RubyGems - datadog - Versions diffs - 2.15.0 → 2.17.0 - Mend

datadog 2.15.0 → 2.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (194) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +74 -2
data/ext/datadog_profiling_native_extension/datadog_ruby_common.c +1 -4
data/ext/datadog_profiling_native_extension/datadog_ruby_common.h +7 -0
data/ext/datadog_profiling_native_extension/encoded_profile.c +22 -12
data/ext/datadog_profiling_native_extension/encoded_profile.h +1 -0
data/ext/datadog_profiling_native_extension/extconf.rb +3 -0
data/ext/datadog_profiling_native_extension/heap_recorder.c +8 -1
data/ext/datadog_profiling_native_extension/http_transport.c +45 -72
data/ext/datadog_profiling_native_extension/stack_recorder.c +4 -5
data/ext/libdatadog_api/crashtracker.c +11 -12
data/ext/libdatadog_api/crashtracker.h +5 -0
data/ext/libdatadog_api/datadog_ruby_common.c +1 -4
data/ext/libdatadog_api/datadog_ruby_common.h +7 -0
data/ext/libdatadog_api/init.c +15 -0
data/ext/libdatadog_api/library_config.c +122 -0
data/ext/libdatadog_api/library_config.h +19 -0
data/ext/libdatadog_api/macos_development.md +3 -3
data/ext/libdatadog_api/process_discovery.c +117 -0
data/ext/libdatadog_api/process_discovery.h +5 -0
data/ext/libdatadog_extconf_helpers.rb +1 -1
data/lib/datadog/appsec/actions_handler.rb +3 -2
data/lib/datadog/appsec/api_security/lru_cache.rb +49 -0
data/lib/datadog/appsec/api_security.rb +9 -0
data/lib/datadog/appsec/assets/waf_rules/recommended.json +1344 -0
data/lib/datadog/appsec/assets/waf_rules/strict.json +1344 -0
data/lib/datadog/appsec/autoload.rb +1 -1
data/lib/datadog/appsec/component.rb +11 -4
data/lib/datadog/appsec/configuration/settings.rb +31 -18
data/lib/datadog/appsec/context.rb +1 -1
data/lib/datadog/appsec/contrib/active_record/instrumentation.rb +10 -12
data/lib/datadog/appsec/contrib/active_record/integration.rb +1 -1
data/lib/datadog/appsec/contrib/active_record/patcher.rb +22 -22
data/lib/datadog/appsec/contrib/devise/data_extractor.rb +2 -3
data/lib/datadog/appsec/contrib/devise/ext.rb +1 -0
data/lib/datadog/appsec/contrib/devise/integration.rb +1 -1
data/lib/datadog/appsec/contrib/devise/patcher.rb +3 -5
data/lib/datadog/appsec/contrib/devise/tracking_middleware.rb +17 -4
data/lib/datadog/appsec/contrib/excon/integration.rb +1 -1
data/lib/datadog/appsec/contrib/excon/ssrf_detection_middleware.rb +9 -10
data/lib/datadog/appsec/contrib/faraday/integration.rb +1 -1
data/lib/datadog/appsec/contrib/faraday/ssrf_detection_middleware.rb +8 -9
data/lib/datadog/appsec/contrib/graphql/gateway/watcher.rb +8 -9
data/lib/datadog/appsec/contrib/graphql/integration.rb +1 -1
data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb +22 -32
data/lib/datadog/appsec/contrib/rack/integration.rb +1 -1
data/lib/datadog/appsec/contrib/rack/request_middleware.rb +16 -16
data/lib/datadog/appsec/contrib/rails/gateway/watcher.rb +11 -13
data/lib/datadog/appsec/contrib/rails/integration.rb +1 -1
data/lib/datadog/appsec/contrib/rails/patcher.rb +21 -21
data/lib/datadog/appsec/contrib/rest_client/integration.rb +1 -1
data/lib/datadog/appsec/contrib/rest_client/request_ssrf_detection_patch.rb +10 -11
data/lib/datadog/appsec/contrib/sinatra/gateway/watcher.rb +17 -23
data/lib/datadog/appsec/contrib/sinatra/integration.rb +1 -1
data/lib/datadog/appsec/event.rb +85 -95
data/lib/datadog/appsec/instrumentation/gateway/argument.rb +5 -2
data/lib/datadog/appsec/metrics/telemetry.rb +1 -1
data/lib/datadog/appsec/monitor/gateway/watcher.rb +42 -12
data/lib/datadog/appsec/processor/rule_loader.rb +26 -28
data/lib/datadog/appsec/processor/rule_merger.rb +5 -5
data/lib/datadog/appsec/processor.rb +1 -1
data/lib/datadog/appsec/remote.rb +14 -13
data/lib/datadog/appsec/response.rb +6 -6
data/lib/datadog/appsec/security_engine/runner.rb +1 -1
data/lib/datadog/appsec/security_event.rb +39 -0
data/lib/datadog/appsec.rb +1 -1
data/lib/datadog/core/buffer/random.rb +18 -2
data/lib/datadog/core/configuration/agent_settings_resolver.rb +5 -5
data/lib/datadog/core/configuration/agentless_settings_resolver.rb +176 -0
data/lib/datadog/core/configuration/components.rb +48 -30
data/lib/datadog/core/configuration/components_state.rb +23 -0
data/lib/datadog/core/configuration/option.rb +79 -43
data/lib/datadog/core/configuration/option_definition.rb +4 -4
data/lib/datadog/core/configuration/options.rb +1 -1
data/lib/datadog/core/configuration/settings.rb +20 -10
data/lib/datadog/core/configuration/stable_config.rb +23 -0
data/lib/datadog/core/configuration.rb +40 -16
data/lib/datadog/core/crashtracking/component.rb +3 -10
data/lib/datadog/core/encoding.rb +1 -1
data/lib/datadog/core/environment/cgroup.rb +10 -12
data/lib/datadog/core/environment/container.rb +38 -40
data/lib/datadog/core/environment/ext.rb +6 -6
data/lib/datadog/core/environment/git.rb +1 -0
data/lib/datadog/core/environment/identity.rb +3 -3
data/lib/datadog/core/environment/platform.rb +3 -3
data/lib/datadog/core/environment/variable_helpers.rb +1 -1
data/lib/datadog/core/error.rb +11 -9
data/lib/datadog/core/logger.rb +2 -2
data/lib/datadog/core/metrics/client.rb +20 -21
data/lib/datadog/core/metrics/logging.rb +5 -5
data/lib/datadog/core/process_discovery.rb +32 -0
data/lib/datadog/core/rate_limiter.rb +4 -2
data/lib/datadog/core/remote/client.rb +39 -31
data/lib/datadog/core/remote/component.rb +3 -3
data/lib/datadog/core/remote/configuration/digest.rb +7 -7
data/lib/datadog/core/remote/configuration/path.rb +1 -1
data/lib/datadog/core/remote/transport/http/client.rb +1 -1
data/lib/datadog/core/remote/transport/http/config.rb +21 -5
data/lib/datadog/core/remote/transport/http/negotiation.rb +1 -1
data/lib/datadog/core/runtime/metrics.rb +4 -4
data/lib/datadog/core/telemetry/component.rb +78 -53
data/lib/datadog/core/telemetry/emitter.rb +23 -11
data/lib/datadog/core/telemetry/event/app_client_configuration_change.rb +65 -0
data/lib/datadog/core/telemetry/event/app_closing.rb +18 -0
data/lib/datadog/core/telemetry/event/app_dependencies_loaded.rb +33 -0
data/lib/datadog/core/telemetry/event/app_heartbeat.rb +18 -0
data/lib/datadog/core/telemetry/event/app_integrations_change.rb +58 -0
data/lib/datadog/core/telemetry/event/app_started.rb +179 -0
data/lib/datadog/core/telemetry/event/base.rb +40 -0
data/lib/datadog/core/telemetry/event/distributions.rb +18 -0
data/lib/datadog/core/telemetry/event/generate_metrics.rb +43 -0
data/lib/datadog/core/telemetry/event/log.rb +76 -0
data/lib/datadog/core/telemetry/event/message_batch.rb +42 -0
data/lib/datadog/core/telemetry/event/synth_app_client_configuration_change.rb +43 -0
data/lib/datadog/core/telemetry/event.rb +17 -472
data/lib/datadog/core/telemetry/http/adapters/net.rb +12 -97
data/lib/datadog/core/telemetry/logger.rb +1 -1
data/lib/datadog/core/telemetry/metric.rb +3 -3
data/lib/datadog/core/telemetry/request.rb +3 -3
data/lib/datadog/core/telemetry/transport/http/api.rb +43 -0
data/lib/datadog/core/telemetry/transport/http/client.rb +49 -0
data/lib/datadog/core/telemetry/transport/http/telemetry.rb +92 -0
data/lib/datadog/core/telemetry/transport/http.rb +63 -0
data/lib/datadog/core/telemetry/transport/telemetry.rb +51 -0
data/lib/datadog/core/telemetry/worker.rb +90 -24
data/lib/datadog/core/transport/http/adapters/test.rb +2 -1
data/lib/datadog/core/transport/http/builder.rb +13 -13
data/lib/datadog/core/utils/at_fork_monkey_patch.rb +6 -6
data/lib/datadog/core/utils/duration.rb +32 -32
data/lib/datadog/core/utils/forking.rb +2 -2
data/lib/datadog/core/utils/network.rb +6 -6
data/lib/datadog/core/utils/only_once_successful.rb +16 -5
data/lib/datadog/core/utils/time.rb +20 -0
data/lib/datadog/core/utils/truncation.rb +21 -0
data/lib/datadog/core/vendor/multipart-post/multipart/post/composite_read_io.rb +1 -1
data/lib/datadog/core/vendor/multipart-post/multipart/post/multipartable.rb +8 -8
data/lib/datadog/core/vendor/multipart-post/multipart/post/parts.rb +7 -7
data/lib/datadog/core/worker.rb +1 -1
data/lib/datadog/core/workers/async.rb +29 -12
data/lib/datadog/core/workers/interval_loop.rb +12 -1
data/lib/datadog/core/workers/runtime_metrics.rb +2 -2
data/lib/datadog/core.rb +8 -0
data/lib/datadog/di/boot.rb +34 -0
data/lib/datadog/di/remote.rb +2 -0
data/lib/datadog/di.rb +5 -32
data/lib/datadog/error_tracking/collector.rb +87 -0
data/lib/datadog/error_tracking/component.rb +167 -0
data/lib/datadog/error_tracking/configuration/settings.rb +63 -0
data/lib/datadog/error_tracking/configuration.rb +11 -0
data/lib/datadog/error_tracking/ext.rb +18 -0
data/lib/datadog/error_tracking/extensions.rb +16 -0
data/lib/datadog/error_tracking/filters.rb +77 -0
data/lib/datadog/error_tracking.rb +18 -0
data/lib/datadog/kit/identity.rb +1 -1
data/lib/datadog/profiling/collectors/code_provenance.rb +1 -1
data/lib/datadog/profiling/exporter.rb +1 -1
data/lib/datadog/profiling/ext.rb +0 -1
data/lib/datadog/profiling/flush.rb +1 -1
data/lib/datadog/profiling/http_transport.rb +1 -6
data/lib/datadog/profiling/scheduler.rb +8 -1
data/lib/datadog/profiling/tag_builder.rb +1 -5
data/lib/datadog/tracing/analytics.rb +1 -1
data/lib/datadog/tracing/contrib/active_support/cache/events/cache.rb +4 -1
data/lib/datadog/tracing/contrib/active_support/cache/instrumentation.rb +33 -0
data/lib/datadog/tracing/contrib/active_support/cache/patcher.rb +4 -0
data/lib/datadog/tracing/contrib/active_support/cache/redis.rb +2 -4
data/lib/datadog/tracing/contrib/aws/instrumentation.rb +10 -0
data/lib/datadog/tracing/contrib/aws/parsed_context.rb +5 -1
data/lib/datadog/tracing/contrib/http/instrumentation.rb +1 -5
data/lib/datadog/tracing/contrib/httpclient/instrumentation.rb +1 -5
data/lib/datadog/tracing/contrib/httprb/instrumentation.rb +1 -5
data/lib/datadog/tracing/contrib/karafka/distributed/propagation.rb +2 -0
data/lib/datadog/tracing/contrib/karafka/monitor.rb +1 -1
data/lib/datadog/tracing/contrib/mongodb/configuration/settings.rb +8 -0
data/lib/datadog/tracing/contrib/mongodb/ext.rb +1 -0
data/lib/datadog/tracing/contrib/mongodb/subscribers.rb +18 -1
data/lib/datadog/tracing/contrib/patcher.rb +5 -2
data/lib/datadog/tracing/contrib/support.rb +28 -0
data/lib/datadog/tracing/distributed/b3_multi.rb +1 -1
data/lib/datadog/tracing/distributed/b3_single.rb +1 -1
data/lib/datadog/tracing/distributed/datadog.rb +2 -2
data/lib/datadog/tracing/metadata/errors.rb +4 -4
data/lib/datadog/tracing/sampling/rate_sampler.rb +2 -1
data/lib/datadog/tracing/span_operation.rb +38 -14
data/lib/datadog/tracing/trace_operation.rb +15 -7
data/lib/datadog/tracing/tracer.rb +7 -3
data/lib/datadog/tracing/utils.rb +1 -1
data/lib/datadog/version.rb +1 -1
data/lib/datadog.rb +2 -3
metadata +53 -10
data/lib/datadog/core/telemetry/http/env.rb +0 -20
data/lib/datadog/core/telemetry/http/ext.rb +0 -28
data/lib/datadog/core/telemetry/http/response.rb +0 -70
data/lib/datadog/core/telemetry/http/transport.rb +0 -90

data/lib/datadog/appsec/monitor/gateway/watcher.rb CHANGED Viewed

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
+require_relative '../../event'
+require_relative '../../security_event'
 require_relative '../../instrumentation/gateway'
 module Datadog
@@ -8,18 +10,24 @@ module Datadog
       module Gateway
         # Watcher for Apssec internal events
         module Watcher
+          ARBITRARY_VALUE = 'invalid'
+          EVENT_LOGIN_SUCCESS = 'users.login.success'
+          EVENT_LOGIN_FAILURE = 'users.login.failure'
+          WATCHED_LOGIN_EVENTS = [EVENT_LOGIN_SUCCESS, EVENT_LOGIN_FAILURE].freeze
           class << self
             def watch
               gateway = Instrumentation.gateway
               watch_user_id(gateway)
+              watch_user_login(gateway)
             end
             def watch_user_id(gateway = Instrumentation.gateway)
               gateway.watch('identity.set_user', :appsec) do |stack, user|
-                context = Datadog::AppSec.active_context
+                context = AppSec.active_context
-                if user.id.nil? && user.login.nil?
+                if user.id.nil? && user.login.nil? && user.session_id.nil?
                   Datadog.logger.debug { 'AppSec: skipping WAF check because no user information was provided' }
                   next stack.call(user)
                 end
@@ -27,24 +35,46 @@ module Datadog
                 persistent_data = {}
                 persistent_data['usr.id'] = user.id if user.id
                 persistent_data['usr.login'] = user.login if user.login
+                persistent_data['usr.session_id'] = user.session_id if user.session_id
                 result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
+                if result.match? || result.derivatives.any?
+                  context.events.push(
+                    AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
+                  )
+                end
                 if result.match?
-                  Datadog::AppSec::Event.tag_and_keep!(context, result)
+                  AppSec::Event.tag_and_keep!(context, result)
+                  AppSec::ActionsHandler.handle(result.actions)
+                end
+                stack.call(user)
+              end
+            end
-                  context.events << {
-                    waf_result: result,
-                    trace: context.trace,
-                    span: context.span,
-                    user: user,
-                    actions: result.actions
-                  }
+            def watch_user_login(gateway = Instrumentation.gateway)
+              gateway.watch('appsec.events.user_lifecycle', :appsec) do |stack, kind|
+                context = AppSec.active_context
-                  Datadog::AppSec::ActionsHandler.handle(result.actions)
+                next stack.call(kind) unless WATCHED_LOGIN_EVENTS.include?(kind)
+                persistent_data = {"server.business_logic.#{kind}" => ARBITRARY_VALUE}
+                result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
+                if result.match? || result.derivatives.any?
+                  context.events.push(
+                    AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
+                  )
                 end
-                stack.call(user)
+                if result.match?
+                  AppSec::Event.tag_and_keep!(context, result)
+                  AppSec::ActionsHandler.handle(result.actions)
+                end
+                stack.call(kind)
               end
             end
           end

data/lib/datadog/appsec/processor/rule_loader.rb CHANGED Viewed

@@ -10,35 +10,33 @@ module Datadog
       module RuleLoader
         class << self
           def load_rules(ruleset:, telemetry:)
-            begin
-              case ruleset
-              when :recommended, :strict
-                JSON.parse(Datadog::AppSec::Assets.waf_rules(ruleset))
-              when :risky
-                Datadog.logger.warn(
-                  'The :risky Application Security Management ruleset has been deprecated and no longer available.'\
-                  'The `:recommended` ruleset will be used instead.'\
-                  'Please remove the `appsec.ruleset = :risky` setting from your Datadog.configure block.'
-                )
-                JSON.parse(Datadog::AppSec::Assets.waf_rules(:recommended))
-              when String
-                JSON.parse(File.read(File.expand_path(ruleset)))
-              when File, StringIO
-                JSON.parse(ruleset.read || '').tap { ruleset.rewind }
-              when Hash
-                ruleset
-              else
-                raise ArgumentError, "unsupported value for ruleset setting: #{ruleset.inspect}"
-              end
-            rescue StandardError => e
-              Datadog.logger.error do
-                "libddwaf ruleset failed to load, ruleset: #{ruleset.inspect} error: #{e.inspect}"
-              end
+            case ruleset
+            when :recommended, :strict
+              JSON.parse(Datadog::AppSec::Assets.waf_rules(ruleset))
+            when :risky
+              Datadog.logger.warn(
+                'The :risky Application Security Management ruleset has been deprecated and no longer available.' \
+                'The `:recommended` ruleset will be used instead.' \
+                'Please remove the `appsec.ruleset = :risky` setting from your Datadog.configure block.'
+              )
+              JSON.parse(Datadog::AppSec::Assets.waf_rules(:recommended))
+            when String
+              JSON.parse(File.read(File.expand_path(ruleset)))
+            when File, StringIO
+              JSON.parse(ruleset.read || '').tap { ruleset.rewind }
+            when Hash
+              ruleset
+            else
+              raise ArgumentError, "unsupported value for ruleset setting: #{ruleset.inspect}"
+            end
+          rescue => e
+            Datadog.logger.error do
+              "libddwaf ruleset failed to load, ruleset: #{ruleset.inspect} error: #{e.inspect}"
+            end
-              telemetry.report(e, description: 'libddwaf ruleset failed to load')
+            telemetry.report(e, description: 'libddwaf ruleset failed to load')
-              nil
-            end
+            nil
           end
           def load_data(ip_denylist: [], user_id_denylist: [])
@@ -62,7 +60,7 @@ module Datadog
             {
               'id' => id,
               'type' => 'data_with_expiration',
-              'data' => denylist.map { |v| { 'value' => v.to_s, 'expiration' => 2**63 } }
+              'data' => denylist.map { |v| {'value' => v.to_s, 'expiration' => 2**63} }
             }
           end

data/lib/datadog/appsec/processor/rule_merger.rb CHANGED Viewed

@@ -11,8 +11,8 @@ module Datadog
         # RuleVersionMismatchError
         class RuleVersionMismatchError < StandardError
           def initialize(version1, version2)
-            msg = 'Merging rule files with different version could lead to unkown behaviour. '\
-              "We have receieve two rule files with versions: #{version1}, #{version2}. "\
+            msg = 'Merging rule files with different version could lead to unkown behaviour. ' \
+              "We have receieve two rule files with versions: #{version1}, #{version2}. " \
               'Please validate the configuration is correct and try again.'
             super(msg)
           end
@@ -27,7 +27,7 @@ module Datadog
           )
             processors ||= begin
               default_waf_processors
-            rescue StandardError => e
+            rescue => e
               Datadog.logger.error("libddwaf rulemerger failed to parse default waf processors. Error: #{e.inspect}")
               telemetry.report(
                 e,
@@ -38,7 +38,7 @@ module Datadog
             scanners ||= begin
               default_waf_scanners
-            rescue StandardError => e
+            rescue => e
               Datadog.logger.error("libddwaf rulemerger failed to parse default waf scanners. Error: #{e.inspect}")
               telemetry.report(
                 e,
@@ -146,7 +146,7 @@ module Datadog
             end
             result.each_with_object([]) do |entry, acc|
-              value = { 'value' => entry[0] }
+              value = {'value' => entry[0]}
               value['expiration'] = entry[1] if entry[1]
               acc << value

data/lib/datadog/appsec/processor.rb CHANGED Viewed

@@ -82,7 +82,7 @@ module Datadog
         @diagnostics = e.diagnostics if e.diagnostics
         false
-      rescue StandardError => e
+      rescue => e
         Datadog.logger.error do
           "libddwaf failed to initialize, error: #{e.inspect}"
         end

data/lib/datadog/appsec/remote.rb CHANGED Viewed

@@ -9,22 +9,23 @@ module Datadog
     # Remote
     module Remote
       class ReadError < StandardError; end
       class NoRulesError < StandardError; end
       class << self
-        CAP_ASM_RESERVED_1                = 1 << 0   # RESERVED
-        CAP_ASM_ACTIVATION                = 1 << 1   # Remote activation via ASM_FEATURES product
-        CAP_ASM_IP_BLOCKING               = 1 << 2   # accept IP blocking data from ASM_DATA product
-        CAP_ASM_DD_RULES                  = 1 << 3   # read ASM rules from ASM_DD product
-        CAP_ASM_EXCLUSIONS                = 1 << 4   # exclusion filters (passlist) via ASM product
-        CAP_ASM_REQUEST_BLOCKING          = 1 << 5   # can block on request info
-        CAP_ASM_RESPONSE_BLOCKING         = 1 << 6   # can block on response info
-        CAP_ASM_USER_BLOCKING             = 1 << 7   # accept user blocking data from ASM_DATA product
-        CAP_ASM_CUSTOM_RULES              = 1 << 8   # accept custom rules
-        CAP_ASM_CUSTOM_BLOCKING_RESPONSE  = 1 << 9   # supports custom http code or redirect sa blocking response
-        CAP_ASM_TRUSTED_IPS               = 1 << 10  # supports trusted ip
-        CAP_ASM_RASP_SSRF                 = 1 << 23  # support for server-side request forgery exploit prevention rules
-        CAP_ASM_RASP_SQLI                 = 1 << 21  # support for SQL injection exploit prevention rules
+        CAP_ASM_RESERVED_1 = 1 << 0   # RESERVED
+        CAP_ASM_ACTIVATION = 1 << 1   # Remote activation via ASM_FEATURES product
+        CAP_ASM_IP_BLOCKING = 1 << 2   # accept IP blocking data from ASM_DATA product
+        CAP_ASM_DD_RULES = 1 << 3   # read ASM rules from ASM_DD product
+        CAP_ASM_EXCLUSIONS = 1 << 4   # exclusion filters (passlist) via ASM product
+        CAP_ASM_REQUEST_BLOCKING = 1 << 5   # can block on request info
+        CAP_ASM_RESPONSE_BLOCKING = 1 << 6   # can block on response info
+        CAP_ASM_USER_BLOCKING = 1 << 7   # accept user blocking data from ASM_DATA product
+        CAP_ASM_CUSTOM_RULES = 1 << 8   # accept custom rules
+        CAP_ASM_CUSTOM_BLOCKING_RESPONSE = 1 << 9   # supports custom http code or redirect sa blocking response
+        CAP_ASM_TRUSTED_IPS = 1 << 10  # supports trusted ip
+        CAP_ASM_RASP_SSRF = 1 << 23  # support for server-side request forgery exploit prevention rules
+        CAP_ASM_RASP_SQLI = 1 << 21  # support for SQL injection exploit prevention rules
         # TODO: we need to dynamically add CAP_ASM_ACTIVATION once we support it
         ASM_CAPABILITIES = [

data/lib/datadog/appsec/response.rb CHANGED Viewed

@@ -30,13 +30,13 @@ module Datadog
         def block_response(interrupt_params, http_accept_header)
           content_type = case interrupt_params['type']
-                         when nil, 'auto' then content_type(http_accept_header)
-                         else FORMAT_TO_CONTENT_TYPE.fetch(interrupt_params['type'], DEFAULT_CONTENT_TYPE)
-                         end
+          when nil, 'auto' then content_type(http_accept_header)
+          else FORMAT_TO_CONTENT_TYPE.fetch(interrupt_params['type'], DEFAULT_CONTENT_TYPE)
+          end
           Response.new(
             status: interrupt_params['status_code']&.to_i || 403,
-            headers: { 'Content-Type' => content_type },
+            headers: {'Content-Type' => content_type},
             body: [content(content_type)],
           )
         end
@@ -45,8 +45,8 @@ module Datadog
           status_code = interrupt_params['status_code'].to_i
           Response.new(
-            status: (status_code >= 300 && status_code < 400 ? status_code : 303),
-            headers: { 'Location' => interrupt_params.fetch('location') },
+            status: ((status_code >= 300 && status_code < 400) ? status_code : 303),
+            headers: {'Location' => interrupt_params.fetch('location')},
             body: [],
           )
         end

data/lib/datadog/appsec/security_engine/runner.rb CHANGED Viewed

@@ -42,7 +42,7 @@ module Datadog
             return Result::Error.new(duration_ext_ns: stop_ns - start_ns)
           end
-          klass = result.status == :match ? Result::Match : Result::Ok
+          klass = (result.status == :match) ? Result::Match : Result::Ok
           klass.new(
             events: result.events,
             actions: result.actions,

data/lib/datadog/appsec/security_event.rb ADDED Viewed

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+module Datadog
+  module AppSec
+    # A class that represents a security event of any kind. It could be an event
+    # representing an attack or fingerprinting results as derivatives or an API
+    # security check with extracted schema.
+    class SecurityEvent
+      SCHEMA_KEY_PREFIX = '_dd.appsec.s.'
+      FINGERPRINT_KEY_PREFIX = '_dd.appsec.fp.'
+      attr_reader :waf_result, :trace, :span
+      def initialize(waf_result, trace:, span:)
+        @waf_result = waf_result
+        @trace = trace
+        @span = span
+      end
+      def attack?
+        return @is_attack if defined?(@is_attack)
+        @is_attack = @waf_result.is_a?(SecurityEngine::Result::Match)
+      end
+      def schema?
+        return @has_schema if defined?(@has_schema)
+        @has_schema = @waf_result.derivatives.any? { |name, _| name.start_with?(SCHEMA_KEY_PREFIX) }
+      end
+      def fingerprint?
+        return @has_fingerprint if defined?(@has_fingerprint)
+        @has_fingerprint = @waf_result.derivatives.any? { |name, _| name.start_with?(FINGERPRINT_KEY_PREFIX) }
+      end
+    end
+  end
+end

data/lib/datadog/appsec.rb CHANGED Viewed

@@ -44,7 +44,7 @@ module Datadog
         appsec_component.reconfigure_lock(&block)
       end
-      def api_security_enabled?
+      def perform_api_security_check?
         Datadog.configuration.appsec.api_security.enabled &&
           Datadog.configuration.appsec.api_security.sample_rate.sample?
       end

data/lib/datadog/core/buffer/random.rb CHANGED Viewed

@@ -40,7 +40,23 @@ module Datadog
           add_all!(underflow) unless underflow.nil?
           # Iteratively replace items, to ensure pseudo-random replacement.
-          overflow.each { |item| replace!(item) } unless overflow.nil?
+          overflow&.each { |item| replace!(item) }
+        end
+        def unshift(*items)
+          # TODO The existing concat implementation does not always append
+          # to the end of the buffer - if the buffer is full, a random
+          # item is deleted and the new item is added in the position of
+          # removed item.
+          # Therefore, if we want to preserve the item order, concat
+          # would also need to be changed to maintain order.
+          # With the existing implementation, the idea is to not move
+          # existing items around, which is what sets unshift apart from
+          # concat to begin with.
+          #
+          # Since this method currently delegates to +concat+, it does not
+          # have a matching definition in the thread-safe worker.
+          concat(items)
         end
         # Stored items are returned and the local buffer is reset.
@@ -78,7 +94,7 @@ module Datadog
           underflow = nil
           overflow = nil
-          overflow_size = @max_size > 0 ? (@items.length + items.length) - @max_size : 0
+          overflow_size = (@max_size > 0) ? (@items.length + items.length) - @max_size : 0
           if overflow_size > 0
             # Items will overflow

data/lib/datadog/core/configuration/agent_settings_resolver.rb CHANGED Viewed

@@ -37,8 +37,8 @@ module Datadog
             case adapter
             when Datadog::Core::Configuration::Ext::Agent::HTTP::ADAPTER
               hostname = self.hostname
-              hostname = "[#{hostname}]" if hostname =~ IPV6_REGEXP
-              "#{ssl ? 'https' : 'http'}://#{hostname}:#{port}/"
+              hostname = "[#{hostname}]" if IPV6_REGEXP.match?(hostname)
+              "#{ssl ? "https" : "http"}://#{hostname}:#{port}/"
             when Datadog::Core::Configuration::Ext::Agent::UnixSocket::ADAPTER
               "unix://#{uds_path}"
             else
@@ -158,7 +158,7 @@ module Datadog
               value: settings.agent.timeout_seconds,
             ),
             try_parsing_as_integer(
-              friendly_name: "#{Datadog::Core::Configuration::Ext::Agent::ENV_DEFAULT_TIMEOUT_SECONDS} "\
+              friendly_name: "#{Datadog::Core::Configuration::Ext::Agent::ENV_DEFAULT_TIMEOUT_SECONDS} " \
                 'environment variable',
               value: ENV[Datadog::Core::Configuration::Ext::Agent::ENV_DEFAULT_TIMEOUT_SECONDS],
             )
@@ -338,13 +338,13 @@ module Datadog
           log_warning(
             'Configuration mismatch: values differ between ' \
             "#{detected_configurations_in_priority_order
-              .map { |config| "#{config.friendly_name} (#{config.value.inspect})" }.join(' and ')}" \
+              .map { |config| "#{config.friendly_name} (#{config.value.inspect})" }.join(" and ")}" \
             ". Using #{detected_configurations_in_priority_order.first.value.inspect} and ignoring other configuration."
           )
         end
         def log_warning(message)
-          logger.warn(message) if logger
+          logger&.warn(message)
         end
         def http_scheme?(uri)

data/lib/datadog/core/configuration/agentless_settings_resolver.rb ADDED Viewed

@@ -0,0 +1,176 @@
+# frozen_string_literal: true
+# rubocop:disable Style/*
+require 'uri'
+require_relative 'agent_settings_resolver'
+module Datadog
+  module Core
+    module Configuration
+      # Agent settings resolver for agentless operations (currently, telemetry
+      # in agentless mode).
+      #
+      # The terminology gets a little confusing here, but transports communicate
+      # with servers which are - for most components in the tracer - the
+      # (local) agent. Hence, "agent settings" to refer to where the server
+      # is located. Telemetry supports sending to the local agent but also
+      # implements agentless mode where it sends directly to Datadog intake
+      # endpoints. The agentless mode is configured using different settings,
+      # and this class produces AgentSettings instances when in agentless mode.
+      #
+      # Agentless settings resolver uses the following configuration sources:
+      #
+      # 1. url_override constructor parameter, if provided
+      # 2. Built-in default host/port/TLS settings for the backend
+      #    intake endpoint
+      #
+      # The agentless resolver does NOT use agent settings (since it is
+      # for agentless operation), specifically it ignores:
+      #
+      # - c.agent.host
+      # - DD_AGENT_HOST
+      # - c.agent.port
+      # - DD_AGENT_PORT
+      #
+      # However, agentless resolver does respect the timeout specified via
+      # c.agent.timeout_seconds or DD_TRACE_AGENT_TIMEOUT_SECONDS.
+      class AgentlessSettingsResolver < AgentSettingsResolver
+        # To avoid coupling this class to telemetry, the URL override is
+        # taken here as a parameter instead of being read out of
+        # c.telemetry.agentless_url_override. For the same reason, the
+        # +url_override_source+ parameter should be set to the string
+        # "c.telemetry.agentless_url_override".
+        def self.call(settings, host_prefix:, url_override: nil, url_override_source: nil, logger: Datadog.logger)
+          new(
+            settings,
+            host_prefix: host_prefix,
+            url_override: url_override,
+            url_override_source: url_override_source,
+            logger: logger
+          ).send(:call)
+        end
+        private
+        attr_reader \
+          :host_prefix,
+          :url_override,
+          :url_override_source
+        def initialize(settings, host_prefix:, url_override: nil, url_override_source: nil, logger: Datadog.logger)
+          if url_override && url_override_source.nil?
+            raise ArgumentError, 'url_override_source must be provided when url_override is provided'
+          end
+          super(settings, logger: logger)
+          @host_prefix = host_prefix
+          @url_override = url_override
+          @url_override_source = url_override_source
+        end
+        def hostname
+          if should_use_uds?
+            nil
+          else
+            configured_hostname || "#{host_prefix}.#{settings.site}"
+          end
+        end
+        def configured_hostname
+          return @configured_hostname if defined?(@configured_hostname)
+          if should_use_uds?
+            nil
+          else
+            @configured_hostname = (parsed_url.hostname if parsed_url)
+          end
+        end
+        def configured_port
+          return @configured_port if defined?(@configured_port)
+          @configured_port = (parsed_url.port if parsed_url)
+        end
+        # Note that this method should always return true or false
+        def ssl?
+          if configured_hostname
+            configured_ssl || false
+          else
+            if should_use_uds?
+              false
+            else
+              # If no hostname is specified, we are communicating with the
+              # default Datadog intake, which uses TLS.
+              true
+            end
+          end
+        end
+        # Note that this method can return nil
+        def configured_ssl
+          return @configured_ssl if defined?(@configured_ssl)
+          @configured_ssl = (parsed_url_ssl? if parsed_url)
+        end
+        def port
+          if configured_port
+            configured_port
+          else
+            if should_use_uds?
+              nil
+            else
+              # If no hostname is specified, we are communicating with the
+              # default Datadog intake, which exists on port 443.
+              443
+            end
+          end
+        end
+        def mixed_http_and_uds
+          false
+        end
+        def configured_uds_path
+          return @configured_uds_path if defined?(@configured_uds_path)
+          parsed_url_uds_path
+        end
+        def can_use_uds?
+          # While in theory agentless transport could communicate via UDS,
+          # in practice "agentless" means we are communicating with Datadog
+          # infrastructure which is always remote.
+          # Permit UDS for proxy usage?
+          !configured_uds_path.nil?
+        end
+        def parsed_url
+          return @parsed_url if defined?(@parsed_url)
+          @parsed_url =
+            if @url_override
+              parsed = URI.parse(@url_override)
+              # Agentless URL should never refer to a UDS?
+              if http_scheme?(parsed) || unix_scheme?(parsed)
+                parsed
+              else
+                log_warning(
+                  "Invalid URI scheme '#{parsed.scheme}' for #{url_override_source}. " \
+                  "Ignoring the contents of #{url_override_source}."
+                )
+                nil
+              end
+            end
+        end
+      end
+    end
+  end
+end
+# rubocop:enable Style/*