report waf results (#5655)

IlyasShabi · rochdev · commit f034310db03c · 2025-05-16T05:07:04.000Z
diff --git a/packages/dd-trace/src/appsec/graphql.js b/packages/dd-trace/src/appsec/graphql.js
@@ -38,8 +38,8 @@ function onGraphqlStartResolve ({ context, resolverInfo }) {
 
   if (!resolverInfo || typeof resolverInfo !== 'object') return
 
-  const actions = waf.run({ ephemeral: { [addresses.HTTP_INCOMING_GRAPHQL_RESOLVER]: resolverInfo } }, req)
-  const blockingAction = getBlockingAction(actions)
+  const result = waf.run({ ephemeral: { [addresses.HTTP_INCOMING_GRAPHQL_RESOLVER]: resolverInfo } }, req)
+  const blockingAction = getBlockingAction(result?.actions)
   if (blockingAction) {
     const requestData = graphqlRequestData.get(req)
     if (requestData?.isInGraphqlRequest) {
diff --git a/packages/dd-trace/src/appsec/index.js b/packages/dd-trace/src/appsec/index.js
@@ -106,7 +106,7 @@ function onRequestBodyParsed ({ req, res, body, abortController }) {
     }
   }, req)
 
-  handleResults(results, req, res, rootSpan, abortController)
+  handleResults(results?.actions, req, res, rootSpan, abortController)
 }
 
 function onRequestCookieParser ({ req, res, abortController, cookies }) {
@@ -121,7 +121,7 @@ function onRequestCookieParser ({ req, res, abortController, cookies }) {
     }
   }, req)
 
-  handleResults(results, req, res, rootSpan, abortController)
+  handleResults(results?.actions, req, res, rootSpan, abortController)
 }
 
 function incomingHttpStartTranslator ({ req, res, abortController }) {
@@ -149,9 +149,9 @@ function incomingHttpStartTranslator ({ req, res, abortController }) {
     persistent[addresses.HTTP_CLIENT_IP] = clientIp
   }
 
-  const actions = waf.run({ persistent }, req)
+  const results = waf.run({ persistent }, req)
 
-  handleResults(actions, req, res, rootSpan, abortController)
+  handleResults(results?.actions, req, res, rootSpan, abortController)
 }
 
 function incomingHttpEndTranslator ({ req, res }) {
@@ -198,7 +198,7 @@ function onPassportVerify ({ framework, login, user, success, abortController })
 
   const results = UserTracking.trackLogin(framework, login, user, success, rootSpan)
 
-  handleResults(results, store.req, store.req.res, rootSpan, abortController)
+  handleResults(results?.actions, store.req, store.req.res, rootSpan, abortController)
 }
 
 function onPassportDeserializeUser ({ user, abortController }) {
@@ -212,7 +212,7 @@ function onPassportDeserializeUser ({ user, abortController }) {
 
   const results = UserTracking.trackUser(user, rootSpan)
 
-  handleResults(results, store.req, store.req.res, rootSpan, abortController)
+  handleResults(results?.actions, store.req, store.req.res, rootSpan, abortController)
 }
 
 function onExpressSession ({ req, res, sessionId, abortController }) {
@@ -231,7 +231,7 @@ function onExpressSession ({ req, res, sessionId, abortController }) {
     }
   }, req)
 
-  handleResults(results, req, res, rootSpan, abortController)
+  handleResults(results?.actions, req, res, rootSpan, abortController)
 }
 
 function onRequestQueryParsed ({ req, res, query, abortController }) {
@@ -251,7 +251,7 @@ function onRequestQueryParsed ({ req, res, query, abortController }) {
     }
   }, req)
 
-  handleResults(results, req, res, rootSpan, abortController)
+  handleResults(results?.actions, req, res, rootSpan, abortController)
 }
 
 function onRequestProcessParams ({ req, res, abortController, params }) {
@@ -266,7 +266,7 @@ function onRequestProcessParams ({ req, res, abortController, params }) {
     }
   }, req)
 
-  handleResults(results, req, res, rootSpan, abortController)
+  handleResults(results?.actions, req, res, rootSpan, abortController)
 }
 
 function onResponseBody ({ req, res, body }) {
@@ -308,7 +308,7 @@ function onResponseWriteHead ({ req, res, abortController, statusCode, responseH
 
   responseAnalyzedSet.add(res)
 
-  handleResults(results, req, res, rootSpan, abortController)
+  handleResults(results?.actions, req, res, rootSpan, abortController)
 }
 
 function onResponseSetHeader ({ res, abortController }) {
diff --git a/packages/dd-trace/src/appsec/rasp/index.js b/packages/dd-trace/src/appsec/rasp/index.js
@@ -85,10 +85,12 @@ function blockOnDatadogRaspAbortError ({ error }) {
   const abortError = findDatadogRaspAbortError(error)
   if (!abortError) return false
 
-  const { req, res, blockingAction, raspRule } = abortError
+  const { req, res, blockingAction, raspRule, ruleTriggered } = abortError
   if (!isBlocked(res)) {
     const blocked = block(req, res, web.root(req), null, blockingAction)
-    updateRaspRuleMatchMetricTags(req, raspRule, true, blocked)
+    if (ruleTriggered) {
+      updateRaspRuleMatchMetricTags(req, raspRule, true, blocked)
+    }
   }
 
   return true
diff --git a/packages/dd-trace/src/appsec/rasp/utils.js b/packages/dd-trace/src/appsec/rasp/utils.js
@@ -20,23 +20,26 @@ const RULE_TYPES = {
 }
 
 class DatadogRaspAbortError extends Error {
-  constructor (req, res, blockingAction, raspRule) {
+  constructor (req, res, blockingAction, raspRule, ruleTriggered) {
     super('DatadogRaspAbortError')
     this.name = 'DatadogRaspAbortError'
     this.req = req
     this.res = res
     this.blockingAction = blockingAction
     this.raspRule = raspRule
+    this.ruleTriggered = ruleTriggered
   }
 }
 
-function handleResult (actions, req, res, abortController, config, raspRule) {
-  const generateStackTraceAction = actions?.generate_stack
+function handleResult (result, req, res, abortController, config, raspRule) {
+  const generateStackTraceAction = result?.actions?.generate_stack
 
   const { enabled, maxDepth, maxStackTraces } = config.appsec.stackTrace
 
   const rootSpan = web.root(req)
 
+  const ruleTriggered = !!result?.events?.length
+
   if (generateStackTraceAction && enabled && canReportStackTrace(rootSpan, maxStackTraces)) {
     const frames = getCallsiteFrames(maxDepth)
 
@@ -48,11 +51,11 @@ function handleResult (actions, req, res, abortController, config, raspRule) {
   }
 
   if (abortController && !abortOnUncaughtException) {
-    const blockingAction = getBlockingAction(actions)
+    const blockingAction = getBlockingAction(result?.actions)
 
     // Should block only in express
     if (blockingAction && rootSpan?.context()._name === 'express.request') {
-      const abortError = new DatadogRaspAbortError(req, res, blockingAction, raspRule)
+      const abortError = new DatadogRaspAbortError(req, res, blockingAction, raspRule, ruleTriggered)
       abortController.abort(abortError)
 
       // TODO Delete this when support for node 16 is removed
@@ -64,7 +67,9 @@ function handleResult (actions, req, res, abortController, config, raspRule) {
     }
   }
 
-  updateRaspRuleMatchMetricTags(req, raspRule, false, false)
+  if (ruleTriggered) {
+    updateRaspRuleMatchMetricTags(req, raspRule, false, false)
+  }
 }
 
 module.exports = {
diff --git a/packages/dd-trace/src/appsec/sdk/user_blocking.js b/packages/dd-trace/src/appsec/sdk/user_blocking.js
@@ -9,8 +9,8 @@ const { setUserTags } = require('./set_user')
 const log = require('../../log')
 
 function isUserBlocked (user) {
-  const actions = waf.run({ persistent: { [USER_ID]: user.id } })
-  return !!getBlockingAction(actions)
+  const results = waf.run({ persistent: { [USER_ID]: user.id } })
+  return !!getBlockingAction(results?.actions)
 }
 
 function checkUserAndSetUser (tracer, user) {
diff --git a/packages/dd-trace/src/appsec/telemetry/index.js b/packages/dd-trace/src/appsec/telemetry/index.js
@@ -41,8 +41,7 @@ function newStore () {
       wafErrorCode: null,
       raspErrorCode: null,
       wafVersion: null,
-      rulesVersion: null,
-      ruleTriggered: null
+      rulesVersion: null
     }
   }
 }
diff --git a/packages/dd-trace/src/appsec/telemetry/rasp.js b/packages/dd-trace/src/appsec/telemetry/rasp.js
@@ -49,10 +49,6 @@ function trackRaspMetrics (store, metrics, raspRule) {
     telemetryMetrics.rulesVersion = metrics.rulesVersion
   }
 
-  if (metrics.ruleTriggered) {
-    telemetryMetrics.ruleTriggered = true
-  }
-
   appsecMetrics.count('rasp.rule.eval', tags).inc(1)
 
   if (metrics.errorCode) {
@@ -68,7 +64,6 @@ function trackRaspMetrics (store, metrics, raspRule) {
 
 function trackRaspRuleMatch (store, raspRule, blockTriggered, blocked) {
   const telemetryMetrics = store[DD_TELEMETRY_REQUEST_METRICS]
-  if (!telemetryMetrics.ruleTriggered) return
 
   const tags = {
     waf_version: telemetryMetrics.wafVersion,
@@ -82,10 +77,6 @@ function trackRaspRuleMatch (store, raspRule, blockTriggered, blocked) {
   }
 
   appsecMetrics.count('rasp.rule.match', tags).inc(1)
-
-  // this is needed to not count it twice for the same match
-  // but it also means it can only be called once per waf call even if there are multiple rasp match
-  telemetryMetrics.ruleTriggered = null
 }
 
 function trackRaspRuleSkipped (raspRule, reason) {
diff --git a/packages/dd-trace/src/appsec/waf/waf_context_wrapper.js b/packages/dd-trace/src/appsec/waf/waf_context_wrapper.js
@@ -19,7 +19,7 @@ class WAFContextWrapper {
     this.rulesVersion = rulesVersion
     this.knownAddresses = knownAddresses
     this.addressesToSkip = new Set()
-    this.cachedUserIdActions = new Map()
+    this.cachedUserIdResults = new Map()
   }
 
   run ({ persistent, ephemeral }, raspRule) {
@@ -36,9 +36,9 @@ class WAFContextWrapper {
     // TODO: make this universal
     const userId = persistent?.[addresses.USER_ID] || ephemeral?.[addresses.USER_ID]
     if (userId) {
-      const cachedAction = this.cachedUserIdActions.get(userId)
-      if (cachedAction) {
-        return cachedAction
+      const cachedResults = this.cachedUserIdResults.get(userId)
+      if (cachedResults) {
+        return cachedResults
       }
     }
 
@@ -142,7 +142,7 @@ class WAFContextWrapper {
 
       Reporter.reportDerivatives(result.derivatives)
 
-      return result.actions
+      return result
     } catch (err) {
       log.error('[ASM] Error while running the AppSec WAF', err)
 
@@ -168,7 +168,7 @@ class WAFContextWrapper {
           const parameter = match.parameters[k]
 
           if (parameter?.address === addresses.USER_ID) {
-            this.cachedUserIdActions.set(userId, result.actions)
+            this.cachedUserIdResults.set(userId, result)
             return
           }
         }
diff --git a/packages/dd-trace/test/appsec/graphql.spec.js b/packages/dd-trace/test/appsec/graphql.spec.js
@@ -217,7 +217,9 @@ describe('GraphQL', () => {
       const abortController = context.abortController
 
       sinon.stub(waf, 'run').returns({
-        block_request: blockParameters
+        actions: {
+          block_request: blockParameters
+        }
       })
 
       sinon.stub(web, 'root').returns(rootSpan)
@@ -247,7 +249,9 @@ describe('GraphQL', () => {
       const abortController = context.abortController
 
       sinon.stub(waf, 'run').returns({
-        block_request: blockParameters
+        actions: {
+          block_request: blockParameters
+        }
       })
 
       sinon.stub(web, 'root').returns(rootSpan)
diff --git a/packages/dd-trace/test/appsec/index.spec.js b/packages/dd-trace/test/appsec/index.spec.js
@@ -32,10 +32,12 @@ const telemetryMetrics = require('../../src/telemetry/metrics')
 const addresses = require('../../src/appsec/addresses')
 
 const resultActions = {
-  block_request: {
-    status_code: '401',
-    type: 'auto',
-    grpc_status_code: '10'
+  actions: {
+    block_request: {
+      status_code: '401',
+      type: 'auto',
+      grpc_status_code: '10'
+    }
   }
 }
 
diff --git a/packages/dd-trace/test/appsec/rasp/index.spec.js b/packages/dd-trace/test/appsec/rasp/index.spec.js
@@ -93,7 +93,7 @@ describe('RASP', () => {
 
     it('should block DatadogRaspAbortError first time and update metrics', () => {
       rasp.blockOnDatadogRaspAbortError({
-        error: new DatadogRaspAbortError(req, res, blockingAction, raspRule)
+        error: new DatadogRaspAbortError(req, res, blockingAction, raspRule, true)
       })
 
       sinon.assert.calledOnce(block)
@@ -102,16 +102,16 @@ describe('RASP', () => {
 
     it('should skip calling block if blocked before', () => {
       rasp.blockOnDatadogRaspAbortError({
-        error: new DatadogRaspAbortError(req, res, blockingAction, raspRule)
+        error: new DatadogRaspAbortError(req, res, blockingAction, raspRule, true)
       })
 
       blocked = true
 
       rasp.blockOnDatadogRaspAbortError({
-        error: new DatadogRaspAbortError(req, res, blockingAction, raspRule)
+        error: new DatadogRaspAbortError(req, res, blockingAction, raspRule, true)
       })
       rasp.blockOnDatadogRaspAbortError({
-        error: new DatadogRaspAbortError(req, res, blockingAction, raspRule)
+        error: new DatadogRaspAbortError(req, res, blockingAction, raspRule, true)
       })
 
       sinon.assert.calledOnce(block)
diff --git a/packages/dd-trace/test/appsec/rasp/utils.spec.js b/packages/dd-trace/test/appsec/rasp/utils.spec.js
@@ -48,9 +48,12 @@ describe('RASP - utils.js', () => {
       const rootSpan = {}
       const stackId = 'test_stack_id'
       const result = {
-        generate_stack: {
-          stack_id: stackId
-        }
+        actions: {
+          generate_stack: {
+            stack_id: stackId
+          }
+        },
+        events: [{ a: [1] }]
       }
 
       web.root.returns(rootSpan)
@@ -69,8 +72,10 @@ describe('RASP - utils.js', () => {
         }
       }
       const result = {
-        generate_stack: {
-          stack_id: 'stackId'
+        actions: {
+          generate_stack: {
+            stack_id: 'stackId'
+          }
         }
       }
 
@@ -102,8 +107,10 @@ describe('RASP - utils.js', () => {
 
     it('should not report stack trace when stack trace reporting is disabled', () => {
       const result = {
-        generate_stack: {
-          stack_id: 'stackId'
+        actions: {
+          generate_stack: {
+            stack_id: 'stackId'
+          }
         }
       }
       const config = {
@@ -129,7 +136,9 @@ describe('RASP - utils.js', () => {
         signal: {}
       }
       const result = {
-        blocking_action: { type: 'block_request' }
+        actions: {
+          blocking_action: { type: 'block_request' }
+        }
       }
 
       web.root.returns(rootSpan)
@@ -140,7 +149,7 @@ describe('RASP - utils.js', () => {
       const abortError = abortController.abort.firstCall.args[0]
       expect(abortError).to.be.instanceOf(utils.DatadogRaspAbortError)
       expect(abortError.raspRule).to.equal(raspRule)
-      expect(abortError.blockingAction).to.equal(result.blocking_action)
+      expect(abortError.blockingAction).to.equal(result.actions.blocking_action)
     })
 
     it('should call updateRaspRuleMatchMetricTags when no blockingAction is present', () => {
@@ -149,7 +158,9 @@ describe('RASP - utils.js', () => {
         abort: sinon.stub(),
         signal: {}
       }
-      const result = {}
+      const result = {
+        events: [{ a: [1] }]
+      }
 
       web.root.returns(rootSpan)
 
diff --git a/packages/dd-trace/test/appsec/sdk/user_blocking.spec.js b/packages/dd-trace/test/appsec/sdk/user_blocking.spec.js
diff --git a/packages/dd-trace/test/appsec/telemetry/rasp.spec.js b/packages/dd-trace/test/appsec/telemetry/rasp.spec.js
diff --git a/packages/dd-trace/test/appsec/waf/index.spec.js b/packages/dd-trace/test/appsec/waf/index.spec.js

Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,7 @@ function onRequestBodyParsed ({ req, res, body, abortController }) {`
`106`	`106`	`}`
`107`	`107`	`}, req)`
`108`	`108`
`109`		`- handleResults(results, req, res, rootSpan, abortController)`
	`109`	`+ handleResults(results?.actions, req, res, rootSpan, abortController)`
`110`	`110`	`}`
`111`	`111`
`112`	`112`	`function onRequestCookieParser ({ req, res, abortController, cookies }) {`
`@@ -121,7 +121,7 @@ function onRequestCookieParser ({ req, res, abortController, cookies }) {`
`121`	`121`	`}`
`122`	`122`	`}, req)`
`123`	`123`
`124`		`- handleResults(results, req, res, rootSpan, abortController)`
	`124`	`+ handleResults(results?.actions, req, res, rootSpan, abortController)`
`125`	`125`	`}`
`126`	`126`
`127`	`127`	`function incomingHttpStartTranslator ({ req, res, abortController }) {`
`@@ -149,9 +149,9 @@ function incomingHttpStartTranslator ({ req, res, abortController }) {`
`149`	`149`	`persistent[addresses.HTTP_CLIENT_IP] = clientIp`
`150`	`150`	`}`
`151`	`151`
`152`		`- const actions = waf.run({ persistent }, req)`
	`152`	`+ const results = waf.run({ persistent }, req)`
`153`	`153`
`154`		`- handleResults(actions, req, res, rootSpan, abortController)`
	`154`	`+ handleResults(results?.actions, req, res, rootSpan, abortController)`
`155`	`155`	`}`
`156`	`156`
`157`	`157`	`function incomingHttpEndTranslator ({ req, res }) {`
`@@ -198,7 +198,7 @@ function onPassportVerify ({ framework, login, user, success, abortController })`
`198`	`198`
`199`	`199`	`const results = UserTracking.trackLogin(framework, login, user, success, rootSpan)`
`200`	`200`
`201`		`- handleResults(results, store.req, store.req.res, rootSpan, abortController)`
	`201`	`+ handleResults(results?.actions, store.req, store.req.res, rootSpan, abortController)`
`202`	`202`	`}`
`203`	`203`
`204`	`204`	`function onPassportDeserializeUser ({ user, abortController }) {`
`@@ -212,7 +212,7 @@ function onPassportDeserializeUser ({ user, abortController }) {`
`212`	`212`
`213`	`213`	`const results = UserTracking.trackUser(user, rootSpan)`
`214`	`214`
`215`		`- handleResults(results, store.req, store.req.res, rootSpan, abortController)`
	`215`	`+ handleResults(results?.actions, store.req, store.req.res, rootSpan, abortController)`
`216`	`216`	`}`
`217`	`217`
`218`	`218`	`function onExpressSession ({ req, res, sessionId, abortController }) {`
`@@ -231,7 +231,7 @@ function onExpressSession ({ req, res, sessionId, abortController }) {`
`231`	`231`	`}`
`232`	`232`	`}, req)`
`233`	`233`
`234`		`- handleResults(results, req, res, rootSpan, abortController)`
	`234`	`+ handleResults(results?.actions, req, res, rootSpan, abortController)`
`235`	`235`	`}`
`236`	`236`
`237`	`237`	`function onRequestQueryParsed ({ req, res, query, abortController }) {`
`@@ -251,7 +251,7 @@ function onRequestQueryParsed ({ req, res, query, abortController }) {`
`251`	`251`	`}`
`252`	`252`	`}, req)`
`253`	`253`
`254`		`- handleResults(results, req, res, rootSpan, abortController)`
	`254`	`+ handleResults(results?.actions, req, res, rootSpan, abortController)`
`255`	`255`	`}`
`256`	`256`
`257`	`257`	`function onRequestProcessParams ({ req, res, abortController, params }) {`
`@@ -266,7 +266,7 @@ function onRequestProcessParams ({ req, res, abortController, params }) {`
`266`	`266`	`}`
`267`	`267`	`}, req)`
`268`	`268`
`269`		`- handleResults(results, req, res, rootSpan, abortController)`
	`269`	`+ handleResults(results?.actions, req, res, rootSpan, abortController)`
`270`	`270`	`}`
`271`	`271`
`272`	`272`	`function onResponseBody ({ req, res, body }) {`
`@@ -308,7 +308,7 @@ function onResponseWriteHead ({ req, res, abortController, statusCode, responseH`
`308`	`308`
`309`	`309`	`responseAnalyzedSet.add(res)`
`310`	`310`
`311`		`- handleResults(results, req, res, rootSpan, abortController)`
	`311`	`+ handleResults(results?.actions, req, res, rootSpan, abortController)`
`312`	`312`	`}`
`313`	`313`
`314`	`314`	`function onResponseSetHeader ({ res, abortController }) {`
Original file line number	Diff line number	Diff line change
`@@ -9,8 +9,8 @@ const { setUserTags } = require('./set_user')`
`9`	`9`	`const log = require('../../log')`
`10`	`10`
`11`	`11`	`function isUserBlocked (user) {`
`12`		`- const actions = waf.run({ persistent: { [USER_ID]: user.id } })`
`13`		`- return !!getBlockingAction(actions)`
	`12`	`+ const results = waf.run({ persistent: { [USER_ID]: user.id } })`
	`13`	`+ return !!getBlockingAction(results?.actions)`
`14`	`14`	`}`
`15`	`15`
`16`	`16`	`function checkUserAndSetUser (tracer, user) {`
Original file line number	Diff line number	Diff line change
`@@ -41,8 +41,7 @@ function newStore () {`
`41`	`41`	`wafErrorCode: null,`
`42`	`42`	`raspErrorCode: null,`
`43`	`43`	`wafVersion: null,`
`44`		`- rulesVersion: null,`
`45`		`- ruleTriggered: null`
	`44`	`+ rulesVersion: null`
`46`	`45`	`}`
`47`	`46`	`}`
`48`	`47`	`}`