perf(appsec): cache negative SQLi RASP evaluations#18704
Benchmarks (bot comment): Benchmark execution time: 2026-06-26 11:53:10. Comparing candidate commit 93cfd4d in PR branch. Found 0 performance improvements and 3 performance regressions! Performance is the same for 81 metrics, 0 unstable metrics. Listed scenarios: scenario:iast_aspects-re_expand_aspect, scenario:iast_aspects-re_match_noaspect, scenario:iastaspectsospath-ospathbasename_aspect.
Force-pushed f28fea8 to 10e550f.
Introduces RaspSqliCache, a per-request negative cache for SQLi RASP evaluations. Repeated identical queries in one request skip WAF subcontext allocation entirely on cache hit.

Design choices:
- Cache key is (hash(sql), db_system): uses hash() instead of the sql string reference to avoid holding query strings in memory for the request lifetime. Python's SipHash-1-3 with a 128-bit random seed makes adversarial collisions infeasible; accidental collision probability at 128 entries is ~4e-16 per request.
- Invalidation is event-driven: the cache is cleared whenever the processor sends a new persistent address to the WAF main context (rule_type is None branch in _waf_action), since the WAF subcontext inherits main context data and previously-cached results may not hold.
- Max 128 entries per request; only clean results (return_code==0, no data/actions/timeout/meta) are cached.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Force-pushed 10e550f to 93cfd4d.
Description
SQLi RASP checks run on every instrumented DB call. ORM-heavy endpoints trigger many identical queries per request (N+1 patterns, repeated lookups) — each previously ran a full libddwaf subcontext evaluation.
This PR adds a request-local negative-result cache for SQLi RASP. When the WAF returns a clean result for a `(sql_statement, db_system, persistent_addresses_snapshot)` triple, subsequent identical evaluations within the same request skip subcontext creation and WAF execution.
Cache safety:
SQLi-only for now; other RASP types lack the same high-frequency repeated-call pattern.
Testing
Three new unit tests in `tests/appsec/appsec/test_processor.py`:
Risks
Cache correctness depends on WAF determinism for a given `(sql, db_system, inherited_addresses)` triple, which holds for current SQLi rules. The cache is conservative: any non-trivially-clean result skips caching. False negatives (unnecessary re-evaluation) are possible; false positives (skipping a real attack) are not.
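To make the design concrete, here is a small Python model of the cache described in the commit message and the Description above: keyed on (hash(sql), db_system), bounded to 128 entries, caching only trivially clean results, and cleared whenever a new persistent address reaches the WAF main context. It is an added illustration, not the PR's own RaspSqliCache or any libddwaf code; WafResult, RequestContext and the WAF callable are hypothetical stand-ins.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Set, Tuple

@dataclass
class WafResult:  # stand-in for a libddwaf result (constructed for this example, not the real API)
    return_code: int = 0
    data: Optional[list] = None
    actions: Optional[dict] = None
    timeout: bool = False
    meta: Optional[dict] = None

    def is_clean(self) -> bool:
        # Only a trivially clean result qualifies for caching; anything else re-runs the WAF.
        return self.return_code == 0 and not (self.data or self.actions or self.timeout or self.meta)

class RaspSqliCache:  # per-request negative cache keyed on (hash(sql), db_system)
    MAX_ENTRIES = 128

    def __init__(self) -> None:
        self._clean: Set[Tuple[int, str]] = set()

    def hit(self, sql: str, db_system: str) -> bool:
        # hash() instead of the string: no query text is retained for the request lifetime.
        return (hash(sql), db_system) in self._clean

    def record(self, sql: str, db_system: str, result: WafResult) -> bool:
        if not result.is_clean() or len(self._clean) >= self.MAX_ENTRIES:
            return False  # non-clean or over budget: not cached, the WAF runs again next time
        self._clean.add((hash(sql), db_system))
        return True

    def invalidate(self) -> None:
        self._clean.clear()

class RequestContext:  # hypothetical per-request processor wiring the cache around a WAF callable
    def __init__(self, waf: Callable[[str, str], WafResult]) -> None:
        self._waf, self._cache, self.waf_calls = waf, RaspSqliCache(), 0

    def send_persistent_address(self, name: str, value: object) -> None:
        # New persistent data in the WAF main context is inherited by every subcontext,
        # so previously cached negatives may no longer hold: drop them all.
        self._cache.invalidate()

    def evaluate_sqli(self, sql: str, db_system: str) -> WafResult:
        if self._cache.hit(sql, db_system):
            return WafResult()  # cache hit: skip subcontext allocation and the WAF run
        self.waf_calls += 1
        result = self._waf(sql, db_system)
        self._cache.record(sql, db_system, result)
        return result
```

A flagged, timed-out or otherwise non-empty result is never recorded, so the cache can only add redundant WAF runs, never suppress one that would have fired.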