DataDog
diff --git a/‎.circleci/continue_config.yml‎
Lines changed: 16 additions & 5 deletions b/‎.circleci/continue_config.yml‎
Lines changed: 16 additions & 5 deletions
diff --git a/‎VERSION‎
Lines changed: 1 addition & 1 deletion b/‎VERSION‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎appsec/cmake/helper.cmake‎
Lines changed: 3 additions & 1 deletion b/‎appsec/cmake/helper.cmake‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎appsec/src/extension/backtrace.c‎
Lines changed: 2 additions & 1 deletion b/‎appsec/src/extension/backtrace.c‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎appsec/src/extension/commands/client_init.c‎
Lines changed: 4 additions & 87 deletions b/‎appsec/src/extension/commands/client_init.c‎
Lines changed: 4 additions & 87 deletions
diff --git a/‎appsec/src/extension/commands/config_sync.c‎
Lines changed: 13 additions & 9 deletions b/‎appsec/src/extension/commands/config_sync.c‎
Lines changed: 13 additions & 9 deletions
diff --git a/‎appsec/src/extension/commands/config_sync.h‎
Lines changed: 6 additions & 1 deletion b/‎appsec/src/extension/commands/config_sync.h‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎appsec/src/extension/ddappsec.c‎
Lines changed: 35 additions & 1 deletion b/‎appsec/src/extension/ddappsec.c‎
Lines changed: 35 additions & 1 deletion
diff --git a/‎appsec/src/extension/ddappsec.h‎
Lines changed: 3 additions & 0 deletions b/‎appsec/src/extension/ddappsec.h‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎appsec/src/extension/ddappsec.version‎
Lines changed: 1 addition & 0 deletions b/‎appsec/src/extension/ddappsec.version‎
Lines changed: 1 addition & 0 deletions
@@ -650,7 +650,9 @@ commands:
     steps:
       - run:
           name: Build Profiler NTS
+          shell: /bin/bash -ieo pipefail
           command: |
+            source "$BASH_ENV"
             if [ -d '/opt/rh/devtoolset-7' ] ; then
                 set +eo pipefail
                 source scl_source enable devtoolset-7
@@ -659,7 +661,7 @@ commands:
             set -u
             prefix="<< parameters.prefix >>"
             mkdir -vp "${prefix}"
-            command -v switch-php && switch-php "${PHP_VERSION}"
+            switch-php "${PHP_VERSION}"
             cd profiling
             echo "${CARGO_TARGET_DIR}"
             cargo build --release
@@ -668,7 +670,9 @@ commands:
             objcopy --compress-debug-sections "${prefix}/datadog-profiling.so"
       - run:
           name: Build Profiler ZTS
+          shell: /bin/bash -ieo pipefail
           command: |
+            source "$BASH_ENV"
             if [ -d '/opt/rh/devtoolset-7' ] ; then
                 set +eo pipefail
                 source scl_source enable devtoolset-7
@@ -677,7 +681,7 @@ commands:
             set -u
             prefix="<< parameters.prefix >>"
             mkdir -vp "${prefix}"
-            command -v switch-php && switch-php "${PHP_VERSION}-zts"
+            switch-php "${PHP_VERSION}-zts"
             cd profiling
             echo "${CARGO_TARGET_DIR}"
             touch build.rs #make sure `build.rs` gets executed after `switch-php` call
@@ -1411,7 +1415,14 @@ jobs:
           command: |
             export DEBIAN_FRONTEND=noninteractive
             apt update
-            apt install -y wget sudo git g++ gcc gcovr cmake make curl libcurl4-gnutls-dev clang clang-tidy clang-format git php-dev php8.2-xml php-cgi cargo
+            apt install -y wget sudo git g++ gcc gcovr cmake make curl libcurl4-gnutls-dev clang clang-tidy clang-format git php-dev php8.2-xml php-cgi
+      - run:
+          name: Install rust
+          command: |
+            curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /tmp/rustup.sh
+            chmod +x /tmp/rustup.sh
+            /tmp/rustup.sh -y --default-toolchain 1.76
+            sudo ln -s $HOME/.cargo/bin/* /usr/bin/
       - run: git config --global --add safe.directory /home/circleci/datadog/appsec/third_party/libddwaf
       - run:
           name: CMake
@@ -1422,7 +1433,7 @@ jobs:
       - run:
           name: Test
           command: |
-            make -C appsec/build -j $(nproc) xtest ddappsec_helper_test
+            PATH=$PATH:$HOME/.cargo/bin make -C appsec/build -j $(nproc) xtest ddappsec_helper_test
             ./appsec/build/tests/helper/ddappsec_helper_test
       - run:
           name: Generate XML coverage
@@ -3855,7 +3866,7 @@ jobs:
               php datadog-setup.php --file "${installable_bundle}" --php-bin php --enable-profiling
               # run phpize just to get run-tests.php
               phpize
-              php run-tests.php -p $(which php) --show-diff -g "FAIL,XFAIL,BORK,WARN,LEAK,XLEAK,SKIP" tests/ext/profiling
+              php run-tests.php -p $(which php) -d datadog.remote_config_enabled=false --show-diff -g "FAIL,XFAIL,BORK,WARN,LEAK,XLEAK,SKIP" tests/ext/profiling
 
   "cbindgen up-to-date":
     working_directory: ~/datadog
 
@@ -1 +1 @@
-1.3.0
+1.4.0
@@ -20,7 +20,7 @@ set_target_properties(helper_objects PROPERTIES
     CXX_STANDARD 20
     CXX_STANDARD_REQUIRED YES
     POSITION_INDEPENDENT_CODE 1)
-target_include_directories(helper_objects PUBLIC ${HELPER_INCLUDE_DIR})
+target_include_directories(helper_objects INTERFACE ${HELPER_INCLUDE_DIR})
 target_compile_definitions(helper_objects PUBLIC SPDLOG_ACTIVE_LEVEL=SPDLOG_LEVEL_TRACE)
 target_compile_options(helper_objects PRIVATE -ftls-model=global-dynamic)
 target_link_libraries(helper_objects PUBLIC libddwaf_objects pthread spdlog cpp-base64 msgpack_c RapidJSON::rapidjson Boost::system zlibstatic)
@@ -35,6 +35,8 @@ if(CMAKE_SYSTEM_NAME STREQUAL "Linux")
     # Bind symbols lookup of symbols defined in the library to the library itself
     # also avoids relocation problems with libc++.a on linux/aarch64
     target_link_options(ddappsec-helper PRIVATE -Wl,-Bsymbolic)
+elseif(CMAKE_SYSTEM_NAME STREQUAL "Darwin")
+    target_link_options(ddappsec-helper PRIVATE -undefined dynamic_lookup)
 endif()
 set_target_properties(ddappsec-helper PROPERTIES
     CXX_VISIBILITY_PRESET hidden
 
@@ -48,7 +48,8 @@ php_backtrace_frame_to_datadog_backtrace_frame( // NOLINTNEXTLINE(bugprone-easil
     if (file) {
         // In order to be able to test full path encoded everywhere lets set
         // only the file name without path
-        char *file_name = memrchr(Z_STRVAL_P(file), '/', Z_STRLEN_P(file));
+        const char *file_name =
+            zend_memrchr(Z_STRVAL_P(file), '/', Z_STRLEN_P(file));
         if (file_name) {
             zend_string *new_file = zend_string_init(file_name + 1,
                 Z_STRLEN_P(file) - (file_name + 1 - Z_STRVAL_P(file)), 0);
 
@@ -17,68 +17,20 @@
 #include "../version.h"
 #include "client_init.h"
 
-static const unsigned int DEFAULT_AGENT_PORT = 8126;
-static const char *DEFAULT_AGENT_HOST = "127.0.0.1";
-static const unsigned int MAX_TCP_PORT_ALLOWED = UINT16_MAX;
-
 static dd_result _pack_command(mpack_writer_t *nonnull w, void *nullable ctx);
 static dd_result _process_response(mpack_node_t root, void *nullable ctx);
 static void _process_meta_and_metrics(
     mpack_node_t root, struct req_info *nonnull ctx);
-static void _pack_agent_details(mpack_writer_t *nonnull w);
 
 static const dd_command_spec _spec = {
     .name = "client_init",
     .name_len = sizeof("client_init") - 1,
-    .num_args = 7,
+    .num_args = 6,
     .outgoing_cb = _pack_command,
     .incoming_cb = _process_response,
     .config_features_cb = dd_command_process_config_features_unexpected,
 };
 
-static void _pack_agent_details(mpack_writer_t *nonnull w)
-{
-    zend_string *agent_host = get_global_DD_AGENT_HOST();
-    zend_string *agent_url = get_global_DD_TRACE_AGENT_URL();
-    unsigned int port = get_global_DD_TRACE_AGENT_PORT();
-    char *host = NULL;
-    php_url *parsed_url = NULL;
-
-    if (agent_host && ZSTR_LEN(agent_host) > 0) {
-        host = ZSTR_VAL(agent_host);
-    } else if (agent_url && ZSTR_LEN(agent_url) > 0) {
-        parsed_url = php_url_parse(ZSTR_VAL(agent_url));
-        if (parsed_url) {
-#if PHP_VERSION_ID < 70300
-            if (parsed_url->host && strlen(parsed_url->host) > 0) {
-                host = parsed_url->host;
-            }
-#else
-            if (parsed_url->host && ZSTR_LEN(parsed_url->host) > 0) {
-                host = ZSTR_VAL(parsed_url->host);
-            }
-#endif
-            port = parsed_url->port;
-        }
-    }
-
-    if (!host) {
-        host = (char *)DEFAULT_AGENT_HOST;
-    }
-    if (port <= 0 || port > MAX_TCP_PORT_ALLOWED) {
-        port = DEFAULT_AGENT_PORT;
-    }
-
-    dd_mpack_write_lstr(w, "host");
-    dd_mpack_write_nullable_cstr(w, host);
-    dd_mpack_write_lstr(w, "port");
-    mpack_write_uint(w, port);
-
-    if (parsed_url) {
-        php_url_free(parsed_url);
-    }
-}
-
 dd_result dd_client_init(dd_conn *nonnull conn, struct req_info *nonnull ctx)
 {
     return dd_command_exec_cred(conn, &_spec, ctx);
@@ -97,39 +49,6 @@ static dd_result _pack_command(
         mpack_write_bool(w, DDAPPSEC_G(active));
     }
 
-    // Service details
-    // NOLINTNEXTLINE(cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers)
-    mpack_start_map(w, 6);
-
-    dd_mpack_write_lstr(w, "service");
-    dd_mpack_write_nullable_cstr(w, ZSTR_VAL(get_DD_SERVICE()));
-
-    dd_mpack_write_lstr(w, "extra_services");
-    zval extra_services;
-    ZVAL_ARR(&extra_services, get_global_DD_EXTRA_SERVICES());
-    dd_mpack_write_zval(w, &extra_services);
-
-    dd_mpack_write_lstr(w, "env");
-    dd_mpack_write_nullable_cstr(w, ZSTR_VAL(get_DD_ENV()));
-
-    dd_mpack_write_lstr(w, "tracer_version");
-    dd_mpack_write_nullable_cstr(w, dd_trace_version());
-
-    dd_mpack_write_lstr(w, "app_version");
-    dd_mpack_write_nullable_cstr(w, ZSTR_VAL(get_DD_VERSION()));
-
-    // We send this empty for now. The helper will check for empty and if so it
-    // will generate it
-    dd_mpack_write_lstr(w, "runtime_id");
-    zend_string *runtime_id = dd_trace_get_formatted_runtime_id(false);
-    if (runtime_id == NULL) {
-        dd_mpack_write_nullable_cstr(w, "");
-    } else {
-        dd_mpack_write_nullable_zstr(w, runtime_id);
-        zend_string_free(runtime_id);
-    }
-    mpack_finish_map(w);
-
     // Engine settings
     // NOLINTNEXTLINE(cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers)
     mpack_start_map(w, 6);
@@ -180,15 +99,13 @@ static dd_result _pack_command(
 
     // Remote config settings
     // NOLINTNEXTLINE(cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers)
-    mpack_start_map(w, 4);
+    mpack_start_map(w, 2);
 
     dd_mpack_write_lstr(w, "enabled");
     mpack_write_bool(w, get_DD_REMOTE_CONFIG_ENABLED());
 
-    _pack_agent_details(w);
-
-    dd_mpack_write_lstr(w, "poll_interval");
-    mpack_write_u32(w, get_DD_REMOTE_CONFIG_POLL_INTERVAL());
+    dd_mpack_write_lstr(w, "shmem_path");
+    dd_mpack_write_nullable_cstr(w, dd_trace_remote_config_get_path());
 
     mpack_finish_map(w);
 
 
@@ -8,32 +8,36 @@
 #include <php.h>
 
 #include "../commands_helpers.h"
+#include "../ddtrace.h"
+#include "../msgpack_helpers.h"
+#include "config_sync.h"
 #include <mpack.h>
 
-static dd_result _request_pack(
-    mpack_writer_t *nonnull w, void *nullable ATTR_UNUSED ctx);
+static dd_result _request_pack(mpack_writer_t *nonnull w, void *nonnull ctx);
 dd_result dd_command_process_config_sync(
     mpack_node_t root, ATTR_UNUSED void *unspecnull ctx);
 
 static const dd_command_spec _spec = {
     .name = "config_sync",
     .name_len = sizeof("config_sync") - 1,
-    .num_args = 0, // a single map
+    .num_args = 1,
     .outgoing_cb = _request_pack,
     .incoming_cb = dd_command_process_config_sync,
     .config_features_cb = dd_command_process_config_features,
 };
 
-dd_result dd_config_sync(dd_conn *nonnull conn)
+dd_result dd_config_sync(
+    dd_conn *nonnull conn, const struct config_sync_data *nonnull data)
 {
-    return dd_command_exec(conn, &_spec, NULL);
+    return dd_command_exec(conn, &_spec, (void *)data);
 }
 
-static dd_result _request_pack(
-    mpack_writer_t *nonnull w, void *nullable ATTR_UNUSED ctx)
+static dd_result _request_pack(mpack_writer_t *nonnull w, void *nonnull ctx_)
 {
-    UNUSED(ctx);
-    UNUSED(w);
+    const struct config_sync_data *nonnull data =
+        (struct config_sync_data *)ctx_;
+
+    dd_mpack_write_nullable_cstr(w, data->rem_cfg_path);
 
     return dd_success;
 }
 
@@ -7,4 +7,9 @@
 
 #include "../network.h"
 
-dd_result dd_config_sync(dd_conn *nonnull conn);
+struct config_sync_data {
+    char *nullable rem_cfg_path;
+};
+
+dd_result dd_config_sync(
+    dd_conn *nonnull conn, const struct config_sync_data *nonnull data);
@@ -45,6 +45,7 @@
 #include "user_tracking.h"
 
 #include <json/json.h>
+#include <zend_string.h>
 
 #if ZTS
 static atomic_int _thread_count;
@@ -100,7 +101,7 @@ static zend_extension ddappsec_extension_entry = {
     PHP_DDAPPSEC_EXTNAME,
     PHP_DDAPPSEC_VERSION,
     "Datadog",
-    "https://github.com/DataDog/dd-appsec-php",
+    "https://github.com/DataDog/dd-trace-php",
     "Copyright Datadog",
     ddappsec_startup,
     NULL,
@@ -253,6 +254,21 @@ void dd_appsec_rinit_once()
     pthread_once(&_rinit_once_control, _rinit_once);
 }
 
+static void _warn_on_empty_service_or_env()
+{
+    if (!get_global_DD_APPSEC_TESTING() && get_DD_REMOTE_CONFIG_ENABLED() &&
+        DDAPPSEC_G(enabled) != APPSEC_FULLY_DISABLED &&
+        (zend_string_equals_literal(get_DD_ENV(), "") ||
+            zend_string_equals_literal(get_DD_SERVICE(), ""))) {
+        mlog(dd_log_warning,
+            "AppSec is not disabled and Datadog service or env is empty. "
+            "Please set DD_SERVICE and DD_ENV rather than setting the "
+            "corresponding properties on the root span. Otherwise, remote "
+            "configuration for AppSec will use service=unnamed-php-service and "
+            "env=none");
+    }
+}
+
 // NOLINTNEXTLINE
 static PHP_RINIT_FUNCTION(ddappsec)
 {
@@ -265,6 +281,7 @@ static PHP_RINIT_FUNCTION(ddappsec)
     dd_appsec_rinit_once();
     zai_config_rinit();
     _check_enabled();
+    _warn_on_empty_service_or_env();
 
     if (DDAPPSEC_G(enabled) == APPSEC_FULLY_DISABLED) {
         return SUCCESS;
@@ -378,6 +395,23 @@ static void _check_enabled()
     };
 }
 
+__attribute__((visibility("default"))) void dd_appsec_rc_conf(
+    bool *nonnull appsec_features, bool *nonnull appsec_conf) // NOLINT
+{
+    bool prev_enabled = DDAPPSEC_G(enabled);
+    bool prev_active = DDAPPSEC_G(active);
+    bool prev_to_be_configured = DDAPPSEC_G(to_be_configured);
+    _check_enabled();
+
+    *appsec_features = DDAPPSEC_G(enabled) == APPSEC_ENABLED_VIA_REMCFG;
+    // only enable ASM / ASM_DD / ASM_DATA if no rules file is specified
+    *appsec_conf = get_global_DD_APPSEC_RULES()->len == 0;
+
+    DDAPPSEC_G(enabled) = prev_enabled;
+    DDAPPSEC_G(active) = prev_active;
+    DDAPPSEC_G(to_be_configured) = prev_to_be_configured;
+}
+
 static PHP_FUNCTION(datadog_appsec_is_enabled)
 {
     if (zend_parse_parameters_none() == FAILURE) {
 
@@ -56,6 +56,9 @@ extern __thread void *unspecnull ATTR_TLS_LOCAL_DYNAMIC TSRMLS_CACHE;
 void dd_appsec_rinit_once(void);
 int dd_appsec_rshutdown(bool ignore_verdict);
 
+__attribute__((visibility("default"))) void dd_appsec_rc_conf(
+    bool *nonnull appsec_features, bool *nonnull appsec_conf); // NOLINT
+
 // Add a NO_CACHE version.
 // Use tsrm_get_ls_cache() instead of thread-local _tsrmls_ls_cache
 #ifdef ZTS
 
@@ -2,5 +2,6 @@
 	global:
 		get_module;
 		dd_appsec_maybe_enable_helper;
+		dd_appsec_rc_conf;
 	local: *;
 };