datadog 2.9.0 → 2.11.0

data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb

@@ -1,10 +1,6 @@
 # frozen_string_literal: true
 
 require_relative '../../../instrumentation/gateway'
-require_relative '../../../reactive/engine'
-require_relative '../reactive/request'
-require_relative '../reactive/request_body'
-require_relative '../reactive/response'
 require_relative '../../../event'
 
 module Datadog
@@ -25,30 +21,33 @@ module Datadog
 
               def watch_request(gateway = Instrumentation.gateway)
                 gateway.watch('rack.request', :appsec) do |stack, gateway_request|
-                  event = nil
                   context = gateway_request.env[Datadog::AppSec::Ext::CONTEXT_KEY]
-                  engine = AppSec::Reactive::Engine.new
-
-                  Rack::Reactive::Request.subscribe(engine, context) do |result|
-                    if result.status == :match
-                      # TODO: should this hash be an Event instance instead?
-                      event = {
-                        waf_result: result,
-                        trace: context.trace,
-                        span: context.span,
-                        request: gateway_request,
-                        actions: result.actions
-                      }
-
-                      # We want to keep the trace in case of security event
-                      context.trace.keep! if context.trace
-                      Datadog::AppSec::Event.tag_and_keep!(context, result)
-                      context.waf_runner.events << event
-                    end
-                  end
 
-                  block = Rack::Reactive::Request.publish(engine, gateway_request)
-                  throw(Datadog::AppSec::Ext::INTERRUPT, event[:actions]) if block
+                  persistent_data = {
+                    'server.request.cookies' => gateway_request.cookies,
+                    'server.request.query' => gateway_request.query,
+                    'server.request.uri.raw' => gateway_request.fullpath,
+                    'server.request.headers' => gateway_request.headers,
+                    'server.request.headers.no_cookies' => gateway_request.headers.dup.tap { |h| h.delete('cookie') },
+                    'http.client_ip' => gateway_request.client_ip,
+                    'server.request.method' => gateway_request.method
+                  }
+
+                  result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
+
+                  if result.match?
+                    Datadog::AppSec::Event.tag_and_keep!(context, result)
+
+                    context.events << {
+                      waf_result: result,
+                      trace: context.trace,
+                      span: context.span,
+                      request: gateway_request,
+                      actions: result.actions
+                    }
+
+                    Datadog::AppSec::ActionsHandler.handle(result.actions)
+                  end
 
                   stack.call(gateway_request.request)
                 end
@@ -56,30 +55,29 @@ module Datadog
 
               def watch_response(gateway = Instrumentation.gateway)
                 gateway.watch('rack.response', :appsec) do |stack, gateway_response|
-                  event = nil
                   context = gateway_response.context
-                  engine = AppSec::Reactive::Engine.new
-
-                  Rack::Reactive::Response.subscribe(engine, context) do |result|
-                    if result.status == :match
-                      # TODO: should this hash be an Event instance instead?
-                      event = {
-                        waf_result: result,
-                        trace: context.trace,
-                        span: context.span,
-                        response: gateway_response,
-                        actions: result.actions
-                      }
-
-                      # We want to keep the trace in case of security event
-                      context.trace.keep! if context.trace
-                      Datadog::AppSec::Event.tag_and_keep!(context, result)
-                      context.waf_runner.events << event
-                    end
-                  end
 
-                  block = Rack::Reactive::Response.publish(engine, gateway_response)
-                  throw(Datadog::AppSec::Ext::INTERRUPT, event[:actions]) if block
+                  persistent_data = {
+                    'server.response.status' => gateway_response.status.to_s,
+                    'server.response.headers' => gateway_response.headers,
+                    'server.response.headers.no_cookies' => gateway_response.headers.dup.tap { |h| h.delete('set-cookie') }
+                  }
+
+                  result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
+
+                  if result.match?
+                    Datadog::AppSec::Event.tag_and_keep!(context, result)
+
+                    context.events << {
+                      waf_result: result,
+                      trace: context.trace,
+                      span: context.span,
+                      response: gateway_response,
+                      actions: result.actions
+                    }
+
+                    Datadog::AppSec::ActionsHandler.handle(result.actions)
+                  end
 
                   stack.call(gateway_response.response)
                 end
@@ -87,30 +85,27 @@ module Datadog
 
               def watch_request_body(gateway = Instrumentation.gateway)
                 gateway.watch('rack.request.body', :appsec) do |stack, gateway_request|
-                  event = nil
                   context = gateway_request.env[Datadog::AppSec::Ext::CONTEXT_KEY]
-                  engine = AppSec::Reactive::Engine.new
-
-                  Rack::Reactive::RequestBody.subscribe(engine, context) do |result|
-                    if result.status == :match
-                      # TODO: should this hash be an Event instance instead?
-                      event = {
-                        waf_result: result,
-                        trace: context.trace,
-                        span: context.span,
-                        request: gateway_request,
-                        actions: result.actions
-                      }
-
-                      # We want to keep the trace in case of security event
-                      context.trace.keep! if context.trace
-                      Datadog::AppSec::Event.tag_and_keep!(context, result)
-                      context.waf_runner.events << event
-                    end
-                  end
 
-                  block = Rack::Reactive::RequestBody.publish(engine, gateway_request)
-                  throw(Datadog::AppSec::Ext::INTERRUPT, event[:actions]) if block
+                  persistent_data = {
+                    'server.request.body' => gateway_request.form_hash
+                  }
+
+                  result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
+
+                  if result.match?
+                    Datadog::AppSec::Event.tag_and_keep!(context, result)
+
+                    context.events << {
+                      waf_result: result,
+                      trace: context.trace,
+                      span: context.span,
+                      request: gateway_request,
+                      actions: result.actions
+                    }
+
+                    Datadog::AppSec::ActionsHandler.handle(result.actions)
+                  end
 
                   stack.call(gateway_request.request)
                 end

data/lib/datadog/appsec/contrib/rack/patcher.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require_relative '../patcher'
 require_relative '../../monitor'
 require_relative 'gateway/watcher'
 
@@ -10,8 +9,6 @@ module Datadog
       module Rack
         # Patcher for Rack integration
         module Patcher
-          include Datadog::AppSec::Contrib::Patcher
-
           module_function
 
           def patched?

data/lib/datadog/appsec/contrib/rack/request_body_middleware.rb

@@ -24,15 +24,15 @@ module Datadog
             # TODO: handle exceptions, except for @app.call
 
             http_response = nil
-            block_actions = catch(::Datadog::AppSec::Ext::INTERRUPT) do
-              http_response, = Instrumentation.gateway.push('rack.request.body', Gateway::Request.new(env)) do
+            interrupt_params = catch(::Datadog::AppSec::Ext::INTERRUPT) do
+              http_response, _request = Instrumentation.gateway.push('rack.request.body', Gateway::Request.new(env)) do
                 @app.call(env)
               end
 
               nil
             end
 
-            return AppSec::Response.negotiate(env, block_actions).to_rack if block_actions
+            return AppSec::Response.from_interrupt_params(interrupt_params, env['HTTP_ACCEPT']).to_rack if interrupt_params
 
             http_response
           end

data/lib/datadog/appsec/contrib/rack/request_middleware.rb

@@ -76,8 +76,8 @@ module Datadog
             gateway_request = Gateway::Request.new(env)
             gateway_response = nil
 
-            block_actions = catch(::Datadog::AppSec::Ext::INTERRUPT) do
-              http_response, = Instrumentation.gateway.push('rack.request', gateway_request) do
+            interrupt_params = catch(::Datadog::AppSec::Ext::INTERRUPT) do
+              http_response, _gateway_request = Instrumentation.gateway.push('rack.request', gateway_request) do
                 @app.call(env)
               end
 
@@ -90,27 +90,29 @@ module Datadog
               nil
             end
 
-            http_response = AppSec::Response.negotiate(env, block_actions).to_rack if block_actions
+            if interrupt_params
+              http_response = AppSec::Response.from_interrupt_params(interrupt_params, env['HTTP_ACCEPT']).to_rack
+            end
 
-            if (result = ctx.waf_runner.extract_schema)
-              ctx.waf_runner.events << {
+            if AppSec.api_security_enabled?
+              ctx.events << {
                 trace: ctx.trace,
                 span: ctx.span,
-                waf_result: result,
+                waf_result: ctx.extract_schema,
               }
             end
 
-            ctx.waf_runner.events.each do |e|
+            ctx.events.each do |e|
               e[:response] ||= gateway_response
               e[:request]  ||= gateway_request
             end
 
-            AppSec::Event.record(ctx.span, *ctx.waf_runner.events)
+            AppSec::Event.record(ctx.span, *ctx.events)
 
             http_response
           ensure
             if ctx
-              add_waf_runtime_tags(ctx)
+              ctx.export_metrics
               Datadog::AppSec::Context.deactivate
             end
           end
@@ -198,19 +200,6 @@ module Datadog
             end
           end
 
-          def add_waf_runtime_tags(context)
-            span = context.span
-            context = context.waf_runner
-
-            return unless span && context
-
-            span.set_tag('_dd.appsec.waf.timeouts', context.timeouts)
-
-            # these tags expect time in us
-            span.set_tag('_dd.appsec.waf.duration', context.time_ns / 1000.0)
-            span.set_tag('_dd.appsec.waf.duration_ext', context.time_ext_ns / 1000.0)
-          end
-
           def to_rack_header(header)
             @rack_headers[header] ||= Datadog::Tracing::Contrib::Rack::Header.to_rack_header(header)
           end

data/lib/datadog/appsec/contrib/rails/gateway/watcher.rb

@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 
 require_relative '../../../instrumentation/gateway'
-require_relative '../../../reactive/engine'
-require_relative '../reactive/action'
 require_relative '../../../event'
 
 module Datadog
@@ -21,30 +19,28 @@ module Datadog
 
               def watch_request_action(gateway = Instrumentation.gateway)
                 gateway.watch('rails.request.action', :appsec) do |stack, gateway_request|
-                  event = nil
                   context = gateway_request.env[Datadog::AppSec::Ext::CONTEXT_KEY]
-                  engine = AppSec::Reactive::Engine.new
-
-                  Rails::Reactive::Action.subscribe(engine, context) do |result|
-                    if result.status == :match
-                      # TODO: should this hash be an Event instance instead?
-                      event = {
-                        waf_result: result,
-                        trace: context.trace,
-                        span: context.span,
-                        request: gateway_request,
-                        actions: result.actions
-                      }
-
-                      # We want to keep the trace in case of security event
-                      context.trace.keep! if context.trace
-                      Datadog::AppSec::Event.tag_and_keep!(context, result)
-                      context.waf_runner.events << event
-                    end
-                  end
 
-                  block = Rails::Reactive::Action.publish(engine, gateway_request)
-                  next [nil, [[:block, event]]] if block
+                  persistent_data = {
+                    'server.request.body' => gateway_request.parsed_body,
+                    'server.request.path_params' => gateway_request.route_params
+                  }
+
+                  result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
+
+                  if result.match?
+                    Datadog::AppSec::Event.tag_and_keep!(context, result)
+
+                    context.events << {
+                      waf_result: result,
+                      trace: context.trace,
+                      span: context.span,
+                      request: gateway_request,
+                      actions: result.actions
+                    }
+
+                    Datadog::AppSec::ActionsHandler.handle(result.actions)
+                  end
 
                   stack.call(gateway_request.request)
                 end

data/lib/datadog/appsec/contrib/rails/patcher.rb

@@ -2,7 +2,6 @@
 
 require_relative '../../../core/utils/only_once'
 
-require_relative '../patcher'
 require_relative 'framework'
 require_relative '../../response'
 require_relative '../rack/request_middleware'
@@ -18,8 +17,6 @@ module Datadog
       module Rails
         # Patcher for AppSec on Rails
         module Patcher
-          include Datadog::AppSec::Contrib::Patcher
-
           BEFORE_INITIALIZE_ONLY_ONCE_PER_APP = Hash.new { |h, key| h[key] = Datadog::Core::Utils::OnlyOnce.new }
           AFTER_INITIALIZE_ONLY_ONCE_PER_APP = Hash.new { |h, key| h[key] = Datadog::Core::Utils::OnlyOnce.new }
 
@@ -80,22 +77,12 @@ module Datadog
               # TODO: handle exceptions, except for super
 
               gateway_request = Gateway::Request.new(request)
-              request_return, request_response = Instrumentation.gateway.push('rails.request.action', gateway_request) do
-                super
-              end
 
-              if request_response
-                blocked_event = request_response.find { |action, _options| action == :block }
-                if blocked_event
-                  @_response = AppSec::Response.negotiate(
-                    env,
-                    blocked_event.last[:actions]
-                  ).to_action_dispatch_response
-                  request_return = @_response.body
-                end
+              http_response, _gateway_request = Instrumentation.gateway.push('rails.request.action', gateway_request) do
+                super
               end
 
-              request_return
+              http_response
             end
           end
 

data/lib/datadog/appsec/contrib/sinatra/gateway/watcher.rb

@@ -1,9 +1,6 @@
 # frozen_string_literal: true
 
 require_relative '../../../instrumentation/gateway'
-require_relative '../../../reactive/engine'
-require_relative '../../rack/reactive/request_body'
-require_relative '../reactive/routed'
 require_relative '../../../event'
 
 module Datadog
@@ -23,30 +20,27 @@ module Datadog
 
               def watch_request_dispatch(gateway = Instrumentation.gateway)
                 gateway.watch('sinatra.request.dispatch', :appsec) do |stack, gateway_request|
-                  event = nil
                   context = gateway_request.env[Datadog::AppSec::Ext::CONTEXT_KEY]
-                  engine = AppSec::Reactive::Engine.new
-
-                  Rack::Reactive::RequestBody.subscribe(engine, context) do |result|
-                    if result.status == :match
-                      # TODO: should this hash be an Event instance instead?
-                      event = {
-                        waf_result: result,
-                        trace: context.trace,
-                        span: context.span,
-                        request: gateway_request,
-                        actions: result.actions
-                      }
-
-                      # We want to keep the trace in case of security event
-                      context.trace.keep! if context.trace
-                      Datadog::AppSec::Event.tag_and_keep!(context, result)
-                      context.waf_runner.events << event
-                    end
-                  end
 
-                  block = Rack::Reactive::RequestBody.publish(engine, gateway_request)
-                  next [nil, [[:block, event]]] if block
+                  persistent_data = {
+                    'server.request.body' => gateway_request.form_hash
+                  }
+
+                  result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
+
+                  if result.match?
+                    Datadog::AppSec::Event.tag_and_keep!(context, result)
+
+                    context.events << {
+                      waf_result: result,
+                      trace: context.trace,
+                      span: context.span,
+                      request: gateway_request,
+                      actions: result.actions
+                    }
+
+                    Datadog::AppSec::ActionsHandler.handle(result.actions)
+                  end
 
                   stack.call(gateway_request.request)
                 end
@@ -54,30 +48,27 @@ module Datadog
 
               def watch_request_routed(gateway = Instrumentation.gateway)
                 gateway.watch('sinatra.request.routed', :appsec) do |stack, (gateway_request, gateway_route_params)|
-                  event = nil
                   context = gateway_request.env[Datadog::AppSec::Ext::CONTEXT_KEY]
-                  engine = AppSec::Reactive::Engine.new
-
-                  Sinatra::Reactive::Routed.subscribe(engine, context) do |result|
-                    if result.status == :match
-                      # TODO: should this hash be an Event instance instead?
-                      event = {
-                        waf_result: result,
-                        trace: context.trace,
-                        span: context.span,
-                        request: gateway_request,
-                        actions: result.actions
-                      }
-
-                      # We want to keep the trace in case of security event
-                      context.trace.keep! if context.trace
-                      Datadog::AppSec::Event.tag_and_keep!(context, result)
-                      context.waf_runner.events << event
-                    end
-                  end
 
-                  block = Sinatra::Reactive::Routed.publish(engine, [gateway_request, gateway_route_params])
-                  next [nil, [[:block, event]]] if block
+                  persistent_data = {
+                    'server.request.path_params' => gateway_route_params.params
+                  }
+
+                  result = context.run_waf(persistent_data, {}, Datadog.configuration.appsec.waf_timeout)
+
+                  if result.match?
+                    Datadog::AppSec::Event.tag_and_keep!(context, result)
+
+                    context.events << {
+                      waf_result: result,
+                      trace: context.trace,
+                      span: context.span,
+                      request: gateway_request,
+                      actions: result.actions
+                    }
+
+                    Datadog::AppSec::ActionsHandler.handle(result.actions)
+                  end
 
                   stack.call(gateway_request.request)
                 end

data/lib/datadog/appsec/contrib/sinatra/patcher.rb

@@ -2,11 +2,9 @@
 
 require_relative '../../../tracing/contrib'
 
-require_relative '../patcher'
 require_relative '../../response'
 require_relative '../rack/request_middleware'
 require_relative 'framework'
-require_relative 'ext'
 require_relative 'gateway/watcher'
 require_relative 'gateway/route_params'
 require_relative 'gateway/request'
@@ -62,17 +60,8 @@ module Datadog
 
             gateway_request = Gateway::Request.new(env)
 
-            request_return, request_response = Instrumentation.gateway.push('sinatra.request.dispatch', gateway_request) do
-              # handle process_route interruption
-              catch(Datadog::AppSec::Contrib::Sinatra::Ext::ROUTE_INTERRUPT) { super }
-            end
-
-            if request_response
-              blocked_event = request_response.find { |action, _options| action == :block }
-              if blocked_event
-                self.response = AppSec::Response.negotiate(env, blocked_event.last[:actions]).to_sinatra_response
-                request_return = nil
-              end
+            request_return, _gateway_request = Instrumentation.gateway.push('sinatra.request.dispatch', gateway_request) do
+              super
             end
 
             request_return
@@ -103,20 +92,7 @@ module Datadog
               gateway_request = Gateway::Request.new(env)
               gateway_route_params = Gateway::RouteParams.new(route_params)
 
-              _, request_response = Instrumentation.gateway.push(
-                'sinatra.request.routed',
-                [gateway_request, gateway_route_params]
-              )
-
-              if request_response
-                blocked_event = request_response.find { |action, _options| action == :block }
-                if blocked_event
-                  self.response = AppSec::Response.negotiate(env, blocked_event.last[:actions]).to_sinatra_response
-
-                  # interrupt request and return response to dispatch! for consistency
-                  throw(Datadog::AppSec::Contrib::Sinatra::Ext::ROUTE_INTERRUPT, response)
-                end
-              end
+              Instrumentation.gateway.push('sinatra.request.routed', [gateway_request, gateway_route_params])
 
               yield(*args)
             end
@@ -125,8 +101,6 @@ module Datadog
 
         # Patcher for AppSec on Sinatra
         module Patcher
-          include Datadog::AppSec::Contrib::Patcher
-
           module_function
 
           def patched?

data/lib/datadog/appsec/ext.rb

@@ -3,7 +3,10 @@
 module Datadog
   module AppSec
     module Ext
-      RASP_SQLI = :sql_injection
+      RASP_SQLI = 'sql_injection'
+      RASP_LFI = 'lfi'
+      RASP_SSRF = 'ssrf'
+
       INTERRUPT = :datadog_appsec_interrupt
       CONTEXT_KEY = 'datadog.appsec.context'
       ACTIVE_CONTEXT_KEY = :datadog_appsec_active_context
@@ -11,6 +14,8 @@ module Datadog
       TAG_APPSEC_ENABLED = '_dd.appsec.enabled'
       TAG_APM_ENABLED = '_dd.apm.enabled'
       TAG_DISTRIBUTED_APPSEC_EVENT = '_dd.p.appsec'
+
+      TELEMETRY_METRICS_NAMESPACE = 'appsec'
     end
   end
 end

data/lib/datadog/appsec/metrics/collector.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module Metrics
+      # A class responsible for collecting WAF and RASP call metrics.
+      class Collector
+        Store = Struct.new(:evals, :timeouts, :duration_ns, :duration_ext_ns, keyword_init: true)
+
+        attr_reader :waf, :rasp
+
+        def initialize
+          @mutex = Mutex.new
+          @waf = Store.new(evals: 0, timeouts: 0, duration_ns: 0, duration_ext_ns: 0)
+          @rasp = Store.new(evals: 0, timeouts: 0, duration_ns: 0, duration_ext_ns: 0)
+        end
+
+        def record_waf(result)
+          @mutex.synchronize do
+            @waf.evals += 1
+            @waf.timeouts += 1 if result.timeout?
+            @waf.duration_ns += result.duration_ns
+            @waf.duration_ext_ns += result.duration_ext_ns
+          end
+        end
+
+        def record_rasp(result)
+          @mutex.synchronize do
+            @rasp.evals += 1
+            @rasp.timeouts += 1 if result.timeout?
+            @rasp.duration_ns += result.duration_ns
+            @rasp.duration_ext_ns += result.duration_ext_ns
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/metrics/exporter.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module Metrics
+      # A class responsible for exporting WAF and RASP call metrics.
+      module Exporter
+        module_function
+
+        def export_waf_metrics(metrics, span)
+          return if metrics.evals.zero?
+
+          span.set_tag('_dd.appsec.waf.timeouts', metrics.timeouts)
+          span.set_tag('_dd.appsec.waf.duration', convert_ns_to_us(metrics.duration_ns))
+          span.set_tag('_dd.appsec.waf.duration_ext', convert_ns_to_us(metrics.duration_ext_ns))
+        end
+
+        def export_rasp_metrics(metrics, span)
+          return if metrics.evals.zero?
+
+          span.set_tag('_dd.appsec.rasp.rule.eval', metrics.evals)
+          span.set_tag('_dd.appsec.rasp.timeout', 1) unless metrics.timeouts.zero?
+          span.set_tag('_dd.appsec.rasp.duration', convert_ns_to_us(metrics.duration_ns))
+          span.set_tag('_dd.appsec.rasp.duration_ext', convert_ns_to_us(metrics.duration_ext_ns))
+        end
+
+        # private
+
+        def convert_ns_to_us(value)
+          value / 1000.0
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/metrics/telemetry.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module Metrics
+      # A class responsible for reporting WAF and RASP telemetry metrics.
+      module Telemetry
+        module_function
+
+        def report_rasp(type, result)
+          return if result.is_a?(SecurityEngine::Result::Error)
+
+          tags = { rule_type: type, waf_version: Datadog::AppSec::WAF::VERSION::BASE_STRING }
+          namespace = Ext::TELEMETRY_METRICS_NAMESPACE
+
+          AppSec.telemetry.inc(namespace, 'rasp.rule.eval', 1, tags: tags)
+          AppSec.telemetry.inc(namespace, 'rasp.rule.match', 1, tags: tags) if result.match?
+          AppSec.telemetry.inc(namespace, 'rasp.timeout', 1, tags: tags) if result.timeout?
+        end
+      end
+    end
+  end
+end