Merge pull request #4526 from DataDog/appsec-stack-trace-reporting

Add Stack Trace reporting for AppSec actions

Author: y9v

lib/datadog/appsec/actions_handler.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require_relative 'actions_handler/serializable_backtrace'
+
 module Datadog
   module AppSec
     # this module encapsulates functions for handling actions that libddawf returns
@@ -19,7 +21,26 @@ def interrupt_execution(action_params)
         throw(Datadog::AppSec::Ext::INTERRUPT, action_params)
       end
 
-      def generate_stack(_action_params); end
+      def generate_stack(action_params)
+        return unless Datadog.configuration.appsec.stack_trace.enabled
+
+        stack_id = action_params['stack_id']
+        return unless stack_id
+
+        active_span = AppSec.active_context&.span
+        return unless active_span
+
+        event_category = Ext::EXPLOIT_PREVENTION_EVENT_CATEGORY
+        tag_key = Ext::TAG_METASTRUCT_STACK_TRACE
+
+        existing_stack_data = active_span.get_metastruct_tag(tag_key).dup || { event_category => [] }
+        max_stack_traces = Datadog.configuration.appsec.stack_trace.max_stack_traces
+        return if max_stack_traces != 0 && existing_stack_data[event_category].count >= max_stack_traces
+
+        backtrace = SerializableBacktrace.new(locations: Array(caller_locations), stack_id: stack_id)
+        existing_stack_data[event_category] << backtrace
+        active_span.set_metastruct_tag(tag_key, existing_stack_data)
+      end
 
       def generate_schema(_action_params); end
     end

lib/datadog/appsec/actions_handler/serializable_backtrace.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module ActionsHandler
+      # This module serves encapsulates MessagePack serialization for caller locations.
+      #
+      # It serializes part of the stack:
+      # up to 32 frames (configurable)
+      # keeping frames from top and bottom of the stack (75% to 25%, configurable).
+      #
+      # It represents the stack trace that is added to span metastruct field.
+      class SerializableBacktrace
+        CLASS_AND_FUNCTION_NAME_REGEX = /\b([\w+:{2}]*\w+)?[#|.]?\b(\w+)\z/.freeze
+
+        def initialize(locations:, stack_id:)
+          @stack_id = stack_id
+          @locations = locations
+        end
+
+        def to_msgpack(packer = nil)
+          # JRuby doesn't pass the packer
+          packer ||= MessagePack::Packer.new
+
+          packer.write_map_header(3)
+
+          packer.write('id')
+          packer.write(@stack_id.encode('UTF-8'))
+
+          packer.write('language')
+          packer.write('ruby'.encode('UTF-8'))
+
+          serializable_locations_map = build_serializable_locations_map
+
+          packer.write('frames')
+          packer.write_array_header(serializable_locations_map.size)
+
+          serializable_locations_map.each do |frame_id, location|
+            packer.write_map_header(6)
+
+            packer.write('id')
+            packer.write(frame_id)
+
+            packer.write('text')
+            packer.write(location.to_s.encode('UTF-8'))
+
+            packer.write('file')
+            packer.write(location.path&.encode('UTF-8'))
+
+            packer.write('line')
+            packer.write(location.lineno)
+
+            class_name, function_name = location.label&.match(CLASS_AND_FUNCTION_NAME_REGEX)&.captures
+
+            packer.write('class_name')
+            packer.write(class_name&.encode('UTF-8'))
+
+            packer.write('function')
+            packer.write(function_name&.encode('UTF-8'))
+          end
+
+          packer
+        end
+
+        private
+
+        def build_serializable_locations_map
+          max_depth = Datadog.configuration.appsec.stack_trace.max_depth
+          top_percent = Datadog.configuration.appsec.stack_trace.top_percentage
+
+          drop_from_idx = max_depth * top_percent / 100
+          drop_until_idx = @locations.size - (max_depth - drop_from_idx)
+
+          frame_idx = -1
+          @locations.each_with_object({}) do |location, map|
+            # we are dropping frames from library code without increasing frame index
+            next if location.path&.include?('lib/datadog')
+
+            frame_idx += 1
+
+            next if max_depth != 0 && frame_idx >= drop_from_idx && frame_idx < drop_until_idx
+
+            map[frame_idx] = location
+          end
+        end
+      end
+    end
+  end
+end

lib/datadog/appsec/configuration/settings.rb

@@ -164,6 +164,66 @@ def self.add_settings!(base)
                 end
               end
 
+              settings :stack_trace do
+                option :enabled do |o|
+                  o.type :bool
+                  o.env 'DD_APPSEC_STACK_TRACE_ENABLED'
+                  o.default true
+                end
+
+                # The maximum number of stack trace frames to collect for each stack trace.
+                #
+                # If the stack trace exceeds this limit, the frames are dropped from the middle of the stack trace:
+                # 75% of the frames are kept from the top of the stack trace and 25% from the bottom
+                # (this percentage is also configurable).
+                #
+                # Minimum value is 10.
+                # Set to zero if you don't want any frames to be dropped.
+                #
+                # Default value is 32
+                option :max_depth do |o|
+                  o.type :int
+                  o.env 'DD_APPSEC_MAX_STACK_TRACE_DEPTH'
+                  o.default 32
+
+                  o.setter do |value|
+                    value = 0 if value < 0
+                    value
+                  end
+                end
+
+                # The percentage of frames to keep from the top of the stack trace.
+                #
+                # Default value is 75
+                option :top_percentage do |o|
+                  o.type :int
+                  o.env 'DD_APPSEC_MAX_STACK_TRACE_DEPTH_TOP_PERCENT'
+                  o.default 75
+
+                  o.setter do |value|
+                    value = 100 if value > 100
+                    value = 0 if value.negative?
+                    value
+                  end
+                end
+
+                # Maximum number of stack traces to collect per span.
+                #
+                # Set to zero if you want to collect all stack traces.
+                #
+                # Default value is 2
+                option :max_stack_traces do |o|
+                  o.type :int
+                  o.env 'DD_APPSEC_MAX_STACK_TRACES'
+                  o.default 2
+
+                  o.setter do |value|
+                    value = 0 if value < 0
+                    value
+                  end
+                end
+              end
+
               settings :auto_user_instrumentation do
                 define_method(:enabled?) { get_option(:mode) != DISABLED_AUTO_USER_INSTRUMENTATION_MODE }
 

lib/datadog/appsec/ext.rb

@@ -10,10 +10,12 @@ module Ext
       INTERRUPT = :datadog_appsec_interrupt
       CONTEXT_KEY = 'datadog.appsec.context'
       ACTIVE_CONTEXT_KEY = :datadog_appsec_active_context
+      EXPLOIT_PREVENTION_EVENT_CATEGORY = 'exploit'
 
       TAG_APPSEC_ENABLED = '_dd.appsec.enabled'
       TAG_APM_ENABLED = '_dd.apm.enabled'
       TAG_DISTRIBUTED_APPSEC_EVENT = '_dd.p.appsec'
+      TAG_METASTRUCT_STACK_TRACE = '_dd.stack'
 
       TELEMETRY_METRICS_NAMESPACE = 'appsec'
     end

sig/datadog/appsec/actions_handler/serializable_backtrace.rbs

@@ -0,0 +1,14 @@
+module Datadog
+  module AppSec
+    module ActionsHandler
+      class SerializableBacktrace
+        CLASS_AND_FUNCTION_NAME_REGEX: ::Regexp
+
+        def initialize: (locations: ::Array[::Thread::Backtrace::Location], stack_id: String) -> void
+        def to_msgpack: (?untyped? packer) -> void
+
+        private def build_serializable_locations_map: -> ::Hash[Integer, ::Thread::Backtrace::Location]
+      end
+    end
+  end
+end

sig/datadog/appsec/ext.rbs

@@ -15,12 +15,16 @@ module Datadog
 
       ACTIVE_CONTEXT_KEY: ::Symbol
 
+      EXPLOIT_PREVENTION_EVENT_CATEGORY: ::String
+
       TAG_APPSEC_ENABLED: ::String
 
       TAG_APM_ENABLED: ::String
 
       TAG_DISTRIBUTED_APPSEC_EVENT: ::String
 
+      TAG_METASTRUCT_STACK_TRACE: ::String
+
       TELEMETRY_METRICS_NAMESPACE: ::String
     end
   end