fix(tornado): match http routes in correct order and missing routes certain regex patterns (#17515)

## Description

Two fixes to `_find_route`, the helper that determines the `http.route` tag for Tornado requests.

**1. Route matching order in nested applications**

`_find_route` pushes sub-rules of a nested `Application` onto the front of the processing deque with `extendleft`. Because `extendleft` reverses the input sequence as it inserts, the routes were processed in reverse declaration order — a catch-all defined after a specific route would incorrectly win. Fix: `extendleft(reversed(rule.target.rules))`.

**2. `http.route` missing for complex regex patterns**

Tornado's `PathMatches._path` is `None` whenever the route regex cannot be reversed (e.g. patterns containing non-capturing groups `(?:...)`, lookaheads, or lookbehinds). Previously `http.route` was absent for those routes. This adds `_regex_to_route`, a `lru_cache`-backed helper that converts any regex pattern to a route string: capturing groups become `%s` (consistent with Tornado's own format), non-capturing constructs are kept verbatim.

Both issues were surfaced by Streamlit, which mounts a nested Tornado application with non-trivial route patterns.

**3. Endpoint discovery at startup used to send the wrong path format

`_collect_endpoints` previously sent the regex pattern as the route which does not match the `http.route` behavior.
The discrepancy leads to duplicated endpoints in the Datadog UI.

## Testing

- `test_nested_application_route_order`: nested app with a specific route before a catch-all; asserts the specific route wins. Fails without fix 1.
- `test_complex_pattern_route`: covers a pure non-capturing group route and a mixed non-capturing + capturing group route; asserts `http.route` is populated and capturing groups are rendered as `%s`. Fails without fix 2.
- `test_regex_to_route`: parametrised unit tests for `_regex_to_route` in isolation, covering anchors, positional/named capturing groups, non-capturing groups, lookaheads, nested groups, and escaped parens.

## Risks

None. Both changes only affect route tag computation; request dispatch is handled by Tornado independently.
- This changes only adds `http.route` values for cases that were previously not supported.

## Additional Notes

- Slightly refactored the appsec telemetry tests to allow for the fact that tornado does not support typed path parameters in the route.


Co-authored-by: florentin.labelle <florentin.labelle@datadoghq.com>

Author: florentinl

ddtrace/contrib/internal/tornado/application.py

@@ -1,12 +1,14 @@
 from urllib.parse import urlparse
 
 from tornado import template
+from tornado.routing import PathMatches
 import tornado.web
 
 from ddtrace import config
 from ddtrace._trace.pin import Pin
 from ddtrace.contrib.internal.tornado import decorators
 from ddtrace.contrib.internal.tornado.constants import CONFIG_KEY
+from ddtrace.contrib.internal.tornado.handlers import _path_for_path_match
 from ddtrace.contrib.internal.tornado.stack_context import context_provider
 from ddtrace.internal.endpoints import endpoint_collection
 from ddtrace.internal.schema import schematize_service_name
@@ -33,8 +35,7 @@ def _collect_endpoints(app):
     while rules:
         rule = rules.pop()
         matcher = getattr(rule, "matcher", None)
-        regex = getattr(matcher, "regex", None) if matcher is not None else None
-        path = regex.pattern if regex is not None else None
+        path = _path_for_path_match(matcher) if isinstance(matcher, PathMatches) else None
         target = getattr(rule, "target", None)
 
         if path is not None and isinstance(target, type) and issubclass(target, tornado.web.RequestHandler):

ddtrace/contrib/internal/tornado/handlers.py

@@ -1,5 +1,7 @@
 from collections import deque
+from functools import lru_cache
 
+from tornado.routing import PathMatches
 from tornado.web import HTTPError
 
 from ddtrace import config
@@ -104,6 +106,117 @@ async def execute(func, handler, args, kwargs):
                     raise
 
 
+# Regex group prefixes that mark a group as non-capturing (kept verbatim in the route).
+# Full Python re syntax for groups starting with '(':
+#   (?:...)   non-capturing group
+#   (?=...)   positive lookahead
+#   (?!...)   negative lookahead
+#   (?<=...)  positive lookbehind
+#   (?<!...)  negative lookbehind
+#   (?>...)   atomic group
+#   (?(...)   conditional group
+#   (?P=name) named backreference  — NOT a capturing group despite starting with ?P
+#
+# Capturing groups — intentionally absent, they become %s in the route:
+#   (...)         positional capturing group
+#   (?P<name>...) named capturing group
+#
+# Comments — handled separately in _regex_to_route, removed entirely from the route:
+#   (?#...)  inline comment — matches nothing, contributes nothing to the path
+_NON_CAPTURING_PREFIXES = ("?:", "?=", "?!", "?<=", "?<!", "?>", "?(", "?P=")
+
+
+@lru_cache(maxsize=512)
+def _regex_to_route(pattern: str) -> str:
+    """
+    Convert a compiled regex pattern to an ``http.route``-style string.
+
+    This mirrors what Tornado's ``PathMatches._find_groups`` produces: capturing
+    groups (positional ``(...)`` and named ``(?P<name>...)``) are replaced with
+    ``%s``, while non-capturing constructs (``(?:...)``, lookaheads, lookbehinds)
+    are kept verbatim so the route remains readable.
+
+    Unlike ``_find_groups`` this never returns ``None`` — it always produces a
+    usable route string regardless of pattern complexity.
+    """
+    # Strip the anchors that Tornado's PathMatches.__init__ appends.
+    if pattern.startswith("^"):
+        pattern = pattern[1:]
+    if pattern.endswith("$"):
+        pattern = pattern[:-1]
+
+    result = []
+    i = 0
+    n = len(pattern)
+
+    while i < n:
+        if pattern[i] == "\\":
+            # Escaped character — copy both chars and move on.
+            result.append(pattern[i : i + 2])
+            i += 2
+            continue
+
+        if pattern[i] == "[":
+            # Character class — copy verbatim until the closing ']'.
+            # Inside '[…]', '(' is literal, not a group boundary.
+            j = i + 1
+            if j < n and pattern[j] == "^":
+                j += 1
+            # A ']' immediately after '[' or '[^' is a literal ']', not the end.
+            if j < n and pattern[j] == "]":
+                j += 1
+            while j < n and pattern[j] != "]":
+                if pattern[j] == "\\":
+                    j += 2
+                else:
+                    j += 1
+            if j < n:
+                j += 1  # skip the closing ']'
+            result.append(pattern[i:j])
+            i = j
+            continue
+
+        if pattern[i] != "(":
+            result.append(pattern[i])
+            i += 1
+            continue
+
+        # Peek past the opening parenthesis to decide whether this is capturing.
+        suffix = pattern[i + 1 :]
+        capturing = not any(suffix.startswith(p) for p in _NON_CAPTURING_PREFIXES)
+
+        # Find the matching closing paren, respecting nesting and escapes.
+        depth = 1
+        j = i + 1
+        while j < n and depth > 0:
+            if pattern[j] == "\\":
+                j += 2
+            elif pattern[j] == "(":
+                depth += 1
+                j += 1
+            elif pattern[j] == ")":
+                depth -= 1
+                j += 1
+            else:
+                j += 1
+
+        if suffix.startswith("?#"):
+            # Inline comment (?#...) — matches nothing, omit from route entirely.
+            pass
+        else:
+            result.append("%s" if capturing else pattern[i:j])
+        i = j
+
+    return "".join(result)
+
+
+def _path_for_path_match(matcher: PathMatches) -> str:
+    if matcher._path is not None:
+        return matcher._path
+
+    return _regex_to_route(matcher.regex.pattern)
+
+
 def _find_route(initial_rule_set, request):
     """
     We have to walk through the same chain of rules that tornado does to find a matching rule.
@@ -115,11 +228,14 @@ def _find_route(initial_rule_set, request):
 
     while len(rules) > 0:
         rule = rules.popleft()
-        if (m := rule.matcher.match(request)) is not None:
-            if hasattr(rule.matcher, "_path"):
-                return rule.matcher._path, m.get("path_args", []) or m.get("path_kwargs", {})
+        matcher = rule.matcher
+        if (m := matcher.match(request)) is not None:
+            if isinstance(matcher, PathMatches):
+                path_args = m.get("path_args", []) or m.get("path_kwargs", {})
+                return _path_for_path_match(matcher), path_args
+
             elif hasattr(rule.target, "rules"):
-                rules.extendleft(rule.target.rules)
+                rules.extendleft(reversed(rule.target.rules))
 
     return "^$", {}
 

releasenotes/notes/fix-tornado-nested-app-route-order-225fe3c3566c9253.yaml

@@ -0,0 +1,11 @@
+---
+fixes:
+  - |
+    tornado: Fixes an issue where routes inside a nested Tornado application were matched
+    in reverse declaration order, causing a catch-all pattern to win over a more-specific
+    route defined before it. This resulted in incorrect ``http.route`` tags on spans.
+  - |
+    tornado: The ``http.route`` tag is now populated for routes whose regex cannot be
+    reversed by Tornado (e.g. patterns containing non-capturing groups such as
+    ``(?:a|b)``). Capturing groups are still rendered as ``%s``, consistent with
+    Tornado's own route format, while non-capturing constructs are kept verbatim.

tests/appsec/contrib_appsec/test_django.py

@@ -85,7 +85,28 @@ def location(self, response):
 
 
 class Test_Django(_Test_Django_Base, utils.Contrib_TestClass_For_Threats):
-    pass
+    ENDPOINT_DISCOVERY_EXPECTED_PATHS = {
+        "^$",
+        "asm/<int:param_int>/<str:param_str>",
+        "^asm/?$",
+        "new_service/<str:service_name>",
+        "login",
+        "login_sdk",
+        "rasp/<str:endpoint>",
+    }
+
+    @staticmethod
+    def endpoint_path_to_uri(path: str) -> str:
+        import re
+
+        # Django regex-style routes: ^asm/?$ → /asm
+        if re.match(r"^\^.*\$$", path):
+            path = path[1:-1]
+        if path.endswith("/?"):
+            path = path[:-2]
+        path = re.sub(r"<int:[a-z_]+>", "123", path)
+        path = re.sub(r"<str:[a-z_]+>", "abczx", path)
+        return path if path.startswith("/") else ("/" + path)
 
 
 class Test_Django_RC(_Test_Django_Base, utils.Contrib_TestClass_For_Threats_RC):

tests/appsec/contrib_appsec/test_fastapi.py

@@ -120,7 +120,23 @@ def location(self, response):
 
 
 class Test_FastAPI(_Test_FastAPI_Base, utils.Contrib_TestClass_For_Threats):
-    pass
+    ENDPOINT_DISCOVERY_EXPECTED_PATHS = {
+        "/",
+        "/asm/{param_int:int}/{param_str:str}",
+        "/asm/",
+        "/new_service/{service_name:str}",
+        "/login/",
+        "/login_sdk/",
+        "/rasp/{endpoint:str}/",
+    }
+
+    @staticmethod
+    def endpoint_path_to_uri(path: str) -> str:
+        import re
+
+        path = re.sub(r"\{[a-z_]+:int\}", "123", path)
+        path = re.sub(r"\{[a-z_]+:str\}", "abczx", path)
+        return path
 
 
 class Test_FastAPI_RC(_Test_FastAPI_Base, utils.Contrib_TestClass_For_Threats_RC):

tests/appsec/contrib_appsec/test_flask.py

@@ -104,7 +104,23 @@ def location(self, response):
 
 
 class Test_Flask(_Test_Flask_Base, utils.Contrib_TestClass_For_Threats):
-    pass
+    ENDPOINT_DISCOVERY_EXPECTED_PATHS = {
+        "/",
+        "/asm/<int:param_int>/<string:param_str>",
+        "/asm/",
+        "/new_service/<string:service_name>",
+        "/login",
+        "/login_sdk",
+        "/rasp/<string:endpoint>/",
+    }
+
+    @staticmethod
+    def endpoint_path_to_uri(path: str) -> str:
+        import re
+
+        path = re.sub(r"<int:[a-z_]+>", "123", path)
+        path = re.sub(r"<(str|string):[a-z_]+>", "abczx", path)
+        return path
 
 
 class Test_Flask_RC(_Test_Flask_Base, utils.Contrib_TestClass_For_Threats_RC):

tests/appsec/contrib_appsec/test_tornado.py

@@ -89,7 +89,24 @@ def location(self, response):
 
 
 class Test_Tornado(_Test_Tornado_Base, utils.Contrib_TestClass_For_Threats):
-    pass
+    ENDPOINT_DISCOVERY_EXPECTED_PATHS = {
+        "/",
+        "/asm/%s/%s/?",
+        "/asm/?",
+        "/new_service/%s/?",
+        "/login/?",
+        "/login_sdk/?",
+        "/rasp/%s/?",
+    }
+
+    @staticmethod
+    def endpoint_path_to_uri(path: str) -> str:
+        # Tornado uses %s for all capturing groups and does not have a notion of typed path parameters.
+        # We substitute with "123" which satisfies both \d+ and [^/]+ patterns.
+        path = path.replace("%s", "123")
+        if path.endswith("/?"):
+            path = path[:-2]
+        return path if path.startswith("/") else ("/" + path)
 
 
 class Test_Tornado_RC(_Test_Tornado_Base, utils.Contrib_TestClass_For_Threats_RC):

tests/appsec/contrib_appsec/utils.py

@@ -2,6 +2,7 @@
 import json
 import sys
 from typing import Any
+from typing import ClassVar
 from typing import Generator
 from urllib.parse import quote
 from urllib.parse import urlencode
@@ -187,6 +188,18 @@ class Contrib_TestClass_For_Threats(_Contrib_TestClass_Base):
     Factorized test class for threats tests on all supported frameworks
     """
 
+    # Expected ep.path values (as stored in the endpoint collection) that must
+    # be discovered. Each child class must override with framework-specific routes.
+    ENDPOINT_DISCOVERY_EXPECTED_PATHS: ClassVar[set[str]] = set()
+
+    @staticmethod
+    def endpoint_path_to_uri(path: str) -> str:
+        """Convert an ep.path from the endpoint collection to a requestable URI.
+
+        Each framework test class must implement this with its own route format logic.
+        """
+        raise NotImplementedError("Subclasses must implement endpoint_path_to_uri")
+
     @pytest.mark.parametrize("asm_enabled", [True, False])
     def test_healthcheck(self, interface: Interface, get_entry_span_tag, asm_enabled: bool):
         # you can disable any test in a framework like that:
@@ -252,34 +265,9 @@ def test_api_endpoint_discovery(self, interface: Interface, find_resource):
         """
         from ddtrace.internal.endpoints import endpoint_collection
 
-        def parse(path: str) -> str:
-            import re
-
-            # substitutions to make a url path from route
-            if re.match(r"^\^.*\$$", path):
-                path = path[1:-1]
-            path = re.sub(r"<int:[a-z_]+>|\{[a-z_]+:int\}", "123", path)
-            path = re.sub(r"<(str|string):[a-z_]+>|\{[a-z_]+:str\}", "abczx", path)
-            # Tornado regex patterns (from regex.pattern, ending with $)
-            if path.endswith("$"):
-                path = path[:-1]
-            path = re.sub(r"\(\?P<[a-z_]+>\\d\+\)", "123", path)
-            path = re.sub(r"\(\?P<[a-z_]+>\[[^\]]+\]\+?\)", "abczx", path)
-            path = re.sub(r"\(\\d\+\)", "123", path)
-            path = re.sub(r"\(\[[^\]]+\]\+?\)", "abczx", path)
-            if path.endswith("/?"):
-                path = path[:-2]
-            return path if path.startswith("/") else ("/" + path)
-
-        must_found: set[str] = {
-            "",
-            "/asm/123/abczx",
-            "/asm",
-            "/new_service/abczx",
-            "/login",
-            "/login_sdk",
-            "/rasp/abczx",
-        }
+        expected = self.ENDPOINT_DISCOVERY_EXPECTED_PATHS
+        assert expected, "ENDPOINT_DISCOVERY_EXPECTED_PATHS must be set on the test class"
+
         found: set[str] = set()
         with override_global_config(dict(_asm_enabled=True)):
             self.update_tracer(interface)
@@ -295,20 +283,20 @@ def parse(path: str) -> str:
                 assert ep.operation_name
                 if ep.method not in ("GET", "*", "POST") or ep.path.startswith("/static"):
                     continue
-                path = parse(ep.path)
-                found.add(path.rstrip("/"))
+                found.add(ep.path)
+                uri = self.endpoint_path_to_uri(ep.path)
                 response = (
-                    interface.client.post(path, data=json.dumps({"data": "content"}), content_type="application/json")
+                    interface.client.post(uri, data=json.dumps({"data": "content"}), content_type="application/json")
                     if ep.method == "POST"
-                    else interface.client.get(path)
+                    else interface.client.get(uri)
                 )
                 assert self.status(response) in (
                     200,
                     401,
-                ), f"ep.path failed: [{self.status(response)}] {ep.path} -> {path}"
+                ), f"ep.path failed: [{self.status(response)}] {ep.path} -> {uri}"
                 resource = "GET" + ep.resource_name[1:] if ep.resource_name.startswith("* ") else ep.resource_name
                 assert find_resource(resource)
-        assert must_found <= found
+        assert expected <= found, f"missing paths: {expected - found}"
 
     @pytest.mark.parametrize("asm_enabled", [True, False])
     @pytest.mark.parametrize(