…" (#4867)
- this reverts commit 1d2543c.
- reverts a change that would automatically inject tracing headers into AWS requests
- this appears to break S3 requests (and DynamoDB?) when using AWS SDK v2
- we don't have any reports of other services or of AWS SDK v3 breaking
- for follow up work we need to make this a configurable environment variable instead of just an init setting
- this is because folks using the lambda layer need to configure the tracer via env vars
- alternatively we only block s3 and dynamo? however there could be other services that fail...
- alternatively we only block aws sdk v2? however it seems that a bunch of the services are fine...
- internal stuff: APMS-13694, APMS-13713
- more discussion in #4717
* Add exclusions for header injection vulnerability
* Rewrite fn to get a partial value from accept-encoding header to reflect it in transfer/content-encoding
* Fix linting problems
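The commit above describes one exclusion for the header injection detection: a Content-Encoding or Transfer-Encoding value that is a partial copy of the request's Accept-Encoding is ordinary content negotiation, not an injection. The following is an added example, not dd-trace-js code, showing how such a check can be structured and the caveat that matters when excluding it: the reflected codings must still be valid HTTP tokens, otherwise a CRLF-bearing Accept-Encoding would be waved through as "negotiation". The function names, the substring-based taint stand-in and the request/response shapes are assumptions made for this illustration.

```javascript
// Added example, not dd-trace-js code: simplified header-injection check that
// carries the Accept-Encoding -> Content-/Transfer-Encoding exclusion.
// Names, taint model and header shapes are assumptions for illustration.

const ENCODING_RESPONSE_HEADERS = new Set(['content-encoding', 'transfer-encoding'])

// RFC 9110 token characters. A coding that fails this carries CR/LF, spaces or
// separators and must never be accepted as a legitimately negotiated coding.
const TOKEN = /^[!#$%&'*+.^_`|~0-9a-z-]+$/

// "gzip, deflate;q=0.5, br" -> ["gzip", "deflate", "br"]
// (q-values dropped, non-token entries discarded)
function acceptedEncodings (acceptEncoding) {
  if (typeof acceptEncoding !== 'string') return []
  return acceptEncoding
    .split(',')
    .map(part => part.split(';')[0].trim().toLowerCase())
    .filter(coding => TOKEN.test(coding))
}

// The exclusion: every coding in the response value must be a valid token that
// the client offered in Accept-Encoding. A partial value such as "gzip" taken
// out of "gzip, deflate, br" passes; a value carrying CRLF does not.
function isEncodingNegotiation (responseHeader, value, requestHeaders) {
  if (!ENCODING_RESPONSE_HEADERS.has(responseHeader.toLowerCase())) return false
  const offered = new Set(acceptedEncodings(requestHeaders['accept-encoding']))
  const chosen = value.split(',').map(v => v.trim().toLowerCase()).filter(Boolean)
  return chosen.length > 0 && chosen.every(c => TOKEN.test(c) && offered.has(c))
}

// Stand-in for taint tracking (assumption): the response value is treated as
// derived from a request header when one contains the other as a substring.
// Returns the name of the request header it derives from, or null.
function taintedBy (value, requestHeaders) {
  for (const [name, src] of Object.entries(requestHeaders)) {
    if (typeof src !== 'string' || src.length === 0 || value.length === 0) continue
    if (src.includes(value) || value.includes(src)) return name
  }
  return null
}

// null when the header is safe, otherwise a finding naming the affected
// response header and the request header its value came from.
function detectHeaderInjection (responseHeader, value, requestHeaders) {
  const source = taintedBy(value, requestHeaders)
  if (source === null) return null
  if (isEncodingNegotiation(responseHeader, value, requestHeaders)) return null
  return { header: responseHeader.toLowerCase(), source }
}

// Constructed sample headers for a stand-alone run.
function demo () {
  const req = { 'accept-encoding': 'gzip, deflate;q=0.5, br', 'x-forwarded-host': 'example.com' }
  return [
    detectHeaderInjection('Content-Encoding', 'gzip', req),   // null: excluded
    detectHeaderInjection('X-Debug', 'gzip', req),            // finding: not an encoding header
    detectHeaderInjection('Content-Encoding', 'gzip\r\nX-Injected: 1',
      { 'accept-encoding': 'gzip\r\nX-Injected: 1' })         // finding: CRLF is not a token
  ]
}

module.exports = { acceptedEncodings, isEncodingNegotiation, taintedBy, detectHeaderInjection, demo }
```

The token check is the part worth keeping whatever the rest of the detection looks like: an exclusion keyed only on "the response value is a substring of Accept-Encoding" would be satisfied by a request that smuggles `\r\n` into Accept-Encoding and a server that echoes it.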
* Fix integration by preventing unsafe access to properties.
---------
Co-authored-by: William Conti <william.conti@datadoghq.com>
Co-authored-by: William Conti <58711692+wconti27@users.noreply.github.com>
* Add support for inferred spans to be created for proxies. Initially supports AWS API Gateway and creates a span when the required headers are attached on the received request.
---------
Co-authored-by: wantsui <wan.tsui@datadoghq.com>
* add tracer version to top-level payload
* fix dd-trace.version to be ddtrace.version tag
Overall package size
Self size: 8.04 MB
Dependency sizes

| name | version | self size | total size |
|------|---------|-----------|------------|
| @datadog/libdatadog | 0.2.2 | 29.27 MB | 29.27 MB |
| @datadog/native-appsec | 8.3.0 | 19.37 MB | 19.38 MB |
| @datadog/native-iast-taint-tracking | 3.2.0 | 13.9 MB | 13.91 MB |
| @datadog/pprof | 5.4.1 | 9.76 MB | 10.13 MB |
| protobufjs | 7.2.5 | 2.77 MB | 7.01 MB |
| @datadog/native-iast-rewriter | 2.5.0 | 2.51 MB | 2.65 MB |
| @opentelemetry/core | 1.14.0 | 872.87 kB | 1.47 MB |
| @datadog/native-metrics | 3.0.1 | 1.06 MB | 1.46 MB |
| @opentelemetry/api | 1.8.0 | 1.21 MB | 1.21 MB |
| import-in-the-middle | 1.11.2 | 112.74 kB | 826.22 kB |
| msgpack-lite | 0.1.26 | 201.16 kB | 281.59 kB |
| opentracing | 0.14.7 | 194.81 kB | 194.81 kB |
| lru-cache | 7.18.3 | 133.92 kB | 133.92 kB |
| pprof-format | 2.1.0 | 111.69 kB | 111.69 kB |
| @datadog/sketches-js | 2.1.0 | 109.9 kB | 109.9 kB |
| semver | 7.6.3 | 95.82 kB | 95.82 kB |
| lodash.sortby | 4.7.0 | 75.76 kB | 75.76 kB |
| ignore | 5.3.1 | 51.46 kB | 51.46 kB |
| int64-buffer | 0.1.10 | 49.18 kB | 49.18 kB |
| shell-quote | 1.8.1 | 44.96 kB | 44.96 kB |
| istanbul-lib-coverage | 3.2.0 | 29.34 kB | 29.34 kB |
| rfdc | 1.3.1 | 25.21 kB | 25.21 kB |
| @isaacs/ttlcache | 1.4.1 | 25.2 kB | 25.2 kB |
| tlhunter-sorted-set | 0.1.0 | 24.94 kB | 24.94 kB |
| limiter | 1.1.5 | 23.17 kB | 23.17 kB |
| dc-polyfill | 0.1.4 | 23.1 kB | 23.1 kB |
| retry | 0.13.1 | 18.85 kB | 18.85 kB |
| jest-docblock | 29.7.0 | 8.99 kB | 12.76 kB |
| crypto-randomuuid | 1.0.0 | 11.18 kB | 11.18 kB |
| koalas | 1.0.2 | 6.47 kB | 6.47 kB |
| path-to-regexp | 0.1.10 | 6.38 kB | 6.38 kB |
| module-details-from-path | 1.0.3 | 4.47 kB | 4.47 kB |

🤖 This report was automatically generated by heaviest-objects-in-the-universe
Benchmarks
Benchmark execution time: 2024-11-19 18:43:10
Comparing candidate commit af167eb in PR branch
Found 1 performance improvement and 2 performance regressions! Performance is the same for 768 metrics, 27 unstable metrics.
scenario:appsec-startup-time-appsec-enabled-16
scenario:async_hooks-init-only-16
could you include #4863? It fixes a customer issue
* Template injection vulnerability detection in handlebars
* template injection vulnerability detection in pug
* fix lint and naming issues
* create separate job for template injection
* add support to registerPartial function
* add tests for pug render function
…rvice is instrumented and fix typo (#4851)
* [DSM] Set checkpoints for DSM with SQS & Kinesis for consumers even when the producer did not have DSM enabled
* [DSM] Send checkpoints to DSM if its enabled even if there is no streamName
a296c29 to 6eb35e8
* Update dd native-appsec waf bindings to v8.3.0
* Update WAF recommended rules to v1.13.3
* add support to api security sampling
* fix express plugin schema extraction
* use priority simpler to get span priority
* use lru cache package
* use route path instead of url
* use route.path or url to generate the key
* use ttlcache
* Fix standalone integration test
* Increase test timeout
* simplify force sample
* avoid checking is sampled twice
* use route.path or url to generate the key
* remove unnecessary tests of sample delay
* fix non experimental options test
* remove unused isSampled
* always sample request if delay is 0
---------
Co-authored-by: Igor Unanua <igor.unanua@datadoghq.com>
Co-authored-by: simon-id <simon.id@datadoghq.com>
…ith invalid traces (#4874)
* initial commit
* updating _links and when links are created
* logging
* add link to instrumentation
* updating integrations to include span links
* fixing syntax error
* fixing ci tests
* updating unit test
* fix ci
* fixing moleculer tests
* safe checking all contexts before getting links
* Add span pointer info on S3 `putObject`, `copyObject`, and `completeMultipartUpload` requests.
* Unit tests
* small improvement
* Create `addSpanPointer()` so we don't have to export a context with 0s for trace+span id; add debug logs
* Add integration test for completeMultipartUpload; update unit test
* Rename to `addSpanPointers()`
* Update comments and make getting eTag more reliable
* Validate parameters before calling `generateS3PointerHash`
* add unit tests
* Rename var to `SPAN_LINK_POINTER_KIND`; standardize the hashing function.
* Set the span link kind in the `addSpanPointer()` functions so that downstream callers don't have to worry about passing it.
* Move constants to constants.js; move `generatePointerHash` to util.js
* log.error accepting multiple arguments
* clean up
* warn, info, debug methods
* Update packages/dd-trace/src/log/writer.js
Co-authored-by: Attila Szegedi <szegedi@users.noreply.github.com>
* attila suggestion
* include error type in the telemetry log
* remove optional chaining to work in node 12
* remove optional chaining and ?? to work in node 12
---------
Co-authored-by: Attila Szegedi <szegedi@users.noreply.github.com>
6eb35e8 to bb96eb6
…oot, not the project's root dir or working directory (#4903)
bb96eb6 to af167eb
bengl approved these changes Nov 19, 2024
* [add2338291] - (SEMVER-PATCH) Increase timeout on RASP integration test for windows (Carles Capell) #4907
* [920d2a2768] - (SEMVER-PATCH) [test optimization] Report code coverage relative to the repository root, not the project's root dir or working directory (Juan Antonio Fernández de Alba) #4903
* [a41951c2c6] - (SEMVER-MINOR) log template messages and errors (Igor Unanua) #4856
* [9c081c81d2] - (SEMVER-PATCH) disable merge queue (Bryan English) #4905
* [6392a2e12b] - (SEMVER-MINOR) [serverless] Add S3 Span Pointers (Nicholas Hulston) #4875
* [2072a1f0e7] - (SEMVER-PATCH) improve output for release proposal script (Roch Devost) #4897
* [9de411aa0c] - (SEMVER-PATCH) automate release notes from github actions (Roch Devost) #4893
* [f0df061a4b] - (SEMVER-MINOR) Adding Span Link support for distributed tracing header extractions with invalid traces (mhlidd) #4874
* [61c5a3218e] - (SEMVER-PATCH) Upgrade cross-spawn to v7.0.5 - patched ReDoS (Carles Capell) #4899
* [bdbeb024b0] - (SEMVER-MINOR) add support to api security sampling (ishabi) #4755
* [1670ef921d] - (SEMVER-PATCH) Adding new ST scenarios for rasp (Ugaitz Urien) #4883
* [170a97cc95] - (SEMVER-MINOR) Update WAF rules and bindings (Carles Capell) #4891
* [51bea5452e] - (SEMVER-PATCH) [DSM] Set checkpoints for DSM even when there is no context if the service is instrumented and fix typo (Eric Firth) #4851
* [a8896ee676] - (SEMVER-PATCH) update release script to also create pr (Roch Devost) #4880
* [25ae8e737e] - (SEMVER-PATCH) Ignore elasticsearch 8.16.0 from esm tests (Ugaitz Urien) #4892
* [985cb1db96] - (SEMVER-MINOR) Template injection vulnerability detection in handlebars and pug (ishabi) #4827
* [59e9a2a75f] - (SEMVER-PATCH) [test optimization] Fix active span being null in cypress (Juan Antonio Fernández de Alba) #4863
* [9146f26c93] - (SEMVER-PATCH) Remove `x-forwarded` from ipHeaderList (simon-id) #4882
* [83e11a3e13] - (SEMVER-PATCH) add namespace support for async storage (Roch Devost) #4775
* [1ce47d2ba0] - (SEMVER-PATCH) chore(llmobs): tracer version tagging (Sam Brenner) #4885
* [7addced607] - (SEMVER-MINOR) add crashtracking with libdatadog native binding (Roch Devost) #4692
* [36903cc982] - (SEMVER-PATCH) skip warning if propagator is baggage (Ida Liu) #4866
* [9794630aa0] - (SEMVER-PATCH) add more node version test to unsupported guardrails matrix (Roch Devost) #4879
* [1e1a2a1014] - (SEMVER-PATCH) add guardrail to completely bail out in very old versions (Roch Devost) #4878
* [29ff735a64] - (SEMVER-MINOR) feat(tracing): AWS API Gateway Inferred Span Support (William Conti) #4837
* [b81d9d84bf] - (SEMVER-MINOR) Prevent errors in Express 5.x applications (wantsui) #4872
* [0a44e6e4dc] - (SEMVER-PATCH) Have one version tag in metrics (Attila Szegedi) #4857
* [0a411ee6e1] - (SEMVER-PATCH) add release proposal script for use locally (Roch Devost) #4853
* [70e99bd56b] - (SEMVER-MINOR) Add exclusions for header injection vulnerability (Carles Capell) #4841
* [367bd2d65c] - (SEMVER-PATCH) Discard non-web traces when searching for a vulnerability not being present (Carles Capell) #4871
* [1ee8000111] - (SEMVER-PATCH) Revert "always enable tracing header injection for AWS requests (always enable tracing header injection for AWS requests #4717)" (Thomas Hunter II) #4867