Module: Datadog::AppSec::Event

Defined in:
lib/datadog/appsec/event.rb

Overview

AppSec event

Constant Summary

# Key prefix for schema-related span attributes.
# NOTE(review): the code that builds keys from this prefix is not shown on this page.
ATTRIBUTES_SCHEMA_KEY_PREFIX = '_dd.appsec.s.'

# Upper bound applied to a compressed schema payload.
# NOTE(review): the unit (presumably bytes) and the enforcement site are not visible here — confirm.
ATTRIBUTES_SCHEMA_MAX_COMPRESSED_SIZE = 25_000

# Lower-case request header names on the allowlist.
# NOTE(review): presumably consulted when request tags are built; that code is not shown here.
# The list contains no credential-bearing headers (authorization, cookie, ...), so
# anything added here should be checked for secrets before it can reach span tags.
# The client-IP style entries (x-forwarded-for, true-client-ip, ...) carry values the
# client supplies, so consumers of the recorded tags should treat them as unverified.
ALLOWED_REQUEST_HEADERS = %w[
  x-forwarded-for x-client-ip x-real-ip x-forwarded x-cluster-client-ip
  forwarded-for forwarded via true-client-ip
  content-length content-type content-encoding content-language
  host user-agent
  accept accept-encoding accept-language
].freeze

# Lower-case response header names on the allowlist: content metadata only.
# set-cookie and similar headers are absent from the list.
ALLOWED_RESPONSE_HEADERS = %w[
  content-length content-type content-encoding content-language
].freeze

Class Method Summary

Class Method Details

.record(context, request: nil, response: nil) ⇒ Object



# File 'lib/datadog/appsec/event.rb', line 53

# Writes the AppSec events collected on +context+ onto its span as tags.
#
# Nothing is recorded when the context holds no events or has no span.
# All tagging runs inside the thread-local rate limiter's +limit+ block.
# NOTE(review): what happens to events when the limiter does not run the block
# is decided by RateLimiter, which is not shown here.
#
# Events are grouped by their trace. A group without a trace is skipped and only
# reported through a debug-level log line, so those security events leave no tags
# on the span and stay invisible unless debug logging is enabled.
#
# @param context [Object] must respond to +events+ and +span+
# @param request [Object, nil] passed to +request_tags+ when given
# @param response [Object, nil] passed to +response_tags+ when given
# @return [Object, nil] nil on the early exits, otherwise whatever +limit+ returns
def record(context, request: nil, response: nil)
  return if context.events.empty?
  return if context.span.nil?

  Datadog::AppSec::RateLimiter.thread_local.limit do
    events_by_trace = context.events.group_by(&:trace)

    events_by_trace.each do |trace, event_group|
      if !trace
        Datadog.logger.debug do
          "AppSec: Cannot record event group with #{event_group.count} events because it has no trace"
        end
        next
      end

      # Request/response details are attached only for groups where at least one
      # event asks to be kept or carries schema data; such traces are force-kept too.
      must_keep = event_group.any? { |item| item.keep? || item.schema? }

      if must_keep
        TraceKeeper.keep!(trace)

        context.span['_dd.origin'] = 'appsec'

        if request
          context.span.set_tags(request_tags(request))
        end

        if response
          context.span.set_tags(response_tags(response))
        end
      end

      # WAF tags are set for every group that has a trace, kept or not.
      context.span.set_tags(waf_tags(event_group))
    end
  end
end

.tag(context, waf_result) ⇒ Object



# File 'lib/datadog/appsec/event.rb', line 43

# Marks the span of +context+ as carrying an AppSec event.
#
# 'appsec.event' is always set to the string 'true'. 'appsec.blocked' is set as well
# when the WAF result's actions contain 'block_request' or 'redirect_request'.
# The blocked tag reflects the action present in the WAF result.
# NOTE(review): whether the request was then actually blocked or redirected is
# handled elsewhere and is not visible here.
#
# @param context [Object] must respond to +span+; nothing happens when the span is nil
# @param waf_result [Object] must respond to +actions+, which is queried with +key?+
# @return [Object, nil] nil without a span, otherwise the result of the last +set_tag+
def tag(context, waf_result)
  return if context.span.nil?

  blocking_actions = %w[block_request redirect_request]
  interrupts_request = blocking_actions.any? { |action| waf_result.actions.key?(action) }

  context.span.set_tag('appsec.blocked', 'true') if interrupts_request

  context.span.set_tag('appsec.event', 'true')
end