dd-trace 5.64.0 → 5.66.0

package/packages/datadog-plugin-ws/src/index.js

@@ -0,0 +1,26 @@
+'use strict'
+
+const CompositePlugin = require('../../dd-trace/src/plugins/composite')
+
+const WSServerPlugin = require('./server')
+const WSProducerPlugin = require('./producer')
+const WSReceiverPlugin = require('./receiver')
+const WSClosePlugin = require('./close')
+
+class WSPlugin extends CompositePlugin {
+  static get id () { return 'ws' }
+  static get plugins () {
+    return {
+      server: WSServerPlugin,
+      producer: WSProducerPlugin,
+      receiver: WSReceiverPlugin,
+      close: WSClosePlugin
+    }
+  }
+
+  configure (config) {
+    return super.configure(config)
+  }
+}
+
+module.exports = WSPlugin

package/packages/datadog-plugin-ws/src/producer.js

@@ -0,0 +1,60 @@
+'use strict'
+
+const TracingPlugin = require('../../dd-trace/src/plugins/tracing.js')
+
+class WSProducerPlugin extends TracingPlugin {
+  static get id () { return 'ws' }
+  static get prefix () { return 'tracing:ws:send' }
+  static get type () { return 'websocket' }
+  static get kind () { return 'producer' }
+
+  bindStart (ctx) {
+    const messagesEnabled = this.config.traceWebsocketMessagesEnabled
+    if (!messagesEnabled) return
+
+    const { byteLength, socket, binary } = ctx
+    if (!socket.spanContext) return
+
+    const spanTags = socket.spanContext.spanTags
+    const path = spanTags['resource.name'].split(' ')[1]
+    const opCode = binary ? 'binary' : 'text'
+    const service = this.serviceName({ pluginConfig: this.config })
+    const span = this.startSpan(this.operationName(), {
+      service,
+      meta: {
+        'span.type': 'websocket',
+        'span.kind': 'producer',
+        'resource.name': `websocket ${path}`,
+        'websocket.message.type': opCode,
+
+      },
+      metrics: {
+        'websocket.message.length': byteLength
+      }
+
+    }, ctx)
+
+    ctx.span = span
+    return ctx.currentStore
+  }
+
+  bindAsyncStart (ctx) {
+    ctx.span.finish()
+    return ctx.parentStore
+  }
+
+  asyncStart (ctx) {
+    ctx.span.finish()
+  }
+
+  end (ctx) {
+    if (!Object.hasOwn(ctx, 'result')) return
+
+    if (ctx.socket.spanContext) ctx.span.addLink(ctx.socket.spanContext, { 'dd.kind': 'resuming' })
+
+    ctx.span.finish()
+    return ctx.parentStore
+  }
+}
+
+module.exports = WSProducerPlugin

package/packages/datadog-plugin-ws/src/receiver.js

@@ -0,0 +1,70 @@
+'use strict'
+
+const TracingPlugin = require('../../dd-trace/src/plugins/tracing.js')
+
+class WSReceiverPlugin extends TracingPlugin {
+  static get id () { return 'ws' }
+  static get prefix () { return 'tracing:ws:receive' }
+  static get type () { return 'websocket' }
+  static get kind () { return 'consumer' }
+
+  bindStart (ctx) {
+    const {
+      traceWebsocketMessagesEnabled,
+      traceWebsocketMessagesInheritSampling,
+      traceWebsocketMessagesSeparateTraces
+    } = this.config
+    if (!traceWebsocketMessagesEnabled) return
+
+    const { byteLength, socket, binary } = ctx
+    if (!socket.spanContext) return
+
+    const spanTags = socket.spanContext.spanTags
+    const path = spanTags['resource.name'].split(' ')[1]
+    const opCode = binary ? 'binary' : 'text'
+
+    const service = this.serviceName({ pluginConfig: this.config })
+    const span = this.startSpan(this.operationName(), {
+      service,
+      meta: {
+        'span.type': 'websocket',
+        'span.kind': 'consumer',
+        'resource.name': `websocket ${path}`,
+        'websocket.duration.style': 'handler',
+        'websocket.message.type': opCode,
+      },
+      metrics: {
+        'websocket.message.length': byteLength,
+      }
+
+    }, ctx)
+
+    if (traceWebsocketMessagesInheritSampling && traceWebsocketMessagesSeparateTraces) {
+      span.setTag('_dd.dm.service', spanTags['service.name'] || service)
+      span.setTag('_dd.dm.resource', spanTags['resource.name'] || `websocket ${path}`)
+      span.setTag('_dd.dm.inherited', 1)
+    }
+
+    ctx.span = span
+    return ctx.currentStore
+  }
+
+  bindAsyncStart (ctx) {
+    return ctx.parentStore
+  }
+
+  asyncStart (ctx) {
+    ctx.span.finish()
+  }
+
+  end (ctx) {
+    if (!Object.hasOwn(ctx, 'result')) return
+
+    if (ctx.socket.spanContext) ctx.span.addLink(ctx.socket.spanContext, { 'dd.kind': 'executed_by' })
+
+    ctx.span.finish()
+    return ctx.parentStore
+  }
+}
+
+module.exports = WSReceiverPlugin

package/packages/datadog-plugin-ws/src/server.js

@@ -0,0 +1,79 @@
+'use strict'
+
+const TracingPlugin = require('../../dd-trace/src/plugins/tracing.js')
+const tags = require('../../../ext/tags.js')
+
+const HTTP_STATUS_CODE = tags.HTTP_STATUS_CODE
+
+class WSServerPlugin extends TracingPlugin {
+  static get id () { return 'ws' }
+  static get prefix () { return 'tracing:ws:server:connect' }
+  static get type () { return 'websocket' }
+  static get kind () { return 'request' }
+
+  bindStart (ctx) {
+    const req = ctx.req
+
+    const options = {}
+    const headers = Object.entries(req.headers)
+    options.headers = Object.fromEntries(headers)
+    options.method = req.method
+
+    const protocol = `${getRequestProtocol(req)}:`
+    const host = options.headers.host
+    const path = req.url
+    const uri = `${protocol}//${host}${path}`
+
+    ctx.args = { options }
+
+    const service = this.serviceName({ pluginConfig: this.config })
+    const span = this.startSpan(this.operationName(), {
+      service,
+      meta: {
+        'span.type': 'websocket',
+        'http.upgraded': 'websocket',
+        'http.method': options.method,
+        'http.url': uri,
+        'resource.name': `${options.method} ${path}`,
+        'span.kind': 'server'
+
+      }
+
+    }, ctx)
+    ctx.span = span
+
+    ctx.socket.spanContext = ctx.span._spanContext
+    ctx.socket.spanContext.spanTags = ctx.span._spanContext._tags
+
+    return ctx.currentStore
+  }
+
+  bindAsyncStart (ctx) {
+    ctx.span.setTag(HTTP_STATUS_CODE, ctx.req.resStatus)
+
+    return ctx.parentStore
+  }
+
+  asyncStart (ctx) {
+    ctx.span.finish()
+  }
+}
+
+function getRequestProtocol (req, fallback = 'ws') {
+  // 1. Check if the underlying TLS socket has 'encrypted'
+  if (req.socket && req.socket.encrypted) {
+    return 'wss'
+  }
+
+  // 2. Check for a trusted header set by a proxy
+  if (req.headers && req.headers['x-forwarded-proto']) {
+    const proto = req.headers['x-forwarded-proto'].split(',')[0].trim()
+    if (proto === 'https') return 'wss'
+    if (proto === 'http') return 'ws'
+  }
+
+  // 3. Fallback to ws
+  return fallback
+}
+
+module.exports = WSServerPlugin

package/packages/datadog-shimmer/src/shimmer.js

@@ -86,7 +86,7 @@ function wrapFunction (original, wrapper) {
 /**
  * Wraps a method of an object with a wrapper function.
  *
- * @param {Record<string | symbol, unknown> | Function} target - The target
+ * @param {Record<string | symbol, unknown> | Function | undefined} target - The target
  * object.
  * @param {string | symbol} name - The property key of the method to wrap.
  * @param {(original: Function) => (...args) => any} wrapper - The wrapper function.
@@ -95,7 +95,7 @@ function wrapFunction (original, wrapper) {
  * returns the earlier retrieved value. Use with care! This may only be done in
  * case the getter absolutely has no side effect and no setter is defined for the
  * property.
- * @returns {Record<string | symbol, unknown> | Function} The target object with
+ * @returns {Record<string | symbol, unknown> | Function | undefined} The target object with
  * the wrapped method.
  */
 function wrap (target, name, wrapper, options) {
@@ -103,6 +103,15 @@ function wrap (target, name, wrapper, options) {
     throw new TypeError(wrapper ? 'Target is not a function' : 'No function provided')
   }
 
+  if (target == null) {
+    // TODO: Add logging. This is an indicator that the part of a module that we
+    // try to instrument changed.
+    // Accessing the properties directly is in itself also unsafe, so we could just
+    // pass through an array of properties that should be accessed and automatically
+    // handle the access in here.
+    return
+  }
+
   // No descriptor means original was on the prototype. This is not totally
   // safe, since we define the property on the target. That could have an impact
   // in case e.g., the own keys are checks.

package/packages/dd-trace/src/appsec/blocking.js

@@ -14,6 +14,8 @@ let defaultBlockingActionParameters
 
 const responseBlockedSet = new WeakSet()
 
+const blockDelegations = new WeakMap()
+
 const specificBlockingTypes = {
   GRAPHQL: 'graphql'
 }
@@ -99,6 +101,9 @@ function getBlockingData (req, specificType, actionParameters) {
 }
 
 function block (req, res, rootSpan, abortController, actionParameters = defaultBlockingActionParameters) {
+  // synchronous blocking overrides previously created delegations
+  blockDelegations.delete(res)
+
   try {
     if (res.headersSent) {
       log.warn('[ASM] Cannot send blocking response when headers have already been sent')
@@ -127,11 +132,33 @@ function block (req, res, rootSpan, abortController, actionParameters = defaultB
     rootSpan?.setTag('_dd.appsec.block.failed', 1)
     log.error('[ASM] Blocking error', err)
 
+    // TODO: if blocking fails, then the response will never be sent ?
+
     updateBlockFailureMetric(req)
     return false
   }
 }
 
+function registerBlockDelegation (req, res) {
+  const args = arguments
+
+  return new Promise((resolve) => {
+    // ignore subsequent delegations by never calling their resolve()
+    if (blockDelegations.has(res)) return
+
+    blockDelegations.set(res, { args, resolve })
+  })
+}
+
+function callBlockDelegation (res) {
+  const delegation = blockDelegations.get(res)
+  if (delegation) {
+    const result = block.apply(this, delegation.args)
+    delegation.resolve(result)
+    return result
+  }
+}
+
 function getBlockingAction (actions) {
   // waf only returns one action, but it prioritizes redirect over block
   return actions?.redirect_request || actions?.block_request
@@ -158,6 +185,8 @@ function setDefaultBlockingActionParameters (actions) {
 module.exports = {
   addSpecificEndpoint,
   block,
+  registerBlockDelegation,
+  callBlockDelegation,
   specificBlockingTypes,
   getBlockingData,
   getBlockingAction,

package/packages/dd-trace/src/appsec/channels.js

@@ -14,10 +14,11 @@ module.exports = {
   expressProcessParams: dc.channel('datadog:express:process_params:start'),
   expressSession: dc.channel('datadog:express-session:middleware:finish'),
   fastifyBodyParser: dc.channel('datadog:fastify:body-parser:finish'),
-  fastifyResponseChannel: dc.channel('datadog:fastify:response:finish'),
-  fastifyQueryParams: dc.channel('datadog:fastify:query-params:finish'),
   fastifyCookieParser: dc.channel('datadog:fastify-cookie:read:finish'),
+  fastifyMiddlewareError: dc.channel('apm:fastify:middleware:error'),
   fastifyPathParams: dc.channel('datadog:fastify:path-params:finish'),
+  fastifyQueryParams: dc.channel('datadog:fastify:query-params:finish'),
+  fastifyResponseChannel: dc.channel('datadog:fastify:response:finish'),
   fsOperationStart: dc.channel('apm:fs:operation:start'),
   graphqlMiddlewareChannel: dc.tracingChannel('datadog:apollo:middleware'),
   httpClientRequestStart: dc.channel('apm:http:client:request:start'),
@@ -36,6 +37,7 @@ module.exports = {
   responseSetHeader: dc.channel('datadog:http:server:response:set-header:start'),
   responseWriteHead: dc.channel('apm:http:server:response:writeHead:start'),
   routerParam: dc.channel('datadog:router:param:start'),
+  routerMiddlewareError: dc.channel('apm:router:middleware:error'),
   setCookieChannel: dc.channel('datadog:iast:set-cookie'),
   setUncaughtExceptionCaptureCallbackStart: dc.channel('datadog:process:setUncaughtExceptionCaptureCallback:start'),
   startGraphqlResolve: dc.channel('datadog:graphql:resolver:start'),

package/packages/dd-trace/src/appsec/index.js

@@ -34,7 +34,7 @@ const apiSecuritySampler = require('./api_security_sampler')
 const web = require('../plugins/util/web')
 const { extractIp } = require('../plugins/util/ip_extractor')
 const { HTTP_CLIENT_IP } = require('../../../../ext/tags')
-const { isBlocked, block, setTemplates, getBlockingAction } = require('./blocking')
+const { isBlocked, block, callBlockDelegation, setTemplates, getBlockingAction } = require('./blocking')
 const UserTracking = require('./user_tracking')
 const { storage } = require('../../../datadog-core')
 const graphql = require('./graphql')
@@ -306,8 +306,13 @@ function onResponseWriteHead ({ req, res, abortController, statusCode, responseH
     storedResponseHeaders.set(req, responseHeaders)
   }
 
+  // TODO: do not call waf if inside block()
+  // if (isBlocking()) {
+  //   return
+  // }
+
   // avoid "write after end" error
-  if (isBlocked(res)) {
+  if (isBlocked(res) || callBlockDelegation(res)) {
     abortController?.abort()
     return
   }

package/packages/dd-trace/src/appsec/rasp/fs-plugin.js

@@ -35,6 +35,7 @@ class AppsecFsPlugin extends Plugin {
     this.addBind('apm:fs:operation:finish', this._onFsOperationFinishOrRenderEnd)
     this.addBind('tracing:datadog:express:response:render:start', this._onResponseRenderStart)
     this.addBind('tracing:datadog:express:response:render:end', this._onFsOperationFinishOrRenderEnd)
+    // We might have to add the same subscribers for fastify later
 
     super.configure(true)
   }

package/packages/dd-trace/src/appsec/rasp/index.js

@@ -1,8 +1,13 @@
 'use strict'
 
 const web = require('../../plugins/util/web')
-const { setUncaughtExceptionCaptureCallbackStart, expressMiddlewareError } = require('../channels')
-const { block, isBlocked } = require('../blocking')
+const {
+  setUncaughtExceptionCaptureCallbackStart,
+  expressMiddlewareError,
+  fastifyMiddlewareError,
+  routerMiddlewareError
+} = require('../channels')
+const { block, registerBlockDelegation, isBlocked } = require('../blocking')
 const ssrf = require('./ssrf')
 const sqli = require('./sql_injection')
 const lfi = require('./lfi')
@@ -39,7 +44,7 @@ function findDatadogRaspAbortError (err, deep = 10) {
 }
 
 function handleUncaughtExceptionMonitor (error) {
-  if (!blockOnDatadogRaspAbortError({ error })) return
+  if (!blockOnDatadogRaspAbortError({ error, isTopLevel: true })) return
 
   if (process.hasUncaughtExceptionCaptureCallback()) {
     // uncaughtException event is not executed when hasUncaughtExceptionCaptureCallback is true
@@ -81,15 +86,22 @@ function handleUncaughtExceptionMonitor (error) {
   }
 }
 
-function blockOnDatadogRaspAbortError ({ error }) {
+function blockOnDatadogRaspAbortError ({ error, isTopLevel }) {
   const abortError = findDatadogRaspAbortError(error)
   if (!abortError) return false
 
   const { req, res, blockingAction, raspRule, ruleTriggered } = abortError
   if (!isBlocked(res)) {
-    const blocked = block(req, res, web.root(req), null, blockingAction)
+    const blockFn = isTopLevel ? block : registerBlockDelegation
+    const blocked = blockFn(req, res, web.root(req), null, blockingAction)
     if (ruleTriggered) {
-      updateRaspRuleMatchMetricTags(req, raspRule, true, blocked)
+      // block() returns a bool, and registerBlockDelegation() returns a promise
+      // we use Promise.resolve() to handle both cases
+      Promise.resolve(blocked).then(blocked => {
+        // TODO: bug: this metric is not called when the raspAbortError is caught by user
+        // or on subsequent blockDelegations
+        updateRaspRuleMatchMetricTags(req, raspRule, true, blocked)
+      })
     }
   }
 
@@ -103,7 +115,10 @@ function enable (config) {
   cmdi.enable(config)
 
   process.on('uncaughtExceptionMonitor', handleUncaughtExceptionMonitor)
+
   expressMiddlewareError.subscribe(blockOnDatadogRaspAbortError)
+  fastifyMiddlewareError.subscribe(blockOnDatadogRaspAbortError)
+  routerMiddlewareError.subscribe(blockOnDatadogRaspAbortError)
 }
 
 function disable () {
@@ -113,7 +128,10 @@ function disable () {
   cmdi.disable()
 
   process.off('uncaughtExceptionMonitor', handleUncaughtExceptionMonitor)
-  if (expressMiddlewareError.hasSubscribers) expressMiddlewareError.unsubscribe(blockOnDatadogRaspAbortError)
+
+  expressMiddlewareError.unsubscribe(blockOnDatadogRaspAbortError)
+  fastifyMiddlewareError.unsubscribe(blockOnDatadogRaspAbortError)
+  routerMiddlewareError.unsubscribe(blockOnDatadogRaspAbortError)
 }
 
 module.exports = {

package/packages/dd-trace/src/appsec/rasp/lfi.js

@@ -33,7 +33,7 @@ function disable () {
 }
 
 function onFirstReceivedRequest () {
-  // nodejs unsubscribe during publish bug: https://github.com/nodejs/node/pull/55116
+  // Node.js unsubscribe during publish bug: https://github.com/nodejs/node/pull/55116
   process.nextTick(() => {
     incomingHttpRequestStart.unsubscribe(onFirstReceivedRequest)
   })

package/packages/dd-trace/src/appsec/rasp/utils.js

@@ -19,6 +19,11 @@ const RULE_TYPES = {
   SSRF: 'ssrf'
 }
 
+const ALLOWED_ROOTSPAN_NAMES = new Set([
+  'express.request',
+  'fastify.request'
+])
+
 class DatadogRaspAbortError extends Error {
   constructor (req, res, blockingAction, raspRule, ruleTriggered) {
     super('DatadogRaspAbortError')
@@ -28,6 +33,12 @@ class DatadogRaspAbortError extends Error {
     this.blockingAction = blockingAction
     this.raspRule = raspRule
     this.ruleTriggered = ruleTriggered
+
+    // hide these props to not pollute app logs
+    Object.defineProperties(this, {
+      req: { enumerable: false },
+      res: { enumerable: false }
+    })
   }
 }
 
@@ -52,9 +63,9 @@ function handleResult (result, req, res, abortController, config, raspRule) {
 
   if (abortController && !abortOnUncaughtException) {
     const blockingAction = getBlockingAction(result?.actions)
+    const rootSpanName = rootSpan?.context?.()?._name
 
-    // Should block only in express
-    if (blockingAction && rootSpan?.context()._name === 'express.request') {
+    if (blockingAction && ALLOWED_ROOTSPAN_NAMES.has(rootSpanName)) {
       const abortError = new DatadogRaspAbortError(req, res, blockingAction, raspRule, ruleTriggered)
       abortController.abort(abortError)
 

package/packages/dd-trace/src/azure_metadata.js

@@ -76,10 +76,11 @@ function buildMetadata () {
 }
 
 function getAzureAppMetadata () {
-  // DD_AZURE_APP_SERVICES is an environment variable introduced by the .NET APM team and is set automatically for
-  // anyone using the Datadog APM Extensions (.NET, Java, or Node) for Windows Azure App Services
-  // See: https://github.com/DataDog/datadog-aas-extension/blob/01f94b5c28b7fa7a9ab264ca28bd4e03be603900/node/src/applicationHost.xdt#L20-L21
-  if (getEnvironmentVariable('DD_AZURE_APP_SERVICES') !== undefined) {
+  // WEBSITE_SITE_NAME is the unique name of the website instance within Azure App Services. Its
+  // presence is used to determine if we are running in Azure App Service
+  // See equivalent in dd-trace-dotnet:
+  // https://github.com/DataDog/dd-trace-dotnet/blob/37030168b2996e549ba23231ae732874b53a37e6/tracer/src/Datadog.Trace/Util/EnvironmentHelpers.cs#L99-L155
+  if (getEnvironmentVariable('WEBSITE_SITE_NAME') !== undefined) {
     return buildMetadata()
   }
 }

package/packages/dd-trace/src/config.js

@@ -630,6 +630,9 @@ class Config {
     defaults['tracePropagationStyle.inject'] = ['datadog', 'tracecontext', 'baggage']
     defaults['tracePropagationStyle.extract'] = ['datadog', 'tracecontext', 'baggage']
     defaults['tracePropagationStyle.otelPropagators'] = false
+    defaults.traceWebsocketMessagesEnabled = true
+    defaults.traceWebsocketMessagesInheritSampling = true
+    defaults.traceWebsocketMessagesSeparateTraces = true
     defaults.tracing = true
     defaults.url = undefined
     defaults.version = pkg.version
@@ -812,6 +815,9 @@ class Config {
       DD_TRACE_SPAN_LEAK_DEBUG,
       DD_TRACE_STARTUP_LOGS,
       DD_TRACE_TAGS,
+      DD_TRACE_WEBSOCKET_MESSAGES_ENABLED,
+      DD_TRACE_WEBSOCKET_MESSAGES_INHERIT_SAMPLING,
+      DD_TRACE_WEBSOCKET_MESSAGES_SEPARATE_TRACES,
       DD_TRACE_X_DATADOG_TAGS_MAX_LENGTH,
       DD_TRACING_ENABLED,
       DD_VERSION,
@@ -1050,6 +1056,9 @@ class Config {
       DD_TRACE_PROPAGATION_STYLE_EXTRACT
         ? false
         : !!OTEL_PROPAGATORS)
+    this._setBoolean(env, 'traceWebsocketMessagesEnabled', DD_TRACE_WEBSOCKET_MESSAGES_ENABLED)
+    this._setBoolean(env, 'traceWebsocketMessagesInheritSampling', DD_TRACE_WEBSOCKET_MESSAGES_INHERIT_SAMPLING)
+    this._setBoolean(env, 'traceWebsocketMessagesSeparateTraces', DD_TRACE_WEBSOCKET_MESSAGES_SEPARATE_TRACES)
     this._setBoolean(env, 'tracing', DD_TRACING_ENABLED)
     this._setString(env, 'version', DD_VERSION || tags.version)
     this._setBoolean(env, 'inferredProxyServicesEnabled', DD_TRACE_INFERRED_PROXY_SERVICES_ENABLED)
@@ -1215,6 +1224,9 @@ class Config {
     this._setTags(opts, 'tags', tags)
     this._setBoolean(opts, 'traceId128BitGenerationEnabled', options.traceId128BitGenerationEnabled)
     this._setBoolean(opts, 'traceId128BitLoggingEnabled', options.traceId128BitLoggingEnabled)
+    this._setBoolean(opts, 'traceWebsocketMessagesEnabled', options.traceWebsocketMessagesEnabled)
+    this._setBoolean(opts, 'traceWebsocketMessagesInheritSampling', options.traceWebsocketMessagesInheritSampling)
+    this._setBoolean(opts, 'traceWebsocketMessagesSeparateTraces', options.traceWebsocketMessagesSeparateTraces)
     this._setString(opts, 'version', options.version || tags.version)
     this._setBoolean(opts, 'inferredProxyServicesEnabled', options.inferredProxyServicesEnabled)
     this._setBoolean(opts, 'graphqlErrorExtensions', options.graphqlErrorExtensions)

package/packages/dd-trace/src/datastreams/pathway.js

@@ -17,7 +17,7 @@ const CONTEXT_PROPAGATION_KEY_BASE64 = 'dd-pathway-ctx-base64'
 const logKeys = [CONTEXT_PROPAGATION_KEY, CONTEXT_PROPAGATION_KEY_BASE64]
 
 function shaHash (checkpointString) {
-  const hash = crypto.createHash('md5').update(checkpointString).digest('hex').slice(0, 16)
+  const hash = crypto.createHash('sha256').update(checkpointString).digest('hex').slice(0, 16)
   return Buffer.from(hash, 'hex')
 }
 

package/packages/dd-trace/src/dogstatsd.js

@@ -156,23 +156,19 @@ class DogStatsDClient {
     return socket
   }
 
-  static generateClientConfig (config = {}) {
+  static generateClientConfig (config) {
     const tags = []
 
     if (config.tags) {
-      Object.keys(config.tags)
-        .filter(key => typeof config.tags[key] === 'string')
-        .filter(key => {
-          // Skip runtime-id unless enabled as cardinality may be too high
-          if (key !== 'runtime-id') return true
-          return config.runtimeMetricsRuntimeId
-        })
-        .forEach(key => {
+      for (const [key, value] of Object.entries(config.tags)) {
+        // Skip runtime-id unless enabled as cardinality may be too high
+        if (typeof value === 'string' && (key !== 'runtime-id' || config.runtimeMetricsRuntimeId)) {
           // https://docs.datadoghq.com/tagging/#defining-tags
-          const value = config.tags[key].replaceAll(/[^a-z0-9_:./-]/ig, '_')
+          const valueStripped = value.replaceAll(/[^a-z0-9_:./-]/ig, '_')
 
-          tags.push(`${key}:${value}`)
-        })
+          tags.push(`${key}:${valueStripped}`)
+        }
+      }
     }
 
     const clientConfig = {
@@ -216,7 +212,7 @@ class MetricsAggregationClient {
     this._histograms = new Map()
   }
 
-  // TODO: Aggerate with a histogram and send the buckets to the client.
+  // TODO: Aggregate with a histogram and send the buckets to the client.
   distribution (name, value, tags) {
     this._client.distribution(name, value, tags)
   }
@@ -352,9 +348,10 @@ class MetricsAggregationClient {
  * @implements {DogStatsD}
  */
 class CustomMetrics {
+  #client
   constructor (config) {
     const clientConfig = DogStatsDClient.generateClientConfig(config)
-    this._client = new MetricsAggregationClient(new DogStatsDClient(clientConfig))
+    this.#client = new MetricsAggregationClient(new DogStatsDClient(clientConfig))
 
     const flush = this.flush.bind(this)
 
@@ -365,27 +362,27 @@ class CustomMetrics {
   }
 
   increment (stat, value = 1, tags) {
-    this._client.increment(stat, value, CustomMetrics.tagTranslator(tags))
+    this.#client.increment(stat, value, CustomMetrics.tagTranslator(tags))
   }
 
   decrement (stat, value = 1, tags) {
-    this._client.decrement(stat, value, CustomMetrics.tagTranslator(tags))
+    this.#client.decrement(stat, value, CustomMetrics.tagTranslator(tags))
   }
 
   gauge (stat, value, tags) {
-    this._client.gauge(stat, value, CustomMetrics.tagTranslator(tags))
+    this.#client.gauge(stat, value, CustomMetrics.tagTranslator(tags))
   }
 
   distribution (stat, value, tags) {
-    this._client.distribution(stat, value, CustomMetrics.tagTranslator(tags))
+    this.#client.distribution(stat, value, CustomMetrics.tagTranslator(tags))
   }
 
   histogram (stat, value, tags) {
-    this._client.histogram(stat, value, CustomMetrics.tagTranslator(tags))
+    this.#client.histogram(stat, value, CustomMetrics.tagTranslator(tags))
   }
 
   flush () {
-    return this._client.flush()
+    return this.#client.flush()
   }
 
   /**