WIP

Author: jandro996

dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/blocking/BlockingActionHelper.java

@@ -118,12 +118,27 @@ public static TemplateType determineTemplateType(
   }
 
   public static byte[] getTemplate(TemplateType type) {
+    return getTemplate(type, null);
+  }
+
+  public static byte[] getTemplate(TemplateType type, String blockId) {
+    byte[] template;
     if (type == TemplateType.JSON) {
-      return TEMPLATE_JSON;
+      template = TEMPLATE_JSON;
     } else if (type == TemplateType.HTML) {
-      return TEMPLATE_HTML;
+      template = TEMPLATE_HTML;
+    } else {
+      return null;
     }
-    return null;
+
+    if (blockId == null || blockId.isEmpty()) {
+      return template;
+    }
+
+    // Perform placeholder replacement for {block_id}
+    String templateString = new String(template, java.nio.charset.StandardCharsets.UTF_8);
+    String replacedTemplate = templateString.replace("{block_id}", blockId);
+    return replacedTemplate.getBytes(java.nio.charset.StandardCharsets.UTF_8);
   }
 
   public static String getContentType(TemplateType type) {

dd-java-agent/agent-bootstrap/src/main/resources/datadog/trace/bootstrap/blocking/template.html

@@ -1 +1 @@
-<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>You've been blocked</title><style>a,body,div,html,span{margin:0;padding:0;border:0;font-size:100%;font:inherit;vertical-align:baseline}body{background:-webkit-radial-gradient(26% 19%,circle,#fff,#f4f7f9);background:radial-gradient(circle at 26% 19%,#fff,#f4f7f9);display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-ms-flex-line-pack:center;align-content:center;width:100%;min-height:100vh;line-height:1;flex-direction:column}p{display:block}main{text-align:center;flex:1;display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-ms-flex-line-pack:center;align-content:center;flex-direction:column}p{font-size:18px;line-height:normal;color:#646464;font-family:sans-serif;font-weight:400}a{color:#4842b7}footer{width:100%;text-align:center}footer p{font-size:16px}</style></head><body><main><p>Sorry, you cannot access this page. Please contact the customer service team.</p></main><footer><p>Security provided by <a href="https://www.datadoghq.com/product/security-platform/application-security-monitoring/" target="_blank">Datadog</a></p></footer></body></html>
+<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>You've been blocked</title><style>a,body,div,html,span{margin:0;padding:0;border:0;font-size:100%;font:inherit;vertical-align:baseline}body{background:-webkit-radial-gradient(26% 19%,circle,#fff,#f4f7f9);background:radial-gradient(circle at 26% 19%,#fff,#f4f7f9);display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-ms-flex-line-pack:center;align-content:center;width:100%;min-height:100vh;line-height:1;flex-direction:column}p{display:block}main{text-align:center;flex:1;display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-ms-flex-line-pack:center;align-content:center;flex-direction:column}p{font-size:18px;line-height:normal;color:#646464;font-family:sans-serif;font-weight:400}a{color:#4842b7}footer{width:100%;text-align:center}footer p{font-size:16px}.block-id{font-size:14px;color:#999;margin-top:20px;font-family:monospace}</style></head><body><main><p>Sorry, you cannot access this page. Please contact the customer service team.</p><p class="block-id">Event ID: {block_id}</p></main><footer><p>Security provided by <a href="https://www.datadoghq.com/product/security-platform/application-security-monitoring/" target="_blank">Datadog</a></p></footer></body></html>

dd-java-agent/agent-bootstrap/src/main/resources/datadog/trace/bootstrap/blocking/template.json

@@ -1 +1 @@
-{"errors":[{"title":"You've been blocked","detail":"Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}]}
+{"errors":[{"title":"You've been blocked","detail":"Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}],"block_id":"{block_id}"}

dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/blocking/BlockingActionHelperSpecification.groovy

@@ -167,4 +167,106 @@ class BlockingActionHelperSpecification extends DDSpecification {
     BlockingActionHelper.reset(Config.get())
     tempDir.deleteDir()
   }
+
+  void 'getTemplate with block_id replaces placeholder in HTML template'() {
+    given:
+    def blockId = '12345678-1234-1234-1234-123456789abc'
+
+    when:
+    def template = BlockingActionHelper.getTemplate(HTML, blockId)
+    def templateStr = new String(template, StandardCharsets.UTF_8)
+
+    then:
+    templateStr.contains("Event ID: ${blockId}")
+    !templateStr.contains('{block_id}')
+  }
+
+  void 'getTemplate with block_id replaces placeholder in JSON template'() {
+    given:
+    def blockId = '12345678-1234-1234-1234-123456789abc'
+
+    when:
+    def template = BlockingActionHelper.getTemplate(JSON, blockId)
+    def templateStr = new String(template, StandardCharsets.UTF_8)
+
+    then:
+    templateStr.contains("\"block_id\":\"${blockId}\"")
+    !templateStr.contains('{block_id}')
+  }
+
+  void 'getTemplate without block_id keeps placeholder in HTML template'() {
+    when:
+    def template = BlockingActionHelper.getTemplate(HTML, null)
+    def templateStr = new String(template, StandardCharsets.UTF_8)
+
+    then:
+    templateStr.contains('{block_id}')
+  }
+
+  void 'getTemplate without block_id keeps placeholder in JSON template'() {
+    when:
+    def template = BlockingActionHelper.getTemplate(JSON, null)
+    def templateStr = new String(template, StandardCharsets.UTF_8)
+
+    then:
+    templateStr.contains('{block_id}')
+  }
+
+  void 'getTemplate with empty block_id keeps placeholder'() {
+    when:
+    def htmlTemplate = BlockingActionHelper.getTemplate(HTML, '')
+    def jsonTemplate = BlockingActionHelper.getTemplate(JSON, '')
+
+    then:
+    new String(htmlTemplate, StandardCharsets.UTF_8).contains('{block_id}')
+    new String(jsonTemplate, StandardCharsets.UTF_8).contains('{block_id}')
+  }
+
+  void 'getTemplate with block_id works with custom HTML template'() {
+    setup:
+    File tempDir = File.createTempDir('testTempDir-', '')
+    Config config = Mock(Config)
+    File tempFile = new File(tempDir, 'template.html')
+    tempFile << '<body>Custom template with block_id: {block_id}</body>'
+    def blockId = 'test-block-id-123'
+
+    when:
+    BlockingActionHelper.reset(config)
+    def template = BlockingActionHelper.getTemplate(HTML, blockId)
+    def templateStr = new String(template, StandardCharsets.UTF_8)
+
+    then:
+    1 * config.getAppSecHttpBlockedTemplateHtml() >> tempFile.toString()
+    1 * config.getAppSecHttpBlockedTemplateJson() >> null
+    templateStr.contains("Custom template with block_id: ${blockId}")
+    !templateStr.contains('{block_id}')
+
+    cleanup:
+    BlockingActionHelper.reset(Config.get())
+    tempDir.deleteDir()
+  }
+
+  void 'getTemplate with block_id works with custom JSON template'() {
+    setup:
+    File tempDir = File.createTempDir('testTempDir-', '')
+    Config config = Mock(Config)
+    File tempFile = new File(tempDir, 'template.json')
+    tempFile << '{"error":"blocked","id":"{block_id}"}'
+    def blockId = 'test-block-id-456'
+
+    when:
+    BlockingActionHelper.reset(config)
+    def template = BlockingActionHelper.getTemplate(JSON, blockId)
+    def templateStr = new String(template, StandardCharsets.UTF_8)
+
+    then:
+    1 * config.getAppSecHttpBlockedTemplateHtml() >> null
+    1 * config.getAppSecHttpBlockedTemplateJson() >> tempFile.toString()
+    templateStr.contains("\"error\":\"blocked\",\"id\":\"${blockId}\"")
+    !templateStr.contains('{block_id}')
+
+    cleanup:
+    BlockingActionHelper.reset(Config.get())
+    tempDir.deleteDir()
+  }
 }

dd-java-agent/appsec/src/main/java/com/datadog/appsec/ddwaf/WAFModule.java

@@ -477,7 +477,9 @@ private Flow.Action.RequestBlockingAction createBlockRequestAction(
         } catch (IllegalArgumentException iae) {
           log.warn("Unknown content type: {}; using auto", contentType);
         }
-        return new Flow.Action.RequestBlockingAction(statusCode, blockingContentType);
+        String blockId = (String) actionInfo.parameters.get("block_id");
+        return new Flow.Action.RequestBlockingAction(
+            statusCode, blockingContentType, Collections.emptyMap(), blockId);
       } catch (RuntimeException cce) {
         log.warn("Invalid blocking action data", cce);
         if (!isRasp) {
@@ -506,7 +508,13 @@ private Flow.Action.RequestBlockingAction createRedirectRequestAction(
         if (location == null) {
           throw new RuntimeException("redirect_request action has no location");
         }
-        return Flow.Action.RequestBlockingAction.forRedirect(statusCode, location);
+        String blockId = (String) actionInfo.parameters.get("block_id");
+        if (blockId != null) {
+          // Append block_id as URL parameter to redirect location
+          String separator = location.contains("?") ? "&" : "?";
+          location = location + separator + "block_id=" + blockId;
+        }
+        return Flow.Action.RequestBlockingAction.forRedirect(statusCode, location, blockId);
       } catch (RuntimeException cce) {
         log.warn("Invalid blocking action data", cce);
         if (!isRasp) {

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/ddwaf/WAFModuleSpecification.groovy

@@ -608,7 +608,13 @@ class WAFModuleSpecification extends DDSpecification {
     flow.action instanceof Flow.Action.RequestBlockingAction
     with(flow.action as Flow.Action.RequestBlockingAction) {
       assert it.statusCode == statusCode
-      assert it.extraHeaders == [Location: "https://example${variant}.com/"]
+      // Location header may include block_id parameter from libddwaf
+      def location = it.extraHeaders['Location']
+      assert location.startsWith("https://example${variant}.com/")
+      // If block_id is present, it should be a valid UUID
+      if (location.contains('block_id=')) {
+        assert location.matches(".*block_id=[0-9a-f-]{36}.*")
+      }
     }
 
     where:
@@ -2047,6 +2053,82 @@ class WAFModuleSpecification extends DDSpecification {
     !flow.blocking // Should not block since keep: false
   }
 
+  void 'block_id is extracted from blocking action and included in RequestBlockingAction'() {
+    setup:
+    def rulesConfig = [
+      version: '2.1',
+      metadata: [
+        rules_version: '1.0.0'
+      ],
+      actions: [
+        [
+          id: 'block',
+          type: 'block_request',
+          parameters: [
+            status_code: 403,
+            type: 'json'
+          ]
+        ]
+      ],
+      rules: [
+        [
+          id: 'test-rule',
+          name: 'Test blocking rule',
+          tags: [
+            type: 'security_scanner',
+            category: 'attack_attempt'
+          ],
+          conditions: [
+            [
+              parameters: [
+                inputs: [
+                  [
+                    address: 'server.request.headers.no_cookies',
+                    key_path: ['user-agent']
+                  ]
+                ],
+                regex: '^BlockTest'
+              ],
+              operator: 'match_regex'
+            ]
+          ],
+          on_match: ['block']
+        ]
+      ]
+    ]
+
+    when:
+    initialRuleAddWithMap(rulesConfig)
+    wafModule.applyConfig(reconf)
+    def bundle = MapDataBundle.of(KnownAddresses.HEADERS_NO_COOKIES,
+      new CaseInsensitiveMap<List<String>>(['user-agent': 'BlockTest']))
+    def flow = new ChangeableFlow()
+    dataListener.onDataAvailable(flow, ctx, bundle, gwCtx)
+    ctx.closeWafContext()
+
+    then:
+    1 * ctx.getOrCreateWafContext(_, true, false)
+    2 * ctx.getWafMetrics() >> metrics
+    1 * ctx.isWafContextClosed() >> false
+    1 * ctx.closeWafContext()
+    1 * ctx.reportEvents(_)
+    1 * ctx.setWafBlocked()
+    1 * ctx.isThrottled(null)
+    1 * ctx.setManuallyKept(true)
+    0 * ctx._(*_)
+    flow.blocking
+    flow.action instanceof Flow.Action.RequestBlockingAction
+    with(flow.action as Flow.Action.RequestBlockingAction) {
+      assert it.statusCode == 403
+      assert it.blockingContentType == BlockingContentType.JSON
+      // blockId should be extracted from libddwaf (or null if not present)
+      // With libddwaf v18.0.0, block_id is automatically generated
+      // We just verify the field is accessible
+      def blockId = it.blockId
+      assert blockId == null || blockId.matches('[0-9a-f-]{36}')
+    }
+  }
+
   private static class BadConfig implements Map<String, Object> {
     @Delegate
     private Map<String, Object> delegate

dd-java-agent/instrumentation/servlet/jakarta-servlet-5.0/src/main/java/datadog/trace/instrumentation/servlet5/JakartaServletBlockingHelper.java

@@ -23,6 +23,17 @@ public static void commitBlockingResponse(
       int statusCode_,
       BlockingContentType bct,
       Map<String, String> extraHeaders) {
+    commitBlockingResponse(segment, httpServletRequest, resp, statusCode_, bct, extraHeaders, null);
+  }
+
+  public static void commitBlockingResponse(
+      TraceSegment segment,
+      HttpServletRequest httpServletRequest,
+      HttpServletResponse resp,
+      int statusCode_,
+      BlockingContentType bct,
+      Map<String, String> extraHeaders,
+      String blockId) {
     int statusCode = BlockingActionHelper.getHttpCode(statusCode_);
     if (!start(resp, statusCode)) {
       return;
@@ -37,7 +48,7 @@ public static void commitBlockingResponse(
       String acceptHeader = httpServletRequest.getHeader("Accept");
       BlockingActionHelper.TemplateType type =
           BlockingActionHelper.determineTemplateType(bct, acceptHeader);
-      template = BlockingActionHelper.getTemplate(type);
+      template = BlockingActionHelper.getTemplate(type, blockId);
       String contentType = BlockingActionHelper.getContentType(type);
 
       resp.setHeader("Content-length", Integer.toString(template.length));
@@ -68,7 +79,8 @@ public static void commitBlockingResponse(
         resp,
         rba.getStatusCode(),
         rba.getBlockingContentType(),
-        rba.getExtraHeaders());
+        rba.getExtraHeaders(),
+        rba.getBlockId());
   }
 
   private static boolean start(HttpServletResponse resp, int statusCode) {