Fix header collection for case insensitive duplicates

DataDog · Jul 19, 2024 · 709bd1e · 709bd1e
1 parent 50a7ef9
commit 709bd1e
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/lib/datadog/appsec/contrib/rack/gateway/request.rb b/lib/datadog/appsec/contrib/rack/gateway/request.rb
@@ -41,7 +41,13 @@ def method
 
             def headers
               result = request.env.each_with_object({}) do |(k, v), h|
-                h[k.gsub(/^HTTP_/, '').tap(&:downcase!).tap { |s| s.tr!('_', '-') }] = v if k =~ /^HTTP_/
+                # When multiple headers with the same name are present, they are concatenated with a comma
+                # https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
+                # Because headers are case insensitive, HTTP_FOO and HTTP_Foo is the same, and should be merged
+                if k =~ /^HTTP_/
+                  key = k.gsub(/^HTTP_/, '').tap(&:downcase!).tap { |s| s.tr!('_', '-') }
+                  h[key] = h[key].nil? ? v : "#{h[key]}, #{v}"
+                end
               end
 
               result['content-type'] = request.content_type if request.content_type

diff --git a/spec/datadog/appsec/contrib/rack/gateway/request_spec.rb b/spec/datadog/appsec/contrib/rack/gateway/request_spec.rb
@@ -42,7 +42,9 @@
             {
               'REQUEST_METHOD' => 'GET', 'REMOTE_ADDR' => '10.10.10.10', 'CONTENT_TYPE' => 'text/html',
               'HTTP_COOKIE' => 'foo=bar', 'HTTP_USER_AGENT' => 'WebKit',
-              'HTTP_' => 'empty header', 'HTTP_123' => 'numbered header'
+              'HTTP_' => 'empty header', 'HTTP_123' => 'numbered header',
+              'HTTP_123_FOO' => 'alphanumerical header', 'HTTP_FOO_123' => 'reverse alphanumerical header',
+              'HTTP_foo' => 'lowercase header', 'HTTP_Foo' => 'mixed case header' 
             }
           )
         )
@@ -55,7 +57,10 @@
           'user-agent' => 'WebKit',
           'content-length' => '0',
           '' => 'empty header',
-          '123' => 'numbered header'
+          '123' => 'numbered header',
+          '123-foo' => 'alphanumerical header',
+          'foo-123' => 'reverse alphanumerical header',
+          'foo' => 'lowercase header, mixed case header'
         }
         expect(request.headers).to eq(expected_headers)
       end