Rework stacktrace collection architecture

Author: vpellan

lib/datadog/appsec/actions_handler.rb

@@ -19,8 +19,44 @@ def interrupt_execution(action_params)
         throw(Datadog::AppSec::Ext::INTERRUPT, action_params)
       end
 
+      # We should change the name of this method as we also add the stack trace to the trace/span
       def generate_stack(action_params)
-        AppSec::StackTrace.add_stack_trace(action_params) if Datadog.configuration.appsec.stack_trace.enabled
+        if Datadog.configuration.appsec.stack_trace.enabled
+          context = AppSec::Context.active
+          # We use methods defined in Tracing::Metadata::Tagging,
+          # which means we can work on both the trace and the service entry span
+          service_entry_operation = context && (context.trace || context.span)
+
+          unless service_entry_operation
+            Datadog.logger.debug { 'Cannot find trace or service entry span to add stack trace' }
+            return
+          end
+
+          stack_frames = caller_locations || []
+          # caller_locations without params always returns an array but rbs still thinks it can be nil
+          stack_frames.reject! { |loc| loc.path && loc.path.include?('lib/datadog') }
+
+          collected_stack_frames = AppSec::StackTrace::Collection.new(stack_frames)
+
+          # ASCII-8BIT is encoded as byte array and backend cannot decode it properly so we enforce UTF-8 on stack_id.
+          # We must copy it as it can be frozen.
+          utf8_stack_id = action_params['stack_id'] && action_params['stack_id'].encode('UTF-8')
+          stack_trace = AppSec::StackTrace::Representation.new(utf8_stack_id, collected_stack_frames)
+
+          # Add stack trace to trace or service entry span by modifying meta_struct['_dd.stack']
+          service_entry_operation.modify_meta_struct_tag(AppSec::Ext::TAG_STACK_TRACE) do |stack_trace_categories|
+            # _dd.stack is a hash of stack traces (Hash<String, Array<StackTrace>>)
+            stack_trace_categories ||= {}
+            exploit_stack_traces = (stack_trace_categories[AppSec::Ext::EXPLOIT_PREVENTION_EVENT_CATEGORY] ||= [])
+            # We only keep the first 'max_collect' stack traces
+            # In practice we should also check the vulnerability category size, but we don't have IAST in Ruby
+            if Datadog.configuration.appsec.stack_trace.max_collect == 0 ||
+                exploit_stack_traces.size < Datadog.configuration.appsec.stack_trace.max_collect
+              exploit_stack_traces << stack_trace
+            end
+            stack_trace_categories
+          end
+        end
       end
 
       def generate_schema(_action_params); end

lib/datadog/appsec/stack_trace.rb

@@ -4,117 +4,62 @@
 
 module Datadog
   module AppSec
-    # Stack trace
-    class StackTrace
-      attr_reader :id, :message, :frames
-
-      def initialize(id, stack_trace, message: nil)
-        # ASCII-8BIT is encoded as byte array and backend cannot decode it properly
-        # so we enforce UTF-8 on strings
-        # We must copy them as they can be frozen
-        @id = id && id.encode('UTF-8')
-        @message = message && message.encode('UTF-8')
-        @frames = if stack_trace
-                    top_frames = if Datadog.configuration.appsec.stack_trace.max_depth == 0
-                                   stack_trace.size
-                                 else
-                                   (Datadog.configuration.appsec.stack_trace.max_depth *
-                                    Datadog.configuration.appsec.stack_trace.max_depth_top_percent / 100.0).round
-                                 end
-                    bottom_frames = Datadog.configuration.appsec.stack_trace.max_depth - top_frames
-                    cropped_stack_trace = []
-                    stack_trace.each_with_index do |frame, index|
-                      next if index >= top_frames && index < stack_trace.size - bottom_frames
-
-                      cropped_stack_trace << Frame.new(
-                        # We must keep the original stack trace index, to show that it was cropped
-                        index,
-                        text: frame.to_s,
-                        # path will show 'main' instead of the actual file
-                        # but absolute_path does not work for e.g. <internal:kernel>
-                        file: frame.absolute_path || frame.path,
-                        line: frame.lineno,
-                        # label will show 'block in function' instead of just 'function'
-                        function: frame.label
-                      )
-                    end
-                    cropped_stack_trace
-                  else
-                    []
-                  end
-      end
-
-      def to_h
-        @to_h ||= {
-          language: 'ruby',
-          id: @id,
-          message: @message,
-          frames: @frames.map(&:to_h)
-        }
-      end
-
-      def to_msgpack(packer = nil)
-        packer ||= MessagePack::Packer.new
-
-        packer.write_map_header(4)
-        packer.write('language')
-        packer.write('ruby')
-        packer.write('id')
-        packer.write(@id)
-        packer.write('message')
-        packer.write(@message)
-        packer.write('frames')
-        packer.write(@frames)
-        packer
-      end
-
-      def pretty_print(q)
-        q.text to_s
-      end
-
-      class << self
-        # Add the stack trace to the trace
-        def add_stack_trace(action_params)
-          # As ActionsHandler is only called when there is a context, we shouldn't need to check if it exists
-          context = AppSec::Context.active
-          # We use methods defined in Tracing::Metadata::Tagging,
-          # which means we can work on both the trace and the service entry span
-          service_entry_operation = context.trace || context.span
-
-          unless service_entry_operation
-            Datadog.logger.debug { 'Cannot find trace or service entry span to add stack trace' }
-            return
+    module StackTrace
+      # Stack trace collection class, including Enumerable (iterates on cropped frames array)
+      class Collection
+        include Enumerable
+
+        def initialize(frames)
+          max_depth = Datadog.configuration.appsec.stack_trace.max_depth
+          # 0 means no limit, setting the top_frames limit to the size of the stack trace
+          # will ensure that we keep all the frames.
+          # If not set to 0, "max_depth_top_percent" % of the max_depth value
+          # corresponds to the number of top frames we want to keep.
+          top_frames = if max_depth == 0
+                         frames.size
+                       else
+                         (max_depth * Datadog.configuration.appsec.stack_trace.max_depth_top_percent / 100.0).round
+                       end
+          bottom_frames = max_depth - top_frames
+          cropped_frames = []
+          frames.each_with_index do |frame, index|
+            next if index >= top_frames && index < frames.size - bottom_frames
+
+            # ASCII-8BIT is encoded as byte array and backend cannot decode it properly
+            # so we enforce UTF-8 on strings.
+            # We must copy them as they can be frozen
+            cropped_frames << Frame.new(
+              # We must keep the original stack trace index, to show that it was cropped
+              index,
+              text: frame.to_s && frame.to_s.encode('UTF-8'),
+              # path will show 'main' instead of the actual file
+              # but absolute_path does not work for e.g. <internal:kernel>
+              file: (frame.absolute_path || frame.path) && (frame.absolute_path || frame.path).encode('UTF-8'),
+              line: frame.lineno,
+              # label will show 'block in function' instead of just 'function'
+              function: frame.label && frame.label.encode('UTF-8')
+            )
           end
+          @frames = cropped_frames
+        end
 
-          stack_trace = from_waf_result(action_params)
-
-          service_entry_operation.modify_meta_struct_tag(AppSec::Ext::TAG_STACK_TRACE) do |stack_traces|
-            # _dd.stack is a hash of stack traces (Hash<String, Array<StackTrace>>)
-            stack_traces ||= {}
-            exploit_stack_traces = (stack_traces[AppSec::Ext::EXPLOIT_PREVENTION_EVENT_CATEGORY] ||= [])
-            # We only keep the first 'max_collect' stack traces
-            # In practice we should also check the vulnerability category size, but we don't have IAST in Ruby
-            if Datadog.configuration.appsec.stack_trace.max_collect == 0 ||
-                exploit_stack_traces.size < Datadog.configuration.appsec.stack_trace.max_collect
-              exploit_stack_traces << stack_trace
-            end
-            stack_traces
-          end
+        def each(&block)
+          @frames.each(&block)
         end
 
-        private
+        def to_msgpack(packer = nil)
+          packer ||= MessagePack::Packer.new
 
-        # Create a stack trace from the result of WAF execution
-        def from_waf_result(action_params)
-          stack_frames = caller_locations || []
-          # caller_locations without params always returns an array but rbs still thinks it can be nil
-          stack_frames.reject! { |loc| loc.path && loc.path.include?('lib/datadog') }
-          stack_trace_id = action_params['stack_id']
-          AppSec::StackTrace.new(stack_trace_id, stack_frames)
+          packer.write_array_header(@frames.size)
+          @frames.each do |frame|
+            packer.write(frame)
+          end
+          packer
         end
       end
 
-      # Stack frame
+      # Stack frame.
+      # We cannot use Struct as we need to encode it to MessagePack, and Struct does not provide a 'to_msgpack' method.
       class Frame
         attr_reader :id, :text, :file, :line, :function
 
@@ -123,10 +68,10 @@ class Frame
         # We must copy them as they can be frozen
         def initialize(id, text: nil, file: nil, line: nil, function: nil)
           @id = id
-          @text = text && text.encode('UTF-8')
-          @file = file && file.encode('UTF-8')
+          @text = text
+          @file = file
           @line = line
-          @function = function && function.encode('UTF-8')
+          @function = function
         end
 
         def to_h
@@ -156,6 +101,45 @@ def to_msgpack(packer = nil)
           packer
         end
       end
+
+      # Stack trace representation.
+      class Representation
+        attr_reader :id, :message, :stack_trace
+
+        def initialize(id, stack_trace, message: nil)
+          @id = id
+          @message = message
+          @stack_trace = stack_trace
+        end
+
+        def to_h
+          @to_h ||= {
+            language: 'ruby',
+            id: @id,
+            message: @message,
+            frames: @stack_trace.map(&:to_h)
+          }
+        end
+
+        def to_msgpack(packer = nil)
+          packer ||= MessagePack::Packer.new
+
+          packer.write_map_header(4)
+          packer.write('language')
+          packer.write('ruby')
+          packer.write('id')
+          packer.write(@id)
+          packer.write('message')
+          packer.write(@message)
+          packer.write('frames')
+          packer.write(@stack_trace)
+          packer
+        end
+
+        def pretty_print(q)
+          q.text to_s
+        end
+      end
     end
   end
 end