Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

contrib/google.golang.org/grpc: improve the memory efficiency of threats detection for grpc #2338

Merged
merged 19 commits into from Nov 14, 2023
Merged

contrib/google.golang.org/grpc: improve the memory efficiency of threats detection for grpc #2338

merged 19 commits into from Nov 14, 2023

Conversation

RomainMuller
Copy link
Contributor

What does this PR do?

Upgrades github.com/DataDog/go-libddwaf to the first commit that includes libddwaf@1.5, which is capable of ephemeral addresses, allowing workloads such as gRPC streaming and GraphQL to evaluate certain rules multiple times without having to reset the entire WAF context each time.

Motivation

Improved ASM capabilities for protocols that allow for multiple sub-requests to be composed into a single top-level request (such as gRPC streaming, GraphQL, ...)

Reviewer's Checklist

  • Changed code has unit tests for its functionality at or near 100% coverage.
  • There is a benchmark for any new code, or changes to existing code.
  • If this interacts with the agent in a new way, a system test has been added.

For Datadog employees:

  • If this PR touches code that handles credentials of any kind, such as Datadog API keys, I've requested a review from @DataDog/security-design-and-guidance.
  • This PR doesn't touch any of that.

@pr-commenter
Copy link

pr-commenter bot commented Nov 7, 2023
edited

Benchmarks

Benchmark execution time: 2023-11-14 13:41:59

Comparing candidate commit dbaa2fc in PR branch romain.marcadier/waf-upgrade-ephemeral/APPSEC-12062 with baseline commit 403e56d in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 40 metrics, 1 unstable metrics.

@RomainMuller RomainMuller marked this pull request as ready for review November 7, 2023 17:35
@RomainMuller RomainMuller requested review from a team as code owners November 7, 2023 17:35
Julio-Guerra
Julio-Guerra requested changes Nov 8, 2023
View reviewed changes
go.mod Outdated Show resolved Hide resolved
internal/appsec/remoteconfig.go Outdated Show resolved Hide resolved
internal/appsec/remoteconfig.go Outdated Show resolved Hide resolved
internal/appsec/waf.go Show resolved Hide resolved
internal/appsec/waf.go Outdated Show resolved Hide resolved
internal/appsec/waf.go Outdated Show resolved Hide resolved
internal/appsec/waf.go Outdated Show resolved Hide resolved
internal/appsec/waf.go Outdated Show resolved Hide resolved
github-actions[bot]
github-actions bot reviewed Nov 9, 2023
View reviewed changes
internal/appsec/waf_unit_test.go Outdated Show resolved Hide resolved
internal/appsec/waf_unit_test.go Outdated Show resolved Hide resolved
@RomainMuller RomainMuller enabled auto-merge (squash) November 14, 2023 13:23
github-actions[bot]
github-actions bot reviewed Nov 14, 2023
View reviewed changes
internal/appsec/waf.go Outdated
@@ -59,6 +59,11 @@ func (a *appsec) swapWAF(rules rulesFragment) (err error) {
}
}()

wafDiags := newHandle.Diagnostics()
if err := wafDiags.TopLevelError(); err != nil {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [golangci] reported by reviewdog 🐶
wafDiags.TopLevelError undefined (type waf.Diagnostics has no field or method TopLevelError)) (typecheck)

internal/appsec/waf.go Outdated
@@ -59,6 +59,11 @@
}
}()

wafDiags := newHandle.Diagnostics()
if err := wafDiags.TopLevelError(); err != nil {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [golangci] reported by reviewdog 🐶
wafDiags.TopLevelError undefined (type waf.Diagnostics has no field or method TopLevelError)) (typecheck)

internal/appsec/waf.go Outdated
@@ -59,6 +59,11 @@
}
}()

wafDiags := newHandle.Diagnostics()
if err := wafDiags.TopLevelError(); err != nil {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [golangci] reported by reviewdog 🐶
wafDiags.TopLevelError undefined (type waf.Diagnostics has no field or method TopLevelError)) (typecheck)

internal/appsec/waf.go Outdated
@@ -59,6 +59,11 @@
}
}()

wafDiags := newHandle.Diagnostics()
if err := wafDiags.TopLevelError(); err != nil {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [golangci] reported by reviewdog 🐶
wafDiags.TopLevelError undefined (type waf.Diagnostics has no field or method TopLevelError) (typecheck)

internal/appsec/waf.go Outdated
@@ -59,6 +59,11 @@
}
}()

wafDiags := newHandle.Diagnostics()
if err := wafDiags.TopLevelError(); err != nil {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [golangci] reported by reviewdog 🐶
wafDiags.TopLevelError undefined (type waf.Diagnostics has no field or method TopLevelError)) (typecheck)

@RomainMuller RomainMuller enabled auto-merge (squash) November 14, 2023 13:28
@RomainMuller
Copy link
Contributor Author

/merge

@dd-devflow
Copy link

dd-devflow bot commented Nov 14, 2023

🚂 MergeQueue

Pull request added to the queue.

This build is going to start soon! (estimated merge in less than 10m)

you can cancel this operation by commenting your pull request with /merge -c!

@dd-devflow
Copy link

dd-devflow bot commented Nov 14, 2023

🚨 MergeQueue

not able to merge the branch in the target branch

Details

Error: PUT https://api.github.com/repos/DataDog/dd-trace-go/pulls/2338/merge: 405 5 of 5 required status checks are expected. []

FullStacktrace:
activity error (type: github.GithubService_MergePullRequest, scheduledEventID: 41, startedEventID: 42, identity: 1@github-worker-68bf997945-6hkzp@): PUT https://api.github.com/repos/DataDog/dd-trace-go/pulls/2338/merge: 405 5 of 5 required status checks are expected. [] (type: ErrorResponse, retryable: true)

If you need support, contact us on slack #ci-interfaces with those details!

@RomainMuller @eliottness
feat: upgrade in-app WAF to ephemeral-capable version
d882e40 
Upgrades `github.com/DataDog/go-libddwaf` to the first commit that
includes `libddwaf@1.5`, which is capable of ephemeral addresses,
allowing workloads such as gRPC streaming and GraphQL to evaluate
certain rules multiple times without having to reset the entire WAF
context each time.
@RomainMuller @eliottness
don't reset the waf context mid-flight in gRPC now that we have ephem…
8c884d0 
…erals
@RomainMuller @eliottness
Don't skip applying actions when there are some
200f953
@RomainMuller @eliottness
limit environment tampering to smallest possible window
5c0a07c
@RomainMuller @eliottness
format status code as a string so the WAF actually examines it
d79918c
@RomainMuller @eliottness
remove env var hijack
340eb3b
@RomainMuller @eliottness
fixup RC update test
81041f2
@RomainMuller @eliottness
switch to merged in commit
cd1b209
RomainMuller and others added 10 commits November 14, 2023 15:12
@eliottness eliottness force-pushed the romain.marcadier/waf-upgrade-ephemeral/APPSEC-12062 branch from dbaa2fc to 2aca4bc Compare November 14, 2023 14:12
@RomainMuller RomainMuller enabled auto-merge (squash) November 14, 2023 14:13
auto-merge was automatically disabled November 14, 2023 14:19

Pull Request is not mergeable

@eliottness
Copy link
Contributor

/merge

@dd-devflow
Copy link

dd-devflow bot commented Nov 14, 2023

🚂 MergeQueue

Pull request added to the queue.

This build is going to start soon! (estimated merge in less than 10m)

you can cancel this operation by commenting your pull request with /merge -c!

@RomainMuller RomainMuller merged commit edc0344 into main Nov 14, 2023
344 checks passed
@RomainMuller RomainMuller deleted the romain.marcadier/waf-upgrade-ephemeral/APPSEC-12062 branch November 14, 2023 14:27
RomainMuller added a commit that referenced this pull request Nov 14, 2023
@RomainMuller @eliottness @Julio-Guerra
feat: upgrade in-app WAF to ephemeral-capable version (#2338)
abda36e 
Signed-off-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
Co-authored-by: Eliott Bouhana <eliott.bouhana@datadoghq.com>
Co-authored-by: Julio Guerra <julio@datadog.com>
@dd-devflow
Copy link

dd-devflow bot commented Nov 14, 2023

🚂 MergeQueue

PullRequest was merged manually

@darccio darccio restored the romain.marcadier/waf-upgrade-ephemeral/APPSEC-12062 branch November 16, 2023 10:22
@darccio darccio deleted the romain.marcadier/waf-upgrade-ephemeral/APPSEC-12062 branch November 16, 2023 10:24
@Julio-Guerra Julio-Guerra changed the title feat: upgrade in-app WAF to ephemeral-capable version contrib/google.golang.org/grpc: improve the memory efficiency of threats detection for grpc Nov 16, 2023
@github-actions github-actions bot added the apm:ecosystem contrib/* related feature requests or bugs label Nov 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github-actions github-actions[bot] github-actions left review comments

@Julio-Guerra Julio-Guerra Julio-Guerra approved these changes

Assignees
No one assigned
Labels
apm:ecosystem contrib/* related feature requests or bugs appsec mergequeue-status: done
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@RomainMuller @eliottness @Julio-Guerra