Filter connection header in flaky tests (#7290)

## Summary of changes

Some security WebApi tests that rely on the Sample.security.WebAPI (.NET
framework) does not show consistent result. The result of the test
depends on the order of the tests. The problem is that in some requests,
the Connection header is returned (or not) by the framework depending on
the request order. That causes the generated security header fingerprint
to vary.

The fingerprint hash and format is defined
[here](https://docs.google.com/document/d/1DivOa9XsCggmZVzMI57vyxH2_EBJ0-qqIkRHm_sEvSs/edit?tab=t.0).

In order to avoid that, a scrubber has been added to skip that
particular flag in the fingerprint.

Other approaches have been tried to get a consistent result that failed:
* Adding a filter in FilterConfig.cs in the sample to overwrite the
connection header.
* Set UseProxy = false in HttpClientHandler in the test
* Moved to an HttpModule and added Connection: keep-alive in EndRequest

In all these cases, the framework seemed to overwrite the connection
header value even when set explicitly.

## Reason for change

Avoid having tests that depend on test execution order.

## Implementation details

## Test coverage

## Other details
<!-- Fixes #{issue} -->

<!-- ⚠️ Note: where possible, please obtain 2 approvals prior to
merging. Unless CODEOWNERS specifies otherwise, for external teams it is
typically best to have one review from a team member, and one review
from apm-dotnet. Trivial changes do not require 2 reviews. -->

Author: NachoEchevarria

tracer/test/Datadog.Trace.Security.IntegrationTests/AspNetBase.cs

@@ -256,6 +256,14 @@ await VerifyHelper.VerifySpans(spans, settings)
             }
         }
 
+        protected static void FilterConnectionHeader(VerifySettings settings)
+        {
+            Regex appSecConnectionHeader0 = new(@"_dd.appsec.fp.http.header: hdr-0\d", RegexOptions.IgnoreCase | RegexOptions.Compiled);
+            Regex appSecConnectionHeader1 = new(@"_dd.appsec.fp.http.header: hdr-1\d", RegexOptions.IgnoreCase | RegexOptions.Compiled);
+            settings.AddRegexScrubber(appSecConnectionHeader0, "_dd.appsec.fp.http.header: hdr-0X");
+            settings.AddRegexScrubber(appSecConnectionHeader1, "_dd.appsec.fp.http.header: hdr-1X");
+        }
+
         protected void AppsecMetaStructScrubbing(MockSpan target, bool forceMetaStruct = false)
         {
             // We want to retrieve the appsec event data from the meta struct to validate it in snapshots

tracer/test/Datadog.Trace.Security.IntegrationTests/AspNetMvc5.cs

@@ -105,6 +105,7 @@ public async Task TestBlockedRequest(string test)
         {
             var url = "/Health";
             var settings = VerifyHelper.GetSpanVerifierSettings(test);
+            FilterConnectionHeader(settings);
             await TestAppSecRequestWithVerifyAsync(_iisFixture.Agent, url, null, 5, SecurityEnabled ? 1 : 2, settings, userAgent: "Hello/V");
         }
 

tracer/test/Datadog.Trace.Security.IntegrationTests/AspNetWebApi.cs

@@ -90,6 +90,7 @@ public Task TestSecurity(string test, string url, string body)
             // NOTE: by integrating the latest version of the WAF, blocking was disabled, as it does not support blocking yet
             var sanitisedUrl = VerifyHelper.SanitisePathsForVerify(url);
             var settings = VerifyHelper.GetSpanVerifierSettings(test, sanitisedUrl, body);
+            FilterConnectionHeader(settings);
             return TestAppSecRequestWithVerifyAsync(_iisFixture.Agent, url, body, 5, 2, settings, "application/json");
         }
 
@@ -103,6 +104,7 @@ public async Task TestBlockedRequest(string test)
             var url = "/api/Health";
 
             var settings = VerifyHelper.GetSpanVerifierSettings(test);
+            FilterConnectionHeader(settings);
             await TestAppSecRequestWithVerifyAsync(_iisFixture.Agent, url, null, 5, 1, settings, userAgent: "Hello/V");
         }
 
@@ -117,6 +119,7 @@ public async Task TestBlockedRequests(string test, string url, string body = nul
         {
             var sanitisedUrl = VerifyHelper.SanitisePathsForVerify(url);
             var settings = VerifyHelper.GetSpanVerifierSettings(test, sanitisedUrl, body);
+            FilterConnectionHeader(settings);
 
             var expectedSpans = test == AddressesConstants.RequestPathParams ? 1 : 2;
 
@@ -136,6 +139,7 @@ public async Task TestNullAction()
             var url2 = "/api/home/null-action-async/pathparam/appscan_fingerprint";
             var settings = VerifyHelper.GetSpanVerifierSettings();
             settings.UseTextForParameters($"scenario=null-action");
+            FilterConnectionHeader(settings);
             var dateTime = DateTime.UtcNow;
             var res = await SubmitRequest(url, null, null);
             var res2 = await SubmitRequest(url2, null, null);

tracer/test/Datadog.Trace.Security.IntegrationTests/AspNetWebForms.cs

@@ -125,6 +125,7 @@ public async Task TestBlockedRequest(string test)
             var url = "/Health";
 
             var settings = VerifyHelper.GetSpanVerifierSettings(test);
+            FilterConnectionHeader(settings);
             await TestAppSecRequestWithVerifyAsync(_iisFixture.Agent, url, null, 5, 1, settings, userAgent: "Hello/V");
         }
 

tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=blocking.verified.txt

@@ -24,7 +24,7 @@
       runtime-id: Guid_1,
       span.kind: server,
       _dd.appsec.fp.http.endpoint: http-get-0587c50e--,
-      _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63,
+      _dd.appsec.fp.http.header: hdr-0X00000000-197358b8-1-4740ae63,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]},
       _dd.origin: appsec,
@@ -68,7 +68,7 @@
       runtime-id: Guid_1,
       span.kind: server,
       _dd.appsec.fp.http.endpoint: http-get-0587c50e--,
-      _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63,
+      _dd.appsec.fp.http.header: hdr-0X00000000-197358b8-1-4740ae63,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]},
       _dd.origin: appsec,
@@ -112,7 +112,7 @@
       runtime-id: Guid_1,
       span.kind: server,
       _dd.appsec.fp.http.endpoint: http-get-0587c50e--,
-      _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63,
+      _dd.appsec.fp.http.header: hdr-0X00000000-197358b8-1-4740ae63,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]},
       _dd.origin: appsec,
@@ -156,7 +156,7 @@
       runtime-id: Guid_1,
       span.kind: server,
       _dd.appsec.fp.http.endpoint: http-get-0587c50e--,
-      _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63,
+      _dd.appsec.fp.http.header: hdr-0X00000000-197358b8-1-4740ae63,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]},
       _dd.origin: appsec,
@@ -200,7 +200,7 @@
       runtime-id: Guid_1,
       span.kind: server,
       _dd.appsec.fp.http.endpoint: http-get-0587c50e--,
-      _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63,
+      _dd.appsec.fp.http.header: hdr-0X00000000-197358b8-1-4740ae63,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]},
       _dd.origin: appsec,

tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=blocking.verified.txt

@@ -25,7 +25,7 @@
       runtime-id: Guid_1,
       span.kind: server,
       _dd.appsec.fp.http.endpoint: http-get-0587c50e--,
-      _dd.appsec.fp.http.header: hdr-0000000000-197358b8-3-98425651,
+      _dd.appsec.fp.http.header: hdr-0X00000000-197358b8-3-98425651,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]},
       _dd.origin: appsec,
@@ -70,7 +70,7 @@
       runtime-id: Guid_1,
       span.kind: server,
       _dd.appsec.fp.http.endpoint: http-get-0587c50e--,
-      _dd.appsec.fp.http.header: hdr-0000000000-197358b8-3-98425651,
+      _dd.appsec.fp.http.header: hdr-0X00000000-197358b8-3-98425651,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]},
       _dd.origin: appsec,
@@ -115,7 +115,7 @@
       runtime-id: Guid_1,
       span.kind: server,
       _dd.appsec.fp.http.endpoint: http-get-0587c50e--,
-      _dd.appsec.fp.http.header: hdr-0000000000-197358b8-3-98425651,
+      _dd.appsec.fp.http.header: hdr-0X00000000-197358b8-3-98425651,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]},
       _dd.origin: appsec,
@@ -160,7 +160,7 @@
       runtime-id: Guid_1,
       span.kind: server,
       _dd.appsec.fp.http.endpoint: http-get-0587c50e--,
-      _dd.appsec.fp.http.header: hdr-0000000000-197358b8-3-98425651,
+      _dd.appsec.fp.http.header: hdr-0X00000000-197358b8-3-98425651,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]},
       _dd.origin: appsec,
@@ -205,7 +205,7 @@
       runtime-id: Guid_1,
       span.kind: server,
       _dd.appsec.fp.http.endpoint: http-get-0587c50e--,
-      _dd.appsec.fp.http.header: hdr-0000000000-197358b8-3-98425651,
+      _dd.appsec.fp.http.header: hdr-0X00000000-197358b8-3-98425651,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]},
       _dd.origin: appsec,

tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=blocking.verified.txt

@@ -24,7 +24,7 @@
       runtime-id: Guid_1,
       span.kind: server,
       _dd.appsec.fp.http.endpoint: http-get-7ab84831--,
-      _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63,
+      _dd.appsec.fp.http.header: hdr-0X00000000-197358b8-1-4740ae63,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]},
       _dd.origin: appsec,
@@ -68,7 +68,7 @@
       runtime-id: Guid_1,
       span.kind: server,
       _dd.appsec.fp.http.endpoint: http-get-7ab84831--,
-      _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63,
+      _dd.appsec.fp.http.header: hdr-0X00000000-197358b8-1-4740ae63,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]},
       _dd.origin: appsec,
@@ -112,7 +112,7 @@
       runtime-id: Guid_1,
       span.kind: server,
       _dd.appsec.fp.http.endpoint: http-get-7ab84831--,
-      _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63,
+      _dd.appsec.fp.http.header: hdr-0X00000000-197358b8-1-4740ae63,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]},
       _dd.origin: appsec,
@@ -156,7 +156,7 @@
       runtime-id: Guid_1,
       span.kind: server,
       _dd.appsec.fp.http.endpoint: http-get-7ab84831--,
-      _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63,
+      _dd.appsec.fp.http.header: hdr-0X00000000-197358b8-1-4740ae63,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]},
       _dd.origin: appsec,
@@ -200,7 +200,7 @@
       runtime-id: Guid_1,
       span.kind: server,
       _dd.appsec.fp.http.endpoint: http-get-7ab84831--,
-      _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63,
+      _dd.appsec.fp.http.header: hdr-0X00000000-197358b8-1-4740ae63,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]},
       _dd.origin: appsec,

tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=server.request.body_url=_api_Home_Upload_body={-Property1-- -[$slice]-}.verified.txt

@@ -48,7 +48,7 @@
       runtime-id: Guid_1,
       span.kind: server,
       _dd.appsec.fp.http.endpoint: http-post-ae7cd782--2d59fcb7,
-      _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311,
+      _dd.appsec.fp.http.header: hdr-0X00000100-3626b5f8-3-4d739311,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]},
       _dd.origin: appsec,
@@ -116,7 +116,7 @@
       runtime-id: Guid_1,
       span.kind: server,
       _dd.appsec.fp.http.endpoint: http-post-ae7cd782--2d59fcb7,
-      _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311,
+      _dd.appsec.fp.http.header: hdr-0X00000100-3626b5f8-3-4d739311,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]},
       _dd.origin: appsec,
@@ -184,7 +184,7 @@
       runtime-id: Guid_1,
       span.kind: server,
       _dd.appsec.fp.http.endpoint: http-post-ae7cd782--2d59fcb7,
-      _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311,
+      _dd.appsec.fp.http.header: hdr-0X00000100-3626b5f8-3-4d739311,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]},
       _dd.origin: appsec,
@@ -252,7 +252,7 @@
       runtime-id: Guid_1,
       span.kind: server,
       _dd.appsec.fp.http.endpoint: http-post-ae7cd782--2d59fcb7,
-      _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311,
+      _dd.appsec.fp.http.header: hdr-0X00000100-3626b5f8-3-4d739311,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]},
       _dd.origin: appsec,
@@ -320,7 +320,7 @@
       runtime-id: Guid_1,
       span.kind: server,
       _dd.appsec.fp.http.endpoint: http-post-ae7cd782--2d59fcb7,
-      _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311,
+      _dd.appsec.fp.http.header: hdr-0X00000100-3626b5f8-3-4d739311,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]},
       _dd.origin: appsec,