From d4793b574ebb9cadbc23b6dd04a20a9f97be29c1 Mon Sep 17 00:00:00 2001
From: Yury Lebedev
Date: Wed, 22 Jan 2025 16:33:58 +0100
Subject: [PATCH] Disable ActiveRecord instrumentation when RASP is disabled

---
 .../contrib/active_record/instrumentation.rb | 2 ++
 .../active_record/mysql2_adapter_spec.rb | 19 +++++++++++++++++++
 .../active_record/postgresql_adapter_spec.rb | 19 +++++++++++++++++++
 .../active_record/sqlite3_adapter_spec.rb | 19 +++++++++++++++++++
 4 files changed, 59 insertions(+)

diff --git a/lib/datadog/appsec/contrib/active_record/instrumentation.rb b/lib/datadog/appsec/contrib/active_record/instrumentation.rb
index aa0cfcf3236..3e77de6dfca 100644
--- a/lib/datadog/appsec/contrib/active_record/instrumentation.rb
+++ b/lib/datadog/appsec/contrib/active_record/instrumentation.rb
@@ -9,6 +9,8 @@ module Instrumentation
 module_function
 def detect_sql_injection(sql, adapter_name)
+ return unless AppSec.rasp_enabled?
+
 context = AppSec.active_context
 return unless context
diff --git a/spec/datadog/appsec/contrib/active_record/mysql2_adapter_spec.rb b/spec/datadog/appsec/contrib/active_record/mysql2_adapter_spec.rb
index 72b73b22162..cb50e1c19c8 100644
--- a/spec/datadog/appsec/contrib/active_record/mysql2_adapter_spec.rb
+++ b/spec/datadog/appsec/contrib/active_record/mysql2_adapter_spec.rb
@@ -16,6 +16,7 @@
 let(:ruleset) { Datadog::AppSec::Processor::RuleLoader.load_rules(ruleset: :recommended, telemetry: telemetry) }
 let(:processor) { Datadog::AppSec::Processor.new(ruleset: ruleset, telemetry: telemetry) }
 let(:context) { Datadog::AppSec::Context.new(trace, span, processor) }
+ let(:rasp_enabled) { true }
 let(:span) { Datadog::Tracing::SpanOperation.new('root') }
 let(:trace) { Datadog::Tracing::TraceOperation.new }
@@ -54,6 +55,8 @@
 Datadog::AppSec::Context.activate(context)
+ allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(rasp_enabled)
+
 raise_on_rails_deprecation!
 end
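Review bot: The new `return unless AppSec.rasp_enabled?` guard at the top of `detect_sql_injection` (instrumentation.rb hunk) has no comment saying why it sits ahead of `AppSec.active_context`, and it does not match the commit title: the adapter patch stays installed and the method is still entered for every statement, so what is disabled is the SQL injection check, not the instrumentation. A one-line comment would make both the intent and the ordering explicit, e.g. `# RASP can be switched off independently of AppSec; bail out before touching the context so a disabled deployment does no per-statement WAF work.` It also seems worth recording whether `rasp_enabled?` is meant to reflect runtime configuration changes, since it is consulted on every call rather than once at patch time. The body of `detect_sql_injection` continues past the end of the hunk.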
@@ -64,6 +67,22 @@
 processor.finalize
 end
+ context 'when RASP is disabled' do
+ let(:rasp_enabled) { false }
+
+ it 'does not call waf when querying using .where' do
+ expect(Datadog::AppSec.active_context).not_to receive(:run_rasp)
+
+ User.where(name: 'Bob').to_a
+ end
+
+ it 'does not call waf when querying using .find_by_sql' do
+ expect(Datadog::AppSec.active_context).not_to receive(:run_rasp)
+
+ User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a
+ end
+ end
+
 it 'calls waf with correct arguments when querying using .where' do
 expect(Datadog::AppSec.active_context).to(
 receive(:run_rasp).with(
diff --git a/spec/datadog/appsec/contrib/active_record/postgresql_adapter_spec.rb b/spec/datadog/appsec/contrib/active_record/postgresql_adapter_spec.rb
index 2ea1825d279..7b266acbb1a 100644
--- a/spec/datadog/appsec/contrib/active_record/postgresql_adapter_spec.rb
+++ b/spec/datadog/appsec/contrib/active_record/postgresql_adapter_spec.rb
@@ -16,6 +16,7 @@
 let(:ruleset) { Datadog::AppSec::Processor::RuleLoader.load_rules(ruleset: :recommended, telemetry: telemetry) }
 let(:processor) { Datadog::AppSec::Processor.new(ruleset: ruleset, telemetry: telemetry) }
 let(:context) { Datadog::AppSec::Context.new(trace, span, processor) }
+ let(:rasp_enabled) { true }
 let(:span) { Datadog::Tracing::SpanOperation.new('root') }
 let(:trace) { Datadog::Tracing::TraceOperation.new }
@@ -55,6 +56,8 @@
 Datadog::AppSec::Context.activate(context)
+ allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(rasp_enabled)
+
 raise_on_rails_deprecation!
 end
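Review bot: The two examples in the new `context 'when RASP is disabled'` block only assert that `run_rasp` is not received, which would also pass if the adapter were never patched or the query never reached `detect_sql_injection`; nothing shows that the new guard is what short-circuits the WAF call. Because `rasp_enabled?` is stubbed with `allow` in the `before` block, adding `expect(Datadog::AppSec).to have_received(:rasp_enabled?)` after each `User.where` / `User.find_by_sql` call pins the behaviour to the guard rather than to an absent code path. The identical blocks in postgresql_adapter_spec.rb (hunk `@@ -65,6 +68,22 @@`) and sqlite3_adapter_spec.rb (hunk `@@ -58,6 +61,22 @@`) have the same gap.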
@@ -65,6 +68,22 @@
 processor.finalize
 end
+ context 'when RASP is disabled' do
+ let(:rasp_enabled) { false }
+
+ it 'does not call waf when querying using .where' do
+ expect(Datadog::AppSec.active_context).not_to receive(:run_rasp)
+
+ User.where(name: 'Bob').to_a
+ end
+
+ it 'does not call waf when querying using .find_by_sql' do
+ expect(Datadog::AppSec.active_context).not_to receive(:run_rasp)
+
+ User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a
+ end
+ end
+
 it 'calls waf with correct arguments when querying using .where' do
 expected_db_statement = if PlatformHelpers.jruby?
 'SELECT "users".* FROM "users" WHERE "users"."name" = ?'
diff --git a/spec/datadog/appsec/contrib/active_record/sqlite3_adapter_spec.rb b/spec/datadog/appsec/contrib/active_record/sqlite3_adapter_spec.rb
index 26607bca764..aa121a924b6 100644
--- a/spec/datadog/appsec/contrib/active_record/sqlite3_adapter_spec.rb
+++ b/spec/datadog/appsec/contrib/active_record/sqlite3_adapter_spec.rb
@@ -16,6 +16,7 @@
 let(:ruleset) { Datadog::AppSec::Processor::RuleLoader.load_rules(ruleset: :recommended, telemetry: telemetry) }
 let(:processor) { Datadog::AppSec::Processor.new(ruleset: ruleset, telemetry: telemetry) }
 let(:context) { Datadog::AppSec::Context.new(trace, span, processor) }
+ let(:rasp_enabled) { true }
 let(:span) { Datadog::Tracing::SpanOperation.new('root') }
 let(:trace) { Datadog::Tracing::TraceOperation.new }
@@ -48,6 +49,8 @@
 Datadog::AppSec::Context.activate(context)
+ allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(rasp_enabled)
+
 raise_on_rails_deprecation!
 end
@@ -58,6 +61,22 @@
 processor.finalize
 end
+ context 'when RASP is disabled' do
+ let(:rasp_enabled) { false }
+
+ it 'does not call waf when querying using .where' do
+ expect(Datadog::AppSec.active_context).not_to receive(:run_rasp)
+
+ User.where(name: 'Bob').to_a
+ end
+
+ it 'does not call waf when querying using .find_by_sql' do
+ expect(Datadog::AppSec.active_context).not_to receive(:run_rasp)
+
+ User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a
+ end
+ end
+
 it 'calls waf with correct arguments when querying using .where' do
 expect(Datadog::AppSec.active_context).to(
 receive(:run_rasp).with(