Add request_excluded tag to appsec.waf.requests metric#11744
Conversation
Adds the `request_excluded` tag to the `appsec.waf.requests` telemetry metric as required by the ASM Tags RFC. The tag emits string values `full`/`partial` (per RFC) with `none` as the baseline until libddwaf exposes exclusion filter data in its result. - WafMetricCollector: WAF_REQUEST_COMBINATIONS 128->256 (2^8), new requestExcluded boolean in bitmask (bit 7), tag emits "full"/"none" - AppSecRequestContext: wafRequestExcluded field + getter/setter - GatewayBridge: passes ctx.isWafRequestExcluded() as 8th arg - WafMetricCollectorTest: 256 combinations, wafInit added to given block
- Add metric.value == 1 assertion in waf request metrics test - Add requestMetrics.size() == 1 guard assertion - Add placeholder comment on setWafRequestExcluded() (libddwaf blocker) - Apply spotless formatting
Update wafRequest mock expectation from 7 to 8 wildcard arguments to match the new requestExcluded parameter added in APPSEC-62739.
|
@codex review |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8aadb97311
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Add missing requestExcluded (false) 8th argument to all wafRequest calls and add request_excluded:none to all expected tag lists. Found by Codex review of PR #11744.
|
Fixed in b130f0d: updated all 18 |
🟢 Java Benchmark SLOs — All performance SLOs passed
PR vs. master results
Commit: Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion. |
jandro996
added
type: enhancement
1 participant
What Does This Do
request_excludedtag to theappsec.waf.requeststelemetry metric inWafMetricCollectorWAF_REQUEST_COMBINATIONSfrom 128 (2^7) to 256 (2^8) to accommodate the new boolean dimensionrequestExcludedas the 8th parameter towafRequest()andcomputeWafRequestIndex(), using bit 7 (1 << 7)request_excluded:fullwhen a request was excluded,request_excluded:noneotherwise (always explicit per team guidance)wafRequestExcludedfield,setWafRequestExcluded(), andisWafRequestExcluded()toAppSecRequestContext, following the existingwafBlocked/wafTruncatedpatternctx.isWafRequestExcluded()as the 8th argument inGatewayBridgewhen callingwafMetricCollector.wafRequest()at end-of-requestWafMetricPeriodicActionSpecificationto pass the 8th argument and assertrequest_excluded:nonein all expected tag listsImplementation note
setWafRequestExcluded()is intentionally never called today: libddwaf 1.30.0 does not expose exclusion filter results in its output (ddwaf_resultonly carriesevents,actions,duration,timeout,attributes,keep). All requests therefore emitrequest_excluded:noneas a baseline. The RFC itself acknowledges this: "At the time of writing, this information is not available, however the interface of libddwaf will be updated to propagate this information." The setter will be activated once libddwaf exposes that data.Motivation
Implements the
request_excludedtag defined in the In-App WAF Error Telemetry RFC for theappsec.waf.requestsmetric. The RFC changed this tag from a boolean to a string with valuesfull(fully excluded) andpartial(partially excluded). Per team guidance, tags must always be emitted explicitly rather than left implicit/undefined.Jira ticket: APPSEC-62739
Additional Notes
Tag values defined by the RFC:
full— request was fully excluded by an exclusion filter (not yet emitted, pending libddwaf update)partial— request was partially excluded (future use)none— request was not excluded (current baseline for all requests)All 256 boolean combinations of the 8 WAF request flags are covered by the parameterized test in
WafMetricCollectorTest.Contributor Checklist
type:and (comp:orinst:) labels in addition to any other useful labelsclose,fix, or any linking keywords when referencing an issueUse
solvesinstead, and assign the PR milestone to the issueNote: Once your PR is ready to merge, add it to the merge queue by commenting
/merge./merge -ccancels the queue request./merge -f --reason "reason"skips all merge queue checks; please use this judiciously, as some checks do not run at the PR-level. For more information, see this doc.