dd-trace 2.23.0 → 2.25.0

package/packages/dd-trace/src/appsec/index.js

@@ -10,31 +10,42 @@ const Gateway = require('./gateway/engine')
 const addresses = require('./addresses')
 const Reporter = require('./reporter')
 const web = require('../plugins/util/web')
+const { extractIp } = require('./ip_extractor')
+const { HTTP_CLIENT_IP } = require('../../../../ext/tags')
+const { block, loadTemplates, loadTemplatesAsync } = require('./blocking')
 
 let isEnabled = false
+let config
 
-function enable (config) {
+function enable (_config) {
   if (isEnabled) return
 
   try {
-    // TODO: enable dc_blocking: config.appsec.blocking === true
+    loadTemplates(_config)
+    const rules = fs.readFileSync(_config.appsec.rules || path.join(__dirname, 'recommended.json'))
+    enableFromRules(_config, JSON.parse(rules))
+  } catch (err) {
+    abortEnable(err)
+  }
+}
 
-    let rules = fs.readFileSync(config.appsec.rules || path.join(__dirname, 'recommended.json'))
-    rules = JSON.parse(rules)
+async function enableAsync (_config) {
+  if (isEnabled) return
 
-    RuleManager.applyRules(rules, config.appsec)
-    remoteConfig.enableAsmData(config.appsec)
+  try {
+    await loadTemplatesAsync(_config)
+    const rules = await fs.promises.readFile(_config.appsec.rules || path.join(__dirname, 'recommended.json'))
+    enableFromRules(_config, JSON.parse(rules))
   } catch (err) {
-    log.error('Unable to start AppSec')
-    log.error(err)
-
-    // abort AppSec start
-    RuleManager.clearAllRules()
-    remoteConfig.disableAsmData()
-    return
+    abortEnable(err)
   }
+}
+
+function enableFromRules (_config, rules) {
+  RuleManager.applyRules(rules, _config.appsec)
+  remoteConfig.enableAsmData(_config.appsec)
 
-  Reporter.setRateLimit(config.appsec.rateLimit)
+  Reporter.setRateLimit(_config.appsec.rateLimit)
 
   incomingHttpRequestStart.subscribe(incomingHttpStartTranslator)
   incomingHttpRequestEnd.subscribe(incomingHttpEndTranslator)
@@ -46,27 +57,55 @@ function enable (config) {
   Gateway.manager.addresses.add(addresses.HTTP_INCOMING_REMOTE_IP)
 
   isEnabled = true
+  config = _config
 }
 
-function incomingHttpStartTranslator (data) {
-  // TODO: get span from datadog-core storage instead
-  const topSpan = web.root(data.req)
-  if (topSpan) {
-    topSpan.addTags({
-      '_dd.appsec.enabled': 1,
-      '_dd.runtime_family': 'nodejs'
-    })
-  }
+function abortEnable (err) {
+  log.error('Unable to start AppSec')
+  log.error(err)
+
+  // abort AppSec start
+  RuleManager.clearAllRules()
+  remoteConfig.disableAsmData()
 }
 
-function incomingHttpEndTranslator (data) {
+function incomingHttpStartTranslator ({ req, res, abortController }) {
+  const topSpan = web.root(req)
+  if (!topSpan) return
+
+  const clientIp = extractIp(config, req)
+
+  topSpan.addTags({
+    '_dd.appsec.enabled': 1,
+    '_dd.runtime_family': 'nodejs',
+    [HTTP_CLIENT_IP]: clientIp
+  })
+
   const store = Gateway.startContext()
 
-  store.set('req', data.req)
-  store.set('res', data.res)
+  store.set('req', req)
+  store.set('res', res)
 
   const context = store.get('context')
 
+  if (clientIp) {
+    const results = Gateway.propagate({
+      [addresses.HTTP_CLIENT_IP]: clientIp
+    }, context)
+
+    if (!results || !abortController) return
+
+    for (const entry of results) {
+      if (entry && entry.includes('block')) {
+        block(req, res, topSpan, abortController)
+        break
+      }
+    }
+  }
+}
+
+function incomingHttpEndTranslator (data) {
+  const context = Gateway.getContext()
   if (!context) return
 
   const requestHeaders = Object.assign({}, data.req.headers)
@@ -107,7 +146,7 @@ function incomingHttpEndTranslator (data) {
     payload[addresses.HTTP_INCOMING_COOKIES] = {}
 
     for (const k of Object.keys(data.req.cookies)) {
-      payload[addresses.HTTP_INCOMING_COOKIES][k] = [ data.req.cookies[k] ]
+      payload[addresses.HTTP_INCOMING_COOKIES][k] = [data.req.cookies[k]]
     }
   }
 
@@ -118,6 +157,7 @@ function incomingHttpEndTranslator (data) {
 
 function disable () {
   isEnabled = false
+  config = null
 
   RuleManager.clearAllRules()
   remoteConfig.disableAsmData()
@@ -129,6 +169,7 @@ function disable () {
 
 module.exports = {
   enable,
+  enableAsync,
   disable,
   incomingHttpStartTranslator,
   incomingHttpEndTranslator

package/packages/dd-trace/src/appsec/ip_extractor.js

@@ -0,0 +1,98 @@
+'use strict'
+
+const BlockList = require('./ip_blocklist')
+const net = require('net')
+const log = require('../log')
+
+const ipHeaderList = [
+  'x-forwarded-for',
+  'x-real-ip',
+  'client-ip',
+  'x-forwarded',
+  'x-cluster-client-ip',
+  'forwarded-for',
+  'forwarded',
+  'via',
+  'true-client-ip'
+]
+
+const privateCIDRs = [
+  '127.0.0.0/8',
+  '10.0.0.0/8',
+  '172.16.0.0/12',
+  '192.168.0.0/16',
+  '169.254.0.0/16',
+  '::1/128',
+  'fec0::/10',
+  'fe80::/10',
+  'fc00::/7',
+  'fd00::/8'
+]
+
+const privateIPMatcher = new BlockList()
+
+for (const cidr of privateCIDRs) {
+  const [address, prefix] = cidr.split('/')
+
+  privateIPMatcher.addSubnet(address, parseInt(prefix), net.isIPv6(address) ? 'ipv6' : 'ipv4')
+}
+
+function extractIp (config, req) {
+  const headers = req.headers
+  if (config.clientIpHeader) {
+    if (!headers) return
+    const header = headers[config.clientIpHeader]
+    if (!header) return
+
+    return findFirstIp(header)
+  }
+
+  const foundHeaders = []
+  if (headers) {
+    for (let i = 0; i < ipHeaderList.length; i++) {
+      if (headers[ipHeaderList[i]]) {
+        foundHeaders.push(ipHeaderList[i])
+      }
+    }
+  }
+
+  if (foundHeaders.length === 1) {
+    const header = headers[foundHeaders[0]]
+    const firstIp = findFirstIp(header)
+
+    if (firstIp) return firstIp
+  } else if (foundHeaders.length > 1) {
+    log.error(`Cannot find client IP: multiple IP headers detected ${foundHeaders}`)
+    return
+  }
+
+  return req.socket && req.socket.remoteAddress
+}
+
+function findFirstIp (str) {
+  let firstPrivateIp
+  const splitted = str.split(',')
+
+  for (let i = 0; i < splitted.length; i++) {
+    const chunk = splitted[i].trim()
+
+    // TODO: strip port and interface data ?
+
+    const type = net.isIP(chunk)
+    if (!type) continue
+
+    if (!privateIPMatcher.check(chunk, type === 6 ? 'ipv6' : 'ipv4')) {
+      // it's public, return it immediately
+      return chunk
+    }
+
+    // it's private, only save the first one found
+    if (!firstPrivateIp) firstPrivateIp = chunk
+  }
+
+  return firstPrivateIp
+}
+
+module.exports = {
+  extractIp
+}

package/packages/dd-trace/src/appsec/recommended.json

@@ -1,7 +1,7 @@
 {
   "version": "2.2",
   "metadata": {
-    "rules_version": "1.4.2"
+    "rules_version": "1.4.3"
   },
   "rules": [
     {
@@ -1802,7 +1802,7 @@
                 "address": "server.request.path_params"
               }
             ],
-            "regex": "^(?i:file|ftps?|https?).*?\\?+$",
+            "regex": "^(?i:file|ftps?|http)://.*?\\?+$",
             "options": {
               "case_sensitive": true,
               "min_length": 4
@@ -2694,8 +2694,9 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?|lert|tob)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|b(?:(?:son_(?:de|en)|ase64_en)code|zopen|toa)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*|\\\")*\\(.*\\)",
+            "regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?|lert|tob)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|b(?:(?:son_(?:de|en)|ase64_en)code|zopen|toa)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*|\\\"|')*\\((?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?,)*(?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?)?\\)",
             "options": {
+              "case_sensitive": true,
               "min_length": 5
             }
           },
@@ -3524,7 +3525,7 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "\\b(?i:eval|settimeout|setinterval|new\\s+Function)\\s*\\(",
+            "regex": "\\b(?i:eval|settimeout|setinterval|new\\s+Function|alert|prompt)\\s*\\([^\\)]",
             "options": {
               "case_sensitive": true,
               "min_length": 5
@@ -3770,7 +3771,7 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?))",
+            "regex": "(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)",
             "options": {
               "case_sensitive": true,
               "min_length": 3
@@ -3808,7 +3809,7 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "(?:^[\\W\\d]+\\s*?(?:alter\\s*(?:a(?:(?:pplication\\s*rol|ggregat)e|s(?:ymmetric\\s*ke|sembl)y|u(?:thorization|dit)|vailability\\s*group)|c(?:r(?:yptographic\\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\\s*key|k)|terialized)|e(?:ssage\\s*type|thod)|odule)|l(?:o(?:g(?:file\\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\\s*priority|ufferpool)|x(?:ml\\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)\\b|(?:(?:(?:trunc|cre)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)\\s+\\w+|u(?:nion\\s*(?:(?:distin|sele)ct|all)\\b|pdate\\s+\\w+))|\\b(?:(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\\s+(?:group_concat|load_file|char)\\b\\s*\\(?|end\\s*?\\);)|[\\\"'`\\w]\\s+as\\b\\s*[\\\"'`\\w]+\\s*\\bfrom|[\\s(?:]load_file\\s*?\\(|[\\\"'`]\\s+regexp\\W)",
+            "regex": "(?:^[\\W\\d]+\\s*?(?:alter\\s*(?:a(?:(?:pplication\\s*rol|ggregat)e|s(?:ymmetric\\s*ke|sembl)y|u(?:thorization|dit)|vailability\\s*group)|c(?:r(?:yptographic\\s*provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)|curity|quence|ssion|arch)|y(?:mmetric\\s*key|nonym)|togroup|chema)|m(?:a(?:s(?:ter\\s*key|k)|terialized)|e(?:ssage\\s*type|thod)|odule)|l(?:o(?:g(?:file\\s*group|in)|ckdown)|a(?:ngua|r)ge|ibrary)|t(?:(?:abl(?:espac)?|yp)e|r(?:igger|usted)|hreshold|ext)|p(?:a(?:rtition|ckage)|ro(?:cedur|fil)e|ermission)|d(?:i(?:mension|skgroup)|atabase|efault|omain)|r(?:o(?:l(?:lback|e)|ute)|e(?:sourc|mot)e)|f(?:u(?:lltext|nction)|lashback|oreign)|e(?:xte(?:nsion|rnal)|(?:ndpoi|ve)nt)|in(?:dex(?:type)?|memory|stance)|b(?:roker\\s*priority|ufferpool)|x(?:ml\\s*schema|srobject)|w(?:ork(?:load)?|rapper)|hi(?:erarchy|stogram)|o(?:perator|utline)|(?:nicknam|queu)e|us(?:age|er)|group|java|view)|union\\s*(?:(?:distin|sele)ct|all))\\b|\\b(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\\s+(?:group_concat|load_file|char)\\b\\s*\\(?|[\\s(]load_file\\s*?\\(|[\\\"'`]\\s+regexp\\W)",
             "options": {
               "min_length": 5
             }
@@ -4177,7 +4178,7 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "[#%$]{[^}]+[^\\w\\s][^}]+}",
+            "regex": "[#%$]{(?:[^}]+[^\\w\\s}\\-_][^}]+|\\d+-\\d+)}",
             "options": {
               "case_sensitive": true
             }
@@ -4352,6 +4353,38 @@
       ],
       "transformers": []
     },
+    {
+      "id": "dog-931-001",
+      "name": "RFI: URL Payload to well known RFI target",
+      "tags": {
+        "type": "rfi",
+        "category": "attack_attempt"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              },
+              {
+                "address": "server.request.path_params"
+              }
+            ],
+            "regex": "^(?i:file|ftps?|https?).*/rfiinc\\.txt\\?+$",
+            "options": {
+              "case_sensitive": true,
+              "min_length": 17
+            }
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": []
+    },
     {
       "id": "nfd-000-001",
       "name": "Detect common directory discovery scans",
@@ -5160,7 +5193,7 @@
                 "address": "grpc.server.request.message"
               }
             ],
-            "regex": "^(jar:)?(http|https):\\/\\/([0-9oq]{1,5}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}|[0-9]{1,10}|localhost)(:[0-9]{1,5})?(\\/.*|)$"
+            "regex": "^(jar:)?(http|https):\\/\\/([0-9oq]{1,5}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}|[0-9]{1,10})(:[0-9]{1,5})?(\\/.*|)$"
           },
           "operator": "match_regex"
         }
@@ -6417,6 +6450,40 @@
       ],
       "transformers": []
     },
+    {
+      "id": "ua0-600-56x",
+      "name": "Datadog test scanner - blocking version: user-agent",
+      "tags": {
+        "type": "security_scanner",
+        "category": "attack_attempt"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.headers.no_cookies",
+                "key_path": [
+                  "user-agent"
+                ]
+              },
+              {
+                "address": "grpc.server.request.metadata",
+                "key_path": [
+                  "dd-canary"
+                ]
+              }
+            ],
+            "regex": "^dd-test-scanner-log-block$"
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": [],
+      "on_match": [
+        "block"
+      ]
+    },
     {
       "id": "ua0-600-5xx",
       "name": "Blind SQL Injection Brute Forcer",

package/packages/dd-trace/src/appsec/remote_config/index.js

@@ -23,7 +23,7 @@ function enable (config) {
         }
 
         if (shouldEnable) {
-          require('..').enable(config)
+          require('..').enableAsync(config).catch(() => {})
         } else {
           require('..').disable()
         }
@@ -34,6 +34,7 @@ function enable (config) {
 
 function enableAsmData (appsecConfig) {
   if (rc && appsecConfig && appsecConfig.rules === undefined) {
+    rc.updateCapabilities(RemoteConfigCapabilities.ASM_IP_BLOCKING, true)
     rc.on('ASM_DATA', _asmDataListener)
   }
 }

package/packages/dd-trace/src/appsec/remote_config/manager.js

@@ -9,7 +9,6 @@ const log = require('../../log')
 
 const clientId = uuid()
 
-const POLL_INTERVAL = 5e3
 const DEFAULT_CAPABILITY = Buffer.alloc(1).toString('base64') // 0x00
 
 // There MUST NOT exist separate instances of RC clients in a tracer making separate ClientGetConfigsRequest
@@ -18,7 +17,8 @@ class RemoteConfigManager extends EventEmitter {
   constructor (config) {
     super()
 
-    this.scheduler = new Scheduler((cb) => this.poll(cb), POLL_INTERVAL)
+    const pollInterval = config.remoteConfig.pollInterval * 1000
+    this.scheduler = new Scheduler((cb) => this.poll(cb), pollInterval)
 
     this.requestOptions = {
       url: config.url,

package/packages/dd-trace/src/appsec/templates/blocked.html

@@ -0,0 +1,99 @@
+<!-- Sorry, you’ve been blocked -->
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width,initial-scale=1">
+    <title>You've been blocked</title>
+    <style>
+        a,
+        body,
+        div,
+        html,
+        span {
+            margin: 0;
+            padding: 0;
+            border: 0;
+            font-size: 100%;
+            font: inherit;
+            vertical-align: baseline
+        }
+
+        body {
+            background: -webkit-radial-gradient(26% 19%, circle, #fff, #f4f7f9);
+            background: radial-gradient(circle at 26% 19%, #fff, #f4f7f9);
+            display: -webkit-box;
+            display: -ms-flexbox;
+            display: flex;
+            -webkit-box-pack: center;
+            -ms-flex-pack: center;
+            justify-content: center;
+            -webkit-box-align: center;
+            -ms-flex-align: center;
+            align-items: center;
+            -ms-flex-line-pack: center;
+            align-content: center;
+            width: 100%;
+            min-height: 100vh;
+            line-height: 1;
+            flex-direction: column
+        }
+
+        p {
+            display: block
+        }
+
+
+        main {
+            text-align: center;
+            flex: 1;
+            display: -webkit-box;
+            display: -ms-flexbox;
+            display: flex;
+            -webkit-box-pack: center;
+            -ms-flex-pack: center;
+            justify-content: center;
+            -webkit-box-align: center;
+            -ms-flex-align: center;
+            align-items: center;
+            -ms-flex-line-pack: center;
+            align-content: center;
+            flex-direction: column
+        }
+
+        p {
+            font-size: 18px;
+            line-height: normal;
+            color: #646464;
+            font-family: sans-serif;
+            font-weight: 400
+        }
+
+        a {
+            color: #4842b7
+        }
+
+        footer {
+            width: 100%;
+            text-align: center
+        }
+
+        footer p {
+            font-size: 16px
+        }
+    </style>
+</head>
+
+<body>
+    <main>
+        <p>Sorry, you cannot access this page. Please contact the customer service team.</p>
+    </main>
+    <footer>
+        <p>Security provided by <a
+                href="https://www.datadoghq.com/product/security-platform/application-security-monitoring/"
+                target="_blank">Datadog</a></p>
+    </footer>
+</body>
+
+</html>

package/packages/dd-trace/src/appsec/templates/blocked.json

@@ -0,0 +1,8 @@
+{
+  "errors": [
+    {
+      "title": "You've been blocked",
+      "detail": "Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."
+    }
+  ]
+}

package/packages/dd-trace/src/ci-visibility/exporters/agent-proxy/index.js

@@ -57,6 +57,10 @@ class AgentProxyCiVisibilityExporter extends CiVisibilityExporter {
       this.exportUncodedCoverages()
     })
   }
+
+  setUrl (url, coverageUrl) {
+    this._setUrl(url, coverageUrl)
+  }
 }
 
 module.exports = AgentProxyCiVisibilityExporter

package/packages/dd-trace/src/ci-visibility/exporters/agentless/index.js

@@ -4,6 +4,7 @@ const URL = require('url').URL
 const Writer = require('./writer')
 const CoverageWriter = require('./coverage-writer')
 const CiVisibilityExporter = require('../ci-visibility-exporter')
+const log = require('../../../log')
 
 class AgentlessCiVisibilityExporter extends CiVisibilityExporter {
   constructor (config) {
@@ -19,11 +20,26 @@ class AgentlessCiVisibilityExporter extends CiVisibilityExporter {
     this._coverageUrl = url || new URL(`https://event-platform-intake.${site}`)
     this._coverageWriter = new CoverageWriter({ url: this._coverageUrl })
 
+    this._apiUrl = url || new URL(`https://api.${site}`)
+
     if (isGitUploadEnabled) {
-      const gitUrl = url || new URL(`https://api.${site}`)
-      this.sendGitMetadata({ url: gitUrl })
+      this.sendGitMetadata({ url: this._getApiUrl() })
+    }
+  }
+
+  setUrl (url, coverageUrl = url, apiUrl = url) {
+    this._setUrl(url, coverageUrl)
+    try {
+      apiUrl = new URL(apiUrl)
+      this._apiUrl = apiUrl
+    } catch (e) {
+      log.error(e)
     }
   }
+
+  _getApiUrl () {
+    return this._apiUrl
+  }
 }
 
 module.exports = AgentlessCiVisibilityExporter

package/packages/dd-trace/src/ci-visibility/exporters/ci-visibility-exporter.js

@@ -63,9 +63,7 @@ class CiVisibilityExporter extends AgentInfoExporter {
   }
 
   canReportCodeCoverage () {
-    return this._canUseCiVisProtocol &&
-      this._itrConfig &&
-      this._itrConfig.isCodeCoverageEnabled
+    return this._canUseCiVisProtocol
   }
 
   // We can't call the skippable endpoint until git upload has finished,
@@ -79,7 +77,7 @@ class CiVisibilityExporter extends AgentInfoExporter {
         return callback(gitUploadError, [])
       }
       const configuration = {
-        url: this._url,
+        url: this._getApiUrl(),
         site: this._config.site,
         env: this._config.env,
         service: this._config.service,
@@ -103,13 +101,17 @@ class CiVisibilityExporter extends AgentInfoExporter {
         return callback(null, {})
       }
       const configuration = {
-        url: this._url,
+        url: this._getApiUrl(),
         env: this._config.env,
         service: this._config.service,
         isEvpProxy: !!this._isUsingEvpProxy,
         ...testConfiguration
       }
       getItrConfigurationRequest(configuration, (err, itrConfig) => {
+        /**
+         * **Important**: this._itrConfig remains empty in testing frameworks
+         * where the tests run in a subprocess, because `getItrConfiguration` is called only once.
+         */
         this._itrConfig = itrConfig
         callback(err, itrConfig)
       })
@@ -179,7 +181,7 @@ class CiVisibilityExporter extends AgentInfoExporter {
     this._coverageBuffer = []
   }
 
-  setUrl (url, coverageUrl = url) {
+  _setUrl (url, coverageUrl = url) {
     try {
       url = new URL(url)
       coverageUrl = new URL(coverageUrl)
@@ -191,6 +193,10 @@ class CiVisibilityExporter extends AgentInfoExporter {
       log.error(e)
     }
   }
+
+  _getApiUrl () {
+    return this._url
+  }
 }
 
 module.exports = CiVisibilityExporter