
AppSec Lambda: Analyze HTTP response#11750

Open

claponcet wants to merge 21 commits into master from clara.poncet/appsec-lambda-response

Conversation

claponcet (Contributor) commented Jun 26, 2026

What Does This Do

Adds AppSec response analysis for AWS Lambda: LambdaAppSecHandler.processResponseData
parses the Lambda response object and fires the WAF gateway events (responseStarted,
responseHeader, responseHeaderDone, responseBody) with the extracted status code,
headers, and body.

Trigger-type detection (API Gateway v1/v2, ALB, Lambda URL, WebSocket) is added to
processRequestStart and stored in a ThreadLocal. processResponseData uses it to
decide whether to parse the response as an API-GW envelope or fall back to treating the
whole payload as a plain response body, matching how non-envelope HTTP triggers behave.

CoreTracer.notifyAppSecEnd is extended to receive the raw result object so it can be
forwarded to processResponseData from the Lambda handler instrumentation.

Additional extraction improvements:

  • Response header keys are lowercased (Locale.ROOT) to normalise casing across API GW / ALB variants
  • isBase64Encoded accepts "true" (string) in addition to Boolean.TRUE

LambdaHandlerInstrumentationTest and LambdaAppSecHandlerTest migrated from Spock/Groovy
to JUnit 5 Java, with new test cases for response analysis and trigger-type gating.

processRequestEnd now propagates ASM_KEEP for traces where the WAF set isManuallyKept() via a trace-tagging rule but produced no WAF events. In Lambda the WAF runs before the span exists, so GatewayBridge's existing guard (which gates the tag on non-empty events) never fires for this case; the fix applies the tags directly in processRequestEnd. A minimal AppSecContext interface is introduced in internal-api to expose isManuallyKept() across module boundaries.

Motivation

Allows the WAF to inspect Lambda HTTP responses for threats.

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-60532
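As an added illustration (example code written for this page, not the dd-trace-java code this PR introduces), the following standalone class shows the response-side extraction the description outlines: gate on the detected trigger type, read the API Gateway-style envelope, lowercase header keys with Locale.ROOT so API GW and ALB casing variants collapse into one entry, accept both Boolean.TRUE and the string "true" for isBase64Encoded, and otherwise fall back to treating the whole payload as a plain response body. The TriggerType enum, the class and method names, and the rule that Lambda URL results without a statusCode are plain bodies are assumptions; the envelope built in main is constructed sample input.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

/** Added example: turns a Lambda result object into the status/headers/body a WAF would inspect. */
public final class LambdaResponseExtractor {

  /** Hypothetical trigger classification; the names are assumptions, not the PR's own. */
  public enum TriggerType { API_GATEWAY_V1, API_GATEWAY_V2, ALB, LAMBDA_URL, WEBSOCKET, UNKNOWN }

  /** What the response gateway events need: status (null when not derivable), headers, body. */
  public static final class ExtractedResponse {
    public final Integer statusCode;
    public final Map<String, List<String>> headers;
    public final String body;

    ExtractedResponse(Integer statusCode, Map<String, List<String>> headers, String body) {
      this.statusCode = statusCode;
      this.headers = Collections.unmodifiableMap(headers);
      this.body = body;
    }
  }

  /** Assumption: these HTTP triggers hand back a {statusCode, headers, body} envelope. */
  static boolean isEnvelopeTrigger(TriggerType t) {
    return t == TriggerType.API_GATEWAY_V1 || t == TriggerType.API_GATEWAY_V2
        || t == TriggerType.ALB || t == TriggerType.LAMBDA_URL;
  }

  public static ExtractedResponse extract(TriggerType trigger, Object result) {
    if (!isEnvelopeTrigger(trigger) || !(result instanceof Map)
        || !((Map<?, ?>) result).containsKey("statusCode")) {
      // Fallback: the whole payload is the plain response body; no status or headers are known.
      return new ExtractedResponse(
          null, new LinkedHashMap<>(), result == null ? "" : String.valueOf(result));
    }
    Map<?, ?> envelope = (Map<?, ?>) result;
    Integer status = parseStatus(envelope.get("statusCode"));
    Map<String, List<String>> headers = normaliseHeaders(envelope.get("headers"));
    String body = decodeBody(envelope.get("body"), envelope.get("isBase64Encoded"));
    return new ExtractedResponse(status, headers, body);
  }

  /** statusCode can arrive as Integer, Long or String depending on how the result was built. */
  static Integer parseStatus(Object raw) {
    if (raw instanceof Number) {
      return ((Number) raw).intValue();
    }
    if (raw instanceof String) {
      try {
        return Integer.parseInt(((String) raw).trim());
      } catch (NumberFormatException ignored) {
        // fall through: an unparsable status is reported as unknown rather than failing the handler
      }
    }
    return null;
  }

  /** Lowercase keys with Locale.ROOT so "Content-Type" and "content-type" merge into one entry. */
  static Map<String, List<String>> normaliseHeaders(Object raw) {
    Map<String, List<String>> out = new LinkedHashMap<>();
    if (!(raw instanceof Map)) {
      return out;
    }
    for (Map.Entry<?, ?> e : ((Map<?, ?>) raw).entrySet()) {
      if (e.getKey() == null || e.getValue() == null) {
        continue;
      }
      String key = String.valueOf(e.getKey()).toLowerCase(Locale.ROOT);
      out.computeIfAbsent(key, k -> new ArrayList<>()).add(String.valueOf(e.getValue()));
    }
    return out;
  }

  /** Accept Boolean.TRUE and the string "true"; anything else means the body is plain text. */
  static boolean isBase64Encoded(Object flag) {
    return Boolean.TRUE.equals(flag) || "true".equals(flag);
  }

  static String decodeBody(Object body, Object base64Flag) {
    if (body == null) {
      return "";
    }
    String text = String.valueOf(body);
    if (!isBase64Encoded(base64Flag)) {
      return text;
    }
    try {
      return new String(Base64.getDecoder().decode(text), StandardCharsets.UTF_8);
    } catch (IllegalArgumentException malformed) {
      // A flag that misdescribes the encoding must not crash the handler; inspect the raw text.
      return text;
    }
  }

  public static void main(String[] args) {
    // Constructed API Gateway v1-style envelope: mixed-case duplicate headers, string status,
    // string "true" for the base64 flag.
    Map<String, Object> headers = new LinkedHashMap<>();
    headers.put("Content-Type", "application/json");
    headers.put("content-type", "text/plain");
    headers.put("X-Custom", "1");
    Map<String, Object> envelope = new LinkedHashMap<>();
    envelope.put("statusCode", "200");
    envelope.put("headers", headers);
    envelope.put("isBase64Encoded", "true");
    envelope.put("body", Base64.getEncoder()
        .encodeToString("{\"ok\":true}".getBytes(StandardCharsets.UTF_8)));

    ExtractedResponse r = extract(TriggerType.API_GATEWAY_V1, envelope);
    System.out.println(r.statusCode + " " + r.headers + " " + r.body);

    // The same handler result under an unknown trigger is an opaque body: no envelope parsing.
    ExtractedResponse plain = extract(TriggerType.UNKNOWN, "hello");
    System.out.println(plain.statusCode + " " + plain.body);
  }
}
```

The header merge is the part worth checking in a real implementation: if keys are not normalised, a WAF rule matched on `content-type` silently misses the `Content-Type` variant that API Gateway v1 emits, and the same applies to the `"true"` versus `Boolean.TRUE` distinction for the body flag, where the wrong branch means rules run against base64 text instead of the decoded body.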

@claponcet claponcet force-pushed the clara.poncet/appsec-lambda-response branch from 090da74 to 65bb844 Compare June 26, 2026 09:08
@claponcet claponcet changed the title AppSec Lambda: HTTP trigger type detection and resource name fix for extension dedup AppSec Lambda: Analyze HTTP response Jun 26, 2026
dd-octo-sts Bot (Contributor) commented Jun 26, 2026

🟢 Java Benchmark SLOs — All performance SLOs passed

| Suite   | Status  |
|---------|---------|
| Startup | 🟢 pass |

SLO thresholds are defined here based on automatically generated metrics. A warning is raised when results are within 5% of the threshold.

PR vs. master results

| Scenario | Candidate | master | Δ (95% CI of mean) |
|---|---|---|---|
| startup:insecure-bank:iast:Agent | 13.95 s | 14.01 s | [-1.2%; +0.3%] (no difference) |
| startup:insecure-bank:tracing:Agent | 12.97 s | 13.08 s | [-1.6%; -0.1%] (maybe better) |
| startup:petclinic:appsec:Agent | 16.88 s | 16.22 s | [-0.2%; +8.4%] (no difference) |
| startup:petclinic:iast:Agent | 16.84 s | 16.91 s | [-1.2%; +0.4%] (no difference) |
| startup:petclinic:profiling:Agent | 16.87 s | 16.85 s | [-0.9%; +1.2%] (no difference) |
| startup:petclinic:sca:Agent | 16.77 s | 16.22 s | [-1.0%; +7.9%] (no difference) |
| startup:petclinic:tracing:Agent | 16.13 s | 16.11 s | [-1.1%; +1.3%] (no difference) |

Commit: 73f50b06 · CI Pipeline · Benchmarking Platform UI


Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion.

claponcet (Contributor, Author) commented:

@codex review

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3d2a12a4fb

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

@claponcet claponcet added type: enhancement Enhancements and improvements comp: asm waf Application Security Management (WAF) labels Jun 29, 2026
@claponcet claponcet marked this pull request as ready for review June 29, 2026 11:44
@claponcet claponcet requested review from a team as code owners June 29, 2026 11:44
@claponcet claponcet requested review from PerfectSlayer and mtoffl01 and removed request for a team June 29, 2026 11:44
@dd-octo-sts dd-octo-sts Bot added the tag: ai generated Largely based on code generated by an AI or LLM label Jun 29, 2026

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 868f9a139e


@claponcet claponcet requested a review from jandro996 June 29, 2026 14:37
@claponcet claponcet force-pushed the clara.poncet/appsec-lambda-response branch from 868f9a1 to 7e4ae3e Compare June 30, 2026 11:26
jandro996 (Member) commented:

While reviewing the changes in this file, I noticed a few pre-existing lines (not touched by this PR) that also use fully-qualified names for classes already imported (List, Collections, Collectors): lines 669, 670, 675, 824, 853, 901, 902, 908. Not blocking this PR, just flagging in case you want to clean them up while you're in this file.

@claponcet claponcet requested a review from jandro996 July 2, 2026 08:44
@claponcet claponcet requested a review from a team as a code owner July 3, 2026 13:27