Disable ActiveRecord instrumentation when RASP is disabled

DataDog · Jan 22, 2025 · d4793b5 · d4793b5
1 parent 27144e5
commit d4793b5
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 0 deletions.
diff --git a/lib/datadog/appsec/contrib/active_record/instrumentation.rb b/lib/datadog/appsec/contrib/active_record/instrumentation.rb
@@ -9,6 +9,8 @@ module Instrumentation
           module_function
 
           def detect_sql_injection(sql, adapter_name)
+            return unless AppSec.rasp_enabled?
+
             context = AppSec.active_context
             return unless context
 

diff --git a/spec/datadog/appsec/contrib/active_record/mysql2_adapter_spec.rb b/spec/datadog/appsec/contrib/active_record/mysql2_adapter_spec.rb
@@ -16,6 +16,7 @@
   let(:ruleset) { Datadog::AppSec::Processor::RuleLoader.load_rules(ruleset: :recommended, telemetry: telemetry) }
   let(:processor) { Datadog::AppSec::Processor.new(ruleset: ruleset, telemetry: telemetry) }
   let(:context) { Datadog::AppSec::Context.new(trace, span, processor) }
+  let(:rasp_enabled) { true }
 
   let(:span) { Datadog::Tracing::SpanOperation.new('root') }
   let(:trace) { Datadog::Tracing::TraceOperation.new }
@@ -54,6 +55,8 @@
 
     Datadog::AppSec::Context.activate(context)
 
+    allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(rasp_enabled)
+
     raise_on_rails_deprecation!
   end
 
@@ -64,6 +67,22 @@
     processor.finalize
   end
 
+  context 'when RASP is disabled' do
+    let(:rasp_enabled) { false }
+
+    it 'does not call waf when querying using .where' do
+      expect(Datadog::AppSec.active_context).not_to receive(:run_rasp)
+
+      User.where(name: 'Bob').to_a
+    end
+
+    it 'does not call waf when querying using .find_by_sql' do
+      expect(Datadog::AppSec.active_context).not_to receive(:run_rasp)
+
+      User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a
+    end
+  end
+
   it 'calls waf with correct arguments when querying using .where' do
     expect(Datadog::AppSec.active_context).to(
       receive(:run_rasp).with(

diff --git a/spec/datadog/appsec/contrib/active_record/postgresql_adapter_spec.rb b/spec/datadog/appsec/contrib/active_record/postgresql_adapter_spec.rb
@@ -16,6 +16,7 @@
   let(:ruleset) { Datadog::AppSec::Processor::RuleLoader.load_rules(ruleset: :recommended, telemetry: telemetry) }
   let(:processor) { Datadog::AppSec::Processor.new(ruleset: ruleset, telemetry: telemetry) }
   let(:context) { Datadog::AppSec::Context.new(trace, span, processor) }
+  let(:rasp_enabled) { true }
 
   let(:span) { Datadog::Tracing::SpanOperation.new('root') }
   let(:trace) { Datadog::Tracing::TraceOperation.new }
@@ -55,6 +56,8 @@
 
     Datadog::AppSec::Context.activate(context)
 
+    allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(rasp_enabled)
+
     raise_on_rails_deprecation!
   end
 
@@ -65,6 +68,22 @@
     processor.finalize
   end
 
+  context 'when RASP is disabled' do
+    let(:rasp_enabled) { false }
+
+    it 'does not call waf when querying using .where' do
+      expect(Datadog::AppSec.active_context).not_to receive(:run_rasp)
+
+      User.where(name: 'Bob').to_a
+    end
+
+    it 'does not call waf when querying using .find_by_sql' do
+      expect(Datadog::AppSec.active_context).not_to receive(:run_rasp)
+
+      User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a
+    end
+  end
+
   it 'calls waf with correct arguments when querying using .where' do
     expected_db_statement = if PlatformHelpers.jruby?
                               'SELECT "users".* FROM "users" WHERE "users"."name" = ?'

diff --git a/spec/datadog/appsec/contrib/active_record/sqlite3_adapter_spec.rb b/spec/datadog/appsec/contrib/active_record/sqlite3_adapter_spec.rb
@@ -16,6 +16,7 @@
   let(:ruleset) { Datadog::AppSec::Processor::RuleLoader.load_rules(ruleset: :recommended, telemetry: telemetry) }
   let(:processor) { Datadog::AppSec::Processor.new(ruleset: ruleset, telemetry: telemetry) }
   let(:context) { Datadog::AppSec::Context.new(trace, span, processor) }
+  let(:rasp_enabled) { true }
 
   let(:span) { Datadog::Tracing::SpanOperation.new('root') }
   let(:trace) { Datadog::Tracing::TraceOperation.new }
@@ -48,6 +49,8 @@
 
     Datadog::AppSec::Context.activate(context)
 
+    allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(rasp_enabled)
+
     raise_on_rails_deprecation!
   end
 
@@ -58,6 +61,22 @@
     processor.finalize
   end
 
+  context 'when RASP is disabled' do
+    let(:rasp_enabled) { false }
+
+    it 'does not call waf when querying using .where' do
+      expect(Datadog::AppSec.active_context).not_to receive(:run_rasp)
+
+      User.where(name: 'Bob').to_a
+    end
+
+    it 'does not call waf when querying using .find_by_sql' do
+      expect(Datadog::AppSec.active_context).not_to receive(:run_rasp)
+
+      User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a
+    end
+  end
+
   it 'calls waf with correct arguments when querying using .where' do
     expect(Datadog::AppSec.active_context).to(
       receive(:run_rasp).with(