Skip to content

[APPSEC]: blocking for alb multi value headers events #655

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Sep 9, 2025
Merged

[APPSEC]: blocking for alb multi value headers events #655

merged 3 commits into from
Sep 9, 2025

Conversation

@florentinl
Copy link
Contributor

@florentinl florentinl commented Sep 2, 2025
edited
Loading

What does this PR do?

Currently, ASM returns the same response for all event types. It works in all cases except ALB with a target group that has the multi-value headers option turned on. In this case, headers must be sent in the multiValueHeaders field with type dict[str, list[str]] instead of in the headers field with type dict[str, str].

This PR fixes blocking for Appsec in the context of ALB events for lambdas in target groups with multi-value headers enabled:

  • Add EventSubTypes for regular ALB and ALB multi-value headers to propagate the information
  • Send a blocking response with multiValueHeaders instead of headers when required.
  • [typo] renamed the sample events file

Motivation

While adding the ALB event types to the system-tests in : DataDog/system-tests#5181. I noticed that blocking responses did not work as expected in the multi-value headers case.

Testing Guidelines

  • updated the unit tests
  • the system-tests APPSEC_LAMBDA_BLOCKING scenario asserts that it works as it should:
    • in the job logs for the alb-multi event type, you can see all xpassed tests that were failing currently for blocking and are now passing
  • manual testing: spinned up an ALB with multi-value headers and tested it.

Types of Changes

  • Bug fix
  • New feature
  • Breaking change
  • Misc (docs, refactoring, dependency upgrade, etc.)

Check all that apply

  • This PR's description is comprehensive
  • This PR contains breaking changes that are documented in the description
  • This PR introduces new APIs or parameters that are documented and unlikely to change in the foreseeable future
  • This PR impacts documentation, and it has been updated (or a ticket has been logged)
  • This PR's changes are covered by the automated tests
  • This PR collects user input/sensitive content into Datadog
  • This PR passes the integration tests (ask a Datadog member to run the tests)

@florentinl florentinl force-pushed the florentinl/APPSEC-58787/fix-blocking-for-ALB-multi branch from bf47a21 to 8d706e6 Compare September 8, 2025 08:00
@florentinl florentinl force-pushed the florentinl/APPSEC-58787/fix-blocking-for-ALB-multi branch from 8d706e6 to bb76aad Compare September 8, 2025 09:25
@florentinl florentinl marked this pull request as ready for review September 8, 2025 12:10
@florentinl florentinl requested review from a team as code owners September 8, 2025 12:10
joeyzhao2018
joeyzhao2018 approved these changes Sep 9, 2025
View reviewed changes
Copy link
Contributor

@joeyzhao2018 joeyzhao2018 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@florentinl florentinl merged commit b171bda into main Sep 9, 2025
84 checks passed
@florentinl florentinl deleted the florentinl/APPSEC-58787/fix-blocking-for-ALB-multi branch September 9, 2025 08:18
@florentinl florentinl mentioned this pull request Sep 9, 2025
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joeyzhao2018 joeyzhao2018 joeyzhao2018 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@florentinl @joeyzhao2018