
Fix AppSec crash when parsing integer http headers
vpellan committed Jul 17, 2024
1 parent 6604ee1 commit 50a7ef9
Showing 2 changed files with 28 additions and 1 deletion.
2 changes: 1 addition & 1 deletion lib/datadog/appsec/contrib/rack/gateway/request.rb
Expand Up @@ -41,7 +41,7 @@ def method

def headers
result = request.env.each_with_object({}) do |(k, v), h|
h[k.gsub(/^HTTP_/, '').downcase!.tr('_', '-')] = v if k =~ /^HTTP_/
h[k.gsub(/^HTTP_/, '').tap(&:downcase!).tap { |s| s.tr!('_', '-') }] = v if k =~ /^HTTP_/
end

result['content-type'] = request.content_type if request.content_type
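Review bot: The new expression on the second changed line still builds the key from bang methods whose nil return is only papered over by `tap`, which is the same trap the commit is fixing; the non-mutating chain `h[k.sub(/\AHTTP_/, '').downcase.tr('_', '-')] = v if k.start_with?('HTTP_')` can never produce nil and reads plainly. `\A` anchors the whole string where `^` only anchors a line, and `start_with?` avoids matching the same key twice. A question worth a comment in this method is whether an env key that is exactly `HTTP_` should be forwarded under the empty name `''` (the new spec pins that behaviour) or dropped before the headers reach the WAF. The `headers` method continues below the hunk.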
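--- a/spec/datadog/appsec/contrib/rack/gateway/request_spec.rb
+++ b/spec/datadog/appsec/contrib/rack/gateway/request_spec.rb
@@ -33,6 +33,33 @@
 }
 expect(request.headers).to eq(expected_headers)
 end
+
+context 'with malformed headers' do
+let(:request) do
+described_class.new(
+Rack::MockRequest.env_for(
+'http://example.com:8080/?a=foo&a=bar&b=baz',
+{
+'REQUEST_METHOD' => 'GET', 'REMOTE_ADDR' => '10.10.10.10', 'CONTENT_TYPE' => 'text/html',
+'HTTP_COOKIE' => 'foo=bar', 'HTTP_USER_AGENT' => 'WebKit',
+'HTTP_' => 'empty header', 'HTTP_123' => 'numbered header'
+}
+)
+)
+end
+
+it 'returns the header information. Strip the HTTP_ prefix and append content-type and content-length information' do
+expected_headers = {
+'content-type' => 'text/html',
+'cookie' => 'foo=bar',
+'user-agent' => 'WebKit',
+'content-length' => '0',
+'' => 'empty header',
+'123' => 'numbered header'
+}
+expect(request.headers).to eq(expected_headers)
+end
+end
 end
 
 describe '#body' do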
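Review bot: The `it` description of the new example is copied from the happy-path case above it and does not say what it guards, so a reader cannot tell it is the regression test for the nil crash on names such as `HTTP_123`; rename it along the lines of `it 'does not raise on numeric or empty header names and keeps them in the result'`. The expectation `'' => 'empty header'` also turns forwarding an empty header name into contract — if that is incidental rather than a deliberate choice, either assert only on the non-empty keys or add a one-line comment in the example stating that empty names are intentionally passed through.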
