Merge pull request #4311 from DataDog/appsec-add-rasp-enabled-config

Add Datadog.configuration.appsec.rasp_enabled

Author: y9v

lib/datadog/appsec.rb

@@ -14,6 +14,10 @@ def enabled?
         Datadog.configuration.appsec.enabled
       end
 
+      def rasp_enabled?
+        Datadog.configuration.appsec.rasp_enabled
+      end
+
       def active_context
         Datadog::AppSec::Context.active
       end

lib/datadog/appsec/configuration/settings.rb

@@ -49,6 +49,15 @@ def self.add_settings!(base)
                 end
               end
 
+              # RASP or Runtime Application Self-Protection
+              # is a collection of techniques and heuristics aimed at detecting malicious inputs and preventing
+              # any potential side-effects on the application resulting from the use of said malicious inputs.
+              option :rasp_enabled do |o|
+                o.type :bool, nilable: true
+                o.env 'DD_APPSEC_RASP_ENABLED'
+                o.default true
+              end
+
               option :ruleset do |o|
                 o.env 'DD_APPSEC_RULES'
                 o.default :recommended

lib/datadog/appsec/contrib/active_record/instrumentation.rb

@@ -9,6 +9,8 @@ module Instrumentation
           module_function
 
           def detect_sql_injection(sql, adapter_name)
+            return unless AppSec.rasp_enabled?
+
             context = AppSec.active_context
             return unless context
 

spec/datadog/appsec/configuration/settings_spec.rb

@@ -77,6 +77,28 @@ def patcher
       end
     end
 
+    describe '#rasp_enabled' do
+      context 'when DD_APPSEC_RASP_ENABLED' do
+        around do |example|
+          ClimateControl.modify('DD_APPSEC_RASP_ENABLED' => rasp_enabled_env_var) do
+            example.run
+          end
+        end
+
+        context 'is not defined' do
+          let(:rasp_enabled_env_var) { nil }
+
+          it { expect(settings.appsec.rasp_enabled).to eq(true) }
+        end
+
+        context 'is defined' do
+          let(:rasp_enabled_env_var) { 'false' }
+
+          it { expect(settings.appsec.rasp_enabled).to eq(false) }
+        end
+      end
+    end
+
     describe '#instrument' do
       let(:registry) { {} }
       let(:integration_name) { :fake }

spec/datadog/appsec/contrib/active_record/mysql2_adapter_spec.rb

@@ -64,46 +64,70 @@
     processor.finalize
   end
 
-  it 'calls waf with correct arguments when querying using .where' do
-    expect(Datadog::AppSec.active_context).to(
-      receive(:run_rasp).with(
-        Datadog::AppSec::Ext::RASP_SQLI,
-        {},
-        {
-          'server.db.statement' => "SELECT `users`.* FROM `users` WHERE `users`.`name` = 'Bob'",
-          'server.db.system' => 'mysql2'
-        },
-        Datadog.configuration.appsec.waf_timeout
-      ).and_call_original
-    )
-
-    User.where(name: 'Bob').to_a
-  end
+  context 'when RASP is disabled' do
+    before do
+      allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(false)
+    end
 
-  it 'calls waf with correct arguments when querying using .find_by_sql' do
-    expect(Datadog::AppSec.active_context).to(
-      receive(:run_rasp).with(
-        Datadog::AppSec::Ext::RASP_SQLI,
-        {},
-        {
-          'server.db.statement' => "SELECT * FROM users WHERE name = 'Bob'",
-          'server.db.system' => 'mysql2'
-        },
-        Datadog.configuration.appsec.waf_timeout
-      ).and_call_original
-    )
-
-    User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a
+    it 'does not call waf when querying using .where' do
+      expect(Datadog::AppSec.active_context).not_to receive(:run_rasp)
+
+      User.where(name: 'Bob').to_a
+    end
+
+    it 'does not call waf when querying using .find_by_sql' do
+      expect(Datadog::AppSec.active_context).not_to receive(:run_rasp)
+
+      User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a
+    end
   end
 
-  it 'adds an event to processor context if waf result is a match' do
-    result = Datadog::AppSec::SecurityEngine::Result::Match.new(
-      events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 0, duration_ext_ns: 0
-    )
+  context 'when RASP is enabled' do
+    before do
+      allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(true)
+    end
+
+    it 'calls waf with correct arguments when querying using .where' do
+      expect(Datadog::AppSec.active_context).to(
+        receive(:run_rasp).with(
+          Datadog::AppSec::Ext::RASP_SQLI,
+          {},
+          {
+            'server.db.statement' => "SELECT `users`.* FROM `users` WHERE `users`.`name` = 'Bob'",
+            'server.db.system' => 'mysql2'
+          },
+          Datadog.configuration.appsec.waf_timeout
+        ).and_call_original
+      )
+
+      User.where(name: 'Bob').to_a
+    end
 
-    expect(Datadog::AppSec.active_context).to receive(:run_rasp).and_return(result)
-    expect(Datadog::AppSec.active_context.events).to receive(:<<).and_call_original
+    it 'calls waf with correct arguments when querying using .find_by_sql' do
+      expect(Datadog::AppSec.active_context).to(
+        receive(:run_rasp).with(
+          Datadog::AppSec::Ext::RASP_SQLI,
+          {},
+          {
+            'server.db.statement' => "SELECT * FROM users WHERE name = 'Bob'",
+            'server.db.system' => 'mysql2'
+          },
+          Datadog.configuration.appsec.waf_timeout
+        ).and_call_original
+      )
+
+      User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a
+    end
 
-    User.where(name: 'Bob').to_a
+    it 'adds an event to processor context if waf result is a match' do
+      result = Datadog::AppSec::SecurityEngine::Result::Match.new(
+        events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 0, duration_ext_ns: 0
+      )
+
+      expect(Datadog::AppSec.active_context).to receive(:run_rasp).and_return(result)
+      expect(Datadog::AppSec.active_context.events).to receive(:<<).and_call_original
+
+      User.where(name: 'Bob').to_a
+    end
   end
 end

spec/datadog/appsec/contrib/active_record/postgresql_adapter_spec.rb

@@ -65,52 +65,76 @@
     processor.finalize
   end
 
-  it 'calls waf with correct arguments when querying using .where' do
-    expected_db_statement = if PlatformHelpers.jruby?
-                              'SELECT "users".* FROM "users" WHERE "users"."name" = ?'
-                            else
-                              'SELECT "users".* FROM "users" WHERE "users"."name" = $1'
-                            end
-
-    expect(Datadog::AppSec.active_context).to(
-      receive(:run_rasp).with(
-        Datadog::AppSec::Ext::RASP_SQLI,
-        {},
-        {
-          'server.db.statement' => expected_db_statement,
-          'server.db.system' => 'postgresql'
-        },
-        Datadog.configuration.appsec.waf_timeout
-      ).and_call_original
-    )
-
-    User.where(name: 'Bob').to_a
-  end
+  context 'when RASP is disabled' do
+    before do
+      allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(false)
+    end
 
-  it 'calls waf with correct arguments when querying using .find_by_sql' do
-    expect(Datadog::AppSec.active_context).to(
-      receive(:run_rasp).with(
-        Datadog::AppSec::Ext::RASP_SQLI,
-        {},
-        {
-          'server.db.statement' => "SELECT * FROM users WHERE name = 'Bob'",
-          'server.db.system' => 'postgresql'
-        },
-        Datadog.configuration.appsec.waf_timeout
-      ).and_call_original
-    )
-
-    User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a
+    it 'does not call waf when querying using .where' do
+      expect(Datadog::AppSec.active_context).not_to receive(:run_rasp)
+
+      User.where(name: 'Bob').to_a
+    end
+
+    it 'does not call waf when querying using .find_by_sql' do
+      expect(Datadog::AppSec.active_context).not_to receive(:run_rasp)
+
+      User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a
+    end
   end
 
-  it 'adds an event to processor context if waf result is a match' do
-    result = Datadog::AppSec::SecurityEngine::Result::Match.new(
-      events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 0, duration_ext_ns: 0
-    )
+  context 'when RASP is enabled' do
+    before do
+      allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(true)
+    end
+
+    it 'calls waf with correct arguments when querying using .where' do
+      expected_db_statement = if PlatformHelpers.jruby?
+                                'SELECT "users".* FROM "users" WHERE "users"."name" = ?'
+                              else
+                                'SELECT "users".* FROM "users" WHERE "users"."name" = $1'
+                              end
+
+      expect(Datadog::AppSec.active_context).to(
+        receive(:run_rasp).with(
+          Datadog::AppSec::Ext::RASP_SQLI,
+          {},
+          {
+            'server.db.statement' => expected_db_statement,
+            'server.db.system' => 'postgresql'
+          },
+          Datadog.configuration.appsec.waf_timeout
+        ).and_call_original
+      )
+
+      User.where(name: 'Bob').to_a
+    end
 
-    expect(Datadog::AppSec.active_context).to receive(:run_rasp).and_return(result)
-    expect(Datadog::AppSec.active_context.events).to receive(:<<).and_call_original
+    it 'calls waf with correct arguments when querying using .find_by_sql' do
+      expect(Datadog::AppSec.active_context).to(
+        receive(:run_rasp).with(
+          Datadog::AppSec::Ext::RASP_SQLI,
+          {},
+          {
+            'server.db.statement' => "SELECT * FROM users WHERE name = 'Bob'",
+            'server.db.system' => 'postgresql'
+          },
+          Datadog.configuration.appsec.waf_timeout
+        ).and_call_original
+      )
+
+      User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a
+    end
 
-    User.where(name: 'Bob').to_a
+    it 'adds an event to processor context if waf result is a match' do
+      result = Datadog::AppSec::SecurityEngine::Result::Match.new(
+        events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 0, duration_ext_ns: 0
+      )
+
+      expect(Datadog::AppSec.active_context).to receive(:run_rasp).and_return(result)
+      expect(Datadog::AppSec.active_context.events).to receive(:<<).and_call_original
+
+      User.where(name: 'Bob').to_a
+    end
   end
 end

spec/datadog/appsec/contrib/active_record/sqlite3_adapter_spec.rb

@@ -58,46 +58,70 @@
     processor.finalize
   end
 
-  it 'calls waf with correct arguments when querying using .where' do
-    expect(Datadog::AppSec.active_context).to(
-      receive(:run_rasp).with(
-        Datadog::AppSec::Ext::RASP_SQLI,
-        {},
-        {
-          'server.db.statement' => 'SELECT "users".* FROM "users" WHERE "users"."name" = ?',
-          'server.db.system' => 'sqlite'
-        },
-        Datadog.configuration.appsec.waf_timeout
-      ).and_call_original
-    )
-
-    User.where(name: 'Bob').to_a
-  end
+  context 'when RASP is disabled' do
+    before do
+      allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(false)
+    end
 
-  it 'calls waf with correct arguments when querying using .find_by_sql' do
-    expect(Datadog::AppSec.active_context).to(
-      receive(:run_rasp).with(
-        Datadog::AppSec::Ext::RASP_SQLI,
-        {},
-        {
-          'server.db.statement' => "SELECT * FROM users WHERE name = 'Bob'",
-          'server.db.system' => 'sqlite'
-        },
-        Datadog.configuration.appsec.waf_timeout
-      ).and_call_original
-    )
-
-    User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a
+    it 'does not call waf when querying using .where' do
+      expect(Datadog::AppSec.active_context).not_to receive(:run_rasp)
+
+      User.where(name: 'Bob').to_a
+    end
+
+    it 'does not call waf when querying using .find_by_sql' do
+      expect(Datadog::AppSec.active_context).not_to receive(:run_rasp)
+
+      User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a
+    end
   end
 
-  it 'adds an event to processor context if waf result is a match' do
-    result = Datadog::AppSec::SecurityEngine::Result::Match.new(
-      events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 0, duration_ext_ns: 0
-    )
+  context 'when RASP is enabled' do
+    before do
+      allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(true)
+    end
+
+    it 'calls waf with correct arguments when querying using .where' do
+      expect(Datadog::AppSec.active_context).to(
+        receive(:run_rasp).with(
+          Datadog::AppSec::Ext::RASP_SQLI,
+          {},
+          {
+            'server.db.statement' => 'SELECT "users".* FROM "users" WHERE "users"."name" = ?',
+            'server.db.system' => 'sqlite'
+          },
+          Datadog.configuration.appsec.waf_timeout
+        ).and_call_original
+      )
+
+      User.where(name: 'Bob').to_a
+    end
 
-    expect(Datadog::AppSec.active_context).to receive(:run_rasp).and_return(result)
-    expect(Datadog::AppSec.active_context.events).to receive(:<<).and_call_original
+    it 'calls waf with correct arguments when querying using .find_by_sql' do
+      expect(Datadog::AppSec.active_context).to(
+        receive(:run_rasp).with(
+          Datadog::AppSec::Ext::RASP_SQLI,
+          {},
+          {
+            'server.db.statement' => "SELECT * FROM users WHERE name = 'Bob'",
+            'server.db.system' => 'sqlite'
+          },
+          Datadog.configuration.appsec.waf_timeout
+        ).and_call_original
+      )
+
+      User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a
+    end
 
-    User.where(name: 'Bob').to_a
+    it 'adds an event to processor context if waf result is a match' do
+      result = Datadog::AppSec::SecurityEngine::Result::Match.new(
+        events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 0, duration_ext_ns: 0
+      )
+
+      expect(Datadog::AppSec.active_context).to receive(:run_rasp).and_return(result)
+      expect(Datadog::AppSec.active_context.events).to receive(:<<).and_call_original
+
+      User.where(name: 'Bob').to_a
+    end
   end
 end