forwarded headers parsing + downgrade log level

Author: claponcet

dd-trace-core/src/main/java/datadog/trace/lambda/LambdaAppSecHandler.java

@@ -71,9 +71,12 @@ public static AgentSpanContext processRequestStart(Object event) {
 
     try {
       LambdaEventData eventData = extractEventData((ByteArrayInputStream) event);
+      if (eventData == LambdaEventData.EMPTY) {
+        return null;
+      }
       return processAppSecRequestData(eventData);
     } catch (Exception e) {
-      log.error("Failed to process AppSec request data", e);
+      log.debug("Failed to process AppSec request data", e);
       return null;
     }
   }
@@ -96,7 +99,7 @@ public static void processRequestEnd(AgentSpan span) {
       if (requestEndedCallback != null) {
         requestEndedCallback.apply(requestContext, span);
       } else {
-        log.warn("requestEnded callback is null");
+        log.debug("requestEnded callback is null");
       }
     }
   }
@@ -129,7 +132,7 @@ public static AgentSpanContext mergeContexts(
         return merged;
       }
 
-      log.warn(
+      log.debug(
           "Cannot merge AppSec data: extension context is not a TagContext: {}",
           extensionContext.getClass());
     }
@@ -141,7 +144,7 @@ private static AgentSpanContext processAppSecRequestData(LambdaEventData eventDa
     Supplier<Flow<Object>> requestStartedCallback =
         tracer.getCallbackProvider(RequestContextSlot.APPSEC).getCallback(EVENTS.requestStarted());
     if (requestStartedCallback == null) {
-      log.warn("requestStarted callback is null");
+      log.debug("requestStarted callback is null");
       return null;
     }
 
@@ -165,10 +168,10 @@ private static AgentSpanContext processAppSecRequestData(LambdaEventData eventDa
         if (methodUriCallback != null) {
           // Reconstruct full path with query string for AppSec analysis
           String fullPath = buildFullPath(eventData.path, eventData.queryParameters);
-          LambdaURIDataAdapter uriAdapter = new LambdaURIDataAdapter(fullPath);
+          LambdaURIDataAdapter uriAdapter = new LambdaURIDataAdapter(fullPath, eventData.headers);
           methodUriCallback.apply(requestContext, eventData.method, uriAdapter);
         } else {
-          log.warn("requestMethodUriRaw callback is null");
+          log.debug("requestMethodUriRaw callback is null");
         }
       }
 
@@ -183,7 +186,7 @@ private static AgentSpanContext processAppSecRequestData(LambdaEventData eventDa
             headerCallback.accept(requestContext, header.getKey(), header.getValue());
           }
         } else {
-          log.warn("requestHeader callback is null");
+          log.debug("requestHeader callback is null");
         }
       }
 
@@ -198,7 +201,7 @@ private static AgentSpanContext processAppSecRequestData(LambdaEventData eventDa
           Integer port = eventData.sourcePort != null ? eventData.sourcePort : 0;
           socketAddrCallback.apply(requestContext, eventData.sourceIp, port);
         } else {
-          log.warn("requestClientSocketAddress callback is null");
+          log.debug("requestClientSocketAddress callback is null");
         }
       }
 
@@ -210,7 +213,7 @@ private static AgentSpanContext processAppSecRequestData(LambdaEventData eventDa
       if (headerDoneCallback != null) {
         headerDoneCallback.apply(requestContext);
       } else {
-        log.warn("requestHeaderDone callback is null");
+        log.debug("requestHeaderDone callback is null");
       }
 
       // Call requestPathParams
@@ -222,7 +225,7 @@ private static AgentSpanContext processAppSecRequestData(LambdaEventData eventDa
         if (pathParamsCallback != null) {
           pathParamsCallback.apply(requestContext, eventData.pathParameters);
         } else {
-          log.warn("requestPathParams callback is null");
+          log.debug("requestPathParams callback is null");
         }
       }
 
@@ -235,7 +238,7 @@ private static AgentSpanContext processAppSecRequestData(LambdaEventData eventDa
         if (bodyCallback != null) {
           bodyCallback.apply(requestContext, eventData.body);
         } else {
-          log.warn("requestBodyProcessed callback is null");
+          log.debug("requestBodyProcessed callback is null");
         }
       }
     }
@@ -249,20 +252,11 @@ private static LambdaEventData extractEventData(ByteArrayInputStream inputStream
       int availableBytes = inputStream.available();
 
       if (availableBytes <= 0 || availableBytes > MAX_EVENT_SIZE) {
-        log.warn(
+        log.debug(
             "Event size {} exceeds limit {} or is invalid, skipping AppSec processing",
             availableBytes,
             MAX_EVENT_SIZE);
-        return new LambdaEventData(
-            Collections.emptyMap(),
-            null,
-            null,
-            null,
-            null,
-            LambdaTriggerType.UNKNOWN,
-            Collections.emptyMap(),
-            Collections.emptyMap(),
-            null);
+        return LambdaEventData.EMPTY;
       }
 
       StringBuilder jsonBuilder = new StringBuilder(availableBytes);
@@ -286,16 +280,7 @@ private static LambdaEventData extractEventDataFromJson(String json) {
       log.debug("Event JSON parsed successfully");
 
       if (event == null) {
-        return new LambdaEventData(
-            Collections.emptyMap(),
-            null,
-            null,
-            null,
-            null,
-            LambdaTriggerType.UNKNOWN,
-            Collections.emptyMap(),
-            Collections.emptyMap(),
-            null);
+        return LambdaEventData.EMPTY;
       }
 
       // Detect trigger type
@@ -319,17 +304,8 @@ private static LambdaEventData extractEventDataFromJson(String json) {
           return extractGenericData(event);
       }
     } catch (Exception e) {
-      log.error("Failed to parse event data from JSON", e);
-      return new LambdaEventData(
-          Collections.emptyMap(),
-          null,
-          null,
-          null,
-          null,
-          LambdaTriggerType.UNKNOWN,
-          Collections.emptyMap(),
-          Collections.emptyMap(),
-          null);
+      log.debug("Failed to parse event data from JSON", e);
+      return LambdaEventData.EMPTY;
     }
   }
 
@@ -524,7 +500,8 @@ private static LambdaEventData extractAlbData(
 
     String method = (String) event.get("httpMethod");
     String path = (String) event.get("path");
-    String sourceIp = headers.get("x-forwarded-for");
+    String xff = headers.get("x-forwarded-for");
+    String sourceIp = xff != null ? xff.split(",")[0].trim() : null;
 
     return new LambdaEventData(
         headers, method, path, sourceIp, null, triggerType, pathParameters, queryParameters, body);
@@ -779,8 +756,7 @@ private static Object parseBodyAsJson(String body) {
     }
 
     try {
-      Object parsed = OBJECT_ADAPTER.fromJson(body);
-      return parsed;
+      return OBJECT_ADAPTER.fromJson(body);
     } catch (Exception e) {
       return null;
     }
@@ -853,6 +829,11 @@ static class LambdaEventData {
     final Map<String, List<String>> queryParameters;
     final Object body;
 
+    static final LambdaEventData EMPTY = new LambdaEventData(
+        Collections.emptyMap(), null, null, null, null,
+        LambdaTriggerType.UNKNOWN,
+        Collections.emptyMap(), Collections.emptyMap(), null);
+
     LambdaEventData(
         Map<String, String> headers,
         String method,
@@ -879,8 +860,10 @@ static class LambdaEventData {
   private static class LambdaURIDataAdapter extends URIDataAdapterBase {
     private final String path;
     private final String query;
+    private final String scheme;
+    private final int port;
 
-    LambdaURIDataAdapter(String pathWithQuery) {
+    LambdaURIDataAdapter(String pathWithQuery, Map<String, String> headers) {
       if (pathWithQuery != null) {
         int queryIndex = pathWithQuery.indexOf('?');
         if (queryIndex != -1) {
@@ -894,11 +877,24 @@ private static class LambdaURIDataAdapter extends URIDataAdapterBase {
         this.path = "/";
         this.query = null;
       }
+
+      String forwardedProto = headers != null ? headers.get("x-forwarded-proto") : null;
+      this.scheme = (forwardedProto != null && !forwardedProto.isEmpty()) ? forwardedProto : "https";
+
+      String forwardedPort = headers != null ? headers.get("x-forwarded-port") : null;
+      int parsedPort = -1;
+      if (forwardedPort != null && !forwardedPort.isEmpty()) {
+        try {
+          parsedPort = Integer.parseInt(forwardedPort.trim());
+        } catch (NumberFormatException ignored) {
+        }
+      }
+      this.port = parsedPort > 0 ? parsedPort : 443;
     }
 
     @Override
     public String scheme() {
-      return "https";
+      return scheme;
     }
 
     @Override
@@ -908,7 +904,7 @@ public String host() {
 
     @Override
     public int port() {
-      return 443;
+      return port;
     }
 
     @Override

dd-trace-core/src/test/groovy/datadog/trace/lambda/LambdaAppSecHandlerTest.groovy

@@ -730,6 +730,111 @@ class LambdaAppSecHandlerTest extends DDCoreSpecification {
     capturedQuery == "id=123&filter=active"
   }
 
+  def "extracts scheme and port from X-Forwarded headers"() {
+    given:
+    def eventJson = '''
+    {
+      "path": "/api/test",
+      "headers": {
+        "x-forwarded-proto": "http",
+        "x-forwarded-port": "8080"
+      },
+      "requestContext": {
+        "httpMethod": "GET",
+        "requestId": "req-123"
+      }
+    }
+    '''
+    def event = createInputStream(eventJson)
+
+    def capturedScheme = null
+    def capturedPort = null
+
+    setupMockCallbacks(
+    onMethodUri: { method, uri ->
+      capturedScheme = uri.scheme()
+      capturedPort = uri.port()
+    }
+    )
+
+    when:
+    def result = LambdaAppSecHandler.processRequestStart(event)
+
+    then:
+    result != null
+    capturedScheme == "http"
+    capturedPort == 8080
+  }
+
+  def "falls back to https/443 when X-Forwarded headers are absent"() {
+    given:
+    def eventJson = '''
+    {
+      "path": "/api/test",
+      "headers": {},
+      "requestContext": {
+        "httpMethod": "GET",
+        "requestId": "req-123"
+      }
+    }
+    '''
+    def event = createInputStream(eventJson)
+
+    def capturedScheme = null
+    def capturedPort = null
+
+    setupMockCallbacks(
+    onMethodUri: { method, uri ->
+      capturedScheme = uri.scheme()
+      capturedPort = uri.port()
+    }
+    )
+
+    when:
+    def result = LambdaAppSecHandler.processRequestStart(event)
+
+    then:
+    result != null
+    capturedScheme == "https"
+    capturedPort == 443
+  }
+
+  def "handles invalid X-Forwarded-Port gracefully"() {
+    given:
+    def eventJson = '''
+    {
+      "path": "/api/test",
+      "headers": {
+        "x-forwarded-proto": "https",
+        "x-forwarded-port": "not-a-number"
+      },
+      "requestContext": {
+        "httpMethod": "GET",
+        "requestId": "req-123"
+      }
+    }
+    '''
+    def event = createInputStream(eventJson)
+
+    def capturedScheme = null
+    def capturedPort = null
+
+    setupMockCallbacks(
+    onMethodUri: { method, uri ->
+      capturedScheme = uri.scheme()
+      capturedPort = uri.port()
+    }
+    )
+
+    when:
+    def result = LambdaAppSecHandler.processRequestStart(event)
+
+    then:
+    result != null
+    capturedScheme == "https"
+    capturedPort == 443
+  }
+
   def "handles invalid base64 body gracefully"() {
     given:
     def eventJson = '''
@@ -1271,7 +1376,7 @@ class LambdaAppSecHandlerTest extends DDCoreSpecification {
       get() >> new Flow.ResultFlow<>(mockAppSecContext)
     }
 
-    def mockMethodUriCallback = callbacks.onMethodUri ? Mock(datadog.trace.api.function.TriFunction) {
+    def mockMethodUriCallback = callbacks.onMethodUri ? Mock(TriFunction) {
       apply(_ as RequestContext, _ as String, _ as URIDataAdapter) >> {
         RequestContext ctx, String method, URIDataAdapter uri ->
         callbacks.onMethodUri(method, uri)