API Security sampling when tracers lack HTTP routes - Rfc 1076 (#10424)

Implements http.endpoint fallback in the API Security Sampler when http.route is unavailable, enabling sampling of traffic in frameworks that don't provide route information.

Reuses EndpointResolver.computeEndpoint() from RFC-1051 (no code duplication)
Uses static computation method to avoid tagging the span when endpoint is used as fallback
Excludes 404 responses from fallback sampling (failsafe against sampling not-found routes)
Caches computed endpoint with boolean flag to prevent multiple computations per request

Author: jandro996

dd-java-agent/appsec/build.gradle

@@ -16,6 +16,7 @@ dependencies {
   implementation project(':communication')
   implementation project(':products:metrics:metrics-api')
   implementation project(':telemetry')
+  implementation project(':dd-trace-core')
   implementation group: 'io.sqreen', name: 'libsqreen', version: '17.3.0'
   implementation libs.moshi
 

dd-java-agent/appsec/src/main/java/com/datadog/appsec/api/security/ApiSecuritySamplerImpl.java

@@ -57,10 +57,26 @@ public ApiSecuritySamplerImpl(
 
   @Override
   public boolean preSampleRequest(final @Nonnull AppSecRequestContext ctx) {
-    final String route = ctx.getRoute();
+    String route = ctx.getRoute();
+
+    // If route is absent, use http.endpoint as fallback (RFC-1076)
     if (route == null) {
-      return false;
+      // Don't sample blocked requests - they represent attacks, not valid API endpoints
+      if (ctx.isWafBlocked()) {
+        return false;
+      }
+      final int statusCode = ctx.getResponseStatus();
+      // Don't use endpoint for 404 responses as a failsafe
+      if (statusCode == 404) {
+        return false;
+      }
+      // Try to get or compute the endpoint
+      route = ctx.getOrComputeEndpoint();
+      if (route == null) {
+        return false;
+      }
     }
+
     final String method = ctx.getMethod();
     if (method == null) {
       return false;

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/AppSecRequestContext.java

@@ -13,6 +13,7 @@
 import datadog.trace.api.Config;
 import datadog.trace.api.http.StoredBodySupplier;
 import datadog.trace.api.internal.TraceSegment;
+import datadog.trace.core.endpoint.EndpointResolver;
 import datadog.trace.util.Numbers;
 import datadog.trace.util.stacktrace.StackTraceEvent;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
@@ -121,6 +122,9 @@ public class AppSecRequestContext implements DataBundle, Closeable {
   private String method;
   private String savedRawURI;
   private String route;
+  private String httpUrl;
+  private String endpoint;
+  private boolean endpointComputed = false;
   private final Map<String, List<String>> requestHeaders = new LinkedHashMap<>();
   private final Map<String, List<String>> responseHeaders = new LinkedHashMap<>();
   private volatile Map<String, List<String>> collectedCookies;
@@ -424,6 +428,45 @@ public void setRoute(String route) {
     this.route = route;
   }
 
+  public String getHttpUrl() {
+    return httpUrl;
+  }
+
+  public void setHttpUrl(String httpUrl) {
+    this.httpUrl = httpUrl;
+  }
+
+  /**
+   * Gets or computes the http.endpoint for this request. The endpoint is computed lazily on first
+   * access and cached to avoid recomputation.
+   *
+   * @return the http.endpoint value, or null if it cannot be computed
+   */
+  public String getOrComputeEndpoint() {
+    if (!endpointComputed) {
+      if (httpUrl != null && !httpUrl.isEmpty()) {
+        try {
+          endpoint = EndpointResolver.computeEndpoint(httpUrl);
+        } catch (Exception e) {
+          endpoint = null;
+        }
+      }
+      endpointComputed = true;
+    }
+    return endpoint;
+  }
+
+  /**
+   * Sets the endpoint directly without computing it. This is useful when the endpoint has already
+   * been computed elsewhere.
+   *
+   * @param endpoint the endpoint value to set
+   */
+  public void setEndpoint(String endpoint) {
+    this.endpoint = endpoint;
+    this.endpointComputed = true;
+  }
+
   public void setKeepOpenForApiSecurityPostProcessing(final boolean flag) {
     this.keepOpenForApiSecurityPostProcessing = flag;
   }

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java

@@ -949,11 +949,16 @@ private NoopFlow onRequestEnded(RequestContext ctx_, IGSpanInfo spanInfo) {
   private boolean maybeSampleForApiSecurity(
       AppSecRequestContext ctx, IGSpanInfo spanInfo, Map<String, Object> tags) {
     log.debug("Checking API Security for end of request handler on span: {}", spanInfo.getSpanId());
-    // API Security sampling requires http.route tag.
+    // API Security sampling requires http.route tag or http.url for endpoint inference.
     final Object route = tags.get(Tags.HTTP_ROUTE);
     if (route != null) {
       ctx.setRoute(route.toString());
     }
+    // Pass http.url to enable endpoint inference when route is absent
+    final Object url = tags.get(Tags.HTTP_URL);
+    if (url != null) {
+      ctx.setHttpUrl(url.toString());
+    }
     ApiSecuritySampler requestSampler = requestSamplerSupplier.get();
     return requestSampler.preSampleRequest(ctx);
   }