[APPSEC-9936] Update AppSec response content_type resolution

lib/datadog/appsec/response.rb

@@ -36,30 +36,34 @@ def negotiate(env)
           Response.new(
             status: 403,
             headers: { 'Content-Type' => content_type },
-            body: [Datadog::AppSec::Assets.blocked(format: FORMAT_MAP[content_type])]
+            body: [Datadog::AppSec::Assets.blocked(format: CONTENT_TYPE_TO_FORMAT[content_type])]
           )
         end
 
         private
 
-        FORMAT_MAP = {
-          'text/plain' => :text,
-          'text/html' => :html,
+        CONTENT_TYPE_TO_FORMAT = {
           'application/json' => :json,
+          'text/html' => :html,
+          'text/plain' => :text,
         }.freeze
 
-        DEFAULT_CONTENT_TYPE = 'text/plain'
+        DEFAULT_CONTENT_TYPE = 'application/json'
 
         def content_type(env)
           return DEFAULT_CONTENT_TYPE unless env.key?('HTTP_ACCEPT')
 
-          accepted = env['HTTP_ACCEPT'].split(',').map { |m| Utils::HTTP::MediaRange.new(m) }.sort!.reverse!
+          accept_types = env['HTTP_ACCEPT'].split(',').map(&:strip)
 
-          accepted.each_with_object(DEFAULT_CONTENT_TYPE) do |range, _default|
-            match = FORMAT_MAP.keys.find { |type| range === type }
+          accepted = accept_types.map { |m| Utils::HTTP::MediaRange.new(m) }.sort!.reverse!
 
-            return match if match
+          accepted.each do |range|
+            type_match = CONTENT_TYPE_TO_FORMAT.keys.find { |type| range === type }
+
+            return type_match if type_match
           end
+
+          DEFAULT_CONTENT_TYPE
         rescue Datadog::AppSec::Utils::HTTP::MediaRange::ParseError
           DEFAULT_CONTENT_TYPE
         end

sig/datadog/appsec/response.rbs

@@ -14,7 +14,7 @@ module Datadog
 
       private
 
-      FORMAT_MAP: ::Hash[::String, ::Symbol]
+      CONTENT_TYPE_TO_FORMAT: ::Hash[::String, ::Symbol]
       DEFAULT_CONTENT_TYPE: ::String
 
       def self.format: (::Hash[untyped, untyped] env) -> ::Symbol

spec/datadog/appsec/response_spec.rb

@@ -74,19 +74,43 @@
       end
 
       context('without Accept header') do
-        it { is_expected.to eq 'text/plain' }
+        it { is_expected.to eq 'application/json' }
       end
 
       context('with Accept: */*') do
         let(:accept) { '*/*' }
 
-        it { is_expected.to eq 'text/plain' }
+        it { is_expected.to eq 'application/json' }
+      end
+
+      context('with Accept: text/*') do
+        let(:accept) { 'text/*' }
+
+        it { is_expected.to eq 'text/html' }
+      end
+
+      context('with Accept: application/*') do
+        let(:accept) { 'application/*' }
+
+        it { is_expected.to eq 'application/json' }
       end
 
       context('with unparseable Accept header') do
         let(:accept) { 'invalid' }
 
-        it { is_expected.to eq 'text/plain' }
+        it { is_expected.to eq 'application/json' }
+      end
+
+      context('with Accept: text/*;q=0.7, application/*;q=0.8, */*;q=0.9') do
+        let(:accept) { 'text/*;q=0.7, application/*;q=0.8, */*;q=0.9' }
+
+        it { is_expected.to eq 'application/json' }
+      end
+
+      context('with unsupported Accept header') do
+        let(:accept) { 'image/webp' }
+
+        it { is_expected.to eq 'application/json' }
       end
 
       context('with Mozilla Firefox Accept') do