dd-trace 4.47.1 → 4.49.0

package/packages/datadog-plugin-protobufjs/src/index.js

@@ -0,0 +1,14 @@
+const SchemaPlugin = require('../../dd-trace/src/plugins/schema')
+const SchemaExtractor = require('./schema_iterator')
+
+class ProtobufjsPlugin extends SchemaPlugin {
+  static get id () {
+    return 'protobufjs'
+  }
+
+  static get schemaExtractor () {
+    return SchemaExtractor
+  }
+}
+
+module.exports = ProtobufjsPlugin

package/packages/datadog-plugin-protobufjs/src/schema_iterator.js

@@ -0,0 +1,180 @@
+const PROTOBUF = 'protobuf'
+const {
+  SCHEMA_DEFINITION,
+  SCHEMA_ID,
+  SCHEMA_NAME,
+  SCHEMA_OPERATION,
+  SCHEMA_WEIGHT,
+  SCHEMA_TYPE
+} = require('../../dd-trace/src/constants')
+const log = require('../../dd-trace/src/log')
+const {
+  SchemaBuilder
+} = require('../../dd-trace/src/datastreams/schemas/schema_builder')
+
+class SchemaExtractor {
+  constructor (schema) {
+    this.schema = schema
+  }
+
+  static getTypeAndFormat (type) {
+    const typeFormatMapping = {
+      int32: ['integer', 'int32'],
+      int64: ['integer', 'int64'],
+      uint32: ['integer', 'uint32'],
+      uint64: ['integer', 'uint64'],
+      sint32: ['integer', 'sint32'],
+      sint64: ['integer', 'sint64'],
+      fixed32: ['integer', 'fixed32'],
+      fixed64: ['integer', 'fixed64'],
+      sfixed32: ['integer', 'sfixed32'],
+      sfixed64: ['integer', 'sfixed64'],
+      float: ['number', 'float'],
+      double: ['number', 'double'],
+      bool: ['boolean', null],
+      string: ['string', null],
+      bytes: ['string', 'byte'],
+      Enum: ['enum', null],
+      Type: ['type', null],
+      map: ['map', null],
+      repeated: ['array', null]
+    }
+
+    return typeFormatMapping[type] || ['string', null]
+  }
+
+  static extractProperty (field, schemaName, fieldName, builder, depth) {
+    let array = false
+    let description
+    let ref
+    let enumValues
+
+    const resolvedType = field.resolvedType ? field.resolvedType.constructor.name : field.type
+
+    const isRepeatedField = field.rule === 'repeated'
+
+    let typeFormat = this.getTypeAndFormat(isRepeatedField ? 'repeated' : resolvedType)
+    let type = typeFormat[0]
+    let format = typeFormat[1]
+
+    if (type === 'array') {
+      array = true
+      typeFormat = this.getTypeAndFormat(resolvedType)
+      type = typeFormat[0]
+      format = typeFormat[1]
+    }
+
+    if (type === 'type') {
+      format = null
+      ref = `#/components/schemas/${removeLeadingPeriod(field.resolvedType.fullName)}`
+      // keep a reference to the original builder iterator since when we recurse this reference will get reset to
+      // deeper schemas
+      const originalSchemaExtractor = builder.iterator
+      if (!this.extractSchema(field.resolvedType, builder, depth, this)) {
+        return false
+      }
+      type = 'object'
+      builder.iterator = originalSchemaExtractor
+    } else if (type === 'enum') {
+      enumValues = []
+      let i = 0
+      while (field.resolvedType.valuesById[i]) {
+        enumValues.push(field.resolvedType.valuesById[i])
+        i += 1
+      }
+    }
+    return builder.addProperty(schemaName, fieldName, array, type, description, ref, format, enumValues)
+  }
+
+  static extractSchema (schema, builder, depth, extractor) {
+    depth += 1
+    const schemaName = removeLeadingPeriod(schema.resolvedType ? schema.resolvedType.fullName : schema.fullName)
+    if (extractor) {
+      // if we already have a defined extractor, this is a nested schema. create a new extractor for the nested
+      // schema, ensure it is added to our schema builder's cache, and replace the builders iterator with our
+      // nested schema iterator / extractor. Once complete, add the new schema to our builder's schemas.
+      const nestedSchemaExtractor = new SchemaExtractor(schema)
+      builder.iterator = nestedSchemaExtractor
+      const nestedSchema = SchemaBuilder.getSchema(schemaName, nestedSchemaExtractor, builder)
+      for (const nestedSubSchemaName in nestedSchema.components.schemas) {
+        if (nestedSchema.components.schemas.hasOwnProperty(nestedSubSchemaName)) {
+          builder.schema.components.schemas[nestedSubSchemaName] = nestedSchema.components.schemas[nestedSubSchemaName]
+        }
+      }
+      return true
+    } else {
+      if (!builder.shouldExtractSchema(schemaName, depth)) {
+        return false
+      }
+      for (const field of schema.fieldsArray) {
+        if (!this.extractProperty(field, schemaName, field.name, builder, depth)) {
+          log.warn(`DSM: Unable to extract field with name: ${field.name} from Avro schema with name: ${schemaName}`)
+        }
+      }
+      return true
+    }
+  }
+
+  static extractSchemas (descriptor, dataStreamsProcessor) {
+    const schemaName = removeLeadingPeriod(
+      descriptor.resolvedType ? descriptor.resolvedType.fullName : descriptor.fullName
+    )
+    return dataStreamsProcessor.getSchema(schemaName, new SchemaExtractor(descriptor))
+  }
+
+  iterateOverSchema (builder) {
+    this.constructor.extractSchema(this.schema, builder, 0)
+  }
+
+  static attachSchemaOnSpan (args, span, operation, tracer) {
+    const { messageClass } = args
+    const descriptor = messageClass.$type ?? messageClass
+
+    if (!descriptor || !span) {
+      return
+    }
+
+    if (span.context()._tags[SCHEMA_TYPE] && operation === 'serialization') {
+      // we have already added a schema to this span, this call is an encode of nested schema types
+      return
+    }
+
+    span.setTag(SCHEMA_TYPE, PROTOBUF)
+    span.setTag(SCHEMA_NAME, removeLeadingPeriod(descriptor.fullName))
+    span.setTag(SCHEMA_OPERATION, operation)
+
+    if (!tracer._dataStreamsProcessor.canSampleSchema(operation)) {
+      return
+    }
+
+    // if the span is unsampled, do not sample the schema
+    if (!tracer._prioritySampler.isSampled(span)) {
+      return
+    }
+
+    const weight = tracer._dataStreamsProcessor.trySampleSchema(operation)
+    if (weight === 0) {
+      return
+    }
+
+    const schemaData = SchemaBuilder.getSchemaDefinition(
+      this.extractSchemas(descriptor, tracer._dataStreamsProcessor)
+    )
+
+    span.setTag(SCHEMA_DEFINITION, schemaData.definition)
+    span.setTag(SCHEMA_WEIGHT, weight)
+    span.setTag(SCHEMA_ID, schemaData.id)
+  }
+}
+
+function removeLeadingPeriod (str) {
+  // Check if the first character is a period
+  if (str.charAt(0) === '.') {
+    // Remove the first character
+    return str.slice(1)
+  }
+  // Return the original string if the first character is not a period
+  return str
+}
+
+module.exports = SchemaExtractor

package/packages/dd-trace/src/appsec/addresses.js

@@ -23,6 +23,13 @@ module.exports = {
   WAF_CONTEXT_PROCESSOR: 'waf.context.processor',
 
   HTTP_OUTGOING_URL: 'server.io.net.url',
+  FS_OPERATION_PATH: 'server.io.fs.file',
+
   DB_STATEMENT: 'server.db.statement',
-  DB_SYSTEM: 'server.db.system'
+  DB_SYSTEM: 'server.db.system',
+
+  SHELL_COMMAND: 'server.sys.shell.cmd',
+
+  LOGIN_SUCCESS: 'server.business_logic.users.login.success',
+  LOGIN_FAILURE: 'server.business_logic.users.login.failure'
 }

package/packages/dd-trace/src/appsec/channels.js

@@ -6,6 +6,7 @@ const dc = require('dc-polyfill')
 module.exports = {
   bodyParser: dc.channel('datadog:body-parser:read:finish'),
   cookieParser: dc.channel('datadog:cookie-parser:read:finish'),
+  multerParser: dc.channel('datadog:multer:read:finish'),
   startGraphqlResolve: dc.channel('datadog:graphql:resolver:start'),
   graphqlMiddlewareChannel: dc.tracingChannel('datadog:apollo:middleware'),
   apolloChannel: dc.tracingChannel('datadog:apollo:request'),
@@ -17,6 +18,7 @@ module.exports = {
   setCookieChannel: dc.channel('datadog:iast:set-cookie'),
   nextBodyParsed: dc.channel('apm:next:body-parsed'),
   nextQueryParsed: dc.channel('apm:next:query-parsed'),
+  expressProcessParams: dc.channel('datadog:express:process_params:start'),
   responseBody: dc.channel('datadog:express:response:json:start'),
   responseWriteHead: dc.channel('apm:http:server:response:writeHead:start'),
   httpClientRequestStart: dc.channel('apm:http:client:request:start'),
@@ -24,5 +26,9 @@ module.exports = {
   setUncaughtExceptionCaptureCallbackStart: dc.channel('datadog:process:setUncaughtExceptionCaptureCallback:start'),
   pgQueryStart: dc.channel('apm:pg:query:start'),
   pgPoolQueryStart: dc.channel('datadog:pg:pool:query:start'),
-  wafRunFinished: dc.channel('datadog:waf:run:finish')
+  mysql2OuterQueryStart: dc.channel('datadog:mysql2:outerquery:start'),
+  wafRunFinished: dc.channel('datadog:waf:run:finish'),
+  fsOperationStart: dc.channel('apm:fs:operation:start'),
+  expressMiddlewareError: dc.channel('apm:express:middleware:error'),
+  childProcessExecutionTracingChannel: dc.tracingChannel('datadog:child_process:execution')
 }

package/packages/dd-trace/src/appsec/iast/analyzers/cookie-analyzer.js

@@ -2,6 +2,7 @@
 
 const Analyzer = require('./vulnerability-analyzer')
 const { getNodeModulesPaths } = require('../path-line')
+const iastLog = require('../iast-log')
 
 const EXCLUDED_PATHS = getNodeModulesPaths('express/lib/response.js')
 
@@ -11,7 +12,14 @@ class CookieAnalyzer extends Analyzer {
     this.propertyToBeSafe = propertyToBeSafe.toLowerCase()
   }
 
-  onConfigure () {
+  onConfigure (config) {
+    try {
+      this.cookieFilterRegExp = new RegExp(config.iast.cookieFilterPattern)
+    } catch {
+      iastLog.error('Invalid regex in cookieFilterPattern')
+      this.cookieFilterRegExp = /.{32,}/
+    }
+
     this.addSub(
       { channelName: 'datadog:iast:set-cookie', moduleName: 'http' },
       (cookieInfo) => this.analyze(cookieInfo)
@@ -28,6 +36,10 @@ class CookieAnalyzer extends Analyzer {
   }
 
   _createHashSource (type, evidence, location) {
+    if (typeof evidence.value === 'string' && evidence.value.match(this.cookieFilterRegExp)) {
+      return 'FILTERED_' + this._type
+    }
+
     return `${type}:${evidence.value}`
   }
 

package/packages/dd-trace/src/appsec/iast/analyzers/path-traversal-analyzer.js

@@ -29,7 +29,14 @@ class PathTraversalAnalyzer extends InjectionAnalyzer {
 
   onConfigure () {
     this.addSub('apm:fs:operation:start', (obj) => {
-      if (ignoredOperations.includes(obj.operation)) return
+      const store = storage.getStore()
+      const outOfReqOrChild = !store?.fs?.root
+
+      // we could filter out all the nested fs.operations based on store.fs.root
+      // but if we spect a store in the context to be present we are going to exclude
+      // all out_of_the_request fs.operations
+      // AppsecFsPlugin must be enabled
+      if (ignoredOperations.includes(obj.operation) || outOfReqOrChild) return
 
       const pathArguments = []
       if (obj.dest) {

package/packages/dd-trace/src/appsec/iast/iast-plugin.js

@@ -127,7 +127,7 @@ class IastPlugin extends Plugin {
       config = { enabled: config }
     }
     if (config.enabled && !this.configured) {
-      this.onConfigure()
+      this.onConfigure(config.tracerConfig)
       this.configured = true
     }
 

package/packages/dd-trace/src/appsec/iast/index.js

@@ -14,6 +14,7 @@ const {
 } = require('./taint-tracking')
 const { IAST_ENABLED_TAG_KEY } = require('./tags')
 const iastTelemetry = require('./telemetry')
+const { enable: enableFsPlugin, disable: disableFsPlugin, IAST_MODULE } = require('../rasp/fs-plugin')
 
 // TODO Change to `apm:http:server:request:[start|close]` when the subscription
 //  order of the callbacks can be enforce
@@ -27,6 +28,7 @@ function enable (config, _tracer) {
   if (isEnabled) return
 
   iastTelemetry.configure(config, config.iast?.telemetryVerbosity)
+  enableFsPlugin(IAST_MODULE)
   enableAllAnalyzers(config)
   enableTaintTracking(config.iast, iastTelemetry.verbosity)
   requestStart.subscribe(onIncomingHttpRequestStart)
@@ -44,6 +46,7 @@ function disable () {
   isEnabled = false
 
   iastTelemetry.stop()
+  disableFsPlugin(IAST_MODULE)
   disableAllAnalyzers()
   disableTaintTracking()
   overheadController.finishGlobalContext()

package/packages/dd-trace/src/appsec/iast/taint-tracking/csi-methods.js

@@ -12,6 +12,7 @@ const csiMethods = [
   { src: 'substring' },
   { src: 'toLowerCase', dst: 'stringCase' },
   { src: 'toUpperCase', dst: 'stringCase' },
+  { src: 'tplOperator', operator: true },
   { src: 'trim' },
   { src: 'trimEnd' },
   { src: 'trimStart', dst: 'trim' },

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js

@@ -23,18 +23,26 @@ class TaintTrackingPlugin extends SourceIastPlugin {
   constructor () {
     super()
     this._type = 'taint-tracking'
+    this._taintedURLs = new WeakMap()
   }
 
   onConfigure () {
+    const onRequestBody = ({ req }) => {
+      const iastContext = getIastContext(storage.getStore())
+      if (iastContext && iastContext.body !== req.body) {
+        this._taintTrackingHandler(HTTP_REQUEST_BODY, req, 'body', iastContext)
+        iastContext.body = req.body
+      }
+    }
+
     this.addSub(
       { channelName: 'datadog:body-parser:read:finish', tag: HTTP_REQUEST_BODY },
-      ({ req }) => {
-        const iastContext = getIastContext(storage.getStore())
-        if (iastContext && iastContext.body !== req.body) {
-          this._taintTrackingHandler(HTTP_REQUEST_BODY, req, 'body', iastContext)
-          iastContext.body = req.body
-        }
-      }
+      onRequestBody
+    )
+
+    this.addSub(
+      { channelName: 'datadog:multer:read:finish', tag: HTTP_REQUEST_BODY },
+      onRequestBody
     )
 
     this.addSub(
@@ -81,6 +89,46 @@ class TaintTrackingPlugin extends SourceIastPlugin {
       }
     )
 
+    const urlResultTaintedProperties = ['host', 'origin', 'hostname']
+    this.addSub(
+      { channelName: 'datadog:url:parse:finish' },
+      ({ input, base, parsed, isURL }) => {
+        const iastContext = getIastContext(storage.getStore())
+        let ranges
+
+        if (base) {
+          ranges = getRanges(iastContext, base)
+        } else {
+          ranges = getRanges(iastContext, input)
+        }
+
+        if (ranges?.length) {
+          if (isURL) {
+            this._taintedURLs.set(parsed, ranges[0])
+          } else {
+            urlResultTaintedProperties.forEach(param => {
+              this._taintTrackingHandler(ranges[0].iinfo.type, parsed, param, iastContext)
+            })
+          }
+        }
+      }
+    )
+
+    this.addSub(
+      { channelName: 'datadog:url:getter:finish' },
+      (context) => {
+        if (!urlResultTaintedProperties.includes(context.property)) return
+
+        const origRange = this._taintedURLs.get(context.urlObject)
+        if (!origRange) return
+
+        const iastContext = getIastContext(storage.getStore())
+        if (!iastContext) return
+
+        context.result =
+          newTaintedString(iastContext, context.result, origRange.iinfo.parameterName, origRange.iinfo.type)
+      })
+
     // this is a special case to increment INSTRUMENTED_SOURCE metric for header
     this.addInstrumentedSource('http', [HTTP_REQUEST_HEADER_VALUE, HTTP_REQUEST_HEADER_NAME])
   }

package/packages/dd-trace/src/appsec/iast/taint-tracking/taint-tracking-impl.js

@@ -29,6 +29,7 @@ const TaintTrackingNoop = {
   substr: noop,
   substring: noop,
   stringCase: noop,
+  tplOperator: noop,
   trim: noop,
   trimEnd: noop
 }
@@ -117,6 +118,20 @@ function csiMethodsOverrides (getContext) {
       return res
     },
 
+    tplOperator: function (res, ...rest) {
+      try {
+        const iastContext = getContext()
+        const transactionId = getTransactionId(iastContext)
+        if (transactionId) {
+          return TaintedUtils.concat(transactionId, res, ...rest)
+        }
+      } catch (e) {
+        iastLog.error('Error invoking CSI tplOperator')
+          .errorAndPublish(e)
+      }
+      return res
+    },
+
     stringCase: getCsiFn(
       (transactionId, res, target) => TaintedUtils.stringCase(transactionId, res, target),
       getContext,

package/packages/dd-trace/src/appsec/iast/vulnerability-reporter.js

@@ -1,10 +1,11 @@
 'use strict'
 
-const { MANUAL_KEEP } = require('../../../../../ext/tags')
 const LRU = require('lru-cache')
 const vulnerabilitiesFormatter = require('./vulnerabilities-formatter')
 const { IAST_ENABLED_TAG_KEY, IAST_JSON_TAG_KEY } = require('./tags')
 const standalone = require('../standalone')
+const { SAMPLING_MECHANISM_APPSEC } = require('../../constants')
+const { keepTrace } = require('../../priority_sampler')
 
 const VULNERABILITIES_KEY = 'vulnerabilities'
 const VULNERABILITY_HASHES_MAX_SIZE = 1000
@@ -56,9 +57,10 @@ function sendVulnerabilities (vulnerabilities, rootSpan) {
         const tags = {}
         // TODO: Store this outside of the span and set the tag in the exporter.
         tags[IAST_JSON_TAG_KEY] = JSON.stringify(jsonToSend)
-        tags[MANUAL_KEEP] = 'true'
         span.addTags(tags)
 
+        keepTrace(span, SAMPLING_MECHANISM_APPSEC)
+
         standalone.sample(span)
 
         if (!rootSpan) span.finish()

package/packages/dd-trace/src/appsec/index.js

@@ -6,12 +6,14 @@ const remoteConfig = require('./remote_config')
 const {
   bodyParser,
   cookieParser,
+  multerParser,
   incomingHttpRequestStart,
   incomingHttpRequestEnd,
   passportVerify,
   queryParser,
   nextBodyParsed,
   nextQueryParsed,
+  expressProcessParams,
   responseBody,
   responseWriteHead,
   responseSetHeader
@@ -30,6 +32,8 @@ const { storage } = require('../../../datadog-core')
 const graphql = require('./graphql')
 const rasp = require('./rasp')
 
+const responseAnalyzedSet = new WeakSet()
+
 let isEnabled = false
 let config
 
@@ -54,13 +58,15 @@ function enable (_config) {
 
     apiSecuritySampler.configure(_config.appsec)
 
+    bodyParser.subscribe(onRequestBodyParsed)
+    multerParser.subscribe(onRequestBodyParsed)
+    cookieParser.subscribe(onRequestCookieParser)
     incomingHttpRequestStart.subscribe(incomingHttpStartTranslator)
     incomingHttpRequestEnd.subscribe(incomingHttpEndTranslator)
-    bodyParser.subscribe(onRequestBodyParsed)
+    queryParser.subscribe(onRequestQueryParsed)
     nextBodyParsed.subscribe(onRequestBodyParsed)
     nextQueryParsed.subscribe(onRequestQueryParsed)
-    queryParser.subscribe(onRequestQueryParsed)
-    cookieParser.subscribe(onRequestCookieParser)
+    expressProcessParams.subscribe(onRequestProcessParams)
     responseBody.subscribe(onResponseBody)
     responseWriteHead.subscribe(onResponseWriteHead)
     responseSetHeader.subscribe(onResponseSetHeader)
@@ -79,6 +85,41 @@ function enable (_config) {
   }
 }
 
+function onRequestBodyParsed ({ req, res, body, abortController }) {
+  if (body === undefined || body === null) return
+
+  if (!req) {
+    const store = storage.getStore()
+    req = store?.req
+  }
+
+  const rootSpan = web.root(req)
+  if (!rootSpan) return
+
+  const results = waf.run({
+    persistent: {
+      [addresses.HTTP_INCOMING_BODY]: body
+    }
+  }, req)
+
+  handleResults(results, req, res, rootSpan, abortController)
+}
+
+function onRequestCookieParser ({ req, res, abortController, cookies }) {
+  if (!cookies || typeof cookies !== 'object') return
+
+  const rootSpan = web.root(req)
+  if (!rootSpan) return
+
+  const results = waf.run({
+    persistent: {
+      [addresses.HTTP_INCOMING_COOKIES]: cookies
+    }
+  }, req)
+
+  handleResults(results, req, res, rootSpan, abortController)
+}
+
 function incomingHttpStartTranslator ({ req, res, abortController }) {
   const rootSpan = web.root(req)
   if (!rootSpan) return
@@ -122,11 +163,6 @@ function incomingHttpEndTranslator ({ req, res }) {
     persistent[addresses.HTTP_INCOMING_BODY] = req.body
   }
 
-  // TODO: temporary express instrumentation, will use express plugin later
-  if (req.params !== null && typeof req.params === 'object') {
-    persistent[addresses.HTTP_INCOMING_PARAMS] = req.params
-  }
-
   // we need to keep this to support other cookie parsers
   if (req.cookies !== null && typeof req.cookies === 'object') {
     persistent[addresses.HTTP_INCOMING_COOKIES] = req.cookies
@@ -145,24 +181,16 @@ function incomingHttpEndTranslator ({ req, res }) {
   Reporter.finishRequest(req, res)
 }
 
-function onRequestBodyParsed ({ req, res, body, abortController }) {
-  if (body === undefined || body === null) return
+function onPassportVerify ({ credentials, user }) {
+  const store = storage.getStore()
+  const rootSpan = store?.req && web.root(store.req)
 
-  if (!req) {
-    const store = storage.getStore()
-    req = store?.req
+  if (!rootSpan) {
+    log.warn('No rootSpan found in onPassportVerify')
+    return
   }
 
-  const rootSpan = web.root(req)
-  if (!rootSpan) return
-
-  const results = waf.run({
-    persistent: {
-      [addresses.HTTP_INCOMING_BODY]: body
-    }
-  }, req)
-
-  handleResults(results, req, res, rootSpan, abortController)
+  passportTrackEvent(credentials, user, rootSpan, config.appsec.eventTracking.mode)
 }
 
 function onRequestQueryParsed ({ req, res, query, abortController }) {
@@ -185,15 +213,15 @@ function onRequestQueryParsed ({ req, res, query, abortController }) {
   handleResults(results, req, res, rootSpan, abortController)
 }
 
-function onRequestCookieParser ({ req, res, abortController, cookies }) {
-  if (!cookies || typeof cookies !== 'object') return
-
+function onRequestProcessParams ({ req, res, abortController, params }) {
   const rootSpan = web.root(req)
   if (!rootSpan) return
 
+  if (!params || typeof params !== 'object' || !Object.keys(params).length) return
+
   const results = waf.run({
     persistent: {
-      [addresses.HTTP_INCOMING_COOKIES]: cookies
+      [addresses.HTTP_INCOMING_PARAMS]: params
     }
   }, req)
 
@@ -212,20 +240,6 @@ function onResponseBody ({ req, body }) {
   }, req)
 }
 
-function onPassportVerify ({ credentials, user }) {
-  const store = storage.getStore()
-  const rootSpan = store?.req && web.root(store.req)
-
-  if (!rootSpan) {
-    log.warn('No rootSpan found in onPassportVerify')
-    return
-  }
-
-  passportTrackEvent(credentials, user, rootSpan, config.appsec.eventTracking.mode)
-}
-
-const responseAnalyzedSet = new WeakSet()
-
 function onResponseWriteHead ({ req, res, abortController, statusCode, responseHeaders }) {
   // avoid "write after end" error
   if (isBlocked(res)) {
@@ -287,12 +301,16 @@ function disable () {
 
   // Channel#unsubscribe() is undefined for non active channels
   if (bodyParser.hasSubscribers) bodyParser.unsubscribe(onRequestBodyParsed)
+  if (multerParser.hasSubscribers) multerParser.unsubscribe(onRequestBodyParsed)
+  if (cookieParser.hasSubscribers) cookieParser.unsubscribe(onRequestCookieParser)
   if (incomingHttpRequestStart.hasSubscribers) incomingHttpRequestStart.unsubscribe(incomingHttpStartTranslator)
   if (incomingHttpRequestEnd.hasSubscribers) incomingHttpRequestEnd.unsubscribe(incomingHttpEndTranslator)
+  if (passportVerify.hasSubscribers) passportVerify.unsubscribe(onPassportVerify)
   if (queryParser.hasSubscribers) queryParser.unsubscribe(onRequestQueryParsed)
-  if (cookieParser.hasSubscribers) cookieParser.unsubscribe(onRequestCookieParser)
+  if (nextBodyParsed.hasSubscribers) nextBodyParsed.unsubscribe(onRequestBodyParsed)
+  if (nextQueryParsed.hasSubscribers) nextQueryParsed.unsubscribe(onRequestQueryParsed)
+  if (expressProcessParams.hasSubscribers) expressProcessParams.unsubscribe(onRequestProcessParams)
   if (responseBody.hasSubscribers) responseBody.unsubscribe(onResponseBody)
-  if (passportVerify.hasSubscribers) passportVerify.unsubscribe(onPassportVerify)
   if (responseWriteHead.hasSubscribers) responseWriteHead.unsubscribe(onResponseWriteHead)
   if (responseSetHeader.hasSubscribers) responseSetHeader.unsubscribe(onResponseSetHeader)
 }