Merge 869d0eb into e743328

y9v · web-flow · commit 070743f26005 · 2025-09-08T13:53:06.000+02:00
diff --git a/datadog.gemspec b/datadog.gemspec
@@ -65,7 +65,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'datadog-ruby_core_source', '~> 3.4', '>= 3.4.1'
 
   # Used by appsec
-  spec.add_dependency 'libddwaf', '~> 1.24.1.1.0'
+  spec.add_dependency 'libddwaf', '~> 1.24.1.2.0'
 
   # When updating the version here, please also update the version in `libdatadog_extconf_helpers.rb`
   # (and yes we have a test for it)
diff --git a/lib/datadog/appsec/metrics/collector.rb b/lib/datadog/appsec/metrics/collector.rb
@@ -5,14 +5,28 @@ module AppSec
     module Metrics
       # A class responsible for collecting WAF and RASP call metrics.
       class Collector
-        Store = Struct.new(:evals, :matches, :errors, :timeouts, :duration_ns, :duration_ext_ns, keyword_init: true)
+        Store = Struct.new(
+          :evals,
+          :matches,
+          :errors,
+          :timeouts,
+          :duration_ns,
+          :duration_ext_ns,
+          :input_truncated_count,
+          keyword_init: true
+        )
 
         attr_reader :waf, :rasp
 
         def initialize
           @mutex = Mutex.new
-          @waf = Store.new(evals: 0, matches: 0, errors: 0, timeouts: 0, duration_ns: 0, duration_ext_ns: 0)
-          @rasp = Store.new(evals: 0, matches: 0, errors: 0, timeouts: 0, duration_ns: 0, duration_ext_ns: 0)
+
+          @waf = Store.new(
+            evals: 0, matches: 0, errors: 0, timeouts: 0, duration_ns: 0, duration_ext_ns: 0, input_truncated_count: 0
+          )
+          @rasp = Store.new(
+            evals: 0, matches: 0, errors: 0, timeouts: 0, duration_ns: 0, duration_ext_ns: 0, input_truncated_count: 0
+          )
         end
 
         def record_waf(result)
@@ -23,6 +37,7 @@ def record_waf(result)
             @waf.timeouts += 1 if result.timeout?
             @waf.duration_ns += result.duration_ns
             @waf.duration_ext_ns += result.duration_ext_ns
+            @waf.input_truncated_count += 1 if result.input_truncated?
           end
         end
 
@@ -34,6 +49,7 @@ def record_rasp(result)
             @rasp.timeouts += 1 if result.timeout?
             @rasp.duration_ns += result.duration_ns
             @rasp.duration_ext_ns += result.duration_ext_ns
+            @rasp.input_truncated_count += 1 if result.input_truncated?
           end
         end
       end
diff --git a/lib/datadog/appsec/metrics/telemetry_exporter.rb b/lib/datadog/appsec/metrics/telemetry_exporter.rb
@@ -18,7 +18,8 @@ def export_waf_request_metrics(metrics, context)
               waf_timeout: metrics.timeouts.positive?.to_s,
               request_blocked: context.interrupted?.to_s,
               block_failure: 'false',
-              rate_limited: (!context.trace.sampled?).to_s
+              rate_limited: (!context.trace.sampled?).to_s,
+              input_truncated: metrics.input_truncated_count.positive?.to_s,
             }
           )
         end
diff --git a/lib/datadog/appsec/security_engine/result.rb b/lib/datadog/appsec/security_engine/result.rb
@@ -9,14 +9,15 @@ module Result
         class Base
           attr_reader :events, :actions, :derivatives, :duration_ns, :duration_ext_ns
 
-          def initialize(events:, actions:, derivatives:, timeout:, duration_ns:, duration_ext_ns:)
+          def initialize(events:, actions:, derivatives:, timeout:, duration_ns:, duration_ext_ns:, input_truncated:)
             @events = events
             @actions = actions
             @derivatives = derivatives
 
             @timeout = timeout
             @duration_ns = duration_ns
             @duration_ext_ns = duration_ext_ns
+            @input_truncated = input_truncated
           end
 
           def timeout?
@@ -30,6 +31,10 @@ def match?
           def error?
             raise NotImplementedError
           end
+
+          def input_truncated?
+            @input_truncated
+          end
         end
 
         # A result that indicates a security rule match
@@ -58,11 +63,12 @@ def error?
         class Error
           attr_reader :events, :actions, :derivatives, :duration_ns, :duration_ext_ns
 
-          def initialize(duration_ext_ns:)
+          def initialize(duration_ext_ns:, input_truncated:)
             @events = []
             @actions = @derivatives = {}
             @duration_ns = 0
             @duration_ext_ns = duration_ext_ns
+            @input_truncated = input_truncated
           end
 
           def timeout?
@@ -76,6 +82,10 @@ def match?
           def error?
             true
           end
+
+          def input_truncated?
+            @input_truncated
+          end
         end
       end
     end
diff --git a/lib/datadog/appsec/security_engine/runner.rb b/lib/datadog/appsec/security_engine/runner.rb
@@ -42,7 +42,7 @@ def run(persistent_data, ephemeral_data, timeout = WAF::LibDDWAF::DDWAF_RUN_TIME
           report_execution(result)
 
           unless SUCCESSFUL_EXECUTION_CODES.include?(result.status)
-            return Result::Error.new(duration_ext_ns: stop_ns - start_ns)
+            return Result::Error.new(duration_ext_ns: stop_ns - start_ns, input_truncated: result.input_truncated?)
           end
 
           klass = (result.status == :match) ? Result::Match : Result::Ok
@@ -52,7 +52,8 @@ def run(persistent_data, ephemeral_data, timeout = WAF::LibDDWAF::DDWAF_RUN_TIME
             derivatives: result.derivatives,
             timeout: result.timeout,
             duration_ns: result.total_runtime,
-            duration_ext_ns: (stop_ns - start_ns)
+            duration_ext_ns: (stop_ns - start_ns),
+            input_truncated: result.input_truncated?
           )
         ensure
           @mutex.unlock
diff --git a/sig/datadog/appsec/metrics/collector.rbs b/sig/datadog/appsec/metrics/collector.rbs
@@ -15,7 +15,9 @@ module Datadog
 
           attr_accessor duration_ext_ns: ::Integer
 
-          def self.new: (evals: ::Integer, matches: ::Integer, errors: ::Integer, timeouts: ::Integer, duration_ns: ::Integer, duration_ext_ns: ::Integer) -> void
+          attr_accessor input_truncated_count: ::Integer
+
+          def self.new: (evals: ::Integer, matches: ::Integer, errors: ::Integer, timeouts: ::Integer, duration_ns: ::Integer, duration_ext_ns: ::Integer, input_truncated_count: ::Integer) -> void
         end
 
         @mutex: Mutex
diff --git a/sig/datadog/appsec/security_engine/result.rbs b/sig/datadog/appsec/security_engine/result.rbs
@@ -21,6 +21,8 @@ module Datadog
 
           @duration_ext_ns: ::Integer
 
+          @input_truncated: bool
+
           attr_reader events: events
 
           attr_reader actions: actions
@@ -31,13 +33,15 @@ module Datadog
 
           attr_reader duration_ext_ns: ::Integer
 
-          def initialize: (events: events, actions: actions, derivatives: derivatives, timeout: bool, duration_ns: ::Integer, duration_ext_ns: ::Integer) -> void
+          def initialize: (events: events, actions: actions, derivatives: derivatives, timeout: bool, duration_ns: ::Integer, duration_ext_ns: ::Integer, input_truncated: bool) -> void
 
           def timeout?: () -> bool
 
           def match?: () -> bool
 
           def error?: () -> bool
+
+          def input_truncated?: () -> bool
         end
 
         # A result that indicates a security rule match
@@ -66,6 +70,8 @@ module Datadog
 
           @duration_ext_ns: ::Integer
 
+          @input_truncated: bool
+
           attr_reader events: events
 
           attr_reader actions: actions
@@ -76,13 +82,15 @@ module Datadog
 
           attr_reader duration_ext_ns: ::Integer
 
-          def initialize: (duration_ext_ns: ::Integer) -> void
+          def initialize: (duration_ext_ns: ::Integer, input_truncated: bool) -> void
 
           def timeout?: () -> false
 
           def match?: () -> false
 
           def error?: () -> true
+
+          def input_truncated?: () -> bool
         end
       end
     end
diff --git a/spec/datadog/appsec/metrics/collector_spec.rb b/spec/datadog/appsec/metrics/collector_spec.rb
@@ -14,6 +14,7 @@
         expect(collector.waf.timeouts).to eq(0)
         expect(collector.waf.duration_ns).to eq(0)
         expect(collector.waf.duration_ext_ns).to eq(0)
+        expect(collector.waf.input_truncated_count).to eq(0)
       end
     end
 
@@ -22,7 +23,8 @@
 
       let(:result) do
         Datadog::AppSec::SecurityEngine::Result::Ok.new(
-          events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 100, duration_ext_ns: 200
+          events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 100,
+          duration_ext_ns: 200, input_truncated: false
         )
       end
 
@@ -33,6 +35,7 @@
         expect(collector.waf.timeouts).to eq(0)
         expect(collector.waf.duration_ns).to eq(100)
         expect(collector.waf.duration_ext_ns).to eq(200)
+        expect(collector.waf.input_truncated_count).to eq(0)
       end
     end
 
@@ -44,13 +47,15 @@
 
       let(:result_1) do
         Datadog::AppSec::SecurityEngine::Result::Ok.new(
-          events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 100, duration_ext_ns: 200
+          events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 100,
+          duration_ext_ns: 200, input_truncated: false
         )
       end
 
       let(:result_2) do
         Datadog::AppSec::SecurityEngine::Result::Match.new(
-          events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 1000, duration_ext_ns: 1200
+          events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 1000,
+          duration_ext_ns: 1200, input_truncated: false
         )
       end
 
@@ -60,6 +65,7 @@
         expect(collector.waf.errors).to eq(0)
         expect(collector.waf.duration_ns).to eq(1100)
         expect(collector.waf.duration_ext_ns).to eq(1400)
+        expect(collector.waf.input_truncated_count).to eq(0)
       end
     end
 
@@ -72,17 +78,21 @@
 
       let(:result_1) do
         Datadog::AppSec::SecurityEngine::Result::Ok.new(
-          events: [], actions: {}, derivatives: {}, timeout: true, duration_ns: 100, duration_ext_ns: 500
+          events: [], actions: {}, derivatives: {}, timeout: true, duration_ns: 100,
+          duration_ext_ns: 500, input_truncated: false
         )
       end
 
       let(:result_2) do
         Datadog::AppSec::SecurityEngine::Result::Match.new(
-          events: [], actions: {}, derivatives: {}, timeout: true, duration_ns: 400, duration_ext_ns: 1200
+          events: [], actions: {}, derivatives: {}, timeout: true, duration_ns: 400,
+          duration_ext_ns: 1200, input_truncated: false
         )
       end
 
-      let(:result_3) { Datadog::AppSec::SecurityEngine::Result::Error.new(duration_ext_ns: 300) }
+      let(:result_3) do
+        Datadog::AppSec::SecurityEngine::Result::Error.new(duration_ext_ns: 300, input_truncated: false)
+      end
 
       it 'accumulates timeouts in addition to other metics' do
         expect(collector.waf.evals).to eq(3)
@@ -91,6 +101,7 @@
         expect(collector.waf.timeouts).to eq(2)
         expect(collector.waf.duration_ns).to eq(500)
         expect(collector.waf.duration_ext_ns).to eq(2000)
+        expect(collector.waf.input_truncated_count).to eq(0)
       end
     end
   end
@@ -104,6 +115,7 @@
         expect(collector.rasp.timeouts).to eq(0)
         expect(collector.rasp.duration_ns).to eq(0)
         expect(collector.rasp.duration_ext_ns).to eq(0)
+        expect(collector.rasp.input_truncated_count).to eq(0)
       end
     end
 
@@ -112,7 +124,8 @@
 
       let(:result) do
         Datadog::AppSec::SecurityEngine::Result::Ok.new(
-          events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 100, duration_ext_ns: 200
+          events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 100,
+          duration_ext_ns: 200, input_truncated: false
         )
       end
 
@@ -123,6 +136,7 @@
         expect(collector.rasp.timeouts).to eq(0)
         expect(collector.rasp.duration_ns).to eq(100)
         expect(collector.rasp.duration_ext_ns).to eq(200)
+        expect(collector.rasp.input_truncated_count).to eq(0)
       end
     end
 
@@ -134,13 +148,15 @@
 
       let(:result_1) do
         Datadog::AppSec::SecurityEngine::Result::Ok.new(
-          events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 100, duration_ext_ns: 200
+          events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 100,
+          duration_ext_ns: 200, input_truncated: false
         )
       end
 
       let(:result_2) do
         Datadog::AppSec::SecurityEngine::Result::Match.new(
-          events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 1000, duration_ext_ns: 1200
+          events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 1000,
+          duration_ext_ns: 1200, input_truncated: false
         )
       end
 
@@ -151,6 +167,7 @@
         expect(collector.rasp.timeouts).to eq(0)
         expect(collector.rasp.duration_ns).to eq(1100)
         expect(collector.rasp.duration_ext_ns).to eq(1400)
+        expect(collector.rasp.input_truncated_count).to eq(0)
       end
     end
 
@@ -163,17 +180,22 @@
 
       let(:result_1) do
         Datadog::AppSec::SecurityEngine::Result::Ok.new(
-          events: [], actions: {}, derivatives: {}, timeout: true, duration_ns: 100, duration_ext_ns: 500
+          events: [], actions: {}, derivatives: {}, timeout: true, duration_ns: 100,
+          duration_ext_ns: 500, input_truncated: false
         )
       end
 
       let(:result_2) do
         Datadog::AppSec::SecurityEngine::Result::Match.new(
-          events: [], actions: {}, derivatives: {}, timeout: true, duration_ns: 400, duration_ext_ns: 1200
+          events: [], actions: {}, derivatives: {}, timeout: true, duration_ns: 400,
+          duration_ext_ns: 1200,
+          input_truncated: false
         )
       end
 
-      let(:result_3) { Datadog::AppSec::SecurityEngine::Result::Error.new(duration_ext_ns: 300) }
+      let(:result_3) do
+        Datadog::AppSec::SecurityEngine::Result::Error.new(duration_ext_ns: 300, input_truncated: false)
+      end
 
       it 'accumulates timeouts in addition to other metics' do
         expect(collector.rasp.evals).to eq(3)
@@ -182,6 +204,7 @@
         expect(collector.rasp.timeouts).to eq(2)
         expect(collector.rasp.duration_ns).to eq(500)
         expect(collector.rasp.duration_ext_ns).to eq(2000)
+        expect(collector.rasp.input_truncated_count).to eq(0)
       end
     end
   end
diff --git a/spec/datadog/appsec/metrics/telemetry_exporter_spec.rb b/spec/datadog/appsec/metrics/telemetry_exporter_spec.rb
diff --git a/spec/datadog/appsec/security_engine/runner_spec.rb b/spec/datadog/appsec/security_engine/runner_spec.rb
diff --git a/vendor/rbs/libddwaf-stub/0/datadog/appsec/waf.rbs b/vendor/rbs/libddwaf-stub/0/datadog/appsec/waf.rbs

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,8 @@ def export_waf_request_metrics(metrics, context)`
`18`	`18`	`waf_timeout: metrics.timeouts.positive?.to_s,`
`19`	`19`	`request_blocked: context.interrupted?.to_s,`
`20`	`20`	`block_failure: 'false',`
`21`		`- rate_limited: (!context.trace.sampled?).to_s`
	`21`	`+ rate_limited: (!context.trace.sampled?).to_s,`
	`22`	`+ input_truncated: metrics.input_truncated_count.positive?.to_s,`
`22`	`23`	`}`
`23`	`24`	`)`
`24`	`25`	`end`