Blocking from a hook is not stopping code execution (#2836)

Author: estringana

appsec/tests/extension/push_params_block_02.phpt

@@ -0,0 +1,43 @@
+--TEST--
+Push address gets blocked even when within a hook
+--INI--
+extension=ddtrace.so
+datadog.appsec.enabled=1
+--FILE--
+<?php
+use function datadog\appsec\testing\{rinit,rshutdown};
+use function datadog\appsec\push_address;
+
+include __DIR__ . '/inc/mock_helper.php';
+
+$helper = Helper::createInitedRun([
+    response_list(response_request_init([[['ok', []]]])),
+    response_list(response_request_exec([[['block', ['status_code' => '404', 'type' => 'html']]], ['{"found":"attack"}','{"another":"attack"}']])),
+]);
+rinit();
+
+class SomeIntegration {
+    public function init()
+    {
+        DDTrace\install_hook("ltrim", self::hooked_function(), null);
+    }
+
+    private static function hooked_function()
+    {
+        return static function (DDTrace\HookData $hook) {
+              push_address("server.request.path_params", ["some" => "params", "more" => "parameters"]);
+              var_dump("This should be executed");
+        };
+    }
+}
+
+$integration = new SomeIntegration();
+$integration->init();
+var_dump(ltrim("     Calling wrapped function"));
+var_dump("THIS SHOULD NOT GET IN THE OUTPUT");
+?>
+--EXPECTHEADERS--
+Status: 404 Not Found
+Content-type: text/html;charset=UTF-8
+--EXPECTF--
+<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>You've been blocked</title><style>a,body,div,html,span{margin:0;padding:0;border:0;font-size:100%;font:inherit;vertical-align:baseline}body{background:-webkit-radial-gradient(26% 19%,circle,#fff,#f4f7f9);background:radial-gradient(circle at 26% 19%,#fff,#f4f7f9);display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-ms-flex-line-pack:center;align-content:center;width:100%;min-height:100vh;line-height:1;flex-direction:column}p{display:block}main{text-align:center;flex:1;display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-ms-flex-pack:center;justify-content:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;-ms-flex-line-pack:center;align-content:center;flex-direction:column}p{font-size:18px;line-height:normal;color:#646464;font-family:sans-serif;font-weight:400}a{color:#4842b7}footer{width:100%;text-align:center}footer p{font-size:16px}</style></head><body><main><p>Sorry, you cannot access this page. Please contact the customer service team.</p></main><footer><p>Security provided by <a href="https://www.datadoghq.com/product/security-platform/application-security-monitoring/" target="_blank">Datadog</a></p></footer></body></html>

appsec/tests/extension/push_params_block_03.phpt

@@ -0,0 +1,43 @@
+--TEST--
+Push address gets blocked even when within a hook
+--INI--
+extension=ddtrace.so
+datadog.appsec.enabled=1
+--FILE--
+<?php
+use function datadog\appsec\testing\{rinit,rshutdown};
+use function datadog\appsec\push_address;
+
+include __DIR__ . '/inc/mock_helper.php';
+
+$helper = Helper::createInitedRun([
+    response_list(response_request_init([[['ok', []]]])),
+    response_list(response_request_exec([[['block', ['status_code' => '404', 'type' => 'html']]], ['{"found":"attack"}','{"another":"attack"}']])),
+]);
+rinit();
+
+class SomeIntegration {
+    public function init()
+    {
+        DDTrace\install_hook("ltrim", self::hooked_function(), null);
+    }
+
+    private static function hooked_function()
+    {
+        return static function (DDTrace\HookData $hook) {
+              push_address("server.request.path_params", ["some" => "params", "more" => "parameters"]);
+              var_dump("This should be executed");
+        };
+    }
+}
+
+$integration = new SomeIntegration();
+$integration->init();
+echo "Something here to force partially booking";
+var_dump(ltrim("     Calling wrapped function"));
+var_dump("THIS SHOULD NOT GET IN THE OUTPUT");
+?>
+--EXPECTHEADERS--
+Content-type: text/html; charset=UTF-8
+--EXPECTF--
+Something here to force partially booking

appsec/tests/extension/push_params_redirect.phpt renamed to appsec/tests/extension/push_params_redirect_01.phpt

@@ -0,0 +1,42 @@
+--TEST--
+Push address gets blocked
+--INI--
+extension=ddtrace.so
+datadog.appsec.enabled=1
+--FILE--
+<?php
+use function datadog\appsec\testing\{rinit,rshutdown};
+use function datadog\appsec\push_address;
+
+include __DIR__ . '/inc/mock_helper.php';
+
+$helper = Helper::createInitedRun([
+    response_list(response_request_init([[['ok', []]]])),
+    response_list(response_request_exec([[['redirect', ['status_code' => '303', 'location' => 'https://datadoghq.com']]], []])),
+]);
+rinit();
+
+class SomeIntegration {
+    public function init()
+    {
+        DDTrace\install_hook("ltrim", self::hooked_function(), null);
+    }
+
+    private static function hooked_function()
+    {
+        return static function (DDTrace\HookData $hook) {
+              push_address("server.request.path_params", ["some" => "params", "more" => "parameters"]);
+              var_dump("This should be executed");
+        };
+    }
+}
+
+$integration = new SomeIntegration();
+$integration->init();
+var_dump(ltrim("     Calling wrapped function"));
+var_dump("THIS SHOULD NOT GET IN THE OUTPUT");
+?>
+--EXPECTHEADERS--
+Status: 303 See Other
+Content-type: text/html; charset=UTF-8
+--EXPECTF--

appsec/tests/extension/push_params_redirect_02.phpt

@@ -6,6 +6,7 @@ extern inline void zai_sandbox_open(zai_sandbox *sandbox);
 extern inline void zai_sandbox_close(zai_sandbox *sandbox);
 extern inline void zai_sandbox_bailout(zai_sandbox *sandbox);
 extern inline bool zai_sandbox_timed_out(void);
+extern inline bool zai_is_request_blocked(void);
 
 extern inline void zai_sandbox_error_state_backup(zai_error_state *es);
 extern inline void zai_sandbox_error_state_restore(zai_error_state *es);

zend_abstract_interface/sandbox/php7/sandbox.c

@@ -7,6 +7,7 @@ extern inline void zai_sandbox_open(zai_sandbox *sandbox);
 extern inline void zai_sandbox_close(zai_sandbox *sandbox);
 extern inline void zai_sandbox_bailout(zai_sandbox *sandbox);
 extern inline bool zai_sandbox_timed_out(void);
+extern inline bool zai_is_request_blocked(void);
 
 extern inline void zai_sandbox_error_state_backup(zai_error_state *es);
 

zend_abstract_interface/sandbox/php8/sandbox.c

@@ -76,7 +76,9 @@
  *
  * This function should be invoked when a bailout has been caught.
  *
- * It will restore engine state and continue in all but the case of a timeout
+ * It will restore engine state and continue in all cases except:
+ * - Timeout
+ * - Request is blocked by the extension
  */
 
 /* ######### Timeout ##########
@@ -218,8 +220,21 @@ inline bool zai_sandbox_timed_out(void) {
     return false;
 }
 
+inline bool zai_is_request_blocked(void)
+{
+    if (!PG(last_error_message)) {
+        return false;
+    }
+
+    if (strstr(ZSTR_VAL(PG(last_error_message)), "Datadog blocked the request") != NULL) {
+        return true;
+    }
+
+    return false;
+}
+
 inline void zai_sandbox_bailout(zai_sandbox *sandbox) {
-    if (!zai_sandbox_timed_out()) {
+    if (!zai_sandbox_timed_out() && !zai_is_request_blocked()) {
         zai_sandbox_engine_state_restore(&sandbox->engine_state);
 
         return;
@@ -356,8 +371,21 @@ inline bool zai_sandbox_timed_out(void) {
     return false;
 }
 
+inline bool zai_is_request_blocked(void)
+{
+    if (!PG(last_error_message)) {
+        return false;
+    }
+
+    if (strstr(PG(last_error_message), "Datadog blocked the request") != NULL) {
+        return true;
+    }
+
+    return false;
+}
+
 inline void zai_sandbox_bailout(zai_sandbox *sandbox) {
-    if (!zai_sandbox_timed_out()) {
+    if (!zai_sandbox_timed_out() && !zai_is_request_blocked()) {
         zai_sandbox_engine_state_restore(&sandbox->engine_state);
 
         return;