revert all changes expect in contrib/envoyproxy

Signed-off-by: Eliott Bouhana <[email protected]>

contrib/internal/httptrace/httptrace.go

@@ -11,7 +11,6 @@ import (
 	"context"
 	"fmt"
 	"net/http"
-	"net/url"
 	"strconv"
 	"strings"
 
@@ -28,29 +27,14 @@ var (
 )
 
 // StartRequestSpan starts an HTTP request span with the standard list of HTTP request span tags (http.method, http.url,
-// http.useragent) with a http.Request object. Any further span start option can be added with opts.
-func StartRequestSpan(r *http.Request, opts ...ddtrace.StartSpanOption) (tracer.Span, context.Context) {
-	return StartHttpSpan(
-		r.Context(),
-		r.Header,
-		r.Host,
-		r.Method,
-		urlFromRequest(r),
-		r.UserAgent(),
-		r.RemoteAddr,
-		opts...,
-	)
-}
-
-// StartHttpSpan starts an HTTP request span with the standard list of HTTP request span tags (http.method, http.url,
 // http.useragent). Any further span start option can be added with opts.
-func StartHttpSpan(ctx context.Context, headers map[string][]string, host string, method string, url string, userAgent string, remoteAddr string, opts ...ddtrace.StartSpanOption) (tracer.Span, context.Context) {
+func StartRequestSpan(r *http.Request, opts ...ddtrace.StartSpanOption) (tracer.Span, context.Context) {
 	// Append our span options before the given ones so that the caller can "overwrite" them.
 	// TODO(): rework span start option handling (https://github.com/DataDog/dd-trace-go/issues/1352)
 
 	var ipTags map[string]string
 	if cfg.traceClientIP {
-		ipTags, _ = httpsec.ClientIPTags(headers, true, remoteAddr)
+		ipTags, _ = httpsec.ClientIPTags(r.Header, true, r.RemoteAddr)
 	}
 	nopts := make([]ddtrace.StartSpanOption, 0, len(opts)+1+len(ipTags))
 	nopts = append(nopts,
@@ -59,23 +43,22 @@ func StartHttpSpan(ctx context.Context, headers map[string][]string, host string
 				cfg.Tags = make(map[string]interface{})
 			}
 			cfg.Tags[ext.SpanType] = ext.SpanTypeWeb
-			cfg.Tags[ext.HTTPMethod] = method
-			cfg.Tags[ext.HTTPURL] = url
-			cfg.Tags[ext.HTTPUserAgent] = userAgent
+			cfg.Tags[ext.HTTPMethod] = r.Method
+			cfg.Tags[ext.HTTPURL] = urlFromRequest(r)
+			cfg.Tags[ext.HTTPUserAgent] = r.UserAgent()
 			cfg.Tags["_dd.measured"] = 1
-			if host != "" {
-				cfg.Tags["http.host"] = host
+			if r.Host != "" {
+				cfg.Tags["http.host"] = r.Host
 			}
-			if spanctx, err := tracer.Extract(tracer.HTTPHeadersCarrier(headers)); err == nil {
+			if spanctx, err := tracer.Extract(tracer.HTTPHeadersCarrier(r.Header)); err == nil {
 				cfg.Parent = spanctx
 			}
-
 			for k, v := range ipTags {
 				cfg.Tags[k] = v
 			}
 		})
 	nopts = append(nopts, opts...)
-	return tracer.StartSpanFromContext(ctx, namingschema.OpName(namingschema.HTTPServer), nopts...)
+	return tracer.StartSpanFromContext(r.Context(), namingschema.OpName(namingschema.HTTPServer), nopts...)
 }
 
 // FinishRequestSpan finishes the given HTTP request span and sets the expected response-related tags such as the status
@@ -114,54 +97,27 @@ func urlFromRequest(r *http.Request) string {
 	// "For most requests, fields other than Path and RawQuery will be
 	// empty. (See RFC 7230, Section 5.3)"
 	// This is why we don't rely on url.URL.String(), url.URL.Host, url.URL.Scheme, etc...
+	var url string
+	path := r.URL.EscapedPath()
 	scheme := "http"
 	if r.TLS != nil {
 		scheme = "https"
 	}
-
-	return urlFromArgs(
-		r.URL.EscapedPath(),
-		scheme,
-		r.Host,
-		r.URL.RawQuery,
-		r.URL.EscapedFragment(),
-	)
-}
-
-// UrlFromUrl returns the full URL from a URL object. If query params are collected, they are obfuscated granted
-// obfuscation is not disabled by the user (through DD_TRACE_OBFUSCATION_QUERY_STRING_REGEXP)
-// See https://docs.datadoghq.com/tracing/configure_data_security#redacting-the-query-in-the-url for more information.
-func UrlFromUrl(u *url.URL) string {
-	scheme := "http"
-	if u.Scheme != "" {
-		scheme = u.Scheme
-	}
-	return urlFromArgs(
-		u.EscapedPath(),
-		scheme,
-		u.Host,
-		u.RawQuery,
-		u.EscapedFragment(),
-	)
-}
-
-func urlFromArgs(escapedPath string, scheme string, host string, rawQuery string, escapedFragment string) string {
-	var url string
-	if host != "" {
-		url = strings.Join([]string{scheme, "://", host, escapedPath}, "")
+	if r.Host != "" {
+		url = strings.Join([]string{scheme, "://", r.Host, path}, "")
 	} else {
-		url = escapedPath
+		url = path
 	}
 	// Collect the query string if we are allowed to report it and obfuscate it if possible/allowed
-	if cfg.queryString && rawQuery != "" {
-		query := rawQuery
+	if cfg.queryString && r.URL.RawQuery != "" {
+		query := r.URL.RawQuery
 		if cfg.queryStringRegexp != nil {
 			query = cfg.queryStringRegexp.ReplaceAllLiteralString(query, "<redacted>")
 		}
 		url = strings.Join([]string{url, query}, "?")
 	}
-	if escapedFragment != "" {
-		url = strings.Join([]string{url, escapedFragment}, "#")
+	if frag := r.URL.EscapedFragment(); frag != "" {
+		url = strings.Join([]string{url, frag}, "#")
 	}
 	return url
 }

go.mod

@@ -40,7 +40,7 @@ require (
 	github.com/elastic/go-elasticsearch/v8 v8.4.0
 	github.com/emicklei/go-restful v2.16.0+incompatible
 	github.com/emicklei/go-restful/v3 v3.11.0
-	github.com/envoyproxy/go-control-plane v0.13.0
+	github.com/envoyproxy/go-control-plane v0.12.0
 	github.com/garyburd/redigo v1.6.4
 	github.com/gin-gonic/gin v1.9.1
 	github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8
@@ -104,7 +104,7 @@ require (
 	golang.org/x/time v0.6.0
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028
 	google.golang.org/api v0.192.0
-	google.golang.org/grpc v1.65.0
+	google.golang.org/grpc v1.64.1
 	google.golang.org/protobuf v1.34.2
 	gopkg.in/jinzhu/gorm.v1 v1.9.2
 	gopkg.in/olivere/elastic.v3 v3.0.75
@@ -244,7 +244,6 @@ require (
 	github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 // indirect
 	github.com/pierrec/lz4/v4 v4.1.18 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20220216144756-c35f1ee13d7c // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect

go.sum

@@ -1125,8 +1125,8 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.m
 github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
 github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
 github.com/envoyproxy/go-control-plane v0.10.3/go.mod h1:fJJn/j26vwOu972OllsvAgJJM//w9BV6Fxbg2LuVd34=
-github.com/envoyproxy/go-control-plane v0.13.0 h1:HzkeUz1Knt+3bK+8LG1bxOO/jzWZmdxpwC51i202les=
-github.com/envoyproxy/go-control-plane v0.13.0/go.mod h1:GRaKG3dwvFoTg4nj7aXdZnvMg4d7nvT/wl9WgVXn3Q8=
+github.com/envoyproxy/go-control-plane v0.12.0 h1:4X+VP1GHd1Mhj6IB5mMeGbLCleqxjletLK6K0rbxyZI=
+github.com/envoyproxy/go-control-plane v0.12.0/go.mod h1:ZBTaoJ23lqITozF0M6G4/IragXCQKCnYbmlmtHvwRG0=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/envoyproxy/protoc-gen-validate v0.6.7/go.mod h1:dyJXwwfPK2VSqiB9Klm1J6romD608Ba7Hij42vrOBCo=
 github.com/envoyproxy/protoc-gen-validate v0.9.1/go.mod h1:OKNgG7TCp5pF4d6XftA0++PMirau2/yoOwVac3AbF2w=
@@ -1894,8 +1894,6 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
 github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
-github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
-github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -3066,8 +3064,8 @@ google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCD
 google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsAIPww=
 google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw=
 google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g=
-google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc=
-google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ=
+google.golang.org/grpc v1.64.1 h1:LKtvyfbX3UGVPFcGqJ9ItpVWW6oN/2XqTxfAnwRRXiA=
+google.golang.org/grpc v1.64.1/go.mod h1:hiQF4LFZelK2WKaP6W0L92zGHtiQdZxk8CrSdvyjeP0=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=

internal/appsec/emitter/httpsec/http.go

@@ -12,12 +12,9 @@ package httpsec
 
 import (
 	"context"
-	"strings"
-
 	// Blank import needed to use embed for the default blocked response payloads
 	_ "embed"
 	"net/http"
-	"net/url"
 	"sync"
 	"sync/atomic"
 
@@ -192,46 +189,3 @@ func WrapHandler(handler http.Handler, span ddtrace.Span, pathParams map[string]
 		handler.ServeHTTP(tw, tr)
 	})
 }
-
-// MakeHandlerOperationArgs creates the HandlerOperationArgs value.
-func MakeHandlerOperationArgs(headers map[string][]string, method string, host string, remoteAddr string, url *url.URL) HandlerOperationArgs {
-	cookies := filterCookiesFromHeaders(headers)
-
-	args := HandlerOperationArgs{
-		Method:      method,
-		RequestURI:  url.RequestURI(),
-		Host:        host,
-		RemoteAddr:  remoteAddr,
-		Headers:     headers,
-		Cookies:     cookies,
-		QueryParams: url.Query(),
-		PathParams:  map[string]string{},
-	}
-
-	return args
-}
-
-// Separate the cookies from the headers, return the parsed cookies and remove in place the cookies from the headers.
-// Headers used for `server.request.headers.no_cookies` and `server.response.headers.no_cookies` addresses for the WAF
-// Cookies are used for the `server.request.cookies` address
-func filterCookiesFromHeaders(headers http.Header) map[string][]string {
-	cookieHeader, ok := headers["Cookie"]
-	if !ok {
-		return make(http.Header)
-	}
-
-	delete(headers, "Cookie")
-
-	cookies := make(map[string][]string, len(cookieHeader))
-	for _, c := range cookieHeader {
-		parts := strings.Split(c, ";")
-		for _, part := range parts {
-			cookie := strings.Split(part, "=")
-			if len(cookie) == 2 {
-				cookies[cookie[0]] = append(cookies[cookie[0]], cookie[1])
-			}
-		}
-	}
-
-	return cookies
-}

internal/appsec/emitter/waf/actions/block.go

@@ -69,11 +69,6 @@ type (
 	// BlockHTTP are actions that interact with an HTTP request flow
 	BlockHTTP struct {
 		http.Handler
-
-		StatusCode       int `mapstructure:"status_code"`
-		RedirectLocation string
-		// BlockingTemplate is a function that returns the headers to be added and body to be written to the response
-		BlockingTemplate func(headers map[string][]string) (map[string][]string, []byte)
 	}
 )
 
@@ -130,11 +125,7 @@ func NewBlockAction(params map[string]any) []Action {
 }
 
 func newHTTPBlockRequestAction(status int, template string) *BlockHTTP {
-	return &BlockHTTP{
-		Handler:          newBlockHandler(status, template),
-		BlockingTemplate: newManualBlockHandler(template),
-		StatusCode:       status,
-	}
+	return &BlockHTTP{Handler: newBlockHandler(status, template)}
 }
 
 // newBlockHandler creates, initializes and returns a new BlockRequestAction
@@ -148,47 +139,16 @@ func newBlockHandler(status int, template string) http.Handler {
 		return htmlHandler
 	default:
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			h := findCorrectTemplate(jsonHandler, htmlHandler, r.Header.Get("Accept"))
-			h.(http.Handler).ServeHTTP(w, r)
-		})
-	}
-}
-
-func newManualBlockHandler(template string) func(headers map[string][]string) (map[string][]string, []byte) {
-	htmlHandler := newManualBlockDataHandler("text/html", blockedTemplateHTML)
-	jsonHandler := newManualBlockDataHandler("application/json", blockedTemplateJSON)
-	switch template {
-	case "json":
-		return jsonHandler
-	case "html":
-		return htmlHandler
-	default:
-		return func(headers map[string][]string) (map[string][]string, []byte) {
-			acceptHeader := ""
-			if hdr, ok := headers["Accept"]; ok && len(hdr) > 0 {
-				acceptHeader = hdr[0]
+			h := jsonHandler
+			hdr := r.Header.Get("Accept")
+			htmlIdx := strings.Index(hdr, "text/html")
+			jsonIdx := strings.Index(hdr, "application/json")
+			// Switch to html handler if text/html comes before application/json in the Accept header
+			if htmlIdx != -1 && (jsonIdx == -1 || htmlIdx < jsonIdx) {
+				h = htmlHandler
 			}
-			h := findCorrectTemplate(jsonHandler, htmlHandler, acceptHeader)
-			return h.(func(headers map[string][]string) (map[string][]string, []byte))(headers)
-		}
-	}
-}
-
-func findCorrectTemplate(jsonHandler interface{}, htmlHandler interface{}, acceptHeader string) interface{} {
-	h := jsonHandler
-	hdr := acceptHeader
-	htmlIdx := strings.Index(hdr, "text/html")
-	jsonIdx := strings.Index(hdr, "application/json")
-	// Switch to html handler if text/html comes before application/json in the Accept header
-	if htmlIdx != -1 && (jsonIdx == -1 || htmlIdx < jsonIdx) {
-		h = htmlHandler
-	}
-	return h
-}
-
-func newManualBlockDataHandler(ct string, template []byte) func(headers map[string][]string) (map[string][]string, []byte) {
-	return func(headers map[string][]string) (map[string][]string, []byte) {
-		return map[string][]string{"Content-Type": {ct}}, template
+			h.ServeHTTP(w, r)
+		})
 	}
 }