[Bug]: AppSec warnings when tracer is disabled

[christianseel]

Bug report

This is a followup of #2014

We are in the process of evaluating ASM for our applications and are already using APM since some time. Since installing the latest version of the tracer and enabling dd-appsec (--enable-appsec) we are facing similar issues to #2014

We are having parts of our application, where we want the tracer (and appsec) to be disabled. We did that already inside subfolders via .htaccess and SetEnv DD_TRACE_ENABLED 0. Now with appsec installed we are getting warnings from ddappsec:

<br />
<b>Warning</b>:  Unknown: [ddappsec] Failed to retrieve root span meta in <b>Unknown</b> on line <b>0</b><br />
<br />
<b>Warning</b>:  Unknown: [ddappsec] Failed to add tag _dd.appsec.event_rules.version in <b>Unknown</b> on line <b>0</b><br />
<br />
<b>Warning</b>:  Unknown: [ddappsec] Failed to retrieve root span meta in <b>Unknown</b> on line <b>0</b><br />
<br />
<b>Warning</b>:  Unknown: [ddappsec] Failed to add _dd.runtime_family to root span in <b>Unknown</b> on line <b>0</b><br />

We tried adding SetEnv DD_APPSEC_ENABLED 0 to our .htaccess, but it did not resolve the warnings.

While setting datadog.appsec.enabled = Off in the 98-ddtrace.ini resolves the warnings, however this disables it globally, which is not our goal.

PHP version

8.1.22

Tracer or profiler version

0.92.0

Installed extensions

[PHP Modules]
Core
ctype
curl
date
ddappsec
ddtrace
dom
exif
fileinfo
filter
ftp
gd
gmp
hash
iconv
imagick
intl
json
libxml
mbstring
mysqlnd
openssl
pcntl
pcov
pcre
PDO
pdo_mysql
pdo_sqlite
Phar
posix
readline
redis
Reflection
session
SimpleXML
sodium
SPL
sqlite3
standard
tokenizer
xdebug
xml
xmlreader
xmlwriter
Zend OPcache
zip
zlib

[Zend Modules]
Xdebug
Zend OPcache
ddappsec
ddtrace

Output of phpinfo()

{ "date": "2023-09-28T10:14:34Z", "os_name": "Linux 0681fa8edf17 6.5.0-1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.5.3-1 (2023-09-13) x86_64", "os_version": "6.5.0-1-amd64", "version": "0.92.0", "lang": "php", "lang_version": "8.1.22", "env": null, "enabled": true, "service": "radio.web", "enabled_cli": false, "agent_url": "xxx", "debug": false, "analytics_enabled": false, "sample_rate": -1, "sampling_rules": [ { "service": "xxx.api", "sample_rate": 0.2 } ], "tags": [], "service_mapping": [], "distributed_tracing_enabled": true, "priority_sampling_enabled": true, "dd_version": null, "architecture": "x86_64", "sapi": "fpm-fcgi", "datadog.trace.request_init_hook": "/opt/datadog/dd-library/0.92.0/dd-trace-sources/bridge/dd_wrap_autoloader.php", "open_basedir_configured": false, "uri_fragment_regex": null, "uri_mapping_incoming": null, "uri_mapping_outgoing": null, "auto_flush_enabled": false, "generate_root_span": true, "http_client_split_by_domain": false, "measure_compile_time": true, "report_hostname_on_root_span": false, "traced_internal_functions": null, "auto_prepend_file_configured": false, "integrations_disabled": "default", "enabled_from_env": true, "opcache.file_cache": null, "agent_error": "Failed to connect to localhost port 8126 after 0 ms: Couldn't connect to server" }

Upgrading from

PHP 8.1.18 (cli) (built: Apr 14 2023 19:12:08) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.1.18, Copyright (c) Zend Technologies
with Zend OPcache v8.1.18, Copyright (c), by Zend Technologies
with ddtrace v0.90.0, Copyright Datadog, by Datadog

[Anilm3]

We tried adding SetEnv DD_APPSEC_ENABLED 0 to our .htaccess, but it did not resolve the warnings.

This should've worked, we'll investigate and get back to you as soon as we have an update.

cc: @estringana

[Anilm3]

@christianseel with a configuration containing:

datadog.appsec.enabled = On

And an .htaccess containing:

SetEnv DD_TRACE_ENABLED 0

I can see the aforementioned warnings, this is a bug that we're fixing here: DataDog/dd-appsec-php#305

However when I disable appsec in .htaccess as follows:

SetEnv DD_APPSEC_ENABLED 0
SetEnv DD_TRACE_ENABLED 0

I don't see any warnings when using 0.92.0.

Can you provide us with the full phpinfo(); produced through the affected apache server? If you believe there could be any sensitive information in it, you can provide this through support. If you mention this ticket and the fact that I'm helping you with this issue, the support team will send the information directly to me.

[rtripault]

Hi @Anilm3 i'm @christianseel co-worker. We are still able to reproduce the issue in our environment with

SetEnv DD_APPSEC_ENABLED 0
SetEnv DD_TRACE_ENABLED 0

The requested phpinfo has been sent through support (# 1372356).

I'm happy to provide any other info/test you might need.

[Anilm3]

Hi @rtripault I just checked the provided phpinfo and in the PHP Variables section I don't see DD_TRACE_ENABLED or DD_APPSEC_ENABLED. I would've expected an entry for each of the variables as part of the server global, e.g.$_SERVER['DD_TRACE_ENABLED'].

Did you generate the phpinfo(); within a directory containing an .htaccess file?

[rtripault]

@Anilm3 my bad... that indeed that generated from a path not having the correct htaccess... i've sent the correct one on the same ticket.

[rtripault]

To bring more details (as i was trying to get a bare minimal php file reproducing the issue), it feels like the warnings are only displayed every 2 requests... a simple

<?php

echo "test";

generates

test<br />
<b>Warning</b>:  Unknown: [ddappsec] Failed to retrieve root span meta in <b>Unknown</b> on line <b>0</b><br />
<br />
<b>Warning</b>:  Unknown: [ddappsec] Failed to add tag _dd.appsec.event_rules.version in <b>Unknown</b> on line <b>0</b><br />
<br />
<b>Warning</b>:  Unknown: [ddappsec] Failed to retrieve root span meta in <b>Unknown</b> on line <b>0</b><br />
<br />
<b>Warning</b>:  Unknown: [ddappsec] Failed to add _dd.runtime_family to root span in <b>Unknown</b> on line <b>0</b><br />

every 2 requests

[Anilm3]

Thanks @rtripault, I've managed to reproduce it now so I'm working on a fix.

[Anilm3]

@christianseel, @rtripault we are releasing 0.92.2 soon which should fix this issue.

[Anilm3]

Fixed in 0.92.2.