RubyGems - ddtrace - Versions diffs - 1.11.1 → 1.12.0 - Mend

ddtrace 1.11.1 → 1.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (110) hide show

data/lib/datadog/appsec/assets/waf_rules/strict.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": "2.2",
   "metadata": {
-    "rules_version": "1.5.2"
+    "rules_version": "1.7.0"
   },
   "rules": [
     {
@@ -24,96 +24,51 @@
               }
             ],
             "list": [
-              "",
               "(hydra)",
-              ".nasl",
               "absinthe",
-              "advanced email extractor",
-              "arachni/",
               "autogetcontent",
               "bilbo",
               "bfac",
-              "brutus",
-              "brutus/aet",
-              "bsqlbf",
-              "cgichk",
               "cisco-torch",
-              "commix",
               "core-project/1.0",
               "crimscanner/",
               "datacha0s",
-              "detectify",
-              "dirbuster",
               "domino hunter",
               "dotdotpwn",
               "email extractor",
               "fhscan core 1.",
               "floodgate",
-              "fuzz faster u fool",
               "f-secure radar",
               "get-minimal",
-              "gobuster",
               "gootkit auto-rooter scanner",
               "grabber",
               "grendel-scan",
-              "havij",
               "inspath",
               "internet ninja",
-              "jaascois",
-              "jorgee",
               "masscan",
-              "metis",
               "morfeus fucking scanner",
               "mysqloit",
-              "n-stealth",
-              "nessus",
-              "netsparker",
-              "nikto",
-              "nmap nse",
-              "nmap scripting engine",
-              "nmap-nse",
-              "nsauditor",
-              "nuclei",
-              "openvas",
-              "pangolin",
-              "paros",
-              "pmafind",
               "prog.customcrawler",
               "qqgamehall",
-              "qualys was",
               "s.t.a.l.k.e.r.",
-              "security scan",
               "springenwerk",
               "sql power injector",
-              "sqlmap",
-              "sqlninja",
               "struts-pwn",
               "sysscan",
               "tbi-webscanner",
               "teh forest lobster",
-              "this is an exploit",
               "toata dragostea",
-              "toata dragostea mea pentru diavola",
               "uil2pn",
               "user-agent:",
               "vega/",
               "voideye",
-              "w3af.sf.net",
-              "w3af.sourceforge.net",
-              "w3af.org",
               "webbandit",
-              "webinspect",
               "webshag",
-              "webtrends security analyzer",
               "webvulnscan",
-              "wfuzz",
               "whatweb",
               "whcc/",
               "wordpress hash grabber",
-              "wpscan",
-              "xmlrpc exploit",
-              "zgrab",
-              "zmeu"
+              "xmlrpc exploit"
             ]
           },
           "operator": "phrase_match"

data/lib/datadog/appsec/configuration/settings.rb CHANGED Viewed

@@ -116,7 +116,7 @@ module Datadog
         }.freeze
         # Struct constant whisker cast for Steep
-        Integration = _ = Struct.new(:integration, :options) # rubocop:disable Naming/ConstantName
+        Integration = _ = Struct.new(:integration) # rubocop:disable Naming/ConstantName
         def initialize
           @integrations = []
@@ -181,14 +181,6 @@ module Datadog
           _ = @options[:obfuscator_value_regex]
         end
-        def [](integration_name)
-          integration = Datadog::AppSec::Contrib::Integration.registry[integration_name]
-          raise ArgumentError, "'#{integration_name}' is not a valid integration." unless integration
-          integration.options
-        end
         def merge(dsl)
           dsl.options.each do |k, v|
             unless v.nil?
@@ -203,7 +195,7 @@ module Datadog
           dsl.instruments.each do |instrument|
             # TODO: error handling
             registered_integration = Datadog::AppSec::Contrib::Integration.registry[instrument.name]
-            @integrations << Integration.new(registered_integration, instrument.options)
+            @integrations << Integration.new(registered_integration)
             # TODO: move to a separate apply step
             klass = registered_integration.klass

data/lib/datadog/appsec/configuration.rb CHANGED Viewed

@@ -15,7 +15,7 @@ module Datadog
       # Configuration DSL implementation
       class DSL
         # Struct constant whisker cast for Steep
-        Instrument = _ = Struct.new(:name, :options) # rubocop:disable Naming/ConstantName
+        Instrument = _ = Struct.new(:name) # rubocop:disable Naming/ConstantName
         def initialize
           @instruments = []
@@ -24,8 +24,8 @@ module Datadog
         attr_reader :instruments, :options
-        def instrument(name, options = {})
-          @instruments << Instrument.new(name, options)
+        def instrument(name)
+          @instruments << Instrument.new(name)
         end
         def enabled=(value)
@@ -64,12 +64,6 @@ module Datadog
         def obfuscator_value_regex=(value)
           options[:obfuscator_value_regex] = value
         end
-        def [](key)
-          found = @instruments.find { |e| e.name == key }
-          found.options if found
-        end
       end
       # class-level methods for Configuration

data/lib/datadog/appsec/contrib/rack/ext.rb CHANGED Viewed

@@ -5,7 +5,6 @@ module Datadog
         # Rack integration constants
         module Ext
           APP = 'rack'.freeze
-          ENV_ENABLED = 'DD_TRACE_RACK_ENABLED'.freeze # TODO: DD_APPSEC?
         end
       end
     end

data/lib/datadog/appsec/contrib/rack/gateway/request.rb CHANGED Viewed

@@ -33,6 +33,10 @@ module Datadog
               end
             end
+            def method
+              request.request_method
+            end
             def headers
               request.env.each_with_object({}) do |(k, v), h|
                 h[k.gsub(/^HTTP_/, '').downcase.tr('_', '-')] = v if k =~ /^HTTP_/
@@ -47,6 +51,14 @@ module Datadog
               request.url
             end
+            def fullpath
+              request.fullpath
+            end
+            def path
+              request.path
+            end
             def cookies
               request.cookies
             end

data/lib/datadog/appsec/contrib/rack/gateway/response.rb CHANGED Viewed

@@ -9,14 +9,14 @@ module Datadog
         module Gateway
           # Gateway Response argument.
           class Response < Instrumentation::Gateway::Argument
-            attr_reader :body, :status, :headers, :active_context
+            attr_reader :body, :status, :headers, :scope
-            def initialize(body, status, headers, active_context:)
+            def initialize(body, status, headers, scope:)
               super()
               @body = body
               @status = status
               @headers = headers.each_with_object({}) { |(k, v), h| h[k.downcase] = v }
-              @active_context = active_context
+              @scope = scope
             end
             def response

data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb CHANGED Viewed

@@ -25,13 +25,13 @@ module Datadog
                 gateway.watch('rack.request', :appsec) do |stack, gateway_request|
                   block = false
                   event = nil
-                  waf_context = gateway_request.env['datadog.waf.context']
+                  scope = gateway_request.env[Datadog::AppSec::Ext::SCOPE_KEY]
                   AppSec::Reactive::Operation.new('rack.request') do |op|
                     trace = active_trace
                     span = active_span
-                    Rack::Reactive::Request.subscribe(op, waf_context) do |result, _block|
+                    Rack::Reactive::Request.subscribe(op, scope.processor_context) do |result, _block|
                       if result.status == :match
                         # TODO: should this hash be an Event instance instead?
                         event = {
@@ -44,7 +44,7 @@ module Datadog
                         span.set_tag('appsec.event', 'true') if span
-                        waf_context.events << event
+                        scope.processor_context.events << event
                       end
                     end
@@ -68,13 +68,13 @@ module Datadog
                 gateway.watch('rack.response', :appsec) do |stack, gateway_response|
                   block = false
                   event = nil
-                  waf_context = gateway_response.active_context
+                  scope = gateway_response.scope
                   AppSec::Reactive::Operation.new('rack.response') do |op|
                     trace = active_trace
                     span = active_span
-                    Rack::Reactive::Response.subscribe(op, waf_context) do |result, _block|
+                    Rack::Reactive::Response.subscribe(op, scope.processor_context) do |result, _block|
                       if result.status == :match
                         # TODO: should this hash be an Event instance instead?
                         event = {
@@ -87,7 +87,7 @@ module Datadog
                         span.set_tag('appsec.event', 'true') if span
-                        waf_context.events << event
+                        scope.processor_context.events << event
                       end
                     end
@@ -111,13 +111,13 @@ module Datadog
                 gateway.watch('rack.request.body', :appsec) do |stack, gateway_request|
                   block = false
                   event = nil
-                  waf_context = gateway_request.env['datadog.waf.context']
+                  scope = gateway_request.env[Datadog::AppSec::Ext::SCOPE_KEY]
                   AppSec::Reactive::Operation.new('rack.request.body') do |op|
                     trace = active_trace
                     span = active_span
-                    Rack::Reactive::RequestBody.subscribe(op, waf_context) do |result, _block|
+                    Rack::Reactive::RequestBody.subscribe(op, scope.processor_context) do |result, _block|
                       if result.status == :match
                         # TODO: should this hash be an Event instance instead?
                         event = {
@@ -130,7 +130,7 @@ module Datadog
                         span.set_tag('appsec.event', 'true') if span
-                        waf_context.events << event
+                        scope.processor_context.events << event
                       end
                     end

data/lib/datadog/appsec/contrib/rack/integration.rb CHANGED Viewed

@@ -1,6 +1,5 @@
 require_relative '../integration'
-require_relative 'configuration/settings'
 require_relative 'patcher'
 require_relative 'request_middleware'
 require_relative 'request_body_middleware'
@@ -33,10 +32,6 @@ module Datadog
             false
           end
-          def default_configuration
-            Configuration::Settings.new
-          end
           def patcher
             Patcher
           end

data/lib/datadog/appsec/contrib/rack/reactive/request.rb CHANGED Viewed

@@ -13,6 +13,7 @@ module Datadog
               'request.query',
               'request.cookies',
               'request.client_ip',
+              'server.request.method'
             ].freeze
             private_constant :ADDRESSES
@@ -20,14 +21,16 @@ module Datadog
               catch(:block) do
                 op.publish('request.query', gateway_request.query)
                 op.publish('request.headers', gateway_request.headers)
-                op.publish('request.uri.raw', gateway_request.url)
+                op.publish('request.uri.raw', gateway_request.fullpath)
                 op.publish('request.cookies', gateway_request.cookies)
                 op.publish('request.client_ip', gateway_request.client_ip)
+                op.publish('server.request.method', gateway_request.method)
                 nil
               end
             end
+            # rubocop:disable Metrics/MethodLength
             def self.subscribe(op, waf_context)
               op.subscribe(*ADDRESSES) do |*values|
                 Datadog.logger.debug { "reacted to #{ADDRESSES.inspect}: #{values.inspect}" }
@@ -37,6 +40,7 @@ module Datadog
                 query = values[2]
                 cookies = values[3]
                 client_ip = values[4]
+                request_method = values[5]
                 waf_args = {
                   'server.request.cookies' => cookies,
@@ -45,6 +49,7 @@ module Datadog
                   'server.request.headers' => headers,
                   'server.request.headers.no_cookies' => headers_no_cookies,
                   'http.client_ip' => client_ip,
+                  'server.request.method' => request_method,
                 }
                 waf_timeout = Datadog::AppSec.settings.waf_timeout
@@ -71,6 +76,7 @@ module Datadog
                   Datadog.logger.debug { "WAF UNKNOWN: #{result.status.inspect} #{result.inspect}" }
                 end
               end
+              # rubocop:enable Metrics/MethodLength
             end
           end
         end

data/lib/datadog/appsec/contrib/rack/request_body_middleware.rb CHANGED Viewed

@@ -17,7 +17,7 @@ module Datadog
           end
           def call(env)
-            context = env['datadog.waf.context']
+            context = env[Datadog::AppSec::Ext::SCOPE_KEY]
             return @app.call(env) unless context

data/lib/datadog/appsec/contrib/rack/request_middleware.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'json'
 require_relative 'gateway/request'
 require_relative 'gateway/response'
-require_relative '../../ext'
 require_relative '../../instrumentation/gateway'
 require_relative '../../processor'
 require_relative '../../response'
@@ -23,7 +22,7 @@ module Datadog
             @oneshot_tags_sent = false
           end
-          # rubocop:disable Metrics/PerceivedComplexity,Metrics/CyclomaticComplexity,Metrics/MethodLength
+          # rubocop:disable Metrics/AbcSize,Metrics/PerceivedComplexity,Metrics/CyclomaticComplexity,Metrics/MethodLength
           def call(env)
             return @app.call(env) unless Datadog::AppSec.enabled?
@@ -31,14 +30,19 @@ module Datadog
             processor = nil
             ready = false
-            context = nil
+            scope = nil
+            # For a given request, keep using the first Rack stack scope for
+            # nested apps. Don't set `context` local variable so that on popping
+            # out of this nested stack we don't finalize the parent's context
+            return @app.call(env) if active_scope(env)
             Datadog::AppSec.reconfigure_lock do
               processor = Datadog::AppSec.processor
               if !processor.nil? && processor.ready?
-                context = processor.activate_context
-                env['datadog.waf.context'] = context
+                scope = Datadog::AppSec::Scope.activate_scope(active_trace, active_span, processor)
+                env[Datadog::AppSec::Ext::SCOPE_KEY] = scope
                 ready = true
               end
             end
@@ -65,17 +69,17 @@ module Datadog
               request_return[2],
               request_return[0],
               request_return[1],
-              active_context: context
+              scope: scope
             )
             _response_return, response_response = Instrumentation.gateway.push('rack.response', gateway_response)
-            context.events.each do |e|
+            scope.processor_context.events.each do |e|
               e[:response] ||= gateway_response
               e[:request]  ||= gateway_request
             end
-            AppSec::Event.record(*context.events)
+            AppSec::Event.record(active_span, *scope.processor_context.events)
             if response_response && response_response.any? { |action, _event| action == :block }
               request_return = AppSec::Response.negotiate(env).to_rack
@@ -83,15 +87,19 @@ module Datadog
             request_return
           ensure
-            if context
-              add_waf_runtime_tags(active_trace, context)
-              processor.deactivate_context
+            if scope
+              add_waf_runtime_tags(active_span, scope.processor_context)
+              Datadog::AppSec::Scope.deactivate_scope
             end
           end
-          # rubocop:enable Metrics/PerceivedComplexity,Metrics/CyclomaticComplexity,Metrics/MethodLength
+          # rubocop:enable Metrics/AbcSize,Metrics/PerceivedComplexity,Metrics/CyclomaticComplexity,Metrics/MethodLength
           private
+          def active_scope(env)
+            env[Datadog::AppSec::Ext::SCOPE_KEY]
+          end
           def active_trace
             # TODO: factor out tracing availability detection
@@ -111,9 +119,9 @@ module Datadog
           def add_appsec_tags(processor, trace, span, env)
             return unless trace
-            trace.set_tag('_dd.appsec.enabled', 1)
-            trace.set_tag('_dd.runtime_family', 'ruby')
-            trace.set_tag('_dd.appsec.waf.version', Datadog::AppSec::WAF::VERSION::BASE_STRING)
+            span.set_tag('_dd.appsec.enabled', 1)
+            span.set_tag('_dd.runtime_family', 'ruby')
+            span.set_tag('_dd.appsec.waf.version', Datadog::AppSec::WAF::VERSION::BASE_STRING)
             if span && span.get_tag(Tracing::Metadata::Ext::HTTP::TAG_CLIENT_IP).nil?
               request_header_collection = Datadog::Tracing::Contrib::Rack::Header::RequestHeaderCollection.new(env)
@@ -127,17 +135,17 @@ module Datadog
             end
             if processor.ruleset_info
-              trace.set_tag('_dd.appsec.event_rules.version', processor.ruleset_info[:version])
+              span.set_tag('_dd.appsec.event_rules.version', processor.ruleset_info[:version])
               unless @oneshot_tags_sent
                 # Small race condition, but it's inoccuous: worst case the tags
                 # are sent a couple of times more than expected
                 @oneshot_tags_sent = true
-                trace.set_tag('_dd.appsec.event_rules.loaded', processor.ruleset_info[:loaded].to_f)
-                trace.set_tag('_dd.appsec.event_rules.error_count', processor.ruleset_info[:failed].to_f)
-                trace.set_tag('_dd.appsec.event_rules.errors', JSON.dump(processor.ruleset_info[:errors]))
-                trace.set_tag('_dd.appsec.event_rules.addresses', JSON.dump(processor.addresses))
+                span.set_tag('_dd.appsec.event_rules.loaded', processor.ruleset_info[:loaded].to_f)
+                span.set_tag('_dd.appsec.event_rules.error_count', processor.ruleset_info[:failed].to_f)
+                span.set_tag('_dd.appsec.event_rules.errors', JSON.dump(processor.ruleset_info[:errors]))
+                span.set_tag('_dd.appsec.event_rules.addresses', JSON.dump(processor.addresses))
                 # Ensure these tags reach the backend
                 trace.keep!
@@ -149,15 +157,15 @@ module Datadog
             end
           end
-          def add_waf_runtime_tags(trace, context)
-            return unless trace
+          def add_waf_runtime_tags(span, context)
+            return unless span
             return unless context
-            trace.set_tag('_dd.appsec.waf.timeouts', context.timeouts)
+            span.set_tag('_dd.appsec.waf.timeouts', context.timeouts)
             # these tags expect time in us
-            trace.set_tag('_dd.appsec.waf.duration', context.time_ns / 1000.0)
-            trace.set_tag('_dd.appsec.waf.duration_ext', context.time_ext_ns / 1000.0)
+            span.set_tag('_dd.appsec.waf.duration', context.time_ns / 1000.0)
+            span.set_tag('_dd.appsec.waf.duration_ext', context.time_ext_ns / 1000.0)
           end
         end
       end

data/lib/datadog/appsec/contrib/rails/ext.rb CHANGED Viewed

@@ -5,7 +5,6 @@ module Datadog
         # Rack integration constants
         module Ext
           APP = 'rails'.freeze
-          ENV_ENABLED = 'DD_TRACE_RAILS_ENABLED'.freeze
         end
       end
     end

data/lib/datadog/appsec/contrib/rails/framework.rb CHANGED Viewed

@@ -8,21 +8,9 @@ module Datadog
         module Framework
           def self.setup
             Datadog::AppSec.configure do |datadog_config|
-              rails_config = config_with_defaults(datadog_config)
-              activate_rack!(datadog_config, rails_config)
+              datadog_config.instrument(:rack)
             end
           end
-          def self.config_with_defaults(datadog_config)
-            datadog_config[:rails]
-          end
-          # Apply relevant configuration from Sinatra to Rack
-          def self.activate_rack!(datadog_config, sinatra_config)
-            datadog_config.instrument(
-              :rack,
-            )
-          end
         end
       end
     end

data/lib/datadog/appsec/contrib/rails/gateway/watcher.rb CHANGED Viewed

@@ -21,13 +21,13 @@ module Datadog
                 gateway.watch('rails.request.action', :appsec) do |stack, gateway_request|
                   block = false
                   event = nil
-                  waf_context = gateway_request.env['datadog.waf.context']
+                  scope = gateway_request.env[Datadog::AppSec::Ext::SCOPE_KEY]
                   AppSec::Reactive::Operation.new('rails.request.action') do |op|
                     trace = active_trace
                     span = active_span
-                    Rails::Reactive::Action.subscribe(op, waf_context) do |result, _block|
+                    Rails::Reactive::Action.subscribe(op, scope.processor_context) do |result, _block|
                       if result.status == :match
                         # TODO: should this hash be an Event instance instead?
                         event = {
@@ -40,7 +40,7 @@ module Datadog
                         span.set_tag('appsec.event', 'true') if span
-                        waf_context.events << event
+                        scope.processor_context.events << event
                       end
                     end

data/lib/datadog/appsec/contrib/rails/integration.rb CHANGED Viewed

@@ -1,6 +1,5 @@
 require_relative '../integration'
-require_relative 'configuration/settings'
 require_relative 'patcher'
 require_relative 'request_middleware'
@@ -32,10 +31,6 @@ module Datadog
             true
           end
-          def default_configuration
-            Configuration::Settings.new
-          end
           def patcher
             Patcher
           end

data/lib/datadog/appsec/contrib/rails/patcher.rb CHANGED Viewed

@@ -72,7 +72,7 @@ module Datadog
             def process_action(*args)
               env = request.env
-              context = env['datadog.waf.context']
+              context = env[Datadog::AppSec::Ext::SCOPE_KEY]
               return super unless context

data/lib/datadog/appsec/contrib/sinatra/ext.rb CHANGED Viewed

@@ -5,7 +5,6 @@ module Datadog
         # Sinatra integration constants
         module Ext
           APP = 'sinatra'.freeze
-          ENV_ENABLED = 'DD_TRACE_SINATRA_ENABLED'.freeze
           ROUTE_INTERRUPT = :datadog_appsec_contrib_sinatra_route_interrupt
         end
       end

data/lib/datadog/appsec/contrib/sinatra/framework.rb CHANGED Viewed

@@ -12,21 +12,9 @@ module Datadog
           # Configure Rack from Sinatra, but only if Rack has not been configured manually beforehand
           def self.setup
             Datadog::AppSec.configure do |datadog_config|
-              sinatra_config = config_with_defaults(datadog_config)
-              activate_rack!(datadog_config, sinatra_config)
+              datadog_config.instrument(:rack)
             end
           end
-          def self.config_with_defaults(datadog_config)
-            datadog_config[:sinatra]
-          end
-          # Apply relevant configuration from Sinatra to Rack
-          def self.activate_rack!(datadog_config, sinatra_config)
-            datadog_config.instrument(
-              :rack,
-            )
-          end
         end
       end
     end