[ASM] Fix WebApi blocking on Response

tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Framework.cs

@@ -265,7 +265,7 @@ private SecurityCoordinator(Security security, Span span, HttpTransport transpor
     /// <summary>
     /// Framework can do it all at once, but framework only unfortunately
     /// </summary>
-    internal void BlockAndReport(Dictionary<string, object> args, bool lastWafCall = false)
+    internal void BlockAndReport(Dictionary<string, object> args, bool lastWafCall = false, bool isInHttpTracingModule = false)
     {
         var result = RunWaf(args, lastWafCall);
         if (result is not null)
@@ -274,7 +274,7 @@ internal void BlockAndReport(Dictionary<string, object> args, bool lastWafCall =
 
             if (result.ShouldBlock)
             {
-                ChooseBlockingMethodAndBlock(result, reporting, result.BlockInfo, result.RedirectInfo);
+                ChooseBlockingMethodAndBlock(result, reporting, result.BlockInfo, result.RedirectInfo, isInHttpTracingModule);
             }
 
             // here we assume if we haven't blocked we'll have collected the correct status elsewhere
@@ -305,12 +305,12 @@ internal void ReportAndBlock(IResult? result)
         }
     }
 
-    private void ChooseBlockingMethodAndBlock(IResult result, Action<int?, bool> reporting, Dictionary<string, object?>? blockInfo, Dictionary<string, object?>? redirectInfo)
+    private void ChooseBlockingMethodAndBlock(IResult result, Action<int?, bool> reporting, Dictionary<string, object?>? blockInfo, Dictionary<string, object?>? redirectInfo, bool inTracingHttpModule = false)
     {
         var headers = RequestDataHelper.GetHeaders(_httpTransport.Context.Request) ?? new NameValueCollection();
         var blockingAction = _security.GetBlockingAction([headers["Accept"]], blockInfo, redirectInfo);
         var isWebApiRequest = _httpTransport.Context.CurrentHandler?.GetType().FullName == WebApiControllerHandlerTypeFullname;
-        if (isWebApiRequest)
+        if (isWebApiRequest && !inTracingHttpModule)
         {
             if (!blockingAction.IsRedirect && _throwHttpResponseException.Value is { } throwException)
             {

tracer/src/Datadog.Trace/AspNet/TracingHttpModule.cs

@@ -201,7 +201,7 @@ private void OnBeginRequest(object sender, EventArgs eventArgs)
                         }
                     }
 
-                    securityCoordinator.BlockAndReport(args);
+                    securityCoordinator.BlockAndReport(args, isInHttpTracingModule: true);
                 }
 
                 var iastInstance = Iast.Iast.Instance;
@@ -273,7 +273,7 @@ private void OnEndRequest(object sender, EventArgs eventArgs)
                                 }
                             }
 
-                            securityCoordinator.BlockAndReport(args, true);
+                            securityCoordinator.BlockAndReport(args, true, isInHttpTracingModule: true);
 
                             securityCoordinator.Reporter.AddResponseHeadersToSpanAndCleanup();
                             securityContextCleaned = true;

tracer/test/Datadog.Trace.Security.IntegrationTests/AspNetWebApi.cs

@@ -106,6 +106,28 @@ public async Task TestBlockedRequest(string test)
             await TestAppSecRequestWithVerifyAsync(_iisFixture.Agent, url, null, 5, 1, settings, userAgent: "Hello/V");
         }
 
+        [Trait("Category", "EndToEnd")]
+        [Trait("RunOnWindows", "True")]
+        [Trait("LoadFromGAC", "True")]
+        [SkippableTheory]
+        [InlineData(AddressesConstants.RequestPathParams, "/api/route/2?arg=[blocking_test]")]
+        [InlineData(AddressesConstants.RequestBody, "/api/Home/Upload", "{\"Property1\": \"[blocking_test]\"}")]
+        [InlineData(AddressesConstants.ResponseHeaderNoCookies, "/api/asm/injectedheader")] // Blocked on response
+        public async Task TestBlockedRequests(string test, string url, string body = null)
+        {
+            var sanitisedUrl = VerifyHelper.SanitisePathsForVerify(url);
+            var settings = VerifyHelper.GetSpanVerifierSettings(test, sanitisedUrl, body);
+
+            var expectedSpans = test == AddressesConstants.RequestPathParams ? 1 : 2;
+
+            if (test == AddressesConstants.ResponseHeaderNoCookies && _classicMode)
+            {
+                throw new SkipException("Response header injection is not supported in classic mode");
+            }
+
+            await TestAppSecRequestWithVerifyAsync(_iisFixture.Agent, url, body, 5, expectedSpans, settings, "application/json");
+        }
+
         [SkippableFact]
         public async Task TestNullAction()
         {

tracer/test/Datadog.Trace.Security.IntegrationTests/ruleset.3.0.json

@@ -319,6 +319,9 @@
               },
               {
                 "address": "server.request.path_params"
+              },
+              {
+                "address": "server.response.headers.no_cookies"
               }
             ],
             "list": [
@@ -5946,6 +5949,78 @@
       "on_match": [
         "block"
       ]
+    },
+    {
+      "id": "block-on-path-params",
+      "name": "Block on path params",
+      "tags": {
+        "type": "nosql_injection",
+        "crs_id": "000009",
+        "category": "attack_attempt"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              },
+              {
+                "address": "server.request.path_params"
+              }
+            ],
+            "regex": "(?i:(?:\\[blocking_test\\]))",
+            "options": {
+              "case_sensitive": true,
+              "min_length": 5
+            }
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": [],
+      "on_match": [
+        "customblock"
+      ]
+    },
+    {
+      "id": "block-on-path-params-redirect",
+      "name": "Block on path params with block redirection",
+      "tags": {
+        "type": "nosql_injection",
+        "crs_id": "000010",
+        "category": "attack_attempt"
+      },
+      "conditions": [
+        {
+          "parameters": {
+            "inputs": [
+              {
+                "address": "server.request.query"
+              },
+              {
+                "address": "server.request.body"
+              },
+              {
+                "address": "server.request.path_params"
+              }
+            ],
+            "regex": "(?i:(?:\\[block_redir\\]))",
+            "options": {
+              "case_sensitive": true,
+              "min_length": 5
+            }
+          },
+          "operator": "match_regex"
+        }
+      ],
+      "transformers": [],
+      "on_match": [
+        "blockredir"
+      ]
     }
   ]
 }