WIP

Author: jandro996

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java

@@ -707,8 +707,15 @@ private NoopFlow onRequestEnded(RequestContext ctx_, IGSpanInfo spanInfo) {
         traceSeg.setDataTop("appsec", wrapper);
 
         // Report collected request and response headers based on allow list
-        writeRequestHeaders(traceSeg, REQUEST_HEADERS_ALLOW_LIST, ctx.getRequestHeaders());
-        writeResponseHeaders(traceSeg, RESPONSE_HEADERS_ALLOW_LIST, ctx.getResponseHeaders());
+        boolean collectAll =
+            Config.get().isAppSecCollectAllHeaders()
+                // Until redaction is defined we don't want to collect all headers due to risk of
+                // leaking sensitive data
+                && !Config.get().isAppSecHeaderCollectionRedactionEnabled();
+        writeRequestHeaders(
+            traceSeg, REQUEST_HEADERS_ALLOW_LIST, ctx.getRequestHeaders(), collectAll);
+        writeResponseHeaders(
+            traceSeg, RESPONSE_HEADERS_ALLOW_LIST, ctx.getResponseHeaders(), collectAll);
 
         // Report collected stack traces
         List<StackTraceEvent> stackTraces = ctx.getStackTraces();
@@ -718,10 +725,11 @@ private NoopFlow onRequestEnded(RequestContext ctx_, IGSpanInfo spanInfo) {
 
       } else if (hasUserInfo(traceSeg)) {
         // Report all collected request headers on user tracking event
-        writeRequestHeaders(traceSeg, REQUEST_HEADERS_ALLOW_LIST, ctx.getRequestHeaders());
+        writeRequestHeaders(traceSeg, REQUEST_HEADERS_ALLOW_LIST, ctx.getRequestHeaders(), false);
       } else {
         // Report minimum set of collected request headers
-        writeRequestHeaders(traceSeg, DEFAULT_REQUEST_HEADERS_ALLOW_LIST, ctx.getRequestHeaders());
+        writeRequestHeaders(
+            traceSeg, DEFAULT_REQUEST_HEADERS_ALLOW_LIST, ctx.getRequestHeaders(), false);
       }
       // If extracted any derivatives - commit them
       if (!ctx.commitDerivatives(traceSeg)) {
@@ -835,32 +843,76 @@ private static boolean hasUserCollectionEvent(final TraceSegment traceSeg) {
   private static void writeRequestHeaders(
       final TraceSegment traceSeg,
       final Set<String> allowed,
-      final Map<String, List<String>> headers) {
-    writeHeaders(traceSeg, "http.request.headers.", allowed, headers);
+      final Map<String, List<String>> headers,
+      final boolean collectAll) {
+    writeHeaders(
+        traceSeg, "http.request.headers.", "_dd.appsec.request.", allowed, headers, collectAll);
   }
 
   private static void writeResponseHeaders(
       final TraceSegment traceSeg,
       final Set<String> allowed,
-      final Map<String, List<String>> headers) {
-    writeHeaders(traceSeg, "http.response.headers.", allowed, headers);
+      final Map<String, List<String>> headers,
+      final boolean collectAll) {
+    writeHeaders(
+        traceSeg, "http.response.headers.", "_dd.appsec.response.", allowed, headers, collectAll);
   }
 
   private static void writeHeaders(
       final TraceSegment traceSeg,
       final String prefix,
+      final String discardedPrefix,
       final Set<String> allowed,
-      final Map<String, List<String>> headers) {
-    if (headers != null) {
-      headers.forEach(
-          (name, value) -> {
-            if (allowed.contains(name)) {
-              String v = String.join(",", value);
-              if (!v.isEmpty()) {
-                traceSeg.setTagTop(prefix + name, v);
-              }
-            }
-          });
+      final Map<String, List<String>> headers,
+      final boolean collectAll) {
+
+    if (headers == null || headers.isEmpty()) {
+      return;
+    }
+
+    final int headerLimit = Config.get().getAppsecMaxCollectedHeaders();
+    final Set<String> added = new HashSet<>();
+    int excluded = 0;
+
+    // Try to add allowed headers (prioritized)
+    for (String name : allowed) {
+      if (added.size() >= headerLimit) {
+        break;
+      }
+      List<String> values = headers.get(name);
+      if (values != null) {
+        String joined = String.join(",", values);
+        if (!joined.isEmpty()) {
+          traceSeg.setTagTop(prefix + name, joined);
+          added.add(name);
+        }
+      }
+    }
+
+    if (collectAll) {
+      // Add other headers (non-allowed) until total reaches the limit
+      for (Map.Entry<String, List<String>> entry : headers.entrySet()) {
+        String name = entry.getKey();
+        if (added.contains(name)) {
+          continue;
+        }
+
+        if (added.size() >= headerLimit) {
+          excluded++;
+          continue;
+        }
+
+        List<String> values = entry.getValue();
+        String joined = String.join(",", values);
+        if (!joined.isEmpty()) {
+          traceSeg.setTagTop(prefix + name, joined);
+          added.add(name);
+        }
+      }
+
+      if (excluded > 0) {
+        traceSeg.setTagTop(discardedPrefix + "header_collection.discarded", excluded);
+      }
     }
   }
 

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy

@@ -1222,4 +1222,96 @@ class GatewayBridgeSpecification extends DDSpecification {
     1 * traceSegment.setTagTop(Tags.PROPAGATED_TRACE_SOURCE, ProductTraceSource.ASM)
   }
 
+
+  void 'test default writeRequestHeaders'(){
+    given:
+    def allowedHeaders = ['x-allowed-header', 'x-multiple-allowed-header', 'x-always-included'] as Set
+    def headers = [
+      'x-allowed-header' : ['value1'],
+      'x-multiple-allowed-header' : ['value1A', 'value1B'],
+      'x-other-header-1' : ['value2'],
+      'x-other-header-2' : ['value3'],
+      'x-other-header-3' : ['value4']
+    ]
+
+    when:
+    GatewayBridge.writeRequestHeaders(traceSegment, allowedHeaders, headers, false)
+
+    then:
+    1 * traceSegment.setTagTop('http.request.headers.x-allowed-header', 'value1')
+    1 * traceSegment.setTagTop('http.request.headers.x-multiple-allowed-header', 'value1A,value1B')
+    0 * traceSegment.setTagTop(_, _)
+  }
+
+  void 'test default writeResponseHeaders'(){
+    given:
+    def allowedHeaders = ['x-allowed-header', 'x-multiple-allowed-header', 'x-always-included'] as Set
+    def headers = [
+      'x-allowed-header' : ['value1'],
+      'x-multiple-allowed-header' : ['value1A', 'value1B'],
+      'x-other-header-1' : ['value2'],
+      'x-other-header-2' : ['value3'],
+      'x-other-header-3' : ['value4']
+    ]
+
+    when:
+    GatewayBridge.writeResponseHeaders(traceSegment, allowedHeaders, headers, false)
+
+    then:
+    1 * traceSegment.setTagTop('http.response.headers.x-allowed-header', 'value1')
+    1 * traceSegment.setTagTop('http.response.headers.x-multiple-allowed-header', 'value1A,value1B')
+    0 * traceSegment.setTagTop(_, _)
+  }
+
+  void 'test  writeRequestHeaders collecting all headers '(){
+    setup:
+    injectEnvConfig('DD_APPSEC_MAX_COLLECTED_HEADERS', '4')
+
+    def allowedHeaders = ['x-allowed-header', 'x-multiple-allowed-header', 'x-always-included'] as Set
+    def headers = [
+      'x-allowed-header' : ['value1'],
+      'x-multiple-allowed-header' : ['value1A', 'value1B'],
+      'x-other-header-1' : ['value2'],
+      'x-other-header-2' : ['value3'],
+      'x-other-header-3' : ['value4']
+    ]
+
+    when:
+    GatewayBridge.writeRequestHeaders(traceSegment, allowedHeaders, headers, true)
+
+    then:
+    1 * traceSegment.setTagTop('http.request.headers.x-allowed-header', 'value1')
+    1 * traceSegment.setTagTop('http.request.headers.x-multiple-allowed-header', 'value1A,value1B')
+    1 * traceSegment.setTagTop('http.request.headers.x-other-header-1', 'value2')
+    1 * traceSegment.setTagTop('http.request.headers.x-other-header-2', 'value3')
+    1 * traceSegment.setTagTop('_dd.appsec.request.header_collection.discarded', 1)
+    0 * traceSegment.setTagTop(_, _)
+  }
+
+  void 'test  writeResponseHeaders collecting all headers '(){
+    setup:
+    injectEnvConfig('DD_APPSEC_COLLECT_ALL_HEADERS' , 'true')
+    injectEnvConfig('DD_APPSEC_MAX_COLLECTED_HEADERS', '4')
+
+    def allowedHeaders = ['x-allowed-header', 'x-multiple-allowed-header', 'x-always-included'] as Set
+    def headers = [
+      'x-allowed-header' : ['value1'],
+      'x-multiple-allowed-header' : ['value1A', 'value1B'],
+      'x-other-header-1' : ['value2'],
+      'x-other-header-2' : ['value3'],
+      'x-other-header-3' : ['value4']
+    ]
+
+    when:
+    GatewayBridge.writeResponseHeaders(traceSegment, allowedHeaders, headers, true)
+
+    then:
+    1 * traceSegment.setTagTop('http.response.headers.x-allowed-header', 'value1')
+    1 * traceSegment.setTagTop('http.response.headers.x-multiple-allowed-header', 'value1A,value1B')
+    1 * traceSegment.setTagTop('http.response.headers.x-other-header-1', 'value2')
+    1 * traceSegment.setTagTop('http.response.headers.x-other-header-2', 'value3')
+    1 * traceSegment.setTagTop('_dd.appsec.response.header_collection.discarded', 1)
+    0 * traceSegment.setTagTop(_, _)
+  }
+
 }

dd-smoke-tests/appsec/springboot/src/main/java/datadog/smoketest/appsec/springboot/controller/WebController.java

@@ -16,6 +16,7 @@
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.impl.client.DefaultHttpClient;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -210,6 +211,27 @@ public ResponseEntity<String> apiSecuritySampling(@PathVariable("status_code") i
     return ResponseEntity.status(statusCode).body("EXECUTED");
   }
 
+  @GetMapping("/custom-headers")
+  public ResponseEntity<String> customHeaders() {
+    HttpHeaders headers = new HttpHeaders();
+    headers.add("X-Test-Header-1", "value1");
+    headers.add("X-Test-Header-2", "value2");
+    headers.add("X-Test-Header-3", "value3");
+    headers.add("X-Test-Header-4", "value4");
+    headers.add("X-Test-Header-5", "value5");
+    return new ResponseEntity<>("Custom headers added", headers, HttpStatus.OK);
+  }
+
+  @GetMapping("/exceedResponseHeaders")
+  public ResponseEntity<String> exceedResponseHeaders() {
+    HttpHeaders headers = new HttpHeaders();
+    for (int i = 1; i <= 50; i++) {
+      headers.add("X-Test-Header-" + i, "value" + i);
+    }
+    headers.add("content-language", "en-US");
+    return new ResponseEntity<>("Custom headers added", headers, HttpStatus.OK);
+  }
+
   private void withProcess(final Operation<Process> op) {
     Process process = null;
     try {