Merge branch 'master' into INPLAT-614

Author: sydney-tung

.gitlab-ci.yml

@@ -25,7 +25,7 @@ variables:
   BUILD_JOB_NAME: "build"
   DEPENDENCY_CACHE_POLICY: pull
   BUILD_CACHE_POLICY: pull
-  GRADLE_VERSION: "8.5" # must match gradle-wrapper.properties
+  GRADLE_VERSION: "8.14.3" # must match gradle-wrapper.properties
   MAVEN_REPOSITORY_PROXY: "http://artifactual.artifactual.all-clusters.local-dc.fabric.dog:8081/repository/maven-central/"
   GRADLE_PLUGIN_PROXY: "http://artifactual.artifactual.all-clusters.local-dc.fabric.dog:8081/repository/gradle-plugin-portal-proxy/"
   BUILDER_IMAGE_VERSION_PREFIX: "v25.06-" # use either an empty string (e.g. "") for latest images or a version followed by a hyphen (e.g. "v25.05-")

communication/src/main/java/datadog/communication/ddagent/SharedCommunicationObjects.java

@@ -30,7 +30,7 @@ public class SharedCommunicationObjects {
   public OkHttpClient okHttpClient;
   public HttpUrl agentUrl;
   public Monitoring monitoring;
-  private DDAgentFeaturesDiscovery featuresDiscovery;
+  private volatile DDAgentFeaturesDiscovery featuresDiscovery;
   private ConfigurationPoller configurationPoller;
 
   public SharedCommunicationObjects() {
@@ -139,28 +139,34 @@ public void setFeaturesDiscovery(DDAgentFeaturesDiscovery featuresDiscovery) {
   }
 
   public DDAgentFeaturesDiscovery featuresDiscovery(Config config) {
-    if (featuresDiscovery == null) {
-      createRemaining(config);
-      featuresDiscovery =
-          new DDAgentFeaturesDiscovery(
-              okHttpClient,
-              monitoring,
-              agentUrl,
-              config.isTraceAgentV05Enabled(),
-              config.isTracerMetricsEnabled());
-
-      if (paused) {
-        // defer remote discovery until remote I/O is allowed
-      } else {
-        if (AGENT_THREAD_GROUP.equals(Thread.currentThread().getThreadGroup())) {
-          featuresDiscovery.discover(); // safe to run on same thread
-        } else {
-          // avoid performing blocking I/O operation on application thread
-          AgentTaskScheduler.INSTANCE.execute(featuresDiscovery::discover);
+    DDAgentFeaturesDiscovery ret = featuresDiscovery;
+    if (ret == null) {
+      synchronized (this) {
+        if (featuresDiscovery == null) {
+          createRemaining(config);
+          ret =
+              new DDAgentFeaturesDiscovery(
+                  okHttpClient,
+                  monitoring,
+                  agentUrl,
+                  config.isTraceAgentV05Enabled(),
+                  config.isTracerMetricsEnabled());
+
+          if (paused) {
+            // defer remote discovery until remote I/O is allowed
+          } else {
+            if (AGENT_THREAD_GROUP.equals(Thread.currentThread().getThreadGroup())) {
+              ret.discover(); // safe to run on same thread
+            } else {
+              // avoid performing blocking I/O operation on application thread
+              AgentTaskScheduler.INSTANCE.execute(ret::discover);
+            }
+          }
+          featuresDiscovery = ret;
         }
       }
     }
-    return featuresDiscovery;
+    return ret;
   }
 
   private static final class FixedConfigUrlSupplier implements Supplier<String> {

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/HttpRouteHandler.java

@@ -0,0 +1,16 @@
+package com.datadog.iast;
+
+import datadog.trace.api.gateway.RequestContext;
+import datadog.trace.api.gateway.RequestContextSlot;
+import java.util.function.BiConsumer;
+
+public class HttpRouteHandler implements BiConsumer<RequestContext, String> {
+
+  @Override
+  public void accept(final RequestContext ctx, final String route) {
+    final IastRequestContext iastCtx = ctx.getData(RequestContextSlot.IAST);
+    if (iastCtx != null) {
+      iastCtx.setRoute(route);
+    }
+  }
+}

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/IastRequestContext.java

@@ -36,6 +36,7 @@ public class IastRequestContext implements IastContext, HasMetricCollector {
   @Nullable private volatile String xForwardedProto;
   @Nullable private volatile String contentType;
   @Nullable private volatile String authorization;
+  @Nullable private volatile String route;
 
   /**
    * Use {@link IastRequestContext#IastRequestContext(TaintedObjects)} instead as we require more
@@ -121,6 +122,15 @@ public void setAuthorization(final String authorization) {
     this.authorization = authorization;
   }
 
+  @Nullable
+  public String getRoute() {
+    return route;
+  }
+
+  public void setRoute(final String route) {
+    this.route = route;
+  }
+
   public OverheadContext getOverheadContext() {
     return overheadContext;
   }

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/IastSystem.java

@@ -122,6 +122,7 @@ public static void start(
     registerRequestStartedCallback(ss, addTelemetry, dependencies);
     registerRequestEndedCallback(ss, addTelemetry, dependencies);
     registerHeadersCallback(ss);
+    registerHttpRouteCallback(ss);
     registerGrpcServerRequestMessageCallback(ss);
     maybeApplySecurityControls(instrumentation);
     LOGGER.debug("IAST started");
@@ -246,6 +247,10 @@ private static void registerHeadersCallback(final SubscriptionService ss) {
     ss.registerCallback(event, handler);
   }
 
+  private static void registerHttpRouteCallback(final SubscriptionService ss) {
+    ss.registerCallback(Events.get().httpRoute(), new HttpRouteHandler());
+  }
+
   private static void registerGrpcServerRequestMessageCallback(final SubscriptionService ss) {
     ss.registerCallback(Events.get().grpcServerRequestMessage(), new GrpcRequestMessageHandler());
   }

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/overhead/OverheadController.java

@@ -233,7 +233,7 @@ public boolean consumeQuota(
           Object methodTag = rootSpan.getTag(Tags.HTTP_METHOD);
           method = (methodTag == null) ? "" : methodTag.toString();
           Object routeTag = rootSpan.getTag(Tags.HTTP_ROUTE);
-          path = (routeTag == null) ? "" : routeTag.toString();
+          path = (routeTag == null) ? getHttpRouteFromRequestContext(span) : routeTag.toString();
         }
         if (!maybeSkipVulnerability(ctx, type, method, path)) {
           return operation.consumeQuota(ctx);
@@ -316,6 +316,19 @@ public OverheadContext getContext(@Nullable final AgentSpan span) {
       return globalContext;
     }
 
+    @Nullable
+    public String getHttpRouteFromRequestContext(@Nullable final AgentSpan span) {
+      String httpRoute = null;
+      final RequestContext requestContext = span != null ? span.getRequestContext() : null;
+      if (requestContext != null) {
+        IastRequestContext iastRequestContext = requestContext.getData(RequestContextSlot.IAST);
+        if (iastRequestContext != null) {
+          httpRoute = iastRequestContext.getRoute();
+        }
+      }
+      return httpRoute == null ? "" : httpRoute;
+    }
+
     static int computeSamplingParameter(final float pct) {
       if (pct >= 100) {
         return 100;

dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/HttpRouteHandlerTest.groovy

@@ -0,0 +1,39 @@
+package com.datadog.iast
+
+import datadog.trace.api.gateway.RequestContext
+import datadog.trace.api.gateway.RequestContextSlot
+import datadog.trace.test.util.DDSpecification
+import groovy.transform.CompileDynamic
+
+@CompileDynamic
+class HttpRouteHandlerTest extends DDSpecification {
+  void 'route is set'() {
+    given:
+    final handler = new HttpRouteHandler()
+    final iastCtx = Mock(IastRequestContext)
+    final ctx = Mock(RequestContext)
+    ctx.getData(RequestContextSlot.IAST) >> iastCtx
+
+    when:
+    handler.accept(ctx, '/foo')
+
+    then:
+    1 * ctx.getData(RequestContextSlot.IAST) >> iastCtx
+    1 * iastCtx.setRoute('/foo')
+    0 * _
+  }
+
+  void 'does nothing when context missing'() {
+    given:
+    final handler = new HttpRouteHandler()
+    final ctx = Mock(RequestContext)
+    ctx.getData(RequestContextSlot.IAST) >> null
+
+    when:
+    handler.accept(ctx, '/foo')
+
+    then:
+    1 * ctx.getData(RequestContextSlot.IAST) >> null
+    0 * _
+  }
+}

dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/IastSystemTest.groovy

@@ -60,6 +60,7 @@ class IastSystemTest extends DDSpecification {
     1 * ss.registerCallback(Events.get().requestStarted(), _)
     1 * ss.registerCallback(Events.get().requestEnded(), _)
     1 * ss.registerCallback(Events.get().requestHeader(), _)
+    1 * ss.registerCallback(Events.get().httpRoute(), _)
     1 * ss.registerCallback(Events.get().grpcServerRequestMessage(), _)
     0 * _
     TestLogCollector.drainCapturedLogs().any { it.message.contains('IAST is starting') }

dd-java-agent/instrumentation/gradle-8.3/src/main/groovy/datadog/trace/instrumentation/gradle/CiVisibilityGradleListenerInjector_8_3.java

@@ -1,14 +1,23 @@
 package datadog.trace.instrumentation.gradle;
 
+import datadog.trace.util.MethodHandles;
+import java.lang.invoke.MethodHandle;
 import java.util.Arrays;
+import org.gradle.api.Action;
 import org.gradle.initialization.ClassLoaderRegistry;
 import org.gradle.internal.service.DefaultServiceRegistry;
+import org.gradle.internal.service.ServiceRegistration;
 import org.gradle.internal.service.ServiceRegistry;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 public class CiVisibilityGradleListenerInjector_8_3 {
 
+  private static final MethodHandles METHOD_HANDLES =
+      new MethodHandles(DefaultServiceRegistry.class.getClassLoader());
+  private static final MethodHandle REGISTER_SERVICE =
+      METHOD_HANDLES.method(DefaultServiceRegistry.class, "register", Action.class);
+
   private static final Logger LOGGER =
       LoggerFactory.getLogger(CiVisibilityGradleListenerInjector_8_3.class);
 
@@ -21,8 +30,9 @@ public static void injectCiVisibilityGradleListener(
       Class<?> ciVisibilityGradleListener =
           CiVisibilityGradleListenerInjector_8_3.loadCiVisibilityGradleListener(
               classLoaderRegistry);
-      buildScopeServices.register(
-          serviceRegistration -> serviceRegistration.add(ciVisibilityGradleListener));
+      Action<ServiceRegistration> registrationAction =
+          serviceRegistration -> serviceRegistration.add(ciVisibilityGradleListener);
+      METHOD_HANDLES.invoke(REGISTER_SERVICE, buildScopeServices, registrationAction);
     } catch (Exception e) {
       LOGGER.warn("Could not inject CI Visibility Gradle listener", e);
     }

dd-java-agent/instrumentation/gradle-8.3/src/main/groovy/datadog/trace/instrumentation/gradle/GradleBuildScopeServices_8_3_Instrumentation.java

@@ -11,8 +11,8 @@
 import java.util.Set;
 import net.bytebuddy.asm.Advice;
 import net.bytebuddy.matcher.ElementMatcher;
+import org.gradle.internal.service.DefaultServiceRegistry;
 import org.gradle.internal.service.ServiceRegistry;
-import org.gradle.internal.service.scopes.BuildScopeServices;
 
 @AutoService(InstrumenterModule.class)
 public class GradleBuildScopeServices_8_3_Instrumentation extends InstrumenterModule.CiVisibility
@@ -55,10 +55,15 @@ public void methodAdvice(MethodTransformer transformer) {
   public static class Construct {
     @Advice.OnMethodExit(suppress = Throwable.class)
     public static void afterConstructor(
-        @Advice.This final BuildScopeServices buildScopeServices,
+        @Advice.This final DefaultServiceRegistry buildScopeServices,
         @Advice.Argument(0) final ServiceRegistry parentServices) {
       CiVisibilityGradleListenerInjector_8_3.injectCiVisibilityGradleListener(
           buildScopeServices, parentServices);
     }
   }
+
+  @Override
+  public String muzzleDirective() {
+    return "skipMuzzle";
+  }
 }