datadog 2.28.0 → 2.30.0

data/lib/datadog/appsec/assets/blocked.html

@@ -100,7 +100,8 @@
     <footer>
         <p>Security provided by <a
                 href="https://www.datadoghq.com/product/security-platform/application-security-monitoring/"
-                target="_blank">Datadog</a></p>
+                target="_blank"
+                rel="noopener noreferrer">Datadog</a></p>
     </footer>
 </body>
 

data/lib/datadog/appsec/configuration/settings.rb

@@ -393,6 +393,20 @@ module Datadog
                     end
                   end
                 end
+
+                settings :downstream_body_analysis do
+                  option :sample_rate do |o|
+                    o.type :float
+                    o.env 'DD_API_SECURITY_DOWNSTREAM_BODY_ANALYSIS_SAMPLE_RATE'
+                    o.default 0.5
+                  end
+
+                  option :max_requests do |o|
+                    o.type :int
+                    o.env 'DD_API_SECURITY_MAX_DOWNSTREAM_REQUEST_BODY_ANALYSIS'
+                    o.default 1
+                  end
+                end
               end
 
               option :sca_enabled do |o|

data/lib/datadog/appsec/context.rb

@@ -1,17 +1,36 @@
 # frozen_string_literal: true
 
+require_relative 'counter_sampler'
 require_relative 'metrics'
+require_relative 'security_event'
 
 module Datadog
   module AppSec
-    # This class accumulates the context over the request life-cycle and exposes
-    # interface sufficient for instrumentation to perform threat detection.
+    # Request-bound context providing threat detection interface.
+    #
+    # Activated at the start of a request (see `Contrib::Rack::RequestMiddleware`)
+    # and shared across all instrumentations within that request's lifecycle.
+    #
+    # Accumulates security events, metrics, and state needed for coordinated
+    # threat detection.
+    #
+    # @api private
     class Context
       # Steep: https://github.com/soutaro/steep/issues/1880
       ActiveContextError = Class.new(StandardError) # steep:ignore IncompatibleAssignment
 
       # TODO: add delegators for active trace span
-      attr_reader :trace, :span, :events
+      attr_reader :trace, :span
+
+      # Shared mutable storage for counters, flags, and data accumulated during
+      # the request's lifecycle.
+      #
+      # NOTE: This attribute is a subject to change, but in a current form
+      #       it's a `Hash`-like structure.
+      attr_reader :state
+
+      # Sampler for downstream HTTP request/response body analysis.
+      attr_reader :downstream_body_sampler
 
       class << self
         def activate(context)
@@ -35,10 +54,16 @@ module Datadog
       def initialize(trace, span, waf_runner)
         @trace = trace
         @span = span
-        @events = []
         @waf_runner = waf_runner
         @metrics = Metrics::Collector.new
-        @interrupted = false
+        @downstream_body_sampler = CounterSampler.new(
+          Datadog.configuration.appsec.api_security.downstream_body_analysis.sample_rate
+        )
+        @state = {
+          events: [],
+          interrupted: false,
+          downstream_body_analyzed_count: 0
+        }
       end
 
       def run_waf(persistent_data, ephemeral_data, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
@@ -57,12 +82,16 @@ module Datadog
         result
       end
 
+      def events
+        @state[:events]
+      end
+
       def mark_as_interrupted!
-        @interrupted = true
+        @state[:interrupted] = true
       end
 
       def interrupted?
-        @interrupted
+        @state[:interrupted]
       end
 
       def waf_runner_ruleset_version
@@ -73,8 +102,13 @@ module Datadog
         @waf_runner.waf_addresses
       end
 
-      def extract_schema
-        @waf_runner.run({'waf.context.processor' => {'extract-schema' => true}}, {})
+      def extract_schema!
+        waf_result = @waf_runner.run({'waf.context.processor' => {'extract-schema' => true}}, {})
+        security_event = AppSec::SecurityEvent.new(waf_result, trace: trace, span: span)
+
+        @state[:schema_extracted] = security_event.schema?
+
+        events.push(security_event)
       end
 
       def export_metrics
@@ -88,6 +122,7 @@ module Datadog
         return if @trace.nil?
 
         Metrics::TelemetryExporter.export_waf_request_metrics(@metrics.waf, self)
+        Metrics::TelemetryExporter.export_api_security_metrics(self)
       end
 
       def finalize!

data/lib/datadog/appsec/contrib/active_record/patcher.rb

@@ -61,6 +61,7 @@ module Datadog
             end
 
             ::ActiveRecord::ConnectionAdapters::SQLite3Adapter.prepend(instrumentation_module)
+            Patcher.instance_variable_set(:@patched, true)
           end
 
           def patch_mysql2_adapter
@@ -73,6 +74,7 @@ module Datadog
             end
 
             ::ActiveRecord::ConnectionAdapters::Mysql2Adapter.prepend(instrumentation_module)
+            Patcher.instance_variable_set(:@patched, true)
           end
 
           def patch_postgresql_adapter
@@ -93,6 +95,7 @@ module Datadog
             end
 
             ::ActiveRecord::ConnectionAdapters::PostgreSQLAdapter.prepend(instrumentation_module)
+            Patcher.instance_variable_set(:@patched, true)
           end
         end
       end

data/lib/datadog/appsec/contrib/devise/integration.rb

@@ -24,7 +24,7 @@ module Datadog
           end
 
           def self.compatible?
-            super && version >= MINIMUM_VERSION
+            !!(super && (version&.>= MINIMUM_VERSION))
           end
 
           def self.auto_instrument?

data/lib/datadog/appsec/contrib/excon/patcher.rb

@@ -20,6 +20,8 @@ module Datadog
             require_relative 'ssrf_detection_middleware'
 
             ::Excon.defaults[:middlewares].insert(0, SSRFDetectionMiddleware)
+
+            Patcher.instance_variable_set(:@patched, true)
           end
         end
       end

data/lib/datadog/appsec/contrib/excon/ssrf_detection_middleware.rb

@@ -5,6 +5,8 @@ require 'excon'
 require_relative '../../event'
 require_relative '../../trace_keeper'
 require_relative '../../security_event'
+require_relative '../../utils/http/url_encoded'
+require_relative '../../utils/http/body'
 
 module Datadog
   module AppSec
@@ -12,17 +14,36 @@ module Datadog
       module Excon
         # AppSec Middleware for Excon
         class SSRFDetectionMiddleware < ::Excon::Middleware::Base
+          REDIRECT_STATUS_CODES = (300..399).freeze
+          SAMPLE_BODY_KEY = :__datadog_appsec_sample_downstream_body
+
           def request_call(data)
             context = AppSec.active_context
             return super unless context && AppSec.rasp_enabled?
 
-            timeout = Datadog.configuration.appsec.waf_timeout
+            url = request_url(data)
+            headers = normalize_headers(data[:headers])
+            # @type var ephemeral_data: ::Datadog::AppSec::Context::input_data
             ephemeral_data = {
-              'server.io.net.url' => request_url(data),
+              'server.io.net.url' => url,
               'server.io.net.request.method' => data[:method].to_s.upcase,
-              'server.io.net.request.headers' => normalize_headers(data[:headers])
+              'server.io.net.request.headers' => headers
             }
 
+            is_redirect = context.state[:downstream_redirect_url] == url
+            if is_redirect
+              context.state.delete(:downstream_redirect_url)
+              data[SAMPLE_BODY_KEY] = true
+            else
+              mark_body_sampling!(data, context: context)
+            end
+
+            if !is_redirect && data[SAMPLE_BODY_KEY]
+              body = parse_body(data[:body], content_type: headers['content-type'])
+              ephemeral_data['server.io.net.request.body'] = body if body
+            end
+
+            timeout = Datadog.configuration.appsec.waf_timeout
             result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, timeout, phase: Ext::RASP_REQUEST_PHASE)
             handle(result, context: context) if result.match?
 
@@ -33,12 +54,24 @@ module Datadog
             context = AppSec.active_context
             return super unless context && AppSec.rasp_enabled?
 
-            timeout = Datadog.configuration.appsec.waf_timeout
+            headers = normalize_headers(data.dig(:response, :headers))
+            # @type var ephemeral_data: ::Datadog::AppSec::Context::input_data
             ephemeral_data = {
               'server.io.net.response.status' => data.dig(:response, :status).to_s,
-              'server.io.net.response.headers' => normalize_headers(data.dig(:response, :headers))
+              'server.io.net.response.headers' => headers
             }
 
+            is_redirect = REDIRECT_STATUS_CODES.cover?(data.dig(:response, :status)) && headers.key?('location')
+            if is_redirect && data[SAMPLE_BODY_KEY]
+              context.state[:downstream_redirect_url] = URI.join(request_url(data), headers['location']).to_s
+            end
+
+            if !is_redirect && data[SAMPLE_BODY_KEY]
+              body = parse_body(data.dig(:response, :body), content_type: headers['content-type'])
+              ephemeral_data['server.io.net.response.body'] = body if body
+            end
+
+            timeout = Datadog.configuration.appsec.waf_timeout
             result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, timeout, phase: Ext::RASP_RESPONSE_PHASE)
             handle(result, context: context) if result.match?
 
@@ -47,9 +80,25 @@ module Datadog
 
           private
 
+          def mark_body_sampling!(data, context:)
+            max = Datadog.configuration.appsec.api_security.downstream_body_analysis.max_requests
+            return if context.state[:downstream_body_analyzed_count] >= max
+            return unless context.downstream_body_sampler.sample?
+
+            context.state[:downstream_body_analyzed_count] += 1
+            data[SAMPLE_BODY_KEY] = true
+          end
+
+          def parse_body(body, content_type:)
+            media_type = Utils::HTTP::MediaType.parse(content_type)
+            return unless media_type
+
+            Utils::HTTP::Body.parse(body, media_type: media_type)
+          end
+
           def request_url(data)
             klass = (data[:scheme] == 'https') ? URI::HTTPS : URI::HTTP
-            klass.build(host: data[:host], path: data[:path], query: data[:query]).to_s
+            klass.build(host: data[:host], port: data[:port], path: data[:path], query: data[:query]).to_s
           end
 
           def normalize_headers(headers)

data/lib/datadog/appsec/contrib/faraday/integration.rb

@@ -25,7 +25,7 @@ module Datadog
           end
 
           def self.compatible?
-            super && version >= MINIMUM_VERSION
+            super && !!(version&.>= MINIMUM_VERSION)
           end
 
           def self.auto_instrument?

data/lib/datadog/appsec/contrib/faraday/patcher.rb

@@ -28,7 +28,7 @@ module Datadog
           end
 
           def configure_default_faraday_connection
-            if target_version >= Gem::Version.new('1.0.0')
+            if target_version&.>= Gem::Version.new('1.0.0')
               # Patch the default connection (e.g. +Faraday.get+)
               ::Faraday.default_connection.use(:datadog_appsec)
 

data/lib/datadog/appsec/contrib/faraday/ssrf_detection_middleware.rb

@@ -3,6 +3,8 @@
 require_relative '../../event'
 require_relative '../../trace_keeper'
 require_relative '../../security_event'
+require_relative '../../utils/http/media_type'
+require_relative '../../utils/http/body'
 
 module Datadog
   module AppSec
@@ -10,17 +12,36 @@ module Datadog
       module Faraday
         # AppSec SSRF detection Middleware for Faraday
         class SSRFDetectionMiddleware < ::Faraday::Middleware
+          REDIRECT_STATUS_CODES = (300..399).freeze
+          SAMPLE_BODY_KEY = :__datadog_appsec_sample_downstream_body
+
           def call(env)
             context = AppSec.active_context
             return @app.call(env) unless context && AppSec.rasp_enabled?
 
-            timeout = Datadog.configuration.appsec.waf_timeout
+            url = env.url.to_s
+            headers = normalize_headers(env.request_headers)
+            # @type var ephemeral_data: ::Datadog::AppSec::Context::input_data
             ephemeral_data = {
-              'server.io.net.url' => env.url.to_s,
+              'server.io.net.url' => url,
               'server.io.net.request.method' => env.method.to_s.upcase,
-              'server.io.net.request.headers' => env.request_headers.transform_keys(&:downcase)
+              'server.io.net.request.headers' => headers
             }
 
+            is_redirect = context.state[:downstream_redirect_url] == url
+            if is_redirect
+              context.state.delete(:downstream_redirect_url)
+              env[SAMPLE_BODY_KEY] = true
+            else
+              mark_body_sampling!(env, context: context)
+            end
+
+            if !is_redirect && env[SAMPLE_BODY_KEY]
+              body = parse_body(env.body, content_type: headers['content-type'])
+              ephemeral_data['server.io.net.request.body'] = body if body
+            end
+
+            timeout = Datadog.configuration.appsec.waf_timeout
             result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, timeout, phase: Ext::RASP_REQUEST_PHASE)
             handle(result, context: context) if result.match?
 
@@ -30,18 +51,50 @@ module Datadog
           private
 
           def on_complete(env, context:)
-            timeout = Datadog.configuration.appsec.waf_timeout
-
-            response_headers = env.response_headers || {}
+            headers = normalize_headers(env.response_headers)
+            # @type var ephemeral_data: ::Datadog::AppSec::Context::input_data
             ephemeral_data = {
               'server.io.net.response.status' => env.status.to_s,
-              'server.io.net.response.headers' => response_headers.transform_keys(&:downcase)
+              'server.io.net.response.headers' => headers
             }
 
+            is_redirect = REDIRECT_STATUS_CODES.cover?(env.status) && headers.key?('location')
+            if is_redirect && env[SAMPLE_BODY_KEY]
+              context.state[:downstream_redirect_url] = URI.join(env.url.to_s, headers['location']).to_s
+            end
+
+            if !is_redirect && env[SAMPLE_BODY_KEY]
+              body = parse_body(env.body, content_type: headers['content-type'])
+              ephemeral_data['server.io.net.response.body'] = body if body
+            end
+
+            timeout = Datadog.configuration.appsec.waf_timeout
             result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, timeout, phase: Ext::RASP_RESPONSE_PHASE)
             handle(result, context: context) if result.match?
           end
 
+          def mark_body_sampling!(env, context:)
+            max = Datadog.configuration.appsec.api_security.downstream_body_analysis.max_requests
+            return if context.state[:downstream_body_analyzed_count] >= max
+            return unless context.downstream_body_sampler.sample?
+
+            context.state[:downstream_body_analyzed_count] += 1
+            env[SAMPLE_BODY_KEY] = true
+          end
+
+          def parse_body(body, content_type:)
+            media_type = Utils::HTTP::MediaType.parse(content_type)
+            return unless media_type
+
+            Utils::HTTP::Body.parse(body, media_type: media_type)
+          end
+
+          def normalize_headers(headers)
+            return {} if headers.nil? || headers.empty?
+
+            headers.transform_keys(&:downcase)
+          end
+
           def handle(result, context:)
             AppSec::Event.tag(context, result)
             TraceKeeper.keep!(context.trace) if result.keep?

data/lib/datadog/appsec/contrib/graphql/gateway/multiplex.rb

@@ -47,9 +47,10 @@ module Datadog
             # Note that the `comments` "include" directive is included in the arguments list
             def build_arguments_hash
               queries.each_with_object({}) do |query, args_hash|
-                next unless query.selected_operation
+                selected_operation = query.selected_operation
+                next unless selected_operation
 
-                arguments_from_selections(query.selected_operation.selections, query.variables, args_hash)
+                arguments_from_selections(selected_operation.selections, query.variables, args_hash)
               end
             end
 
@@ -90,15 +91,19 @@ module Datadog
             end
 
             def argument_value(argument, query_variables)
-              case argument.value.class.name
+              value = argument.value
+
+              case value.class.name
               when Integration::AST_NODE_CLASS_NAMES[:variable_identifier]
+                # @type var value: GraphQL::Language::Nodes::VariableIdentifier
                 # we need to pass query.variables here instead of query.provided_variables,
                 # since #provided_variables don't know anything about variable default value
-                query_variables[argument.value.name]
+                query_variables[value.name]
               when Integration::AST_NODE_CLASS_NAMES[:input_object]
-                arguments_hash(argument.value.arguments, query_variables)
+                # @type var value: GraphQL::Language::Nodes::InputObject
+                arguments_hash(value.arguments, query_variables)
               else
-                argument.value
+                value
               end
             end
           end

data/lib/datadog/appsec/contrib/graphql/gateway/watcher.rb

@@ -22,7 +22,7 @@ module Datadog
               end
 
               def watch_multiplex(gateway = Instrumentation.gateway)
-                gateway.watch('graphql.multiplex', :appsec) do |stack, gateway_multiplex|
+                gateway.watch('graphql.multiplex') do |stack, gateway_multiplex|
                   context = AppSec::Context.active
 
                   if context

data/lib/datadog/appsec/contrib/graphql/integration.rb

@@ -31,7 +31,7 @@ module Datadog
           end
 
           def self.compatible?
-            super && version >= MINIMUM_VERSION && ast_node_classes_defined?
+            !!(super && version&.>=(MINIMUM_VERSION) && ast_node_classes_defined?)
           end
 
           def self.auto_instrument?

data/lib/datadog/appsec/contrib/rack/gateway/request.rb

@@ -23,16 +23,12 @@ module Datadog
             end
 
             def query
-              # Downstream libddwaf expects keys and values to be extractable
-              # separately so we can't use [[k, v], ...]. We also want to allow
-              # duplicate keys, so we use {k => [v, ...], ...} instead, taking into
-              # account that {k => [v1, v2, ...], ...} is possible for duplicate keys.
-              request.query_string.split('&').each.with_object({}) do |e, hash|
-                k, v = e.split('=').map { |s| CGI.unescape(s) }
-                hash[k] ||= []
-
-                hash[k] << v
-              end
+              ::Rack::Utils.parse_query(request.query_string)
+            rescue => e
+              Datadog.logger.debug { "AppSec: Failed to parse request query string: #{e.class}: #{e.message}" }
+              AppSec.telemetry.report(e, description: 'AppSec: Failed to parse request query string')
+
+              {}
             end
 
             def method

data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb

@@ -24,7 +24,7 @@ module Datadog
               end
 
               def watch_request(gateway = Instrumentation.gateway)
-                gateway.watch('rack.request', :appsec) do |stack, gateway_request|
+                gateway.watch('rack.request') do |stack, gateway_request|
                   context = gateway_request.env[AppSec::Ext::CONTEXT_KEY]
 
                   persistent_data = {
@@ -57,7 +57,7 @@ module Datadog
               end
 
               def watch_response(gateway = Instrumentation.gateway)
-                gateway.watch('rack.response', :appsec) do |stack, gateway_response|
+                gateway.watch('rack.response') do |stack, gateway_response|
                   context = gateway_response.context
 
                   persistent_data = {
@@ -84,7 +84,7 @@ module Datadog
               end
 
               def watch_request_body(gateway = Instrumentation.gateway)
-                gateway.watch('rack.request.body', :appsec) do |stack, gateway_request|
+                gateway.watch('rack.request.body') do |stack, gateway_request|
                   context = gateway_request.env[AppSec::Ext::CONTEXT_KEY]
 
                   persistent_data = {
@@ -113,7 +113,7 @@ module Datadog
               #       somewhere closer to identity related monitor.
               # WARNING: The Gateway is a subject of refactoring
               def watch_request_finish(gateway = Instrumentation.gateway)
-                gateway.watch('rack.request.finish', :appsec) do |stack, gateway_request|
+                gateway.watch('rack.request.finish') do |stack, gateway_request|
                   context = gateway_request.env[AppSec::Ext::CONTEXT_KEY]
 
                   if context.span.nil? || !gateway.pushed?('appsec.events.user_lifecycle')

data/lib/datadog/appsec/contrib/rack/integration.rb

@@ -27,7 +27,7 @@ module Datadog
           end
 
           def self.compatible?
-            super && version >= MINIMUM_VERSION
+            !!(super && (version&.>= MINIMUM_VERSION))
           end
 
           def self.auto_instrument?

data/lib/datadog/appsec/contrib/rack/request_middleware.rb

@@ -2,6 +2,7 @@
 
 require 'json'
 
+require_relative 'response_body'
 require_relative 'gateway/request'
 require_relative 'gateway/response'
 
@@ -18,6 +19,13 @@ module Datadog
   module AppSec
     module Contrib
       module Rack
+        RESPONSE_HEADERS_TAGS = %w[
+          content-length
+          content-type
+          content-encoding
+          content-language
+        ].freeze
+
         WAF_VENDOR_HEADERS_TAGS = %w[
           X-Amzn-Trace-Id
           Cloudfront-Viewer-Ja3-Fingerprint
@@ -107,13 +115,12 @@ module Datadog
 
             if AppSec::APISecurity.enabled? && AppSec::APISecurity.sample_trace?(ctx.trace) &&
                 AppSec::APISecurity.sample?(gateway_request.request, tmp_response.response)
-              ctx.events.push(
-                AppSec::SecurityEvent.new(ctx.extract_schema, trace: ctx.trace, span: ctx.span)
-              )
+              ctx.extract_schema!
             end
 
-            AppSec::Event.record(ctx, request: gateway_request, response: gateway_response)
+            AppSec::Event.record(ctx, request: gateway_request)
 
+            add_response_tags(ctx, tmp_response)
             http_response
           ensure
             if ctx
@@ -182,7 +189,6 @@ module Datadog
           # standard:disable Metrics/MethodLength
           def add_request_tags(context, env)
             span = context.span
-
             return unless span
 
             # Always add WAF vendors headers
@@ -204,6 +210,21 @@ module Datadog
           end
           # standard:enable Metrics/MethodLength
 
+          def add_response_tags(context, response)
+            span = context.span
+            return unless span
+
+            RESPONSE_HEADERS_TAGS.each do |name|
+              value = response.headers[name]
+              span.set_tag("http.response.headers.#{name}", value.to_s) if value
+            end
+
+            unless response.headers.key?('content-length')
+              length = ResponseBody.content_length(response.body)
+              span.set_tag('http.response.headers.content-length', length.to_s) if length
+            end
+          end
+
           def oneshot_tags_sent?
             @oneshot_tags_sent
           end

data/lib/datadog/appsec/contrib/rack/response_body.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module Contrib
+      module Rack
+        module ResponseBody
+          # NOTE: We compute content length only for fixed-size response bodies,
+          #       ignoring streaming bodies to avoid buffering.
+          #
+          #       On Rack 3.x, `body.to_ary` on a BodyProxy triggers `close` on all
+          #       nested BodyProxy layers. This is safe because web servers, like Puma
+          #       handles already-closed bodies (its own `to_ary` becomes a no-op).
+          #
+          # @see Puma::Response#prepare_response
+          # @see https://github.com/puma/puma/blob/b1271222cbf21868f3fb64154caa4d03936a7b9e/lib/puma/response.rb#L165-L168
+          def self.content_length(body)
+            return unless body.respond_to?(:to_ary)
+
+            # NOTE: When `to_ary` exists but returns `nil`, the body will be
+            #       transferred in chunks and we can't compute content length
+            #       without buffering it.
+            body_ary = body.to_ary
+            return unless body_ary.is_a?(Array)
+
+            body_ary.sum { |part| part.is_a?(String) ? part.bytesize : 0 }
+          rescue => e
+            AppSec.telemetry.report(e, description: 'AppSec: Failed to compute body content length')
+
+            nil
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/contrib/rails/gateway/watcher.rb

@@ -21,7 +21,7 @@ module Datadog
               end
 
               def watch_request_action(gateway = Instrumentation.gateway)
-                gateway.watch('rails.request.action', :appsec) do |stack, gateway_request|
+                gateway.watch('rails.request.action') do |stack, gateway_request|
                   context = gateway_request.env[AppSec::Ext::CONTEXT_KEY]
 
                   persistent_data = {
@@ -47,7 +47,7 @@ module Datadog
               end
 
               def watch_response_body_json(gateway = Instrumentation.gateway)
-                gateway.watch('rails.response.body.json', :appsec) do |stack, container|
+                gateway.watch('rails.response.body.json') do |stack, container|
                   context = container.context
 
                   persistent_data = {

data/lib/datadog/appsec/contrib/rails/integration.rb

@@ -26,7 +26,7 @@ module Datadog
           end
 
           def self.compatible?
-            super && version >= MINIMUM_VERSION
+            !!(super && (version&.>= MINIMUM_VERSION))
           end
 
           def self.auto_instrument?