Module: Datadog::AppSec::Contrib::ActiveRecord::Instrumentation

Defined in:
lib/datadog/appsec/contrib/active_record/instrumentation.rb

Overview

AppSec module that will be prepended to ActiveRecord adapter

Defined Under Namespace

Modules: ExecQueryAdapterPatch, ExecuteAndClearAdapterPatch, InternalExecQueryAdapterPatch, Rails4ExecQueryAdapterPatch, Rails4ExecuteAndClearAdapterPatch

Class Method Summary collapse

Class Method Details

.detect_sql_injection(sql, adapter_name) ⇒ Object 



11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
 
# File 'lib/datadog/appsec/contrib/active_record/instrumentation.rb', line 11

def detect_sql_injection(sql, adapter_name)
  return unless AppSec.rasp_enabled?

  context = AppSec.active_context
  return unless context

  # libddwaf expects db system to be lowercase,
  # in case of sqlite adapter, libddwaf expects 'sqlite' as db system
  db_system = adapter_name.downcase
  db_system = 'sqlite' if db_system == 'sqlite3'

  ephemeral_data = {
    'server.db.statement' => sql,
    'server.db.system' => db_system
  }

  waf_timeout = Datadog.configuration.appsec.waf_timeout
  result = context.run_rasp(Ext::RASP_SQLI, {}, ephemeral_data, waf_timeout)

  if result.match?
    Datadog::AppSec::Event.tag_and_keep!(context, result)

    event = {
      waf_result: result,
      trace: context.trace,
      span: context.span,
      sql: sql,
      actions: result.actions
    }
    context.events << event

    ActionsHandler.handle(result.actions)
  end
end