feat(asm): redirect requests for custom blocking (#6884)

Allow tracer to handle custom blocking actions of type
`redirect_request` in Django and Flask.
This completes the full support of RFC "ASM Rules blocking configuration
- libraries" started with
#6615

## Checklist

- [x] Change(s) are motivated and described in the PR description.
- [x] Testing strategy is described if automated tests are not included
in the PR.
- [x] Risk is outlined (performance impact, potential for breakage,
maintainability, etc).
- [x] Change is maintainable (easy to change, telemetry, documentation).
- [x] [Library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
are followed. If no release note is required, add label
`changelog/no-changelog`.
- [x] Documentation is included (in-code, generated user docs, [public
corp docs](https://github.com/DataDog/documentation/)).
- [x] Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist

- [x] Title is accurate.
- [x] No unnecessary changes are introduced.
- [x] Description motivates each change.
- [x] Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes unless absolutely necessary.
- [x] Testing strategy adequately addresses listed risk(s).
- [x] Change is maintainable (easy to change, telemetry, documentation).
- [x] Release note makes sense to a user of the library.
- [x] Reviewer has explicitly acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment.
- [x] Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)
- [x] If this PR touches code that signs or publishes builds or
packages, or handles credentials of any kind, I've requested a review
from `@DataDog/security-design-and-guidance`.
- [x] This PR doesn't touch any of that.

---------

Co-authored-by: Emmett Butler <[email protected]>
Co-authored-by: Teague Bick <[email protected]>
Co-authored-by: Tahir H. Butt <[email protected]>
Co-authored-by: Munir Abdinur <[email protected]>
Co-authored-by: Alberto Vara <[email protected]>
Co-authored-by: Federico Mon <[email protected]>

Author: 7 people

ddtrace/appsec/_constants.py

@@ -166,6 +166,7 @@ class WAF_ACTIONS(object):
     ID = "id"
     DEFAULT_PARAMETERS = STATUS_403_TYPE_AUTO
     BLOCK_ACTION = "block_request"
+    REDIRECT_ACTION = "redirect_request"
     DEFAULT_ACTONS = {
         BLOCK: {
             ID: BLOCK,

ddtrace/appsec/processor.py

@@ -321,9 +321,21 @@ def _waf_action(self, span, ctx, custom_data=None):
             log.debug("[DDAS-011-00] ASM In-App WAF returned: %s. Timeout %s", waf_results.data, waf_results.timeout)
 
         for action in waf_results.actions:
-            if self._actions.get(action, {}).get(WAF_ACTIONS.TYPE) == WAF_ACTIONS.BLOCK_ACTION:
+            action_type = self._actions.get(action, {}).get(WAF_ACTIONS.TYPE, None)
+            if action_type == WAF_ACTIONS.BLOCK_ACTION:
                 blocked = self._actions[action][WAF_ACTIONS.PARAMETERS]
                 break
+            elif action_type == WAF_ACTIONS.REDIRECT_ACTION:
+                blocked = self._actions[action][WAF_ACTIONS.PARAMETERS]
+                location = blocked.get("location", "")
+                if not location:
+                    blocked = WAF_ACTIONS.DEFAULT_PARAMETERS
+                    break
+                status_code = str(blocked.get("status_code", ""))
+                if not (status_code[:3].isdigit() and status_code.startswith("3")):
+                    blocked["status_code"] = "303"
+                blocked[WAF_ACTIONS.TYPE] = "none"
+                break
         else:
             blocked = {}
         _asm_request_context.set_waf_results(waf_results, self._ddwaf.info, bool(blocked))

ddtrace/contrib/django/patch.py

@@ -471,14 +471,21 @@ def blocked_response():
                 from django.http import HttpResponse
 
                 block_config = core.get_item(WAF_CONTEXT_NAMES.BLOCKED, span=span)
-                if block_config.get("type", "auto") == "auto":
-                    ctype = "text/html" if "text/html" in request_headers.get("Accept", "").lower() else "text/json"
-                else:
-                    ctype = "text/" + block_config["type"]
+                desired_type = block_config.get("type", "auto")
                 status = block_config.get("status_code", 403)
-                content = appsec_utils._get_blocked_template(ctype)
-                response = HttpResponse(content, content_type=ctype, status=status)
-                response.content = content
+                if desired_type == "none":
+                    response = HttpResponse("", status=status)
+                    location = block_config.get("location", "")
+                    if location:
+                        response["location"] = location
+                else:
+                    if desired_type == "auto":
+                        ctype = "text/html" if "text/html" in request_headers.get("Accept", "").lower() else "text/json"
+                    else:
+                        ctype = "text/" + desired_type
+                    content = appsec_utils._get_blocked_template(ctype)
+                    response = HttpResponse(content, content_type=ctype, status=status)
+                    response.content = content
                 utils._after_request_tags(pin, span, request, response)
                 return response
 

ddtrace/contrib/flask/patch.py

@@ -111,12 +111,16 @@ def _wrapped_start_response(self, start_response, ctx, status_code, headers, exc
             if core.get_item(HTTP_REQUEST_BLOCKED):
                 # response code must be set here, or it will be too late
                 block_config = core.get_item(HTTP_REQUEST_BLOCKED)
-                if block_config.get("type", "auto") == "auto":
-                    ctype = "text/html" if "text/html" in headers_from_context else "text/json"
-                else:
-                    ctype = "text/" + block_config["type"]
+                desired_type = block_config.get("type", "auto")
                 status = block_config.get("status_code", 403)
-                response_headers = [("content-type", ctype)]
+                if desired_type == "none":
+                    response_headers = []
+                else:
+                    if block_config.get("type", "auto") == "auto":
+                        ctype = "text/html" if "text/html" in headers_from_context else "text/json"
+                    else:
+                        ctype = "text/" + block_config["type"]
+                    response_headers = [("content-type", ctype)]
                 result = start_response(str(status), response_headers)
                 core.dispatch("flask.start_response.blocked", config.flask, response_headers, status)
             else:

ddtrace/contrib/wsgi/wsgi.py

@@ -99,14 +99,14 @@ def __call__(self, environ, start_response):
             middleware=self,
         ) as ctx:
             if core.get_item(HTTP_REQUEST_BLOCKED):
-                status, ctype, content = core.dispatch("wsgi.block.started", ctx, construct_url)[0][0]
-                start_response(str(status), [("content-type", ctype)])
+                status, headers, content = core.dispatch("wsgi.block.started", ctx, construct_url)[0][0]
+                start_response(str(status), headers)
                 closing_iterator = [content]
                 not_blocked = False
 
             def blocked_view():
-                status, ctype, content = core.dispatch("wsgi.block.started", ctx, construct_url)[0][0]
-                return content, status, [("content-type", ctype)]
+                status, headers, content = core.dispatch("wsgi.block.started", ctx, construct_url)[0][0]
+                return content, status, headers
 
             core.dispatch("wsgi.block_decided", blocked_view)
 

ddtrace/tracing/trace_handlers.py

@@ -91,15 +91,23 @@ def _make_block_content(ctx, construct_url):
     if req_span is None:
         raise ValueError("request span not found")
     block_config = core.get_item(HTTP_REQUEST_BLOCKED, span=req_span)
-    if block_config.get("type", "auto") == "auto":
-        ctype = "text/html" if "text/html" in headers.get("Accept", "").lower() else "text/json"
+    desired_type = block_config.get("type", "auto")
+    ctype = None
+    if desired_type == "none":
+        content = ""
+        resp_headers = [("content-type", "text/plain; charset=utf-8"), ("location", block_config.get("location", ""))]
     else:
-        ctype = "text/" + block_config["type"]
-    content = http_utils._get_blocked_template(ctype).encode("UTF-8")
+        if desired_type == "auto":
+            ctype = "text/html" if "text/html" in headers.get("Accept", "").lower() else "text/json"
+        else:
+            ctype = "text/" + block_config["type"]
+        content = http_utils._get_blocked_template(ctype).encode("UTF-8")
+        resp_headers = [("content-type", ctype)]
     status = block_config.get("status_code", 403)
     try:
         req_span.set_tag_str(RESPONSE_HEADERS + ".content-length", str(len(content)))
-        req_span.set_tag_str(RESPONSE_HEADERS + ".content-type", ctype)
+        if ctype is not None:
+            req_span.set_tag_str(RESPONSE_HEADERS + ".content-type", ctype)
         req_span.set_tag_str(http.STATUS_CODE, str(status))
         url = construct_url(environ)
         query_string = environ.get("QUERY_STRING")
@@ -115,7 +123,7 @@ def _make_block_content(ctx, construct_url):
     except Exception as e:
         log.warning("Could not set some span tags on blocked request: %s", str(e))  # noqa: G200
 
-    return status, ctype, content
+    return status, resp_headers, content
 
 
 def _on_request_prepare(ctx, start_response):

releasenotes/notes/custom_blocking_redirect_request-fcd032a01ed10894.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    ASM: This introduces support for custom blocking actions of type redirect_request.

tests/appsec/rules-suspicious-requests-custom-actions.json

@@ -24,6 +24,21 @@
                 "status_code": 503,
                 "type": "html"
             }
+        },
+        {
+            "id": "block_301",
+            "type": "redirect_request",
+            "parameters": {
+                "status_code": 301,
+                "location": "https://www.datadoghq.com"
+            }
+        },
+        {
+            "id": "block_303",
+            "type": "redirect_request",
+            "parameters": {
+                "location": "https://www.datadoghq.com"
+            }
         }
     ],
     "rules": [
@@ -104,6 +119,58 @@
             "on_match": [
                 "block_503_html"
             ]
+        },
+        {
+            "id": "tst-040-004",
+            "name": "Test block on query parameter with custom code 301",
+            "tags": {
+                "type": "lfi",
+                "crs_id": "040003",
+                "category": "attack_attempt"
+            },
+            "conditions": [
+                {
+                    "parameters": {
+                        "inputs": [
+                            {
+                                "address": "server.request.query"
+                            }
+                        ],
+                        "regex": "suspicious_301"
+                    },
+                    "operator": "match_regex"
+                }
+            ],
+            "transformers": [],
+            "on_match": [
+                "block_301"
+            ]
+        },
+        {
+            "id": "tst-040-005",
+            "name": "Test block on query parameter with custom code 303",
+            "tags": {
+                "type": "lfi",
+                "crs_id": "040003",
+                "category": "attack_attempt"
+            },
+            "conditions": [
+                {
+                    "parameters": {
+                        "inputs": [
+                            {
+                                "address": "server.request.query"
+                            }
+                        ],
+                        "regex": "suspicious_303"
+                    },
+                    "operator": "match_regex"
+                }
+            ],
+            "transformers": [],
+            "on_match": [
+                "block_303"
+            ]
         }
     ]
 }

tests/contrib/django/test_django_appsec.py

@@ -856,6 +856,31 @@ def test_request_suspicious_request_block_custom_actions(client, test_spans, tra
     http._JSON_BLOCKED_TEMPLATE_CACHE = None
 
 
+@pytest.mark.parametrize(
+    ["suspicious_value", "expected_code", "rule"],
+    [
+        ("suspicious_301", 301, "tst-040-004"),
+        ("suspicious_303", 303, "tst-040-005"),
+    ],
+)
+def test_request_suspicious_request_redirect_actions(client, test_spans, tracer, suspicious_value, expected_code, rule):
+    # value suspicious_306_auto must be blocked
+    with override_global_config(dict(_appsec_enabled=True)), override_env(
+        dict(
+            DD_APPSEC_RULES=RULES_SRBCA,
+        )
+    ):
+        root_span, response = _aux_appsec_get_root_span(
+            client, test_spans, tracer, url="index.html?toto=%s" % suspicious_value
+        )
+        assert response.status_code == expected_code
+        # check if response content is custom as expected
+        assert not response.content
+        assert response["location"] == "https://www.datadoghq.com"
+        loaded = json.loads(root_span.get_tag(APPSEC.JSON))
+        assert [t["rule"]["id"] for t in loaded["triggers"]] == [rule]
+
+
 @pytest.mark.django_db
 def test_django_login_events_disabled_explicitly(client, test_spans, tracer):
     from django.contrib.auth import get_user

tests/contrib/flask/test_flask_appsec.py

@@ -867,3 +867,61 @@ def test_route():
         # remove cache to avoid using template from other tests
         uhttp._HTML_BLOCKED_TEMPLATE_CACHE = None
         uhttp._JSON_BLOCKED_TEMPLATE_CACHE = None
+
+    def test_request_suspicious_request_block_redirect_actions_301(self):
+        @self.app.route("/index.html")
+        def test_route():
+            return "Ok: %s" % request.args.get("toto", ""), 200
+
+        # value suspicious_301 must be redirected
+        with override_global_config(dict(_appsec_enabled=True)), override_env(
+            dict(
+                DD_APPSEC_RULES=RULES_SRBCA,
+                DD_APPSEC_HTTP_BLOCKED_TEMPLATE_JSON=RESPONSE_CUSTOM_JSON,
+                DD_APPSEC_HTTP_BLOCKED_TEMPLATE_HTML=RESPONSE_CUSTOM_HTML,
+            )
+        ):
+            self._aux_appsec_prepare_tracer()
+            resp = self.client.get("/index.html?toto=suspicious_301")
+            assert resp.status_code == 301
+            assert resp.headers["location"] == "https://www.datadoghq.com"
+            assert not get_response_body(resp)
+            root_span = self.pop_spans()[0]
+            loaded = json.loads(root_span.get_tag(APPSEC.JSON))
+            assert [t["rule"]["id"] for t in loaded["triggers"]] == ["tst-040-004"]
+            assert root_span.get_tag(http.STATUS_CODE) == "301"
+            assert root_span.get_tag(http.URL) == "http://localhost/index.html?toto=suspicious_301"
+            assert root_span.get_tag(http.METHOD) == "GET"
+            assert root_span.get_tag(http.USER_AGENT).startswith("werkzeug/")
+            assert root_span.get_tag(SPAN_DATA_NAMES.RESPONSE_HEADERS_NO_COOKIES + ".content-type").startswith(
+                "text/plain"
+            )
+
+    def test_request_suspicious_request_block_redirect_actions_303(self):
+        @self.app.route("/index.html")
+        def test_route():
+            return "Ok: %s" % request.args.get("toto", ""), 200
+
+        # value suspicious_301 must be redirected
+        with override_global_config(dict(_appsec_enabled=True)), override_env(
+            dict(
+                DD_APPSEC_RULES=RULES_SRBCA,
+                DD_APPSEC_HTTP_BLOCKED_TEMPLATE_JSON=RESPONSE_CUSTOM_JSON,
+                DD_APPSEC_HTTP_BLOCKED_TEMPLATE_HTML=RESPONSE_CUSTOM_HTML,
+            )
+        ):
+            self._aux_appsec_prepare_tracer()
+            resp = self.client.get("/index.html?toto=suspicious_303")
+            assert resp.status_code == 303
+            assert resp.headers["location"] == "https://www.datadoghq.com"
+            assert not get_response_body(resp)
+            root_span = self.pop_spans()[0]
+            loaded = json.loads(root_span.get_tag(APPSEC.JSON))
+            assert [t["rule"]["id"] for t in loaded["triggers"]] == ["tst-040-005"]
+            assert root_span.get_tag(http.STATUS_CODE) == "303"
+            assert root_span.get_tag(http.URL) == "http://localhost/index.html?toto=suspicious_303"
+            assert root_span.get_tag(http.METHOD) == "GET"
+            assert root_span.get_tag(http.USER_AGENT).startswith("werkzeug/")
+            assert root_span.get_tag(SPAN_DATA_NAMES.RESPONSE_HEADERS_NO_COOKIES + ".content-type").startswith(
+                "text/plain"
+            )