RubyGems - datadog - Versions diffs - 2.30.0 → 2.32.0 - Mend

datadog 2.30.0 → 2.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (219) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +44 -1
data/ext/datadog_profiling_native_extension/collectors_cpu_and_wall_time_worker.c +17 -7
data/ext/datadog_profiling_native_extension/collectors_thread_context.c +11 -4
data/ext/datadog_profiling_native_extension/collectors_thread_context.h +6 -0
data/ext/datadog_profiling_native_extension/datadog_ruby_common.c +18 -0
data/ext/datadog_profiling_native_extension/datadog_ruby_common.h +10 -0
data/ext/datadog_profiling_native_extension/extconf.rb +7 -4
data/ext/datadog_profiling_native_extension/http_transport.c +10 -5
data/ext/libdatadog_api/crashtracker.c +5 -8
data/ext/libdatadog_api/datadog_ruby_common.c +18 -0
data/ext/libdatadog_api/datadog_ruby_common.h +10 -0
data/ext/libdatadog_api/di.c +127 -0
data/ext/libdatadog_api/extconf.rb +9 -4
data/ext/libdatadog_api/init.c +5 -2
data/ext/libdatadog_extconf_helpers.rb +46 -1
data/lib/datadog/ai_guard/component.rb +2 -0
data/lib/datadog/ai_guard/configuration.rb +105 -2
data/lib/datadog/ai_guard/contrib/ruby_llm/chat_instrumentation.rb +41 -3
data/lib/datadog/ai_guard/evaluation/content_builder.rb +31 -0
data/lib/datadog/ai_guard/evaluation/content_part.rb +36 -0
data/lib/datadog/ai_guard/evaluation/no_op_result.rb +3 -1
data/lib/datadog/ai_guard/evaluation/request.rb +14 -9
data/lib/datadog/ai_guard/evaluation/result.rb +3 -1
data/lib/datadog/ai_guard/evaluation.rb +37 -7
data/lib/datadog/ai_guard/ext.rb +1 -0
data/lib/datadog/ai_guard.rb +26 -8
data/lib/datadog/appsec/autoload.rb +1 -1
data/lib/datadog/appsec/component.rb +11 -7
data/lib/datadog/appsec/configuration.rb +414 -1
data/lib/datadog/appsec/contrib/devise/patches/signin_tracking_patch.rb +2 -1
data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb +6 -7
data/lib/datadog/appsec/instrumentation/gateway.rb +0 -13
data/lib/datadog/appsec/metrics/telemetry.rb +13 -1
data/lib/datadog/appsec/monitor/gateway/watcher.rb +2 -0
data/lib/datadog/appsec/security_engine/runner.rb +1 -1
data/lib/datadog/appsec/trace_keeper.rb +18 -6
data/lib/datadog/appsec/utils/http/media_type.rb +1 -2
data/lib/datadog/appsec/utils/http/url_encoded.rb +3 -3
data/lib/datadog/appsec.rb +5 -9
data/lib/datadog/core/configuration/base.rb +17 -5
data/lib/datadog/core/configuration/components.rb +22 -9
data/lib/datadog/core/configuration/config_helper.rb +9 -0
data/lib/datadog/core/configuration/option.rb +30 -5
data/lib/datadog/core/configuration/option_definition.rb +38 -12
data/lib/datadog/core/configuration/options.rb +40 -6
data/lib/datadog/core/configuration/settings.rb +18 -0
data/lib/datadog/core/configuration/supported_configurations.rb +3 -0
data/lib/datadog/core/configuration.rb +1 -1
data/lib/datadog/core/contrib/rails/railtie.rb +32 -0
data/lib/datadog/core/contrib/rails/utils.rb +7 -3
data/lib/datadog/core/crashtracking/component.rb +3 -3
data/lib/datadog/core/diagnostics/environment_logger.rb +3 -1
data/lib/datadog/core/environment/container.rb +2 -2
data/lib/datadog/core/environment/ext.rb +1 -0
data/lib/datadog/core/environment/identity.rb +25 -3
data/lib/datadog/core/environment/process.rb +12 -0
data/lib/datadog/core/feature_flags.rb +1 -1
data/lib/datadog/core/metrics/client.rb +5 -5
data/lib/datadog/core/remote/client.rb +1 -1
data/lib/datadog/core/remote/component.rb +38 -21
data/lib/datadog/core/runtime/metrics.rb +1 -1
data/lib/datadog/core/telemetry/component.rb +3 -0
data/lib/datadog/core/telemetry/emitter.rb +1 -1
data/lib/datadog/core/telemetry/event/app_client_configuration_change.rb +2 -3
data/lib/datadog/core/telemetry/event/app_extended_heartbeat.rb +32 -0
data/lib/datadog/core/telemetry/event/app_started.rb +151 -169
data/lib/datadog/core/telemetry/event.rb +1 -7
data/lib/datadog/core/telemetry/ext.rb +1 -0
data/lib/datadog/core/telemetry/transport/http/telemetry.rb +5 -0
data/lib/datadog/core/telemetry/worker.rb +20 -0
data/lib/datadog/core/transport/http.rb +2 -0
data/lib/datadog/core/utils/only_once.rb +1 -1
data/lib/datadog/core/utils/spawn_monkey_patch.rb +36 -0
data/lib/datadog/core/utils.rb +1 -1
data/lib/datadog/core/workers/async.rb +1 -1
data/lib/datadog/core.rb +1 -2
data/lib/datadog/data_streams/configuration.rb +40 -1
data/lib/datadog/data_streams/pathway_context.rb +1 -1
data/lib/datadog/data_streams/processor.rb +1 -1
data/lib/datadog/data_streams.rb +1 -1
data/lib/datadog/di/base.rb +8 -5
data/lib/datadog/di/boot.rb +2 -4
data/lib/datadog/di/code_tracker.rb +179 -1
data/lib/datadog/di/component.rb +5 -1
data/lib/datadog/di/configuration.rb +235 -2
data/lib/datadog/di/instrumenter.rb +55 -29
data/lib/datadog/di/probe_builder.rb +1 -1
data/lib/datadog/di/probe_file_loader.rb +2 -2
data/lib/datadog/di/probe_manager.rb +6 -6
data/lib/datadog/di/probe_notification_builder.rb +110 -2
data/lib/datadog/di/probe_notifier_worker.rb +2 -2
data/lib/datadog/di/remote.rb +6 -6
data/lib/datadog/di/transport/input.rb +3 -3
data/lib/datadog/di.rb +81 -0
data/lib/datadog/error_tracking/configuration.rb +55 -2
data/lib/datadog/kit/enable_core_dumps.rb +1 -1
data/lib/datadog/open_feature/component.rb +18 -1
data/lib/datadog/open_feature/evaluation_engine.rb +2 -2
data/lib/datadog/open_feature/hooks/flag_eval_hook.rb +49 -0
data/lib/datadog/open_feature/metrics/flag_eval_metrics.rb +149 -0
data/lib/datadog/open_feature/provider.rb +19 -1
data/lib/datadog/open_feature/remote.rb +1 -1
data/lib/datadog/open_feature/transport.rb +1 -1
data/lib/datadog/opentelemetry/configuration/settings.rb +2 -0
data/lib/datadog/opentelemetry/metrics.rb +3 -3
data/lib/datadog/opentelemetry/sdk/configurator.rb +1 -1
data/lib/datadog/opentelemetry/sdk/metrics_exporter.rb +1 -1
data/lib/datadog/profiling/collectors/code_provenance.rb +36 -11
data/lib/datadog/profiling/collectors/cpu_and_wall_time_worker.rb +31 -2
data/lib/datadog/profiling/collectors/idle_sampling_helper.rb +8 -2
data/lib/datadog/profiling/collectors/info.rb +16 -3
data/lib/datadog/profiling/component.rb +12 -4
data/lib/datadog/profiling/exporter.rb +37 -12
data/lib/datadog/profiling/ext.rb +0 -2
data/lib/datadog/profiling/flush.rb +21 -12
data/lib/datadog/profiling/http_transport.rb +12 -1
data/lib/datadog/profiling/load_native_extension.rb +2 -2
data/lib/datadog/profiling/profiler.rb +13 -5
data/lib/datadog/profiling/scheduler.rb +2 -2
data/lib/datadog/profiling/tasks/exec.rb +8 -3
data/lib/datadog/profiling/tasks/help.rb +1 -0
data/lib/datadog/profiling/tasks/setup.rb +2 -2
data/lib/datadog/profiling.rb +1 -2
data/lib/datadog/single_step_instrument.rb +1 -1
data/lib/datadog/symbol_database/configuration.rb +65 -0
data/lib/datadog/symbol_database/extractor.rb +915 -0
data/lib/datadog/symbol_database/file_hash.rb +46 -0
data/lib/datadog/symbol_database/logger.rb +43 -0
data/lib/datadog/symbol_database/scope.rb +98 -0
data/lib/datadog/symbol_database/service_version.rb +57 -0
data/lib/datadog/symbol_database/symbol.rb +66 -0
data/lib/datadog/symbol_database/transport/http/endpoint.rb +28 -0
data/lib/datadog/symbol_database/transport/http.rb +45 -0
data/lib/datadog/symbol_database/transport.rb +54 -0
data/lib/datadog/symbol_database/uploader.rb +166 -0
data/lib/datadog/symbol_database.rb +49 -0
data/lib/datadog/tracing/buffer.rb +3 -3
data/lib/datadog/tracing/component.rb +11 -0
data/lib/datadog/tracing/configuration/settings.rb +2 -1
data/lib/datadog/tracing/contrib/action_pack/action_controller/instrumentation.rb +5 -3
data/lib/datadog/tracing/contrib/action_pack/action_dispatch/instrumentation.rb +20 -0
data/lib/datadog/tracing/contrib/action_pack/action_dispatch/patcher.rb +3 -1
data/lib/datadog/tracing/contrib/action_view/events/render_template.rb +1 -1
data/lib/datadog/tracing/contrib/active_job/events/discard.rb +1 -1
data/lib/datadog/tracing/contrib/active_job/events/enqueue.rb +1 -1
data/lib/datadog/tracing/contrib/active_job/events/enqueue_at.rb +1 -1
data/lib/datadog/tracing/contrib/active_job/events/enqueue_retry.rb +1 -1
data/lib/datadog/tracing/contrib/active_job/events/perform.rb +1 -1
data/lib/datadog/tracing/contrib/active_job/events/retry_stopped.rb +1 -1
data/lib/datadog/tracing/contrib/active_model_serializers/events/render.rb +1 -1
data/lib/datadog/tracing/contrib/active_model_serializers/events/serialize.rb +1 -1
data/lib/datadog/tracing/contrib/active_record/configuration/resolver.rb +2 -2
data/lib/datadog/tracing/contrib/active_record/events/instantiation.rb +1 -1
data/lib/datadog/tracing/contrib/active_record/events/sql.rb +1 -1
data/lib/datadog/tracing/contrib/active_record/utils.rb +1 -1
data/lib/datadog/tracing/contrib/active_support/cache/events/cache.rb +1 -1
data/lib/datadog/tracing/contrib/active_support/notifications/subscription.rb +2 -2
data/lib/datadog/tracing/contrib/aws/instrumentation.rb +1 -1
data/lib/datadog/tracing/contrib/component.rb +1 -1
data/lib/datadog/tracing/contrib/configurable.rb +18 -3
data/lib/datadog/tracing/contrib/configuration/resolver.rb +7 -4
data/lib/datadog/tracing/contrib/dalli/quantize.rb +1 -1
data/lib/datadog/tracing/contrib/elasticsearch/patcher.rb +1 -1
data/lib/datadog/tracing/contrib/excon/middleware.rb +2 -2
data/lib/datadog/tracing/contrib/extensions.rb +9 -0
data/lib/datadog/tracing/contrib/faraday/middleware.rb +2 -2
data/lib/datadog/tracing/contrib/grape/endpoint.rb +5 -5
data/lib/datadog/tracing/contrib/grpc/datadog_interceptor/client.rb +2 -2
data/lib/datadog/tracing/contrib/grpc/datadog_interceptor/server.rb +2 -2
data/lib/datadog/tracing/contrib/http/instrumentation.rb +3 -3
data/lib/datadog/tracing/contrib/httpclient/instrumentation.rb +6 -2
data/lib/datadog/tracing/contrib/httprb/instrumentation.rb +3 -3
data/lib/datadog/tracing/contrib/kafka/instrumentation/consumer.rb +2 -2
data/lib/datadog/tracing/contrib/kafka/instrumentation/producer.rb +2 -2
data/lib/datadog/tracing/contrib/karafka/patcher.rb +1 -1
data/lib/datadog/tracing/contrib/mongodb/subscribers.rb +3 -3
data/lib/datadog/tracing/contrib/opensearch/patcher.rb +1 -1
data/lib/datadog/tracing/contrib/presto/instrumentation.rb +3 -3
data/lib/datadog/tracing/contrib/rack/patcher.rb +1 -1
data/lib/datadog/tracing/contrib/rack/request_queue.rb +1 -1
data/lib/datadog/tracing/contrib/rails/log_injection.rb +1 -1
data/lib/datadog/tracing/contrib/rails/patcher.rb +0 -1
data/lib/datadog/tracing/contrib/rails/runner.rb +1 -1
data/lib/datadog/tracing/contrib/rake/instrumentation.rb +2 -2
data/lib/datadog/tracing/contrib/redis/quantize.rb +1 -1
data/lib/datadog/tracing/contrib/redis/tags.rb +1 -1
data/lib/datadog/tracing/contrib/sidekiq/utils.rb +1 -1
data/lib/datadog/tracing/contrib/status_range_matcher.rb +4 -0
data/lib/datadog/tracing/contrib/stripe/request.rb +1 -1
data/lib/datadog/tracing/contrib.rb +8 -0
data/lib/datadog/tracing/diagnostics/environment_logger.rb +3 -1
data/lib/datadog/tracing/distributed/baggage.rb +59 -5
data/lib/datadog/tracing/distributed/datadog.rb +13 -11
data/lib/datadog/tracing/distributed/datadog_tags_codec.rb +1 -1
data/lib/datadog/tracing/distributed/propagation.rb +2 -2
data/lib/datadog/tracing/distributed/trace_context.rb +74 -32
data/lib/datadog/tracing/event.rb +1 -1
data/lib/datadog/tracing/metadata/tagging.rb +2 -2
data/lib/datadog/tracing/pipeline.rb +1 -1
data/lib/datadog/tracing/remote.rb +1 -1
data/lib/datadog/tracing/sampling/ext.rb +2 -0
data/lib/datadog/tracing/sampling/priority_sampler.rb +13 -0
data/lib/datadog/tracing/sampling/rule.rb +1 -1
data/lib/datadog/tracing/sampling/rule_sampler.rb +54 -25
data/lib/datadog/tracing/sampling/span/rule_parser.rb +2 -2
data/lib/datadog/tracing/span_operation.rb +4 -4
data/lib/datadog/tracing/trace_operation.rb +53 -9
data/lib/datadog/tracing/tracer.rb +29 -4
data/lib/datadog/tracing/transport/io/client.rb +1 -1
data/lib/datadog/tracing/transport/trace_formatter.rb +1 -1
data/lib/datadog/tracing/workers.rb +2 -1
data/lib/datadog/version.rb +1 -1
metadata +27 -12
data/lib/datadog/ai_guard/configuration/settings.rb +0 -113
data/lib/datadog/appsec/configuration/settings.rb +0 -423
data/lib/datadog/data_streams/configuration/settings.rb +0 -49
data/lib/datadog/di/configuration/settings.rb +0 -243
data/lib/datadog/error_tracking/configuration/settings.rb +0 -63

data/lib/datadog/appsec/configuration.rb CHANGED Viewed

@@ -1,11 +1,424 @@
 # frozen_string_literal: true
-require_relative 'configuration/settings'
+require_relative '../core/utils/duration'
+require_relative 'sample_rate'
 module Datadog
   module AppSec
     # Configuration for AppSec
     module Configuration
+      # Settings
+      module Settings
+        # rubocop:disable Layout/LineLength
+        DEFAULT_OBFUSCATOR_KEY_REGEX = '(?i)pass|pw(?:or)?d|secret|(?:api|private|public|access)[_-]?key|token|consumer[_-]?(?:id|key|secret)|sign(?:ed|ature)|bearer|authorization|jsessionid|phpsessid|asp\.net[_-]sessionid|sid|jwt'
+        DEFAULT_OBFUSCATOR_VALUE_REGEX = '(?i)(?:p(?:ass)?w(?:or)?d|pass(?:[_-]?phrase)?|secret(?:[_-]?key)?|(?:(?:api|private|public|access)[_-]?)key(?:[_-]?id)?|(?:(?:auth|access|id|refresh)[_-]?)?token|consumer[_-]?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?|jsessionid|phpsessid|asp\.net(?:[_-]|-)sessionid|sid|jwt)(?:\s*=[^;]|"\s*:\s*"[^"]+")|bearer\s+[a-z0-9\._\-]+|token:[a-z0-9]{13}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\w=-]+\.ey[I-L][\w=-]+(?:\.[\w.+\/=-]+)?|[\-]{5}BEGIN[a-z\s]+PRIVATE\sKEY[\-]{5}[^\-]+[\-]{5}END[a-z\s]+PRIVATE\sKEY|ssh-rsa\s*[a-z0-9\/\.+]{100,}'
+        # rubocop:enable Layout/LineLength
+        DISABLED_AUTO_USER_INSTRUMENTATION_MODE = 'disabled'
+        ANONYMIZATION_AUTO_USER_INSTRUMENTATION_MODE = 'anonymization'
+        IDENTIFICATION_AUTO_USER_INSTRUMENTATION_MODE = 'identification'
+        AUTO_USER_INSTRUMENTATION_MODES = [
+          DISABLED_AUTO_USER_INSTRUMENTATION_MODE,
+          ANONYMIZATION_AUTO_USER_INSTRUMENTATION_MODE,
+          IDENTIFICATION_AUTO_USER_INSTRUMENTATION_MODE
+        ].freeze
+        AUTO_USER_INSTRUMENTATION_MODES_ALIASES = {
+          'ident' => IDENTIFICATION_AUTO_USER_INSTRUMENTATION_MODE,
+          'anon' => ANONYMIZATION_AUTO_USER_INSTRUMENTATION_MODE,
+        }.freeze
+        # NOTE: These two constants are deprecated
+        SAFE_TRACK_USER_EVENTS_MODE = 'safe'
+        EXTENDED_TRACK_USER_EVENTS_MODE = 'extended'
+        APPSEC_VALID_TRACK_USER_EVENTS_MODE = [
+          SAFE_TRACK_USER_EVENTS_MODE, EXTENDED_TRACK_USER_EVENTS_MODE
+        ].freeze
+        APPSEC_VALID_TRACK_USER_EVENTS_ENABLED_VALUES = ['1', 'true'].concat(
+          APPSEC_VALID_TRACK_USER_EVENTS_MODE
+        ).freeze
+        def self.extended(base)
+          base = base.singleton_class unless base.is_a?(Class)
+          add_settings!(base)
+        end
+        # rubocop:disable Metrics/AbcSize,Metrics/MethodLength,Metrics/BlockLength,Metrics/CyclomaticComplexity,Metrics/PerceivedComplexity
+        def self.add_settings!(base)
+          base.class_eval do
+            settings :appsec do
+              option :enabled do |o|
+                o.type :bool
+                o.env 'DD_APPSEC_ENABLED'
+                o.default false
+              end
+              define_method(:instrument) do |integration_name|
+                if enabled
+                  registered_integration = Datadog::AppSec::Contrib::Integration.registry[integration_name]
+                  if registered_integration
+                    klass = registered_integration.klass
+                    if klass.loaded? && klass.compatible?
+                      instance = klass.new
+                      instance.patcher.patch unless instance.patcher.patched?
+                    end
+                  end
+                end
+              end
+              # RASP or Runtime Application Self-Protection
+              # is a collection of techniques and heuristics aimed at detecting malicious inputs and preventing
+              # any potential side-effects on the application resulting from the use of said malicious inputs.
+              option :rasp_enabled do |o|
+                o.type :bool, nilable: true
+                o.env 'DD_APPSEC_RASP_ENABLED'
+                o.default true
+              end
+              option :ruleset do |o|
+                o.env 'DD_APPSEC_RULES'
+                o.default :recommended
+              end
+              option :ip_passlist do |o|
+                o.default []
+                o.setter do |value|
+                  next value if value.nil? || value.empty?
+                  Datadog::Core.log_deprecation(disallowed_next_major: false) do
+                    'The ip_passlist setting is deprecated and will be removed in the next release. ' \
+                    'Please migrate this configuration to your service settings via the Datadog UI'
+                  end
+                  value
+                end
+              end
+              option :ip_denylist do |o|
+                o.type :array
+                o.default []
+                o.setter do |value|
+                  next value if value.nil? || value.empty?
+                  Datadog::Core.log_deprecation(disallowed_next_major: false) do
+                    'The ip_denylist setting is deprecated and will be removed in the next release. ' \
+                    'Please migrate this configuration to your service settings via the Datadog UI'
+                  end
+                  value
+                end
+              end
+              option :user_id_denylist do |o|
+                o.type :array
+                o.default []
+                o.setter do |value|
+                  next value if value.nil? || value.empty?
+                  Datadog::Core.log_deprecation(disallowed_next_major: false) do
+                    'The user_id_denylist setting is deprecated and will be removed in the next release. ' \
+                    'Please migrate this configuration to your service settings via the Datadog UI'
+                  end
+                  value
+                end
+              end
+              option :waf_timeout do |o|
+                o.env 'DD_APPSEC_WAF_TIMEOUT' # us
+                o.default 5_000
+                o.setter do |v|
+                  Datadog::Core::Utils::Duration.call(v.to_s, base: :us)
+                end
+              end
+              option :waf_debug do |o|
+                o.env 'DD_APPSEC_WAF_DEBUG'
+                o.default false
+                o.type :bool
+              end
+              option :trace_rate_limit do |o|
+                o.type :int
+                o.env 'DD_APPSEC_TRACE_RATE_LIMIT' # trace/s
+                o.default 100
+              end
+              option :obfuscator_key_regex do |o|
+                o.type :string
+                o.env 'DD_APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP'
+                o.default DEFAULT_OBFUSCATOR_KEY_REGEX
+              end
+              option :obfuscator_value_regex do |o|
+                o.type :string
+                o.env 'DD_APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP'
+                o.default DEFAULT_OBFUSCATOR_VALUE_REGEX
+              end
+              settings :block do
+                settings :templates do
+                  option :html do |o|
+                    o.env 'DD_APPSEC_HTTP_BLOCKED_TEMPLATE_HTML'
+                    o.type :string, nilable: true
+                    o.setter do |value|
+                      if value
+                        unless File.exist?(value)
+                          raise(ArgumentError,
+                            "appsec.templates.html: file not found: #{value}")
+                        end
+                        File.binread(value) || ''
+                      end
+                    end
+                  end
+                  option :json do |o|
+                    o.env 'DD_APPSEC_HTTP_BLOCKED_TEMPLATE_JSON'
+                    o.type :string, nilable: true
+                    o.setter do |value|
+                      if value
+                        unless File.exist?(value)
+                          raise(ArgumentError,
+                            "appsec.templates.json: file not found: #{value}")
+                        end
+                        File.binread(value) || ''
+                      end
+                    end
+                  end
+                  option :text do |o|
+                    o.env 'DD_APPSEC_HTTP_BLOCKED_TEMPLATE_TEXT'
+                    o.type :string, nilable: true
+                    o.setter do |value|
+                      if value
+                        unless File.exist?(value)
+                          raise(ArgumentError,
+                            "appsec.templates.text: file not found: #{value}")
+                        end
+                        File.binread(value) || ''
+                      end
+                    end
+                  end
+                end
+              end
+              settings :stack_trace do
+                option :enabled do |o|
+                  o.type :bool
+                  o.env 'DD_APPSEC_STACK_TRACE_ENABLED'
+                  o.default true
+                end
+                # The maximum number of stack trace frames to collect for each stack trace.
+                #
+                # If the stack trace exceeds this limit, the frames are dropped from the middle of the stack trace:
+                # 75% of the frames are kept from the top of the stack trace and 25% from the bottom
+                # (this percentage is also configurable).
+                #
+                # Minimum value is 10.
+                # Set to zero if you don't want any frames to be dropped.
+                #
+                # Default value is 32
+                option :max_depth do |o|
+                  o.type :int
+                  o.env 'DD_APPSEC_MAX_STACK_TRACE_DEPTH'
+                  o.default 32
+                  o.setter do |value|
+                    value = 0 if value < 0
+                    value
+                  end
+                end
+                # The percentage of frames to keep from the top of the stack trace.
+                #
+                # Default value is 75
+                option :top_percentage do |o|
+                  o.type :int
+                  o.env 'DD_APPSEC_MAX_STACK_TRACE_DEPTH_TOP_PERCENT'
+                  o.default 75
+                  o.setter do |value|
+                    value = 100 if value > 100
+                    value = 0 if value.negative?
+                    value
+                  end
+                end
+                # Maximum number of stack traces to collect per span.
+                #
+                # Set to zero if you want to collect all stack traces.
+                #
+                # Default value is 2
+                option :max_stack_traces do |o|
+                  o.type :int
+                  o.env 'DD_APPSEC_MAX_STACK_TRACES'
+                  o.default 2
+                  o.setter do |value|
+                    value = 0 if value < 0
+                    value
+                  end
+                end
+              end
+              settings :auto_user_instrumentation do
+                define_method(:enabled?) { get_option(:mode) != DISABLED_AUTO_USER_INSTRUMENTATION_MODE }
+                option :mode do |o|
+                  o.type :string
+                  o.env 'DD_APPSEC_AUTO_USER_INSTRUMENTATION_MODE'
+                  o.default IDENTIFICATION_AUTO_USER_INSTRUMENTATION_MODE
+                  o.setter do |value|
+                    mode = AUTO_USER_INSTRUMENTATION_MODES_ALIASES.fetch(value, value)
+                    next mode if AUTO_USER_INSTRUMENTATION_MODES.include?(mode)
+                    Datadog.logger.warn(
+                      'The appsec.auto_user_instrumentation.mode value provided is not supported. ' \
+                      "Supported values are: #{AUTO_USER_INSTRUMENTATION_MODES.join(" | ")}. " \
+                      "Using value: #{DISABLED_AUTO_USER_INSTRUMENTATION_MODE}."
+                    )
+                    DISABLED_AUTO_USER_INSTRUMENTATION_MODE
+                  end
+                end
+              end
+              # DEV-3.0: Remove `track_user_events.enabled` and `track_user_events.mode` options
+              settings :track_user_events do
+                option :enabled do |o|
+                  o.default true
+                  o.type :bool
+                  o.env 'DD_APPSEC_AUTOMATED_USER_EVENTS_TRACKING'
+                  o.env_parser do |env_value|
+                    if env_value == 'disabled'
+                      false
+                    else
+                      APPSEC_VALID_TRACK_USER_EVENTS_ENABLED_VALUES.include?(env_value.strip.downcase)
+                    end
+                  end
+                  o.after_set do |_, _, precedence|
+                    unless precedence == Datadog::Core::Configuration::Option::Precedence::DEFAULT
+                      Core.log_deprecation(key: :appsec_track_user_events_enabled) do
+                        'The appsec.track_user_events.enabled setting is deprecated. ' \
+                        'Please remove it from your Datadog.configure block and use ' \
+                        'appsec.auto_user_instrumentation.mode instead.'
+                      end
+                    end
+                  end
+                end
+                option :mode do |o|
+                  o.type :string
+                  o.env 'DD_APPSEC_AUTOMATED_USER_EVENTS_TRACKING'
+                  o.default SAFE_TRACK_USER_EVENTS_MODE
+                  o.setter do |v|
+                    if APPSEC_VALID_TRACK_USER_EVENTS_MODE.include?(v)
+                      v
+                    elsif v == 'disabled'
+                      SAFE_TRACK_USER_EVENTS_MODE
+                    else
+                      Datadog.logger.warn(
+                        'The appsec.track_user_events.mode value provided is not supported.' \
+                        "Supported values are: #{APPSEC_VALID_TRACK_USER_EVENTS_MODE.join(" | ")}." \
+                        "Using default value: #{SAFE_TRACK_USER_EVENTS_MODE}."
+                      )
+                      SAFE_TRACK_USER_EVENTS_MODE
+                    end
+                  end
+                  o.after_set do |_, _, precedence|
+                    unless precedence == Datadog::Core::Configuration::Option::Precedence::DEFAULT
+                      Core.log_deprecation(key: :appsec_track_user_events_mode) do
+                        'The appsec.track_user_events.mode setting is deprecated. ' \
+                        'Please remove it from your Datadog.configure block and use ' \
+                        'appsec.auto_user_instrumentation.mode instead.'
+                      end
+                    end
+                  end
+                end
+              end
+              settings :api_security do
+                define_method(:enabled?) { get_option(:enabled) }
+                option :enabled do |o|
+                  o.type :bool
+                  o.env 'DD_API_SECURITY_ENABLED'
+                  o.default true
+                end
+                settings :endpoint_collection do
+                  # Enables reporting of application routes at application start via telemetry
+                  option :enabled do |o|
+                    o.type :bool, nilable: true
+                    o.env 'DD_API_SECURITY_ENDPOINT_COLLECTION_ENABLED'
+                    o.default true
+                  end
+                end
+                # NOTE: Unfortunately, we have to go with Float due to other libs
+                #       setup, even tho we don't plan to support sub-second delays.
+                #
+                # WARNING: The value will be converted to Integer.
+                option :sample_delay do |o|
+                  o.type :float
+                  o.env 'DD_API_SECURITY_SAMPLE_DELAY'
+                  o.default 30
+                  o.setter do |value|
+                    value.to_i
+                  end
+                end
+                # DEV-3.0: Remove `api_security.sample_rate` option
+                option :sample_rate do |o|
+                  o.type :float
+                  o.env 'DD_API_SECURITY_REQUEST_SAMPLE_RATE'
+                  o.default 0.1
+                  o.setter do |value|
+                    value = 1 if value > 1
+                    SampleRate.new(value)
+                  end
+                  o.after_set do |_, _, precedence|
+                    next if precedence == Datadog::Core::Configuration::Option::Precedence::DEFAULT
+                    Core.log_deprecation(key: :appsec_api_security_sample_rate) do
+                      'The appsec.api_security.sample_rate setting is deprecated. ' \
+                      'Please remove it from your Datadog.configure block and use ' \
+                      'appsec.api_security.sample_delay instead.'
+                    end
+                  end
+                end
+                settings :downstream_body_analysis do
+                  option :sample_rate do |o|
+                    o.type :float
+                    o.env 'DD_API_SECURITY_DOWNSTREAM_BODY_ANALYSIS_SAMPLE_RATE'
+                    o.default 0.5
+                  end
+                  option :max_requests do |o|
+                    o.type :int
+                    o.env 'DD_API_SECURITY_MAX_DOWNSTREAM_REQUEST_BODY_ANALYSIS'
+                    o.default 1
+                  end
+                end
+              end
+              option :sca_enabled do |o|
+                o.type :bool, nilable: true
+                o.env 'DD_APPSEC_SCA_ENABLED'
+              end
+            end
+          end
+        end
+        # rubocop:enable Metrics/AbcSize,Metrics/MethodLength,Metrics/BlockLength,Metrics/CyclomaticComplexity,Metrics/PerceivedComplexity
+      end
     end
   end
 end

data/lib/datadog/appsec/contrib/devise/patches/signin_tracking_patch.rb CHANGED Viewed

@@ -18,9 +18,10 @@ module Datadog
               return result unless AppSec.enabled?
               return result if @_datadog_appsec_skip_track_login_event
               return result unless Configuration.auto_user_instrumentation_enabled?
-              return result unless AppSec.active_context
               context = AppSec.active_context
+              return result unless context
               if context.trace.nil? || context.span.nil?
                 Datadog.logger.debug { 'AppSec: unable to track signin events, due to missing trace or span' }
                 return result

data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb CHANGED Viewed

@@ -116,17 +116,16 @@ module Datadog
                 gateway.watch('rack.request.finish') do |stack, gateway_request|
                   context = gateway_request.env[AppSec::Ext::CONTEXT_KEY]
-                  if context.span.nil? || !gateway.pushed?('appsec.events.user_lifecycle')
-                    next stack.call(gateway_request.request)
-                  end
+                  next stack.call(gateway_request.request) if context.span.nil?
                   gateway_request.headers.each do |name, value|
-                    if !Ext::COLLECTABLE_REQUEST_HEADERS.include?(name) &&
-                        !Ext::IDENTITY_COLLECTABLE_REQUEST_HEADERS.include?(name)
-                      next
+                    if Ext::COLLECTABLE_REQUEST_HEADERS.include?(name)
+                      context.span["http.request.headers.#{name}"] ||= value
                     end
-                    context.span["http.request.headers.#{name}"] ||= value
+                    if context.state[:has_identity_event] && Ext::IDENTITY_COLLECTABLE_REQUEST_HEADERS.include?(name)
+                      context.span["http.request.headers.#{name}"] ||= value
+                    end
                   end
                   stack.call(gateway_request.request)

data/lib/datadog/appsec/instrumentation/gateway.rb CHANGED Viewed

@@ -10,18 +10,9 @@ module Datadog
       class Gateway
         def initialize
           @middlewares = Hash.new { |h, k| h[k] = [] }
-          @pushed_events = {}
         end
-        # NOTE: Be careful with pushed names because every pushed event name
-        #       is recorded in order to provide an ability to any subscriber
-        #       to check wether an arbitrary event had happened.
-        #
-        # WARNING: If we start pushing generated names we should consider
-        #          limiting the storage of pushed names.
         def push(name, env, &block)
-          @pushed_events[name] = true
           block ||= -> {}
           middlewares_for_name = @middlewares[name]
@@ -44,10 +35,6 @@ module Datadog
         def watch(name, &block)
           @middlewares[name] << Middleware.new(&block)
         end
-        def pushed?(name)
-          @pushed_events.key?(name)
-        end
       end
       # NOTE: This left as-is and will be depricated soon.

data/lib/datadog/appsec/metrics/telemetry.rb CHANGED Viewed

@@ -5,6 +5,11 @@ module Datadog
     module Metrics
       # A class responsible for reporting WAF and RASP telemetry metrics.
       module Telemetry
+        ACTION_BLOCK = 'block_request'
+        ACTION_REDIRECT = 'redirect_request'
+        BLOCK_SUCCESS = 'success'
+        BLOCK_IRRELEVANT = 'irrelevant'
         module_function
         def report_rasp(type, result, phase: nil)
@@ -19,8 +24,15 @@ module Datadog
           namespace = Ext::TELEMETRY_METRICS_NAMESPACE
           AppSec.telemetry.inc(namespace, 'rasp.rule.eval', 1, tags: tags)
-          AppSec.telemetry.inc(namespace, 'rasp.rule.match', 1, tags: tags) if result.match?
           AppSec.telemetry.inc(namespace, 'rasp.timeout', 1, tags: tags) if result.timeout?
+          if result.match?
+            blocked = result.actions.key?(ACTION_BLOCK) || result.actions.key?(ACTION_REDIRECT)
+            # NOTE: Mutates tags to avoid an extra hash allocation. Keep this the last .inc call.
+            tags[:block] = blocked ? BLOCK_SUCCESS : BLOCK_IRRELEVANT
+            AppSec.telemetry.inc(namespace, 'rasp.rule.match', 1, tags: tags)
+          end
         end
       end
     end

data/lib/datadog/appsec/monitor/gateway/watcher.rb CHANGED Viewed

@@ -26,6 +26,7 @@ module Datadog
             def watch_user_id(gateway = Instrumentation.gateway)
               gateway.watch('identity.set_user') do |stack, user|
                 context = AppSec.active_context
+                context.state[:has_identity_event] = true
                 if user.id.nil? && user.login.nil? && user.session_id.nil?
                   Datadog.logger.debug { 'AppSec: skipping WAF check because no user information was provided' }
@@ -57,6 +58,7 @@ module Datadog
             def watch_user_login(gateway = Instrumentation.gateway)
               gateway.watch('appsec.events.user_lifecycle') do |stack, kind|
                 context = AppSec.active_context
+                context.state[:has_identity_event] = true
                 next stack.call(kind) unless WATCHED_LOGIN_EVENTS.include?(kind)

data/lib/datadog/appsec/security_engine/runner.rb CHANGED Viewed

@@ -79,7 +79,7 @@ module Datadog
         def try_run(persistent_data, ephemeral_data, timeout)
           waf_context.run(persistent_data, ephemeral_data, timeout)
         rescue WAF::LibDDWAFError => e
-          Datadog.logger.debug { "#{@debug_tag} execution error: #{e} backtrace: #{e.backtrace&.first(3)}" }
+          Datadog.logger.debug { "#{@debug_tag} execution error: #{e.class}: #{e.message} backtrace: #{e.backtrace&.first(3)}" }
           AppSec.telemetry.report(e, description: 'libddwaf-rb internal low-level error')
           WAF::Result.new(

data/lib/datadog/appsec/trace_keeper.rb CHANGED Viewed

@@ -7,16 +7,28 @@ module Datadog
       def self.keep!(trace)
         return unless trace
+        previous_dm = trace.get_tag(Tracing::Metadata::Ext::Distributed::TAG_DECISION_MAKER)
         # NOTE: This action will not set correct decision maker value, so the
         #       trace keeping must be done with additional steps below
         trace.keep!
-        # Propagate to downstream services the information that
-        # the current distributed trace is containing at least one ASM event.
-        trace.set_tag(
-          Tracing::Metadata::Ext::Distributed::TAG_DECISION_MAKER,
-          Tracing::Sampling::Ext::Decision::ASM
-        )
+        # NOTE: Preserve decision maker if already set by another product.
+        #       As `trace.keep!` resets `_dd.p.dm` to `MANUAL`, we restore the
+        #       previous value when another product has already claimed the
+        #       decision maker.
+        if previous_dm.nil? || previous_dm == Tracing::Sampling::Ext::Decision::MANUAL
+          trace.set_tag(
+            Tracing::Metadata::Ext::Distributed::TAG_DECISION_MAKER,
+            Tracing::Sampling::Ext::Decision::ASM
+          )
+        else
+          trace.set_tag(
+            Tracing::Metadata::Ext::Distributed::TAG_DECISION_MAKER,
+            previous_dm,
+          )
+        end
         trace.set_distributed_source(Ext::PRODUCT_BIT)
       end
     end

data/lib/datadog/appsec/utils/http/media_type.rb CHANGED Viewed

@@ -68,8 +68,7 @@ module Datadog
                 name.downcase! # steep:ignore NoMethod
                 value.downcase!
-                # See https://github.com/soutaro/steep/issues/2051
-                parameters[name] = value # steep:ignore ArgumentTypeMismatch
+                parameters[name] = value
               end
             end

data/lib/datadog/appsec/utils/http/url_encoded.rb CHANGED Viewed

@@ -30,9 +30,9 @@ module Datadog
               #
               # @type var key: ::String
               # @type var value: ::String
-              key, value = pair.split('=', 2).map! do |value| #: ::String
-                CGI.unescape(value)
-              end
+              key, value = pair.split('=', 2).map! do |val|
+                CGI.unescape(val)
+              end #: [::String, ::String]
               if (stored = memo[key])
                 if stored.is_a?(Array)

data/lib/datadog/appsec.rb CHANGED Viewed

@@ -11,25 +11,21 @@ module Datadog
   module AppSec
     class << self
       def enabled?
-        Datadog.configuration.appsec.enabled
+        !!components.appsec
       end
       def rasp_enabled?
-        Datadog.configuration.appsec.rasp_enabled
+        # TODO this should take rasp_enabled flag from the settings in
+        # the appsec component rather than reading global configuration.
+        enabled? && Datadog.configuration.appsec.rasp_enabled
       end
       def active_context
         Datadog::AppSec::Context.active
       end
-      # NOTE:  This is a temporary workaround for type checking.
-      #
-      #        We want to move from possible nil-component to the disabled-component
-      #        on an initialization error. Technically, telemetry will be never
-      #        used if AppSec was not able to initialize, so it's safe to assume
-      #        that telemetry will never be used and will be nil at the same time.
       def telemetry
-        components.appsec&.telemetry || components.telemetry
+        components.telemetry
       end
       def security_engine

data/lib/datadog/core/configuration/base.rb CHANGED Viewed

@@ -24,9 +24,21 @@ module Datadog
           # e.g. `settings :foo { option :bar }` --> `config.foo.bar`
           # @param [Symbol] name option name. Methods will be created based on this name.
           def settings(name, &block)
-            settings_class = new_settings_class(name, &block)
-            option(name) do |o|
+            nested_settings_path = settings_path ? "#{settings_path}.#{name}" : name.to_s
+            settings_class = new_settings_class(name, nested_settings_path, &block)
+            # Record the child settings class on the owning class so
+            # Options::ClassMethods#settings_path= can later propagate any path
+            # changes down to nested settings classes.
+            #
+            # Example:
+            #   settings :cache_key { option :enabled }
+            # creates a child class whose initial settings_path is "cache_key".
+            # If a contrib integration later assigns the parent path to
+            # "tracing.active_support", settings_children lets us update the
+            # nested class to "tracing.active_support.cache_key" as well.
+            settings_children[name] = settings_class
+            option(name, is_settings: true) do |o|
               o.default { settings_class.new }
               o.resetter do |value|
@@ -40,9 +52,9 @@ module Datadog
           private
-          def new_settings_class(name, &block)
+          def new_settings_class(name, settings_path, &block)
             Class.new { include Configuration::Base }.tap do |klass|
-              klass.instance_variable_set(:@settings_name, name)
+              klass.instance_variable_set(:@settings_path, settings_path)
               klass.instance_eval(&block) if block
             end
           end