cw-datadog 2.23.0.2 → 2.23.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1df9f1c701dfee9c819f80db1e8e764e10d0a283556d63aa89ec0cd7b1ebbdb4
-  data.tar.gz: 20190b5ab1f748d04967ced16fb2dd2f1a816f78c7cbd147313004876c8d8006
+  metadata.gz: e48258b923a9015853cdfcb2b879dfcf9cc347ca9c8ade2ec013d66c0752ed93
+  data.tar.gz: '0998633db06aa8661eeb1f75bb6b4a18460109ae6815671cdcc6e10f8def8a30'
 SHA512:
-  metadata.gz: b59b083e935746d529131ecf3e068d25330b825eaeca87e68cba933309baa620a08aefc2d8995e06199b37384bda49c4ea1dd14498e365031b3ade42834fd04f
-  data.tar.gz: 1ae963ed6f4812e7cdd7d0d1439a7cb4ed7d5a74ae957f2b41fffb5a7aeba54cbbd48c1e71f67a4d3e021a3f8b48bc5fa0f50568f6162012f859d02b15290770
+  metadata.gz: 216d0de9105aecd55f60d887be3c1779d3fdb51aa120f454a4b8ab7093f6e0e64fe06df5d9ea69677c94a190ed1cd767f67be0fd98c255b137c64495f9208447
+  data.tar.gz: 126ae7bae30741f6b010cf6e13dd5ff013f0a2e69a82bf2a156043260142781e520f4d87341bebbd4d928e599790094e67af55f505e1f08c138eca515e2ef77e

data/ext/datadog_profiling_native_extension/extconf.rb

@@ -141,8 +141,10 @@ end
 # On Ruby 3.5, we can't ask the object_id from IMEMOs (https://github.com/ruby/ruby/pull/13347)
 $defs << "-DNO_IMEMO_OBJECT_ID" unless RUBY_VERSION < "3.5"
 
-# On Ruby 2.5 and 3.3, this symbol was not visible. It is on 2.6 to 3.2, as well as 3.4+
-$defs << "-DNO_RB_OBJ_INFO" if RUBY_VERSION.start_with?("2.5", "3.3")
+# This symbol is exclusively visible on certain Ruby versions: 2.6 to 3.2, as well as 3.4 and 3.5-preview1 (but not 4.0)
+# It's only used to get extra information about an object when a failure happens, so it's a "very nice to have" but not
+# actually required for correct behavior of the profiler.
+$defs << "-DNO_RB_OBJ_INFO" if RUBY_VERSION.start_with?("2.5", "3.3", "4.0")
 
 # On older Rubies, rb_postponed_job_preregister/rb_postponed_job_trigger did not exist
 $defs << "-DNO_POSTPONED_TRIGGER" if RUBY_VERSION < "3.3"

data/ext/libdatadog_api/library_config.c

@@ -99,27 +99,28 @@ static VALUE _native_configurator_get(VALUE self) {
   ddog_Configurator *configurator;
   TypedData_Get_Struct(self, ddog_Configurator, &configurator_typed_data, configurator);
 
-  // Wrapping config_logged_result into a Ruby object enables the Ruby GC to manage its memory
-  // We need to allocate memory for config_logged_result because once it is out of scope, it will be freed (at the end of this function)
-  // So we cannot reference it with &config_logged_result
-  // We are doing this in case one of the ruby API raises an exception before the end of this function,
-  // so the allocated memory will still be freed
-  ddog_LibraryConfigLoggedResult *configurator_logged_result = ruby_xcalloc(1, sizeof(ddog_LibraryConfigLoggedResult));
-  *configurator_logged_result = ddog_library_configurator_get(configurator);
-  VALUE config_logged_result_rb = TypedData_Wrap_Struct(config_logged_result_class, &config_logged_result_typed_data, configurator_logged_result);
+  // We don't allocate memory here so if there is an error, we don't need to manage the memory
+  ddog_LibraryConfigLoggedResult before_error_result = ddog_library_configurator_get(configurator);
 
-  if (configurator_logged_result->tag == DDOG_LIBRARY_CONFIG_LOGGED_RESULT_ERR) {
-    ddog_Error err = configurator_logged_result->err;
+  if (before_error_result.tag == DDOG_LIBRARY_CONFIG_LOGGED_RESULT_ERR) {
+    ddog_Error err = before_error_result.err;
     VALUE message = get_error_details_and_drop(&err);
     if (is_config_loaded()) {
       log_warning(message);
     } else {
       log_warning_without_config(message);
     }
-    RB_GC_GUARD(config_logged_result_rb);
     return rb_hash_new();
   }
 
+  // Wrapping config_logged_result into a Ruby object enables the Ruby GC to manage its memory
+  // We need to allocate memory for config_logged_result because once it is out of scope, it will be freed (at the end of this function)
+  // We are doing this in case one of the ruby API raises an exception before the end of this function,
+  // so the allocated memory will still be freed
+  ddog_LibraryConfigLoggedResult *configurator_logged_result = ruby_xcalloc(1, sizeof(ddog_LibraryConfigLoggedResult));
+  *configurator_logged_result = before_error_result;
+  VALUE config_logged_result_rb = TypedData_Wrap_Struct(config_logged_result_class, &config_logged_result_typed_data, configurator_logged_result);
+
   VALUE logs = Qnil;
   if (configurator_logged_result->ok.logs.length > 0) {
     logs = rb_utf8_str_new_cstr(configurator_logged_result->ok.logs.ptr);

data/ext/libdatadog_extconf_helpers.rb

@@ -10,7 +10,7 @@ module Datadog
   module LibdatadogExtconfHelpers
     # Used to make sure the correct gem version gets loaded, as extconf.rb does not get run with "bundle exec" and thus
     # may see multiple libdatadog versions. See https://github.com/DataDog/dd-trace-rb/pull/2531 for the horror story.
-    LIBDATADOG_VERSION = '~> 23.0.0.1.0'
+    LIBDATADOG_VERSION = '~> 24.0.1.1.0'
 
     # Used as an workaround for a limitation with how dynamic linking works in environments where the datadog gem and
     # libdatadog are moved after the extension gets compiled.

data/lib/datadog/appsec/api_security/route_extractor.rb

@@ -10,7 +10,8 @@ module Datadog
         SINATRA_ROUTE_KEY = 'sinatra.route'
         SINATRA_ROUTE_SEPARATOR = ' '
         GRAPE_ROUTE_KEY = 'grape.routing_args'
-        RAILS_ROUTE_KEY = 'action_dispatch.route_uri_pattern'
+        RAILS_ROUTE_URI_PATTERN_KEY = 'action_dispatch.route_uri_pattern'
+        RAILS_ROUTE_KEY = 'action_dispatch.route' # Rails 8.1.1+
         RAILS_ROUTES_KEY = 'action_dispatch.routes'
         RAILS_PATH_PARAMS_KEY = 'action_dispatch.request.path_parameters'
         RAILS_FORMAT_SUFFIX = '(.:format)'
@@ -37,6 +38,9 @@ module Datadog
         #       Rails > 7.1 (fast path)
         #         uses `action_dispatch.route_uri_pattern` with a string like
         #         "/users/:id(.:format)"
+        #       Rails > 8.1.1 (fast path)
+        #         uses `action_dispatch.route` to store the ActionDispatch::Journey::Route
+        #         that matched when the request was routed
         #
         # WARNING: This method works only *after* the request has been routed.
         #
@@ -52,11 +56,18 @@ module Datadog
             pattern = request.env[SINATRA_ROUTE_KEY].split(SINATRA_ROUTE_SEPARATOR, 2)[1]
             "#{request.script_name}#{pattern}"
           elsif request.env.key?(RAILS_ROUTE_KEY)
-            request.env[RAILS_ROUTE_KEY].delete_suffix(RAILS_FORMAT_SUFFIX)
+            request.env[RAILS_ROUTE_KEY].path.spec.to_s.delete_suffix(RAILS_FORMAT_SUFFIX)
+          elsif request.env.key?(RAILS_ROUTE_URI_PATTERN_KEY)
+            request.env[RAILS_ROUTE_URI_PATTERN_KEY].delete_suffix(RAILS_FORMAT_SUFFIX)
           elsif request.env.key?(RAILS_ROUTES_KEY) && !request.env.fetch(RAILS_PATH_PARAMS_KEY, {}).empty?
-            # NOTE: Rails mutate HEAD request in order to understand that route is supported.
-            #       It will assing GET request method and run the route recognition.
-            request = request.env[RAILS_ROUTES_KEY].request_class.new(request.env) if request.head?
+            # NOTE: In Rails < 7.1 this `request` argument will be a Rack::Request,
+            #       it does not have all the methods that ActionDispatch::Request has.
+            #       Before trying to use the router to recognize the route, we need to
+            #       create a new ActionDispatch::Request from the request env
+            #
+            # NOTE: Rails mutates HEAD request by changing the method to GET
+            #       and uses it for route recognition to check if the route is defined
+            request = request.env[RAILS_ROUTES_KEY].request_class.new(request.env)
 
             pattern = request.env[RAILS_ROUTES_KEY].router
               .recognize(request) { |route, _| break route.path.spec.to_s }
@@ -70,6 +81,10 @@ module Datadog
           else
             Tracing::Contrib::Rack::RouteInference.read_or_infer(request.env)
           end
+        rescue => e
+          AppSec.telemetry&.report(e, description: 'AppSec: Could not extract route pattern')
+
+          nil
         end
       end
     end

data/lib/datadog/appsec/api_security/sampler.rb

@@ -45,7 +45,9 @@ module Datadog
           return true if @sample_delay_seconds.zero?
           return false if response.status == 404
 
-          key = Zlib.crc32("#{request.request_method}#{RouteExtractor.route_pattern(request)}#{response.status}")
+          route_pattern = RouteExtractor.route_pattern(request).to_s
+
+          key = Zlib.crc32("#{request.request_method}#{route_pattern}#{response.status}")
           current_timestamp = Core::Utils::Time.now.to_i
           cached_timestamp = @cache[key] || 0
 

data/lib/datadog/appsec/assets/blocked.html

@@ -82,12 +82,20 @@
         footer p {
             font-size: 16px
         }
+
+        .security-response-id {
+            font-size:14px;
+            color:#999;
+            margin-top:20px;
+            font-family:monospace
+        }
     </style>
 </head>
 
 <body>
     <main>
         <p>Sorry, you cannot access this page. Please contact the customer service team.</p>
+        <p class="security-response-id">Security Response ID: [security_response_id]</p>
     </main>
     <footer>
         <p>Security provided by <a

data/lib/datadog/appsec/assets/blocked.json

@@ -1 +1 @@
-{"errors": [{"title": "You've been blocked", "detail": "Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}]}
+{"errors":[{"title":"You've been blocked","detail":"Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}],"security_response_id":"[security_response_id]"}

data/lib/datadog/appsec/assets/blocked.text

@@ -1,5 +1,7 @@
-You've been blocked
+You've been blocked.
 
 Sorry, you cannot access this page. Please contact the customer service team.
 
+Security Response ID: [security_response_id]
+
 Security provided by Datadog.

data/lib/datadog/appsec/assets.rb

@@ -21,7 +21,7 @@ module Datadog
       end
 
       def blocked(format: :html)
-        (@blocked ||= {})[format] ||= read("blocked.#{format}")
+        (@blocked ||= {})[format] ||= read("blocked.#{format}").freeze
       end
 
       def path

data/lib/datadog/appsec/remote.rb

@@ -23,6 +23,8 @@ module Datadog
         CAP_ASM_CUSTOM_RULES = 1 << 8
         CAP_ASM_CUSTOM_BLOCKING_RESPONSE = 1 << 9
         CAP_ASM_TRUSTED_IPS = 1 << 10
+        CAP_ASM_PROCESSOR_OVERRIDES = 1 << 16
+        CAP_ASM_CUSTOM_DATA_SCANNERS = 1 << 17
         CAP_ASM_RASP_SSRF = 1 << 23
         CAP_ASM_RASP_SQLI = 1 << 21
         CAP_ASM_AUTO_USER_INSTRUM_MODE = 1 << 31
@@ -43,6 +45,8 @@ module Datadog
           CAP_ASM_CUSTOM_RULES,
           CAP_ASM_CUSTOM_BLOCKING_RESPONSE,
           CAP_ASM_TRUSTED_IPS,
+          CAP_ASM_PROCESSOR_OVERRIDES,
+          CAP_ASM_CUSTOM_DATA_SCANNERS,
           CAP_ASM_RASP_SSRF,
           CAP_ASM_RASP_SQLI,
           CAP_ASM_AUTO_USER_INSTRUM_MODE,

data/lib/datadog/appsec/response.rb

@@ -7,6 +7,8 @@ module Datadog
   module AppSec
     # AppSec response
     class Response
+      SECURITY_RESPONSE_ID_PLACEHOLDER = '[security_response_id]'
+
       attr_reader :status, :headers, :body
 
       def initialize(status:, headers: {}, body: [])
@@ -37,16 +39,26 @@ module Datadog
           Response.new(
             status: interrupt_params['status_code']&.to_i || 403,
             headers: {'Content-Type' => content_type},
-            body: [content(content_type)],
+            body: [
+              content(
+                security_response_id: interrupt_params['security_response_id'],
+                content_type: content_type
+              )
+            ],
           )
         end
 
         def redirect_response(interrupt_params)
           status_code = interrupt_params['status_code'].to_i
+          location = interrupt_params.fetch('location')
+
+          if (security_response_id = interrupt_params.fetch('security_response_id'))
+            location.gsub!(SECURITY_RESPONSE_ID_PLACEHOLDER, security_response_id)
+          end
 
           Response.new(
             status: ((status_code >= 300 && status_code < 400) ? status_code : 303),
-            headers: {'Location' => interrupt_params.fetch('location')},
+            headers: {'Location' => location},
             body: [],
           )
         end
@@ -82,16 +94,18 @@ module Datadog
           DEFAULT_CONTENT_TYPE
         end
 
-        def content(content_type)
+        def content(security_response_id:, content_type:)
           content_format = CONTENT_TYPE_TO_FORMAT[content_type]
 
           using_default = Datadog.configuration.appsec.block.templates.using_default?(content_format)
 
-          if using_default
+          template = if using_default
             Datadog::AppSec::Assets.blocked(format: content_format)
           else
             Datadog.configuration.appsec.block.templates.send(content_format)
           end
+
+          template.gsub(SECURITY_RESPONSE_ID_PLACEHOLDER, security_response_id.to_s)
         end
       end
     end