report truncation metrics (#5380)

* report truncation metrics

* truncation flags names suggestions

* add input truncated to waf requests

* add more test for input_truncated

Author: IlyasShabi

packages/dd-trace/src/appsec/telemetry/common.js

@@ -7,7 +7,8 @@ const tags = {
   RULE_TRIGGERED: 'rule_triggered',
   WAF_TIMEOUT: 'waf_timeout',
   WAF_VERSION: 'waf_version',
-  EVENT_RULES_VERSION: 'event_rules_version'
+  EVENT_RULES_VERSION: 'event_rules_version',
+  INPUT_TRUNCATED: 'input_truncated'
 }
 
 function getVersionsTags (wafVersion, rulesVersion) {

packages/dd-trace/src/appsec/telemetry/waf.js

@@ -7,6 +7,12 @@ const appsecMetrics = telemetryMetrics.manager.namespace('appsec')
 
 const DD_TELEMETRY_WAF_RESULT_TAGS = Symbol('_dd.appsec.telemetry.waf.result.tags')
 
+const TRUNCATION_FLAGS = {
+  STRING: 1,
+  CONTAINER_SIZE: 2,
+  CONTAINER_DEPTH: 4
+}
+
 function addWafRequestMetrics (store, { duration, durationExt, wafTimeout, errorCode }) {
   store[DD_TELEMETRY_REQUEST_METRICS].duration += duration || 0
   store[DD_TELEMETRY_REQUEST_METRICS].durationExt += durationExt || 0
@@ -58,6 +64,12 @@ function trackWafMetrics (store, metrics) {
     metricTags[tags.WAF_TIMEOUT] = true
   }
 
+  const truncationReason = getTruncationReason(metrics)
+  if (truncationReason > 0) {
+    metricTags[tags.INPUT_TRUNCATED] = true
+    incrementTruncatedMetrics(metrics, truncationReason)
+  }
+
   return metricTags
 }
 
@@ -69,6 +81,7 @@ function getOrCreateMetricTags (store, versionsTags) {
       [tags.REQUEST_BLOCKED]: false,
       [tags.RULE_TRIGGERED]: false,
       [tags.WAF_TIMEOUT]: false,
+      [tags.INPUT_TRUNCATED]: false,
 
       ...versionsTags
     }
@@ -98,6 +111,39 @@ function incrementWafRequests (store) {
   }
 }
 
+function incrementTruncatedMetrics (metrics, truncationReason) {
+  const truncationTags = { truncation_reason: truncationReason }
+  appsecMetrics.count('waf.input_truncated', truncationTags).inc(1)
+
+  if (metrics?.maxTruncatedString) {
+    appsecMetrics.distribution('waf.truncated_value_size', {
+      truncation_reason: TRUNCATION_FLAGS.STRING
+    }).track(metrics.maxTruncatedString)
+  }
+
+  if (metrics?.maxTruncatedContainerSize) {
+    appsecMetrics.distribution('waf.truncated_value_size', {
+      truncation_reason: TRUNCATION_FLAGS.CONTAINER_SIZE
+    }).track(metrics.maxTruncatedContainerSize)
+  }
+
+  if (metrics?.maxTruncatedContainerDepth) {
+    appsecMetrics.distribution('waf.truncated_value_size', {
+      truncation_reason: TRUNCATION_FLAGS.CONTAINER_DEPTH
+    }).track(metrics.maxTruncatedContainerDepth)
+  }
+}
+
+function getTruncationReason ({ maxTruncatedString, maxTruncatedContainerSize, maxTruncatedContainerDepth }) {
+  let reason = 0
+
+  if (maxTruncatedString) reason |= TRUNCATION_FLAGS.STRING
+  if (maxTruncatedContainerSize) reason |= TRUNCATION_FLAGS.CONTAINER_SIZE
+  if (maxTruncatedContainerDepth) reason |= TRUNCATION_FLAGS.CONTAINER_DEPTH
+
+  return reason
+}
+
 module.exports = {
   addWafRequestMetrics,
   trackWafMetrics,

packages/dd-trace/test/appsec/resources/index.js

@@ -0,0 +1,21 @@
+'use strict'
+
+const tracer = require('dd-trace')
+tracer.init({
+  flushInterval: 1
+})
+
+const express = require('express')
+const body = require('body-parser')
+
+const app = express()
+app.use(body.json())
+const port = process.env.APP_PORT || 3000
+
+app.post('/', async (req, res) => {
+  res.end('OK')
+})
+
+app.listen(port, () => {
+  process.send({ port })
+})

packages/dd-trace/test/appsec/telemetry/rasp.spec.js

@@ -129,6 +129,7 @@ describe('Appsec Rasp Telemetry metrics', () => {
           blockTriggered: true,
           ruleTriggered: true,
           wafTimeout: true,
+          input_truncated: true,
           wafVersion,
           rulesVersion
         }, req, { type: 'rule-type' })
@@ -141,7 +142,8 @@ describe('Appsec Rasp Telemetry metrics', () => {
           rule_triggered: false,
           waf_timeout: false,
           waf_version: wafVersion,
-          event_rules_version: rulesVersion
+          event_rules_version: rulesVersion,
+          input_truncated: false
         })
       })
     })

packages/dd-trace/test/appsec/telemetry/waf.spec.js

@@ -30,6 +30,11 @@ describe('Appsec Waf Telemetry metrics', () => {
   afterEach(sinon.restore)
 
   describe('if enabled', () => {
+    const metrics = {
+      wafVersion,
+      rulesVersion
+    }
+
     beforeEach(() => {
       appsecTelemetry.enable({
         enabled: true,
@@ -38,11 +43,6 @@ describe('Appsec Waf Telemetry metrics', () => {
     })
 
     describe('updateWafRequestsMetricTags', () => {
-      const metrics = {
-        wafVersion,
-        rulesVersion
-      }
-
       it('should skip update if no request is provided', () => {
         const result = appsecTelemetry.updateWafRequestsMetricTags(metrics)
 
@@ -57,7 +57,8 @@ describe('Appsec Waf Telemetry metrics', () => {
           event_rules_version: rulesVersion,
           request_blocked: false,
           rule_triggered: false,
-          waf_timeout: false
+          waf_timeout: false,
+          input_truncated: false
         })
       })
 
@@ -66,6 +67,7 @@ describe('Appsec Waf Telemetry metrics', () => {
           blockTriggered: true,
           ruleTriggered: true,
           wafTimeout: true,
+          maxTruncatedString: 5000,
           ...metrics
         }, req)
 
@@ -74,7 +76,8 @@ describe('Appsec Waf Telemetry metrics', () => {
           event_rules_version: rulesVersion,
           request_blocked: true,
           rule_triggered: true,
-          waf_timeout: true
+          waf_timeout: true,
+          input_truncated: true
         })
       })
 
@@ -93,7 +96,8 @@ describe('Appsec Waf Telemetry metrics', () => {
           event_rules_version: rulesVersion,
           request_blocked: false,
           rule_triggered: true,
-          waf_timeout: false
+          waf_timeout: false,
+          input_truncated: false
         })
       })
 
@@ -102,6 +106,7 @@ describe('Appsec Waf Telemetry metrics', () => {
           blockTriggered: true,
           ruleTriggered: true,
           wafTimeout: true,
+          maxTruncatedContainerSize: 300,
           ...metrics
         }, req)
 
@@ -120,7 +125,8 @@ describe('Appsec Waf Telemetry metrics', () => {
           event_rules_version: rulesVersion,
           request_blocked: true,
           rule_triggered: true,
-          waf_timeout: true
+          waf_timeout: true,
+          input_truncated: true
         })
       })
 
@@ -250,7 +256,8 @@ describe('Appsec Waf Telemetry metrics', () => {
           rule_triggered: false,
           waf_timeout: true,
           waf_version: wafVersion,
-          event_rules_version: rulesVersion
+          event_rules_version: rulesVersion,
+          input_truncated: false
         })
       })
 
@@ -260,6 +267,63 @@ describe('Appsec Waf Telemetry metrics', () => {
         expect(count).to.not.have.been.called
       })
     })
+
+    describe('WAF Truncation metrics', () => {
+      it('should report truncated string metrics', () => {
+        const result = appsecTelemetry.updateWafRequestsMetricTags({ maxTruncatedString: 5000 }, req)
+        expect(result).to.have.property('input_truncated', true)
+
+        expect(count).to.have.been.calledWith('waf.input_truncated', { truncation_reason: 1 })
+        expect(inc).to.have.been.calledWith(1)
+
+        expect(distribution).to.have.been.calledWith('waf.truncated_value_size', { truncation_reason: 1 })
+        expect(track).to.have.been.calledWith(5000)
+      })
+
+      it('should report truncated container size metrics', () => {
+        const result = appsecTelemetry.updateWafRequestsMetricTags({ maxTruncatedContainerSize: 300 }, req)
+        expect(result).to.have.property('input_truncated', true)
+
+        expect(count).to.have.been.calledWith('waf.input_truncated', { truncation_reason: 2 })
+        expect(inc).to.have.been.calledWith(1)
+
+        expect(distribution).to.have.been.calledWith('waf.truncated_value_size', { truncation_reason: 2 })
+        expect(track).to.have.been.calledWith(300)
+      })
+
+      it('should report truncated container depth metrics', () => {
+        const result = appsecTelemetry.updateWafRequestsMetricTags({ maxTruncatedContainerDepth: 20 }, req)
+        expect(result).to.have.property('input_truncated', true)
+
+        expect(count).to.have.been.calledWith('waf.input_truncated', { truncation_reason: 4 })
+        expect(inc).to.have.been.calledWith(1)
+
+        expect(distribution).to.have.been.calledWith('waf.truncated_value_size', { truncation_reason: 4 })
+        expect(track).to.have.been.calledWith(20)
+      })
+
+      it('should combine truncation reasons when multiple truncations occur', () => {
+        const result = appsecTelemetry.updateWafRequestsMetricTags({
+          maxTruncatedString: 5000,
+          maxTruncatedContainerSize: 300,
+          maxTruncatedContainerDepth: 20
+        }, req)
+        expect(result).to.have.property('input_truncated', true)
+
+        expect(count).to.have.been.calledWith('waf.input_truncated', { truncation_reason: 7 })
+        expect(distribution).to.have.been.calledWith('waf.truncated_value_size', { truncation_reason: 1 })
+        expect(distribution).to.have.been.calledWith('waf.truncated_value_size', { truncation_reason: 2 })
+        expect(distribution).to.have.been.calledWith('waf.truncated_value_size', { truncation_reason: 4 })
+      })
+
+      it('should not report truncation metrics when no truncation occurs', () => {
+        const result = appsecTelemetry.updateWafRequestsMetricTags(metrics, req)
+        expect(result).to.have.property('input_truncated', false)
+
+        expect(count).to.not.have.been.calledWith('waf.input_truncated')
+        expect(distribution).to.not.have.been.calledWith('waf.truncated_value_size')
+      })
+    })
   })
 
   describe('if disabled', () => {