datadog-lambda 3.28.0 → 3.29.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5e2d8635a06b2c62e65a431f5fede05eb2f2de447fe310541a62dfbdbedc41b5
-  data.tar.gz: 6fc01a5fa9b25beb6296a2127de07962ea2cb2166b738c4e32a69a8d0acd9e28
+  metadata.gz: 6c288d37d55d147aaca103a9ddfb7a7b6f9817aad19528a8be645ac81c879bfc
+  data.tar.gz: 0d7252abd55bbbb0075e9e560292487091c8e462027d5001d2cf89237116a761
 SHA512:
-  metadata.gz: d7f386673cb7bf6ec500e7b144821d811921129a853f21d96a9cf54804321f17bd2ce18fdd420f272f77f192f581d983b6d2d079d97bfb5179252cc026d6f32f
-  data.tar.gz: e9f6f80d1330d0ef908c11035c89f23ba3c4460a6de7f51f3c25cee65813fdf3ff17877836d649421144b457820b23cb79a08e9309b2eb7dfb2ab58b0ce2a105
+  metadata.gz: 789cf5a6f51a19ffb8e0ed0e701c976669f841a186245aa58b881d9eca93865e2a76b19866f0426f3e08cda03bc552686ea41893d15ba2ad29d82e88f8f7493d
+  data.tar.gz: 1ef9d2bc286e9b7279fe55cc548f17b579eb3bad7dedbc5d6109fda28d0a4f964ebe43d8569420e084da33a28386d8c70d48faeb96721277a3f28fe773e7e82e

data/lib/datadog/lambda/appsec/event_normalizer.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module Datadog
+  module Lambda
+    module AppSec
+      # Normalizes API Gateway v1/v2 event payloads into a standard key set.
+      #
+      # NOTE: The REST API (v1) event does NOT have a version field.
+      #       Only the HTTP API events have "version": "1.0" or "version": "2.0".
+      #
+      # @see https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-lambda.html#http-api-develop-integrations-lambda.proxy-format-structure
+      module EventNormalizer
+        module_function
+
+        def normalize(event)
+          event.key?('httpMethod') ? normalize_v1(event) : normalize_v2(event)
+        end
+
+        def normalize_v1(event)
+          data = {
+            'method' => event['httpMethod'],
+            'path' => event['path'],
+            'headers' => event['headers'],
+            'query' => event['multiValueQueryStringParameters'] || event['queryStringParameters'],
+            'source_ip' => event.dig('requestContext', 'identity', 'sourceIp'),
+            'body' => event['body'],
+            'base64_encoded' => event['isBase64Encoded'],
+            'path_params' => event['pathParameters']
+          }
+          data.compact!
+          data
+        end
+
+        def normalize_v2(event)
+          data = {
+            'method' => event.dig('requestContext', 'http', 'method'),
+            'path' => event['rawPath'],
+            'headers' => event['headers'],
+            'cookies' => event['cookies'],
+            'query' => event['queryStringParameters'],
+            'query_string' => event['rawQueryString'],
+            'source_ip' => event.dig('requestContext', 'http', 'sourceIp'),
+            'body' => event['body'],
+            'base64_encoded' => event['isBase64Encoded'],
+            'path_params' => event['pathParameters']
+          }
+          data.compact!
+          data
+        end
+      end
+    end
+  end
+end

data/lib/datadog/lambda/appsec/request.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Datadog
+  module Lambda
+    module AppSec
+      # Minimal request object for AppSec event recording.
+      #
+      # WARNING: It's a minimal data for interface compliance
+      #
+      # @see Datadog::AppSec::Event.record
+      # @see Datadog::AppSec::Contrib::Rack::Gateway::Request
+      class Request
+        attr_reader :host, :user_agent, :remote_addr, :headers
+
+        class << self
+          def from_normalized(event)
+            headers = lowercase_headers(event)
+
+            new(
+              host: headers['host'],
+              user_agent: headers['user-agent'],
+              remote_addr: event['source_ip'],
+              headers: headers
+            )
+          end
+
+          private
+
+          def lowercase_headers(event)
+            (event['headers'] || {}).each_with_object({}) do |(key, value), hash|
+              hash[key.downcase] = value
+            end
+          end
+        end
+
+        def initialize(host:, user_agent:, remote_addr:, headers:)
+          @host = host
+          @user_agent = user_agent
+          @remote_addr = remote_addr
+          @headers = headers
+        end
+      end
+    end
+  end
+end

data/lib/datadog/lambda/appsec/response_normalizer.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module Datadog
+  module Lambda
+    module AppSec
+      # Normalizes Lambda handler return values into a standard key set.
+      #
+      # @see https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html#api-gateway-simple-proxy-for-lambda-output-format
+      module ResponseNormalizer
+        module_function
+
+        def normalize(response)
+          data = {
+            'status_code' => response['statusCode'],
+            'headers' => merge_headers(response),
+            'body' => response['body'],
+            'base64_encoded' => response['isBase64Encoded']
+          }
+          data.compact!
+          data
+        end
+
+        # Merges single-value and multi-value headers into one hash with
+        # multi-value entries take priority when a key appears in both.
+        def merge_headers(response)
+          headers = response['headers']
+          multi_headers = response['multiValueHeaders']
+
+          return headers unless multi_headers
+          return multi_headers unless headers
+
+          headers.merge(multi_headers)
+        end
+      end
+    end
+  end
+end

data/lib/datadog/lambda/appsec.rb

@@ -0,0 +1,138 @@
+# frozen_string_literal: true
+
+require 'json'
+require_relative 'appsec/request'
+require_relative 'appsec/event_normalizer'
+require_relative 'appsec/response_normalizer'
+
+module Datadog
+  module Lambda
+    # AppSec integration for AWS Lambda invocations.
+    module AppSec
+      class << self
+        # rubocop:disable Metrics/AbcSize
+        def on_start(event, trace:, span:, cold_start: false)
+          @request = nil
+          return unless enabled?
+
+          context = create_context(trace, span)
+          return unless Datadog::AppSec::Context.active
+
+          tag_and_keep(context, cold_start: cold_start)
+
+          event = EventNormalizer.normalize(event)
+          @request = Request.from_normalized(event)
+
+          payload = Datadog::AppSec::Instrumentation::Gateway::DataContainer.new(
+            event, context: context
+          )
+
+          interrupt_params = catch(Datadog::AppSec::Ext::INTERRUPT) do
+            Datadog::AppSec::Instrumentation.gateway.push('aws_lambda.request.start', payload)
+            nil
+          end
+
+          return unless interrupt_params
+
+          context.mark_as_interrupted!
+          response_override(interrupt_params, headers: @request.headers)
+        rescue StandardError => e
+          Datadog::AppSec::Context.deactivate if context
+          Datadog::Utils.logger.debug("failed to start AppSec: #{e}")
+        end
+        # rubocop:enable Metrics/AbcSize
+
+        # rubocop:disable Metrics/AbcSize
+        def on_finish(response)
+          return unless enabled?
+
+          context = Datadog::AppSec::Context.active
+          return unless context
+
+          response = ResponseNormalizer.normalize(response)
+          payload = Datadog::AppSec::Instrumentation::Gateway::DataContainer.new(
+            response, context: context
+          )
+
+          interrupt_params = catch(Datadog::AppSec::Ext::INTERRUPT) do
+            Datadog::AppSec::Instrumentation.gateway.push('aws_lambda.response.start', payload)
+            nil
+          end
+
+          context.mark_as_interrupted! if interrupt_params
+
+          Datadog::AppSec::Event.record(context, request: @request)
+          context.export_metrics
+          context.export_request_telemetry
+
+          response_override(interrupt_params, headers: @request.headers) if interrupt_params
+        rescue StandardError => e
+          Datadog::Utils.logger.debug "failed to finish AppSec: #{e}"
+        ensure
+          Datadog::AppSec::Context.deactivate if context
+        end
+        # rubocop:enable Metrics/AbcSize
+
+        private
+
+        def enabled?
+          defined?(Datadog::AppSec) &&
+            Datadog::AppSec.respond_to?(:enabled?) &&
+            Datadog::AppSec.enabled?
+        end
+
+        def create_context(trace, span)
+          return if trace.nil? || span.nil?
+
+          security_engine = Datadog::AppSec.security_engine
+          return unless security_engine
+
+          context = Datadog::AppSec::Context.new(trace, span, security_engine.new_runner)
+          Datadog::AppSec::Context.activate(context)
+
+          context
+        end
+
+        def tag_and_keep(context, cold_start:)
+          span = context.span
+          trace = context.trace
+
+          return unless trace && span
+
+          span.set_metric(Datadog::AppSec::Ext::TAG_APPSEC_ENABLED, 1)
+          span.set_tag('_dd.runtime_family', 'ruby')
+          span.set_tag('_dd.appsec.waf.version', Datadog::AppSec::WAF::VERSION::BASE_STRING)
+
+          ruleset_version = context.waf_runner_ruleset_version
+          return unless ruleset_version
+
+          span.set_tag('_dd.appsec.event_rules.version', ruleset_version)
+
+          return unless cold_start
+
+          span.set_tag(
+            '_dd.appsec.event_rules.addresses', JSON.dump(context.waf_runner_known_addresses)
+          )
+
+          trace.keep!
+          trace.set_tag(
+            Datadog::Tracing::Metadata::Ext::Distributed::TAG_DECISION_MAKER,
+            Datadog::Tracing::Sampling::Ext::Decision::ASM
+          )
+        end
+
+        def response_override(interrupt_params, headers:)
+          response = Datadog::AppSec::Response.from_interrupt_params(
+            interrupt_params, headers['accept']
+          )
+
+          {
+            'statusCode' => response.status,
+            'headers' => response.headers,
+            'body' => response.body.join
+          }
+        end
+      end
+    end
+  end
+end

data/lib/datadog/lambda/trace/listener.rb

@@ -11,11 +11,16 @@
 require 'datadog/lambda/trace/context'
 require 'datadog/lambda/trace/patch_http'
 require 'datadog/lambda/trace/ddtrace'
+require 'datadog/lambda/appsec'
 
 module Datadog
   module Trace
     # TraceListener tracks tracing context information
     class Listener
+      # AppSec blocking response that replaces the handler result.
+      # Set during either on_start or on_end when WAF decides to block.
+      attr_reader :response_override
+
       @trace = nil
       def initialize(handler_name:, function_name:, patch_http:,
                      merge_xray_traces:)
@@ -50,10 +55,17 @@ module Datadog
         @trace = Datadog::Tracing.trace('aws.lambda', **options)
 
         Datadog::Trace.apply_datadog_trace_context(Datadog::Trace.trace_context)
+        @response_override = Datadog::Lambda::AppSec.on_start(
+          event, trace: Datadog::Tracing.active_trace, span: @trace, cold_start: cold_start
+        )
       end
       # rubocop:enable Metrics/AbcSize
 
       def on_end(response:, request_context:)
+        if (override = Datadog::Lambda::AppSec.on_finish(response))
+          @response_override = override
+        end
+
         Datadog::Utils.send_end_invocation_request(response:, span_id: @trace.id, request_context:)
         @trace&.finish
       end

data/lib/datadog/lambda/version.rb

@@ -12,7 +12,7 @@ module Datadog
   module Lambda
     module VERSION
       MAJOR = 3
-      MINOR = 28
+      MINOR = 29
       PATCH = 0
       PRE = nil
 

data/lib/datadog/lambda.rb

@@ -29,6 +29,8 @@ module Datadog
     # Configures Datadog's APM tracer with lambda specific defaults.
     # Same options can be given as Datadog.configure in tracer
     # See https://github.com/DataDog/dd-trace-rb/blob/master/docs/GettingStarted.md#quickstart-for-ruby-applications
+    #
+    # rubocop:disable Metrics/AbcSize
     def self.configure_apm
       require 'datadog/tracing'
       require 'datadog/tracing/transport/io'
@@ -48,30 +50,37 @@ module Datadog
         c.tracing.instrument :aws if trace_managed_services?
 
         yield(c) if block_given?
+
+        c.appsec.instrument(:aws_lambda)
       end
     end
+    # rubocop:enable Metrics/AbcSize
 
     # Wrap the body of a lambda invocation
     # @param event [Object] event sent to lambda
     # @param context [Object] lambda context
     # @param block [Proc] implementation of the handler function.
+    # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
     def self.wrap(event, context, &block)
+      @response = nil
       @listener ||= initialize_listener
       record_enhanced('invocations', context)
       begin
         cold = @is_cold_start
         @listener&.on_start(event:, request_context: context, cold_start: cold)
-        @response = block.call
+        @response = @listener&.response_override || block.call
       rescue StandardError => e
         record_enhanced('errors', context)
         raise e
       ensure
         @listener&.on_end(response: @response, request_context: context)
+        @response = @listener&.response_override || @response
         @is_cold_start = false
         @metrics_client.close
       end
       @response
     end
+    # rubocop:enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
 
     # Gets the current tracing context
     def self.trace_context

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: datadog-lambda
 version: !ruby/object:Gem::Version
-  version: 3.28.0
+  version: 3.29.0
 platform: ruby
 authors:
 - Datadog, Inc.
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2026-05-14 00:00:00.000000000 Z
+date: 2026-06-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-xray-sdk
@@ -119,6 +119,10 @@ extensions: []
 extra_rdoc_files: []
 files:
 - lib/datadog/lambda.rb
+- lib/datadog/lambda/appsec.rb
+- lib/datadog/lambda/appsec/event_normalizer.rb
+- lib/datadog/lambda/appsec/request.rb
+- lib/datadog/lambda/appsec/response_normalizer.rb
 - lib/datadog/lambda/metrics.rb
 - lib/datadog/lambda/trace/constants.rb
 - lib/datadog/lambda/trace/context.rb