wip: support asm #695
wip: support asm #695
Conversation
duncanista
force-pushed
the
jordan.gonzalez/appsec/support-application-and-api-protection
branch
from
a93c4e8 to
2ec14e9
Compare
main proxy code
its not used
also added some small configs like `appsec_rules` and `appsec_waf_timeout`
so it can use decide whether to act on appsec
duncanista
force-pushed
the
jordan.gonzalez/appsec/support-application-and-api-protection
branch
from
346a130 to
ba7a1da
Compare
RomainMuller
force-pushed
the
jordan.gonzalez/appsec/support-application-and-api-protection
branch
from
0e3ae0b to
ba7a1da
Compare
RomainMuller
force-pushed
the
jordan.gonzalez/appsec/support-application-and-api-protection
branch
from
97a4a9e to
e0902ba
Compare
RomainMuller
force-pushed
the
jordan.gonzalez/appsec/support-application-and-api-protection
branch
from
a177439 to
cd8e2cf
Compare
| async fn extract(self) -> HttpData; | ||
| } | ||
|
|
||
| pub(super) async fn extract_request_address_data(body: &Bytes) -> Option<(HttpData, RequestType)> { |
There was a problem hiding this comment.
I remember you mentioned maybe we want to eventually consolidate this with the triggers – overall, great
Deserializing into type might be slow since payloads can technically be up to 6MB
There was a problem hiding this comment.
Ah, next file is doing a similar check from triggers code
There was a problem hiding this comment.
I see that specific logic, as you mentioned privately, was ported from Go, maybe for the ones that already exist here in the triggers, could we use that same logic and for the events that we don't cover for inferred spans, I.E. Kong, we maintain the Go port?
| for (key, value) in appsec_context.tags() { | ||
| self.invocation_span | ||
| .meta | ||
| .entry(key.clone()) | ||
| .or_insert(value.clone()); | ||
| } |
There was a problem hiding this comment.
Can't we use extend here?
|
|
||
| // Note: We intentionally don't set `actor.ip` because we don't have a definitive signal here. | ||
|
|
||
| //TODO(romain.marcadier): Figure out whether we can set "_dd.runtime_family" here; and to what value. |
There was a problem hiding this comment.
if there is a set of valid values, we can talk about how and when to set it, we get the specific runtime at a later point of init, but we guarantee it will arrive
There was a problem hiding this comment.
My main concern is if there's a better way to tie contexts, I won't know until I inspect the code thoroughly, but so far this looks good
| if let Some(appsec_processor) = appsec_processor { | ||
| if let Some(request_id) = intercepted_parts | ||
| .headers | ||
| .get("Lambda-Runtime-Aws-Request-Id") |
There was a problem hiding this comment.
I remember either in next or response we can get this by checking at the Path, we can leverage Axum for it, will check again which one was it
RomainMuller
force-pushed
the
jordan.gonzalez/appsec/support-application-and-api-protection
branch
from
1a2a3d6 to
d17cc48
Compare
No description provided.