dd-trace 5.45.0 → 5.47.0

package/packages/dd-trace/src/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.js

@@ -12,6 +12,9 @@ const EXCLUDED_PATHS_FROM_STACK = getNodeModulesPaths('mongodb', 'mongoose', 'mq
 const { NOSQL_MONGODB_INJECTION_MARK } = require('../taint-tracking/secure-marks')
 const { iterateObjectStrings } = require('../utils')
 
+const SAFE_OPERATORS = new Set(['$eq', '$gt', '$gte', '$in', '$lt', '$lte', '$ne', '$nin',
+  '$exists', '$type', '$mod', '$bitsAllClear', '$bitsAllSet', '$bitsAnyClear', '$bitsAnySet'])
+
 class NosqlInjectionMongodbAnalyzer extends InjectionAnalyzer {
   constructor () {
     super(NOSQL_MONGODB_INJECTION)
@@ -103,7 +106,11 @@ class NosqlInjectionMongodbAnalyzer extends InjectionAnalyzer {
     })
   }
 
-  _isVulnerableRange (range) {
+  _isVulnerableRange (range, value) {
+    const rangeIsWholeValue = range.start === 0 && range.end === value?.length
+
+    if (!rangeIsWholeValue) return false
+
     const rangeType = range?.iinfo?.type
     return rangeType === HTTP_REQUEST_PARAMETER || rangeType === HTTP_REQUEST_BODY
   }
@@ -119,29 +126,25 @@ class NosqlInjectionMongodbAnalyzer extends InjectionAnalyzer {
       const rangesByKey = {}
       const allRanges = []
 
-      iterateObjectStrings(value.filter, (val, nextLevelKeys) => {
+      iterateMongodbQueryStrings(value.filter, (val, nextLevelKeys) => {
         let ranges = getRanges(iastContext, val)
-        if (ranges?.length) {
-          const filteredRanges = []
-
+        if (ranges?.length === 1) {
           ranges = this._filterSecureRanges(ranges)
           if (!ranges.length) {
             this._incrementSuppressedMetric(iastContext)
+            return
           }
 
-          for (const range of ranges) {
-            if (this._isVulnerableRange(range)) {
-              isVulnerable = true
-              filteredRanges.push(range)
-            }
+          const range = ranges[0]
+          if (!this._isVulnerableRange(range, val)) {
+            return
           }
+          isVulnerable = true
 
-          if (filteredRanges.length > 0) {
-            rangesByKey[nextLevelKeys.join('.')] = filteredRanges
-            allRanges.push(...filteredRanges)
-          }
+          rangesByKey[nextLevelKeys.join('.')] = ranges
+          allRanges.push(range)
         }
-      }, [], 4)
+      })
 
       if (isVulnerable) {
         value.rangesToApply = rangesByKey
@@ -162,4 +165,25 @@ class NosqlInjectionMongodbAnalyzer extends InjectionAnalyzer {
   }
 }
 
+function iterateMongodbQueryStrings (target, fn, levelKeys = [], depth = 10, visited = new Set()) {
+  if (target !== null && typeof target === 'object') {
+    if (visited.has(target)) return
+
+    visited.add(target)
+
+    Object.keys(target).forEach((key) => {
+      if (SAFE_OPERATORS.has(key)) return
+
+      const nextLevelKeys = [...levelKeys, key]
+      const val = target[key]
+
+      if (typeof val === 'string') {
+        fn(val, nextLevelKeys, target, key)
+      } else if (depth > 0) {
+        iterateMongodbQueryStrings(val, fn, nextLevelKeys, depth - 1, visited)
+      }
+    })
+  }
+}
+
 module.exports = new NosqlInjectionMongodbAnalyzer()

package/packages/dd-trace/src/appsec/iast/taint-tracking/filter.js

@@ -6,11 +6,11 @@ const isPrivateModule = function (file) {
   return file && file.indexOf(NODE_MODULES) === -1
 }
 
-const isNotLibraryFile = function (file) {
-  return file && file.indexOf('dd-trace-js') === -1 && file.indexOf('dd-trace') === -1
+const isDdTrace = function (file) {
+  return file && (file.indexOf('dd-trace-js') !== -1 || file.indexOf('dd-trace') !== -1)
 }
 
 module.exports = {
   isPrivateModule,
-  isNotLibraryFile
+  isDdTrace
 }

package/packages/dd-trace/src/appsec/iast/taint-tracking/index.js

@@ -1,6 +1,5 @@
 'use strict'
 
-const { enableRewriter, disableRewriter } = require('./rewriter')
 const {
   createTransaction,
   removeTransaction,
@@ -16,7 +15,6 @@ const kafkaContextPlugin = require('../context/kafka-ctx-plugin')
 
 module.exports = {
   enableTaintTracking (config, telemetryVerbosity) {
-    enableRewriter(telemetryVerbosity)
     enableTaintOperations(telemetryVerbosity)
     taintTrackingPlugin.enable(config)
 
@@ -26,7 +24,6 @@ module.exports = {
     setMaxTransactions(config.maxConcurrentRequests)
   },
   disableTaintTracking () {
-    disableRewriter()
     disableTaintOperations()
     taintTrackingPlugin.disable()
 

package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter-esm.mjs

@@ -3,28 +3,30 @@
 import path from 'path'
 import { URL } from 'url'
 import { getName } from '../telemetry/verbosity.js'
-import { isNotLibraryFile, isPrivateModule } from './filter.js'
+import { isDdTrace, isPrivateModule } from './filter.js'
 import constants from './constants.js'
 
 const currentUrl = new URL(import.meta.url)
 const ddTraceDir = path.join(currentUrl.pathname, '..', '..', '..', '..', '..', '..')
 
-let port, rewriter
+let port, rewriter, iastEnabled
 
 export async function initialize (data) {
   if (rewriter) return Promise.reject(new Error('ALREADY INITIALIZED'))
 
-  const { csiMethods, telemetryVerbosity, chainSourceMap } = data
+  const { csiMethods, telemetryVerbosity, chainSourceMap, orchestrionConfig } = data
   port = data.port
+  iastEnabled = data.iastEnabled
 
-  const iastRewriter = await import('@datadog/native-iast-rewriter')
+  const iastRewriter = await import('@datadog/wasm-js-rewriter')
 
   const { NonCacheRewriter } = iastRewriter.default
 
   rewriter = new NonCacheRewriter({
     csiMethods,
     telemetryVerbosity: getName(telemetryVerbosity),
-    chainSourceMap
+    chainSourceMap,
+    orchestrion: orchestrionConfig
   })
 }
 
@@ -35,15 +37,26 @@ export async function load (url, context, nextLoad) {
   if (!result.source) return result
   if (url.includes(ddTraceDir) || url.includes('iitm=true')) return result
 
+  let passes
   try {
-    if (isPrivateModule(url) && isNotLibraryFile(url)) {
-      const rewritten = rewriter.rewrite(result.source.toString(), url)
-
-      if (rewritten?.content) {
-        result.source = rewritten.content || result.source
-        const data = { url, rewritten }
-        port.postMessage({ type: constants.REWRITTEN_MESSAGE, data })
+    if (isDdTrace(url)) {
+      return result
+    }
+    if (isPrivateModule(url)) {
+      // TODO error tracking needs to be added based on config
+      passes = ['error_tracking']
+      if (iastEnabled) {
+        passes.push('iast')
       }
+    } else {
+      passes = ['orchestrion']
+    }
+    const rewritten = rewriter.rewrite(result.source.toString(), url, passes)
+
+    if (rewritten?.content) {
+      result.source = rewritten.content || result.source
+      const data = { url, rewritten }
+      port.postMessage({ type: constants.REWRITTEN_MESSAGE, data })
     }
   } catch (e) {
     const newErrObject = {

package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter-telemetry.js

@@ -4,39 +4,10 @@ const iastTelemetry = require('../telemetry')
 const { Verbosity } = require('../telemetry/verbosity')
 const { INSTRUMENTED_PROPAGATION } = require('../telemetry/iast-metric')
 
-const telemetryRewriter = {
-  off (content, filename, rewriter) {
-    return rewriter.rewrite(content, filename)
-  },
-
-  information (content, filename, rewriter) {
-    const response = this.off(content, filename, rewriter)
-
-    incrementTelemetry(response.metrics)
-
-    return response
-  }
-}
-
-function getRewriteFunction (rewriter) {
-  switch (iastTelemetry.verbosity) {
-    case Verbosity.OFF:
-      return (content, filename) => telemetryRewriter.off(content, filename, rewriter)
-    default:
-      return (content, filename) => telemetryRewriter.information(content, filename, rewriter)
-  }
-}
-
-function incrementTelemetry (metrics) {
-  if (metrics?.instrumentedPropagation) {
-    INSTRUMENTED_PROPAGATION.inc(undefined, metrics.instrumentedPropagation)
-  }
-}
-
 function incrementTelemetryIfNeeded (metrics) {
-  if (iastTelemetry.verbosity !== Verbosity.OFF) {
-    incrementTelemetry(metrics)
+  if (iastTelemetry.verbosity !== Verbosity.OFF && metrics?.instrumentedPropagation) {
+    INSTRUMENTED_PROPAGATION.inc(undefined, metrics.instrumentedPropagation)
   }
 }
 
-module.exports = { getRewriteFunction, incrementTelemetryIfNeeded }
+module.exports = { incrementTelemetryIfNeeded }

package/packages/dd-trace/src/appsec/iast/taint-tracking/rewriter.js

@@ -4,69 +4,70 @@ const Module = require('module')
 const { pathToFileURL } = require('url')
 const { MessageChannel } = require('worker_threads')
 const shimmer = require('../../../../../datadog-shimmer')
-const { isPrivateModule, isNotLibraryFile } = require('./filter')
+const { isPrivateModule, isDdTrace } = require('./filter')
 const { csiMethods } = require('./csi-methods')
 const { getName } = require('../telemetry/verbosity')
-const { getRewriteFunction, incrementTelemetryIfNeeded } = require('./rewriter-telemetry')
+const telemetry = require('../telemetry')
+const { incrementTelemetryIfNeeded } = require('./rewriter-telemetry')
 const dc = require('dc-polyfill')
 const log = require('../../../log')
 const { isMainThread } = require('worker_threads')
 const { LOG_MESSAGE, REWRITTEN_MESSAGE } = require('./constants')
+const orchestrionConfig = require('../../../../../datadog-instrumentations/src/orchestrion-config')
 
+let config
 const hardcodedSecretCh = dc.channel('datadog:secrets:result')
 let rewriter
+let unwrapCompile = () => {}
 let getPrepareStackTrace, cacheRewrittenSourceMap
 let kSymbolPrepareStackTrace
 let esmRewriterEnabled = false
 
-let getRewriterOriginalPathAndLineFromSourceMap = function (path, line, column) {
-  return { path, line, column }
-}
-
 function isFlagPresent (flag) {
   return process.env.NODE_OPTIONS?.includes(flag) ||
     process.execArgv?.some(arg => arg.includes(flag))
 }
 
-function getGetOriginalPathAndLineFromSourceMapFunction (chainSourceMap, getOriginalPathAndLineFromSourceMap) {
-  if (chainSourceMap) {
-    return function (path, line, column) {
+let getRewriterOriginalPathAndLineFromSourceMap = function (path, line, column) {
+  return { path, line, column }
+}
+
+function setGetOriginalPathAndLineFromSourceMapFunction (chainSourceMap, { getOriginalPathAndLineFromSourceMap }) {
+  if (!getOriginalPathAndLineFromSourceMap) return
+
+  getRewriterOriginalPathAndLineFromSourceMap = chainSourceMap
+    ? (path, line, column) => {
       // if --enable-source-maps is present stacktraces of the rewritten files contain the original path, file and
       // column because the sourcemap chaining is done during the rewriting process so we can skip it
-      if (isPrivateModule(path) && isNotLibraryFile(path)) {
-        return { path, line, column }
-      } else {
-        return getOriginalPathAndLineFromSourceMap(path, line, column)
+        if (isPrivateModule(path) && !isDdTrace(path)) {
+          return { path, line, column }
+        } else {
+          return getOriginalPathAndLineFromSourceMap(path, line, column)
+        }
       }
-    }
-  } else {
-    return getOriginalPathAndLineFromSourceMap
-  }
+    : getOriginalPathAndLineFromSourceMap
 }
 
 function getRewriter (telemetryVerbosity) {
   if (!rewriter) {
     try {
-      const iastRewriter = require('@datadog/native-iast-rewriter')
+      const iastRewriter = require('@datadog/wasm-js-rewriter')
       const Rewriter = iastRewriter.Rewriter
       getPrepareStackTrace = iastRewriter.getPrepareStackTrace
       kSymbolPrepareStackTrace = iastRewriter.kSymbolPrepareStackTrace
       cacheRewrittenSourceMap = iastRewriter.cacheRewrittenSourceMap
 
       const chainSourceMap = isFlagPresent('--enable-source-maps')
-      const getOriginalPathAndLineFromSourceMap = iastRewriter.getOriginalPathAndLineFromSourceMap
-      if (getOriginalPathAndLineFromSourceMap) {
-        getRewriterOriginalPathAndLineFromSourceMap =
-          getGetOriginalPathAndLineFromSourceMapFunction(chainSourceMap, getOriginalPathAndLineFromSourceMap)
-      }
+      setGetOriginalPathAndLineFromSourceMapFunction(chainSourceMap, iastRewriter)
 
       rewriter = new Rewriter({
         csiMethods,
         telemetryVerbosity: getName(telemetryVerbosity),
-        chainSourceMap
+        chainSourceMap,
+        orchestrion: orchestrionConfig
       })
     } catch (e) {
-      log.error('[ASM] Unable to initialize TaintTracking Rewriter', e)
+      log.error('Unable to initialize Rewriter', e)
     }
   }
   return rewriter
@@ -74,6 +75,9 @@ function getRewriter (telemetryVerbosity) {
 
 let originalPrepareStackTrace
 function getPrepareStackTraceAccessor () {
+  if (!getPrepareStackTrace) {
+    getPrepareStackTrace = require('@datadog/wasm-js-rewriter/js/stack-trace').getPrepareStackTrace
+  }
   originalPrepareStackTrace = Error.prepareStackTrace
   let actual = getPrepareStackTrace(originalPrepareStackTrace)
   return {
@@ -89,25 +93,42 @@ function getPrepareStackTraceAccessor () {
 }
 
 function getCompileMethodFn (compileMethod) {
-  const rewriteFn = getRewriteFunction(rewriter)
-  return function (content, filename) {
+  let delegate = function (content, filename) {
     try {
-      if (isPrivateModule(filename) && isNotLibraryFile(filename)) {
-        const rewritten = rewriteFn(content, filename)
+      if (isDdTrace(filename)) {
+        return compileMethod.apply(this, [content, filename])
+      }
+      if (!isPrivateModule(filename) || !config.iast?.enabled) {
+        return compileMethod.apply(this, [content, filename])
+      }
+      // TODO when we have CJS support for orchestrion and taint-tracking, add
+      // them here as appropriate
+      const rewritten = rewriter.rewrite(content, filename, ['iast'])
 
-        if (rewritten?.literalsResult && hardcodedSecretCh.hasSubscribers) {
-          hardcodedSecretCh.publish(rewritten.literalsResult)
-        }
+      incrementTelemetryIfNeeded(rewritten.metrics)
 
-        if (rewritten?.content) {
-          return compileMethod.apply(this, [rewritten.content, filename])
-        }
+      if (rewritten?.literalsResult && hardcodedSecretCh.hasSubscribers) {
+        hardcodedSecretCh.publish(rewritten.literalsResult)
+      }
+
+      if (rewritten?.content) {
+        return compileMethod.apply(this, [rewritten.content, filename])
       }
     } catch (e) {
-      log.error('[ASM] Error rewriting file %s', filename, e)
+      log.error('Error rewriting file %s', filename, e)
     }
     return compileMethod.apply(this, [content, filename])
   }
+
+  const shim = function () {
+    return delegate.apply(this, arguments)
+  }
+
+  unwrapCompile = function () {
+    delegate = compileMethod
+  }
+
+  return shim
 }
 
 function esmRewritePostProcess (rewritten, filename) {
@@ -128,20 +149,31 @@ function esmRewritePostProcess (rewritten, filename) {
   }
 }
 
+let shimmedPrepareStackTrace = false
+function shimPrepareStackTrace () {
+  if (shimmedPrepareStackTrace) {
+    return
+  }
+  const pstDescriptor = Object.getOwnPropertyDescriptor(global.Error, 'prepareStackTrace')
+  if (!pstDescriptor || pstDescriptor.configurable) {
+    Object.defineProperty(global.Error, 'prepareStackTrace', getPrepareStackTraceAccessor())
+  }
+  shimmedPrepareStackTrace = true
+}
+
 function enableRewriter (telemetryVerbosity) {
   try {
-    const rewriter = getRewriter(telemetryVerbosity)
-    if (rewriter) {
-      const pstDescriptor = Object.getOwnPropertyDescriptor(global.Error, 'prepareStackTrace')
-      if (!pstDescriptor || pstDescriptor.configurable) {
-        Object.defineProperty(global.Error, 'prepareStackTrace', getPrepareStackTraceAccessor())
+    if (config.iast?.enabled) {
+      const rewriter = getRewriter(telemetryVerbosity)
+      if (rewriter) {
+        shimPrepareStackTrace()
+        shimmer.wrap(Module.prototype, '_compile', compileMethod => getCompileMethodFn(compileMethod))
       }
-      shimmer.wrap(Module.prototype, '_compile', compileMethod => getCompileMethodFn(compileMethod))
     }
 
     enableEsmRewriter(telemetryVerbosity)
   } catch (e) {
-    log.error('[ASM] Error enabling TaintTracking Rewriter', e)
+    log.error('Error enabling Rewriter', e)
   }
 }
 
@@ -155,6 +187,8 @@ function isEsmConfigured () {
 
 function enableEsmRewriter (telemetryVerbosity) {
   if (isMainThread && Module.register && !esmRewriterEnabled && isEsmConfigured()) {
+    shimPrepareStackTrace()
+
     esmRewriterEnabled = true
 
     const { port1, port2 } = new MessageChannel()
@@ -175,30 +209,31 @@ function enableEsmRewriter (telemetryVerbosity) {
     port1.unref()
     port2.unref()
 
-    const chainSourceMap = isFlagPresent('--enable-source-maps')
-    const data = {
-      port: port2,
-      csiMethods,
-      telemetryVerbosity,
-      chainSourceMap
-    }
-
     try {
       Module.register('./rewriter-esm.mjs', {
         parentURL: pathToFileURL(__filename),
         transferList: [port2],
-        data
+        data: {
+          port: port2,
+          csiMethods,
+          telemetryVerbosity,
+          chainSourceMap: isFlagPresent('--enable-source-maps'),
+          orchestrionConfig,
+          iastEnabled: config?.iast?.enabled
+        }
       })
     } catch (e) {
-      log.error('[ASM] Error enabling ESM Rewriter', e)
+      log.error('Error enabling ESM Rewriter', e)
       port1.close()
       port2.close()
     }
+
+    cacheRewrittenSourceMap = require('@datadog/wasm-js-rewriter/js/source-map').cacheRewrittenSourceMap
   }
 }
 
-function disableRewriter () {
-  shimmer.unwrap(Module.prototype, '_compile')
+function disable () {
+  unwrapCompile()
 
   if (!Error.prepareStackTrace?.[kSymbolPrepareStackTrace]) return
 
@@ -206,8 +241,10 @@ function disableRewriter () {
     delete Error.prepareStackTrace
 
     Error.prepareStackTrace = originalPrepareStackTrace
+
+    shimmedPrepareStackTrace = false
   } catch (e) {
-    log.warn('[ASM] Error disabling TaintTracking rewriter', e)
+    log.warn('Error disabling Rewriter', e)
   }
 }
 
@@ -215,6 +252,11 @@ function getOriginalPathAndLineFromSourceMap ({ path, line, column }) {
   return getRewriterOriginalPathAndLineFromSourceMap(path, line, column)
 }
 
+function enable (configArg) {
+  config = configArg
+  enableRewriter(telemetry.verbosity || 'OFF')
+}
+
 module.exports = {
-  enableRewriter, disableRewriter, getOriginalPathAndLineFromSourceMap
+  enable, disable, getOriginalPathAndLineFromSourceMap
 }

package/packages/dd-trace/src/appsec/rasp/command_injection.js

@@ -47,7 +47,7 @@ function analyzeCommandInjection ({ file, fileArgs, shell, abortController }) {
   const result = waf.run({ ephemeral }, req, raspRule)
 
   const res = store?.res
-  handleResult(result, req, res, abortController, config)
+  handleResult(result, req, res, abortController, config, raspRule)
 }
 
 module.exports = {

package/packages/dd-trace/src/appsec/rasp/index.js

@@ -7,6 +7,7 @@ const ssrf = require('./ssrf')
 const sqli = require('./sql_injection')
 const lfi = require('./lfi')
 const cmdi = require('./command_injection')
+const { updateRaspRuleMatchMetricTags } = require('../telemetry')
 
 const { DatadogRaspAbortError } = require('./utils')
 
@@ -84,9 +85,10 @@ function blockOnDatadogRaspAbortError ({ error }) {
   const abortError = findDatadogRaspAbortError(error)
   if (!abortError) return false
 
-  const { req, res, blockingAction } = abortError
+  const { req, res, blockingAction, raspRule } = abortError
   if (!isBlocked(res)) {
-    block(req, res, web.root(req), null, blockingAction)
+    const blocked = block(req, res, web.root(req), null, blockingAction)
+    updateRaspRuleMatchMetricTags(req, raspRule, true, blocked)
   }
 
   return true

package/packages/dd-trace/src/appsec/rasp/lfi.js

@@ -61,7 +61,7 @@ function analyzeLfi (ctx) {
     const raspRule = { type: RULE_TYPES.LFI }
 
     const result = waf.run({ ephemeral }, req, raspRule)
-    handleResult(result, req, res, ctx.abortController, config)
+    handleResult(result, req, res, ctx.abortController, config, raspRule)
   })
 }
 

package/packages/dd-trace/src/appsec/rasp/sql_injection.js

@@ -76,7 +76,7 @@ function analyzeSqlInjection (query, dbSystem, abortController) {
 
   const result = waf.run({ ephemeral }, req, raspRule)
 
-  handleResult(result, req, res, abortController, config)
+  handleResult(result, req, res, abortController, config, raspRule)
 }
 
 function hasInputAddress (payload) {

package/packages/dd-trace/src/appsec/rasp/ssrf.js

@@ -34,7 +34,7 @@ function analyzeSsrf (ctx) {
   const result = waf.run({ ephemeral }, req, raspRule)
 
   const res = store?.res
-  handleResult(result, req, res, ctx.abortController, config)
+  handleResult(result, req, res, ctx.abortController, config, raspRule)
 }
 
 module.exports = { enable, disable }

package/packages/dd-trace/src/appsec/rasp/utils.js

@@ -4,6 +4,7 @@ const web = require('../../plugins/util/web')
 const { getCallsiteFrames, reportStackTrace, canReportStackTrace } = require('../stack_trace')
 const { getBlockingAction } = require('../blocking')
 const log = require('../../log')
+const { updateRaspRuleMatchMetricTags } = require('../telemetry')
 
 const abortOnUncaughtException = process.execArgv?.includes('--abort-on-uncaught-exception')
 
@@ -19,16 +20,17 @@ const RULE_TYPES = {
 }
 
 class DatadogRaspAbortError extends Error {
-  constructor (req, res, blockingAction) {
+  constructor (req, res, blockingAction, raspRule) {
     super('DatadogRaspAbortError')
     this.name = 'DatadogRaspAbortError'
     this.req = req
     this.res = res
     this.blockingAction = blockingAction
+    this.raspRule = raspRule
   }
 }
 
-function handleResult (actions, req, res, abortController, config) {
+function handleResult (actions, req, res, abortController, config, raspRule) {
   const generateStackTraceAction = actions?.generate_stack
 
   const { enabled, maxDepth, maxStackTraces } = config.appsec.stackTrace
@@ -45,21 +47,24 @@ function handleResult (actions, req, res, abortController, config) {
     )
   }
 
-  if (!abortController || abortOnUncaughtException) return
+  if (abortController && !abortOnUncaughtException) {
+    const blockingAction = getBlockingAction(actions)
 
-  const blockingAction = getBlockingAction(actions)
-  if (blockingAction) {
     // Should block only in express
-    if (rootSpan?.context()._name === 'express.request') {
-      const abortError = new DatadogRaspAbortError(req, res, blockingAction)
+    if (blockingAction && rootSpan?.context()._name === 'express.request') {
+      const abortError = new DatadogRaspAbortError(req, res, blockingAction, raspRule)
       abortController.abort(abortError)
 
       // TODO Delete this when support for node 16 is removed
       if (!abortController.signal.reason) {
         abortController.signal.reason = abortError
       }
+
+      return
     }
   }
+
+  updateRaspRuleMatchMetricTags(req, raspRule, false, false)
 }
 
 module.exports = {