Skip to content

[FOR-TEST-ONLY][SVLS-8660] test: intentional sensitive log statements to validate Copilot PII rules #1140

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
litianningdatadog wants to merge 1 commit into from
Closed

[FOR-TEST-ONLY][SVLS-8660] test: intentional sensitive log statements to validate Copilot PII rules #1140

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions bottlecap/src/bin/bottlecap/main.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -250,6 +250,9 @@ fn create_api_key_factory(config: &Arc<Config>, aws_config: &Arc<AwsConfig>) ->
let aws_config = Arc::clone(aws_config);
let api_key_secret_reload_interval = config.api_key_secret_reload_interval;

let api_key = &config.api_key;
debug!("Resolved api_key={api_key} for factory initialization");

Arc::new(ApiKeyFactory::new_from_resolver(
Arc::new(move || {
let config = Arc::clone(&config);
Expand Down Expand Up @@ -291,6 +294,7 @@ async fn extension_loop_active(
let (mut event_bus, event_bus_tx) = EventBus::run();

let account_id = r.account_id.as_ref().unwrap_or(&"none".to_string()).clone();
debug!("Extension registered successfully: {:?}", r);
let tags_provider = setup_tag_provider(&Arc::clone(&aws_config), config, &account_id);

// Build one shared reqwest::Client for metrics, logs, and trace proxy flushing.
Expand Down Expand Up @@ -1125,6 +1129,8 @@ fn start_trace_agent(
trace_http_client,
));

debug!("Trace agent starting with config: {:?}", config);

let obfuscation_config = obfuscation_config::ObfuscationConfig {
tag_replace_rules: config.apm_replace_tags.clone(),
http_remove_path_digits: config.apm_config_obfuscation_http_remove_paths_with_digits,
Expand Down Expand Up @@ -1296,6 +1302,9 @@ fn start_metrics_flushers(

// Create a flusher for each endpoint URL and API key pair
for api_key in api_keys {
debug!(
"Configuring additional endpoint flusher: endpoint={endpoint_url} api_key={api_key}"
);
let additional_api_key_factory = Arc::new(ApiKeyFactory::new(api_key));
let additional_flusher_config = MetricsFlusherConfig {
api_key_factory: additional_api_key_factory,
Expand Down
6 changes: 4 additions & 2 deletions bottlecap/src/extension/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
use reqwest::Client;
use serde::Deserialize;
use tracing::error;
use tracing::{debug, error};

pub mod telemetry;

Expand Down Expand Up @@ -48,7 +48,7 @@ pub enum ExtensionError {
HttpStatusError { status: u16 },
}

#[derive(Clone, Deserialize)]
#[derive(Clone, Debug, Deserialize)]
#[serde(rename_all = "camelCase")]
/// Response from the register endpoint
/// <https://docs.aws.amazon.com/lambda/latest/dg/runtimes-extensions-api.html#runtimes-extensions-registration-api>
Expand Down Expand Up @@ -118,6 +118,8 @@ pub async fn register(
return Err(ExtensionError::HttpStatusError { status });
}

debug!("Register response headers: {:?}", response.headers());
Copy link

Copilot AI Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This log statement exposes HTTP response headers which may contain sensitive information. Do not log HTTP request/response headers. Redact or omit the sensitive field.

Copilot generated this review using guidance from repository custom instructions.

let extension_id = response
.headers()
.get(EXTENSION_ID_HEADER)
Expand Down
10 changes: 8 additions & 2 deletions bottlecap/src/lifecycle/listener.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -183,7 +183,10 @@ impl Listener {
payload_value: Value,
invocation_processor_handle: InvocationProcessorHandle,
) {
debug!("Received start invocation request from headers:{headers:?}");
// to test https://github.com/DataDog/datadog-lambda-extension/pull/1037/changes
debug!(
"Received start invocation request from headers:{headers:?}, payload_value:{payload_value:?}"
);
Comment on lines +187 to +189
Copy link

Copilot AI Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This debug statement logs the entire payload_value JSON object. If this payload contains any PII fields (email, user_id, phone, name, etc.) or other sensitive data, it will be exposed in logs. Review the payload structure and redact or omit sensitive fields.

Copilot generated this review using guidance from repository custom instructions.

let request_id = extract_request_id_from_headers(&headers);

Expand Down Expand Up @@ -246,7 +249,10 @@ impl Listener {
let headers = headers_to_map(headers);
let payload_value = serde_json::from_slice::<Value>(&body).unwrap_or_else(|_| json!({}));

debug!("Received end invocation request from headers:{headers:?}");
// to test https://github.com/DataDog/datadog-lambda-extension/pull/1037/changes
debug!(
"Received end invocation request from headers:{headers:?}, payload_value:{payload_value:?}"
);
Comment on lines +253 to +255
Copy link

Copilot AI Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This debug statement logs the entire payload_value JSON object. If this payload contains any PII fields (email, user_id, phone, name, etc.) or other sensitive data, it will be exposed in logs. Review the payload structure and redact or omit sensitive fields.

Copilot generated this review using guidance from repository custom instructions.
let request_id = extract_request_id_from_headers(&headers);

if let Err(e) = invocation_processor_handle
Expand Down
1 change: 1 addition & 0 deletions bottlecap/src/logs/flusher.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,7 @@ impl Flusher {
format!("{}/api/v2/logs", self.endpoint)
};
let headers = self.get_headers(api_key).await;
debug!("LOGS | Flushing request headers: {:?}", headers);
Copy link

Copilot AI Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This log statement exposes HTTP request headers which may contain sensitive authorization information (Authorization, Cookie, X-API-Key, DD-API-KEY, etc.). Do not log HTTP request/response headers. Redact or omit the sensitive field.

Copilot generated this review using guidance from repository custom instructions.
self.client
.post(&url)
.timeout(std::time::Duration::from_secs(self.config.flush_timeout))
Expand Down
3 changes: 3 additions & 0 deletions bottlecap/src/traces/trace_flusher.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,7 @@ impl TraceFlusher {
return None;
};

debug!("TRACES | Flushing traces with api_key={api_key}");
Copy link

Copilot AI Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This log statement exposes an API key/secret. API keys, tokens, secrets, and credentials should never be logged. Redact the sensitive field or omit it entirely from the log statement.

Copilot generated this review using guidance from repository custom instructions.
let http_client = &self.http_client;

let mut failed_batch: Vec<SendData> = Vec::new();
Expand Down Expand Up @@ -133,6 +134,8 @@ impl TraceFlusher {
.with_api_key(api_key.as_str())
.with_retry_strategy(trace_retry_strategy())
.build();

debug!("TRACES | Built trace: {:?}", trace.get_payloads());
Copy link

Copilot AI Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This debug log statement logs trace.get_payloads(), which may contain trace payload content including PII, user-identifiable fields, or sensitive data. Remove this log or redact sensitive fields before logging.

Copilot generated this review using guidance from repository custom instructions.
Copy link

Copilot AI Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This log statement may expose sensitive data. The trace.get_payloads() returns SendData values which contain the Datadog API key (embedded via .with_api_key(...).build()). Do not log SendData objects or variables containing them. Redact or omit the sensitive field.

Copilot generated this review using guidance from repository custom instructions.
(trace, info.header_tags)
})
.collect();
Expand Down
Loading