Fix npe on ConflatingMetricsAggregator when the resource is null (#9909)

Author: amarziali

dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/blocking/BlockingActionHelper.java

@@ -23,6 +23,10 @@ public class BlockingActionHelper {
   private static final int DEFAULT_HTTP_CODE = 403;
   private static final int MAX_ALLOWED_TEMPLATE_SIZE = 1024 * 500; // 500 kiB
 
+  // Pattern for removing security_response_id from HTML template when blockId is null/empty
+  private static final Pattern HTML_SECURITY_RESPONSE_ID_PATTERN =
+      Pattern.compile("<p[^>]*>Security Response ID: \\[security_response_id]</p>\\s*");
+
   private static volatile byte[] TEMPLATE_HTML;
   private static volatile byte[] TEMPLATE_JSON;
 
@@ -118,12 +122,42 @@ public static TemplateType determineTemplateType(
   }
 
   public static byte[] getTemplate(TemplateType type) {
+    return getTemplate(type, null);
+  }
+
+  public static byte[] getTemplate(TemplateType type, String blockId) {
+    byte[] template;
     if (type == TemplateType.JSON) {
-      return TEMPLATE_JSON;
+      template = TEMPLATE_JSON;
     } else if (type == TemplateType.HTML) {
-      return TEMPLATE_HTML;
+      template = TEMPLATE_HTML;
+    } else {
+      return null;
     }
-    return null;
+
+    String templateString = new String(template, java.nio.charset.StandardCharsets.UTF_8);
+
+    if (blockId == null || blockId.isEmpty()) {
+      // Remove the security_response_id field/placeholder entirely when blockId is not present
+      if (type == TemplateType.JSON) {
+        // Remove the entire security_response_id field from JSON:
+        // ,"security_response_id":"[security_response_id]"
+        // Try both variants: with comma before and with comma after
+        templateString =
+            templateString.replace(",\"security_response_id\":\"[security_response_id]\"", "");
+        templateString =
+            templateString.replace("\"security_response_id\":\"[security_response_id]\",", "");
+      } else {
+        // For HTML, remove the entire security_response_id section including any attributes
+        Matcher matcher = HTML_SECURITY_RESPONSE_ID_PATTERN.matcher(templateString);
+        templateString = matcher.replaceFirst("");
+      }
+      return templateString.getBytes(java.nio.charset.StandardCharsets.UTF_8);
+    }
+
+    // Perform placeholder replacement for [security_response_id]
+    String replacedTemplate = templateString.replace("[security_response_id]", blockId);
+    return replacedTemplate.getBytes(java.nio.charset.StandardCharsets.UTF_8);
   }
 
   public static String getContentType(TemplateType type) {

dd-java-agent/agent-bootstrap/src/main/resources/datadog/trace/bootstrap/blocking/template.html

@@ -1 +1 @@
-<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>You've been blocked</title><style>a,body,div,html,span{margin:0;padding:0;border:0;font-size:100%;font:inherit;vertical-align:baseline}body{background:-webkit-radial-gradient(26% 19%,circle,#fff,#f4f7f9);background:radial-gradient(circle at 26% 19%,#fff,#f4f7f9);display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-ms-flex-line-pack:center;align-content:center;width:100%;min-height:100vh;line-height:1;flex-direction:column}p{display:block}main{text-align:center;flex:1;display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-ms-flex-line-pack:center;align-content:center;flex-direction:column}p{font-size:18px;line-height:normal;color:#646464;font-family:sans-serif;font-weight:400}a{color:#4842b7}footer{width:100%;text-align:center}footer p{font-size:16px}</style></head><body><main><p>Sorry, you cannot access this page. Please contact the customer service team.</p></main><footer><p>Security provided by <a href="https://www.datadoghq.com/product/security-platform/application-security-monitoring/" target="_blank">Datadog</a></p></footer></body></html>
+<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>You've been blocked</title><style>a,body,div,html,span{margin:0;padding:0;border:0;font-size:100%;font:inherit;vertical-align:baseline}body{background:-webkit-radial-gradient(26% 19%,circle,#fff,#f4f7f9);background:radial-gradient(circle at 26% 19%,#fff,#f4f7f9);display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-ms-flex-line-pack:center;align-content:center;width:100%;min-height:100vh;line-height:1;flex-direction:column}p{display:block}main{text-align:center;flex:1;display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-ms-flex-line-pack:center;align-content:center;flex-direction:column}p{font-size:18px;line-height:normal;color:#646464;font-family:sans-serif;font-weight:400}a{color:#4842b7}footer{width:100%;text-align:center}footer p{font-size:16px}.security-response-id{font-size:14px;color:#999;margin-top:20px;font-family:monospace}</style></head><body><main><p>Sorry, you cannot access this page. Please contact the customer service team.</p><p class="security-response-id">Security Response ID: [security_response_id]</p></main><footer><p>Security provided by <a href="https://www.datadoghq.com/product/security-platform/application-security-monitoring/" target="_blank">Datadog</a></p></footer></body></html>

dd-java-agent/agent-bootstrap/src/main/resources/datadog/trace/bootstrap/blocking/template.json

@@ -1 +1 @@
-{"errors":[{"title":"You've been blocked","detail":"Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}]}
+{"errors":[{"title":"You've been blocked","detail":"Sorry, you cannot access this page. Please contact the customer service team. Security provided by Datadog."}],"security_response_id":"[security_response_id]"}

dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/blocking/BlockingActionHelperSpecification.groovy

@@ -167,4 +167,110 @@ class BlockingActionHelperSpecification extends DDSpecification {
     BlockingActionHelper.reset(Config.get())
     tempDir.deleteDir()
   }
+
+  void 'getTemplate with block_id replaces placeholder in HTML template'() {
+    given:
+    def blockId = '12345678-1234-1234-1234-123456789abc'
+
+    when:
+    def template = BlockingActionHelper.getTemplate(HTML, blockId)
+    def templateStr = new String(template, StandardCharsets.UTF_8)
+
+    then:
+    templateStr.contains("Security Response ID: ${blockId}")
+    !templateStr.contains('[security_response_id]')
+  }
+
+  void 'getTemplate with block_id replaces placeholder in JSON template'() {
+    given:
+    def blockId = '12345678-1234-1234-1234-123456789abc'
+
+    when:
+    def template = BlockingActionHelper.getTemplate(JSON, blockId)
+    def templateStr = new String(template, StandardCharsets.UTF_8)
+
+    then:
+    templateStr.contains("\"security_response_id\":\"${blockId}\"")
+    !templateStr.contains('[security_response_id]')
+  }
+
+  void 'getTemplate without block_id removes block_id field from HTML template'() {
+    when:
+    def template = BlockingActionHelper.getTemplate(HTML, null)
+    def templateStr = new String(template, StandardCharsets.UTF_8)
+
+    then:
+    !templateStr.contains('[security_response_id]')
+    !templateStr.contains('Security Response ID:')
+  }
+
+  void 'getTemplate without block_id removes block_id field from JSON template'() {
+    when:
+    def template = BlockingActionHelper.getTemplate(JSON, null)
+    def templateStr = new String(template, StandardCharsets.UTF_8)
+
+    then:
+    !templateStr.contains('[security_response_id]')
+    !templateStr.contains('"security_response_id"')
+  }
+
+  void 'getTemplate with empty block_id removes block_id field'() {
+    when:
+    def htmlTemplate = BlockingActionHelper.getTemplate(HTML, '')
+    def jsonTemplate = BlockingActionHelper.getTemplate(JSON, '')
+
+    then:
+    !new String(htmlTemplate, StandardCharsets.UTF_8).contains('[security_response_id]')
+    !new String(htmlTemplate, StandardCharsets.UTF_8).contains('Security Response ID:')
+    !new String(jsonTemplate, StandardCharsets.UTF_8).contains('[security_response_id]')
+    !new String(jsonTemplate, StandardCharsets.UTF_8).contains('"security_response_id"')
+  }
+
+  void 'getTemplate with block_id works with custom HTML template'() {
+    setup:
+    File tempDir = File.createTempDir('testTempDir-', '')
+    Config config = Mock(Config)
+    File tempFile = new File(tempDir, 'template.html')
+    tempFile << '<body>Custom template with security_response_id: [security_response_id]</body>'
+    def blockId = 'test-block-id-123'
+
+    when:
+    BlockingActionHelper.reset(config)
+    def template = BlockingActionHelper.getTemplate(HTML, blockId)
+    def templateStr = new String(template, StandardCharsets.UTF_8)
+
+    then:
+    1 * config.getAppSecHttpBlockedTemplateHtml() >> tempFile.toString()
+    1 * config.getAppSecHttpBlockedTemplateJson() >> null
+    templateStr.contains("Custom template with security_response_id: ${blockId}")
+    !templateStr.contains('[security_response_id]')
+
+    cleanup:
+    BlockingActionHelper.reset(Config.get())
+    tempDir.deleteDir()
+  }
+
+  void 'getTemplate with block_id works with custom JSON template'() {
+    setup:
+    File tempDir = File.createTempDir('testTempDir-', '')
+    Config config = Mock(Config)
+    File tempFile = new File(tempDir, 'template.json')
+    tempFile << '{"error":"blocked","id":"[security_response_id]"}'
+    def blockId = 'test-block-id-456'
+
+    when:
+    BlockingActionHelper.reset(config)
+    def template = BlockingActionHelper.getTemplate(JSON, blockId)
+    def templateStr = new String(template, StandardCharsets.UTF_8)
+
+    then:
+    1 * config.getAppSecHttpBlockedTemplateHtml() >> null
+    1 * config.getAppSecHttpBlockedTemplateJson() >> tempFile.toString()
+    templateStr.contains("\"error\":\"blocked\",\"id\":\"${blockId}\"")
+    !templateStr.contains('[security_response_id]')
+
+    cleanup:
+    BlockingActionHelper.reset(Config.get())
+    tempDir.deleteDir()
+  }
 }

dd-java-agent/appsec/build.gradle

@@ -15,7 +15,7 @@ dependencies {
   implementation project(':internal-api')
   implementation project(':communication')
   implementation project(':telemetry')
-  implementation group: 'io.sqreen', name: 'libsqreen', version: '17.2.0'
+  implementation group: 'io.sqreen', name: 'libsqreen', version: '17.3.0'
   implementation libs.moshi
 
   testImplementation libs.bytebuddy

dd-java-agent/appsec/src/main/java/com/datadog/appsec/ddwaf/WAFModule.java

@@ -363,6 +363,7 @@ public void onDataAvailable(
           WafMetricCollector.get().raspRuleMatch(gwCtx.raspRuleType);
         }
 
+        String security_response_id = null;
         for (Map.Entry<String, Map<String, Object>> action : resultWithData.actions.entrySet()) {
           String actionType = action.getKey();
           Map<String, Object> actionParams = action.getValue();
@@ -373,10 +374,14 @@ public void onDataAvailable(
             Flow.Action.RequestBlockingAction rba =
                 createBlockRequestAction(actionInfo, reqCtx, gwCtx.isRasp);
             flow.setAction(rba);
+            // Extract security_response_id from action parameters for use in triggers
+            security_response_id = rba.getSecurityResponseId();
           } else if ("redirect_request".equals(actionInfo.type)) {
             Flow.Action.RequestBlockingAction rba =
                 createRedirectRequestAction(actionInfo, reqCtx, gwCtx.isRasp);
             flow.setAction(rba);
+            // Extract security_response_id from action parameters for use in triggers
+            security_response_id = rba.getSecurityResponseId();
           } else if ("generate_stack".equals(actionInfo.type)) {
             if (Config.get().isAppSecStackTraceEnabled()) {
               String stackId = (String) actionInfo.parameters.get("stack_id");
@@ -412,7 +417,7 @@ public void onDataAvailable(
             }
           }
         }
-        Collection<AppSecEvent> events = buildEvents(resultWithData);
+        Collection<AppSecEvent> events = buildEvents(resultWithData, security_response_id);
         boolean isThrottled = reqCtx.isThrottled(rateLimiter);
 
         if (!isThrottled) {
@@ -477,7 +482,9 @@ private Flow.Action.RequestBlockingAction createBlockRequestAction(
         } catch (IllegalArgumentException iae) {
           log.warn("Unknown content type: {}; using auto", contentType);
         }
-        return new Flow.Action.RequestBlockingAction(statusCode, blockingContentType);
+        String securityResponseId = (String) actionInfo.parameters.get("security_response_id");
+        return new Flow.Action.RequestBlockingAction(
+            statusCode, blockingContentType, Collections.emptyMap(), securityResponseId);
       } catch (RuntimeException cce) {
         log.warn("Invalid blocking action data", cce);
         if (!isRasp) {
@@ -506,7 +513,18 @@ private Flow.Action.RequestBlockingAction createRedirectRequestAction(
         if (location == null) {
           throw new RuntimeException("redirect_request action has no location");
         }
-        return Flow.Action.RequestBlockingAction.forRedirect(statusCode, location);
+        String securityResponseId = (String) actionInfo.parameters.get("security_response_id");
+        if (securityResponseId != null && !securityResponseId.isEmpty()) {
+          // For custom redirects, only replace [security_response_id] placeholder if present in the
+          // URL.
+          // The client decides whether to include security_response_id by adding the placeholder.
+          // We don't automatically append security_response_id as a URL parameter.
+          if (location.contains("[security_response_id]")) {
+            location = location.replace("[security_response_id]", securityResponseId);
+          }
+        }
+        return Flow.Action.RequestBlockingAction.forRedirect(
+            statusCode, location, securityResponseId);
       } catch (RuntimeException cce) {
         log.warn("Invalid blocking action data", cce);
         if (!isRasp) {
@@ -572,7 +590,7 @@ private Waf.ResultWithData runWafTransient(
         new DataBundleMapWrapper(ctxAndAddr.addressesOfInterest, newData), LIMITS, metrics);
   }
 
-  private Collection<AppSecEvent> buildEvents(Waf.ResultWithData actionWithData) {
+  private Collection<AppSecEvent> buildEvents(Waf.ResultWithData actionWithData, String blockId) {
     if (actionWithData.data == null) {
       log.debug(SEND_TELEMETRY, "WAF result data is null");
       return Collections.emptyList();
@@ -590,14 +608,14 @@ private Collection<AppSecEvent> buildEvents(Waf.ResultWithData actionWithData) {
 
     if (listResults != null && !listResults.isEmpty()) {
       return listResults.stream()
-          .map(this::buildEvent)
+          .map(wafResult -> buildEvent(wafResult, blockId))
           .filter(Objects::nonNull)
           .collect(Collectors.toList());
     }
     return emptyList();
   }
 
-  private AppSecEvent buildEvent(WAFResultData wafResult) {
+  private AppSecEvent buildEvent(WAFResultData wafResult, String blockId) {
 
     if (wafResult == null || wafResult.rule == null || wafResult.rule_matches == null) {
       log.warn("WAF result is empty: {}", wafResult);
@@ -615,6 +633,7 @@ private AppSecEvent buildEvent(WAFResultData wafResult) {
         .withRuleMatches(wafResult.rule_matches)
         .withSpanId(spanId)
         .withStackId(wafResult.stack_id)
+        .withSecurityResponseId(blockId)
         .build();
   }
 

dd-java-agent/appsec/src/main/java/com/datadog/appsec/report/AppSecEvent.java

@@ -21,6 +21,9 @@ public class AppSecEvent {
   @com.squareup.moshi.Json(name = "stack_id")
   private String stackId;
 
+  @com.squareup.moshi.Json(name = "security_response_id")
+  private String securityResponseId;
+
   public Rule getRule() {
     return rule;
   }
@@ -37,6 +40,10 @@ public String getStackId() {
     return stackId;
   }
 
+  public String getSecurityResponseId() {
+    return securityResponseId;
+  }
+
   @Override
   public String toString() {
     StringBuilder sb = new StringBuilder();
@@ -58,6 +65,10 @@ public String toString() {
     sb.append("stackId");
     sb.append('=');
     sb.append(((this.stackId == null) ? "<null>" : this.stackId));
+    sb.append(',');
+    sb.append("securityResponseId");
+    sb.append('=');
+    sb.append(((this.securityResponseId == null) ? "<null>" : this.securityResponseId));
     if (sb.charAt((sb.length() - 1)) == ',') {
       sb.setCharAt((sb.length() - 1), ']');
     } else {
@@ -73,6 +84,9 @@ public int hashCode() {
     result = ((result * 31) + ((this.ruleMatches == null) ? 0 : this.ruleMatches.hashCode()));
     result = ((result * 31) + ((this.spanId == null) ? 0 : this.spanId.hashCode()));
     result = ((result * 31) + ((this.stackId == null) ? 0 : this.stackId.hashCode()));
+    result =
+        ((result * 31)
+            + ((this.securityResponseId == null) ? 0 : this.securityResponseId.hashCode()));
     return result;
   }
 
@@ -88,7 +102,8 @@ public boolean equals(Object other) {
     return ((Objects.equals(this.rule, rhs.rule))
         && (Objects.equals(this.ruleMatches, rhs.ruleMatches))
         && (Objects.equals(this.spanId, rhs.spanId))
-        && (Objects.equals(this.stackId, rhs.stackId)));
+        && (Objects.equals(this.stackId, rhs.stackId))
+        && (Objects.equals(this.securityResponseId, rhs.securityResponseId)));
   }
 
   public static class Builder {
@@ -125,5 +140,10 @@ public Builder withStackId(String stackId) {
       this.instance.stackId = stackId;
       return this;
     }
+
+    public Builder withSecurityResponseId(String securityResponseId) {
+      this.instance.securityResponseId = securityResponseId;
+      return this;
+    }
   }
 }