datadog 2.7.1 → 2.9.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (133) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +69 -1
  3. data/ext/datadog_profiling_native_extension/clock_id.h +2 -2
  4. data/ext/datadog_profiling_native_extension/collectors_cpu_and_wall_time_worker.c +64 -54
  5. data/ext/datadog_profiling_native_extension/collectors_discrete_dynamic_sampler.c +1 -1
  6. data/ext/datadog_profiling_native_extension/collectors_discrete_dynamic_sampler.h +1 -1
  7. data/ext/datadog_profiling_native_extension/collectors_idle_sampling_helper.c +16 -16
  8. data/ext/datadog_profiling_native_extension/collectors_stack.c +7 -7
  9. data/ext/datadog_profiling_native_extension/collectors_thread_context.c +259 -132
  10. data/ext/datadog_profiling_native_extension/extconf.rb +0 -8
  11. data/ext/datadog_profiling_native_extension/heap_recorder.c +11 -89
  12. data/ext/datadog_profiling_native_extension/heap_recorder.h +1 -1
  13. data/ext/datadog_profiling_native_extension/http_transport.c +4 -4
  14. data/ext/datadog_profiling_native_extension/private_vm_api_access.c +4 -1
  15. data/ext/datadog_profiling_native_extension/private_vm_api_access.h +3 -1
  16. data/ext/datadog_profiling_native_extension/profiling.c +10 -8
  17. data/ext/datadog_profiling_native_extension/ruby_helpers.c +8 -8
  18. data/ext/datadog_profiling_native_extension/stack_recorder.c +54 -88
  19. data/ext/datadog_profiling_native_extension/stack_recorder.h +1 -1
  20. data/ext/datadog_profiling_native_extension/time_helpers.h +1 -1
  21. data/ext/datadog_profiling_native_extension/unsafe_api_calls_check.c +47 -0
  22. data/ext/datadog_profiling_native_extension/unsafe_api_calls_check.h +31 -0
  23. data/ext/libdatadog_api/crashtracker.c +3 -0
  24. data/ext/libdatadog_extconf_helpers.rb +1 -1
  25. data/lib/datadog/appsec/assets/waf_rules/recommended.json +355 -157
  26. data/lib/datadog/appsec/assets/waf_rules/strict.json +62 -32
  27. data/lib/datadog/appsec/component.rb +1 -8
  28. data/lib/datadog/appsec/context.rb +54 -0
  29. data/lib/datadog/appsec/contrib/active_record/instrumentation.rb +73 -0
  30. data/lib/datadog/appsec/contrib/active_record/integration.rb +41 -0
  31. data/lib/datadog/appsec/contrib/active_record/patcher.rb +53 -0
  32. data/lib/datadog/appsec/contrib/devise/patcher/authenticatable_patch.rb +6 -6
  33. data/lib/datadog/appsec/contrib/devise/patcher/registration_controller_patch.rb +4 -4
  34. data/lib/datadog/appsec/contrib/graphql/gateway/watcher.rb +19 -28
  35. data/lib/datadog/appsec/contrib/graphql/reactive/multiplex.rb +5 -5
  36. data/lib/datadog/appsec/contrib/rack/gateway/response.rb +3 -3
  37. data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb +64 -96
  38. data/lib/datadog/appsec/contrib/rack/reactive/request.rb +10 -10
  39. data/lib/datadog/appsec/contrib/rack/reactive/request_body.rb +5 -5
  40. data/lib/datadog/appsec/contrib/rack/reactive/response.rb +6 -6
  41. data/lib/datadog/appsec/contrib/rack/request_body_middleware.rb +10 -11
  42. data/lib/datadog/appsec/contrib/rack/request_middleware.rb +43 -49
  43. data/lib/datadog/appsec/contrib/rails/gateway/watcher.rb +21 -32
  44. data/lib/datadog/appsec/contrib/rails/patcher.rb +1 -1
  45. data/lib/datadog/appsec/contrib/rails/reactive/action.rb +6 -6
  46. data/lib/datadog/appsec/contrib/sinatra/gateway/watcher.rb +41 -63
  47. data/lib/datadog/appsec/contrib/sinatra/patcher.rb +2 -2
  48. data/lib/datadog/appsec/contrib/sinatra/reactive/routed.rb +5 -5
  49. data/lib/datadog/appsec/event.rb +6 -6
  50. data/lib/datadog/appsec/ext.rb +3 -1
  51. data/lib/datadog/appsec/monitor/gateway/watcher.rb +22 -32
  52. data/lib/datadog/appsec/monitor/reactive/set_user.rb +5 -5
  53. data/lib/datadog/appsec/processor/context.rb +2 -2
  54. data/lib/datadog/appsec/processor/rule_loader.rb +0 -3
  55. data/lib/datadog/appsec/remote.rb +1 -3
  56. data/lib/datadog/appsec/response.rb +7 -11
  57. data/lib/datadog/appsec.rb +6 -5
  58. data/lib/datadog/auto_instrument.rb +3 -0
  59. data/lib/datadog/core/configuration/agent_settings_resolver.rb +39 -11
  60. data/lib/datadog/core/configuration/components.rb +20 -2
  61. data/lib/datadog/core/configuration/settings.rb +10 -0
  62. data/lib/datadog/core/configuration.rb +10 -2
  63. data/lib/datadog/{tracing → core}/contrib/rails/utils.rb +1 -3
  64. data/lib/datadog/core/crashtracking/component.rb +1 -3
  65. data/lib/datadog/core/remote/client/capabilities.rb +6 -0
  66. data/lib/datadog/core/remote/client.rb +65 -59
  67. data/lib/datadog/core/telemetry/component.rb +9 -3
  68. data/lib/datadog/core/telemetry/event.rb +87 -3
  69. data/lib/datadog/core/telemetry/ext.rb +1 -0
  70. data/lib/datadog/core/telemetry/logging.rb +2 -2
  71. data/lib/datadog/core/telemetry/metric.rb +22 -0
  72. data/lib/datadog/core/telemetry/worker.rb +33 -0
  73. data/lib/datadog/di/base.rb +115 -0
  74. data/lib/datadog/di/code_tracker.rb +11 -7
  75. data/lib/datadog/di/component.rb +21 -11
  76. data/lib/datadog/di/configuration/settings.rb +11 -1
  77. data/lib/datadog/di/contrib/active_record.rb +1 -0
  78. data/lib/datadog/di/contrib/railtie.rb +15 -0
  79. data/lib/datadog/di/contrib.rb +26 -0
  80. data/lib/datadog/di/error.rb +5 -0
  81. data/lib/datadog/di/instrumenter.rb +111 -20
  82. data/lib/datadog/di/preload.rb +18 -0
  83. data/lib/datadog/di/probe.rb +11 -1
  84. data/lib/datadog/di/probe_builder.rb +1 -0
  85. data/lib/datadog/di/probe_manager.rb +8 -5
  86. data/lib/datadog/di/probe_notification_builder.rb +27 -7
  87. data/lib/datadog/di/probe_notifier_worker.rb +5 -6
  88. data/lib/datadog/di/remote.rb +124 -0
  89. data/lib/datadog/di/serializer.rb +14 -7
  90. data/lib/datadog/di/transport.rb +3 -5
  91. data/lib/datadog/di/utils.rb +7 -0
  92. data/lib/datadog/di.rb +23 -62
  93. data/lib/datadog/kit/appsec/events.rb +3 -3
  94. data/lib/datadog/kit/identity.rb +4 -4
  95. data/lib/datadog/profiling/component.rb +59 -69
  96. data/lib/datadog/profiling/http_transport.rb +1 -26
  97. data/lib/datadog/tracing/configuration/settings.rb +4 -8
  98. data/lib/datadog/tracing/contrib/action_cable/integration.rb +5 -2
  99. data/lib/datadog/tracing/contrib/action_mailer/integration.rb +6 -2
  100. data/lib/datadog/tracing/contrib/action_pack/integration.rb +5 -2
  101. data/lib/datadog/tracing/contrib/action_view/integration.rb +5 -2
  102. data/lib/datadog/tracing/contrib/active_job/integration.rb +5 -2
  103. data/lib/datadog/tracing/contrib/active_record/integration.rb +6 -2
  104. data/lib/datadog/tracing/contrib/active_support/cache/events/cache.rb +3 -1
  105. data/lib/datadog/tracing/contrib/active_support/cache/instrumentation.rb +3 -1
  106. data/lib/datadog/tracing/contrib/active_support/cache/redis.rb +16 -4
  107. data/lib/datadog/tracing/contrib/active_support/configuration/settings.rb +10 -0
  108. data/lib/datadog/tracing/contrib/active_support/integration.rb +5 -2
  109. data/lib/datadog/tracing/contrib/auto_instrument.rb +2 -2
  110. data/lib/datadog/tracing/contrib/aws/integration.rb +3 -0
  111. data/lib/datadog/tracing/contrib/concurrent_ruby/integration.rb +3 -0
  112. data/lib/datadog/tracing/contrib/elasticsearch/configuration/settings.rb +4 -0
  113. data/lib/datadog/tracing/contrib/elasticsearch/patcher.rb +6 -1
  114. data/lib/datadog/tracing/contrib/httprb/integration.rb +3 -0
  115. data/lib/datadog/tracing/contrib/kafka/integration.rb +3 -0
  116. data/lib/datadog/tracing/contrib/mongodb/integration.rb +3 -0
  117. data/lib/datadog/tracing/contrib/opensearch/integration.rb +3 -0
  118. data/lib/datadog/tracing/contrib/presto/integration.rb +3 -0
  119. data/lib/datadog/tracing/contrib/rack/integration.rb +2 -2
  120. data/lib/datadog/tracing/contrib/rails/framework.rb +2 -2
  121. data/lib/datadog/tracing/contrib/rails/patcher.rb +1 -1
  122. data/lib/datadog/tracing/contrib/rest_client/integration.rb +3 -0
  123. data/lib/datadog/tracing/span.rb +12 -4
  124. data/lib/datadog/tracing/span_event.rb +123 -3
  125. data/lib/datadog/tracing/span_operation.rb +6 -0
  126. data/lib/datadog/tracing/transport/serializable_trace.rb +24 -6
  127. data/lib/datadog/version.rb +2 -2
  128. data/lib/datadog.rb +3 -0
  129. metadata +30 -17
  130. data/lib/datadog/appsec/processor/actions.rb +0 -49
  131. data/lib/datadog/appsec/reactive/operation.rb +0 -68
  132. data/lib/datadog/appsec/scope.rb +0 -58
  133. data/lib/datadog/core/crashtracking/agent_base_url.rb +0 -21
data/lib/datadog/appsec/assets/waf_rules/strict.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "version": "2.2",
3
3
  "metadata": {
4
- "rules_version": "1.13.1"
4
+ "rules_version": "1.13.3"
5
5
  },
6
6
  "rules": [
7
7
  {
@@ -10,7 +10,8 @@
10
10
  "tags": {
11
11
  "type": "security_scanner",
12
12
  "crs_id": "913100",
13
- "category": "attack_attempt"
13
+ "category": "attack_attempt",
14
+ "module": "waf"
14
15
  },
15
16
  "conditions": [
16
17
  {
@@ -84,7 +85,8 @@
84
85
  "tags": {
85
86
  "type": "http_protocol_violation",
86
87
  "crs_id": "921120",
87
- "category": "attack_attempt"
88
+ "category": "attack_attempt",
89
+ "module": "waf"
88
90
  },
89
91
  "conditions": [
90
92
  {
@@ -127,7 +129,8 @@
127
129
  "crs_id": "921140",
128
130
  "category": "attack_attempt",
129
131
  "capec": "1000/210/272/220/273",
130
- "cwe": "113"
132
+ "cwe": "113",
133
+ "module": "waf"
131
134
  },
132
135
  "conditions": [
133
136
  {
@@ -154,7 +157,8 @@
154
157
  "tags": {
155
158
  "type": "command_injection",
156
159
  "crs_id": "932100",
157
- "category": "attack_attempt"
160
+ "category": "attack_attempt",
161
+ "module": "waf"
158
162
  },
159
163
  "conditions": [
160
164
  {
@@ -193,7 +197,8 @@
193
197
  "tags": {
194
198
  "type": "command_injection",
195
199
  "crs_id": "932115",
196
- "category": "attack_attempt"
200
+ "category": "attack_attempt",
201
+ "module": "waf"
197
202
  },
198
203
  "conditions": [
199
204
  {
@@ -690,7 +695,8 @@
690
695
  "tags": {
691
696
  "type": "command_injection",
692
697
  "crs_id": "932130",
693
- "category": "attack_attempt"
698
+ "category": "attack_attempt",
699
+ "module": "waf"
694
700
  },
695
701
  "conditions": [
696
702
  {
@@ -729,7 +735,8 @@
729
735
  "tags": {
730
736
  "type": "command_injection",
731
737
  "crs_id": "932150",
732
- "category": "attack_attempt"
738
+ "category": "attack_attempt",
739
+ "module": "waf"
733
740
  },
734
741
  "conditions": [
735
742
  {
@@ -768,7 +775,8 @@
768
775
  "tags": {
769
776
  "type": "php_code_injection",
770
777
  "crs_id": "933110",
771
- "category": "attack_attempt"
778
+ "category": "attack_attempt",
779
+ "module": "waf"
772
780
  },
773
781
  "conditions": [
774
782
  {
@@ -818,7 +826,8 @@
818
826
  "tags": {
819
827
  "type": "php_code_injection",
820
828
  "crs_id": "933180",
821
- "category": "attack_attempt"
829
+ "category": "attack_attempt",
830
+ "module": "waf"
822
831
  },
823
832
  "conditions": [
824
833
  {
@@ -857,7 +866,8 @@
857
866
  "tags": {
858
867
  "type": "php_code_injection",
859
868
  "crs_id": "933210",
860
- "category": "attack_attempt"
869
+ "category": "attack_attempt",
870
+ "module": "waf"
861
871
  },
862
872
  "conditions": [
863
873
  {
@@ -897,7 +907,8 @@
897
907
  "type": "xss",
898
908
  "crs_id": "941100",
899
909
  "category": "attack_attempt",
900
- "cwe": "79"
910
+ "cwe": "79",
911
+ "module": "waf"
901
912
  },
902
913
  "conditions": [
903
914
  {
@@ -948,7 +959,8 @@
948
959
  "tags": {
949
960
  "type": "xss",
950
961
  "crs_id": "941130",
951
- "category": "attack_attempt"
962
+ "category": "attack_attempt",
963
+ "module": "waf"
952
964
  },
953
965
  "conditions": [
954
966
  {
@@ -994,7 +1006,8 @@
994
1006
  "tags": {
995
1007
  "type": "xss",
996
1008
  "crs_id": "941150",
997
- "category": "attack_attempt"
1009
+ "category": "attack_attempt",
1010
+ "module": "waf"
998
1011
  },
999
1012
  "conditions": [
1000
1013
  {
@@ -1041,7 +1054,8 @@
1041
1054
  "tags": {
1042
1055
  "type": "xss",
1043
1056
  "crs_id": "941160",
1044
- "category": "attack_attempt"
1057
+ "category": "attack_attempt",
1058
+ "module": "waf"
1045
1059
  },
1046
1060
  "conditions": [
1047
1061
  {
@@ -1093,7 +1107,8 @@
1093
1107
  "tags": {
1094
1108
  "type": "xss",
1095
1109
  "crs_id": "941190",
1096
- "category": "attack_attempt"
1110
+ "category": "attack_attempt",
1111
+ "module": "waf"
1097
1112
  },
1098
1113
  "conditions": [
1099
1114
  {
@@ -1134,7 +1149,8 @@
1134
1149
  "tags": {
1135
1150
  "type": "xss",
1136
1151
  "crs_id": "941250",
1137
- "category": "attack_attempt"
1152
+ "category": "attack_attempt",
1153
+ "module": "waf"
1138
1154
  },
1139
1155
  "conditions": [
1140
1156
  {
@@ -1175,7 +1191,8 @@
1175
1191
  "tags": {
1176
1192
  "type": "xss",
1177
1193
  "crs_id": "941260",
1178
- "category": "attack_attempt"
1194
+ "category": "attack_attempt",
1195
+ "module": "waf"
1179
1196
  },
1180
1197
  "conditions": [
1181
1198
  {
@@ -1216,7 +1233,8 @@
1216
1233
  "tags": {
1217
1234
  "type": "xss",
1218
1235
  "crs_id": "941370",
1219
- "category": "attack_attempt"
1236
+ "category": "attack_attempt",
1237
+ "module": "waf"
1220
1238
  },
1221
1239
  "conditions": [
1222
1240
  {
@@ -1255,7 +1273,8 @@
1255
1273
  "tags": {
1256
1274
  "type": "js_code_injection",
1257
1275
  "crs_id": "941380",
1258
- "category": "attack_attempt"
1276
+ "category": "attack_attempt",
1277
+ "module": "waf"
1259
1278
  },
1260
1279
  "conditions": [
1261
1280
  {
@@ -1294,7 +1313,8 @@
1294
1313
  "tags": {
1295
1314
  "type": "sql_injection",
1296
1315
  "crs_id": "942151",
1297
- "category": "attack_attempt"
1316
+ "category": "attack_attempt",
1317
+ "module": "waf"
1298
1318
  },
1299
1319
  "conditions": [
1300
1320
  {
@@ -1333,7 +1353,8 @@
1333
1353
  "tags": {
1334
1354
  "type": "sql_injection",
1335
1355
  "crs_id": "942170",
1336
- "category": "attack_attempt"
1356
+ "category": "attack_attempt",
1357
+ "module": "waf"
1337
1358
  },
1338
1359
  "conditions": [
1339
1360
  {
@@ -1372,7 +1393,8 @@
1372
1393
  "type": "sql_injection",
1373
1394
  "crs_id": "942190",
1374
1395
  "category": "attack_attempt",
1375
- "cwe": "89"
1396
+ "cwe": "89",
1397
+ "module": "waf"
1376
1398
  },
1377
1399
  "conditions": [
1378
1400
  {
@@ -1413,7 +1435,8 @@
1413
1435
  "tags": {
1414
1436
  "type": "sql_injection",
1415
1437
  "crs_id": "942230",
1416
- "category": "attack_attempt"
1438
+ "category": "attack_attempt",
1439
+ "module": "waf"
1417
1440
  },
1418
1441
  "conditions": [
1419
1442
  {
@@ -1452,7 +1475,8 @@
1452
1475
  "tags": {
1453
1476
  "type": "sql_injection",
1454
1477
  "crs_id": "942320",
1455
- "category": "attack_attempt"
1478
+ "category": "attack_attempt",
1479
+ "module": "waf"
1456
1480
  },
1457
1481
  "conditions": [
1458
1482
  {
@@ -1490,7 +1514,8 @@
1490
1514
  "tags": {
1491
1515
  "type": "sql_injection",
1492
1516
  "crs_id": "942350",
1493
- "category": "attack_attempt"
1517
+ "category": "attack_attempt",
1518
+ "module": "waf"
1494
1519
  },
1495
1520
  "conditions": [
1496
1521
  {
@@ -1528,7 +1553,8 @@
1528
1553
  "tags": {
1529
1554
  "type": "java_code_injection",
1530
1555
  "crs_id": "944240",
1531
- "category": "attack_attempt"
1556
+ "category": "attack_attempt",
1557
+ "module": "waf"
1532
1558
  },
1533
1559
  "conditions": [
1534
1560
  {
@@ -1573,7 +1599,8 @@
1573
1599
  "type": "lfi",
1574
1600
  "category": "attack_attempt",
1575
1601
  "cwe": "22",
1576
- "capec": "1000/255/153/126"
1602
+ "capec": "1000/255/153/126",
1603
+ "module": "waf"
1577
1604
  },
1578
1605
  "conditions": [
1579
1606
  {
@@ -1612,7 +1639,8 @@
1612
1639
  "type": "lfi",
1613
1640
  "category": "attack_attempt",
1614
1641
  "cwe": "22",
1615
- "capec": "1000/255/153/126"
1642
+ "capec": "1000/255/153/126",
1643
+ "module": "waf"
1616
1644
  },
1617
1645
  "conditions": [
1618
1646
  {
@@ -1653,7 +1681,8 @@
1653
1681
  "tags": {
1654
1682
  "type": "nosql_injection",
1655
1683
  "category": "attack_attempt",
1656
- "cwe": "943"
1684
+ "cwe": "943",
1685
+ "module": "waf"
1657
1686
  },
1658
1687
  "conditions": [
1659
1688
  {
@@ -1689,7 +1718,8 @@
1689
1718
  "name": "Node.js: Prototype pollution",
1690
1719
  "tags": {
1691
1720
  "type": "js_code_injection",
1692
- "category": "attack_attempt"
1721
+ "category": "attack_attempt",
1722
+ "module": "waf"
1693
1723
  },
1694
1724
  "conditions": [
1695
1725
  {
@@ -3060,4 +3090,4 @@
3060
3090
  }
3061
3091
  }
3062
3092
  ]
3063
- }
3093
+ }
data/lib/datadog/appsec/component.rb CHANGED
@@ -3,7 +3,6 @@
3
3
  require_relative 'processor'
4
4
  require_relative 'processor/rule_merger'
5
5
  require_relative 'processor/rule_loader'
6
- require_relative 'processor/actions'
7
6
 
8
7
  module Datadog
9
8
  module AppSec
@@ -52,10 +51,6 @@ module Datadog
52
51
  )
53
52
  return nil unless rules
54
53
 
55
- actions = rules['actions']
56
-
57
- AppSec::Processor::Actions.merge(actions) if actions
58
-
59
54
  data = AppSec::Processor::RuleLoader.load_data(
60
55
  ip_denylist: settings.appsec.ip_denylist,
61
56
  user_id_denylist: settings.appsec.user_id_denylist,
@@ -84,10 +79,8 @@ module Datadog
84
79
  @mutex = Mutex.new
85
80
  end
86
81
 
87
- def reconfigure(ruleset:, actions:, telemetry:)
82
+ def reconfigure(ruleset:, telemetry:)
88
83
  @mutex.synchronize do
89
- AppSec::Processor::Actions.merge(actions)
90
-
91
84
  new = Processor.new(ruleset: ruleset, telemetry: telemetry)
92
85
 
93
86
  if new && new.ready?
data/lib/datadog/appsec/context.rb ADDED
@@ -0,0 +1,54 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Datadog
4
+ module AppSec
5
+ # This class accumulates the context over the request life-cycle and exposes
6
+ # interface sufficient for instrumentation to perform threat detection.
7
+ class Context
8
+ ActiveContextError = Class.new(StandardError)
9
+
10
+ attr_reader :trace, :span
11
+
12
+ # NOTE: This is an intermediate state and will be changed
13
+ attr_reader :waf_runner
14
+
15
+ class << self
16
+ def activate(context)
17
+ raise ArgumentError, 'not a Datadog::AppSec::Context' unless context.instance_of?(Context)
18
+ raise ActiveContextError, 'another context is active, nested contexts are not supported' if active
19
+
20
+ Thread.current[Ext::ACTIVE_CONTEXT_KEY] = context
21
+ end
22
+
23
+ def deactivate
24
+ active&.finalize
25
+ ensure
26
+ Thread.current[Ext::ACTIVE_CONTEXT_KEY] = nil
27
+ end
28
+
29
+ def active
30
+ Thread.current[Ext::ACTIVE_CONTEXT_KEY]
31
+ end
32
+ end
33
+
34
+ def initialize(trace, span, security_engine)
35
+ @trace = trace
36
+ @span = span
37
+ @security_engine = security_engine
38
+ @waf_runner = security_engine.new_context
39
+ end
40
+
41
+ def run_waf(persistent_data, ephemeral_data, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
42
+ @waf_runner.run(persistent_data, ephemeral_data, timeout)
43
+ end
44
+
45
+ def run_rasp(_type, persistent_data, ephemeral_data, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
46
+ @waf_runner.run(persistent_data, ephemeral_data, timeout)
47
+ end
48
+
49
+ def finalize
50
+ @waf_runner.finalize
51
+ end
52
+ end
53
+ end
54
+ end
data/lib/datadog/appsec/contrib/active_record/instrumentation.rb ADDED
@@ -0,0 +1,73 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Datadog
4
+ module AppSec
5
+ module Contrib
6
+ module ActiveRecord
7
+ # AppSec module that will be prepended to ActiveRecord adapter
8
+ module Instrumentation
9
+ module_function
10
+
11
+ def detect_sql_injection(sql, adapter_name)
12
+ context = AppSec.active_context
13
+ return unless context
14
+
15
+ # libddwaf expects db system to be lowercase,
16
+ # in case of sqlite adapter, libddwaf expects 'sqlite' as db system
17
+ db_system = adapter_name.downcase
18
+ db_system = 'sqlite' if db_system == 'sqlite3'
19
+
20
+ ephemeral_data = {
21
+ 'server.db.statement' => sql,
22
+ 'server.db.system' => db_system
23
+ }
24
+
25
+ waf_timeout = Datadog.configuration.appsec.waf_timeout
26
+ result = context.run_rasp(Ext::RASP_SQLI, {}, ephemeral_data, waf_timeout)
27
+
28
+ if result.status == :match
29
+ Datadog::AppSec::Event.tag_and_keep!(context, result)
30
+
31
+ event = {
32
+ waf_result: result,
33
+ trace: context.trace,
34
+ span: context.span,
35
+ sql: sql,
36
+ actions: result.actions
37
+ }
38
+ context.waf_runner.events << event
39
+ end
40
+ end
41
+
42
+ # patch for all adapters in ActiveRecord >= 7.1
43
+ module InternalExecQueryAdapterPatch
44
+ def internal_exec_query(sql, *args, **rest)
45
+ Instrumentation.detect_sql_injection(sql, adapter_name)
46
+
47
+ super
48
+ end
49
+ end
50
+
51
+ # patch for postgres adapter in ActiveRecord < 7.1
52
+ module ExecuteAndClearAdapterPatch
53
+ def execute_and_clear(sql, *args, **rest)
54
+ Instrumentation.detect_sql_injection(sql, adapter_name)
55
+
56
+ super
57
+ end
58
+ end
59
+
60
+ # patch for mysql2 and sqlite3 adapters in ActiveRecord < 7.1
61
+ # this patch is also used when using JDBC adapter
62
+ module ExecQueryAdapterPatch
63
+ def exec_query(sql, *args, **rest)
64
+ Instrumentation.detect_sql_injection(sql, adapter_name)
65
+
66
+ super
67
+ end
68
+ end
69
+ end
70
+ end
71
+ end
72
+ end
73
+ end
data/lib/datadog/appsec/contrib/active_record/integration.rb ADDED
@@ -0,0 +1,41 @@
1
+ # frozen_string_literal: true
2
+
3
+ require_relative '../integration'
4
+ require_relative 'patcher'
5
+
6
+ module Datadog
7
+ module AppSec
8
+ module Contrib
9
+ module ActiveRecord
10
+ # This class provides helper methods that are used when patching ActiveRecord
11
+ class Integration
12
+ include Datadog::AppSec::Contrib::Integration
13
+
14
+ MINIMUM_VERSION = Gem::Version.new('4')
15
+
16
+ register_as :active_record, auto_patch: false
17
+
18
+ def self.version
19
+ Gem.loaded_specs['activerecord'] && Gem.loaded_specs['activerecord'].version
20
+ end
21
+
22
+ def self.loaded?
23
+ !defined?(::ActiveRecord).nil?
24
+ end
25
+
26
+ def self.compatible?
27
+ super && version >= MINIMUM_VERSION
28
+ end
29
+
30
+ def self.auto_instrument?
31
+ true
32
+ end
33
+
34
+ def patcher
35
+ Patcher
36
+ end
37
+ end
38
+ end
39
+ end
40
+ end
41
+ end
data/lib/datadog/appsec/contrib/active_record/patcher.rb ADDED
@@ -0,0 +1,53 @@
1
+ # frozen_string_literal: true
2
+
3
+ require_relative '../patcher'
4
+ require_relative 'instrumentation'
5
+
6
+ module Datadog
7
+ module AppSec
8
+ module Contrib
9
+ module ActiveRecord
10
+ # AppSec patcher module for ActiveRecord
11
+ module Patcher
12
+ include Datadog::AppSec::Contrib::Patcher
13
+
14
+ module_function
15
+
16
+ def patched?
17
+ Patcher.instance_variable_get(:@patched)
18
+ end
19
+
20
+ def target_version
21
+ Integration.version
22
+ end
23
+
24
+ def patch
25
+ ActiveSupport.on_load :active_record do
26
+ instrumentation_module = if ::ActiveRecord.gem_version >= Gem::Version.new('7.1')
27
+ Instrumentation::InternalExecQueryAdapterPatch
28
+ else
29
+ Instrumentation::ExecQueryAdapterPatch
30
+ end
31
+
32
+ if defined?(::ActiveRecord::ConnectionAdapters::SQLite3Adapter)
33
+ ::ActiveRecord::ConnectionAdapters::SQLite3Adapter.prepend(instrumentation_module)
34
+ end
35
+
36
+ if defined?(::ActiveRecord::ConnectionAdapters::Mysql2Adapter)
37
+ ::ActiveRecord::ConnectionAdapters::Mysql2Adapter.prepend(instrumentation_module)
38
+ end
39
+
40
+ if defined?(::ActiveRecord::ConnectionAdapters::PostgreSQLAdapter)
41
+ unless defined?(::ActiveRecord::ConnectionAdapters::JdbcAdapter)
42
+ instrumentation_module = Instrumentation::ExecuteAndClearAdapterPatch
43
+ end
44
+
45
+ ::ActiveRecord::ConnectionAdapters::PostgreSQLAdapter.prepend(instrumentation_module)
46
+ end
47
+ end
48
+ end
49
+ end
50
+ end
51
+ end
52
+ end
53
+ end
data/lib/datadog/appsec/contrib/devise/patcher/authenticatable_patch.rb CHANGED
@@ -23,9 +23,9 @@ module Datadog
23
23
 
24
24
  automated_track_user_events_mode = track_user_events_configuration.mode
25
25
 
26
- appsec_scope = Datadog::AppSec.active_scope
26
+ appsec_context = Datadog::AppSec.active_context
27
27
 
28
- return result unless appsec_scope
28
+ return result unless appsec_context
29
29
 
30
30
  devise_resource = resource ? Resource.new(resource) : nil
31
31
 
@@ -39,8 +39,8 @@ module Datadog
39
39
  end
40
40
 
41
41
  Tracking.track_login_success(
42
- appsec_scope.trace,
43
- appsec_scope.service_entry_span,
42
+ appsec_context.trace,
43
+ appsec_context.span,
44
44
  user_id: event_information.user_id,
45
45
  **event_information.to_h
46
46
  )
@@ -59,8 +59,8 @@ module Datadog
59
59
  end
60
60
 
61
61
  Tracking.track_login_failure(
62
- appsec_scope.trace,
63
- appsec_scope.service_entry_span,
62
+ appsec_context.trace,
63
+ appsec_context.span,
64
64
  user_id: event_information.user_id,
65
65
  user_exists: user_exists,
66
66
  **event_information.to_h
data/lib/datadog/appsec/contrib/devise/patcher/registration_controller_patch.rb CHANGED
@@ -20,8 +20,8 @@ module Datadog
20
20
 
21
21
  automated_track_user_events_mode = track_user_events_configuration.mode
22
22
 
23
- appsec_scope = Datadog::AppSec.active_scope
24
- return super unless appsec_scope
23
+ appsec_context = Datadog::AppSec.active_context
24
+ return super unless appsec_context
25
25
 
26
26
  super do |resource|
27
27
  if resource.persisted?
@@ -36,8 +36,8 @@ module Datadog
36
36
  end
37
37
 
38
38
  Tracking.track_signup(
39
- appsec_scope.trace,
40
- appsec_scope.service_entry_span,
39
+ appsec_context.trace,
40
+ appsec_context.span,
41
41
  user_id: event_information.user_id,
42
42
  **event_information.to_h
43
43
  )
data/lib/datadog/appsec/contrib/graphql/gateway/watcher.rb CHANGED
@@ -2,8 +2,8 @@
2
2
 
3
3
  require 'json'
4
4
  require_relative '../../../instrumentation/gateway'
5
+ require_relative '../../../reactive/engine'
5
6
  require_relative '../reactive/multiplex'
6
- require_relative '../../../reactive/operation'
7
7
 
8
8
  module Datadog
9
9
  module AppSec
@@ -24,38 +24,29 @@ module Datadog
24
24
  gateway.watch('graphql.multiplex', :appsec) do |stack, gateway_multiplex|
25
25
  block = false
26
26
  event = nil
27
-
28
- scope = AppSec::Scope.active_scope
29
-
30
- if scope
31
- AppSec::Reactive::Operation.new('graphql.multiplex') do |op|
32
- GraphQL::Reactive::Multiplex.subscribe(op, scope.processor_context) do |result|
33
- event = {
34
- waf_result: result,
35
- trace: scope.trace,
36
- span: scope.service_entry_span,
37
- multiplex: gateway_multiplex,
38
- actions: result.actions
39
- }
40
-
41
- Datadog::AppSec::Event.tag_and_keep!(scope, result)
42
- scope.processor_context.events << event
43
- end
44
-
45
- block = GraphQL::Reactive::Multiplex.publish(op, gateway_multiplex)
27
+ context = AppSec::Context.active
28
+ engine = AppSec::Reactive::Engine.new
29
+
30
+ if context
31
+ GraphQL::Reactive::Multiplex.subscribe(engine, context) do |result|
32
+ event = {
33
+ waf_result: result,
34
+ trace: context.trace,
35
+ span: context.span,
36
+ multiplex: gateway_multiplex,
37
+ actions: result.actions
38
+ }
39
+
40
+ Datadog::AppSec::Event.tag_and_keep!(context, result)
41
+ context.waf_runner.events << event
46
42
  end
43
+
44
+ block = GraphQL::Reactive::Multiplex.publish(engine, gateway_multiplex)
47
45
  end
48
46
 
49
47
  next [nil, [[:block, event]]] if block
50
48
 
51
- ret, res = stack.call(gateway_multiplex.arguments)
52
-
53
- if event
54
- res ||= []
55
- res << [:monitor, event]
56
- end
57
-
58
- [ret, res]
49
+ stack.call(gateway_multiplex.arguments)
59
50
  end
60
51
  end
61
52
  end