datadog 2.18.0 → 2.20.0

data/ext/datadog_profiling_native_extension/private_vm_api_access.c

@@ -212,21 +212,6 @@ uint64_t native_thread_id_for(VALUE thread) {
   #endif
 }
 
-// Returns the stack depth by using the same approach as rb_profile_frames and backtrace_each: get the positions
-// of the end and current frame pointers and subtracting them.
-ptrdiff_t stack_depth_for(VALUE thread) {
-  const rb_execution_context_t *ec = thread_struct_from_object(thread)->ec;
-  const rb_control_frame_t *cfp = ec->cfp, *end_cfp = RUBY_VM_END_CONTROL_FRAME(ec);
-
-  if (end_cfp == NULL) return 0;
-
-  // Skip dummy frame, as seen in `backtrace_each` (`vm_backtrace.c`) and our custom rb_profile_frames
-  // ( https://github.com/ruby/ruby/blob/4bd38e8120f2fdfdd47a34211720e048502377f1/vm_backtrace.c#L890-L914 )
-  end_cfp = RUBY_VM_NEXT_CONTROL_FRAME(end_cfp);
-
-  return end_cfp <= cfp ? 0 : end_cfp - cfp - 1;
-}
-
 // This was renamed in Ruby 3.2
 #if !defined(ccan_list_for_each) && defined(list_for_each)
   #define ccan_list_for_each list_for_each
@@ -360,11 +345,16 @@ calc_pos(const rb_iseq_t *iseq, const VALUE *pc, int *lineno, int *node_id)
         }
 #endif
 
-        // In PROF-11475 we spotted a crash when calling `rb_iseq_line_no` from this method. We couldn't reproduce or
-        // figure out the root cause, but "just in case", we're validating that the iseq looks valid and that the
-        // `n` used for the position is also sane, and if they don't look good, we don't calculate the line, rather
-        // than potentially trigger any issues.
-        if (RB_UNLIKELY(!RB_TYPE_P((VALUE) iseq, T_IMEMO) || n < 0 || n > ISEQ_BODY(iseq)->iseq_size)) return 0;
+        // In PROF-11475 we spotted a crash when calling `rb_iseq_line_no` from this method.
+        // We were only able to reproduce this issue on Ruby 2.6 and 2.7, not 2.5 or the 3.x series (tried 3.0, 3.2 and 3.4).
+        // Note that going out of bounds doesn't crash every time, as usual with C we may just read garbage or get lucky.
+        //
+        // For those problematic Rubies, we observed that when we try to take a sample in the middle of processing the
+        // VM `LEAVE` instruction, the value of `n` can violate the documented assumptions above and be
+        // `n > ISEQ_BODY(iseq)->iseq_size)`.
+        //
+        // To work around this and any other potential issues, we validate here that the bytecode position is sane.
+        if (RB_UNLIKELY(n < 0 || n > ISEQ_BODY(iseq)->iseq_size)) return 0;
 
         if (lineno) *lineno = rb_iseq_line_no(iseq, pos);
 #ifdef USE_ISEQ_NODE_ID
@@ -410,6 +400,9 @@ calc_lineno(const rb_iseq_t *iseq, const VALUE *pc)
 // * Add frame_flags.same_frame and logic to skip redoing work if the buffer already contains the same data we're collecting
 // * Skipped use of rb_callable_method_entry_t (cme) for Ruby frames as it doesn't impact us.
 // * Imported fix from https://github.com/ruby/ruby/pull/8280 to keep us closer to upstream
+// * Added potential fix for https://github.com/ruby/ruby/pull/13643 (this one is a just-in-case, unclear if it happens
+//   for ddtrace)
+// * Reversed order of iteration to better enable caching
 //
 // What is rb_profile_frames?
 // `rb_profile_frames` is a Ruby VM debug API added for use by profilers for sampling the stack trace of a Ruby thread.
@@ -445,6 +438,16 @@ int ddtrace_rb_profile_frames(VALUE thread, int start, int limit, frame_info *st
     // support sampling any thread (including the current) passed as an argument
     rb_thread_t *th = thread_struct_from_object(thread);
     const rb_execution_context_t *ec = th->ec;
+
+    // As of this writing, we don't support profiling with MN enabled, and this only happens in that mode, but as we
+    // probably want to experiment with it in the future, I've decided to import https://github.com/ruby/ruby/pull/9310
+    // here.
+    if (ec == NULL) return 0;
+
+    // I suspect this won't happen for ddtrace, but just-in-case we've imported a potential fix for
+    // https://github.com/ruby/ruby/pull/13643 by assuming that these can be NULL/zero with the cfp being non-NULL yet.
+    if (ec->vm_stack == NULL || ec->vm_stack_size == 0) return 0;
+
     const rb_control_frame_t *cfp = ec->cfp, *end_cfp = RUBY_VM_END_CONTROL_FRAME(ec);
     #ifndef NO_JIT_RETURN
       const rb_control_frame_t *top = cfp;
@@ -462,11 +465,6 @@ int ddtrace_rb_profile_frames(VALUE thread, int start, int limit, frame_info *st
     // it from https://github.com/ruby/ruby/pull/7116 in a "just in case" kind of mindset.
     if (cfp == NULL) return 0;
 
-    // As of this writing, we don't support profiling with MN enabled, and this only happens in that mode, but as we
-    // probably want to experiment with it in the future, I've decided to import https://github.com/ruby/ruby/pull/9310
-    // here.
-    if (ec == NULL) return 0;
-
     // Fix: Skip dummy frame that shows up in main thread.
     //
     // According to a comment in `backtrace_each` (`vm_backtrace.c`), there's two dummy frames that we should ignore
@@ -483,7 +481,20 @@ int ddtrace_rb_profile_frames(VALUE thread, int start, int limit, frame_info *st
     // See comment on `record_placeholder_stack_in_native_code` for a full explanation of what this means (and why we don't just return 0)
     if (end_cfp <= cfp) return PLACEHOLDER_STACK_IN_NATIVE_CODE;
 
-    for (i=0; i<limit && cfp != end_cfp; cfp = RUBY_VM_PREVIOUS_CONTROL_FRAME(cfp)) {
+    // This is the position just after the top of the stack -- e.g. where a new frame pushed on the stack would end up.
+    const rb_control_frame_t *top_sentinel = RUBY_VM_NEXT_CONTROL_FRAME(cfp);
+
+    // We iterate the stack from bottom (beginning of thread) to the top (currently-active frame). This is different
+    // from upstream rb_profile_frames, but actually matches what `backtrace_each` does (yes, different Ruby VM APIs
+    // iterate in different directions).
+    // We do this to better take advantage of the `same_frame` caching mechanism: By starting from the bottom of the
+    // stack towards the top, we can usually keep most of the stack intact when the code is only going up and down
+    // a few methods at the top. Before this change, the cache was really only useful if between samples the app had
+    // not moved from the current stack, as adding or removing one frame would invalidate the existing cache (because
+    // every position would shift).
+    cfp = RUBY_VM_NEXT_CONTROL_FRAME(end_cfp);
+
+    for (i=0; i<limit && cfp != top_sentinel; cfp = RUBY_VM_NEXT_CONTROL_FRAME(cfp)) {
         if (cfp->iseq && !cfp->pc) {
           // Fix: Do nothing -- this frame should not be used
           //

data/ext/datadog_profiling_native_extension/private_vm_api_access.h

@@ -41,7 +41,6 @@ rb_nativethread_id_t pthread_id_for(VALUE thread);
 bool is_current_thread_holding_the_gvl(void);
 current_gvl_owner gvl_owner(void);
 uint64_t native_thread_id_for(VALUE thread);
-ptrdiff_t stack_depth_for(VALUE thread);
 void ddtrace_thread_list(VALUE result_array);
 bool is_thread_alive(VALUE thread);
 VALUE thread_name_for(VALUE thread);

data/ext/datadog_profiling_native_extension/ruby_helpers.h

@@ -72,7 +72,7 @@ NORETURN(void raise_syserr(
 // reference a valid object (in which case value is not changed).
 //
 // Note: GVL can be released and other threads may get to run before this method returns
-bool ruby_ref_from_id(size_t id, VALUE *value);
+bool ruby_ref_from_id(VALUE obj_id, VALUE *value);
 
 // Native wrapper to get the approximate/estimated current size of the passed
 // object.

data/ext/libdatadog_api/extconf.rb

@@ -26,7 +26,9 @@ if ENV['DD_NO_EXTENSION'].to_s.strip.downcase == 'true'
 end
 skip_building_extension!('current Ruby VM is not supported') if RUBY_ENGINE != 'ruby'
 skip_building_extension!('Microsoft Windows is not supported') if Gem.win_platform?
-skip_building_extension!('issue setting up `libdatadog` gem') if Datadog::LibdatadogExtconfHelpers.libdatadog_issue?
+
+libdatadog_issue = Datadog::LibdatadogExtconfHelpers.load_libdatadog_or_get_issue
+skip_building_extension!("issue setting up `libdatadog` gem: #{libdatadog_issue}") if libdatadog_issue
 
 require 'mkmf'
 

data/ext/libdatadog_extconf_helpers.rb

@@ -5,6 +5,8 @@ require 'pathname'
 
 module Datadog
   # Contains a bunch of shared helpers that get used during building of extensions that link to libdatadog
+  #
+  # Note: Specs for this file currently live in `spec/datadog/profiling/native_extension_helpers_spec.rb`.
   module LibdatadogExtconfHelpers
     # Used to make sure the correct gem version gets loaded, as extconf.rb does not get run with "bundle exec" and thus
     # may see multiple libdatadog versions. See https://github.com/DataDog/dd-trace-rb/pull/2531 for the horror story.
@@ -122,9 +124,17 @@ module Datadog
       end
     end
 
-    def self.libdatadog_issue?
-      try_loading_libdatadog { |_exception| return true }
-      Libdatadog.pkgconfig_folder.nil?
+    # Note: This helper is currently only used in the `libdatadog_api/extconf.rb` BUT still lives here to enable testing.
+    def self.load_libdatadog_or_get_issue
+      try_loading_libdatadog do |exception|
+        return "There was an error loading `libdatadog`: #{exception.class} #{exception.message}"
+      end
+
+      unless Libdatadog.pkgconfig_folder
+        "The `libdatadog` gem installed on your system is missing binaries for your platform variant. " \
+          "Your platform: " \
+          "`#{Libdatadog.current_platform}`; available binaries: `#{Libdatadog.available_binaries.join("`, `")}`"
+      end
     end
   end
 end

data/lib/datadog/appsec/api_security/route_extractor.rb

@@ -10,6 +10,7 @@ module Datadog
         GRAPE_ROUTE_KEY = 'grape.routing_args'
         RAILS_ROUTE_KEY = 'action_dispatch.route_uri_pattern'
         RAILS_ROUTES_KEY = 'action_dispatch.routes'
+        RAILS_PATH_PARAMS_KEY = 'action_dispatch.request.path_parameters'
         RAILS_FORMAT_SUFFIX = '(.:format)'
 
         # HACK: We rely on the fact that each contrib will modify `request.env`
@@ -36,6 +37,11 @@ module Datadog
         #         "/users/:id(.:format)"
         #
         # WARNING: This method works only *after* the request has been routed.
+        #
+        # WARNING: In Rails > 7.1 when a route was not found,
+        #          action_dispatch.route_uri_pattern will not be set.
+        #          In Rails < 7.1 it also will not be set even if a route was found,
+        #          but in this case  action_dispatch.request.path_parameters won't be empty.
         def self.route_pattern(request)
           if request.env.key?(GRAPE_ROUTE_KEY)
             pattern = request.env[GRAPE_ROUTE_KEY][:route_info]&.pattern&.origin
@@ -45,7 +51,7 @@ module Datadog
             "#{request.script_name}#{pattern}"
           elsif request.env.key?(RAILS_ROUTE_KEY)
             request.env[RAILS_ROUTE_KEY].delete_suffix(RAILS_FORMAT_SUFFIX)
-          elsif request.env.key?(RAILS_ROUTES_KEY)
+          elsif request.env.key?(RAILS_ROUTES_KEY) && !request.env.fetch(RAILS_PATH_PARAMS_KEY, {}).empty?
             pattern = request.env[RAILS_ROUTES_KEY].router
               .recognize(request) { |route, _| break route.path.spec.to_s }
 

data/lib/datadog/appsec/component.rb

@@ -4,6 +4,7 @@ require_relative 'security_engine/engine'
 require_relative 'security_engine/runner'
 require_relative 'processor/rule_loader'
 require_relative 'actions_handler'
+require_relative 'thread_safe_ref'
 
 module Datadog
   module AppSec
@@ -74,25 +75,14 @@ module Datadog
       def initialize(security_engine:, telemetry:)
         @security_engine = security_engine
         @telemetry = telemetry
-
-        @mutex = Mutex.new
       end
 
       def reconfigure!
-        @mutex.synchronize do
-          security_engine.reconfigure!
-        end
-      end
-
-      def reconfigure_lock(&block)
-        @mutex.synchronize(&block)
+        security_engine.reconfigure!
       end
 
       def shutdown!
-        @mutex.synchronize do
-          security_engine.finalize!
-          @security_engine = nil
-        end
+        # no-op
       end
     end
   end

data/lib/datadog/appsec/context.rb

@@ -37,6 +37,7 @@ module Datadog
         @events = []
         @waf_runner = waf_runner
         @metrics = Metrics::Collector.new
+        @interrupted = false
       end
 
       def run_waf(persistent_data, ephemeral_data, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
@@ -55,6 +56,22 @@ module Datadog
         result
       end
 
+      def mark_as_interrupted!
+        @interrupted = true
+      end
+
+      def interrupted?
+        @interrupted
+      end
+
+      def waf_runner_ruleset_version
+        @waf_runner.ruleset_version
+      end
+
+      def waf_runner_known_addresses
+        @waf_runner.waf_addresses
+      end
+
       def extract_schema
         @waf_runner.run({'waf.context.processor' => {'extract-schema' => true}}, {})
       end
@@ -66,6 +83,12 @@ module Datadog
         Metrics::Exporter.export_rasp_metrics(@metrics.rasp, @span)
       end
 
+      def export_request_telemetry
+        return if @trace.nil?
+
+        Metrics::TelemetryExporter.export_waf_request_metrics(@metrics.waf, self)
+      end
+
       def finalize!
         @waf_runner.finalize!
       end

data/lib/datadog/appsec/contrib/devise/patches/signin_tracking_patch.rb

@@ -3,6 +3,7 @@
 require_relative '../ext'
 require_relative '../configuration'
 require_relative '../data_extractor'
+require_relative '../../../trace_keeper'
 
 module Datadog
   module AppSec
@@ -25,7 +26,7 @@ module Datadog
                 return result
               end
 
-              context.trace.keep!
+              TraceKeeper.keep!(context.trace)
 
               if result
                 record_successful_signin(context, resource)

data/lib/datadog/appsec/contrib/devise/patches/signup_tracking_patch.rb

@@ -3,6 +3,7 @@
 require_relative '../ext'
 require_relative '../configuration'
 require_relative '../data_extractor'
+require_relative '../../../trace_keeper'
 
 module Datadog
   module AppSec
@@ -26,7 +27,7 @@ module Datadog
 
                 next yield(resource) if resource.new_record? && block_given?
 
-                context.trace.keep!
+                TraceKeeper.keep!(context.trace)
                 record_successful_signup(context, resource)
                 Instrumentation.gateway.push('appsec.events.user_lifecycle', Ext::EVENT_SIGNUP)
 

data/lib/datadog/appsec/contrib/excon/ssrf_detection_middleware.rb

@@ -1,4 +1,3 @@
-# rubocop:disable Naming/FileName
 # frozen_string_literal: true
 
 require 'excon'

data/lib/datadog/appsec/contrib/faraday/ssrf_detection_middleware.rb

@@ -1,4 +1,3 @@
-# rubocop:disable Naming/FileName
 # frozen_string_literal: true
 
 require_relative '../../event'

data/lib/datadog/appsec/contrib/rack/request_middleware.rb

@@ -46,33 +46,22 @@ module Datadog
             boot = Datadog::Core::Remote::Tie.boot
             Datadog::Core::Remote::Tie::Tracing.tag(boot, active_span)
 
-            security_engine = nil
-            ready = false
-            ctx = nil
-
             # For a given request, keep using the first Rack stack scope for
             # nested apps. Don't set `context` local variable so that on popping
             # out of this nested stack we don't finalize the parent's context
             return @app.call(env) if active_context(env)
 
-            Datadog::AppSec.reconfigure_lock do
-              security_engine = Datadog::AppSec.security_engine
-
-              if security_engine
-                ctx = Datadog::AppSec::Context.activate(
-                  Datadog::AppSec::Context.new(active_trace, active_span, security_engine.new_runner)
-                )
-
-                env[Datadog::AppSec::Ext::CONTEXT_KEY] = ctx
-                ready = true
-              end
-            end
+            security_engine = Datadog::AppSec.security_engine
 
             # TODO: handle exceptions, except for @app.call
+            return @app.call(env) unless security_engine
 
-            return @app.call(env) unless ready
+            ctx = Datadog::AppSec::Context.activate(
+              Datadog::AppSec::Context.new(active_trace, active_span, security_engine.new_runner)
+            )
+            env[Datadog::AppSec::Ext::CONTEXT_KEY] = ctx
 
-            add_appsec_tags(security_engine, ctx)
+            add_appsec_tags(ctx)
             add_request_tags(ctx, env)
 
             http_response = nil
@@ -97,6 +86,7 @@ module Datadog
             end
 
             if interrupt_params
+              ctx.mark_as_interrupted!
               http_response = AppSec::Response.from_interrupt_params(interrupt_params, env['HTTP_ACCEPT']).to_rack
             end
 
@@ -128,6 +118,8 @@ module Datadog
           ensure
             if ctx
               ctx.export_metrics
+              ctx.export_request_telemetry
+
               Datadog::AppSec::Context.deactivate
             end
           end
@@ -156,7 +148,7 @@ module Datadog
           end
 
           # standard:disable Metrics/MethodLength
-          def add_appsec_tags(security_engine, context)
+          def add_appsec_tags(context)
             span = context.span
             trace = context.trace
 
@@ -166,15 +158,15 @@ module Datadog
             span.set_tag('_dd.runtime_family', 'ruby')
             span.set_tag('_dd.appsec.waf.version', Datadog::AppSec::WAF::VERSION::BASE_STRING)
 
-            if security_engine.ruleset_version
-              span.set_tag('_dd.appsec.event_rules.version', security_engine.ruleset_version)
+            if context.waf_runner_ruleset_version
+              span.set_tag('_dd.appsec.event_rules.version', context.waf_runner_ruleset_version)
 
               unless @oneshot_tags_sent
                 # Small race condition, but it's inoccuous: worst case the tags
                 # are sent a couple of times more than expected
                 @oneshot_tags_sent = true
 
-                span.set_tag('_dd.appsec.event_rules.addresses', JSON.dump(security_engine.waf_addresses))
+                span.set_tag('_dd.appsec.event_rules.addresses', JSON.dump(context.waf_runner_known_addresses))
 
                 # Ensure these tags reach the backend
                 trace.keep!

data/lib/datadog/appsec/contrib/rails/gateway/watcher.rb

@@ -16,6 +16,7 @@ module Datadog
                 gateway = Instrumentation.gateway
 
                 watch_request_action(gateway)
+                watch_response_body_json(gateway)
               end
 
               def watch_request_action(gateway = Instrumentation.gateway)
@@ -29,18 +30,38 @@ module Datadog
 
                   result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
 
-                  if result.match? || !result.derivatives.empty?
+                  if result.match?
                     context.events.push(
                       AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
                     )
+
+                    AppSec::Event.tag_and_keep!(context, result)
+                    AppSec::ActionsHandler.handle(result.actions)
                   end
 
+                  stack.call(gateway_request.request)
+                end
+              end
+
+              def watch_response_body_json(gateway = Instrumentation.gateway)
+                gateway.watch('rails.response.body.json', :appsec) do |stack, container|
+                  context = container.context
+
+                  persistent_data = {
+                    'server.response.body' => container.data
+                  }
+                  result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
+
                   if result.match?
+                    context.events.push(
+                      AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
+                    )
+
                     AppSec::Event.tag_and_keep!(context, result)
                     AppSec::ActionsHandler.handle(result.actions)
                   end
 
-                  stack.call(gateway_request.request)
+                  stack.call(container)
                 end
               end
             end

data/lib/datadog/appsec/contrib/rails/patcher.rb

@@ -8,6 +8,8 @@ require_relative '../rack/request_middleware'
 require_relative '../rack/request_body_middleware'
 require_relative 'gateway/watcher'
 require_relative 'gateway/request'
+require_relative 'patches/render_to_body_patch'
+require_relative 'patches/process_action_patch'
 
 require_relative '../../../tracing/contrib/rack/middlewares'
 
@@ -17,6 +19,7 @@ module Datadog
       module Rails
         # Patcher for AppSec on Rails
         module Patcher
+          GUARD_ACTION_CONTROLLER_ONCE_PER_APP = Hash.new { |h, key| h[key] = Datadog::Core::Utils::OnlyOnce.new }
           BEFORE_INITIALIZE_ONLY_ONCE_PER_APP = Hash.new { |h, key| h[key] = Datadog::Core::Utils::OnlyOnce.new }
           AFTER_INITIALIZE_ONLY_ONCE_PER_APP = Hash.new { |h, key| h[key] = Datadog::Core::Utils::OnlyOnce.new }
 
@@ -34,6 +37,7 @@ module Datadog
             Gateway::Watcher.watch
             patch_before_initialize
             patch_after_initialize
+            patch_action_controller
 
             Patcher.instance_variable_set(:@patched, true)
           end
@@ -49,7 +53,8 @@ module Datadog
               # Middleware must be added before the application is initialized.
               # Otherwise the middleware stack will be frozen.
               add_middleware(app) if Datadog.configuration.tracing[:rails][:middleware]
-              patch_process_action
+
+              ::ActionController::Metal.prepend(Patches::ProcessActionPatch)
             end
           end
 
@@ -65,31 +70,6 @@ module Datadog
             end
           end
 
-          # Hook into ActionController::Instrumentation#process_action, which encompasses action filters
-          module ProcessActionPatch
-            def process_action(*args)
-              env = request.env
-
-              context = env[Datadog::AppSec::Ext::CONTEXT_KEY]
-
-              return super unless context
-
-              # TODO: handle exceptions, except for super
-
-              gateway_request = Gateway::Request.new(request)
-
-              http_response, _gateway_request = Instrumentation.gateway.push('rails.request.action', gateway_request) do
-                super
-              end
-
-              http_response
-            end
-          end
-
-          def patch_process_action
-            ::ActionController::Metal.prepend(ProcessActionPatch)
-          end
-
           def include_middleware?(middleware, app)
             found = false
 
@@ -143,6 +123,14 @@ module Datadog
             end
           end
 
+          def patch_action_controller
+            ::ActiveSupport.on_load(:action_controller) do
+              GUARD_ACTION_CONTROLLER_ONCE_PER_APP[self].run do
+                ::ActionController::Base.prepend(Patches::RenderToBodyPatch)
+              end
+            end
+          end
+
           def setup_security
             Datadog::AppSec::Contrib::Rails::Framework.setup
           end

data/lib/datadog/appsec/contrib/rails/patches/process_action_patch.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module Contrib
+      module Rails
+        module Patches
+          # Hook into ActionController::Instrumentation#process_action, which encompasses action filters
+          module ProcessActionPatch
+            def process_action(*args)
+              context = request.env[Datadog::AppSec::Ext::CONTEXT_KEY]
+              return super unless context
+
+              # TODO: handle exceptions, except for super
+              gateway_request = Gateway::Request.new(request)
+              http_response, _gateway_request = Instrumentation.gateway.push('rails.request.action', gateway_request) do
+                super
+              end
+
+              http_response
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/contrib/rails/patches/render_to_body_patch.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require_relative '../../../utils/hash_coercion'
+require_relative '../../../instrumentation/gateway/argument'
+
+module Datadog
+  module AppSec
+    module Contrib
+      module Rails
+        module Patches
+          # A patch targeting `AbstractController::Rendering#render_to_body`
+          # method to capture JSON response body right before it is serialized.
+          module RenderToBodyPatch
+            def render_to_body(options = {})
+              return super unless options.key?(:json)
+
+              context = request.env[Datadog::AppSec::Ext::CONTEXT_KEY]
+              return super unless context
+
+              data = Utils::HashCoercion.coerce(options[:json])
+              return super unless data
+
+              container = Instrumentation::Gateway::DataContainer.new(data, context: context)
+              Instrumentation.gateway.push('rails.response.body.json', container)
+
+              super
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/contrib/rest_client/request_ssrf_detection_patch.rb

@@ -1,4 +1,3 @@
-# rubocop:disable Naming/FileName
 # frozen_string_literal: true
 
 require_relative '../../event'

data/lib/datadog/appsec/contrib/sinatra/gateway/watcher.rb

@@ -17,6 +17,7 @@ module Datadog
 
                 watch_request_dispatch(gateway)
                 watch_request_routed(gateway)
+                watch_response_body_json(gateway)
               end
 
               def watch_request_dispatch(gateway = Instrumentation.gateway)
@@ -67,6 +68,28 @@ module Datadog
                   stack.call(gateway_request.request)
                 end
               end
+
+              def watch_response_body_json(gateway = Instrumentation.gateway)
+                gateway.watch('sinatra.response.body.json', :appsec) do |stack, container|
+                  context = container.context
+
+                  persistent_data = {
+                    'server.response.body' => container.data
+                  }
+                  result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
+
+                  if result.match?
+                    context.events.push(
+                      AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
+                    )
+
+                    AppSec::Event.tag_and_keep!(context, result)
+                    AppSec::ActionsHandler.handle(result.actions)
+                  end
+
+                  stack.call(container)
+                end
+              end
             end
           end
         end