chore(asm): update the list of IP headers to the latest RFC (#5185)

## Motivation

Update the list of headers from which we search for an IP address to the
latest version of the "Client IP address resolution" RFC.

## Checklist

- [X] Change(s) are motivated and described in the PR description.
- [X] Testing strategy is described if automated tests are not included
in the PR.
- [X] Risk is outlined (performance impact, potential for breakage,
maintainability, etc).
- [X] Change is maintainable (easy to change, telemetry, documentation).
- [X] [Library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/contributing.html#Release-Note-Guidelines)
are followed.
- [X] Documentation is included (in-code, generated user docs, [public
corp docs](https://github.com/DataDog/documentation/)).
- [X] Author is aware of the performance implications of this PR as
reported in the benchmarks PR comment.

## Reviewer Checklist

- [x] Title is accurate.
- [x] No unnecessary changes are introduced.
- [x] Description motivates each change.
- [x] Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes unless absolutely necessary.
- [x] Testing strategy adequately addresses listed risk(s).
- [x] Change is maintainable (easy to change, telemetry, documentation).
- [x] Release note makes sense to a user of the library.
- [x] Reviewer is aware of, and discussed the performance implications
of this PR as reported in the benchmarks PR comment.

---------

Signed-off-by: Juanjo Alvarez <[email protected]>

Author: juanjux

ddtrace/appsec/processor.py

@@ -94,10 +94,13 @@ def get_appsec_obfuscation_parameter_value_regexp():
     "accept",
     "accept-encoding",
     "accept-language",
+    "cf-connecting-ip",
+    "cf-connecting-ipv6",
     "content-encoding",
     "content-language",
     "content-length",
     "content-type",
+    "fastly-client-ip",
     "forwarded",
     "forwarded-for",
     "host",

ddtrace/contrib/trace_utils.py

@@ -61,13 +61,14 @@
 IP_PATTERNS = (
     "x-forwarded-for",
     "x-real-ip",
-    "client-ip",
+    "true-client-ip",
+    "x-client-ip",
     "x-forwarded",
-    "x-cluster-client-ip",
     "forwarded-for",
-    "forwarded",
-    "via",
-    "true-client-ip",
+    "x-cluster-client-ip",
+    "fastly-client-ip",
+    "cf-connecting-ip",
+    "cf-connecting-ipv6",
 )
 
 

releasenotes/notes/asm-update-ip-resolution-04c9d92ea3138051.yaml

@@ -0,0 +1,8 @@
+---
+other:
+  - |
+    ASM: The list of headers for retrieving the IP when Application Security Management is enabled or the 
+      `DD_TRACE_CLIENT_IP_ENABLED` environment variable is set has been updated. "Via" has been 
+      removed as it rarely contains IP data and some common vendor headers have been added. You can
+      also set the environment variable `DD_TRACE_CLIENT_IP_HEADER` to always retrieve the IP
+      from the header specified as the value.

tests/contrib/django/test_django_appsec.py

@@ -349,7 +349,7 @@ def test_django_client_ip_header_set_by_env_var_valid(client, test_spans, tracer
             test_spans,
             tracer,
             url="/?a=1&b&c=d",
-            headers={"HTTP_CLIENT_IP": "8.8.8.8", "HTTP_X_USE_THIS": "4.4.4.4"},
+            headers={"HTTP_X_CLIENT_IP": "8.8.8.8", "HTTP_X_USE_THIS": "4.4.4.4"},
         )
         assert root_span.get_tag(http.CLIENT_IP) == "4.4.4.4"
 
@@ -364,10 +364,10 @@ def test_django_client_ip_nothing(client, test_spans, tracer):
 @pytest.mark.parametrize(
     "kwargs,expected",
     [
-        ({"HTTP_CLIENT_IP": "", "HTTP_X_FORWARDED_FOR": "4.4.4.4"}, "4.4.4.4"),
-        ({"HTTP_CLIENT_IP": "192.168.1.3,4.4.4.4"}, "4.4.4.4"),
-        ({"HTTP_CLIENT_IP": "4.4.4.4,8.8.8.8"}, "4.4.4.4"),
-        ({"HTTP_CLIENT_IP": "192.168.1.10,192.168.1.20"}, "192.168.1.10"),
+        ({"HTTP_X_CLIENT_IP": "", "HTTP_X_FORWARDED_FOR": "4.4.4.4"}, "4.4.4.4"),
+        ({"HTTP_X_CLIENT_IP": "192.168.1.3,4.4.4.4"}, "4.4.4.4"),
+        ({"HTTP_X_CLIENT_IP": "4.4.4.4,8.8.8.8"}, "4.4.4.4"),
+        ({"HTTP_X_CLIENT_IP": "192.168.1.10,192.168.1.20"}, "192.168.1.10"),
     ],
 )
 def test_django_client_ip_headers(client, test_spans, tracer, kwargs, expected):

tests/contrib/django/test_django_appsec_snapshots.py

@@ -114,7 +114,7 @@ def test_request_ipblock_nomatch_200():
             "DD_APPSEC_RULES": RULES_GOOD_PATH,
         },
     ) as client:
-        result = client.get("/", headers={"Via": _ALLOWED_IP})
+        result = client.get("/", headers={"X-Real-Ip": _ALLOWED_IP})
         assert result.status_code == 200
         assert result.content == b"Hello, test app."
 
@@ -143,7 +143,7 @@ def test_request_ipblock_match_403():
         result = client.get(
             "/",
             headers={
-                "Via": _BLOCKED_IP,
+                "X-Real-Ip": _BLOCKED_IP,
                 "Accept": "text/html",
             },
         )
@@ -178,7 +178,7 @@ def test_request_ipblock_match_403_json():
         result = client.get(
             "/",
             headers={
-                "Via": _BLOCKED_IP,
+                "X-Real-Ip": _BLOCKED_IP,
             },
         )
         assert result.status_code == 403

tests/contrib/django/test_django_snapshots.py

@@ -111,7 +111,8 @@ def test_safe_string_encoding(client, snapshot_context):
             "111x": (1, 9) <= django.VERSION < (1, 12),
             "21x": (1, 12) < django.VERSION < (2, 2),
             "": django.VERSION >= (2, 2),
-        }
+        },
+        ignores=["metrics._dd.tracer_kr"],
     ):
         assert client.get("/safe-template/").status_code == 200
 
@@ -156,7 +157,7 @@ def test_psycopg_query_default(client, snapshot_context, psycopg2_patched):
     from django.db import connections
     from psycopg2.sql import SQL
 
-    with snapshot_context(ignores=["meta.out.host"]):
+    with snapshot_context(ignores=["meta.out.host", "metrics._dd.tracer_kr"]):
         query = SQL("""select 'one' as x""")
         conn = connections["postgres"]
         with conn.cursor() as cur:

tests/contrib/flask/test_appsec_flask_snapshot.py

@@ -127,7 +127,7 @@ def flask_client(flask_command, flask_port, flask_wsgi_application, flask_env_ar
 )
 @pytest.mark.parametrize("flask_env_arg", (flask_appsec_good_rules_env,))
 def test_flask_ipblock_match_403(flask_client):
-    resp = flask_client.get("/", headers={"Via": _BLOCKED_IP, "ACCEPT": "text/html"})
+    resp = flask_client.get("/", headers={"X-Real-Ip": _BLOCKED_IP, "ACCEPT": "text/html"})
     assert resp.status_code == 403
     if hasattr(resp, "text"):
         assert resp.text == APPSEC_BLOCKED_RESPONSE_HTML
@@ -154,7 +154,7 @@ def test_flask_ipblock_match_403(flask_client):
 )
 @pytest.mark.parametrize("flask_env_arg", (flask_appsec_good_rules_env,))
 def test_flask_ipblock_match_403_json(flask_client):
-    resp = flask_client.get("/", headers={"Via": _BLOCKED_IP})
+    resp = flask_client.get("/", headers={"X-Real-Ip": _BLOCKED_IP})
     assert resp.status_code == 403
     if hasattr(resp, "text"):
         assert resp.text == APPSEC_BLOCKED_RESPONSE_JSON

tests/contrib/flask/test_flask_appsec.py

@@ -140,7 +140,7 @@ def test_flask_useragent(self):
 
     def test_flask_client_ip_header_set_by_env_var_valid(self):
         with override_global_config(dict(_appsec_enabled=True, client_ip_header="X-Use-This")):
-            self.client.get("/?a=1&b&c=d", headers={"HTTP_CLIENT_IP": "8.8.8.8", "X-Use-This": "4.4.4.4"})
+            self.client.get("/?a=1&b&c=d", headers={"HTTP_X_CLIENT_IP": "8.8.8.8", "X-Use-This": "4.4.4.4"})
             spans = self.pop_spans()
             root_span = spans[0]
             assert root_span.get_tag(http.CLIENT_IP) == "4.4.4.4"
@@ -268,7 +268,7 @@ def test_flask_body_xml_empty_logs_warning(self):
     def test_flask_ipblock_match_403_json(self):
         with override_global_config(dict(_appsec_enabled=True)), override_env(dict(DD_APPSEC_RULES=RULES_GOOD_PATH)):
             self._aux_appsec_prepare_tracer()
-            resp = self.client.get("/", headers={"Via": _BLOCKED_IP})
+            resp = self.client.get("/", headers={"X-Real-Ip": _BLOCKED_IP})
             assert resp.status_code == 403
             if hasattr(resp, "text"):
                 assert resp.text == constants.APPSEC_BLOCKED_RESPONSE_JSON

tests/contrib/flask/test_flask_appsec_telemetry.py

@@ -31,7 +31,7 @@ def test_telemetry_metrics_block(self):
             dict(DD_APPSEC_RULES=RULES_GOOD_PATH)
         ):
             self._aux_appsec_prepare_tracer()
-            resp = self.client.get("/", headers={"Via": _BLOCKED_IP})
+            resp = self.client.get("/", headers={"X-Real-Ip": _BLOCKED_IP})
             assert resp.status_code == 403
             if hasattr(resp, "text"):
                 assert resp.text == APPSEC_BLOCKED_RESPONSE_JSON

tests/snapshots/tests.contrib.django.test_django_appsec_snapshots.test_request_ipblock_match_403.json

@@ -28,7 +28,7 @@
       "http.request.headers.accept-encoding": "gzip, deflate, br",
       "http.request.headers.host": "localhost:8000",
       "http.request.headers.user-agent": "python-requests/2.28.1",
-      "http.request.headers.via": "8.8.4.4",
+      "http.request.headers.x-real-ip": "8.8.4.4",
       "http.url": "http://localhost:8000/",
       "http.useragent": "python-requests/2.28.1",
       "http.version": "1.1",