RubyGems - datadog - Versions diffs - 2.21.0 → 2.22.0 - Mend

datadog 2.21.0 → 2.22.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (77) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +48 -1
data/ext/LIBDATADOG_DEVELOPMENT.md +60 -0
data/ext/datadog_profiling_native_extension/collectors_discrete_dynamic_sampler.c +1 -1
data/ext/libdatadog_api/ddsketch.c +106 -0
data/ext/libdatadog_api/init.c +3 -0
data/ext/libdatadog_api/library_config.c +35 -27
data/ext/libdatadog_api/process_discovery.c +19 -13
data/ext/libdatadog_extconf_helpers.rb +1 -1
data/lib/datadog/appsec/api_security/endpoint_collection/grape_route_serializer.rb +26 -0
data/lib/datadog/appsec/api_security/endpoint_collection/rails_collector.rb +59 -0
data/lib/datadog/appsec/api_security/endpoint_collection/rails_route_serializer.rb +29 -0
data/lib/datadog/appsec/api_security/endpoint_collection/sinatra_route_serializer.rb +26 -0
data/lib/datadog/appsec/api_security/endpoint_collection.rb +10 -0
data/lib/datadog/appsec/assets/waf_rules/README.md +30 -36
data/lib/datadog/appsec/assets/waf_rules/recommended.json +359 -4
data/lib/datadog/appsec/assets/waf_rules/strict.json +43 -2
data/lib/datadog/appsec/compressed_json.rb +1 -1
data/lib/datadog/appsec/configuration/settings.rb +9 -0
data/lib/datadog/appsec/contrib/active_record/instrumentation.rb +3 -1
data/lib/datadog/appsec/contrib/excon/ssrf_detection_middleware.rb +3 -2
data/lib/datadog/appsec/contrib/faraday/ssrf_detection_middleware.rb +3 -1
data/lib/datadog/appsec/contrib/graphql/gateway/watcher.rb +3 -1
data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb +9 -4
data/lib/datadog/appsec/contrib/rack/request_middleware.rb +5 -1
data/lib/datadog/appsec/contrib/rails/gateway/watcher.rb +7 -2
data/lib/datadog/appsec/contrib/rails/patcher.rb +30 -0
data/lib/datadog/appsec/contrib/rest_client/request_ssrf_detection_patch.rb +3 -1
data/lib/datadog/appsec/contrib/sinatra/gateway/watcher.rb +10 -4
data/lib/datadog/appsec/event.rb +12 -14
data/lib/datadog/appsec/metrics/collector.rb +19 -3
data/lib/datadog/appsec/metrics/telemetry_exporter.rb +2 -1
data/lib/datadog/appsec/monitor/gateway/watcher.rb +4 -4
data/lib/datadog/appsec/remote.rb +25 -13
data/lib/datadog/appsec/security_engine/result.rb +28 -9
data/lib/datadog/appsec/security_engine/runner.rb +17 -7
data/lib/datadog/appsec/security_event.rb +5 -7
data/lib/datadog/core/configuration/components.rb +14 -6
data/lib/datadog/core/configuration/stable_config.rb +10 -0
data/lib/datadog/core/configuration/supported_configurations.rb +2 -0
data/lib/datadog/core/configuration.rb +1 -1
data/lib/datadog/core/ddsketch.rb +21 -0
data/lib/datadog/core/environment/yjit.rb +2 -1
data/lib/datadog/core/pin.rb +4 -8
data/lib/datadog/core/process_discovery.rb +4 -2
data/lib/datadog/core/remote/component.rb +4 -6
data/lib/datadog/core/telemetry/component.rb +11 -0
data/lib/datadog/core/telemetry/emitter.rb +6 -6
data/lib/datadog/core/telemetry/event/app_endpoints_loaded.rb +30 -0
data/lib/datadog/core/telemetry/event.rb +1 -0
data/lib/datadog/core/transport/response.rb +4 -1
data/lib/datadog/core/utils/network.rb +19 -0
data/lib/datadog/di/boot.rb +1 -0
data/lib/datadog/di/component.rb +14 -0
data/lib/datadog/di/context.rb +70 -0
data/lib/datadog/di/el/compiler.rb +164 -0
data/lib/datadog/di/el/evaluator.rb +159 -0
data/lib/datadog/di/el/expression.rb +42 -0
data/lib/datadog/di/el.rb +5 -0
data/lib/datadog/di/error.rb +25 -0
data/lib/datadog/di/instrumenter.rb +101 -32
data/lib/datadog/di/probe.rb +35 -15
data/lib/datadog/di/probe_builder.rb +39 -1
data/lib/datadog/di/probe_manager.rb +3 -2
data/lib/datadog/di/probe_notification_builder.rb +50 -51
data/lib/datadog/di/serializer.rb +151 -7
data/lib/datadog/tracing/component.rb +6 -17
data/lib/datadog/tracing/configuration/dynamic.rb +2 -2
data/lib/datadog/tracing/configuration/settings.rb +3 -3
data/lib/datadog/tracing/contrib/component.rb +2 -2
data/lib/datadog/tracing/contrib/graphql/configuration/settings.rb +7 -0
data/lib/datadog/tracing/contrib/graphql/ext.rb +1 -0
data/lib/datadog/tracing/contrib/graphql/unified_trace.rb +53 -28
data/lib/datadog/tracing/metadata/ext.rb +8 -0
data/lib/datadog/version.rb +1 -1
metadata +22 -9
data/ext/libdatadog_api/macos_development.md +0 -26

data/lib/datadog/core/configuration/supported_configurations.rb CHANGED Viewed

@@ -10,6 +10,7 @@ module Datadog
         {"DD_AGENT_HOST" => {version: ["A"]},
          "DD_API_KEY" => {version: ["A"]},
          "DD_API_SECURITY_ENABLED" => {version: ["A"]},
+         "DD_API_SECURITY_ENDPOINT_COLLECTION_ENABLED" => {version: ["A"]},
          "DD_API_SECURITY_REQUEST_SAMPLE_RATE" => {version: ["A"]},
          "DD_API_SECURITY_SAMPLE_DELAY" => {version: ["A"]},
          "DD_APM_TRACING_ENABLED" => {version: ["A"]},
@@ -171,6 +172,7 @@ module Datadog
          "DD_TRACE_GRAPHQL_ANALYTICS_SAMPLE_RATE" => {version: ["A"]},
          "DD_TRACE_GRAPHQL_ENABLED" => {version: ["A"]},
          "DD_TRACE_GRAPHQL_ERROR_EXTENSIONS" => {version: ["A"]},
+         "DD_TRACE_GRAPHQL_ERROR_TRACKING" => {version: ["A"]},
          "DD_TRACE_GRAPHQL_WITH_UNIFIED_TRACER" => {version: ["A"]},
          "DD_TRACE_GRPC_ANALYTICS_ENABLED" => {version: ["A"]},
          "DD_TRACE_GRPC_ANALYTICS_SAMPLE_RATE" => {version: ["A"]},

data/lib/datadog/core/configuration.rb CHANGED Viewed

@@ -238,7 +238,7 @@ module Datadog
           yield write_components
         rescue ThreadError => e
           logger_without_components.error(
-            'Detected deadlock during datadog initialization. ' \
+            "Detected deadlock during datadog initialization: #{e.class}: #{e}. " \
             'Please report this at https://github.com/datadog/dd-trace-rb/blob/master/CONTRIBUTING.md#found-a-bug' \
             "\n\tSource:\n\t#{Array(e.backtrace).join("\n\t")}"
           )

data/lib/datadog/core/ddsketch.rb ADDED Viewed

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+require 'datadog/core'
+module Datadog
+  module Core
+    # Used to access ddsketch APIs.
+    # APIs in this class are implemented as native code.
+    class DDSketch
+      def self.supported?
+        Datadog::Core::LIBDATADOG_API_FAILURE.nil?
+      end
+      def initialize
+        unless self.class.supported?
+          raise(ArgumentError, "DDSketch is not supported: #{Datadog::Core::LIBDATADOG_API_FAILURE}")
+        end
+      end
+    end
+  end
+end

data/lib/datadog/core/environment/yjit.rb CHANGED Viewed

@@ -54,7 +54,8 @@ module Datadog
         # Ratio of YJIT-executed instructions
         def ratio_in_yjit
-          ::RubyVM::YJIT.runtime_stats[:ratio_in_yjit]
+          stats = ::RubyVM::YJIT.runtime_stats
+          stats[:ratio_in_yjit] if stats.key?(:ratio_in_yjit)
         end
         def available?

data/lib/datadog/core/pin.rb CHANGED Viewed

@@ -43,18 +43,14 @@ module Datadog
       # rubocop:disable Style/TrivialAccessors
       def onto(obj)
         unless obj.respond_to? :datadog_pin=
-          obj.instance_exec do
-            def datadog_pin=(pin)
-              @datadog_pin = pin
-            end
+          obj.define_singleton_method(:datadog_pin=) do |pin|
+            @datadog_pin = pin
           end
         end
         unless obj.respond_to? :datadog_pin
-          obj.instance_exec do
-            def datadog_pin
-              @datadog_pin
-            end
+          obj.define_singleton_method(:datadog_pin) do
+            @datadog_pin
           end
         end

data/lib/datadog/core/process_discovery.rb CHANGED Viewed

@@ -37,14 +37,16 @@ module Datadog
         # In the C method exposed by ddcommon, memfd_create replaces empty strings by None for these fields.
         def get_metadata(settings)
           {
-            schema_version: 1,
             runtime_id: Core::Environment::Identity.id,
             tracer_language: Core::Environment::Identity.lang,
             tracer_version: Core::Environment::Identity.gem_datadog_version_semver2,
             hostname: Core::Environment::Socket.hostname,
             service_name: settings.service || '',
             service_env: settings.env || '',
-            service_version: settings.version || ''
+            service_version: settings.version || '',
+            # TODO: Implement process tags and container id
+            process_tags: '',
+            container_id: ''
           }
         end

data/lib/datadog/core/remote/component.rb CHANGED Viewed

@@ -135,13 +135,11 @@ module Datadog
           # Release all current waiters
           def lift
-            @mutex.lock
+            @mutex.synchronize do
+              @once ||= true
-            @once ||= true
-            @condition.broadcast
-          ensure
-            @mutex.unlock
+              @condition.broadcast
+            end
           end
         end

data/lib/datadog/core/telemetry/component.rb CHANGED Viewed

@@ -19,6 +19,8 @@ module Datadog
       #
       # @api private
       class Component
+        ENDPOINT_COLLECTION_MESSAGE_LIMIT = 300
         attr_reader :enabled, :logger, :transport, :worker
         include Core::Utils::Forking
@@ -165,6 +167,15 @@ module Datadog
           @worker.enqueue(Event::AppClientConfigurationChange.new(changes, 'remote_config'))
         end
+        # Report application endpoints
+        def app_endpoints_loaded(endpoints, page_size: ENDPOINT_COLLECTION_MESSAGE_LIMIT)
+          return if !@enabled || forked?
+          endpoints.each_slice(page_size).with_index do |endpoints_slice, i|
+            @worker.enqueue(Event::AppEndpointsLoaded.new(endpoints_slice, is_first: i.zero?))
+          end
+        end
         # Increments a count metric.
         def inc(namespace, metric_name, value, tags: {}, common: true)
           @metrics_manager.inc(namespace, metric_name, value, tags: tags, common: common)

data/lib/datadog/core/telemetry/emitter.rb CHANGED Viewed

@@ -31,15 +31,15 @@ module Datadog
           seq_id = self.class.sequence.next
           payload = Request.build_payload(event, seq_id, debug: debug?)
           res = @transport.send_telemetry(request_type: event.type, payload: payload)
-          logger.debug { "Telemetry sent for event `#{event.type}` (response code: #{res.code})" }
+          if res.ok?
+            logger.debug { "Telemetry sent for event `#{event.type}`" }
+          else
+            logger.debug { "Failed to send telemetry for event `#{event.type}`: #{res.inspect}" }
+          end
           res
         rescue => e
           logger.debug {
-            "Unable to send telemetry request for event `#{begin
-              event.type
-            rescue
-              "unknown"
-            end}`: #{e}"
+            "Unable to send telemetry request for event `#{event.respond_to?(:type) ? event.type : event.to_s}`: #{e.class}: #{e}"
           }
           Core::Transport::InternalErrorResponse.new(e)
         end

data/lib/datadog/core/telemetry/event/app_endpoints_loaded.rb ADDED Viewed

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+require_relative 'base'
+module Datadog
+  module Core
+    module Telemetry
+      module Event
+        # Telemetry event class for sending 'app-endpoints' payload
+        class AppEndpointsLoaded < Base
+          def initialize(endpoints, is_first:)
+            @endpoints = endpoints
+            @is_first = !!is_first
+          end
+          def type
+            'app-endpoints'
+          end
+          def payload
+            {
+              is_first: @is_first,
+              endpoints: @endpoints
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/core/telemetry/event.rb CHANGED Viewed

@@ -26,6 +26,7 @@ require_relative 'event/base'
 require_relative 'event/app_client_configuration_change'
 require_relative 'event/app_closing'
 require_relative 'event/app_dependencies_loaded'
+require_relative 'event/app_endpoints_loaded'
 require_relative 'event/app_heartbeat'
 require_relative 'event/app_integrations_change'
 require_relative 'event/app_started'

data/lib/datadog/core/transport/response.rb CHANGED Viewed

@@ -34,7 +34,10 @@ module Datadog
         end
         def inspect
-          "#{self.class} ok?:#{ok?} unsupported?:#{unsupported?}, " \
+          maybe_code = if respond_to?(:code)
+            " code:#{code}," # steep:ignore
+          end
+          "#{self.class} ok?:#{ok?},#{maybe_code} unsupported?:#{unsupported?}, " \
             "not_found?:#{not_found?}, client_error?:#{client_error?}, " \
             "server_error?:#{server_error?}, internal_error?:#{internal_error?}, " \
             "payload:#{payload}"

data/lib/datadog/core/utils/network.rb CHANGED Viewed

@@ -13,6 +13,7 @@ module Datadog
           true-client-ip
           x-client-ip
           x-forwarded
+          forwarded
           forwarded-for
           x-cluster-client-ip
           fastly-client-ip
@@ -73,6 +74,8 @@ module Datadog
               next unless value
               ips = value.split(',')
+              ips = process_forwarded_header_values(ips) if name == 'forwarded'
               ips.each do |ip|
                 parsed_ip = ip_to_ipaddr(ip.strip)
@@ -83,6 +86,22 @@ module Datadog
             nil
           end
+          def process_forwarded_header_values(values)
+            values.each_with_object([]) do |value, acc|
+              value.downcase!
+              value.split(';').each do |tuple_str|
+                tuple_str.strip!
+                next unless tuple_str.start_with?('for=')
+                tuple_str.delete_prefix!('for=')
+                tuple_str.delete!('"')
+                acc << tuple_str
+              end
+            end
+          end
           # Returns whether the given value is more likely to be an IPv4 than an IPv6 address.
           #
           # This is done by checking if a dot (`'.'`) character appears before a colon (`':'`) in the value.

data/lib/datadog/di/boot.rb CHANGED Viewed

@@ -5,6 +5,7 @@ require_relative 'base'
 require_relative 'error'
 require_relative 'code_tracker'
 require_relative 'component'
+require_relative 'context'
 require_relative 'instrumenter'
 require_relative 'probe'
 require_relative 'probe_builder'

data/lib/datadog/di/component.rb CHANGED Viewed

@@ -115,6 +115,20 @@ module Datadog
       def parse_probe_spec_and_notify(probe_spec)
         probe = ProbeBuilder.build_from_remote_config(probe_spec)
+      rescue => exc
+        begin
+          probe = Struct.new(:id).new(
+            probe_spec['id'],
+          )
+          payload = probe_notification_builder.build_errored(probe, exc)
+          probe_notifier_worker.add_status(payload)
+        rescue # standard:disable Lint/UselessRescue
+          # TODO report via instrumentation telemetry?
+          raise
+        end
+        raise
+      else
         payload = probe_notification_builder.build_received(probe)
         probe_notifier_worker.add_status(payload)
         probe

data/lib/datadog/di/context.rb ADDED Viewed

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+module Datadog
+  module DI
+    # Contains local and instance variables used when evaluating
+    # expressions in DI Expression Language.
+    #
+    # @api private
+    class Context
+      def initialize(probe:, settings:, serializer:, locals: nil,
+        # In Ruby everything is a method, therefore we should always have
+        # a target self. However, if we are not capturing a snapshot,
+        # there is no need to pass in the target self.
+        target_self: nil,
+        path: nil, caller_locations: nil,
+        serialized_entry_args: nil,
+        return_value: nil, duration: nil, exception: nil)
+        @probe = probe
+        @settings = settings
+        @serializer = serializer
+        @locals = locals
+        @target_self = target_self
+        @path = path
+        @caller_locations = caller_locations
+        @serialized_entry_args = serialized_entry_args
+        @return_value = return_value
+        @duration = duration
+        @exception = exception
+      end
+      attr_reader :probe
+      attr_reader :settings
+      attr_reader :serializer
+      attr_reader :locals
+      attr_reader :target_self
+      # Actual path of the instrumented file.
+      attr_reader :path
+      # TODO check how many stack frames we should be keeping/sending,
+      # this should be all frames for enriched probes and no frames for
+      # non-enriched probes?
+      attr_reader :caller_locations
+      attr_reader :serialized_entry_args
+      # Return value for the method, for a method probe
+      attr_reader :return_value
+      # How long the method took to execute, for a method probe
+      attr_reader :duration
+      # Exception raised by the method, if any, for a method probe
+      attr_reader :exception
+      def serialized_locals
+        # TODO cache?
+        locals && serializer.serialize_vars(locals,
+          depth: probe.max_capture_depth || settings.dynamic_instrumentation.max_capture_depth,
+          attribute_count: probe.max_capture_attribute_count || settings.dynamic_instrumentation.max_capture_attribute_count,)
+      end
+      def fetch(var_name)
+        unless locals
+          # TODO return "undefined" instead?
+          return nil
+        end
+        locals[var_name.to_sym]
+      end
+      def fetch_ivar(var_name)
+        target_self.instance_variable_get(var_name)
+      end
+    end
+  end
+end

data/lib/datadog/di/el/compiler.rb ADDED Viewed

@@ -0,0 +1,164 @@
+# frozen_string_literal: true
+module Datadog
+  module DI
+    module EL
+      # DI Expression Language compiler.
+      #
+      # Converts AST in probe definitions into Expression objects.
+      #
+      # WARNING: this class produces strings that are then eval'd as
+      # Ruby code. Input ASTs are user-controlled. As such the compiler
+      # must sanitize and escape all input to avoid injection.
+      #
+      # Besides quotes and backslashes we must also escape # which is
+      # starting string interpolation (#{...}).
+      #
+      # @api private
+      class Compiler
+        def compile(ast)
+          compile_partial(ast)
+        end
+        private
+        OPERATORS = {
+          'eq' => '==',
+          'ne' => '!=',
+          'ge' => '>=',
+          'gt' => '>',
+          'le' => '<=',
+          'lt' => '<',
+        }.freeze
+        SINGLE_ARG_METHODS = %w[
+          len isEmpty isUndefined
+        ].freeze
+        TWO_ARG_METHODS = %w[
+          startsWith endsWith contains matches
+          getmember index instanceof
+        ].freeze
+        MULTI_ARG_METHODS = {
+          'and' => '&&',
+          'or' => '||',
+        }.freeze
+        def compile_partial(ast)
+          case ast
+          when Hash
+            if ast.length != 1
+              raise DI::Error::InvalidExpression, "Expected hash of length 1: #{ast}"
+            end
+            op, target = ast.first
+            case op
+            when 'ref'
+              unless String === target
+                raise DI::Error::InvalidExpression, "Bad ref value type: #{target.class}: #{target}"
+              end
+              case target
+              when '@it'
+                'current_item'
+              when '@key'
+                'current_key'
+              when '@value'
+                'current_value'
+              when '@return'
+                # For @return, @duration and @exception we shadow
+                # instance variables.
+                "context.return_value"
+              when '@duration'
+                # There is no way to explicitly format the duration.
+                # TODO come up with better formatting?
+                # We could format to a string here but what if customer
+                # has @duration as part of an expression and wants
+                # to retain it as a number?
+                "(context.duration * 1000)"
+              when '@exception'
+                "context.exception"
+              else
+                # Ruby technically allows all kinds of symbols in variable
+                # names, for example spaces and many characters.
+                # Start out with strict validation to avoid possible
+                # surprises and need to escape.
+                unless target =~ %r{\A(@?)([a-zA-Z0-9_]+)\z}
+                  raise DI::Error::BadVariableName, "Bad variable name: #{target}"
+                end
+                method_name = (($1 == '@') ? 'iref' : 'ref')
+                "#{method_name}('#{target}')"
+              end
+            when *SINGLE_ARG_METHODS
+              method_name = op.gsub(/[A-Z]/) { |m| "_#{m.downcase}" }
+              "#{method_name}(#{compile_partial(target)}, '#{var_name_maybe(target)}')"
+            when *TWO_ARG_METHODS
+              method_name = op.gsub(/[A-Z]/) { |m| "_#{m.downcase}" }
+              unless Array === target && target.length == 2
+                raise DI::Error::InvalidExpression, "Improper #{op} syntax"
+              end
+              first, second = target
+              "#{method_name}(#{compile_partial(first)}, (#{compile_partial(second)}))"
+            when *MULTI_ARG_METHODS.keys
+              unless Array === target && target.length >= 1
+                raise DI::Error::InvalidExpression, "Improper #{op} syntax"
+              end
+              compiled_targets = target.map do |item|
+                "(#{compile_partial(item)})"
+              end
+              compiled_op = MULTI_ARG_METHODS[op]
+              "(#{compiled_targets.join(" #{compiled_op} ")})"
+            when 'substring'
+              unless Array === target && target.length == 3
+                raise DI::Error::InvalidExpression, "Improper #{op} syntax"
+              end
+              "#{op}(#{target.map { |arg| "(#{compile_partial(arg)})" }.join(", ")})"
+            when 'not'
+              "!(#{compile_partial(target)})"
+            when *OPERATORS.keys
+              unless Array === target && target.length == 2
+                raise DI::Error::InvalidExpression, "Improper #{op} syntax"
+              end
+              first, second = target
+              operator = OPERATORS.fetch(op)
+              "(#{compile_partial(first)}) #{operator} (#{compile_partial(second)})"
+            when 'any', 'all', 'filter'
+              "#{op}(#{compile_partial(target.first)}) { |current_item, current_key, current_value| #{compile_partial(target.last)} }"
+            else
+              raise DI::Error::InvalidExpression, "Unknown operation: #{op}"
+            end
+          when Numeric, true, false, nil
+            # No escaping is needed for the values here.
+            ast.inspect
+          when String
+            "\"#{escape(ast)}\""
+          when Array
+            # Arrays are commonly used as arguments of operators/methods,
+            # but there are no arrays at the top level in the syntax that
+            # we currently understand. Provide a helpful error message in case
+            # syntax is expanded in the future.
+            raise DI::Error::InvalidExpression, "Array is not valid at its location, do you need to upgrade dd-trace-rb? #{ast}"
+          else
+            raise DI::Error::InvalidExpression, "Unknown type in AST: #{ast}"
+          end
+        end
+        # Returns a textual description of +target+ for use in exception
+        # messages. +target+ could be any expression language expression.
+        # WARNING: the result of this method is included in eval'd code,
+        # it must be sanitized to avoid injection.
+        def var_name_maybe(target)
+          if Hash === target && target.length == 1 && target.keys.first == 'ref' &&
+              String === (value = target.values.first)
+            escape(value)
+          else
+            '(expression)'
+          end
+        end
+        def escape(needle)
+          needle.gsub("\\") { "\\\\" }.gsub('"') { "\\\"" }.gsub('#') { "\\#" }
+        end
+      end
+    end
+  end
+end