Forbidden attempt to set different raw URI for given request context (#10709)

WIP

WIP

WIP

add SEND_TELEMETRY to debug log

Merge branch 'master' into issue-appsec-61504

Co-authored-by: alejandro.gonzalez <alejandro.gonzalez@datadoghq.com>

Author: jandro996

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/AppSecRequestContext.java

@@ -413,11 +413,9 @@ String getSavedRawURI() {
   }
 
   void setRawURI(String savedRawURI) {
-    if (this.savedRawURI != null && this.savedRawURI.compareToIgnoreCase(savedRawURI) != 0) {
-      throw new IllegalStateException(
-          "Forbidden attempt to set different raw URI for given request context");
+    if (this.savedRawURI == null) {
+      this.savedRawURI = savedRawURI;
     }
-    this.savedRawURI = savedRawURI;
   }
 
   public String getRoute() {

dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java

@@ -989,21 +989,28 @@ private Flow<Void> onRequestMethodUriRaw(RequestContext ctx_, String method, URI
     }
     ctx.setMethod(method);
     ctx.setScheme(uri.scheme());
-    if (uri.supportsRaw()) {
-      ctx.setRawURI(uri.raw());
-    } else {
-      try {
-        URI encodedUri = new URI(null, null, uri.path(), uri.query(), null);
-        String q = encodedUri.getRawQuery();
-        StringBuilder encoded = new StringBuilder();
-        encoded.append(encodedUri.getRawPath());
-        if (null != q && !q.isEmpty()) {
-          encoded.append('?').append(q);
+    if (ctx.getSavedRawURI() == null) {
+      if (uri.supportsRaw()) {
+        ctx.setRawURI(uri.raw());
+      } else {
+        try {
+          URI encodedUri = new URI(null, null, uri.path(), uri.query(), null);
+          String q = encodedUri.getRawQuery();
+          StringBuilder encoded = new StringBuilder();
+          encoded.append(encodedUri.getRawPath());
+          if (null != q && !q.isEmpty()) {
+            encoded.append('?').append(q);
+          }
+          ctx.setRawURI(encoded.toString());
+        } catch (URISyntaxException e) {
+          log.debug("Failed to encode URI '{}{}'", uri.path(), uri.query());
         }
-        ctx.setRawURI(encoded.toString());
-      } catch (URISyntaxException e) {
-        log.debug("Failed to encode URI '{}{}'", uri.path(), uri.query());
       }
+    } else {
+      log.debug(
+          SEND_TELEMETRY,
+          "Raw URI already set to '{}'; ignoring new URI callback",
+          ctx.getSavedRawURI());
     }
     return maybePublishRequestData(ctx);
   }

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/AppSecRequestContextSpecification.groovy

@@ -81,13 +81,13 @@ class AppSecRequestContextSpecification extends DDSpecification {
     thrown(IllegalStateException)
   }
 
-  void 'adding uri a second time is forbidden'() {
+  void 'setting uri a second time is ignored, first value wins'() {
     when:
     ctx.rawURI = '/a'
     ctx.rawURI = '/b'
 
     then:
-    thrown(IllegalStateException)
+    noExceptionThrown()
     ctx.savedRawURI == '/a'
   }
 

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy

@@ -842,6 +842,17 @@ class GatewayBridgeSpecification extends DDSpecification {
   }
 
 
+  void 'request method URI callback called twice with different URIs does not throw'() {
+    // Reproduces: https://github.com/DataDog/dd-trace-java/issues/10700
+    when:
+    requestMethodURICB.apply(ctx, 'GET', TestURIDataAdapter.create('/a'))
+    requestMethodURICB.apply(ctx, 'GET', TestURIDataAdapter.create('/b'))
+
+    then:
+    noExceptionThrown()
+    ctx.data.savedRawURI == '/a'
+  }
+
   void 'response_start produces appsec context and publishes event'() {
     eventDispatcher.getDataSubscribers({
       KnownAddresses.RESPONSE_STATUS in it