Update document v2.33.0 #5748
dd-octo-sts[bot] wants to merge 134 commits into
The request and response watchers crash with NoMethodError when AppSec::Context is not active. Skip WAF processing and continue the gateway stack instead. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace manual JSON/form-urlencoded parsing with Body.parse and MediaType.parse. This adds telemetry on parse errors, preserves duplicate URL-encoded keys as arrays, and adds missing require for base64. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
API Gateway v1 provides pre-decoded queryStringParameters but no raw query string. Manual string concatenation produced invalid URIs when values contained special characters like & or spaces. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Move all AppSec logic (context lifecycle, WAF, Event.record, finalization) from datadog-lambda-rb into dd-trace-rb watcher. Producer (datadog-lambda-rb) becomes a dumb data provider that pushes raw PORO hashes through the gateway. Delete Request and Response gateway classes — parsing logic now lives in the watcher as private helpers. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Move Lambda payload parsing and WAF address building into a dedicated AwsLambda::WAFAddresses module. Watcher becomes a thin orchestrator that delegates data transformation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove activate_context and finalize from watcher — context creation, Event.record, export, and deactivation now owned by Lambda::AppSec in datadog-lambda-rb. Watcher keeps only WAF logic (handle_request + handle_response). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Lambda now owns request data via AppSec::Request. The Watcher receives DataContainer payloads and unwraps .data for WAFAddresses. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
AWS Lambda events can have explicit null values for fields like queryStringParameters. Hash#fetch returns nil when the key exists with a nil value, causing URI.encode_www_form to crash on nil.map. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add missing require 'uri' (crashes on Ruby 3.3+ for v1 payloads)
- Fix build_query_string to prefer multiValueQueryStringParameters, consistent with parse_query (URI.encode_www_form handles arrays)
- Switch watcher from Context.active to payload.context, matching other AppSec watchers that read context from the gateway payload
- Rename handle_request/handle_response to watch_request/watch_response to match codebase naming convention
- Fix from_response nil guard to idiomatic default parameter
- Integration#compatible? now delegates to super

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Remove stale activate_context and finalize signatures from watcher
- Rename handle_* to watch_* matching Ruby implementation
- Use fully qualified gateway type matching Rack watcher pattern
- compatible? returns bool (not literal true) matching other integrations
- Replace untyped with any for intentionally polymorphic Lambda payloads
- Fix from_response signature for default parameter

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Use instance_double with verified classes (SecurityEngine::Result, TraceOperation, SpanOperation) instead of unverified double
- Inline nil context in subject instead of let override
- Move local variables in .watch test to let statements
- Fix let ordering in patcher spec (caller before callee)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Stop injecting fake values (200 status, GET method, / path) when AWS event fields are missing — let WAF handle absent addresses via compact. Rename parse_body local to body, simplify guard returns, reorder requires, and update RBS nullability. In specs: rename appsec_context to context, remove events let indirection, pre-compute base64 fixture. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Return early from from_response when payload is nil or empty instead of computing empty hashes for WAF. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Drop v1/v2 fallback chains — WAFAddresses now reads standard keys (method, path, source_ip, query, query_string, etc.) produced by lambda-rb's event normalizer. Unify cookie parsing for both v2 cookie arrays and v1 Cookie header. Remove extract_method and parse_query methods that were just fallback wrappers. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The caller always provides the argument; nil is handled by the guard. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Add description to the WAFAddresses module
V2 events now carry `query` from lambda-rb normalizer. Add realistic V2 test and keep the query_string-only fallback path covered separately. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The profiler's CPU time measurement was Linux-only because it relied on pthread_getcpuclockid(), which doesn't exist on macOS. This adds a macOS implementation using Mach APIs (pthread_mach_thread_np + thread_info with THREAD_BASIC_INFO) to get per-thread CPU time, so CPU profiling works on macOS in development mode with DD_PROFILING_MACOS_TESTING=true. The native extension only builds on Linux and macOS, so the previous cpu-time noop fallback (clock_id_noop.c) was dead code and is removed along with its associated test branches. Co-authored-by: Ivo Anjo <ivo.anjo@datadoghq.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CPU time is now supported on every platform that builds the native extension, so the flag was always true. Drop the parameter from the Ruby and C initializers, the RBS sig, and the tests, and unconditionally enable the CPU_TIME sample type. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Munir Abdinur <munir.abdinur@datadoghq.com>
feat(otel): support DD_HOSTNAME as host.name OTel resource attribute
…5741)

Bumps the gh-actions-packages group with 2 updates in the / directory: [github/codeql-action](https://github.com/github/codeql-action) and [actions/labeler](https://github.com/actions/labeler).

Updates `github/codeql-action` from 4.35.3 to 4.35.4
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@e46ed2c...68bde55)

Updates `actions/labeler` from 6.0.1 to 6.1.0
- [Release notes](https://github.com/actions/labeler/releases)
- [Commits](actions/labeler@634933e...f27b608)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gh-actions-packages
- dependency-name: actions/labeler
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gh-actions-packages
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Victor Pellan <37553749+vpellan@users.noreply.github.com>
[APPSEC-62616] Add inferred proxy spans
Bump to version 2.33.0
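The query-string commits in the list above (pre-decoded `queryStringParameters` with no raw string, explicit `null` values, preferring `multiValueQueryStringParameters`) describe two failure modes that can be reproduced in a few lines. This is an added sketch, not code from dd-trace-rb or datadog-lambda-rb: the method bodies, `fetch_default_crashes?`, `concat_query_string` and the sample events are constructed for illustration.

```ruby
require 'uri'

# Constructed API Gateway v1-style events (not captured traffic).
NULL_EVENT = { 'path' => '/search', 'queryStringParameters' => nil }.freeze
SPECIAL_EVENT = {
  'queryStringParameters' => { 'q' => 'a&b c', 'tag' => 'y' },
  'multiValueQueryStringParameters' => { 'q' => ['a&b c'], 'tag' => %w[x y] }
}.freeze

# Failure mode 1: Hash#fetch applies its default only when the key is absent.
# An explicit JSON null comes back as nil and encode_www_form calls nil.map.
def fetch_default_crashes?(event)
  URI.encode_www_form(event.fetch('queryStringParameters', {}))
  false
rescue NoMethodError
  true
end

# Failure mode 2: joining pre-decoded values by hand leaves '&' and spaces
# unescaped, so the string no longer parses back to the original parameters.
def concat_query_string(event)
  (event['queryStringParameters'] || {}).map { |k, v| "#{k}=#{v}" }.join('&')
end

# Illustrative body for a build_query_string helper (assumed, not the
# project's implementation): `||` covers missing keys and explicit nulls,
# the multi-value map wins when present, and encode_www_form escapes values
# and expands arrays into repeated keys.
def build_query_string(event)
  params = event['multiValueQueryStringParameters'] ||
           event['queryStringParameters'] ||
           {}
  URI.encode_www_form(params)
end

if __FILE__ == $PROGRAM_NAME
  puts fetch_default_crashes?(NULL_EVENT)
  puts concat_query_string(SPECIAL_EVENT)
  puts build_query_string(SPECIAL_EVENT)
  puts build_query_string(NULL_EVENT).inspect
end
```

A query string that does not round-trip means the WAF inspects different parameters than the request carried, which is why the encoding step matters beyond avoiding the crash.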
👋 Hey @DataDog/ruby-guild, please fill "Change log entry" section in the pull request description.

If changes need to be present in CHANGELOG.md you can state it this way

**Change log entry**
Yes. A brief summary to be placed into the CHANGELOG.md (possible answers Yes/Yep/Yeah)

Or you can opt out like that

**Change log entry**
None. (possible answers No/Nope/None)

Visited at: 2026-05-13 09:53:12 UTC
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ee26dc1eb7
Strech approved these changes May 13, 2026
This is an auto-generated PR to update documentation from here. Please merge (with a merge commit) when ready.

To resolve conflicts:

```bash
git merge release
git checkout --ours ..
```