datadog 2.14.0 → 2.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d6f1f9a8bd097f353792ce207813881aadce161aaef09d6790c551686de7d53e
-  data.tar.gz: 34dbaf125e9b9a3ce3eec376546ae3817f42f3556033a27b83b69578372b2475
+  metadata.gz: 7d17c177691be6204c922253f717344b69cbf2ccf0e6cc51b5d2063e484ffcf9
+  data.tar.gz: fb55233c5db1aa2d80562d7d2a0f7297f4d13b0b1f1c8a3f3a6feec8f15bb947
 SHA512:
-  metadata.gz: 07d6d7499521fb3ebb75574960e7eff4bd7e893dc8631b02b9a4db2201ed47afa0b294ab493a198c09b5bfe7e00e1d215ae61a45f4e8a756c2644e7a59ee56d9
-  data.tar.gz: 31aa80c9ee735eef7dc676a72e7fe2b33fe996704a2a58c97386284af16fdf5fa6037269e6d7e1f3a4a2b823825a0e3cef0f36f3e04f45bf9c8907510d7d5e54
+  metadata.gz: ef69c8e13819833ce2b1a0987ec66a674a15ca029bd4ad0a29703a613c7dd263015ca0018433ac366f69e655fa264a74aa949a1d6b12e30753b249fa8b7d62c2
+  data.tar.gz: 1d44dca02ab71b49b87e371825bbdda696fbd686bc9d24662d5d90c5091c4ddf82226abda23c56da9da8e8274ab06759a90b73fd3eb44cecc081598fd8cc188a

data/CHANGELOG.md

@@ -2,6 +2,22 @@
 
 ## [Unreleased]
 
+## [2.15.0] - 2025-04-17
+
+### Added
+
+* AppSec: Add auto-patching for `activerecord` with sql injection detection ([#4581][])
+* Tracing: Add option for `opensearch` to set resource with relative path ([#4509][])
+
+### Changed
+
+* AppSec: Update In-App WAF rules, processors, and scanners ([#4568][])
+
+### Fixed
+
+* AppSec: Fix blocked requests not marked correctly when using custom redirect blocking action ([#4580][])
+* AppSec: Fix UTF-8 unsafe payloads in InApp-WAF causing runtime exceptions ([#4573][])
+
 ## [2.14.0] - 2025-04-04
 
 ### Added
@@ -3178,7 +3194,8 @@ Release notes: https://github.com/DataDog/dd-trace-rb/releases/tag/v0.3.1
 Git diff: https://github.com/DataDog/dd-trace-rb/compare/v0.3.0...v0.3.1
 
 
-[Unreleased]: https://github.com/DataDog/dd-trace-rb/compare/v2.14.0...master
+[Unreleased]: https://github.com/DataDog/dd-trace-rb/compare/v2.15.0...master
+[2.15.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.14.0...v2.15.0
 [2.14.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.13.0...v2.14.0
 [2.13.0]: https://github.com/DataDog/dd-trace-rb/compare/v2.12.2...v2.13.0
 [2.12.2]: https://github.com/DataDog/dd-trace-rb/compare/v2.12.1...v2.12.2
@@ -4693,6 +4710,7 @@ Git diff: https://github.com/DataDog/dd-trace-rb/compare/v0.3.0...v0.3.1
 [#4498]: https://github.com/DataDog/dd-trace-rb/issues/4498
 [#4505]: https://github.com/DataDog/dd-trace-rb/issues/4505
 [#4507]: https://github.com/DataDog/dd-trace-rb/issues/4507
+[#4509]: https://github.com/DataDog/dd-trace-rb/issues/4509
 [#4526]: https://github.com/DataDog/dd-trace-rb/issues/4526
 [#4528]: https://github.com/DataDog/dd-trace-rb/issues/4528
 [#4530]: https://github.com/DataDog/dd-trace-rb/issues/4530
@@ -4701,6 +4719,10 @@ Git diff: https://github.com/DataDog/dd-trace-rb/compare/v0.3.0...v0.3.1
 [#4549]: https://github.com/DataDog/dd-trace-rb/issues/4549
 [#4552]: https://github.com/DataDog/dd-trace-rb/issues/4552
 [#4558]: https://github.com/DataDog/dd-trace-rb/issues/4558
+[#4568]: https://github.com/DataDog/dd-trace-rb/issues/4568
+[#4573]: https://github.com/DataDog/dd-trace-rb/issues/4573
+[#4580]: https://github.com/DataDog/dd-trace-rb/issues/4580
+[#4581]: https://github.com/DataDog/dd-trace-rb/issues/4581
 [@AdrianLC]: https://github.com/AdrianLC
 [@Azure7111]: https://github.com/Azure7111
 [@BabyGroot]: https://github.com/BabyGroot
@@ -4852,4 +4874,4 @@ Git diff: https://github.com/DataDog/dd-trace-rb/compare/v0.3.0...v0.3.1
 [@y-yagi]: https://github.com/y-yagi
 [@yujideveloper]: https://github.com/yujideveloper
 [@yukimurasawa]: https://github.com/yukimurasawa
-[@zachmccormick]: https://github.com/zachmccormick
+[@zachmccormick]: https://github.com/zachmccormick

data/ext/datadog_profiling_native_extension/collectors_thread_context.c

@@ -297,7 +297,7 @@ static void otel_without_ddtrace_trace_identifiers_for(
 static otel_span otel_span_from(VALUE otel_context, VALUE otel_current_span_key);
 static uint64_t otel_span_id_to_uint(VALUE otel_span_id);
 static VALUE safely_lookup_hash_without_going_into_ruby_code(VALUE hash, VALUE key);
-static VALUE _native_reset_monotonic_to_system_state(DDTRACE_UNUSED VALUE self, VALUE collector_instance);
+static VALUE _native_system_epoch_time_now_ns(DDTRACE_UNUSED VALUE self, VALUE collector_instance);
 
 void collectors_thread_context_init(VALUE profiling_module) {
   VALUE collectors_module = rb_define_module_under(profiling_module, "Collectors");
@@ -329,7 +329,7 @@ void collectors_thread_context_init(VALUE profiling_module) {
   rb_define_singleton_method(testing_module, "_native_gc_tracking", _native_gc_tracking, 1);
   rb_define_singleton_method(testing_module, "_native_new_empty_thread", _native_new_empty_thread, 0);
   rb_define_singleton_method(testing_module, "_native_sample_skipped_allocation_samples", _native_sample_skipped_allocation_samples, 2);
-  rb_define_singleton_method(testing_module, "_native_reset_monotonic_to_system_state", _native_reset_monotonic_to_system_state, 1);
+  rb_define_singleton_method(testing_module, "_native_system_epoch_time_now_ns", _native_system_epoch_time_now_ns, 1);
   #ifndef NO_GVL_INSTRUMENTATION
     rb_define_singleton_method(testing_module, "_native_on_gvl_waiting", _native_on_gvl_waiting, 1);
     rb_define_singleton_method(testing_module, "_native_gvl_waiting_at_for", _native_gvl_waiting_at_for, 1);
@@ -1308,7 +1308,7 @@ static long thread_id_for(VALUE thread) {
 }
 
 VALUE enforce_thread_context_collector_instance(VALUE object) {
-  Check_TypedStruct(object, &thread_context_collector_typed_data);
+  ENFORCE_TYPED_DATA(object, &thread_context_collector_typed_data);
   return object;
 }
 
@@ -2160,11 +2160,12 @@ static VALUE safely_lookup_hash_without_going_into_ruby_code(VALUE hash, VALUE k
   return state.result;
 }
 
-static VALUE _native_reset_monotonic_to_system_state(DDTRACE_UNUSED VALUE self, VALUE collector_instance) {
+static VALUE _native_system_epoch_time_now_ns(DDTRACE_UNUSED VALUE self, VALUE collector_instance) {
   thread_context_collector_state *state;
   TypedData_Get_Struct(collector_instance, thread_context_collector_state, &thread_context_collector_typed_data, state);
 
-  state->time_converter_state = (monotonic_to_system_epoch_state) MONOTONIC_TO_SYSTEM_EPOCH_INITIALIZER;
+  long current_monotonic_wall_time_ns = monotonic_wall_time_now_ns(RAISE_ON_FAILURE);
+  long system_epoch_time_ns = monotonic_to_system_epoch_ns(&state->time_converter_state, current_monotonic_wall_time_ns);
 
-  return Qtrue;
+  return LONG2NUM(system_epoch_time_ns);
 }

data/ext/datadog_profiling_native_extension/datadog_ruby_common.h

@@ -27,6 +27,9 @@
 #define ENFORCE_BOOLEAN(value) \
   { if (RB_UNLIKELY(value != Qtrue && value != Qfalse)) raise_unexpected_type(value, ADD_QUOTES(value), "true or false", __FILE__, __LINE__, __func__); }
 
+#define ENFORCE_TYPED_DATA(value, type) \
+  { if (RB_UNLIKELY(!rb_typeddata_is_kind_of(value, type))) raise_unexpected_type(value, ADD_QUOTES(value), "TypedData of type " ADD_QUOTES(type), __FILE__, __LINE__, __func__); }
+
 NORETURN(void raise_unexpected_type(VALUE value, const char *value_name, const char *type_name, const char *file, int line, const char* function_name));
 
 // Helper to retrieve Datadog::VERSION::STRING

data/ext/datadog_profiling_native_extension/encoded_profile.c

@@ -0,0 +1,69 @@
+#include "encoded_profile.h"
+#include "datadog_ruby_common.h"
+#include "libdatadog_helpers.h"
+
+// This class exists to wrap a ddog_prof_EncodedProfile into a Ruby object
+// This file implements the native bits of the Datadog::Profiling::EncodedProfile class
+
+static void encoded_profile_typed_data_free(void *state_ptr);
+static VALUE _native_bytes(VALUE self);
+
+static VALUE encoded_profile_class = Qnil;
+
+void encoded_profile_init(VALUE profiling_module) {
+  encoded_profile_class = rb_define_class_under(profiling_module, "EncodedProfile", rb_cObject);
+
+  rb_undef_alloc_func(encoded_profile_class); // Class cannot be created from Ruby code
+  rb_global_variable(&encoded_profile_class);
+
+  rb_define_method(encoded_profile_class, "_native_bytes", _native_bytes, 0);
+}
+
+// This structure is used to define a Ruby object that stores a `ddog_prof_EncodedProfile`
+// See also https://github.com/ruby/ruby/blob/master/doc/extension.rdoc for how this works
+static const rb_data_type_t encoded_profile_typed_data = {
+  .wrap_struct_name = "Datadog::Profiling::EncodedProfile",
+  .function = {
+    .dmark = NULL, // We don't store references to Ruby objects so we don't need to mark any of them
+    .dfree = encoded_profile_typed_data_free,
+    .dsize = NULL, // We don't track memory usage (although it'd be cool if we did!)
+    //.dcompact = NULL, // Not needed -- we don't store references to Ruby objects
+  },
+  .flags = RUBY_TYPED_FREE_IMMEDIATELY
+};
+
+VALUE from_ddog_prof_EncodedProfile(ddog_prof_EncodedProfile profile) {
+  ddog_prof_EncodedProfile *state = ruby_xcalloc(1, sizeof(ddog_prof_EncodedProfile));
+  *state = profile;
+  return TypedData_Wrap_Struct(encoded_profile_class, &encoded_profile_typed_data, state);
+}
+
+static void encoded_profile_typed_data_free(void *state_ptr) {
+  ddog_prof_EncodedProfile *state = (ddog_prof_EncodedProfile *) state_ptr;
+
+  // This drops the profile itself
+  ddog_prof_EncodedProfile_drop(state);
+
+  // This drops the tiny bit of memory we allocated to contain the ` ddog_prof_EncodedProfile` struct
+  ruby_xfree(state);
+}
+
+static VALUE _native_bytes(VALUE self) {
+  ddog_prof_EncodedProfile *state;
+  TypedData_Get_Struct(self, ddog_prof_EncodedProfile, &encoded_profile_typed_data, state);
+
+  return ruby_string_from_vec_u8(state->buffer);
+
+  // TODO: This will be used for libdatadog 17
+  /*ddog_prof_Result_ByteSlice raw_bytes = ddog_prof_EncodedProfile_bytes(state);
+  if (raw_bytes.tag == DDOG_PROF_RESULT_BYTE_SLICE_ERR_BYTE_SLICE) {
+    rb_raise(rb_eRuntimeError, "Failed to get bytes from profile: %"PRIsVALUE, get_error_details_and_drop(&raw_bytes.err));
+  }
+
+  return rb_str_new((const char *) raw_bytes.ok.ptr, raw_bytes.ok.len);*/
+}
+
+VALUE enforce_encoded_profile_instance(VALUE object) {
+  ENFORCE_TYPED_DATA(object, &encoded_profile_typed_data);
+  return object;
+}

data/ext/datadog_profiling_native_extension/encoded_profile.h

@@ -0,0 +1,7 @@
+#pragma once
+
+#include <ruby.h>
+#include <datadog/profiling.h>
+
+VALUE from_ddog_prof_EncodedProfile(ddog_prof_EncodedProfile profile);
+VALUE enforce_encoded_profile_instance(VALUE object);

data/ext/datadog_profiling_native_extension/http_transport.c

@@ -4,6 +4,7 @@
 #include "helpers.h"
 #include "libdatadog_helpers.h"
 #include "ruby_helpers.h"
+#include "encoded_profile.h"
 
 // Used to report profiling data to Datadog.
 // This file implements the native bits of the Datadog::Profiling::HttpTransport class
@@ -29,17 +30,11 @@ static VALUE _native_do_export(
   VALUE self,
   VALUE exporter_configuration,
   VALUE upload_timeout_milliseconds,
+  VALUE flush,
   VALUE start_timespec_seconds,
   VALUE start_timespec_nanoseconds,
   VALUE finish_timespec_seconds,
-  VALUE finish_timespec_nanoseconds,
-  VALUE pprof_file_name,
-  VALUE pprof_data,
-  VALUE code_provenance_file_name,
-  VALUE code_provenance_data,
-  VALUE tags_as_array,
-  VALUE internal_metadata_json,
-  VALUE info_json
+  VALUE finish_timespec_nanoseconds
 );
 static void *call_exporter_without_gvl(void *call_args);
 static void interrupt_exporter_call(void *cancel_token);
@@ -48,7 +43,7 @@ void http_transport_init(VALUE profiling_module) {
   VALUE http_transport_class = rb_define_class_under(profiling_module, "HttpTransport", rb_cObject);
 
   rb_define_singleton_method(http_transport_class, "_native_validate_exporter",  _native_validate_exporter, 1);
-  rb_define_singleton_method(http_transport_class, "_native_do_export",  _native_do_export, 13);
+  rb_define_singleton_method(http_transport_class, "_native_do_export",  _native_do_export, 7);
 
   ok_symbol = ID2SYM(rb_intern_const("ok"));
   error_symbol = ID2SYM(rb_intern_const("error"));
@@ -84,22 +79,17 @@ static ddog_prof_Endpoint endpoint_from(VALUE exporter_configuration) {
   ENFORCE_TYPE(exporter_working_mode, T_SYMBOL);
   ID working_mode = SYM2ID(exporter_working_mode);
 
-  ID agentless_id = rb_intern("agentless");
-  ID agent_id = rb_intern("agent");
-
-  if (working_mode != agentless_id && working_mode != agent_id) {
-    rb_raise(rb_eArgError, "Failed to initialize transport: Unexpected working mode, expected :agentless or :agent");
-  }
-
-  if (working_mode == agentless_id) {
+  if (working_mode == rb_intern("agentless")) {
     VALUE site = rb_ary_entry(exporter_configuration, 1);
     VALUE api_key = rb_ary_entry(exporter_configuration, 2);
 
     return ddog_prof_Endpoint_agentless(char_slice_from_ruby_string(site), char_slice_from_ruby_string(api_key));
-  } else { // agent_id
+  } else if (working_mode == rb_intern("agent")) {
     VALUE base_url = rb_ary_entry(exporter_configuration, 1);
 
     return ddog_prof_Endpoint_agent(char_slice_from_ruby_string(base_url));
+  } else {
+    rb_raise(rb_eArgError, "Failed to initialize transport: Unexpected working mode, expected :agentless or :agent");
   }
 }
 
@@ -139,7 +129,6 @@ static VALUE perform_export(
   ddog_Timespec finish,
   ddog_prof_Exporter_Slice_File files_to_compress_and_export,
   ddog_prof_Exporter_Slice_File files_to_export_unmodified,
-  ddog_Vec_Tag *additional_tags,
   ddog_CharSlice internal_metadata,
   ddog_CharSlice info
 ) {
@@ -150,7 +139,7 @@ static VALUE perform_export(
     finish,
     files_to_compress_and_export,
     files_to_export_unmodified,
-    additional_tags,
+    /* optional_additional_tags: */ NULL,
     endpoints_stats,
     &internal_metadata,
     &info
@@ -214,26 +203,27 @@ static VALUE _native_do_export(
   DDTRACE_UNUSED VALUE _self,
   VALUE exporter_configuration,
   VALUE upload_timeout_milliseconds,
+  VALUE flush,
   VALUE start_timespec_seconds,
   VALUE start_timespec_nanoseconds,
   VALUE finish_timespec_seconds,
-  VALUE finish_timespec_nanoseconds,
-  VALUE pprof_file_name,
-  VALUE pprof_data,
-  VALUE code_provenance_file_name,
-  VALUE code_provenance_data,
-  VALUE tags_as_array,
-  VALUE internal_metadata_json,
-  VALUE info_json
+  VALUE finish_timespec_nanoseconds
 ) {
+  VALUE encoded_profile = rb_funcall(flush, rb_intern("encoded_profile"), 0);
+  VALUE code_provenance_file_name = rb_funcall(flush, rb_intern("code_provenance_file_name"), 0);
+  VALUE code_provenance_data = rb_funcall(flush, rb_intern("code_provenance_data"), 0);
+  VALUE tags_as_array = rb_funcall(flush, rb_intern("tags_as_array"), 0);
+  VALUE internal_metadata_json = rb_funcall(flush, rb_intern("internal_metadata_json"), 0);
+  VALUE info_json = rb_funcall(flush, rb_intern("info_json"), 0);
+
   ENFORCE_TYPE(upload_timeout_milliseconds, T_FIXNUM);
   ENFORCE_TYPE(start_timespec_seconds, T_FIXNUM);
   ENFORCE_TYPE(start_timespec_nanoseconds, T_FIXNUM);
   ENFORCE_TYPE(finish_timespec_seconds, T_FIXNUM);
   ENFORCE_TYPE(finish_timespec_nanoseconds, T_FIXNUM);
-  ENFORCE_TYPE(pprof_file_name, T_STRING);
-  ENFORCE_TYPE(pprof_data, T_STRING);
+  enforce_encoded_profile_instance(encoded_profile);
   ENFORCE_TYPE(code_provenance_file_name, T_STRING);
+  ENFORCE_TYPE(tags_as_array, T_ARRAY);
   ENFORCE_TYPE(internal_metadata_json, T_STRING);
   ENFORCE_TYPE(info_json, T_STRING);
 
@@ -256,6 +246,11 @@ static VALUE _native_do_export(
   ddog_prof_Exporter_Slice_File files_to_compress_and_export = {.ptr = to_compress, .len = to_compress_length};
   ddog_prof_Exporter_Slice_File files_to_export_unmodified = {.ptr = already_compressed, .len = already_compressed_length};
 
+  // TODO: Hardcoding the file name will go away with libdatadog 17
+  VALUE pprof_file_name = rb_str_new_cstr("rubyprofile.pprof");
+  VALUE pprof_data = rb_funcall(encoded_profile, rb_intern("_native_bytes"), 0);
+  ENFORCE_TYPE(pprof_data, T_STRING);
+
   already_compressed[0] = (ddog_prof_Exporter_File) {
     .name = char_slice_from_ruby_string(pprof_file_name),
     .file = byte_slice_from_ruby_string(pprof_data),
@@ -268,7 +263,6 @@ static VALUE _native_do_export(
     };
   }
 
-  ddog_Vec_Tag *null_additional_tags = NULL;
   ddog_CharSlice internal_metadata = char_slice_from_ruby_string(internal_metadata_json);
   ddog_CharSlice info = char_slice_from_ruby_string(info_json);
 
@@ -293,7 +287,6 @@ static VALUE _native_do_export(
     finish,
     files_to_compress_and_export,
     files_to_export_unmodified,
-    null_additional_tags,
     internal_metadata,
     info
   );

data/ext/datadog_profiling_native_extension/profiling.c

@@ -20,6 +20,7 @@ void collectors_dynamic_sampling_rate_init(VALUE profiling_module);
 void collectors_idle_sampling_helper_init(VALUE profiling_module);
 void collectors_stack_init(VALUE profiling_module);
 void collectors_thread_context_init(VALUE profiling_module);
+void encoded_profile_init(VALUE profiling_module);
 void http_transport_init(VALUE profiling_module);
 void stack_recorder_init(VALUE profiling_module);
 
@@ -61,6 +62,7 @@ void DDTRACE_EXPORT Init_datadog_profiling_native_extension(void) {
   collectors_idle_sampling_helper_init(profiling_module);
   collectors_stack_init(profiling_module);
   collectors_thread_context_init(profiling_module);
+  encoded_profile_init(profiling_module);
   http_transport_init(profiling_module);
   stack_recorder_init(profiling_module);
   unsafe_api_calls_check_init();

data/ext/datadog_profiling_native_extension/stack_recorder.c

@@ -8,6 +8,7 @@
 #include "ruby_helpers.h"
 #include "time_helpers.h"
 #include "heap_recorder.h"
+#include "encoded_profile.h"
 
 // Used to wrap a ddog_prof_Profile in a Ruby object and expose Ruby-level serialization APIs
 // This file implements the native bits of the Datadog::Profiling::StackRecorder class
@@ -181,6 +182,7 @@ typedef struct {
 typedef struct {
   ddog_prof_Profile profile;
   stats_slot stats;
+  ddog_Timespec start_timestamp;
 } profile_slot;
 
 // Contains native state for each instance
@@ -252,7 +254,7 @@ static ddog_Timespec system_epoch_now_timespec(void);
 static VALUE _native_reset_after_fork(DDTRACE_UNUSED VALUE self, VALUE recorder_instance);
 static void serializer_set_start_timestamp_for_next_profile(stack_recorder_state *state, ddog_Timespec start_time);
 static VALUE _native_record_endpoint(DDTRACE_UNUSED VALUE _self, VALUE recorder_instance, VALUE local_root_span_id, VALUE endpoint);
-static void reset_profile_slot(profile_slot *slot, ddog_Timespec *start_time /* Can be null */);
+static void reset_profile_slot(profile_slot *slot, ddog_Timespec start_timestamp);
 static VALUE _native_track_object(DDTRACE_UNUSED VALUE _self, VALUE recorder_instance, VALUE new_obj, VALUE weight, VALUE alloc_class);
 static VALUE _native_check_heap_hashes(DDTRACE_UNUSED VALUE _self, VALUE locations);
 static VALUE _native_start_fake_slow_heap_serialization(DDTRACE_UNUSED VALUE _self, VALUE recorder_instance);
@@ -358,24 +360,26 @@ static void initialize_slot_concurrency_control(stack_recorder_state *state) {
 }
 
 static void initialize_profiles(stack_recorder_state *state, ddog_prof_Slice_ValueType sample_types) {
+  ddog_Timespec start_timestamp = system_epoch_now_timespec();
+
   ddog_prof_Profile_NewResult slot_one_profile_result =
-    ddog_prof_Profile_new(sample_types, NULL /* period is optional */, NULL /* start_time is optional */);
+    ddog_prof_Profile_new(sample_types, NULL /* period is optional */, &start_timestamp);
 
   if (slot_one_profile_result.tag == DDOG_PROF_PROFILE_NEW_RESULT_ERR) {
     rb_raise(rb_eRuntimeError, "Failed to initialize slot one profile: %"PRIsVALUE, get_error_details_and_drop(&slot_one_profile_result.err));
   }
 
-  state->profile_slot_one = (profile_slot) { .profile = slot_one_profile_result.ok };
+  state->profile_slot_one = (profile_slot) { .profile = slot_one_profile_result.ok, .start_timestamp = start_timestamp };
 
   ddog_prof_Profile_NewResult slot_two_profile_result =
-    ddog_prof_Profile_new(sample_types, NULL /* period is optional */, NULL /* start_time is optional */);
+    ddog_prof_Profile_new(sample_types, NULL /* period is optional */, &start_timestamp);
 
   if (slot_two_profile_result.tag == DDOG_PROF_PROFILE_NEW_RESULT_ERR) {
     // Note: No need to take any special care of slot one, it'll get cleaned up by stack_recorder_typed_data_free
     rb_raise(rb_eRuntimeError, "Failed to initialize slot two profile: %"PRIsVALUE, get_error_details_and_drop(&slot_two_profile_result.err));
   }
 
-  state->profile_slot_two = (profile_slot) { .profile = slot_two_profile_result.ok };
+  state->profile_slot_two = (profile_slot) { .profile = slot_two_profile_result.ok, .start_timestamp = start_timestamp };
 }
 
 static void stack_recorder_typed_data_free(void *state_ptr) {
@@ -564,18 +568,14 @@ static VALUE _native_serialize(DDTRACE_UNUSED VALUE _self, VALUE recorder_instan
 
   state->stats_lifetime.serialization_successes++;
 
-  VALUE encoded_pprof = ruby_string_from_vec_u8(serialized_profile.ok.buffer);
-
-  ddog_Timespec ddprof_start = serialized_profile.ok.start;
-  ddog_Timespec ddprof_finish = serialized_profile.ok.end;
+  // Once we wrap this into a Ruby object, our `EncodedProfile` class will automatically manage memory for it
+  VALUE encoded_profile = from_ddog_prof_EncodedProfile(serialized_profile.ok);
 
-  ddog_prof_EncodedProfile_drop(&serialized_profile.ok);
-
-  VALUE start = ruby_time_from(ddprof_start);
-  VALUE finish = ruby_time_from(ddprof_finish);
+  VALUE start = ruby_time_from(args.slot->start_timestamp);
+  VALUE finish = ruby_time_from(finish_timestamp);
   VALUE profile_stats = build_profile_stats(args.slot, serialization_time_ns, heap_iteration_prep_time_ns, args.heap_profile_build_time_ns);
 
-  return rb_ary_new_from_args(2, ok_symbol, rb_ary_new_from_args(4, start, finish, encoded_pprof, profile_stats));
+  return rb_ary_new_from_args(2, ok_symbol, rb_ary_new_from_args(4, start, finish, encoded_profile, profile_stats));
 }
 
 static VALUE ruby_time_from(ddog_Timespec ddprof_time) {
@@ -780,7 +780,7 @@ static void *call_serialize_without_gvl(void *call_args) {
 }
 
 VALUE enforce_recorder_instance(VALUE object) {
-  Check_TypedStruct(object, &stack_recorder_typed_data);
+  ENFORCE_TYPED_DATA(object, &stack_recorder_typed_data);
   return object;
 }
 
@@ -889,9 +889,9 @@ static VALUE _native_reset_after_fork(DDTRACE_UNUSED VALUE self, VALUE recorder_
   // In case the fork happened halfway through `serializer_flip_active_and_inactive_slots` execution and the
   // resulting state is inconsistent, we make sure to reset it back to the initial state.
   initialize_slot_concurrency_control(state);
-
-  reset_profile_slot(&state->profile_slot_one, /* start_time: */ NULL);
-  reset_profile_slot(&state->profile_slot_two, /* start_time: */ NULL);
+  ddog_Timespec start_timestamp = system_epoch_now_timespec();
+  reset_profile_slot(&state->profile_slot_one, start_timestamp);
+  reset_profile_slot(&state->profile_slot_two, start_timestamp);
 
   heap_recorder_after_fork(state->heap_recorder);
 
@@ -903,7 +903,7 @@ static VALUE _native_reset_after_fork(DDTRACE_UNUSED VALUE self, VALUE recorder_
 static void serializer_set_start_timestamp_for_next_profile(stack_recorder_state *state, ddog_Timespec start_time) {
   // Before making this profile active, we reset it so that it uses the correct start_time for its start
   profile_slot *next_profile_slot = (state->active_slot == 1) ? &state->profile_slot_two : &state->profile_slot_one;
-  reset_profile_slot(next_profile_slot, &start_time);
+  reset_profile_slot(next_profile_slot, start_time);
 }
 
 static VALUE _native_record_endpoint(DDTRACE_UNUSED VALUE _self, VALUE recorder_instance, VALUE local_root_span_id, VALUE endpoint) {
@@ -948,11 +948,12 @@ static VALUE _native_check_heap_hashes(DDTRACE_UNUSED VALUE _self, VALUE locatio
   return Qnil;
 }
 
-static void reset_profile_slot(profile_slot *slot, ddog_Timespec *start_time /* Can be null */) {
-  ddog_prof_Profile_Result reset_result = ddog_prof_Profile_reset(&slot->profile, start_time);
+static void reset_profile_slot(profile_slot *slot, ddog_Timespec start_timestamp) {
+  ddog_prof_Profile_Result reset_result = ddog_prof_Profile_reset(&slot->profile, &start_timestamp);
   if (reset_result.tag == DDOG_PROF_PROFILE_RESULT_ERR) {
     rb_raise(rb_eRuntimeError, "Failed to reset profile: %"PRIsVALUE, get_error_details_and_drop(&reset_result.err));
   }
+  slot->start_timestamp = start_timestamp;
   slot->stats = (stats_slot) {};
 }
 

data/ext/libdatadog_api/datadog_ruby_common.h

@@ -27,6 +27,9 @@
 #define ENFORCE_BOOLEAN(value) \
   { if (RB_UNLIKELY(value != Qtrue && value != Qfalse)) raise_unexpected_type(value, ADD_QUOTES(value), "true or false", __FILE__, __LINE__, __func__); }
 
+#define ENFORCE_TYPED_DATA(value, type) \
+  { if (RB_UNLIKELY(!rb_typeddata_is_kind_of(value, type))) raise_unexpected_type(value, ADD_QUOTES(value), "TypedData of type " ADD_QUOTES(type), __FILE__, __LINE__, __func__); }
+
 NORETURN(void raise_unexpected_type(VALUE value, const char *value_name, const char *type_name, const char *file, int line, const char* function_name));
 
 // Helper to retrieve Datadog::VERSION::STRING

data/lib/datadog/appsec/assets/waf_rules/README.md

@@ -1,7 +1,52 @@
-Vendored WAF rules originate from https://github.com/datadog/appsec-event-rules
+AppSec WAF rules based on [appsec-event-rules](https://github.com/datadog/appsec-event-rules) builds
 
-One should check rule compatibility with libddwaf, which is the end consumer of
-these rules.
+## How to update
 
-There might be rules that look to be irrelevant to Ruby as they may still help
-identify bad actors.
+> [!WARNING]
+> This process is a temporary workaround to maintain compatibility with the existing code structure and will be changed.
+
+1. Download `recommended.json` and `strict.json` of the desired version from [appsec-event-rules](https://github.com/datadog/appsec-event-rules) (example: [v1.13.3](https://github.com/DataDog/appsec-event-rules/tree/1.13.3/build))
+2. Run the script below inside `waf_rules` folder to extract scanners and processors into separate files
+
+    ```ruby
+    require 'json'
+
+    recommended_rules = JSON.parse(File.read(File.expand_path('recommended.json', __dir__)))
+    strict_rules = JSON.parse(File.read(File.expand_path('strict.json', __dir__)))
+
+    recommended_processors = recommended_rules.delete('processors')
+    strict_processors = strict_rules.delete('processors')
+
+    if recommended_processors.sort_by { |processor| processor['id'] } !=
+        strict_processors.sort_by { |processor| processor['id'] }
+      raise 'Processors are not the same, unable to extract them'
+    end
+
+    puts 'Extracting processors...'
+    File.open(File.expand_path('processors.json', __dir__), 'wb') do |file|
+      file.write(JSON.pretty_generate(recommended_processors))
+    end
+
+    recommended_scanners = recommended_rules.delete('scanners')
+    strict_scanners = strict_rules.delete('scanners')
+
+    if recommended_scanners.sort_by { |processor| processor['id'] } !=
+        strict_scanners.sort_by { |processor| processor['id'] }
+      raise 'Scanners are not the same, unable to extract them'
+    end
+
+    puts 'Extracting scanners...'
+    File.open(File.expand_path('scanners.json', __dir__), 'wb') do |file|
+      file.write(JSON.pretty_generate(recommended_scanners))
+    end
+
+    puts 'Updating rules...'
+
+    File.open(File.expand_path('recommended.json', __dir__), 'wb') do |file|
+      file.write(JSON.pretty_generate(recommended_rules))
+    end
+
+    File.open(File.expand_path('strict.json', __dir__), 'wb') do |file|
+      file.write(JSON.pretty_generate(strict_rules))
+    end
+    ```