From 8c52213e047cde29a773714fc304135635d8dedd Mon Sep 17 00:00:00 2001
From: Gustavo Caso
Date: Tue, 3 Oct 2023 11:02:58 +0200
Subject: [PATCH] Compress and encode schema information
---
 Steepfile | 1 +
 lib/datadog/appsec/event.rb | 14 +++++++++++++-
 sig/datadog/appsec/event.rbs | 2 ++
 spec/datadog/appsec/event_spec.rb | 15 +++++++++++++--
 4 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/Steepfile b/Steepfile
index 1239e9c5875..538c8a11f47 100644
--- a/Steepfile
+++ b/Steepfile
@@ -619,6 +619,7 @@ target :ddtrace do
 library 'securerandom'
 library 'base64'
 library 'digest'
+ library 'zlib'
 repo_path 'vendor/rbs'
 library 'cucumber'
diff --git a/lib/datadog/appsec/event.rb b/lib/datadog/appsec/event.rb
index 4462d4fcbf5..5547cf99fe4 100644
--- a/lib/datadog/appsec/event.rb
+++ b/lib/datadog/appsec/event.rb
@@ -1,4 +1,6 @@
 require 'json'
+require 'zlib'
+require 'base64'
 require_relative 'rate_limiter'
@@ -34,6 +36,8 @@ module Event
 Content-Language
 ].map!(&:downcase).freeze
+ MAX_ENCODED_SCHEMA_SIZE = 25000
+
 # Record events for a trace
 #
 # This is expected to be called only once per trace for the rate limiter
@@ -110,7 +114,15 @@ def self.build_service_entry_tags(event_group)
 tags['_dd.appsec.triggers'] += waf_result.events
 waf_result.derivatives.each do |key, value|
- tags[key] = JSON.dump(value)
+ data = Base64.encode64(Zlib.gzip(JSON.dump(value)))
+
+ if data.size >= MAX_ENCODED_SCHEMA_SIZE
+ Datadog.logger.debug do
+ "Schema key: #{key} exceed max size value. We do not include it as part of the span tags"
+ end
+ next
+ end
+ tags[key] = data
 end
 tags
diff --git a/sig/datadog/appsec/event.rbs b/sig/datadog/appsec/event.rbs
index db301c40bf9..d63863c76d3 100644
--- a/sig/datadog/appsec/event.rbs
+++ b/sig/datadog/appsec/event.rbs
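Review bot: `MAX_ENCODED_SCHEMA_SIZE = 25000` in the second hunk of lib/datadog/appsec/event.rb has no comment saying what it bounds or in which unit. The only use visible in this patch compares it with `data.size` of the Base64 text, so it limits the encoded tag value rather than the raw schema. I would add `# Upper bound, in characters of the gzip + Base64 encoded value, for a schema derivative stored as a span tag` above it and write the literal as `25_000`.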
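Review bot: `Base64.encode64` in the derivatives loop (third hunk of lib/datadog/appsec/event.rb, inside build_service_entry_tags) breaks its output with a newline after every 60 encoded characters and appends a trailing one, so the value stored in `tags[key]` contains embedded line breaks, and those characters also count toward MAX_ENCODED_SCHEMA_SIZE. Unless the consumer of these span tags expects MIME-style wrapping, `data = Base64.strict_encode64(Zlib.gzip(JSON.dump(value)))` produces a single-line value. The size check runs only after the derivative has been serialized, compressed and encoded, so an oversized value still costs that work before it is dropped; a short comment stating that this is accepted would help. The method body starts and ends outside the hunk.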
@@ -5,6 +5,8 @@ module Datadog
 ALLOWED_RESPONSE_HEADERS: untyped
+ MAX_ENCODED_SCHEMA_SIZE: Numeric
+
 def self.record: (Datadog::Tracing::SpanOperation, *untyped events) -> (nil | untyped)
 def self.record_via_span: (Datadog::Tracing::SpanOperation, *untyped events) -> untyped
diff --git a/spec/datadog/appsec/event_spec.rb b/spec/datadog/appsec/event_spec.rb
index 99b97845cd2..0dff58fce8a 100644
--- a/spec/datadog/appsec/event_spec.rb
+++ b/spec/datadog/appsec/event_spec.rb
@@ -112,9 +112,20 @@
 }
 end
- it 'adds derivatives to the top level span meta' do
+ it 'adds derivatives after comporessing and encode to Base64 to the top level span meta' do
 meta = top_level_span.meta
- expect(meta['_dd.appsec.s.req.headers']).to eq JSON.dump([{ 'host' => [8], 'version' => [8] }])
+ result = Base64.encode64(Zlib.gzip(JSON.dump([{ 'host' => [8], 'version' => [8] }])))
+
+ expect(meta['_dd.appsec.s.req.headers']).to eq result
+ end
+
+ context 'derivative values exceed Event::MAX_ENCODED_SCHEMA_SIZE value' do
+ it 'do not add derivative key to meta' do
+ stub_const('Datadog::AppSec::Event::MAX_ENCODED_SCHEMA_SIZE', 1)
+ meta = top_level_span.meta
+
+ expect(meta['_dd.appsec.s.req.headers']).to be_nil
+ end
 end
 end
 end
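Review bot: The first example in the spec/datadog/appsec/event_spec.rb hunk rebuilds its expected string with a second `Zlib.gzip` call, which can make `eq result` flaky. As far as I know the gzip header records the current time when no mtime is supplied, so two calls that straddle a second boundary may produce different bytes. Decoding the tag is more robust and checks what a consumer would actually read: `decoded = JSON.parse(Zlib.gunzip(Base64.decode64(meta['_dd.appsec.s.req.headers'])))` followed by `expect(decoded).to eq [{ 'host' => [8], 'version' => [8] }]`. The example description also has a typo, 'comporessing'. The enclosing describe/context blocks begin outside the hunk.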