From e24b368335569d8ce01a5566d4a7e0f150b27a2b Mon Sep 17 00:00:00 2001
From: "alejandro.gonzalez" <alejandro.gonzalez@datadoghq.com>
Date: Mon, 16 Jun 2025 09:22:58 +0200
Subject: [PATCH] http route fallback

---
 .../datadog/appsec/gateway/GatewayBridge.java  |  8 ++++----
 .../gateway/GatewayBridgeSpecification.groovy  | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java
index c055f709a74..a35902bc21f 100644
--- a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java
+++ b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/GatewayBridge.java
@@ -820,11 +820,11 @@ private NoopFlow onRequestEnded(RequestContext ctx_, IGSpanInfo spanInfo) {
   private boolean maybeSampleForApiSecurity(
       AppSecRequestContext ctx, IGSpanInfo spanInfo, Map<String, Object> tags) {
     log.debug("Checking API Security for end of request handler on span: {}", spanInfo.getSpanId());
-    // API Security sampling requires http.route tag.
+    // API Security sampling requires http.route tag. If it is not present, we set empty string to
+    // avoid filtering all requests when http route is not implemented for some frameworks.
     final Object route = tags.get(Tags.HTTP_ROUTE);
-    if (route != null) {
-      ctx.setRoute(route.toString());
-    }
+    String routeStr = route != null ? route.toString() : "";
+    ctx.setRoute(routeStr);
     ApiSecuritySampler requestSampler = requestSamplerSupplier.get();
     return requestSampler.preSampleRequest(ctx);
   }
diff --git a/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy b/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy
index 38eaf9f1208..7f16c44ec57 100644
--- a/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy
+++ b/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/GatewayBridgeSpecification.groovy
@@ -1202,6 +1202,24 @@ class GatewayBridgeSpecification extends DDSpecification {
     0 * traceSegment.setTagTop(Tags.PROPAGATED_TRACE_SOURCE, ProductTraceSource.ASM)
   }
 
+  void 'test api security sampling - No http route'() {
+    given:
+    AppSecRequestContext mockAppSecCtx = Mock(AppSecRequestContext)
+    RequestContext mockCtx = Stub(RequestContext) {
+      getData(RequestContextSlot.APPSEC) >> mockAppSecCtx
+      getTraceSegment() >> traceSegment
+    }
+    IGSpanInfo spanInfo = Mock(AgentSpan)
+    when:
+    def flow = requestEndedCB.apply(mockCtx, spanInfo)
+    then:
+    1 * mockAppSecCtx.transferCollectedEvents() >> []
+    1 * spanInfo.getTags() >>  ['http.route': null]
+    1 * requestSampler.preSampleRequest(_) >> true
+    0 * traceSegment.setTagTop(Tags.ASM_KEEP, true)
+    0 * traceSegment.setTagTop(Tags.PROPAGATED_TRACE_SOURCE, ProductTraceSource.ASM)
+  }
+
   void 'test api security sampling - trace excluded'() {
     given:
     AppSecRequestContext mockAppSecCtx = Mock(AppSecRequestContext)