ddtrace 1.16.0 → 1.18.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 59aaa9c3c11af9219405c9eee4e318df4cafdaae57eb42c7b5105d46764d3293
-  data.tar.gz: ef0d6766221287a4e9d42bf42f43fd5ddd81990ea381e536b5083be8a3f0b94d
+  metadata.gz: 69e775ab06a83ce14114a7287056e3d3fb575191b7ff6ccdc5c7b33f7fd58172
+  data.tar.gz: 13b607a4e29e516be4988dca7827eca09b79e968cf98e0641a155039d2ec3273
 SHA512:
-  metadata.gz: 0201e1fd1e96ea0a076cf88af3824cb02f15862312eb26688db474caec2698bdfee9381b947e4ab278bbaa752aeb8a92df2f2188aa7e4ba988e5cdc31331f138
-  data.tar.gz: 2a034e4187f41b85a29d7003fbe1098552cdddf0be663e490ab2ca71c4da40a8ad122f3357b11286af10df988f0891cc8d2d71ca59d9949db790dda6011033d0
+  metadata.gz: d345e07c8b0a654974c51a7457b3fc6d3d7eb99226cfc5555d6bc8ee3e65b17b3782b1e582591be925297c09dd104108007b2081e28ee43c103f8f2fec3ffe5b
+  data.tar.gz: '085ea801f5fae16ed58cd79bab86839cd1aa23fa09261b39219264f603455633e19dbb8f60d647e407c7218d7d00052ef7b593405ec5af828af56ffecd58227d'

data/CHANGELOG.md

@@ -2,6 +2,66 @@
 
 ## [Unreleased]
 
+## [1.18.0] - 2023-12-07
+
+### Added
+
+* Tracing: Support lib injection for ARM64 architecture ([#3307][])
+* Tracing: Add `error_handler` for `pg` instrumentation ([#3303][])
+* Appsec: Enable "Trusted IPs", a.k.a passlist with optional monitoring ([#3229][])
+
+### Changed
+
+* Mark ddtrace threads as fork-safe ([#3279][])
+* Bump `datadog-ci` dependency to 0.5.0 ([#3308][])
+* Bump `debase-ruby_core_source` dependency to 3.2.3 ([#3284][])
+* Profiling: Disable profiler on Ruby 3.3 when running with RUBY_MN_THREADS=1 ([#3259][])
+* Profiling: Run without "no signals" workaround on passenger 6.0.19+ ([#3280][])
+
+### Fixed
+
+* Tracing: Fix `pg` instrumentation `enabled` settings ([#3271][])
+* Profiling: Fix potential crash by importing upstream `rb_profile_frames` fix ([#3289][])
+* Appsec: Call `devise` RegistrationsController block ([#3286][])
+
+## [1.17.0] - 2023-11-22
+
+For W3C Trace Context, this release adds [`tracecontext`](https://www.w3.org/TR/trace-context/) to the default trace propagation extraction and injection styles. The new defaults are:
+* Extraction: `Datadog,b3multi,b3,tracecontext`
+* Injection: `Datadog,tracecontext`
+
+And to increase interoperability with `tracecontext`, 128-bit Trace ID generation is now the default.
+
+For OpenTelemetry, this release adds support for converting [OpenTelemetry Trace Semantic Conventions](https://opentelemetry.io/docs/specs/semconv/general/trace/) into equivalent Datadog trace semantics. Also, it's now possible to configure top-level Datadog span fields using OpenTelemetry span attributes (https://github.com/DataDog/dd-trace-rb/pull/3262).
+
+For CI Visibility, you can now manually create CI traces and spans with the [newly released API](https://github.com/DataDog/datadog-ci-rb/releases/tag/v0.4.0).
+
+### Added
+
+* OpenTelemetry: Parse OpenTelemetry semantic conventions to Datadog's ([#3273][])
+* OpenTelemetry: Support span reserved attribute overrides ([#3262][])
+* Tracing: Ensure W3C `tracestate` is always propagated ([#3255][])
+
+### Changed
+
+* Tracing: Set 128-bit trace_id to true by default ([#3266][])
+* Tracing: Default trace propagation styles to `Datadog,b3multi,b3,tracecontext` ([#3248][],[#3267][])
+* Ci-App: Upgraded `datadog-ci` dependency to 0.4 ([#3270][])
+
+## [1.16.2] - 2023-11-10
+
+This release reverts a change to appsec response body parsing that was introduced in [1.16.0 ](https://github.com/DataDog/dd-trace-rb/releases/tag/v1.16.0) that may cause memory leaks.
+
+### Fixed
+*  Appsec: [Revert parse response body fix introduced in 1.16.0](https://github.com/DataDog/dd-trace-rb/pull/3153) ([#3252][])
+
+## [1.16.1] - 2023-11-08
+
+### Fixed
+
+* Tracing: Fix `concurrent-ruby` future propagation without `active_trace` ([#3242][])
+* Tracing: Fix host injection error handling  ([#3240][])
+
 ## [1.16.0] - 2023-11-03
 
 **This release includes a security change for the Tracing Redis integration:**
@@ -2620,7 +2680,11 @@ Release notes: https://github.com/DataDog/dd-trace-rb/releases/tag/v0.3.1
 Git diff: https://github.com/DataDog/dd-trace-rb/compare/v0.3.0...v0.3.1
 
 
-[Unreleased]: https://github.com/DataDog/dd-trace-rb/compare/v1.16.0...master
+[Unreleased]: https://github.com/DataDog/dd-trace-rb/compare/v1.18.0...master
+[1.18.0]: https://github.com/DataDog/dd-trace-rb/compare/v1.17.0...v1.18.0
+[1.17.0]: https://github.com/DataDog/dd-trace-rb/compare/v1.16.2...v1.17.0
+[1.16.2]: https://github.com/DataDog/dd-trace-rb/compare/v1.16.1...v1.16.2
+[1.16.1]: https://github.com/DataDog/dd-trace-rb/compare/v1.16.0...v1.16.1
 [1.16.0]: https://github.com/DataDog/dd-trace-rb/compare/v1.15.0...v1.16.0
 [1.15.0]: https://github.com/DataDog/dd-trace-rb/compare/v1.14.0...v1.15.0
 [1.14.0]: https://github.com/DataDog/dd-trace-rb/compare/v1.13.1...1.14.0
@@ -3829,8 +3893,29 @@ Git diff: https://github.com/DataDog/dd-trace-rb/compare/v0.3.0...v0.3.1
 [#3206]: https://github.com/DataDog/dd-trace-rb/issues/3206
 [#3207]: https://github.com/DataDog/dd-trace-rb/issues/3207
 [#3223]: https://github.com/DataDog/dd-trace-rb/issues/3223
+[#3229]: https://github.com/DataDog/dd-trace-rb/issues/3229
 [#3234]: https://github.com/DataDog/dd-trace-rb/issues/3234
 [#3235]: https://github.com/DataDog/dd-trace-rb/issues/3235
+[#3240]: https://github.com/DataDog/dd-trace-rb/issues/3240
+[#3242]: https://github.com/DataDog/dd-trace-rb/issues/3242
+[#3248]: https://github.com/DataDog/dd-trace-rb/issues/3248
+[#3252]: https://github.com/DataDog/dd-trace-rb/issues/3252
+[#3255]: https://github.com/DataDog/dd-trace-rb/issues/3255
+[#3259]: https://github.com/DataDog/dd-trace-rb/issues/3259
+[#3262]: https://github.com/DataDog/dd-trace-rb/issues/3262
+[#3266]: https://github.com/DataDog/dd-trace-rb/issues/3266
+[#3267]: https://github.com/DataDog/dd-trace-rb/issues/3267
+[#3270]: https://github.com/DataDog/dd-trace-rb/issues/3270
+[#3271]: https://github.com/DataDog/dd-trace-rb/issues/3271
+[#3273]: https://github.com/DataDog/dd-trace-rb/issues/3273
+[#3279]: https://github.com/DataDog/dd-trace-rb/issues/3279
+[#3280]: https://github.com/DataDog/dd-trace-rb/issues/3280
+[#3284]: https://github.com/DataDog/dd-trace-rb/issues/3284
+[#3286]: https://github.com/DataDog/dd-trace-rb/issues/3286
+[#3289]: https://github.com/DataDog/dd-trace-rb/issues/3289
+[#3303]: https://github.com/DataDog/dd-trace-rb/issues/3303
+[#3307]: https://github.com/DataDog/dd-trace-rb/issues/3307
+[#3308]: https://github.com/DataDog/dd-trace-rb/issues/3308
 [@AdrianLC]: https://github.com/AdrianLC
 [@Azure7111]: https://github.com/Azure7111
 [@BabyGroot]: https://github.com/BabyGroot

data/ext/ddtrace_profiling_native_extension/clock_id_from_pthread.c

@@ -25,6 +25,9 @@ void self_test_clock_id(void) {
 // Safety: This function is assumed never to raise exceptions by callers
 thread_cpu_time_id thread_cpu_time_id_for(VALUE thread) {
   rb_nativethread_id_t thread_id = pthread_id_for(thread);
+
+  if (thread_id == 0) return (thread_cpu_time_id) {.valid = false};
+
   clockid_t clock_id;
 
   int error = pthread_getcpuclockid(thread_id, &clock_id);

data/ext/ddtrace_profiling_native_extension/collectors_thread_context.c

@@ -1150,6 +1150,7 @@ void thread_context_collector_sample_allocation(VALUE self_instance, unsigned in
   // Since this is stack allocated, be careful about moving it
   ddog_CharSlice class_name;
   ddog_CharSlice *optional_class_name = NULL;
+  char imemo_type[100];
 
   if (state->allocation_type_enabled) {
     optional_class_name = &class_name;
@@ -1197,7 +1198,13 @@ void thread_context_collector_sample_allocation(VALUE self_instance, unsigned in
         class_name = ruby_value_type_to_class_name(type);
       }
     } else if (type == RUBY_T_IMEMO) {
-      class_name = DDOG_CHARSLICE_C("(VM Internal, T_IMEMO)");
+      const char *imemo_string = imemo_kind(new_object);
+      if (imemo_string != NULL) {
+        snprintf(imemo_type, 100, "(VM Internal, T_IMEMO, %s)", imemo_string);
+        class_name = (ddog_CharSlice) {.ptr = imemo_type, .len = strlen(imemo_type)};
+      } else { // Ruby < 3
+        class_name = DDOG_CHARSLICE_C("(VM Internal, T_IMEMO)");
+      }
     } else {
       class_name = ruby_vm_type; // For other weird internal things we just use the VM type
     }

data/ext/ddtrace_profiling_native_extension/extconf.rb

@@ -81,10 +81,7 @@ end
 
 # Because we can't control what compiler versions our customers use, shipping with -Werror by default is a no-go.
 # But we can enable it in CI, so that we quickly spot any new warnings that just got introduced.
-#
-# @ivoanjo TODO: 3.3.0-preview releases are causing issues in CI because `have_header('vm_core.h')` below triggers warnings;
-# I've chosen to disable `-Werror` for this Ruby version for now, and we can revisit this on a later 3.3 release.
-add_compiler_flag '-Werror' if ENV['DDTRACE_CI'] == 'true' && !RUBY_DESCRIPTION.include?('3.3.0preview')
+add_compiler_flag '-Werror' if ENV['DDTRACE_CI'] == 'true'
 
 # Older gcc releases may not default to C99 and we need to ask for this. This is also used:
 # * by upstream Ruby -- search for gnu99 in the codebase
@@ -102,9 +99,6 @@ add_compiler_flag '-Wno-declaration-after-statement'
 # cause a segfault later. Let's ensure that never happens.
 add_compiler_flag '-Werror-implicit-function-declaration'
 
-# Warn on unused parameters to functions. Use `DDTRACE_UNUSED` to mark things as known-to-not-be-used.
-add_compiler_flag '-Wunused-parameter'
-
 # The native extension is not intended to expose any symbols/functions for other native libraries to use;
 # the sole exception being `Init_ddtrace_profiling_native_extension` which needs to be visible for Ruby to call it when
 # it `dlopen`s the library.
@@ -131,6 +125,9 @@ if RUBY_PLATFORM.include?('linux')
   $defs << '-DHAVE_PTHREAD_GETCPUCLOCKID'
 end
 
+# On older Rubies, M:N threads were not available
+$defs << '-DNO_MN_THREADS_AVAILABLE' if RUBY_VERSION < '3.3'
+
 # On older Rubies, we did not need to include the ractor header (this was built into the MJIT header)
 $defs << '-DNO_RACTOR_HEADER_INCLUDE' if RUBY_VERSION < '3.3'
 
@@ -152,12 +149,18 @@ $defs << '-DNO_PRIMITIVE_POP' if RUBY_VERSION < '3.2'
 # On older Rubies, there was no tid member in the internal thread structure
 $defs << '-DNO_THREAD_TID' if RUBY_VERSION < '3.1'
 
+# On older Rubies, there was no jit_return member on the rb_control_frame_t struct
+$defs << '-DNO_JIT_RETURN' if RUBY_VERSION < '3.1'
+
 # On older Rubies, we need to use a backported version of this function. See private_vm_api_access.h for details.
 $defs << '-DUSE_BACKPORTED_RB_PROFILE_FRAME_METHOD_NAME' if RUBY_VERSION < '3'
 
 # On older Rubies, there are no Ractors
 $defs << '-DNO_RACTORS' if RUBY_VERSION < '3'
 
+# On older Rubies, rb_imemo_name did not exist
+$defs << '-DNO_IMEMO_NAME' if RUBY_VERSION < '3'
+
 # On older Rubies, objects would not move
 $defs << '-DNO_T_MOVED' if RUBY_VERSION < '2.7'
 
@@ -238,6 +241,10 @@ if Datadog::Profiling::NativeExtensionHelpers::CAN_USE_MJIT_HEADER
   # NOTE: This needs to come after all changes to $defs
   create_header
 
+  # Warn on unused parameters to functions. Use `DDTRACE_UNUSED` to mark things as known-to-not-be-used.
+  # See the comment on the same flag below for why this is done last.
+  add_compiler_flag '-Wunused-parameter'
+
   create_makefile EXTENSION_NAME
 else
   # The MJIT header was introduced on 2.6 and removed on 3.3; for other Rubies we rely on
@@ -253,9 +260,20 @@ else
   Debase::RubyCoreSource
     .create_makefile_with_core(
       proc do
-        have_header('vm_core.h') &&
-        have_header('iseq.h') &&
-        (RUBY_VERSION < '3.3' || have_header('ractor_core.h'))
+        headers_available =
+          have_header('vm_core.h') &&
+          have_header('iseq.h') &&
+          (RUBY_VERSION < '3.3' || have_header('ractor_core.h'))
+
+        if headers_available
+          # Warn on unused parameters to functions. Use `DDTRACE_UNUSED` to mark things as known-to-not-be-used.
+          # This is added as late as possible because in some Rubies we support (e.g. 3.3), adding this flag before
+          # checking if internal VM headers are available causes those checks to fail because of this warning (and not
+          # because the headers are not available.)
+          add_compiler_flag '-Wunused-parameter'
+        end
+
+        headers_available
       end,
       EXTENSION_NAME,
     )

data/ext/ddtrace_profiling_native_extension/http_transport.c

@@ -16,7 +16,6 @@ static ID agent_id; // id of :agent in Ruby
 
 static ID log_failure_to_process_tag_id; // id of :log_failure_to_process_tag in Ruby
 
-static VALUE http_transport_class = Qnil;
 static VALUE library_version_string = Qnil;
 
 struct call_exporter_without_gvl_arguments {
@@ -54,7 +53,7 @@ static void interrupt_exporter_call(void *cancel_token);
 static VALUE ddtrace_version(void);
 
 void http_transport_init(VALUE profiling_module) {
-  http_transport_class = rb_define_class_under(profiling_module, "HttpTransport", rb_cObject);
+  VALUE http_transport_class = rb_define_class_under(profiling_module, "HttpTransport", rb_cObject);
 
   rb_define_singleton_method(http_transport_class, "_native_validate_exporter",  _native_validate_exporter, 1);
   rb_define_singleton_method(http_transport_class, "_native_do_export",  _native_do_export, 12);
@@ -180,6 +179,10 @@ static ddog_Vec_Tag convert_tags(VALUE tags_as_array) {
 }
 
 static VALUE log_failure_to_process_tag(VALUE err_details) {
+  VALUE datadog_module = rb_const_get(rb_cObject, rb_intern("Datadog"));
+  VALUE profiling_module = rb_const_get(datadog_module, rb_intern("Profiling"));
+  VALUE http_transport_class = rb_const_get(profiling_module, rb_intern("HttpTransport"));
+
   return rb_funcall(http_transport_class, log_failure_to_process_tag_id, 1, err_details);
 }
 

data/ext/ddtrace_profiling_native_extension/private_vm_api_access.c

@@ -58,9 +58,12 @@ static inline rb_thread_t *thread_struct_from_object(VALUE thread) {
 }
 
 rb_nativethread_id_t pthread_id_for(VALUE thread) {
-  // struct rb_native_thread was introduced in Ruby 3.2 (preview2): https://github.com/ruby/ruby/pull/5836
+  // struct rb_native_thread was introduced in Ruby 3.2: https://github.com/ruby/ruby/pull/5836
   #ifndef NO_RB_NATIVE_THREAD
-    return thread_struct_from_object(thread)->nt->thread_id;
+    struct rb_native_thread* native_thread = thread_struct_from_object(thread)->nt;
+    // This can be NULL on Ruby 3.3 with MN threads (RUBY_MN_THREADS=1)
+    if (native_thread == NULL) return 0;
+    return native_thread->thread_id;
   #else
     return thread_struct_from_object(thread)->thread_id;
   #endif
@@ -113,15 +116,16 @@ bool is_current_thread_holding_the_gvl(void) {
 
     if (current_owner == NULL) return (current_gvl_owner) {.valid = false};
 
-    return (current_gvl_owner) {
-      .valid = true,
-      .owner =
-        #ifndef NO_RB_NATIVE_THREAD
-          current_owner->nt->thread_id
-        #else
-          current_owner->thread_id
-        #endif
-    };
+    #ifndef NO_RB_NATIVE_THREAD
+      struct rb_native_thread* current_owner_native_thread = current_owner->nt;
+
+      // This can be NULL on Ruby 3.3 with MN threads (RUBY_MN_THREADS=1)
+      if (current_owner_native_thread == NULL) return (current_gvl_owner) {.valid = false};
+
+      return (current_gvl_owner) {.valid = true, .owner = current_owner_native_thread->thread_id};
+    #else
+      return (current_gvl_owner) {.valid = true, .owner = current_owner->thread_id};
+    #endif
   }
 #else
   current_gvl_owner gvl_owner(void) {
@@ -182,7 +186,9 @@ uint64_t native_thread_id_for(VALUE thread) {
   // The tid is only available on Ruby >= 3.1 + Linux (and FreeBSD). It's the same as `gettid()` aka the task id as seen in /proc
   #if !defined(NO_THREAD_TID) && defined(RB_THREAD_T_HAS_NATIVE_ID)
     #ifndef NO_RB_NATIVE_THREAD
-      return thread_struct_from_object(thread)->nt->tid;
+      struct rb_native_thread* native_thread = thread_struct_from_object(thread)->nt;
+      if (native_thread == NULL) rb_raise(rb_eRuntimeError, "BUG: rb_native_thread* is null. Is this Ruby running with RUBY_MN_THREADS=1?");
+      return native_thread->tid;
     #else
       return thread_struct_from_object(thread)->tid;
     #endif
@@ -407,6 +413,7 @@ calc_lineno(const rb_iseq_t *iseq, const VALUE *pc)
 //   the `VALUE` returned by rb_profile_frames returns `(eval)` instead of the path of the file where the `eval`
 //   was called from.
 // * Imported fix from https://github.com/ruby/ruby/pull/7116 to avoid sampling threads that are still being created
+// * Imported fix from https://github.com/ruby/ruby/pull/8415 to avoid potential crash when using YJIT.
 //
 // What is rb_profile_frames?
 // `rb_profile_frames` is a Ruby VM debug API added for use by profilers for sampling the stack trace of a Ruby thread.
@@ -442,12 +449,15 @@ int ddtrace_rb_profile_frames(VALUE thread, int start, int limit, VALUE *buff, i
     // Modified from upstream: Instead of using `GET_EC` to collect info from the current thread,
     // support sampling any thread (including the current) passed as an argument
     rb_thread_t *th = thread_struct_from_object(thread);
-#ifndef USE_THREAD_INSTEAD_OF_EXECUTION_CONTEXT // Modern Rubies
-    const rb_execution_context_t *ec = th->ec;
-#else // Ruby < 2.5
-    const rb_thread_t *ec = th;
-#endif
+    #ifndef USE_THREAD_INSTEAD_OF_EXECUTION_CONTEXT // Modern Rubies
+      const rb_execution_context_t *ec = th->ec;
+    #else // Ruby < 2.5
+      const rb_thread_t *ec = th;
+    #endif
     const rb_control_frame_t *cfp = ec->cfp, *end_cfp = RUBY_VM_END_CONTROL_FRAME(ec);
+    #ifndef NO_JIT_RETURN
+      const rb_control_frame_t *top = cfp;
+    #endif
     const rb_callable_method_entry_t *cme;
 
     // Avoid sampling dead threads
@@ -522,7 +532,20 @@ int ddtrace_rb_profile_frames(VALUE thread, int start, int limit, VALUE *buff, i
                 buff[i] = (VALUE)cfp->iseq;
             }
 
-            lines[i] = calc_lineno(cfp->iseq, cfp->pc);
+            // The topmost frame may not have an updated PC because the JIT
+            // may not have set one.  The JIT compiler will update the PC
+            // before entering a new function (so that `caller` will work),
+            // so only the topmost frame could possibly have an out of date PC
+            #ifndef NO_JIT_RETURN
+              if (cfp == top && cfp->jit_return) {
+                lines[i] = 0;
+              } else {
+                lines[i] = calc_lineno(cfp->iseq, cfp->pc);
+              }
+            #else // Ruby < 3.1
+              lines[i] = calc_lineno(cfp->iseq, cfp->pc);
+            #endif
+
             is_ruby_frame[i] = true;
             i++;
         }
@@ -811,3 +834,40 @@ VALUE invoke_location_for(VALUE thread, int *line_location) {
   *line_location = NUM2INT(rb_iseq_first_lineno(iseq));
   return rb_iseq_path(iseq);
 }
+
+void self_test_mn_enabled(void) {
+  #ifdef NO_MN_THREADS_AVAILABLE
+    return;
+  #else
+    if (ddtrace_get_ractor()->threads.sched.enable_mn_threads == true) {
+      rb_raise(rb_eRuntimeError, "Ruby VM is running with RUBY_MN_THREADS=1. This is not yet supported");
+    }
+  #endif
+}
+
+// Taken from upstream imemo.h at commit 6ebcf25de2859b5b6402b7e8b181066c32d0e0bf (November 2023, master branch)
+// (See the Ruby project copyright and license above)
+// to enable calling rb_imemo_name
+//
+// Modifications:
+// * Added IMEMO_MASK define
+// * Changed return type to int to avoid having to define `enum imemo_type`
+static inline int ddtrace_imemo_type(VALUE imemo) {
+  // This mask is the same between Ruby 2.5 and 3.3-preview3. Furthermore, the intention of this method is to be used
+  // to call `rb_imemo_name` which correctly handles invalid numbers so even if the mask changes in the future, at most
+  // we'll get incorrect results (and never a VM crash)
+  #define IMEMO_MASK   0x0f
+  return (RBASIC(imemo)->flags >> FL_USHIFT) & IMEMO_MASK;
+}
+
+// Safety: This function assumes the object passed in is of the imemo type. But in the worst case, you'll just get
+// a string that doesn't make any sense.
+#ifndef NO_IMEMO_NAME
+  const char *imemo_kind(VALUE imemo) {
+    return rb_imemo_name(ddtrace_imemo_type(imemo));
+  }
+#else
+  const char *imemo_kind(__attribute__((unused)) VALUE imemo) {
+    return NULL;
+  }
+#endif

data/ext/ddtrace_profiling_native_extension/private_vm_api_access.h

@@ -49,3 +49,9 @@ bool ddtrace_rb_ractor_main_p(void);
 // This is what Ruby shows in `Thread#to_s`.
 // The file is returned directly, and the line is recorded onto *line_location.
 VALUE invoke_location_for(VALUE thread, int *line_location);
+
+// Check if RUBY_MN_THREADS is enabled (aka main Ractor is not doing 1:1 threads)
+void self_test_mn_enabled(void);
+
+// Provides more specific information on what kind an imemo is
+const char *imemo_kind(VALUE imemo);

data/ext/ddtrace_profiling_native_extension/profiling.c

@@ -68,6 +68,7 @@ void DDTRACE_EXPORT Init_ddtrace_profiling_native_extension(void) {
 
 static VALUE native_working_p(DDTRACE_UNUSED VALUE _self) {
   self_test_clock_id();
+  self_test_mn_enabled();
 
   return Qtrue;
 }

data/ext/ddtrace_profiling_native_extension/stack_recorder.c

@@ -129,8 +129,6 @@
 static VALUE ok_symbol = Qnil; // :ok in Ruby
 static VALUE error_symbol = Qnil; // :error in Ruby
 
-static VALUE stack_recorder_class = Qnil;
-
 // Note: Please DO NOT use `VALUE_STRING` anywhere else, instead use `DDOG_CHARSLICE_C`.
 // `VALUE_STRING` is only needed because older versions of gcc (4.9.2, used in our Ruby 2.2 CI test images)
 // tripped when compiling `enabled_value_types` using `-std=gnu99` due to the extra cast that is included in
@@ -217,7 +215,7 @@ static VALUE _native_record_endpoint(DDTRACE_UNUSED VALUE _self, VALUE recorder_
 static void reset_profile(ddog_prof_Profile *profile, ddog_Timespec *start_time /* Can be null */);
 
 void stack_recorder_init(VALUE profiling_module) {
-  stack_recorder_class = rb_define_class_under(profiling_module, "StackRecorder", rb_cObject);
+  VALUE stack_recorder_class = rb_define_class_under(profiling_module, "StackRecorder", rb_cObject);
   // Hosts methods used for testing the native code using RSpec
   VALUE testing_module = rb_define_module_under(stack_recorder_class, "Testing");
 

data/lib/datadog/appsec/component.rb

@@ -38,12 +38,15 @@ module Datadog
 
           data = AppSec::Processor::RuleLoader.load_data(
             ip_denylist: settings.appsec.ip_denylist,
-            user_id_denylist: settings.appsec.user_id_denylist
+            user_id_denylist: settings.appsec.user_id_denylist,
           )
 
+          exclusions = AppSec::Processor::RuleLoader.load_exclusions(ip_passlist: settings.appsec.ip_passlist)
+
           ruleset = AppSec::Processor::RuleMerger.merge(
             rules: [rules],
             data: data,
+            exclusions: exclusions,
           )
 
           processor = Processor.new(ruleset: ruleset)

data/lib/datadog/appsec/configuration/settings.rb

@@ -54,6 +54,10 @@ module Datadog
                 o.default :recommended
               end
 
+              option :ip_passlist do |o|
+                o.default []
+              end
+
               option :ip_denylist do |o|
                 o.type :array
                 o.default []
@@ -188,12 +192,6 @@ module Datadog
                   end
                 end
               end
-
-              option :parse_response_body do |o|
-                o.type :bool
-                o.env 'DD_API_SECURITY_PARSE_RESPONSE_BODY'
-                o.default true
-              end
             end
           end
         end

data/lib/datadog/appsec/contrib/devise/patcher/registration_controller_patch.rb

@@ -42,6 +42,8 @@ module Datadog
                     **event_information.to_h
                   )
                 end
+
+                yield resource if block_given?
               end
             end
           end

data/lib/datadog/appsec/contrib/rack/gateway/response.rb

@@ -19,55 +19,9 @@ module Datadog
               @scope = scope
             end
 
-            def parsed_body
-              return unless Datadog.configuration.appsec.parse_response_body
-
-              unless body.instance_of?(Array)
-                Datadog.logger.debug do
-                  "Response body type unsupported: #{body.class}"
-                end
-                return
-              end
-
-              return unless json_content_type?
-
-              result = ''.dup
-              all_body_parts_are_string = true
-
-              body.each do |body_part|
-                if body_part.is_a?(String)
-                  result.concat(body_part)
-                else
-                  all_body_parts_are_string = false
-                  break
-                end
-              end
-
-              return unless all_body_parts_are_string
-
-              begin
-                JSON.parse(result)
-              rescue JSON::ParserError => e
-                Datadog.logger.debug { "Failed to parse response body. Error #{e.class}. Message #{e.message}" }
-                nil
-              end
-            end
-
             def response
               @response ||= ::Rack::Response.new(body, status, headers)
             end
-
-            private
-
-            VALID_JSON_TYPES = [
-              'application/json',
-              'text/json'
-            ].freeze
-
-            def json_content_type?
-              content_type = headers['content-type']
-              VALID_JSON_TYPES.include?(content_type)
-            end
           end
         end
       end

data/lib/datadog/appsec/contrib/rack/reactive/response.rb

@@ -10,7 +10,6 @@ module Datadog
             ADDRESSES = [
               'response.status',
               'response.headers',
-              'response.body',
             ].freeze
             private_constant :ADDRESSES
 
@@ -18,7 +17,6 @@ module Datadog
               catch(:block) do
                 op.publish('response.status', gateway_response.status)
                 op.publish('response.headers', gateway_response.headers)
-                op.publish('response.body', gateway_response.parsed_body)
 
                 nil
               end
@@ -31,7 +29,6 @@ module Datadog
                 response_status = values[0]
                 response_headers = values[1]
                 response_headers_no_cookies = response_headers.dup.tap { |h| h.delete('set-cookie') }
-                response_body = values[2]
 
                 waf_args = {
                   'server.response.status' => response_status.to_s,
@@ -39,8 +36,6 @@ module Datadog
                   'server.response.headers.no_cookies' => response_headers_no_cookies,
                 }
 
-                waf_args['server.response.body'] = response_body if response_body
-
                 waf_timeout = Datadog.configuration.appsec.waf_timeout
                 result = waf_context.run(waf_args, waf_timeout)
 

data/lib/datadog/appsec/contrib/rack/request_middleware.rb

@@ -66,16 +66,6 @@ module Datadog
               request_return = AppSec::Response.negotiate(env, blocked_event.last[:actions]).to_rack if blocked_event
             end
 
-            if request_return[2].respond_to?(:to_ary)
-              # Following the Rack specification. The response body should only call :each once.
-              # Calling :to_ary returns an array with identical content as the produced when calling :each
-              # replacing request_return[2] with that new value allow us to safely operate on the response body.
-              # On Gateway::Response#parsed_body we might iterate over the reposne body using :each
-              # https://github.com/rack/rack/blob/main/SPEC.rdoc#enumerable-body-
-              consumed_body = request_return[2].to_ary
-              request_return[2] = consumed_body if consumed_body
-            end
-
             gateway_response = Gateway::Response.new(
               request_return[2],
               request_return[0],