chore(iast): strip, rstrip, lstrip aspects

[avara1986]

This PR implements new aspects for Python's string strip methods (strip, rstrip, lstrip) to support IAST taint propagation. These aspects ensure proper taint tracking when string stripping operations are performed.

Motivation

• Enable taint propagation through string strip operations
• Remove TODO related to strip function and werkzeug
• Ensure security marks are properly maintained during string manipulation
• Support proper range calculations for tainted strings after stripping

Changes Made

1. Added new aspects in ddtrace/appsec/_iast/_taint_tracking/aspects.py:

   • strip_aspect: Handles both-ends string stripping
   • rstrip_aspect: Handles right-side string stripping
   • lstrip_aspect: Handles left-side string stripping

2. Each aspect implementation:

   • Maintains taint propagation through strip operations
   • Recalculates taint ranges based on stripped content
   • Preserves security marks
   • Handles both default whitespace stripping and custom character stripping

3. Added comprehensive test coverage in tests/appsec/iast/aspects/test_strip_aspect.py:

   • Property-based tests for basic functionality
   • Taint tracking verification
   • Range calculation tests
   • Edge cases and special character handling

Checklist

• PR author has checked that all the criteria below are met
• The PR description includes an overview of the change
• The PR description articulates the motivation for the change
• The change includes tests OR the PR description describes a testing strategy
• The PR description notes risks associated with the change, if any
• Newly-added code is easy to change
• The change follows the library release note guidelines
• The change includes or references documentation updates if necessary
• Backport labels are set (if applicable)

Reviewer Checklist

• Reviewer has checked that all the criteria below are met
• Title is accurate
• All changes are related to the pull request's stated goal
• Avoids breaking API changes
• Testing strategy adequately addresses listed risks
• Newly-added code is easy to change
• Release note makes sense to a user of the library
• If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
• Backport labels are set in a manner that is consistent with the release branch maintenance policy

[github-actions]

CODEOWNERS have been resolved as:

tests/appsec/iast/aspects/test_strip_aspect.py                          @DataDog/asm-python
benchmarks/appsec_iast_aspects/config.yaml                              @DataDog/asm-python
benchmarks/appsec_iast_aspects/functions.py                             @DataDog/asm-python
ddtrace/appsec/_iast/_ast/iastpatch.c                                   @DataDog/asm-python
ddtrace/appsec/_iast/_ast/visitor.py                                    @DataDog/asm-python
ddtrace/appsec/_iast/_patch_modules.py                                  @DataDog/asm-python
ddtrace/appsec/_iast/_taint_tracking/aspects.py                         @DataDog/asm-python
scripts/iast/mod_leak_functions.py                                      @DataDog/asm-python
tests/appsec/iast/fixtures/propagation_path.py                          @DataDog/asm-python
tests/appsec/integrations/packages_tests/test_iast_sanitizers.py        @DataDog/asm-python

[Copilot]

Pull Request Overview

This PR implements new IAST aspects for Python’s string strip methods to ensure proper taint propagation during string manipulation and updates related tests, benchmarks, and patch modules. Key changes include:

• Adding and registering new aspects (strip, rstrip, lstrip) in ddtrace/appsec/_iast/_taint_tracking/aspects.py.
• Updating tests (in tests/appsec/iast/aspects and fixtures) to cover a variety of input cases, including edge cases and taint range validations.
• Adjusting patch module configurations, benchmarks, and C-level allowlists to integrate the new aspects.

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
tests/appsec/integrations/packages_tests/test_iast_sanitizers.py	Added patch for werkzeug.utils to activate IAST propagation.
tests/appsec/iast/fixtures/propagation_path.py	Updated test to apply successive strip operations and verify taint behavior.
tests/appsec/iast/aspects/test_strip_aspect.py	Introduced comprehensive tests for strip, rstrip, and lstrip aspects.
scripts/iast/mod_leak_functions.py	Modified string manipulation and propagation logic to use the new aspects.
ddtrace/appsec/_iast/_taint_tracking/aspects.py	Added implementations for lstrip, rstrip, and strip aspects with taint range adjustments.
ddtrace/appsec/_iast/_patch_modules.py	Updated comment regarding safe_join propagation to reflect new limitations.
ddtrace/appsec/_iast/_ast/visitor.py	Registered the new strip-related aspects.
ddtrace/appsec/_iast/_ast/iastpatch.c	Expanded the static allowlist to include werkzeug.utils.
benchmarks/appsec_iast_aspects/functions.py & config.yaml	Added functions and configuration blocks for new aspects.

Comments suppressed due to low confidence (1)

scripts/iast/mod_leak_functions.py:311

• [nitpick] Consider renaming variables like 'string13_3' to more descriptive names to improve code clarity.

string13_3 = string13_2.strip()

[github-actions]

Bootstrap import analysis

Comparison of import times between this PR and base.

Summary

The average import time from this PR is: 238 ± 4 ms.

The average import time from base is: 242 ± 5 ms.

The import time difference between this PR and base is: -4.5 ± 0.2 ms.

Import time breakdown

The following import paths have shrunk:

ddtrace.auto 2.205 ms (0.93%)

ddtrace.bootstrap.sitecustomize 1.525 ms (0.64%)

ddtrace.bootstrap.preload 1.525 ms (0.64%)

ddtrace.internal.products 1.525 ms (0.64%)

ddtrace.internal.remoteconfig.client 0.682 ms (0.29%)

ddtrace 0.680 ms (0.29%)

[pr-commenter]

Benchmarks

Benchmark execution time: 2025-04-25 17:22:02

Comparing candidate commit 93376c8 in PR branch avara1986/APPSEC-57375_strip with baseline commit 518a913 in branch main.

Some scenarios are present only in baseline or only in candidate runs. If you didn't create or remove some scenarios in your branch, this maybe a sign of crashed benchmarks 💥💥💥
Check Gitlab CI job log to find if any benchmark has crashed.

Scenarios present only in candidate:

• iast_aspects-lstrip_aspect
• iast_aspects-rstrip_aspect
• iast_aspects-strip_aspect

Found 0 performance improvements and 0 performance regressions! Performance is the same for 486 metrics, 8 unstable metrics.