datadog 2.7.1 → 2.18.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +353 -1
- data/ext/datadog_profiling_native_extension/clock_id.h +2 -2
- data/ext/datadog_profiling_native_extension/collectors_cpu_and_wall_time_worker.c +78 -102
- data/ext/datadog_profiling_native_extension/collectors_discrete_dynamic_sampler.c +1 -1
- data/ext/datadog_profiling_native_extension/collectors_discrete_dynamic_sampler.h +1 -1
- data/ext/datadog_profiling_native_extension/collectors_idle_sampling_helper.c +16 -16
- data/ext/datadog_profiling_native_extension/collectors_stack.c +235 -57
- data/ext/datadog_profiling_native_extension/collectors_stack.h +21 -5
- data/ext/datadog_profiling_native_extension/collectors_thread_context.c +376 -156
- data/ext/datadog_profiling_native_extension/collectors_thread_context.h +1 -0
- data/ext/datadog_profiling_native_extension/datadog_ruby_common.c +1 -4
- data/ext/datadog_profiling_native_extension/datadog_ruby_common.h +10 -0
- data/ext/datadog_profiling_native_extension/encoded_profile.c +79 -0
- data/ext/datadog_profiling_native_extension/encoded_profile.h +8 -0
- data/ext/datadog_profiling_native_extension/extconf.rb +14 -8
- data/ext/datadog_profiling_native_extension/gvl_profiling_helper.c +2 -0
- data/ext/datadog_profiling_native_extension/gvl_profiling_helper.h +0 -8
- data/ext/datadog_profiling_native_extension/heap_recorder.c +295 -532
- data/ext/datadog_profiling_native_extension/heap_recorder.h +6 -8
- data/ext/datadog_profiling_native_extension/http_transport.c +64 -98
- data/ext/datadog_profiling_native_extension/libdatadog_helpers.c +22 -0
- data/ext/datadog_profiling_native_extension/libdatadog_helpers.h +8 -5
- data/ext/datadog_profiling_native_extension/private_vm_api_access.c +69 -1
- data/ext/datadog_profiling_native_extension/private_vm_api_access.h +16 -4
- data/ext/datadog_profiling_native_extension/profiling.c +19 -8
- data/ext/datadog_profiling_native_extension/ruby_helpers.c +9 -21
- data/ext/datadog_profiling_native_extension/ruby_helpers.h +2 -10
- data/ext/datadog_profiling_native_extension/stack_recorder.c +231 -181
- data/ext/datadog_profiling_native_extension/stack_recorder.h +2 -2
- data/ext/datadog_profiling_native_extension/time_helpers.h +1 -1
- data/ext/datadog_profiling_native_extension/unsafe_api_calls_check.c +47 -0
- data/ext/datadog_profiling_native_extension/unsafe_api_calls_check.h +31 -0
- data/ext/libdatadog_api/crashtracker.c +17 -15
- data/ext/libdatadog_api/crashtracker.h +5 -0
- data/ext/libdatadog_api/datadog_ruby_common.c +1 -4
- data/ext/libdatadog_api/datadog_ruby_common.h +10 -0
- data/ext/libdatadog_api/extconf.rb +2 -2
- data/ext/libdatadog_api/init.c +15 -0
- data/ext/libdatadog_api/library_config.c +164 -0
- data/ext/libdatadog_api/library_config.h +25 -0
- data/ext/libdatadog_api/macos_development.md +3 -3
- data/ext/libdatadog_api/process_discovery.c +112 -0
- data/ext/libdatadog_api/process_discovery.h +5 -0
- data/ext/libdatadog_extconf_helpers.rb +2 -2
- data/lib/datadog/appsec/actions_handler/serializable_backtrace.rb +89 -0
- data/lib/datadog/appsec/actions_handler.rb +49 -0
- data/lib/datadog/appsec/anonymizer.rb +16 -0
- data/lib/datadog/appsec/api_security/lru_cache.rb +56 -0
- data/lib/datadog/appsec/api_security/route_extractor.rb +65 -0
- data/lib/datadog/appsec/api_security/sampler.rb +59 -0
- data/lib/datadog/appsec/api_security.rb +23 -0
- data/lib/datadog/appsec/assets/waf_rules/README.md +50 -5
- data/lib/datadog/appsec/assets/waf_rules/recommended.json +623 -253
- data/lib/datadog/appsec/assets/waf_rules/strict.json +69 -107
- data/lib/datadog/appsec/autoload.rb +1 -1
- data/lib/datadog/appsec/component.rb +49 -65
- data/lib/datadog/appsec/compressed_json.rb +40 -0
- data/lib/datadog/appsec/configuration/settings.rb +212 -27
- data/lib/datadog/appsec/context.rb +74 -0
- data/lib/datadog/appsec/contrib/active_record/instrumentation.rb +92 -0
- data/lib/datadog/appsec/contrib/active_record/integration.rb +41 -0
- data/lib/datadog/appsec/contrib/active_record/patcher.rb +101 -0
- data/lib/datadog/appsec/contrib/auto_instrument.rb +1 -1
- data/lib/datadog/appsec/contrib/devise/configuration.rb +52 -0
- data/lib/datadog/appsec/contrib/devise/data_extractor.rb +78 -0
- data/lib/datadog/appsec/contrib/devise/ext.rb +22 -0
- data/lib/datadog/appsec/contrib/devise/integration.rb +1 -2
- data/lib/datadog/appsec/contrib/devise/patcher.rb +33 -25
- data/lib/datadog/appsec/contrib/devise/patches/signin_tracking_patch.rb +102 -0
- data/lib/datadog/appsec/contrib/devise/patches/signup_tracking_patch.rb +69 -0
- data/lib/datadog/appsec/contrib/devise/{patcher/rememberable_patch.rb → patches/skip_signin_tracking_patch.rb} +3 -3
- data/lib/datadog/appsec/contrib/devise/tracking_middleware.rb +106 -0
- data/lib/datadog/appsec/contrib/excon/integration.rb +41 -0
- data/lib/datadog/appsec/contrib/excon/patcher.rb +28 -0
- data/lib/datadog/appsec/contrib/excon/ssrf_detection_middleware.rb +42 -0
- data/lib/datadog/appsec/contrib/faraday/connection_patch.rb +22 -0
- data/lib/datadog/appsec/contrib/faraday/integration.rb +42 -0
- data/lib/datadog/appsec/contrib/faraday/patcher.rb +53 -0
- data/lib/datadog/appsec/contrib/faraday/rack_builder_patch.rb +22 -0
- data/lib/datadog/appsec/contrib/faraday/ssrf_detection_middleware.rb +41 -0
- data/lib/datadog/appsec/contrib/graphql/appsec_trace.rb +1 -7
- data/lib/datadog/appsec/contrib/graphql/gateway/watcher.rb +17 -30
- data/lib/datadog/appsec/contrib/graphql/integration.rb +1 -1
- data/lib/datadog/appsec/contrib/graphql/patcher.rb +0 -3
- data/lib/datadog/appsec/contrib/rack/ext.rb +34 -0
- data/lib/datadog/appsec/contrib/rack/gateway/response.rb +3 -3
- data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb +78 -98
- data/lib/datadog/appsec/contrib/rack/integration.rb +1 -1
- data/lib/datadog/appsec/contrib/rack/patcher.rb +0 -3
- data/lib/datadog/appsec/contrib/rack/request_body_middleware.rb +10 -11
- data/lib/datadog/appsec/contrib/rack/request_middleware.rb +73 -78
- data/lib/datadog/appsec/contrib/rails/gateway/watcher.rb +16 -33
- data/lib/datadog/appsec/contrib/rails/integration.rb +1 -1
- data/lib/datadog/appsec/contrib/rails/patcher.rb +25 -38
- data/lib/datadog/appsec/contrib/rest_client/integration.rb +45 -0
- data/lib/datadog/appsec/contrib/rest_client/patcher.rb +28 -0
- data/lib/datadog/appsec/contrib/rest_client/request_ssrf_detection_patch.rb +38 -0
- data/lib/datadog/appsec/contrib/sinatra/gateway/watcher.rb +31 -68
- data/lib/datadog/appsec/contrib/sinatra/integration.rb +1 -1
- data/lib/datadog/appsec/contrib/sinatra/patcher.rb +5 -31
- data/lib/datadog/appsec/event.rb +96 -135
- data/lib/datadog/appsec/ext.rb +12 -3
- data/lib/datadog/appsec/instrumentation/gateway/argument.rb +7 -2
- data/lib/datadog/appsec/instrumentation/gateway/middleware.rb +24 -0
- data/lib/datadog/appsec/instrumentation/gateway.rb +17 -22
- data/lib/datadog/appsec/metrics/collector.rb +38 -0
- data/lib/datadog/appsec/metrics/exporter.rb +35 -0
- data/lib/datadog/appsec/metrics/telemetry.rb +23 -0
- data/lib/datadog/appsec/metrics.rb +13 -0
- data/lib/datadog/appsec/monitor/gateway/watcher.rb +52 -32
- data/lib/datadog/appsec/processor/rule_loader.rb +30 -36
- data/lib/datadog/appsec/remote.rb +31 -57
- data/lib/datadog/appsec/response.rb +19 -85
- data/lib/datadog/appsec/security_engine/engine.rb +194 -0
- data/lib/datadog/appsec/security_engine/result.rb +67 -0
- data/lib/datadog/appsec/security_engine/runner.rb +87 -0
- data/lib/datadog/appsec/security_engine.rb +9 -0
- data/lib/datadog/appsec/security_event.rb +39 -0
- data/lib/datadog/appsec/utils.rb +0 -2
- data/lib/datadog/appsec.rb +22 -12
- data/lib/datadog/auto_instrument.rb +3 -0
- data/lib/datadog/core/buffer/random.rb +18 -2
- data/lib/datadog/core/configuration/agent_settings.rb +52 -0
- data/lib/datadog/core/configuration/agent_settings_resolver.rb +4 -18
- data/lib/datadog/core/configuration/agentless_settings_resolver.rb +176 -0
- data/lib/datadog/core/configuration/components.rb +74 -32
- data/lib/datadog/core/configuration/components_state.rb +23 -0
- data/lib/datadog/core/configuration/ext.rb +5 -1
- data/lib/datadog/core/configuration/option.rb +81 -45
- data/lib/datadog/core/configuration/option_definition.rb +6 -4
- data/lib/datadog/core/configuration/options.rb +3 -3
- data/lib/datadog/core/configuration/settings.rb +121 -50
- data/lib/datadog/core/configuration/stable_config.rb +22 -0
- data/lib/datadog/core/configuration.rb +43 -11
- data/lib/datadog/{tracing → core}/contrib/rails/utils.rb +1 -3
- data/lib/datadog/core/crashtracking/component.rb +4 -13
- data/lib/datadog/core/crashtracking/tag_builder.rb +4 -22
- data/lib/datadog/core/diagnostics/environment_logger.rb +1 -1
- data/lib/datadog/core/encoding.rb +17 -1
- data/lib/datadog/core/environment/agent_info.rb +78 -0
- data/lib/datadog/core/environment/cgroup.rb +10 -12
- data/lib/datadog/core/environment/container.rb +38 -40
- data/lib/datadog/core/environment/ext.rb +6 -6
- data/lib/datadog/core/environment/git.rb +1 -0
- data/lib/datadog/core/environment/identity.rb +3 -3
- data/lib/datadog/core/environment/platform.rb +3 -3
- data/lib/datadog/core/environment/variable_helpers.rb +1 -1
- data/lib/datadog/core/error.rb +11 -9
- data/lib/datadog/core/logger.rb +2 -2
- data/lib/datadog/core/metrics/client.rb +27 -27
- data/lib/datadog/core/metrics/logging.rb +5 -5
- data/lib/datadog/core/process_discovery/tracer_memfd.rb +15 -0
- data/lib/datadog/core/process_discovery.rb +36 -0
- data/lib/datadog/core/rate_limiter.rb +4 -2
- data/lib/datadog/core/remote/client/capabilities.rb +6 -0
- data/lib/datadog/core/remote/client.rb +107 -92
- data/lib/datadog/core/remote/component.rb +18 -19
- data/lib/datadog/core/remote/configuration/digest.rb +7 -7
- data/lib/datadog/core/remote/configuration/path.rb +1 -1
- data/lib/datadog/core/remote/configuration/repository.rb +14 -1
- data/lib/datadog/core/remote/negotiation.rb +9 -9
- data/lib/datadog/core/remote/transport/config.rb +4 -3
- data/lib/datadog/core/remote/transport/http/api.rb +13 -18
- data/lib/datadog/core/remote/transport/http/client.rb +5 -4
- data/lib/datadog/core/remote/transport/http/config.rb +27 -55
- data/lib/datadog/core/remote/transport/http/negotiation.rb +8 -51
- data/lib/datadog/core/remote/transport/http.rb +25 -94
- data/lib/datadog/core/remote/transport/negotiation.rb +17 -4
- data/lib/datadog/core/remote/worker.rb +10 -7
- data/lib/datadog/core/runtime/metrics.rb +12 -5
- data/lib/datadog/core/tag_builder.rb +56 -0
- data/lib/datadog/core/telemetry/component.rb +84 -49
- data/lib/datadog/core/telemetry/emitter.rb +23 -11
- data/lib/datadog/core/telemetry/event/app_client_configuration_change.rb +66 -0
- data/lib/datadog/core/telemetry/event/app_closing.rb +18 -0
- data/lib/datadog/core/telemetry/event/app_dependencies_loaded.rb +33 -0
- data/lib/datadog/core/telemetry/event/app_heartbeat.rb +18 -0
- data/lib/datadog/core/telemetry/event/app_integrations_change.rb +58 -0
- data/lib/datadog/core/telemetry/event/app_started.rb +269 -0
- data/lib/datadog/core/telemetry/event/base.rb +40 -0
- data/lib/datadog/core/telemetry/event/distributions.rb +18 -0
- data/lib/datadog/core/telemetry/event/generate_metrics.rb +43 -0
- data/lib/datadog/core/telemetry/event/log.rb +76 -0
- data/lib/datadog/core/telemetry/event/message_batch.rb +42 -0
- data/lib/datadog/core/telemetry/event/synth_app_client_configuration_change.rb +43 -0
- data/lib/datadog/core/telemetry/event.rb +17 -383
- data/lib/datadog/core/telemetry/ext.rb +1 -0
- data/lib/datadog/core/telemetry/http/adapters/net.rb +12 -97
- data/lib/datadog/core/telemetry/logger.rb +5 -4
- data/lib/datadog/core/telemetry/logging.rb +12 -6
- data/lib/datadog/core/telemetry/metric.rb +28 -6
- data/lib/datadog/core/telemetry/request.rb +4 -4
- data/lib/datadog/core/telemetry/transport/http/api.rb +43 -0
- data/lib/datadog/core/telemetry/transport/http/client.rb +49 -0
- data/lib/datadog/core/telemetry/transport/http/telemetry.rb +92 -0
- data/lib/datadog/core/telemetry/transport/http.rb +63 -0
- data/lib/datadog/core/telemetry/transport/telemetry.rb +51 -0
- data/lib/datadog/core/telemetry/worker.rb +128 -25
- data/lib/datadog/core/transport/http/adapters/net.rb +17 -2
- data/lib/datadog/core/transport/http/adapters/test.rb +2 -1
- data/lib/datadog/core/transport/http/adapters/unix_socket.rb +1 -1
- data/lib/datadog/{tracing → core}/transport/http/api/instance.rb +18 -1
- data/lib/datadog/core/transport/http/api/spec.rb +36 -0
- data/lib/datadog/{tracing → core}/transport/http/builder.rb +53 -31
- data/lib/datadog/core/transport/http/env.rb +8 -0
- data/lib/datadog/core/transport/http.rb +75 -0
- data/lib/datadog/core/transport/response.rb +4 -0
- data/lib/datadog/core/utils/at_fork_monkey_patch.rb +6 -6
- data/lib/datadog/core/utils/duration.rb +32 -32
- data/lib/datadog/core/utils/forking.rb +2 -2
- data/lib/datadog/core/utils/network.rb +6 -6
- data/lib/datadog/core/utils/only_once_successful.rb +16 -5
- data/lib/datadog/core/utils/time.rb +20 -0
- data/lib/datadog/core/utils/truncation.rb +21 -0
- data/lib/datadog/core/utils.rb +7 -0
- data/lib/datadog/core/vendor/multipart-post/multipart/post/composite_read_io.rb +1 -1
- data/lib/datadog/core/vendor/multipart-post/multipart/post/multipartable.rb +8 -8
- data/lib/datadog/core/vendor/multipart-post/multipart/post/parts.rb +7 -7
- data/lib/datadog/core/worker.rb +1 -1
- data/lib/datadog/core/workers/async.rb +29 -12
- data/lib/datadog/core/workers/interval_loop.rb +12 -1
- data/lib/datadog/core/workers/runtime_metrics.rb +2 -2
- data/lib/datadog/core.rb +8 -0
- data/lib/datadog/di/base.rb +115 -0
- data/lib/datadog/di/boot.rb +34 -0
- data/lib/datadog/di/code_tracker.rb +26 -15
- data/lib/datadog/di/component.rb +23 -14
- data/lib/datadog/di/configuration/settings.rb +25 -1
- data/lib/datadog/di/contrib/active_record.rb +1 -0
- data/lib/datadog/di/contrib/railtie.rb +15 -0
- data/lib/datadog/di/contrib.rb +28 -0
- data/lib/datadog/di/error.rb +5 -0
- data/lib/datadog/di/instrumenter.rb +162 -21
- data/lib/datadog/di/logger.rb +30 -0
- data/lib/datadog/di/preload.rb +18 -0
- data/lib/datadog/di/probe.rb +14 -7
- data/lib/datadog/di/probe_builder.rb +1 -0
- data/lib/datadog/di/probe_manager.rb +11 -5
- data/lib/datadog/di/probe_notification_builder.rb +54 -38
- data/lib/datadog/di/probe_notifier_worker.rb +60 -26
- data/lib/datadog/di/redactor.rb +0 -1
- data/lib/datadog/di/remote.rb +147 -0
- data/lib/datadog/di/serializer.rb +19 -8
- data/lib/datadog/di/transport/diagnostics.rb +62 -0
- data/lib/datadog/di/transport/http/api.rb +42 -0
- data/lib/datadog/di/transport/http/client.rb +47 -0
- data/lib/datadog/di/transport/http/diagnostics.rb +65 -0
- data/lib/datadog/di/transport/http/input.rb +77 -0
- data/lib/datadog/di/transport/http.rb +57 -0
- data/lib/datadog/di/transport/input.rb +70 -0
- data/lib/datadog/di/utils.rb +103 -0
- data/lib/datadog/di.rb +14 -76
- data/lib/datadog/error_tracking/collector.rb +87 -0
- data/lib/datadog/error_tracking/component.rb +167 -0
- data/lib/datadog/error_tracking/configuration/settings.rb +63 -0
- data/lib/datadog/error_tracking/configuration.rb +11 -0
- data/lib/datadog/error_tracking/ext.rb +18 -0
- data/lib/datadog/error_tracking/extensions.rb +16 -0
- data/lib/datadog/error_tracking/filters.rb +77 -0
- data/lib/datadog/error_tracking.rb +18 -0
- data/lib/datadog/kit/appsec/events.rb +15 -3
- data/lib/datadog/kit/identity.rb +9 -5
- data/lib/datadog/opentelemetry/api/baggage.rb +90 -0
- data/lib/datadog/opentelemetry/api/baggage.rbs +26 -0
- data/lib/datadog/opentelemetry/api/context.rb +16 -2
- data/lib/datadog/opentelemetry/sdk/trace/span.rb +1 -1
- data/lib/datadog/opentelemetry.rb +2 -1
- data/lib/datadog/profiling/collectors/code_provenance.rb +18 -9
- data/lib/datadog/profiling/collectors/cpu_and_wall_time_worker.rb +4 -0
- data/lib/datadog/profiling/collectors/idle_sampling_helper.rb +1 -0
- data/lib/datadog/profiling/collectors/info.rb +3 -0
- data/lib/datadog/profiling/collectors/thread_context.rb +17 -2
- data/lib/datadog/profiling/component.rb +64 -82
- data/lib/datadog/profiling/encoded_profile.rb +11 -0
- data/lib/datadog/profiling/exporter.rb +3 -4
- data/lib/datadog/profiling/ext.rb +0 -14
- data/lib/datadog/profiling/flush.rb +5 -8
- data/lib/datadog/profiling/http_transport.rb +8 -87
- data/lib/datadog/profiling/load_native_extension.rb +1 -33
- data/lib/datadog/profiling/profiler.rb +2 -0
- data/lib/datadog/profiling/scheduler.rb +10 -2
- data/lib/datadog/profiling/stack_recorder.rb +9 -9
- data/lib/datadog/profiling/tag_builder.rb +5 -41
- data/lib/datadog/profiling/tasks/setup.rb +2 -0
- data/lib/datadog/profiling.rb +6 -2
- data/lib/datadog/tracing/analytics.rb +1 -1
- data/lib/datadog/tracing/component.rb +16 -12
- data/lib/datadog/tracing/configuration/ext.rb +8 -1
- data/lib/datadog/tracing/configuration/settings.rb +22 -10
- data/lib/datadog/tracing/context_provider.rb +1 -1
- data/lib/datadog/tracing/contrib/action_cable/integration.rb +5 -2
- data/lib/datadog/tracing/contrib/action_mailer/integration.rb +6 -2
- data/lib/datadog/tracing/contrib/action_pack/action_controller/instrumentation.rb +15 -0
- data/lib/datadog/tracing/contrib/action_pack/action_dispatch/instrumentation.rb +19 -12
- data/lib/datadog/tracing/contrib/action_pack/ext.rb +2 -0
- data/lib/datadog/tracing/contrib/action_pack/integration.rb +5 -2
- data/lib/datadog/tracing/contrib/action_view/integration.rb +5 -2
- data/lib/datadog/tracing/contrib/active_job/integration.rb +5 -2
- data/lib/datadog/tracing/contrib/active_record/integration.rb +7 -3
- data/lib/datadog/tracing/contrib/active_support/cache/events/cache.rb +7 -2
- data/lib/datadog/tracing/contrib/active_support/cache/instrumentation.rb +36 -1
- data/lib/datadog/tracing/contrib/active_support/cache/patcher.rb +4 -0
- data/lib/datadog/tracing/contrib/active_support/cache/redis.rb +14 -4
- data/lib/datadog/tracing/contrib/active_support/configuration/settings.rb +10 -0
- data/lib/datadog/tracing/contrib/active_support/integration.rb +5 -2
- data/lib/datadog/tracing/contrib/auto_instrument.rb +2 -2
- data/lib/datadog/tracing/contrib/aws/instrumentation.rb +10 -0
- data/lib/datadog/tracing/contrib/aws/integration.rb +3 -0
- data/lib/datadog/tracing/contrib/aws/parsed_context.rb +5 -1
- data/lib/datadog/tracing/contrib/concurrent_ruby/integration.rb +3 -0
- data/lib/datadog/tracing/contrib/configuration/settings.rb +1 -1
- data/lib/datadog/tracing/contrib/elasticsearch/configuration/settings.rb +4 -0
- data/lib/datadog/tracing/contrib/elasticsearch/patcher.rb +6 -1
- data/lib/datadog/tracing/contrib/ethon/easy_patch.rb +4 -5
- data/lib/datadog/tracing/contrib/excon/middleware.rb +5 -3
- data/lib/datadog/tracing/contrib/ext.rb +1 -0
- data/lib/datadog/tracing/contrib/extensions.rb +29 -3
- data/lib/datadog/tracing/contrib/faraday/middleware.rb +5 -3
- data/lib/datadog/tracing/contrib/graphql/configuration/error_extension_env_parser.rb +21 -0
- data/lib/datadog/tracing/contrib/graphql/configuration/settings.rb +11 -0
- data/lib/datadog/tracing/contrib/graphql/ext.rb +5 -0
- data/lib/datadog/tracing/contrib/graphql/unified_trace.rb +102 -11
- data/lib/datadog/tracing/contrib/grpc/datadog_interceptor/client.rb +7 -1
- data/lib/datadog/tracing/contrib/grpc/distributed/propagation.rb +3 -0
- data/lib/datadog/tracing/contrib/http/circuit_breaker.rb +0 -15
- data/lib/datadog/tracing/contrib/http/distributed/propagation.rb +4 -1
- data/lib/datadog/tracing/contrib/http/instrumentation.rb +6 -10
- data/lib/datadog/tracing/contrib/http/integration.rb +3 -0
- data/lib/datadog/tracing/contrib/httpclient/instrumentation.rb +6 -16
- data/lib/datadog/tracing/contrib/httprb/instrumentation.rb +7 -15
- data/lib/datadog/tracing/contrib/httprb/integration.rb +3 -0
- data/lib/datadog/tracing/contrib/kafka/integration.rb +3 -0
- data/lib/datadog/tracing/contrib/karafka/configuration/settings.rb +27 -0
- data/lib/datadog/tracing/contrib/karafka/distributed/propagation.rb +48 -0
- data/lib/datadog/tracing/contrib/karafka/ext.rb +27 -0
- data/lib/datadog/tracing/contrib/karafka/integration.rb +45 -0
- data/lib/datadog/tracing/contrib/karafka/monitor.rb +66 -0
- data/lib/datadog/tracing/contrib/karafka/patcher.rb +71 -0
- data/lib/datadog/tracing/contrib/karafka.rb +37 -0
- data/lib/datadog/tracing/contrib/lograge/patcher.rb +4 -2
- data/lib/datadog/tracing/contrib/mongodb/configuration/settings.rb +8 -0
- data/lib/datadog/tracing/contrib/mongodb/ext.rb +1 -0
- data/lib/datadog/tracing/contrib/mongodb/integration.rb +3 -0
- data/lib/datadog/tracing/contrib/mongodb/subscribers.rb +18 -1
- data/lib/datadog/tracing/contrib/opensearch/configuration/settings.rb +17 -0
- data/lib/datadog/tracing/contrib/opensearch/ext.rb +9 -0
- data/lib/datadog/tracing/contrib/opensearch/integration.rb +3 -0
- data/lib/datadog/tracing/contrib/opensearch/patcher.rb +5 -1
- data/lib/datadog/tracing/contrib/patcher.rb +5 -2
- data/lib/datadog/tracing/contrib/presto/integration.rb +3 -0
- data/lib/datadog/tracing/contrib/rack/header_collection.rb +11 -1
- data/lib/datadog/tracing/contrib/rack/integration.rb +2 -2
- data/lib/datadog/tracing/contrib/rack/middlewares.rb +1 -1
- data/lib/datadog/tracing/contrib/rack/request_queue.rb +1 -1
- data/lib/datadog/tracing/contrib/rails/framework.rb +2 -2
- data/lib/datadog/tracing/contrib/rails/patcher.rb +1 -1
- data/lib/datadog/tracing/contrib/rest_client/integration.rb +3 -0
- data/lib/datadog/tracing/contrib/rest_client/request_patch.rb +5 -3
- data/lib/datadog/tracing/contrib/sidekiq/client_tracer.rb +6 -1
- data/lib/datadog/tracing/contrib/sidekiq/distributed/propagation.rb +3 -0
- data/lib/datadog/tracing/contrib/sidekiq/ext.rb +1 -0
- data/lib/datadog/tracing/contrib/sidekiq/server_tracer.rb +5 -2
- data/lib/datadog/tracing/contrib/span_attribute_schema.rb +6 -1
- data/lib/datadog/tracing/contrib/support.rb +28 -0
- data/lib/datadog/tracing/contrib.rb +1 -0
- data/lib/datadog/tracing/correlation.rb +9 -2
- data/lib/datadog/tracing/distributed/b3_multi.rb +1 -1
- data/lib/datadog/tracing/distributed/b3_single.rb +1 -1
- data/lib/datadog/tracing/distributed/baggage.rb +131 -0
- data/lib/datadog/tracing/distributed/datadog.rb +4 -2
- data/lib/datadog/tracing/distributed/propagation.rb +25 -4
- data/lib/datadog/tracing/distributed/propagation_policy.rb +42 -0
- data/lib/datadog/tracing/metadata/errors.rb +4 -4
- data/lib/datadog/tracing/metadata/ext.rb +5 -0
- data/lib/datadog/tracing/metadata/metastruct.rb +36 -0
- data/lib/datadog/tracing/metadata/metastruct_tagging.rb +42 -0
- data/lib/datadog/tracing/metadata.rb +2 -0
- data/lib/datadog/tracing/sampling/rate_sampler.rb +2 -1
- data/lib/datadog/tracing/sampling/span/rule.rb +0 -1
- data/lib/datadog/tracing/span.rb +22 -5
- data/lib/datadog/tracing/span_event.rb +124 -4
- data/lib/datadog/tracing/span_operation.rb +52 -16
- data/lib/datadog/tracing/sync_writer.rb +10 -6
- data/lib/datadog/tracing/trace_digest.rb +9 -2
- data/lib/datadog/tracing/trace_operation.rb +55 -27
- data/lib/datadog/tracing/trace_segment.rb +6 -4
- data/lib/datadog/tracing/tracer.rb +66 -14
- data/lib/datadog/tracing/transport/http/api.rb +5 -4
- data/lib/datadog/tracing/transport/http/client.rb +5 -4
- data/lib/datadog/tracing/transport/http/traces.rb +13 -44
- data/lib/datadog/tracing/transport/http.rb +13 -70
- data/lib/datadog/tracing/transport/serializable_trace.rb +31 -7
- data/lib/datadog/tracing/transport/trace_formatter.rb +7 -0
- data/lib/datadog/tracing/transport/traces.rb +47 -13
- data/lib/datadog/tracing/utils.rb +1 -1
- data/lib/datadog/tracing/workers/trace_writer.rb +8 -5
- data/lib/datadog/tracing/workers.rb +5 -4
- data/lib/datadog/tracing/writer.rb +10 -6
- data/lib/datadog/tracing.rb +16 -3
- data/lib/datadog/version.rb +2 -2
- data/lib/datadog.rb +2 -0
- metadata +149 -54
- data/ext/datadog_profiling_loader/datadog_profiling_loader.c +0 -142
- data/ext/datadog_profiling_loader/extconf.rb +0 -60
- data/lib/datadog/appsec/assets/waf_rules/processors.json +0 -92
- data/lib/datadog/appsec/assets/waf_rules/scanners.json +0 -114
- data/lib/datadog/appsec/contrib/devise/event.rb +0 -57
- data/lib/datadog/appsec/contrib/devise/patcher/authenticatable_patch.rb +0 -77
- data/lib/datadog/appsec/contrib/devise/patcher/registration_controller_patch.rb +0 -54
- data/lib/datadog/appsec/contrib/devise/resource.rb +0 -35
- data/lib/datadog/appsec/contrib/devise/tracking.rb +0 -57
- data/lib/datadog/appsec/contrib/graphql/reactive/multiplex.rb +0 -46
- data/lib/datadog/appsec/contrib/patcher.rb +0 -12
- data/lib/datadog/appsec/contrib/rack/reactive/request.rb +0 -69
- data/lib/datadog/appsec/contrib/rack/reactive/request_body.rb +0 -47
- data/lib/datadog/appsec/contrib/rack/reactive/response.rb +0 -53
- data/lib/datadog/appsec/contrib/rails/reactive/action.rb +0 -53
- data/lib/datadog/appsec/contrib/sinatra/ext.rb +0 -14
- data/lib/datadog/appsec/contrib/sinatra/reactive/routed.rb +0 -48
- data/lib/datadog/appsec/monitor/reactive/set_user.rb +0 -45
- data/lib/datadog/appsec/processor/actions.rb +0 -49
- data/lib/datadog/appsec/processor/context.rb +0 -107
- data/lib/datadog/appsec/processor/rule_merger.rb +0 -170
- data/lib/datadog/appsec/processor.rb +0 -106
- data/lib/datadog/appsec/reactive/address_hash.rb +0 -22
- data/lib/datadog/appsec/reactive/engine.rb +0 -47
- data/lib/datadog/appsec/reactive/operation.rb +0 -68
- data/lib/datadog/appsec/reactive/subscriber.rb +0 -19
- data/lib/datadog/appsec/scope.rb +0 -58
- data/lib/datadog/appsec/utils/trace_operation.rb +0 -15
- data/lib/datadog/core/crashtracking/agent_base_url.rb +0 -21
- data/lib/datadog/core/remote/transport/http/api/instance.rb +0 -39
- data/lib/datadog/core/remote/transport/http/api/spec.rb +0 -21
- data/lib/datadog/core/remote/transport/http/builder.rb +0 -219
- data/lib/datadog/core/telemetry/http/env.rb +0 -20
- data/lib/datadog/core/telemetry/http/ext.rb +0 -28
- data/lib/datadog/core/telemetry/http/response.rb +0 -70
- data/lib/datadog/core/telemetry/http/transport.rb +0 -90
- data/lib/datadog/di/transport.rb +0 -81
- data/lib/datadog/tracing/transport/http/api/spec.rb +0 -19
|
@@ -12,14 +12,29 @@ module Datadog
|
|
|
12
12
|
DEFAULT_OBFUSCATOR_KEY_REGEX = '(?i)pass|pw(?:or)?d|secret|(?:api|private|public|access)[_-]?key|token|consumer[_-]?(?:id|key|secret)|sign(?:ed|ature)|bearer|authorization|jsessionid|phpsessid|asp\.net[_-]sessionid|sid|jwt'
|
|
13
13
|
DEFAULT_OBFUSCATOR_VALUE_REGEX = '(?i)(?:p(?:ass)?w(?:or)?d|pass(?:[_-]?phrase)?|secret(?:[_-]?key)?|(?:(?:api|private|public|access)[_-]?)key(?:[_-]?id)?|(?:(?:auth|access|id|refresh)[_-]?)?token|consumer[_-]?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?|jsessionid|phpsessid|asp\.net(?:[_-]|-)sessionid|sid|jwt)(?:\s*=[^;]|"\s*:\s*"[^"]+")|bearer\s+[a-z0-9\._\-]+|token:[a-z0-9]{13}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\w=-]+\.ey[I-L][\w=-]+(?:\.[\w.+\/=-]+)?|[\-]{5}BEGIN[a-z\s]+PRIVATE\sKEY[\-]{5}[^\-]+[\-]{5}END[a-z\s]+PRIVATE\sKEY|ssh-rsa\s*[a-z0-9\/\.+]{100,}'
|
|
14
14
|
# rubocop:enable Layout/LineLength
|
|
15
|
+
|
|
16
|
+
DISABLED_AUTO_USER_INSTRUMENTATION_MODE = 'disabled'
|
|
17
|
+
ANONYMIZATION_AUTO_USER_INSTRUMENTATION_MODE = 'anonymization'
|
|
18
|
+
IDENTIFICATION_AUTO_USER_INSTRUMENTATION_MODE = 'identification'
|
|
19
|
+
AUTO_USER_INSTRUMENTATION_MODES = [
|
|
20
|
+
DISABLED_AUTO_USER_INSTRUMENTATION_MODE,
|
|
21
|
+
ANONYMIZATION_AUTO_USER_INSTRUMENTATION_MODE,
|
|
22
|
+
IDENTIFICATION_AUTO_USER_INSTRUMENTATION_MODE
|
|
23
|
+
].freeze
|
|
24
|
+
AUTO_USER_INSTRUMENTATION_MODES_ALIASES = {
|
|
25
|
+
'ident' => IDENTIFICATION_AUTO_USER_INSTRUMENTATION_MODE,
|
|
26
|
+
'anon' => ANONYMIZATION_AUTO_USER_INSTRUMENTATION_MODE,
|
|
27
|
+
}.freeze
|
|
28
|
+
|
|
29
|
+
# NOTE: These two constants are deprecated
|
|
30
|
+
SAFE_TRACK_USER_EVENTS_MODE = 'safe'
|
|
31
|
+
EXTENDED_TRACK_USER_EVENTS_MODE = 'extended'
|
|
15
32
|
APPSEC_VALID_TRACK_USER_EVENTS_MODE = [
|
|
16
|
-
|
|
17
|
-
'extended'
|
|
33
|
+
SAFE_TRACK_USER_EVENTS_MODE, EXTENDED_TRACK_USER_EVENTS_MODE
|
|
18
34
|
].freeze
|
|
19
|
-
APPSEC_VALID_TRACK_USER_EVENTS_ENABLED_VALUES = [
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
].concat(APPSEC_VALID_TRACK_USER_EVENTS_MODE).freeze
|
|
35
|
+
APPSEC_VALID_TRACK_USER_EVENTS_ENABLED_VALUES = ['1', 'true'].concat(
|
|
36
|
+
APPSEC_VALID_TRACK_USER_EVENTS_MODE
|
|
37
|
+
).freeze
|
|
23
38
|
|
|
24
39
|
def self.extended(base)
|
|
25
40
|
base = base.singleton_class unless base.is_a?(Class)
|
|
@@ -49,6 +64,15 @@ module Datadog
|
|
|
49
64
|
end
|
|
50
65
|
end
|
|
51
66
|
|
|
67
|
+
# RASP or Runtime Application Self-Protection
|
|
68
|
+
# is a collection of techniques and heuristics aimed at detecting malicious inputs and preventing
|
|
69
|
+
# any potential side-effects on the application resulting from the use of said malicious inputs.
|
|
70
|
+
option :rasp_enabled do |o|
|
|
71
|
+
o.type :bool, nilable: true
|
|
72
|
+
o.env 'DD_APPSEC_RASP_ENABLED'
|
|
73
|
+
o.default true
|
|
74
|
+
end
|
|
75
|
+
|
|
52
76
|
option :ruleset do |o|
|
|
53
77
|
o.env 'DD_APPSEC_RULES'
|
|
54
78
|
o.default :recommended
|
|
@@ -56,16 +80,49 @@ module Datadog
|
|
|
56
80
|
|
|
57
81
|
option :ip_passlist do |o|
|
|
58
82
|
o.default []
|
|
83
|
+
|
|
84
|
+
o.setter do |value|
|
|
85
|
+
next value if value.nil? || value.empty?
|
|
86
|
+
|
|
87
|
+
Datadog::Core.log_deprecation(disallowed_next_major: false) do
|
|
88
|
+
'The ip_passlist setting is deprecated and will be removed in the next release. ' \
|
|
89
|
+
'Please migrate this configuration to your service settings via the Datadog UI'
|
|
90
|
+
end
|
|
91
|
+
|
|
92
|
+
value
|
|
93
|
+
end
|
|
59
94
|
end
|
|
60
95
|
|
|
61
96
|
option :ip_denylist do |o|
|
|
62
97
|
o.type :array
|
|
63
98
|
o.default []
|
|
99
|
+
|
|
100
|
+
o.setter do |value|
|
|
101
|
+
next value if value.nil? || value.empty?
|
|
102
|
+
|
|
103
|
+
Datadog::Core.log_deprecation(disallowed_next_major: false) do
|
|
104
|
+
'The ip_denylist setting is deprecated and will be removed in the next release. ' \
|
|
105
|
+
'Please migrate this configuration to your service settings via the Datadog UI'
|
|
106
|
+
end
|
|
107
|
+
|
|
108
|
+
value
|
|
109
|
+
end
|
|
64
110
|
end
|
|
65
111
|
|
|
66
112
|
option :user_id_denylist do |o|
|
|
67
113
|
o.type :array
|
|
68
114
|
o.default []
|
|
115
|
+
|
|
116
|
+
o.setter do |value|
|
|
117
|
+
next value if value.nil? || value.empty?
|
|
118
|
+
|
|
119
|
+
Datadog::Core.log_deprecation(disallowed_next_major: false) do
|
|
120
|
+
'The user_id_denylist setting is deprecated and will be removed in the next release. ' \
|
|
121
|
+
'Please migrate this configuration to your service settings via the Datadog UI'
|
|
122
|
+
end
|
|
123
|
+
|
|
124
|
+
value
|
|
125
|
+
end
|
|
69
126
|
end
|
|
70
127
|
|
|
71
128
|
option :waf_timeout do |o|
|
|
@@ -107,9 +164,12 @@ module Datadog
|
|
|
107
164
|
o.type :string, nilable: true
|
|
108
165
|
o.setter do |value|
|
|
109
166
|
if value
|
|
110
|
-
|
|
167
|
+
unless File.exist?(value)
|
|
168
|
+
raise(ArgumentError,
|
|
169
|
+
"appsec.templates.html: file not found: #{value}")
|
|
170
|
+
end
|
|
111
171
|
|
|
112
|
-
File.
|
|
172
|
+
File.binread(value) || ''
|
|
113
173
|
end
|
|
114
174
|
end
|
|
115
175
|
end
|
|
@@ -119,9 +179,12 @@ module Datadog
|
|
|
119
179
|
o.type :string, nilable: true
|
|
120
180
|
o.setter do |value|
|
|
121
181
|
if value
|
|
122
|
-
|
|
182
|
+
unless File.exist?(value)
|
|
183
|
+
raise(ArgumentError,
|
|
184
|
+
"appsec.templates.json: file not found: #{value}")
|
|
185
|
+
end
|
|
123
186
|
|
|
124
|
-
File.
|
|
187
|
+
File.binread(value) || ''
|
|
125
188
|
end
|
|
126
189
|
end
|
|
127
190
|
end
|
|
@@ -131,15 +194,101 @@ module Datadog
|
|
|
131
194
|
o.type :string, nilable: true
|
|
132
195
|
o.setter do |value|
|
|
133
196
|
if value
|
|
134
|
-
|
|
197
|
+
unless File.exist?(value)
|
|
198
|
+
raise(ArgumentError,
|
|
199
|
+
"appsec.templates.text: file not found: #{value}")
|
|
200
|
+
end
|
|
135
201
|
|
|
136
|
-
File.
|
|
202
|
+
File.binread(value) || ''
|
|
137
203
|
end
|
|
138
204
|
end
|
|
139
205
|
end
|
|
140
206
|
end
|
|
141
207
|
end
|
|
142
208
|
|
|
209
|
+
settings :stack_trace do
|
|
210
|
+
option :enabled do |o|
|
|
211
|
+
o.type :bool
|
|
212
|
+
o.env 'DD_APPSEC_STACK_TRACE_ENABLED'
|
|
213
|
+
o.default true
|
|
214
|
+
end
|
|
215
|
+
|
|
216
|
+
# The maximum number of stack trace frames to collect for each stack trace.
|
|
217
|
+
#
|
|
218
|
+
# If the stack trace exceeds this limit, the frames are dropped from the middle of the stack trace:
|
|
219
|
+
# 75% of the frames are kept from the top of the stack trace and 25% from the bottom
|
|
220
|
+
# (this percentage is also configurable).
|
|
221
|
+
#
|
|
222
|
+
# Minimum value is 10.
|
|
223
|
+
# Set to zero if you don't want any frames to be dropped.
|
|
224
|
+
#
|
|
225
|
+
# Default value is 32
|
|
226
|
+
option :max_depth do |o|
|
|
227
|
+
o.type :int
|
|
228
|
+
o.env 'DD_APPSEC_MAX_STACK_TRACE_DEPTH'
|
|
229
|
+
o.default 32
|
|
230
|
+
|
|
231
|
+
o.setter do |value|
|
|
232
|
+
value = 0 if value < 0
|
|
233
|
+
value
|
|
234
|
+
end
|
|
235
|
+
end
|
|
236
|
+
|
|
237
|
+
# The percentage of frames to keep from the top of the stack trace.
|
|
238
|
+
#
|
|
239
|
+
# Default value is 75
|
|
240
|
+
option :top_percentage do |o|
|
|
241
|
+
o.type :int
|
|
242
|
+
o.env 'DD_APPSEC_MAX_STACK_TRACE_DEPTH_TOP_PERCENT'
|
|
243
|
+
o.default 75
|
|
244
|
+
|
|
245
|
+
o.setter do |value|
|
|
246
|
+
value = 100 if value > 100
|
|
247
|
+
value = 0 if value.negative?
|
|
248
|
+
value
|
|
249
|
+
end
|
|
250
|
+
end
|
|
251
|
+
|
|
252
|
+
# Maximum number of stack traces to collect per span.
|
|
253
|
+
#
|
|
254
|
+
# Set to zero if you want to collect all stack traces.
|
|
255
|
+
#
|
|
256
|
+
# Default value is 2
|
|
257
|
+
option :max_stack_traces do |o|
|
|
258
|
+
o.type :int
|
|
259
|
+
o.env 'DD_APPSEC_MAX_STACK_TRACES'
|
|
260
|
+
o.default 2
|
|
261
|
+
|
|
262
|
+
o.setter do |value|
|
|
263
|
+
value = 0 if value < 0
|
|
264
|
+
value
|
|
265
|
+
end
|
|
266
|
+
end
|
|
267
|
+
end
|
|
268
|
+
|
|
269
|
+
settings :auto_user_instrumentation do
|
|
270
|
+
define_method(:enabled?) { get_option(:mode) != DISABLED_AUTO_USER_INSTRUMENTATION_MODE }
|
|
271
|
+
|
|
272
|
+
option :mode do |o|
|
|
273
|
+
o.type :string
|
|
274
|
+
o.env 'DD_APPSEC_AUTO_USER_INSTRUMENTATION_MODE'
|
|
275
|
+
o.default IDENTIFICATION_AUTO_USER_INSTRUMENTATION_MODE
|
|
276
|
+
o.setter do |value|
|
|
277
|
+
mode = AUTO_USER_INSTRUMENTATION_MODES_ALIASES.fetch(value, value)
|
|
278
|
+
next mode if AUTO_USER_INSTRUMENTATION_MODES.include?(mode)
|
|
279
|
+
|
|
280
|
+
Datadog.logger.warn(
|
|
281
|
+
'The appsec.auto_user_instrumentation.mode value provided is not supported. ' \
|
|
282
|
+
"Supported values are: #{AUTO_USER_INSTRUMENTATION_MODES.join(" | ")}. " \
|
|
283
|
+
"Using value: #{DISABLED_AUTO_USER_INSTRUMENTATION_MODE}."
|
|
284
|
+
)
|
|
285
|
+
|
|
286
|
+
DISABLED_AUTO_USER_INSTRUMENTATION_MODE
|
|
287
|
+
end
|
|
288
|
+
end
|
|
289
|
+
end
|
|
290
|
+
|
|
291
|
+
# DEV-3.0: Remove `track_user_events.enabled` and `track_user_events.mode` options
|
|
143
292
|
settings :track_user_events do
|
|
144
293
|
option :enabled do |o|
|
|
145
294
|
o.default true
|
|
@@ -152,36 +301,71 @@ module Datadog
|
|
|
152
301
|
APPSEC_VALID_TRACK_USER_EVENTS_ENABLED_VALUES.include?(env_value.strip.downcase)
|
|
153
302
|
end
|
|
154
303
|
end
|
|
304
|
+
o.after_set do |_, _, precedence|
|
|
305
|
+
unless precedence == Datadog::Core::Configuration::Option::Precedence::DEFAULT
|
|
306
|
+
Core.log_deprecation(key: :appsec_track_user_events_enabled) do
|
|
307
|
+
'The appsec.track_user_events.enabled setting is deprecated. ' \
|
|
308
|
+
'Please remove it from your Datadog.configure block and use ' \
|
|
309
|
+
'appsec.auto_user_instrumentation.mode instead.'
|
|
310
|
+
end
|
|
311
|
+
end
|
|
312
|
+
end
|
|
155
313
|
end
|
|
156
314
|
|
|
157
315
|
option :mode do |o|
|
|
158
316
|
o.type :string
|
|
159
317
|
o.env 'DD_APPSEC_AUTOMATED_USER_EVENTS_TRACKING'
|
|
160
|
-
o.default
|
|
318
|
+
o.default SAFE_TRACK_USER_EVENTS_MODE
|
|
161
319
|
o.setter do |v|
|
|
162
320
|
if APPSEC_VALID_TRACK_USER_EVENTS_MODE.include?(v)
|
|
163
321
|
v
|
|
164
322
|
elsif v == 'disabled'
|
|
165
|
-
|
|
323
|
+
SAFE_TRACK_USER_EVENTS_MODE
|
|
166
324
|
else
|
|
167
325
|
Datadog.logger.warn(
|
|
168
326
|
'The appsec.track_user_events.mode value provided is not supported.' \
|
|
169
|
-
|
|
170
|
-
|
|
327
|
+
"Supported values are: #{APPSEC_VALID_TRACK_USER_EVENTS_MODE.join(" | ")}." \
|
|
328
|
+
"Using default value: #{SAFE_TRACK_USER_EVENTS_MODE}."
|
|
171
329
|
)
|
|
172
|
-
|
|
330
|
+
|
|
331
|
+
SAFE_TRACK_USER_EVENTS_MODE
|
|
332
|
+
end
|
|
333
|
+
end
|
|
334
|
+
o.after_set do |_, _, precedence|
|
|
335
|
+
unless precedence == Datadog::Core::Configuration::Option::Precedence::DEFAULT
|
|
336
|
+
Core.log_deprecation(key: :appsec_track_user_events_mode) do
|
|
337
|
+
'The appsec.track_user_events.mode setting is deprecated. ' \
|
|
338
|
+
'Please remove it from your Datadog.configure block and use ' \
|
|
339
|
+
'appsec.auto_user_instrumentation.mode instead.'
|
|
340
|
+
end
|
|
173
341
|
end
|
|
174
342
|
end
|
|
175
343
|
end
|
|
176
344
|
end
|
|
177
345
|
|
|
178
346
|
settings :api_security do
|
|
347
|
+
define_method(:enabled?) { get_option(:enabled) }
|
|
348
|
+
|
|
179
349
|
option :enabled do |o|
|
|
180
350
|
o.type :bool
|
|
181
|
-
o.env '
|
|
182
|
-
o.default
|
|
351
|
+
o.env 'DD_API_SECURITY_ENABLED'
|
|
352
|
+
o.default true
|
|
353
|
+
end
|
|
354
|
+
|
|
355
|
+
# NOTE: Unfortunately, we have to go with Float due to other libs
|
|
356
|
+
# setup, even tho we don't plan to support sub-second delays.
|
|
357
|
+
#
|
|
358
|
+
# WARNING: The value will be converted to Integer.
|
|
359
|
+
option :sample_delay do |o|
|
|
360
|
+
o.type :float
|
|
361
|
+
o.env 'DD_API_SECURITY_SAMPLE_DELAY'
|
|
362
|
+
o.default 30
|
|
363
|
+
o.setter do |value|
|
|
364
|
+
value.to_i
|
|
365
|
+
end
|
|
183
366
|
end
|
|
184
367
|
|
|
368
|
+
# DEV-3.0: Remove `api_security.sample_rate` option
|
|
185
369
|
option :sample_rate do |o|
|
|
186
370
|
o.type :float
|
|
187
371
|
o.env 'DD_API_SECURITY_REQUEST_SAMPLE_RATE'
|
|
@@ -190,6 +374,15 @@ module Datadog
|
|
|
190
374
|
value = 1 if value > 1
|
|
191
375
|
SampleRate.new(value)
|
|
192
376
|
end
|
|
377
|
+
o.after_set do |_, _, precedence|
|
|
378
|
+
next if precedence == Datadog::Core::Configuration::Option::Precedence::DEFAULT
|
|
379
|
+
|
|
380
|
+
Core.log_deprecation(key: :appsec_api_security_sample_rate) do
|
|
381
|
+
'The appsec.api_security.sample_rate setting is deprecated. ' \
|
|
382
|
+
'Please remove it from your Datadog.configure block and use ' \
|
|
383
|
+
'appsec.api_security.sample_delay instead.'
|
|
384
|
+
end
|
|
385
|
+
end
|
|
193
386
|
end
|
|
194
387
|
end
|
|
195
388
|
|
|
@@ -197,14 +390,6 @@ module Datadog
|
|
|
197
390
|
o.type :bool, nilable: true
|
|
198
391
|
o.env 'DD_APPSEC_SCA_ENABLED'
|
|
199
392
|
end
|
|
200
|
-
|
|
201
|
-
settings :standalone do
|
|
202
|
-
option :enabled do |o|
|
|
203
|
-
o.type :bool
|
|
204
|
-
o.env 'DD_EXPERIMENTAL_APPSEC_STANDALONE_ENABLED'
|
|
205
|
-
o.default false
|
|
206
|
-
end
|
|
207
|
-
end
|
|
208
393
|
end
|
|
209
394
|
end
|
|
210
395
|
end
|
|
@@ -0,0 +1,74 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require_relative 'metrics'
|
|
4
|
+
|
|
5
|
+
module Datadog
|
|
6
|
+
module AppSec
|
|
7
|
+
# This class accumulates the context over the request life-cycle and exposes
|
|
8
|
+
# interface sufficient for instrumentation to perform threat detection.
|
|
9
|
+
class Context
|
|
10
|
+
ActiveContextError = Class.new(StandardError)
|
|
11
|
+
|
|
12
|
+
# TODO: add delegators for active trace span
|
|
13
|
+
attr_reader :trace, :span, :events
|
|
14
|
+
|
|
15
|
+
class << self
|
|
16
|
+
def activate(context)
|
|
17
|
+
raise ArgumentError, 'not a Datadog::AppSec::Context' unless context.instance_of?(Context)
|
|
18
|
+
raise ActiveContextError, 'another context is active, nested contexts are not supported' if active
|
|
19
|
+
|
|
20
|
+
Thread.current[Ext::ACTIVE_CONTEXT_KEY] = context
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
def deactivate
|
|
24
|
+
active&.finalize!
|
|
25
|
+
ensure
|
|
26
|
+
Thread.current[Ext::ACTIVE_CONTEXT_KEY] = nil
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
def active
|
|
30
|
+
Thread.current[Ext::ACTIVE_CONTEXT_KEY]
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def initialize(trace, span, waf_runner)
|
|
35
|
+
@trace = trace
|
|
36
|
+
@span = span
|
|
37
|
+
@events = []
|
|
38
|
+
@waf_runner = waf_runner
|
|
39
|
+
@metrics = Metrics::Collector.new
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
def run_waf(persistent_data, ephemeral_data, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
|
|
43
|
+
result = @waf_runner.run(persistent_data, ephemeral_data, timeout)
|
|
44
|
+
|
|
45
|
+
@metrics.record_waf(result)
|
|
46
|
+
result
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
def run_rasp(type, persistent_data, ephemeral_data, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
|
|
50
|
+
result = @waf_runner.run(persistent_data, ephemeral_data, timeout)
|
|
51
|
+
|
|
52
|
+
Metrics::Telemetry.report_rasp(type, result)
|
|
53
|
+
@metrics.record_rasp(result)
|
|
54
|
+
|
|
55
|
+
result
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
def extract_schema
|
|
59
|
+
@waf_runner.run({'waf.context.processor' => {'extract-schema' => true}}, {})
|
|
60
|
+
end
|
|
61
|
+
|
|
62
|
+
def export_metrics
|
|
63
|
+
return if @span.nil?
|
|
64
|
+
|
|
65
|
+
Metrics::Exporter.export_waf_metrics(@metrics.waf, @span)
|
|
66
|
+
Metrics::Exporter.export_rasp_metrics(@metrics.rasp, @span)
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
def finalize!
|
|
70
|
+
@waf_runner.finalize!
|
|
71
|
+
end
|
|
72
|
+
end
|
|
73
|
+
end
|
|
74
|
+
end
|
|
@@ -0,0 +1,92 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require_relative '../../event'
|
|
4
|
+
require_relative '../../security_event'
|
|
5
|
+
|
|
6
|
+
module Datadog
|
|
7
|
+
module AppSec
|
|
8
|
+
module Contrib
|
|
9
|
+
module ActiveRecord
|
|
10
|
+
# AppSec module that will be prepended to ActiveRecord adapter
|
|
11
|
+
module Instrumentation
|
|
12
|
+
module_function
|
|
13
|
+
|
|
14
|
+
def detect_sql_injection(sql, adapter_name)
|
|
15
|
+
return unless AppSec.rasp_enabled?
|
|
16
|
+
|
|
17
|
+
context = AppSec.active_context
|
|
18
|
+
return unless context
|
|
19
|
+
|
|
20
|
+
# libddwaf expects db system to be lowercase,
|
|
21
|
+
# in case of sqlite adapter, libddwaf expects 'sqlite' as db system
|
|
22
|
+
db_system = adapter_name.downcase
|
|
23
|
+
db_system = 'sqlite' if db_system == 'sqlite3'
|
|
24
|
+
|
|
25
|
+
ephemeral_data = {
|
|
26
|
+
'server.db.statement' => sql,
|
|
27
|
+
'server.db.system' => db_system
|
|
28
|
+
}
|
|
29
|
+
|
|
30
|
+
waf_timeout = Datadog.configuration.appsec.waf_timeout
|
|
31
|
+
result = context.run_rasp(Ext::RASP_SQLI, {}, ephemeral_data, waf_timeout)
|
|
32
|
+
|
|
33
|
+
if result.match?
|
|
34
|
+
AppSec::Event.tag_and_keep!(context, result)
|
|
35
|
+
|
|
36
|
+
context.events.push(
|
|
37
|
+
AppSec::SecurityEvent.new(result, trace: context.trace, span: context.span)
|
|
38
|
+
)
|
|
39
|
+
|
|
40
|
+
AppSec::ActionsHandler.handle(result.actions)
|
|
41
|
+
end
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
# patch for mysql2, sqlite3, and postgres+jdbc adapters in ActiveRecord >= 7.1
|
|
45
|
+
module InternalExecQueryAdapterPatch
|
|
46
|
+
def internal_exec_query(sql, *args, **rest)
|
|
47
|
+
Instrumentation.detect_sql_injection(sql, adapter_name)
|
|
48
|
+
|
|
49
|
+
super
|
|
50
|
+
end
|
|
51
|
+
end
|
|
52
|
+
|
|
53
|
+
# patch for mysql2, sqlite3, and postgres+jdbc adapters in ActiveRecord < 7.1
|
|
54
|
+
module ExecQueryAdapterPatch
|
|
55
|
+
def exec_query(sql, *args, **rest)
|
|
56
|
+
Instrumentation.detect_sql_injection(sql, adapter_name)
|
|
57
|
+
|
|
58
|
+
super
|
|
59
|
+
end
|
|
60
|
+
end
|
|
61
|
+
|
|
62
|
+
# patch for mysql2, sqlite3, and postgres+jdbc db adapters in ActiveRecord 4
|
|
63
|
+
module Rails4ExecQueryAdapterPatch
|
|
64
|
+
def exec_query(sql, *args)
|
|
65
|
+
Instrumentation.detect_sql_injection(sql, adapter_name)
|
|
66
|
+
|
|
67
|
+
super
|
|
68
|
+
end
|
|
69
|
+
end
|
|
70
|
+
|
|
71
|
+
# patch for non-jdbc postgres adapter in ActiveRecord > 4
|
|
72
|
+
module ExecuteAndClearAdapterPatch
|
|
73
|
+
def execute_and_clear(sql, *args, **rest)
|
|
74
|
+
Instrumentation.detect_sql_injection(sql, adapter_name)
|
|
75
|
+
|
|
76
|
+
super
|
|
77
|
+
end
|
|
78
|
+
end
|
|
79
|
+
|
|
80
|
+
# patch for non-jdbc postgres adapter in ActiveRecord 4
|
|
81
|
+
module Rails4ExecuteAndClearAdapterPatch
|
|
82
|
+
def execute_and_clear(sql, name, binds)
|
|
83
|
+
Instrumentation.detect_sql_injection(sql, adapter_name)
|
|
84
|
+
|
|
85
|
+
super
|
|
86
|
+
end
|
|
87
|
+
end
|
|
88
|
+
end
|
|
89
|
+
end
|
|
90
|
+
end
|
|
91
|
+
end
|
|
92
|
+
end
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require_relative '../integration'
|
|
4
|
+
require_relative 'patcher'
|
|
5
|
+
|
|
6
|
+
module Datadog
|
|
7
|
+
module AppSec
|
|
8
|
+
module Contrib
|
|
9
|
+
module ActiveRecord
|
|
10
|
+
# This class provides helper methods that are used when patching ActiveRecord
|
|
11
|
+
class Integration
|
|
12
|
+
include Datadog::AppSec::Contrib::Integration
|
|
13
|
+
|
|
14
|
+
MINIMUM_VERSION = Gem::Version.new('4')
|
|
15
|
+
|
|
16
|
+
register_as :active_record, auto_patch: true
|
|
17
|
+
|
|
18
|
+
def self.version
|
|
19
|
+
Gem.loaded_specs['activerecord']&.version
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def self.loaded?
|
|
23
|
+
!defined?(::ActiveRecord).nil?
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
def self.compatible?
|
|
27
|
+
super && version >= MINIMUM_VERSION
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
def self.auto_instrument?
|
|
31
|
+
true
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def patcher
|
|
35
|
+
Patcher
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
end
|
|
40
|
+
end
|
|
41
|
+
end
|
|
@@ -0,0 +1,101 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require_relative 'instrumentation'
|
|
4
|
+
|
|
5
|
+
module Datadog
|
|
6
|
+
module AppSec
|
|
7
|
+
module Contrib
|
|
8
|
+
module ActiveRecord
|
|
9
|
+
# AppSec patcher module for ActiveRecord
|
|
10
|
+
module Patcher
|
|
11
|
+
module_function
|
|
12
|
+
|
|
13
|
+
def patched?
|
|
14
|
+
Patcher.instance_variable_get(:@patched)
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
def target_version
|
|
18
|
+
Integration.version
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
def patch
|
|
22
|
+
# Rails 7.0 intruduced new on-load hooks for sqlite3 and postgresql adapters
|
|
23
|
+
# The load hook for mysql2 adapter was introduced in Rails 7.1
|
|
24
|
+
#
|
|
25
|
+
# If the adapter is not loaded when the :active_record load hook is called,
|
|
26
|
+
# we need to add a load hook for the adapter
|
|
27
|
+
ActiveSupport.on_load :active_record do
|
|
28
|
+
if defined?(::ActiveRecord::ConnectionAdapters::SQLite3Adapter)
|
|
29
|
+
::Datadog::AppSec::Contrib::ActiveRecord::Patcher.patch_sqlite3_adapter
|
|
30
|
+
else
|
|
31
|
+
ActiveSupport.on_load :active_record_sqlite3adapter do
|
|
32
|
+
::Datadog::AppSec::Contrib::ActiveRecord::Patcher.patch_sqlite3_adapter
|
|
33
|
+
end
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
if defined?(::ActiveRecord::ConnectionAdapters::Mysql2Adapter)
|
|
37
|
+
::Datadog::AppSec::Contrib::ActiveRecord::Patcher.patch_mysql2_adapter
|
|
38
|
+
else
|
|
39
|
+
ActiveSupport.on_load :active_record_mysql2adapter do
|
|
40
|
+
::Datadog::AppSec::Contrib::ActiveRecord::Patcher.patch_mysql2_adapter
|
|
41
|
+
end
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
if defined?(::ActiveRecord::ConnectionAdapters::PostgreSQLAdapter)
|
|
45
|
+
::Datadog::AppSec::Contrib::ActiveRecord::Patcher.patch_postgresql_adapter
|
|
46
|
+
else
|
|
47
|
+
ActiveSupport.on_load :active_record_postgresqladapter do
|
|
48
|
+
::Datadog::AppSec::Contrib::ActiveRecord::Patcher.patch_postgresql_adapter
|
|
49
|
+
end
|
|
50
|
+
end
|
|
51
|
+
end
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
def patch_sqlite3_adapter
|
|
55
|
+
instrumentation_module = if ::ActiveRecord.gem_version >= Gem::Version.new('7.1')
|
|
56
|
+
Instrumentation::InternalExecQueryAdapterPatch
|
|
57
|
+
elsif ::ActiveRecord.gem_version.segments.first == 4
|
|
58
|
+
Instrumentation::Rails4ExecQueryAdapterPatch
|
|
59
|
+
else
|
|
60
|
+
Instrumentation::ExecQueryAdapterPatch
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
::ActiveRecord::ConnectionAdapters::SQLite3Adapter.prepend(instrumentation_module)
|
|
64
|
+
end
|
|
65
|
+
|
|
66
|
+
def patch_mysql2_adapter
|
|
67
|
+
instrumentation_module = if ::ActiveRecord.gem_version >= Gem::Version.new('7.1')
|
|
68
|
+
Instrumentation::InternalExecQueryAdapterPatch
|
|
69
|
+
elsif ::ActiveRecord.gem_version.segments.first == 4
|
|
70
|
+
Instrumentation::Rails4ExecQueryAdapterPatch
|
|
71
|
+
else
|
|
72
|
+
Instrumentation::ExecQueryAdapterPatch
|
|
73
|
+
end
|
|
74
|
+
|
|
75
|
+
::ActiveRecord::ConnectionAdapters::Mysql2Adapter.prepend(instrumentation_module)
|
|
76
|
+
end
|
|
77
|
+
|
|
78
|
+
def patch_postgresql_adapter
|
|
79
|
+
instrumentation_module = if ::ActiveRecord.gem_version.segments.first == 4
|
|
80
|
+
Instrumentation::Rails4ExecuteAndClearAdapterPatch
|
|
81
|
+
else
|
|
82
|
+
Instrumentation::ExecuteAndClearAdapterPatch
|
|
83
|
+
end
|
|
84
|
+
|
|
85
|
+
if defined?(::ActiveRecord::ConnectionAdapters::JdbcAdapter)
|
|
86
|
+
instrumentation_module = if ::ActiveRecord.gem_version >= Gem::Version.new('7.1')
|
|
87
|
+
Instrumentation::InternalExecQueryAdapterPatch
|
|
88
|
+
elsif ::ActiveRecord.gem_version.segments.first == 4
|
|
89
|
+
Instrumentation::Rails4ExecQueryAdapterPatch
|
|
90
|
+
else
|
|
91
|
+
Instrumentation::ExecQueryAdapterPatch
|
|
92
|
+
end
|
|
93
|
+
end
|
|
94
|
+
|
|
95
|
+
::ActiveRecord::ConnectionAdapters::PostgreSQLAdapter.prepend(instrumentation_module)
|
|
96
|
+
end
|
|
97
|
+
end
|
|
98
|
+
end
|
|
99
|
+
end
|
|
100
|
+
end
|
|
101
|
+
end
|
|
@@ -9,7 +9,7 @@ module Datadog
|
|
|
9
9
|
def self.patch_all
|
|
10
10
|
integrations = []
|
|
11
11
|
|
|
12
|
-
Datadog::AppSec::Contrib::Integration.registry.
|
|
12
|
+
Datadog::AppSec::Contrib::Integration.registry.each_value do |integration|
|
|
13
13
|
next unless integration.klass.auto_instrument?
|
|
14
14
|
|
|
15
15
|
integrations << integration.name
|