Check blocking action

packages/dd-trace/src/appsec/blocking.js

@@ -116,6 +116,10 @@ function block (req, res, rootSpan, abortController, actionParameters) {
   abortController?.abort()
 }
 
+function isBlockingAction (actions) {
+  return !!(actions?.block_request || actions?.redirect_request)
+}
+
 function setTemplates (config) {
   if (config.appsec.blockedTemplateHtml) {
     templateHtml = config.appsec.blockedTemplateHtml
@@ -141,5 +145,6 @@ module.exports = {
   block,
   specificBlockingTypes,
   getBlockingData,
+  isBlockingAction,
   setTemplates
 }

packages/dd-trace/src/appsec/graphql.js

@@ -1,7 +1,12 @@
 'use strict'
 
 const { storage } = require('../../../datadog-core')
-const { addSpecificEndpoint, specificBlockingTypes, getBlockingData } = require('./blocking')
+const {
+  addSpecificEndpoint,
+  specificBlockingTypes,
+  getBlockingData,
+  isBlockingAction
+} = require('./blocking')
 const waf = require('./waf')
 const addresses = require('./addresses')
 const web = require('../plugins/util/web')
@@ -32,10 +37,7 @@ function onGraphqlStartResolve ({ context, resolverInfo }) {
   if (!resolverInfo || typeof resolverInfo !== 'object') return
 
   const actions = waf.run({ ephemeral: { [addresses.HTTP_INCOMING_GRAPHQL_RESOLVER]: resolverInfo } }, req)
-  if (
-    actions &&
-    (Object.keys(actions).includes('block_request') || Object.keys(actions).includes('redirect_request'))
-  ) {
+  if (isBlockingAction(actions)) {
     const requestData = graphqlRequestData.get(req)
     if (requestData?.isInGraphqlRequest) {
       requestData.blocked = true

packages/dd-trace/src/appsec/sdk/user_blocking.js

@@ -3,17 +3,14 @@
 const { USER_ID } = require('../addresses')
 const waf = require('../waf')
 const { getRootSpan } = require('./utils')
-const { block } = require('../blocking')
+const { block, isBlockingAction } = require('../blocking')
 const { storage } = require('../../../../datadog-core')
 const { setUserTags } = require('./set_user')
 const log = require('../../log')
 
 function isUserBlocked (user) {
   const actions = waf.run({ persistent: { [USER_ID]: user.id } })
-
-  if (!actions) return false
-
-  return Object.keys(actions).includes('block_request') || Object.keys(actions).includes('redirect_request')
+  return isBlockingAction(actions)
 }
 
 function checkUserAndSetUser (tracer, user) {

packages/dd-trace/src/appsec/waf/waf_context_wrapper.js

@@ -3,6 +3,7 @@
 const log = require('../../log')
 const Reporter = require('../reporter')
 const addresses = require('../addresses')
+const { isBlockingAction } = require('../blocking')
 
 // TODO: remove once ephemeral addresses are implemented
 const preventDuplicateAddresses = new Set([
@@ -61,8 +62,7 @@ class WAFContextWrapper {
 
       const ruleTriggered = !!result.events?.length
 
-      const blockTriggered = result.actions && (Object.keys(result.actions).includes('block_request') ||
-        Object.keys(result.actions).includes('redirect_request'))
+      const blockTriggered = isBlockingAction(result.actions)
 
       Reporter.reportMetrics({
         duration: result.totalRuntime / 1e3,

packages/dd-trace/test/appsec/blocking.spec.js

@@ -248,3 +248,33 @@ describe('blocking', () => {
     })
   })
 })
+
+describe('waf actions', () => {
+  const blocking = require('../../src/appsec/blocking')
+
+  it('identifies a block_request as blocking action', () => {
+    const actions = {
+      block_request: {}
+    }
+    expect(blocking.isBlockingAction(actions), true)
+  })
+
+  it('identifies a redirect_request as blocking action', () => {
+    const actions = {
+      redirect_request: {}
+    }
+    expect(blocking.isBlockingAction(actions), true)
+  })
+
+  it('identifies undefined as non blocking action', () => {
+    const actions = undefined
+    expect(blocking.isBlockingAction(actions), false)
+  })
+
+  it('identifies generate_stack as non blocking action', () => {
+    const actions = {
+      generate_stack: {}
+    }
+    expect(blocking.isBlockingAction(actions), false)
+  })
+})