Merge pull request #4391 from DataDog/appsec-add-faraday-instrumentation

Add Faraday instrumentation for AppSec

Author: y9v

Matrixfile

@@ -296,6 +296,10 @@
     'graphql-2.0'  => '✅ 2.5 / ✅ 2.6 / ✅ 2.7 / ✅ 3.0 / ✅ 3.1 / ✅ 3.2 / ✅ 3.3 / ✅ 3.4 / ✅ jruby',
     'graphql-1.13' => '❌ 2.5 / ✅ 2.6 / ✅ 2.7 / ✅ 3.0 / ✅ 3.1 / ✅ 3.2 / ✅ 3.3 / ✅ 3.4 / ✅ jruby',
   },
+  'appsec:http' => {
+    'http' => '✅ 2.5 / ✅ 2.6 / ✅ 2.7 / ✅ 3.0 / ✅ 3.1 / ✅ 3.2 / ✅ 3.3 / ✅ 3.4 / ✅ jruby',
+    'contrib-old' => '❌ 2.5 / ✅ 2.6 / ✅ 2.7 / ✅ 3.0 / ✅ 3.1 / ✅ 3.2 / ✅ 3.3 / ✅ 3.4 / ✅ jruby'
+  },
   'di:active_record' => {
     'rails61-mysql2' => '❌ 2.5 / ✅ 2.6 / ✅ 2.7 / ✅ 3.0 / ✅ 3.1 / ✅ 3.2 / ✅ 3.3 / ✅ 3.4 / ❌ jruby',
   },

Rakefile

@@ -276,7 +276,7 @@ namespace :spec do
   end
 
   namespace :appsec do
-    task all: [:main, :active_record, :rack, :rails, :sinatra, :devise, :graphql, :integration]
+    task all: [:main, :active_record, :rack, :rails, :sinatra, :devise, :graphql, :http, :integration]
 
     # Datadog AppSec main specs
     desc '' # "Explicitly hiding from `rake -T`"
@@ -302,6 +302,7 @@ namespace :spec do
       :rails,
       :devise,
       :graphql,
+      :http
     ].each do |contrib|
       desc '' # "Explicitly hiding from `rake -T`"
       RSpec::Core::RakeTask.new(contrib) do |t, args|

appraisal/ruby-3.3.rb

@@ -188,6 +188,7 @@
 
 appraise 'rails-app' do
   gem 'devise', '~> 4.9'
+  gem 'faraday', '~> 2.0'
   gem 'rack', '~> 2'
   gem 'rack-contrib', '~> 2'
   gem 'rack-test' # Dev dependencies for testing rack-based code

gemfiles/ruby_3.3_rails_app.gemfile

@@ -68,5 +68,6 @@ def components
 require_relative 'appsec/contrib/active_record/integration'
 require_relative 'appsec/contrib/devise/integration'
 require_relative 'appsec/contrib/graphql/integration'
+require_relative 'appsec/contrib/faraday/integration'
 
 require_relative 'appsec/autoload'

gemfiles/ruby_3.3_rails_app.gemfile.lock

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module Contrib
+      module Faraday
+        # Handles installation of our middleware if the user has *not*
+        # already explicitly configured our middleware for this correction.
+        #
+        # Wraps Faraday::Connection#initialize:
+        # https://github.com/lostisland/faraday/blob/ff9dc1d1219a1bbdba95a9a4cf5d135b97247ee2/lib/faraday/connection.rb#L62-L92
+        module ConnectionPatch
+          def initialize(*args, &block)
+            super.tap do
+              use(:datadog_appsec) unless builder.handlers.any? { |h| h.klass == SSRFDetectionMiddleware }
+            end
+          end
+        end
+      end
+    end
+  end
+end

lib/datadog/appsec.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require_relative '../integration'
+
+require_relative 'patcher'
+
+module Datadog
+  module AppSec
+    module Contrib
+      module Faraday
+        # This class provides helper methods that are used when patching Faraday
+        class Integration
+          include Datadog::AppSec::Contrib::Integration
+
+          MINIMUM_VERSION = Gem::Version.new('0.14.0')
+
+          register_as :faraday, auto_patch: true
+
+          def self.version
+            Gem.loaded_specs['faraday'] && Gem.loaded_specs['faraday'].version
+          end
+
+          def self.loaded?
+            !defined?(::Faraday).nil?
+          end
+
+          def self.compatible?
+            super && version >= MINIMUM_VERSION
+          end
+
+          def self.auto_instrument?
+            true
+          end
+
+          def patcher
+            Patcher
+          end
+        end
+      end
+    end
+  end
+end

lib/datadog/appsec/contrib/faraday/connection_patch.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module Contrib
+      module Faraday
+        # Patcher for Faraday
+        module Patcher
+          module_function
+
+          def patched?
+            Patcher.instance_variable_get(:@patched)
+          end
+
+          def target_version
+            Integration.version
+          end
+
+          def patch
+            require_relative 'ssrf_detection_middleware'
+            require_relative 'connection_patch'
+            require_relative 'rack_builder_patch'
+
+            ::Faraday::Middleware.register_middleware(datadog_appsec: SSRFDetectionMiddleware)
+            configure_default_faraday_connection
+
+            Patcher.instance_variable_set(:@patched, true)
+          end
+
+          def configure_default_faraday_connection
+            if target_version >= Gem::Version.new('1.0.0')
+              # Patch the default connection (e.g. +Faraday.get+)
+              ::Faraday.default_connection.use(:datadog_appsec)
+
+              # Patch new connection instances (e.g. +Faraday.new+)
+              ::Faraday::Connection.prepend(ConnectionPatch)
+            else
+              # Patch the default connection (e.g. +Faraday.get+)
+              #
+              # We insert our middleware before the 'adapter', which is
+              # always the last handler.
+              idx = ::Faraday.default_connection.builder.handlers.size - 1
+              ::Faraday.default_connection.builder.insert(idx, SSRFDetectionMiddleware)
+
+              # Patch new connection instances (e.g. +Faraday.new+)
+              ::Faraday::RackBuilder.prepend(RackBuilderPatch)
+            end
+          end
+        end
+      end
+    end
+  end
+end

lib/datadog/appsec/contrib/faraday/integration.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module Contrib
+      module Faraday
+        # Handles installation of our middleware if the user has *not*
+        # already explicitly configured it for this correction.
+        #
+        # RackBuilder class was introduced in faraday 0.9.0:
+        # https://github.com/lostisland/faraday/commit/77d7546d6d626b91086f427c56bc2cdd951353b3
+        module RackBuilderPatch
+          def adapter(*args)
+            use(:datadog_appsec) unless @handlers.any? { |h| h.klass == SSRFDetectionMiddleware }
+
+            super
+          end
+        end
+      end
+    end
+  end
+end

lib/datadog/appsec/contrib/faraday/patcher.rb

@@ -0,0 +1,42 @@
+# rubocop:disable Naming/FileName
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module Contrib
+      module Faraday
+        # AppSec SSRF detection Middleware for Faraday
+        class SSRFDetectionMiddleware < ::Faraday::Middleware
+          def call(request_env)
+            context = AppSec.active_context
+
+            return @app.call(request_env) unless context && AppSec.rasp_enabled?
+
+            ephemeral_data = {
+              'server.io.net.url' => request_env.url.to_s
+            }
+
+            result = context.run_rasp(Ext::RASP_SSRF, {}, ephemeral_data, Datadog.configuration.appsec.waf_timeout)
+
+            if result.match?
+              Datadog::AppSec::Event.tag_and_keep!(context, result)
+
+              context.events << {
+                waf_result: result,
+                trace: context.trace,
+                span: context.span,
+                request_url: request_env.url,
+                actions: result.actions
+              }
+
+              ActionsHandler.handle(result.actions)
+            end
+
+            @app.call(request_env)
+          end
+        end
+      end
+    end
+  end
+end
+# rubocop:enable Naming/FileName

lib/datadog/appsec/contrib/faraday/rack_builder_patch.rb

@@ -0,0 +1,11 @@
+module Datadog
+  module AppSec
+    module Contrib
+      module Faraday
+        class ConnectionPatch
+          def initialize: (*untyped args) ?{ () -> untyped } -> void
+        end
+      end
+    end
+  end
+end

lib/datadog/appsec/contrib/faraday/ssrf_detection_middleware.rb

@@ -0,0 +1,23 @@
+module Datadog
+  module AppSec
+    module Contrib
+      module Faraday
+        class Integration
+          include Datadog::AppSec::Contrib::Integration
+
+          MINIMUM_VERSION: ::Gem::Version
+
+          def self.version: () -> ::Gem::Version?
+
+          def self.loaded?: () -> bool
+
+          def self.compatible?: () -> bool
+
+          def self.auto_instrument?: () -> bool
+
+          def patcher: () -> Datadog::AppSec::Contrib::GraphQL::Patcher
+        end
+      end
+    end
+  end
+end

sig/datadog/appsec/contrib/faraday/connection_patch.rbs

@@ -0,0 +1,19 @@
+module Datadog
+  module AppSec
+    module Contrib
+      module Faraday
+        module Patcher
+          def self?.patched?: () -> bool
+
+          def self?.target_version: () -> ::Gem::Version
+
+          def self?.patch: () -> bool
+
+          def self?.register_middleware!: () -> void
+
+          def self?.add_default_middleware!: () -> void
+        end
+      end
+    end
+  end
+end

sig/datadog/appsec/contrib/faraday/integration.rbs

@@ -0,0 +1,11 @@
+module Datadog
+  module AppSec
+    module Contrib
+      module Faraday
+        module RackBuilder
+          def adapter: (*untyped args) -> untyped
+        end
+      end
+    end
+  end
+end

sig/datadog/appsec/contrib/faraday/patcher.rbs

@@ -0,0 +1,15 @@
+module Datadog
+  module AppSec
+    module Contrib
+      module Faraday
+        class SSRFDetectionMiddleware < ::Faraday::Middleware
+          def call: (untyped env) -> void
+
+          private
+
+          attr_reader app: untyped
+        end
+      end
+    end
+  end
+end