RubyGems - ddtrace - Versions diffs - 1.14.0 → 1.16.0 - Mend

ddtrace 1.14.0 → 1.16.0

Files changed (283) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +146 -2
data/ext/ddtrace_profiling_native_extension/NativeExtensionDesign.md +3 -5
data/ext/ddtrace_profiling_native_extension/clock_id.h +0 -3
data/ext/ddtrace_profiling_native_extension/clock_id_from_pthread.c +0 -22
data/ext/ddtrace_profiling_native_extension/clock_id_noop.c +0 -1
data/ext/ddtrace_profiling_native_extension/collectors_cpu_and_wall_time_worker.c +41 -6
data/ext/ddtrace_profiling_native_extension/collectors_idle_sampling_helper.c +3 -0
data/ext/ddtrace_profiling_native_extension/collectors_stack.c +76 -24
data/ext/ddtrace_profiling_native_extension/collectors_stack.h +1 -1
data/ext/ddtrace_profiling_native_extension/collectors_thread_context.c +207 -32
data/ext/ddtrace_profiling_native_extension/collectors_thread_context.h +1 -1
data/ext/ddtrace_profiling_native_extension/extconf.rb +8 -2
data/ext/ddtrace_profiling_native_extension/http_transport.c +26 -10
data/ext/ddtrace_profiling_native_extension/libdatadog_helpers.c +42 -0
data/ext/ddtrace_profiling_native_extension/libdatadog_helpers.h +6 -0
data/ext/ddtrace_profiling_native_extension/native_extension_helpers.rb +1 -16
data/ext/ddtrace_profiling_native_extension/pid_controller.c +57 -0
data/ext/ddtrace_profiling_native_extension/pid_controller.h +45 -0
data/ext/ddtrace_profiling_native_extension/private_vm_api_access.c +17 -12
data/ext/ddtrace_profiling_native_extension/profiling.c +0 -2
data/ext/ddtrace_profiling_native_extension/stack_recorder.c +74 -37
data/ext/ddtrace_profiling_native_extension/stack_recorder.h +13 -3
data/lib/datadog/appsec/assets/waf_rules/processors.json +92 -0
data/lib/datadog/appsec/assets/waf_rules/recommended.json +698 -75
data/lib/datadog/appsec/assets/waf_rules/scanners.json +114 -0
data/lib/datadog/appsec/assets/waf_rules/strict.json +98 -8
data/lib/datadog/appsec/assets.rb +8 -0
data/lib/datadog/appsec/component.rb +9 -2
data/lib/datadog/appsec/configuration/settings.rb +67 -2
data/lib/datadog/appsec/contrib/rack/gateway/request.rb +6 -2
data/lib/datadog/appsec/contrib/rack/gateway/response.rb +46 -0
data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb +8 -6
data/lib/datadog/appsec/contrib/rack/reactive/request.rb +2 -7
data/lib/datadog/appsec/contrib/rack/reactive/request_body.rb +2 -5
data/lib/datadog/appsec/contrib/rack/reactive/response.rb +7 -5
data/lib/datadog/appsec/contrib/rack/request_body_middleware.rb +3 -2
data/lib/datadog/appsec/contrib/rack/request_middleware.rb +34 -10
data/lib/datadog/appsec/contrib/rails/gateway/watcher.rb +3 -2
data/lib/datadog/appsec/contrib/rails/patcher.rb +9 -3
data/lib/datadog/appsec/contrib/rails/reactive/action.rb +2 -5
data/lib/datadog/appsec/contrib/sinatra/gateway/watcher.rb +6 -4
data/lib/datadog/appsec/contrib/sinatra/patcher.rb +13 -7
data/lib/datadog/appsec/contrib/sinatra/reactive/routed.rb +2 -5
data/lib/datadog/appsec/event.rb +106 -50
data/lib/datadog/appsec/monitor/gateway/watcher.rb +3 -3
data/lib/datadog/appsec/monitor/reactive/set_user.rb +2 -5
data/lib/datadog/appsec/processor/actions.rb +49 -0
data/lib/datadog/appsec/processor/rule_merger.rb +22 -2
data/lib/datadog/appsec/processor.rb +34 -6
data/lib/datadog/appsec/remote.rb +4 -1
data/lib/datadog/appsec/response.rb +82 -4
data/lib/datadog/appsec/sample_rate.rb +21 -0
data/lib/datadog/appsec.rb +2 -2
data/lib/datadog/core/configuration/agent_settings_resolver.rb +29 -24
data/lib/datadog/core/configuration/base.rb +1 -11
data/lib/datadog/core/configuration/components.rb +7 -2
data/lib/datadog/core/configuration/ext.rb +21 -0
data/lib/datadog/core/configuration/option.rb +2 -4
data/lib/datadog/core/configuration/option_definition.rb +17 -41
data/lib/datadog/core/configuration/options.rb +5 -5
data/lib/datadog/core/configuration/settings.rb +47 -45
data/lib/datadog/core/environment/execution.rb +47 -9
data/lib/datadog/core/environment/variable_helpers.rb +0 -69
data/lib/datadog/core/error.rb +1 -0
data/lib/datadog/core/git/ext.rb +2 -0
data/lib/datadog/core/remote/client/capabilities.rb +1 -1
data/lib/datadog/core/remote/component.rb +2 -2
data/lib/datadog/core/remote/negotiation.rb +2 -2
data/lib/datadog/core/remote/transport/config.rb +60 -0
data/lib/datadog/core/remote/transport/http/api/instance.rb +39 -0
data/lib/datadog/core/remote/transport/http/api/spec.rb +21 -0
data/lib/datadog/core/remote/transport/http/api.rb +58 -0
data/lib/datadog/core/remote/transport/http/builder.rb +219 -0
data/lib/datadog/core/remote/transport/http/client.rb +48 -0
data/lib/datadog/core/remote/transport/http/config.rb +280 -0
data/lib/datadog/core/remote/transport/http/negotiation.rb +146 -0
data/lib/datadog/core/remote/transport/http.rb +179 -0
data/lib/datadog/core/{transport → remote/transport}/negotiation.rb +25 -23
data/lib/datadog/core/remote/worker.rb +3 -1
data/lib/datadog/core/telemetry/collector.rb +3 -2
data/lib/datadog/core/telemetry/http/transport.rb +2 -1
data/lib/datadog/core/transport/ext.rb +47 -0
data/lib/datadog/core/transport/http/adapters/net.rb +168 -0
data/lib/datadog/core/transport/http/adapters/registry.rb +29 -0
data/lib/datadog/core/transport/http/adapters/test.rb +89 -0
data/lib/datadog/core/transport/http/adapters/unix_socket.rb +83 -0
data/lib/datadog/core/transport/http/api/endpoint.rb +31 -0
data/lib/datadog/core/transport/http/api/fallbacks.rb +26 -0
data/lib/datadog/core/transport/http/api/map.rb +18 -0
data/lib/datadog/core/transport/http/env.rb +62 -0
data/lib/datadog/core/transport/http/response.rb +60 -0
data/lib/datadog/core/transport/parcel.rb +22 -0
data/lib/datadog/core/transport/request.rb +17 -0
data/lib/datadog/core/transport/response.rb +64 -0
data/lib/datadog/core/workers/polling.rb +2 -2
data/lib/datadog/opentelemetry/api/context.rb +10 -3
data/lib/datadog/opentelemetry/sdk/propagator.rb +2 -1
data/lib/datadog/opentelemetry/sdk/span_processor.rb +14 -2
data/lib/datadog/opentelemetry/sdk/trace/span.rb +68 -0
data/lib/datadog/opentelemetry/trace.rb +58 -0
data/lib/datadog/opentelemetry.rb +1 -0
data/lib/datadog/opentracer.rb +9 -0
data/lib/datadog/profiling/collectors/cpu_and_wall_time_worker.rb +14 -19
data/lib/datadog/profiling/collectors/idle_sampling_helper.rb +1 -1
data/lib/datadog/profiling/collectors/thread_context.rb +9 -1
data/lib/datadog/profiling/component.rb +24 -99
data/lib/datadog/profiling/ext.rb +0 -12
data/lib/datadog/profiling/flush.rb +0 -3
data/lib/datadog/profiling/http_transport.rb +6 -3
data/lib/datadog/profiling/native_extension.rb +0 -21
data/lib/datadog/profiling/profiler.rb +36 -13
data/lib/datadog/profiling/scheduler.rb +16 -9
data/lib/datadog/profiling.rb +8 -81
data/lib/datadog/tracing/component.rb +10 -4
data/lib/datadog/tracing/configuration/agent_settings_resolver.rb +13 -0
data/lib/datadog/tracing/configuration/ext.rb +4 -2
data/lib/datadog/tracing/configuration/settings.rb +14 -7
data/lib/datadog/tracing/contrib/action_pack/configuration/settings.rb +1 -1
data/lib/datadog/tracing/contrib/active_job/configuration/settings.rb +1 -1
data/lib/datadog/tracing/contrib/active_record/events/sql.rb +4 -0
data/lib/datadog/tracing/contrib/active_support/cache/instrumentation.rb +106 -197
data/lib/datadog/tracing/contrib/active_support/cache/patcher.rb +3 -0
data/lib/datadog/tracing/contrib/aws/instrumentation.rb +7 -0
data/lib/datadog/tracing/contrib/concurrent_ruby/context_composite_executor_service.rb +14 -14
data/lib/datadog/tracing/contrib/concurrent_ruby/future_patch.rb +3 -10
data/lib/datadog/tracing/contrib/concurrent_ruby/integration.rb +2 -1
data/lib/datadog/tracing/contrib/concurrent_ruby/patcher.rb +8 -1
data/lib/datadog/tracing/contrib/concurrent_ruby/promises_future_patch.rb +22 -0
data/lib/datadog/tracing/contrib/configuration/settings.rb +1 -1
data/lib/datadog/tracing/contrib/dalli/configuration/settings.rb +6 -0
data/lib/datadog/tracing/contrib/dalli/ext.rb +7 -0
data/lib/datadog/tracing/contrib/dalli/instrumentation.rb +9 -2
data/lib/datadog/tracing/contrib/delayed_job/configuration/settings.rb +1 -1
data/lib/datadog/tracing/contrib/elasticsearch/patcher.rb +5 -0
data/lib/datadog/tracing/contrib/ethon/easy_patch.rb +5 -0
data/lib/datadog/tracing/contrib/ethon/multi_patch.rb +8 -0
data/lib/datadog/tracing/contrib/excon/middleware.rb +5 -0
data/lib/datadog/tracing/contrib/ext.rb +3 -0
data/lib/datadog/tracing/contrib/faraday/configuration/settings.rb +1 -1
data/lib/datadog/tracing/contrib/faraday/middleware.rb +5 -0
data/lib/datadog/tracing/contrib/grpc/configuration/settings.rb +21 -1
data/lib/datadog/tracing/contrib/grpc/datadog_interceptor/client.rb +11 -1
data/lib/datadog/tracing/contrib/grpc/datadog_interceptor/server.rb +18 -0
data/lib/datadog/tracing/contrib/grpc/datadog_interceptor.rb +0 -4
data/lib/datadog/tracing/contrib/http/circuit_breaker.rb +3 -3
data/lib/datadog/tracing/contrib/http/instrumentation.rb +5 -0
data/lib/datadog/tracing/contrib/httpclient/instrumentation.rb +5 -0
data/lib/datadog/tracing/contrib/httprb/instrumentation.rb +5 -0
data/lib/datadog/tracing/contrib/mongodb/subscribers.rb +7 -0
data/lib/datadog/tracing/contrib/mysql2/instrumentation.rb +13 -3
data/lib/datadog/tracing/contrib/opensearch/integration.rb +2 -2
data/lib/datadog/tracing/contrib/opensearch/patcher.rb +7 -0
data/lib/datadog/tracing/contrib/pg/instrumentation.rb +5 -0
data/lib/datadog/tracing/contrib/presto/instrumentation.rb +5 -0
data/lib/datadog/tracing/contrib/propagation/sql_comment.rb +1 -1
data/lib/datadog/tracing/contrib/que/configuration/settings.rb +1 -1
data/lib/datadog/tracing/contrib/racecar/event.rb +5 -0
data/lib/datadog/tracing/contrib/rack/header_tagging.rb +14 -4
data/lib/datadog/tracing/contrib/rails/configuration/settings.rb +4 -4
data/lib/datadog/tracing/contrib/rake/configuration/settings.rb +1 -1
data/lib/datadog/tracing/contrib/redis/configuration/settings.rb +1 -1
data/lib/datadog/tracing/contrib/redis/instrumentation.rb +3 -38
data/lib/datadog/tracing/contrib/redis/tags.rb +7 -2
data/lib/datadog/tracing/contrib/redis/trace_middleware.rb +46 -33
data/lib/datadog/tracing/contrib/resque/configuration/settings.rb +1 -1
data/lib/datadog/tracing/contrib/rest_client/request_patch.rb +5 -0
data/lib/datadog/tracing/contrib/sequel/utils.rb +5 -0
data/lib/datadog/tracing/contrib/shoryuken/configuration/settings.rb +1 -1
data/lib/datadog/tracing/contrib/sidekiq/configuration/settings.rb +1 -1
data/lib/datadog/tracing/contrib/sneakers/configuration/settings.rb +1 -1
data/lib/datadog/tracing/contrib/utils/quantization/http.rb +2 -2
data/lib/datadog/tracing/diagnostics/environment_logger.rb +6 -0
data/lib/datadog/tracing/distributed/propagation.rb +13 -33
data/lib/datadog/tracing/metadata/tagging.rb +3 -3
data/lib/datadog/tracing/sync_writer.rb +3 -3
data/lib/datadog/tracing/tracer.rb +2 -0
data/lib/datadog/{core → tracing}/transport/http/api/instance.rb +1 -1
data/lib/datadog/{core → tracing}/transport/http/api/spec.rb +1 -1
data/lib/datadog/tracing/transport/http/api.rb +43 -0
data/lib/datadog/{core → tracing}/transport/http/builder.rb +13 -68
data/lib/datadog/tracing/transport/http/client.rb +57 -0
data/lib/datadog/tracing/transport/http/statistics.rb +47 -0
data/lib/datadog/tracing/transport/http/traces.rb +152 -0
data/lib/datadog/tracing/transport/http.rb +124 -0
data/lib/datadog/tracing/transport/io/client.rb +89 -0
data/lib/datadog/tracing/transport/io/response.rb +27 -0
data/lib/datadog/tracing/transport/io/traces.rb +101 -0
data/lib/datadog/tracing/transport/io.rb +30 -0
data/lib/datadog/tracing/transport/serializable_trace.rb +126 -0
data/lib/datadog/tracing/transport/statistics.rb +77 -0
data/lib/datadog/tracing/transport/trace_formatter.rb +209 -0
data/lib/datadog/tracing/transport/traces.rb +224 -0
data/lib/datadog/tracing/workers/trace_writer.rb +5 -3
data/lib/datadog/tracing/workers.rb +3 -2
data/lib/datadog/tracing/writer.rb +5 -2
data/lib/ddtrace/transport/ext.rb +17 -15
data/lib/ddtrace/version.rb +1 -1
data/lib/ddtrace.rb +1 -1
metadata +73 -96
data/lib/datadog/ci/configuration/components.rb +0 -32
data/lib/datadog/ci/configuration/settings.rb +0 -51
data/lib/datadog/ci/contrib/cucumber/configuration/settings.rb +0 -35
data/lib/datadog/ci/contrib/cucumber/ext.rb +0 -22
data/lib/datadog/ci/contrib/cucumber/formatter.rb +0 -94
data/lib/datadog/ci/contrib/cucumber/instrumentation.rb +0 -28
data/lib/datadog/ci/contrib/cucumber/integration.rb +0 -47
data/lib/datadog/ci/contrib/cucumber/patcher.rb +0 -27
data/lib/datadog/ci/contrib/minitest/configuration/settings.rb +0 -35
data/lib/datadog/ci/contrib/minitest/ext.rb +0 -21
data/lib/datadog/ci/contrib/minitest/integration.rb +0 -49
data/lib/datadog/ci/contrib/minitest/patcher.rb +0 -27
data/lib/datadog/ci/contrib/minitest/test_helper.rb +0 -68
data/lib/datadog/ci/contrib/rspec/configuration/settings.rb +0 -35
data/lib/datadog/ci/contrib/rspec/example.rb +0 -68
data/lib/datadog/ci/contrib/rspec/ext.rb +0 -21
data/lib/datadog/ci/contrib/rspec/integration.rb +0 -48
data/lib/datadog/ci/contrib/rspec/patcher.rb +0 -27
data/lib/datadog/ci/ext/app_types.rb +0 -9
data/lib/datadog/ci/ext/environment.rb +0 -575
data/lib/datadog/ci/ext/settings.rb +0 -10
data/lib/datadog/ci/ext/test.rb +0 -35
data/lib/datadog/ci/extensions.rb +0 -19
data/lib/datadog/ci/flush.rb +0 -38
data/lib/datadog/ci/test.rb +0 -81
data/lib/datadog/ci.rb +0 -21
data/lib/datadog/core/configuration/dependency_resolver.rb +0 -28
data/lib/datadog/core/configuration/option_definition_set.rb +0 -22
data/lib/datadog/core/configuration/option_set.rb +0 -10
data/lib/datadog/core/transport/config.rb +0 -58
data/lib/datadog/core/transport/http/api.rb +0 -57
data/lib/datadog/core/transport/http/client.rb +0 -45
data/lib/datadog/core/transport/http/config.rb +0 -278
data/lib/datadog/core/transport/http/negotiation.rb +0 -144
data/lib/datadog/core/transport/http.rb +0 -169
data/lib/datadog/core/utils/object_set.rb +0 -43
data/lib/datadog/core/utils/string_table.rb +0 -47
data/lib/datadog/profiling/backtrace_location.rb +0 -34
data/lib/datadog/profiling/buffer.rb +0 -43
data/lib/datadog/profiling/collectors/old_stack.rb +0 -301
data/lib/datadog/profiling/encoding/profile.rb +0 -41
data/lib/datadog/profiling/event.rb +0 -15
data/lib/datadog/profiling/events/stack.rb +0 -82
data/lib/datadog/profiling/old_recorder.rb +0 -107
data/lib/datadog/profiling/pprof/builder.rb +0 -125
data/lib/datadog/profiling/pprof/converter.rb +0 -102
data/lib/datadog/profiling/pprof/message_set.rb +0 -16
data/lib/datadog/profiling/pprof/payload.rb +0 -20
data/lib/datadog/profiling/pprof/pprof.proto +0 -212
data/lib/datadog/profiling/pprof/pprof_pb.rb +0 -81
data/lib/datadog/profiling/pprof/stack_sample.rb +0 -139
data/lib/datadog/profiling/pprof/string_table.rb +0 -12
data/lib/datadog/profiling/pprof/template.rb +0 -118
data/lib/datadog/profiling/trace_identifiers/ddtrace.rb +0 -43
data/lib/datadog/profiling/trace_identifiers/helper.rb +0 -45
data/lib/ddtrace/transport/http/adapters/net.rb +0 -168
data/lib/ddtrace/transport/http/adapters/registry.rb +0 -27
data/lib/ddtrace/transport/http/adapters/test.rb +0 -85
data/lib/ddtrace/transport/http/adapters/unix_socket.rb +0 -77
data/lib/ddtrace/transport/http/api/endpoint.rb +0 -29
data/lib/ddtrace/transport/http/api/fallbacks.rb +0 -24
data/lib/ddtrace/transport/http/api/instance.rb +0 -35
data/lib/ddtrace/transport/http/api/map.rb +0 -16
data/lib/ddtrace/transport/http/api/spec.rb +0 -17
data/lib/ddtrace/transport/http/api.rb +0 -39
data/lib/ddtrace/transport/http/builder.rb +0 -176
data/lib/ddtrace/transport/http/client.rb +0 -52
data/lib/ddtrace/transport/http/env.rb +0 -58
data/lib/ddtrace/transport/http/response.rb +0 -58
data/lib/ddtrace/transport/http/statistics.rb +0 -43
data/lib/ddtrace/transport/http/traces.rb +0 -144
data/lib/ddtrace/transport/http.rb +0 -117
data/lib/ddtrace/transport/io/client.rb +0 -85
data/lib/ddtrace/transport/io/response.rb +0 -25
data/lib/ddtrace/transport/io/traces.rb +0 -99
data/lib/ddtrace/transport/io.rb +0 -28
data/lib/ddtrace/transport/parcel.rb +0 -20
data/lib/ddtrace/transport/request.rb +0 -15
data/lib/ddtrace/transport/response.rb +0 -60
data/lib/ddtrace/transport/serializable_trace.rb +0 -122
data/lib/ddtrace/transport/statistics.rb +0 -75
data/lib/ddtrace/transport/trace_formatter.rb +0 -207
data/lib/ddtrace/transport/traces.rb +0 -216

data/lib/datadog/appsec/event.rb CHANGED Viewed

@@ -1,4 +1,6 @@
 require 'json'
+require 'zlib'
+require 'base64'
 require_relative 'rate_limiter'
@@ -34,78 +36,132 @@ module Datadog
         Content-Language
       ].map!(&:downcase).freeze
+      MAX_ENCODED_SCHEMA_SIZE = 25000
+      # For more information about this number
+      # please check https://github.com/DataDog/dd-trace-rb/pull/3177#issuecomment-1747221082
+      MIN_SCHEMA_SIZE_FOR_COMPRESSION = 260
       # Record events for a trace
       #
       # This is expected to be called only once per trace for the rate limiter
       # to properly apply
-      def self.record(span, *events)
-        # ensure rate limiter is called only when there are events to record
-        return if events.empty? || span.nil?
+      class << self
+        def record(span, *events)
+          # ensure rate limiter is called only when there are events to record
+          return if events.empty? || span.nil?
-        Datadog::AppSec::RateLimiter.limit(:traces) do
-          record_via_span(span, *events)
+          Datadog::AppSec::RateLimiter.limit(:traces) do
+            record_via_span(span, *events)
+          end
         end
-      end
-      def self.record_via_span(span, *events)
-        events.group_by { |e| e[:trace] }.each do |trace, event_group|
-          unless trace
-            Datadog.logger.debug { "{ error: 'no trace: cannot record', event_group: #{event_group.inspect}}" }
-            next
-          end
+        def record_via_span(span, *events)
+          events.group_by { |e| e[:trace] }.each do |trace, event_group|
+            unless trace
+              Datadog.logger.debug { "{ error: 'no trace: cannot record', event_group: #{event_group.inspect}}" }
+              next
+            end
+            trace.keep!
+            trace.set_tag(
+              Datadog::Tracing::Metadata::Ext::Distributed::TAG_DECISION_MAKER,
+              Datadog::Tracing::Sampling::Ext::Decision::ASM
+            )
-          trace.keep!
-          trace.set_tag(
-            Datadog::Tracing::Metadata::Ext::Distributed::TAG_DECISION_MAKER,
-            Datadog::Tracing::Sampling::Ext::Decision::ASM
-          )
-          # prepare and gather tags to apply
-          service_entry_tags = build_service_entry_tags(event_group)
-          # complex types are unsupported, we need to serialize to a string
-          triggers = service_entry_tags.delete('_dd.appsec.triggers')
-          span.set_tag('_dd.appsec.json', JSON.dump({ triggers: triggers }))
-          # apply tags to service entry span
-          service_entry_tags.each do |key, value|
-            span.set_tag(key, value)
+            # prepare and gather tags to apply
+            service_entry_tags = build_service_entry_tags(event_group)
+            # apply tags to service entry span
+            service_entry_tags.each do |key, value|
+              span.set_tag(key, value)
+            end
           end
         end
-      end
-      def self.build_service_entry_tags(event_group)
-        event_group.each_with_object({}) do |event, tags|
-          # TODO: assume HTTP request context for now
+        # rubocop:disable Metrics/MethodLength
+        def build_service_entry_tags(event_group)
+          waf_events = []
+          entry_tags = event_group.each_with_object({ '_dd.origin' => 'appsec' }) do |event, tags|
+            # TODO: assume HTTP request context for now
+            if (request = event[:request])
+              request.headers.each do |header, value|
+                tags["http.request.headers.#{header}"] = value if ALLOWED_REQUEST_HEADERS.include?(header.downcase)
+              end
+              tags['http.host'] = request.host
+              tags['http.useragent'] = request.user_agent
+              tags['network.client.ip'] = request.remote_addr
+            end
-          if (request = event[:request])
-            request_headers = request.headers.select do |k, _|
-              ALLOWED_REQUEST_HEADERS.include?(k.downcase)
+            if (response = event[:response])
+              response.headers.each do |header, value|
+                tags["http.response.headers.#{header}"] = value if ALLOWED_RESPONSE_HEADERS.include?(header.downcase)
+              end
             end
-            request_headers.each do |header, value|
-              tags["http.request.headers.#{header}"] = value
+            waf_result = event[:waf_result]
+            # accumulate triggers
+            waf_events += waf_result.events
+            waf_result.derivatives.each do |key, value|
+              parsed_value = json_parse(value)
+              next unless parsed_value
+              parsed_value_size = parsed_value.size
+              schema_value = if parsed_value_size >= MIN_SCHEMA_SIZE_FOR_COMPRESSION
+                               compressed_and_base64_encoded(parsed_value)
+                             else
+                               parsed_value
+                             end
+              next unless schema_value
+              if schema_value.size >= MAX_ENCODED_SCHEMA_SIZE
+                Datadog.logger.debug do
+                  "Schema key: #{key} exceeds the max size value. It will not be included as part of the span tags"
+                end
+                next
+              end
+              tags[key] = schema_value
             end
-            tags['http.host'] = request.host
-            tags['http.useragent'] = request.user_agent
-            tags['network.client.ip'] = request.remote_addr
+            tags
           end
-          if (response = event[:response])
-            response_headers = response.headers.select do |k, _|
-              ALLOWED_RESPONSE_HEADERS.include?(k.downcase)
-            end
+          appsec_events = json_parse({ triggers: waf_events })
+          entry_tags['_dd.appsec.json'] = appsec_events if appsec_events
+          entry_tags
+        end
+        # rubocop:enable Metrics/MethodLength
-            response_headers.each do |header, value|
-              tags["http.response.headers.#{header}"] = value
-            end
+        private
+        def compressed_and_base64_encoded(value)
+          Base64.encode64(gzip(value))
+        rescue TypeError => e
+          Datadog.logger.debug do
+            "Failed to compress and encode value when populating AppSec::Event. Error: #{e.message}"
           end
+          nil
+        end
-          tags['_dd.origin'] = 'appsec'
+        def json_parse(value)
+          JSON.dump(value)
+        rescue ArgumentError => e
+          Datadog.logger.debug do
+            "Failed to parse value to JSON when populating AppSec::Event. Error: #{e.message}"
+          end
+          nil
+        end
-          # accumulate triggers
-          tags['_dd.appsec.triggers'] ||= []
-          tags['_dd.appsec.triggers'] += event[:waf_result].data
+        def gzip(value)
+          sio = StringIO.new
+          # For an in depth comparison of Zlib options check https://github.com/DataDog/dd-trace-rb/pull/3177#issuecomment-1747215473
+          gz = Zlib::GzipWriter.new(sio, Zlib::BEST_SPEED, Zlib::DEFAULT_STRATEGY)
+          gz.write(value)
+          gz.close
+          sio.string
         end
       end
     end

data/lib/datadog/appsec/monitor/gateway/watcher.rb CHANGED Viewed

@@ -24,7 +24,7 @@ module Datadog
                 scope = Datadog::AppSec.active_scope
                 AppSec::Reactive::Operation.new('identity.set_user') do |op|
-                  Monitor::Reactive::SetUser.subscribe(op, scope.processor_context) do |result, _block|
+                  Monitor::Reactive::SetUser.subscribe(op, scope.processor_context) do |result|
                     if result.status == :match
                       # TODO: should this hash be an Event instance instead?
                       event = {
@@ -44,10 +44,10 @@ module Datadog
                     end
                   end
-                  _result, block = Monitor::Reactive::SetUser.publish(op, user)
+                  block = Monitor::Reactive::SetUser.publish(op, user)
                 end
-                throw(Datadog::AppSec::Ext::INTERRUPT, [nil, [:block, event]]) if block
+                throw(Datadog::AppSec::Ext::INTERRUPT, [nil, [[:block, event]]]) if block
                 ret, res = stack.call(user)

data/lib/datadog/appsec/monitor/reactive/set_user.rb CHANGED Viewed

@@ -38,11 +38,8 @@ module Datadog
               when :match
                 Datadog.logger.debug { "WAF: #{result.inspect}" }
-                block = result.actions.include?('block')
-                yield [result, block]
-                throw(:block, [result, true]) if block
+                yield result
+                throw(:block, true) unless result.actions.empty?
               when :ok
                 Datadog.logger.debug { "WAF OK: #{result.inspect}" }
               when :invalid_call

data/lib/datadog/appsec/processor/actions.rb ADDED Viewed

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+module Datadog
+  module AppSec
+    class Processor
+      # Actions store the actions information in memory
+      # Also, takes care of merging when RC send new information
+      module Actions
+        class << self
+          def actions
+            @actions ||= []
+          end
+          def fecth_configuration(action)
+            actions.find { |action_configuration| action_configuration['id'] == action }
+          end
+          def merge(actions_to_merge)
+            return if actions_to_merge.empty?
+            if actions.empty?
+              @actions = actions_to_merge
+            else
+              merged_actions = []
+              actions_dup = actions.dup
+              actions_to_merge.each do |new_action|
+                existing_action = actions_dup.find { |action| new_action['id'] == action['id'] }
+                # the old action is discard and the new kept
+                actions_dup.delete(existing_action) if existing_action
+                merged_actions << new_action
+              end
+              @actions = merged_actions.concat(actions_dup)
+            end
+          end
+          private
+          # Used in tests
+          def reset
+            @actions = []
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/processor/rule_merger.rb CHANGED Viewed

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
+require_relative '../assets'
 module Datadog
   module AppSec
     class Processor
@@ -16,8 +18,25 @@ module Datadog
           end
         end
+        DEFAULT_WAF_PROCESSORS = begin
+          JSON.parse(Datadog::AppSec::Assets.waf_processors)
+        rescue StandardError => e
+          Datadog.logger.error { "libddwaf rulemerger failed to parse default waf processors. Error: #{e.inspect}" }
+          []
+        end
+        DEFAULT_WAF_SCANNERS = begin
+          JSON.parse(Datadog::AppSec::Assets.waf_scanners)
+        rescue StandardError => e
+          Datadog.logger.error { "libddwaf rulemerger failed to parse default waf scanners. Error: #{e.inspect}" }
+          []
+        end
         class << self
-          def merge(rules:, data: [], overrides: [], exclusions: [], custom_rules: [])
+          def merge(
+            rules:, data: [], overrides: [], exclusions: [], custom_rules: [],
+            processors: DEFAULT_WAF_PROCESSORS, scanners: DEFAULT_WAF_SCANNERS
+          )
             combined_rules = combine_rules(rules)
             combined_data = combine_data(data) if data.any?
@@ -29,7 +48,8 @@ module Datadog
             combined_rules['rules_override'] = combined_overrides if combined_overrides
             combined_rules['exclusions'] = combined_exclusions if combined_exclusions
             combined_rules['custom_rules'] = combined_custom_rules if combined_custom_rules
+            combined_rules['processors'] = processors
+            combined_rules['scanners'] = scanners
             combined_rules
           end

data/lib/datadog/appsec/processor.rb CHANGED Viewed

@@ -22,8 +22,15 @@ module Datadog
           start_ns = Core::Utils::Time.get_time(:nanosecond)
-          # this WAF::Context#run call is not thread safe as it mutates the context
-          # TODO: remove multiple assignment
+          input.reject! do |_, v|
+            case v
+            when TrueClass, FalseClass
+              false
+            else
+              v.nil? ? true : v.empty?
+            end
+          end
           _code, res = @context.run(input, timeout)
           stop_ns = Core::Utils::Time.get_time(:nanosecond)
@@ -38,15 +45,36 @@ module Datadog
           @run_mutex.unlock
         end
+        def extract_schema
+          return unless extract_schema?
+          input = {
+            'waf.context.processor' => {
+              'extract-schema' => true
+            }
+          }
+          _code, res = @context.run(input, WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
+          res
+        end
         def finalize
           @context.finalize
         end
+        private
+        def extract_schema?
+          Datadog.configuration.appsec.api_security.enabled &&
+            Datadog.configuration.appsec.api_security.sample_rate.sample?
+        end
       end
-      attr_reader :ruleset_info, :addresses
+      attr_reader :diagnostics, :addresses
       def initialize(ruleset:)
-        @ruleset_info = nil
+        @diagnostics = nil
         @addresses = []
         settings = Datadog.configuration.appsec
@@ -83,7 +111,7 @@ module Datadog
         }
         @handle = Datadog::AppSec::WAF::Handle.new(ruleset, obfuscator: obfuscator_config)
-        @ruleset_info = @handle.ruleset_info
+        @diagnostics = @handle.diagnostics
         @addresses = @handle.required_addresses
         true
@@ -92,7 +120,7 @@ module Datadog
           "libddwaf failed to initialize, error: #{e.inspect}"
         end
-        @ruleset_info = e.ruleset_info if e.ruleset_info
+        @diagnostics = e.diagnostics if e.diagnostics
         false
       rescue StandardError => e

data/lib/datadog/appsec/remote.rb CHANGED Viewed

@@ -31,6 +31,7 @@ module Datadog
           CAP_ASM_RESPONSE_BLOCKING,
           CAP_ASM_DD_RULES,
           CAP_ASM_CUSTOM_RULES,
+          CAP_ASM_CUSTOM_BLOCKING_RESPONSE,
         ].freeze
         ASM_PRODUCTS = [
@@ -63,6 +64,7 @@ module Datadog
             data = []
             overrides = []
             exclusions = []
+            actions = []
             repository.contents.each do |content|
               parsed_content = parse_content(content)
@@ -76,6 +78,7 @@ module Datadog
                 overrides << parsed_content['rules_override'] if parsed_content['rules_override']
                 exclusions << parsed_content['exclusions'] if parsed_content['exclusions']
                 custom_rules << parsed_content['custom_rules'] if parsed_content['custom_rules']
+                actions.concat(parsed_content['actions']) if parsed_content['actions']
               end
             end
@@ -95,7 +98,7 @@ module Datadog
               custom_rules: custom_rules,
             )
-            Datadog::AppSec.reconfigure(ruleset: ruleset)
+            Datadog::AppSec.reconfigure(ruleset: ruleset, actions: actions)
           end
           [receiver]

data/lib/datadog/appsec/response.rb CHANGED Viewed

@@ -28,19 +28,80 @@ module Datadog
       end
       class << self
-        def negotiate(env)
+        def negotiate(env, actions)
+          # @type var configured_response: Response?
+          configured_response = nil
+          actions.each do |action|
+            # Need to use next to make steep happy :(
+            # I rather use break to stop the execution
+            next if configured_response
+            action_configuration = AppSec::Processor::Actions.fecth_configuration(action)
+            next unless action_configuration
+            configured_response = case action_configuration['type']
+                                  when 'block_request'
+                                    block_response(env, action_configuration['parameters'])
+                                  when 'redirect_request'
+                                    redirect_response(env, action_configuration['parameters'])
+                                  end
+          end
+          configured_response || default_response(env)
+        end
+        private
+        def default_response(env)
           content_type = content_type(env)
-          Datadog.logger.debug { "negotiated response content type: #{content_type}" }
+          body = []
+          body << content(content_type)
           Response.new(
             status: 403,
             headers: { 'Content-Type' => content_type },
-            body: [Datadog::AppSec::Assets.blocked(format: CONTENT_TYPE_TO_FORMAT[content_type])]
+            body: body,
           )
         end
-        private
+        def block_response(env, options)
+          content_type = if options['type'] == 'auto'
+                           content_type(env)
+                         else
+                           FORMAT_TO_CONTENT_TYPE[options['type']]
+                         end
+          body = []
+          body << content(content_type)
+          Response.new(
+            status: options['status_code'] || 403,
+            headers: { 'Content-Type' => content_type },
+            body: body,
+          )
+        end
+        def redirect_response(env, options)
+          if options['location'] && !options['location'].empty?
+            content_type = content_type(env)
+            status = options['status_code'] >= 300 && options['status_code'] < 400 ? options['status_code'] : 303
+            headers = {
+              'Content-Type' => content_type,
+              'Location' => options['location']
+            }
+            Response.new(
+              status: status,
+              headers: headers,
+              body: [],
+            )
+          else
+            default_response(env)
+          end
+        end
         CONTENT_TYPE_TO_FORMAT = {
           'application/json' => :json,
@@ -48,6 +109,11 @@ module Datadog
           'text/plain' => :text,
         }.freeze
+        FORMAT_TO_CONTENT_TYPE = {
+          'json' => 'application/json',
+          'html' => 'text/html',
+        }.freeze
         DEFAULT_CONTENT_TYPE = 'application/json'
         def content_type(env)
@@ -67,6 +133,18 @@ module Datadog
         rescue Datadog::AppSec::Utils::HTTP::MediaRange::ParseError
           DEFAULT_CONTENT_TYPE
         end
+        def content(content_type)
+          content_format = CONTENT_TYPE_TO_FORMAT[content_type]
+          using_default = Datadog.configuration.appsec.block.templates.using_default?(content_format)
+          if using_default
+            Datadog::AppSec::Assets.blocked(format: content_format)
+          else
+            Datadog.configuration.appsec.block.templates.send(content_format)
+          end
+        end
       end
     end
   end

data/lib/datadog/appsec/sample_rate.rb ADDED Viewed

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+module Datadog
+  module AppSec
+    # SampleRate basic sample rate
+    class SampleRate
+      attr_reader :rate
+      def initialize(rate)
+        @rate = rate
+      end
+      def sample?
+        return false if rate <= 0
+        return true if rate >= 1
+        Kernel.rand < rate
+      end
+    end
+  end
+end

data/lib/datadog/appsec.rb CHANGED Viewed

@@ -23,12 +23,12 @@ module Datadog
         appsec_component.processor if appsec_component
       end
-      def reconfigure(ruleset:)
+      def reconfigure(ruleset:, actions:)
         appsec_component = components.appsec
         return unless appsec_component
-        appsec_component.reconfigure(ruleset: ruleset)
+        appsec_component.reconfigure(ruleset: ruleset, actions: actions)
       end
       def reconfigure_lock(&block)