WIP

Author: jandro996

manifests/cpp_nginx.yml

@@ -65,10 +65,11 @@ tests/:
         Test_Blocking: v1.2.0
         Test_Blocking_strip_response_headers: irrelevant (no response headers on 1st waf run, which is where blocking is possible)
         Test_CustomBlockingResponse: v1.2.0
-      test_blocking_block_id.py:
-        Test_BlockId_Custom_Redirect: missing_feature
-        Test_BlockId_HTML_Response: missing_feature
-        Test_BlockId_JSON_Response: missing_feature
+      test_blocking_security_response_id.py:
+        Test_SecurityResponseId_Custom_Redirect: missing_feature
+        Test_SecurityResponseId_HTML_Response: missing_feature
+        Test_SecurityResponseId_In_Span_Triggers: missing_feature
+        Test_SecurityResponseId_JSON_Response: missing_feature
       test_custom_rules.py:
         Test_CustomRules: v1.2.0
       test_exclusions.py:

manifests/dotnet.yml

@@ -302,10 +302,11 @@ tests/:
         Test_Blocking: v2.27.0
         Test_Blocking_strip_response_headers: missing_feature
         Test_CustomBlockingResponse: v3.10.0
-      test_blocking_block_id.py:
-        Test_BlockId_Custom_Redirect: missing_feature
-        Test_BlockId_HTML_Response: missing_feature
-        Test_BlockId_JSON_Response: missing_feature
+      test_blocking_security_response_id.py:
+        Test_SecurityResponseId_Custom_Redirect: missing_feature
+        Test_SecurityResponseId_HTML_Response: missing_feature
+        Test_SecurityResponseId_In_Span_Triggers: missing_feature
+        Test_SecurityResponseId_JSON_Response: missing_feature
       test_custom_rules.py:
         Test_CustomRules: v2.30.0
       test_exclusions.py:

manifests/golang.yml

@@ -350,10 +350,11 @@ tests/:
         Test_Blocking: v1.50.0-rc.1
         Test_Blocking_strip_response_headers: missing_feature
         Test_CustomBlockingResponse: v1.63.0
-      test_blocking_block_id.py:
-        Test_BlockId_Custom_Redirect: missing_feature
-        Test_BlockId_HTML_Response: missing_feature
-        Test_BlockId_JSON_Response: missing_feature
+      test_blocking_security_response_id.py:
+        Test_SecurityResponseId_Custom_Redirect: missing_feature
+        Test_SecurityResponseId_HTML_Response: missing_feature
+        Test_SecurityResponseId_In_Span_Triggers: missing_feature
+        Test_SecurityResponseId_JSON_Response: missing_feature
       test_custom_rules.py:
         Test_CustomRules: v1.51.0
       test_exclusions.py:

manifests/java.yml

@@ -1148,14 +1148,17 @@ tests/:
           akka-http: v1.22.0
           play: v1.22.0
           spring-boot-3-native: irrelevant (GraalVM. Tracing support only)
-      test_blocking_block_id.py:
-        Test_BlockId_Custom_Redirect:
+      test_blocking_security_response_id.py:
+        Test_SecurityResponseId_Custom_Redirect:
           '*': missing_feature
           spring-boot-3-native: irrelevant (GraalVM. Tracing support only)
-        Test_BlockId_HTML_Response:
+        Test_SecurityResponseId_HTML_Response:
           '*': missing_feature
           spring-boot-3-native: irrelevant (GraalVM. Tracing support only)
-        Test_BlockId_JSON_Response:
+        Test_SecurityResponseId_In_Span_Triggers:
+          '*': missing_feature
+          spring-boot-3-native: irrelevant (GraalVM. Tracing support only)
+        Test_SecurityResponseId_JSON_Response:
           '*': missing_feature
           spring-boot-3-native: irrelevant (GraalVM. Tracing support only)
       test_custom_rules.py:

manifests/nodejs.yml

@@ -766,10 +766,11 @@ tests/:
         Test_Blocking: *ref_3_19_0
         Test_Blocking_strip_response_headers: *ref_5_17_0
         Test_CustomBlockingResponse: *ref_5_15_0
-      test_blocking_block_id.py:
-        Test_BlockId_Custom_Redirect: missing_feature
-        Test_BlockId_HTML_Response: missing_feature
-        Test_BlockId_JSON_Response: missing_feature
+      test_blocking_security_response_id.py:
+        Test_SecurityResponseId_Custom_Redirect: missing_feature
+        Test_SecurityResponseId_HTML_Response: missing_feature
+        Test_SecurityResponseId_In_Span_Triggers: missing_feature
+        Test_SecurityResponseId_JSON_Response: missing_feature
       test_custom_rules.py:
         Test_CustomRules:
           '*': *ref_4_1_0

manifests/php.yml

@@ -312,10 +312,11 @@ tests/:
         Test_Blocking: missing_feature  # v0.86.0
         Test_Blocking_strip_response_headers: missing_feature
         Test_CustomBlockingResponse: missing_feature  # v0.86.0
-      test_blocking_block_id.py:
-        Test_BlockId_Custom_Redirect: missing_feature
-        Test_BlockId_HTML_Response: missing_feature
-        Test_BlockId_JSON_Response: missing_feature
+      test_blocking_security_response_id.py:
+        Test_SecurityResponseId_Custom_Redirect: missing_feature
+        Test_SecurityResponseId_HTML_Response: missing_feature
+        Test_SecurityResponseId_In_Span_Triggers: missing_feature
+        Test_SecurityResponseId_JSON_Response: missing_feature
       test_custom_rules.py:
         Test_CustomRules: v0.87.2
       test_exclusions.py:

manifests/python.yml

@@ -452,10 +452,11 @@ tests/:
         Test_CustomBlockingResponse:
           '*': v1.20.0
           fastapi: v2.4.0
-      test_blocking_block_id.py:
-        Test_BlockId_Custom_Redirect: missing_feature
-        Test_BlockId_HTML_Response: missing_feature
-        Test_BlockId_JSON_Response: missing_feature
+      test_blocking_security_response_id.py:
+        Test_SecurityResponseId_Custom_Redirect: missing_feature
+        Test_SecurityResponseId_HTML_Response: missing_feature
+        Test_SecurityResponseId_In_Span_Triggers: missing_feature
+        Test_SecurityResponseId_JSON_Response: missing_feature
       test_custom_rules.py:
         Test_CustomRules:
           '*': v1.16.1

manifests/ruby.yml

@@ -345,10 +345,11 @@ tests/:
         Test_Blocking: v1.11.0
         Test_Blocking_strip_response_headers: v1.13.0
         Test_CustomBlockingResponse: v1.15.0
-      test_blocking_block_id.py:
-        Test_BlockId_Custom_Redirect: missing_feature
-        Test_BlockId_HTML_Response: missing_feature
-        Test_BlockId_JSON_Response: missing_feature
+      test_blocking_security_response_id.py:
+        Test_SecurityResponseId_Custom_Redirect: missing_feature
+        Test_SecurityResponseId_HTML_Response: missing_feature
+        Test_SecurityResponseId_In_Span_Triggers: missing_feature
+        Test_SecurityResponseId_JSON_Response: missing_feature
       test_custom_rules.py:
         Test_CustomRules: v1.12.0
       test_exclusions.py:

tests/appsec/waf/test_blocking.py

@@ -2,7 +2,11 @@
 
 from utils import interfaces, bug, scenarios, weblog, rfc, missing_feature, flaky, features
 from utils._context.core import context
-from .test_blocking_block_id import is_valid_uuid4, extract_block_id_from_json, extract_block_id_from_html
+from .test_blocking_security_response_id import (
+    is_valid_uuid4,
+    extract_security_response_id_from_json,
+    extract_security_response_id_from_html,
+)
 
 
 BLOCK_TEMPLATE_JSON_MIN_V1 = "blocked.v1.min.json"
@@ -17,35 +21,35 @@ def _read_file(file_path: str) -> str:
 
 
 def _is_valid_json_v3_template(body: str) -> bool:
-    """Check if body matches v3 JSON template with valid dynamic block_id
+    """Check if body matches v3 JSON template with valid dynamic security_response_id
 
-    RFC-1070: Uses the actual block_id from the response for validation
+    RFC-1070: Uses the actual security_response_id from the response for validation
     """
-    # Extract and validate block_id from actual response
-    block_id = extract_block_id_from_json(body)
-    if block_id is None or not is_valid_uuid4(block_id):
+    # Extract and validate security_response_id from actual response
+    security_response_id = extract_security_response_id_from_json(body)
+    if security_response_id is None or not is_valid_uuid4(security_response_id):
         return False
 
-    # Build expected response by injecting the actual block_id into the template
+    # Build expected response by injecting the actual security_response_id into the template
     v3_template = _read_file(BLOCK_TEMPLATE_JSON_MIN_V3).rstrip()
-    expected_response = v3_template.replace("00000000-0000-4000-8000-000000000000", block_id)
+    expected_response = v3_template.replace("00000000-0000-4000-8000-000000000000", security_response_id)
 
     return body.rstrip() == expected_response
 
 
 def _is_valid_html_v3_template(body: str) -> bool:
-    """Check if body matches v3 HTML template with valid dynamic block_id
+    """Check if body matches v3 HTML template with valid dynamic security_response_id
 
-    RFC-1070: Uses the actual block_id from the response for validation
+    RFC-1070: Uses the actual security_response_id from the response for validation
     """
-    # Extract and validate block_id from actual response
-    block_id = extract_block_id_from_html(body)
-    if block_id is None or not is_valid_uuid4(block_id):
+    # Extract and validate security_response_id from actual response
+    security_response_id = extract_security_response_id_from_html(body)
+    if security_response_id is None or not is_valid_uuid4(security_response_id):
         return False
 
-    # Build expected response by injecting the actual block_id into the template
+    # Build expected response by injecting the actual security_response_id into the template
     v3_template = _read_file(BLOCK_TEMPLATE_HTML_MIN_V3).rstrip()
-    expected_response = v3_template.replace("00000000-0000-4000-8000-000000000000", block_id)
+    expected_response = v3_template.replace("00000000-0000-4000-8000-000000000000", security_response_id)
 
     return body.rstrip() == expected_response
 
@@ -61,7 +65,7 @@ def assert_valid_html_blocked_template(body: str) -> None:
         _read_file(BLOCK_TEMPLATE_HTML_MIN_V2),
     }
 
-    # Check for v3 template with dynamic block_id
+    # Check for v3 template with dynamic security_response_id
     assert body in valid_templates or _is_valid_html_v3_template(body)
 
 
@@ -77,7 +81,7 @@ def assert_valid_json_blocked_template(body: str) -> None:
         _read_file(BLOCK_TEMPLATE_JSON_MIN_V1).rstrip(),
     }
 
-    # Check for v3 template with dynamic block_id
+    # Check for v3 template with dynamic security_response_id
     assert body in valid_templates or _is_valid_json_v3_template(body)
 
 
@@ -222,19 +226,19 @@ def setup_json_template_v1(self):
     @missing_feature(context.library < "python@2.11.0.dev")
     @missing_feature(library="ruby")
     def test_json_template_v1(self):
-        """JSON block template is v1 minified (or v3 with block_id)"""
+        """JSON block template is v1 minified (or v3 with security_response_id)"""
         assert self.r_json_v1.status_code == 403
         assert self.r_json_v1.headers.get("content-type", "").lower() in JSON_CONTENT_TYPES
 
-        # Accept v1 template without block_id or v3 template with block_id
+        # Accept v1 template without security_response_id or v3 template with security_response_id
         response_text = self.r_json_v1.text.rstrip()
         v1_template = _read_file(BLOCK_TEMPLATE_JSON_MIN_V1).rstrip()
 
         # Check if it's v1 template
         if response_text == v1_template:
             return
 
-        # Check if it's v3 template with valid block_id
+        # Check if it's v3 template with valid security_response_id
         assert _is_valid_json_v3_template(self.r_json_v1.text), "Response doesn't match v1 or v3 template"
 
     def setup_html_template_v2(self):
@@ -247,19 +251,19 @@ def setup_html_template_v2(self):
     @missing_feature(context.library < "python@2.11.0.dev")
     @missing_feature(library="ruby")
     def test_html_template_v2(self):
-        """HTML block template is v2 minified (or v3 with block_id)"""
+        """HTML block template is v2 minified (or v3 with security_response_id)"""
         assert self.r_html_v2.status_code == 403
         assert self.r_html_v2.headers.get("content-type", "").lower() in HTML_CONTENT_TYPES
 
-        # Accept v2 template without block_id or v3 template with block_id
+        # Accept v2 template without security_response_id or v3 template with security_response_id
         response_text = self.r_html_v2.text
         v2_template = _read_file(BLOCK_TEMPLATE_HTML_MIN_V2)
 
         # Check if it's v2 template
         if response_text == v2_template:
             return
 
-        # Check if it's v3 template with valid block_id
+        # Check if it's v3 template with valid security_response_id
         assert _is_valid_html_v3_template(self.r_html_v2.text), "Response doesn't match v2 or v3 template"