[APPSEC-61864] Add AppSec AWS Lambda contrib#5663
Conversation
The request and response watchers crash with NoMethodError when AppSec::Context is not active. Skip WAF processing and continue the gateway stack instead. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Replace manual JSON/form-urlencoded parsing with Body.parse and MediaType.parse. This adds telemetry on parse errors, preserves duplicate URL-encoded keys as arrays, and adds missing require for base64. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
API Gateway v1 provides pre-decoded queryStringParameters but no raw query string. Manual string concatenation produced invalid URIs when values contained special characters like & or spaces. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Move all AppSec logic (context lifecycle, WAF, Event.record, finalization) from datadog-lambda-rb into dd-trace-rb watcher. Producer (datadog-lambda-rb) becomes a dumb data provider that pushes raw PORO hashes through the gateway. Delete Request and Response gateway classes — parsing logic now lives in the watcher as private helpers. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Move Lambda payload parsing and WAF address building into a dedicated AwsLambda::WAFAddresses module. Watcher becomes a thin orchestrator that delegates data transformation. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Remove activate_context and finalize from watcher — context creation, Event.record, export, and deactivation now owned by Lambda::AppSec in datadog-lambda-rb. Watcher keeps only WAF logic (handle_request + handle_response). Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Lambda now owns request data via AppSec::Request. The Watcher receives DataContainer payloads and unwraps .data for WAFAddresses. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
AWS Lambda events can have explicit null values for fields like queryStringParameters. Hash#fetch returns nil when the key exists with a nil value, causing URI.encode_www_form to crash on nil.map. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
|
Thank you for updating Change log entry section 👏 Visited at: 2026-05-04 12:02:33 UTC |
Typing analysisNote: Ignored files are excluded from the next sections. Untyped methodsThis PR introduces 7 partially typed methods. It increases the percentage of typed methods from 61.75% to 61.77% (+0.02%). Partially typed methods (+7-0)❌ Introduced:If you believe a method or an attribute is rightfully untyped or partially typed, you can add |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6474970492
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
- Add missing require 'uri' (crashes on Ruby 3.3+ for v1 payloads) - Fix build_query_string to prefer multiValueQueryStringParameters, consistent with parse_query (URI.encode_www_form handles arrays) - Switch watcher from Context.active to payload.context, matching other AppSec watchers that read context from the gateway payload - Rename handle_request/handle_response to watch_request/watch_response to match codebase naming convention - Fix from_response nil guard to idiomatic default parameter - Integration#compatible? now delegates to super Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
- Remove stale activate_context and finalize signatures from watcher - Rename handle_* to watch_* matching Ruby implementation - Use fully qualified gateway type matching Rack watcher pattern - compatible? returns bool (not literal true) matching other integrations - Replace untyped with any for intentionally polymorphic Lambda payloads - Fix from_response signature for default parameter Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
- Use instance_double with verified classes (SecurityEngine::Result, TraceOperation, SpanOperation) instead of unverified double - Inline nil context in subject instead of let override - Move local variables in .watch test to let statements - Fix let ordering in patcher spec (caller before callee) Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
BenchmarksBenchmark execution time: 2026-05-06 19:08:04 Comparing candidate commit b6f988b in PR branch Found 0 performance improvements and 0 performance regressions! Performance is the same for 45 metrics, 1 unstable metrics.
|
Stop injecting fake values (200 status, GET method, / path) when AWS event fields are missing — let WAF handle absent addresses via compact. Rename parse_body local to body, simplify guard returns, reorder requires, and update RBS nullability. In specs: rename appsec_context to context, remove events let indirection, pre-compute base64 fixture. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Return early from from_response when payload is nil or empty instead of computing empty hashes for WAF. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Drop v1/v2 fallback chains — WAFAddresses now reads standard keys (method, path, source_ip, query, query_string, etc.) produced by lambda-rb's event normalizer. Unify cookie parsing for both v2 cookie arrays and v1 Cookie header. Remove extract_method and parse_query methods that were just fallback wrappers. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
The caller always provides the argument; nil is handled by the guard. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
* Add description to the WAFAddresses module
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: afc234367b
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
🎉 All green!❄️ No new flaky tests detected 🎯 Code Coverage (details) 🔗 Commit SHA: b6f988b | Docs | Datadog PR Page | Give us feedback! |
V2 events now carry `query` from lambda-rb normalizer. Add realistic V2 test and keep the query_string-only fallback path covered separately. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
What does this PR do?
This PR will add handling of AWS Lambda pushing messages to the gateway.
Motivation:
This is an AppSec part of the Endpoint Discovery & Correlation from Inferred Spans RFC
Change log entry
Yes. Add AWS Lambda contrib
Additional Notes:
This PR was generated with a help of AI, but rewritten by hand.
How to test the change?
CI + ST