Module: Datadog::AppSec::Contrib::ActiveRecord::Instrumentation

Defined in:
lib/datadog/appsec/contrib/active_record/instrumentation.rb

Overview

AppSec module that will be prepended to the ActiveRecord adapter.

Defined Under Namespace

Modules: ExecQueryAdapterPatch, ExecuteAndClearAdapterPatch, InternalExecQueryAdapterPatch, Rails4ExecQueryAdapterPatch, Rails4ExecuteAndClearAdapterPatch

Class Method Summary

Class Method Details

.detect_sql_injection(sql, adapter_name) ⇒ Object



# File 'lib/datadog/appsec/contrib/active_record/instrumentation.rb', line 14

# Runs the RASP SQL-injection rule against a SQL statement that is about to be
# executed, and records and acts on a match.
#
# Does nothing (returns nil) when RASP is disabled or when there is no active
# AppSec context.
#
# NOTE(review): the complete statement text is handed to the WAF as-is, so any
# literal values embedded in the SQL travel with it; confirm how matched input
# is reported downstream if statements can carry sensitive data.
#
# @param sql [String] statement text, forwarded unchanged as 'server.db.statement'
# @param adapter_name [String] ActiveRecord adapter name; must respond to
#   +downcase+ (a nil adapter name raises NoMethodError here)
# @return [Object, nil] whatever AppSec::ActionsHandler.handle returns on a
#   match, nil otherwise
def detect_sql_injection(sql, adapter_name)
  return unless AppSec.rasp_enabled?

  active = AppSec.active_context
  return unless active

  # libddwaf wants the db system in lowercase, and wants the sqlite3 adapter
  # reported as plain 'sqlite'.
  lowered = adapter_name.downcase
  db_system = lowered == 'sqlite3' ? 'sqlite' : lowered

  # Passed in the ephemeral-data position of run_rasp; the persistent-data
  # position (second argument) is deliberately left empty.
  rasp_input = { 'server.db.statement' => sql, 'server.db.system' => db_system }

  timeout = Datadog.configuration.appsec.waf_timeout
  outcome = active.run_rasp(Ext::RASP_SQLI, {}, rasp_input, timeout)
  return unless outcome.match?

  # Order matters: tag the trace first, then record the event, then let the
  # actions handler act on the WAF verdict.
  AppSec::Event.tag_and_keep!(active, outcome)
  active.events.push(
    AppSec::SecurityEvent.new(outcome, trace: active.trace, span: active.span)
  )

  # NOTE(review): presumably this is where a blocking action interrupts the
  # request — confirm against ActionsHandler.
  AppSec::ActionsHandler.handle(outcome.actions)
end