Fix the X-Content-Type-Options header string (#5950)

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/util/HttpHeader.java

@@ -58,7 +58,7 @@ public void onHeader(final IastRequestContext ctx, final String value) {
           }
         };
     public static final HttpHeader X_CONTENT_TYPE_OPTIONS =
-        new ContextAwareHeader("X-Content-Type") {
+        new ContextAwareHeader("X-Content-Type-Options") {
           @Override
           public void onHeader(final IastRequestContext ctx, final String value) {
             ctx.setxContentTypeOptions(value);

dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/sink/HttpResponseHeaderModuleTest.groovy

@@ -92,7 +92,7 @@ class HttpResponseHeaderModuleTest extends IastModuleImplTestBase {
     module.onHeader("Strict-Transport-Security", "invalid max age")
 
     then:
-    3 * tracer.activeSpan()
+    4 * tracer.activeSpan()
     1 * overheadController.consumeQuota(_,_)
     0 * _
   }

dd-smoke-tests/iast-util/src/main/java/datadog/smoketest/springboot/controller/IastWebController.java

@@ -316,6 +316,13 @@ public String xContentTypeOptionsMissing(HttpServletResponse response) {
     return "ok";
   }
 
+  @GetMapping(value = "/xcontenttypeoptionsecure", produces = "text/html")
+  public String xContentTypeOptionsSecure(HttpServletResponse response) {
+    response.addHeader("X-Content-Type-Options", "nosniff");
+    response.setStatus(HttpStatus.OK.value());
+    return "ok";
+  }
+
   private void withProcess(final Operation<Process> op) {
     Process process = null;
     try {

dd-smoke-tests/iast-util/src/testFixtures/groovy/datadog/smoketest/AbstractIastServerSmokeTest.groovy

@@ -126,6 +126,27 @@ abstract class AbstractIastServerSmokeTest extends AbstractServerSmokeTest {
     }
   }
 
+  protected void noVulnerability(@ClosureParams(value = SimpleType, options = ['datadog.smoketest.model.Vulnerability'])
+    final Closure<Boolean> matcher) {
+    final found = []
+    try {
+      waitForSpan(pollingConditions()) { span ->
+        final json = span.meta.get(TAG_NAME)
+        if (!json) {
+          return false
+        }
+        final batch = jsonSlurper.parseText(json) as Map
+        final vulnerabilities = batch.vulnerabilities as List<Vulnerability>
+        found.addAll(vulnerabilities)
+      }
+    } catch (SpockTimeoutError toe) {
+      // do nothing
+    }
+    if ( found.find(matcher) != null){
+      throw new AssertionError("A matching vulnerability was found while expecting none. Vulnerabilities found: ${new JsonBuilder(found).toPrettyString()}")
+    }
+  }
+
   protected TaintedObject parseTaintedLog(final String log) {
     final index = log.indexOf('tainted=')
     if (index >= 0) {

dd-smoke-tests/iast-util/src/testFixtures/groovy/datadog/smoketest/AbstractIastSpringBootTest.groovy

@@ -186,6 +186,20 @@ abstract class AbstractIastSpringBootTest extends AbstractIastServerSmokeTest {
     }
   }
 
+  void 'X content type options missing header vulnerability is absent'() {
+    setup:
+    String url = "http://localhost:${httpPort}/xcontenttypeoptionsecure"
+    def request = new Request.Builder().url(url).get().build()
+    when:
+    def response = client.newCall(request).execute()
+    then:
+    response.isSuccessful()
+    noVulnerability { vul ->
+      vul.type == 'XCONTENTTYPE_HEADER_MISSING'
+    }
+  }
+
+
   void 'no HttpOnly cookie vulnerability is present'() {
     setup:
     String url = "http://localhost:${httpPort}/insecure_cookie"