[Serverless] Fix panic when running the extension without appsec enabled. #16054
func TestInvocationSubProcessorNilInterface(t *testing.T) { | ||
lp := &invocationlifecycle.LifecycleProcessor{ | ||
DetectLambdaLibrary: func() bool { return true }, | ||
SubProcessor: (*httpsec.InvocationSubProcessor)(nil), | ||
} | ||
|
||
assert.True(t, lp.SubProcessor != nil) | ||
|
||
lp.OnInvokeStart(&invocationlifecycle.InvocationStartDetails{ | ||
InvokeEventRawPayload: []byte( | ||
`{"requestcontext":{"stage":"purple"},"httpmethod":"purple","resource":"purple"}`), | ||
}) | ||
|
||
lp.OnInvokeEnd(&invocationlifecycle.InvocationEndDetails{}) | ||
} |
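Review bot: The test ends with bare calls to lp.OnInvokeStart and lp.OnInvokeEnd and no assertion after them, so it passes only by not panicking, and nothing in the test says that this is the intent. A short comment above `SubProcessor: (*httpsec.InvocationSubProcessor)(nil),` explaining that a nil pointer stored in the interface field is what makes `lp.SubProcessor != nil` true would help the next reader, as would wrapping the two calls in an explicit no-panic assertion if the assertion package in use offers one.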
I'd suggest you move this test into the lifecycle processor test suite as this is testing its nil-check is working as expected.
Good catch.
When I worked to move this test to the lifecycle processor suite, I hit the import cycle issue. Working around it created a pretty large diff. While I agree this isn't the perfect place for this test, I do think it is the best place for this test.
I've determined that the Serverless Integration Tests failures are also occurring on
We are seeing the following log line for java and dotnet functions:
{
"level": "ERROR",
"message": "datadog: Malformed _X_AMZN_TRACE_ID value: Root=1-6414d1a3-4c0e6f6d4dce99ae7c78561a;Parent=69e50da0d91875c2;Sampled=1;Lineage=f1f89451:0"
}
if err != nil { | ||
log.Error("appsec: could not start: ", err) | ||
} | ||
if subProcessor != nil { | ||
appsecSubProcessor = subProcessor | ||
} else if proxySubProcessor != nil { |
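Review bot: In the `if subProcessor != nil { ... } else if proxySubProcessor != nil {` chain nothing states that the two modes are mutually exclusive, which is what prompted the question below; a one-line comment saying that appsec runs either as a regular subprocessor or as a proxy subprocessor, never both, would settle it. Also, after `log.Error("appsec: could not start: ", err)` execution falls through to these checks, so they are the only guard when startup fails, and they are reliable only if `subProcessor` and `proxySubProcessor` are concrete pointers at this point rather than interface values.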
Are both appsecSubProcessor and appsecProxyProcessor supposed to be set? This else if will only get called if subProcessor is not equal to nil and it wasn't clear if that was intended. I'm guessing we use either a subprocessor or proxy, but not both?
Yes, you got this right: appsec is either a "proxy subprocessor", or a "regular subprocessor".
What does this PR do?
This pull request fixes a bug when running a Java function in AWS Lambda without appsec enabled.
The problem stems from the fact that when a Go interface can be implemented by a nil pointer, the interface itself is considered not nil. In the example below, the interface io.Reader is implemented in three ways, but only the first of them is considered nil. This is despite the second implementation being a nil pointer, as is the case which triggered the panic this PR addresses.
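The nil-pointer-in-interface behaviour the description refers to, as an added example that is not code from this PR or from the Agent: a nil `*strings.Reader` stored in an `io.Reader` compares as non-nil, and checking the concrete pointer before the conversion avoids it. The names `newReader`, `wireUnsafe`, `wireSafe` and `holdsNil` are hypothetical.

```go
package main

import (
	"fmt"
	"io"
	"reflect"
	"strings"
)

// newReader is a hypothetical constructor that returns a nil *strings.Reader
// when the feature is disabled, like an optional component that did not start.
func newReader(enabled bool) *strings.Reader {
	if !enabled {
		return nil
	}
	return strings.NewReader("payload")
}

// wireUnsafe stores the pointer in the interface unconditionally. When the
// pointer is nil the interface still carries the *strings.Reader type, so the
// result compares as non-nil.
func wireUnsafe(enabled bool) io.Reader { return newReader(enabled) }

// wireSafe checks the concrete pointer before it is converted to the
// interface and returns an untyped nil otherwise.
func wireSafe(enabled bool) io.Reader {
	if p := newReader(enabled); p != nil {
		return p
	}
	return nil
}

// holdsNil reports whether r is a nil interface or an interface that wraps a
// nil pointer, map, slice, func or channel.
func holdsNil(r io.Reader) bool {
	if r == nil {
		return true
	}
	switch v := reflect.ValueOf(r); v.Kind() {
	case reflect.Ptr, reflect.Map, reflect.Slice, reflect.Func, reflect.Chan:
		return v.IsNil()
	}
	return false
}

func main() {
	var unset io.Reader // nil interface: no type, no value
	fmt.Println("unset == nil:            ", unset == nil)
	fmt.Println("wireUnsafe(false) == nil:", wireUnsafe(false) == nil)
	fmt.Println("wireSafe(false) == nil:  ", wireSafe(false) == nil)
	fmt.Println("holdsNil(wireUnsafe):    ", holdsNil(wireUnsafe(false)))
}
```

Calling a method on the value returned by `wireUnsafe(false)` dispatches to a nil receiver, which is where a panic of this kind comes from when the method dereferences it.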