DataDog · IlyasShabi · Jan 17, 2025 · Dec 31, 2024 · Dec 31, 2024 · Jan 3, 2025
@@ -42,6 +42,7 @@ refs:
   - &ref_5_27_0 '>=5.27.0 || ^4.51.0'
   - &ref_5_29_0 '>=5.29.0 || ^4.53.0' # express 5 support
   - &ref_5_30_0 '>=5.30.0 || ^4.54.0'
+  - &ref_5_32_0 '>=5.32.0 || ^4.56.0'
 
 tests/:
   apm_tracing_e2e/:
@@ -202,7 +203,9 @@ tests/:
           Test_TrustBoundaryViolation: missing_feature
           Test_TrustBoundaryViolation_StackTrace: missing_feature
         test_untrusted_deserialization.py:
-          TestUntrustedDeserialization: missing_feature
+          TestUntrustedDeserialization:
+            '*': *ref_5_32_0
+            nextjs: missing_feature
           TestUntrustedDeserialization_StackTrace: missing_feature
         test_unvalidated_redirect.py:
           TestUnvalidatedHeader:

@@ -12,9 +12,12 @@ class TestUntrustedDeserialization(BaseSinkTest):
 
     vulnerability_type = "UNTRUSTED_DESERIALIZATION"
     http_method = "GET"
-    insecure_endpoint = "/iast/untrusted_deserialization/test_insecure"
+    insecure_endpoint = "/iast/untrusted_deserialization/test_insecure?name=example"
     secure_endpoint = "/iast/untrusted_deserialization/test_secure"
-    location_map = {"java": "com.datadoghq.system_tests.iast.utils.DeserializationExamples"}
+    location_map = {
+        "java": "com.datadoghq.system_tests.iast.utils.DeserializationExamples",
+        "nodejs": {"express4": "iast/index.js", "express4-typescript": "iast.ts", "express5": "iast/index.js"},
+    }
 
 
 @rfc(

@@ -8,6 +8,8 @@ const { execSync } = require('child_process')
 const https = require('https')
 const { MongoClient } = require('mongodb')
 const pug = require('pug')
+const { unserialize } = require('node-serialize')
+
 const ldap = require('../integrations/ldap')
 const { mongoSanitizeEnabled } = require('../config')
 
@@ -381,6 +383,16 @@ function initRoutes (app, tracer) {
     res.send(`OK:${html}`)
   })
 
+  app.get('/iast/untrusted_deserialization/test_insecure', (req, res) => {
+    const name = unserialize(req.query.name)
+    res.send(`OK:${name}`)
+  })
+
+  app.get('/iast/untrusted_deserialization/test_secure', (req, res) => {
+    const name = unserialize(JSON.stringify({ name: 'example' }))
+    res.send(`OK:${name}`)
+  })
+
   require('./sources')(app, tracer)
 }
 

@@ -24,6 +24,7 @@
     "mssql": "^9.1.0",
     "multer": "^1.4.5-lts.1",
     "mysql2": "^3.5.0",
+    "node-serialize": "^0.0.4",
     "passport": "^0.6.0",
     "passport-http": "^0.3.0",
     "passport-local": "^1.0.0",

@@ -15,6 +15,7 @@ const { join } = require('path')
 const { Client } = require('pg')
 const { Kafka } = require('kafkajs')
 const pug = require('pug')
+const { unserialize } = require('node-serialize')
 
 const ldap = require('./integrations/ldap')
 
@@ -395,6 +396,16 @@ function initSinkRoutes (app: Express): void {
     const html = fn()
     res.send(`OK:${html}`)
   })
+
+  app.get('/iast/untrusted_deserialization/test_insecure', (req: Request, res: Response) => {
+    const name = unserialize(req.query.name)
+    res.send(`OK:${name}`)
+  })
+
+  app.get('/iast/untrusted_deserialization/test_secure', (req: Request, res: Response) => {
+    const name = unserialize(JSON.stringify({ name: 'example' }))
+    res.send(`OK:${name}`)
+  })
 }
 
 function initSourceRoutes (app: Express): void {

@@ -26,6 +26,7 @@
     "ldapjs": "2.0.0",
     "mongodb": "^6.1.0",
     "multer": "^1.4.5-lts.1",
+    "node-serialize": "^0.0.4",
     "passport": "^0.6.0",
     "passport-http": "^0.3.0",
     "passport-local": "^1.0.0",