🚑 Avoid Django "ALLOWED_HOSTS" check

jourdanrodrigues · jourdanrodrigues · commit acea8899d5ba · 2025-07-25T10:21:29.000-03:00
diff --git a/instrumentation/opentelemetry-instrumentation-django/src/opentelemetry/instrumentation/django/middleware/otel_middleware.py b/instrumentation/opentelemetry-instrumentation-django/src/opentelemetry/instrumentation/django/middleware/otel_middleware.py
@@ -194,7 +194,7 @@ def process_request(self, request):
         # Read more about request.META here:
         # https://docs.djangoproject.com/en/3.0/ref/request-response/#django.http.HttpRequest.META
 
-        if self._excluded_urls.url_disabled(request.build_absolute_uri("?")):
+        if self._url_is_disabled(request):
             return
 
         is_asgi_request = _is_asgi_request(request)
@@ -305,7 +305,7 @@ def process_request(self, request):
     def process_view(self, request, view_func, *args, **kwargs):
         # Process view is executed before the view function, here we get the
         # route template from request.resolver_match.  It is not set yet in process_request
-        if self._excluded_urls.url_disabled(request.build_absolute_uri("?")):
+        if self._url_is_disabled(request):
             return
 
         if (
@@ -330,7 +330,7 @@ def process_view(self, request, view_func, *args, **kwargs):
                         duration_attrs[HTTP_ROUTE] = route
 
     def process_exception(self, request, exception):
-        if self._excluded_urls.url_disabled(request.build_absolute_uri("?")):
+        if self._url_is_disabled(request):
             return
 
         if self._environ_activation_key in request.META.keys():
@@ -340,7 +340,7 @@ def process_exception(self, request, exception):
     # pylint: disable=too-many-locals
     # pylint: disable=too-many-statements
     def process_response(self, request, response):
-        if self._excluded_urls.url_disabled(request.build_absolute_uri("?")):
+        if self._url_is_disabled(request):
             return response
 
         is_asgi_request = _is_asgi_request(request)
@@ -453,6 +453,15 @@ def process_response(self, request, response):
 
         return response
 
+    def _url_is_disabled(self, request):
+        """
+        Avoid `request.get_host` to bypass Django's ALLOWED_HOST check
+        """
+        url = "{}://{}{}?".format(
+            request.scheme, request._get_raw_host(), request.path
+        )
+        return self._excluded_urls.url_disabled(url)
+
 
 def _parse_duration_attrs(
     req_attrs, sem_conv_opt_in_mode=_StabilityMode.DEFAULT
diff --git a/instrumentation/opentelemetry-instrumentation-django/tests/test_middleware.py b/instrumentation/opentelemetry-instrumentation-django/tests/test_middleware.py
@@ -116,6 +116,10 @@ def setUpClass(cls):
     def setUp(self):
         super().setUp()
         setup_test_environment()
+        conf.settings.ALLOWED_HOSTS = [
+            # Django adds "testserver" within "setup_test_environment" so this check doesn't break during tests.
+            "unknown"
+        ]
         test_name = ""
         if hasattr(self, "_testMethodName"):
             test_name = self._testMethodName
