Implement tplOperator tracking method

packages/dd-trace/src/appsec/iast/taint-tracking/csi-methods.js

@@ -12,6 +12,7 @@ const csiMethods = [
   { src: 'substring' },
   { src: 'toLowerCase', dst: 'stringCase' },
   { src: 'toUpperCase', dst: 'stringCase' },
+  { src: 'tplOperator', operator: true },
   { src: 'trim' },
   { src: 'trimEnd' },
   { src: 'trimStart', dst: 'trim' },

packages/dd-trace/src/appsec/iast/taint-tracking/taint-tracking-impl.js

@@ -29,6 +29,7 @@ const TaintTrackingNoop = {
   substr: noop,
   substring: noop,
   stringCase: noop,
+  tplOperator: noop,
   trim: noop,
   trimEnd: noop
 }
@@ -117,6 +118,20 @@ function csiMethodsOverrides (getContext) {
       return res
     },
 
+    tplOperator: function (res, ...rest) {
+      try {
+        const iastContext = getContext()
+        const transactionId = getTransactionId(iastContext)
+        if (transactionId) {
+          return TaintedUtils.concat(transactionId, res, ...rest)
+        }
+      } catch (e) {
+        iastLog.error('Error invoking CSI tplOperator')
+          .errorAndPublish(e)
+      }
+      return res
+    },
+
     stringCase: getCsiFn(
       (transactionId, res, target) => TaintedUtils.stringCase(transactionId, res, target),
       getContext,

packages/dd-trace/test/appsec/iast/taint-tracking/resources/propagationFunctions.js

@@ -12,6 +12,13 @@ function templateLiteralEndingWithNumberParams (str) {
   return `${str}Literal${num1}${num2}`
 }
 
+function templateLiteralWithTaintedAtTheEnd (str) {
+  const num1 = 1
+  const num2 = 2
+  const hello = 'world'
+  return `Literal${num1}${num2}-${hello}-${str}`
+}
+
 function appendStr (str) {
   let pre = 'pre_'
   pre += str
@@ -108,6 +115,7 @@ module.exports = {
   substrStr,
   substringStr,
   templateLiteralEndingWithNumberParams,
+  templateLiteralWithTaintedAtTheEnd,
   toLowerCaseStr,
   toUpperCaseStr,
   trimEndStr,

packages/dd-trace/test/appsec/iast/taint-tracking/taint-tracking-impl.spec.js

@@ -26,6 +26,7 @@ const propagationFns = [
   'substrStr',
   'substringStr',
   'templateLiteralEndingWithNumberParams',
+  'templateLiteralWithTaintedAtTheEnd',
   'toLowerCaseStr',
   'toUpperCaseStr',
   'trimEndStr',
@@ -137,7 +138,8 @@ describe('TaintTracking', () => {
       'concatSuffix',
       'concatTaintedStr',
       'insertStr',
-      'templateLiteralEndingWithNumberParams'
+      'templateLiteralEndingWithNumberParams',
+      'templateLiteralWithTaintedAtTheEnd'
     ]
     propagationFns.forEach((propFn) => {
       if (filtered.includes(propFn)) return