RUM: Prevent any Content-Length header from being set upon injection

Author: amarziali

dd-java-agent/instrumentation/servlet/jakarta-servlet-5.0/src/main/java/datadog/trace/instrumentation/servlet5/RumHttpServletResponseWrapper.java

@@ -103,21 +103,33 @@ public PrintWriter getWriter() throws IOException {
 
   @Override
   public void setHeader(String name, String value) {
-    checkForContentSecurityPolicy(name);
+    if (shouldInject) {
+      if (isContentLengthHeader(name)) {
+        return;
+      }
+      checkForContentSecurityPolicy(name);
+    }
     super.setHeader(name, value);
   }
 
   @Override
   public void addHeader(String name, String value) {
-    checkForContentSecurityPolicy(name);
+    if (shouldInject) {
+      if (isContentLengthHeader(name)) {
+        return;
+      }
+      checkForContentSecurityPolicy(name);
+    }
     super.addHeader(name, value);
   }
 
+  private boolean isContentLengthHeader(String name) {
+    return "content-length".equalsIgnoreCase(name);
+  }
+
   private void checkForContentSecurityPolicy(String name) {
-    if (name != null) {
-      if (name.startsWith("Content-Security-Policy")) {
-        RumInjector.getTelemetryCollector().onContentSecurityPolicyDetected(servletVersion);
-      }
+    if (name != null && name.equalsIgnoreCase("content-security-policy")) {
+      RumInjector.getTelemetryCollector().onContentSecurityPolicyDetected(servletVersion);
     }
   }
 

dd-java-agent/instrumentation/servlet/javax-servlet/javax-servlet-3.0/src/main/java/datadog/trace/instrumentation/servlet3/RumHttpServletResponseWrapper.java

@@ -122,21 +122,33 @@ public PrintWriter getWriter() throws IOException {
 
   @Override
   public void setHeader(String name, String value) {
-    checkForContentSecurityPolicy(name);
+    if (shouldInject) {
+      if (isContentLengthHeader(name)) {
+        return;
+      }
+      checkForContentSecurityPolicy(name);
+    }
     super.setHeader(name, value);
   }
 
   @Override
   public void addHeader(String name, String value) {
-    checkForContentSecurityPolicy(name);
+    if (shouldInject) {
+      if (isContentLengthHeader(name)) {
+        return;
+      }
+      checkForContentSecurityPolicy(name);
+    }
     super.addHeader(name, value);
   }
 
+  private boolean isContentLengthHeader(String name) {
+    return "content-length".equalsIgnoreCase(name);
+  }
+
   private void checkForContentSecurityPolicy(String name) {
-    if (name != null) {
-      if (name.startsWith("Content-Security-Policy")) {
-        RumInjector.getTelemetryCollector().onContentSecurityPolicyDetected(servletVersion);
-      }
+    if (name != null && name.equalsIgnoreCase("content-security-policy")) {
+      RumInjector.getTelemetryCollector().onContentSecurityPolicyDetected(servletVersion);
     }
   }
 

dd-java-agent/instrumentation/spring/spring-webmvc/spring-webmvc-3.1/src/latestDepTest/groovy/test/boot/SpringBootBasedTest.groovy

@@ -129,6 +129,11 @@ class SpringBootBasedTest extends HttpServerTest<ConfigurableApplicationContext>
     true
   }
 
+  @Override
+  boolean testRumInjection() {
+    true
+  }
+
   @Override
   Serializable expectedServerSpanRoute(ServerEndpoint endpoint) {
     switch (endpoint) {

dd-java-agent/instrumentation/spring/spring-webmvc/spring-webmvc-3.1/src/latestDepTest/groovy/test/boot/TestController.groovy

@@ -161,6 +161,27 @@ class TestController {
     }
   }
 
+  @RequestMapping(value = "/gimme-xml", produces = "text/xml")
+  @ResponseBody
+  String gimmeXml() {
+    "<test/>"
+  }
+
+  @RequestMapping(value = "/gimme-html", produces = "text/html")
+  @ResponseBody
+  String gimmeHtml() {
+    "\n" +
+      "<!doctype html>\n" +
+      "<html>\n" +
+      "  <head>\n" +
+      "    <title>This is the title of the webpage!</title>\n" +
+      "  </head>\n" +
+      "  <body>\n" +
+      "    <p>This is an example paragraph. Anything in the <strong>body</strong> tag will appear on the page, just like this <strong>p</strong> tag and its contents.</p>\n" +
+      "  </body>\n" +
+      "</html>"
+  }
+
   @ExceptionHandler
   ResponseEntity handleException(Throwable throwable) {
     new ResponseEntity(throwable.message, HttpStatus.INTERNAL_SERVER_ERROR)

dd-java-agent/instrumentation/spring/spring-webmvc/spring-webmvc-3.1/src/test/groovy/test/boot/SpringBootBasedTest.groovy

@@ -144,6 +144,11 @@ class SpringBootBasedTest extends HttpServerTest<ConfigurableApplicationContext>
     true
   }
 
+  @Override
+  boolean testRumInjection() {
+    true
+  }
+
   @Override
   void assertEndpointDiscovery(final List<?> endpoints) {
     final discovered = endpoints.collectEntries { [(it.method): it] }  as Map<String, Endpoint>

dd-java-agent/instrumentation/spring/spring-webmvc/spring-webmvc-3.1/src/test/groovy/test/boot/TestController.groovy

@@ -162,6 +162,27 @@ class TestController {
     }
   }
 
+  @RequestMapping(value = "/gimme-xml", produces = "text/xml")
+  @ResponseBody
+  String gimmeXml() {
+    "<test/>"
+  }
+
+  @RequestMapping(value = "/gimme-html", produces = "text/html")
+  @ResponseBody
+  String gimmeHtml() {
+    "\n" +
+      "<!doctype html>\n" +
+      "<html>\n" +
+      "  <head>\n" +
+      "    <title>This is the title of the webpage!</title>\n" +
+      "  </head>\n" +
+      "  <body>\n" +
+      "    <p>This is an example paragraph. Anything in the <strong>body</strong> tag will appear on the page, just like this <strong>p</strong> tag and its contents.</p>\n" +
+      "  </body>\n" +
+      "</html>"
+  }
+
   @RequestMapping(value = "/discovery",
   method = [RequestMethod.POST, RequestMethod.PATCH, RequestMethod.PUT],
   consumes = MediaType.APPLICATION_JSON_VALUE,

dd-java-agent/instrumentation/spring/spring-webmvc/spring-webmvc-6.0/src/test/groovy/datadog/trace/instrumentation/springweb6/boot/SpringBootBasedTest.groovy

@@ -221,6 +221,11 @@ class SpringBootBasedTest extends HttpServerTest<ConfigurableApplicationContext>
     true
   }
 
+  @Override
+  boolean testRumInjection() {
+    true
+  }
+
   @Override
   Map<String, Serializable> expectedExtraErrorInformation(ServerEndpoint endpoint) {
     // latest DispatcherServlet throws if no handlers have been found

dd-java-agent/instrumentation/spring/spring-webmvc/spring-webmvc-6.0/src/test/groovy/datadog/trace/instrumentation/springweb6/boot/TestController.groovy

@@ -151,6 +151,27 @@ class TestController {
     }
   }
 
+  @RequestMapping(value = "/gimme-xml", produces = "text/xml")
+  @ResponseBody
+  String gimmeXml() {
+    "<test/>"
+  }
+
+  @RequestMapping(value = "/gimme-html", produces = "text/html")
+  @ResponseBody
+  String gimmeHtml() {
+    "\n" +
+      "<!doctype html>\n" +
+      "<html>\n" +
+      "  <head>\n" +
+      "    <title>This is the title of the webpage!</title>\n" +
+      "  </head>\n" +
+      "  <body>\n" +
+      "    <p>This is an example paragraph. Anything in the <strong>body</strong> tag will appear on the page, just like this <strong>p</strong> tag and its contents.</p>\n" +
+      "  </body>\n" +
+      "</html>"
+  }
+
   @ExceptionHandler
   ResponseEntity handleException(Throwable throwable) {
     new ResponseEntity(throwable.message, HttpStatus.INTERNAL_SERVER_ERROR)