Fixed closing WAF context (#7681)

* Check if additive is closed

* Added parallel endpoint to simulate span misalignment

* Spotless

* Missing files

* Spotbugs

* Fixed tests

* Added test for closed waf context

* Spotless

* Minor improvement

* Avoid race condition when closing additive

Author: ValentinZakharov

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/AppSecRequestContext.java

@@ -116,6 +116,7 @@ public class AppSecRequestContext implements DataBundle, Closeable {
 
   // should be guarded by this
   private volatile Additive additive;
+  private volatile boolean additiveClosed;
   // set after additive is set
   private volatile PowerwafMetrics wafMetrics;
   private volatile PowerwafMetrics raspMetrics;
@@ -203,6 +204,7 @@ public void closeAdditive() {
       synchronized (this) {
         if (additive != null) {
           try {
+            additiveClosed = true;
             additive.close();
           } finally {
             additive = null;
@@ -550,4 +552,8 @@ public boolean isThrottled(RateLimiter rateLimiter) {
     }
     return throttled;
   }
+
+  public boolean isAdditiveClosed() {
+    return additiveClosed;
+  }
 }

dd-java-agent/appsec/src/main/java/com/datadog/appsec/powerwaf/PowerWAFModule.java

@@ -410,6 +410,11 @@ public void onDataAvailable(
         return;
       }
 
+      if (reqCtx.isAdditiveClosed()) {
+        log.debug("Skipped; the WAF context is closed");
+        return;
+      }
+
       StandardizedLogging.executingWAF(log);
       long start = 0L;
       if (log.isDebugEnabled()) {
@@ -430,7 +435,9 @@ public void onDataAvailable(
         }
         return;
       } catch (AbstractPowerwafException e) {
-        log.error("Error calling WAF", e);
+        if (!reqCtx.isAdditiveClosed()) {
+          log.error("Error calling WAF", e);
+        }
         return;
       } finally {
         if (log.isDebugEnabled()) {

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/powerwaf/PowerWAFModuleSpecification.groovy

@@ -211,6 +211,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
     2 * tracer.activeSpan()
     1 * ctx.reportEvents(_ as Collection<AppSecEvent>)
     1 * ctx.getWafMetrics()
+    1 * ctx.isAdditiveClosed() >> false
     1 * ctx.closeAdditive()
     1 * flow.isBlocking()
     1 * ctx.isThrottled(null)
@@ -244,6 +245,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
     2 * tracer.activeSpan()
     1 * ctx.reportEvents(_ as Collection<AppSecEvent>)
     1 * ctx.getWafMetrics()
+    1 * ctx.isAdditiveClosed() >> false
     2 * ctx.closeAdditive()
     1 * flow.isBlocking()
     1 * ctx.isThrottled(null)
@@ -285,6 +287,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
     2 * tracer.activeSpan()
     1 * ctx.reportEvents(_ as Collection<AppSecEvent>)
     1 * ctx.getWafMetrics()
+    1 * ctx.isAdditiveClosed() >> false
     1 * ctx.closeAdditive()
     1 * flow.isBlocking()
     1 * ctx.isThrottled(null)
@@ -309,6 +312,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
     2 * tracer.activeSpan()
     1 * ctx.reportEvents(_ as Collection<AppSecEvent>)
     1 * ctx.getWafMetrics()
+    1 * ctx.isAdditiveClosed() >> false
     1 * ctx.closeAdditive()
     1 * flow.isBlocking()
     1 * ctx.isThrottled(null)
@@ -365,6 +369,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
     2 * tracer.activeSpan()
     1 * ctx.reportEvents(_ as Collection<AppSecEvent>)
     1 * ctx.getWafMetrics()
+    1 * ctx.isAdditiveClosed() >> false
     1 * ctx.closeAdditive()
     1 * flow.isBlocking()
     1 * ctx.isThrottled(null)
@@ -383,6 +388,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
       pwafAdditive = it[0].openAdditive()
     }
     1 * ctx.getWafMetrics()
+    1 * ctx.isAdditiveClosed() >> false
     1 * ctx.closeAdditive()
     0 * _
   }
@@ -441,6 +447,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
     2 * tracer.activeSpan()
     1 * ctx.reportEvents(_ as Collection<AppSecEvent>)
     1 * ctx.getWafMetrics()
+    1 * ctx.isAdditiveClosed() >> false
     1 * ctx.closeAdditive() >> { pwafAdditive.close() }
     1 * ctx.setBlocked()
     1 * ctx.isThrottled(null)
@@ -461,6 +468,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
       pwafAdditive = it[0].openAdditive()
     }
     1 * ctx.getWafMetrics()
+    1 * ctx.isAdditiveClosed() >> false
     1 * ctx.closeAdditive()
     0 * _
   }
@@ -522,6 +530,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
     // we get two events: one for origin rule, and one for the custom one
     1 * ctx.reportEvents(hasSize(2))
     1 * ctx.getWafMetrics()
+    1 * ctx.isAdditiveClosed() >> false
     1 * ctx.closeAdditive()
     1 * ctx.setBlocked()
     1 * ctx.isThrottled(null)
@@ -598,6 +607,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
     2 * tracer.activeSpan()
     1 * ctx.reportEvents(_ as Collection<AppSecEvent>)
     1 * ctx.getWafMetrics()
+    1 * ctx.isAdditiveClosed() >> false
     1 * ctx.closeAdditive()
     1 * flow.isBlocking()
     1 * ctx.isThrottled(null)
@@ -621,6 +631,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
       pwafAdditive
     }
     1 * ctx.getWafMetrics() >> metrics
+    1 * ctx.isAdditiveClosed() >> false
     1 * ctx.closeAdditive()
     1 * ctx.reportEvents(_)
     1 * ctx.setBlocked()
@@ -686,6 +697,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
       pwafAdditive
     }
     1 * ctx.getWafMetrics() >> metrics
+    1 * ctx.isAdditiveClosed() >> false
     1 * ctx.closeAdditive()
     1 * ctx.reportEvents(_)
     1 * ctx.setBlocked()
@@ -712,6 +724,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
       pwafAdditive = it[0].openAdditive()
     }
     1 * ctx.getWafMetrics() >> null
+    1 * ctx.isAdditiveClosed() >> false
     1 * ctx.closeAdditive()
     1 * ctx.reportEvents(_)
     1 * ctx.setBlocked()
@@ -768,6 +781,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
     1 * ctx.reportEvents(*_)
     1 * ctx.setBlocked()
     1 * ctx.isThrottled(null)
+    1 * ctx.isAdditiveClosed() >> false
     0 * ctx._(*_)
     flow.blocking == true
   }
@@ -1032,6 +1046,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
     1 * ctx.reportEvents(_ as Collection<AppSecEvent>)
     1 * ctx.getWafMetrics()
     1 * flow.setAction({ it.blocking })
+    1 * ctx.isAdditiveClosed() >> false
     1 * ctx.closeAdditive()
     1 * flow.isBlocking()
     1 * ctx.isThrottled(null)
@@ -1086,6 +1101,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
     1 * ctx.getOrCreateAdditive(_, true, false) >> {
       pwafAdditive = it[0].openAdditive() }
     1 * ctx.getWafMetrics()
+    1 * ctx.isAdditiveClosed() >> false
     1 * ctx.closeAdditive() >> { pwafAdditive.close() }
     _ * ctx.increaseTimeouts()
     0 * _
@@ -1108,6 +1124,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
     1 * ctx.getOrCreateAdditive(_, true, false) >> {
       pwafAdditive = it[0].openAdditive() }
     1 * ctx.getWafMetrics()
+    1 * ctx.isAdditiveClosed() >> false
     1 * ctx.closeAdditive() >> {pwafAdditive.close()}
     1 * reconf.reloadSubscriptions()
     _ * ctx.increaseTimeouts()
@@ -1132,6 +1149,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
     1 * ctx.reportEvents(_ as Collection<AppSecEvent>)
     1 * ctx.getWafMetrics()
     1 * flow.setAction({ it.blocking })
+    1 * ctx.isAdditiveClosed() >> false
     1 * ctx.closeAdditive() >> {pwafAdditive.close()}
     1 * flow.isBlocking()
     1 * ctx.isThrottled(null)
@@ -1155,6 +1173,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
     1 * reconf.reloadSubscriptions()
     1 * ctx.getOrCreateAdditive(_, true, false) >> { pwafAdditive = it[0].openAdditive() }
     1 * ctx.getWafMetrics()
+    1 * ctx.isAdditiveClosed() >> false
     1 * ctx.closeAdditive()
     _ * ctx.increaseTimeouts()
     0 * _
@@ -1184,6 +1203,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
     // no attack
     1 * ctx.getOrCreateAdditive(_, true, false) >> { pwafAdditive = it[0].openAdditive() }
     1 * ctx.getWafMetrics()
+    1 * ctx.isAdditiveClosed() >> false
     1 * ctx.closeAdditive() >> {pwafAdditive.close()}
     _ * ctx.increaseTimeouts()
     0 * _
@@ -1207,6 +1227,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
     1 * ctx.getOrCreateAdditive(_, true, false) >> {
       pwafAdditive = it[0].openAdditive() }
     1 * ctx.getWafMetrics()
+    1 * ctx.isAdditiveClosed() >> false
     1 * ctx.closeAdditive() >> {pwafAdditive.close()}
     _ * ctx.increaseTimeouts()
     0 * _
@@ -1234,6 +1255,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
     1 * flow.setAction({ it.blocking })
     2 * tracer.activeSpan()
     1 * ctx.reportEvents(_ as Collection<AppSecEvent>)
+    1 * ctx.isAdditiveClosed() >> false
     1 * ctx.closeAdditive() >> {pwafAdditive.close()}
     _ * ctx.increaseTimeouts()
     1 * ctx.isThrottled(null)
@@ -1256,6 +1278,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
     1 * ctx.getOrCreateAdditive(_, true, false) >> {
       pwafAdditive = it[0].openAdditive() }
     1 * ctx.getWafMetrics()
+    1 * ctx.isAdditiveClosed() >> false
     1 * ctx.closeAdditive()
     _ * ctx.increaseTimeouts()
     0 * _
@@ -1371,6 +1394,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
     1 * ctx.getWafMetrics()
     1 * flow.isBlocking()
     1 * ctx.isThrottled(null)
+    1 * ctx.isAdditiveClosed() >> false
     0 * _
 
     when:
@@ -1386,6 +1410,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
       it[0].iterator().next().ruleMatches[0].parameters[0].value == 'user-to-block-1'
     }
     1 * ctx.getWafMetrics()
+    1 * ctx.isAdditiveClosed() >> false
     1 * ctx.closeAdditive()
     1 * ctx.isThrottled(null)
     1 * flow.isBlocking()
@@ -1485,6 +1510,7 @@ class PowerWAFModuleSpecification extends DDSpecification {
     1 * flow.setAction({ Flow.Action.RequestBlockingAction rba ->
       rba.statusCode == 402 && rba.blockingContentType == BlockingContentType.AUTO
     })
+    1 * ctx.isAdditiveClosed() >> false
   }
 
   void 'http endpoint fingerprint support'() {
@@ -1555,6 +1581,26 @@ class PowerWAFModuleSpecification extends DDSpecification {
     addresses.contains(KnownAddresses.REQUEST_BODY_OBJECT)
   }
 
+  void 'waf not used if the context is closed'() {
+    ChangeableFlow flow = Mock()
+
+    when:
+    setupWithStubConfigService('rules_with_data_config.json')
+    dataListener = pwafModule.dataSubscriptions.first()
+
+    def bundle = MapDataBundle.of(
+      KnownAddresses.USER_ID,
+      'legit-user'
+      )
+    ctx.closeAdditive()
+    dataListener.onDataAvailable(flow, ctx, bundle, gwCtx)
+
+    then:
+    1 * ctx.closeAdditive()
+    1 * ctx.isAdditiveClosed() >> true
+    0 * _
+  }
+
   private Map<String, Object> getDefaultConfig() {
     def service = new StubAppSecConfigService()
     service.init()

dd-smoke-tests/appsec/springboot/src/main/java/datadog/smoketest/appsec/springboot/AsyncConfig.java

@@ -0,0 +1,22 @@
+package datadog.smoketest.appsec.springboot;
+
+import java.util.concurrent.Executor;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.scheduling.annotation.EnableAsync;
+import org.springframework.scheduling.concurrent.ThreadPoolTaskExecutor;
+
+@Configuration
+@EnableAsync
+public class AsyncConfig {
+  @Bean(name = "taskExecutor")
+  public Executor taskExecutor() {
+    ThreadPoolTaskExecutor executor = new ThreadPoolTaskExecutor();
+    executor.setCorePoolSize(5);
+    executor.setMaxPoolSize(10);
+    executor.setQueueCapacity(100);
+    executor.setThreadNamePrefix("Async-");
+    executor.initialize();
+    return executor;
+  }
+}

dd-smoke-tests/appsec/springboot/src/main/java/datadog/smoketest/appsec/springboot/controller/WebController.java

@@ -1,12 +1,14 @@
 package datadog.smoketest.appsec.springboot.controller;
 
+import datadog.smoketest.appsec.springboot.service.AsyncService;
 import java.io.File;
 import java.net.URL;
 import java.nio.file.Paths;
 import java.sql.Connection;
 import java.sql.DriverManager;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -20,6 +22,9 @@
 
 @RestController
 public class WebController {
+
+  @Autowired private AsyncService myAsyncService;
+
   @RequestMapping("/greeting")
   public String greeting() {
     return "Sup AppSec Dawg";
@@ -46,6 +51,12 @@ public String sqliQuery(@RequestParam("id") String id) throws Exception {
     return "EXECUTED";
   }
 
+  @GetMapping("parallel/sqli/query")
+  public String sqliQueryParallel(@RequestParam("id") String id) {
+    myAsyncService.performAsyncTask(id);
+    return "EXECUTED";
+  }
+
   @GetMapping("/sqli/header")
   public String sqliHeader(@RequestHeader("x-custom-header") String id) throws Exception {
     Connection conn = DriverManager.getConnection("jdbc:h2:mem:testdb", "sa", "");

dd-smoke-tests/appsec/springboot/src/main/java/datadog/smoketest/appsec/springboot/service/AsyncService.java

@@ -0,0 +1,20 @@
+package datadog.smoketest.appsec.springboot.service;
+
+import java.sql.Connection;
+import java.sql.DriverManager;
+import org.springframework.scheduling.annotation.Async;
+import org.springframework.stereotype.Service;
+
+@Service
+public class AsyncService {
+
+  @Async("taskExecutor")
+  public void performAsyncTask(String id) {
+    try {
+      Connection conn = DriverManager.getConnection("jdbc:h2:mem:testdb", "sa", "");
+      conn.createStatement().execute("SELECT 1 FROM DUAL WHERE '1' = '" + id + "'");
+    } catch (Exception e) {
+      // ignore
+    }
+  }
+}

gradle/spotbugFilters/exclude.xml

@@ -6,6 +6,7 @@
       <Package name="io.sqreen.testapp.sampleapp" />
       <Package name="datadog.trace.bootstrap.instrumentation.decorator.http.utils" />
       <Package name="datadog.smoketest.appsec.springboot.controller" />
+      <Package name="datadog.smoketest.appsec.springboot.service" />
       <!-- these are auto-generated -->
       <Package name="com.datadog.appsec.report.raw.contexts._definitions" />
       <Package name="com.datadog.appsec.report.raw.contexts.actor" />