From ab14f2fd24c03a5efd0945c5bafacd6ef08f2cad Mon Sep 17 00:00:00 2001 From: Yury Lebedev Date: Wed, 22 Jan 2025 16:14:09 +0100 Subject: [PATCH 1/5] Add Datadog.configuration.appsec.rasp_enabled --- lib/datadog/appsec.rb | 4 ++++ lib/datadog/appsec/configuration/settings.rb | 6 +++++ .../appsec/configuration/settings_spec.rb | 24 +++++++++++++++++++ 3 files changed, 34 insertions(+) diff --git a/lib/datadog/appsec.rb b/lib/datadog/appsec.rb index 0c6218fc72f..9136c3d68a0 100644 --- a/lib/datadog/appsec.rb +++ b/lib/datadog/appsec.rb @@ -14,6 +14,10 @@ def enabled? Datadog.configuration.appsec.enabled end + def rasp_enabled? + Datadog.configuration.appsec.rasp_enabled + end + def active_context Datadog::AppSec::Context.active end diff --git a/lib/datadog/appsec/configuration/settings.rb b/lib/datadog/appsec/configuration/settings.rb index e8ed0a8240a..038487f1add 100644 --- a/lib/datadog/appsec/configuration/settings.rb +++ b/lib/datadog/appsec/configuration/settings.rb @@ -49,6 +49,12 @@ def self.add_settings!(base) end end + option :rasp_enabled do |o| + o.type :bool, nilable: true + o.env 'DD_APPSEC_RASP_ENABLED' + o.default true + end + option :ruleset do |o| o.env 'DD_APPSEC_RULES' o.default :recommended diff --git a/spec/datadog/appsec/configuration/settings_spec.rb b/spec/datadog/appsec/configuration/settings_spec.rb index 3d8115bc3fc..7e2fbe07bf5 100644 --- a/spec/datadog/appsec/configuration/settings_spec.rb +++ b/spec/datadog/appsec/configuration/settings_spec.rb @@ -77,6 +77,30 @@ def patcher end end + describe '#rasp_enabled' do + subject(:rasp_enabled) { settings.appsec.rasp_enabled } + + context 'when DD_APPSEC_RASP_ENABLED' do + around do |example| + ClimateControl.modify('DD_APPSEC_RASP_ENABLED' => rasp_enabled_env_var) do + example.run + end + end + + context 'is not defined' do + let(:rasp_enabled_env_var) { nil } + + it { is_expected.to eq true } + end + + context 'is defined' do + let(:rasp_enabled_env_var) { 'false' } + + it { is_expected.to eq(false) } + end + end + end + describe '#instrument' do let(:registry) { {} } let(:integration_name) { :fake } From ec03f71ccb658abc674fb33c983aef9403fa353b Mon Sep 17 00:00:00 2001 From: Yury Lebedev Date: Wed, 22 Jan 2025 16:33:58 +0100 Subject: [PATCH 2/5] Disable ActiveRecord instrumentation when RASP is disabled --- .../contrib/active_record/instrumentation.rb | 2 ++ .../active_record/mysql2_adapter_spec.rb | 19 +++++++++++++++++++ .../active_record/postgresql_adapter_spec.rb | 19 +++++++++++++++++++ .../active_record/sqlite3_adapter_spec.rb | 19 +++++++++++++++++++ 4 files changed, 59 insertions(+) diff --git a/lib/datadog/appsec/contrib/active_record/instrumentation.rb b/lib/datadog/appsec/contrib/active_record/instrumentation.rb index aa0cfcf3236..3e77de6dfca 100644 --- a/lib/datadog/appsec/contrib/active_record/instrumentation.rb +++ b/lib/datadog/appsec/contrib/active_record/instrumentation.rb @@ -9,6 +9,8 @@ module Instrumentation module_function def detect_sql_injection(sql, adapter_name) + return unless AppSec.rasp_enabled? + context = AppSec.active_context return unless context diff --git a/spec/datadog/appsec/contrib/active_record/mysql2_adapter_spec.rb b/spec/datadog/appsec/contrib/active_record/mysql2_adapter_spec.rb index 72b73b22162..cb50e1c19c8 100644 --- a/spec/datadog/appsec/contrib/active_record/mysql2_adapter_spec.rb +++ b/spec/datadog/appsec/contrib/active_record/mysql2_adapter_spec.rb @@ -16,6 +16,7 @@ let(:ruleset) { Datadog::AppSec::Processor::RuleLoader.load_rules(ruleset: :recommended, telemetry: telemetry) } let(:processor) { Datadog::AppSec::Processor.new(ruleset: ruleset, telemetry: telemetry) } let(:context) { Datadog::AppSec::Context.new(trace, span, processor) } + let(:rasp_enabled) { true } let(:span) { Datadog::Tracing::SpanOperation.new('root') } let(:trace) { Datadog::Tracing::TraceOperation.new } @@ -54,6 +55,8 @@ Datadog::AppSec::Context.activate(context) + allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(rasp_enabled) + raise_on_rails_deprecation! end @@ -64,6 +67,22 @@ processor.finalize end + context 'when RASP is disabled' do + let(:rasp_enabled) { false } + + it 'does not call waf when querying using .where' do + expect(Datadog::AppSec.active_context).not_to receive(:run_rasp) + + User.where(name: 'Bob').to_a + end + + it 'does not call waf when querying using .find_by_sql' do + expect(Datadog::AppSec.active_context).not_to receive(:run_rasp) + + User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a + end + end + it 'calls waf with correct arguments when querying using .where' do expect(Datadog::AppSec.active_context).to( receive(:run_rasp).with( diff --git a/spec/datadog/appsec/contrib/active_record/postgresql_adapter_spec.rb b/spec/datadog/appsec/contrib/active_record/postgresql_adapter_spec.rb index 2ea1825d279..7b266acbb1a 100644 --- a/spec/datadog/appsec/contrib/active_record/postgresql_adapter_spec.rb +++ b/spec/datadog/appsec/contrib/active_record/postgresql_adapter_spec.rb @@ -16,6 +16,7 @@ let(:ruleset) { Datadog::AppSec::Processor::RuleLoader.load_rules(ruleset: :recommended, telemetry: telemetry) } let(:processor) { Datadog::AppSec::Processor.new(ruleset: ruleset, telemetry: telemetry) } let(:context) { Datadog::AppSec::Context.new(trace, span, processor) } + let(:rasp_enabled) { true } let(:span) { Datadog::Tracing::SpanOperation.new('root') } let(:trace) { Datadog::Tracing::TraceOperation.new } @@ -55,6 +56,8 @@ Datadog::AppSec::Context.activate(context) + allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(rasp_enabled) + raise_on_rails_deprecation! end @@ -65,6 +68,22 @@ processor.finalize end + context 'when RASP is disabled' do + let(:rasp_enabled) { false } + + it 'does not call waf when querying using .where' do + expect(Datadog::AppSec.active_context).not_to receive(:run_rasp) + + User.where(name: 'Bob').to_a + end + + it 'does not call waf when querying using .find_by_sql' do + expect(Datadog::AppSec.active_context).not_to receive(:run_rasp) + + User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a + end + end + it 'calls waf with correct arguments when querying using .where' do expected_db_statement = if PlatformHelpers.jruby? 'SELECT "users".* FROM "users" WHERE "users"."name" = ?' diff --git a/spec/datadog/appsec/contrib/active_record/sqlite3_adapter_spec.rb b/spec/datadog/appsec/contrib/active_record/sqlite3_adapter_spec.rb index 26607bca764..aa121a924b6 100644 --- a/spec/datadog/appsec/contrib/active_record/sqlite3_adapter_spec.rb +++ b/spec/datadog/appsec/contrib/active_record/sqlite3_adapter_spec.rb @@ -16,6 +16,7 @@ let(:ruleset) { Datadog::AppSec::Processor::RuleLoader.load_rules(ruleset: :recommended, telemetry: telemetry) } let(:processor) { Datadog::AppSec::Processor.new(ruleset: ruleset, telemetry: telemetry) } let(:context) { Datadog::AppSec::Context.new(trace, span, processor) } + let(:rasp_enabled) { true } let(:span) { Datadog::Tracing::SpanOperation.new('root') } let(:trace) { Datadog::Tracing::TraceOperation.new } @@ -48,6 +49,8 @@ Datadog::AppSec::Context.activate(context) + allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(rasp_enabled) + raise_on_rails_deprecation! end @@ -58,6 +61,22 @@ processor.finalize end + context 'when RASP is disabled' do + let(:rasp_enabled) { false } + + it 'does not call waf when querying using .where' do + expect(Datadog::AppSec.active_context).not_to receive(:run_rasp) + + User.where(name: 'Bob').to_a + end + + it 'does not call waf when querying using .find_by_sql' do + expect(Datadog::AppSec.active_context).not_to receive(:run_rasp) + + User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a + end + end + it 'calls waf with correct arguments when querying using .where' do expect(Datadog::AppSec.active_context).to( receive(:run_rasp).with( From ceba57335b3d9b288dee04579103afeed2c0702d Mon Sep 17 00:00:00 2001 From: Yury Lebedev Date: Wed, 22 Jan 2025 17:39:46 +0100 Subject: [PATCH 3/5] Improve specs for AppSec ActiveRecord instrumentation --- .../appsec/configuration/settings_spec.rb | 4 +- .../active_record/mysql2_adapter_spec.rb | 87 ++++++++-------- .../active_record/postgresql_adapter_spec.rb | 99 ++++++++++--------- .../active_record/sqlite3_adapter_spec.rb | 87 ++++++++-------- 4 files changed, 146 insertions(+), 131 deletions(-) diff --git a/spec/datadog/appsec/configuration/settings_spec.rb b/spec/datadog/appsec/configuration/settings_spec.rb index 7e2fbe07bf5..d3b33844a1b 100644 --- a/spec/datadog/appsec/configuration/settings_spec.rb +++ b/spec/datadog/appsec/configuration/settings_spec.rb @@ -90,13 +90,13 @@ def patcher context 'is not defined' do let(:rasp_enabled_env_var) { nil } - it { is_expected.to eq true } + it { expect(settings.appsec.rasp_enabled).to eq(true) } end context 'is defined' do let(:rasp_enabled_env_var) { 'false' } - it { is_expected.to eq(false) } + it { expect(settings.appsec.rasp_enabled).to eq(false) } end end end diff --git a/spec/datadog/appsec/contrib/active_record/mysql2_adapter_spec.rb b/spec/datadog/appsec/contrib/active_record/mysql2_adapter_spec.rb index cb50e1c19c8..e0598617dac 100644 --- a/spec/datadog/appsec/contrib/active_record/mysql2_adapter_spec.rb +++ b/spec/datadog/appsec/contrib/active_record/mysql2_adapter_spec.rb @@ -16,7 +16,6 @@ let(:ruleset) { Datadog::AppSec::Processor::RuleLoader.load_rules(ruleset: :recommended, telemetry: telemetry) } let(:processor) { Datadog::AppSec::Processor.new(ruleset: ruleset, telemetry: telemetry) } let(:context) { Datadog::AppSec::Context.new(trace, span, processor) } - let(:rasp_enabled) { true } let(:span) { Datadog::Tracing::SpanOperation.new('root') } let(:trace) { Datadog::Tracing::TraceOperation.new } @@ -55,8 +54,6 @@ Datadog::AppSec::Context.activate(context) - allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(rasp_enabled) - raise_on_rails_deprecation! end @@ -68,7 +65,9 @@ end context 'when RASP is disabled' do - let(:rasp_enabled) { false } + before do + allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(false) + end it 'does not call waf when querying using .where' do expect(Datadog::AppSec.active_context).not_to receive(:run_rasp) @@ -83,46 +82,52 @@ end end - it 'calls waf with correct arguments when querying using .where' do - expect(Datadog::AppSec.active_context).to( - receive(:run_rasp).with( - Datadog::AppSec::Ext::RASP_SQLI, - {}, - { - 'server.db.statement' => "SELECT `users`.* FROM `users` WHERE `users`.`name` = 'Bob'", - 'server.db.system' => 'mysql2' - }, - Datadog.configuration.appsec.waf_timeout - ).and_call_original - ) - - User.where(name: 'Bob').to_a - end + context 'when RASP is enabled' do + before do + allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(true) + end - it 'calls waf with correct arguments when querying using .find_by_sql' do - expect(Datadog::AppSec.active_context).to( - receive(:run_rasp).with( - Datadog::AppSec::Ext::RASP_SQLI, - {}, - { - 'server.db.statement' => "SELECT * FROM users WHERE name = 'Bob'", - 'server.db.system' => 'mysql2' - }, - Datadog.configuration.appsec.waf_timeout - ).and_call_original - ) - - User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a - end + it 'calls waf with correct arguments when querying using .where' do + expect(Datadog::AppSec.active_context).to( + receive(:run_rasp).with( + Datadog::AppSec::Ext::RASP_SQLI, + {}, + { + 'server.db.statement' => "SELECT `users`.* FROM `users` WHERE `users`.`name` = 'Bob'", + 'server.db.system' => 'mysql2' + }, + Datadog.configuration.appsec.waf_timeout + ).and_call_original + ) + + User.where(name: 'Bob').to_a + end + + it 'calls waf with correct arguments when querying using .find_by_sql' do + expect(Datadog::AppSec.active_context).to( + receive(:run_rasp).with( + Datadog::AppSec::Ext::RASP_SQLI, + {}, + { + 'server.db.statement' => "SELECT * FROM users WHERE name = 'Bob'", + 'server.db.system' => 'mysql2' + }, + Datadog.configuration.appsec.waf_timeout + ).and_call_original + ) - it 'adds an event to processor context if waf result is a match' do - result = Datadog::AppSec::SecurityEngine::Result::Match.new( - events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 0, duration_ext_ns: 0 - ) + User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a + end - expect(Datadog::AppSec.active_context).to receive(:run_rasp).and_return(result) - expect(Datadog::AppSec.active_context.events).to receive(:<<).and_call_original + it 'adds an event to processor context if waf result is a match' do + result = Datadog::AppSec::SecurityEngine::Result::Match.new( + events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 0, duration_ext_ns: 0 + ) - User.where(name: 'Bob').to_a + expect(Datadog::AppSec.active_context).to receive(:run_rasp).and_return(result) + expect(Datadog::AppSec.active_context.events).to receive(:<<).and_call_original + + User.where(name: 'Bob').to_a + end end end diff --git a/spec/datadog/appsec/contrib/active_record/postgresql_adapter_spec.rb b/spec/datadog/appsec/contrib/active_record/postgresql_adapter_spec.rb index 7b266acbb1a..40a14101820 100644 --- a/spec/datadog/appsec/contrib/active_record/postgresql_adapter_spec.rb +++ b/spec/datadog/appsec/contrib/active_record/postgresql_adapter_spec.rb @@ -16,7 +16,6 @@ let(:ruleset) { Datadog::AppSec::Processor::RuleLoader.load_rules(ruleset: :recommended, telemetry: telemetry) } let(:processor) { Datadog::AppSec::Processor.new(ruleset: ruleset, telemetry: telemetry) } let(:context) { Datadog::AppSec::Context.new(trace, span, processor) } - let(:rasp_enabled) { true } let(:span) { Datadog::Tracing::SpanOperation.new('root') } let(:trace) { Datadog::Tracing::TraceOperation.new } @@ -56,8 +55,6 @@ Datadog::AppSec::Context.activate(context) - allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(rasp_enabled) - raise_on_rails_deprecation! end @@ -69,7 +66,9 @@ end context 'when RASP is disabled' do - let(:rasp_enabled) { false } + before do + allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(false) + end it 'does not call waf when querying using .where' do expect(Datadog::AppSec.active_context).not_to receive(:run_rasp) @@ -84,52 +83,58 @@ end end - it 'calls waf with correct arguments when querying using .where' do - expected_db_statement = if PlatformHelpers.jruby? - 'SELECT "users".* FROM "users" WHERE "users"."name" = ?' - else - 'SELECT "users".* FROM "users" WHERE "users"."name" = $1' - end - - expect(Datadog::AppSec.active_context).to( - receive(:run_rasp).with( - Datadog::AppSec::Ext::RASP_SQLI, - {}, - { - 'server.db.statement' => expected_db_statement, - 'server.db.system' => 'postgresql' - }, - Datadog.configuration.appsec.waf_timeout - ).and_call_original - ) - - User.where(name: 'Bob').to_a - end + context 'when RASP is enabled' do + before do + allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(true) + end - it 'calls waf with correct arguments when querying using .find_by_sql' do - expect(Datadog::AppSec.active_context).to( - receive(:run_rasp).with( - Datadog::AppSec::Ext::RASP_SQLI, - {}, - { - 'server.db.statement' => "SELECT * FROM users WHERE name = 'Bob'", - 'server.db.system' => 'postgresql' - }, - Datadog.configuration.appsec.waf_timeout - ).and_call_original - ) - - User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a - end + it 'calls waf with correct arguments when querying using .where' do + expected_db_statement = if PlatformHelpers.jruby? + 'SELECT "users".* FROM "users" WHERE "users"."name" = ?' + else + 'SELECT "users".* FROM "users" WHERE "users"."name" = $1' + end + + expect(Datadog::AppSec.active_context).to( + receive(:run_rasp).with( + Datadog::AppSec::Ext::RASP_SQLI, + {}, + { + 'server.db.statement' => expected_db_statement, + 'server.db.system' => 'postgresql' + }, + Datadog.configuration.appsec.waf_timeout + ).and_call_original + ) + + User.where(name: 'Bob').to_a + end + + it 'calls waf with correct arguments when querying using .find_by_sql' do + expect(Datadog::AppSec.active_context).to( + receive(:run_rasp).with( + Datadog::AppSec::Ext::RASP_SQLI, + {}, + { + 'server.db.statement' => "SELECT * FROM users WHERE name = 'Bob'", + 'server.db.system' => 'postgresql' + }, + Datadog.configuration.appsec.waf_timeout + ).and_call_original + ) - it 'adds an event to processor context if waf result is a match' do - result = Datadog::AppSec::SecurityEngine::Result::Match.new( - events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 0, duration_ext_ns: 0 - ) + User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a + end - expect(Datadog::AppSec.active_context).to receive(:run_rasp).and_return(result) - expect(Datadog::AppSec.active_context.events).to receive(:<<).and_call_original + it 'adds an event to processor context if waf result is a match' do + result = Datadog::AppSec::SecurityEngine::Result::Match.new( + events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 0, duration_ext_ns: 0 + ) - User.where(name: 'Bob').to_a + expect(Datadog::AppSec.active_context).to receive(:run_rasp).and_return(result) + expect(Datadog::AppSec.active_context.events).to receive(:<<).and_call_original + + User.where(name: 'Bob').to_a + end end end diff --git a/spec/datadog/appsec/contrib/active_record/sqlite3_adapter_spec.rb b/spec/datadog/appsec/contrib/active_record/sqlite3_adapter_spec.rb index aa121a924b6..203780f834d 100644 --- a/spec/datadog/appsec/contrib/active_record/sqlite3_adapter_spec.rb +++ b/spec/datadog/appsec/contrib/active_record/sqlite3_adapter_spec.rb @@ -16,7 +16,6 @@ let(:ruleset) { Datadog::AppSec::Processor::RuleLoader.load_rules(ruleset: :recommended, telemetry: telemetry) } let(:processor) { Datadog::AppSec::Processor.new(ruleset: ruleset, telemetry: telemetry) } let(:context) { Datadog::AppSec::Context.new(trace, span, processor) } - let(:rasp_enabled) { true } let(:span) { Datadog::Tracing::SpanOperation.new('root') } let(:trace) { Datadog::Tracing::TraceOperation.new } @@ -49,8 +48,6 @@ Datadog::AppSec::Context.activate(context) - allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(rasp_enabled) - raise_on_rails_deprecation! end @@ -62,7 +59,9 @@ end context 'when RASP is disabled' do - let(:rasp_enabled) { false } + before do + allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(false) + end it 'does not call waf when querying using .where' do expect(Datadog::AppSec.active_context).not_to receive(:run_rasp) @@ -77,46 +76,52 @@ end end - it 'calls waf with correct arguments when querying using .where' do - expect(Datadog::AppSec.active_context).to( - receive(:run_rasp).with( - Datadog::AppSec::Ext::RASP_SQLI, - {}, - { - 'server.db.statement' => 'SELECT "users".* FROM "users" WHERE "users"."name" = ?', - 'server.db.system' => 'sqlite' - }, - Datadog.configuration.appsec.waf_timeout - ).and_call_original - ) - - User.where(name: 'Bob').to_a - end + context 'when RASP is enabled' do + before do + allow(Datadog::AppSec).to receive(:rasp_enabled?).and_return(true) + end - it 'calls waf with correct arguments when querying using .find_by_sql' do - expect(Datadog::AppSec.active_context).to( - receive(:run_rasp).with( - Datadog::AppSec::Ext::RASP_SQLI, - {}, - { - 'server.db.statement' => "SELECT * FROM users WHERE name = 'Bob'", - 'server.db.system' => 'sqlite' - }, - Datadog.configuration.appsec.waf_timeout - ).and_call_original - ) - - User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a - end + it 'calls waf with correct arguments when querying using .where' do + expect(Datadog::AppSec.active_context).to( + receive(:run_rasp).with( + Datadog::AppSec::Ext::RASP_SQLI, + {}, + { + 'server.db.statement' => 'SELECT "users".* FROM "users" WHERE "users"."name" = ?', + 'server.db.system' => 'sqlite' + }, + Datadog.configuration.appsec.waf_timeout + ).and_call_original + ) + + User.where(name: 'Bob').to_a + end + + it 'calls waf with correct arguments when querying using .find_by_sql' do + expect(Datadog::AppSec.active_context).to( + receive(:run_rasp).with( + Datadog::AppSec::Ext::RASP_SQLI, + {}, + { + 'server.db.statement' => "SELECT * FROM users WHERE name = 'Bob'", + 'server.db.system' => 'sqlite' + }, + Datadog.configuration.appsec.waf_timeout + ).and_call_original + ) - it 'adds an event to processor context if waf result is a match' do - result = Datadog::AppSec::SecurityEngine::Result::Match.new( - events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 0, duration_ext_ns: 0 - ) + User.find_by_sql("SELECT * FROM users WHERE name = 'Bob'").to_a + end - expect(Datadog::AppSec.active_context).to receive(:run_rasp).and_return(result) - expect(Datadog::AppSec.active_context.events).to receive(:<<).and_call_original + it 'adds an event to processor context if waf result is a match' do + result = Datadog::AppSec::SecurityEngine::Result::Match.new( + events: [], actions: {}, derivatives: {}, timeout: false, duration_ns: 0, duration_ext_ns: 0 + ) - User.where(name: 'Bob').to_a + expect(Datadog::AppSec.active_context).to receive(:run_rasp).and_return(result) + expect(Datadog::AppSec.active_context.events).to receive(:<<).and_call_original + + User.where(name: 'Bob').to_a + end end end From 89495b52406c35abe9f76d6051b60fc5d98f7ee9 Mon Sep 17 00:00:00 2001 From: Yury Lebedev Date: Thu, 23 Jan 2025 09:59:58 +0100 Subject: [PATCH 4/5] Remove obsolete variable from AppSec::Configuration::Settings spec --- spec/datadog/appsec/configuration/settings_spec.rb | 2 -- 1 file changed, 2 deletions(-) diff --git a/spec/datadog/appsec/configuration/settings_spec.rb b/spec/datadog/appsec/configuration/settings_spec.rb index d3b33844a1b..541546ae364 100644 --- a/spec/datadog/appsec/configuration/settings_spec.rb +++ b/spec/datadog/appsec/configuration/settings_spec.rb @@ -78,8 +78,6 @@ def patcher end describe '#rasp_enabled' do - subject(:rasp_enabled) { settings.appsec.rasp_enabled } - context 'when DD_APPSEC_RASP_ENABLED' do around do |example| ClimateControl.modify('DD_APPSEC_RASP_ENABLED' => rasp_enabled_env_var) do From 65e8bfb57c68f4a3bce7d70eec5beb428e947e36 Mon Sep 17 00:00:00 2001 From: Yury Lebedev Date: Thu, 23 Jan 2025 11:22:27 +0100 Subject: [PATCH 5/5] Add a comment explaining what RASP means --- lib/datadog/appsec/configuration/settings.rb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/datadog/appsec/configuration/settings.rb b/lib/datadog/appsec/configuration/settings.rb index 038487f1add..74a3aabb62e 100644 --- a/lib/datadog/appsec/configuration/settings.rb +++ b/lib/datadog/appsec/configuration/settings.rb @@ -49,6 +49,9 @@ def self.add_settings!(base) end end + # RASP or Runtime Application Self-Protection + # is a collection of techniques and heuristics aimed at detecting malicious inputs and preventing + # any potential side-effects on the application resulting from the use of said malicious inputs. option :rasp_enabled do |o| o.type :bool, nilable: true o.env 'DD_APPSEC_RASP_ENABLED'