[APMSP-2668] Reach feature parity on redis obfuscation#1632
[APMSP-2668] Reach feature parity on redis obfuscation#1632
Conversation
📚 Documentation Check Results📦
|
Clippy Allow Annotation ReportComparing clippy allow annotations between branches:
Summary by Rule
Annotation Counts by File
Annotation Stats by Crate
About This ReportThis report tracks Clippy allow annotations for specific rules, showing how they've changed in this PR. Decreasing the number of these annotations generally improves code quality. |
🔒 Cargo Deny Results✅ No issues found! 📦
|
There was a problem hiding this comment.
Pull request overview
This PR brings libdd-trace-obfuscation Redis obfuscation behavior closer to the Datadog Agent by adding Redis query quantization, fixing multi-pair HSET value obfuscation, and exposing the “remove all args” helper for external use (e.g., tests).
Changes:
- Added
quantize_redis_string()to extract up to 3 Redis command names from a (possibly multi-line) query. - Fixed
HSETobfuscation to handle multiple field/value pairs (aligning with existingHMSETbehavior). - Made
remove_all_redis_args()public.
Comments suppressed due to low confidence (1)
libdd-trace-obfuscation/src/redis.rs:182
- The HSET obfuscation change now supports multiple field/value pairs, but the test suite only covers single-pair
HSET key field value. Add a test case for multi-pair HSET (e.g.,HSET key f1 v1 f2 v2) to prevent regressions in this updated behavior.
b"HMSET" | b"HSET" => {
// Every 2nd argument starting from first.
// • HMSET key field value [field value ...]
args = obfuscate_redis_args_step(args, 1, 2)
}
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| let mut result = commands.join(" "); | ||
| if commands.len() == MAX_REDIS_NB_COMMANDS || truncated { | ||
| if !result.is_empty() { | ||
| result.push(' '); | ||
| } | ||
| result.push_str("..."); | ||
| } |
There was a problem hiding this comment.
The ellipsis logic appends "..." whenever commands.len() == MAX_REDIS_NB_COMMANDS, even if the input contains exactly 3 commands and nothing more. If the intent is to indicate truncation only when additional (non-empty) commands exist (or a truncation mark was seen), this should instead be conditioned on having remaining content beyond the captured commands.
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #1632 +/- ##
==========================================
+ Coverage 71.19% 71.21% +0.01%
==========================================
Files 423 423
Lines 62453 62495 +42
==========================================
+ Hits 44466 44503 +37
- Misses 17987 17992 +5
🚀 New features to boost your workflow:
|
BenchmarksComparisonBenchmark execution time: 2026-02-26 16:35:42 Comparing candidate commit dfa071c in PR branch Found 1 performance improvements and 0 performance regressions! Performance is the same for 56 metrics, 2 unstable metrics. scenario:sql/obfuscate_sql_string
CandidateCandidate benchmark detailsGroup 1
Group 2
Group 3
Group 4
Group 5
Group 6
Group 7
Group 8
Group 9
Group 10
Group 11
Group 12
Group 13
Group 14
Group 15
Group 16
Group 17
Group 18
Group 19
BaselineOmitted due to size. |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Artifact Size Benchmark Reportaarch64-alpine-linux-musl
aarch64-unknown-linux-gnu
libdatadog-x64-windows
libdatadog-x86-windows
x86_64-alpine-linux-musl
x86_64-unknown-linux-gnu
|
What does this PR do?
Motivation
Making libdatadog’s obfuscation feature equivalent to the Agent’s implementation.
Additional Notes
How to test the change?