Add stack trace collection support

[vpellan]

What does this PR do?

This PR adds stack trace collection support using meta_struct

Motivation:

Stack trace collection is required for exploit prevention.

Change log entry

Yes. Fix stack trace not being with RASP SQLi signals

Additional Notes:

How to test the change?

[datadog-datadog-prod-us1]

Datadog Report

Branch report: vpellan/stack-trace-collection
Commit report: a6ab36f
Test service: dd-trace-rb

❌ 9 Failed (0 Known Flaky), 21946 Passed, 1476 Skipped, 5m 27.74s Total Time

❌ Failed Tests (9)

This report shows up to 5 failed tests.

• Datadog::AppSec::ActionsHandler.handle calls both generate_stack and block_request when both are present - rspec - Details

  Expand for error

   undefined method \`trace' for nil:NilClass
   Did you mean?  trap
   
   Failure/Error: service_entry_operation = context.trace || context.span
   
   NoMethodError:
     undefined method \`trace' for nil:NilClass
     Did you mean?  trap
   ./lib/datadog/appsec/stack_trace.rb:82:in \`add_stack_trace'
   ./lib/datadog/appsec/actions_handler.rb:23:in \`generate_stack'
   ...
  

• Datadog::AppSec::ActionsHandler.handle calls both generate_stack and generate_schema when both are present - rspec - Details

  Expand for error

   undefined method \`trace' for nil:NilClass
   Did you mean?  trap
   
   Failure/Error: service_entry_operation = context.trace || context.span
   
   NoMethodError:
     undefined method \`trace' for nil:NilClass
     Did you mean?  trap
   ./lib/datadog/appsec/stack_trace.rb:82:in \`add_stack_trace'
   ./lib/datadog/appsec/actions_handler.rb:23:in \`generate_stack'
   ...
  

• Datadog::AppSec::ActionsHandler.handle calls both generate_stack and redirect_request when both are present - rspec - Details

  Expand for error

   undefined method \`trace' for nil:NilClass
   Did you mean?  trap
   
   Failure/Error: service_entry_operation = context.trace || context.span
   
   NoMethodError:
     undefined method \`trace' for nil:NilClass
     Did you mean?  trap
   ./lib/datadog/appsec/stack_trace.rb:82:in \`add_stack_trace'
   ./lib/datadog/appsec/actions_handler.rb:23:in \`generate_stack'
   ...
  

• Datadog::AppSec::ActionsHandler.handle calls generate_stack with action parameters - rspec - Details

  Expand for error

   undefined method \`trace' for nil:NilClass
   Did you mean?  trap
   
   Failure/Error: service_entry_operation = context.trace || context.span
   
   NoMethodError:
     undefined method \`trace' for nil:NilClass
     Did you mean?  trap
   ./lib/datadog/appsec/stack_trace.rb:82:in \`add_stack_trace'
   ./lib/datadog/appsec/actions_handler.rb:23:in \`generate_stack'
   ...
  

• Datadog::Tracing::Span#to_hash is expected to eq {:error=>0, :meta=>{}, :metrics=>{}, :name=>"my.span", :parent_id=>0, :resource=>"my.span", :service=>nil, :span_id=>34, :span_links=>[], :trace_id=>12, :type=>nil} - rspec - Details

  Expand for error

   expected: {:error=>0, :meta=>{}, :metrics=>{}, :name=>"my.span", :parent_id=>0, :resource=>"my.span", :service=>nil, :span_id=>34, :span_links=>[], :trace_id=>12, :type=>nil}
        got: {:error=>0, :meta=>{}, :meta_struct=>{}, :metrics=>{}, :name=>"my.span", :parent_id=>0, :resource=>"my.span", :service=>nil, :span_id=>34, :span_links=>[], :trace_id=>12, :type=>nil}
   
   (compared using ==)
   
   Diff:
   @@ -1,5 +1,6 @@
    :error => 0,
    :meta => {},
   +:meta_struct => {},
   ...
  

[pr-commenter]

Benchmarks

Benchmark execution time: 2025-03-03 17:52:52

Comparing candidate commit d68d25b in PR branch vpellan/stack-trace-collection with baseline commit 20d026a in branch vpellan/meta-struct.

Found 0 performance improvements and 1 performance regressions! Performance is the same for 30 metrics, 2 unstable metrics.

scenario:profiler - gvl benchmark samples

• 🟥 throughput [-948.107op/s; -940.005op/s] or [-8.158%; -8.088%]

[y9v]

why are we changing this everywhere?

[datadog-datadog-prod-us1]

Datadog Report

Branch report: vpellan/stack-trace-collection
Commit report: 365dd2f
Test service: dd-trace-rb

✅ 0 Failed, 22135 Passed, 1476 Skipped, 5m 2.11s Total Time

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 94.38669% with 27 lines in your changes missing coverage. Please review.

Project coverage is 97.69%. Comparing base (65dd37b) to head (365dd2f).

Files with missing lines	Patch %	Lines
...atadog/appsec/actions_handler/stack_trace/frame.rb	31.57%	13 Missing ⚠️
.../appsec/actions_handler/stack_trace/representor.rb	35.29%	11 Missing ⚠️
lib/datadog/appsec/actions_handler/stack_trace.rb	94.87%	2 Missing ⚠️
spec/support/thread_backtrace_helpers.rb	96.96%	1 Missing ⚠️

Additional details and impacted files

@@                   Coverage Diff                   @@
##           vpellan/meta-struct    #4269      +/-   ##
=======================================================
- Coverage                97.71%   97.69%   -0.02%     
=======================================================
  Files                     1370     1377       +7     
  Lines                    83106    83583     +477     
  Branches                  4227     4254      +27     
=======================================================
+ Hits                     81209    81659     +450     
- Misses                    1897     1924      +27     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[Strech]

Is the return a missing type alias? And with type you can have it recursive

[Strech]

Should it be opposite order

Suggested change

	type stack_trace = Hash[Symbol, String | nil | Array[Datadog::AppSec::ActionsHandler::StackTraceCollection::stack_frame]]
	type stack_trace = Hash[nil, Symbol, String | Array[Datadog::AppSec::ActionsHandler::StackTraceCollection::stack_frame]]

[Strech]

Will that work?

Suggested change

	locations = []
	1000.times do
	locations << self.locations.first
	end
	locations
	1000.times.map { self.locations.first }

[Strech]

I think all the examples could be simplified to examples like

context 'when given a value' do
  it 'sets max value to 0' do
    settings.appsec.stack_trace.max_depth_top_percent = -1
    expect(settings.appsec.stack_trace.max_depth_top_percent).to eq(0)
  end
end

[Strech]

Please use verified double i.e (instance_double) here

[Strech]

FYI if you go this way - you will need to clean the settings afterwards (see other tests where we do that)

[Strech]

TBH i thought that helper suppose to make things easier. I think here it's either missing something or else ...

[Strech]

TBH this test suite look overly complicated and violates certain test practices and it would be easier to go over in 1:1 instead of chatting here.

[Strech]

Suggested change

	stack = context.trace.nil? ? span_stack : trace_stack
	stack.push({ language: 'ruby', id: utf8_stack_id, frames: stack_frames })
	(context.trace || context.span).push(language: 'ruby', id: stack_id, frames: stack_frames)

[vpellan]

This does not work as we are using the push method defined in StackTraceInMetastruct

[Strech]

This variable will be nil if no params[stack_id] is given, right? I think the whole method will not work without stack_id, hence we always have it or of not - we should do nothing and report a telemetry or generate warning or so.

Because of that that line must be adjusted to

Suggested change

	utf8_stack_id = action_params['stack_id'].encode('UTF-8') if action_params['stack_id']
	stack_id = action_params['stack_id'].encode('UTF-8')

P.S it doesn't make sense to mention UTF-8 in the variable name because it's not important

[Strech]

Suggested change

	span_stack = ActionsHandler::StackTraceInMetastruct.create(context.span&.metastruct)
	trace_stack = ActionsHandler::StackTraceInMetastruct.create(context.trace&.metastruct)
	span_stack = StackTraceInMetastruct.create(context.span&.metastruct)
	trace_stack = StackTraceInMetastruct.create(context.trace&.metastruct)

[Strech]

I think it should be converted into mutating to avoid allocation

Suggested change

	locations = (caller_locations || []).reject { |location| location.to_s.include?('lib/datadog') }
	locations = (caller_locations || [])
	locations.reject! { |location| location.to_s.include?('lib/datadog') }

[Strech]

This is a second time we convert location into the string, I think it makes sense to do it once at the beginning of the collection

[y9v]

this should be closer to the guard-clause on line 39

[y9v]

Why are we calling span metastruct a span_stack? Should we rather call it span_metastruct? Same one line below

[vpellan]

Because StackTraceInMetastruct is specifically applying changes to '_dd.stack' field of metastruct. We give a metastruct as an input but we cannot do any changes to it other than on the stack traces

[y9v]

do we want to avoid stack trace collection if the stack is longer than max_collect, or do we want to truncate the stack?

[vpellan]

max_collect is the maximum number of stack traces that we want in our trace, not the maximum number of frames in each stack trace (which is defined by max_depth). So if we already have the maximum number of stack traces in metastruct, we want to avoid collection.

[y9v]

is top_limit lower than bottom_limit?

What are we trying to do here? Get the top n items from the array? Do we really need to calculate both limits, or can we just slice n items from one end?

[vpellan]

For example, if max_depth is 32 and top_percent is 75%, and we have more than 32 stack frames, we want to keep the 24th first stack traces, the 8th last, and drop everything in the middle. So what this method do is calculate the limits of the frames that we should drop, so we can just do a slice on the locations with that range

[y9v]

according to RFC, we have to take 2 slices - one from the top of the stack trace, and one from the bottom:

In the original RFC, some restrictions were placed on the layout of stack traces, namely:
Stack traces must contain a maximum of 32 frames.
When a stack trace is truncated, 24 frames should be from the bottom of the stack and 8 from the top.

The number of top and bottom frames on truncated stack traces can be considered a flexible requirement and it’s up to the library implementor to decide the most useful number of frames from each side of the stack for their language. In addition, since the user can configure the maximum number of frames through the use of DD_APPSEC_MAX_STACK_TRACE_DEPTH, the number of top and bottom frames for a truncated stack trace of arbitrary size must be computed dynamically based on the configuration value, with the simplest approach being a proportional one. 

Similarly, the default maximum number of frames might not be particularly useful in languages with notoriously deep stacks, for that reason, the requirement must be updated to ensure that each library can provide meaningful stack traces.

Given the above, the requirements can be amended as follows:
Stack traces must be limited to a maximum of 32 frames, or a more suitable higher value for the given language.
When a stack trace is truncated, libraries must collect some frames from both the top and bottom of the stack. As a recommendation, libraries may collect 75% of frames from the bottom of the stack and 25% from the top.

I think this is not what we are doing here?

[y9v]

according to RFC, we have to take 2 slices - one from the top of the stack trace, and one from the bottom:

In the original RFC, some restrictions were placed on the layout of stack traces, namely:
Stack traces must contain a maximum of 32 frames.
When a stack trace is truncated, 24 frames should be from the bottom of the stack and 8 from the top.

The number of top and bottom frames on truncated stack traces can be considered a flexible requirement and it’s up to the library implementor to decide the most useful number of frames from each side of the stack for their language. In addition, since the user can configure the maximum number of frames through the use of DD_APPSEC_MAX_STACK_TRACE_DEPTH, the number of top and bottom frames for a truncated stack trace of arbitrary size must be computed dynamically based on the configuration value, with the simplest approach being a proportional one. 

Similarly, the default maximum number of frames might not be particularly useful in languages with notoriously deep stacks, for that reason, the requirement must be updated to ensure that each library can provide meaningful stack traces.

Given the above, the requirements can be amended as follows:
Stack traces must be limited to a maximum of 32 frames, or a more suitable higher value for the given language.
When a stack trace is truncated, libraries must collect some frames from both the top and bottom of the stack. As a recommendation, libraries may collect 75% of frames from the bottom of the stack and 25% from the top.

I think this is not what we are doing here?

[y9v]

RFC specifies separate class_name and function fields, and #label is containing both class name and function name. We have to parse it

[vpellan]

according to RFC, we have to take 2 slices - one from the top of the stack trace, and one from the bottom. I think this is not what we are doing here?

The slice! method will remove the part in the middle and locations will then contains the top part and the bottom part only.

[y9v]

according to RFC, we have to take 2 slices - one from the top of the stack trace, and one from the bottom. I think this is not what we are doing here?

The slice! method will remove the part in the middle and locations will then contains the top part and the bottom part only.

sorry, my bad, you are right