ddtrace 1.0.0 → 1.1.0

data/ext/ddtrace_profiling_native_extension/stack_recorder.c

@@ -0,0 +1,139 @@
+#include <ruby.h>
+#include <ruby/thread.h>
+#include "stack_recorder.h"
+#include "libddprof_helpers.h"
+
+// Used to wrap a ddprof_ffi_Profile in a Ruby object and expose Ruby-level serialization APIs
+// This file implements the native bits of the Datadog::Profiling::StackRecorder class
+
+static VALUE ok_symbol = Qnil; // :ok in Ruby
+static VALUE error_symbol = Qnil; // :error in Ruby
+
+static ID ruby_time_from_id; // id of :ruby_time_from in Ruby
+
+static VALUE stack_recorder_class = Qnil;
+
+struct call_serialize_without_gvl_arguments {
+  ddprof_ffi_Profile *profile;
+  ddprof_ffi_SerializeResult result;
+  bool serialize_ran;
+};
+
+static VALUE _native_new(VALUE klass);
+static void stack_recorder_typed_data_free(void *data);
+static VALUE _native_serialize(VALUE self, VALUE recorder_instance);
+static VALUE ruby_time_from(ddprof_ffi_Timespec ddprof_time);
+static void *call_serialize_without_gvl(void *call_args);
+
+void stack_recorder_init(VALUE profiling_module) {
+  stack_recorder_class = rb_define_class_under(profiling_module, "StackRecorder", rb_cObject);
+
+  // Instances of the StackRecorder class are going to be "TypedData" objects.
+  // "TypedData" objects are special objects in the Ruby VM that can wrap C structs.
+  // In our case, we're going to keep a libddprof profile reference inside our object.
+  //
+  // Because Ruby doesn't know how to initialize libddprof profiles, we MUST override the allocation function for objects
+  // of this class so that we can manage this part. Not overriding or disabling the allocation function is a common
+  // gotcha for "TypedData" objects that can very easily lead to VM crashes, see for instance
+  // https://bugs.ruby-lang.org/issues/18007 for a discussion around this.
+  rb_define_alloc_func(stack_recorder_class, _native_new);
+
+  rb_define_singleton_method(stack_recorder_class, "_native_serialize",  _native_serialize, 1);
+
+  ok_symbol = ID2SYM(rb_intern_const("ok"));
+  error_symbol = ID2SYM(rb_intern_const("error"));
+  ruby_time_from_id = rb_intern_const("ruby_time_from");
+}
+
+// This structure is used to define a Ruby object that stores a pointer to a ddprof_ffi_Profile instance
+// See also https://github.com/ruby/ruby/blob/master/doc/extension.rdoc for how this works
+static const rb_data_type_t stack_recorder_typed_data = {
+  .wrap_struct_name = "Datadog::Profiling::StackRecorder",
+  .function = {
+    .dfree = stack_recorder_typed_data_free,
+    .dsize = NULL, // We don't track profile memory usage (although it'd be cool if we did!)
+    // No need to provide dmark nor dcompact because we don't directly reference Ruby VALUEs from inside this object
+  },
+  .flags = RUBY_TYPED_FREE_IMMEDIATELY
+};
+
+static VALUE _native_new(VALUE klass) {
+  ddprof_ffi_Slice_value_type sample_types = {.ptr = enabled_value_types, .len = ENABLED_VALUE_TYPES_COUNT};
+
+  ddprof_ffi_Profile *profile = ddprof_ffi_Profile_new(sample_types, NULL /* Period is optional */);
+
+  return TypedData_Wrap_Struct(klass, &stack_recorder_typed_data, profile);
+}
+
+static void stack_recorder_typed_data_free(void *data) {
+  ddprof_ffi_Profile_free((ddprof_ffi_Profile *) data);
+}
+
+static VALUE _native_serialize(VALUE self, VALUE recorder_instance) {
+  ddprof_ffi_Profile *profile;
+  TypedData_Get_Struct(recorder_instance, ddprof_ffi_Profile, &stack_recorder_typed_data, profile);
+
+  // We'll release the Global VM Lock while we're calling serialize, so that the Ruby VM can continue to work while this
+  // is pending
+  struct call_serialize_without_gvl_arguments args = {.profile = profile, .serialize_ran = false};
+
+  // We use rb_thread_call_without_gvl2 for similar reasons as in http_transport.c: we don't want pending interrupts
+  // that cause exceptions to be raised to be processed as otherwise we can leak the serialized profile.
+  rb_thread_call_without_gvl2(call_serialize_without_gvl, &args, /* No interruption supported */ NULL, NULL);
+
+  // This weird corner case can happen if rb_thread_call_without_gvl2 returns immediately due to an interrupt
+  // without ever calling call_serialize_without_gvl. In this situation, we don't have anything to clean up, we can
+  // just return.
+  if (!args.serialize_ran) {
+    return rb_ary_new_from_args(2, error_symbol, rb_str_new_cstr("Interrupted before call_serialize_without_gvl ran"));
+  }
+
+  ddprof_ffi_SerializeResult serialized_profile = args.result;
+
+  if (serialized_profile.tag == DDPROF_FFI_SERIALIZE_RESULT_ERR) {
+    VALUE err_details = ruby_string_from_vec_u8(serialized_profile.err);
+    ddprof_ffi_SerializeResult_drop(serialized_profile);
+    return rb_ary_new_from_args(2, error_symbol, err_details);
+  }
+
+  VALUE encoded_pprof = ruby_string_from_vec_u8(serialized_profile.ok.buffer);
+
+  ddprof_ffi_Timespec ddprof_start = serialized_profile.ok.start;
+  ddprof_ffi_Timespec ddprof_finish = serialized_profile.ok.end;
+
+  // Clean up libddprof object to avoid leaking in case ruby_time_from raises an exception
+  ddprof_ffi_SerializeResult_drop(serialized_profile);
+
+  VALUE start = ruby_time_from(ddprof_start);
+  VALUE finish = ruby_time_from(ddprof_finish);
+
+  if (!ddprof_ffi_Profile_reset(profile)) return rb_ary_new_from_args(2, error_symbol, rb_str_new_cstr("Failed to reset profile"));
+
+  return rb_ary_new_from_args(2, ok_symbol, rb_ary_new_from_args(3, start, finish, encoded_pprof));
+}
+
+static VALUE ruby_time_from(ddprof_ffi_Timespec ddprof_time) {
+  #ifndef NO_RB_TIME_TIMESPEC_NEW // Modern Rubies
+    const int utc = INT_MAX - 1; // From Ruby sources
+    struct timespec time = {.tv_sec = ddprof_time.seconds, .tv_nsec = ddprof_time.nanoseconds};
+    return rb_time_timespec_new(&time, utc);
+  #else // Ruby < 2.3
+    return rb_funcall(stack_recorder_class, ruby_time_from_id, 2, LONG2NUM(ddprof_time.seconds), UINT2NUM(ddprof_time.nanoseconds));
+  #endif
+}
+
+void record_sample(VALUE recorder_instance, ddprof_ffi_Sample sample) {
+  ddprof_ffi_Profile *profile;
+  TypedData_Get_Struct(recorder_instance, ddprof_ffi_Profile, &stack_recorder_typed_data, profile);
+
+  ddprof_ffi_Profile_add(profile, sample);
+}
+
+static void *call_serialize_without_gvl(void *call_args) {
+  struct call_serialize_without_gvl_arguments *args = (struct call_serialize_without_gvl_arguments *) call_args;
+
+  args->result = ddprof_ffi_Profile_serialize(args->profile);
+  args->serialize_ran = true;
+
+  return NULL; // Unused
+}

data/ext/ddtrace_profiling_native_extension/stack_recorder.h

@@ -0,0 +1,28 @@
+#pragma once
+
+#include <ddprof/ffi.h>
+
+// Note: Please DO NOT use `VALUE_STRING` anywhere else, instead use `DDPROF_FFI_CHARSLICE_C`.
+// `VALUE_STRING` is only needed because older versions of gcc (4.9.2, used in our Ruby 2.1 and 2.2 CI test images)
+// tripped when compiling `enabled_value_types` using `-std=gnu99` due to the extra cast that is included in
+// `DDPROF_FFI_CHARSLICE_C` with the following error:
+//
+// ```
+// compiling ../../../../ext/ddtrace_profiling_native_extension/stack_recorder.c
+// ../../../../ext/ddtrace_profiling_native_extension/stack_recorder.c:23:1: error: initializer element is not constant
+// static const ddprof_ffi_ValueType enabled_value_types[] = {CPU_TIME_VALUE, CPU_SAMPLES_VALUE, WALL_TIME_VALUE};
+// ^
+// ```
+#define VALUE_STRING(string) {.ptr = "" string, .len = sizeof(string) - 1}
+
+#define      CPU_TIME_VALUE {.type_ = VALUE_STRING("cpu-time"),      .unit = VALUE_STRING("nanoseconds")}
+#define   CPU_SAMPLES_VALUE {.type_ = VALUE_STRING("cpu-samples"),   .unit = VALUE_STRING("count")}
+#define     WALL_TIME_VALUE {.type_ = VALUE_STRING("wall-time"),     .unit = VALUE_STRING("nanoseconds")}
+#define ALLOC_SAMPLES_VALUE {.type_ = VALUE_STRING("alloc-samples"), .unit = VALUE_STRING("count")}
+#define   ALLOC_SPACE_VALUE {.type_ = VALUE_STRING("alloc-space"),   .unit = VALUE_STRING("bytes")}
+#define    HEAP_SPACE_VALUE {.type_ = VALUE_STRING("heap-space"),    .unit = VALUE_STRING("bytes")}
+
+static const ddprof_ffi_ValueType enabled_value_types[] = {CPU_TIME_VALUE, CPU_SAMPLES_VALUE, WALL_TIME_VALUE};
+#define ENABLED_VALUE_TYPES_COUNT (sizeof(enabled_value_types) / sizeof(ddprof_ffi_ValueType))
+
+void record_sample(VALUE recorder_instance, ddprof_ffi_Sample sample);

data/lib/datadog/appsec/autoload.rb

@@ -4,13 +4,13 @@ if %w[1 true].include?((ENV['DD_APPSEC_ENABLED'] || '').downcase)
   begin
     require 'datadog/appsec'
   rescue StandardError => e
-    puts "AppSec failed to load. No security check will be performed. error: #{e.message}"
+    puts "AppSec failed to load. No security check will be performed. error: #{e.class.name} #{e.message}"
   end
 
   begin
     require 'datadog/appsec/contrib/auto_instrument'
     Datadog::AppSec::Contrib::AutoInstrument.patch_all
   rescue StandardError => e
-    puts "AppSec failed to instrument. No security check will be performed. error: #{e.message}"
+    puts "AppSec failed to instrument. No security check will be performed. error: #{e.class.name} #{e.message}"
   end
 end

data/lib/datadog/appsec/configuration/settings.rb

@@ -5,6 +5,7 @@ module Datadog
     module Configuration
       # Configuration settings, acting as an integration registry
       # TODO: as with Configuration, this is a trivial implementation
+      # rubocop:disable Metrics/ClassLength
       class Settings
         class << self
           def boolean
@@ -84,12 +85,19 @@ module Datadog
           # rubocop:enable Metrics/MethodLength
         end
 
+        # rubocop:disable Layout/LineLength
+        DEFAULT_OBFUSCATOR_KEY_REGEX = '(?i)(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?)key)|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)|bearer|authorization'.freeze
+        DEFAULT_OBFUSCATOR_VALUE_REGEX = '(?i)(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)(?:\s*=[^;]|"\s*:\s*"[^"]+")|bearer\s+[a-z0-9\._\-]+|token:[a-z0-9]{13}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\w=-]+\.ey[I-L][\w=-]+(?:\.[\w.+\/=-]+)?|[\-]{5}BEGIN[a-z\s]+PRIVATE\sKEY[\-]{5}[^\-]+[\-]{5}END[a-z\s]+PRIVATE\sKEY|ssh-rsa\s*[a-z0-9\/\.+]{100,}'.freeze
+        # rubocop:enable Layout/LineLength
+
         DEFAULTS = {
           enabled: false,
           ruleset: :recommended,
           waf_timeout: 5_000, # us
           waf_debug: false,
           trace_rate_limit: 100, # traces/s
+          obfuscator_key_regex: DEFAULT_OBFUSCATOR_KEY_REGEX,
+          obfuscator_value_regex: DEFAULT_OBFUSCATOR_VALUE_REGEX,
         }.freeze
 
         ENVS = {
@@ -98,6 +106,8 @@ module Datadog
           'DD_APPSEC_WAF_TIMEOUT' => [:waf_timeout, Settings.duration(:us)],
           'DD_APPSEC_WAF_DEBUG' => [:waf_debug, Settings.boolean],
           'DD_APPSEC_TRACE_RATE_LIMIT' => [:trace_rate_limit, Settings.integer],
+          'DD_APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP' => [:obfuscator_key_regex, Settings.string],
+          'DD_APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP' => [:obfuscator_value_regex, Settings.string],
         }.freeze
 
         Integration = Struct.new(:integration, :options)
@@ -131,6 +141,14 @@ module Datadog
           @options[:trace_rate_limit]
         end
 
+        def obfuscator_key_regex
+          @options[:obfuscator_key_regex]
+        end
+
+        def obfuscator_value_regex
+          @options[:obfuscator_value_regex]
+        end
+
         def [](integration_name)
           integration = Datadog::AppSec::Contrib::Integration.registry[integration_name]
 
@@ -170,6 +188,7 @@ module Datadog
           initialize
         end
       end
+      # rubocop:enable Metrics/ClassLength
     end
   end
 end

data/lib/datadog/appsec/configuration.rb

@@ -47,6 +47,14 @@ module Datadog
           options[:trace_rate_limit] = value
         end
 
+        def obfuscator_key_regex=(value)
+          options[:obfuscator_key_regex] = value
+        end
+
+        def obfuscator_value_regex=(value)
+          options[:obfuscator_value_regex] = value
+        end
+
         def [](key)
           found = @instruments.find { |e| e.name == key }
 

data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb

@@ -3,6 +3,7 @@
 require 'datadog/appsec/instrumentation/gateway'
 require 'datadog/appsec/reactive/operation'
 require 'datadog/appsec/contrib/rack/reactive/request'
+require 'datadog/appsec/contrib/rack/reactive/request_body'
 require 'datadog/appsec/contrib/rack/reactive/response'
 require 'datadog/appsec/event'
 
@@ -12,11 +13,10 @@ module Datadog
       module Rack
         module Gateway
           # Watcher for Rack gateway events
+          # rubocop:disable Metrics/ModuleLength
           module Watcher
             # rubocop:disable Metrics/AbcSize
-            # rubocop:disable Metrics/CyclomaticComplexity
             # rubocop:disable Metrics/MethodLength
-            # rubocop:disable Metrics/PerceivedComplexity
             def self.watch
               Instrumentation.gateway.watch('rack.request') do |stack, request|
                 block = false
@@ -24,18 +24,8 @@ module Datadog
                 waf_context = request.env['datadog.waf.context']
 
                 AppSec::Reactive::Operation.new('rack.request') do |op|
-                  # TODO: factor out
-                  if defined?(Datadog::Tracing) && Datadog::Tracing.respond_to?(:active_span)
-                    active_trace = Datadog::Tracing.active_trace
-                    active_span = Datadog::Tracing.active_span
-
-                    Datadog.logger.debug { "active span: #{active_span.span_id}" } if active_span
-
-                    if active_span
-                      active_span.set_tag('_dd.appsec.enabled', 1)
-                      active_span.set_tag('_dd.runtime_family', 'ruby')
-                    end
-                  end
+                  trace = active_trace
+                  span = active_span
 
                   Rack::Reactive::Request.subscribe(op, waf_context) do |action, result, _block|
                     record = [:block, :monitor].include?(action)
@@ -43,11 +33,13 @@ module Datadog
                       # TODO: should this hash be an Event instance instead?
                       event = {
                         waf_result: result,
-                        trace: active_trace,
-                        span: active_span,
+                        trace: trace,
+                        span: span,
                         request: request,
                         action: action
                       }
+
+                      waf_context.events << event
                     end
                   end
 
@@ -72,18 +64,8 @@ module Datadog
                 waf_context = response.instance_eval { @waf_context }
 
                 AppSec::Reactive::Operation.new('rack.response') do |op|
-                  # TODO: factor out
-                  if defined?(Datadog::Tracing) && Datadog::Tracing.respond_to?(:active_span)
-                    active_trace = Datadog::Tracing.active_trace
-                    active_span = Datadog::Tracing.active_span
-
-                    Datadog.logger.debug { "active span: #{active_span.span_id}" } if active_span
-
-                    if active_span
-                      active_span.set_tag('_dd.appsec.enabled', 1)
-                      active_span.set_tag('_dd.runtime_family', 'ruby')
-                    end
-                  end
+                  trace = active_trace
+                  span = active_span
 
                   Rack::Reactive::Response.subscribe(op, waf_context) do |action, result, _block|
                     record = [:block, :monitor].include?(action)
@@ -91,11 +73,13 @@ module Datadog
                       # TODO: should this hash be an Event instance instead?
                       event = {
                         waf_result: result,
-                        trace: active_trace,
-                        span: active_span,
+                        trace: trace,
+                        span: span,
                         response: response,
                         action: action
                       }
+
+                      waf_context.events << event
                     end
                   end
 
@@ -113,12 +97,71 @@ module Datadog
 
                 [ret, res]
               end
+
+              Instrumentation.gateway.watch('rack.request.body') do |stack, request|
+                block = false
+                event = nil
+                waf_context = request.env['datadog.waf.context']
+
+                AppSec::Reactive::Operation.new('rack.request.body') do |op|
+                  trace = active_trace
+                  span = active_span
+
+                  Rack::Reactive::RequestBody.subscribe(op, waf_context) do |action, result, _block|
+                    record = [:block, :monitor].include?(action)
+                    if record
+                      # TODO: should this hash be an Event instance instead?
+                      event = {
+                        waf_result: result,
+                        trace: trace,
+                        span: span,
+                        request: request,
+                        action: action
+                      }
+
+                      waf_context.events << event
+                    end
+                  end
+
+                  _action, _result, block = Rack::Reactive::RequestBody.publish(op, request)
+                end
+
+                next [nil, [[:block, event]]] if block
+
+                ret, res = stack.call(request)
+
+                if event
+                  res ||= []
+                  res << [:monitor, event]
+                end
+
+                [ret, res]
+              end
             end
-            # rubocop:enable Metrics/AbcSize
-            # rubocop:enable Metrics/CyclomaticComplexity
             # rubocop:enable Metrics/MethodLength
-            # rubocop:enable Metrics/PerceivedComplexity
+            # rubocop:enable Metrics/AbcSize
+
+            class << self
+              private
+
+              def active_trace
+                # TODO: factor out tracing availability detection
+
+                return unless defined?(Datadog::Tracing)
+
+                Datadog::Tracing.active_trace
+              end
+
+              def active_span
+                # TODO: factor out tracing availability detection
+
+                return unless defined?(Datadog::Tracing)
+
+                Datadog::Tracing.active_span
+              end
+            end
           end
+          # rubocop:enable Metrics/ModuleLength
         end
       end
     end

data/lib/datadog/appsec/contrib/rack/integration.rb

@@ -5,6 +5,7 @@ require 'datadog/appsec/contrib/integration'
 require 'datadog/appsec/contrib/rack/configuration/settings'
 require 'datadog/appsec/contrib/rack/patcher'
 require 'datadog/appsec/contrib/rack/request_middleware'
+require 'datadog/appsec/contrib/rack/request_body_middleware'
 
 module Datadog
   module AppSec

data/lib/datadog/appsec/contrib/rack/patcher.rb

@@ -1,7 +1,6 @@
 # typed: ignore
 
 require 'datadog/appsec/contrib/patcher'
-require 'datadog/appsec/contrib/rack/integration'
 require 'datadog/appsec/contrib/rack/gateway/watcher'
 
 module Datadog

data/lib/datadog/appsec/contrib/rack/reactive/request_body.rb

@@ -0,0 +1,64 @@
+# typed: true
+
+require 'datadog/appsec/contrib/rack/request'
+
+module Datadog
+  module AppSec
+    module Contrib
+      module Rack
+        module Reactive
+          # Dispatch data from a Rack request to the WAF context
+          module RequestBody
+            def self.publish(op, request)
+              catch(:block) do
+                # params have been parsed from the request body
+                op.publish('request.body', Rack::Request.form_hash(request))
+
+                nil
+              end
+            end
+
+            def self.subscribe(op, waf_context)
+              addresses = [
+                'request.body',
+              ]
+
+              op.subscribe(*addresses) do |*values|
+                Datadog.logger.debug { "reacted to #{addresses.inspect}: #{values.inspect}" }
+                body = values[0]
+
+                waf_args = {
+                  'server.request.body' => body,
+                }
+
+                waf_timeout = Datadog::AppSec.settings.waf_timeout
+                action, result = waf_context.run(waf_args, waf_timeout)
+
+                Datadog.logger.debug { "WAF TIMEOUT: #{result.inspect}" } if result.timeout
+
+                # TODO: encapsulate return array in a type
+                case action
+                when :monitor
+                  Datadog.logger.debug { "WAF: #{result.inspect}" }
+                  yield [action, result, false]
+                when :block
+                  Datadog.logger.debug { "WAF: #{result.inspect}" }
+                  yield [action, result, true]
+                  throw(:block, [action, result, true])
+                when :good
+                  Datadog.logger.debug { "WAF OK: #{result.inspect}" }
+                when :invalid_call
+                  Datadog.logger.debug { "WAF CALL ERROR: #{result.inspect}" }
+                when :invalid_rule, :invalid_flow, :no_rule
+                  Datadog.logger.debug { "WAF RULE ERROR: #{result.inspect}" }
+                else
+                  Datadog.logger.debug { "WAF UNKNOWN: #{action.inspect} #{result.inspect}" }
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/contrib/rack/request.rb

@@ -45,6 +45,12 @@ module Datadog
           def self.cookies(request)
             request.cookies
           end
+
+          def self.form_hash(request)
+            # usually Hash<String,String> but can be a more complex
+            # Hash<String,String||Array||Hash> when e.g coming from JSON
+            request.env['rack.request.form_hash']
+          end
         end
       end
     end

data/lib/datadog/appsec/contrib/rack/request_body_middleware.rb

@@ -0,0 +1,41 @@
+# typed: ignore
+
+require 'datadog/appsec/instrumentation/gateway'
+require 'datadog/appsec/assets'
+
+module Datadog
+  module AppSec
+    module Contrib
+      module Rack
+        # Rack request body middleware for AppSec
+        # This should be inserted just below Rack::JSONBodyParser or
+        # legacy Rack::PostBodyContentTypeParser from rack-contrib
+        class RequestBodyMiddleware
+          def initialize(app, opt = {})
+            @app = app
+          end
+
+          def call(env)
+            context = env['datadog.waf.context']
+
+            return @app.call(env) unless context
+
+            # TODO: handle exceptions, except for @app.call
+
+            request = ::Rack::Request.new(env)
+
+            request_return, request_response = Instrumentation.gateway.push('rack.request.body', request) do
+              @app.call(env)
+            end
+
+            if request_response && request_response.any? { |action, _event| action == :block }
+              request_return = [403, { 'Content-Type' => 'text/html' }, [Datadog::AppSec::Assets.blocked]]
+            end
+
+            request_return
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/contrib/rack/request_middleware.rb

@@ -1,5 +1,7 @@
 # typed: ignore
 
+require 'json'
+
 require 'datadog/appsec/instrumentation/gateway'
 require 'datadog/appsec/processor'
 require 'datadog/appsec/assets'
@@ -14,6 +16,7 @@ module Datadog
           def initialize(app, opt = {})
             @app = app
 
+            @oneshot_tags_sent = false
             @processor = Datadog::AppSec::Processor.new
           end
 
@@ -27,6 +30,8 @@ module Datadog
             env['datadog.waf.context'] = context
             request = ::Rack::Request.new(env)
 
+            add_appsec_tags
+
             request_return, request_response = Instrumentation.gateway.push('rack.request', request) do
               @app.call(env)
             end
@@ -40,15 +45,65 @@ module Datadog
               @waf_context = context
             end
 
-            _, response_response = Instrumentation.gateway.push('rack.response', response)
+            _response_return, _response_response = Instrumentation.gateway.push('rack.response', response)
 
-            request_response.each { |_, e| e.merge!(response: response) } if request_response
-            response_response.each { |_, e| e.merge!(request: request) } if response_response
-            both_response = (request_response || []) + (response_response || [])
+            context.events.each do |e|
+              e[:response] ||= response
+              e[:request]  ||= request
+            end
 
-            AppSec::Event.record(*both_response.map { |_action, event| event }) if both_response.any?
+            AppSec::Event.record(*context.events)
 
             request_return
+          ensure
+            add_waf_runtime_tags(context) if context
+          end
+
+          private
+
+          def active_trace
+            # TODO: factor out tracing availability detection
+
+            return unless defined?(Datadog::Tracing)
+
+            Datadog::Tracing.active_trace
+          end
+
+          def add_appsec_tags
+            return unless active_trace
+
+            active_trace.set_tag('_dd.appsec.enabled', 1)
+            active_trace.set_tag('_dd.runtime_family', 'ruby')
+            active_trace.set_tag('_dd.appsec.waf.version', Datadog::AppSec::WAF::VERSION::BASE_STRING)
+
+            if @processor.ruleset_info
+              active_trace.set_tag('_dd.appsec.event_rules.version', @processor.ruleset_info[:version])
+
+              unless @oneshot_tags_sent
+                # Small race condition, but it's inoccuous: worst case the tags
+                # are sent a couple of times more than expected
+                @oneshot_tags_sent = true
+
+                active_trace.set_tag('_dd.appsec.event_rules.loaded', @processor.ruleset_info[:loaded].to_f)
+                active_trace.set_tag('_dd.appsec.event_rules.error_count', @processor.ruleset_info[:failed].to_f)
+                active_trace.set_tag('_dd.appsec.event_rules.errors', JSON.dump(@processor.ruleset_info[:errors]))
+                active_trace.set_tag('_dd.appsec.event_rules.addresses', JSON.dump(@processor.addresses))
+
+                # Ensure these tags reach the backend
+                active_trace.keep!
+              end
+            end
+          end
+
+          def add_waf_runtime_tags(context)
+            return unless active_trace
+            return unless context
+
+            active_trace.set_tag('_dd.appsec.waf.timeouts', context.timeouts)
+
+            # these tags expect time in us
+            active_trace.set_tag('_dd.appsec.waf.duration', context.time_ns / 1000.0)
+            active_trace.set_tag('_dd.appsec.waf.duration_ext', context.time_ext_ns / 1000.0)
           end
         end
       end