RubyGems - datadog - Versions diffs - 2.9.0 → 2.11.0 - Mend

datadog 2.9.0 → 2.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (131) hide show

data/lib/datadog/appsec/contrib/devise/patcher/authenticatable_patch.rb CHANGED Viewed

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
+require_relative '../configuration'
 require_relative '../tracking'
 require_relative '../resource'
 require_relative '../event'
@@ -14,33 +15,27 @@ module Datadog
             # rubocop:disable Metrics/MethodLength
             def validate(resource, &block)
               result = super
-              return result unless AppSec.enabled?
-              return result if @_datadog_skip_track_login_event
-              track_user_events_configuration = Datadog.configuration.appsec.track_user_events
-              return result unless track_user_events_configuration.enabled
-              automated_track_user_events_mode = track_user_events_configuration.mode
-              appsec_context = Datadog::AppSec.active_context
-              return result unless appsec_context
+              return result unless AppSec.enabled?
+              return result if @_datadog_appsec_skip_track_login_event
+              return result unless Configuration.auto_user_instrumentation_enabled?
+              return result unless AppSec.active_context
               devise_resource = resource ? Resource.new(resource) : nil
-              event_information = Event.new(devise_resource, automated_track_user_events_mode)
+              event_information = Event.new(devise_resource, Configuration.auto_user_instrumentation_mode)
               if result
                 if event_information.user_id
-                  Datadog.logger.debug { 'User Login Event success' }
+                  Datadog.logger.debug { 'AppSec: User successful login event' }
                 else
-                  Datadog.logger.debug { 'User Login Event success, but can\'t extract user ID. Tracking empty event' }
+                  Datadog.logger.debug do
+                    "AppSec: User successful login event, but can't extract user ID. Tracking empty event"
+                  end
                 end
                 Tracking.track_login_success(
-                  appsec_context.trace,
-                  appsec_context.span,
+                  AppSec.active_context.trace,
+                  AppSec.active_context.span,
                   user_id: event_information.user_id,
                   **event_information.to_h
                 )
@@ -52,15 +47,15 @@ module Datadog
               if resource
                 user_exists = true
-                Datadog.logger.debug { 'User Login Event failure users exists' }
+                Datadog.logger.debug { 'AppSec: User failed login event, but user exists' }
               else
                 user_exists = false
-                Datadog.logger.debug { 'User Login Event failure user do not exists' }
+                Datadog.logger.debug { 'AppSec: User failed login event and user does not exist' }
               end
               Tracking.track_login_failure(
-                appsec_context.trace,
-                appsec_context.span,
+                AppSec.active_context.trace,
+                AppSec.active_context.span,
                 user_id: event_information.user_id,
                 user_exists: user_exists,
                 **event_information.to_h

data/lib/datadog/appsec/contrib/devise/patcher/registration_controller_patch.rb CHANGED Viewed

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
+require_relative '../configuration'
 require_relative '../tracking'
 require_relative '../resource'
 require_relative '../event'
@@ -13,31 +14,23 @@ module Datadog
           module RegistrationControllerPatch
             def create
               return super unless AppSec.enabled?
-              track_user_events_configuration = Datadog.configuration.appsec.track_user_events
-              return super unless track_user_events_configuration.enabled
-              automated_track_user_events_mode = track_user_events_configuration.mode
-              appsec_context = Datadog::AppSec.active_context
-              return super unless appsec_context
+              return super unless Configuration.auto_user_instrumentation_enabled?
+              return super unless AppSec.active_context
               super do |resource|
                 if resource.persisted?
                   devise_resource = Resource.new(resource)
-                  event_information = Event.new(devise_resource, automated_track_user_events_mode)
+                  event_information = Event.new(devise_resource, Configuration.auto_user_instrumentation_mode)
                   if event_information.user_id
-                    Datadog.logger.debug { 'User Signup Event' }
+                    Datadog.logger.debug { 'AppSec: User signup event' }
                   else
-                    Datadog.logger.warn { 'User Signup Event, but can\'t extract user ID. Tracking empty event' }
+                    Datadog.logger.warn { "AppSec: User signup event, but can't extract user ID. Tracking empty event" }
                   end
                   Tracking.track_signup(
-                    appsec_context.trace,
-                    appsec_context.span,
+                    AppSec.active_context.trace,
+                    AppSec.active_context.span,
                     user_id: event_information.user_id,
                     **event_information.to_h
                   )

data/lib/datadog/appsec/contrib/devise/patcher/rememberable_patch.rb CHANGED Viewed

@@ -9,7 +9,7 @@ module Datadog
           # Rememberable strategy as Login Success events.
           module RememberablePatch
             def validate(*args)
-              @_datadog_skip_track_login_event = true
+              @_datadog_appsec_skip_track_login_event = true
               super
             end

data/lib/datadog/appsec/contrib/devise/patcher.rb CHANGED Viewed

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
-require_relative '../patcher'
 require_relative 'patcher/authenticatable_patch'
 require_relative 'patcher/rememberable_patch'
 require_relative 'patcher/registration_controller_patch'
@@ -11,8 +10,6 @@ module Datadog
       module Devise
         # Patcher for AppSec on Devise
         module Patcher
-          include Datadog::AppSec::Contrib::Patcher
           module_function
           def patched?

data/lib/datadog/appsec/contrib/devise/tracking.rb CHANGED Viewed

@@ -40,7 +40,7 @@ module Datadog
             return if trace.nil? || span.nil?
             span.set_tag("appsec.events.#{event}.track", 'true')
-            span.set_tag("_dd.appsec.events.#{event}.auto.mode", Datadog.configuration.appsec.track_user_events.mode)
+            span.set_tag("_dd.appsec.events.#{event}.auto.mode", Configuration.track_user_events_mode)
             others.each do |k, v|
               raise ArgumentError, 'key cannot be :track' if k.to_sym == :track

data/lib/datadog/appsec/contrib/excon/integration.rb ADDED Viewed

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+require_relative '../integration'
+require_relative 'patcher'
+module Datadog
+  module AppSec
+    module Contrib
+      module Excon
+        # This class provides helper methods that are used when patching Excon
+        class Integration
+          include Datadog::AppSec::Contrib::Integration
+          MINIMUM_VERSION = Gem::Version.new('0.50.0')
+          register_as :excon
+          def self.version
+            Gem.loaded_specs['excon'] && Gem.loaded_specs['excon'].version
+          end
+          def self.loaded?
+            !defined?(::Excon).nil?
+          end
+          def self.compatible?
+            super && version >= MINIMUM_VERSION
+          end
+          def self.auto_instrument?
+            false
+          end
+          def patcher
+            Patcher
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/contrib/excon/patcher.rb ADDED Viewed

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+module Datadog
+  module AppSec
+    module Contrib
+      module Excon
+        # AppSec patcher module for Excon
+        module Patcher
+          module_function
+          def patched?
+            Patcher.instance_variable_get(:@patched)
+          end
+          def target_version
+            Integration.version
+          end
+          def patch
+            require_relative 'ssrf_detection_middleware'
+            ::Excon.defaults[:middlewares].insert(0, SSRFDetectionMiddleware)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/contrib/excon/ssrf_detection_middleware.rb ADDED Viewed

@@ -0,0 +1,43 @@
+# rubocop:disable Naming/FileName
+# frozen_string_literal: true
+require 'excon'
+module Datadog
+  module AppSec
+    module Contrib
+      module Excon
+        # AppSec Middleware for Excon
+        class SSRFDetectionMiddleware < ::Excon::Middleware::Base
+          def request_call(data)
+            return super unless AppSec.rasp_enabled? && AppSec.active_context
+            context = AppSec.active_context
+            request_url = URI.join("#{data[:scheme]}://#{data[:host]}", data[:path]).to_s
+            ephemeral_data = { 'server.io.net.url' => request_url }
+            result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, Datadog.configuration.appsec.waf_timeout)
+            if result.match?
+              Datadog::AppSec::Event.tag_and_keep!(context, result)
+              context.events << {
+                waf_result: result,
+                trace: context.trace,
+                span: context.span,
+                request_url: request_url,
+                actions: result.actions
+              }
+              ActionsHandler.handle(result.actions)
+            end
+            super
+          end
+        end
+      end
+    end
+  end
+end
+# rubocop:enable Naming/FileName

data/lib/datadog/appsec/contrib/faraday/connection_patch.rb ADDED Viewed

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+module Datadog
+  module AppSec
+    module Contrib
+      module Faraday
+        # Handles installation of our middleware if the user has *not*
+        # already explicitly configured our middleware for this correction.
+        #
+        # Wraps Faraday::Connection#initialize:
+        # https://github.com/lostisland/faraday/blob/ff9dc1d1219a1bbdba95a9a4cf5d135b97247ee2/lib/faraday/connection.rb#L62-L92
+        module ConnectionPatch
+          def initialize(*args, &block)
+            super.tap do
+              use(:datadog_appsec) unless builder.handlers.any? { |h| h.klass == SSRFDetectionMiddleware }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/contrib/faraday/integration.rb ADDED Viewed

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+require_relative '../integration'
+require_relative 'patcher'
+module Datadog
+  module AppSec
+    module Contrib
+      module Faraday
+        # This class provides helper methods that are used when patching Faraday
+        class Integration
+          include Datadog::AppSec::Contrib::Integration
+          MINIMUM_VERSION = Gem::Version.new('0.14.0')
+          register_as :faraday, auto_patch: true
+          def self.version
+            Gem.loaded_specs['faraday'] && Gem.loaded_specs['faraday'].version
+          end
+          def self.loaded?
+            !defined?(::Faraday).nil?
+          end
+          def self.compatible?
+            super && version >= MINIMUM_VERSION
+          end
+          def self.auto_instrument?
+            true
+          end
+          def patcher
+            Patcher
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/contrib/faraday/patcher.rb ADDED Viewed

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+module Datadog
+  module AppSec
+    module Contrib
+      module Faraday
+        # Patcher for Faraday
+        module Patcher
+          module_function
+          def patched?
+            Patcher.instance_variable_get(:@patched)
+          end
+          def target_version
+            Integration.version
+          end
+          def patch
+            require_relative 'ssrf_detection_middleware'
+            require_relative 'connection_patch'
+            require_relative 'rack_builder_patch'
+            ::Faraday::Middleware.register_middleware(datadog_appsec: SSRFDetectionMiddleware)
+            configure_default_faraday_connection
+            Patcher.instance_variable_set(:@patched, true)
+          end
+          def configure_default_faraday_connection
+            if target_version >= Gem::Version.new('1.0.0')
+              # Patch the default connection (e.g. +Faraday.get+)
+              ::Faraday.default_connection.use(:datadog_appsec)
+              # Patch new connection instances (e.g. +Faraday.new+)
+              ::Faraday::Connection.prepend(ConnectionPatch)
+            else
+              # Patch the default connection (e.g. +Faraday.get+)
+              #
+              # We insert our middleware before the 'adapter', which is
+              # always the last handler.
+              idx = ::Faraday.default_connection.builder.handlers.size - 1
+              ::Faraday.default_connection.builder.insert(idx, SSRFDetectionMiddleware)
+              # Patch new connection instances (e.g. +Faraday.new+)
+              ::Faraday::RackBuilder.prepend(RackBuilderPatch)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/contrib/faraday/rack_builder_patch.rb ADDED Viewed

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+module Datadog
+  module AppSec
+    module Contrib
+      module Faraday
+        # Handles installation of our middleware if the user has *not*
+        # already explicitly configured it for this correction.
+        #
+        # RackBuilder class was introduced in faraday 0.9.0:
+        # https://github.com/lostisland/faraday/commit/77d7546d6d626b91086f427c56bc2cdd951353b3
+        module RackBuilderPatch
+          def adapter(*args)
+            use(:datadog_appsec) unless @handlers.any? { |h| h.klass == SSRFDetectionMiddleware }
+            super
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/contrib/faraday/ssrf_detection_middleware.rb ADDED Viewed

@@ -0,0 +1,42 @@
+# rubocop:disable Naming/FileName
+# frozen_string_literal: true
+module Datadog
+  module AppSec
+    module Contrib
+      module Faraday
+        # AppSec SSRF detection Middleware for Faraday
+        class SSRFDetectionMiddleware < ::Faraday::Middleware
+          def call(request_env)
+            context = AppSec.active_context
+            return @app.call(request_env) unless context && AppSec.rasp_enabled?
+            ephemeral_data = {
+              'server.io.net.url' => request_env.url.to_s
+            }
+            result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, Datadog.configuration.appsec.waf_timeout)
+            if result.match?
+              Datadog::AppSec::Event.tag_and_keep!(context, result)
+              context.events << {
+                waf_result: result,
+                trace: context.trace,
+                span: context.span,
+                request_url: request_env.url,
+                actions: result.actions
+              }
+              ActionsHandler.handle(result.actions)
+            end
+            @app.call(request_env)
+          end
+        end
+      end
+    end
+  end
+end
+# rubocop:enable Naming/FileName

data/lib/datadog/appsec/contrib/graphql/appsec_trace.rb CHANGED Viewed

@@ -16,16 +16,10 @@ module Datadog
             gateway_multiplex = Gateway::Multiplex.new(multiplex)
-            multiplex_return, multiplex_response = Instrumentation.gateway.push('graphql.multiplex', gateway_multiplex) do
+            multiplex_return, _gateway_multiplex = Instrumentation.gateway.push('graphql.multiplex', gateway_multiplex) do
               super
             end
-            # Returns an error * the number of queries so that the entire multiplex is blocked
-            if multiplex_response
-              blocked_event = multiplex_response.find { |action, _options| action == :block }
-              multiplex_return = AppSec::Response.graphql_response(gateway_multiplex) if blocked_event
-            end
             multiplex_return
           end
         end

data/lib/datadog/appsec/contrib/graphql/gateway/watcher.rb CHANGED Viewed

@@ -2,8 +2,6 @@
 require 'json'
 require_relative '../../../instrumentation/gateway'
-require_relative '../../../reactive/engine'
-require_relative '../reactive/multiplex'
 module Datadog
   module AppSec
@@ -19,17 +17,21 @@ module Datadog
                 watch_multiplex(gateway)
               end
-              # This time we don't throw but use next
               def watch_multiplex(gateway = Instrumentation.gateway)
                 gateway.watch('graphql.multiplex', :appsec) do |stack, gateway_multiplex|
-                  block = false
-                  event = nil
                   context = AppSec::Context.active
-                  engine = AppSec::Reactive::Engine.new
                   if context
-                    GraphQL::Reactive::Multiplex.subscribe(engine, context) do |result|
-                      event = {
+                    persistent_data = {
+                      'graphql.server.all_resolvers' => gateway_multiplex.arguments
+                    }
+                    result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
+                    if result.match?
+                      Datadog::AppSec::Event.tag_and_keep!(context, result)
+                      context.events << {
                         waf_result: result,
                         trace: context.trace,
                         span: context.span,
@@ -37,15 +39,10 @@ module Datadog
                         actions: result.actions
                       }
-                      Datadog::AppSec::Event.tag_and_keep!(context, result)
-                      context.waf_runner.events << event
+                      Datadog::AppSec::ActionsHandler.handle(result.actions)
                     end
-                    block = GraphQL::Reactive::Multiplex.publish(engine, gateway_multiplex)
                   end
-                  next [nil, [[:block, event]]] if block
                   stack.call(gateway_multiplex.arguments)
                 end
               end

data/lib/datadog/appsec/contrib/graphql/patcher.rb CHANGED Viewed

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
-require_relative '../patcher'
 require_relative 'gateway/watcher'
 if Gem.loaded_specs['graphql'] && Gem.loaded_specs['graphql'].version >= Gem::Version.new('2.0.19')
@@ -13,8 +12,6 @@ module Datadog
       module GraphQL
         # Patcher for AppSec on GraphQL
         module Patcher
-          include Datadog::AppSec::Contrib::Patcher
           module_function
           def patched?