Module: Datadog::AppSec::Event

Defined in:
lib/datadog/appsec/event.rb

Overview

AppSec event: records WAF security events as tags on the service entry span and marks the owning trace to be kept.

Constant Summary

# Prefix of WAF schema derivatives. Derivatives carrying this prefix are
# compressed and size-capped before becoming span tags; every other
# derivative is attached verbatim.
DERIVATIVE_SCHEMA_KEY_PREFIX = '_dd.appsec.s.'

# A compressed schema derivative whose String#size reaches this value is
# dropped instead of being attached to the span.
DERIVATIVE_SCHEMA_MAX_COMPRESSED_SIZE = 25_000

# Request headers that may be copied onto the service entry span, stored
# lower-cased so matching is case-insensitive. This list is the boundary
# that keeps credential-bearing headers (Cookie, Authorization, ...) out of
# traces: a header name not listed here is never recorded.
ALLOWED_REQUEST_HEADERS = [
  # proxy / client-address headers
  'X-Forwarded-For',
  'X-Client-IP',
  'X-Real-IP',
  'X-Forwarded',
  'X-Cluster-Client-IP',
  'Forwarded-For',
  'Forwarded',
  'Via',
  'True-Client-IP',
  # entity headers
  'Content-Length',
  'Content-Type',
  'Content-Encoding',
  'Content-Language',
  # request metadata
  'Host',
  'User-Agent',
  'Accept',
  'Accept-Encoding',
  'Accept-Language'
].map(&:downcase).freeze

# Response headers that may be copied onto the span; same lower-casing rule.
ALLOWED_RESPONSE_HEADERS = [
  'Content-Length',
  'Content-Type',
  'Content-Encoding',
  'Content-Language'
].map(&:downcase).freeze

Class Method Summary

Class Method Details

.build_service_entry_tags(event_group) ⇒ Object


# File 'lib/datadog/appsec/event.rb', line 78

def (event_group)
  waf_events = []
   = event_group.each_with_object({ '_dd.origin' => 'appsec' }) do |event, tags|
    # TODO: assume HTTP request context for now
    if (request = event[:request])
      request.headers.each do |header, value|
        tags["http.request.headers.#{header}"] = value if ALLOWED_REQUEST_HEADERS.include?(header.downcase)
      end

      tags['http.host'] = request.host
      tags['http.useragent'] = request.user_agent
      tags['network.client.ip'] = request.remote_addr
    end

    if (response = event[:response])
      response.headers.each do |header, value|
        tags["http.response.headers.#{header}"] = value if ALLOWED_RESPONSE_HEADERS.include?(header.downcase)
      end
    end

    waf_result = event[:waf_result]
    # accumulate triggers
    waf_events += waf_result.events

    waf_result.derivatives.each do |key, value|
      next tags[key] = value unless key.start_with?(DERIVATIVE_SCHEMA_KEY_PREFIX)

      value = CompressedJson.dump(value)
      next if value.nil?

      if value.size >= DERIVATIVE_SCHEMA_MAX_COMPRESSED_SIZE
        Datadog.logger.debug { "AppSec: Schema key '#{key}' will not be included into span tags due to it's size" }
        next
      end

      tags[key] = value
    end

    tags
  end

  appsec_events = json_parse({ triggers: waf_events })
  ['_dd.appsec.json'] = appsec_events if appsec_events
  
end

.record(span, *events) ⇒ Object


# File 'lib/datadog/appsec/event.rb', line 46

# Records security events onto the given span, subject to the thread-local
# rate limiter.
#
# @param span [Object, nil] service entry span receiving the tags
# @param events [Array<Hash>] events to record; nothing happens when empty
# @return [nil] when there is no span or no events
def record(span, *events)
  # Both guards sit before the limiter so that an empty batch never consumes
  # rate budget.
  return if span.nil?
  return if events.empty?

  Datadog::AppSec::RateLimiter.thread_local.limit { record_via_span(span, *events) }
end

.record_via_span(span, *events) ⇒ Object


# File 'lib/datadog/appsec/event.rb', line 55

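# Groups events by trace, marks each trace as kept with an ASM sampling
# decision, and applies the folded tags to the service entry span.
#
# @param span [Object] service entry span that receives every tag
# @param events [Array<Hash>] events carrying a :trace key; events with no
#   trace are logged at debug level and dropped
# @return [Hash] the events grouped by trace (value of the each loop)
def record_via_span(span, *events)
  events.group_by { |e| e[:trace] }.each do |trace, event_group|
    unless trace
      # Without a trace there is nothing to keep or tag; the events are dropped.
      Datadog.logger.debug { "{ error: 'no trace: cannot record', event_group: #{event_group.inspect}}" }
      next
    end

    # A trace that carries a security event must survive sampling; the
    # decision maker tag records that ASM forced the keep.
    trace.keep!
    trace.set_tag(
      Datadog::Tracing::Metadata::Ext::Distributed::TAG_DECISION_MAKER,
      Datadog::Tracing::Sampling::Ext::Decision::ASM
    )

    # prepare and gather tags to apply
    entry_tags = build_service_entry_tags(event_group)

    # apply tags to service entry span
    entry_tags.each do |key, value|
      span.set_tag(key, value)
    end
  end
end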

.tag_and_keep!(context, waf_result) ⇒ Object


# File 'lib/datadog/appsec/event.rb', line 124

# Marks the current context as carrying a security event: keeps the trace,
# tags the span and propagates the distributed tags.
#
# @param context [Object] exposes #trace and #span, either of which may be nil
# @param waf_result [Object] exposes #actions, a hash keyed by action name
# @return [Object] whatever add_distributed_tags returns
def tag_and_keep!(context, waf_result)
  trace = context.trace
  span = context.span

  # A trace with a security event must survive sampling.
  trace.keep! if trace

  if span
    # 'appsec.blocked' records that the WAF asked for a blocking action; it
    # does not by itself prove the response was actually blocked.
    blocking = %w[block_request redirect_request].any? { |action| waf_result.actions.key?(action) }
    span.set_tag('appsec.blocked', 'true') if blocking

    span.set_tag('appsec.event', 'true')
  end

  add_distributed_tags(trace)
end