chore(tracer): adding additional validation for jsonpath syntax for aws payload tagging

[happynancee]

Add a check for leading "$" in AWS Payload tagging JSONPath parser

Why do we need this check?

parse() in jsonpath_ng technically doesn’t require a leading $ for valid JSONPath expressions to allow more flexibility in syntax styling. So any string, such as “false”, “none”, were considered valid JSONPaths for this function and thus turned on the feature with no redaction rules applied.

We’re requiring the leading “$” to match the JSONpath validator linked in our docs and the JSONPath RFC and also so that we won’t turn on this payload tagging feature if user specifies something that suggests they want it turned off, such as “false”, in the environment variables

https://datadoghq.atlassian.net/browse/APMSVLS-51

Checklist

• PR author has checked that all the criteria below are met
• The PR description includes an overview of the change
• The PR description articulates the motivation for the change
• The change includes tests OR the PR description describes a testing strategy
• The PR description notes risks associated with the change, if any
• Newly-added code is easy to change
• The change follows the library release note guidelines
• The change includes or references documentation updates if necessary
• Backport labels are set (if applicable)

Reviewer Checklist

• Reviewer has checked that all the criteria below are met
• Title is accurate
• All changes are related to the pull request's stated goal
• Avoids breaking API changes
• Testing strategy adequately addresses listed risks
• Newly-added code is easy to change
• Release note makes sense to a user of the library
• If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
• Backport labels are set in a manner that is consistent with the release branch maintenance policy

[github-actions]

CODEOWNERS have been resolved as:

tests/snapshots/tests.contrib.botocore.test.BotocoreTest.test_aws_payload_tagging_sqs_invalid_config.json  @DataDog/apm-python
ddtrace/_trace/utils_botocore/aws_payload_tagging.py                    @DataDog/apm-sdk-api-python
tests/contrib/botocore/test.py                                          @DataDog/apm-core-python @DataDog/apm-idm-python

[github-actions]

Bootstrap import analysis

Comparison of import times between this PR and base.

Summary

The average import time from this PR is: 297 ± 7 ms.

The average import time from base is: 298 ± 8 ms.

The import time difference between this PR and base is: -1.7 ± 0.3 ms.

Import time breakdown

The following import paths have shrunk:

ddtrace.auto 1.341 ms (0.45%)

ddtrace 0.688 ms (0.23%)

ddtrace.internal._unpatched 0.035 ms (0.01%)

json 0.035 ms (0.01%)

json.decoder 0.035 ms (0.01%)

re 0.035 ms (0.01%)

enum 0.035 ms (0.01%)

types 0.035 ms (0.01%)

ddtrace.bootstrap.sitecustomize 0.653 ms (0.22%)

ddtrace.bootstrap.preload 0.653 ms (0.22%)

ddtrace.internal.remoteconfig.client 0.653 ms (0.22%)

[pr-commenter]

Benchmarks

Benchmark execution time: 2025-07-07 17:49:21

Comparing candidate commit fc08988 in PR branch nancy.li/aws-payload-tagging-new with baseline commit 242af42 in branch main.

Found 0 performance improvements and 1 performance regressions! Performance is the same for 546 metrics, 3 unstable metrics.

scenario:iastaspectsospath-ospathjoin_aspect

• 🟥 execution_time [+838.513ns; +963.600ns] or [+13.605%; +15.634%]