[APPSEC-60450] Add parsed body address to downstream request analysis

[Strech]

What does this PR do?

• Add request/response body parsing into Faraday/Excon/RestClient contribs
• Add new utility class for handling body parsing
• Add counter sampler for downstream requests analysis
• Replace inhouse rack query parsing with Rack-based parsing
• And some more refactoring

Motivation:

This is a second batch of changes for http libraries instrumentations that brings a request/response body analysis based on sampling/limit settings.

Change log entry

Yes. AppSec: Add downstream request body analysis.

Additional Notes:

This is 2/3 of the original RFC and the announcement will come with a third one. You can spot that all contribs changes look-a-like and it's known issue due to the lack of events system we slowly moving to (i.e will be refactored one day)

How to test the change?

CI + ST

[github-actions]

Typing analysis

Note: Ignored files are excluded from the next sections.

steep:ignore comments

This PR introduces 8 steep:ignore comments, and clears 6 steep:ignore comments.

steep:ignore comments (+8-6)

❌ Introduced:

lib/datadog/appsec/context.rb:19
lib/datadog/appsec/contrib/rest_client/request_ssrf_detection_patch.rb:90
lib/datadog/appsec/contrib/rest_client/request_ssrf_detection_patch.rb:91
lib/datadog/appsec/utils/http/body.rb:17
lib/datadog/appsec/utils/http/body.rb:19
lib/datadog/appsec/utils/http/body.rb:20
lib/datadog/appsec/utils/http/media_type.rb:68
lib/datadog/appsec/utils/http/media_type.rb:72

✅ Cleared:

lib/datadog/appsec/context.rb:18
lib/datadog/appsec/contrib/rest_client/request_ssrf_detection_patch.rb:57
lib/datadog/appsec/contrib/rest_client/request_ssrf_detection_patch.rb:58
lib/datadog/appsec/utils/http/media_type.rb:13
lib/datadog/appsec/utils/http/media_type.rb:84
lib/datadog/appsec/utils/http/media_type.rb:88

Untyped other declarations

This PR clears 1 partially typed other declaration. It increases the percentage of typed other declarations from 76.49% to 76.75% (+0.26%).

Partially typed other declarations (+0-1)

✅ Cleared:

sig/datadog/appsec/security_engine/runner.rbs:5
└── type input_data = ::Hash[::String, untyped]

[pr-commenter]

Benchmarks

Benchmark execution time: 2026-02-10 11:40:17

Comparing candidate commit ff906db in PR branch appsec-60450-add-parsed-body-address-to-downstream-request with baseline commit 1fdc59c in branch master.

Found 0 performance improvements and 2 performance regressions! Performance is the same for 42 metrics, 2 unstable metrics.

scenario:profiling - Allocations ()

• 🟥 throughput [-247460.130op/s; -240111.180op/s] or [-7.410%; -7.190%]

scenario:tracing - Propagation - Datadog

• 🟥 throughput [-2926.631op/s; -2853.298op/s] or [-9.274%; -9.042%]

[datadog-datadog-prod-us1]

✅ Tests

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

🎯 Code Coverage
• Patch Coverage: 90.48%
• Overall Coverage: 95.14% (-0.04%)

View detailed report

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: ff906db | Docs | Datadog PR Page | Was this helpful? Give us feedback!}

[y9v]

great job!