DataDog
diff --git a/‎.gitlab/dockerhub-login.sh‎
Lines changed: 87 additions & 0 deletions b/‎.gitlab/dockerhub-login.sh‎
Lines changed: 87 additions & 0 deletions
diff --git a/‎.gitlab/generate-appsec.php‎
Lines changed: 4 additions & 16 deletions b/‎.gitlab/generate-appsec.php‎
Lines changed: 4 additions & 16 deletions
diff --git a/‎.gitlab/generate-common.php‎
Lines changed: 6 additions & 1 deletion b/‎.gitlab/generate-common.php‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎.gitlab/generate-package.php‎
Lines changed: 8 additions & 0 deletions b/‎.gitlab/generate-package.php‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎.gitlab/generate-tracer.php‎
Lines changed: 4 additions & 3 deletions b/‎.gitlab/generate-tracer.php‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 30 additions & 29 deletions b/‎CHANGELOG.md‎
Lines changed: 30 additions & 29 deletions
diff --git a/‎VERSION‎
Lines changed: 1 addition & 1 deletion b/‎VERSION‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎appsec/.clang-tidy‎
Lines changed: 1 addition & 1 deletion b/‎appsec/.clang-tidy‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎appsec/run-tests-internal.php‎
Lines changed: 8 additions & 8 deletions b/‎appsec/run-tests-internal.php‎
Lines changed: 8 additions & 8 deletions
@@ -0,0 +1,87 @@
+#!/bin/sh
+
+set -e
+
+export VAULT_VERSION="1.20.0"
+
+echo "=== Setting up Docker Hub authentication ==="
+
+# Determine architecture for binary downloads
+arch="$(uname -m)"
+case "${arch}" in
+  x86_64)
+    vault_arch="amd64"
+    ;;
+  aarch64|arm64)
+    vault_arch="arm64"
+    ;;
+  *)
+    echo "Warning: Unsupported architecture: ${arch}. Skipping Docker Hub authentication." >&2
+    exit 0
+    ;;
+esac
+
+# Install jq if not already available
+if ! command -v jq > /dev/null 2>&1; then
+  echo "Installing jq..."
+
+  jq_path="/tmp/jq"
+
+  if ! curl -L --fail "https://github.com/jqlang/jq/releases/latest/download/jq-linux-${vault_arch}" \
+      --output "${jq_path}"; then
+    echo "Warning: Failed to download jq. Skipping Docker Hub authentication." >&2
+    exit 0
+  fi
+
+  chmod +x "${jq_path}"
+  export PATH="/tmp:${PATH}"
+fi
+
+# Install Vault if not already available
+vault_cmd="vault"
+if ! command -v vault > /dev/null 2>&1; then
+  echo "Installing Vault CLI..."
+
+  vault_path="/tmp/vault"
+  vault_zip="${vault_path}.zip"
+
+  if ! curl -L --fail "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_${vault_arch}.zip" \
+      --output "${vault_zip}"; then
+    echo "Warning: Failed to download Vault. Skipping Docker Hub authentication." >&2
+    exit 0
+  fi
+
+  if ! unzip -q "${vault_zip}" -d /tmp; then
+    echo "Warning: Failed to extract Vault. Skipping Docker Hub authentication." >&2
+    exit 0
+  fi
+
+  chmod +x "${vault_path}"
+  rm -f "${vault_zip}"
+
+  vault_cmd="${vault_path}"
+fi
+
+# Fetch Docker Hub credentials from Vault
+echo "Fetching Docker Hub credentials from Vault..."
+vaultoutput="$("${vault_cmd}" kv get --format=json kv/k8s/gitlab-runner/dd-trace-php/dockerhub)" || {
+  echo "Warning: Failed to fetch Docker Hub credentials from Vault. Skipping Docker Hub authentication." >&2
+  exit 0
+}
+
+user="$(echo "$vaultoutput" | jq -r '.data.data.user')"
+token="$(echo "$vaultoutput" | jq -r '.data.data.token')"
+
+if [ -z "${user}" ] || [ -z "${token}" ] || [ "${user}" = "null" ] || [ "${token}" = "null" ]; then
+  echo "Warning: Docker Hub credentials are empty or invalid. Skipping Docker Hub authentication." >&2
+  exit 0
+fi
+
+echo "Docker Hub user: ${user}"
+echo "Logging in to Docker Hub..."
+if ! echo "${token}" | docker login -u "${user}" --password-stdin docker.io; then
+  echo "Warning: Failed to login to Docker Hub. Continuing without authentication." >&2
+  exit 0
+fi
+
+echo "=== Docker Hub authentication successful ==="
@@ -62,21 +62,8 @@
   image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/docker:24.0.4-gbi-focal
   before_script:
 <?php echo $ecrLoginSnippet, "\n"; ?>
-    - |
-      echo "Logging in to Docker Hub"
-      if [ "$CI_REGISTRY_USER" = "" ]; then
-        echo "Fetching Docker Hub credentials from vault"
-        vaultoutput=$(vault kv get --format=json kv/k8s/gitlab-runner/dd-trace-php/dockerhub)
-        user=$(echo "$vaultoutput" | jq -r .data.data.user)
-        token=$(echo "$vaultoutput" | jq -r .data.data.token)
-      else
-        user="$CI_REGISTRY_USER"
-        token="$CI_REGISTRY_TOKEN"
-      fi
-
-      echo "Docker Hub user: $user"
-      docker login -u "$user" -p "$token" docker.io
-    - apt update && apt install -y default-jre
+<?php dockerhub_login() ?>
+    - apt update && apt install -y openjdk-17-jre
 
 "test appsec extension":
   stage: test
@@ -141,8 +128,9 @@
           - test8.5-release-zts
   before_script:
 <?php echo $ecrLoginSnippet, "\n"; ?>
+<?php dockerhub_login() ?>
   script:
-    - apt update && apt install -y default-jre
+    - apt update && apt install -y openjdk-17-jre
     - find "$CI_PROJECT_DIR"/appsec/tests/integration/build || true
     - |
       cd appsec/tests/integration
 
@@ -31,7 +31,6 @@
 
 function unset_dd_runner_env_vars() {
 ?>
-
     # DD env vars auto-added to GitLab runners for infra purposes
     - unset DD_SERVICE
     - unset DD_ENV
@@ -40,6 +39,12 @@ function unset_dd_runner_env_vars() {
 <?php
 }
 
+function dockerhub_login() {
+?>
+    - if command -v docker > /dev/null 2>&1; then .gitlab/dockerhub-login.sh; fi
+<?php
+}
+
 ?>
 default:
   retry:
 
@@ -753,6 +753,7 @@
     RUST_BACKTRACE: 1
     DOCKER_COMPOSE_DOWNLOAD_NAME: docker-compose-linux-x86_64
   before_script:
+<?php dockerhub_login() ?>
     - apt install -y php git make curl
     - curl -L --fail https://github.com/docker/compose/releases/download/v2.36.0/${DOCKER_COMPOSE_DOWNLOAD_NAME} -o /usr/local/bin/docker-compose
     - chmod +x /usr/local/bin/docker-compose
@@ -833,6 +834,7 @@
     KUBERNETES_MEMORY_LIMIT: 4Gi
     RUST_BACKTRACE: 1
   before_script:
+<?php dockerhub_login() ?>
     - apt install -y make
     - mkdir build
     - mv packages build
@@ -897,6 +899,7 @@
         # - symfony_no_ddtrace
         # - symfony
   before_script:
+<?php dockerhub_login() ?>
     - apt install -y make curl
     - curl -L --fail https://github.com/docker/compose/releases/download/v2.36.0/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
     - chmod +x /usr/local/bin/docker-compose
@@ -959,6 +962,7 @@
     - job: datadog-setup.php
       artifacts: true
   before_script: &verify_alpine_before_script
+<?php dockerhub_login() ?>
     - mkdir build
     - mv packages build
     - apk add --no-cache ca-certificates # see https://support.circleci.com/hc/en-us/articles/360016505753-Resolve-Certificate-Signed-By-Unknown-Authority-error-in-Alpine-images?flash_digest=39b76521a337cecacac0cc10cb28f3747bb5fc6a
@@ -987,6 +991,7 @@
     - job: datadog-setup.php
       artifacts: true
   before_script:
+<?php dockerhub_login() ?>
     - mkdir build
     - mv packages build
     - '# Fix yum config, as centos 7 is EOL and mirrorlist.centos.org does not resolve anymore - https://serverfault.com/a/1161847'
@@ -1012,6 +1017,7 @@
     - job: datadog-setup.php
       artifacts: true
   before_script:
+<?php dockerhub_login() ?>
     - mkdir build
     - mv packages build
     - apt update
@@ -1125,6 +1131,7 @@
     - !reference [.services, request-replayer]
     - !reference [.services, httpbin-integration]
   before_script:
+<?php dockerhub_login() ?>
     - switch-php debug
   script:
     - sudo dpkg -i packages/*amd64*.deb
@@ -1161,6 +1168,7 @@
     - job: "prepare code"
       artifacts: true
   before_script:
+<?php dockerhub_login() ?>
     - |
       # Setup cache dirs
       mkdir -p $PIP_CACHE_DIR
 
@@ -33,7 +33,8 @@ function sidecar_logs() {
 <?php
 }
 
-function before_script_steps() {
+function before_script_steps($with_docker_auth = false) {
+    if ($with_docker_auth) dockerhub_login();
     unset_dd_runner_env_vars();
 ?>
 
@@ -211,7 +212,7 @@ function before_script_steps() {
     HTTPBIN_HOSTNAME: httpbin-integration
     HTTPBIN_PORT: 8080
   before_script:
-<?php before_script_steps() ?>
+<?php before_script_steps(true) ?>
     - .gitlab/wait-for-service-ready.sh
 
 .asan_test:
@@ -498,7 +499,7 @@ function before_script_steps() {
     SWITCH_PHP_VERSION: debug
     COMPOSER_VERSION: 2
   before_script:
-<?php before_script_steps() ?>
+<?php before_script_steps(true) ?>
     - if [[ "$MAKE_TARGET" != "test_composer" ]] || ! [[ "$PHP_MAJOR_MINOR" =~ 8.[01] ]]; then sudo composer self-update --$COMPOSER_VERSION --no-interaction; fi
     - COMPOSER_MEMORY_LIMIT=-1 composer update --no-interaction # disable composer memory limit completely
     - make composer_tests_update
 
@@ -1,38 +1,39 @@
 Changelog for older versions can be found in our [release page](https://github.com/DataDog/dd-trace-php/releases).
 
 ## All products
-- Add PHP 8.5 support #3400
-
-## Tracer
-### Added
-- Implement APM endpoint resource renaming #3415
-- Enable dynamic configuration for debugger-related products #3476
-
-### Fixed
-- Collect incompletely fetched CurlMulti handles upon destruction #3469
-- Safeguard proc_get_span in case proc_assoc_span is not happening #3471
-- Skip SSI injector in installer for accurate ini-dir readings #3472
-- Make stub file compatible with php 8.4+ parser #3475
-- Fix function resolver on PHP 8.0 and PHP 8.1 for targets without HAVE_GCC_GLOBAL_REGS and with active JIT #3482
-- Support ENOENT as shm_open failure mode DataDog/libdatadog#1315
-  - This fixes a failure mode present on some serverless runtimes.
-
 ### Internal
-- Add crashtracker support for the sidecar #3453
-- Strip error messages from hook telemetry #3449
-- Collect runtime crash frames #3479
-- Use a dedicated endpoint for enriched logs DataDog/libdatadog#1338
+- bump tracing-core from 0.1.33 to 0.1.35 #3516
 
-## Profiling
+## Tracer
 ### Internal
-- Cleanup I/O profiling code #3406
-- Upgrade to libdatadog v23, profiling uses zstd now #3470
-- Switch panics to abort #3474
+- Const-ify some logging thread-local variables #3513
+### Fixed
+- Avoid curl's `getenv` calls #3528
+- `code_origin_for_spans_enabled` naming inconsistency #3494
+- Add `NULL` guard clause in sidecar reconnect callback #3499
 
-## Application Security Management
+## Profiler
 ### Added
-- Print block_id #3444
-
+- Detect parallel threads #3515
 ### Changed
-- Upgrade libddwaf and rules #3438
-- Adapt security_response_id to latest #3480
+- Speedup hot path in allocator #3505
+### Fixed
+- Fixed asserting length of INI #3508
+
+## AppSec
+### Added
+- Minify blocking json message #3502
+- Add Custom Data Classification #3524
+- Add metrics for extension connections #3527
+### Fixed
+- Amend string on request abort #3506
+- Fix accessing to incorrectly hardcoded `$_GET` #3501
+- Amend issue where `security_response_id` is being release before displaying it #3493
+- AppSec helper: add send timeouts #3518
+- Minor fixes and improvements to file descriptor reclamation #3526
+- LaravelIntegration: be more defensive #3503
+- Fix `duration_ext` metric #3507
+- Fix segfault iterating mapping #3517
+- Fix double end hook run/segfault when blocking in PHP 7.x #3490
+- Fix `_iovec_writer_flush` and enforce limits on `$_POST` #3495
+- Clear `client_ip` on `request_init` #3496
@@ -1 +1 @@
-1.14.0
+1.15.0
@@ -1,7 +1,7 @@
 ---
 # readability-function-cognitive-complexity temporarily disabled until clang-tidy is fixed
 # right now emalloc causes it to misbehave
-Checks:          '*,-bugprone-reserved-identifier,-hicpp-signed-bitwise,-llvmlibc-restrict-system-libc-headers,-altera-unroll-loops,-hicpp-named-parameter,-cert-dcl37-c,-cert-dcl51-cpp,-read,-cppcoreguidelines-init-variables,-cppcoreguidelines-avoid-non-const-global-variables,-altera-id-dependent-backward-branch,-performance-no-int-to-ptr,-altera-struct-pack-align,-google-readability-casting,-modernize-use-trailing-return-type,-llvmlibc-implementation-in-namespace,-llvmlibc-callee-namespace,-cppcoreguidelines-pro-bounds-pointer-arithmetic,-fuchsia-default-arguments-declarations,-fuchsia-overloaded-operator,-cppcoreguidelines-pro-type-union-access,-fuchsia-default-arguments-calls,-cppcoreguidelines-non-private-member-variables-in-classes,-misc-non-private-member-variables-in-classes,-google-readability-todo,-llvm-header-guard,-readability-function-cognitive-complexity,-readability-identifier-length,-modernize-macro-to-enum,-misc-include-cleaner,-bugprone-empty-catch,-cppcoreguidelines-avoid-do-while,-hicpp-no-array-decay'
+Checks:          '*,-bugprone-reserved-identifier,-hicpp-signed-bitwise,-llvmlibc-restrict-system-libc-headers,-altera-unroll-loops,-hicpp-named-parameter,-cert-dcl37-c,-cert-dcl51-cpp,-read,-cppcoreguidelines-init-variables,-cppcoreguidelines-avoid-non-const-global-variables,-altera-id-dependent-backward-branch,-performance-no-int-to-ptr,-altera-struct-pack-align,-google-readability-casting,-modernize-use-trailing-return-type,-llvmlibc-implementation-in-namespace,-llvmlibc-callee-namespace,-cppcoreguidelines-pro-bounds-pointer-arithmetic,-fuchsia-default-arguments-declarations,-fuchsia-overloaded-operator,-cppcoreguidelines-pro-type-union-access,-fuchsia-default-arguments-calls,-cppcoreguidelines-non-private-member-variables-in-classes,-misc-non-private-member-variables-in-classes,-google-readability-todo,-llvm-header-guard,-readability-function-cognitive-complexity,-readability-identifier-length,-modernize-macro-to-enum,-misc-include-cleaner,-bugprone-empty-catch,-cppcoreguidelines-avoid-do-while,-hicpp-no-array-decay,-llvmlibc-*'
 WarningsAsErrors: '*'
 HeaderFilterRegex: ''
 CheckOptions:
 
@@ -845,19 +845,19 @@ function write_information()
     $info_params = array();
     settings2array($ini_overwrites, $info_params);
     $info_params = settings2params($info_params);
-    $php_info = `$php $pass_options $info_params $no_file_cache "$info_file"`;
-    define('TESTED_PHP_VERSION', `$php -n -r "echo PHP_VERSION;"`);
+    $php_info = shell_exec("$php $pass_options $info_params $no_file_cache \"$info_file\"");
+    define('TESTED_PHP_VERSION', shell_exec("$php -n -r \"echo PHP_VERSION;\""));
 
     if ($php_cgi && $php != $php_cgi) {
-        $php_info_cgi = `$php_cgi $pass_options $info_params $no_file_cache -q "$info_file"`;
+        $php_info_cgi = shell_exec("$php_cgi $pass_options $info_params $no_file_cache -q \"$info_file\"");
         $php_info_sep = "\n---------------------------------------------------------------------";
         $php_cgi_info = "$php_info_sep\nPHP         : $php_cgi $php_info_cgi$php_info_sep";
     } else {
         $php_cgi_info = '';
     }
 
     if ($phpdbg) {
-        $phpdbg_info = `$phpdbg $pass_options $info_params $no_file_cache -qrr "$info_file"`;
+        $phpdbg_info = shell_exec("$phpdbg $pass_options $info_params $no_file_cache -qrr \"$info_file\"");
         $php_info_sep = "\n---------------------------------------------------------------------";
         $phpdbg_info = "$php_info_sep\nPHP         : $phpdbg $phpdbg_info$php_info_sep";
     } else {
@@ -872,7 +872,7 @@ function write_information()
     // load list of enabled extensions
     save_text($info_file,
         '<?php echo str_replace("Zend OPcache", "opcache", implode(",", get_loaded_extensions())); ?>');
-    $exts_to_test = explode(',', `$php $pass_options $info_params $no_file_cache "$info_file"`);
+    $exts_to_test = explode(',', shell_exec("$php $pass_options $info_params $no_file_cache \"$info_file\""));
     // check for extensions that need special handling and regenerate
     $info_params_ex = array(
         'session' => array('session.auto_start=0'),
@@ -2171,9 +2171,9 @@ function run_test($php, $file, array $env)
         $ext_params = array();
         settings2array($ini_overwrites, $ext_params);
         $ext_params = settings2params($ext_params);
-        $ext_dir = `$php $pass_options $extra_options $ext_params $no_file_cache -d display_errors=0 -r "echo ini_get('extension_dir');"`;
+        $ext_dir = shell_exec("$php $pass_options $extra_options $ext_params $no_file_cache -d display_errors=0 -r \"echo ini_get('extension_dir');\"");
         $extensions = preg_split("/[\n\r]+/", trim($section_text['EXTENSIONS']));
-        $loaded = explode(",", `$php $pass_options $extra_options $ext_params $no_file_cache -d display_errors=0 -r "echo implode(',', get_loaded_extensions());"`);
+        $loaded = explode(",", shell_exec("$php $pass_options $extra_options $ext_params $no_file_cache -d display_errors=0 -r \"echo implode(',', get_loaded_extensions());\""));
         $ext_prefix = IS_WINDOWS ? "php_" : "";
         foreach ($extensions as $req_ext) {
             if (!in_array($req_ext, $loaded)) {
@@ -3403,7 +3403,7 @@ function show_result(
     $tested,
     $tested_file,
     $extra = '',
-    array $temp_filenames = null
+    $temp_filenames = null
 ) {
     global $SHOW_ONLY_GROUPS, $colorize;