Module: Datadog::AppSec::Event

Defined in:
lib/datadog/appsec/event.rb

Overview

AppSec event

Constant Summary collapse

ALLOWED_REQUEST_HEADERS =
%w[
  X-Forwarded-For
  X-Client-IP
  X-Real-IP
  X-Forwarded
  X-Cluster-Client-IP
  Forwarded-For
  Forwarded
  Via
  True-Client-IP
  Content-Length
  Content-Type
  Content-Encoding
  Content-Language
  Host
  User-Agent
  Accept
  Accept-Encoding
  Accept-Language
].map!(&:downcase).freeze
ALLOWED_RESPONSE_HEADERS =
%w[
  Content-Length
  Content-Type
  Content-Encoding
  Content-Language
].map!(&:downcase).freeze
MAX_ENCODED_SCHEMA_SIZE =
25000
MIN_SCHEMA_SIZE_FOR_COMPRESSION =

For more information about this number please check github.com/DataDog/dd-trace-rb/pull/3177#issuecomment-1747221082

260

Class Method Summary collapse

Class Method Details

.build_service_entry_tags(event_group) ⇒ Object

rubocop:disable Metrics/MethodLength



84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
# File 'lib/datadog/appsec/event.rb', line 84

def (event_group)
  waf_events = []
   = event_group.each_with_object({ '_dd.origin' => 'appsec' }) do |event, tags|
    # TODO: assume HTTP request context for now
    if (request = event[:request])
      request.headers.each do |header, value|
        tags["http.request.headers.#{header}"] = value if ALLOWED_REQUEST_HEADERS.include?(header.downcase)
      end

      tags['http.host'] = request.host
      tags['http.useragent'] = request.user_agent
      tags['network.client.ip'] = request.remote_addr
    end

    if (response = event[:response])
      response.headers.each do |header, value|
        tags["http.response.headers.#{header}"] = value if ALLOWED_RESPONSE_HEADERS.include?(header.downcase)
      end
    end

    waf_result = event[:waf_result]
    # accumulate triggers
    waf_events += waf_result.events

    waf_result.derivatives.each do |key, value|
      parsed_value = json_parse(value)
      next unless parsed_value

      parsed_value_size = parsed_value.size

      schema_value = if parsed_value_size >= MIN_SCHEMA_SIZE_FOR_COMPRESSION
                       compressed_and_base64_encoded(parsed_value)
                     else
                       parsed_value
                     end
      next unless schema_value

      if schema_value.size >= MAX_ENCODED_SCHEMA_SIZE
        Datadog.logger.debug do
          "Schema key: #{key} exceeds the max size value. It will not be included as part of the span tags"
        end
        next
      end

      tags[key] = schema_value
    end

    tags
  end

  appsec_events = json_parse({ triggers: waf_events })
  ['_dd.appsec.json'] = appsec_events if appsec_events
  
end

.record(span, *events) ⇒ Object



51
52
53
54
55
56
57
58
# File 'lib/datadog/appsec/event.rb', line 51

def record(span, *events)
  # ensure rate limiter is called only when there are events to record
  return if events.empty? || span.nil?

  Datadog::AppSec::RateLimiter.thread_local.limit do
    record_via_span(span, *events)
  end
end

.record_via_span(span, *events) ⇒ Object



60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
# File 'lib/datadog/appsec/event.rb', line 60

def record_via_span(span, *events)
  events.group_by { |e| e[:trace] }.each do |trace, event_group|
    unless trace
      Datadog.logger.debug { "{ error: 'no trace: cannot record', event_group: #{event_group.inspect}}" }
      next
    end

    trace.keep!
    trace.set_tag(
      Datadog::Tracing::Metadata::Ext::Distributed::TAG_DECISION_MAKER,
      Datadog::Tracing::Sampling::Ext::Decision::ASM
    )

    # prepare and gather tags to apply
     = (event_group)

    # apply tags to service entry span
    .each do |key, value|
      span.set_tag(key, value)
    end
  end
end

.tag_and_keep!(scope, waf_result) ⇒ Object

rubocop:enable Metrics/MethodLength



140
141
142
143
144
145
146
147
148
149
150
# File 'lib/datadog/appsec/event.rb', line 140

def tag_and_keep!(scope, waf_result)
  # We want to keep the trace in case of security event
  scope.trace.keep! if scope.trace

  if scope.service_entry_span
    scope.service_entry_span.set_tag('appsec.blocked', 'true') if waf_result.actions.key?('block_request')
    scope.service_entry_span.set_tag('appsec.event', 'true')
  end

  add_distributed_tags(scope.trace)
end