Skip to content

Add system tests for WAF Blocking Response Unique Identifier (RFC-1070)#5517

Merged
jandro996 merged 2 commits intomainfrom
alejandro.gonzalez/ST-LastPass-fastlane
Oct 29, 2025
Merged

Add system tests for WAF Blocking Response Unique Identifier (RFC-1070)#5517
jandro996 merged 2 commits intomainfrom
alejandro.gonzalez/ST-LastPass-fastlane

Conversation

@jandro996
Copy link
Member

@jandro996 jandro996 commented Oct 15, 2025
edited
Loading

Motivation

  • Add RFC-1070 system tests for blocking response unique identifiers
  • Verify that blocking responses include a unique security_response_id (UUIDv4) in all response formats
  • Test coverage includes:
    • JSON blocking responses with security_response_id
    • HTML blocking responses with security_response_id element
    • Custom redirect URLs with security_response_id query parameter
    • Traces with blocking events contains security_response_id
    • Uniqueness validation across multiple blocking requests

Changes

  • New test file: tests/appsec/waf/test_blocking_block_id.py
  • Enhanced tests/appsec/waf/test_blocking.py works with new and old template versions
    -Added blocking_response_id feature flag (feature_id=493) in utils/_features.py

Workflow

  1. ⚠️ Create your PR as draft ⚠️
  2. Work on you PR until the CI passes
  3. Mark it as ready for review
    • Test logic is modified? -> Get a review from RFC owner.
    • Framework is modified, or non obvious usage of it -> get a review from R&P team

🚀 Once your PR is reviewed and the CI green, you can merge it!

🛟 #apm-shared-testing 🛟

Reviewer checklist

  • If PR title starts with [<language>], double-check that only <language> is impacted by the change
  • No system-tests internal is modified. Otherwise, I have the approval from R&P team
  • A docker base image is modified?
    • the relevant build-XXX-image label is present
  • A scenario is added (or removed)?

@github-actions
Copy link
Contributor

github-actions bot commented Oct 15, 2025
edited
Loading

CODEOWNERS have been resolved as:

tests/appsec/waf/blocked.v3.min.html                                    @DataDog/asm-libraries @DataDog/system-tests-core
tests/appsec/waf/blocked.v3.min.json                                    @DataDog/asm-libraries @DataDog/system-tests-core
tests/appsec/waf/test_blocking_security_response_id.py                  @DataDog/asm-libraries @DataDog/system-tests-core
manifests/cpp_nginx.yml                                                 @DataDog/system-tests-core
manifests/dotnet.yml                                                    @DataDog/apm-dotnet @DataDog/asm-dotnet
manifests/golang.yml                                                    @DataDog/dd-trace-go-guild
manifests/java.yml                                                      @DataDog/asm-java @DataDog/apm-java
manifests/nodejs.yml                                                    @DataDog/dd-trace-js
manifests/php.yml                                                       @DataDog/apm-php @DataDog/asm-php
manifests/python.yml                                                    @DataDog/apm-python @DataDog/asm-python
manifests/ruby.yml                                                      @DataDog/ruby-guild @DataDog/asm-ruby
tests/appsec/blocking_rule.json                                         @DataDog/asm-libraries @DataDog/system-tests-core
tests/appsec/waf/test_blocking.py                                       @DataDog/asm-libraries @DataDog/system-tests-core
utils/_features.py                                                      @DataDog/system-tests-core

@jandro996 jandro996 changed the title WIP Add system tests for WAF Blocking Response Unique Identifier (RFC-1070) Oct 16, 2025
@jandro996 jandro996 marked this pull request as ready for review October 16, 2025 11:08
@jandro996 jandro996 requested review from a team as code owners October 16, 2025 11:08
@jandro996 jandro996 requested review from christophe-papazian, manuel-alvarez-alvarez, smola and tabgok and removed request for a team October 16, 2025 11:08
Anilm3
Anilm3 reviewed Oct 16, 2025
View reviewed changes
Anilm3
Anilm3 reviewed Oct 16, 2025
View reviewed changes
Anilm3
Anilm3 reviewed Oct 16, 2025
View reviewed changes
Copy link
Contributor

@Anilm3 Anilm3 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Block ID is provided as part of the event / trigger, would it not be better to assert its presence use that to validate the response rather than setting the ID to a known value?

@jandro996 jandro996 force-pushed the alejandro.gonzalez/ST-LastPass-fastlane branch from ff1edb5 to 479a022 Compare October 23, 2025 08:09
@jandro996
Copy link
Member Author

jandro996 commented Oct 23, 2025

The Block ID is provided as part of the event / trigger, would it not be better to assert its presence use that to validate the response rather than setting the ID to a known value?

You are right! Refactored to use the actual block_id from the response for validation instead of normalizing to a placeholder.

@jandro996 jandro996 requested a review from Anilm3 October 23, 2025 08:15
@jandro996 jandro996 force-pushed the alejandro.gonzalez/ST-LastPass-fastlane branch from 3fb784b to fa792f1 Compare October 29, 2025 12:55
@jandro996 jandro996 merged commit bf9ed30 into main Oct 29, 2025
430 checks passed
@jandro996 jandro996 deleted the alejandro.gonzalez/ST-LastPass-fastlane branch October 29, 2025 15:13
@e-n-0 e-n-0 mentioned this pull request Nov 11, 2025
Merged
7 tasks
@jandro996 jandro996 mentioned this pull request Nov 12, 2025
Merged
@e-n-0 e-n-0 mentioned this pull request Dec 2, 2025
Merged
e-n-0 added a commit to DataDog/dd-trace-dotnet that referenced this pull request Dec 9, 2025
@e-n-0
[AAP] Update waf and add support for security_response_id (#7807)
66a621b 
## Summary of changes

This PR:
- updates the WAF to version `v1.30.0`
- implements the Blocking Response Unique Identifier
([rfc](https://docs.google.com/document/d/1JJqsyxJgCKM0LqGE6Pg1ez3O-XB9bPdeejmme5Wf8jY/edit?tab=t.0))

## Reason for change

## Implementation details

- Updated the WAF
- Added `SecurityResponseId` in block actions
- Updated the HTML/JSON templates
([ref](https://github.com/DataDog/asm-blocked-response-template/tree/main))

## Test coverage

Unit tested:
- JSON blocking responses with `security_response_id`
- HTML blocking responses with `security_response_id` element
- Custom redirect URLs with `security_response_id` query parameter

Integration tests:
- Updated all snapshots so it includes the `security_response_id` on all
blocked requests
- Verified that the showed blocking template correctly display the same
security response id present in the security event.

System tests: DataDog/system-tests#5517
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Anilm3 Anilm3 Anilm3 approved these changes

@christophe-papazian christophe-papazian christophe-papazian approved these changes

@tabgok tabgok Awaiting requested review from tabgok tabgok is a code owner automatically assigned from DataDog/apm-python

@smola smola Awaiting requested review from smola smola is a code owner automatically assigned from DataDog/asm-java

@manuel-alvarez-alvarez manuel-alvarez-alvarez Awaiting requested review from manuel-alvarez-alvarez manuel-alvarez-alvarez is a code owner automatically assigned from DataDog/asm-java

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jandro996 @Anilm3 @christophe-papazian