
serverless/appsec: fix handling of ALB headers & query string #22005

Merged
merged 5 commits into from
Jan 16, 2024

Conversation

Contributor

@RomainMuller RomainMuller commented Jan 11, 2024

What does this PR do?

We were previously only considering the multi-valued entries, since other event types (such as API Gateway) provide values in both formats all the time. This change uses the multi-valued map if present, and falls back to the single-valued map otherwise.

Motivation

When an AWS Application Load Balancer forwards a request to Lambda, it formats headers and query string parameters either as map[string]string in the Headers and QueryStringParameters properties (this is the default behavior), or as map[string][]string in MultiValueHeaders and MultiValueQueryStringParameters (when explicitly enabled by setting the appropriate target group attribute¹).

Describe how to test/QA your changes

Send traffic to a serverless-AppSec enabled Lambda function via an ALB, with e.g: a user-agent of Arachni/v1 -- which triggers a detection rule, and should result in the trace showing up in the ASM console.

Reviewer's Checklist

  • If known, an appropriate milestone has been selected; otherwise the Triage milestone is set.
  • Use the major_change label if your change either has a major impact on the code base, is impacting multiple teams or is changing important well-established internals of the Agent. This label will be used during QA to make sure each team pays extra attention to the changed behavior. For any customer facing change use a releasenote.
  • A release note has been added or the changelog/no-changelog label has been applied.
  • Changed code has automated tests for its functionality.
  • Adequate QA/testing plan information is provided, unless the qa/skip-qa label is applied together with either the qa/done or qa/no-code-change label.
  • At least one team/.. label has been applied, indicating the team(s) that should QA this change.
  • If applicable, docs team has been notified or an issue has been opened on the documentation repo.
  • If applicable, the need-change/operator and need-change/helm labels have been applied.
  • If applicable, the k8s/<min-version> label has been applied, indicating the lowest Kubernetes version compatible with this feature.
  • If applicable, the config template has been updated.

Footnotes

  1. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/lambda-functions.html#enable-multi-value-headers

When an AWS Application Load Balancer forwards a request to Lambda, it
formats headers and query string parameters either as `map[string]string`
in the `Headers` and `QueryStringParameters` properties (this is the
default behavior), or as `map[string][]string` in `MultiValueHeaders`
and `MultiValueQueryStringParameters` (when explicitly enabled by
setting the appropriate target group attribute[^1]).

We were previously only considering the multi-valued entries, since
other event types (such as API Gateway) provide values in both formats
all the time. This change uses the multi-valued map if present, and
falls back to the single-valued map otherwise.

[^1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/lambda-functions.html#enable-multi-value-headers
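The two payload shapes the description refers to, and the before/after selection logic, as an added example that is not code from this PR or from the datadog-agent. The `albEvent` struct, the two JSON payloads and the `Arachni/` user-agent check are constructed here for illustration; the JSON field names are those of the AWS ALB event format. `normalizeMultiOnly` reproduces the behaviour described as previous (only the multi-value maps are read), `normalize` the fixed one (multi-value maps when present, single-value maps otherwise), so a default-configured ALB no longer yields an empty header set to the detection rules:

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// albEvent is the subset of the ALB-to-Lambda event needed here. The JSON
// field names follow the AWS ALB event format; the struct itself is an
// added example, not the agent's own type.
type albEvent struct {
	Headers                         map[string]string   `json:"headers"`
	QueryStringParameters           map[string]string   `json:"queryStringParameters"`
	MultiValueHeaders               map[string][]string `json:"multiValueHeaders"`
	MultiValueQueryStringParameters map[string][]string `json:"multiValueQueryStringParameters"`
}

// Constructed sample payloads (not captured from a real ALB).
// defaultALB is the shape an ALB sends unless multi-value headers are enabled.
const defaultALB = `{
  "httpMethod": "GET",
  "path": "/",
  "headers": {"host": "example.test", "user-agent": "Arachni/v1"},
  "queryStringParameters": {"q": "1"}
}`

// multiValueALB is the shape sent when the target group's
// lambda.multi_value_headers.enabled attribute is true.
const multiValueALB = `{
  "httpMethod": "GET",
  "path": "/",
  "multiValueHeaders": {"host": ["example.test"], "user-agent": ["Arachni/v1"]},
  "multiValueQueryStringParameters": {"q": ["1", "2"]}
}`

// request is the normalised view that detection logic operates on.
type request struct {
	Headers map[string][]string
	Query   map[string][]string
}

// normalizeMultiOnly mirrors the pre-fix behaviour: only the multi-value
// maps are read, so a default-configured ALB produces an empty request.
func normalizeMultiOnly(ev albEvent) request {
	return request{
		Headers: lowerKeys(ev.MultiValueHeaders),
		Query:   ev.MultiValueQueryStringParameters,
	}
}

// normalize is the fixed behaviour: use the multi-value maps when the
// event carries them, otherwise promote the single-value maps.
func normalize(ev albEvent) request {
	return request{
		Headers: lowerKeys(promote(ev.MultiValueHeaders, ev.Headers)),
		Query:   promote(ev.MultiValueQueryStringParameters, ev.QueryStringParameters),
	}
}

// promote prefers the multi-value map and otherwise wraps each
// single value in a one-element slice.
func promote(multi map[string][]string, single map[string]string) map[string][]string {
	if len(multi) > 0 {
		return multi
	}
	out := make(map[string][]string, len(single))
	for k, v := range single {
		out[k] = []string{v}
	}
	return out
}

// lowerKeys makes header lookups case-insensitive (a choice made for this
// example; header names are case-insensitive per HTTP).
func lowerKeys(m map[string][]string) map[string][]string {
	out := make(map[string][]string, len(m))
	for k, vals := range m {
		lk := strings.ToLower(k)
		out[lk] = append(out[lk], vals...)
	}
	return out
}

// flaggedUserAgent stands in for a detection rule: it flags the Arachni
// scanner user-agent named in the PR's QA step. Hypothetical check.
func flaggedUserAgent(r request) (string, bool) {
	for _, ua := range r.Headers["user-agent"] {
		if strings.HasPrefix(ua, "Arachni/") {
			return ua, true
		}
	}
	return "", false
}

func parse(raw string) (albEvent, error) {
	var ev albEvent
	err := json.Unmarshal([]byte(raw), &ev)
	return ev, err
}

func main() {
	for _, tc := range []struct{ name, payload string }{
		{"default", defaultALB}, {"multi-value", multiValueALB},
	} {
		ev, err := parse(tc.payload)
		if err != nil {
			panic(err)
		}
		_, oldHit := flaggedUserAgent(normalizeMultiOnly(ev))
		_, newHit := flaggedUserAgent(normalize(ev))
		fmt.Printf("%-12s pre-fix detected=%v  fixed detected=%v\n", tc.name, oldHit, newHit)
	}
}
```

Running it shows the security impact of the bug: with the default ALB payload the pre-fix path sees no headers at all and the scanner user-agent is never evaluated, while the multi-value payload is handled identically before and after. When both map forms are present (the API Gateway case the description mentions) the multi-value map wins, so no values are duplicated.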
@@ -61,6 +61,8 @@ func (lp *ProxyLifecycleProcessor) OnInvokeStart(startDetails *invocationlifecyc
eventType := trigger.GetEventType(lowercaseEventPayload)
if eventType == trigger.Unknown {
log.Debugf("appsec: proxy-lifecycle: Failed to extract event type")
} else {
log.Debugf("appsec: proxy-lifecycle: Extracted event type: %v", eventType)
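Review bot: the new else branch formats eventType with %v, and since AWSEventType is an integer type that prints a bare number unless the type implements fmt.Stringer; make sure the String() method added further down in this PR is what this line resolves to (or use %s), otherwise the debug line is no easier to read than the number it replaces. Keep the message limited to the event type as it is here and do not widen it to lowercaseEventPayload, since for HTTP-style events that payload carries request headers and query strings that should not land in debug logs.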
Contributor Author

This will be helpful when diagnosing future cases, as this line makes it very easy to rule out the "failed to identify payload" scenario (presence of positive evidence is easier to reason about than absence of negative evidence).

Contributor

Agreed, this is a good addition. Ideally at some point we should add a String() method to the event type. Right now, if I recall correctly, it will just print a number.

Contributor

Omg, great minds think alike, I just scrolled down and saw the String() method you added! 🎉

@@ -294,3 +295,48 @@ func eventRecordsKeyEquals(event map[string]any, key string, val string) bool {
}
return false
}

func (et AWSEventType) String() string {
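Review bot: only the signature of String() is visible in this hunk; because the method exists to make the debug line in OnInvokeStart readable, its switch should end with a default case that still surfaces the numeric value for an unmapped constant, e.g. `return fmt.Sprintf("AWSEventType(%d)", et)`, so that an event type added later without a name does not log as an empty string, and a small test iterating over every defined AWSEventType constant would catch that omission.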
Contributor Author

This is only there to make the debug log of detection easier to read/reason about.


pr-commenter bot commented Jan 12, 2024

Bloop Bleep... Dogbot Here

Regression Detector Results

Run ID: a82e76bb-038a-488e-8f40-25fb5d12b0f4
Baseline: a27fe22
Comparison: 3f3a264
Total CPUs: 7

Performance changes are noted in the perf column of each table:

  • ✅ = significantly better comparison variant performance
  • ❌ = significantly worse comparison variant performance
  • ➖ = no significant change in performance

No significant changes in experiment optimization goals

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf  experiment         goal                Δ mean %  Δ mean % CI
      file_to_blackhole  % cpu utilization   +0.62     [-6.00, +7.23]
      idle               memory utilization  -0.02     [-0.04, +0.01]
      file_tree          memory utilization  -0.75     [-0.85, -0.64]

Fine details of change detection per experiment

perf  experiment                               goal                Δ mean %  Δ mean % CI
      file_to_blackhole                        % cpu utilization   +0.62     [-6.00, +7.23]
      process_agent_real_time_mode             memory utilization  +0.42     [+0.38, +0.45]
      process_agent_standard_check             memory utilization  +0.02     [-0.03, +0.07]
      trace_agent_msgpack                      ingress throughput  +0.01     [-0.01, +0.02]
      uds_dogstatsd_to_api                     ingress throughput  +0.00     [-0.03, +0.03]
      tcp_dd_logs_filter_exclude               ingress throughput  +0.00     [-0.06, +0.06]
      idle                                     memory utilization  -0.02     [-0.04, +0.01]
      process_agent_standard_check_with_stats  memory utilization  -0.03     [-0.08, +0.01]
      trace_agent_json                         ingress throughput  -0.03     [-0.06, -0.00]
      tcp_syslog_to_blackhole                  ingress throughput  -0.50     [-0.56, -0.43]
      file_tree                                memory utilization  -0.75     [-0.85, -0.64]
      otel_to_otel_logs                        ingress throughput  -4.71     [-5.42, -3.99]

Explanation

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

  1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

  2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

  3. Its configuration does not mark it "erratic".

@RomainMuller RomainMuller modified the milestones: Triage, 7.51.0 Jan 16, 2024
@RomainMuller
Contributor Author

/merge


dd-devflow bot commented Jan 16, 2024

🚂 MergeQueue

This merge request is not mergeable yet, because of pending checks/missing approvals. It will be added to the queue as soon as checks pass and/or get approvals.
Note: if you pushed new commits since the last approval, you may need additional approval.
You can remove it from the waiting list with /remove command.

you can cancel this operation by commenting your pull request with /merge -c!

Contributor

Serverless Benchmark Results

BenchmarkStartEndInvocation comparison between a27fe22 and 4b09e0c.

tl;dr
  1. Skim down the vs base column in each chart. If there is a ~, then there was no statistically significant change to the benchmark. Otherwise, ensure the estimated percent change is either negative or very small.

  2. The last row of each chart is the geomean. Ensure this percentage is either negative or very small.

What is this benchmarking?

The BenchmarkStartEndInvocation compares the amount of time it takes to call the start-invocation and end-invocation endpoints. For universal instrumentation languages (Dotnet, Golang, Java, Ruby), this represents the majority of the duration overhead added by our tracing layer.

The benchmark is run using a large variety of lambda request payloads. In the charts below, there is one row for each event payload type.

How do I interpret these charts?

The charts below come from benchstat. They represent the statistical change in duration (sec/op), memory overhead (B/op), and allocations (allocs/op).

The benchstat docs explain how to interpret these charts.

Before the comparison table, we see common file-level configuration. If there are benchmarks with different configuration (for example, from different packages), benchstat will print separate tables for each configuration.

The table then compares the two input files for each benchmark. It shows the median and 95% confidence interval summaries for each benchmark before and after the change, and an A/B comparison under "vs base". ... The p-value measures how likely it is that any differences were due to random chance (i.e., noise). The "~" means benchstat did not detect a statistically significant difference between the two inputs. ...

Note that "statistically significant" is not the same as "large": with enough low-noise data, even very small changes can be distinguished from noise and considered statistically significant. It is, of course, generally easier to distinguish large changes from noise.

Finally, the last row of the table shows the geometric mean of each column, giving an overall picture of how the benchmarks changed. Proportional changes in the geomean reflect proportional changes in the benchmarks. For example, given n benchmarks, if sec/op for one of them increases by a factor of 2, then the sec/op geomean will increase by a factor of ⁿ√2.

Benchmark stats
goos: linux
goarch: amd64
pkg: github.com/DataDog/datadog-agent/pkg/serverless/daemon
cpu: AMD EPYC 7763 64-Core Processor                
                                      │     previous     │                 current                  │
                                      │      sec/op      │     sec/op       vs base                 │
api-gateway-appsec.json                  96.40µ ±   5%      92.70µ ±    5%        ~ (p=0.481 n=10)
api-gateway-kong-appsec.json             70.93µ ±   3%      70.49µ ±    1%        ~ (p=0.631 n=10)
api-gateway-kong.json                    69.20µ ±   3%      68.83µ ±    3%        ~ (p=0.631 n=10)
api-gateway-non-proxy-async.json         107.1µ ±   1%      108.2µ ±    3%        ~ (p=0.315 n=10)
api-gateway-non-proxy.json               105.4µ ±   4%      107.9µ ±    1%        ~ (p=0.481 n=10)
api-gateway-websocket-connect.json       73.57µ ±   3%      74.66µ ±    5%        ~ (p=0.190 n=10)
api-gateway-websocket-default.json       66.34µ ±   4%      64.64µ ±    2%        ~ (p=0.052 n=10)
api-gateway-websocket-disconnect.json    64.21µ ±   6%      64.57µ ±    4%        ~ (p=0.971 n=10)
api-gateway.json                         125.2µ ±   6%      119.0µ ±    3%   -4.99% (p=0.004 n=10)
application-load-balancer.json           67.72µ ±  11%      63.53µ ±    6%   -6.18% (p=0.035 n=10)
cloudfront.json                          55.55µ ±   9%      51.57µ ±    8%   -7.16% (p=0.035 n=10)
cloudwatch-events.json                   44.43µ ±   5%      42.31µ ±    3%   -4.78% (p=0.002 n=10)
cloudwatch-logs.json                     56.81µ ±  43%      54.93µ ±   12%   -3.31% (p=0.035 n=10)
custom.json                              33.22µ ±  24%      32.91µ ±    8%        ~ (p=0.436 n=10)
dynamodb.json                           111.52µ ±  17%      98.52µ ±    8%  -11.66% (p=0.035 n=10)
empty.json                               41.94µ ±   9%      35.59µ ±    7%  -15.14% (p=0.000 n=10)
eventbridge-custom.json                  51.90µ ±  20%      45.97µ ±   16%  -11.42% (p=0.043 n=10)
http-api.json                            88.35µ ±  17%      86.62µ ±    3%        ~ (p=0.089 n=10)
kinesis-batch.json                      104.41µ ±  17%      92.11µ ±   10%        ~ (p=0.218 n=10)
kinesis.json                             81.83µ ±  11%      76.75µ ±   11%        ~ (p=0.075 n=10)
s3.json                                  98.42µ ± 196%      73.12µ ±   20%  -25.71% (p=0.009 n=10)
sns-batch.json                           118.6µ ± 107%      148.7µ ±   71%        ~ (p=0.143 n=10)
sns.json                                 84.23µ ±    ∞ ¹   757.60µ ± 5698%        ~ (p=0.200 n=1+9)
geomean                                  74.62µ             78.63µ           +5.37%
¹ need >= 6 samples for confidence interval at level 0.95

                                      │    previous    │                current                │
                                      │      B/op      │     B/op       vs base                │
api-gateway-appsec.json                 41.96Ki ± 3%     41.97Ki ±  3%       ~ (p=0.631 n=10)
api-gateway-kong-appsec.json            27.95Ki ± 0%     29.08Ki ± 11%       ~ (p=0.323 n=10)
api-gateway-kong.json                   25.29Ki ± 0%     25.29Ki ± 27%       ~ (p=0.809 n=10)
api-gateway-non-proxy-async.json        51.34Ki ± 0%     51.40Ki ±  0%  +0.11% (p=0.000 n=10)
api-gateway-non-proxy.json              49.90Ki ± 0%     49.96Ki ±  0%  +0.12% (p=0.001 n=10)
api-gateway-websocket-connect.json      29.11Ki ± 0%     29.15Ki ±  0%  +0.11% (p=0.000 n=10)
api-gateway-websocket-default.json      23.26Ki ± 0%     23.29Ki ±  0%  +0.13% (p=0.000 n=10)
api-gateway-websocket-disconnect.json   22.89Ki ± 0%     22.92Ki ±  0%  +0.14% (p=0.000 n=10)
api-gateway.json                        53.82Ki ± 0%     53.82Ki ±  0%  +0.01% (p=0.045 n=10)
application-load-balancer.json          22.90Ki ± 0%     23.84Ki ±  0%  +4.09% (p=0.001 n=10)
cloudfront.json                         18.43Ki ± 0%     18.45Ki ±  0%  +0.07% (p=0.001 n=10)
cloudwatch-events.json                  11.46Ki ± 0%     11.49Ki ±  0%  +0.26% (p=0.000 n=10)
cloudwatch-logs.json                    53.28Ki ± 0%     53.28Ki ±  0%       ~ (p=0.208 n=10)
custom.json                             9.216Ki ± 0%     9.233Ki ±  0%  +0.19% (p=0.001 n=10)
dynamodb.json                           43.24Ki ± 0%     43.27Ki ±  0%  +0.07% (p=0.000 n=10)
empty.json                              8.709Ki ± 0%     8.726Ki ±  0%  +0.19% (p=0.000 n=10)
eventbridge-custom.json                 13.18Ki ± 0%     13.21Ki ±  0%  +0.23% (p=0.001 n=10)
http-api.json                           24.10Ki ± 0%     24.16Ki ±  0%  +0.25% (p=0.000 n=10)
kinesis-batch.json                      28.41Ki ± 0%     28.44Ki ±  0%  +0.11% (p=0.000 n=10)
kinesis.json                            18.14Ki ± 0%     18.17Ki ±  0%  +0.19% (p=0.000 n=10)
s3.json                                 20.86Ki ± 0%     20.89Ki ±  0%  +0.14% (p=0.017 n=10)
sns-batch.json                          41.55Ki ± 0%     41.56Ki ±  0%       ~ (p=0.324 n=10)
sns.json                                24.80Ki ±  ∞ ¹   24.84Ki ± 13%       ~ (p=0.200 n=1+9)
geomean                                 25.37Ki          25.49Ki        +0.46%
¹ need >= 6 samples for confidence interval at level 0.95

                                      │   previous   │                current                │
                                      │  allocs/op   │  allocs/op   vs base                  │
api-gateway-appsec.json                 630.0 ± 0%     630.0 ±  0%       ~ (p=1.000 n=10)  ¹
api-gateway-kong-appsec.json            487.0 ± 0%     487.0 ±  0%       ~ (p=1.000 n=10)  ¹
api-gateway-kong.json                   465.0 ± 0%     465.0 ±  0%       ~ (p=1.000 n=10)  ¹
api-gateway-non-proxy-async.json        722.0 ± 0%     722.0 ±  0%       ~ (p=1.000 n=10)
api-gateway-non-proxy.json              712.0 ± 0%     712.0 ±  0%       ~ (p=1.000 n=10)
api-gateway-websocket-connect.json      452.0 ± 0%     452.0 ±  0%       ~ (p=1.000 n=10)  ¹
api-gateway-websocket-default.json      377.0 ± 0%     377.0 ±  0%       ~ (p=1.000 n=10)  ¹
api-gateway-websocket-disconnect.json   367.0 ± 0%     367.0 ±  0%       ~ (p=1.000 n=10)  ¹
api-gateway.json                        786.0 ± 0%     786.0 ±  0%       ~ (p=1.000 n=10)  ¹
application-load-balancer.json          348.0 ± 0%     349.0 ±  0%  +0.29% (p=0.000 n=10)
cloudfront.json                         280.0 ± 0%     280.0 ±  0%       ~ (p=1.000 n=10)  ¹
cloudwatch-events.json                  217.0 ± 0%     217.0 ±  0%       ~ (p=1.000 n=10)  ¹
cloudwatch-logs.json                    211.0 ± 0%     211.0 ±  0%       ~ (p=1.000 n=10)  ¹
custom.json                             165.0 ± 0%     165.0 ±  0%       ~ (p=1.000 n=10)  ¹
dynamodb.json                           584.0 ± 0%     584.0 ±  0%       ~ (p=1.000 n=10)  ¹
empty.json                              156.0 ± 0%     156.0 ±  0%       ~ (p=1.000 n=10)  ¹
eventbridge-custom.json                 249.0 ± 0%     249.0 ±  0%       ~ (p=1.000 n=10)  ¹
http-api.json                           424.0 ± 0%     424.0 ±  0%       ~ (p=1.000 n=10)
kinesis-batch.json                      384.0 ± 0%     384.0 ±  0%       ~ (p=1.000 n=10)  ¹
kinesis.json                            279.0 ± 0%     279.0 ±  0%       ~ (p=1.000 n=10)  ¹
s3.json                                 350.0 ± 0%     350.0 ±  0%       ~ (p=0.474 n=10)
sns-batch.json                          443.0 ± 0%     443.0 ±  0%       ~ (p=1.000 n=10)
sns.json                                314.0 ±  ∞ ²   315.0 ± 21%       ~ (p=0.800 n=1+9)
geomean                                 372.1          372.2        +0.03%
¹ all samples are equal
² need >= 6 samples for confidence interval at level 0.95


dd-devflow bot commented Jan 16, 2024

🚂 MergeQueue

Added to the queue.

There are 3 builds ahead of this PR! (estimated merge in less than 1h)

you can cancel this operation by commenting your pull request with /merge -c!

@RomainMuller RomainMuller merged commit 9f212be into main Jan 16, 2024
163 checks passed
@RomainMuller RomainMuller deleted the romain.marcadier/alb-event/APPSEC-42909 branch January 16, 2024 14:06

dd-devflow bot commented Jan 16, 2024

🚂 MergeQueue

This PR is already merged

DylanLovesCoffee pushed a commit that referenced this pull request Jan 18, 2024
We were previously only considering the multi-valued entries, since other event types (such as API Gateway) provide values in both formats all the time. This change uses the multi-valued map if present, and falls back to the single-valued map otherwise.
@kacper-murzyn kacper-murzyn modified the milestones: 7.51.0, 7.52.0 Feb 20, 2024