Add new APPSEC_HEADER_COLLECTION_REDACTION_ENABLED config

Author: jandro996

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java

@@ -704,7 +704,11 @@ private NoopFlow onRequestEnded(RequestContext ctx_, IGSpanInfo spanInfo) {
         traceSeg.setDataTop("appsec", wrapper);
 
         // Report collected request and response headers based on allow list
-        boolean collectAll = Config.get().isAppSecCollectAllHeaders();
+        boolean collectAll =
+            Config.get().isAppSecCollectAllHeaders()
+                // Until redaction is defined we don't want to collect all headers due to risk of
+                // leaking sensitive data
+                && !Config.get().isAppSecHeaderCollectionRedactionEnabled();
         writeRequestHeaders(
             traceSeg, REQUEST_HEADERS_ALLOW_LIST, ctx.getRequestHeaders(), collectAll);
         writeResponseHeaders(

dd-smoke-tests/appsec/springboot/src/test/groovy/datadog/smoketest/appsec/ExtendedDataCollectionSmokeTest.groovy

@@ -15,6 +15,7 @@ class ExtendedDataCollectionSmokeTest extends AbstractAppSecServerSmokeTest {
     command.addAll(defaultJavaProperties)
     command.addAll(defaultAppSecProperties)
     command.add('-Ddd.appsec.collect.all.headers=true')
+    command.add('-Ddd.appsec.header.collection.redaction.enabled=false')
     command.addAll((String[]) ["-jar", springBootShadowJar, "--server.port=${httpPort}"])
 
     ProcessBuilder processBuilder = new ProcessBuilder(command)

dd-trace-api/src/main/java/datadog/trace/api/config/AppSecConfig.java

@@ -45,6 +45,8 @@ public final class AppSecConfig {
       "appsec.max.stacktrace.depth"; // old non-standard as a fallback alias
   public static final String APPSEC_COLLECT_ALL_HEADERS = "appsec.collect.all.headers";
   public static final String APPSEC_MAX_COLLECTED_HEADERS = "appsec.max.collected.headers";
+  public static final String APPSEC_HEADER_COLLECTION_REDACTION_ENABLED =
+      "appsec.header.collection.redaction.enabled";
 
   private AppSecConfig() {}
 }

internal-api/src/main/java/datadog/trace/api/Config.java

@@ -292,6 +292,7 @@ public static String getHostName() {
   private final int appSecMaxStackTraces;
   private final int appSecMaxStackTraceDepth;
   private final boolean appSecCollectAllHeaders;
+  private final boolean appSecHeaderCollectionRedactionEnabled;
   private final int appSecMaxCollectedHeaders;
   private final boolean apiSecurityEnabled;
   private final float apiSecuritySampleDelay;
@@ -1386,6 +1387,8 @@ PROFILING_DATADOG_PROFILER_ENABLED, isDatadogProfilerSafeInCurrentEnvironment())
             DEFAULT_APPSEC_MAX_STACK_TRACE_DEPTH,
             APPSEC_MAX_STACKTRACE_DEPTH_DEPRECATED);
     appSecCollectAllHeaders = configProvider.getBoolean(APPSEC_COLLECT_ALL_HEADERS, false);
+    appSecHeaderCollectionRedactionEnabled =
+        configProvider.getBoolean(APPSEC_HEADER_COLLECTION_REDACTION_ENABLED, true);
     appSecMaxCollectedHeaders =
         configProvider.getInteger(
             APPSEC_MAX_COLLECTED_HEADERS, DEFAULT_APPSEC_MAX_COLLECTED_HEADERS);
@@ -4198,6 +4201,10 @@ public boolean isAppSecCollectAllHeaders() {
     return appSecCollectAllHeaders;
   }
 
+  public boolean isAppSecHeaderCollectionRedactionEnabled() {
+    return appSecHeaderCollectionRedactionEnabled;
+  }
+
   public int getAppsecMaxCollectedHeaders() {
     return appSecMaxCollectedHeaders;
   }