Merge pull request #4175 from DataDog/appsec-handle-non-int-status-code

Fix handling of non integer response status code in AppSec

Author: y9v

lib/datadog/appsec/response.rb

@@ -87,7 +87,7 @@ def block_response(env, options)
           body << content(content_type)
 
           Response.new(
-            status: options['status_code'] || 403,
+            status: options['status_code']&.to_i || 403,
             headers: { 'Content-Type' => content_type },
             body: body,
           )
@@ -97,15 +97,14 @@ def redirect_response(env, options)
           if options['location'] && !options['location'].empty?
             content_type = content_type(env)
 
-            status = options['status_code'] >= 300 && options['status_code'] < 400 ? options['status_code'] : 303
-
             headers = {
               'Content-Type' => content_type,
               'Location' => options['location']
             }
 
+            status_code = options['status_code'].to_i
             Response.new(
-              status: status,
+              status: (status_code >= 300 && status_code < 400 ? status_code : 303),
               headers: headers,
               body: [],
             )

spec/datadog/appsec/response_spec.rb

@@ -21,7 +21,7 @@
         end
 
         let(:type) { 'html' }
-        let(:status_code) { 100 }
+        let(:status_code) { '100' }
 
         context 'status_code' do
           subject(:status) { described_class.negotiate(env, actions).status }
@@ -92,15 +92,15 @@
         end
 
         let(:location) { 'foo' }
-        let(:status_code) { 303 }
+        let(:status_code) { '303' }
 
         context 'status_code' do
           subject(:status) { described_class.negotiate(env, actions).status }
 
           it { is_expected.to eq 303 }
 
           context 'when status code do not starts with 3' do
-            let(:status_code) { 202 }
+            let(:status_code) { '202' }
 
             it { is_expected.to eq 303 }
           end