Skip to content

feat(aap): In App WAF support for lambda#7783

Merged
CarlesDD merged 19 commits into
masterfrom
ccapell/APPSEC-60752/in-app-waf-port
Jun 30, 2026
Merged

feat(aap): In App WAF support for lambda#7783
CarlesDD merged 19 commits into
masterfrom
ccapell/APPSEC-60752/in-app-waf-port

Conversation

@CarlesDD

@CarlesDD CarlesDD commented Mar 16, 2026

Copy link
Copy Markdown
Contributor

What does this PR do?

Adds AppSec support for AWS lambda to dd-trace-js by introducing DC handlers that allow the datadog-lambda-js layer to delegate WAF execution to the tracer.

inappwafport

Changes:

  • New datadog:lambda:start-invocation and datadog:lambda:end-invocation diagnostic channels with its subscribers (appsec/lambdja.js), which maps extracted HTTP data to WAF addresses, run the WAF and reports the results.
  • Reporter adaptation: reportMetrics, reportAttack, reportAttributes, and finishRequest now accept an optional rootSpan parameter, falling back to web.root(req) when not provided. This allows the Lambda handler to pass the span directly since there is no req object in Lambda
  • WAF rootSpan threading: waf/index.js and waf_context_wrapper.js thread rootSpan through the call chain so that keepTrace and reporter calls work correctly for Lambda

Motivation

Porting the In-App WAF security product to AWS Lambda for the Node.js runtime. The Lambda layer extracts HTTP data from the event and dispatches it to the tracer's AppSec domain via DC.

This approach keeps all security logic (WAF execution, attack reporting, trace keep decisions) inside dd-trace-js, and the Lambda layer is only responsible for extracting raw HTTP data and publishing it.

Additional Notes

  • The Lambda channels are always subscribed when AppSec is enabled. They are no-ops unless datadog-lambda-js publishes to them.
  • No new configuration is needed;DD_APPSEC_ENABLED env var controls everything.
  • Serverless defaults in dd-trace-js already neutralize telemetry, remote config, and error logging, so there are no side effects to enabling AppSec in Lambda beyond the WAF initialization cold start cost.
  • This is a monitoring-only first iteration. Blocking, Remote Config, and telemetry are out of scope.
  • Companion PR in datadog-lambda-js: feat(aap): In App WAF support datadog-lambda-js#744

APPSEC-60752

@github-actions

github-actions Bot commented Mar 16, 2026

Copy link
Copy Markdown
Contributor

Overall package size

Self size: 6.42 MB
Deduped: 7.49 MB
No deduping: 7.49 MB

Dependency sizes | name | version | self size | total size | |------|---------|-----------|------------| | import-in-the-middle | 3.2.0 | 104.26 kB | 843.44 kB | | opentracing | 0.14.7 | 194.81 kB | 194.81 kB | | dc-polyfill | 0.1.11 | 25.74 kB | 25.74 kB |

🤖 This report was automatically generated by heaviest-objects-in-the-universe

@codecov

codecov Bot commented Mar 16, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.73%. Comparing base (9efd086) to head (22d6848).

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #7783   +/-   ##
=======================================
  Coverage   93.72%   93.73%           
=======================================
  Files         891      892    +1     
  Lines       51163    51234   +71     
  Branches    11900    11923   +23     
=======================================
+ Hits        47952    48023   +71     
  Misses       3211     3211           
Flag Coverage Δ
aiguard 34.87% <0.00%> (-0.09%) ⬇️
aiguard-integration 41.78% <0.00%> (-0.02%) ⬇️
apm-bucket-0 34.83% <0.00%> (-0.09%) ⬇️
apm-bucket-1 40.33% <0.00%> (-0.09%) ⬇️
apm-bucket-2 37.33% <0.00%> (-0.09%) ⬇️
apm-capabilities-tracing 48.68% <9.30%> (-0.08%) ⬇️
apm-integrations-aerospike 33.12% <0.00%> (-0.09%) ⬇️
apm-integrations-confluentinc-kafka-javascript 40.02% <0.00%> (-0.09%) ⬇️
apm-integrations-couchbase 33.51% <0.00%> (+0.02%) ⬆️
apm-integrations-http 41.95% <28.88%> (-0.16%) ⬇️
apm-integrations-kafkajs 40.26% <0.00%> (-0.09%) ⬇️
apm-integrations-next 29.46% <0.00%> (-0.08%) ⬇️
apm-integrations-prisma 35.03% <0.00%> (-0.08%) ⬇️
apm-integrations-tedious 33.89% <0.00%> (-0.09%) ⬇️
appsec 57.71% <100.00%> (+0.11%) ⬆️
appsec-express_fastify_graphql 53.66% <38.88%> (-0.15%) ⬇️
appsec-integration 36.21% <36.66%> (-0.04%) ⬇️
appsec-kafka_ldapjs_lodash 43.58% <0.00%> (-0.08%) ⬇️
appsec-mongodb-core_mongoose_mysql 48.74% <36.66%> (-0.15%) ⬇️
appsec-next 28.00% <0.00%> (-0.08%) ⬇️
appsec-node-serialize_passport_postgres 47.91% <38.88%> (-0.15%) ⬇️
appsec-sourcing_stripe_template 45.47% <31.11%> (-0.15%) ⬇️
debugger 44.36% <0.00%> (-0.02%) ⬇️
instrumentations-bucket-0 28.15% <0.00%> (-0.09%) ⬇️
instrumentations-bucket-1 37.40% <0.00%> (-0.09%) ⬇️
instrumentations-bucket-10 40.35% <28.88%> (-0.15%) ⬇️
instrumentations-bucket-11 27.95% <0.00%> (-0.09%) ⬇️
instrumentations-bucket-12 28.66% <0.00%> (-0.09%) ⬇️
instrumentations-bucket-13 27.78% <0.00%> (-0.09%) ⬇️
instrumentations-bucket-2 30.23% <0.00%> (-0.08%) ⬇️
instrumentations-bucket-3 35.90% <0.00%> (-0.09%) ⬇️
instrumentations-bucket-4 28.06% <0.00%> (-0.09%) ⬇️
instrumentations-bucket-5 36.27% <0.00%> (-0.08%) ⬇️
instrumentations-bucket-6 38.25% <0.00%> (-0.09%) ⬇️
instrumentations-bucket-7 36.01% <0.00%> (-0.08%) ⬇️
instrumentations-bucket-8 36.95% <0.00%> (-0.08%) ⬇️
instrumentations-bucket-9 39.45% <28.88%> (-0.15%) ⬇️
instrumentations-instrumentation-couchbase 46.54% <ø> (ø)
instrumentations-integration-esbuild 24.86% <0.00%> (-0.01%) ⬇️
llmobs-ai_anthropic_bedrock 39.53% <0.00%> (-0.08%) ⬇️
llmobs-google-genai_langchain_vertex-ai 36.97% <0.00%> (-0.07%) ⬇️
llmobs-openai 39.57% <0.00%> (-0.08%) ⬇️
llmobs-sdk 43.59% <0.00%> (-0.09%) ⬇️
master-coverage 93.73% <100.00%> (?)
openfeature 37.75% <0.00%> (-0.01%) ⬇️
openfeature-unit 50.39% <ø> (ø)
platform-core_esbuild_instrumentations-misc 23.36% <0.00%> (-0.01%) ⬇️
platform-integration 47.41% <0.00%> (-0.03%) ⬇️
platform-shimmer_unit-guardrails_webpack 18.89% <ø> (ø)
plugins-bucket-0 36.33% <0.00%> (-0.08%) ⬇️
plugins-bucket-1 39.59% <0.00%> (-0.02%) ⬇️
plugins-bucket-11 38.46% <0.00%> (-0.09%) ⬇️
plugins-bucket-17 39.15% <0.00%> (-0.09%) ⬇️
plugins-bucket-18 42.00% <0.00%> (-0.08%) ⬇️
plugins-bucket-19 39.56% <0.00%> (-0.09%) ⬇️
plugins-bucket-20 43.25% <0.00%> (-0.03%) ⬇️
plugins-bucket-4 37.71% <0.00%> (-0.09%) ⬇️
plugins-bullmq_cassandra_cookie 39.76% <0.00%> (-0.09%) ⬇️
plugins-cookie-parser_crypto_dd-trace-api 33.21% <0.00%> (-0.09%) ⬇️
plugins-fetch_fs_generic-pool 36.04% <0.00%> (-0.07%) ⬇️
plugins-google-cloud-pubsub_grpc_handlebars 43.10% <0.00%> (-0.09%) ⬇️
plugins-hapi_hono_ioredis 37.78% <0.00%> (-0.09%) ⬇️
plugins-jest_knex_langgraph 32.60% <0.00%> (-0.09%) ⬇️
plugins-ldapjs_light-my-request_limitd-client 27.84% <0.00%> (-0.09%) ⬇️
plugins-lodash_mariadb_memcached 35.17% <0.00%> (-0.09%) ⬇️
plugins-mongodb_mongodb-core_mongoose 36.30% <0.00%> (-0.09%) ⬇️
plugins-multer_mysql_mysql2 35.14% <0.00%> (-0.09%) ⬇️
plugins-nats_node-serialize_opensearch 37.14% <0.00%> (-0.09%) ⬇️
plugins-passport-http_pino_postgres 35.52% <0.00%> (-0.09%) ⬇️
plugins-process_pug_redis 34.26% <0.00%> (-0.09%) ⬇️
plugins-undici_url_valkey 35.87% <0.00%> (-0.09%) ⬇️
plugins-vm_winston_ws 37.55% <0.00%> (-0.09%) ⬇️
profiling 43.61% <0.00%> (-0.08%) ⬇️
serverless-aws-sdk-aws-sdk 33.29% <0.00%> (-0.07%) ⬇️
serverless-aws-sdk-bedrockruntime 32.16% <0.00%> (-0.08%) ⬇️
serverless-aws-sdk-client 37.21% <ø> (ø)
serverless-aws-sdk-dynamodb 34.09% <0.00%> (-0.08%) ⬇️
serverless-aws-sdk-eventbridge 27.24% <0.00%> (-0.08%) ⬇️
serverless-aws-sdk-kinesis 37.40% <0.00%> (-0.08%) ⬇️
serverless-aws-sdk-lambda 34.59% <0.00%> (-0.08%) ⬇️
serverless-aws-sdk-s3 32.59% <0.00%> (-0.08%) ⬇️
serverless-aws-sdk-serverless-peer-service 39.47% <ø> (-0.08%) ⬇️
serverless-aws-sdk-sns 38.37% <0.00%> (+0.04%) ⬆️
serverless-aws-sdk-sqs 37.99% <0.00%> (-0.08%) ⬇️
serverless-aws-sdk-stepfunctions 33.18% <0.00%> (-0.08%) ⬇️
serverless-aws-sdk-util 47.95% <ø> (ø)
serverless-bucket-0 39.45% <0.00%> (-0.02%) ⬇️
serverless-lambda 34.33% <ø> (-0.09%) ⬇️
test-optimization-cucumber 52.30% <0.00%> (+0.09%) ⬆️
test-optimization-cypress 49.41% <0.00%> (+0.05%) ⬆️
test-optimization-jest 55.34% <0.00%> (+0.03%) ⬆️
test-optimization-mocha 53.38% <0.00%> (+0.06%) ⬆️
test-optimization-playwright-playwright-atr 43.32% <0.00%> (+0.07%) ⬆️
test-optimization-playwright-playwright-efd 43.60% <0.00%> (+0.07%) ⬆️
test-optimization-playwright-playwright-final-status 43.73% <0.00%> (+0.07%) ⬆️
test-optimization-playwright-playwright-impacted-tests 43.15% <0.00%> (-0.02%) ⬇️
test-optimization-playwright-playwright-reporting 43.26% <0.00%> (+0.07%) ⬆️
test-optimization-playwright-playwright-test-management 44.71% <0.00%> (+0.07%) ⬆️
test-optimization-playwright-playwright-test-span 44.51% <0.00%> (+0.06%) ⬆️
test-optimization-selenium 45.28% <0.00%> (+0.05%) ⬆️
test-optimization-testopt 48.03% <0.00%> (+0.07%) ⬆️
test-optimization-vitest 50.62% <0.00%> (+0.08%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@pr-commenter

pr-commenter Bot commented Mar 16, 2026

Copy link
Copy Markdown

Benchmarks

Benchmark execution time: 2026-06-29 22:47:06

Comparing candidate commit 22d6848 in PR branch ccapell/APPSEC-60752/in-app-waf-port with baseline commit 9efd086 in branch master.

📊 Benchmarking dashboard

Found 0 performance improvements and 0 performance regressions! Performance is the same for 2248 metrics, 38 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

  • 🟩 = significantly better candidate vs. baseline
  • 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

Unstable benchmarks

These benchmarks have a confidence interval too wide to call a change; treat them as noise rather than signal.

scenario:appsec-appsec-enabled-20

  • unstable execution_time [-184.526ms; +190.229ms] or [-4.983%; +5.137%]

scenario:appsec-appsec-enabled-24

  • unstable execution_time [-182.822ms; +174.856ms] or [-6.955%; +6.652%]

scenario:appsec-appsec-enabled-26

  • unstable execution_time [-212056.057µs; +213427.290µs] or [-8.404%; +8.458%]

scenario:appsec-appsec-enabled-with-attacks-26

  • unstable execution_time [-162.359ms; +153.938ms] or [-5.641%; +5.348%]

scenario:appsec-control-20

  • unstable execution_time [-166.021ms; +135.231ms] or [-9.588%; +7.810%]

scenario:appsec-control-24

  • unstable execution_time [-102.983ms; +105.406ms] or [-8.471%; +8.670%]

scenario:appsec-control-26

  • unstable execution_time [-102.390ms; +118.892ms] or [-8.553%; +9.931%]

scenario:debugger-line-probe-with-snapshot-default-24

  • unstable cpu_user_time [-1892.893ms; +3003.428ms] or [-23.869%; +37.873%]
  • unstable execution_time [-1960.558ms; +3063.785ms] or [-22.783%; +35.604%]
  • unstable instructions [-16.2G instructions; +25.8G instructions] or [-25.115%; +39.989%]
  • unstable max_rss_usage [-6.616MB; +10.811MB] or [-4.180%; +6.830%]
  • unstable throughput [-895.342op/s; +580.080op/s] or [-23.331%; +15.116%]

scenario:debugger-line-probe-with-snapshot-default-26

  • unstable cpu_user_time [-1886.300ms; +531.575ms] or [-20.168%; +5.683%]
  • unstable execution_time [-1897.740ms; +539.395ms] or [-18.877%; +5.365%]
  • unstable instructions [-17.0G instructions; +4.9G instructions] or [-21.863%; +6.302%]
  • unstable throughput [-110.466op/s; +428.245op/s] or [-3.380%; +13.103%]

scenario:debugger-line-probe-with-snapshot-minimal-26

  • unstable cpu_user_time [-1868.389ms; +580.720ms] or [-20.120%; +6.254%]
  • unstable execution_time [-1887.173ms; +579.852ms] or [-18.933%; +5.817%]
  • unstable instructions [-16.7G instructions; +5.3G instructions] or [-21.640%; +6.801%]
  • unstable throughput [-130.624op/s; +429.735op/s] or [-3.959%; +13.025%]

scenario:debugger-line-probe-without-snapshot-24

  • unstable cpu_user_time [-1903.579ms; +3093.875ms] or [-23.956%; +38.935%]
  • unstable execution_time [-1930.940ms; +3097.296ms] or [-22.391%; +35.916%]
  • unstable instructions [-16.7G instructions; +26.5G instructions] or [-25.854%; +41.085%]
  • unstable max_rss_usage [-7.611MB; +11.855MB] or [-4.820%; +7.507%]
  • unstable throughput [-905.094op/s; +561.986op/s] or [-23.630%; +14.672%]

scenario:debugger-line-probe-without-snapshot-26

  • unstable cpu_user_time [-2880.861ms; +2923.288ms] or [-28.805%; +29.229%]
  • unstable execution_time [-2894.855ms; +2926.735ms] or [-27.077%; +27.375%]
  • unstable instructions [-25731.2M instructions; +25756.3M instructions] or [-30.800%; +30.830%]
  • unstable max_rss_usage [-9172.226KB; +8832.226KB] or [-5.710%; +5.498%]
  • unstable throughput [-641.417op/s; +622.522op/s] or [-20.510%; +19.905%]

scenario:dogstatsd-with-tags-20

  • unstable cpu_user_time [-356.193ms; +364.383ms] or [-7.423%; +7.594%]
  • unstable execution_time [-358.859ms; +364.422ms] or [-7.367%; +7.481%]
  • unstable throughput [-124587.669op/s; +123543.988op/s] or [-7.224%; +7.164%]

scenario:plugin-graphql-long-with-depth-and-collapse-off-20

  • unstable max_rss_usage [-30.959MB; +14.147MB] or [-8.100%; +3.702%]

scenario:plugin-graphql-long-with-depth-on-max-20

  • unstable max_rss_usage [-47.838MB; +61.157MB] or [-23.699%; +30.297%]

scenario:sampling-rate-limited-20

  • unstable cpu_user_time [-67.862ms; +101.565ms] or [-4.780%; +7.154%]
  • unstable execution_time [-68.356ms; +100.182ms] or [-4.805%; +7.042%]

scenario:test-optimization-large-suite-20

  • unstable max_rss_usage [-4628.557KB; +6167.890KB] or [-5.764%; +7.681%]

@datadog-official

datadog-official Bot commented Mar 16, 2026

Copy link
Copy Markdown

Tests

🎉 All green!

🧪 All tests passed
❄️ No new flaky tests detected

🎯 Code Coverage (details)
Patch Coverage: 96.67%
Overall Coverage: 88.04% (+0.01%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 22d6848 | Docs | Datadog PR Page | Give us feedback!

Comment thread packages/dd-trace/src/appsec/reporter.js Outdated
Comment on lines +340 to 343
function reportAttack ({ events: attackData, actions }, req, rootSpan) {
if (!req) {
req = storage('legacy').getStore()?.req
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'm worried that in this function, if we don't pass the empty object fake "req", it will try to get it from the store, which would make this req variable here undefined, and crash later down the function because it's trying to access props in req (req.socket, req.body, etc).

The safety mecanism that was in place before was the rootSpan check. If req was missing, then rootSpan would also be missing, and thus the if(!rootSpan) return would protect us from undefined req.
But now that we can pass the rootSpan separately from req, this safety check is inoperant. Does that make sense ?

Can you prove to me that req can never be empty here ?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, your concern is legit: decoupling rootSpan from req breaks the implicit safety mechanism. But in the lambda path, req is never null or undefined in reportAttack (it's an invocationKey ({}), a truthy object flowing from lambda.js). The only place where req is null is in finishRequest.

I've added a test to check the WAF path with a strict req object that throws on any unaudited property access, making it fail if someone adds req.something without a guard in this path.

Comment thread packages/dd-trace/src/appsec/lambda.js
@simon-id

Copy link
Copy Markdown
Contributor

Overall this PR is a bit scary because it invalidates assumptions that were made during the entire evolution of our codebase. We should really be careful about these changes, a strong test suite, and proactive monitoring. For now I feel like the test suite is a bit light no ?

@CarlesDD CarlesDD force-pushed the ccapell/APPSEC-60752/in-app-waf-port branch from f4de885 to e0b39e1 Compare April 21, 2026 15:05
@CarlesDD

Copy link
Copy Markdown
Contributor Author

Overall this PR is a bit scary because it invalidates assumptions that were made during the entire evolution of our codebase. We should really be careful about these changes, a strong test suite, and proactive monitoring. For now I feel like the test suite is a bit light no ?

Agree this needs careful handling. I've pushed additional changes to strengthen the safety net:

  • More tests for Lambda handler
  • A proxy based WAF path safety test: it fails if anyone adds req.something with no guard in the future
  • Reporter lambda specific test: covering finishRequest and reportAttack with null/empty req
  • JSDocs to make the contract more explicit.

@CarlesDD CarlesDD force-pushed the ccapell/APPSEC-60752/in-app-waf-port branch from c83559f to 590897a Compare April 27, 2026 08:15
@CarlesDD CarlesDD marked this pull request as ready for review April 27, 2026 09:04
@CarlesDD CarlesDD requested a review from a team as a code owner April 27, 2026 09:04

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 590897a5f9

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread packages/dd-trace/src/appsec/lambda.js Outdated
@CarlesDD CarlesDD requested a review from simon-id April 27, 2026 17:20
Comment thread packages/dd-trace/src/appsec/reporter.js Outdated
Comment thread packages/dd-trace/src/appsec/lambda.js
Comment thread packages/dd-trace/src/appsec/lambda.js Outdated
}

const invocationKey = {}
span._lambdaAppsecKey = invocationKey

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we should store extra data in span, we usually create a WeakMap<span,data>.

And I think that you even could use the span itself as "invocationKey"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replaced span._lambdaAppsecKey with a WeakSet to track active invocations.

Comment thread packages/dd-trace/src/appsec/lambda.js Outdated

waf.disposeContext(invocationKey)

Reporter.finishRequest(null, null, {}, undefined, span)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldn't we send invocationKey as req here to be able to report metrics correctly?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

}

if (clientIp) {
persistent[addresses.HTTP_CLIENT_IP] = clientIp

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add span.setTag(HTTP_CLIENT_IP, clientIp) here and remove first block

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. The two separate conditionals are now merged into one.

Comment thread packages/dd-trace/src/appsec/lambda.js Outdated
persistent[addresses.HTTP_INCOMING_COOKIES] = cookies
}

waf.run({ persistent }, invocationKey, undefined, span)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

invocationKey gonna be always {} no?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed

Comment thread packages/dd-trace/src/appsec/lambda.js Outdated
persistent[addresses.HTTP_INCOMING_RESPONSE_HEADERS] = filteredHeaders
}

if (Object.keys(persistent).length > 0) {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's add a flag and make it true when we have something to add to persistent and then avoid Object.keys(persistent).length > 0.
We should fix this in all our appsec code to avoid the overhead of creating unnecessary objects

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed with a hasPersistentData boolean flag

if (!rootSpan) {
rootSpan = web.root(req)
}
if (!rootSpan) return

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if (!rootSpan) return
if (!req || !rootSpan) return

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Applied

: '{"triggers":' + attackDataStr + '}'

if (req.socket) {
if (req?.socket) {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need to change it if we check !req before

Suggested change
if (req?.socket) {
if (req.socket) {

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Applied


rootSpan.addTags(newTags)

if (!req) return

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need for this it if we check !req before

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

rootSpan = web.root(req)
}

if (!rootSpan) return

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ditto

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reportAttributes doesn't use req after getting rootSpan, so the !req guard isn't needed here (unlike reportAttack, which accesses req.socket, web.getContext(req), and req.body after the guard.

There is also an existing test that calls reportAttributes without a req and expects addTags to be called, relying on web.root(undefined) resolving to a span. Adding !req would break that path.

@CarlesDD CarlesDD requested review from IlyasShabi and uurien June 22, 2026 15:04
} catch (err) {
if (!IS_SERVERLESS) {
if (IS_SERVERLESS) {
log.debug('[ASM] Serverless mode: suppressing error log, calling disable()')

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's helpful to attach the error here for later investigations.

@CarlesDD CarlesDD merged commit 038b5ba into master Jun 30, 2026
1190 of 1192 checks passed
@CarlesDD CarlesDD deleted the ccapell/APPSEC-60752/in-app-waf-port branch June 30, 2026 05:00
This was referenced Jun 30, 2026
rochdev pushed a commit that referenced this pull request Jul 2, 2026
Adds AppSec support for AWS lambda to dd-trace-js by introducing DC handlers that allow the datadog-lambda-js layer to delegate WAF execution to the tracer.
rochdev pushed a commit that referenced this pull request Jul 2, 2026
Adds AppSec support for AWS lambda to dd-trace-js by introducing DC handlers that allow the datadog-lambda-js layer to delegate WAF execution to the tracer.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants