diff --git a/dd-java-agent/agent-tooling/src/main/java/datadog/trace/agent/tooling/InstrumenterModule.java b/dd-java-agent/agent-tooling/src/main/java/datadog/trace/agent/tooling/InstrumenterModule.java
index f1afd39e2f7..307d6c029ef 100644
--- a/dd-java-agent/agent-tooling/src/main/java/datadog/trace/agent/tooling/InstrumenterModule.java
+++ b/dd-java-agent/agent-tooling/src/main/java/datadog/trace/agent/tooling/InstrumenterModule.java
@@ -10,6 +10,7 @@
 import datadog.trace.agent.tooling.muzzle.Reference;
 import datadog.trace.agent.tooling.muzzle.ReferenceMatcher;
 import datadog.trace.agent.tooling.muzzle.ReferenceProvider;
+import datadog.trace.api.Config;
 import datadog.trace.api.InstrumenterConfig;
 import datadog.trace.api.ProductActivation;
 import datadog.trace.api.config.ProfilingConfig;
@@ -227,9 +228,23 @@ public AppSec(String instrumentationName, String... additionalNames) {
 super(instrumentationName, additionalNames);
 }
+ private boolean applies() {
+ Set disabled = Config.get().getDisabledAppSecInstrumentations();
+ if (disabled.contains("*")) {
+ return false;
+ }
+ if (disabled.contains(name())) {
+ return false;
+ }
+ if (disabled.contains(getClass().getSimpleName())) {
+ return false;
+ }
+ return true;
+ }
+
 @Override
 public boolean isApplicable(Set enabledSystems) {
- return enabledSystems.contains(TargetSystem.APPSEC);
+ return enabledSystems.contains(TargetSystem.APPSEC) && applies();
 }
 }
diff --git a/dd-trace-api/src/main/java/datadog/trace/api/config/AppSecConfig.java b/dd-trace-api/src/main/java/datadog/trace/api/config/AppSecConfig.java
index ca56889fda7..bc503f8fd0d 100644
--- a/dd-trace-api/src/main/java/datadog/trace/api/config/AppSecConfig.java
+++ b/dd-trace-api/src/main/java/datadog/trace/api/config/AppSecConfig.java
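Review bot: In `InstrumenterModule.AppSec`, the new `applies()` switches an AppSec module off without leaving any trace: when the disabled set contains `*`, the module's `name()` or its simple class name, `isApplicable` simply returns false, so a deployment can run with part or all of its AppSec instrumentation missing and nothing in the logs to show it. I would log each skipped module once, along the lines of `log.debug("AppSec instrumentation {} disabled by configuration", name());` (assuming a logger is in scope in this class, which the hunk does not show), and report the `*` case at a more visible level. The lookup is an exact, case-sensitive `contains`, and the `additionalNames` passed to the constructor do not appear to be consulted; a Javadoc on `applies()` should state that entries must equal the instrumentation name or the simple class name and that `*` disables every AppSec module. The enclosing `AppSec` class starts and ends outside the hunk.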
@@ -27,6 +27,7 @@ public final class AppSecConfig {
 public static final String API_SECURITY_ENABLED_EXPERIMENTAL = "experimental.api-security.enabled";
 public static final String API_SECURITY_REQUEST_SAMPLE_RATE = "api-security.request.sample.rate";
+ public static final String DISABLED_INSTRUMENTATIONS = "appsec.disabled-instrumentations";
 public static final String APPSEC_SCA_ENABLED = "appsec.sca.enabled";
 public static final String APPSEC_RASP_ENABLED = "appsec.rasp.enabled";
diff --git a/internal-api/src/main/java/datadog/trace/api/Config.java b/internal-api/src/main/java/datadog/trace/api/Config.java
index e24c7413fcf..96df5f130a8 100644
--- a/internal-api/src/main/java/datadog/trace/api/Config.java
+++ b/internal-api/src/main/java/datadog/trace/api/Config.java
@@ -164,6 +164,7 @@
 import static datadog.trace.api.config.AppSecConfig.APPSEC_TRACE_RATE_LIMIT;
 import static datadog.trace.api.config.AppSecConfig.APPSEC_WAF_METRICS;
 import static datadog.trace.api.config.AppSecConfig.APPSEC_WAF_TIMEOUT;
+import static datadog.trace.api.config.AppSecConfig.DISABLED_INSTRUMENTATIONS;
 import static datadog.trace.api.config.CiVisibilityConfig.CIVISIBILITY_ADDITIONAL_CHILD_PROCESS_JVM_ARGS;
 import static datadog.trace.api.config.CiVisibilityConfig.CIVISIBILITY_AGENTLESS_ENABLED;
 import static datadog.trace.api.config.CiVisibilityConfig.CIVISIBILITY_AGENTLESS_URL;
@@ -490,6 +491,7 @@
 import static datadog.trace.util.CollectionUtils.tryMakeImmutableList;
 import static datadog.trace.util.CollectionUtils.tryMakeImmutableSet;
 import static datadog.trace.util.Strings.propertyNameToEnvironmentVariableName;
+import static java.util.Collections.emptySet;
 import datadog.trace.api.config.GeneralConfig;
 import datadog.trace.api.config.ProfilingConfig;
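Review bot: The constant added to `AppSecConfig` is named `DISABLED_INSTRUMENTATIONS` although its key is `appsec.disabled-instrumentations` and the neighbouring constants are spelled `APPSEC_SCA_ENABLED` and `APPSEC_RASP_ENABLED`; because Config.java pulls it in through a static import (the `@@ -164` hunk), the bare name there reads like a tracer-wide switch rather than an AppSec one. Renaming it while it is still new, `public static final String APPSEC_DISABLED_INSTRUMENTATIONS = "appsec.disabled-instrumentations";`, keeps every call site unambiguous. A one-line comment above it listing the accepted values (instrumentation names, simple class names, `*` for all) would also help, since this setting reduces security coverage.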
@@ -763,6 +765,7 @@ static class HostNameHolder {
 private final boolean appSecStandaloneEnabled;
 private final boolean apiSecurityEnabled;
 private final float apiSecurityRequestSampleRate;
+ private final Set disabledAppSecInstrumentations;
 private final IastDetectionMode iastDetectionMode;
 private final int iastMaxConcurrentRequests;
@@ -1710,6 +1713,7 @@ PROFILING_DATADOG_PROFILER_ENABLED, isDatadogProfilerSafeInCurrentEnvironment())
 apiSecurityRequestSampleRate = configProvider.getFloat( API_SECURITY_REQUEST_SAMPLE_RATE, DEFAULT_API_SECURITY_REQUEST_SAMPLE_RATE);
+ disabledAppSecInstrumentations = configProvider.getSet(DISABLED_INSTRUMENTATIONS, emptySet());
 iastDebugEnabled = configProvider.getBoolean(IAST_DEBUG_ENABLED, DEFAULT_IAST_DEBUG_ENABLED);
@@ -2931,6 +2935,10 @@ public float getApiSecurityRequestSampleRate() {
 return apiSecurityRequestSampleRate;
 }
+ public Set getDisabledAppSecInstrumentations() {
+ return disabledAppSecInstrumentations;
+ }
+
 public ProductActivation getIastActivation() {
 return instrumenterConfig.getIastActivation();
 }
@@ -4140,7 +4148,7 @@ private Set getSettingsSetFromEnvironment(
 private Set convertSettingsSet(Set fromSet, Function> mapper) {
 if (fromSet.isEmpty()) {
- return Collections.emptySet();
+ return emptySet();
 }
 Set result = new LinkedHashSet<>(fromSet.size());
 for (F from : fromSet) {
@@ -4220,7 +4228,7 @@ private static Set parseStringIntoSetOfNonEmptyStrings(
 private static Set convertStringSetToSet( String setting, final Set input, Function mapper) {
 if (input.isEmpty()) {
- return Collections.emptySet();
+ return emptySet();
 }
 // Using LinkedHashSet to preserve original string order
 final Set result = new LinkedHashSet<>();
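Review bot: `getDisabledAppSecInstrumentations()` (the `@@ -2931` hunk) hands out the same `Set` instance that the constructor stored from `configProvider.getSet(DISABLED_INSTRUMENTATIONS, emptySet())` in the `@@ -1710` hunk, and nothing visible here guarantees that instance is unmodifiable. Config.java already statically imports `tryMakeImmutableSet`, so the assignment could read `disabledAppSecInstrumentations = tryMakeImmutableSet(configProvider.getSet(DISABLED_INSTRUMENTATIONS, emptySet()));`, provided that helper accepts this argument type. The values are also stored exactly as read, so whether surrounding whitespace or a case difference defeats the exact `contains` lookup in `InstrumenterModule` depends on `getSet`, which is outside the diff; that is worth confirming and recording in a comment on the field. The constructor and the class body continue outside these hunks.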