fix(iast): re.finditer aspect error (#11027)
Ensure IAST propagation does not raise side effects related to re.finditer.

We detected this error in PR #10988, when FastAPI headers were empty in framework tests: https://github.com/DataDog/dd-trace-py/actions/runs/11273577079/job/31350947622

We can revert this system-tests PR after this PR: DataDog/system-tests#3230

This error was detected in [python-multipart==0.0.05](https://pypi.org/project/python-multipart/0.0.5/)

## Checklist

- [x] PR author has checked that all the criteria below are met
  - The PR description includes an overview of the change
  - The PR description articulates the motivation for the change
  - The change includes tests OR the PR description describes a testing strategy
  - The PR description notes risks associated with the change, if any
  - Newly-added code is easy to change
  - The change follows the [library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
  - The change includes or references documentation updates if necessary
  - Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist

- [x] Reviewer has checked that all the criteria below are met
  - Title is accurate
  - All changes are related to the pull request's stated goal
  - Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes
  - Testing strategy adequately addresses listed risks
  - Newly-added code is easy to change
  - Release note makes sense to a user of the library
  - If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
  - Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

(cherry picked from commit 9973b22)
1 parent e0fc27d, commit 27c134d. Showing 9 changed files with 152 additions and 10 deletions.
releasenotes/notes/iast-fix-re-finditer-aspect-8925b30073169222.yaml (4 changes: 4 additions & 0 deletions)
@@ -0,0 +1,4 @@ | ||
--- | ||
fixes: | ||
- | | ||
Code Security: Ensure IAST propagation does not raise side effects related to re.finditer. |
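Review bot: the release note text ("Ensure IAST propagation does not raise side effects related to re.finditer") describes the developer's intent rather than what a user would have observed, which is what the library release note guidelines linked from the commit message ask for. Suggest phrasing it as the symptom that was fixed, along the lines of "Code Security: fixes an error raised by the IAST re.finditer aspect, observed with python-multipart when request headers were empty", since the commit message identifies that as the failing case.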
tests/appsec/iast_packages/packages/pkg_python_multipart.py (49 changes: 49 additions & 0 deletions)
@@ -0,0 +1,49 @@ | ||
""" | ||
isodate==0.6.1 | ||
https://pypi.org/project/isodate/ | ||
""" | ||
|
||
from flask import Blueprint | ||
from flask import request | ||
|
||
from .utils import ResultResponse | ||
|
||
|
||
pkg_python_multipart = Blueprint("multipart", __name__) | ||
|
||
|
||
@pkg_python_multipart.route("/python-multipart") | ||
def pkg_multipart_view(): | ||
from multipart.multipart import parse_options_header | ||
|
||
response = ResultResponse(request.args.get("package_param")) | ||
|
||
try: | ||
_, params = parse_options_header(response.package_param) | ||
|
||
response.result1 = str(params[b"boundary"], "utf-8") | ||
except Exception as e: | ||
response.result1 = f"Error: {str(e)}" | ||
|
||
return response.json() | ||
|
||
|
||
@pkg_python_multipart.route("/python-multipart_propagation") | ||
def pkg_multipart_propagation_view(): | ||
from multipart.multipart import parse_options_header | ||
|
||
from ddtrace.appsec._iast._taint_tracking import is_pyobject_tainted | ||
|
||
response = ResultResponse(request.args.get("package_param")) | ||
if not is_pyobject_tainted(response.package_param): | ||
response.result1 = "Error: package_param is not tainted" | ||
return response.json() | ||
|
||
_, params = parse_options_header(response.package_param) | ||
response.result1 = ( | ||
"OK" | ||
if is_pyobject_tainted(params[b"boundary"]) | ||
else "Error: yaml_string is not tainted: %s" % str(params[b"boundary"], "utf-8") | ||
) | ||
return response.json() |
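Review bot: the module docstring at the top of the hunk ("isodate==0.6.1", "https://pypi.org/project/isodate/") names the wrong package; this file exercises python-multipart, so it should read "python-multipart==0.0.5" with the matching PyPI URL, which is the version the commit message's link points at. The failure message in pkg_multipart_propagation_view has the same copy-paste origin: "Error: yaml_string is not tainted" should name the value actually checked, params[b"boundary"]. Finally, the commit message says the aspect error surfaced when headers were empty, but neither view feeds an empty or boundary-less package_param through parse_options_header, so the regression this commit fixes is not pinned down here; a case that sends an empty package_param and asserts the view returns an "Error: ..." string instead of raising would cover it, and the bare "except Exception" in pkg_multipart_view should then be narrowed so that an unexpected exception from the aspect is not silently turned into a result string.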