datadog 2.10.0 → 2.11.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +46 -1
- data/ext/datadog_profiling_native_extension/collectors_stack.c +3 -3
- data/ext/datadog_profiling_native_extension/collectors_thread_context.c +44 -1
- data/ext/datadog_profiling_native_extension/extconf.rb +4 -0
- data/ext/datadog_profiling_native_extension/gvl_profiling_helper.c +2 -0
- data/ext/datadog_profiling_native_extension/gvl_profiling_helper.h +0 -8
- data/ext/datadog_profiling_native_extension/heap_recorder.c +1 -1
- data/ext/datadog_profiling_native_extension/private_vm_api_access.c +56 -0
- data/ext/datadog_profiling_native_extension/private_vm_api_access.h +7 -0
- data/ext/datadog_profiling_native_extension/profiling.c +7 -0
- data/ext/libdatadog_api/crashtracker.c +4 -4
- data/ext/libdatadog_extconf_helpers.rb +1 -1
- data/lib/datadog/appsec/configuration/settings.rb +64 -11
- data/lib/datadog/appsec/contrib/active_record/patcher.rb +0 -3
- data/lib/datadog/appsec/contrib/devise/configuration.rb +76 -0
- data/lib/datadog/appsec/contrib/devise/event.rb +4 -7
- data/lib/datadog/appsec/contrib/devise/patcher/authenticatable_patch.rb +16 -21
- data/lib/datadog/appsec/contrib/devise/patcher/registration_controller_patch.rb +8 -15
- data/lib/datadog/appsec/contrib/devise/patcher/rememberable_patch.rb +1 -1
- data/lib/datadog/appsec/contrib/devise/patcher.rb +0 -3
- data/lib/datadog/appsec/contrib/devise/tracking.rb +1 -1
- data/lib/datadog/appsec/contrib/excon/integration.rb +41 -0
- data/lib/datadog/appsec/contrib/excon/patcher.rb +28 -0
- data/lib/datadog/appsec/contrib/excon/ssrf_detection_middleware.rb +43 -0
- data/lib/datadog/appsec/contrib/faraday/connection_patch.rb +22 -0
- data/lib/datadog/appsec/contrib/faraday/integration.rb +42 -0
- data/lib/datadog/appsec/contrib/faraday/patcher.rb +53 -0
- data/lib/datadog/appsec/contrib/faraday/rack_builder_patch.rb +22 -0
- data/lib/datadog/appsec/contrib/faraday/ssrf_detection_middleware.rb +42 -0
- data/lib/datadog/appsec/contrib/graphql/gateway/watcher.rb +10 -12
- data/lib/datadog/appsec/contrib/graphql/patcher.rb +0 -3
- data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb +65 -73
- data/lib/datadog/appsec/contrib/rack/patcher.rb +0 -3
- data/lib/datadog/appsec/contrib/rails/gateway/watcher.rb +20 -25
- data/lib/datadog/appsec/contrib/rails/patcher.rb +0 -3
- data/lib/datadog/appsec/contrib/sinatra/gateway/watcher.rb +38 -49
- data/lib/datadog/appsec/contrib/sinatra/patcher.rb +0 -3
- data/lib/datadog/appsec/monitor/gateway/watcher.rb +19 -25
- data/lib/datadog/appsec/remote.rb +4 -0
- data/lib/datadog/appsec.rb +2 -0
- data/lib/datadog/core/configuration/components.rb +7 -1
- data/lib/datadog/core/configuration/ext.rb +1 -1
- data/lib/datadog/core/configuration/option_definition.rb +2 -0
- data/lib/datadog/core/configuration/settings.rb +22 -6
- data/lib/datadog/core/encoding.rb +16 -0
- data/lib/datadog/core/environment/agent_info.rb +77 -0
- data/lib/datadog/core/remote/transport/http/api.rb +13 -18
- data/lib/datadog/core/remote/transport/http/config.rb +0 -18
- data/lib/datadog/core/remote/transport/http/negotiation.rb +1 -18
- data/lib/datadog/core/remote/transport/http.rb +7 -12
- data/lib/datadog/core/remote/transport/negotiation.rb +13 -1
- data/lib/datadog/core/telemetry/event.rb +5 -0
- data/lib/datadog/core/transport/http/adapters/unix_socket.rb +1 -1
- data/lib/datadog/{tracing → core}/transport/http/api/instance.rb +1 -1
- data/lib/datadog/{tracing → core}/transport/http/api/spec.rb +1 -1
- data/lib/datadog/{tracing → core}/transport/http/builder.rb +37 -17
- data/lib/datadog/core/transport/response.rb +4 -0
- data/lib/datadog/di/code_tracker.rb +15 -8
- data/lib/datadog/di/component.rb +1 -0
- data/lib/datadog/di/configuration/settings.rb +14 -0
- data/lib/datadog/di/contrib.rb +2 -0
- data/lib/datadog/di/logger.rb +30 -0
- data/lib/datadog/di/probe.rb +3 -6
- data/lib/datadog/di/probe_manager.rb +5 -2
- data/lib/datadog/di/probe_notifier_worker.rb +15 -4
- data/lib/datadog/di/remote.rb +3 -3
- data/lib/datadog/di/utils.rb +91 -0
- data/lib/datadog/di.rb +3 -0
- data/lib/datadog/profiling/component.rb +2 -8
- data/lib/datadog/profiling/load_native_extension.rb +1 -33
- data/lib/datadog/tracing/configuration/ext.rb +1 -0
- data/lib/datadog/tracing/contrib/extensions.rb +14 -0
- data/lib/datadog/tracing/contrib/graphql/configuration/error_extension_env_parser.rb +21 -0
- data/lib/datadog/tracing/contrib/graphql/configuration/settings.rb +11 -0
- data/lib/datadog/tracing/contrib/graphql/ext.rb +5 -0
- data/lib/datadog/tracing/contrib/graphql/unified_trace.rb +102 -11
- data/lib/datadog/tracing/contrib/rack/header_collection.rb +11 -1
- data/lib/datadog/tracing/contrib/rack/middlewares.rb +1 -1
- data/lib/datadog/tracing/contrib/span_attribute_schema.rb +6 -1
- data/lib/datadog/tracing/transport/http/api.rb +11 -2
- data/lib/datadog/tracing/transport/http/traces.rb +0 -3
- data/lib/datadog/tracing/transport/http.rb +12 -7
- data/lib/datadog/tracing/transport/serializable_trace.rb +8 -4
- data/lib/datadog/tracing/transport/traces.rb +25 -8
- data/lib/datadog/version.rb +1 -1
- metadata +23 -28
- data/ext/datadog_profiling_loader/datadog_profiling_loader.c +0 -142
- data/ext/datadog_profiling_loader/extconf.rb +0 -60
- data/lib/datadog/appsec/contrib/graphql/reactive/multiplex.rb +0 -46
- data/lib/datadog/appsec/contrib/patcher.rb +0 -12
- data/lib/datadog/appsec/contrib/rack/reactive/request.rb +0 -69
- data/lib/datadog/appsec/contrib/rack/reactive/request_body.rb +0 -47
- data/lib/datadog/appsec/contrib/rack/reactive/response.rb +0 -53
- data/lib/datadog/appsec/contrib/rails/reactive/action.rb +0 -53
- data/lib/datadog/appsec/contrib/sinatra/reactive/routed.rb +0 -48
- data/lib/datadog/appsec/monitor/reactive/set_user.rb +0 -45
- data/lib/datadog/appsec/reactive/address_hash.rb +0 -22
- data/lib/datadog/appsec/reactive/engine.rb +0 -47
- data/lib/datadog/appsec/reactive/subscriber.rb +0 -19
- data/lib/datadog/core/remote/transport/http/api/instance.rb +0 -39
- data/lib/datadog/core/remote/transport/http/api/spec.rb +0 -21
- data/lib/datadog/core/remote/transport/http/builder.rb +0 -219
|
@@ -1,10 +1,6 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
3
|
require_relative '../../../instrumentation/gateway'
|
|
4
|
-
require_relative '../../../reactive/engine'
|
|
5
|
-
require_relative '../reactive/request'
|
|
6
|
-
require_relative '../reactive/request_body'
|
|
7
|
-
require_relative '../reactive/response'
|
|
8
4
|
require_relative '../../../event'
|
|
9
5
|
|
|
10
6
|
module Datadog
|
|
@@ -25,31 +21,33 @@ module Datadog
|
|
|
25
21
|
|
|
26
22
|
def watch_request(gateway = Instrumentation.gateway)
|
|
27
23
|
gateway.watch('rack.request', :appsec) do |stack, gateway_request|
|
|
28
|
-
event = nil
|
|
29
24
|
context = gateway_request.env[Datadog::AppSec::Ext::CONTEXT_KEY]
|
|
30
|
-
engine = AppSec::Reactive::Engine.new
|
|
31
|
-
|
|
32
|
-
Rack::Reactive::Request.subscribe(engine, context) do |result|
|
|
33
|
-
if result.match?
|
|
34
|
-
# TODO: should this hash be an Event instance instead?
|
|
35
|
-
event = {
|
|
36
|
-
waf_result: result,
|
|
37
|
-
trace: context.trace,
|
|
38
|
-
span: context.span,
|
|
39
|
-
request: gateway_request,
|
|
40
|
-
actions: result.actions
|
|
41
|
-
}
|
|
42
|
-
|
|
43
|
-
# We want to keep the trace in case of security event
|
|
44
|
-
context.trace.keep! if context.trace
|
|
45
|
-
Datadog::AppSec::Event.tag_and_keep!(context, result)
|
|
46
|
-
context.events << event
|
|
47
|
-
|
|
48
|
-
Datadog::AppSec::ActionsHandler.handle(result.actions)
|
|
49
|
-
end
|
|
50
|
-
end
|
|
51
25
|
|
|
52
|
-
|
|
26
|
+
persistent_data = {
|
|
27
|
+
'server.request.cookies' => gateway_request.cookies,
|
|
28
|
+
'server.request.query' => gateway_request.query,
|
|
29
|
+
'server.request.uri.raw' => gateway_request.fullpath,
|
|
30
|
+
'server.request.headers' => gateway_request.headers,
|
|
31
|
+
'server.request.headers.no_cookies' => gateway_request.headers.dup.tap { |h| h.delete('cookie') },
|
|
32
|
+
'http.client_ip' => gateway_request.client_ip,
|
|
33
|
+
'server.request.method' => gateway_request.method
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
|
|
37
|
+
|
|
38
|
+
if result.match?
|
|
39
|
+
Datadog::AppSec::Event.tag_and_keep!(context, result)
|
|
40
|
+
|
|
41
|
+
context.events << {
|
|
42
|
+
waf_result: result,
|
|
43
|
+
trace: context.trace,
|
|
44
|
+
span: context.span,
|
|
45
|
+
request: gateway_request,
|
|
46
|
+
actions: result.actions
|
|
47
|
+
}
|
|
48
|
+
|
|
49
|
+
Datadog::AppSec::ActionsHandler.handle(result.actions)
|
|
50
|
+
end
|
|
53
51
|
|
|
54
52
|
stack.call(gateway_request.request)
|
|
55
53
|
end
|
|
@@ -57,31 +55,29 @@ module Datadog
|
|
|
57
55
|
|
|
58
56
|
def watch_response(gateway = Instrumentation.gateway)
|
|
59
57
|
gateway.watch('rack.response', :appsec) do |stack, gateway_response|
|
|
60
|
-
event = nil
|
|
61
58
|
context = gateway_response.context
|
|
62
|
-
engine = AppSec::Reactive::Engine.new
|
|
63
|
-
|
|
64
|
-
Rack::Reactive::Response.subscribe(engine, context) do |result|
|
|
65
|
-
if result.match?
|
|
66
|
-
# TODO: should this hash be an Event instance instead?
|
|
67
|
-
event = {
|
|
68
|
-
waf_result: result,
|
|
69
|
-
trace: context.trace,
|
|
70
|
-
span: context.span,
|
|
71
|
-
response: gateway_response,
|
|
72
|
-
actions: result.actions
|
|
73
|
-
}
|
|
74
|
-
|
|
75
|
-
# We want to keep the trace in case of security event
|
|
76
|
-
context.trace.keep! if context.trace
|
|
77
|
-
Datadog::AppSec::Event.tag_and_keep!(context, result)
|
|
78
|
-
context.events << event
|
|
79
|
-
|
|
80
|
-
Datadog::AppSec::ActionsHandler.handle(result.actions)
|
|
81
|
-
end
|
|
82
|
-
end
|
|
83
59
|
|
|
84
|
-
|
|
60
|
+
persistent_data = {
|
|
61
|
+
'server.response.status' => gateway_response.status.to_s,
|
|
62
|
+
'server.response.headers' => gateway_response.headers,
|
|
63
|
+
'server.response.headers.no_cookies' => gateway_response.headers.dup.tap { |h| h.delete('set-cookie') }
|
|
64
|
+
}
|
|
65
|
+
|
|
66
|
+
result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
|
|
67
|
+
|
|
68
|
+
if result.match?
|
|
69
|
+
Datadog::AppSec::Event.tag_and_keep!(context, result)
|
|
70
|
+
|
|
71
|
+
context.events << {
|
|
72
|
+
waf_result: result,
|
|
73
|
+
trace: context.trace,
|
|
74
|
+
span: context.span,
|
|
75
|
+
response: gateway_response,
|
|
76
|
+
actions: result.actions
|
|
77
|
+
}
|
|
78
|
+
|
|
79
|
+
Datadog::AppSec::ActionsHandler.handle(result.actions)
|
|
80
|
+
end
|
|
85
81
|
|
|
86
82
|
stack.call(gateway_response.response)
|
|
87
83
|
end
|
|
@@ -89,31 +85,27 @@ module Datadog
|
|
|
89
85
|
|
|
90
86
|
def watch_request_body(gateway = Instrumentation.gateway)
|
|
91
87
|
gateway.watch('rack.request.body', :appsec) do |stack, gateway_request|
|
|
92
|
-
event = nil
|
|
93
88
|
context = gateway_request.env[Datadog::AppSec::Ext::CONTEXT_KEY]
|
|
94
|
-
engine = AppSec::Reactive::Engine.new
|
|
95
|
-
|
|
96
|
-
Rack::Reactive::RequestBody.subscribe(engine, context) do |result|
|
|
97
|
-
if result.match?
|
|
98
|
-
# TODO: should this hash be an Event instance instead?
|
|
99
|
-
event = {
|
|
100
|
-
waf_result: result,
|
|
101
|
-
trace: context.trace,
|
|
102
|
-
span: context.span,
|
|
103
|
-
request: gateway_request,
|
|
104
|
-
actions: result.actions
|
|
105
|
-
}
|
|
106
|
-
|
|
107
|
-
# We want to keep the trace in case of security event
|
|
108
|
-
context.trace.keep! if context.trace
|
|
109
|
-
Datadog::AppSec::Event.tag_and_keep!(context, result)
|
|
110
|
-
context.events << event
|
|
111
|
-
|
|
112
|
-
Datadog::AppSec::ActionsHandler.handle(result.actions)
|
|
113
|
-
end
|
|
114
|
-
end
|
|
115
89
|
|
|
116
|
-
|
|
90
|
+
persistent_data = {
|
|
91
|
+
'server.request.body' => gateway_request.form_hash
|
|
92
|
+
}
|
|
93
|
+
|
|
94
|
+
result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
|
|
95
|
+
|
|
96
|
+
if result.match?
|
|
97
|
+
Datadog::AppSec::Event.tag_and_keep!(context, result)
|
|
98
|
+
|
|
99
|
+
context.events << {
|
|
100
|
+
waf_result: result,
|
|
101
|
+
trace: context.trace,
|
|
102
|
+
span: context.span,
|
|
103
|
+
request: gateway_request,
|
|
104
|
+
actions: result.actions
|
|
105
|
+
}
|
|
106
|
+
|
|
107
|
+
Datadog::AppSec::ActionsHandler.handle(result.actions)
|
|
108
|
+
end
|
|
117
109
|
|
|
118
110
|
stack.call(gateway_request.request)
|
|
119
111
|
end
|
|
@@ -1,6 +1,5 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
|
-
require_relative '../patcher'
|
|
4
3
|
require_relative '../../monitor'
|
|
5
4
|
require_relative 'gateway/watcher'
|
|
6
5
|
|
|
@@ -10,8 +9,6 @@ module Datadog
|
|
|
10
9
|
module Rack
|
|
11
10
|
# Patcher for Rack integration
|
|
12
11
|
module Patcher
|
|
13
|
-
include Datadog::AppSec::Contrib::Patcher
|
|
14
|
-
|
|
15
12
|
module_function
|
|
16
13
|
|
|
17
14
|
def patched?
|
|
@@ -1,8 +1,6 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
3
|
require_relative '../../../instrumentation/gateway'
|
|
4
|
-
require_relative '../../../reactive/engine'
|
|
5
|
-
require_relative '../reactive/action'
|
|
6
4
|
require_relative '../../../event'
|
|
7
5
|
|
|
8
6
|
module Datadog
|
|
@@ -21,31 +19,28 @@ module Datadog
|
|
|
21
19
|
|
|
22
20
|
def watch_request_action(gateway = Instrumentation.gateway)
|
|
23
21
|
gateway.watch('rails.request.action', :appsec) do |stack, gateway_request|
|
|
24
|
-
event = nil
|
|
25
22
|
context = gateway_request.env[Datadog::AppSec::Ext::CONTEXT_KEY]
|
|
26
|
-
engine = AppSec::Reactive::Engine.new
|
|
27
|
-
|
|
28
|
-
Rails::Reactive::Action.subscribe(engine, context) do |result|
|
|
29
|
-
if result.match?
|
|
30
|
-
# TODO: should this hash be an Event instance instead?
|
|
31
|
-
event = {
|
|
32
|
-
waf_result: result,
|
|
33
|
-
trace: context.trace,
|
|
34
|
-
span: context.span,
|
|
35
|
-
request: gateway_request,
|
|
36
|
-
actions: result.actions
|
|
37
|
-
}
|
|
38
|
-
|
|
39
|
-
# We want to keep the trace in case of security event
|
|
40
|
-
context.trace.keep! if context.trace
|
|
41
|
-
Datadog::AppSec::Event.tag_and_keep!(context, result)
|
|
42
|
-
context.events << event
|
|
43
|
-
|
|
44
|
-
Datadog::AppSec::ActionsHandler.handle(result.actions)
|
|
45
|
-
end
|
|
46
|
-
end
|
|
47
23
|
|
|
48
|
-
|
|
24
|
+
persistent_data = {
|
|
25
|
+
'server.request.body' => gateway_request.parsed_body,
|
|
26
|
+
'server.request.path_params' => gateway_request.route_params
|
|
27
|
+
}
|
|
28
|
+
|
|
29
|
+
result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
|
|
30
|
+
|
|
31
|
+
if result.match?
|
|
32
|
+
Datadog::AppSec::Event.tag_and_keep!(context, result)
|
|
33
|
+
|
|
34
|
+
context.events << {
|
|
35
|
+
waf_result: result,
|
|
36
|
+
trace: context.trace,
|
|
37
|
+
span: context.span,
|
|
38
|
+
request: gateway_request,
|
|
39
|
+
actions: result.actions
|
|
40
|
+
}
|
|
41
|
+
|
|
42
|
+
Datadog::AppSec::ActionsHandler.handle(result.actions)
|
|
43
|
+
end
|
|
49
44
|
|
|
50
45
|
stack.call(gateway_request.request)
|
|
51
46
|
end
|
|
@@ -2,7 +2,6 @@
|
|
|
2
2
|
|
|
3
3
|
require_relative '../../../core/utils/only_once'
|
|
4
4
|
|
|
5
|
-
require_relative '../patcher'
|
|
6
5
|
require_relative 'framework'
|
|
7
6
|
require_relative '../../response'
|
|
8
7
|
require_relative '../rack/request_middleware'
|
|
@@ -18,8 +17,6 @@ module Datadog
|
|
|
18
17
|
module Rails
|
|
19
18
|
# Patcher for AppSec on Rails
|
|
20
19
|
module Patcher
|
|
21
|
-
include Datadog::AppSec::Contrib::Patcher
|
|
22
|
-
|
|
23
20
|
BEFORE_INITIALIZE_ONLY_ONCE_PER_APP = Hash.new { |h, key| h[key] = Datadog::Core::Utils::OnlyOnce.new }
|
|
24
21
|
AFTER_INITIALIZE_ONLY_ONCE_PER_APP = Hash.new { |h, key| h[key] = Datadog::Core::Utils::OnlyOnce.new }
|
|
25
22
|
|
|
@@ -1,9 +1,6 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
3
|
require_relative '../../../instrumentation/gateway'
|
|
4
|
-
require_relative '../../../reactive/engine'
|
|
5
|
-
require_relative '../../rack/reactive/request_body'
|
|
6
|
-
require_relative '../reactive/routed'
|
|
7
4
|
require_relative '../../../event'
|
|
8
5
|
|
|
9
6
|
module Datadog
|
|
@@ -23,31 +20,27 @@ module Datadog
|
|
|
23
20
|
|
|
24
21
|
def watch_request_dispatch(gateway = Instrumentation.gateway)
|
|
25
22
|
gateway.watch('sinatra.request.dispatch', :appsec) do |stack, gateway_request|
|
|
26
|
-
event = nil
|
|
27
23
|
context = gateway_request.env[Datadog::AppSec::Ext::CONTEXT_KEY]
|
|
28
|
-
engine = AppSec::Reactive::Engine.new
|
|
29
|
-
|
|
30
|
-
Rack::Reactive::RequestBody.subscribe(engine, context) do |result|
|
|
31
|
-
if result.match?
|
|
32
|
-
# TODO: should this hash be an Event instance instead?
|
|
33
|
-
event = {
|
|
34
|
-
waf_result: result,
|
|
35
|
-
trace: context.trace,
|
|
36
|
-
span: context.span,
|
|
37
|
-
request: gateway_request,
|
|
38
|
-
actions: result.actions
|
|
39
|
-
}
|
|
40
|
-
|
|
41
|
-
# We want to keep the trace in case of security event
|
|
42
|
-
context.trace.keep! if context.trace
|
|
43
|
-
Datadog::AppSec::Event.tag_and_keep!(context, result)
|
|
44
|
-
context.events << event
|
|
45
|
-
|
|
46
|
-
Datadog::AppSec::ActionsHandler.handle(result.actions)
|
|
47
|
-
end
|
|
48
|
-
end
|
|
49
24
|
|
|
50
|
-
|
|
25
|
+
persistent_data = {
|
|
26
|
+
'server.request.body' => gateway_request.form_hash
|
|
27
|
+
}
|
|
28
|
+
|
|
29
|
+
result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
|
|
30
|
+
|
|
31
|
+
if result.match?
|
|
32
|
+
Datadog::AppSec::Event.tag_and_keep!(context, result)
|
|
33
|
+
|
|
34
|
+
context.events << {
|
|
35
|
+
waf_result: result,
|
|
36
|
+
trace: context.trace,
|
|
37
|
+
span: context.span,
|
|
38
|
+
request: gateway_request,
|
|
39
|
+
actions: result.actions
|
|
40
|
+
}
|
|
41
|
+
|
|
42
|
+
Datadog::AppSec::ActionsHandler.handle(result.actions)
|
|
43
|
+
end
|
|
51
44
|
|
|
52
45
|
stack.call(gateway_request.request)
|
|
53
46
|
end
|
|
@@ -55,31 +48,27 @@ module Datadog
|
|
|
55
48
|
|
|
56
49
|
def watch_request_routed(gateway = Instrumentation.gateway)
|
|
57
50
|
gateway.watch('sinatra.request.routed', :appsec) do |stack, (gateway_request, gateway_route_params)|
|
|
58
|
-
event = nil
|
|
59
51
|
context = gateway_request.env[Datadog::AppSec::Ext::CONTEXT_KEY]
|
|
60
|
-
engine = AppSec::Reactive::Engine.new
|
|
61
|
-
|
|
62
|
-
Sinatra::Reactive::Routed.subscribe(engine, context) do |result|
|
|
63
|
-
if result.match?
|
|
64
|
-
# TODO: should this hash be an Event instance instead?
|
|
65
|
-
event = {
|
|
66
|
-
waf_result: result,
|
|
67
|
-
trace: context.trace,
|
|
68
|
-
span: context.span,
|
|
69
|
-
request: gateway_request,
|
|
70
|
-
actions: result.actions
|
|
71
|
-
}
|
|
72
|
-
|
|
73
|
-
# We want to keep the trace in case of security event
|
|
74
|
-
context.trace.keep! if context.trace
|
|
75
|
-
Datadog::AppSec::Event.tag_and_keep!(context, result)
|
|
76
|
-
context.events << event
|
|
77
|
-
|
|
78
|
-
Datadog::AppSec::ActionsHandler.handle(result.actions)
|
|
79
|
-
end
|
|
80
|
-
end
|
|
81
52
|
|
|
82
|
-
|
|
53
|
+
persistent_data = {
|
|
54
|
+
'server.request.path_params' => gateway_route_params.params
|
|
55
|
+
}
|
|
56
|
+
|
|
57
|
+
result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
|
|
58
|
+
|
|
59
|
+
if result.match?
|
|
60
|
+
Datadog::AppSec::Event.tag_and_keep!(context, result)
|
|
61
|
+
|
|
62
|
+
context.events << {
|
|
63
|
+
waf_result: result,
|
|
64
|
+
trace: context.trace,
|
|
65
|
+
span: context.span,
|
|
66
|
+
request: gateway_request,
|
|
67
|
+
actions: result.actions
|
|
68
|
+
}
|
|
69
|
+
|
|
70
|
+
Datadog::AppSec::ActionsHandler.handle(result.actions)
|
|
71
|
+
end
|
|
83
72
|
|
|
84
73
|
stack.call(gateway_request.request)
|
|
85
74
|
end
|
|
@@ -2,7 +2,6 @@
|
|
|
2
2
|
|
|
3
3
|
require_relative '../../../tracing/contrib'
|
|
4
4
|
|
|
5
|
-
require_relative '../patcher'
|
|
6
5
|
require_relative '../../response'
|
|
7
6
|
require_relative '../rack/request_middleware'
|
|
8
7
|
require_relative 'framework'
|
|
@@ -102,8 +101,6 @@ module Datadog
|
|
|
102
101
|
|
|
103
102
|
# Patcher for AppSec on Sinatra
|
|
104
103
|
module Patcher
|
|
105
|
-
include Datadog::AppSec::Contrib::Patcher
|
|
106
|
-
|
|
107
104
|
module_function
|
|
108
105
|
|
|
109
106
|
def patched?
|
|
@@ -1,8 +1,6 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
3
|
require_relative '../../instrumentation/gateway'
|
|
4
|
-
require_relative '../../reactive/engine'
|
|
5
|
-
require_relative '../reactive/set_user'
|
|
6
4
|
|
|
7
5
|
module Datadog
|
|
8
6
|
module AppSec
|
|
@@ -19,31 +17,27 @@ module Datadog
|
|
|
19
17
|
|
|
20
18
|
def watch_user_id(gateway = Instrumentation.gateway)
|
|
21
19
|
gateway.watch('identity.set_user', :appsec) do |stack, user|
|
|
22
|
-
event = nil
|
|
23
20
|
context = Datadog::AppSec.active_context
|
|
24
|
-
engine = AppSec::Reactive::Engine.new
|
|
25
|
-
|
|
26
|
-
Monitor::Reactive::SetUser.subscribe(engine, context) do |result|
|
|
27
|
-
if result.match?
|
|
28
|
-
# TODO: should this hash be an Event instance instead?
|
|
29
|
-
event = {
|
|
30
|
-
waf_result: result,
|
|
31
|
-
trace: context.trace,
|
|
32
|
-
span: context.span,
|
|
33
|
-
user: user,
|
|
34
|
-
actions: result.actions
|
|
35
|
-
}
|
|
36
|
-
|
|
37
|
-
# We want to keep the trace in case of security event
|
|
38
|
-
context.trace.keep! if context.trace
|
|
39
|
-
Datadog::AppSec::Event.tag_and_keep!(context, result)
|
|
40
|
-
context.events << event
|
|
41
|
-
|
|
42
|
-
Datadog::AppSec::ActionsHandler.handle(result.actions)
|
|
43
|
-
end
|
|
44
|
-
end
|
|
45
21
|
|
|
46
|
-
|
|
22
|
+
persistent_data = {
|
|
23
|
+
'usr.id' => user.id
|
|
24
|
+
}
|
|
25
|
+
|
|
26
|
+
result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
|
|
27
|
+
|
|
28
|
+
if result.match?
|
|
29
|
+
Datadog::AppSec::Event.tag_and_keep!(context, result)
|
|
30
|
+
|
|
31
|
+
context.events << {
|
|
32
|
+
waf_result: result,
|
|
33
|
+
trace: context.trace,
|
|
34
|
+
span: context.span,
|
|
35
|
+
user: user,
|
|
36
|
+
actions: result.actions
|
|
37
|
+
}
|
|
38
|
+
|
|
39
|
+
Datadog::AppSec::ActionsHandler.handle(result.actions)
|
|
40
|
+
end
|
|
47
41
|
|
|
48
42
|
stack.call(user)
|
|
49
43
|
end
|
data/lib/datadog/appsec.rb
CHANGED
|
@@ -68,5 +68,7 @@ require_relative 'appsec/contrib/rails/integration'
|
|
|
68
68
|
require_relative 'appsec/contrib/active_record/integration'
|
|
69
69
|
require_relative 'appsec/contrib/devise/integration'
|
|
70
70
|
require_relative 'appsec/contrib/graphql/integration'
|
|
71
|
+
require_relative 'appsec/contrib/faraday/integration'
|
|
72
|
+
require_relative 'appsec/contrib/excon/integration'
|
|
71
73
|
|
|
72
74
|
require_relative 'appsec/autoload'
|
|
@@ -16,6 +16,8 @@ require_relative '../../appsec/component'
|
|
|
16
16
|
require_relative '../../di/component'
|
|
17
17
|
require_relative '../crashtracking/component'
|
|
18
18
|
|
|
19
|
+
require_relative '../environment/agent_info'
|
|
20
|
+
|
|
19
21
|
module Datadog
|
|
20
22
|
module Core
|
|
21
23
|
module Configuration
|
|
@@ -85,7 +87,8 @@ module Datadog
|
|
|
85
87
|
:tracer,
|
|
86
88
|
:crashtracker,
|
|
87
89
|
:dynamic_instrumentation,
|
|
88
|
-
:appsec
|
|
90
|
+
:appsec,
|
|
91
|
+
:agent_info
|
|
89
92
|
|
|
90
93
|
def initialize(settings)
|
|
91
94
|
@logger = self.class.build_logger(settings)
|
|
@@ -96,6 +99,9 @@ module Datadog
|
|
|
96
99
|
# the Core resolver from within your product/component's namespace.
|
|
97
100
|
agent_settings = AgentSettingsResolver.call(settings, logger: @logger)
|
|
98
101
|
|
|
102
|
+
# Exposes agent capability information for detection by any components
|
|
103
|
+
@agent_info = Core::Environment::AgentInfo.new(agent_settings)
|
|
104
|
+
|
|
99
105
|
@telemetry = self.class.build_telemetry(settings, agent_settings, @logger)
|
|
100
106
|
|
|
101
107
|
@remote = Remote::Component.build(settings, agent_settings, telemetry: telemetry)
|
|
@@ -79,6 +79,8 @@ module Datadog
|
|
|
79
79
|
@deprecated_env = value
|
|
80
80
|
end
|
|
81
81
|
|
|
82
|
+
# Invoked when the option is first read, and {#env} is defined.
|
|
83
|
+
# The block provided is only invoked if the environment variable is present (not-nil).
|
|
82
84
|
def env_parser(&block)
|
|
83
85
|
@env_parser = block
|
|
84
86
|
end
|
|
@@ -461,15 +461,31 @@ module Datadog
|
|
|
461
461
|
end
|
|
462
462
|
end
|
|
463
463
|
|
|
464
|
-
#
|
|
465
|
-
#
|
|
466
|
-
# This is a preview feature and disabled by default. It requires Ruby 3.2+.
|
|
467
|
-
#
|
|
468
|
-
# @default `DD_PROFILING_PREVIEW_GVL_ENABLED` environment variable as a boolean, otherwise `false`
|
|
464
|
+
# @deprecated Use {:gvl_enabled} instead.
|
|
469
465
|
option :preview_gvl_enabled do |o|
|
|
470
466
|
o.type :bool
|
|
471
|
-
o.env 'DD_PROFILING_PREVIEW_GVL_ENABLED'
|
|
472
467
|
o.default false
|
|
468
|
+
o.after_set do |_, _, precedence|
|
|
469
|
+
unless precedence == Datadog::Core::Configuration::Option::Precedence::DEFAULT
|
|
470
|
+
Datadog.logger.warn(
|
|
471
|
+
'The profiling.advanced.preview_gvl_enabled setting has been deprecated for removal and ' \
|
|
472
|
+
'no longer does anything. Please remove it from your Datadog.configure block. ' \
|
|
473
|
+
'GVL profiling is now controlled by the profiling.advanced.gvl_enabled setting instead.'
|
|
474
|
+
)
|
|
475
|
+
end
|
|
476
|
+
end
|
|
477
|
+
end
|
|
478
|
+
|
|
479
|
+
# Controls GVL profiling. This will show when threads are waiting for GVL in the timeline view.
|
|
480
|
+
#
|
|
481
|
+
# This feature requires Ruby 3.2+.
|
|
482
|
+
#
|
|
483
|
+
# @default `DD_PROFILING_GVL_ENABLED` environment variable as a boolean, otherwise `true`
|
|
484
|
+
option :gvl_enabled do |o|
|
|
485
|
+
o.type :bool
|
|
486
|
+
o.deprecated_env 'DD_PROFILING_PREVIEW_GVL_ENABLED'
|
|
487
|
+
o.env 'DD_PROFILING_GVL_ENABLED'
|
|
488
|
+
o.default true
|
|
473
489
|
end
|
|
474
490
|
|
|
475
491
|
# Controls the smallest time period the profiler will report a thread waiting for the GVL.
|
|
@@ -10,6 +10,7 @@ module Datadog
|
|
|
10
10
|
# Encoder interface that provides the logic to encode traces and service
|
|
11
11
|
# @abstract
|
|
12
12
|
module Encoder
|
|
13
|
+
# :nocov:
|
|
13
14
|
def content_type
|
|
14
15
|
raise NotImplementedError
|
|
15
16
|
end
|
|
@@ -23,6 +24,13 @@ module Datadog
|
|
|
23
24
|
def encode(_)
|
|
24
25
|
raise NotImplementedError
|
|
25
26
|
end
|
|
27
|
+
|
|
28
|
+
# Deserializes a value serialized with {#encode}.
|
|
29
|
+
# This method is used for debugging purposes.
|
|
30
|
+
def decode(_)
|
|
31
|
+
raise NotImplementedError
|
|
32
|
+
end
|
|
33
|
+
# :nocov:
|
|
26
34
|
end
|
|
27
35
|
|
|
28
36
|
# Encoder for the JSON format
|
|
@@ -41,6 +49,10 @@ module Datadog
|
|
|
41
49
|
JSON.dump(obj)
|
|
42
50
|
end
|
|
43
51
|
|
|
52
|
+
def decode(obj)
|
|
53
|
+
JSON.parse(obj)
|
|
54
|
+
end
|
|
55
|
+
|
|
44
56
|
def join(encoded_data)
|
|
45
57
|
"[#{encoded_data.join(',')}]"
|
|
46
58
|
end
|
|
@@ -62,6 +74,10 @@ module Datadog
|
|
|
62
74
|
MessagePack.pack(obj)
|
|
63
75
|
end
|
|
64
76
|
|
|
77
|
+
def decode(obj)
|
|
78
|
+
MessagePack.unpack(obj)
|
|
79
|
+
end
|
|
80
|
+
|
|
65
81
|
def join(encoded_data)
|
|
66
82
|
packer = MessagePack::Packer.new
|
|
67
83
|
packer.write_array_header(encoded_data.size)
|