datadog 2.8.0 → 2.9.0

data/lib/datadog/appsec/assets/waf_rules/strict.json

@@ -1,7 +1,7 @@
 {
   "version": "2.2",
   "metadata": {
-    "rules_version": "1.13.1"
+    "rules_version": "1.13.3"
   },
   "rules": [
     {
@@ -10,7 +10,8 @@
       "tags": {
         "type": "security_scanner",
         "crs_id": "913100",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -84,7 +85,8 @@
       "tags": {
         "type": "http_protocol_violation",
         "crs_id": "921120",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -127,7 +129,8 @@
         "crs_id": "921140",
         "category": "attack_attempt",
         "capec": "1000/210/272/220/273",
-        "cwe": "113"
+        "cwe": "113",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -154,7 +157,8 @@
       "tags": {
         "type": "command_injection",
         "crs_id": "932100",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -193,7 +197,8 @@
       "tags": {
         "type": "command_injection",
         "crs_id": "932115",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -690,7 +695,8 @@
       "tags": {
         "type": "command_injection",
         "crs_id": "932130",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -729,7 +735,8 @@
       "tags": {
         "type": "command_injection",
         "crs_id": "932150",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -768,7 +775,8 @@
       "tags": {
         "type": "php_code_injection",
         "crs_id": "933110",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -818,7 +826,8 @@
       "tags": {
         "type": "php_code_injection",
         "crs_id": "933180",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -857,7 +866,8 @@
       "tags": {
         "type": "php_code_injection",
         "crs_id": "933210",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -897,7 +907,8 @@
         "type": "xss",
         "crs_id": "941100",
         "category": "attack_attempt",
-        "cwe": "79"
+        "cwe": "79",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -948,7 +959,8 @@
       "tags": {
         "type": "xss",
         "crs_id": "941130",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -994,7 +1006,8 @@
       "tags": {
         "type": "xss",
         "crs_id": "941150",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -1041,7 +1054,8 @@
       "tags": {
         "type": "xss",
         "crs_id": "941160",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -1093,7 +1107,8 @@
       "tags": {
         "type": "xss",
         "crs_id": "941190",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -1134,7 +1149,8 @@
       "tags": {
         "type": "xss",
         "crs_id": "941250",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -1175,7 +1191,8 @@
       "tags": {
         "type": "xss",
         "crs_id": "941260",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -1216,7 +1233,8 @@
       "tags": {
         "type": "xss",
         "crs_id": "941370",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -1255,7 +1273,8 @@
       "tags": {
         "type": "js_code_injection",
         "crs_id": "941380",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -1294,7 +1313,8 @@
       "tags": {
         "type": "sql_injection",
         "crs_id": "942151",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -1333,7 +1353,8 @@
       "tags": {
         "type": "sql_injection",
         "crs_id": "942170",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -1372,7 +1393,8 @@
         "type": "sql_injection",
         "crs_id": "942190",
         "category": "attack_attempt",
-        "cwe": "89"
+        "cwe": "89",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -1413,7 +1435,8 @@
       "tags": {
         "type": "sql_injection",
         "crs_id": "942230",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -1452,7 +1475,8 @@
       "tags": {
         "type": "sql_injection",
         "crs_id": "942320",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -1490,7 +1514,8 @@
       "tags": {
         "type": "sql_injection",
         "crs_id": "942350",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -1528,7 +1553,8 @@
       "tags": {
         "type": "java_code_injection",
         "crs_id": "944240",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -1573,7 +1599,8 @@
         "type": "lfi",
         "category": "attack_attempt",
         "cwe": "22",
-        "capec": "1000/255/153/126"
+        "capec": "1000/255/153/126",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -1612,7 +1639,8 @@
         "type": "lfi",
         "category": "attack_attempt",
         "cwe": "22",
-        "capec": "1000/255/153/126"
+        "capec": "1000/255/153/126",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -1653,7 +1681,8 @@
       "tags": {
         "type": "nosql_injection",
         "category": "attack_attempt",
-        "cwe": "943"
+        "cwe": "943",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -1689,7 +1718,8 @@
       "name": "Node.js: Prototype pollution",
       "tags": {
         "type": "js_code_injection",
-        "category": "attack_attempt"
+        "category": "attack_attempt",
+        "module": "waf"
       },
       "conditions": [
         {
@@ -3060,4 +3090,4 @@
       }
     }
   ]
-}
+}

data/lib/datadog/appsec/context.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    # This class accumulates the context over the request life-cycle and exposes
+    # interface sufficient for instrumentation to perform threat detection.
+    class Context
+      ActiveContextError = Class.new(StandardError)
+
+      attr_reader :trace, :span
+
+      # NOTE: This is an intermediate state and will be changed
+      attr_reader :waf_runner
+
+      class << self
+        def activate(context)
+          raise ArgumentError, 'not a Datadog::AppSec::Context' unless context.instance_of?(Context)
+          raise ActiveContextError, 'another context is active, nested contexts are not supported' if active
+
+          Thread.current[Ext::ACTIVE_CONTEXT_KEY] = context
+        end
+
+        def deactivate
+          active&.finalize
+        ensure
+          Thread.current[Ext::ACTIVE_CONTEXT_KEY] = nil
+        end
+
+        def active
+          Thread.current[Ext::ACTIVE_CONTEXT_KEY]
+        end
+      end
+
+      def initialize(trace, span, security_engine)
+        @trace = trace
+        @span = span
+        @security_engine = security_engine
+        @waf_runner = security_engine.new_context
+      end
+
+      def run_waf(persistent_data, ephemeral_data, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
+        @waf_runner.run(persistent_data, ephemeral_data, timeout)
+      end
+
+      def run_rasp(_type, persistent_data, ephemeral_data, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
+        @waf_runner.run(persistent_data, ephemeral_data, timeout)
+      end
+
+      def finalize
+        @waf_runner.finalize
+      end
+    end
+  end
+end

data/lib/datadog/appsec/contrib/active_record/instrumentation.rb

@@ -9,8 +9,8 @@ module Datadog
           module_function
 
           def detect_sql_injection(sql, adapter_name)
-            scope = AppSec.active_scope
-            return unless scope
+            context = AppSec.active_context
+            return unless context
 
             # libddwaf expects db system to be lowercase,
             # in case of sqlite adapter, libddwaf expects 'sqlite' as db system
@@ -23,19 +23,19 @@ module Datadog
             }
 
             waf_timeout = Datadog.configuration.appsec.waf_timeout
-            result = scope.processor_context.run({}, ephemeral_data, waf_timeout)
+            result = context.run_rasp(Ext::RASP_SQLI, {}, ephemeral_data, waf_timeout)
 
             if result.status == :match
-              Datadog::AppSec::Event.tag_and_keep!(scope, result)
+              Datadog::AppSec::Event.tag_and_keep!(context, result)
 
               event = {
                 waf_result: result,
-                trace: scope.trace,
-                span: scope.service_entry_span,
+                trace: context.trace,
+                span: context.span,
                 sql: sql,
                 actions: result.actions
               }
-              scope.processor_context.events << event
+              context.waf_runner.events << event
             end
           end
 

data/lib/datadog/appsec/contrib/devise/patcher/authenticatable_patch.rb

@@ -23,9 +23,9 @@ module Datadog
 
               automated_track_user_events_mode = track_user_events_configuration.mode
 
-              appsec_scope = Datadog::AppSec.active_scope
+              appsec_context = Datadog::AppSec.active_context
 
-              return result unless appsec_scope
+              return result unless appsec_context
 
               devise_resource = resource ? Resource.new(resource) : nil
 
@@ -39,8 +39,8 @@ module Datadog
                 end
 
                 Tracking.track_login_success(
-                  appsec_scope.trace,
-                  appsec_scope.service_entry_span,
+                  appsec_context.trace,
+                  appsec_context.span,
                   user_id: event_information.user_id,
                   **event_information.to_h
                 )
@@ -59,8 +59,8 @@ module Datadog
               end
 
               Tracking.track_login_failure(
-                appsec_scope.trace,
-                appsec_scope.service_entry_span,
+                appsec_context.trace,
+                appsec_context.span,
                 user_id: event_information.user_id,
                 user_exists: user_exists,
                 **event_information.to_h

data/lib/datadog/appsec/contrib/devise/patcher/registration_controller_patch.rb

@@ -20,8 +20,8 @@ module Datadog
 
               automated_track_user_events_mode = track_user_events_configuration.mode
 
-              appsec_scope = Datadog::AppSec.active_scope
-              return super unless appsec_scope
+              appsec_context = Datadog::AppSec.active_context
+              return super unless appsec_context
 
               super do |resource|
                 if resource.persisted?
@@ -36,8 +36,8 @@ module Datadog
                   end
 
                   Tracking.track_signup(
-                    appsec_scope.trace,
-                    appsec_scope.service_entry_span,
+                    appsec_context.trace,
+                    appsec_context.span,
                     user_id: event_information.user_id,
                     **event_information.to_h
                   )

data/lib/datadog/appsec/contrib/graphql/gateway/watcher.rb

@@ -2,8 +2,8 @@
 
 require 'json'
 require_relative '../../../instrumentation/gateway'
+require_relative '../../../reactive/engine'
 require_relative '../reactive/multiplex'
-require_relative '../../../reactive/operation'
 
 module Datadog
   module AppSec
@@ -24,38 +24,29 @@ module Datadog
                 gateway.watch('graphql.multiplex', :appsec) do |stack, gateway_multiplex|
                   block = false
                   event = nil
-
-                  scope = AppSec::Scope.active_scope
-
-                  if scope
-                    AppSec::Reactive::Operation.new('graphql.multiplex') do |op|
-                      GraphQL::Reactive::Multiplex.subscribe(op, scope.processor_context) do |result|
-                        event = {
-                          waf_result: result,
-                          trace: scope.trace,
-                          span: scope.service_entry_span,
-                          multiplex: gateway_multiplex,
-                          actions: result.actions
-                        }
-
-                        Datadog::AppSec::Event.tag_and_keep!(scope, result)
-                        scope.processor_context.events << event
-                      end
-
-                      block = GraphQL::Reactive::Multiplex.publish(op, gateway_multiplex)
+                  context = AppSec::Context.active
+                  engine = AppSec::Reactive::Engine.new
+
+                  if context
+                    GraphQL::Reactive::Multiplex.subscribe(engine, context) do |result|
+                      event = {
+                        waf_result: result,
+                        trace: context.trace,
+                        span: context.span,
+                        multiplex: gateway_multiplex,
+                        actions: result.actions
+                      }
+
+                      Datadog::AppSec::Event.tag_and_keep!(context, result)
+                      context.waf_runner.events << event
                     end
+
+                    block = GraphQL::Reactive::Multiplex.publish(engine, gateway_multiplex)
                   end
 
                   next [nil, [[:block, event]]] if block
 
-                  ret, res = stack.call(gateway_multiplex.arguments)
-
-                  if event
-                    res ||= []
-                    res << [:monitor, event]
-                  end
-
-                  [ret, res]
+                  stack.call(gateway_multiplex.arguments)
                 end
               end
             end

data/lib/datadog/appsec/contrib/graphql/reactive/multiplex.rb

@@ -12,16 +12,16 @@ module Datadog
             ].freeze
             private_constant :ADDRESSES
 
-            def self.publish(op, gateway_multiplex)
+            def self.publish(engine, gateway_multiplex)
               catch(:block) do
-                op.publish('graphql.server.all_resolvers', gateway_multiplex.arguments)
+                engine.publish('graphql.server.all_resolvers', gateway_multiplex.arguments)
 
                 nil
               end
             end
 
-            def self.subscribe(op, waf_context)
-              op.subscribe(*ADDRESSES) do |*values|
+            def self.subscribe(engine, context)
+              engine.subscribe(*ADDRESSES) do |*values|
                 Datadog.logger.debug { "reacted to #{ADDRESSES.inspect}: #{values.inspect}" }
                 arguments = values[0]
 
@@ -30,7 +30,7 @@ module Datadog
                 }
 
                 waf_timeout = Datadog.configuration.appsec.waf_timeout
-                result = waf_context.run(persistent_data, {}, waf_timeout)
+                result = context.run_waf(persistent_data, {}, waf_timeout)
 
                 next if result.status != :match
 

data/lib/datadog/appsec/contrib/rack/gateway/response.rb

@@ -9,14 +9,14 @@ module Datadog
         module Gateway
           # Gateway Response argument.
           class Response < Instrumentation::Gateway::Argument
-            attr_reader :body, :status, :headers, :scope
+            attr_reader :body, :status, :headers, :context
 
-            def initialize(body, status, headers, scope:)
+            def initialize(body, status, headers, context:)
               super()
               @body = body
               @status = status
               @headers = headers.each_with_object({}) { |(k, v), h| h[k.downcase] = v }
-              @scope = scope
+              @context = context
             end
 
             def response