
Commit 5a97b55

authored
Merge branch 'release/v1.39.x' into mattalp/patch-profiler-to-1.15.0
2 parents e72240d + bb44f89 commit 5a97b55


7 files changed

+31
-10
lines changed


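--- a/.circleci/config.continue.yml.j2
+++ b/.circleci/config.continue.yml.j2
@@ -36,7 +36,7 @@ instrumentation_modules: &instrumentation_modules "dd-java-agent/instrumentation
 debugger_modules: &debugger_modules "dd-java-agent/agent-debugger|dd-java-agent/agent-bootstrap|dd-java-agent/agent-builder|internal-api|communication|dd-trace-core"
 profiling_modules: &profiling_modules "dd-java-agent/agent-profiling"
 
-default_system_tests_commit: &default_system_tests_commit 15713a66e48f82b7d995cea2eb6eb78bec0270df
+default_system_tests_commit: &default_system_tests_commit 39bf65e0d94278c60fdd6ff85ba668cb436467f0
 
 parameters:
 nightly: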

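--- a/dd-java-agent/appsec/build.gradle
+++ b/dd-java-agent/appsec/build.gradle
@@ -15,7 +15,7 @@ dependencies {
 implementation project(':internal-api')
 implementation project(':communication')
 implementation project(':telemetry')
-implementation group: 'io.sqreen', name: 'libsqreen', version: '11.0.0'
+implementation group: 'io.sqreen', name: 'libsqreen', version: '11.0.1'
 implementation libs.moshi
 
 testImplementation libs.bytebuddy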

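--- a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/AppSecConfigServiceImpl.java
+++ b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/AppSecConfigServiceImpl.java
@@ -13,6 +13,7 @@
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_IP_BLOCKING;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_NETWORK_FINGERPRINT;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_RASP_SQLI;
+import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_RASP_SSRF;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_REQUEST_BLOCKING;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_TRUSTED_IPS;
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_USER_BLOCKING;
@@ -97,7 +98,7 @@ private void subscribeConfigurationPoller() {
 
 this.configurationPoller.addConfigurationEndListener(applyRemoteConfigListener);
 
-this.configurationPoller.addCapabilities(
+long capabilities =
 CAPABILITY_ASM_DD_RULES
 | CAPABILITY_ASM_IP_BLOCKING
 | CAPABILITY_ASM_EXCLUSIONS
@@ -107,12 +108,16 @@ private void subscribeConfigurationPoller() {
 | CAPABILITY_ASM_CUSTOM_RULES
 | CAPABILITY_ASM_CUSTOM_BLOCKING_RESPONSE
 | CAPABILITY_ASM_TRUSTED_IPS
-| CAPABILITY_ASM_RASP_SQLI
 | CAPABILITY_ENDPOINT_FINGERPRINT
 // TODO enable when usr.id and usr.session_id addresses are added
 // | CAPABILITY_ASM_SESSION_FINGERPRINT
 | CAPABILITY_ASM_NETWORK_FINGERPRINT
-| CAPABILITY_ASM_HEADER_FINGERPRINT);
+| CAPABILITY_ASM_HEADER_FINGERPRINT;
+if (tracerConfig.isAppSecRaspEnabled()) {
+capabilities |= CAPABILITY_ASM_RASP_SQLI;
+capabilities |= CAPABILITY_ASM_RASP_SSRF;
+}
+this.configurationPoller.addCapabilities(capabilities);
 }
 
 private void subscribeRulesAndData() {
@@ -353,6 +358,7 @@ public void close() {
 | CAPABILITY_ASM_TRUSTED_IPS
 | CAPABILITY_ASM_API_SECURITY_SAMPLE_RATE
 | CAPABILITY_ASM_RASP_SQLI
+| CAPABILITY_ASM_RASP_SSRF
 | CAPABILITY_ASM_AUTO_USER_INSTRUM_MODE
 | CAPABILITY_ENDPOINT_FINGERPRINT
 // TODO enable when usr.id and usr.session_id addresses are added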
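Review bot: The new `if (tracerConfig.isAppSecRaspEnabled())` gate in subscribeConfigurationPoller() carries no comment on why the two RASP bits are advertised conditionally, and the list in close() (last hunk) still names `CAPABILITY_ASM_RASP_SQLI` and `CAPABILITY_ASM_RASP_SSRF` unconditionally. If that call only clears bits the asymmetry is harmless, but it reads like an oversight. A comment on the gate such as `// advertise RASP capabilities only when RASP is enabled` would record the intent, presumably so the remote-config side is not told these protections are active when they are not. The two statements can also be merged into `capabilities |= CAPABILITY_ASM_RASP_SQLI | CAPABILITY_ASM_RASP_SSRF;`. Both method bodies start outside the visible hunks.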

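--- a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/AppSecRequestContext.java
+++ b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/AppSecRequestContext.java
@@ -11,6 +11,7 @@
 import datadog.trace.api.Config;
 import datadog.trace.api.http.StoredBodySupplier;
 import datadog.trace.api.internal.TraceSegment;
+import datadog.trace.api.telemetry.LogCollector;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
 import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
 import io.sqreen.powerwaf.Additive;
@@ -118,7 +119,7 @@ public class AppSecRequestContext implements DataBundle, Closeable {
 // set after additive is set
 private volatile PowerwafMetrics wafMetrics;
 private volatile PowerwafMetrics raspMetrics;
-private AtomicInteger raspMetricsCounter;
+private final AtomicInteger raspMetricsCounter = new AtomicInteger(0);
 private volatile boolean blocked;
 private volatile int timeouts;
 
@@ -182,7 +183,6 @@ public Additive getOrCreateAdditive(PowerwafContext ctx, boolean createMetrics,
 }
 if (isRasp && raspMetrics == null) {
 this.raspMetrics = ctx.createMetrics();
-this.raspMetricsCounter = new AtomicInteger(0);
 }
 }
 
@@ -433,7 +433,9 @@ public void close() {
 
 public void close(boolean requiresPostProcessing) {
 if (additive != null || derivatives != null) {
-log.warn("WAF object had not been closed (probably missed request-end event)");
+log.debug(
+LogCollector.SEND_TELEMETRY,
+"WAF object had not been closed (probably missed request-end event)");
 closeAdditive();
 derivatives = null;
 }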
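Review bot: The field comment `// set after additive is set` above the metrics fields no longer describes `raspMetricsCounter`, which is now `final` and initialised at construction. Move the field out of that comment group or give it its own comment, e.g. `// always non-null; initialised eagerly, unlike raspMetrics`. In close(boolean), the unclosed-WAF message drops from `warn` to `debug` with the `LogCollector.SEND_TELEMETRY` marker, so at default log levels it presumably no longer shows up in local logs. A one-line comment saying this is intentional and that telemetry is the reporting path would help whoever investigates a missed request-end event. The class body and both methods extend beyond the hunks.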

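--- a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/powerwaf/PowerWAFStatsReporter.java
+++ b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/powerwaf/PowerWAFStatsReporter.java
@@ -35,7 +35,10 @@ public void processTraceSegment(
 segment.setTagTop(RASP_TOTAL_DURATION_US_TAG, raspMetrics.getTotalRunTimeNs() / 1000L);
 segment.setTagTop(
 RASP_TOTAL_DDWAF_RUN_DURATION_US_TAG, raspMetrics.getTotalDdwafRunTimeNs() / 1000L);
-segment.setTagTop(RASP_RULE_EVAL, ctx.getRaspMetricsCounter().get());
+final int raspCount = ctx.getRaspMetricsCounter().get();
+if (raspCount > 0) {
+segment.setTagTop(RASP_RULE_EVAL, raspCount);
+}
 }
 
 String rulesVersion = this.rulesVersion;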
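Review bot: The `raspCount > 0` guard makes `RASP_RULE_EVAL` optional while the two RASP duration tags just above it are still written unconditionally, so a segment can carry RASP timings without an evaluation count. That looks intentional, but nothing in the code says so. Add a comment on the guard such as `// omit the tag when no RASP rule was evaluated`, and confirm that whatever consumes these tags treats a missing count as zero. The enclosing condition in processTraceSegment starts above the hunk.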

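--- a/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/config/AppSecConfigServiceImplSpecification.groovy
+++ b/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/config/AppSecConfigServiceImplSpecification.groovy
@@ -27,6 +27,7 @@ import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_HEADER_FINGERPRIN
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_IP_BLOCKING
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_NETWORK_FINGERPRINT
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_RASP_SQLI
+import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_RASP_SSRF
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_REQUEST_BLOCKING
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_TRUSTED_IPS
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_USER_BLOCKING
@@ -197,6 +198,7 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
 configurer.commit()
 
 then:
+1 * config.isAppSecRaspEnabled() >> true
 1 * config.getAppSecRulesFile() >> null
 1 * config.getAppSecActivation() >> ProductActivation.ENABLED_INACTIVE
 1 * poller.addListener(Product.ASM_FEATURES, _, _) >> {
@@ -233,6 +235,7 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
 configurer.commit()
 
 then:
+1 * config.isAppSecRaspEnabled() >> true
 1 * config.getAppSecRulesFile() >> null
 1 * config.getAppSecActivation() >> ProductActivation.ENABLED_INACTIVE
 1 * poller.addListener(Product.ASM_DD, _, _) >> {
@@ -265,6 +268,7 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
 | CAPABILITY_ASM_CUSTOM_BLOCKING_RESPONSE
 | CAPABILITY_ASM_TRUSTED_IPS
 | CAPABILITY_ASM_RASP_SQLI
+| CAPABILITY_ASM_RASP_SSRF
 | CAPABILITY_ENDPOINT_FINGERPRINT
 // | CAPABILITY_ASM_SESSION_FINGERPRINT
 | CAPABILITY_ASM_NETWORK_FINGERPRINT
@@ -382,6 +386,7 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
 configurer.commit()
 
 then:
+1 * config.isAppSecRaspEnabled() >> true
 1 * config.getAppSecRulesFile() >> null
 1 * config.getAppSecActivation() >> ProductActivation.ENABLED_INACTIVE
 1 * poller.addListener(Product.ASM_DD, _, _) >> {
@@ -414,6 +419,7 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
 | CAPABILITY_ASM_CUSTOM_BLOCKING_RESPONSE
 | CAPABILITY_ASM_TRUSTED_IPS
 | CAPABILITY_ASM_RASP_SQLI
+| CAPABILITY_ASM_RASP_SSRF
 | CAPABILITY_ENDPOINT_FINGERPRINT
 // | CAPABILITY_ASM_SESSION_FINGERPRINT
 | CAPABILITY_ASM_NETWORK_FINGERPRINT
@@ -485,6 +491,7 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
 | CAPABILITY_ASM_TRUSTED_IPS
 | CAPABILITY_ASM_API_SECURITY_SAMPLE_RATE
 | CAPABILITY_ASM_RASP_SQLI
+| CAPABILITY_ASM_RASP_SSRF
 | CAPABILITY_ASM_AUTO_USER_INSTRUM_MODE
 | CAPABILITY_ENDPOINT_FINGERPRINT
 // | CAPABILITY_ASM_SESSION_FINGERPRINT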
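Review bot: Every interaction added in this file stubs `config.isAppSecRaspEnabled() >> true`, so the new branch in subscribeConfigurationPoller() is only exercised with RASP switched on. No visible spec covers the disabled case, where `CAPABILITY_ASM_RASP_SQLI` and `CAPABILITY_ASM_RASP_SSRF` must be absent from the value passed to `addCapabilities`. A regression that advertises them unconditionally would still pass this suite. Add a feature method that stubs `1 * config.isAppSecRaspEnabled() >> false` and asserts the capability mask without those two bits. The feature methods here start and end outside the hunks.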

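--- a/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/powerwaf/PowerWAFModuleSpecification.groovy
+++ b/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/powerwaf/PowerWAFModuleSpecification.groovy
@@ -1490,6 +1490,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
 void 'fingerprint support'() {
 given:
 final flow = Mock(ChangeableFlow)
+final fingerprint = '_dd.appsec.fp.http.endpoint'
 setupWithStubConfigService 'fingerprint_config.json'
 dataListener = pwafModule.dataSubscriptions.first()
 ctx.closeAdditive()
@@ -1508,7 +1509,9 @@ class PowerWAFModuleSpecification extends DDSpecification {
 
 then:
 1 * flow.setAction({ it.blocking })
-ctx.derivativeKeys.contains('_dd.appsec.fp.http.endpoint')
+1 * ctx.reportDerivatives({ Map<String, String> map ->
+map.containsKey(fingerprint) && map.get(fingerprint).matches('http-get-.*')
+})
 }
 
 private Map<String, Object> getDefaultConfig() {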
