datadog 2.26.0 → 2.27.0

data/lib/datadog/appsec/contrib/excon/ssrf_detection_middleware.rb

@@ -13,27 +13,62 @@ module Datadog
         # AppSec Middleware for Excon
         class SSRFDetectionMiddleware < ::Excon::Middleware::Base
           def request_call(data)
-            return super unless AppSec.rasp_enabled? && AppSec.active_context
+            context = AppSec.active_context
+            return super unless context && AppSec.rasp_enabled?
+
+            timeout = Datadog.configuration.appsec.waf_timeout
+            ephemeral_data = {
+              'server.io.net.url' => request_url(data),
+              'server.io.net.request.method' => data[:method].to_s.upcase,
+              'server.io.net.request.headers' => normalize_headers(data[:headers])
+            }
+
+            result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, timeout, phase: Ext::RASP_REQUEST_PHASE)
+            handle(result, context: context) if result.match?
+
+            super
+          end
 
+          def response_call(data)
             context = AppSec.active_context
+            return super unless context && AppSec.rasp_enabled?
 
-            request_url = URI.join("#{data[:scheme]}://#{data[:host]}", data[:path]).to_s
-            ephemeral_data = {'server.io.net.url' => request_url}
+            timeout = Datadog.configuration.appsec.waf_timeout
+            ephemeral_data = {
+              'server.io.net.response.status' => data.dig(:response, :status).to_s,
+              'server.io.net.response.headers' => normalize_headers(data.dig(:response, :headers))
+            }
 
-            result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, Datadog.configuration.appsec.waf_timeout)
+            result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, timeout, phase: Ext::RASP_RESPONSE_PHASE)
+            handle(result, context: context) if result.match?
 
-            if result.match?
-              AppSec::Event.tag(context, result)
-              TraceKeeper.keep!(context.trace) if result.keep?
+            super
+          end
 
-              context.events.push(
-                AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
-              )
+          private
 
-              AppSec::ActionsHandler.handle(result.actions)
+          def request_url(data)
+            klass = (data[:scheme] == 'https') ? URI::HTTPS : URI::HTTP
+            klass.build(host: data[:host], path: data[:path], query: data[:query]).to_s
+          end
+
+          def normalize_headers(headers)
+            return {} if headers.nil? || headers.empty?
+
+            headers.each_with_object({}) do |(key, value), memo|
+              memo[key.downcase] = value.is_a?(Array) ? value.join(', ') : value
             end
+          end
 
-            super
+          def handle(result, context:)
+            AppSec::Event.tag(context, result)
+            TraceKeeper.keep!(context.trace) if result.keep?
+
+            context.events.push(
+              AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
+            )
+
+            AppSec::ActionsHandler.handle(result.actions)
           end
         end
       end

data/lib/datadog/appsec/contrib/faraday/ssrf_detection_middleware.rb

@@ -10,33 +10,50 @@ module Datadog
       module Faraday
         # AppSec SSRF detection Middleware for Faraday
         class SSRFDetectionMiddleware < ::Faraday::Middleware
-          def call(request_env)
+          def call(env)
             context = AppSec.active_context
+            return @app.call(env) unless context && AppSec.rasp_enabled?
 
-            return @app.call(request_env) unless context && AppSec.rasp_enabled?
-
+            timeout = Datadog.configuration.appsec.waf_timeout
             ephemeral_data = {
-              'server.io.net.url' => request_env.url.to_s
+              'server.io.net.url' => env.url.to_s,
+              'server.io.net.request.method' => env.method.to_s.upcase,
+              'server.io.net.request.headers' => env.request_headers.transform_keys(&:downcase)
             }
 
-            result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, Datadog.configuration.appsec.waf_timeout)
+            result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, timeout, phase: Ext::RASP_REQUEST_PHASE)
+            handle(result, context: context) if result.match?
+
+            @app.call(env).on_complete { |response_env| on_complete(response_env, context: context) }
+          end
+
+          private
+
+          def on_complete(env, context:)
+            timeout = Datadog.configuration.appsec.waf_timeout
 
-            if result.match?
-              AppSec::Event.tag(context, result)
-              TraceKeeper.keep!(context.trace) if result.keep?
+            response_headers = env.response_headers || {}
+            ephemeral_data = {
+              'server.io.net.response.status' => env.status.to_s,
+              'server.io.net.response.headers' => response_headers.transform_keys(&:downcase)
+            }
+
+            result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, timeout, phase: Ext::RASP_RESPONSE_PHASE)
+            handle(result, context: context) if result.match?
+          end
 
-              context.events.push(
-                AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
-              )
+          def handle(result, context:)
+            AppSec::Event.tag(context, result)
+            TraceKeeper.keep!(context.trace) if result.keep?
 
-              AppSec::ActionsHandler.handle(result.actions)
-            end
+            context.events.push(
+              AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
+            )
 
-            @app.call(request_env)
+            AppSec::ActionsHandler.handle(result.actions)
           end
         end
       end
     end
   end
 end
-# rubocop:enable Naming/FileName

data/lib/datadog/appsec/contrib/rest_client/integration.rb

@@ -28,7 +28,7 @@ module Datadog
           end
 
           def self.compatible?
-            super && version >= MINIMUM_VERSION
+            super && !!(version&.>= MINIMUM_VERSION)
           end
 
           def self.auto_instrument?

data/lib/datadog/appsec/contrib/rest_client/patcher.rb

@@ -9,7 +9,7 @@ module Datadog
           module_function
 
           def patched?
-            Patcher.instance_variable_get(:@patched)
+            !!Patcher.instance_variable_get(:@patched)
           end
 
           def target_version

data/lib/datadog/appsec/contrib/rest_client/request_ssrf_detection_patch.rb

@@ -11,29 +11,65 @@ module Datadog
         # Module that adds SSRF detection to RestClient::Request#execute
         module RequestSSRFDetectionPatch
           def execute(&block)
-            return super unless AppSec.rasp_enabled? && AppSec.active_context
-
             context = AppSec.active_context
+            return super unless context && AppSec.rasp_enabled?
+
+            timeout = Datadog.configuration.appsec.waf_timeout
+            ephemeral_data = {
+              'server.io.net.url' => url,
+              'server.io.net.request.method' => method.to_s.upcase,
+              'server.io.net.request.headers' => normalize_request_headers
+            }
+
+            result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, timeout, phase: Ext::RASP_REQUEST_PHASE)
+            handle(result, context: context) if result.match?
+
+            response = super
+
+            ephemeral_data = {
+              'server.io.net.response.status' => response.code.to_s,
+              'server.io.net.response.headers' => normalize_response_headers(response)
+            }
+
+            result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, timeout, phase: Ext::RASP_RESPONSE_PHASE)
+            handle(result, context: context) if result.match?
 
-            ephemeral_data = {'server.io.net.url' => url}
-            result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, Datadog.configuration.appsec.waf_timeout)
+            response
+          end
+
+          private
+
+          # NOTE: Starting version 2.1.0 headers are already normalized via internal
+          #       variable `@processed_headers_lowercase`. In case it's available,
+          #       we use it to avoid unnecessary transformation.
+          def normalize_request_headers
+            return @processed_headers_lowercase if defined?(@processed_headers_lowercase)
 
-            if result.match?
-              AppSec::Event.tag(context, result)
-              TraceKeeper.keep!(context.trace) if result.keep?
+            processed_headers.transform_keys(&:downcase)
+          end
+
+          # NOTE: Headers values are always an `Array` in `Net::HTTPResponse`,
+          #       but we want to avoid accidents and will wrap them in no-op
+          #       `Array` call just in case of a breaking change in the future
+          #
+          # FIXME: Steep has issues with `transform_values!` modifying the original
+          #        type and it failed with "Cannot allow block body" error
+          def normalize_response_headers(response) # steep:ignore MethodBodyTypeMismatch
+            response.net_http_res.to_hash.transform_values! { |value| Array(value).join(', ') } # steep:ignore BlockBodyTypeMismatch
+          end
 
-              context.events.push(
-                AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
-              )
+          def handle(result, context:)
+            AppSec::Event.tag(context, result)
+            TraceKeeper.keep!(context.trace) if result.keep?
 
-              AppSec::ActionsHandler.handle(result.actions)
-            end
+            context.events.push(
+              AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
+            )
 
-            super
+            AppSec::ActionsHandler.handle(result.actions)
           end
         end
       end
     end
   end
 end
-# rubocop:enable Naming/FileName

data/lib/datadog/appsec/ext.rb

@@ -6,6 +6,8 @@ module Datadog
       RASP_SQLI = 'sql_injection'
       RASP_LFI = 'lfi'
       RASP_SSRF = 'ssrf'
+      RASP_REQUEST_PHASE = 'request'
+      RASP_RESPONSE_PHASE = 'response'
 
       PRODUCT_BIT = 0b00000010
 

data/lib/datadog/appsec/metrics/collector.rb

@@ -13,6 +13,7 @@ module Datadog
           :duration_ns,
           :duration_ext_ns,
           :inputs_truncated,
+          :downstream_requests,
           keyword_init: true
         )
 
@@ -22,10 +23,13 @@ module Datadog
           @mutex = Mutex.new
 
           @waf = Store.new(
-            evals: 0, matches: 0, errors: 0, timeouts: 0, duration_ns: 0, duration_ext_ns: 0, inputs_truncated: 0
+            evals: 0, matches: 0, errors: 0, timeouts: 0, duration_ns: 0,
+            duration_ext_ns: 0, inputs_truncated: 0, downstream_requests: 0
           )
+
           @rasp = Store.new(
-            evals: 0, matches: 0, errors: 0, timeouts: 0, duration_ns: 0, duration_ext_ns: 0, inputs_truncated: 0
+            evals: 0, matches: 0, errors: 0, timeouts: 0, duration_ns: 0,
+            duration_ext_ns: 0, inputs_truncated: 0, downstream_requests: 0
           )
         end
 
@@ -41,7 +45,7 @@ module Datadog
           end
         end
 
-        def record_rasp(result)
+        def record_rasp(result, type:, phase: nil)
           @mutex.synchronize do
             @rasp.evals += 1
             @waf.matches += 1 if result.match?
@@ -50,6 +54,7 @@ module Datadog
             @rasp.duration_ns += result.duration_ns
             @rasp.duration_ext_ns += result.duration_ext_ns
             @rasp.inputs_truncated += 1 if result.input_truncated?
+            @rasp.downstream_requests += 1 if type == Ext::RASP_SSRF && phase == Ext::RASP_REQUEST_PHASE
           end
         end
       end

data/lib/datadog/appsec/metrics/exporter.rb

@@ -22,6 +22,13 @@ module Datadog
           span.set_tag('_dd.appsec.rasp.timeout', 1) unless metrics.timeouts.zero?
           span.set_tag('_dd.appsec.rasp.duration', convert_ns_to_us(metrics.duration_ns))
           span.set_tag('_dd.appsec.rasp.duration_ext', convert_ns_to_us(metrics.duration_ext_ns))
+
+          # NOTE: In case of downstream requests being analyzed additionally
+          #       with `Context.run_waf` method, we would need to share it
+          #       between two exporting methods
+          unless metrics.downstream_requests.zero?
+            span.set_tag('_dd.appsec.downstream_request', metrics.downstream_requests)
+          end
         end
 
         # private

data/lib/datadog/appsec/metrics/telemetry.rb

@@ -7,10 +7,15 @@ module Datadog
       module Telemetry
         module_function
 
-        def report_rasp(type, result)
+        def report_rasp(type, result, phase: nil)
           return if result.error?
 
-          tags = {rule_type: type, waf_version: Datadog::AppSec::WAF::VERSION::BASE_STRING}
+          tags = {rule_type: type, waf_version: WAF::VERSION::BASE_STRING}
+          tags[:rule_variant] = phase if phase
+
+          context = AppSec.active_context
+          tags[:event_rules_version] = context.waf_runner_ruleset_version if context
+
           namespace = Ext::TELEMETRY_METRICS_NAMESPACE
 
           AppSec.telemetry.inc(namespace, 'rasp.rule.eval', 1, tags: tags)

data/lib/datadog/appsec/metrics.rb

@@ -1,5 +1,10 @@
 # frozen_string_literal: true
 
+require_relative 'metrics/collector'
+require_relative 'metrics/exporter'
+require_relative 'metrics/telemetry'
+require_relative 'metrics/telemetry_exporter'
+
 module Datadog
   module AppSec
     # This namespace contains classes related to metrics collection and exportation.
@@ -7,8 +12,3 @@ module Datadog
     end
   end
 end
-
-require_relative 'metrics/collector'
-require_relative 'metrics/exporter'
-require_relative 'metrics/telemetry'
-require_relative 'metrics/telemetry_exporter'

data/lib/datadog/appsec/remote.rb

@@ -75,7 +75,8 @@ module Datadog
 
           matcher = Core::Remote::Dispatcher::Matcher::Product.new(ASM_PRODUCTS)
           receiver = Core::Remote::Dispatcher::Receiver.new(matcher) do |repository, changes|
-            next unless AppSec.security_engine
+            engine = AppSec.security_engine
+            next unless engine
 
             changes.each do |change|
               content = repository[change.path]
@@ -84,11 +85,10 @@ module Datadog
               case change.type
               when :insert, :update
                 # @type var content: Core::Remote::Configuration::Content
-                AppSec.security_engine.add_or_update_config(parse_content(content), path: change.path.to_s)
-
+                engine.add_or_update_config(parse_content(content), path: change.path.to_s)
                 content.applied
               when :delete
-                AppSec.security_engine.remove_config_at_path(change.path.to_s)
+                engine.remove_config_at_path(change.path.to_s)
               end
             end
 

data/lib/datadog/appsec.rb

@@ -22,8 +22,14 @@ module Datadog
         Datadog::AppSec::Context.active
       end
 
+      # NOTE:  This is a temporary workaround for type checking.
+      #
+      #        We want to move from possible nil-component to the disabled-component
+      #        on an initialization error. Technically, telemetry will be never
+      #        used if AppSec was not able to initialize, so it's safe to assume
+      #        that telemetry will never be used and will be nil at the same time.
       def telemetry
-        components.appsec&.telemetry
+        components.appsec&.telemetry || components.telemetry
       end
 
       def security_engine

data/lib/datadog/core/configuration/settings.rb

@@ -436,6 +436,23 @@ module Datadog
               o.default true
             end
 
+            # The profiler gathers data by sending `SIGPROF` unix signals to Ruby application threads.
+            #
+            # When using `Kernel#exec` on Linux, it can happen that a signal sent before calling `exec` arrives after
+            # the new process is running, causing it to fail with the `Profiling timer expired` error message.
+            # To avoid this, the profiler installs a monkey patch on `Kernel#exec` to stop profiling before actually
+            # calling `exec`.
+            # This monkey patch is available for Ruby 2.7+; let us know if you need it on earlier Rubies.
+            # For more details see https://github.com/DataDog/dd-trace-rb/issues/5101 .
+            #
+            # @default `DD_PROFILING_SHUTDOWN_ON_EXEC_ENABLED` environment variable as a boolean,
+            # otherwise `true`
+            option :shutdown_on_exec_enabled do |o|
+              o.env 'DD_PROFILING_SHUTDOWN_ON_EXEC_ENABLED'
+              o.type :bool
+              o.default true
+            end
+
             # Configures how much wall-time overhead the profiler targets. The profiler will dynamically adjust the
             # interval between samples it takes so as to try and maintain the property that it spends no longer than
             # this amount of wall-clock time profiling. For example, with the default value of 2%, the profiler will

data/lib/datadog/core/configuration/supported_configurations.rb

@@ -81,6 +81,7 @@ module Datadog
           "DD_PROFILING_NO_SIGNALS_WORKAROUND_ENABLED",
           "DD_PROFILING_OVERHEAD_TARGET_PERCENTAGE",
           "DD_PROFILING_PREVIEW_OTEL_CONTEXT_ENABLED",
+          "DD_PROFILING_SHUTDOWN_ON_EXEC_ENABLED",
           "DD_PROFILING_SIGHANDLER_SAMPLING_ENABLED",
           "DD_PROFILING_SKIP_MYSQL2_CHECK",
           "DD_PROFILING_TIMELINE_ENABLED",

data/lib/datadog/core/telemetry/logger.rb

@@ -14,10 +14,12 @@ module Datadog
       #   read: lib/datadog/core/telemetry/logging.rb
       module Logger
         class << self
+          # (see Datadog::Core::Telemetry::Logging#report)
           def report(exception, level: :error, description: nil)
             instance&.report(exception, level: level, description: description)
           end
 
+          # (see Datadog::Core::Telemetry::Logging#error)
           def error(description)
             instance&.error(description)
           end

data/lib/datadog/core/telemetry/logging.rb

@@ -45,11 +45,20 @@ module Datadog
           end
         end
 
+        # @param exception [Exception] The exception to report
+        # @param level [Symbol] The log level (:error, :warn, :info, :debug)
+        # @param description [String, nil] A low cardinality description, without dynamic data
         def report(exception, level: :error, description: nil)
           # Anonymous exceptions to be logged as <Class:0x00007f8b1c0b3b40>
-          message = +"#{exception.class.name || exception.class.inspect}" # standard:disable Style/RedundantInterpolation
+          message = +(exception.class.name || exception.class.inspect)
 
-          message << ": #{description}" if description
+          telemetry_message = message_for_telemetry(exception)
+
+          if description || telemetry_message
+            message << ':'
+            message << " #{description}" if description
+            message << " (#{telemetry_message})" if telemetry_message
+          end
 
           event = Event::Log.new(
             message: message,
@@ -65,6 +74,15 @@ module Datadog
 
           log!(event)
         end
+
+        private
+
+        # A constant string representing the exception
+        def message_for_telemetry(exception)
+          return unless exception.instance_variable_defined?(:@telemetry_message)
+
+          exception.instance_variable_get(:@telemetry_message)
+        end
       end
     end
   end

data/lib/datadog/profiling/component.rb

@@ -82,6 +82,10 @@ module Datadog
           Datadog::Profiling::Ext::DirMonkeyPatches.apply!
         end
 
+        if can_apply_exec_monkey_patch?(settings)
+          Datadog::Profiling::Ext::ExecMonkeyPatch.apply!
+        end
+
         [profiler, {profiling_enabled: true}]
       end
 
@@ -434,6 +438,15 @@ module Datadog
         settings.profiling.advanced.dir_interruption_workaround_enabled
       end
 
+      private_class_method def self.can_apply_exec_monkey_patch?(settings)
+        return false if RUBY_VERSION < "2.7"
+
+        # This file is 2.7+ only so we only require it here once we've checked the Ruby version
+        require "datadog/profiling/ext/exec_monkey_patch"
+
+        settings.profiling.advanced.shutdown_on_exec_enabled
+      end
+
       private_class_method def self.enable_gvl_profiling?(settings, logger)
         return false if RUBY_VERSION < "3.2"
 

data/lib/datadog/profiling/exporter.rb

@@ -70,6 +70,9 @@ module Datadog
 
         uncompressed_code_provenance = code_provenance_collector.refresh.generate_json if code_provenance_collector
 
+        process_tags = Datadog.configuration.experimental_propagate_process_tags_enabled ?
+          Core::Environment::Process.serialized : ''
+
         Flush.new(
           start: start,
           finish: finish,
@@ -80,6 +83,7 @@ module Datadog
             settings: Datadog.configuration,
             profile_seq: sequence_tracker.get_next,
           ).to_a,
+          process_tags: process_tags,
           internal_metadata: internal_metadata.merge(
             {
               worker_stats: worker_stats,

data/lib/datadog/profiling/ext/exec_monkey_patch.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Datadog
+  module Profiling
+    module Ext
+      # The profiler gathers data by sending `SIGPROF` unix signals to Ruby application threads.
+      #
+      # When using `Kernel#exec` on Linux, it can happen that a signal sent before calling `exec` arrives after
+      # the new process is running, causing it to fail with the `Profiling timer expired` error message.
+      # To avoid this, the profiler installs a monkey patch on `Kernel#exec` to stop profiling before actually
+      # calling `exec`.
+      # This monkey patch is available for Ruby 2.7+; let us know if you need it on earlier Rubies.
+      # For more details see https://github.com/DataDog/dd-trace-rb/issues/5101 .
+      module ExecMonkeyPatch
+        def self.apply!
+          ::Object.prepend(ObjectMonkeyPatch)
+
+          true
+        end
+
+        module ObjectMonkeyPatch
+          private
+
+          def exec(...)
+            Datadog.send(:components, allow_initialization: false)&.profiler&.shutdown!(report_last_profile: false)
+            super
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/profiling/flush.rb

@@ -13,6 +13,7 @@ module Datadog
         :code_provenance_file_name,
         :code_provenance_data,
         :tags_as_array,
+        :process_tags,
         :internal_metadata_json,
         :info_json
 
@@ -23,6 +24,7 @@ module Datadog
         code_provenance_file_name:,
         code_provenance_data:,
         tags_as_array:,
+        process_tags:,
         internal_metadata:,
         info_json:
       )
@@ -32,6 +34,7 @@ module Datadog
         @code_provenance_file_name = code_provenance_file_name
         @code_provenance_data = code_provenance_data
         @tags_as_array = tags_as_array
+        @process_tags = process_tags
         @internal_metadata_json = JSON.generate(internal_metadata)
         @info_json = info_json
       end

data/lib/datadog/profiling/profiler.rb

@@ -31,10 +31,11 @@ module Datadog
         scheduler.start(on_failure_proc: proc { component_failed(:scheduler) })
       end
 
-      def shutdown!
+      def shutdown!(report_last_profile: true)
         Datadog.logger.debug("Shutting down profiler")
 
         stop_worker
+        scheduler.disable_reporting unless report_last_profile
         stop_scheduler
       end
 
@@ -57,11 +58,8 @@ module Datadog
         Datadog::Core::Telemetry::Logger
           .error("Detected issue with profiler (#{failed_component} component), stopping profiling")
 
-        # We explicitly not stop the crash tracker in this situation, under the assumption that, if a component failed,
-        # we're operating in a degraded state and crash tracking may still be helpful.
-
         if failed_component == :worker
-          scheduler.mark_profiler_failed
+          scheduler.disable_reporting
           stop_scheduler
         elsif failed_component == :scheduler
           stop_worker

data/lib/datadog/profiling/scheduler.rb

@@ -24,7 +24,7 @@ module Datadog
       attr_reader \
         :exporter,
         :transport,
-        :profiler_failed
+        :reporting_disabled
 
       public
 
@@ -36,7 +36,7 @@ module Datadog
       )
         @exporter = exporter
         @transport = transport
-        @profiler_failed = false
+        @reporting_disabled = false
         @stop_requested = false
 
         # Workers::Async::Thread settings
@@ -83,14 +83,15 @@ module Datadog
         true
       end
 
-      # This is called by the Profiler class whenever an issue happened in the profiler. This makes sure that even
-      # if there is data to be flushed, we don't try to flush it.
-      def mark_profiler_failed
-        @profiler_failed = true
+      # Called by the Profiler when it wants to prevent any further reporting,
+      # even if there is data to be flushed.
+      # Used when the profiler failed or we're otherwise in a hurry to shut down.
+      def disable_reporting
+        @reporting_disabled = true
       end
 
       def work_pending?
-        !profiler_failed && exporter.can_flush? && (run_loop? || !stop_requested?)
+        !reporting_disabled && exporter.can_flush? && (run_loop? || !stop_requested?)
       end
 
       def reset_after_fork

data/lib/datadog/profiling/tag_builder.rb

@@ -50,6 +50,7 @@ module Datadog
           FORM_FIELD_TAG_PROFILER_VERSION => profiler_version,
           'profile_seq' => profile_seq.to_s,
         )
+
         user_tag_keys = settings.tags.keys
         hash.keep_if { |tag| user_tag_keys.include?(tag) || ALLOWED_TAGS.include?(tag) }
         Core::Utils.encode_tags(hash)

data/lib/datadog/version.rb

@@ -3,7 +3,7 @@
 module Datadog
   module VERSION
     MAJOR = 2
-    MINOR = 26
+    MINOR = 27
     PATCH = 0
     PRE = nil
     BUILD = nil