HTTP response schema collection and data classification #8938

Draft: wants to merge 8 commits into malvarez/http-route-play from sezen.leblay/APPSEC-57259-extract-schema-spring

Conversation

@sezen-datadog (Contributor) commented Jun 6, 2025

What Does This Do

Motivation

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-57259

@sezen-datadog force-pushed the sezen.leblay/APPSEC-57259-extract-schema-spring branch from f3bdd40 to 7c044fd, June 6, 2025 12:27
pr-commenter bot commented Jun 6, 2025

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master sezen.leblay/APPSEC-57259-extract-schema-spring
git_commit_date 1749754796 1749806973
git_commit_sha d2d38c9 9ac9a16
release_version 1.50.0-SNAPSHOT~d2d38c9d44 1.50.0-SNAPSHOT~9ac9a163f8
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1749809334 1749809334
ci_job_id 980445135 980445135
ci_pipeline_id 67648128 67648128
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-z87jatgw-project-304-concurrent-0-ojtdbbgm 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-z87jatgw-project-304-concurrent-0-ojtdbbgm 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None
variant iast iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 61 metrics, 10 unstable metrics.

Startup time reports for petclinic
petclinic - global startup overhead: candidate=1.50.0-SNAPSHOT~9ac9a163f8, baseline=1.50.0-SNAPSHOT~d2d38c9d44 (chart; the same Agent/Total values are listed in the tables below)
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.024 s -
Agent appsec 1.172 s 148.408 ms (14.5%)
Agent iast 1.155 s 131.65 ms (12.9%)
Agent profiling 1.274 s 249.999 ms (24.4%)
Total tracing 10.543 s -
Total appsec 10.673 s 130.163 ms (1.2%)
Total iast 10.869 s 325.838 ms (3.1%)
Total profiling 10.881 s 337.726 ms (3.2%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.026 s -
Agent appsec 1.168 s 141.521 ms (13.8%)
Agent iast 1.151 s 124.509 ms (12.1%)
Agent profiling 1.266 s 239.648 ms (23.4%)
Total tracing 10.516 s -
Total appsec 10.669 s 152.47 ms (1.4%)
Total iast 10.921 s 404.067 ms (3.8%)
Total profiling 10.886 s 369.075 ms (3.5%)
petclinic - break down per module: candidate=1.50.0-SNAPSHOT~9ac9a163f8, baseline=1.50.0-SNAPSHOT~d2d38c9d44
Variant Module Baseline Candidate
tracing BytebuddyAgent 683.704 ms 684.286 ms
tracing GlobalTracer 240.627 ms 241.017 ms
tracing AppSec 56.58 ms 56.509 ms
tracing Debugger 6.187 ms 6.292 ms
tracing Remote Config 746.724 µs 709.402 µs
tracing Telemetry 12.153 ms 13.873 ms
appsec BytebuddyAgent 707.117 ms 703.33 ms
appsec GlobalTracer 238.86 ms 238.36 ms
appsec AppSec 177.357 ms 177.421 ms
appsec Debugger 5.997 ms 6.012 ms
appsec Remote Config 642.719 µs 634.006 µs
appsec Telemetry 7.411 ms 7.398 ms
appsec IAST 21.802 ms 21.888 ms
iast BytebuddyAgent 804.71 ms 802.338 ms
iast GlobalTracer 232.205 ms 230.509 ms
iast AppSec 52.969 ms 55.464 ms
iast Debugger 6.001 ms 6.025 ms
iast Remote Config 600.59 µs 591.66 µs
iast Telemetry 8.029 ms 7.886 ms
iast IAST 27.133 ms 24.397 ms
profiling BytebuddyAgent 679.25 ms 675.382 ms
profiling GlobalTracer 362.305 ms 359.023 ms
profiling AppSec 61.797 ms 62.029 ms
profiling Debugger 6.119 ms 6.135 ms
profiling Remote Config 656.352 µs 649.503 µs
profiling Telemetry 8.217 ms 8.178 ms
profiling ProfilingAgent 104.11 ms 103.86 ms
profiling Profiling 104.135 ms 103.884 ms
Startup time reports for insecure-bank
insecure-bank - global startup overhead: candidate=1.50.0-SNAPSHOT~9ac9a163f8, baseline=1.50.0-SNAPSHOT~d2d38c9d44 (chart; the same Agent/Total values are listed in the tables below)
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.022 s -
Agent iast 1.148 s 125.501 ms (12.3%)
Agent iast_HARDCODED_SECRET_DISABLED 1.151 s 129.055 ms (12.6%)
Agent iast_TELEMETRY_OFF 1.143 s 120.453 ms (11.8%)
Total tracing 8.522 s -
Total iast 9.176 s 654.198 ms (7.7%)
Total iast_HARDCODED_SECRET_DISABLED 9.155 s 633.847 ms (7.4%)
Total iast_TELEMETRY_OFF 9.263 s 740.974 ms (8.7%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.037 s -
Agent iast 1.157 s 119.772 ms (11.5%)
Agent iast_HARDCODED_SECRET_DISABLED 1.158 s 120.879 ms (11.7%)
Agent iast_TELEMETRY_OFF 1.149 s 111.621 ms (10.8%)
Total tracing 8.577 s -
Total iast 9.214 s 637.65 ms (7.4%)
Total iast_HARDCODED_SECRET_DISABLED 9.164 s 587.188 ms (6.8%)
Total iast_TELEMETRY_OFF 9.314 s 737.121 ms (8.6%)
insecure-bank - break down per module: candidate=1.50.0-SNAPSHOT~9ac9a163f8, baseline=1.50.0-SNAPSHOT~d2d38c9d44
Variant Module Baseline Candidate
tracing BytebuddyAgent 683.092 ms 692.758 ms
tracing GlobalTracer 240.087 ms 243.269 ms
tracing AppSec 58.148 ms 57.967 ms
tracing Debugger 6.09 ms 6.368 ms
tracing Remote Config 727.819 µs 720.987 µs
tracing Telemetry 10.51 ms 12.346 ms
iast BytebuddyAgent 801.039 ms 807.469 ms
iast GlobalTracer 229.698 ms 231.701 ms
iast AppSec 52.208 ms 52.834 ms
iast Debugger 5.929 ms 5.969 ms
iast Remote Config 599.642 µs 588.46 µs
iast Telemetry 7.869 ms 7.977 ms
iast IAST 26.937 ms 27.042 ms
iast_HARDCODED_SECRET_DISABLED BytebuddyAgent 803.085 ms 807.395 ms
iast_HARDCODED_SECRET_DISABLED GlobalTracer 230.564 ms 232.064 ms
iast_HARDCODED_SECRET_DISABLED AppSec 53.388 ms 53.139 ms
iast_HARDCODED_SECRET_DISABLED Debugger 5.988 ms 6.05 ms
iast_HARDCODED_SECRET_DISABLED Remote Config 614.474 µs 611.509 µs
iast_HARDCODED_SECRET_DISABLED Telemetry 7.979 ms 8.042 ms
iast_HARDCODED_SECRET_DISABLED IAST 26.141 ms 27.253 ms
iast_TELEMETRY_OFF BytebuddyAgent 796.226 ms 799.914 ms
iast_TELEMETRY_OFF GlobalTracer 229.775 ms 230.991 ms
iast_TELEMETRY_OFF AppSec 51.958 ms 53.37 ms
iast_TELEMETRY_OFF Debugger 5.913 ms 6.075 ms
iast_TELEMETRY_OFF Remote Config 591.019 µs 605.445 µs
iast_TELEMETRY_OFF Telemetry 7.744 ms 7.983 ms
iast_TELEMETRY_OFF IAST 27.045 ms 26.536 ms

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
end_time 2025-06-13T09:45:29 2025-06-13T09:50:18
git_branch master sezen.leblay/APPSEC-57259-extract-schema-spring
git_commit_date 1749754796 1749806973
git_commit_sha d2d38c9 9ac9a16
release_version 1.50.0-SNAPSHOT~d2d38c9d44 1.50.0-SNAPSHOT~9ac9a163f8
start_time 2025-06-13T09:45:14 2025-06-13T09:49:33
See matching parameters
Baseline Candidate
application petclinic petclinic
ci_job_date 1749808218 1749808218
ci_job_id 980445136 980445136
ci_pipeline_id 67648128 67648128
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-z87jatgw-project-304-concurrent-1-j3lhu8sk 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-z87jatgw-project-304-concurrent-1-j3lhu8sk 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
thresholds_or_results results results
variant appsec appsec

Summary

Found 0 performance improvements and 3 performance regressions! Performance is the same for 0 metrics, 9 unstable metrics.

scenario:load:petclinic:appsec_no_iast
  Δ mean http_req_duration: worse, [+77.123ms; +80.060ms] or [+inf%; +inf%]
  Δ mean throughput: unstable, [-18651.055op/s; -13225.298op/s] or [-116.569%; -82.658%]
  candidate: mean http_req_duration 78591672.856ns, mean throughput 61.824op/s
  baseline: mean http_req_duration 0.000ns, mean throughput 16000.000op/s
scenario:load:petclinic:code_origins
  Δ mean http_req_duration: unstable, [+79.435ms; +85.665ms] or [+802.849%; +865.811%]
  Δ mean throughput: worse, [-465.969op/s; -439.899op/s] or [-93.144%; -87.933%]
  candidate: mean http_req_duration 92.444ms, mean throughput 47.333op/s
  baseline: mean http_req_duration 9.894ms, mean throughput 500.268op/s
scenario:load:petclinic:no_agent
  Δ mean http_req_duration: unstable, [+30.626ms; +31.855ms] or [+396.490%; +412.399%]
  Δ mean throughput: worse, [-538.768op/s; -490.609op/s] or [-84.182%; -76.658%]
  candidate: mean http_req_duration 38.965ms, mean throughput 125.312op/s
  baseline: mean http_req_duration 7.724ms, mean throughput 640.000op/s

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master sezen.leblay/APPSEC-57259-extract-schema-spring
git_commit_date 1749754796 1749806973
git_commit_sha d2d38c9 9ac9a16
release_version 1.50.0-SNAPSHOT~d2d38c9d44 1.50.0-SNAPSHOT~9ac9a163f8
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1749808959 1749808959
ci_job_id 980445137 980445137
ci_pipeline_id 67648128 67648128
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-z87jatgw-project-304-concurrent-2-dn4av7bj 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-z87jatgw-project-304-concurrent-2-dn4av7bj 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
variant appsec appsec

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for tomcat
tomcat - execution time [CI 0.99]: candidate=1.50.0-SNAPSHOT~9ac9a163f8, baseline=1.50.0-SNAPSHOT~d2d38c9d44 (chart; the same per-variant values are listed in the tables below)
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.473 ms [1.462 ms, 1.485 ms] -
appsec 2.397 ms [2.349 ms, 2.446 ms] 923.808 µs (62.7%)
iast 2.188 ms [2.127 ms, 2.249 ms] 714.532 µs (48.5%)
iast_GLOBAL 2.232 ms [2.171 ms, 2.294 ms] 758.896 µs (51.5%)
profiling 2.044 ms [1.994 ms, 2.094 ms] 570.477 µs (38.7%)
tracing 1.999 ms [1.951 ms, 2.046 ms] 525.393 µs (35.7%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.474 ms [1.462 ms, 1.485 ms] -
appsec 2.39 ms [2.342 ms, 2.438 ms] 916.414 µs (62.2%)
iast 2.179 ms [2.118 ms, 2.241 ms] 705.671 µs (47.9%)
iast_GLOBAL 2.217 ms [2.156 ms, 2.278 ms] 743.287 µs (50.4%)
profiling 2.014 ms [1.966 ms, 2.063 ms] 540.548 µs (36.7%)
tracing 2.018 ms [1.97 ms, 2.066 ms] 544.639 µs (37.0%)
Execution time for biojava
biojava - execution time [CI 0.99]: candidate=1.50.0-SNAPSHOT~9ac9a163f8, baseline=1.50.0-SNAPSHOT~d2d38c9d44 (chart; the same per-variant values are listed in the tables below)
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 14.98 s [14.98 s, 14.98 s] -
appsec 14.881 s [14.881 s, 14.881 s] -99.0 ms (-0.7%)
iast 18.861 s [18.861 s, 18.861 s] 3.881 s (25.9%)
iast_GLOBAL 18.12 s [18.12 s, 18.12 s] 3.14 s (21.0%)
profiling 15.422 s [15.422 s, 15.422 s] 442.0 ms (3.0%)
tracing 15.08 s [15.08 s, 15.08 s] 100.0 ms (0.7%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.065 s [15.065 s, 15.065 s] -
appsec 14.893 s [14.893 s, 14.893 s] -172.0 ms (-1.1%)
iast 18.846 s [18.846 s, 18.846 s] 3.781 s (25.1%)
iast_GLOBAL 17.791 s [17.791 s, 17.791 s] 2.726 s (18.1%)
profiling 15.797 s [15.797 s, 15.797 s] 732.0 ms (4.9%)
tracing 14.73 s [14.73 s, 14.73 s] -335.0 ms (-2.2%)

@@ -627,6 +671,38 @@ private Flow<Void> onRequestBodyDone(RequestContext ctx_, StoredBodySupplier sup
}
}

private Flow<Void> onResponseBodyDone(RequestContext ctx_, StoredBodySupplier supplier) {
@jandro996 (Member), Jun 9, 2025:

I need to check the RFC properly but AFAIK response body raw doesn't apply to schema collection

Comment on lines +149 to +160
if (action instanceof Flow.Action.RequestBlockingAction) {
Flow.Action.RequestBlockingAction rba = (Flow.Action.RequestBlockingAction) action;
BlockResponseFunction brf = reqCtx.getBlockResponseFunction();
if (brf != null) {
brf.tryCommitBlockingResponse(
reqCtx.getTraceSegment(),
rba.getStatusCode(),
rba.getBlockingContentType(),
rba.getExtraHeaders());
}
throw new BlockingException("Blocked response (for HttpMessageConverter/write)");
}
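Review bot: the BlockingException on the last line of this hunk is thrown even when `brf` is null, so when no BlockResponseFunction is registered the HttpMessageConverter write is aborted by an exception but no blocking response has been committed. Either guard the throw with the same `brf != null` check, or document that callers are expected to catch BlockingException in that case. Since the request path already commits the block, as the review comment below notes, a cheaper option for the response path is to only consult `reqCtx` for an already-blocked state and skip schema collection, rather than committing a second blocking response here.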
Member:

Do we need to do this here? We do this in the request to block if it's necessary.

@Advice.OnMethodEnter(suppress = Throwable.class)
public static void before(
@Advice.Argument(0) final Object obj, @ActiveRequestContext RequestContext reqCtx) {
if (obj == null) {
Member:

As we don't want to collect the response if the request is blocked, maybe it's a good point to check something like AppSecRequestContext#isWafBlocked (only works for waf but we can add another flag for RASP)

if (subInfo == null || subInfo.isEmpty()) {
return NoopFlow.INSTANCE;
}
Object converted = ObjectIntrospection.convert(obj, ctx, () -> {});
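Review bot: the third argument to `ObjectIntrospection.convert` on the last line is a no-op lambda `() -> {}`, so whatever that callback is meant to signal is silently dropped on the response path. With the lower schema-extraction limits quoted in this thread (depth 18, 10 array nodes, 255 record nodes) a large response body will be cut down before it reaches the WAF, so the call site should at least record that the collected schema is partial instead of passing an empty callback. Also, the `subInfo == null || subInfo.isEmpty()` early return is right, but the conversion cost is still paid when the request was already blocked; the blocked-state check suggested in the comment above belongs before this line.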
Member:

We need to change the ObjectIntrospection#convert to be able to use it for response schema collection

Limits
Currently most libraries enforce a set of limits before serialising addresses into ddwaf_object. The default global object limits are the following:
Maximum string length: 4096 bytes
Maximum container depth: 20 levels
Maximum container size: 256 nodes

The schema extraction algorithm has a different set of limits, which are lower than the limits mentioned above:
Maximum container depth: 18 levels
Maximum array size: 10 nodes
Maximum record size: 255 nodes

When serialising addresses to ddwaf_object which aren't used for anything other than schema extraction, the library may use the schema extraction limits, rather than the global object limits.

https://docs.google.com/document/d/1965kNw_1CScNM15GgLZ0jvMhFH2kLpDYGztw8YeOfjM/edit?tab=t.0
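The two limit sets quoted in the comment above, as an added example that is not code from dd-trace-java or from the linked RFC: a small Java converter that walks a Map/List/String graph under either limit set and records whether anything was cut, which is the signal a response-schema path needs so it can mark a schema as partial. The class and method names (BoundedConverter, Limits, wasTruncated) are invented for illustration, and the 4096-byte string limit is approximated by char count.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example, not dd-trace-java code: converts a Map/List/String graph under a
// chosen limit set and remembers whether any limit was hit. Names are hypothetical.
public final class BoundedConverter {

  /** One limit set; the two constants carry the values quoted in the PR thread. */
  public static final class Limits {
    /** Global ddwaf_object limits: 4096-byte strings, depth 20, 256 nodes per container. */
    public static final Limits GLOBAL = new Limits(4096, 20, 256, 256);
    /** Schema-extraction limits: depth 18, arrays capped at 10 nodes, records at 255. */
    public static final Limits SCHEMA = new Limits(4096, 18, 10, 255);

    final int maxStringLength, maxDepth, maxArraySize, maxRecordSize;

    Limits(int maxStringLength, int maxDepth, int maxArraySize, int maxRecordSize) {
      this.maxStringLength = maxStringLength;
      this.maxDepth = maxDepth;
      this.maxArraySize = maxArraySize;
      this.maxRecordSize = maxRecordSize;
    }
  }

  private final Limits limits;
  private boolean truncated; // set once any limit is hit, so the caller can flag a partial schema

  public BoundedConverter(Limits limits) {
    this.limits = limits;
  }

  public boolean wasTruncated() {
    return truncated;
  }

  /** Converts Map, List, String, Number and Boolean values; anything else goes through toString(). */
  public Object convert(Object value) {
    return convert(value, 0);
  }

  private Object convert(Object value, int depth) {
    if (value == null) {
      return null;
    }
    if (value instanceof Map) {
      Map<String, Object> out = new LinkedHashMap<>();
      if (depth >= limits.maxDepth) { // container would sit deeper than allowed: emit it empty
        truncated = true;
        return out;
      }
      for (Map.Entry<?, ?> e : ((Map<?, ?>) value).entrySet()) {
        if (out.size() >= limits.maxRecordSize) { // record limit (255 for schema extraction)
          truncated = true;
          break;
        }
        out.put(String.valueOf(e.getKey()), convert(e.getValue(), depth + 1));
      }
      return out;
    }
    if (value instanceof List) {
      List<Object> out = new ArrayList<>();
      if (depth >= limits.maxDepth) {
        truncated = true;
        return out;
      }
      for (Object item : (List<?>) value) {
        if (out.size() >= limits.maxArraySize) { // array limit (10 for schema extraction)
          truncated = true;
          break;
        }
        out.add(convert(item, depth + 1));
      }
      return out;
    }
    if (value instanceof String) {
      String s = (String) value;
      // Approximation: char count, not UTF-8 bytes; a byte-exact version would encode first.
      if (s.length() > limits.maxStringLength) {
        truncated = true;
        return s.substring(0, limits.maxStringLength);
      }
      return s;
    }
    if (value instanceof Number || value instanceof Boolean) {
      return value;
    }
    return convert(value.toString(), depth); // unknown type: treat its toString() as the string value
  }

  public static void main(String[] args) {
    // Constructed sample response body: a 12-element array of small records plus a count.
    List<Object> items = new ArrayList<>();
    for (int i = 0; i < 12; i++) {
      Map<String, Object> item = new LinkedHashMap<>();
      item.put("id", i);
      item.put("name", "item" + i);
      items.add(item);
    }
    Map<String, Object> body = new LinkedHashMap<>();
    body.put("items", items);
    body.put("total", 12);

    for (Limits l : new Limits[] {Limits.GLOBAL, Limits.SCHEMA}) {
      BoundedConverter c = new BoundedConverter(l);
      Map<?, ?> converted = (Map<?, ?>) c.convert(body);
      int kept = ((List<?>) converted.get("items")).size();
      System.out.println((l == Limits.GLOBAL ? "global" : "schema")
          + " limits: items kept=" + kept + ", truncated=" + c.wasTruncated());
    }
  }
}
```

Compile and run with `javac BoundedConverter.java && java BoundedConverter`. Under the global limits all 12 items survive and wasTruncated() stays false; under the schema-extraction limits only 10 items are kept and wasTruncated() becomes true, which is exactly the condition a caller should persist instead of discarding it through an empty callback.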

Member:

I think that we only need the RESPONSE_BODY_CONVERTED

Member:

Same here, I think that we are ok just with RESPONSE_BODY_CONVERTED_ID

@@ -98,6 +98,7 @@ public class AppSecRequestContext implements DataBundle, Closeable {
private String inferredClientIp;

private volatile StoredBodySupplier storedRequestBodySupplier;
private volatile StoredBodySupplier storedResponseBodySupplier;
Member:

I think we don't need this, as we can pass the response object via callback directly

@@ -106,6 +107,8 @@ public class AppSecRequestContext implements DataBundle, Closeable {
private boolean rawReqBodyPublished;
private boolean convertedReqBodyPublished;
private boolean respDataPublished;
private boolean rawRespBodyPublished;
Member:

We don't need raw response

@sezen-datadog force-pushed the sezen.leblay/APPSEC-57259-extract-schema-spring branch 2 times, most recently from ade8110 to 5aa9177, June 10, 2025 12:54
@sezen-datadog changed the base branch from master to malvarez/vertx-response-extraction, June 10, 2025 12:55
@sezen-datadog force-pushed the sezen.leblay/APPSEC-57259-extract-schema-spring branch from 5aa9177 to 5000116, June 10, 2025 12:56
@sezen-datadog force-pushed the sezen.leblay/APPSEC-57259-extract-schema-spring branch from b2f2eb6 to 81198be, June 12, 2025 11:44
@sezen-datadog force-pushed the sezen.leblay/APPSEC-57259-extract-schema-spring branch from 64ee2ba to a82275e, June 13, 2025 09:16
@sezen-datadog force-pushed the sezen.leblay/APPSEC-57259-extract-schema-spring branch from c65407e to 9ac9a16, June 13, 2025 09:29
@manuel-alvarez-alvarez force-pushed the malvarez/vertx-response-extraction branch 3 times, most recently from 414f1ea to e6d0da9, June 17, 2025 17:04
Base automatically changed from malvarez/vertx-response-extraction to malvarez/http-route-play, June 17, 2025 17:22