Merge pull request #3204 from DataDog/asm-make-sure-to-append-content…

…-type-and-length-information ASM make sure to append content type and length information
DataDog · Nov 2, 2023 · 9688f2f · 9688f2f
2 parents 713fb1e + 8b68fcb
commit 9688f2f
Show file tree

Hide file tree

Showing 4 changed files with 271 additions and 153 deletions.
diff --git a/lib/datadog/appsec/contrib/rack/gateway/request.rb b/lib/datadog/appsec/contrib/rack/gateway/request.rb
@@ -40,9 +40,13 @@ def method
             end
 
             def headers
-              request.env.each_with_object({}) do |(k, v), h|
-                h[k.gsub(/^HTTP_/, '').downcase.tr('_', '-')] = v if k =~ /^HTTP_/
+              result = request.env.each_with_object({}) do |(k, v), h|
+                h[k.gsub(/^HTTP_/, '').downcase!.tr('_', '-')] = v if k =~ /^HTTP_/
               end
+
+              result['content-type'] = request.content_type if request.content_type
+              result['content-length'] = request.content_length if request.content_length
+              result
             end
 
             def body

diff --git a/spec/datadog/appsec/contrib/rack/gateway/request_spec.rb b/spec/datadog/appsec/contrib/rack/gateway/request_spec.rb
@@ -10,7 +10,7 @@
       Rack::MockRequest.env_for(
         'http://example.com:8080/?a=foo&a=bar&b=baz',
         {
-          'REQUEST_METHOD' => 'GET', 'REMOTE_ADDR' => '10.10.10.10', 'HTTP_CONTENT_TYPE' => 'text/html',
+          'REQUEST_METHOD' => 'GET', 'REMOTE_ADDR' => '10.10.10.10', 'CONTENT_TYPE' => 'text/html',
           'HTTP_COOKIE' => 'foo=bar', 'HTTP_USER_AGENT' => 'WebKit'
         }
       )
@@ -24,8 +24,13 @@
   end
 
   describe '#headers' do
-    it 'returns the header information and strip the HTTP_ prefix' do
-      expected_headers = { 'content-type' => 'text/html', 'cookie' => 'foo=bar', 'user-agent' => 'WebKit' }
+    it 'returns the header information. Strip the HTTP_ prefix and append content-type and content-length information' do
+      expected_headers = {
+        'content-type' => 'text/html',
+        'cookie' => 'foo=bar',
+        'user-agent' => 'WebKit',
+        'content-length' => '0'
+      }
       expect(request.headers).to eq(expected_headers)
     end
   end

diff --git a/spec/datadog/appsec/contrib/rack/reactive/request_spec.rb b/spec/datadog/appsec/contrib/rack/reactive/request_spec.rb
@@ -12,19 +12,34 @@
     Datadog::AppSec::Contrib::Rack::Gateway::Request.new(
       Rack::MockRequest.env_for(
         'http://example.com:8080/?a=foo',
-        { 'REQUEST_METHOD' => 'GET', 'REMOTE_ADDR' => '10.10.10.10', 'HTTP_CONTENT_TYPE' => 'text/html' }
+        {
+          'REQUEST_METHOD' => 'GET',
+          'REMOTE_ADDR' => '10.10.10.10',
+          'CONTENT_TYPE' => 'text/html',
+          'HTTP_USER_AGENT' => 'foo',
+          'HTTP_COOKIE' => 'foo=bar'
+        }
       )
     )
   end
 
+  let(:expected_headers_with_cookies) do
+    { 'content-length' => '0', 'content-type' => 'text/html', 'user-agent' => 'foo', 'cookie' => 'foo=bar' }
+  end
+
+  let(:expected_headers_without_cookies) do
+    { 'content-length' => '0', 'content-type' => 'text/html', 'user-agent' => 'foo' }
+  end
+
   describe '.publish' do
     it 'propagates request attributes to the operation' do
       expect(operation).to receive(:publish).with('server.request.method', 'GET')
       expect(operation).to receive(:publish).with('request.query', { 'a' => ['foo'] })
-      expect(operation).to receive(:publish).with('request.headers', { 'content-type' => 'text/html' })
+      expect(operation).to receive(:publish).with('request.headers', expected_headers_with_cookies)
       expect(operation).to receive(:publish).with('request.uri.raw', '/?a=foo')
-      expect(operation).to receive(:publish).with('request.cookies', {})
+      expect(operation).to receive(:publish).with('request.cookies', { 'foo' => 'bar' })
       expect(operation).to receive(:publish).with('request.client_ip', '10.10.10.10')
+
       described_class.publish(operation, request)
     end
   end
@@ -52,11 +67,11 @@
         expect(operation).to receive(:subscribe).and_call_original
 
         expected_waf_arguments = {
-          'server.request.cookies' => {},
+          'server.request.cookies' => { 'foo' => 'bar' },
           'server.request.query' => { 'a' => ['foo'] },
           'server.request.uri.raw' => '/?a=foo',
-          'server.request.headers' => { 'content-type' => 'text/html' },
-          'server.request.headers.no_cookies' => { 'content-type' => 'text/html' },
+          'server.request.headers' => expected_headers_with_cookies,
+          'server.request.headers.no_cookies' => expected_headers_without_cookies,
           'http.client_ip' => '10.10.10.10',
           'server.request.method' => 'GET',
         }