Skip to content

Add RestClient instrumentation for SSRF detection #4424

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
y9v merged 14 commits into from
Feb 24, 2025
Merged

Add RestClient instrumentation for SSRF detection #4424

y9v merged 14 commits into from
Feb 24, 2025

Conversation

@y9v
Copy link
Member

@y9v y9v commented Feb 21, 2025

What does this PR do?
It adds SSRF detection for rest-client gem.

To enable rest-client AppSec instrumentation:

Datadog.configure do |c|
  c.tracing.enabled = true
  c.tracing.instrument :rack

  c.appsec.enabled = true
  c.appsec.instrument :rest_client
end

Motivation:
We want to add SSRF detection to more http client libraries.

Change log entry
Yes. AppSec: Add detection of Server-Side Request Forgery attacks for rest-client http client.

Additional Notes:
None.

How to test the change?
CI and app-generator (rails-ssrf application)

@y9v y9v self-assigned this Feb 21, 2025
@y9v y9v requested review from a team as code owners February 21, 2025 11:03
@github-actions github-actions bot added integrations Involves tracing integrations appsec Application Security monitoring product labels Feb 21, 2025
@pr-commenter
Copy link

pr-commenter bot commented Feb 21, 2025
edited
Loading

Benchmarks

Benchmark execution time: 2025-02-24 12:13:50

Comparing candidate commit a632a16 in PR branch appsec-add-rest-client-instrumentation with baseline commit 2d817ff in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 31 metrics, 2 unstable metrics.

@datadog-datadog-prod-us1
Copy link
Contributor

datadog-datadog-prod-us1 bot commented Feb 21, 2025
edited
Loading

Datadog Report

Branch report: appsec-add-rest-client-instrumentation
Commit report: a632a16
Test service: dd-trace-rb

✅ 0 Failed, 20612 Passed, 1375 Skipped, 3m 21.69s Total Time

@codecov-commenter
Copy link

codecov-commenter commented Feb 21, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 97.67442% with 3 lines in your changes missing coverage. Please review.

Project coverage is 97.72%. Comparing base (2d817ff) to head (a632a16).
Report is 975 commits behind head on master.

Files with missing lines Patch % Lines
.../datadog/appsec/contrib/rest_client/integration.rb 90.90% 2 Missing ⚠️
lib/datadog/appsec/contrib/rest_client/patcher.rb 92.30% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #4424      +/-   ##
==========================================
- Coverage   97.73%   97.72%   -0.01%     
==========================================
  Files        1363     1368       +5     
  Lines       83309    83438     +129     
  Branches     4217     4220       +3     
==========================================
+ Hits        81419    81543     +124     
- Misses       1890     1895       +5

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@y9v y9v changed the title Add AppSec RestClient instrumentation for SSRF detection Add RestClient instrumentation for SSRF detection Feb 21, 2025
Strech
Strech approved these changes Feb 24, 2025
View reviewed changes
Copy link
Member

@Strech Strech left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

P.S I would consider few adjustments to tests and ask Tony about the Matrixfile

y9v and others added 12 commits February 24, 2025 12:33
@y9v
Add AppSec RestClient instrumentation for SSRF detection
7b5cb80
@y9v
Add type signatures for AppSec RestClient integration
9a01e56
@y9v
Fix type signatures for excon and faraday AppSec integrations
ea7614c
@y9v
Add tests for RestClient AppSec instrumentation
d32f93f
@y9v
Extract rest-client-latest appraisal
cc5a023
@y9v
[🤖] Lock Dependency: https://github.com/DataDog/dd-trace-rb/actions/r…
43c2d36 
…uns/13455470094
@TonyCTHsu @y9v
[🤖] Lock Dependency: https://github.com/DataDog/dd-trace-rb/actions/r…
cdfd8a8 
…uns/13455581146
@y9v
Remove unneeded variable from RestClient SSRF integration test
7f81eb6
@y9v
[🤖] Lock Dependency: https://github.com/DataDog/dd-trace-rb/actions/r…
8b42300 
…uns/13457056485
@y9v
Add rest-client gem to rake edge:update task
fb22f17
@y9v
[🤖] Lock Dependency: https://github.com/DataDog/dd-trace-rb/actions/r…
8b20539 
…uns/13496444973
@y9v
Rename RequestPatch to RequestSSRFDetectionPatch
49978b9
@y9v y9v force-pushed the appsec-add-rest-client-instrumentation branch from f8b49c5 to 49978b9 Compare February 24, 2025 11:33
@y9v y9v merged commit 4c0614d into master Feb 24, 2025
509 checks passed
@y9v y9v deleted the appsec-add-rest-client-instrumentation branch February 24, 2025 13:17
@github-actions github-actions bot added this to the 2.12.0 milestone Feb 24, 2025
@TonyCTHsu TonyCTHsu mentioned this pull request Feb 27, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@TonyCTHsu TonyCTHsu TonyCTHsu left review comments

@datadog-datadog-prod-us1 datadog-datadog-prod-us1[bot] datadog-datadog-prod-us1[bot] left review comments

@Strech Strech Strech approved these changes

Assignees

@y9v y9v

Labels

appsec Application Security monitoring product integrations Involves tracing integrations

Projects

None yet

Milestone

2.12.0

Development

Successfully merging this pull request may close these issues.

5 participants

@y9v @codecov-commenter @Strech @TonyCTHsu