Skip to content

[APPSEC]: report blocking_response payload and status code on blocked response #656

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 10, 2025
Merged

[APPSEC]: report blocking_response payload and status code on blocked response #656

merged 1 commit into from
Sep 10, 2025

Conversation

@florentinl
Copy link
Contributor

@florentinl florentinl commented Sep 8, 2025
edited
Loading

What does this PR do?

This PR ensures that when a request is blocked, the reported captured response and http.status_code comes from the blocking_response instead of the response.

Motivation

Currently, when enabling Appsec and a request is blocked. The span will still report the status code of the response that was blocked instead of the automatic blocking response and if the request was blocked before the function handler was called the default value of 502 would be returned.

Testing Guidelines

  • updated unit tests to avoid regressions

Additional Notes

  • I am making a pass of manual testing before making appsec through the tracer the default and spot this bug

Types of Changes

  • Bug fix
  • New feature
  • Breaking change
  • Misc (docs, refactoring, dependency upgrade, etc.)

Check all that apply

  • This PR's description is comprehensive
  • This PR contains breaking changes that are documented in the description
  • This PR introduces new APIs or parameters that are documented and unlikely to change in the foreseeable future
  • This PR impacts documentation, and it has been updated (or a ticket has been logged)
  • This PR's changes are covered by the automated tests
  • This PR collects user input/sensitive content into Datadog
  • This PR passes the integration tests (ask a Datadog member to run the tests)

@florentinl florentinl force-pushed the florentinl/fix-status-code-collection-on-blocked-response branch 2 times, most recently from f56463b to 005e6b3 Compare September 8, 2025 14:26
@florentinl florentinl changed the title fix(appsec): perform _after extractions on the blocking_response  [APPSEC]: report blocking_response payload and status code on blocked response Sep 8, 2025
@florentinl florentinl marked this pull request as ready for review September 8, 2025 14:44
@florentinl florentinl requested review from a team as code owners September 8, 2025 14:44
joeyzhao2018
joeyzhao2018 reviewed Sep 8, 2025
View reviewed changes
datadog_lambda/wrapper.py
self.response = self.blocking_response

if config.capture_payload_enabled:
tag_object(self.span, "function.request", event)
Copy link
Contributor

@joeyzhao2018 joeyzhao2018 Sep 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not a request to change but I wonder if we should still tag the original self.response? maybe like tage it "function.original_request"? Does being blocked means we don't want the customer to see the original response whatsoever?

Copy link
Contributor Author

@florentinl florentinl Sep 9, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't particularly want to hide it from the customer, the question is rather: would it be useful to have it ? The security signal will already have a detail of which security rule was matched to trigger the block. Having the response might be handy for debugging.

The request can be blocked at multiple moments. We would only have an "original response" when we block after looking at the response of the handler.
In this case, I can tag a "function.blocked_response" to link it more explicitly with the blocking feature.

joeyzhao2018
joeyzhao2018 approved these changes Sep 8, 2025
View reviewed changes
Copy link
Contributor

@joeyzhao2018 joeyzhao2018 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@florentinl florentinl force-pushed the florentinl/fix-status-code-collection-on-blocked-response branch 2 times, most recently from b17e18c to fe3f87e Compare September 9, 2025 14:27
@florentinl florentinl force-pushed the florentinl/fix-status-code-collection-on-blocked-response branch from fe3f87e to 19fcf5f Compare September 10, 2025 09:10
@florentinl florentinl merged commit 2389ec3 into main Sep 10, 2025
84 checks passed
@florentinl florentinl deleted the florentinl/fix-status-code-collection-on-blocked-response branch September 10, 2025 11:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joeyzhao2018 joeyzhao2018 joeyzhao2018 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@florentinl @joeyzhao2018