Strip fragment as well

DataDog · Jul 9, 2024 · 6dc09f5 · 6dc09f5
1 parent cd315a4
commit 6dc09f5
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 3 deletions.
diff --git a/src/processor/fingerprint.cpp b/src/processor/fingerprint.cpp
@@ -262,9 +262,9 @@ std::pair<ddwaf_object, object_store::attribute> http_endpoint_fingerprint::eval
 
     // Strip query parameter from raw URI
     auto stripped_uri = uri_raw.value;
-    auto query_idx = stripped_uri.find_first_of('?');
-    if (query_idx != std::string_view::npos) {
-        stripped_uri = stripped_uri.substr(0, query_idx);
+    auto query_or_frag_idx = stripped_uri.find_first_of("?#");
+    if (query_or_frag_idx != std::string_view::npos) {
+        stripped_uri = stripped_uri.substr(0, query_or_frag_idx);
     }
 
     auto res = generate_fragment("http", string_field{method.value},

diff --git a/tests/processor/fingerprint_test.cpp b/tests/processor/fingerprint_test.cpp
@@ -302,6 +302,34 @@ TEST(TestHttpEndpointFingerprint, UriRawConsistency)
         ddwaf_object_free(&output);
     }
 
+    {
+        ddwaf::timer deadline{2s};
+        auto [output, attr] =
+            gen.eval_impl({{}, {}, false, "GET"}, {{}, {}, false, "/path/to/whatever#fragment"},
+                {{}, {}, false, &query}, {{}, {}, false, &body}, deadline);
+        EXPECT_EQ(output.type, DDWAF_OBJ_STRING);
+        EXPECT_EQ(attr, object_store::attribute::none);
+
+        std::string_view output_sv{output.stringValue,
+            static_cast<std::size_t>(static_cast<std::size_t>(output.nbEntries))};
+        EXPECT_STRV(output_sv, "http-get-0ede9e60-0ac3796a-9798c0e4");
+        ddwaf_object_free(&output);
+    }
+
+    {
+        ddwaf::timer deadline{2s};
+        auto [output, attr] = gen.eval_impl({{}, {}, false, "GET"},
+            {{}, {}, false, "/path/to/whatever?param=hello#fragment"}, {{}, {}, false, &query},
+            {{}, {}, false, &body}, deadline);
+        EXPECT_EQ(output.type, DDWAF_OBJ_STRING);
+        EXPECT_EQ(attr, object_store::attribute::none);
+
+        std::string_view output_sv{output.stringValue,
+            static_cast<std::size_t>(static_cast<std::size_t>(output.nbEntries))};
+        EXPECT_STRV(output_sv, "http-get-0ede9e60-0ac3796a-9798c0e4");
+        ddwaf_object_free(&output);
+    }
+
     {
         ddwaf::timer deadline{2s};
         auto [output, attr] =