DataDog
diff --git a/‎.gitlab/dockerhub-login.sh‎
Lines changed: 87 additions & 0 deletions b/‎.gitlab/dockerhub-login.sh‎
Lines changed: 87 additions & 0 deletions
diff --git a/‎.gitlab/generate-appsec.php‎
Lines changed: 2 additions & 14 deletions b/‎.gitlab/generate-appsec.php‎
Lines changed: 2 additions & 14 deletions
diff --git a/‎.gitlab/generate-common.php‎
Lines changed: 6 additions & 1 deletion b/‎.gitlab/generate-common.php‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎.gitlab/generate-package.php‎
Lines changed: 8 additions & 0 deletions b/‎.gitlab/generate-package.php‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎.gitlab/generate-tracer.php‎
Lines changed: 4 additions & 3 deletions b/‎.gitlab/generate-tracer.php‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 30 additions & 29 deletions b/‎CHANGELOG.md‎
Lines changed: 30 additions & 29 deletions
diff --git a/‎VERSION‎
Lines changed: 1 addition & 1 deletion b/‎VERSION‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎appsec/src/extension/configuration.h‎
Lines changed: 1 addition & 0 deletions b/‎appsec/src/extension/configuration.h‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎appsec/src/extension/helper_process.c‎
Lines changed: 5 additions & 0 deletions b/‎appsec/src/extension/helper_process.c‎
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,87 @@
+#!/bin/sh
+
+set -e
+
+export VAULT_VERSION="1.20.0"
+
+echo "=== Setting up Docker Hub authentication ==="
+
+# Determine architecture for binary downloads
+arch="$(uname -m)"
+case "${arch}" in
+  x86_64)
+    vault_arch="amd64"
+    ;;
+  aarch64|arm64)
+    vault_arch="arm64"
+    ;;
+  *)
+    echo "Warning: Unsupported architecture: ${arch}. Skipping Docker Hub authentication." >&2
+    exit 0
+    ;;
+esac
+
+# Install jq if not already available
+if ! command -v jq > /dev/null 2>&1; then
+  echo "Installing jq..."
+
+  jq_path="/tmp/jq"
+
+  if ! curl -L --fail "https://github.com/jqlang/jq/releases/latest/download/jq-linux-${vault_arch}" \
+      --output "${jq_path}"; then
+    echo "Warning: Failed to download jq. Skipping Docker Hub authentication." >&2
+    exit 0
+  fi
+
+  chmod +x "${jq_path}"
+  export PATH="/tmp:${PATH}"
+fi
+
+# Install Vault if not already available
+vault_cmd="vault"
+if ! command -v vault > /dev/null 2>&1; then
+  echo "Installing Vault CLI..."
+
+  vault_path="/tmp/vault"
+  vault_zip="${vault_path}.zip"
+
+  if ! curl -L --fail "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_${vault_arch}.zip" \
+      --output "${vault_zip}"; then
+    echo "Warning: Failed to download Vault. Skipping Docker Hub authentication." >&2
+    exit 0
+  fi
+
+  if ! unzip -q "${vault_zip}" -d /tmp; then
+    echo "Warning: Failed to extract Vault. Skipping Docker Hub authentication." >&2
+    exit 0
+  fi
+
+  chmod +x "${vault_path}"
+  rm -f "${vault_zip}"
+
+  vault_cmd="${vault_path}"
+fi
+
+# Fetch Docker Hub credentials from Vault
+echo "Fetching Docker Hub credentials from Vault..."
+vaultoutput="$("${vault_cmd}" kv get --format=json kv/k8s/gitlab-runner/dd-trace-php/dockerhub)" || {
+  echo "Warning: Failed to fetch Docker Hub credentials from Vault. Skipping Docker Hub authentication." >&2
+  exit 0
+}
+
+user="$(echo "$vaultoutput" | jq -r '.data.data.user')"
+token="$(echo "$vaultoutput" | jq -r '.data.data.token')"
+
+if [ -z "${user}" ] || [ -z "${token}" ] || [ "${user}" = "null" ] || [ "${token}" = "null" ]; then
+  echo "Warning: Docker Hub credentials are empty or invalid. Skipping Docker Hub authentication." >&2
+  exit 0
+fi
+
+echo "Docker Hub user: ${user}"
+echo "Logging in to Docker Hub..."
+if ! echo "${token}" | docker login -u "${user}" --password-stdin docker.io; then
+  echo "Warning: Failed to login to Docker Hub. Continuing without authentication." >&2
+  exit 0
+fi
+
+echo "=== Docker Hub authentication successful ==="
@@ -62,20 +62,7 @@
   image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/docker:24.0.4-gbi-focal
   before_script:
 <?php echo $ecrLoginSnippet, "\n"; ?>
-    - |
-      echo "Logging in to Docker Hub"
-      if [ "$CI_REGISTRY_USER" = "" ]; then
-        echo "Fetching Docker Hub credentials from vault"
-        vaultoutput=$(vault kv get --format=json kv/k8s/gitlab-runner/dd-trace-php/dockerhub)
-        user=$(echo "$vaultoutput" | jq -r .data.data.user)
-        token=$(echo "$vaultoutput" | jq -r .data.data.token)
-      else
-        user="$CI_REGISTRY_USER"
-        token="$CI_REGISTRY_TOKEN"
-      fi
-
-      echo "Docker Hub user: $user"
-      docker login -u "$user" -p "$token" docker.io
+<?php dockerhub_login() ?>
     - apt update && apt install -y openjdk-17-jre
 
 "test appsec extension":
@@ -141,6 +128,7 @@
           - test8.5-release-zts
   before_script:
 <?php echo $ecrLoginSnippet, "\n"; ?>
+<?php dockerhub_login() ?>
   script:
     - apt update && apt install -y openjdk-17-jre
     - find "$CI_PROJECT_DIR"/appsec/tests/integration/build || true
 
@@ -31,7 +31,6 @@
 
 function unset_dd_runner_env_vars() {
 ?>
-
     # DD env vars auto-added to GitLab runners for infra purposes
     - unset DD_SERVICE
     - unset DD_ENV
@@ -40,6 +39,12 @@ function unset_dd_runner_env_vars() {
 <?php
 }
 
+function dockerhub_login() {
+?>
+    - if command -v docker > /dev/null 2>&1; then .gitlab/dockerhub-login.sh; fi
+<?php
+}
+
 ?>
 default:
   retry:
 
@@ -753,6 +753,7 @@
     RUST_BACKTRACE: 1
     DOCKER_COMPOSE_DOWNLOAD_NAME: docker-compose-linux-x86_64
   before_script:
+<?php dockerhub_login() ?>
     - apt install -y php git make curl
     - curl -L --fail https://github.com/docker/compose/releases/download/v2.36.0/${DOCKER_COMPOSE_DOWNLOAD_NAME} -o /usr/local/bin/docker-compose
     - chmod +x /usr/local/bin/docker-compose
@@ -833,6 +834,7 @@
     KUBERNETES_MEMORY_LIMIT: 4Gi
     RUST_BACKTRACE: 1
   before_script:
+<?php dockerhub_login() ?>
     - apt install -y make
     - mkdir build
     - mv packages build
@@ -897,6 +899,7 @@
         # - symfony_no_ddtrace
         # - symfony
   before_script:
+<?php dockerhub_login() ?>
     - apt install -y make curl
     - curl -L --fail https://github.com/docker/compose/releases/download/v2.36.0/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
     - chmod +x /usr/local/bin/docker-compose
@@ -959,6 +962,7 @@
     - job: datadog-setup.php
       artifacts: true
   before_script: &verify_alpine_before_script
+<?php dockerhub_login() ?>
     - mkdir build
     - mv packages build
     - apk add --no-cache ca-certificates # see https://support.circleci.com/hc/en-us/articles/360016505753-Resolve-Certificate-Signed-By-Unknown-Authority-error-in-Alpine-images?flash_digest=39b76521a337cecacac0cc10cb28f3747bb5fc6a
@@ -987,6 +991,7 @@
     - job: datadog-setup.php
       artifacts: true
   before_script:
+<?php dockerhub_login() ?>
     - mkdir build
     - mv packages build
     - '# Fix yum config, as centos 7 is EOL and mirrorlist.centos.org does not resolve anymore - https://serverfault.com/a/1161847'
@@ -1012,6 +1017,7 @@
     - job: datadog-setup.php
       artifacts: true
   before_script:
+<?php dockerhub_login() ?>
     - mkdir build
     - mv packages build
     - apt update
@@ -1125,6 +1131,7 @@
     - !reference [.services, request-replayer]
     - !reference [.services, httpbin-integration]
   before_script:
+<?php dockerhub_login() ?>
     - switch-php debug
   script:
     - sudo dpkg -i packages/*amd64*.deb
@@ -1161,6 +1168,7 @@
     - job: "prepare code"
       artifacts: true
   before_script:
+<?php dockerhub_login() ?>
     - |
       # Setup cache dirs
       mkdir -p $PIP_CACHE_DIR
 
@@ -33,7 +33,8 @@ function sidecar_logs() {
 <?php
 }
 
-function before_script_steps() {
+function before_script_steps($with_docker_auth = false) {
+    if ($with_docker_auth) dockerhub_login();
     unset_dd_runner_env_vars();
 ?>
 
@@ -211,7 +212,7 @@ function before_script_steps() {
     HTTPBIN_HOSTNAME: httpbin-integration
     HTTPBIN_PORT: 8080
   before_script:
-<?php before_script_steps() ?>
+<?php before_script_steps(true) ?>
     - .gitlab/wait-for-service-ready.sh
 
 .asan_test:
@@ -498,7 +499,7 @@ function before_script_steps() {
     SWITCH_PHP_VERSION: debug
     COMPOSER_VERSION: 2
   before_script:
-<?php before_script_steps() ?>
+<?php before_script_steps(true) ?>
     - if [[ "$MAKE_TARGET" != "test_composer" ]] || ! [[ "$PHP_MAJOR_MINOR" =~ 8.[01] ]]; then sudo composer self-update --$COMPOSER_VERSION --no-interaction; fi
     - COMPOSER_MEMORY_LIMIT=-1 composer update --no-interaction # disable composer memory limit completely
     - make composer_tests_update
 
@@ -1,38 +1,39 @@
 Changelog for older versions can be found in our [release page](https://github.com/DataDog/dd-trace-php/releases).
 
 ## All products
-- Add PHP 8.5 support #3400
-
-## Tracer
-### Added
-- Implement APM endpoint resource renaming #3415
-- Enable dynamic configuration for debugger-related products #3476
-
-### Fixed
-- Collect incompletely fetched CurlMulti handles upon destruction #3469
-- Safeguard proc_get_span in case proc_assoc_span is not happening #3471
-- Skip SSI injector in installer for accurate ini-dir readings #3472
-- Make stub file compatible with php 8.4+ parser #3475
-- Fix function resolver on PHP 8.0 and PHP 8.1 for targets without HAVE_GCC_GLOBAL_REGS and with active JIT #3482
-- Support ENOENT as shm_open failure mode DataDog/libdatadog#1315
-  - This fixes a failure mode present on some serverless runtimes.
-
 ### Internal
-- Add crashtracker support for the sidecar #3453
-- Strip error messages from hook telemetry #3449
-- Collect runtime crash frames #3479
-- Use a dedicated endpoint for enriched logs DataDog/libdatadog#1338
+- bump tracing-core from 0.1.33 to 0.1.35 #3516
 
-## Profiling
+## Tracer
 ### Internal
-- Cleanup I/O profiling code #3406
-- Upgrade to libdatadog v23, profiling uses zstd now #3470
-- Switch panics to abort #3474
+- Const-ify some logging thread-local variables #3513
+### Fixed
+- Avoid curl's `getenv` calls #3528
+- `code_origin_for_spans_enabled` naming inconsistency #3494
+- Add `NULL` guard clause in sidecar reconnect callback #3499
 
-## Application Security Management
+## Profiler
 ### Added
-- Print block_id #3444
-
+- Detect parallel threads #3515
 ### Changed
-- Upgrade libddwaf and rules #3438
-- Adapt security_response_id to latest #3480
+- Speedup hot path in allocator #3505
+### Fixed
+- Fixed asserting length of INI #3508
+
+## AppSec
+### Added
+- Minify blocking json message #3502
+- Add Custom Data Classification #3524
+- Add metrics for extension connections #3527
+### Fixed
+- Amend string on request abort #3506
+- Fix accessing to incorrectly hardcoded `$_GET` #3501
+- Amend issue where `security_response_id` is being release before displaying it #3493
+- AppSec helper: add send timeouts #3518
+- Minor fixes and improvements to file descriptor reclamation #3526
+- LaravelIntegration: be more defensive #3503
+- Fix `duration_ext` metric #3507
+- Fix segfault iterating mapping #3517
+- Fix double end hook run/segfault when blocking in PHP 7.x #3490
+- Fix `_iovec_writer_flush` and enforce limits on `$_POST` #3495
+- Clear `client_ip` on `request_init` #3496
@@ -1 +1 @@
-1.14.0
+1.15.0
@@ -41,6 +41,7 @@ extern bool runtime_config_first_init;
     SYSCFG(BOOL, DD_APPSEC_TESTING, "false")                                                                                          \
     SYSCFG(BOOL, DD_APPSEC_TESTING_ABORT_RINIT, "false")                                                                              \
     SYSCFG(BOOL, DD_APPSEC_TESTING_RAW_BODY, "false")                                                                                 \
+    SYSCFG(BOOL, DD_APPSEC_TESTING_HELPER_METRICS, "false")                                                                           \
     CONFIG(CUSTOM(INT), DD_APPSEC_LOG_LEVEL, "warn", .parser = dd_parse_log_level)                                                    \
     SYSCFG(STRING, DD_APPSEC_LOG_FILE, "php_error_reporting")                                                                         \
     SYSCFG(BOOL, DD_APPSEC_HELPER_LAUNCH, "true")                                                                                     \
 
@@ -21,6 +21,7 @@
 #include "network.h"
 #include "php_compat.h"
 #include "php_objects.h"
+#include "telemetry.h"
 #include "version.h"
 
 #define MAX_WAIT_TIME_MS (1ULL << 55)
@@ -151,11 +152,13 @@ dd_conn *nullable dd_helper_mgr_acquire_conn(
 
     _mgr.connected_this_req = true;
     _release_shared_state_lock(&_mgr.hss);
+    dd_telemetry_helper_conn_success(_mgr.socket_path);
 
     return conn;
 
 error:
     _inc_failed_counter(&_mgr.hss);
+    dd_telemetry_helper_conn_error(_mgr.socket_path);
     return NULL;
 }
 
@@ -262,6 +265,8 @@ void dd_helper_close_conn(void)
         mlog_err(dd_log_warning, "Error closing connection to helper");
     }
 
+    dd_telemetry_helper_conn_close(_mgr.socket_path);
+
     /* we treat closing the connection on the request it was opened a failure
      * for the purposes of the connection backoff */
     if (_mgr.connected_this_req && _shared_state) {