From 2282901a455e46ad5a71f1b4c3b3d2df8f982a46 Mon Sep 17 00:00:00 2001 From: Loic Nageleisen Date: Thu, 21 Nov 2024 16:09:41 +0100 Subject: [PATCH 01/10] Move `host_inject.rb` and preserve history --- lib-injection/{host_inject.rb => host_inject_main.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename lib-injection/{host_inject.rb => host_inject_main.rb} (100%) diff --git a/lib-injection/host_inject.rb b/lib-injection/host_inject_main.rb similarity index 100% rename from lib-injection/host_inject.rb rename to lib-injection/host_inject_main.rb From 5591d97f9c24023456439ef8e537eed56ac0abbd Mon Sep 17 00:00:00 2001 From: Loic Nageleisen Date: Thu, 21 Nov 2024 16:14:24 +0100 Subject: [PATCH 02/10] Add frontend `host_inject.rb`, guarding against older versions These versions may be unable to execute - or even parse - the main host injection script. --- .gitlab/prepare-oci-package.sh | 1 + lib-injection/host_inject.rb | 7 +++++++ 2 files changed, 8 insertions(+) create mode 100644 lib-injection/host_inject.rb diff --git a/.gitlab/prepare-oci-package.sh b/.gitlab/prepare-oci-package.sh index d051f359c15..2c2e65f3322 100755 --- a/.gitlab/prepare-oci-package.sh +++ b/.gitlab/prepare-oci-package.sh @@ -5,6 +5,7 @@ set -e mkdir sources cp ../lib-injection/host_inject.rb sources +cp ../lib-injection/host_inject_main.rb sources cp ../lib-injection/requirements.json sources/requirements.json # Kubernetes injection expects a different path ln -rs sources/host_inject.rb sources/auto_inject.rb diff --git a/lib-injection/host_inject.rb b/lib-injection/host_inject.rb new file mode 100644 index 00000000000..eaca133a905 --- /dev/null +++ b/lib-injection/host_inject.rb 
@@ -0,0 +1,7 @@ +# This file's intent is to be parseable and executable by all ruby versions +# to call into the main one only for versions for which it is known-compatible +# with at the language level. + +if RUBY_VERSION >= '2.5.' + require File.expand_path(File.join(File.dirname(__FILE__), 'host_inject_main.rb')) +end From f9aec1a9725b24981fa9fab494eab8b1d4171b78 Mon Sep 17 00:00:00 2001 From: Loic Nageleisen Date: Wed, 27 Nov 2024 13:48:37 +0100 Subject: [PATCH 03/10] Lower to ruby 2.3 --- lib-injection/host_inject.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib-injection/host_inject.rb b/lib-injection/host_inject.rb index eaca133a905..1dbf4d683d8 100644 --- a/lib-injection/host_inject.rb +++ b/lib-injection/host_inject.rb @@ -2,6 +2,6 @@ # to call into the main one only for versions for which it is known-compatible # with at the language level. -if RUBY_VERSION >= '2.5.' +if RUBY_VERSION >= '2.3.' require File.expand_path(File.join(File.dirname(__FILE__), 'host_inject_main.rb')) end From ca7c789f397f4baef67213009e58ec8abea216bc Mon Sep 17 00:00:00 2001 From: Yury Lebedev Date: Thu, 28 Nov 2024 19:45:48 +0100 Subject: [PATCH 04/10] Fix handling of non integer response status code in AppSec Custom actions for AppSec can have status codes that are strings and not integers. We need to handle them properly. --- lib/datadog/appsec/response.rb | 5 +++-- spec/datadog/appsec/response_spec.rb | 6 +++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/lib/datadog/appsec/response.rb b/lib/datadog/appsec/response.rb index 03ae79dbac7..fee2f2e8999 100644 --- a/lib/datadog/appsec/response.rb +++ b/lib/datadog/appsec/response.rb @@ -87,7 +87,7 @@ def block_response(env, options) body << content(content_type) Response.new( - status: options['status_code'] || 403, + status: (options['status_code'] ? options['status_code'].to_i : 403), headers: { 'Content-Type' => content_type }, body: body, ) 
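Review bot: The guard `RUBY_VERSION >= '2.5.'` is a lexicographic string comparison rather than a version comparison, so it orders correctly only while each compared component has a single digit. For example `'10.0.0' >= '2.5.'` is false, and injection would then be skipped without any message. Because this file must parse on very old interpreters, a comment recording that limit may be the right fix, e.g. `# String comparison on purpose: holds only while the major version is a single digit`. Patch 03/10 lowers the bound to `'2.3.'` and keeps the same comparison.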
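Review bot: `String#to_i` returns 0 for text that does not start with digits, so in the `status:` line of `block_response` a configured `status_code` such as `''` or `'forbidden'` becomes status 0 instead of falling back to 403. A blocking response with an invalid status may be rejected or mangled by the web server (not visible here), which would weaken the block. Consider validating the parsed value, e.g. `status = options['status_code'].to_i` followed by `status = 403 unless status >= 100 && status < 600`. The rewrites of this line in patches 07/10 to 09/10 behave the same way, because 0 is truthy in Ruby and `|| 403` never fires for it. `block_response` begins and ends outside the hunk.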
@@ -96,8 +96,9 @@ def block_response(env, options) def redirect_response(env, options) if options['location'] && !options['location'].empty? content_type = content_type(env) + status_code = options['status_code'].to_i - status = options['status_code'] >= 300 && options['status_code'] < 400 ? options['status_code'] : 303 + status = status_code >= 300 && status_code < 400 ? status_code : 303 headers = { 'Content-Type' => content_type, diff --git a/spec/datadog/appsec/response_spec.rb b/spec/datadog/appsec/response_spec.rb index e4d2d786fc1..0872ae57060 100644 --- a/spec/datadog/appsec/response_spec.rb +++ b/spec/datadog/appsec/response_spec.rb @@ -21,7 +21,7 @@ end let(:type) { 'html' } - let(:status_code) { 100 } + let(:status_code) { '100' } context 'status_code' do subject(:status) { described_class.negotiate(env, actions).status } @@ -92,7 +92,7 @@ end let(:location) { 'foo' } - let(:status_code) { 303 } + let(:status_code) { '303' } context 'status_code' do subject(:status) { described_class.negotiate(env, actions).status } @@ -100,7 +100,7 @@ it { is_expected.to eq 303 } context 'when status code do not starts with 3' do - let(:status_code) { 202 } + let(:status_code) { '202' } it { is_expected.to eq 303 } end From 70a5d28b4886ebb0bbd5ae7704f408ecb0fcc6ba Mon Sep 17 00:00:00 2001 From: Yury Lebedev Date: Thu, 28 Nov 2024 19:49:25 +0100 Subject: [PATCH 05/10] Switch system tests workflow to a temporary branch --- .github/workflows/system-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/system-tests.yml b/.github/workflows/system-tests.yml index 929541ba8e6..49f5f841ba9 100644 --- a/.github/workflows/system-tests.yml +++ b/.github/workflows/system-tests.yml 
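Review bot: Replacing the Integer fixtures with Strings (`'100'`, `'303'`, `'202'`) in these three spec hunks drops coverage of the Integer status codes that were tested before, and no case covers a value that is not numeric. Keeping both forms would pin the conversion, for example a context with `let(:status_code) { 303 }` next to the string one, plus one with `let(:status_code) { 'abc' }` asserting the intended fallback. The surrounding `describe` and `context` blocks start and end outside the hunks.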
@@ -11,7 +11,7 @@ on: env: REGISTRY: ghcr.io REPO: ghcr.io/datadog/dd-trace-rb - SYSTEM_TESTS_REF: main # This must always be set to `main` on dd-trace-rb's master branch + SYSTEM_TESTS_REF: unskip-waf-blocking-tests-for-ruby # This must always be set to `main` on dd-trace-rb's master branch jobs: build-harness: From aa168e390975d7e2fa893bbc0b132a3bb1697d7b Mon Sep 17 00:00:00 2001 From: Yury Lebedev Date: Thu, 28 Nov 2024 19:52:53 +0100 Subject: [PATCH 06/10] Use range to compare status code in AppSec::Response --- lib/datadog/appsec/response.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/datadog/appsec/response.rb b/lib/datadog/appsec/response.rb index fee2f2e8999..361138f4142 100644 --- a/lib/datadog/appsec/response.rb +++ b/lib/datadog/appsec/response.rb @@ -98,7 +98,7 @@ def redirect_response(env, options) content_type = content_type(env) status_code = options['status_code'].to_i - status = status_code >= 300 && status_code < 400 ? status_code : 303 + status = (300...400).cover?(status_code) ? status_code : 303 headers = { 'Content-Type' => content_type, From e3e16f41b169f5967d872fdf214652209da3f296 Mon Sep 17 00:00:00 2001 From: Yury Lebedev Date: Thu, 28 Nov 2024 19:55:55 +0100 Subject: [PATCH 07/10] Use safe navigation operator for status code in AppSec::Response --- lib/datadog/appsec/response.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/datadog/appsec/response.rb b/lib/datadog/appsec/response.rb index 361138f4142..c2f3613854d 100644 --- a/lib/datadog/appsec/response.rb +++ b/lib/datadog/appsec/response.rb @@ -87,7 +87,7 @@ def block_response(env, options) body << content(content_type) Response.new( - status: (options['status_code'] ? options['status_code'].to_i : 403), + status: options['status_code']&.to_i || 403, headers: { 'Content-Type' => content_type }, body: body, ) From 482bf1249bbfaa048635c8bab8d90320ddf1e07a Mon Sep 17 00:00:00 2001 
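Review bot: `SYSTEM_TESTS_REF` now names a feature branch while the comment on the same line says it must be `main` on master, and that comment is the only guard visible here. Patch 10/10 restores `main`, but a CI step that fails when the ref differs from `main` on the master branch would enforce the rule instead of relying on a later commit. How the ref is consumed is outside this hunk; presumably it selects which revision of the system-tests repository is checked out and run.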
From: Yury Lebedev Date: Fri, 29 Nov 2024 10:26:37 +0100 Subject: [PATCH 08/10] Remove range allocation from AppSec::Response --- lib/datadog/appsec/response.rb | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/lib/datadog/appsec/response.rb b/lib/datadog/appsec/response.rb index c2f3613854d..7acccf31895 100644 --- a/lib/datadog/appsec/response.rb +++ b/lib/datadog/appsec/response.rb @@ -87,7 +87,7 @@ def block_response(env, options) body << content(content_type) Response.new( - status: options['status_code']&.to_i || 403, + status: options.fetch('status_code', 403).to_i, headers: { 'Content-Type' => content_type }, body: body, ) @@ -96,17 +96,15 @@ def block_response(env, options) def redirect_response(env, options) if options['location'] && !options['location'].empty? content_type = content_type(env) - status_code = options['status_code'].to_i - - status = (300...400).cover?(status_code) ? status_code : 303 headers = { 'Content-Type' => content_type, 'Location' => options['location'] } + status_code = options['status_code'].to_i Response.new( - status: status, + status: (status_code >= 300 && status_code < 400 ? status_code : 303), headers: headers, body: [], ) From 01d150ea862e2257423c04a82fea5996e78b53c9 Mon Sep 17 00:00:00 2001 From: Yury Lebedev Date: Fri, 29 Nov 2024 10:38:53 +0100 Subject: [PATCH 09/10] Remove fetch from AppSec::Response for getting status_code --- lib/datadog/appsec/response.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/datadog/appsec/response.rb b/lib/datadog/appsec/response.rb index 7acccf31895..8d63fd88622 100644 --- a/lib/datadog/appsec/response.rb +++ b/lib/datadog/appsec/response.rb @@ -87,7 +87,7 @@ def block_response(env, options) body << content(content_type) Response.new( - status: options.fetch('status_code', 403).to_i, + status: options['status_code']&.to_i || 403, headers: { 'Content-Type' => content_type }, body: body, ) 
From b95a01141ebb1cc0414274a7d9d29efb98e9d4aa Mon Sep 17 00:00:00 2001 From: Yury Lebedev Date: Fri, 29 Nov 2024 10:57:03 +0100 Subject: [PATCH 10/10] Switch system-tests branch back to main --- .github/workflows/system-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/system-tests.yml b/.github/workflows/system-tests.yml index 49f5f841ba9..929541ba8e6 100644 --- a/.github/workflows/system-tests.yml +++ b/.github/workflows/system-tests.yml @@ -11,7 +11,7 @@ on: env: REGISTRY: ghcr.io REPO: ghcr.io/datadog/dd-trace-rb - SYSTEM_TESTS_REF: unskip-waf-blocking-tests-for-ruby # This must always be set to `main` on dd-trace-rb's master branch + SYSTEM_TESTS_REF: main # This must always be set to `main` on dd-trace-rb's master branch jobs: build-harness: