fix(asm): avoid json decode error in request body (backport #4129) (#4130)

This is an automatic backport of pull request #4129 done by [Mergify](https://mergify.com).
Cherry-pick of b8ddbec has failed:
```
On branch mergify/bp/1.4/pr-4129
Your branch is up to date with 'origin/1.4'.

You are currently cherry-picking commit b8ddbec.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	new file:   releasenotes/notes/asm-avoid-json-decode-error-31479891110bcb55.yaml
	modified:   tests/contrib/django/test_django_appsec.py

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   ddtrace/contrib/django/utils.py
	both modified:   ddtrace/contrib/flask/patch.py
	both modified:   ddtrace/contrib/pylons/middleware.py
	both modified:   tests/contrib/flask/test_flask_appsec.py
	both modified:   tests/contrib/pylons/test_pylons.py

```


To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/github/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

---


<details>
<summary>Mergify commands and options</summary>

<br />

More conditions and actions can be found in the [documentation](https://docs.mergify.com/).

You can also trigger Mergify actions by commenting on this pull request:

- `@Mergifyio refresh` will re-evaluate the rules
- `@Mergifyio rebase` will rebase this PR on its base branch
- `@Mergifyio update` will merge the base branch into this PR
- `@Mergifyio backport <destination>` will backport this PR on `<destination>` branch

Additionally, on Mergify [dashboard](https://dashboard.mergify.com/) you can:

- look at your merge queues
- generate the Mergify configuration with the config editor.

Finally, you can contact us on https://mergify.com
</details>

Author: mergify[bot]

ddtrace/contrib/django/utils.py

@@ -25,6 +25,13 @@
 from .compat import user_is_authenticated
 
 
+try:
+    from json import JSONDecodeError
+except ImportError:
+    # handling python 2.X import error
+    JSONDecodeError = ValueError  # type: ignore
+
+
 log = get_logger(__name__)
 
 # Set on patch, when django is imported
@@ -312,7 +319,7 @@ def _after_request_tags(pin, span, request, response):
 
             if config._appsec_enabled and request.method in _BODY_METHODS:
                 content_type = (
-                    request.content_type if hasattr(request, "content_type") else request.META["CONTENT_TYPE"]
+                    request.content_type if hasattr(request, "content_type") else request.META.get("CONTENT_TYPE")
                 )
 
                 rest_framework = hasattr(request, "data")
@@ -328,7 +335,14 @@ def _after_request_tags(pin, span, request, response):
                         )
                     else:  # text/plain, xml, others: take them as strings
                         req_body = request.data.decode("UTF-8") if rest_framework else request.body.decode("UTF-8")
-                except (AttributeError, RawPostDataException, UnreadablePostError, OSError):
+                except (
+                    AttributeError,
+                    RawPostDataException,
+                    UnreadablePostError,
+                    OSError,
+                    ValueError,
+                    JSONDecodeError,
+                ):
                     log.warning("Failed to parse request body", exc_info=True)
                     # req_body is None
 

ddtrace/contrib/flask/patch.py

@@ -34,6 +34,13 @@
 from .wrappers import wrap_signal
 
 
+try:
+    from json import JSONDecodeError
+except ImportError:
+    # handling python 2.X import error
+    JSONDecodeError = ValueError  # type: ignore
+
+
 log = get_logger(__name__)
 
 FLASK_ENDPOINT = "flask.endpoint"
@@ -374,7 +381,7 @@ def traced_wsgi_app(pin, wrapped, instance, args, kwargs):
                     req_body = request.form.to_dict()
                 else:
                     req_body = request.get_data()
-            except (AttributeError, RuntimeError, TypeError, BadRequest):
+            except (AttributeError, RuntimeError, TypeError, BadRequest, ValueError, JSONDecodeError):
                 log.warning("Failed to parse werkzeug request body", exc_info=True)
             finally:
                 # Reset wsgi input to the beginning

releasenotes/notes/asm-avoid-json-decode-error-31479891110bcb55.yaml

@@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    ASM: (flask) avoid json decode error while parsing request body.

tests/contrib/django/test_django_appsec.py

@@ -1,4 +1,5 @@
 import json
+import logging
 
 from ddtrace.internal import _context
 from ddtrace.internal.compat import urlencode
@@ -157,18 +158,31 @@ def test_django_request_body_plain(client, test_spans, tracer):
 
 
 def test_django_request_body_plain_attack(client, test_spans, tracer):
-    with override_global_config(dict(_appsec_enabled=True)):
-        with override_env(dict(DD_APPSEC_RULES=RULES_GOOD_PATH)):
-            tracer._appsec_enabled = True
-            # Hack: need to pass an argument to configure so that the processors are recreated
-            tracer.configure(api_version="v0.4")
-            payload = "1' or '1' = '1'"
-            client.post("/", payload, content_type="text/plain")
-            root_span = test_spans.spans[0]
+    with override_global_config(dict(_appsec_enabled=True)), override_env(dict(DD_APPSEC_RULES=RULES_GOOD_PATH)):
+        tracer._appsec_enabled = True
+        # Hack: need to pass an argument to configure so that the processors are recreated
+        tracer.configure(api_version="v0.4")
+        payload = "1' or '1' = '1'"
+        client.post("/", payload, content_type="text/plain")
+        root_span = test_spans.spans[0]
 
-            query = _context.get_item("http.request.body", span=root_span)
-            assert "triggers" in json.loads(root_span.get_tag("_dd.appsec.json"))
-            assert query == "1' or '1' = '1'"
+        query = _context.get_item("http.request.body", span=root_span)
+        assert "triggers" in json.loads(root_span.get_tag("_dd.appsec.json"))
+        assert query == "1' or '1' = '1'"
+
+
+# @pytest.fixture(autouse=True)
+def test_django_request_body_json_empty(caplog, client, test_spans, tracer):
+    with caplog.at_level(logging.WARNING), override_global_config(dict(_appsec_enabled=True)), override_env(
+        dict(DD_APPSEC_RULES=RULES_GOOD_PATH)
+    ):
+        tracer._appsec_enabled = True
+        # Hack: need to pass an argument to configure so that the processors are recreated
+        tracer.configure(api_version="v0.4")
+        payload = '{"attack": "bad_payload",}'
+        response = client.post("/", payload, content_type="application/json")
+        assert response.status_code == 200
+        assert "Failed to parse request body" in caplog.text
 
 
 def test_django_path_params(client, test_spans, tracer):

tests/contrib/flask/test_flask_appsec.py

@@ -1,6 +1,8 @@
 import json
+import logging
 
 from flask import request
+import pytest
 
 from ddtrace.internal import _context
 from ddtrace.internal.compat import urlencode
@@ -11,6 +13,10 @@
 
 
 class FlaskAppSecTestCase(BaseFlaskTestCase):
+    @pytest.fixture(autouse=True)
+    def inject_fixtures(self, caplog):
+        self._caplog = caplog
+
     def test_flask_simple_attack(self):
         self.tracer._appsec_enabled = True
         # Hack: need to pass an argument to configure so that the processors are recreated
@@ -188,3 +194,11 @@ def test_flask_body_json_attack(self):
             query = dict(_context.get_item("http.request.body", span=root_span))
             assert "triggers" in json.loads(root_span.get_tag("_dd.appsec.json"))
             assert query == {"attack": "1' or '1' = '1'"}
+
+    def test_flask_body_json_empty_body_logs_warning(self):
+        with self._caplog.at_level(logging.WARNING), override_global_config(dict(_appsec_enabled=True)):
+            self.tracer._appsec_enabled = True
+            # Hack: need to pass an argument to configure so that the processors are recreated
+            self.tracer.configure(api_version="v0.4")
+            self.client.post("/", data="", content_type="application/json")
+            assert "Failed to parse werkzeug request body" in self._caplog.text