DataDog · andrewlock · Dec 4, 2023 · Dec 1, 2023 · Dec 4, 2023 · Dec 4, 2023
@@ -3,6 +3,8 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2017 Datadog, Inc.
 // </copyright>
 
+#nullable enable
+
 #if !NETFRAMEWORK
 
 using Datadog.Trace.AppSec;
@@ -21,9 +23,11 @@ public void OnActionExecuting(ActionExecutingContext context)
     public void OnActionExecuted(ActionExecutedContext context)
     {
         var security = Security.Instance;
-        if (security.Enabled && context.Result.TryDuckCast<ObjectResult>(out var result))
+        if (security.Enabled
+            && context.Result.TryDuckCast<ObjectResult>(out var result)
+            && result.Value is not null
+            && Tracer.Instance.ActiveScope.Span is Span currentSpan)
         {
-            var currentSpan = Tracer.Instance.ActiveScope.Span as Span;
             security.CheckBody(context.HttpContext, currentSpan, result.Value, response: true);
         }
     }

@@ -3,10 +3,12 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2017 Datadog, Inc.
 // </copyright>
 
+#nullable enable
+
 namespace Datadog.Trace.ClrProfiler.AutoInstrumentation.AspNetCore;
 
 [DuckTyping.DuckCopy]
 internal struct ObjectResult
 {
-    public object Value;
+    public object? Value;
 }
@@ -49,6 +49,7 @@ public override void Dispose()
     [Trait("RunOnWindows", "True")]
     [InlineData("/dataapi/model", """{"property":"dummy_rule", "property2":"test2", "property3": 2, "property4": 3}""", HttpStatusCode.Forbidden, true)]
     [InlineData("/dataapi/model", """{"property":"test", "property2":"test2", "property3": 2, "property4": 2}""", HttpStatusCode.OK, false)]
+    [InlineData("/dataapi/empty-model", """{"property":"test", "property2":"test2", "property3": 2, "property4": 2}""", HttpStatusCode.NoContent, false)]
     public async Task TestApiSecurityScan(string url, string body, HttpStatusCode expectedStatusCode, bool containsAttack)
     {
         await TryStartApp();
@@ -58,6 +59,13 @@ public async Task TestApiSecurityScan(string url, string body, HttpStatusCode ex
         var dateTime = DateTime.UtcNow;
         var result = await SubmitRequest(url, body, "application/json");
         var spans = agent.WaitForSpans(2, minDateTime: dateTime);
+#if !NET8_O_OR_GREATER
+        // Simple scrubber for the response content type in .NET 8
+        // .NET 8 doesn't add the content-length header, whereas previous versions do
+        settings.AddSimpleScrubber(
+            """_dd.appsec.s.res.headers: [{"content-length":[[[8]],{"len":1}]}],""",
+            """_dd.appsec.s.res.headers: [{}],""");
+#endif
         await VerifySpans(spans, settings);
     }
 

@@ -0,0 +1,57 @@
+[
+  {
+    TraceId: Id_1,
+    SpanId: Id_2,
+    Name: aspnet_core_mvc.request,
+    Resource: POST /dataapi/empty-model,
+    Service: Samples.Security.AspNetCore2,
+    Type: web,
+    ParentId: Id_3,
+    Tags: {
+      aspnet_core.action: emptymodel,
+      aspnet_core.controller: dataapi,
+      aspnet_core.route: dataapi/empty-model,
+      component: aspnet_core,
+      env: integration_tests,
+      language: dotnet,
+      span.kind: server,
+      _dd.git.commit.sha: aaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbb,
+      _dd.git.repository_url: https://github.com/DataDog/dd-trace-dotnet
+    }
+  },
+  {
+    TraceId: Id_1,
+    SpanId: Id_3,
+    Name: aspnet_core.request,
+    Resource: POST /dataapi/empty-model,
+    Service: Samples.Security.AspNetCore2,
+    Type: web,
+    Tags: {
+      aspnet_core.route: dataapi/empty-model,
+      component: aspnet_core,
+      env: integration_tests,
+      http.client_ip: 127.0.0.1,
+      http.method: POST,
+      http.request.headers.host: localhost:00000,
+      http.route: dataapi/empty-model,
+      http.status_code: 204,
+      http.url: http://localhost:00000/dataapi/empty-model,
+      http.useragent: Mistake Not...,
+      language: dotnet,
+      network.client.ip: 127.0.0.1,
+      runtime-id: Guid_1,
+      span.kind: server,
+      _dd.git.commit.sha: aaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbb,
+      _dd.git.repository_url: https://github.com/DataDog/dd-trace-dotnet,
+      _dd.runtime_family: dotnet
+    },
+    Metrics: {
+      process_id: 0,
+      _dd.agent_psr: 1.0,
+      _dd.appsec.enabled: 1.0,
+      _dd.top_level: 1.0,
+      _dd.tracer_kr: 1.0,
+      _sampling_priority_v1: 1.0
+    }
+  }
+]
@@ -0,0 +1,60 @@
+[
+  {
+    TraceId: Id_1,
+    SpanId: Id_2,
+    Name: aspnet_core_mvc.request,
+    Resource: POST /dataapi/empty-model,
+    Service: Samples.Security.AspNetCore2,
+    Type: web,
+    ParentId: Id_3,
+    Tags: {
+      aspnet_core.action: emptymodel,
+      aspnet_core.controller: dataapi,
+      aspnet_core.route: dataapi/empty-model,
+      component: aspnet_core,
+      env: integration_tests,
+      language: dotnet,
+      span.kind: server,
+      _dd.git.commit.sha: aaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbb,
+      _dd.git.repository_url: https://github.com/DataDog/dd-trace-dotnet
+    }
+  },
+  {
+    TraceId: Id_1,
+    SpanId: Id_3,
+    Name: aspnet_core.request,
+    Resource: POST /dataapi/empty-model,
+    Service: Samples.Security.AspNetCore2,
+    Type: web,
+    Tags: {
+      aspnet_core.route: dataapi/empty-model,
+      component: aspnet_core,
+      env: integration_tests,
+      http.client_ip: 127.0.0.1,
+      http.method: POST,
+      http.request.headers.host: localhost:00000,
+      http.route: dataapi/empty-model,
+      http.status_code: 204,
+      http.url: http://localhost:00000/dataapi/empty-model,
+      http.useragent: Mistake Not...,
+      language: dotnet,
+      network.client.ip: 127.0.0.1,
+      runtime-id: Guid_1,
+      span.kind: server,
+      _dd.appsec.s.req.body: [{"Property":[8],"Property2":[8],"Property3":[4],"Property4":[4]}],
+      _dd.appsec.s.req.headers: [{"connection":[[[8]],{"len":1}],"content-length":[[[8]],{"len":1}],"content-type":[[[8]],{"len":1}],"host":[[[8,{"category":"pii","type":"passport_number"}]],{"len":1}],"user-agent":[[[8]],{"len":1}],"x-forwarded-for":[[[8]],{"len":1}]}],
+      _dd.appsec.s.res.headers: [{}],
+      _dd.git.commit.sha: aaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbb,
+      _dd.git.repository_url: https://github.com/DataDog/dd-trace-dotnet,
+      _dd.runtime_family: dotnet
+    },
+    Metrics: {
+      process_id: 0,
+      _dd.agent_psr: 1.0,
+      _dd.appsec.enabled: 1.0,
+      _dd.top_level: 1.0,
+      _dd.tracer_kr: 1.0,
+      _sampling_priority_v1: 1.0
+    }
+  }
+]
@@ -0,0 +1,58 @@
+[
+  {
+    TraceId: Id_1,
+    SpanId: Id_2,
+    Name: aspnet_core_mvc.request,
+    Resource: POST /dataapi/empty-model,
+    Service: Samples.Security.AspNetCore5,
+    Type: web,
+    ParentId: Id_3,
+    Tags: {
+      aspnet_core.action: emptymodel,
+      aspnet_core.controller: dataapi,
+      aspnet_core.route: dataapi/empty-model,
+      component: aspnet_core,
+      env: integration_tests,
+      language: dotnet,
+      span.kind: server,
+      _dd.git.commit.sha: aaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbb,
+      _dd.git.repository_url: https://github.com/DataDog/dd-trace-dotnet
+    }
+  },
+  {
+    TraceId: Id_1,
+    SpanId: Id_3,
+    Name: aspnet_core.request,
+    Resource: POST /dataapi/empty-model,
+    Service: Samples.Security.AspNetCore5,
+    Type: web,
+    Tags: {
+      aspnet_core.endpoint: Samples.Security.AspNetCore5.DataApiController.EmptyModel (Samples.Security.AspNetCore5),
+      aspnet_core.route: dataapi/empty-model,
+      component: aspnet_core,
+      env: integration_tests,
+      http.client_ip: 127.0.0.1,
+      http.method: POST,
+      http.request.headers.host: localhost:00000,
+      http.route: dataapi/empty-model,
+      http.status_code: 204,
+      http.url: http://localhost:00000/dataapi/empty-model,
+      http.useragent: Mistake Not...,
+      language: dotnet,
+      network.client.ip: 127.0.0.1,
+      runtime-id: Guid_1,
+      span.kind: server,
+      _dd.git.commit.sha: aaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbb,
+      _dd.git.repository_url: https://github.com/DataDog/dd-trace-dotnet,
+      _dd.runtime_family: dotnet
+    },
+    Metrics: {
+      process_id: 0,
+      _dd.agent_psr: 1.0,
+      _dd.appsec.enabled: 1.0,
+      _dd.top_level: 1.0,
+      _dd.tracer_kr: 1.0,
+      _sampling_priority_v1: 1.0
+    }
+  }
+]
@@ -0,0 +1,62 @@
+[
+  {
+    TraceId: Id_1,
+    SpanId: Id_2,
+    Name: aspnet_core_mvc.request,
+    Resource: POST /dataapi/empty-model,
+    Service: Samples.Security.AspNetCore5,
+    Type: web,
+    ParentId: Id_3,
+    Tags: {
+      aspnet_core.action: emptymodel,
+      aspnet_core.controller: dataapi,
+      aspnet_core.route: dataapi/empty-model,
+      component: aspnet_core,
+      env: integration_tests,
+      language: dotnet,
+      span.kind: server,
+      _dd.git.commit.sha: aaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbb,
+      _dd.git.repository_url: https://github.com/DataDog/dd-trace-dotnet
+    }
+  },
+  {
+    TraceId: Id_1,
+    SpanId: Id_3,
+    Name: aspnet_core.request,
+    Resource: POST /dataapi/empty-model,
+    Service: Samples.Security.AspNetCore5,
+    Type: web,
+    Tags: {
+      aspnet_core.endpoint: Samples.Security.AspNetCore5.DataApiController.EmptyModel (Samples.Security.AspNetCore5),
+      aspnet_core.route: dataapi/empty-model,
+      component: aspnet_core,
+      env: integration_tests,
+      http.client_ip: 127.0.0.1,
+      http.method: POST,
+      http.request.headers.host: localhost:00000,
+      http.route: dataapi/empty-model,
+      http.status_code: 204,
+      http.url: http://localhost:00000/dataapi/empty-model,
+      http.useragent: Mistake Not...,
+      language: dotnet,
+      network.client.ip: 127.0.0.1,
+      runtime-id: Guid_1,
+      span.kind: server,
+      _dd.appsec.s.req.body: [{"Property":[8],"Property2":[8],"Property3":[4],"Property4":[4]}],
+      _dd.appsec.s.req.headers: [{"content-length":[[[8]],{"len":1}],"content-type":[[[8]],{"len":1}],"host":[[[8,{"category":"pii","type":"passport_number"}]],{"len":1}],"user-agent":[[[8]],{"len":1}],"x-forwarded-for":[[[8]],{"len":1}]}],
+      _dd.appsec.s.req.params: [{"action":[8],"controller":[8]}],
+      _dd.appsec.s.res.headers: [{}],
+      _dd.git.commit.sha: aaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbb,
+      _dd.git.repository_url: https://github.com/DataDog/dd-trace-dotnet,
+      _dd.runtime_family: dotnet
+    },
+    Metrics: {
+      process_id: 0,
+      _dd.agent_psr: 1.0,
+      _dd.appsec.enabled: 1.0,
+      _dd.top_level: 1.0,
+      _dd.tracer_kr: 1.0,
+      _sampling_priority_v1: 1.0
+    }
+  }
+]
@@ -26,6 +26,13 @@ public ActionResult<MyResponseModel> Model(MyModel model)
             });
         }
 
+
+        [Route("empty-model")]
+        public ActionResult<MyResponseModel> EmptyModel(MyModel model)
+        {
+            return new ActionResult<MyResponseModel>((MyResponseModel)null);
+        }
+
         [Route("array")]
         public IActionResult Array(IEnumerable<string> model)
         {