[Serverless] Fix panic when running the extension without appsec enabled. #16054
Conversation
purple4reina
added
changelog/no-changelog
[deprecated] qa/skip-qa - use other qa/ labels
purple4reina
changed the title
purple4reina
force-pushed
the
rey.abolofia/nil-pointer-interface
branch
from
6aeaf95
to
5c8f81d
Compare
| func TestInvocationSubProcessorNilInterface(t *testing.T) { | ||
| lp := &invocationlifecycle.LifecycleProcessor{ | ||
| DetectLambdaLibrary: func() bool { return true }, | ||
| SubProcessor: (*httpsec.InvocationSubProcessor)(nil), | ||
| } | ||
|
|
||
| assert.True(t, lp.SubProcessor != nil) | ||
|
|
||
| lp.OnInvokeStart(&invocationlifecycle.InvocationStartDetails{ | ||
| InvokeEventRawPayload: []byte( | ||
| `{"requestcontext":{"stage":"purple"},"httpmethod":"purple","resource":"purple"}`), | ||
| }) | ||
|
|
||
| lp.OnInvokeEnd(&invocationlifecycle.InvocationEndDetails{}) | ||
| } |
There was a problem hiding this comment.
I'd suggest you move this test into the lifecycle processor test suite as this is testing its nil-check is working as expected.
There was a problem hiding this comment.
When I worked to move this test to the lifecycle processor suite, I hit the import cycle issue. Working around it created a pretty large diff. While I agree this isn't the perfect place for this test, I do think it is the best place for this test.
|
I've determined that the Serverless Integration Tests failures are also occurring on We are seeing the following log line for java and dotnet functions: {
"level": "ERROR",
"message": "datadog: Malformed _X_AMZN_TRACE_ID value: Root=1-6414d1a3-4c0e6f6d4dce99ae7c78561a;Parent=69e50da0d91875c2;Sampled=1;Lineage=f1f89451:0"
} |
| if err != nil { | ||
| log.Error("appsec: could not start: ", err) | ||
| } | ||
| if subProcessor != nil { | ||
| appsecSubProcessor = subProcessor | ||
| } else if proxySubProcessor != nil { |
There was a problem hiding this comment.
Are both appsecSubProcessor and appsecProxyProcessor supposed to be set? This else if will only get called if subProcessor is not equal to nil and it wasn't clear if that was intended. I'm guessing we use either a subprocessor or proxy, but not both?
There was a problem hiding this comment.
Yes, you got this right: appsec is either a "proxy subprocessor", or a "regular subprocessor".
What does this PR do?
This pull request fixes a bug when running a java function in aws lambda without appsec enabled.
The problem stems from the fact that when a go interface can be implemented by a nil pointer, the interface itself is considered not nil. In the example below, the interface
io.Readeris implemented in three ways, but only the first of which is considerednil. This is despite the second implementation be a nil pointer, as is the case which triggered the panic this PR addresses.Motivation
Additional Notes
Possible Drawbacks / Trade-offs
Describe how to test/QA your changes
Reviewer's Checklist
Triagemilestone is set.major_changelabel if your change either has a major impact on the code base, is impacting multiple teams or is changing important well-established internals of the Agent. This label will be use during QA to make sure each team pay extra attention to the changed behavior. For any customer facing change use a releasenote.changelog/no-changeloglabel has been applied.qa/skip-qalabel is not applied.team/..label has been applied, indicating the team(s) that should QA this change.need-change/operatorandneed-change/helmlabels have been applied.k8s/<min-version>label, indicating the lowest Kubernetes version compatible with this feature.