Merge pull request #4887 from DataDog/appsec-58855-fix-head-requests-route-extraction

Fix error on HEAD requests route extraction

Author: Strech

lib/datadog/appsec/api_security/route_extractor.rb

@@ -39,9 +39,9 @@ module RouteExtractor
         # WARNING: This method works only *after* the request has been routed.
         #
         # WARNING: In Rails > 7.1 when a route was not found,
-        #          action_dispatch.route_uri_pattern will not be set.
+        #          `action_dispatch.route_uri_pattern` will not be set.
         #          In Rails < 7.1 it also will not be set even if a route was found,
-        #          but in this case  action_dispatch.request.path_parameters won't be empty.
+        #          but in this case `action_dispatch.request.path_parameters` won't be empty.
         def self.route_pattern(request)
           if request.env.key?(GRAPE_ROUTE_KEY)
             pattern = request.env[GRAPE_ROUTE_KEY][:route_info]&.pattern&.origin
@@ -52,6 +52,10 @@ def self.route_pattern(request)
           elsif request.env.key?(RAILS_ROUTE_KEY)
             request.env[RAILS_ROUTE_KEY].delete_suffix(RAILS_FORMAT_SUFFIX)
           elsif request.env.key?(RAILS_ROUTES_KEY) && !request.env.fetch(RAILS_PATH_PARAMS_KEY, {}).empty?
+            # NOTE: Rails mutate HEAD request in order to understand that route is supported.
+            #       It will assing GET request method and run the route recognition.
+            request = request.env[RAILS_ROUTES_KEY].request_class.new(request.env) if request.head?
+
             pattern = request.env[RAILS_ROUTES_KEY].router
               .recognize(request) { |route, _| break route.path.spec.to_s }
 

sig/datadog/appsec/api_security.rbs

@@ -6,6 +6,7 @@ module Datadog
         def script_name: () -> String?
         def request_method: () -> String
         def path: () -> String
+        def head?: () -> bool
       end
 
       interface _Response

spec/datadog/appsec/api_security/route_extractor_spec.rb

@@ -92,7 +92,7 @@
         it { expect(described_class.route_pattern(request)).to eq('/api/v1/users/:id/posts/:post_id') }
       end
 
-      context 'when route_uri_pattern is not set, but request path parameters are present' do
+      context 'when route_uri_pattern is not set and request path_parameters is empty' do
         before do
           allow(request).to receive(:env).and_return({
             'action_dispatch.routes' => route_set,
@@ -107,6 +107,48 @@
         it { expect(described_class.route_pattern(request)).to eq('/users/1') }
       end
 
+      context 'when route_uri_pattern is not set and request path_parameters is present' do
+        let(:env) do
+          {
+            'action_dispatch.routes' => route_set,
+            'action_dispatch.request.path_parameters' => {
+              'controller' => 'users', 'action' => 'show', 'id' => '1'
+            }
+          }
+        end
+
+        context 'when request is HEAD' do
+          before do
+            allow(request).to receive(:env).and_return(env)
+            allow(action_dispatch_request).to receive(:env).and_return(env)
+          end
+
+          let(:router) { double('ActionDispatch::Routing::RouteSet::Router') }
+          let(:route_set) { double('ActionDispatch::Routing::RouteSet', router: router, request_class: action_dispatch_request_class) }
+          let(:request) { double('Rack::Request', env: {}, script_name: '', path: '/users/1', head?: true) }
+          let(:action_dispatch_request_class) { double('class ActionDispatch::Request', new: action_dispatch_request) }
+          let(:action_dispatch_request) { double('ActionDispatch::Request', env: {}, script_name: '', path: '/users/1') }
+
+          it 'uses action dispatch request for route recognition' do
+            expect(router).to receive(:recognize).with(action_dispatch_request).and_return('/users/1')
+            expect(described_class.route_pattern(request)).to eq('/users/1')
+          end
+        end
+
+        context 'when request is not HEAD' do
+          before { allow(request).to receive(:env).and_return(env) }
+
+          let(:router) { double('ActionDispatch::Routing::RouteSet::Router') }
+          let(:route_set) { double('ActionDispatch::Routing::RouteSet', router: router) }
+          let(:request) { double('Rack::Request', env: {}, script_name: '', path: '/users/1', head?: false) }
+
+          it 'uses action dispatch request for route recognition' do
+            expect(router).to receive(:recognize).with(request).and_return('/users/1')
+            expect(described_class.route_pattern(request)).to eq('/users/1')
+          end
+        end
+      end
+
       context 'when Rails router cannot recognize request' do
         before do
           allow(request).to receive(:env).and_return({'action_dispatch.routes' => route_set})