taintedString));
+        for (auto it = oRanges->begin(); it != oRanges->end(); ++it) {
+            auto oRange = *it;
+            auto start = oRange->start;
+            auto end = oRange->end;
+            auto oSecureMarks = oRange->secureMarks;
+            newRanges->PushBack(transaction->GetRange(start, end, oRange->inputInfo, oSecureMarks | secureMarks));
+        }
+        transaction->AddTainted(utils::GetLocalStringPointer(taintedString), newRanges, taintedString);
+        args.GetReturnValue().Set(taintedString);
+    } catch (const std::bad_alloc& err) {
+    } catch (const container::QueuedPoolBadAlloc& err) {
+    } catch (const container::PoolBadAlloc& err) {
+    }
+}
 void IsTainted(const FunctionCallbackInfo<Value>& args) {
     auto argsLength = args.Length();
     if (argsLength < 2) {
@@ -149,7 +216,6 @@ void GetRanges(const FunctionCallbackInfo<Value>& args) {
                 NewStringType::kNormal).ToLocalChecked()));
         return;
     }
-
     uintptr_t transactionId = utils::GetLocalStringPointer(args[0]);
     auto transaction = GetTransaction(transactionId);
     if (transaction != nullptr) {
@@ -206,6 +272,7 @@ void SetMaxTransactions(const FunctionCallbackInfo<Value>& args) {
 void StringMethods::Init(Local<Object> exports) {
     NODE_SET_METHOD(exports, "createTransaction", CreateTransaction);
     NODE_SET_METHOD(exports, "newTaintedString", NewTaintedString);
+    NODE_SET_METHOD(exports, "addSecureMarksToTaintedString", AddSecureMarksToTaintedString);
     NODE_SET_METHOD(exports, "isTainted", IsTainted);  // TODO(julio): support several objects.
     NODE_SET_METHOD(exports, "getRanges", GetRanges);
     NODE_SET_METHOD(exports, "removeTransaction", DeleteTransaction);
 
@@ -85,7 +85,7 @@ void TaintTrimOperator(const FunctionCallbackInfo<Value>& args) {
             }
 
             if (newRangeEnd > newRangeStart) {
-                auto newRange = transaction->GetRange(newRangeStart, newRangeEnd, range->inputInfo);
+                auto newRange = transaction->GetRange(newRangeStart, newRangeEnd, range->inputInfo, range->secureMarks);
                 resultRanges->PushBack(newRange);
             }
         }
@@ -150,7 +150,7 @@ void TaintTrimEndOperator(const FunctionCallbackInfo<Value>& args) {
             }
 
             if (newRangeEnd > newRangeStart) {
-                auto newRange = transaction->GetRange(newRangeStart, newRangeEnd, range->inputInfo);
+                auto newRange = transaction->GetRange(newRangeStart, newRangeEnd, range->inputInfo, range->secureMarks);
                 resultRanges->PushBack(newRange);
             }
         }
 
@@ -19,16 +19,20 @@ bool labelsDefined = false;
 v8::Persistent<v8::Value> startLabel;
 v8::Persistent<v8::Value> endLabel;
 v8::Persistent<v8::Value> iinfoLabel;
-Range::Range(int start, int end, InputInfo *inputInfo) {
+v8::Persistent<v8::Value> secureMarksLabel;
+
+Range::Range(int start, int end, InputInfo *inputInfo, secure_marks_t secureMarks) {
     this->start = start;
     this->end = end;
     this->inputInfo = inputInfo;
+    this->secureMarks = secureMarks;
 }
 
 Range::Range(const Range& range) {
     this->start = range.start;
     this->end = range.end;
     this->inputInfo = range.inputInfo;
+    this->secureMarks = range.secureMarks;
 }
 
 Range::~Range() {}
@@ -39,25 +43,30 @@ v8::Local<v8::Object> Range::toJSObject(v8::Isolate* isolate) {
     v8::Local<v8::Value> startLabelLocal;
     v8::Local<v8::Value> endLabelLocal;
     v8::Local<v8::Value> iinfoLabelLocal;
+    v8::Local<v8::Value> secureMarksLabelLocal;
     if (!labelsDefined) {
         startLabelLocal = utils::NewV8String(isolate, "start");
         endLabelLocal = utils::NewV8String(isolate, "end");
         iinfoLabelLocal = utils::NewV8String(isolate, "iinfo");
+        secureMarksLabelLocal = utils::NewV8String(isolate, "secureMarks");
         startLabel.Reset(isolate, startLabelLocal);
         endLabel.Reset(isolate, endLabelLocal);
         iinfoLabel.Reset(isolate, iinfoLabelLocal);
+        secureMarksLabel.Reset(isolate, secureMarksLabelLocal);
         labelsDefined = true;
     } else {
         startLabelLocal = v8::Local<v8::Value>::New(isolate, startLabel);
         endLabelLocal = v8::Local<v8::Value>::New(isolate, endLabel);
         iinfoLabelLocal = v8::Local<v8::Value>::New(isolate, iinfoLabel);
+        secureMarksLabelLocal = v8::Local<v8::Value>::New(isolate, secureMarksLabel);
     }
 
     taintedRangev8Obj->Set(context, startLabelLocal, v8::Number::New(isolate, this->start)).Check();
     taintedRangev8Obj->Set(context, endLabelLocal, v8::Number::New(isolate, this->end)).Check();
     taintedRangev8Obj->Set(context,
             iinfoLabelLocal,
             GetJsObjectFromInputInfo(isolate, context, this->inputInfo)).Check();
+    taintedRangev8Obj->Set(context, secureMarksLabelLocal, v8::Number::New(isolate, this->secureMarks)).Check();
 
     return taintedRangev8Obj;
 }
 
@@ -11,15 +11,17 @@
 
 namespace iast {
 namespace tainted {
+using secure_marks_t = uint16_t;
 class Range {
  public:
-    explicit Range(int start, int end, InputInfo *inputInfo);
+    explicit Range(int start, int end, InputInfo *inputInfo, secure_marks_t secureMarks);
     Range(const Range& taintedRange);
     ~Range();
     v8::Local<v8::Object> toJSObject(v8::Isolate* isolate);
     int start;
     int end;
     InputInfo* inputInfo;
+    secure_marks_t secureMarks;
 };
 }    // namespace tainted
 }    // namespace iast
 
@@ -5,6 +5,7 @@
 #ifndef SRC_TAINTED_STRING_RESOURCE_H_
 #define SRC_TAINTED_STRING_RESOURCE_H_
 #include <node.h>
+#include <string>
 
 namespace iast {
 namespace tainted {
@@ -27,6 +28,16 @@ class StringResource : public v8::String::ExternalStringResource {
 };
 
 v8::Local<v8::String> NewExternalString(v8::Isolate* isolate, v8::Local<v8::Value> obj);
+inline v8::Local<v8::String> NewStringInstanceForNewTaintedObject(v8::Isolate* isolate, v8::Local<v8::String> obj) {
+    int len =  obj->Length();
+    if (len == 1) {
+        return tainted::NewExternalString(isolate, obj);
+    } else {
+        v8::String::Utf8Value param1(isolate, obj);
+        std::string cppStr(*param1);
+        return v8::String::NewFromUtf8(isolate, cppStr.c_str(), v8::NewStringType::kNormal).ToLocalChecked();
+    }
+}
 }  // namespace tainted
 }  // namespace iast
 #endif  // SRC_TAINTED_STRING_RESOURCE_H_
 
@@ -39,8 +39,8 @@ class Transaction {
             v8::Local<v8::Value> parameterValue,
             v8::Local<v8::Value> type);
 
-    Range* GetRange(int start, int end, InputInfo *inputInfo) {
-        return _rangesPool.Pop(start, end, inputInfo);
+    Range* GetRange(int start, int end, InputInfo *inputInfo, secure_marks_t secureMarks) {
+        return _rangesPool.Pop(start, end, inputInfo, secureMarks);
     }
 
     SharedRanges* GetSharedVectorRange(void) {
Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ void TaintConcatOperator(const FunctionCallbackInfo<Value>& args) {`
`70`	`70`	`auto argRange = *it;`
`71`	`71`	`auto newRange = transaction->GetRange(offset + argRange->start`
`72`	`72`	`, offset + argRange->end,`
`73`		`- argRange->inputInfo);`
	`73`	`+ argRange->inputInfo, argRange->secureMarks);`
`74`	`74`	`ranges->PushBack(newRange);`
`75`	`75`	`}`
`76`	`76`	`} else {`
Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@ void TaintTrimOperator(const FunctionCallbackInfo<Value>& args) {`
`85`	`85`	`}`
`86`	`86`
`87`	`87`	`if (newRangeEnd > newRangeStart) {`
`88`		`- auto newRange = transaction->GetRange(newRangeStart, newRangeEnd, range->inputInfo);`
	`88`	`+ auto newRange = transaction->GetRange(newRangeStart, newRangeEnd, range->inputInfo, range->secureMarks);`
`89`	`89`	`resultRanges->PushBack(newRange);`
`90`	`90`	`}`
`91`	`91`	`}`
`@@ -150,7 +150,7 @@ void TaintTrimEndOperator(const FunctionCallbackInfo<Value>& args) {`
`150`	`150`	`}`
`151`	`151`
`152`	`152`	`if (newRangeEnd > newRangeStart) {`
`153`		`- auto newRange = transaction->GetRange(newRangeStart, newRangeEnd, range->inputInfo);`
	`153`	`+ auto newRange = transaction->GetRange(newRangeStart, newRangeEnd, range->inputInfo, range->secureMarks);`
`154`	`154`	`resultRanges->PushBack(newRange);`
`155`	`155`	`}`
`156`	`156`	`}`
Original file line number	Diff line number	Diff line change
`@@ -39,8 +39,8 @@ class Transaction {`
`39`	`39`	`v8::Local<v8::Value> parameterValue,`
`40`	`40`	`v8::Local<v8::Value> type);`
`41`	`41`
`42`		`- Range* GetRange(int start, int end, InputInfo *inputInfo) {`
`43`		`- return _rangesPool.Pop(start, end, inputInfo);`
	`42`	`+ Range* GetRange(int start, int end, InputInfo *inputInfo, secure_marks_t secureMarks) {`
	`43`	`+ return _rangesPool.Pop(start, end, inputInfo, secureMarks);`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`SharedRanges* GetSharedVectorRange(void) {`