datadog 2.35.0 → 2.36.0

data/ext/datadog_profiling_native_extension/ruby_helpers.c

@@ -21,42 +21,40 @@ void ruby_helpers_init(void) {
   to_s_id = rb_intern("to_s");
 }
 
-// Internal helper for raising pre-formatted syserr exceptions
-static NORETURN(void private_raise_syserr_formatted(int syserr_errno, const char *detailed_message, const char *static_message)) {
-  VALUE exception = rb_syserr_new(syserr_errno, detailed_message);
-  private_raise_exception(exception, static_message);
-}
-
 // Use `raise_syserr` the macro instead, as it provides additional argument checks.
 void private_raise_syserr(int syserr_errno, const char *fmt, ...) {
-  FORMAT_VA_ERROR_MESSAGE(detailed_message, fmt);
-  private_raise_syserr_formatted(syserr_errno, detailed_message, fmt);
+  va_list args;
+  va_start(args, fmt);
+  VALUE detailed_message = rb_vsprintf(fmt, args);
+  va_end(args);
+
+  VALUE exception = rb_syserr_new_str(syserr_errno, detailed_message);
+  private_raise_exception(exception, fmt);
 }
 
 typedef struct {
   VALUE exception_class;
   int syserr_errno;
-  char exception_message[MAX_RAISE_MESSAGE_SIZE];
-  char telemetry_message[MAX_RAISE_MESSAGE_SIZE];
+  const char *format_string;
+  va_list va_args;
 } raise_args;
 
+// Called via rb_thread_call_with_gvl from private_grab_gvl_and_raise.
+// Formats the message with rb_vsprintf (which requires the GVL) and raises.
 static void *trigger_raise(void *raise_arguments) {
   raise_args *args = (raise_args *) raise_arguments;
 
+  VALUE detailed_message = rb_vsprintf(args->format_string, args->va_args);
+
+  VALUE exception;
   if (args->syserr_errno) {
-    private_raise_syserr_formatted(
-      args->syserr_errno,
-      args->exception_message,
-      args->telemetry_message
-    );
+    exception = rb_syserr_new_str(args->syserr_errno, detailed_message);
   } else {
-    private_raise_error_formatted(
-      args->exception_class,
-      args->exception_message,
-      args->telemetry_message
-    );
+    exception = rb_exc_new_str(args->exception_class, detailed_message);
   }
 
+  private_raise_exception(exception, args->format_string);
+
   return NULL;
 }
 
@@ -71,11 +69,17 @@ void private_grab_gvl_and_raise(VALUE exception_class, int syserr_errno, const c
     args.syserr_errno = 0;
   }
 
-  FORMAT_VA_ERROR_MESSAGE(formatted_exception_message, format_string);
-  snprintf(args.exception_message, MAX_RAISE_MESSAGE_SIZE, "%s", formatted_exception_message);
-  snprintf(args.telemetry_message, MAX_RAISE_MESSAGE_SIZE, "%s", format_string);
+  args.format_string = format_string;
+  va_start(args.va_args, format_string);
 
   if (is_current_thread_holding_the_gvl()) {
+    VALUE detailed_message = rb_vsprintf(format_string, args.va_args);
+    va_end(args.va_args);
+
+    VALUE wrapped_message = rb_sprintf(
+      "grab_gvl_and_raise called by thread holding the global VM lock: %"PRIsVALUE,
+      detailed_message
+    );
     char telemetry_message[MAX_RAISE_MESSAGE_SIZE];
     snprintf(
       telemetry_message,
@@ -83,20 +87,14 @@ void private_grab_gvl_and_raise(VALUE exception_class, int syserr_errno, const c
       "grab_gvl_and_raise called by thread holding the global VM lock: %s",
       format_string
     );
-    char exception_message[MAX_RAISE_MESSAGE_SIZE];
-    snprintf(
-      exception_message,
-      MAX_RAISE_MESSAGE_SIZE,
-      "grab_gvl_and_raise called by thread holding the global VM lock: %s",
-      args.exception_message
-    );
-    VALUE exception = rb_exc_new_cstr(rb_eRuntimeError, exception_message);
+    VALUE exception = rb_exc_new_str(rb_eRuntimeError, wrapped_message);
     private_raise_exception(exception, telemetry_message);
   }
 
   rb_thread_call_with_gvl(trigger_raise, &args);
 
-  rb_bug("[ddtrace] Unexpected: Reached the end of grab_gvl_and_raise while raising '%s'\n", args.exception_message);
+  va_end(args.va_args);
+  rb_bug("[ddtrace] Unexpected: Reached the end of grab_gvl_and_raise while raising '%s'\n", format_string);
 }
 
 void private_raise_enforce_syserr(
@@ -107,10 +105,11 @@ void private_raise_enforce_syserr(
   int line,
   const char *function_name
 ) {
+  const char *format = "Failure returned by '%s' at %s:%d:in `%s'";
   if (have_gvl) {
-    rb_exc_raise(rb_syserr_new_str(syserr_errno, rb_sprintf("Failure returned by '%s' at %s:%d:in `%s'", expression, file, line, function_name)));
+    private_raise_exception(rb_syserr_new_str(syserr_errno, rb_sprintf(format, expression, file, line, function_name)), format);
   } else {
-    private_grab_gvl_and_raise(Qnil, syserr_errno, "Failure returned by '%s' at %s:%d:in `%s'", expression, file, line, function_name);
+    private_grab_gvl_and_raise(Qnil, syserr_errno, format, expression, file, line, function_name);
   }
 }
 

data/ext/datadog_profiling_native_extension/stack_recorder.c

@@ -9,6 +9,7 @@
 #include "time_helpers.h"
 #include "heap_recorder.h"
 #include "encoded_profile.h"
+#include "collectors_thread_context.h"
 
 // Used to wrap a ddog_prof_Profile in a Ruby object and expose Ruby-level serialization APIs
 // This file implements the native bits of the Datadog::Profiling::StackRecorder class
@@ -177,6 +178,10 @@ typedef struct {
   heap_recorder *heap_recorder;
   bool heap_clean_after_gc_enabled;
 
+  // When set, _native_serialize will call thread_context_collector_on_serialize on this instance
+  // before serializing, so that threads suspended across the whole profile period still get sampled.
+  VALUE thread_context_collector_instance;
+
   pthread_mutex_t mutex_slot_one;
   profile_slot profile_slot_one;
   pthread_mutex_t mutex_slot_two;
@@ -320,6 +325,7 @@ static VALUE _native_new(VALUE klass) {
   // being leaked.
 
   state->heap_clean_after_gc_enabled = false;
+  state->thread_context_collector_instance = Qnil;
 
   ddog_prof_Slice_SampleType sample_types = {.ptr = all_sample_types, .len = ALL_VALUE_TYPES_COUNT};
 
@@ -391,6 +397,7 @@ static void initialize_profiles(stack_recorder_state *state, ddog_prof_Slice_Sam
 static void stack_recorder_typed_data_mark(void *state_ptr) {
   stack_recorder_state *state = (stack_recorder_state *) state_ptr;
 
+  rb_gc_mark(state->thread_context_collector_instance);
   heap_recorder_mark_pending_recordings(state->heap_recorder);
 }
 
@@ -515,12 +522,16 @@ static VALUE _native_serialize(DDTRACE_UNUSED VALUE _self, VALUE recorder_instan
   TypedData_Get_Struct(recorder_instance, stack_recorder_state, &stack_recorder_typed_data, state);
 
   ddog_Timespec finish_timestamp = system_epoch_now_timespec();
-  // Need to do this while still holding on to the Global VM Lock; see comments on method for why
+  // Need to do this while still holding the Global VM Lock; see comments on method for why
   serializer_set_start_timestamp_for_next_profile(state, finish_timestamp);
 
+  if (state->thread_context_collector_instance != Qnil) {
+    thread_context_collector_on_serialize(state->thread_context_collector_instance);
+  }
+
   long heap_iteration_prep_start_time_ns = monotonic_wall_time_now_ns(DO_NOT_RAISE_ON_FAILURE);
   // Prepare the iteration on heap recorder we'll be doing outside the GVL. The preparation needs to
-  // happen while holding on to the GVL.
+  // happen while holding the GVL.
   // NOTE: While rare, it's possible for the GVL to be released inside this function (see comments on `heap_recorder_update`)
   // and thus don't assume this is an "atomic" step -- other threads may get some running time in the meanwhile.
   heap_recorder_prepare_iteration(state->heap_recorder);
@@ -548,7 +559,7 @@ static VALUE _native_serialize(DDTRACE_UNUSED VALUE _self, VALUE recorder_instan
     rb_thread_call_without_gvl2(call_serialize_without_gvl, &args, NULL /* No interruption function needed in this case */, NULL /* Not needed */);
   }
 
-  // Cleanup after heap recorder iteration. This needs to happen while holding on to the GVL.
+  // Cleanup after heap recorder iteration. This needs to happen while holding the GVL.
   heap_recorder_finish_iteration(state->heap_recorder);
 
   // NOTE: We are focusing on the serialization time outside of the GVL in this stat here. This doesn't
@@ -894,6 +905,9 @@ static ddog_Timespec system_epoch_now_timespec(void) {
 //
 // Assumption: This method gets called BEFORE restarting profiling -- e.g. there are no components attempting to
 // trigger samples at the same time.
+//
+// Note that tests call this method directly in the same process without forking,
+// and in such a case non-current Threads keep running.
 static VALUE _native_reset_after_fork(DDTRACE_UNUSED VALUE self, VALUE recorder_instance) {
   stack_recorder_state *state;
   TypedData_Get_Struct(recorder_instance, stack_recorder_state, &stack_recorder_typed_data, state);
@@ -1147,3 +1161,10 @@ static VALUE _native_finalize_pending_heap_recordings(DDTRACE_UNUSED VALUE _self
 
   return Qtrue;
 }
+
+void recorder_install_on_serialize(VALUE recorder_instance, VALUE thread_context_collector_instance) {
+  stack_recorder_state *state;
+  TypedData_Get_Struct(recorder_instance, stack_recorder_state, &stack_recorder_typed_data, state);
+
+  state->thread_context_collector_instance = enforce_thread_context_collector_instance(thread_context_collector_instance);
+}

data/ext/datadog_profiling_native_extension/stack_recorder.h

@@ -29,4 +29,5 @@ void record_endpoint(VALUE recorder_instance, uint64_t local_root_span_id, ddog_
 __attribute__((warn_unused_result)) bool track_object(VALUE recorder_instance, VALUE new_object, unsigned int sample_weight, ddog_CharSlice alloc_class);
 void recorder_after_sample(VALUE recorder_instance);
 void recorder_after_gc_step(VALUE recorder_instance);
+void recorder_install_on_serialize(VALUE recorder_instance, VALUE thread_context_collector_instance);
 VALUE enforce_recorder_instance(VALUE object);

data/ext/datadog_profiling_native_extension/unsafe_api_calls_check.h

@@ -4,7 +4,7 @@
 //
 // Specifically, when the profiler is sampling, we're never supposed to call into Ruby code (e.g. methods
 // implemented using Ruby code) or allocate Ruby objects.
-// That's because those events introduce thread switch points, and really we don't the VM switching between threads
+// That's because those events introduce thread switch points, and really we don't want the VM switching between threads
 // in the middle of the profiler sampling. This includes raising exceptions.
 //
 // Raising exceptions as the very last operation, to stop the profiler is ok, but comes a caveat: raising exceptions
@@ -18,10 +18,12 @@
 // in most (all?) thread switch points, Ruby will check for interrupts and run the postponed jobs.
 //
 // Thus, if we set a flag while we're sampling (inside_unsafe_context), trigger the postponed job, and then only unset
-// the flag after sampling, he correct thing to happen is that the postponed job should never see the flag.
+// the flag after sampling, the correct thing to happen is that the postponed job should never see the flag.
 //
 // If, however, we have a bug and there's a thread switch point, our postponed job will see the flag and immediately
 // stop the Ruby VM before further damage happens (and hopefully giving us a stack trace clearly pointing to the culprit).
+//
+// Note that this check currently does not detect Ruby object allocations, as those do not check for interrupts.
 
 void unsafe_api_calls_check_init(void);
 

data/ext/libdatadog_api/datadog_ruby_common.c

@@ -29,16 +29,15 @@ void private_raise_exception(VALUE exception, const char *static_message) {
   rb_exc_raise(exception);
 }
 
-// Helper for raising pre-formatted exceptions
-void private_raise_error_formatted(VALUE exception_class, const char *detailed_message, const char *static_message) {
-  VALUE exception = rb_exc_new_cstr(exception_class, detailed_message);
-  private_raise_exception(exception, static_message);
-}
-
 // Use `raise_error` the macro instead, as it provides additional argument checks.
 void private_raise_error(VALUE exception_class, const char *fmt, ...) {
-  FORMAT_VA_ERROR_MESSAGE(detailed_message, fmt);
-  private_raise_error_formatted(exception_class, detailed_message, fmt);
+  va_list args;
+  va_start(args, fmt);
+  VALUE detailed_message = rb_vsprintf(fmt, args);
+  va_end(args);
+
+  VALUE exception = rb_exc_new_str(exception_class, detailed_message);
+  private_raise_exception(exception, fmt);
 }
 
 VALUE datadog_gem_version(void) {

data/ext/libdatadog_api/datadog_ruby_common.h

@@ -47,11 +47,6 @@ NORETURN(
   __attribute__ ((format (printf, 2, 3)));
 );
 
-// Internal helper for raising pre-formatted exceptions
-NORETURN(
-  void private_raise_error_formatted(VALUE exception_class, const char *detailed_message, const char *static_message)
-);
-
 // Raises an exception with separate telemetry-safe and detailed messages.
 // NOTE: Raising an exception always invokes Ruby code so it requires the GVL and is not compatible with "debug_enter_unsafe_context".
 // @see debug_enter_unsafe_context
@@ -61,13 +56,6 @@ NORETURN(
 
 #define MAX_RAISE_MESSAGE_SIZE 256
 
-#define FORMAT_VA_ERROR_MESSAGE(buf, fmt) \
-  char buf[MAX_RAISE_MESSAGE_SIZE]; \
-  va_list buf##_args; \
-  va_start(buf##_args, fmt); \
-  vsnprintf(buf, MAX_RAISE_MESSAGE_SIZE, fmt, buf##_args); \
-  va_end(buf##_args);
-
 // Helper to retrieve Datadog::VERSION::STRING
 VALUE datadog_gem_version(void);
 

data/ext/libdatadog_extconf_helpers.rb

@@ -10,7 +10,7 @@ module Datadog
   module LibdatadogExtconfHelpers
     # Used to make sure the correct gem version gets loaded, as extconf.rb does not get run with "bundle exec" and thus
     # may see multiple libdatadog versions. See https://github.com/DataDog/dd-trace-rb/pull/2531 for the horror story.
-    LIBDATADOG_VERSION = '~> 33.0.0.1.0'
+    LIBDATADOG_VERSION = '~> 35.0.0.1.0'
 
     # Used as an workaround for a limitation with how dynamic linking works in environments where the datadog gem and
     # libdatadog are moved after the extension gets compiled.

data/lib/datadog/appsec/api_security/route_extractor.rb

@@ -50,6 +50,12 @@ module Datadog
         #          In Rails < 7.1 it also will not be set even if a route was found,
         #          but in this case `action_dispatch.request.path_parameters` won't be empty.
         def self.route_pattern(request)
+          # NOTE: Requests from contribs like AWS Lambda don't provide a usable
+          #       `::Rack::Request#env`, so infer the route from the path instead
+          unless request.respond_to?(:env)
+            return Tracing::Contrib::Rack::RouteInference.infer(request.path.to_s)
+          end
+
           if request.env.key?(GRAPE_ROUTE_KEY)
             pattern = request.env[GRAPE_ROUTE_KEY][:route_info]&.pattern&.origin
             "#{request.script_name}#{pattern}"

data/lib/datadog/appsec/component.rb

@@ -22,7 +22,7 @@ module Datadog
             return
           end
 
-          if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('3.3') && ffi_version < Gem::Version.new('1.16.0')
+          if RubyVersion.is?('>= 3.3') && ffi_version < Gem::Version.new('1.16.0')
             Datadog.logger.warn(
               'AppSec is not supported in Ruby versions above 3.3.0 when using `ffi` versions older than 1.16.0, ' \
               'and will be forcibly disabled due to a memory leak in `ffi`. ' \

data/lib/datadog/appsec/configuration.rb

@@ -134,6 +134,13 @@ module Datadog
                 end
               end
 
+              # NOTE: A value of 0 (or less) disables request body collection
+              option :body_parsing_size_limit do |o|
+                o.type :int
+                o.env 'DD_APPSEC_BODY_PARSING_SIZE_LIMIT' # bytes
+                o.default 10_485_760
+              end
+
               option :waf_debug do |o|
                 o.env 'DD_APPSEC_WAF_DEBUG'
                 o.default false

data/lib/datadog/appsec/contrib/aws_lambda/waf_addresses.rb

@@ -15,6 +15,10 @@ module Datadog
         # Extracts WAF input addresses from normalized AWS Lambda API Gateway event payloads.
         # @api private
         module WAFAddresses
+          BASE64_CHARS_PER_GROUP = 4
+          BASE64_BYTES_PER_GROUP = 3
+          BASE64_PADDING_BYTE = "=".ord
+
           module_function
 
           def from_request(payload)
@@ -27,10 +31,11 @@ module Datadog
               'server.request.uri.raw' => build_fullpath(payload),
               'server.request.headers' => headers,
               'server.request.headers.no_cookies' => headers.dup.tap { |h| h.delete('cookie') },
-              'http.client_ip' => extract_client_ip(payload['source_ip'], headers),
               'server.request.method' => payload['method'],
               'server.request.body' => parse_body(payload, headers),
-              'server.request.path_params' => payload['path_params']
+              'server.request.body.byte_length' => body_byte_length(payload),
+              'server.request.path_params' => payload['path_params'],
+              'http.client_ip' => extract_client_ip(payload['source_ip'], headers)
             }
 
             data.compact!
@@ -44,7 +49,9 @@ module Datadog
             data = {
               'server.response.status' => payload['status_code']&.to_s,
               'server.response.headers' => headers,
-              'server.response.headers.no_cookies' => headers.dup.tap { |h| h.delete('set-cookie') }
+              'server.response.headers.no_cookies' => headers.dup.tap { |h| h.delete('set-cookie') },
+              'server.response.body' => parse_body(payload, headers),
+              'server.response.body.byte_length' => body_byte_length(payload)
             }
 
             data.compact!
@@ -94,7 +101,9 @@ module Datadog
             body = payload['body']
             return unless body
 
-            body = Core::Utils::Base64Codec.strict_decode64(body) if payload['base64_encoded']
+            if (byte_length = body_byte_length(payload))
+              return if byte_length > Datadog.configuration.appsec.body_parsing_size_limit
+            end
 
             content_type = headers['content-type']
             return unless content_type
@@ -102,7 +111,31 @@ module Datadog
             media_type = AppSec::Utils::HTTP::MediaType.parse(content_type)
             return unless media_type
 
+            body = Core::Utils::Base64Codec.strict_decode64(body) if payload['base64_encoded']
             AppSec::Utils::HTTP::Body.parse(body, media_type: media_type)
+          rescue ArgumentError => e
+            AppSec.telemetry.report(e, description: 'AppSec: Failed to decode base64 body')
+
+            nil
+          end
+
+          def body_byte_length(payload)
+            body = payload['body']
+
+            return unless body
+            return body.bytesize unless payload['base64_encoded']
+
+            # NOTE: Base64 packs every 3 bytes into 4 characters and pads the last
+            #       group with up to two "=" bytes. The decoded length is therefore
+            #       derivable from the encoded length, letting us measure the raw
+            #       body size without allocating the decoded string.
+            padding = 0
+            if body.getbyte(-1) == BASE64_PADDING_BYTE
+              padding = 1
+              padding = 2 if body.getbyte(-2) == BASE64_PADDING_BYTE
+            end
+
+            body.bytesize / BASE64_CHARS_PER_GROUP * BASE64_BYTES_PER_GROUP - padding
           end
         end
       end

data/lib/datadog/appsec/contrib/graphql/gateway/multiplex.rb

@@ -50,38 +50,83 @@ module Datadog
                 selected_operation = query.selected_operation
                 next unless selected_operation
 
-                arguments_from_selections(selected_operation.selections, query.variables, args_hash)
+                arguments_from_selections(selected_operation.selections, query.variables, args_hash, query.fragments)
               end
             end
 
-            def arguments_from_selections(selections, query_variables, args_hash)
+            def arguments_from_selections(selections, query_variables, args_hash, fragments, visited_fragments = {})
               selections.each do |selection|
-                # rubocop:disable Style/ClassEqualityComparison
-                next unless selection.class.name == Integration::AST_NODE_CLASS_NAMES[:field]
-                # rubocop:enable Style/ClassEqualityComparison
-
-                selection_name = selection.alias || selection.name
-
-                if !selection.arguments.empty? || !selection.directives.empty?
-                  args_hash[selection_name] ||= []
-                  args_hash[selection_name] <<
-                    arguments_hash(selection.arguments, query_variables).merge!(
-                      arguments_from_directives(selection.directives, query_variables)
-                    )
+                case selection
+                when ::GraphQL::Language::Nodes::FragmentSpread
+                  fragment_name = selection.name
+                  append_arguments(
+                    args_hash, fragment_name, nil, arguments_from_directives(selection.directives, query_variables)
+                  )
+
+                  next if visited_fragments[fragment_name]
+
+                  fragment = fragments[fragment_name]
+                  next unless fragment
+
+                  append_arguments(
+                    args_hash, fragment_name, nil, arguments_from_directives(fragment.directives, query_variables)
+                  )
+
+                  visited_fragments[fragment_name] = true
+                  arguments_from_selections(
+                    fragment.selections, query_variables, args_hash, fragments, visited_fragments
+                  )
+                  visited_fragments.delete(fragment_name)
+                when ::GraphQL::Language::Nodes::Field
+                  selection_name = selection.alias || selection.name
+                  field_arguments = arguments_hash(selection.arguments, query_variables) unless selection.arguments.empty?
+                  append_arguments(
+                    args_hash,
+                    selection_name,
+                    field_arguments,
+                    arguments_from_directives(selection.directives, query_variables)
+                  )
+
+                  arguments_from_selections(
+                    selection.selections, query_variables, args_hash, fragments, visited_fragments
+                  )
+                when ::GraphQL::Language::Nodes::InlineFragment
+                  append_arguments(
+                    args_hash, selection.type.name, nil, arguments_from_directives(selection.directives, query_variables)
+                  )
+
+                  arguments_from_selections(
+                    selection.selections, query_variables, args_hash, fragments, visited_fragments
+                  )
                 end
+              end
+            end
 
-                arguments_from_selections(selection.selections, query_variables, args_hash)
+            def append_arguments(args_hash, selection_name, arguments, directive_arguments)
+              combined_arguments = if arguments
+                arguments.merge!(directive_arguments) if directive_arguments
+                arguments
+              else
+                directive_arguments
               end
+              return unless combined_arguments
+
+              args_hash[selection_name] ||= []
+              args_hash[selection_name] << combined_arguments
             end
 
             def arguments_from_directives(directives, query_variables)
-              directives.each_with_object({}) do |directive, args_hash|
-                # rubocop:disable Style/ClassEqualityComparison
-                next unless directive.class.name == Integration::AST_NODE_CLASS_NAMES[:directive]
-                # rubocop:enable Style/ClassEqualityComparison
+              return if directives.empty?
+
+              directive_arguments = directives.each_with_object({}) do |directive, args_hash|
+                next unless directive.is_a?(::GraphQL::Language::Nodes::Directive)
 
                 args_hash[directive.name] = arguments_hash(directive.arguments, query_variables)
               end
+
+              return if directive_arguments.empty?
+
+              directive_arguments
             end
 
             def arguments_hash(arguments, query_variables)

data/lib/datadog/appsec/contrib/graphql/integration.rb

@@ -16,6 +16,7 @@ module Datadog
           AST_NODE_CLASS_NAMES = {
             field: 'GraphQL::Language::Nodes::Field',
             directive: 'GraphQL::Language::Nodes::Directive',
+            fragment_spread: 'GraphQL::Language::Nodes::FragmentSpread',
             variable_identifier: 'GraphQL::Language::Nodes::VariableIdentifier',
             input_object: 'GraphQL::Language::Nodes::InputObject',
           }.freeze

data/lib/datadog/appsec/contrib/rack/buffered_input.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module Contrib
+      module Rack
+        # Wraps a `rack.input` stream with a buffer placed in front of it.
+        # Every read drains the buffer first, then continues from the stream
+        #
+        # NOTE: Forward-only: no rewind, no seek
+        #
+        # NOTE: Rack 3 dropped the rewind requirement from the input stream contract
+        # @see https://github.com/rack/rack/blob/v3.2.6/SPEC.rdoc
+        class BufferedInput
+          # NOTE: Rack's multipart parser reads in 1 MiB chunks, used to bound
+          #       {#each} the same way
+          # @see https://github.com/rack/rack/blob/v3.2.6/lib/rack/multipart/parser.rb#L54
+          READ_BUFSIZE_BYTES = 1_048_576
+
+          def initialize(stream, buffer:)
+            @stream = stream
+            @buffer = buffer
+          end
+
+          def read(length = nil, outbuf = nil)
+            if length.nil?
+              data = @buffer.read(nil, outbuf) || +''
+              more = @stream.read
+
+              data << more if more
+
+              return data
+            end
+
+            data = @buffer.read(length, outbuf)
+
+            if data.nil?
+              more = @stream.read(length, outbuf)
+              return more if more && !more.empty?
+
+              # NOTE: Match `IO#read(length, outbuf)` at EOF. Return nil and clear
+              #       the caller's buffer so stale bytes are not mistaken for data
+              outbuf&.clear
+              return
+            end
+
+            remaining = length - data.bytesize
+            return data if remaining <= 0
+
+            more = @stream.read(remaining)
+            data << more if more
+
+            data
+          end
+
+          def gets
+            line = @buffer.gets
+
+            return @stream.gets if line.nil?
+            return line if line.end_with?("\n")
+
+            more = @stream.gets
+            more ? (line << more) : line
+          end
+
+          def each
+            while (chunk = read(READ_BUFSIZE_BYTES))
+              yield chunk
+            end
+
+            self
+          end
+
+          def close
+            @buffer.close
+          ensure
+            @stream.close
+          end
+        end
+      end
+    end
+  end
+end