dd-trace 3.36.0 → 3.38.0

package/packages/dd-trace/src/appsec/iast/iast-plugin.js

@@ -196,6 +196,10 @@ class SinkIastPlugin extends IastPlugin {
   addSub (iastPluginSub, handler) {
     return super.addSub({ tagKey: TagKey.VULNERABILITY_TYPE, ...iastPluginSub }, handler)
   }
+
+  addNotSinkSub (iastPluginSub, handler) {
+    return super.addSub(iastPluginSub, handler)
+  }
 }
 
 module.exports = {

package/packages/dd-trace/src/appsec/iast/taint-tracking/operations.js

@@ -18,15 +18,14 @@ let onRemoveTransaction = (transactionId, iastContext) => {}
 
 function onRemoveTransactionInformationTelemetry (transactionId, iastContext) {
   const metrics = TaintedUtils.getMetrics(transactionId, iastTelemetry.verbosity)
-  if (metrics && metrics.requestCount) {
+  if (metrics?.requestCount) {
     REQUEST_TAINTED.add(metrics.requestCount, null, iastContext)
   }
 }
 
 function removeTransaction (iastContext) {
-  if (iastContext && iastContext[IAST_TRANSACTION_ID]) {
-    const transactionId = iastContext[IAST_TRANSACTION_ID]
-
+  const transactionId = iastContext?.[IAST_TRANSACTION_ID]
+  if (transactionId) {
     onRemoveTransaction(transactionId, iastContext)
 
     TaintedUtils.removeTransaction(transactionId)
@@ -36,8 +35,8 @@ function removeTransaction (iastContext) {
 
 function newTaintedString (iastContext, string, name, type) {
   let result = string
-  if (iastContext && iastContext[IAST_TRANSACTION_ID]) {
-    const transactionId = iastContext[IAST_TRANSACTION_ID]
+  const transactionId = iastContext?.[IAST_TRANSACTION_ID]
+  if (transactionId) {
     result = TaintedUtils.newTaintedString(transactionId, string, name, type)
   } else {
     result = string
@@ -47,15 +46,17 @@ function newTaintedString (iastContext, string, name, type) {
 
 function taintObject (iastContext, object, type, keyTainting, keyType) {
   let result = object
-  if (iastContext && iastContext[IAST_TRANSACTION_ID]) {
-    const transactionId = iastContext[IAST_TRANSACTION_ID]
+  const transactionId = iastContext?.[IAST_TRANSACTION_ID]
+  if (transactionId) {
     const queue = [{ parent: null, property: null, value: object }]
     const visited = new WeakSet()
+
     while (queue.length > 0) {
       const { parent, property, value, key } = queue.pop()
       if (value === null) {
         continue
       }
+
       try {
         if (typeof value === 'string') {
           const tainted = TaintedUtils.newTaintedString(transactionId, value, property, type)
@@ -71,11 +72,13 @@ function taintObject (iastContext, object, type, keyTainting, keyType) {
           }
         } else if (typeof value === 'object' && !visited.has(value)) {
           visited.add(value)
+
           const keys = Object.keys(value)
           for (let i = 0; i < keys.length; i++) {
             const key = keys[i]
             queue.push({ parent: value, property: property ? `${property}.${key}` : key, value: value[key], key })
           }
+
           if (parent && keyTainting && key) {
             const taintedProperty = TaintedUtils.newTaintedString(transactionId, key, property, keyType)
             parent[taintedProperty] = value
@@ -91,8 +94,8 @@ function taintObject (iastContext, object, type, keyTainting, keyType) {
 
 function isTainted (iastContext, string) {
   let result = false
-  if (iastContext && iastContext[IAST_TRANSACTION_ID]) {
-    const transactionId = iastContext[IAST_TRANSACTION_ID]
+  const transactionId = iastContext?.[IAST_TRANSACTION_ID]
+  if (transactionId) {
     result = TaintedUtils.isTainted(transactionId, string)
   } else {
     result = false
@@ -102,8 +105,8 @@ function isTainted (iastContext, string) {
 
 function getRanges (iastContext, string) {
   let result = []
-  if (iastContext && iastContext[IAST_TRANSACTION_ID]) {
-    const transactionId = iastContext[IAST_TRANSACTION_ID]
+  const transactionId = iastContext?.[IAST_TRANSACTION_ID]
+  if (transactionId) {
     result = TaintedUtils.getRanges(transactionId, string)
   } else {
     result = []
@@ -111,6 +114,15 @@ function getRanges (iastContext, string) {
   return result
 }
 
+function addSecureMark (iastContext, string, mark) {
+  const transactionId = iastContext?.[IAST_TRANSACTION_ID]
+  if (transactionId) {
+    return TaintedUtils.addSecureMarksToTaintedString(transactionId, string, mark)
+  }
+
+  return string
+}
+
 function enableTaintOperations (telemetryVerbosity) {
   if (isInfoAllowed(telemetryVerbosity)) {
     onRemoveTransaction = onRemoveTransactionInformationTelemetry
@@ -132,6 +144,7 @@ function setMaxTransactions (transactions) {
 }
 
 module.exports = {
+  addSecureMark,
   createTransaction,
   removeTransaction,
   newTaintedString,

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js

@@ -11,8 +11,8 @@ const {
   HTTP_REQUEST_HEADER_VALUE,
   HTTP_REQUEST_HEADER_NAME,
   HTTP_REQUEST_PARAMETER,
-  HTTP_REQUEST_PATH,
-  HTTP_REQUEST_PATH_PARAM
+  HTTP_REQUEST_PATH_PARAM,
+  HTTP_REQUEST_URI
 } = require('./source-types')
 
 class TaintTrackingPlugin extends SourceIastPlugin {
@@ -93,9 +93,9 @@ class TaintTrackingPlugin extends SourceIastPlugin {
   taintUrl (req, iastContext) {
     this.execSource({
       handler: function () {
-        req.url = newTaintedString(iastContext, req.url, 'req.url', HTTP_REQUEST_PATH)
+        req.url = newTaintedString(iastContext, req.url, HTTP_REQUEST_URI, HTTP_REQUEST_URI)
       },
-      tag: [HTTP_REQUEST_PATH],
+      tag: [HTTP_REQUEST_URI],
       iastContext
     })
   }

package/packages/dd-trace/src/appsec/iast/taint-tracking/secure-marks-generator.js

@@ -0,0 +1,13 @@
+'use strict'
+
+let next = 0
+
+function getNextSecureMark () {
+  return 1 << next++
+}
+
+function reset () {
+  next = 0
+}
+
+module.exports = { getNextSecureMark, reset }

package/packages/dd-trace/src/appsec/iast/taint-tracking/source-types.js

@@ -8,5 +8,6 @@ module.exports = {
   HTTP_REQUEST_HEADER_VALUE: 'http.request.header',
   HTTP_REQUEST_PARAMETER: 'http.request.parameter',
   HTTP_REQUEST_PATH: 'http.request.path',
-  HTTP_REQUEST_PATH_PARAM: 'http.request.path.parameter'
+  HTTP_REQUEST_PATH_PARAM: 'http.request.path.parameter',
+  HTTP_REQUEST_URI: 'http.request.uri'
 }

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/json-sensitive-analyzer.js

@@ -0,0 +1,16 @@
+'use strict'
+
+const { stringifyWithRanges } = require('../../utils')
+
+class JsonSensitiveAnalyzer {
+  extractSensitiveRanges (evidence) {
+    // expect object evidence
+    const { value, ranges, sensitiveRanges } = stringifyWithRanges(evidence.value, evidence.rangesToApply, true)
+    evidence.value = value
+    evidence.ranges = ranges
+
+    return sensitiveRanges
+  }
+}
+
+module.exports = JsonSensitiveAnalyzer

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js

@@ -5,14 +5,12 @@ const vulnerabilities = require('../../vulnerabilities')
 const { contains, intersects, remove } = require('./range-utils')
 
 const CommandSensitiveAnalyzer = require('./sensitive-analyzers/command-sensitive-analyzer')
+const JsonSensitiveAnalyzer = require('./sensitive-analyzers/json-sensitive-analyzer')
 const LdapSensitiveAnalyzer = require('./sensitive-analyzers/ldap-sensitive-analyzer')
 const SqlSensitiveAnalyzer = require('./sensitive-analyzers/sql-sensitive-analyzer')
 const UrlSensitiveAnalyzer = require('./sensitive-analyzers/url-sensitive-analyzer')
 
-// eslint-disable-next-line max-len
-const DEFAULT_IAST_REDACTION_NAME_PATTERN = '(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)'
-// eslint-disable-next-line max-len
-const DEFAULT_IAST_REDACTION_VALUE_PATTERN = '(?:bearer\\s+[a-z0-9\\._\\-]+|glpat-[\\w\\-]{20}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\\w=\\-]+\\.ey[I-L][\\w=\\-]+(?:\\.[\\w.+/=\\-]+)?|(?:[\\-]{5}BEGIN[a-z\\s]+PRIVATE\\sKEY[\\-]{5}[^\\-]+[\\-]{5}END[a-z\\s]+PRIVATE\\sKEY[\\-]{5}|ssh-rsa\\s*[a-z0-9/\\.+]{100,}))'
+const { DEFAULT_IAST_REDACTION_NAME_PATTERN, DEFAULT_IAST_REDACTION_VALUE_PATTERN } = require('./sensitive-regex')
 
 const REDACTED_SOURCE_BUFFER = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
 
@@ -23,6 +21,7 @@ class SensitiveHandler {
 
     this._sensitiveAnalyzers = new Map()
     this._sensitiveAnalyzers.set(vulnerabilities.COMMAND_INJECTION, new CommandSensitiveAnalyzer())
+    this._sensitiveAnalyzers.set(vulnerabilities.NOSQL_MONGODB_INJECTION, new JsonSensitiveAnalyzer())
     this._sensitiveAnalyzers.set(vulnerabilities.LDAP_INJECTION, new LdapSensitiveAnalyzer())
     this._sensitiveAnalyzers.set(vulnerabilities.SQL_INJECTION, new SqlSensitiveAnalyzer())
     const urlSensitiveAnalyzer = new UrlSensitiveAnalyzer()

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-regex.js

@@ -0,0 +1,9 @@
+// eslint-disable-next-line max-len
+const DEFAULT_IAST_REDACTION_NAME_PATTERN = '(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)'
+// eslint-disable-next-line max-len
+const DEFAULT_IAST_REDACTION_VALUE_PATTERN = '(?:bearer\\s+[a-z0-9\\._\\-]+|glpat-[\\w\\-]{20}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\\w=\\-]+\\.ey[I-L][\\w=\\-]+(?:\\.[\\w.+/=\\-]+)?|(?:[\\-]{5}BEGIN[a-z\\s]+PRIVATE\\sKEY[\\-]{5}[^\\-]+[\\-]{5}END[a-z\\s]+PRIVATE\\sKEY[\\-]{5}|ssh-rsa\\s*[a-z0-9/\\.+]{100,}))'
+
+module.exports = {
+  DEFAULT_IAST_REDACTION_NAME_PATTERN,
+  DEFAULT_IAST_REDACTION_VALUE_PATTERN
+}

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/index.js

@@ -1,4 +1,7 @@
+'use strict'
+
 const sensitiveHandler = require('./evidence-redaction/sensitive-handler')
+const { stringifyWithRanges } = require('./utils')
 
 class VulnerabilityFormatter {
   constructor () {
@@ -38,6 +41,13 @@ class VulnerabilityFormatter {
   getUnredactedValueParts (evidence, sourcesIndexes) {
     const valueParts = []
     let fromIndex = 0
+
+    if (typeof evidence.value === 'object' && evidence.rangesToApply) {
+      const { value, ranges } = stringifyWithRanges(evidence.value, evidence.rangesToApply)
+      evidence.value = value
+      evidence.ranges = ranges
+    }
+
     evidence.ranges.forEach((range, rangeIndex) => {
       if (fromIndex < range.start) {
         valueParts.push({ value: evidence.value.substring(fromIndex, range.start) })
@@ -45,14 +55,16 @@ class VulnerabilityFormatter {
       valueParts.push({ value: evidence.value.substring(range.start, range.end), source: sourcesIndexes[rangeIndex] })
       fromIndex = range.end
     })
+
     if (fromIndex < evidence.value.length) {
       valueParts.push({ value: evidence.value.substring(fromIndex) })
     }
+
     return { valueParts }
   }
 
   formatEvidence (type, evidence, sourcesIndexes, sources) {
-    if (!evidence.ranges) {
+    if (!evidence.ranges && !evidence.rangesToApply) {
       if (typeof evidence.value === 'undefined') {
         return undefined
       } else {

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/utils.js

@@ -0,0 +1,169 @@
+'use strict'
+
+const crypto = require('crypto')
+const { DEFAULT_IAST_REDACTION_VALUE_PATTERN } = require('./evidence-redaction/sensitive-regex')
+
+const STRINGIFY_RANGE_KEY = 'DD_' + crypto.randomBytes(20).toString('hex')
+const STRINGIFY_SENSITIVE_KEY = STRINGIFY_RANGE_KEY + 'SENSITIVE'
+const STRINGIFY_SENSITIVE_NOT_STRING_KEY = STRINGIFY_SENSITIVE_KEY + 'NOTSTRING'
+
+// eslint-disable-next-line max-len
+const KEYS_REGEX_WITH_SENSITIVE_RANGES = new RegExp(`(?:"(${STRINGIFY_RANGE_KEY}_\\d+_))|(?:"(${STRINGIFY_SENSITIVE_KEY}_\\d+_(\\d+)_))|("${STRINGIFY_SENSITIVE_NOT_STRING_KEY}_\\d+_([\\s0-9.a-zA-Z]*)")`, 'gm')
+const KEYS_REGEX_WITHOUT_SENSITIVE_RANGES = new RegExp(`"(${STRINGIFY_RANGE_KEY}_\\d+_)`, 'gm')
+
+const sensitiveValueRegex = new RegExp(DEFAULT_IAST_REDACTION_VALUE_PATTERN, 'gmi')
+
+function iterateObject (target, fn, levelKeys = [], depth = 50) {
+  Object.keys(target).forEach((key) => {
+    const nextLevelKeys = [...levelKeys, key]
+    const val = target[key]
+
+    fn(val, nextLevelKeys, target, key)
+
+    if (val !== null && typeof val === 'object') {
+      iterateObject(val, fn, nextLevelKeys, depth - 1)
+    }
+  })
+}
+
+function stringifyWithRanges (obj, objRanges, loadSensitiveRanges = false) {
+  let value
+  const ranges = []
+  const sensitiveRanges = []
+  objRanges = objRanges || {}
+
+  if (objRanges || loadSensitiveRanges) {
+    const cloneObj = Array.isArray(obj) ? [] : {}
+    let counter = 0
+    const allRanges = {}
+    const sensitiveKeysMapping = {}
+
+    iterateObject(obj, (val, levelKeys, parent, key) => {
+      let currentLevelClone = cloneObj
+      for (let i = 0; i < levelKeys.length - 1; i++) {
+        let levelKey = levelKeys[i]
+
+        if (!currentLevelClone[levelKey]) {
+          const sensitiveKey = sensitiveKeysMapping[levelKey]
+          if (currentLevelClone[sensitiveKey]) {
+            levelKey = sensitiveKey
+          }
+        }
+
+        currentLevelClone = currentLevelClone[levelKey]
+      }
+
+      if (loadSensitiveRanges) {
+        const sensitiveKey = sensitiveKeysMapping[key]
+        if (sensitiveKey) {
+          key = sensitiveKey
+        } else {
+          sensitiveValueRegex.lastIndex = 0
+
+          if (sensitiveValueRegex.test(key)) {
+            const current = counter++
+            const id = `${STRINGIFY_SENSITIVE_KEY}_${current}_${key.length}_`
+            key = `${id}${key}`
+          }
+        }
+      }
+
+      if (typeof val === 'string') {
+        const ranges = objRanges[levelKeys.join('.')]
+        if (ranges) {
+          const current = counter++
+          const id = `${STRINGIFY_RANGE_KEY}_${current}_`
+
+          allRanges[id] = ranges
+          currentLevelClone[key] = `${id}${val}`
+        } else {
+          currentLevelClone[key] = val
+        }
+        if (loadSensitiveRanges) {
+          const current = counter++
+          const id = `${STRINGIFY_SENSITIVE_KEY}_${current}_${val.length}_`
+
+          currentLevelClone[key] = `${id}${currentLevelClone[key]}`
+        }
+      } else if (typeof val !== 'object' || val === null) {
+        if (loadSensitiveRanges) {
+          const current = counter++
+          const id = `${STRINGIFY_SENSITIVE_NOT_STRING_KEY}_${current}_`
+
+          // this is special, in the final string we should modify "key_value_[null|false|true]..."
+          // by null|false|..... ignoring the beginning and ending quotes
+          currentLevelClone[key] = id + val
+        } else {
+          currentLevelClone[key] = val
+        }
+      } else if (Array.isArray(val)) {
+        currentLevelClone[key] = []
+      } else {
+        currentLevelClone[key] = {}
+      }
+    })
+
+    value = JSON.stringify(cloneObj, null, 2)
+
+    if (counter > 0) {
+      let keysRegex
+      if (loadSensitiveRanges) {
+        keysRegex = KEYS_REGEX_WITH_SENSITIVE_RANGES
+      } else {
+        keysRegex = KEYS_REGEX_WITHOUT_SENSITIVE_RANGES
+      }
+      keysRegex.lastIndex = 0
+
+      let regexRes = keysRegex.exec(value)
+      while (regexRes) {
+        const offset = regexRes.index + 1 // +1 to increase the " char
+
+        if (regexRes[1]) {
+          // is a range
+          const rangesId = regexRes[1]
+          value = value.replace(rangesId, '')
+
+          const updatedRanges = allRanges[rangesId].map(range => {
+            return {
+              ...range,
+              start: range.start + offset,
+              end: range.end + offset
+            }
+          })
+
+          ranges.push(...updatedRanges)
+        } else if (regexRes[2]) {
+          // is a sensitive string literal
+          const sensitiveId = regexRes[2]
+
+          sensitiveRanges.push({
+            start: offset,
+            end: offset + parseInt(regexRes[3])
+          })
+
+          value = value.replace(sensitiveId, '')
+        } else if (regexRes[4]) {
+          // is a sensitive value (number, null, false, ...)
+          const sensitiveId = regexRes[4]
+          const originalValue = regexRes[5]
+
+          sensitiveRanges.push({
+            start: regexRes.index,
+            end: regexRes.index + originalValue.length
+          })
+
+          value = value.replace(sensitiveId, originalValue)
+        }
+
+        keysRegex.lastIndex = 0
+        regexRes = keysRegex.exec(value)
+      }
+    }
+  } else {
+    value = JSON.stringify(obj, null, 2)
+  }
+
+  return { value, ranges, sensitiveRanges }
+}
+
+module.exports = { stringifyWithRanges }

package/packages/dd-trace/src/appsec/iast/vulnerabilities.js

@@ -5,6 +5,7 @@ module.exports = {
   LDAP_INJECTION: 'LDAP_INJECTION',
   NO_HTTPONLY_COOKIE: 'NO_HTTPONLY_COOKIE',
   NO_SAMESITE_COOKIE: 'NO_SAMESITE_COOKIE',
+  NOSQL_MONGODB_INJECTION: 'NOSQL_MONGODB_INJECTION',
   PATH_TRAVERSAL: 'PATH_TRAVERSAL',
   SQL_INJECTION: 'SQL_INJECTION',
   SSRF: 'SSRF',

package/packages/dd-trace/src/appsec/index.js

@@ -5,11 +5,14 @@ const RuleManager = require('./rule_manager')
 const remoteConfig = require('./remote_config')
 const {
   bodyParser,
+  cookieParser,
   graphqlFinishExecute,
   incomingHttpRequestStart,
   incomingHttpRequestEnd,
   passportVerify,
-  queryParser
+  queryParser,
+  nextBodyParsed,
+  nextQueryParsed
 } = require('./channels')
 const waf = require('./waf')
 const addresses = require('./addresses')
@@ -29,6 +32,8 @@ function enable (_config) {
   if (isEnabled) return
 
   try {
+    appsecTelemetry.enable(_config.telemetry)
+
     setTemplates(_config)
 
     RuleManager.applyRules(_config.appsec.rules, _config.appsec)
@@ -37,12 +42,13 @@ function enable (_config) {
 
     Reporter.setRateLimit(_config.appsec.rateLimit)
 
-    appsecTelemetry.enable(_config.telemetry)
-
     incomingHttpRequestStart.subscribe(incomingHttpStartTranslator)
     incomingHttpRequestEnd.subscribe(incomingHttpEndTranslator)
     bodyParser.subscribe(onRequestBodyParsed)
+    nextBodyParsed.subscribe(onRequestBodyParsed)
+    nextQueryParsed.subscribe(onRequestQueryParsed)
     queryParser.subscribe(onRequestQueryParsed)
+    cookieParser.subscribe(onRequestCookieParser)
     graphqlFinishExecute.subscribe(onGraphqlFinishExecute)
 
     if (_config.appsec.eventTracking.enabled) {
@@ -110,12 +116,13 @@ function incomingHttpEndTranslator ({ req, res }) {
     payload[addresses.HTTP_INCOMING_PARAMS] = req.params
   }
 
+  // we need to keep this to support other cookie parsers
   if (req.cookies && typeof req.cookies === 'object') {
-    payload[addresses.HTTP_INCOMING_COOKIES] = {}
+    payload[addresses.HTTP_INCOMING_COOKIES] = req.cookies
+  }
 
-    for (const k of Object.keys(req.cookies)) {
-      payload[addresses.HTTP_INCOMING_COOKIES][k] = [req.cookies[k]]
-    }
+  if (req.query && typeof req.query === 'object') {
+    payload[addresses.HTTP_INCOMING_QUERY] = req.query
   }
 
   waf.run(payload, req)
@@ -125,27 +132,50 @@ function incomingHttpEndTranslator ({ req, res }) {
   Reporter.finishRequest(req, res)
 }
 
-function onRequestBodyParsed ({ req, res, abortController }) {
+function onRequestBodyParsed ({ req, res, body, abortController }) {
+  if (body === undefined || body === null) return
+
+  if (!req) {
+    const store = storage.getStore()
+    req = store?.req
+  }
+
   const rootSpan = web.root(req)
   if (!rootSpan) return
 
-  if (req.body === undefined || req.body === null) return
-
   const results = waf.run({
-    [addresses.HTTP_INCOMING_BODY]: req.body
+    [addresses.HTTP_INCOMING_BODY]: body
   }, req)
 
   handleResults(results, req, res, rootSpan, abortController)
 }
 
-function onRequestQueryParsed ({ req, res, abortController }) {
+function onRequestQueryParsed ({ req, res, query, abortController }) {
+  if (!query || typeof query !== 'object') return
+
+  if (!req) {
+    const store = storage.getStore()
+    req = store?.req
+  }
+
   const rootSpan = web.root(req)
   if (!rootSpan) return
 
-  if (!req.query || typeof req.query !== 'object') return
+  const results = waf.run({
+    [addresses.HTTP_INCOMING_QUERY]: query
+  }, req)
+
+  handleResults(results, req, res, rootSpan, abortController)
+}
+
+function onRequestCookieParser ({ req, res, abortController, cookies }) {
+  if (!cookies || typeof cookies !== 'object') return
+
+  const rootSpan = web.root(req)
+  if (!rootSpan) return
 
   const results = waf.run({
-    [addresses.HTTP_INCOMING_QUERY]: req.query
+    [addresses.HTTP_INCOMING_COOKIES]: cookies
   }, req)
 
   handleResults(results, req, res, rootSpan, abortController)
@@ -201,6 +231,7 @@ function disable () {
   if (incomingHttpRequestStart.hasSubscribers) incomingHttpRequestStart.unsubscribe(incomingHttpStartTranslator)
   if (incomingHttpRequestEnd.hasSubscribers) incomingHttpRequestEnd.unsubscribe(incomingHttpEndTranslator)
   if (queryParser.hasSubscribers) queryParser.unsubscribe(onRequestQueryParsed)
+  if (cookieParser.hasSubscribers) cookieParser.unsubscribe(onRequestCookieParser)
   if (passportVerify.hasSubscribers) passportVerify.unsubscribe(onPassportVerify)
 }