fix(appsec): Implement limits for analyzed downstream requests by uurien · Pull Request #8655 · DataDog/dd-trace-js

uurien · 2026-05-27T08:59:21Z

What does this PR do?

Adds limits for downstream HTTP response body collection in the AppSec SSRF path:

New config DD_API_SECURITY_MAX_DOWNSTREAM_BODY_BYTES (default 10 MB).
Pre-collection guards in http/client.js before buffering the response body:
- Supported Content-Type only (application/json, text/json, application/x-www-form-urlencoded).
- Content-Length required and non-zero.
- Declared Content-Length must not exceed maxBytes.
When a guard fails, publishes responseBodyIgnoredReason on apm:http:client:response:finish and skips body collection.
AppSec records ignore metrics on the service-entry span and skips WAF body analysis when collection was rejected or on redirects.
Unit tests for instrumentation guards, downstream helpers, SSRF wiring, and config.

Motivation

Without limits, a sampled downstream response could buffer unbounded data in memory. This change validates headers before collection and caps the maximum analyzable body size via configuration.

Additional Notes

Limits are enforced before attaching body collectors. No streaming-time size checks were added: Node’s HTTP client parser does not expose more bytes than Content-Length.
Ignore reasons: content_type_invalid, content_length_missing, content_length_too_big.
Response body / guard tests in http.spec.js use a local HTTP server for deterministic headers and body; generic finish-channel tests still hit datadoghq.

System tests

APPSEC-62792

dd-octo-sts · 2026-05-27T09:00:13Z

Overall package size

Self size: 6.07 MB
Deduped: 7.11 MB
No deduping: 7.11 MB

Dependency sizes

| name | version | self size | total size | |------|---------|-----------|------------| | import-in-the-middle | 3.0.1 | 82.56 kB | 817.39 kB | | opentracing | 0.14.7 | 194.81 kB | 194.81 kB | | dc-polyfill | 0.1.11 | 25.74 kB | 25.74 kB |

_{🤖 This report was automatically generated by heaviest-objects-in-the-universe}

datadog-official · 2026-05-27T09:02:00Z

Tests

🎉 All green!

🧪 All tests passed
❄️ No new flaky tests detected

🎯 Code Coverage (details)
• Patch Coverage: 90.91%
• Overall Coverage: 86.62% (+0.12%)

_{This comment will be updated automatically if new data arrives.

🔗 Commit SHA: 1437d20 | Docs | Datadog PR Page | Give us feedback!}

codecov · 2026-05-27T09:13:28Z

Codecov Report

❌ Patch coverage is 96.96970% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 91.94%. Comparing base (c6be3b9) to head (1437d20).
⚠️ Report is 18 commits behind head on master.

Files with missing lines	Patch %	Lines
...ckages/datadog-instrumentations/src/http/client.js	94.73%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #8655      +/-   ##
==========================================
- Coverage   92.76%   91.94%   -0.83%     
==========================================
  Files         860      860              
  Lines       48708    48970     +262     
  Branches     9191     9276      +85     
==========================================
- Hits        45184    45025     -159     
- Misses       3524     3945     +421

Flag	Coverage Δ
aiguard-integration-active	`41.50% <0.00%> (-0.15%)`	⬇️
aiguard-integration-latest	`41.52% <0.00%> (-0.02%)`	⬇️
aiguard-integration-maintenance	`41.55% <0.00%> (-0.15%)`	⬇️
aiguard-macos	`33.38% <ø> (-0.19%)`	⬇️
aiguard-ubuntu	`33.47% <ø> (-0.19%)`	⬇️
aiguard-windows	`?`
apm-capabilities-tracing-macos	`48.33% <3.03%> (+0.20%)`	⬆️
apm-capabilities-tracing-ubuntu-active	`48.32% <3.03%> (+0.20%)`	⬆️
apm-capabilities-tracing-ubuntu-latest	`48.32% <3.03%> (+0.03%)`	⬆️
apm-capabilities-tracing-ubuntu-maintenance	`48.53% <3.03%> (+0.20%)`	⬆️
apm-capabilities-tracing-ubuntu-oldest	`48.54% <3.03%> (+0.38%)`	⬆️
apm-capabilities-tracing-windows	`48.15% <3.03%> (+0.22%)`	⬆️
apm-integrations-aerospike-18-gte.5.2.0	`?`
apm-integrations-aerospike-20-gte.5.5.0	`33.26% <ø> (-0.15%)`	⬇️
apm-integrations-aerospike-22-gte.5.12.1	`33.27% <ø> (-0.15%)`	⬇️
apm-integrations-aerospike-22-gte.6.0.0	`33.27% <ø> (-0.15%)`	⬇️
apm-integrations-aerospike-eol-	`33.17% <ø> (-0.15%)`	⬇️
apm-integrations-child-process	`34.19% <ø> (-0.07%)`	⬇️
apm-integrations-confluentinc-kafka-javascript-18	`?`
apm-integrations-confluentinc-kafka-javascript-20	`40.30% <ø> (-0.03%)`	⬇️
apm-integrations-confluentinc-kafka-javascript-22	`40.31% <ø> (-0.03%)`	⬇️
apm-integrations-confluentinc-kafka-javascript-24	`40.26% <ø> (-0.03%)`	⬇️
apm-integrations-couchbase-18	`33.43% <ø> (-0.15%)`	⬇️
apm-integrations-couchbase-eol	`33.31% <ø> (-0.12%)`	⬇️
apm-integrations-dns	`33.17% <ø> (-0.08%)`	⬇️
apm-integrations-elasticsearch	`34.21% <0.00%> (-0.09%)`	⬇️
apm-integrations-http-latest	`41.35% <13.63%> (-0.21%)`	⬇️
apm-integrations-http-maintenance	`41.39% <13.63%> (-0.21%)`	⬇️
apm-integrations-http-oldest	`41.32% <13.63%> (-0.29%)`	⬇️
apm-integrations-http2	`38.57% <ø> (+0.14%)`	⬆️
apm-integrations-kafkajs-latest	`40.45% <ø> (+0.06%)`	⬆️
apm-integrations-kafkajs-oldest	`?`
apm-integrations-net	`33.88% <ø> (-0.14%)`	⬇️
apm-integrations-next-11.1.4	`19.97% <ø> (-0.11%)`	⬇️
apm-integrations-next-12.3.7	`19.97% <ø> (-0.11%)`	⬇️
apm-integrations-next-13.0.0	`29.15% <0.00%> (-0.29%)`	⬇️
apm-integrations-next-13.2.0	`29.15% <0.00%> (-0.29%)`	⬇️
apm-integrations-next-13.5.11	`29.33% <0.00%> (-0.24%)`	⬇️
apm-integrations-next-14.0.0	`29.21% <0.00%> (-0.29%)`	⬇️
apm-integrations-next-14.2.35	`29.21% <0.00%> (-0.29%)`	⬇️
apm-integrations-next-14.2.6	`29.21% <0.00%> (-0.29%)`	⬇️
apm-integrations-next-14.2.7	`29.21% <0.00%> (-0.29%)`	⬇️
apm-integrations-next-15.0.0	`29.21% <0.00%> (-0.29%)`	⬇️
apm-integrations-next-15.4.0	`29.29% <0.00%> (-0.28%)`	⬇️
apm-integrations-oracledb	`34.04% <0.00%> (-0.12%)`	⬇️
apm-integrations-prisma-18-gte.6.16.0.and.lt.7.0.0	`34.61% <ø> (-0.02%)`	⬇️
apm-integrations-prisma-latest-all	`?`
apm-integrations-restify	`35.21% <0.00%> (-0.22%)`	⬇️
apm-integrations-sharedb	`32.64% <ø> (-0.13%)`	⬇️
apm-integrations-tedious	`33.50% <0.00%> (-0.10%)`	⬇️
appsec-express	`51.31% <68.18%> (-0.13%)`	⬇️
appsec-fastify	`47.97% <16.66%> (-0.22%)`	⬇️
appsec-graphql	`47.93% <15.15%> (-0.23%)`	⬇️
appsec-integration-active	`36.19% <13.63%> (-0.01%)`	⬇️
appsec-integration-latest	`36.19% <13.63%> (-0.01%)`	⬇️
appsec-integration-maintenance	`36.22% <13.63%> (-0.01%)`	⬇️
appsec-integration-oldest	`36.22% <13.63%> (-0.01%)`	⬇️
appsec-kafka	`40.54% <ø> (-0.16%)`	⬇️
appsec-ldapjs	`39.83% <0.00%> (-0.21%)`	⬇️
appsec-lodash	`39.85% <0.00%> (?)`
appsec-macos	`57.32% <50.00%> (-0.25%)`	⬇️
appsec-mongodb-core	`44.08% <0.00%> (-0.38%)`	⬇️
appsec-mongoose	`?`
appsec-mysql	`47.13% <15.15%> (-0.32%)`	⬇️
appsec-next-latest-11.1.4	`27.42% <13.15%> (-0.25%)`	⬇️
appsec-next-latest-12.3.7	`27.63% <ø> (-0.07%)`	⬇️
appsec-next-latest-13.0.0	`29.21% <13.15%> (?)`
appsec-next-latest-13.2.0	`29.23% <13.15%> (-0.29%)`	⬇️
appsec-next-latest-13.5.11	`29.33% <13.15%> (-0.28%)`	⬇️
appsec-next-latest-14.0.0	`29.25% <13.15%> (-0.29%)`	⬇️
appsec-next-latest-14.2.35	`29.25% <13.15%> (?)`
appsec-next-latest-14.2.6	`29.25% <13.15%> (-0.29%)`	⬇️
appsec-next-latest-14.2.7	`29.25% <13.15%> (-0.29%)`	⬇️
appsec-next-latest-15.0.0	`29.25% <13.15%> (-0.29%)`	⬇️
appsec-next-latest-latest	`29.26% <13.15%> (-0.29%)`	⬇️
appsec-next-oldest-11.1.4	`27.41% <13.15%> (-0.26%)`	⬇️
appsec-next-oldest-12.3.7	`?`
appsec-next-oldest-13.0.0	`29.21% <13.15%> (-0.29%)`	⬇️
appsec-next-oldest-13.2.0	`29.47% <13.15%> (-0.30%)`	⬇️
appsec-next-oldest-13.5.11	`29.58% <13.15%> (-0.28%)`	⬇️
appsec-next-oldest-14.0.0	`29.51% <13.15%> (-0.29%)`	⬇️
appsec-next-oldest-14.2.35	`?`
appsec-next-oldest-14.2.6	`29.51% <13.15%> (-0.29%)`	⬇️
appsec-next-oldest-14.2.7	`29.51% <13.15%> (-0.29%)`	⬇️
appsec-next-oldest-15.0.0	`29.51% <13.15%> (-0.29%)`	⬇️
appsec-next-oldest-latest	`27.73% <ø> (-0.07%)`	⬇️
appsec-node-serialize	`39.15% <0.00%> (-0.21%)`	⬇️
appsec-passport	`42.73% <15.15%> (-0.35%)`	⬇️
appsec-postgres	`46.85% <15.15%> (-0.26%)`	⬇️
appsec-sourcing	`38.57% <0.00%> (-0.26%)`	⬇️
appsec-stripe	`?`
appsec-template	`39.39% <0.00%> (-0.20%)`	⬇️
appsec-ubuntu	`57.38% <50.00%> (-0.25%)`	⬇️
appsec-windows	`57.26% <50.00%> (-0.23%)`	⬇️
debugger-ubuntu-active	`43.76% <0.00%> (-0.02%)`	⬇️
debugger-ubuntu-latest	`43.76% <0.00%> (-0.02%)`	⬇️
debugger-ubuntu-maintenance	`43.84% <0.00%> (-0.02%)`	⬇️
debugger-ubuntu-oldest	`44.15% <0.00%> (-0.03%)`	⬇️
instrumentations-instrumentation-ai	`32.35% <ø> (ø)`
instrumentations-instrumentation-aws-sdk	`35.50% <ø> (ø)`
instrumentations-instrumentation-bluebird	`27.59% <ø> (-0.23%)`	⬇️
instrumentations-instrumentation-body-parser	`35.72% <0.00%> (-0.25%)`	⬇️
instrumentations-instrumentation-child_process	`33.56% <ø> (-0.06%)`	⬇️
instrumentations-instrumentation-cookie-parser	`29.45% <0.00%> (-0.29%)`	⬇️
instrumentations-instrumentation-couchbase-18	`36.81% <ø> (ø)`
instrumentations-instrumentation-couchbase-eol	`36.81% <ø> (ø)`
instrumentations-instrumentation-crypto	`27.67% <ø> (-0.24%)`	⬇️
instrumentations-instrumentation-express	`29.64% <0.00%> (?)`
instrumentations-instrumentation-express-mongo-sanitize	`29.56% <0.00%> (-0.29%)`	⬇️
instrumentations-instrumentation-express-multi-version	`20.78% <ø> (-0.20%)`	⬇️
instrumentations-instrumentation-express-session	`35.49% <0.00%> (-0.24%)`	⬇️
instrumentations-instrumentation-fastify	`39.70% <ø> (ø)`
instrumentations-instrumentation-fetch	`33.05% <ø> (ø)`
instrumentations-instrumentation-fs	`27.31% <ø> (-0.23%)`	⬇️
instrumentations-instrumentation-generic-pool	`27.00% <0.00%> (-0.11%)`	⬇️
instrumentations-instrumentation-hono	`28.76% <0.00%> (-0.28%)`	⬇️
instrumentations-instrumentation-http	`38.26% <94.73%> (+2.88%)`	⬆️
instrumentations-instrumentation-http-client-options	`37.66% <0.00%> (-0.21%)`	⬇️
instrumentations-instrumentation-kafkajs	`48.79% <ø> (ø)`
instrumentations-instrumentation-knex	`27.58% <ø> (-0.23%)`	⬇️
instrumentations-instrumentation-light-my-request	`35.35% <0.00%> (-0.23%)`	⬇️
instrumentations-instrumentation-mongoose	`28.64% <0.00%> (-0.36%)`	⬇️
instrumentations-instrumentation-multer	`35.39% <0.00%> (-0.26%)`	⬇️
instrumentations-instrumentation-mysql2	`33.52% <ø> (-0.16%)`	⬇️
instrumentations-instrumentation-openai-aiguard	`42.77% <ø> (ø)`
instrumentations-instrumentation-otel-sdk-trace	`25.24% <ø> (-0.35%)`	⬇️
instrumentations-instrumentation-passport	`39.19% <13.63%> (-0.27%)`	⬇️
instrumentations-instrumentation-passport-http	`38.88% <13.63%> (-0.28%)`	⬇️
instrumentations-instrumentation-passport-local	`39.34% <13.63%> (-0.28%)`	⬇️
instrumentations-instrumentation-pg	`33.23% <ø> (-0.03%)`	⬇️
instrumentations-instrumentation-promise	`27.54% <ø> (-0.23%)`	⬇️
instrumentations-instrumentation-promise-js	`27.54% <ø> (-0.23%)`	⬇️
instrumentations-instrumentation-q	`27.57% <ø> (-0.23%)`	⬇️
instrumentations-instrumentation-router	`34.83% <ø> (-0.16%)`	⬇️
instrumentations-instrumentation-stripe	`28.02% <0.00%> (-0.29%)`	⬇️
instrumentations-instrumentation-url	`27.50% <ø> (-0.23%)`	⬇️
instrumentations-instrumentation-when	`27.55% <ø> (-0.23%)`	⬇️
instrumentations-instrumentation-zlib	`27.55% <ø> (-0.23%)`	⬇️
instrumentations-integration-esbuild-0.16.12-active	`18.47% <0.00%> (-0.11%)`	⬇️
instrumentations-integration-esbuild-0.16.12-latest	`18.47% <0.00%> (-0.11%)`	⬇️
instrumentations-integration-esbuild-0.16.12-maintenance	`18.49% <0.00%> (-0.11%)`	⬇️
instrumentations-integration-esbuild-0.16.12-oldest	`?`
instrumentations-integration-esbuild-latest-active	`18.47% <0.00%> (-0.11%)`	⬇️
instrumentations-integration-esbuild-latest-latest	`18.47% <0.00%> (-0.11%)`	⬇️
instrumentations-integration-esbuild-latest-maintenance	`18.49% <0.00%> (-0.11%)`	⬇️
instrumentations-integration-esbuild-latest-oldest	`18.48% <0.00%> (-0.11%)`	⬇️
llmobs-ai	`35.22% <ø> (-1.30%)`	⬇️
llmobs-anthropic	`36.63% <0.00%> (-0.18%)`	⬇️
llmobs-bedrock	`35.35% <0.00%> (-0.23%)`	⬇️
llmobs-google-genai	`35.68% <0.00%> (-0.20%)`	⬇️
llmobs-langchain	`34.76% <0.00%> (-0.14%)`	⬇️
llmobs-openai-latest	`39.11% <0.00%> (-0.14%)`	⬇️
llmobs-openai-oldest	`39.14% <0.00%> (-0.14%)`	⬇️
llmobs-sdk-active	`43.57% <ø> (-0.23%)`	⬇️
llmobs-sdk-latest	`43.57% <ø> (-0.23%)`	⬇️
llmobs-sdk-maintenance	`43.62% <ø> (-0.23%)`	⬇️
llmobs-sdk-oldest	`43.61% <ø> (-0.23%)`	⬇️
llmobs-vertex-ai	`35.67% <0.00%> (-0.22%)`	⬇️
master-coverage	`91.94% <96.96%> (?)`
openfeature-macos	`37.61% <0.00%> (-0.14%)`	⬇️
openfeature-ubuntu	`37.68% <0.00%> (-0.14%)`	⬇️
openfeature-unit-active	`50.57% <ø> (-0.09%)`	⬇️
openfeature-unit-latest	`50.57% <ø> (-0.09%)`	⬇️
openfeature-unit-maintenance	`50.69% <ø> (-0.09%)`	⬇️
openfeature-unit-oldest	`50.69% <ø> (-0.09%)`	⬇️
openfeature-windows	`37.43% <0.00%> (-0.19%)`	⬇️
platform-core	`31.85% <ø> (ø)`
platform-esbuild	`36.42% <ø> (ø)`
platform-instrumentations-misc	`30.31% <0.00%> (?)`
platform-integration-active	`46.79% <0.00%> (-0.19%)`	⬇️
platform-integration-latest	`46.85% <0.00%> (-0.12%)`	⬇️
platform-integration-maintenance	`?`
platform-integration-oldest	`47.01% <0.00%> (-0.18%)`	⬇️
platform-shimmer	`39.89% <ø> (-0.30%)`	⬇️
platform-unit-guardrails	`32.46% <ø> (-0.27%)`	⬇️
platform-webpack	`18.00% <0.00%> (-0.11%)`	⬇️
plugins-axios	`35.50% <0.00%> (-0.09%)`	⬇️
plugins-azure-cosmos	`35.94% <0.00%> (-0.16%)`	⬇️
plugins-azure-event-hubs	`34.86% <ø> (-0.01%)`	⬇️
plugins-azure-service-bus	`35.28% <0.00%> (-0.08%)`	⬇️
plugins-body-parser	`36.47% <0.00%> (-0.11%)`	⬇️
plugins-bullmq	`?`
plugins-cassandra	`33.64% <0.00%> (-0.34%)`	⬇️
plugins-cookie	`25.00% <ø> (-0.17%)`	⬇️
plugins-cookie-parser	`24.75% <ø> (-0.17%)`	⬇️
plugins-crypto	`24.48% <ø> (-0.23%)`	⬇️
plugins-dd-trace-api	`33.42% <ø> (-0.21%)`	⬇️
plugins-express-mongo-sanitize	`25.00% <ø> (-0.17%)`	⬇️
plugins-express-session	`24.67% <ø> (-0.16%)`	⬇️
plugins-fastify	`37.78% <0.00%> (-0.11%)`	⬇️
plugins-fetch	`34.08% <0.00%> (-0.22%)`	⬇️
plugins-fs	`33.80% <ø> (-0.16%)`	⬇️
plugins-generic-pool	`23.72% <ø> (-0.16%)`	⬇️
plugins-google-cloud-pubsub	`41.47% <0.00%> (+0.01%)`	⬆️
plugins-grpc	`?`
plugins-handlebars	`24.96% <ø> (-0.17%)`	⬇️
plugins-hapi	`35.60% <0.00%> (-0.18%)`	⬇️
plugins-hono	`35.95% <0.00%> (-0.16%)`	⬇️
plugins-ioredis	`34.26% <ø> (-0.12%)`	⬇️
plugins-jest	`27.08% <ø> (+0.04%)`	⬆️
plugins-knex	`24.69% <ø> (-0.15%)`	⬇️
plugins-langgraph	`32.42% <ø> (-0.17%)`	⬇️
plugins-ldapjs	`22.35% <ø> (-0.14%)`	⬇️
plugins-light-my-request	`24.41% <ø> (-0.16%)`	⬇️
plugins-limitd-client	`27.96% <ø> (-0.17%)`	⬇️
plugins-lodash	`23.90% <ø> (-0.16%)`	⬇️
plugins-mariadb	`35.23% <ø> (-0.05%)`	⬇️
plugins-memcached	`33.78% <ø> (-0.12%)`	⬇️
plugins-microgateway-core	`34.70% <0.00%> (-0.17%)`	⬇️
plugins-modelcontextprotocol-sdk	`32.38% <ø> (-0.15%)`	⬇️
plugins-moleculer	`36.63% <0.00%> (-0.08%)`	⬇️
plugins-mongodb	`35.88% <0.00%> (+0.10%)`	⬆️
plugins-mongodb-core	`35.53% <ø> (+0.18%)`	⬆️
plugins-mongoose	`34.35% <0.00%> (?)`
plugins-multer	`24.71% <ø> (-0.16%)`	⬇️
plugins-mysql	`34.57% <ø> (-0.07%)`	⬇️
plugins-mysql2	`34.99% <ø> (-0.02%)`	⬇️
plugins-nats	`36.44% <ø> (-0.09%)`	⬇️
plugins-node-serialize	`25.04% <ø> (-0.17%)`	⬇️
plugins-opensearch	`33.58% <0.00%> (-0.16%)`	⬇️
plugins-passport-http	`24.64% <ø> (-0.16%)`	⬇️
plugins-pino	`29.83% <ø> (-0.25%)`	⬇️
plugins-postgres	`34.55% <ø> (-0.05%)`	⬇️
plugins-process	`24.48% <ø> (-0.23%)`	⬇️
plugins-pug	`25.00% <ø> (-0.17%)`	⬇️
plugins-redis	`34.16% <ø> (-0.25%)`	⬇️
plugins-router	`38.05% <0.00%> (-0.29%)`	⬇️
plugins-sequelize	`23.60% <ø> (-0.16%)`	⬇️
plugins-test-and-upstream-amqp10	`33.92% <ø> (-0.09%)`	⬇️
plugins-test-and-upstream-amqplib	`39.16% <ø> (?)`
plugins-test-and-upstream-apollo	`?`
plugins-test-and-upstream-avsc	`33.82% <ø> (-0.24%)`	⬇️
plugins-test-and-upstream-connect	`36.24% <0.00%> (-0.18%)`	⬇️
plugins-test-and-upstream-graphql	`36.11% <ø> (-0.08%)`	⬇️
plugins-test-and-upstream-koa	`35.78% <0.00%> (-0.18%)`	⬇️
plugins-test-and-upstream-protobufjs	`34.05% <ø> (-0.20%)`	⬇️
plugins-test-and-upstream-rhea	`39.29% <ø> (-0.03%)`	⬇️
plugins-undici	`34.59% <0.00%> (-0.19%)`	⬇️
plugins-url	`24.48% <ø> (-0.23%)`	⬇️
plugins-valkey	`33.89% <ø> (-0.12%)`	⬇️
plugins-vm	`24.48% <ø> (-0.23%)`	⬇️
plugins-winston	`29.63% <0.00%> (-0.30%)`	⬇️
plugins-ws	`37.09% <0.00%> (-0.13%)`	⬇️
profiling-macos	`43.24% <0.00%> (-0.17%)`	⬇️
profiling-ubuntu	`43.62% <0.00%> (-0.11%)`	⬇️
profiling-windows	`?`
serverless-aws-sdk-latest-aws-sdk	`33.47% <0.00%> (-0.16%)`	⬇️
serverless-aws-sdk-latest-bedrockruntime	`31.68% <0.00%> (?)`
serverless-aws-sdk-latest-client	`20.18% <ø> (?)`
serverless-aws-sdk-latest-dynamodb	`34.23% <0.00%> (-0.15%)`	⬇️
serverless-aws-sdk-latest-eventbridge	`27.05% <0.00%> (-0.25%)`	⬇️
serverless-aws-sdk-latest-kinesis	`37.43% <0.00%> (-0.10%)`	⬇️
serverless-aws-sdk-latest-lambda	`34.78% <0.00%> (-0.18%)`	⬇️
serverless-aws-sdk-latest-s3	`32.63% <0.00%> (-0.21%)`	⬇️
serverless-aws-sdk-latest-sqs	`38.05% <0.00%> (-0.16%)`	⬇️
serverless-aws-sdk-latest-stepfunctions	`33.34% <0.00%> (-0.22%)`	⬇️
serverless-aws-sdk-latest-util	`47.00% <ø> (ø)`
serverless-aws-sdk-oldest-aws-sdk	`33.55% <0.00%> (-0.16%)`	⬇️
serverless-aws-sdk-oldest-bedrockruntime	`31.94% <0.00%> (-0.22%)`	⬇️
serverless-aws-sdk-oldest-client	`20.56% <ø> (-0.11%)`	⬇️
serverless-aws-sdk-oldest-dynamodb	`34.28% <0.00%> (-0.15%)`	⬇️
serverless-aws-sdk-oldest-eventbridge	`27.09% <0.00%> (?)`
serverless-aws-sdk-oldest-kinesis	`37.55% <0.00%> (-0.10%)`	⬇️
serverless-aws-sdk-oldest-lambda	`?`
serverless-aws-sdk-oldest-s3	`32.72% <0.00%> (-0.17%)`	⬇️
serverless-aws-sdk-oldest-serverless-peer-service	`39.72% <0.00%> (?)`
serverless-aws-sdk-oldest-sns	`38.62% <0.00%> (-0.09%)`	⬇️
serverless-aws-sdk-oldest-sqs	`37.89% <0.00%> (-0.15%)`	⬇️
serverless-aws-sdk-oldest-stepfunctions	`33.39% <0.00%> (-0.22%)`	⬇️
serverless-aws-sdk-oldest-util	`47.26% <ø> (ø)`
serverless-azure-durable-functions	`36.95% <0.00%> (-0.13%)`	⬇️
serverless-azure-functions-eventhubs	`38.40% <0.00%> (-0.07%)`	⬇️
serverless-azure-functions-servicebus	`38.46% <0.00%> (-0.07%)`	⬇️
serverless-lambda	`34.50% <0.00%> (-0.30%)`	⬇️
test-optimization-cucumber-latest-7.0.0	`?`
test-optimization-cucumber-latest-latest	`53.15% <0.00%> (-0.05%)`	⬇️
test-optimization-cucumber-oldest-7.0.0	`50.40% <0.00%> (-0.03%)`	⬇️
test-optimization-cypress-latest-12.0.0-commonJS	`49.53% <0.00%> (+<0.01%)`	⬆️
test-optimization-cypress-latest-12.0.0-esm	`49.56% <0.00%> (+<0.01%)`	⬆️
test-optimization-cypress-latest-14.5.4-commonJS	`49.11% <0.00%> (-0.27%)`	⬇️
test-optimization-cypress-latest-14.5.4-esm	`49.41% <0.00%> (+<0.01%)`	⬆️
test-optimization-cypress-latest-latest-commonJS	`49.87% <0.00%> (+<0.01%)`	⬆️
test-optimization-cypress-latest-latest-esm	`49.87% <0.00%> (-0.03%)`	⬇️
test-optimization-cypress-oldest-12.0.0-commonJS	`49.57% <0.00%> (+0.03%)`	⬆️
test-optimization-cypress-oldest-12.0.0-esm	`49.47% <0.00%> (+<0.01%)`	⬆️
test-optimization-cypress-oldest-14.5.4-commonJS	`49.41% <0.00%> (+<0.01%)`	⬆️
test-optimization-cypress-oldest-14.5.4-esm	`49.44% <0.00%> (+<0.01%)`	⬆️
test-optimization-jest-latest-latest	`55.49% <0.00%> (-0.05%)`	⬇️
test-optimization-jest-latest-oldest	`54.40% <0.00%> (-0.04%)`	⬇️
test-optimization-jest-oldest-latest	`54.85% <0.00%> (-0.70%)`	⬇️
test-optimization-jest-oldest-oldest	`52.42% <0.00%> (-1.98%)`	⬇️
test-optimization-mocha-latest-latest	`53.68% <0.00%> (-0.08%)`	⬇️
test-optimization-mocha-latest-oldest	`51.35% <0.00%> (-0.04%)`	⬇️
test-optimization-mocha-oldest-latest	`53.76% <0.00%> (-0.08%)`	⬇️
test-optimization-mocha-oldest-oldest	`51.30% <0.00%> (-0.06%)`	⬇️
test-optimization-playwright-latest-latest-playwright-active-test-span	`44.42% <0.00%> (+0.19%)`	⬆️
test-optimization-playwright-latest-latest-playwright-atr	`43.08% <0.00%> (+0.04%)`	⬆️
test-optimization-playwright-latest-latest-playwright-efd	`43.49% <0.00%> (+0.02%)`	⬆️
test-optimization-playwright-latest-latest-playwright-final-status	`43.53% <0.00%> (+0.01%)`	⬆️
test-optimization-playwright-latest-latest-playwright-impacted-tests	`43.01% <0.00%> (-0.07%)`	⬇️
test-optimization-playwright-latest-latest-playwright-reporting	`43.10% <0.00%> (+0.14%)`	⬆️
test-optimization-playwright-latest-latest-playwright-test-management	`44.70% <0.00%> (+0.03%)`	⬆️
test-optimization-playwright-latest-oldest-playwright-active-test-span	`44.22% <0.00%> (+0.18%)`	⬆️
test-optimization-playwright-latest-oldest-playwright-atr	`43.15% <0.00%> (+0.02%)`	⬆️
test-optimization-playwright-latest-oldest-playwright-efd	`43.38% <0.00%> (+<0.01%)`	⬆️
test-optimization-playwright-latest-oldest-playwright-final-status	`43.45% <0.00%> (+0.02%)`	⬆️
test-optimization-playwright-latest-oldest-playwright-impacted-tests	`42.93% <0.00%> (-0.09%)`	⬇️
test-optimization-playwright-latest-oldest-playwright-reporting	`42.91% <0.00%> (?)`
test-optimization-playwright-latest-oldest-playwright-test-management	`44.64% <0.00%> (+<0.01%)`	⬆️
test-optimization-playwright-oldest-latest-playwright-active-test-span	`44.45% <0.00%> (+0.03%)`	⬆️
test-optimization-playwright-oldest-latest-playwright-atr	`43.11% <0.00%> (+0.02%)`	⬆️
test-optimization-playwright-oldest-latest-playwright-efd	`43.49% <0.00%> (+0.02%)`	⬆️
test-optimization-playwright-oldest-latest-playwright-final-status	`43.59% <0.00%> (+0.02%)`	⬆️
test-optimization-playwright-oldest-latest-playwright-impacted-tests	`43.04% <0.00%> (-0.07%)`	⬇️
test-optimization-playwright-oldest-latest-playwright-reporting	`43.13% <0.00%> (+0.02%)`	⬆️
test-optimization-playwright-oldest-latest-playwright-test-management	`44.73% <0.00%> (+0.01%)`	⬆️
test-optimization-playwright-oldest-oldest-playwright-active-test-span	`44.26% <0.00%> (+0.18%)`	⬆️
test-optimization-playwright-oldest-oldest-playwright-atr	`43.19% <0.00%> (+0.02%)`	⬆️
test-optimization-playwright-oldest-oldest-playwright-efd	`43.42% <0.00%> (?)`
test-optimization-playwright-oldest-oldest-playwright-final-status	`43.51% <0.00%> (+0.02%)`	⬆️
test-optimization-playwright-oldest-oldest-playwright-impacted-tests	`?`
test-optimization-playwright-oldest-oldest-playwright-reporting	`42.94% <0.00%> (+0.02%)`	⬆️
test-optimization-playwright-oldest-oldest-playwright-test-management	`44.67% <0.00%> (+<0.01%)`	⬆️
test-optimization-selenium-latest	`45.47% <0.00%> (-0.04%)`	⬇️
test-optimization-selenium-oldest	`44.92% <0.00%> (-0.09%)`	⬇️
test-optimization-testopt-active	`48.60% <0.00%> (+0.02%)`	⬆️
test-optimization-testopt-latest	`48.60% <0.00%> (+0.02%)`	⬆️
test-optimization-testopt-maintenance	`48.64% <0.00%> (+0.02%)`	⬆️
test-optimization-testopt-oldest	`49.57% <0.00%> (-0.02%)`	⬇️
test-optimization-vitest-latest	`49.91% <0.00%> (+0.20%)`	⬆️
test-optimization-vitest-oldest	`48.07% <0.00%> (+0.21%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

pr-commenter · 2026-05-27T09:14:01Z

Benchmarks

Benchmark execution time: 2026-06-02 08:19:58

Comparing candidate commit 1437d20 in PR branch ugaitz/fix-possible-memory-leak with baseline commit c6be3b9 in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 1504 metrics, 89 unstable metrics.

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 37afb8fceb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Always run handleRedirectResponse before applying body guard outcomes so sampled redirect chains still store the Location decision. Skip response_body_ignored metrics on redirect hops where body analysis is deferred to the follow-up request. Co-authored-by: Cursor <cursoragent@cursor.com>

BridgeAR · 2026-05-29T11:28:32Z

+        "implementation": "A",
+        "type": "int",
+        "internalPropertyName": "appsec.apiSecurity.maxDownstreamBodyBytes",
+        "default": "10485760"


Do we have to make this configurable? Would a default not be fine?

I think is good to have this configurable (I know that 99% of users is not going to modify it), but if some user has a memory sensitive application or they complain that we are ignoring data, we can say them to modify the max size.

BridgeAR · 2026-05-29T11:29:48Z

+ */
+function getResponseBodyCollectionConfig () {
+  return {
+    maxBytes: config?.appsec?.apiSecurity?.maxDownstreamBodyBytes ?? DEFAULT_MAX_DOWNSTREAM_BODY_BYTES,


Suggested change

maxBytes: config?.appsec?.apiSecurity?.maxDownstreamBodyBytes ?? DEFAULT_MAX_DOWNSTREAM_BODY_BYTES,

maxBytes: config.appsec.apiSecurity.maxDownstreamBodyBytes

If we access the config, it is guaranteed to already have done all of that

BridgeAR · 2026-05-29T11:33:13Z

+    return { collect: false, reason: 'content_length_too_big' }
+  }
+
+  return { collect: true }


I am not sure but I believe V8 would be able to detect the shape better if we define an object at the top where we just change the value before returning. I would add a undefined reason so the shape stays constant.

CarlesDD · 2026-06-02T12:48:50Z


  // Track body analysis count if we're sampling the response body
  if (shouldCollectBody) {
    incrementBodyAnalysisCount(req)


Should this counter be incremented if response body is finally ignored (not analyzed)?

CarlesDD · 2026-06-02T13:01:15Z

  getMethod,
  storeRedirectBodyCollectionDecision,
+  SUPPORTED_RESPONSE_BODY_MIME_TYPES,
+  RESPONSE_BODY_IGNORED_METRIC_SUFFIX,


RESPONSE_BODY_IGNORED_METRIC_SUFFIX exported but never used...

if it is not used elsewhere, only here to filter out unknown reasons, is there really a reason for it to be an object? Could it not be a Set and check it with VALID_REASONS.has(xxxx)?

I'm going to remove the export, you're right it is not used (I guess it was used in a initial version)

Is very small object (3 keys), why do you thing that set would be better than object? I'd be slower (I know, not much), isn't it?

CarlesDD · 2026-06-02T14:05:59Z

+function handleResponseFinish ({ ctx, res, body, responseBodyIgnoredReason }) {
  // downstream response object
  if (!res) return

  const originatingRequest = getActiveRequest()
  if (!originatingRequest) return

-  // Skip body analysis for redirect responses
-  const evaluateBody = ctx.shouldCollectBody && !downstream.handleRedirectResponse(originatingRequest, res)
+  const shouldCollectBodyAfterRedirect = ctx.shouldCollectBody &&
+    downstream.handleRedirectResponse(originatingRequest, res)
+
+  if (!shouldCollectBodyAfterRedirect && responseBodyIgnoredReason) {
+    downstream.recordResponseBodyIgnored(originatingRequest, responseBodyIgnoredReason)
+  }
+
+  const evaluateBody = ctx.shouldCollectBody && !shouldCollectBodyAfterRedirect && !responseBodyIgnoredReason
  const responseBody = evaluateBody ? body : null
  runResponseEvaluation(res, originatingRequest, responseBody)
 }


I think these logical paths could be reworked (within the naming) to make them clear.

if !ctx.shouldCollectBody we could return an early runResponseEvaluation with a null responseBody

the same applies to shouldCollectBodyAfterRedirect being true (which in this case, we can rename to isRedirect to make it clear).

then, if there is a responseBodyIgnoredReason we can record the metric and return early again.

and finally, if none of this conditions are met, we runResponseEvaluation with the body.

WDYT?

CarlesDD · 2026-06-02T14:25:53Z

+            })
+
+            it('ignores body when content-length exceeds maxBytes', (done) => {
+              responseBodyCollection.maxBytes = 10


responseBodyCollection is declared in a before block and then mutated in this test. would worth to move the responseBodyCollection declaration to beforeEach to be sure it is not mutated in each test.

CarlesDD · 2026-06-02T14:26:40Z

+      sinon.assert.calledTwice(span.setTag)
+      sinon.assert.calledWith(span.setTag, tag, 1)
+      sinon.assert.calledWith(span.setTag, tag, 2)
+      webRootStub.restore()


Is not sinon.restore() from afterEach doing the same?

fix(appsec): Implement limits for analyzed downstream requests

66d1cec

github-actions Bot added semver-patch appsec labels May 27, 2026

uurien added 5 commits May 27, 2026 14:20

fix lint

2a1a590

Merge branch 'master' into ugaitz/fix-possible-memory-leak

ef1bee3

fix comment

416a7ef

Do not require extra http

49149ea

small fixes

37afb8f

uurien added the ai-generated PR created with AI assistance label May 28, 2026

uurien marked this pull request as ready for review May 29, 2026 10:21

uurien requested review from a team as code owners May 29, 2026 10:21

uurien requested review from BridgeAR and bojbrook and removed request for a team May 29, 2026 10:21

chatgpt-codex-connector Bot reviewed May 29, 2026

View reviewed changes

Comment thread packages/dd-trace/src/appsec/rasp/ssrf.js Outdated

uurien and others added 2 commits May 29, 2026 12:38

Merge branch 'master' into ugaitz/fix-possible-memory-leak

bdf5880

BridgeAR reviewed May 29, 2026

View reviewed changes

Apply PR comments

1437d20

CarlesDD reviewed Jun 2, 2026

View reviewed changes

	maxBytes: config?.appsec?.apiSecurity?.maxDownstreamBodyBytes ?? DEFAULT_MAX_DOWNSTREAM_BODY_BYTES,
	maxBytes: config.appsec.apiSecurity.maxDownstreamBodyBytes

Conversation

uurien commented May 27, 2026 • edited by atlassian Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What does this PR do?

Motivation

Additional Notes

Uh oh!

dd-octo-sts Bot commented May 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Overall package size

Uh oh!

datadog-official Bot commented May 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codecov Bot commented May 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

pr-commenter Bot commented May 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Benchmarks

Uh oh!

chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

CarlesDD Jun 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

CarlesDD Jun 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

uurien commented May 27, 2026 •

edited by atlassian Bot

Loading

dd-octo-sts Bot commented May 27, 2026 •

edited

Loading

datadog-official Bot commented May 27, 2026 •

edited

Loading

codecov Bot commented May 27, 2026 •

edited

Loading

pr-commenter Bot commented May 27, 2026 •

edited

Loading

CarlesDD Jun 2, 2026 •

edited

Loading

CarlesDD Jun 2, 2026 •

edited

Loading