Skip to content

[APMSP-3102] Fix HTTP client body parsing#5990

Merged
Strech merged 8 commits into
masterfrom
apmsp-3102-fix-http-client-body-parsing
Jul 3, 2026
Merged

[APMSP-3102] Fix HTTP client body parsing#5990
Strech merged 8 commits into
masterfrom
apmsp-3102-fix-http-client-body-parsing

Conversation

@Strech

@Strech Strech commented Jul 3, 2026

Copy link
Copy Markdown
Member

What does this PR do?

Adds configurable limit on request/response body size for WAF analysis during downstream requests for supported HTTP contribs

Motivation:

Fix APPSEC-68529
Fix APPSEC-68522
Fix APPSEC-68551

Change log entry

Yes. Add size-awareness for downstream HTTP body analysis

Additional Notes:

All clients share same-looking code for request/response parsing, but no extraction was done. It's hard to generalize that for multi-purpose, hence going to live as duplication for now.

How to test the change?

CI

@Strech
Strech requested review from a team as code owners July 3, 2026 12:39
@dd-octo-sts dd-octo-sts Bot added core Involves Datadog core libraries integrations Involves tracing integrations appsec Application Security monitoring product labels Jul 3, 2026
@dd-octo-sts

dd-octo-sts Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Typing analysis

Note: Ignored files are excluded from the next sections.

steep:ignore comments

This PR introduces 3 steep:ignore comments, and clears 2 steep:ignore comments.

steep:ignore comments (+3-2)Introduced:
lib/datadog/appsec/contrib/rest_client/request_ssrf_detection_patch.rb:174
lib/datadog/appsec/contrib/rest_client/request_ssrf_detection_patch.rb:176
lib/datadog/appsec/utils/http/body_reader.rb:51
Cleared:
lib/datadog/appsec/contrib/rest_client/request_ssrf_detection_patch.rb:121
lib/datadog/appsec/contrib/rest_client/request_ssrf_detection_patch.rb:123

Untyped methods

This PR introduces 1 partially typed method. It increases the percentage of typed methods from 65.59% to 65.77% (+0.18%).

Partially typed methods (+1-0)Introduced:
sig/datadog/appsec/utils/http/body_reader.rbs:6
└── def self?.read: (untyped body, limit: Integer, ?rewind_before_read: bool) -> String?

Untyped other declarations

This PR introduces 1 untyped other declaration, and clears 1 untyped other declaration. It increases the percentage of typed other declarations from 83.63% to 83.69% (+0.06%).

Untyped other declarations (+1-1)Introduced:
sig/datadog/appsec/contrib/rack/buffered_input.rbs:13
└── @buffer: untyped
Cleared:
sig/datadog/appsec/contrib/rack/buffered_input.rbs:27
└── @buffer: untyped

If you believe a method or an attribute is rightfully untyped or partially typed, you can add # untyped:accept on the line before the definition to remove it from the stats.

@datadog-prod-us1-5

datadog-prod-us1-5 Bot commented Jul 3, 2026

Copy link
Copy Markdown

Tests

🎉 All green!

🧪 All tests passed
❄️ No new flaky tests detected

🎯 Code Coverage (details)
Patch Coverage: 95.48%
Overall Coverage: 90.04% (+0.00%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 4257cdb | Docs | Datadog PR Page | Give us feedback!

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4257cdbdfe

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread lib/datadog/appsec/contrib/faraday/ssrf_detection_middleware.rb
@Strech
Strech enabled auto-merge July 3, 2026 13:40
@Strech
Strech merged commit 0f52e46 into master Jul 3, 2026
869 of 872 checks passed
@Strech
Strech deleted the apmsp-3102-fix-http-client-body-parsing branch July 3, 2026 13:50
@dd-octo-sts dd-octo-sts Bot added this to the 2.37.0 milestone Jul 3, 2026
end

content_length_value = headers['content-length']
if !content_length_value.is_a?(String) || !content_length_value.match?(/\A[1-9][0-9]*\z/)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as discussed, regex can be dropped here

end

content_length_value = headers['content-length']
if !content_length_value.is_a?(String) || !content_length_value.match?(/\A[1-9][0-9]*\z/)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same here

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

appsec Application Security monitoring product core Involves Datadog core libraries integrations Involves tracing integrations

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants