o id @sUddlmZddlZddlZddlmZddlmZddlmZddlm Z ddlm Z ddlm Z dd lm Z dd lm Z dd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlm Z ddl!m"Z"ddl#m$m%Z&ddl'm(Z)erddlm*Z*ddlm+Z+e&,e-Z%Gddde Z.GdddedZ/e/D] \Z0Z1e&2e1e&j3qd d!d!d"Z4d#Z5e d#e6d$<d%Z7e d%e6d&<d'Z8e d'e6d(<d)Z9e d)e6d*<d+Z:e d+e6d,<d-Z;e d-e6d.<e:giZe?e fe6d/<d0e>d1e>d2dfd3d4Z@Gd5d6d6ZAd2e eAfd7d8ZBd2e eAfd9d:ZCd2eDfd;d<ZEd2eDfd=d>ZFd2e efd?d@ZGd2e efdAdBZHdCZIeJe6dD<dEZKeJe6dF<GdGdHdHZLdIeAd2eDfdJdKZMd2e>fdLdMZNdNed2eDfdOdPZOdQed2dfdRdSZPdTed2dfdUdVZQd-e e=e>efedfd2dfdWdXZRdYedZe>d[e eSeJfd2dfd\d]ZTdIeAd2dfd^d_ZUdIeAd2dfd`daZVdbe>dce>d[ed2dfdddeZWdNed2dfdfdgZXdhed2dfdidjZYdce>d[ed2dfdkdlZZddbe>dce>dmed2efdndoZ[ddce>dmed2efdpdqZ\ddse eAgefdteDd2dfdudvZ]ddse eAgefdteDd2dfdwdxZ^dye gdzfd2dfd{d|Z_    rdd}e e=e>efd~e e>de e>deDd2e df ddZ`dddZade e>d2dfddZbd2e e>fddZcdNed2dfddZdd2e efddZedeDd2dfddZfd2eDfddZgde e gefded2dfddZhdddZid2eje>fddZk   r dde e>dNedeDde e d2df ddZlde>d>eDddde e>deDd2df ddZmd2e efddZnde?e=e>efd2dfddZode e.dYede>d2dfddZpdYed2dfddZqdedere esete ete efd2dfddZudedNeded2dfddZvdeded2dfddZwdeded2dfddZxd2e efddZyhdZzhdZ{e{|ezddYedNede>deDd2df ddĄZ}dddƄZ~dS))MappingN) TracebackType) TYPE_CHECKING)Any)Callable)Literal)Optional)Protocol)Union)parse)Span)APPSEC)SPAN_DATA_NAMES)Constant_Class)_set_waf_request_metrics) Block_config)Telemetry_result) get_triggers)is_inferred_span)_normalize_tag_name)core)BlockingException)config) DDWaf_info) DDWaf_resultc @sLeZdZ    d deeeefdeedeedededf d d ZdS) WafCallableNF custom_data crop_trace rule_type force_sentreturnrcCsdSN)selfrrrrr"r"W/home/ubuntu/.local/lib/python3.10/site-packages/ddtrace/appsec/_asm_request_context.py__call__&szWafCallable.__call__NNNF) __name__ __module__ __qualname__rdictstrrboolr%r"r"r"r$r%s rc@s(eZdZdZdZdZdZdZdZdZ dS) WARNING_TAGSz%asm_context::ASM_Environment::no_spanz+asm_context::set_blocked::no_active_contextz,asm_context::set_waf_info::no_active_contextz'asm_context::call_waf_callback::not_setz(asm_context::block_request::not_callablez-asm_context::get_data_sent::no_active_contextz6asm_context::store_waf_results_data::no_active_contextN) r'r(r)ASM_ENV_NO_SPANSET_BLOCKED_NO_ASM_CONTEXTSET_WAF_INFO_NO_ASM_CONTEXTCALL_WAF_CALLBACK_NOT_SETBLOCK_REQUEST_NOT_CALLABLEGET_DATA_SENT_NO_ASM_CONTEXT STORE_WAF_RESULTS_NO_ASM_CONTEXTr"r"r"r$r-/sr-) metaclassappsec)product stack_limit exec_limit_asm_env _ASM_CONTEXT waf_addresses_WAF_ADDRESSES callbacks _CALLBACKS telemetry _TELEMETRYcontext _CONTEXT_CALLblock _BLOCK_CALLGLOBAL_CALLBACKSerrormessager cCs.t}|sdS|tj||tj|dSr!)get_entry_span _set_tag_strr ERROR_TYPE ERROR_MESSAGE)rHrI entry_spanr"r"r$report_error_on_entry_spanNs rOc@s4eZdZdZ  d deedeedefddZdS) ASM_Environmentz an object of this class contains all asm data (waf and telemetry) for a single request. It is bound to a single asm request context. It is contained into a ContextVar. N waf_callablespan rc_productscCst |_|jr tt|pt}|dur$tjtj t ddt d||_ |j j |_|j jdr=|j jdd|_n|j j|_|jdd|_d|_i|_||_i|_t|_t|_g|_d|_d|_d |_||_ d |_!dS) NTextra stack_infozASM_Environment requires a spanz.requesti _Fr)"in_asm_contextrootradd_suppress_exceptionr get_root_spanloggerwarningr-r. log_extra TypeErrorrS_service_entry_spanrNnameendswith frameworklowerreplacewaf_infor=rRr?rrAsetaddresses_sent waf_triggersblocked finalizedapi_security_reportedrTdownstream_requests)r#rRrSrT context_spanr"r"r$__init__]s2      zASM_Environment.__init__NrQ) r'r(r)__doc__rrr r+rqr"r"r"r$rPVs rPcCs ttSr!r find_itemr<r"r"r"r$_get_asm_contexts rvcCs6t}|dus |jrddd}tjd|dddS|S)Nr6r7)r8r9z)asm_context::get_value::no_active_contextTrU)rvrmr^debug)envrVr"r"r$get_active_asm_contexts  rycCsttduSr!rtr"r"r"r$rZrZcCst}|dur dS|jduSNFrvrlrxr"r"r$ is_blocked r~cCst}|dur dS|jp dSr!r|r}r"r"r$ get_blockedrrcCs.t}|durt}|r|jStS|jSr!)rvrget_spanrbr]rN)rxrSr"r"r$rJsrJl~fq KNUTH_FACTORl UINT64_MAXc@s0eZdZUdZeed<eejeZ eed<dS)DownstreamRequestsrcounter sampling_rateN) r'r(r)rint__annotations__ asm_config_dr_sample_raterrr"r"r"r$rs rrxcCs.tjd7_|jtjkotjtttjkS)z*Check if we should analyze body for API10.)rrror_dr_body_limit_per_requestrrrr}r"r"r$should_analyze_body_responses rcCst}|dur dS|jSrr)rvrer}r"r"r$ get_frameworksrheadersc CsP|d|dd}|sdSd}d}|d}|D]}t|dkr"qtd|}|r|d d krJt|td t |d d urAd n|d }q|d dkrht|td t |d d ur_dn|d }q|d dkrt|td t |d d ur}d n|d }q|d dkrt|td t |d d urdn|d }q||kS)zmdecide if the response should be html or json. Add support for quality values in the Accept header. AcceptacceptrQF,z'([^/;]+/[^/;]+)(?:;q=([01](?:\.\d*)?))?r text/htmlg?Nztext/*g?zapplication/jsonz application/*) getsplitlenrematchstripgroupmaxminfloat)rctype html_score json_scorectypesctmr"r"r$ _use_htmls*  ...,r block_configcCs<t}|dur dS|jdkrt|s|jdkrd|_dSdS)zJcompute MIME type of the blocked response and store it in the block configNautohtmlr) get_headerstyper content_type)rrr"r"r$_ctype_from_headerss  rrlcCs6t}|durtjtjtdddSt|||_dSNTrU)rvr^r_r-r/r`rrl)rlrxr"r"r$ set_blockeds  rcCs:t|tr tdi|}n |durt}n|}t|dS)Nr") isinstancer*rr)rErlr"r"r$set_blocked_dicts  rrSrcvaluecCs|||||p ddS)Nr) set_metric get_metric)rSrcrr"r"r$update_span_metricssrcCsddlm}|j}|jrbt|}|dur||jn|j}tjr+|t j d|in| t j t jd|idd|j}|dur_t|r_tjrQ|t j d|in| t j t jd|iddg|_|j}|t j||jrwt|t j|j|jrt|t j|jd|_t|t j|jd|_|jrt|t j|jt|jj}|rt|t j ||jj!rt|t j"|jjt|t j#|jjt|t j$|jj!|j%j&r|'t j(t)|j%j&|j%j*r|'t j+t)|j%j*|j%j,r|'t j-t)|j%j,dSdS)Nr) ddwaf_versiontriggers)r:) separatorsr).ddtrace.appsec._metricsrrNrkrextendr_use_metastruct_for_triggers_set_struct_tagr STRUCTset_tagJSONjsondumps_parentrrArK WAF_VERSIONrorDOWNSTREAM_REQUESTStotal_duration WAF_DURATIONdurationWAF_DURATION_EXTtimeout WAF_TIMEOUTSsumraspvalues RASP_TIMEOUTSsum_eval RASP_DURATIONRASP_DURATION_EXTRASP_RULE_EVAL truncation string_lengthrTRUNCATION_STRING_LENGTHrcontainer_sizeTRUNCATION_CONTAINER_SIZEcontainer_depthTRUNCATION_CONTAINER_DEPTH)rxrrN report_listparenttelemetry_results rasp_timeoutsr"r"r$flush_waf_triggerssR rcCsp|jrdSd|_ttD]}||q t|t|j|j}|r|jrn|}z4|jrC| t j |jd|jdd}t j d|dd| t j|j|t j|j|t j|jWntymt j dtddYnwtjdur{|t jtj|j}|tji}|rt||d d |tj i}|rt||d d |j!r| t j"|j!|j#$d|_%t&'t(dS) NTr6r7r8 more_infor9z)asm_context::finalize_asm_env::waf_errorsrUz(asm_context::finalize_asm_env::exception)rVexc_inforequest)kindresponse))rmrGrDrrrArNrherrorsrKr EVENT_RULE_ERRORSr^rwEVENT_RULE_VERSIONversionrEVENT_RULE_LOADEDloadedEVENT_RULE_ERROR_COUNTfailed Exceptionr`r _rc_client_idr RC_CLIENT_IDr=rrREQUEST_HEADERS_NO_COOKIES _set_headersRESPONSE_HEADERS_NO_COOKIESrT RC_PRODUCTSr?clearrRrdiscard_local_itemr<)rxfunctionrNinforV waf_adresses req_headers res_headersr"r"r$finalize_asm_env1sH      rcategoryaddresscCs^t}|durdd|d|dd}tjd|dddSt||d}|dur-|||<dSdS)Nr6z::r7rz)asm_context::set_value::no_active_contextTrU)rvr^rwgetattr)rrrrxrVasm_context_attrr"r"r$ set_valueYs  rcC|dur ttj|dSdSr!)set_waf_addressrrrr"r"r$set_headers_responsedr body_responsecsVddlmtdurdddd}tjd|dd dSttjfd d dS) Nr)parse_response_bodyr6z::set_body_responser7rz1asm_context::set_body_response::no_active_contextTrUcsjtjdSr!)r=rrrr"rrxr r"r$usz#set_body_response..)ddtrace.appsec._utilsr rvr^rwrr RESPONSE_BODY)rrVr"r r$set_body_responseis  rcCsx|tjkr$t|}tjddg|ddR}t|}tt||ntt|||tjtj fvr:t ||dSdS)NrQr) rREQUEST_URI_RAWr urlparse ParseResult urlunparserr>REQUEST_HTTP_IPREQUEST_HEADERS_NO_COOKIES_CASErset_item)rr parse_address no_scheme waf_valuer"r"r$r|s    rdefaultcCs6t}|dur |St||d}|dur|||S|Sr!)ryrr)rrrrxrr"r"r$ get_values  rcCstt||dS)N)r)rr>)rrr"r"r$get_waf_addressrzrFrglobal_callbackcCs"|rttg}||dSdSr!)rG setdefaultrDappendrrr?r"r"r$add_context_callbacks r cs<|rtt}|rtfdd|D|dd<dSdSdS)Ncsg|]}|kr|qSr"r").0cbrr"r$ sz+remove_context_callback..)rGrrDlistrr"r#r$remove_context_callbacks  "r&rrcCs.t}|durtjtjtdddS||_dSr)rvr^r_r-r0r`rh)rrxr"r"r$ set_waf_infos  r'rrrrrcCsTtjsdSt}|dur|jdur|||||Stjtjtddt dtjdS)NTrUz#appsec::instrumentation::diagnostic) r _asm_enabledryrRr^r_r-r1r`rO)rrrrrxr"r"r$call_waf_callbacks r)cCs<tjrt}|r|jjs|j}|r|dSdSdSdSdS)z.call the waf once if it was not already calledN)rr(rvrA triggeredrR)rxrRr"r"r$$call_waf_callback_no_instrumentations  r+ipcCrr!)rrr)r,r"r"r$set_iprr-cCs tttjSr!)rr>rrr"r"r"r$get_ips r.cCrr!)rrrrr"r"r$ set_headersrr/cCstttjiSr!)rr>rrr"r"r"r$rrzrcase_sensitivecCsttj|dSr!)rrr)r0r"r"r$set_headers_case_sensitivesr1cCstttjdSr{)rr>rrr"r"r"r$get_headers_case_sensitiverzr2 _callablerYcGs"tjr |rttt|dSdSdS)z Sets a callable that could be use to do a best-effort to block the request. If the callable need any params, like headers, they should be curried with functools.partial. N)rr(rr@rF)r3rYr"r"r$set_block_request_callables r4cCs.ttt}|r |dStjtjtdddS)zE Calls or returns the stored block request callable, if set. TrUN)rr@rFr^r_r-r2r`)r3r"r"r$ block_requests  r5cCs,t}|durtjtjtddtS|jSr)rvr^r_r-r3r`rirjr}r"r"r$ get_data_sents r6 remote_ipheaders_case_sensitiveblock_request_callablecCs$t|t|t|t|dSr!)r-r/r1r4)r7rr8r9r"r"r$asm_request_context_sets r: rules_version waf_results is_sampledc Cst}|dur dS|j}t|j}ddlm}|j|O_|jdkr@|jr/t |j|j|_n|j|_ddlm } | |j||||j dD]} t |j | } t | tr]t |j | | qG|dur|j|O_|j|O_|j|j7_|r}||_|j|j7_|j|j7_dS|jj|O_|jjd7_|jj|d7<|jj|t|7<|jj|t|j7<|jj||j7<|jj|j7_|jj|j7_dS)Nr)_report_waf_truncations)_report_waf_run_error)rrrr)rvrAr,datarr> rate_limited return_coderHrr?rrrrrr*rlrrrruntimer total_runtimerrevalr durations) r;r~r<rr=rxresult is_triggeredr>r?keyresr"r"r$set_waf_telemetry_resultssF       rKcCst}|r|jSdSr!)rvrAr}r"r"r$get_waf_telemetry_results?srLr@cCsR|sdSt}|durtjtjtdddS|D]}|jj|d<q|j |dS)NTrUspan_id) rvr^r_r-r4r`rSrMrkr)r@rxdr"r"r$store_waf_results_dataFsrOrRrTcCsJtjr#ttt|||dttdtdtdtddSdS)NrRrSrT remote_addrrr8r9)rr(rrr<rPr:get_itemrPr"r"r$ start_contextRs rScCs,t}|dur|j|urt|dSdSdSr!)rvrSr)rSrxr"r"r$ end_contextes rTctx _exc_infocCs"|t}|durt|dSdSr!)rRr<r)rUrVrxr"r"r$_on_context_endedks  rWrcGs^tjsdStjr)|rt|trt|}nt|}t||r+tjr-t |dSdSdSdSr!) rr(_api_security_feature_activerr*r%itemsr!_api_security_parse_response_bodyr)rrrY list_headersr"r"r$_set_headers_and_responsets   r\ integrationcG,tjsdS|d}tj|tdtdS)Nz::srb_on_requestrVrr(r^rwr`r)r]rYrr"r"r$_call_waf_first   rbcGr^)Nz::srb_on_responser_r`rar"r"r$ _call_wafrcrdcCstjrtSdSr!)rr(rr"r"r"r$_get_headers_if_appsecsre> cf-ray user-agent content-type x-sigsci-tagsx-amzn-trace-idakamai-user-riskx-appgw-trace-idx-sigsci-requestidx-cloud-trace-context!cloudfront-viewer-ja3-fingerprintr> x-real-ip x-client-ip x-forwarded forwarded-forcontent-lengthtrue-client-ipaccept-encodingaccept-languagex-forwarded-forcf-connecting-ipcontent-encodingcontent-languagefastly-client-ipcf-connecting-ipv6x-cluster-client-ipviahost forwardedronly_asm_enabledcCsz|D]8}t|tr|\}}n|||}}t|tr|}t|tr'|}||r.tntvr:|t|||qdSr!) rtuplebytesdecoderf&_COLLECTED_REQUEST_HEADERS_ASM_ENABLED_COLLECTED_REQUEST_HEADERSrr)rSrrrkrIrr"r"r$rs    rcCstdttdtddS)Nzasm.set_blockedzasm.get_blockedr)ronrrr"r"r"r$ asm_listens rr!)Fr&)r N)NNFN)collections.abcrrrtypesrtypingrrrrrr r urllibr ddtrace._trace.spanr ddtrace.appsec._constantsr rrrrr rrrr)ddtrace.contrib.internal.trace_utils_baserddtrace.internalrddtrace.internal._exceptionsrddtrace.internal.loggerinternalr^ddloggerddtrace.internal.settings.asmrrrr get_loggerr'rr-rYtagset_tag_rate_limitDAYr`r<rr>r@rBrDrFrGr*r+r%rOrPrvryr,rZr~rrJrrrrrrrrrrrrrrrrrrrrr r&r'r)r+r-r.r/rr1r2r4r5rir6r:rKrLrOrSrTrr BaseExceptionrWr\rbrdrerrupdaterrr"r"r"r$s                            *    $ " 2(   ""    "      1