Skip to content
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 11 additions & 4 deletions tests/appsec/test_inferred_spans.py
Original file line number Diff line number Diff line change
Expand Up @@ -16,11 +16,18 @@ def setup_lambda_inferred_span(self) -> None:
self.r = weblog.get("/waf/?message=<script>alert()</script>")

def test_lambda_inferred_span(self) -> None:
# The AppSec report is carried by the service-entry span. Depending on
# the tracer / lambda layer version this is either the downstream
# aws.lambda span, or the inferred API Gateway span when it shares the
# function's service (serverless service representation) and therefore
# becomes the top-level service-entry span. Capture the AppSec data from
# whichever span reports it.
service_entry_appsec_data = None
for _, _, span, appsec_data in interfaces.library.get_appsec_events(self.r):
if span.get("name") == "aws.lambda":
lambda_span_appsec_data = appsec_data
if span.get("name") == "aws.lambda" or span.get("name") in INFERRED_SPAN_NAMES:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Search the full trace for inferred AppSec data

When AppSec moves onto the inferred API Gateway span, adding the inferred names here is not enough because get_appsec_events(self.r) still uses full_trace=False; utils/interfaces/_library/core.py::get_spans then yields only spans whose extracted request id matches the response. In Lambda traces where the request id remains on aws.lambda but the AppSec payload is only on aws.apigateway/aws.httpapi, this loop never sees the new service-entry span and the assertion below still fails, so this should read events with full_trace=True like the inferred-span validation does.

Useful? React with 👍 / 👎.

service_entry_appsec_data = appsec_data

assert lambda_span_appsec_data, "Expected non empty appsec data on aws.lambda span"
assert service_entry_appsec_data, "Expected non empty appsec data on the service-entry span"

def validate_inferred_span(span: DataDogLibrarySpan) -> bool:
if span.get("name") not in INFERRED_SPAN_NAMES:
Expand All @@ -41,7 +48,7 @@ def validate_inferred_span(span: DataDogLibrarySpan) -> bool:
inferred_payload = (
json.loads(inferred_span_payload) if isinstance(inferred_span_payload, str) else inferred_span_payload
)
assert inferred_payload == lambda_span_appsec_data, "AppSec Data must match the service-entry span"
assert inferred_payload == service_entry_appsec_data, "AppSec Data must match the service-entry span"

return True

Expand Down
Loading