dd-trace 5.52.0 → 5.54.0

package/packages/datadog-shimmer/src/shimmer.js

@@ -1,12 +1,24 @@
 'use strict'
 
+/**
+ * @type {Set<string | symbol>}
+ */
 const skipMethods = new Set([
   'caller',
   'arguments',
   'name',
   'length'
 ])
+const skipMethodSize = skipMethods.size
 
+const nonConfigurableModuleExports = new WeakMap()
+
+/**
+ * Copies properties from the original function to the wrapped function.
+ *
+ * @param {Function} original - The original function.
+ * @param {Function} wrapped - The wrapped function.
+ */
 function copyProperties (original, wrapped) {
   if (original.constructor !== wrapped.constructor) {
     const proto = Object.getPrototypeOf(original)
@@ -23,7 +35,7 @@ function copyProperties (original, wrapped) {
   if (ownKeys.length !== 2) {
     for (const key of ownKeys) {
       if (skipMethods.has(key)) continue
-      const descriptor = Object.getOwnPropertyDescriptor(original, key)
+      const descriptor = /** @type {PropertyDescriptor} */ (Object.getOwnPropertyDescriptor(original, key))
       if (descriptor.writable && descriptor.enumerable && descriptor.configurable) {
         wrapped[key] = original[key]
       } else if (descriptor.writable || descriptor.configurable || !Object.hasOwn(wrapped, key)) {
@@ -33,6 +45,33 @@ function copyProperties (original, wrapped) {
   }
 }
 
+/**
+ * Copies properties from the original object to the wrapped object, skipping a specific key.
+ *
+ * @param {Record<string | symbol, unknown>} original - The original object.
+ * @param {Record<string | symbol, unknown>} wrapped - The wrapped object.
+ * @param {string | symbol} skipKey - The key to skip during copying.
+ */
+function copyObjectProperties (original, wrapped, skipKey) {
+  const ownKeys = Reflect.ownKeys(original)
+  for (const key of ownKeys) {
+    if (key === skipKey) continue
+    const descriptor = /** @type {PropertyDescriptor} */ (Object.getOwnPropertyDescriptor(original, key))
+    if (descriptor.writable && descriptor.enumerable && descriptor.configurable) {
+      wrapped[key] = original[key]
+    } else if (descriptor.writable || descriptor.configurable || !Object.hasOwn(wrapped, key)) {
+      Object.defineProperty(wrapped, key, descriptor)
+    }
+  }
+}
+
+/**
+ * Wraps a function with a wrapper function.
+ *
+ * @param {Function} original - The original function to wrap.
+ * @param {(original: Function) => Function} wrapper - The wrapper function.
+ * @returns {Function} The wrapped function.
+ */
 function wrapFunction (original, wrapper) {
   const wrapped = wrapper(original)
 
@@ -44,28 +83,55 @@ function wrapFunction (original, wrapper) {
   return wrapped
 }
 
-function wrap (target, name, wrapper) {
-  assertMethod(target, name)
+/**
+ * Wraps a method of an object with a wrapper function.
+ *
+ * @param {Record<string | symbol, unknown> | Function} target - The target
+ * object.
+ * @param {string | symbol} name - The property key of the method to wrap.
+ * @param {(original: Function) => (...args) => any} wrapper - The wrapper function.
+ * @param {{ replaceGetter?: boolean }} [options] - If `replaceGetter` is set to
+ * true, the getter is accessed and the getter is replaced with one that just
+ * returns the earlier retrieved value. Use with care! This may only be done in
+ * case the getter absolutely has no side effect and no setter is defined for the
+ * property.
+ * @returns {Record<string | symbol, unknown> | Function} The target object with
+ * the wrapped method.
+ */
+function wrap (target, name, wrapper, options) {
   if (typeof wrapper !== 'function') {
-    throw new Error(wrapper ? 'Target is not a function' : 'No function provided')
+    throw new TypeError(wrapper ? 'Target is not a function' : 'No function provided')
   }
 
-  const original = target[name]
-  const wrapped = wrapper(original)
+  // No descriptor means original was on the prototype. This is not totally
+  // safe, since we define the property on the target. That could have an impact
+  // in case e.g., the own keys are checks.
+  const descriptor = Object.getOwnPropertyDescriptor(target, name) ?? {
+    value: target[name],
+    writable: true,
+    configurable: true,
+    enumerable: false
+  }
 
-  if (typeof original === 'function') copyProperties(original, wrapped)
+  if (descriptor.set && (!descriptor.get || options?.replaceGetter)) {
+    // It is possible to support these cases by instrumenting both the getter
+    // and setter (or only the setter, in case that is a use case).
+    // For now, this is not supported due to the complexity and the fact that
+    // this is not a common use case.
+    throw new Error(options?.replaceGetter
+      ? 'Replacing a getter/setter pair is not supported. Implement if required.'
+      : 'Replacing setters is not supported. Implement if required.')
+  }
 
-  let descriptor = Object.getOwnPropertyDescriptor(target, name)
+  const original = descriptor.value ?? options?.replaceGetter ? target[name] : descriptor.get
 
-  // No descriptor means original was on the prototype
-  if (descriptor === undefined) {
-    descriptor = {
-      value: wrapped,
-      writable: true,
-      configurable: true,
-      enumerable: false
-    }
-  } else if (descriptor.writable) {
+  assertMethod(target, name, original)
+
+  const wrapped = wrapper(original)
+
+  copyProperties(original, wrapped)
+
+  if (descriptor.writable) {
     // Fast path for assigned properties.
     if (descriptor.configurable && descriptor.enumerable) {
       target[name] = wrapped
@@ -73,25 +139,54 @@ function wrap (target, name, wrapper) {
     }
     descriptor.value = wrapped
   } else {
-    if (descriptor.get || descriptor.set) {
-      // TODO(BridgeAR): What happens in case there is a setter? This seems wrong?
-      // What happens in case the user does indeed set this to a different value?
-      // In that case the getter would potentially return the wrong value?
-      descriptor.get = () => wrapped
+    if (descriptor.get) {
+      // `replaceGetter` may only be used when the getter has no side effect.
+      descriptor.get = options?.replaceGetter ? () => wrapped : wrapped
     } else {
       descriptor.value = wrapped
     }
 
     if (descriptor.configurable === false) {
-      // TODO(BridgeAR): Bail out instead (throw). It is unclear if the newly
-      // created object is actually used. If it's not used, the wrapping would
-      // have had no effect without noticing. It is also unclear what would happen
-      // in case user code would check for properties to be own properties. That
-      // would fail with this code. A function being replaced with an object is
-      // also not possible.
-      return Object.create(target, {
-        [name]: descriptor
-      })
+      // TODO(BridgeAR): This currently only works on the most outer part. The
+      // moduleExports object.
+      //
+      // It would be possible to also implement it for non moduleExports objects
+      // by passing through the moduleExports object and the property names that
+      // are accessed. That way it would be possible to redefine the complete
+      // property chain. Example:
+      //
+      // shimmer.wrap(hapi.Server.prototype, 'start', wrapStart)
+      // shimmer.wrap(hapi.Server.prototype, 'ext', wrapExt)
+      //
+      // shimmer.wrap(hapi, 'Server', 'prototype', 'start', wrapStart)
+      // shimmer.wrap(hapi, 'Server', 'prototype', 'ext', wrapExt)
+      //
+      // That would however still not resolve the issue about the user replacing
+      // the return value so that the hook picks up the new hapi moduleExports
+      // object. To safely fix that, we would have to couple the register helper
+      // with this code. That way it would be possible to directly pass through
+      // the entries.
+
+      // In case more than a single property is not configurable and writable,
+      // Just reuse the already created object.
+      let moduleExports = nonConfigurableModuleExports.get(target)
+      if (!moduleExports) {
+        if (typeof target === 'function') {
+          const original = target
+          moduleExports = function (...args) { return original.apply(original, args) }
+          // This is a rare case. Accept the slight performance hit.
+          skipMethods.add(name)
+          copyProperties(target, moduleExports)
+          if (skipMethods.size === skipMethodSize + 1) {
+            skipMethods.delete(name)
+          }
+        } else {
+          moduleExports = Object.create(target)
+          copyObjectProperties(target, moduleExports, name)
+        }
+        nonConfigurableModuleExports.set(target, moduleExports)
+      }
+      target = moduleExports
     }
   }
 
@@ -100,6 +195,16 @@ function wrap (target, name, wrapper) {
   return target
 }
 
+/**
+ * Wraps multiple methods and or multiple objects with a wrapper function.
+ * May also receive a single method or object or a single method name.
+ *
+ * @param {Array<Record<string | symbol, unknown> | Function> |
+ *         Record<string | symbol, unknown> |
+ *         Function} targets - The target objects.
+ * @param {Array<string | symbol> | string | symbol} names - The property keys of the methods to wrap.
+ * @param {(original: Function) => (...args) => any} wrapper - The wrapper function.
+ */
 function massWrap (targets, names, wrapper) {
   targets = toArray(targets)
   names = toArray(names)
@@ -111,29 +216,51 @@ function massWrap (targets, names, wrapper) {
   }
 }
 
+/**
+ * Converts a value to an array if it is not already an array.
+ *
+ * @template T
+ * @param {T | T[]} maybeArray - The value to convert.
+ * @returns {T[]} The value as an array.
+ */
 function toArray (maybeArray) {
   return Array.isArray(maybeArray) ? maybeArray : [maybeArray]
 }
 
-function assertMethod (target, name) {
-  if (typeof target?.[name] !== 'function') {
+/**
+ * Asserts that a method is a function.
+ *
+ * @param {Record<string | symbol, unknown> | Function} target - The target object.
+ * @param {string | symbol} name - The property key of the method.
+ * @param {unknown} method - The method to assert.
+ * @throws {Error} If the method is not a function.
+ */
+function assertMethod (target, name, method) {
+  if (typeof method !== 'function') {
     let message = 'No target object provided'
 
     if (target) {
       if (typeof target !== 'object' && typeof target !== 'function') {
         message = 'Invalid target'
       } else {
-        message = target[name] ? `Original method ${name} is not a function` : `No original method ${name}`
+        name = String(name)
+        message = method ? `Original method ${name} is not a function` : `No original method ${name}`
       }
     }
 
-    throw new Error(message)
+    throw new TypeError(message)
   }
 }
 
+/**
+ * Asserts that a target is not a class constructor.
+ *
+ * @param {Function} target - The target function.
+ * @throws {Error} If the target is a class constructor.
+ */
 function assertNotClass (target) {
   if (Function.prototype.toString.call(target).startsWith('class')) {
-    throw new Error('Target is a native class constructor and cannot be wrapped.')
+    throw new TypeError('Target is a native class constructor and cannot be wrapped.')
   }
 }
 

package/packages/dd-trace/src/appsec/api_security_sampler.js

@@ -18,8 +18,8 @@ let asmStandaloneEnabled
 let sampledRequests
 
 class NoopTTLCache {
-  clear () { }
-  set (_key, _value) { return undefined }
+  clear () {}
+  set (_key, _value) {}
   has (_key) { return false }
 }
 

package/packages/dd-trace/src/appsec/blocked_templates.js

@@ -1,4 +1,4 @@
-/* eslint-disable @stylistic/js/max-len */
+/* eslint-disable @stylistic/max-len */
 'use strict'
 
 const html = '<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>You\'ve been blocked</title><style>a,body,div,html,span{margin:0;padding:0;border:0;font-size:100%;font:inherit;vertical-align:baseline}body{background:-webkit-radial-gradient(26% 19%,circle,#fff,#f4f7f9);background:radial-gradient(circle at 26% 19%,#fff,#f4f7f9);display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-ms-flex-line-pack:center;align-content:center;width:100%;min-height:100vh;line-height:1;flex-direction:column}p{display:block}main{text-align:center;flex:1;display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-ms-flex-line-pack:center;align-content:center;flex-direction:column}p{font-size:18px;line-height:normal;color:#646464;font-family:sans-serif;font-weight:400}a{color:#4842b7}footer{width:100%;text-align:center}footer p{font-size:16px}</style></head><body><main><p>Sorry, you cannot access this page. Please contact the customer service team.</p></main><footer><p>Security provided by <a href="https://www.datadoghq.com/product/security-platform/application-security-monitoring/" target="_blank">Datadog</a></p></footer></body></html>'

package/packages/dd-trace/src/appsec/blocking.js

@@ -93,11 +93,9 @@ function getBlockWithContentData (req, specificType, actionParameters) {
 }
 
 function getBlockingData (req, specificType, actionParameters) {
-  if (actionParameters?.location) {
-    return getBlockWithRedirectData(actionParameters)
-  } else {
-    return getBlockWithContentData(req, specificType, actionParameters)
-  }
+  return actionParameters?.location
+    ? getBlockWithRedirectData(actionParameters)
+    : getBlockWithContentData(req, specificType, actionParameters)
 }
 
 function block (req, res, rootSpan, abortController, actionParameters = defaultBlockingActionParameters) {
@@ -140,23 +138,11 @@ function getBlockingAction (actions) {
 }
 
 function setTemplates (config) {
-  if (config.appsec.blockedTemplateHtml) {
-    templateHtml = config.appsec.blockedTemplateHtml
-  } else {
-    templateHtml = blockedTemplates.html
-  }
+  templateHtml = config.appsec.blockedTemplateHtml || blockedTemplates.html
 
-  if (config.appsec.blockedTemplateJson) {
-    templateJson = config.appsec.blockedTemplateJson
-  } else {
-    templateJson = blockedTemplates.json
-  }
+  templateJson = config.appsec.blockedTemplateJson || blockedTemplates.json
 
-  if (config.appsec.blockedTemplateGraphql) {
-    templateGraphqlJson = config.appsec.blockedTemplateGraphql
-  } else {
-    templateGraphqlJson = blockedTemplates.graphqlJson
-  }
+  templateGraphqlJson = config.appsec.blockedTemplateGraphql || blockedTemplates.graphqlJson
 }
 
 function isBlocked (res) {

package/packages/dd-trace/src/appsec/graphql.js

@@ -38,8 +38,8 @@ function onGraphqlStartResolve ({ context, resolverInfo }) {
 
   if (!resolverInfo || typeof resolverInfo !== 'object') return
 
-  const actions = waf.run({ ephemeral: { [addresses.HTTP_INCOMING_GRAPHQL_RESOLVER]: resolverInfo } }, req)
-  const blockingAction = getBlockingAction(actions)
+  const result = waf.run({ ephemeral: { [addresses.HTTP_INCOMING_GRAPHQL_RESOLVER]: resolverInfo } }, req)
+  const blockingAction = getBlockingAction(result?.actions)
   if (blockingAction) {
     const requestData = graphqlRequestData.get(req)
     if (requestData?.isInGraphqlRequest) {

package/packages/dd-trace/src/appsec/iast/analyzers/hardcoded-password-rules.js

@@ -1,4 +1,4 @@
-/* eslint-disable @stylistic/js/max-len */
+/* eslint-disable @stylistic/max-len */
 'use strict'
 
 const { NameAndValue } = require('./hardcoded-rule-type')

package/packages/dd-trace/src/appsec/iast/analyzers/hardcoded-secret-rules.js

@@ -1,4 +1,4 @@
-/* eslint-disable @stylistic/js/max-len */
+/* eslint-disable @stylistic/max-len */
 'use strict'
 
 const { ValueOnly, NameAndValue } = require('./hardcoded-rule-type')

package/packages/dd-trace/src/appsec/iast/analyzers/hardcoded-secrets-rules.js

@@ -1,4 +1,4 @@
-/* eslint-disable @stylistic/js/max-len */
+/* eslint-disable @stylistic/max-len */
 'use strict'
 
 const { ValueOnly, NameAndValue } = require('./hardcoded-rule-type')

package/packages/dd-trace/src/appsec/iast/analyzers/header-injection-analyzer.js

@@ -11,13 +11,13 @@ const {
 } = require('../taint-tracking/source-types')
 
 const EXCLUDED_PATHS = getNodeModulesPaths('express')
-const EXCLUDED_HEADER_NAMES = [
+const EXCLUDED_HEADER_NAMES = new Set([
   'location',
   'sec-websocket-location',
   'sec-websocket-accept',
   'upgrade',
   'connection'
-]
+])
 
 class HeaderInjectionAnalyzer extends InjectionAnalyzer {
   constructor () {
@@ -27,9 +27,7 @@ class HeaderInjectionAnalyzer extends InjectionAnalyzer {
   onConfigure () {
     this.addSub('datadog:http:server:response:set-header:finish', ({ name, value }) => {
       if (Array.isArray(value)) {
-        for (let i = 0; i < value.length; i++) {
-          const headerValue = value[i]
-
+        for (const headerValue of value) {
           this.analyze({ name, value: headerValue })
         }
       } else {
@@ -65,7 +63,7 @@ class HeaderInjectionAnalyzer extends InjectionAnalyzer {
   }
 
   isExcludedHeaderName (name) {
-    return EXCLUDED_HEADER_NAMES.includes(name)
+    return EXCLUDED_HEADER_NAMES.has(name)
   }
 
   isAllRangesFromHeader (ranges, headerName) {

package/packages/dd-trace/src/appsec/iast/analyzers/hsts-header-missing-analyzer.js

@@ -19,26 +19,21 @@ class HstsHeaderMissingAnalyzer extends MissingHeaderAnalyzer {
   }
 
   _isHeaderValid (headerValue) {
-    if (!headerValue) {
-      return false
-    }
     headerValue = headerValue.trim()
 
-    if (!headerValue.startsWith(HEADER_VALID_PREFIX)) {
+    if (!headerValue?.startsWith(HEADER_VALID_PREFIX)) {
       return false
     }
 
     const semicolonIndex = headerValue.indexOf(';')
-    let timestampString
-    if (semicolonIndex > -1) {
-      timestampString = headerValue.substring(HEADER_VALID_PREFIX.length + 1, semicolonIndex)
-    } else {
-      timestampString = headerValue.substring(HEADER_VALID_PREFIX.length + 1)
-    }
+    const timestampString = headerValue.slice(
+      HEADER_VALID_PREFIX.length + 1,
+      semicolonIndex === -1 ? headerValue.length : semicolonIndex
+    )
 
-    const timestamp = parseInt(timestampString)
+    const timestamp = Number.parseInt(timestampString)
     // eslint-disable-next-line eqeqeq
-    return timestamp == timestampString && timestamp > 0
+    return timestamp > 0 && timestamp == timestampString
   }
 
   _isHttpsProtocol (req) {

package/packages/dd-trace/src/appsec/iast/analyzers/missing-header-analyzer.js

@@ -10,8 +10,8 @@ const SC_NOT_FOUND = 404
 const SC_GONE = 410
 const SC_INTERNAL_SERVER_ERROR = 500
 
-const IGNORED_RESPONSE_STATUS_LIST = [SC_MOVED_PERMANENTLY, SC_MOVED_TEMPORARILY, SC_NOT_MODIFIED,
-  SC_TEMPORARY_REDIRECT, SC_NOT_FOUND, SC_GONE, SC_INTERNAL_SERVER_ERROR]
+const IGNORED_RESPONSE_STATUS_LIST = new Set([SC_MOVED_PERMANENTLY, SC_MOVED_TEMPORARILY, SC_NOT_MODIFIED,
+  SC_TEMPORARY_REDIRECT, SC_NOT_FOUND, SC_GONE, SC_INTERNAL_SERVER_ERROR])
 const HTML_CONTENT_TYPES = ['text/html', 'application/xhtml+xml']
 
 class MissingHeaderAnalyzer extends Analyzer {
@@ -37,9 +37,7 @@ class MissingHeaderAnalyzer extends Analyzer {
     }
   }
 
-  _getLocation () {
-    return undefined
-  }
+  _getLocation () {}
 
   _checkOCE (context) {
     return true
@@ -61,7 +59,7 @@ class MissingHeaderAnalyzer extends Analyzer {
   }
 
   _isVulnerable ({ req, res }, context) {
-    if (!IGNORED_RESPONSE_STATUS_LIST.includes(res.statusCode) && this._isResponseHtml(res)) {
+    if (!IGNORED_RESPONSE_STATUS_LIST.has(res.statusCode) && this._isResponseHtml(res)) {
       return this._isVulnerableFromRequestAndResponse(req, res)
     }
     return false

package/packages/dd-trace/src/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.js

@@ -24,6 +24,8 @@ class NosqlInjectionMongodbAnalyzer extends InjectionAnalyzer {
   onConfigure () {
     this.configureSanitizers()
 
+    // Anything that accesses the storage is context dependent
+    // eslint-disable-next-line unicorn/consistent-function-scoping
     const onStart = ({ filters }) => {
       const store = storage('legacy').getStore()
       if (store && !store.nosqlAnalyzed && filters?.length) {
@@ -42,6 +44,8 @@ class NosqlInjectionMongodbAnalyzer extends InjectionAnalyzer {
       }
     }
 
+    // Anything that accesses the storage is context dependent
+    // eslint-disable-next-line unicorn/consistent-function-scoping
     const onFinish = () => {
       const store = storage('legacy').getStore()
       if (store?.nosqlParentStore) {

package/packages/dd-trace/src/appsec/iast/analyzers/path-traversal-analyzer.js

@@ -7,7 +7,7 @@ const { getIastContext } = require('../iast-context')
 const { storage } = require('../../../../../datadog-core')
 const { PATH_TRAVERSAL } = require('../vulnerabilities')
 
-const ignoredOperations = ['dir.close', 'close']
+const ignoredOperations = new Set(['dir.close', 'close'])
 
 class PathTraversalAnalyzer extends InjectionAnalyzer {
   constructor () {
@@ -20,10 +20,10 @@ class PathTraversalAnalyzer extends InjectionAnalyzer {
     this.internalExclusionList = [
       'node:fs',
       'node:internal/fs',
-      'node:internal\\fs',
+      String.raw`node:internal\fs`,
       'fs.js',
       'internal/fs',
-      'internal\\fs'
+      String.raw`internal\fs`
     ]
   }
 
@@ -36,7 +36,7 @@ class PathTraversalAnalyzer extends InjectionAnalyzer {
       // but if we spect a store in the context to be present we are going to exclude
       // all out_of_the_request fs.operations
       // AppsecFsPlugin must be enabled
-      if (ignoredOperations.includes(obj.operation) || outOfReqOrChild) return
+      if (ignoredOperations.has(obj.operation) || outOfReqOrChild) return
 
       const pathArguments = []
       if (obj.dest) {
@@ -71,16 +71,13 @@ class PathTraversalAnalyzer extends InjectionAnalyzer {
   }
 
   _isExcluded (location) {
-    let ret = true
-    if (location && location.path) {
+    if (location?.path) {
       // Exclude from reporting those vulnerabilities which location is from an internal fs call
-      if (location.isInternal) {
-        ret = this.internalExclusionList.some(elem => location.path.includes(elem))
-      } else {
-        ret = this.exclusionList.some(elem => location.path.includes(elem))
-      }
+      return location.isInternal
+        ? this.internalExclusionList.some(elem => location.path.includes(elem))
+        : this.exclusionList.some(elem => location.path.includes(elem))
     }
-    return ret
+    return true
   }
 
   analyze (value) {

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js

@@ -41,7 +41,7 @@ class Analyzer extends SinkIastPlugin {
 
     if (!this._isExcluded(location)) {
       const originalLocation = this._getOriginalLocation(location)
-      const spanId = context && context.rootSpan && context.rootSpan.context().toSpanId()
+      const spanId = context?.rootSpan?.context().toSpanId()
       const stackId = getIastStackTraceId(context)
       const vulnerability = this._createVulnerability(
         this._type,
@@ -112,9 +112,10 @@ class Analyzer extends SinkIastPlugin {
     const iastContext = getIastContext(store)
     if (this._isInvalidContext(store, iastContext)) return
 
-    for (let i = 0; i < values.length; i++) {
-      const value = values[i]
+    for (const value of values) {
       if (this._isVulnerable(value, iastContext)) {
+        // TODO(BridgeAR): Here are multiple cases that receive a different
+        // number of arguments than passed through. Fix those cases.
         if (this._checkOCE(iastContext, value)) {
           this._report(value, iastContext)
         }
@@ -124,7 +125,7 @@ class Analyzer extends SinkIastPlugin {
   }
 
   _checkOCE (context) {
-    return overheadController.hasQuota(overheadController.OPERATIONS.REPORT_VULNERABILITY, context)
+    return overheadController.hasQuota(overheadController.OPERATIONS.REPORT_VULNERABILITY, context, this._type)
   }
 
   _createVulnerability (type, evidence, spanId, location, stackId) {

package/packages/dd-trace/src/appsec/iast/context/context-plugin.js

@@ -11,7 +11,7 @@ const { TagKey } = require('../telemetry/iast-metric')
 
 class IastContextPlugin extends IastPlugin {
   startCtxOn (channelName, tag) {
-    super.addSub(channelName, (message) => this.startContext())
+    super.addSub(channelName, (message) => this.startContext(message?.currentStore))
 
     this._getAndRegisterSubscription({
       channelName,
@@ -44,11 +44,10 @@ class IastContextPlugin extends IastPlugin {
     }
   }
 
-  startContext () {
+  startContext (store = storage('legacy').getStore()) {
     let isRequestAcquired = false
     let iastContext
 
-    const store = storage('legacy').getStore()
     if (store) {
       const topContext = this.getTopContext()
       const rootSpan = this.getRootSpan(store)

package/packages/dd-trace/src/appsec/iast/iast-plugin.js

@@ -130,9 +130,9 @@ class IastPlugin extends Plugin {
   }
 
   _getAndRegisterSubscription ({ moduleName, channelName, tag, tagKey }) {
-    if (!channelName && !moduleName) return
-
     if (!moduleName) {
+      if (!channelName) return
+
       let firstSep = channelName.indexOf(':')
       if (firstSep === -1) {
         moduleName = channelName
@@ -141,7 +141,7 @@ class IastPlugin extends Plugin {
           firstSep = channelName.indexOf(':', 'tracing:'.length + 1)
         }
         const lastSep = channelName.indexOf(':', firstSep + 1)
-        moduleName = channelName.substring(firstSep + 1, lastSep !== -1 ? lastSep : channelName.length)
+        moduleName = channelName.slice(firstSep + 1, lastSep === -1 ? channelName.length : lastSep)
       }
     }
 

package/packages/dd-trace/src/appsec/iast/index.js

@@ -92,6 +92,7 @@ function onIncomingHttpRequestEnd (data) {
       const vulnerabilities = iastContext.vulnerabilities
       const rootSpan = iastContext.rootSpan
       vulnerabilityReporter.sendVulnerabilities(vulnerabilities, rootSpan)
+      overheadController.consolidateVulnerabilities(iastContext)
       removeTransaction(iastContext)
       iastTelemetry.onRequestEnd(iastContext, iastContext.rootSpan)
     }