dd-trace 5.59.0 → 5.61.0

package/packages/datadog-plugin-openai/src/stream-helpers.js

@@ -0,0 +1,114 @@
+'use strict'
+
+/**
+ * Combines legacy OpenAI streamed chunks into a single object.
+ * These legacy chunks are returned as buffers instead of individual objects.
+ * @param {readonly Uint8Array[]} chunks
+ * @returns {Array<Record<string, any>>}
+ */
+function convertBuffersToObjects (chunks) {
+  return Buffer
+    .concat(chunks) // combine the buffers
+    .toString() // stringify
+    .split(/(?=data:)/) // split on "data:"
+    .map(chunk => chunk.replaceAll('\n', '').slice(6)) // remove newlines and 'data: ' from the front
+    .slice(0, -1) // remove the last [DONE] message
+    .map(JSON.parse) // parse all of the returned objects
+}
+
+/**
+ * Common function for combining chunks with n choices into a single response body.
+ * The shared logic will add a new choice index entry if it doesn't exist, and otherwise
+ * hand off to a onChoice handler to add that choice to the previously stored choice.
+ *
+ * @param {Array<Record<string, any>>} chunks
+ * @param {number} n
+ * @param {function(Record<string, any>, Record<string, any>): void} onChoice
+ * @returns {Record<string, any>}
+ */
+function constructResponseFromStreamedChunks (chunks, n, onChoice) {
+  const body = { ...chunks[0], choices: Array.from({ length: n }) }
+
+  for (const chunk of chunks) {
+    body.usage = chunk.usage
+    for (const choice of chunk.choices) {
+      const choiceIdx = choice.index
+      const oldChoice = body.choices.find(choice => choice?.index === choiceIdx)
+
+      if (!oldChoice) {
+        body.choices[choiceIdx] = choice
+        continue
+      }
+
+      if (!oldChoice.finish_reason) {
+        oldChoice.finish_reason = choice.finish_reason
+      }
+
+      onChoice(choice, oldChoice)
+    }
+  }
+
+  return body
+}
+
+/**
+ * Constructs the entire response from a stream of OpenAI completion chunks,
+ * mainly combining the text choices of each chunk into a single string per choice.
+ * @param {Array<Record<string, any>>} chunks
+ * @param {number} n the number of choices to expect in the response
+ * @returns {Record<string, any>}
+ */
+function constructCompletionResponseFromStreamedChunks (chunks, n) {
+  return constructResponseFromStreamedChunks(chunks, n, (choice, oldChoice) => {
+    const text = choice.text
+    if (text) {
+      if (oldChoice.text) {
+        oldChoice.text += text
+      } else {
+        oldChoice.text = text
+      }
+    }
+  })
+}
+
+/**
+ * Constructs the entire response from a stream of OpenAI chat completion chunks,
+ * mainly combining the text choices of each chunk into a single string per choice.
+ * @param {Array<Record<string, any>>} chunks
+ * @param {number} n the number of choices to expect in the response
+ * @returns {Record<string, any>}
+ */
+function constructChatCompletionResponseFromStreamedChunks (chunks, n) {
+  return constructResponseFromStreamedChunks(chunks, n, (choice, oldChoice) => {
+    const delta = choice.delta
+    if (!delta) return
+
+    const content = delta.content
+    if (content) {
+      if (oldChoice.delta.content) {
+        oldChoice.delta.content += content
+      } else {
+        oldChoice.delta.content = content
+      }
+    }
+
+    const tools = delta.tool_calls
+    if (!tools) return
+
+    oldChoice.delta.tool_calls = tools.map((newTool, toolIdx) => {
+      const oldTool = oldChoice.delta.tool_calls?.[toolIdx]
+      if (oldTool) {
+        oldTool.function.arguments += newTool.function.arguments
+        return oldTool
+      }
+
+      return newTool
+    })
+  })
+}
+
+module.exports = {
+  convertBuffersToObjects,
+  constructCompletionResponseFromStreamedChunks,
+  constructChatCompletionResponseFromStreamedChunks
+}

package/packages/datadog-plugin-openai/src/tracing.js

@@ -10,6 +10,11 @@ const { MEASURED } = require('../../../ext/tags')
 const { estimateTokens } = require('./token-estimator')
 
 const makeUtilities = require('../../dd-trace/src/plugins/util/llm')
+const {
+  convertBuffersToObjects,
+  constructCompletionResponseFromStreamedChunks,
+  constructChatCompletionResponseFromStreamedChunks
+} = require('./stream-helpers')
 
 let normalize
 
@@ -48,6 +53,39 @@ class OpenAiTracingPlugin extends TracingPlugin {
 
       normalize = utilities.normalize
     }
+
+    this.addSub('apm:openai:request:chunk', ({ ctx, chunk, done }) => {
+      if (!ctx.chunks) ctx.chunks = []
+
+      if (chunk) ctx.chunks.push(chunk)
+      if (!done) return
+
+      let chunks = ctx.chunks
+      if (chunks.length === 0) return
+
+      const firstChunk = chunks[0]
+      // OpenAI in legacy versions returns chunked buffers instead of objects.
+      // These buffers will need to be combined and coalesced into a list of object chunks.
+      if (firstChunk instanceof Buffer) {
+        chunks = convertBuffersToObjects(chunks)
+      }
+
+      const methodName = ctx.currentStore.normalizedMethodName
+      let n = 1
+      const prompt = ctx.args[0].prompt
+      if (Array.isArray(prompt) && typeof prompt[0] !== 'number') {
+        n *= prompt.length
+      }
+
+      let response = {}
+      if (methodName === 'createCompletion') {
+        response = constructCompletionResponseFromStreamedChunks(chunks, n)
+      } else if (methodName === 'createChatCompletion') {
+        response = constructChatCompletionResponseFromStreamedChunks(chunks, n)
+      }
+
+      ctx.result = { data: response }
+    })
   }
 
   configure (config) {

package/packages/dd-trace/src/appsec/iast/analyzers/cookie-analyzer.js

@@ -3,7 +3,14 @@
 const Analyzer = require('./vulnerability-analyzer')
 const { getNodeModulesPaths } = require('../path-line')
 
-const EXCLUDED_PATHS = getNodeModulesPaths('express/lib/response.js')
+const EXCLUDED_PATHS = [
+  // Express
+  getNodeModulesPaths('express/lib/response.js'),
+  // Fastify
+  getNodeModulesPaths('fastify/lib/reply.js'),
+  getNodeModulesPaths('fastify/lib/hooks.js'),
+  getNodeModulesPaths('@fastify/cookie/plugin.js')
+]
 
 class CookieAnalyzer extends Analyzer {
   constructor (type, propertyToBeSafe) {

package/packages/dd-trace/src/appsec/iast/analyzers/hsts-header-missing-analyzer.js

@@ -10,8 +10,8 @@ class HstsHeaderMissingAnalyzer extends MissingHeaderAnalyzer {
     super(HSTS_HEADER_MISSING, HSTS_HEADER_NAME)
   }
 
-  _isVulnerableFromRequestAndResponse (req, res) {
-    const headerValues = this._getHeaderValues(res, HSTS_HEADER_NAME)
+  _isVulnerableFromRequestAndResponse (req, res, storedHeaders) {
+    const headerValues = this._getHeaderValues(res, storedHeaders, HSTS_HEADER_NAME)
     return this._isHttpsProtocol(req) && (
       headerValues.length === 0 ||
       headerValues.some(headerValue => !this._isHeaderValid(headerValue))

package/packages/dd-trace/src/appsec/iast/analyzers/missing-header-analyzer.js

@@ -28,8 +28,9 @@ class MissingHeaderAnalyzer extends Analyzer {
     }, (data) => this.analyze(data))
   }
 
-  _getHeaderValues (res, headerName) {
-    const headerValue = res.getHeader(headerName)
+  _getHeaderValues (res, storedHeaders, headerName) {
+    headerName = headerName.toLowerCase()
+    const headerValue = res.getHeader(headerName) || storedHeaders[headerName]
     if (Array.isArray(headerValue)) {
       return headerValue
     }
@@ -46,8 +47,8 @@ class MissingHeaderAnalyzer extends Analyzer {
     return `${type}:${this.config.tracerConfig.service}`
   }
 
-  _getEvidence ({ res }) {
-    const headerValues = this._getHeaderValues(res, this.headerName)
+  _getEvidence ({ res, storedHeaders }) {
+    const headerValues = this._getHeaderValues(res, storedHeaders, this.headerName)
     let value
     if (headerValues.length === 1) {
       value = headerValues[0]
@@ -57,19 +58,19 @@ class MissingHeaderAnalyzer extends Analyzer {
     return { value }
   }
 
-  _isVulnerable ({ req, res }, context) {
-    if (!IGNORED_RESPONSE_STATUS_LIST.has(res.statusCode) && this._isResponseHtml(res)) {
-      return this._isVulnerableFromRequestAndResponse(req, res)
+  _isVulnerable ({ req, res, storedHeaders }, context) {
+    if (!IGNORED_RESPONSE_STATUS_LIST.has(res.statusCode) && this._isResponseHtml(res, storedHeaders)) {
+      return this._isVulnerableFromRequestAndResponse(req, res, storedHeaders)
     }
     return false
   }
 
-  _isVulnerableFromRequestAndResponse (req, res) {
+  _isVulnerableFromRequestAndResponse (req, res, storedHeaders) {
     return false
   }
 
-  _isResponseHtml (res) {
-    const contentTypes = this._getHeaderValues(res, 'content-type')
+  _isResponseHtml (res, storedHeaders) {
+    const contentTypes = this._getHeaderValues(res, storedHeaders, 'content-type')
     return contentTypes.some(contentType => {
       return contentType && HTML_CONTENT_TYPES.some(htmlContentType => {
         return htmlContentType === contentType || contentType.startsWith(htmlContentType + ';')

package/packages/dd-trace/src/appsec/iast/analyzers/set-cookies-header-interceptor.js

@@ -7,25 +7,32 @@ class SetCookiesHeaderInterceptor extends Plugin {
   constructor () {
     super()
     this.cookiesInRequest = new WeakMap()
-    this.addSub('datadog:http:server:response:set-header:finish', ({ name, value, res }) => {
-      if (name.toLowerCase() === 'set-cookie') {
-        let allCookies = value
-        if (typeof value === 'string') {
-          allCookies = [value]
-        }
-        const alreadyCheckedCookies = this._getAlreadyCheckedCookiesInResponse(res)
-
-        let location
-        allCookies.forEach(cookieString => {
-          if (!alreadyCheckedCookies.includes(cookieString)) {
-            alreadyCheckedCookies.push(cookieString)
-            const parsedCookie = this._parseCookie(cookieString, location)
-            setCookieChannel.publish(parsedCookie)
-            location = parsedCookie.location
-          }
-        })
+
+    this.addSub('datadog:http:server:response:set-header:finish',
+      ({ name, value, res }) => this._handleCookies(name, value, res))
+
+    this.addSub('datadog:fastify:set-header:finish',
+      ({ name, value, res }) => this._handleCookies(name, value, res))
+  }
+
+  _handleCookies (name, value, res) {
+    if (name.toLowerCase() === 'set-cookie') {
+      let allCookies = value
+      if (typeof value === 'string') {
+        allCookies = [value]
       }
-    })
+      const alreadyCheckedCookies = this._getAlreadyCheckedCookiesInResponse(res)
+
+      let location
+      allCookies.forEach(cookieString => {
+        if (!alreadyCheckedCookies.includes(cookieString)) {
+          alreadyCheckedCookies.push(cookieString)
+          const parsedCookie = this._parseCookie(cookieString, location)
+          setCookieChannel.publish(parsedCookie)
+          location = parsedCookie.location
+        }
+      })
+    }
   }
 
   _parseCookie (cookieString, location) {

package/packages/dd-trace/src/appsec/iast/analyzers/sql-injection-analyzer.js

@@ -18,31 +18,39 @@ class SqlInjectionAnalyzer extends StoredInjectionAnalyzer {
     this.addSub('datadog:mysql2:outerquery:start', ({ sql }) => this.analyze(sql, undefined, 'MYSQL'))
     this.addSub('apm:pg:query:start', ({ query }) => this.analyze(query.text, undefined, 'POSTGRES'))
 
-    this.addSub(
+    this.addBind(
       'datadog:sequelize:query:start',
       ({ sql, dialect }) => this.getStoreAndAnalyze(sql, dialect.toUpperCase())
     )
     this.addSub('datadog:sequelize:query:finish', () => this.returnToParentStore())
 
-    this.addSub('datadog:pg:pool:query:start', ({ query }) => this.getStoreAndAnalyze(query.text, 'POSTGRES'))
+    this.addSub('datadog:pg:pool:query:start', ({ query }) => this.setStoreAndAnalyze(query.text, 'POSTGRES'))
     this.addSub('datadog:pg:pool:query:finish', () => this.returnToParentStore())
 
-    this.addSub('datadog:mysql:pool:query:start', ({ sql }) => this.getStoreAndAnalyze(sql, 'MYSQL'))
+    this.addSub('datadog:mysql:pool:query:start', ({ sql }) => this.setStoreAndAnalyze(sql, 'MYSQL'))
     this.addSub('datadog:mysql:pool:query:finish', () => this.returnToParentStore())
 
     this.addSub('datadog:knex:raw:start', ({ sql, dialect: knexDialect }) => {
       const dialect = this.normalizeKnexDialect(knexDialect)
-      this.getStoreAndAnalyze(sql, dialect)
+      this.setStoreAndAnalyze(sql, dialect)
     })
     this.addSub('datadog:knex:raw:finish', () => this.returnToParentStore())
   }
 
+  setStoreAndAnalyze (query, dialect) {
+    const store = this.getStoreAndAnalyze(query, dialect)
+
+    if (store) {
+      storage('legacy').enterWith(store)
+    }
+  }
+
   getStoreAndAnalyze (query, dialect) {
     const parentStore = storage('legacy').getStore()
     if (parentStore) {
       this.analyze(query, parentStore, dialect)
 
-      storage('legacy').enterWith({ ...parentStore, sqlAnalyzed: true, sqlParentStore: parentStore })
+      return { ...parentStore, sqlAnalyzed: true, sqlParentStore: parentStore }
     }
   }
 

package/packages/dd-trace/src/appsec/iast/analyzers/unvalidated-redirect-analyzer.js

@@ -9,7 +9,10 @@ const {
   HTTP_REQUEST_PARAMETER
 } = require('../taint-tracking/source-types')
 
-const EXCLUDED_PATHS = getNodeModulesPaths('express/lib/response.js')
+const EXCLUDED_PATHS = [
+  getNodeModulesPaths('express/lib/response.js'),
+  getNodeModulesPaths('fastify/lib/reply.js'),
+]
 
 const VULNERABLE_SOURCE_TYPES = new Set([
   HTTP_REQUEST_BODY,
@@ -23,6 +26,7 @@ class UnvalidatedRedirectAnalyzer extends InjectionAnalyzer {
 
   onConfigure () {
     this.addSub('datadog:http:server:response:set-header:finish', ({ name, value }) => this.analyze(name, value))
+    this.addSub('datadog:fastify:set-header:finish', ({ name, value }) => this.analyze(name, value))
   }
 
   analyze (name, value) {

package/packages/dd-trace/src/appsec/iast/analyzers/xcontenttype-header-missing-analyzer.js

@@ -10,8 +10,8 @@ class XcontenttypeHeaderMissingAnalyzer extends MissingHeaderAnalyzer {
     super(XCONTENTTYPE_HEADER_MISSING, XCONTENTTYPEOPTIONS_HEADER_NAME)
   }
 
-  _isVulnerableFromRequestAndResponse (req, res) {
-    const headerValues = this._getHeaderValues(res, XCONTENTTYPEOPTIONS_HEADER_NAME)
+  _isVulnerableFromRequestAndResponse (req, res, storedHeaders) {
+    const headerValues = this._getHeaderValues(res, storedHeaders, XCONTENTTYPEOPTIONS_HEADER_NAME)
     return headerValues.length === 0 || headerValues.some(headerValue => headerValue.trim().toLowerCase() !== 'nosniff')
   }
 }

package/packages/dd-trace/src/appsec/iast/iast-plugin.js

@@ -47,6 +47,10 @@ class IastPluginSubscription {
   }
 
   matchesModuleInstrumented (name) {
+    // Remove node: prefix if present
+    if (name.startsWith('node:')) {
+      name = name.slice(5)
+    }
     // https module is a special case because it's events are published as http
     name = name === 'https' ? 'http' : name
     return this.moduleName === name

package/packages/dd-trace/src/appsec/iast/index.js

@@ -18,11 +18,12 @@ const { IAST_ENABLED_TAG_KEY } = require('./tags')
 const iastTelemetry = require('./telemetry')
 const { enable: enableFsPlugin, disable: disableFsPlugin, IAST_MODULE } = require('../rasp/fs-plugin')
 const securityControls = require('./security-controls')
+const { incomingHttpRequestStart, incomingHttpRequestEnd, responseWriteHead } = require('../channels')
+
+const collectedResponseHeaders = new WeakMap()
 
 // TODO Change to `apm:http:server:request:[start|close]` when the subscription
 //  order of the callbacks can be enforce
-const requestStart = dc.channel('dd-trace:incomingHttpRequestStart')
-const requestClose = dc.channel('dd-trace:incomingHttpRequestEnd')
 const iastResponseEnd = dc.channel('datadog:iast:response-end')
 let isEnabled = false
 
@@ -33,8 +34,9 @@ function enable (config, _tracer) {
   enableFsPlugin(IAST_MODULE)
   enableAllAnalyzers(config)
   enableTaintTracking(config.iast, iastTelemetry.verbosity)
-  requestStart.subscribe(onIncomingHttpRequestStart)
-  requestClose.subscribe(onIncomingHttpRequestEnd)
+  incomingHttpRequestStart.subscribe(onIncomingHttpRequestStart)
+  incomingHttpRequestEnd.subscribe(onIncomingHttpRequestEnd)
+  responseWriteHead.subscribe(onResponseWriteHeadCollect)
   overheadController.configure(config.iast)
   overheadController.startGlobalContext()
   securityControls.configure(config.iast)
@@ -53,8 +55,9 @@ function disable () {
   disableAllAnalyzers()
   disableTaintTracking()
   overheadController.finishGlobalContext()
-  if (requestStart.hasSubscribers) requestStart.unsubscribe(onIncomingHttpRequestStart)
-  if (requestClose.hasSubscribers) requestClose.unsubscribe(onIncomingHttpRequestEnd)
+  if (incomingHttpRequestStart.hasSubscribers) incomingHttpRequestStart.unsubscribe(onIncomingHttpRequestStart)
+  if (incomingHttpRequestEnd.hasSubscribers) incomingHttpRequestEnd.unsubscribe(onIncomingHttpRequestEnd)
+  if (responseWriteHead.hasSubscribers) responseWriteHead.unsubscribe(onResponseWriteHeadCollect)
   vulnerabilityReporter.stop()
 }
 
@@ -89,7 +92,13 @@ function onIncomingHttpRequestEnd (data) {
     const topContext = web.getContext(data.req)
     const iastContext = iastContextFunctions.getIastContext(store, topContext)
     if (iastContext?.rootSpan) {
-      iastResponseEnd.publish(data)
+      const storedHeaders = collectedResponseHeaders.get(data.res) || {}
+
+      iastResponseEnd.publish({ ...data, storedHeaders })
+
+      if (Object.keys(storedHeaders).length) {
+        collectedResponseHeaders.delete(data.res)
+      }
 
       const vulnerabilities = iastContext.vulnerabilities
       const rootSpan = iastContext.rootSpan
@@ -105,4 +114,13 @@ function onIncomingHttpRequestEnd (data) {
   }
 }
 
+// Response headers are collected here because they are not available in the onIncomingHttpRequestEnd when using Fastify
+function onResponseWriteHeadCollect ({ res, responseHeaders = {} }) {
+  if (!res) return
+
+  if (Object.keys(responseHeaders).length) {
+    collectedResponseHeaders.set(res, responseHeaders)
+  }
+}
+
 module.exports = { enable, disable, onIncomingHttpRequestEnd, onIncomingHttpRequestStart }

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js

@@ -38,6 +38,25 @@ class TaintTrackingPlugin extends SourceIastPlugin {
   }
 
   onConfigure () {
+    this.addBodyParsingSubscriptions()
+
+    this.addQueryParameterSubscriptions()
+
+    this.addCookieSubscriptions()
+
+    this.addDatabaseSubscriptions()
+
+    this.addPathParameterSubscriptions()
+
+    this.addGraphQLSubscriptions()
+
+    this.addURLParsingSubscriptions()
+
+    // this is a special case to increment INSTRUMENTED_SOURCE metric for header
+    this.addInstrumentedSource('http', [HTTP_REQUEST_HEADER_VALUE, HTTP_REQUEST_HEADER_NAME])
+  }
+
+  addBodyParsingSubscriptions () {
     const onRequestBody = ({ req }) => {
       const iastContext = getIastContext(storage('legacy').getStore())
       if (iastContext && iastContext.body !== req.body) {
@@ -57,17 +76,13 @@ class TaintTrackingPlugin extends SourceIastPlugin {
     )
 
     this.addSub(
-      { channelName: 'datadog:query:read:finish', tag: HTTP_REQUEST_PARAMETER },
-      ({ query }) => this._taintTrackingHandler(HTTP_REQUEST_PARAMETER, query)
-    )
-
-    this.addSub(
-      { channelName: 'datadog:express:query:finish', tag: HTTP_REQUEST_PARAMETER },
-      ({ query }) => {
+      { channelName: 'datadog:fastify:body-parser:finish', tag: HTTP_REQUEST_BODY },
+      ({ body }) => {
         const iastContext = getIastContext(storage('legacy').getStore())
-        if (!iastContext || !query) return
-
-        taintQueryWithCache(iastContext, query)
+        if (iastContext && iastContext.body !== body) {
+          this._taintTrackingHandler(HTTP_REQUEST_BODY, body)
+          iastContext.body = body
+        }
       }
     )
 
@@ -83,12 +98,45 @@ class TaintTrackingPlugin extends SourceIastPlugin {
         }
       }
     )
+  }
+
+  addQueryParameterSubscriptions () {
+    this.addSub(
+      { channelName: 'datadog:query:read:finish', tag: HTTP_REQUEST_PARAMETER },
+      ({ query }) => this._taintTrackingHandler(HTTP_REQUEST_PARAMETER, query)
+    )
+
+    this.addSub(
+      { channelName: 'datadog:fastify:query-params:finish', tag: HTTP_REQUEST_PARAMETER },
+      ({ query }) => {
+        this._taintTrackingHandler(HTTP_REQUEST_PARAMETER, query)
+      }
+    )
 
+    this.addSub(
+      { channelName: 'datadog:express:query:finish', tag: HTTP_REQUEST_PARAMETER },
+      ({ query }) => {
+        const iastContext = getIastContext(storage('legacy').getStore())
+        if (!iastContext || !query) return
+
+        taintQueryWithCache(iastContext, query)
+      }
+    )
+  }
+
+  addCookieSubscriptions () {
     this.addSub(
       { channelName: 'datadog:cookie:parse:finish', tag: [HTTP_REQUEST_COOKIE_VALUE, HTTP_REQUEST_COOKIE_NAME] },
       ({ cookies }) => this._cookiesTaintTrackingHandler(cookies)
     )
 
+    this.addSub(
+      { channelName: 'datadog:fastify-cookie:read:finish', tag: [HTTP_REQUEST_COOKIE_VALUE, HTTP_REQUEST_COOKIE_NAME] },
+      ({ cookies }) => this._cookiesTaintTrackingHandler(cookies)
+    )
+  }
+
+  addDatabaseSubscriptions () {
     this.addSub(
       { channelName: 'datadog:sequelize:query:finish', tag: SQL_ROW_VALUE },
       ({ result }) => this._taintDatabaseResult(result, 'sequelize')
@@ -98,25 +146,36 @@ class TaintTrackingPlugin extends SourceIastPlugin {
       { channelName: 'apm:pg:query:finish', tag: SQL_ROW_VALUE },
       ({ result }) => this._taintDatabaseResult(result, 'pg')
     )
+  }
+
+  addPathParameterSubscriptions () {
+    const pathParamHandler = ({ req }) => {
+      if (req && req.params !== null && typeof req.params === 'object') {
+        this._taintTrackingHandler(HTTP_REQUEST_PATH_PARAM, req, 'params')
+      }
+    }
 
     this.addSub(
       { channelName: 'datadog:express:process_params:start', tag: HTTP_REQUEST_PATH_PARAM },
-      ({ req }) => {
-        if (req && req.params !== null && typeof req.params === 'object') {
-          this._taintTrackingHandler(HTTP_REQUEST_PATH_PARAM, req, 'params')
-        }
-      }
+      pathParamHandler
     )
 
     this.addSub(
       { channelName: 'datadog:router:param:start', tag: HTTP_REQUEST_PATH_PARAM },
-      ({ req }) => {
-        if (req && req.params !== null && typeof req.params === 'object') {
-          this._taintTrackingHandler(HTTP_REQUEST_PATH_PARAM, req, 'params')
+      pathParamHandler
+    )
+
+    this.addSub(
+      { channelName: 'datadog:fastify:path-params:finish', tag: HTTP_REQUEST_PATH_PARAM },
+      ({ req, params }) => {
+        if (req) {
+          this._taintTrackingHandler(HTTP_REQUEST_PATH_PARAM, params)
         }
       }
     )
+  }
 
+  addGraphQLSubscriptions () {
     this.addSub(
       { channelName: 'apm:graphql:resolve:start', tag: HTTP_REQUEST_BODY },
       (data) => {
@@ -128,7 +187,9 @@ class TaintTrackingPlugin extends SourceIastPlugin {
         }
       }
     )
+  }
 
+  addURLParsingSubscriptions () {
     const urlResultTaintedProperties = ['host', 'origin', 'hostname']
     this.addSub(
       { channelName: 'datadog:url:parse:finish' },
@@ -162,9 +223,6 @@ class TaintTrackingPlugin extends SourceIastPlugin {
         context.result =
           newTaintedString(iastContext, context.result, origRange.iinfo.parameterName, origRange.iinfo.type)
       })
-
-    // this is a special case to increment INSTRUMENTED_SOURCE metric for header
-    this.addInstrumentedSource('http', [HTTP_REQUEST_HEADER_VALUE, HTTP_REQUEST_HEADER_NAME])
   }
 
   _taintTrackingHandler (type, target, property, iastContext = getIastContext(storage('legacy').getStore())) {

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/index.js

@@ -4,9 +4,7 @@ const sensitiveHandler = require('./evidence-redaction/sensitive-handler')
 const { stringifyWithRanges } = require('./utils')
 
 class VulnerabilityFormatter {
-  constructor () {
-    this._redactVulnearbilities = true
-  }
+  _redactVulnearbilities = true
 
   setRedactVulnerabilities (shouldRedactVulnerabilities, redactionNamePattern, redactionValuePattern) {
     this._redactVulnearbilities = shouldRedactVulnerabilities

package/packages/dd-trace/src/appsec/rasp/fs-plugin.js

@@ -35,10 +35,6 @@ class AppsecFsPlugin extends Plugin {
     this.addBind('apm:fs:operation:finish', this._onFsOperationFinishOrRenderEnd)
     this.addBind('tracing:datadog:express:response:render:start', this._onResponseRenderStart)
     this.addBind('tracing:datadog:express:response:render:end', this._onFsOperationFinishOrRenderEnd)
-    // TODO Remove this when dc-polyfill is fixed&updated
-    //  hack to node 18 and early 20.x
-    //  with dc-polyfill addBind is not enough to force a channel.hasSubscribers === true
-    this.addSub('tracing:datadog:express:response:render:start', () => {})
 
     super.configure(true)
   }