dd-trace-go

[BUG] contrib/dimfeld/httptreemux.v5: trailing slash requests are redirected with raw URL being tracked

Open devilleweppenaar opened this issue 10 months ago • 1 comments

Version of dd-trace-go v1.59.1 (and newer)

Describe what happened:

This issue is specific to contrib/dimfeld/httptreemux.v5 and related to #2293.

From the description of #2293:

The dimfeld/httptreemux router has logic to handle trailing slashes which redirects to the URL without the trailing slash. This happens without the URL parameterized and sanitized of any sensitive information. This results in a second request being done, which is parameterized, but more importantly, it means that the first request is traced with its raw URL rather than the parametrized one. This happens because while looking up the resource with a trailing slash, the parameters are not detected.

A partial fix for the issue was included in #2332, but it only catered for one of the two scenarios. The same problematic behaviour is observed when a request without a trailing slash matches a registered route that has a trailing slash.

The following examples will both trigger the redirect behaviour in the dimfeld/httptreemux.v5 router:

  1. request without trailing slash matching to route with trailing slash:
    • request URL: GET /api/v1/:email (without trailing slash)
    • route path: GET /api/v1/:email/ (with trailing slash)
  2. request with trailing slash matching to route without trailing slash:
    • request URL: GET /api/v1/:email/ (with trailing slash)
    • route path: GET /api/v1/:email (without trailing slash)

Describe what you expected:

Both requests, redirect and post redirect, should be parameterized in both scenarios listed in the previous section.

Steps to reproduce the issue:

Call an endpoint with at least one path parameter with a trailing slash, while using the dimfeld/httptreemux.v5 router.

Additional environment details (Version of Go, Operating System, etc.):

This issue isn't dependent on any environmental details.

devilleweppenaar, Apr 18 '24 23:04
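The expected behaviour from the report above, modeled with the standard library only. This is an added example, not code from dd-trace-go or httptreemux: the span name is resolved by retrying the lookup with the trailing slash toggled in either direction, so the redirect response is named by route pattern and the raw path value never reaches the trace. The route table, the `match` and `ResourceName` helpers, and the `unknown` fallback are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed route table: one route per scenario listed in the issue.
var routes = []string{"/api/v1/:email/", "/api/v2/:email"}

// match compares pattern and path segment by segment; a ":name" segment
// accepts any non-empty value, every other segment must be equal.
func match(pattern, path string) bool {
	ps, xs := strings.Split(pattern, "/"), strings.Split(path, "/")
	if len(ps) != len(xs) {
		return false
	}
	for i, p := range ps {
		isParam := strings.HasPrefix(p, ":")
		if (isParam && xs[i] == "") || (!isParam && p != xs[i]) {
			return false
		}
	}
	return true
}

// ResourceName names the span by route pattern. It tries the exact path,
// then the path with its trailing slash added or removed, which covers
// both redirect directions. It never falls back to the raw URL.
func ResourceName(method, path string) string {
	alt := path + "/"
	if strings.HasSuffix(path, "/") {
		alt = strings.TrimSuffix(path, "/")
	}
	for _, candidate := range []string{path, alt} {
		for _, r := range routes {
			if match(r, candidate) {
				return method + " " + r
			}
		}
	}
	return method + " unknown" // assumed placeholder for unmatched paths
}

func main() {
	for _, p := range []string{"/api/v1/alice@example.com", "/api/v2/alice@example.com/"} {
		fmt.Println(ResourceName("GET", p))
	}
}
```

A regression test for the tracer integration can make the same two assertions against the span recorded for the redirect response, one per scenario.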

Hi @devillecodes

Thanks for the bug report and opening a PR with the fix! I was able to confirm the bug is indeed happening, so I will proceed with the PR review soon.

rarguelloF, Apr 24 '24 11:04