Merge branch 'main' into avara1986/refactor_iast_request_context_to_core

ddtrace/appsec/_iast/_ast/visitor.py

@@ -278,7 +278,7 @@ def _should_replace_with_taint_sink(self, call_node: ast.Call, is_function: bool
  if function_name in self._taint_sink_replace_disabled:
  return False
 
- return any(allowed in function_name for allowed in self._taint_sink_replace_any)
+ return function_name in self._taint_sink_replace_any
 
  def _add_original_function_as_arg(self, call_node: ast.Call, is_function: bool) -> Any:
  """

releasenotes/notes/iast-aspects-partial-matches-f43dc04584ca6788.yaml

@@ -0,0 +1,3 @@
+fixes:
+ - |
+ Code security: This fix resolves an issue where partial matches on function names we aimed to patch were being patched instead of full matches on them.

tests/appsec/iast/_ast/test_ast_patching.py

@@ -208,3 +208,18 @@ def test_astpatch_bytesio_module_changed(module_name):
  "\nimport ddtrace.appsec._iast._taint_tracking.aspects as ddtrace_aspects"
  )
  assert "ddtrace_aspects.bytesio_aspect(" in new_code
+
+
+@pytest.mark.parametrize(
+ "module_name",
+ [
+ ("tests.appsec.iast.fixtures.ast.other.globals_builtin"),
+ ],
+)
+def test_astpatch_globals_module_unchanged(module_name):
+ module_path, new_source = astpatch_module(__import__(module_name, fromlist=[None]))
+ assert ("", "") == (module_path, new_source)
+ if ("", "") != (module_path, new_source):
+ new_code = astunparse.unparse(new_source)
+ assert not new_code.startswith("\nimport ddtrace.appsec._iast")
+ assert "ddtrace_taint_sinks.ast_function(globals, 0)" not in new_code

tests/appsec/iast/fixtures/ast/other/globals_builtin.py

@@ -0,0 +1,3 @@
+#!/usr/bin/env python3
+
+_globals = globals()