Add stack trace collection to meta_struct and actions_handler

Author: vpellan

lib/datadog/appsec/actions_handler.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+require_relative 'actions_handler/rasp_stack_trace'
+require_relative 'actions_handler/stack_trace_collection'
+
 module Datadog
   module AppSec
     # this module encapsulates functions for handling actions that libddawf returns
@@ -19,7 +22,31 @@ def interrupt_execution(action_params)
         throw(Datadog::AppSec::Ext::INTERRUPT, action_params)
       end
 
-      def generate_stack(_action_params); end
+      def generate_stack(action_params)
+        return unless Datadog.configuration.appsec.stack_trace.enabled
+
+        context = AppSec.active_context
+        if context.nil? || context.trace.nil? && context.span.nil?
+          Datadog.logger.debug { 'Cannot find trace or service entry span to add stack trace' }
+          return
+        end
+
+        config = Datadog.configuration.appsec.stack_trace
+
+        # Check that the sum of stack_trace count in trace and entry_span does not exceed configuration
+        span_stack = ActionsHandler::RaspStackTrace.new(context.span&.metastruct)
+        trace_stack = ActionsHandler::RaspStackTrace.new(context.trace&.metastruct)
+        return if config.max_collect != 0 && span_stack.count + trace_stack.count >= config.max_collect
+
+        # Generate stacktrace
+        utf8_stack_id = action_params['stack_id'].encode('UTF-8') if action_params['stack_id']
+        stack_frames = ActionsHandler::StackTraceCollection.collect(config.max_depth, config.max_depth_top_percent)
+        stack_trace = { language: 'ruby', id: utf8_stack_id, frames: stack_frames }
+
+        # Add newly created stacktrace to metastruct
+        stack = context.trace.nil? ? span_stack : trace_stack
+        stack.push(stack_trace)
+      end
 
       def generate_schema(_action_params); end
     end

lib/datadog/appsec/actions_handler/rasp_stack_trace.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module ActionsHandler
+      # Object that holds a metastruct, and modify the exploit group stack traces
+      class RaspStackTrace
+        def initialize(metastruct)
+          @metastruct = metastruct
+        end
+
+        def count
+          @metastruct&.dig(AppSec::Ext::TAG_STACK_TRACE, AppSec::Ext::EXPLOIT_PREVENTION_EVENT_CATEGORY)&.size || 0
+        end
+
+        def push(stack_trace)
+          return if @metastruct.nil?
+
+          # steep:ignore:start
+          @metastruct[AppSec::Ext::TAG_STACK_TRACE] ||= {}
+          @metastruct[AppSec::Ext::TAG_STACK_TRACE][AppSec::Ext::EXPLOIT_PREVENTION_EVENT_CATEGORY] ||= []
+          @metastruct[AppSec::Ext::TAG_STACK_TRACE][AppSec::Ext::EXPLOIT_PREVENTION_EVENT_CATEGORY] << stack_trace
+          # steep:ignore:end
+        end
+      end
+    end
+  end
+end

lib/datadog/appsec/actions_handler/stack_trace_collection.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module ActionsHandler
+      # Module that collects the stack trace into formatted hash
+      module StackTraceCollection
+        module_function
+
+        def collect(max_depth, top_percent)
+          filtered_locations = caller_locations&.reject { |location| location.to_s.include?('lib/datadog') } || []
+
+          skip_locations =
+            if max_depth == 0 || filtered_locations.size <= max_depth
+              (0...0)
+            else
+              top_limit = (max_depth * top_percent / 100.0).round
+              bottom_limit = filtered_locations.size - (max_depth - top_limit)
+              (top_limit...bottom_limit)
+            end
+          filtered_locations.slice!(skip_locations)
+
+          filtered_locations.map.with_index do |location, index|
+            {
+              id: index,
+              text: location.to_s.encode('UTF-8'),
+              file: (location.absolute_path || location.path)&.encode('UTF-8'),
+              line: location.lineno,
+              function: location.label&.encode('UTF-8')
+            }
+          end
+        end
+      end
+    end
+  end
+end

lib/datadog/appsec/configuration/settings.rb

@@ -267,6 +267,55 @@ def self.add_settings!(base)
                   o.default false
                 end
               end
+
+              settings :stack_trace do
+                option :enabled do |o|
+                  o.type :bool
+                  o.env 'DD_APPSEC_STACK_TRACE_ENABLED'
+                  o.default true
+                end
+
+                # The maximum number of stack frames to collect for each stack trace.
+                # If the number of frames in a stack trace exceeds this value,
+                # max_depth / 4 frames will be collected from the top, and max_depth * 3 / 4 from the bottom.
+                option :max_depth do |o|
+                  o.type :int
+                  o.env 'DD_APPSEC_MAX_STACK_TRACE_DEPTH'
+                  o.default 32
+                  # 0 means no limit
+                  o.setter do |value|
+                    value = 0 if value.negative?
+                    value
+                  end
+                end
+
+                # The percentage that decides the number of top stack frame to collect
+                # for each stack trace if there is more stack frames than max_depth.
+                # number_of_top_frames = max_depth * max_depth_top_percent / 100
+                # Default is 75
+                option :max_depth_top_percent do |o|
+                  o.type :float
+                  o.env 'DD_APPSEC_MAX_STACK_TRACE_DEPTH_TOP_PERCENT'
+                  o.default 75
+                  o.setter do |value|
+                    value = 100 if value > 100
+                    value = 0 if value < 0
+                    value
+                  end
+                end
+
+                # The maximum number of stack traces to collect for each exploit prevention event.
+                option :max_collect do |o|
+                  o.type :int
+                  o.env 'DD_APPSEC_MAX_STACK_TRACES'
+                  o.default 2
+                  # 0 means no limit
+                  o.setter do |value|
+                    value = 0 if value < 0
+                    value
+                  end
+                end
+              end
             end
           end
         end

lib/datadog/appsec/context.rb

@@ -62,8 +62,8 @@ def extract_schema
       def export_metrics
         return if @span.nil?
 
-        Metrics::Exporter.export_waf_metrics(@metrics.waf, @span)
-        Metrics::Exporter.export_rasp_metrics(@metrics.rasp, @span)
+        Metrics::Exporter.export_waf_metrics(@metrics.waf, @span) # steep:ignore ArgumentTypeMismatch
+        Metrics::Exporter.export_rasp_metrics(@metrics.rasp, @span) # steep:ignore ArgumentTypeMismatch
       end
 
       def finalize

lib/datadog/appsec/ext.rb

@@ -10,12 +10,14 @@ module Ext
       INTERRUPT = :datadog_appsec_interrupt
       CONTEXT_KEY = 'datadog.appsec.context'
       ACTIVE_CONTEXT_KEY = :datadog_appsec_active_context
+      EXPLOIT_PREVENTION_EVENT_CATEGORY = 'exploit'
 
       TAG_APPSEC_ENABLED = '_dd.appsec.enabled'
       TAG_APM_ENABLED = '_dd.apm.enabled'
       TAG_DISTRIBUTED_APPSEC_EVENT = '_dd.p.appsec'
 
       TELEMETRY_METRICS_NAMESPACE = 'appsec'
+      TAG_STACK_TRACE = '_dd.stack'
     end
   end
 end

sig/datadog/appsec/actions_handler.rbs

@@ -8,6 +8,12 @@ module Datadog
       def generate_stack: (Datadog::AppSec::SecurityEngine::Result::action action_params) -> void
 
       def generate_schema: (Datadog::AppSec::SecurityEngine::Result::action action_params) -> void
+
+      private
+
+      def generate_stack_trace: (Integer max_depth, Float top_percent) -> (Hash[Symbol, String | Integer | Array[Hash[Symbol, String | Integer | nil]] | nil ])
+
+
     end
   end
 end

sig/datadog/appsec/actions_handler/rasp_stack_trace.rbs

@@ -0,0 +1,17 @@
+module Datadog
+  module AppSec
+    module ActionsHandler
+      class RaspStackTrace
+        type stack_trace = Hash[Symbol, String | nil | Array[Datadog::AppSec::ActionsHandler::StackTraceCollection::stack_frame]]
+
+        @metastruct: Datadog::Tracing::Metadata::Metastruct?
+
+        def initialize: (Datadog::Tracing::Metadata::Metastruct? metastruct) -> void
+
+        def count: () -> Integer
+
+        def push: (stack_trace stack_trace) -> void
+      end
+    end
+  end
+end

sig/datadog/appsec/actions_handler/stack_trace_collection.rbs

@@ -0,0 +1,11 @@
+module Datadog
+  module AppSec
+    module ActionsHandler
+      module StackTraceCollection
+        type stack_frame = Hash[Symbol, String | Integer | nil]
+
+        def self.collect: (Integer max_depth, Float top_percent) -> Array[stack_frame]
+      end
+    end
+  end
+end

sig/datadog/appsec/context.rbs

@@ -3,9 +3,9 @@ module Datadog
     class Context
       type input_data = SecurityEngine::Runner::input_data
 
-      @trace: Tracing::TraceOperation
+      @trace: Tracing::TraceOperation?
 
-      @span: Tracing::SpanOperation
+      @span: Tracing::SpanOperation?
 
       @events: ::Array[untyped]
 
@@ -17,17 +17,17 @@ module Datadog
 
       ActiveContextError: ::StandardError
 
-      attr_reader trace: Tracing::TraceOperation
+      attr_reader trace: Tracing::TraceOperation?
 
-      attr_reader span: Tracing::SpanOperation
+      attr_reader span: Tracing::SpanOperation?
 
       attr_reader events: ::Array[untyped]
 
       def self.activate: (Context context) -> Context
 
       def self.deactivate: () -> void
 
-      def self.active: () -> Context
+      def self.active: () -> Context?
 
       def initialize: (Tracing::TraceOperation trace, Tracing::SpanOperation span, AppSec::Processor security_engine) -> void
 

sig/datadog/appsec/event.rbs

@@ -24,7 +24,7 @@ module Datadog
 
       def self.gzip: (untyped value) -> untyped
 
-      def self.add_distributed_tags: (Tracing::TraceOperation trace) -> void
+      def self.add_distributed_tags: (Tracing::TraceOperation? trace) -> void
     end
   end
 end

sig/datadog/appsec/ext.rbs

@@ -14,6 +14,7 @@ module Datadog
       CONTEXT_KEY: ::String
 
       ACTIVE_CONTEXT_KEY: ::Symbol
+      EXPLOIT_PREVENTION_EVENT_CATEGORY: ::String
 
       TAG_APPSEC_ENABLED: ::String
 
@@ -22,6 +23,7 @@ module Datadog
       TAG_DISTRIBUTED_APPSEC_EVENT: ::String
 
       TELEMETRY_METRICS_NAMESPACE: ::String
+      TAG_STACK_TRACE: ::String
     end
   end
 end

spec/datadog/appsec/actions_handler/rasp_stack_trace_spec.rb

@@ -0,0 +1,121 @@
+# frozen_string_literal: true
+
+require 'datadog/appsec/actions_handler/rasp_stack_trace'
+require 'datadog/tracing/metadata/metastruct'
+
+RSpec.describe Datadog::AppSec::ActionsHandler::RaspStackTrace do
+  subject(:rasp_stack_trace) { described_class.new(metastruct) }
+  let(:metastruct) { Datadog::Tracing::Metadata::Metastruct.new(metastruct_hash) }
+  let(:metastruct_hash) { {} }
+
+  describe '.count' do
+    subject(:count) { rasp_stack_trace.count }
+
+    context 'with nil as metastruct' do
+      let(:metastruct) { nil }
+
+      it { is_expected.to eq 0 }
+    end
+
+    context 'with empty metastruct' do
+      it { is_expected.to eq 0 }
+    end
+
+    context 'with metastruct containing non-exploit stack traces' do
+      let(:metastruct_hash) do
+        {
+          '_dd.stack' => {
+            'vulnerabilities' => [1, 2]
+          }
+        }
+      end
+
+      it { is_expected.to eq 0 }
+    end
+
+    context 'with metastruct containing exploit stack traces' do
+      let(:metastruct_hash) do
+        {
+          '_dd.stack' => {
+            'exploit' => [1, 2]
+          }
+        }
+      end
+
+      it { is_expected.to eq 2 }
+    end
+  end
+
+  describe '.push' do
+    before do
+      rasp_stack_trace.push({ language: 'ruby', stack_id: 'foo', frames: [] })
+    end
+
+    context 'with empty metastruct' do
+      it 'adds a new stack trace to the metastruct' do
+        expect(metastruct.to_h).to eq(
+          '_dd.stack' => {
+            'exploit' => [
+              {
+                language: 'ruby',
+                stack_id: 'foo',
+                frames: []
+              }
+            ]
+          }
+        )
+      end
+    end
+
+    context 'with existing exploit stack traces in different group' do
+      let(:metastruct_hash) do
+        {
+          '_dd.stack' => {
+            'vulnerabilities' => [1, 2]
+          }
+        }
+      end
+
+      it 'adds a new stack trace to the metastruct' do
+        expect(metastruct.to_h).to eq(
+          '_dd.stack' => {
+            'vulnerabilities' => [1, 2],
+            'exploit' => [
+              {
+                language: 'ruby',
+                stack_id: 'foo',
+                frames: []
+              }
+            ]
+          }
+        )
+      end
+    end
+
+    context 'with existing exploit stack traces in the same group' do
+      let(:metastruct_hash) do
+        {
+          '_dd.stack' => {
+            'exploit' => [1, 2]
+          }
+        }
+      end
+
+      it 'adds a new stack trace to the metastruct' do
+        expect(metastruct.to_h).to eq(
+          '_dd.stack' => {
+            'exploit' => [
+              1,
+              2,
+              {
+                language: 'ruby',
+                stack_id: 'foo',
+                frames: []
+              }
+            ]
+          }
+        )
+      end
+    end
+  end
+end

spec/datadog/appsec/actions_handler/stack_trace_collection_spec.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+require 'datadog/appsec/actions_handler/stack_trace_collection'
+require 'support/thread_backtrace_helpers'
+
+RSpec.describe Datadog::AppSec::ActionsHandler::StackTraceCollection do
+  describe '.collect' do
+    subject(:collection) { described_class.collect(max_depth, top_percent) }
+
+    # Default values in config
+    let(:max_depth) { 32 }
+    let(:top_percent) { 75 }
+
+    # "/app/spec/support/thread_backtrace_helpers.rb:12:in `block in locations_inside_nested_blocks'",
+    # "/app/spec/support/thread_backtrace_helpers.rb:14:in `block (2 levels) in locations_inside_nested_blocks'",
+    # "/app/spec/support/thread_backtrace_helpers.rb:16:in `block (3 levels) in locations_inside_nested_blocks'",
+    # "/app/spec/support/thread_backtrace_helpers.rb:16:in `block (4 levels) in locations_inside_nested_blocks'",
+    # "/app/spec/support/thread_backtrace_helpers.rb:16:in `block (5 levels) in locations_inside_nested_blocks'"
+    let(:frames) { ThreadBacktraceHelper.locations_inside_nested_blocks }
+
+    before do
+      # Hack to get caller_locations to return a known set of frames
+      allow_any_instance_of(Array).to receive(:reject).and_return(frames.clone)
+    end
+
+    it 'returns stack frames excluding those from datadog' do
+      expect(collection.any? { |loc| loc[:text].include?('lib/datadog') }).to be false
+    end
+
+    it 'returns the correct number of stack frames' do
+      expect(collection.size).to eq(5)
+    end
+
+    context 'with max_depth set to 4' do
+      let(:max_depth) { 4 }
+
+      it 'creates a stack trace with 4 frames, 3 top' do
+        expect(collection.count).to eq(4)
+        expect(collection[2][:text]).to eq(frames[2].to_s)
+        expect(collection[3][:text]).to eq(frames[4].to_s)
+      end
+
+      context 'with max_depth_top_percent set to 25' do
+        let(:top_percent) { 25 }
+
+        it 'creates a stack trace with 4 frames, 1 top' do
+          expect(collection.count).to eq(4)
+          expect(collection[0][:text]).to eq(frames[0].to_s)
+          expect(collection[1][:text]).to eq(frames[2].to_s)
+        end
+      end
+
+      context 'with max_depth_top_percent set to 100' do
+        let(:top_percent) { 100 }
+
+        it 'creates a stack trace with 4 top frames' do
+          expect(collection.count).to eq(4)
+          expect(collection[0][:text]).to eq(frames[0].to_s)
+          expect(collection[3][:text]).to eq(frames[3].to_s)
+        end
+      end
+
+      context 'with max_depth_top_percent set to 0' do
+        let(:top_percent) { 0 }
+
+        it 'creates a stack trace with 4 bottom frames' do
+          expect(collection.count).to eq(4)
+          expect(collection[0][:text]).to eq(frames[1].to_s)
+          expect(collection[3][:text]).to eq(frames[4].to_s)
+        end
+      end
+    end
+
+    context 'with max_depth set to 3' do
+      let(:max_depth) { 3 }
+
+      context 'with max_depth_top_percent set to 66.67' do
+        let(:top_percent) { 200 / 3.0 }
+
+        it 'creates a stack trace with 3 frames, 2 top' do
+          expect(collection.count).to eq(3)
+          expect(collection[1][:text]).to eq(frames[1].to_s)
+          expect(collection[2][:text]).to eq(frames[4].to_s)
+        end
+      end
+    end
+  end
+end

spec/datadog/appsec/actions_handler_spec.rb

@@ -1,6 +1,10 @@
 # frozen_string_literal: true
 
+require 'ostruct'
+
+require 'datadog/appsec/ext'
 require 'datadog/appsec/spec_helper'
+require 'support/thread_backtrace_helpers'
 
 RSpec.describe Datadog::AppSec::ActionsHandler do
   describe '.handle' do
@@ -97,4 +101,124 @@
       end
     end
   end
+
+  describe '.generate_stack' do
+    let(:generate_stack_action) { { 'stack_id' => 'foo' } }
+    let(:trace_op) { Datadog::Tracing::TraceOperation.new }
+    let(:trace_op_metastruct) { nil }
+    let(:span_op) { Datadog::Tracing::SpanOperation.new('span_test') }
+    let(:span_op_metastruct) { nil }
+    let(:context) { OpenStruct.new(trace: trace_op, span: span_op) }
+    let(:stack_trace_enabled) { true }
+    let(:max_collect) { 0 }
+
+    let(:stack_key) { Datadog::AppSec::Ext::TAG_STACK_TRACE }
+    let(:exploit_category) { Datadog::AppSec::Ext::EXPLOIT_PREVENTION_EVENT_CATEGORY }
+
+    before do
+      Datadog.configure do |c|
+        c.appsec.stack_trace.max_depth = 0
+        c.appsec.stack_trace.max_depth_top_percent = 0
+      end
+      allow(Datadog.configuration.appsec.stack_trace).to receive(:enabled).and_return(stack_trace_enabled)
+      allow(Datadog.configuration.appsec.stack_trace).to receive(:max_collect).and_return(max_collect)
+      allow(Datadog::AppSec).to receive(:active_context).and_return(context)
+      allow(Datadog::AppSec::ActionsHandler::StackTraceCollection).to receive(:collect).and_return(
+        ThreadBacktraceHelper.locations_inside_nested_blocks.map.with_index do |location, index|
+          {
+            id: index,
+            text: location.to_s.encode('UTF-8'),
+            file: (location.absolute_path || location.path)&.encode('UTF-8'),
+            line: location.lineno,
+            function: location.label&.encode('UTF-8')
+          }
+        end
+      )
+      trace_op.metastruct[Datadog::AppSec::Ext::TAG_STACK_TRACE] = trace_op_metastruct
+      span_op.metastruct[Datadog::AppSec::Ext::TAG_STACK_TRACE] = span_op_metastruct
+      described_class.generate_stack(generate_stack_action)
+    end
+
+    context 'when stack trace is enabled and context contains trace and span' do
+      it 'adds stack trace to the trace' do
+        trace_op_result = trace_op.metastruct[stack_key][exploit_category]
+        expect(trace_op_result.size).to eq(1)
+        expect(trace_op_result.first[:id]).to eq('foo')
+        expect(trace_op_result.first[:frames].size).to eq(5)
+      end
+
+      context 'when max_collect is 2' do
+        let(:max_collect) { 2 }
+
+        context 'with two elements contained in same group in trace' do
+          let(:trace_op_metastruct) { { exploit_category => [1, 2] } }
+
+          it 'does not add stack trace to the trace nor the span' do
+            trace_op_result = trace_op.metastruct.dig(stack_key, exploit_category)
+            expect(trace_op_result.size).to eq(2)
+            expect(trace_op_result[0]).to eq(1)
+            expect(trace_op_result[1]).to eq(2)
+            span_op_result = span_op.metastruct.dig(stack_key, exploit_category)
+            expect(span_op_result).to be_nil
+          end
+        end
+
+        context 'with two elements contained in same group in span' do
+          let(:span_op_metastruct) { { exploit_category => [1, 2] } }
+
+          it 'does not add stack trace to the trace nor the span' do
+            span_op_result = span_op.metastruct.dig(stack_key, exploit_category)
+            expect(span_op_result.size).to eq(2)
+            expect(span_op_result[0]).to eq(1)
+            expect(span_op_result[1]).to eq(2)
+            trace_op_result = trace_op.metastruct.dig(stack_key, exploit_category)
+            expect(trace_op_result).to be_nil
+          end
+        end
+
+        context 'with one element contained in same group in span and trace' do
+          let(:trace_op_metastruct) { { exploit_category => [1] } }
+          let(:span_op_metastruct) { { exploit_category => [2] } }
+
+          it 'does not add stack trace to the trace nor the span' do
+            trace_op_result = trace_op.metastruct.dig(stack_key, exploit_category)
+            expect(trace_op_result.size).to eq(1)
+            expect(trace_op_result.first).to eq(1)
+            span_op_result = span_op.metastruct.dig(stack_key, exploit_category)
+            expect(span_op_result.size).to eq(1)
+            expect(span_op_result.first).to eq(2)
+          end
+        end
+
+        context 'with two elements contained in different group in trace' do
+          let(:trace_op_metastruct) { { 'other_group' => [1, 2] } }
+
+          it 'does add stack trace to the trace' do
+            trace_op_result = trace_op.metastruct.dig(stack_key, exploit_category)
+            expect(trace_op_result.size).to eq(1)
+            expect(trace_op_result.first[:id]).to eq('foo')
+          end
+        end
+      end
+    end
+
+    context 'when stack trace is enabled and context contains only span' do
+      let(:context) { OpenStruct.new(span: span_op) }
+
+      it 'adds stack trace to the span' do
+        test_result = span_op.metastruct[stack_key][exploit_category]
+        expect(test_result.size).to eq(1)
+        expect(test_result.first[:id]).to eq('foo')
+        expect(test_result.first[:frames].size).to eq(5)
+      end
+    end
+
+    context 'when stack trace is disabled' do
+      let(:stack_trace_enabled) { false }
+
+      it 'does not add stack trace to the trace' do
+        expect(trace_op.metastruct[stack_key]).to be_nil
+      end
+    end
+  end
 end

spec/datadog/appsec/configuration/settings_spec.rb

@@ -930,5 +930,189 @@ def patcher
         end
       end
     end
+
+    describe 'stack_trace' do
+      describe '#enabled' do
+        subject(:enabled) { settings.appsec.stack_trace.enabled }
+
+        context 'when DD_APPSEC_STACK_TRACE_ENABLED' do
+          around do |example|
+            ClimateControl.modify('DD_APPSEC_STACK_TRACE_ENABLED' => stack_trace_enabled) do
+              example.run
+            end
+          end
+
+          context 'is not defined' do
+            let(:stack_trace_enabled) { nil }
+
+            it { is_expected.to eq true }
+          end
+
+          [true, false].each do |value|
+            context "is defined as #{value}" do
+              let(:stack_trace_enabled) { value.to_s }
+
+              it { is_expected.to eq value }
+            end
+          end
+        end
+      end
+
+      describe '#enabled=' do
+        subject(:set_stack_trace_enabled) { settings.appsec.stack_trace.enabled = stack_trace_enabled }
+
+        [true, false].each do |value|
+          context "when given #{value}" do
+            let(:stack_trace_enabled) { value }
+
+            before { set_stack_trace_enabled }
+
+            it { expect(settings.appsec.stack_trace.enabled).to eq(value) }
+          end
+        end
+      end
+
+      describe '#max_depth' do
+        subject(:max_depth) { settings.appsec.stack_trace.max_depth }
+
+        context 'when DD_APPSEC_MAX_STACK_TRACE_DEPTH' do
+          around do |example|
+            ClimateControl.modify('DD_APPSEC_MAX_STACK_TRACE_DEPTH' => stack_trace_max_depth) do
+              example.run
+            end
+          end
+
+          context 'is not defined' do
+            let(:stack_trace_max_depth) { nil }
+
+            it { is_expected.to eq 32 }
+          end
+
+          context 'is defined' do
+            let(:stack_trace_max_depth) { '64' }
+
+            it { is_expected.to eq(64) }
+          end
+        end
+      end
+
+      describe '#max_depth=' do
+        subject(:set_stack_trace_max_depth) { settings.appsec.stack_trace.max_depth = stack_trace_max_depth }
+
+        context 'when given a value' do
+          let(:stack_trace_max_depth) { 64 }
+
+          before { set_stack_trace_max_depth }
+
+          it { expect(settings.appsec.stack_trace.max_depth).to eq(64) }
+        end
+
+        context 'when given a negative value' do
+          let(:stack_trace_max_depth) { -1 }
+
+          before { set_stack_trace_max_depth }
+
+          it { expect(settings.appsec.stack_trace.max_depth).to eq(0) }
+        end
+      end
+
+      describe '#max_depth_top_percent' do
+        subject(:max_depth_top_percent) { settings.appsec.stack_trace.max_depth_top_percent }
+
+        context 'when DD_APPSEC_MAX_STACK_TRACE_DEPTH_TOP_PERCENT' do
+          around do |example|
+            ClimateControl.modify('DD_APPSEC_MAX_STACK_TRACE_DEPTH_TOP_PERCENT' => stack_trace_max_depth_top_percent) do
+              example.run
+            end
+          end
+
+          context 'is not defined' do
+            let(:stack_trace_max_depth_top_percent) { nil }
+
+            it { is_expected.to eq 75 }
+          end
+
+          context 'is defined' do
+            let(:stack_trace_max_depth_top_percent) { '50' }
+
+            it { is_expected.to eq(50) }
+          end
+        end
+      end
+
+      describe '#max_depth_top_percent=' do
+        subject(:set_stack_trace_max_depth_top_percent) do
+          settings.appsec.stack_trace.max_depth_top_percent = stack_trace_max_depth_top_percent
+        end
+
+        context 'when given a value' do
+          let(:stack_trace_max_depth_top_percent) { 50 }
+
+          before { set_stack_trace_max_depth_top_percent }
+
+          it { expect(settings.appsec.stack_trace.max_depth_top_percent).to eq(50) }
+        end
+
+        context 'when given a negative value' do
+          let(:stack_trace_max_depth_top_percent) { -1 }
+
+          before { set_stack_trace_max_depth_top_percent }
+
+          it { expect(settings.appsec.stack_trace.max_depth_top_percent).to eq(0) }
+        end
+
+        context 'when given a value higher than 100' do
+          let(:stack_trace_max_depth_top_percent) { 101 }
+
+          before { set_stack_trace_max_depth_top_percent }
+
+          it { expect(settings.appsec.stack_trace.max_depth_top_percent).to eq(100) }
+        end
+      end
+
+      describe '#max_collect' do
+        subject(:max_collect) { settings.appsec.stack_trace.max_collect }
+
+        context 'when DD_APPSEC_MAX_STACK_TRACES' do
+          around do |example|
+            ClimateControl.modify('DD_APPSEC_MAX_STACK_TRACES' => stack_trace_max_collect) do
+              example.run
+            end
+          end
+
+          context 'is not defined' do
+            let(:stack_trace_max_collect) { nil }
+
+            it { is_expected.to eq 2 }
+          end
+
+          context 'is defined' do
+            let(:stack_trace_max_collect) { '4' }
+
+            it { is_expected.to eq(4) }
+          end
+        end
+      end
+
+      describe '#max_collect=' do
+        subject(:set_stack_trace_max_collect) { settings.appsec.stack_trace.max_collect = stack_trace_max_collect }
+
+        context 'when given a value' do
+          let(:stack_trace_max_collect) { 4 }
+
+          before { set_stack_trace_max_collect }
+
+          it { expect(settings.appsec.stack_trace.max_collect).to eq(4) }
+        end
+
+        context 'when given a negative value' do
+          let(:stack_trace_max_collect) { -1 }
+
+          before { set_stack_trace_max_collect }
+
+          it { expect(settings.appsec.stack_trace.max_collect).to eq(0) }
+        end
+      end
+    end
   end
 end

spec/support/thread_backtrace_helpers.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+# Module to test stack trace generation. Inspired by:
+# https://github.com/ruby/ruby/blob/master/spec/ruby/core/thread/backtrace/location/fixtures/classes.rb
+module ThreadBacktraceHelper
+  def self.locations
+    caller_locations
+  end
+
+  # Deeply nested blocks to test max_depth and max_depth_top_percentage variables
+  def self.locations_inside_nested_blocks
+    first_level_location = nil
+    second_level_location = nil
+    third_level_location = nil
+    fourth_level_location = nil
+    fifth_level_location = nil
+
+    # rubocop:disable Lint/UselessTimes
+    1.times do
+      first_level_location = locations.first
+      1.times do
+        second_level_location = locations.first
+        1.times do
+          third_level_location = locations.first
+          1.times do
+            fourth_level_location = locations.first
+            1.times do
+              fifth_level_location = locations.first
+            end
+          end
+        end
+      end
+    end
+    # rubocop:enable Lint/UselessTimes
+
+    [first_level_location, second_level_location, third_level_location, fourth_level_location, fifth_level_location]
+  end
+
+  def self.thousand_locations
+    locations = []
+    1000.times do
+      locations << self.locations.first
+    end
+    locations
+  end
+
+  LocationASCII8Bit = Struct.new(:text, :path, :lineno, :label, keyword_init: true) do
+    def to_s
+      text
+    end
+  end
+
+  def self.location_ascii_8bit
+    location = locations.first
+    LocationASCII8Bit.new(
+      text: location.to_s.encode('ASCII-8BIT'),
+      path: (location.absolute_path || location.path).encode('ASCII-8BIT'),
+      lineno: location.lineno,
+      label: location.label.encode('ASCII-8BIT')
+    )
+
+    [location]
+  end
+end