[nodejs@ugaitz/fix-possible-memory-leak] Add API10 system tests for downstream response body limits

[uurien]

Motivation

Add end-to-end coverage for API10 downstream HTTP response body collection limits in Node.js (Express). These guards are implemented in dd-trace-js (DD_API_SECURITY_MAX_DOWNSTREAM_BODY_BYTES, content-type, and content-length checks) and need system-tests to validate that skipped collection is reflected in span metrics and that res_body is not attached when collection is ignored.

Changes

• internal_server: add GET /downstream_response/{profile} with controlled responses for invalid_content_type, content_length_missing (chunked), and content_length_too_big.
• Express weblog: refactor external request forwarding; add GET /external_request/{failure_reason} mapping to internal-server profiles (keep /external_request and /external_request/redirect unchanged).
• APPSEC_RASP scenario: set DD_API_SECURITY_MAX_DOWNSTREAM_BODY_BYTES=128 so limits are easy to trigger in CI.
• test_api10.py: add three tests asserting response_body_ignored.* metrics and absence of _dd.appsec.trace.res_body for each failure reason.
• manifests/nodejs.yml: enable new tests on express4 / express5 with dd-trace >= 5.106.0.
• config_norm_rules.json: register DD_API_SECURITY_MAX_DOWNSTREAM_BODY_BYTES.
• Docs: document /external_request/{failure_reason} in the end-to-end weblog spec.

Workflow

1. ⚠️ Create your PR as draft ⚠️
2. Work on you PR until the CI passes
3. Mark it as ready for review
   • Test logic is modified? -> Get a review from RFC owner.
   • Framework is modified, or non obvious usage of it -> get a review from R&P team

🚀 Once your PR is reviewed and the CI green, you can merge it!

🛟 #apm-shared-testing 🛟

Reviewer checklist

• Anything but tests/ or manifests/ is modified ? I have the approval from R&P team
• A docker base image is modified?
  • the relevant build-XXX-image label is present
• A scenario is added, removed or renamed?
  • Get a review from R&P team

[github-actions]

CODEOWNERS have been resolved as:

docs/understand/weblogs/end-to-end_weblog.md                            @DataDog/system-tests-core
manifests/nodejs.yml                                                    @DataDog/dd-trace-js
tests/appsec/rasp/test_api10.py                                         @DataDog/asm-libraries @DataDog/system-tests-core
utils/_context/_scenarios/appsec_rasp.py                                @DataDog/system-tests-core
utils/build/docker/internal_server/app.py                               @DataDog/system-tests-core
utils/build/docker/nodejs/express/app.js                                @DataDog/dd-trace-js @DataDog/system-tests-core
utils/telemetry/intake/static/config_norm_rules.json                    @DataDog/apm-sdk

[datadog-prod-us1-3]

 

✨ Fix all issues with BitsAI

⚠️ Warnings

🚦 3 Pipeline jobs failed

Testing the test | all-jobs-are-green     

🔧 Fix in code (Fix with Cursor).

Some CI checks failed: target branch specified and failed system tests.

Testing the test | System Tests (nodejs, dev) / End-to-end #3 / nextjs 3     

🔄 Retry job. This looks flaky and may succeed on retry.

Docker compose pull failed after 3 attempts due to unknown errors retrieving image manifests from Docker registry.

Testing the test | Fail if target branch is specified     

🛟 This job is unlikely to succeed on retry. Please review your pipeline configuration.

This PR can't be merged, due to the title specifying a target branch.

ℹ️ Info

No other issues found (see more)

🧪 All tests passed
❄️ No new flaky tests detected

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 1db50da | Docs | Datadog PR Page | Give us feedback!}