
fix(swoole): gate post body parsing on allowed post params#3931

Merged
bwoebi merged 1 commit into
masterfrom
codex/fix-swoole-integration-vulnerability
May 28, 2026

Conversation

@bwoebi

@bwoebi bwoebi commented May 28, 2026

Collaborator

Motivation

  • The Swoole request hook unconditionally called $request->rawContent() and json_decode(), then normalized and added every parsed POST parameter name to span metadata even when DD_TRACE_HTTP_POST_DATA_PARAM_ALLOWED is empty, allowing unauthenticated clients to force expensive parsing and metadata growth.
  • The change aligns Swoole behavior with the existing guarded serializer path that only processes POST fields when the allowlist has entries.

Description

  • Add a guard in SwooleIntegration::instrumentRequestStart() so request body reading and decoding only runs when DD_TRACE_HTTP_POST_DATA_PARAM_ALLOWED is non-empty (changed file: src/DDTrace/Integrations/Swoole/SwooleIntegration.php).
  • Preserve the existing Normalizer::sanitizePostFields() and metadata-writing behavior when POST parameter capture is explicitly enabled.

Testing

  • Ran php -l src/DDTrace/Integrations/Swoole/SwooleIntegration.php to validate syntax, which succeeded.

Codex Task
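The gating pattern the PR describes, as an added example rather than the tracer's own code: the body is read and decoded only once the allowlist has entries, and only allowlisted field names are ever written as span tags. FakeRequest, parseAllowedPostParams, collectPostParamTags, the http.request.post. tag prefix, the comma-separated allowlist format and the size/depth caps are this example's assumptions, not dd-trace-php's SwooleIntegration or Normalizer::sanitizePostFields() API.

```php
<?php
declare(strict_types=1);

// Added example, not dd-trace-php code. FakeRequest stands in for the Swoole
// request object; only rawContent() is modelled, and it counts how often the
// body was read so the usage below can show the guard skipping the read.
final class FakeRequest
{
    public int $reads = 0;

    public function __construct(private string $body) {}

    public function rawContent(): string
    {
        $this->reads++;
        return $this->body;
    }
}

// Parse the comma-separated allowlist (the DD_TRACE_HTTP_POST_DATA_PARAM_ALLOWED
// value is assumed to look like "name1,name2"); names are lower-cased for matching.
function parseAllowedPostParams(string $env): array
{
    $allowed = [];
    foreach (explode(',', $env) as $name) {
        $name = strtolower(trim($name));
        if ($name !== '') {
            $allowed[$name] = true;
        }
    }
    return $allowed;
}

// Return span tags for allowlisted POST fields, or [] without touching the body
// when the allowlist is empty. The tag prefix and the byte/depth caps are this
// example's choices (assumptions), not the tracer's.
function collectPostParamTags(FakeRequest $request, string $allowedEnv, int $maxBytes = 65536): array
{
    $allowed = parseAllowedPostParams($allowedEnv);
    if ($allowed === []) {
        return []; // guard: no allowlist means no read, no json_decode, no metadata
    }

    $raw = $request->rawContent();
    if (strlen($raw) > $maxBytes) {
        return []; // bound the work an unauthenticated client can force even when capture is on
    }
    $decoded = json_decode($raw, true, 16); // shallow depth limit against deeply nested bodies
    if (!is_array($decoded)) {
        return [];
    }

    $tags = [];
    foreach ($decoded as $name => $value) {
        $key = strtolower((string) $name);
        if (!isset($allowed[$key])) {
            continue; // non-allowlisted names are not recorded either
        }
        $tags['http.request.post.' . $key] = is_scalar($value) ? (string) $value : json_encode($value);
    }
    return $tags;
}

// Usage with a constructed request body: with an empty allowlist the body is
// never read; with "username" allowlisted only that field reaches the span.
$body = json_encode([
    'username' => 'alice',
    'password' => 'hunter2',
    'padding'  => str_repeat('x', 40000),
]);
$request = new FakeRequest($body);

var_dump(collectPostParamTags($request, ''));
var_dump($request->reads);
var_dump(collectPostParamTags($request, 'username'));
var_dump($request->reads);
```

Running this prints an empty array and a read count of zero for the empty allowlist, then a single http.request.post.username tag and a read count of one for the allowlisted case; the password field is dropped because it is not in the allowlist. The byte and depth caps are the extra check a practitioner would want on top of the PR's guard, since an allowlisted deployment is still exposed to oversized or deeply nested bodies.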

@bwoebi bwoebi requested a review from a team as a code owner May 28, 2026 13:15
@bwoebi bwoebi requested review from tabgok and removed request for a team May 28, 2026 13:15
@datadog-datadog-prod-us1

datadog-datadog-prod-us1 Bot commented May 28, 2026


Pipelines  Tests


⚠️ Warnings

🚦 4 Pipeline jobs failed

DataDog/apm-reliability/dd-trace-php | Loader test on arm64 libc: [7.3, nts]

1 failed test. Error: Cannot assert "" contains "{\"name\":\"instrumentation_source\",\"value\":\"ssi\",\"origin\":\"default\",\"config_id\":null,\"seq_id\":null}" in test_configuration_telemetry.php:22.

DataDog/apm-reliability/dd-trace-php | test_extension_ci: [8.1]

Assertion failed: A non-numeric value encountered in /go/src/github.com/DataDog/apm-reliability/dd-trace-php/tmp/build_extension/run-tests.php on line 3616

DataDog/apm-reliability/dd-trace-php | test early PHP 8.1

🔄 Retry job. This looks flaky and may succeed on retry. 1 failed test. Error: Failed to connect to master listener: Connection refused (os error 111) at tests/ext/pcntl/pcntl_fork_thread_mode_orphan.phpt.


ℹ️ Info

No other issues found (see more)

🧪 All tests passed
❄️ No new flaky tests detected

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 60.71% (-0.04%)

🔗 Commit SHA: 59a3554

@bwoebi bwoebi merged commit fc3190c into master May 28, 2026
2028 of 2127 checks passed
@bwoebi bwoebi deleted the codex/fix-swoole-integration-vulnerability branch May 28, 2026 13:58
@github-actions github-actions Bot added this to the 1.21.0 milestone May 28, 2026

2 participants