chore(aap): replace callbacks dict with typed block_callable attribut… (#16784)

christophe-papazian · web-flow · commit 304595cd8b6b · 2026-03-10T10:31:42.000Z
APPSEC-61618

## Summary

  - Replace the generic `callbacks` dict on `ASM_Environment` with a typed `block_callable` attribute, removing the indirect `get_value`/`set_value` pattern for storing the block request callable
  - Move `_block_request_callable` from `ddtrace/contrib/internal/flask/patch.py` into `ddtrace/appsec/_contrib/flask/__init__.py` as `_flask_block_request_callable`, keeping Flask-specific blocking logic in the appsec Flask module
  - Add `_make_block_response()` which returns a `(body, status, headers)` tuple instead of raising via `abort()`, preventing Flask's traced error handlers (`handle_exception`, `handle_http_exception`) from creating extra spans that lack fingerprint tags

  ## Motivation

  The `callbacks` dict on `ASM_Environment` was a loosely-typed bag used to store a single block callable. Replacing it with a typed `block_callable: Optional[Callable]` attribute:
  - Makes the data model explicit and easier to reason about
  - Removes unused `_CALLBACKS` and `_BLOCK_CALL` constants
  - Eliminates `get_value`/`set_value` indirection for this specific use case

  The `_make_block_response()` function fixes system test failures (`test_fingerprinting_network_block`, `test_fingerprinting_header_block`, `test_fingerprinting_endpoint_blocking`, `test_session_blocking`) where fingerprint tags were missing from some spans. The root cause was `abort()` raising an `HTTPException`, which triggered Flask's traced `handle_exception`/`handle_http_exception` handlers, creating extra spans
  without `_dd.appsec.fp.http.*` tags. Returning a tuple avoids Flask's error handling entirely.

  ## Changes

  - **`ddtrace/appsec/_asm_request_context.py`**: Replace `self.callbacks: dict` with `self.block_callable: Optional[Callable]`. Update `set_block_request_callable()` and `block_request()` to use the attribute directly. Remove `_CALLBACKS` and `_BLOCK_CALL` constants.
  - **`ddtrace/appsec/_contrib/flask/__init__.py`**: Add `_make_block_response()` (returns tuple) and `_flask_block_request_callable()` (uses `abort()`). Use `_make_block_response` in `_on_wrapped_view` for path-parameter blocking. Remove `get_value`/`set_value` imports.
  - **`ddtrace/contrib/internal/flask/patch.py`**: Remove `_block_request_callable()` and the `block_request_callable` context item (now handled by the appsec Flask module).
  - **`tests/appsec/appsec/test_asm_request_context.py`**: Update tests to use `env.block_callable` instead of `get_value("callbacks", "block")`.
  - **`tests/appsec/integrations/flask_tests/test_appsec_flask.py`**: Use `get_triggers()` to extract the actual `block_id` from WAF triggers instead of hardcoding `"default"`.

Co-authored-by: christophe.papazian &lt;christophe.papazian@datadoghq.com&gt;
diff --git a/ddtrace/appsec/_asm_request_context.py b/ddtrace/appsec/_asm_request_context.py
@@ -66,10 +66,8 @@ class WARNING_TAGS(metaclass=Constant_Class):
 
 _ASM_CONTEXT: Literal["_asm_env"] = "_asm_env"
 _WAF_ADDRESSES: Literal["waf_addresses"] = "waf_addresses"
-_CALLBACKS: Literal["callbacks"] = "callbacks"
 _TELEMETRY: Literal["telemetry"] = "telemetry"
 _CONTEXT_CALL: Literal["context"] = "context"
-_BLOCK_CALL: Literal["block"] = "block"
 
 
 GLOBAL_CALLBACKS: dict[str, list[Callable]] = {_CONTEXT_CALL: []}
@@ -114,7 +112,7 @@ def __init__(
         self.waf_info: Optional[Callable[[], "DDWaf_info"]] = None
         self.waf_addresses: dict[str, Any] = {}
         self.waf_callable: Optional[WafCallable] = waf_callable
-        self.callbacks: dict[str, Any] = {}
+        self.block_callable: Optional[Callable[[], None]] = None
         self.telemetry: Telemetry_result = Telemetry_result()
         self.addresses_sent: set[str] = set()
         self.waf_triggers: list[dict[str, Any]] = []
@@ -337,7 +335,7 @@ def finalize_asm_env(env: ASM_Environment) -> None:
             entry_span._set_tag_str(APPSEC.RC_PRODUCTS, env.rc_products)
 
     # Manually clear reference cycles to simplify the work for the GC
-    env.callbacks.clear()
+    env.block_callable = None
     env.waf_callable = None
     core.discard_local_item(_ASM_CONTEXT)
 
@@ -435,10 +433,10 @@ def call_waf_callback(
     env = get_active_asm_context()
     if env is not None and env.waf_callable is not None:
         return env.waf_callable(custom_data, crop_trace, rule_type, force_sent)
-    else:
-        logger.warning(WARNING_TAGS.CALL_WAF_CALLBACK_NOT_SET, extra=log_extra, stack_info=True)
-        report_error_on_entry_span("appsec::instrumentation::diagnostic", WARNING_TAGS.CALL_WAF_CALLBACK_NOT_SET)
-        return None
+
+    logger.warning(WARNING_TAGS.CALL_WAF_CALLBACK_NOT_SET, extra=log_extra, stack_info=True)
+    report_error_on_entry_span("appsec::instrumentation::diagnostic", WARNING_TAGS.CALL_WAF_CALLBACK_NOT_SET)
+    return None
 
 
 def call_waf_callback_no_instrumentation() -> None:
@@ -482,23 +480,25 @@ def get_headers_case_sensitive() -> bool:
     return get_value(_WAF_ADDRESSES, SPAN_DATA_NAMES.REQUEST_HEADERS_NO_COOKIES_CASE, False)  # type : ignore
 
 
-def set_block_request_callable(_callable: Optional[Callable[[], Any]], *_: Any) -> None:
+def set_block_request_callable(block_callable: Optional[Callable[[], None]]) -> None:
     """
     Sets a callable that could be use to do a best-effort to block the request. If
     the callable need any params, like headers, they should be curried with
     functools.partial.
     """
-    if asm_config._asm_enabled and _callable:
-        set_value(_CALLBACKS, _BLOCK_CALL, _callable)
+    if asm_config._asm_enabled and block_callable:
+        env = get_active_asm_context()
+        if env is not None:
+            env.block_callable = block_callable
 
 
 def block_request() -> None:
     """
     Calls or returns the stored block request callable, if set.
     """
-    _callable = get_value(_CALLBACKS, _BLOCK_CALL)
-    if _callable:
-        _callable()
+    env = get_active_asm_context()
+    if env is not None and env.block_callable is not None:
+        env.block_callable()
     else:
         logger.warning(WARNING_TAGS.BLOCK_REQUEST_NOT_CALLABLE, extra=log_extra, stack_info=True)
 
@@ -515,7 +515,7 @@ def asm_request_context_set(
     remote_ip: Optional[str] = None,
     headers: Any = None,
     headers_case_sensitive: bool = False,
-    block_request_callable: Optional[Callable] = None,
+    block_request_callable: Optional[Callable[[], None]] = None,
 ) -> None:
     set_ip(remote_ip)
     set_headers(headers)
diff --git a/ddtrace/appsec/_contrib/django/__init__.py b/ddtrace/appsec/_contrib/django/__init__.py
@@ -194,4 +194,4 @@ def listen():
     core.on("django.after_request_headers.finalize", _set_headers_and_response)
 
     core.on("context.ended.django.traced_get_response", _on_context_ended)
-    core.on("django.traced_get_response.pre", set_block_request_callable)
+    core.on("django.traced_get_response.pre", lambda block_callable, *_: set_block_request_callable(block_callable))
diff --git a/ddtrace/appsec/_contrib/flask/__init__.py b/ddtrace/appsec/_contrib/flask/__init__.py
@@ -1,17 +1,15 @@
 import io
 import json
 
-from ddtrace.appsec._asm_request_context import _CALLBACKS
 from ddtrace.appsec._asm_request_context import _call_waf_first
 from ddtrace.appsec._asm_request_context import _on_context_ended
 from ddtrace.appsec._asm_request_context import _set_headers_and_response
+from ddtrace.appsec._asm_request_context import block_request
 from ddtrace.appsec._asm_request_context import call_waf_callback
 from ddtrace.appsec._asm_request_context import get_blocked
-from ddtrace.appsec._asm_request_context import get_value
 from ddtrace.appsec._asm_request_context import in_asm_context
 from ddtrace.appsec._asm_request_context import is_blocked
 from ddtrace.appsec._asm_request_context import set_block_request_callable
-from ddtrace.appsec._asm_request_context import set_value
 from ddtrace.appsec._asm_request_context import set_waf_address
 from ddtrace.appsec._utils import Block_config
 from ddtrace.contrib import trace_utils
@@ -122,6 +120,24 @@ def _on_start_response_blocked(ctx, flask_config, response_headers, status):
     trace_utils.set_http_meta(ctx["req_span"], flask_config, status_code=status, response_headers=response_headers)
 
 
+def _make_block_response():
+    """Build a blocked response as a tuple (body, status, headers).
+
+    Returning a tuple avoids Flask's error handling (handle_exception,
+    handle_http_exception) which would create extra spans without
+    fingerprint tags.
+    """
+    from ddtrace.internal.utils import get_blocked as _get_blocked
+
+    block_config = _get_blocked()
+    ctype = block_config.content_type if block_config else "application/json"
+    block_id = block_config.block_id if block_config else "(default)"
+    status = block_config.status_code if block_config else 403
+    if block_config and block_config.type == "none":
+        return b"", status, {"location": block_config.location}
+    return http_utils._get_blocked_template(ctype, block_id), status, {"content-type": ctype}
+
+
 def _on_wrapped_view(kwargs):
     callback_block = None
     # if Appsec is enabled, we can try to block as we have the path parameters at that point
@@ -131,19 +147,35 @@ def _on_wrapped_view(kwargs):
             set_waf_address(REQUEST_PATH_PARAMS, kwargs)
         call_waf_callback()
         if is_blocked():
-            callback_block = get_value(_CALLBACKS, "flask_block")
+            callback_block = _make_block_response
     return callback_block
 
 
+def _flask_block_request_callable(span):
+    import flask
+    from werkzeug.exceptions import abort
+
+    from ddtrace.internal.utils import get_blocked as _get_blocked
+    from ddtrace.internal.utils import set_blocked as _set_blocked
+
+    if not _get_blocked():
+        _set_blocked()
+    core.dispatch("flask.blocked_request_callable", (span,))
+    block_config = _get_blocked()
+    ctype = block_config.content_type if block_config else "application/json"
+    block_id = block_config.block_id if block_config else "(default)"
+    status = block_config.status_code if block_config else 403
+    if block_config and block_config.type == "none":
+        abort(flask.Response(b"", status=status, headers={"location": block_config.location}))
+    else:
+        abort(flask.Response(http_utils._get_blocked_template(ctype, block_id), content_type=ctype, status=status))
+
+
 def _on_pre_tracedrequest(ctx):
     import functools
 
-    current_span = ctx.span
-    block_request_callable = ctx.get_item("block_request_callable")
     if asm_config._asm_enabled:
-        from ddtrace.appsec._asm_request_context import block_request
-
-        set_block_request_callable(functools.partial(block_request_callable, current_span))
+        set_block_request_callable(functools.partial(_flask_block_request_callable, ctx.span))
         if get_blocked():
             block_request()
 
@@ -152,7 +184,6 @@ def _on_block_decided(callback):
     if not asm_config._asm_enabled:
         return
 
-    set_value(_CALLBACKS, "flask_block", callback)
     core.on("flask.block.request.content", callback, "block_requested")
 
 
diff --git a/ddtrace/contrib/internal/flask/patch.py b/ddtrace/contrib/internal/flask/patch.py
@@ -4,7 +4,6 @@
 import werkzeug
 from werkzeug.exceptions import BadRequest
 from werkzeug.exceptions import NotFound
-from werkzeug.exceptions import abort
 
 from ddtrace.contrib import trace_utils
 from ddtrace.ext import SpanTypes
@@ -16,8 +15,6 @@
 from ddtrace.internal.schema import schematize_url_operation
 from ddtrace.internal.schema.span_attribute_schema import SpanDirection
 from ddtrace.internal.utils import get_blocked
-from ddtrace.internal.utils import http as http_utils
-from ddtrace.internal.utils import set_blocked
 
 
 # Not all versions of flask/werkzeug have this mixin
@@ -543,15 +540,6 @@ def _wrap(code_or_exception, f):
     return _wrap(*args, **kwargs)
 
 
-def _block_request_callable(call):
-    set_blocked()
-    core.dispatch("flask.blocked_request_callable", (call,))
-    block_config = get_blocked()
-    ctype = block_config.content_type if block_config else "application/json"
-    block_id = block_config.block_id if block_config else "(default)"
-    abort(flask.Response(http_utils._get_blocked_template(ctype, block_id), content_type=ctype, status=403))
-
-
 def request_patcher(name):
     @with_instance_pin
     def _patched_request(pin, wrapped, instance, args, kwargs):
@@ -563,7 +551,6 @@ def _patched_request(pin, wrapped, instance, args, kwargs):
                 service=trace_utils.int_service(pin, config.flask, pin),
                 flask_config=config.flask,
                 flask_request=flask.request,
-                block_request_callable=_block_request_callable,
                 ignored_exception_type=NotFound,
                 tags={COMPONENT: config.flask.integration_name},
             ) as ctx,
diff --git a/tests/appsec/appsec/test_asm_request_context.py b/tests/appsec/appsec/test_asm_request_context.py
@@ -25,10 +25,11 @@ def test_context_set_and_reset():
         assert _asm_request_context.get_ip() == _TEST_IP
         assert _asm_request_context.get_headers() == _TEST_HEADERS
         assert _asm_request_context.get_headers_case_sensitive()
-        assert _asm_request_context.get_value("callbacks", "block") is not None
+        env = _asm_request_context.get_active_asm_context()
+        assert env is not None and env.block_callable is not None
     assert _asm_request_context.get_ip() is None
     assert _asm_request_context.get_headers() == {}
-    assert _asm_request_context.get_value("callbacks", "block") is None
+    assert _asm_request_context.get_active_asm_context() is None
     assert not _asm_request_context.get_headers_case_sensitive()
     with asm_context(
         ip_addr=_TEST_IP,
@@ -64,8 +65,10 @@ def _callable():
 
     with asm_context(config=config_asm):
         _asm_request_context.set_block_request_callable(_callable)
-        assert _asm_request_context.get_value("callbacks", "block")() == 42
-    assert not _asm_request_context.get_value("callbacks", "block")
+        env = _asm_request_context.get_active_asm_context()
+        assert env is not None and env.block_callable is not None
+        assert env.block_callable() == 42
+    assert _asm_request_context.get_active_asm_context() is None
 
 
 def test_call_block_callable_curried():
@@ -102,11 +105,13 @@ def test_asm_request_context_manager():
         assert _asm_request_context.get_ip() == _TEST_IP
         assert _asm_request_context.get_headers() == _TEST_HEADERS
         assert _asm_request_context.get_headers_case_sensitive()
-        assert _asm_request_context.get_value("callbacks", "block")() == 42
+        env = _asm_request_context.get_active_asm_context()
+        assert env is not None and env.block_callable is not None
+        assert env.block_callable() == 42
 
     assert _asm_request_context.get_ip() is None
     assert _asm_request_context.get_headers() == {}
-    assert _asm_request_context.get_value("callbacks", "block") is None
+    assert _asm_request_context.get_active_asm_context() is None
     assert not _asm_request_context.get_headers_case_sensitive()
 
 
diff --git a/tests/appsec/contrib_appsec/db.sqlite3 b/tests/appsec/contrib_appsec/db.sqlite3
diff --git a/tests/appsec/integrations/flask_tests/test_appsec_flask.py b/tests/appsec/integrations/flask_tests/test_appsec_flask.py
@@ -2,6 +2,7 @@
 
 from ddtrace.appsec._constants import SPAN_DATA_NAMES
 from ddtrace.appsec._trace_utils import block_request_if_user_blocked
+from ddtrace.appsec._utils import get_triggers
 from ddtrace.contrib.internal.sqlite3.patch import patch
 from ddtrace.ext import http
 from ddtrace.internal import constants
@@ -70,8 +71,11 @@ def test_route(user_id):
             self._aux_appsec_prepare_tracer()
             resp = self.client.get("/checkuser/%s" % _BLOCKED_USER)
             assert resp.status_code == 403
-            assert get_response_body(resp) == _format_template(constants.BLOCKED_RESPONSE_JSON, "default")
             root_span = self.pop_spans()[0]
+            triggers = get_triggers(root_span)
+            assert triggers is not None
+            block_id = triggers[0].get("security_response_id", "default")
+            assert get_response_body(resp) == _format_template(constants.BLOCKED_RESPONSE_JSON, block_id)
             assert root_span.get_tag(http.STATUS_CODE) == "403"
             assert root_span.get_tag(http.URL) == "http://localhost/checkuser/%s" % _BLOCKED_USER
             assert root_span.get_tag(http.METHOD) == "GET"
@@ -82,7 +86,11 @@ def test_route(user_id):
 
             resp = self.client.get("/checkuser/%s" % _BLOCKED_USER, headers={"Accept": "text/html"})
             assert resp.status_code == 403
-            assert get_response_body(resp) == _format_template(constants.BLOCKED_RESPONSE_HTML, "default")
+            root_span = self.pop_spans()[0]
+            triggers = get_triggers(root_span)
+            assert triggers is not None
+            block_id = triggers[0].get("security_response_id", "default")
+            assert get_response_body(resp) == _format_template(constants.BLOCKED_RESPONSE_HTML, block_id)
 
             resp = self.client.get("/checkuser/%s" % _ALLOWED_USER, headers={"Accept": "text/html"})
             assert resp.status_code == 200
