Skip to content

AppSec: Fix undefined method request_method= #4870

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

AppSec: Fix undefined method request_method= #4870

wants to merge 1 commit into from

Conversation

marcotc
Copy link
Member

@marcotc marcotc commented Aug 27, 2025

What does this PR do?

Motivation:

Change log entry

Additional Notes:

How to test the change?

@github-actions github-actions bot added the appsec Application Security monitoring product label Aug 27, 2025
@github-actions GitHub Actions
Copy link

👋 Hey @marcotc, please fill "Change log entry" section in the pull request description.

If changes need to be present in CHANGELOG.md you can state it this way

**Change log entry**

Yes. A brief summary to be placed into the CHANGELOG.md

(possible answers Yes/Yep/Yeah)

Or you can opt out like that

**Change log entry**

None.

(possible answers No/Nope/None)

Visited at: 2025-08-27 01:37:49 UTC

@datadog-official Datadog Official
Copy link

datadog-official bot commented Aug 27, 2025
edited
Loading

⚠️ Tests

⚠️ Warnings

❄️ 5 New flaky tests detected

Rails integration tests for an application with a basic route GET request with an event-triggering request in headers behaves like a trace with AppSec api security tags with api security enabled is expected not to be empty from rspec (Datadog) 
expected \`{}.empty?\` to be falsey, got true

Failure/Error: expect(api_security_tags).to_not be_empty
  expected \`{}.empty?\` to be falsey, got true
Shared Example Group: "a trace with AppSec api security tags" called from ./spec/datadog/appsec/contrib/rails/integration_test_spec.rb:261
./spec/datadog/appsec/contrib/support/integration/shared_examples.rb:135:in \`block (3 levels) in <top (required)>'
./spec/datadog/tracing/contrib/rails/support/base.rb:65:in \`block (3 levels) in <top (required)>'
/usr/local/bundle/gems/climate_control-1.2.0/lib/climate_control.rb:24:in \`block in modify'
/usr/local/bundle/gems/climate_control-1.2.0/lib/climate_control.rb:15:in \`modify'
./spec/datadog/tracing/contrib/rails/support/base.rb:64:in \`block (2 levels) in <top (required)>'
...
Rails integration tests for an application with a basic route GET request with an event-triggering request in IP behaves like a trace with AppSec api security tags with api security enabled is expected not to be empty from rspec (Datadog) 
expected \`{}.empty?\` to be falsey, got true

Failure/Error: expect(api_security_tags).to_not be_empty
  expected \`{}.empty?\` to be falsey, got true
Shared Example Group: "a trace with AppSec api security tags" called from ./spec/datadog/appsec/contrib/rails/integration_test_spec.rb:329
./spec/datadog/appsec/contrib/support/integration/shared_examples.rb:135:in \`block (3 levels) in <top (required)>'
./spec/datadog/tracing/contrib/rails/support/base.rb:65:in \`block (3 levels) in <top (required)>'
/usr/local/bundle/gems/climate_control-1.2.0/lib/climate_control.rb:24:in \`block in modify'
/usr/local/bundle/gems/climate_control-1.2.0/lib/climate_control.rb:15:in \`modify'
./spec/datadog/tracing/contrib/rails/support/base.rb:64:in \`block (2 levels) in <top (required)>'
...
Rails integration tests for an application with a basic route GET request with an event-triggering request in query string and a blocking rule behaves like a trace with AppSec api security tags with api security enabled is expected not to be empty from rspec (Datadog) 
expected \`{}.empty?\` to be falsey, got true

Failure/Error: expect(api_security_tags).to_not be_empty
  expected \`{}.empty?\` to be falsey, got true
Shared Example Group: "a trace with AppSec api security tags" called from ./spec/datadog/appsec/contrib/rails/integration_test_spec.rb:284
./spec/datadog/appsec/contrib/support/integration/shared_examples.rb:135:in \`block (3 levels) in <top (required)>'
./spec/datadog/tracing/contrib/rails/support/base.rb:65:in \`block (3 levels) in <top (required)>'
/usr/local/bundle/gems/climate_control-1.2.0/lib/climate_control.rb:24:in \`block in modify'
/usr/local/bundle/gems/climate_control-1.2.0/lib/climate_control.rb:15:in \`synchronize'
/usr/local/bundle/gems/climate_control-1.2.0/lib/climate_control.rb:15:in \`modify'
...
View all

ℹ️ Info

🧪 All tests passed

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 69b1fa1 | Docs | Was this helpful? Give us feedback!

@pr-commenter
Copy link

pr-commenter bot commented Aug 27, 2025

Benchmarks

Benchmark execution time: 2025-08-27 02:07:16

Comparing candidate commit 69b1fa1 in PR branch fix-appsec-rack with baseline commit 319db66 in branch master.

Found 2 performance improvements and 2 performance regressions! Performance is the same for 40 metrics, 2 unstable metrics.

scenario:line instrumentation - targeted

  • 🟥 throughput [-11517.037op/s; -10907.233op/s] or [-6.883%; -6.518%]

scenario:method instrumentation

  • 🟥 throughput [-10556.629op/s; -10069.172op/s] or [-5.941%; -5.666%]

scenario:profiling - stack collector (ruby frames - native filenames enabled)

  • 🟩 throughput [+492.710op/s; +494.619op/s] or [+16.903%; +16.968%]

scenario:tracing - Tracing.log_correlation

  • 🟩 throughput [+8986.753op/s; +9280.936op/s] or [+8.883%; +9.174%]

Strech
Strech reviewed Sep 1, 2025
View reviewed changes
lib/datadog/appsec/api_security/route_extractor.rb
pattern = request.env[RAILS_ROUTES_KEY].router
.recognize(request) { |route, _| break route.path.spec.to_s }
route_set = request.env[RAILS_ROUTES_KEY]
rails_request = route_set.request_class.new(request.env)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @marcotc, thanks for taking care of that. We don't have grape contrib, but there was a plan to start supporting it as main API framework.

The init of the router will generate new instance with unprocessed env, could you please explain what is the actual issue here of using stored router?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The main issue is that recognize(request) expects a wrapped ActionPack request, not a raw Rack request, and it throws the error undefined method request_method= when running.

Thankfully this is easy to reproduce in tests (which are being added).

Tbh, I only really have to fix the Rails issue today, but I noticed that the Grape and Sinatra paths were not tested in integration tests (which the the only way to trigger the Rails failure today), so I started adding them in this PR as well.

Still WIP though!

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤔 Hmmm, we have tested it with Rails and we decide to scope out Sinatra to system tests, but both working. In which case it do you get that error?

If it happens solely in tests like an old "integration" test we poses, than I would challenge the quality of the test.

We also have a test app where I run it across different Rails app versions.

Copy link
Member

@Strech Strech Sep 3, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BTW, here are integrations tests that will use route extraction (but not on all Rails versions)

If you don't mind could you share the error case you are fixing? I would love to help on this.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I get the issue now, problem starts not because sampling window, but because the HEAD request. It will take a path into the router which will assign the method into it to be able to find it across the available routes.

Rails will try to modify the request in order to find it.

As a suggestion, to avoid this expensive path, could we wrap the request only for this specific scenario of HEAD request then?

@Strech Strech mentioned this pull request Sep 10, 2025
Merged
@Strech Strech closed this in #4887 Sep 11, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Strech Strech Strech left review comments

Assignees
No one assigned
Labels
appsec Application Security monitoring product
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@marcotc @Strech