RubyGems - ddtrace - Versions diffs - 1.10.1 → 1.11.0.beta1 - Mend

ddtrace 1.10.1 → 1.11.0.beta1

Files changed (352) hide show

data/lib/datadog/appsec/contrib/rack/configuration/settings.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative '../../configuration/settings'
 require_relative '../ext'

data/lib/datadog/appsec/contrib/rack/gateway/request.rb CHANGED Viewed

@@ -14,7 +14,7 @@ module Datadog
             attr_reader :env
             def initialize(env)
-              super
+              super()
               @env = env
             end
@@ -33,20 +33,9 @@ module Datadog
               end
             end
-            # Rack < 2.0 does not have :each_header
-            # TODO: We need access to Rack here. We must make sure we are able to load AppSec without Rack,
-            # TODO: while still ensure correctness in ths code path.
-            if defined?(::Rack) && ::Rack::Request.instance_methods.include?(:each_header)
-              def headers
-                request.each_header.each_with_object({}) do |(k, v), h|
-                  h[k.gsub(/^HTTP_/, '').downcase.tr('_', '-')] = v if k =~ /^HTTP_/
-                end
-              end
-            else
-              def headers
-                request.env.each_with_object({}) do |(k, v), h|
-                  h[k.gsub(/^HTTP_/, '').downcase.tr('_', '-')] = v if k =~ /^HTTP_/
-                end
+            def headers
+              request.env.each_with_object({}) do |(k, v), h|
+                h[k.gsub(/^HTTP_/, '').downcase.tr('_', '-')] = v if k =~ /^HTTP_/
               end
             end

data/lib/datadog/appsec/contrib/rack/gateway/response.rb CHANGED Viewed

@@ -12,7 +12,7 @@ module Datadog
             attr_reader :body, :status, :headers, :active_context
             def initialize(body, status, headers, active_context:)
-              super
+              super()
               @body = body
               @status = status
               @headers = headers.each_with_object({}) { |(k, v), h| h[k.downcase] = v }

data/lib/datadog/appsec/contrib/rack/patcher.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative '../patcher'
 require_relative '../../monitor'
 require_relative 'gateway/watcher'

data/lib/datadog/appsec/contrib/rack/reactive/response.rb CHANGED Viewed

@@ -9,12 +9,14 @@ module Datadog
           module Response
             ADDRESSES = [
               'response.status',
+              'response.headers',
             ].freeze
             private_constant :ADDRESSES
             def self.publish(op, gateway_response)
               catch(:block) do
                 op.publish('response.status', gateway_response.status)
+                op.publish('response.headers', gateway_response.headers)
                 nil
               end
@@ -25,9 +27,13 @@ module Datadog
                 Datadog.logger.debug { "reacted to #{ADDRESSES.inspect}: #{values.inspect}" }
                 response_status = values[0]
+                response_headers = values[1]
+                response_headers_no_cookies = response_headers.dup.tap { |h| h.delete('set-cookie') }
                 waf_args = {
                   'server.response.status' => response_status.to_s,
+                  'server.response.headers' => response_headers,
+                  'server.response.headers.no_cookies' => response_headers_no_cookies,
                 }
                 waf_timeout = Datadog::AppSec.settings.waf_timeout

data/lib/datadog/appsec/contrib/rack/request_middleware.rb CHANGED Viewed

@@ -23,17 +23,30 @@ module Datadog
             @oneshot_tags_sent = false
           end
+          # rubocop:disable Metrics/AbcSize,Metrics/PerceivedComplexity,Metrics/CyclomaticComplexity,Metrics/MethodLength
           def call(env)
             return @app.call(env) unless Datadog::AppSec.enabled?
+            Datadog::Core::Remote.active_remote.barrier(:once) unless Datadog::Core::Remote.active_remote.nil?
             processor = Datadog::AppSec.processor
-            return @app.call(env) if processor.nil? || !processor.ready?
+            processor = nil
+            ready = false
+            context = nil
+            Datadog::AppSec.reconfigure_lock do
+              processor = Datadog::AppSec.processor
+              if !processor.nil? && processor.ready?
+                context = processor.activate_context
+                env['datadog.waf.context'] = context
+                ready = true
+              end
+            end
             # TODO: handle exceptions, except for @app.call
-            context = processor.activate_context
-            env['datadog.waf.context'] = context
+            return @app.call(env) unless ready
             gateway_request = Gateway::Request.new(env)
@@ -76,6 +89,7 @@ module Datadog
               processor.deactivate_context
             end
           end
+          # rubocop:enable Metrics/AbcSize,Metrics/PerceivedComplexity,Metrics/CyclomaticComplexity,Metrics/MethodLength
           private

data/lib/datadog/appsec/contrib/rails/configuration/settings.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative '../../configuration/settings'
 require_relative '../ext'

data/lib/datadog/appsec/contrib/rails/framework.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Datadog
   module AppSec
     module Contrib

data/lib/datadog/appsec/contrib/rails/gateway/request.rb CHANGED Viewed

@@ -12,7 +12,7 @@ module Datadog
             attr_reader :request
             def initialize(request)
-              super
+              super()
               @request = request
             end

data/lib/datadog/appsec/contrib/rails/request.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Datadog
   module AppSec
     module Contrib

data/lib/datadog/appsec/contrib/rails/request_middleware.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Datadog
   module AppSec
     module Contrib

data/lib/datadog/appsec/contrib/sinatra/configuration/settings.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative '../../configuration/settings'
 require_relative '../ext'

data/lib/datadog/appsec/contrib/sinatra/framework.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Datadog
   module AppSec
     module Contrib

data/lib/datadog/appsec/contrib/sinatra/gateway/route_params.rb CHANGED Viewed

@@ -12,7 +12,7 @@ module Datadog
             attr_reader :params
             def initialize(params)
-              super
+              super()
               @params = params
             end
           end

data/lib/datadog/appsec/contrib/sinatra/request_middleware.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Datadog
   module AppSec
     module Contrib

data/lib/datadog/appsec/extensions.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require_relative 'configuration'
 module Datadog

data/lib/datadog/appsec/instrumentation/gateway/argument.rb CHANGED Viewed

@@ -5,16 +5,14 @@ module Datadog
     module Instrumentation
       class Gateway
         # Base class for Gateway Arguments
-        class Argument
-          def initialize(*); end
-        end
+        class Argument; end # rubocop:disable Lint/EmptyClass
         # Gateway User argument
         class User < Argument
           attr_reader :id
           def initialize(id)
-            super
+            super()
             @id = id
           end
         end

data/lib/datadog/appsec/processor/rule_loader.rb ADDED Viewed

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+require_relative '../assets'
+module Datadog
+  module AppSec
+    class Processor
+      # RuleLoader utility modules
+      # that load appsec rules and data from  settings
+      module RuleLoader
+        class << self
+          def load_rules(ruleset:)
+            begin
+              case ruleset
+              when :recommended, :strict
+                JSON.parse(Datadog::AppSec::Assets.waf_rules(ruleset))
+              when :risky
+                Datadog.logger.warn(
+                  'The :risky Application Security Management ruleset has been deprecated and no longer available.'\
+                  'The `:recommended` ruleset will be used instead.'\
+                  'Please remove the `appsec.ruleset = :risky` setting from your Datadog.configure block.'
+                )
+                JSON.parse(Datadog::AppSec::Assets.waf_rules(:recommended))
+              when String
+                JSON.parse(File.read(File.expand_path(ruleset)))
+              when File, StringIO
+                JSON.parse(ruleset.read || '').tap { ruleset.rewind }
+              when Hash
+                ruleset
+              else
+                raise ArgumentError, "unsupported value for ruleset setting: #{ruleset.inspect}"
+              end
+            rescue StandardError => e
+              Datadog.logger.error do
+                "libddwaf ruleset failed to load, ruleset: #{ruleset.inspect} error: #{e.inspect}"
+              end
+              nil
+            end
+          end
+          def load_data(ip_denylist: [], user_id_denylist: [])
+            data = []
+            data << { 'rules_data' => [denylist_data('blocked_ips', ip_denylist)] } if ip_denylist.any?
+            data << { 'rules_data' => [denylist_data('blocked_users', user_id_denylist)] } if user_id_denylist.any?
+            data.any? ? data : nil
+          end
+          private
+          def denylist_data(id, denylist)
+            {
+              'id' => id,
+              'type' => 'data_with_expiration',
+              'data' => denylist.map { |v| { 'value' => v.to_s, 'expiration' => 2**63 } }
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/processor/rule_merger.rb ADDED Viewed

@@ -0,0 +1,146 @@
+# frozen_string_literal: true
+module Datadog
+  module AppSec
+    class Processor
+      # RuleMerger merge different sources of information
+      # into the rules payload
+      module RuleMerger
+        # RuleVersionMismatchError
+        class RuleVersionMismatchError < StandardError
+          def initialize(version1, version2)
+            msg = 'Merging rule files with different version could lead to unkown behaviour. '\
+              "We have receieve two rule files with versions: #{version1}, #{version2}. "\
+              'Please validate the configuration is correct and try again.'
+            super(msg)
+          end
+        end
+        class << self
+          def merge(rules:, data: nil, overrides: nil, exclusions: nil)
+            combined_rules = combine_rules(rules)
+            rules_data = combine_data(data) if data
+            rules_overrides = combine_overrides(overrides) if overrides
+            rules_exclusions = combine_exclusions(exclusions) if exclusions
+            combined_rules['rules_data'] = rules_data if rules_data
+            combined_rules['rules_override'] = rules_overrides if rules_overrides
+            combined_rules['exclusions'] = rules_exclusions if rules_exclusions
+            combined_rules
+          end
+          private
+          def combine_rules(rules)
+            return rules[0].dup if rules.size == 1
+            final_rules = []
+            # @type var final_version: ::String
+            final_version = (_ = nil)
+            rules.each do |rule_file|
+              version = rule_file['version']
+              if version && !final_version
+                final_version = version
+              elsif final_version != version
+                raise RuleVersionMismatchError.new(final_version, version)
+              end
+              final_rules.concat(rule_file['rules'])
+            end
+            {
+              'version' => final_version,
+              'rules' => final_rules
+            }
+          end
+          def combine_data(data)
+            result = []
+            data.each do |data_entry|
+              data_entry['rules_data'].each do |value|
+                existing_data = result.find { |x| x['id'] == value['id'] }
+                if existing_data && existing_data['type'] == value['type']
+                  # Duplicate entry base on type and id
+                  # We need to merge the existing data with the new one
+                  # and make sure to remove duplicates
+                  merged_data = merge_data_base_on_expiration(existing_data['data'], value['data'])
+                  existing_data['data'] = merged_data
+                else
+                  result << value
+                end
+              end
+            end
+            return unless result.any?
+            result
+          end
+          def merge_data_base_on_expiration(data1, data2)
+            result = data1.each_with_object({}) do |value, acc|
+              acc[value['value']] = value['expiration']
+            end
+            data2.each do |data|
+              if result.key?(data['value'])
+                # The value is duplicated so we need to keep
+                # the one with the highest expiration value
+                # We replace it if the expiration is higher than the current one
+                # or if no experiration
+                current_expiration = result[data['value']]
+                new_expiration = data['expiration']
+                if new_expiration.nil? || current_expiration && new_expiration > current_expiration
+                  result[data['value']] = new_expiration
+                end
+              else
+                result[data['value']] = data['expiration']
+              end
+            end
+            result.each_with_object([]) do |entry, acc|
+              value = { 'value' => entry[0] }
+              value['expiration'] = entry[1] if entry[1]
+              acc << value
+            end
+          end
+          def combine_overrides(overrides)
+            rules_override = []
+            overrides.each do |override|
+              override['rules_override'].each do |rule_override|
+                rules_override << rule_override
+              end
+            end
+            return if rules_override.empty?
+            rules_override
+          end
+          def combine_exclusions(exclusions)
+            rules_exclusions = []
+            exclusions.each do |exclusion|
+              exclusion['exclusions'].each do |rule_exclusion|
+                rules_exclusions << rule_exclusion
+              end
+            end
+            return if rules_exclusions.empty?
+            rules_exclusions
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/processor.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-require_relative 'assets'
+# frozen_string_literal: true
 module Datadog
   module AppSec
@@ -14,22 +14,28 @@ module Datadog
           @time_ext_ns = 0.0
           @timeouts = 0
           @events = []
+          @run_mutex = Mutex.new
         end
         def run(input, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
+          @run_mutex.lock
           start_ns = Core::Utils::Time.get_time(:nanosecond)
+          # this WAF::Context#run call is not thread safe as it mutates the context
           # TODO: remove multiple assignment
-          _code, res = _ = @context.run(input, timeout)
-          # @type var res: WAF::Result
+          _code, res = @context.run(input, timeout)
           stop_ns = Core::Utils::Time.get_time(:nanosecond)
+          # these updates are not thread safe and should be protected
           @time_ns += res.total_runtime
           @time_ext_ns += (stop_ns - start_ns)
           @timeouts += 1 if res.timeout
           res
+        ensure
+          @run_mutex.unlock
         end
         def finalize
@@ -63,22 +69,18 @@ module Datadog
       attr_reader :ruleset_info, :addresses
-      def initialize
+      def initialize(ruleset:)
         @ruleset_info = nil
         @addresses = []
         settings = Datadog::AppSec.settings
-        unless load_libddwaf && load_ruleset(settings) && create_waf_handle(settings)
+        unless load_libddwaf && create_waf_handle(settings, ruleset)
           Datadog.logger.warn { 'AppSec is disabled, see logged errors above' }
-          return
         end
-        apply_denylist_data(settings)
       end
       def ready?
-        !@ruleset.nil? && !@handle.nil?
+        !@handle.nil?
       end
       def new_context
@@ -102,14 +104,6 @@ module Datadog
         context.finalize
       end
-      def update_rule_data(data)
-        @handle.update_rule_data(data)
-      end
-      def toggle_rules(map)
-        @handle.toggle_rules(map)
-      end
       def finalize
         @handle.finalize
       end
@@ -120,61 +114,11 @@ module Datadog
       private
-      def apply_denylist_data(settings)
-        ruledata_setting = []
-        ruledata_setting << denylist_data('blocked_ips', settings.ip_denylist)
-        ruledata_setting << denylist_data('blocked_users', settings.user_id_denylist)
-        update_rule_data(ruledata_setting)
-      end
-      def denylist_data(id, denylist)
-        {
-          'id' => id,
-          'type' => 'data_with_expiration',
-          'data' => denylist.map { |v| { 'value' => v.to_s, 'expiration' => 2**63 } }
-        }
-      end
       def load_libddwaf
         Processor.require_libddwaf && Processor.libddwaf_provides_waf?
       end
-      def load_ruleset(settings)
-        ruleset_setting = settings.ruleset
-        begin
-          @ruleset = case ruleset_setting
-                     when :recommended, :strict
-                       JSON.parse(Datadog::AppSec::Assets.waf_rules(ruleset_setting))
-                     when :risky
-                       JSON.parse(Datadog::AppSec::Assets.waf_rules(:recommended))
-                       Datadog.logger.warn(
-                         'The :risky Application Security Management ruleset has been deprecated and no longer available.'\
-                         'The `:recommended` ruleset will be used instead.'\
-                         'Please remove the `appsec.ruleset = :risky` setting from your Datadog.configure block.'
-                       )
-                     when String
-                       JSON.parse(File.read(ruleset_setting))
-                     when File, StringIO
-                       JSON.parse(ruleset_setting.read || '').tap { ruleset_setting.rewind }
-                     when Hash
-                       ruleset_setting
-                     else
-                       raise ArgumentError, "unsupported value for ruleset setting: #{ruleset_setting.inspect}"
-                     end
-          true
-        rescue StandardError => e
-          Datadog.logger.error do
-            "libddwaf ruleset failed to load, ruleset: #{ruleset_setting.inspect} error: #{e.inspect}"
-          end
-          false
-        end
-      end
-      def create_waf_handle(settings)
+      def create_waf_handle(settings, ruleset)
         # TODO: this may need to be reset if the main Datadog logging level changes after initialization
         Datadog::AppSec::WAF.logger = Datadog.logger if Datadog.logger.debug? && settings.waf_debug
@@ -182,7 +126,8 @@ module Datadog
           key_regex: settings.obfuscator_key_regex,
           value_regex: settings.obfuscator_value_regex,
         }
-        @handle = Datadog::AppSec::WAF::Handle.new(@ruleset, obfuscator: obfuscator_config)
+        @handle = Datadog::AppSec::WAF::Handle.new(ruleset, obfuscator: obfuscator_config)
         @ruleset_info = @handle.ruleset_info
         @addresses = @handle.required_addresses