Skip to content

[APMSP-3174] AppSec body parsing size limit#5877

Merged
Strech merged 7 commits into
masterfrom
apmsp-3174-appsec-body-parsing-size-limit
Jun 10, 2026
Merged

[APMSP-3174] AppSec body parsing size limit#5877
Strech merged 7 commits into
masterfrom
apmsp-3174-appsec-body-parsing-size-limit

Conversation

@Strech

@Strech Strech commented Jun 9, 2026

Copy link
Copy Markdown
Member

What does this PR do?

Add new DD_APPSEC_BODY_PARSING_SIZE_LIMIT env variable to control the size of the request/response payload processing by AppSec.

Motivation:

This is a part of unconditional parsing when AppSec is enabled. There are still few bits that should be properly guarded or maybe re-written that might trigger parsing (see Rails body collection). But this is a first step to control the max. size of the payload we might touch.

Change log entry

Yes. Add DD_APPSEC_BODY_PARSING_SIZE_LIMIT to limit request body size sent to the WAF; set to 0 to disable body collection

Additional Notes:

[RFC-1089] Improving WAF Timeouts and Truncations Management

How to test the change?

CI + ST

@dd-octo-sts dd-octo-sts Bot added core Involves Datadog core libraries integrations Involves tracing integrations appsec Application Security monitoring product labels Jun 9, 2026
@dd-octo-sts

dd-octo-sts Bot commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

Typing analysis

Note: Ignored files are excluded from the next sections.

Untyped methods

This PR introduces 8 partially typed methods, and clears 7 partially typed methods. It decreases the percentage of typed methods from 65.14% to 65.11% (-0.03%).

Partially typed methods (+8-7)Introduced:
sig/datadog/appsec/contrib/aws_lambda/waf_addresses.rbs:10
└── def self?.from_request: (Hash[String, untyped] payload) -> Hash[String, untyped]
sig/datadog/appsec/contrib/aws_lambda/waf_addresses.rbs:12
└── def self?.from_response: (Hash[String, untyped]? payload) -> Hash[String, untyped]
sig/datadog/appsec/contrib/aws_lambda/waf_addresses.rbs:14
└── def self?.parse_headers: (Hash[String, untyped] payload) -> Hash[String, String]
sig/datadog/appsec/contrib/aws_lambda/waf_addresses.rbs:16
└── def self?.parse_cookies: (Hash[String, untyped] payload, Hash[String, String] headers) -> Hash[String, String?]?
sig/datadog/appsec/contrib/aws_lambda/waf_addresses.rbs:18
└── def self?.build_fullpath: (Hash[String, untyped] payload) -> String?
sig/datadog/appsec/contrib/aws_lambda/waf_addresses.rbs:20
└── def self?.build_query_string: (Hash[String, untyped] payload) -> String?
sig/datadog/appsec/contrib/aws_lambda/waf_addresses.rbs:24
└── def self?.parse_body: (Hash[String, untyped] payload, Hash[String, String] headers) -> untyped
sig/datadog/appsec/contrib/aws_lambda/waf_addresses.rbs:26
└── def self?.body_byte_length: (Hash[String, untyped] payload) -> Integer?
Cleared:
sig/datadog/appsec/contrib/aws_lambda/waf_addresses.rbs:6
└── def self?.from_request: (::Hash[::String, untyped] payload) -> ::Hash[::String, untyped]
sig/datadog/appsec/contrib/aws_lambda/waf_addresses.rbs:8
└── def self?.from_response: (::Hash[::String, untyped]? payload) -> ::Hash[::String, untyped]
sig/datadog/appsec/contrib/aws_lambda/waf_addresses.rbs:10
└── def self?.parse_headers: (::Hash[::String, untyped] payload) -> ::Hash[::String, ::String]
sig/datadog/appsec/contrib/aws_lambda/waf_addresses.rbs:12
└── def self?.parse_cookies: (::Hash[::String, untyped] payload, ::Hash[::String, ::String] headers) -> ::Hash[::String, ::String?]?
sig/datadog/appsec/contrib/aws_lambda/waf_addresses.rbs:14
└── def self?.build_fullpath: (::Hash[::String, untyped] payload) -> ::String?
sig/datadog/appsec/contrib/aws_lambda/waf_addresses.rbs:16
└── def self?.build_query_string: (::Hash[::String, untyped] payload) -> ::String?
sig/datadog/appsec/contrib/aws_lambda/waf_addresses.rbs:20
└── def self?.parse_body: (::Hash[::String, untyped] payload, ::Hash[::String, ::String] headers) -> untyped

If you believe a method or an attribute is rightfully untyped or partially typed, you can add # untyped:accept on the line before the definition to remove it from the stats.

@datadog-prod-us1-6

datadog-prod-us1-6 Bot commented Jun 9, 2026

Copy link
Copy Markdown

Tests

🎉 All green!

🧪 All tests passed
❄️ No new flaky tests detected

🎯 Code Coverage (details)
Patch Coverage: 93.52%
Overall Coverage: 90.07% (+0.01%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 9759a7e | Docs | Datadog PR Page | Give us feedback!

@Strech
Strech marked this pull request as ready for review June 9, 2026 09:40
@Strech
Strech requested review from a team as code owners June 9, 2026 09:40

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e7c603db8e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread lib/datadog/appsec/contrib/rack/gateway/watcher.rb Outdated
Comment thread lib/datadog/appsec/contrib/rails/gateway/watcher.rb Outdated
Comment thread lib/datadog/appsec/contrib/sinatra/gateway/watcher.rb Outdated
@pr-commenter

pr-commenter Bot commented Jun 9, 2026

Copy link
Copy Markdown

Benchmarks

Benchmark execution time: 2026-06-09 16:05:14

Comparing candidate commit 9759a7e in PR branch apmsp-3174-appsec-body-parsing-size-limit with baseline commit e014f83 in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 45 metrics, 1 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

  • 🟩 = significantly better candidate vs. baseline
  • 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

@Strech
Strech marked this pull request as draft June 9, 2026 13:34
@Strech
Strech force-pushed the apmsp-3174-appsec-body-parsing-size-limit branch from e7c603d to 9759a7e Compare June 9, 2026 15:39
@Strech
Strech marked this pull request as ready for review June 9, 2026 15:43
@Strech
Strech enabled auto-merge June 9, 2026 15:44
@Strech
Strech merged commit 259049d into master Jun 10, 2026
872 of 874 checks passed
@Strech
Strech deleted the apmsp-3174-appsec-body-parsing-size-limit branch June 10, 2026 11:26
@dd-octo-sts dd-octo-sts Bot added this to the 2.36.0 milestone Jun 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

appsec Application Security monitoring product core Involves Datadog core libraries integrations Involves tracing integrations

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants