Module: Datadog::AppSec::Event

Defined in:
lib/datadog/appsec/event.rb

Overview

AppSec event

Constant Summary

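# Request headers that may be copied onto the service entry span as
# `http.request.headers.<name>` tags. This is an explicit allow-list, so
# arbitrary (possibly sensitive) request headers are never turned into tags.
# Names are downcased once here so callers can compare case-insensitively.
ALLOWED_REQUEST_HEADERS = %w[
  X-Forwarded-For
  X-Client-IP
  X-Real-IP
  X-Forwarded
  X-Cluster-Client-IP
  Forwarded-For
  Forwarded
  Via
  True-Client-IP
  Content-Length
  Content-Type
  Content-Encoding
  Content-Language
  Host
  User-Agent
  Accept
  Accept-Encoding
  Accept-Language
].map!(&:downcase).freeze

# Response headers that may be copied onto the span as
# `http.response.headers.<name>` tags (same allow-list rationale as above).
ALLOWED_RESPONSE_HEADERS = %w[
  Content-Length
  Content-Type
  Content-Encoding
  Content-Language
].map!(&:downcase).freeze

# Upper bound on the size of a schema value (after optional compression and
# encoding); values at or above this size are not added to the span tags.
MAX_ENCODED_SCHEMA_SIZE = 25_000

# Schema values at or above this size are compressed and base64-encoded
# before being tagged.
# For more information about this number please check
# github.com/DataDog/dd-trace-rb/pull/3177#issuecomment-1747221082
MIN_SCHEMA_SIZE_FOR_COMPRESSION = 260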

Class Method Summary

Class Method Details

.build_service_entry_tags(event_group) ⇒ Object

rubocop:disable Metrics/MethodLength



# File 'lib/datadog/appsec/event.rb', line 82

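# Builds the hash of tags to apply to the service entry span for a group of
# AppSec events that belong to the same trace.
#
# @param event_group [Array<Hash>] events sharing one trace; each may carry
#   :request, :response and :waf_result entries
# @return [Hash{String => Object}] tag name => value, always containing
#   '_dd.origin' => 'appsec'
def build_service_entry_tags(event_group)
  waf_events = []
  service_entry_tags = event_group.each_with_object({ '_dd.origin' => 'appsec' }) do |event, tags|
    # TODO: assume HTTP request context for now
    if (request = event[:request])
      # Only allow-listed headers become tags, so arbitrary or sensitive
      # request headers are never attached to the span.
      # NOTE(review): the allow-list check is case-insensitive but the tag key
      # keeps the header's original casing — confirm this is intended.
      request.headers.each do |header, value|
        tags["http.request.headers.#{header}"] = value if ALLOWED_REQUEST_HEADERS.include?(header.downcase)
      end

      tags['http.host'] = request.host
      tags['http.useragent'] = request.user_agent
      tags['network.client.ip'] = request.remote_addr
    end

    if (response = event[:response])
      response.headers.each do |header, value|
        tags["http.response.headers.#{header}"] = value if ALLOWED_RESPONSE_HEADERS.include?(header.downcase)
      end
    end

    waf_result = event[:waf_result]
    # accumulate triggers across the whole group; they are serialized once below
    waf_events += waf_result.events

    # Derivatives are size-bounded before being tagged under their key.
    waf_result.derivatives.each do |key, value|
      parsed_value = json_parse(value)
      next unless parsed_value

      parsed_value_size = parsed_value.size

      # Values at or above the threshold are compressed and base64-encoded to
      # keep the tag payload small; either branch may yield nil (guarded below).
      schema_value = if parsed_value_size >= MIN_SCHEMA_SIZE_FOR_COMPRESSION
                       compressed_and_base64_encoded(parsed_value)
                     else
                       parsed_value
                     end
      next unless schema_value

      # Hard cap: drop values that are still too large even after compression.
      if schema_value.size >= MAX_ENCODED_SCHEMA_SIZE
        Datadog.logger.debug do
          "Schema key: #{key} exceeds the max size value. It will not be included as part of the span tags"
        end
        next
      end

      tags[key] = schema_value
    end

    tags
  end

  # All accumulated triggers are emitted under a single tag.
  appsec_events = json_parse({ triggers: waf_events })
  service_entry_tags['_dd.appsec.json'] = appsec_events if appsec_events
  service_entry_tags
end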

.record(span, *events) ⇒ Object



# File 'lib/datadog/appsec/event.rb', line 49

# Records AppSec events on the given span, subject to the traces rate limiter.
#
# @param span [Object, nil] span to tag; nothing is recorded when nil
# @param events [Array<Hash>] events to record; nothing is recorded when empty
# @return [nil, Object] nil on the early-exit paths, otherwise the rate limiter's result
def record(span, *events)
  # Bail out before touching the rate limiter so empty calls are not counted.
  return if span.nil?
  return if events.empty?

  Datadog::AppSec::RateLimiter.limit(:traces) { record_via_span(span, *events) }
end

.record_via_span(span, *events) ⇒ Object



# File 'lib/datadog/appsec/event.rb', line 58

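# Records events on their traces: each trace is kept, marked as an ASM
# sampling decision, and the service entry tags are applied to +span+.
#
# @param span [Object] span that receives the tags (must respond to #set_tag)
# @param events [Array<Hash>] events; grouped by their :trace entry, events
#   without a trace are logged at debug level and skipped
# @return [Hash] events grouped by trace (the value of #each; not meant for callers)
def record_via_span(span, *events)
  events.group_by { |e| e[:trace] }.each do |trace, event_group|
    unless trace
      # NOTE(review): event_group.inspect can include request data (headers,
      # client IP). It is only emitted at debug level — keep that in mind when
      # enabling debug logging.
      Datadog.logger.debug { "{ error: 'no trace: cannot record', event_group: #{event_group.inspect}}" }
      next
    end

    # Keep the trace and record which component made the sampling decision.
    trace.keep!
    trace.set_tag(
      Datadog::Tracing::Metadata::Ext::Distributed::TAG_DECISION_MAKER,
      Datadog::Tracing::Sampling::Ext::Decision::ASM
    )

    # prepare and gather tags to apply
    service_entry_tags = build_service_entry_tags(event_group)

    # apply tags to service entry span
    service_entry_tags.each do |key, value|
      span.set_tag(key, value)
    end
  end
end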