DataDog · y9v · Jan 16, 2025 · Jan 17, 2025 · Jan 17, 2025 · Jan 17, 2025
@@ -11,7 +11,7 @@ on:
 env:
   REGISTRY: ghcr.io
   REPO: ghcr.io/datadog/dd-trace-rb
-  SYSTEM_TESTS_REF: main # This must always be set to `main` on dd-trace-rb's master branch
+  SYSTEM_TESTS_REF: appsec-remove-graphql-status-code-exception-for-ruby # This must always be set to `main` on dd-trace-rb's master branch
 
 jobs:
   build-harness:

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    # this module encapsulates functions for handling actions that libddawf returns
+    module ActionsHandler
+      module_function
+
+      def handle(actions_hash)
+        # handle actions according their precedence
+        # stack and schema generation should be done before we throw an interrupt signal
+        generate_stack(actions_hash['generate_stack']) if actions_hash.key?('generate_stack')
+        generate_schema(actions_hash['generate_schema']) if actions_hash.key?('generate_schema')
+        redirect_request(actions_hash['redirect_request']) if actions_hash.key?('redirect_request')
+        block_request(actions_hash['block_request']) if actions_hash.key?('block_request')
+      end
+
+      def block_request(action_params)
+        throw(Datadog::AppSec::Ext::INTERRUPT, action_params)
+      end
+
+      def redirect_request(action_params)
+        throw(Datadog::AppSec::Ext::INTERRUPT, action_params)
+      end
+
+      def generate_stack(_action_params); end
+
+      def generate_schema(_action_params); end
+
+      def monitor(_action_params); end
+    end
+  end
+end
@@ -3,6 +3,7 @@
 require_relative 'processor'
 require_relative 'processor/rule_merger'
 require_relative 'processor/rule_loader'
+require_relative 'actions_handler'
 
 module Datadog
   module AppSec

@@ -16,16 +16,10 @@ def execute_multiplex(multiplex:)
 
             gateway_multiplex = Gateway::Multiplex.new(multiplex)
 
-            multiplex_return, multiplex_response = Instrumentation.gateway.push('graphql.multiplex', gateway_multiplex) do
+            multiplex_return, = Instrumentation.gateway.push('graphql.multiplex', gateway_multiplex) do
               super
             end
 
-            # Returns an error * the number of queries so that the entire multiplex is blocked
-            if multiplex_response
-              blocked_event = multiplex_response.find { |action, _options| action == :block }
-              multiplex_return = AppSec::Response.graphql_response(gateway_multiplex) if blocked_event
-            end
-
             multiplex_return
           end
         end

@@ -22,7 +22,6 @@ def watch
               # This time we don't throw but use next
               def watch_multiplex(gateway = Instrumentation.gateway)
                 gateway.watch('graphql.multiplex', :appsec) do |stack, gateway_multiplex|
-                  block = false
                   event = nil
                   context = AppSec::Context.active
                   engine = AppSec::Reactive::Engine.new
@@ -39,13 +38,13 @@ def watch_multiplex(gateway = Instrumentation.gateway)
 
                       Datadog::AppSec::Event.tag_and_keep!(context, result)
                       context.events << event
+
+                      Datadog::AppSec::ActionsHandler.handle(result.actions)
                     end
 
-                    block = GraphQL::Reactive::Multiplex.publish(engine, gateway_multiplex)
+                    GraphQL::Reactive::Multiplex.publish(engine, gateway_multiplex)
                   end
 
-                  next [nil, [[:block, event]]] if block
-
                   stack.call(gateway_multiplex.arguments)
                 end
               end

@@ -44,11 +44,12 @@ def watch_request(gateway = Instrumentation.gateway)
                       context.trace.keep! if context.trace
                       Datadog::AppSec::Event.tag_and_keep!(context, result)
                       context.events << event
+
+                      Datadog::AppSec::ActionsHandler.handle(result.actions)
                     end
                   end
 
-                  block = Rack::Reactive::Request.publish(engine, gateway_request)
-                  throw(Datadog::AppSec::Ext::INTERRUPT, event[:actions]) if block
+                  Rack::Reactive::Request.publish(engine, gateway_request)
 
                   stack.call(gateway_request.request)
                 end
@@ -75,11 +76,12 @@ def watch_response(gateway = Instrumentation.gateway)
                       context.trace.keep! if context.trace
                       Datadog::AppSec::Event.tag_and_keep!(context, result)
                       context.events << event
+
+                      Datadog::AppSec::ActionsHandler.handle(result.actions)
                     end
                   end
 
-                  block = Rack::Reactive::Response.publish(engine, gateway_response)
-                  throw(Datadog::AppSec::Ext::INTERRUPT, event[:actions]) if block
+                  Rack::Reactive::Response.publish(engine, gateway_response)
 
                   stack.call(gateway_response.response)
                 end
@@ -106,11 +108,12 @@ def watch_request_body(gateway = Instrumentation.gateway)
                       context.trace.keep! if context.trace
                       Datadog::AppSec::Event.tag_and_keep!(context, result)
                       context.events << event
+
+                      Datadog::AppSec::ActionsHandler.handle(result.actions)
                     end
                   end
 
-                  block = Rack::Reactive::RequestBody.publish(engine, gateway_request)
-                  throw(Datadog::AppSec::Ext::INTERRUPT, event[:actions]) if block
+                  Rack::Reactive::RequestBody.publish(engine, gateway_request)
 
                   stack.call(gateway_request.request)
                 end

@@ -24,15 +24,15 @@ def call(env)
             # TODO: handle exceptions, except for @app.call
 
             http_response = nil
-            block_actions = catch(::Datadog::AppSec::Ext::INTERRUPT) do
+            block_action_params = catch(::Datadog::AppSec::Ext::INTERRUPT) do
               http_response, = Instrumentation.gateway.push('rack.request.body', Gateway::Request.new(env)) do
                 @app.call(env)
               end
 
               nil
             end
 
-            return AppSec::Response.negotiate(env, block_actions).to_rack if block_actions
+            return AppSec::Response.build(block_action_params, env['HTTP_ACCEPT']).to_rack if block_action_params
 
             http_response
           end

@@ -76,7 +76,7 @@ def call(env)
             gateway_request = Gateway::Request.new(env)
             gateway_response = nil
 
-            block_actions = catch(::Datadog::AppSec::Ext::INTERRUPT) do
+            block_action_params = catch(::Datadog::AppSec::Ext::INTERRUPT) do
               http_response, = Instrumentation.gateway.push('rack.request', gateway_request) do
                 @app.call(env)
               end
@@ -90,7 +90,7 @@ def call(env)
               nil
             end
 
-            http_response = AppSec::Response.negotiate(env, block_actions).to_rack if block_actions
+            http_response = AppSec::Response.build(block_action_params, env['HTTP_ACCEPT']).to_rack if block_action_params
 
             if AppSec.api_security_enabled?
               ctx.events << {

@@ -40,11 +40,12 @@ def watch_request_action(gateway = Instrumentation.gateway)
                       context.trace.keep! if context.trace
                       Datadog::AppSec::Event.tag_and_keep!(context, result)
                       context.events << event
+
+                      Datadog::AppSec::ActionsHandler.handle(result.actions)
                     end
                   end
 
-                  block = Rails::Reactive::Action.publish(engine, gateway_request)
-                  next [nil, [[:block, event]]] if block
+                  Rails::Reactive::Action.publish(engine, gateway_request)
 
                   stack.call(gateway_request.request)
                 end

@@ -80,22 +80,12 @@ def process_action(*args)
               # TODO: handle exceptions, except for super
 
               gateway_request = Gateway::Request.new(request)
-              request_return, request_response = Instrumentation.gateway.push('rails.request.action', gateway_request) do
-                super
-              end
 
-              if request_response
-                blocked_event = request_response.find { |action, _options| action == :block }
-                if blocked_event
-                  @_response = AppSec::Response.negotiate(
-                    env,
-                    blocked_event.last[:actions]
-                  ).to_action_dispatch_response
-                  request_return = @_response.body
-                end
+              http_response, = Instrumentation.gateway.push('rails.request.action', gateway_request) do
+                super
               end
 
-              request_return
+              http_response
             end
           end
 

@@ -42,11 +42,12 @@ def watch_request_dispatch(gateway = Instrumentation.gateway)
                       context.trace.keep! if context.trace
                       Datadog::AppSec::Event.tag_and_keep!(context, result)
                       context.events << event
+
+                      Datadog::AppSec::ActionsHandler.handle(result.actions)
                     end
                   end
 
-                  block = Rack::Reactive::RequestBody.publish(engine, gateway_request)
-                  next [nil, [[:block, event]]] if block
+                  Rack::Reactive::RequestBody.publish(engine, gateway_request)
 
                   stack.call(gateway_request.request)
                 end
@@ -73,11 +74,12 @@ def watch_request_routed(gateway = Instrumentation.gateway)
                       context.trace.keep! if context.trace
                       Datadog::AppSec::Event.tag_and_keep!(context, result)
                       context.events << event
+
+                      Datadog::AppSec::ActionsHandler.handle(result.actions)
                     end
                   end
 
-                  block = Sinatra::Reactive::Routed.publish(engine, [gateway_request, gateway_route_params])
-                  next [nil, [[:block, event]]] if block
+                  Sinatra::Reactive::Routed.publish(engine, [gateway_request, gateway_route_params])
 
                   stack.call(gateway_request.request)
                 end

@@ -6,7 +6,6 @@
 require_relative '../../response'
 require_relative '../rack/request_middleware'
 require_relative 'framework'
-require_relative 'ext'
 require_relative 'gateway/watcher'
 require_relative 'gateway/route_params'
 require_relative 'gateway/request'
@@ -62,17 +61,8 @@ def dispatch!
 
             gateway_request = Gateway::Request.new(env)
 
-            request_return, request_response = Instrumentation.gateway.push('sinatra.request.dispatch', gateway_request) do
-              # handle process_route interruption
-              catch(Datadog::AppSec::Contrib::Sinatra::Ext::ROUTE_INTERRUPT) { super }
-            end
-
-            if request_response
-              blocked_event = request_response.find { |action, _options| action == :block }
-              if blocked_event
-                self.response = AppSec::Response.negotiate(env, blocked_event.last[:actions]).to_sinatra_response
-                request_return = nil
-              end
+            request_return, = Instrumentation.gateway.push('sinatra.request.dispatch', gateway_request) do
+              super
             end
 
             request_return
@@ -103,20 +93,7 @@ def process_route(*)
               gateway_request = Gateway::Request.new(env)
               gateway_route_params = Gateway::RouteParams.new(route_params)
 
-              _, request_response = Instrumentation.gateway.push(
-                'sinatra.request.routed',
-                [gateway_request, gateway_route_params]
-              )
-
-              if request_response
-                blocked_event = request_response.find { |action, _options| action == :block }
-                if blocked_event
-                  self.response = AppSec::Response.negotiate(env, blocked_event.last[:actions]).to_sinatra_response
-
-                  # interrupt request and return response to dispatch! for consistency
-                  throw(Datadog::AppSec::Contrib::Sinatra::Ext::ROUTE_INTERRUPT, response)
-                end
-              end
+              Instrumentation.gateway.push('sinatra.request.routed', [gateway_request, gateway_route_params])
 
               yield(*args)
             end

@@ -38,11 +38,12 @@ def watch_user_id(gateway = Instrumentation.gateway)
                     context.trace.keep! if context.trace
                     Datadog::AppSec::Event.tag_and_keep!(context, result)
                     context.events << event
+
+                    Datadog::AppSec::ActionsHandler.handle(result.actions)
                   end
                 end
 
-                block = Monitor::Reactive::SetUser.publish(engine, user)
-                throw(Datadog::AppSec::Ext::INTERRUPT, event[:actions]) if block
+                Monitor::Reactive::SetUser.publish(engine, user)
 
                 stack.call(user)
               end