[Nodejs] Update iast stack trace tests (#3746)

Author: IlyasShabi

manifests/nodejs.yml

@@ -42,7 +42,8 @@ refs:
   - &ref_5_27_0 '>=5.27.0 || ^4.51.0'
   - &ref_5_29_0 '>=5.29.0 || ^4.53.0' # express 5 support
   - &ref_5_30_0 '>=5.30.0 || ^4.54.0'
-  - &ref_5_32_0 '>=5.32.0 || ^4.56.0'
+  - &ref_5_32_0 '>=5.32.0'
+  - &ref_5_33_0 '>=5.33.0'
 
 tests/:
   apm_tracing_e2e/:
@@ -95,12 +96,16 @@ tests/:
           TestCodeInjection:
             '*': *ref_5_20_0
             nextjs: missing_feature
-          TestCodeInjection_StackTrace: missing_feature
+          TestCodeInjection_StackTrace:
+            '*': *ref_5_33_0
+            nextjs: missing_feature
         test_command_injection.py:
           TestCommandInjection:
             '*': *ref_3_11_0
             nextjs: missing_feature
-          TestCommandInjection_StackTrace: missing_feature
+          TestCommandInjection_StackTrace:
+            '*': *ref_5_33_0
+            nextjs: missing_feature
         test_email_html_injection.py:
           TestEmailHtmlInjection: missing_feature
           TestEmailHtmlInjection_StackTrace: missing_feature
@@ -137,7 +142,9 @@ tests/:
             '*': *ref_5_26_0
             express5: *ref_5_29_0 # test uses querystring
             nextjs: missing_feature
-          TestHeaderInjection_StackTrace: missing_feature
+          TestHeaderInjection_StackTrace:
+            '*': *ref_5_33_0
+            nextjs: missing_feature
         test_hsts_missing_header.py:
           Test_HstsMissingHeader:
             '*': *ref_4_8_0
@@ -158,7 +165,9 @@ tests/:
           TestLDAPInjection:
             '*': *ref_4_1_0
             nextjs: missing_feature
-          TestLDAPInjection_StackTrace: missing_feature
+          TestLDAPInjection_StackTrace:
+            '*': *ref_5_33_0
+            nextjs: missing_feature
         test_no_httponly_cookie.py:
           TestNoHttponlyCookie:
             '*': *ref_4_3_0
@@ -179,25 +188,33 @@ tests/:
           TestNoSqlMongodbInjection:
             '*': *ref_4_17_0
             nextjs: missing_feature
-          TestNoSqlMongodbInjection_StackTrace: missing_feature
+          TestNoSqlMongodbInjection_StackTrace:
+            '*': *ref_5_33_0
+            nextjs: missing_feature
         test_path_traversal.py:
           TestPathTraversal:
             '*': *ref_3_19_0
             nextjs: missing_feature
-          TestPathTraversal_StackTrace: missing_feature
+          TestPathTraversal_StackTrace:
+            '*': *ref_5_33_0
+            nextjs: missing_feature
         test_reflection_injection.py:
           TestReflectionInjection: missing_feature
           TestReflectionInjection_StackTrace: missing_feature
         test_sql_injection.py:
           TestSqlInjection:
             '*': *ref_3_11_0
             nextjs: missing_feature
-          TestSqlInjection_StackTrace: missing_feature
+          TestSqlInjection_StackTrace:
+            '*': *ref_5_33_0
+            nextjs: missing_feature
         test_ssrf.py:
           TestSSRF:
             '*': *ref_4_1_0
             nextjs: missing_feature
-          TestSSRF_StackTrace: missing_feature
+          TestSSRF_StackTrace:
+            '*': *ref_5_33_0
+            nextjs: missing_feature
         test_template_injection.py:
           TestTemplateInjection:
             '*': *ref_5_26_0
@@ -214,32 +231,42 @@ tests/:
           TestUnvalidatedHeader:
             '*': *ref_4_3_0
             nextjs: missing_feature
-          TestUnvalidatedHeader_StackTrace: missing_feature
+          TestUnvalidatedHeader_StackTrace:
+            '*': *ref_5_33_0
+            nextjs: missing_feature
           TestUnvalidatedRedirect:
             '*': *ref_4_3_0
             nextjs: missing_feature
-          TestUnvalidatedRedirect_StackTrace: missing_feature
+          TestUnvalidatedRedirect_StackTrace:
+            '*': *ref_5_33_0
+            nextjs: missing_feature
         test_unvalidated_redirect_forward.py:
           TestUnvalidatedForward: missing_feature
           TestUnvalidatedForward_StackTrace: missing_feature
         test_weak_cipher.py:
           TestWeakCipher:
             '*': *ref_3_6_0
             nextjs: missing_feature
-          TestWeakCipher_StackTrace: missing_feature
+          TestWeakCipher_StackTrace:
+            '*': *ref_5_33_0
+            nextjs: missing_feature
         test_weak_hash.py:
           TestDeduplication:
             '*': *ref_3_11_0
             nextjs: missing_feature
           TestWeakHash:
             '*': *ref_3_11_0
             nextjs: missing_feature
-          TestWeakHash_StackTrace: missing_feature
+          TestWeakHash_StackTrace:
+            '*': *ref_5_33_0
+            nextjs: missing_feature
         test_weak_randomness.py:
           TestWeakRandomness:
             '*': *ref_5_1_0
             nextjs: missing_feature
-          TestWeakRandomness_StackTrace: missing_feature
+          TestWeakRandomness_StackTrace:
+            '*': *ref_5_33_0
+            nextjs: missing_feature
         test_xcontent_sniffing.py:
           Test_XContentSniffing:
             '*': *ref_4_8_0

tests/appsec/iast/sink/test_nosql_mongodb_injection.py

@@ -41,6 +41,7 @@ def test_telemetry_metric_executed_sink(self):
 @rfc(
     "https://docs.google.com/document/d/1ga7yCKq2htgcwgQsInYZKktV0hNlv4drY9XzSxT-o5U/edit?tab=t.0#heading=h.d0f5wzmlfhat"
 )
+@scenarios.integrations
 @features.iast_stack_trace
 class TestNoSqlMongodbInjection_StackTrace:
     """Validate stack trace generation"""

tests/appsec/iast/utils.py

@@ -235,7 +235,7 @@ def validate_stack_traces(request):
     locationFrame = None
     for frame in stack_trace["frames"]:
         # We are looking for the frame that corresponds to the location of the vulnerability, we will need to update this to cover all tracers
-        # currently support: Java, Python
+        # currently support: Java, Python, Node.js
         if (
             stack_trace["language"] == "java"
             and (
@@ -244,7 +244,7 @@ def validate_stack_traces(request):
                 and location["line"] == frame["line"]
             )
         ) or (
-            stack_trace["language"] == "python"
+            stack_trace["language"] in ("python", "nodejs")
             and (frame.get("file", "").endswith(location["path"]) and location["line"] == frame["line"])
         ):
             locationFrame = frame