Skip sampling if the request is already blocked

cataphract · cataphract · commit 0d833f97d8ab · 2026-01-06T18:50:03.000-03:00
diff --git a/appsec/src/extension/commands_helpers.c b/appsec/src/extension/commands_helpers.c
@@ -11,6 +11,7 @@
 #include "logging.h"
 #include "msgpack_helpers.h"
 #include "request_abort.h"
+#include "request_lifecycle.h"
 #include "tags.h"
 #include "telemetry.h"
 #include "user_tracking.h"
@@ -593,13 +594,13 @@ static dd_result _command_process_actions(
             res = dd_should_block;
             _command_process_block_parameters(
                 &ctx->block_params, mpack_node_array_at(action, 1));
-            dd_tags_add_blocked();
+            dd_req_lifecycle_set_blocked();
         } else if (dd_mpack_node_lstr_eq(verdict, "redirect") &&
                    res != dd_should_redirect) {
             res = dd_should_redirect;
             _command_process_redirect_parameters(
                 &ctx->block_params, mpack_node_array_at(action, 1));
-            dd_tags_add_blocked();
+            dd_req_lifecycle_set_blocked();
         } else if (dd_mpack_node_lstr_eq(verdict, "record") &&
                    res == dd_success) {
             res = dd_should_record;
diff --git a/appsec/src/extension/request_lifecycle.c b/appsec/src/extension/request_lifecycle.c
@@ -50,13 +50,18 @@ static THREAD_LOCAL_ON_ZTS zend_string *nullable _client_ip;
 static THREAD_LOCAL_ON_ZTS zval _blocking_function;
 static THREAD_LOCAL_ON_ZTS bool _shutdown_done_on_commit;
 static THREAD_LOCAL_ON_ZTS bool _empty_service_or_env;
+static THREAD_LOCAL_ON_ZTS bool _request_blocked;
 #define MAX_LENGTH_OF_REM_CFG_PATH 31
 static THREAD_LOCAL_ON_ZTS char
     _last_rem_cfg_path[MAX_LENGTH_OF_REM_CFG_PATH + 1];
 #define CLIENT_IP_LOOKUP_FAILED ((zend_string *)-1)
 
 bool dd_req_is_user_req(void) { return _enabled_user_req; }
 
+void dd_req_lifecycle_set_blocked(void) { _request_blocked = true; }
+
+bool dd_req_lifecycle_is_blocked(void) { return _request_blocked; }
+
 void dd_req_lifecycle_startup(void)
 {
     // we assume that frankenphp is running in worker mode because
@@ -427,6 +432,7 @@ static void _reset_globals(void)
     ZVAL_UNDEF(&_blocking_function);
 
     _shutdown_done_on_commit = false;
+    _request_blocked = false;
     dd_tags_rshutdown();
     dd_rasp_reset_globals();
 }
@@ -924,6 +930,11 @@ static uint64_t _calc_sampling_key(zend_object *root_span, int status_code)
         return 0;
     }
 
+    if (_request_blocked) {
+        mlog_g(dd_log_debug, "Request was blocked; not sampling for API security");
+        return 0;
+    }
+
     if (!root_span) {
         return 0;
     }
diff --git a/appsec/src/extension/request_lifecycle.h b/appsec/src/extension/request_lifecycle.h
@@ -8,6 +8,8 @@
 extern ddtrace_user_req_listeners dd_user_req_listeners;
 
 bool dd_req_is_user_req(void);
+void dd_req_lifecycle_set_blocked(void);
+bool dd_req_lifecycle_is_blocked(void);
 void dd_req_lifecycle_startup(void);
 void dd_req_lifecycle_rinit(bool force);
 void dd_req_lifecycle_rshutdown(bool ignore_verdict, bool force);
diff --git a/appsec/src/extension/tags.c b/appsec/src/extension/tags.c
@@ -142,7 +142,6 @@ static THREAD_LOCAL_ON_ZTS bool _user_event_triggered;
 static THREAD_LOCAL_ON_ZTS bool _appsec_json_frags_inited;
 static THREAD_LOCAL_ON_ZTS zend_llist _appsec_json_frags;
 static THREAD_LOCAL_ON_ZTS zend_string *nullable _event_user_id;
-static THREAD_LOCAL_ON_ZTS bool _blocked;
 
 static void _init_relevant_headers(void);
 static zend_string *_concat_json_fragments(void);
@@ -352,7 +351,6 @@ void dd_tags_rinit(void)
 
     // Just in case...
     _event_user_id = NULL;
-    _blocked = false;
 }
 
 void dd_tags_add_appsec_json_frag(zend_string *nonnull zstr)
@@ -440,8 +438,6 @@ void dd_tags_add_tags(
     }
 }
 
-void dd_tags_add_blocked(void) { _blocked = true; }
-
 static void _zend_string_release_indirect(void *s)
 {
     zend_string_release(*(zend_string **)s);
@@ -830,7 +826,7 @@ static void _dd_event_user_id(zend_array *meta_ht)
 
 static void _dd_appsec_blocked(zend_array *meta_ht)
 {
-    if (_blocked) {
+    if (dd_req_lifecycle_is_blocked()) {
         _add_new_zstr_to_meta(
             meta_ht, _dd_tag_blocked_zstr, _true_zstr, true, false);
     }
diff --git a/appsec/src/extension/tags.h b/appsec/src/extension/tags.h
@@ -18,7 +18,6 @@ void dd_tags_shutdown(void);
 void dd_tags_rinit(void);
 void dd_tags_rshutdown(void);
 void dd_tags_add_tags(zend_object *nonnull span, zend_array *nullable superglob_equiv);
-void dd_tags_add_blocked(void);
 void dd_tags_set_user_event_triggered(void);
 
 // Copies (or increases refcount) of zstr

Original file line number	Diff line number	Diff line change
`@@ -142,7 +142,6 @@ static THREAD_LOCAL_ON_ZTS bool _user_event_triggered;`
`142`	`142`	`static THREAD_LOCAL_ON_ZTS bool _appsec_json_frags_inited;`
`143`	`143`	`static THREAD_LOCAL_ON_ZTS zend_llist _appsec_json_frags;`
`144`	`144`	`static THREAD_LOCAL_ON_ZTS zend_string *nullable _event_user_id;`
`145`		`-static THREAD_LOCAL_ON_ZTS bool _blocked;`
`146`	`145`
`147`	`146`	`static void _init_relevant_headers(void);`
`148`	`147`	`static zend_string *_concat_json_fragments(void);`
`@@ -352,7 +351,6 @@ void dd_tags_rinit(void)`
`352`	`351`
`353`	`352`	`// Just in case...`
`354`	`353`	`_event_user_id = NULL;`
`355`		`- _blocked = false;`
`356`	`354`	`}`
`357`	`355`
`358`	`356`	`void dd_tags_add_appsec_json_frag(zend_string *nonnull zstr)`
`@@ -440,8 +438,6 @@ void dd_tags_add_tags(`
`440`	`438`	`}`
`441`	`439`	`}`
`442`	`440`
`443`		`-void dd_tags_add_blocked(void) { _blocked = true; }`
`444`		`-`
`445`	`441`	`static void _zend_string_release_indirect(void *s)`
`446`	`442`	`{`
`447`	`443`	`zend_string_release((zend_string *)s);`
`@@ -830,7 +826,7 @@ static void _dd_event_user_id(zend_array *meta_ht)`
`830`	`826`
`831`	`827`	`static void _dd_appsec_blocked(zend_array *meta_ht)`
`832`	`828`	`{`
`833`		`- if (_blocked) {`
	`829`	`+ if (dd_req_lifecycle_is_blocked()) {`
`834`	`830`	`_add_new_zstr_to_meta(`
`835`	`831`	`meta_ht, _dd_tag_blocked_zstr, _true_zstr, true, false);`
`836`	`832`	`}`