chore(iast): strip, rstrip, lstrip aspects #13266
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
avara1986
added
changelog/no-changelog
![datadog-datadog-prod-us1[bot]](https://avatars.githubusercontent.com/u/365230?s=60&v=4){kind=small}
|
|
Co-authored-by: datadog-datadog-prod-us1[bot] <88084959+datadog-datadog-prod-us1[bot]@users.noreply.github.com>
There was a problem hiding this comment.
Pull Request Overview
This PR implements new IAST aspects for Python’s string strip methods to ensure proper taint propagation during string manipulation and updates related tests, benchmarks, and patch modules. Key changes include:
- Adding and registering new aspects (strip, rstrip, lstrip) in ddtrace/appsec/_iast/_taint_tracking/aspects.py.
- Updating tests (in tests/appsec/iast/aspects and fixtures) to cover a variety of input cases, including edge cases and taint range validations.
- Adjusting patch module configurations, benchmarks, and C-level allowlists to integrate the new aspects.
Reviewed Changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/appsec/integrations/packages_tests/test_iast_sanitizers.py | Added patch for werkzeug.utils to activate IAST propagation. |
| tests/appsec/iast/fixtures/propagation_path.py | Updated test to apply successive strip operations and verify taint behavior. |
| tests/appsec/iast/aspects/test_strip_aspect.py | Introduced comprehensive tests for strip, rstrip, and lstrip aspects. |
| scripts/iast/mod_leak_functions.py | Modified string manipulation and propagation logic to use the new aspects. |
| ddtrace/appsec/_iast/_taint_tracking/aspects.py | Added implementations for lstrip, rstrip, and strip aspects with taint range adjustments. |
| ddtrace/appsec/_iast/_patch_modules.py | Updated comment regarding safe_join propagation to reflect new limitations. |
| ddtrace/appsec/_iast/_ast/visitor.py | Registered the new strip-related aspects. |
| ddtrace/appsec/_iast/_ast/iastpatch.c | Expanded the static allowlist to include werkzeug.utils. |
| benchmarks/appsec_iast_aspects/functions.py & config.yaml | Added functions and configuration blocks for new aspects. |
Comments suppressed due to low confidence (1)
scripts/iast/mod_leak_functions.py:311
- [nitpick] Consider renaming variables like 'string13_3' to more descriptive names to improve code clarity.
string13_3 = string13_2.strip()
Bootstrap import analysisComparison of import times between this PR and base. SummaryThe average import time from this PR is: 239 ± 4 ms. The average import time from base is: 240 ± 4 ms. The import time difference between this PR and base is: -1.1 ± 0.2 ms. Import time breakdownThe following import paths have shrunk:
|
BenchmarksBenchmark execution time: 2025-04-30 08:37:43 Comparing candidate commit 4a49dd3 in PR branch Some scenarios are present only in baseline or only in candidate runs. If you didn't create or remove some scenarios in your branch, this maybe a sign of crashed benchmarks 💥💥💥 Scenarios present only in candidate:
Found 0 performance improvements and 0 performance regressions! Performance is the same for 501 metrics, 5 unstable metrics. |
RamyElkest
reviewed
Apr 28, 2025
christophe-papazian
approved these changes
Apr 29, 2025
brettlangdon
pushed a commit
that referenced
this pull request
May 6, 2025
This PR implements new aspects for Python's string strip methods (strip, rstrip, lstrip) to support IAST taint propagation. These aspects ensure proper taint tracking when string stripping operations are performed. ## Motivation - Enable taint propagation through string strip operations - Remove TODO related to strip function and werkzeug - Ensure security marks are properly maintained during string manipulation - Support proper range calculations for tainted strings after stripping ## Changes Made 1. Added new aspects in `ddtrace/appsec/_iast/_taint_tracking/aspects.py`: - `strip_aspect`: Handles both-ends string stripping - `rstrip_aspect`: Handles right-side string stripping - `lstrip_aspect`: Handles left-side string stripping 2. Each aspect implementation: - Maintains taint propagation through strip operations - Recalculates taint ranges based on stripped content - Preserves security marks - Handles both default whitespace stripping and custom character stripping 3. Added comprehensive test coverage in `tests/appsec/iast/aspects/test_strip_aspect.py`: - Property-based tests for basic functionality - Taint tracking verification - Range calculation tests - Edge cases and special character handling - ## Checklist - [x] PR author has checked that all the criteria below are met - The PR description includes an overview of the change - The PR description articulates the motivation for the change - The change includes tests OR the PR description describes a testing strategy - The PR description notes risks associated with the change, if any - Newly-added code is easy to change - The change follows the [library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) - The change includes or references documentation updates if necessary - Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) ## Reviewer Checklist - [x] Reviewer has checked that all the criteria below are met - Title is accurate - All changes are related to the pull request's stated goal - Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - Testing strategy adequately addresses listed risks - Newly-added code is easy to change - Release note makes sense to a user of the library - If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) --------- Co-authored-by: datadog-datadog-prod-us1[bot] <88084959+datadog-datadog-prod-us1[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR implements new aspects for Python's string strip methods (strip, rstrip, lstrip) to support IAST taint propagation. These aspects ensure proper taint tracking when string stripping operations are performed.
Motivation
Changes Made
Added new aspects in
ddtrace/appsec/_iast/_taint_tracking/aspects.py:strip_aspect: Handles both-ends string strippingrstrip_aspect: Handles right-side string strippinglstrip_aspect: Handles left-side string strippingEach aspect implementation:
Added comprehensive test coverage in
tests/appsec/iast/aspects/test_strip_aspect.py:Checklist
Reviewer Checklist