
[CI] Remove template injection vulnerable bits from Serverless GHA Workflows #30631

Merged
merged 1 commit into main from amenasria/serverless-safe-gha
Nov 4, 2024

Conversation

amenasria

What does this PR do?

This PR removes the template injection vulnerable bits from Serverless GHA Workflows.

Motivation

TL;DR: from this remediation security post from GitLab:
The best practice to avoid code and command injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable:

- name: print title
  env:
    TITLE: ${{ github.event.issue.title }}
  run: echo "$TITLE"

This way, the value of the ${{ github.event.issue.title }} expression is stored in memory and used as a variable instead of influencing the generation of the script. As a side note, it is a good idea to double quote shell variables to avoid word splitting, but this is one of many general recommendations for writing shell scripts, not specific to GitHub Actions.

Describe how to test/QA your changes

Possible Drawbacks / Trade-offs

Additional Notes
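The check a reviewer would want for this class of fix, as an added example (not code from this PR or the datadog-agent repository): a dependency-free Python checker that finds `run:` steps splicing expressions from attacker-controllable contexts into the shell script, and rewrites them into the env-variable form quoted above. The sample workflow is constructed, and the list of untrusted context prefixes is an illustrative assumption, not GitHub's full list.

```python
"""Added example: lint GitHub Actions run: steps for template injection."""
import re

# Captures the column of the run: key so block-scalar continuation lines can be
# collected without swallowing sibling keys (e.g. env:) of the same step.
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
EXPRESSION = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
# Assumption (illustrative, not exhaustive): contexts written by outside
# contributors. Values such as github.sha are not flagged.
UNTRUSTED_PREFIXES = ("github.event.", "github.head_ref", "inputs.")

# Constructed sample: one vulnerable step, one hardened step, one block scalar.
SAMPLE_WORKFLOW = """\
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - run: echo "${{ github.event.issue.title }}"
      - env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "$TITLE"
      - run: |
          echo "branch ${{ github.head_ref }}"
          echo "sha ${{ github.sha }}"
"""


def run_step_bodies(workflow_text):
    """Yield (line_no, body) per run: step; body includes block-scalar lines."""
    lines, i = workflow_text.splitlines(), 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        i += 1
        if not m:
            continue
        key_col, start, body = len(m.group(1)), i, [m.group(2)]
        while i < len(lines) and (not lines[i].strip()
                                   or len(lines[i]) - len(lines[i].lstrip()) > key_col):
            body.append(lines[i])
            i += 1
        yield start, "\n".join(body)


def findings(workflow_text):
    """Return [(line_no, expression)] for untrusted expressions in run: bodies."""
    return [(n, m.group(1)) for n, body in run_step_bodies(workflow_text)
            for m in EXPRESSION.finditer(body)
            if m.group(1).startswith(UNTRUSTED_PREFIXES)]


def env_name(expr):  # github.event.issue.title -> ISSUE_TITLE
    return re.sub(r"[^A-Z0-9]", "_", "_".join(expr.split(".")[-2:]).upper())


def harden_run_body(body):
    """Return (new_body, env): untrusted expressions become quoted $VAR refs."""
    env = {}

    def swap(m):
        expr, s, a, b = m.group(1), m.string, m.start(), m.end()
        if not expr.startswith(UNTRUSTED_PREFIXES):
            return m.group(0)
        name = env_name(expr)
        env[name] = "${{ " + expr + " }}"
        if a > 0 and b < len(s) and s[a - 1] == '"' and s[b] == '"':
            return "$" + name  # already inside "...": no extra quotes
        return '"$' + name + '"'
    return EXPRESSION.sub(swap, body), env
```

Running `findings(SAMPLE_WORKFLOW)` reports the first and third steps only; the hardened step, which reads `$TITLE` from `env:`, produces no finding.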

@amenasria amenasria added changelog/no-changelog qa/no-code-change No code change in Agent code requiring validation team/agent-devx-infra labels Oct 30, 2024
@github-actions github-actions bot added the short review PR is simple enough to be reviewed quickly label Oct 30, 2024

Serverless Benchmark Results

BenchmarkStartEndInvocation comparison between a0e73e3 and e924240.

tl;dr

Use these benchmarks as an insight tool during development.

  1. Skim down the vs base column in each chart. If there is a ~, then there was no statistically significant change to the benchmark. Otherwise, ensure the estimated percent change is either negative or very small.

  2. The last row of each chart is the geomean. Ensure this percentage is either negative or very small.

What is this benchmarking?

The BenchmarkStartEndInvocation compares the amount of time it takes to call the start-invocation and end-invocation endpoints. For universal instrumentation languages (Dotnet, Golang, Java, Ruby), this represents the majority of the duration overhead added by our tracing layer.

The benchmark is run using a large variety of lambda request payloads. In the charts below, there is one row for each event payload type.

How do I interpret these charts?

The charts below come from benchstat. They represent the statistical change in duration (sec/op), memory overhead (B/op), and allocations (allocs/op).

The benchstat docs explain how to interpret these charts.

Before the comparison table, we see common file-level configuration. If there are benchmarks with different configuration (for example, from different packages), benchstat will print separate tables for each configuration.

The table then compares the two input files for each benchmark. It shows the median and 95% confidence interval summaries for each benchmark before and after the change, and an A/B comparison under "vs base". ... The p-value measures how likely it is that any differences were due to random chance (i.e., noise). The "~" means benchstat did not detect a statistically significant difference between the two inputs. ...

Note that "statistically significant" is not the same as "large": with enough low-noise data, even very small changes can be distinguished from noise and considered statistically significant. It is, of course, generally easier to distinguish large changes from noise.

Finally, the last row of the table shows the geometric mean of each column, giving an overall picture of how the benchmarks changed. Proportional changes in the geomean reflect proportional changes in the benchmarks. For example, given n benchmarks, if sec/op for one of them increases by a factor of 2, then the sec/op geomean will increase by a factor of ⁿ√2.

I need more help

First off, do not worry if the benchmarks are failing. They are not tests. The intention is for them to be a tool for you to use during development.

If you would like a hand interpreting the results come chat with us in #serverless-agent in the internal DataDog slack or in #serverless in the public DataDog slack. We're happy to help!

Benchmark stats
goos: linux
goarch: amd64
pkg: github.com/DataDog/datadog-agent/pkg/serverless/daemon
cpu: AMD EPYC 7763 64-Core Processor
                                      │ baseline/benchmark.log │        current/benchmark.log        │
                                      │         sec/op         │    sec/op     vs base               │
api-gateway-appsec.json                            87.52µ ± 4%    85.44µ ± 4%       ~ (p=0.353 n=10)
api-gateway-kong-appsec.json                       67.65µ ± 2%    67.01µ ± 1%       ~ (p=0.075 n=10)
api-gateway-kong.json                              66.70µ ± 4%    65.85µ ± 1%       ~ (p=0.315 n=10)
api-gateway-non-proxy-async.json                   105.4µ ± 2%    105.0µ ± 7%       ~ (p=0.912 n=10)
api-gateway-non-proxy.json                         105.9µ ± 2%    112.2µ ± 2%  +6.00% (p=0.000 n=10)
api-gateway-websocket-connect.json                 70.63µ ± 1%    74.63µ ± 2%  +5.67% (p=0.000 n=10)
api-gateway-websocket-default.json                 63.30µ ± 1%    65.36µ ± 2%  +3.24% (p=0.000 n=10)
api-gateway-websocket-disconnect.json              63.41µ ± 2%    65.64µ ± 1%  +3.51% (p=0.000 n=10)
api-gateway.json                                   116.0µ ± 1%    116.2µ ± 1%       ~ (p=0.315 n=10)
application-load-balancer.json                     64.43µ ± 1%    64.98µ ± 1%  +0.86% (p=0.002 n=10)
cloudfront.json                                    48.00µ ± 1%    49.10µ ± 3%  +2.29% (p=0.008 n=10)
cloudwatch-events.json                             38.83µ ± 1%    40.64µ ± 3%  +4.68% (p=0.001 n=10)
cloudwatch-logs.json                               65.37µ ± 1%    68.44µ ± 3%  +4.69% (p=0.000 n=10)
custom.json                                        31.35µ ± 2%    31.61µ ± 1%       ~ (p=0.143 n=10)
dynamodb.json                                      93.60µ ± 1%    94.45µ ± 2%  +0.91% (p=0.035 n=10)
empty.json                                         29.31µ ± 1%    29.54µ ± 4%       ~ (p=0.739 n=10)
eventbridge-custom.json                            48.58µ ± 4%    48.30µ ± 1%       ~ (p=0.393 n=10)
eventbridge-no-bus.json                            47.25µ ± 1%    47.24µ ± 3%       ~ (p=0.481 n=10)
eventbridge-no-timestamp.json                      47.11µ ± 2%    46.98µ ± 1%       ~ (p=1.000 n=10)
eventbridgesns.json                                63.78µ ± 1%    63.84µ ± 2%       ~ (p=0.971 n=10)
eventbridgesqs.json                                71.64µ ± 1%    72.21µ ± 2%       ~ (p=0.699 n=10)
http-api.json                                      73.37µ ± 1%    71.99µ ± 3%  -1.89% (p=0.023 n=10)
kinesis-batch.json                                 72.26µ ± 1%    72.38µ ± 1%       ~ (p=0.739 n=10)
kinesis.json                                       55.38µ ± 2%    55.16µ ± 1%       ~ (p=0.853 n=10)
s3.json                                            61.25µ ± 2%    61.08µ ± 2%       ~ (p=0.592 n=10)
sns-batch.json                                     94.04µ ± 1%    94.26µ ± 1%       ~ (p=0.684 n=10)
sns.json                                           68.60µ ± 1%    70.64µ ± 3%  +2.97% (p=0.011 n=10)
snssqs.json                                        117.9µ ± 2%    123.8µ ± 3%  +5.01% (p=0.000 n=10)
snssqs_no_dd_context.json                          107.7µ ± 2%    108.9µ ± 2%       ~ (p=0.481 n=10)
sqs-aws-header.json                                60.30µ ± 2%    60.72µ ± 2%       ~ (p=0.342 n=10)
sqs-batch.json                                     97.44µ ± 2%   100.02µ ± 2%  +2.65% (p=0.005 n=10)
sqs.json                                           74.33µ ± 3%    74.19µ ± 2%       ~ (p=0.684 n=10)
sqs_no_dd_context.json                             69.75µ ± 3%    69.79µ ± 2%       ~ (p=0.971 n=10)
stepfunction.json                                  47.01µ ± 3%    48.57µ ± 5%  +3.33% (p=0.002 n=10)
geomean                                            66.64µ         67.46µ       +1.22%

                                      │ baseline/benchmark.log │        current/benchmark.log        │
                                      │          B/op          │     B/op      vs base               │
api-gateway-appsec.json                           37.34Ki ± 0%   37.33Ki ± 0%       ~ (p=0.853 n=10)
api-gateway-kong-appsec.json                      26.93Ki ± 0%   26.94Ki ± 0%       ~ (p=0.382 n=10)
api-gateway-kong.json                             24.43Ki ± 0%   24.44Ki ± 0%       ~ (p=0.725 n=10)
api-gateway-non-proxy-async.json                  48.14Ki ± 0%   48.14Ki ± 0%       ~ (p=0.869 n=10)
api-gateway-non-proxy.json                        47.35Ki ± 0%   47.37Ki ± 0%  +0.05% (p=0.000 n=10)
api-gateway-websocket-connect.json                25.53Ki ± 0%   25.54Ki ± 0%       ~ (p=0.158 n=10)
api-gateway-websocket-default.json                21.44Ki ± 0%   21.44Ki ± 0%       ~ (p=0.254 n=10)
api-gateway-websocket-disconnect.json             21.22Ki ± 0%   21.22Ki ± 0%       ~ (p=0.254 n=10)
api-gateway.json                                  49.59Ki ± 0%   49.59Ki ± 0%       ~ (p=0.896 n=10)
application-load-balancer.json                    23.31Ki ± 0%   23.32Ki ± 0%       ~ (p=0.170 n=10)
cloudfront.json                                   17.67Ki ± 0%   17.68Ki ± 0%  +0.06% (p=0.022 n=10)
cloudwatch-events.json                            11.73Ki ± 0%   11.74Ki ± 0%  +0.10% (p=0.033 n=10)
cloudwatch-logs.json                              53.38Ki ± 0%   53.39Ki ± 0%       ~ (p=0.224 n=10)
custom.json                                       9.753Ki ± 0%   9.739Ki ± 0%       ~ (p=0.060 n=10)
dynamodb.json                                     40.81Ki ± 0%   40.83Ki ± 0%       ~ (p=0.100 n=10)
empty.json                                        9.310Ki ± 0%   9.312Ki ± 0%       ~ (p=0.362 n=10)
eventbridge-custom.json                           15.02Ki ± 0%   15.02Ki ± 0%       ~ (p=0.469 n=10)
eventbridge-no-bus.json                           14.00Ki ± 0%   14.02Ki ± 0%       ~ (p=0.065 n=10)
eventbridge-no-timestamp.json                     14.02Ki ± 0%   14.03Ki ± 0%       ~ (p=0.684 n=10)
eventbridgesns.json                               20.96Ki ± 0%   20.98Ki ± 1%       ~ (p=0.739 n=10)
eventbridgesqs.json                               25.16Ki ± 0%   25.14Ki ± 0%       ~ (p=0.363 n=10)
http-api.json                                     23.93Ki ± 0%   23.93Ki ± 0%       ~ (p=0.670 n=10)
kinesis-batch.json                                27.16Ki ± 0%   27.12Ki ± 0%       ~ (p=0.123 n=10)
kinesis.json                                      17.92Ki ± 0%   17.90Ki ± 0%       ~ (p=0.971 n=10)
s3.json                                           20.42Ki ± 1%   20.46Ki ± 0%       ~ (p=0.753 n=10)
sns-batch.json                                    39.93Ki ± 0%   39.94Ki ± 0%       ~ (p=0.986 n=10)
sns.json                                          25.13Ki ± 0%   25.20Ki ± 0%  +0.26% (p=0.002 n=10)
snssqs.json                                       53.87Ki ± 0%   53.96Ki ± 0%       ~ (p=0.123 n=10)
snssqs_no_dd_context.json                         47.57Ki ± 0%   47.70Ki ± 0%  +0.28% (p=0.037 n=10)
sqs-aws-header.json                               19.47Ki ± 0%   19.48Ki ± 1%       ~ (p=0.912 n=10)
sqs-batch.json                                    42.38Ki ± 0%   42.37Ki ± 0%       ~ (p=0.971 n=10)
sqs.json                                          26.23Ki ± 0%   26.23Ki ± 0%       ~ (p=1.000 n=10)
sqs_no_dd_context.json                            21.88Ki ± 1%   21.93Ki ± 1%       ~ (p=0.753 n=10)
stepfunction.json                                 14.27Ki ± 2%   14.38Ki ± 1%       ~ (p=0.247 n=10)
geomean                                           24.61Ki        24.62Ki       +0.06%

                                      │ baseline/benchmark.log │        current/benchmark.log        │
                                      │       allocs/op        │ allocs/op   vs base                 │
api-gateway-appsec.json                             629.5 ± 0%   629.0 ± 0%       ~ (p=1.000 n=10)
api-gateway-kong-appsec.json                        488.0 ± 0%   488.0 ± 0%       ~ (p=1.000 n=10)
api-gateway-kong.json                               466.0 ± 0%   466.0 ± 0%       ~ (p=1.000 n=10) ¹
api-gateway-non-proxy-async.json                    726.0 ± 0%   725.5 ± 0%       ~ (p=1.000 n=10)
api-gateway-non-proxy.json                          716.0 ± 0%   716.0 ± 0%       ~ (p=0.474 n=10)
api-gateway-websocket-connect.json                  453.0 ± 0%   453.0 ± 0%       ~ (p=0.474 n=10)
api-gateway-websocket-default.json                  379.0 ± 0%   379.0 ± 0%       ~ (p=1.000 n=10)
api-gateway-websocket-disconnect.json               370.0 ± 0%   370.0 ± 0%       ~ (p=1.000 n=10)
api-gateway.json                                    791.0 ± 0%   791.0 ± 0%       ~ (p=1.000 n=10)
application-load-balancer.json                      353.0 ± 0%   353.0 ± 0%       ~ (p=1.000 n=10) ¹
cloudfront.json                                     284.0 ± 0%   284.0 ± 0%       ~ (p=1.000 n=10)
cloudwatch-events.json                              220.0 ± 0%   220.0 ± 0%       ~ (p=1.000 n=10)
cloudwatch-logs.json                                215.0 ± 0%   216.0 ± 0%       ~ (p=0.370 n=10)
custom.json                                         168.0 ± 0%   168.0 ± 0%       ~ (p=1.000 n=10)
dynamodb.json                                       589.0 ± 0%   589.0 ± 0%       ~ (p=1.000 n=10)
empty.json                                          160.0 ± 1%   160.0 ± 1%       ~ (p=1.000 n=10)
eventbridge-custom.json                             266.0 ± 0%   266.0 ± 0%       ~ (p=0.548 n=10)
eventbridge-no-bus.json                             257.5 ± 0%   258.0 ± 0%       ~ (p=0.350 n=10)
eventbridge-no-timestamp.json                       258.0 ± 0%   258.0 ± 0%       ~ (p=1.000 n=10)
eventbridgesns.json                                 326.0 ± 0%   326.0 ± 1%       ~ (p=1.000 n=10)
eventbridgesqs.json                                 367.0 ± 0%   366.5 ± 0%       ~ (p=0.318 n=10)
http-api.json                                       434.0 ± 0%   434.0 ± 0%       ~ (p=0.690 n=10)
kinesis-batch.json                                  392.0 ± 0%   391.5 ± 0%       ~ (p=0.515 n=10)
kinesis.json                                        286.0 ± 0%   286.0 ± 0%       ~ (p=0.577 n=10)
s3.json                                             358.0 ± 1%   359.0 ± 0%       ~ (p=0.855 n=10)
sns-batch.json                                      479.0 ± 0%   479.0 ± 0%       ~ (p=0.924 n=10)
sns.json                                            346.0 ± 1%   347.0 ± 1%  +0.29% (p=0.010 n=10)
snssqs.json                                         478.0 ± 1%   479.5 ± 0%       ~ (p=0.107 n=10)
snssqs_no_dd_context.json                           436.5 ± 0%   438.0 ± 0%       ~ (p=0.051 n=10)
sqs-aws-header.json                                 287.0 ± 1%   287.0 ± 1%       ~ (p=0.755 n=10)
sqs-batch.json                                      517.5 ± 0%   517.5 ± 0%       ~ (p=0.962 n=10)
sqs.json                                            364.0 ± 1%   364.0 ± 1%       ~ (p=0.944 n=10)
sqs_no_dd_context.json                              349.0 ± 1%   350.0 ± 1%       ~ (p=0.562 n=10)
stepfunction.json                                   237.0 ± 2%   238.5 ± 1%       ~ (p=0.253 n=10)
geomean                                             367.1        367.4       +0.07%
¹ all samples are equal

@agent-platform-auto-pr

[Fast Unit Tests Report]

On pipeline 47884641 (CI Visibility). The following jobs did not run any unit tests:

Jobs:
  • tests_deb-arm64-py3
  • tests_deb-x64-py3
  • tests_flavor_dogstatsd_deb-x64
  • tests_flavor_heroku_deb-x64
  • tests_flavor_iot_deb-x64
  • tests_rpm-arm64-py3
  • tests_rpm-x64-py3
  • tests_windows-x64

If you modified Go files and expected unit tests to run in these jobs, please double-check the job logs. If you think tests should have been executed, reach out to #agent-devx-help.


Regression Detector

Regression Detector Results

Run ID: 316d203e-0d12-4232-b983-6a41ab074c08 Metrics dashboard Target profiles

Baseline: a0e73e3
Comparison: 4dfcff6

Performance changes are noted in the perf column of each table:

  • ✅ = significantly better comparison variant performance
  • ❌ = significantly worse comparison variant performance
  • ➖ = no significant change in performance

No significant changes in experiment optimization goals

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.

Fine details of change detection per experiment

| perf | experiment | goal | Δ mean % | Δ mean % CI | trials | links |
| --- | --- | --- | --- | --- | --- | --- |
|  | otel_to_otel_logs | ingress throughput | +1.17 | [+0.36, +1.98] | 1 | Logs |
|  | basic_py_check | % cpu utilization | +0.98 | [-1.76, +3.73] | 1 | Logs |
|  | quality_gate_idle | memory utilization | +0.36 | [+0.32, +0.41] | 1 | Logs bounds checks dashboard |
|  | pycheck_lots_of_tags | % cpu utilization | +0.29 | [-2.24, +2.81] | 1 | Logs |
|  | uds_dogstatsd_to_api_cpu | % cpu utilization | +0.27 | [-0.45, +1.00] | 1 | Logs |
|  | idle | memory utilization | +0.20 | [+0.15, +0.24] | 1 | Logs bounds checks dashboard |
|  | tcp_syslog_to_blackhole | ingress throughput | +0.10 | [+0.05, +0.15] | 1 | Logs |
|  | file_to_blackhole_300ms_latency | egress throughput | +0.06 | [-0.12, +0.24] | 1 | Logs |
|  | tcp_dd_logs_filter_exclude | ingress throughput | +0.00 | [-0.01, +0.01] | 1 | Logs |
|  | file_to_blackhole_100ms_latency | egress throughput | -0.00 | [-0.23, +0.22] | 1 | Logs |
|  | uds_dogstatsd_to_api | ingress throughput | -0.00 | [-0.10, +0.09] | 1 | Logs |
|  | file_to_blackhole_0ms_latency | egress throughput | -0.01 | [-0.35, +0.32] | 1 | Logs |
|  | file_to_blackhole_500ms_latency | egress throughput | -0.02 | [-0.26, +0.23] | 1 | Logs |
|  | quality_gate_idle_all_features | memory utilization | -0.31 | [-0.42, -0.20] | 1 | Logs bounds checks dashboard |
|  | file_to_blackhole_1000ms_latency | egress throughput | -0.41 | [-0.89, +0.08] | 1 | Logs |
|  | idle_all_features | memory utilization | -0.68 | [-0.82, -0.54] | 1 | Logs bounds checks dashboard |
|  | file_tree | memory utilization | -1.18 | [-1.31, -1.04] | 1 | Logs |

Bounds Checks

| perf | experiment | bounds_check_name | replicates_passed |
| --- | --- | --- | --- |
|  | file_to_blackhole_0ms_latency | memory_usage | 10/10 |
|  | file_to_blackhole_1000ms_latency | memory_usage | 10/10 |
|  | file_to_blackhole_100ms_latency | memory_usage | 10/10 |
|  | file_to_blackhole_300ms_latency | memory_usage | 10/10 |
|  | file_to_blackhole_500ms_latency | memory_usage | 10/10 |
|  | idle | memory_usage | 10/10 |
|  | idle_all_features | memory_usage | 10/10 |
|  | quality_gate_idle | memory_usage | 10/10 |
|  | quality_gate_idle_all_features | memory_usage | 10/10 |

Explanation

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

  1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

  2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

  3. Its configuration does not mark it "erratic".

@amenasria amenasria marked this pull request as ready for review October 31, 2024 13:00
@amenasria amenasria requested review from a team as code owners October 31, 2024 13:00
@amenasria

/merge


dd-devflow bot commented Nov 4, 2024

🚂 MergeQueue: pull request added to the queue

The median merge time in main is 22m.

Use /merge -c to cancel this operation!

@dd-mergequeue dd-mergequeue bot merged commit 3a37382 into main Nov 4, 2024
232 of 233 checks passed
@dd-mergequeue dd-mergequeue bot deleted the amenasria/serverless-safe-gha branch November 4, 2024 14:59
@github-actions github-actions bot added this to the 7.61.0 milestone Nov 4, 2024