fix(ddwaf): allow conversion of arbitrary Mappings and Sequences to ddwaf_object (#14913)

florentinl · web-flow · commit 92937df0e341 · 2025-10-17T09:49:13.000+02:00
## Description

Allow conversion of arbitrary Mappings and Sequences to ddwaf_object
type.

## Motivation

When using `requests` without `urllib3` patching with `urllib3&lt;2`,
headers are represented by a `requests.structures.CaseInsensitiveDict`
instead of a regular Dict when they are intercepted at the `http.client`
level by the patched `HTTPConnection.request` function. When converting
to ddwaf_object this coerces it into a string instead of properly
representing it as a `map`. This makes headers matching effectively
useless.

## Testing

- Added a unit test

## Risks

&lt;!-- Note any risks associated with this change, or "None" if no risks
--&gt;

## Additional Notes

&lt;!-- Any other information that would be helpful for reviewers --&gt;
diff --git a/ddtrace/appsec/_ddwaf/ddwaf_types.py b/ddtrace/appsec/_ddwaf/ddwaf_types.py
@@ -1,3 +1,5 @@
+from collections.abc import Mapping
+from collections.abc import Sequence
 import ctypes
 import ctypes.util
 from enum import IntEnum
@@ -128,7 +130,7 @@ def truncate_string(string: bytes) -> bytes:
             ddwaf_object_string(self, truncate_string(struct))
         elif isinstance(struct, float):
             ddwaf_object_float(self, struct)
-        elif isinstance(struct, list):
+        elif isinstance(struct, Sequence):
             if max_depth <= 0:
                 observator.set_container_depth(DDWAF_MAX_CONTAINER_DEPTH)
                 max_objects = 0
@@ -145,7 +147,7 @@ def truncate_string(string: bytes) -> bytes:
                     max_string_length=max_string_length,
                 )
                 ddwaf_object_array_add(array, obj)
-        elif isinstance(struct, dict):
+        elif isinstance(struct, Mapping):
             if max_depth <= 0:
                 observator.set_container_depth(DDWAF_MAX_CONTAINER_DEPTH)
                 max_objects = 0
diff --git a/releasenotes/notes/aap-down-req-headers-urllib3-61b27c7fdc927312.yaml b/releasenotes/notes/aap-down-req-headers-urllib3-61b27c7fdc927312.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    AAP: This fix resolves an issue where downstream request analysis would not match headers in rules when using `requests` with `urllib3<2`.
diff --git a/tests/appsec/appsec/test_ddwaf_fuzz.py b/tests/appsec/appsec/test_ddwaf_fuzz.py
@@ -3,6 +3,7 @@
 from hypothesis import given
 from hypothesis import strategies as st
 import pytest
+from requests.structures import CaseInsensitiveDict
 
 from ddtrace.appsec._ddwaf.ddwaf_types import _observator
 from ddtrace.appsec._ddwaf.ddwaf_types import ddwaf_object
@@ -57,6 +58,19 @@ def test_small_objects(obj, res):
     assert dd_obj.struct == res
 
 
+@pytest.mark.parametrize(
+    ["obj", "res"],
+    [
+        (CaseInsensitiveDict({"SomeHeader": "SomeValue"}), {"SomeHeader": "SomeValue"}),
+        (range(1, 4), [1, 2, 3]),
+        ((1, 2, 3), [1, 2, 3]),
+    ],
+)
+def test_mappings_and_sequences(obj, res):
+    dd_obj = ddwaf_object(obj)
+    assert dd_obj.struct == res
+
+
 @pytest.mark.parametrize(
     "obj, res, trunc",
     [

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +fixes:
 +  - |
 +    AAP: This fix resolves an issue where downstream request analysis would not match headers in rules when using `requests` with `urllib3<2`.