feat(aap): In App WAF support#744
Conversation
a9a47e9 to
a79197a
Compare
|
| if (!this.tracerWrapper.currentSpan) return false; | ||
| this.wrappedCurrentSpan = new SpanWrapper(this.tracerWrapper.currentSpan, {}); | ||
|
|
||
| processAppsecRequest(event, this.tracerWrapper.currentSpan); |
There was a problem hiding this comment.
Should this happen at the beginning of the invocation? I'm wondering if this should be moved to onStartInvocation.
There was a problem hiding this comment.
Good catch. processAppsecRequest ran after the handler, too late to ever support blocking. Moved it to onRequestStart, called right before the handler runs, once the span is active. Couldnt be onStartInvocation itself since the span doesnt exist yet there.
| * @param event | ||
| */ | ||
| public onRequestStart(event: any): void { | ||
| processAppsecRequest(event, this.tracerWrapper.currentSpan); |
There was a problem hiding this comment.
Is there a reason we can't just put this into onStartInvocation?
| } | ||
|
|
||
| public async onStartInvocation(event: any, context: Context) { | ||
| initAppsec(); |
There was a problem hiding this comment.
Looks like there's a this.config object available. Makes sense to add the appsec enabled check to the config.
What does this PR do?
Adds AppSec support to the Lambda layer by extracting HTTP data from Lambda events and publishing it to diagnostic channels consumed by dd-trace-js's AppSec subsystem.
Changes:
move_ddtrace_dependency.jsnow reads@datadog/native-appsecfrom dd-trace'soptionalDependenciesand promotes it to a direct dependency so it survives--ignore-optional. The Dockerfile runs the script beforerm -rf node_modulesand strips unused native prebuilds (non-Linux-glibc platforms)src/appsec/event-data-extractor.ts): Parses API Gateway v1/v2, ALB, and Lambda Function URL events, extracting headers, method, path, query, body, client IP, path params, cookies, and routesrc/appsec/index.ts): ChecksDD_APPSEC_ENABLEDand publishes extracted data todatadog:lambda:start-invocation/datadog:lambda:end-invocationdiagnostic channelsinitAppsec()called inonStartInvocation,processAppSecRequestandprocessAppSecResponsecalled inonEndingInvocationMotivation
Porting the In-App WAF security product to AWS Lambda for the Node.js runtime. The Lambda layer extracts HTTP data and dispatches it to the tracer for WAF execution and reporting.
The layer is intentionally kept thin, only extracting and publishing data. All security logic (WAF, reporting, trace keeping) lives in dd-trace-js.
Testing Guidelines
Additional Notes
@datadog/native-appsecis NOT added to this repo'spackage.json. The version is read dynamically from dd-trace'soptionalDependenciesat build time, so dd-trace-js remains the single owner of the native module version.DD_APPSEC_ENABLED.Types of Changes
Check all that apply
APPSEC-60752