feat: use vendored version of requests package in layer. #546
Conversation
purple4reina
force-pushed
the
rey.abolofia/vendored-requests
branch
from
3b9cbac to
540c6ad
Compare
tests/integration/handle.py
Outdated
| @@ -21,6 +22,8 @@ def handle(event, context): | |||
|
|
|||
| # Generate custom metrics | |||
| lambda_metric("hello.dog", 1, tags=["team:serverless", "role:hello"]) | |||
| lambda_metric("hello.cat", 1, tags=["team:serverless", "role:hello"], | |||
| timestamp=time.time() - 60) | |||
There was a problem hiding this comment.
Creating a custom metric with a timestamp forces our instrumentation to use the datadog api package instead of sending the metric to the extension.
purple4reina
force-pushed
the
rey.abolofia/vendored-requests
branch
2 times, most recently
from
00f707b to
aec1eb0
Compare
purple4reina
force-pushed
the
rey.abolofia/vendored-requests
branch
from
aec1eb0 to
de9caa5
Compare
purple4reina
changed the title
purple4reina
changed the title
| lambda_metric("hello.dog", 1, tags=["team:serverless", "role:hello"]) | ||
| lambda_metric( | ||
| "hello.cat", 1, tags=["team:serverless", "role:hello"], timestamp=timestamp | ||
| ) |
There was a problem hiding this comment.
Creating a custom metric with a timestamp forces our instrumentation to use the datadog api package instead of sending the metric to the extension.
![datadog-datadog-prod-us1[bot]](https://avatars.githubusercontent.com/u/365230?s=60&v=4){kind=small}
| @@ -0,0 +1,16 @@ | |||
| name: Check Dependencies | |||
There was a problem hiding this comment.
🟠 Code Vulnerability
No explicit permissions set for at the workflow level (...read more)
Datadog’s GitHub organization defines default permissions for the GITHUB_TOKEN to be restricted (contents:read, metadata:read, and packages:read).
Your repository may require a different setup, so consider defining permissions for each job following the least privilege principle to restrict the impact of a possible compromise.
You can find the list of all possible permissions in Workflow syntax for GitHub Actions - GitHub Docs. They can be defined at the job or the workflow level.
| check: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v3 |
There was a problem hiding this comment.
🟠 Code Vulnerability
Workflow depends on a GitHub actions pinned by tag (...read more)
When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).
No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.
Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.
Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.
purple4reina
force-pushed
the
rey.abolofia/vendored-requests
branch
9 times, most recently
from
34d00fc to
bd762c3
Compare
| - uses: actions/checkout@v3 | ||
|
|
||
| - name: Set up Python ${{ matrix.python-version }} | ||
| uses: actions/setup-python@v4 |
There was a problem hiding this comment.
🟠 Code Vulnerability
Workflow depends on a GitHub actions pinned by tag (...read more)
When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).
No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.
Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.
Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.
purple4reina
force-pushed
the
rey.abolofia/vendored-requests
branch
from
bd762c3 to
4fc91d2
Compare
purple4reina
force-pushed
the
rey.abolofia/vendored-requests
branch
from
4fc91d2 to
591509d
Compare
|
We have tried this idea before, though using the requests version vendored with botocore. However there were major problems and we reverted. See
Since we do not have any control over the lambda runtime, if for some reason the requests version changes or goes away, we have little recourse in trying to solve it. There is potential that it could cause every lambda everywhere to start failing, which is an incredibly high risk, even if chances of it happening are very low. |
What does this PR do?
Removes the requests package from the zipped lambda layer. Adds
/path/to/pip/_vendorto sys.path so requests can instead be imported frompip._vendor.requests.Motivation
Removing requests and all its dependencies from the layer reduces the package size (unzipped) from 15,212 KB to 13,904 KB -- a roughly 8.5% reduction!! (Data gathered running
PYTHON_VERSION=3.12 ARCH=arm64 ./scripts/build_layers.sh)Potential Drawbacks
Some customers may already be relying on the presence of the
requestspackage in our python layer. This change could crash their lambda functions ifrequestsis imported beforedatadog_lambda. This would only be the case if they are using the@datadog_lambda_wrapperdecorator and not the automatic handler redirection usingDD_LAMBDA_HANDLER.For example, prior to this change, assuming a customer adds just our python layer and nothing else, this handler will fail to initialize.
Therefore, we absolutely must include something about the import order importance in the release notes.
Testing Guidelines
Additional Notes
If for some reason the importing of
requestsdoesn't work (saypop._vendor.requestsisn't installed on the container) then the only situation in which the lambda function would raise an exception is when attempting to submit metrics via the datadog api. We do this when either the metric has a post dated timestamp or there is no extension available. Therefore, a pretty narrow use case.Types of Changes
Check all that apply